[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
Requiring the user to become root first adds an extra layer of security
(see below).
>
> > This is just asking for trouble.
>
> HOW SO? Everyone says this, nobody every follows through with
> specifics.
Michael Robertson made a similar argument recently to justify his
decision to run everything as root in Linspire. His main argument was
that, from a user perspective, the data is the only thing that's
important. And since a virus/malware/mistake/whatever can potentially
destroy all of your data whether you're root or not, why put up with the
"hassle" of running as non-root?
This argument may apply to an isolated computer, but it falls flat when
you consider a computer that is connected to the internet on, say, a DSL
or cable modem. If you always run as root, and your account gets
compromised, then your entire system is owned, a potential zombie or
spam relay, and a platform for launching new attacks. If you normally
run as a normal user, and your account is compromised, then the
potential for damage *to others* is much less, because the compromised
user account cannot do everything that root can do.
I suppose, from a purely selfish point of view, it makes no difference.
Unless you're held accountable for actions an attacker takes using your
compromised computer.
>
> > Unless you're going to spend the time with a fine-tooth comb
> > to audit every piece of software that you run,
>
> No need to audit software that you trust. The fine tooth comb is needed
> to set EVERYTHING up for a normal user to have access to gratuitous
> system resources needed by everyday apps (iPODs, dvd burners, video
> games, advanced sound card features (midi, etc).
It's really not that big a deal to add your user account to the dvd,
video, audio, games, etc. groups.
>
> > there's no rationale for running as root.
>
> Sure there is. You may not see it however.
It's the same old argument that always comes up: security vs.
convenience. Like many things, it's more convenient to run as root, but
less secure.
>
> > Become root - or sudo - when you need to; the rest of
> > the time, don't. Otherwise, running as root without problems is just a
> > matter of luck. How you have things configured really doesn't make too
> > much difference when a sleep-deprived session leads you to inadvertently
>
> What's the difference between "sudo mkfs /dev/hda8" and runing
> "mkfs /dev/hda8" as root?
The first requires an extra step. If a trojan script has "mkfs
/dev/hda8" in it, and you execute it as root, you just lost your
filesystem. If you execute it as a normal user you're safe. That is,
admittedly, a contrived example, but the principle still holds.
Jason
--
Jason Day jasonday at
<a rel="nofollow" href="http://jasonday.home.att.net";>http://jasonday.home.att.net</a> worldnet dot att dot net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00416" href="msg00416.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> jimpop at yahoo.com (Jim Popovitch)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00313" href="msg00313.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> meson3902 at gmail.com (Mark Schill)</li></ul></li>
<li><strong><a name="00346" href="msg00346.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> james.sumners at gmail.com (James Sumners)</li></ul></li>
<li><strong><a name="00348" href="msg00348.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> jsheets at yahoo.com (Jerald Sheets)</li></ul></li>
<li><strong><a name="00350" href="msg00350.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> groups at ChangingLINKS.com (ChangingLINKS.com)</li></ul></li>
<li><strong><a name="00351" href="msg00351.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> Robert.L.Harris at rdlg.net (Robert L. Harris)</li></ul></li>
<li><strong><a name="00359" href="msg00359.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> jimpop at yahoo.com (Jim Popovitch)</li></ul></li>
<li><strong><a name="00361" href="msg00361.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> kafka at antichri.st (George Carless)</li></ul></li>
<li><strong><a name="00368" href="msg00368.html">[ale] Linux Distributions</a></strong>
<ul><li><em>From:</em> jimpop at yahoo.com (Jim Popovitch)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00393.html">[ale] Linux Distributions</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00395.html">[ale] Linux Distributions</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00727.html">[ale] Linux Distributions</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00416.html">[ale] Linux Distributions</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00394"><strong>Date</strong></a></li>
<li><a href="threads.html#00394"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>