[Bug 1204114] New: op="connection-update" result="fail" reason="Insufficient privileges"
https://bugzilla.suse.com/show_bug.cgi?id=1204114

Bug ID: 1204114
Summary: op="connection-update" result="fail" reason="Insufficient privileges"
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: GNOME
Assignee: gnome-bugs@suse.de
Reporter: msuchanek@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

2022-10-07T09:23:48.166771+02:00 naga NetworkManager[12616]: <info> [1665127428.1662] audit: op="connection-update" uuid="24996e10-e7ab-4e0d-abed-72ccc8364160" name="VPN PRV2" pid=18394 uid=1000 result="fail" reason="Insufficient privileges"

This connection has been created in NM so this is a regression.

--
You are receiving this mail because:
You are on the CC list for the bug.

Michal Suchanek <msuchanek@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |songchuan.kang@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c1

Jonathan Kang <songchuan.kang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msuchanek@suse.com
              Flags|                            |needinfo?(msuchanek@suse.com)

--- Comment #1 from Jonathan Kang <songchuan.kang@suse.com> ---
(In reply to Michal Suchanek from comment #0)
> 2022-10-07T09:23:48.166771+02:00 naga NetworkManager[12616]: <info> [1665127428.1662] audit: op="connection-update" uuid="24996e10-e7ab-4e0d-abed-72ccc8364160" name="VPN PRV2" pid=18394 uid=1000 result="fail" reason="Insufficient privileges"
>
> This connection has been created in NM so this is a regression.

Thanks for the bug report, Michal. Can you add the following to /etc/NetworkManager/NetworkManager.conf, restart NetworkManager, and reproduce this issue? Then attach the output of "journalctl -b -u NetworkManager" here.

[logging]
level=trace

Thanks.

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c2

--- Comment #2 from Michal Suchanek <msuchanek@suse.com> ---
It says which operation is checked but not what privileges are needed.

Oct 09 11:43:43 naga NetworkManager[10582]: <trace> [1665308623.6281] auth: call[46]: CheckAuthorization(org.freedesktop.NetworkManager.settings.modify.system), subject=unix-process[pid=11013, uid=1000, start=102403016]
Oct 09 11:43:43 naga NetworkManager[10582]: <trace> [1665308623.6348] auth: call[46]: completed: authorized=0, challenge=1
Oct 09 11:44:06 naga NetworkManager[10582]: <trace> [1665308646.9554] auth: call[47]: CheckAuthorization(org.freedesktop.NetworkManager.settings.modify.system), subject=unix-process[pid=11013, uid=1000, start=102403016]
Oct 09 11:44:06 naga NetworkManager[10582]: <trace> [1665308646.9602] auth: call[47]: completed: authorized=0, challenge=1
Oct 09 11:44:06 naga NetworkManager[10582]: <info> [1665308646.9604] audit: op="connection-update" uuid="24996e10-e7ab-4e0d-abed-72ccc8364160" name="VPN PRV2" pid=11013 uid=1000 result="fail" reason="Insufficient privileges"

There are others that are authorized:

Oct 09 11:42:28 naga NetworkManager[10582]: <trace> [1665308548.1561] auth: call[3]: CheckAuthorization(org.freedesktop.NetworkManager.checkpoint-rollback), subject=unix-process[pid=2698, uid=1000, start=5803]
Oct 09 11:42:28 naga NetworkManager[10582]: <trace> [1665308548.1563] auth: call[4]: CheckAuthorization(org.freedesktop.NetworkManager.enable-disable-connectivity-check), subject=unix-process[pid=2698, uid=1000, start=5803]
Oct 09 11:42:28 naga NetworkManager[10582]: <trace> [1665308548.3626] auth: call[3]: completed: authorized=0, challenge=1
Oct 09 11:42:28 naga NetworkManager[10582]: <trace> [1665308548.3653] auth: call[4]: completed: authorized=1, challenge=0

This is the authenticator initialization:

Oct 09 11:42:27 naga NetworkManager[10582]: <debug> [1665308547.2926] auth[0x561a90727d20]: create auth-manager: polkit enabled
Oct 09 11:42:27 naga NetworkManager[10582]: <debug> [1665308547.2926] auth[0x561a90727d20]: set instance
Oct 09 11:42:27 naga NetworkManager[10582]: <debug> [1665308547.2926] setup NMAuthManager singleton (7a7275590f589891)
Oct 09 11:42:28 naga NetworkManager[10582]: <trace> [1665308548.0863] auth: name-owner: polkit is running (now :1.1)
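
The trace lines in comment #2 pair each CheckAuthorization request with its result by call number, and requests can interleave (calls 3 and 4). The sketch below is an added example, not part of the bug report or of NetworkManager: it correlates the two and ties each audit failure to the polkit action that was not granted. The sample lines are the ones from comment #2 with the journal prefix removed, and the function names are hypothetical.

```python
import re

# Sample input: trace lines quoted in comment #2, journal prefix removed.
SAMPLE = """\
auth: call[3]: CheckAuthorization(org.freedesktop.NetworkManager.checkpoint-rollback), subject=unix-process[pid=2698, uid=1000, start=5803]
auth: call[4]: CheckAuthorization(org.freedesktop.NetworkManager.enable-disable-connectivity-check), subject=unix-process[pid=2698, uid=1000, start=5803]
auth: call[3]: completed: authorized=0, challenge=1
auth: call[4]: completed: authorized=1, challenge=0
auth: call[47]: CheckAuthorization(org.freedesktop.NetworkManager.settings.modify.system), subject=unix-process[pid=11013, uid=1000, start=102403016]
auth: call[47]: completed: authorized=0, challenge=1
audit: op="connection-update" uuid="24996e10-e7ab-4e0d-abed-72ccc8364160" name="VPN PRV2" pid=11013 uid=1000 result="fail" reason="Insufficient privileges"
"""

REQ = re.compile(r"auth: call\[(\d+)\]: CheckAuthorization\(([\w.-]+)\), "
                 r"subject=unix-process\[pid=(\d+), uid=(\d+)")
DONE = re.compile(r"auth: call\[(\d+)\]: completed: authorized=([01]), challenge=([01])")
FAIL = re.compile(r'audit: op="([^"]+)".*? pid=(\d+) uid=(\d+) result="fail"')

def verdict(authorized, challenge):
    """Map polkit's (is_authorized, is_challenge) pair to a readable outcome."""
    if authorized:
        return "granted"
    # is_challenge: polkit would grant the action after authentication.
    return "needs-authentication" if challenge else "denied"

def correlate(log_text):
    """Return (checks, failures); each failure points at the check behind it."""
    pending, checks, failures = {}, [], []
    for line in log_text.splitlines():
        if m := REQ.search(line):
            # Requests and completions interleave, so key them by call number.
            pending[m.group(1)] = {"action": m.group(2), "pid": int(m.group(3)),
                                   "uid": int(m.group(4))}
        elif m := DONE.search(line):
            check = pending.pop(m.group(1), None)
            if check is not None:
                check["verdict"] = verdict(m.group(2) == "1", m.group(3) == "1")
                checks.append(check)
        elif m := FAIL.search(line):
            pid = int(m.group(2))
            # Most recent non-granted check from the same client process.
            cause = next((c for c in reversed(checks)
                          if c["pid"] == pid and c["verdict"] != "granted"), None)
            failures.append({"op": m.group(1), "pid": pid, "cause": cause})
    return checks, failures

if __name__ == "__main__":
    print(correlate(SAMPLE)[1])
```

For the failing update the result is "needs-authentication" rather than "denied": polkit reported that authentication could grant the action, which is why the later comments ask whether a password dialog appeared.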

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c3

--- Comment #3 from Michal Suchanek <msuchanek@suse.com> ---
Relevant policy kit rule seems to be:

'org.freedesktop.NetworkManager.settings.modify.own': [ 'auth_admin_keep', 'auth_admin_keep', 'yes' ],
'org.freedesktop.NetworkManager.settings.modify.system': [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],

rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules
polkit-default-privs-1550+20220727.3ce2e2f-1.2.noarch

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c4

--- Comment #4 from Jonathan Kang <songchuan.kang@suse.com> ---
(In reply to Michal Suchanek from comment #2)
> It says which operation is checked but not what privileges are needed.
>
> Oct 09 11:43:43 naga NetworkManager[10582]: <trace> [1665308623.6281] auth: call[46]: CheckAuthorization(org.freedesktop.NetworkManager.settings.modify.system), subject=unix-process[pid=11013, uid=1000, start=102403016]
> Oct 09 11:43:43 naga NetworkManager[10582]: <trace> [1665308623.6348] auth: call[46]: completed: authorized=0, challenge=1
> Oct 09 11:44:06 naga NetworkManager[10582]: <trace> [1665308646.9554] auth: call[47]: CheckAuthorization(org.freedesktop.NetworkManager.settings.modify.system), subject=unix-process[pid=11013, uid=1000, start=102403016]
> Oct 09 11:44:06 naga NetworkManager[10582]: <trace> [1665308646.9602] auth: call[47]: completed: authorized=0, challenge=1
> Oct 09 11:44:06 naga NetworkManager[10582]: <info> [1665308646.9604] audit: op="connection-update" uuid="24996e10-e7ab-4e0d-abed-72ccc8364160" name="VPN PRV2" pid=11013 uid=1000 result="fail" reason="Insufficient privileges"

Check whether there are some logs related to polkit when NetworkManager is trying to get authorization. It's not clear why NM failed to do so with this journal.

BTW, did a dialog pop up asking for admin password when you were modifying the VPN connection?

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c5

--- Comment #5 from Michal Suchanek <msuchanek@suse.com> ---
no, no dialog popped up

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c6

--- Comment #6 from Jonathan Kang <songchuan.kang@suse.com> ---
Try adding the following to /etc/polkit-1/rules.d/00-log-access.rules, restart the system, reproduce this issue and check "sudo journalctl -b" for 00-log-access.rules related logs.

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system") {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
    }
});

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c7

--- Comment #7 from Michal Suchanek <msuchanek@suse.com> ---
I added the rule and restarted polkit but I don't see where the logs go.

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c8

--- Comment #8 from Jonathan Kang <songchuan.kang@suse.com> ---
(In reply to Michal Suchanek from comment #7)
> I added the rule and restarted polkit but I don't see where the logs go.

Did you reproduce the issue and check "sudo journalctl -b"?

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c9

--- Comment #9 from Michal Suchanek <msuchanek@suse.com> ---
yes

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c10

--- Comment #10 from Jonathan Kang <songchuan.kang@suse.com> ---
(In reply to Michal Suchanek from comment #7)
> I added the rule and restarted polkit but I don't see where the logs go.

Just tried this myself. Hmm, it looks like the rule filename wasn't available in the journal. The logs should look something like this:

polkitd[820920]: <no filename>:3: action=[Action id='org.freedesktop.NetworkManager.settings.modify.system']
polkitd[820920]: <no filename>:4: subject=[Subject pid=821152 user='jkang' groups=jkang,wheel,dialout,plugdev,wireshark,adbusers,mock seat=null session=null local=true active=true]

https://bugzilla.suse.com/show_bug.cgi?id=1204114#c11

--- Comment #11 from Jonathan Kang <songchuan.kang@suse.com> ---
Does this issue still exist in the latest Tumbleweed?