[ale] Running stuff as root == bad, was Re: FC13 question

Jim Kinney jim.kinney at gmail.com
Sat Jul 31 12:29:16 EDT 2010


Learn selinux.

On Jul 31, 2010 12:14 AM, "Michael Trausch" <mike at trausch.us> wrote:

The big thing, yes, is that running everything as root defeats the whole
sandboxing that you get by running as a normal user---or even running things
as multiple, different users.

With the complexity of today's software (necessarily or not) being what it
is, I can't say that I would run much of anything as the root user. For that
matter, I don't, even on the command line. The only root privilege I retain
for myself is the use of sudo, which I nearly always call as "sudo -u
$NEEDED_USER $CMD". That way, if I screw something up, I have a command to
show for it in the system logs.

I would personally like to see "POSIX" capabilities in wider use than they
are. I think it is great to have such a versatile kernel-enforced privilege
mechanism, and useful to take away all the special powers of UID 0.
Although I don't think that it is at all as fine-grained as it could be
without add-ons, and all of the add-ons that I know of pretty much suck.

Anyway, just my 2 cents. The more permissions are isolated and enforced by a
kernel (which can often use hardware to provide the enforcement), the better
contained things such as break-ins or simply rogue users are. Not saying that
would be a nirvana, but it would be a big help, I think. Especially when you
do things like put syslog on the network without any permission but INSERT.
Of course now I am talking about something way more complex than I wager
most of us want to do at home...

--
Sent from my HTC Dream---Running Froyo!
Thanks, @cyanogen!


>
> On Jul 30, 2010 7:59 PM, "scott mcbrien" <smcbrien at gmail.com> wrote:
> One of the big problems ...
