[Pkg-utopia-maintainers] Bug#642136: network-manager: Connecting to a wifi network requires system privileges

Michael Biebl biebl at debian.org
Tue Dec 18 17:08:26 UTC 2012

tags 642136 + patch
clone 642136 -1
reassign -1 gnome-shell
severity -1 important
clone 642136 -2
reassign -2 network-manager-gnome
severity -2 important
tags -2 + patch
clone 642136 -3
reassign -3 gnome-control-center
severity -3 important

On 09.12.2012 03:16, Florian Schlichting wrote:
> Unfortunately, things are a little more complicated, as Michael was so
> kind to explain to me on IRC. I'm trying to sum up our conversation:
> - when changing the default for new connections in one client
>   (nm-applet), other clients should be changed accordingly. This means
>   at least gnome-shell (KDE may use different defaults anyway)
> - in addition to wifi connections, also VPN and mobile broadband
>   connections should be user-administrateable
> - a system-wide connection has advantages, and upstream changed the
>   default for a reason / in response to user feedback. E.g. it is not
>   unreasonable to expect to be able to ssh into a running laptop, even
>   when there's nobody logged in.


> - do not change the default for new connections (system-wide), but add a
>   polkit rule allowing members of the netdev and sudo groups to modify
>   those connections. Group sudo can do everything anyway, and netdev is
>   specifically meant for that. In addition, the user created during
>   installation is automatically added to the netdev group, so that this
>   would solve the "annoying password prompt" issue for the
>   single-user-laptop case. The polkit rule would look like this:
>     [Adding or changing system-wide NetworkManager connections]
>     Identity=unix-group:netdev;unix-group:sudo
>     Action=org.freedesktop.NetworkManager.settings.modify.system
>     ResultAny=no
>     ResultInactive=no
>     ResultActive=yes

Yeah, for simpler use-cases, especially the single-user-laptop case,
this .pkla file is sufficient and should solve the problem for most users.

This bug, #642136, will deal with that problem.

> - this leaves open multi-user machines, where ordinary users should be
>   able to e.g. add their home wifi, without being given the additional
>   privileges that come with group membership (e.g., seeing the other
>   guy's home wifi password). Think managed laptop repeatedly borrowed to
>   students. Here, the system administrator could install a
>   gsettings-override (provided in examples) that would make user-private
>   connections the default. The gsetting would have to be added, as well
>   as code to check it and switch to user-private when configured.
> - personally, I'd prefer if things would "just work", that is: a
>   user-private connection is created automatically if the user is not
>   entitled to create a system-wide one, without the need to find out
>   about a gsetting and install the override. Unfortunately, it is
>   unclear if there is a way to query polkit whether the user would need
>   to be asked for a password in order to execute an action with the
>   NetworkManager.settings.modify.system privilege, without actually
>   doing so.

Joss found a way to do just that, i.e. query polkit and automatically
fall back to user settings if
org.freedesktop.NetworkManager.settings.modify.system would require an
admin password prompt. I think this is the ideal solution, so I'd like
to go with that, especially since Joss already has prepared a patch for
nm-applet [1]. Thanks a lot Joss!

Other NM clients which need to be updated accordingly are gnome-shell
and gnome-control-center, which both allow to setup NM connections. So
I'm cloning and re-assigning this bug accordingly.


[1] http://malsain.org/~joss/debian/
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20121218/d06ba5ea/attachment.pgp>

More information about the pkg-gnome-maintainers mailing list