Christian Perrier
2005-Oct-08 12:40 UTC
Bug#166718: Using pam_group to give access to "useful" groups?
(maybe asking -ctte should be done)

This is an attempt to, again, summarize the situation about #166718 and related bugs.

In short, the question is: how can we choose a method to make it easy for people with physical access to the console to use its devices (sound, cdrom, plugged devices...) and NOT compromise security.

The initial request was for passwd to "add the first created user to useful groups" in the install process (currently D-I 2nd stage). The former maintainer of passwd, Karl Ramm, was very reluctant to add this as is to the passwd config script. In the meantime, the D-I team added a hack to do this in D-I 2nd stage...which explains why the request doesn't come often now.

Several suggestions have been made to do this:

1) use pam_console (used by Redhat) to give all users connected to the "console" access to a bunch of groups
2) use pam_group for barely the same purpose
3) hard-code the "useful" groups in passwd.config
4) keep the current situation and leave this to the D-I team

1) and 2) have the same security implications --> granting group access to anyone using the console allows this user to hack a setgid binary and have it launch a shell later, even when not connected at the console.

Activating pam_group in common-auth seems OK but not with the lines that would be required in /lib/security/group.conf.

3) is possible but seems to be a hack.

4) (the current solution) is a similar hack.

I'd like to propose another approach:

Add a "--useful-groups" switch to Debian's adduser and keep a list of useful groups in this package's default adduser.conf file.

For sure, this moves the pressure of keeping a list of "useful" groups to Marc Haber and the adduser maintainers...but it would have the advantage of offering admins an easy way to add users to these "useful" groups without knowing the complete list.

Thoughts, opinions, flames? I'd really like to get rid of this bug...:-)
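An added audit helper for the pam_group option discussed above; it is not from the thread or from adduser. It reads the groups a group.conf-style file grants on tty logins (using pam_group's `services;ttys;users;times;groups` record format) and then lists setgid files owned by any of those groups, since a setgid file in a granted group is exactly how the group privilege could outlive the console session. The sample configuration and files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes pam_group's group.conf
# record format: services;ttys;users;times;groups
# Fields are ';'-separated, groups within the last field ','-separated.

# Print, sorted and unique, the groups that group.conf-style file $1 would
# grant to console (tty) sessions. '#' lines are comments; records with
# fewer than five fields are ignored; a ttys field of "*" or one naming a
# tty pattern counts as applying to the console.
pam_group_console_groups() {
    conf="$1"
    awk -F';' '
        /^[[:space:]]*#/ || NF < 5 { next }
        $2 == "*" || $2 ~ /tty/ {
            n = split($5, g, ",")
            for (i = 1; i <= n; i++) if (g[i] != "") print g[i]
        }' "$conf" | sort -u
}

# Print regular files under directory $1 that have the setgid bit and
# whose group is one of the remaining arguments. These are the files an
# administrator should review after granting such groups at the console.
setgid_files_in_groups() {
    dir="$1"; shift
    find "$dir" -type f -perm -2000 2>/dev/null | while read -r f; do
        grp=$(ls -ld "$f" | awk '{print $4}')
        case " $* " in
            *" $grp "*) printf '%s\n' "$f" ;;
        esac
    done
}

# Typical use on a real system (paths are the usual Debian locations):
#   setgid_files_in_groups / $(pam_group_console_groups /etc/security/group.conf)
```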
Marc Haber
2005-Oct-08 13:41 UTC
[Adduser-devel] Re: Bug#166718: Using pam_group to give access to "useful" groups?
On Sat, Oct 08, 2005 at 11:28:59AM +0200, Christian Perrier wrote:
> For sure, this moves the pressure of keeping a list of "useful" groups
> to Marc Haber and adduser maintainers...

I am going to accept a patch from somebody who agrees to become co-maintainer of adduser. I am not going to accept a patch which increases my support burden.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things." Winona Ryder    | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
Christian Perrier
2005-Oct-09 07:15 UTC
[Adduser-devel] Re: Bug#166718: Using pam_group to give access to "useful" groups?
Quoting Marc Haber (mh+debian-packages@zugschlus.de):
> On Sat, Oct 08, 2005 at 11:28:59AM +0200, Christian Perrier wrote:
> > For sure, this moves the pressure of keeping a list of "useful" groups
> > to Marc Haber and adduser maintainers...
>
> I am going to accept a patch from somebody who agrees to become
> co-maintainer of adduser. I am not going to accept a patch which
> increases my support burden.

So, I'm afraid that the direction to go is:

- reassign these bugs to adduser
- find help for Marc

I'm not fond of reassigning bugs to adduser because I know the situation about this package and Marc desperately needing help to maintain it.

Maybe time for another call for help for adduser (IIRC, you already posted some, Marc). I'm really sad that some of our key packages cannot receive enough attention while we keep getting a bunch of crappy new packages no one cares about in the archive.

If we go this way, I intend to post a message to -devel (or even -devel-announce) with these ideas (probably not the "crappy packages" part)...and do my best to have it published in DWN.
Marc Haber
2005-Oct-09 07:27 UTC
[Adduser-devel] Re: Bug#166718: Using pam_group to give access to "useful" groups?
On Sun, Oct 09, 2005 at 09:14:41AM +0200, Christian Perrier wrote:
> So, I'm afraid that the direction to go is:
>
> -reassign these bugs to adduser
>
> -find help for Marc

I would also accept a replacement instead of help.

> I'm not fond of reassigning bugs to adduser because I know the
> situation about this package and Marc desperately needing help to
> maintain it.

I do not have a problem with having bugs rotting away in the BTS. Usertags will help in sorting out the bugs.

> Maybe time for another call for help for adduser (IIRC, you already
> posted some, Marc).

Yes, there was a response about a rewrite in C, but the author of that rewrite decided to go a way I am not too fond of (not calling any backends but doing the work himself), and the effort seems to have kind of stalled. I have been receiving a lot of cleanup patches from Jörg Hoh, and he has received commit privileges to the SVN repository yesterday, but he doesn't intend to become a DD in the foreseeable future.

> I'm really sad that some of our
> key packages cannot receive enough attention while we keep getting
> bunch of crappy new packages noone cares about, in the archive.

I am guilty of that as well, but I took over adduser because it needed work to do the job I wanted it to do - so that approach kind of worked.

> If we go this way, I intend to post a message to -devel (or even
> -devel-announce) with these ideas (probably not the "crappy packages"
> part)...and do my best to have it published in DWN.

Go ahead.

Greetings
Marc