Allow regular user to `netctl switch-to <profile>`

[ropery]

By adding a polkit rule I was able to use netctl to start or stop profiles without sudo. However, when I tried netctl switch-to that as a regular user, I was surprised to find it required root. I immediately thought it must be a bug. Then a moment later, I realized the reason for root privilege: the profile files are mode 600 so as a user one cannot grep it for interface, hence ensure_root.

Of course, a workaround is just around the corner, use:

netctl stop this; netctl start that

Or more blindly,

netctl stop-all; netctl start that

But still, switch-to requiring root is really surprising, and really not inevitable in principle. I suppose the only reason profile files are mode 600 is that they may contain passwords. The interface surely isn't a secret! What if we isolate the password from the profile by putting it in a separate file? Or something else.

[joukewitteveen]

Thanks for your input!

There can be many things in profile files that may be considered sensitive information (e.g. Pin=, for a mobile_ppp connection). I don't think splitting profile files is a good idea.

Theoretically, we might be able to list running netctl services and find out what interfaces they bind to. If you can come up with a sane implementation of this idea, then I would definitely consider it!

[ropery]

Oh, good idea!
So just a quick note for future reference: for an active $profile,

systemctl show "netctl@$(systemd-escape "$profile").service" --property=BindsTo

produces (e.g.),

BindsTo=sys-subsystem-net-devices-wlan0.device

However, we can't do this with the profile we want to switch to, because it isn't active yet...