I am trying to add a VPN configuration to NetworkManager on a basically headless host. (It does have a GUI which I can access if I really need to, but that’s beyond the point.)
The proper way to do this is:
nmcli connection import type openvpn file myvpnconfig.ovpn
Yet when logged in via ssh, I get:
Error: Failed to add 'myvpnconfig' connection: Insufficient privileges
journalctl -ex reports nothing more (even in nmcli log DEBUG mode), except for naming the action:
NetworkManager: <info> [1591696744.4759] audit: op="connection-add" pid=7709 uid=1000 result="fail" reason="Insufficient privileges"
I know from experience that this command worked from a terminal in the main display (i.e. not remotely) on F27.
After some digging, I found out that NetworkManager can report permissions (not “privileges”):
[user@host ~]$ nmcli general permissions
PERMISSION                                                         VALUE
org.freedesktop.NetworkManager.enable-disable-network              no
org.freedesktop.NetworkManager.enable-disable-wifi                 no
org.freedesktop.NetworkManager.enable-disable-wwan                 no
org.freedesktop.NetworkManager.enable-disable-wimax                no
org.freedesktop.NetworkManager.sleep-wake                          no
org.freedesktop.NetworkManager.network-control                     auth
org.freedesktop.NetworkManager.wifi.share.protected                no
org.freedesktop.NetworkManager.wifi.share.open                     no
org.freedesktop.NetworkManager.settings.modify.system              auth
org.freedesktop.NetworkManager.settings.modify.own                 auth
org.freedesktop.NetworkManager.settings.modify.hostname            auth
org.freedesktop.NetworkManager.settings.modify.global-dns          auth
org.freedesktop.NetworkManager.reload                              auth
org.freedesktop.NetworkManager.checkpoint-rollback                 auth
org.freedesktop.NetworkManager.enable-disable-statistics           no
org.freedesktop.NetworkManager.enable-disable-connectivity-check   no
org.freedesktop.NetworkManager.wifi.scan                           unknown
I also know from the above-named experience that these values differ when logged in on the display and remotely. I assume this difference is controlled in some way either by PolicyKit or PAM, but I find no documentation on this.
This brings on two questions:
- org.freedesktop.NetworkManager.settings.modify.system = auth should mean I should be prompted for authorization, and not refused, right? Or does “enable-disable-network” apply? And why does NM not say which applies?
- Assuming I need to change something to have the same permissions as on a display: What do I need to change? (I’m a trusted user - I trust myself - and I do not care to resort to sudo for something which should work without it. And please assume I cannot access the GUI without going to big pains, e.g. driving to the host’s site.)
I noted that /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy defines these permissions, with yet other semantics:
<action id="org.freedesktop.NetworkManager.settings.modify.system">
  [...]
  <defaults>
    <allow_any>auth_admin_keep</allow_any>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
(This can also be queried with pkaction --verbose --action-id nameofaction.)
The “allow_” and “auth_” directives are quite well documented for polkit, but, again, which one applies, and why am I outright denied adding a connection?
BTW, it took me some hours of googling to get to all this knowledge so far, meaning to say it’s all not that well documented (and error/log messages are insufficient). And I’m a 25+ year home-Linux system admin.
Thanks for any help,
(Edited for formatting of included XML.)
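The "which directive applies" question from the post can be checked mechanically against the policy file. The script below is an added example, not code from the post, from NetworkManager or from polkit: it parses the `<defaults>` block of a polkit `.policy` file, picks the directive polkit consults for a caller's session state, and maps the result onto the `yes`/`no`/`auth` values that `nmcli general permissions` prints. The policy XML embedded here is constructed: the `settings.modify.system` entry copies the values quoted in the post, while the `enable-disable-network` defaults are assumed for illustration (the post shows only nmcli's `no` for that action, not the policy file's entry).

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment modelled on the excerpt quoted in the post.
# On a real host the file is /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
# (path from the post); read that file and pass its text to parse_defaults() instead.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.NetworkManager.settings.modify.system">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.NetworkManager.enable-disable-network">
    <!-- assumed values for illustration, not taken from the post -->
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# The implicit-authorization keywords polkit accepts in a <defaults> block.
IMPLICIT_VALUES = {"no", "yes", "auth_self", "auth_self_keep",
                   "auth_admin", "auth_admin_keep"}


def parse_defaults(xml_text):
    """Return {action_id: {"allow_any": ..., "allow_inactive": ..., "allow_active": ...}}."""
    root = ET.fromstring(xml_text)
    defaults = {}
    for action in root.iter("action"):
        node = action.find("defaults")
        if node is None:
            continue
        values = {}
        for child in node:
            text = (child.text or "").strip()
            if text not in IMPLICIT_VALUES:
                raise ValueError(f"{action.get('id')}: bad <{child.tag}> value {text!r}")
            values[child.tag] = text
        defaults[action.get("id")] = values
    return defaults


def applicable_directive(local, active):
    """Which <defaults> entry polkit consults for a caller.

    local/active are what logind reports for the caller's session: a session
    bound to a seat is local, and the session in the foreground on that seat
    is active. A plain ssh login has no seat, so neither flag is set and
    allow_any is the directive that applies.
    """
    if local and active:
        return "allow_active"
    if local:
        return "allow_inactive"
    return "allow_any"


def nmcli_value(implicit):
    """Map a polkit implicit authorization onto the column nmcli prints."""
    if implicit in ("yes", "no"):
        return implicit
    return "auth"  # any auth_* keyword: polkit would issue an authentication challenge


def evaluate(defaults, action_id, local, active):
    """Return (directive consulted, policy keyword, nmcli-style value) for one caller."""
    directive = applicable_directive(local, active)
    implicit = defaults[action_id].get(directive, "no")  # polkit treats a missing entry as "no"
    return directive, implicit, nmcli_value(implicit)


if __name__ == "__main__":
    defaults = parse_defaults(POLICY_XML)
    for label, local, active in (("ssh login (no seat)", False, False),
                                 ("local seat, inactive", True, False),
                                 ("local seat, active", True, True)):
        for action_id in defaults:
            print(f"{label:22} {action_id:60} {evaluate(defaults, action_id, local, active)}")
```

Run against the quoted defaults, the ssh case yields `allow_any` / `auth_admin_keep` / `auth` for `settings.modify.system` and `allow_active` / `yes` / `yes` for a user at the display, which is the difference between the two sessions the post describes. An `auth` result means polkit would challenge for administrator credentials; that challenge can only be answered if an authentication agent is registered for the caller's session, which is a separate precondition from the directive itself.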