LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-19-2004, 03:11 AM   #1
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Rep: Reputation: 15
root and apt-get: security question


Hello,

I've read that for security reason you're strongly advised never to surf on the internet as "root". That seems pretty reasonable.

However while you run apt-get to get and install deb packages, aren't you connected to the internet as "root"? Isn't that dangerous then? What else can you do?

Thanks in advance for your help and advice!
 
Old 05-19-2004, 03:26 AM   #2
Mega Man X
LQ Guru
 
Registered: Apr 2003
Location: ~
Distribution: Ubuntu, FreeBSD, Solaris, DSL
Posts: 5,339

Rep: Reputation: 64
It's always dangerous, either you are connect as root or not. The best is to keep your Operating System (Any system you use for that matter) up-to-date. For a hacker take over full control of Linux is no harder then taking over full control of Windows if not patched correctly.

I would not really worry about using or not root when surfing the web. I do, would highly recommend you getting a firewall and using only trusted server at your /etc/apt/source.list for obvious reasons and keep an up-to-date system
 
Old 05-19-2004, 04:02 AM   #3
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Thanks for the recommendations Megaman X! So I take it it's pretty safe to apt-get from the Debian site.

And no, my system isn't up to date, I'm afraid. That's because I'm running a free and oldish version of Libranet, which has the advantage of making me learn how to upgrade.
So I'm learning very slowly.
 
Old 05-19-2004, 04:14 AM   #4
Mega Man X
LQ Guru
 
Registered: Apr 2003
Location: ~
Distribution: Ubuntu, FreeBSD, Solaris, DSL
Posts: 5,339

Rep: Reputation: 64
Cool, thanks eeried!!!

We might hear more peoples with more ideas too coming into this thread . Are you using Libranet 2.7 Classic Free? I loved that distro really much . When I say keeping the system up-to-date, I mean security packages, or programs that has to connect and open ports to the Internet as Gaim or Apache. Other patches as, let's say, for nautilus or midnight commander are not a must. Meaning that if you run (x)adminmenu and install the latest security patches would help a lot .

2.7 is neat. In fact, I liked 2.7 more then the new one. The last one did not give me so much headache with Alsa then 2.8 did .
 
Old 05-19-2004, 05:45 AM   #5
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Smile

Yes I'm running Libranet 2.7 Classic, and I really love it - my first experience with Linux.

Well, let's hope Libranet 3 will be better than 2.8 as I might be tempted to get it when I feel more at ease with Linux.

Quote:
keeping the system up-to-date, I mean security packages...
Yes I understand this, I just meant that almost everything in my Libranet version has to be updated, and I'm on a dial-up connection!



Cheers,
 
Old 05-19-2004, 10:08 AM   #6
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
You do not have to be necessarily logged in as root to use apt-get. In a gui environment you can be logged on as a user but use a single consol as super-user (root) to install packages. This means that just that single consol is accessing the debian server at the time.
 
Old 05-19-2004, 02:19 PM   #7
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Many thanks TigerOC for this explanation.
I actually use a consol as super-user, but never thought there was any difference between being logged in as root and typing "su" in the consol when connected to the internet


Linux really takes care of everything.

Cheers,
 
Old 05-19-2004, 03:03 PM   #8
vectordrake
Senior Member
 
Registered: Nov 2003
Location: NB,Canada
Distribution: Something alpha or beta, binary or source...
Posts: 2,280
Blog Entries: 4

Rep: Reputation: 47
The difference with "su" is that its a temporary state, which can be ended without logging the user out by simply using "exit". In practice, the difference is nil. If you are using apt-get to update, remmber that one of the things that's been a hallmark of this package management system for a long time was checking the signatures of the package. If they match what's been submitted to Debian along with the original package, then its a good package. If you use things from other sites, not sendorsed by the Debian project, you'd better be sure the maintainer is legit. Security begins with the user.
 
Old 05-21-2004, 07:36 AM   #9
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Thanks vectordrake for your reply. It's all very clear now.

Quote:

Security begins with the user.
Sure enough!

