
Re: /usr/local is loved by Debian Python people?



ho ho -- thank you Guy!

so, here it is:
,---------------------------------------------------------------------------------,
| staff: Allows users to add local modifications to the system (/usr/local,       |
| /home) without needing root privileges. Compare with group "adm", which is more |
| related to monitoring/security.                                                 |
`---------------------------------------------------------------------------------'

Hence, Debian, by design (and by policy), allows "users" to modify the
system...  So the 'staff' group is much broader than the notion of 'Administrator',
hence, it might be unsafe to "add a user to staff group without ability to
prevent default behavior of the system to use the content of
/usr/local".

NB: actually on a freshly installed lenny system:

$> ls -ld /home
4 drwxr-xr-x 10 root root 4096 2009-01-03 16:23 /home/

and I don't see an actual need for 'staff' to modify /home, since the staff
group is not authorized to add users.

On Tue, 03 Feb 2009, Guy Hulbert wrote:

> Fortunately, I just spent 20-30 minutes going through this on Sunday.

> http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html

> Scroll down to: 12.1.12 Operating system users and groups

> I was reporting something to security@debian.org ... they acknowledged
> my initial inquiry but have not responded on the issue I pointed out
> (very minor) but you are looking in exactly the same place.
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        
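An audit script for the concern raised in this message, added here as an example (it is not code from the thread, from Debian, or from the Securing Debian HOWTO): it reports which PATH directories members of a group such as staff can write to, and whether such a directory is searched before /usr/bin, so that a file dropped there shadows the distribution's own binary for every user. It assumes a find(1) that supports -maxdepth (GNU or BSD); the function names are the example's own.

```shell
#!/bin/sh
# Added audit example (not part of the original thread).  Assumes GNU/BSD
# find with -maxdepth; the group name defaults to "staff".

# Print each directory in a colon-separated PATH ($1) that exists and is
# group-writable by group $2.  Group members can place binaries there that
# every user, root included, may run by name.
group_writable_path_dirs() {
    path_list=$1
    grp=${2:-staff}
    old_ifs=$IFS
    IFS=:
    for d in $path_list; do
        [ -d "$d" ] || continue
        # -perm -020: group write bit set; -group: owned by the given group
        find "$d" -maxdepth 0 -perm -020 -group "$grp" -print
    done
    IFS=$old_ifs
}

# Return 0 when directory $2 is searched before directory $3 in PATH $1,
# i.e. a file of the same name in $2 shadows the one in $3.
shadows_in_path() {
    path_list=$1
    first=$2
    second=$3
    old_ifs=$IFS
    IFS=:
    for d in $path_list; do
        if [ "$d" = "$first" ]; then IFS=$old_ifs; return 0; fi
        if [ "$d" = "$second" ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 1
}

# Typical use on a live system (directory names are assumed to contain no
# spaces): list staff-writable PATH entries and flag those that shadow /usr/bin.
audit_staff_path() {
    for d in $(group_writable_path_dirs "$PATH" staff); do
        if shadows_in_path "$PATH" "$d" /usr/bin; then
            echo "WARN: $d is staff-writable and searched before /usr/bin"
        else
            echo "note: $d is staff-writable"
        fi
    done
}
```

On a default Debian install /usr/local/bin precedes /usr/bin in PATH, so the WARN branch is the expected finding wherever /usr/local is group staff and writable.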