I think a few things get a bit confused in the translation to/from English... Ambrogio: > I think that if I use su or sudo, I become as dangerous as if I'm > logged as root. Almost... "su", yes. "sudo" is a bit more configurable. However... > So what is the advantage to become root when needed. Only the things that you explicitly permit get root privileges, rather than *everything*, some of which might have exploits. Also, any files that you create are owned by you and not root. One problem with people who log in as root is that root owns all their files, so they find they have to keep logging in as root to access their own files. Basically, they've made life hard for themselves for using the system in the wrong way. They've painted themselves into a corner. > I think that if I will asked for root password everytime I start a > service (at least 10 times in an hour) or if I asked for password > everytime is needed I will become nervous. Why "nervous"? And now you're in the position of having to authenticate things, you can see when things need it, or want it (and decide whether you're been fooled, or doing something that should be okay). No-longer can things get away with doing something without your say-so, or even noticing the attempt. I rarely *need* to be root, but while I'm doing experiments I may leave a console open as the root user, perhaps GVIM, and I may leave the system-config-services GUI open. That allows me to keep on fiddling, and not have to keep entering in passwords, while logged into the PC as myself. > And what about upgrade, installing software and so on? How often do you really need to do that? It sounds a lot like you're clutching at straws to justify what you're doing. > I'm working on production server every days, with root password or > sudo configured, and never happens something wrong. "Never"? Really? That'd be unusual, for anyone. There's also the issue of whether "nothing goes wrong", or simply that you "haven't *noticed* anything go wrong" (whether or not something actually has). > So now I have to think on how to convert all my scripts, scheduled > jobs, services, and apps working as now, but with another user. > Desktop, menus, fetchmail, bogofilter, procmail, firefox with bookmark > and so on. Therein lays the rub when you start off doing something in the wrong way, then get forced into doing it the right way. You have masses of conversions to go through. You may find yourself forced into this more, in the future. Try running X-Chat as root, and it'll tell you off. Their programmers had enough brains to realise it's such a bad idea that they ought to put you off trying. With the focus on better security (SELinux, etc.), there's probably a good chance that more user applications might be programmed to refuse to run for the root user (they really should). If you use SELinux, why defeat it by always doing everything as the root user? If you don't believe in SELinux, how many other precautions do you think you should throw away? Remember, they don't just protect you from yourself, but from all the malcontents on the internet, against all the system flaws that you know about, and some that you don't. Years of thought have gone into why we have separated administration and ordinary users, from experts in the field, masses of debugging and repairs, but you're sure that you know better than all of them... -- (Currently running FC4, occasionally trying FC5.) Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
