This came up as a permission issue on Ubuntu 16.04. I was unable to remove some R libraries installed in
/usr/local/lib/R/site-library. It turned out that I did not have permission. The directory was owned by
root and the group was
I temporarily resolved the permission issue by manually adding my user to the
sudo usermod -a -G staff myusername # *see blockquote before using this!*
That allows me to remove the libraries from IDE.
However, when I tried to look up more information on the staff group, I was not able to find any definite material on the topic. Not even what the group was primarily intended for. I could only guess it is used to give similar 'enhanced' access to users on certain directories.
Are there any implications of manually adding a user to the staff group?
As an aside, is there any command to know the system-wide permissions for a group? For instance, what all are the directories for which group staff will have write permission?
Edit: I must add here that using
usermod is a much more sensible option for this operation [please see the comment below]
sudo adduser myusername staff
Ok, as nudged by @muru, I'm posting an answer to my own question, to the extent I can. The file
file:///usr/share/doc/base-passwd/users-and-groups.html includes detailed information on groups and permissions. A mirror of this page can be found here: Users and Groups
Allows users to add local modifications to the system (
/home) without needing root privileges. Compare with group
adm, which is more related to monitoring/security.
Note that the ability to modify
/usr/local is effectively equivalent to root access (since
/usr/local is intentionally on search paths ahead of
/usr), and so you should only add trusted users to this group. Be careful in environments using NFS since acquiring another non-root user's privileges is often easier in such environments.
Of course adm is already in my
groups so I can do
dmesg. But I had to manually add myself to
Logging a list of directories owned by staff shows that all these belong to one of these:
sudo find / -maxdepth 8 -type d -group staff -perm -g=w >>stafflog.txt
/var/local
/usr/local/lib
/usr/local/share
No wonder the membership of staff gives me write access to my shared programming language libraries.
Checking permission for one of these:
ls -al /var/local
drwxrwsr-x 2 root staff 4096 Apr 11 2014 .
drwxr-xr-x 16 root root 4096 Aug 3 15:55 ..
So apparently the staff trick is performed by the system by setting the directories' s bit (setgid), so that whichever user or process creates the files in that directory, the file always runs with the permissions shared across the staff group. See here
However I still wonder whether I can safely keep myself in this group. To my mind it should be pretty safe given this is a laptop which will at worst be accessed over a trusted LAN, via smb or ssh. The words 'effectively equivalent to root access' scare me. Any thoughts on this are welcome.
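
An added example, not part of the original question or answer, for the aside about listing what a group can write to: a POSIX shell script that lists the group-writable directories owned by a group and reports which entries of a search path that group can write to, which is the condition the base-passwd note warns about. The function names and the script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit what a group can write to. Function names are
# illustrative assumptions, not taken from the original post.

# Print directories under the given roots that are owned by GROUP and
# group-writable. -xdev keeps find on the filesystem of each root.
group_writable_dirs() (
    group=$1
    shift
    find "$@" -xdev -type d -group "$group" -perm -g=w 2>/dev/null | sort
)

# Print "POSITION DIRECTORY" for every entry of a PATH-style string that
# GROUP can write to. A low position means the entry is searched early,
# so a binary dropped there shadows same-named binaries in later entries.
path_dirs_writable_by_group() (
    group=$1
    pos=0
    IFS=:      # split the PATH string on colons (subshell, so not leaked)
    set -f     # no glob expansion while splitting
    for dir in $2; do
        pos=$((pos + 1))
        [ -d "$dir" ] || continue
        if [ -n "$(find "$dir" -maxdepth 0 -group "$group" -perm -g=w 2>/dev/null)" ]; then
            printf '%s %s\n' "$pos" "$dir"
        fi
    done
)

# Usage: sudo sh audit-group.sh staff
# Run as root so find can descend into every directory and so that root's
# own PATH is the one being checked.
if [ "$#" -ge 1 ]; then
    echo "Directories on the root filesystem writable by group $1:"
    group_writable_dirs "$1" /
    echo "PATH entries writable by group $1 (position, directory):"
    path_dirs_writable_by_group "$1" "$PATH"
fi
```

Any directory printed by the second function is one where a member of the group can place an executable that a later command lookup will find; an empty second list means group membership does not reach the search path.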