On Tue, Nov 02, 2010 at 05:47:45PM +, Ian Jackson wrote:
Guido Günther writes (Re: [RFC] disabled root account / distinct group for
users with administrative privileges):
Imho we should use diffrent groups for PolicyKit and sudo. d-i would
need to add the user to two groups
Guido Günther writes (Re: [RFC] disabled root account / distinct group for
users with administrative privileges):
Imho we should use diffrent groups for PolicyKit and sudo. d-i would
need to add the user to two groups then but it would allow for polkit
and sudo only configurations:
Why should
On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
Hi,
as some of you might know, the debian installer allows to install a system
with
a disabled root account, i.e. there is no root password set for root.
In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as
Hi,
My concern was random introduction of more new groups with confusing
names and overwrapping capabilities with inconsistent documentation.
Besides, it sounded funny to say reinvent the wheel.
On Sun, Oct 24, 2010 at 09:22:10PM +0100, Simon McVittie wrote:
On Sun, 24 Oct 2010 at 18:05:45
Hi,
Let's not reinvent the wheel :-)
(Let's use old wheel group in line with current documentations.)
On Sat, Oct 23, 2010 at 09:44:41PM +0200, Arthur de Jong wrote:
On Thu, 2010-10-21 at 16:48 +0100, Philip Hands wrote:
If we decide to reject 'admin', I think we should use sudo. I find the
On Sun, 24 Oct 2010 at 18:05:45 +0900, Osamu Aoki wrote:
(Let's use old wheel group in line with current documentations.)
That's not in line with wheel's historical use, though... historically
wheel meant may run su(8) at all. Everyone on a GNU system has the
privileges traditionally given to
On Thu, 2010-10-21 at 16:48 +0100, Philip Hands wrote:
If we decide to reject 'admin', I think we should use sudo. I find the
argument that admin is confusing given the presence of adm fairly
convincing -- It's all too easy to say something like could you add
fred to the adm group over the
Carsten Hey writes (Re: [RFC] disabled root account / distinct group for users
with administrative privileges):
A group named sudo or sudoroot is somehow linked to sudo as tool used to
gain administrative privileges. No one knows if in future an other tool
will be the de facto standard
On Thu, 21 Oct 2010 at 17:53:53 -0600, Bob Proulx wrote:
Giacomo A. Catenazzi wrote:
It depends on the definition of equivalent.
The definition of root-equivalent I'd use is: if an account is compromised (an
attacker gains control of it), and the attacker can get root privileges as a
result,
On Fri, 22 Oct 2010 at 11:44:31 +0100, Ian Jackson wrote:
I wouldn't be at all surprised to find that priv was occasionally
used as a username for an ordinary user.
If I saw it out of context I'd also tend to assume that priv is short for
private instead of privileged, but perhaps that's just
On Fri, Oct 22, 2010 at 1:44 PM, Ian Jackson
ijack...@chiark.greenend.org.uk wrote:
Carsten Hey writes (Re: [RFC] disabled root account / distinct group for
users with administrative privileges):
A group named sudo or sudoroot is somehow linked to sudo as tool used to
gain administrative
* Simon McVittie [2010-10-22 12:10 +0100]:
On Fri, 22 Oct 2010 at 11:44:31 +0100, Ian Jackson wrote:
I wouldn't be at all surprised to find that priv was occasionally
used as a username for an ordinary user.
If I saw it out of context I'd also tend to assume that priv is
short for private
Quoting Russ Allbery (r...@debian.org):
How about the root group?
Any already-existing group is going to have the problem that some sites
will already be using it for something else. We put all sysadmins in
Isn't that the same for any kind of clever group name we'll find?
Unless we
Christian PERRIER bubu...@debian.org writes:
And for ${deity}'s sake, people […] should stop talking about
'bikeshedding' [which has the condescending] implication: the
discussion is useless.
This discussion is not.
We will have to live with whatever group name we choose now for
*years*,
Hi,
On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
So, I'm wondering if we shouldn't pick a more neutral name without a previous
history in Debian.
One suggestion is to use group admin. Ubuntu has been using that group for
exactly the purpose what we are going for and I think
Christian PERRIER bubu...@debian.org writes:
Quoting Russ Allbery (r...@debian.org):
Any already-existing group is going to have the problem that some sites
will already be using it for something else. We put all sysadmins in
Isn't that the same for any kind of clever group name we'll find?
On Thu, 21 Oct 2010 06:49:00 +0200, Christian PERRIER bubu...@debian.org
wrote:
Quoting Russ Allbery (r...@debian.org):
...
Maybe sudo is not that bad, after all..:-)
If we decide to reject 'admin', I think we should use sudo. I find the
argument that admin is confusing given the presence
On 20.10.10 13:28, Simon McVittie wrote:
Quoting from base-passwd again:
Allows users to add local modifications to the system (/usr/local, /home)
without needing root privileges. Compare with group 'adm', which is more
related to monitoring/security.
Note that the ability
* Russ Allbery [2010-10-21 02:37 -0700]:
I like sudoroot, personally, but I think sudo is probably okay.
A group named sudo or sudoroot is somehow linked to sudo as tool used to
gain administrative privileges. No one knows if in future an other tool
will be the de facto standard to gain
Giacomo A. Catenazzi wrote:
Simon McVittie wrote:
... so in practice, staff is root-equivalent, but in principle it's
not meant to be. (Yay.)
It depends on the definition of equivalent.
Anyway staff is a protection against user (aka admin)* errors*,
not against *malicious* admins.
