Created attachment 861108
Control meson modify_system option via new USE flag "useradmin"

The ebuild for networkmanager has for a long time had a feature to install a polkit rule to allow users in the plugdev group to manage system connections. But in the current networkmanager ebuild (and all recent ones), that polkit rule is rendered ineffective because the ebuild configures NetworkManager such that the default policy is to allow all users to modify system connections anyway. The result is that after installing NetworkManager, all users on the system can manage connections. This means unprivileged users on a server, for instance, could inadvertently (or otherwise) alter the network configuration of the server, taking it offline. It would be better if, as seemingly used to be the case with older versions of the ebuild, only users added to the plugdev group could administer system connections.

For comparison, I had previously been using netifrc on all of my Gentoo systems and just switched to NetworkManager on all of them. When using netifrc, unprivileged users cannot by default change the network configuration at all (they can't modify /etc/conf.d/net, they can't start/stop the interfaces using rc-service, they can't manually modify the kernel's configuration using "ip addr add", etc.). But once someone switches from netifrc to NetworkManager, with the current policy that gets installed, suddenly all users can change any of the network configuration (start/stop interfaces, add/remove/change addresses, etc.). Fixing the policy installed with NetworkManager would make it more consistent security-wise with netifrc.

The issue seems to have arisen in the ebuild when it was updated to use meson infrastructure. When the switch happened, the "-Dmodify_system=true" meson argument was added. This changes the NetworkManager policy from its upstream default (where the modify_system option defaults to false).
That meson option should either be left at its default, or could also be controlled by a USE flag. I'm attaching an example patch that I've used to control the option with a new USE flag. In this patch, I've defaulted the USE flag "on" to match current ebuild behavior, but for security it might be better if the flag defaulted "off" and Gentoo users who really want unprivileged system users to also be able to tinker with network settings should have to manually enable it.

GCO sign-off for the attached patch:
Signed-off-by: Dan Moulding <dan@danm.net>
I forgot to add the following:

Observed behavior: adding/removing users from the plugdev group has no effect on permission to modify connections using NetworkManager.

Expected behavior: users not in the plugdev group should not have permission to modify system connections via NetworkManager, and adding a user to the plugdev group should grant such permission.
The plugdev group was originally meant as a way to manage permissions on device nodes in /dev. It was primarily used by udev when consolekit was disabled. It is pretty much obsolete these days. The modern approach taken by udev and logind is to grant access to anyone who logs in locally. The polkit policy installed with modify_system=true mimics this udev / systemd behavior by allowing any user logged in to a local console to modify the system network config. I don't think it makes sense to promote continued use of the "plugdev" group.
(In reply to Mike Gilbert from comment #2)

> I don't think it makes sense to promote continued use of the "plugdev" group.

That's fair. I was misled by the presence of the rule still installed by the ebuild, and by mention of the plugdev group's use for this purpose in the wiki. If plugdev is outdated, then it makes sense to leave it out. Then the bug with the ebuild is that it still installs that rule to grant permission to plugdev users and still depends on acct-group/plugdev.

> The polkit policy installed with modify_system=true mimics this udev /
> systemd behavior by allowing any user logged in to a local console to modify
> the system network config.

I can see that for a lot of use cases it makes sense to allow a console user to have permission to do just about anything. But it does also seem like there are plenty of use cases where it doesn't always make sense (say, computers in a library or a school computer lab). It seems to me that currently a Gentoo user with a use case that needs tighter security on the network configuration is kind of out of luck if they use NetworkManager. The polkit policy that gets installed with it makes it so that console users will always be allowed to administer the network configuration. It seems to me like that is difficult for the Gentoo user to change if that's not the behavior they want (and the outmoded plugdev group provided a simple solution to that). Having a USE flag that controls whether the policy allows all users to administer NetworkManager or not seems like it would be an easy way to satisfy the needs of a broad range of users. Maybe that is then more of an enhancement request than a bug report.
I guess one other item to consider is whether deviating from upstream default behavior is consistent with Gentoo policies/philosophy. This is a question that I don't know the answer to. The upstream default behavior of NetworkManager is to configure the policy so that polkit will prompt for the root password before allowing regular users to modify system connections, even if they're logged in on a console. The ebuild currently is overriding that default behavior.
A specific problem with allowing this is that Steam is persistent about asking to modify NetworkManager's system connections for...reasons. Steam (or any program really, but particularly closed source ones) should not have access to all of my network credentials by default, without a password prompt that I can decline. Please consider having this flag off by default for security. https://github.com/ValveSoftware/steam-for-linux/issues/7856
Any thoughts on the USE flag that Dan suggests? It would be great if this could be added, so that this behaviour can be changed without resorting to /etc/portage/patches. Active users are given access automatically, but it's precisely those users that I am concerned about. Regarding plugdev, I see there is a netdev group; I'm not sure what Gentoo is using it for, but perhaps this could be used instead in the polkit rule?
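The point raised in comments #3 and #7 (a site that wants console users to be prompted, and a group such as netdev gating the action) can be handled by a local polkit rule regardless of how the ebuild set modify_system: rules files in /etc/polkit-1/rules.d are plain JavaScript, and a rule that returns a result takes precedence over the implicit defaults in the .policy file that the meson option generates. The block below is an added example, not a file from the Gentoo ebuild or from NetworkManager. The action ID org.freedesktop.NetworkManager.settings.modify.system is NetworkManager's real action; the group name "netdev", the file name 10-networkmanager-netdev.rules, and the small `polkit` stand-in object (used only so the rule can be evaluated offline) are assumptions of this example.

```javascript
"use strict";

// Added example (not Gentoo's or NetworkManager's own code): a polkit rule that
// restricts NetworkManager's system-connection modification to one admin group,
// plus a constructed stand-in for polkitd's JavaScript API so the rule can be
// evaluated here without a running polkitd. Only the polkit.addRule(...) call
// belongs in the real rules file (assumed name: /etc/polkit-1/rules.d/10-networkmanager-netdev.rules).

const NM_MODIFY_SYSTEM = "org.freedesktop.NetworkManager.settings.modify.system";
const NET_ADMIN_GROUP = "netdev"; // assumption: the group the site admin chooses

// --- constructed harness, NOT polkit itself ---
// Mirrors the part of polkitd's behaviour the rule depends on: rules run in
// order, and the first rule that returns something other than undefined wins.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined; // nothing handled it: the .policy file's defaults apply
  },
};

// --- the rule as it would appear in the rules.d file ---
polkit.addRule(function (action, subject) {
  if (action.id !== NM_MODIFY_SYSTEM) {
    return undefined; // not our action: leave it to other rules / the .policy defaults
  }
  if (subject.local && subject.isInGroup(NET_ADMIN_GROUP)) {
    return polkit.Result.YES; // trusted local network admins: no prompt
  }
  // Everyone else, including users logged in at the local console, must
  // authenticate as an administrator. Because a rule result is final, this
  // applies even when the shipped .policy (modify_system=true) would have
  // granted <allow_active>yes</allow_active> to any active local session.
  return polkit.Result.AUTH_ADMIN_KEEP;
});

// Builds a subject with the fields polkit exposes that the rule reads.
function makeSubject({ user, groups, local = true, active = true }) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// Evaluates one action for one subject through the harness.
function decide(actionId, subject) {
  return polkit.evaluate({ id: actionId }, subject);
}

// Constructed subjects for the offline check.
const netAdmin = makeSubject({ user: "alice", groups: ["users", "netdev"] });
const desktopUser = makeSubject({ user: "bob", groups: ["users", "games"] });
const remoteAdmin = makeSubject({ user: "alice", groups: ["netdev"], local: false });

console.log("alice, local console, in netdev :", decide(NM_MODIFY_SYSTEM, netAdmin));
console.log("bob, local console, not in netdev:", decide(NM_MODIFY_SYSTEM, desktopUser));
console.log("alice over a remote session      :", decide(NM_MODIFY_SYSTEM, remoteAdmin));
console.log("unrelated action, falls through  :", decide("org.freedesktop.login1.reboot", desktopUser));
```

Two caveats when deploying the rule for real: polkitd reads the files in /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d in lexical order of file name regardless of directory, and uses the first rule that returns a result, so the file must sort before any distribution-installed rule that returns YES for this action; and AUTH_ADMIN_KEEP prompts for an administrator's credentials, where "administrator" is whatever polkit.addAdminRule defines (the wheel group on a default install). To confirm what a given account actually gets, run `nmcli general permissions` as that user, and `pkaction --verbose --action-id org.freedesktop.NetworkManager.settings.modify.system` to see the implicit defaults the .policy file shipped with.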