FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 10-19-2010, 12:12 AM
"Jess M. Navarro"
 
Default disabled root account / distinct group for users with administrative privileges

Hi, Michael:

On Tuesday 19 October 2010 00:38:41 Michael Biebl wrote:
> Hi,

[...]

> The idea is, to have a distinct group. Members of that group have
> administrative privileges using sudo and PolicKit.

[...]

> While I think the idea of using a distinct group for users with
> administrative privileges is a very good one, I'm not sure if using the
> group name "sudo" is the right choice, for two reasons:
>
> 1/ The sudo group in previous Debian releases had a different meaning:
> Members of groups sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.
>
>
> So, I'm wondering if we shouldn't pick a more neutral name without a
> previous history in Debian.

What about the old-fashioned "wheel" group[1]?

Now, prior to resurrect the 'wheel' group, please take into account why
there's neither wheel group nor wheel support for su on GNU systems and see
if the concerns are still valid in this new environment.

Cheers.

[1] http://en.wikipedia.org/wiki/Wheel_(Unix_term)


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 201010190212.25613.jesus.navarro@undominio.net">ht tp://lists.debian.org/201010190212.25613.jesus.navarro@undominio.net
 
Old 10-19-2010, 06:15 AM
Josselin Mouette
 
Default disabled root account / distinct group for users with administrative privileges

Le mardi 19 octobre 2010 * 00:38 +0200, Michael Biebl a écrit :
> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.

Did it exist in previous releases? I don’t recall seeing it in sudoers.

> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

I don’t think so, since the configuration snippet makes PK behave like
sudo.

> So, I'm wondering if we shouldn't pick a more neutral name without a previous
> history in Debian.
> One suggestion is to use group "admin". Ubuntu has been using that group for
> exactly the purpose what we are going for and I think it is a pretty
> adequate name.

“admin” is a very widespread group name, this is likely to cause huge
security issues if members of this group are not supposed to be granted
root privileges.

> I'm a bit undecided atm. While I lean towards using a new group and in that case
> the name "admin", I also know that we are already late in the squeeze release
> cycle and picking a new name will require changes to user-setup and sudo.
> policykit-1 hasn't being updated yet, so it'll require a new upload anyway.

I think it’s much more important to get this change into squeeze than to
bikeshed the group name.

Le mardi 19 octobre 2010 * 02:12 +0200, Jesús M. Navarro a écrit :
> What about the old-fashioned "wheel" group[1]?

This would be an even worse disaster than “admin”, for similar reasons.
Users of the “wheel” group were not supposed to get root privileges with
their own password.

Cheers,
--
.'`. Josselin Mouette
: :' :
`. `' “If you behave this way because you are blackmailed by someone,
`- […] I will see what I can do for you.” -- Jörg Schilling
 
Old 10-19-2010, 07:17 AM
Bjoern Meier
 
Default disabled root account / distinct group for users with administrative privileges

hi,


2010/10/19 Michael Biebl <biebl@debian.org>:
> Hi,
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL

First of all: YES! Thanks! I didn't know the possibility of an install
with disabled root-login.
I use DebIan 90% in a professionell environment and disable root login
by hand. So yes, I would prefer an administrative group and would say:
disabled root login as default (like logins on GDM).
I don't like the idea to do sudo-things without password. I like it to
pass my secret, because this is a hint, that I do something
system-related. So: I think we need a password here.

> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

Yes, sudo is not a good name for an admin group.
Well, admin also, because "Domain admin", "admin" "and
"administrators" are to near to windows. I use winbind to get the
groups out of the active directory and would prefer unique names for
groups.
My suggestions are:

- debadm
- linad (linux-administrator)
- uwscp (just a joke: user-with-super-cow-powers; a lean to "his APT
has Super Cow Powers." )

Greetings,
Bjrn


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: AANLkTik0pEd_eEMqNnkN0RcAbt84Hqd4zTPPjpRWq=ju@mail .gmail.com">http://lists.debian.org/AANLkTik0pEd_eEMqNnkN0RcAbt84Hqd4zTPPjpRWq=ju@mail .gmail.com
 
Old 10-19-2010, 07:29 AM
Michael Biebl
 
Default disabled root account / distinct group for users with administrative privileges

On 19.10.2010 08:15, Josselin Mouette wrote:
> Le mardi 19 octobre 2010 * 00:38 +0200, Michael Biebl a écrit :
>> 1/ The sudo group in previous Debian releases had a different meaning: Members
>> of groups sudo could run sudo without needing a password.
>
> Did it exist in previous releases? I don’t recall seeing it in sudoers.

