Bug 1145646 - NM should allow admins in non-local sessions to control the network
Summary: NM should allow admins in non-local sessions to control the network
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 21
Hardware: Unspecified
OS: Unspecified
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Blocks: 1094121 1144010 F21ServerWG
Reported: 2014-09-23 12:21 UTC by Marius Vollmer
Modified: 2014-10-31 02:43 UTC

Fixed In Version: NetworkManager-0.9.10.0-10.git20140704.fc21
Doc Type: Bug Fix
Last Closed: 2014-10-31 02:43:38 UTC


Attachments:
Allow non-local admin sessions to control the network. (988 bytes, patch)
2014-10-06 08:17 UTC, Marius Vollmer
Fix broken polkit policy (2.70 KB, patch)
2014-10-06 09:03 UTC, Stef Walter

Description Marius Vollmer 2014-09-23 12:21:20 UTC
NetworkManager-0.9.10.0-5.git20140704.fc21.x86_64

Cockpit allows configuration of the network via NetworkManager.  This works well for admin users except the actual activation/deactivation of connections.

I think at least "org.freedesktop.NetworkManager.network-control" should have

  <allow_any>auth_admin</allow_any>

(Other actions might need adjusting, too.)
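
An added example, not part of the bug report or NetworkManager's own code: a small Python audit that parses a polkit `.policy` file and lists the actions that a non-local session (governed by `allow_any`) is denied outright while an active local session is allowed, which is the mismatch described above. The sample policy and its values are constructed for illustration (only the `network-control` action id comes from the report), and the script assumes polkit's documented behaviour that a missing implicit-authorization element defaults to `no`.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT the shipped NetworkManager policy file.
SAMPLE_POLICY = """
<policyconfig>
  <action id="org.freedesktop.NetworkManager.network-control">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.hypothetical-fixed-action">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

IMPLICIT_KEYS = ("allow_any", "allow_inactive", "allow_active")


def implicit_auth(policy_xml):
    """Return {action_id: {key: value}} for every <action> in the policy.

    A missing or empty element is reported as "no" (assumed polkit default).
    """
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        entry = {}
        for key in IMPLICIT_KEYS:
            node = defaults.find(key) if defaults is not None else None
            text = (node.text or "").strip() if node is not None else ""
            entry[key] = text or "no"
        result[action.get("id")] = entry
    return result


def remote_lockouts(policy_xml):
    """Actions allowed for an active local session but denied to any other client."""
    return sorted(
        action_id
        for action_id, auth in implicit_auth(policy_xml).items()
        if auth["allow_any"] == "no" and auth["allow_active"] != "no"
    )


if __name__ == "__main__":
    for action_id in remote_lockouts(SAMPLE_POLICY):
        print("non-local sessions denied:", action_id)
```

To audit an installed policy, pass the contents of a file from the system's polkit actions directory to `remote_lockouts()` instead of the sample string.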

Comment 1 Dan Williams 2014-09-23 17:19:50 UTC
Yeah, this should get fixed and non-local users should have access to this stuff.  We changed that earlier this year for other tasks, and I don't remember why we didn't fix that up for this too.

Comment 2 Marius Vollmer 2014-09-24 07:36:14 UTC
> Yeah, this should get fixed and non-local users should have access to this stuff.

Ok, nice that we agree!

We would like to have this in Fedora 21 still, but we can carefully work around this with a simple polkit rule, so if there is a reason why this can't be fixed in time in the NM package, that is no problem.

Comment 3 Stef Walter 2014-09-24 07:41:33 UTC
Actually the Fedora Server WG discussed this yesterday, and wants us to first and foremost pursue fixing these things in the package with the broken policy ... only including such an overriding polkit rule if all else fails.

http://meetbot.fedoraproject.org/fedora-meeting-1/2014-09-23/fedora-meeting-1.2014-09-23-15.01.log.html

Comment 4 Marius Vollmer 2014-10-06 08:17:31 UTC
Created attachment 944168
Allow non-local admin sessions to control the network.

Proposed patch.

Comment 5 Stef Walter 2014-10-06 09:03:47 UTC
Created attachment 944187
Fix broken polkit policy

Resolves: rhbz#1145646

Comment 6 Stef Walter 2014-10-06 09:05:34 UTC
Also added patch which can be merged into the Fedora 21 package to fix this issue during the Beta if upstream NetworkManager does not update.

The alternative is for Cockpit to install a polkit rules.d which overrides the NetworkManager policy.

Scratch build with this patch: http://koji.fedoraproject.org/koji/taskinfo?taskID=7773139

Comment 7 Marius Vollmer 2014-10-07 06:37:49 UTC
(In reply to Stef Walter from comment #6)

> Scratch build with this patch:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=7773139

I have tested this, and it works as expected.

I tested both manually and by reverting "c7a9269 polkit: Tweak policy to work for Cockpit" in Cockpit and running the integration tests.

Comment 8 Dan Williams 2014-10-13 21:03:38 UTC
Pushed upstream to git master and nm-0-9-10.

Comment 9 Fedora Update System 2014-10-13 21:42:21 UTC
NetworkManager-0.9.10.0-7.git20140704.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/NetworkManager-0.9.10.0-7.git20140704.fc21

Comment 10 Fedora Update System 2014-10-16 02:01:32 UTC
Package NetworkManager-0.9.10.0-7.git20140704.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing NetworkManager-0.9.10.0-7.git20140704.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12865/NetworkManager-0.9.10.0-7.git20140704.fc21
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-10-29 10:43:01 UTC
NetworkManager-0.9.10.0-10.git20140704.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-13679/NetworkManager-0.9.10.0-10.git20140704.fc21

Comment 12 Fedora Update System 2014-10-31 02:43:38 UTC
NetworkManager-0.9.10.0-10.git20140704.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

