bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon

Danny Milosavljevic Fri, 06 Jun 2025 01:12:06 -0700

Hi Ludo,

The commit that introduced the check is the following one.


I'd just ask Thomas Haller for advice and for what the purpose of the check is, 
no?

Probably the classic "if some weird user can change the contents of the 
(network manager or otherwise) plugins that are used in the gdm login screen, 
that's not good and can be used for all kinds of shady shit". (confused deputy)

Maybe for a really really paranoid way we could replace the check by a check 
whether geteuid() == st_uid, no ?  The idea being that the check wouldn't 
change behavior if it's actually run as root and would change behavior if it's 
run as your real user.

For the record, on guix system, network manager is run like this:

$ ps -ef |grep -i networkmana
root      1650     1  0 Jun05 ?        00:00:06 
/gnu/store/8fg4facbxkd31r4yl1q6zl2df28mjixg-network-manager-1.52.0/sbin/NetworkManager
 --config=/gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf 
--no-daemon

$ cat /gnu/store/3cp48fvxfivj2255bbxj7363qj33ajs9-NetworkManager.conf
[main]
dns=default

$ sudo cat /proc/1650/environ 
[...]
NM_VPN_PLUGIN_DIR=/gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/

$ ls -lL 
/gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/
total 756
-r--r--r-- 10 root root  44330 Jan  1  1970 
libnm-gtk4-vpn-plugin-openconnect-editor.a
-r-xr-xr-x  1 root root   3537 Jan  1  1970 
libnm-gtk4-vpn-plugin-openconnect-editor.la
-r-xr-xr-x  2 root root  43664 Jan  1  1970 
libnm-gtk4-vpn-plugin-openconnect-editor.so
-r-xr-xr-x  1 root root   1998 Jan  1  1970 
libnm-gtk4-vpn-plugin-openvpn-editor.la
-r-xr-xr-x  2 root root 191840 Jan  1  1970 
libnm-gtk4-vpn-plugin-openvpn-editor.so
-r--r--r--  2 root root  25986 Jan  1  1970 libnm-vpn-plugin-openconnect.a
-r--r--r-- 10 root root  51568 Jan  1  1970 
libnm-vpn-plugin-openconnect-editor.a
-r-xr-xr-x  1 root root   3422 Jan  1  1970 
libnm-vpn-plugin-openconnect-editor.la
-r-xr-xr-x  2 root root  51856 Jan  1  1970 
libnm-vpn-plugin-openconnect-editor.so
-r-xr-xr-x  1 root root   2817 Jan  1  1970 libnm-vpn-plugin-openconnect.la
-r-xr-xr-x  2 root root  27184 Jan  1  1970 libnm-vpn-plugin-openconnect.so
-r-xr-xr-x  1 root root   1892 Jan  1  1970 libnm-vpn-plugin-openvpn-editor.la
-r-xr-xr-x  2 root root 232832 Jan  1  1970 libnm-vpn-plugin-openvpn-editor.so
-r-xr-xr-x  1 root root   1276 Jan  1  1970 libnm-vpn-plugin-openvpn.la
-r-xr-xr-x  2 root root  64440 Jan  1  1970 libnm-vpn-plugin-openvpn.so
dr-xr-xr-x  2 root root   4096 Jan  1  1970 VPN/

$ ls -lL 
/gnu/store/p9r27sli74d78mnwr1zzzr4pfm6zjnks-network-manager-vpn-plugins/lib/NetworkManager/VPN/
total 8
-r--r--r-- 1 root root 657 Jan  1  1970 nm-openconnect-service.name
-r--r--r-- 1 root root 668 Jan  1  1970 nm-openvpn-service.name

commit 05e2e701a8638f5a159392f7ed1fd82b02886fd9
Author: Thomas Haller <thal...@redhat.com>
Date:   Wed Jun 18 11:58:30 2014 +0200

    core: check file permissions when loading device plugins and order by file 
modification time
    
    Refactor the loading of device plugins by creating the list of
    module filenames in a separate function.
    
    Thereby also check for file permissions (must be only modifiable by root)
    and sort the files by last file modification time. This has the advantage,
    that if several plugins provide the same device type, that we 
(deterministically)
    prefer the most recent one.
    
    Signed-off-by: Thomas Haller <thal...@redhat.com>

bug#78047: WiFi stops working if managed with NetworkManager after migration to unprivileged guix daemon

Reply via email to