Debian Bug report logs -
#693218
adduser --system should default to --group
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>:
Bug#693218; Package adduser.
(Wed, 14 Nov 2012 11:39:04 GMT)
Acknowledgement sent
to Wessel Dankers <wsl-deb-bug-submit@fruit.je>:
New Bug report received and forwarded. Copy sent to Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>.
(Wed, 14 Nov 2012 11:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: adduser
Version: 3.112+nmu2
Severity: wishlist
Tags: security
Hi,
Currently, system users get nogroup (65534) as their default primary group.
However, multiple (system) accounts sharing a common group is not good
from a security standpoint. It gives unrelated processes access to each
other's files and other resources.
While this could be considered a bug in the invoker's script, it's
something that is easy to overlook and it could be argued that defaults
should be sane and secure (‘graceful degradation’).
Please make --group the default for --system.
Kind regards,
--
Wessel Dankers <wsl-deb-bug-submit@fruit.je>
Added tag(s) confirmed.
Request was from Afif Elghraoui <afif@debian.org>
to control@bugs.debian.org.
(Sat, 26 Nov 2016 10:54:02 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Adduser Developers <adduser@packages.debian.org>:
Bug#693218; Package adduser.
(Wed, 06 Jul 2022 16:33:03 GMT)
Acknowledgement sent
to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Adduser Developers <adduser@packages.debian.org>.
(Wed, 06 Jul 2022 16:33:03 GMT)
Message #12 received at 693218@bugs.debian.org:
Control: tags -1 - security - confirmed + wontfix
thanks
On Wed, Nov 14, 2012 at 12:36:18PM +0100, Wessel Dankers wrote:
> However, multiple (system) accounts sharing a common group is not good
> from a security standpoint. It gives unrelated processes access to each
> other's files and other resources.
/usr/share/doc/base-passwd/users-and-groups.txt.gz says:
    Daemons that need not own any files sometimes run as
    user nobody and group nogroup, although using a
    dedicated user is far preferable. Thus, no files on a
    system should be owned by this user or group.
That being said I think that adduser does the right thing.
I am ready to be convinced, but for the time being this is a wontfix.
Greetings
Marc
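An added example, not part of the bug log or of the adduser package: a shell check for the two conditions discussed in this thread, namely system accounts that share a primary group and files whose group is nogroup. The function names, the constructed passwd lines and the 100-999 system UID range are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug log). Assumption: system accounts use
# UIDs 100-999; pass other bounds as arguments if your site differs.

# shared_primary_groups FILE [MIN_UID] [MAX_UID]
# Reads passwd(5)-format data from FILE ("-" for stdin) and prints
# "GID: user1,user2,..." for every GID that is the primary group of more
# than one account in the UID range.
shared_primary_groups() {
    awk -F: -v lo="${2:-100}" -v hi="${3:-999}" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 {
            members[$4] = (members[$4] == "" ? $1 : members[$4] "," $1)
            count[$4]++
        }
        END {
            for (gid in count)
                if (count[gid] > 1)
                    print gid ": " members[gid]
        }' "${1:--}" | sort -n
}

# files_in_group DIR GROUP
# Lists files under DIR (same filesystem only) whose group is GROUP, e.g.
# "nogroup", which users-and-groups.txt says should own no files.
files_in_group() {
    find "$1" -xdev -group "$2" -print 2>/dev/null
}

# Constructed sample in passwd(5) format, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc-a:x:110:65534::/nonexistent:/usr/sbin/nologin
svc-b:x:111:65534::/nonexistent:/usr/sbin/nologin
svc-c:x:112:118::/var/lib/svc-c:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo on the constructed sample; on a live host use /etc/passwd instead.
sample_passwd | shared_primary_groups -
```

On a real host, `shared_primary_groups /etc/passwd` followed by `files_in_group / nogroup` covers both points; accounts it reports can be given their own group by creating them with `adduser --system --group`.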
Removed tag(s) security.
Request was from Marc Haber <mh+debian-packages@zugschlus.de>
to 693218-submit@bugs.debian.org.
(Wed, 06 Jul 2022 16:33:03 GMT)
Removed tag(s) confirmed.
Request was from Marc Haber <mh+debian-packages@zugschlus.de>
to 693218-submit@bugs.debian.org.
(Wed, 06 Jul 2022 16:33:03 GMT)
Added tag(s) wontfix.
Request was from Marc Haber <mh+debian-packages@zugschlus.de>
to 693218-submit@bugs.debian.org.
(Wed, 06 Jul 2022 16:33:04 GMT)
Message sent on
to Wessel Dankers <wsl-deb-bug-submit@fruit.je>:
Bug#693218.
(Wed, 06 Jul 2022 16:33:05 GMT)
Last modified:
Sat Jul 1 21:14:03 2023;