Forgot your password?
typodupeerror

Michael Robertson Says Root is Safe 1174

Posted by timothy
from the he-calls dept.
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
This discussion has been archived. No new comments can be posted.

Michael Robertson Says Root is Safe

Comments Filter:
  • by Anonymous Coward on Monday April 18, 2005 @06:48PM (#12275349)
    I work as a consultant for several fortune 500 companies, and I think
    I can shed a little light on the climate of the open source community
    at the moment. I believe that part of the reason that open source
    based startups are failing left and right is not an issue of marketing
    as it's commonly believed but more of an issue of the underlying
    technology.

    I know that that's a strong statement to make, but I have evidence to
    back it up! At one of the major corps(5000+ employees) that I consult
    for, we wanted to integrate the shareware version of Linux into our
    server pool. The allure of not having to pay any restrictive licensing
    fees was too great to ignore. I reccomended the installation of
    several boxes running the new 2.4.9 kernel, and my hopes were high
    that it would perform up to snuff with the Windows 2k boxes which
    were(and still are!) doing an AMAZING job at their respective tasks of
    serving HTTP requests, DNS, and fileserving.

    I consider myself to be very technically inclined having programmed in
    VB for the last 8 years doing kernel level programming. I don't
    believe in C programming because contrary to popular belief, VB can go
    just as low level as C and the newest VB compiler generates code
    that's every bit as fast. I took it upon myself to configure the
    system from scratch and even used an optimised version of gcc 3.1 to
    increase the execution speed of the binaries. I integrated the 3
    machines I had configured into the server pool, and I'd have to say
    the results were less than impressive... We all know that linux isn't
    even close to being ready for the desktop, but I had heard that it was
    supposed to perform decently as a "server" based operating system. The
    3 machines all went into swap immediately, and it was obvious that
    they weren't going to be able to handle the load in this "enterprise"
    environment. After running for less than 24 hours, 2 of them had
    experienced kernel panics caused by Bind and Apache crashing! Granted,
    Apache is a volunteer based project written by weekend hackers in
    their spare time while Microsft's IIS has an actual professional full
    fledged development team devoted to it. Not to mention the fact that
    the Linux kernel itself lacks any support for any type of journaled
    filesystem, memory protection, SMP support, etc, but I thought that
    since Linux is based on such "old" technology that it would run with
    some level of stability. After several days of this type of behaviour,
    we decided to reinstall windows 2k on the boxes to make sure it wasn't
    a hardware problem that was causing things to go wrong. The machines
    instantly shaped up and were seamlessly reintegrated into the server
    pool with just one Win2K machine doing more work than all 3 of the
    Linux boxes.

    Needless to say, I won't be reccomending Linux/FSF to anymore of my
    clients. I'm dissappointed that they won't be able to leverege the
    free cost of Linux to their advantage, but in this case I suppose the
    old adage stands true that, "you get what you pay for." I would have
    also liked to have access to the source code of the applications that
    we're running on our mission critical systems; however, from the looks
    of it, the Microsoft "shared source" program seems to offer all of the
    same freedoms as the GPL.

    As things stand now, I can understand using Linux in academia to
    compile simple "Hello World" style programs and learn C programming,
    but I'm afraid that for anything more than a hobby OS, Windows
    98/NT/2K are your only choices.
  • Define "Secure" (Score:5, Interesting)

    by Stibidor (874526) on Monday April 18, 2005 @06:53PM (#12275417) Homepage
    In the article, Michael defines security as the (in)ability to access personal data. In that respect, he's probably right. But I think he oversimplifies the real question of allowing the users to run under the one account that could really screw up their machine.

    He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.
  • by ta bu shi da yu (687699) on Monday April 18, 2005 @06:57PM (#12275467) Homepage
    ... however, your comment about FireFox not adopting ActiveX, I would put to you, is actually not a good thing. Many, many Microsoft software developers are exploiting this, and without ActiveX compatibility they aren't going to migrate to FireFox very quickly (if at all).

