Bug 1762011

Summary: Add permission to nmcli to disable user ability to configure networking
Product: Red Hat Enterprise Linux 8
Reporter: Ash Westbrook <awestbro>
Component: NetworkManager
Assignee: sushil kulkarni <sukulkar>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: low
Priority: low
Version: 8.4
CC: atragler, bgalvani, fgiudici, lrintel, pasik, ralford, rkhan, sukulkar, thaller, vbenes
Target Milestone: rc
Keywords: RFE, Security
Target Release: 8.0
Hardware: All
OS: All
Fixed In Version: NetworkManager-1.22.0-1.el8
Doc Type: If docs needed, set a value
Last Closed: 2020-04-28 16:53:15 UTC
Type: Bug

Description Ash Westbrook 2019-10-15 20:25:35 UTC
Description of problem:


Currently, nmcli allows users to configure networking. For example,

$ nmcli general permissions
PERMISSION                                                        VALUE   
org.freedesktop.NetworkManager.enable-disable-network             yes     
org.freedesktop.NetworkManager.enable-disable-wifi                yes     
org.freedesktop.NetworkManager.enable-disable-wwan                yes     
org.freedesktop.NetworkManager.enable-disable-wimax               yes     
org.freedesktop.NetworkManager.sleep-wake                         no      
org.freedesktop.NetworkManager.network-control                    yes     
org.freedesktop.NetworkManager.wifi.share.protected               yes     
org.freedesktop.NetworkManager.wifi.share.open                    yes     
org.freedesktop.NetworkManager.settings.modify.system             yes     
org.freedesktop.NetworkManager.settings.modify.own                yes     
org.freedesktop.NetworkManager.settings.modify.hostname           auth    
org.freedesktop.NetworkManager.settings.modify.global-dns         auth    
org.freedesktop.NetworkManager.reload                             auth    
org.freedesktop.NetworkManager.checkpoint-rollback                auth    
org.freedesktop.NetworkManager.enable-disable-statistics          yes     
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes     
org.freedesktop.NetworkManager.wifi.scan                          unknown

Add a permission such as org.freedesktop.NetworkManager.admin-config-only that when configured only those with root can configure network permissions. This is in support of FISMA High requirements.

Comment 1 Thomas Haller 2019-10-16 06:17:44 UTC
How do you imagine this to work?


What nmcli calls "PERMISSIONS" are really called "actions" in PolicyKit terms.
See https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
An "action"  org.freedesktop.NetworkManager.admin-config-only makes no sense.



If you only want root users to get permission, then configure NetworkManager's PolicyKit rules accordingly. NetworkManager uses PolicyKit, so it very much expects you to configure PolicyKit with the permissions that are suitable for you.


You could also restrict access to the D-Bus API in dbus-daemon via /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf. But that seems to be less flexible and is probably not the right approach.


> This is in support of FISMA High requirements.

Could you explain the requirements better, instead of (what you think should be) the solution?

Comment 2 ralford 2019-10-16 21:53:56 UTC
The requirement is to add a permission in nmcli to allow an administrator to prevent non-admins from configuring network configurations and settings using nmcli.
The functionality needs to be delivered with NetworkManager and is disabled by default (so that users can configure like they can today) until an admin enables
the feature with a simple command or setting.

Comment 3 Thomas Haller 2019-10-17 04:12:56 UTC
That is exactly what PolicyKit does, isn't it? Configure PolicyKit so that only certain users (administrators) are permitted.
Is there a problem with that?

Basically, in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy you find the configured actions (and their default authentication results, like deny or allow). You probably wouldn't want to edit the actions file. Instead, you can drop PolicyKit rules that can evaluate to more complex results.
Do you help with that? I am unfortunately no expert in PolicyKit and would advise help from the polkit maintainers.

(Note that NetworkManager never asks PolicyKit to authenticate root user (userid 0). Root always gets a free pass, and PolicyKit isn't even consulted. So, basically, you would configure PolicyKit to deny all actions -- whether you thereby also deny them for userid 0 has no effect for NetworkManager).

Comment 4 ralford 2019-12-05 17:19:11 UTC
> That is exactly what PolicyKit does, isn't it? Configure PolicyKit so that only certain users (administrators) are permitted.
> Is there a problem with that?

Yes, we need the capability provided by default in nmcli delivered in RHEL.

Comment 5 Beniamino Galvani 2019-12-09 07:11:26 UTC
(In reply to Ash Westbrook from comment #0)
> Description of problem:
> 
> 
> Currently, nmcli allows users to configure networking. For example,

Normal users are allowed to control networking only when they are logged into a physical terminal. Users with physical access to the machine can usually bypass authentication methods anyway (for example, rebooting into single mode). A normal user with non-physical access (for example connected via ssh) has no NM permissions:

 $ nmcli general permissions 
 PERMISSION                                                        VALUE   
 org.freedesktop.NetworkManager.enable-disable-network             no      
 org.freedesktop.NetworkManager.enable-disable-wifi                no      
 org.freedesktop.NetworkManager.enable-disable-wwan                no      
 org.freedesktop.NetworkManager.enable-disable-wimax               no      
 org.freedesktop.NetworkManager.sleep-wake                         no      
 org.freedesktop.NetworkManager.network-control                    auth    
 org.freedesktop.NetworkManager.wifi.share.protected               no      
 org.freedesktop.NetworkManager.wifi.share.open                    no      
 org.freedesktop.NetworkManager.settings.modify.system             auth    
 org.freedesktop.NetworkManager.settings.modify.own                auth    
 org.freedesktop.NetworkManager.settings.modify.hostname           auth    
 org.freedesktop.NetworkManager.settings.modify.global-dns         auth    
 org.freedesktop.NetworkManager.reload                             auth    
 org.freedesktop.NetworkManager.checkpoint-rollback                auth    
 org.freedesktop.NetworkManager.enable-disable-statistics          no      
 org.freedesktop.NetworkManager.enable-disable-connectivity-check  no

Do FISMA requirements make any distinction about local/remote access?

Comment 6 Thomas Haller 2019-12-11 12:24:04 UTC
In rhel-8.2, there will be a new configuration option "main.auth-polkit=root-only" in NetworkManager.conf [1].

For example create a file /etc/NetworkManager/conf.d/99-auth-polkit-root-only.conf with

  [main]
  auth-polkit=root-only

and restart NetworkManager. This disables the use of PolicyKit from NetworkManager and only allows requests by user root (uid 0).

[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/76240cbe2b8fa110119b996bb462e12c9e175b29


The alternative is of course to configure the appropriate rules in PolicyKit to reject unwanted permissions.



Other than that, I don't think there is anything to do here. The default in RHEL will not change, because in many scenarios allowing non-root makes sense. If you have other requirements, change the configuration.
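
Added example (not part of the comment above and not NetworkManager code): a shell audit for the two things this thread relies on, namely that `[main]` carries `auth-polkit=root-only` and that `nmcli general permissions` grants nothing to the account under test. Function names are hypothetical, and treating every value other than `no` as a finding is this example's policy assumption.

```shell
#!/bin/sh
# Added example, not NetworkManager code. Both checks read stdin.

# Succeeds only if the [main] section sets auth-polkit=root-only.
# Feed it one drop-in file, or `NetworkManager --print-config` for the
# merged configuration.
nm_conf_root_only() {
    awk '
        /^[ \t]*\[/ { main_sec = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        main_sec && /^[ \t]*auth-polkit[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { exit (val == "root-only" ? 0 : 1) }
    '
}

# Prints "permission value" for every row of `nmcli general permissions`
# whose value is not "no". Policy assumption of this example: "yes", "auth"
# and "unknown" are all findings for an unprivileged account.
nm_perm_findings() {
    awk '$1 ~ /^org\.freedesktop\.NetworkManager\./ && $2 != "no" { print $1, $2 }'
}

# Exit status 0 when nothing is left to report, 1 otherwise.
nm_perm_audit() {
    findings=$(nm_perm_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Rows copied from the listing in the bug description (comment 0).
sample_local() {
    cat <<'EOF'
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.enable-disable-network             yes
org.freedesktop.NetworkManager.sleep-wake                         no
org.freedesktop.NetworkManager.settings.modify.system             yes
org.freedesktop.NetworkManager.settings.modify.hostname           auth
org.freedesktop.NetworkManager.wifi.scan                          unknown
EOF
}

# On a live host:
#   NetworkManager --print-config | nm_conf_root_only && echo "root-only set"
#   nmcli general permissions | nm_perm_audit   # as the account under test
```

The permission check has to run in the same kind of session (local console or ssh) as the account being audited, because comment 5 shows the values differ between the two.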

Comment 7 Thomas Haller 2019-12-17 08:42:29 UTC
Now with main.auth-polkit=root-only setting, I don't think there is anything else to do here. It's not gonna become the default, because it would break a lot of valid use cases. You may configure it however.

You are advised to configure PolicyKit. That's what it is here for.


Moving bug forward.

Comment 8 ralford 2019-12-17 19:37:59 UTC
(In reply to Beniamino Galvani from comment #5)
> (In reply to Ash Westbrook from comment #0)
> > Description of problem:
> > 
> > 
> > Currently, nmcli allows users to configure networking. For example,
> 
> Normal users are allowed to control networking only when they are logged
> into a physical terminal. Users with physical access to the machine can
> usually bypass authentication methods anyway (for example, rebooting into
> single mode). A normal user with non-physical access (for example connected
> via ssh) has no NM permissions:
> 
>  $ nmcli general permissions 
>  PERMISSION                                                        VALUE   
>  org.freedesktop.NetworkManager.enable-disable-network             no      
>  org.freedesktop.NetworkManager.enable-disable-wifi                no      
>  org.freedesktop.NetworkManager.enable-disable-wwan                no      
>  org.freedesktop.NetworkManager.enable-disable-wimax               no      
>  org.freedesktop.NetworkManager.sleep-wake                         no      
>  org.freedesktop.NetworkManager.network-control                    auth    
>  org.freedesktop.NetworkManager.wifi.share.protected               no      
>  org.freedesktop.NetworkManager.wifi.share.open                    no      
>  org.freedesktop.NetworkManager.settings.modify.system             auth    
>  org.freedesktop.NetworkManager.settings.modify.own                auth    
>  org.freedesktop.NetworkManager.settings.modify.hostname           auth    
>  org.freedesktop.NetworkManager.settings.modify.global-dns         auth    
>  org.freedesktop.NetworkManager.reload                             auth    
>  org.freedesktop.NetworkManager.checkpoint-rollback                auth    
>  org.freedesktop.NetworkManager.enable-disable-statistics          no      
>  org.freedesktop.NetworkManager.enable-disable-connectivity-check  no
> 
> Do FISMA requirements make any distinction about local/remote access?

Yes, they do, including protections around single-user mode and root access.

> Now with main.auth-polkit=root-only setting, I don't think there is anything else to do here. It's not gonna become the default, because it would break a lot of valid use cases. You may configure it however.

Thanks for your work on this. Yes, agree with you here; it should only be flipped on when configured and not turned on by default install.

Comment 11 Vladimir Benes 2020-02-18 15:55:43 UTC
covered by no_user_control test in 
https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/merge_requests/520

Comment 13 errata-xmlrpc 2020-04-28 16:53:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1847