[Pkg-samba-maint] Bug#443230: Bug#443230: Bug#443230: Bug#443230: Enable net usershare

Steve Langasek vorlon at debian.org
Wed Nov 14 22:18:02 UTC 2007


On Wed, Nov 14, 2007 at 06:21:58AM +0000, Christian Perrier wrote:
> Quoting Steve Langasek (vorlon at debian.org):

> > Note that the correct group name was "admin", not "adm" which is a separate
> > group; there doesn't seem to be an analogous group on Debian systems, so I
> > haven't attempted to do any templating here.  Debian maintainers, please
> > comment if you think we should be doing something better or if you think
> > this Ubuntu-specific change shouldn't be included in the package for
> > whatever reason.

> Funnily, "admin" was discussed recently in debian-boot because it is
> marked as reserved by D-I and a user was complaining about this (see
> bug reports for user-setup).

> Colin (Watson) explained why admin is reserved (for Ubuntu
> purposes). I suggested we (D-I team) keep that name reserved to avoid
> trivial "forks" for Ubuntu....and having us (samba) use it enforces
> this, indeed.

> So, in short, I'm OK to go with "admin".

Are you saying that you're ok with it for Samba in Debian, or in Ubuntu?

I really don't think it's appropriate to use in Debian.  The admin group is
historically not created by Debian's installer or base-files, so if it
exists at all on older Debian systems it's because of action taken by the
local administrator.  The resulting group may have completely different
semantics than it does on Ubuntu, and using it as a template for the
sambashares group may result in giving share privileges to users who aren't
anything even remotely like local administrators.

The admin group in Ubuntu works because by default, everyone in group admin
has sudo access and can make changes to the samba config directly (if they
know how).  For other meanings of "admin", this represents a privilege
escalation if these users are suddenly allowed to create samba shares.

> Actually, this "admin" thing is maybe something where Ubuntu and
> Debian could converge about, no?

I would like to see that, but think that's a discussion to be had by the
wider Debian community first (debian-boot and/or debian-devel), and before
the "admin" group has established semantics within Debian I don't think we
should be using it for this in Samba.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/





More information about the Pkg-samba-maint mailing list