Mailinglist Archive: opensuse-features (327 mails)
| < Previous | Next > |
[openFATE 305657] finer grained PolicyKit support for Networkmanager
- From: fate_noreply@xxxxxxx
- Date: Mon, 12 Oct 2009 13:19:18 +0200 (CEST)
- Message-id: <feature-305657-48@xxxxxxxxxxxxxx>
Feature changed by: Tanja Roth (ta-ro)
Feature #305657, revision 48
Title: finer grained PolicyKit support for Networkmanager
openSUSE-11.2: Candidate
Priority
Requester: Important
Projectmanager: Desirable
Requested by: Ludwig Nussel (lnussel)
Description:
NetworkManager currently only supports one PolicyKit privilege. That is
whether a user is allowed to modify administrator defined connections
or not. There is no way to disallow users to define their own network
configurations. NetworkManager should at least support one additional
PolicyKit privilege that defines whether or not users are allowed to
bring their own network configuration or whether they mere are allowed
to use administrator defined ones.
Use Case:
- disallow workers on centrally administered machines to configure
different network settings
- protect home users that only ever connect to a few well known nets
from accidently changing their setup
Discussion:
#1: Matthias Nagorni (mnagorni) (2009-08-21 14:26:22)
If this can be done with little effort I would be even tempted to rate
it Mandatory.
#2: Stefan Behlert (sbehlert) (2009-08-25 16:37:57)
Alex, is there soemone on your team who could look at that? MAybe with
some support form Tambet?
#3: Li Bin (binli) (2009-08-26 05:58:01)
I and lance wang would like to take care of it. We still don't know the
requirement clearly.
1. disallow workers on centrally administered machines to configure
different network settings
The workers mean the users in administered machines? Does it right that
when workers configure network settings it prompt they are no
permission? If so I thought we could change the PolicyKit's
configuration file to complete it.
2. protect home users that only ever connect to a few well known nets
from accidently changing their setup
How to distinguish home users from workers? Does it mean don't allow
the user to configure the other users connections?
#4: Ludwig Nussel (lnussel) (2009-08-26 08:40:53) (reply to #3)
Currently there's only org.freedesktop.network-manager-settings.system.
modify, introduce something like org.freedesktop.network-manager-
settings.user.modify so NM can determine whether it should accept user
settings.
#16: Wang Lance (lzwang) (2009-09-25 11:26:20) (reply to #4)
Hi Ludwig Nussel
I have added the following policy action:
org.freedesktop.network-manager-settings.user.wired.apply
org.freedesktop.network-manager-settings.user.wireless.apply
org.freedesktop.network-manager-settings.user.mobile.apply
org.freedesktop.network-manager-settings.user.vpn.apply
org.freedesktop.network-manager-settings.user.dsl.apply
.
NM now can determine whether it should apply the user settings to
devices by type.
Does the implementation meet your request?
I need your feedback to determine what should to do next step.
Thanks,
Lance Wang
#17: Ludwig Nussel (lnussel) (2009-09-25 11:58:50) (reply to #16)
Sure, that's even more than I had wished for.
Would it be possible to also have a separate privilege for the
connection sharing thingy? In contrast to the other configurations that
one also messes with iptables and starts a DHCP daemon.
#5: JP Rosevear (jproseve) (2009-08-26 17:06:51) (reply to #3)
My suggestion would be to look at something like the following: org.
freedesktop.network-manager-settings.system.modify org.freedesktop.
network-manager-settings.system.add org.freedesktop.network-manager-
settings.system.delete
and the same for .user - you may even want to specifically allow or
disallow adding for specific network types like wired, wireless, etc.
You probably also want to have the ability to enable/disable wireless
in general and enable/disable networking covered.
You can default all of these to the current settings, but adding these
would allow more lockdown opportunities.
#6: Li Bin (binli) (2009-08-31 11:22:12)
Well, We'll works on this feature in this week, know about the
PolicyKit and NetworkManager, write the patch if time is okay.
Tambet,
Do you have any idea about this feature?
#7: Luis Medinas (lmedinas) (2009-08-31 18:40:51) (reply to #6)
Might worth looking at NM 0.8 (git master), it supports the latest
polkit-1 and it should be released before 11.2. Maybe some of this
features were introduced.
#8: Tambet Ingo (tambet) (2009-09-01 09:40:05) (reply to #7)
NM 0.8 will not be out before 11.2, it'll be out for the next Fedora
release which will happen after 11.2. Also, current git master does not
have any work for this feature, it's just been converted to use the
newer, incompatible polkit API.
#9: Tambet Ingo (tambet) (2009-09-01 09:43:56) (reply to #6)
The upstream has been planning on having similar feature for a while
now, but no work has been done on it yet. I strongly suggest to have a
discussion with the upstream maintainer before any work gets done,
otherwise our effort might end up thrown away as soon as upstream
implements it.
#10: Li Bin (binli) (2009-09-01 09:14:24)
Yes, I talk with the upstream today, just wait for response. You can
follow it from below link. Thanks!
http://mail.gnome.org/archives/networkmanager-list/2009-September/date.html
#11: Stephan Kulow (coolo) (2009-09-07 13:39:17) (reply to #10)
didn't see a lot of replies.
#12: Li Bin (binli) (2009-09-10 05:24:05)
The upstream maintainer Dan already reply this issue, and it's no user
case for seperating add, modify and delete permission, and the others
was agreed.
Lanc wang with me work the sled11 and upstream now, we'll provide a
patch in this week.
#13: Wang Lance (lzwang) (2009-09-15 08:10:43)
Hi
I add five policy like the following : org.freedesktop.network-manager-
settings.system.wired.modify org.freedesktop.network-manager-settings.
system.wireless.modify org.freedesktop.network-manager-settings.system.
mobile.modify org.freedesktop.network-manager-settings.system.vpn.
modify org.freedesktop.network-manager-settings.system.dsl.modify. As
you know there will be one policy one type. I make a patch which
works.
But I feel a little confused on the user settings. As the user
settings are saved in the gconf, so adding someting like manager-
settings.user.*.modify make no sense. As far as I know user can
always edit their gconf settings.
I think what should be done may be the policy that determine if the
users can apply their settings to the system devices throught dbus.
Given we do it like that, should the nm-applet display the user setting
in the menu, when a normal user can not apply his or her settings to
system devices? I think it is better that nm-applet show both system
settings and user settings, and it will show error dialog if a user try
to apply user settings when the user does not have the right do
that.
Hi Tambet, what do you think?
#14: Li Bin (binli) (2009-09-17 11:18:37) (reply to #13)
Tambet reply in the mailinglist, we just lock the /system/networking
path in gconf and the settings can't be changed.
#15: Michael Meeks (michael_meeks) (2009-09-23 16:55:40)
We should also add the case mentioned in bug #522742 - to allow
disabling the "Create new wireless network" functionality. This is of
particular concern to the security team, and I'd like to see it
addressed as part of the same work if possible.
Otherwise, this looks great - thanks Li Bin :-)
#18: Li Bin (binli) (2009-09-25 12:03:28) (reply to #15)
Michael,
I've viewed the bug#522742, it talk more about sharing, and we don't
need to disable "Create new wireless network", user can add it, but
when they wanna to apply it by click the connection, check org.
freedesktop.network-manager-settings.user.wireless.apply permission
like the Lance describe in #16.
Does it okay?
#19: Michael Meeks (michael_meeks) (2009-09-28 10:10:26) (reply to
#18)
No - connecting to a new wireless network is -very- different from sharing
all your existing connections over your current wireless network; I can
see why people would want to allow one and not allow the other.
We should (ideally) have a different policy setting for this - if
possible. Thanks
#20: Tanja Roth (ta-ro) (2009-10-05 15:01:26)
Can you please confirm what the final policy names (identifiers) are
going to be for 11.2 and what can be influenced with them? (a short
description as available from the Description field in polkit-gnome-
authorization would be sufficient).
I would like to mention this in the 11.2 docs about NetworkManager, but
so far, I only found the one policy that relates to modifying
administrator defined connections (org.freedesktop.network-manager-
settings.system.modify). From your comments above I'm not sure if the
names mentioned in #16 are the final ones for the newly added policies
(and if the list is complete). Please advise asap as the translation
deadline for this chapter is approaching. Thanks!
#22: (binli) (2009-10-12 11:27:53) (reply to #20)
Tanja,
Just come back from holiday, sorry for late. Now this feature is still
not in the upstream, I'm still working on it. I prepare to seperate
the permission into more fined like,
org.freedesktop.network-manager-settings.system.wireless.modify -
Modify system wired connections
org.freedesktop.network-manager-settings.system.wired.modify - Modify
system wireless connections
the description follow the policy.
The #16 is now for the SLED 11-SP1 for temporary resolving usercase,
I'm not sure if it could be received by upstream which is used for
11.2.
So what's your translation deadline? I'll inform you when I confirm it
with upstream.
#23: (ta-ro) (2009-10-12 12:25:30) (reply to #22)
Lin Bi, thanks very much for clarifying! :) Our localization deadline
is Oct 15th but as the files have to go through language proofreading
before, I have to finish the chapter today, I'm afraid.
But don't worry, to be on the safe side (whatever the upstream decision
may be), we can handle it as follows: for now, I'll only mention that
there *are* policies for NetworkManager and where to find them in
PolicyKit. We can then add more details for the next release of the
docs (presumably SLE 11 SP1).
