On Wed, Jul 1, 2020 at 12:49 PM Ed Greshko <ed.greshko@xxxxxxxxxxx>
wrote:
> On 2020-07-01 18:34, Tom H wrote:
>> On Wed, Jul 1, 2020 at 7:40 AM Ed Greshko <ed.greshko@xxxxxxxxxxx>
>> wrote:
>>> On 2020-07-01 13:32, Tom H wrote:
>>>> On my laptop, the value's "--", which is the default and which
>>>> means that root and the polkit admin group (wheel) can control
>>>> the connection.
>>>
>>> Are you sure about that?
>>>
>>> connection.autoconnect: yes
>>> connection.permissions: --
>>>
>>> [maria@f32k ~]$ nmcli connection down enp1s0
>>> Connection 'enp1s0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
>>>
>>> [maria@f32k ~]$ nmcli connection up enp1s0
>>> Connection successfully activated (D-Bus active path:
>>> /org/freedesktop/NetworkManager/ActiveConnection/6).
>>>
>>> [egreshko@f32k ~]$ grep maria /etc/group
>>> maria:x:1027:
>>
>> You may be right, but I have no idea given the output of "pkaction"
>> :(
>
> Well, since I demonstrated it works I think it is more "right" than
> "may be". :-)
LOL. The "may be" was a mis-expression of my surprise.
>> Admin group:
>>
>> $ cat /etc/polkit-1/rules.d/50-default.rules
>> /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
>>
>> // DO NOT EDIT THIS FILE, it will be overwritten on update
>> //
>> // Default rules for polkit
>> //
>> // See the polkit(8) man page for more information
>> // about configuring polkit.
>>
>> polkit.addAdminRule(function(action, subject) {
>> return ["unix-group:wheel"];
>> });
>>
>> NM rule:
>>
>> $ pkaction --verbose --action-id
>> org.freedesktop.NetworkManager.settings.modify.system
>> org.freedesktop.NetworkManager.settings.modify.system:
>> description: Modify network connections for all users
>> message: System policy prevents modification of network
>> settings for all users
>
> I think the key word is "modification"....
OK. Thanks. So I was looking at the wrong rule :(
> [maria@f32k ~]$ nmcli connection edit enp1s0
>
> ===| nmcli interactive connection editor |===
>
> Editing existing '802-3-ethernet' connection: 'enp1s0'
>
> Type 'help' or '?' for available commands.
> Type 'print' to show all the connection properties.
> Type 'describe [<setting>.<prop>]' for detailed property description.
>
> You may edit the following settings: connection, 802-3-ethernet
> (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
> nmcli> set connection.zone public
> nmcli> save
> Error: Failed to save 'enp1s0' (1c1a4060-823b-34bd-b469-177914d93b15)
> connection: Insufficient privileges
>
> But I can do....
>
> [egreshko@f32k ~]$ sudo nmcli connection edit enp1s0
>
> ===| nmcli interactive connection editor |===
>
> Editing existing '802-3-ethernet' connection: 'enp1s0'
>
> Type 'help' or '?' for available commands.
> Type 'print' to show all the connection properties.
> Type 'describe [<setting>.<prop>]' for detailed property description.
>
> You may edit the following settings: connection, 802-3-ethernet
> (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
> nmcli> set connection.zone public
> nmcli> save
> Connection 'enp1s0' (1c1a4060-823b-34bd-b469-177914d93b15)
> successfully updated.
OK. Thanks. Let's hope that this is the right rule:
$ pkaction --verbose --action-id
org.freedesktop.NetworkManager.enable-disable-network
org.freedesktop.NetworkManager.enable-disable-network:
description: Enable or disable system networking
message: System policy prevents enabling or disabling
system networking
vendor: NetworkManager
vendor_url: http://www.gnome.org/projects/NetworkManager
icon: nm-icon
implicit any: no
implicit inactive: no
implicit active: yes
Any user at the active console can enable or disable a connection. So
why is the OP looking for a way to allow certain users to do so?
My "pkaction" output's from rawhide. Perhaps Fedora 32 has different
permissions.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
