Michael Robertson Says Root is Safe
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
In the article, Michael defines security as the (in)ability to access personal data. In that respect, he's probably right. But I think he oversimplifies the real question of allowing the users to run under the one account that could really screw up their machine.
He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.
http://nerdfortress.com/
1) It protects you from yourself. Nobody's perfect all the time.
2) It limits damage from exploits. Go ahead and be root if you aren't networked and never insert media, or are running a perfectly-secure OS.
3) It protects you from another user's malice. N/A for single-user machines.
Examples of when it is OK to run as root:
1) many non-networked embedded systems, e.g. your microwave oven
2) the DOS box in the corner your kids play DOOM I on.
3) Demo machines at trade shows, but only if they are not networked and have no removable media.
Other examples where running as root isn't advisable but the damage is greatly mitigated include read-only systems like Knoppix.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I knew Michael Robertson in college and he was a technological lamer and pretty much an A-hole. And he doesn't appear to have changed much. He's cobbling together whatever technologies he can get his hands on and then shamelessly pimping^H^H^H^H^H^H^H self promoting whatever his latest project is regardless of merit.
He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.
It was several years before I realized that it was the same Michael, but I visited the website and found his picture there - in multiple super high resolutions - seriously, why would I want a 1435x1980 pixel image of him?
Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*
Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...
=tkk
Bill Gates - Creationist?!?
I think this is the fault of the command not asking for confirmation. I mean Format C: will at least ask you if you are sure. It's not like you have to clear the root directory that often that this would be a pain.
Philosophy.
Almost word for word, this guy has been posting this same text around different sites for 2 years. It has sort of reached goatse status (i.e. effing annoying). Just ignore it.
- MySQL, for instance, runs as a separate user. [...] For instance, keep your accounting files under a different user
Well, sure, but most Linspire users probably don't run MySQL or keep accounting files for a business on their Linspire box. I mean, from the article, it's clearly aimed at Grandma, who wants to web surf and send e-mail.
- Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.
Same comment. Grandma isn't running a server, or using phpMyAdmin.
- Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful.
Well, the point he's making in the article is that on a personal desktop machine, it's the data in your own user account that's valuable. The exploitable program running as user gramma can still delete all of Gramma's files, without escalating to root.
- rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.
Well, Gramma's not likely to type that obscure command anyway. But even if she's not root, what if she types rm -Rf ~? From her point of view, on a single-user machine, that's just as bad -- she's back to a fresh install. And remember, when Gramma fires up her Linspire box for the first time, she doesn't have any services turned on, so actually there's not much that anyone from the outside can do without convincing her to execute an e-mail attachment or something (which Linux mail readers typically don't make it easy to do casually). Give her a hardware router between the machine and the wall, and bang, she's got a pretty decent hardware firewall as well (and it's a firewall that she doesn't need to configure or maintain).
And suppose Gramma creates a root account, but the password she chooses is her dog's name, because she figures nobody can guess that? If I was helping her set things up, I'd be more concerned with explaining to her about how to choose a good password than with convincing her to set up a separate root account.
Actually I think MacOS X has done a really nice job on this kind of stuff, and their strategy should probably be emulated, especially by distros aimed at home users. Everything is done using sudo. Any time you want to install a printer driver or whatever, it makes sure you're a user who's got administrator privs, and it makes you type in your password. For example, on my wife's MacOS X box, she and I both have admin privs, but our kids don't. I can't even remember the last time I had to do an su root on her box.
That's why you set the /home directory to non-executable. No program, including rm, will walk into it unless you are root. Note that this doesn't affect the ability of non-root users to access any correctly permissioned sub-directory of /home.
Elevators go up and down. The only thing that straightforward on a computer is the CD drive (and even that sometimes causes my system to freeze :-) )
I'm not suggesting that the usability of computers cannot be improved; far from it. But just as some people are simply very bad drivers, some people will not be able to use some programs because they don't have the training, they aren't willing to practice, or they just don't "get it". Trying to cater to these people by writing programs that a 5-year-old could use probably results in programs that only a 5-year-old would want to use.
In that case, I think running in administrator mode just makes it harder to remove the infection. I think it's trivial to trojan people into running bots that run in user space rather than system space. It's just not necessary to make such a program because it's easier to assume they are running as admin.
What I'd be interested to know is if there's a means to switch between user sessions on a Linux system without logging off. This is something I actually miss from XP.
I suppose that I could rig something that required multiple X sessions that you go between by hitting the CTRL-ALT-F# keys. However, it'd be nice to have something that simple folk can use.
Your courageous and selfless spelling corrections have made me a better person.
Even better, firemen and other individuals with authority can gain "root access" by using a key and thus gain full control of and override ability on the elevator.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
I hope I can remember the details of this correctly. Here goes. Some time ago (maybe 5 years ago) I was running linux on a ppc box. I wanted to play a .au file. The sound device was something like /dev/scd. All I needed to do was
cat soundfile.au > /dev/scd
I typed
cat soundfile.au > /dev/sda
Whoops. Yes, there is a reason not to run as root. I admit the mistake was dumb but if I wasn't root I would have been protected from myself.
The "users should have to learn" mentality is what keeps computers complicated and difficult to use.
Actually, my opinion is and always has been that assuming users are stupid and incapable of learning the most basic idioms is the real problem with computing. I mean, if we can't even expect to teach people what a "directory tree" is and means, how do we expect them to learn to organize information? Sure, google can claim you should "search instead of organize," but the fact remains there are times when searching is useful and times when indexing and organizing are useful. Knowing both is computing 101.
The trick for developers is creating minimal yet powerful knowledge-space for users to occupy and NOT CHANGING IT! (Note: this doesn't mean the back-end doesn't change, just that the controls remain familiar... and every change is designed specifically to make usage easier, and with an eye toward disruption costs.)
I mean really. The basic distribution model:
1) Download application to known location.
2) Execute application at known location.
Hasn't changed since the very first personal computers, so why is it we even need things like ActiveX? (ie: if it's worth running, it's probably worth the trouble to purposely install...)
Note: For moving around a lot or for organizations, replace "application" with "application suite".
And food for thought: Why can't I just grab the contents of my "programs" directory and move it to a new machine?
"It is simply not worth it; whatever the problem is, ActiveX is never the solution :-)"
*Sigh* This is what I'm talking about! I know AX ain't great. I'm no fan of it, either. But when it's needed, it's NEEDED. Since OO and FireFox wouldn't support it, we had to use a MORE INSECURE office and browsing app! You cannot honestly tell me that the OSS Community couldn't develop something to support AX and maintain security. Heck, all it would really need is to be off by default and the user has to either turn it on or install a special module. I don't care. It certainly would have been infinitely better than what we had.
Whatever. I seriously doubt this has been given serious consideration. Flipping off MS is fun, but you're also flipping off some people who can't switch.
"Derp de derp."
Default turned off. If a page has some activex thingys, block, display small text that a thingy was blocked. If user wants to run it, click here and blabla, the url gets added to "Allow" list. Done. Other platforms need not even bother.
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
There have been some very good research projects done on how to build a more secure system, and some of the most amazingly effective ones have been the ones that challenge the basic assumptions of "best practice".
MIT Kerberos takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.
Capability-based systems essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.
Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1, 2). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
The new netscape based on firefox is supposed to support AX on windows.
Transgaming is working on a mozilla plugin for AX, for linux running winex / cedega.
For openoffice, I think macros (with import from ms formats) would be more useful than AX (who uses AX in a document?)
- Ost
---- Sig. gone.
However, activeX is a security nightmare. And regardless it *IS* a proprietary MS extension -- and nobody wants to A: support MS and their bullcrap, B: Firefox has a reputation as a secure alternative to IE. If FireFox supports the hopelessly insecure ActiveX -- they really have nothing to offer anyone anymore as their reputation is *done*.
Religion is a gateway psychosis. -- Dave Foley
I'd like to add the fact elevators didn't always have light-up buttons labelled for each floor. There used to be a lever to make it go up or down. Stopping at a floor was a skill. It was more convenient to have an operator than have people miss the floor by 3 feet and break their ankles climbing out, or maybe cutting each other in half by accidentally bumping the lever when exiting.
Now there is a much simpler and intuitive interface that anyone can use, so a dedicated operator is not needed (though I hear Congress still has elevator operators so those busy politicians don't have to worry about breaking their nails, or something).
If you had a computer with a set of buttons for each of a few trivial operations available to the user, and those are the only operations, it probably doesn't matter if you run as root or not.
Such a system would also suck as a general purpose home computer.
If you're going to do anything beyond trivial actions, and perhaps getting into complex stuff that you don't necessarily understand, it's probably best NOT to be running as root.
Think of it as 2 sets of operations:
- the ones that can mess up your stuff
- the ones that can mess up the whole system
Both sets have the ability to wipe out your data, but the latter can wipe out other people's data, critical system files, raw hard drives... pretty much screw your data, and your machine.
Both your user account and root have the ability to mess up your stuff. A regular user account typically cannot mess up other accounts' data or the operating system, without using "su" or "sudo" or some other method to escalate privileges.
MacOSX has root separate from the user account. A user can be an "Administrator", which gives the user sudo capability. GUI operations (software installs, editing user accounts, and other system configuration) do a graphical equivalent to sudo, prompting the user for their admin password. It's not that complicated. It's an extra layer of protection, and lets the user know that they're doing something out of the ordinary. It's not that complicated.
Even my parents understand it.
There is an issue you've not addressed. How about when your data is not the target? (Honestly, most people's data is not worth stealing).
What if an attacker just wishes to compromise your machine and use it to attack other machines, relay spam, etc? This is a huge problem with Windows.
"That's some catch, that Catch 22." "It's the best there is."
Nice try. ActiveX is nothing more than simple COM. It is not very difficult to use Java or XPCOM to communicate to ActiveX controls, and vice versa. Try again.
> Lack of ActiveX support actually prevented my previous company from switching
> to OpenOffice or Mozilla. The attitude that it's better that these two apps
> don't support it seriously pisses me off. If Microsoft can't get away with
> being arrogant, then the OSS Community can't either.
Arrogance has nothing to do with it; this decision is about (and can only be about) security. Applications that care about security *cannot* support ActiveX, full stop.
It's not just better; it's *VITAL* that they not support ActiveX. If Mozilla for instance did support ActiveX, anyone even the slightest bit conscious of basic security issues would migrate away to another browser immediately (Opera, most likely). If you think ActiveX is a good thing, you have no idea what ActiveX is, or no understanding of security at all. Fundamentally, by design, ActiveX allows any website you visit to do, quite literally, whatever it wants on your computer[1]. A well-behaved site is *supposed* to be nice and just draw stuff in the browser window, but fundamentally it can do whatever it likes, because that's how ActiveX was designed. Microsoft created ActiveX during the era when they considered security to be 100% Somebody Else's Problem, so they didn't give this a second thought; now that they are making some attempt to take security seriously, they regret ever having developed ActiveX in the first place; sooner or later they will have to discontinue support for it in a service pack or upgrade, because there is no secure way to support it.
It was a mistake for Microsoft to develop ActiveX and start supporting it; it would be a mistake for *any* application to support it that doesn't already, and the ones that do already (mainly, MSIE) will eventually have to bite the backward-compatibility bullet and stop supporting it. Mozilla.org absolutely cannot afford to make that kind of mistake; security has been and is one of the major factors driving Firefox adoption; if Firefox supported ActiveX, it would actively lose most of its market share virtually overnight. That kind of wide-open security hole is never EVER worth the risk. OpenOffice *might* be able to get away with it better, because it is used mostly with internal documents, not content off the internet, but it would still be a major security headache, and not supporting ActiveX is still substantially the right decision.
Lack of ActiveX support is not about lack of developer time; it is not about needing to reverse-engineer protocols; it is not about platform parity; it is not about open standards, and it is certainly not about arrogance; it is about security, and it is so essential to security that no other issue can matter.
It is Windows users who would suffer if these applications supported ActiveX on Windows. Yes, Windows has other security problems, but ActiveX dwarfs relatively little things like Shatter attacks (a form of privilege escalation attack that exploits a design flaw in the Win32 API), because it is so much easier to exploit; it is not so much a security vulnerability as a complete abdication of all pretenses of security. Right now, Windows users have a choice; they can use MSIE, and pray nobody ever sends them a link to a site with a less-than-scrupulous webmaster, or they can download a browser with basic security. Don't take that choice away from them.
---
[1] The design has now had user approval retrofitted onto it, so that a site now can only do whatever it wants after the user frobs the "Ok" button. But the user (and the computer, for that matter) has no way to tell before doing so whether the site intends to draw pictures in the browser window, scroll text across the status bar, or scour the user's Documents directory for credit card details and other personal information and send it back to the site. In fact, it's not easy to tell what a site's ActiveX programs (called "controls" in ActiveX parlance) have done even afterwards.
Cut that out, or I will ship you to Norilsk in a box.
What I don't understand is why the *nixes don't implement something like the Mac's trash can.
Create an invisible directory under each and every mount that is called .trash, and when *any* user does *any* rm command, instead of deleting the files outright, simply move them into the .trash directory.
First, notice that if you run "rm" on Mac OS X, even it won't use the trash can.
The behavior of Linux and Mac is actually quite similar in this instance. On either platform, removing a file with the GUI tool brings it to a trash holder, but the command line deletes immediately.
Simple, practical obstacles: ~/.trash won't work for files which are on other disks, network shares, removable media, etc. It would have to move the file to the same hard drive as your ~ directory first, which will at best take time, and at worst will overfill your own disk.
More fundamental, and historical, explanation: Unix was designed as an operating system, a framework for applications. To keep the job manageable, they added in things that were necessary for the OS (like files, copying, and deleting), but not things that could be better handled at the application level. ~/trash is GUI sugar: just a minor way to make it more difficult for users to input commands that they likely didn't intend.
So, then the question becomes, why did application-level implementations of a two-stage file deletion become popular? And here, the answer is the old canard "Good is the enemy of great". Because the native "rm" command was adequate for more than 98% of all usages, there was little demand to shift to something more complex, even if it would be occasionally safer.
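As an added example (not code from any poster in this thread), here is a Python sketch of the per-mount .trash scheme proposed above, written so that the cross-disk objection in the reply does not arise: a file is renamed into a .trash directory at the top of its own mount, and because os.rename never copies across filesystems, a cross-device move fails with EXDEV instead of silently filling another disk. The directory name, the helper names and the demo scenario are assumptions made for this example.

```python
"""Per-mount trash instead of unlink, as discussed in the thread (added example)."""
import os
import shutil
import tempfile
from pathlib import Path

TRASH_NAME = ".trash"   # hidden directory at the top of each mount (assumed name)


def find_mount_point(path) -> Path:
    """Walk upward from path until a mount point (or the filesystem root) is reached."""
    p = Path(path).resolve()
    while not os.path.ismount(p) and p.parent != p:
        p = p.parent
    return p


def trash_dir_for(path, mount_root=None) -> Path:
    """Trash lives on the same filesystem as the file, so no cross-disk copy is needed."""
    root = Path(mount_root) if mount_root is not None else find_mount_point(path)
    trash = root / TRASH_NAME
    if not trash.exists():
        trash.mkdir()
        os.chmod(trash, 0o1777)   # /tmp-style: anyone may add, only the owner may remove
    return trash


def safe_rm(path, mount_root=None) -> Path:
    """Move path into the trash of its own mount instead of deleting it.

    os.rename only works within one filesystem; across devices it raises
    OSError(EXDEV) rather than copying, which is exactly the behaviour wanted here.
    """
    src = Path(path)
    if not src.exists() and not src.is_symlink():   # dangling symlinks are still removable
        raise FileNotFoundError(src)
    trash = trash_dir_for(src, mount_root)
    dest = trash / src.name
    n = 0
    while dest.exists() or dest.is_symlink():   # keep earlier deletions of the same name
        n += 1
        dest = trash / f"{src.name}.{n}"
    os.rename(src, dest)
    return dest


def restore(trashed, target) -> Path:
    """Put a trashed entry back; refuse to clobber anything that now lives at target."""
    target = Path(target)
    if target.exists() or target.is_symlink():
        raise FileExistsError(target)
    os.rename(trashed, target)
    return target


def empty_trash(mount_root) -> int:
    """Permanently delete everything in this mount's trash; returns the entry count."""
    trash = Path(mount_root) / TRASH_NAME
    if not trash.is_dir():
        return 0
    count = 0
    for entry in trash.iterdir():
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()
        count += 1
    return count


def demo() -> dict:
    """Run the scenario in a temporary directory standing in for a mount point (constructed)."""
    root = Path(tempfile.mkdtemp())
    try:
        doc = root / "home" / "gramma" / "taxes.txt"
        doc.parent.mkdir(parents=True)
        doc.write_text("2004 return")
        first = safe_rm(doc, mount_root=root)          # -> <root>/.trash/taxes.txt
        doc.write_text("2004 return, take two")
        second = safe_rm(doc, mount_root=root)         # -> <root>/.trash/taxes.txt.1
        restore(second, doc)                           # the newer copy comes back
        return {
            "first_in_trash": first.parent == root / TRASH_NAME,
            "first_content": first.read_text(),
            "names_differ": first.name != second.name,
            "restored": doc.read_text(),
            "emptied": empty_trash(root),              # only the older copy is left
        }
    finally:
        shutil.rmtree(root)
```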
When finally you are shopping around for disk space, only then do you consider emptying the trash.
Unix is a server-oriented OS, both historically and still today. Servers are expected to go weeks and months without a user sitting at them. Needing a person on-hand to Empty Trash just because the webserver has been creating and deleting a bunch of cache files is a bad thing.
One would not do such a thing in Mac OS X."
Granted, I use Finder to delete files 95% of the time, but on occasion I use the rm command to delete. Not only can I not undo this, rm does not act the same way Finder's delete does. rm does not put files into the trash.
This seems like a design flaw. The Mac is a great platform (my Tiger DVD is in the mail, I am hooked) and the Tiger features that make mv and cp more Mac-native are great. Having said that, the GUI operations that have a CLI counterpart (delete in Finder vs. the rm command) should operate the same way and be interchangeable wherever possible.
Actually, Robertson is right.
He said "why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. "
Obviously he is talking about single user computers, as most PCs are. If you have a single user computer, when your user account is penetrated, your root account is penetrated next time you su.
The last step in a Linspire install, which apparently no one in this thread has done, is to set up user accounts for a multi-user system. If it is a single user system, there is NO additional security to setting up a user account.
My data is the most important thing for me. I can reinstall Linux in 15 minutes, but my data is irreplaceable.
Peter
Ubuntu does this too. The default installation has the root account disabled for login purposes. What few administration tasks require root access are done through sudo, using the user's password for authentication. Login could just as well be automatic.
I fail to see entirely what Linspire needs continuous root-level access for.
When one RTFA they will notice that Robertson is talking about a desktop system. Having users log in as some root/admin account is not a big deal because the only thing valuable on that system is the data stored as the only user on their system. Obviously he's not saying "run apache as root". In fact he implies it would be a very bad idea to allow things like a webserver to have write-access to a user's data!
Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all users' information. Although these days a family computer has multiple accounts on it, Little Timmy's and Mom's data is separate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.
Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.
“Common sense is not so common.” — Voltaire
Obviously his answer is Market Force driven and non-technical. He ships as root; he doesn't want to sacrifice his product's perception. He'll never say anything else.
Would you expect the CEO of Exxon to openly state that there is something called Global Warming and it is necessary for everyone to stop driving gasoline powered cars?
Certainly not until they have the answer. It may be that Linspire is working on changing this for real, but it won't be openly discussed.
You can get firefox to use active-x. It just doesn't do it by default. There's some stuff you can change in your profile to make active-x stuff work. It's not a good idea, but it can be done. As for openoffice, well, I'm not sure there. But if running compiled code in your office suite is something you can't live without, maybe you need to review the reasons behind doing stuff like this in the first place.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
The stupidity of this position is very easy to explain. He's claiming that the worst thing (losing user data) is the only thing to worry about. Since non-root doesn't prevent that, let's get rid of it.
To use his own analogy, if the worst thing that can happen in a car is to run into a wall, then why have door locks? Whether you have locks on the door or not, you're still going to die. And they make it hard to get into the car, so let's get rid of them.