Your message dated Sat, 25 Jul 2009 06:20:30 -0700 with message-id <[email protected]> and subject line "Re: Call for votes (was: Bug#484841: staff group root equivalence)" has caused the Debian Bug report #484841, regarding "Should /usr/local be writable by group staff?", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
484841: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tech-ctte
Severity: normal

This is a delegation of the resolution of Bug#299007 to the Technical Committee under points 1 and 3 of section 6.1 of the Constitution. As Policy delegate, I am not comfortable making a final decision either way on this bug and ask that the tech-ctte please make a binding decision.

The dispute is over the following text in Debian Policy:

    The `/usr/local' directory itself and all the subdirectories created
    by the package should (by default) have permissions 2775
    (group-writable and set-group-id) and be owned by `root.staff'.

The proposed change is to state instead that the /usr/local directory itself and all the subdirectories created by the package should (by default) have permissions 755 and be owned by root:root.

The contention in this proposal is that the current Policy-mandated behavior represents a potential security vulnerability since it allows elevation of a compromise of group staff to a root compromise since /usr/local/bin is in root's default path. The counter-contention is that the staff group is empty by default and it is up to the local system administrator to extend that privilege in a way consistent with the local site security policy.

https://launchpad.net/bugs/13795 is the corresponding Ubuntu bug. According to that bug log, Ubuntu has chosen to diverge from Debian on this point.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
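The escalation path the report describes (a directory on root's default search path that a non-root group may write to) is easy to audit on a running system. The script below is an added example written for this page; it is not from the bug report, from Debian Policy or from the BTS. It assumes GNU coreutils `stat -c` (Linux) and takes the PATH-style list to inspect from the caller. The demonstration tree at the bottom is constructed in a temporary directory; it keeps the invoking user's primary group rather than `staff`, since changing group ownership needs root, and the audit logic only asks whether the writing group is root.

```shell
#!/bin/sh
# Added example (not part of bug #484841 or Debian Policy): audit the
# directories on a PATH-style list for the condition at issue in the report,
# i.e. a directory that root will search for executables but that a group
# other than root, or anyone at all, may write to.
# Assumes GNU coreutils `stat -c` (an assumption; BSD stat uses -f).

# audit_path_dirs "dir1:dir2:..."
# Prints one line per directory that is writable by a non-root group or by
# others, and returns 1 if at least one such directory was found, 0 otherwise.
audit_path_dirs() {
    found=0
    old_ifs=$IFS
    IFS=:
    set -- $1                 # split the colon-separated list into arguments
    IFS=$old_ifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue                   # skip entries that do not exist
        mode=$(stat -c '%A' "$dir")                 # symbolic mode, e.g. drwxrwsr-x for 2775
        owner=$(stat -c '%U' "$dir")
        group=$(stat -c '%G' "$dir")
        reason=""
        # character 6 of the symbolic mode is the group write bit
        if [ "$(printf '%s' "$mode" | cut -c6)" = w ] && [ "$group" != root ]; then
            reason="group-writable by $group"
        fi
        # character 9 is the other/world write bit
        if [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
            reason="${reason:+$reason, }world-writable"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s:%s (%s)\n' "$dir" "$mode" "$owner" "$group" "$reason"
            found=1
        fi
    done
    return $found
}

# Demonstration on a constructed tree (constructed here, not a real system).
# local/bin gets the mode Policy currently mandates (2775); bin gets the
# proposed 755.  On a real Debian system local/bin would be root:staff.
demo_root=$(mktemp -d)
mkdir -p -m 2775 "$demo_root/local/bin"
mkdir -p -m 755 "$demo_root/bin"
printf 'Auditing %s\n' "$demo_root/local/bin:$demo_root/bin"
if audit_path_dirs "$demo_root/local/bin:$demo_root/bin"; then
    printf 'no group- or world-writable directories on the path\n'
else
    printf 'writable directories found on the path (see lines above)\n'
fi
rm -rf "$demo_root"
```

To check a live system, pass root's own search path, for example the value of `ENV_SUPATH` from /etc/login.defs or the `PATH` seen in a root shell; a non-zero return code means at least one directory on it can be written by a non-root group or by everyone.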
--- Begin Message ---
unmerge 504516
clone 484841 -1
reassign -1 debian-policy
reopen -1
merge 484841 504516
thanks

On Sat, 25 Jul 2009, Steve Langasek wrote:
> On Fri, Jul 24, 2009 at 06:55:01PM +0200, Andreas Barth wrote:
> > I'm calling on votes now for these three options (the last one isn't a
> > proposal, but by default in the option set). According to the
> > constitution, the voting period lasts for up to one week, or until the
> > outcome is no longer in doubt.
> >
> > | 1. Keep /usr/local writeable by group staff (i.e. leave things as they
> > | are).
> >
> > | 2. Decide to change the default so that /usr/local is not writeable by
> > | group staff anymore. This change should only be implemented after an
> > | appropriate transition plan exists which enables system administrators
> > | to maintain the ability of group staff to write to /usr/local.
> > | (Reasons for the change are the adaption of other tools like sudo on
> > | most sites, and the concept of "least surprise" for novice users.)
> >
> > | 3. Further discussion.
>
> I vote: 2 1 3

With this I believe that option 2 has prevailed (four in favor, one against, with 2 having yet to vote):

  2. Decide to change the default so that /usr/local is not writeable by group staff anymore. This change should only be implemented after an appropriate transition plan exists which enables system administrators to maintain the ability of group staff to write to /usr/local. (Reasons for the change are the adaption of other tools like sudo on most sites, and the concept of "least surprise" for novice users.)

I have changed the webwml for the tech-ctte, and am closing the bug with this message.


Don Armstrong

-- 
Personally, I think my choice in the mostest-superlative-computer wars has to be the HP-48 series of calculators. They'll run almost anything. And if they can't, while I'll just plug a Linux box into the serial port and load up the HP-48 VT-100 emulator.
 -- Jeff Dege, [email protected]

http://www.donarmstrong.com              http://rzlab.ucr.edu
--- End Message ---