[Bug 486267] New: Latest update of NetworkManager breaks wireless networking
https://bugzilla.novell.com/show_bug.cgi?id=486267 Summary: Latest update of NetworkManager breaks wireless networking Classification: openSUSE Product: openSUSE 11.1 Version: Final Platform: x86-64 OS/Version: openSUSE 11.1 Status: NEW Severity: Major Priority: P5 - None Component: Network AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: Larry.Finger@lwfinger.net QAContact: qa@suse.de Found By: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.7) Gecko/2009022800 SUSE/3.0.7-1.1.6 Firefox/3.0.7 Since the update to NetworkManager 0.7.0.r4359-15.1.1-x86_64, I could only connect using a wire. Wireless failed. I fixed by downgrading NetworkManager, NetworkManager-glib, NetworkManager-kde and NetworkManager-gnome. The NetworkManager log shows the following: Mar 17 16:06:01 larrylap NetworkManager: <info> Activation (wlan2/wireless): access point 'lwfdjf_rad' has security, but s ecrets are required. Mar 17 16:06:01 larrylap NetworkManager: <info> (wlan2): device state change: 5 -> 6 Mar 17 16:06:01 larrylap NetworkManager: <info> Activation (wlan2) Stage 2 of 5 (Device Configure) complete. Mar 17 16:06:01 larrylap NetworkManager: <WARN> get_secrets_cb(): Couldn't get connection secrets: A security policy in pl ace prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.freedesktop.NetworkManagerSettings.Connection.Secrets" member "GetSecrets" error name "(unset)" destinat ion "org.freedesktop.NetworkManagerUserSettings"). I am not using SELinux and I do not know why this violation of security policy shows up. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c1 Marcus Meissner <meissner@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.pr |lnussel@novell.com |ovo.novell.com | --- Comment #1 from Marcus Meissner <meissner@novell.com> 2009-03-18 15:23:19 MST --- we released stricter dbus checking and stricter networkmanager profiles. it should however all still work. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c2 --- Comment #2 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-18 19:39:16 MST --- Unfortunately, it does not. I reloaded the latest versions of NetworkManager, NM-glib, NM-gnome and NM-kde with the same result - it was broken. To get wireless working again, I once more had to downgrade and reboot. What should be changed so that get_secrets_cb() will work with the new version? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c3 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |Larry.Finger@lwfinger.net --- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2009-03-19 02:10:44 MST --- Did you really install all available updates? Did you reboot after installing the updates? If you can answer both question with yes please attach /var/log/messages. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c4 Larry Finger <Larry.Finger@lwfinger.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|Larry.Finger@lwfinger.net | --- Comment #4 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-19 10:05:39 MST --- Created an attachment (id=280688) --> (https://bugzilla.novell.com/attachment.cgi?id=280688) Output of /var/log/messages after rebooting -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c5 --- Comment #5 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-19 10:06:43 MST --- Created an attachment (id=280689) --> (https://bugzilla.novell.com/attachment.cgi?id=280689) Output of /var/log/NetworkManager after rebooting -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c6 --- Comment #6 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-19 10:08:09 MST --- I allowed the updates to be reinstalled. After doing so, kNM can no longer make a connection. As requested, the logs are posted. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c7 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |Larry.Finger@lwfinger.net --- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2009-03-19 14:16:45 MST --- what's the output of rpm -q --changelog NetworkManager-kde|head ? Should be * Mi Feb 25 2009 hschaa@suse.de - Add fix_dbus_conf.patch (bnc#479563, CVE-2009-0578) .. Make sure you install NetworkManager-kde from the correct repo. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c8 Larry Finger <Larry.Finger@lwfinger.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|Larry.Finger@lwfinger.net | --- Comment #8 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-19 14:34:29 MST --- larrylap:/etc # rpm -q --changelog NetworkManager-kde|head * Wed Feb 25 2009 hschaa@suse.de - Add fix_dbus_conf.patch (bnc#479563, CVE-2009-0578) * Thu Dec 04 2008 coolo@suse.de - take new directories into account * Sun Nov 30 2008 coolo@suse.de - do not autostart on kde4 either without NETWORKMANAGER=yes * Tue Nov 11 2008 hschaa@suse.de NetworkManager-kde was installed from repo-update. