Mailinglist Archive: opensuse-features (327 mails)
[openFATE 305657] finer grained PolicyKit support for Networkmanager
- From: fate_noreply@xxxxxxx
- Date: Tue, 1 Sep 2009 09:14:46 +0200 (CEST)
- Message-id: <feature-305657-25@xxxxxxxxxxxxxx>
Feature changed by: Li Bin (BinLi)
Feature #305657, revision 25
Title: finer grained PolicyKit support for Networkmanager
openSUSE-11.2: Evaluation
Priority
Requester: Important
Projectmanager: Desirable
Requested by: Ludwig Nussel (lnussel)
Description:
NetworkManager currently only supports one PolicyKit privilege. That is
whether a user is allowed to modify administrator defined connections
or not. There is no way to disallow users to define their own network
configurations. NetworkManager should at least support one additional
PolicyKit privilege that defines whether or not users are allowed to
bring their own network configuration or whether they are merely allowed
to use administrator defined ones.
Use Case:
- disallow workers on centrally administered machines to configure
different network settings
- protect home users that only ever connect to a few well known nets
from accidentally changing their setup
Discussion:
#1: Matthias Nagorni (mnagorni) (2009-08-21 14:26:22)
If this can be done with little effort I would be even tempted to rate
it Mandatory.
#2: Stefan Behlert (sbehlert) (2009-08-25 16:37:57)
Alex, is there someone on your team who could look at that? Maybe with
some support from Tambet?
#3: Li Bin (binli) (2009-08-26 05:58:01)
I and lance wang would like to take care of it. We still don't know the
requirement clearly.
1. disallow workers on centrally administered machines to configure
different network settings
Do the workers mean the users on administered machines? Is it right that
when workers configure network settings, it prompts that they have no
permission? If so, I thought we could change PolicyKit's
configuration file to complete it.
2. protect home users that only ever connect to a few well known nets
from accidentally changing their setup
How to distinguish home users from workers? Does it mean don't allow
the user to configure other users' connections?
#4: Ludwig Nussel (lnussel) (2009-08-26 08:40:53) (reply to #3)
Currently there's only
org.freedesktop.network-manager-settings.system.modify, introduce
something like org.freedesktop.network-manager-settings.user.modify
so NM can determine whether it should accept user settings.
#5: JP Rosevear (jproseve) (2009-08-26 17:06:51) (reply to #3)
My suggestion would be to look at something like the following:
org.freedesktop.network-manager-settings.system.modify
org.freedesktop.network-manager-settings.system.add
org.freedesktop.network-manager-settings.system.delete
and the same for .user - you may even want to specifically allow or
disallow adding for specific network types like wired, wireless, etc.
You probably also want to have the ability to enable/disable wireless
in general and enable/disable networking covered.
You can default all of these to the current settings, but adding these
would allow more lockdown opportunities.
#6: Li Bin (binli) (2009-08-31 11:22:12)
Well, we'll work on this feature this week, get to know
PolicyKit and NetworkManager, and write the patch if time is okay.
Tambet,
Do you have any idea about this feature?
#7: Luis Medinas (lmedinas) (2009-08-31 18:40:51) (reply to #6)
Might be worth looking at NM 0.8 (git master), it supports the latest
polkit-1 and it should be released before 11.2. Maybe some of these
features were introduced.
#8: Tambet Ingo (tambet) (2009-09-01 09:40:05) (reply to #7)
NM 0.8 will not be out before 11.2, it'll be out for the next Fedora
release which will happen after 11.2. Also, current git master does not
have any work for this feature, it's just been converted to use the
newer, incompatible polkit API.
#9: Tambet Ingo (tambet) (2009-09-01 09:43:56) (reply to #6)
The upstream has been planning on having a similar feature for a while
now, but no work has been done on it yet. I strongly suggest to have a
discussion with the upstream maintainer before any work gets done,
otherwise our effort might end up thrown away as soon as upstream
implements it.
+ #10: Li Bin (binli) (2009-09-01 09:14:24)
+ Yes, I talk with the upstream today, just wait for response. You can
+ follow it from below link. Thanks!
+ http://mail.gnome.org/archives/networkmanager-list/2009-September/date.html
--
openSUSE Feature:
https://features.opensuse.org/305657
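
Added example, not part of the original thread and not NetworkManager or PolicyKit code: a small audit that reads a policy file and reports, for the system/user and modify/add/delete split discussed in comments #4 and #5, which operations an administrator can actually lock down. Apart from system.modify, the action ids are the thread's proposals rather than existing identifiers; the policy XML is a constructed sample in the polkit `<policyconfig>` layout, and treating a missing `allow_active` as "no" is an assumption.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.freedesktop.network-manager-settings"
# Action ids as proposed in comments #4 and #5 (hypothetical, except system.modify).
PROPOSED = [f"{PREFIX}.{scope}.{op}"
            for scope in ("system", "user")
            for op in ("modify", "add", "delete")]

# Constructed sample policy: one existing privilege plus one proposed one.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.network-manager-settings.system.modify">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.network-manager-settings.user.modify">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def load_defaults(policy_xml):
    """Map each declared action id to its allow_active default."""
    root = ET.fromstring(policy_xml)
    defaults = {}
    for action in root.iter("action"):
        value = action.findtext("defaults/allow_active")
        # Assumption: a missing allow_active element is treated as "no".
        defaults[action.get("id")] = (value or "no").strip()
    return defaults

def lockdown_report(policy_xml):
    """Classify every proposed action as ungated, open or restricted."""
    defaults = load_defaults(policy_xml)
    report = {}
    for action_id in PROPOSED:
        value = defaults.get(action_id)
        if value is None:
            report[action_id] = "ungated"     # no privilege exists, policy cannot restrict it
        elif value == "yes":
            report[action_id] = "open"        # active users need no authentication
        else:
            report[action_id] = "restricted"  # "no" or an auth_* prompt
    return report

if __name__ == "__main__":
    for action_id, state in lockdown_report(SAMPLE_POLICY).items():
        print(f"{state:10} {action_id}")
```

An "ungated" row is the gap the feature request describes: with no privilege defined for an operation, no policy setting can deny it.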