SSH 上缺少网络权限,但 GUI/控制台上没有

tag-icon tag-icon networking
SSH 上缺少网络权限,但 GUI/控制台上没有

当我在 VM 的 GUI 上并且想要更改网络连接配置文件时,我可以通过以下命令以用户“vm”的身份进行操作:

vm@ubuntu1804:~$ nmcli con up DYNAMIC

但是当我以用户 VM 身份通过 SSH 连接到此框,并尝试以同一用户身份运行相同的命令时,它显示:

vm@ubuntu1804:~$ nmcli con up DYNAMIC
Error: Connection activation failed: Not authorized to control networking.

我认为这是一个权限问题,并通过以下命令进行验证

# permissions when on the GUI
vm@ubuntu1804:~$ nmcli general permissions 
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.enable-disable-network             yes   
org.freedesktop.NetworkManager.enable-disable-wifi                yes   
org.freedesktop.NetworkManager.enable-disable-wwan                yes   
org.freedesktop.NetworkManager.enable-disable-wimax               yes   
org.freedesktop.NetworkManager.sleep-wake                         no    
org.freedesktop.NetworkManager.network-control                    yes   
org.freedesktop.NetworkManager.wifi.share.protected               yes   
org.freedesktop.NetworkManager.wifi.share.open                    yes   
org.freedesktop.NetworkManager.settings.modify.system             yes   
org.freedesktop.NetworkManager.settings.modify.own                yes   
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-statistics          yes   
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes   

# permissions when SSH'ing
vm@ubuntu1804:~$ nmcli general permissions 
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.enable-disable-network             no    
org.freedesktop.NetworkManager.enable-disable-wifi                no    
org.freedesktop.NetworkManager.enable-disable-wwan                no    
org.freedesktop.NetworkManager.enable-disable-wimax               no    
org.freedesktop.NetworkManager.sleep-wake                         no    
org.freedesktop.NetworkManager.network-control                    auth  
org.freedesktop.NetworkManager.wifi.share.protected               no    
org.freedesktop.NetworkManager.wifi.share.open                    no    
org.freedesktop.NetworkManager.settings.modify.system             no    
org.freedesktop.NetworkManager.settings.modify.own                auth  
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-statistics          no    
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no

问题是,我该如何改变它?我尝试通过这篇文章中的答案无权控制网络但这不起作用。

请注意,我是不是寻找某人用“只需使用 sudo”来回答我的问题。

答案1

好吧,我搞明白了,但我还是要分享一下。在此之前,我想补充一点“警告”,因为出于安全原因,我所做的可能不是一个好主意(我之所以看到这一点,是因为我已经对 VM 进行了大量道德黑客攻击,并且可以看到设置背后的逻辑)。此默认设置背后的逻辑是,默认情况下,如果没有 sudo,您无法更改网络设置,这可以防止有人设法访问您的系统,例如以用户“www-data”的身份,如果他们利用您的 Web 前端,然后升级为用户“vm”,他们默认能够远程控制您的网络,因为我正在更改 NetworkManager 应用程序的系统级权限,以授予远程(ssh)访问权限,以完全控制盒子上的网络。最好只使用 sudo 并提升权限来远程更改网络设置。

无论如何,权限似乎与系统绑定,而不是专门与网络管理器绑定。因此,“polkit - 授权框架”是系统级工具,它授予特权应用程序从非特权“默认”应用程序(如网络管理器)的访问权限。因此,我需要创建一个 .pkla 文件来调整该授权(我从 ubuntu 手册页中找到了这个,具体来说:https://manpages.ubuntu.com/manpages/trusty/man8/pklocalauthority.8.html)。因此,我在下面声明,sudo 组中的任何人都可以更改网络设置(即无需提升到 sudo,您只需要成为 sudo 组的一部分)。因此,我验证了最后更改的权限,并执行了我的 nmcli 命令来更改配置文件,并且成功了。

root@ubuntu1804:/home/vm# cat /etc/polkit-1/localauthority/50-local.d/test.pkla 

[ssh to modify]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[ssh to enable and disable network]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.enable-disable-network
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[ssh to control the networking]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes
root@ubuntu1804:/home/vm# systemctl restart polkit
root@ubuntu1804:/home/vm# exit
exit

正如您所看到的,我们之前定义的 3 个“动作”现在都是“是”。

vm@ubuntu1804:~$ nmcli general permissions 
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.enable-disable-network             yes   
org.freedesktop.NetworkManager.enable-disable-wifi                no    
org.freedesktop.NetworkManager.enable-disable-wwan                no    
org.freedesktop.NetworkManager.enable-disable-wimax               no    
org.freedesktop.NetworkManager.sleep-wake                         no    
org.freedesktop.NetworkManager.network-control                    yes   
org.freedesktop.NetworkManager.wifi.share.protected               no    
org.freedesktop.NetworkManager.wifi.share.open                    no    
org.freedesktop.NetworkManager.settings.modify.system             yes   
org.freedesktop.NetworkManager.settings.modify.own                auth  
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-statistics          no    
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no    
vm@ubuntu1804:~$ nmcli con up DYNAMIC
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/12)

完成这些之后,我现在可以通过 ssh 以 vm 用户身份执行以下命令:

vm@ubuntu1804:~$ nmcli con up DYNAMIC

相关内容