Re: [RFC] disabled root account / distinct group for users with administrative privileges
Quoting Steve Langasek (vor...@debian.org): On the other hand, is it really necessary a new group? Can't adm or operator be overloaded with this new functionality? (think Ockham's razor). No. Both of those groups also have other meanings. How about the root group? signature.asc Description: Digital signature
Re: [RFC] disabled root account / distinct group for users with administrative privileges
[reply-to set to d-d only] On 20/10/2010 07:12, Christian PERRIER wrote: Quoting Steve Langasek (vor...@debian.org): On the other hand, is it really necessary a new group? Can't adm or operator be overloaded with this new functionality? (think Ockham's razor). No. Both of those groups also have other meanings. How about the root group? This would hurt systems where umask is 002 (or 007) by default (the root group is the primary group of the root user with nobody else in it) Regards, Vincent -- Vincent Danjean GPG key ID 0x9D025E87 vdanj...@debian.org GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87 Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html APT repo: deb http://people.debian.org/~vdanjean/debian unstable main -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4cbe9e22.5070...@free.fr
Re: [RFC] disabled root account / distinct group for users with administrative privileges
[Michael Biebl] One suggestion is to use group admin. Ubuntu has been using that group for exactly the purpose what we are going for and I think it is a pretty adequate name. The Ubuntu use of the group 'admin' have caused some problems here at the university where I work on integrating Ubuntu into our existing infrastructure, because we already have a group 'admin' with the people working at the university administration section. And trust me, all of these should not have administrative privileges on the Ubuntu computers. :) So I would suggest to use a name that is more likely to be unique. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2fl4ochxlvh@login1.uio.no
Re: [RFC] disabled root account / distinct group for users with administrative privileges
On 20/10/2010 11:18, Petter Reinholdtsen wrote: So I would suggest to use a name that is more likely to be unique. unique wrt. what? admin seems unique since not used in Debian yet. Happy hacking, -- Mehdi Dogguy مهدي الدڤي http://dogguy.org/ -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4cbec179.6030...@dogguy.org
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Maybe god ;-) On Wed, Oct 20, 2010 at 8:16 AM, Mehdi Dogguy me...@dogguy.org wrote: On 20/10/2010 11:18, Petter Reinholdtsen wrote: So I would suggest to use a name that is more likely to be unique. unique wrt. what? admin seems unique since not used in Debian yet. Happy hacking, -- Mehdi Dogguy مهدي الدڤي http://dogguy.org/ -- To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4cbec179.6030...@dogguy.org -- Otavio Salvador O.S. Systems E-mail: ota...@ossystems.com.br http://www.ossystems.com.br Mobile: +55 53 9981-7854 http://projetos.ossystems.com.br -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/aanlkti=vdves+9hmzv4bsuxxl03zmqriqir2gbptd...@mail.gmail.com
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit : 1/ The sudo group in previous Debian releases had a different meaning: Members of groups sudo could run sudo without needing a password. Did it exist in previous releases? I don’t recall seeing it in sudoers. 2/ Using the name sudo in context of PolicyKit sounds weird and misleading. I don’t think so, since the configuration snippet makes PK behave like sudo. So, I'm wondering if we shouldn't pick a more neutral name without a previous history in Debian. One suggestion is to use group admin. Ubuntu has been using that group for exactly the purpose what we are going for and I think it is a pretty adequate name. “admin” is a very widespread group name, this is likely to cause huge security issues if members of this group are not supposed to be granted root privileges. I'm a bit undecided atm. While I lean towards using a new group and in that case the name admin, I also know that we are already late in the squeeze release cycle and picking a new name will require changes to user-setup and sudo. policykit-1 hasn't being updated yet, so it'll require a new upload anyway. I think it’s much more important to get this change into squeeze than to bikeshed the group name. Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit : What about the old-fashioned wheel group[1]? This would be an even worse disaster than “admin”, for similar reasons. Users of the “wheel” group were not supposed to get root privileges with their own password. Cheers, -- .''`. Josselin Mouette : :' : `. `' “If you behave this way because you are blackmailed by someone, `-[…] I will see what I can do for you.” -- Jörg Schilling signature.asc Description: This is a digitally signed message part
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Josselin Mouette j...@debian.org writes: Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit : 1/ The sudo group in previous Debian releases had a different meaning: Members of groups sudo could run sudo without needing a password. Did it exist in previous releases? I don’t recall seeing it in sudoers. It's been there as the “exempt from password requirement” group, by using the ‘--with-exempt=sudo’ compile option at least as early as 2002, according to URL:http://bugs.debian.org/151049. -- \“Like the creators of sitcoms or junk food or package tours, | `\ Java's designers were consciously designing a product for | _o__) people not as smart as them.” —Paul Graham | Ben Finney pgpiQJZXNTxRp.pgp Description: PGP signature
Re: [RFC] disabled root account / distinct group for users with administrative privileges
On 19.10.2010 08:15, Josselin Mouette wrote: Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit : 1/ The sudo group in previous Debian releases had a different meaning: Members of groups sudo could run sudo without needing a password. Did it exist in previous releases? I don’t recall seeing it in sudoers. Bdale certainly knows the gory details and can tell us more. But afaicr, sudo was compiled with EXEMPT_GROUP sudo in previous releases. Bdale, please speak up if I tell non-sense here. Can you tell us a bit more about the history of group sudo, please. I think it’s much more important to get this change into squeeze than to bikeshed the group name. I definitely agree that we need to get this change into squeeze and that we need to be careful to not get into bikeshedding about names. On the other hand, choosing a group for a purpose like this should imho be done carefully as changing the name later is hard if not impossible. I'm sorry if I sound a bit overly cautious here and maybe my concerns are unfounded. But that's the reason why I brought this up on debian-devel. Regards, Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: [RFC] disabled root account / distinct group for users with administrative privileges
