Description of problem:
Currently, nmcli allows users to configure networking. For example,
$ nmcli general permissions
Add a permission such as org.freedesktop.NetworkManager.admin-config-only that when configured only those with root can configure network permissions. This is in support of FISMA High requirements.
How do you imagine this to work?
What nmcli calls "PERMISSIONS" are really called "actions" in PolicyKit term's.
An "action" org.freedesktop.NetworkManager.admin-config-only makes no sense.
If you only want root users to get permission, then configure NetworkManager's PolicyKit rules accordingly. NetworkManager uses PolicyKit, so it very much expects you to configure PolicyKit with the permissions that are suitable for you.
You could also restrict access to the D-Bus API in dbus-daemon via /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf. But that seems to be less flexible and is probably not the right approach.
> This is in support of FISMA High requirements.
Could you explain the requirements better, instead of (what you think should be) the solution?
The requirement is to add a permission in nmcli to allow an administrator to prevent non-admins from configuring network configurations and settings using nmcli.
The functionality needs to be delivered with NetworkManager and is disabled by default (so that users can configure like they can today) until an admin enables
the feature with a simple command or setting.
That is exactly what PolicyKit does, isn't it? Configure PolicyKit so that only certain users (administrators) are permitted.
Is there a problem with that?
Basically, in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy you find the configured actions (and their default authentication results, like deny or allow). You probably wouldn't want to edit the actions file. Instead, you can drop PolicyKit rules that can evaluate to more complex results.
Do you help with that? I am unfortunately no expert in PolicyKit and would advise help from the polkit maintainers.
(Note that NetworkManager never asks PolicyKit to authenticate root user (userid 0). Root always gets a free pass, and PolicyKit isn't even consulted. So, basically, you would configure PolicyKit to deny all actions -- whether you thereby also deny them for userid 0 has no effect for NetworkManager).
> That is exactly what PolicyKit does, isn't it? Configure PolicyKit so that only certain users (administrators) are permitted.
> Is there a problem with that?
Yes, we need the capability provided by default in nmcli delivered in RHEL.
(In reply to Ash Westbrook from comment #0)
> Description of problem:
> Currently, nmcli allows users to configure networking. For example,
Normal users are allowed to control networking only when they are logged into a physical terminal. Users with physical access to the machine can usually bypass authentication methods anyway (for example, rebooting into single mode). A normal user with non-physical access (for example connected via ssh) has no NM permissions:
$ nmcli general permissions
Do FISMA requirements make any distinction about local/remote access?
in rhel-8.2, there will be a new configuration option "main.auth-polkit=root-only" in NetworkManager.conf .
For example create a file /etc/NetworkManager/conf.d/99-auth-polkit-root-only.conf with
and restart NetworkManager. This disables the use of PolicyKit from NetworkManager and only allows request by user root (uid 0).
The alternative is of course to configure the appropriate rules in PolicyKit to reject unwanted permissions.
Other than that, I don't think there is anything to do here. The default in RHEL will not change, because in many scenarios allowing non-root makes sense. If you have other requirements, change the configuration.
Now with main.auth-polkit=root-only setting, I don't think there is anything else to do here. It's not gonna become the default, because it would break a lot of valid usecases. You may configure it however.
You are advised to configure PolicyKit. That's what it is here for.
Moving bug forward.
(In reply to Beniamino Galvani from comment #5)
> (In reply to Ash Westbrook from comment #0)
> > Description of problem:
> > Currently, nmcli allows users to configure networking. For example,
> Normal users are allowed to control networking only when they are logged
> into a physical terminal. Users with physical access to the machine can
> usually bypass authentication methods anyway (for example, rebooting into
> single mode). A normal user with non-physical access (for example connected
> via ssh) has no NM permissions:
> $ nmcli general permissions
> PERMISSION VALUE
> org.freedesktop.NetworkManager.enable-disable-network no
> org.freedesktop.NetworkManager.enable-disable-wifi no
> org.freedesktop.NetworkManager.enable-disable-wwan no
> org.freedesktop.NetworkManager.enable-disable-wimax no
> org.freedesktop.NetworkManager.sleep-wake no
> org.freedesktop.NetworkManager.network-control auth
> org.freedesktop.NetworkManager.wifi.share.protected no
> org.freedesktop.NetworkManager.wifi.share.open no
> org.freedesktop.NetworkManager.settings.modify.system auth
> org.freedesktop.NetworkManager.settings.modify.own auth
> org.freedesktop.NetworkManager.settings.modify.hostname auth
> org.freedesktop.NetworkManager.settings.modify.global-dns auth
> org.freedesktop.NetworkManager.reload auth
> org.freedesktop.NetworkManager.checkpoint-rollback auth
> org.freedesktop.NetworkManager.enable-disable-statistics no
> org.freedesktop.NetworkManager.enable-disable-connectivity-check no
> Do FISMA requirements make any distinction about local/remote access?
Yes they do including protections around single-user mode and root access.
> Now with main.auth-polkit=root-only setting, I don't think there is anything else to do here. It's not gonna become the default, because it would break a lot of valid usecases. You may configure it however.
Thanks for your work on this. Yes, agree with you here; it should only be flipped on when configured and not turned on by default install.
covered by no_user_control test in
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.