Jump to content
  • Announcements

    • spinynorman

      Mandriva Official Documentation

      Official documentation for extant versions of Mandriva can be found at doc.mandriva.com.   Documentation for the latest release may take some time to appear there. You can install all the manuals from the main repository if you have Mandriva installed - files are prefixed mandriva-doc.
    • paul

      Forum software upgrade   10/29/17

      So you may have noticed the forum software has upgraded !!!
      A few things that have changed. We no longer have community blogs (was never really used) We no longer have a portal page.
      We can discuss this, and decide whether it is needed (It costs money) See this thread: Here
bvc

Should root have his/her hands tied?

Poll: should root have his/her hand tied?  

30 members have voted

  1. 1. Poll: should root have his/her hand tied?

    • yes, serious security risk should be kept from root
      5
    • no, root should be able to do anything, else root is not root
      25


Recommended Posts

There is now 2 apps that I know of that can not be run as root.

gtkgnutella

gdesklets

and supposedly the command rm -f is barred from root in the latest coreutils.

 

where does this end?

X is run as root. Should it be added to the list?

 

why not add them all?

If you run as root or think individuals should be allowed to by choice, wouldn't you feel like you were in Windows when told "you can't!" ?

 

If it is agreed that a root should not run graphical software why is it possible to run X as root at all ?

Share this post


Link to post
Share on other sites

Everyone knows I run as root and have from day one.

No I don't have to....I just do. It's my money, my time, my data, my risk and no one elses, especially someone I do not know, like a developer of an app. What could easily become a common trend concerns me greatly. We leave the clutches of M$'s "you can't" mentality and force ourselves to learn nix....why? so nix devel can start acting like M$ devel?

 

I don't think so!

 

-root

Edited by bvc

Share this post


Link to post
Share on other sites

but it was better, and was made worse? That's stupid! N00bs attempt to come over from win and have to learn c++ and compile in order to have eyecandy and user friendliness? They can't;

urpmi gdesklets

and have to edit a c header file and compile?

 

very counter productive towards the cause of making linux easier

Share this post


Link to post
Share on other sites
Guest anon

No doubt your going to get lots of posts telling you you shouldn't be running as root, and not just because they have been told that its possibly dangerous, but because most people would agree that it is. Especially if your connected to the net 24/7

I could write a long list of reasons why you shouldn't be running as root, but you probably know them anyway so it would be pointless. Why you choose to take such risks i don't understand, but as you have pointed out its your choice, your M/C etc.

 

I am interested in why those two apps you mentioned can't be run as root. If its something built into the apps themselves, surely there must be some way around it so you can fool the app into thinking its being run as a user?

 

As to your concern about this practise becoming the norm, i doubt it will happen but its up to the developers i guess. If enough people don't like the way their doing things then they will probably change their ways. :juggle:

Share this post


Link to post
Share on other sites

I don't think the people who wrote the apps intentionally made their programs worse. :)

 

I see your point that this new 'feature' complicates things for the user. I think the next best thing to do is contact the makers and tell them you don't like it. Maybe they will listen, or bring out a version for the 'power user'. :D

Share this post


Link to post
Share on other sites

bvc: why dont you send an email to the developers of the respective pieces of software in question and ask them to add an option, like gtk-gnutella --yes-im-root-i-know

to allow you to. I personally think its a little overboard for them to disable the app as root alltogether, and im with you in supporting the removal of such a restriction.

 

it reduces choice, which is what one of linux's key features is.

Share this post


Link to post
Share on other sites

This is not a matter of restricting choice.

The writers of gtk-gnutella have decided that they only want responsible people on their network. They have chosen the criteria and running a GUI as root is one criteria... in a professional environment it would be an instantly dismissible offense.

 

You choose to flirt with danger (for whatever reason I can't imagine) but its hardly a good thing for noobies to do. You at least understand and accept the consequences but your av jo-blo doesn't. To be honest there are plenty you haven't addressed yourself but like anon I see no point arguing...

 

If you come to my shop to buy a gun for russian roulette then its up to me if I wanna sell it to you. You choose to drive with no seatbelt that's up to you but if the anoying bing bing gets to you then either bypass it or buy a different car.

 

If you don't like it don't use gtk-gnutella or hack it.... its that simple.

They also chose gtk-widgets... don't like em use something else. Don't like the colour scheme or the new preferences dialog... use something else or write your own.

 

There are some extra considerations for gtk-gnutella ....

 

Lets delve into fantasy... lets say I write a mail client that sniffs traffic and gathers a huge spam list and periodically sends my private docs to several million people.

 

It wouldn't be popular because it is putting me the user in danger...