hi, 2010/10/19 Michael Biebl bi...@debian.org: Hi, Bdale went ahead and added the following to /etc/sudoers: # Allow members of group sudo to not need a password # (Note that later entries override this, so you might need to move # it further down) %sudo ALL=(ALL) ALL First of all: YES! Thanks! I didn't know the possibility of an install with disabled root-login. I use DebIan 90% in a professionell environment and disable root login by hand. So yes, I would prefer an administrative group and would say: disabled root login as default (like logins on GDM). I don't like the idea to do sudo-things without password. I like it to pass my secret, because this is a hint, that I do something system-related. So: I think we need a password here. 1/ The sudo group in previous Debian releases had a different meaning: Members of groups sudo could run sudo without needing a password. 2/ Using the name sudo in context of PolicyKit sounds weird and misleading. Yes, sudo is not a good name for an admin group. Well, admin also, because Domain admin, admin and administrators are to near to windows. I use winbind to get the groups out of the active directory and would prefer unique names for groups. My suggestions are: - debadm - linad (linux-administrator) - uwscp (just a joke: user-with-super-cow-powers; a lean to his APT has Super Cow Powers. ;) ) Greetings, Björn -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/aanlktik0ped_eemqnnkn0rcabt84hqd4ztppjprwq...@mail.gmail.com
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Hi, Josselin: On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote: [...] Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit : What about the old-fashioned wheel group[1]? This would be an even worse disaster than “admin”, for similar reasons. Users of the “wheel” group were not supposed to get root privileges with their own password. Ok. But since this group is conceptually the same than the old wheel group, one that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access, why not make a bit of a joke of it? How about bigwheel (since that's where wheel derives from)? On the other hand, is it really necessary a new group? Can't adm or operator be overloaded with this new functionality? (think Ockham's razor). Cheers. -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201010190948.58805.jesus.nava...@undominio.net
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Le mardi 19 octobre 2010 à 09:58 +0100, Philip Hands a écrit : For PolicyKit, I can now simply ship a file, say /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains: [Configuration] AdminIdentities=unix-group:sudo I would object to 'sudo' being a group of people that can simply become root if they happen to be logged in -- is that what the PolicyKit incantation would allow? No, it leads to them being able to do PolicyKit actions (such as formatting a disk or changing a system default) that require root privileges, with entering their own password. Just as sudo does without NOPASSWD. Cheers, -- .''`. : :' : “You would need to ask a lawyer if you don't know `. `' that a handshake of course makes a valid contract.” `--- J???rg Schilling -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1287479240.10136.10.ca...@meh
Re: [RFC] disabled root account / distinct group for users with administrative privileges
On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl bi...@debian.org wrote: Bdale went ahead and added the following to /etc/sudoers: # Allow members of group sudo to not need a password # (Note that later entries override this, so you might need to move # it further down) %sudo ALL=(ALL) ALL Ah yes -- that's a bug in the comment of course. The comment says (incorrectly) that people in the sudo group don't need a password. It would need a NOPASSWD tag for the comment to be correct. Thankfully, the configuration does the right thing, and requires that the user know their own password to become root. The installer was changed to add the user to group sudo if the system is installed with root disabled. For PolicyKit, I can now simply ship a file, say /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains: [Configuration] AdminIdentities=unix-group:sudo I would object to 'sudo' being a group of people that can simply become root if they happen to be logged in -- is that what the PolicyKit incantation would allow? Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/ |-| HANDS.COM Ltd.http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND pgpy5SflQlIkV.pgp Description: PGP signature
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Am Dienstag, den 19.10.2010, 08:15 +0200 schrieb Josselin Mouette: Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit : -Snipp- So, I'm wondering if we shouldn't pick a more neutral name without a previous history in Debian. One suggestion is to use group admin. Ubuntu has been using that group for exactly the purpose what we are going for and I think it is a pretty adequate name. “admin” is a very widespread group name, this is likely to cause huge security issues if members of this group are not supposed to be granted root privileges. -Snipp- Hi, just a short info from one of the derivative distros: in Ubuntu, the user-setup-udeb adds the following text to sudoers (and creates the admin group, if it doesn't exist): --Cut here-- # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL --Cut here-- The newest Debian equivalent (1.34) adds the user to the sudo group if possible while the older version (1.23) hardcodes the username in sudoers. Personally, I think using the sudo (or the admin) group in Debian would probably be fine: * the current sudo package seems to by default support members of the sudo group as being able to execute arbitrary commands after typing in their own password * which different expectations do users have on the sudo group? * the admin group would not be necessary (at least since sudo by default uses the sudo group) * On the other hand, adding a third group might be incompatible with other distros. My 2ct, Olaf Mandel signature.asc Description: This is a digitally signed message part
