Not authorized to control networking from cron

Question

I am using the command nmcli c up id networkname to change the network in a script. The script works fine when I run from the terminal, but when I run the script from cron, I get an error:

Error: Connection activation failed: Not authorized to control networking.

Searching online, I found a bug report from 2011 about this issue: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/681708, but no resolution.

Why does the script work when run from terminal, but not from cron? I would like to avoid putting this in the root's cron if possible.

Answer 1

PolKit

The daemon deciding whether to give access to your script is called polkitd.

To get some information on what is going wrong you can issue

nmcli general permissions

It will list some permissions related to nmcli. You will note that running from cron and while logged in while give different results.

Current dists (such as Ubuntu and more) aimed at desktop use, uses the permission Active alot, meaning it will grant access to users logged in into a local and active X11 session.

You can also run polkitd in a terminal like so

killall polkitd  # first kill running polkitd
G_MESSAGES_DEBUG=all /usr/lib/policykit-1/polkitd

This will allow you to see what polkitd is doing and what decisions it's making.

Solution

Add a .pkla file in `/etc/polkit-1/localauthority/50-local.d/`, call it e.g. `x.pkla`. **Imortant:** It needs to be sorted lexicographical after other e.g. `org.freedesktop.NetworkManager.pkla` or that file will override your cute file.

Put in something like this to grant permission to users in the admgroup. You can also grant to a specific users, etc.

[Let adm group modify system settings for network]
Identity=unix-group:adm
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=yes

You might need to add multiple sections to this file if you need more permissions, such as enable/disable wifi.

Answer 2

The solution descripted by @vidstige helped me to solve the problem. As @partofthething commented the question is, if /var/lib/polkit-1/localauthority/10-vendor.d/ is the best place to store the .pkla.

After reading man pklocalauthority I think not.

The /etc/polkit-1/localauthority hierarchy is inteded for local configuration and the /var/lib/polkit-1/localauthority is intended for 3rd party packages.

Do we build a 3rd party package? I think not.

10-vendor.d is intended for use by the OS vendor.

Do we are a OS vendors? I think not.

I think /etc/polkit-1/localauthority/50-local.d/is the better place the .pkla.

Using this way also solves the problem with the sorting:

1. 50-local.d is evaluated after 10-vendor.d
2. /etc/polkit-1/localauthority/ is evaluated after /var/lib/polkit-1/localauthority

(I would write this a comment, but the 50 reputation…)