[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[RFC] disabled root account / distinct group for users with administrative privileges


as some of you might know, the debian installer allows to install a system with
a disabled root account, i.e. there is no root password set for root.
In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
leaving the root password prompt empty.

The lenny installer then added the user, that was created during install, to
/etc/sudoers to grant him administrative privileges.

For squeeze we looked for a better way, especially as PolicyKit is becoming used
by more and more packages and mangling the PolicyKit configuration didn't look
like a sane alternative.

The idea is, to have a distinct group. Members of that group have administrative
privileges using sudo and PolicKit. The installer then simply has to add the
user to that group, if installed in root-disabled mode.
The relevant bug reports for PolicyKit is [1], the one for user-setup [2].

Bdale went ahead and added the following to /etc/sudoers:

# Allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL

The installer was changed to add the user to group "sudo" if the system is
installed with root disabled.

For PolicyKit, I can now simply ship a file, say
/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:


While I think the idea of using a distinct group for users with administrative
privileges is a very good one, I'm not sure if using the group name "sudo" is
the right choice, for two reasons:

1/ The sudo group in previous Debian releases had a different meaning: Members
of groups sudo could run sudo without needing a password.

2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

So, I'm wondering if we shouldn't pick a more neutral name without a previous
history in Debian.
One suggestion is to use group "admin". Ubuntu has been using that group for
exactly the purpose what we are going for and I think it is a pretty
adequate name.

One concern that was already mentioned is, that the existing group adm and admin
are too similar and prone to mistyping.

I'm a bit undecided atm. While I lean towards using a new group and in that case
the name "admin", I also know that we are already late in the squeeze release
cycle and picking a new name will require changes to user-setup and sudo.
policykit-1 hasn't being updated yet, so it'll require a new upload anyway.

Bdale was open to changing the sudo configuration, but he didn't want to drive
this discussion.

I'm very much interested in your feedback on this matter and what others think
is the best way to go and if there is maybe another, even better suggestion for
this group name.

I've also CCed debian-release as I want to know if they'd ack uploads of the
affected packages.


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: