LinuxQuestions.org
Old 05-01-2006, 01:50 AM   #16
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 683

There are some precautions that you need to abide by when setting up sudo. If you are in an environment where you have several users, you want to exclude certain programs such as /bin/bash, vim, su and others. Vim has an escape to the shell ":!" that would drop the user into the shell, which in this case would be a root shell.

Also, you can set up sudo only to run certain authorized commands for certain users or members of certain groups.

And above all, make sure that root has a strong password. You can also enforce strong passwords. This protects against brute force attacks.

One sometimes overlooked item is to lock down the sshd service. For example, explicitly deny access for system users, such as lp, mysql, etc.
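
The two checks described in post #16, as an added example that is not part of the original post: a small auditor that flags sudoers rules able to yield a root shell and lists system accounts missing from sshd's DenyUsers. The sample sudoers and sshd_config text, the account names beyond lp and mysql, and the function names are constructed for illustration.

```python
import re

# Programs that hand the caller a shell; the post names bash, vim and su.
SHELL_CAPABLE = {"bash", "sh", "su", "vi", "vim"}
# System accounts the post says to deny over SSH.
SYSTEM_USERS = {"lp", "mysql"}

# Constructed sample input, not taken from a real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice   ALL=(ALL) ALL
%ops    ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/vim /etc/hosts
bob     ALL=(root) NOPASSWD: /usr/sbin/tcpdump
"""
SAMPLE_SSHD = "PermitRootLogin no\nDenyUsers lp\n"

def audit_sudoers(text):
    """Return (who, reason) for each rule that can yield a root shell.
    Simplified: aliases and line continuations are not expanded."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "Defaults")):
            continue
        who, rest = parts
        if who.endswith("_Alias") or "=" not in rest:
            continue
        spec = rest.split("=", 1)[1]
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)  # drop the (runas) list
        spec = re.sub(r"\b[A-Z_]+:", "", spec)     # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in spec.split(",")):
            if not cmd or cmd.startswith("!"):     # negated entries grant nothing
                continue
            if cmd == "ALL":
                findings.append((who, "unrestricted ALL"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((who, "shell-capable: " + cmd.split()[0]))
    return findings

def missing_ssh_denies(text, accounts=SYSTEM_USERS):
    """Return system accounts not named on any DenyUsers line."""
    denied = set()
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "denyusers":
            denied.update(parts[1:])
    return sorted(set(accounts) - denied)

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS))
    print(missing_ssh_denies(SAMPLE_SSHD))
```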
 
Old 05-01-2006, 02:57 AM   #17
reddazz
LQ Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 77
Quote:
Originally Posted by spooon
But if that's so, why assume the cracker won't similarly gain the "account details" for root if you use the root account?
I don't worry about this so much because as I mentioned above, I don't log into my root account very often (on my production machines) and I am sure many competent admins do the same.
 
Old 05-02-2006, 08:10 PM   #18
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,201
Blog Entries: 4

Rep: Reputation: 4123
It's definitely true, I think, that, if you don't restrict yourself to "just an ordinary user account" during your day-to-day browsing of the forums ... "you are a p400l and a l00z3r"

In other words, you are gonna be caught with your pants down, sooner or sooner. "And ya'll have no one to blame but yerself, ya stupid git!"

Security controls are there, in both Windows and Linux, for a good reason. They're like the safety on a gun: they make it go "click!" instead of "BANG!" when you do rm /*. It really isn't "inconvenient" or "difficult" or "restrictive" to ask the computer to make sure that an executable file, which no one would ever have any plausible reason to modify, can't be modified. It's there.. it works.. why not use it?

You put your confidential files into a locked filing-cabinet even though you have your key-ring in your pocket. You lock your door in the morning when you go to work, even though you have the keys and can unlock the door at any time. You do this because you know that most cat-burglars are shameless opportunists. "Lazy b*stards." You know that they are looking for unlocked doors, and will never bother to go through the window which you left open upstairs to catch the breeze...

The most absurd thing is that Windows users routinely leave their doors and windows open, and buy expensive stuff to try to patrol them, when they have at their disposal a well-designed security system that in many ways is much more advanced than (standard) Linux. A system that is well-designed, robust, and, inexplicably, turned off...

Last edited by sundialsvcs; 05-02-2006 at 08:12 PM.
 
Old 05-02-2006, 08:46 PM   #19
wraithe
Member
 
Registered: Feb 2006
Location: Australia
Distribution: Linux... :-)
Posts: 241
Blog Entries: 1

Rep: Reputation: 50
i totally agree with you guys...
i have always used linux on a normal account and use su for tweaking only...
mind you i spose it was instilled into me b4 linux came along...
as for your windows comment...hmmm.the disc makes a good frisbee...
only time i find windows truly secure is if its not installed...
been hacking my young brothers system for years...(and boy does he get peeved)...
i tried to get him into linux when he was young but his gaming friends have brainwashed him that linux dont work very well...
i spose he is just a kid(25yrs younger)...
at least my son is happy to use linux, and windows has some games he likes but reckons linux dont stop in the middle of a game so he likes it best...
mind you at school he is not allowed near the pc's as he has a tendency to destroy the pc's...
he watched me do a repartition one day and then somehow did a similar thing at school (they couldnt explain what he did but had to get whole os reinstalled)...
so i got a mad cracker on my hands at 7 yo...
 
Old 05-02-2006, 10:31 PM   #20
Penguin of Wonder
Senior Member
 
Registered: Sep 2005
Location: West Virginia
Distribution: Gentoo
Posts: 1,249

Rep: Reputation: 45
Quote:
Originally Posted by wraithe
mind you at school he is not allowed near the pc's as he has a tendency to destroy the pc's...
he watched me do a repartition one day and then somehow did a similar thing at school (they couldnt explain what he did but had to get whole os reinstalled)...
so i got a mad cracker on my hands at 7 yo...
I know that's not a good thing, but it's still awesome!
 
Old 05-03-2006, 07:34 AM   #21
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Ah, the days of innocent youth:

Back in my secondary school, we used to use Windows 3.1 with a specialised logon dialog and security system (to keep us kids out). Anyway, I was the school geek by that time already but stupidly, one of our teachers said that if we knew what we were doing, we should be able to gain administrator access. He also challenged us to do so. What a stupid thing to do!

Anyway, there were many unsuccessful attempts by my peers to gain admin access and the closest any of them got was to shoulder-surf this same teacher logging into the network as an admin. Then they logged in as him and upgraded their accounts to Admin. Barely five minutes later they all had admin access, alarm bells rang in the server rooms and they all got into trouble (I wasn't one of them because I KNEW there would be some kind of monitoring on the system).

Sneakily, though, I had been preparing for just such an eventuality... no-one was going to shoulder-surf a password now the teacher was alert and they all gave up. For the previous month or so I had been coding a little program in Visual Basic. You see, the computers often would hang upon logging on and would require an admin to log in to unlock them. This was a known problem and happened all the time.

I crafted a small program that ran under a guest username - it took control of the screen and presented an identical and completely functional login screen to the one the school used, except it was specially coded to:

a) Hang "ordinary" logins in the same way as the computers sometimes hung.

b) Store all username/password attempts in a logfile in a public area.

c) Resist any and all attempts to shutdown/CTRL-ALT-DEL etc. (You could in those days easily override CTRL-ALT-DEL under Windows).

So the next lesson, I log in as a guest user, run the program and up pops the fake login screen. I "log in", it hangs, I go to the teacher nonchalantly while moving to another machine ("Oh, that one's hung again, sir") and wait for him to login. His login overrides the program, which stores his details and then lets him in.

I pick up the logfile from the public area, there's his password in plaintext. Fortunately, I was honest enough to then go and show him how I'd done it as well as how I would have avoided detection... for a start the network was only checking for EXTRA admins, not re-use of an admin account.

The account monitoring was done by running a NET command on a second monitor in the server room and that was easily overridden with a simple batch file which "pruned" the results of a real NET and I also knocked up a quick program that stopped any and all attempts to run unrecognised .EXE's that weren't run from a network drive or the local hard drive (my programs relied on the fact that I could run .EXE's from floppy, public drives etc.).

Such fun... and the teacher got a right ticking off for encouraging us in the first place.
 
Old 05-03-2006, 11:09 AM   #22
Penguin of Wonder
Senior Member
 
Registered: Sep 2005
Location: West Virginia
Distribution: Gentoo
Posts: 1,249

Rep: Reputation: 45
ledow, maybe you're just too smart for your own good? or at least the good of the school
 
Old 05-03-2006, 12:04 PM   #23
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 34
Quote:
Anyway, there were many unsuccessful attempts by my peers to gain admin access and the closest any of them got was to shoulder-surf this same teacher logging into the network as an admin.
Heh, when I was at secondary school one of my mates caught the teacher's login name by shoulder surfing. It didn't take me long to figure out what the password was. Guess? Login: boss, password: chief !!!! Can you believe that? What a moron. Of course, I didn't cause any trouble. Honest!

To answer the original question: I never log in as root, always use su/sudo. I never start X as root (except maybe once or twice back when I first installed Linux).

Last edited by ioerror; 05-03-2006 at 12:07 PM.
 
Old 05-03-2006, 07:26 PM   #24
wraithe
Member
 
Registered: Feb 2006
Location: Australia
Distribution: Linux... :-)
Posts: 241
Blog Entries: 1

Rep: Reputation: 50
hmmm...now i'm feeling old...
slate and a chisel for school...
well feel like it, we were not allowed to use a calculator at school...
and pc's... mmm ...yeh i built one at home...
came as a kit and took some soldering...
4 bit (trying to remember) ?cpu..would have used 4 bits and a stop bit...
1977-78 somewhere around then..may have been 76...
the z80 cpu came out not long after...probably only a couple of years....
school and computers were not even thought of...
nobody believed i had a computer, and the people that knew did not say anything...
mind you i remember mum being told it was a phase i was going through and i would get over it eventually.. i spose i will but i may want to be buried with my pc too...
never did get over that phase but everyone else has joined me....
 
  

