
Referring bug #166718 and the initial groups issue to the TC




Hi.  After discussing the issue together, the shadow maintainer and I
(PAM maintainer) have decided to refer the issue of initial groups for
users to the TC.  This is not one developer asking the TC to overrule
another; Karl and I are in agreement that the issue is bigger than
either of our packages and that Debian should have a consistent
direction on this issue.

The problem is fairly simple.  Some of our users actually want to use
their systems once they get them installed.  Particularly, they'd like
to be able to do things like play sound, access their floppy drives
and cdroms, etc.  Currently, to do that, you need to be added to
groups that have access to devices.  I think some of this comes from
the FHS rather than just decisions internal to Debian.

Perhaps when Debian and the FHS originally made this decision, users
could be expected to simply add themselves to groups if they noticed
they needed the permissions associated with these groups.  However as
Debian has gained appeal to a wider audience and as people's
expectations of usability increase, users want more reasonable
default behavior.

The proposal in bug #166718 and the bugs merged with it is for the
initial user to be added to some set of groups.  Karl does not like
this proposal because it only solves the problem for the initial
user.  That's great until you actually start to take advantage of the
fact your Debian system is multi-user.

Another proposal is to use pam_group to manage these groups.  If
someone is logging in on /dev/tty[0-9] or :0 or :0.0 or one of the
other console devices, give them audio, cdrom and floppy.  This isn't
really all that desirable either because it allows any console user
to permanently gain that group.  In particular, they can create a
setgid executable belonging to that group.

The solution some Solaris environments I'm familiar with use to this
problem is to chown the appropriate devices to the console user.  That
prevents the console user from giving away privileges.  I'm not sure
it's compatible with the FHS, and I'd certainly want buy-in from the
rest of Debian before doing that.  Also, I don't believe we currently
have an implementation of something to do that chowning in
Debian--presumably it would be a PAM module.  I don't have time to
write code to solve this and I don't think Karl does either.


The Red Hat pam_console module does seem to do roughly what we want.
In the past people have objected significantly to adding this module
to Debian for security track record reasons.  I don't know how valid
these objections are.

Thanks for your consideration,

--Sam
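
An added example, not part of the original message: an audit for the persistence problem described for the pam_group approach, listing setgid executables whose group is one of the device groups. The group names come from the message; the function names and the default scan roots are assumptions made for this sketch.

```python
import grp
import os
import stat
import sys

# Group names are the ones named in the message; adjust to local policy.
DEVICE_GROUPS = ("audio", "cdrom", "floppy")

def resolve_gids(names=DEVICE_GROUPS):
    """Map gid -> name for the groups that exist on this host."""
    gids = {}
    for name in names:
        try:
            gids[grp.getgrnam(name).gr_gid] = name
        except KeyError:
            pass  # group not defined here
    return gids

def is_setgid_for_group(mode, gid, gids):
    """True for a regular, executable, setgid file owned by a watched group."""
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISGID)
            and bool(mode & 0o111)
            and gid in gids)

def find_setgid_files(root, gids):
    """Walk root without following symlinks; return sorted (path, group, owner uid)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable
            if is_setgid_for_group(st.st_mode, st.st_gid, gids):
                hits.append((path, gids[st.st_gid], st.st_uid))
    return sorted(hits)

if __name__ == "__main__":
    # Scan roots are an assumption: places an unprivileged user can write.
    roots = sys.argv[1:] or ["/home", "/tmp", "/var/tmp"]
    watched = resolve_gids()
    for root in roots:
        for path, group, uid in find_setgid_files(root, watched):
            print(f"{path}\tgroup={group}\towner_uid={uid}")
```

Any hit owned by a non-root uid is a file that keeps the group available after the console session that granted it has ended.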


