* nmtui - user authorisation @ 2021-12-27 7:33 Paul Jewell 2021-12-27 22:07 ` Paul Jewell 0 siblings, 1 reply; 11+ messages in thread From: Paul Jewell @ 2021-12-27 7:33 UTC (permalink / raw) To: help-guix Good morning, I am using dwm with network-manager for wifi setup, but the nmtui app doesn't allow me to make changes with a user level account. How can I configure it to allow a user level account to make changes to the wifi setup? Thanks all! Paul ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: nmtui - user authorisation 2021-12-27 7:33 nmtui - user authorisation Paul Jewell @ 2021-12-27 22:07 ` Paul Jewell 2021-12-27 23:20 ` Leo Famulari 0 siblings, 1 reply; 11+ messages in thread From: Paul Jewell @ 2021-12-27 22:07 UTC (permalink / raw) To: help-guix Solved this - nmtui needs to be run as root; my script which invoked the program didn't consider that. Changing it to run as sudo gives me an opportunity to enter my password, and then successfully setup the wifi interface details. -- Paul On 27/12/2021 07:33, Paul Jewell wrote: > Good morning, > > I am using dwm with network-manager for wifi setup, but the nmtui app > doesn't allow me to make changes with a user level account. How can I > configure it to allow a user level account to make changes to the wifi > setup? > > Thanks all! > > Paul ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: nmtui - user authorisation 2021-12-27 22:07 ` Paul Jewell @ 2021-12-27 23:20 ` Leo Famulari 2021-12-28 18:39 ` Paul Jewell 0 siblings, 1 reply; 11+ messages in thread From: Leo Famulari @ 2021-12-27 23:20 UTC (permalink / raw) To: Paul Jewell; +Cc: help-guix On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: > Solved this - nmtui needs to be run as root; my script which invoked the > program didn't consider that. Changing it to run as sudo gives me an > opportunity to enter my password, and then successfully setup the wifi > interface details. Another option is to add nmtui to the list of programs that are setuid. That way, any user on your system could configure wifi, which may be more ergonomic. https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: nmtui - user authorisation 2021-12-27 23:20 ` Leo Famulari @ 2021-12-28 18:39 ` Paul Jewell 2021-12-29 0:50 ` raingloom 0 siblings, 1 reply; 11+ messages in thread From: Paul Jewell @ 2021-12-28 18:39 UTC (permalink / raw) To: Leo Famulari; +Cc: help-guix On 27/12/2021 23:20, Leo Famulari wrote: > On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: >> Solved this - nmtui needs to be run as root; my script which invoked the >> program didn't consider that. Changing it to run as sudo gives me an >> opportunity to enter my password, and then successfully setup the wifi >> interface details. > Another option is to add nmtui to the list of programs that are setuid. > That way, any user on your system could configure wifi, which may be > more ergonomic. > > https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html This option did work as expected. The only additional point for anyone else coming across this post with the same issue: remember to add the #:use-module (gnu system setuid) so the setuid record is known. Thanks Leo! ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: nmtui - user authorisation 2021-12-28 18:39 ` Paul Jewell @ 2021-12-29 0:50 ` raingloom 2021-12-29 11:04 ` Paul Jewell 0 siblings, 1 reply; 11+ messages in thread From: raingloom @ 2021-12-29 0:50 UTC (permalink / raw) To: Paul Jewell; +Cc: help-guix On Tue, 28 Dec 2021 18:39:52 +0000 Paul Jewell <paul@teulu.org> wrote: > On 27/12/2021 23:20, Leo Famulari wrote: > > On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: > >> Solved this - nmtui needs to be run as root; my script which > >> invoked the program didn't consider that. Changing it to run as > >> sudo gives me an opportunity to enter my password, and then > >> successfully setup the wifi interface details. > > Another option is to add nmtui to the list of programs that are > > setuid. That way, any user on your system could configure wifi, > > which may be more ergonomic. > > > > https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html > > > > This option did work as expected. The only additional point for > anyone else coming across this post with the same issue: remember to > add the > > #:use-module (gnu system setuid) > > so the setuid record is known. > > Thanks Leo! Uhm, I'm pretty sure NetworkManager lets any user modify networking settings as long as they are in a certain group? https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions At least that's how it is on postmarketOS and I'm also fairly certain I never needed root access to set up WiFi under Guix either, but I don't have a system at hand to verify that on. