[ale] Running stuff as root == bad, was Re: FC13 question

Jim Kinney jim.kinney at gmail.com
Sun Aug 1 13:12:42 EDT 2010


risk vs cost. It's a very valid analysis. One thing I have found with the
RHEL/CentOS Fedora world is the gui's needed to do things for admin stuff
are all named system-config-*. This means it's easy to pop up a gnoe
terminal, su - root, and run the gui command from a normal user account X
session. This has also been deemed relatively safe as now the (growing)
security in Xorg can follow the UID tags and see that root owns a data
stream and can add the protections frmt he rest of the gui environment.

For me, being able to switch to an admin role while on my normal desktop
WITHOUT having to login as a root user is a key aspect of my happy factor
with the Linux setup. Windows made me completely leave the environment where
I notice the need for a change but Linux lets me make the change with the
relevant data still availableand ready for testing.

The different gui environments have their own security issues. I would
expect that what ever tool/lib handles the interprocess-communication layer
is the most vulnerable and difficult to secure. For Gnome, that's bonobo.
The last time I looked, bonobo could leak data between users as it relied on
relatively weak security controls.

Since I use both single user Linux system as well as manage multi-user
servers, I have a split view of desktop security.

On Sun, Aug 1, 2010 at 10:29 AM, William Fragakis <william at fragakis.com>wrote:

