"Thijs Kinkhorst" <th...@debian.org> writes:

> I'm not sure it's entirely equivalent, as the directory in the new
> situation would be owned by group 0 / root. This is clearly a special
> group just as user root is a special user; much more clearly than staff
> would be.

Hm, it is? I don't know of anything else in Debian that treats it as such currently; it seems fairly equivalent to staff to me. (In fact, at Stanford, we use it roughly in the way that Debian normally uses staff.) I suppose it's treated somewhat specially by NFS, but that's the only thing I can think of off-hand.

> I believe that the problems that could occur with the original situation
> relate to non-root users being in group staff one way or the other, and
> then elevate that to root. What would be a realistic scenario where the
> group 'root' contains users that aren't supposed to be root?

We do this at Stanford because we use that group to control who is allowed to su (in other words, we use it as a wheel group). I'm sure we're not the only ones. Elevating to root still requires a separate authentication, so users in group root are not equivalent to root, only permitted to attempt to become root if they know the appropriate passwords.

> I'm fine either way, and will work on that if desired, but of course I'd
> like to keep things as simple as possible.

The original question appealed to the TC was in general about having a group-writable directory. I think we need to eliminate group-writability to fully address the requested change. I can poll the rest of the TC, though, to see if I'm interpreting people's positions correctly.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>