Subject: bug#52904: nmtui - user authorisation
From: Josselin Poiret via Bug reports for GNU Guix
Reply-to: Josselin Poiret
To: raingloom, Paul Jewell
Cc: help-guix@gnu.org, 52904@debbugs.gnu.org
Date: Fri, 31 Dec 2021 19:41:40 +0100
Message-ID: <878rw0fwgr.fsf@jpoiret.xyz>
In-Reply-To: <20211230200023.7aec38ae@riseup.net>
References: <0f941db1-51a5-b579-7f2c-7333057cb402@teulu.org> <6404264d-e6c9-831c-9e5f-8327488201eb@teulu.org> <20211229015029.7f75bb7b@riseup.net> <20211230200023.7aec38ae@riseup.net>
List-Id: Bug reports for GNU Guix

Hello,

raingloom writes:

> On Wed, 29 Dec 2021 11:04:39 +0000
> Paul Jewell wrote:
>
>> On 29/12/2021 00:50, raingloom wrote:
>> > On Tue, 28 Dec 2021 18:39:52 +0000
>> > Paul Jewell wrote:
>> >
>> >> On 27/12/2021 23:20, Leo Famulari wrote:
>> >>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote:
>> >>>> Solved this - nmtui needs to be run as root; my script which invoked the program didn't consider that. Changing it to run as sudo gives me an opportunity to enter my password, and then successfully set up the wifi interface details.
>> >>> Another option is to add nmtui to the list of programs that are setuid. That way, any user on your system could configure wifi, which may be more ergonomic.
>> >>>
>> >>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html
>> >>>
>> >> This option did work as expected. The only additional point for anyone else coming across this post with the same issue: remember to add the
>> >>
>> >> #:use-module (gnu system setuid)
>> >>
>> >> so the setuid record is known.
>> >>
>> >> Thanks Leo!
>> > Uhm, I'm pretty sure NetworkManager lets any user modify networking settings as long as they are in a certain group?
>> > https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions
>> >
>> > At least that's how it is on postmarketOS and I'm also fairly certain I never needed root access to set up WiFi under Guix either, but I don't have a system at hand to verify that on.
>>
>> I did also think this, but I couldn't identify which group would let this happen. I thought it would be the netdev group, but my user account is already a member of that group. The network group is unknown to the system (as in I had an error when trying to add the user to the supplementary group) so I added it, but it didn't have any effect (after rebooting). If there is another group I should be in, I am not sure how to find out. At the moment, the setuid approach seems to work OK (although I would prefer a group solution!).
>>
>> I am interested in anyone else's experience!
>
> It might be that everyone else is including some default configuration for NetworkManager and we aren't. At the very least it should be documented how to set it up to use groups.
>
> CC-ing bugs-guix

NetworkManager uses dbus to communicate with its root-run service, and Polkit to check for permissions. By default, the NetworkManager actions are pretty permissive: you can do most of them without reauthenticating, except for a couple of specific ones.

More in detail, Polkit works by looking up the PID of processes that ask for specific actions, and then asking systemd-logind/elogind which session that process is attached to. Then, there are three different cases:

* the session is active (not locked, I think that means in logind parlance). In this case, Polkit looks at the `allow_active` rule.
* the session is inactive (or locked). Then, Polkit looks at the `allow_inactive` rule.
* there is no session attached to the process (possible for e.g. system services). Then, Polkit looks at the `allow_any` rule.

Now, if you look at network-manager's /share/polkit-1/actions/org.freedesktop.NetworkManager.policy, you can see that some actions are possible for active sessions, while impossible for inactive sessions, or even processes not attached to the session.
So, I think the issue is that you are trying to do some actions outside of a session, or in an inactive session, and Polkit refuses to let you do that. I don't think there is a way to circumvent that, since there is no `allow_any` rule for many actions, but I don't know what this entails (if it is an implicit `no`, `auth_admin`, etc...).

Note that we have a catch-all rule defined at `polkit-wheel` in gnu/services/desktop.scm that says that administrative users are exactly the users in the group `wheel`. That means that when Polkit needs to authenticate an administrative user, it will ask for your own password if you're in the `wheel` group, but you still need to reauthenticate; you cannot bypass that check.

I hope this clears up how Polkit works, and why the action is denied.

-- 
Josselin Poiret
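The three-case lookup described above (active session, inactive session, no session), as an added example that is not part of this thread nor code from polkit or NetworkManager: a small Python reader for a polkit `.policy` file that reports which implicit authorization applies. The policy text is a constructed sample whose values are illustrative, and `parse_policy`, `implicit_auth`, `explain` and `STATE_TO_ELEMENT` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit's .policy format: the action ids follow
# NetworkManager's naming, but the <defaults> values are illustrative, not
# those shipped in org.freedesktop.NetworkManager.policy.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.NetworkManager.network-control">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.NetworkManager.settings.modify.system">
    <defaults><allow_active>auth_self_keep</allow_active></defaults>
  </action>
</policyconfig>"""

# Which <defaults> element polkit consults for each logind session state;
# None means the calling process is not attached to any session.
STATE_TO_ELEMENT = {"active": "allow_active", "inactive": "allow_inactive",
                    None: "allow_any"}

# What each implicit authorization means for the caller; the *_keep variants
# behave the same but cache a successful prompt for a short while.
MEANING = {"yes": "allowed without a prompt", "no": "denied outright",
           "auth_self": "prompt for the caller's own password",
           "auth_admin": "prompt for an admin password (under Guix's "
                         "polkit-wheel rule, any member of wheel)"}

def parse_policy(xml_text):
    """Return {action_id: {element_name: value}} for every <action>."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = {
            child.tag: (child.text or "").strip()
            for child in (defaults if defaults is not None else [])}
    return actions

def implicit_auth(actions, action_id, session_state):
    """Implicit authorization for action_id given the session state.
    A missing <defaults> element counts as "no", polkit's documented default."""
    return actions.get(action_id, {}).get(STATE_TO_ELEMENT[session_state], "no")

def explain(actions, action_id, session_state):
    """Spell out the outcome for one action and session state."""
    value = implicit_auth(actions, action_id, session_state)
    base = value[:-5] if value.endswith("_keep") else value
    return f"{action_id} [{session_state or 'no session'}]: {MEANING[base]}"
```

Running `explain` over the same action with `"active"` and `None` shows why a script started outside a logind session is prompted or refused while the same user at an active seat is not.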