Bug#891599: gdm3: Greeter doesn't allow control of network-manager connections even when member of netdev group
Matthew Gabeler-Lee
cheetah at fastcat.org
Sat Mar 24 21:38:14 UTC 2018
On Fri, 23 Mar 2018, Simon McVittie wrote:

> it would be unexpected for someone finding a machine with a
> locked GNOME session, logged in as a user with netdev privileges, to be
> able to reconfigure the network without first unlocking the session!

I could make the same argument that it is unexpected that explicitly
granting the greeter permission to activate network connections being
ignored is unexpected :)

> Other display managers don't let you perform unauthenticated privileged
> actions from their greeter-equivalent either, and that isn't generally
> considered to be a bug.

Actually I came to attempting to do this specifically because *they do*.
Ubuntu's configuration of LightDM explicitly allows controlling existing
network configurations.

> If you need to be connected to a VPN to be able to authenticate logins,
> configuring it to be saved as a system-wide connection that can be
> connected non-interactively might help. (I would not recommend this
> configuration, because inability to log in without first connecting to
> a VPN seems extremely fragile, but it's your system.)

This scenario (network auth) is exactly why I want to be able to bring
up a pre-defined network connection from the greeter. I don't think
that LDAP-based login (or the winbind variant of it) is really that
weird a thing...

Saving the VPN password is not a viable option here, both for technical
and policy reasons, nor is having it always auto-connect (that for
technical reasons).

For business/enterprise-y environments, the ability to configure
connections to be available pre-login has been a long-standing feature for
a loooong time. This was old hat even back in the mid 90s.

But history and such aside, it seems like the proper thing here would be
to actually obey the policy kit restrictions. AFAICT policy kit
supports the cases here -- don't want locked session of a user to have
network control? Require the session to be active to grant permissions.
Do want the greeter or a locked session to at least be able to turn
network connections on or off, can do that too.
--
-Matt
"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick
GPG fingerprint: 0061 15DF D282 D4A9 57CE 77C5 16AF 1460 4A3C C4E9
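
The active-session split mentioned in the message above, written out as an added example (not part of the original message, and not configuration from gdm3 or NetworkManager). It assumes a polkit version that reads local-authority `.pkla` files and that the greeter runs as Debian's `Debian-gdm` account; the file name is hypothetical.

```ini
# Constructed example. Hypothetical file name (assumption):
#   /etc/polkit-1/localauthority/50-local.d/greeter-network.pkla
#
# ResultActive   applies to subjects in an active local session
# ResultInactive applies to subjects in an inactive local session
# ResultAny      applies to every other subject
#
# network-control only covers activating and deactivating connections.
# Editing system-wide connections is a separate action
# (org.freedesktop.NetworkManager.settings.modify.system) and is not
# granted here.

[Greeter may bring existing connections up or down while it is the active session]
Identity=unix-user:Debian-gdm
Action=org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes

[netdev members may control connections only from an active session]
Identity=unix-group:netdev
Action=org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes
```

Setting `ResultInactive=yes` or `ResultAny=yes` in either entry is the permissive variant, which extends the grant to subjects outside an active local session.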