Home_greyopenFATE - openSUSE feature tracking > #305657
Dashboard | Search | Sign up | Login

Please login or register to be able to edit or vote this feature.

finer grained PolicyKit support for Networkmanager

Feature state

openSUSE-11.2
Rejected Information

Description

NetworkManager currently only supports one PolicyKit privilege. That is whether a user is allowed to modify administrator defined connections or not. There is no way to disallow users to define their own network configurations.
NetworkManager should at least support one additional PolicyKit privilege that defines whether or not users are allowed to bring their own network configuration or whether they mere are allowed to use administrator defined ones.

Usecase

- disallow workers on centrally administered machines to configure different network settings

- protect home users that only ever connect to a few well known nets from accidently changing their setup

Discussion


icons/user_comment.png M. N. wrote: (8 years ago)

If this can be done with little effort I would be even tempted to rate it Mandatory.

icons/user_comment.png S. B. wrote: (8 years ago)

Alex, is there soemone on your team who could look at that? MAybe with some support form Tambet?

icons/user_comment.png L. B. wrote: (8 years ago)

I and lance wang would like to take care of it. We still don't know the requirement clearly.

1. disallow workers on centrally administered machines to configure different network settings

The workers mean the users in administered machines? Does it right that when workers configure network settings it prompt they are no permission? If so I thought we could change the PolicyKit's configuration file to complete it.

2. protect home users that only ever connect to a few well known nets from accidently changing their setup

How to distinguish home users from workers? Does it mean don't allow the user to configure the other users connections?

icons/user_comment.png L. N. wrote: (8 years ago)

Currently there's only org.freedesktop.network-manager-settings.system.modify, introduce something like org.freedesktop.network-manager-settings.user.modify so NM can determine whether it should accept user settings.

icons/user_comment.png W. L. wrote: (8 years ago)

Hi  Ludwig Nussel

I have added the following policy action:

org.freedesktop.network-manager-settings.user.wired.apply

org.freedesktop.network-manager-settings.user.wireless.apply

org.freedesktop.network-manager-settings.user.mobile.apply

org.freedesktop.network-manager-settings.user.vpn.apply

org.freedesktop.network-manager-settings.user.dsl.apply

.

NM now can determine whether it should apply the user settings to devices by type. 

Does the implementation meet your request?

I need your feedback to determine what should to do next step.

Thanks,

Lance Wang

icons/user_comment.png L. N. wrote: (8 years ago)

Sure, that's even more than I had wished for.

Would it be possible to also have a separate privilege for the connection sharing thingy? In contrast to the other configurations that one also messes with iptables and starts a DHCP daemon.

icons/user_comment.png J. R. wrote: (8 years ago)

My suggestion would be to look at something like the following:
org.freedesktop.network-manager-settings.system.modify
org.freedesktop.network-manager-settings.system.add
org.freedesktop.network-manager-settings.system.delete

and the same for .user - you may even want to specifically allow or disallow adding for specific network types like wired, wireless, etc.

You probably also want to have the ability to enable/disable wireless in general and enable/disable networking covered.

You can default all of these to the current settings, but adding these would allow more lockdown opportunities.

icons/user_comment.png L. B. wrote: (8 years ago)

Well, We'll works on this feature in this week, know about the PolicyKit and NetworkManager, write the patch if time is okay.

Tambet,

Do you have any idea about this feature?

icons/user_comment.png L. M. wrote: (8 years ago)

Might worth looking at NM 0.8 (git master), it supports the latest polkit-1 and it should be released before 11.2. Maybe some of this features were introduced.

icons/user_comment.png T. I. wrote: (8 years ago)

NM 0.8 will not be out before 11.2, it'll be out for the next Fedora release which will happen after 11.2. Also, current git master does not have any work for this feature, it's just been converted to use the newer, incompatible polkit API.

icons/user_comment.png T. I. wrote: (8 years ago)

