Exec Node bash command "Not authorized to control networking"

Hello together,
I am new so please apologize if this is not the right thread to place my question.

I am trying to switch on my VPN Connection via the Exec-Node with following command:
nmcli con up id vpnname
This works fine from cmd line, also I get no prompt for sudo, I can run this as user.
But when I try this from node red I get the following error from the exec node.
Code 4: Command failed: nmcli con up id vpnname
Error: Connection activation failed: Not authorized to control networking.

Thank you for your ideas.
Br,
Gill

Are you running node-red as the same user as you are using in the command line?
If you are not sure then what OS are you using, how did you install node-red and how are you running node-red?

Hello, thank you for replying.
Yes it is the same user.
I am running Ubuntu 18.04 and installed node red with the same user.
I only have one user on the machine.
I have now set it up on a rasp pi 4 and I do not have the problem on this.

I managed to solve it on Ubuntu by adding : ALL=(ALL) NOPASSWD: ALL
to /etc/sudoers file.

Now I have a new problem, stuck on the Node Red Projects settings.

Is that true, or did you have to use sudo with the command?

Do you realise that means that if anyone manages to gain entry to your machine or into your node-red app that they would have full control of the system?
It is much safer to only allow access to the particular command you want to run, though there are still risks.


Hi Colin,
yes I am able to run the cmd without sudo from the terminal.
I understand the risk with full control, for me it was just a test and not a working environment.

So, Back to square one.
I have now completed a clean install on Ubuntu 19.10.
When I try to use the same cmd that works on the raspi, I get error 4
"Command failed: nmcli con up id VPN
Error: Connection activation failed: Not authorized to control networking" from the exec node.
I run the same cmd straight from terminal and it works without password or sudo.
Like you said Colin, I do not want to use the solution as mentioned above as I want this setup as a production environment.

Ok, (second attempt at replying.)

I'm no expert, but how can you know Node-Red has the same privileges as you?

How did you install Node-Red? You installed it; you are using it from the default included programs; something else.

That may go a way to help understand the problem.

To be sure:
This is on Ubuntu 19.x and not the RasPi.
The RasPi is a test bed and it works.
It does seem like privilege problems.

This may be helpful

Hello Colin,

yes I have tried this, but still no luck.

Node-Red Installed by the recommended script:

bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered)

Ubuntu 19.10 / clean install
Raspi 4 / works with same flow

Flow:
Inject > nmcli con up id VPN > exec node
Result:
Error 4
Command failed: nmcli con up id VPN
Error: Connection activation failed: Not authorized to control networking.

Flow: /with sudo
Inject > sudo nmcli con up id VPN > exec node
Result:
Error 1
Command failed: sudo nmcli con up id VPN
sudo: no tty present and no askpass program specified

Terminal: Without sudo No password requested
nmcli con up id vpn
Result
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

The problem is undoubtedly something along the lines of the link I posted with problems running via cron. However since that post is over three years old I expect the security system in Ubuntu has evolved since then so the post is out of date.

I suggest maybe asking in an Ubuntu forum.

The problem when you tried it with sudo in an exec node is because it expects a password, so you would have to use visudo to allow the node-red user to use sudo nmcli without having to enter a password. Your earlier posts suggested that you fixed the problem by giving everybody access to any sudo command. It is possible to grant just the node-red user access to use only nmcli with sudo so that might also be a viable solution. In fact I think you can allow the node red user to use sudo nmcli con up id VPN without a password but no other commands, though I am not certain about that.

Hi Colin,
I fully agree, I will further try the link you sent and other forums regarding this subject. Hopefully I can find similar information on Ubuntu 19.10.
When I find something I will post it here.
Thanks together,


Hi together,
as pointed out by Colin, it has to do with pkla-check-authorization.
So I have done a bit of digging and found the following:

Listing NetworkManager polkit permissions:
Type in Terminal
nmcli general permissions
This will output something like this:

PERMISSION                                                        VALUE   
org.freedesktop.NetworkManager.enable-disable-network             yes     
org.freedesktop.NetworkManager.enable-disable-wifi                yes     
org.freedesktop.NetworkManager.enable-disable-wwan                yes     
org.freedesktop.NetworkManager.enable-disable-wimax               yes     
org.freedesktop.NetworkManager.sleep-wake                         no      
org.freedesktop.NetworkManager.network-control                    yes     
org.freedesktop.NetworkManager.wifi.share.protected               yes     
org.freedesktop.NetworkManager.wifi.share.open                    yes     
org.freedesktop.NetworkManager.settings.modify.system             yes     
org.freedesktop.NetworkManager.settings.modify.own                yes     
org.freedesktop.NetworkManager.settings.modify.hostname           auth    
org.freedesktop.NetworkManager.settings.modify.global-dns         auth    
org.freedesktop.NetworkManager.reload                             auth    
org.freedesktop.NetworkManager.checkpoint-rollback                auth    
org.freedesktop.NetworkManager.enable-disable-statistics          yes     
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes     
org.freedesktop.NetworkManager.wifi.scan                          unknown 

The "org.freedesktop.NetworkManager.network-control" is needed to use the following commands:

nmcli con up "connection name" and nmcli con down "connection name"

you can list "your connection name" by typing: nmcli con

Now we need to create a local policy for a specific user:
Create a file in the folder "/var/lib/polkit-1/localauthority/50-local.d/" and name the file something like "10-network-manager.pkla"
This can be done by typing:
touch /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla
Edit the file with the following:

[Let user modify system settings for network]
Identity=unix-user:USERNAME
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=no
ResultActive=yes

The important one was ResultAny=yes

Save the file. Any change or new policy is straight away active, no logoff or reboot needed.

After this the command nmcli con up "connection name" for node-red exec node works.

sources:
https://man.linuxreviews.org/man8/pkla-check-authorization.8.html
https://people.freedesktop.org/~lkundrak/nm-dbus-api/nmcli-examples.html

I hope this sums it up and thank you for leading me in the right direction.

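Added example, not part of the original posts: a simplified Python model of how a .pkla entry's ResultAny / ResultInactive / ResultActive keys are selected, showing why a terminal in an active local session is allowed while a process started by a service (no local session) is not until ResultAny=yes is present. The user name `nodered` and the `ORIGINAL` stand-in rule are constructed for illustration; the real lookup is done by polkit's local authority.

```python
import configparser
from fnmatch import fnmatchcase

NM_CONTROL = "org.freedesktop.NetworkManager.network-control"

# Constructed stand-in for a rule that only allows active local sessions.
ORIGINAL = """
[Constructed stand-in for the original policy]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.network-control
ResultActive=yes
"""
# The rule from the post, with a hypothetical user name filled in.
FIXED = """
[Let user modify system settings for network]
Identity=unix-user:nodered
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=no
ResultActive=yes
"""

def _matches(value, patterns):
    """True if value matches any glob in a ';'-separated pattern list."""
    return any(fnmatchcase(value, p.strip()) for p in patterns.split(";") if p.strip())

def authorize(pkla_text, user, action, local, active):
    """Return the result the file yields, or None if no entry decides
    (polkit then falls back to the action's own defaults)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: ResultAny, not resultany
    cp.read_string(pkla_text)
    # Simplified model: the key consulted depends on the caller's session.
    # A process spawned by a service has no local session -> ResultAny.
    if local:
        key = "ResultActive" if active else "ResultInactive"
    else:
        key = "ResultAny"
    result = None
    for name in cp.sections():
        entry = cp[name]
        if not _matches("unix-user:" + user, entry.get("Identity", "")):
            continue
        if not _matches(action, entry.get("Action", "")):
            continue
        if key in entry:
            result = entry[key]  # later matching entries override earlier ones
    return result
```

Granting `ResultAny=yes` to a single `unix-user` for a single action, as in the post, keeps the grant far narrower than the `NOPASSWD: ALL` sudoers entry tried earlier in the thread.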

That's useful stuff to know. I still don't understand why you could run it from the command line but not in an exec node though.

Hi Colin,
I could run it from the cmd line because:
ResultActive=yes
was already set in the original policy.

Ah, right, yes. Thanks.