Re: [RFC] disabled root account / distinct group for users with administrative privileges
On Tue, Oct 19, 2010 at 12:38:41AM +0200, Michael Biebl wrote:
> Hi,
>
> as some of you might know, the debian installer allows to install a system with
> a disabled root account, i.e. there is no root password set for root.
> In lenny, iirc, this was done via d-i pre-seeding, in squeeze it is as simple as
> leaving the root password prompt empty.
>
> The lenny installer then added the user, that was created during install, to
> /etc/sudoers to grant him administrative privileges.
>
> For squeeze we looked for a better way, especially as PolicyKit is becoming used
> by more and more packages and mangling the PolicyKit configuration didn't look
> like a sane alternative.
>
> The idea is, to have a distinct group. Members of that group have administrative
> privileges using sudo and PolicKit. The installer then simply has to add the
Fedora introduced desktop_admin_r for this in the polkit-destkop-polcy
package:
http://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html
Imho we should use diffrent groups for PolicyKit and sudo. d-i would
need to add the user to two groups then but it would allow for polkit
and sudo only configurations:
If you only want to grant polkit based privileges remove the user from
the sudoers group and if you only want sudo based privileges remove it
from the desktop_admin_r group. This would allow administrators to only
care about one set of privileges which makes it easier to oversee the
consequences when adding more users to these groups.
Cheers,
-- Guido
> user to that group, if installed in root-disabled mode.
> The relevant bug reports for PolicyKit is [1], the one for user-setup [2].
>
>
> Bdale went ahead and added the following to /etc/sudoers:
>
> # Allow members of group sudo to not need a password
> # (Note that later entries override this, so you might need to move
> # it further down)
> %sudo ALL=(ALL) ALL
>
>
> The installer was changed to add the user to group "sudo" if the system is
> installed with root disabled.
>
> For PolicyKit, I can now simply ship a file, say
> /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf which contains:
>
> [Configuration]
> AdminIdentities=unix-group:sudo
>
>
>
> While I think the idea of using a distinct group for users with administrative
> privileges is a very good one, I'm not sure if using the group name "sudo" is
> the right choice, for two reasons:
>
> 1/ The sudo group in previous Debian releases had a different meaning: Members
> of groups sudo could run sudo without needing a password.
>
> 2/ Using the name sudo in context of PolicyKit sounds weird and misleading.
>
>
> So, I'm wondering if we shouldn't pick a more neutral name without a previous
> history in Debian.
> One suggestion is to use group "admin". Ubuntu has been using that group for
> exactly the purpose what we are going for and I think it is a pretty
> adequate name.
>
> One concern that was already mentioned is, that the existing group adm and admin
> are too similar and prone to mistyping.
>
> I'm a bit undecided atm. While I lean towards using a new group and in that case
> the name "admin", I also know that we are already late in the squeeze release
> cycle and picking a new name will require changes to user-setup and sudo.
> policykit-1 hasn't being updated yet, so it'll require a new upload anyway.
>
> Bdale was open to changing the sudo configuration, but he didn't want to drive
> this discussion.
>
> I'm very much interested in your feedback on this matter and what others think
> is the best way to go and if there is maybe another, even better suggestion for
> this group name.
>
> I've also CCed debian-release as I want to know if they'd ack uploads of the
> affected packages.
>
>
> Cheers,
> Michael
>
>
>
>
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536490
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597239
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
>
Reply to: