Non-root user cannot control NetworkManager.

[RandomCharacter]

I have stopped using slim or lightdm login manager, now using startx instead. Debian Joe helped me get Network Manager to display my connections, properly.

However, I have discovered another problem. The non-root user does not have permission to control the network connections. The Enable Network and Enable Wifi menu items are grayed out and, if I go to Edit Connections and select either connection, the Edit button is grayed out. I tested with the root userid, and it has no problem controlling the connections.

So, I installed the polkit rule in /etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules. My userid is a member of the group netdev. However, this does not resolve the problem.

Code: Select all

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("netdev")) {
    return polkit.Result.YES;
  }
});

Why does my rule not work? Is it in the wrong directory for Debian? I have tried using the pkaction command to verify, but I don't understand the output.

Code: Select all

$ pkaction --verbose --action-id org.freedesktop.NetworkManager.enable-disable-wifi
org.freedesktop.NetworkManager.enable-disable-wifi:
  description:       Enable or disable WiFi devices
  message:           System policy prevents enabling or disabling WiFi devices
  vendor:            NetworkManager
  vendor_url:        http://www.gnome.org/projects/NetworkManager
  icon:              nm-icon
  implicit any:      no
  implicit inactive: no
  implicit active:   yes

Tim

[machinebacon]

Hi Tim,
can you please post

Code: Select all

ls /usr/share/polkit-1/actions/org.freedesktop.*

or, if it exists

Code: Select all

cat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

and which session (WM/DE) are you using? .xinitrc starts ck-launch-session dbus-launch <session>?

[Titan]

EDIT: removed reference to group name for Arch and Ubuntu.

This mite also be important to you.

All users in the network group will be able to add and remove networks without a password. This will not work under systemd if you do not have an active session with systemd-logind.

Checking systemd-login : https://wiki.archlinux.org/index.php/Sy ... emd-logind

Also some more general troubleshooting in case you havent yet seen this : https://wiki.archlinux.org/index.php/Ge ... ermissions

Hope you get it fixed.

[machinebacon]

Jamie,
Debian uses "netdev" for NetworkManager, Ubuntu used "network".
https://wiki.ubuntu.com/Security/Privil ... t_networks

[Titan]

Ah i see, i checked the debian wiki for this, but it didnt have much information.

Anyway, those other trouble shooting options may help.

[machinebacon]

OP uses siduction with sysvinit, IIRC, so the systemd-construct won't work for him. The problem is quite definitely in the polkit-1 permissions. Just need to find out which DE/WM OP uses and we can fix it depending on that :)

[Titan]

Really? i seem to remember Tim saying something about having systemd on one of his machines, if im wrong then i hope your right and its polkit issues.

@Tim, i know you've probably already read up about polkit, but if not this mite be of some help: https://wiki.archlinux.org/index.php/PolicyKit

[machinebacon]

No idea really, I just remember he use(s/d) siduction which is sysvint; and Arch with systemd. I really just wanted to point at polkit-1 and the naming changes after recent upgrades (in Debian sid).

[RandomCharacter]

Hi Tim,
can you please post

Code: Select all

ls /usr/share/polkit-1/actions/org.freedesktop.*

or, if it exists

Code: Select all

cat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

and which session (WM/DE) are you using? .xinitrc starts ck-launch-session dbus-launch <session>?

Code: Select all

$ ls /usr/share/polkit-1/actions/org.freedesktop.*
/usr/share/polkit-1/actions/org.freedesktop.consolekit.policy      /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
/usr/share/polkit-1/actions/org.freedesktop.hostname1.policy       /usr/share/polkit-1/actions/org.freedesktop.timedate1.policy
/usr/share/polkit-1/actions/org.freedesktop.locale1.policy         /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy
/usr/share/polkit-1/actions/org.freedesktop.login1.policy          /usr/share/polkit-1/actions/org.freedesktop.udisks.policy
/usr/share/polkit-1/actions/org.freedesktop.modem-manager.policy   /usr/share/polkit-1/actions/org.freedesktop.upower.policy
/usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy  /usr/share/polkit-1/actions/org.freedesktop.upower.qos.policy
/usr/share/polkit-1/actions/org.freedesktop.policykit.policy

Code: Select all

  <action id="org.freedesktop.NetworkManager.settings.modify.hostname">
    <description>Modify persistent system hostname</description>
         ... a bunch of lang = statements ...
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

And the end of my xinitrc exec is startlxde

Tim

PS - I do use systemd. I did check the loginctl thing when I was researching the issue, but again, I do not understand the output and the Arch wiki article does not explain what to look for.

Code: Select all

Id=c2
Timestamp=Tue 2013-10-15 05:56:29 CDT
TimestampMonotonic=279622078
DefaultControlGroup=systemd:/user/1000.user/c2.session
VTNr=1
TTY=/dev/tty1
Remote=no
Service=login
Leader=17146
Audit=0
Type=tty
Class=user
Active=no
State=online
KillProcesses=no
IdleHint=yes
IdleSinceHint=1381834592482862
IdleSinceHintMonotonic=282321314
Name=tim

[RandomCharacter]

Really? i seem to remember Tim saying something about having systemd on one of his machines, if im wrong then i hope your right and its polkit issues.

@Tim, i know you've probably already read up about polkit, but if not this mite be of some help: https://wiki.archlinux.org/index.php/PolicyKit

@Titan, yes, I read that page too, but I am afraid it is over my head. I am trying to re-read it, now.

Tim

[machinebacon]

All right, thank you.

The .xinitrc should include:

Code: Select all

exec ck-launch-session dbus-launch startlxde

Also install the files:

Code: Select all

sudo apt-get install lxpolkit libpam-ck-connector libpam-gnome-keyring gnome-keyring

Add these lines to /home/$USER/.config/autostart/keyring.desktop

Code: Select all

[Desktop Entry] 
Type=Application
Exec=eval $(gnome-keyring-daemon -s --components=pkcs11,secrets,ssh,gpg)

Log out and back. Hope it works.

(side note: is there a certain reason to use gnome-network-manager instead of Ceni or wicd? I recommend Ceni, and if you need additional stuff like VPN or so, you can do this without the overhead of network-manager)

[RandomCharacter]

Thanks, @machinebacon. I am afraid I will have to do the work and testing later, as I have to get ready to take my son out of town for a school function. But I will report back, later.

Tim

[RandomCharacter]

Ok, I apologize to everyone who tried to help me, but the simplest and easiest fix was to just run "systemctl enable slim" and reboot.

I have a hard time understanding why slim can resolve this problem without having to install four new packages and an autostart file. It seems that startx should be able to be configured to do whatever slim is doing.

I was trying to make my system leaner and simpler, not vice versa.

I sincerely thank everyone who was helping.

Tim

[rhowaldt]

^

I was trying to make my system leaner and simpler, not vice versa.

(side note: is there a certain reason to use gnome-network-manager instead of Ceni or wicd? I recommend Ceni, and if you need additional stuff like VPN or so, you can do this without the overhead of network-manager)

hihi.

[machinebacon]

^ yep, biting on my tongue.

We should maybe note - for the sake of completeness - that the problems of OP did not occur on a LinuxBBQ pre-configured release.

[RandomCharacter]

Ok, I will look at Ceni and, if it works for me, I'll disable slim and try startx, again. I have tried wicd before and I didn't really care for it.

Tim

[wuxmedia]

ceni is easy peasy.
thing is theses dm's do handle a bunch of stuff i can't work out.
for example
suspend on lid down 'just works' with a DM