[opensuse-factory] NetworkManager policy broken after recent Tumbleweed update
Hello, I updated my system and now NM applet tells me "not authorized" on pretty much any operation. It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden. I looked at the policy file shipped with NM and it is quite permissive. Is there something to be done? Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
* Michal Suchánek <msuchanek@suse.de> [08-10-18 11:35]:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
I found similar on one of my systems. I seem to have solved or corrected it by: as root, open: /usr/bin/kcmshell5 kcm_networkmanagement.desktop make a change and save it. now it should return to normal previous operation. if not, repead and undo your change and save. and I have no idea. worked for me :) -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am Freitag, 10. August 2018, 17:40:57 CEST schrieb Patrick Shanahan:
* Michal Suchánek <msuchanek@suse.de> [08-10-18 11:35]:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
I found similar on one of my systems. I seem to have solved or corrected it by:
I just ran a zypper dup, and had no problems... (just for the records...) Cheers Axel -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Thanks
Michal
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections: hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections hramrach@neko:~> su Password: neko:/home/hramrach # nmcli c down MicroFocus Connection 'MicroFocus' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2) neko:/home/hramrach # Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
Because it is normally controlled by PolicyKit and I'd expect it to request authorization.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections:
hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections
This message comes from NM which means nmcli could at least connect to it, so connection was not blocked by D-Bus policy. Looks like something with polkit. Not sure how to debug it further at the moment though.
hramrach@neko:~> su Password: neko:/home/hramrach # nmcli c down MicroFocus Connection 'MicroFocus' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2) neko:/home/hramrach #
Thanks
Michal
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, 13 Aug 2018 20:22:56 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
Because it is normally controlled by PolicyKit and I'd expect it to request authorization.
That would be insane and that's certainly not what the NM supplied policy mandates.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections:
hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections
This message comes from NM which means nmcli could at least connect to it, so connection was not blocked by D-Bus policy.
Sure, if it was the NM applet would not be able to list networks or even connections.
Looks like something with polkit.
Certainly. That is what it looks like from the start
Not sure how to debug it further at the moment though.
And that is exactly what I would like to know. Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, 15 Aug 2018 at 22:11, Michal Suchánek <msuchanek@suse.de> wrote:
On Mon, 13 Aug 2018 20:22:56 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
I have the same issue. With great difficulty I had managed to find the policy rules to make NetworkManager applet automatically connect and bring up my shared wifi connection. Now after every reboot, I have to manually connect to my shared wifi connection and give the password. This is what I had in /etc/polkit-1/rules.d/90-default-privs.rules I have tried playing with the rules below but nothing seems to be working 'org.freedesktop.NetworkManager.enable-disable-wwan': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.enable-disable-wimax': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.use-user-connections': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.settings.modify.global-dns': [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ], 'org.freedesktop.NetworkManager.enable-disable-connectivity-check': [ 'no', 'no', 'yes' ], 'org.freedesktop.NetworkManager.enable-disable-wifi': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.reload': [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ], 'org.freedesktop.NetworkManager.wifi.share.open': [ 'auth_admin', 'auth_admin', 'auth_admin' ], 'org.freedesktop.NetworkManager.settings.modify.own': [ 'auth_admin_keep', 'auth_admin_keep', 'yes' ], 'org.freedesktop.NetworkManager.enable-disable-network': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.settings.modify.system': [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ], 'org.freedesktop.NetworkManager.wifi.share.protected': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.checkpoint-rollback': [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ], 'org.freedesktop.NetworkManager.settings.modify.hostname': [ 'auth_admin', 'auth_admin', 'auth_admin' ], 'org.freedesktop.NetworkManager.sleep-wake': [ 'auth_admin', 'auth_admin', 'yes' ], 'org.freedesktop.NetworkManager.network-control': [ 'no', 'no', 'yes' ], 'org.freedesktop.NetworkManager.enable-disable-statistics': [ 'no', 'no', 'yes' ], -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, 15 Aug 2018 at 22:11, Michal Suchánek <msuchanek@suse.de> wrote:
On Mon, 13 Aug 2018 20:22:56 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
Because it is normally controlled by PolicyKit and I'd expect it to request authorization.
That would be insane and that's certainly not what the NM supplied policy mandates.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections:
hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections
This message comes from NM which means nmcli could at least connect to it, so connection was not blocked by D-Bus policy.
