Dear Experts,

"this is system from the hell!"

That was my first reaction when I realized that logged in with GUI (X11) user can turn off (and on) network interfaces. Without being in sudoers file. Wow, this is scary to see on workstations I manage centrally. Even though I did consider local user to be able to execute the command "shutdown" (which distinguished RedHat and CentOS from other Linux flavors: after all local user can yank power cord off the wall).

Sorry about my little rant above. Could someone point me into right direction as to how do I disable the ability of (local, logged in through X11) users to fiddle with network interfaces. Even worse, they can create new profile and define for interfaces to behave differently... In the past I could just add

    USERCTL="no"

into interface ifcfg-... file inside /etc/sysconfig/network-scripts which doesn't seem to have any effect on latest CentOS 7. What is my pilot error here? (Ignorant in new shiny extremely MS Windows like for _ignorant_ person - me - system).

Thanks a lot for all your help!

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 21 Sep 2017 17:10, "Valeri Galtsev" <galtsev at kicp.uchicago.edu> wrote:

> Dear Experts,
>
> "this is system from the hell!"
>
> That was my first reaction when I realized that logged in with GUI (X11)
> user can turn off (and on) network interfaces. Without being in sudoers
> file. Wow, this is scary to see on workstations I manage centrally. Even
> though I did consider local user to be able to execute the command
> "shutdown" (which distinguished RedHat and CentOS from other Linux
> flavors: after all local user can yank power cord off the wall).
>
> Sorry about my little rant above. Could someone point me into right
> direction as to how do I disable the ability of (local, logged in through
> X11) users to fiddle with network interfaces. Even worse, they can create
> new profile and define for interfaces to behave differently... In the past
> I could just add
>
>     USERCTL="no"
>
> into interface ifcfg-... file inside /etc/sysconfig/network-scripts which
> doesn't seem to have any effect on latest CentOS 7. What is my pilot error
> here? (Ignorant in new shiny extremely MS Windows like for _ignorant_
> person - me - system).
>
> Thanks a lot for all your help!
>
> Valeri

On the commute home so access to resources to test is limited. This will no doubt be handled through polkit policy. This should at least set you on the right path to discover and configure the appropriate bits...

https://www.hogarthuk.com/?q=node/10
> That was my first reaction when I realized that logged in with GUI (X11)
> user can turn off (and on) network interfaces. Without being in sudoers
> file.

Would not being in sudoers prevent them from pulling the cord out? The rationale for the control is well justified for users with multiple interfaces and is simply a convenience to something they could always do under any condition anyway.
On Thu, September 21, 2017 12:42 pm, Joseph L. Casale wrote:
>> That was my first reaction when I realized that logged in with GUI (X11)
>> user can turn off (and on) network interfaces. Without being in sudoers
>> file.
>
> Would not being in sudoers prevent them from pulling the cord out? The
> rationale for the control is well justified for users with multiple
> interfaces and is simply a convenience to something they could always do
> under any condition anyway.

Yes, I agree on that. However, psychologically pulling AC power cord (or executing shutdown command) is more grave action than pressing toggle "on/off" switch image for network interface, thus killing network connection. So, I both agree and disagree with you. Namely, as with power I agree that local user (especially armed with screwdriver) can do a lot. Yet, I disagree that centrally managed "UNIX - like" (allegedly) workstation can be easily subverted in variety of ways by local user, effectively obliterating what sysadmin configured with something specific in his mind.

My apologies, everybody. If I held myself from putting my rant when I asked for help, there wouldn't be any abstract discussion on topic none of us can affect...

Valeri

> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, September 21, 2017 12:42 pm, Joseph L. Casale wrote:
>> That was my first reaction when I realized that logged in with GUI (X11)
>> user can turn off (and on) network interfaces. Without being in sudoers
>> file.
>
> Would not being in sudoers prevent them from pulling the cord out? The
> rationale for the control is well justified for users with multiple
> interfaces and is simply a convenience to something they could always do
> under any condition anyway.

Yes, I can understand the rationale as above - if it is somebody's laptop. Or someone's home computer. But it is arguable if it is centrally managed workstation. This ability to screw settings up is a pain for sysadmin if this workstation sits on common area (like library) and multiple users can access that, and even if it is workstation that is basically a single user one, but has to be managed centrally.

I rest my case. Basically, all _I_ said on this sidetracked thread should be treated as enclosed into "rant" tags ;-)

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
________________________________________
From: CentOS <centos-bounces at centos.org> on behalf of Valeri Galtsev <galtsev at kicp.uchicago.edu>
Sent: Thursday, September 21, 2017 9:10 AM
To: centos at centos.org
Subject: [CentOS] prevent users from fiddling with network?

Dear Experts,

"this is system from the hell!"

That was my first reaction when I realized that logged in with GUI (X11) user can turn off (and on) network interfaces. Without being in sudoers file. Wow, this is scary to see on workstations I manage centrally. Even though I did consider local user to be able to execute the command "shutdown" (which distinguished RedHat and CentOS from other Linux flavors: after all local user can yank power cord off the wall).

Sorry about my little rant above. Could someone point me into right direction as to how do I disable the ability of (local, logged in through X11) users to fiddle with network interfaces. Even worse, they can create new profile and define for interfaces to behave differently... In the past I could just add

    USERCTL="no"

into interface ifcfg-... file inside /etc/sysconfig/network-scripts which doesn't seem to have any effect on latest CentOS 7. What is my pilot error here? (Ignorant in new shiny extremely MS Windows like for _ignorant_ person - me - system).

Thanks a lot for all your help!

Valeri


Didn't see any more ideas in this thread.

The way I solved this was to use policykit.

Created the file /etc/polkit-1/rules.d/20-networkmanager.rules with the following content

    /* require authentication to modify network settings */
    polkit.addRule(function(action, subject) {
        if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
            return polkit.Result.AUTH_ADMIN;
        }
    });

That will require someone with admin privileges to authenticate for NetworkManager actions to succeed.

regards,

Thomas
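The rule above works because polkit walks every file in /etc/polkit-1/rules.d in sorted name order and takes the first rule that returns a real result; a rule that returns nothing (or polkit.Result.NOT_HANDLED) hands the decision to the next one, and if none decides, the action's compiled-in default applies. The harness below is an added example (not part of the thread and not polkit's own engine) that emulates that evaluation order so a rules file can be sanity-checked offline before it lands on a fleet of workstations. It registers Thomas's 20-networkmanager.rules verbatim, preceded by a hypothetical 10-netadmin.rules that exempts members of a constructed "netadmin" group; the user names are made up, the action ids are real NetworkManager ones.

```javascript
"use strict";
// Added example: an offline emulation of how polkit evaluates rules.d files.
// It is a simplification written for this thread, not polkit's engine.
// The group "netadmin" and the users "alice"/"bob" are constructed here.

// Result strings match the ones polkit's init.js defines; NOT_HANDLED (null)
// and undefined both mean "this rule has no opinion, ask the next one".
const polkit = {
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // Rules run in the order their files sort (10-* before 20-*); the first
  // rule returning a real Result decides. "default" stands in for polkit
  // falling back to the action's compiled-in defaults when no rule decides.
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return "default";
  },
};

// Stand-in for the Subject object polkit hands to rules (constructed).
function makeSubject(user, groups) {
  return { user, local: true, active: true, isInGroup: (g) => groups.includes(g) };
}

// 10-netadmin.rules (hypothetical): members of a dedicated group may keep
// managing the network without a prompt. It sorts before 20-*, so it wins
// for them and stays silent for everyone else.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
      subject.isInGroup("netadmin")) {
    return polkit.Result.YES;
  }
});

// 20-networkmanager.rules: the rule from the thread, verbatim. Everyone the
// earlier rule did not handle must authenticate as an administrator.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

// Evaluate one action id for one user; returns the polkit result string.
function checkNetworkAction(actionId, user, groups) {
  return polkit.check({ id: actionId }, makeSubject(user, groups));
}

// Sample decisions: real NetworkManager action ids, constructed users.
const sample = [
  ["org.freedesktop.NetworkManager.network-control", "alice", []],
  ["org.freedesktop.NetworkManager.settings.modify.system", "bob", ["netadmin"]],
  ["org.freedesktop.NetworkManager.enable-disable-network", "bob", []],
  ["org.freedesktop.login1.power-off", "alice", []],
];
for (const [id, user, groups] of sample) {
  console.log(`${user} -> ${id}: ${checkNetworkAction(id, user, groups)}`);
}
```

Because polkit sits in front of NetworkManager's D-Bus API, the same decision applies whether the user clicks the desktop applet or runs nmcli. On the workstation itself, `pkaction --verbose --action-id org.freedesktop.NetworkManager.network-control` shows the compiled-in defaults that the "default" branch above stands in for, which is useful for seeing what an unrelated action would do when no rule claims it.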
On Sun, October 1, 2017 6:05 pm, Eriksson, Thomas wrote:
> ________________________________________
> From: CentOS <centos-bounces at centos.org> on behalf of Valeri Galtsev
> <galtsev at kicp.uchicago.edu>
> Sent: Thursday, September 21, 2017 9:10 AM
> To: centos at centos.org
> Subject: [CentOS] prevent users from fiddling with network?
>
> Dear Experts,
>
> "this is system from the hell!"
>
> That was my first reaction when I realized that logged in with GUI (X11)
> user can turn off (and on) network interfaces. Without being in sudoers
> file. Wow, this is scary to see on workstations I manage centrally. Even
> though I did consider local user to be able to execute the command
> "shutdown" (which distinguished RedHat and CentOS from other Linux
> flavors: after all local user can yank power cord off the wall).
>
> Sorry about my little rant above. Could someone point me into right
> direction as to how do I disable the ability of (local, logged in through
> X11) users to fiddle with network interfaces. Even worse, they can create
> new profile and define for interfaces to behave differently... In the past
> I could just add
>
>     USERCTL="no"
>
> into interface ifcfg-... file inside /etc/sysconfig/network-scripts which
> doesn't seem to have any effect on latest CentOS 7. What is my pilot error
> here? (Ignorant in new shiny extremely MS Windows like for _ignorant_
> person - me - system).
>
> Thanks a lot for all your help!
>
> Valeri
>
>
> Didn't see any more ideas in this thread.
>
> The way I solved this was to use policykit.
>
> Created the file /etc/polkit-1/rules.d/20-networkmanager.rules with the
> following content
>
>     /* require authentication to modify network settings */
>     polkit.addRule(function(action, subject) {
>         if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
>             return polkit.Result.AUTH_ADMIN;
>         }
>     });
>
> That will require someone with admin privileges to authenticate for
> NetworkManager actions to succeed.

Thank you, Thomas, for the solution!

<rant>
I remember, when I started using RedHat at least a decade and a half back, it was pretty tightly put together. The only major things I was changing in inittab was adding requirement to enter root password for single user mode, and on servers disabling reboot from keyboard on ctrl+alt+del:

    ~~:S:wait:/sbin/sulogin
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

... not anymore, it is loose as a personal laptop (single user!) these days. MS money invested into RedHat at work!
</rant>

Valeri

> regards,
>
> Thomas

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++