Russell (zimzat) wrote,
Russell
zimzat

  • Mood:
  • Music:

Fear Me, For I Am root.

I'm getting tired of a majority of the Slashdot crowd.

In a recent a post on Slashdot titled "Michael Robertson Says Root is Safe", CEO of Linspire gave an interview to HEXUS.net. In the interview, he says running as root is not as unsecure as everyone makes it out to.

Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out where a machine that's run with the root user could be compromised. It couldn't be.

Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.


In the comments on Slashdot for the above article, virtually everyone was going out of their way to prove why running as root is a bad thing. All of the arguments including protecting other users, but there are no other users on my system. I'm not a server, nor are there any national security documents on my computer to worry about. On my computer there is only one user; me (root). For my case, the guy is absolutely correct. If I were to run as a user, anyone who got into my system would still have all the access they want to my data.

There was one post that mentioned a "rootkit" which would allow someone to basically spy on you undetected. This might be one reason to consider running as a user, however I can imagine at least as many ways to make a "userkit" such that for single-user systems, that's a moot point.

The best part of my 'security' is that I'm always invariably behind a router, so no one actually has direct access to sniff out my computer and start attacking it.

The geeks, nerds, and linux 'wizards' may cry all they want, but the extra effort it would take to enter my root password every time I make a change that isn't exactly orthadox isn't worth it to me. Just yesterday I was editing the firefox shell script so it wouldn't open urls from the system and other applications in new windows. The day before I was making a symbolic link down in /usr for compatibility with an application when I was in FC2 and it installed the binary in some /usr/local/software folder instead of /usr/bin
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

  • 5 comments