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c9 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |Larry.Finger@lwfinger.net --- Comment #9 from Ludwig Nussel <lnussel@novell.com> 2009-03-20 03:11:42 MST --- You are really sure that you installed *all* available updates, including dbus etc? If so I have no idea what's wrong then. Could you please tar up /etc/dbus-1 and attach here? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User dmueller@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c10 --- Comment #10 from Dirk Mueller <dmueller@novell.com> 2009-03-20 05:08:00 MST --- I get this warning on factory (no difference in the dbus policy files compared to 11.1, but better dbus output): Mar 20 11:34:24 wall-e NetworkManager: <WARN> get_secrets_cb(): Couldn't get connection secrets: Rejected send message, 4 matched rules; type=" method_call", sender=":1.5" (uid=0 pid=6688 comm="/usr/sbin/NetworkManager ") interface="org.freedesktop.NetworkManagerSettings.Connection.Secre ts" member="GetSecrets" error name="(unset)" requested_reply=0 destination="org.freedesktop.NetworkManagerUserSettings" (uid=1001 pid=6704 comm= "/opt/kde3/bin/knetworkmanager ")). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User dmueller@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c11 Dirk Mueller <dmueller@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dmueller@novell.com, | |hschaa@novell.com --- Comment #11 from Dirk Mueller <dmueller@novell.com> 2009-03-20 05:08:42 MST --- I've submitted a new done/11.1/NetworkManager-kde that appears to work for me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c12 --- Comment #12 from Helmut Schaa <hschaa@novell.com> 2009-03-20 06:55:50 MST --- Dirk, now I'm confused. Your patch adds the following: <deny send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/> But that interface should not be used at all. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c13 --- Comment #13 from Ludwig Nussel <lnussel@novell.com> 2009-03-20 06:59:49 MST --- the config also opens the security hole again so this one cannot be used. AFAICT the knetworkmanager.conf from 11.1 looks good and it works just fine here if I use it with nm-applet instead of nm-applet.conf -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c14 --- Comment #14 from Helmut Schaa <hschaa@novell.com> 2009-03-20 07:04:11 MST --- Seems to work here as well (11.1 + updates + KNM). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c15 Larry Finger <Larry.Finger@lwfinger.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|Larry.Finger@lwfinger.net | --- Comment #15 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-20 07:35:08 MST --- Created an attachment (id=280922) --> (https://bugzilla.novell.com/attachment.cgi?id=280922) tarball of /etc/dbus-1 All patches listed as "Needed" by YaST => Online Update have been installed. Just in case I got a bad download, I refreshed every installed package that was listed in searches for "NetworkManager", "dbus" and "PolicyKit" in YaST => Software Management. This did not help. I probably didn't mention this earlier, but I'm running a 2.6.29-rc8 kernel. After finishing this post, I'll reboot into the standard kernel to see if that changes anything. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c16 --- Comment #16 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-20 07:50:57 MST --- Running kernel 2.6.27.19-3.2-default did not change the situation with regard to wireless networking - it is still broken. I had to reboot immediately back into 2.6.29-rc8 as the standard kernel didn't get a link with my wired interface that uses the forcedeth driver, thus I had no network at all. The output of dmesg did not yield any clues regarding this, but I'm not interested in chasing this problem down. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c17 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |thoenig@novell.com --- Comment #17 from Ludwig Nussel <lnussel@novell.com> 2009-03-20 07:52:22 MST --- the config looks goot AFAICT. TBH I'm out of ideas :( -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c19 --- Comment #19 from Helmut Schaa <hschaa@novell.com> 2009-03-20 07:58:48 MST --- Created an attachment (id=280928) --> (https://bugzilla.novell.com/attachment.cgi?id=280928) dbus config patch Larry, could you please apply the attached patch to /etc/dbus-1/system.d/knetworkmanager.conf and afterwards restart dbus, NM and KNM and see if that helps? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 Helmut Schaa <hschaa@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |Larry.Finger@lwfinger.net -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c20 Larry Finger <Larry.Finger@lwfinger.