16

So currently when my non-admin user tries to connect to a new WiFi network (e.g. at a cafe say) NetworkManager prompts for the admin user's password. Is there a way to turn this off and to allow the non-admin user to connect to whatever Wifi network they like?

EDIT: just to clarify, I really mean a new WiFi network never connected to prior by the computer, so clicking 'Available to all users' on an existing established connection will not solve the matter- as currently no issue with the non-admin user reconnecting as many times as they like to the home network.

fpghost
  • 1,659
  • /etc/sudoers is the file to edit so it does not ask for passwords: https://help.ubuntu.com/community/Sudoers – Rinzwind Jan 18 '13 at 09:30
  • I've used visudo before to allow the non-admin user to do a few things (like sudo apt-get upate for e.g.) but I am not sure what I would have to put in there to stop them being asked for a password on connecting to a new wifi network – fpghost Jan 18 '13 at 09:32
  • ha you got me there. I would have made it an answer if I knew that from memory (been searching for a bit but did not find it yet :D ) – Rinzwind Jan 18 '13 at 09:33
  • yeah, must be something of the form someUser ALL=(root)NOPASSWD:/path/to/somethingControllingWiFi I presume, if this is indeed the way to go. – fpghost Jan 18 '13 at 09:36
  • It sure is :) .. – Rinzwind Jan 18 '13 at 09:39
  • Are you sure he is not asking to unlock the keyring? Normal non admin users are allowed to control wireless connections. If not try to open the Network Manager with your admin user and make sure that the Connection available to all users check box is enabled. – Bruno Pereira Jan 18 '13 at 10:19
  • Yes connection available to all is already ticked. The non-admin user can connect to a pre-established connection without issue (e.g. home wifi say), the problem is when they try to connect to a genuinely new wifi network (say at a cafe or hotel), somewhere never previously connected to, then upon attempting to connect via NetworkManager the non-admin user is prompted for my (the admins) password. – fpghost Jan 18 '13 at 10:31
  • Also when trying to Edit Connections for the pre-established connection msg is System policy prevents modifications of network settings for all users: an application is attempting to perform an action that requires privileges. Authentication as the super user is required to perform this action. Password for adminuser: ...... then the Details expansions says Action: org.freedesktop.NetworkManager.settings.modify.system, Vendor: NetworkManager if that helps. – fpghost Jan 18 '13 at 10:45
  • @BrunoPereira the available to all fix has to be applied for every single wifi network, so isn't practical for non-admin users connecting to new wifi on their own. – fpghost Jan 19 '13 at 11:11
  • Dupe: http://askubuntu.com/questions/230825/how-can-non-admin-users-connect-to-wi-fi-networks – artfulrobot Oct 15 '13 at 14:34

6 Answers6

19

I found success with the following solution in Ubuntu 13.04:

Open /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy with root/sudo privileges and search for the following line:

<message>System policy prevents modification of network settings for all users</message>

A few lines below that should be this:

<allow_active>auth_admin_keep</allow_active>

Change it to:

<allow_active>yes</allow_active>

Save the file and restart your computer.

muru
  • 197,895
  • 55
  • 485
  • 740
Kyle Spencer
  • 211
  • 2
  • 4
  • see the answer blow by @harlemsquirrel below, it will make it much easier to pack the permission up inside e.g. a deb package. Also the above approach is susceptible to be reset by updates, etc, because your editing a file managed by dpkg. – vidstige Aug 29 '16 at 07:59
  • 1
    Solid advice, but you should just restart the network via sudo service network-manager restart. – vise Sep 29 '17 at 15:39
5

You can edit system configuration files, but that's brute force. First of all, as a rule of thumb, configuration resides under /etc, not /usr or /var or anywhere else. HarlemSquirrel explained how to do a proper change to the default policy. Editing files under /usr is guaranteed to blow up in your face sooner or later, as those files are provided by system packages, which will be updated/replaced eventually.

