Hi,
here's an update on your questions.
Let's start with the version of nmcli:
user@pc1-asus:~$ nmcli -v
nmcli-Werkzeug, Version 0.9.10.0
Now permissions:
user@pc1-asus:~$ nmcli general permissions
BEFUGNIS WERT
org.freedesktop.NetworkManager.enable-disable-network nein
org.freedesktop.NetworkManager.enable-disable-wifi nein
org.freedesktop.NetworkManager.enable-disable-wwan nein
org.freedesktop.NetworkManager.enable-disable-wimax nein
org.freedesktop.NetworkManager.sleep-wake nein
org.freedesktop.NetworkManager.network-control nein
org.freedesktop.NetworkManager.wifi.share.protected nein
org.freedesktop.NetworkManager.wifi.share.open nein
org.freedesktop.NetworkManager.settings.modify.system nein
org.freedesktop.NetworkManager.settings.modify.own Legitimierung
org.freedesktop.NetworkManager.settings.modify.hostname Legitimierung
Output when running nm-applet w/o root permission:
user@pc1-asus:~$ nm-applet
(nm-applet:1167): libnm-glib-CRITICAL **: nm_secret_agent_register: assertion 'priv->registered == FALSE' failed
(nm-applet:1167): nm-applet-WARNING **: VPN Connection activation failed: (org.freedesktop.NetworkManager.PermissionDenied) Not authorized to control networking.
Error message in /var/log/syslog:
Jan 9 20:41:34 pc1-asus NetworkManager[5393]: <warn> Failed to activate 'Netzwerk-Thomas-VPN': Not authorized to control networking.
The current config file for the required VPN connection is:
user@pc1-asus:~$ sudo cat /etc/NetworkManager/system-connections/VPN
[connection]
id=VPN
uuid=a6ae2fac-4776-4f74-962c-a63113xxxxxx
type=vpn
permissions=user:<user>:;
autoconnect=false
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
auth=SHA256
remote=<mydyndns>
cipher=AES-256-CBC
comp-lzo=yes
tunnel-mtu=1500
cert-pass-flags=1
cert=/etc/openvpn/config/server.crt
ca=/etc/openvpn/config/server.pem
key=/etc/openvpn/config/server.key
ta=/etc/openvpn/config/ta.key
[ipv6]
method=auto
ip6-privacy=0
[ipv4]
method=auto
This config file works perfectly when calling sudo nmcli.
I have identified that any user without root permission can utilize NetworkManager and nmcli respectively. In other words, the user needs to be a member and run any command with "sudo".
This is also true for using any device connected via USB, e.g. scanner or USB memory stick.
THX
Sent: Thursday, 08 January 2015 at 17:39
From: "Dan Williams" <d...@redhat.com>
To: poma <pomidorabelis...@gmail.com>
Cc: "Thomas Schneider" <c.mo...@web.de>, networkmanager-list@gnome.org
Subject: Re: Only root can utilize nm-applet and nmcli as part of NetworkManager - how can other users use it w/o root?
On Wed, 2015-01-07 at 23:42 +0100, poma wrote:
> On 07.01.2015 18:29, Dan Williams wrote:
> > On Mon, 2015-01-05 at 19:14 +0100, Thomas Schneider wrote:
> >> Hello!
> >>
> >> I have installed the latest version of NetworkManager and nmcli
> >> respectively + OpenVPN plugin or NetworkManager.
> >>
> >> user@pc1-asus:~$ apt-cache policy network-manager
> >> network-manager:
> >> Installiert: 0.9.10.0-5
> >> Installationskandidat: 0.9.10.0-5
> >> Versionstabelle:
> >> *** 0.9.10.0-5 0
> >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> >> 100 /var/lib/dpkg/status
> >> user@pc1-asus:~$ apt-cache policy network-manager-gnome
> >> network-manager-gnome:
> >> Installiert: 0.9.10.0-2
> >> Installationskandidat: 0.9.10.0-2
> >> Versionstabelle:
> >> *** 0.9.10.0-2 0
> >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> >> 100 /var/lib/dpkg/status
> >> user@pc1-asus:~$ apt-cache policy network-manager-openvpn
> >> network-manager-openvpn:
> >> Installiert: 0.9.10.0-1
> >> Installationskandidat: 0.9.10.0-1
> >> Versionstabelle:
> >> *** 0.9.10.0-1 0
> >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> >> 100 /var/lib/dpkg/status
> >> user@pc1-asus:~$ apt-cache policy network-manager-openvpn-gnome
> >> network-manager-openvpn-gnome:
> >> Installiert: 0.9.10.0-1
> >> Installationskandidat: 0.9.10.0-1
> >> Versionstabelle:
> >> *** 0.9.10.0-1 0
> >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> >> 100 /var/lib/dpkg/status
> >>
> >> All maintained connections are working. This includes OpenVPN
> >> connection type, too.
> >> However, in order to use either nm-applet or command-line client
> >> nmcli, I need to be root.
> >> The issue I'm facing is that with an older release I could use either
> >> nm-applet or nmcli without root authorization.
> >> This becomes a critical issue in a multi-user desktop PC where most
> >> users neither have root authorization nor can utilize sudo.
> >>
> >> Question:
> >> How can I ensure that both, nm-applet and nmcli, can be used without
> >> root authorization?
> >
> > It's certainly intended that they can all be used without root. When
> > you try to run 'nmcli' as a normal user, what error do you get? What is
> > the output of "nmcli gen perm" as a normal user?
> >
>
> $ nmcli -v
> nmcli tool, version 0.9.10.0-14.git20140704.fc21
>
> $ nmcli general permissions
> PERMISSION VALUE
> org.freedesktop.NetworkManager.enable-disable-network yes
> org.freedesktop.NetworkManager.enable-disable-wifi yes
> org.freedesktop.NetworkManager.enable-disable-wwan yes
> org.freedesktop.NetworkManager.enable-disable-wimax yes
> org.freedesktop.NetworkManager.sleep-wake no
> org.freedesktop.NetworkManager.network-control yes
> org.freedesktop.NetworkManager.wifi.share.protected yes
> org.freedesktop.NetworkManager.wifi.share.open yes
> org.freedesktop.NetworkManager.settings.modify.system yes
> org.freedesktop.NetworkManager.settings.modify.own yes
> org.freedesktop.NetworkManager.settings.modify.hostname auth
>
> Is this expected output?
Yes, that is expected output for "permissive" installs.
> What manages the sleep state?
The sleep-wake permission is actually unused. It was previously used
for the "private" Sleep() dbus method, the only user of which was
pm-utils scripts. Unfortunately the pm-utils scripts didn't wait for a
dbus reply, which meant NM couldn't determine the UID of the caller,
which meant polkit permission couldn't be used. So instead, the Sleep()
method is locked to root and the permission isn't used.
When upower or systemd are active, NetworkManager listens internally for
suspend/resume signals from those services instead of using permissions
or a D-Bus method.
Dan
_______________________________________________ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list