On Tue, Dec 31, 2024 at 6:44 AM Laurent Bigonville <bi...@debian.org> wrote:

> Hello,
>
> The regular user created by the debian-installer is still added to
> several groups[0] by default (contrary to the other users created by
> adduser later), but these days with udev/logind/polkit... this doesn't
> seem necessary at all; the different desktop environments work perfectly
> without these extra privileges out of the box (in the past, you needed
> the video and audio group to have 3D acceleration and audio).
>
> This could also be seen as a security issue as, on a machine with
> multiple users, the first (regular) user could listen to the audio or
> watch the screen of other users without elevating their privileges
> explicitly.
>
> There are different bugs that have been open for years about this, but AFAIK,
> nothing was really discussed(?).
>
> IMVHO, only the "users" group should stay (d-i and adduser should be
> kept in sync regarding the added groups) and the other groups should be
> dropped. ATM, the "passwd/user-default-groups" is marked as "for
> internal use only" but maybe that should be made configurable if a user
> has a specific need?
>
> What is the position of the debian-installer maintainers here?
>
> Kind regards,
>
> Laurent Bigonville
>
> [0] The default groups are: "audio cdrom dip floppy video plugdev netdev
> scanner bluetooth debian-tor lpadmin"
>

Crazy thought here: What if we made the list of groups preseedable?


-- 
Ben Hildred
Automation Support Services
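
An added example, not part of either message in this thread: a shell audit that reports which accounts still hold a supplementary membership in the groups listed in footnote [0], and prints (without running) the commands to drop each one after review. The function names and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# Groups the installer gives the first user, per footnote [0] of the thread.
LEGACY_GROUPS="audio cdrom dip floppy video plugdev netdev scanner bluetooth debian-tor lpadmin"

# audit_groups GROUP_FILE
# Prints "user group" for every supplementary membership in a legacy group.
# Only the member list (4th field) is read; primary GIDs are not considered.
audit_groups() {
    awk -F: -v want="$LEGACY_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) legacy[w[i]] = 1 }
        /^#/ || NF < 4 { next }
        ($1 in legacy) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) if (members[i] != "") print members[i], $1
        }
    ' "$1" | LC_ALL=C sort
}

# removal_plan GROUP_FILE
# Prints one gpasswd command per membership so an admin can review before acting.
removal_plan() {
    audit_groups "$1" | while read -r user group; do
        printf 'gpasswd -d %s %s\n' "$user" "$group"
    done
}

# Constructed sample in /etc/group format (not taken from a real system).
sample_group_file() {
    cat <<'EOF'
root:x:0:
audio:x:29:alice
video:x:44:alice,bob
users:x:100:alice,bob,carol
plugdev:x:46:alice
lpadmin:x:116:
EOF
}

tmp=$(mktemp)
sample_group_file > "$tmp"
audit_groups "$tmp"      # memberships found in the sample
removal_plan "$tmp"      # review list; nothing is modified
rm -f "$tmp"
```

On a real host, write the output of `getent group` to a file and pass that file to `audit_groups`, so memberships from all configured sources are included.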
