using root as default user?

whittlers · 2024-03-07 04:26:24

if

- i already have sudo "ask for password" disabled (vulnerability (?))
- i am the only person that has access to my computer
- all my valuable files have no root permissions; they are in home

i am not a sysadmin, why am i supposed to use my computer with permissions?

beside the natural, like having to live with permanent messages of "running as root is dangerous" and everything being build/designed against it

schard · 2024-03-07 07:02:31

whittlers wrote:

- i already have sudo "ask for password" disabled (vulnerability (?))

Yes. It makes it easier for malware to escalate privileges as it just needs to run sudo if you have passwordless authentication enabled for *any* program.

whittlers wrote:

- i am the only person that has access to my computer

That's a misconception. If your computer is connected to the internet, other people have access to your computer in some form or another.
Most of those can be considered safe, but occasionally there are security issues in software.
If that happens, it's good to have another form of protection in place to minimize the damage that can be done.
Running software on your machine with the least possible privileges has proven to be very effective at that.

whittlers wrote:

- all my valuable files have no root permissions; they are in home

They will, when you're exclusively using the root account.

whittlers wrote:

i am not a sysadmin, why am i supposed to use my computer with permissions?

See above.

whittlers wrote:

beside the natural, like having to live with permanent messages of "running as root is dangerous" and everything being build/designed against it

What?

whittlers · 2024-03-07 07:36:32

ok, but i kinda feel the same way

with

all my valuable files have no root permissions; they are in home

i meant that all the files i care about being stolen, are in $HOME, unprotected, accessible without permissions

you don't need permissions to run `tar -cf home.tar $HOME; upload_to_the_internet < home.tar`

i didn't think of this in the beginning, but i remembered this xkcd comic https://imgs.xkcd.com/comics/authorization_2x.png

maybe i should chown -R root my personal media (and activate the password)... if that doesn't make sense, then i'm at the beginning

if the password + sudo protects me, i need to see an example of how specifically it avoids a program from stealing my files

schard · 2024-03-07 08:17:44

whittlers wrote:

i meant that all the files i care about being stolen, are in $HOME, unprotected, accessible without permissions

Then you're doing something wrong. Files in $HOME which usually evaluates to /home/<your_user_name> should only be accessible by your current user's account and members of the eponymous group.

whittlers wrote:

you don't need permissions to run `tar -cf home.tar $HOME; upload_to_the_internet < home.tar`

That depends on what you mean by permission.

whittlers wrote:

i didn't think of this in the beginning, but i remembered this xkcd comic https://imgs.xkcd.com/comics/authorization_2x.png

I believe you misunderstood that joke.

whittlers wrote:

maybe i should chown -R root my personal media (and activate the password)... if that doesn't make sense, then i'm at the beginning

That does not make any sense. You're confusing data protection with privilege escalation.

whittlers wrote:

if the password + sudo protects me, i need to see an example of how specifically it avoids a program from stealing my files

"Stealing" files is not the only possible threat vector. It does not protect you against malware as you hinted to above, that uploads stuff to them interwebz.
It does, however, protect you against malware that may infiltrate your system on the operating system level.

Last edited by schard (2024-03-07 08:19:00)

seth · 2024-03-07 08:20:04

you don't need permissions to run `tar -cf home.tar $HOME; upload_to_the_internet < home.tar`

No, but you need to have and run "upload_to_the_internet".

Once you're installing malware, you're screwd.
Installing malware as root just screws you big-time. There're many things, regular users aren't allowed to do by default, eg. inspect other processes (for passwords), opening ports < 1024, running processes with maximum schedule occupation, filling the entire disk, replacing root-owned binaries (for later), accessing the hardware directly, freeze-locking your disk, altering the EFI, "rm -rf / path/to/file" (part of it is that shells and permissions prevent regular users from some flubs, root gets to do whatever root wants),…

if the password + sudo protects me, i need to see an example of how specifically it avoids a program from stealing my files

If cardio is good for me, i need to see an example of how specifically it grows my bro-muscles.
https://en.wikipedia.org/wiki/Syllogism … _fallacies

In order to further harden your system start at https://wiki.archlinux.org/title/Security (eg. see https://wiki.archlinux.org/title/Security#Mount_options )
If you want to protect private data against random access, see https://wiki.archlinux.org/title/Catego … encryption and eg. https://wiki.archlinux.org/title/Dm-cry … _container

https://imgs.xkcd.com/comics/authorization_2x.png

The internet being broken or keeping plain-text passwords on "publically available" (euphemism for theft) devices is not an excuse to do stupid things elsewhere.
But if you insist on running a (not only defacto, but destupid) single user system, try https://en.wikipedia.org/wiki/Puppy_Linux

Edit: it obviously took more than 3 minutes to write that

Last edited by seth (2024-03-07 08:21:38)

ewaller · 2024-03-07 14:41:03

I remember way back when I was learning HP-UX (HP Unix). Logged in as root. Exploring the file system. I was someplace in /bin looking at all the program files available to me.
I wanted to print a list of files in the directory. Imagine my horror when I ran ls -l > lp rather than ls -l | lp. Yes, I was in the directory where the lp spooler program had been.

