From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp11.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id 2LQpCDdPz2GLQgEAgWs5BA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 31 Dec 2021 19:43:03 +0100
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id EJeCAzdPz2HSSQAA9RJhRA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 31 Dec 2021 19:43:03 +0100
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 9DA8F2E28
	for <larch@yhetil.org>; Fri, 31 Dec 2021 19:43:02 +0100 (CET)
Received: from localhost ([::1]:58724 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1n3Mrl-0005kL-AI
	for larch@yhetil.org; Fri, 31 Dec 2021 13:43:01 -0500
Received: from eggs.gnu.org ([209.51.188.92]:40122)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1n3Mqp-0005gf-HU
 for bug-guix@gnu.org; Fri, 31 Dec 2021 13:42:04 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:45911)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1n3Mqo-0002hP-Pj
 for bug-guix@gnu.org; Fri, 31 Dec 2021 13:42:03 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1n3Mqo-0002EE-9o
 for bug-guix@gnu.org; Fri, 31 Dec 2021 13:42:02 -0500
X-Loop: help-debbugs@gnu.org
Subject: bug#52904: nmtui - user authorisation
Resent-From: Josselin Poiret <dev@jpoiret.xyz>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Fri, 31 Dec 2021 18:42:02 +0000
Resent-Message-ID: <handler.52904.B52904.16409761068536@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 52904
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: raingloom <raingloom@riseup.net>, Paul Jewell <paul@teulu.org>
Cc: help-guix@gnu.org, 52904@debbugs.gnu.org
Received: via spool by 52904-submit@debbugs.gnu.org id=B52904.16409761068536
 (code B ref 52904); Fri, 31 Dec 2021 18:42:02 +0000
Received: (at 52904) by debbugs.gnu.org; 31 Dec 2021 18:41:46 +0000
Received: from localhost ([127.0.0.1]:57457 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1n3MqY-0002Dc-Bo
 for submit@debbugs.gnu.org; Fri, 31 Dec 2021 13:41:46 -0500
Received: from jpoiret.xyz ([206.189.101.64]:46320)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dev@jpoiret.xyz>) id 1n3MqW-0002DS-9Y
 for 52904@debbugs.gnu.org; Fri, 31 Dec 2021 13:41:44 -0500
Received: from authenticated-user (jpoiret.xyz [206.189.101.64])
 by jpoiret.xyz (Postfix) with ESMTPA id DBADC184F27;
 Fri, 31 Dec 2021 18:41:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim;
 t=1640976102;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=A+Y2Is+FZapC0USfgaEG+IAzRTb5FU/9kFUv15ks+fQ=;
 b=FJgoGmj40J88APbRlDZMt5n3cjgkagKt15CkZFK8ZaxOKz3PkYTpV0g1aS6IyoH/UDaO+L
 jhS6ortA8MpLrnbR3/BYPc4vIxY0QKQl1JYQYWYqgUKAVNOdIqisfEOVm+F9hVbIz9rPQu
 +XbUetgTIrnTJZqELPh3F9RjRrHFy+qMGC479uNIbMmAObgJRPcTuyP3Y0QIf0ghL6oqBJ
 ZheBOwDOcgknj4RROa8EJGCQUfJIgc9jaRkXVGrA8jt1iKOQyWrkyEWPJIX+vh44bsF8Rs
 eetKHe3sj0qJtGJXc3WBT1RF5MYRF/mYr8BRWYknKbl7LmobWLtopxqZdB1gkg==
In-Reply-To: <20211230200023.7aec38ae@riseup.net>
References: <0f941db1-51a5-b579-7f2c-7333057cb402@teulu.org>
 <6404264d-e6c9-831c-9e5f-8327488201eb@teulu.org>
 <YcpKIONStnaZVS21@jasmine.lan>
 <ac62b53d-ceb5-8292-03d3-db08580d6dd4@teulu.org>
 <20211229015029.7f75bb7b@riseup.net>
 <e5042cd0-ddfc-af86-abec-daeee2207e18@teulu.org>
 <20211230200023.7aec38ae@riseup.net>
Date: Fri, 31 Dec 2021 19:41:40 +0100
Message-ID: <878rw0fwgr.fsf@jpoiret.xyz>
MIME-Version: 1.0
Content-Type: text/plain
X-Spamd-Bar: /
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
Reply-to:  Josselin Poiret <dev@jpoiret.xyz>
From:  Josselin Poiret via Bug reports for GNU Guix <bug-guix@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1640976182;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:in-reply-to:in-reply-to:references:references:
	 list-id:list-help:list-unsubscribe:list-subscribe:list-post:
	 dkim-signature; bh=A+Y2Is+FZapC0USfgaEG+IAzRTb5FU/9kFUv15ks+fQ=;
	b=TLjQFRPjZD+zXR19FQtAuGKz8a1qzJDkssevBOifbalPu42UJ85fx6YJEIh+0SR9eEpuEM
	cNPplaftHtHvHmBDlXj5wJ2MoWg46buwxyx+6dvzBXHASi5Smav8vGn1g9vK/udoVIgpXr
	DTRSiU1UJLmAdFVC8Qlo9sI+g1JqzVhyq2ZQPDTZrfWueMJTjauVfx6ZJOb7dmMRxRjtn3
	v8PF3Dnzq4wde5Z901ceZ0fF01hjMaEQMDj6wb2PYHgZn+HG7+bkEuoUgLknFfA5UAxlbD
	SJbOkzxJiUVh8K9ub+VYJa7b3kGoRkHVA+A9/w3HFwwhQ+llWNkjWIP4fawbcw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1640976182; a=rsa-sha256; cv=none;
	b=jDsQbZvgrzLwIPQfiaP02UVk7JG2aF0FDwOADVhcymNk+uNaHvxCgdjmxOboV8cy1ceIPA
	mo6QdNnJiRlSLX7I410lifuC30nGeXyL0AaHB0VnIZ1cIb2i5OtohYpjLA4TZxzpG9prej
	jDpYPcuIeTJBUgXPO2viIBBzLpooJiDFa4frvlszHN7K0a0ueX6dpbj17i38raWPbI/SqP
	pkV+9ehR1dTB94Pe1qPknQDUFztVRFrcKH/blYRikJe30UY1f7nMqdmX2ry7JHkQiwhf6o
	LbjiTOrH1UfzSS8EhRDDMdsRvb6IDmdRI3JGr8IFxzFpq5M9NPyn+UbswqTeUw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=jpoiret.xyz header.s=dkim header.b=FJgoGmj4;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -3.58
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=jpoiret.xyz header.s=dkim header.b=FJgoGmj4;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: 9DA8F2E28
X-Spam-Score: -3.58
X-Migadu-Scanner: scn1.migadu.com
X-TUID: yb2+mfEy5+Jh

