[ale] Running stuff as root == bad, was Re: FC13 question

William Fragakis william at fragakis.com
Sun Aug 1 10:29:00 EDT 2010


Since I invited this flame-fest....

Let's define "bad". To borrow from my wife, is this "cross the double
yellow line" bad or "I'm driving across the mall parking lot without my
seatbelt" bad?

Both violate rules of safety. One will get you killed in about 2
minutes, the other, probably not.

Most things we do in life involve inherent risks. A ride down the
interstate and seeing the crosses and flowers on the side is a ready
reminder.

Those of us who feel the need/convenience to 'that which can not be
said', aren't doing so we can log into our Facebook accounts with
ies4linux. Some things can be done completely from the CLI, some things
by su/sudo and some things for us who've been using a mouse-based GUI
for 24 years are much easier for the 15-20 minutes we need it if we can
get to a full-blown desktop. 

Mind you, I'm not the systems admin for a Fortune 500 company. I just
have a couple boxes in the basement. My skill set is at a basement level
as well.

Say, I'm messing about setting up a separate drive for my VMs, creating
the VMs, messing about with samba, editing a few .confs etc. and - God
forbid - having to consult Google when I hit a roadblock. For me, it's a
heck of a lot easier to fire up a desktop for root so I don't have to
deal with su'ing 5 different programs. The automatic response is "you
shouldn't, you should do each one, separately." To those of us who've
somehow used a desktop for decades with admin privileges without
incident, that response is a bit Jobsian ("learn to hold your phone
differently, it's not the phone's fault"). 

Could I get hacked or attacked or pooch my system in those 20 minutes?
Sure. But, in 20 minutes on the road, I could easily have a serious auto
crash. It's much more probable that 20 minutes on any Atlanta interstate
could involve me in a serious crash (during the school year, I'm on the
Connector every day, so I don't feel like I'm overstating the odds) than
having my system get borked in the same amount of time.

I'd even go further to say that if having a root graphical interface is
inherently something that should never be done, then the graphical stack
is too fragile. 

Just for fun, I looked up X11 and Xorg security advisories.  I realize
that there are more elements to a GUI than that but the list isn't
unsettling for my usage.
<http://www.x.org/wiki/Development/Security?action=show&redirect=SecurityPage>

Again, I get that if I'm running the system of something where if things
go bad people lose their jobs or die, I need to be really, really
careful and not log in as root. But let's be somewhat realistic on what
"bad" is. <begin playful sarcasm>Otherwise, I fully expect that should I
see you driving about town that you'll be using your HANS head restraint
device and have environmentally safe foam peanuts up to your
windows.</bps>

And, <more bps>considering how many Libertarians there are on this list
who haven't risen to the defense of my doing something stupid being my
own concern, I'm shocked.  ;-) </more bps>

Now, let me go get my Nomex suit before the responses come hurtling in. 

regards,
William

Message sent from my reinforced concrete bunker from an account that
barely had enough privileges to even use the keyboard.

 

On Sun, 2010-08-01 at 08:22 -0400, Greg Freemyer wrote:
> kdesu works in kde.
> 
> I use it from time to time.
> 
> Greg
> 
> On 7/31/10, Richard Bronosky <Richard at bronosky.com> wrote:
> > While I agree with the sentiments of this message, the subject is just
> > plain wrong. Running *stuff* as root *is not* bad. Running
> > *everything* as root *is* bad. That is exactly what happens when you
> > log into GUI [display manager|window manager|desktop
> > environment|whatever] (I don't know anything about the X.org stack. I
> > don't use GUIs) you run *everything* as yourself. You don't want that
> > _yourself_ to be root. I could have sworn that back when I was doing
> > MythTV I used xfce or rat poison and I used a utility called Xsudo,
> > sudoX, or GnomeSudo. That was good for running the occasional app as
> > sudo. I found that MythTV being graphical by nature forced me to do
> > this.
> >
> >
> > On 7/30/10, scott mcbrien <smcbrien at gmail.com> wrote:
> >> One of the big problems with other OS'es is that users log in as an
> >> account with administrative privileges.  On those OS'es, when an
> >> application, being run by the user, runs amok (perhaps a web browser
> >> executing badness from Flash or JavaScript?), that application runs
> >> amok with administrative rights.  So when the application tries to
> >> mangle system files, libraries, etc. it can because administrators
> >> could also modify said files. That's one example of why you don't want
> >> to log in as root, but there are many more, mostly because desktop
> >> environments like gnome run many many many processes and helper
> >> applications each of which, when logged in as root, is given full
> >> administrative permission to do whatever they want on a system.
> >>
> >> -Scott
> >>
> >> On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <william at fragakis.com>
> >> wrote:
> >>> Nautilus, for one ;-)
> >>>
> >>> GParted can do some interesting things, too, I'd gather but I've never
> >>> tried (to do "interesting things"). Gedit can make your day exciting as
> >>> well. Personally, I can easily do as much damage from the CLI if not
> >>> more.
> >>>
> >>> I do find it easy sometimes to actually have a root Desktop although, on
> >>> this esteemed list, I'm probably in a distinct minority.
> >>>
> >>> If something bad happens, I was never here.
> >>> regards,
> >>> William
> >>>
> >>> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:
> >>>> Thanks, this seems to work.
> >>>> But you have to admire the warning label that pops up before the GUI
> >>>> actually appears on the screen:
> >>>>
> >>>> "You are currently trying to run as Root super user. The superuser is a
> >>>> specialized account that is not designed to run a normal user session.
> >>>> Various programs will not function properly and actions performed under
> >>>> this account can cause unrecoverable damage to the operating system."
> >>>>
> >>>> No hint, of course, as to what sorts of programs can cause the damage.
> >>>>
> >>>> Sean
> >>>>
> >>>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:
> >>>> > http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fedora-13/
> >>>> >
> >>>> > Did this a couple of days ago.
> >>>> >
> >>>> > Use at your own risk, owner assumes all liabilities, etc. etc.
> >>>> >
> >>>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:
> >>>> > > There are times when I need to do things as root that are -- for me
> >>>> > > -- much easier to do using the GUI apps rather than the command line.
> >>>> > > Years ago on a Red Hat install, root actually had a directory in
> >>>> > > /home and I could log into the system as root and have the GUI.
> >>>> > >
> >>>> > > This FC13 install doesn't provide that feature. I can create, as
> >>>> > > root, a directory in /home. That's easy enough.  But what do I have
> >>>> > > to do so that I can log in as root directly just as I log into my
> >>>> > > regular user account? If I try to log in as root now, the system
> >>>> > > just laughs at me.
> >>>> > >
> >>>> > > Clearly I am missing several steps in the process.
> >>>> > >
> >>>> > > Sean
> >>>> > > _______________________________________________
> >>>> > > Ale mailing list
> >>>> > > Ale at ale.org
> >>>> > > http://mail.ale.org/mailman/listinfo/ale
> >>>> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> >>>> > > http://mail.ale.org/mailman/listinfo
> >>>> >
> >>>
> >>>
> >>>
> >>
> >>
> >
> > --
> > Sent from my mobile device
> >
> > .!# RichardBronosky #!.
> >
> >
> 



