Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-20 Thread Christian PERRIER
Quoting Steve Langasek (vor...@debian.org):

> > On the other hand, is it really necessary a new group?  Can't adm or operator
> > be overloaded with this new functionality? (think Ockham's razor).
>
> No.  Both of those groups also have other meanings.


How about the root group?






Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-20 Thread Vincent Danjean
[reply-to set to d-d only]

On 20/10/2010 07:12, Christian PERRIER wrote:
> Quoting Steve Langasek (vor...@debian.org):
>
> > > On the other hand, is it really necessary a new group?  Can't adm or operator
> > > be overloaded with this new functionality? (think Ockham's razor).
> >
> > No.  Both of those groups also have other meanings.
>
> How about the root group?

This would hurt systems where umask is 002 (or 007) by default (the root
group is the primary group of the root user with nobody else in it)

  Regards,
Vincent

-- 
Vincent Danjean   GPG key ID 0x9D025E87 vdanj...@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4cbe9e22.5070...@free.fr



Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-20 Thread Petter Reinholdtsen
[Michael Biebl]
> One suggestion is to use group admin. Ubuntu has been using that
> group for exactly the purpose what we are going for and I think it
> is a pretty adequate name.

The Ubuntu use of the group 'admin' has caused some problems here at
the university where I work on integrating Ubuntu into our existing
infrastructure, because we already have a group 'admin' with the
people working at the university administration section.  And trust
me, all of these should not have administrative privileges on the
Ubuntu computers. :)

So I would suggest to use a name that is more likely to be unique.

Happy hacking,
-- 
Petter Reinholdtsen





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-20 Thread Mehdi Dogguy
On 20/10/2010 11:18, Petter Reinholdtsen wrote:
 
> So I would suggest to use a name that is more likely to be unique.

unique wrt. what? admin seems unique since not used in Debian yet.

> Happy hacking,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-20 Thread Otavio Salvador
Maybe god ;-)

On Wed, Oct 20, 2010 at 8:16 AM, Mehdi Dogguy me...@dogguy.org wrote:
> On 20/10/2010 11:18, Petter Reinholdtsen wrote:
>
> > So I would suggest to use a name that is more likely to be unique.
>
> unique wrt. what? admin seems unique since not used in Debian yet.
>
> > Happy hacking,
>
> --
> Mehdi Dogguy مهدي الدڤي
> http://dogguy.org/







-- 
Otavio Salvador                  O.S. Systems
E-mail: ota...@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854         http://projetos.ossystems.com.br





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Josselin Mouette
On Tuesday 19 October 2010 at 00:38 +0200, Michael Biebl wrote:
> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.

Did it exist in previous releases? I don’t recall seeing it in sudoers.

> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

I don’t think so, since the configuration snippet makes PK behave like
sudo.

> So, I'm wondering if we shouldn't pick a more neutral name without a previous
> history in Debian.
> One suggestion is to use group admin. Ubuntu has been using that group for
> exactly the purpose what we are going for and I think it is a pretty
> adequate name.

“admin” is a very widespread group name, this is likely to cause huge
security issues if members of this group are not supposed to be granted
root privileges.

> I'm a bit undecided atm. While I lean towards using a new group and in that case
> the name admin, I also know that we are already late in the squeeze release
> cycle and picking a new name will require changes to user-setup and sudo.
> policykit-1 hasn't been updated yet, so it'll require a new upload anyway.

I think it’s much more important to get this change into squeeze than to
bikeshed the group name.

On Tuesday 19 October 2010 at 02:12 +0200, Jesús M. Navarro wrote:
> What about the old-fashioned wheel group[1]?

This would be an even worse disaster than “admin”, for similar reasons.
Users of the “wheel” group were not supposed to get root privileges with
their own password.

Cheers,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-[…] I will see what I can do for you.”  -- Jörg Schilling




Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Ben Finney
Josselin Mouette j...@debian.org writes:

> On Tuesday 19 October 2010 at 00:38 +0200, Michael Biebl wrote:
> > 1/ The sudo group in previous Debian releases had a different
> > meaning: Members of groups sudo could run sudo without needing a
> > password.
>
> Did it exist in previous releases? I don’t recall seeing it in
> sudoers.

It's been there as the “exempt from password requirement” group, by
using the ‘--with-exempt=sudo’ compile option at least as early as 2002,
according to <URL:http://bugs.debian.org/151049>.

-- 
 \“Like the creators of sitcoms or junk food or package tours, |
  `\ Java's designers were consciously designing a product for |
_o__)   people not as smart as them.” —Paul Graham |
Ben Finney




Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Michael Biebl
On 19.10.2010 08:15, Josselin Mouette wrote:
> On Tuesday 19 October 2010 at 00:38 +0200, Michael Biebl wrote:
> > 1/ The sudo group in previous Debian releases had a different meaning: Members
> > of groups sudo could run sudo without needing a password.
>
> Did it exist in previous releases? I don’t recall seeing it in sudoers.

Bdale certainly knows the gory details and can tell us more.

But afaicr, sudo was compiled with EXEMPT_GROUP sudo in previous releases.

Bdale, please speak up if I tell nonsense here. Can you tell us a bit more
about the history of group sudo, please.


> I think it’s much more important to get this change into squeeze than to
> bikeshed the group name.

I definitely agree that we need to get this change into squeeze and that we need
to be careful to not get into bikeshedding about names.

On the other hand, choosing a group for a purpose like this should imho be done
carefully as changing the name later is hard if not impossible.

I'm sorry if I sound a bit overly cautious here and maybe my concerns are
unfounded. But that's the reason why I brought this up on debian-devel.


Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Bjoern Meier
hi,


2010/10/19 Michael Biebl bi...@debian.org:
> Hi,
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL

First of all: YES! Thanks! I didn't know the possibility of an install
with disabled root-login.
I use Debian 90% in a professional environment and disable root login
by hand. So yes, I would prefer an administrative group and would say:
disabled root login as default (like logins on GDM).
I don't like the idea to do sudo-things without password. I like it to
pass my secret, because this is a hint, that I do something
system-related. So: I think we need a password here.

> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

Yes, sudo is not a good name for an admin group.
Well, admin also, because Domain admin, admin and
administrators are too near to Windows. I use winbind to get the
groups out of the Active Directory and would prefer unique names for
groups.
My suggestions are:

- debadm
- linad (linux-administrator)
- uwscp (just a joke: user-with-super-cow-powers; a lean to his APT
has Super Cow Powers. ;) )

Greetings,
Björn





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Jesús M. Navarro
Hi, Josselin:

On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
[...]

> On Tuesday 19 October 2010 at 02:12 +0200, Jesús M. Navarro wrote:
> > What about the old-fashioned wheel group[1]?
>
> This would be an even worse disaster than “admin”, for similar reasons.
> Users of the “wheel” group were not supposed to get root privileges with
> their own password.

Ok.  But since this group is conceptually the same as the old wheel group,
one that provides additional special system privileges that empower a user
to execute restricted commands that ordinary user accounts cannot access,
why not make a bit of a joke of it?  How about bigwheel (since that's where
wheel derives from)?

On the other hand, is it really necessary a new group?  Can't adm or operator 
be overloaded with this new functionality? (think Ockham's razor).

Cheers.





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Josselin Mouette
On Tuesday 19 October 2010 at 09:58 +0100, Philip Hands wrote:
> > For PolicyKit, I can now simply ship a file, say
> > /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
> >
> > [Configuration]
> > AdminIdentities=unix-group:sudo
>
> I would object to 'sudo' being a group of people that can simply become
> root if they happen to be logged in -- is that what the PolicyKit
> incantation would allow?

No, it leads to them being able to do PolicyKit actions (such as
formatting a disk or changing a system default) that require root
privileges, by entering their own password. Just as sudo does without
NOPASSWD.

Cheers,
-- 
 .''`.
: :' : “You would need to ask a lawyer if you don't know
`. `'   that a handshake of course makes a valid contract.”
  `---  Jörg Schilling





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Philip Hands
On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl bi...@debian.org wrote:

> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL

Ah yes -- that's a bug in the comment of course.

The comment says (incorrectly) that people in the sudo group don't need
a password.  It would need a NOPASSWD tag for the comment to be correct.

Thankfully, the configuration does the right thing, and requires that
the user know their own password to become root.

> The installer was changed to add the user to group sudo if the system is
> installed with root disabled.
>
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
>
> [Configuration]
> AdminIdentities=unix-group:sudo

I would object to 'sudo' being a group of people that can simply become
root if they happen to be logged in -- is that what the PolicyKit
incantation would allow?

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/
|-|  HANDS.COM Ltd.http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
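
The sudoers and PolicyKit snippets quoted in this thread, checked mechanically (an added example, not part of any message here and not code from the sudo, policykit-1 or user-setup packages). It reports whether each `%group` rule carries `NOPASSWD`, flags a comment that promises password-less sudo when the rule does not grant it, and lists who NSS says is in each privileged group, which is the name-collision concern raised about `admin`. The `%ops` rule, the function names and the simplified one-line rule parser are assumptions made for the example.

```python
import grp
import re

# Constructed inputs modelled on the snippets quoted in the thread.
SUDOERS = """\
# Allow members of group sudo to not need a password
%sudo ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Hypothetical rule, present only to show the tagged case
%ops ALL=(ALL) NOPASSWD: ALL
"""
POLKIT = "[Configuration]\nAdminIdentities=unix-group:sudo\n"
# Simplified parser: one-line "%group HOST=(RUNAS) [TAG:] COMMANDS" rules only.
RULE = re.compile(r"^%(?P<group>[\w.-]+)\s+\S+?\s*=\s*(?P<rest>.+)$")
SAYS_NO_PASSWORD = re.compile(r"\b(not need|without|no) (a )?password", re.I)


def sudoers_groups(text):
    """Map each %group rule to its password requirement and comment check."""
    found, comment = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            comment += " " + line.lstrip("# ")
            continue
        m = RULE.match(line)
        if m:
            nopasswd = "NOPASSWD:" in m.group("rest")
            # Mismatch: comment promises password-less sudo, rule has no tag.
            mismatch = bool(SAYS_NO_PASSWORD.search(comment)) and not nopasswd
            found[m.group("group")] = {"nopasswd": nopasswd, "comment_mismatch": mismatch}
        comment = ""
    return found


def polkit_admin_groups(text):
    """Unix groups named in AdminIdentities (semicolon-separated list)."""
    groups = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AdminIdentities":
            idents = (i.strip().partition(":") for i in value.split(";"))
            groups += [name for kind, _, name in idents if kind == "unix-group"]
    return groups


def nss_members(group):
    """Supplementary members as NSS reports them (files, LDAP, winbind)."""
    try:
        return sorted(grp.getgrnam(group).gr_mem)
    except KeyError:
        return []


def audit(sudoers_text, polkit_text, members_of=nss_members):
    """Per group: how it reaches root, and who is actually in it."""
    report = sudoers_groups(sudoers_text)
    for entry in report.values():
        entry.update(sudo=True, polkit_admin=False)
    for group in polkit_admin_groups(polkit_text):
        blank = {"nopasswd": False, "comment_mismatch": False, "sudo": False}
        report.setdefault(group, blank)["polkit_admin"] = True
    for group, entry in report.items():
        entry["members"] = members_of(group)
    return report


if __name__ == "__main__":
    print(audit(SUDOERS, POLKIT))
```

`gr_mem` lists supplementary members only, so an account whose primary group is the audited group does not appear in `members`.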




Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Olaf Mandel
On Tuesday, 19.10.2010 at 08:15 +0200, Josselin Mouette wrote:
> On Tuesday 19 October 2010 at 00:38 +0200, Michael Biebl wrote:
-Snipp-
> > So, I'm wondering if we shouldn't pick a more neutral name without a previous
> > history in Debian.
> > One suggestion is to use group admin. Ubuntu has been using that group for
> > exactly the purpose what we are going for and I think it is a pretty
> > adequate name.
>
> “admin” is a very widespread group name, this is likely to cause huge
> security issues if members of this group are not supposed to be granted
> root privileges.
-Snipp-

Hi,

just a short info from one of the derivative distros: in Ubuntu, the
user-setup-udeb adds the following text to sudoers (and creates the
admin group, if it doesn't exist):

--Cut here--

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
--Cut here--

The newest Debian equivalent (1.34) adds the user to the sudo group if
possible while the older version (1.23) hardcodes the username in
sudoers. 

Personally, I think using the sudo (or the admin) group in Debian would
probably be fine:

* the current sudo package seems to by default support members of the
sudo group as being able to execute arbitrary commands after typing in
their own password
* which different expectations do users have on the sudo group?
* the admin group would not be necessary (at least since sudo by default
uses the sudo group)
* On the other hand, adding a third group might be incompatible with
other distros.

My 2ct,
Olaf Mandel




Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread Steve Langasek
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
> On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
> [...]
>
> > On Tuesday 19 October 2010 at 02:12 +0200, Jesús M. Navarro wrote:
> > > What about the old-fashioned wheel group[1]?
> >
> > This would be an even worse disaster than “admin”, for similar reasons.
> > Users of the “wheel” group were not supposed to get root privileges with
> > their own password.
>
> Ok.  But since this group is conceptually the same as the old wheel group,
> one that provides additional special system privileges that empower a user
> to execute restricted commands that ordinary user accounts cannot access,
> why not make a bit of a joke of it?  How about bigwheel (since that's where
> wheel derives from)?

It is *semantically* different.  The worst possible way to implement this is
by overtaking a pre-existing group that *we have defined* to have different
semantics than what it's being proposed for.

Defining a new group that may conflict with existing local groups on
particular installed systems is not much better, but it's as good as we can
get.

> On the other hand, is it really necessary a new group?  Can't adm or operator
> be overloaded with this new functionality? (think Ockham's razor).

No.  Both of those groups also have other meanings.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-19 Thread The Fungi
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
[...]
> On the other hand, is it really necessary a new group?  Can't adm
> or operator be overloaded with this new functionality? (think
> Ockham's razor).

Maybe similarly overloaded, but I've used the built-in staff group
for this for many years. It already gets write access into many
local system folders by default, so not that much of a stretch...
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fu...@yuggoth.org); FINGER(fu...@yuggoth.org);
MUD(kin...@katarsis.mudpy.org:6669); IRC(fu...@irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }





[RFC] disabled root account / distinct group for users with administrative privileges

2010-10-18 Thread Michael Biebl
Hi,

as some of you might know, the Debian installer allows to install a system with
a disabled root account, i.e. there is no root password set for root.
In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
leaving the root password prompt empty.

The lenny installer then added the user, that was created during install, to
/etc/sudoers to grant him administrative privileges.

For squeeze we looked for a better way, especially as PolicyKit is becoming used
by more and more packages and mangling the PolicyKit configuration didn't look
like a sane alternative.

The idea is, to have a distinct group. Members of that group have administrative
privileges using sudo and PolicyKit. The installer then simply has to add the
user to that group, if installed in root-disabled mode.
The relevant bug report for PolicyKit is [1], the one for user-setup [2].


Bdale went ahead and added the following to /etc/sudoers:

# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL


The installer was changed to add the user to group sudo if the system is
installed with root disabled.

For PolicyKit, I can now simply ship a file, say
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:

[Configuration]
AdminIdentities=unix-group:sudo



While I think the idea of using a distinct group for users with administrative
privileges is a very good one, I'm not sure if using the group name sudo is
the right choice, for two reasons:

1/ The sudo group in previous Debian releases had a different meaning: Members
of groups sudo could run sudo without needing a password.

2/ Using the name sudo in context of PolicyKit sounds weird and misleading.


So, I'm wondering if we shouldn't pick a more neutral name without a previous
history in Debian.
One suggestion is to use group admin. Ubuntu has been using that group for
exactly the purpose what we are going for and I think it is a pretty
adequate name.

One concern that was already mentioned is, that the existing group adm and admin
are too similar and prone to mistyping.

I'm a bit undecided atm. While I lean towards using a new group and in that case
the name admin, I also know that we are already late in the squeeze release
cycle and picking a new name will require changes to user-setup and sudo.
policykit-1 hasn't been updated yet, so it'll require a new upload anyway.

Bdale was open to changing the sudo configuration, but he didn't want to drive
this discussion.

I'm very much interested in your feedback on this matter and what others think
is the best way to go and if there is maybe another, even better suggestion for
this group name.

I've also CCed debian-release as I want to know if they'd ack uploads of the
affected packages.


Cheers,
Michael






[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: [RFC] disabled root account / distinct group for users with administrative privileges

2010-10-18 Thread Jesús M. Navarro
Hi, Michael:

On Tuesday 19 October 2010 00:38:41 Michael Biebl wrote:
> Hi,

[...]

> The idea is, to have a distinct group. Members of that group have
> administrative privileges using sudo and PolicyKit.

[...]

> While I think the idea of using a distinct group for users with
> administrative privileges is a very good one, I'm not sure if using the
> group name sudo is the right choice, for two reasons:
>
> 1/ The sudo group in previous Debian releases had a different meaning:
> Members of groups sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.
>
>
> So, I'm wondering if we shouldn't pick a more neutral name without a
> previous history in Debian.

What about the old-fashioned wheel group[1]?

Now, prior to resurrecting the 'wheel' group, please take into account why
there's neither wheel group nor wheel support for su on GNU systems and see
if the concerns are still valid in this new environment.

Cheers.

[1] http://en.wikipedia.org/wiki/Wheel_(Unix_term)

