On Fri, 2015-01-09 at 20:49 +0100, Thomas Schneider wrote:
> Hi,
>  
> here's an update on your questions
>  
> Let's start with the version of nmcli:
> user@pc1-asus:~$ nmcli -v
> nmcli-Werkzeug, Version 0.9.10.0
>  
> Now permissions:
> user@pc1-asus:~$ nmcli general permissions
> BEFUGNIS                                                 WERT
>  
> org.freedesktop.NetworkManager.enable-disable-network    nein        

Ok, this indicates that PolicyKit is denying the permissions to these
users.  The most likely reason is that NM has been built with
--with-session-tracking=[ck|systemd] and something is not properly
setting up the login sessions with ConsoleKit or systemd.

PolicyKit has a concept of active (e.g., using the computer right now) and
inactive (idle or non-human users) sessions.  NetworkManager uses these
for fast-user-switching and some permissions control.  It's likely that
all users on your machine are considered "inactive" according to
PolicyKit and thus being denied.

What do you get for the following commands?

ck-list-sessions
loginctl
loginctl show-session X (repeat for all sessions from 'loginctl')

If you're using ConsoleKit, your session manager needs to tell
ConsoleKit that it's starting a new session.  I'm not quite sure how
that happens with systemd, but it does somehow.

Alternatively, if you don't care about user permissions and want to
allow any user to control networking you can build NM with
--with-session-tracking=none and --with-polkit=no to disable this
functionality.

Dan
 
> org.freedesktop.NetworkManager.enable-disable-wifi       nein
>  
> org.freedesktop.NetworkManager.enable-disable-wwan       nein
>  
> org.freedesktop.NetworkManager.enable-disable-wimax      nein
>  
> org.freedesktop.NetworkManager.sleep-wake                nein
>  
> org.freedesktop.NetworkManager.network-control           nein
>  
> org.freedesktop.NetworkManager.wifi.share.protected      nein
>  
> org.freedesktop.NetworkManager.wifi.share.open           nein
>  
> org.freedesktop.NetworkManager.settings.modify.system    nein
>  
> org.freedesktop.NetworkManager.settings.modify.own       Legitimierung
> org.freedesktop.NetworkManager.settings.modify.hostname  Legitimierung
>  
> Output when running nm-applet w/o root permission:
> user@pc1-asus:~$ nm-applet
> (nm-applet:1167): libnm-glib-CRITICAL **: nm_secret_agent_register:
> assertion 'priv->registered == FALSE' failed
> (nm-applet:1167): nm-applet-WARNING **: VPN Connection activation
> failed: (org.freedesktop.NetworkManager.PermissionDenied) Not
> authorized to control networking.
>  
> Error message in /var/log/syslog:
> Jan  9 20:41:34 pc1-asus NetworkManager[5393]: <warn> Failed to
> activate 'Netzwerk-Thomas-VPN': Not authorized to control networking.
>  
> The current config file for the required VPN connection is:
> user@pc1-asus:~$ sudo cat /etc/NetworkManager/system-connections/VPN
> [connection]
> id=VPN
> uuid=a6ae2fac-4776-4f74-962c-a63113xxxxxx
> type=vpn
> permissions=user:<user>:;
> autoconnect=false
> [vpn]
> service-type=org.freedesktop.NetworkManager.openvpn
> connection-type=tls
> auth=SHA256
> remote=<mydyndns>
> cipher=AES-256-CBC
> comp-lzo=yes
> tunnel-mtu=1500
> cert-pass-flags=1
> cert=/etc/openvpn/config/server.crt
> ca=/etc/openvpn/config/server.pem
> key=/etc/openvpn/config/server.key
> ta=/etc/openvpn/config/ta.key
> [ipv6]
> method=auto
> ip6-privacy=0
> [ipv4]
> method=auto
>  
> This config file works perfectly when calling sudo nmcli.
>  
> I have identified that any user without root permission can utilize
> NetworkManager and nmcli respectively. In other words, the user needs
> to be member and run any command with "sudo".
> This is also true for using any device connected via USB, e.g. scanner
> or USB memory stick.
>  
>  
> THX
>   
> Sent: Thursday, 08 January 2015 at 17:39
> From: "Dan Williams" <d...@redhat.com>
> To: poma <pomidorabelis...@gmail.com>
> Cc: "Thomas Schneider" <c.mo...@web.de>, networkmanager-list@gnome.org
> Subject: Re: Only root can utilize nm-applet and nmcli as part of
> NetworkManager - how can other users use it w/o root?
> On Wed, 2015-01-07 at 23:42 +0100, poma wrote:
> > On 07.01.2015 18:29, Dan Williams wrote:
> > > On Mon, 2015-01-05 at 19:14 +0100, Thomas Schneider wrote:
> > >> Hello!
> > >>
> > >> I have installed latest version of NetworkManager and nmcli
> > >> respectively + OpenVPN plugin or NetworkManager.
> > >>
> > >> user@pc1-asus:~$ apt-cache policy network-manager
> > >> network-manager:
> > >> Installiert: 0.9.10.0-5
> > >> Installationskandidat: 0.9.10.0-5
> > >> Versionstabelle:
> > >> *** 0.9.10.0-5 0
> > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > >> 100 /var/lib/dpkg/status
> > >> user@pc1-asus:~$ apt-cache policy network-manager-gnome
> > >> network-manager-gnome:
> > >> Installiert: 0.9.10.0-2
> > >> Installationskandidat: 0.9.10.0-2
> > >> Versionstabelle:
> > >> *** 0.9.10.0-2 0
> > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > >> 100 /var/lib/dpkg/status
> > >> user@pc1-asus:~$ apt-cache policy network-manager-openvpn
> > >> network-manager-openvpn:
> > >> Installiert: 0.9.10.0-1
> > >> Installationskandidat: 0.9.10.0-1
> > >> Versionstabelle:
> > >> *** 0.9.10.0-1 0
> > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > >> 100 /var/lib/dpkg/status
> > >> user@pc1-asus:~$ apt-cache policy network-manager-openvpn-gnome
> > >> network-manager-openvpn-gnome:
> > >> Installiert: 0.9.10.0-1
> > >> Installationskandidat: 0.9.10.0-1
> > >> Versionstabelle:
> > >> *** 0.9.10.0-1 0
> > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > >> 100 /var/lib/dpkg/status
> > >>
> > >> All maintained connections are working. This includes OpenVPN
> > >> connection type, too.
> > >> However, in order to use either nm-applet or command-line client
> > >> nmcli, I need to be root.
> > >> The issue I'm facing is that with older release I could use
> either
> > >> nm-applet or nmcli without root authorization.
> > >> This becomes a critical issue in a multi-user desktop PC where
> most
> > >> user neither have root authorization nor can utilize sudo.
> > >>
> > >> Question:
> > >> How can I ensure that both, nm-applet and nmcli, can be used
> without
> > >> root authorization?
> > >
> > > It's certainly intended that they can all be used without root.
> When
> > > you try to run 'nmcli' as a normal user, what error do you get?
> What is
> > > the output of "nmcli gen perm" as a normal user?
> > >
> >
> > $ nmcli -v
> > nmcli tool, version 0.9.10.0-14.git20140704.fc21
> >
> > $ nmcli general permissions
> > PERMISSION VALUE
> > org.freedesktop.NetworkManager.enable-disable-network yes
> > org.freedesktop.NetworkManager.enable-disable-wifi yes
> > org.freedesktop.NetworkManager.enable-disable-wwan yes
> > org.freedesktop.NetworkManager.enable-disable-wimax yes
> > org.freedesktop.NetworkManager.sleep-wake no
> > org.freedesktop.NetworkManager.network-control yes
> > org.freedesktop.NetworkManager.wifi.share.protected yes
> > org.freedesktop.NetworkManager.wifi.share.open yes
> > org.freedesktop.NetworkManager.settings.modify.system yes
> > org.freedesktop.NetworkManager.settings.modify.own yes
> > org.freedesktop.NetworkManager.settings.modify.hostname auth
> >
> > Is this expected output?
> 
> Yes, that is expected output for "permissive" installs.
> 
> > What manages the sleep state?
> 
> The sleep-wake permission is actually unused. It was previously used
> for the "private" Sleep() dbus method, the only user of which was
> pm-utils scripts. Unfortunately the pm-utils scripts didn't wait for a
> dbus reply, which meant NM couldn't determine the UID of the caller,
> which meant polkit permission couldn't be used. So instead, the
> Sleep()
> method is locked to root and the permission isn't used.
> 
> When upower or systemd are active, NetworkManager listens internally
> for
> suspend/resume signals from those services instead of using
> permissions
> or a D-Bus method.
> 
> Dan
>  


_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
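
The active/inactive session check discussed in the reply above, as an added example that is not part of the original thread and is not NetworkManager or polkit code. It maps `loginctl show-session` properties to the polkit default (`allow_active`, `allow_inactive`, `allow_any`) that would apply; the function names and sample sessions are constructed, and it assumes a session counts as local when it has a `Seat` and as active when `Active=yes`.

```shell
#!/bin/sh
# Added example. Reads the KEY=VALUE output of `loginctl show-session <id>`
# on stdin and prints which polkit default applies to that session.
# Assumption: local == session has a Seat, active == Active=yes.
polkit_bucket() (
    id="" seat="" active=""
    while IFS='=' read -r key value; do
        case "$key" in
            Id)     id=$value ;;
            Seat)   seat=$value ;;
            Active) active=$value ;;
        esac
    done
    if [ -z "$id" ] || [ -z "$seat" ]; then
        # No tracked session, or no seat (e.g. ssh): only allow_any applies.
        echo allow_any
    elif [ "$active" = "yes" ]; then
        echo allow_active
    else
        # Local but not in the foreground, or never marked active at login.
        echo allow_inactive
    fi
)

# Constructed sample sessions (not taken from the thread).
sample_desktop()  { printf '%s\n' Id=2 Name=user Seat=seat0 Remote=no Active=yes State=active; }
sample_switched() { printf '%s\n' Id=3 Name=user Seat=seat0 Remote=no Active=no State=online; }
sample_ssh()      { printf '%s\n' Id=7 Name=user Remote=yes Active=yes State=active; }
sample_untracked() { :; }   # login never registered: loginctl returns nothing

# Live use on a systemd machine (not run here): classify every session.
audit_live() {
    loginctl list-sessions --no-legend | while read -r sid _; do
        printf '%s: %s\n' "$sid" "$(loginctl show-session "$sid" | polkit_bucket)"
    done
}

for s in sample_desktop sample_switched sample_ssh sample_untracked; do
    printf '%-17s %s\n' "$s" "$($s | polkit_bucket)"
done
```

A desktop user whose session classifies as anything other than `allow_active` gets only the stricter defaults, which matches the all-`nein` permission list quoted in the thread.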