    On a side note: this is sort of like Word and Excel macros and OpenOffice.org. Without them, Oo.org is missing quite a few companies.
  • by davidwr (791652) on Monday April 18, 2005 @06:59PM (#12275482) Homepage Journal
    1) It protects you from yourself. Nobody's perfect all the time.
    2) It limits damage from exploits. Go ahead and be root if you aren't networked and never insert media, or are running a perfectly-secure OS.
    3) it protects you from another user's malice. N/A for single-user machines.

    Examples of when it is OK to run as root:
    1) many non-networked embedded systems, e.g. your microwave oven
    2) the DOS box in the corner your kids play DOOM I on.
    3) Demo machines at trade shows, but only if they are not networked and have no removable media.

    Other examples where running as root isn't advisable but the damage is greatly mitigated include read-only systems like Knoppix.
  • Modded -1 Flamebait (Score:4, Interesting)

    by HiredMan (5546) on Monday April 18, 2005 @07:03PM (#12275535) Journal
    I knew Michael Robertson in college and he was a technological lamer and pretty much an A-hole. And he doesn't appear to have changed much. He's cobbling together whatever technologies he can get his hands on and then shamelessly pimping^H^H^H^H^H^H^H self promoting whatever his latest project is regardless of merit.

    He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.

    It was several years before I realized that it was the same Michael but I visted the website and found his picture there - in multiple super high resolutions - seriously why would I want a 1435x1980 pixel image [linspire.com]of him?
    Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*

    Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...

    =tkk
  • Re:Okay now... (Score:1, Interesting)

    by Anonymous Coward on Monday April 18, 2005 @07:13PM (#12275656)
    Actually, slightly off topic, but you have just highlighted/reminded me what I believe to be one of the problems with permissions on *nix generally.

    What we lack is that fine tuning - I should be able to specify that a particular UID can listen on ifname:80, not kick off a process as root, then setuid it...

    A heirarchical permissions set on the process tree could also be very handy... (think ACLs for the proc tree), although this could get pretty damned difficult to drive very fast if implemented badly.
  • by Umbral Blot (737704) on Monday April 18, 2005 @07:22PM (#12275755) Homepage
    I think this is the fault of the command not asking for confirmation. I mean Format C: will at least ask you if you are sure. It's not like you have to clear the root directory that often that this would be a pain.
  • Boiler-plate troll (Score:2, Interesting)

    by AngryElmo (848385) on Monday April 18, 2005 @07:29PM (#12275843)
    almost Word for word, this guy has been posting this same text around different sites for 2 years. It has sort of reached goatse status (ie effing annoying). Just ignore it
  • Re:Okay now... (Score:3, Interesting)

    by bcrowell (177657) on Monday April 18, 2005 @07:33PM (#12275893) Homepage
    Your arguments all make sense, but notice how some of them really apply more to a server. For instance,
    • MySQL, for instance, runs as a separate user. [...] For instance, keep your accounting files under a different user
    Well, sure, but most Linspire users probably don't run MySQL or keep accounting files for a business on their Linspire box. I mean, from the article, it's clearly aimed and Grandma who want to web surf and send e-mail.
    • Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.
    Same comment. Grandma isn't running a server, or using phpMyAdmin.

    • Any exploitable program you run as another user will still need a local escilation exploit in order to do anything harmful.
    Well, the point he's making in the article is that on a personal desktop machine, it's the data in your own user account that's valuable. The exploitable program running as user gramma can still delete all of Gramma's files, without escalating to root.
    • rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.
    Well, Gramma's not likely to type that obscure command anyway. But even if she's not root, what if she types rm -Rf ~? From her point of view, on a single-user machine, that's just as bad -- she's back to a fresh install.

    And remember, when Gramma fires up her Linspire box for the first time, she doesn't have any services turned on, so actually there's not much that anyone from the outside can do without convincing her to execute an e-mail attachment or something (which Linux mail readers typically don't make it easy to do casually). Give her a hardware router between the machine and the wall, and bang, she's got a pretty decent hardware firewall as well (and it's a firewall that she doesn't need to configure or maintain).

    And suppose Gramma creates a root account, but the password she chooses is her dog's name, because she figures nobody can guess that? If I was helping her set things up, I'd be more concerned with explaining to her about how to choose a good password than with convincing her to set up a separate root account.

