[Bug 1923363] Re: [FFe] Users are not added to the dialout group

Wed Apr 14 14:48:38 UTC 2021

@vorlon on the question of where it's added by default, that's in the
cloud-init default configuration which lives in /etc/cloud/cloud.cfg and
contains the following stanza (redacted for brevity):

system_info:
    ...
    default_user:
        ...
        groups: [adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video]

I'd echo xnox's point that as the user is being added to adm and sudo, I
don't think there's any particular security concern here.

On the subject of choice of groups, it would be nice to echo raspios'
setup which is to use a "gpio" group to permit access to the GPIO
related devices (/dev/gpiomem, /dev/gpiochip*), an "spi" group for the
SPI buses (/dev/spidev*), and an "i2c" group for the I2C buses
(/dev/i2c-*).

However, I ran out of time to go fiddling with defining new groups and
ensuring the default user is in all those new groups on both the desktop
and server images. Upstream in Debian (and hence in Ubuntu), "dialout"
is already used for GPIO access (which makes sense given the serial pins
are part of the GPIO header, just like SPI and I2C), and (as noted
above) we already add the user to this group on the server image, so it
seems a reasonable approach to achieve the ultimate goal of providing
the default user access to the GPIO header without having to jump to
root to do so.

And just to answer @xnox's query as to what exactly this is for, it's
access to the GPIO header as a whole, including i2c, gpiomem (although
ideally gpiochip* actually as that's the preferred device to use for
GPIO access now), etc. just in case that's not clear from the above.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to user-setup in Ubuntu.
https://bugs.launchpad.net/bugs/1923363

Title:
  [FFe] Users are not added to the dialout group

Status in ubiquity package in Ubuntu:
  Incomplete
Status in user-setup package in Ubuntu:
  Incomplete

Bug description:
  We're attempting to make the GPIO system on the Raspberry Pi images
  work "out of the box" on the new image. By default, GPIO kernel
  devices are made available to members of the "dialout" group which the
  initial user is added to by default on our server images. However,
  we've noticed that this isn't the case on the desktop images.

  The regression potential is minimal; the group already exists and
  we're simply adding the freshly created user to a new group and not
  removing any existing memberships. The group in question ("dialout")
  is also rarely used these days except for providing access to serial
  consoles, and as mentioned above is already a default membership on
  the server images. The change has been tested on the desktop image
  successfully.

  A test build of the updated image will be made under
  https://launchpad.net/~waveform/+archive/ubuntu/ubiquity and I'll
  attach a debdiff shortly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1923363/+subscriptions