Right I got a customer who is only running one account, namely root
and 1 app.  I suspect this person is opening himself to trouble.

yes/no?
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

On Fri, 6 Nov 2009 03:27:57 +0000 (UTC), The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>Right I got a customer who is only running one account, namely root
>and 1 app.  I suspect this person is opening himself to trouble.

>yes/no?

Using root for anything but system administration is insanity.
Any process at any time can overwrite any part of the system.


That person is throwing away 50 years of computer security technology.


Just because the standard windows' user does everything as admin doesn't make
it a reasonable idea.

On 2009-11-06, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.
>
> yes/no?

Probably yes.  Ask him if he knows why he's doing this.  If he doesn't
know, strongly suggest that he stop.

--keith


-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

The Doctor wrote:

> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.
> 
> yes/no?

Depends, might be perfectly fine (and probably is).  What's the
application running?  Anyway, most of security issues revolve around
things other than root 99% of the time (but those 99% of things usually
end up being things done as root once exploited).
-- 
Not really a wanna-be, but I don't know everything.

Wanna-Be Sys Admin <sysadmin@example.com> writes:

>The Doctor wrote:

>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>> 
>> yes/no?

>Depends, might be perfectly fine (and probably is).  What's the
>application running?  Anyway, most of security issues revolve around
>things other than root 99% of the time (but those 99% of things usually
>end up being things done as root once exploited).

IF that system never ever ever is connected to the net in any way, via modem or
ethernet, or anything else, then this may well be fine. It is still dangerous,
since that account CAN run anything, on purpose or by accident. It can also do
immense damage (rm -r /) which a special account could not. 

The Doctor wrote:
> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.
> 
> yes/no?
well its a risk yu dont need to take.

Youy can configure IIRC a no password user login, and put that user in 
the root group so privileges needed for admin are granted automatically, 
and still run as an unprivileged user..

doctor@doctor.nl2k.ab.ca (The Doctor) writes:

> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.
>
> yes/no?

Does the application connect to any network?  If it does, and there is
a security flaw, the box can become compromized.

Unruh <unruh-spam@physics.ubc.ca> writes:

> IF that system never ever ever is connected to the net in any way,
> via modem or ethernet, or anything else, then this may well be
> fine. It is still dangerous, since that account CAN run anything, on
> purpose or by accident. It can also do immense damage (rm -r /)
> which a special account could not.

Good point. For instance, someone may walk up to a terminal, and do
something at the terminal that allows them to gain access to the root
account. Some programs like vim and more (less) allow shell access.


And then someone can walk up to a dedicated application, and with the
mouse save a file that overwrites a file like /etc/passwd -
/etc/shadow, and thereby deleting the password. Or they can trash the
system by overwriting some critical file.


It took Microsoft decades to realize the mistake of running the system
under an adminitrator account. There is a reason for this.

The Natural Philosopher <tnp@invalid.invalid> writes:

> The Doctor wrote:
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>>
>> yes/no?
> well its a risk yu dont need to take.
>
> Youy can configure IIRC a no password user login, and put that user in
> the root group so privileges needed for admin are granted
> automatically, and still run as an unprivileged user..

Sounds like a very bad idea to me to perenantly grant IIRC privileges
this way.. a Setgid mechanism, which drops these privilegdes once the
network channels are established would be better.

Maxwell Lol wrote:
> Unruh <unruh-spam@physics.ubc.ca> writes:
> 
>> IF that system never ever ever is connected to the net in any way,
>> via modem or ethernet, or anything else, then this may well be
>> fine. It is still dangerous, since that account CAN run anything, on
>> purpose or by accident. It can also do immense damage (rm -r /)
>> which a special account could not.
> 
> Good point. For instance, someone may walk up to a terminal, and do
> something at the terminal that allows them to gain access to the root
> account. Some programs like vim and more (less) allow shell access.
> 
> 
> And then someone can walk up to a dedicated application, and with the
> mouse save a file that overwrites a file like /etc/passwd -
> /etc/shadow, and thereby deleting the password. Or they can trash the
> system by overwriting some critical file.
> 
> 
> It took Microsoft decades to realize the mistake of running the system
> under an adminitrator account. There is a reason for this.

You have to take a view on risk.

My desktop is run as a user, but I routinely make it very very easy to 
slip into 'root' mode to reconfigure it. It DOES have a name/password to 
get in - doesn't autoboot into my account, but once in, it's wide open 
FROM THE KEYBOARD. Not from the net though. That is foolish, although 
its pretty much hidden behind a NAT firewall.

Essentially, unless its stolen, it's no big risk. The bigger risk is me 
accidentally trashing it. Yup. been there, done that...

And if stolen by any reasonable linux guru, all he has to do is slip in 
a boot DVD and reset all the user passwords anyway..or just mount the 
disk..not that that would get my real data, cos that's all on a file 
server,

Having root separate means at least I am aware that I am doing Bad Stuff 
when I am root, a clear distinction between using the box, and 
configuring it.

IF it was in a place where people might fiddle and gaze at my private 
data, then of course I would be more secure with it, but its at home.

I do think people get too antsy about security. By far and away the 
greater risks are not from root kits, but from things like phishing and 
so on. There are ten unguarded windows boxes for every one reasonbly 
well guarded linux box. They are a much softer target. Id say that 
running as root is an unnecessary risk, with almost no benefits, but its 
not the worst thing you can do.

