[ffe] allow option to create user connections by default

Bug #1116317 reported by Jonathan Davies on 2013-02-05
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
NetworkManager | Confirmed | Medium | |
network-manager-applet (Ubuntu) | | Medium | Mathieu Trudel-Lapierre |
Precise | | High | Mathieu Trudel-Lapierre |
Quantal | | Medium | Mathieu Trudel-Lapierre |
Raring | | Medium | Mathieu Trudel-Lapierre |
Saucy | | Medium | Mathieu Trudel-Lapierre |
Trusty | | Medium | Mathieu Trudel-Lapierre |

Bug Description

NetworkManager needs a setting that makes it create new connections as user connections by default.

org.freedesktop.NetworkManager.settings.modify.system can be used to allow access, however, you don't always want to have users edit system connections.

[Impact]
Before 12.04, new connections in NetworkManager were user-connections. Organisations could use this to lock down certain connections to system connections.

Today, non-admin users are shown a "Please enter root password" prompt when trying to connect to an unknown (wireless) network, which is undesirable as these users may not know the root password.

A workaround is to grant the users 'org.freedesktop.NetworkManager.settings.modify.system' access, however this may be desirable as corporate networks may be defined in system-connections that administrators may not want users to change.

[Test Case]

 * Today: Connect to a new wireless network as a non-admin user, see that a password dialog is displayed.

 * With patch, set a PolicyKit rule of:

"""
[Adding or changing system-wide NetworkManager connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultActive=no

[Adding or changing user-owned NetworkManager connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.own
ResultActive=yes
"""

...connect to a new wireless network as a non-admin user and see in /etc/NetworkManager/system-connections that a user-connection instead of system one has been defined, no root password should be requested either.

[Regression Potential]
None, as we do not touch the default configuration for 12.04 LTS.

Jonathan Davies (jpds) on 2013-02-05
Changed in network-manager (Ubuntu):
importance: Undecided → Wishlist
affects: network-manager (Ubuntu) → network-manager-applet (Ubuntu)
Changed in network-manager:
importance: Unknown → Medium
status: Unknown → Confirmed
Ritesh Khadgaray (khadgaray) wrote :

The patch from the attached gnome bz helps. Customer is looking for an option "org.gnome.networkmanager-applet.default-user-connection".

-- ritz

Can you please do the necessary "paperwork" to propose this as SRU? I'll take care of applying the patches.

You can follow the steps at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure for how to update the bug for SRU.

Changed in network-manager-applet (Ubuntu):
status: New → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Quantal):
status: New → Triaged
Changed in network-manager-applet (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Wishlist
Changed in network-manager-applet (Ubuntu Quantal):
importance: Undecided → Wishlist
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)

nma-sru-03 tag, so I can circle back and catch the bugs I'm marking as SRU candidates...

tags: added: nma-sru-03
Jonathan Davies (jpds) on 2013-03-13
description: updated
Martin Pitt (pitti) wrote :

Unsubscribing sponsors. This needs fixing in raring first.

Chris J Arges (arges) on 2013-04-12
Changed in network-manager-applet (Ubuntu Precise):
importance: Wishlist → Medium
Changed in network-manager-applet (Ubuntu Raring):
importance: Wishlist → Medium
Changed in network-manager-applet (Ubuntu Quantal):
importance: Wishlist → Medium
Chris J Arges (arges) on 2013-04-12
tags: added: cts-client-review
Chris J Arges (arges) on 2013-04-12
Changed in network-manager-applet (Ubuntu Precise):
importance: Medium → High
summary: - Needs option to create user connections by default
+ [ffe] allow option to create user connections by default
Ritesh Khadgaray (khadgaray) wrote :

This allows a user to create a user connection by default, if he/she does not have admin (sudo) privileges

-- testing

* Create the below policy file

root@x230:/var/lib/polkit-1/localauthority# cat 90-mandatory.d/nm.pkla
[Adding or changing system-wide NetworkManager connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultActive=no

[Adding or changing user-owned NetworkManager connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.own
ResultActive=yes

* Try connecting to a secure network (w/ password). Connection would fail

** (nm-applet:24829): WARNING **: Failed to add/activate connection: (32) Insufficient privileges.

With the patched pkg, this would work fine.

These do not break any existing functionality, from what I could see.
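
An audit check for the PolicyKit rule used in the test case and in the comment above, added here as an example (it is not code from the bug report or from NetworkManager). It parses .pkla text and confirms that modify.system is denied while modify.own stays allowed; the function names and the user "alice" are hypothetical, and only unix-user identities and ResultActive are evaluated.

```python
import configparser
from fnmatch import fnmatchcase

SYSTEM = "org.freedesktop.NetworkManager.settings.modify.system"
OWN = "org.freedesktop.NetworkManager.settings.modify.own"

# Constructed sample input: the two rules quoted in this report.
SAMPLE_PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultActive=no

[Adding or changing user-owned NetworkManager connections]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.own
ResultActive=yes
"""

def parse_pkla(text):
    """Parse .pkla keyfile text into (identity globs, action globs, ResultActive) rules."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(text)
    split = lambda v: [p.strip() for p in v.split(";") if p.strip()]
    return [(split(s.get("Identity", "")), split(s.get("Action", "")), s.get("ResultActive"))
            for s in (cp[name] for name in cp.sections())]

def results_for(rules, user, action):
    """Set of ResultActive values from every rule matching this user and action."""
    ident = "unix-user:" + user
    return {res for ids, acts, res in rules
            if res is not None
            and any(fnmatchcase(ident, g) for g in ids)
            and any(fnmatchcase(action, g) for g in acts)}

def audit(text, user):
    """Return findings; an empty list means the lockdown from the report holds."""
    rules = parse_pkla(text)
    findings = []
    # Conservative choice of this example: every matching rule must agree, so
    # the outcome does not depend on rule ordering.
    if results_for(rules, user, SYSTEM) != {"no"}:
        findings.append("modify.system is not denied for " + user)
    # Per the thread, modify.own defaults to yes, so no matching rule is fine.
    if results_for(rules, user, OWN) - {"yes"}:
        findings.append("modify.own is restricted for " + user)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PKLA, "alice") or "lockdown rules OK")
```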

Ritesh Khadgaray (khadgaray) wrote :
Ritesh Khadgaray (khadgaray) wrote :

The proposed patches are wrong. Let's use the patches from Josselin (from the upstream bug) which have had more extensive testing...

Chris J Arges (arges) on 2013-04-18
tags: removed: cts-client-review
Chris J Arges (arges) on 2013-04-26
tags: added: cts-client-review
Adam Stokes (adam-stokes) wrote :

Ritesh,

Please get the latest patches as stated in comment #10 and get the debdiffs prepared for precise, quantal, raring, and saucy.

Thanks
Adam

Changed in network-manager:
status: Confirmed → Incomplete

This still needs a FFE though, so it can be landed in Trusty before it makes it into Precise.

Changed in network-manager-applet (Ubuntu Raring):
status: In Progress → Triaged
Changed in network-manager-applet (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Raring):
status: Triaged → Invalid
Changed in network-manager-applet (Ubuntu Trusty):
status: In Progress → New

Diff for network-manager-applet 0.9.8.8-0ubuntu2 for trusty

Iain Lane (laney) wrote :

It looks like the "modify.own" action references are no longer there, right? Could you please edit the description to say this?

Please add DEP-5 headers to the patch and help prod it along upstream if you think it's right.

Other than that, I'm minded to ack this. Please ping me when you've made these changes.

Iain Lane (laney) wrote :

I meant DEP-3 headers :-)

Iain Lane (laney) wrote :

Clarifying based on IRC conversation. modify.own: yes is the default so it's not necessary to change this if you haven't overridden the setting. That's what I was after emphasising in the description as I found it misleading.

Ack to do this if you add DEP-3 headers and watch out for bug reports. Actually, it'd be good to get this into the manual milestone tests too.

Changed in network-manager-applet (Ubuntu Trusty):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 0.9.8.8-0ubuntu3

---------------
network-manager-applet (0.9.8.8-0ubuntu3) trusty; urgency=medium

  * debian/patches/11-user-connections.patch: Allow users with access to modify
    their own connection to create wireless connections without using
    system-wide privileges. (LP: #1116317)
 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 18 Mar 2014 14:48:18 -0400

Changed in network-manager-applet (Ubuntu Trusty):
status: Triaged → Fix Released
Changed in network-manager:
status: Incomplete → Confirmed
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in network-manager-applet (Ubuntu Quantal):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in network-manager-applet (Ubuntu Saucy):
status: Triaged → Won't Fix