Re: [Fwd: Re: Running as root (was:Hey, it didn't get this either -- ...)]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sunday 20 April 2003 11:28, Benjamin Vander Jagt wrote:
> I should start by saying that my argument is not that Linux should be a
> single user environment.  On the contrary, probably somewhere between
> 95% to 99% of Linux users should not run as root.  However, I consider
> myself in the minority, and I think I have justified reasons for running
> as root.  I am disheartened that there's no way to give a user
> administrative privileges, but I am not as upset, since running as root
> works so well.  I have been running as root for about four months, and
> it has worked exactly how I wanted.  I'm glad that root has not been
> crippled as a user.  Root has it's own home folder, (almost) everything
> treats root as if it's just another user.  Perhaps someday, when less
> stuff needs to be tweaked, when everything installs in a uniform
> fashion, and when the system can be told to "remember password" at least
> for certain applications, then I will change back to running as a user.
> However, as it is now, the only way to get the convenience I want is to
> run as root, and the only thing that has given me any trouble has been
> xscreensaver.

*cough* have you not seen sudo?  You can assign all kinds of levels of admin 
privs w/ sudo, and the user never has to know the root password.

> > Many things will complain then. That's because you are circumvention
>
> the
>
> > protections. I remeber something that wouldn't work if a file in $HOME
> > was world readable.
>
> So far, the only thing that has given me any trouble has been
> xscreensaver, and I think I can get around that...

Why "get around" things, instead of using them as designed?

> > I ment as a work around when you have selected lots of files as some
> > user and need to put them somewhere you don't have premission. Instead
> > of starting nautilus as root and reselecting, just use root to change
> > the directory you are trying to write to.
>
> true, but that's still more work than I am doing now.  and since I am
> su-ing to root and changing permissions and copying files to a formerly
> forbidden area, am I not creating as much risk as if I were root?
>
> a couple months ago, I had a network share on the server that had
> passwords, the server did not run as root, the client system did not run
> as root.  the client system mounted the share (which had read-write
> permission for that user) in /mnt/nds.  well, I wanted to update his
> system, so I set about removing all the directories on his system except
> home so that I didn't get a free-space warning (small hard drive at the
> time).  I did something like rm -rf /usr /var /mnt ... (wow, I feel
> nervous just typing it into Evolution, hehe.)  it ran for a while, and
> then I got a message saying, "cannot remove /mnt/nds: permission
> denied".  immediately I knew what I did.  Linux took me much more
> literally than I would have expected, and I ended up losing all the data
> in that share.  at that time, I had always run as user, su-ing to root
> as necessary...

So, I don't quite get this.  Running as the user is more dangerous because you 
fat-fingered a command?  Huh?

> > Why would "everyone in the house" need access to that?
> > I haven't touched modules.conf in months. Most hardware changes don't
> > even require access to modules.conf.
>
> well, with the nVidia drivers, there are many things that can be
> adjusted with the modules.conf folder.  that was important for a while,
> because one system here had an ALi chipset that didn't like nVidia
> cards, and it was a matter of tweaking it so that it worked but didn't
> slow the system down too much...

There are also things you can pass to the modules.conf file (not folder) that 
can perm. damage the video card.  Do you really want your users having access 
to this?

> furthermore, there's no realistic way I can protect my data from the
> carelessness of others except by backing it up.  if I am a user, and I
> save some data, then it will be in the /home/user folder, right?  well,
> if I leave my system logged in as user, there is the data, completely
> vulenerable...

Locked xscreensaver, no virtual consoles left logged in.  Of course, if 
somebody really wants the data, and they have physical access to the box, 
there is no stopping them.  But locking the screensaver, and not allowing a 
<ctrl><alt><bs> can keep the casual snooper out.

THere are also many other reasons not to run as root.  Run-away processes or 
buggy software can cause _much_ more damage if ran as root, instead of as a 
user.  There are also very many security problems.  XFree86 isn't very 
secure, this being told to me by various XFree86 developers and maintainers.  
Running X as root is inviting trouble.  Many other network apps are equally 
if not more insecure, and the potential damage is much much greater if ran as 
root.

IMHO, there is no reason, other than lazyness, to run a system as root.  
Period.

-- 
Jesse Keating RHCE MCSE
http://geek.j2solutions.net
Mondo DevTeam (http://www.microwerks.net/~hugo/)

Was I helpful?  Let others know:
 http://svcs.affero.net/rm.php?r=jkeating





[Index of Archives]     [Fedora Users]     [Centos Users]     [Kernel Development]     [Red Hat Install]     [Red Hat Watch]     [Red Hat Development]     [Red Hat Phoebe Beta]     [Yosemite Forum]     [Fedora Discussion]     [Gimp]     [Stuff]     [Yosemite News]

  Powered by Linux