system policy prevents control of network connections

Question

When we log into a KDE seesion using X2Go client, the user is greeted with a dialog asking for a sudo password. I do not want the user to have a sudo password and I would like to prevent the dialog from appearing. The user should not be bothered with this.

The dialog title is: Authentication Required PolicyKit1 KDE Agent

The message is:

**System policy prevents control of network connections**  
An application is attempting to perform an action that requires privileges. Authentication is required to perform this action.  
Password:

Action: Allow control of network connections  
ID: org.freedesktop.NetworkManager.network-control  
Vendor: NetworkManager  
polkit.subject-pid: 20440  
polkit.caller-pid: 708  

- process 708 is /usr/bin/NetworkManager --no-daemon
- process 20440 is kded5 [kdeinit5]

pkaction version 0.116  (that's the policykit version)

The related policy is already defined so that authentication should not be requested / required:

<action id="org.freedesktop.NetworkManager.network-control">
<_description>Allow control of network connections</_description>
<_message>System policy prevents control of network connections</_message>
<defaults>
  <allow_inactive>yes</allow_inactive>
  <allow_active>yes</allow_active>
</defaults>
</action>

Relevant log lines are:

Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: "Password: "
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Request:  "Password: "
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: REQUEST
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Trying again

Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Action description has been found
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Message of action:  "System policy prevents control of network connections"
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Initiating authentication
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: polkit_qt_listener_initiate_authentication callback for  0x55df1e7190a0
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: GSimpleAsyncResult: 
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Listener adapter polkit_qt_listener_initiate_authentication

Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: Authentication agent result: true
Aug 07 21:50:43 desktop polkitd[838]: Registered Authentication Agent for unix-session:19 (system bus name :1.5274 [/usr/lib/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: Listener online
Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: Adding new listener  PolkitQt1::Agent::Listener
Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: New PolkitAgentListener

Aug 07 21:50:42 desktop ksmserver[26587]: org.kde.kf5.ksmserver: Starting autostart service  "/etc/xdg/autostart/polkit-kde-authentication-agent-1.desktop" ("/usr/lib/polkit-kde-authentication-agent-1")

What I have tried so far is creating this polkit rule:

/etc/polkit-1/rules.d/00-networkmanager.rules

polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system")
{
        polkit.log("NetworkManager.settings.modify.system: rule called");
    return polkit.Result.YES;
}
});

polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.network-control")
{
        polkit.log("NetworkManager.network-control: rule called");
    return polkit.Result.YES;
}
});

The rule is owned by root and has 644 permissions.

I really don't know about rule files, since the .pkla route works for me, but… that file looks script-ish—i'd be betting it needs execute permissions [I know, you could execute a bash script that doesn't have execute permission, too, but it would still be the first thing I'd try]. — Auspex, Aug 16 '23 at 18:05

score 9 · Answer 1 · edited Jun 09 '20 at 16:07

9

Try with a pkla (PolicyKit Local Authority) file:

$ sudo ls -la /etc/polkit-1/localauthority/50-local.d
total 16
drwxr-xr-x 2 root root 4096 Dec 28 20:08 .
drwx------ 7 root root 4096 Aug  1  2017 ..
-rw-r--r-- 1 root root  573 Dec 27 01:16 45-allow-colord.pkla
-rw-r--r-- 1 root root  206 Dec 28 20:08 50-allow-network-manager.pkla

$ sudo cat /etc/polkit-1/localauthority/50-local.d/50-allow-network-manager.pkla
[Network Manager all Users]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes

edited Jun 09 '20 at 16:07

Intrastellar Explorer

117
1
7

answered Dec 28 '19 at 19:16

jsiwrk

91
1
2

Thank you but that did not resolve it for me. I used the pkla file contents you show and the file has 640 permissions (and it owned by root). Did I miss any steps? – MountainX Jan 05 '20 at 03:50
I would like to accept your answer. What else is required to get the solution to work? – MountainX Feb 03 '20 at 00:48
Sorry, I don't know why I doesn't work for you... It worked for me. – jsiwrk Feb 04 '20 at 19:01
It also just worked for me, thank you @jsiwrk! – Intrastellar Explorer Jun 02 '20 at 19:33
@MountainX you should create the file `50-allow-network-manager.pkla` – Lucio M. Tato Sep 27 '20 at 20:56
It only "just worked for you", if you restarted polkit: `systemctl restart polkit`. This looks a bit extreme. NetworkManager configuration really should do the `org.freedesktop.NetworkManager.network-control` configuration when you specify to allow all users to use an iinterface (otherwise, why even ask?), but isn't `org.freedesktop.NetworkManager.settings.modify.system` saying that all users should be **able** to use NetworkManager configuration? That _should_ require sudo access. – Auspex Aug 16 '23 at 18:00

score 4 · Answer 2 · answered Jun 29 '22 at 05:08

4

Try this: Create a file named universal.pkla in the /etc/polkit-1/localauthority/50-local.d folder with these contents:

    [Allow access to anything for remote users]
    Identity=unix-user:*
    Action=*
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes

Then restart polkit with "sudo systemctl restart polkit.service" or reboot. I haven't seen any polkit authentication prompts since.

answered Jun 29 '22 at 05:08

ITCrowd

59
1
1

Worked for me. I'm using Ubuntu 22 as a Guest through Microsoft Hyper-V. – nGoline Oct 19 '22 at 12:53
What is the point of security, if you're just going to turn it all off?! – Auspex Aug 16 '23 at 17:54

system policy prevents control of network connections

2 Answers2

Linked