Re: sudo make install
From: Bob Proulx
Subject: Re: sudo make install
Date: Thu, 16 Apr 2015 15:04:46 -0600
User-agent: Mutt/1.5.23 (2014-03-12)

Michael Heerdegen wrote:
> Is the ownership of the /usr/local directory tree the only important
> property of the staff group, or is it used for other purposes as well?
>
> In other words: what are the consequences of adding my user to the
> staff group, other than that I will be able to modify the /usr/local
> tree?

None.  There are no other consequences unless you add them on your
system.

First there is this entry in the Securing Debian HOWTO.

  https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.12.3

That mentions not just /usr/local but also /home.  I have seen some
sites change /home to be owned by group staff and extend the group
there but it is not done by default.

  $ ls -ld /home
  drwxr-xr-x 12 root root 4096 Jan 9 2014 /home

The Debian Policy manual says:

  https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2

    ...a large section of details...

    However, because /usr/local and its contents are for exclusive use
    of the local administrator, a package must not rely on the presence
    or absence of files or directories in /usr/local for normal
    operation.

    The /usr/local directory itself and all the subdirectories created by
    the package should (by default) have permissions 2775 (group-writable
    and set-group-id) and be owned by root:staff.

If you install a pristine installation of Debian and run 'find' across
it you will locate two directory trees that are writable by group
staff.

  /usr/local
  /var/local

That is it.  No other ramifications.

This is all part of UPG (User-Private-Groups).  In order to facilitate
multiple people being able to work in a shared directory the strategy
is to place those people in a shared group.  Here we are talking about
the 'staff' group.  Then the user should have a 'umask 02' setting so
that new files are created group writable so that the other members of
the group can write them.  If you are a solo individual on your system
working then the umask won't matter but I note it as part of the
overall strategy.

I will close by saying that the debian-user@lists.debian.org mailing
list is the best place to discuss Debian specific things such as
group 'staff' and 'adm' and other such things.  Although I like the
strategy enough that I convert the RHEL/CentOS systems I administer to
that scheme too.

Bob
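
The 'find' check, the 2775 mode and the 'umask 02' setting described in the message above can be audited together. The following is an added example, not part of the original message or of any Debian tool; the function names are hypothetical and it assumes a find(1) that supports -group, -perm and -xdev.

```shell
#!/bin/sh
# Added example: audit group-writable directories for a shared group.
# Function names are hypothetical; only standard find(1) tests are used.

# Directories under ROOT that belong to GROUP and have the group-write bit.
group_writable_dirs() {
    find "$1" -xdev -type d -group "$2" -perm -020 -print 2>/dev/null
}

# Subset of the above without set-group-id (the policy default is 2775),
# where new files would not inherit the shared group.
missing_setgid() {
    find "$1" -xdev -type d -group "$2" -perm -020 ! -perm -2000 -print 2>/dev/null
}

# Succeeds when the current umask leaves the group-write bit on,
# e.g. 'umask 02'; fails for the common 022.
umask_group_friendly() {
    [ $(( 0$(umask) & 020 )) -eq 0 ]
}

# Report for one tree: staff_audit ROOT GROUP
staff_audit() {
    echo "Writable by group $2 under $1:"
    group_writable_dirs "$1" "$2" | sed 's/^/  /'
    echo "Group-writable but not set-group-id:"
    missing_setgid "$1" "$2" | sed 's/^/  /'
    if umask_group_friendly; then
        echo "umask $(umask): new files are group-writable"
    else
        echo "umask $(umask): new files are NOT group-writable"
    fi
}

# Run as: sh audit.sh / staff
if [ "$#" -eq 2 ]; then
    staff_audit "$1" "$2"
fi
```

Because of -xdev the search stays on one filesystem, so run it once per mount point of interest.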