WIFI network management

Hi to all,
I have to solve this task:
########################

Laptops are used for educational purposes in school. They are using Xfce / network-manager at the moment.

  • the laptops should connect to the school WIFI automatically. Users are not allowed to access settings (e.g. read the WPA password). If connection gets instable they should not get shown the “enter password box” with ability to unhide the password.
  • if the laptop is outside the reach of the school WIFI users should be able to manage connections to other WIFIs they can access.

########################

I have had the idea to set up the school connection using an “admin account” and share the connection with all users. I thought that in this case other users can connect to the network but cannot show or modify settings, but this does not work. I have already dug through the net and found that networkmanager seems to be unfinished in “security related things”.
Question(s):

  • is there a solution for solving my task using networkmanager?
  • if not: can I use other network managing tools to solve my task?

Hope there is a solution… Any help appreciated!


OK - I already thought that there is actually no solution for this (in my eyes “standard” and “simple”) task. But hey: I am on Gnu/Linux! I will build a new network-manager-applet which solves the task…

Examine these 2 scripts. They need zenity (or can be rewritten with yad).

#!/bin/bash
# Connect to a wifi network using command nmcli
# zenity prints the two form fields separated by "|" and exits non-zero on Cancel
idpw=$(zenity --forms \
       --text "Selected WIFI" \
       --add-entry "Enter WI-FI Network" \
       --add-password "Enter password" ) || exit 1
# Split on the first "|" only, so a password containing "|" stays intact
IFS='|' read -r ssid pw <<< "$idpw"
# Quote both values: SSIDs may contain spaces
nmcli d wifi connect "$ssid" password "$pw"

If the SSID of the wifi network is not known, use this and copy its name.

# Per-user temp file instead of a fixed name in the shared /tmp
tmp=$(mktemp)
nmcli -t -f IN-USE,SSID,BARS d wifi | awk -F':' '{print $1 "\t" $2 "\t" $3}' > "$tmp"
zenity --text-info \
	--title "WIFI Networks" \
	--filename "$tmp"
rm -f "$tmp"

Zenity is for making it a bit harder to reach the terminal, to make it ‘captive’ as it was called in VMS.

Edit: As yad is a successor of zenity and it is installed by default, here is a better or simpler version using yad:

# Per-user temp file instead of a fixed name in the shared /tmp
tmp=$(mktemp)
nmcli -t -f SSID d wifi > "$tmp"
sid=$(yad  --height=300 --width=500 \
    --column=SSID \
	--title="--dclick-action=CMD" --separator="\n" --list --dclick-action="nmcli d wifi connect "\
	 <"$tmp" )
rm -f "$tmp"
# Nothing selected (Cancel/Escape, or connected by double-click): stop here
[ -z "$sid" ] && exit 0
# If not double-click ie. OK: ask for the password (no pre-filled text, it would be sent as part of the password)
pw=$(yad --text-align=center --text="$sid" --entry --entry-label=password --hide-text) || exit 1
nmcli d wifi connect "$sid" password "$pw"

So if the user has already used a wifi and the password is stored, then double-clicking the line of the wifi is enough.
If he/she selects a wifi and presses OK, then a new window below asks for the password. Then OK, and it hopefully gets connected.
Edit2: You may remove or mv nmtui as the user can show the stored wifi passwords by using it. By the way, what parts of the system are unreachable for the students? Or a shorter list: what is allowed?
Edit3:
This is my pre-release version 0.1 for this task:

#!/bin/bash
# Shows active network for 5 sec (name of the first active wireless profile; no temp file needed)
acn=$(nmcli -t -f NAME,TYPE con show --active | awk -F: '$2 == "802-11-wireless" {print $1; exit}')
printf '%s\n' "$acn" \
	| yad  --title=IN-USE --width=80 --height=50 --text-info --timeout=5 --autohide \
		   --center --button="Disconnect":3
exval=$?
case $exval in
   3) [ -n "$acn" ] && nmcli c down "$acn";;   # "Disconnect" button pressed
   252) echo "You pressed ESCAPE key or closed the window.";;
esac
# Select network by double-click or up-down arrows and Return
nmcli -t -f SSID d wifi | yad  --height=300 --width=290 --column=SSID \
	--title="--dclick-action=CMD" --list --dclick-action="nmcli d wifi connect " \
	--timeout=11 --autohide

Feel free to refine it.


Many thanks for sharing this. In the meantime I have solved this by a simple change (one line) in the nm-applet sources and recompiling nm-applet. If I put the new nm-applet in /usr/local/bin nothing else must be changed, the package “network-manager-applet” is left untouched and can fully be maintained by pacman. The additional goal: if the students take the devices to their home they do have full access to their private WIFIs without any additional steps. Only the password for the one critical WIFI is permanently hidden.

I found the checkbox for showing the WIFI password in the source code, but the make procedure is not clear and I gave up tinkering.
AFAIK if someone once entered the password and the student can reach nmtui, then you have lost the battle.

I have put two lines in rc.local where nmtui and nmtui-edit are chmod'ed at every boot so that they are not accessible to student accounts - that fixed this hole.

EDIT:
make procedure for network-manager-applet:
cd into the directory network-manager-applet-main
./autogen.sh
make
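As an added example (not from this thread or from NetworkManager), here is a small audit script for the defender side of what is discussed above: it checks that the school profile is a root-only, shared (not user-owned) keyfile that actually stores the PSK, that nmtui and nmtui-edit are no longer executable by everyone, and, when run as root with STUDENT set, that a student account cannot pull the PSK out through nmcli. It assumes keyfile-backed profiles under /etc/NetworkManager/system-connections; the profile name SchoolWifi is a placeholder.

```shell
#!/bin/sh
# Audit of the locked-down school Wi-Fi setup (added example, not from the thread).
# Assumptions: keyfile profiles in /etc/NetworkManager/system-connections, students are
# not in the group owning nmtui, "SchoolWifi" is a placeholder profile name.
SCHOOL_PROFILE=/etc/NetworkManager/system-connections/SchoolWifi.nmconnection

# 0 when FILE is owned by OWNER (default root) and group/others have no permission bits at all.
keyfile_locked_down() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || return 1
    [ "$(stat -c '%U' "$file")" = "$owner" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# 0 when the ini-style keyfile FILE has a non-empty KEY inside [SECTION].
keyfile_has_value() {
    [ -f "$1" ] || return 1
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/ { cur = $0 }
        cur == sec && $1 == key && $2 != "" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 0 when PATH (symlinks followed; nmtui-edit links to nmtui) has no execute bit for "others".
not_runnable_by_others() {
    mode=$(stat -L -c '%a' "$1") || return 1
    [ $(( 0$mode & 01 )) -eq 0 ]
}

# Run as root: 0 when USER cannot obtain the PSK of profile NAME through nmcli.
psk_hidden_from_user() {
    out=$(runuser -u "$1" -- nmcli -s -g 802-11-wireless-security.psk connection show "$2" 2>/dev/null)
    [ -z "$out" ]
}

audit() {
    rc=0
    keyfile_locked_down "$SCHOOL_PROFILE" || { echo "FAIL: $SCHOOL_PROFILE is not root-only"; rc=1; }
    keyfile_has_value "$SCHOOL_PROFILE" wifi-security psk || { echo "FAIL: no PSK stored in profile"; rc=1; }
    keyfile_has_value "$SCHOOL_PROFILE" connection permissions && { echo "FAIL: profile is user-owned, not shared"; rc=1; }
    for bin in /usr/bin/nmtui /usr/bin/nmtui-edit; do
        not_runnable_by_others "$bin" || { echo "FAIL: $bin is executable by everyone"; rc=1; }
    done
    [ -n "$STUDENT" ] && { psk_hidden_from_user "$STUDENT" SchoolWifi || { echo "FAIL: $STUDENT can read the PSK"; rc=1; }; }
    return $rc
}
if [ "${1-}" = run ]; then audit; fi
```

Run it as `sudo STUDENT=<student account> ./audit.sh run` after a maintenance run; any FAIL line means one of the doors discussed in this thread is open again.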

IgnorePkg = network-manager-applet
I suppose this line is in /etc/pacman.conf
I made a ‘vivisection’, a cruel way to remove nm-applet from the taskbar (although it is started in Autostart, but as root):

# keep a copy of the real applet under another name
sudo cp /usr/bin/nm-applet /usr/bin/nm-applet18
# replace the applet with a harmless binary so the autostarted nm-applet does nothing
sudo cp /usr/bin/whatis /usr/bin/nm-applet

Primitive but works.
I put this script in ~/.local/share and start it at login from Autostart to see whether the user is connected:

#!/bin/bash
# Select network by double-click or Arrows and Return
nmcli -t -f SSID d wifi | yad  --height=300 --width=290 --column=SSID \
	--title="--dclick-action=CMD" --list --dclick-action="nmcli d wifi connect " \
	--timeout=11 --autohide
# Shows active network for 5 sec (name of the first active wireless profile; no temp file needed)
acn=$(nmcli -t -f NAME,TYPE con show --active | awk -F: '$2 == "802-11-wireless" {print $1; exit}')
printf '%s\n' "$acn" \
	| yad  --title=IN-USE --width=80 --height=50 --text-info --timeout=5 --autohide \
		   --center --button="Disconnect":3
exval=$?
case $exval in
   3) [ -n "$acn" ] && nmcli c down "$acn";;   # "Disconnect" button pressed
   252) echo "You pressed ESCAPE key or closed the window.";;
esac

Sorry for repeating myself.

I wonder why not host a repo for those systems that has your version of the applet? This would be arguably less work than what you're doing now.

You can create a PKGBUILD for it and then won't have to manually put it into /usr/local/bin on each system; you just make any changes you need to the PKGBUILD and push it to the repo, which then propagates to all the systems with that repo.

I'd also question if maybe GNOME as a DE might better serve this situation with its parental controls (idk how robust they are though). I'm not sure if that's an option though.

I'm confident there are better ways to mask this vs rc.local, which is technically these days just a systemd service that mimics rc.local. I'll have to look into what is considered the correct way to mask these so as to prevent certain users from accessing it.

EDIT: here is one way using aliases only applied to certain users

you can try setting up permissions using groups to restrict access
https://wiki.archlinux.org/title/Users_and_groups

here is the restricted shell

There is a Linux server already present which has a local repository - this reduces external bandwidth at updates to all clients significantly. The clients are maintained from this server. Adding/removing files on all of them, editing scripts and changing permissions are broken down to one bash script which runs on the server and addresses all clients via ssh, so every procedure only has to be done once.

Of course a Linux specialist will be able to find a solution to hack into the system. This scenario has been running for four years, and the password was retrieved some weeks ago due to a WIFI access point failure. I think the now closed door “nm-applet” will work for the next years.

“Restricted shell” is not usable here because there are groups of students, created on the fly, who are working on projects where some can read and some can read/write. They need more than a handful of commands.

Yes: rc.local is a systemd job and it is “from former times”. But it solves this task (and some others where it is used) perfectly. The now running solution satisfies me completely; all clients were modified during the last maintenance run.