At Fri, 6 Nov 2009 03:27:57 +0000 (UTC) doctor@doctor.nl2k.ab.ca (The Doctor) wrote:

> 
> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.

Do you mean something started by init -- eg something like apache or named
or dhcp fired off during system startup from a script in /etc/init.d
(with a Snn<mumble> symlink in /etc/rcN.d/?  This would be normal.  If
he is logging in as root and then running some garden variaty program
either from the command line or from a GUI screen, this is bad, bad,
bad, partitularly if the machine is on a network and the application is
network based (like a web browser).

> 
> yes/no?

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
heller@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/
                                                 

Maxwell Lol wrote:
> The Natural Philosopher <tnp@invalid.invalid> writes:
> 
>> The Doctor wrote:
>>> Right I got a customer who is only running one account, namely root
>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>
>>> yes/no?
>> well its a risk yu dont need to take.
>>
>> Youy can configure IIRC a no password user login, and put that user in
>> the root group so privileges needed for admin are granted
>> automatically, and still run as an unprivileged user..
> 
> Sounds like a very bad idea to me to perenantly grant IIRC privileges
> this way.. a Setgid mechanism, which drops these privilegdes once the
> network channels are established would be better.

well its not secure from the keyboard, but it is secure from perversion 
of user processes.

I.e. here I run as me, but I don't have to enter any passwords to e.g. 
run the package manager.

And if I want a root shell, I can get it instantly, but its very much 
obviously a root shell.

For me, that's great., No irritating second password barrier to becoming 
an admin, but its clear when I am admin.

And it means that my normal user stuff..editors, mail and browsers, cant 
stamp on the whole filesystem including config files, by mistake. Or by 
externally induced abuse.

For me, thats teh best compromise.

YMMV. there is no perfect security, there is always a tradeoff between 
security and hassle in unlocking the doors.

What I was trying to convey, is that to achieve a good level of security 
against net attacks, whilst making admin relatively painless, is no 
extra effort than running all the time as root.

That is, the only advantage to running as root, is instant access to 
admin. But you can essentially have that anyway, with less risk of 
accidental trashing. So there is no real reason to run as root that I 
can see.

Robert Heller wrote:
> At Fri, 6 Nov 2009 03:27:57 +0000 (UTC) doctor@doctor.nl2k.ab.ca (The Doctor) wrote:
> 
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
> 
> Do you mean something started by init -- eg something like apache or named
> or dhcp fired off during system startup from a script in /etc/init.d
> (with a Snn<mumble> symlink in /etc/rcN.d/?  This would be normal.  If
> he is logging in as root and then running some garden variaty program
> either from the command line or from a GUI screen, this is bad, bad,
> bad, partitularly if the machine is on a network and the application is
> network based (like a web browser).
> 

I assumed that was indeed the case, yes.

There is no need to grant privileges beyond necessity.


To paraphrase Occam ;-)

>> yes/no?
> 

And verily, didst Maxwell Lol <nospam@com.invalid> hastily babble thusly:
> And then someone can walk up to a dedicated application, and with the
> mouse save a file that overwrites a file like /etc/passwd -
> /etc/shadow, and thereby deleting the password. Or they can trash the
> system by overwriting some critical file.

Even the kernel itself.
 

-- 
|   spike1@freenet.co.uk   |                                                 |
|   Andrew Halliwell BSc   | "ARSE! GERLS!! DRINK! DRINK! DRINK!!!"          |
|            in            | "THAT WOULD BE AN ECUMENICAL MATTER!...FECK!!!! |
|     Computer Science     | - Father Jack in "Father Ted"                   |

On Thu, 05 Nov 2009 20:57:21 -0800, Wanna-Be Sys Admin <sysadmin@example.com> wrote:
>The Doctor wrote:

>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>> 
>> yes/no?

>Depends, might be perfectly fine (and probably is).  What's the
>application running?  Anyway, most of security issues revolve around
>things other than root 99% of the time (but those 99% of things usually
>end up being things done as root once exploited).

Does the application connect to the internet?
Does he do anything but the application while logged in as root?

In article <slrnhf77d3.sba.aznomad.3@ip70-176-155-130.ph.ph.cox.net>,
AZ Nomad  <aznomad.3@PremoveOBthisOX.COM> wrote:
>On Fri, 6 Nov 2009 03:27:57 +0000 (UTC), The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>>Right I got a customer who is only running one account, namely root
>>and 1 app.  I suspect this person is opening himself to trouble.
>
>>yes/no?
>
>Using root for anything but system administration is insanity.
>Any process at any time can overwrite any part of the system.
>
>
>That person is throwing away 50 years of computer security technology.
>
>
>Just because the standard windows' user does everything as admin doesn't make
>it a reasonable idea.

10/10 .
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

In article <06kcs6x40j.ln2@goaway.wombat.san-francisco.ca.us>,
Keith Keller  <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
>On 2009-11-06, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>>
>> yes/no?
>
>Probably yes.  Ask him if he knows why he's doing this.  If he doesn't
>know, strongly suggest that he stop.
>
>--keith
>
>
>-- 
>kkeller-usenet@wombat.san-francisco.ca.us
>(try just my userid to email me)
>AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
>see X- headers for PGP signature information
>

3 of us concur.  This client is running an e-newsletter programme.

