
Re: [RFC] disabled root account / distinct group for users with administrative privileges



On Wed, 20 Oct 2010 at 01:58:22 +0000, The Fungi wrote:
> On Tue, Oct 19, 2010 at 09:48:58AM +0200, Jesús M. Navarro wrote:
> > On the other hand, is a new group really necessary?  Can't adm
> > or operator be overloaded with this new functionality? (think
> > Ockham's razor).
> 
> Maybe similarly overloaded, but I've used the built-in "staff" group
> for this for many years. It already gets write access into many
> local system folders by default, so not that much of a stretch...

Quoting from base-passwd again:

    Allows users to add local modifications to the system (/usr/local, /home)
    without needing root privileges. Compare with group 'adm', which is more
    related to monitoring/security.

    Note that the ability to modify /usr/local is effectively equivalent to
    root access (since /usr/local is intentionally on search paths ahead of
    /usr), and so you should only add trusted users to this group. Be careful in
    environments using NFS since acquiring another non-root user's privileges
    is often easier in such environments.

... so in practice, staff is root-equivalent, but in principle it's not meant
to be. (Yay.)

    S
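The base-passwd note above is a concrete, checkable property: any search-path directory that a non-root group can write to, and that sits ahead of /usr/bin, lets members of that group shadow system commands. The script below is an added example (not from the thread or from base-passwd) that audits a PATH string for exactly that; it assumes a Linux/POSIX host where `ls -ld` prints the mode string, owner and group as the usual first fields.

```shell
#!/bin/sh
# path_writable_entries PATH_STRING [REF_DIR]
# For each directory in PATH_STRING, report the ones writable by group or by
# others, i.e. where a non-root account could drop a binary. Entries ordered
# before REF_DIR (default /usr/bin) shadow system commands, which is the
# /usr/local-ahead-of-/usr situation base-passwd warns about for 'staff'.
# Output: one line per finding, "<dir> <owner>:<group> <who> <before|after>".
path_writable_entries() (
    ref=${2:-/usr/bin}
    seen_ref=0
    IFS=:                                  # split the PATH string on ':'
    for d in $1; do
        IFS=' '                            # back to space-splitting for ls output
        [ -d "$d" ] || continue            # skip PATH entries that do not exist
        [ "$d" = "$ref" ] && seen_ref=1
        # First four fields of ls -ld: mode string, link count, owner, group.
        line=$(ls -ld "$d")
        set -- $line
        mode=$1 owner=$3 group=$4
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit (position 6)
        ow=$(printf '%s' "$mode" | cut -c9)   # other write bit (position 9)
        who=
        [ "$gw" = w ] && who=group
        [ "$ow" = w ] && who=${who:+$who,}other
        [ -n "$who" ] || continue          # owner-only write: not a finding
        if [ "$seen_ref" -eq 1 ]; then order=after; else order=before; fi
        printf '%s %s:%s %s %s\n' "$d" "$owner" "$group" "$who" "$order"
    done
    true
)

# Run directly as: sh audit-path.sh --audit   (hypothetical file name)
if [ "${1:-}" = "--audit" ]; then
    path_writable_entries "$PATH"
fi
```

A "before" line whose group is anything other than root (for example staff on a default Debian /usr/local/bin) means every member of that group is effectively root-equivalent for anyone whose PATH includes that directory.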