[pkg-fso-maint] Using debconf to give rights to users (was: Re: Bug#524060: wicd: debconf should add users to the netdev group)
David Paleino
d.paleino at gmail.com
Tue Apr 14 16:43:53 UTC 2009
Hello -devel,
please keep the bugreport (and its submitter) CCed -- (and the FSO team if it's
relevant)
On Tue, 14 Apr 2009 17:00:08 +0200, Salvo wrote:
> Debconf could show a question to add selected users to the netdev
> group, and then reload dbus service.
This bug is related to the "wicd" package -- an Internet connection daemon
(both wired/wireless).
To use the provided GUI (wicd-client), the user has to add herself to the
"netdev" system group. This has been introduced in 1.5.9-1 (Closes: #512160), as
a security measure: the user (through the GUI) can tell the daemon (which is run
by root [0]) to execute certain scripts (pre- and post-connection), and this
obviously is a security hole.
[0] this is necessary, and not fixable: the daemon has to run network-related
commands (ifconfig, route, [..]), and has to touch root-only files
(/etc/resolv.conf comes first to mind).
From 1.5.9-1 then, if the user doesn't add herself to the `netdev' group, the
GUI won't start up, firing DBus errors (#516767 is a clear example).
This is also quite user-unfriendly: not everybody has apt-listchanges
installed, and not everybody is used to reading files in /usr/share/doc/<package>/
(sure it's a good habit, but not everybody has it).
The question is: is it acceptable to use debconf to add users to certain
groups, effectively granting them specific rights?
I don't see security issues here: the debconf questions would be answered by
root, and the commands to manually give would need root access (/or sudo)
nevertheless -- so I'm willing to implement that in future revisions of wicd.
Is there any other possible solution to this problem?
@pkg-fso:
Depending on the replies to the above questions, wicd might use debconf in
future revisions. Is that a problem for you people? Anything I should know
before I get tons of bugreports filed? :) (I know wicd has been chosen as the
default network manager in your land)
Thank you,
David
--
. ''`. Debian maintainer | http://wiki.debian.org/DavidPaleino
: :' : Linuxer #334216 --|-- http://www.hanskalabs.net/
`. `'` GPG: 1392B174 ----|---- http://snipr.com/qa_page
`- 2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
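
An added example, not part of the original message and not code from the wicd package: shell helpers a postinst could use to check a debconf multiselect answer before granting "netdev" membership, so that only existing regular accounts are ever added. The function names, the 1000-59999 UID range and the sample data are assumptions made for illustration, and the script only prints the `adduser` commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the wicd package): validate a debconf answer
# before adding users to "netdev". All function names are hypothetical.
# Assumption: regular accounts have UIDs 1000-59999 (adduser.conf defaults
# differ between releases; adjust to the local FIRST_UID/LAST_UID).

# Read passwd-format text on stdin, print login names of regular accounts.
human_users() {
    awk -F: '$3 >= 1000 && $3 <= 59999 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# filter_selection "<multiselect answer>" "<newline-separated allowed names>"
# debconf returns multiselect values separated by ", ". Only names present
# in the allowed list survive; system accounts, typos and preseeded junk
# are dropped.
filter_selection() {
    answer=$1
    allowed=$2
    printf '%s\n' "$answer" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$allowed" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Print (do not run) the commands the postinst would execute as root.
plan_netdev_adds() {
    filter_selection "$1" "$2" | while IFS= read -r u; do
        printf 'adduser %s netdev\n' "$u"
    done
}

# Constructed sample passwd data and a constructed debconf answer.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
ALLOWED=$(printf '%s\n' "$SAMPLE_PASSWD" | human_users)
plan_netdev_adds 'alice, root, mallory' "$ALLOWED"
```

In a real maintainer script the answer would come from the debconf confmodule and the account list from `getent passwd`; the filtering step stays the same.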