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|Larry.Finger@lwfinger.net | --- Comment #20 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-20 08:53:21 MST --- Created an attachment (id=280944) --> (https://bugzilla.novell.com/attachment.cgi?id=280944) Patch for nm-applet.conf Helmut, Your patch did not help, but the one I attached fixes the problem for me. I expect that this totally blows away any security. Your patch is not applied here - only the one to nm-applet.conf. Larry -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c21 Helmut Schaa <hschaa@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |Larry.Finger@lwfinger.net --- Comment #21 from Helmut Schaa <hschaa@novell.com> 2009-03-20 09:52:12 MST --- Yep, your patch would allow all users to read the connection secrets. The following dbus-send command reads the secrets from the first connection object KNM provides. Could you please check (with and without your patch) if the command allows root to read the secrets and denies the same to a normal user? dbus-send --system --print-reply --dest=org.freedesktop.NetworkManagerUserSettings /org/freedesktop/NetworkManagerSettings/Connection/0 org.freedesktop.NetworkManagerSettings.Connection.Secrets.GetSecrets -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c22 Larry Finger <Larry.Finger@lwfinger.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|Larry.Finger@lwfinger.net | --- Comment #22 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-20 10:31:48 MST --- With my patch, both root and a normal user succeed in reading the secrets. Without my patch, both fail with an "Access Denied" error.. I'll see if I can find a patch that lets root succeed and a regular user fail. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c23 --- Comment #23 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-20 14:16:26 MST --- I am not the only one with the problem. See the thread entitled "WPA not working anymore with ath5k / NetworkManager (NC10)" in the openSUSE Wireless Subforum. I was not able to find a patch that satisfied the security requirements. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c25 Georg Müller <georgmueller@gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |georgmueller@gmx.net --- Comment #25 from Georg Müller <georgmueller@gmx.net> 2009-03-21 11:20:28 MST --- Hm, I have done the upgrade, my girlfriend has done it, her laptop worked, mine did not (both using kde 3.5 with knetworkmanager). I ran a "diff -r /etc/dbus-1/" and found no differences instead of some missing/new files from different packages (kerneloops, gnome clock, ...). I am not sure how this can be possible... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c26 --- Comment #26 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-21 14:30:36 MST --- Do the two systems have the same architecture? I see the problem with x86_64. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c27 --- Comment #27 from Georg Müller <georgmueller@gmx.net> 2009-03-21 14:49:04 MST --- both are x86 systems, I will do some more comparisons tomorrow. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c28 --- Comment #28 from Georg Müller <georgmueller@gmx.net> 2009-03-21 15:41:15 MST --- hm, if I understand dbus and "at_console" correctly, the test of comment #21 might be useless, because of the order policies are being applied. As stated in the dbus-daemon man page, the last applied rule matches, and user= rules are applied before at_console=true rules. So, this means if I am root and at_console, the deny rule of "at_console" would overwrite a possible allow rule for user root. It would be nice to see the state of at_console in the reject message. Is there any way to see all rules dbus applies? I tried DBUS_DEBUG=1, but this did not help. In the reject messages, the "XX matched rules", but I want to see them in detail (including "at_console" state). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c29 --- Comment #29 from Georg Müller <georgmueller@gmx.net> 2009-03-21 17:35:26 MST --- Hm, long evening, 3rd post in a row (read and tried a bit while watching the box fight ;) ). If I get it correctly, the org.freedesktop.NetworkManagerUserSettings has nothing to do with knetworkmanager or nm-applet and should be removed from all networkmanager client busconfigs. Instead, there should be a NetworkManager-owned file nm-user-settings.conf. The NetworkManager.config should contain the own rule in at_console=true, the deny rule in context=default and the allow rule in user=root. I think this is exactly what is wanted. It works for me and I don't get a result for the dbus-send command as non-root. At the moment this configuration is duplicate in 2 (or 3) files and while testing, if you only change one to deny and leave the other to allow, the results were a bit random... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c30 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |georgmueller@gmx.net --- Comment #30 from Ludwig Nussel <lnussel@novell.com> 2009-03-22 13:12:52 MST --- (In reply to comment #25)
Hm, I have done the upgrade, my girlfriend has done it, her laptop worked, mine did not (both using kde 3.5 with knetworkmanager).
