Linux - Newbie
This Linux forum is for members that are new to Linux.
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136
root and apt-get: security question
Hello,
I've read that for security reasons you're strongly advised never to surf on the internet as "root". That seems pretty reasonable.
However while you run apt-get to get and install deb packages, aren't you connected to the internet as "root"? Isn't that dangerous then? What else can you do?
It's always dangerous, whether you are connected as root or not. The best is to keep your Operating System (any system you use, for that matter) up-to-date. For a hacker to take over full control of Linux is no harder than taking over full control of Windows if not patched correctly.
I would not really worry about using or not root when surfing the web. I do, however, highly recommend getting a firewall and using only trusted servers in your /etc/apt/source.list, for obvious reasons, and keeping an up-to-date system.
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136
Original Poster
Thanks for the recommendations Megaman X! So I take it it's pretty safe to apt-get from the Debian site.
And no, my system isn't up to date, I'm afraid. That's because I'm running a free and oldish version of Libranet, which has the advantage of making me learn how to upgrade.
So I'm learning very slowly.
We might hear more people with more ideas coming into this thread too. Are you using Libranet 2.7 Classic Free? I loved that distro very much. When I say keeping the system up-to-date, I mean security packages, or programs that have to connect and open ports to the Internet, such as Gaim or Apache. Other patches, let's say for nautilus or midnight commander, are not a must. Meaning that if you run (x)adminmenu and install the latest security patches, it would help a lot.
2.7 is neat. In fact, I liked 2.7 more than the new one. The last one did not give me as much headache with Alsa as 2.8 did.
You do not necessarily have to be logged in as root to use apt-get. In a GUI environment you can be logged on as a user but use a single console as super-user (root) to install packages. This means that just that single console is accessing the Debian server at the time.
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136
Original Poster
Many thanks TigerOC for this explanation.
I actually use a console as super-user, but never thought there was any difference between being logged in as root and typing "su" in the console when connected to the internet.
The difference with "su" is that it's a temporary state, which can be ended without logging the user out by simply using "exit". In practice, the difference is nil. If you are using apt-get to update, remember that one of the things that's been a hallmark of this package management system for a long time was checking the signatures of the package. If they match what's been submitted to Debian along with the original package, then it's a good package. If you use things from other sites, not endorsed by the Debian project, you'd better be sure the maintainer is legit. Security begins with the user.
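An added illustration, not part of the thread, of the comparison step behind the check described in the post above: the downloaded file's hash is compared with the value recorded for it in the archive's Packages index, which apt in turn authenticates through the signed Release file. The package name, path and file contents are constructed, and `sha256sum` is assumed to be installed.

```shell
# Added example: constructed files, not real archive data.

# Print the SHA256 recorded in index $1 for the stanza whose Filename is $2.
expected_sha256() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            file = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) file = substr($i, 11)
                if ($i ~ /^SHA256: /)   sum  = substr($i, 9)
            }
            if (file == want) { print sum; exit }
        }' "$1"
}

# Return 0 if file $3 hashes to the value index $1 records for name $2,
# 1 on mismatch, 2 if the index has no entry for that name.
verify_deb() {
    want=$(expected_sha256 "$1" "$2")
    [ -n "$want" ] || return 2
    got=$(sha256sum "$3" | awk '{ print $1 }')
    [ "$got" = "$want" ] || return 1
}

demo() {
    dir=$(mktemp -d) || return 1
    deb="$dir/hello_1.0_all.deb"
    name="pool/main/h/hello/hello_1.0_all.deb"
    printf 'constructed package payload\n' > "$deb"
    printf 'Package: hello\nVersion: 1.0\nFilename: %s\nSHA256: %s\n' \
        "$name" "$(sha256sum "$deb" | awk '{ print $1 }')" > "$dir/Packages"

    verify_deb "$dir/Packages" "$name" "$deb" && echo "untouched: accepted"
    printf 'bytes added after indexing\n' >> "$deb"
    verify_deb "$dir/Packages" "$name" "$deb" || echo "modified: rejected"
    verify_deb "$dir/Packages" "pool/main/x/unknown.deb" "$deb" \
        || echo "unlisted: rejected ($?)"
    rm -rf "$dir"
}

demo
```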
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136
Original Poster
Hello again,
I forgot to ask this: What do you need to write after apt-get install to get the security updates?
I had a look at the list of security updates on the Debian site but I don't suppose you need to write the names of each file.
I stupidly typed
Code:
apt-get upgrade security
, and I'm now getting upgrades for all packages -- never mind, I think I know how to stop this enormous download (Ctrl + c)!
Advising someone that it is alright to surf the web as a root user is irresponsible!!!! You must learn to only use root when absolutely necessary. If you execute a piece of malware as root user, that code runs with the privileges of root, which means that it can do anything to your machine. If this code was run with a normal user it would have died because of lack of permissions. This is one example; there are many, many reasons why you don't want to run as root. Learn to su or use sudo to run a single command and then exit to your normal user. For example, su -c 'apt-get update' will run apt-get update as root and exit back to your user. You are always 1 command from deleting your OS when running as root.
Distribution: Xubuntu Dapper - Debian Etch - Puppy Linux
Posts: 136
Original Poster
Hello,
Quote:
Originally posted by peacebwitchu
Advising someone that it is alright to surf the web as a root user is irresponsible!!!! You must learn to only use root when absolutely necessary. If you execute a piece of malware as root user, that code runs with the privileges of root, which means that it can do anything to your machine. If this code was run with a normal user it would have died because of lack of permissions. This is one example; there are many, many reasons why you don't want to run as root. Learn to su or use sudo to run a single command and then exit to your normal user. For example, su -c 'apt-get update' will run apt-get update as root and exit back to your user. You are always 1 command from deleting your OS when running as root.
Don't worry peacebwitchu! I'm aware of the dangers as my original post shows, and I do use su to run apt-get. But of course if your upgrade lasts for hours your computer is open to whatever even if you aren't actually surfing all over the net.
As for getting security updates, I've finally understood how to do that: got the right sources from Libranet, and commented everything in the sources.list that had nothing to do with security -- so as not to get a huge download.
And yes, vectordrake, apt-get is really smart!
As for reconfiguring after download is complete, I suppose Libranet was some help. There were some instructions to stop you wrecking the system (I suppose), and I didn't change anything in Shh, Postfix, and Fetchmail. I don't seem to need Shh (a Telnet thing), Postfix (mail server), and I suppose the fetchmaildaemon configuration that was shipped with Libranet was still alive and kicking.
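An added example, not from the thread, of the approach described in the post above: producing a copy of sources.list in which every entry that is not a security archive is commented out. The sample entries are constructed, and matching on the word "security" is a heuristic assumed here, so the output should be reviewed before use.

```shell
# Added example; the sources.list content below is constructed for illustration.
sample_sources() {
cat <<'EOF'
# /etc/apt/sources.list (constructed sample)
deb http://ftp.debian.org/debian stable main contrib
deb-src http://ftp.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
deb-src http://security.debian.org/ stable/updates main
EOF
}

# Comment out every active deb/deb-src line in file $1 that does not
# mention "security"; existing comments and other lines pass through unchanged.
security_only() {
    awk '/^[ \t]*deb(-src)?[ \t]/ && !/security/ { print "# " $0; next }
         { print }' "$1"
}

# Count the entries apt would still read from file $1.
active_entries() {
    grep -c '^[[:space:]]*deb' "$1"
}

# Work on copies in a scratch directory, never on the live file.
tmp=$(mktemp -d)
sample_sources > "$tmp/sources.list"
security_only "$tmp/sources.list" > "$tmp/security.list"

echo "active entries before: $(active_entries "$tmp/sources.list")"
echo "active entries after:  $(active_entries "$tmp/security.list")"
cat "$tmp/security.list"
```

Pointing apt at the filtered copy with `-o Dir::Etc::SourceList=<file>` and `-o Dir::Etc::SourceParts=-` leaves the live sources.list untouched.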