help-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sudo make install


From: Bob Proulx
Subject: Re: sudo make install
Date: Thu, 16 Apr 2015 15:04:46 -0600
User-agent: Mutt/1.5.23 (2014-03-12)

Michael Heerdegen wrote:
> Is the ownership of the /usr/local directory tree the only important
> property of the staff group, or is it used for other purposes as well?
> 
> With other words: what are the consequences of adding my user to the
> staff group, other than that I will be able to modify the /usr/local
> tree?

None.  There are no other consequences unless you add them on your
system.

First there is this entry in the Securing Debian HOWTO.

  
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.12.3

That mentions not just /usr/local but also /home.  I have seen some
sites change /home to be owned by group staff and extend the group
there but it is not done by default.

  $ ls -ld /home
  drwxr-xr-x 12 root root 4096 Jan  9  2014 /home

The Debian Policy manual says:

  https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
  ...a large section of details...
  However, because /usr/local and its contents are for exclusive use
  of the local administrator, a package must not rely on the presence
  or absence of files or directories in /usr/local for normal
  operation.

  The /usr/local directory itself and all the subdirectories created by
  the package should (by default) have permissions 2775 (group-writable
  and set-group-id) and be owned by root:staff.

If you install a pristine installation of Debian and run 'find' across
it you will locate two directory trees that are writable by group
staff.

  /usr/local
  /var/local

That is it.  No other ramifications.

This is all part of UPG (User-Private-Groups).  In order to facilitate
multiple people being able to work in a shared directory the strategy
is to place those people in a shared group.  Here we are talking about
the 'staff' group.  Then the user should have a 'umask 02' setting so
that new files are created group writable so that the other members of
the group can write them.  If you are a solo individual on your system
working then the umask won't matter but I note it as part of the
overall strategy.

I will close by saying that the address@hidden mailing
list is the best place to discuss Debian specific things such as
group 'staff' and 'adm' and other such things.  Although I like the
strategy enough that I convert the RHEL/CentOS systems I administer to
that scheme too.

Bob



reply via email to

[Prev in Thread] Current Thread [Next in Thread]