From: bug#78047 <78047@debbugs.gnu.org>
To: bug#78047 <78047@debbugs.gnu.org>
Subject: Status: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Sat, 21 Jun 2025 10:25:21 +0000

retitle 78047 WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
reassign 78047 guix
submitter 78047 Rodion Goritskov
severity 78047 important
thanks

From: Rodion Goritskov
To: bug-guix@gnu.org
Subject: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Thu, 24 Apr 2025 21:03:22 +0200

Hi!

I tried to opt in to using the guix daemon in unprivileged mode using:

> (modify-services %base-services
>   (guix-service-type config =>
>     (guix-configuration (inherit config)
>       (privileged? #f))))

After reconfiguration (and finish of the task changing the owner of the store to guix-daemon), I rebooted the system to find out that WiFi is not working anymore.

I use NetworkManager for the network configuration, with pretty much the default configuration:

> (service wpa-supplicant-service-type)
> (service network-manager-service-type
>   (network-manager-configuration (vpn-plugins (list
>     network-manager-openvpn))))

In logs I can see the following errors:

> 2025-04-24 10:34:15 localhost NetworkManager[852]: [1745483655.8534] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-ovs.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: [1745483655.8535] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-bluetooth.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: [1745483655.8536] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-adsl.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: [1745483655.8536] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wifi.so: file has invalid owner (should be root)
> 2025-04-24 10:34:15 localhost NetworkManager[852]: [1745483655.8537] plugin: skip invalid file /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so: file has invalid owner (should be root)

Looks like NetworkManager doesn't like a non-root owner of plugins.

After reconfiguration back to the privileged guix-service-type, NetworkManager is back to normal:

> 2025-04-24 11:40:49 localhost NetworkManager[833]: [1745487649.2569] Loaded device plugin: NMOvsFactory (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-ovs.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: [1745487649.3357] Loaded device plugin: NMBluezManager (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-bluetooth.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: [1745487649.3373] Loaded device plugin: NMAtmManager (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-adsl.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: [1745487649.3414] Loaded device plugin: NMWifiFactory (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wifi.so)
> 2025-04-24 11:40:49 localhost NetworkManager[833]: [1745487649.3427] Loaded device plugin: NMWwanFactory (/gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so)

From: Ludovic Courtès
To: Rodion Goritskov
Cc: 78047@debbugs.gnu.org
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Mon, 05 May 2025 15:02:35 +0200

Hi,

Rodion Goritskov writes:

> In logs I can see the following errors:
>
>> 2025-04-24 10:34:15 localhost NetworkManager[852]:
>> [1745483655.8534] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-ovs.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]:
>> [1745483655.8535] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-bluetooth.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]:
>> [1745483655.8536] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-adsl.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]:
>> [1745483655.8536] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wifi.so:
>> file has invalid owner (should be root)
>> 2025-04-24 10:34:15 localhost NetworkManager[852]:
>> [1745483655.8537] plugin: skip invalid file
>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so:
>> file has invalid owner (should be root)
>
> Looks like NetworkManager doesn't like a non-root owner of plugins.

I think we’ll have to add an activation snippet in the ‘network-manager’ service that copies those files elsewhere with appropriate ownership.

Or we could patch NetworkManager. (Maybe wiser.)

Thanks,
Ludo’.

From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #78047
Date: Fri, 09 May 2025 15:02:04 +0200

severity 78047 important
quit

From: Gabriel Santos
To: 78047@debbugs.gnu.org
Subject: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Fri, 09 May 2025 20:04:45 -0300

Thanks for reporting this, I also was impacted by the same issue.

I'll just do a privileged reinstall.

-- 
Gabriel Santos

From: Ludovic Courtès
To: Rodion Goritskov
Cc: guix-devel@gnu.org, 78047@debbugs.gnu.org
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Mon, 19 May 2025 16:33:22 +0200

Hello,

Ludovic Courtès writes:

>>> 2025-04-24 10:34:15 localhost NetworkManager[852]:
>>> [1745483655.8537] plugin: skip invalid file
>>> /gnu/store/agadky1p0ba367avf524sh5wmcdxcxb1-network-manager-1.52.0/lib/NetworkManager/1.52.0/libnm-device-plugin-wwan.so:
>>> file has invalid owner (should be root)
>>
>> Looks like NetworkManager doesn't like a non-root owner of plugins.
>
> I think we’ll have to add an activation snippet in the ‘network-manager’
> service that copies those files elsewhere with appropriate ownership.
>
> Or we could patch NetworkManager. (Maybe wiser.)

Looking into it, I think this root-ownership check buys us very little: it worked “by chance”, but since anyone can indirectly write into the store (with root ownership), it’s pointless.

What matters is that network-manager is configured by root on Guix System, and that it is passed its configuration in the store (unambiguous).

So I’m tempted to just remove the check, but I’d rather have more eyeballs on this:

diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c index 895a991..738f8c7 100644 --- a/src/core/nm-core-utils.c +++ b/src/core/nm-core-utils.c
@@ -4319,14 +4319,6 @@ nm_utils_validate_plugin(const char *path, struct stat *st, GError **error) return FALSE; } - if (st->st_uid != 0) { - g_set_error_literal(error, - NM_UTILS_ERROR, - NM_UTILS_ERROR_UNKNOWN, - "file has invalid owner (should be root)"); - return FALSE; - } - if (st->st_mode & (S_IWGRP | S_IWOTH | S_ISUID)) { g_set_error_literal(error, NM_UTILS_ERROR,

Ludo’.

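Review bot: with the `st->st_uid != 0` block removed from nm_utils_validate_plugin, the only gate left in the visible context is the `S_IWGRP | S_IWOTH | S_ISUID` mode test, which never looks at who owns the file, so a plugin owned by any account passes as long as it is not group- or other-writable. If the goal is only to accept store files owned by the unprivileged daemon's account, consider narrowing the ownership test rather than deleting it (for example, accepting root or the owner of the directory the plugin was loaded from), and leave a comment where the block was saying why ownership is not enforced, since the diff itself carries no rationale.
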
From: Ludovic Courtès
To: guix-devel@gnu.org, 78047@debbugs.gnu.org
Cc: Rodion Goritskov
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Thu, 05 Jun 2025 22:47:17 +0200

Hello,

Ludovic Courtès writes:

> So I’m tempted to just remove the check, but I’d rather have more
> eyeballs on this:
>
> diff --git a/src/core/nm-core-utils.c b/src/core/nm-core-utils.c > index 895a991..738f8c7 100644 > --- a/src/core/nm-core-utils.c > +++ b/src/core/nm-core-utils.c
> @@ -4319,14 +4319,6 @@ nm_utils_validate_plugin(const char *path, struct = stat *st, GError **error) > return FALSE; > } >=20=20 > - if (st->st_uid !=3D 0) { > - g_set_error_literal(error, > - NM_UTILS_ERROR, > - NM_UTILS_ERROR_UNKNOWN, > - "file has invalid owner (should be root)"); > - return FALSE; > - }

Any objections to this? See for context.

Ludo’.

From: Danny Milosavljevic
To: Ludovic Courtès
Cc: guix-devel@gnu.org, 78047@debbugs.gnu.org, Rodion Goritskov
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Fri, 06 Jun 2025 10:00:08 +0200

Hi Ludo,

The commit that introduced the check is the following one. I'd just ask Thomas Haller for advice and for what the purpose of the check is, no?

Probably the classic "if some weird user can change the contents of the (network manager or otherwise) plugins that are used in the gdm login screen, that's not good and can be used for all kinds of shady shit". (confused deputy)

Maybe for a really really paranoid way we could replace the check by a check whether geteuid() == st_uid, no ? The idea being that the check wouldn't change behavior if it's actually run as root and would change behavior if it's run as your real user.

For the record, on guix system, network manager is run like this:

$ ps -ef |grep -i networkmana
root 1650 1 0 Jun05 ? 00:00:06 /gnu/store/8fg4facbxkd31r4yl1q6zl2df28mjixg-network-manager-1.52.0/sbin/NetworkManager --config=/gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf --no-daemon

$ cat /gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf
[main]
dns=default

$ sudo cat /proc/1650/environ
[...]
NM_VPN_PLUGIN_DIR=/gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/

$ ls -lL /gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/
total 756
-r--r--r-- 10 root root 44330 Jan 1 1970 libnm-gtk4-vpn-plugin-openconnect-editor.a
-r-xr-xr-x 1 root root 3537 Jan 1 1970 libnm-gtk4-vpn-plugin-openconnect-editor.la
-r-xr-xr-x 2 root root 43664 Jan 1 1970 libnm-gtk4-vpn-plugin-openconnect-editor.so
-r-xr-xr-x 1 root root 1998 Jan 1 1970 libnm-gtk4-vpn-plugin-openvpn-editor.la
-r-xr-xr-x 2 root root 191840 Jan 1 1970 libnm-gtk4-vpn-plugin-openvpn-editor.so
-r--r--r-- 2 root root 25986 Jan 1 1970 libnm-vpn-plugin-openconnect.a
-r--r--r-- 10 root root 51568 Jan 1 1970 libnm-vpn-plugin-openconnect-editor.a
-r-xr-xr-x 1 root root 3422 Jan 1 1970 libnm-vpn-plugin-openconnect-editor.la
-r-xr-xr-x 2 root root 51856 Jan 1 1970 libnm-vpn-plugin-openconnect-editor.so
-r-xr-xr-x 1 root root 2817 Jan 1 1970 libnm-vpn-plugin-openconnect.la
-r-xr-xr-x 2 root root 27184 Jan 1 1970 libnm-vpn-plugin-openconnect.so
-r-xr-xr-x 1 root root 1892 Jan 1 1970 libnm-vpn-plugin-openvpn-editor.la
-r-xr-xr-x 2 root root 232832 Jan 1 1970 libnm-vpn-plugin-openvpn-editor.so
-r-xr-xr-x 1 root root 1276 Jan 1 1970 libnm-vpn-plugin-openvpn.la
-r-xr-xr-x 2 root root 64440 Jan 1 1970 libnm-vpn-plugin-openvpn.so
dr-xr-xr-x 2 root root 4096 Jan 1 1970 VPN/

$ ls -lL /gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/VPN/
total 8
-r--r--r-- 1 root root 657 Jan 1 1970 nm-openconnect-service.name
-r--r--r-- 1 root root 668 Jan 1 1970 nm-openvpn-service.name

commit 05e2e701a8638f5a159392f7ed1fd82b02886fd9
Author: Thomas Haller
Date: Wed Jun 18 11:58:30 2014 +0200

    core: check file permissions when loading device plugins and order by file modification time

    Refactor the loading of device plugins by creating the list of module filenames in a separate function.

    Thereby also check for file permissions (must be only modifiable by root) and sort the files by last file modification time. This has the advantage, that if several plugins provide the same device type, that we (deterministically) prefer the most recent one.

    Signed-off-by: Thomas Haller


From: Ludovic Courtès
To: Danny Milosavljevic
Cc: guix-devel@gnu.org, 78047@debbugs.gnu.org, Rodion Goritskov
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Fri, 06 Jun 2025 15:24:27 +0200

Hi,

Danny Milosavljevic writes:

> Maybe for a really really paranoid way we could replace the check by a
> check whether geteuid() == st_uid, no ? The idea being that the check
> wouldn't change behavior if it's actually run as root and would change
> behavior if it's run as your real user.

But what would this check buy us?

> For the record, on guix system, network manager is run like this:
>
> $ ps -ef |grep -i networkmana
> root 1650 1 0 Jun05 ? 00:00:06
> /gnu/store/8fg4facbxkd31r4yl1q6zl2df28mjixg-network-manager-1.52.0/sbin/NetworkManager
> --config=/gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf
> --no-daemon

Yes, so it’s in the store and the configuration file (and thus plugin directory) is defined statically by the system administrator.
So I feel like there cannot be a situation where an unprivileged user would trick NetworkManager into loading user-owned plugins.

Thoughts?

Ludo’.

From: Danny Milosavljevic
To: Ludovic Courtès
Subject: Re: bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon
Date: Fri, 06 Jun 2025 22:38:56 +0200
Cc: guix-devel@gnu.org, 78047@debbugs.gnu.org, Rodion Goritskov

Hi Ludo,

I see, so the use case in question here would be to have NetworkManager run as root (like always; and probably necessary for the operations it does) but refer to plugins that were built by rootless guix-daemon (presumably real user account; or service user) ?

Then having geteuid() == st_uid indeed wouldn't help.

As for your patch, as long as it's not possible for the user to cause the environment variable NM_VPN_PLUGIN_DIR (or similar environment variable) to be changed for a root NetworkManager process, your change should be fine.

And in the Guix case it's not possible to mutate the contents in the store (for example the contents of the directory that NM_VPN_PLUGIN_DIR points to).

Your change LGTM!

P.S. I also found an extra spot in man/NetworkManager.xml :

  NetworkManager will execute scripts in the /etc/NetworkManager/dispatcher.d directory or subdirectories in alphabetical order in response to network events. Each script should be a regular executable file owned by root. Furthermore, it must not be writable by group or other, and not setuid.

Our dnssec-trigger seems to refer to that as well.

Date: Fri, 20 Jun 2025 21:29:57 -0300
From: Gabriel Santos
To: 78047@debbugs.gnu.org
Subject: RE: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon

>Your change LGTM!

LGTM too!

-- 
Gabriel Santos