Hans Witvliet wrote:
For an ordinary home user, the default user should be a member of all those admin groups, while on office laptops, one should be able to do wifi and printers, but remain properly shielded from installing malware.
I think one should be able to create a reasonable list of applications that deserve their own admin group:
software (general)
updates
network (general)
wifi
printers
apache
database
ldap
mail
---------------------
In order to better integrate SuSE as Windows Samba DCs, it might be a good idea to use names and IDs associated with Windows's groups. Some examples from my own /etc/group file:

We don't need to use all of these groups, but we might consider 'trying' to reserve them at some 'range' (ideally at offsets of 10000, or maybe 1000000).

Some useful and potentially useful groups (with many examples, but likely NOT a thorough list -- and also it would be likely that many of these would only be needed in more complex setups):

(names taken verbatim from published MS documents -- spaces work fine -- backslashes also work -- they are literals, not quoting characters)

Cert Publishers:!:517:root
    those who can *create* 'signing' certs for a domain (or sub domain)
Schema Admins:!:518:root
    LDAP? CIM?
Enterprise Admins:!:519:root:MyDomain\lawalsh
    domain-wide root
Group Policy Creator Owners:!:520:root
    Polkit editors/creators
Administrators:!:544:root,Administrator,Domain Admins,Enterprise Admins
    machine-level root
Account Operators:!:548:backup,root
    root level access on local machine
Server Operators:!:549:
    start/stop services; restart machine
Print Operators:!:550:
    Add / modify print devices & queues
Backup Operators:!:551:backup
    who can run backup and restore (which need DAC override + SET_LABEL)
Remote Desktop Users:!:555:root
    Those who can log in remotely to a machine and get a full X-server (xrdp, remote X (xdmcp)) (might be different than those who can run ssh)
Network Configuration Operators:!:556:
    if/ip commands + config -- firewall... etc...
Distributed Com User:!:562:
    A group to control/allow access to RPC resources apart from per-user access
Web Services:!:568:
    apache/lighttpd -- or any other web server...
Cryptographic Operators:!:569:
    Those who can add new certs (not create them) to a machine or group
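
An added example, not part of the original message or of any openSUSE tooling: a Python check of group(5) text against the group names and IDs listed above, reporting entries that do not have exactly four colon-separated fields and GIDs that clash with the reserved block. The offset parameter, the function names and the sample file are assumptions made for the illustration.

```python
# Added example, not from the original message. RESERVED copies the names and
# IDs quoted in the message; `offset` is the proposed base for the reserved range.
RESERVED = {
    517: "Cert Publishers", 518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 544: "Administrators",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 555: "Remote Desktop Users",
    556: "Network Configuration Operators", 562: "Distributed Com User",
    568: "Web Services", 569: "Cryptographic Operators",
}

def parse_group(text):
    """Split group(5) text into entries; keep lines without exactly 4 fields."""
    entries, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4 or not f[2].isdigit():
            malformed.append((n, line))
            continue
        entries.append({"name": f[0], "gid": int(f[2]),
                        "members": [m for m in f[3].split(",") if m]})
    return entries, malformed

def audit(text, offset=0):
    """Report malformed lines and clashes with the reserved block at `offset`."""
    entries, malformed = parse_group(text)
    want = {offset + rid: name for rid, name in RESERVED.items()}
    findings = [f"line {n}: malformed entry {line!r}" for n, line in malformed]
    for e in entries:
        expected = want.get(e["gid"])
        if expected and expected != e["name"]:
            findings.append(f"gid {e['gid']} held by {e['name']!r}, reserved for {expected!r}")
        elif expected is None and e["name"] in RESERVED.values():
            findings.append(f"{e['name']!r} has gid {e['gid']}, outside the reserved block")
    return findings

# Constructed sample input (not a real system's file); line 5 has a fifth field.
SAMPLE = """\
root:x:0:
Print Operators:!:550:
lp:x:10550:daemon
Backup Operators:!:10551:backup
Enterprise Admins:!:519:root:EXAMPLE\\alice
"""

if __name__ == "__main__":
    for base in (0, 10000):
        print(base, audit(SAMPLE, base))
```

Running it with an offset of 0 and then 10000 shows how the same file passes or fails depending on where the block is reserved.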