I ran a "diff -r /etc/dbus-1/" and found no differences instead of some missing/new files from different packages (kerneloops, gnome clock, ...).
I am not sure how this can be possible...
Interesting. Do the systems use different filesystems? What's the output of ls -1U /etc/dbus-1/system.d/ on both system? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c31 --- Comment #31 from Georg Müller <georgmueller@gmx.net> 2009-03-23 06:33:03 MST --- Created an attachment (id=281182) --> (https://bugzilla.novell.com/attachment.cgi?id=281182) new file to properly configure NetworkManagerUserSettings That is the output on the working system: org.opensuse.yast.SCR.conf org.freedesktop.ModemManager.conf org.gnome.ClockApplet.Mechanism.conf org.gnome.GConf.Defaults.conf wpa_supplicant.conf nm-dhcp-client.conf NetworkManager.conf bluetooth.conf avahi-dbus.conf cnetworkmanager.conf skype.conf nm-avahi-autoipd.conf ConsoleKit.conf nm-applet.conf hal.conf nm-dispatcher.conf cnetworkmanager-06.conf org.freedesktop.PackageKit.conf gdm.conf cups.conf knetworkmanager.conf org.freedesktop.PolicyKit.conf nm-system-settings.conf My system is heavily altered and modified (including some file copies and moves), so I can not say if it still in the state it was 2 days ago. org.freedesktop.PolicyKit.conf avahi-dbus.conf org.gnome.GConf.Defaults.conf nm-dispatcher.conf kerneloops.dbus knetworkmanager.conf ConsoleKit.conf nm-avahi-autoipd.conf org.opensuse.yast.SCR.conf hal.conf nm-system-settings.conf org.freedesktop.PackageKit.conf nm-dhcp-client.conf NetworkManager.conf wpa_supplicant.conf org.freedesktop.ModemManager.conf cups.conf nm-user-settings.conf nm-applet.conf bluetooth.conf nm-user-settings.conf is the new file I mentioned in comment #29 (attached to this comment) I removed similar configurations from knetworkmanager.conf and nm-applet.conf -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|georgmueller@gmx.net | AssignedTo|lnussel@novell.com |hschaa@novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c33 Helmut Schaa <hschaa@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |Larry.Finger@lwfinger.net --- Comment #33 from Helmut Schaa <hschaa@novell.com> 2009-03-23 08:26:15 MST --- Larry, could you please verify if overwriting knetworkmanager.conf with the nm-applet.conf helps? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User felix@derklecks.de added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c34 Felix Möller <felix@derklecks.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |felix@derklecks.de --- Comment #34 from Felix Möller <felix@derklecks.de> 2009-03-23 09:19:12 MST --- I am experiencing the same bug. i | NetworkManager | package | 0.7.0.r4359-15.1.1 | i586 | updates i | NetworkManager-glib | package | 0.7.0.r4359-15.1.1 | i586 | updates i | NetworkManager-gnome | package | 0.7.0.r1053-11.1.1 | i586 | updates i | NetworkManager-gnome | patch | 563 | noarch | updates i | NetworkManager-vpnc | package | 0.7.0.r4274-1.23 | i586 | oss111 i | NetworkManager-vpnc-gnome | package | 0.7.0.r4274-1.23 | i586 | oss111 i | dbus-1 | package | 1.2.10-5.3.1 | i586 | updates i | dbus-1 | patch | 488 | noarch | updates the patch from comment #20 allows me to use my wlan again. My system is 32bit. I am using KDE4 and nm-applet. It has to be noted that I have downgraded from factory some weeks ago... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c35 Larry Finger <Larry.Finger@lwfinger.