    Actually I think MacOS X has done a really nice job on this kind of stuff, and their strategy should probably be emulated, especially by distros aimed at home users. Everything is done using sudo. Any time you want to install a printer driver or whatever, it makes sure you're a user who's got administrator privs, and it makes you type in your password. For example, on my wife's MacOS X box, she and I both have admin privs, but our kids don't. I can't even remember the last time I had to do an su root on her box.

  • Re:Okay now... (Score:5, Interesting)

    by Anonymous Coward on Monday April 18, 2005 @07:34PM (#12275906)
    That's why you set the /home directory to non-executable. No program, including rm, will walk into it unless you are root. Note that this doesn't affect the ability of non-root users to access any correctly permissioned sub-directory of /home.
  • Re:Okay now... (Score:3, Interesting)

    by InadequateCamel (515839) on Monday April 18, 2005 @07:37PM (#12275933)
    Elevators go up and down. The only thing that straightforward on a computer is the CD drive (and even that sometimes causes my system to freeze :-) )

    I'm not suggesting that the usability of computers cannot be improved; far from it. But just as some people are simply very bad drivers, some people will not be able to use some programs because they don't have the training, they aren't willing to practice, or they just don't "get it". Trying to cater to these people by writing programs that a 5-year-old could use probably results in programs that only a 5-year-old would want to use.
  • by Jeff DeMaagd (2015) on Monday April 18, 2005 @07:38PM (#12275939) Homepage Journal
    In that case, I think running in administrator mode just makes it harder to remove the infection. I think it's trivial to trojan people into running bots that run in user space rather than system space. It's just not necessary to make such a program because it's easier to assume they are running as admin.
  • Re:Okay now... (Score:3, Interesting)

    by clem (5683) on Monday April 18, 2005 @07:48PM (#12276082) Homepage
    What I'd be interested to know is if there's a means to switch between user sessions on a Linux system without logging off. This is something I actually miss from XP.

    I suppose that I could rig something that required multiple X sessions that you go between by hitting
    the CTRL-ALT-F# keys. However, it'd be nice to have something that simple folk can use.
  • Re:Okay now... (Score:3, Interesting)

    by Anubis350 (772791) on Monday April 18, 2005 @07:55PM (#12276179)
    even better, firemen and other individuals with authority can gain "root access" by using a key and thus gain full control of and override ability on the elevator.
  • by Anonymous Coward on Monday April 18, 2005 @07:56PM (#12276200)
    I hope I can remember the details of this correctly. Here goes. Some time ago (maybe 5 years ago) I was running linux on a ppc box. I wanted to play a .au file. The sound device was something like /dev/scd All I needed to do was
    cat soundfile.au > /dev/scd

    I typed
    cat soundfile.au > /dev/sda

    Whoops. Yes, there is a reason not to run as root. I admit the mistake was dumb but if I wasn't root I would have been protected from myself.
  • Re:Okay now... (Score:3, Interesting)

    by ebyrob (165903) on Monday April 18, 2005 @07:57PM (#12276212) Homepage
    The "users should have to learn" mentality is what keeps computers complicated and difficult to use.

    Actually, my opinion is and always has been that assuming users are stupid and incapable of learning the most basic idioms is the real problem with computing. I mean, if we can't even expect to teach people what a "directory tree" is and means, how do we expect them to learn to organize information? Sure, google can claim you should "search instead of organize," but the fact remains there are times when searching is useful and times when indexing and organizing are useful. Knowing both is computing 101.

    The trick for developers is creating minimal yet powerful knowledge-space for users to occupy and NOT CHANGING IT! (Note: this doesn't mean the back-end doesn't change, just that the controls remain familiar... and every change is designed specifically to make usage easier, and with an eye toward disruption costs.)

    I mean really. The basic distribution model:
    1) Download application to known location.
    2) Execute application at known location.

    Hasn't changed since the very first personal computers, so why is it we even need things like ActiveX? (ie: if it's worth running, it's probably worth the trouble to purposely install...)

