Group 'admin' gid problem

Edward Lee tigerfishdaisy at gmail.com
Thu Jul 16 22:04:49 BST 2009


Well, I was told to post this in the ubuntu-devel and users group, so
here it is....


> This is a Won't Fix for D-Bus; we expressly do not support having
> system groups shared across multiple machines.
> 
> Groups < 1000 are expressly defined in Debian Policy as "allocated
> dynamically and differently on each system":
> 
>     http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2
> 
> It's generally considered a Bad Idea anyway, since during boot these
> system groups may be required before your remote authentication server
> is available.
> 
> I do sympathise with your problems with the "adm" and "admin" groups,
> I suggest that you mail ubuntu-devel to begin a discussion about that.
> I'd include the "staff" and "users" groups in that list as well.
> 

> On a system with both local groups and NIS groups exported with GIDs
> less than 1000, the dbus setup package fails to set permissions to the
> right messagebus group (which should be the local group, not the
> remote NIS group).
> 
> I have most of the system groups < 1000 exported out from a common NIS
> server (need common administrators across various computers, admin
> and adm being one of those groups < 1000).  Unfortunately, this also
> pushes out the messagebus group across to the various computers
> (again, it's a system group < 1000).
> 
> This screws up whatever sets up the permissions in the dbus package,
> leaving the file with permissions pointing to the REMOTE dbus group
> instead of the local group, giving us this sort of broken permissions.
> 
> Fixes?  Either rewrite the dbus setup thing to change ownership to the
> right GID, or put the admin, adm groups > 1000, because in a networked
> environment with a need for common administrators, they really OUGHT
> not to be system/computer groups.
> 

I have had problems with exporting groups less than 1000 out of a common
NIS server - specifically, I have had a nice debugging session the other
day on why the dbus executable permissions were set incorrectly.

It turns out that exporting groups less than 1000 but greater than 100
is a bad idea.

My issue with this is that the 'admin' group, which is used by sudo to
control who can administer the system as root, is not one of those
groups < 100.

As a system administrator, it is nice to be able to set groups on the
server and not have to worry about anything on the client computers.

Is it possible to move the 'admin' group to a GID less than 100 so we
don't have these problems [either export all groups=>bad bugs, don't
export=>more work] (like the 'adm' group is right now @ GID 4)?

Also, is it possible to add an option to the NIS makefile so that we
export groups less than 100 and greater than 1000?

BTW, why are there two 'administrator' groups -> 'adm' and 'admin'?

Thanks,
-Ed
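
The collision described in this thread, as an added example that is not part of the original post: a check that compares a client's local group file with the NIS group map and reports names that resolve to different GIDs (the messagebus case) and NIS groups that reuse a GID a local group already holds. The function names, the sample group lines and their GIDs are constructed for illustration; the 100-999 range follows the thread's description of per-system groups.

```python
# Added example: compare a local group file with a NIS group map.
# Sample data is constructed; the GIDs are illustrative only.

DYNAMIC_RANGE = range(100, 1000)  # per-system GIDs, as described in the thread

LOCAL_GROUP = """\
root:x:0:
adm:x:4:alice
messagebus:x:108:
admin:x:115:alice
"""

NIS_GROUP = """\
adm:x:4:alice,bob
messagebus:x:104:
admin:x:121:alice,bob
staffers:x:108:bob
research:x:2001:bob
"""

def parse_group(text):
    """Parse group(5) lines into {name: gid}; skip blanks, comments, NIS +/- entries."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line: ignore rather than guess
        groups[fields[0]] = int(fields[2])
    return groups

def find_conflicts(local_text, nis_text, dynamic=DYNAMIC_RANGE):
    """Return (kind, nis_name, local_value, nis_gid) tuples for each collision."""
    local, nis = parse_group(local_text), parse_group(nis_text)
    local_by_gid = {gid: name for name, gid in local.items()}
    findings = []
    for name, gid in sorted(nis.items()):
        # Same name, two GIDs: file ownership depends on which source answers.
        if name in local and local[name] != gid:
            findings.append(("gid-mismatch", name, local[name], gid))
        # NIS group lands on a GID already given to a different local group.
        owner = local_by_gid.get(gid)
        if gid in dynamic and owner is not None and owner != name:
            findings.append(("gid-reused", name, owner, gid))
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(LOCAL_GROUP, NIS_GROUP):
        print(*finding)
```

On a real client the two inputs would be the contents of /etc/group and the output of `ypcat group`.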





More information about the ubuntu-devel mailing list