[ale] Linux Distributions

Michael B. Trausch fd0man at gmail.com
Tue May 17 21:04:26 EDT 2005


Jim Popovitch wrote:
> On Tue, 2005-05-17 at 13:56 -0400, George Carless wrote:
> 
>>Why would you want to run a desktop as root?  
> 
> 
> Quite simply so that I don't have to configure a thousand things in
> sudo, /dev, /proc, etc.   I like to bring up my network interfaces,
> configure iptables on the fly, change MTU, mount partitions, reformat
> temp space, access /dev/audio, /dev/dvd, /dev/midi0, etc.   What's the
> difference between giving a user access to everything vs running as
> root? 
> 

There is no need.  Place the user in the appropriate groups if they need
access to something.  If you want to have the user be able to play
audio, then place them in the audio group.  If you want them to have
access to the CD/DVD/whatever, then let them ('man 5 fstab' is a good
read, the 'users' keyword is what you're looking for).

> 
>>This is just asking for trouble.  
> 
> 
> HOW SO?   Everyone says this, nobody every follows through with
> specifics.
> 

Viruses and other exploits have very little power on a system if the
user isn't set up to run everything as root.  However, if you run across
a remote exploit once as root, it can potentially wipe out everything -
without flinching.  As a user, it can try, but to no avail.  And if you
properly configure 'sudo', the you have to enter a password when you use
it, anyway.  That way something that you get exploited on as a user
doesn't go "sudo rm -Rf /" or "sudo
/home/myuser/.some_horrible_planted_script" and win becuase no password
is required.

> 
> No need to audit software that you trust.  The fine tooth comb is needed
> to set EVERYTHING up for a normal user to have access to gratuitous
> system resources needed by everyday apps (iPODs, dvd burners, video
> games, advanced sound card features (midi, etc).
> 

Create a group and have the device owned by that group.  Only add users
with a need-to-use to it.  That's proactive security.

> 
>>there's no rationale for running as root.  
> 
> 
> Sure there is.  You may not see it however.
> 

Only when in single-user mode (e.g., "emergency" on the command line) or
when fsck fails or part of the boot process is very broken.

I've only needed to run like this once, and that was on someone else's
system and they freaked out and didn't know what to do.  The problem?
The removed something -- running as root.

> 
>>Become root - or sudo - when you need to; the rest of 
>>the time, don't.  Otherwise, running as root without problems is just a 
>>matter of luck.  How you have things configured really doesn't make too 
>>much difference when a sleep-deprived session leads you to inadvertently 
> 
> 
> What's the difference between "sudo mkfs /dev/hda8" and runing
> "mkfs /dev/hda8" as root?   
> 

If you're working with doing things that require you to work with the
partitions and creating filesystems and so forth, then why not just go
ahead and use 'sudo su -' to get a root shell for the length of time
that you need it?  If you're constantly doing stuff like this, you
didn't do your system planning right, IMHO.

-- 
Michael B. Trausch                               <fd0man at gmail.com>
Website: http://fd0man.chadeux.net/     Jabber: mtrausch at jabber.com
Phone: +1-(678)-522-7934              FAX (US Only): 1-866-806-4647
===================================================================
Do you have PGP or GPG?  Key at pgp.mit.edu, Please Encrypt E-Mail!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature




More information about the Ale mailing list