
Re: Bug#484841: staff group root equivalence



On Mon, 02 Mar 2009, Manoj Srivastava wrote:
> You see, us grad students in the staff group were _not_ supposed to
> be root, or be able to modify the vendor directories (who knows, it
> might have violated the universities support contract).

Yeah, but by default, if you have staff access, you can easily gain
root access, so there's really no distinction between the two. [In
Debian, this could be done by shoving in a special /usr/local/bin/awk
to trap cron.daily/standard calling it as root, for example.]

> Not that it makes much of a difference in Debian selecting a
> default, really. But I can see a use case in a large environment
> with subgroups where limited privileges are required -- and the
> /usr/local hierarchy, with the support for local overrides in path,
> programs like perl and emacs, made such setups easy for overlaying
> such privileges on a subset of the machines.

The real problem is that by default root's PATH contains
/usr/local/sbin and /usr/local/bin, so you have to jump through quite
a few extra hoops to make the distinction between root and staff
viable in the first place.


Don Armstrong

-- 
"People selling drug paraphernalia ... are as much a part of drug
trafficking as silencers are a part of criminal homicide."
 -- John Brown, DEA Chief

http://www.donarmstrong.com              http://rzlab.ucr.edu
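
A defender-side check for the condition described in the message above, added here as an example and not part of the original post: it lists the entries of a PATH string that an account other than the trusted owner and group could write to. The function name `audit_path` and its optional trusted uid/gid arguments are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# audit_path PATH_STRING [TRUSTED_UID] [TRUSTED_GID]
# Prints "reason<TAB>directory" for every PATH entry that an account other
# than the trusted owner/group could write to; exit status 1 if any found.
# Assumes GNU stat (coreutils), as on Debian. The ( ) body runs in a
# subshell, so IFS and positional-parameter changes do not leak out.
audit_path() (
    path=$1 trusted_uid=${2:-0} trusted_gid=${3:-0} findings=0
    set -f; IFS=:; set -- $path; set +f; unset IFS
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  # empty or relative entries resolve against the caller's cwd
                printf 'relative-or-empty\t%s\n' "$dir"; findings=1; continue ;;
        esac
        [ -d "$dir" ] || continue
        # -L follows symlinks; %u owner uid, %g group gid, %a octal mode
        meta=$(stat -L -c '%u %g %a' "$dir") || continue
        uid=${meta%% *}; rest=${meta#* }; gid=${rest%% *}; mode=${rest#* }
        perms=$(( 0$mode ))          # leading 0: read the mode as octal
        if [ "$uid" -ne "$trusted_uid" ]; then
            printf 'owner-uid-%s\t%s\n' "$uid" "$dir"; findings=1
        fi
        # group write bit set and the group is not the trusted one
        if [ $(( perms & 020 )) -ne 0 ] && [ "$gid" -ne "$trusted_gid" ]; then
            printf 'group-writable-gid-%s\t%s\n' "$gid" "$dir"; findings=1
        fi
        if [ $(( perms & 002 )) -ne 0 ]; then
            printf 'world-writable\t%s\n' "$dir"; findings=1
        fi
    done
    [ "$findings" -eq 0 ]
)

# Audit the PATH of the current shell, trusting only uid 0 and gid 0.
audit_path "$PATH" || echo "PATH has entries writable by non-root accounts" >&2
```

Run it from a root login shell to audit the PATH that root's own sessions use.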

