[openSUSE] ProtonVPN asks for root password several times before every connection
Dyrimon opened this issue · 20 comments
OS: openSUSE Tumbleweed
ProtonVPN version: ProtonVPN CLI v3.7.2 (protonvpn-nm-lib v3.3.2; proton-client v0.5.1)
Desktop: KDE Plasma 5
Before starting every connection (whether by cli or gui) ProtonVPN asks for root password, and that is 5-6 times! I have to enter sudo password for NetworkManager, pvpn-killswitch, pvpn-ipv6leak-protection, the final server that it connects to and couple more times for NetworkManager. The following dialog box shows up every time I switch or start a new connection.
Hey @Dyrimon
First to set the correct expectations, we currently don't support openSUSE. Regardless, this issue seems to be mostly due to polkit rules, that's why you're being prompted. You have to manually tweak them (although I don't know why since most distros are already tweaked and generally have no issues)
I'm aware of not supporting openSUSE, and this was installed from a community repository. The client works fine as expected. But polkit is continuously asking me password. I'm assuming this is related to kwallet but I don't know how to make it automatic. This might be related to ProtonVPN/linux-app#13 (comment)
Yours is a different issue. Check this: #4 (comment)
I also tried using pam_kwallet to automatically unlock kwallet following the article from archwiki
Yours is a different issue. Check this: #4 (comment)
I don't know how this relates to my issue. I've no issues with ipv6leaks and so have no idea what rules to change in polkit
@Dyrimon I think you need to read the archwiki properly. It is stated that:
- kwallet-pam is not compatible with GnuPG keys, the KDE Wallet must use the standard blowfish encryption.
- The wallet cannot be unlocked when using autologin. <- reason why you might be prompted
- The wallet cannot be unlocked when using a fingerprint reader to login. <- reason why you might be prompted
- The wallet must be named kdewallet (default name). It does not unlock any other wallet(s). <- reason why you might be prompted
- If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (WiFi-passphrase unlock, etc.). <- possible reason
- It may be needed to remove the default created wallet first, thus removing all stored entries. <- possible solution
- If the kwallet Migration Assistant asks for a password after every login, rename or delete the ~/.kde4/share/apps/kwallet folder.
edit:
this relates to my issue. I've no issues with ipv6leaks and so have no idea what rules to change in polkit
If you look at the screenshot you provided me, it's due to polkit that you're getting that prompt (and possible kde wallet configuration).
Yes, but none of the limitations of pam is present in my issue. I do not autologin, nor use a fingerprint scanner, the wallet name is kdewallet and that's the only one. "Close when last application..." is already disabled. I tried removing the default wallet and creating another named kdewallet but no use. The wallet folder doesn't exist in ~/.kde4/share/apps/
Here is my /etc/pam.d/sddm config:
#%PAM-1.0
auth include common-auth
auth optional pam_kwallet5.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_kwallet5.so auto_start
session optional pam_keyinit.so revoke force
@calexandru2018 I've solved this by taking a leaf out of DasCapschen's book and just allowed everything related to org.freedesktop.NetworkManager unrestricted access in /etc/polkit-1/rules.d/90-default-privs.rules:
'org.freedesktop.NetworkManager.checkpoint-rollback':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.enable-disable-connectivity-check':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.enable-disable-network':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.enable-disable-statistics':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.enable-disable-wifi':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.enable-disable-wimax':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.enable-disable-wwan':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.network-control':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.reload':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.settings.modify.global-dns':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.settings.modify.hostname':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.settings.modify.own':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.settings.modify.system':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.sleep-wake':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.wifi.scan':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.wifi.share.open':
[ 'yes', 'yes', 'yes' ],
'org.freedesktop.NetworkManager.wifi.share.protected':
[ 'yes', 'yes', 'yes' ],
I don't know if this will severely weaken my system or not, but frankly I don't care. Either it's polkit's fault or pvpn's fault but I'm too tired to bother with this any more.
Hey @Dyrimon
That severely weakens your system. I'll leave you the output of my configs so that you can check it out:
cat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
output can be found here
Edit: basically what matters there is that your defaults match my defaults for all those actions. (don't mind the description in all those languages)
I have this problem too in my Fedora 34
@BenD780x9 refer to the post I mentioned above please.
Hey @Dyrimon
That severely weakens your system. I'll leave you the output of my configs so that you can check it out:
cat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
output can be found here
Edit: basically what matters there is that your defaults match my defaults for all those actions. (don't mind the description in all those languages)
Unfortunately your solution doesn't work for me. I've to go back to the "open door" approach. Problem is after every polkit update the rules are reverting back to the default one
@calexandru2018 on Fedora 34 kill switch doesn't seem to work on my laptop but does work on my desktop.
dummy is installed
kwallet is blowfish
for testing purposes I allowed all actions from org.freedesktop.NetworkManager.* which was reflected on 'nmcli general permissions'
Your /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy is the exact same as mine
protonvpn-dbus-wrapper.log
protonvpn.log
protonvpn-cli.log
protonvpn-daemon.log
@calexandru2018 logs from ~/.cache/protonvpn/logs
The official client should be forking the community client (which works perfectly and bypasses NetworkManager). This NetworkManager integration is hot trash.
Observing the same issues on ArchLinux. One of the "supported" linux options.
The dependency tree is too large:
- systemd
- polkit
- networkmanager
- nm-applet
There are many linux distros that will not have these items installed. And some that don't support them at all. Not to mention the whole anti-monolithic (anti-systemd) group of distros.
It feels like Windows/MacOS/Android developers who are used to a homogeneous environment are programming this application.
There are many linux distros that will not have these items installed. And some that don't support them at all. Not to mention the whole anti-monolithic (anti-systemd) group of distros.
It feels like Windows/MacOS/Android developers who are used to a homogeneous environment are programming this application.
I agree, I think a properly packaged flatpak will solve this dependency problem and give broader access to "unofficial distributions".
Since this is still open and I have no clue if a fix was found for others, I just came across this issue today but found a fix. I don't know if it's considered "hacky", but it works.
Add the user to the wheel group
sudo usermod -a -G wheel my_user
Create /etc/polkit-1/rules.d/20-protonvpn.rules
sudo touch /etc/polkit-1/rules.d/20-protonvpn.rules
Edit the file with your file editor and paste contents below
SUDO_EDITOR=kate sudoedit /etc/polkit-1/rules.d/20-protonvpn.rules
Contents of /etc/polkit-1/rules.d/20-protonvpn.rules
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
Restart and now it works! I would have tried to put this in a wiki, but there isn't one in either the linux-cli or linux-app repo.
The answer above by @pahaze is on the right track, but I think as-written it would give the user the ability to execute any command as admin with no password prompt, which is way beyond the scope of just letting protonvpn edit your network settings.
Here is what I did to resolve this on Tumbleweed, following these instructions from the arch wiki https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions
Create network group (my system didn't have one)
sudo groupadd network
Add your user to the network group
sudo gpasswd -a YOURUSER network
Create a file sudo nano /etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules with the contents:
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {
        return polkit.Result.YES;
    }
});
This should allow any user in the network group to use NetworkManager without being prompted for admin credentials. Works on my machine ™
Cheers.
I see, I didn't know it could do that as on my machines, all it does is allow me to edit network settings without a password. Everything else still needs a password, but I dunno. 🤔
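The scope difference between the two rules posted above, as an added example that is not part of any comment in this thread: a simplified JavaScript model of polkit's rule evaluation (not polkit itself) runs the wheel rule, the network-group rule, and a tighter variant added here that also requires subject.local and subject.active. The subjects and the set of action ids checked are constructed for illustration.

```javascript
// Simplified model of polkit rule evaluation (not polkit itself): the first
// rule that returns a result decides; otherwise the .policy defaults apply.
function makeEngine() {
  const rules = [];
  const polkit = { Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) };
  const check = (actionId, subject) => {
    for (const rule of rules) {
      const result = rule({ id: actionId }, subject);
      if (result) return result;
    }
    return "policy-default";
  };
  return { polkit, check };
}

// Constructed subject; real polkit subjects also carry user, pid, seat, session.
function makeSubject(groups, local = true, active = true) {
  return { groups, local, active, isInGroup: (g) => groups.includes(g) };
}

const NM = "org.freedesktop.NetworkManager.";
const ruleSets = {
  // Rule from the first answer: no check on action.id at all.
  wheelBlanket: (polkit) => polkit.addRule((action, subject) => {
    if (subject.isInGroup("wheel")) return polkit.Result.YES;
  }),
  // Rule from the second answer: scoped to NetworkManager actions.
  networkGroup: (polkit) => polkit.addRule((action, subject) => {
    if (action.id.indexOf(NM) === 0 && subject.isInGroup("network")) return polkit.Result.YES;
  }),
  // Added variant (assumption): also require a local, active session.
  networkGroupLocal: (polkit) => polkit.addRule((action, subject) => {
    if (action.id.indexOf(NM) === 0 && subject.isInGroup("network") &&
        subject.local && subject.active) return polkit.Result.YES;
  }),
};
const ACTIONS = [NM + "network-control", NM + "settings.modify.system",
  "org.freedesktop.policykit.exec", "org.freedesktop.systemd1.manage-units"];

// Action ids that a rule set grants with no authentication prompt.
function passwordless(ruleName, subj) {
  const { polkit, check } = makeEngine();
  ruleSets[ruleName](polkit);
  return ACTIONS.filter((id) => check(id, subj) === polkit.Result.YES);
}

const desktopUser = makeSubject(["wheel", "network"]);
const remoteUser = makeSubject(["wheel", "network"], false); // non-local session
for (const name of Object.keys(ruleSets))
  console.log(name, passwordless(name, desktopUser), passwordless(name, remoteUser));
```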