But the bigger problem is that these changes are completely unnecessary, as of 18.04 at least. This is a "you're holding it wrong" issue. Actually, it's a usability issue on the NM applet's part, but anyway. Take a look at /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy:

  <action id="org.freedesktop.NetworkManager.settings.modify.system">
    <description>Modify network connections for all users</description>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

Meaning users can't create connections, right? Wrong! Look further:

  <action id="org.freedesktop.NetworkManager.settings.modify.own">
    <description>Modify personal network connections</description>
    <defaults>
      <allow_any>auth_self_keep</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

As you can see, NetworkManager supports the concept of user and system connections. The problem is, the applet creates system connections by default. So when you open the applet on the tray and click Select Network, then select the one you want to connect to, it asks for a sudo user, because creating system connections are only allowed for admins.

BUT if you open the Settings app, go to Wi-Fi and click on the desired network, it'll easily let you connect without admin password. Walk in the park.

Why the applet wants to create system connections by default is beyond me though, especially since you can make a user connection a system one anytime later. It's the Make available to other users option under connection properties, and when you check that and click Apply, it'll immediately ask for sudo password, as it should. I'll try to find a way to make the applet create user connections by default, I'll update this answer if I figured it out.

bviktor
  • 255
  • 2
    OMG thanks for this info, this has been pestering me for so long. I just submitted a bug report: https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1869225 – gpothier Mar 26 '20 at 15:45
5

You can also create a local policy for this

[Let user pupil modify system settings for network]
Identity=unix-user:pupil
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes

in a file called /etc/polkit-1/localauthority/50-local.d/10-network-manager.pkla.

The advantage here is this can be a single command and usable in a script!

printf "[Let user pupil modify system settings for network]\nIdentity=unix-user:pupil\nAction=org.freedesktop.NetworkManager.settings.modify.system\nResultAny=no\nResultInactive=no\nResultActive=yes" | sudo tee /etc/polkit-1/localauthority/50-local.d/10-network-manager.pkla

Reference: Ubuntu Manpage:pklocalauthority

HarlemSquirrel
  • 3,741
4

How To Resolve the Error: System policy prevents modification of network settings for all users

There is a critical step missing from an answer above, so I am including it here. :)

This works in Ubuntu 14.04 LTS & 16.04 LTS

  1. Open Terminal

  2. su to root

    su -

  3. Type the following:

    nano /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

  4. Towards the end of the file, find the section labeled:

    <action id="org.freedesktop.NetworkManager.settings.modify.system">

  5. At the the bottom of the org.freedesktop.NetworkManager.settings.modify.system Section, locate the following line of code:

    <allow_active>auth_admin_keep</allow_active>

  6. Change this line to read as follows:

    <allow_active>yes</allow_active>

  7. Save the file using:

    ^X

  8. Answer "Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?" by Typing:

    Y

  9. Hit Enter when prompted with:

    File Name to Write: /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

  10. Restart.

:)

bu11etpr00f
  • 41
2

This isn't really the fix I was hoping for but one workaround I've found is just to disable NetworkManager all-together and instead use Wicd.

First stop NetworkManager from running at startup:

sudo gedit /etc/NetworkManager/NetworkManager.conf

then # out the managed line. Also # out #start on (local-filesystems and started dbus) from /etc/init/network-manager.conf . Then just to make double sure

sudo mv /etc/init/network-manager.conf /etc/init/network-manager.conf-disabled
sudo mv /etc/xdg/autostart/nm-applet.desktop /etc/xdg/autostart /nm-applet.desktop.disabled

Now can just use Wicd and no password prompts needed it seems.

fpghost
  • 1,659
1

Using @Kyle's answer, I've made a sed script to replace directly the content auth_admin_keep to yes

It's recommended to make a backup of the org.freedesktop.NetworkManager.policy before

# cp /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy /usr/share/polkit-1/actions/bkp.org.freedesktop.NetworkManager.policy

Then run this:

# sed -i '/System policy prevents modification of network settings for all users/,/allow_active/s/allow_active>auth_admin_keep/allow_active>yes/' /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
Renan Ceratto
  • 11
  • 2