diff --git a/data/meson.build b/data/meson.build index b77bf4340c..34c98e3b5f 100644 --- a/data/meson.build +++ b/data/meson.build @@ -68,8 +68,17 @@ if enable_polkit output: '@BASENAME@', po_dir: po_dir, install: true, - install_dir: polkit_gobject_policydir, + install_dir: polkit_policydir, ) + + if polkit_noauth_group != '' + configure_file( + input: 'org.freedesktop.NetworkManager.rules.in', + output: '@BASENAME@', + install_dir: polkit_rulesdir, + configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group}, + ) + endif endif if enable_firewalld_zone diff --git a/data/org.freedesktop.NetworkManager.rules.in b/data/org.freedesktop.NetworkManager.rules.in new file mode 100644 index 0000000000..d6df0b323e --- /dev/null +++ b/data/org.freedesktop.NetworkManager.rules.in @@ -0,0 +1,17 @@ +// NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group. +// +// DO NOT EDIT THIS FILE, it will be overwritten on update. +// +// Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being +// prompted for a password if they are in a local console. +// This is optional and is only recommended to maintain backwards compatibility +// in systems where it was already working in this way. It is discouraged +// otherwise. + +polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" && + subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") && + subject.local) { + return polkit.Result.YES; + } +}); diff --git a/meson.build b/meson.build index 93d53ff6d7..3868df6e53 100644 --- a/meson.build +++ b/meson.build @@ -526,7 +526,8 @@ config_h.set10('WITH_TEAMDCTL', enable_teamdctl) enable_polkit = get_option('polkit') if enable_polkit # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2 - polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix]) + polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix]) + polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d') endif config_auth_polkit_default = get_option('config_auth_polkit_default') @@ -537,6 +538,8 @@ config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_def enable_modify_system = get_option('modify_system') +polkit_noauth_group = get_option('polkit_noauth_group') + polkit_agent_helper_1_path = get_option('polkit_agent_helper_1') foreach p : [ '/usr/libexec/polkit-agent-helper-1', '/usr/lib/polkit-1/polkit-agent-helper-1', @@ -1098,7 +1101,7 @@ output += ' dbus_conf_dir: ' + dbus_conf_dir + '\n' output += '\nPlatform:\n' output += ' session tracking: ' + ','.join(session_trackers) + '\n' output += ' suspend/resume: ' + suspend_resume + '\n' -output += ' policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')' +output += ' policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")' if enable_polkit output += ' (' if enable_modify_system diff --git a/meson_options.txt b/meson_options.txt index d28cc76fc8..631b3037f1 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -19,6 +19,7 @@ option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'console option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.') option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.') option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections') +option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)') option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit') option('selinux', type: 'boolean', value: true, description: 'Build with SELinux') option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')