Sometimes, limiting your ability to do stupid things without explicitly enabling stupid things will save you.

whittlers · 2024-03-07 18:54:06

seth wrote:

If cardio is good for me, i need to see an example of how specifically it grows my bro-muscles.

that itself is not a fallacy; it's a valid statement, actually. for example, many people that train only for strength, do not do cardio exercises at all, so they will not be good runners or cyclists, for example, and then the statement: "if someone proves (i.e. showing an example) that cardio is beneficial for growing my muscles, i'll do it"

i'll be reading about how to make my media "more inaccesible". gamer moment

Trilby · 2024-03-07 19:07:01

I believe the following is the most important point in this thread so far and thus bears repeating:

schard wrote:

You're confusing data protection with privilege escalation.

My own 2 cents: there are a couple archers who run a "root only" single user system. But they really know what they are doing and have decades of experience with *nix systems. I still think what they are doing is foolish, but they are making an informed decision. The level of your (whittler's) questions in this thread indicate that you do not have nearly the knowledge and experience those others do. Please, do not use root as your default user. We could enumerate hundreds of ways this could fail spectacularly, and we'd still fall short of covering all the potential problems.

The concept of user privileges has developed over decades with input from some very smart people. Do not throw all that away.

And you are not the only "user" on your system. You might be the only human who sits at your keyboard as I am on mine, but there are 24 "users" in my /etc/passwd. None of the other 23 are human users with a directory under /home/ but rather they are system users to run particular bits of software safely. These bits of running software are - at least in part - walled off from anything I might accidentally do at the command line, or anything some javascript on some web page might try to do, or anything that anyone who manages to remotely access my machine might try to do, or anything that some other bit of running software tries to do, etc. If I ran as the root user by default, none of that running software would have any protection at all from these four attack vectors or from countless others.

With great respect to ewaller, I think his example of overwriting `lp` really undersells the risk. Protecting your system binaries and libraries from a fat-finger mistake you might make on the command line is certainly one of the things that different user access rights prevents - but frankly it is one of the more mundane or less concerning ones. The real risks are far more gruesome.

Last edited by Trilby (2024-03-07 19:13:29)

seth · 2024-03-07 21:05:06

whittlers wrote:

that itself is not a fallacy; it's a valid statement, actually. for example, many people that train only for strength, do not do cardio exercises at all, so they will not be good runners or cyclists, for example, and then the statement: "if someone proves (i.e. showing an example) that cardio is beneficial for growing my muscles, i'll do it"

The fallacy is the premise that something can only be good for you when it's building your biceps or chest.
Cardio is detremental to the goal of maximum strength, but it's good for you (specifically the single most important muscle in your body)

The equivalence in your topic is pointed out more directly by schard.
Just because not executing every process as privileged user won't protect your data doesn't mean that it's not an extremely good idea in order to protect the system at large.

Trilby · 2024-03-07 23:04:28

seth wrote:

specifically the single most important muscle in your body

Second most. Although the activity for the most important, when done properly, is also pretty good cardio.

c00ter · 2024-03-08 14:09:55

Yeah, well, they say the knees are the second thing to go. I forget the first.

seth · 2024-03-08 14:17:16

Do I have to explain that that's actually not a muscle but its discussed function depends on several muscles, the main one being still the heart?
(The little blue pills don't do anything for your musculus ejaculatorius or the muscles of the pelvic floor…)

Arch Linux

#1 2024-03-07 04:26:24

using root as default user?

#2 2024-03-07 07:02:31

Re: using root as default user?

#3 2024-03-07 07:36:32

Re: using root as default user?

#4 2024-03-07 08:17:44

Re: using root as default user?

#5 2024-03-07 08:20:04

Re: using root as default user?

#6 2024-03-07 14:41:03

Re: using root as default user?

#7 2024-03-07 18:54:06

Re: using root as default user?

#8 2024-03-07 19:07:01

Re: using root as default user?

#9 2024-03-07 21:05:06

Re: using root as default user?

#10 2024-03-07 23:04:28

Re: using root as default user?

#11 2024-03-08 14:09:55

Re: using root as default user?

#12 2024-03-08 14:17:16

Re: using root as default user?

Board footer