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: nmtui - user authorisation 2021-12-29 0:50 ` raingloom @ 2021-12-29 11:04 ` Paul Jewell 2021-12-30 19:00 ` raingloom 0 siblings, 1 reply; 11+ messages in thread From: Paul Jewell @ 2021-12-29 11:04 UTC (permalink / raw) To: raingloom; +Cc: help-guix On 29/12/2021 00:50, raingloom wrote: > On Tue, 28 Dec 2021 18:39:52 +0000 > Paul Jewell<paul@teulu.org> wrote: > >> On 27/12/2021 23:20, Leo Famulari wrote: >>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: >>>> Solved this - nmtui needs to be run as root; my script which >>>> invoked the program didn't consider that. Changing it to run as >>>> sudo gives me an opportunity to enter my password, and then >>>> successfully setup the wifi interface details. >>> Another option is to add nmtui to the list of programs that are >>> setuid. That way, any user on your system could configure wifi, >>> which may be more ergonomic. >>> >>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html >>> >> This option did work as expected. The only additional point for >> anyone else coming across this post with the same issue: remember to >> add the >> >> #:use-module (gnu system setuid) >> >> so the setuid record is known. >> >> Thanks Leo! > Uhm, I'm pretty sure NetworkManager lets any user modify networking > settings as long as they are in a certain group? > https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions > > At least that's how it is on postmarketOS and I'm also fairly certain I > never needed root access to set up WiFi under Guix either, but I don't > have a system at hand to verify that on. I did also think this, but I couldn't identify which group would let this happen. I thought it would be the netdev group, but my user account is already a member of that group. The network group is unknown to the system (as in I had an error when trying to add the user to the supplementary group) so I added it, but it didn't have any effect (after rebooting). If there is another group I should be in, I am not sure how to find out. At the moment, the setuid approach seems to work OK (although I would prefer a group solution!). I am interested in anyone else's experience! ^ permalink raw reply [flat|nested] 11+ messages in thread
* nmtui - user authorisation 2021-12-29 11:04 ` Paul Jewell @ 2021-12-30 19:00 ` raingloom 2021-12-31 18:41 ` bug#52904: " Josselin Poiret via Bug reports for GNU Guix 0 siblings, 1 reply; 11+ messages in thread From: raingloom @ 2021-12-30 19:00 UTC (permalink / raw) To: Paul Jewell; +Cc: Guix Bugs, help-guix On Wed, 29 Dec 2021 11:04:39 +0000 Paul Jewell <paul@teulu.org> wrote: > On 29/12/2021 00:50, raingloom wrote: > > On Tue, 28 Dec 2021 18:39:52 +0000 > > Paul Jewell<paul@teulu.org> wrote: > > > >> On 27/12/2021 23:20, Leo Famulari wrote: > >>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: > >>>> Solved this - nmtui needs to be run as root; my script which > >>>> invoked the program didn't consider that. Changing it to run as > >>>> sudo gives me an opportunity to enter my password, and then > >>>> successfully setup the wifi interface details. > >>> Another option is to add nmtui to the list of programs that are > >>> setuid. That way, any user on your system could configure wifi, > >>> which may be more ergonomic. > >>> > >>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html > >>> > >> This option did work as expected. The only additional point for > >> anyone else coming across this post with the same issue: remember > >> to add the > >> > >> #:use-module (gnu system setuid) > >> > >> so the setuid record is known. > >> > >> Thanks Leo! > > Uhm, I'm pretty sure NetworkManager lets any user modify networking > > settings as long as they are in a certain group? > > https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions > > > > At least that's how it is on postmarketOS and I'm also fairly > > certain I never needed root access to set up WiFi under Guix > > either, but I don't have a system at hand to verify that on. > > I did also think this, but I couldn't identify which group would let > this happen. I thought it would be the netdev group, but my user > account is already a member of that group. The network group is > unknown to the system (as in I had an error when trying to add the > user to the supplementary group) so I added it, but it didn't have > any effect (after rebooting). If there is another group I should be > in, I am not sure how to find out. At the moment, the setuid approach > seems to work OK (although I would prefer a group solution!). > > I am interested in anyone else's experience! It might be that everyone else is including some default configuration for NetworkManager and we aren't. At the very least it should be documented how to set it up to use groups. CC-ing bugs-guix ^ permalink raw reply [flat|nested] 11+ messages in thread