The upstream has been planning on having similar feature for a while now, but no work has been done on it yet. I strongly suggest to have a discussion with the upstream maintainer before any work gets done, otherwise our effort might end up thrown away as soon as upstream implements it.

icons/user_comment.png L. B. wrote: (8 years ago)

Yes, I talk with the upstream today, just wait for response. You can follow it from below link. Thanks!

http://mail.gnome.org/archives/networkmanager-list/2009-September/date.html

icons/user_comment.png S. K. wrote: (8 years ago)

didn't see a lot of replies.

icons/user_comment.png L. B. wrote: (8 years ago)

The upstream maintainer Dan already reply this issue, and it's no user case for seperating add, modify and delete permission, and the others was agreed.

Lanc wang with me work the sled11 and upstream now, we'll provide a patch in this week.

icons/user_comment.png W. L. wrote: (8 years ago)

Hi

I add five policy  like the following : org.freedesktop.network-manager-settings.system.wired.modify  org.freedesktop.network-manager-settings.system.wireless.modify org.freedesktop.network-manager-settings.system.mobile.modify  org.freedesktop.network-manager-settings.system.vpn.modify org.freedesktop.network-manager-settings.system.dsl.modify.  As you know there will be one policy one type.  I make a patch which works.

But I feel a little confused on the user settings.  As the user settings are saved in the gconf, so adding  someting like manager-settings.user.*.modify make no sense.  As far as I know user  can always edit their gconf settings.  

I think what should be done may be the policy that determine if the users can apply their settings to the system devices throught dbus. 

Given we do it like that, should the nm-applet display the user setting in the menu, when a normal user can not apply his or her settings to system devices?  I think it is better that nm-applet show both system settings and user settings, and it will show error dialog if a user try to apply user settings when the user does not have the right do that.    

Hi Tambet, what do you think?

icons/user_comment.png L. B. wrote: (8 years ago)

Tambet reply in the mailinglist, we just lock the /system/networking path in gconf and the settings can't be changed.

icons/user_comment.png M. M. wrote: (8 years ago)

We should also add the case mentioned in Bug #522742 - to allow disabling the "Create new wireless network" functionality.
This is of particular concern to the security team, and I'd like to see it addressed as part of the same work if possible.

Otherwise, this looks great - thanks Li Bin :-)

icons/user_comment.png L. B. wrote: (8 years ago)

Michael,

 I've viewed the Bug #522742, it talk more about sharing, and we don't need to disable "Create new wireless network", user can add it, but when they wanna to apply it by click the connection, check org.freedesktop.network-manager-settings.user.wireless.apply permission like the Lance describe in #16.

Does it okay?

icons/user_comment.png M. M. wrote: (8 years ago)

No - connecting to a new wireless network is -very- different from sharing all your existing connections over your current wireless network; I can see why people would want to allow one and not allow the other.

We should (ideally) have a different policy setting for this - if possible.
Thanks

icons/user_comment.png W. L. wrote: (8 years ago)

Hi Michael

I have read Bug #522742. And it is about sharing network. I wonder that why only the "Create new wireless network" need a policy, since all kinds type connection can be shared. As far as I know in nm-applet 7.0 the "Create new wireless network" is only for adhoc wireless connection. Did you mean that sharing adhoc wireless connection have security problem? And other type connections do not ?

Thanks,

Lance Wang.

icons/user_comment.png T. R. wrote: (8 years ago)

Can you please confirm what the final policy names (identifiers) are going to be for 11.2 and what can be influenced with them? (a short description as available from the Description field in polkit-gnome-authorization would be sufficient).

