Hi Lubo,

On 21.11.2016 13:07, Lubomir Rintel wrote:
> On Thu, 2016-11-17 at 12:10 +0100, Claudius Heine wrote:
>> I think the main issue is, that the network device is automatically
>> set up via dhcp by tools like NetworkManager & co.
>
> That is a feature. You generally want network connectivity when you
> plug in a network adapter with a cable in it.

Yes. And a nice one ;)

>> So my question is: Is that more of a system configuration issue or
>> can NetworkManager itself do something to prevent this scenario
>> (e.g. not starting dhcpcd on new interfaces generally or only while
>> system is locked)?
>
> Yes, the feature can be turned off. Check out no-auto-default=* in
> NetworkManager.conf(5) manual. In Fedora it's sufficient to install
> NetworkManager-config-server package.
>
> However, if you don't trust your USB ports, you may want to set the
> sysfs attribute "authorized" to false by default on USB devices.
> Perhaps with a udev rule or something.

I think you could replicate this scenario with your existing ethernet
interface directly. And if the NetworkManager has a default dhcp profile
for this ethernet interface already configured, disabling the creation
of them with "no-auto-defaults" wouldn't help.

>> While reading about the poisontap hack by Samy Kamkar
>> (https://samy.pl/poisontap/), I thought about ideas to prevent that.
>
> Too much drama there. Hijacking the internet connection of a box you
> have physical access to is hardly a security issue.

Maybe not, but I guess that having a screen lock that doesn't prevent
others from manipulating the current user session that runs in the
background is at least annoying. And some kind of lockdown mode that
disables automatic configuration would be a nice feature.

Cheers,
Claudius

-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80
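
An audit of the two settings named in the message above (no-auto-default in NetworkManager.conf and the USB "authorized" default), as an added example that is not part of the original thread. Assumptions: the configuration paths are those listed in NetworkManager.conf(5), and the per-controller sysfs file checked is authorized_default from the kernel's USB authorization documentation; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit helpers for the two settings named in the thread.
# Both take an optional root directory so they can run against a test tree.

# nm_no_auto_default [ROOT]: print "file: value" for every no-auto-default
# assignment in a [main] section; return 1 if none is found.
# Simplification: NetworkManager's file shadowing/merge rules are not modelled.
nm_no_auto_default() {
    root=${1:-}
    set --
    for f in "$root"/usr/lib/NetworkManager/conf.d/*.conf \
             "$root"/etc/NetworkManager/NetworkManager.conf \
             "$root"/etc/NetworkManager/conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 1
    awk '
        FNR == 1 { insec = 0 }
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[main\]/); next }
        insec && /^[ \t]*no-auto-default[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print FILENAME ": " $0; found = 1
        }
        END { exit !found }' "$@"
}

# usb_default_authorized [SYSFS]: print each USB host controller whose
# authorized_default is not 0 (new devices are accepted without approval);
# return 0 if any such controller exists, 1 otherwise.
usb_default_authorized() {
    sys=${1:-/sys}
    rc=1
    for a in "$sys"/bus/usb/devices/usb*/authorized_default; do
        [ -r "$a" ] || continue
        v=$(cat "$a")
        if [ "$v" != 0 ]; then
            printf '%s authorized_default=%s\n' "${a%/authorized_default}" "$v"
            rc=0
        fi
    done
    return $rc
}
```

Called with no argument, both functions inspect the live system.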
