
Re: Root Access



On Sun, 14 Jun 2009 01:42:53 -0400
Todd Zullinger <tmz pobox com> wrote:

There's some truly awful advice in this thread, aside from Robert
Cochran's :-(

> Mike Dwiggins wrote:

<snip>

> > Some of us are casual users who wander in from the Windows world!  I
> > wish I could live in Linux but, that ain't gonna happen!
> >
> > I need to be able to log in as root to do my job!  I wish it were
> > not so but, it is!  Life always fair!

Easy fix:

* Log in as your normal user
* "su -" (interactive root shell with full environment)
* "su - -c "some command"" - run "some command" as root with
  appropriate environment
* sudo "some command" (like above, simpler but needs sudo installed)


- Fat-fingering a command like rm or fdisk / mkfs etc. as a user may
  result in limited damage. Doing so as root will be a disaster. Don't
  shoot yourself in the foot.

- NEVER ssh as root. PermitRootLogin defaults to "no" in OpenSSH for
  good reason. If your root password is weak and an attacker guesses
  it, it's game over, your machine is compromised and you're another
  zombie in someone's botnet. Log in as a regular user and su.

- Many X programs are not designed to run with root privileges
  (xscreensaver refuses to - jwz has BOFH nature, bless him) or pose
  security risks when run as root (GTK apps spring to mind). Again, log
  in as a regular user, run your app and if it needs root privileges
  you'll be prompted for them.

If a regular "user app" NEEDS root privileges and doesn't have a hook
into ConsoleKit/consolehelper then frankly it's utter garbage and you
would be wise to look at a packaged alternative. I'd be astonished if
Opera couldn't save its downloaded extensions to somewhere under $HOME
like the Mozilla-based browsers do.

> 
> I think some of that "need" might be based on the experiences you've
> learned from in the Windows world. 

Permit me, as someone who has seen both sides (6 years systems admin on
both sides of the fence, about 15 as a user - ex-Windows desktop user
to Fedora desktop user and packager) to make some comments.

> I think it's very unfortunate that
> Microsoft has done such a poor job of encouraging and allowing users
> to run with the least privilege needed.

This isn't strictly Microsoft's fault alone. Their engineers have been
aiming to get users to run with the least available rights (and good
users / administrators have tried to do so, with mixed success) but a
combination of laziness on the parts of application developers,
"Enterprise" admins of MS domains and users (who are subject to and
learn bad habits from lazy admins and developers) often results in
users being added to Administrator groups (or just logging in to the
Administrator account) with disastrous results.

>  In trying to help my friends
> and family who cling to Windows, I am regularly appalled at needing to
> login to an account with admin privilege to perform some task.

A lot of the time this is installs / updates; for general day-to-day
work most applications will run with regular user privileges. Perhaps
not as gracefully as UNIX apps, but they can (will ask to run as an
Administrator or other profile).

Alas as most lazy installs have everyone running as Administrator most
don't see it. :-(

> In linux, I would only need to use su or sudo (or, in many cases, I'd
> automatically be prompted for credentials when more privilege was
> required).  For the most part, I think Fedora gets this right much
> more often than Microsoft does.

*nods* - the ConsoleKit / console-helper apps are much more elegant -
just prompt for the root password, no fuss, no complexity.

Michael.


-- 
Michael Fleming <mfleming thatfleminggent com> - (EMail/XMPP/Jabber)
WWW: http://www.thatfleminggent.com
Fedora / Red Hat Packages: http://www.thatfleminggent.com/rpm-packages
Twitter: http://twitter.com/thatfleminggent 
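
The PermitRootLogin advice in the message above can be checked against a configuration file. The following is an added example, not part of the original message: it lists every PermitRootLogin setting in an sshd_config-style file (global section and each Match block) and passes only if all of them are "no". The function names and the sample file are constructed for illustration; the script reads only the one file it is given and does not follow Include directives.

```sh
#!/bin/sh
# Added example (not from the original post): list every PermitRootLogin
# setting in an sshd_config-style file, then check that all of them are "no".

# Print "<scope><TAB><value>" for each scope that sets PermitRootLogin.
permit_root_login_settings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            gsub(/[ \t]+/, " ", line)        # normalise inner whitespace
            split(line, f, /[ =]+/)          # keyword, then its arguments
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") { scope = line; seen = 0; next }
            if (key == "permitrootlogin" && !seen) {
                val = tolower(f[2]); gsub(/"/, "", val)
                printf "%s\t%s\n", (scope == "" ? "global" : scope), val
                seen = 1                     # first value in a scope wins
            }
        }' "$1"
}

# Succeed only if the global section says "no" and no Match block relaxes it.
# A file with no global directive fails: the compiled-in default is not assumed.
root_ssh_login_disabled() {
    permit_root_login_settings "$1" | awk -F '\t' '
        $1 == "global" { have_global = 1 }
        $2 != "no"     { relaxed = 1 }
        END { exit ((have_global && !relaxed) ? 0 : 1) }'
}

# Constructed sample: the global value is "no", but a Match block re-enables root.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment for this example
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
permit_root_login_settings "$sample"
root_ssh_login_disabled "$sample" || echo "root SSH login is still possible"
rm -f "$sample"
```

On the constructed sample the second global line is ignored because the first one wins, and the check fails only because of the Match block.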

