Message-Id: <email address hidden>
Date: Thu, 31 Mar 2005 10:40:36 +1000
From: <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH
Bill Allombert <email address hidden> wrote:
>> Group staff is an anachronism: its ownership of /home is "wrong". Its use
>> and usefulness should be reviewed.
>
> An anachronism ? What paradigm shift made it "wrong" ?
>
>> Group staff is said to be useful "for helpdesk types or junior sysadmins",
>> without warnings that it is in fact root-equivalent.
>
> Who said that ?
Quoting from the original bug report:
The Debian Reference [3] and Securing Debian Manual [4], [5] say
[group] staff is ... for helpdesk types or junior sysadmins ... to do
things in /usr/local and to create directories in /home.
[group] staff: Allows users to add local modifications to the system
(/usr/local, /home) without needing root privileges.
The 'staff' group are usually help-desk/junior sysadmins, allowing them
to work in /usr/local and create directories in /home.
(This is surely wrong, seems a SysV left-over: you need root privileges to
chown user directories in /home or in fact to create users in /etc/passwd.)
...
[3] http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s9.2.3
[4] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.1
[5] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.2
Re-wording. Group staff ownership of /home does not seem very useful, as it
only allows directories to be created but not chowned to the user. I guess
that this is a left-over from SysV times when anyone could chown.
The above quoted authoritative Debian references advertise the use of group
staff for semi-trusted users.
>> Use of root-equivalent users and groups may enlarge the attack surface.
>
> There are a lot of them, though.
Noted. All the more enlargement.
>> If commonly used software allows breaching some security features, then
>> the features need to be changed.
>
> No security conscious person uses NFS in a security sensitive context
> anyway.
Is this hearsay, common knowledge, or documented somewhere?
Please note that NFS was only an example of how root-equivalent things become
an acute issue. (Admittedly my only current example: you rightfully would
not accept past sendmail bugs.)
Cheers,
Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
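The root-equivalence discussed in this message comes from write access to directories such as /usr/local that root searches for programs (on Debian, /usr/local/bin and /usr/local/sbin are on root's default PATH). As an added audit check, not part of the thread, the POSIX shell function below lists the entries of a PATH string that are writable by a non-root group or by everyone. It assumes the usual ls -ld field layout (mode in field 1, group in field 4); the PATH string in the final call is a constructed sample, not taken from the bug.

```shell
#!/bin/sh
# Audit a PATH for directories writable by a non-root group or by everyone.
# Whoever can write to a directory that root has on its PATH can place a
# program there that root will later run, which is what makes a group such
# as staff (owner of /usr/local on Debian) root-equivalent.

# path_writable_dirs PATHSTRING
# Prints one line per offending entry: "<dir> <reason> (<mode>)".
# Entries that do not exist are skipped.  A directory whose only write bit
# is the group-write bit of group root is not reported.
path_writable_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
        [ -d "$d" ] || continue
        # ls -ld: field 1 is the symbolic mode (e.g. drwxrwxr-x), field 4 the group
        set -- $(ls -ld "$d")
        mode=$1 group=$4
        world=no; grp=no
        case $mode in ????????w*) world=yes ;; esac   # character 9: other write
        case $mode in ?????w*)    grp=yes   ;; esac   # character 6: group write
        if [ "$world" = yes ]; then
            echo "$d world-writable ($mode)"
        elif [ "$grp" = yes ] && [ "$group" != root ]; then
            echo "$d writable by group $group ($mode)"
        fi
    done
}

# Stand-alone use: audit the directories root would typically search
# (constructed sample PATH, not the one from the bug report).
path_writable_dirs "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```

An empty result means no PATH entry is writable by anyone but root; a line naming a group such as staff is exactly the condition the message calls root-equivalent.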