Hacker News new | comments | show | ask | jobs | submit login
Be A Man, Run As The Root Account (garyshood.com)
24 points by alaskamiller 2705 days ago | past | web | 32 comments



This is easily the lamest thing I've seen in the top ten of Hacker News.

EDIT: My mistake, it turns out Sarah Palin's emails are also in the top ten right now.

-----


On a single-user machine, screwing up as root and screwing up in your unprivileged account is pretty much the same, since the most valuable you're going to loose isn't that 20 minute Ubuntu install, but your files. And the user you use, privileged or not, will have the power to wipe your files out.

Only other benefit (apart from all those programs that will complain or actually refuse to run as root) is if you run something questionable, it won't be able to install a root-kit, open a backdoor and hide the process.

-----


This isn't exactly true. A vigilant user will run normal backups, and those backups will not be in a location that is writeable by the unprivileged user. In this way, it will not be possible for you (or an attacker) to completely wipe out your important files, only those changes from the last hour or so.

Based on an rsync-backup article that I bookmarked a long time ago (http://www.mikerubel.org/computers/rsync_snapshots/), I run backups of my important files (/home/, /etc/, /usr/local/, some directories in /var/, and so on) every hour to a /backups/ directory that is only writeable by root. Every day, I copy a backup over to another machine using the same rsync process.

-----


And, of course, taking advice from a Web page with a giant, obnoxious interstitial ad is always a good idea..

-----


The article is probably a link-baiting joke, but assuming for a moment that it is not, you can get the same benefits without the requirement to run as root.

I don't use sudo to run just any command as root. Making the ability to run a root command as easy as tacking a "sudo" on the front is barely safer that running as root. Especially considering that if someone breaks your user password and you use sudo for everything, they may as well have broken root. Instead, I simply use "su", enter the root password, and have a root terminal. When I'm done, I log back out of the root shell. I also disallow logging in as root over SSH (for whatever reason, this is not the default behavior). Thus, to break root, someone has to break both my user (knowing both the username and the password) and my root password.

This gets old, so I do have sudo installed. You can use sudo to allow a non-root user to run certain commands with root privileges (just be sure NOT to include the

  %wheel ALL = (ALL) ALL
line, which is how most people use sudo). For common commands that don't pose much of a security risk, you can add a line as follows to /etc/sudoers:

  username ALL = NOPASSWD: /usr/bin/emerge, /usr/sbin/hibernate, [etc.]
Then, in my ~username/.bashrc, I have:

  alias emerge="sudo /usr/bin/emerge"
  alias hibernate="sudo /usr/sbin/hibernate"
  [etc.]
(Note: emerge is basically Gentoo's apt-get, but vastly different, of course.) Thus, from the point of view of a standard user, I can run my most common root commands (with root privileges) as my unprivileged user, transparently. I can be careful to only allow commands that will not compromise my entire machine in the event that someone gains access with my username or I find myself drunk at the terminal.

-----


This is great humor - I ran as root while I was learning how to use slackware waaay back. Now I use Fedora because I'm lazy but don't worry behind the PECL and LIVNA libraries I still do a make && make install from time to time.

I think for a noob, running as root is probably wise, understanding chmod, and chown right off the bat is a tough one - and often people get so frustrated from the inability to change settings they give up.

Either way - Batman runs as root... thats good enough for me.

-----


I don't know about other people, but when I click on this link I see the article for about three seconds, then the page fades to an advertisement that has no apparent way to get back to the article.

I assume they didn't test it against Firefox 3 with popular extensions, because it's otherwise the worst thought-out advertising service I've seen online.

-----


Err, Firefox3 running fine here.

-----


adblock isn't perfect.

-----


worked for me, ff3

-----


Sorry, this is silly. You're (almost) always better off running as a regular user and using sudo. In the worst case you can sudo su. Suggesting that linux newbies run as root is poor advice.

-----


I'm pretty sure this is supposed to be a joke article.

-----


I'm worried some kid will read this and will be "enlightened".

-----


Probably the same kid who uses ed because they heard that "ed is the standard text editor". :)

-----


?

-----


http://www.gnu.org/fun/jokes/ed.msg.html

-----


Hahaha!

  Emacs has been replaced by a shell script which 1) Generates a syslog
  message at level LOG_EMERG; 2) reduces the user's disk quota by 100K;
  and 3) RUNS ED!!!!!!

-----


?

-----


There was a big ad to click through. Linkbait, I think.

-----


But if we don't give children access to nukes how will they learn to be wise.

-C

-----


I gotta play with a city when I was 12. Hell, they gave me nukes, aliens, riots, hurricanes, tornadoes; I used a whole class of disasters.

