[Pkg-utopia-maintainers] Bug#647907: network-manager: some thoughts on network-manager / classic Debian networking integration

Christoph Anton Mitterer calestyo at scientia.net
Mon Nov 7 13:26:02 UTC 2011


Package: network-manager
Version: 0.9.1.95-1
Severity: wishlist


Hi.


These are just some thoughts, perhaps some of these are already working, or wontfix.
Pick what you like :)


Personally I always liked using the plain classic networking configuration, e.g.
- /etc/network/interfaces for the basics
- /etc/ipsec.conf for e.g. strongswan
- /etc/ppp/peers/* + /etc/chatscripts/* for PPP connections, including mobile broadband
- /etc/vpnc/* vpnc connections


Network-Manager already does some job to integrate those.


Ideally, there would be plugins that just automatically load all these configurations and export them
via NetworkManager.

For /etc/network/interfaces there seems to be some support via the ifupdown plugin (though I've
already opened a bug here that not all configs are exported).
Further, I don't know whether all features/options are really supported, e.g. all the wpa-*,
wireless-*, dns-* and at a later point e.g. iw-* stanzas.

For the others, there seems to be at best some import option, but this does not export
the configuration to NM, but really copies it to it, AFAIU.
IMHO a bad idea, as one now has two places where everything has to be maintained.

Also, import has the "problem" that some configuration is typically not readable by normal users
and there is currently no offer to sudo or so.


So in general I'd like to see this configuration exported by NM, but not changed/rewritten etc.
If a normal user wants to really do this, he can still create "new" configurations.




One problem, and this might even be a problem in the current ifupdown plugin, is permissions.
If any of the above networks is exported to the normal user (even if the passwords, certificates, etc.
behind are not), it might be a security risk, just because a normal user can connect to such a network.

This is even true for just /etc/network/interfaces, which may be root-readable only, thereby preventing
normal-user access to wireless passphrases.
Not sure if the ifupdown plugin is already exporting such passphrases (and thereby introducing a
potential security hole).


The next question would be, how can we make it configurable, which of the "system-wide" settings
are exported to which users.

For /etc/vpnc/*, /etc/ppp/peers/* and /etc/chatscripts/* this is easy. Each file contains just one
connection, and it could be done via file permissions and perhaps ACLs.

But for /etc/network/interfaces and /etc/ipsec.conf this is more difficult as they contain
more than one connection.
With /etc/network/interfaces we could easily add a new keyword, e.g.
nm-allowed-users list
nm-allowed-groups list
or something like this.

For /etc/ipsec.conf it's more difficult, as we cannot change the syntax easily.
Also, the actual credentials are in further files, for strongswan e.g. in X.509 certs,
/etc/ipsec.secrets, etc.


Cheers,
Chris.
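
An added sketch (not part of the original mail, and not code from NetworkManager or ifupdown) of the per-stanza access control suggested above: it parses an interfaces-style file and returns only the stanzas a given user may see, with secret options withheld. The nm-allowed-users / nm-allowed-groups keywords are the mail's proposal and do not exist in ifupdown; default-deny for stanzas without them and the SECRET_OPTIONS set are assumptions of this example.

```python
# nm-allowed-users / nm-allowed-groups are the hypothetical keywords proposed
# in the mail; neither ifupdown nor NetworkManager implements them.
SECRET_OPTIONS = {"wpa-psk", "wpa-passphrase", "wpa-password", "wireless-key"}

# Constructed sample; the real file would be read by the root-owned plugin.
SAMPLE = """\
auto eth0
iface eth0 inet dhcp

iface home inet dhcp
    wpa-ssid HomeNet
    wpa-psk constructed-passphrase
    nm-allowed-users alice bob

iface lab inet dhcp
    wpa-ssid LabNet
    wpa-psk another-constructed-secret
    nm-allowed-groups netdev
"""

def parse_stanzas(text):
    """Return {iface_name: {option: value}} for each 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "iface" and value:
            current = stanzas.setdefault(value.split()[0], {})
        elif key in ("auto", "mapping", "source") or key.startswith("allow-"):
            current = None              # another stanza type starts here
        elif current is not None:
            current[key] = value.strip()
    return stanzas

def exported_for(text, user, groups=()):
    """Stanzas visible to `user`: default deny, secrets never included."""
    visible = {}
    for name, opts in parse_stanzas(text).items():
        users = opts.get("nm-allowed-users", "").split()
        allowed_groups = opts.get("nm-allowed-groups", "").split()
        if user in users or set(groups) & set(allowed_groups):
            visible[name] = {k: v for k, v in opts.items()
                             if k not in SECRET_OPTIONS
                             and not k.startswith("nm-allowed-")}
    return visible
```

Filtering happens on the privileged side before anything is handed to the user's session, so a root-only /etc/network/interfaces stays root-only.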