I
Quoting Steve Langasek (vor...@debian.org):
On the other hand, is it really necessary a new group? Can't adm or
operator
be overloaded with this new functionality? (think Ockham's razor).
No. Both of those groups also have other meanings.
How about the root group?
signature.asc
[reply-to set to d-d only]
On 20/10/2010 07:12, Christian PERRIER wrote:
Quoting Steve Langasek (vor...@debian.org):
On the other hand, is it really necessary a new group? Can't adm or
operator
be overloaded with this new functionality? (think Ockham's razor).
No. Both of those groups
* Vincent Danjean vdanjean...@free.fr [101020 09:46]:
How about the root group?
This would hurt systems where umask is 002 (or 007) by default (the root
group is the primary group of the root user with nobody else in it)
No, the root group (aka wheel) group is the group of people that are
On 20/10/2010 11:18, Petter Reinholdtsen wrote:
So I would suggest to use a name that is more likely to be unique.
unique wrt. what? admin seems unique since not used in Debian yet.
Happy hacking,
--
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/
--
To UNSUBSCRIBE, email to
On Wed, 20 Oct 2010 at 01:58:22 +, The Fungi wrote:
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
On the other hand, is it really necessary a new group? Can't adm
or operator be overloaded with this new functionality? (think
Ockham's razor).
Maybe similarly
On Wed, Oct 20, 2010 at 12:28:49PM +0100, Simon McVittie wrote:
Quoting from base-passwd again:
[...]
... so in practice, staff is root-equivalent, but in principle it's not meant
to be. (Yay.)
Right, which was why I also chose to use it for staff who I
trusted with root access, but wanted
Maybe god ;-)
On Wed, Oct 20, 2010 at 8:16 AM, Mehdi Dogguy me...@dogguy.org wrote:
On 20/10/2010 11:18, Petter Reinholdtsen wrote:
So I would suggest to use a name that is more likely to be unique.
unique wrt. what? admin seems unique since not used in Debian yet.
Happy hacking,
--
On Wed, Oct 20, 2010 at 17:38:23 +0200, Didier 'OdyX' Raboud wrote:
Otavio Salvador wrote:
Maybe god ;-)
What about the adm group ? Is it the same as the admin ?
What about reading the thread and relevant documentation instead of
repeating turned down ideas for the bikeshed colour?
Christian PERRIER bubu...@debian.org writes:
Quoting Steve Langasek (vor...@debian.org):
On the other hand, is it really necessary a new group? Can't adm or
operator be overloaded with this new functionality? (think Ockham's
razor).
No. Both of those groups also have other meanings.
How
Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit :
1/ The sudo group in previous Debian releases had a different meaning: Members
of groups sudo could run sudo without needing a password.
Did it exist in previous releases? I don’t recall seeing it in sudoers.
2/ Using the name
hi,
2010/10/19 Michael Biebl bi...@debian.org:
Hi,
Bdale went ahead and added the following to /etc/sudoers:
# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
First of all: YES!
On 19.10.2010 08:15, Josselin Mouette wrote:
Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit :
1/ The sudo group in previous Debian releases had a different meaning:
Members
of groups sudo could run sudo without needing a password.
Did it exist in previous releases? I don’t
Hi, Josselin:
On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
[...]
Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit :
What about the old-fashioned wheel group[1]?
This would be an even worse disaster than “admin”, for similar reasons.
Users of the “wheel” group
I definitely agree that we need to get this change into squeeze and that we need
to be careful to not get into bikeshedding about names.
On the other hand, choosing a group for a purpose like this should imho be done
carefully as changing the name later is hard if not impossible.
Since this
Le mardi 19 octobre 2010 à 09:49 +0200, Fabian Greffrath a écrit :
Since this group would be Debian-specific, how about Debian-admin or
Debian-sudo (as in Debian-gdm or Debian-exim)?
The Debian-exim and Debian-gdm names are system users that are meant to
never conflict with existing,
Le mardi 19 octobre 2010 à 09:58 +0100, Philip Hands a écrit :
For PolicyKit, I can now simply ship a file, say
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
[Configuration]
AdminIdentities=unix-group:sudo
I would object to 'sudo' being a group of people
On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl bi...@debian.org wrote:
Bdale went ahead and added the following to /etc/sudoers:
# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL)
Am Dienstag, den 19.10.2010, 08:15 +0200 schrieb Josselin Mouette:
Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit :
-Snipp-
So, I'm wondering if we shouldn't pick a more neutral name without a
previous
history in Debian.
One suggestion is to use group admin. Ubuntu has
base-passwd documents sudo as Members of this group do not need to type their
password when using sudo, which is no longer true. I've opened a bug.
On Tue, 19 Oct 2010 at 09:48:58 +0200, Jesús M. Navarro wrote:
On the other hand, is it really necessary a new group? Can't adm or operator
be
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
[...]
On the other hand, is it really necessary a new group? Can't adm
or operator be overloaded with this new functionality? (think
Ockham's razor).
Maybe similarly overloaded, but I've used the built-in staff group
for this
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
[...]
Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit :
What about the old-fashioned wheel group[1]?
This would be an even worse disaster than
Hi,
as some of you might know, the debian installer allows to install a system with
a disabled root account, i.e. there is no root password set for root.
In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
leaving the root password prompt empty.
The lenny installer
Hi, Michael:
On Tuesday 19 October 2010 00:38:41 Michael Biebl wrote:
Hi,
[...]
The idea is, to have a distinct group. Members of that group have
administrative privileges using sudo and PolicKit.
[...]
While I think the idea of using a distinct group for users with
administrative
43 matches
Mail list logo