Even I recommend to people

1) Have 2 accounts minimum

2) Do not run any programme as root.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

In article <R0OIm.3739$gg6.1377@newsfe25.iad>,
Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>The Doctor wrote:
>
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>> 
>> yes/no?
>
>Depends, might be perfectly fine (and probably is).  What's the
>application running?  Anyway, most of security issues revolve around
>things other than root 99% of the time (but those 99% of things usually
>end up being things done as root once exploited).
>-- 
>Not really a wanna-be, but I don't know everything.

And E-newsletter app.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

In article <QaQIm.51661$PH1.16608@edtnps82>,
Unruh  <unruh-spam@physics.ubc.ca> wrote:
>Wanna-Be Sys Admin <sysadmin@example.com> writes:
>
>>The Doctor wrote:
>
>>> Right I got a customer who is only running one account, namely root
>>> and 1 app.  I suspect this person is opening himself to trouble.
>>> 
>>> yes/no?
>
>>Depends, might be perfectly fine (and probably is).  What's the
>>application running?  Anyway, most of security issues revolve around
>>things other than root 99% of the time (but those 99% of things usually
>>end up being things done as root once exploited).
>
>IF that system never ever ever is connected to the net in any way, via modem or
>ethernet, or anything else, then this may well be fine. It is still dangerous,
>since that account CAN run anything, on purpose or by accident. It can also do
>immense damage (rm -r /) which a special account could not. 
>
>

I hear you.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

In article <hd0rk3$81r$2@news.albasani.net>,
The Natural Philosopher  <tnp@invalid.invalid> wrote:
>The Doctor wrote:
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>> 
>> yes/no?
>well its a risk yu dont need to take.
>
>Youy can configure IIRC a no password user login, and put that user in 
>the root group so privileges needed for admin are granted automatically, 
>and still run as an unprivileged user..
>

Well something is not secure I keep telling the user.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

On Fri, 6 Nov 2009, The Doctor wrote:

> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.
>
> yes/no?

When this has come up before, it's often become clear after a bit that
the person running as root often can't see an alternative.  They hit 
something that requires being root, so they think it's better to be root 
than configure things properly. A classic example is not being able to 
access the CDROM drive, because their user account isn't in the group that 
allows access to the CDROM.  It's simple to fix, just put their user 
account in the group that has access to the CDROM, but too often the 
beginner doesn't realize that.

Then of course at least once, and maybe more, someone has whined about how 
they can't run something as root, so they want details on how to "fix" it.
They can't switch their mind out of being root, so they think the program 
is "faulty", rather than realize it's a clue that they shouldn't be 
running as root.

In a single user system, one can actually be pretty lenient, not fussing 
quite as much as with a multiple user system.  You might as well make the 
CDROM and other removeable drives open to all since "all" is only one 
user.  But far better to take that time to configure things than run as
root.

    Michael

On Fri, 06 Nov 2009 12:38:02 +0000, The Natural Philosopher wrote:

> Maxwell Lol wrote:
>> The Natural Philosopher <tnp@invalid.invalid> writes:
>> 
>>> The Doctor wrote:
>>>> Right I got a customer who is only running one account, namely root
>>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>>
>>>> yes/no?
>>> well its a risk yu dont need to take.
>>>
>>> Youy can configure IIRC a no password user login, and put that user in
>>> the root group so privileges needed for admin are granted
>>> automatically, and still run as an unprivileged user..
>> 
>> Sounds like a very bad idea to me to perenantly grant IIRC privileges
>> this way.. a Setgid mechanism, which drops these privilegdes once the
>> network channels are established would be better.
> 
> well its not secure from the keyboard, but it is secure from perversion
> of user processes.
> 
> I.e. here I run as me, but I don't have to enter any passwords to e.g.
> run the package manager.
> 
> And if I want a root shell, I can get it instantly, but its very much
> obviously a root shell.
> 
> For me, that's great., No irritating second password barrier to becoming
> an admin, but its clear when I am admin.
> 
> And it means that my normal user stuff..editors, mail and browsers, cant
> stamp on the whole filesystem including config files, by mistake. Or by
> externally induced abuse.
> 
> For me, thats teh best compromise.
> 
> YMMV. there is no perfect security, there is always a tradeoff between
> security and hassle in unlocking the doors.
> 
> What I was trying to convey, is that to achieve a good level of security
> against net attacks, whilst making admin relatively painless, is no
> extra effort than running all the time as root.
> 
> That is, the only advantage to running as root, is instant access to
> admin. But you can essentially have that anyway, with less risk of
> accidental trashing. So there is no real reason to run as root that I
> can see.
>
I use sudo instead. This doesn't introduce a console vulnerability. sudo's 
configuration file includes options to give access with or without a 
password, and to specific commands or all commands. With the most non-
restrictive options you can get to root very quickly:

$ sudo -i
root@somebox:~#

Be careful as root, then exit out of the shell when operations that 
require elevated privilege are complete.

