Re: Bug#484841: staff group root equivalence

To: debian-ctte@lists.debian.org
Cc: 484841-quiet@bugs.debian.org
Subject: Re: Bug#484841: staff group root equivalence
From: Manoj Srivastava <srivasta@debian.org>
Date: Mon, 02 Mar 2009 15:24:24 -0600
Message-id: <[🔎] 871vtfwrcn.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: debian-ctte@lists.debian.org, 484841-quiet@bugs.debian.org
In-reply-to: <[🔎] 20090302205537.GV14650@volo.donarmstrong.com> (Don Armstrong's message of "Mon, 2 Mar 2009 12:55:37 -0800")
References: <[🔎] 200903020806.18667.thijs@debian.org> <[🔎] 871vtgcrmi.fsf@windlord.stanford.edu> <[🔎] 20090302084821.GT14650@volo.donarmstrong.com> <[🔎] 1236013065.5962.83.camel@rover.gag.com> <[🔎] 87r61fwyso.fsf@anzu.internal.golden-gryphon.com> <[🔎] 20090302205537.GV14650@volo.donarmstrong.com>

On Mon, Mar 02 2009, Don Armstrong wrote:

> On Mon, 02 Mar 2009, Manoj Srivastava wrote:
>> This way, each research group had special privileges to their
>> machines, but not any others, and the IT folks still had control.
>> 
>> Similar things were done at some of the larger companies I worked
>> for; so there is a use case. (And I think UNIX machines back in the
>> 80's and early 90's came set up that way by default; I know Ultrix
>> and OSF/1 did).
>
> It seems to me that most of these cases would be dealt with using sudo
> now, as it would enable you to restrict the users to having root
> access on a specific machine, since being in staff means being able to
> trivially get roo

        Not quite. You see, us grad students in the staff group were
 _not_ supposed to be root, or be bale to modify the vendor directories
 (who knows, it might have violated the universities support contract).

        We were just give access to /usr/local, and /etc/ (not /usr or
 the like). The permissions were limited, and the group ACL was used to
 modulate _where_ in the file system one had god-like access.

        Unless my sudo-fu is entirely lacking, sudo access is command
 based, not path based.

        Not that it makes much of a difference in Debian selecting a
 default, really.  But I can see a use case in a large environment with
 subgroups where limited privileges are required -- and the /usr/local
 hierarchy, with the support for local overrides in path, programs like
 perl and emacs, made such setups easy for overlaying such privileges on
 a subset of the machines.

        manoj
-- 
Tact is the art of making a point without making an enemy.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: Bug#484841: staff group root equivalence
  - From: Don Armstrong <don@debian.org>

References:
- Bug#484841: staff group root equivalence
  - From: Thijs Kinkhorst <thijs@debian.org>
- Bug#484841: staff group root equivalence
  - From: Russ Allbery <rra@debian.org>
- Bug#484841: staff group root equivalence
  - From: Don Armstrong <don@debian.org>
- Bug#484841: staff group root equivalence
  - From: Bdale Garbee <bdale@gag.com>
- Bug#484841: staff group root equivalence
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Bug#484841: staff group root equivalence
  - From: Don Armstrong <don@debian.org>

Prev by Date: Re: Bug#484841: staff group root equivalence
Next by Date: Re: Bug#484841: staff group root equivalence
Previous by thread: Re: Bug#484841: staff group root equivalence
Next by thread: Re: Bug#484841: staff group root equivalence
Index(es):
- Date
- Thread