Re: sudo make install

From: Bob Proulx
Subject: Re: sudo make install
Date: Thu, 16 Apr 2015 15:04:46 -0600
User-agent: Mutt/1.5.23 (2014-03-12)

Michael Heerdegen wrote:
> Is the ownership of the /usr/local directory tree the only important
> property of the staff group, or is it used for other purposes as well?
> In other words: what are the consequences of adding my user to the
> staff group, other than that I will be able to modify the /usr/local
> tree?

None.  There are no other consequences unless you add them on your

First there is this entry in the Securing Debian HOWTO.

That mentions not just /usr/local but also /home.  I have seen some
sites change /home to be owned by group staff and extend the group
there but it is not done by default.

  $ ls -ld /home
  drwxr-xr-x 12 root root 4096 Jan  9  2014 /home

The Debian Policy manual says:
  ...a large section of details...
  However, because /usr/local and its contents are for exclusive use
  of the local administrator, a package must not rely on the presence
  or absence of files or directories in /usr/local for normal

  The /usr/local directory itself and all the subdirectories created by
  the package should (by default) have permissions 2775 (group-writable
  and set-group-id) and be owned by root:staff.

If you install a pristine installation of Debian and run 'find' across
it you will locate two directory trees that are writable by group


That is it.  No other ramifications.

This is all part of UPG (User-Private-Groups).  In order to facilitate
multiple people being able to work in a shared directory the strategy
is to place those people in a shared group.  Here we are talking about
the 'staff' group.  Then the user should have a 'umask 02' setting so
that new files are created group writable so that the other members of
the group can write them.  If you are a solo individual on your system
working then the umask won't matter but I note it as part of the
overall strategy.

I will close by saying that the address@hidden mailing
list is the best place to discuss Debian-specific things such as
group 'staff' and 'adm' and other such things.  Although I like the
strategy enough that I convert the RHEL/CentOS systems I administer to
that scheme too.
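
The 'find' audit and the set-group-id plus 'umask 02' behaviour described in the message above, as an added example that is not part of the original post. It runs against a constructed temporary tree standing in for /usr/local, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The tree below is constructed; function names are hypothetical.

# List directories under ROOT that belong to GROUP and are group-writable.
# On a real Debian system: group_writable_dirs / staff
group_writable_dirs() {
    find "$1" -xdev -type d -group "$2" -perm -020 2>/dev/null | sort
}

# Permission string of PATH, e.g. drwxrwsr-x (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Numeric group id that owns PATH.
group_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Build a stand-in for /usr/local with the policy mode 2775, plus a
# sibling directory that is not group-writable. Prints the tree root.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local" "$root/usr/share"
    chmod 755 "$root" "$root/usr" "$root/usr/share"
    chmod 2775 "$root/usr/local"
    # umask 02: new files and directories stay writable by the group.
    ( umask 002; : > "$root/usr/local/shared.txt"; mkdir "$root/usr/local/bin" )
    # umask 022: the same file creation drops group write.
    ( umask 022; : > "$root/usr/local/private.txt" )
    printf '%s\n' "$root"
}

tree=$(demo_tree) || exit 1
echo "Group-writable directories for gid $(group_of "$tree"):"
group_writable_dirs "$tree" "$(group_of "$tree")"
for f in usr/local usr/local/shared.txt usr/local/private.txt; do
    printf '%s  %s\n' "$(mode_of "$tree/$f")" "$f"
done
rm -rf "$tree"
```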