Cheers
 
Old 05-21-2004, 10:58 AM   #10
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Hello again,

I forgot to ask this: What do you need to write after apt-get install to get the security updates?
I had a look at the list of security updates on the Debian site but I don't suppose you need to write the names of each files.

I stupidly typed
Code:
 apt-get upgrade security
, and I'm now getting upgrades for all packages -- never mind I think I know how to stop this enormous download Ctrl + c)!

Cheers,
 
Old 05-21-2004, 10:59 AM   #11
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Hello again,

I forgot to ask this: What do you need to write after apt-get install to get the security updates?
I had a look at the list of security updates on the Debian site but I don't suppose you need to write the names of each files.

I stupidly typed
Code:
 apt-get upgrade security
, and I'm now getting upgrades for all packages -- never mind I think I know how to stop this enormous download (Ctrl + c)!

Cheers,
 
Old 05-21-2004, 01:02 PM   #12
peacebwitchu
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 185

Rep: Reputation: 30
Advising someone that it is alright to surf the web as a root user is irresponsible!!!! You must learn to only use root when absolutely necessary. If you execute a piece of malware as root user that code runs with the priveledges of root which means that it can do anything to your machine. If this code was run with a normal user it would have died because of lack of permissions. This is one example there are many many reasons why you don't want to run as root. Learn to su or use sudo to run a single command and then exit to your normal user. example su -c 'apt-get update' will run apt-get update as root and exit back to your user. You are always 1 command from deleting your os when running as root.
 
Old 05-21-2004, 04:38 PM   #13
vectordrake
Senior Member
 
Registered: Nov 2003
Location: NB,Canada
Distribution: Something alpha or beta, binary or source...
Posts: 2,280
Blog Entries: 4

Rep: Reputation: 47
eeried:

all you need to get security updates is the security site in your /etc/apt/sources.list and then every time you type
Code:
apt-get update
apt-get upgrade
you'll be up to date. That's why Debian has such a strong cheering squad - its that easy.
 
Old 05-24-2004, 03:42 PM   #14
eeried
Member
 
Registered: Jan 2004
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136

Original Poster
Rep: Reputation: 15
Hello,

Quote:
Originally posted by peacebwitchu
Advising someone that it is alright to surf the web as a root user is irresponsible!!!! You must learn to only use root when absolutely necessary. If you execute a piece of malware as root user that code runs with the priveledges of root which means that it can do anything to your machine. If this code was run with a normal user it would have died because of lack of permissions. This is one example there are many many reasons why you don't want to run as root. Learn to su or use sudo to run a single command and then exit to your normal user. example su -c 'apt-get update' will run apt-get update as root and exit back to your user. You are always 1 command from deleting your os when running as root.
Don't worry peacebwitchu! I'm aware of the dangers as my original post shows, and I do use su to run apt-get. But of course if your upgrade lasts for hours your computer is open to whatever even if you aren't actually surfing all over the net.

As for getting security updates, I've finally understood how to do that: got the right sources from Libranet, and commented everything in the sources.list that had nothing to do with security -- so as not get a huge download.

And yes, vectordrake, apt-get is really smart!
As for reconfiguring after download is complete, i suppose libranet was some help. There were some instructions to stop you wreck the system (I suppose), and and I didn't change anything in Shh, Postfix, and Fetchmail. I don't seem to need Shh (a Telnet thing), Postfix (mail server), and I suppose the fetchmaildaemon configuration that was shipped with Libranet was still alive and kicking.

Cheers
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
apt-get behind a proxy, security issues? R00ts Debian 4 04-19-2005 11:04 AM
Tricky Root Security Question - Adding robust options? lemay_jeff Linux - Security 12 09-07-2004 04:52 PM
Can't update security (apt-get) eeried Linux - Newbie 0 07-14-2004 04:50 PM
update security with apt-get waffe Debian 2 05-21-2004 09:37 PM
apt-get doesnt get security update gongli Debian 4 04-14-2004 09:56 PM


All times are GMT -5. The time now is 12:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration