On Mon, Apr 04, 2011 at 11:00:37PM +0200, Luk Claes wrote: > On 04/04/2011 10:42 PM, Steve Langasek wrote: > > On Mon, Apr 04, 2011 at 08:32:50PM +0100, Lars Wirzenius wrote: > >> On ma, 2011-04-04 at 19:43 +0100, Roger Leigh wrote: > >>> Regarding the root shell issue, I wouldn't have an issue with it > >>> being /bin/sh. The admin is always free to chsh it to the shell > >>> of their choice. > >> We could even have d-i set the root shell to bash if it installs bash. > >> Or have bash do it always, even, if root's shell is /bin/sh. > > This doesn't address the problem that the package manager will no longer be > > treating bash as Essential, with the result that root's login shell may be > > rendered unusable at some point during an upgrade. It also removes the > > requirement that the bash maintainer ensure the package is usable when > > unpacked but not yet configured. How do we mitigate this? The latter could > > be mitigated by calling out the requirement separately in Policy, but what > > about the former? > What about Roger's suggestion to have the root account passwordless and > locked with sudo access? Are there other drawbacks to that proposal (is > booting in single user mode covered for instance?)? How does that address the problem of getting a root shell to recover a system that's gone south in the middle of an upgrade? Do you intend to have a *user* account with sudo privileges that has /bin/sh as a default login shell? > > Users who have made a conscious decision to use a different shell as their > > root shell (such as zsh) may have accepted this incremental increase in > > risk, but I'm not convinced that we want to do this for all users by default > > (if bash is still Priority: required, it will be installed by default, so > > all users will be affected unless they opt out). > I guess this is not so much an issue anymore when the account is locked? > > And if /bin/sh is going to be dash (which I think is what we want), I > > wouldn't like to inflict that on anyone as the default root login shell. > In single user mode this would still be the case I guess? Though that > would not have a big impact anymore I guess? Essential is all about the corner cases. One of those corner cases is that you've lost power in the middle of an upgrade and everything above the Essential set has been left in an inconsistent and unusable state. This rarely happens, but the Policy definition of Essential is our guarantee that when Murphy *does* have his way with your system, you don't need to resort to rescue media to recover it provided you have access to the console. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature