if
- i already have sudo "ask for password" disabled (vulnerability (?))
- i am the only person that has access to my computer
- all my valuable files have no root permissions; they are in home
i am not a sysadmin, why am i supposed to use my computer with permissions?
beside the natural, like having to live with permanent messages of "running as root is dangerous" and everything being built/designed against it
sorry for bad english
Offline
> - i already have sudo "ask for password" disabled (vulnerability (?))
Yes. It makes it easier for malware to escalate privileges as it just needs to run sudo if you have passwordless authentication enabled for *any* program.
> - i am the only person that has access to my computer
That's a misconception. If your computer is connected to the internet, other people have access to your computer in some form or another.
Most of those can be considered safe, but occasionally there are security issues in software.
If that happens, it's good to have another form of protection in place to minimize the damage that can be done.
Running software on your machine with the least possible privileges has proven to be very effective at that.
> - all my valuable files have no root permissions; they are in home
They will, when you're exclusively using the root account.
> i am not a sysadmin, why am i supposed to use my computer with permissions?
See above.
> beside the natural, like having to live with permanent messages of "running as root is dangerous" and everything being built/designed against it
What?
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
ok, but i kinda feel the same way
with
> all my valuable files have no root permissions; they are in home
i meant that all the files i care about being stolen, are in $HOME, unprotected, accessible without permissions
you don't need permissions to run `tar -cf home.tar $HOME; upload_to_the_internet < home.tar`
i didn't think of this in the beginning, but i remembered this xkcd comic https://imgs.xkcd.com/comics/authorization_2x.png
maybe i should chown -R root my personal media (and activate the password)... if that doesn't make sense, then i'm at the beginning
if the password + sudo protects me, i need to see an example of how specifically it avoids a program from stealing my files
sorry for bad english
Offline
> i meant that all the files i care about being stolen, are in $HOME, unprotected, accessible without permissions
Then you're doing something wrong. Files in $HOME, which usually evaluates to /home/<your_user_name>, should only be accessible by your current user's account and members of the eponymous group.
> you don't need permissions to run `tar -cf home.tar $HOME; upload_to_the_internet < home.tar`
That depends on what you mean by permission.
> i didn't think of this in the beginning, but i remembered this xkcd comic https://imgs.xkcd.com/comics/authorization_2x.png
I believe you misunderstood that joke.
> maybe i should chown -R root my personal media (and activate the password)... if that doesn't make sense, then i'm at the beginning
That does not make any sense. You're confusing data protection with privilege escalation.
> if the password + sudo protects me, i need to see an example of how specifically it avoids a program from stealing my files
"Stealing" files is not the only possible threat vector. It does not protect you against malware, as you hinted at above, that uploads stuff to them interwebz.
It does, however, protect you against malware that may infiltrate your system on the operating system level.
Last edited by schard (2024-03-07 08:19:00)
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
> you don't need permissions to run `tar -cf home.tar $HOME; upload_to_the_internet < home.tar`
No, but you need to have and run "upload_to_the_internet".
Once you're installing malware, you're screwed.
Installing malware as root just screws you big-time. There're many things, regular users aren't allowed to do by default, eg. inspect other processes (for passwords), opening ports < 1024, running processes with maximum schedule occupation, filling the entire disk, replacing root-owned binaries (for later), accessing the hardware directly, freeze-locking your disk, altering the EFI, "rm -rf / path/to/file" (part of it is that shells and permissions prevent regular users from some flubs, root gets to do whatever root wants),…
> if the password + sudo protects me, i need to see an example of how specifically it avoids a program from stealing my files
If cardio is good for me, i need to see an example of how specifically it grows my bro-muscles.
https://en.wikipedia.org/wiki/Syllogism … _fallacies
In order to further harden your system start at https://wiki.archlinux.org/title/Security (eg. see https://wiki.archlinux.org/title/Security#Mount_options )
If you want to protect private data against random access, see https://wiki.archlinux.org/title/Catego … encryption and eg. https://wiki.archlinux.org/title/Dm-cry … _container
The internet being broken or keeping plain-text passwords on "publically available" (euphemism for theft) devices is not an excuse to do stupid things elsewhere.
But if you insist on running a (not only defacto, but destupid) single user system, try https://en.wikipedia.org/wiki/Puppy_Linux
Edit: it obviously took more than 3 minutes to write that
Last edited by seth (2024-03-07 08:21:38)
Offline
I remember way back when I was learning HP-UX (HP Unix). Logged in as root. Exploring the file system. I was someplace in /bin looking at all the program files available to me.
I wanted to print a list of files in the directory. Imagine my horror when I ran ls -l > lp rather than ls -l | lp. Yes, I was in the directory where the lp spooler program had been.
Sometimes, limiting your ability to do stupid things without explicitly enabling stupid things will save you.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
> If cardio is good for me, i need to see an example of how specifically it grows my bro-muscles.
that itself is not a fallacy; it's a valid statement, actually. for example, many people that train only for strength, do not do cardio exercises at all, so they will not be good runners or cyclists, for example, and then the statement: "if someone proves (i.e. showing an example) that cardio is beneficial for growing my muscles, i'll do it"
i'll be reading about how to make my media "more inaccessible". gamer moment
sorry for bad english
Offline
I believe the following is the most important point in this thread so far and thus bears repeating:
> You're confusing data protection with privilege escalation.
My own 2 cents: there are a couple archers who run a "root only" single user system. But they really know what they are doing and have decades of experience with *nix systems. I still think what they are doing is foolish, but they are making an informed decision. The level of your (whittler's) questions in this thread indicates that you do not have nearly the knowledge and experience those others do. Please, do not use root as your default user. We could enumerate hundreds of ways this could fail spectacularly, and we'd still fall short of covering all the potential problems.
The concept of user privileges has developed over decades with input from some very smart people. Do not throw all that away.
And you are not the only "user" on your system. You might be the only human who sits at your keyboard as I am on mine, but there are 24 "users" in my /etc/passwd. None of the other 23 are human users with a directory under /home/ but rather they are system users to run particular bits of software safely. These bits of running software are - at least in part - walled off from anything I might accidentally do at the command line, or anything some javascript on some web page might try to do, or anything that anyone who manages to remotely access my machine might try to do, or anything that some other bit of running software tries to do, etc. If I ran as the root user by default, none of that running software would have any protection at all from these four attack vectors or from countless others.
With great respect to ewaller, I think his example of overwriting `lp` really undersells the risk. Protecting your system binaries and libraries from a fat-finger mistake you might make on the command line is certainly one of the things that different user access rights prevents - but frankly it is one of the more mundane or less concerning ones. The real risks are far more gruesome.
Last edited by Trilby (2024-03-07 19:13:29)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
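A read-only audit of three points raised in the replies above (passwordless sudo rules, whether other accounts can read a home directory, and how many accounts in a passwd file are system users rather than people), added here as an example and not posted by any participant in the thread. The sample files and the user name alice are constructed, and treating a home directory under /home/ as "human" is an assumption based on the description above.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments, so the checks
# run on the constructed samples below or on the real files.

# Split accounts into "human" (home under /home/) and system accounts.
count_accounts() {
    awk -F: 'NF >= 7 { if ($6 ~ /^\/home\//) h++; else s++ }
             END { printf "human=%d system=%d\n", h, s }' "$1"
}

# Print sudoers rules that skip the password prompt (comment lines ignored).
nopasswd_rules() {
    grep -E '^[^#]*NOPASSWD' "$1" || true
}

# "private" if the directory grants nothing to other users, else "exposed".
home_access() {
    perms=$(ls -ld "$1" | cut -c8-10)   # the "other" rwx triplet
    if [ "$perms" = "---" ]; then echo private; else echo exposed; fi
}

# Constructed sample data: one human user and three system accounts.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
http:x:33:33::/srv/http:/usr/bin/nologin
avahi:x:970:970:Avahi daemon:/:/usr/bin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$1/sudoers" <<'EOF'
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
root ALL=(ALL:ALL) ALL
alice ALL=(ALL:ALL) NOPASSWD: ALL
EOF
    mkdir -p "$1/home/alice" && chmod 755 "$1/home/alice"
}

d=$(mktemp -d)
make_samples "$d"
count_accounts "$d/passwd"
nopasswd_rules "$d/sudoers"
home_access "$d/home/alice"
chmod 700 "$d/home/alice" && home_access "$d/home/alice"
rm -rf "$d"
```

On a real system the same functions take /etc/passwd, /etc/sudoers (readable only by root) and "$HOME" as arguments.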
> that itself is not a fallacy; it's a valid statement, actually. for example, many people that train only for strength, do not do cardio exercises at all, so they will not be good runners or cyclists, for example, and then the statement: "if someone proves (i.e. showing an example) that cardio is beneficial for growing my muscles, i'll do it"
The fallacy is the premise that something can only be good for you when it's building your biceps or chest.
Cardio is detrimental to the goal of maximum strength, but it's good for you (specifically the single most important muscle in your body).
The equivalence in your topic is pointed out more directly by schard.
Just because not executing every process as privileged user won't protect your data doesn't mean that it's not an extremely good idea in order to protect the system at large.
Offline
> specifically the single most important muscle in your body
Second most. Although the activity for the most important, when done properly, is also pretty good cardio.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Yeah, well, they say the knees are the second thing to go. I forget the first.
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn
Offline
Do I have to explain that that's actually not a muscle but its discussed function depends on several muscles, the main one being still the heart?
(The little blue pills don't do anything for your musculus ejaculatorius or the muscles of the pelvic floor…)
Offline
This question is particularly interesting, but it's important to avoid using a root account as the default unless necessary. In many cases, it might seem like a good idea to use the root account due to the extensive permissions it inherently possesses. This flexibility allows you to perform various tasks that require elevated privileges. However, the appropriate rights structure in a GNU/Linux operating system can vary due to its openness and modifiability. Generally, users are granted access to and permission to execute files on the system. In Unix-like systems, there is typically a root group user rights system, where users can assign permissions such as read, write, and execute (abbreviated as rwx) to files. These rights can be set for everyone, specific groups, or individual users. For instance, being a member of a particular group can grant those rwx permissions.
Offline
now you are making me want to use 777 as default permissions for all files
sorry for bad english
Offline
I often feel misunderstood by people. Even if you have a genuine interest, I highly recommend !AGAINST! changing file permissions on a larger scale for everyone. Secondly, if you're keen on conducting experiments, it's highly advisable to test them in a virtual machine or a dedicated experimental environment. Regular users should refrain from defaulting to the root account or modifying permissions at a system-wide level.
Offline
This looks like a great place to park my bike
Running as root as a default user reduces you to the same vulnerabilities of MS-DOS and earlier (Pre-Vista) versions of Windows. The largest reason that viruses were such a threat and so popular on these systems is that any user or process could write anywhere on the filesystem. Though there certainly are rootkits and malware of its own nature designed to attack 'nix type systems, these attacks require you to be root (rootkit) or have root access to install. Yes, your personal data in your ~ ($HOME) is vulnerable as a standard user. The best you can do there is keep it backed up and do not have sensitive data stored there. You can keep sensitive content in a LUKS file or partition (check out zulucrypt). You could even set up a LUKS file and only mount it when needed if data integrity and security is of that high of an issue.
Though not using root as a default account has a lot more to do with system integrity vs. data security. They have to get into your system before they can get at your data. Running every process as root and accessing everything as root gives significantly higher odds for an intrusion to succeed. But no worries, you will in time understand what I mean. Have fun!
I have given my two cents so I will go on my way... hops on bike and rides off...
Last edited by OneNemo (2024-06-12 21:44:37)
Offline
Old thread, but basically, if you have root as your main, and malware enters your computer, you are dead.
I messed my Arch Linux installation, then fixed it
"Sometimes the best complexity is simplicity." - BluePy, 1856.
Offline