Bug#484841: marked as done (Should /usr/local be writable by group staff?)



Your message dated Sat, 25 Jul 2009 06:20:30 -0700
with message-id <20090725132030.GV12392@volo.donarmstrong.com>
and subject line Re: Call for votes (was: Bug#484841: staff group root equivalence)
has caused the Debian Bug report #484841,
regarding Should /usr/local be writable by group staff?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
484841: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484841
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: tech-ctte
Severity: normal

This is a delegation of the resolution of Bug#299007 to the Technical
Committee under points 1 and 3 of section 6.1 of the Constitution.  As
Policy delegate, I am not comfortable making a final decision either
way on this bug and ask that the tech-ctte please make a binding
decision.

The dispute is over the following text in Debian Policy:

     The `/usr/local' directory itself and all the subdirectories created
     by the package should (by default) have permissions 2775
     (group-writable and set-group-id) and be owned by `root.staff'.

The proposed change is to state instead that the /usr/local directory
itself and all the subdirectories created by the package should (by
default) have permissions 755 and be owned by root:root.

The contention in this proposal is that the current Policy-mandated
behavior represents a potential security vulnerability since it allows
elevation of a compromise of group staff to a root compromise since
/usr/local/bin is in root's default path.  The counter-contention is that
the staff group is empty by default and it is up to the local system
administrator to extend that privilege in a way consistent with the local
site security policy.

https://launchpad.net/bugs/13795 is the corresponding Ubuntu bug.
According to that bug log, Ubuntu has chosen to diverge from Debian on
this point.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
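The escalation path the report sketches (group staff writes into /usr/local/bin, which sits ahead of /usr/bin on root's default PATH) is easy to check for on a live system. The following script is an added example, not part of the bug report or of Debian Policy: it audits every directory on a PATH string for group- or world-writable permissions and applies the proposed default (0755, root:root) to the offending ones. It builds a constructed miniature of the Debian layout under a temporary directory so it runs unprivileged; the chown to root:root is only attempted when run as root, and the function names and the sample PATH are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or Debian Policy): find PATH
# directories that group or other may write to, the condition that turns a
# compromise of group staff into a root compromise when root runs a command
# whose name a staff member planted in /usr/local/bin.
#
# Assumptions: POSIX sh with ls, cut, mktemp, id; a non-root user may run it.

# Print every existing directory on a ':'-separated PATH string whose mode
# grants write permission to group or other. Returns 1 if any were found.
audit_path_dirs() {
    _found=0
    _oldifs=$IFS
    IFS=:
    for _d in $1; do
        [ -d "$_d" ] || continue
        # First 10 chars of ls -ld, e.g. "drwxrwsr-x" for a 2775 directory.
        # The setgid bit is not the problem; the group 'w' (6th char) and
        # other 'w' (9th char) are.
        _mode=$(ls -ld "$_d" | cut -c1-10)
        case $_mode in
            ?????w*|????????w*)
                printf 'WRITABLE: %s (%s)\n' "$_d" "$_mode"
                _found=1 ;;
        esac
    done
    IFS=$_oldifs
    return $_found
}

# Apply the proposed default: mode 0755, owned by root:root.
# chown requires root, so it is only attempted when the effective uid is 0.
harden_dir() {
    chmod 0755 "$1"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1"
    fi
}

# Constructed miniature of the Debian layout under a temp dir: usr/local/*
# in the Policy-mandated 2775 mode, usr/bin in 0755. Prints the root path.
make_demo_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/usr/local/sbin" "$_root/usr/local/bin" "$_root/usr/bin"
    chmod 2775 "$_root/usr/local/sbin" "$_root/usr/local/bin"
    chmod 0755 "$_root/usr/bin"
    printf '%s\n' "$_root"
}

# Root's default PATH on Debian lists /usr/local/sbin and /usr/local/bin
# before /usr/sbin and /usr/bin, so a binary dropped there shadows the real
# command of the same name. Rewritten relative to the demo tree.
root_path_for() {
    printf '%s' "$1/usr/local/sbin:$1/usr/local/bin:$1/usr/sbin:$1/usr/bin:$1/sbin:$1/bin"
}

main() {
    root=$(make_demo_tree)
    p=$(root_path_for "$root")
    echo "Before hardening (2775 root.staff default):"
    audit_path_dirs "$p" || echo "-> at least one PATH directory is group/world writable"
    harden_dir "$root/usr/local/sbin"
    harden_dir "$root/usr/local/bin"
    echo "After hardening (0755 root:root):"
    audit_path_dirs "$p" && echo "-> no writable PATH directories"
    rm -rf "$root"
}

main "$@"
```

To audit a real machine instead of the constructed tree, run `audit_path_dirs "$(sudo sh -c 'echo "$PATH"')"` as the user you are auditing; a directory reported as WRITABLE is only a problem if the writing group or everyone is less trusted than root, which is exactly the judgement the counter-argument above leaves to the local administrator.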
--- Begin Message ---
unmerge 504516
clone 484841 -1
reassign -1 debian-policy
reopen -1
merge 484841 504516
thanks

On Sat, 25 Jul 2009, Steve Langasek wrote:
> On Fri, Jul 24, 2009 at 06:55:01PM +0200, Andreas Barth wrote:
> > I'm calling on votes now for these three options (the last one isn't a
> > proposal, but by default in the option set). According to the
> > consitution, the voting periode last for up to one week, or until the
> > outcome is no longer in doubt.
> 
> > | 1. Keep /usr/local writeable by group staff (i.e. leave things as they
> > | are).
> 
> > | 2. Decide to change the default so that /usr/local is not writeable by
> > | group staff anymore. This change should only be implemented after an
> > | appropriate transition plan exists which enables system administrators
> > | to maintain the ability of group staff to write to /usr/local.
> > | (Reasons for the change are the adaption of other tools like sudo on
> > | most sites, and the concept of "least surprise" for novice users.)
> 
> > | 3. Further discussion.
> 
> I vote: 2 1 3

With this I believe that option 2 has prevailed (four in favor, one
against, with 2 having yet to vote):

    2. Decide to change the default so that /usr/local is not
    writeable by group staff anymore. This change should only be
    implemented after an appropriate transition plan exists which
    enables system administrators to maintain the ability of group
    staff to write to /usr/local. (Reasons for the change are the
    adaption of other tools like sudo on most sites, and the concept
    of "least surprise" for novice users.)

I have changed the webwml for the tech-ctte, and am closing the bug
with this message.


Don Armstrong

-- 
Personally, I think my choice in the mostest-superlative-computer wars
has to be the HP-48 series of calculators.  They'll run almost
anything.  And if they can't, while I'll just plug a Linux box into
the serial port and load up the HP-48 VT-100 emulator.
 -- Jeff Dege, jdege@winternet.com

http://www.donarmstrong.com              http://rzlab.ucr.edu


--- End Message ---