
Bug 348517

Summary: net-misc/networkmanager: Include PolicyKit .pkla file for "plugdev" group to grant access even for inactive users etc.
Product: Gentoo Linux
Reporter: Markos Chandras (RETIRED) <hwoarang>
Component: New packages
Assignee: Robert Piasek (RETIRED) <dagger>
Status: RESOLVED FIXED
Severity: normal
CC: nirbheek, ssuominen, steev
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://forums.gentoo.org/viewtopic-t-856143.html
Attachments: 01-org.freedesktop.NetworkManager.pkla

Description Markos Chandras (RETIRED) gentoo-dev 2010-12-12 15:03:32 UTC
Since 0.8.2, NetworkManager does not work as intended for plugdev group. Downgrading back to 0.8.1 solves the problem. 

Please let me know if I can provide more information to help you debug the problem

Comment 1 Markos Chandras (RETIRED) gentoo-dev 2010-12-12 15:11:04 UTC
Steps to reproduce:

1. Update networkmanager & nm-applet to 0.8.2
2. Reload dbus
3. Restart NetworkManager service
4. Launch nm-applet
Comment 2 Robert Piasek (RETIRED) gentoo-dev 2010-12-14 10:14:38 UTC
For people who are not using polkit - I'll re-introduce dbus policy patch.

R
Comment 3 Robert Piasek (RETIRED) gentoo-dev 2010-12-17 12:36:26 UTC
I've now re-added plugdev group patch

Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-12-18 17:36:03 UTC
Well, nm-applet still doesn't work
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-12-18 18:05:37 UTC
And to be more precise, Enable Networking and Enable wireless are grey (disabled) on nm-applet. Furthermore when I try to launch any of my vpn connections I get the following result


** (nm-applet:3914): WARNING **: <WARN>  activate_vpn_cb(): VPN Connection activation failed: (org.freedesktop.NetworkManager.PermissionDenied) No user settings service available


I'm not sure what is wrong. Is there a decent way to configure networkmanager+nm-applet with polkit?
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-12-18 20:35:02 UTC
(In reply to comment #5)
> And to be more precise, Enable Networking and Enable wireless are grey
> (disabled) on nm-applet. Furthermore when I try to launch any of my vpn
> connections I get the following result
> 
> 
> ** (nm-applet:3914): WARNING **: <WARN>  activate_vpn_cb(): VPN Connection
> activation failed: (org.freedesktop.NetworkManager.PermissionDenied) No user
> settings service available
> 
> 
> I'm not sure what is wrong. Is there a decent way to configure
> networkmanager+nm-applet with polkit?
> 

Ok, ignore me. dbus works fine. Polkit is the one that has troubles. Sorry for the noise
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2011-02-04 19:23:05 UTC
reopen as the solution is incorrect and I would even claim this is a gaping security hole.  plugdev group is useless.

hwoarang, please see this thread:

http://forums.gentoo.org/viewtopic-t-858965-highlight-tips+tricks.html

tampakrap is working on converting it into a guidexml official documentation.
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2011-04-09 10:24:52 UTC
Will remove the plugdev group support in a couple of days as it's redundant.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2011-06-04 16:49:40 UTC
Created attachment 275813: 01-org.freedesktop.NetworkManager.pkla

See bug 369667.

Then see what files get installed into /usr/share/polkit-1 by networkmanager to find out the current defaults for active vs. inactive users.

Then you can create an even more specific .pkla file.

This file goes in $FILESDIR and is installed from the ebuild's src_install():

insinto /etc/polkit-1/localauthority/10-vendor.d
doins "${FILESDIR}"/01-org.freedesktop.NetworkManager.pkla

The "enewgroup plugdev" should then be restored into networkmanager's ebuild.
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2011-06-04 16:51:03 UTC
And:

man 8 pklocalauthority
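
An added example, not part of the bug or its attachment: a small Python audit of a .pkla file in the pklocalauthority(8) keyfile format, listing entries that grant a NetworkManager action with a bare "yes" outside an active local session (the active vs. inactive distinction mentioned in comment 9). The sample file contents, the wheel entry and the name audit_pkla are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in pklocalauthority(8) keyfile syntax; NOT the bug's attachment.
SAMPLE_PKLA = """\
[Let plugdev manage NetworkManager]
Identity=unix-group:plugdev
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[Admins authenticate to modify system connections]
Identity=unix-group:wheel
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin_keep
"""

# Action id taken from the .pkla file name in the commit on this page; used as the probe.
PROBE = "org.freedesktop.NetworkManager.settings.modify.system"

def audit_pkla(text, probe=PROBE):
    """List (section, key, identities) where the probe action is granted
    with a bare 'yes' to clients that are not in an active local session."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keys are case-sensitive: Identity, Action, ResultAny...
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        entry = cp[section]
        identities = [i for i in entry.get("Identity", "").split(";") if i]
        patterns = [a for a in entry.get("Action", "").split(";") if a]
        if not any(fnmatchcase(probe, p) for p in patterns):
            continue  # entry does not cover the action being audited
        # ResultActive covers the active local session; ResultAny and
        # ResultInactive are the keys that apply outside of it.
        for key in ("ResultAny", "ResultInactive"):
            if entry.get(key, "").strip() == "yes":
                findings.append((section, key, identities))
    return findings

if __name__ == "__main__":
    for section, key, who in audit_pkla(SAMPLE_PKLA):
        print(f"{key}=yes for {', '.join(who)} in [{section}]")
```
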
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2011-10-29 11:50:56 UTC
This is finally fixed by this commit today:

+*networkmanager-0.9.1.90-r3 (29 Oct 2011)
+
+  29 Oct 2011; Alexandre Rostovtsev <tetromino@gentoo.org>
+  +files/01-org.freedesktop.NetworkManager.settings.modify.system.pkla,
+  +networkmanager-0.9.1.90-r3.ebuild,
+  +files/networkmanager-0.9.1.90-force-libnl1.1.patch,
+  +files/networkmanager-0.9.1.90-if.h.patch,
+  +files/networkmanager-0.9.1.90-rfkill.patch:
+  Bump to 0.9.1.90 from the gnome overlay. Allow users in plugdev group to
+  modify system connections (so dropped wireless connections no longer bring up
+  a modal root password prompt), thanks to Samuli Suominen for the solution.
+  Numerous code changes.
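
Review bot: the closing line "Numerous code changes." in this ChangeLog entry gives no indication of what else changed alongside a privilege-affecting policy file; list the notable changes or drop the line. The plugdev sentence would also be clearer if it named the polkit action being granted (the added file name points to org.freedesktop.NetworkManager.settings.modify.system) and said that plugdev membership now replaces the root password prompt, so administrators reading the log know who gains the right to modify system connections.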