References

Since about 2009 Debian has required the file /etc/staff-group-for-usr-local to exist before the staff group's ownership of /usr/local takes effect.

The bug report which initiated the discussion:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=299007

The Technical Committee discussion and voting process:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484841

An interesting contribution:

https://kevinlocke.name/bits/2017/03/10/ownership-of-usr-local-by-group-staff/

Current Debian Policy page:

https://www.debian.org/doc/debian-policy/ch-opersys.html#site-specific-programs

Comment

The shortened claim “group staff is root-equivalent” is incorrect as stated. A series of configurations and events has to occur for it to become true; specifically, a user account in group staff has to install a trojan.

As long as /usr/local is not exported writable via NFS, no threat to the local system is to be expected.

We don’t argue about names: “staff” is as good as any other, the capabilities of the account are what count.

Position

  • We want to use the benefits of installation of local software with reduced privileges.
  • We don’t use NFS.
  • We only add to group staff users we trust to be both security-aware and free of malicious intent.
  • We stick to using the group staff for root-less installation of software.
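An added example, not from this page or from Debian: the trojan scenario in the Comment above and the root-less installation chosen in the Position both rest on root later executing whatever sits in the staff-writable /usr/local/bin and /usr/local/sbin, so a baseline-and-compare check of those directories is the compensating control. It assumes GNU coreutils (sha256sum, stat -c) as shipped by Debian; directory and manifest paths are parameters so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not part of the original page. Baseline-and-compare check for
# the directories group staff can write to (for instance /usr/local/bin and
# /usr/local/sbin), which root's PATH searches first. Assumes GNU coreutils.

# Report whether Debian's toggle for staff ownership of /usr/local is present.
# The path is a parameter so the check can be pointed at a test file.
staff_toggle_state() {
    if [ -e "${1:-/etc/staff-group-for-usr-local}" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Write a manifest line "sha256 mode:owner:group path" for every regular file
# below directory $1 into file $2, sorted by path.
write_manifest() {
    find "$1" -type f -exec sh -c '
        for f; do
            printf "%s %s %s\n" "$(sha256sum "$f" | cut -d" " -f1)" \
                "$(stat -c "%a:%U:%G" "$f")" "$f"
        done' sh {} + | sort -k3 > "$2"
}

# Compare directory $1 against the manifest $2 taken earlier. Returns 0 when
# nothing changed and 1 when a file was added, removed or altered in content,
# mode or ownership; the differing lines are printed for review.
check_manifest() {
    current=$(mktemp)
    write_manifest "$1" "$current"
    if diff "$2" "$current" >/dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "Integrity deviation under $1:"
    diff "$2" "$current" || true
    rm -f "$current"
    return 1
}

# Typical use on a real system (run as root after each intended install):
#   write_manifest /usr/local/bin /var/lib/usr-local-bin.manifest
#   check_manifest /usr/local/bin /var/lib/usr-local-bin.manifest
```

Re-run write_manifest only after a deliberate installation by a staff member; any deviation reported in between is exactly the unexpected change the Comment describes.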