Re: Do we have plan to do finer grained PolicyKit support for Networkmanager?



On Fri, Sep 18, 2009 at 9:28 PM, Tambet Ingo <tambet gmail com> wrote:
> On Fri, Sep 18, 2009 at 16:10, Lance Wang <lance w19 gmail com> wrote:
>> On Thu, Sep 17, 2009 at 2:11 PM, Tambet Ingo <tambet gmail com> wrote:
>>> On Thu, Sep 17, 2009 at 06:16, Bin Li <libin charles gmail com> wrote:
>>>>  To disallow users to define their own network configuration, I add a new
>>>> permission, org.freedesktop.network-manager-settings.user.modify, then link
>>>> to the add button; when the user has permission, he can add it, and vice versa.
>>>> I've met a problem: the user's connections are saved in gconf, and the user
>>>> can change gconf with gconftool-2 without permission checking.
>>>>  So is there any method to resolve this problem? And is it okay to do it like
>>>> this? Any ideas?
>>>
>>> This makes no sense. You can already lock GConf so there's no need to
>>> do anything for user settings. Just lock the /system/networking path
>>> in gconf and the settings can't be changed. The only thing you could
>>> improve, is to make sure nm-applet and nm-connection-editor handle it
>>> more gracefully, ie "gray out" the apply button etc...
>>>
>>
>> It makes no sense to "gray out" the apply button etc., I think,
>

> I'm sorry if I offended you, I didn't mean to.
I say it as a normal statement.  I am not a native English speaker,
please forgive my misuse of words sometimes. ;-)

>
>> when the /system/networking path is locked.  Because if it is locked
>> all buttons should be grayed out. Maybe we should not show the
>> nm-connection-editor,  as on average if someone was not permitted to
>> modify user settings, he or she would be denied to modify the system
>> settings.
>>
>> And another aspect. I think we should leave the control on the
>> NetworkManager side.  As far as I know, all settings should be applied
>> through NetworkManager. If we just lock gconf, people with malicious
>> intent can still use a modified nm-applet to apply the user settings
>> they want.  So I think there may be a policy action such as
>> org.freedesktop.network-manager-settings.user.apply.  Every time
>> NetworkManager receives the request to apply the user settings, it
>> should check the action. And nm-connection-editor also checks the
>> action to set the button status.  Furthermore, maybe we split the
>> policy into org.freedesktop.network-manager-settings.user.wired.apply,
>> org.freedesktop.network-manager-settings.user.wireless.apply,
>> org.freedesktop.network-manager-settings.user.vpn.apply  etc...
>>
>> What do you think?
>
> I think in situations you describe NM should not accept user
> connections at all and rely only on system settings that already need
> root privileges to change. I don't see why we need two duplicate
> systems for controlling one thing.


Maybe there is more than one thing. In my situation, in a public
place like an exhibition, the computers are used by some normal users
without root privileges, but the computers are controlled by the
administrator.  It is necessary that users can use the net connection,
but cannot modify it.

So what is your opinion?

>
> Tambet
>



-- 
Lance Wang

王伶卓

