
Bug#575309: user-setup: Should stop adding first user to device access groups



Frans Pop wrote:
> I disagree with this proposed change. IMO the default group assignments are 
> in line with the purpose of the first user account.

I have three reasons to feel otherwise:

1. IIRC, the reason for adding the initial user to groups has been to provide
   a good desktop experience. See bugs #352713, #166718.
   So worrying about the first account not having hardware access when not
   at the desktop seems like scope creep.

2. Having a non-console user in groups audio and video is a straight-up
   security exposure. Anything that can be done to close that hole
   is helpful. (I don't know what the status of revoking group
   membership on logout is, but even without that, some avenues of
   exploitation are pretty well closed by not having the first user in
   the groups statically.)

3. As a matter of principle, I feel there should be nothing special
   about the first user account. We'd had to bend principle for groups
   and /etc/sudoers, but these were imperfect hacks that suffered
   from usability problems when, e.g., adding a second user, or upgrading
   to a new version of Debian.


Now, two issues with the patch:

a. passwd/user-default-groups is a documented preseed variable,
   so it probably needs to remain available for preseeders to use, and
   the documentation will need to be updated.

b. I'm missing the list of exactly what groups consolekit puts the
   console user in, so I can't tell if we have additional groups in our
   list.

-- 
see shy jo
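
An added example, not part of the original message: a shell check that lists accounts holding static membership in the device access groups named in point 2 (audio, video), which is the condition that gives a non-console session the same device access. The function names, the `DEVICE_GROUPS` variable and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report static (group file) membership in device access groups.
# The default list holds only the two groups the message names; extend it to
# match the groups your installer or policy assigns.
DEVICE_GROUPS="${DEVICE_GROUPS:-audio video}"

# static_device_members [FILE...]
# Reads group(5)-format input (name:password:GID:member,member,...) from the
# given files or from stdin and prints one "group:user" line per membership.
# Only the member list is checked: an account whose primary GID is one of the
# groups is recorded in passwd(5), not here, and is not reported.
static_device_members() {
    awk -F: -v wanted="$DEVICE_GROUPS" '
        BEGIN {
            n = split(wanted, g, " ")
            for (i = 1; i <= n; i++) want[g[i]] = 1
        }
        /^#/ || NF < 4 { next }            # skip comments and malformed lines
        ($1 in want) && $4 != "" {
            m = split($4, users, ",")
            for (i = 1; i <= m; i++)
                if (users[i] != "") print $1 ":" users[i]
        }
    ' "$@"
}

# Constructed sample input: "alice" stands in for a first user created with
# the default group assignments, "pulse" for a service account.
sample_group_file() {
    cat <<'EOF'
root:x:0:
audio:x:29:alice,pulse
video:x:44:alice
cdrom:x:24:alice
users:x:100:alice,bob
EOF
}

# Demonstration on the constructed sample; on a real system run
#   static_device_members /etc/group
sample_group_file | static_device_members
```

Any login account in the output keeps that device access in every session it opens, including remote ones, regardless of who is at the console.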
