How do I set the policy for users to modify the network state and connections?

You can create a local policy for one or more users.

Create the document where the settings will live...

touch /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla

Add one or more policies...

[Let foo modify system settings for network]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=no
ResultInactive=no
ResultActive=yes

[Do not allow foo to enable/disable networking]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.settings.enable-disable-network
ResultAny=no
ResultInactive=no
ResultActive=no

The key is the ResultActive element which can be set to yes, no, auth_admin, or auth_admin_keep where the latter two will require the password of another user with sudo privileges.

The Action element defines what action will be allowed/disallowed or require authentication with a password. There are options like org.freedesktop.NetworkManager.enable-disable-network for toggling network as enabled/disabled. You can see more options in the /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy file, just look for something like <action id="org.freedesktop.NetworkManager.enable-disable-network"> and read it's description.

You can also set all values with the * wildcard...

[Prevent foo from modifying all network states and settings except with admin password]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep

This will require a password to make ANY change to network settings or state.

You can do this in a single command that could be included in a script...

sudo su -c 'printf "[Prevent foo from modifying all network states and settings]\nIdentity=unix-user:foo\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin" >  /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla'

References:

  • http://manpages.ubuntu.com/manpages/trusty/en/man8/polkit.8.html
  • http://manpages.ubuntu.com/manpages/trusty/en/man8/pklocalauthority.8.html