Regular user that can change the network configuration without password

Hi everybody,
I’m on RL 8.10 and I want to set up a regular user to be able to change the network configuration via NetworkManager (nmcli) without using a password. I don’t get the whole picture. I’ve tried a polkit rule:

// /usr/share/polkit-1/rules.d/90-nmcli.rules

// Allow user to use nmcli
// without entering a password.
 
polkit.addRule(function(action, subject) {
    if ( action.id == "org.freedesktop.NetworkManager.configure" &&
         subject.user == "user-name" ) {
         return polkit.Result.YES;
    }
});

I’ve tried the supposedly old way, “/etc/polkit-1/localauthority/90-mandatory.d/99-network.pkla”:

[Allow a user to modify all network states and settings]
Identity=unix-user:user-name
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

How can I tell that polkit is watching NetworkManager? I tried to activate it explicitly with “/etc/NetworkManager/conf.d/polkit.conf”:

[main]
auth-polkit=true

Is it worth adding the user to the sudoers list with all the variants for calling nmcli?

I would be very thankful for any kind of help.


Greetings, the newbie
pcre

Looks like I did have an error in the polkit rule. This would be a working approach:

polkit.addRule(function(action, subject) {
    if ( action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
         subject.user == "user-name" ) {
         return polkit.Result.YES;
    }
});

Now the user can do a lot of things, but “nmcli con reload” returns an access denied error:

Error: failed to reload connections: access denied.

But it looks like this will not be possible:
https://bugzilla.redhat.com/show_bug.cgi?id=1921082

Anyway thanks, and I hope that it will help the next one with the problem.


Greetings
pcre

At least that reduces your sudo needs down to the one command; polkit rules can let the user do most things, then sudo nmcli con reload for the missing piece!
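Added example, not part of the thread: the working rule above matches every action under the `org.freedesktop.NetworkManager.` prefix, so a narrower variant can grant only an explicit allowlist of action IDs and let everything else fall through to the defaults. The allowlist contents, the function and variable names, and the `/etc/polkit-1/rules.d/` location are assumptions for illustration; `user-name` is the placeholder used in the thread.

```javascript
// Suggested location (assumption): /etc/polkit-1/rules.d/90-nmcli.rules
// Added example, not the thread author's rule. It grants a fixed set of
// NetworkManager actions to one user instead of the whole action prefix.

// Actions granted without authentication. This selection is an assumption
// about what the user needs; trim or extend it for your own case.
var NM_ALLOWED_ACTIONS = [
    // connect / disconnect devices and connections
    "org.freedesktop.NetworkManager.network-control",
    // add, edit and delete system-wide connection profiles
    "org.freedesktop.NetworkManager.settings.modify.system",
    // modify the user's own connection profiles
    "org.freedesktop.NetworkManager.settings.modify.own",
    // "nmcli networking on|off"
    "org.freedesktop.NetworkManager.enable-disable-network",
    // "nmcli radio wifi on|off"
    "org.freedesktop.NetworkManager.enable-disable-wifi"
];

// Placeholder account name taken from the thread.
var NM_ALLOWED_USER = "user-name";

// Returns polkit.Result.YES only for the allowlisted user/action pairs.
// Returning undefined tells polkit this rule has no opinion, so the next
// rule or the action's built-in default decides.
function nmAllowlistRule(action, subject) {
    if (subject.user !== NM_ALLOWED_USER) {
        return undefined;
    }
    if (NM_ALLOWED_ACTIONS.indexOf(action.id) !== -1) {
        return polkit.Result.YES;
    }
    return undefined;
}

// polkitd provides the global "polkit" object. The guard only exists so the
// file can also be loaded in a plain JavaScript engine to test the function.
if (typeof polkit !== "undefined") {
    polkit.addRule(nmAllowlistRule);
}
```

Running `nmcli general permissions` as the affected user lists each NetworkManager permission with its current result, which shows whether the rule took effect. Actions left out of the list, such as `org.freedesktop.NetworkManager.settings.modify.hostname`, keep their default authorization.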
