On Wed, Jul 1, 2020 at 7:40 AM Ed Greshko <ed.gres...@greshko.com> wrote:
> On 2020-07-01 13:32, Tom H wrote:
>>
>> On my laptop, the value's "--", which is the default and which means
>> that root and the polkit admin group (wheel) can control the
>> connection.
>
> Are you sure about that?
>
> connection.autoconnect: yes
> connection.permissions:  --
>
> [maria@f32k ~]$ nmcli connection down enp1s0
> Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
>
> [maria@f32k ~]$ nmcli connection up enp1s0
> Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6).
>
> [egreshko@f32k ~]$ grep maria /etc/group
> maria:x:1027:

You may be right, but I have no idea given the output of "pkaction" :(

Admin group:

$ cat /etc/polkit-1/rules.d/50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

NM rule:

$ pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.settings.modify.system:
  description:       Modify network connections for all users
  message:           System policy prevents modification of network settings for all users
  vendor:            NetworkManager
  vendor_url:        http://www.gnome.org/projects/NetworkManager
  icon:              nm-icon
  implicit any:      auth_admin_keep
  implicit inactive: yes
  implicit active:   yes

I have no idea whether the two "yes" take precedence or the
"auth_admin_keep" does. I was expecting "auth_admin_keep"
everywhere...

The message being "System policy prevents modification of network
settings for all users", I wonder whether the fact that you have a
non-admin user who can control a connection is what's intended, and,
therefore, whether this message corresponds to previous, more
restrictive rules. Or not.
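
Per polkit(8), the three "implicit" values are not ranked against each other: each is the default for a different kind of caller session, and rules under rules.d can still override the result. The sketch below is an added example (not part of the original message, and not polkit's or NetworkManager's code) that parses the pkaction output quoted above and picks the applicable default; `parsePkaction`, `implicitFor` and the session states are illustrative assumptions.

```javascript
// Added example: models how polkit picks an action's implicit (default)
// authorization. Not NetworkManager or polkit source code.

// pkaction --verbose output from the message above, wrapped lines rejoined.
const PKACTION_OUTPUT = `org.freedesktop.NetworkManager.settings.modify.system:
  description:       Modify network connections for all users
  message:           System policy prevents modification of network settings for all users
  vendor:            NetworkManager
  vendor_url:        http://www.gnome.org/projects/NetworkManager
  icon:              nm-icon
  implicit any:      auth_admin_keep
  implicit inactive: yes
  implicit active:   yes
`;

// Parse the "key: value" lines that follow the action-id header line.
function parsePkaction(text) {
  const lines = text.split("\n").filter((l) => l.trim() !== "");
  const action = { id: lines[0].trim().replace(/:$/, "") };
  for (const line of lines.slice(1)) {
    const m = /^\s+([^:]+):\s+(.*)$/.exec(line);
    if (m) action[m[1].trim()] = m[2].trim();
  }
  return action;
}

// Hypothetical helper: select the default by the caller's session state.
// "active"/"inactive" apply only to sessions on a local console; any other
// caller (for example an SSH login) falls under "any".
function implicitFor(action, session) {
  if (!session.local) return action["implicit any"];
  return session.active ? action["implicit active"] : action["implicit inactive"];
}

const action = parsePkaction(PKACTION_OUTPUT);
const cases = { // constructed session states
  "local console, active": { local: true, active: true },
  "local console, switched away": { local: true, active: false },
  "remote (e.g. SSH)": { local: false, active: false },
};
for (const [name, s] of Object.entries(cases)) {
  console.log(`${name}: ${implicitFor(action, s)}`);
}
```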