Bdale certainly knows the gory details and can tell us more.

But afaicr, sudo was compiled with EXEMPT_GROUP sudo in previous releases.

Bdale, please speak up if I tell non-sense here. Can you tell us a bit more
about the history of group sudo, please.


> I think it’s much more important to get this change into squeeze than to
> bikeshed the group name.

I definitely agree that we need to get this change into squeeze and that we need
to be careful to not get into bikeshedding about names.

On the other hand, choosing a group for a purpose like this should imho be done
carefully as changing the name later is hard if not impossible.

I'm sorry if I sound a bit overly cautious here and maybe my concerns are
unfounded. But that's the reason why I brought this up on debian-devel.


Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
 
Old 10-19-2010, 07:48 AM
"Jesús M. Navarro"
 
Default disabled root account / distinct group for users with administrative privileges

Hi, Josselin:

On Tuesday 19 October 2010 08:15:56 Josselin Mouette wrote:
[...]

> Le mardi 19 octobre 2010 * 02:12 +0200, Jesús M. Navarro a écrit :
> > What about the old-fashioned "wheel" group[1]?
>
> This would be an even worse disaster than “admin”, for similar reasons.
> Users of the “wheel” group were not supposed to get root privileges with
> their own password.

Ok. But since this group is conceptually the same than the "old" wheel group,
one "that provides additional special system privileges that empower a user
to execute restricted commands that ordinary user accounts cannot access",
why not make a bit of a joke of it? How about bigwheel (since that's where
wheel derives from)?

On the other hand, is it really necessary a new group? Can't adm or operator
be overloaded with this new functionality? (think Ockham's razor).

Cheers.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 201010190948.58805.jesus.navarro@undominio.net">ht tp://lists.debian.org/201010190948.58805.jesus.navarro@undominio.net
 
Old 10-19-2010, 07:49 AM
Fabian Greffrath
 
Default disabled root account / distinct group for users with administrative privileges

I definitely agree that we need to get this change into squeeze and that we need
to be careful to not get into bikeshedding about names.

On the other hand, choosing a group for a purpose like this should imho be done
carefully as changing the name later is hard if not impossible.


Since this group would be Debian-specific, how about "Debian-admin" or
"Debian-sudo" (as in "Debian-gdm" or "Debian-exim")?


- Fabian


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4CBD4D94.2070707@greffrath.com">http://lists.debian.org/4CBD4D94.2070707@greffrath.com
 
Old 10-19-2010, 08:58 AM
Philip Hands
 
Default disabled root account / distinct group for users with administrative privileges

On Tue, 19 Oct 2010 00:38:41 +0200, Michael Biebl <biebl@debian.org> wrote:

> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL

Ah yes -- that's a bug in the comment of course.

The comment says (incorrectly) that people in the sudo group don't need
a password. It would need a NOPASSWD tag for the comment to be correct.

Thankfully, the configuration does the right thing, and requires that
the user know their own password to become root.

> The installer was changed to add the user to group "sudo" if the system is
> installed with root disabled.
>
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
>
> [Configuration]
> AdminIdentities=unix-group:sudo

I would object to 'sudo' being a group of people that can simply become
root if they happen to be logged in -- is that what the PolicyKit
incantation would allow?

