Re: /usr/local is loved by Debian Python people?
ho ho -- thank you Guy!
so, here it is:
,---------------------------------------------------------------------------------,
| staff: Allows users to add local modifications to the system (/usr/local, |
| /home) without needing root privileges. Compare with group "adm", which is more |
| related to monitoring/security. |
`---------------------------------------------------------------------------------'
Hence, Debian, by design (and by policy), allows "users" to modify the
system... So the 'staff' group is much broader than the notion of
'Administrator'; hence, it might be unsafe to "add a user to staff group
without ability to prevent default behavior of the system to use the
content of /usr/local".
NB: actually on a freshly installed lenny system:
$> ls -ld /home
4 drwxr-xr-x 10 root root 4096 2009-01-03 16:23 /home/
and I don't see an actual need for 'staff' to modify /home, since the
staff group is not authorized to add users.
On Tue, 03 Feb 2009, Guy Hulbert wrote:
> Fortunately, I just spent 20-30 minutes going through this on Sunday.
> http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html
> Scroll down to: 12.1.12 Operating system users and groups
> I was reporting something to security@debian.org ... they acknowledged
> my initial inquiry but have not responded on the issue I pointed out
> (very minor) but you are looking in exactly the same place.
--
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
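
The concern raised in this message can be checked on a given host. The following is an added example, not part of the original post or of any Debian tooling: it lists the interpreter's import-path directories under /usr/local that a non-owner (such as members of 'staff') can write to. The function names and the choice to audit `sys.path` are assumptions made for illustration.

```python
import grp
import os
import stat
import sys


def group_name(gid):
    """Resolve a gid to a name; fall back to the number if unmapped."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def group_members(gid):
    """Supplementary members listed in the group database (may be empty)."""
    try:
        return sorted(grp.getgrgid(gid).gr_mem)
    except KeyError:
        return []


def audit_import_path(paths, prefix="/usr/local"):
    """Report import-path directories under `prefix` writable by non-owners."""
    findings = []
    prefix = os.path.realpath(prefix)
    for position, entry in enumerate(paths):
        real = os.path.realpath(entry or os.getcwd())  # '' means cwd
        if not os.path.isdir(real):
            continue
        if os.path.commonpath([real, prefix]) != prefix:
            continue  # not under the audited prefix
        st = os.stat(real)
        group_w = bool(st.st_mode & stat.S_IWGRP)
        other_w = bool(st.st_mode & stat.S_IWOTH)
        if group_w or other_w:
            findings.append({
                "path": real,
                "position": position,  # earlier entries shadow later ones
                "group": group_name(st.st_gid),
                "members": group_members(st.st_gid),
                "group_writable": group_w,
                "world_writable": other_w,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_import_path(sys.path):
        print(finding)
```

The `members` field only shows accounts listed in the group database; users whose primary group is the owning group have to be looked up separately.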