Trying to make NetworkManager sane in 12.2

As part of my testing of opensuse 12.2 Beta1, I have been checking out how NetworkManager works for WiFi connections.  And it still has the same problems we saw with 12.1, namely that it requires the root password to do almost anything.

I decided that it was time to get my hands dirty, and see whether I could make some changes that would result in the system behaving more sanely.  This post describes what I have done.  I would appreciate feedback (comments) from readers about this.

Background

With opensuse 11.4 and earlier, when you set up a connection the information was saved in the local user files.  And everything worked reasonably well, except that the KDE applet mishandled connections with a hidden SSID.  You could, optionally, make the defined connection a system connection, although that was only supported by the Gnome applet; the option was there for the KDE applet, but was grayed out.  Setting up a connection defined in local files did not require the root password.  Making it a system connection (available to all users) did require the root password.

With 12.1, there was a newer version of NetworkManager that changed everything.  Now all connections are system connections.  The option to have it not a system connection is still there, but NetworkManager then sets that up as a system connection that is accessible to only the one user.  The information for the connection is saved in system files (in the directory “/etc/NetworkManager/system-connections”).

The effect was that the root password was required for almost everything wifi related, other than enabling/disabling wireless.

The workaround

Here is what I am currently testing.

Opensuse comes with a number of NetworkManager-related files that are used to configure PolicyKit permissions.  The three files that seem most relevant are:

org.freedesktop.NetworkManager.settings.modify.system.pkla
org.freedesktop.NetworkManager.wifi.share.open.pkla
org.freedesktop.NetworkManager.wifi.share.protected.pkla

Those files reside in the directory “/var/lib/polkit-1/localauthority/10-vendor.d”

I have edited those three files.  Before editing them, I created a unix group “network” and I added two of the three non-root users of this system to that group.  I will describe the changes that I made to the first of the three files.  The changes to the other files are similar.

Here’s the original version of the file:

[org.freedesktop.NetworkManager.settings.modify.system]
Identity=unix-group:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep

And here is the new version of the file:

[org.freedesktop.NetworkManager.settings.modify.system]
Identity=unix-group:network
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=yes

As you can see, I made two changes.  I changed the group from “*” to “network” in the “Identity” line, and I changed the permission in the “ResultActive” line to “yes”.

The intended effect is that users in group “network” should be able to work with WiFi connections, provided that they are at the active console.
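The following is an added example, not part of the original post or of PolicyKit itself: a small Python audit that parses the two versions of the file shown above and lists which identities get access without a password prompt, and in which kind of session. The function names and the TOO_BROAD variant are constructed for illustration.

```python
import configparser

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
ACTION = "org.freedesktop.NetworkManager.settings.modify.system"

# The two versions of the file quoted in the post.
ORIGINAL = f"""[{ACTION}]
Identity=unix-group:*
Action={ACTION}
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
"""
MODIFIED = ORIGINAL.replace("unix-group:*", "unix-group:network").replace(
    "ResultActive=auth_admin_keep", "ResultActive=yes")
# Constructed for contrast (not from the post): wildcard group, any session.
TOO_BROAD = ORIGINAL.replace("ResultAny=auth_admin_keep", "ResultAny=yes")

def parse_pkla(text):
    """Parse .pkla text into a list of entries (one per [section])."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive...
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        sec = cp[name]
        entries.append({
            "name": name,
            # Identity and Action are semicolon-separated lists.
            "identities": [i for i in sec.get("Identity", "").split(";") if i],
            "actions": [a for a in sec.get("Action", "").split(";") if a],
            "results": {k: sec[k] for k in RESULT_KEYS if k in sec},
        })
    return entries

def passwordless_grants(entries):
    """Every (identity, action, key) whose result is 'yes' (no prompt)."""
    return [(i, a, k) for e in entries for k, v in e["results"].items()
            if v == "yes" for i in e["identities"] for a in e["actions"]]

def findings(entries):
    """Passwordless grants worth a second look: wildcard identity, or a
    result that also applies outside the active local session."""
    return [(i, a, k) for (i, a, k) in passwordless_grants(entries)
            if "*" in i or k != "ResultActive"]

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("modified", MODIFIED),
                        ("too broad", TOO_BROAD)):
        e = parse_pkla(text)
        print(label, passwordless_grants(e), findings(e))
```

The modified file produces one passwordless grant (group “network”, active session only) and no findings; the constructed variant is flagged because “yes” on ResultAny with a wildcard group would also cover clients that are not at the local console.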

I have tested the changes, and they seem to do what I expected of them.  The two of my user accounts that I put in the “network” group can now edit connections without being prompted for the root password.  I tested that in both KDE and Gnome.  And the user who is not in the “network” group is still prompted for a password (only tested in Gnome).

I’m not certain, but I think my tests only apply to the first file that I changed.  I’m not quite sure what the other files are for.  They might be needed for an ad hoc connection.  Or perhaps they are only used when there is a special user agent to manage connections (not present in the standard release).

Was my change technically wrong?

Yes, it was probably wrong.  We are supposed to copy such files to the corresponding directory tree under “/etc” and modify them there.  I tried that, but I could never get it to work.  This is probably because my use of group “network” won’t override the group “*” if that is used in the files under “/var/lib”.

About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

4 responses to “Trying to make NetworkManager sane in 12.2”

  1. Dr No says :

    This is completely crap behaviour, I’ve just jumped from 11.4 to 12.2 RC2 for testing and got slam dunked by this. WTF are suse developers thinking ? This just gives Linux a bad name and I’m with Linus’s rant on opensuse’s stupid permissions.

  2. Neil Rickert says :

    The changes from 11.4 to now are mostly due to a design change in NetworkManager. The way that opensuse is configuring PolicyKit has not much changed.

    It seems to me that opensuse is using a far too restrictive configuration of PolicyKit.

    In any case, the changes that I suggested should work for you. After 12.2 final is released, I plan to spend more time on PolicyKit.

    • Geza says :

      Hi Neil, thanks a lot for your hint concerning the permissions of NetworkManager. I’m using OpenSuse 12.3/Tumbleweed. For some reason the suggested changes to the files in “/var/lib/polkit-1/localauthority/10-vendor.d” did not yield the desired outcome. However, I found a suggestion on adding a new policy to PolicyKit described here:
      https://wiki.archlinux.org/index.php/NetworkManager#Enable_NetworkManager
      (section “Set up PolicyKit permissions”) which does the job. Might it have other, unintended consequences?
      Thanks and regards
      Geza

      • Neil Rickert says :

        PolicyKit was redesigned at some stage, and that changed how it works in 12.3. So I didn’t persist with what I was doing in this post. Also NetworkManager is less buggy, and I could now set up connections in KDE without the root password.
