Bug 969612 - nm-connection-editor modifies ifcfg-eth0 in spite of option USERCTL=no
nm-connection-editor modifies ifcfg-eth0 in spite of option USERCTL=no
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: NetworkManager (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Dan Williams
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-31 19:16 EDT by Edgar Hoch
Modified: 2014-01-09 13:15 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-09 13:15:23 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Edgar Hoch 2013-05-31 19:16:30 EDT
Description of problem:
Is it possible that the option "USERCTL=no" in /etc/sysconfig/network-scripts/ifcfg-eth0 has no effect to NetworkManager?

When I start gnome-control-center and click on network, this starts nm-connection-editor. Then I can change the configuration of eth0 and save it as a regular user (logged in to the console of the host using gnome).

But since etc/sysconfig/network-scripts/ifcfg-eth0 contains the line
USERCTL=no
I should not be allowed to modify anything of eth0 - neither the configuration nor setting the device on and of. But both works.


Version-Release number of selected component (if applicable):

nm-connection-editor-0.9.8.1-4.git20130514.fc18.x86_64
NetworkManager-0.9.8.1-3.git20130514.fc18.x86_64
control-center-3.6.3-2.fc18.x86_64
gnome-shell-3.6.3.1-1.fc18.x86_64
kernel-3.9.4-200.fc18.x86_64


How reproducible:
Always.

Additional info:
I hope I have no configuration mistake. But as far as I see USERCTL=no should prevent users motifying the network interface.

On our desktop computers and servers users should not be allowed to modify the network connection, because they should always be connected and have a static configuration.
On notebooks users should be allowed to modify the network connection, because mobile computers need to be connected to different networks (mostly, dhcp is all we need).
Comment 1 JM 2013-08-05 08:44:52 EDT
Same problem for me in Fedora 18 and now Fedora 19.
Comment 2 JM 2013-08-05 08:58:48 EDT
Is there a workaround for this problem? Because right now a normal user can act like root and mess up the whole network interface.

Is

/etc/dbus-1/system.d/nm-ifcfg-rh.conf

somehow related to this problem? Is this the file which grants the NetworkManager the rights to modify /etc/sysconfig/network-scripts/ifcfg-eth0 as normal user?
Comment 3 JM 2013-08-05 09:29:28 EDT
I found the policy which controls the NetworkManager, it is

/usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

I changed the settings for

org.freedesktop.NetworkManager.settings.modify.system

from 

    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

to

    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>

"auth_admin_keep" is the solution. This way you need the system password to change settings, it looks like USERCTL=no in /etc/sysconfig/network-scripts/ifcfg-eth0 is completely useless now.
Comment 4 Dan Williams 2013-08-05 15:18:42 EDT
At the moment USERCTL is not read by NM.

If it becomes a priority to support USERCTL, then the solution would be to map USERCTL to a permissions key of "user:root" such that only root can modify the configuration and control the connection.  This would be in addition to and in parallel to the PolicyKit permissions structure, and would prevent non-root users from even seeing the conneciton in the first place.
Comment 5 Edgar Hoch 2013-08-05 17:12:27 EDT
There should be a simple flag for the administrator to allow console users modifying the network configuration (on, off, lan, wlan, vpn, 802.1x, etc.) or disallow it. This flag can be a variable in the ifcfg-* file, a command to call (like getsebool / setsebool) or something similar. I think this depends on the security mechanism that implements the restriction. The variable USERCTL would be ok for me.

The use case for the first (allow) are personal mobile devices like notebooks and some pcs at home. The other (disallow) are business desktop pcs, workstations, servers, etc., which are central managed and connected to a managed network where users must not change the network configuration.


A note why I found the problem:

On previous Fedora releases (Fedora 16 and earlier) we have used NetworkManager only on notebook, where it is ok for me that users can change the network configuration to get network connection in their hotel, conference, etc.

On our desktop pcs we had disabled NetworkManager and have used network scripts to start the network at boot time. We did this until Fedora 16. We didn't really use Fedora 17 and 18, and now with Fedora 19 I leave NetworkManager enabled und use it on the desktops and servers to, because so many other services depends on a running NetworkManager service (otherwise I got many errors, for example in ~/.xsession-errors and /var/log/messages), so I have decided to use NetworkManager (instead to "fight" against it) and not "network".

With Fedora 19 NetworkManager has become more features so it can be used on desktops and servers and not only mobile hosts, and I saw that bonding and bridging is prepeared for Fedora 20.

As NetworkManager is running on Fedora 19, the nm-applet appears automatically on users desktop to see and manage network connections. In previous releases (Fedora 16) I allowed NetworkManager only on notebooks. On desktops no nm-appled appeared because NetworkManager was not running.
Comment 6 JM 2013-08-05 19:23:52 EDT
I use as workaround now a rule in 

/etc/polkit-1/rules.d

for example:

----------------
polkit.addRule(function(action, subject) {
	if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
		// Only admin can change it.
		return polkit.Result.AUTH_ADMIN;
	}

	return polkit.Result.NOT_HANDLED;
});
----------------

This way it is not necessary to modify 

/usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy

Of course I would prefer USERCTL in the /etc/sysconfig/network-scripts/ifcfg-* files...
Comment 7 Fedora End Of Life 2013-12-21 08:48:18 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 8 Dan Williams 2014-01-09 13:15:23 EST
(In reply to JM from comment #6)
> I use as workaround now a rule in 
> 
> /etc/polkit-1/rules.d
> 
> for example:
> 
> ----------------
> polkit.addRule(function(action, subject) {
> 	if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
> 		// Only admin can change it.
> 		return polkit.Result.AUTH_ADMIN;
> 	}
> 
> 	return polkit.Result.NOT_HANDLED;
> });
> ----------------
> 
> This way it is not necessary to modify 
> 
> /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
> 
> Of course I would prefer USERCTL in the
> /etc/sysconfig/network-scripts/ifcfg-* files...

Note that you can also protect ifcfg files with:

USERS=root foobar baz blah

key, and the connection will only be usable (and editable) by those specific users.  Unfortunately, USERCTL=yes/no is simply not flexible enough anymore, in a world where some users may need to change network settings, and other users may not.  This is why we have PolicyKit and connection permissions.

The best option here is to use PolicyKit to restrict which operations a user can perform on a per-user or per-group basis, as you've found you can do with the scripts.  NetworkManager provides a number of POlicyKit permissions, which you've seen in the .policy file.  Note that root is *always* allowed to perform all operations no matter what.  So you could certainly just lock everything down by overriding the .policy file with your own.

Note You need to log in before you can comment on or make changes to this bug.