
Thread: Creating Polkit rule to control NetworkManager in Gnome

  1. #1

    Creating Polkit rule to control NetworkManager in Gnome

    I am currently running NetworkManager with Leap 15. I would like to limit the ability of non-privileged users to change network settings through the Gnome desktop. This seemed fairly straightforward with polkit but I cannot seem to get it working 100%.

    Specifically, I am having trouble with blocking a regular user's ability to change Settings > Network > Network Proxy. I have disabled their ability to shut off the network connection, but they can still modify the proxy and change it between Automatic/Manual/Disabled.

    I verified that polkit is updated to the latest, and that the polkit agent is running. I also verified that the user's current desktop session is being registered correctly.

    Any tips would be greatly appreciated.

    Here is the sample rule I tried to catch all NetworkManager actions, but it does not block the proxy changes in the gnome desktop UI:

    // Deny every org.freedesktop.NetworkManager.* action to members of "users".
    polkit.addRule(function(action, subject) {
        if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
            && subject.isInGroup("users")) {
            return polkit.Result.NO;
        }
    });
    Thanks in advance.

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,569
    Blog Entries
    1

    Re: Creating Polkit rule to control NetworkManager in Gnome

    I am currently running NetworkManager with Leap 15. I would like to limit the ability of non-privileged users to change network settings through the Gnome desktop.
    Any reason why you're using NetworkManager? If the machines only have one network configuration required, then using wicked (administrator-controlled) is a better option here.
    openSUSE Leap 15.1; KDE Plasma 5

  3. #3

    Re: Creating Polkit rule to control NetworkManager in Gnome

    If for some reason NetworkManager is needed (usually only the case for users changing network environments frequently), then examine 90-default-privs.rules for a list of configured policies. The org.freedesktop.NetworkManager.settings.modify.own, org.freedesktop.NetworkManager.settings.modify.system, and org.freedesktop.NetworkManager.network-control policies may be relevant here.

    Start with
    Code:
    nmcli general permissions
    Code:
    sudo cat /etc/polkit-1/rules.d/90-default-privs.rules|grep Network -A1
    openSUSE Leap 15.1; KDE Plasma 5

  4. #4

    Re: Creating Polkit rule to control NetworkManager in Gnome

    Quote: Originally Posted by deano_ferrari
    Any reason why you're using NetworkManager? If the machines only have one network configuration required, then using wicked (administrator-controlled) is a better option here.
    Background:

    Initially, I used wicked for exactly this reason, however I was unable to get our automatic proxy settings configured correctly on the Leap 15 clients. Our class lab currently uses Leap 42.1 clients with NetworkManager pointed to our proxy's PAC file via the "Automatic Proxy" setting. This PAC file serves back the system proxy settings so that users are prompted for credentials when they use a web browser to access the Internet. It is handled this way because the lab machines use a local non-privileged user for their gnome session, but the proxy uses different LDAP credentials for outside access.

    In preparing a new Leap 15 image, I decided on switching to wicked so that network configuration was admin-controlled, as you suggest above. However, I am new to wicked (and openSUSE) and I was unable to reproduce the settings and get the system proxy enabled/configured correctly. The only option to do this with wicked that I found was YaST > Network Services > Proxy, which does not suit our purposes because enabling the proxy in this manner requires specifying system-wide credentials for the proxy, even when we point to the correct proxy URL and PAC file. It fails with an authentication error 407 because the credentials are blank. Yet, using NetworkManager with Automatic Proxy works fine, and clients are prompted for proxy credentials when web browsers are set to inherit the system proxy settings.

    Current:

    Fast forward to the current workaround of using NetworkManager to specify the URL to the proxy server and it is once again working like the Leap 42.1 machines. However, by default, this gives session users access to changing the NetworkManager settings, as expected.

    When I run "nmcli general permissions" as the target session user, it correctly returns "no" for all org.freedesktop.NetworkManager.* action-ids. Unfortunately, the same user can still go into the network settings and change the Proxy (though they cannot do other things like change the interface, shut off the wired connection, etc.).

    Therefore, with my limited knowledge, I am wondering if polkit does not control the proxy setting within NetworkManager? Or perhaps I missed something else in my configuration.

    The alternative of using wicked is certainly a valid and preferred method but I had no luck with that.

  5. #5

    Re: Creating Polkit rule to control NetworkManager in Gnome

    Now I understand that you're talking about the Gnome desktop settings utility (which has nothing to do with NetworkManager). I think the appropriate policy is 'org.freedesktop.packagekit.system-network-proxy-configure'. If I check /etc/polkit-1/rules.d/90-default-privs.rules, I note that it restricts the privileges to administrator

    Code:
                   'org.freedesktop.packagekit.system-network-proxy-configure':
                            [ 'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],
    but when I check with pkaction (which operates on the upstream defaults defined in /usr/share/polkit-1/actions/) I get
    Code:
    # pkaction -a org.freedesktop.packagekit.system-network-proxy-configure -v
    org.freedesktop.packagekit.system-network-proxy-configure:
      description:       Set network proxy
      message:           Authentication is required to set the network proxy used for downloading software
      vendor:            The PackageKit Project
      vendor_url:        http://www.packagekit.org/
      icon:              preferences-system-network-proxy
      implicit any:      auth_admin
      implicit inactive: auth_admin
      implicit active:   yes
    so I think that is where your problem will be.

    The following openSUSE PolKit guide will be useful to you here
    https://doc.opensuse.org/documentati...olicykit.query
    In particular this section...
    https://doc.opensuse.org/documentati...onfig.implicit
    openSUSE Leap 15.1; KDE Plasma 5
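
An added example, not part of the original posts: a shell function that reads `pkaction -v` style output and lists the actions whose implicit authorization for active sessions has a given value, such as the `yes` shown in the post above. The sample input is constructed from the output quoted in that post plus one made-up action, `org.example.demo.locked`; the function names are assumptions of this example.

```shell
#!/bin/sh
# List polkit actions whose "implicit active" default equals the wanted
# value (default: yes). Input: `pkaction -v` style text on stdin.
implicit_active() {
    want="${1:-yes}"
    awk -v want="$want" '
        # An action block starts with an unindented line ending in a colon.
        /^[^ \t].*:$/ { id = $0; sub(/:$/, "", id); next }
        /^[ \t]+implicit active:/ {
            val = $0
            sub(/^[ \t]+implicit active:[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            if (val == want) print id
        }
    '
}

# Constructed sample: the first block mirrors the output quoted in the
# thread, the second is a made-up action for contrast.
sample_pkaction() {
    cat <<'EOF'
org.freedesktop.packagekit.system-network-proxy-configure:
  description:       Set network proxy
  vendor:            The PackageKit Project
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes

org.example.demo.locked:
  description:       Constructed example action
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin_keep
EOF
}

# On a real system: pkaction -v | implicit_active yes
sample_pkaction | implicit_active yes
```

As the post says, pkaction reports the defaults defined in /usr/share/polkit-1/actions/, so compare the result with the entries in 90-default-privs.rules before drawing conclusions.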

  6. #6
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,105
    Blog Entries
    15

    Re: Creating Polkit rule to control NetworkManager in Gnome

    Hi
    Sounds like hard work
    Lock down via gsettings/dconf;

    Ref: https://help.gnome.org/admin/system-...ckdown.html.en
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  7. #7

    Re: Creating Polkit rule to control NetworkManager in Gnome

    Quote: Originally Posted by malcolmlewis
    Hi
    Sounds like hard work
    Lock down via gsettings/dconf;

    Ref: https://help.gnome.org/admin/system-...ckdown.html.en
    Perhaps, I guess it comes down to what you are familiar with

    Not being a Gnome user, I'm never quite sure about what's current with gsettings, dconf etc, but it does look promising (assuming still current).
    openSUSE Leap 15.1; KDE Plasma 5

  8. #8

    Re: Creating Polkit rule to control NetworkManager in Gnome

    Thank you both for your feedback. Reading through your suggestions, I was able to walk back my changes and accomplish what I started out to do. I switched back to wicked, alleviating the issue with the non-privileged users changing network settings via NetworkManager. Next, I used gsettings/dconf to change gnome's automatic proxy settings for the system and it is now working correctly.

    After traveling down the rabbit hole with polkit, etc., I got further and further away from looking at the desktop session's default settings....

    Thanks again for the assistance.
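
One way to apply the gsettings/dconf lockdown this thread settled on, as an added example that is not from any poster: it writes a system default for the GNOME proxy keys plus a dconf lock file, then checks that every key it set is actually locked. The PAC URL is a placeholder, and the file name `00-proxy`, the function names and the staging-directory argument are assumptions; the keys are those of the `org.gnome.system.proxy` schema.

```shell
#!/bin/sh
# Write a system-wide GNOME proxy default and a dconf lock so desktop users
# cannot change it. $1 lets the files be staged in a scratch directory.
write_proxy_lockdown() {
    root="$1"      # "" for the live system, or a staging directory
    pac_url="$2"   # PAC file URL (placeholder in the sample call below)

    mkdir -p "$root/etc/dconf/profile" "$root/etc/dconf/db/local.d/locks"

    # Profile: per-user database first, then the system database "local".
    printf 'user-db:user\nsystem-db:local\n' > "$root/etc/dconf/profile/user"

    # Defaults for org.gnome.system.proxy (dconf path /system/proxy/).
    cat > "$root/etc/dconf/db/local.d/00-proxy" <<EOF
[system/proxy]
mode='auto'
autoconfig-url='$pac_url'
EOF

    # Locks: for keys listed here the system value wins over user values.
    cat > "$root/etc/dconf/db/local.d/locks/00-proxy" <<'EOF'
/system/proxy/mode
/system/proxy/autoconfig-url
EOF
}

# Print every key set in the keyfile that has no matching lock line.
unlocked_keys() {
    keyfile="$1"; locks="$2"
    awk '/^\[/ { p = $0; sub(/^\[/, "", p); sub(/\]$/, "", p); next }
         /=/   { k = $0; sub(/=.*/, "", k); print "/" p "/" k }' "$keyfile" |
    while read -r key; do
        grep -qxF "$key" "$locks" || echo "$key"
    done
}

# Staged run with a placeholder URL; prints nothing when all keys are locked.
stage="$(mktemp -d)"
write_proxy_lockdown "$stage" "http://proxy.example.invalid/proxy.pac"
unlocked_keys "$stage/etc/dconf/db/local.d/00-proxy" \
              "$stage/etc/dconf/db/local.d/locks/00-proxy"
```

On a real host, pass an empty first argument as root and then run `dconf update` to compile the database; running sessions pick up the locked values at next login.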

  9. #9

    Re: Creating Polkit rule to control NetworkManager in Gnome

    On Tue 24 Jul 2018 03:26:03 PM CDT, whongach wrote:

    Thank you both for your feedback. Reading through your suggestions, I
    was able to walk back my changes and accomplish what I started out to
    do. I switched back to wicked, alleviating the issue with the
    non-privileged users changing network settings via NetworkManager.
    Next, I used gsettings/dconf to change gnome's automatic proxy settings
    for the system and it is now working correctly.

    After traveling down the rabbit hole with polkit, etc., I got further
    and further away from looking at the desktop session's default
    settings....

    Thanks again for the assistance.


    Hi
    FWIW, if using Firefox, you can lock the proxy setting here with a js
    file and the pref and prefLock("....") option

    See /usr/lib64/firefox/defaults/pref/all-openSUSE.js

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default


  10. #10

    Re: Creating Polkit rule to control NetworkManager in Gnome

    Yes, I have this set up for Firefox so that users cannot change their proxy preference. Very handy!
