Ubuntu has a Network Proxy chooser which allows you to select a location (a la MacOSX). This works well enough except that the UI is a bit counter-intuitive (in my humble opinion), which causes me to regularly nuke some predefined setting inadvertently. This is not a big deal though.
However, for Update Manager (and several other tools) to pick up the new proxy settings, you need to push the settings down to the system level. This requires typing your password twice. Now, this IS a big deal.
When I go back and forth between work and home I have to change this at least 2 times per day. Also it irks me that a detail setting like the proxy is not auto-detected and I need to login to change this ‘system’ setting. My laptop is essentially a single user system and I do not see switching the proxy as a serious security issue, even with 3 kids running around the home.
To come back to auto-detection, while this works fine at work, it fails to figure out that at home there is a direct connection to the Internet. I can probably fix this by replacing my aging wireless router with my Time Capsule as the Internet gateway router, but I prefer to have the Time Capsule close to my desk.
In any case, the Network Proxy tool shows the authentication dialog box twice. A particularly nice feature (is this new in Natty?) is that the dialog shows for which DBUS setting access is being asked.
The first dialog asks for access to com.ubuntu.systemservice.setProxy. The response to this request is configured in the file /usr/share/polkit-1/actions/com.ubuntu.systemservice.policy. This is a very readable XML file which contains a section for the setProxy action. I feel no reservation in allowing unchecked access to setProxy. Although this might make a man-in-the-middle attack easier, someone with the sophistication to pull this off does not need to doctor my PC to do it.
<action id="com.ubuntu.systemservice.setproxy">
  <description>Set current global proxy</description>
  <message>System policy prevents setting proxy settings</message>
  <defaults>
    <!-- PTI : original settings
    <allow_inactive>no</allow_inactive>
    <allow_active>auth_admin_keep</allow_active>
    -->
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>
Retrying, and indeed one of the authentication requests dropped.
Note that the action was configured with auth_admin_keep, which according to the docs would mean we should be authenticated for some time, so I would not expect the second authentication I am getting. Must be a subtlety which escapes me at the moment.
The second action is more problematic since the set-system on the system gconf settings is much less fine-grained than setProxy and can potentially cause more damage to the system.
<action id="org.gnome.gconf.defaults.set-system">
  <description gettext-domain="GConf2">Change GConf system values</description>
  <message gettext-domain="GConf2">Privileges are required to change GConf system values</message>
  <defaults>
    <allow_inactive>no</allow_inactive>
    <!-- PTI: Original setting
    <allow_active>auth_admin</allow_active>
    -->
    <allow_active>yes</allow_active>
  </defaults>
</action>
After relaxing this second method, I can finally easily switch proxies between Locations.
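Edits like the two above are easy to forget once they work. The following Python script is an added example, not part of the original post: it parses polkit policy XML in the format shown above and lists every action whose defaults grant yes without authentication. The sample document is constructed, and example.untouched.action is a made-up id used as a control.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two relaxed actions quoted in the post,
# plus a made-up control action that still requires authentication.
SAMPLE_POLICY = """<policyconfig>
  <action id="com.ubuntu.systemservice.setproxy">
    <defaults>
      <!-- PTI : original settings
      <allow_active>auth_admin_keep</allow_active>
      -->
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.gnome.gconf.defaults.set-system">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="example.untouched.action">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

# The three implicit-authorization keys a polkit <defaults> block may carry.
SESSION_KEYS = ("allow_any", "allow_inactive", "allow_active")

def relaxed_actions(policy_xml):
    """Return {action_id: [keys set to 'yes']} for actions that skip authentication."""
    root = ET.fromstring(policy_xml)  # XML comments are ignored by the parser
    findings = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        open_keys = [key for key in SESSION_KEYS
                     if (defaults.findtext(key) or "").strip() == "yes"]
        if open_keys:
            findings[action.get("id")] = open_keys
    return findings

if __name__ == "__main__":
    for action_id, keys in relaxed_actions(SAMPLE_POLICY).items():
        print(f"{action_id}: no authentication for {', '.join(keys)}")
```

To audit a real system, pass the text of each .policy file under /usr/share/polkit-1/actions/ to relaxed_actions.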
There are several things bugging me:
- The set-system method really is too wide in scope.
- There should be a more elegant way than modifying files under /usr/share.
- My system should actually switch location unaided.
For the time being, I fixed a frustration and learned something in the process. The result is not yet fully satisfactory, but that will improve over time.
- Tutorial explaining editing static files
- pklocalauthority man page
- Install Updates as Unprivileged User
Of course, there is a more elegant solution than editing files under the /usr/share folder.
Everything is explained in the man pages pklocalauthority and PolicyKit.conf (among others).
But that’s for another day…