
Re: exploring debian's users and groups



On Tue, Aug 07, 2001 at 01:35:48AM -0400, Joey Hess wrote:
> uucp:
> 
> 	HELP: Presumably used for UUCP, which I know nothing of.
> 
> 	HELP: Why is minicom owned by group uucp? Is this a bug?

It also was (until recently?) setgid uucp, for modem locking.  I
believe it was removed for security reasons.  There's talk about
redoing serial port locking entirely now though.

> irc:
> 
> 	HELP: Why does an irc daemon need its own static user and group?

Because no one wants to trust it? :)

It doesn't.  Of course, removing them is tricky.

> adm:
> 
> 	HELP: On my system, use of group adm is confined entirely to
> 	      /var/log, and I've never seen the point. Oh, and
> 	      /dev/xconsole is owned by group adm, but that may be a
> 	      (local?) bogosity.

Nope, not a bogosity.  ADM is to read logs.  I keep myself in group adm
so that I can read syslog (and could use xconsole if so inclined)
without having to su.

> disk:
> 
> kmem:

Disk may have been a good idea at one point, but (like kmem) is
essentially equivalent to root.  Write access to any raw device is very
likely to lead to system compromise, via VFS bugs if nothing else. 
Read access to kmem is a LITTLE weaker than root... but not much. 
Especially if root ever types his password.

> sudo:
> 
> 	HELP: Nothing uses it here, and I have sudo installed.. Maybe
> 	      there's a way to only let users in this group use sudo?

There is, sure, but the group isn't special in any way...

> dip:
> 
> 	HELP: What did this group's name signify? DIaluP?

Dialup IP.  apt-cache show dip, actually.

> src:
> 
> 	This group owns source code, including files in /usr/src. It can be
> 	used locally to give a user the ability to manage system source
> 	code.
> 
> 	HELP: /usr/src is owned by group src and is setuid. This doesn't
> 	      make files put there by foo-src packages necessarily be owned
> 	      by group src though. If the intent is to make group src be
> 	      able to manage source code, perhaps policy should say that
> 	      foo-src packages make files in /usr/src owned and writable by
> 	      the group (and files in tarballs dropped there likewise?)

<gripe>(and that sticky bit causes no end of stupid errors when
packaging... mostly alleviated by debhelper now, but still...)</gripe>


-- 
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer
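
An added example, not part of the original message: a shell function that lists the accounts belonging to the groups the message calls essentially equivalent to root (disk, kmem), counting both supplementary membership in group(5) and primary GID in passwd(5). The function name `root_equiv_members` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Usage: root_equiv_members GROUP_FILE PASSWD_FILE [GROUP...]
# Prints one "group:user" line per membership, sorted and de-duplicated.
root_equiv_members() {
    group_file=$1
    passwd_file=$2
    shift 2
    [ "$#" -gt 0 ] || set -- disk kmem   # default: groups named in the message
    awk -F: -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # First file, group(5): name:password:gid:member,member,...
        FILENAME == ARGV[1] {
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++)
                    if (members[i] != "") print $1 ":" members[i]
            }
            next
        }
        # Second file, passwd(5): name:password:uid:gid:...
        # Catches accounts whose primary group is one of the wanted groups.
        ($4 in gid2name) { print gid2name[$4] ":" $1 }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
adm:x:4:alice
disk:x:6:backup,alice
kmem:x:15:
users:x:100:
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:100:Alice:/home/alice:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
monitor:x:1001:15:Monitor:/home/monitor:/bin/sh
EOF

root_equiv_members "$sample_dir/group" "$sample_dir/passwd"
```

On a live system the same function can be pointed at `/etc/group` and `/etc/passwd`; any account it prints should be reviewed as if it held root.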


