Bug 1367 - Disallow user to manage connection: he still can with network applet
Summary: Disallow user to manage connection: he still can with network applet
Status: REOPENED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia tools maintainers
QA Contact:
URL:
Whiteboard: MGA5TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-21 13:05 CEST by Dick Gevers
Modified: 2018-03-11 05:22 CET

See Also:
Source RPM: drakx-net-2.27-1.mga6
CVE:
Status comment:


Description Dick Gevers 2011-05-21 13:05:50 CEST
Description of problem:
I install Mageia 1 RC and during Summary I make sure that there is no flag in the field "Allow users to manage the connection".

Same with draknetcenter embedded in MCC after install is complete.

In both cases the user can simply click on the connection icon and manage the connection(s) as superuser. This is unexpected, potentially a security risk (depending on who is the user) and makes the field "allow users..." without any real value.

What I would expect to see: if I don't flag the "Allow users..." I would imagine that the user could either not manage the connection(s) at all, or only after entering the root password.
Comment 1 Frank Griffin 2011-05-21 14:35:43 CEST
I confirm this.  I've noticed it for a long time, well back into the Mandriva days, and I just assumed that it was intended to work that way, but Dick is correct.

CC: (none) => ftg

Comment 2 Ahmad Samir 2011-05-21 21:52:35 CEST
There're two different configurations here:
- "Allow users to manage the connection" means allow users to connect/disconnect that network interface

- "Configure Network" option means "start drakconnect", which can be used to configure a new network interface; this option is managed by the setting in the "Network" section in draksec (aka drakconf -> security -> configure authentication for Mageia tools)

I've just tested and both options work as expected.

Maybe the "Allow users to manage the connection" string should be clearer e.g.:
Allow users to manage (connect/disconnect) the connection

but that will have to wait for Mageia2, too late to change strings in Mageia1, IINM.
Ahmad Samir 2011-05-21 21:52:49 CEST

Component: Installer => RPM Packages

Comment 3 Dick Gevers 2011-05-21 22:37:03 CEST
Yes you can connect/disconnect, but I also see a button "configure" which enables the user to change various settings. So I don't understand what is wrong with the string...

But it can wait till after 1 final, sure.
Comment 4 Frank Griffin 2011-05-21 23:06:02 CEST
The scenario I referred to is when you *don't* enable "allow users to manage the connection".  I never do, yet I can click on the network icon in the panel, and connect/disconnect it from a normal userid.  The "configure" button from the opened network applet works as well.
Comment 5 Ahmad Samir 2011-05-21 23:25:14 CEST
"Allow users to manage the connection" enabled:
- Right click the net_applet icon -> Disconnect wired Ethernet (eth1) -> eth1 is disconnected
- Right click the net_applet icon -> Connect wired Ethernet (eth1) -> eth1 is connected

"Allow users to manage the connection" disabled:
- Right click the net_applet icon -> Disconnect wired Ethernet (eth1) -> a consolehelper window appears asking for the root password
- Right click the net_applet icon -> Connect wired Ethernet (eth1) -> a consolehelper window appears asking for the root password


Right clicking "Configure Network":
- with draksec -> Network -> Network Configuration set to "Root Password" a consolehelper appears asking for the root password
- with draksec -> Network -> Network Configuration set to "User Password" a consolehelper appears asking for the user password
- with draksec -> Network -> Network Configuration set to "No Password" drakconnect opens directly


These are the results of my tests.
Comment 6 Dick Gevers 2011-05-22 00:20:41 CEST
As per comment #4: indeed, I can configure always, without being asked for the root password.
Comment 7 Frank Griffin 2011-05-22 00:24:24 CEST
> These are the results of my tests.

You are correct, but your test case is not ours. Left-click on the network applet icon to open the full-function window, and you'll find that connect/disconnect and configure work without authentication.
Comment 8 Ahmad Samir 2011-05-22 01:16:59 CEST
You could have said "left-clicking" from the start...

Left-clicking opens draknetcenter, controlled by draksec -> Network -> Network Center. The default setting is "no password".

CC: (none) => thierry.vignaud
Assignee: bugsquad => mageia

Comment 9 Frank Griffin 2011-05-22 01:54:01 CEST
???

From comment #1:

>In both cases the user can simply click on the connection icon and manage the
>connection(s) as superuser. 

