Hi everyone,

for a bit of backstory: in Debian we traditionally ship a strict PolicyKit configuration for NetworkManager, which doesn't allow non-admin users to edit system wide connections (we build NM with --disable-modify-system, i.e. we use auth_admin_keep instead of yes).

The reason for that is that we want to be able to ship a default policy which is reasonably secure on a wide variety of setups and we didn't want to give unprivileged users the ability to read/write/modify connections that were not created by themselves.

At the same time, unprivileged users should be able to connect to new WiFi networks without too much fuss (i.e. without having to enter an admin password). This was the main motivation for the Debian patch [1] to nm-applet back in the days.

Nowadays, we have a lot more NetworkManager clients: Cinnamon, GNOME, KDE (plasma-nm) etc. all have native NM support.

I did a series of tests with an unprivileged user named "test" under Debian trying to connect to a new WiFi network. Here are the results:

a) GNOME Shell: admin prompt, credentials system wide, permissions=
b) gnome-control-center: no admin prompt, credentials system wide, permissions=user:test:;
c) Cinnamon: no admin prompt, credentials user wide, permissions=user:test:;
d) cinnamon-control-center: no admin prompt, credentials system wide, permissions=user:test:;
e) nm-applet 1.16.0: no admin prompt, credentials system wide, permissions=user:test:;
f) nm-connection-editor 1.16.0: admin prompt, credentials system wide, permissions=
g) nm-applet 1.8.24 (with Debian patch [1]): no admin prompt, credentials user wide, permissions=user:test:;
h) nm-connection-editor 1.8.24 (with Debian patch [1]): no admin prompt, credentials system wide, permissions=user:test:;

I think the current situation is unfortunate. Ideally, NM clients would behave more consistently and provide a better ootb experience for unprivileged users.

I find especially a) very unfriendly for users. In a multi-user setup it's unlikely they have an admin password and I think NM clients should just create user-owned connections in that case.

Whether to store credentials system wide or make them agent owned is another topic. I guess for WiFi connections it makes sense to store them system wide, for VPN connections I would (always) default to make them agent owned.

For that reason, I would like your feedback as NetworkManager upstream. Maybe we can come up with a set of recommendations how clients should behave for unprivileged users in a variety of use cases (WiFi, VPN, etc). Once we have that set of rules/recommendations, it would be easier for me to contact the various upstream projects like GNOME, Cinnamon, KDE.

I would also be interested how other distros handle this situation and what their default policy is. I know that Fedora uses --enable-modify-system, which is probably ok if your target audience is a single-user desktop system.

This email is already pretty long, so I'll stop here.

Looking forward to reading your thoughts,
Michael

[1] https://salsa.debian.org/utopia-team/network-manager-applet/-/blob/debian/master/debian/patches/Allow-creation-of-connections-without-admin-privileges.patch
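Added example (not part of the original message and not NetworkManager or Debian code): a sketch that reads a NetworkManager keyfile profile and reports the two properties compared in the test results above, who may use the connection (permissions) and where the WiFi PSK is kept (psk-flags). It assumes the keyfile format with a [wifi-security] section; the function name classify and both sample profiles are constructed for illustration.

```python
import configparser

# Bit values of NetworkManager's secret flags (NMSettingSecretFlags).
AGENT_OWNED = 0x1   # secret is held by the user's secret agent ("user wide")
NOT_SAVED = 0x2     # secret is asked for on every activation

def classify(keyfile_text):
    """Return who may use a profile and where its WiFi PSK is stored."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case sensitive
    cp.read_string(keyfile_text)

    # permissions is a ';'-separated list of "user:<name>:" entries;
    # an empty or missing value means every user may use the connection.
    perms = cp.get("connection", "permissions", fallback="")
    users = [p.split(":")[1] for p in perms.split(";") if p.startswith("user:")]

    # psk-flags missing or 0 means the PSK is written into the system-wide profile.
    flags = int(cp.get("wifi-security", "psk-flags", fallback="0"))
    if flags & AGENT_OWNED:
        secrets = "agent"
    elif flags & NOT_SAVED:
        secrets = "not-saved"
    else:
        secrets = "system"
    return {"users": users, "secrets": secrets}

# Constructed sample resembling result a): no permissions, PSK in the profile.
SYSTEM_WIDE = """[connection]
id=example-wifi
type=wifi

[wifi-security]
key-mgmt=wpa-psk
psk=constructed-example-psk
"""

# Constructed sample resembling result c): restricted to "test", agent-owned PSK.
USER_OWNED = """[connection]
id=example-wifi
type=wifi
permissions=user:test:;

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1
"""

if __name__ == "__main__":
    for name, text in (("a-like", SYSTEM_WIDE), ("c-like", USER_OWNED)):
        print(name, classify(text))
```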