My current crusade is to not need plugdev for anything desktop, when you have policykit/consolekit. nm/nm-applet break that by changing at_console to plugdev. Attached are new confchanges patches for them to *add* plugdev, rather than *replacing* at_console. Tested here.
Created attachment 190078: networkmanager confchanges patch
Created attachment 190080: nm-applet confchanges patch
nm-applet-0.7.1-r1 and networkmanager-0.7.1-r2 added with fixes.
That makes me think why do we need plugdev then? I thought the idea is that ONLY plugdev group members can activate/deactivate/manage network connections and NOT everyone who's on console. On console approach is great for mobile computers, but is totally not desired for publicly available terminal PCs. We really don't want anyone who's on console to be able to mess up with network settings (students on uni, or kids at home?). Of course the person won't be able to save the settings as system default (we've got policykit guarding that), but now we allow everyone to manage network. That makes plugdev group completely unneeded. Anyway - I'm not sure if that's the best way forward. Personally I believe if you want to manage networks - add yourself to plugdev group. That's my 2 cents.
(In reply to comment #4)
> That makes me think why do we need plugdev then? I thought the idea is that
> ONLY plugdev group members can activate/deactivate/manage network connections
> and NOT everyone who's on console.
>
> On console approach is great for mobile computers, but is totally not desired
> for publicly available terminal PCs. We really don't want anyone who's on
> console to be able to mess up with network settings (students on uni, or kids
> at home?). Of course the person won't be able to save the settings as system
> default (we've got policykit guarding that), but now we allow everyone to
> manage network. That makes plugdev group completely unneeded.
>
> Anyway - I'm not sure if that's the best way forward. Personally I believe if
> you want to manage networks - add yourself to plugdev group.
>
> That's my 2 cents.

AFAIU it is done by policykit. Policykit allows much more customized granting of privileges than the existing plugdev approach. If I misunderstand it - i.e. it is granted for all - I can see that it is the wrong approach.
That's the idea. If you don't have policykit, you use plugdev; but if you *do* have policykit, you shouldn't need plugdev. I, personally, don't want plugdev at all. But I know there are people who abhor policykit, and so we should provide an alternative. Note: the policy is context="default" not at_console, so it's policykit controlled, not consolekit controlled.
(In reply to comment #6)
> That's the idea. If you don't have policykit, you use plugdev; but if you *do*
> have policykit, you shouldn't need plugdev.

That idea would work if policykit would be used for all connections in networkmanager. Unfortunately it is not. The basic idea of networkmanager is that everyone on console can control current network settings. Policykit is used _ONLY_ for system-wide (machine) settings. That's why the original patch was introduced - to change the default behaviour - so not everyone on console can control network settings, but only members of plugdev group. If you want to stick to default networkmanager's behaviour - then 1) we're losing the control the plugdev patch introduced 2) the plugdev patch isn't really needed any more.
Interesting point... I actually don't care what the ultimate policy is, as long as I don't need plugdev (since no other distro does) and I can change my network settings just by logging in (ie, at_console by default). I can look at writing up policy files that can be modified to block access; but it doesn't seem to me that NM is a good fit for anything other than single-user personal computers. What kind of policy do you think would be appropriate by default?
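
An added example, not part of the bug thread or the attached patches: a small audit that lists which D-Bus policy selectors (`at_console`, `group`, `context`) allow sending to a service, run over two constructed policy files that contrast replacing `at_console` with `plugdev` against adding `plugdev` alongside it. The service name `org.example.NetSettings` and both policy files are placeholders, not NetworkManager's actual configuration.

```python
import xml.etree.ElementTree as ET

DEST = "org.example.NetSettings"  # placeholder service name (assumption)

# Constructed sample: at_console was replaced by the plugdev group.
REPLACED = """<busconfig>
  <policy user="root"><allow own="org.example.NetSettings"/></policy>
  <policy group="plugdev"><allow send_destination="org.example.NetSettings"/></policy>
  <policy context="default"><deny send_destination="org.example.NetSettings"/></policy>
</busconfig>"""

# Constructed sample: plugdev was added next to at_console.
ADDED = """<busconfig>
  <policy user="root"><allow own="org.example.NetSettings"/></policy>
  <policy at_console="true"><allow send_destination="org.example.NetSettings"/></policy>
  <policy group="plugdev"><allow send_destination="org.example.NetSettings"/></policy>
  <policy context="default"><deny send_destination="org.example.NetSettings"/></policy>
</busconfig>"""

SELECTORS = ("context", "user", "group", "at_console")

def principals(policy_xml, destination):
    """Map each <policy> selector to the allow/deny verdict it states for
    messages sent to `destination`. This lists what the file says per block;
    it does not compute the bus daemon's effective rule precedence."""
    result = {}
    for policy in ET.fromstring(policy_xml).iter("policy"):
        selector = next((f"{k}={policy.get(k)}" for k in SELECTORS
                         if policy.get(k) is not None), "unknown")
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule.get("send_destination") == destination:
                result[selector] = rule.tag  # later rule in the same block wins
    return result

def console_access_findings(policy_xml, destination):
    """Selectors that open the service to a whole class of local users,
    which is the concern raised for shared or public terminals."""
    broad = ("at_console=true", "context=default")
    return sorted(s for s, verdict in principals(policy_xml, destination).items()
                  if verdict == "allow" and s in broad)

if __name__ == "__main__":
    for name, xml_text in (("replaced", REPLACED), ("added", ADDED)):
        print(name, principals(xml_text, DEST), console_access_findings(xml_text, DEST))
```
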