Re: prevent users from fiddling with network?




________________________________________
From: CentOS <centos-bounces@xxxxxxxxxx> on behalf of Valeri Galtsev <galtsev@xxxxxxxxxxxxxxxxx>
Sent: Thursday, September 21, 2017 9:10 AM
To: centos@xxxxxxxxxx
Subject:  prevent users from fiddling with network?

Dear Experts,

"this is system from the hell!"

That was my first reaction when I realized that logged in with GUI (X11)
user can turn off (and on) network interfaces. Without being in sudoers
file. Wow, this is scary to see on workstations I manage centrally. Even
though I did consider local user to be able to execute the command
"shutdown" (which distinguished RedHat and CentOS from other Linux
flavors: after all local user can yank power cord off the wall).

Sorry about my little rant above. Could someone point me into right
direction as to how do I disable the ability of (local, logged in through
X11) users to fiddle with network interfaces. Even worse, they can create
new profile and define for interfaces to behave differently... In the past
I could just add

USERCTL="no"

into interface ifcfg-... file inside /etc/sysconfig/network-scripts which
doesn't seem to have any effect on latest CentOS 7. What is my pilot error
here? (Ignorant in new shiny extremely MS Windows like for _ignorant_
person - me - system).


Thanks a lot for all your help!

Valeri


Didn't see any more ideas in this thread.

The way I solved this was to use policykit.

Created the file  /etc/polkit-1/rules.d/20-networkmanager.rules with the following content

/* require authentication to modify network settings */
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager." ) == 0 ) {
        return polkit.Result.AUTH_ADMIN;
    }
});

That will require someone with admin privileges to authenticate for NetworkManager 
actions to succeed.


regards,

Thomas     
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
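
Added example, not part of the message above: a small Node.js harness that loads the posted rule against a stubbed `polkit` object and evaluates it for constructed action ids and subjects, showing what the prefix test matches and that the rule does not look at who is asking. The stub, `evaluate`, `report`, the two subjects and the `NetworkManagerExtra` id are assumptions made for the illustration.

```javascript
// Constructed stand-in for the two members of the `polkit` object that the
// rule uses. This is not polkitd; it only lets the rule run offline.
const rules = [];
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
  addRule(fn) { rules.push(fn); },
};

/* The rule from the message above, unchanged. */
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
        return polkit.Result.AUTH_ADMIN;
    }
});

// polkit calls rule functions in order until one returns a value; if none
// does, the defaults declared for the action apply (modelled here as null).
function evaluate(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return null;
}

// Constructed subjects: an ordinary desktop user and a member of wheel.
const user = { user: "alice", groups: ["users"], local: true, active: true };
const admin = { user: "bob", groups: ["wheel"], local: true, active: true };

// Evaluate a few action ids for both subjects and return the decisions.
function report() {
  const ids = [
    "org.freedesktop.NetworkManager.network-control",
    "org.freedesktop.NetworkManager.settings.modify.system",
    "org.freedesktop.NetworkManagerExtra.thing", // hypothetical id: no dot after the prefix
    "org.freedesktop.login1.power-off",          // unrelated action, rule stays silent
  ];
  return ids.map((id) => [id, evaluate(id, user), evaluate(id, admin)]);
}

for (const [id, u, a] of report()) {
  console.log(id.padEnd(56), "user:", u, " admin:", a);
}
```

Both subjects get `auth_admin` for every id under the NetworkManager prefix, and the rule returns nothing for the other two ids, so those fall through to later rules or the action's defaults.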


