GNOME Bugzilla – Bug 682406
ifupdown: exports connections to the users, even if /etc/network/interfaces is not readable by that user
Last modified: 2020-11-12 14:28:01 UTC
Hi. (This is originally from #681668.) The ifupdown plugins exports connections from /etc/network/interfaces (in managed mode). So the user can enable/disable them, when he is e.g. determined to be locally logged on (e.g. using console-kit). Per default, /etc/network/interfaces is world-readable, so the usual way to determine whether a user should be allowed to use connections seems enough. But it's also possible that /etc/network/interfaces contains credentials (VPN keys or WPA keys for example) and that it is deliberately not readable by all users or even just by root. Now even if NM doesn't show the normal users these credentials, it may be undesired, that the user is allowed to even connect. Consider that this is a VPN and allows access to otherwise unsecured resources. Therefore I suggest that we think about, whether additional conditions need to be met, for a user to actually use connections exported via /etc/network/interfaces. I propose the following: A user should be allowed to use the connections from /etc/network/interfaces if he can read /etc/network/interfaces, either by normal POSIX file permissions modes or by ACLs. Cheers, Chris.
NM bugzilla reorganization... sorry for the bug spam.
bugzilla.gnome.org is being shut down in favor of a GitLab instance. We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time. If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/ Thank you for creating this report and we are sorry it could not be implemented (workforce and time is unfortunately limited).