* bug#52904: nmtui - user authorisation 2021-12-30 19:00 ` raingloom @ 2021-12-31 18:41 ` Josselin Poiret via Bug reports for GNU Guix 2022-01-02 9:32 ` Paul Jewell 0 siblings, 1 reply; 11+ messages in thread From: Josselin Poiret via Bug reports for GNU Guix @ 2021-12-31 18:41 UTC (permalink / raw) To: raingloom, Paul Jewell; +Cc: help-guix, 52904 Hello, raingloom <raingloom@riseup.net> writes: > On Wed, 29 Dec 2021 11:04:39 +0000 > Paul Jewell <paul@teulu.org> wrote: > >> On 29/12/2021 00:50, raingloom wrote: >> > On Tue, 28 Dec 2021 18:39:52 +0000 >> > Paul Jewell<paul@teulu.org> wrote: >> > >> >> On 27/12/2021 23:20, Leo Famulari wrote: >> >>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: >> >>>> Solved this - nmtui needs to be run as root; my script which >> >>>> invoked the program didn't consider that. Changing it to run as >> >>>> sudo gives me an opportunity to enter my password, and then >> >>>> successfully setup the wifi interface details. >> >>> Another option is to add nmtui to the list of programs that are >> >>> setuid. That way, any user on your system could configure wifi, >> >>> which may be more ergonomic. >> >>> >> >>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html >> >>> >> >> This option did work as expected. The only additional point for >> >> anyone else coming across this post with the same issue: remember >> >> to add the >> >> >> >> #:use-module (gnu system setuid) >> >> >> >> so the setuid record is known. >> >> >> >> Thanks Leo! >> > Uhm, I'm pretty sure NetworkManager lets any user modify networking >> > settings as long as they are in a certain group? >> > https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions >> > >> > At least that's how it is on postmarketOS and I'm also fairly >> > certain I never needed root access to set up WiFi under Guix >> > either, but I don't have a system at hand to verify that on. >> >> I did also think this, but I couldn't identify which group would let >> this happen. I thought it would be the netdev group, but my user >> account is already a member of that group. The network group is >> unknown to the system (as in I had an error when trying to add the >> user to the supplementary group) so I added it, but it didn't have >> any effect (after rebooting). If there is another group I should be >> in, I am not sure how to find out. At the moment, the setuid approach >> seems to work OK (although I would prefer a group solution!). >> >> I am interested in anyone else's experience! > > It might be that everyone else is including some default configuration > for NetworkManager and we aren't. At the very least it should be > documented how to set it up to use groups. > > CC-ing bugs-guix NetworkManager uses dbus to communicate with its root-run service, and Polkit to check for permissions. By default, the NetworkManager actions are pretty permissive, you can do most of them without reauthenticating, except for a couple specific ones. More in detail, Polkit works by looking up the PID of processes that ask for specific actions, and then asking systemd-logind/elogind which session that process is attached to. Then, there are three different cases: * the session is active (not locked, I think that means in logind parlance). In this case, Polkit looks at the `allow_active` rule. * the session is inactive (or locked). Then, Polkit looks at the `allow_inactive`. * there is no session attached to the process (possible for eg. system services). Then, Polkit looks at the `allow_any` rule. Now, if you look at network-manager's /share/polkit-1/actions/org.freedesktop.NetworkManager.policy, you can see that some actions are possible for active sessions, while impossible for inactive sessions, or even processes not attached to the session. So, I think the issue is that you are trying to do some actions outside of a session, or in an inactive session, and Polkit refuses to let you do that. I don't think there is a way to circumvent that, since there is no `allow_any` rule for many actions, but I don't know what this entails (if it is an implicit `no`, `auth_admin`, etc...). Note that we have a catch-all rule defined at `polkit-wheel` in gnu/services/desktop.scm that says that administrative users are exactly the users in the group `wheel`. That means that when Polkit needs to authenticate an administrative user, it will ask for your own password if you're in the `wheel` group, but you still need to reauthenticate, you cannot bypass that check. I hope this clears up how Polkit works, and why the action is denied. -- Josselin Poiret ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: bug#52904: nmtui - user authorisation 2021-12-31 18:41 ` bug#52904: " Josselin Poiret via Bug reports for GNU Guix @ 2022-01-02 9:32 ` Paul Jewell 2022-01-02 11:07 ` Josselin Poiret 0 siblings, 1 reply; 11+ messages in thread From: Paul Jewell @ 2022-01-02 9:32 UTC (permalink / raw) To: Josselin Poiret, raingloom; +Cc: help-guix, 52904 On 31/12/2021 18:41, Josselin Poiret wrote: > Hello, > raingloom<raingloom@riseup.net> writes: > >> On Wed, 29 Dec 2021 11:04:39 +0000 >> Paul Jewell<paul@teulu.org> wrote: >> >>> On 29/12/2021 00:50, raingloom wrote: >>>> On Tue, 28 Dec 2021 18:39:52 +0000 >>>> Paul Jewell<paul@teulu.org> wrote: >>>> >>>>> On 27/12/2021 23:20, Leo Famulari wrote: >>>>>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote: >>>>>>> Solved this - nmtui needs to be run as root; my script which >>>>>>> invoked the program didn't consider that. Changing it to run as >>>>>>> sudo gives me an opportunity to enter my password, and then >>>>>>> successfully setup the wifi interface details. >>>>>> Another option is to add nmtui to the list of programs that are >>>>>> setuid. That way, any user on your system could configure