Feature request: create networkmgr group so users don't have to be in wheel group

ghostbsd / networkmgr

NetworkMgr is a Python GTK3 network manager for FreeBSD, GhostBSD, TrueOS and DragonFlyBSD

BSD 3-Clause "New" or "Revised" License

95 stars 30 forks source link

Feature request: create networkmgr group so users don't have to be in wheel group #17

Closed PaddyMac closed 4 years ago

PaddyMac commented 6 years ago

I have a netbook I've set up for a teenager. I'd like him to be able to have an easy-to-use GUI to manage wifi connections, but I don't want him to have root access which he can obtain if he's in the wheel group. Is there any way that networkmgr can be set up so that users can use it to manage network connections without having the capability of becoming root? If there were a networkmgr group I could add users to so they could use this program without them being in the wheel group, that would be great.

ericbsd commented 6 years ago

NetworkMgr needs root access with doas to manage wifi until, but you could add in doas.conf

permit nopass keepenv username cmd netcardmgr
permit nopass keepenv username cmd ifconfig
permit nopass keepenv username cmd service

The only thing that he will be able to use service, ifconfig, netcardmgr with doas.

holishing commented 5 years ago

Well, I don't know much, but I still think that the privilege using service commands without any passwords is too much, (for e.g, we can directly down whole desktop like gdm via just using service commands), is it possible (at least add an option) to use pkexec commands via sysutils/polkit, although I'm not sure polkit without systemd in FreeBSD is stable enough?

ericbsd commented 4 years ago

Actually doas is not in networkmgr anymore. Did not update FreeBSD ports because of the use of sudo might not be fine for freebsd ports.

jlandrynb commented 4 years ago

I don't have time to test but assuming the networkmgr application is wrapper for wpa_cli, in your wpa_supplicant.conf try adding lines:

ctrl_interface_group=mygroup update_config=1

The first line allows users in the specified group to interact with wpa_cli and the second allows saving the network block.

ghost commented 4 years ago

You can limit the commands that your son has access to as root. If you want him to be able to control networkmgr, then do the following:

Run 'visudo' and add the following line for son's account (i.e. son): son ALL=(ALL) NOPASSWD: /usr/local/bin/networkmgr /sbin/ifconfig /sbin/service /usr/bin/killall /usr/sbin/wpa_supplicant /usr/local/bin/netcardmgr

Then, add your son's account to the wheel group.

Your son will only be able to run the commands above as root user, but not have additional root privileges.

I tested this configuration on my laptop with no discrepancies found using networkmgr.