[Adduser-devel] Bug#290623: adduser should never use "nogroup" as a user's group

Roderick Schertler <roderick@argon.org>, 290623@bugs.debian.org
Sat, 15 Jan 2005 07:47:37 -0500


Package: adduser
Version: 3.59
Severity: normal

adduser should never use "nogroup" as the group for a user by default.
The reason nobody and nogroup exist is so that processes can be sure of
having no special access to the file system.  For this to work there
mustn't be anything in the file system with uid/gid set to either.
With system users in nogroup it's easy for files to be created with
nogroup as their group, and though they usually won't be group writable,
it's asking for trouble, with no benefit.

If USERGROUPS is set then system users should get their own unique groups,
just like regular users, and for the same reasons.

If USERGROUPS isn't set then system users should be put in a group created
for just this purpose (perhaps "sysuser"), rather than using nogroup.

-- 
Roderick Schertler
roderick@argon.org
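The audit a practitioner would want after reading this report is a way to find system accounts that were created with "nogroup" as their primary group, and any files that have ended up with that gid. The following is an added example written for this page, not code from the adduser package or from the report's author. It parses constructed /etc/passwd and /etc/group samples (marked as such in the code), treats uids outside the FIRST_UID..LAST_UID range as system accounts (1000..59999 are assumed here as the adduser.conf defaults), exempts the nobody/nogroup pair itself, and also provides a filesystem walk for files owned by a given gid.

```python
"""Audit for system accounts whose primary group is "nogroup", and for
files carrying that gid.  Added example; the passwd/group data below is
constructed for illustration and does not come from a real host."""
import os

NOGROUP_NAME = "nogroup"

# Constructed sample data in /etc/passwd and /etc/group format.
# "ntpd" is the bad case the bug report describes: a system account whose
# gid resolves to nogroup.  "postfix" has a group of its own.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ntpd:x:104:65534::/var/lib/ntp:/usr/sbin/nologin
postfix:x:105:108::/var/spool/postfix:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
nogroup:x:65534:
postfix:x:108:
alice:x:1000:
"""


def parse_passwd(text):
    """Return a list of dicts for each passwd(5) entry in `text`."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def parse_group(text):
    """Return a mapping gid -> group name for each group(5) entry."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":")
        groups[int(gid)] = name
    return groups


def system_users_in_nogroup(passwd_text, group_text,
                            first_uid=1000, last_uid=59999,
                            nogroup=NOGROUP_NAME):
    """Names of system accounts (uid outside first_uid..last_uid) whose
    primary group is `nogroup`.  The nobody account is exempt because
    nobody/nogroup is the pairing those ids exist for.  The uid range is an
    assumption matching the adduser.conf FIRST_UID/LAST_UID defaults."""
    gid_to_name = parse_group(group_text)
    flagged = []
    for user in parse_passwd(passwd_text):
        if user["name"] == "nobody":
            continue
        is_system = not (first_uid <= user["uid"] <= last_uid)
        if is_system and gid_to_name.get(user["gid"]) == nogroup:
            flagged.append(user["name"])
    return flagged


def files_with_gid(root, gid):
    """Walk `root` without following symlinks and return paths whose gid
    is `gid`.  Per the report, there should be none for nogroup."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; not a finding either way
            if st.st_gid == gid:
                hits.append(path)
    return hits


if __name__ == "__main__":
    # On a real host you would read /etc/passwd and /etc/group instead.
    print("system users in nogroup:",
          system_users_in_nogroup(SAMPLE_PASSWD, SAMPLE_GROUP))
    nogroup_gid = [g for g, n in parse_group(SAMPLE_GROUP).items()
                   if n == NOGROUP_NAME][0]
    print("files with that gid under /var/lib:",
          files_with_gid("/var/lib", nogroup_gid))
```

An account flagged by this check can be repaired by giving it a group of its own; adduser's `--system --group` combination creates a group with the same name for a new system user, which is the behaviour the report asks for when USERGROUPS is set.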