Fedora Core 4 Test Update: NetworkManager-0.5.1-1.FC4.1

David Woodhouse dwmw2 at infradead.org
Mon Jan 9 16:16:08 UTC 2006


On Wed, 2006-01-04 at 13:25 -0500, Dan Williams wrote:
> Debatable.  I may be authorized to connect to certain networks, and
> you're not.  So the network & authorization information is specific to
> my user, and shouldn't be available to yours.  

That doesn't really make much sense in the Linux world -- if the network
is configured and running then all users on the machine _have_ got
access to it. I think there are some iptables hacks around to
attempt to limit network access to certain users, but we don't ship
them, do we? We certainly don't attempt to use them.

For Windows, perhaps it's different -- one really can consider a Windows
box to be a single-user machine, and it might actually make sense to
consider network connections to be a per-user thing. Even VPNs might
make some sense in the Windows world, but this isn't Windows.

> This is the same situation as 802.1x certificates for authentication. 
> You shouldn't use my certificate to authenticate to the access
> server.  Same for WEP keys.

It isn't 'my' WEP key. It is the system's WEP key. You are trying to
impose a policy which doesn't make any sense in this environment.

> Of course, this is all premised on console-user privileges.  In an
> actively multi-user machine, there do need to be system-wide settings
> for networking.  But nobody has come up with an acceptable method for
> system-wide settings, besides using GConf's default/mandatory
> settings.
> But by default, I argue that such security and authentication
> information is first per-user, second system-wide, and only in that
> order.  Just like login passwords.

Not at all like login passwords. Login passwords get you a _session_
from which you can access an individual resource's files, and you can
access certain other shared resources which are available to you.

WEP keys set up a system-wide resource which _any_ user of the system
can then utilise. Networks _aren't_ a per-user resource in practice, and
I'd be surprised if it were particularly common for users to want WEP
keys to be per-user. Certificates might well be a different matter, but
in practice I doubt there are many users who really care about those
being per-user instead of system-wide either.

Network data being stored system-wide is by far the more common
arrangement, and as far as I can tell, NetworkManager doesn't seem to
allow that -- I ought to at least have the _option_ of doing so, surely?
Or is this yet another case where GNOME knows better than its idiot
users?

I'd like to reboot my laptop onto a new kernel, but if I do so at the
moment while I'm 20 miles from it, I know it wouldn't manage to
reconnect to the network....

-- 
dwmw2



