On Fri, 23 Mar 2018, Simon McVittie wrote:

> it would be unexpected for someone finding a machine with a
> locked GNOME session, logged in as a user with netdev privileges, to be
> able to reconfigure the network without first unlocking the session!

I could make the same argument that explicitly granting the greeter permission to activate network connections being ignored is unexpected :)

> Other display managers don't let you perform unauthenticated privileged
> actions from their greeter-equivalent either, and that isn't generally
> considered to be a bug.

Actually I came to attempting to do this specifically because *they do*. Ubuntu's configuration of LightDM explicitly allows controlling existing network configurations.

> If you need to be connected to a VPN to be able to authenticate logins,
> configuring it to be saved as a system-wide connection that can be
> connected non-interactively might help. (I would not recommend this
> configuration, because inability to log in without first connecting to
> a VPN seems extremely fragile, but it's your system.)

This scenario (network auth) is exactly why I want to be able to bring up a pre-defined network connection from the greeter. I don't think that LDAP-based login (or the winbind variant of it) is really that weird a thing...

Saving the VPN password is not a viable option here, both for technical and policy reasons, nor is having it always auto-connect (that for technical reasons).

For business/enterprise-y environments, the ability to configure connections to be available pre-login has been a long-standing feature for a loooong time. This was old hat even back in the mid 90s.

But history and such aside, it seems like the proper thing here would be to actually obey the policy kit restrictions. AFAICT policy kit supports the cases here -- don't want locked session of a user to have network control? Require the session to be active to grant permissions. Do want the greeter or a locked session to at least be able to turn network connections on or off, can do that too.

--
        -Matt
"Reality is that which, when you stop believing in it, doesn't go away".
                -- Philip K. Dick
GPG fingerprint: 0061 15DF D282 D4A9 57CE  77C5 16AF 1460 4A3C C4E9
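
The policy split described in the last paragraph of this message, written as a polkit JavaScript rule; this is an added example, not part of the original message or of any project's shipped policy. The greeter user name `gdm`, the NetworkManager action ids chosen, and the small `polkit` stub with its `makeSubject`/`decide` helpers are assumptions made so the rule can be run outside polkitd.

```javascript
// Added example in the shape of a /etc/polkit-1/rules.d/*.rules file.
// Assumptions (not from the thread): greeter user name and the action ids chosen.

// Stand-in for the object polkitd provides, so the rule runs outside polkitd.
// Drop this stub (and the helpers at the bottom) in a real rules file.
var polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); }
};

var GREETER_USER = "gdm"; // assumption; the name differs between distributions
var TOGGLE_ACTIONS = [
  "org.freedesktop.NetworkManager.network-control",
  "org.freedesktop.NetworkManager.enable-disable-network"
];
var MODIFY_PREFIX = "org.freedesktop.NetworkManager.settings.modify.";

polkit.addRule(function (action, subject) {
  var toggles = TOGGLE_ACTIONS.indexOf(action.id) !== -1;
  var modifies = action.id.indexOf(MODIFY_PREFIX) === 0;
  if (!toggles && !modifies) return polkit.Result.NOT_HANDLED;

  // Greeter: may bring pre-defined connections up or down, never edit them.
  if (subject.user === GREETER_USER) {
    return toggles ? polkit.Result.YES : polkit.Result.NO;
  }
  // netdev members: allowed only when polkit reports a local, active session;
  // otherwise fall back to administrator authentication.
  if (subject.isInGroup("netdev")) {
    return (subject.local && subject.active) ? polkit.Result.YES
                                             : polkit.Result.AUTH_ADMIN;
  }
  return polkit.Result.NOT_HANDLED;
});

// Test helpers (constructed): build a subject and evaluate the rules in order.
function makeSubject(user, groups, local, active) {
  return { user: user, local: local, active: active,
           isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
function decide(actionId, subject) {
  for (var i = 0; i < polkit.rules.length; i++) {
    var r = polkit.rules[i]({ id: actionId }, subject);
    if (r !== null && r !== undefined) return r;
  }
  return "not_handled"; // the action's built-in defaults would apply
}
```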