[Bug 469530] New: wpa_supplicant-0.6.4-18.1 denies WLAN connection to non-root users
https://bugzilla.novell.com/show_bug.cgi?id=469530

User holler@nefkom.info added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c468392

           Summary: wpa_supplicant-0.6.4-18.1 denies WLAN connection to non-root users
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: unspecified
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: holler@nefkom.info
         QAContact: qa@suse.de
          Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.5) Gecko/2008121300 SUSE/3.0.5-2.3 Firefox/3.0.5

With wpa_supplicant-0.6.4-18.1 a non-root user is not allowed to connect to a WLAN (at least with NetworkManager, didn't try with ifup)

With latest Factory /etc/dbus-1/system.d/wpa_supplicant.conf reads

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="fi.epitest.hostap.WPASupplicant"/>
                <allow send_destination="fi.epitest.hostap.WPASupplicant" send_interface="fi.epitest.hostap.WPASupplicant"/>
        </policy>
        <policy context="default">
                <deny own="fi.epitest.hostap.WPASupplicant"/>
                <deny send_destination="fi.epitest.hostap.WPASupplicant"/>
                <deny send_interface="fi.epitest.hostap.WPASupplicant"/>
        </policy>
</busconfig>

This leads to messages in /var/log/Networkmanager (please note: _before_ login!):

Jan 26 19:50:00 holler-n2 NetworkManager: <info> starting...
Jan 26 19:50:00 holler-n2 NetworkManager: <info> Trying to start the modem-manager...
Jan 26 19:50:00 holler-n2 NetworkManager: <WARN> nm_generic_enable_loopback(): error -17 returned from rtnl_addr_add(): Sucess
Jan 26 19:50:00 holler-n2 NetworkManager: <info> Found radio killswitch /org/freedesktop/Hal/devices/pci_8086_4229_rfkill_4965AGN_wlan
Jan 26 19:50:01 holler-n2 NetworkManager: <info> eth0: driver is 'r8169'.
Jan 26 19:50:01 holler-n2 NetworkManager: <info> Found new Ethernet device 'eth0'.
Jan 26 19:50:01 holler-n2 NetworkManager: <info> (eth0): exported as /org/freedesktop/Hal/devices/net_00_03_0d_90_6b_10
Jan 26 19:50:01 holler-n2 NetworkManager: <info> wlan0: driver is 'iwl4965'.
Jan 26 19:50:01 holler-n2 NetworkManager: <info> wlan0: driver supports SSID scans (scan_capa 0x01).
Jan 26 19:50:01 holler-n2 NetworkManager: <info> Found new 802.11 WiFi device 'wlan0'.
Jan 26 19:50:01 holler-n2 NetworkManager: <info> (wlan0): exported as /org/freedesktop/Hal/devices/net_00_1d_e0_d0_d4_a1
Jan 26 19:50:01 holler-n2 NetworkManager: <info> Trying to start the supplicant...
Jan 26 19:50:01 holler-n2 NetworkManager: <info> Trying to start the system settings daemon...
Jan 26 19:50:01 holler-n2 NetworkManager: <info> modem manager appeared
Jan 26 19:50:02 holler-n2 NetworkManager: <info> (wlan0): supplicant manager state: down -> idle
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): device state change: 1 -> 2
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): bringing up device.
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): preparing device.
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): deactivating device (reason: 2).
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): carrier now ON (device state 2)
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): device state change: 2 -> 3
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (wlan0): device state change: 1 -> 2
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (wlan0): bringing up device.
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (wlan0): preparing device.
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (wlan0): deactivating device (reason: 2).
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): carrier now OFF (device state 3)
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): device state change: 3 -> 2
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (eth0): deactivating device (reason: 40).
Jan 26 19:50:05 holler-n2 NetworkManager: <info> (wlan0): device state change: 2 -> 3
Jan 26 19:50:05 holler-n2 NetworkManager: <WARN> iface_state_cb(): could not get interface state: A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "fi.epitest.hostap.WPASupplicant.Interface" member "state" error name "(unset)" destination "fi.epitest.hostap.WPASupplicant").
Jan 26 19:50:07 holler-n2 NetworkManager: <WARN> scan_results_cb(): could not get scan results: A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "fi.epitest.hostap.WPASupplicant.Interface" member "scanResults" error name "(unset)" destination "fi.epitest.hostap.WPASupplicant").

Replacing the deny lines in /etc/dbus-1/system.d/wpa_supplicant.conf to

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="fi.epitest.hostap.WPASupplicant"/>
                <allow send_destination="fi.epitest.hostap.WPASupplicant" send_interface="fi.epitest.hostap.WPASupplicant"/>
        </policy>
        <policy context="default">
                <allow own="fi.epitest.hostap.WPASupplicant"/>
                <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
        </policy>
</busconfig>

enables WLAN for non-root users again. See now /var/log/Networkmanager:

Jan 26 19:55:51 holler-n2 NetworkManager: <info> starting...
Jan 26 19:55:51 holler-n2 NetworkManager: <info> Trying to start the modem-manager...
Jan 26 19:55:51 holler-n2 NetworkManager: <WARN> nm_generic_enable_loopback(): error -17 returned from rtnl_addr_add(): Sucess
Jan 26 19:55:51 holler-n2 NetworkManager: <info> Found radio killswitch /org/freedesktop/Hal/devices/pci_8086_4229_rfkill_4965AGN_wlan
Jan 26 19:55:51 holler-n2 NetworkManager: <info> eth0: driver is 'r8169'.
Jan 26 19:55:51 holler-n2 NetworkManager: <info> Found new Ethernet device 'eth0'.
Jan 26 19:55:51 holler-n2 NetworkManager: <info> (eth0): exported as /org/freedesktop/Hal/devices/net_00_03_0d_90_6b_10
Jan 26 19:55:51 holler-n2 NetworkManager: <info> wlan0: driver is 'iwl4965'.
Jan 26 19:55:51 holler-n2 NetworkManager: <info> wlan0: driver supports SSID scans (scan_capa 0x01).
Jan 26 19:55:51 holler-n2 NetworkManager: <info> Found new 802.11 WiFi device 'wlan0'.
Jan 26 19:55:51 holler-n2 NetworkManager: <info> (wlan0): exported as /org/freedesktop/Hal/devices/net_00_1d_e0_d0_d4_a1
Jan 26 19:55:51 holler-n2 NetworkManager: <info> Trying to start the supplicant...
Jan 26 19:55:51 holler-n2 NetworkManager: <info> Trying to start the system settings daemon...
Jan 26 19:55:52 holler-n2 NetworkManager: <info> modem manager appeared
Jan 26 19:55:52 holler-n2 NetworkManager: <info> (wlan0): supplicant manager state: down -> idle
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (eth0): device state change: 1 -> 2
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (eth0): bringing up device.
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (eth0): preparing device.
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (eth0): deactivating device (reason: 2).
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (eth0): carrier now ON (device state 2)
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (eth0): device state change: 2 -> 3
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (wlan0): device state change: 1 -> 2
Jan 26 19:55:55 holler-n2 NetworkManager: <info> (wlan0): bringing up device.
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (wlan0): preparing device.
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (wlan0): deactivating device (reason: 2).
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (eth0): carrier now OFF (device state 3)
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (eth0): device state change: 3 -> 2
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (eth0): deactivating device (reason: 40).
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (wlan0): device state change: 2 -> 3
Jan 26 19:55:56 holler-n2 NetworkManager: <info> (wlan0): supplicant interface state: starting -> ready

Changelog from wpa_supplicant-0.6.4-18.1:
* Do Jan 22 2009 hschaa@suse.de
- Add fix_dbus_config.patch (bnc#468392)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=469530

Hans-Peter Holler <holler@nefkom.info> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
             Status|NEW                                       |ASSIGNED
         AssignedTo|bnc-team-screening@forge.provo.novell.com |hschaa@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=469530

User holler@nefkom.info added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c1

Hans-Peter Holler <holler@nefkom.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aj@novell.com

--- Comment #1 from Hans-Peter Holler <holler@nefkom.info> 2009-01-26 12:53:04 MST ---
And I'm _not_ amused:

Access Denied
You are not authorized to access bug #468392.

And:

Access Denied
You are not authorized to access bug #468377.

The latter comes from Changelog of NetworkManager-kde-0.7r848570-27.2
* Do Jan 22 2009 hschaa@suse.de
- Add fix_dbus_config.patch (bnc#468377)

Folks, please take attention with non-public (I'm sure: SLE11) bugs. If one is searching before filing a new bug, she/he will not find the original and therefore is filing a new bug. Guess, myself is one of these.

And as I always do in such a case: cc aj

https://bugzilla.novell.com/show_bug.cgi?id=469530

Helmut Schaa <hschaa@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium

https://bugzilla.novell.com/show_bug.cgi?id=469530

User thoenig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c2

--- Comment #2 from Timo Hoenig <thoenig@novell.com> 2009-01-26 14:35:10 MST ---
Hans-Peter, please take the discussion of the non-public bugs elsewhere. A good place to start is the opensuse-project mailing list. Thanks.

Regarding the technical issue:

We're expecting some fallout due to CVE-2008-4311. wpa_supplicant has already a fixed D-Bus policy in FACTORY. However, the new D-Bus version is still waiting for check-in.

I've triggered a mbuild of the new D-Bus version which I will copy over to http://beta.suse.com/private/thoenig/469530 once finished. You may give it a try to see if this fixes the issue.

If it doesn't fix it (which is likely :-) we need to adapt the wpa_supplicant policy file to make things work again.

https://bugzilla.novell.com/show_bug.cgi?id=469530

User aj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c3

--- Comment #3 from Andreas Jaeger <aj@novell.com> 2009-01-26 22:36:56 MST ---
Ad #1: Security bugs are often Novell Internal until they are disclosed.

Here's a public statement of the problem:
http://lists.opensuse.org/opensuse-packaging/2009-01/msg00132.html

https://bugzilla.novell.com/show_bug.cgi?id=469530

User hschaa@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c4

--- Comment #4 from Helmut Schaa <hschaa@novell.com> 2009-01-27 03:08:36 MST ---
Created an attachment (id=267844)
 --> (https://bugzilla.novell.com/attachment.cgi?id=267844)
wpa_supplicant dbus config

Hans-Peter, could you please try if the attached dbus configuration for wpa_supplicant works for you?

https://bugzilla.novell.com/show_bug.cgi?id=469530

Helmut Schaa <hschaa@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |holler@nefkom.info

https://bugzilla.novell.com/show_bug.cgi?id=469530

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2009-01-27 03:12:37 MST ---
If wpa_supplicant doesn't offer additional interfaces that need special access control a single allow rule like this should suffice:

<allow send_destination="fi.epitest.hostap.WPASupplicant"/>

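Added example, not part of the bug thread or of any openSUSE package: a simplified model of dbus-daemon policy evaluation, run over the policy from the report, the reporter's workaround, and a policy built around the single rule from comment #5. It shows why the `state` call in the log is rejected even for root (the root allow rule names interface fi.epitest.hostap.WPASupplicant, the call uses fi.epitest.hostap.WPASupplicant.Interface) and that the workaround also lets any user own the supplicant's bus name. The function `decide`, the user `alice`, the SUGGESTED policy and the deny-when-nothing-matches default are assumptions of the example.

```python
import xml.etree.ElementTree as ET

NAME = "fi.epitest.hostap.WPASupplicant"
# Policy quoted in the bug report (DOCTYPE omitted).
REPORTED = f"""<busconfig>
  <policy user="root">
    <allow own="{NAME}"/>
    <allow send_destination="{NAME}" send_interface="{NAME}"/>
  </policy>
  <policy context="default">
    <deny own="{NAME}"/>
    <deny send_destination="{NAME}"/>
    <deny send_interface="{NAME}"/>
  </policy>
</busconfig>"""
# The reporter's workaround: every deny line turned into allow.
WORKAROUND = REPORTED.replace("<deny ", "<allow ")
# Constructed here: root keeps ownership, default context gets only the
# single rule from comment #5. Not the content of attachment 267844.
SUGGESTED = f"""<busconfig>
  <policy user="root"><allow own="{NAME}"/></policy>
  <policy context="default"><allow send_destination="{NAME}"/></policy>
</busconfig>"""
# The method call the NetworkManager log shows being rejected.
STATE_CALL = {"send_destination": NAME, "send_interface": NAME + ".Interface"}


def decide(xml_text, user, request):
    """Simplified dbus-daemon policy check for one request.

    request is {'own': name} or {'send_destination': .., 'send_interface': ..}.
    Default-context policies apply first, then the user's; a rule matches when
    every attribute it names equals the request's value; the last match wins.
    No match means deny (assumed bus-wide default).
    """
    policies = ET.fromstring(xml_text).findall("policy")
    ordered = [p for p in policies if p.get("context") == "default"]
    ordered += [p for p in policies if p.get("user") == user]
    verdict = "deny"
    for rule in (r for p in ordered for r in p):
        if all(request.get(k) == v for k, v in rule.attrib.items()):
            verdict = rule.tag
    return verdict


if __name__ == "__main__":
    # 'alice' is a hypothetical unprivileged user.
    for label, policy in [("reported", REPORTED), ("workaround", WORKAROUND),
                          ("suggested", SUGGESTED)]:
        print(label, "| root state():", decide(policy, "root", STATE_CALL),
              "| alice owns name:", decide(policy, "alice", {"own": NAME}))
```
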
https://bugzilla.novell.com/show_bug.cgi?id=469530

User holler@nefkom.info added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c6

Hans-Peter Holler <holler@nefkom.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|holler@nefkom.info          |

--- Comment #6 from Hans-Peter Holler <holler@nefkom.info> 2009-01-27 09:12:50 MST ---
(In reply to comment #4)
> Created an attachment (id=267844)
>  --> (https://bugzilla.novell.com/attachment.cgi?id=267844)
> wpa_supplicant dbus config
>
> Hans-Peter, could you please try if the attached dbus configuration for wpa_supplicant works for you?

Yes, it does. Thank you.

https://bugzilla.novell.com/show_bug.cgi?id=469530

User holler@nefkom.info added comment
https://bugzilla.novell.com/show_bug.cgi?id=469530#c7

Hans-Peter Holler <holler@nefkom.info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Hans-Peter Holler <holler@nefkom.info> 2009-01-29 02:38:20 MST ---
According to http://lists.opensuse.org/opensuse-commit/2009-01/msg01431.html I installed http://download.opensuse.org/repositories/home:/hschaa:/wpa_supplicant/openS...

This works, too. Thanks.

And just for the record: bug #470013 mentioned in the changelog is non-public :-)