    Note: For moving around alot or organizations, replace "application" with "appliciation suite".

    And food for thought: Why can't I just grab the contents of my "programs" directory and move it to a new machine?
  • by NanoGator (522640) on Monday April 18, 2005 @08:02PM (#12276275) Homepage Journal
    "It is simply not worth it; whatever the problem is, ActiveX is never the solution :-)"

    *Sigh* This is what I'm talking about! I know AX ain't great. I'm no fan of it, either. But when it's needed, it's NEEDED. Since OO and FireFox wouldn't support it, we had to use a MORE INSECURE office and browsing app! You cannot honestly tell me that the OSS Community couldn't develop something to support AX and maintain security. Heck, all it would really need is to be off by default and the user has to either turn it on or install a special module. I don't care. It certainly would have been infinitely better than what we had.

    Whatever. I seriously doubt this has been given serious consideration. Flipping off MS is fun, but you're also flipping off some people who can't switch.
  • by fbjon (692006) on Monday April 18, 2005 @08:08PM (#12276342) Homepage Journal
    Is there som obstacle to adding support for activeX in only the windows version? Like this:

    Default turned off. If a page has some activex thingys, block, display small text that a thingy was blocked. If user wants to run it, click here and blabla, the url gets added to "Allow" list. Done. Other platforms need not even bother.

  • by jhantin (252660) on Monday April 18, 2005 @08:09PM (#12276351)
    There have been some very good research projects done on how to build a more secure system, and some of the most amazingly effective ones have been the ones that challenge the basic assumptions of "best practice".

    MIT Kerberos [mit.edu] takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.

    Capability-based systems [erights.org] essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.

    Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1 [stiller.com], 2 [reflex-magnetics.co.uk]). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.
  • by Ost99 (101831) * on Monday April 18, 2005 @08:14PM (#12276395)
    The new netscape based on firefox is supposed to support AX on windows.

    Transgaming is working on a mozilla plugin for AX, for linux running winex / cedega.

    For openoffice, I think macros (with import from ms formats) would be more useful than AX (who uses AX in a document?)

    - Ost
  • by Monkelectric (546685) <slashdot AT monkelectric DOT com> on Monday April 18, 2005 @08:17PM (#12276423)
    Well, what the grandparent is pissed at -- and he has half a point -- is that firefox COULD support activex -- on windows only, by using the activex api.

    However, activeX is a security nightmare. And regardless it *IS* a proprietary MS extension -- and nobody wants to A: support MS and their bullcrap, B: Firefox has a reputation as a secure alternative to IE. If FireFox supports the hopelessly insecure ActiveX -- they really have nothing to offer anyone anymore as their reputation is *done*.

  • by Mr. Slippery (47854) <tms@infamo[ ]net ['us.' in gap]> on Monday April 18, 2005 @08:17PM (#12276425) Homepage
    They used to say the same thing about elevators.

    An elevator has only six possible states: going up, going down, or stopped, multiplied by doors open or doors closed. While getting into those states may have required skill in old elevators, the complexity was inherently limited.

    Your computer has a whole bunch more potential states of configuration and execution. Just assuming ten programs that may or may not be running at a given time, right there you've got 1,024 states. Then there's the state of each of those programs - say each program is not just running or not, but can be in one of five states (which is not unreasonable - not running, loading, reading, writing, and closing). Now you've got 5^10=9,765,625 possible states for your system to be in. Six orders of magnitude more complex than the elevator. Then assume a few variables of configuration - just ten binary values would take us up to ten billion states. (And that's assuming only ten programs - right now ps -ax | wc says I've got over 100 processes running.)

    It gets worse if you take a finer-grained view of what a state is - the RAM in your system can assume more states than the number of elementary particles in the Universe.

    Of coruse in theory, our operating system partitions that complexity, so you only have to deal with the states of one program at a time. And one way it does that it by separating user privileges.

  • Re:Okay now... (Score:4, Interesting)

    by brianosaurus (48471) on Monday April 18, 2005 @08:28PM (#12276527) Homepage
    I'd like to add the fact elevators didn't always have light-up buttons labelled for each floor. There used to be a lever to make it go up or down. Stopping at a floor was a skill. It was more convenient to have an operator than have people miss the floor by 3 feet and break their ankles climbing out, or maybe cutting each other in half by accidentally bumping the lever when exiting.

    Now there is a much simpler and intuitive interface that anyone can use, so a dedicated operator is not needed (though I hear Congress still has elevator operators so those busy politicians don't have to worry about breaking their nails, or something).

    If you had a computer with a set of buttons for each of a few trivial operations available to the user, and those are the only operations, it probably doesn't matter if you run as root or not.
    Such a system would also suck as a general purpose home computer.

    If you're going to do anything beyond trivial actions, and perhaps getting into complex stuff that you don't necessarily understand, its probably best NOT to be running as root.

    Think of it as 2 sets of operations:

    - the ones that can mess up your stuff
    - the ones that can mess up the whole system

    Both sets have the ability to wipe out your data, but the latter can wipe out other people's data, critical system files, raw hard drives... pretty much screw your data, and your machine.

    Both your user account and root have the ability to mess up your stuff. A regular user account typically cannot mess up other accounts' data or the operating system, without using "su" or "sudo" or some other method to escalate privliges.

    MacOSX has root separate from the user account. A user can be an "Administrator", which gives the user sudo capability. GIU operations (software installs, editing user accounts, and other system configuration) do a graphical equivalent to sudo, prompting the user for their admin password. Its not that complicated. Its an extra layer of protection, and lets the user know that they're doing something out of the ordinary. Its not that complicated.

    Even my parents understand it.
  • by Kaelem (263513) on Monday April 18, 2005 @09:21PM (#12277035)
    There is an issue you've not addressed. How about when your data is not the target? (Honestly, most people's data is not worth stealing).

    What if an attacker just wishes to compromise your machine and use it to attack other machines, relay spam, etc? This is a huge problem with Windows.
  • by sbrown123 (229895) on Monday April 18, 2005 @10:04PM (#12277433) Homepage
    Nice try. ActiveX is nothing more than simple COM. It is not very difficult to use Java or XPCOM to communicate to ActiveX controls, and vice versa. Try again.
  • by jonadab (583620) on Monday April 18, 2005 @10:53PM (#12277859) Homepage Journal
    > Lack of ActiveX support actually prevented my previous company from switching
    > to OpenOffice or Mozilla. The attitude that it's better that these two apps
    > don't support it seriously pisses me off. If Microsoft can't get away with
    > being arrogant, than the OSS Community can't either.

    Arrogance has nothing to do with it; this decision is about (and can only be about) security. Applications that care about security *cannot* support ActiveX, full stop.

    It's not just better; it's *VITAL* that they not support ActiveX. If Mozilla for instance did support ActiveX, anyone even the slightest bit conscious of basic security issues would migrate away to another browser immediately (Opera, most likely). If you think ActiveX is a good thing, you have no idea what ActiveX is, or no understanding of security at all. Fundamentally, by design, ActiveX allows any website you visit to do, quite literally, whatever it wants on your computer[1]. A well-behaved site is *supposed* to be nice and just draw stuff in the browser window, but fundamentally it can do whatever it likes, because that's how ActiveX was designed. Microsoft created ActiveX during the era when they considered security to be 100% Somebody Else's Problem, so they didn't give this a second thought; now that they are making some attempt to take security seriously, they regret ever having developed ActiveX in the first place; sooner or later they will have to discontinue support for it in a service pack or upgrade, because there is no secure way to support it.

    It was a mistake for Microsoft to develop ActiveX and start supporting it; it would be a mistake for *any* application to support it that doesn't already, and the ones that do already (mainly, MSIE) will eventually have to bite the backward-compatibility bullet and stop supporting it. Mozilla.org absolutely cannot afford to make that kind of mistake; security has been and is one of the major factors driving Firefox adoption; if Firefox supported ActiveX, it would actively lose most of its market share virtually overnight. That kind of wide-open security hole is never EVER worth the risk. OpenOffice *might* be able to get away with it better, because it is used mostly with internal documents, not content off the internet, but it would still be a major security headache, and not supporting ActiveX is still substantially the right decision.

