Bug 1362542 - warn nicely about insufficient permissions when changing logging level
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Beniamino Galvani
QA Contact: Desktop QE
Reported: 2016-08-02 13:14 UTC by Vladimir Benes
Modified: 2016-11-03 19:27 UTC (History)
Last Closed: 2016-11-03 19:27:45 UTC


Attachments
[PATCH 1/2] core: add nm_bus_manager_ensure_root() helper (6.13 KB, patch)
2016-08-04 09:00 UTC, Beniamino Galvani
[PATCH 2/2] core: drop some rules from dbus policy file (5.87 KB, patch)
2016-08-04 09:01 UTC, Beniamino Galvani
[PATCH 2/2] core: drop some rules from dbus policy file (4.80 KB, patch)
2016-08-08 08:40 UTC, Beniamino Galvani
[PATCH v2 1/2] core: drop root requirement for load_connection(s)/set_logging D-Bus calls (2.77 KB, patch)
2016-08-19 10:11 UTC, Beniamino Galvani
[PATCH v2 2/2] cli: return sane error message for D-Bus policy permission errors (3.77 KB, application/mbox)
2016-08-19 10:12 UTC, Beniamino Galvani


Links
System: Red Hat Product Errata
ID: RHSA-2016:2581
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: NetworkManager security, bug fix, and enhancement update
Last Updated: 2016-11-03 12:08:07 UTC

Description Vladimir Benes 2016-08-02 13:14:53 UTC
Description of problem:
vbenes@trautenberg:~$ nmcli general logging level TRACE domains all
Error: failed to set logging: Rejected send message, 4 matched rules; type="method_call", sender=":1.205" (uid=1000 pid=23534 comm="nmcli general logging level TRACE domains all ") interface="org.freedesktop.NetworkManager" member="SetLogging" error name="(unset)" requested_reply="0" destination=":1.118" (uid=0 pid=19337 comm="/usr/sbin/NetworkManager --no-daemon ")


Version-Release number of selected component (if applicable):
NetworkManager-1.4.0-0.3.git20160727.9446481f.el7.x86_64

Comment 1 Beniamino Galvani 2016-08-04 09:00:41 UTC
Created attachment 1187415
[PATCH 1/2] core: add nm_bus_manager_ensure_root() helper

Comment 2 Beniamino Galvani 2016-08-04 09:01:30 UTC
Created attachment 1187416
[PATCH 2/2] core: drop some rules from dbus policy file

Comment 3 Dan Williams 2016-08-05 22:01:56 UTC
For the second patch, the reason Sleep() didn't have these checks originally is for pm-tools.  These were scripts that used to trigger sleep/wake before systemd and upower, and I think we still technically support them.

They used to call dbus-send without --wait-reply, which means the dbus-send process didn't exist at the time NM asks dbus-daemon for the name-owner to ensure root, which caused the sleep calls to fail.

So we either decide to no longer support pm-utils and manual sleep/wake calls without --wait-reply, or we keep the root-only rule in the dbus permissions file.

Otherwise LGTM.

Comment 4 Beniamino Galvani 2016-08-08 08:40:37 UTC
Created attachment 1188568
[PATCH 2/2] core: drop some rules from dbus policy file

(In reply to Dan Williams from comment #3)
> So we either decide to no longer support pm-utils and manual sleep/wake
> calls without --wait-reply, or we keep the root-only rule in the dbus
> permissions file.

I've updated the second patch to leave the existing checks for the Sleep() call, so that we don't break pm-utils.

Comment 5 Beniamino Galvani 2016-08-19 10:11:18 UTC
Created attachment 1192098
[PATCH v2 1/2] core: drop root requirement for load_connection(s)/set_logging D-Bus calls

Comment 6 Beniamino Galvani 2016-08-19 10:12:19 UTC
Created attachment 1192099
[PATCH v2 2/2] cli: return sane error message for D-Bus policy permission errors

After discussion with Thomas, I have removed the checks in the daemon
and restored them in the d-bus configuration; nmcli now translates the
D-Bus denial error into something more user-friendly.
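
Added example, not part of the bug report and not the NetworkManager patch: a Python parser for the dbus-daemon denial text quoted in the description, producing a short message for the user and structured fields for log triage. The function names and the wording of the short message are assumptions made for this illustration.

```python
import re

# dbus-daemon denial text, copied from the bug description above.
SAMPLE = (
    'Rejected send message, 4 matched rules; type="method_call", sender=":1.205" '
    '(uid=1000 pid=23534 comm="nmcli general logging level TRACE domains all ") '
    'interface="org.freedesktop.NetworkManager" member="SetLogging" '
    'error name="(unset)" requested_reply="0" destination=":1.118" '
    '(uid=0 pid=19337 comm="/usr/sbin/NetworkManager --no-daemon ")'
)

# The head is matched up to the sender pid only: everything before comm= is
# written by dbus-daemon, while comm= is the caller's own command line.
HEAD = re.compile(r'Rejected send message, (\d+) matched rules; type="([^"]*)", '
                  r'sender="([^"]*)" \(uid=(\d+) pid=(\d+) ')
DEST = re.compile(r'destination="([^"]*)"(?: \(uid=(\d+) pid=(\d+) )?')


def _last(key, text):
    """Last key="value" in text, so text inside the sender's comm cannot shadow it."""
    hits = re.findall(r'\b' + re.escape(key) + r'="([^"]*)"', text)
    return hits[-1] if hits else None


def parse_denial(msg):
    """Return the denial's fields as a dict, or None if msg is not a policy denial."""
    head = HEAD.search(msg)
    if head is None:
        return None
    rules, mtype, sender, uid, pid = head.groups()
    rest = msg[head.end():]
    dest = DEST.findall(rest)
    name, duid, _dpid = dest[-1] if dest else (None, "", "")
    return {
        "matched_rules": int(rules), "type": mtype,
        "sender": sender, "sender_uid": int(uid), "sender_pid": int(pid),
        "interface": _last("interface", rest), "member": _last("member", rest),
        "destination": name, "destination_uid": int(duid) if duid else None,
    }


def friendly(msg):
    """Short message for the user; anything that is not a denial passes through."""
    d = parse_denial(msg)
    if d is None or not (d["interface"] and d["member"]):
        return msg
    return "access denied: uid %d may not call %s.%s" % (
        d["sender_uid"], d["interface"], d["member"])
```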

Comment 7 Thomas Haller 2016-08-19 10:22:03 UTC
lgtm (both from v2)

Comment 11 errata-xmlrpc 2016-11-03 19:27:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2581.html

