After a recent system update I have been having some problems with user permissions. When I try signing commits using a YubiKey I get an error from the PC/SC daemon, "Rejected unauthorized PC/SC client", and when I try using nmtui to deactivate a network connection I get the error "Not authorized to deactivate connections". Does anyone know how to solve it?
#Issue with system permissions
Can you upload your journal logs?
journalctl -S -10h | zstd | curl -F 'f:1=<-' ix.io
- internet required
nmcli general permissions | curl -F 'f:1=<-' ix.io
Possible polkit or rule file error/corruption
How can I fix it?
pacman -Qkk networkmanager polkit
sha256sum /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
networkmanager: 514 total files, 0 altered files
polkit: 217 total files, 0 altered files
c2f0aa557e1a5e9abe57b8ec69f6cc7c263284663bd2cc832b2327afeb1e9ee5 /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
pacman -Qkk pambase
groups
backup file: pambase: /etc/pam.d/system-login (Modification time mismatch)
backup file: pambase: /etc/pam.d/system-login (Size mismatch)
backup file: pambase: /etc/pam.d/system-login (MD5 checksum mismatch)
backup file: pambase: /etc/pam.d/system-login (SHA256 checksum mismatch)
pambase: 8 total files, 0 altered files
realtime libvirt plugdev docker video lp kvm input audio wheel kamack38
curl -F 'f:1=<-' ix.io < /etc/pam.d/system-login
A quick question. Why should I upload files to ix.io instead of sending them by Discord?
for convenience, so we can grep/sed/sha256sum the result without copying and pasting.
ok
Let's check the Polkit logs
First remove the --no-debug flag
systemctl edit polkit.service
Read the first 2 lines carefully and add the following content
[Service]
ExecStart=
ExecStart=/usr/lib/polkit-1/polkitd
Then restart polkit
systemctl: unrecognized option '--edit'
Sorry, it's edit
I should add it in the 3rd line?
It should look like this?
Yes
done
In the meantime, please upload the polkit rules
sudo tar --zstd -cv /etc/polkit-1/rules.d | curl -F 'f:1=<-' ix.io
- Please ensure that these rules do not contain sensitive information.
There are no files there
sudo tee /etc/polkit-1/rules.d/00-log.rules << 'EOF'
polkit.log("==> action=" + action);
polkit.log("==> subject=" + subject);
EOF
Then there will be no need for an upload
Try disconnecting the network from nmcli/nmtui as a regular user, and then collect the logs.
journalctl -S -10m | zstd | curl -F 'f:1=<-' ix.io
I noticed
sudo tee /etc/polkit-1/rules.d/00-log.rules << 'EOF'
polkit.addRule(function (action, subject) {
polkit.log("==> action=" + action);
polkit.log("==> subject=" + subject);
});
EOF
Error loading script /etc/polkit-1/rules.d/00-log.rules
The above rule does not contain any errors and can be compiled, please make sure you have not made any typos.
89d6ec9c2606d7a922c9c47c4cc3403014bb10328763102c0da0f3ab6c025b07 /etc/polkit-1/rules.d/00-log.rules
I just copied the command
Here's a sha256sum
Please execute
sudo touch /etc/polkit-1/rules.d/00-log.rules
journalctl -S -5m | curl -F 'f:1=<-' ix.io
sudo touch /etc/polkit-1/rules.d/00-log.rules
journalctl -S -5m | curl -F 'f:1=<-' ix.io
Too soon, retry only this command
journalctl -S -5m | curl -F 'f:1=<-' ix.io
Well, it seems that touch alone does not trigger recompilation.
sudo tee /etc/polkit-1/rules.d/00-log.rules << 'EOF'
polkit.addRule(function (action, subject) {
polkit.log("==> action=" + action);
polkit.log("==> subject=" + subject);
});
EOF
sleep 4
journalctl -S -5m | curl -F 'f:1=<-' ix.io
This is strange, I am able to compile this rule on a freshly created VM.
