According to the scheme, the library gets information from netctl and can control it. It also provides some additional functions, such as profile creation and removal and access to wpa_supplicant functions. Some functions do not require additional permissions, but others do. All dynamic arguments, including profile names and paths, are enclosed in double quotes to avoid problems with white space. The functions which require root privileges are:
netctl stop-all|start|stop|restart|switch-to|enable|disable|reenable <profile>. These commands provide general control of netctl.
systemctl start|restart|enable <netctl-auto@service>. These commands provide the ability to control the netctl-auto systemd service.
cp command is used for it.
rm command is used for it.
wpa_supplicant only. For further interaction the user must be in CTRL_GROUP.
If the library is initialized with FORCE_SUDO=true, then it will use the sudo command (the path to which can be passed to the library with the SUDO_PATH option). Otherwise it will try to set the UID of child processes to 0. Please note that the sudo command and UID setting will be used only for those commands which require it.
First of all, the helper does not interact with netctl directly; it uses the library to do so. Therefore all library security notes are applicable here. To start the helper and to create DBus services, the user must be in the network group by default (or must be root). You may change this by editing the $DBUS_SYSTEMCONF_PATH/org.netctlgui.helper.conf policy file (/etc/dbus-1/system.d/org.netctlgui.helper.conf by default). Please refer to the DBus documentation to do it.
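As an added illustration (not part of the project's code), the following Python example evaluates a constructed sample policy file to show which principals it lets own or call the helper's DBus name. The bus name org.netctlgui.helper is assumed from the policy file name, and only the own and send_destination rule attributes are evaluated.

```python
import xml.etree.ElementTree as ET

# Assumption: the helper's bus name matches the policy file name.
BUS_NAME = "org.netctlgui.helper"

# Constructed sample policy for illustration (not the file the project ships).
SAMPLE_POLICY = """<busconfig>
  <policy context="default">
    <deny own="org.netctlgui.helper"/>
    <deny send_destination="org.netctlgui.helper"/>
  </policy>
  <policy group="network">
    <allow own="org.netctlgui.helper"/>
    <allow send_destination="org.netctlgui.helper"/>
  </policy>
  <policy user="root">
    <allow own="org.netctlgui.helper"/>
    <allow send_destination="org.netctlgui.helper"/>
  </policy>
</busconfig>"""


def _rank(policy):
    # dbus-daemon applies context="default", then group, then user policies,
    # then context="mandatory"; a later matching rule overrides an earlier one.
    if policy.get("context") == "default":
        return 0
    if policy.get("group") is not None:
        return 1
    if policy.get("user") is not None:
        return 2
    return 3


def granted(policy_xml, action, user, groups=()):
    """True if this file lets the principal perform `action` ("own" or
    "send_destination") on BUS_NAME. Other rule attributes are ignored."""
    decision = False  # this file grants nothing unless a rule allows it
    policies = ET.fromstring(policy_xml).iter("policy")
    for policy in sorted(policies, key=_rank):
        applies = (policy.get("context") in ("default", "mandatory")
                   or policy.get("group") in groups
                   or policy.get("user") == user)
        if not applies:
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule.get(action) == BUS_NAME:
                decision = rule.tag == "allow"
    return decision
```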
By default the netctlgui-helper binary has the capability to set the UID of child processes (CAP_SETUID). If you do not want to grant these capabilities, you may use the -DUSE_CAPABILITIES cmake flag. Please refer to man 7 capabilities for more details.
There are two configuration files: $HOME/.config/netctl-gui.conf and /etc/netctl-gui.conf. The first is the user configuration and the second is system-wide. Please note that by default the user configuration has higher priority than the system-wide one, but when running with the --system flag the user configuration will not be read. The helper and GUI configurations are the same (although some keys aren't needed).
The graphical interface may interact with netctl over DBus (the helper) and over the library. Please refer to their notes for any additional information. If the user uses the helper, he should have permissions to run it.
There are two netctl-based commands which are run from the DataEngine:
<cmd> list
netctl is-enabled <profile>
Neither of them normally requires any additional privileges. The DataEngine also has two other commands which will be run from; they should determine the external IP. Because the user can set any command to run, this module is not secure. However, the commands that are run will not do more than the user can do from the console himself.
The widget gets information from the DataEngine, so it does not require any additional permissions to show information. However, netctl calls are used to control netctl. In this case the commands used are:
netctl enable <profile>
netctl disable <profile>
netctl restart <profile>
netctl start <profile>
netctl stop <profile>
netctl stop-all
netctl switch-to <profile>
netctl-auto switch-to <profile>
All netctl-based commands require root privileges, and sudo (or any other alternative) is normally used as a prefix to the commands. The netctl-auto command does not require additional permissions.
The other way is to use DBus communication with the helper. In this case the user should have rights to start the helper.
© 2014-@CURRENT_YEAR@ @PROJECT_AUTHOR@
This software is licensed under @PROJECT_LICENSE@