Hello

LQ posts have often stated that root should not run a GUI desktop. What is the reason for this?

Best

Charles

Hi Charles, with the understanding that "root can do ANYTHING!" let me ask you:

Does your screensaver need root privileges?
Does your clock applet need root privileges?
Does your music jukebox need root privileges?
Does your sudoku game need root privileges?

Various people will give different answers---here is mine only: The GUI environment makes things easy---dragging files to copy, move, delete, etc.---. That means that is also makes it easy to do BAD things. If I am in a terminal, I tend to think more like an admin---even if I have not switched to root.

So---yes, it is not a good idea (But I have KDM set to allow root login.)

If your distro has a gui configuration utility, then you can use that graphical utility. For example openSuSE's yast2 and Mandrakes MCC.

If your distro uses policy kit, check if there is a policy where you can approve automatic online updates as a regular user.

You could even ssh -X into a machine remotely, then either su to root or use kdesu/gnomesu to launch that systems gui administration program.

So you can have the convenience of a graphical interface without logging in to a desktop environment as root.

I think that if you happen to be the only user, as I am, there is no reason to set root logins to false. Unless you have a habit of either doing unwise things or logging in as root inadverdently, surely you can trust yourself to stay out of root. Is it really necessary to hide root from yourself?

It is not about preventing freedom... it is about providing a "sane default."

Thanks all for your replies

I wasn't wanting to start up the old debate about why we should or should not work as root.

I wanted to know what are the specific dangers of running GUI/desktop as root. Is it any more dangerous than using root at the command line?

In the Windows world, sysadmins of corporate trees of domains -- responsible for perhaps tens of thousands of servers and workstations around the globe -- routinely work from a GUI/desktop without AFAIK frequent disasters. Is there something about Linux GUI/desktops that makes them less secure than Windows?

It happens so often that someone posts about never using a GUI/desktop as root and usually get a few sage nods of agreement. Maybe it's good advice; I'd just like to know "why?"

Yes. See post #2. When you log in as root, every single application and process, from your sudoku game to your instant messenger, has complete and unrestricted access to make system-wide changes affecting all users, with no prompt to the user.

To give one specific example, if you browse the web while logged in as root, then a malicious webpage has full and complete access to your machine. If you are logged in as a regular user, only your /home is compromised.

To me, the question is not "why would you not surf the web as root?" but "why would you surf the web as root?"

1 members found this post helpful.

A way I've always found best to describe it, much to some people's annoyance, is to compare it to Windows XP:

Root is like Administrator - he can do anything and everything, without a care in the world. If someone gets hold of your root password and can log in, so can they.
Normal users are like the limited users on XP, with the exception that they can use su/sudo/gksu/kdesu so run commands with root privileges as necessary. (And they don't have the screwed up XP file permissions, but that's hardly relevent.)

HTH.

Ah, thank you -- the penny is beginning to drop <== closest smiley we have to a penny.

It hadn't crossed my mind to access the Infernet as root! That would be unthinkably insecure I was only thinking of running sysadmin tools like a local file browser ...

For the longest time the really big danger/dumb thing was to irc as root.

Irc clients tend to be worse than web-browsers when it comes to security stuff

Some irc servers will kick you out with a nasty message to educate yourself if you try and connect as root even.