
Re: [RFC] disabled root account / distinct group for users with administrative privileges

On Tuesday, 19 October 2010 at 00:38 +0200, Michael Biebl wrote:
> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of group sudo could run sudo without needing a password.

Did it exist in previous releases? I don’t recall seeing it in sudoers.

> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.

I don’t think so, since the configuration snippet makes PK behave like

> So, I'm wondering if we shouldn't pick a more neutral name without a previous
> history in Debian.
> One suggestion is to use group "admin". Ubuntu has been using that group for
> exactly the purpose we are going for and I think it is a pretty
> adequate name.

“admin” is a very widespread group name, this is likely to cause huge
security issues if members of this group are not supposed to be granted
root privileges.

> I'm a bit undecided atm. While I lean towards using a new group and in that case
> the name "admin", I also know that we are already late in the squeeze release
> cycle and picking a new name will require changes to user-setup and sudo.
> policykit-1 hasn't been updated yet, so it'll require a new upload anyway.

I think it’s much more important to get this change into squeeze than to
bikeshed the group name.

On Tuesday, 19 October 2010 at 02:12 +0200, Jesús M. Navarro wrote:
> What about the old-fashioned "wheel" group[1]?

This would be an even worse disaster than “admin”, for similar reasons.
Users of the “wheel” group were not supposed to get root privileges with
their own password.

 .''`.      Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-    […] I will see what I can do for you.”  -- Jörg Schilling
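
The concern raised in this message, that a group name such as "admin" or "wheel" may already have members who were never meant to receive root privileges, can be checked before a sudoers or PolicyKit rule is attached to the name. The following is an added example, not part of the original message or of any Debian package; the function names and all account data are constructed for illustration.

```python
# Added example. All account data below is constructed for illustration.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
admin:x:110:alice,backup-op
wheel:x:111:bob
users:x:100:alice,bob,carol
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:110:Carol:/home/carol:/bin/bash
backup-op:x:1003:1003::/home/backup-op:/usr/sbin/nologin
"""
CANDIDATES = ("sudo", "admin", "wheel")  # names discussed in the thread


def parse_groups(text):
    """Map group name -> (gid, supplementary members) from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            groups[fields[0]] = (fields[2], {m for m in fields[3].split(",") if m})
    return groups


def primary_members(passwd_text, gid):
    """Users whose primary group (passwd(5) field 4) is gid; absent from the group line."""
    rows = (line.strip().split(":") for line in passwd_text.splitlines())
    return {f[0] for f in rows if len(f) >= 4 and f[3] == gid}


def audit(group_text, passwd_text, candidates=CANDIDATES):
    """Return {candidate: sorted members, or None if the group does not exist}."""
    groups = parse_groups(group_text)
    report = {}
    for name in candidates:
        if name not in groups:
            report[name] = None  # no pre-existing members to inherit privileges
            continue
        gid, members = groups[name]
        report[name] = sorted(members | primary_members(passwd_text, gid))
    return report


if __name__ == "__main__":
    for name, members in audit(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(name, "absent" if members is None else members or "no members")
```

On a real system, pass the output of `getent group` and `getent passwd` instead of the sample strings so that groups served from a directory service are included as well as those in the local files.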
