Re: Running stuff as root == bad, was Re: FC13 question
Uh, on most of my systems <ctrl><alt><f${1,2,3,4,5,6} will get you to
a different console. I've even successfully run two separate and
complete desktops on different consoles.
Just sayin'.
-- CHS
On Sun, Aug 1, 2010 at 10:29 AM, William Fragakis <william@...> wrote:
> Since I invited this flame-fest....
>
> Let's define "bad", to borrow from my wife, is this "cross the double
> yellow line" bad or "I'm driving across the mall parking lot without my
> seatbelt" bad?
>
> Both, violate rules of safety. One will get you killed in about 2
> minutes, the other, probably not.
>
> Most things we do in life involve inherent risks. A ride down the
> interstate and seeing the crosses and flowers on the side is a ready
> reminder.
>
> Those of us who feel the need/convenience to 'that which can not be
> said', aren't doing so we can log into our facebook accounts with
> ies4linux. Some things can be done completely from the CLI, somethings
> by su/sudo and some things for us who've been using a mouse-based GUI
> for 24 years are much easier for the 15-20 minutes we need it if we can
> get to a full-blown desktop.
>
> Mind you, I'm not the systems admin for a Fortune 500 company. I just
> have a couple boxes in the basement. My skill set is at a basement level
> as well.
>
> Say, I'm messing about setting up a separate drive for my VMs, creating
> the VMs, messing about with samba, editing a few .confs etc. and - God
> forbid - having to consult Google when I hit a roadblock. For me, it's a
> heck of a lot easier to fire up a desktop for root so I don't have to
> deal with su'ing 5 different programs. The automatic response is "you
> shouldn't, you should do each one, separately." To those of us who've
> somehow used a desktop for decades with admin privileges without
> incident, that response is a bit Jobsian ("learn to hold your phone
> differently, it's not the phone's fault").
>
> Could I get hacked or attacked or pooch my system in those 20 minutes?
> Sure. But, in 20 minutes on the road, I could easily have a serious auto
> crash. It's much more probable that 20 minutes on any Atlanta interstate
> could involve me in a serious crash (during the school year, I'm on the
> Connector everyday, so I don't feel like I'm overstating the odds) than
> having my system get borked in the same amount of time.
>
> I'd even go further to say that if having a root graphical interface is
> inherently something that should never be done, then the graphical stack
> is too fragile.
>
> Just for fun, I looked up X11 and Xorg security advisories. I realize
> that there are more elements to a GUI than that but the list isn't
> unsettling for my usage.
> <http://www.x.org/wiki/Development/Security?action=show&redirect=SecurityPage>
>
> Again, I get that if I'm running the system of something where if things
> go bad people lose their jobs or die, I need to be really, really
> careful and not log in as root. But let's be somewhat realistic on what
> "bad" is. <begin playful sarcasm>Otherwise, I fully expect that should I
> see you driving about town that you'll be using your HANS head restraint
> device and have environmentally safe foam peanuts up to your
> windows.</bps>
>
> And, <more bps>considering how many Liberterians there are on this list
> who haven't risen to the defense of my doing something stupid being my
> own concern, I'm shocked. 
</more bps>
>
> Now, let me go get my Nomex suit before the responses come hurtling in.
>
> regards,
> William
>
> Message sent from my reinforced concrete bunker from an account that
> barely had enough privileges to even use the keyboard.
>
>
>
> On Sun, 2010-08-01 at 08:22 -0400, Greg Freemyer wrote:
>> kdesu works in kde.
>>
>> I use it from time to time.
>>
>> Greg
>>
>> On 7/31/10, Richard Bronosky <Richard@...> wrote:
>> > While I agree with the sentiments of this message, the subject is just
>> > plain wrong. Running *stuff* as root *is not* bad. Running
>> > *everything* as root *is* bad. That is exactly what happens when you
>> > log into GUI [display manager|window manager|desktop
>> > environment|whatever] (I don't know anything about the X.org stack. I
>> > don't use GUIs) you run *everything* as yourself. You don't want that
>> > _yourself_ to be root. I could have sworn that back when I was doing
>> > MythTV I used xfce or rat poison and I used a utility called Xsudo,
>> > sudoX, or GnomeSudo. That was good for running the occational app as
>> > sudo. I found that MythTV being graphical by nature forced me to do
>> > this.
>> >
>> >
>> > On 7/30/10, scott mcbrien <smcbrien@...> wrote:
>> >> One of the big problems with other OS'es is that users log in as an
>> >> account with administrative privileges. On those OS'es, when an
>> >> application, being run by the user, runs amok (perhaps a web browser
>> >> executing badness from flash or java script?), that application runs
>> >> amok with administrative rights. So when the application tries to
>> >> mangle system files, libraries, etc. it can because administrators
>> >> could also modify said files. That's one example of why you don't want
>> >> to log in as root, but there are many more, mostly because desktop
>> >> environments like gnome run many many many processes and helper
>> >> applications each of which, when logged in as root, is given full
>> >> administrative permission to do whatever they want on a system.