-- 
Douglas Mayne

In article <Pine.LNX.4.64.0911061015540.2856@darkstar.example.net>,
Michael Black  <et472@ncf.ca> wrote:
>On Fri, 6 Nov 2009, The Doctor wrote:
>
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>>
>> yes/no?
>
>When this has come up before, it's often become clear after a bit that
>the person running as root often can't see an alternative.  They hit 
>something that requires being root, so they think it's better to be root 
>than configure things properly. A classic example is not being able to 
>access the CDROM drive, because their user account isn't in the group that 
>allows access to the CDROM.  It's simple to fix, just put their user 
>account in the group that has access to the CDROM, but too often the 
>beginner doesn't realize that.
>
>Then of course at least once, and maybe more, someone has whined about how 
>they can't run something as root, so they want details on how to "fix" it.
>They can't switch their mind out of being root, so they think the program 
>is "faulty", rather than realize it's a clue that they shouldn't be 
>running as root.
>
>In a single user system, one can actually be pretty lenient, not fussing 
>quite as much as with a multiple user system.  You might as well make the 
>CDROM and other removeable drives open to all since "all" is only one 
>user.  But far better to take that time to configure things than run as
>root.
>
>    Michael

But the system can be hacked into.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

In article <hd1fum$uv0$3@news.xmission.com>,
Douglas Mayne  <invalid@invalid.com> wrote:
>On Fri, 06 Nov 2009 12:38:02 +0000, The Natural Philosopher wrote:
>
>> Maxwell Lol wrote:
>>> The Natural Philosopher <tnp@invalid.invalid> writes:
>>> 
>>>> The Doctor wrote:
>>>>> Right I got a customer who is only running one account, namely root
>>>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>>>
>>>>> yes/no?
>>>> well its a risk yu dont need to take.
>>>>
>>>> Youy can configure IIRC a no password user login, and put that user in
>>>> the root group so privileges needed for admin are granted
>>>> automatically, and still run as an unprivileged user..
>>> 
>>> Sounds like a very bad idea to me to perenantly grant IIRC privileges
>>> this way.. a Setgid mechanism, which drops these privilegdes once the
>>> network channels are established would be better.
>> 
>> well its not secure from the keyboard, but it is secure from perversion
>> of user processes.
>> 
>> I.e. here I run as me, but I don't have to enter any passwords to e.g.
>> run the package manager.
>> 
>> And if I want a root shell, I can get it instantly, but its very much
>> obviously a root shell.
>> 
>> For me, that's great., No irritating second password barrier to becoming
>> an admin, but its clear when I am admin.
>> 
>> And it means that my normal user stuff..editors, mail and browsers, cant
>> stamp on the whole filesystem including config files, by mistake. Or by
>> externally induced abuse.
>> 
>> For me, thats teh best compromise.
>> 
>> YMMV. there is no perfect security, there is always a tradeoff between
>> security and hassle in unlocking the doors.
>> 
>> What I was trying to convey, is that to achieve a good level of security
>> against net attacks, whilst making admin relatively painless, is no
>> extra effort than running all the time as root.
>> 
>> That is, the only advantage to running as root, is instant access to
>> admin. But you can essentially have that anyway, with less risk of
>> accidental trashing. So there is no real reason to run as root that I
>> can see.
>>
>I use sudo instead. This doesn't introduce a console vulnerability. sudo's 
>configuration file includes options to give access with or without a 
>password, and to specific commands or all commands. With the most non-
>restrictive options you can get to root very quickly:
>
>$ sudo -i
>root@somebox:~#
>
>Be careful as root, then exit out of the shell when operations that 
>require elevated privilege are complete.
>
>-- 
>Douglas Mayne

I am a BSDer but Agreed running as root is not a good idea.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

The Natural Philosopher wrote:

> 
> You have to take a view on risk.
> 
> My desktop is run as a user, but I routinely make it very very easy to 
> slip into 'root' mode to reconfigure it. It DOES have a name/password to 
> get in - doesn't autoboot into my account, but once in, it's wide open 
> FROM THE KEYBOARD. Not from the net though. That is foolish, although 
> its pretty much hidden behind a NAT firewall.
> 
> Essentially, unless its stolen, it's no big risk. The bigger risk is me 
> accidentally trashing it. Yup. been there, done that...
> 
> And if stolen by any reasonable linux guru, all he has to do is slip in 
> a boot DVD and reset all the user passwords anyway..or just mount the 
> disk..not that that would get my real data, cos that's all on a file 
> server,
> 
> Having root separate means at least I am aware that I am doing Bad Stuff 
> when I am root, a clear distinction between using the box, and 
> configuring it.
> 
> IF it was in a place where people might fiddle and gaze at my private 
> data, then of course I would be more secure with it, but its at home.
> 
> I do think people get too antsy about security. By far and away the 
> greater risks are not from root kits, but from things like phishing and 
> so on. There are ten unguarded windows boxes for every one reasonbly 
> well guarded linux box. They are a much softer target. Id say that 
> running as root is an unnecessary risk, with almost no benefits, but its 
> not the worst thing you can do.
> 
I agree, with qualifications. If you're going to take a risk, you first 
have to identify the potential ramifications. That means you have to 
make the effort to educate yourself. If you haven't done that, you 
shouldn't take the risk.

