Re: NetworkManager permissions

From: Peter Magnusson <pet magnusson gmail com>
To: Dan Williams <dcbw redhat com>
Cc: networkmanager-list gnome org
Subject: Re: NetworkManager permissions
Date: Thu, 18 Dec 2014 11:44:06 +0100

Hi Dan,

Thank you for the reply! This sounds like a good solution to me,
unfortunately we are indeed using Gnome Shell UI so that would cause a
problem.

So what you are saying is that right now there is no way to achieve
this while using gnome shell ?


On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams <dcbw redhat com> wrote:

On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:

Im having some problems with permissions on NetworkManager. We are in
the process of migrating our clients from RHEL 6.6 to RHEL 7.
The clients connect to our wireless network using eap-tls, we provide
the configuration,certificate and keys for this from our central
configurationserver so that the connection is transparent to the user.

In RHEL6.6 the password for the privatekey(pkcs12 used for
authentication) was not visible to the users only to administrators.
This was achieved by setting the connection as "system wide" in which
case the configfile was stored under /etc/sysconfig/network-scripts
and only accessible by root.

In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
from git) we can still limit the permissions to NM config using polkit
but when doing this we also limit the possiblity for the user to add
new wifi-networks.

So what i would like to achieve is to limit access to existing
connections (or connections not added by user) but i still want the
users to be able to add new wificonnections. Is this possible ?


I looked into this yesterday, and I think the way forward here is to
restrict the user's permissions for "modify.system", but allow them
permissions for "modify.own" (own == self, not possession).  This will
prevent the user from being able to change any connection that is
in /etc and does not have specific permissions.  But it allows the user
to create new connections that are restricted to that user only.

There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
it doesn't set the necessary flags to create these user-specific
connections when the modify.system permission is denied.  We can work on
fixing that though.

Do you think this solution would work for you?

Dan

Follow-Ups:
- Re: NetworkManager permissions
  - From: Dan Williams

References:
- Re: NetworkManager permissions
  - From: Dan Williams

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]