Locking down specific nmcli actions

dacarab

Going through Lab 35.1, it occurred to me that on my system at least (CentOS 7), the ability to take down an interface etc. is not restricted in any way - i.e. any normal user is able to take a network connection down, etc.

From what I can tell, creating a rule using polkit would be the way to go to modify this behaviour. Before I potentially jump down a rabbit hole, I was wondering if anyone had come across a better\simpler way of doing this?

Cheers

coop

I've never seen such behaviour on CentOS 7 as far as Ethernet connections go. For wireless it is likely it is set up so that when you go into a cafe and want to hook up to the free wifi you don't need to be root.

It may be possible to configure a system this way but if you try to run a command to bring down a wired interface you should see something like:

    c8:/tmp>ifconfig eno1 down
    SIOCSIFFLAGS: Operation not permitted

dacarab

I was only seeing this behaviour directly on the console, i.e. ttyx when running nmcli con down eth0 - over ssh I was getting a 'deactivation failed' message as you'd expect. I'm running a minimal install of Centos 7, so maybe that doesn't have the same set of rules as a server install would.

I played around with it last night and managed to cobble together a polkit rule that disabled a normal user from doing this on tty, that seems to have worked ok.

Cheers

luisviveropena

Hi @dacarab ,

I have a complete CentOS 7 18 desktop, and I also was able to disable an interface using "nmcli" as a non-privileged user. I haven't noticed this before. But now that I think about this, I think it's normal, as any user can disable and enable again an interface from the Network Manager configuration tool (you can do that on Settings in the GUI).

Many regards,
Luis.