/usr/local/ ?

Posted Apr 8, 2004 8:46 UTC (Thu) by alspnost (subscriber, #2763)
In reply to: /usr/local/ ? by rfunk
Parent article: The User-Accessible Filesystem Hierarchy Standard

Yes - it strikes me that having a group-writeable /usr/local, and putting select users into an "install" group, is a more elegant solution. That way, the group/user distinction still allows people to install programs that are usable by only themselves, only the group, or everyone....



/usr/local/ ?

Posted Apr 8, 2004 13:08 UTC (Thu) by horen (subscriber, #2514)

> Yes - it strikes me that having a group-writeable /usr/local, and putting select users into an "install" group, is a more elegant solution. That way, the group/user distinction still allows people to install programs that are usable by only themselves, only the group, or everyone....

Yikes! This looks like a job for RBAC

Perhaps getting up-to-speed with SELinux is more mission-critical than many of us would care to admit; or, with the degree-of-complexity it possesses, perhaps creating the appropriate tools for administering it.

OTOH, I really do not want my desktop Linux users to be installing their own software packages. In the US Army, we had a saying: "The two most dangerous people are a Private with a rifle, and a 2LT with a pen." I'd like to add to that a PhD faculty member (w/ or w/o the root password).

/usr/local/ ?

Posted Apr 8, 2004 16:18 UTC (Thu) by tjc (subscriber, #137)

> OTOH, I really do not want my desktop Linux users to be installing their own software packages.

Yeah. Whether a malicious program is installed in /usr/local or /home/share/.system doesn't really matter too much; the end result is about the same.

Also

Posted Apr 8, 2004 20:56 UTC (Thu) by Ross (subscriber, #4065)

Give /usr/local the sticky bit so people can't remove or rename other
people's software. And mount it nosuid,nosgid so people can't play tricks
with software that runs as them no matter who uses it.

My biggest fear is that this opens the door to spreading malicious
software. There is nothing to stop a user from adding a command named
"cp" which does rm -rf $HOME. Similarly this opens the door to viruses.
In the past they only affected people who already had infected executables
in their home directory or people who used a system where the root user was
running infected executables.
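
An added example, not part of the comment above or of the original thread: a small audit an administrator could run over a shared, group-writable tree such as /usr/local to check the three points raised there (sticky bit, nosuid mount, same-named commands that take precedence in PATH). The function names, the script's argument convention and the assumption that the tree is its own mount point listed in /proc/mounts are choices made for this example; on Linux, the nosuid option covers set-group-ID bits as well as set-user-ID bits.

```shell
#!/bin/sh
# Added example: audit a shared, group-writable software tree (e.g. /usr/local).

# Print directories under $1 that are writable by group or others but lack
# the sticky bit, i.e. where one user can remove or rename another's files.
missing_sticky() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 -print
}

# Print commands in $1 that share a name with a command in a later directory.
# If $1 comes first in PATH, the copy in $1 is the one users actually run.
shadowed_commands() {
    local_bin=$1; shift
    for f in "$local_bin"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        for d in "$@"; do
            if [ -x "$d/$name" ]; then
                echo "$name: $f shadows $d/$name"
                break
            fi
        done
    done
}

# Succeed if mount point $1 carries option $2. $3 is a file in /proc/mounts
# format (default: /proc/mounts). The last entry for a mount point wins.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { n = split($4, o, ","); found = 0
                   for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit (found ? 0 : 1) }' "${3:-/proc/mounts}"
}

# Usage (assumed convention for this example): sh audit.sh /usr/local
if [ "$#" -gt 0 ]; then
    missing_sticky "$1"
    shadowed_commands "$1/bin" /usr/bin /bin
    mount_has_option "$1" nosuid || echo "$1: not mounted nosuid"
fi
```

Any line printed by `shadowed_commands` deserves a look at who owns the local copy and why it exists, since a legitimate override and a trojaned "cp" look identical to the shell.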

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.