Hi. After discussing the issue together, the shadow maintainer and I (the PAM maintainer) have decided to refer the issue of initial groups for users to the TC. This is not one developer asking the TC to overrule another; Karl and I are in agreement that the issue is bigger than either of our packages and that Debian should have a consistent direction on this issue.
The problem is fairly simple. Some of our users actually want to use their systems once they get them installed. In particular, they'd like to be able to do things like play sound, access their floppy drives and CD-ROMs, etc. Currently, to do that, you need to be added to groups that have access to devices. I think some of this comes from the FHS rather than just decisions internal to Debian. Perhaps when Debian and the FHS originally made this decision, users could be expected to simply add themselves to groups if they noticed they needed the permissions associated with these groups. However, as Debian has gained appeal to a wider audience and as people's expectations of usability increase, users want more reasonable default behavior.

The proposal in bug #166718 and the bugs merged with it is for the initial user to be added to some set of groups. Karl does not like this proposal because it only solves the problem for the initial user. That's great until you actually start to take advantage of the fact that your Debian system is multi-user.

Another proposal is to use pam_group to manage these groups. If someone is logging in on /dev/tty[0-9] or :0 or :0.0 or one of the other console devices, give them audio, cdrom and floppy. This isn't really all that desirable either, because it allows any console user to permanently gain that group. In particular, they can create a setgid executable belonging to that group.

The solution to this problem that some Solaris environments I'm familiar with use is to chown the appropriate devices to the console user. That prevents the console user from giving away privileges. I'm not sure it's compatible with the FHS, and I'd certainly want buy-in from the rest of Debian before doing that. Also, I don't believe we currently have an implementation of something to do that chowning in Debian; presumably it would be a PAM module. I don't have time to write code to solve this, and I don't think Karl does either.
The Red Hat pam_console module does seem to do roughly what we want. In the past, people have objected significantly to adding this module to Debian for security track record reasons. I don't know how valid these objections are.

Thanks for your consideration,
--Sam
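To make the pam_group proposal discussed above concrete, here is a small Python evaluator for rules in pam_group's group.conf format. It is an added illustration, not code from the message, from Debian or from libpam. The configuration it reads is constructed to mirror the proposal (logins on console ttys and the local X display receive audio, cdrom and floppy), and the matching logic is a simplified model of pam_group's, with the simplifications listed in the docstring.

```python
"""Simplified evaluator for pam_group(8) rules in the group.conf format.

This is an added illustration, not libpam's implementation.  A group.conf
line has five ';'-separated fields:

    services;ttys;users;times;groups

The first three are "logic lists": tokens joined by '&' (and) or '|'
(or), optionally negated with a leading '!', with a trailing '*' wildcard.
The times field is day codes followed by HHMM-HHMM, e.g. Al0000-2400.
Simplifications (assumptions of this model): '&' and '|' are evaluated
left to right with equal precedence, the times field accepts a single
range, and repeated day codes do not toggle.
"""
import re
from dataclasses import dataclass

# Constructed example config mirroring the proposal in the message:
# anyone logging in on a console tty or the local X display gets
# audio, cdrom and floppy.  The user field is '*', so the grant is
# keyed to the terminal, not to who is logging in.
EXAMPLE_CONF = """
# service ; ttys ; users ; times ; groups
login;tty*&!ttyp*;*;Al0000-2400;audio,cdrom,floppy
xdm;:0*;*;Al0000-2400;audio,cdrom,floppy
"""

DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}


@dataclass(frozen=True)
class Rule:
    services: str
    ttys: str
    users: str
    times: str
    groups: frozenset


def match_token(pattern: str, value: str) -> bool:
    """Match one token: optional leading '!' negation, optional trailing '*'."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = value.startswith(pattern[:-1]) if pattern.endswith("*") else value == pattern
    return not hit if negate else hit


def match_list(expr: str, value: str) -> bool:
    """Evaluate a logic list such as 'tty*&!ttyp*' against value, left to right."""
    parts = re.split(r"([&|])", expr)
    result = match_token(parts[0], value)
    for op, token in zip(parts[1::2], parts[2::2]):
        rhs = match_token(token, value)
        result = (result and rhs) if op == "&" else (result or rhs)
    return result


def match_time(spec: str, weekday: int, hhmm: int) -> bool:
    """weekday: 0=Monday..6=Sunday; hhmm: e.g. 1330 for 13:30."""
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError(f"unsupported time spec: {spec!r}")
    codes, start, end = m.group(1), int(m.group(2)), int(m.group(3))
    days = set()
    for i in range(0, len(codes), 2):
        days |= DAY_CODES[codes[i:i + 2]]
    return weekday in days and start <= hhmm < end


def parse_group_conf(text: str) -> list:
    """Parse group.conf text into Rule objects; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"malformed rule: {raw!r}")
        services, ttys, users, times, groups = fields
        rules.append(Rule(services, ttys, users, times,
                          frozenset(g for g in groups.split(",") if g)))
    return rules


def groups_for(rules, service, tty, user, weekday=0, hhmm=1200) -> set:
    """Union of the groups of every rule matching this login."""
    granted = set()
    for r in rules:
        if (match_list(r.services, service) and match_list(r.ttys, tty)
                and match_list(r.users, user) and match_time(r.times, weekday, hhmm)):
            granted |= r.groups
    return granted


RULES = parse_group_conf(EXAMPLE_CONF)

if __name__ == "__main__":
    for svc, tty in (("login", "tty1"), ("login", "ttyp0"), ("sshd", "pts/0"), ("xdm", ":0.0")):
        print(f"{svc:5} on {tty:6} -> {sorted(groups_for(RULES, svc, tty, 'alice'))}")
```

Running it shows the property the message objects to: because the user field is `*`, any login on tty1 or :0 receives the three groups, while an ssh login on a pty receives nothing. Since pam_group confers real supplementary group membership for the session, a user who makes a binary setgid to one of those groups while on the console keeps that access from later non-console logins; nothing in the rule ties the grant to a particular user, which is what the chown-the-device approach described above avoids.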