Debian Bug report logs - #166718
Please add an option to add users to "useful" groups


Package: adduser; Maintainer for adduser is Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>; Source for adduser is src:adduser.

Reported by: Colin Walters <walters@debian.org>

Date: Mon, 28 Oct 2002 03:06:39 UTC

Owned by: Christian Perrier <bubulle@debian.org>, pkg-shadow-devel@lists.debian.org

Severity: wishlist

Tags: d-i, fixed, fixed-in-experimental

Merged with 212452, 233894, 239006, 240707

Fixed in versions 3.88, adduser/3.90

Done: Marc Haber <mh+debian-packages@zugschlus.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: submit@bugs.debian.org
Subject: missing dh_installdebconf && patch for selecting groups to add initial user to
Date: 27 Oct 2002 20:38:16 -0500
Package: shadow
Severity: important
Tags: patch sid

Hello Karl,

This bug is severity important for two reasons:

1) You forgot to call dh_installdebconf in debian/rules, which means the
passwd.config and passwd.templates aren't installed.
2) You need to have the versioned Build-Depends on debconf be 
(>= 3.0.0), since that's what you use.

I fixed both those problems in the attached patch, plus I added support
for initial groups for the user created during installation.  The
defaults are "audio video cdrom".  This patch was created for the Debian
Desktop subproject; we think the user should have permission to do such
common tasks as play audio and video by default.

Thanks!


[passwd.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@mit.edu>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 166718@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@mit.edu>
To: Colin Walters <walters@debian.org>
Cc: 166718@bugs.debian.org
Subject: Re: Bug#166718: missing dh_installdebconf && patch for selecting groups to add initial user to
Date: Sun, 27 Oct 2002 22:35:32 -0500
>>>>> "Colin" == Colin Walters <walters@debian.org> writes:


    Colin> I fixed both those problems in the attached patch, plus I
    Colin> added support for initial groups for the user created
    Colin> during installation.  The defaults are "audio video cdrom".
    Colin> This patch was created for the Debian Desktop subproject;
    Colin> we think the user should have permission to do such common
    Colin> tasks as play audio and video by default.

A lot of other distributions give these groups to the console user;
why did you adopt the approach of adding the user permanently to these
groups rather than giving the user of the console this access?





Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org. Full text and rfc822 format available.

Message #15 received at 166718@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: Sam Hartman <hartmans@mit.edu>
Cc: 166718@bugs.debian.org
Subject: Re: Bug#166718: missing dh_installdebconf && patch for selecting groups to add initial user to
Date: 28 Oct 2002 00:48:38 -0500
On Sun, 2002-10-27 at 22:35, Sam Hartman wrote:
> >>>>> "Colin" == Colin Walters <walters@debian.org> writes:
> 
> 
>     Colin> I fixed both those problems in the attached patch, plus I
>     Colin> added support for initial groups for the user created
>     Colin> during installation.  The defaults are "audio video cdrom".
>     Colin> This patch was created for the Debian Desktop subproject;
>     Colin> we think the user should have permission to do such common
>     Colin> tasks as play audio and video by default.
> 
> A lot of other distributions give these groups to the console user;

I thought the pam_console or whatever it's called was deemed to be
insecure, since the user could easily create a setgid program owned by
say user.audio, and then use it to play sound after they're logged out. 

> why did you adopt the approach of adding the user permanently to these
> groups rather than giving the user of the console this access?

Well, it was easy and it works...



Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@mit.edu>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org. Full text and rfc822 format available.

Message #20 received at 166718@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@mit.edu>
To: Colin Walters <walters@debian.org>
Cc: 166718@bugs.debian.org
Subject: Re: Bug#166718: missing dh_installdebconf && patch for selecting groups to add initial user to
Date: Mon, 28 Oct 2002 12:19:14 -0500
>>>>> "Colin" == Colin Walters <walters@debian.org> writes:


    Colin> I thought the pam_console or whatever it's called was
    Colin> deemed to be insecure, since the user could easily create a
    Colin> setgid program owned by say user.audio, and then use it to
    Colin> play sound after they're logged out.

Hmm, although not really any less secure than adding the user to the
group permanently.

There's also the Sun approach of chowning the devices but that would
require significant changes to policy so probably not worth it.

Anyway, if you do decide you want help on the PAM front with changes
to the default pam_group config or anything, let me know.




Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Colin Walters <walters@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org. Full text and rfc822 format available.

Message #25 received at 166718@bugs.debian.org (full text, mbox):

From: Colin Walters <walters@debian.org>
To: Sam Hartman <hartmans@mit.edu>
Cc: 166718@bugs.debian.org
Subject: Re: Bug#166718: missing dh_installdebconf && patch for selecting groups to add initial user to
Date: 28 Oct 2002 13:46:25 -0500
On Mon, 2002-10-28 at 12:19, Sam Hartman wrote:

> Hmm, although not really any less secure than adding the user to the
> group permanently.

Yes, I agree.  But my patch for passwd doesn't give all users who use
the console permission to access the devices; it only adds the initial
user to those groups.

So this handles what I think is the common case (single user machine,
single user who wants to play audio/video).

Now, if the administrator wants to grant more people permission to play
audio/video, it's simple enough to add them to the groups.
 
> Anyway, if you do decide you want help on the PAM front with changes
> to the default pam_group config or anything, let me know.

Ok, will do.  Thanks!




Changed Bug title. Request was from kcr@debian.org to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `wishlist'. Request was from kcr@debian.org to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to kcr@debian.org:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. Full text and rfc822 format available.

Message #34 received at 166718@bugs.debian.org (full text, mbox):

From: kcr@debian.org
To: 166718@bugs.debian.org
Subject: this one just bothers me
Date: 22 Aug 2003 17:05:30 -0400
This doesn't make the situation any less confusing, this just puts the
confusion earlier in the install and setup process.

This needs a better list of initial groups, that it *doesn't* ask the user
about, (maybe it mentions them), and the obvious, documented way of adding
new users needs a flag for "console user".

Or we could find/write a pam module that does what Solaris does, or switch to the
(admittedly not 100% s3cur3) pam_group method.  I like this solution much
better; the patch here seems undebianish.

kcr



Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. Full text and rfc822 format available.

Message #39 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Krikket <krikket@gothpoodle.com>, 239006@bugs.debian.org
Cc: 166718@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#239006: installation-report
Date: Sat, 20 Mar 2004 08:46:51 +0100
severity 239006 wishlist
reassign 239006 shadow
retitle 239006 Initial user should be added to useful groups
merge 239006 166718
thanks

Quoting Krikket (krikket@gothpoodle.com):

> I've only had one problem with this install, but it's been a doozy.  With
> luck, you'll be able to help me out with it...  I have no audio output.
> 
> When I boot into a KDE shell, I get an error:
> 
> Error while initializing the sound driver:
> device /dev/dsp can't be opened (Permission denied)
> 
> I have had sound working correctly on this system in the past (with many
> different flavours of linux).  I'm using a Cirrus Logic |Crystal cs4281
> PCI audio controller.  (Built into the motherboard.)
> 
> I was also disappointed to find the video driver wasn't explicitly
> supported (but I do have a kludge that works).  I'm using a 3D Rage Pro
> AGP 1x/2x.  Some linuxes (SuSE) support it, and some don't.  *Shrug*

This is because you are not a member of the audio group.

Assuming you created a user "joe", you should run:

adduser joe audio

(as root)

Then reopen the KDE session and presumably you will get sound... if
your sound card was properly set up, of course.

There is a debate about whether the first created user should be added
to so-called "useful" groups which give access to local peripherals.

This belongs to the "shadow" package instead of core Debian Installer
(however, I imagine that users don't really care about this).

This point is however strongly debated...see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=166718


My opinion about this is that as long as we don't have a better and
cleaner solution, we really should add the first created user to
"useful" groups. This could be an optional question at high priority
(or medium with a default of indeed adding the user....).

Karl (shadow package maintainer), can we find a solution to this?
Otherwise, I highly fear dozens of reports like this as well as
"Debian sound does not work out of the box" for the upcoming reviews
of the next distribution release...




Merged 166718 239006. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#166718; Package shadow. Full text and rfc822 format available.

Acknowledgement sent to Krikket <krikket@gothpoodle.com>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. Full text and rfc822 format available.

Message #46 received at 166718@bugs.debian.org (full text, mbox):

From: Krikket <krikket@gothpoodle.com>
To: Christian Perrier <bubulle@debian.org>
Cc: 239006@bugs.debian.org, <166718@bugs.debian.org>, <control@bugs.debian.org>
Subject: Re: Bug#239006: installation-report
Date: Sat, 20 Mar 2004 03:15:45 -0500 (EST)
On Sat, 20 Mar 2004, Christian Perrier wrote:

> severity 239006 wishlist
> reassign 239006 shadow
> retitle 239006 Initial user should be added to useful groups
> merge 239006 166718
> thanks
>
> Quoting Krikket (krikket@gothpoodle.com):
>
> > I've only had one problem with this install, but it's been a doozy.  With
> > luck, you'll be able to help me out with it...  I have no audio output.
> >
> > When I boot into a KDE shell, I get an error:
> >
> > Error while initializing the sound driver:
> > device /dev/dsp can't be opened (Permission denied)
> >
> > I have had sound working correctly on this system in the past (with many
> > different flavours of linux).  I'm using a Cirrus Logic |Crystal cs4281
> > PCI audio controller.  (Built into the motherboard.)
> >
> > I was also disappointed to find the video driver wasn't explicitly
> > supported (but I do have a kludge that works).  I'm using a 3D Rage Pro
> > AGP 1x/2x.  Some linuxes (SuSE) support it, and some don't.  *Shrug*
>
> This is because you are not a member of the audio group.
>
> Assuming you created a user "joe", you should run:
>
> adduser joe audio
>
> (as root)
>
> Then reopen the KDE session and presumably you will get sound... if
> your sound card was properly set up, of course.

Wow.  I'm impressed by how fast you guys got back to me, thanks!

And yes, doing a "adduser krikket audio" did the trick very nicely.

> There is a debate about whether the first created user should be added
> to so-called "useful" groups which give access to local peripherals.
>
> This belongs to the "shadow" package instead of core Debian Installer
> (however, I imagine that users don't really care about this)

Given that I'm probably the average user (or possibly a user slightly more
knowledgeable than Joe Schmoe...  For example, I have bootstrapped a
Gentoo system into existence.)  But given that, I still don't know exactly
what is the "shadow" package and the "installer" package.  Since it
appears to being done for security purposes, why not add a question to the
installer (or "shadow", as the case may be) if users should be given access
to "audio video cdrom" by default?

> This point is however strongly debated...see
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=166718
>
>
> My opinion about this is that as long as we don't have a better and
> cleaner solution, we really should add the first created user to
> "useful" groups. This could be an optional question at high priority
> (or medium with a default of indeed adding the user....).

While this would take care of the single-user machines, which is probably
the majority of cases out there, it doesn't take care of the desktops that
are used by multiple people.  That's why I'd like to see (to take the
above idea one step further) a question that asks about adding all
users/one user/no users to the "audio video cdrom" groups.

(Which raises another question, are there any other standard default
groups that *aren't* given to the users?  I haven't had much need to look
into that aspect of how linux is set-up before now.)

> Karl (shadow package maintainer), can we find a solution to this ?
> Otherwise, I highly fear dozens of reports like this as well as
> "Debian sound does not work out of the box" for the upcoming reviews
> of the next distribution release...

I hate to say it, but I'm *absolutely* certain that will be the case.
I've been playing around with Debian for a while now, usually by starting
with a derivative and then "upgrading" to unstable.  The only reason I
played with the derivative version was because of the installers they came
with.  It was simply damned easier to set-up.

Given that, it is my honest opinion (after trying SuSE, Red Hat 9.0,
Fedora Core 1, Gentoo, Mandrake, Libranet, Xandros, Knoppix (hard drive
install), FreeBSD, and probably a few flavors that I'm forgetting about
off-hand) that assuming that things run as well as I expect them to, this
will be the version that is the most robust with the easiest install.
Which means that you'll be seeing a lot of people switching...

But if you can grab the code for the "ATI 3D Rage Pro AGP 1x/2x" that SuSE
uses and incorporate the driver, that will make my day.  (Or send along a
pointer to a HOWTO that explains how to do that general sort of thing...)

Once again, you've done great work, and thank you!

As I do the installs on the server and laptop, I'll do the additional
reports...

Krikket





Bug reassigned from package `shadow' to `passwd'. Request was from Karl Ramm <kcr@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `important'. Request was from Karl Ramm <kcr@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sid Request was from Karl Ramm <kcr@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 166718 212452 233894 239006 240707. Request was from Karl Ramm <kcr@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #59 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: debian-cttee@lists.debian.org
Cc: kcr@debian.org, 166718-quiet@bugs.debian.org
Subject: Referring bug #166718 and the initial groups issue to the TC
Date: Wed, 31 Mar 2004 14:15:00 -0500 (EST)

Hi.  After discussing the issue together, the shadow maintainer and I
(PAM maintainer) have decided to refer the issue of initial groups for
users to the TC.  This is not one developer asking the TC to overrule
another; Karl and I are in agreement that the issue is bigger than
either of our packages and that Debian should have a consistent
direction on this issue.

The problem is fairly simple.  Some of our users actually want to use
their systems once they get it installed.  Particularly, they'd like
to be able to do things like play sound, access their floppy drives
and cdroms, etc.  Currently, to do that, you need to be added to
groups that have access to devices.  I think some of this comes from
the FHS rather than just decisions internal to Debian.

Perhaps when Debian and the FHS originally made this decision, users
could be expected to simply add themselves to groups if they noticed
they needed the permissions associated with these groups.  However as
Debian has gained appeal to a wider audience and as peoples'
expectations of usability increase, users want more reasonable
default behavior.

The proposal in bug #166718 and the bugs merged with it is for the
initial user to be added to some set of groups.  Karl does not like
this proposal because it only solves the problem for the initial
user.  That's great until you actually start to take advantage of the
fact your Debian system is multi-user.

Another proposal is to use pam_group to manage these groups.  If
someone is logging in on /dev/tty[0-9] or :0 or :0.0 or one of the
other console devices, give them audio, cdrom and floppy.  This isn't
really all that desirable either because it allows any console user
to permanently gain that group.  In particular, they can create a
setgid executable belonging to that group.

The solution some Solaris environments I'm familiar with use to this
problem is to chown the appropriate devices to the console user.  That
prevents the console user from giving away privileges.  I'm not sure
it's compatible with the FHS, and I'd certainly want buy-in from the
rest of Debian before doing that.  Also, I don't believe we currently
have an implementation of something to do that chowning in
Debian--presumably it would be a PAM module.  I don't have time to
write code to solve this and I don't think Karl does either.


The Redhat pam_console module does seem to do roughly what we want.
In the past people have objected significantly to adding this module
to Debian for security track record reasons.  I don't know how valid
these objections are.

Thanks for your consideration,

--Sam



Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #69 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@debian.org>
To: debian-ctte@lists.debian.org
Cc: kcr@debian.org, 166718-quiet@bugs.debian.org, Sam Hartman <hartmans@debian.org>
Subject: Re: Referring bug #166718 and the initial groups issue to the TC
Date: Thu, 01 Apr 2004 02:42:51 -0600
On Wed, 31 Mar 2004 14:15:00 -0500 (EST), Sam Hartman <hartmans@debian.org> said: 

> The problem is fairly simple.  Some of our users actually want to
> use their systems once they get it installed.  Particularly, they'd
> like to be able to do things like play sound, access their floppy
> drives and cdroms, etc.  Currently, to do that, you need to be added
> to groups that have access to devices.  I think some of this comes
> from the FHS rather than just decisions internal to Debian.

> Perhaps when Debian and the FHS originally made this decision, users
> could be expected to simply add themselves to groups if they noticed
> they needed the permissions associated with these groups.  However
> as Debian has gained appeal to a wider audience and as peoples'
> expectations of usability increase, users want more reasonable
> default behavior.

> The proposal in bug #166718 and the bugs merged with it is for the
> initial user to be added to some set of groups.  Karl does not like
> this proposal because it only solves the problem for the initial
> user.  That's great until you actually start to take advantage of
> the fact your Debian system is multi-user.

	It seems to me that this ought to be local policy. Can you
 explain to me how the proposed solutions take site policy into
 account?  Would it be feasible instead have a simple way of enabling
 one or more users (perhaps a site wide list of users, with exceptions
 for services) to use a specific service?  Would there be security
 issues involved in giving wholesale access to hardware resources?

	Traditionally, UNIX has not been in the practice of
 automatically adding users to groups, and I think we need to be
 careful if we decide to break from universal practice.

	manoj
-- 
Why did the Roman Empire collapse?  What is the Latin for office
automation?
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C



Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #74 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wichert@wiggy.net>
To: debian-ctte@lists.debian.org, kcr@debian.org, 166718-quiet@bugs.debian.org, Sam Hartman <hartmans@debian.org>
Subject: Re: Referring bug #166718 and the initial groups issue to the TC
Date: Thu, 1 Apr 2004 11:01:45 +0200
Previously Manoj Srivastava wrote:
> 	Traditionally, UNIX has not been in the practice of
>  automatically adding users to groups, and I think we need to be
>  careful if we decide to break from universal practice.

A problem is that it simply isn't possible to do it securely currently,
which is why unices have not done this. The standard attacks are
creation of sgid shells as mentioned and starting a long-running process
that keeps an open filehandle on a device long after a user has logged
out and another logged in.

The possible solutions have all been discussed years ago and at that
point we decided to wait until the kernel got a revoke system call which
closes all open filehandles on a file. Using that one can chown a device
to the currently logged in user, and chown it back and revoke all open
filehandles on logout.

If we need to choose between chown and group member my vote would be for
chown, for two reasons:

* it is slightly more secure since it does not create the option for the
  users to create sgid executables
* while this does not allow multiple users on a physical machine (it
  breaks if another user logs in on another virtual console) I doubt
  this is a problem for standard machine usage

It is slightly more fragile than group membership though:

* it breaks if a user logs in on two consoles and then logs out on
  one of them since that will generally leave him without access to
  the device
* if the machine crashes, loses power or otherwise shuts down the
  devices will be left with the wrong owner. This can be fixed in a
  boot-time script of course.

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
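An added audit script, not from this thread or from the shadow/PAM packages, covering the three states Sam and Wichert describe above: who is permanently in the device groups, setgid files belonging to those groups (the artifact a console user could leave behind under pam_group), and device nodes still owned by a user after a chown-on-login without cleanup. All inputs are constructed samples, and the group list is Colin's default plus floppy from Sam's mail.

```python
"""Audit of local device-access state, as discussed in this bug thread.

Three checks, each over a constructed sample input so it runs offline:
  1. which users are permanently members of the device groups,
  2. setgid files whose group is a device group (the persistence
     artifact a console user could leave behind under pam_group),
  3. device nodes still owned by a user, i.e. stale state after a
     crash or missed logout with the chown-on-login approach.
"""
import stat

# Groups Colin's patch adds the initial user to, plus floppy from Sam's mail.
DEVICE_GROUPS = {"audio", "video", "cdrom", "floppy"}

# Constructed /etc/group excerpt (sample data, not from a real system).
SAMPLE_GROUP_FILE = """\
root:x:0:
audio:x:29:joe,alice
cdrom:x:24:joe
floppy:x:25:
video:x:44:joe
users:x:100:joe,alice,bob
"""

# Constructed output of:
#   find / -xdev -type f -perm -2000 -printf '%p %g %m\n'
SAMPLE_SGID_LISTING = """\
/usr/bin/wall tty 2755
/usr/bin/crontab crontab 2755
/home/alice/.cache/play audio 2755
"""

# Constructed (path, owner, group) snapshot of device nodes.
SAMPLE_DEVICES = [
    ("/dev/dsp", "alice", "audio"),
    ("/dev/cdrom", "root", "cdrom"),
    ("/dev/fd0", "root", "floppy"),
]


def device_group_members(group_text):
    """Map each device group to the users who are permanently in it."""
    members = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _password, _gid, users = line.split(":", 3)
        if name in DEVICE_GROUPS:
            members[name] = sorted(u for u in users.split(",") if u)
    return members


def suspicious_sgid_files(listing):
    """Return (path, group) for setgid files whose group is a device group.

    Such a file keeps granting the group after its creator has logged out,
    which is the objection raised against pam_group/pam_console above.
    """
    hits = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        path, group, mode = line.rsplit(" ", 2)
        if group in DEVICE_GROUPS and int(mode, 8) & stat.S_ISGID:
            hits.append((path, group))
    return hits


def stale_device_owners(devices, expected_owner="root"):
    """Return (path, owner) for devices not owned by expected_owner.

    With chown-on-login, a crash or an unmatched logout leaves the device
    owned by the last user; a boot-time reset, as Wichert suggests, fixes it.
    """
    return [(path, owner) for path, owner, _group in devices
            if owner != expected_owner]


if __name__ == "__main__":
    for group, users in device_group_members(SAMPLE_GROUP_FILE).items():
        print(f"group {group}: {', '.join(users) or '(no members)'}")
    for path, group in suspicious_sgid_files(SAMPLE_SGID_LISTING):
        print(f"setgid file in device group {group}: {path}")
    for path, owner in stale_device_owners(SAMPLE_DEVICES):
        print(f"device {path} still owned by {owner}; reset to root at boot")
```

On a real system, feed the script the actual /etc/group, the listed find command's output and a stat walk of /dev instead of the constructed samples.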




Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Raul Miller <moth@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #79 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Raul Miller <moth@debian.org>
To: debian-ctte@lists.debian.org
Cc: 166718-quiet@bugs.debian.org
Subject: policies for access to local resources
Date: Thu, 1 Apr 2004 07:29:40 -0500
On Wed, 31 Mar 2004 14:15:00 -0500 (EST), Sam Hartman <hartmans@debian.org> said: 
> The proposal in bug #166718 and the bugs merged with it is for the
> initial user to be added to some set of groups.  Karl does not like
> this proposal because it only solves the problem for the initial
> user.  That's great until you actually start to take advantage of the
> fact your Debian system is multi-user.
> 
> Another proposal is to use pam_group to manage these groups.  If
> someone is logging in on /dev/tty[0-9] or :0 or :0.0 or one of the
> other console devices, give them audio, cdrom and floppy.  This isn't
> really all that desirable either because it allows any console user
> to permanently gain that group.  In particular, they can create a
> setgid executable belonging to that group.
> 
> The solution some Solaris environments I'm familiar with use to this
> problem is to chown the appropriate devices to the console user.  That
> prevents the console user from giving away privileges.  I'm not sure
> it's compatible with the FHS, and I'd certainly want buy-in from the
> rest of Debian before doing that.  Also, I don't believe we currently
> have an implementation of something to do that chowning in
> Debian--presumably it would be a PAM module.  I don't have time to
> write code to solve this and I don't think Karl does either.
> 
> The Redhat pam_console module does seem to do roughly what we want.
> In the past people have objected significantly to adding this module
> to Debian for security track record reasons.  I don't know how valid
> these objections are.

I think the pam_console idea is the best solution available for the
widest audience.

However, it would probably be a good idea to give the people who have
security concerns an easy way of avoiding this solution when building
large sets of machines.

One solution for people with security concerns [I've not looked at pam
close enough to see how doable this is] might be to create a "hardened"
package which satisfies the pam_console dependency, and conflicts with
the real pam_console, and in some way addresses the config file issue,
and provides no pam functionality whatsoever (so it's obvious it can't do
the ownership munging).  This could then be made a part of the "harden"
task...

We're already doing things which I consider to have a much higher
security risk.  (For example, we are building kde with a dependency on
fam which requires rpc, and last time I checked there was no easy way to
lock rpc down so that it would be as secure as pam_console's ownership
changing on device files).

One other note: some people might want to use the "all home users are in
the device specific groups" mechanism.  For example, pam_console doesn't
do the right thing for a multiple-console machine (those are rare, but
not impossible with a bit of kernel hacking, and this is just an example).
For example, pam_console doesn't do the right thing for a network of home
machines where someone wants to remote in and access the sound system...
I didn't see anything in your proposal to get rid of support for device
groups, but I wanted to mention that device groups would still have some
value to some people.

And I agree with Wichert that cleanup (for example, at boot time) would
be important with pam_console.

Thanks,

-- 
Raul



Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #84 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wichert@wiggy.net>
To: debian-ctte@lists.debian.org, 166718-quiet@bugs.debian.org
Subject: Re: policies for access to local resources
Date: Thu, 1 Apr 2004 14:38:04 +0200
Previously Raul Miller wrote:
> However, it would probably be a good idea to give the people who have
> security concerns an easy way of avoiding this solution when building
> large sets of machines.

This is largely orthogonal to the current issue, but it would be nice if
d-i had a 'select machine type' option where people could select between
'private machine on private network', 'shared machine with trusted
users', 'shared machine with untrusted users', 'server' or something
similar which would affect:

* default firewall (block/allow all incoming connections)
* package selection (do/don't install pam_console for example)

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.




Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Raul Miller <moth@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #89 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Raul Miller <moth@debian.org>
To: debian-ctte@lists.debian.org, 166718-quiet@bugs.debian.org
Subject: Re: policies for access to local resources
Date: Thu, 1 Apr 2004 07:55:40 -0500
On Thu, Apr 01, 2004 at 02:38:04PM +0200, Wichert Akkerman wrote:
> This is largely orthogonal to the current issue, but it would be nice if
> d-i had a 'select machine type' option where people could select between
> 'private machine on private network', 'shared machine with trusted
> users', 'shared machine with untrusted users', 'server' or something
> similar which would affect:
> 
> * default firewall (block/allow all incoming connections)
> * package selection (do/don't install pam_console for example)

You're right that this is largely orthogonal to the current issue.

However, I do not think it's largely orthogonal to the solution space we
need to be addressing to resolve this local resources issue.  This issue
came up at least in part because of our current approach to security
administration and machine configuration.

It would probably be appropriate to issue some longer-term advice in
addition to any recommendations on pam_console.

-- 
Raul



Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Raul Miller <moth@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #94 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Raul Miller <moth@debian.org>
To: debian-ctte@lists.debian.org, 166718-quiet@bugs.debian.org
Subject: Re: policies for access to local resources
Date: Thu, 1 Apr 2004 13:25:40 -0500
On Thu, Apr 01, 2004 at 02:38:04PM +0200, Wichert Akkerman wrote:
> This is largely orthogonal to the current issue, but it would be nice if
> d-i had a 'select machine type' option where people could select between
> 'private machine on private network', 'shared machine with trusted
> users', 'shared machine with untrusted users', 'server' or something
> similar which would affect:
> 
> * default firewall (block/allow all incoming connections)
> * package selection (do/don't install pam_console for example)

After thinking about this a bit more, a useful implementation would
have to address a number of things (what happens when the option is
changed? How does a user tune this kind of policy?) all focused around
the user learning more about what they want to do.

I don't think a simple install time option would be adequate, though we
probably do need something like this.

-- 
Raul



Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #99 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: debian-ctte@lists.debian.org
Cc: kcr@debian.org, 166718-quiet@bugs.debian.org
Subject: Re: Referring bug #166718 and the initial groups issue to the TC
Date: Thu, 01 Apr 2004 22:19:42 -0500
>>>>> "Manoj" == Manoj Srivastava <srivasta@debian.org> writes:

    Manoj> On Wed, 31 Mar 2004 14:15:00 -0500 (EST), Sam Hartman
    Manoj> <hartmans@debian.org> said:
    Manoj> 	It seems to me that this ought to be local policy. Can
    Manoj> you explain to me how the proposed solutions take site
    Manoj> policy into account?  

Well, adding the initial user to groups does not take site policy into
account at the present time, because there is not really a point in
the current install to give a system a site policy before the initial
user is created.  If a local administrator wishes to enforce site
policy they can either decline the install's option of an initial user
or remove the initial user from groups.

A pam_group approach would presumably involve having changes to the
default /etc/security/group.conf.  That file is a configuration file
and by its nature an expression of site policy; admins wishing to
enforce a different policy could modify that file.  Debian policy
requires that changes to a configuration file be preserved.


The pam_console approach would presumably live in
/etc/security/console.* and /etc/pam.d/common-session.  Those files
are either conffiles or configuration files and as such are
expressions of policy.



    Manoj> Would it be feasible instead have a
    Manoj> simple way of enabling one or more users (perhaps a site
    Manoj> wide list of users, with exceptions for services) to use a
    Manoj> specific service?  

I cannot think of a simple design for this in 30 seconds that seems to
meet the needs of users to have more friendly defaults and that would
work across a wide range of configurations.  However the really good
answers rarely come from 30 seconds of thought.


    Manoj> Would there be security issues involved
    Manoj> in giving wholesale access to hardware resources?

To everyone?  Yes.  As an example, giving someone access to sound
devices might turn a Debian system into a hidden microphone for the
use of spies.  Giving access to removable storage might allow a remote
user to gain access to a PGP key someone had on removable USB storage.

But for a large class of machines--single user workstations--giving
the console user or primary machine owner access to hardware resources
is desirable and consistent with reasonable security policies for that
class of machine.  Again, we are discussing defaults, not fundamental
changes to what is possible with the Debian security architecture.



    Manoj> 	Traditionally, UNIX has not been in the practice of
    Manoj> automatically adding users to groups, and I think we need
    Manoj> to be careful if we decide to break from universal
    Manoj> practice.

Agreed.  Traditionally, however, Unix has not been in the practice of
being easy to use.  We should be careful, not hidebound.




Information stored:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Raul Miller <moth@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #104 received at 166718-quiet@bugs.debian.org (full text, mbox):

From: Raul Miller <moth@debian.org>
To: Sam Hartman <hartmans@debian.org>
Cc: debian-ctte@lists.debian.org, kcr@debian.org, 166718-quiet@bugs.debian.org
Subject: Re: Referring bug #166718 and the initial groups issue to the TC
Date: Thu, 1 Apr 2004 22:54:21 -0500
On Thu, Apr 01, 2004 at 10:19:42PM -0500, Sam Hartman wrote:
> Agreed.  Traditionally, however, Unix has not been in the practice of
> being easy to use.  We should be careful, not hidebound.

That depends.

Once upon a time, security wasn't much of an issue, and ease of use for
the casual user was a significant priority.

Of course, at that time, the casual user community was mostly developers
and computer science academics, and we're still fighting a few battles
to close security holes which were left open from back then.

[I'm thinking of stuff like sendmail wizard mode, internet protocols,
and fixed length buffers.]

-- 
Raul



Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Karl Hegbloom <hegbloom@pdx.edu>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. Full text and rfc822 format available.

Message #109 received at 166718@bugs.debian.org (full text, mbox):

From: Karl Hegbloom <hegbloom@pdx.edu>
To: 166718@bugs.debian.org
Subject: Special new kind of group, or pam_acl ?
Date: Wed, 07 Jul 2004 00:32:29 -0700
There almost ought to be a new kind of group membership --- one that
grants access to a device or file owned by that group, but that does not
allow one to create files owned by that group.  Perhaps a set of system
groups within some range could be set up (by a kernel patch) such that
only root can make files or devices owned by those groups?

Another idea is to make a pam_acl module that sets POSIX ACL's for the
devices in question, granting access to the user...  There would need to
be a reference count, perhaps, stored in the extended attributes, to
solve that log in on two consoles problem.  Then there would need to be
a tool to reset the reference count for times when it gets messed up.

-- 
Karl Hegbloom <hegbloom@pdx.edu>




Tags removed: d-i Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #116 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: control@bugs.debian.org
Cc: 166718@bugs.debian.org
Subject: Lower severity of this bug
Date: Thu, 24 Mar 2005 20:26:00 +0100
severity 166718 wishlist
tags 166718 confirmed d-i
tags 300892 confirmed
tags 298060 confirmed
tags 280212 confirmed
retitle 300892 passwd: Missing references to /etc/login.defs and login.defs(5) in diverse manpages
retitle 298060 Please don't install login as setuid root
retitle 280212 lastlog: fails when high UID's present
thanks

As the motivation for an important severity has vanished along with
the package development (missing dh_installdebconf), this bug now can
be sorted as a wishlist bug. It is mostly related to d-i as the initial
user is only created during base-config runs.

In the same time, I remove other title rewrites I did previously which,
after more thinking are not really useful. I prefer using the
"confirmed" tag to ACK that we will work on this (but after sarge
release).

And the bug triage continues..:-)

-- 





Severity set to `wishlist'. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: confirmed, d-i Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Owner recorded as Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Owner changed from Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org to Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #137 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 166718@bugs.debian.org, libpam-runtime@packages.debian.org, vorlon@debian.org
Subject: Using pam_group to give access to "useful" groups?
Date: Fri, 7 Oct 2005 18:47:02 +0200
(Steve CC'ed as I'm unsure that libpam-runtime@p.d.o will reach you otherwise)

In a desperate attempt to deal with #166718, #212452, #233894,
#239006, #240707 all requesting the very same thing with different
wording, I tried to use pam_group to see whether it can achieve what's
requested in these bugs (basically, give access to some groups to
"console" users).

I added the following in /etc/pam.d/common-auth:
(just to make it simple, actually)

auth       optional   pam_group.so

Then in /etc/security/group.conf:

# Useful groups for console users
*;tty*&!ttyp*&:0;*;Al0000-2400;audio cdrom floppy games plugdev video

The ":0" is here to give access to users logged through a display
manager such as gdm/kdm/xdm:


bubulle@mykerinos:~/tmp/mutt> who
root     tty1         Oct  7 17:31
bubulle  :0           Oct  7 18:33
spongebo :1           Oct  7 18:33

(Yes, I run two displays on my laptop, bubulle being logged on one and
spongebob on another one and, yes, I'm a Sponge Bob fan)

However, while it works fairly well for users logged on tty terminal,
I can't manage to get this working for X users.

So, a few questions I have:

1) is using pam_group a completely silly solution which will never be
implemented by default because of limitations mentioned in the PAM doc
(users can compile a setgid binary and have it run a shell so that
they get access to the group even when they're not on the authorized
terminal) ?

2) do I use the right syntax in /etc/security/group.conf? Obviously
not, but what is then the right syntax? :-)





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #142 received at 166718@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Christian Perrier <bubulle@debian.org>
Cc: 166718@bugs.debian.org, libpam-runtime@packages.debian.org
Subject: Re: Using pam_group to give access to "useful" groups?
Date: Fri, 7 Oct 2005 15:42:41 -0700
On Fri, Oct 07, 2005 at 06:47:02PM +0200, Christian Perrier wrote:
> (Steve CC'ed as I'm unsure that libpam-runtime@p.d.o will reach you otherwise)

Correct, it wouldn't.

> In a desperate attempt to deal with #166718, #212452, #233894,
> #239006, #240707 all requesting the very same thing with different
> wording, I tried to use pam_group to see whether it can achieve what's
> requested in these bugs (basically, give access to some groups to
> "console" users).

> bubulle@mykerinos:~/tmp/mutt> who
> root     tty1         Oct  7 17:31
> bubulle  :0           Oct  7 18:33
> spongebo :1           Oct  7 18:33

> (Yes, I run two displays on my laptop, bubulle being logged on one and
> spongebob on another one and, yes, I'm a Sponge Bob fan)

> However, while it works fairly well for users logged on tty terminal,
> I can't manage to get this working for X users.

Hah!  Thanks for testing this; I was just looking over the pam_group code
the other day while preparing to get Debian PAM patch 012 integrated
upstream, and I had reached the conclusion that it couldn't actually work
for X users... :)

> 1) is using pam_group a completely silly solution which will never be
> implemented by default because of limitations mentioned in the PAM doc
> (users can compile a setgid binary and have it run a shell so that
> they get access to the group even when they're not on the authorized
> terminal) ?

Yes, pam_group should never be part of the default PAM config because of
the mentioned security holes, and users should be discouraged from using it.
A user should either be part of the group or not be part of the group; using
pam_group is equivalent to saying that the user is part of the group.

Now, as long as the admin *understands* this (which is fairly rare), and is
just using pam_group as shorthand for saying "all users that have physical
access to the machine have access to this group", then it's not a security
hole.  And since we do still ship pam_group in Debian (and upstream), we
might as well fix the bugs that keep it from working for X.

> 2) do I use the right syntax in /etc/security/group.conf? Obviously
> not, but what is then the right syntax? :-)

Just to be sure, can you change your config to look like either this

 *;tty*&!ttyp*;*;Al0000-2400;audio cdrom floppy games plugdev video
 *;:0;*;Al0000-2400;audio cdrom floppy games plugdev video

or this

 *;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video

?  I think you do have an error in your config, because no tty name can ever
simultaneously satisfy the constraints "tty*", "!ttyp*", and ":0".  But I
also think that it still won't work after you fix this, due to the bug in
the pam_group patch.  If you still don't get the groups you're expecting on
:0, I can put together an updated patch for pam_groups which I'd appreciate
it if you could test.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

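Steve's observation that no terminal name can satisfy "tty*", "!ttyp*" and ":0" at the same time can be checked with a small model of group.conf matching. This is an added example, not pam_group's own code; it assumes the logic fields are evaluated left to right without operator precedence and treats the times field as always matching (every rule in the thread uses Al0000-2400).

```python
"""Model of the pam_group group.conf matching discussed in this thread.

Added example, not pam_group's own code. A group.conf rule has five
';'-separated fields: services;ttys;users;times;groups. The services,
ttys and users fields are "logic lists": glob patterns ('*' matches any
string) joined by '&' (and) or '|' (or), each optionally negated with a
leading '!'. This model evaluates such a list strictly left to right with
no operator precedence (an assumption of the model) and treats the times
field as always matching, since every rule in the thread uses Al0000-2400.
"""
import fnmatch
import re

# Either an operator ('&' or '|') or one optionally-negated glob pattern.
_TOKEN = re.compile(r"([&|])|(!?[^&|]+)")


def logic_list_matches(field, value):
    """Evaluate a services/ttys/users logic list against one value."""
    result = None   # accumulated truth value, None until the first pattern
    op = "&"
    for sep, item in _TOKEN.findall(field):
        if sep:
            op = sep
            continue
        negate = item.startswith("!")
        pattern = item[1:] if negate else item
        hit = fnmatch.fnmatchcase(value, pattern)
        if negate:
            hit = not hit
        if result is None:
            result = hit
        elif op == "&":
            result = result and hit
        else:
            result = result or hit
    return bool(result)


def groups_for(conf_lines, tty, service="login", user="bubulle"):
    """Return the extra groups that the given group.conf rules grant to
    `user` logging in via `service` on `tty` (duplicates removed)."""
    granted = []
    for raw in conf_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError("malformed group.conf rule: %r" % line)
        services, ttys, users, _times, groups = fields
        if (logic_list_matches(services, service)
                and logic_list_matches(ttys, tty)
                and logic_list_matches(users, user)):
            for g in groups.split():
                if g not in granted:
                    granted.append(g)
    return granted


GROUPS = "audio cdrom floppy games plugdev video"

# The rule from the first message in this exchange: three AND-ed constraints.
ORIGINAL_CONF = [
    "# Useful groups for console users",
    "*;tty*&!ttyp*&:0;*;Al0000-2400;" + GROUPS,
]

# The two-line replacement that was reported to work.
FIXED_CONF = [
    "*;tty*&!ttyp*;*;Al0000-2400;" + GROUPS,
    "*;:0;*;Al0000-2400;" + GROUPS,
]

# Terminal names taken from the `who` output quoted in the thread, plus a
# pseudo-terminal that the '!ttyp*' clause is meant to exclude (constructed).
TTYS = ["tty1", ":0", ":1", "ttyp0"]


def matching_ttys(conf_lines):
    """Which of TTYS receive any group under the given rules."""
    return [t for t in TTYS if groups_for(conf_lines, t)]


if __name__ == "__main__":
    # Nothing can be both 'tty*' and ':0', so the original rule grants nothing.
    print("original rule grants groups on:", matching_ttys(ORIGINAL_CONF))
    # The fix covers tty logins and display :0, but not the second display :1.
    print("fixed rules grant groups on:   ", matching_ttys(FIXED_CONF))
    print("groups on :0 ->", groups_for(FIXED_CONF, ":0"))
```

Note that the corrected rules still leave the second display (:1 in the quoted `who` output) without the groups, so a rule per display is needed.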
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #147 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 166718@bugs.debian.org, libpam-runtime@packages.debian.org
Subject: Re: Using pam_group to give access to "useful" groups?
Date: Sat, 8 Oct 2005 10:30:56 +0200
> Just to be sure, can you change your config to look like either this
> 
>  *;tty*&!ttyp*;*;Al0000-2400;audio cdrom floppy games plugdev video
>  *;:0;*;Al0000-2400;audio cdrom floppy games plugdev video

*this* works

> 
> or this
> 
>  *;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video


this will probably work





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #152 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 166718@bugs.debian.org, libpam-runtime@packages.debian.org
Subject: Re: Using pam_group to give access to "useful" groups?
Date: Sat, 8 Oct 2005 10:43:25 +0200
> or this
> 
>  *;tty*&!ttyp*|:0;*;Al0000-2400;audio cdrom floppy games plugdev video


That one doesn't work.





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #157 received at 166718@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Christian Perrier <bubulle@debian.org>
Cc: 166718@bugs.debian.org, libpam-runtime@packages.debian.org
Subject: Re: Using pam_group to give access to "useful" groups?
Date: Sat, 8 Oct 2005 02:13:14 -0700
On Sat, Oct 08, 2005 at 10:30:56AM +0200, Christian Perrier wrote:
> > Just to be sure, can you change your config to look like either this

> >  *;tty*&!ttyp*;*;Al0000-2400;audio cdrom floppy games plugdev video
> >  *;:0;*;Al0000-2400;audio cdrom floppy games plugdev video

> *this* works

Ok, then I guess I didn't see the bug I thought I saw. :)

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #162 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 166718@bugs.debian.org, libpam-runtime@packages.debian.org, vorlon@debian.org, adduser@packages.debian.org
Subject: Re: Bug#166718: Using pam_group to give access to "useful" groups?
Date: Sat, 8 Oct 2005 11:28:59 +0200
(maybe asking -ctte should be done)

This is an attempt to, again, summarize the situation about #166718
and related bugs.

In short, the question is: how can we choose a method to make it easy for
people with physical access to the console to use its devices (sound,
cdrom, plugged devices...) and NOT compromise security.

The initial request was for passwd to "add the first created user to
useful groups" in the install process (currently D-I 2nd stage).

The former maintainer of passwd, Karl Ramm, was very reluctant to add
this as is to passwd config script.

In the meantime, the D-I team added a hack to do this in D-I 2nd
stage...which explains the request doesn't come often now.

Several suggestions have been made to do this:

1) use pam_console (used by Redhat) to give all users connected to the
   "console" access to a bunch of groups

2) use pam_group for barely the same purpose

3) hard-code the "useful" groups in passwd.config

4) keep the current situation and let this to the D-I team

1) and 2) have the same security implications-->granting groups access
to anyone using the console allows this user to hack a setgid binary
and have it launch a shell later, even when not connected at the
console
Activating pam_group in common-auth seems OK but not with the lines
that would be required in /lib/security/group.conf

3) is possible but seems to be a hack

4) (the current solution) is a similar hack

I'd like to propose another approach:

Add a "--useful-groups" switch to Debian's adduser and keep a list of
useful groups in this package's default adduser.conf file.

For sure, this moves the pressure of keeping a list of "useful" groups
to Marc Haber and adduser maintainers...but it would have the
advantage to offer admins an easy way to add users to these "useful"
groups without knowing the complete list.


Thoughts, opinions, flames? I'd really like to get rid of this
bug...:-)





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #167 received at 166718@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Christian Perrier <bubulle@debian.org>
Cc: 166718@bugs.debian.org, libpam-runtime@packages.debian.org, vorlon@debian.org, adduser@packages.debian.org
Subject: Re: [Adduser-devel] Re: Bug#166718: Using pam_group to give access to "useful" groups?
Date: Sat, 8 Oct 2005 15:41:28 +0200
On Sat, Oct 08, 2005 at 11:28:59AM +0200, Christian Perrier wrote:
> For sure, this moves the pressure of keeping a list of "useful" groups
> to Marc Haber and adduser maintainers...

I am going to accept a patch from somebody who agrees to become
co-maintainer of adduser. I am not going to accept a patch which
increases my support burden.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #172 received at 166718@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 166718@bugs.debian.org, libpam-runtime@packages.debian.org, vorlon@debian.org, adduser@packages.debian.org
Subject: Re: [Adduser-devel] Re: Bug#166718: Using pam_group to give access to "useful" groups?
Date: Sun, 9 Oct 2005 09:14:41 +0200
Quoting Marc Haber (mh+debian-packages@zugschlus.de):
> On Sat, Oct 08, 2005 at 11:28:59AM +0200, Christian Perrier wrote:
> > For sure, this moves the pressure of keeping a list of "useful" groups
> > to Marc Haber and adduser maintainers...
> 
> I am going to accept a patch from somebody who agrees to become
> co-maintainer of adduser. I am not going to accept a patch which
> increases my support burden.

So, I'm afraid that the direction to go is:

-reassign these bugs to adduser

-find help for Marc

I'm not fond of reassigning bugs to adduser because I know the
situation about this package and Marc desperately needing help to
maintain it.

Maybe time for another call for help for adduser (IIRC, you already
posted some, Marc). I'm really sad that some of our
key packages cannot receive enough attention while we keep getting
bunch of crappy new packages no one cares about, in the archive.

If we go this way, I intend to post a message to -devel (or even
-devel-announce) with these ideas (probably not the "crappy packages"
part)...and do my best to have it published in DWN.






Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org:
Bug#166718; Package passwd. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Christian Perrier <bubulle@debian.org>,pkg-shadow-devel@lists.debian.org. Full text and rfc822 format available.

Message #177 received at 166718@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Christian Perrier <bubulle@debian.org>
Cc: 166718@bugs.debian.org, libpam-runtime@packages.debian.org, vorlon@debian.org, adduser@packages.debian.org
Subject: Re: [Adduser-devel] Re: Bug#166718: Using pam_group to give access to "useful" groups?
Date: Sun, 9 Oct 2005 09:27:13 +0200
On Sun, Oct 09, 2005 at 09:14:41AM +0200, Christian Perrier wrote:
> So, I'm afraid that the direction to go is:
> 
> -reassign these bugs to adduser
> 
> -find help for Marc

I would also accept a replacement instead of help.

> I'm not fond of reassigning bugs to adduser because I know the
> situation about this package and Marc desperately needing help to
> maintain it.

I do not have a problem with having bugs rotting away in the BTS.
Usertags will help in sorting out the bugs.

> Maybe time for another call for help for adduser (IIRC, you already
> posted some, Marc).

Yes, there was response about a rewrite in C, but the author of that
rewrite decided to go a way I am not too fond about (not calling any
backends but doing the work himself), and the effort seems to have
kind of stalled. I have been receiving a lot of cleanup patches from
Jörg Hoh, and he has received commit privileges to the SVN repository
yesterday, but he doesn't intend to become DD in the foreseeable future.

> I'm really sad that some of our
> key packages cannot receive enough attention while we keep getting
> bunch of crappy new packages noone cares about, in the archive.

I am guilty of that as well, but I took over adduser because it needed
work to do the job I wanted it to do - so that approach kind of worked.

> If we go this way, I intend to post a message to -devel (or even
> -devel-announce) with these ideas (probably not the "crappy packages"
> part)...and do my best to have it published in DWN.

Go ahead.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: wontfix, patch, confirmed Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Bug reassigned from package `passwd' to `adduser'. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `adduser' to `adduser'. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Blocking bugs added: 166718, 212452, 233894, 239006, and 240707 Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed-in-experimental Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org. Full text and rfc822 format available.


Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Colin Walters <walters@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #216 received at 166718-done@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Marc Haber <mh+debian-packages@zugschlus.de>, 147518-done@bugs.debian.org, 166718-done@bugs.debian.org, 212452-done@bugs.debian.org, 233894-done@bugs.debian.org, 239006-done@bugs.debian.org, 240707-done@bugs.debian.org, 240855-done@bugs.debian.org, 351968-done@bugs.debian.org, 357978-done@bugs.debian.org, 366885-done@bugs.debian.org, 367213-done@bugs.debian.org, 367380-done@bugs.debian.org, 370030-done@bugs.debian.org, 372599-done@bugs.debian.org
Subject: Bugs fixed in experimental
Date: Wed, 14 Jun 2006 10:12:38 +0200
Version: 3.88

The following bugs have been fixed in adduser 3.88 which is currently
in Debian experimental:

  147518 166718 212452 233894 239006 240707 240855
  351968 357978 366885 367213 367380 370030 372599

Bug reporters, if you happen to use unstable, please give 3.88 a try
to discover any breakage introduced with the new code. I plan to
upload 3.89 to unstable in about ten days, so you'll get the breakage
anyway if you don't discover it now.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Carl <eyeyam@heavybias.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Josselin Mouette <joss@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Krikket <krikket@gothpoodle.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Gatzemeier <c.gatzemeier@tu-bs.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Tags added: fixed Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Colin Walters <walters@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #251 received at 166718-close@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 166718-close@bugs.debian.org
Subject: Bug#166718: fixed in adduser 3.90
Date: Fri, 23 Jun 2006 07:32:07 -0700
Source: adduser
Source-Version: 3.90

We believe that the bug you reported is fixed in the latest version of
adduser, which is due to be installed in the Debian FTP archive:

adduser_3.90.dsc
  to pool/main/a/adduser/adduser_3.90.dsc
adduser_3.90.tar.gz
  to pool/main/a/adduser/adduser_3.90.tar.gz
adduser_3.90_all.deb
  to pool/main/a/adduser/adduser_3.90_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 166718@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated adduser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 23 Jun 2006 14:23:00 +0000
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.90
Distribution: unstable
Urgency: low
Maintainer: Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description: 
 adduser    - Add and remove users and groups
Closes: 147518 166718 212452 233894 239006 240707 240855 351968 357978 366885 367213 367380 370030 372599 374316
Changes: 
 adduser (3.90) unstable; urgency=low
 .
   * 3.89 is not an NMU, I botched up the changelog. Fixing.
 .
 adduser (3.89) unstable; urgency=low
 .
   * Add additional check to testsuite/test8.pl to make sure system users are
     not added to extra groups. (sg)
   * New translations:
     - lt (Gintautas Miliauskas <gintas@akl.lt>) (sg) Closes: #374316
   * 3.88 was in experimental for a week without any bug reports.
   * now upload to unstable to let potential breakage begin.
 .
 adduser (3.88) experimental; urgency=low
 .
   [ Marc Haber ]
   * experimental version
   * Update French (fr) program translation.
     Thanks to Thomas Huriaux. Closes: #366885
   * Update French (fr) manpage translation.
     Thanks to Nicolas François. Closes: #367380
   * Apply two small patches to deluser man page.
     Thanks to Florentin Duneau. Closes: #367213
   * Update Italian (it) program and manpage translations.
     Thanks to Luca Monducci. Closes: #370030
   * Standards-Version: 3.7.2, no changes necessary.
 .
   [ Stephen Gran ]
   * allow additional groups to be used for a new user.
     Closes: #147518, #166718, #212452, #233894, #239006, #240707, #240855
   * test 8 now adds a group, and adds the new user to that group - this should
     ensure that the new additional groups feature does not get invoked for
     'adduser to group' code paths
   * Fix "adduser: adduser:" output of error messages.
   * Fix error messages like "foo ", gtx( ..., which does not produce
     output at all. Closes: #351968
   * Honor system PATH, do not hard-code paths to sub-programs.
     Closes: #357978
   * deluser should match its documentation, and exit 0 when asked to remove a
     system user that doesn't exist. Closes: #372599
Files: 
 472952b16a34235730954de422ba3b45 645 admin important adduser_3.90.dsc
 c1c1bd8dc8700c6457a30145e8f6e18f 217270 admin important adduser_3.90.tar.gz
 5d2f069404c3cf0ba41e9c8d0b444545 161918 admin important adduser_3.90_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEm/nmgZalRGu6PIQRAtouAJ41L1parmxhDT0qKMDs+pRnyhsBRQCgsOPW
I34N2H/1wcqSyCosvgA6lDU=
=nXiV
-----END PGP SIGNATURE-----
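The 3.88 changelog above says the new extra-groups feature must not apply to system users (test8 checks this). As an added audit example, not adduser's own code, the following scans passwd(5)/group(5) data for system accounts that ended up in those groups; the uid cut-off (1000) and the group list ("audio video cdrom" from the original report) are assumptions.

```python
# Added example, not adduser's own code: audit passwd(5)/group(5) data for
# system accounts that sit in the "extra groups" given to new desktop users,
# the property adduser 3.88's test8 protects. Assumptions: uids below
# FIRST_UID (1000) are system accounts, and the extra groups are the
# "audio video cdrom" defaults named in the original bug report.
FIRST_UID = 1000                              # assumption (adduser.conf default)
EXTRA_GROUPS = {"audio", "video", "cdrom"}    # defaults from the bug report

def parse_passwd(text):
    """Return {username: uid} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users

def parse_group(text):
    """Return {groupname: set of member names} from group(5)-formatted text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def is_system_user(uid):
    return uid < FIRST_UID

def find_violations(passwd_text, group_text, extra_groups=EXTRA_GROUPS):
    """List (user, group) pairs where a system account is in an extra group."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return [
        (member, g)
        for g in sorted(extra_groups)
        for member in sorted(groups.get(g, ()))
        if member in users and is_system_user(users[member])
    ]

# Constructed sample: www-data (uid 33) is wrongly in audio; alice is fine.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
                 "alice:x:1000:1000::/home/alice:/bin/bash\n")
SAMPLE_GROUP = "audio:x:29:alice,www-data\nvideo:x:44:alice\ncdrom:x:24:\n"

if __name__ == "__main__":
    for user, group in find_violations(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"system account {user} is a member of extra group {group}")
```

On a real host, feed it the contents of /etc/passwd and /etc/group; an empty result means no system account has picked up the desktop-user groups.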




Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Carl <eyeyam@heavybias.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Josselin Mouette <joss@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Krikket <krikket@gothpoodle.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Gatzemeier <c.gatzemeier@tu-bs.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 11:12:45 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:39:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.