On 16/08/18 16:06, Manvendra Bhangui wrote:
On Wed, 15 Aug 2018 at 22:11, Michal Suchánek
wrote: On Mon, 13 Aug 2018 20:22:56 +0300 Andrei Borzenkov
wrote: 13.08.2018 19:40, Michal Suchanek пишет:
On Sat, 11 Aug 2018 10:03:04 +0300 Andrei Borzenkov
wrote: 10.08.2018 18:34, Michal Suchánek пишет:
Hello,
I updated my system and now NM applet tells me "not authorized" on pretty much any operation.
Not sure what "NM applet" is, but works for me in GNOME - I can disconnect and connect with default wired profile as normal user.
It works for me as well on another machine and used to work on this one before the update.
It automatically connects to pre-configured WiFi but disconnecting, reconnecting, configuring, etc. is forbidden.
It does not even ask for password?
Why would it?
Because it is normally controlled by PolicyKit and I'd expect it to request authorization.
That would be insane and that's certainly not what the NM supplied policy mandates.
I looked at the policy file shipped with NM and it is quite permissive.
Is there something to be done?
Start with checking nmcli, nmtui and nm-connection-editor - do they behave identically?
Of course, it's the policy. At least root is allowed to change the connections:
hramrach@neko:~> nmcli c down MicroFocus Connection 'MicroFocus' deactivation failed: Not authorized to deactivate connections
This message comes from NM which means nmcli could at least connect to it, so connection was not blocked by D-Bus policy.
Sure, if it was the NM applet would not be able to list networks or even connections.
Looks like something with polkit.
Certainly. That is what it looks like from the start
Managed to solve the issue. You can use nmcli command to list the permissions. e.g NOTE: run nmcli under your own userid
$ nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control no org.freedesktop.NetworkManager.wifi.share.protected auth org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics no org.freedesktop.NetworkManager.enable-disable-connectivity-check no
Now let's say I want to prevent NetworkManager to ask for password to enable shared protected wifi connections. You just need to add the following line in /etc/polkit-default-privs.local
org.freedesktop.NetworkManager.wifi.share.protected yes
Now run the command /sbin/set_polkit_default_privs
$ sudo /sbin/set_polkit_default_privs
Now you will find the permission taken effect
$ nmcli general permissions PERMISSION VALUE org.freedesktop.NetworkManager.enable-disable-network auth org.freedesktop.NetworkManager.enable-disable-wifi auth org.freedesktop.NetworkManager.enable-disable-wwan auth org.freedesktop.NetworkManager.enable-disable-wimax auth org.freedesktop.NetworkManager.sleep-wake auth org.freedesktop.NetworkManager.network-control no org.freedesktop.NetworkManager.wifi.share.protected yes org.freedesktop.NetworkManager.wifi.share.open auth org.freedesktop.NetworkManager.settings.modify.system auth org.freedesktop.NetworkManager.settings.modify.own auth org.freedesktop.NetworkManager.settings.modify.hostname auth org.freedesktop.NetworkManager.settings.modify.global-dns auth org.freedesktop.NetworkManager.reload auth org.freedesktop.NetworkManager.checkpoint-rollback auth org.freedesktop.NetworkManager.enable-disable-statistics no org.freedesktop.NetworkManager.enable-disable-connectivity-check no
I tend to favor the hit it with a hammer approach, I created a network group added my user then put the following in "/etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules" polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) { return polkit.Result.YES; } }); -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B