

Be A Man, Run As The Root Account - alaskamiller
http://www.garyshood.com/root/

======
herdrick
This is easily the lamest thing I've seen in the top ten of Hacker News.

EDIT: My mistake, it turns out Sarah Palin's emails are also in the top ten
right now.

------
mseebach
On a single-user machine, screwing up as root and screwing up in your
unprivileged account is pretty much the same, since the most valuable thing
you're going to lose isn't that 20 minute Ubuntu install, but your files. And
the user you use, privileged or not, will have the power to wipe your files out.

Only other benefit (apart from all those programs that will complain or
actually refuse to run as root) is if you run something questionable, it won't
be able to install a root-kit, open a backdoor and hide the process.

~~~
BrandonM
This isn't exactly true. A vigilant user will run normal backups, and those
backups will not be in a location that is writeable by the unprivileged user.
In this way, it will not be possible for you (or an attacker) to completely
wipe out your important files, only those changes from the last hour or so.

Based on an rsync-backup article that I bookmarked a long time ago
(<http://www.mikerubel.org/computers/rsync_snapshots/>), I run backups of my
important files (/home/, /etc/, /usr/local/, some directories in /var/, and so
on) every hour to a /backups/ directory that is only writeable by root. Every
day, I copy a backup over to another machine using the same rsync process.

------
petercooper
And, of course, taking advice from a Web page with a giant, obnoxious
interstitial ad is always a good idea..

------
BrandonM
The article is probably a link-baiting joke, but assuming for a moment that it
is not, you can get the same benefits without the requirement to run as root.

I don't use sudo to run just any command as root. Making the ability to run a
root command as easy as tacking a "sudo" on the front is barely safer than
running as root. Especially considering that if someone breaks your user
password and you use sudo for everything, they may as well have broken root.
Instead, I simply use "su", enter the root password, and have a root terminal.
When I'm done, I log back out of the root shell. I also disallow logging in as
root over SSH (for whatever reason, this is not the default behavior). Thus,
to break root, someone has to break both my user (knowing both the username
and the password) and my root password.

This gets old, so I do have sudo installed. You can use sudo to allow a non-
root user to run certain commands with root privileges (just be sure NOT to
include the

    
    
      %wheel ALL = (ALL) ALL
    

line, which is how most people use sudo). For common commands that don't pose
much of a security risk, you can add a line as follows to /etc/sudoers:

    
    
      username ALL = NOPASSWD: /usr/bin/emerge, /usr/sbin/hibernate, [etc.]
    

Then, in my ~username/.bashrc, I have:

    
    
      alias emerge="sudo /usr/bin/emerge"
      alias hibernate="sudo /usr/sbin/hibernate"
      [etc.]
    

(Note: emerge is basically Gentoo's apt-get, but vastly different, of course.)
Thus, from the point of view of a standard user, I can run my most common root
commands (with root privileges) as my unprivileged user, transparently. I can
be careful to only allow commands that will not compromise my entire machine
in the event that someone gains access with my username or I find myself drunk
at the terminal.
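
An added example, not part of the comment above: a small audit that reads sudoers-style rules and reports the two patterns discussed there, blanket `ALL` grants and passwordless command lists. The sample file and the user name `alice` are constructed; it assumes single-line rules only (no aliases, continuations or includes).

```shell
#!/bin/sh
# Added example (not from the thread): audit single-line sudoers rules.
# SAMPLE_SUDOERS is constructed; "alice" is a hypothetical user name.
SAMPLE_SUDOERS='# constructed sample, not a real system file
root    ALL = (ALL) ALL
%wheel  ALL = (ALL) ALL
alice   ALL = NOPASSWD: /usr/bin/emerge, /usr/sbin/hibernate'

# Print every non-root user or group whose command list contains ALL.
blanket_grants() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        $1 == "root"    { next }                  # root is already root
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)        # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop "(runas)"
            gsub(/[A-Z_]+:[ \t]*/, "", spec)      # drop tags such as NOPASSWD:
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                sub(/[ \t]+$/, "", cmds[i])
                if (cmds[i] == "ALL") { print $1; break }
            }
        }'
}

# Print "<who> <command>" for every command runnable without a password.
nopasswd_commands() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        /NOPASSWD:/ {
            spec = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", spec)   # keep only the command list
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                sub(/[ \t]+$/, "", cmds[i])
                print $1, cmds[i]
            }
        }'
}

echo "Blanket grants:";        blanket_grants "$SAMPLE_SUDOERS"
echo "Passwordless commands:"; nopasswd_commands "$SAMPLE_SUDOERS"
```

A rule that passes the first check can still be root-equivalent if a listed command can itself run arbitrary code, as a package manager can, so each command in the second list needs a manual review.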

------
bendemott
This is great humor - I ran as root while I was learning how to use slackware
waaay back. Now I use Fedora because I'm lazy but don't worry behind the PECL
and LIVNA libraries I still do a make && make install from time to time.

I think for a noob, running as root is probably wise, understanding chmod, and
chown right off the bat is a tough one - and often people get so frustrated
from the inability to change settings they give up.

Either way - Batman runs as root... that's good enough for me.

------
jcl
I don't know about other people, but when I click on this link I see the
article for about three seconds, then the page fades to an advertisement that
has no apparent way to get back to the article.

I assume they didn't test it against Firefox 3 with popular extensions,
because it's otherwise the worst thought-out advertising service I've seen
online.

~~~
boredguy8
adblock isn't perfect.

~~~
Herring
worked for me, ff3

------
jacobscott
Sorry, this is silly. You're (almost) always better off running as a regular
user and using sudo. In the worst case you can sudo su. Suggesting that linux
newbies run as root is poor advice.

~~~
jcl
I'm pretty sure this is supposed to be a joke article.

~~~
Hexstream
I'm worried some kid will read this and will be "enlightened".

~~~
jcl
Probably the same kid who uses ed because they heard that "ed is the standard
text editor". :)

~~~
silentbicycle
?

~~~
jcl
<http://www.gnu.org/fun/jokes/ed.msg.html>

~~~
tdavis
Hahaha!

    
    
      Emacs has been replaced by a shell script which 1) Generates a syslog
      message at level LOG_EMERG; 2) reduces the user's disk quota by 100K;
      and 3) RUNS ED!!!!!!

------
hs
In the default install, OpenBSD never asks you to create a user.

On the first-ever boot you can only log in as root.

This 'reckless (read: diff from linux distro)' installation practice made
OpenBSD get 1 point deducted in a linux review article.

Despite the root thingy, OpenBSD is "Only two remote holes in the default
install, in more than 10 years!"

~~~
silentbicycle
Well, yeah, but in the afterboot(8)
(<http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot>) man page, the first
two points after how to use man and find installation errata are how to deny
remote root ssh logins and a note essentially saying, "Make a non-root user
and add it to the group 'wheel' for sudo, see below.".

Of course, having daemons run as non-root and chrooted/jailed (hello, apache)
is just as important.

(And yeah, I know this article is supposed to be a joke.)

~~~
hs
Love afterboot(8).

I also changed the default ssh port to non-22 to prevent most brute force
attacks.

I can't stand GNU/linux folks bashing OpenBSD over trivialities like the
root-only first-ever boot.

------
mlLK
This is probably the best advice for linux/unix nubs; you will never learn
what a computer is really for until you meet the machine face-to-face via a
terminal. I don't know how many times it took me to corrupt my package-manager
or butcher some config file until I realized the advantages of running a VM,
but, yes, the article is spot-on because all learning, or understanding for
that matter, is iterating failure.

~~~
LogicHoleFlaw
I have to disagree. This article gives very dangerous advice for the noobs.

It encourages shaving.

How are they supposed to attain competence if they can't even grow out a guru
beard?

~~~
mlLK
I like your shaving metaphor, but how is a new user coming from a Windows XP
ever going to respect what an admin account can really do w/o ever test-
driving what root can really do, given that I'm sure most Windows users are
running as an Administrator. I guess my point is, given all the times I've
screwed myself w/ root, is that root is only dangerous in context of somebody
else, while the only cost of seeing what something does in Linux is your time
and your file-system. Otherwise, how can one ever appreciate how delicate and
fragile a system really is w/o a loving system administrator to cradle her in
his key-strokes. ;)

~~~
silentbicycle
Well, they could read the documentation.

Or, they could get hit by script kiddies that keep looking for old
vulnerabilities in some daemon they ran as root.

    
    
      $ cat /var/log/authlog
      ...
      Sep 13 16:57:31 lucien sshd[16283]: Invalid user webmaster from 218.234.21.151
      Sep 13 16:57:31 lucien sshd[290]: input_userauth_request: invalid user webmaster
      Sep 13 16:57:31 lucien sshd[16283]: Failed password for invalid user webmaster from 218.234.21.151 port 56992 ssh2
      Sep 13 16:57:31 lucien sshd[290]: Received disconnect from 218.234.21.151: 11: Bye Bye
      Sep 13 16:57:34 lucien sshd[12747]: User root from 218.234.21.151 not allowed because not listed in AllowUsers
      Sep 13 16:57:34 lucien sshd[2144]: input_userauth_request: invalid user root
      Sep 13 16:57:34 lucien sshd[12747]: Failed password for invalid user root from 218.234.21.151 port 57162 ssh2
      Sep 13 16:57:34 lucien sshd[2144]: Received disconnect from 218.234.21.151: 11: Bye Bye
      Sep 13 16:57:36 lucien sshd[20586]: Invalid user ftp from 218.234.21.151
      Sep 13 16:57:36 lucien sshd[3604]: input_userauth_request: invalid user ftp
      Sep 13 16:57:36 lucien sshd[20586]: Failed password for invalid user ftp from 218.234.21.151 port 57344 ssh2
      Sep 13 16:57:37 lucien sshd[3604]: Received disconnect from 218.234.21.151: 11: Bye Bye
      Sep 13 16:57:39 lucien sshd[14276]: Invalid user sales from 218.234.21.151
      Sep 13 16:57:39 lucien sshd[25572]: input_userauth_request: invalid user sales
      Sep 13 16:57:39 lucien sshd[14276]: Failed password for invalid user sales from 218.234.21.151 port 57514 ssh2
      Sep 13 16:57:40 lucien sshd[25572]: Received disconnect from 218.234.21.151: 11: Bye Bye
      ... 
    

(My firewall blocks these losers after two minutes and I _still_ have endless
logs like this.)

Learning the first way sucks less.

------
Allocator2008
This is irresponsible. For the same reason why one drives the speed limit, and
only exceeds it when one has to, like, for example, if Rosemary is about to
birth the anti-Christ in the back seat of your new Jag, so too does one not run
as super user unless one has to. Both practices are dangerous.

