10-22-2010, 11:10 AM
Simon McVittie

disabled root account / distinct group for users with administrative privileges

On Fri, 22 Oct 2010 at 11:44:31 +0100, Ian Jackson wrote:
> I wouldn't be at all surprised to find that "priv" was occasionally
> used as a username for an ordinary user.

If I saw it out of context I'd also tend to assume that "priv" is short for
"private" instead of "privileged", but perhaps that's just me.

S


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20101022111055.GC25320@reptile.pseudorandom.co.uk
 
10-22-2010, 12:23 PM
Teodor MICU

disabled root account / distinct group for users with administrative privileges

On Fri, Oct 22, 2010 at 1:44 PM, Ian Jackson
<ijackson@chiark.greenend.org.uk> wrote:
> Carsten Hey writes ("Re: [RFC] disabled root account / distinct group for users with administrative privileges"):
>> A group named sudo or sudoroot is somehow linked to sudo as tool used to
>> gain administrative privileges. No one knows if in future another tool
>> will be the de facto standard to gain privileges, as sudo is now, and
>> having a group sudoroot whose members are allowed to gain to become root
>> using an imaginary suto command sounds wrong.
>
> Speaking as the author of a program ("really") which would also want
> to use the same group, I have no problem at all with a group name
> which mentions sudo specifically. This is probably the best way to
> ensure that the name is meaningful and not used elsewhere for
> something else.
>
> "sudoroot" is better than "sudo", as there already is a sudo group and
> therefore people may already be using it for something else.

I'm proposing to use 'sysadmins' (plural as 'users') since it's kinda
short and commonly accepted for this purpose on job announcements.

Thanks


--
Archive: http://lists.debian.org/AANLkTin7QZt_gdxgPkRv0oawo9gqdPrJBoy1N3mDK890@mail.gmail.com
 
10-22-2010, 05:42 PM
Carsten Hey

disabled root account / distinct group for users with administrative privileges

* Simon McVittie [2010-10-22 12:10 +0100]:
> On Fri, 22 Oct 2010 at 11:44:31 +0100, Ian Jackson wrote:
> > I wouldn't be at all surprised to find that "priv" was occasionally
> > used as a username for an ordinary user.
>
> If I saw it out of context I'd also tend to assume that "priv" is
> short for "private" instead of "privileged", but perhaps that's just
> me.

No, it isn't just you, I thought that it could also mean 'private', too.
'prvl' or similar would look like it would have been generated by pwgen.

It doesn't look like a short, unambiguous and pronounceable abbreviation
for 'privileged' exists and 'sysadmins' seems to be a better choice than
'privileged' or 'privileges'.

My favorites up to now are 'sysadmins' and 'sudoroot', although I don't
like having the command as part of the groupname.


Carsten


--
Archive: http://lists.debian.org/20101022174232.GA17528@foghorn.stateful.de
 
10-23-2010, 07:44 PM
Arthur de Jong

disabled root account / distinct group for users with administrative privileges

On Thu, 2010-10-21 at 16:48 +0100, Philip Hands wrote:
> If we decide to reject 'admin', I think we should use sudo. I find the
> argument that admin is confusing given the presence of adm fairly
> convincing -- It's all too easy to say something like "could you add
> fred to the adm group" over the phone and pronounce 'adm' as 'admin'.

At work we use "admin" to hold all administrative staff (think
paperwork) so I would vote against that.

> Sadly, we are not the first to make this decision though, and having
> admin on Ubuntu and sudo on Debian would be a pain for people that have
> mixed sites, or even for admins that just have access to some of each.

The admin group is already used in update-notifier though (#502392) and
perhaps also other software coming from Ubuntu.

--
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
 
11-01-2010, 01:39 PM
Guido Günther

disabled root account / distinct group for users with administrative privileges

On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
> Hi,
>
> as some of you might know, the debian installer allows to install a system with
> a disabled root account, i.e. there is no root password set for root.
> In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
> leaving the root password prompt empty.
>
> The lenny installer then added the user, that was created during install, to
> /etc/sudoers to grant him administrative privileges.
>
> For squeeze we looked for a better way, especially as PolicyKit is becoming used
> by more and more packages and mangling the PolicyKit configuration didn't look
> like a sane alternative.
>
> The idea is, to have a distinct group. Members of that group have administrative
> privileges using sudo and PolicyKit. The installer then simply has to add the

Fedora introduced desktop_admin_r for this in the polkit-desktop-policy
package:

http://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html

Imho we should use different groups for PolicyKit and sudo. d-i would
need to add the user to two groups then but it would allow for polkit
and sudo only configurations:

If you only want to grant polkit based privileges remove the user from
the sudoers group and if you only want sudo based privileges remove it
from the desktop_admin_r group. This would allow administrators to only
care about one set of privileges which makes it easier to oversee the
consequences when adding more users to these groups.
Cheers,
-- Guido

> user to that group, if installed in root-disabled mode.
> The relevant bug report for PolicyKit is [1], the one for user-setup [2].
>
>
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL
>
>
> The installer was changed to add the user to group "sudo" if the system is
> installed with root disabled.
>
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
>
> [Configuration]
> AdminIdentities=unix-group:sudo
>
>
>
> While I think the idea of using a distinct group for users with administrative
> privileges is a very good one, I'm not sure if using the group name "sudo" is
> the right choice, for two reasons:
>
> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of group sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.
>
>
> So, I'm wondering if we shouldn't pick a more neutral name without a previous
> history in Debian.
> One suggestion is to use group "admin". Ubuntu has been using that group for
> exactly the purpose what we are going for and I think it is a pretty
> adequate name.
>
> One concern that was already mentioned is, that the existing group adm and admin
> are too similar and prone to mistyping.
>
> I'm a bit undecided atm. While I lean towards using a new group and in that case
> the name "admin", I also know that we are already late in the squeeze release
> cycle and picking a new name will require changes to user-setup and sudo.
> policykit-1 hasn't been updated yet, so it'll require a new upload anyway.
>
> Bdale was open to changing the sudo configuration, but he didn't want to drive
> this discussion.
>
> I'm very much interested in your feedback on this matter and what others think
> is the best way to go and if there is maybe another, even better suggestion for
> this group name.
>
> I've also CCed debian-release as I want to know if they'd ack uploads of the
> affected packages.
>
>
> Cheers,
> Michael
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>



--
Archive: http://lists.debian.org/20101101143931.GA10763@bogon.sigxcpu.org
 
11-02-2010, 04:47 PM
Ian Jackson

disabled root account / distinct group for users with administrative privileges

Guido Günther writes ("Re: [RFC] disabled root account / distinct group for users with administrative privileges"):
> Imho we should use different groups for PolicyKit and sudo. d-i would
> need to add the user to two groups then but it would allow for polkit
> and sudo only configurations:

Why should we use different groups ? I'm not familiar with PolicyKit,
but does it provide equivalent access to sudo ? If it does, why would
admins often want to provide one path but not the other ?

(Of course if they don't want to do it often then it's OK to have just
one group, because the admin can set up their own group with their own
config in just sudo, say, if they want.)

Ian.


--
Archive: http://lists.debian.org/19664.20161.108361.829386@chiark.greenend.org.uk
 
11-03-2010, 08:28 AM
Guido Günther

disabled root account / distinct group for users with administrative privileges

On Tue, Nov 02, 2010 at 05:47:45PM +0000, Ian Jackson wrote:
> Guido Günther writes ("Re: [RFC] disabled root account / distinct group for users with administrative privileges"):
> > Imho we should use different groups for PolicyKit and sudo. d-i would
> > need to add the user to two groups then but it would allow for polkit
> > and sudo only configurations:
>
> Why should we use different groups ? I'm not familiar with PolicyKit,
> but does it provide equivalent access to sudo ? If it does, why would
> admins often want to provide one path but not the other ?

PolicyKit has the concept of AdminIdentities that can be used to
authenticate whenever administrator authentication is required. Whether a
certain action requires auth_admin or not is governed by the policy.

If we only want to add rootlike access (which is of course required if
the root account is disabled) we could use the same group for sudo and
polkit but if we want to go further by e.g. not prompting for a password
for certain actions we should use a different role (group) to
differentiate this.

So we should make it very clear to the user that the group's sole purpose
is to replace the functionality of the disabled root account and nothing
else. Something like "root-equiv" comes to mind. Things like "admin"
sound too generic.
Cheers,
-- Guido


--
Archive: http://lists.debian.org/20101103092815.GA22361@bogon.sigxcpu.org
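
Added example, not part of the thread or of any Debian package: a Python audit that expands the sudoers group rule and the PolicyKit `AdminIdentities` line quoted above into user names and reports who is root-equivalent through sudo, through polkit, or through both, which is the overview the one-group versus two-group question is about. The file contents and user names are constructed; it assumes only `%group ALL=(ALL) ALL`-style rules and `unix-group:`/`unix-user:` identities, and it ignores primary-group membership from /etc/passwd.

```python
import configparser
import re

# Constructed sample inputs (not taken from a real system).
SUDOERS = "root ALL=(ALL) ALL\n%sudo ALL=(ALL) ALL\n%backup ALL=(root) NOPASSWD: /usr/bin/rsync\n"
POLKIT_CONF = "[Configuration]\nAdminIdentities=unix-group:desktop_admin_r;unix-user:carol\n"
GROUP_FILE = "sudo:x:27:alice,bob\ndesktop_admin_r:x:120:bob\nbackup:x:34:dave\n"

def group_members(group_text):
    """Map group name -> set of supplementary members from /etc/group text."""
    members = {}
    for line in group_text.splitlines():
        if line.strip():
            name, _pw, _gid, users = line.split(":")
            members[name] = {u for u in users.split(",") if u}
    return members

def sudo_full_groups(sudoers_text):
    """Groups holding an unrestricted rule: '%grp ALL=(ALL[:ALL]) [TAG:] ALL'."""
    rule = re.compile(r"^%(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?:\w+:\s*)*ALL\s*$")
    return {m.group(1) for line in sudoers_text.splitlines() if (m := rule.match(line))}

def polkit_admins(conf_text, members):
    """Expand the AdminIdentities entries of a localauthority.conf.d file."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the key's case instead of lowercasing it
    cp.read_string(conf_text)
    users = set()
    for ident in cp["Configuration"]["AdminIdentities"].split(";"):
        kind, _, name = ident.strip().partition(":")
        if kind == "unix-group":
            users |= members.get(name, set())
        elif kind == "unix-user":
            users.add(name)
    return users

def audit(sudoers_text, conf_text, group_text):
    """Return who is root-equivalent via both paths, sudo only, or polkit only."""
    members = group_members(group_text)
    sudo = set().union(*(members.get(g, set()) for g in sudo_full_groups(sudoers_text)))
    polkit = polkit_admins(conf_text, members)
    return {"both": sudo & polkit, "sudo_only": sudo - polkit, "polkit_only": polkit - sudo}

if __name__ == "__main__":
    for path, users in audit(SUDOERS, POLKIT_CONF, GROUP_FILE).items():
        print(f"{path}: {sorted(users)}")
```

With the single shared group from the original proposal (`AdminIdentities=unix-group:sudo`), the `sudo_only` and `polkit_only` sets come back empty, so any non-empty entry there marks a user whose privileges differ between the two paths.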