 

gtk-gunetella also chose to restrict which versions can connect to their network. Again I stress their network.

They also have a reputation and like the mail client if stories get out of people being hacked because they were running gtk-guntella as root then their image suffers. They may have other reasons too... that concern the network.

 

Anyone running as root should be experienced.... anyone who knows the dangers would find it trivial to run gtk-gnutella as a non privelidged user automatically.

 

That's stupid! N00bs attempt to come over from win and have to learn c++ and compile in order to have eyecandy and user friendliness? They can't;

Yes they can they just need to type the root password to urpmi gdesklets...

very counter productive towards the cause of making linux easier

 

Not really because its just the case of running as a non priv user.

However remember many M$ people come to linux because they are sick of the security problems of Win...

 

The idea of a root account is fundamental to *nix. before GUI's and the internet *nix has always been a multiuser system and the superuser account a integral part of the unix security model.

 

Simply put its not meant to be used except for admin tasks. You choose to use it for regular tasks, thats your choice but then don't complain if your wrench doesn't knock in nails quite so well as a hammer. Its not designed with that in mind. In this case the wrench makers have realised that people were sticking a spare nail into a ridge of the wrench because it was convenient and this often flew off and blinded people ... so they redesigned the wrench to prevent people blinding themselves while misusing it.

Share this post


Link to post
Share on other sites

just a correction Gowator, gtk-gnutella doesnt have "it's own" network it uses the Gnutella network, which is also use by limewire, gift, bearshare, gnucleus, and heaps more windows clients.

 

So there are already clients on the network running as "root" or "administrator" -- those using windows clients.

 

And we would all agree that, linux is on the whole much more secure than windows.

 

As for what the root account was meant for, maybe at first it was designed for 'admin' tasks as you say, but my laptop was designed for windows, do you really think im going to use windows when I can use Linux? Just like bvc wants to use root instead of a regular users. Quite frankly, i respect that decision, and I myself have at one stage or another considered doing such a thing, and I can see the benefits in it.

 

That's stupid! N00bs attempt to come over from win and have to learn c++ and compile in order to have eyecandy and user friendliness? They can't;

Yes they can they just need to type the root password to urpmi gdesklets...

But if they want to run it as root, they neet to learn python/c++ to be able to modify and compile it so it actually lets them run it as root.

 

More on the root account though, its admin, its top, its big, it's well meant to be able to do anything, right now it cant run a handfull of apps, aren't we needlessly restricting the abilities of this account? While I can see that people would want to stop newbies from using such a program as root, if they're running those as root then they're probably running the rest of KDE, konqueror, xmms, firefox, kopete or the GNOME equivalents, which quite frankly offer more risk. It'd be easy for a newbie to mess something up when browsing around in konqueror, a once in a blue moon occurance for him to mess something up while using gtk-gnutella as root, and a next to impossible occurrance if using gdesklets as root.

 

If such programs have to have this limitation designed into them to stop the program itself from damagin the system, then the developer of the program should take more care in preventing such things, in a better way than detecting what user.

Edited by iphitus

Share this post


Link to post
Share on other sites
Guest anon
As for what the root account was meant for, maybe at first it was designed for 'admin' tasks as you say,

There is no maybe in it. It was and still is.

Root and user acounts are fundamental to *nix. Its part of what makes *nix more secure.

If i find out what your user password is, i can hack into your box and destroy all your user stuff, but thats as far as i get. Without roots pass i can't get any further. Same goes for viruses, atm they can't hop from one partition to another. So if you get one in your user account your core files (the OS) are safe.

But if you run as root all the time, well your just asking for trouble and i really can't understand the need to, or the advantages.

Share this post


Link to post
Share on other sites

To paraphrase the poll text,

 

"root has to have root, otherwise root is not root."

 

The root vs. non-root thing was one of the most baffling thing about *nix for me as a new user (including all the chowning and chmodding that goes with it). I'm sure a lot of n00bs agree.

 

But equally it has probably had a good knock-on effect for a lot of Wintel users once they've mastered it. Those still running a Winbox for old times' sake, can go back to it and think: "My God! I've been doing everything as root!" Soon they'll stop being Administrator all day and set up home in a weedy Guest account. (Right?)

 

It would help a lot if more was made of SUDO though. "Run as..." is a very simple thing to start using habitually in XP, you really can't say that about sudo. I still don't know how to use it properly. If I had enough disk, or could stand to be parted from Mandrake for any length of time, I'd go with Ubuntu for a while and see if I got the hang of it. Sudo doesn't even seem to have the ability to drop straight back to normal user after running the specified task - only after a specified time interval.

 

Serious - make sudo more usable, and I don't think this debate would even be occurring.

