Is there any way to disable "Automatically connect to this network when available" permanently by default?

networking network-manager configuration settings
6,298

NetworkManager only connects to a network of you have a profile for it. And NetworkManager does not create profiles, also because it wouldn't know which settings to you. So this security concern seems unwarranted. Yes, if you click in nm-applet, gnome-shell or plasma-nm on a Wi-Fi for which no profile exists, one will be created. But don't click, if you don't want that. And if you accidentally clicked, remove the profile again, that doesn't seem too hurtful.

There is an exception for "NetworkManager does not create profiles". If you didn't configure no-auto-default in NetworkManager.conf, and if you have an Ethernet device without a suitable profile, then NetworkManager will create a profile named 'Wired connection 1'. But if you have a profile, that won't happen. Also, if you delete or modify the generated profile, NM remembers that in /var/lib/NetworkManager/no-auto-default.state file.

Except the no-auto-default case (that you already diabled), NetworkManager does not generate profiles. Connection profiles are in their entirety created by the user (or by some NetworkManager client tool, presumably on behalf of the user). I think the noution that NetworkManager has defaults for properties of a connection profile is not right, and you cannot thus configure a default.

Note there is an exception to this: certain properties allow to be explicitly set to a value that indicates a default, and you can overwrite that default values in NetworkManager.conf. In this case the property of the profile explicitly says to use a default. But that is only implement for certain properties, and would hardly make sense for autoconnect, because those kind of defaults depend on the device (and autoconnect property is independent of a device). See man NetworkManager.conf for these kinds of connection defaults).

Of course, when you use a certain tool to create a profile, that tool may have a default.

For example, if you drop a file to /etc/Networkmanager/system-connections and omit the autoconnect setting, it defaults to true. Solution: when you drop the file, create it with the autoconnect setting unset.

Or for example, if you use nmcli connection add to create a profile, the new profile will be create (by default) with autoconnect enabled. Solution: pass autoconnect no on the command line, or use a shell script that helps you, or use an entirely different tool.

Or for example, if you create the profile via nmcli device connect (which creates a profile if none exists) it will be be created with autoconnect enabled. Solution: don't use this way to create the profile or adjust the profile afterward with nmcli connection modify.

Or for example, if you create the profile with nm-connection-editor, the GUI is preinitialize to autoconnect automatically. Solution: untick the option before clicking "Save".

Of course, usually you create the profile once with the settings you want, and afterwards just use it. So, have the step of profile creation followed by something like nmcli connection modify "$PROFILE" autoconnect no.

Or even for U in $(nmcli -g UUID connection) ; do nmcli connection modify uuid $U autoconnect no; done.

No, most tools (nmcli, nm-connection-editor) don't allow you to define a default values for settings when creating . Instead, they usually allow you to specify the settings while creating the settings. Or create your own tool. NetworkManager's primary goal is to provide an API for network configuration. Use that API and create the profile as you prefer.

As to why most tools have a certain default and not the other, the answer is that this is usually deemed more useful, what most users would want. It's clear that the default value is nor right for everybody, otherwise the option wouldn't be configurable to begin with. The reasons for tying a profile to a certain interface name (or MAC address) are not very strong, but it's because (unless you set connection.multi-connect) a profile can only activate once at a time. It seems preferable in that case to tie the profile to on device.

Share:
6,298
alchemy
Author by

alchemy

Updated on September 18, 2022

Comments

  • alchemy
    alchemy over 1 year

    Is there any way to disable "Automatically connect to this network when available" permanently?

    I have so far been able to shut down NetworkManager in Kubuntu, tried installing network-manager-gnome, checked the config files listed with sudo NetworkManager --print-config including the main /etc/NetworkManager/NetworkManager.conf file (adding no-auto-default=* under [main]), and the individual config files per network connection in ll /etc/NetworkManager/system-connections/. Some of these do show autoconnect=false, but I need false to be the default boolean.

