
[RFC] disabled root account / distinct group for users with administrative privileges



Hi,

as some of you might know, the debian installer allows installing a system with
a disabled root account, i.e. there is no root password set for root.
In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
leaving the root password prompt empty.

The lenny installer then added the user that was created during install to
/etc/sudoers to grant him administrative privileges.

For squeeze we looked for a better way, especially as PolicyKit is becoming used
by more and more packages and mangling the PolicyKit configuration didn't look
like a sane alternative.

The idea is to have a distinct group. Members of that group have administrative
privileges using sudo and PolicyKit. The installer then simply has to add the
user to that group, if installed in root-disabled mode.
The relevant bug report for PolicyKit is [1], the one for user-setup [2].


Bdale went ahead and added the following to /etc/sudoers:

# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL


The installer was changed to add the user to group "sudo" if the system is
installed with root disabled.

For PolicyKit, I can now simply ship a file, say
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:

[Configuration]
AdminIdentities=unix-group:sudo



While I think the idea of using a distinct group for users with administrative
privileges is a very good one, I'm not sure if using the group name "sudo" is
the right choice, for two reasons:

1/ The sudo group in previous Debian releases had a different meaning: Members
of group sudo could run sudo without needing a password.

2/ Using the name sudo in context of PolicyKit sounds weird and misleading.


So, I'm wondering if we shouldn't pick a more neutral name without a previous
history in Debian.
One suggestion is to use group "admin". Ubuntu has been using that group for
exactly the purpose we are going for and I think it is a pretty
adequate name.

One concern that was already mentioned is that the existing group adm and admin
are too similar and prone to mistyping.

I'm a bit undecided atm. While I lean towards using a new group and in that case
the name "admin", I also know that we are already late in the squeeze release
cycle and picking a new name will require changes to user-setup and sudo.
policykit-1 hasn't been updated yet, so it'll require a new upload anyway.

Bdale was open to changing the sudo configuration, but he didn't want to drive
this discussion.

I'm very much interested in your feedback on this matter and what others think
is the best way to go and if there is maybe another, even better suggestion for
this group name.

I've also CCed debian-release as I want to know if they'd ack uploads of the
affected packages.


Cheers,
Michael






[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
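
Added example, not part of the original message or of any Debian package: a small audit that reads a sudoers rule set and a PolicyKit localauthority file like the two quoted above and reports where they disagree on the administrative group, or where a group rule is NOPASSWD (the earlier meaning of group sudo). The sample inputs are constructed from the snippets in the message; the function names are hypothetical and the sudoers parsing covers only simple one-line `%group` rules.

```python
import configparser
import re

# Constructed sample inputs mirroring the two snippets quoted in the message.
SUDOERS = "# members of group sudo\n%sudo ALL=(ALL) ALL\n"
POLKIT = "[Configuration]\nAdminIdentities=unix-group:sudo\n"

# %group host=(runas) [TAG:]... commands  (simple one-line rules only)
RULE = re.compile(r"^%(?P<group>[\w.-]+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?"
                  r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def sudoers_admin_groups(text):
    """Map group -> True if NOPASSWD, for %group rules that grant ALL commands."""
    groups = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group("cmds").strip() == "ALL":
            groups[m.group("group")] = "NOPASSWD:" in m.group("tags")
    return groups

def polkit_admin_groups(text):
    """Return the unix groups listed in AdminIdentities (semicolon separated)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    ids = cp.get("Configuration", "AdminIdentities", fallback="")
    return {i.split(":", 1)[1] for i in ids.split(";")
            if i.strip().startswith("unix-group:")}

def audit(sudoers, polkit):
    """List findings: NOPASSWD admin rules and groups known to only one side."""
    s, p = sudoers_admin_groups(sudoers), polkit_admin_groups(polkit)
    findings = []
    for g in sorted(set(s) | p):
        if s.get(g):
            findings.append(f"{g}: sudo rule is NOPASSWD")
        if (g in s) != (g in p):
            side = "sudoers" if g in s else "polkit"
            findings.append(f"{g}: administrative in {side} only")
    return findings

if __name__ == "__main__":
    for finding in audit(SUDOERS, POLKIT) or ["sudoers and polkit agree"]:
        print(finding)
```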
