[Bug 731812] New: NetworkManager and time settings unusable for normal users, and forced ipv6 probing

https://bugzilla.novell.com/show_bug.cgi?id=731812
https://bugzilla.novell.com/show_bug.cgi?id=731812#c0

Summary: NetworkManager and time settings unusable for normal users, and forced ipv6 probing
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: torvalds@linux-foundation.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2

I'm considering installing OpenSUSE 12.1 on the other machines in the family too, but the totally crazy security settings currently make that a non-option.

When encountering a new wireless network, OpenSUSE 12.1 has apparently been configured to always ask for a root password. Seriously - that's totally idiotic. It basically means that I would have to give the root password to my kids just so that they can use their laptop.

Similar idiocy covers simple things like changing your timezone, which is less of an issue for the kids, but is equally idiotically broken.

Also, NetworkManager seems to always assume that IPv6 is "automatic", even if you disable IPv6 support in the network configuration tool. That's broken, and makes wireless connections take noticeably longer. Again, you can fix this in NetworkManager *after* you have connected to the network, but you need to do this on a network-by-network basis, and you need that crazy root password.

Guys, these aren't just "user interface warts". They are show-stoppers. Expecting normal users to have the root password in order to get basic things done is simply NOT ACCEPTABLE.

Reproducible: Always

Steps to Reproduce:
1. Get to a new location with a new wireless network or time zone
2. Try to connect to the network or change the time zone
3. FAIL

Actual Results: Unusable machine with wrong timezone and no networking.

Expected Results: I expect the desktop user to be able to connect to the network or set the timezone without having to know the root password. And not to have to wait for non-existing IPv6 setup before falling back to IPv4, when I've already told the machine to not enable IPv6.

This is a bog-standard OpenSUSE 12.1 install. It got upgraded from the beta with zypper. I assume the same happens from a from-scratch clean install.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c

zj jia <zjjia@suse.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
CC         |                                           |zjjia@suse.com
AssignedTo |bnc-team-screening@forge.provo.novell.com  |bili@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=731812#c1

Vincent Untz <vuntz@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |vuntz@suse.com

--- Comment #1 from Vincent Untz <vuntz@suse.com> 2011-11-22 19:13:56 UTC ---

(In reply to comment #0)
> When encountering a new wireless network, OpenSUSE 12.1 has apparently been configured to always ask for a root password. Seriously - that's totally idiotic. It basically means that I would have to give the root password to my kids just so that they can use their laptop.

This is bug 680140. See bug 716291 comment 6 for a way to configure things differently.

> Similar idiocy covers simple things like changing your timezone, which is less of an issue for the kids, but is equally idiotically broken.

Assuming this is GNOME (no idea about other desktops): same as above, except that it's for org.gnome.settingsdaemon.datetimemechanism.configure. The reason it's not automatically allowed for users is that this polkit rule is also used when changing the time, and the security team doesn't want this. (Timezone is fine for security team, but not time).

> Also, NetworkManager seems to always assume that IPv6 is "automatic", even if you disable IPv6 support in the network configuration tool. That's broken, and makes wireless connections take noticeably longer. Again, you can fix this in NetworkManager *after* you have connected to the network, but you need to do this on a network-by-network basis, and you need that crazy root password.

Am I right in guessing the network configuration tool is the yast one? When NetworkManager is used, this tool warns that the settings are not valid for NetworkManager, but just for ifup. Arguably, there could be some best effort integration for some of the settings, though...

https://bugzilla.novell.com/show_bug.cgi?id=731812#c2

P Linnell <mrdocs@opensuse.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |mrdocs@opensuse.org

--- Comment #2 from P Linnell <mrdocs@opensuse.org> 2011-11-22 19:14:41 UTC ---

Yup, this is a major pain point.

Workaround for the network issue: https://bugzilla.novell.com/show_bug.cgi?id=716291#c9

I've not hit the time zone issue yet, but I have moved 3 time zones in the last 72 hours. At least in KDE you can switch the displayed time setting in the system tray without changing the system time itself.

Hope that helps,
Peter

https://bugzilla.novell.com/show_bug.cgi?id=731812#c3

--- Comment #3 from Linus Torvalds <torvalds@linux-foundation.org> 2011-11-22 19:22:40 UTC ---

Umm. Seriously - why do you point me to a workaround?

OpenSUSE should *fix* this, instead of pointing to some random bugzilla entry with a workaround for the problem.

It's a bug in the distro. Why ask your users to fix up the problems that the distribution has? Just fix the problem. Nothing like this ever happened to me on Fedora, and the OpenSUSE default settings are *insane*. Fix them instead of telling your users to edit random files to make the distro work.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c4

--- Comment #4 from Vincent Untz <vuntz@suse.com> 2011-11-22 19:50:24 UTC ---

(In reply to comment #3)
> OpenSUSE should *fix* this

I pretty much agree, but the security team has another opinion :/

https://bugzilla.novell.com/show_bug.cgi?id=731812#c5

--- Comment #5 from P Linnell <mrdocs@opensuse.org> 2011-11-22 22:01:46 UTC ---

Linus,

The workaround is meant to be temporary. And no, we're not in the habit of telling users to find stuff in bugzilla, nor edit random files in /etc. :)

Once you use the workaround, please let us know of other blockers you find. We're like Avis, we try harder. :)

https://bugzilla.novell.com/show_bug.cgi?id=731812#c6

Cristian Rodríguez <crrodriguez@opensuse.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Blocker    |---      |Yes
CC         |         |coolo@suse.com, crrodriguez@opensuse.org

--- Comment #6 from Cristian Rodríguez <crrodriguez@opensuse.org> 2011-11-22 19:28:19 CLST ---

(In reply to comment #4)
> (In reply to comment #3)
> > OpenSUSE should *fix* this
>
> I pretty much agree, but the security team has another opinion :/

The system would indeed be pretty secure if it cannot be used in normal circumstances heh. These defaults are detached from reality and common use cases and must be fixed.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c7

--- Comment #7 from Linus Torvalds <torvalds@linux-foundation.org> 2011-11-22 23:14:16 UTC ---

How about giving the security guys a button they can select in the network configuration that says "require root permissions to connect to unknown wireless access points"?

I don't mind giving the security people what they want, but it's crazy to have the default behavior be something unusable.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c8

Roger Luedecke <roger.luedecke@gmail.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |roger.luedecke@gmail.com

--- Comment #8 from Roger Luedecke <roger.luedecke@gmail.com> 2011-11-22 15:26:17 PST ---

Major personalities aside, Linus is exactly correct and indeed offers a powerful use-case that shows the flaw in our overly security paranoid settings. The average Joe User will not know how to audit policy kit actions; especially since the KDE System Settings module is broken.

Considering also that if you were say given a laptop by your company, they would expect you to be able to work on the move... which means being able to use NetworkManager to connect to whatever random coffee shop one lands at. And if they are concerned about security (which is the assumption of the default polkit policy) they sure as heck wouldn't give you root.

Again, in the example given by Linus I sure as heck wouldn't give a child root access on any machine I have to maintain. And as he points out, the purpose of NetworkManager is to allow the desktop user to easily connect without needing root.

Though one could argue the need for an admin to audit their own security and loosen it if they see necessary, considering the purpose of NetworkManager as stated in any document concerning it one would justifiably assume that it should behave as per 11.4 did. Thus its potential insecurity is well known, and changing the policy potentially introduces greater challenges to security auditing than it solves.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c9

--- Comment #9 from Ludwig Nussel <lnussel@suse.com> 2011-11-23 09:43:36 CET ---

Well, this bug should into separate ones as it mixes three issues. Anyways...

Wrt IPv6 this is clearly a NM issue. IMO NM should probe v6 the first time it connects and if that doesn't yield anything useful turn it off entirely for the future for this particular connection. NM could probably use some better kernel interface for that as the current sysctl way is rather clumsy.

Wrt time zone Vincent is right, no problem allowing timezone changes without auth_admin (even though I still think it's a bug in glibc that it allows setting $TZ but no ~/.localtime which would not require any changes to the system). The upstream setting for org.freedesktop.timedate1.set-timezone already is auth_admin, we didn't override that.

Wrt to NM the situation is sad. I actually filed bug 713639 months ago to get the privilege handling straightened up but it turns out we don't have anyone who actually really cares about NM in openSUSE. I had to dig through the code and add some hacks to NM myself to make "system" connections work at all without throwing popups out of the blue at users. Blaming the policy is the typical knee-jerk reaction to polkit popups while in fact the backend of the program in question isn't prepared at all to receive any result from polkit other than 'yes' without becoming annoying.

Also note that the 'retain authorization' checkbox (auth_admin_keep_always) of PolicyKit was a very nice way to mediate between a strict default policy and the need of individual users to regularly perform some tasks without authentication. Unfortunately polkit1 dropped support for that.

But well, let's set 'org.freedesktop.NetworkManager.settings.modify.own' back to 'yes' to hide those deficiencies again.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c10

--- Comment #10 from P Linnell <mrdocs@opensuse.org> 2011-11-23 14:13:42 UTC ---

Ludwig,

Thanks for the explanation of what is going on. So, what we need to work around this for an update is go back to the 11.4 behavior? I see SR 93203, which seems to be the fix.

Do you want me to file two new bugs, one for time zone and one for IPv6?

And no I was not blaming policy :) I just know it's a major pain point. When my wife uses my netbook, I do not want to give her root to go to Starbucks.. Moreover, it's a strong password likely for her to mess up ;)

https://bugzilla.novell.com/show_bug.cgi?id=731812#c11

--- Comment #11 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-11-23 17:00:07 CET ---

This is an autogenerated message for OBS integration:
This bug (731812) was mentioned in
https://build.opensuse.org/request/show/93332 12.1 / polkit-default-privs

https://bugzilla.novell.com/show_bug.cgi?id=731812#c12

Hendrik Müller <poolbarde@web.de> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |poolbarde@web.de

--- Comment #12 from Hendrik Müller <poolbarde@web.de> 2011-11-25 19:53:59 UTC ---

I tried the one click installation provided by the comments about OBS in ticket https://bugzilla.novell.com/show_bug.cgi?id=716291. This patch works fine for me. Hope it will find into the standard updates soon...

https://bugzilla.novell.com/show_bug.cgi?id=731812#c13

--- Comment #13 from Hendrik Müller <poolbarde@web.de> 2011-11-25 19:55:39 UTC ---

Ah, ok, the direct OBS link was just mentioned above. That already fixes the issue for me. Now 12.1 feels again like the older 11.4 :)

https://bugzilla.novell.com/show_bug.cgi?id=731812#c14

--- Comment #14 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-01 14:00:17 CET ---

This is an autogenerated message for OBS integration:
This bug (731812) was mentioned in
https://build.opensuse.org/request/show/94704 Factory / polkit-default-privs

https://bugzilla.novell.com/show_bug.cgi?id=731812#c15

Joel Sabouret <joel.sabouret@panalpina.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |joel.sabouret@panalpina.com

--- Comment #15 from Joel Sabouret <joel.sabouret@panalpina.com> 2011-12-07 09:16:17 UTC ---

I have installed OpenSuSE 12.1 last week on one of my Notebook, each time I want to connect to the internet to work in my company environment, I have to type in 9 passwords before I can connect (PIN, root pwd for connection of the UMTS card, then root password for networkmanager, private password for kwallet, again root pwd to allow a connection through VPN, again kwallet, root one more time and last but not least Private company password, plus group password).

That is not security, it's paranoia!! This is my notebook, and if I want to work normally without any trouble I must be root!! I hope it was only a mistake and it would be changed in the next days. At the time I told our colleagues using Linux at the company that they should not install the new version, and take another Distro if needed.

Once a user has logged on in the system he should be able to use his own environment without the need to be root (some normal user don't that right but must still use their notebook outside the company). This is not given anymore with Novell! I hope it will be corrected as soon as possible! If not I will have to reconsider using Novell within the company!

https://bugzilla.novell.com/show_bug.cgi?id=731812#c16

--- Comment #16 from Cristian Rodríguez <crrodriguez@opensuse.org> 2011-12-07 10:03:55 CLST ---

(In reply to comment #15)
> I have installed OpenSuSE 12.1 last week on one of my Notebook,

An update was already released..

rpm -q --changelog polkit-default-privs-12.1-10.11.1.noarch | less

* nov 23 2011 lnussel@suse.de
- change NetworkManager policies (bnc#716291)
- allow time zone changes (bnc#731812)
- allow setting pin on modems (bnc#732358)

https://bugzilla.novell.com/show_bug.cgi?id=731812#c17

Cristian Rodríguez <crrodriguez@opensuse.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |NEW      |RESOLVED
Resolution |         |FIXED
Severity   |Major    |Critical

--- Comment #17 from Cristian Rodríguez <crrodriguez@opensuse.org> 2011-12-07 10:06:31 CLST ---

fixed in polkit-default-privs-12.1-10.11.1.noarch

https://bugzilla.novell.com/show_bug.cgi?id=731812#c18

Linus Torvalds <torvalds@linux-foundation.org> changed:

What       |Removed   |Added
----------------------------------------------------------------------------
Status     |RESOLVED  |REOPENED
Resolution |FIXED     |

--- Comment #18 from Linus Torvalds <torvalds@linux-foundation.org> 2011-12-16 05:22:11 UTC ---

I'm re-opening this, because as far as I can tell, nothing has changed.

I definitely have polkit-default-privs-12.1-10.11.1.noarch installed, yet when I try to connect to a new wireless network, the damn root password question comes up again.

And when I click on the date, and I get the "Date and Time" settings thing, when I try to unlock that in order to actually *change* anything, it again asks for a root password.

This is with gnome and networkmanager.

If I go and edit the *existing* network connection (which requires the root password again) and then in network settings clear the "Available to all users" checkmark, I can then edit *that* connection without the root password. But that doesn't help. Not only did I need the root password to get there in the first place, THIS DOES NOT WORK FOR NEW CONNECTIONS!

So if I give this laptop to a child, and she takes it to school and tries to connect to the school network, THAT WILL REQUIRE HER TO KNOW THE ROOT PASSWORD.

Guys, what is up? This was marked as RESOLVED, but it's not fixed at all. Nothing has changed. The thing is still totally broken.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c19

Li Bin <bili@suse.com> changed:

What       |Removed        |Added
----------------------------------------------------------------------------
Status     |REOPENED       |ASSIGNED
AssignedTo |bili@suse.com  |bnc-team-screening@forge.provo.novell.com

--- Comment #19 from Li Bin <bili@suse.com> 2011-12-16 05:54:57 UTC ---

Reassign it so that more people could view about it. I could reproduce it after upgrade. Really sorry about it, just working on it.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c20

Li Bin <bili@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |bili@suse.com

--- Comment #20 from Li Bin <bili@suse.com> 2011-12-16 08:28:26 UTC ---

After debugging it with '/usr/lib/polkit-1/polkitd --replace', I found we changed the wrong privilege.

To activate the wireless, it needs the permission of org.freedesktop.NetworkManager.network-control and org.freedesktop.NetworkManager.settings.modify.system.

And for time & timezone setting, it needs the permission of org.gnome.settingsdaemon.datetimemechanism.configure.

https://bugzilla.novell.com/show_bug.cgi?id=731812 https://bugzilla.novell.com/show_bug.cgi?id=731812#c21 --- Comment #21 from Li Bin <bili@suse.com> 2011-12-16 09:29:35 UTC --- Created an attachment (id=467818) --> (http://bugzilla.novell.com/attachment.cgi?id=467818) polkit-default-privs-time-wireless.patch Index: polkit-default-privs-12.1/polkit-default-privs.standard =================================================================== --- polkit-default-privs-12.1.orig/polkit-default-privs.standard +++ polkit-default-privs-12.1/polkit-default-privs.standard @@ -27,7 +27,7 @@ org.freedesktop.NetworkManager.enable-di org.freedesktop.NetworkManager.wifi.share.protected auth_admin org.freedesktop.NetworkManager.wifi.share.open auth_admin org.freedesktop.NetworkManager.settings.modify.own auth_admin_keep:auth_admin_keep:yes -org.freedesktop.NetworkManager.settings.modify.system auth_admin_keep +org.freedesktop.NetworkManager.settings.modify.system auth_admin_keep:auth_admin_keep:yes org.freedesktop.NetworkManager.settings.modify.hostname auth_admin # org.libvirt.unix.monitor yes @@ -35,7 +35,7 @@ org.libvirt.unix.manage # # gnome-settings-daemon (bnc#690496) # -org.gnome.settingsdaemon.datetimemechanism.configure auth_admin_keep +org.gnome.settingsdaemon.datetimemechanism.configure auth_admin_keep:auth_admin_keep:yes # # colord (bnc#698250) # In this patch, just change the related privilege permission. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
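Review bot: In the first hunk, the new value auth_admin_keep:auth_admin_keep:yes on org.freedesktop.NetworkManager.settings.modify.system gives every active local session unauthenticated write access to whatever that action covers, in the standard profile, while the line directly above it already grants yes to active sessions for settings.modify.own. The fields are any:inactive:active, so this is a default-policy change for all desktop users, not a narrow fix for joining a new network. Suggest leaving modify.system at auth_admin_keep here and addressing the prompt where the connection type is chosen; if the change is kept, add a comment line above it naming bnc#731812 and stating that it lets users alter system-wide connections.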
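Review bot: In the second hunk, org.gnome.settingsdaemon.datetimemechanism.configure is a single action, so setting its third field to yes cannot be limited to the timezone; an active session gets everything the action covers without authentication. The section comment still cites only bnc#690496. Suggest either keeping auth_admin_keep until a separate timezone action is available, or, if the change goes in, extending the comment block with bnc#731812 and a line saying the setting is deliberately opened for active sessions.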

https://bugzilla.novell.com/show_bug.cgi?id=731812#c22

Li Bin <bili@suse.com> changed:

What         |Removed   |Added
----------------------------------------------------------------------------
Status       |ASSIGNED  |NEEDINFO
InfoProvider |          |maintenance@opensuse.org

--- Comment #22 from Li Bin <bili@suse.com> 2011-12-16 09:49:50 UTC ---

Maintenance,

Is okay let it in updates? I submit a request for this one. Thanks!

Request: #96843

https://bugzilla.novell.com/show_bug.cgi?id=731812#c23

--- Comment #23 from Li Bin <bili@suse.com> 2011-12-16 09:51:09 UTC ---

Linus,

Maybe it need sometime to let it in updates cause the weekend and Christmas, if you need it now and also have an osc account. You can try below.

$ osc getbinaries home:BinLi:branches:openSUSE:12.1:Update:Test/polkit-default-privs standard i586

Then update the downloaded rpm. Thanks!

https://bugzilla.novell.com/show_bug.cgi?id=731812#c24

Marcus Meissner <meissner@suse.com> changed:

What         |Removed                   |Added
----------------------------------------------------------------------------
CC           |                          |lnussel@suse.com, meissner@suse.com
InfoProvider |maintenance@opensuse.org  |lnussel@suse.com

--- Comment #24 from Marcus Meissner <meissner@suse.com> 2011-12-16 09:59:19 UTC ---

Ludwig should review this first.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c25

--- Comment #25 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-16 11:00:09 CET ---

This is an autogenerated message for OBS integration:
This bug (731812) was mentioned in
https://build.opensuse.org/request/show/96843 12.1 / polkit-default-privs

https://bugzilla.novell.com/show_bug.cgi?id=731812#c26

--- Comment #26 from Li Bin <bili@suse.com> 2011-12-16 10:22:21 UTC ---

(In reply to comment #24)
> Ludwig should review this first.

Yes, from bnc#690496, the below 3 items merge into only one, and the upstream uses auth_admin_keep. I'm not sure if it's okay to allow time changing by default.

org.gnome.settingsdaemon.datetimemechanism.settimezone
org.gnome.settingsdaemon.datetimemechanism.settime
org.gnome.settingsdaemon.datetimemechanism.configurehwclock
=>
org.gnome.settingsdaemon.datetimemechanism.configure

https://bugzilla.novell.com/show_bug.cgi?id=731812#c27

Ludwig Nussel <lnussel@suse.com> changed:

What         |Removed           |Added
----------------------------------------------------------------------------
Status       |NEEDINFO          |ASSIGNED
InfoProvider |lnussel@suse.com  |

--- Comment #27 from Ludwig Nussel <lnussel@suse.com> 2011-12-16 12:28:07 CET ---

Allowing modify.system means users can modify all network connections. Even those that are meant to be only changeable by the admin. Feel free to allow that on your personal system but this is not a suitable setting for the default install. Whether or not NM and its GUI front-ends deal with the privilege handling in a smart way is another story.

Gnome not using org.freedesktop.timedate1.set-timezone but rather a custom gnome specific backend with coarse grained privilege is unfortunate. Fix this by using the org.freedesktop.timedate1 service.

In any case feel free to adjust polkit privileges on your systems to suit your individual needs. I'm sure there are more you wish to change (e.g. to allow installing updates).
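The concern raised in comment #27 can be checked mechanically. The following is an added example, not part of the thread or of polkit-default-privs: it parses profile lines like those in the patch from comment #21 and reports actions that newly allow an active session to act without authentication. It assumes the line format `<action> <any>[:<inactive>:<active>]`; the function names, `WATCHLIST` and the sample text are constructed for illustration.

```python
# Added example: compare two polkit-default-privs profiles and list actions
# whose active-session authorization became "yes" (no authentication).
# Assumed line format: "<action> <any>[:<inactive>:<active>]"; a single value
# applies to all three session types. Lines starting with "#" are comments.

VALID = {"yes", "no", "auth_self", "auth_self_keep",
         "auth_admin", "auth_admin_keep"}

# Hypothetical watch list built from the thread: actions described there as
# reaching beyond one user's own settings (comments #12, #26, #27).
WATCHLIST = {
    "org.freedesktop.NetworkManager.settings.modify.system":
        "covers connections shared by all users",
    "org.gnome.settingsdaemon.datetimemechanism.configure":
        "single action for timezone, time and hardware clock",
}

# Constructed sample: the lines visible in the patch, before the change.
BEFORE = """\
org.freedesktop.NetworkManager.wifi.share.protected auth_admin
org.freedesktop.NetworkManager.wifi.share.open auth_admin
org.freedesktop.NetworkManager.settings.modify.own auth_admin_keep:auth_admin_keep:yes
org.freedesktop.NetworkManager.settings.modify.system auth_admin_keep
org.freedesktop.NetworkManager.settings.modify.hostname auth_admin
#
# gnome-settings-daemon (bnc#690496)
#
org.gnome.settingsdaemon.datetimemechanism.configure auth_admin_keep
"""

# Constructed sample: the same lines with the two "+" lines applied.
AFTER = (BEFORE
         .replace("modify.system auth_admin_keep",
                  "modify.system auth_admin_keep:auth_admin_keep:yes")
         .replace("configure auth_admin_keep",
                  "configure auth_admin_keep:auth_admin_keep:yes"))


def parse_profile(text):
    """Return {action: (any, inactive, active)}; raise ValueError on bad lines."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<action> <spec>': {raw!r}")
        action, spec = fields
        parts = spec.split(":")
        if len(parts) == 1:          # one value means the same for all sessions
            parts = parts * 3
        if len(parts) != 3 or not all(p in VALID for p in parts):
            raise ValueError(f"line {lineno}: bad authorization spec {spec!r}")
        rules[action] = tuple(parts)
    return rules


def newly_unauthenticated(before, after):
    """List (action, previous_active_value, note) for actions whose
    active-session value is 'yes' in `after` but was not in `before`."""
    old, new = parse_profile(before), parse_profile(after)
    findings = []
    for action in sorted(new):
        active = new[action][2]
        previous = old[action][2] if action in old else None  # None: not listed
        if active == "yes" and previous != "yes":
            findings.append((action, previous, WATCHLIST.get(action, "")))
    return findings


if __name__ == "__main__":
    for action, previous, note in newly_unauthenticated(BEFORE, AFTER):
        flag = "REVIEW" if note else "info"
        print(f"[{flag}] {action}: active {previous} -> yes  {note}")
```

Run against the real `polkit-default-privs.standard` before and after an update, the same comparison shows which privileges a package change opened for logged-in users.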

https://bugzilla.novell.com/show_bug.cgi?id=731812#c28

--- Comment #28 from Linus Torvalds <torvalds@linux-foundation.org> 2011-12-16 16:26:09 UTC ---

(In reply to comment #27)
> In any case feel free to adjust polkit privileges on your systems to suit your individual needs. I'm sure there are more you wish to change (e.g. to allow installing updates).

Christ. You're a distribution. Your *ONLY*GOAL*IN*LIFE* should be to make something that works.

If you say "We ship shit, so you need to be an expert and fix it up in order for it to be usable", you have failed at your job.

And seriously, that is exactly what you said. OpenSUSE 12.1 network configuration *IS*NOT*USABLE* in real life as-is. Don't tell people to edit their polkit privileges to individual needs. Make a usable system, or at least expose a big and visible button saying "make this system usable". As it is, the only people who can fix it are people who know more than the average bear. That's a disaster.

This is not about "security issues". An unusable system is always secure, because nobody *cares*. It's crap. It is, as somebody commented elsewhere, like making everybody have their shell be "/bin/false". That's really secure, but since it means that people can't get any actual work done, who the hell cares?

That kind of "security" isn't security, it's just stupidity.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c29

--- Comment #29 from Ludwig Nussel <lnussel@suse.com> 2011-12-19 09:46:43 CET ---

Well, preach to the choir. Someone decided to rewrite polkit, make it harder to configure, drop the nice tools and remove the 'keep always' feature. NM decided to change from a braindead architecture to something halfway sane but apparently got stuck when trying to implement proper privilege handling.

What you currently see is standard NM 0.9 behavior:
- require root authentication to create 'public' connections (...modify.system)
- allow users to create 'private' connections without authentication (...modify.own)

I don't think this implementation makes anyone happy.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c30

--- Comment #30 from Linus Torvalds <torvalds@linux-foundation.org> 2011-12-19 18:25:20 UTC ---

(In reply to comment #29)
> What you currently see is standard NM 0.9 behavior:
> - require root authentication to create 'public' connections (...modify.system)
> - allow users to create 'private' connections without authentication (...modify.own)

So how do you make that 'private' the default?

The thing is, the way it is set up, I never even *get* to the point where I can make a private connection. It asks for the root password even before that.

I would not at all mind having the wireless connections be per-user, but right now that is simply not an option. If that 'private' mode was the default (and then you'd need the root password to make a 'public' connection) everything would work fine afaik.

Please? Please?

Linus

https://bugzilla.novell.com/show_bug.cgi?id=731812#c31

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                                  |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com|bnc-team-gnome@forge.provo.novell.com

--- Comment #31 from Ludwig Nussel <lnussel@suse.com> 2011-12-21 08:35:25 CET ---
Indeed the needed button is only available in the connection editor but not in the dialog that is shown when clicking on a network in scan results.

=> NetworkManager-gnome

https://bugzilla.novell.com/show_bug.cgi?id=731812#c33

--- Comment #33 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-22 06:42:39 UTC ---
I think we don't need an extra button on the AP list to switch the mode. I've made patches for gnome-shell and NetworkManager-gnome to make the private mode the default and am testing the patches. The user still can switch the mode with the connection editor if she/he really wants the connection to be a system connection.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c34

--- Comment #34 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-22 07:24:37 UTC ---
Created an attachment (id=468618)
 --> (http://bugzilla.novell.com/attachment.cgi?id=468618)
gnome-shell patch

https://bugzilla.novell.com/show_bug.cgi?id=731812#c35

--- Comment #35 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-22 07:25:29 UTC ---
Created an attachment (id=468619)
 --> (http://bugzilla.novell.com/attachment.cgi?id=468619)
NetworkManager-gnome patch

https://bugzilla.novell.com/show_bug.cgi?id=731812#c36

--- Comment #36 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-22 10:26:26 UTC ---
Created an attachment (id=468654)
 --> (http://bugzilla.novell.com/attachment.cgi?id=468654)
gnome-control-center patch

One more patch for the dropdown AP list in the gnome-control-center network panel

https://bugzilla.novell.com/show_bug.cgi?id=731812#c37

--- Comment #37 from Vincent Untz <vuntz@suse.com> 2011-12-22 10:41:42 UTC ---
(In reply to comment #33)
> I think we don't need an extra button on the AP list to switch the mode. I've made patches for gnome-shell and NetworkManager-gnome to make the private mode the default and am testing the patches. The user still can switch the mode with the connection editor if she/he really wants the connection to be a system connection.

For reference, using private by default has been discussed a bit upstream, see https://bugzilla.gnome.org/show_bug.cgi?id=646187

https://bugzilla.novell.com/show_bug.cgi?id=731812#c38

Gary Ching-Pang Lin <glin@suse.com> changed:

           What               |Removed |Added
----------------------------------------------------------------------------
Attachment #468618 is obsolete|0       |1

--- Comment #38 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-23 06:50:07 UTC ---
Created an attachment (id=468794)
 --> (http://bugzilla.novell.com/attachment.cgi?id=468794)
gnome-shell private connections patch

Update the gnome-shell patch based on the patch in bgo#646187 comment 5 to cover the wired and bluetooth connections.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c39

Gary Ching-Pang Lin <glin@suse.com> changed:

           What               |Removed |Added
----------------------------------------------------------------------------
Attachment #468619 is obsolete|0       |1

--- Comment #39 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-23 06:53:06 UTC ---
Created an attachment (id=468795)
 --> (http://bugzilla.novell.com/attachment.cgi?id=468795)
NetworkManager private connections patch

Update the NetworkManager-gnome patch for the wired, bluetooth, 3G, and wimax connections.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c40

Gary Ching-Pang Lin <glin@suse.com> changed:

           What               |Removed |Added
----------------------------------------------------------------------------
Attachment #468654 is obsolete|0       |1

--- Comment #40 from Gary Ching-Pang Lin <glin@suse.com> 2011-12-23 06:55:17 UTC ---
Created an attachment (id=468796)
 --> (http://bugzilla.novell.com/attachment.cgi?id=468796)
gnome-control-center private connections patch

Update the gnome-control-center patch to cover the 3G connections.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c41

--- Comment #41 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-23 08:00:09 CET ---
This is an autogenerated message for OBS integration:
This bug (731812) was mentioned in
https://build.opensuse.org/request/show/98014 12.1 / gnome-shell

https://bugzilla.novell.com/show_bug.cgi?id=731812#c42

--- Comment #42 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-23 09:00:07 CET ---
This is an autogenerated message for OBS integration:
This bug (731812) was mentioned in
https://build.opensuse.org/request/show/98015 12.1 / NetworkManager-gnome
https://build.opensuse.org/request/show/98016 12.1 / gnome-control-center

https://bugzilla.novell.com/show_bug.cgi?id=731812#c43

Gary Ching-Pang Lin <glin@suse.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|ASSIGNED |RESOLVED
         Resolution|         |FIXED

--- Comment #43 from Gary Ching-Pang Lin <glin@suse.com> 2012-01-10 03:16:23 UTC ---
The patches were released. Let's close this bug.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c44

--- Comment #44 from Vincent Untz <vuntz@suse.com> 2012-01-10 07:30:18 UTC ---
(In reply to comment #43)
> The patches were released. Let's close this bug.

I haven't seen the patches for the Factory packages, I guess we want them there too?

Maybe we can get them discussed upstream, with an option to do that by default in gsettings?

https://bugzilla.novell.com/show_bug.cgi?id=731812#c45

--- Comment #45 from Gary Ching-Pang Lin <glin@suse.com> 2012-01-10 08:04:03 UTC ---
(In reply to comment #44)
> (In reply to comment #43)
> > The patches were released. Let's close this bug.
>
> I haven't seen the patches for the Factory packages, I guess we want them there too?
>
> Maybe we can get them discussed upstream, with an option to do that by default in gsettings?

OK, I'll respin the patches to add a gsettings option to switch the default connection mode.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c46

--- Comment #46 from Ludwig Nussel <lnussel@suse.com> 2012-01-10 09:10:11 CET ---
A better long term solution would be to get rid of this annoying artificial personal/system wide notion and instead have a privilege that tells whether a user is allowed to add/edit network connections in general.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c47

Reid Piercey <reid.piercey@impsolutions.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |reid.piercey@impsolutions.com

--- Comment #47 from Reid Piercey <reid.piercey@impsolutions.com> 2012-02-09 14:35:10 UTC ---
I work as a consultant and have been using OpenSuse on my laptop for the past 3 years. I usually change network settings frequently (wired and wireless) using network manager and haven't had any issues until 12.1.

I have installed the polkit-default-privs-12.2-3.1.noarch and this allows me to change wireless settings without being root.

I still cannot change my wired settings without being root - a password prompt flashes and the settings are not saved. It would be helpful if the patch created for the wireless settings was applied to the wired section.

I also agree with Ludwig - a group privilege would be a more manageable solution.

https://bugzilla.novell.com/show_bug.cgi?id=731812#c48

--- Comment #48 from Gary Ching-Pang Lin <glin@suse.com> 2012-02-10 02:37:26 UTC ---
(In reply to comment #47)
> I still cannot change my wired settings without being root - a password prompt flashes and the settings are not saved. It would be helpful if the patch created for the wireless settings was applied to the wired section.

Did you upgrade NetworkManager-gnome and gnome-shell? My patches also covered wired connections.

BTW, the patches are only for the new connections. If you want to modify the existing connections, you can launch nm-connection-editor to edit the connection and uncheck "Available to all users".
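The public/private split from comment #29 and the "Available to all users" checkbox from comment #48 can be audited on stored profiles. The following is an added example, not code from the thread, the patches, or NetworkManager: it assumes profiles are stored in NetworkManager's keyfile format, where a private profile carries `permissions=user:NAME:;` in its `[connection]` section, and that the `...modify.own` privilege applies only when the caller is the sole listed user. The sample profiles and user names are constructed.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from the thread).
SYSTEM_WIDE = """\
[connection]
id=HomeWifi
type=802-11-wireless

[802-11-wireless]
ssid=HomeWifi
"""

PRIVATE = """\
[connection]
id=CafeWifi
type=802-11-wireless
permissions=user:alice:;

[802-11-wireless]
ssid=CafeWifi
"""


def allowed_users(keyfile_text):
    """Return the users a profile is restricted to; [] means available to all users."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(keyfile_text)
    raw = parser.get("connection", "permissions", fallback="")
    users = []
    for entry in raw.split(";"):
        parts = entry.strip().split(":")
        # Entries have the form "user:NAME:"; ignore anything malformed.
        if len(parts) >= 2 and parts[0] == "user" and parts[1]:
            users.append(parts[1])
    return users


def required_privilege(keyfile_text, caller):
    """Privilege (abbreviated as in comment #29) that `caller` needs to edit the profile."""
    # Assumption: only a profile restricted to the caller alone counts as "own".
    return "...modify.own" if allowed_users(keyfile_text) == [caller] else "...modify.system"


def audit(profiles, caller):
    """Map profile name -> (users, privilege) for a dict of name -> keyfile text."""
    return {n: (allowed_users(t), required_privilege(t, caller)) for n, t in profiles.items()}


if __name__ == "__main__":
    for name, result in audit({"HomeWifi": SYSTEM_WIDE, "CafeWifi": PRIVATE}, "alice").items():
        print(name, result)
```

Profiles reported with an empty user list are the ones that trigger the root authentication prompt when a normal user edits them.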