Root 101 - Concept of Root for Newbies
Fozz writes "One of my colleagues wrote this article explaining the concept of root/super user for Unix newbies. He wrote it after looking for information like it and not finding much. His analogy of Unix and an apartment complex is one of the best metaphors I've seen for understanding multi-user OSes." If you're running any variety of Unix, you've probably been forced to learn this pretty well already, but this is a very lucid explanation to point out to curious friends / co-workers who aren't so sure.
It is the CLI of unix that gets people every time - there is no way to explain that it is generally easier to do stuff through a cli
ifconfig for example - I can remember the ifconfig line for any computer on my network and have it in and done in seconds
But in windows it takes a few minutes just to click click click
The article says that only root can "Start and stop background processes". Any user can do that, but only root can start and stop processes belonging to other users. Perhaps that is what he meant?
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
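An added illustration of the distinction drawn in the comment above (not code from the article or from any commenter): a non-root user starts and stops their own background job, and signal 0 asks the kernel whether a given process may be signalled without delivering anything. The function names are made up for this example, and `survey()` output depends on the host it runs on.

```python
import os
import signal
import subprocess


def read_uids(pid):
    """Return (real, effective, saved) uids of pid from /proc, or None if unavailable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    real, eff, saved, _fs = map(int, line.split()[1:5])
                    return real, eff, saved
    except OSError:
        # Process exited mid-read, or /proc is hidden or not mounted.
        return None
    return None


def signal_access(pid):
    """Ask the kernel whether we may signal pid, without delivering a signal.

    Signal 0 runs only the existence and permission checks of kill(2).
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return "no such process"
    except PermissionError:
        return "denied"
    return "allowed"


def start_and_stop_own_job():
    """Start a background process as the current user, then stop it."""
    child = subprocess.Popen(["sleep", "60"])
    before = signal_access(child.pid)
    os.kill(child.pid, signal.SIGTERM)
    child.wait()  # reap the child so the pid no longer exists
    after = signal_access(child.pid)
    return before, after, child.returncode


def survey(limit=5):
    """Probe a few processes whose real and saved uids are not ours."""
    me = os.getuid()
    results = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        uids = read_uids(int(name))
        if uids and me not in (uids[0], uids[2]):
            results.append((int(name), uids[0], signal_access(int(name))))
        if len(results) >= limit:
            break
    return results


if __name__ == "__main__":
    print("own job:", start_and_stop_own_job())
    for pid, owner, verdict in survey():
        print(f"pid {pid} (uid {owner}): {verdict}")
```

Run as an ordinary user, the surveyed processes normally report "denied"; run as root, they report "allowed".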
Well, if someone needed it they'll know how to search and find out, but then, stating it right away in a "beginner" introduction only brings interest to script kiddies to *hack* the password. That's more of an eye opener than a warning.
Thanks for reading,
Khalid
"What you 'seek' is what you get!"
That would be really worthy of Slashdot.
The one thing that appears to be missing is the section "Why shouldn't I run as root all the time if I'm the only one using my system." In your house (comparing your single user system to your house) nobody can control you like a puppet. Somebody can't move your arms and legs and force you to take a sledgehammer to the hot water heater. If you are running Unix as root, any code that you run could make you do just that. It's worth protecting yourself against virii by not running as root.
...but at my shop, everyone enters the building using the concierge's key (administrator), a copy of which is conveniently taped to the front door. (Post-It [TM] to the monitor). We have not, however, gone so far as to include the password in our Telnet greeting -- you'll have to sniff for that yourself.
Um, yeah. Hey! NTFS has default journaling and no 15-minute filesystem checks!
Proudly serving Satan since ought-two.
When you use sudo, you will be asked for a password. But it's your own password, not the admin password. Also, you'll have to be configured with sudo access to run the command you're requesting. And your admin will be emailed if you try to do something you're not allowed to do.
I can't say that I don't give a fuck. I've just run out of fuck to give.
This piece deserves a companion article: what Microsoft did wrong. It is utterly impractical to use anything other than an Administrator account when running windows (despite the vulnerabilities this leaves you open to) because over half of the useful programs out there, including many titles by Microsoft itself, require Administrative access unnecessarily. The breakdown of privileges is much more distinct in the *nix world. Windows has a long way to go.
This Sig Kills Fascists
You don't really need to restart your machine to set up the root account under OS X... there's a menu option in one of the NetInfo configuration apps to "Enable root account". Much easier than rebooting the machine, heh.
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
Not to start a flame fest here, but isn't a single 'superuser' entity, which has special-case security (e.g. has automatic ownership and access to all files regardless of permissions), indicative of a mis-designed security architecture?
What about capabilities, or mandatory access controls? Or some sort of framework that incorporates root privileges, instead of setting them aside as a special case. I've never been comfortable with the idea that the security system was only for "normal" users and didn't apply to a specific user called 'root' (or id 0), which, if compromised, you are entirely hosed.
It's 10 PM. Do you know if you're un-American?
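On the capabilities question raised in the comment above: Linux splits root's power into separate capability bits and exposes each process's set as a hex mask in /proc/&lt;pid&gt;/status. The following is an added example, not code from the article or the commenter; it decodes the CapEff mask, and the three status snippets are constructed samples.

```python
import os

# Bit order follows <linux/capability.h>: bit 0 is CAP_CHOWN, bit 40 is CAP_CHECKPOINT_RESTORE.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Constructed samples of the relevant /proc/<pid>/status lines.
ROOT_SHELL = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
WEB_DAEMON = "Name:\thttpd\nUid:\t33\t33\t33\t33\nCapEff:\t0000000000000400\n"
USER_SHELL = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"


def effective_caps(status_text):
    """Extract the effective capability mask from status text as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line")


def decode(mask):
    """Turn a capability bitmask into a list of capability names."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            if bit < len(CAP_NAMES):
                names.append("CAP_" + CAP_NAMES[bit])
            else:
                names.append(f"bit {bit}")  # newer kernel than this table
        bit += 1
    return names


def summarize(status_text):
    """Report what a process holding this effective set is exempt from."""
    caps = decode(effective_caps(status_text))
    return {
        "count": len(caps),
        # CAP_DAC_OVERRIDE is the "access all files regardless of permissions" part of root.
        "ignores_file_permissions": "CAP_DAC_OVERRIDE" in caps,
        "can_load_kernel_modules": "CAP_SYS_MODULE" in caps,
        "caps": caps,
    }


if __name__ == "__main__":
    for label, text in (("root shell", ROOT_SHELL), ("web daemon", WEB_DAEMON),
                        ("user shell", USER_SHELL)):
        s = summarize(text)
        print(f"{label}: {s['count']} capabilities, "
              f"ignores file permissions: {s['ignores_file_permissions']}")
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            print("this process:", summarize(fh.read())["caps"])
```

In the constructed daemon sample, the process can bind a low port but is still subject to ordinary file permission checks, so compromising it does not yield everything a root shell has.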
Slashdot: news for clueless newbies. Stuff that makes you think you're a l33t ninja hacker.
Amazingly enough, that's the exact title that prompted my most recent ire. You see I, like many a fellow geek, serve as my family's network/computer administrator. I have a young brother. My young brother likes to get into things he shouldn't. Thus we have blocking software, because my mom wants it. Okay whatever. However, in order to let him play that stupid (Microsoft!) game, I had to give his account administrative access. Not only does this permit him to accidentally fuck something up, but eventually he will figure out how to kill the blocking software. Mmmrmph!!! This makes me a frustrated geek. One thing that would be nice would be some sort of suid functionality, so I could tag a file to always run as a certain user no matter who it was executed by. That way I could selectively trust certain applications. It would also be a useful way to lower a program's permissions, if you usually run as Administrator, but a particular untrusted program has no need to do so. Hmm. I wonder how hard this would be to implement. *goes off to ponder code*
This Sig Kills Fascists
As often, the problem lies in backwards compatibility with windows 9x, which had no multi-user support (profiles don't count) and thus spawned programs which presumed to be able to write wherever they want.
Free Java games for your phone: Tontie, Sokoban
Next we can try more difficult tasks, like explaining command mode in vi.
-Sean
It's a good analogy - the first time I saw it was in a book by Cliff Stoll called "The Cuckoo's Egg", which was released in 1989.
-- R
I want to use Linux. I want to use a command line. I want to know how to add and remove programs. I want to know how to add and remove hardware references in the kernel. I want to know how to access my data. I want to know what programs are on my system, and what they do. I want to find programs that do specific tasks. I want these and a whole lot more. And I want it all in an easy to UNDERSTAND reference guide.
I know everyone says "Switch to Linux! It's more powerful and stable than Windows, and it's free!" But I have tried several times to switch, and every time I do something goes wrong. I can't get the sound to work. I can't get my network card to work. I can't get the proper video drivers installed. I can't get it to boot up properly. Whatever. And every time, I install Windows, spend an hour or two setting up my programs and getting everything, and I'm done. I'm using my system. I have never had that with Linux.
Basically, I want a Linux system that's as easy to install and use as Windows. I would love to learn how to use Linux properly. But I can't seem to learn it. And I've had to learn how to use an AS/400 system. Even that was easier to do than learn Linux. And I'm a programmer. It's not like I'm some dumb schmuck who thinks Windows is the best thing in the world. So until you can give me a Linux system that I can learn, or give me a better way to learn it...then you'll have problems getting the mainstream users.
...was to see that users like my parent couldn't care less about security. Anything that hinders them in doing what they want to do is considered a nuisance.
I am also having a hard time explaining to my wife why I have revoked most privileges for the "Internet zone" in IE (yes, I prefer Phoenix too, but the sad fact is, that there are many sites that won't work unless you use IE) - somehow it is still too much of a bother to add sites that we trust to the "trusted site" list the first time we visit them.
Maybe you just need to get burned once to respect fire (and of course understand what happened). Within the first 48 hours of my job as a student programmer I managed to wipe all files of several projects - my current directory wasn't what I thought it was and I had become more privileged than I should be. That day I learnt not to invoke all privileges in the login-script but only as needed. I also learnt something about proper backup routines that day - the nightly backup really saved me (thank you dear sysadmin for saving me from the wrath of my colleagues...!).
Oh - that reminds me of another story. As student programmers we were given group-privileges (this was VAX/VMS). It was very practical to be able to start and stop jobs on behalf of other student programmers etc. Once one of the other student programmers wrote a utility that would log you out of every interactive session wherever you were logged in (which was rather handy when someone asked if you would like to come along for beer). The utility stopped all interactive processes that it could find, but the author remembered to explicitly turn off our group privileges before doing so, so we didn't accidentally log each other out. Somehow our sysadmin got hold of this utility and since it was thoroughly tried and tested by us for several months, he trusted it. One crucial difference between a student programmer and a sysadmin is that a sysadmin has world-privileges and the script didn't turn these off...! He learnt the hard way that as a sysadmin you should trust no one.
When we asked above mentioned sysadmin for more privileges ("can I have oper-privileges so I can restart this print-queue?!?") he always answered "Do you want more responsibilities?" No, we only wanted more privileges. "Well" he said "it is the same thing - do you still want your privileges?" Somehow it wasn't really necessary with more privileges anyway. And that is perhaps one of the most useful lessons to be learnt.
Why hasn't this story been on the front page? I only found it through slashdot.rdf
I can't say I agree with the part where he says "just boot into single user mode and you can reset the password". Perhaps this is true of RedHat, but SuSE certainly is set up to ask for the root password when booted into single user mode.
I think some generic instructions for "Linux OS" would tell you to use a boot disk/disc, mount your old filesystem, etc...
One thing that would be nice would be some sort of suid functionality, so I could tag a file to always run as a certain user no matter who it was executed by. That way I could selectively trust certain applications
I think you can do this (on XP) with the RUNAS command.. Something like:
runas /user:administrator /savecred <program>
Throw that into a shortcut, enter the password once, and you're all set. Don't ask me where it's storing that password though.....
...needs to stop talking to one's self online. Needs fresh air. Needs looser pants. Needs to drink milk from the bottle...without the lid. Needs to let one synapse fire before lighting another. Needs to let others out of the elevator before entering. Needs to signal before changing lanes. Needs to ring the bell from the outside. Needs to unwrap the gift of thought before putting it to use. Needs to back away from the keyboard and get some rest before subjecting others to more thinking out loud.
Within a UNIX system, root is the God. What piece of this concept requires explaining? 8-)
Yesterday was the time to do it right. Are we having a REVOLUTION yet?
Really, root is one of the disadvantages of UNIX.
Yesterday was the time to do it right. Are we having a REVOLUTION yet?
On my Debian systems, rebooting in single user mode when I have lost my root password would be of no help at all: to enter the single-user shell, I need to type the root password!
If I ever lose my root password, my only way to recover it is to use an emergency boot disk, booting the kernel with a ramdisk whose image is on another disk, with no root password, mount the / on my hard drive to /mnt and edit the /mnt/etc/passwd file to reset (clear) the root password.
That's why I keep boot disks for each of my systems, and update them whenever I change my kernels due to new hardware, or simply because I upgrade to a more recent Linux version.
I've tried that but it wants the password every time. If you've done this, can you provide more details on exactly what I might be doing wrong?
This Sig Kills Fascists
Apparently it only works with XP Professional, so if you're running the Home edition you're screwed.. Also I've been playing around with it a little more, and it looks like once you save the credentials, you can launch ANY program with the runas command without reentering the password.
Ed, man! !man ed
ED(1) UNIX Programmer's Manual ED(1)
NAME
ed - text editor
SYNOPSIS
ed [ - ] [ -x ] [ name ]
DESCRIPTION
Ed is the standard text editor.
---
Computer Scientists love ed, not just because it comes first alphabetically, but because it's the standard. Everyone else loves ed because it's ED!
"Ed is the standard text editor."
And ed doesn't waste space on my Timex Sinclair. Just look:
Of course, on the system *I* administrate, vi is symlinked to ed. Emacs has been replaced by a shell script which 1) Generates a syslog message at level LOG_EMERG; 2) reduces the user's disk quota by 100K; and 3) RUNS ED!!!!!!
"Ed is the standard text editor."
Let's look at a typical novice's session with the mighty ed:
---
Note the consistent user interface and error reportage. Ed is generous enough to flag errors, yet prudent enough not to overwhelm the novice with verbosity.
"Ed is the standard text editor."
Ed, the greatest WYGIWYG editor of all.
ED IS THE TRUE PATH TO NIRVANA! ED HAS BEEN THE CHOICE OF EDUCATED AND IGNORANT ALIKE FOR CENTURIES! ED WILL NOT CORRUPT YOUR PRECIOUS BODILY FLUIDS!! ED IS THE STANDARD TEXT EDITOR! ED MAKES THE SUN SHINE AND THE BIRDS SING AND THE GRASS GREEN!!
When I use an editor, I don't want eight extra KILOBYTES of worthless help screens and cursor positioning code! I just want an EDitor!! Not a "viitor". Not a "emacsitor". Those aren't even WORDS!!!! ED! ED! ED IS THE STANDARD!!! TEXT EDITOR.
When IBM, in its ever-present omnipotence, needed to base their "edlin" on a UNIX standard, did they mimic vi? No. Emacs? Surely you jest. They chose the most karmic editor of all. The standard.
Ed is for those who can *remember* what they are working on. If you are an idiot, you should use Emacs. If you are an Emacs, you should not be vi. If you use ED, you are on THE PATH TO REDEMPTION. THE SO-CALLED "VISUAL" EDITORS HAVE BEEN PLACED HERE BY ED TO TEMPT THE FAITHLESS. DO NOT GIVE IN!!! THE MIGHTY ED HAS SPOKEN!!!
Just wanted to let everybody know that the "Root 101" article has been updated on the Iodynamics site. Most of the revisions are based on the comments above.
I appreciate all of the great feedback, both here and via e-mail. This article has truly been a community effort.
--Dave
I can't imagine there are many /.ers running XP Home! ;-)
However, I've approached this from every angle I can and I'm still not seeing any way to save the credentials. Even if you tell it to always run as user X it will prompt for user X's password every time. Even saving the credentials would be more safe than what I'm currently doing. Can you illustrate how you did that?
This Sig Kills Fascists
Linux supports most hardware, but I've been burned before so I always check before I buy. The most likely problem if you buy new is hardware that isn't yet supported in Linux. The WinModem was the most aggravating of these. At the time I accidentally got one of those, I didn't know such things existed (and Linux didn't support them at the time-- too new) so I didn't know to check. The manufacturers made it hard to tell a WinModem from a real one without opening the box.
The way hardware is added to the PC is horrible. Plug and Play helps, but is really a bandaid. How is the hardware identified? Configured? Allocated resources to avoid conflicts? Used? There is still no standard way of handling these issues outside of Windows.
Most manufacturers provide a Windows driver (which is usually buggy-- never use the driver that came on the included CD, first check their web site for updates) but Linux is left in the cold. Consequently for new hardware there can be a delay of months before dedicated Linux driver hackers finally manage to wangle the necessary details from the manufacturer or reverse engineer the Windows driver or something. Manufacturers tend to fear intellectual property theft too much to be very cooperative.
Don't be too hard on Linux-- sure, Linux needs improving, but problems aren't always Linux's fault. Didn't Bill Gates once complain he was tired of Windows (in the days of version 3.1) getting blamed when some poorly written device driver caused a problem? That was a big motivation behind Microsoft's efforts to take over the work of providing drivers. Remember the bad old days of DOS when each graphics application had its own stable of video and printer drivers and configuration issues?
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
You can't use the "Run As" option on the shortcut properties.. You have to use the command-line RunAs.exe utility with the /savecred parameter every time you're launching the application. So you might do something like:
runas /user:administrator /savecred "c:\program files\Internet Explorer\iexplore.exe"
The first time it would prompt you, but after that it would just load. You have to put that whole command line into a shortcut if you want to launch it from an icon or the start menu. You can nest quotes inside the command line with a backslash - I use this on a shortcut to launch the ISA administration console:
runas.exe /user:domain\administrator /savecred "c:\windows\system32\mmc.exe \"C:\Program Files\Microsoft ISA Server\MSISA.MSC\""
Try FreeBSD.
Okay, it doesn't have a sound card driver for my ultra-new-stylish Soundblaster USB Extigy, but otherwise, it's fantastic. I actually put the CD into my drive and booted, used the very intuitive (textmode, but somewhat GUIish) installer, pressing (A)uto and (D)efault all the time, and an hour later, I had a basic system with working ADSL access, X w/ Gnome, Mozilla, OpenOffice and all the other stuff I need. XFree4 configured (almost) automatically. All hardware, including the USB mouse and a wireless network card were detected automatically. ADSL worked from scratch (just had to enter my user id/password in some config file). I don't even know how to build a kernel or install device drivers on FreeBSD. I just don't have to. Plus, every time I have a question or problem, the relevant section of the official documentation (the 'handbook') describes everything in a fool-proof way.
Don't get me wrong. You still have to hand-edit a lot of configuration files even to get basic stuff like XWindows fully working. This doesn't matter for me, since I have already given up the hope that this will change anytime soon for any arbitrary free *nix. Also, the installer has some serious UI consistency problems (like you have to press 'Cancel' when you really want to 'Finish and bail out').
But still, it seems a lot more mature than even SuSE or RedHat, who supposedly put millions of dollars into optimizing their distributions. With Linux, I just always end up rebuilding the kernel ten times, installing new versions of device drivers, modutils, autoconf or whatever, changing config files by hand (although YaST or whatever supposedly should do this for me). And this even if I have installed the "install and configure everything" option, that takes up 2 GB of my hard disk space and opens a bunch of security holes.
A couple of links:
Hope this helps
Yes, quite a few programs "require" admin access unnecessarily, especially certain games.
It's a shame, but since most (home) users don't know the difference, they accept this, and run as a local admin.
Instead of going this route, you could also figure out what privilege that Age of Mythology is looking for and assign it manually to the game-player's account. (or modify NTFS permissions as needed on the hd) Check out the local security policy for privilege adjustment.
Very handy if you want to give someone terminal access without giving them root (administrator).
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
indeed. in my book you shouldn't label yourself a windows 'administrator' unless you know how to write WMI scripts.
Gentoo is a little complex to set up, but they have EXCELLENT step by step user guides for getting everything on your system working...audio, 3d acceleration, USB, everything. The people on the support forums are superb, and I have never seen a more helpful bunch.
Gentoo is what I learned on. When you're done setting up a gentoo system, you know exactly what you have on your system and WHY it's there.
When their numbers dwindled from 50 to 8, the dwarves began to suspect Hungry.
It's not like blocking software isn't trivial to bypass even with a guest account.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
-1 Troll :-P
It's also "trivially" easy to boot from a CD and change the Administrator password. But only your dedicated hacker has such a CD. Security doesn't need to be air tight (which is good, as that is not possible), it only needs to be reasonable for the task at hand.
This Sig Kills Fascists
Only dedicated hackers would have a Windows install disk? :-). Besides, it doesn't take a lot of effort to search Google for "cgiproxy".
It's hard to be religious when certain people are never incinerated by bolts of lightning.
First of all, a windows install disk won't help you if the default security settings are left alone. AFAIK, by default it still requires the admin password to use the recovery console. Anything to the contrary was just a very popular (but false) rumor. And, yeah, it does if Google is blocked. :-P
This Sig Kills Fascists
And holy fucking shit, do the blockers block Google these days? I know they'd been restricting images/cache, but taking out the main google web search would just be crazy.
It's hard to be religious when certain people are never incinerated by bolts of lightning.