Bug#426452: user-setup: Should allow preseeding to avoid adding initial user into local device groups
In a large installation, it does not scale to add all users to the
groups granting access to local devices on each machine. In such
configurations it is better to assign that access dynamically at
login, using the pam_group and pam_foreground pam modules.

In such a setting, it is a bad idea to add the initial user to a lot of
groups, and it would be great if it was possible to preseed away the
group adding normally done in d-i.

In Debian Edu, we use pam_group and pam_foreground to grant access to
single desktop machines (what we call the standalone profile), to make
sure all users are treated the same way even if they are added later
on using adduser. We would also prefer to be able to preseed away the
group adding. I would recommend that Debian change its default to also
use pam_group and pam_foreground to grant access to local devices.

Here is a patch to add a hidden debconf question to disable the group
adding. It is untested, but shows the proposed change of feature.

--- user-setup-apply (revision 47046)
+++ user-setup-apply (working copy)
@@ -125,9 +125,15 @@
if [ -n "$USER" ]; then
- for group in audio cdrom dialout floppy video plugdev netdev powerdev; do
+ db_get passwd/use_pam_group
+ if [ "$RET" = false ] ; then
+ # Grant access to some local devices for initial
+ # user, unless pam_group and pam_forground is used
+ # to grant access to console users.
+ for group in audio cdrom dialout floppy video plugdev netdev powerdev; do
$log $chroot $ROOT adduser "$USER" $group >/dev/null 2>&1 || true
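
Review bot: The test `if [ "$RET" = false ]` makes group adding depend on the literal string "false", so any other value skips the default behaviour without a message. That includes whatever `db_get passwd/use_pam_group` leaves in `$RET` when it fails or the template is not loaded. Inverting the check to `[ "$RET" != true ]` would keep today's behaviour unless the question is explicitly preseeded to true. In the lines shown, the new `if` has no closing `fi` after the `for` loop, and the loop body is not re-indented under it; please confirm both in the full patch. The new comment also misspells pam_foreground as "pam_forground".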
--- debian/user-setup-udeb.templates (revision 47046)
+++ debian/user-setup-udeb.templates (working copy)
@@ -16,6 +16,13 @@
Description: for internal use only
+# Allow preseeding away the group assignement for the initial user
+# when using pam_group and pam_forground to grant local device access
+Description: for internal use only
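
Review bot: The added stanza, as shown, has only a comment and a `Description:` line, with no `Template: passwd/use_pam_group`, `Type: boolean` or `Default: false` visible. The script change compares `$RET` against `false`, so without the type and default the initial user would lose the device groups on every non-preseeded install. Please make sure the template name matches the `db_get` call and that the default is stated explicitly. The comment has two typos: "assignement" and "pam_forground".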