Re: Do we have plan to do finer grained PolicyKit support for Networkmanager?

[Bin Li <libin charles gmail com>]

On Fri, Sep 4, 2009 at 1:29 AM, Dan Williams <dcbw redhat com> wrote:

On Tue, 2009-09-01 at 15:12 +0800, Bin Li wrote:
> Hi,
>
>   NetworkManager currently only supports one PolicyKit privilege. That
> is whether a user is allowed to modify administrator defined
> connections or not. There is no way to disallow users to define their
> own network configurations.

Right, we do want to do this.  I think it's more possible with NM 0.8
and PolicyKit 1.0 where the actual authentication is simpler.  Having
finer grained permissions was always the plan.

To disallow activation of user connections, we'd want to add a PolicyKit
permission for it, and then do the corresponding work in nm-manager.c's
impl_activate_connection() handler.  We'd also want to make the Policy
object ignore user connections when selecting which connections to
connect to automatically, and also set a "permissions" bit in the system
settings service to indicate that user connections weren't allows so the
UI can update accordingly.

Dan,

 To disallow users to define their own network configuration, I add a new permission, org.freedesktop.network-manager-settings.user.modify, then link to the add button, when the user have permission, he can add it, vice versa. I've met a problem, the user's connection save in the gconf, and the user can change the gconf with gconftool-2 without permission checking.
 So are there any method to resolve this problem? And is it okay to do like this? Any idea?

 And I've a simple use-case that disallow workers on centrally administered machines to configure different network settings.

Thanks!