Bug 626337

Summary: non-local user can disable wifi and wwan
Product: Red Hat Enterprise Linux 6
Reporter: Pierre Ossman <ossman>
Component: NetworkManager
Assignee: Dan Williams <dcbw>
Status: CLOSED ERRATA
QA Contact: desktop-bugs <desktop-bugs>
Severity: medium
Priority: low
Version: 6.0
CC: jklimes, mhusnain, notting, vbenes
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
Unprivileged users could change the status of the wireless connection and WWAN. This is now fixed to display a "not authorized" error for any unauthorized users attempting to change the wireless status.
Last Closed: 2011-05-19 14:24:49 UTC

Description Pierre Ossman 2010-08-23 08:43:42 UTC
This is a follow-up to bug 585182 where a non-local user could disable the entire networking system. That problem has been fixed, but users can still disable wifi and wwan at inappropriate times.

Relevant comment:

 Dan Williams      2010-08-20 15:31:54 EDT

Ah right; so the issue with Enable Networking *is* in fact fixed.  The problem
here is with "Enable Wireless", correct?

NM has always used properties for the Wifi/WWAN enable toggles, and
unfortunately those can't be protected with PK in the same way as method calls
can, because dbus-glib hides the necessary information.  There may be some
workarounds that we can use (and we've discussed them before) so I'll look into
the wifi/wwan switches more.

But WRT to actual servers, they most likely won't be running wifi devices which
makes this somewhat less severe.
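
The gap described in the quoted comment above, as an added illustrative model that is not NetworkManager or dbus-glib code: a method handler receives the caller and can refuse it, while a property setter receives only the name and value, so a check has to happen earlier, while the sender is still known. `WirelessEnabled` and `WwanEnabled` are the NetworkManager property names; `Caller`, `Manager`, the `EnableNetworking` member and the dispatch functions are hypothetical, and the filter is one possible workaround, not a description of the upstream fix.

```python
# Added illustrative model; not NetworkManager or dbus-glib code.
from dataclasses import dataclass

class NotAuthorized(Exception):
    """Stands in for the "not authorized" error returned to the caller."""

@dataclass(frozen=True)
class Caller:                 # hypothetical view of a D-Bus sender
    name: str
    authorized: bool          # what a PolicyKit-style check would answer

class Manager:
    """Toy service: one guarded method, two writable properties."""
    def __init__(self):
        self.networking = True
        self.props = {"WirelessEnabled": True, "WwanEnabled": True}

    def enable_networking(self, caller, value):
        # Method path: the handler is given the caller, so it can check.
        if not caller.authorized:
            raise NotAuthorized("EnableNetworking")
        self.networking = value

    def set_property(self, name, value):
        # Property path: the setter sees only (name, value), never the caller.
        self.props[name] = value

def dispatch_unfiltered(mgr, caller, member, *args):
    """Binding layer that forwards a property Set straight to the setter."""
    if member == "Set":
        return mgr.set_property(*args)
    return mgr.enable_networking(caller, *args)

def dispatch_filtered(mgr, caller, member, *args):
    """Same layer, but Set is checked while the sender is still known."""
    if member == "Set" and not caller.authorized:
        raise NotAuthorized(args[0])
    return dispatch_unfiltered(mgr, caller, member, *args)

def attempt(dispatch, mgr, caller, member, *args):
    """Return the outcome the client would observe."""
    try:
        dispatch(mgr, caller, member, *args)
        return "ok"
    except NotAuthorized:
        return "not authorized"
```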

Comment 1 Pierre Ossman 2010-08-23 08:45:48 UTC
Wifi is probably rare on a server, yes, but isn't wwan typically a server kind of thing?

Comment 3 Bill Nottingham 2010-08-23 18:16:19 UTC
WRT to comment #1, no, not really. At least, I don't know of many servers that are connected to the internet via 3G dongles.

Comment 4 Pierre Ossman 2010-08-24 08:27:24 UTC
(In reply to comment #3)
> WRT to comment #1, no, not really. At least, I don't know of many servers that
> are connected to the internet via 3G dongles.

Ah. I thought wwan meant some kind of fancy schmancy fiber ring cards. Never mind then. )

Comment 6 Dan Williams 2010-08-25 20:14:16 UTC
Upstream fixes:

f917852de3f4676f259edd2f272b561c9068435b (master)
e554ffa85915ae86926ba0e021ffa748d77e08ea (0.8.x)

Comment 7 Dan Williams 2010-09-01 18:51:39 UTC
Fixes rolled into Fedora 12, 13, 14, and rawhide as of git20100831 and later.

Comment 14 Misha H. Ali 2011-04-20 06:56:02 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Non-local users could use NetworkManager to enable/disable the wireless connection and wwan. This is now fixed to display a "not authorized" error for non-local users attempting to change the wireless status.

Comment 15 Misha H. Ali 2011-04-20 07:44:48 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Non-local users could use NetworkManager to enable/disable the wireless connection and wwan. This is now fixed to display a "not authorized" error for non-local users attempting to change the wireless status.+Unpriviledged users could change the status of the wireless connection and WWAN. This is now fixed to display a "not authorized" error for any unauthorized users attempting to change the wireless status.
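Review bot: the added text misspells "Unprivileged" as "Unpriviledged", and replacing "Non-local users" with it drops the local versus non-local distinction that the bug summary ("non-local user can disable wifi and wwan") is about. The second sentence also still says only "the wireless status" although the first sentence names WWAN as well, and the two sentences now use different terms for the same users ("Unpriviledged" and "unauthorized"). Suggest fixing the spelling, using one term for the affected users throughout, and ending with "attempting to change the wireless or WWAN status".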

Comment 16 errata-xmlrpc 2011-05-19 14:24:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0769.html