Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Mmm... cool question!
Let's think about it: why it is dangerous to be logged in as root?
By itself, there's nothing dangerous in it, except when you DO login, some daemons are launched and they gain the logger's privileges.
When you do it in graphical mode, many programs start. When you do it in terminal mode, it must be only sh (correct me if I'm wrong) which is not a server, by itself.
So, my guess is, there's nothing dangerous in logging in as root in terminal mode. The only problem is you MUST be careful about the command you issue.
Well, it depends. This is why Lindows' security was a flop; as soon as the PC booted, you were essentially working from inside the root directory...and so was anyone else who had access to your machine once you hit the Net.
When you update the OS with Debian, Slack, or any other distros that use apt-get or wget, you are accessing the Web with full r-w-x root privileges in place.
So you had better have some protection in place while doing that!!
I'm running Debian right now from the Knoppix 2.4 kernel, and I have kernel 2.6.2 on the next partition over so I can play with it as well.
I am also connected to a LAN behind an ADSL 1.6Mb/s modem with NAPT enabled and set to High filtering, as well as a LinkSys router with NAT configured. I never did care for, nor do I trust, software firewall solutions. For me they cause more trouble than they prevent.
GRC's scans show this connection to be in total Stealth mode, save for the unused ports I have manually closed, which show up red.
I have tried to attack this node myself, even knowing the root password and the current IP, and I have not succeeded in compromising it. Even with the knowledge of the system, heavy-handed use of brute force attacks, and several other exploits - all have proven fruitless to date.
And since the PC attached to the modem is the only one that can possibly be visible to the Web anyway, the only suspicious thing I can see from outside the firewalls when this thing is doing apt-get is the stream of *Nix files coming in. Plus, there's no way to tell what the XP box is really running, so it could be a linux box as well!
Some extra-security-conscious folks even set up software solutions to augment hardware filters like the ones I use. They might be safer, but they also might have more issues for no gain.
All I know is, this works well and I see no reason to change it.
Usually people run X Windows as a non-privileged user to be more secure. The idea is that if some client (browser/icq/etc.) has a bug which allows someone to gain access to your system, they will not have root access.
In theory, if you regularly log in as root in, for instance, an xterm (like I do) and someone has gained control of the user account that runs the xterm, then that hacker could maybe set an alias for su in your .bash_profile that logs the root password so they can retrieve it later. So really, becoming root in X is in a way a security risk.
I see no way a hacker with control of a normal user account could send keys to a root shell that was logged in the terminal unless they cracked your root password or gained root access via some bug in a suid process.
Since I don't run a business from my home PC, I'm not going to bother logging out of my three root konsole sessions, closing down kpackage or setting a screen saver password (just in case someone smashes a window of my house and gets onto my computer).
You should never login as root because of the high possibility of being tricked into running a malicious program, or accidentally modifying something in an unrecoverable way.
There are many tricks that involve things in /tmp being executed by root, for instance. The most popular of those attacks are race conditions where an attacker knows that a certain program always creates a certain file in /tmp and then it gets executed by a user. If the attacker can create the file in /tmp first and put his own commands in it, when a user executes their program the attacker will gain their privileges. For a normal user this would be very bad, but root could still clean up the damage. If it was root itself that was fooled, then you're toast.
Historically there have been other problems as well, like being able to echo commands to a console that root is logged in on, spoofing PTYs, and a whole host of other underhanded methods for getting a root user to execute commands of the attacker's choosing.
You should always use sudo to perform tasks that require root privileges. If you absolutely must login as root, then always type the full path of every command (don't rely on the $PATH environment variable) and logout as soon as you're done working. You should always use rm with the -i flag so that it prompts you before removing files. The best way to do this is to add an alias in your rc file.
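An added example, not from any post in this thread, showing defensive checks for the two tricks discussed above: the predictable-file-in-/tmp race from the last post, and the shadowed `su` alias from the earlier xterm post. It assumes a POSIX sh with mktemp, ls and cut available; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: the /tmp race the post describes,
# and the su-shadowing trick from the earlier post, each with a defensive
# check. Assumes a POSIX sh with mktemp, ls and cut available.

# Unsafe pattern (shown only as a comment, never run; 'download' is a
# placeholder for whatever fetches the script):
#   script="/tmp/updater.sh"; download > "$script"; sh "$script"
# Whoever creates /tmp/updater.sh first decides what root runs.

# Hardened: mktemp picks an unpredictable name and creates the file
# itself with mode 0600, refusing to reuse anything already there.
safe_tmp_file() {
    mktemp "${TMPDIR:-/tmp}/updater.XXXXXX"
}

# Before executing a file found under /tmp, insist that it is a regular
# file (not a symlink), owned by the caller, and not writable by group
# or others. Returns 0 only when all of that holds.
tmp_file_is_trusted() {
    f=$1
    [ ! -L "$f" ] || return 1          # symlink: could point anywhere
    [ -f "$f" ] || return 1            # regular file only
    [ -O "$f" ] || return 1            # must be owned by us
    # columns 6 and 9 of 'ls -ld' are the group and other write bits
    case $(ls -ld "$f" | cut -c6,9) in
        --) return 0 ;;
        *)  return 1 ;;
    esac
}

# The earlier post describes an attacker planting an alias (or function)
# for su in .bash_profile. 'command -v' prints a path for a real binary
# but only the bare name or an alias definition for a shadowed one.
# (Shell builtins also print a bare name; su and sudo are never builtins.)
command_is_real_binary() {
    case $(command -v "$1" 2>/dev/null) in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage sketch for an interactive root session:
#   command_is_real_binary su || echo "WARNING: su is shadowed"
#   tmp_file_is_trusted "$script" || { echo "refusing $script"; exit 1; }
```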