    There must be a template file in /etc or a config file somewhere for this. I just tried sudo grep -R 'autoconnect=true' /etc and in /usr and /var too, with no luck. Any other location suggestions to try? Or does anyone know where the actual default 'true' setting is stored? Or if there is a place to create such a setting. I realize I could create a conf file for each expected network connection, but I want it off for any and all new connections.

    The problem is that it is obviously a security flaw to connect to new networks by default. Also, I want to change the 'All users may connect to this network' to on by default, to stop the KDEWallet popups from interfering with every network change in tandem with the Autoconnect default on. Lastly, bonus if you know how to unset 'Restrict to this device' by default.. why would I want to always limit every network connection to just one device?? ..Thanks!

    PS, Im pretty sure this applies to all Buntus.

    Edit1: a longer response to @thallers answer below..

    • I believe the problem is that the 'default' of not specifying is a boolean True. That is the original flaw in the logic. And it could have security problems.

    • For example, if I have all connection passwords stored in a root protected keyring or wallet, and an attacker gets access to user level operations, all they would have to do is create a new connection to have it be autoconnected to a nearby wifi hotspot with no open authentication.

    • The safest setting for a default would be False for autoconnect, but I understand the desire to onboard new Ubuntu users with easier network connections (probably important also during first installation). However, there should be at least an option to set False as a default for new profiles. Again, there must be a piece of code somewhere, that says set True if not pre-existing, even if that is deep within the OS structure.

    • The problem with 'no-auto-default' is you have to know the new profile name in advance is impossible say if I buy a new wifi router.

    • "Solution: when you drop the file, create it with the autoconnect setting unset." doesn't make logical sense..? That would also default to True..?

    • Again, I conceded some defaults are just not my preference, but the should be a way to set a default differently. Because of the 'no setting equals True' logic, that appears to not be possible.

    • Disagree that useful to tie a network to a device.. so if I plug in another wifi dongle to troubleshoot a connection, or heaven forbid just to change it, I should have to drill into a connection setting to allow that..? On the other hand, I do see a security purpose for locking it down, but again, there should be a way to set the default to allow any device. And again, there must me a piece of code for this, unless by defining a 'Restrict device' feature in terms of negative functionality, in tandem with the 'no setting equals True' logic, it is the same problem. So the possible Solution would be to create a patch for an 'Unrestrict device' feature that would default to true. The same may be for the autoconnect, although the underlying logic problem in the first bullet point is likely the root of it.

  • alchemy
    alchemy almost 4 years
    Hi thaller, thanks for the last one-line there, that may be very useful. I disagree with many of your appraisals of the design intent.. see my Edit1 in my question.. thanks
  • thaller
    thaller almost 4 years
    'no-auto-default' is only for Ethernet. For Wi-Fi, NetworkManager (the daemon) never creates a profile. And, the no-auto-default setting in NetworkManager.conf takes an interface (by name, or MAC address or simply *).
  • thaller
    thaller almost 4 years
    "Solution: when you drop the file, create it with the autoconnect setting unset." means to have a line autoconnect=0. Since you are editing the file with the appropriate content, presumably you can do that.
  • thaller
    thaller almost 4 years
    "all they would have to do is create a new connection to have it be autoconnected to a nearby wifi hotspot". If they can create a profile and activate it, autoconnect doesn't matter (they could just manually activate the profile). Alternatively, don't give the user the permission to create or activate profiles. Of course, that isn't very useful. Also, not sure whether you mean that a user could get the secrets out of the keyring of another user. That is not possible, if you can show how that would be possible, report a bug please.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Missing network settings in KDE
How do I get NetworkManager to assign a fixed MAC address to eth0?
AttributeError: 'Settings' object has no attribute 'ROOT_URLCONF' on Heroku
What's the max value of max_input_time?
configure gvim setting color and font
Save Configuration Settings to XML file in QT?
Laravel load settings from database
How can I configure Gnome Shell Notification settings?
airodump-ng fopen failed: No such file or directory
How can I set a second network interface in ubuntu 16.04?