Re: NetworkManager permissions



Sounds good, ive now reported the bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1176042

Thank you for your help Dan.


On Thu, Dec 18, 2014 at 5:32 PM, Dan Williams <dcbw redhat com> wrote:
On Thu, 2014-12-18 at 11:44 +0100, Peter Magnusson wrote:
Hi Dan,

Thank you for the reply! This sounds like a good solution to me,
unfortunately we are indeed using Gnome Shell UI so that would cause a
problem.

So what you are saying is that right now there is no way to achieve
this while using gnome shell ?

There might be something we can do in NM itself though, given the way
the shell and most other clients create new connections.  But either
way, best thing to do would be to file a bug at
http://bugzilla.redhat.com against RHEL7 and assign to the
NetworkManager component so it doesn't get lost.  Does that sound OK?

Thanks!
Dan


On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams <dcbw redhat com> wrote:
On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
Im having some problems with permissions on NetworkManager. We are in
the process of migrating our clients from RHEL 6.6 to RHEL 7.
The clients connect to our wireless network using eap-tls, we provide
the configuration,certificate and keys for this from our central
configurationserver so that the connection is transparent to the user.

In RHEL6.6 the password for the privatekey(pkcs12 used for
authentication) was not visible to the users only to administrators.
This was achieved by setting the connection as "system wide" in which
case the configfile was stored under /etc/sysconfig/network-scripts
and only accessible by root.

In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
from git) we can still limit the permissions to NM config using polkit
but when doing this we also limit the possiblity for the user to add
new wifi-networks.

So what i would like to achieve is to limit access to existing
connections (or connections not added by user) but i still want the
users to be able to add new wificonnections. Is this possible ?

I looked into this yesterday, and I think the way forward here is to
restrict the user's permissions for "modify.system", but allow them
permissions for "modify.own" (own == self, not possession).  This will
prevent the user from being able to change any connection that is
in /etc and does not have specific permissions.  But it allows the user
to create new connections that are restricted to that user only.

There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
it doesn't set the necessary flags to create these user-specific
connections when the modify.system permission is denied.  We can work on
fixing that though.

Do you think this solution would work for you?

Dan





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]