    Lack of ActiveX support is not about lack of developer time; it is not about needing to reverse-engineer protocols; it is not about platform parity; it is not about open standards, and it is certainly not about arrogance; it is about security, and it is so essential to security that no other issue can matter.

    It is Windows users who would suffer if these applications supported ActiveX on Windows. Yes, Windows has other security problems, but ActiveX dwarfs relatively little things like Shatter attacks (a form of privilege escalation attack that exploits a design flaw in the Win32 API), because it is so much easier to exploit; it is not so much a security vulnerability as a complete abdication of all pretenses of security. Right now, Windows users have a choice; they can use MSIE, and pray nobody ever sends them a link to a site with a less-than-scrupulous webmaster, or they can download a browser with basic security. Don't take that choice away from them.

    ---
    [1] The design has now had user approval retrofitted onto it, so that a site
    now can only do whatever it wants after the user frobs the "Ok" button.
    But the user (and the computer, for that matter) has no way to tell
    before doing so whether the site intends to draw pictures in the browser
    window, scroll text across the status bar, or scour the user's Documents
    directory for credit card details and other personal information and send
    it back to the site. In fact, it's not easy to tell what a site's ActiveX
    programs (called "controls" in ActiveX parlance) have done even afterwards.
  • Re:Okay now... (Score:3, Interesting)

    by Minna Kirai (624281) on Monday April 18, 2005 @11:45PM (#12278211)
    What I don't understand is why the *nixes don't implement something like the Mac's trash can.

    First, notice that if you run "rm" on Mac OS X, even it won't use the trash can.

    The behavior of Linux and Mac is actually quite similar in this instance. On either platform, removing a file with the GUI tool brings it to a trash holder, but the command line deletes immediately.

    Create an invisible directory under each and every mount that is called .trash, and when *any* user does *any* rm command, instead of deleting the files outright, simply move them into the .trash directory.

    Simple, practical obstacles: ~/.trash won't work for files which are on other disks, network shares, removable media, etc. It would have to move the file to the same hard drive as your ~ directory first, which will at best take time, and at worst will overfill your own disk.

    More fundamental, and historical explanation: Unix was designed as a operating system, a framework for applications. To keep the job managable, they added in things that were necessary for the OS (like files, copying, and deleting), but not things that could be better handled at the application level. ~/trash is GUI sugar: just a minor way to make it more difficult for users to input commands that they likely didn't intend.

    So, then the question becomes, why did application-level implementations of a two-stage file deletion become popular? And here, the answer is the old canard "Good is the enemy of great". Because the native "rm" command was adequate for more than 98% of all usages, there was little demand to shift to something more complex, even if it would be occasionally safer.

    When finally you are shopping around for disk space, only then do you consider emptying the trash.

    Unix is a server-oriented OS, both historically and still today. Servers are expected to go weeks and months without a user sitting at them. Needing a person on-hand to Empty Trash just because the webserver has been creating and deleting a bunch of cache files is a bad thing.
  • Re:Okay now... (Score:3, Interesting)

    by burns210 (572621) <maburns@gmail.com> on Tuesday April 19, 2005 @12:40AM (#12278493) Homepage Journal
    "Can one undo a commandline "rm" in OSX?
    One would not do such a thing in Mac OS X."

    Granted, I use finder to delete files 95% of the time, but on occasion I use the rm command to delete.. Not only can I not undo this, rm does not act the same way finder's delte does.. rm does not put files into the trash.

    This seems like a design flaw. The Mac is a great platform(my Tiger dvd is in the mail, I am hooked) and the Tiger features that make mv and cp more mac-native are great. Having said that, the GUI operations that have a CLI counterpart (delete in finder vs. the rm command) should operate the the same way and be interchangeable wherever possible.

  • Robertson is right (Score:2, Interesting)

    by pvdl (621000) on Tuesday April 19, 2005 @12:53AM (#12278552)
    Actually, Robertson is right.

    He said "why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. "

    Obviously he is talking about single user computers, as most PCs are. If you have a single user computer, when your user account is penetrated, your root account is penetrated next time you su.

