Re: nm-connection-editor working only as root

From: Dan Williams <dcbw redhat com>
To: Ramon Diaz-Uriarte <rdiaz02 gmail com>
Cc: networkmanager-list gnome org
Subject: Re: nm-connection-editor working only as root
Date: Sun, 06 Nov 2011 10:47:45 -0600
On Sun, 2011-11-06 at 14:39 +0100, Ramon Diaz-Uriarte wrote:
> 
> 
> On Fri, 04 Nov 2011 11:12:09 -0500,Dan Williams <dcbw redhat com> wrote:
> > On Fri, 2011-11-04 at 11:48 +0100, Ramon Diaz-Uriarte wrote:
> > > 
> > > 
> > > On Wed, 02 Nov 2011 20:31:41 -0500,Dan Williams <dcbw redhat com> wrote:
> > > > On Mon, 2011-10-24 at 11:48 +0200, Ramon Diaz-Uriarte wrote:
> > > > > Actually, three problems remain ;-).
> > > > > 
> > > > > 
> > > > > 1. I've rebooted and reloged in several times, but I cannot save a
> > > > > connection because it complaints about insufficient privileges. (I get a
> > > > > pop-up message that says "Connection add failed", "Insufficient
> > > > > privileges").
> > > > > 
> > > > > 
> > > > > I have logged with kdm (or gdm) and have a local session:
> > > > > 
> > > > > ramon@Bufo:~$ ck-list-sessions 
> > > > > Session1:
> > > > >         unix-user = '1000'
> > > > >         realname = 'ramon diaz-uriarte'
> > > > >         seat = 'Seat1'
> > > > >         session-type = ''
> > > > >         active = TRUE
> > > > >         x11-display = ':0'
> > > > >         x11-display-device = '/dev/tty7'
> > > > >         display-device = ''
> > > > >         remote-host-name = ''
> > > > >         is-local = TRUE
> > > > >         on-since = '2011-10-23T16:29:00.632372Z'
> > > > >         login-session-id = '4294967295'
> > > 
> > > > Is this an update or a new connection?  This error is coming from
> > > > PolicyKit, so does this work if you edit the file:
> > > 
> > > > /usr/share/polkit-1/actions/org.freedesktop.network-manager-settings.system.policy
> > > 
> > > > and change the following hunk to:
> > > 
> > > >   <action id="org.freedesktop.network-manager-settings.system.modify">
> > > >     <_description>Modify system connections</_description>
> > > >     <_message>System policy prevents modification of system settings</_message>
> > > >     <defaults>
> > > >       <allow_inactive>yes</allow_inactive>
> > > >       <allow_active>auth_admin_keep</allow_active>
> > > >     </defaults>
> > > >   </action>
> > > 
> > > > then try.  If that doesn't work, change it to:
> > > 
> > > >   <action id="org.freedesktop.network-manager-settings.system.modify">
> > > >     <_description>Modify system connections</_description>
> > > >     <_message>System policy prevents modification of system settings</_message>
> > > >     <defaults>
> > > >       <allow_inactive>yes</allow_inactive>
> > > >       <allow_active>yes</allow_active>
> > > >     </defaults>
> > > >   </action>
> > > 
> > > > no reboot or anything is necessary, the changes take effect immediately.
> > > 
> > > 
> > > I tried both (note: there were minor differences in syntax, like mine is
> > > called NetworkManager, not network-manager, etc).
> > > 
> > > The first one did not work, but the second did. Thanks a lot.
> 
> > Ok, this is good to know.  We now know that your user was marked as
> > 'active' via ConsoleKit (which PolicyKit talks to) but for some reason
> > PolicyKit wasn't able to show the authentication dialog.  If you're
> > using a GNOME desktop, do you have the
> > "polkit-gnome-authentication-agent-1" program anywhere in /usr/libexec
> > or /usr/lib or /usr/lib64 or /usr/bin ?  If you're not on a GNOME
> > desktop, do you ever see PolicyKit authentication dialogs?
> 
> 
> I do not use GNOME, but I tested it here. This is what happens:

Ok, this makes some sense.  For some reasons, PolicyKit isn't able to
start the authentication agent in your desktop environment.  I don't
actually know what starts the agent but it might be the session manager.
Best thing to do here is to ask PolicyKit people about that I suppose.

