On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
> I'm having some problems with permissions on NetworkManager. We are in
> the process of migrating our clients from RHEL 6.6 to RHEL 7.
> The clients connect to our wireless network using eap-tls, we provide
> the configuration, certificate and keys for this from our central
> configuration server so that the connection is transparent to the user.
> 
> In RHEL 6.6 the password for the private key (pkcs12 used for
> authentication) was not visible to the users, only to administrators.
> This was achieved by setting the connection as "system wide" in which
> case the config file was stored under /etc/sysconfig/network-scripts
> and only accessible by root.
> 
> In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
> from git) we can still limit the permissions to NM config using polkit
> but when doing this we also limit the possibility for the user to add
> new wifi-networks.
> 
> So what I would like to achieve is to limit access to existing
> connections (or connections not added by user) but I still want the
> users to be able to add new wifi connections. Is this possible?

I looked into this yesterday, and I think the way forward here is to
restrict the user's permissions for "modify.system", but allow them
permissions for "modify.own" (own == self, not possession).  This will
prevent the user from being able to change any connection that is
in /etc and does not have specific permissions.  But it allows the user
to create new connections that are restricted to that user only.

There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
it doesn't set the necessary flags to create these user-specific
connections when the modify.system permission is denied.  We can work on
fixing that though.

Do you think this solution would work for you?

Dan

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
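
The split Dan describes can be written as a polkit rule. The following is an added example, not part of the original thread or of NetworkManager; the rules file name, the `wheel` admin group and the session checks are assumptions, and the small stub exists only so the rule can be exercised outside polkitd.

```javascript
// Added example; intended as /etc/polkit-1/rules.d/10-nm-user-wifi.rules
// (file name and the "wheel" admin group are assumptions).
var NM_SETTINGS = "org.freedesktop.NetworkManager.settings.";
var NM_ADMIN_GROUP = "wheel";

// polkitd provides the global `polkit`; this stub only lets the rule
// function be exercised outside polkitd (for example under node).
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not-handled" },
    addRule: function (fn) {}
};

function nmSettingsRule(action, subject) {
    // Leave unrelated actions, and all administrators, to the default policy.
    if (action.id.indexOf(NM_SETTINGS) !== 0 ||
        subject.isInGroup(NM_ADMIN_GROUP)) {
        return pk.Result.NOT_HANDLED;
    }
    // System-wide connections (such as a centrally provisioned EAP-TLS
    // profile): non-admin users may not modify them.
    if (action.id === NM_SETTINGS + "modify.system") {
        return pk.Result.NO;
    }
    // Connections restricted to the calling user: allow without a prompt,
    // but only from an active local session.
    if (action.id === NM_SETTINGS + "modify.own") {
        return (subject.local && subject.active)
            ? pk.Result.YES
            : pk.Result.NOT_HANDLED;
    }
    return pk.Result.NOT_HANDLED;
}

pk.addRule(nmSettingsRule);
```

The rule only sets policy; as the reply notes, the client creating the connection still has to mark it as user-specific for the `modify.own` path to apply.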
