Linux - Software: This forum is for Software issues.
But it seems the user is just in the group of root but doesn't have all the rights of root.
-- Thomas
That's right, it doesn't. "root" is a special account, that can do things no other user can. You can try to make the root2 user's primary group 0, but you will still not be 100% root.
Generally speaking, you only want there to be one "root account," and its name should be root. There should be none other.
Now ... ... now for the lecture.
You do not want to be using an "all-powerful user account" for any purpose, for the exact same reason that you should never use such an account in Microsoft Windows.
Digital computers are terrible at knowing when to say "yes," but they are absolutely magnificent at saying, "no," and they never overlook the slightest detail. Therefore, you don't want to put a computer in the position of always saying, "yes, master..." because, say, if you give it the command, "Shoot me in the foot!!" ... heh ... that is precisely what it will do.
Digital computers do not think.
Instead, you want to set things up so that the computer is told: "do not allow me to do anything, except..." And if so, the computer will with equal precision do that. You point the gun at your foot (quite by accident...), and you pull the trigger, and the computer says to you (most politely..) "I'm sorry, sir, but you're dead now, because you just attempted to do something that you did not expressly authorize me in advance to allow you to do." And you look at that harp that has magically appeared in your hand and, lo and behold, you are dead now, but ... your foot is intact.
"Go and do likewise." On Windows, on Linux, on OS/X ... everywhere. Arrange things carefully so that the computer will always say "no!" except in the very specific cases where you want it to say, "yes."
Last edited by sundialsvcs; 05-24-2011 at 12:23 PM.
indeed, also one more thing to add, any program a user runs has the same access privileges as the user that runs it, if such a program (such as a web browser or instant messenger etc...) has an exploit that allows a hacker to take control of the program, would you rather that compromised program have full control of your system or only access to your home directory (which you certainly back up on an at least semi-routine basis, right?)
do the math, would you rather clean up a home directory or the full system
personally from a security standpoint i would have to argue the contention that ubuntu's disabling the root account and giving a regular user full sudo privileges is any better than having a root account enabled. especially since with sudo you are only challenged for the user's password and are given a brief period after that where you are authorized to continue using sudo without a password whereas with an enabled root account + su -c 'command' you are asked for the ROOT password (which should be different from the regular user password) and only given privilege for that one command
both scenarios are however more secure than running AS root (which i used to do myself, but have since broken myself of that habit)
the only time running a system with only a root account would be acceptable imho is in a specialized situation such as an embedded Linux appliance which only gets logged into for administrative purposes and has no general purpose applications that can be exploited easily.
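The default-deny and sudo credential-caching points raised in the posts above, written as a sudoers fragment. This is an added example, not part of the original thread; the user names `alice` and `webop`, the alias name and the command paths are assumptions.

```sudoers
# Constructed example. "alice", "webop", WEB_CMDS and the command paths
# are hypothetical. Install as a file under /etc/sudoers.d/ with visudo.

# Broad setup discussed in the thread: one regular user may run anything
# as root, and sudo keeps the credential cached for a short window after
# the first password prompt.
#   alice ALL=(ALL:ALL) ALL

# Tighter setup:

# 1. No cached window: ask for the password on every sudo invocation.
Defaults timestamp_timeout=0

# 2. Optional: prompt for root's password instead of the invoking user's,
#    which is what su does. Only usable when root has a password set,
#    so it is left commented out here.
# Defaults rootpw

# 3. "Do not allow me to do anything, except...": list the exact commands,
#    with their arguments, that the account may run as root. Because the
#    arguments are spelled out, any other argument list is refused.
Cmnd_Alias WEB_CMDS = /usr/sbin/service apache2 restart, \
                      /usr/sbin/service apache2 reload
webop ALL=(root) WEB_CMDS
```

Check the file with `visudo -cf` before relying on it, and confirm the result with `sudo -l -U webop`, which lists what the account is allowed to run.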