Hi Dan,

Thank you for the reply! This sounds like a good solution to me;
unfortunately, we are indeed using the GNOME Shell UI, so that would cause a
problem.

So what you are saying is that right now there is no way to achieve
this while using GNOME Shell?


On Wed, Dec 17, 2014 at 4:53 PM, Dan Williams <d...@redhat.com> wrote:
> On Thu, 2014-11-27 at 11:59 +0100, Peter Magnusson wrote:
>> I'm having some problems with permissions on NetworkManager. We are in
>> the process of migrating our clients from RHEL 6.6 to RHEL 7.
>> The clients connect to our wireless network using eap-tls, we provide
>> the configuration, certificate and keys for this from our central
>> configuration server so that the connection is transparent to the user.
>>
>> In RHEL6.6 the password for the private key (pkcs12 used for
>> authentication) was not visible to the users, only to administrators.
>> This was achieved by setting the connection as "system wide" in which
>> case the config file was stored under /etc/sysconfig/network-scripts
>> and only accessible by root.
>>
>> In RHEL7 and NM version 0.9.9.1-28.git20140326.4dba720.el7_0.2 (lbuild
>> from git) we can still limit the permissions to NM config using polkit
>> but when doing this we also limit the possibility for the user to add
>> new wifi-networks.
>>
>> So what I would like to achieve is to limit access to existing
>> connections (or connections not added by user) but I still want the
>> users to be able to add new wifi connections. Is this possible?
>
> I looked into this yesterday, and I think the way forward here is to
> restrict the user's permissions for "modify.system", but allow them
> permissions for "modify.own" (own == self, not possession).  This will
> prevent the user from being able to change any connection that is
> in /etc and does not have specific permissions.  But it allows the user
> to create new connections that are restricted to that user only.
>
> There's one catch though; if you're using the GNOME Shell UI on RHEL 7.0
> it doesn't set the necessary flags to create these user-specific
> connections when the modify.system permission is denied.  We can work on
> fixing that though.
>
> Do you think this solution would work for you?
>
> Dan
>
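The polkit split Dan describes above, as an added example that is not part of the original thread or NetworkManager's own files: a rules file that denies `modify.system` and allows `modify.own` for non-administrators. The `wheel` admin group, the local/active-session condition, the file name and the `pk` stand-in (used only so the logic can run outside polkitd) are assumptions.

```javascript
// Added example, not from the thread.
// Assumed location: /etc/polkit-1/rules.d/10-nm-user-connections.rules
// Outside polkitd there is no `polkit` global, so a minimal stand-in is
// used; inside polkitd the real object is picked up unchanged.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", YES: "yes", NOT_HANDLED: null },
    addRule: function (fn) {}
};

var NM_MODIFY_SYSTEM = "org.freedesktop.NetworkManager.settings.modify.system";
var NM_MODIFY_OWN = "org.freedesktop.NetworkManager.settings.modify.own";
var ADMIN_GROUP = "wheel"; // assumption: administrators are in this group

function nmSettingsRule(action, subject) {
    // Leave every other action to the remaining rules and defaults.
    if (action.id !== NM_MODIFY_SYSTEM && action.id !== NM_MODIFY_OWN) {
        return pk.Result.NOT_HANDLED;
    }
    // Administrators keep whatever the default policy grants them.
    if (subject.isInGroup(ADMIN_GROUP)) {
        return pk.Result.NOT_HANDLED;
    }
    // Ordinary users may not touch system-wide connections, which keeps
    // the provisioned EAP-TLS profile and its key password out of reach.
    if (action.id === NM_MODIFY_SYSTEM) {
        return pk.Result.NO;
    }
    // modify.own: allow creating/editing connections restricted to the
    // calling user. Requiring a local, active session is an assumption.
    return (subject.local && subject.active) ? pk.Result.YES : pk.Result.NO;
}

pk.addRule(nmSettingsRule);
```

Under such a rule a client must mark new connections as restricted to the creating user; per the thread, GNOME Shell on RHEL 7.0 does not set the flags for that when `modify.system` is denied.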