当我在 VM 的 GUI 上并且想要更改网络连接配置文件时,我可以通过以下命令以用户“vm”的身份进行操作:
vm@ubuntu1804:~$ nmcli con up DYNAMIC
但是当我以用户 VM 身份通过 SSH 连接到此框,并尝试以同一用户身份运行相同的命令时,它显示:
vm@ubuntu1804:~$ nmcli con up DYNAMIC
Error: Connection activation failed: Not authorized to control networking.
我认为这是一个权限问题,并通过以下命令进行验证
# permissions when on the GUI
vm@ubuntu1804:~$ nmcli general permissions
PERMISSION VALUE
org.freedesktop.NetworkManager.enable-disable-network yes
org.freedesktop.NetworkManager.enable-disable-wifi yes
org.freedesktop.NetworkManager.enable-disable-wwan yes
org.freedesktop.NetworkManager.enable-disable-wimax yes
org.freedesktop.NetworkManager.sleep-wake no
org.freedesktop.NetworkManager.network-control yes
org.freedesktop.NetworkManager.wifi.share.protected yes
org.freedesktop.NetworkManager.wifi.share.open yes
org.freedesktop.NetworkManager.settings.modify.system yes
org.freedesktop.NetworkManager.settings.modify.own yes
org.freedesktop.NetworkManager.settings.modify.hostname auth
org.freedesktop.NetworkManager.settings.modify.global-dns auth
org.freedesktop.NetworkManager.reload auth
org.freedesktop.NetworkManager.checkpoint-rollback auth
org.freedesktop.NetworkManager.enable-disable-statistics yes
org.freedesktop.NetworkManager.enable-disable-connectivity-check yes
# permissions when SSH'ing
vm@ubuntu1804:~$ nmcli general permissions
PERMISSION VALUE
org.freedesktop.NetworkManager.enable-disable-network no
org.freedesktop.NetworkManager.enable-disable-wifi no
org.freedesktop.NetworkManager.enable-disable-wwan no
org.freedesktop.NetworkManager.enable-disable-wimax no
org.freedesktop.NetworkManager.sleep-wake no
org.freedesktop.NetworkManager.network-control auth
org.freedesktop.NetworkManager.wifi.share.protected no
org.freedesktop.NetworkManager.wifi.share.open no
org.freedesktop.NetworkManager.settings.modify.system no
org.freedesktop.NetworkManager.settings.modify.own auth
org.freedesktop.NetworkManager.settings.modify.hostname auth
org.freedesktop.NetworkManager.settings.modify.global-dns auth
org.freedesktop.NetworkManager.reload auth
org.freedesktop.NetworkManager.checkpoint-rollback auth
org.freedesktop.NetworkManager.enable-disable-statistics no
org.freedesktop.NetworkManager.enable-disable-connectivity-check no
问题是,我该如何改变它?我尝试通过这篇文章中的答案无权控制网络但这不起作用。
请注意,我是不是寻找某人用“只需使用 sudo”来回答我的问题。
答案1
好吧,我搞明白了,但我还是要分享一下。在此之前,我想补充一点“警告”,因为出于安全原因,我所做的可能不是一个好主意(我之所以看到这一点,是因为我已经对 VM 进行了大量道德黑客攻击,并且可以看到设置背后的逻辑)。此默认设置背后的逻辑是,默认情况下,如果没有 sudo,您无法更改网络设置,这可以防止有人设法访问您的系统,例如以用户“www-data”的身份,如果他们利用您的 Web 前端,然后升级为用户“vm”,他们默认能够远程控制您的网络,因为我正在更改 NetworkManager 应用程序的系统级权限,以授予远程(ssh)访问权限,以完全控制盒子上的网络。最好只使用 sudo 并提升权限来远程更改网络设置。
无论如何,权限似乎与系统绑定,而不是专门与网络管理器绑定。因此,“polkit - 授权框架”是系统级工具,它授予特权应用程序从非特权“默认”应用程序(如网络管理器)的访问权限。因此,我需要创建一个 .pkla 文件来调整该授权(我从 ubuntu 手册页中找到了这个,具体来说:https://manpages.ubuntu.com/manpages/trusty/man8/pklocalauthority.8.html)。因此,我在下面声明,sudo 组中的任何人都可以更改网络设置(即无需提升到 sudo,您只需要成为 sudo 组的一部分)。因此,我验证了最后更改的权限,并执行了我的 nmcli 命令来更改配置文件,并且成功了。
root@ubuntu1804:/home/vm# cat /etc/polkit-1/localauthority/50-local.d/test.pkla
[ssh to modify]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=yes
ResultInactive=yes
ResultActive=yes
[ssh to enable and disable network]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.enable-disable-network
ResultAny=yes
ResultInactive=yes
ResultActive=yes
[ssh to control the networking]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes
root@ubuntu1804:/home/vm# systemctl restart polkit
root@ubuntu1804:/home/vm# exit
exit
正如您所看到的,我们之前定义的 3 个“动作”现在都是“是”。
vm@ubuntu1804:~$ nmcli general permissions
PERMISSION VALUE
org.freedesktop.NetworkManager.enable-disable-network yes
org.freedesktop.NetworkManager.enable-disable-wifi no
org.freedesktop.NetworkManager.enable-disable-wwan no
org.freedesktop.NetworkManager.enable-disable-wimax no
org.freedesktop.NetworkManager.sleep-wake no
org.freedesktop.NetworkManager.network-control yes
org.freedesktop.NetworkManager.wifi.share.protected no
org.freedesktop.NetworkManager.wifi.share.open no
org.freedesktop.NetworkManager.settings.modify.system yes
org.freedesktop.NetworkManager.settings.modify.own auth
org.freedesktop.NetworkManager.settings.modify.hostname auth
org.freedesktop.NetworkManager.settings.modify.global-dns auth
org.freedesktop.NetworkManager.reload auth
org.freedesktop.NetworkManager.checkpoint-rollback auth
org.freedesktop.NetworkManager.enable-disable-statistics no
org.freedesktop.NetworkManager.enable-disable-connectivity-check no
vm@ubuntu1804:~$ nmcli con up DYNAMIC
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/12)
完成这些之后,我现在可以通过 ssh 以 vm 用户身份执行以下命令:
vm@ubuntu1804:~$ nmcli con up DYNAMIC