Re: [RFC] disabled root account / distinct group for users with administrative privileges
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote: On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote: [...] Le mardi 19 octobre 2010 à 02:12 +0200, Jesús M. Navarro a écrit : What about the old-fashioned wheel group[1]? This would be an even worse disaster than “admin”, for similar reasons. Users of the “wheel” group were not supposed to get root privileges with their own password. Ok. But since this group is conceptually the same than the old wheel group, one that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access, why not make a bit of a joke of it? How about bigwheel (since that's where wheel derives from)? It is *semantically* different. The worst possible way to implement this is by overtaking a pre-existing group that *we have defined* to have different semantics than what it's being proposed for. Defining a new group that may conflict with existing local groups on particular installed systems is not much better, but it's as good as we can get. On the other hand, is it really necessary a new group? Can't adm or operator be overloaded with this new functionality? (think Ockham's razor). No. Both of those groups also have other meanings. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
Re: [RFC] disabled root account / distinct group for users with administrative privileges
On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote: [...] On the other hand, is it really necessary a new group? Can't adm or operator be overloaded with this new functionality? (think Ockham's razor). Maybe similarly overloaded, but I've used the built-in staff group for this for many years. It already gets write access into many local system folders by default, so not that much of a stretch... -- { IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829); WHOIS(STANL3-ARIN); SMTP(fu...@yuggoth.org); FINGER(fu...@yuggoth.org); MUD(kin...@katarsis.mudpy.org:6669); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); } -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20101020015820.ge8...@yuggoth.org
[RFC] disabled root account / distinct group for users with administrative privileges
Hi, as some of you might know, the debian installer allows to install a system with a disabled root account, i.e. there is no root password set for root. In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as leaving the root password prompt empty. The lenny installer then added the user, that was created during install, to /etc/sudoers to grant him administrative privileges. For squeeze we looked for a better way, especially as PolicyKit is becoming used by more and more packages and mangling the PolicyKit configuration didn't look like a sane alternative. The idea is, to have a distinct group. Members of that group have administrative privileges using sudo and PolicKit. The installer then simply has to add the user to that group, if installed in root-disabled mode. The relevant bug reports for PolicyKit is [1], the one for user-setup [2]. Bdale went ahead and added the following to /etc/sudoers: # Allow members of group sudo to not need a password # (Note that later entries override this, so you might need to move # it further down) %sudo ALL=(ALL) ALL The installer was changed to add the user to group sudo if the system is installed with root disabled. For PolicyKit, I can now simply ship a file, say /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains: [Configuration] AdminIdentities=unix-group:sudo While I think the idea of using a distinct group for users with administrative privileges is a very good one, I'm not sure if using the group name sudo is the right choice, for two reasons: 1/ The sudo group in previous Debian releases had a different meaning: Members of groups sudo could run sudo without needing a password. 2/ Using the name sudo in context of PolicyKit sounds weird and misleading. So, I'm wondering if we shouldn't pick a more neutral name without a previous history in Debian. One suggestion is to use group admin. Ubuntu has been using that group for exactly the purpose what we are going for and I think it is a pretty adequate name. One concern that was already mentioned is, that the existing group adm and admin are too similar and prone to mistyping. I'm a bit undecided atm. While I lean towards using a new group and in that case the name admin, I also know that we are already late in the squeeze release cycle and picking a new name will require changes to user-setup and sudo. policykit-1 hasn't being updated yet, so it'll require a new upload anyway. Bdale was open to changing the sudo configuration, but he didn't want to drive this discussion. I'm very much interested in your feedback on this matter and what others think is the best way to go and if there is maybe another, even better suggestion for this group name. I've also CCed debian-release as I want to know if they'd ack uploads of the affected packages. Cheers, Michael [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239 -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Re: [RFC] disabled root account / distinct group for users with administrative privileges
Hi, Michael: On Tuesday 19 October 2010 00:38:41 Michael Biebl wrote: Hi, [...] The idea is, to have a distinct group. Members of that group have administrative privileges using sudo and PolicKit. [...] While I think the idea of using a distinct group for users with administrative privileges is a very good one, I'm not sure if using the group name sudo is the right choice, for two reasons: 1/ The sudo group in previous Debian releases had a different meaning: Members of groups sudo could run sudo without needing a password. 2/ Using the name sudo in context of PolicyKit sounds weird and misleading. So, I'm wondering if we shouldn't pick a more neutral name without a previous history in Debian. What about the old-fashioned wheel group[1]? Now, prior to resurrect the 'wheel' group, please take into account why there's neither wheel group nor wheel support for su on GNU systems and see if the concerns are still valid in this new environment. Cheers. [1] http://en.wikipedia.org/wiki/Wheel_(Unix_term) -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/201010190212.25613.jesus.nava...@undominio.net