> Since I invited this flame-fest....
>
> Let's define "bad", to borrow from my wife, is this "cross the double
> yellow line" bad or "I'm driving across the mall parking lot without my
> seatbelt" bad?
>
> Both, violate rules of safety. One will get you killed in about 2
> minutes, the other, probably not.
>
> Most things we do in life involve inherent risks. A ride down the
> interstate and seeing the crosses and flowers on the side is a ready
> reminder.
>
> Those of us who feel the need/convenience to 'that which can not be
> said', aren't doing so we can log into our facebook accounts with
> ies4linux. Some things can be done completely from the CLI, somethings
> by su/sudo and some things for us who've been using a mouse-based GUI
> for 24 years are much easier for the 15-20 minutes we need it if we can
> get to a full-blown desktop.
>
> Mind you, I'm not the systems admin for a Fortune 500 company. I just
> have a couple boxes in the basement. My skill set is at a basement level
> as well.
>
> Say, I'm messing about setting up a separate drive for my VMs, creating
> the VMs, messing about with samba, editing a few .confs etc. and - God
> forbid - having to consult Google when I hit a roadblock. For me, it's a
> heck of a lot easier to fire up a desktop for root so I don't have to
> deal with su'ing 5 different programs. The automatic response is "you
> shouldn't, you should do each one, separately." To those of us who've
> somehow used a desktop for decades with admin privileges without
> incident, that response is a bit Jobsian ("learn to hold your phone
> differently, it's not the phone's fault").
>
> Could I get hacked or attacked or pooch my system in those 20 minutes?
> Sure. But, in 20 minutes on the road, I could easily have a serious auto
> crash. It's much more probable that 20 minutes on any Atlanta interstate
> could involve me in a serious crash (during the school year, I'm on the
> Connector everyday, so I don't feel like I'm overstating the odds) than
> having my system get borked in the same amount of time.
>
> I'd even go further to say that if having a root graphical interface is
> inherently something that should never be done, then the graphical stack
> is too fragile.
>
> Just for fun, I looked up X11 and Xorg security advisories.  I realize
> that there are more elements to a GUI than that but the list isn't
> unsettling for my usage.
> <
> http://www.x.org/wiki/Development/Security?action=show&redirect=SecurityPage
> >
>
> Again, I get that if I'm running the system of something where if things
> go bad people lose their jobs or die, I need to be really, really
> careful and not log in as root. But let's be somewhat realistic on what
> "bad" is. <begin playful sarcasm>Otherwise, I fully expect that should I
> see you driving about town that you'll be using your HANS head restraint
> device and have environmentally safe foam peanuts up to your
> windows.</bps>
>
> And, <more bps>considering how many Liberterians there are on this list
> who haven't risen to the defense of my doing something stupid being my
> own concern, I'm shocked.  ;-) </more bps>
>
> Now, let me go get my Nomex suit before the responses come hurtling in.
>
> regards,
> William
>
> Message sent from my reinforced concrete bunker from an account that
> barely had enough privileges to even use the keyboard.
>
>
>
> On Sun, 2010-08-01 at 08:22 -0400, Greg Freemyer wrote:
> > kdesu works in kde.
> >
> > I use it from time to time.
> >
> > Greg
> >
> > On 7/31/10, Richard Bronosky <Richard at bronosky.com> wrote:
> > > While I agree with the sentiments of this message, the subject is just
> > > plain wrong. Running *stuff* as root *is not* bad. Running
> > > *everything* as root *is* bad. That is exactly what happens when you
> > > log into GUI [display manager|window manager|desktop
> > > environment|whatever] (I don't know anything about the X.org stack. I
> > > don't use GUIs) you run *everything* as yourself. You don't want that
> > > _yourself_ to be root. I could have sworn that back when I was doing
> > > MythTV I used xfce or rat poison and I used a utility called Xsudo,
> > > sudoX, or GnomeSudo. That was good for running the occational app as
> > > sudo. I found that MythTV being graphical by nature forced me to do
> > > this.
> > >
> > >
> > > On 7/30/10, scott mcbrien <smcbrien at gmail.com> wrote:
> > >> One of the big problems with other OS'es is that users log in as an
> > >> account with administrative privileges.  On those OS'es, when an
> > >> application, being run by the user, runs amok (perhaps a web browser
> > >> executing badness from flash or java script?), that application runs
> > >> amok with administrative rights.  So when the application tries to
> > >> mangle system files, libraries, etc. it can because administrators
> > >> could also modify said files. That's one example of why you don't want
> > >> to log in as root, but there are many more, mostly because desktop
> > >> environments like gnome run many many many processes and helper
> > >> applications each of which, when logged in as root, is given full
> > >> administrative permission to do whatever they want on a system.
> > >>
> > >> -Scott
> > >>
> > >> On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <
> william at fragakis.com>
> > >> wrote:
> > >>> Nautilus, for one ;-)
> > >>>
> > >>> GParted can do some interesting things, too, I'd gather but I've
> never
> > >>> tried (to do "interesting things"). Gedit can make your day exciting
> as
> > >>> well. Personally, I can easily do as much damage from the CLI if not
> > >>> more.
> > >>>
> > >>> I do find it easy sometimes to actually have a root Desktop although,
> on
> > >>> this esteemed list, I'm probably in a distinct minority.
> > >>>
> > >>> If something bad happens, I was never here.
> > >>> regards,
> > >>> William
> > >>>
> > >>> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:
> > >>>> Thanks, this seems to work.
> > >>>> But you have to admire the warning label that pops up before the GUI
> > >>>> actually appears on the screen:
> > >>>>
> > >>>> "You are currently trying to run as Root super user. The superuser
> is a
> > >>>> specialized account that is not designed to run a normal user
> session.
> > >>>> Various programs will not function properly and actions performed
> under
> > >>>> this account can cause unrecoverable damage to the operating
> system."
> > >>>>
> > >>>> No hint, of course, as to what sorts of programs can cause the
> damage.
> > >>>>
> > >>>> Sean
> > >>>>
> > >>>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:
> > >>>> >
> http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fed
> > >>>> > ora-13/
> > >>>> >
> > >>>> > Did this a couple of days ago.
> > >>>> >
> > >>>> > Use at your own risk, owner assumes all liabilites, etc. etc.
> > >>>> >
> > >>>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:
> > >>>> > > There are times when I need to to things as root that are -- for
> me
> > >>>> > > -- much easier to do using the GUI aps rather than the command
> line.
> > >>>> > > Years ago on a Red Hat install, root actually had a directory in
> > >>>> > > /home and I could log into the system as root and have the GUI.
> > >>>> > >
> > >>>> > > This FC13 install doesn't provide that feature. I can create, as
> > >>>> > > root, a directory in /home. That's easy enough.  But what do I
> have
> > >>>> > > to do so that I can log in as root directly just as I log into
> my
> > >>>> > > regular user account? If I try to log in as root now, the system
> > >>>> > > just laughs at me.
> > >>>> > >
> > >>>> > > Clearly I am missing several steps in the process.
> > >>>> > >
> > >>>> > > Sean
> > >>>> > > _______________________________________________
> > >>>> > > Ale mailing list
> > >>>> > > Ale at ale.org
> > >>>> > > http://mail.ale.org/mailman/listinfo/ale
> > >>>> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > >>>> > > http://mail.ale.org/mailman/listinfo
> > >>>> >
> > >>>> > _______________________________________________
> > >>>> > Ale mailing list
> > >>>> > Ale at ale.org
> > >>>> > http://mail.ale.org/mailman/listinfo/ale
> > >>>> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > >>>> > http://mail.ale.org/mailman/listinfo
> > >>>> _______________________________________________
> > >>>> Ale mailing list
> > >>>> Ale at ale.org
> > >>>> http://mail.ale.org/mailman/listinfo/ale
> > >>>> See JOBS, ANNOUNCE and SCHOOLS lists at
> > >>>> http://mail.ale.org/mailman/listinfo
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> Ale mailing list
> > >>> Ale at ale.org
> > >>> http://mail.ale.org/mailman/listinfo/ale
> > >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> > >>> http://mail.ale.org/mailman/listinfo
> > >>>
> > >>
> > >> _______________________________________________
> > >> Ale mailing list
> > >> Ale at ale.org
> > >> http://mail.ale.org/mailman/listinfo/ale
> > >> See JOBS, ANNOUNCE and SCHOOLS lists at
> > >> http://mail.ale.org/mailman/listinfo
> > >>
> > >
> > > --
> > > Sent from my mobile device
> > >
> > > .!# RichardBronosky #!.
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo
> > >
> >
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
-- 
James P. Kinney III
I would rather stumble along in freedom than walk effortlessly in chains.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20100801/59bd7b33/attachment-0001.html 


More information about the Ale mailing list