Page MenuHomePureOS Tracker

Please add "kvm" to the list of default groups
Closed, ResolvedPublic

Description

Re. T292 please add new users installed via calamares and the OEM installer to the kvm group.

Event Timeline

chris.lamb created this task.May 26 2018, 12:28
mak added a comment.May 28 2018, 07:12

Should we add any new users created on the system to the kvm group, or just the ones that were created by the installers?

@mak Any new (non-system) users. (is that passwd/user-default-groups?)

d3vid added a subscriber: d3vid.May 29 2018, 04:22
mak added a comment.Jul 18 2018, 16:07

@chris.lamb Not sure if I get the question.. /etc/adduser.conf would need to be adjusted, as adduser is used by accountsservice in Debian.
New users created by Calamares are added to the kvm group, but not ones created by adduser/the OEM setup.

(IIRC my question around adduser.conf was to ensure new users had it, but not sure)

Users that are not part of the kvm group get an error message when starting Boxes that asks them to manually add themselves to the group.

As this may not be an issue for a technical user, it is not acceptable for an average user who is not familiar with the command line.

In that regard, ALL users should be part of the kvm group by default.

After installing PureOS with the 2018-07-06 live install 2 days ago, I can confirm that this is still not the case because I got the message from Boxes and had to add the user to the group myself.

Thank you.

Will users from previous versions need to add his user to the kvm group or will you implement a package with scripts to make necessary changes (if it is possible)?

Hi all, just to clarify some things:

@francois wrote:

Users that are not part of the kvm group get an error message when starting Boxes that asks them to manually add themselves to the group.

To be clear, this was added (by myself) in gnome-boxes 3.27.92-1pureos2 as part of https://tracker.pureos.net/T292#7971. This entire ticket is about ensuring that does not happen for new users. :)

@EchedeyLR wrote:

Will users from previous versions need to add his user to the kvm group or will you implement a package with scripts to make necessary changes (if it is possible)?

Users from previous version will need to manually add users. Please search on the page https://tracker.pureos.net/T292 for the term "existing" for more details. This was why the warning was added. :)

mak added a comment.Jul 20 2018, 18:25

Problem is we can't "just" add every new user created on the system to the kvm group.

First, there are security implications, as being in that group grants the user additional permissions to run VMs, which might not be wanted by the system administrator. Therefore, changing behavior to add all new users to kvm might be problematic.

Secondly, the kvm group is only present on the system after the libvirt-daemon-system package is installed. Otherwise it simply does not exist. We can not change adduser & co. to just add new users to a group that might only exist under certain conditions.

Therefore, I'm afraid users will continue to ask the system admin to be added to the group, or add themselves if they have permission to do so.

For the installer however, we can at least make some assumptions, like the general presence of the kvm group on the systems. New users created with the live installer should already be in the group, for the OEM variant I will need to add another vendor specific patch to make this happen.

For any user not created by the installer however, I see no sensible way to add them to the group, and I am not even sure whether that's desirable at all.

The thing is that we plan to make PureOS target the average user so most of the time there will be no system administrator but only people who don't know what a terminal or a command line is. We cannot exclude this type of people who are the ones that currently have no access to software freedom by not being technical enough.

Asking people to enter a command line to use a software that ships by default with the system is definitely not an option. So I propose the following :

  • If the software is only being installed after the user is created, then the install process of the software (Boxes) should grant the right privileges for the user to use the software. (during install there should be only one user anyway).
  • If this is not doable, Boxes should be modified to add the user to the right group on first launch with the click of a button (asking for a password if required)
guido added a comment.EditedJul 23 2018, 00:06

If we fix the underlying issue all users logged into a GNOME session will be in the KVM group and no additional work is necessay, it works out of the box (as users would expect). Just pull this systemd patch into PureOS:

https://salsa.debian.org/systemd-team/systemd/commit/4fc3fa53bfa6e16ceb6cd312f49003839b56144a

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892945#52

Oh neat. (But would we not get that patch/change if we just merged systemd?)

(Will leave any action to current task assignee to avoid duplication)

mak added a comment.Jul 24 2018, 07:56

@chris.lamb @francois Actually, I already resynchronized systemd with Debian, so this issue should actually be gone now.
Can someone else maybe verify that it's gone as well (a quick test in my VM didn't result in that issue).

mak closed this task as Resolved.Aug 17 2018, 12:08

This is indeed resolved now :-)