Dear Daniel,
Network manager defines a default security policy that allows altering networking-related settings only when the user sits in front of the computer. This policy in general does make sense, otherwise users would be able to break their active session.
It seems unfortunate that this policy seems to affect VPN settings as well. This issue should definitely be discussed with the Network Manager maintainers. However before doing that, I think should learn more about the current situation. For instance, I'm not sure if x2go registers a proper console-kit session besides the one that is created as part of the ssh connection. I could imagine having a configuration switch to consider 'x2go' remote sessions as "local" at least for testing purposes. I fear we in x2go should really revisit and properly document the design of session management - it is not trivial at all!
Unfortunately, none of the current developers seem to have the resources to do this properly. For instance, as you have noticed yourself, x2goserver-xsession is not installed by default, but TBH, I think this is a bug that is related to the overly strict recommend relationship declaration on the x2goserver package (another wtf from my side). The only documentation for this package is here: http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver-xsession/do...
- Unfortunately, it leaves a lot of questions (such as "what is a Xsession config file", etc.). I'm not sure how to proceed from here, hence, I copy the x2go-dev mailing list as I feel that this user issue indicates a larger, conceptional problem.
What you propose is to introduce a completely new security policy: everyone in a certain group 'netdev' may change everything. This may be appropriate in your scenario, but may not be in others. For instance, have you considered what other packages "use" the netdev group? Are you fully aware about the consequences in terms of additional privileges users gain by being put in that group? Moreover, in a managed environment, where all users are in a network directory such as NIS or LDAP, it is not that simple to add a user to a computer-local group, as the group may have a different group ID on different machines. Such scenarios are not uncommon for larger x2go deployments at all!
Merry Holidays!
On Mon, Dec 24, 2012 at 9:39 AM, Daniel Lindgren <bd.dali@gmail.com> wrote:
... and these steps are also necessary to be able to fully use Network Manager:
Add user to the netdev group.
Create /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla with these settings:
[nm-applet] Identity=unix-group:netdev Action=org.freedesktop.NetworkManager.* ResultAny=yes ResultInactive=no ResultActive=yes
- Reboot.
X2Go-User mailing list X2Go-User@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-user
-- regards, Reinhard