On Tue, Nov 02, 2010 at 05:47:45PM +, Ian Jackson wrote:
> Guido Günther writes ("Re: [RFC] disabled root account / distinct group for
> users with administrative privileges"):
> > Imho we should use diffrent groups for PolicyKit and sudo. d-i would
> > need to add
Guido Günther writes ("Re: [RFC] disabled root account / distinct group for
users with administrative privileges"):
> Imho we should use diffrent groups for PolicyKit and sudo. d-i would
> need to add the user to two groups then but it would allow for polkit
> and sudo only c
On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
> Hi,
>
> as some of you might know, the debian installer allows to install a system
> with
> a disabled root account, i.e. there is no root password set for root.
> In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is
Hi,
My concern was random introduction of more new groups with confusing
names and overwrapping capabilities with inconsistent documentation.
Besides, it sounded funny to say "reinvent the wheel".
On Sun, Oct 24, 2010 at 09:22:10PM +0100, Simon McVittie wrote:
> On Sun, 24 Oct 2010 at 18:05:45
On Sun, 24 Oct 2010 at 18:05:45 +0900, Osamu Aoki wrote:
> (Let's use old "wheel" group in line with current documentations.)
That's not in line with wheel's historical use, though... historically
wheel meant "may run su(8) at all". Everyone on a GNU system has the
privileges traditionally given t
Hi,
Let's not reinvent the "wheel" :-)
(Let's use old "wheel" group in line with current documentations.)
On Sat, Oct 23, 2010 at 09:44:41PM +0200, Arthur de Jong wrote:
> On Thu, 2010-10-21 at 16:48 +0100, Philip Hands wrote:
> > If we decide to reject 'admin', I think we should use sudo. I fi
On Thu, 2010-10-21 at 16:48 +0100, Philip Hands wrote:
> If we decide to reject 'admin', I think we should use sudo. I find the
> argument that admin is confusing given the presence of adm fairly
> convincing -- It's all too easy to say something like "could you add
> fred to the adm group" over t
* Simon McVittie [2010-10-22 12:10 +0100]:
> On Fri, 22 Oct 2010 at 11:44:31 +0100, Ian Jackson wrote:
> > I wouldn't be at all surprised to find that "priv" was occasionally
> > used as a username for an ordinary user.
>
> If I saw it out of context I'd also tend to assume that "priv" is
> short f
On Fri, Oct 22, 2010 at 1:44 PM, Ian Jackson
wrote:
> Carsten Hey writes ("Re: [RFC] disabled root account / distinct group for
> users with administrative privileges"):
>> A group named sudo or sudoroot is somehow linked to sudo as tool used to
>> gain administrati
On Fri, 22 Oct 2010 at 11:44:31 +0100, Ian Jackson wrote:
> I wouldn't be at all surprised to find that "priv" was occasionally
> used as a username for an ordinary user.
If I saw it out of context I'd also tend to assume that "priv" is short for
"private" instead of "privileged", but perhaps that
On Thu, 21 Oct 2010 at 17:53:53 -0600, Bob Proulx wrote:
> Giacomo A. Catenazzi wrote:
> > It depends on the definition of "equivalent".
The definition of root-equivalent I'd use is: if an account is compromised (an
attacker gains control of it), and the attacker can get root privileges as a
resul
Carsten Hey writes ("Re: [RFC] disabled root account / distinct group for users
with administrative privileges"):
> A group named sudo or sudoroot is somehow linked to sudo as tool used to
> gain administrative privileges. No one knows if in future an other tool
> will be th
Giacomo A. Catenazzi wrote:
> Simon McVittie wrote:
> >... so in practice, staff is root-equivalent, but in principle it's
> >not meant to be. (Yay.)
>
> It depends on the definition of "equivalent".
>
> Anyway "staff" is a protection against user (aka admin)* errors*,
> not against *malicious* a
* Russ Allbery [2010-10-21 02:37 -0700]:
> I like sudoroot, personally, but I think sudo is probably okay.
A group named sudo or sudoroot is somehow linked to sudo as tool used to
gain administrative privileges. No one knows if in future an other tool
will be the de facto standard to gain privile
On 20.10.10 13:28, Simon McVittie wrote:
Quoting from base-passwd again:
Allows users to add local modifications to the system (/usr/local, /home)
without needing root privileges. Compare with group 'adm', which is more
related to monitoring/security.
Note that the ability
On Thu, 21 Oct 2010 06:49:00 +0200, Christian PERRIER
wrote:
> Quoting Russ Allbery (r...@debian.org):
>
...
> Maybe sudo is not that bad, after all..:-)
If we decide to reject 'admin', I think we should use sudo. I find the
argument that admin is confusing given the presence of adm fairly
con
Christian PERRIER writes:
> Quoting Russ Allbery (r...@debian.org):
>> Any already-existing group is going to have the problem that some sites
>> will already be using it for something else. We put all sysadmins in
> Isn't that the same for any kind of clever group name we'll find?
> Unless we
Hi,
On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
> So, I'm wondering if we shouldn't pick a more neutral name without a previous
> history in Debian.
> One suggestion is to use group "admin". Ubuntu has been using that group for
> exactly the purpose what we are going for and I t
Christian PERRIER writes:
> And for ${deity}'s sake, people […] should stop talking about
> 'bikeshedding' [which has the condescending] implication: the
> discussion is useless.
>
> This discussion is not.
>
> We will have to live with whatever group name we choose now for
> *years*, so better c
Quoting Russ Allbery (r...@debian.org):
> > How about the "root" group?
>
> Any already-existing group is going to have the problem that some sites
> will already be using it for something else. We put all sysadmins in
Isn't that the same for any kind of clever group name we'll find?
