On Sun, October 1, 2017 6:05 pm, Eriksson, Thomas wrote:
From: CentOS centos-bounces@centos.org on behalf of Valeri Galtsev galtsev@kicp.uchicago.edu
Sent: Thursday, September 21, 2017 9:10 AM
To: centos@centos.org
Subject: [CentOS] prevent users from fiddling with network?
Dear Experts,
"this is system from the hell!"
That was my first reaction when I realized that a user logged in with GUI (X11) can turn off (and on) network interfaces. Without being in sudoers file. Wow, this is scary to see on workstations I manage centrally. Even though I did consider local user to be able to execute the command "shutdown" (which distinguished RedHat and CentOS from other Linux flavors: after all local user can yank power cord off the wall).
Sorry about my little rant above. Could someone point me in the right direction as to how I disable the ability of (local, logged in through X11) users to fiddle with network interfaces. Even worse, they can create new profile and define for interfaces to behave differently... In the past I could just add
USERCTL="no"
into interface ifcfg-... file inside /etc/sysconfig/network-scripts which doesn't seem to have any effect on latest CentOS 7. What is my pilot error here? (Ignorant in new shiny extremely MS Windows like for _ignorant_ person - me - system).
Thanks a lot for all your help!
Valeri
Didn't see any more ideas in this thread.
The way I solved this was to use policykit.
Created the file /etc/polkit-1/rules.d/20-networkmanager.rules with the following content
    /* require authentication to modify network settings */
    polkit.addRule(function(action, subject) {
        if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
            return polkit.Result.AUTH_ADMIN;
        }
    });
That will require someone with admin privileges to authenticate for NetworkManager actions to succeed.
Thank you, Thomas, for the solution!
<rant> I remember, when I started using RedHat at least a decade and a half back, it was pretty tightly put together. The only major things I was changing in inittab was adding requirement to enter root password for single user mode, and on servers disabling reboot from keyboard on ctrl+alt+del:
    ~~:S:wait:/sbin/sulogin
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
... not anymore, it is loose as a personal laptop (single user!) these days. MS money invested into RedHat at work! </rant>
Valeri
regards,
Thomas
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
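
Added example (not part of the original messages, and not polkit's or NetworkManager's own code): the rule from Thomas's reply run under Node.js against a small stand-in for the `polkit` object that polkitd provides, to show which action ids the prefix test catches and which fall through. The stand-in, the function names and the sample user are assumptions made for this harness.

```javascript
// Stand-in for the `polkit` global that polkitd gives to rules files
// (constructed for this harness; only the parts the rule uses).
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
    // Rules are called in the order added; the first returned value wins.
    check(actionId, subject) {
      for (const fn of rules) {
        const result = fn({ id: actionId }, subject);
        if (result !== undefined && result !== null) return result;
      }
      return "not_handled"; // the action's own defaults would apply
    },
  };
}

// Body of 20-networkmanager.rules from the reply, taking `polkit` as argument.
function loadNetworkManagerRule(polkit) {
  /* require authentication to modify network settings */
  polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
      return polkit.Result.AUTH_ADMIN;
    }
  });
}

// Constructed sample subject: a local, active desktop user.
const deskUser = { user: "alice", local: true, active: true };

const SAMPLE_ACTIONS = [
  "org.freedesktop.NetworkManager.enable-disable-network",
  "org.freedesktop.NetworkManager.network-control",
  "org.freedesktop.NetworkManager.settings.modify.own",
  "org.freedesktop.login1.power-off", // not a NetworkManager action
];

// Returns { actionId: decision } for the sample actions.
function decisions(polkit) {
  const out = {};
  for (const id of SAMPLE_ACTIONS) out[id] = polkit.check(id, deskUser);
  return out;
}

const polkit = makePolkit();
loadNetworkManagerRule(polkit);
console.log(decisions(polkit));
```

Because the first rule to return a value wins, a rules file that sorts before 20-networkmanager.rules and returns a result for the same action takes precedence, so the other files in /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d are worth reviewing too.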