I think this is a direct consequence of the commercialisation of the Linux desktop by Canonical, Red Hat, et al, but especially Canonical. The amateurs were pushed out and the professionals swarmed in, and now the requirement was to bring more "converts" from Windows.
A number of bad decisions started to get made as these sponsors became frustrated with the low rate of uptake. One of them, I'm sure, was the perceived need to keep up with the competition, essentially getting into an arms race with the strategy (if there was one) of outdoing Microsoft.
A good example of this is the absurd introduction of PulseAudio, which introduced features that nobody asked for while simultaneously breaking audio for a large number of users including myself. All because a similar (but working) feature was introduced in Vista.
What I can't figure out is how this actually helps that goal anyhow. My fight with policykit (or polkit or whichever the hell one it was) is that with XMonad, I couldn't get network manager to work properly, even when I ran it and its configurator as root. For my own desktop, I'd be happy with either of "tell policykit that 'jerf' can do anything" or "tell policykit that 'root' can do anything", literally the simplest possible configuration.
There appears to be (at least at the time) dick-all documentation on policykit, excepting magic invocations on the Ubuntu forums to do this or that. Reading the configuration files appears to suggest the primary use case for policy kit is to work in large installs like a university lab where the permissions are being portioned out in a highly granular manner via third-party authentication services. If this isn't true, don't blame me for coming to the wrong conclusion. I do not give a shit about any of this. I'm on a single-user machine and the one user can do anything it damned well pleases (to a first approximation). But there is absolutely no clue I could find about how to accomplish this.
By just fucking around and turning off permission checking in every manner I could work out, I eventually got myself into a position where "root" was capable of adding new network, but my normal user is only permitted to switch between existing networks. (Incidentally, read that sentence again, it's actually quite surprising. The result of what I did should have been to let everybody do everything, right? No. Why not? Hell if I know.) This was enough for me to declare victory and move on, but it really isn't a victory.
And the point of me posting all this isn't so much to bitch; that was just a bonus extra. The point is, if this is a "professional" solution to the problem of system permissions, I have no idea how it meets that goal. There seems to be no way for the aforementioned University administrators to learn how to properly configure it for their use cases, no logging to help them get it right. Putting on my sysadmin hat, I'd never trust this system any further than I could throw it, it's so opaque. I would get a bug report that Bob was able to use the video camera when he shouldn't be able to, and I'd push a fix, but I'd have virtually confidence that I'd actually solved the problem, to say nothing of continuously wondering exactly what my permission scheme was permitting to people. To me, it looks worse than a closed source solution... at least the closed source has a support line you could call.
I wonder if NetworkManager or polkit is doing some sort of opaque meddling with POSIX capabilities? The CAP_NET_* options, in particular. I'm grasping at straws here, certainly, but your description of the events leads me to suspect something in that general direction.
A number of bad decisions started to get made as these sponsors became frustrated with the low rate of uptake. One of them, I'm sure, was the perceived need to keep up with the competition, essentially getting into an arms race with the strategy (if there was one) of outdoing Microsoft.
A good example of this is the absurd introduction of PulseAudio, which introduced features that nobody asked for while simultaneously breaking audio for a large number of users including myself. All because a similar (but working) feature was introduced in Vista.