On Sun, 11 Oct 2020 00:08:18 +0300 Henrik Ahlgren wrote:
> I've always found it a bit weird and confusing that the first user
> created during installation by d-i is "special" and belongs to a number
> of groups that apparently are mostly unnecessary in the modern world.

I agree that discrepancy between user-setup and adduser is confusing and
should be eliminated.
I came across this bug when I noticed that the netdev group was
necessary to make network-manager-gnome work in stretch
<https://sources.debian.org/src/network-manager-applet/1.4.4-1%2Bdeb9u1/debian/network-manager-gnome.README.Debian/>
but since that time uaccess has made this group mostly unnecessary for
NetworkManager. It is, however, used along with sudo by polkit, causing a
difference related to the creation of system-wide connections:

    nmcli general permissions

User created by installer:

    org.freedesktop.NetworkManager.settings.modify.system yes

Users created by adduser:

    org.freedesktop.NetworkManager.settings.modify.system auth

In addition, I believe user-setup and adduser should have consistent
behavior with respect to the "users" group (may be used to create
directories shared across local users).

> For example, the first
> user is in the video group by default, and according to
> https://wiki.debian.org/SystemGroups
> "This group can be used locally to give a set of users access to a
> video device (like the framebuffer, the videocard or a webcam)" What
> does it mean in practical terms, if I can access /dev/fb0 and
> /dev/dri/cardX? Can I snoop another user's screen while he is logged
> in?

I have no idea if another (remote) user can take a screenshot, but they
can use the webcam. Udev and systemd-logind grant access to audio and video
devices for currently active local users through the uaccess feature, see
<https://bugs.debian.org/821424#61>
So membership in these groups is usually redundant and may cause issues
related to privacy.
I think additional groups should be dropped and it should be announced
in a NEWS file and probably in release notes.
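
An added example, not part of the original message: a shell audit that lists which accounts still hold the static group memberships discussed above, reading group(5) and passwd(5) formatted files. The function names, the `audio` group as the counterpart for audio devices, and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Groups from the message whose device access uaccess already grants to the
# active local session (audio is assumed to be the matching audio group).
LEGACY_GROUPS="netdev video audio"

# list_legacy_members GROUP_FILE [PASSWD_FILE]
# Prints sorted, unique "user group" pairs: supplementary members of the
# legacy groups, plus accounts that use one of them as their primary GID.
list_legacy_members() {
    awk -F: -v wanted="$LEGACY_GROUPS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) legacy[w[i]] = 1 }
        FILENAME == ARGV[1] {            # group(5): name:passwd:gid:members
            if ($1 in legacy) {
                gid2name[$3] = $1
                m = split($4, members, ",")
                for (j = 1; j <= m; j++)
                    if (members[j] != "") print members[j], $1
            }
            next
        }
        ($4 in gid2name) { print $1, gid2name[$4] }   # passwd(5): field 4 is the primary GID
    ' "$1" "${2:-/dev/null}" | LC_ALL=C sort -u
}

# Constructed sample data (not from a real system): alice mimics the
# installer-created user, bob a user created later with adduser.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
users:x:100:
audio:x:29:alice
video:x:44:alice,kiosk
netdev:x:108:alice
bob:x:1001:
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
cam:x:1002:44:Camera service:/nonexistent:/usr/sbin/nologin
EOF
    list_legacy_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}
```

On a live system, `list_legacy_members /etc/group /etc/passwd` gives the accounts to review; a static membership applies to every session of that user, including remote ones, whereas uaccess only covers the active local seat.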