diff options
| author | Thomas Haller <thaller@redhat.com> | 2019-12-10 08:51:03 +0100 |
|---|---|---|
| committer | Thomas Haller <thaller@redhat.com> | 2019-12-11 11:52:05 +0100 |
| commit | 6d7446e52f5bfe379c2b1f54f9244b33fd236e32 (patch) | |
| tree | 769e891b307fa5d68c924d57379c8fadae8ce3d7 /man/NetworkManager.conf.xml | |
| parent | c21c6bc0be2a4467402bc2d8718859dedb10b676 (diff) | |
| download | NetworkManager-6d7446e52f5bfe379c2b1f54f9244b33fd236e32.tar.gz | |
core: add main.auth-polkit option "root-only"
We always build with PolicyKit support enabled, because it has no
additional dependencies, beside some D-Bus calls.
However, in NetworkManager.conf the user could configure
"main.auth-polkit" to disable PolicyKit. However, previously it would
only allow to disable PolicyKit while granting access to all users.
I think it's useful to have an option that disables PolicyKit and grants
access only to root. I think we should not go too far in implementing
our own authorization mechanisms beside PolicyKit (e.g. you cannot
disable PolicyKit and grant access based on group membership of the
user). However, disabling PolicyKit can be useful sometimes, and it's
simple to implement a "root-only" setup.
Note one change is that when NetworkManager now runs without a D-Bus
connection (in initrd), it would deny all non-root requests. Previously
it would grant access. I think there should be little difference in
practice, because if we have no D-Bus we also don't have any requests to
authenticate.
Diffstat (limited to 'man/NetworkManager.conf.xml')
| -rw-r--r-- | man/NetworkManager.conf.xml | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml index c213d342b6..6d78ab161c 100644 --- a/man/NetworkManager.conf.xml +++ b/man/NetworkManager.conf.xml @@ -158,8 +158,11 @@ plugins-=remove-me <varlistentry> <term><varname>auth-polkit</varname></term> <listitem><para>Whether the system uses PolicyKit for authorization. - If <literal>false</literal>, all requests will be allowed. If - <literal>true</literal>, non-root requests are authorized using PolicyKit. + If <literal>true</literal>, non-root requests are authorized using PolicyKit. + Requests from root (user ID zero) are always granted without asking PolicyKit. + If <literal>false</literal>, all requests will be allowed and PolicyKit is + not used. If set to <literal>root-only</literal> PolicyKit is not used and + all requests except root are denied. The default value is <literal>&NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT;</literal>. </para></listitem> </varlistentry> |