[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] disabled root account / distinct group for users with administrative privileges

Am Dienstag, den 19.10.2010, 08:15 +0200 schrieb Josselin Mouette:
> Le mardi 19 octobre 2010 à 00:38 +0200, Michael Biebl a écrit : 
> > So, I'm wondering if we shouldn't pick a more neutral name without a previous
> > history in Debian.
> > One suggestion is to use group "admin". Ubuntu has been using that group for
> > exactly the purpose what we are going for and I think it is a pretty
> > adequate name.
> “admin” is a very widespread group name, this is likely to cause huge
> security issues if members of this group are not supposed to be granted
> root privileges.


just a short info from one of the derivative distros: in Ubuntu, the
user-setup-udeb adds the following text to sudoers (and creates the
admin group, if it doesn't exist):

--Cut here--

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
--Cut here--

The newest Debian equivalent (1.34) adds the user to the sudo group if
possible while the older version (1.23) hardcodes the username in

Personally, I think using the sudo (or the admin) group in Debian would
probably be fine:

* the current sudo package seems to by default support members of the
sudo group as being able to execute arbitrary commands after typing in
their own password
* which different expectations do users have on the sudo group?
* the admin group would not be necessary (at least since sudo by default
uses the sudo group)
* On the other hand, adding a third group might be incompatible with
other distros.

My 2ct,
Olaf Mandel

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: