Bug 1457939

Summary: Network connectivity lost when last root session exits and USERS=root is used
Product: Red Hat Enterprise Linux 7 Reporter: Renaud Métrich <rmetrich>
Component: NetworkManagerAssignee: Beniamino Galvani <bgalvani>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 7.3CC: atragler, bgalvani, fgiudici, lmiksik, lrintel, rkhan, sukulkar, thaller, vbenes
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 13:24:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851, 1470965    
Attachments:
Description Flags
[PATCH] libnm-core: clarify the meaning of the connection.permissions property none

Description Renaud Métrich 2017-06-01 15:17:04 UTC 
Description of problem:

When specifying the "USERS=root" property in ifcfg-XXX file of a given network interface, the network gets disabled when last root session exits.

Version-Release number of selected component (if applicable):

NetworkManager-1.4.0-20.el7_3

How reproducible:

Always

Steps to Reproduce:
1. Set up a basic VM
2. Specify "USERS=root" in /etc/sysconfig/network-scripts/ifcfg-eth0 and reboot
3. In a terminal, ping the VM forever
4. Connect to the console of the VM and login as root
5. Logout from root session

Actual results:

Network connectivity is lost (interface gets down)

Expected results:

No loss of connectivity, or explanation of this behaviour in the manual page
Comment 2 Thomas Haller 2017-06-01 19:28:41 UTC 
This is intended behavior. When you restrict a connection to a certain user, the user must be logged in. It has been this way since ever.

An alternative of connection permissions it to restict access to D-Bus commands via PolicyKit. See `nmcli general permissions` for the permissions you have.

See org.freedesktop.NetworkManager.network-control in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
Comment 3 Renaud Métrich 2017-06-13 07:07:30 UTC 
Hi Thomas,
Thank you for confirming this behaviour.
IMO the nm-settings-ifcfg-rh(5) manpage should clearly mention this behaviour when specifying USERS=root, because it has consequences on the shutdown of the OS when NFSv3 mounts are used: typically, the shutdown will just take forever, due to BZ 1312002
Comment 4 Beniamino Galvani 2017-07-19 14:28:30 UTC 
Created attachment 1301133 [details]
[PATCH] libnm-core: clarify the meaning of the connection.permissions property
Comment 5 Thomas Haller 2017-07-25 14:54:55 UTC 
(In reply to Beniamino Galvani from comment #4)
> Created attachment 1301133 [details]
> [PATCH] libnm-core: clarify the meaning of the connection.permissions
> property

lgtm. But breaks make-check for settings-docs.c
Comment 6 Beniamino Galvani 2017-07-25 16:09:18 UTC 
Fixed and applied:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=378a2f24869f7c550d669f05853fa56d28d36fc1
Comment 9 Vladimir Benes 2018-01-04 11:29:10 UTC 
description: Restrict to certain users the access to this connection, and allow the connection to be active only when at least one of the specified users is logged into an active session.

This should be it. Once more bug filed (#1530977)
Comment 12 errata-xmlrpc 2018-04-10 13:24:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0778