From: Josselin Poiret
To: raingloom, Paul Jewell
Cc: help-guix@gnu.org, 52904@debbugs.gnu.org
Subject: Re: bug#52904: nmtui - user authorisation
In-Reply-To: <20211230200023.7aec38ae@riseup.net>
Date: Fri, 31 Dec 2021 19:41:40 +0100
Message-ID: <878rw0fwgr.fsf@jpoiret.xyz>
Hello,

raingloom writes:

> On Wed, 29 Dec 2021 11:04:39 +0000
> Paul Jewell wrote:
>
>> On 29/12/2021 00:50, raingloom wrote:
>> > On Tue, 28 Dec 2021 18:39:52 +0000
>> > Paul Jewell wrote:
>> >
>> >> On 27/12/2021 23:20, Leo Famulari wrote:
>> >>> On Mon, Dec 27, 2021 at 10:07:17PM +0000, Paul Jewell wrote:
>> >>>> Solved this - nmtui needs to be run as root; my script which
>> >>>> invoked the program didn't consider that. Changing it to run as
>> >>>> sudo gives me an opportunity to enter my password, and then
>> >>>> successfully set up the wifi interface details.
>> >>> Another option is to add nmtui to the list of programs that are
>> >>> setuid. That way, any user on your system could configure wifi,
>> >>> which may be more ergonomic.
>> >>>
>> >>> https://guix.gnu.org/manual/devel/en/html_node/Setuid-Programs.html
>> >>>
>> >> This option did work as expected. The only additional point for
>> >> anyone else coming across this post with the same issue: remember
>> >> to add the
>> >>
>> >> #:use-module (gnu system setuid)
>> >>
>> >> so the setuid record is known.
>> >>
>> >> Thanks Leo!
>> > Uhm, I'm pretty sure NetworkManager lets any user modify networking
>> > settings as long as they are in a certain group?
>> > https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions
>> >
>> > At least that's how it is on postmarketOS and I'm also fairly
>> > certain I never needed root access to set up WiFi under Guix
>> > either, but I don't have a system at hand to verify that on.
>>
>> I did also think this, but I couldn't identify which group would let
>> this happen. I thought it would be the netdev group, but my user
>> account is already a member of that group. The network group is
>> unknown to the system (as in I had an error when trying to add the
>> user to the supplementary group) so I added it, but it didn't have
>> any effect (after rebooting). If there is another group I should be
>> in, I am not sure how to find out. At the moment, the setuid approach
>> seems to work OK (although I would prefer a group solution!).
>>
>> I am interested in anyone else's experience!
>
> It might be that everyone else is including some default configuration
> for NetworkManager and we aren't. At the very least it should be
> documented how to set it up to use groups.
>
> CC-ing bugs-guix

NetworkManager uses dbus to communicate with its root-run service, and
Polkit to check for permissions. By default, the NetworkManager actions
are pretty permissive: you can do most of them without reauthenticating,
except for a couple of specific ones.

More in detail, Polkit works by looking up the PID of processes that ask
for specific actions, and then asking systemd-logind/elogind which
session that process is attached to. Then, there are three different
cases:

* the session is active (not locked, I think that means in logind
  parlance). In this case, Polkit looks at the `allow_active` rule.
* the session is inactive (or locked). Then, Polkit looks at the
  `allow_inactive` rule.
* there is no session attached to the process (possible for e.g. system
  services). Then, Polkit looks at the `allow_any` rule.
Now, if you look at network-manager's
/share/polkit-1/actions/org.freedesktop.NetworkManager.policy, you can
see that some actions are possible for active sessions, while impossible
for inactive sessions, or even for processes not attached to a session.
So, I think the issue is that you are trying to do some actions outside
of a session, or in an inactive session, and Polkit refuses to let you
do that. I don't think there is a way to circumvent that, since there is
no `allow_any` rule for many actions, but I don't know what this entails
(if it is an implicit `no`, `auth_admin`, etc.).

Note that we have a catch-all rule defined at `polkit-wheel` in
gnu/services/desktop.scm that says that administrative users are exactly
the users in the group `wheel`. That means that when Polkit needs to
authenticate an administrative user, it will ask for your own password
if you're in the `wheel` group, but you still need to reauthenticate;
you cannot bypass that check.

I hope this clears up how Polkit works, and why the action is denied.

-- 
Josselin Poiret
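The three-case lookup described in the message above, as an added example that is not part of the bug thread nor of Polkit's or Guix's own code: a small Python model of how Polkit picks the implicit authorization from a `.policy` file given the session state logind reports for the caller. The policy fragment is constructed in the `.policy` format (the values NetworkManager actually ships may differ), and the `explain` helper assumes Guix's `polkit-wheel` convention that `wheel` members are the administrative users.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .policy format; the values NetworkManager
# actually ships may differ (see /share/polkit-1/actions/ in its output).
POLICY_XML = """<policyconfig>
  <action id="org.freedesktop.NetworkManager.network-control">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.NetworkManager.settings.modify.system">
    <defaults>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Session state as reported by logind/elogind -> element Polkit consults.
SESSION_KEY = {"active": "allow_active", "inactive": "allow_inactive",
               None: "allow_any"}

def load_defaults(xml_text):
    """Return {action id: {allow_any, allow_inactive, allow_active}}.
    An element the file leaves out is treated as "no", as polkit does."""
    policy = {}
    for action in ET.fromstring(xml_text).findall("action"):
        defaults = action.find("defaults")
        policy[action.get("id")] = {
            key: (defaults.findtext(key, "no") if defaults is not None else "no")
            for key in SESSION_KEY.values()
        }
    return policy

def implicit_authorization(policy, action_id, session_state):
    """session_state: 'active', 'inactive' or None (no logind session).
    Unknown actions are denied."""
    return policy.get(action_id, {}).get(SESSION_KEY[session_state], "no")

def explain(implicit, caller_in_wheel):
    """What the caller sees, assuming Guix's polkit-wheel rule (wheel = admin)."""
    if implicit == "yes":
        return "allowed without a prompt"
    if implicit == "no":
        return "denied, no prompt"
    if implicit.startswith("auth_admin"):
        return ("prompted for own password (wheel member)" if caller_in_wheel
                else "prompted for an administrator's password")
    return "prompted for own password"  # auth_self / auth_self_keep
```

Running the same action with session state `None` (a script started outside any logind session) versus `"active"` shows why the thread's nmtui invocation was refused.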