Dan

> - If I use GNOME, then the first version
> 
>  <allow_inactive>yes</allow_inactive>
>  <allow_active>auth_admin_keep</allow_active>
> 
> 
> works. When I try to add a connection with security, or to modify
> an existing one, I am prompted for the root password, and then I can
> modify, etc.
> 
> Yes, I do have polkit-gnome-authentication-agent-1 in
> /usr/lib/policykit-1-gnome/
> 
> 
> 
> - If I do not use GNOME (I use xmonad), then I need the second version
> 
>  <allow_inactive>yes</allow_inactive>
>  <allow_active>yes</allow_active>
> 
> to be able to modify, add, etc. Otherwise, I get a message saying that I do
> not have sufficient privileges.
> 
> No, I never see a PolicyKit authentication dialog. However, in case it
> matters, I do have the daemon running:
> 
> 
> ramon@Bufo:~$ ps -A -f | grep polkit
> root      1487     1  0 12:00 ?        00:00:01 /usr/lib/policykit-1/polkitd
> 
> 
> and a bunch of dbus-related stuff:
> 
> ramon@Bufo:~$ ps -A -f | grep dbus
> 101       1468     1  0 12:00 ?        00:00:02 /usr/bin/dbus-daemon --system
> ramon    10239 10197  0 12:59 ?        00:00:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /bin/bash /home/ramon/.xsession
> ramon    10242     1  0 12:59 ?        00:00:00 /usr/bin/dbus-launch --exit-with-session /bin/bash /home/ramon/.xsession
> ramon    10243     1  0 12:59 ?        00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
> 
> 
> 
> 
> Best,
> 
> 
> R.
> 
> 
> > > Best,
> > > 
> > > 
> > > R.
> > > 
> > > 
> > > 
> > > > Dan
> > > 
> > > > > 
> > > > > 2. There is the problem of not being able to access my previously defined
> > > > > connections (versions 0.8.1). They must be somewhere, but the new versions
> > > > > do not seem to be able to find them.
> > > > > 
> > > > > 
> > > > > 
> > > > > 3. Finally, connections saved using, say, gksudo nm-connection-editor are
> > > > > stored under 
> > > > > /etc/NetworkManager/system-connections 
> > > > > 
> > > > > with passwords, etc, as plain text. Sure, they are only readable to root,
> > > > > but ssn't this a potential problem? If I remember correctly, with previous
> > > > > versions, you could only access connections (and their passwords) after
> > > > > entering your password via keyring.
> > > > > 
> > > > > 
> > > > > Best,
> > > > > 
> > > > > R.
> > > > > 
> > > > > 
> > > > > 
> > > > > On Fri, 21 Oct 2011 22:17:01 +0200,Ramon Diaz-Uriarte <rdiaz02 gmail com> wrote:
> > > > > 
> > > > > 
> > > > > 
> > > > > > On Fri, 21 Oct 2011 21:16:25 +0200,Michael Biebl <biebl debian org> wrote:
> > > > > > > [1  <text/plain; UTF-8 (quoted-printable)>]
> > > > > > > Am 21.10.2011 21:14, schrieb Ramon Diaz-Uriarte:
> > > > > > > > 
> > > > > > > > 
> > > > > > > > On Fri, 21 Oct 2011 16:42:52 +0200,Michael Biebl <biebl debian org> wrote:
> > > > > > > >> Am 21.10.2011 13:44, schrieb Ramon Diaz-Uriarte:
> > > > > > > > 
> > > > > > > >> What's the output of ck-list-sessions?
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Session5:
> > > > > > > > 	active = FALSE
> > > > > > > > 	is-local = FALSE
> > > > > 
> > > > > > > That's your problem. Use a login manager, like gdm or kdm, which
> > > > > > > properly registers a ConsoleKit session.
> > > > > > > Otherwise the PolicyKit rules used by NM won't work.
> > > > > 
> > > > > > Login with gdm does work, but only partially. I can now add and edit
> > > > > > connections as non-root (ck-list-sessions now lists two local
> > > > > > sessions). But the long list of wireless connections I had defined (prior
> > > > > > to 0.9) is not there. Is there anyway to get those back?
> > > > > 
> > > > > 
> > > > > > As well, can I get the PolicyKit rules to work with other login managers?
> > > > > > I use wdm, but the trick of adding
> > > > > 
> > > > > > exec ck-launch-session xmonad
> > > > > 
> > > > > > at the end of my .xinitrc does not seem to work.
> > > > > 
> > > > > 
> > > > > > Thanks,
> > > > > 
> > > > > 
> > > > > > R.
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > > > Michael
> > > > > 
> > > > > > > -- 
> > > > > > > Why is it that all of the instruments seeking intelligent life in the
> > > > > > > universe are pointed away from Earth?
> > > > > 
> > > > > > > [2 OpenPGP digital signature <application/pgp-signature (7bit)>]
> > > > > 
> > > > > > -- 
> > > > > > Ramon Diaz-Uriarte
> > > > > > Department of Biochemistry
> > > > > > Universidad Autónoma de Madrid
> > > > > > Spain
> > > > > 
> > > > > > http://ligarto.org/rdiaz
> > > > > 
> > > > > > Temporarily at:
> > > > > > Structural Biology and Biocomputing Programme
> > > > > > Spanish National Cancer Centre (CNIO)
> > > > >  
> > > > > > Phone: +34-91-732-8000 ext. 3019
> > > > > > Fax: +-34-91-224-6972
> > > 
> > > 
> 
>
References:
- Re: nm-connection-editor working only as root
  - From: Dan Williams
- Re: nm-connection-editor working only as root
  - From: Ramon Diaz-Uriarte
- Re: nm-connection-editor working only as root
  - From: Dan Williams
- Re: nm-connection-editor working only as root
  - From: Ramon Diaz-Uriarte
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]