+ #24: (ta-ro) (2009-10-12 13:18:21) (reply to #23)
+ Removing the needinfo status.
--
openSUSE Feature:
https://features.opensuse.org/305657
Feature #305657, revision 48
Title: finer grained PolicyKit support for Networkmanager
openSUSE-11.2: Candidate
Priority
Requester: Important
Projectmanager: Desirable
Requested by: Ludwig Nussel (lnussel)
Description:
NetworkManager currently only supports one PolicyKit privilege. That is
whether a user is allowed to modify administrator defined connections
or not. There is no way to disallow users to define their own network
configurations. NetworkManager should at least support one additional
PolicyKit privilege that defines whether or not users are allowed to
bring their own network configuration or whether they mere are allowed
to use administrator defined ones.
Use Case:
- disallow workers on centrally administered machines to configure
different network settings
- protect home users that only ever connect to a few well known nets
from accidently changing their setup
Discussion:
#1: Matthias Nagorni (mnagorni) (2009-08-21 14:26:22)
If this can be done with little effort I would be even tempted to rate
it Mandatory.
#2: Stefan Behlert (sbehlert) (2009-08-25 16:37:57)
Alex, is there soemone on your team who could look at that? MAybe with
some support form Tambet?
#3: Li Bin (binli) (2009-08-26 05:58:01)
I and lance wang would like to take care of it. We still don't know the
requirement clearly.
1. disallow workers on centrally administered machines to configure
different network settings
The workers mean the users in administered machines? Does it right that
when workers configure network settings it prompt they are no
permission? If so I thought we could change the PolicyKit's
configuration file to complete it.
2. protect home users that only ever connect to a few well known nets
from accidently changing their setup
How to distinguish home users from workers? Does it mean don't allow
the user to configure the other users connections?
#4: Ludwig Nussel (lnussel) (2009-08-26 08:40:53) (reply to #3)
Currently there's only org.freedesktop.network-manager-settings.system.
modify, introduce something like org.freedesktop.network-manager-
settings.user.modify so NM can determine whether it should accept user
settings.
#16: Wang Lance (lzwang) (2009-09-25 11:26:20) (reply to #4)
Hi Ludwig Nussel
I have added the following policy action:
org.freedesktop.network-manager-settings.user.wired.apply
org.freedesktop.network-manager-settings.user.wireless.apply
org.freedesktop.network-manager-settings.user.mobile.apply
org.freedesktop.network-manager-settings.user.vpn.apply
org.freedesktop.network-manager-settings.user.dsl.apply
.
NM now can determine whether it should apply the user settings to
devices by type.
Does the implementation meet your request?
I need your feedback to determine what should to do next step.
Thanks,
Lance Wang
#17: Ludwig Nussel (lnussel) (2009-09-25 11:58:50) (reply to #16)
Sure, that's even more than I had wished for.
Would it be possible to also have a separate privilege for the
connection sharing thingy? In contrast to the other configurations that
one also messes with iptables and starts a DHCP daemon.
#5: JP Rosevear (jproseve) (2009-08-26 17:06:51) (reply to #3)
My suggestion would be to look at something like the following: org.
freedesktop.network-manager-settings.system.modify org.freedesktop.
network-manager-settings.system.add org.freedesktop.network-manager-
settings.system.delete
and the same for .user - you may even want to specifically allow or
disallow adding for specific network types like wired, wireless, etc.
You probably also want to have the ability to enable/disable wireless
in general and enable/disable networking covered.
You can default all of these to the current settings, but adding these
would allow more lockdown opportunities.
#6: Li Bin (binli) (2009-08-31 11:22:12)
Well, We'll works on this feature in this week, know about the
PolicyKit and NetworkManager, write the patch if time is okay.
Tambet,
Do you have any idea about this feature?
#7: Luis Medinas (lmedinas) (2009-08-31 18:40:51) (reply to #6)
Might worth looking at NM 0.8 (git master), it supports the latest
polkit-1 and it should be released before 11.2. Maybe some of this
features were introduced.
#8: Tambet Ingo (tambet) (2009-09-01 09:40:05) (reply to #7)
NM 0.8 will not be out before 11.2, it'll be out for the next Fedora
release which will happen after 11.2. Also, current git master does not
have any work for this feature, it's just been converted to use the
newer, incompatible polkit API.
#9: Tambet Ingo (tambet) (2009-09-01 09:43:56) (reply to #6)
The upstream has been planning on having similar feature for a while
now, but no work has been done on it yet. I strongly suggest to have a
discussion with the upstream maintainer before any work gets done,
otherwise our effort might end up thrown away as soon as upstream
implements it.
