On 2020-07-01 18:34, Tom H wrote:
On Wed, Jul 1, 2020 at 7:40 AM Ed Greshko <ed.greshko(a)greshko.com> wrote:
> On 2020-07-01 13:32, Tom H wrote:
>> On my laptop, the value's "--", which is the default and which means
>> that root and the polkit admin group (wheel) can control the
>> connection.
> Are you sure about that?
>
> connection.autoconnect: yes
> connection.permissions: --
>
> [maria@f32k ~]$ nmcli connection down enp1s0
> Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
>
> [maria@f32k ~]$ nmcli connection up enp1s0
> Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6).
>
> [egreshko@f32k ~]$ grep maria /etc/group
> maria:x:1027:
You may be right, but I have no idea given the output of "pkaction" :(
Well, since I demonstrated it works I think it is more "right" than "may be". :-)
But, see below....
Admin group:
$ cat /etc/polkit-1/rules.d/50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});
NM rule:
$ pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.settings.modify.system:
description: Modify network connections for all users
message: System policy prevents modification of network settings for all users
I think the key word is "modification"....
[maria@f32k ~]$ nmcli connection edit enp1s0
===| nmcli interactive connection editor |===
Editing existing '802-3-ethernet' connection: 'enp1s0'
Type 'help' or '?' for available commands.
Type 'print' to show all the connection properties.
Type 'describe [<setting>.<prop>]' for detailed property description.
You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
nmcli> set connection.zone public
nmcli> save
Error: Failed to save 'enp1s0' (1c1a4060-823b-34bd-b469-177914d93b15) connection: Insufficient privileges
But I can do....
[egreshko@f32k ~]$ sudo nmcli connection edit enp1s0
===| nmcli interactive connection editor |===
Editing existing '802-3-ethernet' connection: 'enp1s0'
Type 'help' or '?' for available commands.
Type 'print' to show all the connection properties.
Type 'describe [<setting>.<prop>]' for detailed property description.
You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
nmcli> set connection.zone public
nmcli> save
Connection 'enp1s0' (1c1a4060-823b-34bd-b469-177914d93b15) successfully updated.
--
The key to getting good answers is to ask good questions.
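
A polkit rule that decides both NetworkManager actions explicitly, so that a non-wheel user such as maria is asked for an admin's credentials before bringing a connection up or down as well as before saving changes. This is an added example, not code from the thread or from polkit or NetworkManager; the rule file name, the policy itself and the `org.freedesktop.NetworkManager.network-control` action id (not shown in the thread) are assumptions, and the shim and `sampleSubject` exist only so the function can be run outside polkitd.

```javascript
// Added example. Hypothetical file: /etc/polkit-1/rules.d/49-nm-wheel.rules
// Shim so the rule can be exercised under Node; polkitd supplies `polkit` itself.
if (typeof polkit === "undefined") {
    globalThis.polkit = {
        Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
                  AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
        rules: [],
        addRule: function (fn) { this.rules.push(fn); },
        log: function (msg) {}
    };
}

// The first id is quoted in the thread. The second is assumed here to be the
// action NetworkManager checks for activating and deactivating connections.
var NM_MODIFY = "org.freedesktop.NetworkManager.settings.modify.system";
var NM_CONTROL = "org.freedesktop.NetworkManager.network-control";

function nmWheelRule(action, subject) {
    if (action.id !== NM_MODIFY && action.id !== NM_CONTROL) {
        return polkit.Result.NOT_HANDLED;   // leave every other action alone
    }
    // Members of wheel (the admin group in 50-default.rules) on a local,
    // active session: up/down without a prompt, profile changes with one.
    if (subject.local && subject.active && subject.isInGroup("wheel")) {
        return action.id === NM_CONTROL ? polkit.Result.YES
                                        : polkit.Result.AUTH_ADMIN_KEEP;
    }
    // Everyone else, including remote or inactive sessions, must
    // authenticate as an admin for either action.
    polkit.log("NM action " + action.id + " requested by " + subject.user);
    return polkit.Result.AUTH_ADMIN;
}
polkit.addRule(nmWheelRule);

// Constructed stand-in for polkit's Subject object, for testing only.
function sampleSubject(user, groups, local, active) {
    return { user: user, local: local, active: active,
             isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
```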