How do you imagine this to work?


What nmcli calls "PERMISSIONS" are really called "actions" in PolicyKit term's.
See https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
An "action"  org.freedesktop.NetworkManager.admin-config-only makes no sense.



If you only want root users to get permission, then configure NetworkManager's PolicyKit rules accordingly. NetworkManager uses PolicyKit, so it very much expects you to configure PolicyKit with the permissions that are suitable for you.


You could also restrict access to the D-Bus API in dbus-daemon via /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf. But that seems to be less flexible and is probably not the right approach.


> This is in support of FISMA High requirements.

Could you explain the requirements better, instead of (what you think should be) the solution?

The requirement is to add a permission in nmcli to allow an administrator to prevent non-admins from configuring network configurations and settings using nmcli.
The functionality needs to be delivered with NetworkManager and is disabled by default (so that users can configure like they can today) until an admin enables
the feature with a simple command or setting.

That is exactly what PolicyKit does, isn't it? Configure PolicyKit so that only certain users (administrators) are permitted.
Is there a problem with that?

Basically, in /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy you find the configured actions (and their default authentication results, like deny or allow). You probably wouldn't want to edit the actions file. Instead, you can drop PolicyKit rules that can evaluate to more complex results.
Do you help with that? I am unfortunately no expert in PolicyKit and would advise help from the polkit maintainers.

(Note that NetworkManager never asks PolicyKit to authenticate root user (userid 0). Root always gets a free pass, and PolicyKit isn't even consulted. So, basically, you would configure PolicyKit to deny all actions -- whether you thereby also deny them for userid 0 has no effect for NetworkManager).

> That is exactly what PolicyKit does, isn't it? Configure PolicyKit so that only certain users (administrators) are permitted.
> Is there a problem with that?

Yes, we need the capability provided by default in nmcli delivered in RHEL.

(In reply to Ash Westbrook from comment #0)
> Description of problem:
> 
> 
> Currently, nmcli allows users to configure networking. For example,

Normal users are allowed to control networking only when they are logged into a physical terminal. Users with physical access to the machine can usually bypass authentication methods anyway (for example, rebooting into single mode). A normal user with non-physical access (for example connected via ssh) has no NM permissions:

 $ nmcli general permissions 
 PERMISSION                                                        VALUE   
 org.freedesktop.NetworkManager.enable-disable-network             no      
 org.freedesktop.NetworkManager.enable-disable-wifi                no      
 org.freedesktop.NetworkManager.enable-disable-wwan                no      
 org.freedesktop.NetworkManager.enable-disable-wimax               no      
 org.freedesktop.NetworkManager.sleep-wake                         no      
 org.freedesktop.NetworkManager.network-control                    auth    
 org.freedesktop.NetworkManager.wifi.share.protected               no      
 org.freedesktop.NetworkManager.wifi.share.open                    no      
 org.freedesktop.NetworkManager.settings.modify.system             auth    
 org.freedesktop.NetworkManager.settings.modify.own                auth    
 org.freedesktop.NetworkManager.settings.modify.hostname           auth    
 org.freedesktop.NetworkManager.settings.modify.global-dns         auth    
 org.freedesktop.NetworkManager.reload                             auth    
 org.freedesktop.NetworkManager.checkpoint-rollback                auth    
 org.freedesktop.NetworkManager.enable-disable-statistics          no      
 org.freedesktop.NetworkManager.enable-disable-connectivity-check  no

Do FISMA requirements make any distinction about local/remote access?

in rhel-8.2, there will be a new configuration option "main.auth-polkit=root-only" in NetworkManager.conf [1].

For example create a file /etc/NetworkManager/conf.d/99-auth-polkit-root-only.conf with

  [main]
  auth-polkit=root-only

and restart NetworkManager. This disables the use of PolicyKit from NetworkManager and only allows request by user root (uid 0).

[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/76240cbe2b8fa110119b996bb462e12c9e175b29


The alternative is of course to configure the appropriate rules in PolicyKit to reject unwanted permissions.



Other than that, I don't think there is anything to do here. The default in RHEL will not change, because in many scenarios allowing non-root makes sense. If you have other requirements, change the configuration.

Now with main.auth-polkit=root-only setting, I don't think there is anything else to do here. It's not gonna become the default, because it would break a lot of valid usecases. You may configure it however.

You are advised to configure PolicyKit. That's what it is here for.


Moving bug forward.

(In reply to Beniamino Galvani from comment #5)
> (In reply to Ash Westbrook from comment #0)
> > Description of problem:
> > 
> > 
> > Currently, nmcli allows users to configure networking. For example,
> 
> Normal users are allowed to control networking only when they are logged
> into a physical terminal. Users with physical access to the machine can
> usually bypass authentication methods anyway (for example, rebooting into
> single mode). A normal user with non-physical access (for example connected
> via ssh) has no NM permissions:
> 
>  $ nmcli general permissions 
>  PERMISSION                                                        VALUE   
>  org.freedesktop.NetworkManager.enable-disable-network             no      
>  org.freedesktop.NetworkManager.enable-disable-wifi                no      
>  org.freedesktop.NetworkManager.enable-disable-wwan                no      
>  org.freedesktop.NetworkManager.enable-disable-wimax               no      
>  org.freedesktop.NetworkManager.sleep-wake                         no      
>  org.freedesktop.NetworkManager.network-control                    auth    
>  org.freedesktop.NetworkManager.wifi.share.protected               no      
>  org.freedesktop.NetworkManager.wifi.share.open                    no      
>  org.freedesktop.NetworkManager.settings.modify.system             auth    
>  org.freedesktop.NetworkManager.settings.modify.own                auth    
>  org.freedesktop.NetworkManager.settings.modify.hostname           auth    
>  org.freedesktop.NetworkManager.settings.modify.global-dns         auth    
>  org.freedesktop.NetworkManager.reload                             auth    
>  org.freedesktop.NetworkManager.checkpoint-rollback                auth    
>  org.freedesktop.NetworkManager.enable-disable-statistics          no      
>  org.freedesktop.NetworkManager.enable-disable-connectivity-check  no
> 
> Do FISMA requirements make any distinction about local/remote access?

Yes they do including protections around single-user mode and root access.

> Now with main.auth-polkit=root-only setting, I don't think there is anything else to do here. It's not gonna become the default, because it would break a lot of valid usecases. You may configure it however.

Thanks for your work on this. Yes, agree with you here; it should only be flipped on when configured and not turned on by default install.

covered by no_user_control test in 
https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/merge_requests/520

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1847