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|Larry.Finger@lwfinger.net | --- Comment #35 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-23 09:21:14 MST --- No, just a plain 'cp nm-applet.conf knetworkmanager.conf' does no good. Neither does adding Georg's nm-user-settings.conf. I'm quite a bit confused about what Georg has actually done. Please tar your system.d directory and post it? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User tambet@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c36 --- Comment #36 from Tambet Ingo <tambet@novell.com> 2009-03-23 09:25:41 MST --- Just coping the file over doesn't do anything. Rebooting is the simplest way to make sure the new configuration is actually used. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c37 --- Comment #37 from Georg Müller <georgmueller@gmx.net> 2009-03-23 09:31:21 MST --- Created an attachment (id=281225) --> (https://bugzilla.novell.com/attachment.cgi?id=281225) patch to remove allow/deny portions from nm-applet.conf and knetworkmanager.conf for the nm-user-settings.conf, you have to remove the portions of knetworkmanager.conf and nm-applet.conf. Attached is the diff for these two files If you also have cnetworkmanager, you might look there for similar lines... Regarding reboot: You do not have to reboot, you even don't have to restart dbus. dbus uses inotify to look for changes. I have tested the changes with the dbus-send command and every change was in place right after saving the file. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c38 --- Comment #38 from Helmut Schaa <hschaa@novell.com> 2009-03-23 10:12:45 MST --- Could everyone please check if a directory called root is located in /var/run/dbus/at_console? Removing that directory (followed by dbus, NM and KNM restart) should result in a working system again. Ludwig, if one was/is logged in as root dbus will treat root as at_console and will in turn deny access to the Connection.Secrets interface. Not sure how to handle that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c39 --- Comment #39 from Georg Müller <georgmueller@gmx.net> 2009-03-23 10:17:52 MST --- I have this directory, my girlfriends laptop has not (and there it works). Solution: Do not use deny rule in at_console, only in context=default and an allow rule for root. That is what I have done with my dbus changes. No more problems :) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c40 --- Comment #40 from Georg Müller <georgmueller@gmx.net> 2009-03-23 10:19:47 MST --- As an addition: If someone (for what reason ever) tries to run a network manager client logged in as root, he will fail with the current set of rules. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c41 --- Comment #41 from Helmut Schaa <hschaa@novell.com> 2009-03-23 10:25:16 MST --- (In reply to comment #39)
Solution: Do not use deny rule in at_console, only in context=default and an allow rule for root. That is what I have done with my dbus changes. No more problems :)
This might open the security hole again. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c42 --- Comment #42 from Georg Müller <georgmueller@gmx.net> 2009-03-23 10:34:01 MST --- (In reply to comment #41)
(In reply to comment #39)
Solution: Do not use deny rule in at_console, only in context=default and an allow rule for root. That is what I have done with my dbus changes. No more problems :)
This might open the security hole again.