/etc/polkit-1:
rules.d
/etc/polkit-1/rules.d:
00-log.rules
Ping me when you're back
There was an issue with the file permissions
Its permissions were 600, but I changed them to 644 and the rule now loads properly
I tried deactivating the network connection and here's my journalctl log
polkitd[155784]: ==> action=[Action id='org.freedesktop.login1.inhibit-delay-sleep']
polkitd[155784]: ==> subject=[Subject pid=156707 user='kamack38' groups=kamack38,wheel,audio,input,kvm,lp,video,docker,plugdev,libvirt,realtime seat=null session=null local=false active=false]
polkitd[155784]: ==> action=[Action id='org.freedesktop.NetworkManager.network-control']
polkitd[155784]: ==> subject=[Subject pid=157445 user='kamack38' groups=kamack38,wheel,audio,input,kvm,lp,video,docker,plugdev,libvirt,realtime seat=null session=null local=false active=false]
NetworkManager[3858]: <info> [1692047645.7408] audit: op="connection-deactivate" uuid="62179bb0-5381-4628-a8e3-72bdf2fbc766" name="NETIASPOT-B1FCD0" pid=157445 uid=1000 result="fail" reason="Not authorized to deactivate connections"
The same thing happens when trying to get gpg smart card (gpg --card-status)
systemd[1]: Started PC/SC Smart Card Daemon.
polkitd[8026]: ==> action=[Action id='org.debian.pcsc-lite.access_pcsc']
polkitd[8026]: ==> subject=[Subject pid=41106 user='kamack38' groups=kamack38,wheel,audio,input,kvm,lp,video,docker,plugdev,libvirt,realtime seat=null session=null local=false active=false]
pcscd[46797]: 00000000 auth.c:143:IsClientAuthorized() Process 41106 (user: 1000) is NOT authorized for action: access_pcsc
pcscd[46797]: 00000074 winscard_svc.c:336:ContextThread() Rejected unauthorized PC/SC client
@ashen void Have you had a chance to look at this yet?
No, I have other tasks
Ok
Can you do a package check?
# use paccheck from pacutils since it is faster than pacman -Qkk
sudo pacman -S --noconfirm --needed pacutils
sudo paccheck --file-properties --sha256sum --quiet 2>&1 | tee paccheck.log
Do you use Arch repo?
grep -E '^ *Server' /etc/pacman.d/mirrorlist
Server = https://london.mirror.pkgbuild.com/$repo/os/$arch
Server = https://mirror.f4st.host/archlinux/$repo/os/$arch
Server = https://arch.phinau.de/$repo/os/$arch
Server = https://america.mirror.pkgbuild.com/$repo/os/$arch
Server = https://seoul.mirror.pkgbuild.com/$repo/os/$arch
stat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
File: /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
Size: 168594 Blocks: 336 IO Block: 4096 regular file
Device: 0,27 Inode: 18797466 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-04-23 13:57:02.000000000 +0200
Modify: 2023-04-20 18:20:28.000000000 +0200
Change: 2023-04-23 13:57:02.076882859 +0200
Birth: 2023-04-23 13:57:02.076882859 +0200
pkaction --action-id org.freedesktop.NetworkManager.enable-disable-network -v
org.freedesktop.NetworkManager.enable-disable-network:
description: Enable or disable system networking
message: System policy prevents enabling or disabling system networking
vendor: NetworkManager
vendor_url: https://networkmanager.dev/
icon: nm-icon
implicit any: no
implicit inactive: no
implicit active: yes
pkaction --action-id org.freedesktop.NetworkManager.network-control -v
org.freedesktop.NetworkManager.network-control:
description: Allow control of network connections
message: System policy prevents control of network connections
vendor: NetworkManager
vendor_url: https://networkmanager.dev/
icon: nm-icon
implicit any: auth_admin
implicit inactive: yes
implicit active: yes
nmcli networking off should give you an error, right?
Error: failed to set networking: Not authorized to enable/disable networking
Can you try to monitor the system bus? This should give you an idea of what's going on.
sudo dbus-monitor --system | tee system.bus.log
Then in another shell, execute
nmcli networking off
Finally, interrupt the dbus-monitor by pressing Ctrl-C
This seems to be a wayland issue. (I use Hyprland)