Sure, if it was the NM applet would not be able to list networks or even connections.
Looks like something with polkit.
Certainly. That is what it looks like from the start
Managed to solve the issue. You can use nmcli command to list the permissions. e.g NOTE: run nmcli under your own userid $ nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control no org.freedesktop.NetworkManager.wifi.share.protected auth org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics no org.freedesktop.NetworkManager.enable-disable-connectivity-check no Now let's say I want to prevent NetworkManager to ask for password to enable shared protected wifi connections. You just need to add the following line in /etc/polkit-default-privs.local org.freedesktop.NetworkManager.wifi.share.protected yes Now run the command /sbin/set_polkit_default_privs $ sudo /sbin/set_polkit_default_privs Now you will find the permission taken effect $ nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control no org.freedesktop.NetworkManager.wifi.share.protected yes org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics no org.freedesktop.NetworkManager.enable-disable-connectivity-check no -- Regards Manvendra - http://www.indimail.org GPG Pub Key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC7CBC760014D250C -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 16/08/18 16:06, Manvendra Bhangui wrote:
On Wed, 15 Aug 2018 at 22:11, Michal Suchánek <msuchanek@suse.de> wrote:
On Mon, 13 Aug 2018 20:22:56 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
Because it is normally controlled by PolicyKit and I'd expect it to request authorization.
That would be insane and that's certainly not what the NM supplied policy mandates.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections:
hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections
This message comes from NM which means nmcli could at least connect to it, so connection was not blocked by D-Bus policy.
Sure, if it was the NM applet would not be able to list networks or even connections.
Looks like something with polkit.
Certainly. That is what it looks like from the start
Managed to solve the issue. You can use nmcli command to list the permissions. e.g NOTE: run nmcli under your own userid
$ nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control no org.freedesktop.NetworkManager.wifi.share.protected auth org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics no org.freedesktop.NetworkManager.enable-disable-connectivity-check no
Now let's say I want to prevent NetworkManager to ask for password to enable shared protected wifi connections. You just need to add the following line in /etc/polkit-default-privs.local
org.freedesktop.NetworkManager.wifi.share.protected yes
Now run the command /sbin/set_polkit_default_privs
$ sudo /sbin/set_polkit_default_privs
Now you will find the permission taken effect
$ nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control no org.freedesktop.NetworkManager.wifi.share.protected yes org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics no org.freedesktop.NetworkManager.enable-disable-connectivity-check no
I tend to favor the hit it with a hammer approach, I created a network group added my user then put the following in "/etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules" polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) { return polkit.Result.YES; } }); -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
On Thu, 16 Aug 2018 12:06:27 +0530 Manvendra Bhangui <mbhangui@gmail.com> wrote:
On Wed, 15 Aug 2018 at 22:11, Michal Suchánek <msuchanek@suse.de> wrote:
On Mon, 13 Aug 2018 20:22:56 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
Because it is normally controlled by PolicyKit and I'd expect it to request authorization.
That would be insane and that's certainly not what the NM supplied policy mandates.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections:
hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections
This message comes from NM which means nmcli could at least connect to it, so connection was not blocked by D-Bus policy.
Sure, if it was the NM applet would not be able to list networks or even connections.
Looks like something with polkit.
Certainly. That is what it looks like from the start
Managed to solve the issue. You can use nmcli command to list the permissions. e.g NOTE: run nmcli under your own userid
$ sudo /sbin/set_polkit_default_privs
Indeed, running this command seems to fix the issue: hramrach@neko:~> nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control auth org.freedesktop.NetworkManager.wifi.share.protected auth org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics auth org.freedesktop.NetworkManager.enable-disable-connectivity-check auth hramrach@neko:~> nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network yes org.freedesktop.NetworkManager.enable-disable-wifi yes org.freedesktop.NetworkManager.enable-disable-wwan yes org.freedesktop.NetworkManager.enable-disable-wimax yes org.freedesktop.NetworkManager.sleep-wake yes org.freedesktop.NetworkManager.network-control yes org.freedesktop.NetworkManager.wifi.share.protected auth org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own yes org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics yes org.freedesktop.NetworkManager.enable-disable-connectivity-check yes hramrach@neko:~> Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (7)
-
Andrei Borzenkov -
Axel Braun -
Manvendra Bhangui -
Michal Suchanek -
Michal Suchánek
-
Patrick Shanahan -
Simon Lees