[ale] Running stuff as root == bad, was Re: FC13 question

Charles Shapiro hooterpincher at gmail.com
Sun Aug 1 10:37:06 EDT 2010


Uh, on most of my systems <ctrl><alt><f${1,2,3,4,5,6}> will get you to
a different console.  I've even successfully run two separate and
complete desktops on different consoles.

Just sayin'.

-- CHS

On Sun, Aug 1, 2010 at 10:29 AM, William Fragakis <william at fragakis.com> wrote:
> Since I invited this flame-fest....
>
> Let's define "bad", to borrow from my wife, is this "cross the double
> yellow line" bad or "I'm driving across the mall parking lot without my
> seatbelt" bad?
>
> Both violate rules of safety. One will get you killed in about 2
> minutes, the other, probably not.
>
> Most things we do in life involve inherent risks. A ride down the
> interstate and seeing the crosses and flowers on the side is a ready
> reminder.
>
> Those of us who feel the need/convenience to 'that which can not be
> said', aren't doing so we can log into our facebook accounts with
> ies4linux. Some things can be done completely from the CLI, some things
> by su/sudo and some things for us who've been using a mouse-based GUI
> for 24 years are much easier for the 15-20 minutes we need it if we can
> get to a full-blown desktop.
>
> Mind you, I'm not the systems admin for a Fortune 500 company. I just
> have a couple boxes in the basement. My skill set is at a basement level
> as well.
>
> Say, I'm messing about setting up a separate drive for my VMs, creating
> the VMs, messing about with samba, editing a few .confs etc. and - God
> forbid - having to consult Google when I hit a roadblock. For me, it's a
> heck of a lot easier to fire up a desktop for root so I don't have to
> deal with su'ing 5 different programs. The automatic response is "you
> shouldn't, you should do each one, separately." To those of us who've
> somehow used a desktop for decades with admin privileges without
> incident, that response is a bit Jobsian ("learn to hold your phone
> differently, it's not the phone's fault").
>
> Could I get hacked or attacked or pooch my system in those 20 minutes?
> Sure. But, in 20 minutes on the road, I could easily have a serious auto
> crash. It's much more probable that 20 minutes on any Atlanta interstate
> could involve me in a serious crash (during the school year, I'm on the
> Connector every day, so I don't feel like I'm overstating the odds) than
> having my system get borked in the same amount of time.
>
> I'd even go further to say that if having a root graphical interface is
> inherently something that should never be done, then the graphical stack
> is too fragile.
>
> Just for fun, I looked up X11 and Xorg security advisories.  I realize
> that there are more elements to a GUI than that but the list isn't
> unsettling for my usage.
> <http://www.x.org/wiki/Development/Security?action=show&redirect=SecurityPage>
>
> Again, I get that if I'm running the system of something where if things
> go bad people lose their jobs or die, I need to be really, really
> careful and not log in as root. But let's be somewhat realistic on what
> "bad" is. <begin playful sarcasm>Otherwise, I fully expect that should I
> see you driving about town that you'll be using your HANS head restraint
> device and have environmentally safe foam peanuts up to your
> windows.</bps>
>
> And, <more bps>considering how many Libertarians there are on this list
> who haven't risen to the defense of my doing something stupid being my
> own concern, I'm shocked.  ;-) </more bps>
>
> Now, let me go get my Nomex suit before the responses come hurtling in.
>
> regards,
> William
>
> Message sent from my reinforced concrete bunker from an account that
> barely had enough privileges to even use the keyboard.
>
>
>
> On Sun, 2010-08-01 at 08:22 -0400, Greg Freemyer wrote:
>> kdesu works in kde.
>>
>> I use it from time to time.
>>
>> Greg
>>
>> On 7/31/10, Richard Bronosky <Richard at bronosky.com> wrote:
>> > While I agree with the sentiments of this message, the subject is just
>> > plain wrong. Running *stuff* as root *is not* bad. Running
>> > *everything* as root *is* bad. That is exactly what happens when you
>> > log into GUI [display manager|window manager|desktop
