Your message dated Fri, 22 Jun 2012 11:02:09 +0000
with message-id <[email protected]>
and subject line Bug#650553: fixed in base-passwd 3.5.25
has caused the Debian Bug report #650553,
regarding base-passwd: should explain sudo group's meaning when policykit-1 is installed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
650553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: base-passwd
Version: 3.5.23
Severity: normal
File: /usr/share/doc/base-passwd/users-and-groups.txt.gz
Tags: patch
Usertags: pca-authentication

Hi there!

The discussion started at:

  <http://lists.debian.org/[email protected]>
  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649385#17>

On Mon, 21 Nov 2011 00:29:06 +0100, Luca Capello wrote:
> On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
>> On Sunday, 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>>> It is not about what I do or do not want, sudo != administrator, as
>>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>>> also #600700 for the current real situation):
>>> 
>>>   sudo
>>> 
>>>     Members of this group do not need to type their password when using sudo.
>>>     See /usr/share/doc/sudo/OPTIONS.
>>
>> Obviously this documentation is incorrect and needs fixing. Could you
>> file a bug about this?
>
> First, have you checked #600700, as I suggested?  And if the current
> sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
> one complaining), yes, I will be glad to file a bug against base-passwd.

Here I am, not replying to #600700 because IMHO these are two different
issues: #600700 is about sudo's behavior for users in the sudo's group,
this bug is about the meaning of sudo's group when policykit-1 is
installed, starting from version 0.96-4, see #532499.

> On Sun, 20 Nov 2011 21:01:33 +0100, Michael Biebl wrote:
>> On 20.11.2011 19:30, Luca Capello wrote:
>>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>>> grants any privilege to members in the sudo group *without* checking if
>>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
> [...]
>>> It is not about what I do or do not want, sudo != administrator, as
>>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>>> also #600700 for the current real situation):
>>
>> This was discussed before the squeeze release. We were looking for a
>> mechanism how we could grant administrative privileges to users (eg. if
>> installed with a disabled root account).
>> We decided to use a group for this purpose. I personally favored to use
>> group "admin", but due to various reasons (similarity to adm, etc) we
>> finally agreed to use group sudo for that. We, that included the sudo
>> maintainer.
>>
>> So, I fail to see how you consider this abusing sudo.
>
> Because if a user is in group 'sudo', even if there is no more sudo
> package installed, PolicyKit will still grant all permissions to that
> user.  Which means that I do not consider using a group to grant
> administrative privileges to user as abusing sudo, but how PolicyKit
> exploits this situation.

The following patch addresses both #600700 and this bug:

--8<---------------cut here---------------start------------->8---
--- -   2011-11-30 20:52:06.275285986 +0100
+++ users-and-groups.txt        2011-11-30 20:52:00.646099578 +0100
@@ -311,8 +311,9 @@

 sudo

-    Members of this group do not need to type their password when using sudo.
-    See /usr/share/doc/sudo/OPTIONS.
+    Members of this group may run any command as any user when using sudo
+    or pkexec (from the policykit-1 package, independently if the sudo
+    package is installed).

 audio

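Review bot: in the added sudo paragraph, "independently if the sudo package is installed" is ungrammatical, and the sentence states as unconditional something that depends on configuration. Suggest "regardless of whether the sudo package is installed", and name the two places that make it true (the group's entry in /etc/sudoers and /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf) so an administrator knows what to change. The hunk also drops the pointer to /usr/share/doc/sudo/OPTIONS without giving a replacement reference.
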
--8<---------------cut here---------------end--------------->8---

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages base-passwd depends on:
ii  libc6  2.13-21

base-passwd recommends no packages.

base-passwd suggests no packages.

-- no debconf information


--- End Message ---
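
The mismatch described in the report above (a group that polkit treats as administrators without /etc/sudoers listing it) can be checked mechanically. The following is an added example, not part of the original message or of any Debian package. The sample file contents are constructed, the "AdminIdentities=unix-group:..." line is the assumed content of the 51-debian-sudo.conf file named in the report, and only supplementary members from /etc/group and plain "%group" sudoers rules are considered (no aliases or includes).

```python
import re

# Constructed sample inputs (not taken from the bug report).
GROUP = "root:x:0:\nsudo:x:27:alice,bob\naudio:x:29:alice\n"
SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n# %sudo ALL=(ALL:ALL) ALL\n"
# Assumed contents of /etc/polkit-1/localauthority.conf.d/, keyed by file name.
POLKIT_CONF = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "51-debian-sudo.conf": "[Configuration]\nAdminIdentities=unix-group:sudo\n",
}

def group_members(group_text, name):
    """Supplementary members of a group, from /etc/group-style text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == name:
            return [m for m in fields[3].split(",") if m]
    return []

def sudoers_groups(sudoers_text):
    """Groups that have an active (uncommented) %group rule."""
    groups = set()
    for line in sudoers_text.splitlines():
        m = re.match(r"\s*%([A-Za-z0-9_.-]+)\s+\S", line)
        if m:
            groups.add(m.group(1))
    return groups

def polkit_admin_groups(conf_files):
    """Effective admin groups: files read in name order, last setting wins."""
    identities = []
    for name in sorted(conf_files):
        for line in conf_files[name].splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "AdminIdentities":
                identities = [i.strip() for i in value.split(";") if i.strip()]
    return {i.split(":", 1)[1] for i in identities if i.startswith("unix-group:")}

def polkit_only_admins(group_text, sudoers_text, conf_files):
    """Members of groups that polkit treats as admin but sudoers does not list."""
    result = {}
    extra = polkit_admin_groups(conf_files) - sudoers_groups(sudoers_text)
    for grp in sorted(extra):
        members = group_members(group_text, grp)
        if members:
            result[grp] = members
    return result

if __name__ == "__main__":
    print(polkit_only_admins(GROUP, SUDOERS, POLKIT_CONF))
```

On a real system, pass the contents of /etc/group, /etc/sudoers and the localauthority.conf.d files instead of the constructed samples.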
--- Begin Message ---
Source: base-passwd
Source-Version: 3.5.25

We believe that the bug you reported is fixed in the latest version of
base-passwd, which is due to be installed in the Debian FTP archive:

base-passwd_3.5.25.dsc
  to main/b/base-passwd/base-passwd_3.5.25.dsc
base-passwd_3.5.25.tar.gz
  to main/b/base-passwd/base-passwd_3.5.25.tar.gz
base-passwd_3.5.25_i386.deb
  to main/b/base-passwd/base-passwd_3.5.25_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated base-passwd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 22 Jun 2012 11:40:25 +0100
Source: base-passwd
Binary: base-passwd
Architecture: source i386
Version: 3.5.25
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description: 
 base-passwd - Debian base system master password and group files
Closes: 650553 655501
Changes: 
 base-passwd (3.5.25) unstable; urgency=low
 .
   * users-and-groups: Document historical meaning of sys user/group (thanks
     to Mantas M. for the tip).
   * Use dpkg-buildflags to enable hardening options (based on a patch from
     Moritz Muehlenhoff; closes: #655501).
   * Update users-and-groups documentation of the sudo group to describe
     current behaviour and mention pkexec (thanks, Luca Capello; closes:
     #650553).




--- End Message ---
