Security Boundaries: Network Management widget

    I've been messing around with VPN settings, and was expecting the settings to be stored somewhere like /home/user/.kde/share/apps/networkmanagement, but it seems that changes made in NM have an effect at the root filesystem level (/etc/NetworkManager/system-connections). Since I didn't have to enter a password to do this, I was a bit surprised. If I add a VPN, then depending on its configuration it can be available to all users.

    What's the deal here? I get that this doesn't necessarily affect other users (they aren't connected to the VPN by default), but it seems like an easy social engineering attack method, to add a bogus VPN to the account of one user to tempt all other users on the system into using it.

    Are there many other examples like this?

    Seasoned Linux veterans, please expose my ignorance!
    samhobbs.co.uk

    #2
    The Network Manager Ubuntu Community wiki ( https://help.ubuntu.com/community/NetworkManager ) says:

    User Settings and System Settings

    All the connection configuration files will be stored here.

    /etc/NetworkManager
    /etc/NetworkManager/system-connections
    User settings are defined as files in those directories that include specific access controls to limit the access to a specific user.
    Have you tried ?

    - How to Ask a Question on the Internet and Get It Answered
    - How To Ask Questions The Smart Way



      #3
      Thanks, I've seen the access controls and understand how they can be changed from the GUI.

      The thing that is puzzling me is that when I create a new connection, a new configuration file is created and that file is owned by root, but I didn't have to enter my sudo password.

      Many other services seem to have a system-wide configuration (owned by root) that has some kind of include statement to user-owned configuration in the home directory. I don't understand why this isn't the case for network settings.

      I suppose if the box was a server and two people were logged in remotely, and one of them changed the WiFi settings, it would affect the other user too (or can you connect to two access points at once?).

      Has an exception been made for network settings because, from a practical point of view, you wouldn't be able to get much done as a normal user if you were unable to connect to a WiFi network?
      samhobbs.co.uk



        #4
        Hint: take a look at the description for the package policykit-desktop-privileges.

        btw... "security boundaries"? You're really picking this stuff up fast, aren't you? That's the precise language to use in this situation. I'm so proud
        Last edited by SteveRiley; Oct 21, 2014, 02:33 AM.



          #5
          I only picked that up because you gave such an accessible explanation somewhere else on the forum... I do try to listen

          Thanks for that hint, I've discovered /usr/share/polkit-1/actions/org.freedesktop/NetworkManager.policy, interesting that it's in XML.

          My server is pretty much running stock kubuntu, I'm trying to decide if it's worth changing some of those settings (not necessarily just NM), or if they don't really matter. I am the only person with shell access to the server, although there is one other user with a system account (my brother, the files for his website are owned by his user and he has to enter his FTP password from within WordPress to update his site/install plugins etc.). He can't log in via SSH because there are no authorised keys for his account, and password authentication is disabled.
          samhobbs.co.uk
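
Added example (not part of any post in this thread, and not code from NetworkManager or polkit): a small audit of a polkit `.policy` XML file like the one mentioned in #5, listing the actions whose implicit defaults are `yes`, meaning they are granted with no password prompt. The `org.example.*` action ids and their values are constructed for illustration, and `parse_policy` and `passwordless` are hypothetical helper names.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the polkit .policy layout. The action ids and results
# are made up for this example, not copied from a shipped policy file.
SAMPLE_POLICY = """<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <action id="org.example.net.settings.modify.own">
    <defaults>
      <allow_any>auth_self_keep</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.net.settings.modify.system">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")

def parse_policy(xml_text):
    """Map each action id to its implicit result per session scope."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        # A scope the file leaves out is reported as "no" (not authorized).
        actions[action.get("id")] = {
            s: (defaults.findtext(s, "no").strip() if defaults is not None else "no")
            for s in SCOPES
        }
    return actions

def passwordless(actions):
    """Sorted (action id, scope) pairs granted without any password prompt."""
    return sorted((a, s) for a, d in actions.items()
                  for s, r in d.items() if r == "yes")

if __name__ == "__main__":
    # Pass a .policy path to audit a real file; otherwise use the sample.
    text = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_POLICY
    for action_id, scope in passwordless(parse_policy(text)):
        print(f"{action_id}: {scope} = yes (no prompt)")
```

A `.policy` file holds only the implicit defaults; polkit authority rules installed elsewhere on the system can override them, so an action that shows `auth_admin_keep` here may still be granted without a prompt.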



            #6
            I wouldn't worry about it. The only thing provided by those PolicyKit privileges is a few password prompt exceptions for someone already logged in with administrative rights.



              #7
              Ah, that's fine then, if someone gets that far I'm already well and truly pwned!
              samhobbs.co.uk
