On Wed, May 26, 2010 at 08:40:26AM +0100, Stephen Gran wrote: > This one time, at band camp, Steve Langasek said: > > On Tue, May 25, 2010 at 11:30:49PM +0100, Stephen Gran wrote: > > > This one time, at band camp, Michael Banck said: > > > > > > Seems worthwhile to change adduser how you suggest to me, is there > > > > a bug filed to this end? > > > > > adduser has had bugs filed in the past asking for uid to be equal to > > > gid by default, and I have so far rejected them as not worth the > > > complexity for the aesthetic pleasure of having numbers match. Is > > > there some problem with username == primary group name? > > > > pam_umask requires both username == primary group name and uid == gid > > before it will assume UPG are in place when using its 'usergroups' > > option, and I am not willing to diverge from upstream on this as this > > would mean admins coming from other systems may get an unpleasant > > surprise when they find that Debian gives a more relaxed umask than > > they were expecting in some corner cases. > > > > So either someone should convince Linux-PAM upstream to change the > > behavior of pam_umask, or adduser should enforce the same rules as > > other implementations, if pam_umask is to be involved here. Beyond > > that, I have no particular opinion on this question. > > That's the first useful argument I've heard for changing adduser's > behavior. Interoperability with other software is a useful goal, and > when I was arguing it wasn't worth the complexity, either pam_umask > didn't exist or I was unaware of it. I don't agree with the upstream or Steve here. The UID==GID mapping breaks with just one call to addgroup which gets them out of sync. UIDs and GIDs are just a convenient mapping from the actual names to numbers; so long as they are constant and unique, the actual numerical values are unimportant. For UPG, comparing the names of the user and group makes sense; comparing the UID/GID does not. While interoperability is important, this UID==GID concept is not something we have ever guaranteed and makes little sense from a security POV--the name is the only part that matters. It's akin to arguing that the index offset into a table is more important than the content at that index. We also need to consider interoperability with ourselves, and the current pam_umask is broken on Debian systems where the numbers are not in sync. I'd be interested to understand the upstream POV here--with current Debian systems, assuming UID==GID without additionally checking that the names match is horribly insecure. Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
Attachment:
signature.asc
Description: Digital signature