Trying to make NetworkManager sane in 12.2
As part of my testing of opensuse 12.2 Beta1, I have been checking out how NetworkManager works for WiFi connections. And it still has the same problems we saw with 12.1, namely that it requires the root password to do almost anything.
I decided that it was time to get my hands dirty, and see whether I could make some changes that would result in the system behaving more sanely. This post describes what I have done. I would appreciate feedback (comments) from readers about this.
With opensuse 11.4 and earlier, when you set up a connection the information was saved in the local user files. And everything worked reasonably well, except that the KDE applet mishandled connections with hidden SSIDs. You could, optionally, make the defined connection a system connection, although that was only supported by the Gnome applet; the option was there for the KDE applet, but was grayed out. Setting up a connection defined in local files did not require the root password. Making it a system connection (available to all users) did require the root password.
With 12.1, there was a newer version of NetworkManager that changed everything. Now all connections are system connections. The option to have it not a system connection is still there, but NetworkManager then sets that up as a system connection that is accessible to only the one user. The information for the connection is saved in system files (in the directory “/etc/NetworkManager/system-connections”).
The effect was that the root password was required for almost everything wifi related, other than enabling/disabling wireless.
Here is what I am currently testing.
Opensuse comes with a number of NetworkManager-related files that are used to configure PolicyKit permissions. The three files that seem most relevant are:
org.freedesktop.NetworkManager.settings.modify.system.pkla
org.freedesktop.NetworkManager.wifi.share.open.pkla
org.freedesktop.NetworkManager.wifi.share.protected.pkla
Those files reside in the directory “/var/lib/polkit-1/localauthority/10-vendor.d”
I have edited those three files. Before editing them, I created a unix group “network” and I added two of the three non-root users of this system to that group. I will describe the changes that I made to the first of the three files. The changes to the other files are similar.
Here’s the original version of the file:
[org.freedesktop.NetworkManager.settings.modify.system]
Identity=unix-group:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
And here is the new version of the file:
[org.freedesktop.NetworkManager.settings.modify.system]
Identity=unix-group:network
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=yes
As you can see, I made two changes. I changed the group from “*” to “network” in the “Identity” line, and I changed the permission in the “ResultActive” line to “yes”.
The intended effect is that users in group “network” should be able to work with WiFi connections, provided that they are at the active console.
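To make the effect of those two edits concrete, here is a small evaluator for the .pkla key/value format shown above. It is an added example, not code from the original post or from PolicyKit; the two sample files are constructed copies of the “before” and “after” versions, and the session handling (use ResultActive for an active console session, ResultInactive for an inactive one, falling back to ResultAny) is an assumption that follows the key names rather than a reimplementation of polkit’s own rules. Precedence between the /var/lib and /etc directory trees is not modelled.

```python
"""Evaluate .pkla authorization entries for a given user (added example)."""
import configparser
from fnmatch import fnmatchcase

NM_ACTION = "org.freedesktop.NetworkManager.settings.modify.system"

# Constructed sample: the vendor file as shipped, everyone needs admin auth.
ORIGINAL_PKLA = """\
[org.freedesktop.NetworkManager.settings.modify.system]
Identity=unix-group:*
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
"""

# Constructed sample: the edited file from the post, group "network" only.
EDITED_PKLA = """\
[org.freedesktop.NetworkManager.settings.modify.system]
Identity=unix-group:network
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=yes
"""


def parse_pkla(text):
    """Return the entries of a .pkla file as a list of dicts, one per section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: "ResultActive", not "resultactive"
    cp.read_string(text)
    return [dict(cp[section]) for section in cp.sections()]


def identity_matches(identity_field, user, groups):
    """Identity is a ';'-separated list of unix-user:NAME / unix-group:NAME;
    NAME may be a glob such as '*'."""
    for ident in identity_field.split(";"):
        kind, _, pattern = ident.strip().partition(":")
        if kind == "unix-user" and fnmatchcase(user, pattern):
            return True
        if kind == "unix-group" and any(fnmatchcase(g, pattern) for g in groups):
            return True
    return False


def action_matches(action_field, action):
    """Action is also ';'-separated and may use globs."""
    return any(fnmatchcase(action, a.strip())
               for a in action_field.split(";") if a.strip())


def evaluate(pkla_text, user, groups, action, session="active"):
    """Return the result string ('yes', 'auth_admin_keep', ...) that applies to
    user/action, or None if no entry matches (polkit would then use the
    action's own default). session is 'active', 'inactive' or 'any'; a later
    matching entry overrides an earlier one (assumption, see lead-in)."""
    key = {"active": "ResultActive",
           "inactive": "ResultInactive",
           "any": "ResultAny"}[session]
    result = None
    for entry in parse_pkla(pkla_text):
        if (identity_matches(entry.get("Identity", ""), user, groups)
                and action_matches(entry.get("Action", ""), action)):
            result = entry.get(key, entry.get("ResultAny"))
    return result


if __name__ == "__main__":
    # alice is in group "network"; bob is not (constructed users)
    for label, text in (("original", ORIGINAL_PKLA), ("edited", EDITED_PKLA)):
        print(label, "alice/active:",
              evaluate(text, "alice", ["users", "network"], NM_ACTION))
        print(label, "alice/inactive:",
              evaluate(text, "alice", ["users", "network"], NM_ACTION, "inactive"))
        print(label, "bob/active:",
              evaluate(text, "bob", ["users"], NM_ACTION))
```

Running it shows the split the post describes: with the original file every user gets auth_admin_keep, while with the edited file a member of “network” at an active console gets “yes”, the same member in an inactive session still gets auth_admin_keep, and a user outside the group matches no entry at all (so polkit falls back to the action’s default rather than to the old “*” rule).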
I have tested the changes, and they seem to do what I expected of them. The two of my user accounts that I put in the “network” group can now edit connections without being prompted for the root password. I tested that in both KDE and Gnome. And the user who is not in the “network” group is still prompted for a password (only tested in Gnome).
I’m not certain, but I think my tests only apply to the first file that I changed. I’m not quite sure what the other files are for. They might be needed for an ad hoc connection. Or perhaps they are only used when there is a special user agent to manage connections (not present in the standard release).
Was my change technically wrong?
Yes, it was probably wrong. We are supposed to copy such files to the corresponding directory tree under “/etc” and modify them there. I tried that, but I could never get it to work. This is probably because my use of group “network” won’t override the group “*” if that is used in the files under “/var/lib”.