[CentOS] prevent users from fiddling with network?

Sun Oct 1 23:05:27 UTC 2017
Eriksson, Thomas <thomas.eriksson at slac.stanford.edu>

________________________________________
From: CentOS <centos-bounces at centos.org> on behalf of Valeri Galtsev <galtsev at kicp.uchicago.edu>
Sent: Thursday, September 21, 2017 9:10 AM
To: centos at centos.org
Subject: [CentOS] prevent users from fiddling with network?

Dear Experts,

"this is system from the hell!"

Than was my first reaction when I realized that logged in with GUI (X11)
user can turn off (and on) network interfaces. Without being in sudoers
file. Wow, this is scary to see on workstations I manage centrally. Even
though I did consider local user to be able to execute the command
"shutdown" (which distinguished RedHat and CentOS from other Linux
flavors: after all local user can yank power cord off the wall).

Sorry about my little rant above. Could someone point me into right
direction as to how do I disable the ability of (local, logged in through
X11) users to fiddle with network interfaces. Even worse, they can create
new profile and define for interfaces to behave differently... In the past
I could just add

USERCTL="no"

into interface ifcfg-... file inside /etc/sysconfig/network-scripts which
doesn't seen to have any effect on latest CentOS 7. What is my pilot error
here? (Ignorant in new shiny extremely MS Windows like for _ignorant_
person - me - system).


Thanks a lot for all your help!

Valeri


Didn't see any more ideas in this thread.

The way I solved this was to use policykit.

Created the file  /etc/polkit-1/rules.d/20-networkmanager.rules with the following content

/* require authentication to modify network settings */
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager." ) == 0 ) {
        return polkit.Result.AUTH_ADMIN;
    }
});

That will require someone with admin privileges to authenticate for NetworkManager 
actions to succeed.


regards,

Thomas