Why? Rules are applied in the following order (from dbus-daemon man page): - all context="default" policies are applied - all group="connection's user's group" policies are applied in undefined order - all user="connection's auth user" policies are applied in undefined order - all at_console="true" policies are applied - all at_console="false" policies are applied - all context="mandatory" policies are applied So, if there is a deny rule in context="default" and no other rule that is matching (you are not root and do not get the allow), then nothing else happens. To minimize the security risk. a much more transparent configuration is very helpful. That means, checking one file instead of 2, 3 or 4 files helps here (since you see on one look what you allow/deny instead of cross-checking with other files). Couldn't we get rid of the client config files at all and define it in a generic way for all nm clients? For the NetoworkManagerUserSettings, I have done it with the nm-user-settings.conf. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c43 Helmut Schaa <hschaa@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |lnussel@novell.com --- Comment #43 from Helmut Schaa <hschaa@novell.com> 2009-03-23 12:50:31 MST --- Correct NEEDINFO. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c44 --- Comment #44 from Helmut Schaa <hschaa@novell.com> 2009-03-23 12:55:04 MST --- When /var/run/dbus/at_console/root is present I'm additionally not able to trigger suspend with kpowersave due to dbus preventing the method call. Hence, I'd say this issue affects more apps than just KNM and changing the configuration files just works around the real cause. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c45 --- Comment #45 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-23 13:10:55 MST --- My latest post seems to have been lost. My system did have an empty directory named /var/run/dbus/at_console/root. After deleting it, everything works as expected. The dbus-send command from Comment #21 works for root and fails for a general user. I also logged in as root. NM worked correctly. In this case, the above directory was created, but after logging back into the machine as a general user, it had been deleted and only the directory for my login name "finger" was created. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c46 --- Comment #46 from Georg Müller <georgmueller@gmx.net> 2009-03-23 15:53:59 MST --- I see no connection to the kpowersave problem, because there is no special configuration file for kpowersave (or can you please point me to that). As an additional note:
From a logical point of view, at_console=true should only extend priviliges and not restrict them. So, deny rules in at_console=true sections do not make sense to me. They should be done at the lowest level (context=default).
Regarding nm at root login - could it be possible that NM uses NetworkManagerSystemSettings instead of NetworkManagerUserSettings if you log in as root? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c47 --- Comment #47 from Helmut Schaa <hschaa@novell.com> 2009-03-23 15:59:43 MST --- (In reply to comment #46)
I see no connection to the kpowersave problem, because there is no special configuration file for kpowersave (or can you please point me to that).
Uh, yeah, I guess you're right. That's unrelated.
Regarding nm at root login - could it be possible that NM uses NetworkManagerSystemSettings instead of NetworkManagerUserSettings if you log in as root?
No, the frontend should still use NetworkManagerUserSettings. AFAIK NetworkManagerSystemSettings is only used by nm-system-settings. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c48 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |mvidner@novell.com Info Provider|lnussel@novell.com | AssignedTo|hschaa@novell.com |tambet@novell.com --- Comment #48 from Ludwig Nussel <lnussel@novell.com> 2009-03-24 08:10:03 MST --- Do'h! Now this finally all makes sense. I wonder why I didn't see this before. Of course Georg is right. NetworkManager which runs as root sends a request over the bus. Now if root for whatever reason is at_console the policy for at_console overrides the policy for user root. at_console is now allowed to read secrets -> ouch. That's not a knetworkmanager specific problem. There are two possible solutions to this problem AFAICS: a) remove the deny rules for secrets and implement access control in the applets b) instead of the send_destination rule that allows all interfaces plus the deny rule for secrets use allow rules for individual interfaces only. This way the deny rule could be at context=default or omitted. In any case we need to update knetworkmanager, nm-applet and cnetworkmanager. so this is probably a good opportunity only ship one applet config only (bug 476502). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c49 --- Comment #49 from Ludwig Nussel <lnussel@novell.com> 2009-03-24 08:11:15 MST --- FWIW workaround for those affected: # rm -r /var/run/dbus/at_console/root # rcnetwork restart -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c50 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #280928|0 |1 is obsolete| | Attachment #280944|0 |1 is obsolete| | Attachment #281182|0 |1 is obsolete| | Attachment #281225|0 |1 is obsolete| | --- Comment #50 from Ludwig Nussel <lnussel@novell.com> 2009-03-24 09:48:19 MST --- Created an attachment (id=281578) --> (https://bugzilla.novell.com/attachment.cgi?id=281578) proposed config for method b) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c51 --- Comment #51 from Helmut Schaa <hschaa@novell.com> 2009-03-24 09:52:31 MST --- Looks good to me. Did you verify the config is working when root is also at_console? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c52 --- Comment #52 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-24 13:10:17 MST --- Created an attachment (id=281669) --> (https://bugzilla.novell.com/attachment.cgi?id=281669) Patch for knetworkmanager.conf -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User Larry.Finger@lwfinger.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c53 --- Comment #53 from Larry Finger <Larry.Finger@lwfinger.net> 2009-03-24 13:12:05 MST --- I tried the attachment from Comment #50. It fails as long as the extra directory /var/run/dbus/at_console/root is present. By using that version of nm-applet.conf and deleting the entire "at_console" section in knetworkmanager.conf, it works correctly whether the extra directory is there or not. Patch added as attachment. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c54 --- Comment #54 from Georg Müller <georgmueller@gmx.net> 2009-03-24 16:21:43 MST --- The patch of comment #50 is only for nm-applet. Any NM client does not work if there is _any_ rule which denies access for at_console. That is why you had to rip it off knetworkmanager.conf and why bug 476502 exists. These two bugs should be closed in the same step to avoid further confusion or a new issue like that in the future. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User tambet@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c55 Tambet Ingo <tambet@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #55 from Tambet Ingo <tambet@novell.com> 2009-03-25 02:44:51 MST --- I'd argue the DBus policy matching order is wrong. The policies are applied in order (from the man page and also from comment #42) with "Policies applied later will override those applied earlier". That would mean the policies order should be from least matching to single match (ie: default, at_console, group, user). In current situation it's effectively not possible to use user and group rules independently of whether they are at console or not. But of course we just have to live with what we have... Removing the "at_console" policy means the user who runs the applet can't access his own settings over DBus, so it's not a working solution. I think the best solution would be to check the permissions in code. While it's probably a bug somewhere that the proposed patch from comment #50 doesn't work, it's probably harder to maintain to list all allowed interfaces, just to disallow one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c56 --- Comment #56 from Ludwig Nussel <lnussel@novell.com> 2009-03-25 03:11:56 MST --- Ok. I'm fine with either solution as long as we can somehow get it quickly as people out there are yelling at us already :-) So is there a chance to have the code changes applied and packages submitted to all distros within this week? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User tambet@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c57 --- Comment #57 from Tambet Ingo <tambet@novell.com> 2009-03-25 03:19:45 MST --- Sure, we already do the checking for connection updates and deletes, so adding the same check for secrets request isn't hard. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c58 --- Comment #58 from Helmut Schaa <hschaa@novell.com> 2009-03-25 03:29:17 MST --- But KNM3 and KNM4 need the same checks too. However, I agree that removing the at_console policy is a bad idea. (In reply to comment #55)
it's probably harder to maintain to list all allowed interfaces, just to disallow one.