But at the same time there are some Linux users who know so much that 
they are fearful of doing anything at all risky. That's not good, 
either. Most "gurus" will tell you that you should never, ever, ever run 
a GUI file manager like Dolphin or Konqueror as root, because of the 
potential of clicking on the wrong thing and trashing the whole system. 
It's true that that can certainly happen, but in my own incompetent 
case, I'm MUCH more likely to trash something while using the command 
line as root, because of some simple typo, than I am when using a GUI 
interface. It's happened, more than once.

TJ

On Fri, 6 Nov 2009 15:39:02 +0000 (UTC), Douglas Mayne <invalid@invalid.com> wrote:

>I use sudo instead. This doesn't introduce a console vulnerability. sudo's 
>configuration file includes options to give access with or without a 
>password, and to specific commands or all commands. With the most non-
>restrictive options you can get to root very quickly:
>
>$ sudo -i
>root@somebox:~#

I enabled sudo a while back and did find it useful, for example compile 
install a wotsit from source: ./configure && make && sudo make install

Turns out to be quite easy.  If I'm doing a lot of stuff as root I'll 
open a root console as well as user console.  Generally I ssh into box 
so there's an agent running to supply passphrase.
>
>Be careful as root, then exit out of the shell when operations that 
>require elevated privilege are complete.

Many ways :)  I rarely boost user account to root, except on GUI where 
opening a terminal already logged in as user, needs the boost to root. 

Grant.
-- 
http://bugsplatter.id.au

On Fri, 06 Nov 2009, in the Usenet newsgroup comp.os.linux.misc, in article
<874op7kfsb.fsf@com.invalid>, Maxwell Lol wrote:

>Unruh <unruh-spam@physics.ubc.ca> writes:

>> IF that system never ever ever is connected to the net in any way,
>> via modem or ethernet, or anything else, then this may well be
>> fine.

    Secure-Programs-HOWTO, Secure Programming for Linux and Unix HOWTO

       Updated: Mar 2003. Provides a set of design and implementation
       guidelines for writing secure programs for Linux and Unix systems.

>> It is still dangerous, since that account CAN run anything, on
>> purpose or by accident. It can also do immense damage (rm -r /)
>> which a special account could not.

So Bill, are all of the daemons on your systems (including for example
/sbin/init, /sbin/mingetty and /usr/sbin/sshd) running as non-root users? 

>Good point. For instance, someone may walk up to a terminal, and do
>something at the terminal that allows them to gain access to the root
>account.

Free clue people:

  PHYSICAL ACCESS BEATS FIVE ACES.

>Some programs like vim and more (less) allow shell access.

In nearly all cases, so does the freakin' boot loader.

>It took Microsoft decades to realize the mistake of running the
>system under an adminitrator account. There is a reason for this.

Apparently, vista no longer has a default or suggested account with
the name 'administrator' - instead, that is a group description and
belonging to that group gives you administrator privileges.  As with
any O/S, the "first" account created is privileged - it's needed for
administrative duties (even if you later have to jump through major
hoops to access it - single user or via a boot/rescue CD).

I recently watched an "experienced" windoze luser setting up
accounts on a "new" vista box - the "Create New Account" tool offered
either "Standard user" or "Administrator" groups (in that order),
with very little indication of possible dangers, although there
_was_ a link at the bottom of the screen titled "Why is a standard
account recommended?".  Remember that microsoft doesn't _dare_ make
it hard for users (convenience ALWAYS trumps security or anything
else), so they are the ones who walked into the minefield.  The
average user has no clue and is merely following the lead without
understanding or being aware of the _existence_ of consequences.

        Old guy

Douglas Mayne wrote:
> On Fri, 06 Nov 2009 12:38:02 +0000, The Natural Philosopher wrote:
> 
>> Maxwell Lol wrote:
>>> The Natural Philosopher <tnp@invalid.invalid> writes:
>>>
>>>> The Doctor wrote:
>>>>> Right I got a customer who is only running one account, namely root
>>>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>>>
>>>>> yes/no?
>>>> well its a risk yu dont need to take.
>>>>
>>>> Youy can configure IIRC a no password user login, and put that user in
>>>> the root group so privileges needed for admin are granted
>>>> automatically, and still run as an unprivileged user..
>>> Sounds like a very bad idea to me to perenantly grant IIRC privileges
>>> this way.. a Setgid mechanism, which drops these privilegdes once the
>>> network channels are established would be better.
>> well its not secure from the keyboard, but it is secure from perversion
>> of user processes.
>>
>> I.e. here I run as me, but I don't have to enter any passwords to e.g.
>> run the package manager.
>>
>> And if I want a root shell, I can get it instantly, but its very much
>> obviously a root shell.
>>
>> For me, that's great., No irritating second password barrier to becoming
>> an admin, but its clear when I am admin.
>>
>> And it means that my normal user stuff..editors, mail and browsers, cant
>> stamp on the whole filesystem including config files, by mistake. Or by
>> externally induced abuse.
>>
>> For me, thats teh best compromise.
>>
>> YMMV. there is no perfect security, there is always a tradeoff between
>> security and hassle in unlocking the doors.
>>
>> What I was trying to convey, is that to achieve a good level of security
>> against net attacks, whilst making admin relatively painless, is no
>> extra effort than running all the time as root.
>>
>> That is, the only advantage to running as root, is instant access to
>> admin. But you can essentially have that anyway, with less risk of
>> accidental trashing. So there is no real reason to run as root that I
>> can see.
>>
> I use sudo instead. This doesn't introduce a console vulnerability. sudo's 
> configuration file includes options to give access with or without a 
> password, and to specific commands or all commands. With the most non-
> restrictive options you can get to root very quickly:
> 
> $ sudo -i
> root@somebox:~#
> 
> Be careful as root, then exit out of the shell when operations that 
> require elevated privilege are complete.
> 
essentially that's what my root console does. There is just no password 
challenge.

