Ubuntu
policykit package

Policykit local authority being ignored with Network Manager

Bug #1033305 reported by jhansonxi
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
policykit (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Ubuntu 12.04 (Precise Pangolin) 32-bit
While working on a workaround for bug #964705, I encountered an unexpected behavior with policykit and localauthority with respect to Network Manager. It seems that setting an override with the local authority doesn't function but if I change the source policy then it does. Note that I'm using xmlstarlet here to query and edit xml files (apt-get install xmlstarlet).

The default policy is:

xmlstarlet sel -t -v "/policyconfig/action[@id='org.freedesktop.NetworkManager.settings.modify.system']/defaults/allow_active" /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
auth_admin_keep

Which sets the action policy as:

pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.settings.modify.system:
  description: Modify network connections for all users
  message: System policy prevents modification of network settings for all users
  vendor: NetworkManager
  vendor_url: http://www.gnome.org/projects/NetworkManager
  icon: nm-icon
  implicit any: no
  implicit inactive: no
  implicit active: auth_admin_keep

Yet it doesn't change with this local policy active (even after reboot):

cat /etc/polkit-1/localauthority.conf.d/10-network-manager.pkla
[Allow users to modify network settings]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes

Looks like polkitd is active and nothing obviously wrong in the logs:

ps -Af | grep -i polkitd
root 1322 1 0 00:20 ? 00:00:00 /usr/lib/policykit-1/polkitd --no-debug

grep -i polkit /var/log/syslog
... started daemon version 0.104 using authority implementation `local' version `0.104'

grep -i polkit /var/log/auth.log

... polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.53 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
... polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.53, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
... polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session6 (system bus name :1.101 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

If I change the default policy file then it works as expected although it's not good practice:

dpkg-divert --rename --divert /usr/share/doc/network-manager/org.freedesktop.NetworkManager.policy.original /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

xmlstarlet ed -u "/policyconfig/action[@id='org.freedesktop.NetworkManager.settings.modify.system']/defaults/allow_active" -v "yes" /usr/share/doc/network-manager/org.freedesktop.NetworkManager.policy.original >/usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

xmlstarlet sel -t -v "/policyconfig/action[@id='org.freedesktop.NetworkManager.settings.modify.system']/defaults/allow_active" /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
yes

pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.settings.modify.system:
  description: Modify network connections for all users
  message: System policy prevents modification of network settings for all users
  vendor: NetworkManager
  vendor_url: http://www.gnome.org/projects/NetworkManager
  icon: nm-icon
  implicit any: no
  implicit inactive: no
  implicit active: yes

What is going on here?

Revision history for this message
Johannes Bauer (jb-imm) wrote :

Have the exact same problem as you do. Don't count on the Ubuntu people to fix anything. Rather, expect them to try to assrape you (#1048393) or to delare your problem minor and wait for a year until it's fixed (#876626 ). They're probably working on important stuff regarding completely restructuring their GUI as we speak!

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

/etc/polkit-1/localauthority/50-local.d would be the correct location for your file, not /etc/polkit-1/localauthority.conf.d.

Please try again in the /etc/polkit-1/localauthority/50-local.d directory.

Changed in policykit (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Johannes Bauer (jb-imm) wrote :

I have used the correct directory. And even see, when I manually start polkitd, that the pkla files are read in (call to inotify(2) returns as soon as a file in /etc/polkit-1/localauthority/50-local.d is modified and some more calls are made when it's a *.pkla file, i.e. reading and parsing the file). But it doesn't affect the system behavior. pkaction still shows the same output (system wide setting), no matter what's in the pkla file. And starting polkitd in foreground is also kind of pointless, as it outputs almost ZERO debugging information (and I've not found a way to enable that).

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

There is also an override for that network manager setting in /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla that you need to take in account.

Revision history for this message
jhansonxi (jhansonxi) wrote :

This file: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
doesn't exist in Ubunt 12.04

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

It should be installed by default in Ubuntu 12.04 by the policykit-desktop-privileges package.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for policykit (Ubuntu) because there has been no activity for 60 days.]

Changed in policykit (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Collegedude (college-dude) wrote :

Still not working in 14.10 ...

Changed in policykit (Ubuntu):
status: Expired → Confirmed
Revision history for this message
PorkCharSui (porkcharsui) wrote :

Have same problem too... /etc/polkit-1/localauthority/50-local.d/* does not override global defaults.

Revision history for this message
unrud (unrud) wrote :

pkaction does only show the implicit defaults. Overrides from pkla files are not shown. You can use pkcheck for this.

Revision history for this message
Jane Peters (ulpeters) wrote :

2024 with Jammy, still the same problem.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.