Re: Different permissions for different network interfaces



On Wed, 2010-07-07 at 11:50 -0300, José Queiroz wrote:
> 
> 
> 2010/7/7 <ubuntu cgi-net ch>
>         Hi all,
>
>         I have a problem with ubuntu 10.04 LTS and the Network Manager.
>         As per default Network Manager is working fine and doesn't make
>         any trouble.
>
>         My customer has the requirement that the default network interface
>         (connected to public LAN) must be protected and it should not be
>         able to change anything on it (even taking it on- or offline should
>         be possible)
>         But all of the users also have a second LAN Interface, which they
>         use for testing, in a dedicated network. This Network Interface
>         should be manageable by every user, without being prompted for a
>         password when changing settings.
>
>         I've tried several ways and went through the official Network
>         Manager documentation without success.
>         It always seems to have somewhere a problem.
>
>         So I would be really thankful if somebody could point me to the
>         right direction or does have a working example for this scenario.
>
>         If you have questions or if you require additional information,
>         feel free to ask me.
>
>         Thanks and all the best,
>         Simon
> 
> Hi Simon,
> 
> Configure the first connection on the "/etc/network/interfaces". This
> way, NM will not manage it, so the users will have no access to change
> it without system access (root or sudo).
> 
> You could also define this connection in a system-wide connection. But
> I just don't know how to enable it (shame on me); all I know is that
> you need to use policy-manager to allow it.

That's one way to do it for the time being...

Daniel, does this conflict at all with the ACL plans we have in place?
My first thought was that this situation could be handled by making the
ACL for the "first" connection be sysadmin only and locking that
connection to the MAC address of the first ethernet device.  Then the
user would not be able to deactivate it since they had no access to that
connection.  The second device would be wide open.  Is that a correct
read of the solution we've chosen so far?  That doesn't address whether
the user can get status of that connection or not and thus see it in the
GUI of course...

Dan
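
The workaround quoted above depends on NetworkManager's ifupdown plugin ignoring any interface declared in /etc/network/interfaces while `managed=false` is in effect. The following is an added example, not part of the thread: a check that reports which interfaces are therefore outside NetworkManager's control. The file contents, interface names and addresses are constructed, the function names are hypothetical, and only `iface` stanzas are considered.

```python
import configparser

# Constructed sample of /etc/network/interfaces: eth0 is the protected
# public-LAN interface; the test interface (eth1) is deliberately absent.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback
# protected public LAN (constructed addresses)
auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
"""
# Constructed sample of NetworkManager's configuration file.
SAMPLE_NM_CONF = """\
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false
"""


def declared_interfaces(interfaces_text):
    """Return names that have an 'iface' stanza, excluding loopback."""
    names = []
    for line in interfaces_text.splitlines():
        fields = line.split()  # comment lines start with '#', never 'iface'
        if len(fields) >= 2 and fields[0] == "iface" and fields[1] != "lo":
            if fields[1] not in names:
                names.append(fields[1])
    return names


def nm_leaves_alone(interfaces_text, nm_conf_text):
    """Interfaces NetworkManager will not manage, so desktop users
    cannot change or deactivate them through it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nm_conf_text)
    plugins = [p.strip() for p in cp.get("main", "plugins", fallback="").split(",")]
    if "ifupdown" not in plugins:
        return []  # plugin not loaded: the interfaces file is never consulted
    if cp.getboolean("ifupdown", "managed", fallback=False):
        return []  # managed=true hands declared interfaces to NetworkManager
    return declared_interfaces(interfaces_text)


if __name__ == "__main__":
    print(nm_leaves_alone(SAMPLE_INTERFACES, SAMPLE_NM_CONF))
```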




