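(maybe asking -ctte should be done)

This is an attempt to, again, summarize the situation about #166718 and related bugs.

In short, the question is: how can we choose a method to make it easy for people with physical access to the console to use its devices (sound, cdrom, plugged devices...) and NOT compromise security.

The initial request was for passwd to "add the first created user to useful groups" in the install process (currently D-I 2nd stage). The former maintainer of passwd, Karl Ramm, was very reluctant to add this as is to the passwd config script.

In the meantime, the D-I team added a hack to do this in D-I 2nd stage... which explains why the request doesn't come often now.

Several suggestions have been made to do this:

1) use pam_console (used by Red Hat) to give all users connected to the "console" access to a bunch of groups
2) use pam_group for barely the same purpose
3) hard-code the "useful" groups in passwd.config
4) keep the current situation and leave this to the D-I team

1) and 2) have the same security implications: granting group access to anyone using the console allows this user to hack a setgid binary and have it launch a shell later, even when not connected at the console. Activating pam_group in common-auth seems OK, but not with the lines that would be required in /lib/security/group.conf.

3) is possible but seems to be a hack.

4) (the current solution) is a similar hack.

I'd like to propose another approach:

Add a "--useful-groups" switch to Debian's adduser and keep a list of useful groups in this package's default adduser.conf file.

For sure, this moves the pressure of keeping a list of "useful" groups to Marc Haber and the adduser maintainers... but it would have the advantage of offering admins an easy way to add users to these "useful" groups without knowing the complete list.

Thoughts, opinions, flames?

I'd really like to get rid of this bug... :-)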
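An audit for the risk the message raises against options 1) and 2), added here as an example and not part of the original mail: it lists setgid executables that carry a console device group but are not owned by root. The group names, the scanned directory, and the function names are assumptions, since the message does not enumerate the "useful" groups.

```python
import grp
import os
import stat

# Assumed set of console device groups; the message gives no list.
CONSOLE_GROUPS = ("audio", "cdrom", "floppy", "video", "plugdev")


def console_group_gids(names=CONSOLE_GROUPS):
    """Map group names to the gids that exist on this host."""
    gids = set()
    for name in names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            pass  # group is not defined on this system
    return gids


def find_leftover_setgid(root, gids, trusted_uids=frozenset({0})):
    """Return (path, uid, gid) for setgid executables under root whose
    group is in gids and whose owner is not in trusted_uids."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            is_setgid = bool(st.st_mode & stat.S_ISGID)
            is_exec = bool(st.st_mode & 0o111)
            if is_setgid and is_exec and st.st_gid in gids \
                    and st.st_uid not in trusted_uids:
                hits.append((path, st.st_uid, st.st_gid))
    return sorted(hits)


if __name__ == "__main__":
    # /home is an assumed starting point; add every user-writable
    # filesystem that is not mounted nosuid.
    for path, uid, gid in find_leftover_setgid("/home", console_group_gids()):
        print(f"{path}: owner uid={uid}, group gid={gid}")
```

A hit means the group's access persists after the console session ends, which is the property that separates session-granted groups from a static membership list.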
In short, the question is: how can we choose a method to make easy for people with physical access to the console to use its devices (sound, cdrom, plugged devices...) and NOT compromise security. The initial request was for passwd to "add the first created user to useful groups" in the install process (currently D-I 2nd stage). The former maintainer of passwd, Karl Ramm, was very reluctant to add this as is to passwd config script. In the meantime, the D-I team added a hack to do this in D-I 2nd stage...which explains the request doesn't come often now. Several suggestions have been made to do this: 1) use pam_console (used by Redhat) to give all users connected to the "console" access to a bunch of groups 2) use pam_group for barely the same purpose 3) hard-code the "useful" groups in passwd.config 4) keep the current situation and let this to the D-I team 1) and 2) have the same security implications-->granting groups access to anyone using the console allows this user to hack a setgid binary and have it launch a shell later, even when not connected at the console Activating pam_group in common-auth seems OK but not with the lines that would be required in /lib/security/group.conf 3) is possible but seems to be a hack 4) (the current solution) is a similar hack I'd like to propose another approach: Add a "--useful-groups" switch to Debian's adduser and keep a list of useful groups in this package's default adduser.conf file. For sure, this moves the pressure of keeping a list of "useful" groups to Marc Haber and adduser maintainers...but it would have the advantage to offer admins an easy way to add users to these "useful" groups without knowing the complete list. Thoughts, opinions, flames? I'd really like to get rid of this bug...:-) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]