Ubuntu – How to set the policy for users to modify the network state and connections

network-managerpolicykit

How can I set the permissions for users to make changes to the network connections and state? For instance, how can I allow/disallow users to connect to new wireless networks? How can I allow/disallow users to turn off networking?

Best Answer

You can create a local policy for one or more users.

Create the document where the settings will live...

touch /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla

Add one or more policies...

[Let foo modify system settings for network]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes

[Do not allow foo to enable/disable networking]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.settings.enable-disable-network
ResultAny=no
ResultInactive=no
ResultActive=no

The key is the ResultActive element which can be set to yes, no, auth_admin, or auth_admin_keep where the latter two will require the password of another user with sudo privileges.

The Action element defines what action will be allowed/disallowed or require authentication with a password. There are options like org.freedesktop.NetworkManager.enable-disable-network for toggling network as enabled/disabled. You can see more options in the /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy file, just look for something like <action id="org.freedesktop.NetworkManager.enable-disable-network"> and read it's description.

You can also set all values with the * wildcard...

[Prevent foo from modifying all network states and settings except with admin password]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep

This will require a password to make ANY change to network settings or state.

You can do this in a single command that could be included in a script...

sudo su -c 'printf "[Prevent foo from modifying all network states and settings]\nIdentity=unix-user:foo\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin" >  /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla'

References:

Related Solutions

Ubuntu – How to non-admin users connect to Wi-Fi networks

Your configuration is correct, but local policy files should be placed inside /etc/polkit-1/localauthority/50-local.d/ and the file extension must be .pkla.

To solve your problem:

sudo mv /etc/polkit-1/localauthority.conf.d/52-wifi-management.conf /etc/polkit-1/localauthority/50-local.d/52-wifi-management.pkla

Ubuntu – How to make new wireless connections use a VPN by default

All of the following:

gsettings list-recursively  | grep --ignore-case vpn
gsettings list-recursively  | grep --ignore-case wifi
gsettings list-recursively  | grep --ignore-case conn

give nothing useful, so 2 possibilities left:

You do a feature-request at Canonical (24,557 reputation, 28 gold 118 silver and 248 bronze badges should carry some weight...)
I create a script that creates a script that sets it up for you... (might take a while as I'm writing an automated system backup now...)

Best Answer

Related Solutions

Ubuntu – How to non-admin users connect to Wi-Fi networks

Ubuntu – How to make new wireless connections use a VPN by default

Related Question