tags 642136 + patch
clone 642136 -1
reassign -1 gnome-shell
severity -1 important
clone 642136 -2
reassign -2 network-manager-gnome
severity -2 important
tags -2 + patch
clone 642136 -3
reassign -3 gnome-control-center
severity -3 important
thanks

On 09.12.2012 03:16, Florian Schlichting wrote:
> Unfortunately, things are a little more complicated, as Michael was so
> kind to explain to me on IRC. I'm trying to sum up our conversation:
>
> GENERAL PROBLEMS
> - when changing the default for new connections in one client
>   (nm-applet), other clients should be changed accordingly. This means
>   at least gnome-shell (KDE may use different defaults anyway)
> - in addition to wifi connections, also VPN and mobile broadband
>   connections should be user-administrateable
> - a system-wide connection has advantages, and upstream changed the
>   default for a reason / in response to user feedback. E.g. it is not
>   unreasonable to expect to be able to ssh into a running laptop, even
>   when there's nobody logged in.

..

> OPTIONS FOR A SOLUTION OF #642136
> - do not change the default for new connections (system-wide), but add a
>   polkit rule allowing members of the netdev and sudo groups to modify
>   those connections. Group sudo can do everything anyway, and netdev is
>   specifically meant for that. In addition, the user created during
>   installation is automatically added to the netdev group, so that this
>   would solve the "annoying password prompt" issue for the
>   single-user-laptop case. The polkit rule would look like this:
>
>   [Adding or changing system-wide NetworkManager connections]
>   Identity=unix-group:netdev;unix-group:sudo
>   Action=org.freedesktop.NetworkManager.settings.modify.system
>   ResultAny=no
>   ResultInactive=no
>   ResultActive=yes

Yeah, for simpler use-cases, especially the single-user-laptop case,
this .pkla file is sufficient and should solve the problem for most
users. This bug, #642136, will deal with that problem.

> - this leaves open multi-user machines, where ordinary users should be
>   able to e.g. add their home wifi, without being given the additional
>   privileges that come with group membership (e.g., seeing the other
>   guy's home wifi password). Think managed laptop repeatedly borrowed to
>   students. Here, the system administrator could install a
>   gsettings-override (provided in examples) that would make user-private
>   connections the default. The gsetting would have to be added, as well
>   as code to check it and switch to user-private when configured.
>
> - personally, I'd prefer if things would "just work", that is: a
>   user-private connection is created automatically if the user is not
>   entitled to create a system-wide one, without the need to find out
>   about a gsetting and install the override. Unfortunately, it is
>   unclear if there is a way to query polkit whether the user would need
>   to be asked for a password in order to execute an action with the
>   NetworkManager.settings.modify.system privilege, without actually
>   doing so.

Joss found a way to do just that, i.e. query polkit and automatically
fall back to user settings if
org.freedesktop.NetworkManager.settings.modify.system would require an
admin password prompt.

I think this is the ideal solution, so I'd like to go with that,
especially since Joss already has prepared a patch for nm-applet [1].
Thanks a lot Joss!

Other NM clients which need to be updated accordingly are gnome-shell
and gnome-control-center, which both allow to setup NM connections.
So I'm cloning and re-assigning this bug accordingly.

Michael

[1] http://malsain.org/~joss/debian/

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
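
An added illustration, not part of the message above or of the nm-applet patch it mentions: a simplified Python model of how the quoted .pkla rule resolves for different users and session states, and of the fallback to a user-private connection when the result is anything other than "yes". The function names, the `DEFAULT` value and the last-match-wins handling are assumptions of this sketch, not polkit's or NetworkManager's code.

```python
import configparser
import fnmatch

# Rule text exactly as quoted in the message above.
PKLA = """\
[Adding or changing system-wide NetworkManager connections]
Identity=unix-group:netdev;unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
ACTION = "org.freedesktop.NetworkManager.settings.modify.system"
DEFAULT = "auth_admin"  # assumption: result when no .pkla rule matches
KEYS = {"active": "ResultActive", "inactive": "ResultInactive", "any": "ResultAny"}


def load_rules(text):
    """Parse .pkla text into a list of dicts, one per [section]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ResultActive, not resultactive)
    cp.read_string(text)
    return [dict(cp[name]) for name in cp.sections()]


def _globs(rule, key, candidates):
    """True if any ';'-separated glob in rule[key] matches a candidate."""
    patterns = [p for p in rule.get(key, "").split(";") if p]
    return any(fnmatch.fnmatchcase(c, p) for p in patterns for c in candidates)


def decide(rules, action, user, groups, session):
    """session: 'active', 'inactive', or 'any' (no local session, e.g. ssh)."""
    ids = [f"unix-user:{user}"] + [f"unix-group:{g}" for g in groups]
    result = DEFAULT
    for rule in rules:  # simplified model: the last matching rule wins
        if _globs(rule, "Action", [action]) and _globs(rule, "Identity", ids):
            result = rule.get(KEYS[session], result)
    return result


def connection_scope(rules, user, groups, session):
    """Hypothetical client-side choice: system-wide only without a prompt."""
    allowed = decide(rules, ACTION, user, groups, session) == "yes"
    return "system" if allowed else "user-private"
```

With this rule, a netdev member gets "yes" only in an active local session; the same user over ssh, or any user outside netdev and sudo, ends up with a user-private connection.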