That's a security hazard I am willing to accept for the convenience. I 
don't recommend it, I just state that's my considered preference.

I have another machine that is set up to always ask for a master 
password every time I do anything remotely admin. It gets on my tits.

Grant wrote:
> On Fri, 6 Nov 2009 15:39:02 +0000 (UTC), Douglas Mayne <invalid@invalid.com> wrote:
> 
>> I use sudo instead. This doesn't introduce a console vulnerability. sudo's 
>> configuration file includes options to give access with or without a 
>> password, and to specific commands or all commands. With the most non-
>> restrictive options you can get to root very quickly:
>>
>> $ sudo -i
>> root@somebox:~#
> 
> I enabled sudo a while back and did find it useful, for example compile 
> install a wotsit from source: ./configure && make && sudo make install
> 
> Turns out to be quite easy.  If I'm doing a lot of stuff as root I'll 
> open a root console as well as user console.  Generally I ssh into box 
> so there's an agent running to supply passphrase.
>> Be careful as root, then exit out of the shell when operations that 
>> require elevated privilege are complete.
> 
> Many ways :)  I rarely boost user account to root, except on GUI where 
> opening a terminal already logged in as user, needs the boost to root. 
> 
> Grant.

I think that's what mots of us running personal desktops do: get the 
user account working properly, but make root access easy, but definitely 
DIFFERENT to running as the user.

TJ wrote:

> But at the same time there are some Linux users who know so much that 
> they are fearful of doing anything at all risky. That's not good, 
> either. Most "gurus" will tell you that you should never, ever, ever run 
> a GUI file manager like Dolphin or Konqueror as root, because of the 
> potential of clicking on the wrong thing and trashing the whole system. 
> It's true that that can certainly happen, but in my own incompetent 
> case, I'm MUCH more likely to trash something while using the command 
> line as root, because of some simple typo, than I am when using a GUI 
> interface. It's happened, more than once.
> 

either terrifies me :-)

Heck I once brought down a multi-user machine with 100 people on it 
loading a custom daemon  to check out an obscure networking problem.

Fortunately, I didn't patch it into the startup files..reboot and off 
they all went..

Ultimately my security is that

(a) all my precious data is on a mirrored file server

(b) I reinstalled everything in a day last time, and can probably do the 
same again.

But I don't fiddle with the setup unless something isn't working.



> TJ

The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> Right I got a customer who is only running one account, namely root
> and 1 app.  I suspect this person is opening himself to trouble.
> 
> yes/no?

Just like with Windows or any other OS, running routinely with root 
privileges is just asking for trouble. Anything you do deliberately or 
accidentally can mess up your system, not to mention install malware of 
all kinds.

Just like in Windows or any other OS, there's very little reason 
to run as root except when doing admin.

Stan

In article <4af48b00$0$1649$742ec2ed@news.sonic.net>,
Stan Bischof  <stan@newserve.worldbadminton.com> wrote:
>The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>> Right I got a customer who is only running one account, namely root
>> and 1 app.  I suspect this person is opening himself to trouble.
>> 
>> yes/no?
>
>Just like with Windows or any other OS, running routinely with root 
>privileges is just asking for trouble. Anything you do deliberately or 
>accidentally can mess up your system, not to mention install malware of 
>all kinds.
>
>Just like in Windows or any other OS, there's very little reason 
>to run as root except when doing admin.
>
>Stan

I fully concur.  I will send my client a link to this thread.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

Unruh wrote:

> Wanna-Be Sys Admin <sysadmin@example.com> writes:
> 
>>The Doctor wrote:
> 
>>> Right I got a customer who is only running one account, namely root
>>> and 1 app.  I suspect this person is opening himself to trouble.
>>> 
>>> yes/no?
> 
>>Depends, might be perfectly fine (and probably is).  What's the
>>application running?  Anyway, most of security issues revolve around
>>things other than root 99% of the time (but those 99% of things
>>usually end up being things done as root once exploited).
> 
> IF that system never ever ever is connected to the net in any way, via
> modem or ethernet, or anything else, then this may well be fine. It is
> still dangerous, since that account CAN run anything, on purpose or by
> accident. It can also do immense damage (rm -r /) which a special
> account could not.

Well, the OP never said what the user does (I got the impression it
meant they user wasn't using the system for any accounts, and just had
some services running), but yeah, if they are using it and doing things
as root that you'd want to do as a normal non priv user, then yeah,
it's less safe.
-- 
Not really a wanna-be, but I don't know everything.