I'd argue that it is more secure to just open single interfaces instead of opening all interfaces and deny only a specific one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User tambet@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c59 --- Comment #59 from Tambet Ingo <tambet@novell.com> 2009-03-25 04:01:27 MST --- In general, I agree, but in this specific case, it's demagogy - It's network settings we're talking about, and the GetSecrets method is the one and only one which, as it's name implies not public. Everything else isn't. The same settings would be visible to anyone when in use (through tools like ifconfig, route, resolv.conf, ...). However, it's not something I'd like to maintain as a suse specific patch, so I'd like to have whatever solution the NM maintainer prefers. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User wstephenson@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c60 --- Comment #60 from Will Stephenson <wstephenson@novell.com> 2009-03-25 04:55:45 MST --- I'm sorry to be late to this party. I'd prefer not to do user checking in applet code - it will be harder to fix or workaround the next time dbus access policies change or across different distros. Is there no way that the user can GetSecrets on their own dbus interface within the limits imposed by dbus' security policy interpretation order with the config proposed in #50? Is there a need to Get your own Secrets? Currently both applets and their editor processes are using desktop-specific storage to communicate settings, not GetSettings/Secrets and UpdateConnection - in any case, without a NetworkManagerSettings.AddConnection method, we cannot manage connections purely over dbus. Apart from GetSecrets is there any other reason #50 is not acceptable? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User tambet@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c61 --- Comment #61 from Tambet Ingo <tambet@novell.com> 2009-03-26 07:43:43 MST --- Once again, I'm not against the solution (a) that Ludwig proposed in comment #48. I personally like (b) better, but as I said, I don't think it's not worth it to go with different solution from upstream. As for the implementation of (a) from comment #50, it works fine for me on Factory, but Helmut says it doesn't work for him on 11.1. I have no idea why that might be and he's busy at the moment with some other stuff. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User georgmueller@gmx.net added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c62 --- Comment #62 from Georg Müller <georgmueller@gmx.net> 2009-03-26 07:55:20 MST --- I don't see Helmut saying it does not work. There was one point that the patch of comment #50 was not enough, because there were other config files causing the problem (knetworkmanager.conf, comment #53). Regarding comment 55 and comment #60: I don't see a need to get your own secrets, consider NetowrkManagerUserSettings as an interface for NetworkManager (the daemon) only. So a deny by default and allow as root is a good solution here. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User hschaa@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c63 --- Comment #63 from Helmut Schaa <hschaa@novell.com> 2009-03-26 08:14:17 MST --- (In reply to comment #62)
I don't see Helmut saying it does not work.
That was on IRC. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User tambet@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c64 --- Comment #64 from Tambet Ingo <tambet@novell.com> 2009-03-31 03:47:51 MDT --- Some updates... This is not a problem for the majority of distributions because of two reasons: First, root logins are disabled on Ubuntu/RH/... and second, there's a specific check in the script that creates the /var/run/dbus/at_console/$username (it's a different path on other distros, but used for the same thing) to never create it for root. Upstream NM wasn't very interested in these changes, mainly to have one common conf file for distros that still use the old (insecure) DBus and things work just fine now. It looks like the new configuration file Ludwig wrote will get accepted, so let's go with this. Ludwig, could you add a 'rm -rf /var/run/dbus/at_console/*' to one of the startup scripts (either CK or dbus I guess) to make sure there's no stale directories there? The problem with these is that whoever is logged in during a system freeze or hard reset, these users would always be considered as at_console="true" by DBus. Technically, that would solve this bug as well, so do we want to proceed with NM applet .conf file changes as well? Do we want to move the new configuration to NetworkManager package now for released distros? In that case we need to sync the updates of NetworkManager and all the applets to all distros... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=486267 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=486267#c65 Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@novell.com AssignedTo|tambet@novell.com |thoenig@novell.com --- Comment #65 from Ludwig Nussel <lnussel@novell.com> 2009-03-31 04:23:38 MDT --- (In reply to comment #64)
Ludwig, could you add a 'rm -rf /var/run/dbus/at_console/*' to one of the startup scripts (either CK or dbus I guess) to make sure there's no stale directories there? The problem with these is that whoever is logged in during a system freeze or hard reset, these users would always be considered as at_console="true" by DBus. Technically, that would solve this bug as well, so do we want to proceed with NM applet .conf file changes as well? Do we want to move the new configuration to NetworkManager package now for released distros? In that case we need to sync the updates of NetworkManager and all the applets to all distros...
Hmm, indeed. While the config isn't quite correct not considering at_console for root and deleting the files at boot is sufficient to fix the problem. So we could get away with only updating one package, dbus. The problem with at_console only hits 11.1+. So let's do it that way. We still need to update NetworkManager itself to also fix the PPP problem. Reassigning to Timo for the dbus update on 11.1 (who is on vacation so I guess I have to do it). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com