Networkmanager allows user to change DNS settings on wifi-connection

Hello openSUSE community,

I’m facing a specific issue regarding DNS configuration permissions on my laptop running openSUSE LEAP 15.4, and despite my efforts, I haven’t found a resolution. I’m hoping to get some guidance or suggestions from the community.

System Configuration:

  • OS: openSUSE LEAP 15.4
  • Desktop Environment: GNOME 41.8
  • Network Management: NetworkManager

Current Behavior:

  • For wired connections, I’m prompted for the root password when attempting to change DNS settings, which is the desired behavior.
  • However, for a Wi-Fi connection, I can modify the DNS settings through the GUI as a user without being prompted for the root password. These changes take effect after a restart of the Wi-Fi on the laptop.

Desired Behavior: I want the system to prompt for the root password when attempting to make changes to DNS settings for Wi-Fi connections, similar to the behavior observed for wired connections. The reason is to force using PiHole as a DNS-Resolver for this specific system.

Steps Taken So Far:

  1. I tried adjusting PolicyKit permissions to enforce authentication for network changes, but this did not yield the desired behavior.
sudo nano /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy



sudo nano /etc/polkit-1/rules.d/10-network-manager-dns.rules

polkit.addRule(function(action, subject) {
    if ("org.freedesktop.NetworkManager.") == 0 && action.lookup("nm.setting.connection.type") == "802-11-wireless" && action.lookup("nm.setting.ip4.config.method") != "auto") {
        return polkit.Result.AUTH_ADMIN;

  1. I also attempted to configure NetworkManager to mark Wi-Fi devices as “unmanaged.” However, this resulted in the Wi-Fi adapter not being recognized at all.
sudo nano /etc/NetworkManager/NetworkManager.conf



If anyone has faced a similar issue or has insights on how to achieve the desired behavior, your guidance would be highly appreciated.

Thank you in advance for your assistance!

  1. Thou Shalt Not Edit Anything Under /usr.
  2. Each action has own defaults and we have no idea which action you changed.
  3. Those are exactly what their name suggests - they are default values which can be overridden. In particular by standard openSUSE settings.

Can you post link which made you think it was supposed to work? NetworkManager does not provide any action details at all.

NetworkManager has two polkit actions for modifying connection properties - org.freedesktop.NetworkManager.settings.modify.own and org.freedesktop.NetworkManager.settings.modify.system. On openSUSE the former is by default allowed for locally logged in user and the latter requires root authentication. Most likely your WiFi connection was created as user connection and wired - as system connection.

If you want to prevent users to modify own connections, simply remove all action details lookup from your polkit rule leaving only check for action name itself. Alternatively, you can edit /etc/polkit-default-privs.local for all NetworkManager actions. See comments in this file.

1 Like

Thank you for your insights. Based on your suggestions, here’s what I did in case anyone else comes across the same challenge:

Initial Solution:
I created a custom rule in /etc/polkit-1/rules.d/ named 10-networkmanager-users.rules with the following content:

polkit.addRule(function(action, subject) {
    if ( == "org.freedesktop.NetworkManager.settings.modify.own" || == "org.freedesktop.NetworkManager.settings.modify.system") {
        return polkit.Result.AUTH_ADMIN;

This effectively restricted the modification of both user-specific and system-wide network connections.

Problem with the Initial Solution:
While this did achieve my goal of requiring a root password to modify connection settings, it also had the unintended consequence of requiring a root password just to connect to a new Wi-Fi network, which was not what I wanted.

Final Solution:
As arvidjaar mentioned, NetworkManager differentiates between system-wide and user-specific connections. To make a user-specific connection system-wide, I used the nmcli tool:

  1. List all connections:
nmcli connection show
  1. Set the connection to be available system-wide:
nmcli connection modify [CONNECTION_NAME_OR_UUID] connection.permissions ""

By making the connection system-wide, users can connect to new Wi-Fi networks without requiring a root password, but they still need a root password to modify the details of these connections.

Note: I also tried modifying the connection through the GNOME Network settings GUI. There is supposed to be an option like “All users may connect to this network” but it didn’t seem to work as intended.