The Doctor wrote:

> In article <R0OIm.3739$gg6.1377@newsfe25.iad>,
> Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>>The Doctor wrote:
>>
>>> Right I got a customer who is only running one account, namely root
>>> and 1 app.  I suspect this person is opening himself to trouble.
>>> 
>>> yes/no?
>>
>>Depends, might be perfectly fine (and probably is).  What's the
>>application running?  Anyway, most of security issues revolve around
>>things other than root 99% of the time (but those 99% of things
>>usually end up being things done as root once exploited).
>>--
>>Not really a wanna-be, but I don't know everything.
> 
> And E-newsletter app.

So, is that news letter app running as root?  If so, should it be if you
can help it?  If he can, he should run a non priv user account just for
that app.
-- 
Not really a wanna-be, but I don't know everything.

In article <_b2Jm.24823$1g6.15909@newsfe10.iad>,
Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>The Doctor wrote:
>
>> In article <R0OIm.3739$gg6.1377@newsfe25.iad>,
>> Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>>>The Doctor wrote:
>>>
>>>> Right I got a customer who is only running one account, namely root
>>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>> 
>>>> yes/no?
>>>
>>>Depends, might be perfectly fine (and probably is).  What's the
>>>application running?  Anyway, most of security issues revolve around
>>>things other than root 99% of the time (but those 99% of things
>>>usually end up being things done as root once exploited).
>>>--
>>>Not really a wanna-be, but I don't know everything.
>> 
>> And E-newsletter app.
>
>So, is that news letter app running as root?  If so, should it be if you
>can help it?  If he can, he should run a non priv user account just for
>that app.
>-- 
>Not really a wanna-be, but I don't know everything.

We agree!! I never want to see an app running as root.
-- 
Member - Liberal International	This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.myspace.com/502748630 
For the latest World News go to http://www.cuttingedge.org/ - Lest we forget 2009 .

The Natural Philosopher wrote:

[putolin]

> I do think people get too antsy about security. By far and away the
> greater risks are not from root kits, but from things like phishing and
> so on. There are ten unguarded windows boxes for every one reasonbly
> well guarded linux box. They are a much softer target. Id say that
> running as root is an unnecessary risk, with almost no benefits, but its
> not the worst thing you can do.

The worst thing you could do is type rm -rf / or rm -rf .* while as root
account.

Wanna-Be Sys Admin <sysadmin@example.com> writes:

>The Doctor wrote:

>> In article <R0OIm.3739$gg6.1377@newsfe25.iad>,
>> Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>>>The Doctor wrote:
>>>
>>>> Right I got a customer who is only running one account, namely root
>>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>> 
>>>> yes/no?
>>>
>>>Depends, might be perfectly fine (and probably is).  What's the
>>>application running?  Anyway, most of security issues revolve around
>>>things other than root 99% of the time (but those 99% of things
>>>usually end up being things done as root once exploited).
>>>--
>>>Not really a wanna-be, but I don't know everything.
>> 
>> And E-newsletter app.

>So, is that news letter app running as root?  If so, should it be if you
>can help it?  If he can, he should run a non priv user account just for
>that app.

Sounds like it is worse than that. Most E-newletters are associated with
networking to the outside world (otherwise that E is probably
misplaced). But if you are connecte d to the outside world, having your
user run as root, becomes much more dangerous. Next the OP will be
telling us that that root account also has no password, because the user
cannot be bothered to remember a difficult password. At which point that
system is certain to be exploited, causing problems for that system, and
more likely for everyone else on the net as it gets used as a spam bot
and as a source for attacks on others. 

>-- 
>Not really a wanna-be, but I don't know everything.

Baho Utot <baho-utot@invalid.com> writes:

>The Natural Philosopher wrote:

>[putolin]

>> I do think people get too antsy about security. By far and away the
>> greater risks are not from root kits, but from things like phishing and
>> so on. There are ten unguarded windows boxes for every one reasonbly
>> well guarded linux box. They are a much softer target. Id say that
>> running as root is an unnecessary risk, with almost no benefits, but its
>> not the worst thing you can do.

>The worst thing you could do is type rm -rf / or rm -rf .* while as root
>account.

Nope. That just wipes you out.  That is self limiting damage. Either you
no longer have a machine to play with or you learn not to do that. 
Worse  is subverting that machine to
attack other machines and to send spam and phishing attacks out to
others. 

Unruh <unruh-spam@physics.ubc.ca> wrote:
> Baho Utot <baho-utot@invalid.com> writes:
> 
>>The Natural Philosopher wrote:
> 
>>[putolin]
> 
>>> I do think people get too antsy about security. By far and away the
>>> greater risks are not from root kits, but from things like phishing and
>>> so on. There are ten unguarded windows boxes for every one reasonbly
>>> well guarded linux box. They are a much softer target. Id say that
>>> running as root is an unnecessary risk, with almost no benefits, but its
>>> not the worst thing you can do.
> 
>>The worst thing you could do is type rm -rf / or rm -rf .* while as root
>>account.
> 
> Nope. That just wipes you out.  That is self limiting damage. Either you
> no longer have a machine to play with or you learn not to do that. 
> Worse  is subverting that machine to
> attack other machines and to send spam and phishing attacks out to
> others. 
> 

Worse yet is to wander by an Apollo Domain network and try rm -fr //*  !

