________________________________________ From: CentOS <centos-bounces at centos.org> on behalf of Valeri Galtsev <galtsev at kicp.uchicago.edu> Sent: Thursday, September 21, 2017 9:10 AM To: centos at centos.org Subject: [CentOS] prevent users from fiddling with network? Dear Experts, "this is system from the hell!" Than was my first reaction when I realized that logged in with GUI (X11) user can turn off (and on) network interfaces. Without being in sudoers file. Wow, this is scary to see on workstations I manage centrally. Even though I did consider local user to be able to execute the command "shutdown" (which distinguished RedHat and CentOS from other Linux flavors: after all local user can yank power cord off the wall). Sorry about my little rant above. Could someone point me into right direction as to how do I disable the ability of (local, logged in through X11) users to fiddle with network interfaces. Even worse, they can create new profile and define for interfaces to behave differently... In the past I could just add USERCTL="no" into interface ifcfg-... file inside /etc/sysconfig/network-scripts which doesn't seen to have any effect on latest CentOS 7. What is my pilot error here? (Ignorant in new shiny extremely MS Windows like for _ignorant_ person - me - system). Thanks a lot for all your help! Valeri Didn't see any more ideas in this thread. The way I solved this was to use policykit. Created the file /etc/polkit-1/rules.d/20-networkmanager.rules with the following content /* require authentication to modify network settings */ polkit.addRule(function(action, subject) { if (action.id.indexOf("org.freedesktop.NetworkManager." ) == 0 ) { return polkit.Result.AUTH_ADMIN; } }); That will require someone with admin privileges to authenticate for NetworkManager actions to succeed. regards, Thomas