https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c zj jia changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |zjjia@suse.com AssignedTo|bnc-team-screening@forge.pr |bili@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c2 P Linnell changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mrdocs@opensuse.org --- Comment #2 from P Linnell 2011-11-22 19:14:41 UTC --- Yup, this is a major pain point. Workaround for the network issue: https://bugzilla.novell.com/show_bug.cgi?id=716291#c9 I've not hit the time zone issue yet, but I have moved 3 time zones in the last 72 hours. At least in KDE you can switch the displayed time setting in the system tray without changing the system time itself. Hope that helps, Peter -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c4 --- Comment #4 from Vincent Untz 2011-11-22 19:50:24 UTC --- (In reply to comment #3)

OpenSUSE should *fix* this

I pretty much agree, but the security team has another opinion :/ -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c6 Cristian Rodríguez changed: What |Removed |Added ---------------------------------------------------------------------------- Blocker|--- |Yes CC| |coolo@suse.com, | |crrodriguez@opensuse.org --- Comment #6 from Cristian Rodríguez 2011-11-22 19:28:19 CLST --- (In reply to comment #4)

(In reply to comment #3)

...

OpenSUSE should *fix* this

I pretty much agree, but the security team has another opinion :/

The system would indeed be pretty secure if it cannot be used in normal circunstances heh. This defaults are detached from reality and common use cases and must be fixed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c8 Roger Luedecke changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |roger.luedecke@gmail.com --- Comment #8 from Roger Luedecke 2011-11-22 15:26:17 PST --- Major personalities aside, Linus is exactly correct and indeed offers a powerful use-case that shows the flaw in our overly security paranoid settings. The average Joe User will not know how to audit policy kit actions; especially since the KDE System Settings module is broken. Considering also that if you were say given a laptop by your company, they would expect you to be able to work on the move... which means being able to use NetworkManager to connect to whatever random coffee shop one lands at. And if they are concerned about security (which is the assumption of the default polkit policy) they sure as heck wouldn't give you root. Again, in the example given by Linus I sure as heck wouldn't give a child root access on any machine I have to maintain. And as he points out, the purpose of NetworkManager is to allow the desktop user to easily connect without needing root. Though one could argue the need for an admin to audit their own security and loosen it if they see necessary, considering the purpose of NetworkManager as stated in any document concerning it one would justifiably assume that it should behave as per 11.4 did. Thus its potential insecurity is well known, and changing the policy potentially introduces greater challenges to security auditing than it solves. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c10 --- Comment #10 from P Linnell 2011-11-23 14:13:42 UTC --- Ludwig, Thanks for the explanation of what is going on. So, what we need to work around this for an update is go back to the 11.4 behavior? I see SR 93203, which seems to be ths fix. Do you want me to file two new bugs one for time zone and one for IPV6 ? And no I was not blaming policy :) I just know its a major pain point. When my wife uses my netbook, I do not want to give her root to go to Starbucks.. Moreover, its a strong password likely for her to mess up ;) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c12 Hendrik Müller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |poolbarde@web.de --- Comment #12 from Hendrik Müller 2011-11-25 19:53:59 UTC --- I tried the one click installation provided by the comments about OBS in ticket https://bugzilla.novell.com/show_bug.cgi?id=716291. This patch works fine for me. Hope it will find into the standard updates soon... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c14 --- Comment #14 from Bernhard Wiedemann 2011-12-01 14:00:17 CET --- This is an autogenerated message for OBS integration: This bug (731812) was mentioned in https://build.opensuse.org/request/show/94704 Factory / polkit-default-privs -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c16 --- Comment #16 from Cristian Rodríguez 2011-12-07 10:03:55 CLST --- (In reply to comment #15)

I have installed OpenSuSE 12.1 last week on one of my Notebook,

An update was already released.. rpm -q --changelog polkit-default-privs-12.1-10.11.1.noarch | less * nov 23 2011 lnussel@suse.de - change NetworkManager policies (bnc#716291) - allow time zone changes (bnc#731812) - allow setting pin on modems (bnc#732358) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c18 Linus Torvalds changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | --- Comment #18 from Linus Torvalds 2011-12-16 05:22:11 UTC --- I'm re-opening this, because as far as I can tell, nothing has changed. I definitely have polkit-default-privs-12.1-10.11.1.noarch installed, yet when I try to connect to a new wireless network, the damn root passwork question comes up again. And when I ckick on the date, and I get the "Date and Time" settings thing, when I try to unlock that in order to actually *change* anything, it again asks for a root password. This is with gnome and networkmanager. If I go and edit the *existing* network connection (which requires the root password again) and then in network settings clear the "Available to all users" checkmark, I can then edit *that* connection without the root password. But that doesn't help. Not only did I need the root password to get there in the first place, THIS DOES NOT WORK FOR NEW CONNECTIONS! So if I give this laptop to a child, and she takes it to school and tries to connect to the school network, THAT WILL REQUIRE HER TO KNOW THE ROOT PASSWORD. Guys, what is up? This was marked as RESOLVED, but it's not fixed at all. Nothing has changed. The thing is still totally broken. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c20 Li Bin changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bili@suse.com --- Comment #20 from Li Bin 2011-12-16 08:28:26 UTC --- After debug it with '/usr/lib/polkit-1/polkitd --replace', I found we change the wrong privilege. To active the wireless, it need the permission of org.freedesktop.NetworkManager.netwok-control and org.freedesktop.NetworkManager.setttings.modify.system. And for time&timezone setting, it need the permission of org.gnome.settingdaemon.datetimemechanism.configure. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c22 Li Bin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |maintenance@opensuse.org --- Comment #22 from Li Bin 2011-12-16 09:49:50 UTC --- Maintenance, Is okay let it in updates? I submit a request for this one. Thanks! Request: #96843 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c24 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@suse.com, | |meissner@suse.com InfoProvider|maintenance@opensuse.org |lnussel@suse.com --- Comment #24 from Marcus Meissner 2011-12-16 09:59:19 UTC --- Ludwig should review this first. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c26 --- Comment #26 from Li Bin 2011-12-16 10:22:21 UTC --- (In reply to comment #24)

Ludwig should review this first.

