[ale] Running stuff as root == bad, was Re: FC13 question

Michael Trausch mike at trausch.us
Sat Jul 31 00:09:54 EDT 2010


The big thing, yes, is that running everything as root defeats the whole
sandboxing that you get by running as a normal user---or even running things
as multiple, different users.

With the complexity of today's software (necessarily or not) being what it
is, I can't say that I would run much of anything as the root user. For that
matter, I don't, even on the command line. The only root privilege I retain
for myself is the use of sudo, which I nearly always call as "sudo -u
$NEEDED_USER $CMD". That way, if I screw something up, I have a command to
show for it in the system logs.

I would personally like to see "POSIX" capabilities in wider use than they
are. I think it is great to have such a versatile kernel-enforced privilege
mechanism, and useful to take away all the special powers of UID 0.
Although I don't think that it is at all as fine-grained as it could be
without add-ons, and all of the add-ons that I know of pretty much suck.

Anyway, just my 2 cents. The more permissions are isolated and enforced by a
kernel (which can often use hardware to provide the enforcement), the better
contained things such as break-ins or simply rogue users are. Not saying that
would be a nirvana, but it would be a big help, I think. Especially when you
do things like put syslog on the network without any permission but INSERT.
Of course now I am talking about something way more complex than I wager
most of us want to do at home...

--
Sent from my HTC Dream---Running Froyo!
Thanks, @cyanogen!

On Jul 30, 2010 7:59 PM, "scott mcbrien" <smcbrien at gmail.com> wrote:
One of the big problems with other OS'es is that users log in as an
account with administrative privileges.  On those OS'es, when an
application, being run by the user, runs amok (perhaps a web browser
executing badness from Flash or JavaScript?), that application runs
amok with administrative rights.  So when the application tries to
mangle system files, libraries, etc. it can because administrators
could also modify said files. That's one example of why you don't want
to log in as root, but there are many more, mostly because desktop
environments like gnome run many many many processes and helper
applications each of which, when logged in as root, is given full
administrative permission to do whatever they want on a system.

-Scott

On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <william at fragakis.com>
wrote:
> Nautilus, for one ;-)
>
> GParted can do some interesting things, too, I'd gather but I've never
> tried (to do "interesting things"). Gedit can make your day exciting as
> well. Personally, I can easily do as much damage from the CLI if not
> more.
>
> I do find it easy sometimes to actually have a root Desktop although, on
> this esteemed list, I'm probably in a distinct minority.
>
> If something bad happens, I was never here.
> regards,
> William
>
> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:
>> Thanks, this seems to work.
>> But you have to admire the warning label that pops up before the GUI
>> actually appears on the screen:
>>
>> "You are currently trying to run as Root super user. The superuser is a
>> specialized account that is not designed to run a normal user session.
>> Various programs will not function properly and actions performed under
>> this account can cause unrecoverable damage to the operating system."
>>
>> No hint, of course, as to what sorts of programs can cause the damage.
>>
>> Sean
>>
>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:
>> > http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fedora-13/
>> >
>> > Did this a couple of days ago.
>> >
>> > Use at your own risk, owner assumes all liabilities, etc. etc.
>> >
>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:
>> > > There are times when I need to do things as root that are -- for me
>> > > -- much easier to do using the GUI apps rather than the command line.
>> > > Years ago on a Red Hat install, root actually had a directory in
>> > > /home and I could log into the system as root and have the GUI.
>> > >
>> > > This FC13 install doesn't provide that feature. I can create, as
>> > > root, a directory in /home. That's easy enough.  But what do I have
>> > > to do so that I can log in as root directly just as I log into my
>> > > regular user account? If I try to log in as root now, the system
>> > > just laughs at me.
>> > >
>> > > Clearly I am missing several steps in the process.
>> > >
>> > > Sean
>> > > _______________________________________________
>> > > Ale mailing list
>> > > Ale at ale.org
>> > > http://mail.ale.org/mailman/listinfo/ale
>> > > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > > http://mail.ale.org/mailman/listinfo

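An added example, not part of the thread: a small audit of the sudo records that "sudo -u $NEEDED_USER $CMD" leaves in the system log, grouping commands by target user and flagging denied attempts and root shells (after which individual commands are no longer logged). The log lines, the users alice and bob, and the host name box are constructed; the layout assumed is sudo's default syslog format.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog layout (not from the thread).
SAMPLE_LOG = """\
Jul 30 23:41:07 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql -l
Jul 30 23:44:19 box sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vim /etc/fstab
Jul 30 23:50:02 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul 30 23:52:30 box sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/fdisk -l
Jul 30 23:55:11 box sshd[2212]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

ENTRY = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<body>.*)$")
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "csh", "tcsh", "su"}

def parse_sudo_line(line):
    # Returns None for anything that is not a sudo command record.
    m = ENTRY.search(line)
    if not m or "COMMAND=" not in m["body"]:
        return None
    # COMMAND= is always the last field, so everything after it is the command.
    head, _, command = m["body"].partition("COMMAND=")
    fields, notes = {}, []
    for part in filter(None, (p.strip() for p in head.split(";"))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            fields[key] = value          # TTY, PWD, USER, ...
        else:
            notes.append(part)           # e.g. "command not allowed"
    return {"invoker": m["invoker"], "target": fields.get("USER", "root"),
            "command": command.strip(), "denied": bool(notes)}

def audit(log_text):
    """Group accepted commands by target user; list entries worth a second look."""
    by_target, flagged = defaultdict(list), []
    for line in log_text.splitlines():
        e = parse_sudo_line(line)
        if e is None:
            continue
        if e["denied"]:
            flagged.append((e["invoker"], "denied", e["command"]))
            continue
        by_target[e["target"]].append((e["invoker"], e["command"]))
        prog = e["command"].split()[0].rsplit("/", 1)[-1] if e["command"] else ""
        if e["target"] == "root" and prog in SHELLS:
            flagged.append((e["invoker"], "root shell", e["command"]))
    return dict(by_target), flagged

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```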