Why does nothing rhyme with Linux???

Monday, January 02, 2006

My Opinion on Running as Root

I think it's no secret that I'm against primarily running as root. I outlined this in my recent post, "Toying with Linspire". Jon left a comment on that. For the most part he agreed with me, but disagreed about running as root. I started writing a reply, but it got long and I decided that it really deserved its own post, so here it goes.

Before I start here, let me fully quote Michael Robertson (former CEO of Linspire) from the same question I did before (I cut off the beginning last time).

Jo: On the security front, I noticed during the presentation that you were running everything as root. Is that really a wise idea, to train users to run everything as the one user who can mess everything up whenever they feel like it? Should you not try to teach them one basic UNIX security idea, that you really don't want to run things as root?

Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out where a machine that's run with the root user could be compromised. It couldn't be.

Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.

I can think of a few good scenarios where it is a good idea to not run as root.

Take the typical Linspire scenario - you want a cheap computer. Unless you want to buy more than one or already have a computer, chances are this will be a family computer. Having separate user accounts just makes sense, because you will almost always have different needs than Billy, who spends most of his computer time playing TuxPaint and various games. You don't want him getting in and messing with work documents or anything else you may have in your account.

I definitely see Michael's point, but he's missing one critical factor: frustration. If you're running as root and a virus comes by and deletes everything on your hard drive, it's frustrating enough that you've just lost all of your data. On top of that, you now have to go back and install the whole operating system over again. Then you have to install all your programs again. This is a problem that can be completely avoided simply by running as a regular user. If you were running as a regular user, your files would still be gone, but it would only take a couple of minutes before you'd be using the machine again. On top of that, all your programs and libraries would still be there. If you're a good user and create backups regularly, it would only be another few minutes before you would be editing your documents and surfing with your bookmarks.

And there's another factor he's missing too: other people's frustration. It is very typical for more than one user to share a PC. If everyone uses the same root account, all of their data would be gone too from the same scenario described above. If everyone who used the computer had separate accounts, the virus would be isolated to the user that ran it. It would not affect anyone else.

Michael does make a good point, though: running as root does make certain tasks easier. Setting the clock, for instance, is one common thing that requires root permission. But he is overlooking a great tool which I, being an Ubuntu user, have come to love: sudo. Sudo can be set up for multiple users so that each of them uses their own password for root tasks, rather than a separate root password. It also will not ask you for a password more than once within a certain amount of time. On top of that, it can also be configured to run without a password at all. This isn't as secure, but at least it's controlled this way (and it's probably possible to disallow executions of certain commands, like 'rm -rf /').
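
As an added example (not code from the original post), here is a small Python audit of the sudoers settings just mentioned: the password cache timeout (`timestamp_timeout`), the `NOPASSWD` tag, and the attempt to forbid specific commands. The sudoers text is a constructed sample with hypothetical users `billy`, `mom` and group `family`, and the parser only handles the common one-line forms (no aliases or line continuations). The one caveat worth knowing is that sudoers' `!` negation (`ALL, !/bin/rm`) is not a real restriction, because the user can copy the forbidden binary under another name and run the copy; the sudoers manual itself documents this limitation, so the audit flags it and the safe form is an explicit allow-list of commands.

```python
"""Audit a sudoers fragment for the settings discussed above.

Added example, not part of the original post. The sudoers text is a
constructed sample (hypothetical users 'billy', 'mom', group 'family');
only the common one-line forms are parsed.
"""
import re

# Constructed sample sudoers content (not from any real system).
SAMPLE_SUDOERS = """\
# How long (minutes) a successful password check is remembered
Defaults    timestamp_timeout=15
Defaults    env_reset

# Weak: any command, never asks for a password
billy   ALL=(ALL) NOPASSWD: ALL

# Looks restrictive, but '!' negation is not a real restriction:
# the user can copy /bin/rm elsewhere and run the copy
mom     ALL=(ALL) ALL, !/bin/rm

# Better: the user's own password, and only the admin tasks actually needed
%family ALL=(root) /usr/bin/hwclock, /usr/bin/apt-get
"""

# user_or_group  host = (runas) TAG: cmd, cmd
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (defaults, specs): Defaults as a dict, user specs as dicts."""
    defaults = {}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("Defaults"):
            for item in line[len("Defaults"):].split(","):
                item = item.strip()
                if "=" in item:
                    key, value = item.split("=", 1)
                    defaults[key.strip()] = value.strip()
                elif item:
                    defaults[item] = True          # boolean flag such as env_reset
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue                                # alias lines etc. are skipped
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        specs.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",
            "tags": tags,
            "cmds": cmds,
        })
    return defaults, specs


def audit(text):
    """Return human-readable findings for the weak patterns discussed above."""
    defaults, specs = parse_sudoers(text)
    findings = []
    timeout = defaults.get("timestamp_timeout")
    if timeout is not None:
        try:
            if float(timeout) < 0:   # negative means the cached credential never expires
                findings.append("timestamp_timeout is negative: cached credentials never expire")
        except ValueError:
            pass
    for s in specs:
        who = s["who"]
        if "NOPASSWD" in s["tags"] and "ALL" in s["cmds"]:
            findings.append(f"{who}: NOPASSWD with ALL is equivalent to always being root")
        negated = [c for c in s["cmds"] if c.startswith("!")]
        if negated and "ALL" in s["cmds"]:
            findings.append(f"{who}: ALL minus {', '.join(negated)} is not a real restriction; "
                            "list the allowed commands instead")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print("WARN", finding)
```

Run against the sample, the `billy` and `mom` lines produce warnings while the `%family` line does not; to check a live system you would pass the output of `visudo -c` or the file contents in place of `SAMPLE_SUDOERS`.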

I really hope Linspire does something about this. Teaching users that they should run as root is unacceptable. At the very least, during installation (not the initial setup) they should ask you if you want to create normal user accounts and explain that it is more secure to run as a normal user.

And then they should work on improving their boot speed. That's just pathetic.

6 Comments:

  • At 1/04/2006 12:08:00 AM, Blogger elf's DH said…

    Running as a user account also protects against self-installing malware. One thing M$ has right is that when Linux becomes more popular, it will become a more attractive target for attacks. When that happens, the first computers to go will be the ones that are running desktops as root. As root, anything a user downloads or any application level exploit can start system-wide servers, alter system files, install kernel-level drivers etc.

    Users may not even notice what's happened. Lots of malware doesn't destroy data; in fact, a lot of malware is intended to steal data. Running a desktop as root leaves a system a lot more open to zombification and spyware.

    Having an extra "inconvenience" (read: thought-requiring step) in software installs and system changes is a small price to pay for a system free of viruses and spyware.

    By the way, Mac OS X integrates a sudo password prompt into all requests that require superuser privilege (eg, system changes and software installs).

  • At 1/04/2006 11:01:00 AM, Anonymous Anonymous said…

    The first time you have your son or daughter "accidentally" delete everything in your /home folder, you'll appreciate the benefit of NOT running as root.

    The argument is, your data is the most important part of your system. Well, unnecessarily risking said data to another user's "accidents" is a silly thing to do, in my opinion.

  • At 1/05/2006 04:03:00 PM, Blogger Justin said…

    I sense a comment war brewing...

  • At 1/06/2006 07:24:00 AM, Anonymous Anonymous said…

    True, but that's a benefit of running with more than one user account regardless of whether one of them is the root account or not.

    Huh? Wait a minute. It sounds as though you're trying to have your cake and eat it, too.

    I thought the argument was that using desktop Linux as a User (rather than Root) added a level of complexity that makes the environment cumbersome (adding a printer or installing software, etc.) for the user. And that it's only the user's data that's really important.

    But now you're saying that it's beneficial to run separate user accounts to protect data.

    I don't get it. If everyone else in your house/office is using User accounts, then what's the point of picking someone to run as Root? Why not just use Root when you NEED to use Root.

    In this scenario, I think you'd be better off to just give everyone a User account and put your Root password on a sticky note stuck to your monitor.

    OR don't set up User accounts, and everyone logs in as Root. Which is what Linspire's method is.

    I think the idea of running as Root but using User accounts is a bit contradictory.

    This really sounds like a Microsoft ploy to me.

  • At 1/07/2006 01:59:00 PM, Anonymous Anonymous said…

    Got-chya. My comments are probably more directed to the Linspire philosophy of doing things.

    I don't believe in setting people up to fail just because it's the easier route or makes for more sales.

    Yes, I guess you can call me an idealist.

  • At 1/08/2006 02:12:00 AM, Blogger elf's DH said…

    Lafff...no war here.

    No war here from my side. I'm just curious about finding out how strong both cases are. :-)

    Re: users - OK, I think we agree - I'm probably just picking nits. I guess my point is that if there are 5 users of the system and everyone runs under the 'Tom' account, then all five users are at the mercy of each other's mistakes.

    Agreed. But, I think we all agree that this is not the way one should set up a system.

    Re: Depth - Agreed. Not running as root is only one in a set of strategies that should be followed (in my opinion). I'm curious about your statement that an exploit can't run at startup though. As a normal user, I can assign applications to start when I log in via Konqueror. Can an exploit not do the same thing?

    (1) I was referring to system startup, not login. Probably no difference for many users, but I leave my computer on and not logged in. There's no difference on a single-user machine. There's a big difference on a multi-user machine. The process that runs at log-in will terminate at log-out. If the infected user's process happens to be a keylogger and the computer is then turned over to another user who buys something online with a credit card, this could be a major problem.
    (2) Most exploits don't take into account all possible situations. They attack the most common configuration. So, while you use KDE, with its set of config files, someone else might use GNOME, and it has a different set of config files. The more specific an exploit has to be, the less likely it is to propagate in the wild. An exploit running with root access has to be much less specific in what to attack.

    You also bring up a good question that I haven't really heard anyone address in this conversation before: what's the big advantage to running as root? I hear lots of 'run as root' advocates whining that they have to type in their root password to change their system time (how often do they need to change the time, honestly?)

    This is something I don't understand. Instead of running as root, why not just put a nice, graphical wrapper around sudo when an administration task is required? It's exactly what Mac OS X does, and it works very well there.

    about the advantages of running as root all the time.

    Theory: on a badly set up system, users don't have access to things they actually *use*, like the audio card?

    This is why I don't put a lot of stock in things like processes showing up in ps and stuff like that. I don't think most computer users know (or would care if they did) how to check their processes.

    At some point, something will happen and they will call in a tech, or, at least, the somewhat-knowledgeable user next door. Windows-based malware attempts to hide itself to fool the somewhat-knowledgeable user and above. I'd rather that user's cleanup job be easier: "Hey, did you know that you're running SendMyCreditCardNumbersToBoris?" :-)
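
The exchange above turns on the difference between something that starts at login (a per-user entry that ends at logout) and something that starts with the system (root-owned, affecting every user), and on making the "did you know you're running X?" cleanup easy. As an added example, not code from the original post or its commenters, the Python script below inventories desktop autostart entries by that scope. It assumes the XDG autostart layout (per-user entries in ~/.config/autostart, system-wide entries in /etc/xdg/autostart), and builds a constructed demo tree under a temporary directory so it runs offline; the "updater" entry in the demo is hypothetical, not a real indicator of anything.

```python
"""Inventory desktop autostart entries by scope (login vs system).

Added example, not part of the original post or its comments. Assumes the
XDG autostart layout; the demo tree and its entries are constructed.
"""
import configparser
import os
import tempfile
from pathlib import Path


def parse_desktop_entry(path):
    """Return the Name/Exec/Hidden fields of a .desktop file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path, encoding="utf-8")
    if "Desktop Entry" not in cp:
        return None
    sec = cp["Desktop Entry"]
    return {
        "name": sec.get("Name", path.stem),
        "exec": sec.get("Exec", ""),
        "hidden": sec.get("Hidden", "false").strip().lower() == "true",
    }


def scan_autostart(home, system_root="/"):
    """List autostart entries with their scope and a few ownership facts.

    'login' entries live in the user's own ~/.config/autostart and run only
    while that user is logged in; 'system' entries in /etc/xdg/autostart are
    root-owned and apply to every user's login.
    """
    home = Path(home)
    locations = [
        ("login", home / ".config" / "autostart"),
        ("system", Path(system_root) / "etc" / "xdg" / "autostart"),
    ]
    entries = []
    for scope, directory in locations:
        if not directory.is_dir():
            continue
        for f in sorted(directory.glob("*.desktop")):
            info = parse_desktop_entry(f)
            if info is None:
                continue
            st = f.stat()
            exec_path = info["exec"].split()[0] if info["exec"] else ""
            info.update(
                scope=scope,
                path=str(f),
                owner_uid=st.st_uid,
                # a program that lives under the user's own home is worth a second look
                exec_in_home=exec_path.startswith(str(home) + os.sep),
            )
            entries.append(info)
    return entries


def build_demo_tree():
    """Create a constructed demo tree and return (home, system_root)."""
    root = Path(tempfile.mkdtemp(prefix="autostart-demo-"))
    home = root / "home" / "billy"
    user_dir = home / ".config" / "autostart"
    sys_dir = root / "etc" / "xdg" / "autostart"
    user_dir.mkdir(parents=True)
    sys_dir.mkdir(parents=True)
    # hypothetical per-user entry whose program sits inside the user's home
    (user_dir / "updater.desktop").write_text(
        "[Desktop Entry]\nName=Updater\n"
        f"Exec={home}/.cache/.x/updater --quiet\nHidden=false\n"
    )
    # ordinary system-wide entry
    (sys_dir / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nName=Network\nExec=nm-applet\n"
    )
    return str(home), str(root)


if __name__ == "__main__":
    demo_home, demo_root = build_demo_tree()
    for e in scan_autostart(demo_home, demo_root):
        note = "  (program under home directory)" if e["exec_in_home"] else ""
        print(f"[{e['scope']:6}] {e['name']:<10} -> {e['exec']}{note}")
```

On a real machine you would call `scan_autostart(os.path.expanduser("~"))` instead of the demo tree; the point of the scope column is the one the comment makes: a login-scope entry only ever runs as the user who owns it, while a system-scope entry needed root to put there.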
