Bug#575309: user-setup: Should stop adding first user to device access groups
Frans Pop wrote:
> I disagree with this proposed change. IMO the default group assignments
> are in line with the purpose of the first user account.

I have three reasons to feel otherwise:

1. IIRC, the reason for adding the initial user to groups has been to provide a good desktop experience. See bugs #352713, #166718. So worrying about the first account not having hardware access when not at the desktop seems like scope creep.

2. Having a non-console user in groups audio and video is a straight-up security exposure. Anything that can be done to close that hole is helpful. (I don't know what the status of revoking group membership on logout is, but even without that, some avenues of exploitation are pretty well closed by not having the first user in the groups statically.)

3. As a matter of principle, I feel there should be nothing special about the first user account. We've had to bend principle for groups and /etc/sudoers, but these were imperfect hacks that suffered from usability problems when, e.g., adding a second user, or upgrading to a new version of Debian.

Now, two issues with the patch:

a. passwd/user-default-groups is a documented preseed variable, so it probably needs to remain available for preseeders to use, and the documentation will need to be updated.

b. I'm missing the list of exactly what groups consolekit puts the console user in, so I can't tell if we have additional groups in our list.

-- 
see shy jo
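As an added illustration of the second point above (static group membership as a standing grant, independent of whether the user is at the console), here is an audit script that lists which accounts hold membership in the device-access groups from the template's default list. It is example code written for this page, not code from the bug report or from the user-setup package; the function names and the sample group file are constructed, and it reads any group(5)-format file so it can be run against a copy of /etc/group from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report or user-setup): audit static
# membership in the device-access groups that passwd/user-default-groups
# listed by default. Function names and the sample data are constructed.

DEVICE_GROUPS="audio cdrom dialout floppy video plugdev netdev powerdev scanner"

# Print "user group" pairs, one per line, for every member of a
# device-access group in a group(5)-format file ($1, default /etc/group).
device_group_members() {
    file="${1:-/etc/group}"
    awk -F: -v groups="$DEVICE_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print members[i], $1
        }' "$file" | sort
}

# Number of distinct accounts holding at least one device-group membership.
device_group_user_count() {
    device_group_members "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Write a constructed group(5) file to $1 for the demonstration below:
# alice plays the "first user" account with static device access.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
audio:x:29:alice,bob
cdrom:x:24:alice
dialout:x:20:
video:x:44:alice
users:x:100:alice,bob
EOF
}

# Stand-alone demonstration against the constructed file.
sample=$(mktemp)
write_sample_group "$sample"
echo "device-group memberships:"
device_group_members "$sample"
echo "accounts with static device access: $(device_group_user_count "$sample")"
rm -f "$sample"
```

Dynamic grants made by consolekit show up as ACLs on the device nodes rather than as entries in /etc/group, so this check covers only the static memberships the thread is about; any account it reports keeps its device access whether or not it is logged in at the console.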
Bug#575309: user-setup: Should stop adding first user to device access groups
On Thu 25 Mar, Joey Hess wrote:
> Frans Pop wrote:
> > I disagree with this proposed change. IMO the default group assignments
> > are in line with the purpose of the first user account.
>
> I have three reasons to feel otherwise:
>
> 1. IIRC, the reason for adding the initial user to groups has been to
> provide a good desktop experience. See bugs #352713, #166718. So worrying
> about the first account not having hardware access when not at the desktop
> seems like scope creep.

I really appreciated being able to get things working without too much hassle when I was a totally new user, and have often been asked by inexperienced users why simple things do not work as expected on a new installation.

I am not involved in setting up more than small networks, and I now demonstrate the differences between users, explain why I set up an initial user account, then often create real users starting from a higher UID with the same UIDs throughout the local network, finally deleting the initial user account.

If it is easy to add new users from a list it is also easy to delete the first account when not required.

-- 
Chris Bell www.chrisbell.org.uk (was www.overview.demon.co.uk)
Microsoft sells you Windows ... Linux gives you the whole house.
Bug#575309: user-setup: Should stop adding first user to device access groups
Package: user-setup
Version: 1.28
Tags: patch

In squeeze, the desktop uses consolekit and friends to grant access to devices for the user in front of the screen. This scales a lot better when there are a lot of users in LDAP or NIS that need to get access to the local devices on their own machine, but not the local devices on other people's machines.

The code in user-setup-apply to add the first user to all the groups in passwd/user-default-groups should no longer be needed. I believe it should be dropped for Squeeze, or at least the default groups used should be trimmed down to nothing.

Here is a patch to remove the code.

Index: user-setup-apply === --- user-setup-apply(revision 58013) +++ user-setup-apply(working copy) @@ -125,13 +125,6 @@ $log $chroot $ROOT chown $USER:$USER /home/$USER /dev/null || true fi - if [ -n $USER ]; then - db_get passwd/user-default-groups - for group in $RET; do - $log $chroot $ROOT adduser $USER $group /dev/null 21 || true - done - fi - db_get passwd/root-login if [ $RET = false ] [ -n $USER ]; then # Ensure sudo is installed, and set up the user to be able Index: debian/user-setup-udeb.templates === --- debian/user-setup-udeb.templates(revision 58013) +++ debian/user-setup-udeb.templates(working copy) @@ -16,12 +16,6 @@ Type: string Description: for internal use only -# Allow preseeding the groups to which the first created user is added -Template: passwd/user-default-groups -Type: string -Default: audio cdrom dialout floppy video plugdev netdev powerdev scanner -Description: for internal use only - Template: passwd/root-login Type: boolean Default: true

Happy hacking,
-- 
Petter Reinholdtsen
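Review bot: In the user-setup-apply hunk, deleting the whole `db_get passwd/user-default-groups` loop removes the only fallback for installations that do not ship consolekit and for preseeders who set that variable, rather than just changing what the default grants. Keeping the `if [ -n $USER ]; then ... done; fi` block and shipping an empty default would reach the stated goal ("trimmed down to nothing") while leaving the documented preseed hook usable; as written, a preseeded `passwd/user-default-groups` value is silently ignored.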
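Review bot: In the debian/user-setup-udeb.templates hunk, removing `Template: passwd/user-default-groups` entirely breaks existing preseed files that reference it, since the name will no longer be a registered template; the corresponding preseeding documentation also needs an update. Suggest retaining the template with `Default:` left empty (and the comment line "Allow preseeding the groups to which the first created user is added") so that the installer still accepts the variable without granting any group by default.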
Bug#575309: user-setup: Should stop adding first user to device access groups
On Wednesday 24 March 2010, Petter Reinholdtsen wrote:
> The code in user-setup-apply to add the first user to all the groups in
> passwd/user-default-groups should no longer be needed. I believe it should
> be dropped for Squeeze, or at least the default groups used should be
> trimmed down to nothing.

What about (server) systems that don't have consolekit installed?

What harm do the current group assignments do? After all, we're only talking about the first user here!
Bug#575309: user-setup: Should stop adding first user to device access groups
[Frans Pop]
> What about (server) systems that don't have consolekit installed?

Yes, what about them? If the local user is to have special privileges, one should install the packages providing such privileges to the local user.

> What harm do the current group assignments do? After all, we're only
> talking about the first user here!

It grants local device access to a user that should not have it. The first user should not have local device access, unless that user is logged in locally on the machine console.

Happy hacking,
-- 
Petter Reinholdtsen
Bug#575309: user-setup: Should stop adding first user to device access groups
On Wednesday 24 March 2010, Petter Reinholdtsen wrote:
> > What about (server) systems that don't have consolekit installed?
>
> Yes, what about them?

On such systems the first user would be left without expected default access to devices.

> If the local user is to have special privileges, one should install the
> packages providing such privileges to the local user.

There's more than one way to Rome. Group membership is a traditional and still valid way to provide rights. Having packages like consolekit installed is not a requirement.

> > What harm do the current group assignments do? After all, we're only
> > talking about the first user here!
>
> It grants local device access to a user that should not have it. The
> first user should not have local device access, unless that user is
> logged in locally on the machine console.

Why should that user not have it? For the purpose of D-I installations the first user is defined as being the admin and/or console user of the system. If you install systems where the first user does not hold that role, you should disable creation of the first user account during installation, or tune the default groups he's made a member of.

I disagree with this proposed change. IMO the default group assignments are in line with the purpose of the first user account.

Cheers,
FJP