Michael Robertson Says Root is Safe
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
My Experience with Linspire (Score:0, Interesting)
I can shed a little light on the climate of the open source community at the moment. I believe that part of the reason that open source based startups are failing left and right is not an issue of marketing as it's commonly believed but more of an issue of the underlying technology.
I know that that's a strong statement to make, but I have evidence to back it up! At one of the major corps (5000+ employees) that I consult for, we wanted to integrate the shareware version of Linux into our server pool. The allure of not having to pay any restrictive licensing fees was too great to ignore. I recommended the installation of several boxes running the new 2.4.9 kernel, and my hopes were high that it would perform up to snuff with the Windows 2k boxes which were (and still are!) doing an AMAZING job at their respective tasks of serving HTTP requests, DNS, and fileserving.
I consider myself to be very technically inclined having programmed in VB for the last 8 years doing kernel level programming. I don't believe in C programming because contrary to popular belief, VB can go just as low level as C and the newest VB compiler generates code that's every bit as fast. I took it upon myself to configure the system from scratch and even used an optimised version of gcc 3.1 to increase the execution speed of the binaries. I integrated the 3 machines I had configured into the server pool, and I'd have to say the results were less than impressive... We all know that linux isn't even close to being ready for the desktop, but I had heard that it was supposed to perform decently as a "server" based operating system. The 3 machines all went into swap immediately, and it was obvious that they weren't going to be able to handle the load in this "enterprise" environment. After running for less than 24 hours, 2 of them had experienced kernel panics caused by Bind and Apache crashing! Granted, Apache is a volunteer based project written by weekend hackers in their spare time while Microsoft's IIS has an actual professional full fledged development team devoted to it. Not to mention the fact that the Linux kernel itself lacks any support for any type of journaled filesystem, memory protection, SMP support, etc, but I thought that since Linux is based on such "old" technology that it would run with some level of stability. After several days of this type of behaviour, we decided to reinstall windows 2k on the boxes to make sure it wasn't a hardware problem that was causing things to go wrong. The machines instantly shaped up and were seamlessly reintegrated into the server pool with just one Win2K machine doing more work than all 3 of the Linux boxes.
Needless to say, I won't be recommending Linux/FSF to any more of my clients. I'm disappointed that they won't be able to leverage the free cost of Linux to their advantage, but in this case I suppose the old adage stands true that, "you get what you pay for." I would have also liked to have access to the source code of the applications that we're running on our mission critical systems; however, from the looks of it, the Microsoft "shared source" program seems to offer all of the same freedoms as the GPL.
As things stand now, I can understand using Linux in academia to compile simple "Hello World" style programs and learn C programming, but I'm afraid that for anything more than a hobby OS, Windows 98/NT/2K are your only choices.
Define "Secure" (Score:5, Interesting)
He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.
Excellent commentary... (Score:1, Interesting)
On a side note: this is sort of like Word and Excel macros and OpenOffice.org. Without them, Oo.org is missing quite a few companies.
A short list of reasons to NOT be root (Score:2, Interesting)
2) It limits damage from exploits. Go ahead and be root if you aren't networked and never insert media, or are running a perfectly-secure OS.
3) It protects you from another user's malice. N/A for single-user machines.
Examples of when it is OK to run as root:
1) many non-networked embedded systems, e.g. your microwave oven
2) the DOS box in the corner your kids play DOOM I on.
3) Demo machines at trade shows, but only if they are not networked and have no removable media.
Other examples where running as root isn't advisable but the damage is greatly mitigated include read-only systems like Knoppix.
Modded -1 Flamebait (Score:4, Interesting)
He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.
It was several years before I realized that it was the same Michael but I visited the website and found his picture there - in multiple super high resolutions - seriously, why would I want a 1435x1980 pixel image [linspire.com] of him?
Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*
Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...
=tkk
Re:Okay now... (Score:1, Interesting)
What we lack is that fine tuning - I should be able to specify that a particular UID can listen on ifname:80, not kick off a process as root, then setuid it...
A hierarchical permissions set on the process tree could also be very handy... (think ACLs for the proc tree), although this could get pretty damned difficult to drive very fast if implemented badly.
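As an added example, not code from the thread or from Linspire: the coarse-grained mechanism this comment complains about, written out in C. The process starts as root only to bind a low port, then drops to an unprivileged uid/gid and checks that the drop cannot be undone. Port 80 and the "nobody" account are assumptions for the stand-alone run.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a listening TCP socket on 127.0.0.1:port. Ports below 1024 need root
 * (or CAP_NET_BIND_SERVICE), which is the only reason this program starts
 * privileged at all. Returns the listening fd, or -1 with errno set. */
int bind_tcp_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups first,
 * then the gid, then the uid, because once the uid is unprivileged the
 * earlier two calls would be refused. setuid() called by root sets the real,
 * effective and saved uid together, so there is no way back.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)   /* only root may call this */
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    return 0;
}

/* Verify the drop really happened: the effective uid must be non-zero and
 * setuid(0) must be refused with EPERM. A drop done with seteuid() alone
 * leaves the saved uid at 0; then setuid(0) succeeds, this returns 0, and
 * the process is root again, so a caller must treat 0 as fatal. */
int privileges_irrevocably_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

int main(int argc, char **argv)
{
    /* Run as root. The account to drop to is argv[1]; "nobody" is an assumed
     * default that exists on most Unix systems. */
    const char *name = argc > 1 ? argv[1] : "nobody";
    struct passwd *pw = getpwnam(name);
    if (!pw) { fprintf(stderr, "no such user: %s\n", name); return 1; }

    int fd = bind_tcp_port(80);             /* the one privileged step, done first */
    if (fd < 0) { perror("bind 127.0.0.1:80"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop_privileges"); return 1; }
    if (!privileges_irrevocably_dropped()) { fputs("still privileged, aborting\n", stderr); return 1; }

    printf("listening on port 80 as uid %u; root is gone for good\n", (unsigned)geteuid());
    close(fd);
    return 0;
}
```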
Re:god or mear mortal (Score:3, Interesting)
Boiler-plate troll (Score:2, Interesting)
Re:Okay now... (Score:3, Interesting)
- MySQL, for instance, runs as a separate user. [...] For instance, keep your accounting files under a different user
Well, sure, but most Linspire users probably don't run MySQL or keep accounting files for a business on their Linspire box. I mean, from the article, it's clearly aimed at Grandma, who wants to web surf and send e-mail.
- Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.
Same comment. Grandma isn't running a server, or using phpMyAdmin.
- Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful.
Well, the point he's making in the article is that on a personal desktop machine, it's the data in your own user account that's valuable. The exploitable program running as user gramma can still delete all of Gramma's files, without escalating to root.
- rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.
Well, Gramma's not likely to type that obscure command anyway. But even if she's not root, what if she types rm -Rf ~? From her point of view, on a single-user machine, that's just as bad -- she's back to a fresh install. And remember, when Gramma fires up her Linspire box for the first time, she doesn't have any services turned on, so actually there's not much that anyone from the outside can do without convincing her to execute an e-mail attachment or something (which Linux mail readers typically don't make it easy to do casually). Give her a hardware router between the machine and the wall, and bang, she's got a pretty decent hardware firewall as well (and it's a firewall that she doesn't need to configure or maintain).
And suppose Gramma creates a root account, but the password she chooses is her dog's name, because she figures nobody can guess that? If I was helping her set things up, I'd be more concerned with explaining to her about how to choose a good password than with convincing her to set up a separate root account.
Actually I think MacOS X has done a really nice job on this kind of stuff, and their strategy should probably be emulated, especially by distros aimed at home users. Everything is done using sudo. Any time you want to install a printer driver or whatever, it makes sure you're a user who's got administrator privs, and it makes you type in your password. For example, on my wife's MacOS X box, she and I both have admin privs, but our kids don't. I can't even remember the last time I had to do an su root on her box.
Re:Okay now... (Score:5, Interesting)
Re:Okay now... (Score:3, Interesting)
I'm not suggesting that the usability of computers cannot be improved; far from it. But just as some people are simply very bad drivers, some people will not be able to use some programs because they don't have the training, they aren't willing to practice, or they just don't "get it". Trying to cater to these people by writing programs that a 5-year-old could use probably results in programs that only a 5-year-old would want to use.
Re:500,000 windows zombies (Score:3, Interesting)
Re:Okay now... (Score:3, Interesting)
I suppose that I could rig something that required multiple X sessions that you go between by hitting the CTRL-ALT-F# keys. However, it'd be nice to have something that simple folk can use.
Re:Okay now... (Score:3, Interesting)
How I learned not to run as root (Score:2, Interesting)
cat soundfile.au >
I typed
cat soundfile.au >
Whoops. Yes, there is a reason not to run as root. I admit the mistake was dumb but if I wasn't root I would have been protected from myself.
Re:Okay now... (Score:3, Interesting)
Actually, my opinion is and always has been that assuming users are stupid and incapable of learning the most basic idioms is the real problem with computing. I mean, if we can't even expect to teach people what a "directory tree" is and means, how do we expect them to learn to organize information? Sure, google can claim you should "search instead of organize," but the fact remains there are times when searching is useful and times when indexing and organizing are useful. Knowing both is computing 101.
The trick for developers is creating minimal yet powerful knowledge-space for users to occupy and NOT CHANGING IT! (Note: this doesn't mean the back-end doesn't change, just that the controls remain familiar... and every change is designed specifically to make usage easier, and with an eye toward disruption costs.)
I mean really. The basic distribution model:
1) Download application to known location.
2) Execute application at known location.
Hasn't changed since the very first personal computers, so why is it we even need things like ActiveX? (i.e.: if it's worth running, it's probably worth the trouble to purposely install...)
Note: For moving around a lot or organizations, replace "application" with "application suite".
And food for thought: Why can't I just grab the contents of my "programs" directory and move it to a new machine?
Re:Excellent commentary... (Score:3, Interesting)
*Sigh* This is what I'm talking about! I know AX ain't great. I'm no fan of it, either. But when it's needed, it's NEEDED. Since OO and FireFox wouldn't support it, we had to use a MORE INSECURE office and browsing app! You cannot honestly tell me that the OSS Community couldn't develop something to support AX and maintain security. Heck, all it would really need is to be off by default and the user has to either turn it on or install a special module. I don't care. It certainly would have been infinitely better than what we had.
Whatever. I seriously doubt this has been given serious consideration. Flipping off MS is fun, but you're also flipping off some people who can't switch.
Re:Excellent commentary... (Score:3, Interesting)
Default turned off. If a page has some activex thingys, block, display small text that a thingy was blocked. If user wants to run it, click here and blabla, the url gets added to "Allow" list. Done. Other platforms need not even bother.
Question your best practices! (Score:3, Interesting)
MIT Kerberos [mit.edu] takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.
Capability-based systems [erights.org] essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.
Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1 [stiller.com], 2 [reflex-magnetics.co.uk]). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.
Re:Excellent commentary... (Score:3, Interesting)
Transgaming is working on a mozilla plugin for AX, for linux running winex / cedega.
For openoffice, I think macros (with import from ms formats) would be more useful than AX (who uses AX in a document?)
- Ost
Re:Excellent commentary... (Score:3, Interesting)
However, activeX is a security nightmare. And regardless it *IS* a proprietary MS extension -- and nobody wants to A: support MS and their bullcrap, B: Firefox has a reputation as a secure alternative to IE. If FireFox supports the hopelessly insecure ActiveX -- they really have nothing to offer anyone anymore as their reputation is *done*.
Why computers are complicated (Score:1, Interesting)
An elevator has only six possible states: going up, going down, or stopped, multiplied by doors open or doors closed. While getting into those states may have required skill in old elevators, the complexity was inherently limited.
Your computer has a whole bunch more potential states of configuration and execution. Just assuming ten programs that may or may not be running at a given time, right there you've got 1,024 states. Then there's the state of each of those programs - say each program is not just running or not, but can be in one of five states (which is not unreasonable - not running, loading, reading, writing, and closing). Now you've got 5^10=9,765,625 possible states for your system to be in. Six orders of magnitude more complex than the elevator. Then assume a few variables of configuration - just ten binary values would take us up to ten billion states. (And that's assuming only ten programs - right now ps -ax | wc says I've got over 100 processes running.)
It gets worse if you take a finer-grained view of what a state is - the RAM in your system can assume more states than the number of elementary particles in the Universe.
Of course in theory, our operating system partitions that complexity, so you only have to deal with the states of one program at a time. And one way it does that is by separating user privileges.
Re:Okay now... (Score:4, Interesting)
Now there is a much simpler and intuitive interface that anyone can use, so a dedicated operator is not needed (though I hear Congress still has elevator operators so those busy politicians don't have to worry about breaking their nails, or something).
If you had a computer with a set of buttons for each of a few trivial operations available to the user, and those are the only operations, it probably doesn't matter if you run as root or not.
Such a system would also suck as a general purpose home computer.
If you're going to do anything beyond trivial actions, and perhaps getting into complex stuff that you don't necessarily understand, it's probably best NOT to be running as root.
Think of it as 2 sets of operations:
- the ones that can mess up your stuff
- the ones that can mess up the whole system
Both sets have the ability to wipe out your data, but the latter can wipe out other people's data, critical system files, raw hard drives... pretty much screw your data, and your machine.
Both your user account and root have the ability to mess up your stuff. A regular user account typically cannot mess up other accounts' data or the operating system, without using "su" or "sudo" or some other method to escalate privileges.
MacOSX has root separate from the user account. A user can be an "Administrator", which gives the user sudo capability. GUI operations (software installs, editing user accounts, and other system configuration) do a graphical equivalent to sudo, prompting the user for their admin password. It's not that complicated. It's an extra layer of protection, and lets the user know that they're doing something out of the ordinary. It's not that complicated.
Even my parents understand it.
Re:None of you /.ers listen/read... (Score:4, Interesting)
What if an attacker just wishes to compromise your machine and use it to attack other machines, relay spam, etc? This is a huge problem with Windows.
Re:Excellent commentary... (Score:3, Interesting)
Re:Excellent commentary... (Score:2, Interesting)
> to OpenOffice or Mozilla. The attitude that it's better that these two apps
> don't support it seriously pisses me off. If Microsoft can't get away with
> being arrogant, then the OSS Community can't either.
Arrogance has nothing to do with it; this decision is about (and can only be about) security. Applications that care about security *cannot* support ActiveX, full stop.
It's not just better; it's *VITAL* that they not support ActiveX. If Mozilla for instance did support ActiveX, anyone even the slightest bit conscious of basic security issues would migrate away to another browser immediately (Opera, most likely). If you think ActiveX is a good thing, you have no idea what ActiveX is, or no understanding of security at all. Fundamentally, by design, ActiveX allows any website you visit to do, quite literally, whatever it wants on your computer[1]. A well-behaved site is *supposed* to be nice and just draw stuff in the browser window, but fundamentally it can do whatever it likes, because that's how ActiveX was designed. Microsoft created ActiveX during the era when they considered security to be 100% Somebody Else's Problem, so they didn't give this a second thought; now that they are making some attempt to take security seriously, they regret ever having developed ActiveX in the first place; sooner or later they will have to discontinue support for it in a service pack or upgrade, because there is no secure way to support it.
It was a mistake for Microsoft to develop ActiveX and start supporting it; it would be a mistake for *any* application to support it that doesn't already, and the ones that do already (mainly, MSIE) will eventually have to bite the backward-compatibility bullet and stop supporting it. Mozilla.org absolutely cannot afford to make that kind of mistake; security has been and is one of the major factors driving Firefox adoption; if Firefox supported ActiveX, it would actively lose most of its market share virtually overnight. That kind of wide-open security hole is never EVER worth the risk. OpenOffice *might* be able to get away with it better, because it is used mostly with internal documents, not content off the internet, but it would still be a major security headache, and not supporting ActiveX is still substantially the right decision.
Lack of ActiveX support is not about lack of developer time; it is not about needing to reverse-engineer protocols; it is not about platform parity; it is not about open standards, and it is certainly not about arrogance; it is about security, and it is so essential to security that no other issue can matter.
It is Windows users who would suffer if these applications supported ActiveX on Windows. Yes, Windows has other security problems, but ActiveX dwarfs relatively little things like Shatter attacks (a form of privilege escalation attack that exploits a design flaw in the Win32 API), because it is so much easier to exploit; it is not so much a security vulnerability as a complete abdication of all pretenses of security. Right now, Windows users have a choice; they can use MSIE, and pray nobody ever sends them a link to a site with a less-than-scrupulous webmaster, or they can download a browser with basic security. Don't take that choice away from them.
---
[1] The design has now had user approval retrofitted onto it, so that a site now can only do whatever it wants after the user frobs the "Ok" button. But the user (and the computer, for that matter) has no way to tell before doing so whether the site intends to draw pictures in the browser window, scroll text across the status bar, or scour the user's Documents directory for credit card details and other personal information and send it back to the site. In fact, it's not easy to tell what a site's ActiveX programs (called "controls" in ActiveX parlance) have done even afterwards.
Re:Okay now... (Score:3, Interesting)
First, notice that if you run "rm" on Mac OS X, even it won't use the trash can.
The behavior of Linux and Mac is actually quite similar in this instance. On either platform, removing a file with the GUI tool brings it to a trash holder, but the command line deletes immediately.
Create an invisible directory under each and every mount that is called
Simple, practical obstacles: ~/.trash won't work for files which are on other disks, network shares, removable media, etc. It would have to move the file to the same hard drive as your ~ directory first, which will at best take time, and at worst will overfill your own disk.
More fundamental, and historical explanation: Unix was designed as an operating system, a framework for applications. To keep the job manageable, they added in things that were necessary for the OS (like files, copying, and deleting), but not things that could be better handled at the application level. ~/trash is GUI sugar: just a minor way to make it more difficult for users to input commands that they likely didn't intend.
So, then the question becomes, why did application-level implementations of a two-stage file deletion become popular? And here, the answer is the old canard "Good is the enemy of great". Because the native "rm" command was adequate for more than 98% of all usages, there was little demand to shift to something more complex, even if it would be occasionally safer.
When finally you are shopping around for disk space, only then do you consider emptying the trash.
Unix is a server-oriented OS, both historically and still today. Servers are expected to go weeks and months without a user sitting at them. Needing a person on-hand to Empty Trash just because the webserver has been creating and deleting a bunch of cache files is a bad thing.
Re:Okay now... (Score:3, Interesting)
"One would not do such a thing in Mac OS X."
Granted, I use finder to delete files 95% of the time, but on occasion I use the rm command to delete. Not only can I not undo this, rm does not act the same way finder's delete does. rm does not put files into the trash.
This seems like a design flaw. The Mac is a great platform (my Tiger dvd is in the mail, I am hooked) and the Tiger features that make mv and cp more mac-native are great. Having said that, the GUI operations that have a CLI counterpart (delete in finder vs. the rm command) should operate the same way and be interchangeable wherever possible.
Robertson is right (Score:2, Interesting)
He said "why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. "
Obviously he is talking about single user computers, as most PCs are. If you have a single user computer, when your user account is penetrated, your root account is penetrated next time you su.
The last step in a Linspire install, which apparently no one in this thread has done, is to set up user accounts for a multi-user system. If it is a single user system, there is NO additional security to setting up a user account.
My data is the most important thing for me. I can reinstall Linux in 15 minutes, but my data is irreplaceable.
Peter
Re:Okay now... (Score:4, Interesting)
Ubuntu does this too. The default installation has the root account disabled for login purposes. What few administration tasks require root access are done through sudo, using the user's password for authentication. Login could just as well be automatic.
I fail to see entirely what Linspire needs continuous root-level access for.
root on a single user system isn't a big deal (Score:4, Interesting)
Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all users' information. Although these days a family computer has multiple accounts on it, Little Timmy and Mom's data is separate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.
Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.
MarketSpeak (Score:3, Interesting)
Obviously his answer is Market Force driven and non-technical. He ships as root, he doesn't want to sacrifice his product's perception. He'll never say anything else.
Would you expect the CEO of Exxon to openly state that there is something called Global Warming and it is necessary for everyone to stop driving gasoline powered cars?
Certainly not until they have the answer. It may be that Linspire is working on changing this for real, but it won't be openly discussed.
Re:root on a single user system isn't a big deal (Score:3, Interesting)
A compromised system with a user running as root? Simplicity itself to set an SMTP daemon running and happily accepting and relaying mail.
Welcome to the world of the Linspire open relay network.
Running everything root on a desktop? (Score:1, Interesting)
Michael Robertson's market is rather different from the typical Linux market. He's trying to sell an end user commodity.
The end user does not give a fuckola about permissions, user management, and the meaning of the word "root". Insecure? Yeah, a little.
If a regular user runs a malicious program, they've already risked all of their own data. The system itself is "safe", but many of the reasons people 0wn Windows boxes can be satisfied just by having user privileges. It can be used as a spam conduit. It can be used in a DDoS attack. It can give the keys to someone else so they can try a local exploit to gain root, or it may have a set of local exploits built in to elevate to root right there.
Running any malicious code represents some kind of compromise. The argument for running it as a non-privileged user vs. root user is just one about dampening the impact, but just slightly.
On the other hand, running everything as root makes the end user experience a lot more comfortable. Security is inconvenient.
Re:Excellent commentary... (Score:3, Interesting)
Only Worrying About the Worst Case (Score:2, Interesting)
To use his own analogy, if the worst thing that can happen in a car is to run into a wall, then why have door locks? Whether you have locks on the door or not, you're still going to die. And they make it hard to get into the car, so let's get rid of them.