GNU bug report logs - #78047
WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon


Package: guix;

Reported by: Rodion Goritskov <rodion <at> goritskov.com>

Date: Thu, 24 Apr 2025 19:05:02 UTC

Severity: important



Report forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Thu, 24 Apr 2025 19:05:02 GMT)

Acknowledgement sent to Rodion Goritskov <rodion <at> goritskov.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 24 Apr 2025 19:05:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Rodion Goritskov <rodion <at> goritskov.com>
To: bug-guix <at> gnu.org
Subject: WiFi stops working if managed with NetworkManager after migration
 to unprivileged guix daemon
Date: Thu, 24 Apr 2025 21:03:22 +0200
Hi!

I tried to opt in to using the guix daemon in unprivileged mode using:

> (modify-services %base-services
>   (guix-service-type config =>
>     (guix-configuration (inherit config)
>                         (privileged? #f))))

After reconfiguration (and once the task changing the owner of the store to
guix-daemon had finished), I rebooted the system, only to find out that WiFi was not working anymore.

I use NetworkManager for the network configuration, with pretty much the
default configuration:

> (service wpa-supplicant-service-type)
> (service network-manager-service-type
>          (network-manager-configuration (vpn-plugins (list
>                                                       network-manager-openvpn))))


In logs I can see the following errors:

> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>  [1745483655.8534] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-ovs.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>  [1745483655.8535] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-bluetooth.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>  [1745483655.8536] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-adsl.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>  [1745483655.8536] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wifi.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>  [1745483655.8537] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so: file has invalid owner (should be root)

Looks like NetworkManager doesn't like a non-root owner of plugins.

After reconfiguring back to the privileged guix-service-type,
NetworkManager is back to normal:

> 2025-04-24 11:40:49 localhost NetworkManager[833]: <info>  [1745487649.2569] Loaded device plugin: NMOvsFactory (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-ovs.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: <info>  [1745487649.3357] Loaded device plugin: NMBluezManager (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-bluetooth.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: <info>  [1745487649.3373] Loaded device plugin: NMAtmManager (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-adsl.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: <info>  [1745487649.3414] Loaded device plugin: NMWifiFactory (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wifi.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: <info>  [1745487649.3427] Loaded device plugin: NMWwanFactory (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so)




Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Mon, 05 May 2025 15:36:04 GMT)

Message #8 received at 78047 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Rodion Goritskov <rodion <at> goritskov.com>
Cc: 78047 <at> debbugs.gnu.org
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager
 after migration to unprivileged guix daemon
Date: Mon, 05 May 2025 15:02:35 +0200
Hi,

Rodion Goritskov <rodion <at> goritskov.com> writes:

> In logs I can see the following errors:
>
>> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>
>> [1745483655.8534] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-ovs.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>
>> [1745483655.8535] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-bluetooth.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>
>> [1745483655.8536] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-adsl.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>
>> [1745483655.8536] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wifi.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>
>> [1745483655.8537] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so:
>> file has invalid owner (should be root)
>
> Looks like NetworkManager doesn't like a non-root owner of plugins.

I think we’ll have to add an activation snippet in the ‘network-manager’
service that copies those files elsewhere with appropriate ownership.

Or we could patch NetworkManager.  (Maybe wiser.)

Thanks,
Ludo’.




Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Fri, 09 May 2025 13:04:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Fri, 09 May 2025 23:05:02 GMT)

Message #13 received at 78047 <at> debbugs.gnu.org:

From: Gabriel Santos <gabrielsantosdesouza <at> disroot.org>
To: 78047 <at> debbugs.gnu.org
Subject: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Fri, 09 May 2025 20:04:45 -0300
Thanks for reporting this, I also was impacted by the same
issue. I'll just do a privileged reinstall.

-- 
Gabriel Santos




Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Mon, 19 May 2025 14:36:01 GMT)

Message #16 received at 78047 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Rodion Goritskov <rodion <at> goritskov.com>
Cc: guix-devel <at> gnu.org, 78047 <at> debbugs.gnu.org
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager
 after migration to unprivileged guix daemon
Date: Mon, 19 May 2025 16:33:22 +0200
Hello,

Ludovic Courtès <ludo <at> gnu.org> writes:

>>> 2025-04-24 10:34:15 localhost NetworkManager[852]: <warn>
>>> [1745483655.8537] plugin: skip invalid file
>>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so:
>>> file has invalid owner (should be root)
>>
>> Looks like NetworkManager doesn't like a non-root owner of plugins.
>
> I think we’ll have to add an activation snippet in the ‘network-manager’
> service that copies those files elsewhere with appropriate ownership.
>
> Or we could patch NetworkManager.  (Maybe wiser.)

Looking into it, I think this root-ownership check buys us very little:
it worked “by chance”, but since anyone can indirectly write into the
store (with root ownership), it’s pointless.

What matters is that network-manager is configured by root on Guix
System, and that it is passed its configuration in the store
(unambiguous).

So I’m tempted to just remove the check, but I’d rather have more
eyeballs on this:

diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c
index 895a991..738f8c7 100644
--- a/src/core/nm-core-utils.c
+++ b/src/core/nm-core-utils.c
@@ -4319,14 +4319,6 @@ nm_utils_validate_plugin(const char *path, struct stat *st, GError **error)
         return FALSE;
     }
 
-    if (st->st_uid != 0) {
-        g_set_error_literal(error,
-                            NM_UTILS_ERROR,
-                            NM_UTILS_ERROR_UNKNOWN,
-                            "file has invalid owner (should be root)");
-        return FALSE;
-    }
-
     if (st->st_mode & (S_IWGRP | S_IWOTH | S_ISUID)) {
         g_set_error_literal(error,
                             NM_UTILS_ERROR,
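Review bot: with the `st_uid != 0` test gone, the remaining mask `S_IWGRP | S_IWOTH | S_ISUID` no longer enforces the "must be only modifiable by root" property the check was introduced for (see the commit message quoted later in the thread), because owner write permission is never tested: a plugin owned by any non-root uid with mode 0755 now loads, and that uid can rewrite it at will. On Guix System this is covered by the store being unmodifiable (store files are r-xr-xr-x, as the `ls -lL` listing later in the thread shows, and the plugin directory is fixed by the store path in NetworkManager.conf), so if the patch stays Guix-only that reasoning should sit in a comment above the hunk; if it is meant to be generic, replace the removed block with a narrower test such as `if (st->st_uid != 0 && (st->st_mode & S_IWUSR))`, which still accepts read-only store files owned by the daemon user while rejecting owner-writable ones.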
Ludo’.

Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Thu, 05 Jun 2025 22:06:02 GMT)

Message #19 received at 78047 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-devel <at> gnu.org,  78047 <at> debbugs.gnu.org
Cc: Rodion Goritskov <rodion <at> goritskov.com>
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager
 after migration to unprivileged guix daemon
Date: Thu, 05 Jun 2025 22:47:17 +0200
Hello,

Ludovic Courtès <ludo <at> gnu.org> writes:

> So I’m tempted to just remove the check, but I’d rather have more
> eyeballs on this:
>
> diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c
> index 895a991..738f8c7 100644
> --- a/src/core/nm-core-utils.c
> +++ b/src/core/nm-core-utils.c
> @@ -4319,14 +4319,6 @@ nm_utils_validate_plugin(const char *path, struct stat *st, GError **error)
>          return FALSE;
>      }
>  
> -    if (st->st_uid != 0) {
> -        g_set_error_literal(error,
> -                            NM_UTILS_ERROR,
> -                            NM_UTILS_ERROR_UNKNOWN,
> -                            "file has invalid owner (should be root)");
> -        return FALSE;
> -    }
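Review bot: the patch carries no description. Upstream added this test deliberately (commit 05e2e701a8638f5a159392f7ed1fd82b02886fd9, quoted later in the thread: "must be only modifiable by root"), so the patch file header should state why dropping it is safe on Guix System, namely that the plugin directory is fixed by the store path in the configuration root passes on the command line and that store contents cannot be modified. The dispatcher scripts under /etc/NetworkManager/dispatcher.d are documented with the same owned-by-root requirement (man/NetworkManager.xml, quoted at the end of the thread) and are not touched here, so after this patch the two code paths will disagree about root ownership; say whether that is intended or cover both in the same patch.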

Any objections to this?

See <https://issues.guix.gnu.org/78047> for context.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Fri, 06 Jun 2025 08:01:02 GMT)

Message #22 received at 78047 <at> debbugs.gnu.org:

From: Danny Milosavljevic <dannym <at> friendly-machines.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-devel <at> gnu.org, 78047 <at> debbugs.gnu.org,
 Rodion Goritskov <rodion <at> goritskov.com>
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager
 after migration to unprivileged guix daemon
Date: Fri, 06 Jun 2025 10:00:08 +0200
Hi Ludo,

The commit that introduced the check is the following one.

I'd just ask Thomas Haller for advice and for what the purpose of the check is, no?

Probably the classic "if some weird user can change the contents of the (network manager or otherwise) plugins that are used in the gdm login screen, that's not good and can be used for all kinds of shady shit". (confused deputy)

Maybe for a really really paranoid way we could replace the check by a check whether geteuid() == st_uid, no ?  The idea being that the check wouldn't change behavior if it's actually run as root and would change behavior if it's run as your real user.

For the record, on guix system, network manager is run like this:

$ ps -ef |grep -i networkmana
root      1650     1  0 Jun05 ?        00:00:06 /gnu/store/8fg4facbxkd31r4yl1q6zl2df28mjixg-network-manager-1.52.0/sbin/NetworkManager --config=/gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf --no-daemon

$ cat /gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf
[main]
dns=default

$ sudo cat /proc/1650/environ 
[...]
NM_VPN_PLUGIN_DIR=/gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/

$ ls -lL /gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/
total 756
-r--r--r-- 10 root root  44330 Jan  1  1970 libnm-gtk4-vpn-plugin-openconnect-editor.a
-r-xr-xr-x  1 root root   3537 Jan  1  1970 libnm-gtk4-vpn-plugin-openconnect-editor.la
-r-xr-xr-x  2 root root  43664 Jan  1  1970 libnm-gtk4-vpn-plugin-openconnect-editor.so
-r-xr-xr-x  1 root root   1998 Jan  1  1970 libnm-gtk4-vpn-plugin-openvpn-editor.la
-r-xr-xr-x  2 root root 191840 Jan  1  1970 libnm-gtk4-vpn-plugin-openvpn-editor.so
-r--r--r--  2 root root  25986 Jan  1  1970 libnm-vpn-plugin-openconnect.a
-r--r--r-- 10 root root  51568 Jan  1  1970 libnm-vpn-plugin-openconnect-editor.a
-r-xr-xr-x  1 root root   3422 Jan  1  1970 libnm-vpn-plugin-openconnect-editor.la
-r-xr-xr-x  2 root root  51856 Jan  1  1970 libnm-vpn-plugin-openconnect-editor.so
-r-xr-xr-x  1 root root   2817 Jan  1  1970 libnm-vpn-plugin-openconnect.la
-r-xr-xr-x  2 root root  27184 Jan  1  1970 libnm-vpn-plugin-openconnect.so
-r-xr-xr-x  1 root root   1892 Jan  1  1970 libnm-vpn-plugin-openvpn-editor.la
-r-xr-xr-x  2 root root 232832 Jan  1  1970 libnm-vpn-plugin-openvpn-editor.so
-r-xr-xr-x  1 root root   1276 Jan  1  1970 libnm-vpn-plugin-openvpn.la
-r-xr-xr-x  2 root root  64440 Jan  1  1970 libnm-vpn-plugin-openvpn.so
dr-xr-xr-x  2 root root   4096 Jan  1  1970 VPN/

$ ls -lL /gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/VPN/
total 8
-r--r--r-- 1 root root 657 Jan  1  1970 nm-openconnect-service.name
-r--r--r-- 1 root root 668 Jan  1  1970 nm-openvpn-service.name

commit 05e2e701a8638f5a159392f7ed1fd82b02886fd9
Author: Thomas Haller <thaller <at> redhat.com>
Date:   Wed Jun 18 11:58:30 2014 +0200

    core: check file permissions when loading device plugins and order by file modification time
    
    Refactor the loading of device plugins by creating the list of
    module filenames in a separate function.
    
    Thereby also check for file permissions (must be only modifiable by root)
    and sort the files by last file modification time. This has the advantage,
    that if several plugins provide the same device type, that we (deterministically)
    prefer the most recent one.
    
    Signed-off-by: Thomas Haller <thaller <at> redhat.com>




Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Fri, 06 Jun 2025 13:35:02 GMT)

Message #25 received at 78047 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Danny Milosavljevic <dannym <at> friendly-machines.com>
Cc: guix-devel <at> gnu.org, 78047 <at> debbugs.gnu.org,
 Rodion Goritskov <rodion <at> goritskov.com>
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager
 after migration to unprivileged guix daemon
Date: Fri, 06 Jun 2025 15:24:27 +0200
Hi,

Danny Milosavljevic <dannym <at> friendly-machines.com> writes:

> Maybe for a really really paranoid way we could replace the check by a
> check whether geteuid() == st_uid, no ?  The idea being that the check
> wouldn't change behavior if it's actually run as root and would change
> behavior if it's run as your real user.

But what would this check buy us?

> For the record, on guix system, network manager is run like this:
>
> $ ps -ef |grep -i networkmana
> root 1650 1 0 Jun05 ?  00:00:06
> /gnu/store/8fg4facbxkd31r4yl1q6zl2df28mjixg-network-manager-1.52.0/sbin/NetworkManager
> --config=/gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf
> --no-daemon

Yes, so it’s in the store and the configuration file (and thus plugin
directory) is defined statically by the system administrator.

So I feel like there cannot be a situation where an unprivileged user
would trick NetworkManager into loading user-owned plugins.

Thoughts?

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#78047; Package guix. (Fri, 06 Jun 2025 20:40:02 GMT)

Message #28 received at 78047 <at> debbugs.gnu.org:

From: Danny Milosavljevic <dannym <at> friendly-machines.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-devel <at> gnu.org, 78047 <at> debbugs.gnu.org,
 Rodion Goritskov <rodion <at> goritskov.com>
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager
 after migration to unprivileged guix daemon
Date: Fri, 06 Jun 2025 22:38:56 +0200
Hi Ludo,

I see, so the use case in question here would be to have NetworkManager run as root (like always; and probably necessary for the operations it does) but refer to plugins that were built by rootless guix-daemon (presumably real user account; or service user) ?  Then having geteuid() == st_uid indeed wouldn't help.

As for your patch, as long as it's not possible for the user to cause the environment variable NM_VPN_PLUGIN_DIR (or similar environment variable) to be changed for a root NetworkManager process, your change should be fine.  And in the Guix case it's not possible to mutate the contents in the store (for example the contents of the directory that NM_VPN_PLUGIN_DIR points to).

Your change LGTM!

P.S. I also found an extra spot in man/NetworkManager.xml :

<para>
      NetworkManager will execute scripts in the
      /etc/NetworkManager/dispatcher.d directory or subdirectories in
      alphabetical order in response to network events.  Each script should
      be a regular executable file owned by root.  Furthermore, it must not be
      writable by group or other, and not setuid.
</para>

Our dnssec-trigger seems to refer to that as well.



