On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
> Hi,
>
> as some of you might know, the debian installer allows to install a system
> with a disabled root account, i.e. there is no root password set for root.
> In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as
> simple as leaving the root password prompt empty.
>
> The lenny installer then added the user, that was created during install,
> to /etc/sudoers to grant him administrative privileges.
>
> For squeeze we looked for a better way, especially as PolicyKit is becoming
> used by more and more packages and mangling the PolicyKit configuration
> didn't look like a sane alternative.
>
> The idea is, to have a distinct group. Members of that group have
> administrative privileges using sudo and PolicyKit. The installer then
> simply has to add the

Fedora introduced desktop_admin_r for this in the polkit-desktop-policy
package:

http://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html

Imho we should use different groups for PolicyKit and sudo. d-i would need
to add the user to two groups then but it would allow for polkit and sudo
only configurations: If you only want to grant polkit based privileges
remove the user from the sudoers group and if you only want sudo based
privileges remove it from the desktop_admin_r group.

This would allow administrators to only care about one set of privileges
which makes it easier to oversee the consequences when adding more users to
these groups.

Cheers,
 -- Guido

> user to that group, if installed in root-disabled mode.
> The relevant bug report for PolicyKit is [1], the one for user-setup [2].
>
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL
>
> The installer was changed to add the user to group "sudo" if the system is
> installed with root disabled.
>
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
>
> [Configuration]
> AdminIdentities=unix-group:sudo
>
> While I think the idea of using a distinct group for users with
> administrative privileges is a very good one, I'm not sure if using the
> group name "sudo" is the right choice, for two reasons:
>
> 1/ The sudo group in previous Debian releases had a different meaning:
> Members of groups sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.
>
> So, I'm wondering if we shouldn't pick a more neutral name without a
> previous history in Debian.
> One suggestion is to use group "admin".
> Ubuntu has been using that group for exactly the purpose what we are
> going for and I think it is a pretty adequate name.
>
> One concern that was already mentioned is, that the existing group adm and
> admin are too similar and prone to mistyping.
>
> I'm a bit undecided atm. While I lean towards using a new group and in
> that case the name "admin", I also know that we are already late in the
> squeeze release cycle and picking a new name will require changes to
> user-setup and sudo.
> policykit-1 hasn't been updated yet, so it'll require a new upload anyway.
>
> Bdale was open to changing the sudo configuration, but he didn't want to
> drive this discussion.
>
> I'm very much interested in your feedback on this matter and what others
> think is the best way to go and if there is maybe another, even better
> suggestion for this group name.
>
> I've also CCed debian-release as I want to know if they'd ack uploads of
> the affected packages.
>
> Cheers,
> Michael
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
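
An added example, not part of the thread and not code from either author: a small Python audit that shows, per user, whether administrative rights come from sudo, from PolicyKit, or from both, comparing the single shared group with the two-group layout discussed above. The file contents and group memberships are constructed, and counting every `%group` sudoers rule as an admin grant is a simplifying assumption.

```python
import configparser
import re

# Constructed sample inputs (not taken from a real system).
SUDOERS = "# admin rule\n%sudo ALL=(ALL) ALL\nroot  ALL=(ALL) ALL\n"
POLKIT_SHARED = "[Configuration]\nAdminIdentities=unix-group:sudo\n"
POLKIT_SPLIT = "[Configuration]\nAdminIdentities=unix-group:desktop_admin_r\n"
GROUPS = {  # group -> members, as `getent group` would report them
    "sudo": {"alice", "bob"},
    "desktop_admin_r": {"alice", "carol"},
}

def sudo_groups(sudoers_text):
    """Groups that own a '%group' rule; comment lines never match."""
    found = set()
    for line in sudoers_text.splitlines():
        m = re.match(r"\s*%([A-Za-z0-9_.-]+)\s", line)
        if m:
            found.add(m.group(1))
    return found

def polkit_admin_groups(conf_text):
    """Groups listed as unix-group:<name> in AdminIdentities (';'-separated)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ids = cp.get("Configuration", "AdminIdentities", fallback="")
    out = set()
    for ident in ids.split(";"):
        kind, _, name = ident.strip().partition(":")
        if kind == "unix-group" and name:
            out.add(name)
    return out

def admin_paths(sudoers_text, conf_text, groups):
    """Map each user to the mechanisms ('sudo', 'polkit') granting admin."""
    paths = {}
    for mech, names in (("sudo", sudo_groups(sudoers_text)),
                        ("polkit", polkit_admin_groups(conf_text))):
        for group in names:
            for user in groups.get(group, ()):
                paths.setdefault(user, set()).add(mech)
    return paths

if __name__ == "__main__":
    for label, conf in (("shared", POLKIT_SHARED), ("split", POLKIT_SPLIT)):
        print(label, admin_paths(SUDOERS, conf, GROUPS))
```

With the shared group every sudo member is also a PolicyKit administrator; with separate groups the report shows who holds which privilege, which is the oversight benefit argued for in the reply.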