blueman 2.0.6 prompts for root password on login

[delxg]

blueman: 2.0.6
BlueZ: 5.50
Distribution: Arch Linux
Desktop environment: XFCE/lightdm

• I have consulted the Troubleshooting page and done my best effort to follow.

After upgrading to blueman 2.0.6 I get prompted for my root password when logging in. It seems this is caused by #896. The workaround is documented.

I would like to request that the default policies be changed from <allow_active>auth_admin_keep</allow_active> to <allow_active>yes</allow_active>.

My rationale is:

• This would be a more useful default for most users.
• People with special requirements can still lock things down with additional configuration.
• This behaviour would be consistent with NetworkManager, which provides roughly analogous functions to blueman.

Thanks :)

[infirit]

Hi,

It seems this is caused by #896

It is and the sole reason for the release.

The workaround is documented

It is not a workaround, it is a necessary security step for a distribution. It should not allow any users to run dbus services as root.

<allow_active>auth_admin_keep</allow_active> to <allow_active>yes</allow_active>.

These parts run as root and need to be protected so they need auth_admin. NetworkManager does the same and uses auth_admin in a very similar way. On gentoo I actually have a polkit rules file installed for NetworkManager and I am in the correct group so I do not have to enter a password. I suspect you have as well.

You should open a bug with arch so that the maintainer can install a polkit rules for blueman.

[delxg]

Hi, thanks for your fast reply! :)

I did raise Arch bug #59736, however Arch has a policy of not deviating from upstream defaults, so this is unlikely to be changed there.

The default NetworkManager policy does not require any group configuration. This is because it uses <allow_active>yes</allow_active> which according to the polkit(8) manpage grants authorisation to "clients in active sessions on local consoles".

I believe that granting access to users with active sessions on a local console is a good default for blueman as well as NetworkManager.

[cschramm]

That's not correct. The NetworkManager policy uses auth_admin_keep quite a lot and the NM_MODIFY_SYSTEM_POLICY setting probably defaults to it as well.

However, https://wiki.archlinux.org/index.php/users_and_groups#User_groups documents the wheel group, so it might make sense to ship the rule we propose in https://github.com/blueman-project/blueman/wiki/PolicyKit.

Are you in the wheel group, @delxg? 😄

[infirit]

As @cschramm pointed out it only has yes for some but a lot have auth_admin*.

I believe that granting access to users with active sessions on a local console is a good default for blueman as well as NetworkManager.

I am not comfortable having this set yes. This part of blueman is doing quite a lot of low level system changes. If a normal user is not allowed to add iptables rules, which blueman does among other things, than we should not allow it as well. If the distro does not want to add polkit rules then it is up to the users like you to decide if you are allowed or not.

I am working on making blueman use NM for all network configuration (NAP, PANU, DUN) and avoid running these low level tools as root. Part is in a PR already the other part is a bit more involved and I am working on it for 2.1.

[delxg]

Thanks for your replies.

I've looked into it more an learned that the Arch networkmanager package passes --enable-modify-system which causes org.freedesktop.NetworkManager.settings.modify.system to have <allow_active>yes</allow_active>

However NetworkManager also has the concept of "personal" connections. These are connections which are only usable by one person. The policy is hardcoded with <allow_active>yes</allow_active>.

My opinion is that a default install of NetworkManager and blueman should be optimised for the common case where all local sessions are trusted.

If you're not comfortable with this then that's fair enough though. We can disagree :)

Thanks for listening.

[Zeioth]

I'm also experiencing this issue on arch since 2.0.6-1. Waiting for the new release.

[UbuntuTarnow]

In any other operating system, Ubuntu, Rehat, Windows and Mac OS etc.. to greet new standard users with a prompt for administrator password would be unacceptable. If they figured out a way to not have the problem, Manajro should also be able to solve the problem.

[friederbluemle]

Just wondering, what is the recommended solution for normal users? I've been seeing this annoying error when starting blueman-applet for several weeks now. Everything appears to be working normally. I'm on latest Arch Linux. Thanks 🙇

[friederbluemle]

Nevermind, I figured it out. I just created a new file /etc/polkit-1/rules.d/90-blueman.rules with the content over here: https://github.com/blueman-project/blueman/wiki/PolicyKit