<p>The big thing, yes, is that running everything as root defeats the whole sandboxing that you get by running as a normal user---or even running things as multiple, different users.</p>
<p>With the complexity of today's software (necessarily or not) being what it is, I can't say that I would run much of anything as the root user. For that matter, I don't, even on the command line. The only root privilege I retain for myself is the use of sudo, which I nearly always call as "sudo -u $NEEDED_USER $CMD". That way, if I screw something up, I have a command to show for it in the system logs.</p>
<p>I would personally like to see "POSIX" capabilities in wider use then they are. I think it is great to have such a versatile kernel-enforced privilege mechanism, and useful to take away all the special powers of UID 0. Although I don't think that it is at all as fine-grained as it could be without add-ons, and all of the add-ons that I know of pretty much suck.</p>
<p>Anyway, just my 2 cents. The more permissions are isolated and enforced by a kernel (which can often use hardware to provide the enforcement), the better contained things such as breakins or simply rogue users are. Not saying that would be a nirvana, but it would be a big help, I think. Especially when you do things like put syslog on the network without any permission but INSERT. Of course now I am talking about something way more complex than I wager most of us want to do at home...</p>
<p>--<br>
Sent from my HTC Dream---Running Froyo!<br>
Thanks, @cyanogen!</p>
<p><blockquote type="cite">On Jul 30, 2010 7:59 PM, "scott mcbrien" <<a href="mailto:smcbrien@gmail.com">smcbrien@gmail.com</a>> wrote:<br type="attribution">One of the big problems with other OS'es is that users log in as an<br>
account with administrative privileges. On those OS'es, when an<br>
application, being run by the user, runs amok (perhaps a web browser<br>
executing badness from flash or java script?), that application runs<br>
amok with administrative rights. So when the application tries to<br>
mangle system files, libraries, etc. it can because administrators<br>
could also modify said files. That's one example of why you don't want<br>
to log in as root, but there are many more, mostly because desktop<br>
environments like gnome run many many many processes and helper<br>
applications each of which, when logged in as root, is given full<br>
administrative permission to do whatever they want on a system.<br>
<br>
-Scott<br>
<br>
On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <<a href="mailto:william@fragakis.com">william@fragakis.com</a>> wrote:<br>
> Nautilus, for one ;-)<br>
><br>
> GParted can do some interesting things, too, I'd gather but I've never<br>
> tried (to do "interesting things"). Gedit can make your day exciting as<br>
> well. Personally, I can easily do as much damage from the CLI if not<br>
> more.<br>
><br>
> I do find it easy sometimes to actually have a root Desktop although, on<br>
> this esteemed list, I'm probably in a distinct minority.<br>
><br>
> If something bad happens, I was never here.<br>
> regards,<br>
> William<br>
><br>
> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:<br>
>> Thanks, this seems to work.<br>
>> But you have to admire the warning label that pops up before the GUI<br>
>> actually appears on the screen:<br>
>><br>
>> "You are currently trying to run as Root super user. The superuser is a<br>
>> specialized account that is not designed to run a normal user session.<br>
>> Various programs will not function properly and actions performed under<br>
>> this account can cause unrecoverable damage to the operating system."<br>
>><br>
>> No hint, of course, as to what sorts of programs can cause the damage.<br>
>><br>
>> Sean<br>
>><br>
>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:<br>
>> > <a href="http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fed" target="_blank">http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fed</a><br>
>> > ora-13/<br>
>> ><br>
>> > Did this a couple of days ago.<br>
>> ><br>
>> > Use at your own risk, owner assumes all liabilites, etc. etc.<br>
>> ><br>
>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:<br>
>> > > There are times when I need to to things as root that are -- for me<br>
>> > > -- much easier to do using the GUI aps rather than the command line.<br>
>> > > Years ago on a Red Hat install, root actually had a directory in<br>
>> > > /home and I could log into the system as root and have the GUI.<br>
>> > ><br>
>> > > This FC13 install doesn't provide that feature. I can create, as<br>
>> > > root, a directory in /home. That's easy enough. But what do I have<br>
>> > > to do so that I can log in as root directly just as I log into my<br>
>> > > regular user account? If I try to log in as root now, the system<br>
>> > > just laughs at me.<br>
>> > ><br>
>> > > Clearly I am missing several steps in the process.<br>
>> > ><br>
>> > > Sean<br>
>> > > _______________________________________________<br>
>> > > Ale mailing list<br>
>> > > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> > > <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> > > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> > > <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>> ><br>
>> > _______________________________________________<br>
>> > Ale mailing list<br>
>> > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> > <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> > <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></p>