Michael Robertson Says Root is Safe 1174

Posted by timothy
from the he-calls dept.
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
  • Re:Uhhh (Score:3, Informative)

    by ink (4325) * on Monday April 18, 2005 @06:55PM (#12275447) Homepage
    Unfortunately, a normal user can install any browser plugin that they want to. Running as root would simply allow the user to install plugins for other users as well. For the curious, you can install them in $HOME/.mozilla/plugins (among other locations). Running as a normal user will not prevent your box from becoming a zombie, unless you have some kick-ass SELinux rules in place.
  • Perfect Example (Score:2, Informative)

    by Apreche (239272) on Monday April 18, 2005 @06:57PM (#12275464) Homepage Journal
    So every user on a system usually can make files in /tmp. Let's say that a malicious user of the system goes into /tmp and makes an executable file named ls. That executable file contains the code which opens up a backdoor onto the system via netcat. If you were running as a normal user and ran ls in /tmp then you would not open up any backdoor. In fact, you might realize what's going on and be able to fix it. If you were root however, the backdoor would open wide and let the whole world have a root shell on your machine. This particular problem can be averted by removing . from $PATH of all users including root. But does Linspire do this? I don't know for sure, but I doubt it.

    Linspire, Linux dumbed down for dummies by dummies.
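    The mitigation this post ends on (keep `.` out of `$PATH`, especially root's) is easy to audit. The following is an added example, not code from the thread or from Linspire; it is a POSIX sh function that takes a PATH value and reports every entry that would make the shell look in the current directory (`.`, a relative name, or an empty entry, since a leading, trailing or doubled colon also means "here"). The sample PATH strings in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit a PATH value for entries that
# resolve to the current directory or are otherwise relative.
# Usage: path_unsafe_entries "$PATH"   -> prints offenders, returns 1 if any.

path_unsafe_entries() {
    p=$1
    found=0
    # An empty entry (":a", "a:", "a::b") is searched as the current directory.
    case "$p" in
        :*|*:|*::*) echo "(empty entry, resolves to current directory)"; found=1 ;;
    esac
    oldifs=$IFS
    IFS=:
    set -f                     # no globbing while splitting on ':'
    for entry in $p; do
        case "$entry" in
            "") ;;             # empty, already reported above
            /*) ;;             # absolute path, fine
            *)  echo "$entry"; found=1 ;;   # ".", "..", "bin", etc.
        esac
    done
    set +f
    IFS=$oldifs
    [ "$found" -eq 0 ]
}

# Constructed samples, e.g.: path_unsafe_entries "/usr/bin:.:bin" prints "." and "bin".
# Checking the live environment: path_unsafe_entries "$PATH" || echo "PATH is unsafe"
```

    Run it as root as well as your normal user; the two accounts usually have different PATH settings, and the root one is the one that matters for the `/tmp/ls` scenario above.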
  • IRC (Score:2, Informative)

    by laurent420 (711504) on Monday April 18, 2005 @06:58PM (#12275475)
    default dcc save directory is ~ . many users of irc are accustomed to permitting auto accept of files. someone sends you a .profile or .bashrc . .profile is sourced on every login. hmm i wonder what happened to all my filesystems.
  • by arete (170676) <areteslashdot2&xig,net> on Monday April 18, 2005 @07:01PM (#12275502) Homepage
    I have to say I love the OSX solution. For those of you that aren't familiar:

    The method:
    By default you don't use root (although it does exist)

    By default a user may or may not be an "admin" user. An admin user may perform root-like operations by authenticating again, but they give their own same password to the OS to do things.

    It still knows you're you, you're just super-you. So default files are created with you as owner, for instance. This is safer because it reduces slightly the number of escalations necessary.

    The effects:
    The actual user password being compromised is not the reason you need a separate root account, so they removed your need for two passwords.

    Bad apps still need separate priv escalation to do any harm, even if you're running as admin.

    BUT you don't have to logout of your GUI session to have one app - or even ONE PART of one app - run with escalated privileges, if you authorize it to.

    This means you have NO REASON to ever run unnecessary apps as an admin. No downloading just that one file as root because you're in the middle of doing a rooty thing and forgot one.

    The similar linux hack:
    I know you can setup similar things with sudo and a little tweaking. But this is how every OSX box ships, and it ought to be how every GUI consumer linux box ships too.
  • by Anonymous Coward on Monday April 18, 2005 @07:01PM (#12275506)
    why are you reposting a two year old comment from some bbs here?

    http://www.zone-h.com/en/forum/thread/forum=3/thread=19443
  • Re:Okay now... (Score:5, Informative)

    by Phleg (523632) <stephen AT touset DOT org> on Monday April 18, 2005 @07:02PM (#12275526)

    rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.

    I dare you to try this. Dare.

    Note: you may wish to back your home directory up first. Preferably somewhere not under /, or using someone else's permissions.

  • by scupper (687418) * on Monday April 18, 2005 @07:03PM (#12275537) Homepage
    I can't take this guy seriously. He's the Billy Mays [atmospheric-violence.com] of the Linux world.

    Just read his responses....[a few of my replies]

    Jo: On the security front, I noticed during the presentation that you were running everything as root. Is that really a wise idea, to train users to run everything as the one user who can mess everything up whenever they feel like it? Should you not try to teach one basic UNIX security idea, that you really don't want to run things as root?

    Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. [Mikey, that's like saying the people in my car are important, but to hell with the rest of the motorists on the highway. Pretty reckless and selfish. Maybe Linspire should start "LinNet - Home of the Bots and Trojans".] If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. [Mikey, what is a bot? And how are they born?]

    Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

    Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.

  • by davidwr (791652) on Monday April 18, 2005 @07:07PM (#12275585) Homepage Journal
    With poorly designed hardware, it is possible to wear out the hardware. Cheap printers and disk drives are relatively easy to wear out in a worst-case scenario. Certain types of flash memory can be destroyed by flashing it a few thousand times. While your operating system may not require you to be root to overuse these components, in principle it COULD force you to be root to do this.

    If you can write to BIOS or other boot-control data, you can potentially leave the hardware unbootable. Technically it's not hurting the hardware but you've still got a boat-anchor until it gets serviced.

    Older monitors could be fried if set to a "bad state" and left there too long. Ironically, in X-Windows, you don't have to be root to change the video settings to such a "bad state."
  • Re:Okay now... (Score:5, Informative)

    by maraist (68387) * <`moc.maps0n.liam ... tsiaram.leahcim'> on Monday April 18, 2005 @07:19PM (#12275728) Homepage
    I should be able to specify that a particular UID can listen on ifname:80

    Have you looked into selinux? I don't know if it allows port 80 access from an initially non root user, but it allows you to run a locked-down root process. Problem is that it's apparently very complicated so only supports a scant few products out of the box. But web serving is one of them.
  • by NanoGator (522640) on Monday April 18, 2005 @07:22PM (#12275757) Homepage Journal
    "How could open source applications support ActiveX?"

    Ask these guys [www.iol.ie].

    BTW, you REALLY don't understand what ActiveX is. Heh. Non-MS products can open ActiveX plugins.
  • by Anonymous Coward on Monday April 18, 2005 @07:31PM (#12275858)
    As a professional hacker, I'll give you the 25 cent reasons.

    1) Only root can forge packets. I have to get root to steal IP addresses and adjust routing tables most of the time.

    2) Only root can install kernel modules. Kernel modules are a great way to hide from prying eyes.

    3) Root can debug any process. If I can debug another process, my program can spread to that process giving me complete control of it.

    4) Getting root is noisy. If he actually wants that box and not just to use it as a relay of some sort, he generally will need root to take the credit card numbers, corporate bid info, etc. Local exploits are among the noisiest and are the most likely to get caught by a good syscall IDS.

    5) Only root has access to most of the log files. If I'm not perfect when I take over a box, I've got to adjust the logs. I have to be root in most cases.

    6) Only root has raw disk access. If I want to hide all my stuff, the best way is to directly modify the filesystem. You need raw disk access for that.

    etc, etc, etc
  • Re:Okay now... (Score:2, Informative)

    by Anonymous Coward on Monday April 18, 2005 @07:33PM (#12275896)
    You can access the SYSTEM account in WinXP if you are already administrator, by scheduling an interactive command prompt. (Basically, let the equivalent of cron start a shell with privileges set to super-root)

    Normally, however, you would not be using it for anything - there's no point, not much that it can do that an admin can't.
  • Re:Okay now... (Score:2, Informative)

    by ilikejam (762039) on Monday April 18, 2005 @07:36PM (#12275927) Homepage
    He should ask himself why he used the -r arg in combination with *.tar
    Unless he had directories which ended in '.tar', of course...
  • by Relyt (96115) on Monday April 18, 2005 @07:41PM (#12275985)
    Well, Ubuntu Linux is set up with sudo all set up right off the bat, which is probably the way things will be set up in the future. The user can use his or her own password to get root privileges.

    I think that anyone who is considering buying a PC for Lindows would be much better served buying a Mac or Mac Mini and using OS X instead. They'll spend the same amount of money and have an OS that is better-designed and is backed by a corporation and a CEO who actually know what they are talking about.

  • Re:Okay now... (Score:3, Informative)

    by ticktockticktock (772894) on Monday April 18, 2005 @07:45PM (#12276034)
    What we lack is that fine tuning - I should be able to specify that a particular UID can listen on ifname:80, not kick off a process as root, then setuid it...

    Or you could run the process non-root and set up iptables rules to redirect port 80 requests to a port a non-root user can open. I think one can also set rules so that iptables only allows certain incoming ports to certain user accounts, so that no one else can run their own apache and take over the port, although I am not 100% sure on this.

  • by Anonymous Coward on Monday April 18, 2005 @07:57PM (#12276210)
    I believe Ubuntu/Kubuntu are going down the 'root is there if you really want it, but you don't actually need it because sudo is already set up for you' path.

  • by Mishura (744815) on Monday April 18, 2005 @08:19PM (#12276440)
    "I know in linux you can, for instance, open a terminal, su, and execute a GUI app as root while in an X session not as root. However, there's no general linux way for doing this for a non-CLI user."

    Observe, The KDE solution:
    K --> Run Command --> kdesu program_name

    The Gnome Solution (I Think):
    Gnome Foot --> Run --> gksu program_name

    Also, you can set program shortcuts in either the K/Gnome/XFCE/icewm/wtf wm you desire/ menus to start off with the gksu or kdesu to launch an app as root.

    Also, if you have a lax sudo set up, a "sudo app_name" works as well.
  • by VGPowerlord (621254) on Monday April 18, 2005 @08:24PM (#12276488)
    Microsoft's Technet has an article named Using a Least-Privileged User Account [microsoft.com] (LUA), and they intend to force LUA on people in Longhorn.

    My reaction? It's about time! This will help far more than any "Trusted Computing" initiative will.

    Now before I continue, I'll comment that my workstation/gamestation is a Windows XP SP2 machine. My web services machine is a Debian Linux machine.

    I have two accounts on my XP machine: One Administrator and one Limited User. I use the Limited User Account on a day to day basis for my classwork, Applications, and Games. I use the Administrator account to install new programs and program updates.

    The biggest problem with a LUA policy on a Windows system is... Application manufacturers. Programs tend to be written with the impression that the program directory and HKEY_LOCAL_MACHINE part of the registry is always writable. Unfortunately, this is undoubtedly because Windows 9x didn't have the concept of file or registry permissions.

    On XP, by default, Limited Users can only write to their Profile directory on C:, and can only write to the HKEY_CURRENT_USER part of the registry. These are where user specific files and settings belong! The %USERPROFILE% and %APPDATA% environment variables are even set up for them! There's even an %OS% environment variable that tells the installer that this is a Windows NT system (It's set to Windows_NT).

    The most recent offender for ignoring these restrictions, that I've installed, is World of Warcraft. Since it was written in 2004, its installer is aware of accounts and account types, and gave me an error that I needed to install it as an Administrator. That's all well and good, but it still tries to write files to the %ProgramFiles%\World of Warcraft\WTF\Account\[USERNAME]\ hierarchy every time it runs. While the game seems to work even if it can't write its files, you also can't save any settings changes.

  • Re:Okay now... (Score:4, Informative)

    by Artega VH (739847) on Monday April 18, 2005 @08:30PM (#12276571) Journal
    urr doesn't that make the directory non browseable?
  • Re:Okay now... (Score:5, Informative)

    by MrZaius (321037) on Monday April 18, 2005 @08:42PM (#12276677) Homepage
    >urr doesn't that make the directory non browseable?

    Yes. That's a good thing, for the reasons described in the parent post. It bears repeating that he did NOT say to set /home/* non-executable, but only the /home/ directory itself. This allows users access to subdirectories of /home/, but only the ones they know about independently.

    An "ls -l --recursive /home/" will fail to find any world-readable directories, because it won't be able to get a listing of /home/

    An "ls -l /home/bob/public_stuffs" will work just fine, however, with the permissions set properly.
  • by hackstraw (262471) * on Monday April 18, 2005 @08:44PM (#12276699)

    If this Michael guy has ever seen a rooted Linux system with one of those groovy kernel modules loaded to hide the doings of the people that rooted the box, then he would guess a 2nd time about his assertion that it's OK to run Linux as root all the time.

    You think that Windows zombie boxes are a problem? However, those systems are able to be fixed (to my knowledge, don't use windows). A rooted box with a kernel module installed to hide itself, has to be completely restored.

    I'm glad you mentioned OS X. I believe that it is a beautiful compromise between running as a user and asking for permission to escalate the privileges when needed. The best part of it is that it _rarely_ asks for administrator privilege, and when it does it makes sense. If someone opened an email attachment and it asked for administrator privileges, that would be a bit fishy (although some people would fall for it).
  • by Anonymous Coward on Monday April 18, 2005 @09:10PM (#12276941)
    "ActiveX is the Microsoft API in answer to Java."

    That's not at all true. ActiveX is just COM/OLE, which is older than Java. The origins of COM/OLE go back to the 1980s, and OLE 1 was publicly distributed with MS Office in 1991. OLE 1 wasn't based on COM, however, so is to some extent irrelevant. The first release of COM-based OLE (called OLE 2) came in 1993, at a time when Microsoft were still ignoring the Internet, with OLE controls (now called ActiveX controls) added to Visual Basic in 1994.

    The first release of Java only came in 1996, and whilst it almost certainly did inspire Microsoft's rebranding of COM as ActiveX, the ActiveX technology itself was not in any way an answer to Java (and obviously couldn't have been, since it's older).

  • by MrZaius (321037) on Monday April 18, 2005 @09:33PM (#12277157) Homepage
    Correction:
    replace "executable" with "readable"

    chmod a-r /home/, and user bob executing rm -rf /home/ fails to eliminate a bob-owned /home/bob/, as it fails to get a listing of /home/
  • by KillerBob (217953) on Monday April 18, 2005 @09:58PM (#12277382)
    That's Windows logic.

    In Linux, run as a user. A malicious script destroys your files and "toasts" your system, the only thing you've lost is your user account. As root, you can then destroy the user and user's files, and recreate the user. You've lost maybe 5 minutes of your time, and don't have to reinstall/recompile/reupdate your system.

    If you're running as root, however, the script can access the *entire* system. If it runs amok, you're completely lost, and are out several hours of reformatting, reinstalling, recompiling, and reupdating the system.

    This is especially important if you're running a multi-user system. When there's 3 people using the computer, if one of them gets a malicious script and runs it as root, then the entire system is pooped, and all 3 users are out of luck. When they're running as users, they can't touch each others' files, and as such, they can't screw each other over.
  • Re:Okay now... (Score:3, Informative)

    by Tony Hoyle (11698) <tmh@nodomain.org> on Monday April 18, 2005 @10:35PM (#12277705) Homepage
    Users are administrators by default on Windows boxes.

    That's why they are so prone to viruses, becoming spam zombies, etc.

    A properly admined box wouldn't have that issue, but then half the corporate machines I've used haven't been properly admined let alone the home ones.

    The only OS I know of besides Unix that enforces proper user/admin separation by default is OSX (it does it really nicely in fact).
  • Re:Okay now... (Score:3, Informative)

    by TClevenger (252206) on Monday April 18, 2005 @11:44PM (#12278198)
    Actually, there is a root account. It's just disabled by default.
  • by achurch (201270) on Monday April 18, 2005 @11:52PM (#12278246) Homepage
    as per this comment [slashdot.org] below (just bringing it up to make it more obvious). chmod a-x /home keeps you from doing anything in /home or any subdirectory, but will let you list /home; chmod a-r /home keeps you from listing /home but will let you do stuff in /home/bob.
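    The `chmod a-r /home` versus `chmod a-x /home` distinction drawn in this comment, in MrZaius's correction, and in the `ls -l --recursive /home/` remark above can be checked without touching the real `/home`. The following is an added example, not code posted in the thread: a POSIX sh function that builds a scratch `home/bob/note.txt` tree under `mktemp -d`, removes either the read or the execute bit from the parent, and reports whether listing the parent works, whether reaching a file underneath it works, and whether `rm -rf` of the parent gets anything. It assumes an unprivileged user; root bypasses these permission bits, so the function reports `root` instead of probing.

```sh
#!/bin/sh
# Added example (not from the thread): observe what "chmod a-r" and "chmod a-x"
# on a /home-style parent directory actually deny, using a scratch tree.
# Usage: probe_parent_perms a-r   or   probe_parent_perms a-x
# Prints e.g. "list=denied traverse=ok rm_rf=survived".

probe_parent_perms() {
    mode=$1
    if [ "$(id -u)" -eq 0 ]; then
        echo root              # root ignores directory rwx bits; nothing to see
        return 0
    fi
    top=$(mktemp -d) || return 1
    mkdir "$top/home" "$top/home/bob"
    echo hello > "$top/home/bob/note.txt"      # constructed sample file
    chmod "$mode" "$top/home"

    # Listing needs r on the directory; traversing into it needs x.
    if ls "$top/home" >/dev/null 2>&1; then list=ok; else list=denied; fi
    if cat "$top/home/bob/note.txt" >/dev/null 2>&1; then traverse=ok; else traverse=denied; fi

    # A recursive delete of the parent needs both: r to enumerate, w+x to unlink.
    rm -rf "$top/home" 2>/dev/null || true
    chmod u+rwx "$top/home" 2>/dev/null || true   # restore so we can inspect and clean up
    if [ -f "$top/home/bob/note.txt" ]; then rmrf=survived; else rmrf=gone; fi

    rm -rf "$top"
    echo "list=$list traverse=$traverse rm_rf=$rmrf"
}

# Expected as a normal user:
#   probe_parent_perms a-r  -> list=denied traverse=ok rm_rf=survived
#   probe_parent_perms a-x  -> list=ok traverse=denied rm_rf=survived
```

    Either bit alone is enough to stop a blind `rm -rf /home/` from the unprivileged side, but they fail differently: with `a-r` a user who already knows the path `/home/bob` keeps working normally, while with `a-x` nothing below `/home` is reachable at all, which is why the `a-r` form is the one the thread settles on.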
  • Re:Okay now... (Score:3, Informative)

    by istartedi (132515) on Tuesday April 19, 2005 @12:57AM (#12278569) Journal

    This isn't a problem with CLIs. The GUI analogy is the Windows pop-up that asks you if you're sure you want to delete a file. Raise your hand if you use Windows and you've gotten into the habit of smacking your enter-key, sometimes before that dialog even displays.

    The problem is that people want to do things quickly, so you've got people training themselves to use -f because they're in the habit of recursively deleting files on a regular basis and they don't feel like interrupting the flow responding to a prompt. This works really well until they don't mean to do it. The Windows recycling bin is not a bad solution to this problem; there is no widely adopted *NIX equivalent.

  • Re:Okay now... (Score:4, Informative)

    by adamruck (638131) on Tuesday April 19, 2005 @01:49AM (#12278823)
    Some more information for you.. this is a blurb from the iptables man page

    ----------------

    owner
    This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

    --uid-owner userid
    Matches if the packet was created by a process with the given effective user id.
    --gid-owner groupid
    Matches if the packet was created by a process with the given effective group id.
    --pid-owner processid
    Matches if the packet was created by a process with the given process id.
    --sid-owner sessionid
    Matches if the packet was created by a process in the given session group.

    ------

    You can filter network traffic based off of the same system that you can use to filter access to files. Even more fun is the ability to filter network traffic based off of a process id.
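    Putting the two ideas from this sub-thread together (redirect port 80 to a port an unprivileged daemon can bind, then use the owner match to tie the traffic to that daemon's UID) looks like the rule set below. This is an added example, not from the thread or from the iptables project; the user name `www-data` and port 8080 are assumed defaults and can be passed as arguments. The function only prints the rules, so it runs without root; `apply_port80_rules` pipes them into a shell and does need root and the owner match module.

```sh
#!/bin/sh
# Added example (not from the thread): let a non-root web server answer :80.
# Usage: port80_rules [user] [port]        -> prints the iptables commands
#        apply_port80_rules [user] [port]  -> runs them (root required)

port80_rules() {
    user=${1:-www-data}     # assumed service account
    port=${2:-8080}         # assumed unprivileged listening port
    # Inbound: rewrite the destination port before the socket lookup, so the
    # daemon never has to bind a port below 1024 and never has to start as root.
    echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # Connections from the box itself do not pass PREROUTING; handle them in nat OUTPUT.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports $port"
    # Outbound: the owner match exists only in the OUTPUT chain (see the man page
    # excerpt above), so it cannot stop another local user from binding $port,
    # but it does drop any reply from that port that was not generated by $user.
    echo "iptables -A OUTPUT -p tcp --sport $port -m owner --uid-owner $user -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --sport $port -j DROP"
}

apply_port80_rules() {
    port80_rules "$@" | sh -e
}
```

    The caveat in the comments is the answer to the "not 100% sure" above: because `owner` only sees locally generated packets, it is a control on who may *speak* from the port, not on who may *listen* on it; stopping a rogue local apache from grabbing the port is a job for a MAC policy such as SELinux (mentioned earlier in the thread), not for this match.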

  • by masklinn (823351) <slashdot.org@nOSpAm.masklinn.net> on Tuesday April 19, 2005 @02:22AM (#12278957)
    I think there are enough people out there who have to use ActiveX that support will eventually be added as a special module or something.
    Too bad you don't think like the Mozilla.org foundation does.

    It's been stated repeatedly that Mozilla.org products will never implement ActiveX out of the box... ever...

    There are extensions, if there weren't you could develop them, it's up to you to implement ActiveX in moz/fox and degrade your security, but THAT won't come from the foundation.

    Try again.
  • Re:Okay now... (Score:2, Informative)

    by Narchie Troll (581273) on Tuesday April 19, 2005 @04:36AM (#12279431)
    With GNU rm, you only get a prompt if
    a. you attempt to delete a write-protected file
    b. you use the -i switch, which some distros automatically stick into the global bashrc