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://www.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND
 
Old 10-19-2010, 10:09 AM
Olaf Mandel
 
Default disabled root account / distinct group for users with administrative privileges

Am Dienstag, den 19.10.2010, 08:15 +0200 schrieb Josselin Mouette:
> Le mardi 19 octobre 2010 * 00:38 +0200, Michael Biebl a écrit :
-Snipp-
> > So, I'm wondering if we shouldn't pick a more neutral name without a previous
> > history in Debian.
> > One suggestion is to use group "admin". Ubuntu has been using that group for
> > exactly the purpose what we are going for and I think it is a pretty
> > adequate name.
>
> “admin” is a very widespread group name, this is likely to cause huge
> security issues if members of this group are not supposed to be granted
> root privileges.
-Snipp-

Hi,

just a short info from one of the derivative distros: in Ubuntu, the
user-setup-udeb adds the following text to sudoers (and creates the
admin group, if it doesn't exist):

--Cut here--

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
--Cut here--

The newest Debian equivalent (1.34) adds the user to the sudo group if
possible while the older version (1.23) hardcodes the username in
sudoers.

Personally, I think using the sudo (or the admin) group in Debian would
probably be fine:

* the current sudo package seems to by default support members of the
sudo group as being able to execute arbitrary commands after typing in
their own password
* which different expectations do users have on the sudo group?
* the admin group would not be necessary (at least since sudo by default
uses the sudo group)
* On the other hand, adding a third group might be incompatible with
other distros.

My 2ct,
Olaf Mandel
 
Old 10-19-2010, 11:24 AM
Simon McVittie
 
Default disabled root account / distinct group for users with administrative privileges

base-passwd documents sudo as "Members of this group do not need to type their
password when using sudo", which is no longer true. I've opened a bug.

On Tue, 19 Oct 2010 at 09:48:58 +0200, Jess M. Navarro wrote:
> On the other hand, is it really necessary a new group? Can't adm or operator
> be overloaded with this new functionality? (think Ockham's razor).

/usr/share/doc/base-passwd/users-and-groups.txt.gz documents the meanings of
the predefined groups and whether they are root-equivalent.

In particular, adm is not meant to be root-equivalent. Members can read
potentially-sensitive system logfiles, but no more:

Group adm is used for system monitoring tasks. Members of this group can
read many log files in /var/log, and can use xconsole.

Historically, /var/log was /usr/adm (and later /var/adm), thus the name of
the group.

HELP: Perhaps policy should state the purpose of this group so users may be
safely added to it, in certainty that all they'll be able to do is read
logs. Wouldn't hurt to rename it 'log' either ...

On some machines I use, sysadmins' "mere mortal" user IDs are in group adm
(so after a normal login, a sysadmin is only slightly privileged - they
can read the logs), but to actually gain root, the sysadmin must log in with a
different SSH key, which is an authorized key for a privileged user with uid 0,
named something lik smcvR.

This is to avoid having the user's "mere mortal" login already be
root-equivalent, which is inconvenient/excessive for personal machines, but
good for a server environment.

(On a machine where I can sudo, anyone who can take over my normal account can
get root next time I use sudo, by putting a trojan sudo into my $PATH and
capturing my password. On a machine where I have a separate smcvR account for
being root, I lose a bit of convenience (although not much, if I'm logging in
remotely anyway), but an attacker would have to gain control of smcvR to do
serious damage.)

Simon


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20101019112424.GC13706@reptile.pseudorandom.co.uk" >http://lists.debian.org/20101019112424.GC13706@reptile.pseudorandom.co.uk
 
Old 10-20-2010, 01:58 AM
The Fungi
 
Default disabled root account / distinct group for users with administrative privileges

On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jess M. Navarro wrote:
[...]
> On the other hand, is it really necessary a new group? Can't adm
> or operator be overloaded with this new functionality? (think
> Ockham's razor).

Maybe similarly overloaded, but I've used the built-in "staff" group
for this for many years. It already gets write access into many
local system folders by default, so not that much of a stretch...
--
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@yuggoth.org); FINGER(fungi@yuggoth.org);
MUD(kinrui@katarsis.mudpy.org:6669); IRC(fungi@irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20101020015820.GE8365@yuggoth.org">http://lists.debian.org/20101020015820.GE8365@yuggoth.org
 

Thread Tools




All times are GMT. The time now is 09:31 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org