[CentOS] prevent users from fiddling with network?

Valeri Galtsev galtsev at kicp.uchicago.edu
Mon Oct 2 14:58:55 UTC 2017


On Sun, October 1, 2017 6:05 pm, Eriksson, Thomas wrote:
> ________________________________________
> From: CentOS <centos-bounces at centos.org> on behalf of Valeri Galtsev
> <galtsev at kicp.uchicago.edu>
> Sent: Thursday, September 21, 2017 9:10 AM
> To: centos at centos.org
> Subject: [CentOS] prevent users from fiddling with network?
>
> Dear Experts,
>
> "this is system from the hell!"
>
> That was my first reaction when I realized that a user logged in with the GUI (X11)
> can turn off (and on) network interfaces. Without being in the sudoers
> file. Wow, this is scary to see on workstations I manage centrally. Even
> though I did consider a local user to be able to execute the command
> "shutdown" (which distinguished RedHat and CentOS from other Linux
> flavors: after all, a local user can yank the power cord off the wall).
>
> Sorry about my little rant above. Could someone point me in the right
> direction as to how I disable the ability of (local, logged in through
> X11) users to fiddle with network interfaces. Even worse, they can create
> a new profile and define interfaces to behave differently... In the past
> I could just add
>
> USERCTL="no"
>
> into the interface ifcfg-... file inside /etc/sysconfig/network-scripts, which
> doesn't seem to have any effect on the latest CentOS 7. What is my pilot error
> here? (Ignorant in the new shiny, extremely MS Windows-like for an _ignorant_
> person - me - system).
>
>
> Thanks a lot for all your help!
>
> Valeri
>
>
> Didn't see any more ideas in this thread.
>
> The way I solved this was to use policykit.
>
> Created the file /etc/polkit-1/rules.d/20-networkmanager.rules with the
> following content:
>
> /* require authentication to modify network settings */
> polkit.addRule(function(action, subject) {
>     if (action.id.indexOf("org.freedesktop.NetworkManager." ) == 0 ) {
>         return polkit.Result.AUTH_ADMIN;
>     }
> });
>
> That will require someone with admin privileges to authenticate for
> NetworkManager actions to succeed.
>

Thank you, Thomas, for the solution!

<rant>
I remember, when I started using RedHat at least a decade and a half back,
it was pretty tightly put together. The only major things I was changing
in inittab were adding the requirement to enter the root password for single user
mode, and, on servers, disabling reboot from the keyboard on ctrl+alt+del:

~~:S:wait:/sbin/sulogin
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

... not anymore; it is as loose as a personal laptop (single user!) these
days. MS money invested into RedHat at work!
</rant>


Valeri

>
> regards,
>
> Thomas
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
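As an added example, not code from the thread: a small stand-in for polkit's JavaScript rule engine that runs Thomas's 20-networkmanager.rules offline next to a hypothetical 10-netadmin.rules exception for an assumed `netadmin` group, to show that rule files are consulted in lexical order and the first returned result wins. The `polkit.addRule`, `polkit.Result` and `subject.isInGroup` calls mirror the real polkit rule API; the mock engine, the group name and the sample users are assumptions.

```javascript
// Added example (not from the thread): a minimal stand-in for polkit's
// JavaScript rule engine, enough to exercise a rules.d file offline.
// Real polkit loads *.rules files in lexical order, calls them in that order,
// and the first function that returns a Result decides; returning nothing defers.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
            AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
            NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};
// Constructed subject: only the fields the rules below look at.
function makeSubject(user, groups) {
  return { user, local: true, active: true,
           isInGroup: (g) => groups.includes(g) };
}
// Walk the rule chain for one (action, subject) pair. "policy-default" means
// no rule decided, so the action's own .policy defaults would apply.
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of polkit.rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return "policy-default";
}
// Hypothetical 10-netadmin.rules: an exception for a local "netadmin" group
// (assumed name). It must sort BEFORE 20-networkmanager.rules, or the
// blanket AUTH_ADMIN rule below wins first and the exception never fires.
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
      subject.isInGroup("netadmin")) {
    return polkit.Result.YES;
  }
});
// 20-networkmanager.rules, as posted in the thread.
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});
const alice = makeSubject("alice", ["users"]);            // ordinary desktop user
const bob = makeSubject("bob", ["users", "netadmin"]);    // in the exception group
// evaluate("org.freedesktop.NetworkManager.network-control", alice) -> "auth_admin"
// evaluate("org.freedesktop.NetworkManager.network-control", bob)   -> "yes"
// evaluate("org.freedesktop.login1.power-off", alice)                -> "policy-default"
```

On a real CentOS 7 host, `pkaction --verbose` lists the installed NetworkManager action ids and their policy defaults, so the prefix match above can be checked against what is actually shipped.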


