
Bug#299007: base-files: Insecure PATH



On Fri, Mar 11, 2005 at 01:39:28PM +0100, Santiago Vila wrote:
> In this report, the submitter complains about /usr/local/bin being in
> the PATH by default at the same time directories under /usr/local are
> root:staff and world-writable. His complaint is based on the existence
> of become-any-group-but-root bugs.

> If this is a bug at all, I think we should probably drop the root:staff
> thing instead of changing the default PATH. So: Would anyone here
> second the following patch, if it were a policy proposal?

Seconded in principle; I don't know if /usr/local/share/emacs is a good
example of a directory that needs to not be sgid staff, but certainly I
think that /usr/local/bin, /usr/local/sbin, and /usr/local/lib must not be.

-- 
Steve Langasek
postmodern programmer

> diff -ru debian-policy-3.6.1.1.orig/policy.sgml debian-policy-3.6.1.1/policy.sgml
> --- debian-policy-3.6.1.1.orig/policy.sgml	2004-06-25 23:11:36.000000000 +0200
> +++ debian-policy-3.6.1.1/policy.sgml	2005-03-11 13:25:27.000000000 +0100
> @@ -5062,8 +5062,8 @@
>  then
>    if mkdir /usr/local/share/emacs 2>/dev/null
>    then
> -    chown root:staff /usr/local/share/emacs
> -    chmod 2775 /usr/local/share/emacs
> +    chown root:root /usr/local/share/emacs
> +    chmod 755 /usr/local/share/emacs
>    fi
>  fi
>  	    </example>
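Review bot: the new `chown root:root` / `chmod 755` pair still sits inside the `if mkdir /usr/local/share/emacs 2>/dev/null` guard, so it only runs when the directory is newly created; a directory left as root:staff 2775 by an earlier package version keeps that owner and mode. If the intent is that this directory is never group-writable, the example or the text around it should say what happens to directories that already exist. Also, while the parent is still set-group-id, a new directory inherits that bit at mkdir time, so it is worth writing the mode so the bit is cleared explicitly (for example with g-s) rather than relying on `chmod 755` alone.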
> @@ -5095,8 +5095,8 @@
>  	  <p>
>  	    The <file>/usr/local</file> directory itself and all the
>  	    subdirectories created by the package should (by default) have
> -	    permissions 2775 (group-writable and set-group-id) and be
> -	    owned by <tt>root.staff</tt>.
> +	    permissions 755 and be
> +	    owned by <tt>root:root</tt>.
>  	  </p>
>  	</sect1>
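Review bot: the replaced sentence keeps "should (by default)", which still permits 2775 root:staff for any subdirectory, including the ones on the default PATH; the reply in this thread asks that /usr/local/bin, /usr/local/sbin and /usr/local/lib must not be sgid staff. Consider naming those directories in a clause stating that they must not be group-writable or set-group-id, and state whether the rule covers only "subdirectories created by the package" or also directories already present on the system.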
