“Don’t run as root” is an oft-repeated mantra of *nix security. While I agree 100%, it’s not as big on the desktop as some would think. I’d like to point out why here. I still believe you shouldn’t login as root, but I also believe that it’s up to each user to make their own decision.

Think about the data on your computer. What matters to you? E-Mail? Documents? Images? Most of us have things like family photos, financial records, personal communications, saved passwords, or other sensitive or irreplaceable data. This is what we want to protect. When I backup my desktop, I backup my home directory. I don’t backup my OS install, software, or anything else that is not private or difficult to replace. Think of this as the “important stuff.”

So, let’s talk about the important stuff. What users have access to YOUR important stuff? Most likely, your own user, and the root user. So, great, not running as root eliminates one of the possible users that can access your file. So what user do you run as? Your own user. So it’s pretty obvious that not running as root doesn’t restrict access to the important stuff.

Need proof that your data is no safer under your own user? Think about running “rm -rf /” as root or as your own user. What happens to your data either way? It’s gone. Don’t run this, just think about it.

So what do you gain by not running as root? Well, your system is a lot less likely to be the victim of an ongoing compromise. As root, an attacker can modify your operating system to their liking. Think that’s not much? Guess what: your ssh client now sends the username, host, and password for any system you connect to to a server in China. Or maybe new files you create are uploaded to an anonymous file-sharing site on the internet. Perhaps every key you touch is recorded to grab usernames, passwords, credit card numbers, and your most personal conversations. Or maybe an attacker uses your computer as a middle man for downloading child pornography. That will be fun to explain to the FBI.

So, obviously some things need to run as root: system configuration tools, for example. However, running these using sudo limits your exposure to just these utilities, rather than the thousands (millions?) of lines of code in a full desktop environment.

In short, if you want to run as root on your desktop, go for it. But know the risks, and know the consequences. On the other hand, don’t chant “don’t login as root” as if it’s a magic bullet for security.

The 2nd tool is UFW (the Uncomplicated Firewall), which my server has profiles for apache, dovecot, openssh, and postfix. While not everyone uses UFW, it’s extremely straightforward to produce UFW profiles, so there’s hardly any excuse for apps not including one.

I’m not completely certain how the UFW rulesets are included in a package. Once I’ve dissected this, I’ll be producing UFW rulesets and filing bugs against packages to include them. I don’t feel that I have enough AppArmor expertise to produce profiles that are of quality to be redistributed, so I can only encourage package maintainers to examine the benefits of AppArmor for their package.

Update: I was contacted this morning by a very nice Canonical employee who has gotten me sorted out. It’s this kind of customer service that I appreciate in a company. Thanks, Canonical!

“The Art of Community” tackles a very difficult question in the Open Source world: how do you build a strong community around your project?  Jono addresses this by using anecdotal evidence of good community organization, and discussing the facets that apply to community development.  Jono’s varied experiences are shown through anecdotes about the Ubuntu community and other communities he has participated in.  The stories he shares are concise and clear, but demonstrate their points effectively and thoughtfully.  Jono’s writing skills are first-rate, with strong points made clearly.  He builds the community idea from grassroots to the enterprise and shows how community participation can help — and harm — at each step along the way.  It’s obvious that Jono knows what he’s talking about, and he communicates it well.  I highly recommend this book for anyone interested in the dynamics of a community or any project leader looking to build from the ground up.

Mackenzie over at Ubuntu Linux Tips & Tricks has called attention to the greatest dark spot on the face of the FLOSS Community: a man who calls himself MikeeUSA.

This “man” has been posting sexist, misogynist, and violent comments on blogs in the FLOSS Community advocating rape and violence towards women.  His behavior is, to say the least, nauseating and despicable.  Worse, the “man” is a coward who hides behind pseudonyms and tor in protecting his identity.  Whether he really feels the way he does or he gets his jollies on trolling in this dirty manner, he is no better than the likes of Hitler and Stalin.  Needless to say, comments by him on my blog or any site I work with (e.g., LinuxQuestions.org) will not be tolerated.

That being said, I thought today would be a good day to address my take on the numerous issues of sexism in open source that have been going around lately.  I’ll first discuss a few points brought up via Mackenzie’s link to the Geek Feminism Wiki, which I wasn’t even familiar with until today.

• Hoss Gifford’s Flashbelt Presentation: Hoss’s presentation clearly presented a sexist message which was inappropriate for the venue.  It was unprofessional and disappointing.  That being said, it didn’t seem (to me) to be anything worse than immature attention-getting, and I doubt it reflects his personal views towards women.  (Or at least, I hope it doesn’t.)
• Richard Stallman’s emacs virgin joke: It was a joke, and a bad one at that, but it was delivered by RMS.  Who has ever expected anything politically correct from him?
• Mark Shuttleworth’s Keynote: While his comment was probably politically incorrect, it was hardly sexist to me.  In fact, I doubt anyone would have noticed were it not for all the other gaffes made at conferences this year.  Are we now asking every statement open source leaders make to be run by legal?  Maybe his comments were misinterpreted, or I just interpret them differently than others do.  What I do at work, and what I do in the open source community, can be VERY hard to explain to my fiancee.  From his perspective, this is “hard to explain to girls.”  This is not to say that women are not both valued and welcomed in the open source community, but it is more about the technical nature of the work and that being a doctor or a lawyer or a banker is easy to explain, and being a contributor to an open source project is not.  (I am in no way suggesting that Mark Shuttleworth’s comments were appropriate, only that they stem from common usage, and I don’t believe they reflect a sexist attitude.)

I fully support the movement to reduce sexism in the FLOSS Community, and I welcome and encourage the participation of women in the open source community.  I hope the proportions continue to normalize, and I don’t intend to offend by posting these views.

All that being said, I think that it’s inappropriate to expect someone to use “he slash she” every time they want to refer to a person in a speech.  The political correctness involved will quickly overwhelm and swamp the efforts that are being made elsewhere.  If we are to spend all of our time thinking about being politically correct, there would be no time for any forward movement, both technically and socially.  The idea that terms like “guys” are sexist is one I cannot wrap my mind around.  Show me a list of suitable replacement words that doesn’t make a presentation sound stilted and detract from the central idea, and only then can we expect ideas to change.

As for those who are refusing to use Ubuntu over Shuttleworth’s “remark”: overreact much?  It’s not like the Ubuntu wallpaper has nudes of women on it.  Perhaps when an attitude of discrimination is demonstrated, then it will be time for a boycott.  Until then, words are words and actions are actions, never confuse the two.

Edit: I have earned myself a comment from MikeeUSA, which is interesting in that he seems to be seeking out a fight.  Big surprise.

Big thanks go out to fellow planners Nick Ali, Jim Popovitch, Joshua Chase, and Amber Graner! If any one of us had been missing, I doubt things would have worked out. Also a big thanks to the spawn of akgraner for filling in the gaps and keeping us rolling in stitches!