Bug 770611 - "ethernet.cloned-mac-address" should default to "preserve"
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: general
Version: 1.4.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: NetworkManager maintainer(s)
Reported: 2016-08-30 20:11 UTC by Daniel Kahn Gillmor
Modified: 2016-09-12 12:05 UTC
Attachments
device: change default value for cloned-mac-address to "preserve" (bgo#770611) (7.35 KB, patch)
2016-09-01 16:07 UTC, Thomas Haller

Description Daniel Kahn Gillmor 2016-08-30 20:11:40 UTC
Over in #708820, there were several bugs that got fixed. Thanks for that!

But the discussion tailed off over the default setting of ethernet.cloned-mac-address.  It is currently "persistent", but it should really be (and used to be a couple versions ago) "preserve".

Please change the default back to "preserve" so that lower-level (earlier userspace) randomizations aren't overridden by default.

Users should not need to modify two different places on a system with both udev and nm in order to ensure that their hardware address is randomized as early as possible.

I've broken this out separately from #708820 so that it has its own distinct discussion.

Thanks for all your work on network-manager!
Comment 1 Thomas Haller 2016-08-30 20:40:37 UTC
The patch itself is trivial:
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/devices/nm-device.c?id=ee6a4039c8c49d795051b75cc5e148d463ff561a#n11705


I tend to agree with this change of the default value. It indeed makes more sense, although it changes the behavior of the last two years. I suspect that few users actually rely on this behavior (because for a user who doesn't care and doesn't take special action, the MAC address is already the permanent one).

Of course, that default-value is already now configurable in NetworkManager.conf by having:

[connection-mac-addr-preserve]
ethernet.cloned-mac-address=preserve
wifi.cloned-mac-address=preserve

in a file like /etc/NetworkManager/conf.d/20-mac-addr-preserve.conf.

-- distributions and packages should install such snippets in /usr/lib/NM/conf.d instead.

+1 this change.
Comment 2 Daniel Kahn Gillmor 2016-08-30 20:59:02 UTC
Thanks for the quick followup, Thomas.

I'm not sure which approach you're +1'ing -- the change on line 11705 of nm-device.c, or encouraging distros to ship /etc/NetworkManager/conf.d/20-mac-addr-preserve.conf by default?

It seems simplest to just change nm-device.c:11705 and let any distro that really wants "permanent" (not "persistent", as I wrote earlier, sorry) add their own separate nm config snippet.
Comment 3 Thomas Haller 2016-08-30 21:27:00 UTC
+1 for changing the upstream default-value of last resort in nm-device.c :)
Comment 4 Thomas Haller 2016-09-01 16:07:07 UTC
Created attachment 334608
device: change default value for cloned-mac-address to "preserve" (bgo#770611)

Long ago before commit 1b49f94, NetworkManager did not touch the
MAC address at all. Since 0.8.2 NetworkManager would modify the
MAC address, and eventually it would reset the permanent MAC address
of the device.

This prevents a user from externally setting the MAC address via tools
like macchanger and relying on NetworkManager not to reset it to the
permanent MAC address. This is considered a security regression in
bgo#708820.

This only changed with commit 9a354cd and 1.4.0. Since then it is possible
to configure "cloned-mac-address=preserve", which instead uses the "initial"
MAC address when the device activates.
This also changed that the "initial" MAC address is the address that was
externally configured on the device as last. In other words, the
"initial" MAC address is picked up from external changes, unless it
was NetworkManager itself who configured the address when activating a
connection.

However, in absence of an explicit configuration the default for
"cloned-mac-address" is still "permanent". Meaning, the user has to
explicitly configure that NetworkManager should not touch the MAC address.
It makes sense to change the upstream default to "preserve". Although this
is a change in behavior since 0.8.2 it seems a better default.

This change has the drastic effect that all the existing connections
out there with "cloned-mac-address=$(nil)" change behavior after upgrade.
I think most users won't notice, because their devices have the permanent
address set by default anyway. I would think that there are few users
who intentionally configured "cloned-mac-address=" to have NetworkManager
restore the permanent address.
Comment 5 intrigeri 2016-09-01 22:15:45 UTC
With this change, the concern we raised by opening https://bugzilla.gnome.org/show_bug.cgi?id=708820 will be fully addressed :) Thanks a lot, Daniel and Thomas!
Comment 6 Thomas Haller 2016-09-12 12:05:14 UTC
Merged to master: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=fae5ecec5a4d9987a1915441602cb78275a9f490

Not merged to nm-1-4 branch, as we change the behavior with 1.6.0 and not on the next minor 1.4.x release.
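
Added example, not part of the bug thread or of NetworkManager's code: a Python audit that works out which "cloned-mac-address" default applies from configuration snippets like the one in comment 1, falling back to the built-in default discussed in this bug ("permanent" before 1.6.0, "preserve" from 1.6.0 on). The section precedence used (later files first, plain [connection] last), the skipping of match-device sections, the sample file contents and all function names are assumptions of this example.

```python
import configparser

def last_resort(nm_version):
    # Per the bug thread: "permanent" up to 1.4.x, "preserve" from 1.6.0 on.
    return "preserve" if tuple(nm_version) >= (1, 6) else "permanent"

def effective_default(files, key, nm_version):
    """files: [(path, text)] in the order NetworkManager reads them.
    Returns (value, origin) for a connection default such as
    "ethernet.cloned-mac-address"."""
    candidates = []
    for idx, (path, text) in enumerate(files):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text, source=path)
        for pos, sec in enumerate(cp.sections()):
            if not sec.startswith("connection"):
                continue
            if cp.has_option(sec, "match-device"):
                continue  # simplification: per-device sections are skipped
            if cp.has_option(sec, key):
                # Assumed precedence: plain [connection] last, later files
                # before earlier ones, then top to bottom within a file.
                rank = (sec == "connection", -idx, pos)
                candidates.append((rank, cp.get(sec, key), f"{path} [{sec}]"))
    if not candidates:
        return last_resort(nm_version), "built-in default"
    _, value, origin = min(candidates)
    return value, origin

def overrides_external_mac(value):
    # Only "preserve" keeps an address set earlier by udev or macchanger.
    return value != "preserve"

# Constructed sample snippets, not taken from a real system.
SAMPLE = [
    ("/usr/lib/NetworkManager/conf.d/10-distro.conf",
     "[connection]\nethernet.cloned-mac-address=permanent\n"),
    ("/etc/NetworkManager/conf.d/20-mac-addr-preserve.conf",
     "[connection-mac-addr-preserve]\n"
     "ethernet.cloned-mac-address=preserve\n"
     "wifi.cloned-mac-address=preserve\n"),
]

if __name__ == "__main__":
    for key in ("ethernet.cloned-mac-address", "wifi.cloned-mac-address"):
        for ver in ((1, 4), (1, 6)):
            value, origin = effective_default(SAMPLE[:1], key, ver)
            print(key, ver, value, origin, overrides_external_mac(value))
```

With only the first sample file present, the wifi default is unset in configuration, so the result depends on the NetworkManager version: the address set by an earlier tool is replaced on 1.4.x and kept from 1.6.0 on.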