From 0b75d905e59999539ab1e92a92646b634c221215 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= Date: Wed, 17 Sep 2025 10:41:15 +0200 Subject: [PATCH] polkit: remove the modify_system build option This build option allowed non-admin users to create system-wide connections. Generally, this is not a good idea as system-wide changes should be done by administrators. However, the main reason for the change is that this can be used to bypass filesystem permissions, among possibly other attacks. As the daemon runs as root, a user can create a system-wide connection that uses a certificate from a different user to authenticate in a WiFi network protected with 802.1X or a VPN, because as root user the daemon can access the file. This patch does not completely fix the issue, as users can still create private connections specifying a path to another user's connection. This will be addressed in another patch. However, this patch is needed too, because in system-wide connections we don't store which user created the connection, so there wouldn't be any way to check his/her permissions. This is part of the fix for CVE-2025-9615 See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809 --- .gitignore | 1 - NEWS | 4 ++++ contrib/fedora/rpm/NetworkManager.spec | 1 - contrib/fedora/rpm/configure-for-system.sh | 1 - data/meson.build | 10 +--------- ...=> org.freedesktop.NetworkManager.policy.in} | 4 ++-- meson.build | 17 +++++------------ meson_options.txt | 2 +- po/POTFILES.in | 2 +- 9 files changed, 14 insertions(+), 28 deletions(-) rename data/{org.freedesktop.NetworkManager.policy.in.in => org.freedesktop.NetworkManager.policy.in} (98%) diff --git a/.gitignore b/.gitignore index bf962c8abe..f793204262 100644 --- a/.gitignore +++ b/.gitignore 
@@ -81,7 +81,6 @@ test-*.trs /data/org.freedesktop.NetworkManager.service /data/server.conf /data/org.freedesktop.NetworkManager.policy -/data/org.freedesktop.NetworkManager.policy.in /data/nm-sudo.service /data/nm-priv-helper.service /data/NetworkManager-config-initrd.service diff --git a/NEWS b/NEWS index f9f1832be4..c93798c62b 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,10 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE! * Install the systemd units in the initramfs using a systemd generator. * A new "check-connectivity" configuration option is available to disable the connectivity check for selected interfaces. +* Remove the modify_system build option that allowed setting up the + polkit permissions to allow non-admin users to create system-wide + connection. That configuration is discouraged because it can be used + to bypass filesystem permissions. ============================================= NetworkManager-1.56 diff --git a/contrib/fedora/rpm/NetworkManager.spec b/contrib/fedora/rpm/NetworkManager.spec index 820cfda607..bfcc1089ae 100644 --- a/contrib/fedora/rpm/NetworkManager.spec +++ b/contrib/fedora/rpm/NetworkManager.spec @@ -665,7 +665,6 @@ Preferably use nmcli instead. -Dselinux=true \ -Dpolkit=true \ -Dconfig_auth_polkit_default=true \ - -Dmodify_system=true \ -Dconcheck=true \ %if 0%{?fedora} -Dlibpsl=true \ diff --git a/contrib/fedora/rpm/configure-for-system.sh b/contrib/fedora/rpm/configure-for-system.sh index e52e372bca..62999b11b5 100755 --- a/contrib/fedora/rpm/configure-for-system.sh +++ b/contrib/fedora/rpm/configure-for-system.sh @@ -401,7 +401,6 @@ meson setup\ -Dselinux=true \ -Dpolkit=true \ -Dconfig_auth_polkit_default=true \ - -Dmodify_system=true \ -Dconcheck=true \ -Dlibpsl="$(bool_true "$P_FEDORA")" \ -Dsession_tracking=systemd \ diff --git a/data/meson.build b/data/meson.build index b77bf4340c..afe1800b56 100644 --- a/data/meson.build +++ b/data/meson.build 
@@ -55,16 +55,8 @@ if install_udevdir endif if enable_polkit - policy = 'org.freedesktop.NetworkManager.policy' - - policy_in = configure_file( - input: policy + '.in.in', - output: '@BASENAME@', - configuration: data_conf, - ) - i18n.merge_file( - input: policy_in, + input: 'org.freedesktop.NetworkManager.policy.in', output: '@BASENAME@', po_dir: po_dir, install: true, diff --git a/data/org.freedesktop.NetworkManager.policy.in.in b/data/org.freedesktop.NetworkManager.policy.in similarity index 98% rename from data/org.freedesktop.NetworkManager.policy.in.in rename to data/org.freedesktop.NetworkManager.policy.in index 13a0a5b504..cb143a2dd2 100644 --- a/data/org.freedesktop.NetworkManager.policy.in.in +++ b/data/org.freedesktop.NetworkManager.policy.in @@ -117,8 +117,8 @@ System policy prevents modification of network settings for all users auth_admin_keep - @NM_MODIFY_SYSTEM_POLICY@ - @NM_MODIFY_SYSTEM_POLICY@ + auth_admin_keep + auth_admin_keep diff --git a/meson.build b/meson.build index 56bbe28163..49f5b4214a 100644 --- a/meson.build +++ b/meson.build @@ -519,6 +519,10 @@ endif config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default) enable_modify_system = get_option('modify_system') +if enable_modify_system + # FIXME: remove this after everyone has stopped using modify_system + error('modify_system=true is no longer allowed due to security reasons') +endif polkit_agent_helper_1_path = get_option('polkit_agent_helper_1') foreach p : [ '/usr/libexec/polkit-agent-helper-1', @@ -951,7 +955,6 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED', ', '.join(config_dhcp_c data_conf.set('NM_MAJOR_VERSION', nm_major_version) data_conf.set('NM_MICRO_VERSION', nm_micro_version) data_conf.set('NM_MINOR_VERSION', nm_minor_version) -data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep')) data_conf.set('NM_VERSION', nm_version) data_conf.set('VERSION', nm_version) data_conf.set('bindir', nm_bindir) 
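Review bot: In `data/org.freedesktop.NetworkManager.policy.in` (hunk `@@ -117,8 +117,8 @@`), the two defaults that replace `@NM_MODIFY_SYSTEM_POLICY@` are now a literal `auth_admin_keep`, but nothing in the file records why they must stay that way. This only pins the shipped default: a local polkit rule can still answer `yes` for the modify.system action, which recreates the configuration the commit message describes, where the root daemon reads files for a profile whose creator is not recorded. I would add a comment above the two defaults, for example `<!-- Keep admin-only: system-wide profiles do not record their creator, so the daemon cannot check the caller's access to referenced files (CVE-2025-9615). -->`. The NEWS entry could also tell administrators to review site polkit rules that relax this action. The context lines of this hunk lost their markup on this page, so the assumption that the changed lines are the inactive/active session defaults is inferred.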
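Review bot: In the `meson.build` hunk at `@@ -519,6 +519,10 @@`, the new `error()` message says the value is rejected but gives the packager neither the reason nor the remedy. The `FIXME` also has no removal criterion. I would word it as `error('modify_system=true is no longer supported (CVE-2025-9615); remove -Dmodify_system from the build options')` and make the comment name the release after which the option can be dropped. Since the later hunks at `@@ -951,7` and `@@ -1082,17` remove every other use of `enable_modify_system`, the check can read `if get_option('modify_system')` and the variable can be dropped.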
@@ -1082,17 +1085,7 @@ output += ' dbus_conf_dir: ' + dbus_conf_dir + '\n' output += '\nPlatform:\n' output += ' session tracking: ' + ','.join(session_trackers) + '\n' output += ' suspend/resume: ' + suspend_resume + '\n' -output += ' policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')' -if enable_polkit - output += ' (' - if enable_modify_system - output += 'permissive' - else - output += 'restrictive' - endif - output += ' modify.system)' -endif -output += '\n' +output += ' policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')\n' output += ' polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n' output += ' selinux: ' + enable_selinux.to_string() + '\n' output += ' systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n' diff --git a/meson_options.txt b/meson_options.txt index 8ec68a46bd..44d50c6a7a 100644 --- a/meson_options.txt +++ b/meson_options.txt 
@@ -19,7 +19,7 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'], option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support') option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.') option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.') -option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections') +option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)') option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit') option('selinux', type: 'boolean', value: true, description: 'Build with SELinux') option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging') diff --git a/po/POTFILES.in b/po/POTFILES.in index feeaf9ebbe..20bd8f253a 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -1,6 +1,6 @@ # List of source files containing translatable strings. # Please keep this file sorted alphabetically. -data/org.freedesktop.NetworkManager.policy.in.in +data/org.freedesktop.NetworkManager.policy.in src/core/NetworkManagerUtils.c src/core/devices/adsl/nm-device-adsl.c src/core/devices/bluetooth/nm-bluez-manager.c
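Review bot: In `meson_options.txt`, the deprecation of `modify_system` is carried only by the `description` string, so a build that still passes `-Dmodify_system=false` gets no signal that the option is going away. Meson's `option()` accepts a `deprecated` keyword (0.60 and later) that prints a warning whenever the option is set, for example `option('modify_system', type: 'boolean', value: false, deprecated: true, description: '...')`. The project's minimum Meson version is not visible in this patch, so confirm it allows the keyword. The hard `error()` for `true` in `meson.build` would stay as the enforcement.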