-----


This is probably the best advice for linux/unix nubs; you will never learn what a computer is really for until you meet the machine face-to-face via a terminal. I don't know how many times it took me to corrupt my package-manager or butcher some config file until I realized the advantages of running a VM, but, yes, the article is spot-on because all learning, or understanding for that matter, is iterating failure.

-----


I have to disagree. This article gives very dangerous advice for the noobs.

It encourages shaving.

How are they supposed to attain competence if they can't even grow out a guru beard?

-----


I like your shaving metaphor, but how is a new user coming from a Windows XP ever going to respect what an admin account can really do w/o ever test-driving what root can really do, given that I'm sure most Windows users are running as an Administrator. I guess my point is, given all the times I've screwed myself w/ root, is that root is only dangerous in context of somebody else, while the only cost of seeing what something does in Linux is your time and your file-system. Otherwise, how can one ever appreciate how delicate and fragile a system really is w/o a loving system administrator to cradle her in his key-strokes. ;)

-----


Well, they could read the documentation.

Or, they could get hit by script kiddies that keep looking for old vulnerabilities in some daemon they ran as root.

  $ cat /var/log/authlog
  ...
  Sep 13 16:57:31 lucien sshd[16283]: Invalid user webmaster from 218.234.21.151
  Sep 13 16:57:31 lucien sshd[290]: input_userauth_request: invalid user webmaster
  Sep 13 16:57:31 lucien sshd[16283]: Failed password for invalid user webmaster from 218.234.21.151 port 56992 ssh2
  Sep 13 16:57:31 lucien sshd[290]: Received disconnect from 218.234.21.151: 11: Bye Bye
  Sep 13 16:57:34 lucien sshd[12747]: User root from 218.234.21.151 not allowed because not listed in AllowUsers
  Sep 13 16:57:34 lucien sshd[2144]: input_userauth_request: invalid user root
  Sep 13 16:57:34 lucien sshd[12747]: Failed password for invalid user root from 218.234.21.151 port 57162 ssh2
  Sep 13 16:57:34 lucien sshd[2144]: Received disconnect from 218.234.21.151: 11: Bye Bye
  Sep 13 16:57:36 lucien sshd[20586]: Invalid user ftp from 218.234.21.151
  Sep 13 16:57:36 lucien sshd[3604]: input_userauth_request: invalid user ftp
  Sep 13 16:57:36 lucien sshd[20586]: Failed password for invalid user ftp from 218.234.21.151 port 57344 ssh2
  Sep 13 16:57:37 lucien sshd[3604]: Received disconnect from 218.234.21.151: 11: Bye Bye
  Sep 13 16:57:39 lucien sshd[14276]: Invalid user sales from 218.234.21.151
  Sep 13 16:57:39 lucien sshd[25572]: input_userauth_request: invalid user sales
  Sep 13 16:57:39 lucien sshd[14276]: Failed password for invalid user sales from 218.234.21.151 port 57514 ssh2
  Sep 13 16:57:40 lucien sshd[25572]: Received disconnect from 218.234.21.151: 11: Bye Bye
  ... 
(My firewall blocks these losers after two minutes and I still have endless logs like this.)

Learning the first way sucks less.

-----


It's all just an abstraction. You could sub in any of the other layers of abstraction in place of "terminal" and it would make just as much (and little) sense.

-----


Interesting side-effect of using * pairs for italics.

-----


lol, ya yikes, is there no escape character for using * ?

-----


in default install, OpenBSD never asks you to create user

The first-ever boot you can only log in as root

This 'reckless (read: diff from linux distro)' installation practice made OpenBSD got 1 point deducted from a linux review article

Despite the root thingy, OpenBSD is "Only two remote holes in the default install, in more than 10 years!"

-----


Well, yeah, but in the afterboot(8) (http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot) man page, the first two points after how to use man and find installation errata are how to deny remote root ssh logins and a note essentially saying, "Make a non-root user and add it to the group 'wheel' for sudo, see below.".

Of course, having daemons run as non-root and chrooted/jailed (hello, apache) is just as important.

(And yeah, I know this article is supposed to be a joke.)

-----


love afterboot(8)

i also changed default ssh port to non-22 to prevent most brute force attacks

i can't stand GNU/linux folks bashing OpenBSD over trivialities like the root only first-ever boot

-----


This is irresponsible. For the same reason why one drives the speed limit, and only exceeds them when one has to, like, for example, if Rosemary is about to birth the anti-Christ in the back seat of your new Jag,so to does one not run as super user unless one has to. Both practices are dangerous.

-----




Applications are open for YC Summer 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: