Re: Sudo mode and policykit



On Thu, Mar 25, 2010 at 09:21:58PM -0300, Margarita Manterola wrote:

> On Thu, Mar 25, 2010 at 7:49 PM, Michael Biebl <biebl@debian.org> wrote:
> > Speaking as policykit maintainer, I have to say that I generally like
> > the idea of such an "admin" group and thus would prefer 1.).

> Speaking as a user and sysadmin, I also prefer the group approach.
> But I dislike having to add yet another new group. Debian already
> lists several groups [1] that could be used for this.  Particularly,
> staff looks like a good option to me.

'staff' is a very *bad* option for this, because this overloads the
semantics of this group name even worse than we already have in the past: in
addition to it being a common English name for a group that has caused sites
to assign special semantics to it (either because it was already in use on
non-Debian systems at the site or because someone sees the group name
without realizing its special meaning on Debian), it is the traditional
owning group of /usr/local *with write privileges on root's path*.

'admin', while it may still collide with prior local site usage (as might
any other new group name we pick), at least is relatively unlikely to result
in unexpected privilege escalations on upgrade.

(Either way, such a change ought to be documented in big bold letters in the
release notes.)

> The amount of groups that a user needs to belong to in order to get
> the best experience from their computer is growing and growing.  This
> wouldn't be a problem, if there wasn't a bug with nfs related to
> having more than 16 groups [2].

Well, everyone should just use NFSv4 instead anyway. :-)  But yes, we should
at the same time work on getting rid of some of these groups.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
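
The concern raised above about 'staff' is that a group with write access to a directory on root's path gains more than its name suggests. The following audit function is an added example, not part of the original message: it lists path directories writable through group or world permission bits. It assumes GNU `stat` and `getent` as found on Debian; the function name and output format are invented for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils stat, as on Debian.
# Lists directories on a search path that non-root accounts can write to via
# group or world permission bits, e.g. /usr/local/bin owned by group staff.

# writable_path_dirs PATHSTRING
# Output, one line per finding:
#   <position> <dir> mode=<octal> owner=<user> group=<group> <reason> members=<list>
writable_path_dirs() {
    _pos=0
    _old_ifs=$IFS
    IFS=:
    set -f                                  # no globbing while splitting
    for _dir in $1; do
        _pos=$((_pos + 1))                  # earlier entries shadow later ones
        [ -n "$_dir" ] || _dir=.            # empty element means current directory
        [ -d "$_dir" ] || continue
        _info=$(stat -L -c '%a %U %G' "$_dir") || continue
        _mode=${_info%% *}
        _rest=${_info#* }
        _owner=${_rest%% *}
        _group=${_rest#* }
        _bits=$((0$_mode))                  # leading 0: parse as octal
        _why=
        if [ $((_bits & 0020)) -ne 0 ]; then _why=group-writable; fi
        if [ $((_bits & 0002)) -ne 0 ]; then _why=${_why:+$_why,}world-writable; fi
        [ -n "$_why" ] || continue
        # Supplementary members only; users whose primary group this is are
        # not listed in the group database entry.
        _members=$(getent group "$_group" 2>/dev/null | cut -d: -f4)
        printf '%s %s mode=%s owner=%s group=%s %s members=%s\n' \
            "$_pos" "$_dir" "$_mode" "$_owner" "$_group" "$_why" \
            "${_members:-none-listed}"
    done
    set +f
    IFS=$_old_ifs
    return 0
}

# Audit the path given as the first argument, or the current PATH.
writable_path_dirs "${1:-$PATH}"
```

To check root's environment, run it as root or pass root's PATH string as the argument.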
