root vs user

Tom 'Needs A Hat' Mitchell mitch48 at sbcglobal.net
Fri Mar 19 04:04:46 UTC 2004 

On Thu, Mar 18, 2004 at 05:35:07PM -0500, Mitch Wiedemann wrote:
> 
> First, I'd like to advise that you don't log in as root at all *ever* 
> unless you have no choice.
> 
> To do system maintenance I'd advise this procedure:
> 1. Log in to your normal user account
> 2. Open a "Terminal" or "Console" window
> 3. su (to gain root privileges)

Make that..
  3. "su - " (to gain root privileges)

> 4. Do what you need to do.
> 5. exit the root terminal when you're done.
> 
> I NEVER log in as root unless I've done something to completely hose my 
> normal user account. :)

Mitch has some good advice and a typo:   s/su/su - / above.

It is true that the less you operate as UID=0 (root) the less risk
there is for doing damage to the system.

Of interest this topic of changing roles is a hot and opinionated topic.

There are a number of different strategies for managing a
system... pick one and stick to it as best you can.

To make the point about strategies, in the file /etc/pam.d/su there
are two important 'auth' lines presented with comments.

   # Uncomment the following line to implicitly trust users in the "wheel" group.
   #auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
   ..
   # Uncomment the following line to require a user to be in the "wheel" group.
   #auth       required     /lib/security/$ISA/pam_wheel.so use_uid

This makes permissive or restricts to a member of group "wheel" su
privileges.  On a test and tinker desktop I use these to open things
up for me.  On a firewall or server I use these and more to tighten
things up.

Also other pam modules like pam_console can be used to further restrict
login access.

There are people that will only login as root to do root things and
never changed roles to root from a normal user account.

There are people that will only login as a normal user and then "su -"
to do root things and never login at the console as root except for
major updates and install.

There are people that only use "sudo" or "consolehelper" types of role
changers.

Some of the difference in opinion have to do with what you know.
     Do system maint in ways that you know and understand.

Some of the difference in opinion have to do with shared
responsibility and footprints for audit.
     Use "sudo" if there are many fingers, "su -" if it is only you.

Keep a notebook.   For systems as reliable and stable as Linux the 
"do you remember" issues become real.  A setup and configuration decision you 
made six months ago could be hard to remember when upgrade time arrives.
Use paper, you cannot read stuff on line when you are fixing the 
machine with the notes on it.

BTW: When I login as root my background is a harsh nasty red. 


-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.

More information about the fedora-list mailing list