 

PS - sorry if my general lack of knowledge has made me talk horse-jobbies in any of the above. I couldn't claim to know sudo well enough to know when I'm wrong.

Share this post


Link to post
Share on other sites
Guest anon

Bascially adding your user name to the sudoers file allows you to carry out tasks without having to type su and root password. But if your going to set that user up for "user Fred=ALL" and then stay logged in as Fred all the time, your effectively running as root and so open up needless risk.

 

Ofcourse you can set Fred up in sudoers to only allow certain root tasks to be executed,

But come on now !! why run as root all the time? how long does it take to open a consol or if you prefer a gui, "kdesu".

two seconds? maybe three?

 

 

........don't complain if your wrench doesn't knock in nails quite so well as a hammer. Its not designed with that in mind. In this case the wrench makers have realised that people were sticking a spare nail into a ridge of the wrench because it was convenient and this often flew off and blinded people ... so they redesigned the wrench to prevent people blinding themselves while misusing it.

:thumbs:

Share this post


Link to post
Share on other sites

another thing...

root is not he/she root is IT.

Its not meant to be personal ... its not meant to be a user it is a specific admin superuser.

 

Like anon says

There is no maybe in it. It was and still is.

 

It is so fundamental to the security model and just about everything.

Init is owned by root.... everything comes from init.

But if they want to run it as root, they neet to learn python/c++ to be able to modify and compile it so it actually lets them run it as root.

Yep, i know... if they can do that then they probably understand the dangers. If not then they probably shouldn't!

 

Its actually a shame x.org runs as root becuase then the sudo stuff would be more developed. Kdesu is pretty simple... you just type the root passwd.... its a nice prompt that should say to you...

"are you sure... thats a config task?"

 

my laptop was designed for windows, do you really think im going to use windows when I can use Linux?

Nope but if we all keep buying designed for windows then linux support isn't getting any better... if you bought one designed for linux and some of the hardware wouldn't work under linux then what.... and if you bought one designed for linux but didn't work with WinXX then frankly I'd laugh my pants off! cripes talk about a regressive move...

 

But equally it has probably had a good knock-on effect for a lot of Wintel users once they've mastered it. Those still running a Winbox for old times' sake, can go back to it and think: "My God! I've been doing everything as root!" Soon they'll stop being Administrator all day and set up home in a weedy Guest account. (Right?)

 

actually yes, I now set-up my Dads PC with a internet account for a non priv user... under XP...

 

if they're running those as root then they're probably running the rest of KDE, konqueror, xmms, firefox, kopete or the GNOME equivalents, which quite frankly offer more risk

Erm yeah, ... I agree but the same developers are not doing those.

... however the browse ability on gtk-gnutella is dangerous as it specifically bypasses firewalls over http and this is a 2-way street.

 

gtk-desklets... access hardware... root can crash hardware, a user can't! (in theory...)

 

kpilot actually crashes my PC... kernel panic... it shouldn't but it does... through lousy programming... gtk-gnutella doesnt and can't! (I have an amusing email from the visor.c driver maintainer over this... as he says its crap programming if it can cause a crash... and I agree)

If such programs have to have this limitation designed into them to stop the program itself from damagin the system, then the developer of the program should take more care in preventing such things, in a better way than detecting what user.

Well I think i answered that...

restricting root access to anything with direct internet or hardware access is good programming practice. If you make an error (and we all do) then it can't go drastically wrong....

 

 

I agree with bvc that it can be annoying having to switch to root but I don't agree its pointless any more than wearing a seatbelt is pointless.

"Hey it hasn't happened to me yet" happen to be famous last words of many unfortunates...

Share this post


Link to post
Share on other sites

Running as root is not such a tragedy. Yes, yes maybe it is unsafe but as long as I'm connected to the Internet through a Linux server and I have a firewall installed on my box I don't feel unsafe at all. I always update my software and open only the necessary ports. A hacker would have to hack my Server first, then find some 0 day exploit that will work on my Desktop computer. He would also have to map the network which I'm part of which consists of 30 PCs. And out of those 30 PCs he would have to choose mine. BTW 29 of those use Windows which is far more easier to hack. The chances for me to get 0\/\/n3d are quite low as you can see. The idea is that I can afford to run everything as root.

 

Oh, and there is this little dose of insanity you need to have to do dangerous things like running everything as root, using Reiser4 or other bleeding edge stuff.

Share this post


Link to post
Share on other sites
Guest anon
Oh, and there is this little dose of insanity you need to have to do dangerous things like running everything as root,

So your saying bvc runs as root because he has a dose of insanity eh? :D

 

( anon quickly checks the board guidlines............... :P )

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×