    The last step in a Linspire install, which apparently noone in this thread has done, is to set up user accounts for a multi-user system. If it is a single user system, there is NO additional security to setting up a user account.

    My data is the most important thing for me. I can reinstall Linux in 15 minutes, but my data is irreplacable.

    Peter
  • Re:Okay now... (Score:4, Interesting)

    by Lorkki (863577) on Tuesday April 19, 2005 @01:09AM (#12278635)
    See NeXTSTEP and MacOS X. Users were not root. Users seem to be getting along just fine. Login optional.

    Ubuntu does this too. The default installation has the root account disabled for login purposes. What few administration tasks require root access is done through sudo using the user's password for authentication. Login could just as well be automatic.

    I fail to see entirely what Linspire needs continuous root-level access for.

  • by OrangeTide (124937) on Tuesday April 19, 2005 @02:53AM (#12279074) Homepage Journal
    When one RTFA they will notice that Robertson is talking about a desktop system. Having users log in as some root/admin account is not a big deal because the only thing valuable on that system is the data stored as the only user on their system. Obviously he's not saying "run apache as root". In fact he implies it would be a very bad idea to allow things like a webserver to have write-access to a user's data!

    Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all user's information. Although these days a family computer has multiple accounts on it, Little Timmy and Mom's data is seperate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.

    Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.
  • MarketSpeak (Score:3, Interesting)

    by tacocat (527354) <tallison1 AT twmi DOT rr DOT com> on Tuesday April 19, 2005 @03:24AM (#12279175)

    Obviously his answer is Market Force driven and non-technical. He ships as root, he doesn't want to sacrifice his products perception. He'll never say anything else.

    Would you expect the CEO of Exxon to openly state that there is something called Global Warming and it is necessary for everyone to stop driving gasoline powered cars?

    Certainly not until they have the answer. It maybe be the Linspire is working on changing this for real, but it won't be openly discussed.

  • by Craster (808453) on Tuesday April 19, 2005 @06:25AM (#12279773)
    This is only true if it's only your data that you care about.

    A compromised system with a user running as root? Simplicity itself to set an SMTP daemon running and happily accepting and relaying mail.

    Welcome to the world of the Linspire open relay network.
  • by Anonymous Coward on Tuesday April 19, 2005 @08:14AM (#12280196)

    Michael Robertson's market is rather different from the typical Linux market. He's trying to sell an end user commodity.

    The end user does not give a fuckola about permissions, user management, and the meaning of the word "root". Insecure? Yeah, a little.

    If a regular user runs a malicious program, they've already risked all of their own data. The system itself is "safe", but many of the reasons people 0wn Windows boxes can be satisfied just by having user privileges. It can be used as a spam conduit. It can be used in a DDoS attack. It can give the keys to someone else so they can try a local exploit to gain root, or it may have a set of local exploits built in to elevate to root right there.

    Running any malicious code represents some kind of compromise. The argument for running it as a non-privileged user vs. root user is just one about dampening the impact, but just slightly.

    On the other hand, running everything as root makes the end user experience a lot more comfortable. Security is inconvenient.

  • by CastrTroy (595695) on Tuesday April 19, 2005 @08:57AM (#12280433) Homepage
    You can get firefox to use active-x. It just doesn't do it by default. There's some stuff you can change in your profile to make active-x stuff work. It's not a good idea, but it can be done. As for openoffice, well, I'm not sure there. But if running compiled code in your office suite is something you can't live without, maybe you need to review the reasons behind doing stuff like this in the first place.
  • by Delos (20149) on Tuesday April 19, 2005 @09:31AM (#12280713) Homepage
    The stupidity of this position is very easy to explain. He's claiming that the worst thing (losing user data) is the only thing to worry about. Since non-root doesn't prevent that, let's get rid of it.

    To use his own analogy, if the worst thing that can happen in a car is to run into a wall, then why have door locks? Whether you have locks on the door or not, you're still going to die. And they make it hard to get into the car, so let's get rid of them.

"You tweachewous miscweant!" -- Elmer Fudd

Working...