mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2026-04-28 13:30:47 +02:00
b635b4d419
By setting "connection.permissions", a profile is restricted to a
particular user.
That means for example, that another user cannot see, modify, delete,
activate or deactivate the profile. It also means, that the profile
will only autoconnect when the user is logged in (has a session).
Note that root is always able to activate the profile. Likewise, the
user is also allowed to manually activate the own profile, even if no
session currently exists (which can easily happen with `sudo`).
When the user logs out (the session goes away), we want do disconnect
the profile, however there are conflicting goals here:
1) if the profile was activate by root user, then logging out the user
should not disconnect the profile. The patch fixes that by not
binding the activation to the connection, if the activation is done
by the root user.
2) if the profile was activated by the owner when it had no session,
then it should stay alive until the user logs in (once) and logs
out again. This is already handled by the previous commit.
Yes, this point is odd. If you first do
$ sudo -u $OTHER_USER nmcli connection up $PROFILE
the profile activates despite not having a session. If you then
$ ssh guest@localhost nmcli device
you'll still see the profile active. However, the moment the SSH session
ends, a session closes and the profile disconnects. It's unclear, how to
solve that any better. I think, a user who cares about this, should not
activate the profile without having a session in the first place.
There are quite some special cases, in particular with internal
activations. In those cases we need to decide whether to bind the
activation to the profile's visibility.
Also, expose the "bind" setting in the D-Bus API. Note, that in the future
this flag may be modified via D-Bus API. Like we may also add related API
that allows to tweak the lifetime of the activation.
Also, I think we broke handling of connection visiblity with
|
||
|---|---|---|
| .. | ||
| adsl | ||
| bluetooth | ||
| ovs | ||
| team | ||
| tests | ||
| wifi | ||
| wwan | ||
| meson.build | ||
| nm-acd-manager.c | ||
| nm-acd-manager.h | ||
| nm-device-6lowpan.c | ||
| nm-device-6lowpan.h | ||
| nm-device-bond.c | ||
| nm-device-bond.h | ||
| nm-device-bridge.c | ||
| nm-device-bridge.h | ||
| nm-device-dummy.c | ||
| nm-device-dummy.h | ||
| nm-device-ethernet-utils.c | ||
| nm-device-ethernet-utils.h | ||
| nm-device-ethernet.c | ||
| nm-device-ethernet.h | ||
| nm-device-factory.c | ||
| nm-device-factory.h | ||
| nm-device-generic.c | ||
| nm-device-generic.h | ||
| nm-device-infiniband.c | ||
| nm-device-infiniband.h | ||
| nm-device-ip-tunnel.c | ||
| nm-device-ip-tunnel.h | ||
| nm-device-logging.h | ||
| nm-device-macsec.c | ||
| nm-device-macsec.h | ||
| nm-device-macvlan.c | ||
| nm-device-macvlan.h | ||
| nm-device-ppp.c | ||
| nm-device-ppp.h | ||
| nm-device-private.h | ||
| nm-device-tun.c | ||
| nm-device-tun.h | ||
| nm-device-veth.c | ||
| nm-device-veth.h | ||
| nm-device-vlan.c | ||
| nm-device-vlan.h | ||
| nm-device-vxlan.c | ||
| nm-device-vxlan.h | ||
| nm-device-wireguard.c | ||
| nm-device-wireguard.h | ||
| nm-device-wpan.c | ||
| nm-device-wpan.h | ||
| nm-device.c | ||
| nm-device.h | ||
| nm-lldp-listener.c | ||
| nm-lldp-listener.h | ||