[Pkg-shadow-devel] Bug#166718: Using pam_group to give access to "useful" groups?

Christian Perrier bubulle at debian.org
Sat Oct 8 09:28:59 UTC 2005


(maybe asking -ctte should be done)

This is an attempt to, again, summarize the situation about #166718
and related bugs.

In short, the question is: how can we choose a method to make it easy for
people with physical access to the console to use its devices (sound,
cdrom, plugged devices...) and NOT compromise security.

The initial request was for passwd to "add the first created user to
useful groups" in the install process (currently D-I 2nd stage).

The former maintainer of passwd, Karl Ramm, was very reluctant to add
this as is to passwd config script.

In the meantime, the D-I team added a hack to do this in D-I 2nd
stage...which explains why the request doesn't come often now.

Several suggestions have been made to do this:

1) use pam_console (used by Redhat) to give all users connected to the
   "console" access to a bunch of groups

2) use pam_group for roughly the same purpose

3) hard-code the "useful" groups in passwd.config

4) keep the current situation and leave this to the D-I team

1) and 2) have the same security implications: granting groups access
to anyone using the console allows this user to hack a setgid binary
and have it launch a shell later, even when not connected at the
console.
Activating pam_group in common-auth seems OK but not with the lines
that would be required in /lib/security/group.conf

3) is possible but seems to be a hack

4) (the current solution) is a similar hack

I'd like to propose another approach:

Add a "--useful-groups" switch to Debian's adduser and keep a list of
useful groups in this package's default adduser.conf file.

For sure, this moves the pressure of keeping a list of "useful" groups
to Marc Haber and the adduser maintainers...but it would have the
advantage of offering admins an easy way to add users to these "useful"
groups without knowing the complete list.


Thoughts, opinions, flames? I'd really like to get rid of this
bug...:-)
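An added defensive check for the risk described in the post (this is example code, not from the bug thread nor from the shadow or adduser packages): it lists setgid executables whose group is one of the console-granted "useful" groups, which is exactly where a setgid copy of a shell left behind by a console user would show up. The group list is an assumed illustrative one; adjust it to the local policy.

```shell
#!/bin/sh
# Audit for setgid files in the "useful" device groups that pam_group or
# pam_console hand out at the console. A user who held such a group for a
# while could have created a setgid executable (e.g. a copy of a shell)
# that regains the group later, without any console session.

# Illustrative list only (assumption); use the groups granted locally.
USEFUL_GROUPS="audio cdrom floppy dialout plugdev video"

# find_setgid_in_groups DIR "GROUP ...":
# print every regular file under DIR (same filesystem only) that has the
# setgid bit set and belongs to one of the listed groups, as "group path".
find_setgid_in_groups() {
    dir=$1
    groups=$2
    for g in $groups; do
        # -perm -2000: setgid bit set; -group: file owned by group g.
        # Errors for groups that do not exist on this host are discarded.
        find "$dir" -xdev -type f -perm -2000 -group "$g" 2>/dev/null |
            while IFS= read -r f; do
                printf '%s %s\n' "$g" "$f"
            done
    done
}

# count_setgid_in_groups DIR "GROUP ...": number of such files under DIR.
count_setgid_in_groups() {
    find_setgid_in_groups "$1" "$2" | wc -l | tr -d ' '
}

# Typical run over the root filesystem (one line per suspicious file):
# find_setgid_in_groups / "$USEFUL_GROUPS"
```

Any file reported that is not shipped by a package in that group is worth a closer look, since nothing in a console-granted group normally needs the setgid bit.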
