Prevent Users From Fiddling With Network?


I almost had a panic attack when I realized that a user logged in with the GUI (X11) can turn off (and on) network interfaces, without being in the sudoers file. Wow, this is scary to see on workstations I manage centrally. Even though I did accept that a local user is able to execute the command “shutdown” (which distinguished RedHat and CentOS from other Linux flavors: after all, a local user can yank the power cord out of the wall).

Sorry about my little rant above. Could someone point me in the right direction as to how I disable the ability of (local, logged in through X11) users to fiddle with network interfaces? Even worse, they can create a new profile and define interfaces to behave differently… In the past I could just add

USERCTL="no"

into the interface ifcfg-… file inside /etc/sysconfig/network-scripts, which doesn’t seem to have any effect on the latest CentOS 7. What is my pilot error here? (Ignorant of the new shiny, extremely MS-Windows-like – for an _ignorant_ person, me – system.)

Thanks a lot for all your help!
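On CentOS 7 the decision the original poster wants to take away from desktop users is made by polkit, not by USERCTL in the ifcfg files: NetworkManager asks polkit before it lets a session bring an interface down or save a new connection profile. The rule below is an added example written for this page; it is not the solution Thomas posted (which the page does not reproduce). The file name, the choice of wheel as the administrator group, and the stand-in polkit object used when running it outside polkitd are assumptions. Polkit rules are JavaScript, so the same text serves as a .rules file under /etc/polkit-1/rules.d/ and as a file you can run under node to check the decision logic before deploying it.

```javascript
// Hypothetical path: /etc/polkit-1/rules.d/10-lock-networkmanager.rules
// polkitd reads rules files in lexical order and uses the first result that
// is not NOT_HANDLED, so a low number lets this rule decide before the defaults.

// Stand-in for polkitd's global `polkit` object. It is only created when this
// file runs outside polkitd (e.g. under node) so the logic can be unit-tested;
// inside polkitd the real object already exists and this block is skipped.
if (typeof polkit === "undefined") {
    globalThis.polkit = {
        Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
        addRule: function () {}
    };
}

var NM_ACTION_PREFIX = "org.freedesktop.NetworkManager."; // every NetworkManager action id starts with this
var ADMIN_GROUP = "wheel";                                  // assumption: local admins are members of wheel

// Deny every NetworkManager action to users outside ADMIN_GROUP.
// Admins fall through (NOT_HANDLED) so NetworkManager's shipped policy still
// applies to them; everyone else gets a hard NO, i.e. the action is refused
// without even offering a password prompt.
function lockNetworkManager(action, subject) {
    if (action.id.indexOf(NM_ACTION_PREFIX) !== 0) {
        return polkit.Result.NOT_HANDLED; // unrelated action, let other rules decide
    }
    if (subject.isInGroup(ADMIN_GROUP)) {
        return polkit.Result.NOT_HANDLED;
    }
    return polkit.Result.NO;
}

polkit.addRule(lockNetworkManager);

// Check helper for use outside polkitd: builds a minimal Subject exposing the
// one method the rule touches (isInGroup) and returns the rule's decision.
function decide(actionId, groups) {
    var subject = { isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
    return lockNetworkManager({ id: actionId }, subject);
}
```

The prefix match is deliberately broad: it covers the on/off toggle (`org.freedesktop.NetworkManager.enable-disable-network`), creating or editing system-wide profiles (`org.freedesktop.NetworkManager.settings.modify.system`) and per-user profiles (`org.freedesktop.NetworkManager.settings.modify.own`), which is what a centrally managed wired workstation wants. On laptops you would more likely list only the action ids you care about, since the blanket deny also stops non-admins from doing harmless things such as selecting a Wi-Fi network. The `typeof polkit` guard can be dropped from the installed copy; it exists only so the file runs under node.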

11 thoughts on - Prevent Users From Fiddling With Network?

  • Would not being in sudoers prevent them from pulling the cord out? The rationale for the control is well justified for users with multiple interfaces and is simply a convenience for something they could always do under any condition anyway.

  • Well, this is my longstanding rant against RedHat and friends. Take a look at what Fedora is doing before blithely throwing it into RedHat. Most Fedora stuff is for single-user laptops, and frankly, a lot of it seems developed by people with no concept of system administration. Things like this. One bug, back when I cared enough to file bug reports (at a FreeBSD shop these days, so it affects me less), was when PackageKit or some other GUI allowed any user to install and update any package without authorization.

    Too many things to make things easy for the less experienced user, which makes sense for Fedora, get put into RedHat, and they shouldn’t.

    I wish there were a bit more competition for commercial Linux for RedHat here in the US so that they’d have to pay more attention to their user base.

  • Well, I guess we see Microsoft money invested into (“donated” to? ;-) RedHat at work. Yes, my servers have been FreeBSD for a long time already, but as we have to use Linux for a wide variety of stuff, we may need to start looking at which other distribution (better from a sysadmin’s perspective) to flee to. Scott, I’d be glad to hear your advice on that matter. (As a CentOS public mirror maintainer I will keep maintaining that indefinitely as a token of gratitude to the project that gave us so much over a long time.)

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Unfortunately, no advice. I haven’t used Debian as anything but a laptop install for a long time, but their developers did, in the past, seem to have better ideas of system administration. They have their own issues, of course, nothing is perfect.

  • As Scott said, nothing is perfect.

  • Thanks Scott and Leroy for your advice. I agree, Ubuntu almost from the very beginning was (IMHO) aimed at being a single-user laptop or desktop system. Being a Debian replica, _that_ was what differentiated it from Debian. Debian, though very rich and independent (not backed by a company – even one with an excellent reputation), had its quirks. I bet everybody remembers the random number generator flop that was on Debian and all its clones for about 4 years before it became publicly known and fixed (basically, someone commented out a fair chunk of the random number generator code for debugging and left it that way – so all random numbers had only the first 4 bits random and the rest deterministically predictable from those). All Debian (and clone) admins had to re-generate all key pairs, certificates, etc., and live guessing whether bad guys ever visited their systems, or rebuild those. I do not recollect a flop like that on the RedHat side (praising the good guys again, though not liking their direction now). So, I’m still looking for a centrally manageable and en-masse-installable Linux system (my users do need to run a variety of code written on and for Linux) – thanks for the suggestions everybody!

    Valeri


  • Thank you, Thomas, for the solution!

    I remember, when I started using RedHat at least a decade and a half back, it was pretty tightly put together. The only major things I was changing in inittab were adding a requirement to enter the root password for single-user mode, and on servers disabling reboot from the keyboard on ctrl+alt+del:

    ~~:S:wait:/sbin/sulogin
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

    … not anymore; it is as loose as a personal laptop (single user!) these days. MS money invested into RedHat at work!

    Valeri


  • Yes, I agree on that. However, psychologically pulling the AC power cord (or executing the shutdown command) is a more grave action than pressing the toggle “on/off” switch image for a network interface, thus killing the network connection. So, I both agree and disagree with you. Namely, as with power, I agree that a local user (especially one armed with a screwdriver) can do a lot. Yet, I disagree that a centrally managed “UNIX-like” (allegedly) workstation can be easily subverted in a variety of ways by a local user, effectively obliterating what the sysadmin configured with something specific in mind.

    My apologies, everybody. If I had held back from putting my rant in when I asked for help, there wouldn’t be any abstract discussion on a topic none of us can affect…

  • If it were not for creative editing/clipping I would show that I meant the power cord as the equivalent of shutdown, leaving the network cable as the equivalent of turning off an interface out of the discussion (or implied as such). Being the moron I am, I’m not against everybody having some laughs at my expense whenever possible… I still would prefer not this sidetracked discussion (I know I have myself to blame for that), but some push towards disabling local users’ ability to fiddle with network settings short of uninstalling the NetworkManager GUI and friends. I got one general pointer already (thanks, James!). Didn’t do careful reading on that yet, so any straight guidance is still welcome!

  • Yes, I can understand the rationale as above – if it is somebody’s laptop. Or someone’s home computer. But it is arguable if it is a centrally managed workstation. This ability to screw settings up is a pain for a sysadmin if the workstation sits in a common area (like a library) and multiple users can access it, and even if it is a workstation that is basically a single-user one but has to be managed centrally. I rest my case. Basically, all _I_ said on this sidetracked thread should be treated as enclosed in “rant” tags ;-)