
Bug#484841: staff group root equivalence



Thijs Kinkhorst <thijs@debian.org> writes:

> Meanwhile, this is just one way to implement differentiation between
> junior and senior sysadmins. There are many others, a notable one being
> the use of "sudo". The specifics of group staff may not fit your setup:
> perhaps another group from LDAP is used to decide on this difference, or
> there are other needs than writing /usr/local specifically. I have no
> evidence that this feature is in common enough use that would support it
> being the default.

I'm generally inclined to agree with this.  However:

> There are the problems with the approach which have been cited earlier
> in this bug and those linked from it, especially #299007 has some
> discussion and has support of a number of DD's for changing this. Should
> you need the functionality, it's of course trivial to recreate the
> situation (you need to take some action anyway to make use of it).

To be fair, it's not as clear to me that this is true.  Packages create
additional directories in /usr/local in their maintainer scripts, and
currently Policy says that they need to maintain these permissions and
ownership.  In the absence of that sort of package support, one will end
up with files and directories with the wrong ownership and have to
periodically fix that by hand.  It's therefore not *quite* trivial.

That being said, it's not clear to me that all the packages that in theory
should be setting this ownership and permissions actually do so.
debhelper's dh_usrlocal will do the right thing, but I don't think all of
the packages involved use it, and I don't think enough people use this
feature to check and file bugs against packages that don't do the
equivalent.  (Which is another argument for dropping the feature.)

Certainly among the sysadmins I talk to on a regular basis, sudo has
completely supplanted these sorts of group schemes.  I think the last time
I used a staff group system for something like this was in about 1997.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
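
An added example, not part of the original message or of any Debian package: a read-only audit for the drift described above, listing directories under /usr/local whose owner, group or mode differ from what Policy expects. The root:staff ownership and mode 2775 are taken from Debian Policy's rules for /usr/local rather than from this message, and the function names `drift` and `audit` are hypothetical.

```python
#!/usr/bin/env python3
"""Report /usr/local directories whose ownership or mode has drifted."""
import grp
import os
import stat
import sys

# Assumption from Debian Policy (not stated in the message): setgid, group-writable.
EXPECTED_MODE = 0o2775


def drift(st_mode, st_uid, st_gid, want_gid, want_uid=0):
    """Return the list of deviations for one directory's stat data."""
    found = []
    perms = stat.S_IMODE(st_mode)
    if st_uid != want_uid:
        found.append(f"owner uid {st_uid}, expected {want_uid}")
    if st_gid != want_gid:
        found.append(f"group gid {st_gid}, expected {want_gid}")
    if perms != EXPECTED_MODE:
        found.append(f"mode {perms:04o}, expected {EXPECTED_MODE:04o}")
    if perms & stat.S_IWOTH:
        # Worse than the staff-group exposure: any local user can write here.
        found.append("world-writable")
    return found


def audit(root, want_gid, want_uid=0):
    """Walk root without following symlinks; map drifted directories to findings."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        findings = drift(st.st_mode, st.st_uid, st.st_gid, want_gid, want_uid)
        if findings:
            report[dirpath] = findings
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    # Raises KeyError on a system where the staff group does not exist.
    gid = grp.getgrnam("staff").gr_gid
    for path, findings in sorted(audit(root, gid).items()):
        print(f"{path}: {'; '.join(findings)}")
```

The script only reads metadata and changes nothing, so it can be run periodically to see which package-created directories need fixing by hand.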


