How to understand what screensaver (xscreensaver gnome-screensaver kscreensaver) is used

Thu Jul 20 02:21:10 UTC 2006

I think a few things get a bit confused in the translation to/from
English...

Ambrogio:
> I think that if I use su or sudo, I become as dangerous as if I'm
> logged as root.

Almost...  "su", yes.  "sudo" is a bit more configurable.  However...

> So what is the advantage to become root when needed.

Only the things that you explicitly permit get root privileges, rather
than *everything*, some of which might have exploits.

Also, any files that you create are owned by you and not root.  One
problem with people who log in as root is that root owns all their
files, so they find they have to keep logging in as root to access their
own files.  Basically, they've made life hard for themselves for using
the system in the wrong way.  They've painted themselves into a corner.

> I think that if I will asked for root password everytime I start a
> service (at least 10 times in an hour) or if I asked for password
> everytime is needed I will become nervous.

Why "nervous"?  And now you're in the position of having to authenticate
things, you can see when things need it, or want it (and decide whether
you're been fooled, or doing something that should be okay).  No-longer
can things get away with doing something without your say-so, or even
noticing the attempt.

I rarely *need* to be root, but while I'm doing experiments I may leave
a console open as the root user, perhaps GVIM, and I may leave the
system-config-services GUI open.  That allows me to keep on fiddling,
and not have to keep entering in passwords, while logged into the PC as
myself.

> And what about upgrade, installing software and so on?

How often do you really need to do that?  It sounds a lot like you're
clutching at straws to justify what you're doing.

> I'm working on production server every days, with root password or
> sudo configured, and never happens something wrong.

"Never"?  Really?  That'd be unusual, for anyone.  There's also the
issue of whether "nothing goes wrong", or simply that you "haven't
*noticed* anything go wrong" (whether or not something actually has).

> So now I have to think on how to convert all my scripts, scheduled
> jobs, services, and apps working as now, but with another user.
> Desktop, menus, fetchmail, bogofilter, procmail, firefox with bookmark
> and so on.

Therein lays the rub when you start off doing something in the wrong
way, then get forced into doing it the right way.  You have masses of
conversions to go through.

You may find yourself forced into this more, in the future.  Try running
X-Chat as root, and it'll tell you off.  Their programmers had enough
brains to realise it's such a bad idea that they ought to put you off
trying.  With the focus on better security (SELinux, etc.), there's
probably a good chance that more user applications might be programmed
to refuse to run for the root user (they really should).

If you use SELinux, why defeat it by always doing everything as the root
user?  If you don't believe in SELinux, how many other precautions do
you think you should throw away?  Remember, they don't just protect you
from yourself, but from all the malcontents on the internet, against all
the system flaws that you know about, and some that you don't.

Years of thought have gone into why we have separated administration and
ordinary users, from experts in the field, masses of debugging and
repairs, but you're sure that you know better than all of them...

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.