Finally replying. Sorry, but it took some time to recall what I knew about this and still there are some details I could not remember.

On 27-05-2014 15:58, Bruce Dubbs wrote:
> I've been exploring NetworkManager and the nm-applet. It took me a
> while to get it working the way I think it should, but I think we may
> want to discuss permissions in the book a little more.
>
> Running the nmcli is really not an issue because you can always use
> sudo. However, without some configuration for ConsoleKit, setting up a
> network from a non-root graphical screen is a bit more difficult.

I find exactly the contrary. But in order to do it, I first install nm-applet (network-manager-applet-0.9.8.10), and I only did it on this machine this morning, for this discussion, because normally what we have in LFS is good enough for me.

Using LXDE, nm-applet is loaded with the session in lx-panel, and I can edit the connection out of the box, apparently. I need to, because the router wants to give it a wrong IP, and I use a manual (fixed) IP. When I try to close (and then the software tries to save), a pop-up window from lx-polkit, probably, asks for the root password.

>
> Right now, we recommend ConsoleKit with NetworkManager but don't add any
> configuration for it. What I found (from
> https://wiki.archlinux.org/index.php/NetworkManager) is needed is (as
> root):
>
> cat > /etc/polkit-1/rules.d/51-org.freedesktop.NetworkManager.rules << "EOF"
> polkit.addRule( function(action, subject)
> {
>   if ( action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
>        subject.isInGroup("wheel") )
>   {
>     return polkit.Result.YES;
>   }
> });
> EOF

But there, they recommend not wheel, network group. And some more configuration is necessary for xfce for notifications, but nm-applet would work there, if I understood correctly.

I understand that if I add this, any user added to wheel (or network) could edit the connections without needing a password, right?

>
> The use of a 'wheel' group is not discussed anywhere in BLFS, but
> perhaps we should create one (groupadd -g 500 wheel).

I like the idea. Took me some time, ages ago, to discover the use of this group.

>
> Of course the group name is arbitrary here, but the wheel group is also
> embedded in the unmodified
> /etc/{sudoers,login.access,polkit-1/rules.d/50-default.rules,/security/access.conf}
> files.
>
> This discussion could go in several places: About System Users and
> Groups, NetworkManager, and network-manager-applet are candidates.
>
> So there are two issues here: the nm polkit rule and the more general
> wheel group discussion.
>
> Does anyone have thoughts about this?

I like the idea to add all the discussions in the three places above. Only think that perhaps wheel and network groups could be added. Then, another candidate to reference wheel would be sudo.

I like the idea of adding a discussion and the polkit rule, but feel it decreases security, so perhaps some remarks about security could be added?

In conclusion, agree, but perhaps with some modifications?

--
[]s,
Fernando
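
The following is an added example, not part of the original message or of the BLFS book: it runs the quoted rule next to a narrower variant against constructed subjects to show who gets password-less access under each. The `polkit` object, the `narrowRule` variant (group `network`, local and active session only), and the sample users are assumptions made for the demonstration.

```javascript
// Stand-in for the globals polkitd gives a rules file (constructed for this demo).
const polkit = {
  Result: { YES: "yes", NOT_HANDLED: "not_handled" },
};

const NM_PREFIX = "org.freedesktop.NetworkManager.";

// The rule as quoted in the message: any member of "wheel", on any session.
function quotedRule(action, subject) {
  if (action.id.indexOf(NM_PREFIX) == 0 && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
}

// Narrower variant (assumption, not from the thread): dedicated "network"
// group, and only for a local, active session. Anything else is left
// unhandled so the action's default authorization still applies.
function narrowRule(action, subject) {
  if (action.id.indexOf(NM_PREFIX) == 0 &&
      subject.isInGroup("network") &&
      subject.local && subject.active) {
    return polkit.Result.YES;
  }
}

// Constructed subject carrying the attributes polkit exposes to rules.
function makeSubject(user, groups, local, active) {
  return { user, groups, local, active,
           isInGroup: (g) => groups.includes(g) };
}

// A rule that returns nothing has not handled the request.
function decide(rule, actionId, subject) {
  const r = rule({ id: actionId }, subject);
  return r === undefined ? polkit.Result.NOT_HANDLED : r;
}

const MODIFY = NM_PREFIX + "settings.modify.system";
const cases = [
  ["desk user, local session", makeSubject("alice", ["wheel", "network"], true, true)],
  ["same user, remote login", makeSubject("alice", ["wheel", "network"], false, false)],
  ["user in no group", makeSubject("bob", [], true, true)],
];
for (const [label, s] of cases) {
  console.log(label, "| quoted:", decide(quotedRule, MODIFY, s),
              "| narrow:", decide(narrowRule, MODIFY, s));
}
```

Where a rule leaves the request unhandled, the password prompt described in the reply is what the user sees instead.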