I would like to mention this in the 11.2 docs about NetworkManager, but so far, I only found the one policy that relates to modifying administrator defined connections (org.freedesktop.network-manager-settings.system.modify). From your comments above I'm not sure if the names mentioned in #16 are the final ones for the newly added policies (and if the list is complete). Please advise asap as the translation deadline for this chapter is approaching. Thanks!

icons/user_comment.png . . wrote: (8 years ago)

Tanja,

 Just come back from holiday, sorry for late. Now this feature is still not in the upstream, I'm still working on it.  I prepare to seperate the permission into more fined like,

org.freedesktop.network-manager-settings.system.wireless.modify - Modify system wired connections

org.freedesktop.network-manager-settings.system.wired.modify - Modify system wireless connections

the description follow the policy.

The #16 is now for the SLED 11-SP1 for temporary resolving usercase, I'm not sure if it could be received by upstream which is used for 11.2.

So what's your translation deadline? I'll inform you when I confirm it with upstream.

icons/user_comment.png . . wrote: (8 years ago)

Lin Bi, thanks very much for clarifying! :) Our localization deadline is Oct 15th but as the files have to go through language proofreading before, I have to finish the chapter today, I'm afraid.

But don't worry, to be on the safe side (whatever the upstream decision may be), we can handle it as follows: for now, I'll only mention that there *are* policies for NetworkManager and where to find them in PolicyKit. We can then add more details for the next release of the docs (presumably SLE 11 SP1).

icons/user_comment.png . . wrote: (8 years ago)

Removing the needinfo status.

icons/user_comment.png W. L. wrote: (8 years ago)

Hi Ludwig Nussel

Could you test this new functions in SLED11. I made the packages with the function. These are the URLs

https://api.suse.de/build/home:lzwang:branches:SUSE:SLE-11:Update:Test/standard/i586/NetworkManager/NetworkManager-0.7.0.r4359-15.24.1.i586.rpm

https://api.suse.de/build/home:lzwang:branches:SUSE:SLE-11:Update:Test/standard/i586/NetworkManager/NetworkManager-glib-0.7.0.r4359-15.24.1.i586.rpm

https://api.suse.de/build/home:lzwang:branches:SUSE:SLE-11:Update:Test/standard/i586/NetworkManager-gnome/NetworkManager-gnome-0.7.0.r1053-11.11.1.i586.rpm

I implemented the following policy:

"org.freedesktop.network-manager-settings.system.wired.modify"
"org.freedesktop.network-manager-settings.system.wireless.modify"
"org.freedesktop.network-manager-settings.system.mobile.modify"
"org.freedesktop.network-manager-settings.system.vpn.modify"
"org.freedesktop.network-manager-settings.system.dsl.modify"

"org.freedesktop.network-manager-settings.user.wired.apply"
"org.freedesktop.network-manager-settings.user.wireless.apply"
"org.freedesktop.network-manager-settings.user.mobile.apply"
"org.freedesktop.network-manager-settings.user.vpn.apply"
"org.freedesktop.network-manager-settings.user.dsl.apply"

.

And *.modify are the policy for the editing adding and deleting of the system connections. And *.apply are the policy for applying the user connection to activate the devices.

You can see the default settings in /usr/share/PolicyKit/policy/org.freedesktop.network-manager-settings.system.policy, which make the NM behave like the one without those policy.

Thanks,

Lance Wang

icons/user_comment.png L. N. wrote: (8 years ago)

I've tried it on openSUSE 11.1 now. Works great AFAICT.
However I think the usability could be enhanced by creating system connections by default, at least when user connections are restricted. That way the user would not need to authenticate each time he wants to connect.

wrt separate policy for shared connections, I think that should be doable by checking another condition in is_user_request_connection_type_authorized(), right?

icons/user_comment.png W. L. wrote: (8 years ago)