Unless we
Christian PERRIER writes:
> Quoting Steve Langasek (vor...@debian.org):
>>> On the other hand, is it really necessary a new group? Can't adm or
>>> operator be overloaded with this new functionality? (think Ockham's
>>> razor).
>> No. Both of those groups also have other meanings.
> How about
On Wed, Oct 20, 2010 at 17:38:23 +0200, Didier 'OdyX' Raboud wrote:
> Otavio Salvador wrote:
>
> > Maybe "god" ;-)
>
> What about the "adm" group ? Is it the same as the "admin" ?
>
What about reading the thread and relevant documentation instead of
repeating turned down ideas for the bikeshed
Maybe "god" ;-)
On Wed, Oct 20, 2010 at 8:16 AM, Mehdi Dogguy wrote:
> On 20/10/2010 11:18, Petter Reinholdtsen wrote:
>>
>> So I would suggest to use a name that is more likely to be unique.
>>
>
> unique wrt. what? "admin" seems "unique" since not used in Debian yet.
>
>> Happy hacking,
>
> --
On Wed, Oct 20, 2010 at 12:28:49PM +0100, Simon McVittie wrote:
> Quoting from base-passwd again:
[...]
> ... so in practice, staff is root-equivalent, but in principle it's not meant
> to be. (Yay.)
Right, which was why I also chose to use it for "staff" who I
trusted with root access, but wanted
On Wed, 20 Oct 2010 at 01:58:22 +, The Fungi wrote:
> On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
> > On the other hand, is it really necessary a new group? Can't adm
> > or operator be overloaded with this new functionality? (think
> > Ockham's razor).
>
> Maybe similar
On 20/10/2010 11:18, Petter Reinholdtsen wrote:
>
> So I would suggest to use a name that is more likely to be unique.
>
unique wrt. what? "admin" seems "unique" since not used in Debian yet.
> Happy hacking,
--
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/
--
To UNSUBSCRIBE, email to debian-
* Vincent Danjean [101020 09:46]:
> > How about the "root" group?
>
> This would hurt systems where umask is 002 (or 007) by default (the root
> group is the primary group of the root user with nobody else in it)
No, the root group (aka wheel) group is the group of people that are
allowed to swit
[reply-to set to d-d only]
On 20/10/2010 07:12, Christian PERRIER wrote:
> Quoting Steve Langasek (vor...@debian.org):
>
>>> On the other hand, is it really necessary a new group? Can't adm or
>>> operator
>>> be overloaded with this new functionality? (think Ockham's razor).
>>
>> No. Both o
Quoting Steve Langasek (vor...@debian.org):
> > On the other hand, is it really necessary a new group? Can't adm or
> > operator
> > be overloaded with this new functionality? (think Ockham's razor).
>
> No. Both of those groups also have other meanings.
How about the "root" group?
sign
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
> On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
> [...]
> > Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit :
> > > What about the old-fashioned "wheel" group[1]?
> > This would be an even worse disas
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
[...]
> On the other hand, is it really necessary a new group? Can't adm
> or operator be overloaded with this new functionality? (think
> Ockham's razor).
Maybe similarly overloaded, but I've used the built-in "staff" group
for th
base-passwd documents sudo as "Members of this group do not need to type their
password when using sudo", which is no longer true. I've opened a bug.
On Tue, 19 Oct 2010 at 09:48:58 +0200, Jesús M. Navarro wrote:
> On the other hand, is it really necessary a new group? Can't adm or operator
> be
Am Dienstag, den 19.10.2010, 08:15 +0200 schrieb Josselin Mouette:
> Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit :
-Snipp-
> > So, I'm wondering if we shouldn't pick a more neutral name without a
> > previous
> > history in Debian.
> > One suggestion is to use group "admin". Ubu
On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl wrote:
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL
Ah yes -
Le mardi 19 octobre 2010 à 09:58 +0100, Philip Hands a écrit :
> > For PolicyKit, I can now simply ship a file, say
> > /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
> >
> > [Configuration]
> > AdminIdentities=unix-group:sudo
>
> I would object to 'sudo' being a group of
Le mardi 19 octobre 2010 à 09:49 +0200, Fabian Greffrath a écrit :
> Since this group would be Debian-specific, how about "Debian-admin" or
> "Debian-sudo" (as in "Debian-gdm" or "Debian-exim")?
The Debian-exim and Debian-gdm names are system users that are meant to
never conflict with existing,
I definitely agree that we need to get this change into squeeze and that we need
to be careful to not get into bikeshedding about names.
On the other hand, choosing a group for a purpose like this should imho be done
carefully as changing the name later is hard if not impossible.
Since this gro
Hi, Josselin:
On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
[...]
> Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit :
> > What about the old-fashioned "wheel" group[1]?
>
> This would be an even worse disaster than “admin”, for similar reasons.
> Users of the “wheel
On 19.10.2010 08:15, Josselin Mouette wrote:
> Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit :
>> 1/ The sudo group in previous Debian releases had a different meaning:
>> Members
>> of groups sudo could run sudo without needing a password.
>
> Did it exist in previous releases?
hi,
2010/10/19 Michael Biebl :
> Hi,
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL
First of all: YES! Thanks! I
Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit :
> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.
Did it exist in previous releases? I don’t recall seeing it in sudoers.
> 2/ Using the name
Hi, Michael:
On Tuesday 19 October 2010 00:38:41 Michael Biebl wrote:
> Hi,
[...]
> The idea is, to have a distinct group. Members of that group have
> administrative privileges using sudo and PolicKit.
[...]
> While I think the idea of using a distinct group for users with
> administrative pr
Hi,
as some of you might know, the debian installer allows to install a system with
a disabled root account, i.e. there is no root password set for root.
In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
leaving the root password prompt empty.
The lenny installer th
43 matches
Mail list logo