• Revise/remove the groups added to the user created by d-i

    From Laurent Bigonville@21:1/5 to All on Tue Dec 31 14:50:02 2024
    Hello,

    The regular user created by the debian-installer is still added to
    several groups[0] by default (contrary to the other users created by
    adduser later), but these days with udev/logind/polkit... this doesn't
    seem necessary at all; the different desktop environments work perfectly
    without these extra privileges out of the box (in the past, you needed
    the video and audio group to have 3D acceleration and audio).

    This could also be seen as a security issue as, on a machine with
    multiple users, the first (regular) user could listen to the audio or
    watch the screen of other users without elevating their privileges
    explicitly.

    There are different bugs that have been open for years about this, but
    AFAIK, nothing was really discussed(?).

    IMVHO, only the "users" group should stay (d-i and adduser should be
    kept in sync regarding the added groups) and the other groups should be
    dropped. ATM, the "passwd/user-default-groups" is marked as "for
    internal use only" but maybe that should be made configurable if a user
    has a specific need?

    What is the position of the debian-installer maintainers here?

    Kind regards,

    Laurent Bigonville

    [0] The default groups are: "audio cdrom dip floppy video plugdev netdev scanner bluetooth debian-tor lpadmin"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marc Haber@21:1/5 to Laurent Bigonville on Tue Dec 31 16:30:01 2024
    Adduser Maintainer here.

    On Tue, Dec 31, 2024 at 02:44:04PM +0100, Laurent Bigonville wrote:
    > IMVHO, only the "users" group should stay (d-i and adduser should be
    > kept in sync regarding the added groups) and the other groups should
    > be dropped. ATM, the "passwd/user-default-groups" is marked as "for
    > internal use only" but maybe that should be made configurable if a
    > user has a specific need?

    It would probably be the easiest thing if the Installer would just call
    adduser. The package was installed before so its defaults are already in
    place. That way, there is nothing to keep in sync. If adduser can do
    anything to make it easier for the Installer, please file a bug against
    adduser so that I can track that.

    I don't think it makes sense to make that preseedable, it's just the
    first user that gets affected, and I think that installations so big
    that they'd do preseeding here would probably create a special
    administration user from the Installer anyway.

    Greetings
    Marc

    --
    -----------------------------------------------------------------------------
    Marc Haber         | "I don't trust Computers. They | Mail address in header
    Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

  • From Cyril Brulebois@21:1/5 to All on Tue Dec 31 16:30:02 2024
    Ben Hildred <[email protected]> (2024-12-31):
    > Crazy thought here: What if we made the list of groups preseedable?

    Have you tried or maybe just researched this topic a little?

    # Allow preseeding the groups to which the first created user is added
    Template: passwd/user-default-groups
    Type: string
    Default: audio cdrom dip floppy video plugdev netdev scanner bluetooth debian-tor lpadmin
    Description: for internal use only

    And that's quite orthogonal to Laurent's topic anyway. (I have no
    opinion on it, and I'm still busy with Trixie Alpha 1 anyway.)


    Cheers,
    --
    Cyril Brulebois ([email protected]) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant


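Added example (not part of the thread, and not code from debian-installer or adduser): a shell audit that reports which accounts hold supplementary membership in the groups listed in footnote [0] and in the passwd/user-default-groups default, and prints the gpasswd calls that would drop those memberships. The function names are assumptions made for this example; it reads /etc/group format only, so primary groups and non-file NSS sources are not covered.

```shell
#!/bin/sh
# Added example: audit membership in the groups d-i gives the first user.
# The list is copied from footnote [0] / the passwd/user-default-groups
# template default quoted in the thread.
DI_GROUPS="audio cdrom dip floppy video plugdev netdev scanner bluetooth debian-tor lpadmin"

# audit_di_groups [GROUP_FILE]   (hypothetical helper name)
# Reads a file in /etc/group format (name:passwd:gid:member,member,...)
# and prints one line per account, "user: group group ...", sorted by user.
# Only supplementary membership is visible in this file; a primary group
# set in /etc/passwd is not reported.
audit_di_groups() {
    group_file="${1:-/etc/group}"
    awk -F: -v wanted="$DI_GROUPS" '
        BEGIN { n = split(wanted, w, " ")
                for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^#/ || NF < 4 { next }            # skip comments and malformed lines
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] != "")
                    hits[members[i]] = hits[members[i]] " " $1
        }
        END { for (u in hits) printf "%s:%s\n", u, hits[u] }
    ' "$group_file" | sort
}

# removal_plan [GROUP_FILE]   (hypothetical helper name)
# Prints, without running them, the gpasswd calls that would remove each
# reported membership, so the plan can be reviewed before anything changes.
removal_plan() {
    audit_di_groups "$1" | while IFS=: read -r user groups; do
        for g in $groups; do
            printf 'gpasswd -d %s %s\n' "$user" "$g"
        done
    done
}

# When invoked with a file argument, run the audit on it.
if [ "$#" -gt 0 ]; then
    audit_di_groups "$1"
fi
```

On a live system, `audit_di_groups /etc/group` shows the first user's inherited memberships next to those of accounts created later with adduser.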