On Sat, 2015-01-10 at 14:12 +0100, Thomas Schneider wrote:
> Hi!
>  
> I checked if this could be related to pklocalauthority that is
> documented here
> (http://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html)
>  
> Checking the relevant config file for NetworkManager looks good to me.
> But it's not clear why manfred cannot utilize NetworkManager as he
> belongs to group netdev.
>  
> user@pc1-asus:~$ sudo cat /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.NetworkManager.pkla
> [Adding or changing system-wide NetworkManager connections]
> Identity=unix-group:netdev;unix-group:sudo
> Action=org.freedesktop.NetworkManager.settings.modify.system
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
>  
> user@pc1-asus:~$ id manfred
> uid=1005(manfred) gid=1005(manfred)
> Gruppen=1005(manfred),117(netdev),1013(verwandte),126(tbb),127(openvpn),128(fcron)

Try this:

pkaction -v -a org.freedesktop.NetworkManager.settings.modify.system

What do you get when running this as the user 'manfred'?  Also when you
do this, please grab the results of 'loginctl show-session X' where X is
the session for 'manfred'.  I know you sent the mail to me privately with
this output, but I want to make sure that loginctl and pkaction output
is from the same run.

Thanks!
Dan

> Should I now go with the new compilation of NetworkManager using
> --with-session-tracking=[ck|systemd]?
> Is there a way to identify which options have been used with the
> package shipped by the distribution?
>  
> THX
>   
> Sent: Friday, 09 January 2015 at 23:13
> From: "Dan Williams" <d...@redhat.com>
> To: "Thomas Schneider" <c.mo...@web.de>
> Cc: poma <pomidorabelis...@gmail.com>, networkmanager-list@gnome.org
> Subject: Re: Aw: Re: Only root can utilize nm-applet and nmcli as part
> of NetworkManager - how can other users use it w/o root?
> On Fri, 2015-01-09 at 20:49 +0100, Thomas Schneider wrote:
> > Hi,
> >
> > here's an update on your questions
> >
> > Let's start with the version of nmcli:
> > user@pc1-asus:~$ nmcli -v
> > nmcli-Werkzeug, Version 0.9.10.0
> >
> > Now permissions:
> > user@pc1-asus:~$ nmcli general permissions
> > BEFUGNIS WERT
> >
> > org.freedesktop.NetworkManager.enable-disable-network nein
> 
> Ok, this indicates that PolicyKit is denying the permissions to these
> users. The most likely reason is that NM has been built with
> --with-session-tracking=[ck|systemd] and something is not properly
> setting up the login sessions with ConsoleKit or systemd.
> 
> PolicyKit has a concept of active (eg, using the computer right now) and
> inactive (idle or non-human users) sessions. NetworkManager uses these
> for fast-user-switching and some permissions control. It's likely that
> all users on your machine are considered "inactive" according to
> PolicyKit and thus being denied.
> 
> What do you get for the following commands?
> 
> ck-list-sessions
> loginctl
> loginctl show-session X (repeat for all sessions from 'loginctl')
> 
> If you're using ConsoleKit, your session manager needs to tell
> ConsoleKit that it's starting a new session. I'm not quite sure how
> that happens with systemd, but it does somehow.
> 
> Alternatively, if you don't care about user permissions and want to
> allow any user to control networking you can build NM with
> --with-session-tracking=none and --with-polkit=no to disable this
> functionality.
> 
> Dan
> 
> > org.freedesktop.NetworkManager.enable-disable-wifi nein
> >
> > org.freedesktop.NetworkManager.enable-disable-wwan nein
> >
> > org.freedesktop.NetworkManager.enable-disable-wimax nein
> >
> > org.freedesktop.NetworkManager.sleep-wake nein
> >
> > org.freedesktop.NetworkManager.network-control nein
> >
> > org.freedesktop.NetworkManager.wifi.share.protected nein
> >
> > org.freedesktop.NetworkManager.wifi.share.open nein
> >
> > org.freedesktop.NetworkManager.settings.modify.system nein
> >
> > org.freedesktop.NetworkManager.settings.modify.own Legitimierung
> > org.freedesktop.NetworkManager.settings.modify.hostname Legitimierung
> >
> > Output when running nm-applet w/o root permission:
> > user@pc1-asus:~$ nm-applet
> > (nm-applet:1167): libnm-glib-CRITICAL **: nm_secret_agent_register:
> > assertion 'priv->registered == FALSE' failed
> > (nm-applet:1167): nm-applet-WARNING **: VPN Connection activation
> > failed: (org.freedesktop.NetworkManager.PermissionDenied) Not
> > authorized to control networking.
> >
> > Error message in /var/log/syslog:
> > Jan 9 20:41:34 pc1-asus NetworkManager[5393]: <warn> Failed to activate 'Netzwerk-Thomas-VPN': Not authorized to control networking.
> >
> > The current config file for the required VPN connection is:
> > user@pc1-asus:~$ sudo cat /etc/NetworkManager/system-connections/VPN
> > [connection]
> > id=VPN
> > uuid=a6ae2fac-4776-4f74-962c-a63113xxxxxx
> > type=vpn
> > permissions=user:<user>:;
> > autoconnect=false
> > [vpn]
> > service-type=org.freedesktop.NetworkManager.openvpn
> > connection-type=tls
> > auth=SHA256
> > remote=<mydyndns>
> > cipher=AES-256-CBC
> > comp-lzo=yes
> > tunnel-mtu=1500
> > cert-pass-flags=1
> > cert=/etc/openvpn/config/server.crt
> > ca=/etc/openvpn/config/server.pem
> > key=/etc/openvpn/config/server.key
> > ta=/etc/openvpn/config/ta.key
> > [ipv6]
> > method=auto
> > ip6-privacy=0
> > [ipv4]
> > method=auto
> >
> > This config file works perfectly when calling sudo nmcli.
> >
> > I have identified that any user without root permission can utilize
> > NetworkManager and nmcli respectively. In other words, the user needs
> > to be a member and run any command with "sudo".
> > This is also true for using any device connected via USB, e.g. scanner
> > or USB memory stick.
> >
> >
> > THX
> >
> > Sent: Thursday, 08 January 2015 at 17:39
> > From: "Dan Williams" <d...@redhat.com>
> > To: poma <pomidorabelis...@gmail.com>
> > Cc: "Thomas Schneider" <c.mo...@web.de>, networkmanager-list@gnome.org
> > Subject: Re: Only root can utilize nm-applet and nmcli as part of
> > NetworkManager - how can other users use it w/o root?
> > On Wed, 2015-01-07 at 23:42 +0100, poma wrote:
> > > On 07.01.2015 18:29, Dan Williams wrote:
> > > > On Mon, 2015-01-05 at 19:14 +0100, Thomas Schneider wrote:
> > > >> Hello!
> > > >>
> > > >> I have installed latest version of NetworkManager and nmcli
> > > >> respectively + OpenVPN plugin or NetworkManager.
> > > >>
> > > >> user@pc1-asus:~$ apt-cache policy network-manager
> > > >> network-manager:
> > > >> Installiert: 0.9.10.0-5
> > > >> Installationskandidat: 0.9.10.0-5
> > > >> Versionstabelle:
> > > >> *** 0.9.10.0-5 0
> > > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > > >> 100 /var/lib/dpkg/status
> > > >> user@pc1-asus:~$ apt-cache policy network-manager-gnome
> > > >> network-manager-gnome:
> > > >> Installiert: 0.9.10.0-2
> > > >> Installationskandidat: 0.9.10.0-2
> > > >> Versionstabelle:
> > > >> *** 0.9.10.0-2 0
> > > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > > >> 100 /var/lib/dpkg/status
> > > >> user@pc1-asus:~$ apt-cache policy network-manager-openvpn
> > > >> network-manager-openvpn:
> > > >> Installiert: 0.9.10.0-1
> > > >> Installationskandidat: 0.9.10.0-1
> > > >> Versionstabelle:
> > > >> *** 0.9.10.0-1 0
> > > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > > >> 100 /var/lib/dpkg/status
> > > >> user@pc1-asus:~$ apt-cache policy network-manager-openvpn-gnome
> > > >> network-manager-openvpn-gnome:
> > > >> Installiert: 0.9.10.0-1
> > > >> Installationskandidat: 0.9.10.0-1
> > > >> Versionstabelle:
> > > >> *** 0.9.10.0-1 0
> > > >> 500 http://ftp.debian.org/debian/ jessie/main i386 Packages
> > > >> 100 /var/lib/dpkg/status
> > > >>
> > > >> All maintained connections are working. This includes OpenVPN
> > > >> connection type, too.
> > > >> However, in order to use either nm-applet or command-line client
> > > >> nmcli, I need to be root.
> > > >> The issue I'm facing is that with older release I could use either
> > > >> nm-applet or nmcli without root authorization.
> > > >> This becomes a critical issue in a multi-user desktop PC where most
> > > >> users neither have root authorization nor can utilize sudo.
> > > >>
> > > >> Question:
> > > >> How can I ensure that both, nm-applet and nmcli, can be used without
> > > >> root authorization?
> > > >
> > > > It's certainly intended that they can all be used without root. When
> > > > you try to run 'nmcli' as a normal user, what error do you get? What is
> > > > the output of "nmcli gen perm" as a normal user?
> > > >
> > >
> > > $ nmcli -v
> > > nmcli tool, version 0.9.10.0-14.git20140704.fc21
> > >
> > > $ nmcli general permissions
> > > PERMISSION VALUE
> > > org.freedesktop.NetworkManager.enable-disable-network yes
> > > org.freedesktop.NetworkManager.enable-disable-wifi yes
> > > org.freedesktop.NetworkManager.enable-disable-wwan yes
> > > org.freedesktop.NetworkManager.enable-disable-wimax yes
> > > org.freedesktop.NetworkManager.sleep-wake no
> > > org.freedesktop.NetworkManager.network-control yes
> > > org.freedesktop.NetworkManager.wifi.share.protected yes
> > > org.freedesktop.NetworkManager.wifi.share.open yes
> > > org.freedesktop.NetworkManager.settings.modify.system yes
> > > org.freedesktop.NetworkManager.settings.modify.own yes
> > > org.freedesktop.NetworkManager.settings.modify.hostname auth
> > >
> > > Is this expected output?
> >
> > Yes, that is expected output for "permissive" installs.
> >
> > > What manages the sleep state?
> >
> > The sleep-wake permission is actually unused. It was previously used
> > for the "private" Sleep() dbus method, the only user of which was
> > pm-utils scripts. Unfortunately the pm-utils scripts didn't wait for a
> > dbus reply, which meant NM couldn't determine the UID of the caller,
> > which meant polkit permission couldn't be used. So instead, the Sleep()
> > method is locked to root and the permission isn't used.
> >
> > When upower or systemd are active, NetworkManager listens internally for
> > suspend/resume signals from those services instead of using permissions
> > or a D-Bus method.
> >
> > Dan
> >
> 
>  


_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
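
Added example, not part of the original thread and not polkit or NetworkManager code: a small Python evaluator for the .pkla entry quoted in the message above, showing how the same `netdev` membership yields `yes` or `no` depending on how the login session is classified. The `loginctl show-session` excerpts are constructed, and the seat-based locality test and the last-matching-entry ordering are simplifying assumptions of this example.

```python
import configparser
from fnmatch import fnmatchcase

# The .pkla entry quoted in the thread.
PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
ACTION = "org.freedesktop.NetworkManager.settings.modify.system"
GROUPS = ["manfred", "netdev", "verwandte", "tbb", "openvpn", "fcron"]

# Constructed `loginctl show-session` excerpts (not output from the thread).
SESSION_ACTIVE = "Name=manfred\nSeat=seat0\nRemote=no\nActive=yes\n"
SESSION_NOT_TRACKED = "Name=manfred\nSeat=\nRemote=no\nActive=no\n"

def session_class(show_session_text):
    """Map loginctl properties to the pkla result key that applies."""
    props = dict(l.split("=", 1) for l in show_session_text.splitlines() if "=" in l)
    if not props.get("Seat"):      # assumption: no seat => not a local console
        return "ResultAny"
    return "ResultActive" if props.get("Active") == "yes" else "ResultInactive"

def evaluate(pkla_text, user, groups, action, result_key):
    """Result of the last matching entry, or None if no entry applies."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str           # keep key case: Identity, Action, Result*
    cp.read_string(pkla_text)
    subjects = {f"unix-user:{user}"} | {f"unix-group:{g}" for g in groups}
    verdict = None
    for section in cp.sections():
        entry = cp[section]
        idents = [i for i in entry.get("Identity", "").split(";") if i]
        actions = [a for a in entry.get("Action", "").split(";") if a]
        if not any(fnmatchcase(s, i) for s in subjects for i in idents):
            continue               # neither the user nor a group is listed
        if not any(fnmatchcase(action, a) for a in actions):
            continue               # entry covers a different action
        verdict = entry.get(result_key, verdict)
    return verdict

if __name__ == "__main__":
    for name, text in (("active", SESSION_ACTIVE), ("untracked", SESSION_NOT_TRACKED)):
        key = session_class(text)
        print(name, key, evaluate(PKLA, "manfred", GROUPS, ACTION, key))
```

A `None` result means no .pkla entry matched, in which case the action's own defaults (as shown by `pkaction -v`) decide.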