Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups

To: submit@bugs.debian.org
Subject: Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups
From: Petter Reinholdtsen <pere@hungry.com>
Date: Mon, 28 May 2007 23:33:44 +0200
Message-id: <[🔎] 2flirachbuv.fsf@saruman.uio.no>
Reply-to: Petter Reinholdtsen <pere@hungry.com>, 426452@bugs.debian.org

Package:  user-setup
Version:  1.11
Severity: wishlist
Tags:     patch

In a large installation, it does not scale to add all users to the
groups granting access to local devices on each machine.  In such
configurations it is better to assign that access dynamically at
login, using the pam_group and pam_foreground pam modules.

In such setting, it is a bad idea to add the initial user to a lot of
groups, and it would be great if it was possible to preseed away the
group adding normally done in d-i.

In Debian Edu, we use pam_group and pam_foreground to grant access to
single desktop machines (what we call the standalone profile), to make
sure all users are treated the same way even if they are added later
on using adduser.  We would also prefer to be able to preseed away the
group adding.  I would recommend Debian changed its default to also
use pam_group and pam_foreground to grant access to local devices.

Here is a patch to add a hidden debconf question to disable the group
adding.  It is untested, but show the proposed change of feature.

Index: user-setup-apply
===================================================================
--- user-setup-apply	(revision 47046)
+++ user-setup-apply	(working copy)
@@ -125,9 +125,15 @@
 	fi
 
 	if [ -n "$USER" ]; then
-		for group in audio cdrom dialout floppy video plugdev netdev powerdev; do
+		db_get passwd/use_pam_group
+		if [ "$RET" = false ] ; then
+		    # Grant access to some local devices for initial
+		    # user, unless pam_group and pam_forground is used
+		    # to grant access to console users.
+		    for group in audio cdrom dialout floppy video plugdev netdev powerdev; do
 			$log $chroot $ROOT adduser "$USER" $group >/dev/null 2>&1 || true
 		done
+		fi
 	fi
 
 	db_get passwd/root-login
Index: debian/user-setup-udeb.templates
===================================================================
--- debian/user-setup-udeb.templates	(revision 47046)
+++ debian/user-setup-udeb.templates	(working copy)
@@ -16,6 +16,13 @@
 Type: string
 Description: for internal use only
 
+# Allow preseeding away the group assignement for the initial user
+# when using pam_group and pam_forground to grant local device access
+Template: passwd/use_pam_group
+Type: boolean
+Default: false
+Description: for internal use only
+
 Template: passwd/root-login
 Type: boolean
 Default: true

Reply to:

Follow-Ups:
- Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups
  - From: Frans Pop <elendil@planet.nl>
- Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups
  - From: Christian Perrier <bubulle@debian.org>

Prev by Date: Bug#426284: debian-installer: partitioner doesn't seem to create RAID devices
Next by Date: Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups
Previous by thread: choose-mirror_2.16_amd64.changes ACCEPTED
Next by thread: Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups
Index(es):
- Date
- Thread