Package: base-passwd
Version: 3.5.23
Severity: normal
File: /usr/share/doc/base-passwd/users-and-groups.txt.gz
Tags: patch
Usertags: pca-authentication
Hi there!

The discussion started at:

  <http://lists.debian.org/4ec92ca9.4060...@debian.org>
  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649385#17>

On Mon, 21 Nov 2011 00:29:06 +0100, Luca Capello wrote:
> On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
>> On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>>> It is not about what I do or do not want, sudo != administrator, as
>>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>>> also #600700 for the current real situation):
>>>
>>>   sudo
>>>
>>>     Members of this group do not need to type their password when using
>>>     sudo.
>>>     See /usr/share/doc/sudo/OPTIONS.
>>
>> Obviously this documentation is incorrect and needs fixing. Could you
>> file a bug about this?
>
> First, have you checked #600700, as I suggested? And if the current
> sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
> one complaining), yes, I will be glad to file a bug against base-passwd.

Here I am, not replying to #600700 because IMHO these are two different
issues: #600700 is about sudo's behavior for users in the sudo group,
this bug is about the meaning of the sudo group when policykit-1 is
installed, starting from version 0.96-4, see #532499.

> On Sun, 20 Nov 2011 21:01:33 +0100, Michael Biebl wrote:
>> On 20.11.2011 19:30, Luca Capello wrote:
>>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>>> grants any privilege to members in the sudo group *without* checking if
>>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
> [...]
>>> It is not about what I do or do not want, sudo != administrator, as
>>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>>> also #600700 for the current real situation):
>>
>> This was discussed before the squeeze release. We were looking for a
>> mechanism how we could grant administrative privileges to users (eg. if
>> installed with a disabled root account).
>> We decided to use a group for this purpose. I personally favored to use
>> group "admin", but due to various reasons (similarity to adm, etc) we
>> finally agreed to use group sudo for that. We, that included the sudo
>> maintainer.
>>
>> So, I fail to see how you consider this abusing sudo.
>
> Because if a user is in group 'sudo', even if there is no more sudo
> package installed, PolicyKit will still grant all permissions to that
> user. Which means that I do not consider using a group to grant
> administrative privileges to users as abusing sudo, but how PolicyKit
> exploits this situation.

The following patch addresses both #600700 and this bug:

--8<---------------cut here---------------start------------->8---
--- -	2011-11-30 20:52:06.275285986 +0100
+++ users-and-groups.txt	2011-11-30 20:52:00.646099578 +0100
@@ -311,8 +311,9 @@
 sudo
 
-  Members of this group do not need to type their password when using sudo.
-  See /usr/share/doc/sudo/OPTIONS.
+  Members of this group may run any command as any user when using sudo
+  or pkexec (from the policykit-1 package, independently if the sudo
+  package is installed).
 
 audio
--8<---------------cut here---------------end--------------->8---

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages base-passwd depends on:
ii  libc6                         2.13-21

base-passwd recommends no packages.

base-passwd suggests no packages.

-- no debconf information
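Review bot: the replacement text in the users-and-groups.txt hunk folds two grants with different sources into one sentence, and the sudo half is only true while /etc/sudoers (or sudoers.d) actually carries a rule for %sudo, which the thread itself points out pkexec never checks. Suggest naming both sources so the reader knows where each grant can be revoked, e.g. "Members of this group may run any command as any user via sudo (if /etc/sudoers grants it) and via pkexec (granted by policykit-1's /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf, regardless of whether the sudo package is installed)." The phrase "independently if" is also not idiomatic; "regardless of whether" reads better.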
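As an added example (not from the bug report, base-passwd, sudo or policykit-1), a small POSIX shell audit of the mismatch Luca describes: the unix groups that polkit's localauthority configuration names as administrators are compared with the groups that actually have a %group rule in a sudoers file, and any group present only on the polkit side is reported. The two input files are constructed samples written to a temporary directory; AdminIdentities is the key the localauthority backend reads, while the group and user names in the samples are made up.

```shell
#!/bin/sh
# Added example: find groups that polkit treats as administrators (and can
# therefore use pkexec to run anything as root) but that sudoers never grants.
# On a real system point the functions at
# /etc/polkit-1/localauthority.conf.d/*.conf and /etc/sudoers instead.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
POLKIT_CONF="$WORKDIR/51-debian-sudo.conf"
SUDOERS_FILE="$WORKDIR/sudoers"

# Constructed sample in localauthority.conf format (names are made up).
cat > "$POLKIT_CONF" <<'EOF'
[Configuration]
AdminIdentities=unix-group:sudo;unix-user:alice
EOF

# Constructed sample sudoers: it grants rules to %admin only, so group sudo
# is an administrator for pkexec but has no sudo rule at all.
cat > "$SUDOERS_FILE" <<'EOF'
# constructed sample, not a real /etc/sudoers
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL:ALL) ALL
EOF

# polkit_admin_groups FILE...: unix groups named in any AdminIdentities= line.
polkit_admin_groups() {
    cat "$@" 2>/dev/null | sed -n 's/^AdminIdentities=//p' | tr ';' '\n' \
        | sed -n 's/^unix-group://p' | sort -u
}

# sudoers_groups FILE: groups with a %group rule. Comments are skipped;
# @include/#include directives are not followed, so audit sudoers.d too.
sudoers_groups() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | sed -n 's/^%\([A-Za-z0-9_.-]*\).*/\1/p' | sort -u
}

# polkit_only_groups POLKIT_CONF SUDOERS: admin groups in polkit that the
# sudoers file never mentions, one per line.
polkit_only_groups() {
    sudo_groups=$(sudoers_groups "$2")
    polkit_admin_groups "$1" | while read -r grp; do
        printf '%s\n' "$sudo_groups" | grep -qx -- "$grp" || printf '%s\n' "$grp"
    done
}

# Run against the constructed samples; prints "sudo" for the files above.
polkit_only_groups "$POLKIT_CONF" "$SUDOERS_FILE"
```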