Hi everyone,

Here's a pretty newbie question...so everyone says you shouldn't log in directly as root, or surf the internet as the sysadmin; instead you should open up a terminal (when in X-windows) as a normal user and use "su" if you want to perform sysadmin tasks.

Does that mean I should exit "su" as soon as I've done what I wanted as root, or can I leave the terminal minimalized while I surf the Internet? Will it be "safe" that way?

Since I'm new to Linux there's a lot of configuration (and learning!) to do, and it's such a hassle to have to log in and out as root every 3 minutes

Thanks and cheers,

MH

Running an xterm with the root account is only as dangerous as
the local security; in other words, if your console isn't locked,
or you "share desktop" to others it would be dumb. The thing in
this sceanrio is that potentially expoitable apps (e.g. gaim,
firefox, ... ) aren't being run as root.

All that said: also note the difference between "su" and "su -"
The latter will give you roots environment settings, the first
will preserve the normal users ones and just switch the uid.




Cheers,
Tink

It's always best to log in as your user, and only use su when its absolutely necessary. Su, do what you have to, then exit. It's better to be safe then sorry in that regard. Some people argue that even su shouldn't be used all that much, instead they say that things like "fakeroot" "sudo" should be used. I don't go that far, I just use su only when necessary, then quit out. That's probably your best bet. And yes, dont run programs like firefox or gaim as root, thats very bad.

Since you mention leaving "the terminal" minimized while surfing the 'Net, I am assuming that you are opening a terminal window to do your root tasks and all your other applications are running with your user permissions an not root's. In that case, no it is not bad to `su` and stay "su'd" as root in the terminal window, at least not from a security standpoint. The root priveleges conferred on whatever you run in the terminal window will not be somehow transferred to your web browser, for example. That having been said, I think it is risky to leave yourself su'd to root in a terminal window for a longer period of time because you will sometime or other forget who you are (get familiar with the command "whoami") and you will do something ill-considered thinking you are you when in fact you are root. Trust me. Sooner or later it will happen. All it takes is a `rm *` when you meant `rm ./*`, and you will be a believer.

What I frequently do, when I only want to execute one command as root, is to use `su -c "nameofcommand anditsoptions"`. This works also for editing configuration files. For example, you can do a `su -c "vim /etc/configuration.conf"', and the entire time that you are editing using vim, you are root. As soon as you exit vim, you are you again.

Well, su doesn't stand for "super user" like many think, but for "substitute user" or "switch user"

su is used to impersonate another user. You can su to other user accounts as well; try it. Create accounts "foo" and "bar" on your system, then type:

su foo

or

su bar

And you will be logging in as those users.

Also, on many (most? all?) distributions, when you su to root, you normally do not inherit their full environment. If you want their full environment, e.g., run their login shell, inherit their environment variables, and so forth follow the su with a hyphen, as in:

`su -`

The difference is key and some enterprise-level server apps actually check for this and will fail to execute commands unless you actually have root's full environment. In some cases this is due to a lazy way of checking your permissions (e.g., Meeting Maker XP), and in others they're checking to make sure you really, really, really have permissions so that you don't make permament changes without knowing with 100% certainty that you are indeed root and really do intend to make those changes.

When I first started using linux I would keep a desktop session logged in as root. Then I got debian on another machine. I noticed it wouldn't even let root log in as desktop user. I investigated and found out kde as root very bad. I use su, and have for a long time. Root logins are capable of doing severe damage, like putting the wrong directory name for "rm -r directory". With a regular user login the system is protected from spurious deletions.

I have done something similar to what you mentioned a few years ago. I was trying to delete a directory as root and ended up deleting /usr which obviously hosed my system and I had to reinstall. It wasn't a pleasant experience because I had to reconfigure the system exactly as it was before and this took precious time that I could have used for something else. now I am so careful when I switch to root.

Thanks everyone for your advice. Hussar's suggestion of only "suing" the application you intend to use is really neat!

Here's another quick question: Is it true that "sudo" is somewhat less secure than "su"? Or it might be the other away around; I can't remember where I read that now...

I'm having a great time learning all this; You guys are making it fun

MH

Which one is safer "su" or "sudo" is debatable. I guess it depends on what privileges you give yourself using sudo. I believe Ubuntus way of using sudo is not safe at all because a cracker only needs one password and they can run any commands on the system.

I agree with reddazz on the ubuntu-statement ...

Also one should bear in mind that sudo leaves an audit-trail,
while a user with the ability to su can always wipe his trails,
and remove .bash_history to his hearts content.

Personally I think that a sensible set of pre-defined commands
in /etc/sudoers is the most sensible thing to do.


Cheers,
Tink

That is my impression as well.

Hmm, do those two have different effects?

Do that and you will surely kick yourself.

They have different effects but the most dangerous one is
Do that and you will surely kick yourself.

Right, but "rm -rf *" and "rm -rf ./*" don't do anything different, do they?