Yes, from bnc#690496, the below 3 items merge into only one, and the upstream uses auth_admin_keep. I'm not sure if it's okay to allow time changing by default. org.gnome.settingsdaemon.datetimemechanism.settimezone org.gnome.settingsdaemon.datetimemechanism.settime org.gnome.settingsdaemon.datetimemechanism.configurehwclock => org.gnome.settingsdaemon.datetimemechanism.configure -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c28 --- Comment #28 from Linus Torvalds 2011-12-16 16:26:09 UTC --- (In reply to comment #27)

In any case feel free to adjust polkit privileges on your systems to suite your individual needs. I'm sure there are more you wish to change (e.g. to allow installing updates).

Christ. You're a distribution. Your *ONLY*GOAL*IN*LIFE* should be to make something that works. If you say "We ship shit, so you need to be an expert and fix it up in order for it to be usable", you have failed at your job. And seriously, that is exactly what you said. OpenSUSE 12.1 network configuration *IS*NOT*USABLE* in real life as-is. Don't tell people to edit their polkit privileges to individual needs. Make a usable system, or at least expose a big and visible button saying "make this system usable". As it is, the only people who can fix it are people who know more than the average bear. That's a disaster. This is not about "security issues". A unusable system is always secure, because nobody *cares*. It's crap. It is, as somebody commented elsewhere, like making everybody have their shell be "/bin/false". That's really secure, but since it means that people can't get any actual work done, who the hell cares? That kind of "security" isn't security, it's just stupidity. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c30 --- Comment #30 from Linus Torvalds 2011-12-19 18:25:20 UTC --- (In reply to comment #29)

What you currently see is standard NM 0.9 behavior: - require root authentication to create 'public' connections (...modify.system) - allow users to create 'private' connections without authentication (...modify.own)

So how do you make that 'private' the default? The thing is, the way it is set up, I never even *get* to the point where I can make a private connection. It asks for the root password even before that. I would not at all mind having the wireless connections be per-user, but right now that is simply not an option. If that 'private' mode was the default (and then you'd need the root password to make a 'public' connection) everything would work fine afaik. Please? Please? Linus -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c33 --- Comment #33 from Gary Ching-Pang Lin 2011-12-22 06:42:39 UTC --- I think we don't need an extra button on the AP list to switch the mode. I've made patches for gnome-shell and NetworkManager-gnome to make the private mode the default and am testing the patches. The user still can switch the mode with the connection editor if she/he really wants the connection to be a system connection. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c35 --- Comment #35 from Gary Ching-Pang Lin 2011-12-22 07:25:29 UTC --- Created an attachment (id=468619) --> (http://bugzilla.novell.com/attachment.cgi?id=468619) NetworkManager-gnome patch -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c37 --- Comment #37 from Vincent Untz 2011-12-22 10:41:42 UTC --- (In reply to comment #33)

I think we don't need an extra button on the AP list to switch the mode. I've made patches for gnome-shell and NetworkManager-gnome to make the private mode the default and am testing the patches. The user still can switch the mode with the connection editor if she/he really wants the connection to be a system connection.

For reference, using private by default has been discussed a bit upstream, see https://bugzilla.gnome.org/show_bug.cgi?id=646187 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c39 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #468619|0 |1 is obsolete| | --- Comment #39 from Gary Ching-Pang Lin 2011-12-23 06:53:06 UTC --- Created an attachment (id=468795) --> (http://bugzilla.novell.com/attachment.cgi?id=468795) NetworkManager private connections patch Update the NetworkManager-gnome patch for the wired, bluetooth, 3G, and wimax connections. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c41 --- Comment #41 from Bernhard Wiedemann 2011-12-23 08:00:09 CET --- This is an autogenerated message for OBS integration: This bug (731812) was mentioned in https://build.opensuse.org/request/show/98014 12.1 / gnome-shell -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c43 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #43 from Gary Ching-Pang Lin 2012-01-10 03:16:23 UTC --- The patches were released. Let's close this bug. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c45 --- Comment #45 from Gary Ching-Pang Lin 2012-01-10 08:04:03 UTC --- (In reply to comment #44)

(In reply to comment #43)

...

The patches were released. Let's close this bug.

I haven't seen the patches for the Factory packages, I guess we want them there too?

Maybe we can get them discussed upstream, with an option to do that by default in gsettings? OK, I'll respin the patches to add a gsettings option to switch the default connection mode.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c47 Reid Piercey changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |reid.piercey@impsolutions.c | |om --- Comment #47 from Reid Piercey 2012-02-09 14:35:10 UTC --- I work as a consultant and have been using OpenSuse on my laptop for the past 3 years. I usually change network settings frequently (wired and wireless) using network manager and haven't had any issues until 12.1 I have installed the polkit-default-privs-12.2-3.1.noarch and this allows me to change wireless settings without being root. I still cannot change my wired settings without being root - a password prompt flashes and the settings are not saved. It would be helpful if the patch created for the wireless settings was applied to the wired section. I also agree with Ludwig - a group privilege would be a more manageable solution. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.