On Wed, Jul 1, 2020 at 7:40 AM Ed Greshko <ed.greshko(a)greshko.com> wrote:
On 2020-07-01 13:32, Tom H wrote:
>
> On my laptop, the value's "--", which is the default and which means
> that root and the polkit admin group (wheel) can control the
> connection.

Are you sure about that?

connection.autoconnect: yes
connection.permissions: --

[maria@f32k ~]$ nmcli connection down enp1s0
Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[maria@f32k ~]$ nmcli connection up enp1s0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6).

[egreshko@f32k ~]$ grep maria /etc/group
maria:x:1027:

You may be right, but I have no idea given the output of "pkaction" :(

Admin group:

$ cat /etc/polkit-1/rules.d/50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

NM rule:

$ pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.settings.modify.system:
  description:       Modify network connections for all users
  message:           System policy prevents modification of network settings for all users
  vendor:            NetworkManager
  vendor_url:        http://www.gnome.org/projects/NetworkManager
  icon:              nm-icon
  implicit any:      auth_admin_keep
  implicit inactive: yes
  implicit active:   yes

I have no idea whether the two "yes" take precedence or the
"auth_admin_keep" does. I was expecting "auth_admin_keep"
everywhere...
The message being "System policy prevents modification of network
settings for all users", I wonder whether the fact that you have a
non-admin user who can control a connection is what's intended, and,
therefore, whether this message corresponds to previous, more
restrictive rules. Or not.
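
As an added example, not part of the original message: polkit picks one of the three implicit values in the pkaction output above according to the caller's session ("implicit active" for an active local session, "implicit inactive" for an inactive local one, "implicit any" otherwise), unless a rule under rules.d returns a result first. The shell sketch below applies that selection; the function names and the trimmed SAMPLE text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the three implicit values quoted in the message above,
# trimmed to the lines this example needs.
SAMPLE='org.freedesktop.NetworkManager.settings.modify.system:
  description:       Modify network connections for all users
  implicit any:      auth_admin_keep
  implicit inactive: yes
  implicit active:   yes'

# implicit_for KIND (hypothetical helper)
# Reads "pkaction --verbose" text on stdin and prints the value of the
# "implicit KIND:" line, where KIND is any, inactive or active.
# Exits non-zero if the line is missing.
implicit_for() {
    awk -v key="implicit $1:" '
        index($0, key) { sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) exit 1 }'
}

# effective_default LOCAL ACTIVE (hypothetical helper)
# LOCAL and ACTIVE are "yes" or "no" and describe the caller's session.
# Selects the implicit authorization polkit falls back to when no rule
# in rules.d has already decided the request.
effective_default() {
    text=$(cat)
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        kind=active        # active session on a local console
    elif [ "$1" = yes ]; then
        kind=inactive      # local console, session not in the foreground
    else
        kind=any           # everything else, e.g. a remote login
    fi
    printf '%s\n' "$text" | implicit_for "$kind"
}

# Walk the three session states against the sample.
for state in "yes yes" "yes no" "no no"; do
    set -- $state
    result=$(printf '%s\n' "$SAMPLE" | effective_default "$1" "$2")
    printf 'local=%s active=%s -> %s\n' "$1" "$2" "$result"
done
```

A result of `yes` means no authentication prompt; `auth_admin_keep` means the caller must authenticate as an administrator, which the 50-default.rules file quoted above defines as a member of wheel.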