Stan

On Fri, 6 Nov 2009, Baho Utot wrote:

> The Natural Philosopher wrote:
>
> [putolin]
>
>> I do think people get too antsy about security. By far and away the
>> greater risks are not from root kits, but from things like phishing and
>> so on. There are ten unguarded windows boxes for every one reasonbly
>> well guarded linux box. They are a much softer target. Id say that
>> running as root is an unnecessary risk, with almost no benefits, but its
>> not the worst thing you can do.
>
> The worst thing you could do is type rm -rf / or rm -rf .* while as root
> account.
>
No, the worst thing you could do is do that and then don't learn from it.

    Michael

spike1@freenet.co.uk writes:

> And verily, didst Maxwell Lol <nospam@com.invalid> hastily babble thusly:
>> And then someone can walk up to a dedicated application, and with the
>> mouse save a file that overwrites a file like /etc/passwd -
>> /etc/shadow, and thereby deleting the password. Or they can trash the
>> system by overwriting some critical file.
>
> Even the kernel itself.

That's a critical file..... :-)

The Natural Philosopher <tnp@invalid.invalid> writes:

>>> Youy can configure IIRC a no password user login, and put that user in
>>> the root group so privileges needed for admin are granted
>>> automatically, and still run as an unprivileged user..
>>
>> Sounds like a very bad idea to me to perenantly grant IIRC privileges
>> this way.. a Setgid mechanism, which drops these privilegdes once the
>> network channels are established would be better.
>
> well its not secure from the keyboard, but it is secure from
> perversion of user processes.

What is the PID and GID of the IRC process? If the GID grants that
process to modify a system file, then a buffer overflow in the IRC
daemon can grant an attacker full access to your computer.

The Natural Philosopher <tnp@invalid.invalid> writes:

>
> I assumed that was indeed the case, yes.
>
> There is no need to grant privileges beyond necessity.
>
>
> To paraphrase Occam ;-)

That's the Principle of Least Priviledge.

http://en.wikipedia.org/wiki/Principle_of_least_privilege

doctor@doctor.nl2k.ab.ca (The Doctor) writes:

> In article <R0OIm.3739$gg6.1377@newsfe25.iad>,
> Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>>The Doctor wrote:
>>
>>> Right I got a customer who is only running one account, namely root
>>> and 1 app.  I suspect this person is opening himself to trouble.
>>> 
>>> yes/no?
>>
>>Depends, might be perfectly fine (and probably is).  What's the
>>application running?  Anyway, most of security issues revolve around
>>things other than root 99% of the time (but those 99% of things usually
>>end up being things done as root once exploited).
>>-- 
>>Not really a wanna-be, but I don't know everything.
>
> And E-newsletter app.


That's vague.

Is it a web page?
Is it an X-based page viewer?
Is it a mailling list handler?

You should not do ANY of these as root.

On 2009-11-07, Maxwell Lol <nospam@com.invalid> wrote:
> The Natural Philosopher <tnp@invalid.invalid> writes:
>
>>>> Youy can configure IIRC a no password user login, and put that user in
>>>> the root group so privileges needed for admin are granted
>>>> automatically, and still run as an unprivileged user..
>>>
>>> Sounds like a very bad idea to me to perenantly grant IIRC privileges
>>> this way.. a Setgid mechanism, which drops these privilegdes once the
>>> network channels are established would be better.
>>
>> well its not secure from the keyboard, but it is secure from
>> perversion of user processes.
>
> What is the PID and GID of the IRC process? If the GID grants that
> process to modify a system file, then a buffer overflow in the IRC
> daemon can grant an attacker full access to your computer.
>
IRC=Internet Relay Chat
IIRC=If I Remember Correctly

HTH, HAND.

Unruh wrote:

> Wanna-Be Sys Admin <sysadmin@example.com> writes:
> 
>>The Doctor wrote:
> 
>>> In article <R0OIm.3739$gg6.1377@newsfe25.iad>,
>>> Wanna-Be Sys Admin  <sysadmin@example.com> wrote:
>>>>The Doctor wrote:
>>>>
>>>>> Right I got a customer who is only running one account, namely
>>>>> root
>>>>> and 1 app.  I suspect this person is opening himself to trouble.
>>>>> 
>>>>> yes/no?
>>>>
>>>>Depends, might be perfectly fine (and probably is).  What's the
>>>>application running?  Anyway, most of security issues revolve around
>>>>things other than root 99% of the time (but those 99% of things
>>>>usually end up being things done as root once exploited).
>>>>--
>>>>Not really a wanna-be, but I don't know everything.
>>> 
>>> And E-newsletter app.
> 
>>So, is that news letter app running as root?  If so, should it be if
>>you
>>can help it?  If he can, he should run a non priv user account just
>>for that app.
> 
> Sounds like it is worse than that. Most E-newletters are associated
> with networking to the outside world (otherwise that E is probably
> misplaced). But if you are connecte d to the outside world, having
> your user run as root, becomes much more dangerous. Next the OP will
> be telling us that that root account also has no password, because the
> user cannot be bothered to remember a difficult password. At which
> point that system is certain to be exploited, causing problems for
> that system, and more likely for everyone else on the net as it gets
> used as a spam bot and as a source for attacks on others.
> 
>>--
>>Not really a wanna-be, but I don't know everything.

Well, few systems will allow root logins if a password isn't set, so I'd
not worry about it not having a password in that sense.  But yeah, the
description just doesn't sound like a wise setup.
-- 
Not really a wanna-be, but I don't know everything.