
Re: [adduser] default group for 'dynamically allocated system users'



Hi!

On Mon, 2022-07-04 at 09:12 +0200, Marc Haber wrote:
> Hi,
> 
> adduser has been putting newly created 'dynamically allocated system
> users' (adduser --system) into the nogroup group. It is also
> documented to do so. There is an ancient bug report complaining about
> this, and I think this is a valid complaint. However,
> /usr/share/doc/base-passwd/users-and-groups.txt.gz says that no files
> should ever be owned by nogroup, making adduser do the right thing in
> its current state.
> 
> Can you come up with a better default for users created with adduser
> --system without requesting a dedicated group?

One idea worth considering, imho, is what the reporter [0] suggests:
make --group the default for --system.

This will add one group for every system user (that is currently
created without --group). Not unreasonable overhead for slightly
improved security posture.  Sysadmin hat, I can think of situations
where having a dedicated service group is useful (e.g. giving r/o access
to logs).

Having two unrelated services share a GID is just an unnecessary risk;
probably should not be the default.

> 
> Greetings
> Marc

Cheers,
Matt


[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693218
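The shared-GID situation Matt describes, as an added audit script that is not part of this thread or of adduser itself: it flags system-range accounts whose primary GID is shared with another system account. It assumes Debian's 100..999 UID range for system users and GID 65534 for nogroup; the passwd content below is constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the adduser thread): find system accounts that
# share a primary GID, which is what happens when several services are
# created with `adduser --system` and no --group and all land in nogroup.
# Assumptions: system UIDs are 100..999 (Debian convention), nogroup is
# GID 65534. The passwd content is a constructed sample, not a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
svc-a:x:101:65534::/var/lib/svc-a:/usr/sbin/nologin
svc-b:x:102:65534::/var/lib/svc-b:/usr/sbin/nologin
svc-c:x:103:103::/var/lib/svc-c:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# shared_system_gids PASSWD_CONTENT
# Prints one line "GID user1,user2,..." for every primary GID used by two
# or more accounts in the system UID range. Prints nothing if none share.
shared_system_gids() {
  printf '%s\n' "$1" | awk -F: '
    $3 >= 100 && $3 <= 999 {
      users[$4] = (users[$4] == "" ? $1 : users[$4] "," $1)
      count[$4]++
    }
    END {
      for (g in count) if (count[g] > 1) print g " " users[g]
    }'
}

# nogroup_users PASSWD_CONTENT
# Lists system accounts whose primary group is nogroup (65534), i.e. the
# accounts the thread is talking about.
nogroup_users() {
  printf '%s\n' "$1" | awk -F: '$3 >= 100 && $3 <= 999 && $4 == 65534 { print $1 }'
}

# Stand-alone run over the constructed sample; swap in "$(cat /etc/passwd)"
# to audit a real host.
echo "system accounts in nogroup:"
nogroup_users "$SAMPLE_PASSWD"
echo "system accounts sharing a primary GID:"
shared_system_gids "$SAMPLE_PASSWD"
```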
