Logins

Mike McCarty mike.mccarty at sbcglobal.net
Fri Sep 9 21:45:05 UTC 2005


akonstam at trinity.edu wrote:
> On Fri, Sep 09, 2005 at 02:36:41PM -0500, Mike McCarty wrote:
> 
>>Andrea Bencini wrote:
>>
>>>I install FC4 with KDE; when I login with "root" and password I receive
>>>this message: "Root logins are not allowed".
>>>I can login only via ssh (root + psw).
>>>Can you help me?
>>>Thank
>>>Andrea
>>>
>>
>>This is bad manners. You should be logging in as an ordinary
>>user, and using "su -" or "sudo" to do your root activities.
>>
>>It is good policy not to log in as root.
>>
>>That's why the default is to disallow it.
>>
>>Mike
> 
> I am curious. Could someone give me a concrete example of why it is
> more dangerous to log in to a gui interface as root as opposed to
> logging in as an ordinary user and su - to root?

If you log on as root (regardless of whether under a GUI) then every
program in your process tree runs with root authorization. So every
program defect has potentially disastrous consequences to your system.
If some defect in a program causes it to try the equivalent of
"rm /" then for an ordinary user it gets permission denied, for a
program running as root, the file system goes away. So the fewer
programs which run with root access, for the least amount of time,
the better it is for your system altogether. I never have logged onto
my machine as root. Not even once. It is an unnecessary risk. I use
"su -" or I use "sudo", and only for the minimum duration. When
I am su to root, I have some aliases

# alias
alias cp='cp -i'
alias l.='ls -d .* --color=tty'
alias ll='ls -l --color=tty'
alias ls='ls --color=tty'
alias mv='mv -i'
alias rm='rm -i'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'

Notice the "-i" on "dangerous" commands cp, mv, and rm.

I want as few programs to pose a threat to my machine as possible.
The GUI is rather a lot of code to presume not to have any defects.

But even if I didn't have a GUI installed, I'd not log on as root.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
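
The point above about the process tree, as an added example that is not part of the original message: the script lists the root-owned (euid 0) processes that descend from a login session, for a direct root GUI login and for a user login followed by "su -". The two process tables, their PIDs, UID 500 and session PID 900 are constructed samples in the format printed by "ps -eo pid=,ppid=,euid=,comm=".

```shell
#!/bin/sh
# Added example (not from the original message). Lists the euid-0 processes
# that descend from a login session's top process, i.e. the code whose
# defects run with root authorization.
# Input lines: "pid ppid euid comm", as printed by: ps -eo pid=,ppid=,euid=,comm=

root_descendants() {   # $1 = PID of the session's top process; table on stdin
    awk -v top="$1" '
        { ppid[$1] = $2; euid[$1] = $3; comm[$1] = $4 }
        END {
            for (p in ppid) {
                q = p; hops = 0
                # Walk parent links until we reach the session top or leave the table.
                while (q != top && (q in ppid) && hops++ < 64) q = ppid[q]
                if (q == top && euid[p] == 0) print comm[p]
            }
        }' | sort
}

count_root() { root_descendants "$1" | wc -l | tr -d ' '; }

# Constructed sample: root logs in directly at the KDE greeter (session top = 900).
ROOT_GUI_LOGIN='1 0 0 init
850 1 0 kdm
900 850 0 startkde
910 900 0 kdeinit
911 910 0 konqueror
912 910 0 kmail
913 910 0 konsole
914 913 0 bash'

# Constructed sample: ordinary user (uid 500) logs in, then runs "su -" in a terminal.
USER_LOGIN_SU='1 0 0 init
850 1 0 kdm
900 850 500 startkde
910 900 500 kdeinit
911 910 500 konqueror
912 910 500 kmail
913 910 500 konsole
914 913 500 bash
915 914 0 su
916 915 0 bash'

echo "root GUI login:    $(printf '%s\n' "$ROOT_GUI_LOGIN" | count_root 900) root processes in the session"
echo "user login + su -: $(printf '%s\n' "$USER_LOGIN_SU" | count_root 900) root processes in the session"
```

On a live system, pipe the real ps output into root_descendants with the PID of your own session's top process.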



