Fedora Core 4 Test Update: NetworkManager-0.5.1-1.FC4.1

Peter Jones pjones at redhat.com
Mon Jan 9 18:23:49 UTC 2006


On Mon, 2006-01-09 at 16:16 +0000, David Woodhouse wrote:
> On Wed, 2006-01-04 at 13:25 -0500, Dan Williams wrote:
> > Debatable.  I may be authorized to connect to certain networks, and
> > you're not.  So the network & authorization information is specific to
> > my user, and shouldn't be available to yours.  
> 
> That doesn't really make much sense in the Linux world -- if the network
> is configured and running then all users on the machine _have_ got
> access to it. I think there are some iptables hacks around to
> attempt to limit network access to certain users, but we don't ship
> them, do we? We certainly don't attempt to use them.

We do implement that concept (though not that method) if you consider
Xen, don't we?

That may not make sense for WEP right now, but I can certainly see a
world where Xen guests know different WEP keys than other guests, and are
on a different network, whether that's supported in software only or
just hardware.  It wouldn't be very hard to add that into the current
ieee80211 stack, and I suspect it wouldn't be hard to do in similar
software implementations.

Obviously, this doesn't have direct immediate repercussions on NM, but
it is important to keep in mind that such a scenario is possible,
whether or not we intend to support it right now.

> For Windows, perhaps it's different -- one really can consider a Windows
> box to be a single-user machine, and it might actually make sense to
> consider network connections to be a per-user thing. Even VPNs might
> make some sense in the Windows world, but this isn't Windows.

VPNs make plenty of sense in Linux.  Let's not characterize the entire
world's usage based on *your* requirements, or those of any single
individual.

> > This is the same situation as 802.1x certificates for authentication. 
> > You shouldn't use my certificate to authenticate to the access
> > server.  Same for WEP keys.
> 
> It isn't 'my' WEP key. It is the system's WEP key. You are trying to
> impose a policy which doesn't make any sense in this environment.

It doesn't make sense, but why not?  I think it's because our code
doesn't do it, not because the idea is totally off base.  I think a WEP
key can conceptually make sense as either per-host or per-user, but our
network stack doesn't really support but one of those.

> Network data being stored system wide is by far the more common
> arrangement

*That* I'll agree with.

-- 
  Peter