wifi, >>>>>> which may be more ergonomic. >>>>>> >>>>>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html >>>>>> >>>>> This option did work as expected. The only additional point for >>>>> anyone else coming across this post with the same issue: remember >>>>> to add the >>>>> >>>>> #:use-module (gnu system setuid) >>>>> >>>>> so the setuid record is known. >>>>> >>>>> Thanks Leo! >>>> Uhm, I'm pretty sure NetworkManager lets any user modify networking >>>> settings as long as they are in a certain group? >>>> https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions >>>> >>>> At least that's how it is on postmarketOS and I'm also fairly >>>> certain I never needed root access to set up WiFi under Guix >>>> either, but I don't have a system at hand to verify that on. >>> I did also think this, but I couldn't identify which group would let >>> this happen. I thought it would be the netdev group, but my user >>> account is already a member of that group. The network group is >>> unknown to the system (as in I had an error when trying to add the >>> user to the supplementary group) so I added it, but it didn't have >>> any effect (after rebooting). If there is another group I should be >>> in, I am not sure how to find out. At the moment, the setuid approach >>> seems to work OK (although I would prefer a group solution!). >>> >>> I am interested in anyone else's experience! >> It might be that everyone else is including some default configuration >> for NetworkManager and we aren't. At the very least it should be >> documented how to set it up to use groups. >> >> CC-ing bugs-guix > NetworkManager uses dbus to communicate with its root-run service, and > Polkit to check for permissions. By default, the NetworkManager actions > are pretty permissive, you can do most of them without reauthenticating, > except for a couple specific ones. > > More in detail, Polkit works by looking up the PID of processes that > ask for specific actions, and then asking systemd-logind/elogind which > session that process is attached to. Then, there are three different > cases: > * the session is active (not locked, I think that means in logind > parlance). In this case, Polkit looks at the `allow_active` rule. > * the session is inactive (or locked). Then, Polkit looks at the > `allow_inactive`. > * there is no session attached to the process (possible for eg. system > services). Then, Polkit looks at the `allow_any` rule. > > Now, if you look at network-manager's > /share/polkit-1/actions/org.freedesktop.NetworkManager.policy, you can > see that some actions are possible for active sessions, while impossible > for inactive sessions, or even processes not attached to the session. > > So, I think the issue is that you are trying to do some actions outside > of a session, or in an inactive session, and Polkit refuses to let you > do that. I don't think there is a way to circumvent that, since there > is no `allow_any` rule for many actions, but I don't know what this > entails (if it is an implicit `no`, `auth_admin`, etc...). > > Note that we have a catch-all rule defined at `polkit-wheel` in > gnu/services/desktop.scm that says that administrative users are exactly > the users in the group `wheel`. That means that when Polkit needs to > authenticate an administrative user, it will ask for your own password > if you're in the `wheel` group, but you still need to reauthenticate, > you cannot bypass that check. > > I hope this clears up how Polkit works, and why the action is denied. > Good morning Josselin, and Happy New Year! Many thanks for taking the time to explain this in detail for us. If I have properly understood your explanation, it suggests I am running network-manager from outside of the dbus session. If I look at the processes running on my system at this moment, the dbus-launch process has an id of 881, while the network-manager session has an id of 463, suggesting that it was started before dbus. My system configuration is relatively standard (if there is such a thing) - I don't do anything to change how dbus or network manager are launched, but rely on the defaults provided by the the desktop-service. Is there any way to ensure network-manager is launched inside the dbus session? I am using slim rather than gdm, and as a desktop manager I am using dwm (with some local changes). Regarding the wheel group - my user is in this group, but I don't get any request for a password - nmtui simply informs me that I don't have the necessary authorisation. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: bug#52904: nmtui - user authorisation 2022-01-02 9:32 ` Paul Jewell @ 2022-01-02 11:07 ` Josselin Poiret 2022-01-02 20:42 ` Mekeor Melire 0 siblings, 1 reply; 11+ messages in thread From: Josselin Poiret @ 2022-01-02 11:07 UTC (permalink / raw) To: Paul Jewell, raingloom; +Cc: help-guix, 52904 Hello again, > Good morning Josselin, and Happy New Year! > > Many thanks for taking the time to explain this in detail for us. If I > have properly understood your explanation, it suggests I am running > network-manager from outside of the dbus session. If I look at the > processes running on my system at this moment, the dbus-launch process > has an id of 881, while the network-manager session has an id of 463, > suggesting that it was started before dbus. My system configuration is > relatively standard (if there is such a thing) - I don't do anything to > change how dbus or network manager are launched, but rely on the > defaults provided by the the desktop-service. Is there any way to ensure > network-manager is launched inside the dbus session? I am using slim > rather than gdm, and as a desktop manager I am using dwm (with some > local changes). > > Regarding the wheel group - my user is in this group, but I don't get > any request for a password - nmtui simply informs me that I don't have > the necessary authorisation. Some context is missing from the forwarded mail, so I have no idea what script you're trying to run or how, unfortunately. Here is some more information though: * there are generally two (or more) dbus daemons running. One for the system bus, launched through Shepherd (named `dbus-system`), and one for each session, for the session bus, started either manually or often through your DM (ie. GDM). elogind and NetworkManager both run on the system bus. * for Polkit to successfully reauthenticate you, it needs to have a registered agent running. A Polkit agent is a program that registers with Polkit via dbus, is associated with a session, and is used by Polkit to prompt the user for a password. There are many, see [1]. You can test whether the agent is properly set-up by simply running `pkexec echo "Hello"`, pkexec being roughly the equivalent of `sudo`, but using Polkit for permission checking. [1] https://wiki.archlinux.org/title/Polkit#Authentication_agents -- Josselin Poiret ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: bug#52904: nmtui - user authorisation 2022-01-02 11:07 ` Josselin Poiret @ 2022-01-02 20:42 ` Mekeor Melire 0 siblings, 0 replies; 11+ messages in thread From: Mekeor Melire @ 2022-01-02 20:42 UTC (permalink / raw) To: help-guix 2022-01-02 / 12:07 / dev@jpoiret.xyz: > Hello again, >> Good morning Josselin, and Happy New Year! >> >> Many thanks for taking the time to explain this in detail for us. If I >> have properly understood your explanation, it suggests I am running >> network-manager from outside of the dbus session. If I look at the n>> processes running on my system at this moment, the dbus-launch process >> has an id of 881, while the network-manager session has an id of 463, >> suggesting that it was started before dbus. My system configuration is >> relatively standard (if there is such a thing) - I don't do anything to >> change how dbus or network manager are launched, but rely on the >> defaults provided by the the desktop-service. Is there any way to ensure >> network-manager is launched inside the dbus session? I am using slim >> rather than gdm, and as a desktop manager I am using dwm (with some >> local changes). >> >> Regarding the wheel group - my user is in this group, but I don't get >> any request for a password - nmtui simply informs me that I don't have >> the necessary authorisation. > > Some context is missing from the forwarded mail, so I have no idea what > script you're trying to run or how, unfortunately. Here is some more > information though: > * there are generally two (or more) dbus daemons running. One for the > system bus, launched through Shepherd (named `dbus-system`), and one for > each session, for the session bus, started either manually or often > through your DM (ie. GDM). elogind and NetworkManager both run on the > system bus. > * for Polkit to successfully reauthenticate you, it needs to have a > registered agent running. A Polkit agent is a program that registers > with Polkit via dbus, is associated with a session, and is used by > Polkit to prompt the user for a password. There are many, see [1]. You > can test whether the agent is properly set-up by simply running `pkexec > echo "Hello"`, pkexec being roughly the equivalent of `sudo`, but using > Polkit for permission checking. > > [1] https://wiki.archlinux.org/title/Polkit#Authentication_agents On #guix:libera.chat, I reported Josselin that I had a similar issue as Paul reported. Namely, I could not use e.g. `nmcli device wifi connect foo password bar` to connect to a wifi. Instead I got a permission error. Josselin suggested me to install polkit-gnome and to keep ~/.guix-profile/libexec/polkit-gnome-authentication-agent-1 running afterwards. This worked for me. (My user is member of the netdev group.) ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-01-02 20:47 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-12-27 7:33 nmtui - user authorisation Paul Jewell 2021-12-27 22:07 ` Paul Jewell 2021-12-27 23:20 ` Leo Famulari 2021-12-28 18:39 ` Paul Jewell 2021-12-29 0:50 ` raingloom 2021-12-29 11:04 ` Paul Jewell 2021-12-30 19:00 ` raingloom 2021-12-31 18:41 ` bug#52904: " Josselin Poiret via Bug reports for GNU Guix 2022-01-02 9:32 ` Paul Jewell 2022-01-02 11:07 ` Josselin Poiret 2022-01-02 20:42 ` Mekeor Melire
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).