On Thu, 2009-09-10 at 14:13 +0800, Lance Wang wrote:
> Hi Dan
>
> On Fri, Sep 4, 2009 at 1:29 AM, Dan Williams <[email protected]> wrote:
> > On Tue, 2009-09-01 at 15:12 +0800, Bin Li wrote:
> > >
> >> There's only org.freedesktop.network-manager-settings.system.modify,
> >> introduce something like
> >> org.freedesktop.network-manager-settings.user.modify so NM can
> >> determine whether it should accept user settings.
> >>
> >> Also we could separate the action in more grained, such as
> >> org.freedesktop.network-manager-settings.system.modify
> >> org.freedesktop.network-manager-settings.system.add
> >> org.freedesktop.network-manager-settings.system.delete
> >
> > I thought about that, but can't see a use-case. If you can *add*
> > connections, then that's the same thing as modifying them. It makes no
> > sense to deny modify, but allow add, since the user could just add the
> > connection they wanted instead of modifying an existing one. Delete by
> > itself also doesn't make a lot of sense. I view the three permissions
> > as a unit because in reality, I can't think of cases where you'd
> > actually need to split them up.
> >
>
> But maybe we could separate the action according the type of the
> connection. For example, they may be like these
>
> org.freedesktop.network-manager-settings.system.wired.modify
> org.freedesktop.network-manager-settings.system.wireless.modify
> org.freedesktop.network-manager-settings.system.mobile.modify
> org.freedesktop.network-manager-settings.system.vpn.modify
> org.freedesktop.network-manager-settings.system.dsl.modify

That's not a bad idea, though what kind of situation would allow users
to modify Ethernet connections but not 3G or wifi ones? Just trying to
understand the use-cases here.

> .
>
> >> and the same for .user .
> >>
> >>
> >> And you may even want to specifically allow or disallow adding for
> >> specific network types like wired, wireless, VPN, etc.
> >
> > Definitely. There are now permissions in the system settings service
> > that the UI can check for, and this sort of thing would be used to allow
> > the UI to intelligently enable/disable elements.
>
> So what is the permissions do you mean in the system settings service?
> I am afraid that It is possible that go round them through dbus
> directly instead of UI.

I don't think that's possible; NetworkManager requires authorization of
the requestor, even from the command-line, before it will allow
modification of the system connection. The permissions and policy are
not just a UI thing.

> Because that you can send anything to the interface
> org.freedesktop.NetworkManagerSettings.System
> if you get authorised.

Not quite, there are a few levels of permissions here. D-Bus
permissions can restrict access on a coarse-grained level based on user,
but PolicyKit can restrict/allow access on a much finer-grained level.
NetworkManager utilizes both methods. So even if you are authorized to
send a message (via D-Bus permissions), you're not necessarily
authorized to perform the action contained in that message
(authorization would be gained by presenting the right credentials to
PolicyKit).

Dan
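
The two authorization layers described in the message above, as an added example that is not part of the original thread and is not NetworkManager, D-Bus or PolicyKit code. It is a simplified model: the class names, user names and sample policy are hypothetical, and the per-type action names follow the naming proposed in the thread rather than any shipped policy.

```python
from dataclasses import dataclass, field

SETTINGS_IFACE = "org.freedesktop.NetworkManagerSettings.System"
ACTION_PREFIX = "org.freedesktop.network-manager-settings.system"


def action_id(conn_type=None):
    """Existing '.modify' action, or the per-type form proposed in the thread."""
    middle = f".{conn_type}" if conn_type else ""
    return f"{ACTION_PREFIX}{middle}.modify"


@dataclass
class BusPolicy:
    """Coarse layer (models D-Bus permissions): who may send to an interface."""
    allowed: dict = field(default_factory=dict)  # interface -> set of users

    def may_send(self, user, iface):
        return user in self.allowed.get(iface, set())


@dataclass
class ActionAuthority:
    """Fine layer (models PolicyKit): who is authorized for a named action."""
    grants: dict = field(default_factory=dict)  # action id -> set of users

    def is_authorized(self, user, action):
        return user in self.grants.get(action, set())


def decide_modify(bus, authority, user, conn_type=None):
    """Decision for a request to modify a system connection."""
    if not bus.may_send(user, SETTINGS_IFACE):
        return "denied: bus policy"
    action = action_id(conn_type)
    # Being allowed to send the message does not authorize the action in it.
    if not authority.is_authorized(user, action):
        return f"denied: no authorization for {action}"
    return "allowed"


# Constructed sample policy (hypothetical users).
BUS = BusPolicy({SETTINGS_IFACE: {"alice", "bob"}})
AUTHORITY = ActionAuthority({action_id(): {"alice"}, action_id("wired"): {"alice"}})

if __name__ == "__main__":
    requests = [("alice", "wired"), ("alice", "vpn"), ("bob", None), ("carol", "wired")]
    for user, ctype in requests:
        print(user, ctype, "->", decide_modify(BUS, AUTHORITY, user, ctype))
```
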
