Logging on as Root
 

Is it really so bad to sign on your system as root? I was installing something the other day and it said I was taking chances being signed on as root. I also read here and there that it is a bad idea, but how many people actualy dont sign on as root?

I don't and I would bet that most anyone with more than 10 posts here doesn't sign on as root either...

Signing on as a "Super User" like root is one of the reasons why Windows security is so bad. Think of it this way: you go to a website and that website has some java script that will delete a bunch of files on your machine (not a java programmer, so maybe that's not possible). If you are root, then that script can do whatever it wants. If you are joeblow, he can only delete files he owns. He can't modify system files or rm -fr / (delete the entire file system structure).

And that's beside the fact that if anyone cracks your password while you login as root that they have total control of your machine.

If you use the root account for normal computer tasks then you may as well be using Windows XP Home. One of the main reasons that people and businesses use Unix or Linux is because of the security. Much of that security is based on separation of privileges. In other words the normal user account(s) cannot perform certain tasks. These tasks include reading files from other people's accounts, installing software at the system level, and changing system configuration settings. If you use the root account to browse the web, for instance, then a malicious Java script could install a program on your system. If you are browsing the web in a normal user account then that same malicious Java script can only put files into places that your user account is permitted to write into. If you are smart and have your home directory on a separate partition and mounted with the noexec option then the malicous Java script cannot run any software that it downloads into your user account home directory. You can do the same thing with the /tmp and /var/tmp directories. That would make it very difficult for a malicous Java script to download and run software on your machine.

Software installation isn't your only concern. Java scripts can work within your web browser to scan your files and download any files that appear to be interesting. If you keep your finances on your computer then financial software always keeps its information in well known places and in files with well known names. It is possible for Java or Java Script applications to look for these sorts of files. If you keep your resume on your computer then the same thing is possible. This is why, even when you use Linux or Unix, you should have one account that is for network access and another account with your personal information. The network access user account should not be able to see the filee in the home directory of the account that has your finances and resume and your email.

So the point of NOT using the root account for normal computer usage is to establish a level of security that is generally not available using other operating systems.

As I implied, even Linux security can be enhanced after it is installed. You can make a container file for the /tmp directory and another for the /var/tmp directory and mount them through a loop device with the noexec option. You can keep your home directory on a partition separate from the / partition and mount it with the noexec option. You can change the permissions on the /home directory to be owned by root:users and with access of 710 or 740. If you do these four things then your Linux system will be 1 million percent more secure than most Linux systems.

So you don't use the root account for normal computer usage because you want the separation of privileges that comes with using a normal user account for normal tasks.

It can be if you're on the internet. If you're logged on as a SU (root/super user) and somebody tries to execute a command that would normally not be executable as a user. It's for your safety, really. If you're not on the internet, I wouldn't worry about it. The only way I would worry about it is if you have other people who use the computer along with you. It's possible they could execute something as an SU and it coudl screw you over.

Regards,

Brandon

The separate root (or admin) account protects you from the outside, but also from yourself Part of the power of Linux is the ability to totally mess up a system with a few simple commands. Especially in the CLI, there is no undo, trash, etc. What is done is done, and mistakes are reversible only with great effort--if at all.

Turn the question around: Is there any good reason TO run as root? I know of none. In the CLI, I can become root in 10 seconds ---- small price to pay for the protection provided.

Ok, I made a regular user account, lesson learned.

As mentioned the only time I run as root is for installing software. Other than that no need to. It is also a good habit to get into, some company admin's get jumpy for logging in as root as well as they should be. And while you may think you won't do nothing bad, there comes that one time when you get proven wrong. I have done that recently on a test machine at home.