Source: debian-policy
Followup-For: Bug #1099124

It's reasonable to maintain the current ownership and permissions of the /var/local directory on existing Debian installations and update the defaults for new installations. This approach may, however, result in a divergence between legacy and new installations, which would be an argument for not changing anything in the policy and keeping the directory as is. I would still consider the policy to be underdocumented regarding this point, however.
To ensure consistency across all installations, it would make sense to align the ownership and permissions of /usr/local and /var/local. Currently, these are only in sync by chance, if /etc/staff-group-for-usr-local exists. I'm not aware of anyone still using the staff group for the purposes of managing /usr/local and /var/local. I am, however, aware of security scanners that report the suid and sgid bits on executables and directories, and it's pointless for all Debian installations (especially containers and virtual machines that are distributed to the whole world) to needlessly trigger those scanners on /var/local unconditionally. I'm not aware of any non-Debian-based distributions that would still by default set the staff group and related permissions either.