Hi Ludwig
I have a look at the request "creating system connections by default". I think it could not be done like that.
   1. Connections created by the users include personal secrets which should not be saved in system scope without the permission of the owner. Because in the NetworkManager the password in system connection is saved without encrypted.
   2. Saving a connection as a system one means another authentication which control by org.freedesktop.network-manager-settings.system.*.modify.
   3. In the NetworkManager 0.7 activation of a system connection will not ask the console user about any kind secrets settings. That will make user confused if he types the wrong password first time.
   4. Maybe it can be implemented in the way that after the user connection is successfully applied, the nm-applet change the user connection to a system connection. But the way is very ugly I think.
And there is a way the user would not need to authenticate each time he wants to connect if he have the privilege of modifying system connection. He can change a connection scope from user to system in nm-connection-editor.
   1. If the computer is a personal one, the user who is the administrator can set all the policy settings to default. That NetworkManager can apply any kind connection.
   2. If the computer is centrally controlled, the administrator is responsible for settings the default system connections for all users.
   3. If there is specific user should be given some privileges, the administrator can set them in the polkit.
wrt separate policy for shared connections, yes they are doable. I think the policy should be like these
org.freedesktop.network-manager-settings.user.*.share
.

And how do you think the default settings of these policy ?

icons/user_comment.png W. L. wrote: (8 years ago)

(sorry. repeat reply for missing format)

Hi Ludwig

I have a look at the request "creating system connections by default". I think it could not be done like that.   

  1. Connections created by the users include personal secrets which should not be saved in system scope without the permission of the owner. Because in the NetworkManager the password in system connection is saved without encrypted.   
  2. Saving a connection as a system one means another authentication which control by org.freedesktop.network-manager-settings.system.*.modify.   
  3. In the NetworkManager 0.7 activation of a system connection will not ask the console user about any kind secrets settings. That will make user confused if he types the wrong password first time.   
  4. Maybe it can be implemented in the way that after the user connection is successfully applied, the nm-applet change the user connection to a system connection. But the way is very ugly I think.

And there is a way the user would not need to authenticate each time he wants to connect if he has the privilege of modifying system connection. He can change a connection scope from user to system in nm-connection-editor.  

  1. If the computer is a personal one, the user who is the administrator can set all the policy settings to default. That NetworkManager can apply any kind connection.   
  2. If the computer is centrally controlled, the administrator is responsible for settings the default system connections for all users.   
  3. If there is specific user should be given some privileges, the administrator can set them in the polkit.

wrt separate policy for shared connections, yes they are doable. I think the policy should be like these

org.freedesktop.network-manager-settings.user.*.share

.

And how do you think the default settings of these policy ?

icons/user_comment.png L. N. wrote: (8 years ago)

Ok. I already suspected that the system setting thing is hard to do with NM's architecture.

Wrt share settings I'd set them to auth_admin_keep_always by default. However, the settings you add to the package get overwritten by polkit-default-privs anyways to be able to use different settings for 'standard' and 'restrictive'.

icons/user_comment.png W. L. wrote: (8 years ago)

Hi Ludwig

The version with shared connection is ready. These are

https://api.suse.de/build/home:lzwang:branches:SUSE:SLE-11:Update:Test/standard/i586/NetworkManager/NetworkManager-0.7.0.r4359-15.25.1.i586.rpm

https://api.suse.de/build/home:lzwang:branches:SUSE:SLE-11:Update:Test/standard/i586/NetworkManager/NetworkManager-glib-0.7.0.r4359-15.25.1.i586.rpm

https://api.suse.de/build/home:lzwang:branches:SUSE:SLE-11:Update:Test/standard/i586/NetworkManager-gnome/NetworkManager-gnome-0.7.0.r1053-11.12.1.i586.rpm

The policy added are org.freedesktop.network-manager-settings.user.*.apply-with-share.  What should be mentioned is that the shared connection is only controlled by these. In other words
org.freedesktop.network-manager-settings.user.*.apply do not control the shared connection.

Thanks,

Lance Wang

icons/user_comment.png M. S. wrote: (5 years ago)

What is the status of this feature now?

Regards
Martin

Last change: 5 years ago
Voting
Score: 10
  • Negative: 0
  • Neutral: 1
  • Positive: 10
Feature Export
Application-xmlXML   Text-x-logPlaintext   PrinterPrint