Package: network-manager
Version: 0.9.1.95-1
Severity: wishlist

Hi.


These are just some thoughts, perhaps some of these are already working, or wontfix.
Pick what you like :)


Personally I always liked using the plain classic networking configuration, e.g.
- /etc/network/interfaces for the basics
- /etc/ipsec.conf for e.g. strongswan
- /etc/ppp/peers/* + /etc/chatscripts/* for PPP connections, including mobile broadband
- /etc/vpnc/* for vpnc connections


Network-Manager already does some job to integrate those.


Ideally, there would be plugins that just automatically load all these configurations and export them via NetworkManager.

For /etc/network/interfaces there seems to be some support via the ifupdown plugin (though I've already opened a bug here that not all configs are exported).
Further, I don't know whether all features/options are really supported, e.g. all the wpa-*, wireless-*, dns-* and at a later point e.g. iw-* stanzas.

For the others, there seems to be at best some import option, but this does not export the configuration to NM, but really copies it to it, AFAIU.
IMHO a bad idea, as one now has two places where everything has to be maintained.

Also, import has the "problem" that some configuration is typically not readable by normal users and there is currently no offer to sudo or so.


So in general I'd like to see this configuration exported by NM, but not changed/rewritten etc.
If a normal user wants to really do this, he can still create "new" configurations.




One problem, and this might even be a problem in the current ifupdown plugin, is permissions.
If any of the above networks is exported to the normal user (even if the passwords, certificates, etc. behind are not), it might be a security risk, just because a normal user can connect to such a network.

This is even true for just /etc/network/interfaces, which may be root-readable only, thereby preventing normal-user access to wireless passphrases.
Not sure if the ifupdown plugin is already exporting such passphrases (and thereby introducing a potential security hole).


The next question would be, how can we make it configurable, which of the "system-wide" settings are exported to which users.

For /etc/vpnc/*, /etc/ppp/peers/* and /etc/chatscripts/* this is easy. Each file contains just one connection, and it could be done via file permissions and perhaps ACLs.

But for /etc/network/interfaces and /etc/ipsec.conf this is more difficult as it contains more than one connection.
With /etc/network/interfaces we could easily add a new keyword, e.g.
nm-allowed-users list
nm-allowed-groups list
or something like this.

For /etc/ipsec.conf it's more difficult, as we cannot change the syntax easily.
Also, the actual credentials are in further files, for strongswan e.g. in X.509 certs, /etc/ipsec.secrets, etc.


Cheers,
Chris.


