RE: networkmanager permissions problem

2018-02-21 Thread John Frankish
> > I've previously compiled modemmanager and networkmanager from source 
> > on x86_64 (non-systemd) and they work fine.
> > 
> > Using basically the same method on an RPi3 (non-systemd) - I get 
> > permissions problems.
> > 
> > I've compiled both (ModemManager-1.6.12, NetworkManager-1.4.6) with
> > and without polkit, but both give a permissions error on starting
> > nm-dispatcher.
> > 
> > I've tried starting nm-dispatcher and polkitd directly as root (the 
> > dbus and networkmanager daemons are running as root) and neither give 
> > errors.
> 
> It's not polkit that's the problem here. It's D-Bus service activation
> that's not able to launch nm-dispatcher or wpa_supplicant or polkit.
> Perhaps that's because of something like selinux or apparmor preventing the
> main dbus-daemon process from running them, or perhaps permissions aren't
> set on them correctly, or perhaps the paths in the service activation files in
> /etc/dbus-1/system.d/ aren't correct.
> 
> Activation is a feature of dbus that actually runs the given program the first
> time a request is made to that program's D-Bus interface.  On systemd systems,
> that's handled by systemd.  On non-systemd systems, D-Bus has a helper that
> the main dbus-daemon execs which then runs the given service binary.
> 
Aaargh

The permissions on dbus-daemon-launch-helper were incorrect.

Things work fine now - sorry for the noise.

John

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
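
The causes listed in the reply quoted above (helper permissions, activation file paths) and the fix reported in this message can be checked with a script. This is an added example, not code from the thread, D-Bus or NetworkManager: the function names and the `messagebus` group are assumptions, it expects GNU or BusyBox `stat`, and it tests for owner root, the bus group and mode 4750 on `dbus-daemon-launch-helper`, the values the upstream D-Bus install step applies.

```shell
#!/bin/sh
# Added example: triage D-Bus system-bus activation failures (non-systemd).
# Assumptions: GNU or BusyBox stat(1); bus group "messagebus"; the caller
# passes the helper path and the activation directory of its install prefix
# (activation files live in <prefix>/share/dbus-1/system-services).

# Print one line per problem with the setuid activation helper.
helper_problems() {
    helper=$1
    bus_group=${2:-messagebus}
    [ -f "$helper" ] || { echo "missing: $helper"; return 0; }
    set -- $(stat -c '%u %G %a' "$helper")
    [ "$1" = 0 ] || echo "owner uid is $1, expected 0 (root)"
    [ "$2" = "$bus_group" ] || echo "group is $2, expected $bus_group"
    [ -u "$helper" ] || echo "setuid bit not set"
    [ "$3" = 4750 ] || echo "mode is $3, expected 4750"
}

# Read syslog text on stdin; print bus names whose activation was denied.
failed_services() {
    sed -n "s/.*Activated service '\([^']*\)' failed: .*Permission denied.*/\1/p" |
        sort -u
}

# Print problems with the activation file for bus name $1 found in dir $2.
service_problems() {
    file=$(grep -l "^Name=$1\$" "$2"/*.service 2>/dev/null | head -n 1)
    [ -n "$file" ] || { echo "$1: no activation file in $2"; return 0; }
    exe=$(sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$file" | head -n 1)
    if [ ! -e "$exe" ]; then
        echo "$1: Exec target '$exe' does not exist"
    elif [ ! -x "$exe" ]; then
        echo "$1: Exec target '$exe' is not executable"
    fi
}

# Usage: triage LOGFILE HELPER SERVICE_DIR
triage() {
    helper_problems "$2"
    failed_services < "$1" | while read -r svc; do
        service_problems "$svc" "$3"
    done
}
```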


Re: networkmanager permissions problem

2018-02-20 Thread Dan Williams
On Mon, 2018-02-19 at 06:12 +, John Frankish wrote:
> I've previously compiled modemmanager and networkmanager from source
> on x86_64 (non-systemd) and they work fine.
> 
> Using basically the same method on an RPi3 (non-systemd) - I get
> permissions problems.
> 
> I've compiled both (ModemManager-1.6.12, NetworkManager-1.4.6) with
> and without polkit, but both give a permissions error on starting
> nm-dispatcher.
> 
> I've tried starting nm-dispatcher and polkitd directly as root (the
> dbus and networkmanager daemons are running as root) and neither give
> errors.

It's not polkit that's the problem here.  It's D-Bus service activation
that's not able to launch nm-dispatcher or wpa_supplicant or polkit. 
Perhaps that's because of something like selinux or apparmor preventing
the main dbus-daemon process from running them, or perhaps permissions
aren't set on them correctly, or perhaps the paths in the service
activation files in /etc/dbus-1/system.d/ aren't correct.

Activation is a feature of dbus that actually runs the given program
the first time a request is made to that program's D-Bus interface.  On
systemd systems, that's handled by systemd.  On non-systemd systems,
D-Bus has a helper that the main dbus-daemon execs which then runs the
given service binary.

Dan

> Note also that eth0 is already running using udhcpc before starting
> networkmanager to enable an ssh connection.
> 
> Any troubleshooting suggestions would be much appreciated.
> 
> --
> 
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.5505] NetworkManager (version 1.4.6) is
> starting...
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.5507] Read config:
> /usr/local/etc/NetworkManager/nm-system-settings.conf
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.5766] manager[0xdd0028]: monitoring kernel
> firmware directory '/lib/firmware'.
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6028] dns-mgr[0xdda440]: init: dns=default, rc-
> manager=symlink
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6176] rfkill0: found WiFi radio killswitch (at
> /sys/devices/platform/soc/3f30.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0
> 001:1/ieee80211/phy0/rfkill0) (driver brcmfmac)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6183] manager[0xdd0028]: WiFi hardware radio set
> enabled
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6184] manager[0xdd0028]: WWAN hardware radio set
> enabled
> Feb 18 05:55:02 box daemon.notice dbus[2961]: [system] Activating
> service name='org.freedesktop.nm_dispatcher' (using servicehelper)
> Feb 18 05:55:02 box daemon.notice dbus[2961]: [system] Activated
> service 'org.freedesktop.nm_dispatcher' failed: Failed to execute
> program org.freedesktop.nm_dispatcher: Permission denied
> Feb 18 05:55:02 box daemon.err NetworkManager[2966]: 
> [1518933302.6487] dispatcher: could not get dispatcher proxy! Error
> calling StartServiceByName for org.freedesktop.nm_dispatcher:
> GDBus.Error:org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to
> execute program org.freedesktop.nm_dispatcher: Permission denied
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6495] settings: loaded plugin keyfile: (c) 2007 -
> 2015 Red Hat, Inc.  To report bugs please use the NetworkManager
> mailing list.
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6565] settings: hostname: couldn't get property
> from hostnamed
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6585] dhcp-init: Using DHCP client 'dhcpcd'
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6587] manager: WiFi enabled by radio killswitch;
> enabled by state file
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6589] manager: WWAN enabled by radio killswitch;
> enabled by state file
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6590] manager: Networking is enabled by state
> file
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6594] Loaded device plugin: NMVxlanFactory
> (internal)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6595] Loaded device plugin: NMVlanFactory
> (internal)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6596] Loaded device plugin: NMVethFactory
> (internal)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6598] Loaded device plugin: NMTunFactory
> (internal)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6599] Loaded device plugin: NMMacvlanFactory
> (internal)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6600] Loaded device plugin: NMIPTunnelFactory
> (internal)
> Feb 18 05:55:02 box daemon.info NetworkManager[2966]:
>   [1518933302.6601] Loaded device plugin: NMInfinibandFactory
> 

networkmanager permissions problem

2018-02-19 Thread John Frankish
I've previously compiled modemmanager and networkmanager from source on x86_64 
(non-systemd) and they work fine.

Using basically the same method on an RPi3 (non-systemd) - I get permissions 
problems.

I've compiled both (ModemManager-1.6.12, NetworkManager-1.4.6) with and without 
polkit, but both give a permissions error on starting nm-dispatcher.

I've tried starting nm-dispatcher and polkitd directly as root (the dbus and 
networkmanager daemons are running as root) and neither give errors.

Note also that eth0 is already running using udhcpc before starting 
networkmanager to enable an ssh connection.

Any troubleshooting suggestions would be much appreciated.

--

Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.5505] 
NetworkManager (version 1.4.6) is starting...
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.5507] 
Read config: /usr/local/etc/NetworkManager/nm-system-settings.conf
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.5766] 
manager[0xdd0028]: monitoring kernel firmware directory '/lib/firmware'.
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6028] 
dns-mgr[0xdda440]: init: dns=default, rc-manager=symlink
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6176] 
rfkill0: found WiFi radio killswitch (at 
/sys/devices/platform/soc/3f30.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/ieee80211/phy0/rfkill0)
 (driver brcmfmac)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6183] 
manager[0xdd0028]: WiFi hardware radio set enabled
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6184] 
manager[0xdd0028]: WWAN hardware radio set enabled
Feb 18 05:55:02 box daemon.notice dbus[2961]: [system] Activating service 
name='org.freedesktop.nm_dispatcher' (using servicehelper)
Feb 18 05:55:02 box daemon.notice dbus[2961]: [system] Activated service 
'org.freedesktop.nm_dispatcher' failed: Failed to execute program 
org.freedesktop.nm_dispatcher: Permission denied
Feb 18 05:55:02 box daemon.err NetworkManager[2966]:  [1518933302.6487] 
dispatcher: could not get dispatcher proxy! Error calling StartServiceByName 
for org.freedesktop.nm_dispatcher: 
GDBus.Error:org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute 
program org.freedesktop.nm_dispatcher: Permission denied
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6495] 
settings: loaded plugin keyfile: (c) 2007 - 2015 Red Hat, Inc.  To report bugs 
please use the NetworkManager mailing list.
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6565] 
settings: hostname: couldn't get property from hostnamed
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6585] 
dhcp-init: Using DHCP client 'dhcpcd'
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6587] 
manager: WiFi enabled by radio killswitch; enabled by state file
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6589] 
manager: WWAN enabled by radio killswitch; enabled by state file
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6590] 
manager: Networking is enabled by state file
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6594] 
Loaded device plugin: NMVxlanFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6595] 
Loaded device plugin: NMVlanFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6596] 
Loaded device plugin: NMVethFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6598] 
Loaded device plugin: NMTunFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6599] 
Loaded device plugin: NMMacvlanFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6600] 
Loaded device plugin: NMIPTunnelFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6601] 
Loaded device plugin: NMInfinibandFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6603] 
Loaded device plugin: NMEthernetFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6604] 
Loaded device plugin: NMBridgeFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6605] 
Loaded device plugin: NMBondFactory (internal)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.6951] 
Loaded device plugin: NMWwanFactory 
(/usr/local/lib/NetworkManager/libnm-device-plugin-wwan.so)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.7082] 
Loaded device plugin: NMWifiFactory 
(/usr/local/lib/NetworkManager/libnm-device-plugin-wifi.so)
Feb 18 05:55:02 box daemon.info NetworkManager[2966]:   [1518933302.7240] 
Loaded device plugin: NMBluezManager 
(/usr/local/lib/NetworkManager/libnm-device-plugin-bluetooth.so)
Feb 18 05:55:02 box 

Re: NetworkManager permissions

2014-12-19 Thread Peter Magnusson
Sounds good, I've now reported the bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1176042

Thank you for your help Dan.


On Thu, Dec 18, 2014 at 5:32 PM, Dan Williams d...@redhat.com wrote:
> On Thu, 2014-12-18 at 11:44 +0100, Peter Magnusson wrote:
> > Hi Dan,
> >
> > Thank you for the reply! This sounds like a good solution to me,
> > unfortunately we are indeed using Gnome Shell UI so that would cause a
> > problem.
> >
> > So what you are saying is that right now there is no way to achieve
> > this while using gnome shell?
>
> There might be something we can do in NM itself though, given the way
> the shell and most other clients create new connections.  But either
> way, best thing to do would be to file a bug at
> http://bugzilla.redhat.com against RHEL7 and assign to the
> NetworkManager component so it doesn't get lost.  Does that sound OK?
>
> Thanks!
> Dan
>
> > On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams d...@redhat.com wrote:
> > > On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
> > > > I'm having some problems with permissions on NetworkManager. We are in
> > > > the process of migrating our clients from RHEL 6.6 to RHEL 7.
> > > > The clients connect to our wireless network using eap-tls, we provide
> > > > the configuration, certificate and keys for this from our central
> > > > configuration server so that the connection is transparent to the user.
> > > >
> > > > In RHEL6.6 the password for the private key (pkcs12 used for
> > > > authentication) was not visible to the users, only to administrators.
> > > > This was achieved by setting the connection as system wide in which
> > > > case the config file was stored under /etc/sysconfig/network-scripts
> > > > and only accessible by root.
> > > >
> > > > In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
> > > > from git) we can still limit the permissions to NM config using polkit
> > > > but when doing this we also limit the possibility for the user to add
> > > > new wifi-networks.
> > > >
> > > > So what I would like to achieve is to limit access to existing
> > > > connections (or connections not added by user) but I still want the
> > > > users to be able to add new wifi connections. Is this possible?
> > >
> > > I looked into this yesterday, and I think the way forward here is to
> > > restrict the user's permissions for modify.system, but allow them
> > > permissions for modify.own (own == self, not possession).  This will
> > > prevent the user from being able to change any connection that is
> > > in /etc and does not have specific permissions.  But it allows the user
> > > to create new connections that are restricted to that user only.
> > >
> > > There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
> > > it doesn't set the necessary flags to create these user-specific
> > > connections when the modify.system permission is denied.  We can work on
> > > fixing that though.
> > >
> > > Do you think this solution would work for you?
> > >
> > > Dan
 




Re: NetworkManager permissions

2014-12-18 Thread Peter Magnusson
Hi Dan,

Thank you for the reply! This sounds like a good solution to me,
unfortunately we are indeed using Gnome Shell UI so that would cause a
problem.

So what you are saying is that right now there is no way to achieve
this while using gnome shell?


On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams d...@redhat.com wrote:
> On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
> > I'm having some problems with permissions on NetworkManager. We are in
> > the process of migrating our clients from RHEL 6.6 to RHEL 7.
> > The clients connect to our wireless network using eap-tls, we provide
> > the configuration, certificate and keys for this from our central
> > configuration server so that the connection is transparent to the user.
> >
> > In RHEL6.6 the password for the private key (pkcs12 used for
> > authentication) was not visible to the users, only to administrators.
> > This was achieved by setting the connection as system wide in which
> > case the config file was stored under /etc/sysconfig/network-scripts
> > and only accessible by root.
> >
> > In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
> > from git) we can still limit the permissions to NM config using polkit
> > but when doing this we also limit the possibility for the user to add
> > new wifi-networks.
> >
> > So what I would like to achieve is to limit access to existing
> > connections (or connections not added by user) but I still want the
> > users to be able to add new wifi connections. Is this possible?
>
> I looked into this yesterday, and I think the way forward here is to
> restrict the user's permissions for modify.system, but allow them
> permissions for modify.own (own == self, not possession).  This will
> prevent the user from being able to change any connection that is
> in /etc and does not have specific permissions.  But it allows the user
> to create new connections that are restricted to that user only.
>
> There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
> it doesn't set the necessary flags to create these user-specific
> connections when the modify.system permission is denied.  We can work on
> fixing that though.
>
> Do you think this solution would work for you?
>
> Dan



Re: NetworkManager permissions

2014-12-18 Thread Dan Williams
On Thu, 2014-12-18 at 11:44 +0100, Peter Magnusson wrote:
> Hi Dan,
>
> Thank you for the reply! This sounds like a good solution to me,
> unfortunately we are indeed using Gnome Shell UI so that would cause a
> problem.
>
> So what you are saying is that right now there is no way to achieve
> this while using gnome shell?

There might be something we can do in NM itself though, given the way
the shell and most other clients create new connections.  But either
way, best thing to do would be to file a bug at
http://bugzilla.redhat.com against RHEL7 and assign to the
NetworkManager component so it doesn't get lost.  Does that sound OK?

Thanks!
Dan

 
> On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams d...@redhat.com wrote:
> > On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
> > > I'm having some problems with permissions on NetworkManager. We are in
> > > the process of migrating our clients from RHEL 6.6 to RHEL 7.
> > > The clients connect to our wireless network using eap-tls, we provide
> > > the configuration, certificate and keys for this from our central
> > > configuration server so that the connection is transparent to the user.
> > >
> > > In RHEL6.6 the password for the private key (pkcs12 used for
> > > authentication) was not visible to the users, only to administrators.
> > > This was achieved by setting the connection as system wide in which
> > > case the config file was stored under /etc/sysconfig/network-scripts
> > > and only accessible by root.
> > >
> > > In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
> > > from git) we can still limit the permissions to NM config using polkit
> > > but when doing this we also limit the possibility for the user to add
> > > new wifi-networks.
> > >
> > > So what I would like to achieve is to limit access to existing
> > > connections (or connections not added by user) but I still want the
> > > users to be able to add new wifi connections. Is this possible?
> >
> > I looked into this yesterday, and I think the way forward here is to
> > restrict the user's permissions for modify.system, but allow them
> > permissions for modify.own (own == self, not possession).  This will
> > prevent the user from being able to change any connection that is
> > in /etc and does not have specific permissions.  But it allows the user
> > to create new connections that are restricted to that user only.
> >
> > There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
> > it doesn't set the necessary flags to create these user-specific
> > connections when the modify.system permission is denied.  We can work on
> > fixing that though.
> >
> > Do you think this solution would work for you?
> >
> > Dan
 




Re: NetworkManager permissions

2014-12-17 Thread Dan Williams
On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
> I'm having some problems with permissions on NetworkManager. We are in
> the process of migrating our clients from RHEL 6.6 to RHEL 7.
> The clients connect to our wireless network using eap-tls, we provide
> the configuration, certificate and keys for this from our central
> configuration server so that the connection is transparent to the user.
>
> In RHEL6.6 the password for the private key (pkcs12 used for
> authentication) was not visible to the users, only to administrators.
> This was achieved by setting the connection as system wide in which
> case the config file was stored under /etc/sysconfig/network-scripts
> and only accessible by root.
>
> In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
> from git) we can still limit the permissions to NM config using polkit
> but when doing this we also limit the possibility for the user to add
> new wifi-networks.
>
> So what I would like to achieve is to limit access to existing
> connections (or connections not added by user) but I still want the
> users to be able to add new wifi connections. Is this possible?

I looked into this yesterday, and I think the way forward here is to
restrict the user's permissions for modify.system, but allow them
permissions for modify.own (own == self, not possession).  This will
prevent the user from being able to change any connection that is
in /etc and does not have specific permissions.  But it allows the user
to create new connections that are restricted to that user only.

There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
it doesn't set the necessary flags to create these user-specific
connections when the modify.system permission is denied.  We can work on
fixing that though.

Do you think this solution would work for you?

Dan
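
One way to deploy the modify.system / modify.own split described in the message above, as an added example that is not from the thread, NetworkManager or RHEL. The full action names are NetworkManager's polkit actions `org.freedesktop.NetworkManager.settings.modify.system` and `org.freedesktop.NetworkManager.settings.modify.own`; the function names, the `wheel` admin group, the rule file name, the choice of `AUTH_ADMIN` rather than an outright denial, and keyfile-format profiles are assumptions.

```shell
#!/bin/sh
# Added example: deploy a polkit rule for the modify.system / modify.own
# split and report which keyfile profiles are restricted to a user.
# Assumptions: admin group "wheel", rule file name, keyfile-format profiles.

# Emit the rule text for admin group $1. Other users need administrator
# authentication for modify.system but may use modify.own when they are at
# a local, active session.
nm_polkit_rule() {
    cat <<EOF
// Constructed for illustration; not shipped by NetworkManager or RHEL.
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("$1")) {
        return polkit.Result.NOT_HANDLED;   // admins keep the defaults
    }
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system") {
        return polkit.Result.AUTH_ADMIN;
    }
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.own" &&
        subject.local && subject.active) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF
}

# Write the rule into DIR (default /etc/polkit-1/rules.d) via a temp file.
install_nm_polkit_rule() {
    dir=${1:-/etc/polkit-1/rules.d}
    group=${2:-wheel}
    # Refuse group names that could break out of the quoted JS string.
    case $group in
        ''|*[!A-Za-z0-9_-]*) echo "invalid group name" >&2; return 2 ;;
    esac
    tmp=$(mktemp "$dir/.nm-rule.XXXXXX") || return 1
    nm_polkit_rule "$group" > "$tmp" && chmod 0644 "$tmp" &&
        mv "$tmp" "$dir/10-nm-modify-own.rules"
}

# Print "system-wide" or the permissions value (e.g. "user:alice:;") of a
# keyfile profile. A profile restricted to one user is the kind that
# modify.own covers; one without permissions stays under modify.system.
profile_scope() {
    awk -F= '
        /^\[/ { in_conn = ($0 == "[connection]") }
        in_conn && $1 == "permissions" && $2 != "" { print $2; found = 1 }
        END { if (!found) print "system-wide" }
    ' "$1"
}
```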



NetworkManager permissions

2014-12-15 Thread Peter Magnusson
I'm having some problems with permissions on NetworkManager. We are in
the process of migrating our clients from RHEL 6.6 to RHEL 7.
The clients connect to our wireless network using eap-tls, we provide
the configuration, certificate and keys for this from our central
configuration server so that the connection is transparent to the user.

In RHEL6.6 the password for the private key (pkcs12 used for
authentication) was not visible to the users, only to administrators.
This was achieved by setting the connection as system wide in which
case the config file was stored under /etc/sysconfig/network-scripts
and only accessible by root.

In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
from git) we can still limit the permissions to NM config using polkit
but when doing this we also limit the possibility for the user to add
new wifi-networks.

So what I would like to achieve is to limit access to existing
connections (or connections not added by user) but I still want the
users to be able to add new wifi connections. Is this possible?

Any advice would be much appreciated!

Best Regards
Peter