>> >>
>> >> -Scott
>> >>
>> >> On Fri, Jul 30, 2010 at 7:05 PM, William Fragakis <william@...>
>> >> wrote:
>> >>> Nautilus, for one
>> >>>
>> >>> GParted can do some interesting things, too, I'd gather but I've never
>> >>> tried (to do "interesting things"). Gedit can make your day exciting as
>> >>> well. Personally, I can easily do as much damage from the CLI if not
>> >>> more.
>> >>>
>> >>> I do find it easy sometimes to actually have a root Desktop although, on
>> >>> this esteemed list, I'm probably in a distinct minority.
>> >>>
>> >>> If something bad happens, I was never here.
>> >>> regards,
>> >>> William
>> >>>
>> >>> On Fri, 2010-07-30 at 18:49 -0400, Drifter wrote:
>> >>>> Thanks, this seems to work.
>> >>>> But you have to admire the warning label that pops up before the GUI
>> >>>> actually appears on the screen:
>> >>>>
>> >>>> "You are currently trying to run as Root super user. The superuser is a
>> >>>> specialized account that is not designed to run a normal user session.
>> >>>> Various programs will not function properly and actions performed under
>> >>>> this account can cause unrecoverable damage to the operating system."
>> >>>>
>> >>>> No hint, of course, as to what sorts of programs can cause the damage.
>> >>>>
>> >>>> Sean
>> >>>>
>> >>>> On Friday, July 30, 2010 06:13:33 pm William Fragakis wrote:
>> >>>> > http://blog.ask4itsolutions.com/2010/04/23/login-as-a-root-from-gui-fed
>> >>>> > ora-13/
>> >>>> >
>> >>>> > Did this a couple of days ago.
>> >>>> >
>> >>>> > Use at your own risk, owner assumes all liabilites, etc. etc.
>> >>>> >
>> >>>> > On Fri, 2010-07-30 at 17:32 -0400, Drifter wrote:
>> >>>> > > There are times when I need to to things as root that are -- for me
>> >>>> > > -- much easier to do using the GUI aps rather than the command line.
>> >>>> > > Years ago on a Red Hat install, root actually had a directory in
>> >>>> > > /home and I could log into the system as root and have the GUI.
>> >>>> > >
>> >>>> > > This FC13 install doesn't provide that feature. I can create, as
>> >>>> > > root, a directory in /home. That's easy enough. But what do I have
>> >>>> > > to do so that I can log in as root directly just as I log into my
>> >>>> > > regular user account? If I try to log in as root now, the system
>> >>>> > > just laughs at me.
>> >>>> > >
>> >>>> > > Clearly I am missing several steps in the process.
>> >>>> > >
>> >>>> > > Sean
>> >>>> > > _______________________________________________
>> >>>> > > Ale mailing list
>> >>>> > > Ale@...
>> >>>> > > http://mail.ale.org/mailman/listinfo/ale
>> >>>> > > See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>>> > > http://mail.ale.org/mailman/listinfo
>> >>>> >
>> >>>> > _______________________________________________
>> >>>> > Ale mailing list
>> >>>> > Ale@...
>> >>>> > http://mail.ale.org/mailman/listinfo/ale
>> >>>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>>> > http://mail.ale.org/mailman/listinfo
>> >>>> _______________________________________________
>> >>>> Ale mailing list
>> >>>> Ale@...
>> >>>> http://mail.ale.org/mailman/listinfo/ale
>> >>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>>> http://mail.ale.org/mailman/listinfo
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Ale mailing list
>> >>> Ale@...
>> >>> http://mail.ale.org/mailman/listinfo/ale
>> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>> http://mail.ale.org/mailman/listinfo
>> >>>
>> >>
>> >> _______________________________________________
>> >> Ale mailing list
>> >> Ale@...
>> >> http://mail.ale.org/mailman/listinfo/ale
>> >> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >> http://mail.ale.org/mailman/listinfo
>> >>
>> >
>> > --
>> > Sent from my mobile device
>> >
>> > .!# RichardBronosky #!.
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale@...
>> > http://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>> >
>>
>
>
> _______________________________________________
> Ale mailing list
> Ale@...
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
_______________________________________________
Ale mailing list
Ale@...
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
I'm not sure what there really is in terms of useful data that companies
could use, other than having a large pool of names to be able to pick
from for things like random name generators, or parsers that look for
proper names in freeform documents, or other fairly specific things such
as that. Perhaps it's possible to use it for more than I envison, as
well.
It seems (at least from where I sit) that the Web site that is supposed
to have more information about the whole thing is unreachable; I get 17
hops before my packets to the thing enter some form of black hole on the
Internet in Canada. Oops.
Anyway, it's interesting, though of only limited use, I think; I don't
know that it contains enough information (by itself) to be harmful,
though I suppose that if you could combine it with other databases that
have additional data, it could be potentially detrimental.
One thing that I had expected to see based on all the chatter about it
was some form of relationship graph, say, showing who has friended who
on Facebook. That would be something that I could see companies easily
(ab)using for things like debt collection purposes. However, that sort
of data doesn't seem to be present, which I would consider to be a good
thing.
--- Mike
_______________________________________________
Ale mailing list
RSS Feed