New Linux Distros Insecure by Default?
An anonymous reader submits "Two articles on Codefez and NewsForge review releases of Linspire 5.0 and Linare. Both these distributions let the user run as Root by default after installation, and don't prompt to set up a user ID. Is this the start of a new trend of 'dumbed down' Linux distributions that will damage the Linux reputation for security?"
I mean they have the chance to sell a reasonably secure OS and instead they do this. Hanging's too good for 'em.
You're not being a Devil's Advocate, you're just trolling.
Normal users can usually download, compile and use apps, and delete that which is theirs, but that doesn't mean they have access to install or delete code or configurations available to every user on the system.
Agreed. I'm a mac/freebsd user here, and I have to appreciate Apple's attitude toward user security.
Out of the box, the root account is locked out. You can't log in as root unless you type this:
sudo passwd root
Then it prompts you for your super user password, then asks you to reset root's password.
You can have sudoers on the system, but no root. Lin(are|dows|spire) could have done well to go with this model as well. Have no idea why they didn't.
Karma: Chameleon (mostly due to the fact that you come and go).
Linspire *does* have a "setup your computer" window come up. One of the buttons on it is to create a user account.
Not perfect, but not as egregious as it was in Linspire 4.5 either.
Jay | http://oldos.org
Linspire has been doing this for awhile. They're trying to make newbies as comfortable as they can, but unfortunately they're doing it by emulating even the worst ideas of that other OS.
Linspire (formerly Lindows) made that decision a long time ago, and it has been brought up on Slashdot many-a-time...
A quick search reveals this article from 2003 in which the founder of Lindows states his case for the matter...
And this review from 2002 (linked to by /.) also noted this problem...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
This is pretty much what the default install of Ubuntu does too. Expert install makes a separate root account though.
Every linux distro I have used since Yggdrasil has done this. Red Hat 5, Slackware ninetywhatever, Mandrake, Gentoo, Debian, Caldera OpenLinux, SuSE...
I've settled down in my Distro-hopping, so the examples I used in most cases were over four years old (Yggdrasil most certainly was. :-), but in my experience it's standard practice to start the user off with a root account and make the normal user account optional, possibly with a little admonishment saying that you really shouldn't use root if you can avoid it.
None of them have ever spent much time explaining how sudo works and why you should use it.
One of the best things about linux is ordinary users don't have write access to the entire computer. This means that if one day linux malware does become a problem (as Microsoft predicts), then it will only affect individual accounts and not the entire computer.
Aside from malware that probably doesn't exist yet, it's still a good idea to have a window pop up or a console to prompt you for a root password because it lets the user know the action they take may harm their computer. It also hinders mistakes like deleting necessary files from happening accidentally. Security should be the main concern of a computer connected to a network or in an area more than one person can use. This enforces that concept and can greatly protect a computer than if it was always running as root.
OK, so the user is root by default, but presumably services are still running under service accounts? That, surely, has got to be of benefit.
The root account is for administering the system: installing and upgrading software installed globally on the system (for shared use), changing settings that affect users, managing, etc. Root owns the system files.
Because root has access to bypass all security measures, it should not be used, except where necessary.
Suppose you surf the web as root: if you visit a malicious web site that exploits a bug in your browser, now your system is at their mercy.
If you had been following best practice and surfing the web as a normal user, a dirty hacker could still run code, but they could not wipe out your system without first gaining root.
Also, it's easy to accidentally trash the system configuration if you are operating as root when not necessary.
When running as root, there is a certain danger, and care needed with every command, particularly on production systems.
I installed Ubuntu just the other week and was momentarily perplexed that I couldn't su to root. After some consultation on IRC, I learned that Ubuntu has no root account by default, and you can access things you'd normally do as root by sudo, and applications requiring root just ask for your password. As I understand it, this is similar to how it works in OSX. In my opinion, this is the right direction to go in for single-user machines such as home desktops. Of course, stupid users will still type their passwords in when malware prompts for them, but that's more of a user education issue than anything. I can't really think of any way off-hand to give home users the power they need to install apps while still preventing trickery like that..
Security and usability are closely tied.
If a lock is so hard to use it never gets used it's a bad lock.
A blog I run for the wealth
If you had been following best practice and surfing the web as a normal user, a dirty hacker could still run code, but they could not wipe out your system without first gaining root.
A system which I can easily reinstall, unlike the personal data which, while it should be backed up, can't be relied on to be backed up every minute and shouldn't be accessed by someone else regardless. Root makes sense on a multi-user system from a sysadmin's point of view where the integrity of the system is paramount. A single user in his home has different priorities - his personal data is paramount - and he's just as owned from one account as the other.
And as far as mistakes, I've run DOS and Windows for years without borking the system (I rarely have need to be doing dangerous things on those systems) and I've run Linux for years without borking the system though I've come closer because Linux constantly forces me into the sensitive guts. But I can just as easily screw up in the minute I'm root as I could in the hours I'm not. A mistake takes a split-second. And having 2 accounts and having to have a 'whoami' command actually *introduces* confusion. I've got two very different prompts now with a bright red YOU ARE ROOT but, in my early days, I issued countless commands thinking I was me when I'd left an xterm up as root or forgotten which virtual console I was on.
And it tends to produce a "let's try this - I'm a regular user and nothing can go *really* wrong" attitude. In other words, you can catch yourself becoming *sloppier* as a regular user, which is actually bound to *carry over* as root.
Lastly, 'root' has horrible granularity.
But I still run my Linux system as Joe User. Just saying.
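The post above argues that two accounts plus a habit of typing whoami introduce confusion, and mentions a bright red "YOU ARE ROOT" prompt as the fix. As an added example (mine, not from any post in this thread), here is that prompt in shell form together with a check that scripts can call instead of relying on someone reading the prompt. The function names `prompt_prefix_for_uid` and `running_as_root` are my own.

```shell
#!/bin/sh
# Added example, not from the thread: make a root shell unmistakable and give
# scripts a one-line root check. Works in POSIX sh; the PS1 wiring is bash-only.

# Return the prompt prefix for the numeric uid given as $1.
# uid 0 gets a bold red banner, everyone else gets an empty prefix.
prompt_prefix_for_uid() {
    if [ "$1" -eq 0 ]; then
        printf '\033[1;31mYOU ARE ROOT\033[0m '
    else
        printf ''
    fi
}

# Exit status 0 when the effective uid is root, 1 otherwise.
# A script that needs root calls this instead of parsing whoami output.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Wire the prefix into an interactive bash prompt; plain sh ignores this.
# The equivalent line belongs in ~/.bashrc and /root/.bashrc.
if [ -n "$BASH_VERSION" ]; then
    PS1="$(prompt_prefix_for_uid "$(id -u)")\\u@\\h:\\w\\$ "
fi

# Typical guard at the top of a script that must run as root:
#   running_as_root || { echo "run this with sudo" >&2; exit 1; }
```

The guard is deliberately a function rather than a check of `$USER`, because `$USER` is inherited environment and still says your own name after `su` on some systems, whereas `id -u` asks the kernel.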
The biggest issue with running as root is that any flaws in the system can have FAR bigger effects if you are running as root. For example:
* If a program crashes, it can overwrite any part of the drive at all, not just your home directory. This could mean it belches over your programs, or worse, your kernel, meaning your computer won't boot.
* If you run a malicious program (like a virus or trojan) it can make changes to the entire configuration of your system, infecting every program on your computer. This can make it impossible to remove without a reinstall. Note: this does not have to mean you explicitly running such a program... a virus could exploit a bug in Gaim or Evolution/KMail to get malicious code to run.
* If you type a command wrong by accident ("rm -rf /bin" instead of "rm -rf ./bin") you can seriously corrupt your install.
.rpms
Getting "owned" is a multi-step process - local code execution, privilege escalation, rootkit installation - running as root eliminates one of those steps.
I've heard everything: don't make changes from the root account, don't install
What's the purpose of the root account if you are not to use the OS from it?
I'm not sure who has been feeding you those lines, but "making changes" is what the root account is for. Root is a nickname for "superuser", or what "Administrator" means on Windows. Basically, root is for system administration, and installation/removal of "critical system components". Things you might do as root:
* Install drivers
* Install software
* Reconfigure your network settings
* Format harddrives
* Check the harddrive for errors
* Add users
* Set services to run at bootup
And if you are running an RPM-based distro (Redhat, Fedora, Suse, etc) then installing RPMs is the recommended way to install software.
I agree, mc / midnight commander isn't enough.
It's a design thing that requires a rare holistic view.
The best candidate to watch is osX but I'm not familiar with that
"Normal users can usually download, compile and use apps, and delete that which is theirs, but that doesn't mean they have access to install or delete code or configurations available to every user on the system."
I think you'll find that in today's world there aren't that many people just sharing a 'slice' on a multi-user timesharing system. Heck, things have gone the opposite way. I have a 4 port KVM at home, and am wanting to upgrade to 8-way.
The user model for Unix is showing its age. The way that it was 'cleaned up' in BeOS seemed pretty good, but BeOS has gone away. (BeOS had a lot of POSIX-ness, and the GNU toolchain, but not the cumbersome multi-user design.)
"Also, it's easy to accidentally trash the system configuration if you are operating as root when not necessary."
Yep, doing things as non-root user protects your system from getting screwed up, so that your system will keep working as expected, while your data (in your home directory) may get thrashed, deleted, or leaked/snooped on.
Here's my problem with this: while this helps, the fact is, my data happens to be the most valuable stuff on my computer. I can fix/reinstall an OS, but I probably can't retrieve data that got deleted. If a hacker gets user level access, then my system may keep working o.k., but my user data is still up for grabs.
So for starters: a good backup strategy is your friend. Next: reliable working software, so that exploits aren't there in the 1st place, user-level or otherwise.
I still have to see a security model that's:
If you know of a good model that meets ALL above points simultaneously, please let us know. And frankly, the Unix permissions model doesn't cut it. It's hard to understand for Grandma, and even with proper permissions set, all sorts of data that should be considered private to processes/users, is leaked in a variety of ways. And a flaw in your browser may destroy any non-browser related data inside your home directory.
The Unix-style users/permissions model may be useful, but it's nowhere near optimal by any metric. IMHO it's more like a clumsy fix, that tries to minimize the effect of unreliable software. After all, if software on your system would NOT contain any exploitable bugs, and 'just work' as documented, how much use would there be left for Unix-style security? At least on single-user systems (normal user = also admin): little.
A clueless newbie should never consider their OS to be secure; they don't have the knowledge to make a judgement on it.
Maybe a lot of the demographic this distro is targeting doesn't even know what root is.
Plus, there is a saying (from the *BSD folk, I think): "without physical security there is no security".
Get a bit of perspective: you need knowledge to have security, it's not just a configuration issue.
And if you are running an RPM-based distro (Redhat, Fedora, Suse, etc) then installing RPMs is the recommended way to install software.
Indeed. They've made it almost as 'slick' as Windoze. I guess that's okay for the kind of people who don't hang out here.
If you want it free, go with Ubuntu, If you want it cheap, go with Windows, and download freeware apps. It seems like Linspire users are paying just to use a second- rate distro.
Anyone care to enlighten me?
The toad can't burp - and for some reason can't fart either, so it swells up and eventually explodes. --Anonymous Coward
What I'd like to see is even more user granularity. One account for browsing the web, another for reading email, another for ftp'ing. Even if you download or click on some malware, not only is your OS protected, but now your user id's files are also safe.
When it comes time to actually use the files you downloaded, there should be a malware-scanning chown that checks the file is safe before assigning it over to you, perhaps on top of a check that firefox's chroot jail is not disturbed.
I wrote "Unix-style". Built my own Linux system from source ages ago a la Linux From Scratch, waiting for next releases of NetBSD and FreeBSD to take these for a spin, and writing these comments from Gentoo Linux. Does that count?
> A system which I can easily reinstall, unlike
> the personal data which, while it should be
> backed up,
But you *do* have the backups right?
> can't be relied on to be backed up every
> minute and shouldn't be accessed by someone
> else regardless.
If your work is worth it, you should back it up every minute. It is just a matter of priorities...
> Root makes sense on a multi-user system from
> a sysadmin's point of view where the integrity
> of the system is paramount.
Not only, single user systems also benefit from separation of privileges, we have already been there with Windows 9x.
> A single user in his home has different
> priorities - his personal data is paramount -
So she/he should back it up as often as possible.
(...)
> And having 2 accounts
No - you only have one account, the other (root) is special.
> and having to have a 'whoami' command actually
> *introduces* confusion.
OK, it may be confusing; what other way do you suggest?
> I've got two very different prompts now with
> a bright red YOU ARE ROOT but, in my early days,
> I issued countless commands thinking I was me
> when I'd left an xterm up as root or forgotten
> which virtual console I was on.
On your *own* machine that nobody else can access it does not matter.
> And it tends to produce a "let's try this - I'm
> a regular user and nothing can go *really*
> wrong" attitude. In other words, you can catch
> yourself becoming *sloppier* as a regular user,
> which is actually bound to *carry over* as root.
But you *do* have backups?
Look, nothing is more valuable than frequent backups, and that is it: the main hygiene of working with data. No OS will save you from e.g. fire damaging your hardware; if data is important, *back it up*.
> Lastly, 'root' has horrible granularity.
> But I still run my Linux system as Joe User.
> Just saying.
Linspire 5.0 installs as root just like any Linux OS but informs you to create users after setup.
I wish that would quit popping up every time Linspire turns a corner.
Ubuntu is a good example of the right way to do things, I think. Root's there but you have to look up how to do it. However Linspire seems to have more things working for it. Ubuntu can't suspend on some machines, Linspire can; Ubuntu can't see my Broadcom wireless card and getting my prism54 card going was tricky, but in both cases Linspire worked just fine with either card. Still, I'd like to see where Ubuntu goes in a few years. Debian definitely needs a kick in the arse and it looks like Ubuntu will do it.
"single user in his home has different priorities"
Says you. Most single users at home do not have the technical knowledge to reinstall the system. A root compromise means hiring a technician to set their computer up again AND losing all their data.
If root is not compromised the system is not compromised, only the individual user. If you run as root it isn't like the system is compromised but not your personal data.
Also on a single user system your personal data may or may not be all that critical. MOST home users have no critical data on their computer at all, so $100 to have the computer guy come "fix" their computer is greater than the loss of losing a couple pirated songs and a half hour spent on a paper.
Also do not assume home and single user are synonymous. Believe it or not they have these things called "families" and they have become quite common. Hell, even smaller units called "couples" are in vogue. And these units involve multiple users in a home scenario. While those users wouldn't know what they are missing in a single user setup they will never turn back once they have experienced separate and private preferences, desktops, browser history/bookmarks, etc.
"And it tends to produce a "let's try this - I'm a regular user and nothing can go *really* wrong" attitude. In other words, you can catch yourself becoming *sloppier* as a regular user, which is actually bound to *carry over* as root."
Maybe for some. I find that most who are even aware there is another account on the system called root and consider something other than what the tech uses when he fixes the computer or sets up new programs already have a "lets try this - I want to see what happens" attitude. This is the category of user who has the kinds of problems on a linux system that require constantly adjusting internals and using root access.
I run as a regular user and actually do quite a bit with my system but tinker with it rarely nowadays. The only time I have ever used the 'whoami' command is in scripts that need to be run as root. Aside from installing software, root is almost never needed on an already configured system. Even that doesn't involve something like an xterm. I mean you open synaptic, find your package, and install it. The only way you even realize it required root access is that you had to type the password into the kdesu box.
You can bork the system in 30 seconds or less in linux or dos/windows. The difference is what types of things lead you to doing it. With dos/windows the systems bork themselves and you either fix them or REALLY bork them when trying to fix what they borked on their own. Example: toasting the system hive because you turned on your XP/2000/2003 system to find it randomly decided to corrupt your registry and start bluescreening today.
With linux if you leave the system be it will only bork itself if hardware goes bad. But installation and configuration involve lots of tinkering and manipulating guts and they are as gentle as an anal probe with a cattle prod. And hey, lets face it, using linux leads you to want to tinker with all that free software.
Wonderful rant really. You mentioned the fix for data yourself. It is called the backup. The NSA produced a more flexible security model if you need it, but I don't know of any grandmas that do.
I'm sure we would all like a security system that makes our checking data as secure at our home computer as at the bank and is easy enough for grandma to use but that is a pipe dream. Reality is that your computer is NOT a safe. When you connect that computer to the internet you have no reasonable expectation that the data on it is as secure as that in your wallet when you walk down a crowded street (although it is generally much safer).
"After all, if software on your system would NOT contain any exploitable bugs.."
After all, if pigs sprouted butterfly wings out their arses and went scuba-diving...
Seriously though. The parent was not commenting on the general merit of the old unix security model or the new ones. Rather the parent was answering the original question of why one should not use root for day to day work. The answer is because you can't be turned into a spam zombie that hurts others and your system is much more difficult to compromise in that manner. Restoring data takes what 5m-1h if you have a substantial amount? Whereas losing your system adds anywhere from 45m-15hrs ON TOP of that.
Really only the ignorant avoid RPMs (read that as package management, debs are fine too). ;) Believe it or not being slick is NOT a bad thing. Being slick is good so long as it does not come at the expense of flexibility.
Stupid and ignorant people configure/make/make install with flags and so forth.
Intelligent ones take 2 seconds and a text editor to make a spec file that compiles the software per their specific requirements. Then they have a perfectly tuned binary whenever they have need for one that is easy to install and/or uninstall. Couple the package format with apt and you even have automated dependency resolution and network install support.
Seriously, if you still aren't using a package format (rpm/deb) with a good package management frontend (apt/yum) and maybe even a gui frontend to that (synaptic/yast2); it is time you stepped into the 21st century. Nobody thinks of rpm as just the rpm binary anymore, power users realize that rpmbuild is essential as well. If you learn how to build packages it does not take long (isn't *nix full of tools with a learning curve?) you get all the flexibility of building packages yourself (since you are literally scripting the build commands in the spec file) AND the subsequent ease of package management.
I doubt most people who are building packages by hand are stupid but I suspect many are ignorant. They have been burned by easy to use Windows and Macintosh system and are afraid of things being dumbed down. The reason I still use linux is that while the system grows ever easier to use, that ease has not come at the expense of access to flexibility and customizability.
Even less flexible pretty configuration tools are accessing the same old flexible and easy to backup config files.
I learned Unix on a DEC PDP-11/60, and then on a NeXT Cube - serial line all-the-way.
For years I built my Linux and OpenBSD boxes like I learned - half unconsciously thinking, "Better install emacs, too. Someone's gonna bitch if there's only vi. Hmmmn. There's a chance that the German man pages will be needed by a user, sooner or later..."
Of course, it was my personal Athlon! No one was ever going to telnet on in, or kermit those files to another host! I didn't stop this building/installing habit until I was regularly using laptops - when it just was glaringly obvious how single-user the box was.
Terrible security, from the point-of-view of "increased attack surface". I also locked down root good, tho, and ran sudo, tcp wrappers, portsentry, etc.
"Flyin' in just a sweet place,
Never been known to fail..."
"A system which I can easily reinstall, unlike the personal data which, while it should be backed up, can't be relied on to be backed up every minute and shouldn't be accessed by someone else regardless. Root makes sense on a multi-user system from a sysadmin's point of view where the integrity of the system is paramount. A single user in his home has different priorities - his personal data is paramount - and he's just as owned from one account as the other."
And this is one of the countless reasons that Linux should be moving towards a database fileystem. That way the normal user could screw up his system as much as he wants and the root user would still be able to restore it.
At home I run lots of computers and all of them have multiple accounts lets take my home laptop:
one account for my day to day use
one account set up for Oracle with different sets of administrators (essentially an Oracle root account)
one account set up for my wife. Looks much more Apple defaults
one account for my daughter (low privs)
a root account
a guest account
or my daughter's computer:
one account for me (administration)
the administrator account (higher privs)
one account for my wife (user account with privs but actual user data)
one account for my daughter
one guest account set aside for my daughter's friends
one guest account for other people who want a PC but are adults
These are home systems.
Damage Linux's reputation?
Come on. Too many people care too much about rumors and "repuations" instead of getting the facts. People who seriously use and understand GNU / Linux know that scares like this are stupid, and that no operating system is secure by default: in order to secure your computer, you need to understand how it works yourself... you can't simply trust a company to secure it for you.
If anything, this will damage Linspire's reputation, not GNU / Linux's reputation. People probably think that Red Hat, SUSE, and Linspire are all unrelated anyway.
I was reading this post, and I got to thinking about a comparison that Linspire had put up on one of their sites (then called linuxshootout.com; now called tryoutlinux.com). It was pretty bogus then. Anyway, I tried to go there, and got forwarded to the URL listed above. It's interesting how they claim that they are the most popular version of Linux for desktop computers. Yes, you heard me right.....Head on over to tryoutlinux.com, and check out point number 5 under the 'Why Linux' section.
1. Design a linux distribution that mimics the look and feel of another profitable operating system as well as offering similarly poor security characteristics.
2. ?!?!?
3. Profit.
Only M$ knows the answer to part 2.
zosxavius photography
Considering that a lot, if not most, computers are used by one user then the whole root access thing is moot.
1.) All the important, not easily recoverable files are typically in /home/ which is obviously (intentionally) vulnerable.
2.) Malware can still run automatically from things like ~/.bash_rc every time the user logs in, which is typically how a lot of malware works on Windows too... run_once/run/etc in the registry, autoexec.bat, whatever.
Going back to my first statement, if only one user uses a machine and he/she/it gets malware the whole root thing doesn't help. All you really saved was the OS and that's easily replaced (don't mistake time for simplicity).
Do Linux, FreeBSD and Solaris have a better security model than Windows? Yes, obviously (IMHO). Is it going to save you from malware? Hell no... Will it protect your valuables? Not likely.
Any asshole can whip something up to scan for r/w directories and empty the contents. Hell, it's easier to do than in Windows with shell scripts. From my point of view a root account wouldn't be much more useful than the user account you want to spy on.
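The post above points out that user-level malware can persist from a shell start-up file and re-run at every login. As an added example (mine, not from any post in this thread), here is the defensive counterpart: a small audit that lists non-comment lines in a user's start-up files matching patterns that rarely belong there. The pattern list in `SUSPECT_RE` is an assumed starting point rather than a complete signature set, the function names are my own, and the sample `.bashrc` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit shell start-up files for
# user-level persistence. Patterns are an assumed starting point; tune them.

# Assumed indicators: downloaders, raw sockets, decoded payloads, and
# executables parked in world-writable directories.
SUSPECT_RE='(curl |wget |nc |ncat |base64 (-d|--decode)|/tmp/|/dev/shm/|/var/tmp/|nohup )'

# Print "lineno:line" for every non-comment line of file $1 matching SUSPECT_RE.
# Missing or unreadable files are silently skipped.
audit_startup_file() {
    [ -r "$1" ] || return 0
    grep -nE "$SUSPECT_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of suspect lines in file $1 (0 for a missing file).
suspect_line_count() {
    audit_startup_file "$1" | wc -l | tr -d ' '
}

# Audit the usual start-up files under the home directory $1,
# prefixing each hit with the file it came from.
audit_home() {
    for f in .bashrc .bash_profile .profile .bash_login .zshrc .xinitrc .xsession; do
        audit_startup_file "$1/$f" | sed "s|^|$f:|"
    done
    return 0
}

# Constructed sample ~/.bashrc: two legitimate lines, two that should be flagged,
# and a comment mentioning curl that must NOT be flagged.
make_sample_bashrc() {
    cat > "$1" <<'EOF'
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
# the next two lines are the kind of thing an audit should surface
nohup /dev/shm/.x >/dev/null 2>&1 &
echo aGVsbG8= | base64 -d >/tmp/.p; sh /tmp/.p
# curl is harmless here because it is only a comment
EOF
}

# Stand-alone demo: write the sample, audit it, clean up.
tmp=$(mktemp)
make_sample_bashrc "$tmp"
echo "suspect lines: $(suspect_line_count "$tmp")"
audit_startup_file "$tmp"
rm -f "$tmp"
```

Run `audit_home "$HOME"` for a real account; a cleaner follow-up is to compare the output against the same listing taken when the account was set up, since legitimate entries (version managers, agent launchers) will also match and the interesting signal is what changed.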
* If a program crashes, it can overwrite any part of the drive at all, not just your home directory. This could mean it belches over your programs, or worse, your kernel, meaning your computer won't boot.
Yeah, like it's really hard to reimage your hard drive. The Lindows people rightfully pointed out that the most valuable thing a typical user has is his documents, and those aren't protected at all with the UNIX security model.
* If you run a malicious program (like a virus or trojan) it can make changes to the entire configuration of your system, infecting every program on your computer. This can make it impossible to remove without a reinstall. Note: this does not have to mean you explicitly running such a program... a virus could exploit a bug in Gaim or Evolution/KMail to get malicious code to run.
On a single-user machine, making changes to the local configuration is just as destructive.
* If you type a command wrong by accident ("rm -rf /bin" instead of "rm -rf ./bin") you can seriously corrupt your install.
One good reason to be careful. But what's worse, deleting your OS (which takes 15 minutes to reinstall from CD) or deleting a paper you have been working on for the last 6 months?
Those are good points - thanks. I guess I can see the advantage if you were making a limited set of commands available to select users in a multiuser environment. But I still think that exposing all root commands on a single-user box like Apple and Ubuntu is a cracker's dream. Well, OK, that'd be win98, but still. Personally, I'd like to see the user have to enter the root password, or a third 'sudo' password to have access to 5 minutes of root access, but c'est la vie.
Because rm -rf ./bin is too close to rm -rf /bin. You may laugh, but I did this once on a (thank god) non-critical computer. Humans make mistakes, and if I had done that as a user, I wouldn't have had to do a complete reinstall.
Linspire does not run as root. It does allow one to do so -- but so does Fedora, SuSE, and Mandrake. The problem is not with this but having 30 daemons running by default when possibly 7 are needed.
Sigs are nice guns
But it's not just the maintenance of the actual distribution. Web communities like Slashdot will look down on you and only half-heartedly report on your latest achievements -- meaning that thousands of potential customers of you will get less information about you, or even negative commentary. When people want to know "Which distro should I use first?", the kind of people they will ask for advice will probably not recommend you.
Michael Robertson and similar people look down on the open source community. They think it has produced something they can turn into money, but secretly they believe that "they know better" because, if they didn't, why hasn't the open source community already achieved what they set out to achieve? Thus, the decision to make the distro root-only is justified as "user friendly", and people who clearly know what they are talking about are ignored. This leads to the alienation of the community with the aforementioned effects.
A distro maker needs to listen to his users, and be able to distinguish between suggestions from people who have lost touch with reality ("make vi the default editor") and those who have reasonable concerns. Those who do not listen to their users will fail. That is the beauty of competition in a market for a product that is largely community developed and community marketed.
Ubuntu seems like a safe bet at this point. Community developed, with a smart leader and a sufficient amount of money behind it to make it work.
We know damn well why not to run as root.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Well... hell, he was a director of the company, so therefore he was entitled to log in as root on "the company" unix box.... it only seems logical that he should log in as root all the time.
But that was just the start...
Next thing were the permissions on the files/directories that he created. They were just wrong. We couldn't read some files he created that needed to be shared, we couldn't fix the permissions, we couldn't rename or move directories created by him. We couldn't even tell which were his creations.
I chatted to him about "root login issues", but at the end of the day, he was a director.
Finally one day he found the system was short of disk space and noticed that the files in /usr/bin were also in /bin (on AIX).... so he elects himself to clean up one directory.... rm -rf /usr/bin.
And so... one CAN learn from experience.
Unix/Linux Level Description and features:
beginner - has not figured out how to get a directory listing
novice - knows that "ls" will produce a directory listing
- has had his FIRST BAD EXPERIENCE with rm!!!
user - is wondering how to move a directory
- knows how to read his mail and is wondering how to read the news
knowledgeable - has figured out that mv(1) will move directories
- once used sed to do some text substitution
expert - write C programs using vi and compiles with cc
- has figured out what "&&" and "||" are for
hacker - uses adb because he doesn't trust source debuggers
- knows how to install bug fixes
guru - uses adb on the kernel while system is loaded
- reads device driver source with his breakfast - has learned how to breach security but no longer needs to try
wizard - writes device drivers with "cat >" - is on first-name basis with Dennis, Bill, and Ken (and Linux -)
The full list is here: http://www.interhack.net/pubs/unix-user-hierarchy
Cheers
NevilleDNZ
Unix/Linux Level Description and features: :-)
OOPS.... was meant to include Linus:
wizard - writes device drivers with "cat >"
- is on first-name basis with Dennis, Bill, and Ken (and Linus
Root not only has the potential to render the O/S un-usable - it has hardware level access as well.
Not quite so easy to re-flash your bios when your PC won't boot from any devices now, is it?
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
If malicious software is installed by a user, when you type ps ax or use top or whatever gui tool you use to find out why the hell your machine is so slow you will see it running. Then you say "Oh shit! Rebuild time!". If the software gets onto your machine via the root user it can replace all these tools, or even insert a kernel module to intercept syscalls. It could then slowly corrupt all your data over several months (slowly screwing up all your backups along the way), or sit there spewing out spam and DDOS attacks. In the second case the only way to tell something is wrong is that your machine seems slower.
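The "replace all these tools" case above has a cheap cross-check: the kernel's own view in /proc against what ps reports. The script below is an added example, not code from the thread; the function names and the sample PID lists are its own, and it assumes a Linux /proc layout.

```shell
# Added example, not code from the thread: compare the PIDs the kernel
# exposes under /proc with the PIDs that ps(1) reports. A user-space
# rootkit that replaces ps/top can hide a process from the tools but not
# from /proc, so a PID in /proc that ps omits is worth a closer look. A
# kernel module hooking syscalls can lie to /proc as well; this check
# does not catch that case. Function names and sample lists are the
# example's own.

# Print PIDs present in list A (from /proc) but absent from list B (from ps).
# Both arguments are whitespace-separated PID lists, so the comparison can
# be run on captured lists and checked without a race between two scans.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        found=0
        for seen in $ps_list; do
            if [ "$pid" = "$seen" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$pid"; fi
    done
    return 0
}

# PIDs straight from /proc: numeric directory names only.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s ' "${d#/proc/}"
    done
    return 0
}

# PIDs as reported by ps(1), collapsed onto a single line.
ps_pids() {
    ps -e -o pid= | tr -s ' \n' '  '
}

# Live check: anything /proc knows about that ps does not. A process that
# exited between the two listings shows up once; re-run to confirm.
live_check() {
    hidden_pids "$(proc_pids)" "$(ps_pids)"
}

# Constructed sample lists: /proc shows PID 4242 that ps does not list.
SAMPLE_PROC="1 2 1337 4242"
SAMPLE_PS="1 2 1337"
hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS"   # prints 4242
```

Run `live_check` from a trusted shell (ideally with binaries from read-only media) rather than from the possibly replaced toolset; a hit is a lead, not proof.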
and applications requiring root just ask for your password ...
stupid users will still type their passwords in when malware prompts for them, but that's more of a user education issue than anything.
Because telling them to have and use a separate root password, and why, isn't a user education issue?
To me this clever trick is actually a nice way to lose an opportunity to do such an education.
2 or 3 days ago, a newbie on a community forum for another user-friendly distro was complaining that he had to type his root password all the time. He said he wanted to login as root, which the graphical login didn't even permit.
After one hour, he had posts explaining why it was a mistake from a security point of view, from a personal comfort point of view (too late, he had already lost one important directory), explaining how to use su, sudo, kdesu, the "choose another user" feature of KDE, how to use fish and openssh in konqueror to become root, etc etc. In one hour, he was educated, convinced, had ways he could use to go around the trouble IF HE WANTED and therefore, he had been helped A LOT.
This clever trick should happen AFTER a user is educated, at his request, and right now it just prevents that.
I currently have Firefox, Thunderbird, Quanta Plus, Anjuta, and a terminal window open. These are the bare minimum for performing my job and I'm sure nearly every employed programmer is the same.
I doubt there's much overlap between users capable of doing this and users likely to have malware on their machines.
So they only have the ability to delete - or more insidiously, modify - the most important data on the machine ?
Right.
This is actually a very good idea, but very hard to implement with current commercial operating systems without driving the user crazy (log in, log out).
The basic problem is that processes run with the full privilege of the logged in user. This violates the principle of least privilege. Why should your web browser be able to format your hard disk? Overwrite your tax documents? Why should your word processor be able to instantiate a network connection? It's not just access to files, it's access to services. The Java sandbox model goes some way to providing this kind of security.
There is some interesting work on distributed capability systems (based around cryptographically protected access tokens attached to the processes, rather than access control lists on objects with user permissions).
Check out http://www.erights.org/ for some very interesting information on these types of system. It's also the home of the E language - a secure language for building distributed capability based systems.
I think people have not spent a considerable amount of time and effort explaining and educating users about how to use sudo for their necessities and not just su or, even worse, login as root, totally discarding the normal user account, to solve their problems. I spent the first 4 months of my linux life (after I switched from Windows one fine day) without realising that there was something called sudo and running as root all the time in order to avoid all problems. This I think is partly due to the fact that when using a distro, the very existence of something called sudo is hidden. They should make a GUI component or something, through which a normal user can login as root and configure the sudo options that he needs once and for all. A GUI interface like this can make configuring and using sudo more attractive to desktop users and they'll probably not jump to root to satisfy their needs next time! I still remember that day when I was configuring /etc/sudoers in vim. A normal user wouldn't want to do this in vim!
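Whether the sudoers file is edited in vim or through a GUI, the rules that end up in it are what matter. The lint below is an added example, not code from the thread or from the sudo project; its function names, its three risk patterns and the sample sudoers file are its own.

```shell
# Added example, not code from the thread: a small lint for a sudoers file
# that flags the rules a newcomer tends to write when "just make sudo work"
# stands in for running as root. The patterns are this example's own
# choice, not an official sudo policy: commands run as ALL with no
# password, unrestricted ALL=(ALL) ALL grants, and commands that hand out
# a shell or an editor that can spawn one. Such rules are a root login
# with extra steps; narrow per-command rules are what sudo is for.

# Print each risky rule on its own line, prefixed with the reason.
# Comments, blank lines and Defaults lines are not rules and are skipped.
risky_sudoers_rules() {
    file=$1
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    grep -v '^[[:space:]]*Defaults' |
    while IFS= read -r rule; do
        if printf '%s\n' "$rule" | grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'; then
            printf 'passwordless-all: %s\n' "$rule"
        elif printf '%s\n' "$rule" | grep -Eq '\(ALL(:ALL)?\)[[:space:]]+ALL([[:space:]]|$)'; then
            printf 'unrestricted-root: %s\n' "$rule"
        elif printf '%s\n' "$rule" | grep -Eq '(/bin/(ba)?sh|/usr/bin/vim?)([[:space:]]|,|$)'; then
            printf 'shell-escape: %s\n' "$rule"
        fi
    done
    return 0
}

# Number of risky rules, usable as a pass/fail value in scripts.
risky_sudoers_count() {
    risky_sudoers_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample sudoers file (not taken from any real system).
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults    env_reset
# Narrow rules: alice may update packages and restart one service.
alice   ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
alice   ALL=(root) /usr/sbin/service cups restart
# Rules that amount to "run anything as root": the lint flags these.
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(ALL) ALL
dave    ALL=(root) /usr/bin/vim
EOF
risky_sudoers_rules "$SAMPLE_SUDOERS"   # prints the three flagged rules
```

On a real system, point it at /etc/sudoers and the files under /etc/sudoers.d; a syntax check still belongs to `visudo -c`, which this lint does not replace.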
Maybe one should just sudo to user "web" when browsing, reading e-mails and so on. No damage done to your homedir in that case.
Not quite.
It only takes one linux distribution to be unsafe for certain marketing whores to start up the FUD machine and start cashing in on that piece of information. It may be dishonest but that's the way marketing works. While the people in the know will laugh at the idea, the ignorant masses will read that linux, as a whole, is very insecure and move away from it.
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
...that unless and until the difference between root and other levels of access are clearly explained as well as sudo, this will keep on being old news.
Look at the false security of WinXP Home. "Oh, I'm not worried, I can't log in as Administrator unless I go to Safe Mode." So what? The average user's account is Administrator group by default and it's always root access. No end to the misery you can get into. Trojans can get total system access without their coders trying very hard at it. There's a reason they're called script kiddies.
I've said for years that ease of use is the number one make or break thing for the Linux world and it is, but there's no need to sacrifice all the wonderful better things just to make it happen. That's just distro builder laziness. As with the Debian bunch, I'm willing to wait a little for stability and security.
So all you distributors hard at work out there, when you're doing your conceptualizing, try conceiving of a step-by-step welcome on boot explaining this very important thing called security. A little bit of education would go a long way. Hint: try asking some of the people who do CGI out there to make an animated penguin presentation for you if you need help getting the average user's attention.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Well, my point was that people who understand what Unix can do aren't bothered by this crap, and will simply continue to use it correctly. Let those idiots continue to use an idiotic operating system. It's their own fault for not getting the facts.
You are trying to ignore a whole lot of people who don't understand what Unix can do, whether they are regular people or even people which make suggestions about the adoption/migration of software inside a company.
Besides that point, before someone understands what Unix is/can do, that person doesn't understand what Unix is or what it can do. What is the largest group: those who are knowledgeable about Unix or those who are ignorant?
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
I doubt there's much overlap between users capable of doing this and users likely to have malware on their machines.
The graphical easy-to-use task manager uses ps to show you the processes list.
this post contains no useful information, no need to mod it down
Even the most insecure Linux distro is more secure than Windows can be.
You're throwing around the words 'stupid,' 'ignorant,' 'intelligent' rather freely.
Personally, I use the NetBSD packages collection on the systems that I take seriously. I'll also put up a Slackware system where needed for some special case.
In no case have I found the need to use a system that depends on 'RPM' packages.
And when I want to make a NetBSD package from source, I often use the 'make package' command and it makes a binary tarball for me.
But the Linux world has gotten pretty slick lately. I don't like the word 'slick' particularly.
"In no case have I found the need to use a system that depends on 'RPM' packages."
Nor will you. RPM makes life easier for anyone who uses it effectively. You could manually clear out stale temp files on your system periodically as well. I prefer to write a script that automates this. After all, I sacrifice no flexibility since I am the one writing the script.
"And when I want to make a NetBSD package from source, I often use the 'make package' command and it makes a binary tarball for me."
Whatever floats your boat. But there is only one case where that approach offers an advantage over RPM and even that advantage is lost if regular backups of the package database are maintained. There are numerous advantages to using RPM over the BSD system.
"You're throwing around the words 'stupid,' 'ignorant,' 'intelligent' rather freely."
Spending additional time on tasks and doing extra work with NO gain of any kind IS stupid by just about anyone's definition. Unless of course you are doing it all as a hobby and get some sort of glee out of doing the additional work. If that is the case, it is different and more power to you.
If it is NOT a hobby where you like to manage packages the hard way it changes things. Not using package management is like writing a novel with an old non-electric typewriter when you already have a computer with a wordprocessing application sitting on your desk. However, at least it sounds like you are the type who recognized this in a fashion and moved to a system that was not mainstream rather than fighting those who believe in technological advancement.
You offer panaceas, based on your experience and beliefs. However, you insist that you represent The Way Things Should Be.
I actually once OWNED a Red Hat 'RPM' tee-shirt. Not sure where that ended up. I've never been a fanboy, and grew to strongly dislike that packaging scheme. (As a telling aside, I distinctly remember that with Red Hat 5.0, the official distribution from the publisher, the binary for the graphical package management tool, 'glint', was BROKEN on delivery on the 5.0 CD. So you had to actually get down and dirty in command-line RPM to even install the 'fixed' glint RPM to get the 'graphical' tool working. It was an eye-opener about Red Hat's QA effort.)
Look around. There are numerous alternatives to your chosen package management system. Some would argue that RPM is badly broken. You're either a fool or a demagogue for claiming it is THE package management system.
What's an assumption you have made? There _is_ an actual hacker after your data. There are other possibilities.
The hacker may _just_ want to gain root, so they can make your machine zombie #10244 out of #20000 in their DDoS zombie network; erasing your files would not help their cause, in fact, it might quickly alert you to a problem and possibly their presence, making you likely to go lock them out before they got in.
What usually happens is the attacker is just a script, and the same tactics are attempted against all targets. If you follow certain practices that differ from most of the world and minimize your risk compared to others, then maybe sometimes the script attacking you doesn't quite know what it's doing, and you slip by without any impact. Of course, if you fully expose yourself to it, then it could do its worst (a full infection).
If the hacker consists of a web script, erasing your files may not be something they think to do: they may just try to install software, or do something that requires root access, and thus fails.
What's certain here is that running as root is likely to make their attempt more successful, and their intrusion more complete.
Another thing... who says you can just have one user account? You can (and ought to) have more than one account, it's your system, and you can switch between them.
Do your serious stuff as useraccount1, where you keep your private data, and your casual surfing as useraccount2.
Secondly, you can make multiple copies of your data on the system much more easily and conveniently on different accounts than on different media (i.e. you could backup all changes to your user files every 10 minutes or so, though admittedly this would require custom scripting or configuration work)
"Look around. There are numerous alternatives to your chosen package management system. Some would argue that RPM is badly broken. You're either a fool or a demagogue for claiming it is THE package management system."
I never claimed RPM was THE package management system so I will ignore your slander. You apparently aren't even reading my posts. You are advocating source management systems, I am advocating package management. RPM is a fine choice of container format (one that has come a long way since the ancient days of Redhat 5.0 and isn't even really a redhat thing anymore). RPM and glint are two separate pieces of a puzzle so glint bugs really have nothing to do with RPM. RPM is not a graphical system and gui tools are a separate issue. I am also not advocating RPM or Deb or any other specific container format. I'm advocating package management in general over source based systems.
Believe it or not you can distribute aged and trusted packages in rpm/deb containers just as easily as tarballs.
Ok, explain to me how you write garbage all over the BIOS, or mark blocks as bad on your hard-disk, etc as a normal user?
You can't fuck up the bios from the OS to the best of my knowledge -- even as root. If you can, that should be disabled pronto because there is no legitimate reason to write to the bios from within Linux. In any case, there have been very few viruses that managed to mess with the BIOS -- it's pretty hard.
As far as bad blocks all over the hard drive: did you miss the bit about reimaging it? Bad blocks are a filesystem construct, not a hardware feature.
Root not only has the potential to render the O/S un-usable - it has hardware level access as well.
There's not that much hardware-level stuff you can do from the OS. Plus, writing a virus that can do something destructive to the hardware would take more intelligence than virus writers have.
Not quite so easy to re-flash your bios when your PC won't boot from any devices now, is it?
Most motherboards these days have a backup bootloader BIOS that is in permanent ROM for this exact purpose. Just yesterday, I had a BIOS flash go bad because the floppy disk decided to quit. No problem -- the bootloader automatically started and booted off the floppy.
Anyway, software should not be able to completely destroy any hardware. This would simply be bad hardware design. What if a driver goes nuts and decides to reflash the BIOS?