ghostbsd/networkmgr

Feature request: create networkmgr group so users don't have to be in wheel group

Closed this issue · 5 comments

I have a netbook I've set up for a teenager. I'd like him to be able to have an easy-to-use GUI to manage wifi connections, but I don't want him to have root access which he can obtain if he's in the wheel group. Is there any way that networkmgr can be set up so that users can use it to manage network connections without having the capability of becoming root? If there were a networkmgr group I could add users to so they could use this program without them being in the wheel group, that would be great.

NetworkMgr needs root access with doas to manage wifi until, but you could add this to doas.conf:

permit nopass keepenv username cmd netcardmgr
permit nopass keepenv username cmd ifconfig
permit nopass keepenv username cmd service

The only things that he will be able to use with doas are service, ifconfig, and netcardmgr.

Well, I don't know much, but I still think that the privilege of using service commands without any password is too much (e.g., we can directly take down the whole desktop, like gdm, just by using service commands). Is it possible (at least as an option) to use pkexec commands via sysutils/polkit? Although I'm not sure polkit without systemd in FreeBSD is stable enough.
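The scope question raised above can be checked mechanically. The following is an added example, not part of any comment in this thread and not NetworkMgr code: a small Python audit of doas.conf rules that flags passwordless grants with no `args` restriction. The fourth sample rule is constructed for contrast, and the `setenv { ... }` option is assumed not to be used.

```python
# Added example: audit doas.conf rules for passwordless grants broader than intended.
# Rules 1-3 are quoted from the thread; rule 4 is constructed (path, "netif", "wlan0" assumed).
SAMPLE_RULES = """\
permit nopass keepenv username cmd netcardmgr
permit nopass keepenv username cmd ifconfig
permit nopass keepenv username cmd service
permit nopass username cmd /usr/sbin/service args netif restart wlan0
"""
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    """Parse: permit|deny [options] identity [as target] [cmd command [args ...]]."""
    tokens = line.split("#", 1)[0].split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    rule = {"action": tokens[0], "options": set(), "cmd": None, "args": None}
    i = 1
    while i < len(tokens) and tokens[i] in OPTIONS:
        rule["options"].add(tokens[i])
        i += 1
    i += 1  # skip the identity (user or :group)
    if i < len(tokens) and tokens[i] == "as":
        i += 2  # skip "as target"
    if i + 1 < len(tokens) and tokens[i] == "cmd":
        rule["cmd"] = tokens[i + 1]
        if tokens[i + 2:i + 3] == ["args"]:
            rule["args"] = tokens[i + 3:]  # [] means "no arguments allowed"
    return rule

def audit(rule):
    if rule["action"] != "permit" or "nopass" not in rule["options"]:
        return []
    findings = []
    if rule["cmd"] is None:
        findings.append("no cmd clause: every command is allowed")
    elif rule["args"] is None:
        findings.append("no args clause: any arguments are accepted")
    if rule["cmd"] and not rule["cmd"].startswith("/"):
        findings.append("cmd is not an absolute path")
    if "keepenv" in rule["options"]:
        findings.append("keepenv passes the caller's environment to the root process")
    return findings

def audit_config(text):
    rules = ((line, parse_rule(line)) for line in text.splitlines())
    return {line: audit(rule) for line, rule in rules if rule}

if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_RULES).items():
        print(line, "->", findings or "ok")
```

Each of the three rules from the thread produces three findings, while the constructed rule that pins both the path and the arguments produces none.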

Actually, doas is not in networkmgr anymore. I did not update FreeBSD ports because the use of sudo might not be fine for FreeBSD ports.

I don't have time to test, but assuming the networkmgr application is a wrapper for wpa_cli, try adding these lines to your wpa_supplicant.conf:

ctrl_interface_group=mygroup
update_config=1

The first line allows users in the specified group to interact with wpa_cli and the second allows saving the network block.

You can limit the commands that your son has access to as root. If you want him to be able to control networkmgr, then do the following:

Run 'visudo' and add the following line for your son's account (i.e. son):
son ALL=(ALL) NOPASSWD: /usr/local/bin/networkmgr, /sbin/ifconfig, /sbin/service, /usr/bin/killall, /usr/sbin/wpa_supplicant, /usr/local/bin/netcardmgr

Then, add your son's account to the wheel group.

Your son will only be able to run the commands above as root user, but not have additional root privileges.

I tested this configuration on my laptop with no discrepancies found using networkmgr.