[arch-general] netcfg wlan connection renewal
Hi there, I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically? Regards, Philipp
Am 28.09.2011 11:53, schrieb Philipp:
Hi there, I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
No idea why this might go wrong. I suggest you use net-auto-wireless, that will handle everything gracefully.
Excerpts from Thomas Bächler's message of 2011-09-28 13:14:06 +0200:
Am 28.09.2011 11:53, schrieb Philipp:
Hi there, I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
No idea why this might go wrong. I suggest you use net-auto-wireless, that will handle everything gracefully.
Thanks, I'll try that. It's important to me that wlan is completely disabled when ethernet is available. I hope this is possible. I'll tell how it went sometime next week when university starts. Thanks, Philipp
On Wed, Sep 28, 2011 at 2:33 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
It's important to me that wlan is completely disabled when ethernet is available.
Ethernet routes should be mounted with a lower metric than the wireless one. Thus, even if you have both connections active the ethernet path should be used (except if you have specific routes). -- Cédric Girard
Excerpts from Cédric Girard's message of 2011-09-28 14:37:01 +0200:
On Wed, Sep 28, 2011 at 2:33 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
It's important to me that wlan is completely disabled when ethernet is available.
Ethernet routes should be mounted with a lower metric than the wireless one. Thus, even if you have both connections active the ethernet path should be used (except if you have specific routes).
Thanks for this information, but using ethernet over wireless is not enough. Wireless stuff tends to stall the whole system for a fraction of a second at least, which is often too much already. A decision at boot-time would be enough for me. At home, where I do audio stuff, I need only ethernet. If the cable is plugged in at boot time -> ethernet, no wireless. At university I don't need audio and don't have ethernet access, no cable plugged in -> wireless. Of course I can start or stop one or the other if need be but I'm looking for the most care-free solution possible. Guess I'll need to script this somehow...
Am 28.09.2011 14:33, schrieb Philipp Überbacher:
Excerpts from Thomas Bächler's message of 2011-09-28 13:14:06 +0200:
Am 28.09.2011 11:53, schrieb Philipp:
Hi there, I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
No idea why this might go wrong. I suggest you use net-auto-wireless, that will handle everything gracefully.
Thanks, I'll try that. It's important to me that wlan is completely disabled when ethernet is available. I hope this is possible. I'll tell how it went sometime next week when university starts.
I use the following script with ifplugd:
#!/bin/sh
# ifplugd.action is called with the interface name as $1 and "up"/"down" as $2.
[ "$1" = "eth1" ] || exit 0
case "$2" in
    up)
        # Cable plugged in: drop the wireless autoconnect, bring up the wired profile.
        /etc/rc.d/net-auto-wireless stop
        sleep 1
        /usr/bin/netcfg lan
        ;;
    down)
        # Cable gone: take the wired profile down, hand control back to net-auto-wireless.
        /usr/bin/netcfg -d lan
        sleep 1
        /etc/rc.d/net-auto-wireless start
        ;;
    *)
        exit 1
        ;;
esac
exit 0
Excerpts from Thomas Bächler's message of 2011-09-28 22:52:42 +0200:
Am 28.09.2011 14:33, schrieb Philipp Überbacher:
Excerpts from Thomas Bächler's message of 2011-09-28 13:14:06 +0200:
Am 28.09.2011 11:53, schrieb Philipp:
Hi there, I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
No idea why this might go wrong. I suggest you use net-auto-wireless, that will handle everything gracefully.
Thanks, I'll try that. It's important to me that wlan is completely disabled when ethernet is available. I hope this is possible. I'll tell how it went sometime next week when university starts.
I use the following script with ifplugd:
#!/bin/sh
[ "$1" = "eth1" ] || exit 0
case "$2" in
    up)
        /etc/rc.d/net-auto-wireless stop
        sleep 1
        /usr/bin/netcfg lan
        ;;
    down)
        /usr/bin/netcfg -d lan
        sleep 1
        /etc/rc.d/net-auto-wireless start
        ;;
    *)
        exit 1
        ;;
esac
exit 0
Thanks Thomas, this looks simple enough, I'll give netcfg + net-auto-wireless + ifplugd + this script a shot, looks like a good solution to me.
Excerpts from Thomas Bächler's message of 2011-09-28 13:14:06 +0200:
Am 28.09.2011 11:53, schrieb Philipp:
Hi there, I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
No idea why this might go wrong. I suggest you use net-auto-wireless, that will handle everything gracefully.
I took some time today to fiddle with netcfg, ifplugd, net-auto-wireless and wpa_actiond. Your script, slightly modified, works fine in my case Thomas, thanks. Took me a bit to figure that it needs to replace ifplugd.action though. Now with net-auto-wireless before ifplugd in the daemons-array the system works fine (as long as I'm not too fast with unplugging and replugging). I get just cable at home and wireless at university, everything's fine, except that I still get disconnected from the university wlan about every 30 minutes. net-auto-wireless didn't change a thing in this regard. Here's an excerpt from everything.log, pretty much beginning with bootup. The reconnects in there are from manually running '/etc/rc.d/net-auto-wireless restart', the thing that I tried to avoid. I have no idea why these disconnects happen:
-----
Oct 8 12:03:34 localhost kernel: [ 11.539025] input: SynPS/2 Synaptics TouchPad as /devices/platform/i8042/serio2/input/input6
Oct 8 12:03:34 localhost kernel: [ 11.739452] [drm] initialized overlay support
Oct 8 12:03:34 localhost kernel: [ 11.872555] fbcon: inteldrmfb (fb0) is primary device
Oct 8 12:03:34 localhost kernel: [ 11.914034] fixme: max PWM is zero.
Oct 8 12:03:34 localhost kernel: [ 11.918693] Console: switching to colour frame buffer device 160x50
Oct 8 12:03:34 localhost kernel: [ 11.922746] fb0: inteldrmfb frame buffer device
Oct 8 12:03:34 localhost kernel: [ 11.922748] drm: registered panic notifier
Oct 8 12:03:34 localhost kernel: [ 11.944380] acpi device:04: registered as cooling_device1
Oct 8 12:03:34 localhost kernel: [ 11.944990] input: Video Bus as /devices/LNXSYSTM:00/device:00/PNP0A08:00/LNXVIDEO:00/input/input7
Oct 8 12:03:34 localhost kernel: [ 11.945133] ACPI: Video Device [GFX0] (multi-head: yes rom: no post: no)
Oct 8 12:03:34 localhost kernel: [ 11.945475] [drm] Initialized i915 1.6.0 20080730 for 0000:00:02.0 on minor 0
Oct 8 12:03:34 localhost kernel: [ 12.341015] EXT4-fs (sda3): warning: maximal mount count reached, running e2fsck is recommended
Oct 8 12:03:34 localhost kernel: [ 12.422472] EXT4-fs (sda3): re-mounted. Opts: user_xattr,acl,barrier=1,nodelalloc,data=ordered
Oct 8 12:03:34 localhost kernel: [ 12.480155] EXT4-fs (sda4): mounted filesystem with ordered data mode. Opts: (null)
Oct 8 12:03:34 localhost kernel: [ 12.525213] Adding 2104508k swap on /dev/sda2. Priority:-1 extents:1 across:2104508k
Oct 8 12:03:37 localhost wpa_actiond[907]: Starting wpa_actiond session for interface 'wlan0'
Oct 8 12:03:38 localhost ifplugd(eth0)[942]: ifplugd 0.28 initializing.
Oct 8 12:03:38 localhost kernel: [ 18.524010] tg3 0000:02:00.0: irq 45 for MSI/MSI-X
Oct 8 12:03:38 localhost ifplugd(eth0)[942]: Using interface eth0/00:1D:72:CC:61:88 with driver <tg3> (version: 3.119)
Oct 8 12:03:38 localhost ifplugd(eth0)[942]: Using detection mode: SIOCETHTOOL
Oct 8 12:03:38 localhost ifplugd(eth0)[942]: Initialization complete, link beat not detected.
Oct 8 12:03:38 localhost crond[1006]: /usr/sbin/crond 4.5 dillon's cron daemon, started with loglevel info
Oct 8 12:03:38 localhost ntpd[1000]: ntpd 4.2.6p3@1.2290-o Sun Apr 3 17:50:25 UTC 2011 (1)
Oct 8 12:03:38 localhost ntpd[1008]: proto: precision = 1.187 usec
Oct 8 12:03:38 localhost kernel: [ 19.249394] NET: Registered protocol family 10
Oct 8 12:03:38 localhost kernel: [ 19.250412] ADDRCONF(NETDEV_UP): eth0: link is not ready
Oct 8 12:03:38 localhost kernel: [ 19.280690]
Oct 8 12:03:39 localhost ntpd[1008]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
Oct 8 12:03:39 localhost ntpd[1008]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Oct 8 12:03:39 localhost ntpd[1008]: Listen and drop on 1 v6wildcard :: UDP 123
Oct 8 12:03:39 localhost ntpd[1008]: Listen normally on 2 lo 127.0.0.1 UDP 123
Oct 8 12:03:39 localhost ntpd[1008]: bind(19) AF_INET6 fe80::222:69ff:fe73:3c68%2#123 flags 0x11 failed: Cannot assign requested address
Oct 8 12:03:39 localhost ntpd[1008]: unable to create socket on wlan0 (3) for fe80::222:69ff:fe73:3c68#123
Oct 8 12:03:39 localhost ntpd[1008]: failed to init interface for address fe80::222:69ff:fe73:3c68
Oct 8 12:03:39 localhost ntpd[1008]: Listen normally on 4 lo ::1 UDP 123
Oct 8 12:03:39 localhost ntpd[1008]: peers refreshed
Oct 8 12:03:39 localhost wpa_actiond[907]: Interface 'wlan0' connected to network 'eduroam'
Oct 8 12:03:40 localhost ntpd[1008]: Deferring DNS for pool.ntp.org 1
Oct 8 12:03:40 localhost ntpd[1045]: signal_no_reset: signal 17 had flags 4000000
Oct 8 12:03:40 localhost laptop-mode: Laptop mode
Oct 8 12:03:40 localhost laptop-mode: enabled, not active
Oct 8 12:03:40 localhost ntpd[1008]: bind(20) AF_INET6 fe80::222:69ff:fe73:3c68%2#123 flags 0x11 failed: Cannot assign requested address
Oct 8 12:03:40 localhost ntpd[1008]: unable to create socket on wlan0 (5) for fe80::222:69ff:fe73:3c68#123
Oct 8 12:03:40 localhost ntpd[1008]: failed to init interface for address fe80::222:69ff:fe73:3c68
Oct 8 12:03:42 localhost ntpd_intres[1045]: host name not found: pool.ntp.org
Oct 8 12:03:42 localhost dhcpcd[1376]: version 5.2.12 starting
Oct 8 12:03:42 localhost dhcpcd[1376]: wlan0: rebinding lease of 192.168.0.140
Oct 8 12:03:42 localhost dhcpcd[1376]: wlan0: NAK: from 143.205.175.4
Oct 8 12:03:43 localhost dhcpcd[1376]: wlan0: broadcasting for a lease
Oct 8 12:03:45 localhost dhcpcd[1376]: wlan0: offered 143.205.193.100 from 143.205.192.2
Oct 8 12:03:45 localhost dhcpcd[1376]: wlan0: ignoring offer of 143.205.192.218 from 143.205.192.3
Oct 8 12:03:45 localhost dhcpcd[1376]: wlan0: acknowledged 143.205.193.100 from 143.205.192.2
Oct 8 12:03:45 localhost dhcpcd[1376]: wlan0: checking for 143.205.193.100
Oct 8 12:03:49 localhost kernel: [ 30.256709] wlan0: no IPv6 routers present
Oct 8 12:03:51 localhost dhcpcd[1376]: wlan0: leased 143.205.193.100 for 86400 seconds
Oct 8 12:03:51 localhost dhcpcd[1376]: forked to background, child pid 1404
Oct 8 12:04:44 localhost ntpd_intres[1045]: DNS pool.ntp.org -> 86.59.113.114
Oct 8 12:04:44 localhost ntpd[1008]: Listen normally on 6 wlan0 143.205.193.100 UDP 123
Oct 8 12:04:44 localhost ntpd[1008]: Listen normally on 7 wlan0 fe80::222:69ff:fe73:3c68 UDP 123
Oct 8 12:04:44 localhost ntpd[1008]: peers refreshed
Oct 8 12:04:44 localhost ntpd[1008]: new interface(s) found: waking up resolver
Oct 8 12:05:01 localhost crond[1006]: FILE /var/spool/cron/root USER root PID 1592 job sys-hourly
Oct 8 12:05:02 localhost crond[1006]: exit status 1 from user root job sys-hourly
Oct 8 12:05:02 localhost crond[1593]: mailing cron output for user root job sys-hourly
Oct 8 12:05:02 localhost crond[1593]: unable to exec /usr/sbin/sendmail: cron output for user root job sys-hourly to /dev/null
Oct 8 12:23:34 localhost -- MARK --
Oct 8 12:34:14 localhost wpa_actiond[907]: Interface 'wlan0' lost connection to network 'eduroam'
Oct 8 12:34:14 localhost dhcpcd[1404]: wlan0: carrier lost
Oct 8 12:34:44 localhost wpa_actiond[907]: Interface 'wlan0' disconnected from network 'eduroam'
Oct 8 12:34:44 localhost dhcpcd[2099]: sending signal 1 to pid 1404
Oct 8 12:34:44 localhost dhcpcd[1404]: received SIGHUP, releasing
Oct 8 12:34:44 localhost dhcpcd[1404]: wlan0: removing interface
Oct 8 12:34:44 localhost dhcpcd[2099]: waiting for pid 1404 to exit
Oct 8 12:34:45 localhost ntpd[1008]: Deleting interface #7 wlan0, fe80::222:69ff:fe73:3c68#123, interface stats: received=0, sent=0, dropped=0, active_time=1800 secs
Oct 8 12:34:45 localhost ntpd[1008]: Deleting interface #6 wlan0, 143.205.193.100#123, interface stats: received=28, sent=28, dropped=0, active_time=1800 secs
Oct 8 12:34:45 localhost ntpd[1008]: 86.59.113.114 interface 143.205.193.100 -> (none)
Oct 8 12:34:45 localhost ntpd[1008]: peers refreshed
Oct 8 12:43:34 localhost -- MARK --
Oct 8 12:46:49 localhost wpa_actiond[907]: Terminating wpa_actiond session for interface 'wlan0'
Oct 8 12:46:49 localhost kernel: [ 2608.732218] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Oct 8 12:46:52 localhost wpa_actiond[2575]: Starting wpa_actiond session for interface 'wlan0'
Oct 8 12:46:53 localhost kernel: [ 2612.995837]
Oct 8 12:46:53 localhost wpa_actiond[2575]: Interface 'wlan0' connected to network 'eduroam'
Oct 8 12:46:55 localhost dhcpcd[2597]: version 5.2.12 starting
Oct 8 12:46:55 localhost dhcpcd[2597]: wlan0: rebinding lease of 143.205.193.100
Oct 8 12:46:55 localhost dhcpcd[2597]: wlan0: acknowledged 143.205.193.100 from 143.205.192.2
Oct 8 12:46:55 localhost dhcpcd[2597]: wlan0: checking for 143.205.193.100
Oct 8 12:46:59 localhost dhcpcd[2597]: wlan0: leased 143.205.193.100 for 86400 seconds
Oct 8 12:46:59 localhost dhcpcd[2597]: forked to background, child pid 2624
Oct 8 12:47:02 localhost kernel: [ 2621.749785] wlan0: no IPv6 routers present
Oct 8 12:49:45 localhost ntpd[1008]: Listen normally on 8 wlan0 143.205.193.100 UDP 123
Oct 8 12:49:45 localhost ntpd[1008]: Listen normally on 9 wlan0 fe80::222:69ff:fe73:3c68 UDP 123
Oct 8 12:49:45 localhost ntpd[1008]: peers refreshed
Oct 8 12:49:45 localhost ntpd[1008]: new interface(s) found: waking up resolver
Oct 8 13:03:34 localhost -- MARK --
Oct 8 13:05:01 localhost crond[1006]: FILE /var/spool/cron/root USER root PID 2779 job sys-hourly
Oct 8 13:05:01 localhost crond[1006]: exit status 1 from user root job sys-hourly
Oct 8 13:05:01 localhost crond[2780]: mailing cron output for user root job sys-hourly
Oct 8 13:05:01 localhost crond[2780]: unable to exec /usr/sbin/sendmail: cron output for user root job sys-hourly to /dev/null
Oct 8 13:07:16 localhost wpa_actiond[2575]: Interface 'wlan0' lost connection to network 'eduroam'
Oct 8 13:07:16 localhost dhcpcd[2624]: wlan0: carrier lost
Oct 8 13:07:46 localhost wpa_actiond[2575]: Interface 'wlan0' disconnected from network 'eduroam'
Oct 8 13:07:46 localhost dhcpcd[2809]: sending signal 1 to pid 2624
Oct 8 13:07:46 localhost dhcpcd[2624]: received SIGHUP, releasing
Oct 8 13:07:46 localhost dhcpcd[2624]: wlan0: removing interface
Oct 8 13:07:46 localhost dhcpcd[2809]: waiting for pid 2624 to exit
Oct 8 13:09:45 localhost ntpd[1008]: Deleting interface #9 wlan0, fe80::222:69ff:fe73:3c68#123, interface stats: received=0, sent=0, dropped=0, active_time=1200 secs
Oct 8 13:09:45 localhost ntpd[1008]: Deleting interface #8 wlan0, 143.205.193.100#123, interface stats: received=16, sent=17, dropped=2, active_time=1200 secs
Oct 8 13:09:45 localhost ntpd[1008]: 86.59.113.114 interface 143.205.193.100 -> (none)
Oct 8 13:09:45 localhost ntpd[1008]: peers refreshed
Oct 8 13:14:15 localhost wpa_actiond[2575]: Terminating wpa_actiond session for interface 'wlan0'
Oct 8 13:14:15 localhost kernel: [ 4255.385430] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Oct 8 13:14:18 localhost wpa_actiond[3075]: Starting wpa_actiond session for interface 'wlan0'
Oct 8 13:14:20 localhost kernel: [ 4259.664834]
Oct 8 13:14:20 localhost wpa_actiond[3075]: Interface 'wlan0' connected to network 'eduroam'
Oct 8 13:14:22 localhost dhcpcd[3097]: version 5.2.12 starting
Oct 8 13:14:22 localhost dhcpcd[3097]: wlan0: rebinding lease of 143.205.193.100
Oct 8 13:14:22 localhost dhcpcd[3097]: wlan0: acknowledged 143.205.193.100 from 143.205.192.2
Oct 8 13:14:22 localhost dhcpcd[3097]: wlan0: checking for 143.205.193.100
Oct 8 13:14:26 localhost dhcpcd[3097]: wlan0: leased 143.205.193.100 for 86400 seconds
Oct 8 13:14:26 localhost dhcpcd[3097]: forked to background, child pid 3120
Oct 8 13:14:28 localhost kernel: [ 4268.242933] wlan0: no IPv6 routers present
Oct 8 13:14:45 localhost ntpd[1008]: Listen normally on 10 wlan0 143.205.193.100 UDP 123
Oct 8 13:14:45 localhost ntpd[1008]: Listen normally on 11 wlan0 fe80::222:69ff:fe73:3c68 UDP 123
Oct 8 13:14:45 localhost ntpd[1008]: peers refreshed
Oct 8 13:14:45 localhost ntpd[1008]: new interface(s) found: waking up resolver
-----
Any ideas? Regards, Philipp
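As an added illustration of how to read a log like the one above (example code written for this thread, not Philipp's, Thomas's or netcfg's own), the script below pairs each wpa_actiond "connected" event with the "lost connection" and "disconnected" events that follow it, picks up the dhcpcd lease length and ntpd's active_time for the same session, and checks whether the drop could plausibly be a DHCP renewal failure. The embedded input is a constructed excerpt of the log quoted above with the unrelated kernel, cron and ntpd noise removed; the only assumption is that the message formats are the ones shown there.

```python
"""Pull wlan session timings out of syslog-style lines written by wpa_actiond,
dhcpcd and ntpd, to test the 'connection renewal' hypothesis against the log."""
import re
from datetime import datetime

# Constructed excerpt: the relevant lines of the everything.log quoted in the
# thread, with unrelated entries dropped (timestamps, PIDs and addresses unchanged).
SAMPLE_LOG = """\
Oct 8 12:03:37 localhost wpa_actiond[907]: Starting wpa_actiond session for interface 'wlan0'
Oct 8 12:03:39 localhost wpa_actiond[907]: Interface 'wlan0' connected to network 'eduroam'
Oct 8 12:03:51 localhost dhcpcd[1376]: wlan0: leased 143.205.193.100 for 86400 seconds
Oct 8 12:23:34 localhost -- MARK --
Oct 8 12:34:14 localhost wpa_actiond[907]: Interface 'wlan0' lost connection to network 'eduroam'
Oct 8 12:34:14 localhost dhcpcd[1404]: wlan0: carrier lost
Oct 8 12:34:44 localhost wpa_actiond[907]: Interface 'wlan0' disconnected from network 'eduroam'
Oct 8 12:34:45 localhost ntpd[1008]: Deleting interface #6 wlan0, 143.205.193.100#123, interface stats: received=28, sent=28, dropped=0, active_time=1800 secs
Oct 8 12:46:49 localhost wpa_actiond[907]: Terminating wpa_actiond session for interface 'wlan0'
Oct 8 12:46:52 localhost wpa_actiond[2575]: Starting wpa_actiond session for interface 'wlan0'
Oct 8 12:46:53 localhost wpa_actiond[2575]: Interface 'wlan0' connected to network 'eduroam'
Oct 8 12:46:59 localhost dhcpcd[2597]: wlan0: leased 143.205.193.100 for 86400 seconds
Oct 8 13:07:16 localhost wpa_actiond[2575]: Interface 'wlan0' lost connection to network 'eduroam'
Oct 8 13:07:46 localhost wpa_actiond[2575]: Interface 'wlan0' disconnected from network 'eduroam'
Oct 8 13:09:45 localhost ntpd[1008]: Deleting interface #8 wlan0, 143.205.193.100#123, interface stats: received=16, sent=17, dropped=2, active_time=1200 secs
"""

# Classic syslog layout: "Mon D HH:MM:SS host prog[pid]: message". The pid is
# optional (kernel lines have none) and "-- MARK --" lines carry no colon at all.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_line(line, year=2011):
    """Return (timestamp, prog, pid, msg) for one syslog line, or None if it
    is not a program message (e.g. a MARK line). Syslog omits the year, so it
    has to be supplied; 2011 is the year of the quoted log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["pid"], m["msg"]


def extract_sessions(log_text, iface="wlan0"):
    """Walk the log in order; each wpa_actiond 'connected' opens a session and
    the following 'lost connection' / 'disconnected' events close it. The
    dhcpcd lease length and ntpd's active_time are attached to the same session."""
    sessions, current = [], None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, prog, _pid, msg = parsed
        if prog == "wpa_actiond" and f"Interface '{iface}'" in msg:
            if "connected to network" in msg:
                current = {"connected": ts, "lost": None, "disconnected": None,
                           "lease_seconds": None, "ntpd_active_seconds": None}
                sessions.append(current)
            elif "lost connection" in msg and current:
                current["lost"] = ts
            elif "disconnected from network" in msg and current:
                current["disconnected"] = ts
        elif prog == "dhcpcd" and msg.startswith(f"{iface}: leased ") and current:
            current["lease_seconds"] = int(msg.split(" for ")[1].split()[0])
        elif prog == "ntpd" and f" {iface}," in msg and "active_time=" in msg and current:
            current["ntpd_active_seconds"] = int(re.search(r"active_time=(\d+)", msg).group(1))
    return sessions


def session_report(sessions):
    """Turn raw timestamps into durations and a verdict on the DHCP hypothesis:
    dhcpcd would first try to renew at half the lease (T1), so a drop well
    before that point cannot be a lease renewal failure."""
    rows = []
    for s in sessions:
        end = s["lost"] or s["disconnected"]
        up = (end - s["connected"]).total_seconds() if end else None
        grace = ((s["disconnected"] - s["lost"]).total_seconds()
                 if s["lost"] and s["disconnected"] else None)
        lease = s["lease_seconds"]
        rows.append({
            "connected_at": s["connected"].strftime("%H:%M:%S"),
            "up_seconds": up,
            "lost_to_disconnect_seconds": grace,
            "dhcp_lease_seconds": lease,
            "ntpd_active_seconds": s["ntpd_active_seconds"],  # independent clock on the same event
            "lease_renewal_plausible": bool(up and lease and up >= lease / 2),
        })
    return rows


if __name__ == "__main__":
    for row in session_report(extract_sessions(SAMPLE_LOG)):
        print(row)
```

Run on the excerpt, both sessions come out at 1835 s and 1223 s of uptime against an 86400 s lease, with a constant 30 s between "lost connection" and "disconnected"; ntpd's own active_time of 1800 s and 1200 s (it accounts in whole minutes) agrees. That rules the DHCP lease out as the trigger and leaves the association layer, which is where the rest of the thread ends up looking.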
Am 08.10.2011 13:28, schrieb Philipp Überbacher:
I get just cable at home and wireless at university, everything's fine, except that I still get disconnected from the university wlan about every 30 minutes. net-auto-wireless didn't change a thing in this regard. Here's an excerpt from everything.log, pretty much beginning with bootup. The reconnects in there are from manually running '/etc/rc.d/net-auto-wireless restart', the thing that I tried to avoid. I have no idea why these disconnects happen:
I cannot see any reason for the disconnects. If wpa_supplicant doesn't reconnect on its own, I don't understand why restarting it would help. Can you compare 'ifconfig' before and after disconnect, as well as 'rfkill list'?
Excerpts from Thomas Bächler's message of 2011-10-08 13:48:36 +0200:
Am 08.10.2011 13:28, schrieb Philipp Überbacher:
I get just cable at home and wireless at university, everything's fine, except that I still get disconnected from the university wlan about every 30 minutes. net-auto-wireless didn't change a thing in this regard. Here's an excerpt from everything.log, pretty much beginning with bootup. The reconnects in there are from manually running '/etc/rc.d/net-auto-wireless restart', the thing that I tried to avoid. I have no idea why these disconnects happen:
I cannot see any reason for the disconnects. If wpa_supplicant doesn't reconnect on its own, I don't understand why restarting it would help. Can you compare 'ifconfig' before and after disconnect, as well as 'rfkill list'?
The 'rfkill list' output is identical, ifconfig is different, but I don't know how to interpret the output:
$ diff -u disconnected connected
--- disconnected 2011-10-08 14:38:12.055378633 +0200
+++ connected 2011-10-08 14:38:37.681563015 +0200
@@ -15,10 +15,12 @@
         TX packets 876 bytes 67260 (65.6 KiB)
         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 
-wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 metric 1
+wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
+        inet 143.205.193.100 netmask 255.255.254.0 broadcast 143.205.193.255
+        inet6 fe80::222:69ff:fe73:3c68 prefixlen 64 scopeid 0x20<link>
         ether 00:22:69:73:3c:68 txqueuelen 1000 (Ethernet)
-        RX packets 560395 bytes 839856020 (800.9 MiB)
-        RX errors 0 dropped 0 overruns 0 frame 30809
-        TX packets 286257 bytes 21785827 (20.7 MiB)
-        TX errors 6 dropped 0 overruns 0 carrier 0 collisions 0
+        RX packets 560422 bytes 839862941 (800.9 MiB)
+        RX errors 0 dropped 0 overruns 0 frame 30854
+        TX packets 286289 bytes 21789274 (20.7 MiB)
+        TX errors 8 dropped 0 overruns 0 carrier 0 collisions 0
         device interrupt 17
Any ideas? Thanks for your help. Regards, Philipp
Am 08.10.2011 14:42, schrieb Philipp Überbacher:
The 'rfkill list' output is identical, ifconfig is different, but I don't know how to interpret the output:
-wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 metric 1
+wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
That doesn't say a lot, the "RUNNING" flag disappears when you disassociate. I am out of ideas here. Maybe you can get more info by putting WPA_OPTS="-d -f /var/log/wpa_supplicant.log" into /etc/network.d/interfaces/wlan0. Or replace -d with -dd. But be careful, the log file becomes HUGE with -dd.
Excerpts from Thomas Bächler's message of 2011-10-08 18:42:35 +0200:
Am 08.10.2011 14:42, schrieb Philipp Überbacher:
The 'rfkill list' output is identical, ifconfig is different, but I don't know how to interpret the output:
-wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 metric 1
+wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
That doesn't say a lot, the "RUNNING" flag disappears when you disassociate. I am out of ideas here.
Maybe you can get more info by putting WPA_OPTS="-d -f /var/log/wpa_supplicant.log" into /etc/network.d/interfaces/wlan0. Or replace -d with -dd. But be careful, the log file becomes HUGE with -dd.
Thanks Thomas, I'll try this sometime during the next days and report back with any findings. I'll also try the b43 driver again, but it didn't work for my [14e4:4315] BCM4312 in the past. Guess it's worth a try though.
Excerpts from Philipp Überbacher's message of 2011-10-08 19:22:54 +0200:
Excerpts from Thomas Bächler's message of 2011-10-08 18:42:35 +0200:
Am 08.10.2011 14:42, schrieb Philipp Überbacher:
The 'rfkill list' output is identical, ifconfig is different, but I don't know how to interpret the output:
-wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 metric 1
+wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
That doesn't say a lot, the "RUNNING" flag disappears when you disassociate. I am out of ideas here.
Maybe you can get more info by putting WPA_OPTS="-d -f /var/log/wpa_supplicant.log" into /etc/network.d/interfaces/wlan0. Or replace -d with -dd. But be careful, the log file becomes HUGE with -dd.
Thanks Thomas, I'll try this sometime during the next days and report back with any findings.
I'll also try the b43 driver again, but it didn't work for my [14e4:4315] BCM4312 in the past. Guess it's worth a try though.
So I enabled logging with -d but I don't understand the cause of the problem from this log (last 500 lines attached). To me it looks like the laptop gets disassociated, disconnects, scans again and fails with a timeout. My problem is that I don't know how it's supposed to work. Thanks for your help, Regards Philipp
Am 12.10.2011 12:54, schrieb Philipp Überbacher:
I'll also try the b43 driver again, but it didn't work for my [14e4:4315] BCM4312 in the past. Guess it's worth a try though.
So I enabled logging with -d but I don't understand the cause of the problem from this log (last 500 lines attached). To me it looks like the laptop gets disassociated, disconnects, scans again and fails with a timeout. My problem is that I don't know how it's supposed to work.
Which driver was this? The first thing I noticed is that the driver gives reason 0 (no reason) for disconnecting (it isn't even reason 1, which would mean "Unspecified"). After disconnecting, it fails to receive any scan results. I am really out of ideas, but this looks like a driver problem.
Excerpts from Thomas Bächler's message of 2011-10-12 14:06:22 +0200:
Am 12.10.2011 12:54, schrieb Philipp Überbacher:
I'll also try the b43 driver again, but it didn't work for my [14e4:4315] BCM4312 in the past. Guess it's worth a try though.
So I enabled logging with -d but I don't understand the cause of the problem from this log (last 500 lines attached). To me it looks like the laptop gets disassociated, disconnects, scans again and fails with a timeout. My problem is that I don't know how it's supposed to work.
Which driver was this? The first thing I noticed is that the driver gives reason 0 (no reason) for disconnecting (it isn't even reason 1, which would mean "Unspecified"). After disconnecting, it fails to receive any scan results. I am really out of ideas, but this looks like a driver problem.
This was with the broadcom-wl (proprietary), but today I tried with the b43 (free driver, but same proprietary firmware) with the same symptom but different log messages. The definitive difference is that it tries to scan over and over again. The log is full of that, so I've yet to get a reasonably useful portion out of that log. I'll try to start with a clean log tomorrow. I tried at home with my neighbor's wlan where it worked for at least 45 minutes (then he turned it off), but I don't yet know whether this was simply due to a longer lease time or something similar. Does anyone know of a live-CD which contains those drivers? This way I could likely rule out a problem with Arch. I'll try to get a useful log tomorrow and maybe I can test some more with my neighbor's wlan for comparison.
On 10/12/2011 11:43 AM, Philipp Überbacher wrote:
Does anyone know of a live-CD which contains those drivers? This way I could likely rule out a problem with Arch.
I'll try to get a useful log tomorrow and maybe I can test some more with my neighbor's wlan for comparison.
Have experience with any kernel 2.6.38 or newer to have full support. Not sure if any of the older ones do, but it's possible (just don't have personal experience). I'm running fine with a BCM4313 driver over here. From my understanding the bcm43xx drivers are built into the kernel when Broadcom made them open source around a year ago. All you need is the linux-firmware package from the [core] repository if you are running an arch system and all should work smoothly. Hope that was helpful, -EP
On 10/12/2011 02:43 PM, Philipp Überbacher wrote:
Excerpts from Thomas Bächler's message of 2011-10-12 14:06:22 +0200:
Am 12.10.2011 12:54, schrieb Philipp Überbacher:
I'll also try the b43 driver again, but it didn't work for my [14e4:4315] BCM4312 in the past. Guess it's worth a try though. So I enabled logging with -d but I don't understand the cause of the problem from this log (last 500 lines attached). To me it looks like the laptop gets disassociated, disconnects, scans again and fails with a timeout. My problem is that I don't know how it's supposed to work. Which driver was this? The first thing I noticed is that the driver gives reason 0 (no reason) for disconnecting (it isn't even reason 1, which would mean "Unspecified"). After disconnecting, it fails to receive any scan results. I am really out of ideas, but this looks like a driver problem. This was with the broadcom-wl (proprietary), but today I tried with the b43 (free driver, but same proprietary firmware) with the same symptom but different log messages. The definitive difference is that it tries to scan over and over again. The log is full of that, so I've yet to get a reasonably useful portion out of that log. I'll try to start with a clean log tomorrow.
I tried at home with my neighbor's wlan where it worked for at least 45 minutes (then he turned it off), but I don't yet know whether this was simply due to a longer lease time or something similar.
Does anyone know of a live-CD which contains those drivers? This way I could likely rule out a problem with Arch.
I'll try to get a useful log tomorrow and maybe I can test some more with my neighbor's wlan for comparison.
I am currently also trying to get a Broadcom working and the following may be of some use/value to you.
http://wireless.kernel.org/en/users/Drivers/brcm80211
The Broadcom drivers were changed in kernel-2.6.37 and forward to brcmsmac/brcmfmac. It seems if you need to use the old b43 driver/firmware combo you will need kernel-2.6.36 or earlier. At least that is what I have come to. The problem is I can't get the firmware for the new driver because git.kernel.org is down so I am unable to test. :(
Excerpts from scrat's message of 2011-10-12 22:44:14 +0200:
On 10/12/2011 02:43 PM, Philipp Überbacher wrote:
Excerpts from Thomas Bächler's message of 2011-10-12 14:06:22 +0200:
Am 12.10.2011 12:54, schrieb Philipp Überbacher:
I'll also try the b43 driver again, but it didn't work for my [14e4:4315] BCM4312 in the past. Guess it's worth a try though. So I enabled logging with -d but I don't understand the cause of the problem from this log (last 500 lines attached). To me it looks like the laptop gets disassociated, disconnects, scans again and fails with a timeout. My problem is that I don't know how it's supposed to work. Which driver was this? The first thing I noticed is that the driver gives reason 0 (no reason) for disconnecting (it isn't even reason 1, which would mean "Unspecified"). After disconnecting, it fails to receive any scan results. I am really out of ideas, but this looks like a driver problem. This was with the broadcom-wl (proprietary), but today I tried with the b43 (free driver, but same proprietary firmware) with the same symptom but different log messages. The definitive difference is that it tries to scan over and over again. The log is full of that, so I've yet to get a reasonably useful portion out of that log. I'll try to start with a clean log tomorrow.
I tried at home with my neighbor's wlan where it worked for at least 45 minutes (then he turned it off), but I don't yet know whether this was simply due to a longer lease time or something similar.
Does anyone know of a live-CD which contains those drivers? This way I could likely rule out a problem with Arch.
I'll try to get a useful log tomorrow and maybe I can test some more with my neighbor's wlan for comparison.
I am currently also trying to get a Broadcom working and the following may be of some use/value to you.
http://wireless.kernel.org/en/users/Drivers/brcm80211
The Broadcom drivers were changed in kernel-2.6.37 and forward to brcmsmac/brcmfmac.
Thanks, but this doesn't apply to the chipset built into my laptop (BCM4312 802.11b/g LP-PHY [14e4:4315] (rev 01)). It only works with either b43 or wl. I just found this on http://wireless.kernel.org/en/users/Drivers/b43:
-----
Known issues
LP-PHY devices: DMA errors on some machines with kernel 2.6. Problem was fixed in 3.0. Using PIO (module param) can be used as workaround for 2.6.
-----
I suffered from this one, workaround didn't work, but it seems the fix worked in my case.
It seems if you need to use the old b43 driver/firmware combo you will need kernel-2.6.36 or earlier. At least that is what I have come to.
Nope, my chip does work, at least half an hour at a time at university. It works with either broadcom-wifi-builder (broadcom-wl) or b43. But only for half an hour at a time, then something happens.
The problem is I can't get the firmware for the new driver because git.kernel.org is down so I am unable to test. :(
It's up for me :) Regards, Philipp
On Wed-2011/10/12-23:55 Philipp Überbacher wrote:
Excerpts from scrat's message of 2011-10-12 22:44:14 +0200:
The problem is I can't get the firmware for the new driver because git.kernel.org is down so I am unable to test. :(
It's up for me :)
You might try [1]. It should have the stable releases and is updated whenever a new stable comes out.
[1] git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
clemens
On Wed, Sep 28, 2011 at 11:53 AM, Philipp <hollunder@lavabit.com> wrote:
I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
I don't know why this might happen, but could you try if it is possible to reproduce the problem with NetworkManager? That should give us an idea where in the stack to look. Cheers, Tom
Excerpts from Tom Gundersen's message of 2011-09-28 13:37:29 +0200:
On Wed, Sep 28, 2011 at 11:53 AM, Philipp <hollunder@lavabit.com> wrote:
I use netcfg for my university wlan (eduroam). It works fine for a while but after a couple of minutes I get disconnected and need to reconnect manually. I think that happens pretty regularly, so I assume that some kind of connection renewal doesn't work for some reason. Any idea what could be wrong, how to fix it or how to reconnect automatically?
I don't know why this might happen, but could you try if it is possible to reproduce the problem with NetworkManager? That should give us an idea where in the stack to look.
Cheers,
Tom
I looked into networkmanager and while it's DE independent in the meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble. So far I can live well without those. Before I used netcfg I used plain wpa_supplicant and I had the same issue AFAIR. Hardware info: 04:00.0 Network controller: Broadcom Corporation BCM4312 802.11b/g LP-PHY (rev 01) Driver: broadcom-wifi-builder https://aur.archlinux.org/packages.php?ID=31449 It actually uses the old proprietary broadcom driver (broadcom-wl AFAIR), the free software version that uses only the proprietary firmware should have worked since 2.6.32 or something but never worked properly for me. The new free software driver doesn't support this old chip. I'll try net-auto-wireless as workaround, thanks. Regards, Philipp
On Wed, Sep 28, 2011 at 2:51 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble.
Just a quick comment in case someone happens to read this: neither PK nor CK should require any configuration at all for most users (at least if you use a DE).
I'll try net-auto-wireless as workaround, thanks.
I hope it all works out :-) Cheers, Tom
On Wed, Sep 28, 2011 at 08:55:30PM +0200, Tom Gundersen wrote:
On Wed, Sep 28, 2011 at 2:51 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble.
Just a quick comment in case someone happens to read this: neither PK nor CK should require any configuration at all for most users (at least if you use a DE).
Which makes me wonder again (and so far nobody has given me a clear answer to this, and the docs don't either): Either - PK (or a desktop app using it) is able to override lower level system security settings (in which case to me it's malware), - or it relies on permissive lower level settings, in which case it leaves the system wide open to anything not using it to filter permissions. Or maybe I'm missing a third possible scenario. ?? Ciao, -- FA
On Wed, Sep 28, 2011 at 10:02 PM, Fons Adriaensen <fons@linuxaudio.org> wrote:
On Wed, Sep 28, 2011 at 08:55:30PM +0200, Tom Gundersen wrote:
On Wed, Sep 28, 2011 at 2:51 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble.
Just a quick comment in case someone happens to read this: neither PK nor CK should require any configuration at all for most users (at least if you use a DE).
Which makes me wonder again (and so far nobody has given me a clear answer to this, and the docs don't either):
Either
- PK (or a desktop app using it) is able to override lower level system security settings (in which case to me it's malware), - or it relies on permissive lower level settings, in which case it leaves the system wide open to anything not using it to filter permissions.
Or maybe I'm missing a third possible scenario.
Yup, PK is neither malware, nor a gaping security hole. From the PK website [0]: "PolicyKit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes". The way it works is that both the frontend (the unprivileged process, e.g. the GUI for setting your timezone) and the backend (the privileged process, e.g. the app that writes the timezone data to /etc/localtime) interface with PK. The backend will ultimately be the one deciding who should be allowed to do what under which conditions, PK is just the interface that lets this be done in a uniform way. In particular, note that PK will not give an unprivileged process direct access to changing /etc/localtime ("malware"), nor does it require /etc/localtime to be world writable ("security hole"). I'm not an expert on this, so I apologize if my explanation is imprecise or incomplete. Cheers, Tom [0]: <http://www.freedesktop.org/wiki/Software/PolicyKit>
On Sep 28, 2011 3:53 PM, "Tom Gundersen" <teg@jklm.no> wrote:
On Wed, Sep 28, 2011 at 10:02 PM, Fons Adriaensen <fons@linuxaudio.org>
wrote:
Or maybe I'm missing a third possible scenario.
The way it works is that both the frontend (the unprivileged process, e.g. the GUI for setting your timezone) and the backend (the privileged process, e.g. the app that writes the timezone data to /etc/localtime) interface with PK. The backend will ultimately be the one deciding who should be allowed to do what under which conditions, PK is just the interface that lets this be done in a uniform way.
The process is similar for libvirt -- when the policy is "unix perms only" having r/w access to the control socket is enough to authorize. However, when polkit is in use (the default) the socket is world writable simply because anyone *could* be authorized to use it (you could still use fs perms if you wanted) ... but all requests must be approved by polkit anyway, and at no time are you really exposing anything -- all configs/etc are never directly malleable or even disclosed. Polkit is a really good thing IMO -- FS perms are good too, but they are very crude/basic and completely lack expressive power ... not the right tool for the job.
On Wed, Sep 28, 2011 at 06:14:24PM -0500, C Anthony Risinger wrote:
On Sep 28, 2011 3:53 PM, "Tom Gundersen" <teg@jklm.no> wrote:
The way it works is that both the frontend (the unprivileged process, e.g. the GUI for setting your timezone) and the backend (the privileged process, e.g. the app that writes the timezone data to /etc/localtime) interface with PK. The backend will ultimately be the one deciding who should be allowed to do what under which conditions, PK is just the interface that lets this be done in a uniform way.
The process is similar for libvirt -- when the policy is "unix perms only" having r/w access to the control socket is enough to authorize. However, when polkit is in use (the default) the socket is world writable simply because anyone *could* be authorized to use it (you could still use fs perms if you wanted) ... but all requests must be approved by polkit anyway, and at no time are you really exposing anything -- all configs/etc are never directly malleable or even disclosed.
Thanks to both of you, but I still must be missing something. For example, when I insert an USB stick on my machine and try to mount it as a normal user I get a reply that only root can do that. That's what I actually want (there are some exceptions in /etc/fstab for my own sticks, which are identified by UUID). Yet some Gnome/KDE desktop apps are able to mount even when running for a normal user, when PK agrees (which in my eyes is a subversion of a policy set by the sysadmin). How do they do this if neither 'mount' nor the syscalls used by it take any notice of PK (thank $GOD for that) ? The only way I can imagine ATM is that such environments have a collection of small suid programs or daemons (all talking to PK) that do the work, and that PK is there to allow these to be separate from the main apps which require the service. If things work that way I'd say these are mafia tactics :-) 1. Make sure you have a number of corrupt police officers, judges, etc. (the privileged proxies or daemons), 2. Use them to impose your own laws (PK) instead of those of civil society (the system). In that case the real security threat is (1), not (2). Ciao, -- FA
On Thu, Sep 29, 2011 at 10:25 AM, Fons Adriaensen <fons@linuxaudio.org> wrote:
Yet some Gnome/KDE desktop apps are able to mount even when running for a normal user, when PK agrees (which in my eyes is a subversion of a policy set by the sysadmin). How do they do this if neither 'mount' nor the syscalls used by it take any notice of PK (thank $GOD for that) ?
The only way I can imagine ATM is that such environments have a collection of small suid programs or daemons (all talking to PK) that do the work, and that PK is there to allow these to be separate from the main apps which require the service.
What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users. This makes sense for two reasons: * A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost. * Furthermore, you probably don't want to have to ask the admin to set up a new entry in fstab for every usb drive that is plugged into your machine. If you don't like the way this works you could override the policy (look for udisks PK files) or you could just disable / uninstall udisks. Cheers, Tom [0]: <http://www.freedesktop.org/wiki/Software/udisks>
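An added example (not from Tom's message, nor shipped by udisks or polkit) of the override Tom mentions: a local authority file for the polkit of that era (pre-0.106, which read .pkla files from /etc/polkit-1/localauthority/50-local.d/) that turns the udisks mount action back into an admin-only operation for every user, whether logged in locally, inactive or remote. The action ID org.freedesktop.udisks.filesystem-mount is the udisks1 action as far as I recall it and is an assumption here; confirm it with `pkaction --action-id org.freedesktop.udisks.filesystem-mount --verbose` on the target machine before relying on it.

```ini
; /etc/polkit-1/localauthority/50-local.d/10-udisks-no-user-mount.pkla
; Added example, not a file shipped by udisks: require admin
; authentication for the udisks1 mount action in every session state.
; Action ID assumed from udisks1; verify with pkaction(1).
[Require admin authentication to mount removable media via udisks]
Identity=unix-user:*
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
```

Files in that directory are read in lexical order and a later match overrides an earlier one, so check for other .pkla files that touch the same action. A second stanza with Identity=unix-group:storage and ResultActive=yes would re-open mounting for members of one group only, which is the polkit equivalent of the per-group sudo setup Fons describes, applied to the one action rather than to a whole mount binary.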
On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users.
This makes sense for two reasons:
* A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it on this particular machine.
* Furthermore, you probably don't want to have to ask the admin to set up a new entry in fstab for every usb drive that is plugged into your machine.
Not necessary. Privileges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points. The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant privileges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security.
If you don't like the way this works you could override the policy (look for udisks PK files) or you could just disable / uninstall udisks.
Don't worry, there's no udisks on any machine I control. Nor Gnome or KDE for that matter. I do have polkit though, for just one reason: emacs -> gconf -> polkit. So as my vim skills improve I'll probably get rid of emacs and gconf some time. Ciao, -- FA
Excerpts from Fons Adriaensen's message of 2011-09-29 12:36:30 +0200:
On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users.
This makes sense for two reasons:
* A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it on this particular machine.
* Furthermore, you probably don't want to have to ask the admin to set up a new entry in fstab for every usb drive that is plugged into your machine.
Not necessary. Privileges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points.
The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant privileges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security.
If you don't like the way this works you could override the policy (look for udisks PK files) or you could just disable / uninstall udisks.
Don't worry, there's no udisks on any machine I control. Nor Gnome or KDE for that matter.
I do have polkit though, for just one reason: emacs -> gconf -> polkit. So as my vim skills improve I'll probably get rid of emacs and gconf some time.
Ciao,
As a somewhat hackish workaround there's the gconf-no-polkit package in AUR: https://aur.archlinux.org/packages.php?ID=41983 Works well enough for me. I also need gconf for a single package only.
On Thu, Sep 29, 2011 at 12:54:51PM +0200, Philipp Überbacher wrote:
As a somewhat hackish workaround there's the gconf-no-polkit package in AUR: https://aur.archlinux.org/packages.php?ID=41983 Works well enough for me. I also need gconf for a single package only.
Good tip, thanks. But I'd rather have an Emacs that doesn't need gconf. I wonder why it needs that anyway, as Emacs has its own (rather baroque and complex) customisation system. Ciao, -- FA
On Thu, Sep 29, 2011 at 12:36 PM, Fons Adriaensen <fons@linuxaudio.org> wrote:
On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users.
This makes sense for two reasons:
* A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it on this particular machine.
This is surely a very uncommon scenario. It is easily solved by tweaking the PK policies though (which should be expected if you want to do something non-standard).
* Furthermore, you probably don't want to have to ask the admin to set up a new entry in fstab for every usb drive that is plugged into your machine.
Not necessary. Privileges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points.
The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant privileges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security.
Having too coarse grained security policies means that users will be given access to more operations than they strictly speaking need. So, yes, PK does increase security by limiting what users can do. I'll stop my off-topic comments now ;-) Cheers, Tom
On 29 September 2011 06:55, Tom Gundersen <teg@jklm.no> wrote:
On Thu, Sep 29, 2011 at 12:36 PM, Fons Adriaensen <fons@linuxaudio.org> wrote:
On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users.
This makes sense for two reasons:
* A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it on this particular machine.
This is surely a very uncommon scenario. It is easily solved by tweaking the PK policies though (which should be expected if you want to do something non-standard).
Well if I have an ext4 flash drive with a SUID bash on it, it's game over if I can mount it. Luckily udisks will mount it "nosuid,nodev" among other things, so it doesn't matter. And of course, if I have physical access, I can also steal the hard drive. -- Tavian Barnes
On Thu, Sep 29, 2011 at 12:55:25PM +0200, Tom Gundersen wrote:
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it on this particular machine.
This is surely a very uncommon scenario. It is easily solved by tweaking the PK policies though (which should be expected if you want to do something non-standard).
?? What's uncommon about that ? I don't care what anyone does with his/her own usb disks on his/her own machine. It's not my business. I *do* care if users connect an usb disk to my machine.
Not necessary. Privileges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points.
The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant privileges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security.
Having too coarse grained security policies means that users will be given access to more operations than they strictly speaking need.
What makes you think that the configuration I use is 'too coarse grained' ??
So, yes, PK does increase security by limiting what users can do.
That's what any security system does, so rather irrelevant. And in fact it has the opposite effect: just installing some packages that use PK can suddenly allow things that were not allowed before. The only way to avoid that is to ship all PK enabled packages with 'unix permissions only', and that is certainly not what I see happen. Ciao, -- FA
Excerpts from Fons Adriaensen's message of 2011-09-29 12:36:30 +0200:
On Thu, Sep 29, 2011 at 11:51:53AM +0200, Tom Gundersen wrote:
What you are seeing is udisks [0]. The policy that is implemented, if I understand correctly, is that udisks allows a user who is physically at the machine to mount the usb drive, but not remote users.
This makes sense for two reasons:
* A user who is physically present could just grab the usb stick and insert it in a laptop where he/she has whatever permissions necessary to do whatever they want, so no security is lost.
This makes no sense. I don't mind if they use their own sticks on their own laptop. I do if they use it on this particular machine.
* Furthermore, you probably don't want to have to ask the admin to set up a new entry in fstab for every usb drive that is plugged into your machine.
Not necessary. Privileges to do certain things are given per user or to groups, it's done when a user's account is set up and that's it. Sudo can handle this nicely. The fstab entries for my own usb disks are there mainly because they have dedicated mount points.
The last thing I want as an admin is a 'parallel administration' such as polkit, in particular if it can grant privileges just by adding some files to a directory. That's very convenient for package managers etc. but it surely does not enhance security.
A real-world example of 'configuration by adding files': On a debian server, I needed more modules than usual early on, so I needed to recreate initramfs with all modules. Debian has a file to configure how many modules are built into initramfs. I changed the config, rebuilt, tested, and it didn't work. Let's say it took me a long while to figure out what was going on. Years ago the debian installer asked my predecessor about the policy for building modules into initramfs, created a file with the config option and put it into a directory somewhere. This file was overriding the main config file and cost me a lot of time. With a system like that you need to dig through lots of files to check whether they could affect a configuration option. Even worse, there could be multiple files affecting the same option, creating a precedence chain that could be a lot of fun to figure out. In my opinion, in this particular case, it would have been way smarter to drop the installing sysadmin into a text editor with the well-commented main config file. Nothing lost, except a lot of frustration years later. Configuration by adding files can create a jungle that's really hard to see through, which can easily lead to misconfiguration. That the whole thing is basically strap-on security in addition to the already built-in security configuration of the system doesn't make it any better.
Well from what I know from my days back with $certainotherdistro, PK mounts local drives in /media and remote drives in ~/.gvfs. Currently I use mount(8) manually, since I don't use a big DE nor a file browser (IMO too many of them make use of stuff like this) and wouldn't make use of this additional source of errors and level of abstraction. I have this in my .bashrc:

    # penmount DEVICE   mount DEVICE on ~/mnt, owned by the calling user
    # penmount -u       unmount ~/mnt
    penmount() {
        local target="$HOME/mnt"
        if [[ $1 == -u ]]; then
            if ! mount | grep -q "$target"; then
                echo "Error: ${target/$HOME/~} not mounted" >&2
                return 1
            fi
            sudo umount "$target"
        else
            if [[ -z $1 ]]; then
                echo "Usage: penmount DEVICE | penmount -u" >&2
                return 1
            fi
            if mount | grep -q "$target"; then
                echo "Error: ${target/$HOME/~} is already mounted" >&2
                return 1
            fi
            # uid=/gid= only apply to filesystems without Unix ownership
            # (vfat, ntfs, ...); use the real primary group instead of
            # assuming it equals the uid
            sudo mount -o uid="$UID",gid="$(id -g)" "$1" "$target"
        fi
    }

cheers! mar77i
Excerpts from Tom Gundersen's message of 2011-09-28 20:55:30 +0200:
On Wed, Sep 28, 2011 at 2:51 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble.
Just a quick comment in case someone happens to read this: neither PK nor CK should require any configuration at all for most users (at least if you use a DE).
This isn't exactly no configuration: https://wiki.archlinux.org/index.php/Networkmanager#Set_up_PolicyKit_permiss... And it interferes with stuff where it shouldn't, I tried to help a user get jack to work, and after I talked him through all the usual stuff and was out of ideas I told him to try to disable policykit. Surprise, it worked. I don't want to deal with stuff like that.
On Thu, Sep 29, 2011 at 12:20 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
Excerpts from Tom Gundersen's message of 2011-09-28 20:55:30 +0200:
On Wed, Sep 28, 2011 at 2:51 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble.
Just a quick comment in case someone happens to read this: neither PK nor CK should require any configuration at all for most users (at least if you use a DE).
This isn't exactly no configuration: https://wiki.archlinux.org/index.php/Networkmanager#Set_up_PolicyKit_permiss...
The configuration file shown there is optional.
And it interferes with stuff where it shouldn't, I tried to help a user get jack to work, and after I talked him through all the usual stuff and was out of ideas I told him to try to disable policykit.
I don't know why that would happen, clearly a bug somewhere.
I don't want to deal with stuff like that.
Fair enough. -t
Excerpts from Tom Gundersen's message of 2011-09-29 12:35:56 +0200:
On Thu, Sep 29, 2011 at 12:20 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
Excerpts from Tom Gundersen's message of 2011-09-28 20:55:30 +0200:
On Wed, Sep 28, 2011 at 2:51 PM, Philipp Überbacher <hollunder@lavabit.com> wrote:
meantime and provides a CLI interface it still requires polkit. Polkit requires consolekit and both mean configuration and maintenance trouble.
Just a quick comment in case someone happens to read this: neither PK nor CK should require any configuration at all for most users (at least if you use a DE).
This isn't exactly no configuration: https://wiki.archlinux.org/index.php/Networkmanager#Set_up_PolicyKit_permiss...
The configuration file shown there is optional.
The alternative is to run polkit-gnome or polkit-kde, luckily it seems that polkit-gnome is a misnomer and it only depends on gtk3. So your options are to have an authentication agent running or add some files for every app that needs permissions. In addition you need to have a consolekit-session running in any case. Life's not getting easier for no-DE users.
participants (12): C Anthony Risinger, clemens fischer, Cédric Girard, Fons Adriaensen, Martti Kühne, Philipp, Philipp Überbacher, scrat, Tavian Barnes, Thomas Bächler, Tom Gundersen, Zanterian