[Bug 731812] New: NetworkManager and time settings unusable for normal users, and forced ipv6 probing
https://bugzilla.novell.com/show_bug.cgi?id=731812

https://bugzilla.novell.com/show_bug.cgi?id=731812#c0

Summary: NetworkManager and time settings unusable for normal users, and forced ipv6 probing
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: torvalds@linux-foundation.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2

I'm considering installing OpenSUSE 12.1 on the other machines in the family too, but the totally crazy security settings currently make that a non-option.

When encountering a new wireless network, OpenSUSE 12.1 has apparently been configured to always ask for a root password. Seriously - that's totally idiotic. It basically means that I would have to give the root password to my kids just so that they can use their laptop.

Similar idiocy covers simple things like changing your timezone, which is less of an issue for the kids, but is equally idiotically broken.

Also, NetworkManager seems to always assume that IPv6 is "automatic", even if you disable IPv6 support in the network configuration tool. That's broken, and makes wireless connections take noticeably longer. Again, you can fix this in NetworkManager *after* you have connected to the network, but you need to do this on a network-by-network basis, and you need that crazy root password.

Guys, these aren't just "user interface warts". They are show-stoppers. Expecting normal users to have the root password in order to get basic things done is simply NOT ACCEPTABLE.

Reproducible: Always

Steps to Reproduce:
1. Get to a new location with a new wireless network or time zone
2. Try to connect to the network or change the time zone
3. FAIL

Actual Results:
Unusable machine with wrong timezone and no networking.

Expected Results:
I expect the desktop user to be able to connect to the network or set the timezone without having to know the root password. And not to have to wait for non-existing IPv6 setup before falling back to IPv4, when I've already told the machine to not enable IPv6.

This is a bog-standard OpenSUSE 12.1 install. It got upgraded from the beta with zypper. I assume the same happens from a from-scratch clean install.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=731812#c
zj jia
https://bugzilla.novell.com/show_bug.cgi?id=731812#c1
Vincent Untz
> When encountering a new wireless network, OpenSUSE 12.1 has apparently been configured to always ask for a root password. Seriously - that's totally idiotic. It basically means that I would have to give the root password to my kids just so that they can use their laptop.

This is bug 680140. See bug 716291 comment 6 for a way to configure things differently.

> Similar idiocy covers simple things like changing your timezone, which is less of an issue for the kids, but is equally idiotically broken.

Assuming this is GNOME (no idea about other desktops): same as above, except that it's for org.gnome.settingsdaemon.datetimemechanism.configure. The reason it's not automatically allowed for users is that this polkit rule is also used when changing the time, and the security team doesn't want this. (Timezone is fine for security team, but not time).

> Also, NetworkManager seems to always assume that IPv6 is "automatic", even if you disable IPv6 support in the network configuration tool. That's broken, and makes wireless connections take noticeably longer. Again, you can fix this in NetworkManager *after* you have connected to the network, but you need to do this on a network-by-network basis, and you need that crazy root password.

Am I right in guessing the network configuration tool is the yast one? When NetworkManager is used, this tool warns that the settings are not valid for NetworkManager, but just for ifup. Arguably, there could be some best effort integration for some of the settings, though...
https://bugzilla.novell.com/show_bug.cgi?id=731812#c2
P Linnell
https://bugzilla.novell.com/show_bug.cgi?id=731812#c3
--- Comment #3 from Linus Torvalds
https://bugzilla.novell.com/show_bug.cgi?id=731812#c4
--- Comment #4 from Vincent Untz
> OpenSUSE should *fix* this

I pretty much agree, but the security team has another opinion :/
https://bugzilla.novell.com/show_bug.cgi?id=731812#c5
--- Comment #5 from P Linnell
https://bugzilla.novell.com/show_bug.cgi?id=731812#c6
Cristian Rodríguez
(In reply to comment #3)
> > OpenSUSE should *fix* this
>
> I pretty much agree, but the security team has another opinion :/

The system would indeed be pretty secure if it cannot be used in normal circumstances heh. These defaults are detached from reality and common use cases and must be fixed.
https://bugzilla.novell.com/show_bug.cgi?id=731812#c7
--- Comment #7 from Linus Torvalds
https://bugzilla.novell.com/show_bug.cgi?id=731812#c8
Roger Luedecke
https://bugzilla.novell.com/show_bug.cgi?id=731812#c9
--- Comment #9 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=731812#c10
--- Comment #10 from P Linnell
https://bugzilla.novell.com/show_bug.cgi?id=731812#c11
--- Comment #11 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=731812#c12
Hendrik Müller
https://bugzilla.novell.com/show_bug.cgi?id=731812#c13
--- Comment #13 from Hendrik Müller
https://bugzilla.novell.com/show_bug.cgi?id=731812#c14
--- Comment #14 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=731812#c15
Joel Sabouret
https://bugzilla.novell.com/show_bug.cgi?id=731812#c16
--- Comment #16 from Cristian Rodríguez
> I have installed OpenSuSE 12.1 last week on one of my Notebook,

An update was already released..

rpm -q --changelog polkit-default-privs-12.1-10.11.1.noarch | less

* nov 23 2011 lnussel@suse.de
- change NetworkManager policies (bnc#716291)
- allow time zone changes (bnc#731812)
- allow setting pin on modems (bnc#732358)
https://bugzilla.novell.com/show_bug.cgi?id=731812#c17
Cristian Rodríguez
https://bugzilla.novell.com/show_bug.cgi?id=731812#c18
Linus Torvalds
https://bugzilla.novell.com/show_bug.cgi?id=731812#c19
Li Bin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c20
Li Bin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c21
--- Comment #21 from Li Bin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c22
Li Bin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c23
--- Comment #23 from Li Bin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c24
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=731812#c25
--- Comment #25 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=731812#c26
--- Comment #26 from Li Bin
> Ludwig should review this first.

Yes, from bnc#690496, the below 3 items merge into only one, and the upstream uses auth_admin_keep. I'm not sure if it's okay to allow time changing by default.

org.gnome.settingsdaemon.datetimemechanism.settimezone
org.gnome.settingsdaemon.datetimemechanism.settime
org.gnome.settingsdaemon.datetimemechanism.configurehwclock
=>
org.gnome.settingsdaemon.datetimemechanism.configure
https://bugzilla.novell.com/show_bug.cgi?id=731812#c27
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=731812#c28
--- Comment #28 from Linus Torvalds
> In any case feel free to adjust polkit privileges on your systems to suit your individual needs. I'm sure there are more you wish to change (e.g. to allow installing updates).

Christ. You're a distribution. Your *ONLY*GOAL*IN*LIFE* should be to make something that works. If you say "We ship shit, so you need to be an expert and fix it up in order for it to be usable", you have failed at your job.

And seriously, that is exactly what you said. OpenSUSE 12.1 network configuration *IS*NOT*USABLE* in real life as-is.

Don't tell people to edit their polkit privileges to individual needs. Make a usable system, or at least expose a big and visible button saying "make this system usable". As it is, the only people who can fix it are people who know more than the average bear. That's a disaster.

This is not about "security issues". An unusable system is always secure, because nobody *cares*. It's crap. It is, as somebody commented elsewhere, like making everybody have their shell be "/bin/false". That's really secure, but since it means that people can't get any actual work done, who the hell cares?

That kind of "security" isn't security, it's just stupidity.
https://bugzilla.novell.com/show_bug.cgi?id=731812#c29
--- Comment #29 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=731812#c30
--- Comment #30 from Linus Torvalds
> What you currently see is standard NM 0.9 behavior:
> - require root authentication to create 'public' connections (...modify.system)
> - allow users to create 'private' connections without authentication (...modify.own)

So how do you make that 'private' the default?

The thing is, the way it is set up, I never even *get* to the point where I can make a private connection. It asks for the root password even before that.

I would not at all mind having the wireless connections be per-user, but right now that is simply not an option. If that 'private' mode was the default (and then you'd need the root password to make a 'public' connection) everything would work fine afaik.

Please? Please?

Linus
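The privilege trade-off argued over in comments #26 and #30, as an added example that is not part of the bug thread or of any openSUSE package: a small audit of policy lines in the `action any:inactive:active` form used by polkit-default-privs, showing what a logged-in local user is blocked from and what relaxing one action would unlock. The sample lines are constructed, the NetworkManager action names are written out in full where the thread abbreviates them, and the `COVERS` mapping of actions to operations is an assumption for illustration.

```python
# Added example. SAMPLE is constructed, not copied from an openSUSE package.
# Line form: <polkit action>  <any>:<inactive>:<active>; one value means all three.
SAMPLE = """\
org.gnome.settingsdaemon.datetimemechanism.configure   auth_admin_keep
org.freedesktop.NetworkManager.settings.modify.system  auth_admin_keep
org.freedesktop.NetworkManager.settings.modify.own     auth_admin_keep:auth_admin_keep:yes
"""

DATETIME = "org.gnome.settingsdaemon.datetimemechanism.configure"
# Operations gated by each action (assumed mapping; the datetime entry is the
# three-into-one merge listed in comment #26).
COVERS = {
    DATETIME: ["set timezone", "set time", "configure hwclock"],
    "org.freedesktop.NetworkManager.settings.modify.system": ["save connection for all users"],
    "org.freedesktop.NetworkManager.settings.modify.own": ["save private connection"],
}
NEEDS_ADMIN = {"no", "auth_admin", "auth_admin_keep"}


def parse(text):
    """Return {action: (any, inactive, active)} from policy lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        parts = fields[1].split(":") if len(fields) == 2 else []
        if len(parts) == 1:
            parts = parts * 3
        if len(parts) != 3:
            raise ValueError(f"bad policy line: {raw!r}")
        rules[fields[0]] = tuple(parts)
    return rules


def blocked_for_active_user(rules):
    """Operations a logged-in local user cannot do without the admin password."""
    return sorted(op for action, (_, _, active) in rules.items()
                  if active in NEEDS_ADMIN for op in COVERS.get(action, [action]))


def newly_allowed(rules, action, active_value):
    """Operations that stop needing admin auth if `action` gets `active_value`."""
    if active_value in NEEDS_ADMIN or rules[action][2] not in NEEDS_ADMIN:
        return []
    return list(COVERS.get(action, [action]))


if __name__ == "__main__":
    rules = parse(SAMPLE)
    print("blocked:", blocked_for_active_user(rules))
    print("relaxing datetime unlocks:", newly_allowed(rules, DATETIME, "yes"))
```

Because the three date/time actions are merged into one, relaxing it to allow time zone changes also unlocks setting the clock, which is the granularity concern raised in comment #26.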
https://bugzilla.novell.com/show_bug.cgi?id=731812#c31
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=731812#c33
--- Comment #33 from Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c34
--- Comment #34 from Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c35
--- Comment #35 from Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c36
--- Comment #36 from Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c37
--- Comment #37 from Vincent Untz
> I think we don't need an extra button on the AP list to switch the mode. I've made patches for gnome-shell and NetworkManager-gnome to make the private mode the default and am testing the patches. The user still can switch the mode with the connection editor if she/he really wants the connection to be a system connection.

For reference, using private by default has been discussed a bit upstream, see https://bugzilla.gnome.org/show_bug.cgi?id=646187
https://bugzilla.novell.com/show_bug.cgi?id=731812#c38
Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c39
Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c40
Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c41
--- Comment #41 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=731812#c42
--- Comment #42 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=731812#c43
Gary Ching-Pang Lin
https://bugzilla.novell.com/show_bug.cgi?id=731812#c44
--- Comment #44 from Vincent Untz
> The patches were released. Let's close this bug.

I haven't seen the patches for the Factory packages, I guess we want them there too?

Maybe we can get them discussed upstream, with an option to do that by default in gsettings?
https://bugzilla.novell.com/show_bug.cgi?id=731812#c45
--- Comment #45 from Gary Ching-Pang Lin
(In reply to comment #43)
> > The patches were released. Let's close this bug.
>
> I haven't seen the patches for the Factory packages, I guess we want them there too?
>
> Maybe we can get them discussed upstream, with an option to do that by default in gsettings?

OK, I'll respin the patches to add a gsettings option to switch the default connection mode.
https://bugzilla.novell.com/show_bug.cgi?id=731812#c46
--- Comment #46 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=731812#c47
Reid Piercey
https://bugzilla.novell.com/show_bug.cgi?id=731812#c48
--- Comment #48 from Gary Ching-Pang Lin
> I still cannot change my wired settings without being root - a password prompt flashes and the settings are not saved. It would be helpful if the patch created for the wireless settings was applied to the wired section.

Did you upgrade NetworkManager-gnome and gnome-shell? My patches also covered wired connections.

BTW, the patches are only for the new connections. If you want to modify the existing connections, you can launch nm-connection-editor to edit the connection and uncheck "Available to all users".