On Fri, 11 Mar 2005, Bill Allombert wrote:

> On Fri, Mar 11, 2005 at 01:39:28PM +0100, Santiago Vila wrote:
> > In this report, the submitter complains about /usr/local/bin being in
> > the PATH by default at the same time directories under /usr/local are
> > root:staff and world-writable. His complaint is based on the existence
> > of become-any-group-but-root bugs.
>
> Is there evidence of such bugs? There are no binaries sgid staff in
> Debian to start with.
You don't need sgid staff binaries. Quoting the submitter:

  Become-any-user-but-root and become-any-group-but-root bugs are quite
  common. When a group of machines share user home directories via NFS
  exported from somewhere with default root-squash, getting root on one
  machine gives precisely that on all others of the group. There have
  been "genuine" such bugs also e.g. in sendmail [6].

The issue here is that "group staff" is equivalent to "user root", and
that we had better eliminate such equivalence from the default system.

> However, I disagree with the attitude of reassigning the bug to
> debian-policy. If submitters want to make a policy proposal,
> they can propose it themselves.

Well, you have to be an official developer for that, so that's not
always possible. In this case, you may consider this as a proposal made
by me if you like.

This is not a bug in base-files because policy explicitly *mandates* the
root:staff thing, but as I see fewer and fewer people who find the
root:staff thing useful and more and more people who consider it a
potentially dangerous thing, I think that we had better drop the staff
thing from policy entirely, hence my reassign.
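As an added example (not code from this thread, and not Debian's own tooling): a small POSIX shell audit that lists the entries of a PATH string that are group- or world-writable. That is the condition the thread is about: once such a directory sits in root's PATH, whoever can write there can plant a binary named like a common command and wait for root to run it, so membership in the owning group is as good as root. The function name and the mktemp fixture are this example's own; the fixture cannot chgrp to staff without privileges, so it reproduces only the 2775 mode of /usr/local/bin, not its group.

```shell
#!/bin/sh
# Added example (not code from this thread or from Debian): audit the
# directories of a PATH for entries that a group or everyone can write to.
# A group-writable directory in root's PATH is what makes membership in
# that group (root:staff /usr/local/bin on Debian) equivalent to root.
# Function and fixture names are this example's own.

# audit_path_dirs PATHSTRING
#   Prints one line per directory that is group- or world-writable:
#     <dir> <mode> <owner>:<group> <reason>
#   Returns 0 if nothing was flagged, 1 otherwise. Entries that do not
#   exist are skipped; empty entries (meaning ".") are skipped too.
audit_path_dirs() {
    rest=$1
    found=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in
            *:*) rest=${rest#*:} ;;
            *)   rest= ;;
        esac
        [ -n "$dir" ] && [ -d "$dir" ] || continue

        # Parse "ls -ld": mode links owner group ... (same layout on GNU,
        # BSD and busybox ls; a trailing '+' or '.' on the mode is harmless;
        # PATH entries containing whitespace are not handled).
        set -- $(ls -ld "$dir")
        mode=$1 owner=$3 group=$4

        reason=
        # character 6 of the mode is the group write bit (rwxrwsr-x -> 'w'),
        # character 9 the world write bit
        case $mode in ?????w*)    reason="group-writable by $group" ;; esac
        case $mode in ????????w*) reason="${reason:+$reason, }world-writable" ;; esac

        if [ -n "$reason" ]; then
            printf '%s %s %s:%s %s\n' "$dir" "$mode" "$owner" "$group" "$reason"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# demo_audit
#   Constructed fixture: a 0755 directory standing in for /usr/bin, a 2775
#   directory standing in for Debian's root:staff /usr/local/bin, and a 0777
#   scratch directory. (chgrp staff needs privileges, so the group shown is
#   the creator's primary group, not staff.) Returns audit_path_dirs' status.
demo_audit() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/local_bin" "$t/scratch"
    chmod 0755 "$t/bin"
    chmod 2775 "$t/local_bin"
    chmod 0777 "$t/scratch"
    audit_path_dirs "$t/bin:$t/local_bin:$t/scratch:$t/missing"
    status=$?
    rm -rf "$t"
    return "$status"
}

# Run the fixture, then the real PATH of whoever runs this script.
demo_audit || echo "fixture: flagged entries would let a non-root writer plant binaries" >&2
audit_path_dirs "$PATH" || echo "PATH: flagged entries are writable by a group or by everyone" >&2
```

Run it as the account whose PATH matters; the thread's concern is root's default PATH, which includes /usr/local/bin. Any line the audit prints for that PATH names a directory whose owning group (or everyone, for world-writable) can place binaries where root will find them.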