>> > environment|whatever] (I don't know anything about the X.org stack. I
>> > don't use GUIs) you run *everything* as yourself. You don't want that
>> > _yourself_ to be root. I could have sworn that back when I was doing
>> > MythTV I used xfce or ratpoison and I used a utility called Xsudo,
>> > sudoX, or GnomeSudo. That was good for running the occasional app as
>> > sudo. I found that MythTV being graphical by nature forced me to do
>> > this.
>> >
>> >
>> > On 7/30/10, scott mcbrien <smcbrien at gmail.com> wrote:
>> >> One of the big problems with other OS'es is that users log in as an
>> >> account with administrative privileges.  On those OS'es, when an
>> >> application, being run by the user, runs amok (perhaps a web browser
>> >> executing badness from flash or java script?), that application runs
>> >> amok with administrative rights.  So when the application tries to
>> >> mangle system files, libraries, etc. it can because administrators
>> >> could also modify said files. That's one example of why you don't want
>> >> to log in as root, but there are many more, mostly because desktop
>> >> environments like gnome run many many many processes and helper
>> >> applications each of which, when logged in as root, is given full
>> >> administrative permission to do whatever they want on a system.
>> >>
>> >> -Scott
>> >>
>> >> On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <william at fragakis.com>
>> >> wrote:
>> >>> Nautilus, for one ;-)
>> >>>
>> >>> GParted can do some interesting things, too, I'd gather but I've never
>> >>> tried (to do "interesting things"). Gedit can make your day exciting as
>> >>> well. Personally, I can easily do as much damage from the CLI if not
>> >>> more.
>> >>>
>> >>> I do find it easy sometimes to actually have a root Desktop although, on
>> >>> this esteemed list, I'm probably in a distinct minority.
>> >>>
>> >>> If something bad happens, I was never here.
>> >>> regards,
>> >>> William
>> >>>
>> >>> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:
>> >>>> Thanks, this seems to work.
>> >>>> But you have to admire the warning label that pops up before the GUI
>> >>>> actually appears on the screen:
>> >>>>
>> >>>> "You are currently trying to run as Root super user. The superuser is a
>> >>>> specialized account that is not designed to run a normal user session.
>> >>>> Various programs will not function properly and actions performed under
>> >>>> this account can cause unrecoverable damage to the operating system."
>> >>>>
>> >>>> No hint, of course, as to what sorts of programs can cause the damage.
>> >>>>
>> >>>> Sean
>> >>>>
>> >>>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:
>> >>>> > http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fedora-13/
>> >>>> >
>> >>>> > Did this a couple of days ago.
>> >>>> >
>> >>>> > Use at your own risk, owner assumes all liabilities, etc. etc.
>> >>>> >
>> >>>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:
>> >>>> > > There are times when I need to do things as root that are -- for me
>> >>>> > > -- much easier to do using the GUI apps rather than the command line.
>> >>>> > > Years ago on a Red Hat install, root actually had a directory in
>> >>>> > > /home and I could log into the system as root and have the GUI.
>> >>>> > >
>> >>>> > > This FC13 install doesn't provide that feature. I can create, as
>> >>>> > > root, a directory in /home. That's easy enough.  But what do I have
>> >>>> > > to do so that I can log in as root directly just as I log into my
>> >>>> > > regular user account? If I try to log in as root now, the system
>> >>>> > > just laughs at me.
>> >>>> > >
>> >>>> > > Clearly I am missing several steps in the process.
>> >>>> > >
>> >>>> > > Sean
>> >>>> > > _______________________________________________
>> >>>> > > Ale mailing list
>> >>>> > > Ale at ale.org
>> >>>> > > http://mail.ale.org/mailman/listinfo/ale
>> >>>> > > See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>>> > > http://mail.ale.org/mailman/listinfo
>> >>>> >
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> > --
>> > Sent from my mobile device
>> >
>> > .!# RichardBronosky #!.
>> >
>> >
>>
>
>
>

