On Fri, Sep 18, 2009 at 9:28 PM, Tambet Ingo <[email protected]> wrote: > On Fri, Sep 18, 2009 at 16:10, Lance Wang <[email protected]> wrote: >> On Thu, Sep 17, 2009 at 2:11 PM, Tambet Ingo <[email protected]> wrote: >>> On Thu, Sep 17, 2009 at 06:16, Bin Li <[email protected]> wrote: >>>> To disallow users to define their own network configuration, I add a new >>>> permission, org.freedesktop.network-manager-settings.user.modify, then link >>>> to the add button, when the user have permission, he can add it, vice >>>> versa. >>>> I've met a problem, the user's connection save in the gconf, and the user >>>> can change the gconf with gconftool-2 without permission checking. >>>> So are there any method to resolve this problem? And is it okay to do like >>>> this? Any idea? >>> >>> This makes no sense. You can already lock GConf so there's no need to >>> do anything for user settings. Just lock the /system/networking path >>> in gconf and the settings can't be changed. The only thing you could >>> improve, is to make sure nm-applet and nm-connection-editor handle it >>> more gracefully, ie "gray out" the apply button etc... >>> >> >> It make no sense that "gray out" the apply button etc, I think, >
> I'm sorry if I offended you, I didn't mean to. I say it as a normal statement. I am not a native English speaker, please forgive my misusing of words some time. ;-) > >> when the /system/networking path is locked. Because if it is locked >> all buttons should be gray out. Maybe we should not show the >> nm-connection-editor, as on average if someone was not permitted to >> modify user settings, he or she would be denied to modify the system >> settings. >> >> And another aspect. I think we should leave the control in the >> NetworkManager side. As far as I know, all settings should be apply >> through NetworkManager. If we just lock gconf, people with malicious >> intent can still use modified nm-applet to apply the user settings >> they want. So I think there may be a policy action such as >> org.freedesktop.network-manager-settings.user.apply. Every time >> NetworkManager receive the request to apply the user settings, it >> should check the action. And nm-connection-editor also check the >> action to set the button status. Further more maybe we split the >> policy to org.freedesktop.network-manager-settings.user.wired.apply >> org.freedesktop.network-manager-settings.user.wireless.apply >> org.freedesktop.network-manager-settings.user.vpn.apply etc... >> >> What do you think? > > I think in situations you describe NM should not accept user > connections at all and rely only on system settings that already need > root privileges to change. I don't see why we need two duplicate > systems for controlling one thing. Maybe there are more than one thing. In my situation, in a public place like an exhibition, the computers are used by some normal user without root privileges, but the computers are controlled by the administrator. It is necessary that user can use the net connection, but can not modify it. So what is your opinion? > > Tambet > -- : Lance Wang U+738B U+4F36 U+5353 _______________________________________________ NetworkManager-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/networkmanager-list
