Re: Aw: Re: Re: Only root can utilize nm-applet and nmcli as part of NetworkManager - how can other users use it w/o root?



On Sat, 2015-01-10 at 14:12 +0100, Thomas Schneider wrote:
Hi!
 
I checked if this could be related to pklocalauthority that is
documented here
(http://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html)
 
Checking the relevant config file for NetworkManager looks good to me.
But it's not clear why manfred cannot utilize NetworkManager as he
belongs to group netdev.
 
user pc1-asus:~$ sudo cat /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
 
user pc1-asus:~$ id manfred
uid=1005(manfred) gid=1005(manfred) Gruppen=1005(manfred),117(netdev),1013(verwandte),126(tbb),127(openvpn),128(fcron)

Try this:

pkaction -v -a org.freedesktop.NetworkManager.settings.modify.system

What do you get when running this as the user 'manfred'?  Also when you
do this, please grab the results of 'loginctl show-session X' where X is
the session for 'manfred'.  I know you sent the mail to me privately with
this output, but I want to make sure that loginctl and pkaction output
is from the same run.

Thanks!
Dan

Should I now go with the new compilation of NetworkManager using
--with-session-tracking=[ck|systemd]?
Is there a way to identify which options have been used with the
package shipped by the distribution?
 
THX
  
Sent: Friday, 09 January 2015 at 23:13
From: "Dan Williams" <dcbw redhat com>
To: "Thomas Schneider" <c monty web de>
Cc: poma <pomidorabelisima gmail com>, networkmanager-list gnome org
Subject: Re: Aw: Re: Only root can utilize nm-applet and nmcli as part of NetworkManager - how can other users use it w/o root?
On Fri, 2015-01-09 at 20:49 +0100, Thomas Schneider wrote:
Hi,

here's an update on your questions

Let's start with the version of nmcli:
user pc1-asus:~$ nmcli -v
nmcli-Werkzeug, Version 0.9.10.0

Now permissions:
user pc1-asus:~$ nmcli general permissions
BEFUGNIS WERT

org.freedesktop.NetworkManager.enable-disable-network nein

Ok, this indicates that PolicyKit is denying the permissions to these
users. The most likely reason is that NM has been built with
--with-session-tracking=[ck|systemd] and something is not properly
setting up the login sessions with ConsoleKit or systemd.

PolicyKit has a concept of active (e.g., using the computer right now)
and inactive (idle or non-human users) sessions. NetworkManager uses
these for fast-user-switching and some permissions control. It's likely
that all users on your machine are considered "inactive" according to
PolicyKit and thus being denied.

What do you get for the following commands?

ck-list-sessions
loginctl
loginctl show-session X (repeat for all sessions from 'loginctl')

If you're using ConsoleKit, your session manager needs to tell
ConsoleKit that it's starting a new session. I'm not quite sure how
that happens with systemd, but it does somehow.

Alternatively, if you don't care about user permissions and want to
allow any user to control networking you can build NM with
--with-session-tracking=none and --with-polkit=no to disable this
functionality.

Dan

org.freedesktop.NetworkManager.enable-disable-wifi nein

org.freedesktop.NetworkManager.enable-disable-wwan nein

org.freedesktop.NetworkManager.enable-disable-wimax nein

org.freedesktop.NetworkManager.sleep-wake nein

org.freedesktop.NetworkManager.network-control nein

org.freedesktop.NetworkManager.wifi.share.protected nein

org.freedesktop.NetworkManager.wifi.share.open nein

org.freedesktop.NetworkManager.settings.modify.system nein

org.freedesktop.NetworkManager.settings.modify.own Legitimierung
org.freedesktop.NetworkManager.settings.modify.hostname Legitimierung

Output when running nm-applet w/o root permission:
user pc1-asus:~$ nm-applet
(nm-applet:1167): libnm-glib-CRITICAL **: nm_secret_agent_register:
assertion 'priv->registered == FALSE' failed
(nm-applet:1167): nm-applet-WARNING **: VPN Connection activation
failed: (org.freedesktop.NetworkManager.PermissionDenied) Not
authorized to control networking.

Error message in /var/log/syslog:
Jan 9 20:41:34 pc1-asus NetworkManager[5393]: <warn> Failed to
activate 'Netzwerk-Thomas-VPN': Not authorized to control
networking.

The current config file for the required VPN connection is:
user pc1-asus:~$ sudo cat /etc/NetworkManager/system-connections/VPN
[connection]
id=VPN
uuid=a6ae2fac-4776-4f74-962c-a63113xxxxxx
type=vpn
permissions=user:<user>:;
autoconnect=false
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
auth=SHA256
remote=<mydyndns>
cipher=AES-256-CBC
comp-lzo=yes
tunnel-mtu=1500
cert-pass-flags=1
cert=/etc/openvpn/config/server.crt
ca=/etc/openvpn/config/server.pem
key=/etc/openvpn/config/server.key
ta=/etc/openvpn/config/ta.key
[ipv6]
method=auto
ip6-privacy=0
[ipv4]
method=auto

This config file works perfectly when calling sudo nmcli.

I have identified that any user without root permission can utilize
NetworkManager and nmcli respectively. In other words, the user needs
to be a member and run any command with "sudo".
This is also true for using any device connected via USB, e.g. scanner
or USB memory stick.


THX

Sent: Thursday, 08 January 2015 at 17:39
From: "Dan Williams" <dcbw redhat com>
To: poma <pomidorabelisima gmail com>
Cc: "Thomas Schneider" <c monty web de>, networkmanager-list gnome org
Subject: Re: Only root can utilize nm-applet and nmcli as part of NetworkManager - how can other users use it w/o root?
On Wed, 2015-01-07 at 23:42 +0100, poma wrote:
On 07.01.2015 18:29, Dan Williams wrote:
On Mon, 2015-01-05 at 19:14 +0100, Thomas Schneider wrote:
Hello!

I have installed the latest version of NetworkManager and nmcli
respectively + OpenVPN plugin for NetworkManager.

user pc1-asus:~$ apt-cache policy network-manager
network-manager:
Installiert: 0.9.10.0-5
Installationskandidat: 0.9.10.0-5
Versionstabelle:
*** 0.9.10.0-5 0
500 http://ftp.debian.org/debian/ jessie/main i386 Packages
100 /var/lib/dpkg/status
user pc1-asus:~$ apt-cache policy network-manager-gnome
network-manager-gnome:
Installiert: 0.9.10.0-2
Installationskandidat: 0.9.10.0-2
Versionstabelle:
*** 0.9.10.0-2 0
500 http://ftp.debian.org/debian/ jessie/main i386 Packages
100 /var/lib/dpkg/status
user pc1-asus:~$ apt-cache policy network-manager-openvpn
network-manager-openvpn:
Installiert: 0.9.10.0-1
Installationskandidat: 0.9.10.0-1
Versionstabelle:
*** 0.9.10.0-1 0
500 http://ftp.debian.org/debian/ jessie/main i386 Packages
100 /var/lib/dpkg/status
user pc1-asus:~$ apt-cache policy network-manager-openvpn-gnome
network-manager-openvpn-gnome:
Installiert: 0.9.10.0-1
Installationskandidat: 0.9.10.0-1
Versionstabelle:
*** 0.9.10.0-1 0
500 http://ftp.debian.org/debian/ jessie/main i386 Packages
100 /var/lib/dpkg/status

All maintained connections are working. This includes OpenVPN
connection type, too.
However, in order to use either nm-applet or command-line client
nmcli, I need to be root.
The issue I'm facing is that with an older release I could use either
nm-applet or nmcli without root authorization.
This becomes a critical issue in a multi-user desktop PC where most
users neither have root authorization nor can utilize sudo.

Question:
How can I ensure that both nm-applet and nmcli can be used without
root authorization?

It's certainly intended that they can all be used without root. When
you try to run 'nmcli' as a normal user, what error do you get? What is
the output of "nmcli gen perm" as a normal user?


$ nmcli -v
nmcli tool, version 0.9.10.0-14.git20140704.fc21

$ nmcli general permissions
PERMISSION VALUE
org.freedesktop.NetworkManager.enable-disable-network yes
org.freedesktop.NetworkManager.enable-disable-wifi yes
org.freedesktop.NetworkManager.enable-disable-wwan yes
org.freedesktop.NetworkManager.enable-disable-wimax yes
org.freedesktop.NetworkManager.sleep-wake no
org.freedesktop.NetworkManager.network-control yes
org.freedesktop.NetworkManager.wifi.share.protected yes
org.freedesktop.NetworkManager.wifi.share.open yes
org.freedesktop.NetworkManager.settings.modify.system yes
org.freedesktop.NetworkManager.settings.modify.own yes
org.freedesktop.NetworkManager.settings.modify.hostname auth

Is this expected output?

Yes, that is expected output for "permissive" installs.

What manages the sleep state?

The sleep-wake permission is actually unused. It was previously used
for the "private" Sleep() dbus method, the only user of which was
pm-utils scripts. Unfortunately the pm-utils scripts didn't wait for a
dbus reply, which meant NM couldn't determine the UID of the caller,
which meant polkit permission couldn't be used. So instead, the Sleep()
method is locked to root and the permission isn't used.

When upower or systemd are active, NetworkManager listens internally
for suspend/resume signals from those services instead of using
permissions or a D-Bus method.

Dan
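
Added example, not part of the original thread and not NetworkManager or polkit code: a small Python model of how the .pkla entry quoted above combines with session state, showing why membership in netdev alone is not enough when the session is not seen as active. It assumes a simplified rule (a session with a Seat is local, local and Active=yes selects ResultActive, local otherwise selects ResultInactive, everything else selects ResultAny); the loginctl excerpts and all function names are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Entry copied from the .pkla file quoted in the thread.
PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

ACTION = "org.freedesktop.NetworkManager.settings.modify.system"
GROUPS = ["manfred", "netdev", "verwandte", "tbb", "openvpn", "fcron"]

# Constructed `loginctl show-session` excerpts (not output from the thread).
SESSION_ACTIVE = "Name=manfred\nSeat=seat0\nActive=yes\nState=active\n"
SESSION_INACTIVE = "Name=manfred\nSeat=seat0\nActive=no\nState=online\n"
SESSION_NO_SEAT = "Name=manfred\nSeat=\nActive=yes\nState=active\n"

def parse_session(text):
    """Turn KEY=VALUE lines from loginctl into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def result_key(session):
    """Pick which Result* key applies (simplified model, an assumption)."""
    if not session.get("Seat"):
        return "ResultAny"
    return "ResultActive" if session.get("Active") == "yes" else "ResultInactive"

def evaluate(pkla_text, action, user, groups, session):
    """Return (result_key, value) of the first matching entry, or None."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of Identity/Action/Result* keys
    cp.read_string(pkla_text)
    subject = {f"unix-user:{user}"} | {f"unix-group:{g}" for g in groups}
    for name in cp.sections():
        entry = cp[name]
        ids = [i for i in entry.get("Identity", "").split(";") if i]
        acts = [a for a in entry.get("Action", "").split(";") if a]
        # Identity and Action are glob lists; fnmatch approximates the globbing.
        if not any(fnmatchcase(s, i) for s in subject for i in ids):
            continue
        if not any(fnmatchcase(action, a) for a in acts):
            continue
        key = result_key(session)
        return key, entry.get(key)
    return None
```

With the same user and groups, only the active seated session yields "yes"; the inactive and seatless sessions both resolve to "no", which matches the denial seen in `nmcli general permissions`.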


 



