NetworkManager: "Insufficient privileges" from remote login

Hi!

I am trying to add a VPN configuration to NetworkManager on a basically headless host. (It does have a GUI which I can access if I really need to, but that’s beyond the point.)

The proper way to do this is:
nmcli connection import type openvpn file myvpnconfig.ovpn
(without sudo!).

Yet when logged in via ssh, I get:
Error: Failed to add 'myvpnconfig' connection: Insufficient privileges
journalctl -ex reports nothing more (even in nmcli log DEBUG mode), except for naming the action:
NetworkManager[791]: <info> [1591696744.4759] audit: op="connection-add" pid=7709 uid=1000 result="fail" reason="Insufficient privileges"

I know from experience that this command worked from a terminal in the main display (i.e. not remotely) on F27.

After some digging, I found out that NetworkManager can report permissions (not “privileges”):

[user@host ~]$ nmcli general permissions
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.enable-disable-network             no
org.freedesktop.NetworkManager.enable-disable-wifi                no
org.freedesktop.NetworkManager.enable-disable-wwan                no
org.freedesktop.NetworkManager.enable-disable-wimax               no
org.freedesktop.NetworkManager.sleep-wake                         no
org.freedesktop.NetworkManager.network-control                    auth
org.freedesktop.NetworkManager.wifi.share.protected               no
org.freedesktop.NetworkManager.wifi.share.open                    no
org.freedesktop.NetworkManager.settings.modify.system             auth
org.freedesktop.NetworkManager.settings.modify.own                auth
org.freedesktop.NetworkManager.settings.modify.hostname           auth
org.freedesktop.NetworkManager.settings.modify.global-dns         auth
org.freedesktop.NetworkManager.reload                             auth
org.freedesktop.NetworkManager.checkpoint-rollback                auth
org.freedesktop.NetworkManager.enable-disable-statistics          no
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no
org.freedesktop.NetworkManager.wifi.scan                          unknown

I also know from the above-named experience that these values differ if logged in on the display and remotely. I assume this difference is controlled in some way either by PolicyKit or PAM, but I find no documentation on this.

This brings on two questions:

  1. org.freedesktop.NetworkManager.settings.modify.system = auth should mean I should be prompted for authorization, and not refused, right? Or does “enable-disable-network” apply? And why does NM not say which applies?
  2. Assuming I need to change something to have the same permissions as on a display: What do I need to change? (I’m a trusted user - I trust myself - and I do not care to resort to sudo for something which should work without it. And please assume I cannot access the GUI without going to big pains, e.g. driving to the host’s site.)

I noted that /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy defines these permissions, with yet other semantics:

  <action id="org.freedesktop.NetworkManager.settings.modify.system">
   [...]
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

(This can also be queried with
pkaction --verbose --action-id nameofaction
)

The "allow_*" and "auth_*" directives are quite well documented for polkit, but, again, which one applies, and why am I denied outright when adding a connection?

BTW, it took me some hours of googling to get to all this knowledge so far, meaning to say it’s all not that well documented (and error/log messages are insufficient). And I’m a 25+ year home-Linux system admin. :stuck_out_tongue:

Thanks for any help,
Moritz

(Edited for formatting of included XML.)
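Added example (not from the thread, and not NetworkManager's or polkit's own code): polkit consults one of the three <defaults> entries depending on the caller's logind session, and nmcli folds polkit's answer into the yes/no/auth words in the PERMISSION table above. The script below reproduces that mapping for the settings.modify.system action; the pkaction output it reads is a constructed sample that mirrors the <defaults> quoted in the question. Where the result is auth, polkit needs an authentication agent registered in the caller's session to run the challenge; a plain ssh shell has none, so the request is refused instead of prompting (polkit ships `pkttyagent --process $$` to register a text-mode agent for the current shell).

```shell
#!/bin/sh
# Added example, not from the thread: predict what `nmcli general permissions`
# prints for one action, given the action's polkit <defaults> and the kind of
# logind session the caller is in. SAMPLE_PKACTION is CONSTRUCTED to mirror
# the <defaults> quoted in the question; on a real host the same text comes from
#   pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system

SAMPLE_PKACTION='org.freedesktop.NetworkManager.settings.modify.system:
  description:       (constructed sample)
  vendor:            NetworkManager
  implicit any:      auth_admin_keep
  implicit inactive: yes
  implicit active:   yes'

# polkit picks one <defaults> entry from where the caller sits:
#   active   - a session on a local seat that is currently active  -> allow_active
#   inactive - a session on a local seat that is not active        -> allow_inactive
#   remote   - a session with no seat at all (ssh, cron, ...)      -> allow_any
implicit_for_session() {
    case $1 in
        active)   key='implicit active' ;;
        inactive) key='implicit inactive' ;;
        remote)   key='implicit any' ;;
        *) echo "unknown session kind: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$SAMPLE_PKACTION" | sed -n "s/^ *$key: *//p"
}

# nmcli reduces polkit's implicit authorization to three words: yes, no, or
# auth (polkit would hand the request to an authentication agent for a challenge).
nmcli_value() {
    case $1 in
        yes) echo yes ;;
        no)  echo no ;;
        auth_self|auth_self_keep|auth_admin|auth_admin_keep) echo auth ;;
        *)   echo unknown ;;
    esac
}

# predict KIND: the VALUE column nmcli would show for this action in that session.
predict() {
    nmcli_value "$(implicit_for_session "$1")"
}

# Demo: the console/display session gets "yes", the ssh session gets "auth".
for kind in active inactive remote; do
    printf '%-8s -> %s\n' "$kind" "$(predict "$kind")"
done
```

The "remote" row is the ssh case from the question: allow_any is auth_admin_keep, so nmcli shows auth, and with no agent to answer the challenge the add is refused.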


Maybe this link is helpful.

I played a little with the info and created a file

/var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla

with this

[Prevent foo from modifying all network states and settings]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Changing ResultAny from no to yes, I got all values to yes when doing a remote nmcli general permissions.
Setting it to auth did not give me a password prompt.
I would not do this on a production system.
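Added example (not from the thread): the .pkla above uses Action=org.freedesktop.NetworkManager.* and so grants every NetworkManager action to the user from any session. The functions below write the same kind of grant scoped to one user and to the two actions the page names for adding and activating a connection (settings.modify.system and network-control), and a small check that flags wildcard or multi-identity rules before they are installed. The user name and target directory are parameters I chose; the default directory is the one the reply used. For polkit builds that use the JavaScript rules backend (polkit 0.106 and later), which ignore .pkla files, write_nm_rules emits the equivalent rule for /etc/polkit-1/rules.d.

```shell
#!/bin/sh
# Added example, not from the thread: a polkit grant for NetworkManager that is
# scoped to one user and two actions instead of Action=org.freedesktop.NetworkManager.*.
# USER and DIR are parameters of this example; the default DIR is the path the
# reply above used. Run as root to install, e.g.:  write_nm_pkla moritz

NM_ACTIONS='org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.network-control'

# write_nm_pkla USER [DIR]: let USER perform NM_ACTIONS from any session
# (remote ssh included) without a polkit challenge. Prints the file written.
write_nm_pkla() {
    user=$1
    dir=${2:-/var/lib/polkit-1/localauthority/50-local.d}
    mkdir -p "$dir"
    cat > "$dir/10-network-manager.pkla" <<EOF
[Let $user add and activate network connections from any session]
Identity=unix-user:$user
Action=$NM_ACTIONS
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF
    echo "$dir/10-network-manager.pkla"
}

# write_nm_rules USER [DIR]: the same grant for the JavaScript rules backend
# (polkit >= 0.106), which does not read .pkla files. Prints the file written.
write_nm_rules() {
    user=$1
    dir=${2:-/etc/polkit-1/rules.d}
    mkdir -p "$dir"
    cat > "$dir/10-network-manager.rules" <<EOF
// Grant $user the two NetworkManager actions from any session.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.NetworkManager.settings.modify.system" ||
         action.id == "org.freedesktop.NetworkManager.network-control") &&
        subject.user == "$user") {
        return polkit.Result.YES;
    }
});
EOF
    echo "$dir/10-network-manager.rules"
}

# check_pkla_scope FILE: return 1 if the rule uses a wildcard Action or grants
# to anything other than a single unix-user, so over-broad grants are caught
# before the file is installed.
check_pkla_scope() {
    file=$1
    if grep -q '^Action=.*\*' "$file"; then
        echo "$file: wildcard Action" >&2; return 1
    fi
    if ! grep -q '^Identity=unix-user:[^;]*$' "$file"; then
        echo "$file: Identity is not a single unix-user" >&2; return 1
    fi
    return 0
}
```

After installing either file, `nmcli general permissions` over ssh should show yes for exactly the two actions listed and leave the rest at their defaults; check_pkla_scope run against the reply's file above fails on its wildcard Action.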