Old 10-20-2010, 02:11 AM
Steve Langasek
 
disabled root account / distinct group for users with administrative privileges

On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
> On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
> [...]

> > On Tuesday 19 October 2010 at 02:12 +0200, Jesús M. Navarro wrote:
> > > What about the old-fashioned "wheel" group[1]?

> > This would be an even worse disaster than “admin”, for similar reasons.
> > Users of the “wheel” group were not supposed to get root privileges with
> > their own password.

> Ok. But since this group is conceptually the same than the "old" wheel group,
> one "that provides additional special system privileges that empower a user
> to execute restricted commands that ordinary user accounts cannot access",
> why not make a bit of a joke of it? How about bigwheel (since that's where
> wheel derives from)?

It is *semantically* different. The worst possible way to implement this is
by overtaking a pre-existing group that *we have defined* to have different
semantics than what it's being proposed for.

Defining a new group that may conflict with existing local groups on
particular installed systems is not much better, but it's as good as we can
get.

> On the other hand, is it really necessary a new group? Can't adm or operator
> be overloaded with this new functionality? (think Ockham's razor).

No. Both of those groups also have other meanings.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
 
Old 10-20-2010, 05:12 AM
Christian PERRIER
 
disabled root account / distinct group for users with administrative privileges

Quoting Steve Langasek (vorlon@debian.org):

> > On the other hand, is it really necessary a new group? Can't adm or operator
> > be overloaded with this new functionality? (think Ockham's razor).
>
> No. Both of those groups also have other meanings.


How about the "root" group?
 
Old 10-20-2010, 07:45 AM
Vincent Danjean
 
disabled root account / distinct group for users with administrative privileges

[reply-to set to d-d only]

On 20/10/2010 07:12, Christian PERRIER wrote:
> Quoting Steve Langasek (vorlon@debian.org):
>
>>> On the other hand, is it really necessary a new group? Can't adm or operator
>>> be overloaded with this new functionality? (think Ockham's razor).
>>
>> No. Both of those groups also have other meanings.
>
>
> How about the "root" group?

This would hurt systems where umask is 002 (or 007) by default (the root
group is the primary group of the root user, with nobody else in it).

Regards,
Vincent

--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4CBE9E22.5070805@free.fr
 
Old 10-20-2010, 09:10 AM
Russell Coker
 
disabled root account / distinct group for users with administrative privileges

On Wed, 20 Oct 2010, Vincent Danjean <vdanjean.ml@free.fr> wrote:
> > How about the "root" group?
>
> This would hurt systems where umask is 002 (or 007) by default (the root
> group is the primary group of the root user with nobody else in it)

find / -gid 0 -perm /20 ! -type l

The above find command will discover some of the cases where access to the
root group will give direct access to interesting things. From a quick run on
a Squeeze system I noticed that with GID==0 you can apparently write directly
to all USB devices (/dev/bus/usb/*/* is writable).

However it would be nice if GID==0 wouldn't actually cause any problems and
it's good that GID==0 gets less write access to a Debian system than last time
I checked. There are too many people who write daemons that call setuid()
before calling setgid() to drop privileges...

--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog


Archive: http://lists.debian.org/201010202010.43500.russell@coker.com.au
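The ordering bug Russell mentions at the end of his post, shown from the defender's side: a privilege-drop routine that changes group identity before user identity and then verifies the result. This is an added example, not code from the thread or from any Debian package; the function names, the verification step and the contrasting wrong-order routine are assumptions of the example.

```c
/* Added example: dropping root privileges in the correct order.
 * Not from the thread or any Debian package. Assumes glibc/Linux. */
#define _DEFAULT_SOURCE 1   /* for setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Correct order: supplementary groups, then primary group, then user.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID, so only attempt it while still root;
     * an unprivileged caller keeps whatever list login gave it. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)           /* must happen while still uid 0 */
        return -1;
    if (setuid(uid) != 0)           /* last: after this there is no way back */
        return -1;

    /* Verify: every id must be what we asked for... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ...and, when we gave up root, regaining it must be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The buggy order from the thread, kept for contrast. Started as root with
 * a non-zero uid, setgid() fails with EPERM because the process is no longer
 * privileged; a daemon that ignores that return value keeps running with
 * GID 0 and whatever group 0 can write to. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0)
        return -1;
    return setgid(gid) == 0 ? 0 : -1;
}

int main(void)
{
    /* Stand-alone demo: re-assert the caller's own ids (a no-op when
     * unprivileged) and report what we ended up as. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%ld gid=%ld\n", (long)geteuid(), (long)getegid());
    return 0;
}
```

A real daemon would look up the target user with getpwnam(3) and pass pw_uid and pw_gid; the verification block is what turns a silent failure into a refused start.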
 
Old 10-20-2010, 10:16 AM
Mehdi Dogguy
 
disabled root account / distinct group for users with administrative privileges

On 20/10/2010 11:18, Petter Reinholdtsen wrote:
>
> So I would suggest to use a name that is more likely to be unique.
>

unique wrt. what? "admin" seems "unique" since not used in Debian yet.

> Happy hacking,

--
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/


Archive: http://lists.debian.org/4CBEC179.6030705@dogguy.org
 
Old 10-20-2010, 11:28 AM
Simon McVittie
 
disabled root account / distinct group for users with administrative privileges

On Wed, 20 Oct 2010 at 01:58:22 +0000, The Fungi wrote:
> On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
> > On the other hand, is it really necessary a new group? Can't adm
> > or operator be overloaded with this new functionality? (think
> > Ockham's razor).
>
> Maybe similarly overloaded, but I've used the built-in "staff" group
> for this for many years. It already gets write access into many
> local system folders by default, so not that much of a stretch...

Quoting from base-passwd again:

Allows users to add local modifications to the system (/usr/local, /home)
without needing root privileges. Compare with group 'adm', which is more
related to monitoring/security.

Note that the ability to modify /usr/local is effectively equivalent to
root access (since /usr/local is intentionally on search paths ahead of
/usr), and so you should only add trusted users to this group. Be careful in
environments using NFS since acquiring another non-root user's privileges
is often easier in such environments.

... so in practice, staff is root-equivalent, but in principle it's not meant
to be. (Yay.)

S


Archive: http://lists.debian.org/20101020112849.GA14599@reptile.pseudorandom.co.uk
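Simon's point, that write access to a directory searched ahead of /usr is root-equivalent, applies to any entry on a PATH. As an added example (not from base-passwd or the thread), here is a small audit that classifies each directory on a PATH value by who can write to it, so a site that hands out "staff" membership can see exactly which search-path directories that membership opens up. The flag names, the output format and the treatment of an empty entry as "." are assumptions of the example.

```c
/* Added example: audit a PATH for directories writable by non-root users.
 * Not from base-passwd or the thread. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Risk flags for one directory (example-defined names). */
enum {
    PATHDIR_MISSING   = 1,  /* entry does not exist (stat failed) */
    PATHDIR_NOT_ROOT  = 2,  /* owned by a uid other than 0 */
    PATHDIR_GRP_WRITE = 4,  /* group-writable, e.g. /usr/local for "staff" */
    PATHDIR_OTH_WRITE = 8   /* world-writable: anyone can plant a binary */
};

/* Classify one directory. Returns a bitmask of the flags above, or 0 when
 * the directory is owned by root and writable only by its owner. Symlinks
 * are followed because that is what the shell's search does. */
int pathdir_risk(const char *dir)
{
    struct stat st;
    int risk = 0;
    if (stat(dir, &st) != 0)
        return PATHDIR_MISSING;
    if (st.st_uid != 0)
        risk |= PATHDIR_NOT_ROOT;
    if (st.st_mode & S_IWGRP)
        risk |= PATHDIR_GRP_WRITE;
    if (st.st_mode & S_IWOTH)
        risk |= PATHDIR_OTH_WRITE;
    return risk;
}

/* Walk a colon-separated PATH value, print every entry a non-root user
 * could write to, and return how many there were. Missing directories are
 * reported but not counted. An empty entry means the current directory. */
int audit_path(const char *path_value)
{
    int risky = 0;
    const char *p = path_value;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char dir[4096];
        if (len >= sizeof dir)
            len = sizeof dir - 1;
        memcpy(dir, p, len);
        dir[len] = '\0';
        if (len == 0)
            strcpy(dir, ".");
        int r = pathdir_risk(dir);
        if (r & (PATHDIR_NOT_ROOT | PATHDIR_GRP_WRITE | PATHDIR_OTH_WRITE)) {
            risky++;
            printf("%s:%s%s%s\n", dir,
                   (r & PATHDIR_NOT_ROOT)  ? " owner-not-root" : "",
                   (r & PATHDIR_GRP_WRITE) ? " group-writable" : "",
                   (r & PATHDIR_OTH_WRITE) ? " world-writable" : "");
        } else if (r & PATHDIR_MISSING) {
            printf("%s: missing\n", dir);
        }
        if (!end)
            break;
        p = end + 1;
    }
    return risky;
}

int main(int argc, char **argv)
{
    /* Audit the PATH given on the command line, else the caller's own. */
    const char *path = argc > 1 ? argv[1] : getenv("PATH");
    if (!path)
        path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    int n = audit_path(path);
    printf("%d director%s on PATH writable by a non-root user\n",
           n, n == 1 ? "y" : "ies");
    return n ? 1 : 0;
}
```

Run it against root's own PATH (or sudo's secure_path) rather than an ordinary user's: on a default Debian install /usr/local/bin and /usr/local/sbin come back group-writable by "staff", which is the root-equivalence Simon describes.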
 
Old 10-20-2010, 02:46 PM
The Fungi
 
disabled root account / distinct group for users with administrative privileges

On Wed, Oct 20, 2010 at 12:28:49PM +0100, Simon McVittie wrote:
> Quoting from base-passwd again:
[...]
> ... so in practice, staff is root-equivalent, but in principle it's not meant
> to be. (Yay.)

Right, which was why I also chose to use it for "staff" who I
trusted with root access, but wanted logging in with their own user
IDs and making most changes through sudo (so that there's an audit
trail in case they accidentally break something I later have to
fix).
--
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@yuggoth.org); FINGER(fungi@yuggoth.org);
MUD(kinrui@katarsis.mudpy.org:6669); IRC(fungi@irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }


Archive: http://lists.debian.org/20101020144644.GF8365@yuggoth.org
 
Old 10-20-2010, 03:18 PM
Otavio Salvador
 
disabled root account / distinct group for users with administrative privileges

Maybe "god" ;-)

On Wed, Oct 20, 2010 at 8:16 AM, Mehdi Dogguy <mehdi@dogguy.org> wrote:
> On 20/10/2010 11:18, Petter Reinholdtsen wrote:
>>
>> So I would suggest to use a name that is more likely to be unique.
>>
>
> unique wrt. what? "admin" seems "unique" since not used in Debian yet.
>
>> Happy hacking,
>
> --
> Mehdi Dogguy مهدي الدڤي
> http://dogguy.org/
>
>
> --
> To UNSUBSCRIBE, email to debian-boot-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/4CBEC179.6030705@dogguy.org
>
>



--
Otavio Salvador                  O.S. Systems
E-mail: otavio@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854         http://projetos.ossystems.com.br


Archive: http://lists.debian.org/AANLkTi=vDVeS+9hMZV4bsuxXL03zmQRiqir2GbPtDNTA@mail.gmail.com
 
Old 10-20-2010, 03:44 PM
Julien Cristau
 
disabled root account / distinct group for users with administrative privileges

On Wed, Oct 20, 2010 at 17:38:23 +0200, Didier 'OdyX' Raboud wrote:

> Otavio Salvador wrote:
>
> > Maybe "god" ;-)
>
> What about the "adm" group? Is it the same as the "admin"?
>
What about reading the thread and relevant documentation instead of
repeating turned down ideas for the bikeshed colour?

Cheers,
Julien
 
Old 10-20-2010, 10:14 PM
Russ Allbery
 
disabled root account / distinct group for users with administrative privileges

Christian PERRIER <bubulle@debian.org> writes:
> Quoting Steve Langasek (vorlon@debian.org):

>>> On the other hand, is it really necessary a new group? Can't adm or
>>> operator be overloaded with this new functionality? (think Ockham's
>>> razor).

>> No. Both of those groups also have other meanings.

> How about the "root" group?

Any already-existing group is going to have the problem that some sites
will already be using it for something else. We put all sysadmins in
group 0 (which happens to be root on Debian), a policy that for us dates
back to when we were a Solaris shop, and then set su and ksu so that
they're only executable by users in the root group. This limits access to
su/ksu, but not in the same way that is being discussed here for sudo.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


Archive: http://lists.debian.org/87eibkfr55.fsf@windlord.stanford.edu
 