From: Bob Proulx <bob@proulx.com>
To: Michael Heerdegen <michael_heerdegen@web.de>
Cc: help-gnu-emacs@gnu.org
Subject: Re: sudo make install
Date: Thu, 16 Apr 2015 15:04:46 -0600
Message-ID: <20150416143415154796888@bob.proulx.com>
In-Reply-To: <87r3rkbalh.fsf@web.de>

Michael Heerdegen wrote:
> Is the ownership of the /usr/local directory tree the only important
> property of the staff group, or is it used for other purposes as well?
>
> In other words: what are the consequences of adding my user to the
> staff group, other than that I will be able to modify the /usr/local
> tree?

None.  There are no other consequences unless you add them on your
system.

First there is this entry in the Securing Debian HOWTO.

  https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.12.3

That mentions not just /usr/local but also /home.  I have seen some
sites change /home to be owned by group staff and extend the group
there but it is not done by default.

  $ ls -ld /home
  drwxr-xr-x 12 root root 4096 Jan  9  2014 /home

The Debian Policy manual says:

  https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2

  ...a large section of details...

  However, because /usr/local and its contents are for exclusive use
  of the local administrator, a package must not rely on the presence
  or absence of files or directories in /usr/local for normal
  operation.

  The /usr/local directory itself and all the subdirectories created by
  the package should (by default) have permissions 2775 (group-writable
  and set-group-id) and be owned by root:staff.

If you install a pristine installation of Debian and run 'find' across
it you will locate two directory trees that are writable by group
staff.

  /usr/local
  /var/local

That is it.  No other ramifications.

This is all part of UPG (User-Private-Groups).  In order to facilitate
multiple people being able to work in a shared directory the strategy
is to place those people in a shared group.  Here we are talking about
the 'staff' group.  Then the user should have a 'umask 02' setting so
that new files are created group writable so that the other members of
the group can write them.  If you are a solo individual on your system
working then the umask won't matter but I note it as part of the
overall strategy.

I will close by saying that the debian-user@lists.debian.org mailing
list is the best place to discuss Debian specific things such as
group 'staff' and 'adm' and other such things.  Although I like the
strategy enough that I convert the RHEL/CentOS systems I administer to
that scheme too.

Bob
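
The 'find' audit and the 2775 / 'umask 02' combination described in the message above, as an added example that is not part of the original message. The function names and the sample tree are assumptions made for illustration; on a Debian system the group argument would be 'staff'.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the message.

# Directories under ROOT group-owned by GROUP and group-writable (mode bit 020):
# this is what membership in GROUP actually lets a user modify.
group_writable_dirs() {
    find "$1" -type d -group "$2" -perm -020 -print 2>/dev/null | sort
}

# The subset lacking set-group-id (mode bit 2000). Policy's 2775 includes it so
# that new files inherit the directory's group instead of the creator's.
missing_setgid_dirs() {
    find "$1" -type d -group "$2" -perm -020 ! -perm -2000 -print 2>/dev/null | sort
}

# Succeeds if a file created in DIR under UMASK comes out group-writable.
new_file_group_writable() {
    (
        umask "$2"
        f="$1/umask-test.$$"
        : > "$f"
        result=$(find "$f" -perm -020)
        rm -f "$f"
        [ -n "$result" ]
    )
}

# Constructed sample tree owned by GROUP: one directory per case.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/shared" "$demo/nosgid" "$demo/private"
    chgrp "$1" "$demo/shared" "$demo/nosgid" "$demo/private"
    chmod 2775 "$demo/shared"    # the mode Debian Policy gives /usr/local
    chmod 0775 "$demo/nosgid"    # group-writable, setgid missing
    chmod 0755 "$demo/private"   # not group-writable, never reported
    echo "$demo"
}

# On a Debian system:  group_writable_dirs / staff
```

Running the first function before adding a user to a group shows exactly which trees that membership opens up; the second flags shared directories where files would end up with the creator's private group.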