Creating Polkit rule to control NetworkManager in Gnome

I am currently running NetworkManager with Leap 15. I would like to limit the ability of non-privileged users to change network settings through the Gnome desktop. This seemed fairly straightforward with polkit but I cannot seem to get it working 100%.

Specifically, I am having trouble with blocking a regular user’s ability to change Settings > Network > Network Proxy. I have disabled their ability to shut off the network connection, but they can still modify the proxy and change it between Automatic/Manual/Disabled.

I verified that polkit is updated to the latest, and that the polkit agent is running. I also verified that the user’s current desktop session is being registered correctly.

Any tips would be greatly appreciated.

Here is the sample rule I tried to catch all NetworkManager actions, but it does not block the proxy changes in the gnome desktop UI:

polkit.addRule(function(action, subject) {
    // Straight quotes are required; curly quotes are a syntax error in the rules file
    if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
        && subject.isInGroup("users")) {
        return polkit.Result.NO;
    }
});

Thanks in advance.

I am currently running NetworkManager with Leap 15. I would like to limit the ability of non-privileged users to change network settings through the Gnome desktop.

Any reason why you’re using NetworkManager? If the machines only have one network configuration required, then using wicked (administrator-controlled) is a better option here.

If for some reason NetworkManager is needed (usually only the case for users changing network environments frequently), then examine 90-default-privs.rules for a list of configured policies. The org.freedesktop.NetworkManager.settings.modify.own, org.freedesktop.NetworkManager.settings.modify.system, and org.freedesktop.NetworkManager.network-control policies may be relevant here.

Start with

nmcli general permissions
sudo cat /etc/polkit-1/rules.d/90-default-privs.rules|grep Network -A1

Background:

Initially, I used wicked for exactly this reason, however I was unable to get our automatic proxy settings configured correctly on the Leap 15 clients. Our class lab currently uses Leap 42.1 clients with NetworkManager pointed to our proxy’s PAC file via the “Automatic Proxy” setting. This PAC file serves back the system proxy settings so that users are prompted for credentials when they use a web browser to access the Internet. It is handled this way because the lab machines use a local non-privileged user for their gnome session, but the proxy uses different LDAP credentials for outside access.

In preparing a new Leap 15 image, I decided on switching to wicked so that network configuration was admin-controlled, as you suggest above. However, I am new to wicked (and openSUSE) and I was unable to reproduce the settings and get the system proxy enabled/configured correctly. The only option to do this with wicked that I found was YaST > Network Services > Proxy, which does not suit our purposes because enabling the proxy in this manner requires specifying system-wide credentials for the proxy, even when we point to the correct proxy URL and PAC file. It fails with an authentication error 407 because the credentials are blank. Yet, using NetworkManager with Automatic Proxy works fine, and clients are prompted for proxy credentials when web browsers are set to inherit the system proxy settings.

Current:

Fast forward to the current workaround of using NetworkManager to specify the URL to the proxy server and it is once again working like the Leap 42.1 machines. However, by default, this gives session users access to changing the NetworkManager settings, as expected.

When I run “nmcli general permissions” as the target session user, it correctly returns “no” for all org.freedesktop.NetworkManager.* action-ids. Unfortunately, the same user can still go into the network settings and change the Proxy (though they cannot do other things like change the interface, shut off the wired connection, etc.).

Therefore, with my limited knowledge, I am wondering if polkit does not control the proxy setting within NetworkManager? Or perhaps I missed something else in my configuration.

The alternative of using wicked is certainly a valid and preferred method but I had no luck with that.

Now I understand that you’re talking about the Gnome desktop settings utility (which has nothing to do with NetworkManager). I think the appropriate policy is ‘org.freedesktop.packagekit.system-network-proxy-configure’. If I check /etc/polkit-1/rules.d/90-default-privs.rules, I note that it restricts the privileges to administrator:

               'org.freedesktop.packagekit.system-network-proxy-configure':
                         'auth_admin_keep', 'auth_admin_keep', 'auth_admin_keep' ],

but when I check with pkaction (which operates on the upstream defaults defined in /usr/share/polkit-1/actions/) I get

# pkaction -a org.freedesktop.packagekit.system-network-proxy-configure -v
org.freedesktop.packagekit.system-network-proxy-configure:
  description:       Set network proxy
  message:           Authentication is required to set the network proxy used for downloading software
  vendor:            The PackageKit Project
  vendor_url:        http://www.packagekit.org/
  icon:              preferences-system-network-proxy
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes

so I think that is where your problem will be.

The following openSUSE PolKit guide will be useful to you here
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.policykit.html#sec.security.policykit.query
In particular this section…
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.policykit.html#sec.security.policykit.change.modify_config.implicit

Hi
Sounds like hard work :wink:
Lock down via gsettings/dconf;

Ref: https://help.gnome.org/admin/system-admin-guide/stable/dconf-lockdown.html.en
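As an added illustration of the dconf lockdown approach linked above (this is example code, not part of Malcolm's post), the function below writes the profile, keyfile and locks that pin GNOME's proxy mode to "auto" with a given PAC URL so session users cannot change it in Settings > Network > Network Proxy. The PAC URL is a placeholder, and the optional second argument is a scratch prefix for a dry run.

```shell
# Generate the dconf lockdown files for the GNOME system proxy.
# Layout follows the GNOME system-admin guide: a "user" profile that layers
# the system-wide "local" db under the user's own db, a keyfile with the
# values, and a locks file that makes those keys read-only for the session.
write_proxy_lockdown() {
    pac_url="$1"          # placeholder, e.g. http://proxy.example.invalid/proxy.pac
    root="${2:-}"         # optional prefix so the result can be inspected first
    profile="$root/etc/dconf/profile/user"
    dbdir="$root/etc/dconf/db/local.d"
    locks="$dbdir/locks"
    mkdir -p "$(dirname "$profile")" "$locks"

    # Profile: user-db first, then the system db compiled from local.d.
    printf 'user-db:user\nsystem-db:local\n' > "$profile"

    # Keyfile: org.gnome.system.proxy is stored under /system/proxy/.
    cat > "$dbdir/00-proxy" <<EOF
[system/proxy]
mode='auto'
autoconfig-url='$pac_url'
EOF

    # Locks: a locked key cannot be overridden from the user's own db,
    # so the Network Proxy panel shows the values but refuses changes.
    printf '/system/proxy/mode\n/system/proxy/autoconfig-url\n' > "$locks/00-proxy"

    # Compile the binary db only when writing to the real filesystem.
    if [ -z "$root" ] && command -v dconf >/dev/null 2>&1; then
        dconf update
    fi
}
```

After running it as root on the real filesystem, `gsettings get org.gnome.system.proxy mode` in a fresh user session should report 'auto' and `gsettings set` on that key should be refused.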

Perhaps, I guess it comes down to what you are familiar with :wink:

Not being a Gnome user, I’m never quite sure about what’s current with gsettings, dconf etc, but it does look promising (assuming still current).

Thank you both for your feedback. Reading through your suggestions, I was able to walk back my changes and accomplish what I started out to do. I switched back to wicked, alleviating the issue with the non-privileged users changing network settings via NetworkManager. Next, I used gsettings/dconf to change gnome’s automatic proxy settings for the system and it is now working correctly.

After traveling down the rabbit hole with polkit, etc., I got further and further away from looking at the desktop session’s default settings…

Thanks again for the assistance.

On Tue 24 Jul 2018 03:26:03 PM CDT, whongach wrote:

Thank you both for your feedback. Reading through your suggestions, I
was able to walk back my changes and accomplish what I started out to
do. I switched back to wicked, alleviating the issue with the
non-privileged users changing network settings via NetworkManager.
Next, I used gsettings/dconf to change gnome’s automatic proxy settings
for the system and it is now working correctly.

After traveling down the rabbit hole with polkit, etc., I got further
and further away from looking at the desktop session’s default
settings…

Thanks again for the assistance.

Hi
FWIW, if using Firefox, you can lock the proxy setting here with a js
file and the pref and prefLock(“…”) option

See /usr/lib64/firefox/defaults/pref/all-openSUSE.js


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-23-default

Yes, I have this set up for Firefox so that users cannot change their proxy preference. Very handy!