You certainly don't want to access the internet as root. There's not a lot of malware written for Linux but anything that you did pick up would have root privileges.
The main problem with being root however is that you can accidentally wipe parts of your system just by mis-spelling something in a command. One great difference between Linux and Windows is that Linux users are actively encouraged to explore their systems and find out where everything lives. This is safe precisely because you can't damage anything if you are not root. In Windows, you can't find out how anything works, not only for reasons of commercial secrecy, but simply because it's usually too dangerous to look around and you are strongly discouraged from trying.
Linux was written to Unix standards. Unix from the beginning was a multi-user system; multiple users could connect to the same mainframe computer from terminals either directly or over modems (in the early 70s, I had a coworker who would access a remote mainframe via a modem, which, in those days, was a cradle in which he rested his office telephone).
Putting a wall between the all-powerful administrator (that is root, as the root of a tree) was a security feature to prevent users from inadvertently (or advertently) damaging the system. (The sudo command was originally created so that users who had a compelling need to access certain administrative functions could do so; sudo was never intended to be used as a proxy for root.)
To build on what hazel said, if you connect to the internet as root and accidentally import malware, the malware will have root privileges, that is, access to your entire system. If you accidentally import malware as user, the malware will be restricted to user's home (and any other directories to which user has write privileges), thereby limiting its ability to do harm.
In short, running as root allows everything to run with all privileges. Errant processes and unauthorized users will have full access to the system. If you don't know what you're doing, you will not be stopped from doing inadvertent damage while logged in as root.
Quote:
in the early 70s, I had a coworker who would access a remote mainframe via a modem, which, in those days, was a cradle in which he rested his office telephone.
I remember those! We used to call them acoustic couplers. You rang a certain number and there was this weird warbling sound. Then you put the handset into a padded box and you had a connection.
Quote:
If you accidentally import malware as user, the malware will be restricted to user's home (and any other directories to which user has write privileges), thereby limiting its ability to do harm.
But I remember a thread (maybe not on this forum) which pointed out that on a home system, the data in your home directory is often much more valuable than what's on your root partition. After all, you can always reinstall the system if it really becomes necessary. A short-lived worm that ran in your name and deleted your personal files would do a lot of damage if you didn't have a proper backup policy in place. The point of not going online as root is that permanent malware could be installed in your system which will then do damage on an ongoing basis. That can't happen if you are an unprivileged user.
Additionally, you might get permission or rather ownership problems on files and/or whole directory structures as a result. If you do this in combination with a "normal" user it can create quite a mess, and things can break in unexpected places.
I must admit that CLI advice given on forums often does not include a marker when it needs to be executed as root. This can lead to the erroneous impression that all CLI commands are "better run as root" with some newbies...
So, all you power posters, be precise!
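The ownership mix-ups described in the post above can be checked for directly. The script below is an added example, not something posted in the thread; the function names are made up for illustration, and it assumes a POSIX shell with `find`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a home directory for entries
# owned by someone other than its user, the usual leftover of running
# commands as root inside it. Function names are hypothetical.

# foreign_owned DIR USER_OR_UID
# Print every entry under DIR that is not owned by USER_OR_UID.
# -xdev keeps the walk on one filesystem; symlinks are not followed.
foreign_owned() {
    find "$1" -xdev ! -user "$2" -print
}

# count_foreign DIR USER_OR_UID
# Count those entries. One marker line is emitted per entry, so file
# names containing spaces or newlines cannot skew the number.
count_foreign() {
    find "$1" -xdev ! -user "$2" \
        -exec sh -c 'for f; do echo x; done' sh {} + | wc -l | tr -d ' '
}

# audit_home DIR USER_OR_UID
# Report the findings; return 1 when another account owns something.
audit_home() {
    n=$(count_foreign "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "$n entries under $1 are not owned by $2:"
        foreign_owned "$1" "$2"
        echo "review each one, then fix as root with: chown -R $2 <path>"
        return 1
    fi
    echo "all entries under $1 are owned by $2"
}

# Run only when called with both arguments, e.g.:
#   sh audit.sh "$HOME" "$(id -u)"
if [ "$#" -eq 2 ]; then
    audit_home "$1" "$2"
fi
```

Run it as the ordinary user; it only reads metadata, so it needs no root privileges itself.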
Quote:
But I remember a thread (maybe not on this forum) which pointed out that on a home system, the data in your home directory is often much more valuable than what's on your root partition. After all, you can always reinstall the system if it really becomes necessary.
Data are always valuable in home or professional systems because the system works for them.
A difference is that a professional production system or business server can't be out of work for long. The damage for the business can be very bad. I did experience such situations in my job (Windows server). What the IT "rescue" technician tried to do was to have another secondary server machine working from an older backup drive as soon as possible, in several hours, so that the system is barely working for the next few days, during main server's restore from backups.
For a home system a delay of a few days isn't perhaps so important. Losing data without backup can be very annoying.
Last edited by masterclassic; 08-09-2020 at 09:49 AM.
Quote:
I remember a thread (maybe not on this forum) which pointed out that on a home system, the data in your home directory is often much more valuable than what's on your root partition.
Except that it misses the point by trivialising the issue. Admin level access allows far more than just the installation of drivers.
The separation of the user from the system means that the actions of the user cannot take the entire system down. This was the big fundamental flaw with pre-XP versions of Windows... and was the reason why switching to the NT architecture (which [poorly] mimics the Unix model) was basically inevitable. Remember the Blue Screen of Death? It could be induced by simply choosing the wrong theme in Windows 98, or by plugging in a USB scanner. That sort of thing stopped happening with Windows XP, precisely because it separated the user from the system, and this is perhaps why it is so fondly remembered by the people who were initially subjected to Windows 95/98/Me.
Admin access can also be used to install rootkits, "bots" of a million different kinds, and all sorts of malware. Of course, these can also be installed at user level... but at that level they cannot bring harm to the system. Yes, a user might lose data, but losing 1 user's data is better than losing 100 users' data and having the machine become a spambot for the V1agra sellers without your knowledge. This is the reason that the "black hats" (for want of a better phrase) are continually seeking privilege escalation and will use whatever means necessary to obtain it.
Yup, that's what we called them. A long, long time ago, we'd use 'em to dial into other computers - not necessarily mainframes but things like BBSes or even friends' computers. At one point, I had a regular cassette player that was used as a data storage device. A friend would call me and play his tape(s) while I recorded them in an early form of software piracy.
One of my local BBSes, as I was fortunate in locality - situated in Cambridge, Massachusetts, had a grand total of 12 telephone lines so we could have many people signed in simultaneously. Today, even if they know, most younger folks won't even know that MODEM is supposed to be in all caps, as it stands for MOdulation and DEModulation.
Man, computers were a pain in the butt back then. And expensive... I remember *celebrating* when RAM reached the price of $1/MB. In my basement, I still have a Trash 80 with a few working floppies - one of which has Zork on it. I've got a VIC 20, but the power brick is dead and gone.
Don't use root for any operations that don't need it, such as browsing the internet and the like.
Or even browsing your files at the local drive, because if you suddenly need to use "rm" it will gladly execute the command and delete the files and it will suppress the permission denied to permission granted.
Quote:
Some of the pros and cons of both approaches
Pros of using a root account:
Separate password -- A separate root password can in many cases be a lot safer. It can be longer and more complex than your normal password since you'll need to use it less often.
Separate account -- When a user gets hacked, the hacker does not automatically get access to root privileges (via sudo).
Easier to differentiate between admins and users -- Admins can have all the access they need, while users will not have anything beyond what's reasonable.
Cons of using a root account:
Separate password -- It can be inconvenient to have to remember two passwords, especially on a home computer.
Separate account -- With an enabled root account, a hacker knows exactly what to target. On a multi-user system, if only one user account has administrative privileges, they might have a harder time figuring things out.
Easier to differentiate between admins and users -- Same as above. A hacker will instantly know what to target.
Quote:
Except that it misses the point by trivialising the issue.
You are absolutely correct - it's a cartoon!
Nevertheless, the point hazel made is important, but it is not to be misunderstood to "trivialise" the importance of having restricted permissions in the first place.