#10: Li Bin (binli) (2009-09-01 09:14:24)
Yes, I talk with the upstream today, just wait for response. You can
follow it from below link. Thanks!
http://mail.gnome.org/archives/networkmanager-list/2009-September/date.html
#11: Stephan Kulow (coolo) (2009-09-07 13:39:17) (reply to #10)
didn't see a lot of replies.
#12: Li Bin (binli) (2009-09-10 05:24:05)
The upstream maintainer Dan already reply this issue, and it's no user
case for seperating add, modify and delete permission, and the others
was agreed.
Lanc wang with me work the sled11 and upstream now, we'll provide a
patch in this week.
#13: Wang Lance (lzwang) (2009-09-15 08:10:43)
Hi
I add five policy like the following : org.freedesktop.network-manager-
settings.system.wired.modify org.freedesktop.network-manager-settings.
system.wireless.modify org.freedesktop.network-manager-settings.system.
mobile.modify org.freedesktop.network-manager-settings.system.vpn.
modify org.freedesktop.network-manager-settings.system.dsl.modify. As
you know there will be one policy one type. I make a patch which
works.
But I feel a little confused on the user settings. As the user
settings are saved in the gconf, so adding someting like manager-
settings.user.*.modify make no sense. As far as I know user can
always edit their gconf settings.
I think what should be done may be the policy that determine if the
users can apply their settings to the system devices throught dbus.
Given we do it like that, should the nm-applet display the user setting
in the menu, when a normal user can not apply his or her settings to
system devices? I think it is better that nm-applet show both system
settings and user settings, and it will show error dialog if a user try
to apply user settings when the user does not have the right do
that.
Hi Tambet, what do you think?
#14: Li Bin (binli) (2009-09-17 11:18:37) (reply to #13)
Tambet reply in the mailinglist, we just lock the /system/networking
path in gconf and the settings can't be changed.
#15: Michael Meeks (michael_meeks) (2009-09-23 16:55:40)
We should also add the case mentioned in bug #522742 - to allow
disabling the "Create new wireless network" functionality. This is of
particular concern to the security team, and I'd like to see it
addressed as part of the same work if possible.
Otherwise, this looks great - thanks Li Bin :-)
#18: Li Bin (binli) (2009-09-25 12:03:28) (reply to #15)
Michael,
I've viewed the bug#522742, it talk more about sharing, and we don't
need to disable "Create new wireless network", user can add it, but
when they wanna to apply it by click the connection, check org.
freedesktop.network-manager-settings.user.wireless.apply permission
like the Lance describe in #16.
Does it okay?
#19: Michael Meeks (michael_meeks) (2009-09-28 10:10:26) (reply to
#18)
No - connecting to a new wireless network is -very- different from sharing
all your existing connections over your current wireless network; I can
see why people would want to allow one and not allow the other.
We should (ideally) have a different policy setting for this - if
possible. Thanks
#20: Tanja Roth (ta-ro) (2009-10-05 15:01:26)
Can you please confirm what the final policy names (identifiers) are
going to be for 11.2 and what can be influenced with them? (a short
description as available from the Description field in polkit-gnome-
authorization would be sufficient).
I would like to mention this in the 11.2 docs about NetworkManager, but
so far, I only found the one policy that relates to modifying
administrator defined connections (org.freedesktop.network-manager-
settings.system.modify). From your comments above I'm not sure if the
names mentioned in #16 are the final ones for the newly added policies
(and if the list is complete). Please advise asap as the translation
deadline for this chapter is approaching. Thanks!
#22: (binli) (2009-10-12 11:27:53) (reply to #20)
Tanja,
Just come back from holiday, sorry for late. Now this feature is still
not in the upstream, I'm still working on it. I prepare to seperate
the permission into more fined like,
org.freedesktop.network-manager-settings.system.wireless.modify -
Modify system wired connections
org.freedesktop.network-manager-settings.system.wired.modify - Modify
system wireless connections
the description follow the policy.
The #16 is now for the SLED 11-SP1 for temporary resolving usercase,
I'm not sure if it could be received by upstream which is used for
11.2.
So what's your translation deadline? I'll inform you when I confirm it
with upstream.
#23: (ta-ro) (2009-10-12 12:25:30) (reply to #22)
Lin Bi, thanks very much for clarifying! :) Our localization deadline
is Oct 15th but as the files have to go through language proofreading
before, I have to finish the chapter today, I'm afraid.
But don't worry, to be on the safe side (whatever the upstream decision
may be), we can handle it as follows: for now, I'll only mention that
there *are* policies for NetworkManager and where to find them in
PolicyKit. We can then add more details for the next release of the
docs (presumably SLE 11 SP1).
+ #24: (ta-ro) (2009-10-12 13:18:21) (reply to #23)
+ Removing the needinfo status.
--
openSUSE Feature:
https://features.opensuse.org/305657
| < Previous | Next > |