2.2.4. System-wide and Private Connection Profiles
NetworkManager stores all
connection profiles. A profile is a named collection of settings that can be applied to an interface.
NetworkManager stores these connection profiles for system-wide use (
system connections), as well as all
user connection profiles. Access to the connection profiles is controlled by permissions which are stored by
NetworkManager. See the
nm-settings(5) man page for more information on the
connection settings
permissions property. The permissions correspond to the
USERS directive in the
ifcfg files. If the
USERS directive is not present, the network profile will be available to all users. As an example, the following command in an
ifcfg file will make the connection available only to the users listed:
USERS="joe bob alice"
This can also be set using graphical user interface tools. In
nm-connection-editor, there is the corresponding
All users may connect to this network check box on the
General tab, and in the GNOME
control-center Network settings Identity window, there is the
Make available to other users check box.
NetworkManager's default policy is to allow all users to create and modify system-wide connections. Profiles that should be available at boot time cannot be private because they will not be visible until the user logs in. For example, if user user creates a connection profile user-em2 with the Connect Automatically check box selected but with the Make available to other users not selected, then the connection will not be available at boot time.
To restrict connections and networking, there are two options which can be used alone or in combination:
Clear the Make available to other users check box, which changes the connection to be modifiable and usable only by the user doing the changing.
Use the polkit framework to restrict permissions of general network operations on a per-user basis.
The combination of these two options provides fine-grained security and control over networking. See the
polkit(8) man page for more information on
polkit.
Note that VPN connections are always created as private-per-user, since they are assumed to be more private than a Wi-Fi or Ethernet connection.
Procedure 2.2. Changing a Connection to Be User-specific Instead of System-Wide, or Vice Versa
Depending on the system's policy, you may need root privileges on the system in order to change whether a connection is user-specific or system-wide.
Press the Super key to enter the Activities Overview, type control network and then press Enter. The Network settings tool appears.
Select the network interface from the left-hand-side menu.
Click on the gear wheel icon of a connection profile on the right-hand side menu. If you have only one profile associated with the selected interface the gear wheel icon will be in the lower right-hand-side corner. The Network details window appears.
Select the Identity menu entry on the left. The Network window changes to the identity view.
Select the Make available to other users check box to cause NetworkManager to make the connection available system-wide. Depending on system policy, you may then be prompted for the root password by the PolicyKit application. If so, enter the root password to finalize the change.
Conversely, clear the Make available to other users check box to make the connection user-specific.
