Bug 648836 - no access to sleep/wake D-Bus interface if root session active
Status: RESOLVED OBSOLETE
Product: NetworkManager
Classification: Platform
Component: general
Version: 0.8.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Dan Williams
Reported: 2011-04-28 05:27 UTC by Martin Steigerwald
Modified: 2013-05-06 14:15 UTC
Description Martin Steigerwald 2011-04-28 05:27:51 UTC
As reported and found in http://bugs.debian.org/608301, beginning from http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=NM_0_8&id=878f6c4074acfdee42c320680f5529e01b909ba2, Network Manager's D-Bus configuration restricts calls to the sleep/wake D-Bus interface if a root session is active:

shambhala:~>         dbus-send --print-reply --system                         \
                --dest=org.freedesktop.NetworkManager  \
                /org/freedesktop/NetworkManager        \
                org.freedesktop.NetworkManager.sleep
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 9 matched rules; type="method_call", sender=":1.83" (uid=0 pid=25027 comm="dbus-send --print-reply --system --dest=org.freede") interface="org.freedesktop.NetworkManager" member="sleep" error name="(unset)" requested_reply=0 destination="org.freedesktop.NetworkManager" (uid=0 pid=24698 comm="/usr/sbin/NetworkManager "))

This breaks my simple custom made hibernation script, which uses the call prior to calling hibernate which I prefer over pm-utils for its perceived robustness:

shambhala:/etc/acpi> cat hibernate-extra.sh 
#!/bin/sh

[...]

# Put Network Manager to sleep
# see /usr/lib/pm-utils/sleep.d/55NetworkManager
dbus-send --print-reply --system                        \
        --dest=org.freedesktop.NetworkManager \
        /org/freedesktop/NetworkManager       \
        org.freedesktop.NetworkManager.sleep

# Stop ifplugd
#/etc/init.d/ifplugd stop
#ifdown eth0

# Save the system time to the hardware clock
/etc/init.d/hwclock.sh stop

# Stop uptimed so that it writes its records
/etc/init.d/uptimed stop

# To be safe, write out all pending changes once more here
sync

# Good night
# /etc/acpi/hibernate.sh
#echo 1 > /sys/power/tuxonice/do_hibernate
#pm-suspend-hybrid
#pm-hibernate
hibernate-disk

# Start uptimed again. In doing so it writes the records again
/etc/init.d/uptimed start

# Write the records right away
sync

# Set the hard disk parameters again
/etc/init.d/hdparm start

# Set the system time from the hardware clock again
/etc/init.d/hwclock.sh start

# Wake up Network Manager
dbus-send --print-reply --system                        \
        --dest=org.freedesktop.NetworkManager \
        /org/freedesktop/NetworkManager       \
        org.freedesktop.NetworkManager.wake

# Start ifplugd
#/etc/init.d/ifplugd start

Michael Biebl asked Dan for a hint on how to solve this issue in

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608301#25

but did not seem to get a reply so far.

Expected results:

- If I make D-Bus calls to Network Manager as root, whether I have a complete session or not, Network Manager will execute them

Current workaround:

shambhala:/etc/dbus-1/system.d> bzr diff -r805..806 NetworkManager.conf
=== modified file 'dbus-1/system.d/NetworkManager.conf'
--- dbus-1/system.d/NetworkManager.conf 2011-04-28 05:05:12 +0000
+++ dbus-1/system.d/NetworkManager.conf 2011-04-28 05:10:14 +0000
@@ -60,7 +60,6 @@
                 <deny send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager"
                        send_member="SetLogging"/>
-
                 <deny send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager"
                        send_member="Sleep"/>
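Review bot: the only change in this hunk is the removed blank line between the SetLogging and Sleep deny rules around line 60, which is unrelated to the workaround. Drop the whitespace change so that the local diff against the packaged NetworkManager.conf contains only the rules that are actually being disabled.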
@@ -121,8 +120,10 @@
                 <deny send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager"
                        send_member="SetLogging"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
+<!-- See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608301 and
+         http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=NM_0_8&id=878f6c4074acfdee42c320680f5529e01b909ba2
+     28.4.2011, martin -->
+<!--                <deny send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager"
                        send_member="Sleep"/>
 
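Review bot: the comment opened in front of the Sleep deny here is not closed until after send_member="wake"/> in the next hunk, so every rule in the unshown lines between the two hunks is disabled too, and the header comment does not say which members those are. The rejected call in the report is member="sleep" (lower case) while this hunk only shows "Sleep", so the rule that matters for the report sits in that unshown gap; list the disabled members in the header comment. Note also that the deny is lifted for every sender the enclosing <policy> block applies to, not only for uid 0.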
@@ -132,7 +133,7 @@
 
                 <deny send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager"
-                       send_member="wake"/>
+                       send_member="wake"/> -->
         </policy>
         <policy context="default">
                 <deny own="org.freedesktop.NetworkManager"/>
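Review bot: the closing --> is appended to the end of the send_member="wake"/> line, where it is easy to overlook when this file is merged with a later packaged version. Put the terminator on a line of its own, indented like the opening <!--, so the extent of the disabled block is obvious.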

(That is, deactivate the three deny rules in context "<policy at_console="true">")
Comment 1 Dan Williams 2011-04-28 15:35:16 UTC
Yeah, I guess we need to figure out what to do here now that distros are shipping with root=at_console.  We need to restrict this call to root, but we don't really care if the user is at_console or not.
Comment 2 Colin Walters 2011-04-28 22:30:40 UTC
So one thing that's important here is this (from the dbus-daemon man page):


       Policies are applied to a connection as follows:
          - all context="default" policies are applied
          - all group="connection's user's group" policies are applied
            in undefined order
          - all user="connection's auth user" policies are applied
            in undefined order
          - all at_console="true" policies are applied
          - all at_console="false" policies are applied
          - all context="mandatory" policies are applied

<policy at_console=true> is going to come after <policy user=root>.  

The only solutions I can think of are:

1) Don't use <deny> in the policy - explicitly list all allowed methods.  Yes, this sounds painful.
2) Move sleep/wake to a separate interface (I guess this would require a pm-utils change)
3a) Fix pm-utils to do a synchronous call, so you could get the credentials from it
3b) Change dbus to pass the credentials in a header, and use that in NM
Comment 3 Colin Walters 2011-04-28 22:31:53 UTC
4) Add the concept to dbus of <policy at_console_but_not_root>

(I'm not sure if we could actually change dbus to exclude root for console checks...it could break login-as-root scenarios)
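The application order quoted in comment 2, as an added example (not code from dbus-daemon, NetworkManager or anyone in this thread): a small Python model of send-rule evaluation showing why a deny under at_console="true" overrides an allow under user="root", and how option 1 avoids that. Assumptions: both policy snippets are constructed, only send_destination/send_interface/send_member are modelled, policies in the same stage are applied in file order, and a call that matches no rule is treated as denied.

```python
import xml.etree.ElementTree as ET

NM = "org.freedesktop.NetworkManager"
# Constructed policies in the shape of the file discussed here, not the shipped NetworkManager.conf.
DENY_STYLE = f"""<busconfig>
  <policy user="root"><allow send_destination="{NM}"/></policy>
  <policy at_console="true">
    <allow send_destination="{NM}"/>
    <deny send_destination="{NM}" send_interface="{NM}" send_member="sleep"/>
  </policy>
</busconfig>"""
# Option 1 from comment 2: no <deny>, console users get an explicit allow list.
ALLOW_LIST_STYLE = f"""<busconfig>
  <policy user="root"><allow send_destination="{NM}"/></policy>
  <policy at_console="true">
    <allow send_destination="{NM}" send_interface="{NM}" send_member="GetDevices"/>
  </policy>
</busconfig>"""
FIELDS = {"send_destination": "destination", "send_interface": "interface",
          "send_member": "member"}

def stage(attrs, conn):
    """Position of a <policy> in the man page's application order, None if not applicable."""
    if attrs.get("context") == "default":
        return 0
    if "group" in attrs:
        return 1 if attrs["group"] in conn["groups"] else None
    if "user" in attrs:
        return 2 if attrs["user"] == conn["user"] else None
    if "at_console" in attrs:
        wanted = attrs["at_console"] == "true"
        return (3 if wanted else 4) if wanted == conn["at_console"] else None
    return 5 if attrs.get("context") == "mandatory" else None

def can_send(policy_xml, conn, member):
    """Return (allowed, deciding policy attributes); the last matching send rule wins."""
    msg = {"destination": NM, "interface": NM, "member": member}
    policies = [(stage(p.attrib, conn), i, p)
                for i, p in enumerate(ET.fromstring(policy_xml).iter("policy"))]
    verdict = (False, "no matching rule")  # assumption: denied when nothing matches
    for _, _, policy in sorted((t for t in policies if t[0] is not None),
                               key=lambda t: t[:2]):
        for rule in policy:
            sel = {k: v for k, v in rule.attrib.items() if k in FIELDS}
            if rule.tag in ("allow", "deny") and sel and \
                    all(msg[FIELDS[k]] == v for k, v in sel.items()):
                verdict = (rule.tag == "allow", dict(policy.attrib))
    return verdict

root_console = {"user": "root", "groups": ["root"], "at_console": True}
print(can_send(DENY_STYLE, root_console, "sleep"))        # denied by the at_console policy
print(can_send(ALLOW_LIST_STYLE, root_console, "sleep"))  # allowed by the user="root" policy
```

With the allow-list layout a non-root console user still cannot call sleep, because no rule in any applicable policy matches it.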
Comment 4 Pavel Simerda 2012-07-26 16:16:16 UTC
Still applicable?
Comment 5 Martin Steigerwald 2012-07-26 18:14:40 UTC
I get

merkaba:~> dbus-send --print-reply --system                         \
>                 --dest=org.freedesktop.NetworkManager  \
>                 /org/freedesktop/NetworkManager        \
>                 org.freedesktop.NetworkManager.sleep
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 7 matched rules; type="method_call", sender=":1.466" (uid=0 pid=18835 comm="dbus-send --print-reply --system --dest=org.freede") interface="org.freedesktop.NetworkManager" member="sleep" error name="(unset)" requested_reply="0" destination="org.freedesktop.NetworkManager" (uid=0 pid=1379 comm="/usr/sbin/NetworkManager ")

on:


merkaba:~> cat /proc/version
Linux version 3.5.0-tp520 (martin@merkaba) (gcc version 4.7.1 (Debian 4.7.1-5) ) #5 SMP PREEMPT Sun Jul 22 13:09:18 CEST 2012
merkaba:~> apt-show-versions | egrep "(network-manager|dbus)"
dbus/sid uptodate 1.6.2-2
dbus-x11/sid uptodate 1.6.2-2
libdbus-1-3/sid uptodate 1.6.2-2
libdbus-1-dev/sid uptodate 1.6.2-2
libdbus-glib-1-2/sid uptodate 0.100-1
libdbusmenu-glib4/sid uptodate 0.6.2-1
libdbusmenu-qt2/sid uptodate 0.9.0-1
libnet-dbus-perl/sid uptodate 1.0.0-1+b1
libqt4-dbus/sid uptodate 4:4.8.2-1
libsmokeqtdbus4-3/sid uptodate 4:4.8.4-1
network-manager/sid uptodate 0.9.4.0-5
network-manager-gnome/sid uptodate 0.9.4.1-1+b1
network-manager-openvpn/sid uptodate 0.9.4.0-1
network-manager-pptp/sid uptodate 0.9.4.0-2
network-manager-vpnc/sid uptodate 0.9.4.0-1
python-dbus/sid uptodate 1.1.1-1
python-dbus-dev/sid uptodate 1.1.1-1
python-qt4-dbus/sid uptodate 4.9.3-4
qdbus/sid uptodate 4:4.8.2-1


Anyway, I do not use a custom made init script anymore.

The reject message is a bit different, maybe the call semantic changed?
Comment 6 Brian J. Murrell 2013-02-09 19:55:09 UTC
On current Ubuntu LTS (12.04) I still get:

# dbus-send --print-reply --system --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager.sleep
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 9 matched rules; type="method_call", sender=":1.25" (uid=0 pid=2326 comm="dbus-send --print-reply --system --dest=org.freede") interface="org.freedesktop.NetworkManager" member="sleep" error name="(unset)" requested_reply=0 destination="org.freedesktop.NetworkManager" (uid=0 pid=1114 comm="NetworkManager "))

when I ssh in as root (no su, etc.).

Ultimately, I want this sleep to be callable by a root process started from init (it watches for idleness and does pm-suspend when it detects it).

I'm currently using dbus 1.4.6 and pm-utils 1.4.1.

Can we have the status changed back to an open bug given this update?
Comment 7 Pavel Simerda 2013-02-09 21:18:07 UTC
Just curious whether we plan to keep the sleep/wake interface at all or not. Reopening.
Comment 8 Pavel Simerda 2013-05-06 14:15:25 UTC
(In reply to comment #7)
> Just curious whether we plan to keep the sleep/wake interface at all or not.
> Reopening.

AFAIK we don't, but it doesn't seem to be so important now.