2010.07.30

Please Note: This is only relevant to single-user desktop installations of Linux. The issues I will discuss here don’t apply to servers. In fact, the exact opposite applies there.

“Don’t run as root” is an oft-repeated mantra of *nix security. While I agree 100%, it’s not as big on the desktop as some would think. I’d like to point out why here. I still believe you shouldn’t login as root, but I also believe that it’s up to each user to make their own decision.

Think about the data on your computer. What matters to you? E-Mail? Documents? Images? Most of us have things like family photos, financial records, personal communications, saved passwords, or other sensitive or irreplaceable data. This is what we want to protect. When I back up my desktop, I back up my home directory. I don’t back up my OS install, software, or anything else that is not private or difficult to replace. Think of this as the “important stuff.”

So, let’s talk about the important stuff. What users have access to YOUR important stuff? Most likely, your own user, and the root user. So, great, not running as root eliminates one of the possible users that can access your files. So what user do you run as? Your own user. So it’s pretty obvious that not running as root doesn’t restrict access to the important stuff.

Need proof that your data is no safer under your own user? Think about running “rm -rf /” as root or as your own user. What happens to your data either way? It’s gone. Don’t run this, just think about it.
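
As an added illustration of this point (example code written for this edit, not part of the original post): the script below reproduces the traditional Unix read/write permission decision and applies it to a constructed set of files and identities (a desktop user “alice”, uid 1000; a second local account “mallory”; and root), so you can see who can reach the home-directory data versus the operating system’s own files. The paths, uids, gids and modes are constructed for the example; ACLs, execute permission and MAC layers such as AppArmor are deliberately out of scope.

```python
"""Added example (not part of the original post): reproduce the classic Unix
discretionary access-control decision for read/write and apply it to a
constructed set of files to show which identities can reach a user's
"important stuff" versus the OS.  All paths/uids/modes are constructed."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    mode: int   # permission bits only, e.g. 0o600
    uid: int    # owning user
    gid: int    # owning group


@dataclass(frozen=True)
class Identity:
    name: str
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups


def can_access(entry: FileEntry, who: Identity, want: str) -> bool:
    """True if `who` may perform `want` ('r' or 'w') on `entry`.

    uid 0 bypasses read/write permission checks entirely.  Everyone else is
    evaluated against exactly one permission triplet: owner bits if they own
    the file, otherwise group bits if they belong to its group, otherwise
    the 'other' bits.  (Execute, ACLs and AppArmor are out of scope.)
    """
    if who.uid == 0:
        return True
    if who.uid == entry.uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR)
    elif who.gid == entry.gid or entry.gid in who.groups:
        bits = (stat.S_IRGRP, stat.S_IWGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH)
    needed = bits[0] if want == "r" else bits[1]
    return bool(entry.mode & needed)


# Constructed sample: a desktop user (uid 1000) with the kind of files the
# post calls "important stuff", plus two OS files for contrast.
ALICE = Identity("alice", 1000, 1000)
ROOT = Identity("root", 0, 0)
MALLORY = Identity("mallory", 1001, 1001)   # another local account

FILES = [
    FileEntry("/home/alice/Photos/family.jpg", 0o644, 1000, 1000),
    FileEntry("/home/alice/Documents/taxes.ods", 0o600, 1000, 1000),
    FileEntry("/home/alice/.ssh/id_rsa", 0o600, 1000, 1000),
    FileEntry("/etc/shadow", 0o640, 0, 42),    # root:shadow
    FileEntry("/usr/bin/ssh", 0o755, 0, 0),
]


def access_matrix(files=FILES, identities=(ALICE, ROOT, MALLORY)):
    """Map each path to {identity name: 'rw' / 'r-' / '--'}."""
    out = {}
    for f in files:
        row = {}
        for who in identities:
            r = "r" if can_access(f, who, "r") else "-"
            w = "w" if can_access(f, who, "w") else "-"
            row[who.name] = r + w
        out[f.path] = row
    return out


def exposed_to_user_process(files=FILES, who=ALICE):
    """Paths a process running as `who` could both read and overwrite.

    Any compromised application running as the desktop user gets all of
    these: exactly the data the post says users actually care about."""
    return [f.path for f in files
            if can_access(f, who, "r") and can_access(f, who, "w")]


if __name__ == "__main__":
    for path, row in access_matrix().items():
        print(f"{path:40} " + "  ".join(f"{n}:{p}" for n, p in row.items()))
    print("\nReadable and writable by a process running as alice:")
    for p in exposed_to_user_process():
        print("  ", p)
```

Run as written, the matrix shows that alice and root get identical rights over everything under /home/alice, while only /etc/shadow and the contents of /usr/bin are where the two differ. That is the whole argument of the post in one table: staying non-root protects the operating system from your processes, not your photos from them.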

So what do you gain by not running as root? Well, your system is a lot less likely to be the victim of an ongoing compromise. As root, an attacker can modify your operating system to their liking. Think that’s not much? Guess what: your ssh client now ships the username, host, and password for every system you connect to off to a server in China. Or maybe new files you create are uploaded to an anonymous file-sharing site on the internet. Perhaps every key you touch is recorded to grab usernames, passwords, credit card numbers, and your most personal conversations. Or maybe an attacker uses your computer as a middle man for downloading child pornography. That will be fun to explain to the FBI.

So, obviously some things need to run as root: system configuration tools, for example. However, running these using sudo limits your exposure to just these utilities, rather than the thousands (millions?) of lines of code in a full desktop environment.

In short, if you want to run as root on your desktop, go for it. But know the risks, and know the consequences. On the other hand, don’t chant “don’t login as root” as if it’s a magic bullet for security.

22 comments so far

  1. Thank you for this post, but I think the real takeaway point from it is that Linux needs to be made more secure for ordinary Desktop users. Fewt had a blog post here in which he argued something similar:
    http://www.fewt.com/2010/04/system-security-what-about-your-data.html

  2. rm -rf / doesn’t actually work.

  3. I don’t like that all my apps have access to all my user data. If an Android app wanted SD card access for no good reason I wouldn’t install it, why should I put up with that on the desktop?

    Games, for example, should have no access to *anything* outside of ~/Settings/NameOfGame. Nothing. Gnome minesweeper should not be physically capable of reading or modifying my files.

  4. @ethana2: You’re absolutely right. We’re not there yet, but look at AppArmor. It’s intended to do EXACTLY what you’re looking for. Though, to be honest, single player games are one of the safest apps out there (though there was a time when some were distributed setuid to write to a central high score list for all users on the system).

    Take a look at AppArmor. Unfortunately, not every app (not even close) has an AppArmor profile.

  5. It would be nice to have some tool for executing untrusted binaries with all kinds of restrictions on network and file access without having to write a complete profile.

  6. @Steven:
    I think that article makes the central point. As a consequence, Ubuntu should focus much more on the user’s security and apply some of the advice or find their own solution.

    Otherwise, with increasing popularity, it is just a question of time until the first successful mass attacks on Ubuntu desktops discredit its image as a safe operating system.

  7. One could run AppArmor in learning mode and then create a profile for any application.

  8. Unfortunately, as an attacker, not getting directly to root on a desktop-system is mostly a minor inconvenience.

    Edit ~/.bashrc, add a PATH to somewhere the user you got access to can write, add wrappers for sudo, gksudo, and wait for the next security update (usually a couple of days). There you go.

    Security IS complex, and grows exponentially with system complexity. Also, it’s usually a tradeoff between ease of use and security. There’s a reason OpenBSD isn’t anywhere near Linux in ease of use, features, etc., but it IS very secure.
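
The PATH and shell-startup tampering the comment above describes is something a user can check for. The script below is an added example written for this edit (it is not from the post or from any commenter): it flags PATH entries that the current account can write to and that are searched before the directory holding the real sudo, gksudo or su, and it scans shell start-up text for alias or function definitions that would stand in for those commands. The sample PATH strings, the .bashrc text, the writable-directory predicate and the PROTECTED locations are constructed for the demonstration; on a live system the predicate defaults to os.access and the real locations should come from the package manager or `command -v`.

```python
"""Added example (not from the original post or its comments): audit PATH and
shell start-up files for tampering that could shadow sudo/gksudo/su.
Sample inputs below are constructed for the demonstration."""
import os
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed locations of the real privileged helpers (example values; on a
# real system take them from `command -v` or the package manager).
PROTECTED = ("/usr/bin/sudo", "/usr/bin/gksudo", "/bin/su")


def audit_path(path_value: str,
               protected: Iterable[str] = PROTECTED,
               is_writable: Callable[[str], bool] = lambda d: os.access(d, os.W_OK),
               ) -> Dict[str, List[Tuple[str, str]]]:
    """For each protected command, list the PATH entries searched *before*
    the directory holding the real binary in which the current account could
    plant a same-named file.

    Reasons reported:
      'relative' - empty or relative entry (resolves to the current directory)
      'writable' - directory the current account can write to
    """
    entries = path_value.split(os.pathsep)
    report: Dict[str, List[Tuple[str, str]]] = {}
    for real in protected:
        real_dir = os.path.dirname(real)
        hits: List[Tuple[str, str]] = []
        for entry in entries:
            if entry == real_dir:
                break                      # later entries cannot shadow it
            if entry == "" or not os.path.isabs(entry):
                hits.append((entry, "relative"))
            elif is_writable(entry):
                hits.append((entry, "writable"))
        report[real] = hits
    return report


# Lines in ~/.bashrc and friends that redefine a privileged command as an
# alias or a shell function, e.g. `alias sudo=...` or `sudo() { ...`.
_NAMES = r"(?:sudo|gksudo|su|pkexec)"
_REDEFINE = re.compile(
    r"^\s*(?:alias\s+" + _NAMES + r"\s*=|(?:function\s+)?" + _NAMES + r"\s*\(\s*\))"
)
_PATH_ASSIGN = re.compile(r"^\s*(?:export\s+)?PATH=")


def audit_startup_file(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, line) for suspicious lines in a shell
    start-up file: 'redefine' for alias/function definitions that take the
    place of a privileged command, 'path' for lines that rewrite PATH (so a
    reviewer can see what they prepend)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if _REDEFINE.search(line):
            findings.append((n, "redefine", line.strip()))
        elif _PATH_ASSIGN.search(line):
            findings.append((n, "path", line.strip()))
    return findings


# ---- constructed demo inputs -------------------------------------------
def demo_writable(d: str) -> bool:
    """Stand-in for os.access: only the user's own directories are writable."""
    return d.startswith("/home/alice")


TAMPERED_PATH = "/home/alice/.local/bin:/usr/local/bin:/usr/bin:/bin"
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin:/home/alice/.local/bin"
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH=/home/alice/.local/bin:$PATH
alias ll='ls -l'
sudo() { /home/alice/.local/bin/wrapper "$@"; }
"""

if __name__ == "__main__":
    for label, p in (("tampered", TAMPERED_PATH), ("safe", SAFE_PATH)):
        print(label, audit_path(p, is_writable=demo_writable))
    for hit in audit_startup_file(SAMPLE_BASHRC):
        print(hit)
```

Two caveats when reading the output. Several distributions’ default ~/.profile prepends a directory under $HOME to PATH, so a “writable” hit is not by itself proof of tampering; what it tells you is that anything able to write as your user can put itself in front of sudo for you, which is the commenter’s point, and the fix is to list user-owned directories after the system ones (or not at all for interactive shells). Second, sudo’s own secure_path setting does not help here, because it only takes effect once the genuine sudo is the one running.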

  9. It is a lot easier to just not run as root than figuring out all the apps you want apparmor or sudo to allow.

  10. And the default packaging system on these distros allows apps to provide installation scripts that run as root. So if the user wants to install a packaged application they have to grant permission over the whole computer. Doesn’t happen in Android.

    I think AppArmor is oversold. The apps I most want to be protected against are those whose history I know least about and for which a profile from a trusted third party is least likely to be available. I just wish KDE and Gnome had Android’s security model.

  11. I like to be logged in as root when I’m compiling my downloaded Nvidia drivers or just doing a lot of hackish things like stripping Plymouth out of Ubuntu. I use sudo for an occasional system change and I would NEVER run my system as root for regular use. If I were to do that, then I may just as well stick to Windows!!!! Yes, the whole root thing is overblown and Ubuntu disabling the root account by leaving out the password is excessive, IMHO.

  12. I think Ubuntu does exactly the right thing. Must we learn the lessons of Windows (where everyone runs as admin and has no end of problems with it) all over again?

  13. “Ubuntu disabling the root account by leaving out the password is excessive.” If you want to enable the root account in Ubuntu, simply type

    sudo passwd root

    This will enable the root account (you will probably need to enter a new root password). I am running Fedora here, so I cannot test exactly what happens, but I have done this with an Ubuntu installation. See http://www.debianadmin.com/enable-and-disable-ubuntu-root-password.html

  14. 1. Even a desktop system could have more than one user. If it does, then running as root risks all users’ files.

    2. Running as root allows changes to various security settings. Let’s say an attacker somehow gets a script onto your system. Let’s say that the script creates a user account, installs sshd, ensures there are no iptables rules, and sends an e-mail to the attacker. Obviously, the script would not produce the (attacker’s) desired results if run as a normal user.

    Note also: Having your data deleted is only one (availability) of the three primary things security is intended to preserve: confidentiality, availability, and integrity.

    If people start to think that games (or any types of programs) are safe then those types of programs will become attractive targets for attackers. You shouldn’t think anything is safe.

  15. For desktop OSes there is really no reason the user should even be able to log in as root. They aren’t just a threat to themselves but to the Internet at large. Not only can their information be stolen but their systems can be hijacked and slaved to a botnet which can then attack more secure systems.

    I support the idea that any system detected to be infected should be blocked from the Internet. Maybe even a three strikes rule where if they are blocked three times for an infection they are permanently blocked. Security stopped being your own problem when you plugged your system into the Internet.

  16. The article doesn’t follow the title. First, the title says the risk of running as root is overblown, then the article lists all the excellent reasons not to run as root. Then it claims that not running as root is not a “silver bullet”.

    No one ever said it was. It’s simply Security 101 on any OS, learned by shamefaced sysadmins two decades ago when the first viruses were run ON UNIX MACHINES, not Windows.

    And I agree that disabling the root account as Ubuntu does is overblown. The introduction of sudo was intended to restrict end users on multi-user systems who actually had reasons to run root programs, not to restrict the sole user of a personal machine. It is important not to blur the distinction between the normal user and root, and using sudo on a personal machine tends to do that. The end user starts using sudo for everything. It is better to force a clear separate login or su so that the end user knows when and why they are running as root. And the distro should always prompt for a root password when running anything as root in user space.

    Further, if you want real security, the distros should adopt Marcus Ranum’s advice: block everything from running until it has been validated by crypto signature and permission given by the user. Call this the “NoScript” approach after the Firefox add-on.

  17. Since “sudo bash” works on virtually every distro out there, there is effectively very little difference to security between running as root and not running as root.

    But there is a HUGE, MASSIVE inconvenience to NOT running as root.

    ’nuff said. I run as root.

  18. @Richard Steven Hack: To be clear, I wasn’t trying to make the case that the advice is useless, only that an oft-cited case for the (perception of) security on Linux is that you’re not running as an admin user. The point was to illustrate that running as a regular user still places your most valuable assets at risk. I agree with most of your views — thanks for the thoughts!

  19. As non-root users, programs inherit your permissions, which are limited and don’t allow for example to open an SMTP server on port 25. When you run as root, any malware you load gets these capabilities and your system could be used for malicious activity.

    Not every piece of malware out there just erases data.

  20. User accounts are at the core of the Unix/Linux philosophy. The present practice of logging in to the system as a non-root “normal” user is excellent for the SOHO segment. For people not bothered about their files being read without their knowledge or email addresses sent to unknown hosts, or people who do not care about their system being compromised, or people who do not have “any” sensitive data, there are distros which log you in as root (Puppy or the like) and allow you to do all the “normal” work from RAM itself; OTHERWISE it would be perfectly sane to use the user accounts philosophy.

  21. I think this article is a bit off, as well as many of the comments (no offense to anyone). Firstly, running as root allows any malicious code to be run, including those that have been iconized on the desktop or menus. If you visit a website as root, you can easily introduce some consequence unintended by you to your desktop, and then investigating this new _thing_ runs malicious code.

    Photos and music are not the only personal data kept on desktops. There is banking information, as well as health information. Is that common? Not necessarily, but it’s not rare.

    The idea that running a sudo based environment for root access blurs the lines between user and superuser is also rather iffy as well. Again, you don’t sudo desktop activities, you sudo at the command line, except for things that explicitly have a root recognition function built in (i.e. synaptic on ubuntu). This prompts the user to recognize they are going to run something with superuser privs. Even if the user ignores this fact, the prompt is there for a reason…awareness.

    If you think you are aware of each security option on your desktop, I encourage you to reset your browser back to factory specs and revisit some of your favorite websites and be reminded about all the options you have to set as the browser runs into those circumstances that require updating the preferences. That’s only your browser…Again, the prompt about root access is important for your awareness even if functionally it does absolutely nothing else for you since you are going to SUDO it anyway.

  22. @Guy: I don’t think I’ve claimed that all malware erases data. I was only making the point that your average user cares, first and foremost, about their personal data. Even running as a non-root user, malware can still send spam, even without opening an SMTP server on TCP 25.