
Bug#766914: Groups for default user created by d-i



I've always found it a bit weird and confusing that the first user
created during installation by d-i is "special" and belongs to a number
of groups that apparently are mostly unnecessary in the modern world.

However, when you add a new user using the command line
(useradd/adduser), or the GNOME settings panel, the newly created user
does not belong to any additional groups, and still everything works
fine (except audio in fast-user-switching use case, if the primary user
is in the audio group).

Why should the first user be treated differently anyway? If some groups
are necessary for normal operation, shouldn't additional users also be
included by default? If the first user is considered the primary owner
of the computer and thus entitled to more permissions, that should be
at least clearly documented.

The merge request by Felipe Sateler removes most hardware access
groups, but still leaves three groups: dip, debian-tor and lpadmin. Is
the dip (dialup, ppp?) group relevant for most users? debian-tor is not
included in default /etc/group, but maybe it works if the user installs
tor from d-i?

The purpose of these groups and the access they grant to the user is
not clearly documented anywhere I could find. For example, the first
user is in the video group by default, and according to 

https://wiki.debian.org/SystemGroups

"This group can be used locally to give a set of users access to a
video device (like the framebuffer, the videocard or a webcam)" What
does it mean in practical terms, if I can access /dev/fb0 and
/dev/dri/cardX? Can I snoop another user's screen while he is logged
in?
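
Added example, not part of the original message: a small Python check that parses /etc/group-format text and reports which supplementary groups one account has that another lacks, and who is in a given group such as video. The user names "alice" (first user) and "bob" (added later), the GIDs and the sample file are constructed for illustration.

```python
"""Compare supplementary group membership between accounts (added example)."""

# Constructed sample in /etc/group format (name:password:GID:members).
# "alice" stands for the first user created by d-i, "bob" for a user added
# later with adduser; names and GIDs are made up for illustration.
SAMPLE_GROUP = """\
root:x:0:
audio:x:29:alice
dip:x:30:alice
video:x:44:alice
lpadmin:x:115:alice
alice:x:1000:
bob:x:1001:
"""


def supplementary_groups(group_text):
    """Map each user to the set of groups that list them as a member.

    Primary groups (the GID field in /etc/passwd) and memberships served
    by other NSS sources are not visible in this file and are not covered.
    """
    membership = {}
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed entry: skip rather than guess
        name, _passwd, _gid, members = fields
        for user in filter(None, (m.strip() for m in members.split(","))):
            membership.setdefault(user, set()).add(name)
    return membership


def extra_groups(group_text, user, baseline_user):
    """Groups `user` is in that `baseline_user` is not, sorted by name."""
    membership = supplementary_groups(group_text)
    return sorted(membership.get(user, set()) - membership.get(baseline_user, set()))


def members_of(group_text, group):
    """Users who get access through `group`, e.g. everyone in 'video'."""
    membership = supplementary_groups(group_text)
    return sorted(u for u, groups in membership.items() if group in groups)


if __name__ == "__main__":
    # On a real system, pass open("/etc/group").read() instead of the sample.
    print("alice has, bob lacks:", extra_groups(SAMPLE_GROUP, "alice", "bob"))
    print("video members:", members_of(SAMPLE_GROUP, "video"))
```
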

