02-24-2009, 04:52 PM
Daniel Moerner

handling group membership in and outside d-i

On Tue, Feb 24, 2009 at 6:11 AM, Jon Dowland
<jon+debian-devel@alcopop.org> wrote:
> Hi folks,
>
> I filed a bug against gnome-power-manager a little while
> ago because I could not suspend. It turned out my user was
> not in the powerdev group.

Hi, there are already some bugs open about this, because it's
obviously an annoying problem.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484248 has some
information about the various alternatives that may obsolete the need
to worry about putting people in powerdev.

Cheers,
Daniel

--
Daniel Moerner <dmoerner@gmail.com>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
02-25-2009, 10:10 PM
Roger Leigh

handling group membership in and outside d-i

On Tue, Feb 24, 2009 at 02:11:36PM +0000, Jon Dowland wrote:

> Finally can anyone with a deeper insight of the issues
> explain whether or not the frustrating "existing logins
> don't inherit new groups" behaviour is fixable, or is that
> deeply rooted in UNIX tradition?

The limitation is due to the way in which the groups a *process*
(not user) belongs to are determined. When you log in, login/sshd/xdm/schroot
or whatever process is controlling the process will call
initgroups(3) to read the group database for the user in question,
which internally calls setgroups(2) to add all of the GIDs in
question to the process. It will then call setgid(2) and setuid(2)
to drop privileges and then typically exec the login shell/command/
session as appropriate.

Setting the group list with setgroups(2) requires the CAP_SETGID
capability (i.e. root in almost all cases). Because root
privileges are dropped, the group list is fixed and subsequently
inherited by all child processes. This is why you need to log
out and back in again, because it's only when you log in you
can add the new group to the group list of the parent of your
login session.

> (I note that it seems
> HAL makes an on-invocation group check for suspend so
> adding a user to the powerdev group and attempting a
> suspend from a pre-logged in session works)

HAL is just querying the group database directly. Any process can of
course do this. But it's asking a different question, namely:
what groups is this user a member of in the group database. All of
the system calls checking group membership are checking the process'
group list, not the group database. This is because internally the
group list is just a list of integer GIDs, so it's fast and does not
require any database lookups (which are all done in userspace by
libnss*).


Regards,
Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
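As an added illustration of the two different questions Roger describes (written for this page; it is not code from any Debian package or from the posters), the program below asks both: whether a GID is in the calling process' group list (what the kernel checks on a device open), and whether the group database lists the user as a member (what HAL asks). It also contains the initgroups/setgid/setuid sequence a login program performs, which only succeeds with CAP_SETGID. The group name "powerdev" is an assumption used as the default argument; the two lookups run fine as an unprivileged user.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* <grp.h> declares this under _DEFAULT_SOURCE; repeated for strict -std= builds. */
int initgroups(const char *user, gid_t group);

/* Question 1: is gid in this *process'* group list, i.e. the effective GID or
 * one of the supplementary GIDs installed by setgroups(2)?  This is what the
 * kernel checks when a device node is opened; no database lookup happens. */
int process_has_gid(gid_t gid)
{
    if (gid == getegid())
        return 1;
    int n = getgroups(0, NULL);          /* size query */
    if (n <= 0)
        return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL)
        return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (list[i] == gid) {
            found = 1;
            break;
        }
    }
    free(list);
    return found;
}

/* Question 2: does the group database (NSS: /etc/group, LDAP, ...) list
 * user in group?  A group added here after login shows up in this check,
 * but not in process_has_gid() for sessions that are already running. */
int database_has_member(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return 0;
    struct passwd *pw = getpwnam(user);
    if (pw != NULL && pw->pw_gid == gr->gr_gid)
        return 1;   /* primary group is recorded in passwd, not in gr_mem */
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++) {
        if (strcmp(*m, user) == 0)
            return 1;
    }
    return 0;
}

/* The login-time sequence: initgroups(3) reads the database and calls
 * setgroups(2) (needs CAP_SETGID), then setgid(2), then setuid(2).  Once
 * setuid() has dropped root the group list is frozen for this process and
 * inherited unchanged by everything it execs.  Returns 0 on success, -1
 * with errno set otherwise (EPERM when run without CAP_SETGID). */
int login_style_drop(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumption: check "powerdev" unless another group name is given. */
    const char *group = argc > 1 ? argv[1] : "powerdev";
    struct passwd *me = getpwuid(getuid());
    const char *user = me != NULL ? me->pw_name : "(unknown)";
    struct group *gr = getgrnam(group);

    if (gr == NULL) {
        printf("group %s does not exist in the group database\n", group);
        return 1;
    }
    printf("user %s, group %s (gid %u)\n", user, group, (unsigned)gr->gr_gid);
    printf("  in this process' group list:  %s\n",
           process_has_gid(gr->gr_gid) ? "yes" : "no");
    printf("  listed in the group database: %s\n",
           database_has_member(user, group) ? "yes" : "no");
    return 0;
}
```

Run it, add yourself to the group with adduser in another terminal, and run it again from the same shell: the database answer flips to "yes" while the process answer stays "no" until you log in again. A group granted by pam_group shows the opposite pattern, "yes" for the process and "no" for the database, which is the mismatch discussed in the replies below.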
 
02-26-2009, 06:31 AM
Peter Palfrader

handling group membership in and outside d-i

On Wed, 25 Feb 2009, Roger Leigh wrote:

> HAL is just querying the group database directly. Any process can of
> course do this. But it's asking a different question, namely:
> what groups is this user a member of in the group database.

This is of course broken. It breaks granting console users access to
the netdev or powerdev groups through pam_groups, which is really really
annoying when you get your users from say ldap.

--
| .'`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/


 
02-26-2009, 12:01 PM
Ben Hutchings

handling group membership in and outside d-i

On Thu, 2009-02-26 at 08:31 +0100, Peter Palfrader wrote:
> On Wed, 25 Feb 2009, Roger Leigh wrote:
>
> > HAL is just querying the group database directly. Any process can of
> > course do this. But it's asking a different question, namely:
> > what groups is this user a member of in the group database.
>
> This is of course broken. It breaks granting console users access to
> the netdev or powerdev groups through pam_groups, which is really really
> annoying when you get your users from say ldap.

But that's broken to start with, since you can't revoke group membership
when the user logs out.

Ben.
 
02-27-2009, 02:42 PM
Arthur de Jong

handling group membership in and outside d-i

On Thu, 2009-02-26 at 13:01 +0000, Ben Hutchings wrote:
> On Thu, 2009-02-26 at 08:31 +0100, Peter Palfrader wrote:
> > This is of course broken. It breaks granting console users access
> > to the netdev or powerdev groups through pam_groups, which is really
> > really annoying when you get your users from say ldap.
>
> But that's broken to start with, since you can't revoke group
> membership when the user logs out.

The group membership is only assigned to the process, not in the group
database. I generally have something like:

gdm; :*; *; Al0000-2400; audio,floppy,video,cdrom,scanner,plugdev,voice

in /etc/security/group.conf to ensure that any user that is logged in on
the console can do most things you can expect console users to do. So
for a gdm session:

% groups
users voice cdrom floppy audio src video plugdev scanner

But the NSS databases contain the following:

% groups arthur
arthur : users src

I've found that with lenny for some things (dbus?) you need consolekit
(I install policykit-gnome which has all the dependencies I need) to
accomplish (part of?) what you did with secondary groups before.

--
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
 
02-28-2009, 09:09 AM
Christian Perrier

handling group membership in and outside d-i

Quoting Jon Dowland (jon+debian-devel@alcopop.org):

> I did several subsequent installs and my user never ended
> up in powerdev (nor netdev for that matter). It's my belief
> (yet to check d-i code to confirm) that the user gets added
> to powerdev if you select the desktop task: for each of my

Not really. It *should* be added to that group.

The package responsible for this in D-I is "user-setup"
(svn+ssh://svn.debian.org/svn/d-i/trunk/packages/user-setup)

The first user is created with the "user-setup-apply" script:

if [ -x $ROOT/usr/sbin/adduser ]; then
    $log $chroot $ROOT adduser --disabled-password --gecos "$RET" $UIDOPT "$USER" >/dev/null || true
else
    $log $chroot $ROOT useradd -c "$RET" -m "$USER" $UIDOPT >/dev/null || true
fi

# Clear the user password from the database.
db_set passwd/user-password-crypted ''
db_set passwd/user-password ''
db_set passwd/user-password-again ''
setpassword "$USER" "$USER_PW" "$USER_PW_CRYPTED"

if [ "$HOME_EXISTED" ]; then
    # The user's home directory already existed before we called
    # adduser. This often means that a mount point under
    # /home/$USER was selected in (and thus created by) partman,
    # and the home directory may have ended up owned by root.
    $log $chroot $ROOT chown "$USER:$USER" "/home/$USER" >/dev/null || true
fi

if [ -n "$USER" ]; then
    db_get passwd/user-default-groups
    for group in $RET; do
        $log $chroot $ROOT adduser "$USER" $group >/dev/null 2>&1 || true
    done
fi



passwd/user-default-groups is a debconf setting that's preseedable and
for which the default is:

# Allow preseeding the groups to which the first created user is added
Template: passwd/user-default-groups
Type: string
Default: audio cdrom dialout floppy video plugdev netdev powerdev
Description: for internal use only


In short....the first created user *should* be in powerdev. If it is
not....then there's a bug in user-setup (or somewhere else...).


(CC'ing Colin Watson who's well aware about that part of the code,
IIRC)
 
02-28-2009, 07:06 PM
Joey Hess

handling group membership in and outside d-i

> In short....the first created user *should* be in powerdev. If it is
> not....then there's a bug in user-setup (or somewhere else...).

The powerdev group only exists if hal is installed, which is only the
case if one of the desktop tasks is installed. If the group does not
exist, the initial user will silently not be added to it.

Jon's idea of having a list of primary users, which packages could then
add to groups at install time seems like a sort of good idea. But, it
doesn't solve the problem of wanting to add a new primary user and
having to manually put them in all the groups.

user-setup would also have to be refactored to create the initial user
_before_ installing tasks. And since the initial user probably can't be
sanely created before running debootstrap, packages installed in that
step still couldn't add the user to groups.

Seems like ideally there should be:

- A way to add the set of existing primary users to a newly created group.
- A way to create a new primary user, who would automatically become a
member of the set of primary user groups.

--
see shy jo


 
03-04-2009, 03:55 PM
Petter Reinholdtsen

handling group membership in and outside d-i

[Christian Perrier]
>> I did several subsequent installs and my user never ended
>> up in powerdev (nor netdev for that matter). It's my belief
>> (yet to check d-i code to confirm) that the user gets added
>> to powerdev if you select the desktop task: for each of my
>
> Not really. It *should* be added to that group.

Personally, I believe adding users to these groups at install time is
the wrong approach, and believe the only scalable way to handle this
is with policykit like features. Then the group membership is handled
dynamically at login time, and every console user get the expected
privileges.

> In short....the first created user *should* be in powerdev. If it is
> not....then there's a bug in user-setup (or somewhere else...).

I believe this code should be dropped from d-i, and policykit related
packages using pam_group should be installed instead.

Happy hacking,
--
Petter Reinholdtsen


 
03-04-2009, 04:12 PM
Josselin Mouette

handling group membership in and outside d-i

On Wednesday 04 March 2009 at 17:55 +0100, Petter Reinholdtsen wrote:
> Personally, I believe adding users to these groups at install time is
> the wrong approach, and believe the only scalable way to handle this
> is with policykit like features. Then the group membership is handled
> dynamically at login time, and every console user get the expected
> privileges.

ConsoleKit and PolicyKit cannot solve all use cases unless the whole
stack is updated. This works very nicely for things like HAL: the device
is handled purely by the process running as root, and the ability to
talk to this process is controlled by the console access. However, for
e.g. audio access this cannot work unless all audio playback goes
through a process running as a privileged user. With the current APIs,
users need to be able to access the devices directly, and these are
privileges you cannot revoke.

> > In short....the first created user *should* be in powerdev. If it is
> > not....then there's a bug in user-setup (or somewhere else...).
>
> I believe this code should be dropped from d-i, and policykit related
> packages using pam_group should be installed instead.

Using things like pam_console or pam_group should not become our default
policy, unless we at least ensure /home, /var and /tmp are mounted
nosuid – and it would be better with the ability to revoke the
permissions on the open devices as well.

There is ongoing work in the kernel to finally add session support in
it, so maybe something good will come out of it, but otherwise this is
still the same mess.

Cheers,
--
.'`. Debian 5.0 "Lenny" has been released!
: :' :
`. `' Last night, Darth Vader came down from planet Vulcan and told
`- me that if you don't install Lenny, he'd melt your brain.
 
03-04-2009, 06:25 PM
Otavio Salvador

handling group membership in and outside d-i

Josselin Mouette <joss@debian.org> writes:


[...]

> There is ongoing work in the kernel to finally add session support in
> it, so maybe something good will come out of it, but otherwise this is
> still the same mess.

[...]

Any pointer for this discussion?

--
O T A V I O S A L V A D O R
---------------------------------------------
E-mail: otavio@debian.org UIN: 5906116
GNU/Linux User: 239058 GPG ID: 49A5F855
Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
you the whole house."


 