On Tue, August 11, 2009 23:22, Russ Allbery wrote:
> "Thijs Kinkhorst" <[email protected]> writes:
>
>> I'm not sure it's entirely equivalent, as the directory in the new
>> situation would be owned by group 0 / root. This is clearly a special
>> group just as user root is a special user; much more clearly than staff
>> would be.
>
> Hm, it is? I don't know of anything else in Debian that treats it as
> such currently; it seems fairly equivalent to staff to me. (In fact, at
> Stanford, we use it roughly in the way that Debian normally uses staff.)
>
> I suppose it's treated somewhat specially by NFS, but that's the only
> thing I can think of off-hand.
>
>> I believe that the problems that could occur with the original
>> situation relate to non-root users being in group staff one way or the
>> other, and then elevate that to root. What would be a realistic scenario
>> where the group 'root' contains users that aren't supposed to be root?
>
> We do this at Stanford because we use that group to control who is
> allowed to su (in other words, we use it as a wheel group). I'm sure
> we're not the only ones. Elevating to root still requires a separate
> authentication, so users in group root are not equivalent to root, only
> permitted to attempt to become root if they know the appropriate
> passwords.
>
>> I'm fine either way, and will work on that if desired, but of course
>> I'd like to keep things as simple as possible.
>
> The original question appealed to the TC was in general about having a
> group-writable directory. I think we need to eliminate group-writability
> to fully address the requested change. I can poll the rest of the TC,
> though, to see if I'm interpreting people's positions correctly.
I was not aware of root being used in that way, but given that such is the case, I think it's reasonable to take the approach of removing group writability altogether. I will come up with more to address this soon.

Thijs
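The thread's concern is a directory that is group-writable while its group (root or staff) is really a gatekeeping group, such as a wheel group, whose members are not meant to have unconditional write access there; the fix the thread converges on is dropping the group write bit. The following POSIX sh script is an added example, not code from the thread or from Debian; the function names `audit_group_writable`, `count_group_writable` and `fix_group_writable`, the `--demo` flag and the use of `/usr/local` as a sample tree are all assumptions made here. It reports every directory under a tree that has the group write bit set and is owned by one of the given numeric group ids, and can strip that bit from each of them.

```shell
#!/bin/sh
# Added example (not from the thread): find directories that are
# group-writable and owned by a "gatekeeper" group such as root (gid 0)
# or staff, then remove the group write bit from them. A member of such a
# group can otherwise replace files in the directory without ever passing
# the separate authentication that su/sudo would demand.

# audit_group_writable DIR GID [GID ...]
# Prints each directory under DIR whose group write bit is set and whose
# numeric gid is one of the GIDs given. Prints nothing when the tree is clean.
audit_group_writable() {
    dir=$1; shift
    # -perm -020: group write bit set (octal form works in POSIX and GNU find)
    find "$dir" -type d -perm -020 -print | while IFS= read -r d; do
        # ls -ldn prints numeric owner/group; the 4th column is the gid
        gid=$(ls -ldn "$d" | awk '{print $4}')
        for want in "$@"; do
            if [ "$gid" = "$want" ]; then
                printf '%s\n' "$d"
                break
            fi
        done
    done
}

# count_group_writable DIR GID [GID ...]
# Number of directories the audit reports (0 when clean).
count_group_writable() {
    audit_group_writable "$@" | wc -l | tr -d ' '
}

# fix_group_writable DIR GID [GID ...]
# Removes the group write bit from every directory the audit reports.
# Returns 0 even when there was nothing to fix.
fix_group_writable() {
    audit_group_writable "$@" | while IFS= read -r d; do
        chmod g-w "$d"
    done
    return 0
}

# Stand-alone use (assumed flag): audit /usr/local for group 0 (root) and,
# if a staff group exists on this host, for its gid as well.
if [ "${1:-}" = "--demo" ]; then
    gids=0
    staff_gid=$(getent group staff 2>/dev/null | cut -d: -f3)
    [ -n "$staff_gid" ] && gids="$gids $staff_gid"
    # $gids is deliberately unquoted so each gid becomes its own argument
    audit_group_writable /usr/local $gids
fi
```

Run it as `sh audit.sh --demo` to list offending directories, or source it and call `fix_group_writable /usr/local 0` after reviewing the audit output. The functions take numeric gids rather than names so that a group that does not exist on the host (staff is not universal) cannot make `find -group` abort the audit.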

