Score:0

Network Permissions Missing on SSH but not on GUI/Console


When I am on the GUI of my VM and I want to change the network connection profile, I can do so as user "vm" via the command below:

```
vm@ubuntu1804:~$ nmcli con up DYNAMIC
```

But when I SSH to this box as user VM and try to run that same command as the same user, it says:

```
vm@ubuntu1804:~$ nmcli con up DYNAMIC
Error: Connection activation failed: Not authorized to control networking.
```

I assumed this was a permissions issue, and verified it via the command below:

```
# permissions when on the GUI
vm@ubuntu1804:~$ nmcli general permissions 
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.enable-disable-network             yes   
org.freedesktop.NetworkManager.enable-disable-wifi                yes   
org.freedesktop.NetworkManager.enable-disable-wwan                yes   
org.freedesktop.NetworkManager.enable-disable-wimax               yes   
org.freedesktop.NetworkManager.sleep-wake                         no    
org.freedesktop.NetworkManager.network-control                    yes   
org.freedesktop.NetworkManager.wifi.share.protected               yes   
org.freedesktop.NetworkManager.wifi.share.open                    yes   
org.freedesktop.NetworkManager.settings.modify.system             yes   
org.freedesktop.NetworkManager.settings.modify.own                yes   
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-statistics          yes   
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes   

# permissions when SSH'ing
vm@ubuntu1804:~$ nmcli general permissions 
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.enable-disable-network             no    
org.freedesktop.NetworkManager.enable-disable-wifi                no    
org.freedesktop.NetworkManager.enable-disable-wwan                no    
org.freedesktop.NetworkManager.enable-disable-wimax               no    
org.freedesktop.NetworkManager.sleep-wake                         no    
org.freedesktop.NetworkManager.network-control                    auth  
org.freedesktop.NetworkManager.wifi.share.protected               no    
org.freedesktop.NetworkManager.wifi.share.open                    no    
org.freedesktop.NetworkManager.settings.modify.system             no    
org.freedesktop.NetworkManager.settings.modify.own                auth  
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-statistics          no    
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no   
```

The question is, how do I change it? I tried via the answer in this post, "Not authorized to control networking", but this does not work.

Please note, I am NOT looking for someone to answer my question with "just use sudo".

guiverc:
[Ubuntu 18.04 LTS has reached the end of its *standard* support life](https://fridge.ubuntu.com/2023/05/13/extended-security-maintenance-for-ubuntu-18-04-bionic-beaver-begins-31-may-2023/) thus is now off-topic here unless your question is specific to helping you move to a supported release of Ubuntu. Ubuntu 18.04 ESM support is available, but not on-topic here, see https://askubuntu.com/help/on-topic. See also https://ubuntu.com//blog/18-04-end-of-standard-support

john smith:
It's the same topic on the newer versions; makes no difference.
Score:0

OK, I figured it out, but I'll share. Before I do, I want to add a "caution", because what I'm doing probably isn't a good idea for security reasons (I see this because I have done a bunch of ethical hacking against VMs, and can see the logic behind the setup). The logic behind this default setup, where you can't change the network settings without sudo, is that it prevents someone who managed to gain access to your system, say as user "www-data" if they exploited your web front end and then escalated to the user "vm", from remotely controlling your networking. With my change they would by default be able to remotely control your networking, since I'm changing the system-level permissions for the NetworkManager application to grant remote (ssh) access to fully control the networking on the box. It's going to be best if you just use sudo and elevate to change network settings remotely.

In any case, it seems that the permissions are bound to the system rather than specifically to Network Manager. So the "polkit - Authorization Framework" is the system-level tool that grants access to privileged applications FROM an unprivileged "by default" app such as Network Manager. As such, I need to create a .pkla file to adjust that authorization (I found this from the Ubuntu man pages, specifically: https://manpages.ubuntu.com/manpages/trusty/man8/pklocalauthority.8.html ). So, as I've stated below, anyone in the sudo group can just change the network settings (i.e. without elevating to sudo, you just need to be part of the sudo group). As such, I verified the permissions changed at the end, and executed my nmcli command to change the profile, and it worked.

```
root@ubuntu1804:/home/vm# cat /etc/polkit-1/localauthority/50-local.d/test.pkla 

[ssh to modify]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[ssh to enable and disable network]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.enable-disable-network
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[ssh to control the networking]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes
root@ubuntu1804:/home/vm# systemctl restart polkit
root@ubuntu1804:/home/vm# exit
exit
```

As you can see, the 3 "actions" we defined earlier are now set to "yes".

```
vm@ubuntu1804:~$ nmcli general permissions 
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.enable-disable-network             yes   
org.freedesktop.NetworkManager.enable-disable-wifi                no    
org.freedesktop.NetworkManager.enable-disable-wwan                no    
org.freedesktop.NetworkManager.enable-disable-wimax               no    
org.freedesktop.NetworkManager.sleep-wake                         no    
org.freedesktop.NetworkManager.network-control                    yes   
org.freedesktop.NetworkManager.wifi.share.protected               no    
org.freedesktop.NetworkManager.wifi.share.open                    no    
org.freedesktop.NetworkManager.settings.modify.system             yes   
org.freedesktop.NetworkManager.settings.modify.own                auth  
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-statistics          no    
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no    
vm@ubuntu1804:~$ nmcli con up DYNAMIC
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/12)
```

After this was in place, I am now able to execute the following command as the vm user via ssh:

```
vm@ubuntu1804:~$ nmcli con up DYNAMIC
```
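
Added example, not part of the original answer: polkit applies `ResultAny` to clients outside a local console session, which is where SSH logins fall, so a `.pkla` entry with `ResultAny=yes` is a password-less grant to remote sessions. The sketch below audits `.pkla` text for such grants; `audit_pkla`, `SAMPLE_PKLA` and the third sample entry are hypothetical names and data constructed for illustration.

```python
import configparser

# Constructed sample: two entries from the answer's test.pkla plus one
# hypothetical entry that asks for an admin password instead of "yes".
SAMPLE_PKLA = """\
[ssh to modify]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[ssh to control the networking]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[hypothetical: ask for admin password over ssh]
Identity=unix-user:vm
Action=org.freedesktop.NetworkManager.reload
ResultAny=auth_admin
ResultActive=yes
"""

def audit_pkla(text):
    """Return (section, identity, action, key) for every password-less
    grant that reaches sessions other than the active local console."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ResultAny, not resultany
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        entry = cp[section]
        # Identity and Action are semicolon-separated lists in .pkla files.
        identities = [i for i in entry.get("Identity", "").split(";") if i]
        actions = [a for a in entry.get("Action", "").split(";") if a]
        for key in ("ResultAny", "ResultInactive"):
            if entry.get(key, "").strip() == "yes":
                findings.extend((section, ident, act, key)
                                for ident in identities for act in actions)
    return findings

if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE_PKLA):
        print("%-32s %-16s %s (%s)" % finding)
```

To review a real host, pass the contents of each file under `/etc/polkit-1/localauthority/` to `audit_pkla`.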