Adduser devel - Oct 2005 - Bug#166718: Using pam_group to give access to "useful" groups?

(maybe asking -ctte should be done)

This is an attempt to, again, summarize the situation about #166718
and related bugs.

In short, the question is: how can we choose a method to make easy for
people with physical access to the console to use  its devices (sound,
cdrom, plugged devices...) and NOT compromise security.

The initial request was for passwd to "add the first created user to
useful groups" in the install process (currently D-I 2nd stage).

The former maintainer of passwd, Karl Ramm, was very reluctant to add
this as is to passwd config script.

In the meantime, the D-I team added a hack to do this in D-I 2nd
stage...which explains the request doesn''t come often now.

Several suggestions have been made to do this:

1) use pam_console (used by Redhat) to give all users connected to the
   "console" access to a bunch of groups

2) use pam_group for barely the same purpose

3) hard-code the "useful" groups in passwd.config

4) keep the current situation and let this to the D-I team

1) and 2) have the same security implications-->granting groups access
to anyone using the console allows this user to hack a setgid binary
and have it launch a shell later, even when not connected at the
console
Activating pam_group in common-auth seems OK but not with the lines
that would be required in /lib/security/group.conf

3) is possible but seems to be a hack

4) (the current solution) is a similar hack

I''d like to propose another approach:

Add a "--useful-groups" switch to Debian''s adduser and keep a
list of
useful groups in this package''s default adduser.conf file.

For sure, this moves the pressure of keeping a list of "useful" groups
to Marc Haber and adduser maintainers...but it would have the
advantage to offer admins an easy way to add users to these "useful"
groups without knowing the complete list.


Thoughts, opinions, flames? I''d really like to get rid of this
bug...:-)

On Sat, Oct 08, 2005 at 11:28:59AM +0200, Christian Perrier
wrote:
> For sure, this moves the pressure of keeping a list of "useful"
groups
> to Marc Haber and adduser maintainers...
I am going to accept a patch from somebody who agrees to become
co-maintainer of adduser. I am not going to accept a patch which
increases my support burden.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Quoting Marc Haber (mh+debian-packages@zugschlus.de):
> On Sat, Oct 08, 2005 at 11:28:59AM +0200, Christian Perrier wrote:
> > For sure, this moves the pressure of keeping a list of
"useful" groups
> > to Marc Haber and adduser maintainers...
> 
> I am going to accept a patch from somebody who agrees to become
> co-maintainer of adduser. I am not going to accept a patch which
> increases my support burden.
So, I''m afraid that the direction to go is:

-reassign these bugs to adduser

-find help for Marc

I''m not fond of reassigning bugs to adduser because I know the
situation about this package and Marc desperately needing help to
maintain it.

Maybe time for another call for help for adduser (IIRC, you already
posted some, Marc). I''m really sad that some of our
key packages cannot receive enough attention while we keep getting
bunch of crappy new packages noone cares about, in the archive.

If we go this way, I intend to post a message to -devel (or even
-devel-announce) with these ideas (probably not the "crappy packages"
part)...and do my best to have it published in DWN.

On Sun, Oct 09, 2005 at 09:14:41AM +0200, Christian Perrier
wrote:
> So, I''m afraid that the direction to go is:
> 
> -reassign these bugs to adduser
> 
> -find help for Marc
I would also accept a replacement instead of help.
> I''m not fond of reassigning bugs to adduser because I know the
> situation about this package and Marc desperately needing help to
> maintain it.
I do not have a problem with having bugs rotting away in the BTS.
Usertags will help in sorting out the bugs.
> Maybe time for another call for help for adduser (IIRC, you already
> posted some, Marc).
Yes, there was response about a rewrite in C, but the author of that
rewrite decided to go a way I am not too fond about (not calling any
backends but doing the work himself), and the effort seems to have
kind of stalled. I have been receiving a lot of cleanup patches from
J?rg Hoh, and he has received commit privileges to the SVN repository
yesterday, but he doesn''t intend to become DD in the foreseeable
future.
> I''m really sad that some of our
> key packages cannot receive enough attention while we keep getting
> bunch of crappy new packages noone cares about, in the archive.
I am guilty of that as well, but I took over adduser because it needed
work to do the job I wanted it to do - so that approach kind of worked.
> If we go this way, I intend to post a message to -devel (or even
> -devel-announce) with these ideas (probably not the "crappy
packages"
> part)...and do my best to have it published in DWN.
Go ahead.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835