DevHeads.net

prevent users from fiddling with network?

Dear Experts,

"this is system from the hell!"

That was my first reaction when I realized that logged in with GUI (X11)
user can turn off (and on) network interfaces. Without being in sudoers
file. Wow, this is scary to see on workstations I manage centrally. Even
though I did consider local user to be able to execute the command
"shutdown" (which distinguished RedHat and CentOS from other Linux
flavors: after all local user can yank power cord off the wall).

Sorry about my little rant above. Could someone point me in the right
direction as to how I disable the ability of (local, logged in through
X11) users to fiddle with network interfaces. Even worse, they can create
new profile and define for interfaces to behave differently... In the past
I could just add

USERCTL="no"

into the interface ifcfg-... file inside /etc/sysconfig/network-scripts, which
doesn't seem to have any effect on latest CentOS 7. What is my pilot error
here? (Ignorant in new shiny extremely MS Windows like for _ignorant_
person - me - system).

Thanks a lot for all your help!

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Comments

Re: prevent users from fiddling with network?

By Thomas Eriksson at 10/01/2017 - 19:05

Didn't see any more ideas in this thread.

The way I solved this was to use policykit.

Created the file /etc/polkit-1/rules.d/20-networkmanager.rules with the following content:

    /* require authentication to modify network settings */
    polkit.addRule(function(action, subject) {
        /* prefix match: catches every org.freedesktop.NetworkManager.* action */
        if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
            return polkit.Result.AUTH_ADMIN;
        }
        /* any other action: return nothing, so later rules / defaults decide */
    });

That will require someone with admin privileges to authenticate for NetworkManager
actions to succeed.

regards,

Thomas
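To see what that rule actually decides, and how a per-group exemption fits in front of it, here is an added example that is neither Thomas's rules file nor polkit's own engine: a small stand-in for the polkit JavaScript rule API (polkit.addRule, polkit.Result, and the action/subject objects a rule receives) so the rule can be exercised offline in Node. The NetworkManager action ids are the real ones as I know them (confirm on the host with `pkaction`), while the `netadmin` group and the user names are constructed for the example. The point it makes: polkitd consults rules in order and stops at the first one that returns a result, so an exemption has to come before the catch-all, and a rule keyed on the NetworkManager prefix leaves unrelated actions (such as shutdown) to their own default policy.

```javascript
// Added example: a minimal stand-in for the polkit rule API, not polkit itself.
// polkitd evaluates rules in order (files by name, rules within a file by
// position) and takes the first result that is not null/undefined.
const polkit = {
  Result: {
    YES: "yes",
    NO: "no",
    AUTH_ADMIN: "auth_admin",          // prompt for an administrator's password
    AUTH_ADMIN_KEEP: "auth_admin_keep",
  },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  decide(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return null; // not handled: the action's own default policy applies
  },
};

// Subject as a rule sees it: user, groups, and whether the session is a
// local, active seat. All values used below are constructed.
function makeSubject(user, groups, local = true, active = true) {
  return { user, groups, local, active, isInGroup: (g) => groups.includes(g) };
}

// Rule 1 (assumed site policy): members of a "netadmin" group, logged in on a
// local active seat, may change networking without a prompt. It must be added
// BEFORE the catch-all, otherwise it is never reached.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
      subject.local && subject.active && subject.isInGroup("netadmin")) {
    return polkit.Result.YES;
  }
  // return nothing: hand the decision to the next rule
});

// Rule 2: the rule from the post, verbatim.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
    return polkit.Result.AUTH_ADMIN;
  }
});

// Decide one check: returns a polkit.Result string, or null when no rule applied.
function decide(actionId, subject) {
  return polkit.decide({ id: actionId }, subject);
}

// Constructed checks a workstation would see.
const cases = [
  ["org.freedesktop.NetworkManager.enable-disable-network", makeSubject("alice", ["users"])],
  ["org.freedesktop.NetworkManager.settings.modify.system", makeSubject("bob", ["users", "netadmin"])],
  ["org.freedesktop.NetworkManager.settings.modify.system", makeSubject("bob", ["netadmin"], false)],
  ["org.freedesktop.login1.power-off", makeSubject("alice", ["users"])],
];
for (const [id, subj] of cases) {
  console.log(`${subj.user}${subj.local ? "" : " (remote)"} -> ${id}: ${decide(id, subj)}`);
}
```

Running it shows alice getting auth_admin for the network toggle, bob passing with yes only while on a local seat (his remote session falls through to rule 2), and the power-off action returning null, i.e. untouched by this file. The same ordering applies across files in /etc/polkit-1/rules.d, so keep an exemption in the same file ahead of the catch-all rather than in a later-named file.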

Re: prevent users from fiddling with network?

By Valeri Galtsev at 10/02/2017 - 10:58

On Sun, October 1, 2017 6:05 pm, Eriksson, Thomas wrote:
Thank you, Thomas, for the solution!

<rant>
I remember, when I started using RedHat at least a decade and a half back,
it was pretty tightly put together. The only major things I was changing
in inittab was adding a requirement to enter the root password for single user
mode, and on servers disabling reboot from keyboard on ctrl+alt+del:

~~:S:wait:/sbin/sulogin
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

... not anymore, it is as loose as a personal laptop (single user!) these
days. MS money invested into RedHat at work!
</rant>

Valeri

Re: prevent users from fiddling with network?

By Joseph L. Casale at 09/21/2017 - 13:42

Would not being in sudoers prevent them from pulling the cord out? The
rationale for the control is well justified for users with multiple interfaces
and is simply a convenience to something they could always do under any
condition anyway.

Re: prevent users from fiddling with network?

By Valeri Galtsev at 09/21/2017 - 18:23

On Thu, September 21, 2017 12:42 pm, Joseph L. Casale wrote:
Yes, I can understand the rationale as above - if it is somebody's laptop.
Or someone's home computer. But it is arguable if it is centrally managed
workstation. This ability to screw settings up is a pain for sysadmin if
this workstation sits in a common area (like library) and multiple users can
access that, and even if it is workstation that is basically a single user
one, but has to be managed centrally. I rest my case. Basically, all _I_
said on this sidetracked thread should be treated as enclosed into "rant"
tags ;-)

Valeri

Re: prevent users from fiddling with network?

By Scott Robbins at 09/21/2017 - 19:13

On Thu, Sep 21, 2017 at 05:23:23PM -0500, Valeri Galtsev wrote:
Well, this is my longstanding rant against RedHat and friends. Take a look
at what Fedora is doing before blithely throwing it into RedHat.
Too many things to make things easy for the less experienced user, which
makes sense for Fedora, get put into RedHat, and they shouldn't.

I wish there were a bit more competition for commercial Linux for RedHat
here in the US so that they'd have to pay more attention to their user
base.

Re: prevent users from fiddling with network?

By Valeri Galtsev at 09/21/2017 - 20:00

On Thu, September 21, 2017 6:13 pm, Scott Robbins wrote:
Well, I guess we see Microsoft money invested into ("donated" to? ;-)
RedHat at work. Yes, my servers have been FreeBSD for a long time already, but as
we have to use Linux for wide variety of stuff, we may need to start
looking which other distribution (better from a sysadmin's perspective) to
flee to. Scott, I'd be glad to hear your advice on that matter. (As CentOS
public mirror maintainer I will keep maintaining that indefinitely as a
token of gratitude to the project that gave us so much over long time).

Valeri

Re: prevent users from fiddling with network?

By Scott Robbins at 09/21/2017 - 22:40

On Thu, Sep 21, 2017 at 07:00:12PM -0500, Valeri Galtsev wrote:
Unfortunately, no advice. I haven't used Debian as anything but a laptop
install for a long time, but their developers did, in the past, seem to
have better ideas of system administration. They have their own issues, of
course, nothing is perfect.

Re: prevent users from fiddling with network?

By Leroy Tennison at 09/22/2017 - 09:31

As Scott said, nothing is perfect. On Ubuntu (16.04 - the current long term support version) all home directories are world executable/readable ("Security? What's that?").

Re: prevent users from fiddling with network?

By Valeri Galtsev at 09/22/2017 - 10:29

On Fri, September 22, 2017 8:31 am, Leroy Tennison wrote:
Thanks Scott and Leroy for your advice. I agree, Ubuntu almost from the
very beginning was (IMHO) aimed to be single user laptop or desktop
system. Being Debian replica, _that_ was what differed it from Debian.
Debian, though very rich and independent (not backed by company - even one
with excellent reputation) had its quirks. I bet everybody remembers
random number generator flop that was on Debian and all its clones for
about 4 years before it became publicly known and fixed (basically,
someone commented out a fair chunk of code of random number generator for
debugging, and left it that way, - so all random numbers had only 4 first
bits random and the rest deterministically predictable from those). All
Debian (and clones) admins had to re-generate all key pairs, certificates,
etc., and live guessing if bad guys ever visited their systems, or rebuild
those. I do not recollect a flop like that on RedHat side (praising good
guys again, though not liking their direction now). So, I'm still looking
for centrally manageable and installable en masse Linux system (my users
do need to run variety of code written on and for Linux) - thanks for
suggestions everybody!

Valeri

Re: prevent users from fiddling with network?

By Valeri Galtsev at 09/21/2017 - 14:28

On Thu, September 21, 2017 12:42 pm, Joseph L. Casale wrote:
Yes, I agree on that. However, psychologically pulling AC power cord (or
executing shutdown command) is a more grave action than pressing toggle
"on/off" switch image for network interface, thus killing network
connection. So, I both agree and disagree with you. Namely, as with power
I agree that local user (especially armed with screwdriver) can do a lot.
Yet, I disagree that centrally managed "UNIX - like" (allegedly)
workstation can be easily subverted in variety of ways by local user,
effectively obliterating what sysadmin configured with something specific
in his mind.

My apologies, everybody. If I held myself from putting my rant when I
asked for help, there wouldn't be any abstract discussion on topic none
of us can affect...

Valeri

Re: prevent users from fiddling with network?

By Joseph L. Casale at 09/21/2017 - 14:41

Network cable Valeri, not power...

Re: prevent users from fiddling with network?

By Valeri Galtsev at 09/21/2017 - 18:14

On Thu, September 21, 2017 1:41 pm, Joseph L. Casale wrote:
If it were not for creative editing/clipping I would show that I meant
power cord as equivalent for shutdown, leaving network cable equivalent to
turning off interface out of discussion (or implied as such). Being the
moron I am, I'm not against everybody having some laughs at my expense
whenever possible... I still would prefer not this sidetracked discussion
(I know I have myself to blame for that), but some push towards disabling
local user's abilities to fiddle with network settings short of
uninstalling networkmanager GUI and friends. I got one general pointer
already (thanks, James!). Didn't do careful reading on that yet, so any
straight guidance is still welcome!

Valeri

Re: prevent users from fiddling with network?

By James Hogarth at 09/21/2017 - 13:08

On the commute home so access to resources to test is limited.

This will no doubt be handled through polkit policy.

This should at least set you on the right path to discover and configure
the appropriate bits...

https://www.hogarthuk.com/?q=node/10