Hello,
raingloom <raingloom@riseup.net> writes:

> On Wed, 29 Dec 2021 11:04:39 +0000
> Paul Jewell <paul@teulu.org> wrote:
>
>> On 29/12/2021 00:50, raingloom wrote:
>> > On Tue, 28 Dec 2021 18:39:52 +0000
>> > Paul Jewell<paul@teulu.org>  wrote:
>> >  
>> >> On 27/12/2021 23:20, Leo Famulari wrote:  
>> >>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote:  
>> >>>> Solved this - nmtui needs to be run as root; my script which
>> >>>> invoked the program didn't consider that. Changing it to run as
>> >>>> sudo gives me an opportunity to enter my password, and then
>> >>>> successfully setup the wifi interface details.  
>> >>> Another option is to add nmtui to the list of programs that are
>> >>> setuid. That way, any user on your system could configure wifi,
>> >>> which may be more ergonomic.
>> >>>
>> >>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html
>> >>>     
>> >> This option did work as expected. The only additional point for
>> >> anyone else coming across this post with the same issue: remember
>> >> to add the
>> >>
>> >> #:use-module (gnu system setuid)
>> >>
>> >> so the setuid record is known.
>> >>
>> >> Thanks Leo!  
>> > Uhm, I'm pretty sure NetworkManager lets any user modify networking
>> > settings as long as they are in a certain group?
>> > https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions
>> >
>> > At least that's how it is on postmarketOS and I'm also fairly
>> > certain I never needed root access to set up WiFi under Guix
>> > either, but I don't have a system at hand to verify that on.  
>> 
>> I did also think this, but I couldn't identify which group would let 
>> this happen. I thought it would be the netdev group, but my user
>> account is already a member of that group. The network group is
>> unknown to the system (as in I had an error when trying to add the
>> user to the supplementary group) so I added it, but it didn't have
>> any effect (after rebooting). If there is another group I should be
>> in, I am not sure how to find out. At the moment, the setuid approach
>> seems to work OK (although I would prefer a group solution!).
>> 
>> I am interested in anyone else's experience!
>
> It might be that everyone else is including some default configuration
> for NetworkManager and we aren't. At the very least it should be
> documented how to set it up to use groups.
>
> CC-ing bugs-guix 

NetworkManager uses dbus to communicate with its root-run service, and
Polkit to check for permissions.  By default, the NetworkManager actions
are pretty permissive, you can do most of them without reauthenticating,
except for a couple specific ones.

More in detail, Polkit works by looking up the PID of processes that
ask for specific actions, and then asking systemd-logind/elogind which
session that process is attached to.  Then, there are three different
cases:
* the session is active (not locked, I think that means in logind
parlance).  In this case, Polkit looks at the `allow_active` rule.
* the session is inactive (or locked).  Then, Polkit looks at the
`allow_inactive`.
* there is no session attached to the process (possible for eg. system
services).  Then, Polkit looks at the `allow_any` rule.

Now, if you look at network-manager's
/share/polkit-1/actions/org.freedesktop.NetworkManager.policy, you can
see that some actions are possible for active sessions, while impossible
for inactive sessions, or even processes not attached to the session.

So, I think the issue is that you are trying to do some actions outside
of a session, or in an inactive session, and Polkit refuses to let you
do that.  I don't think there is a way to circumvent that, since there
is no `allow_any` rule for many actions, but I don't know what this
entails (if it is an implicit `no`, `auth_admin`, etc...).

Note that we have a catch-all rule defined at `polkit-wheel` in
gnu/services/desktop.scm that says that administrative users are exactly
the users in the group `wheel`.  That means that when Polkit needs to
authenticate an administrative user, it will ask for your own password
if you're in the `wheel` group, but you still need to reauthenticate,
you cannot bypass that check.

I hope this clears up how Polkit works, and why the action is denied.

-- 
Josselin Poiret