Re: Referring bug #166718 and the initial groups issue to the TC
firstname.lastname@example.org (Sam Hartman) writes:
> The problem is fairly simple. Some of our users actually want to use
> their systems once they get it installed.
> Perhaps when Debian and the FHS originally made this decision, users
> could be expected to simply add themselves to groups if they noticed
> they needed the permissions associated with these groups. However as
> Debian has gained appeal to a wider audience and as peoples'
> expectations of usability increase, users want more reasonable
> default behavior.
If we're talking about single-user machines with a graphics card for a console,
then I certainly agree. We need to be careful to avoid a change that makes
things worse (less secure, etc) for headless systems like servers, though.
> The Redhat pam_console module does seem to do roughly what we want .
The idea of conditionalizing access rights on the basis of whether a user
currently controls "the console" feels to me like exactly the right way to
approach this issue. I haven't studied pam_console, and so don't have a strong
opinion on whether it's the right hunk of code or not.