"Click" in my experience has always meant mouse button one, making "left-click" the default.  It is "right click" that needs to be explicitly qualified.
Comment 10 Ahmad Samir 2011-05-22 02:25:04 CEST
Maybe, but I rarely left click the applet, usually right click, so different use cases, i.e. "click" translated to "right click" in my mind.

Anyway, all is sorted out now (and the bug is assigned to blino, who AFAIK worked on drakx-net the most around here, IIUC).
Comment 11 Marja Van Waes 2011-10-14 19:54:37 CEST
@ Olivier

Any news?

CC: (none) => marja11

Marja Van Waes 2011-10-22 16:39:08 CEST

Summary: Disallow user to manage connection: he still can => Disallow user to manage connection: he still can with network applet

Comment 12 Marja Van Waes 2012-01-25 07:54:33 CET
Pinging, because nothing has happened to this report for more than 3 months, and it still has the status NEW or REOPENED.

@ Olivier
Please set status to ASSIGNED if you think this bug was assigned correctly. If for work flow reasons you can't do that, then please put OK on the whiteboard instead. Don't change anything if you want to be pinged by me here again :)
Comment 13 Marja Van Waes 2012-05-09 15:21:00 CEST
3 monthly ping

@ Dick

I didn't check with rc, is this bug still valid?
Comment 14 Dick Gevers 2012-05-09 19:38:20 CEST
Marja: Sorry didn't really pay much attention to this with the rc's. I will try and see how it is during the coming weekend.
Comment 15 Dick Gevers 2012-05-13 19:08:34 CEST
The bug is still valid, IMHO
Comment 16 Marja Van Waes 2012-05-26 13:08:40 CEST
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment.

Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja

Keywords: (none) => NEEDINFO

Comment 17 Dick Gevers 2012-05-28 12:55:45 CEST
Applies to 2 and Cauldron
Sander Lepik 2012-05-28 13:00:06 CEST

Keywords: NEEDINFO => (none)
CC: (none) => sander.lepik
Whiteboard: (none) => MGA2TOO

Comment 18 Marja Van Waes 2012-07-06 15:05:11 CEST
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are.


If you're the assignee:

We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead.

If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard.

Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why.

Thanks :)

**************************** 

@ the reporter and persons in the cc of this bug:

If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.

@ the reporter of this bug

If you didn't reply yet to a request for more information, please do so within two weeks from now.

Thanks all :-D
Comment 19 Marja Van Waes 2015-04-19 14:13:22 CEST
Sorry, but this bug has seen no action for more than 2 yrs.
No cauldron package has stayed the same since then.

Closing as OLD

Please reopen if this report is still valid for _current_ cauldron and/or fully
updated Mageia 4

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 20 Dick Gevers 2016-03-12 14:14:58 CET
Closed without having been fixed. It is still valid!

Keywords: (none) => 6dev1
Status: RESOLVED => REOPENED
Resolution: OLD => (none)
Source RPM: drakx-net-0.97.1.mga1 => drakx-net-2.23-2.mga6
Whiteboard: MGA2TOO => (none)

Comment 21 Dick Gevers 2016-05-22 17:51:31 CEST
Valid for current 6sta1 isos

Keywords: 6dev1 => 6sta1
Source RPM: drakx-net-2.23-2.mga6 => drakx-net-2.25-1.mga6

Comment 22 Dick Gevers 2016-11-07 20:42:24 CET
Valid for 5.1 iso as well

Summary: Disallow user to manage connection: he still can with network applet => [5.1] Disallow user to manage connection: he still can with network applet
Source RPM: drakx-net-2.25-1.mga6 => drakx-net-2.27-1.mga6

Samuel Verschelde 2016-11-08 10:14:30 CET

Summary: [5.1] Disallow user to manage connection: he still can with network applet => Disallow user to manage connection: he still can with network applet
Whiteboard: (none) => MGA5TOO

Samuel Verschelde 2016-11-08 10:14:44 CET

Assignee: mageia => mageiatools

Comment 23 Mauricio Andrés Bustamante Viveros 2018-03-11 05:22:18 CET
Pinging, because nothing has happened to this report for more than 3 months, and it still has the status NEW or REOPENED. It is valid in MGA6.

Maintainer, please give feedback about the progress of this fix.

CC: (none) => neoser10

