Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

What are reasons to run as root and what not to run as root?

Here you can discuss every aspect of Debian. Note: not for support requests!
Post Reply
Message
Author
annadane
Posts: 19
Joined: 2016-12-01 16:57

What are reasons to run as root and what not to run as root?

#1 Post by annadane »

Basically title

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What are reasons to run as root and what not to run as r

#2 Post by Head_on_a_Stick »

deadbang

Segfault
Posts: 993
Joined: 2005-09-24 12:24
Has thanked: 5 times
Been thanked: 17 times

Re: What are reasons to run as root and what not to run as r

#3 Post by Segfault »

When you put your thinking cap on it will come to you. Otherwise, here you go.

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What are reasons to run as root and what not to run as r

#4 Post by GarryRicketson »

If accessing file or a directory requires the user to be "root", then the user needs to be
root.

Other wise there is no reason to be using/running a system as root.
Is this a serious question , or is it some kind joke ?
I don't get it.
They did try to warn me:

Code: Select all

/ You will be the victim of a bizarre \
\ joke.                               /
 -------------------------------------
          \
           \
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX\v.
             .-XXX(   O   O  )XXXXXXXXXXXXXXX-
            /XXX(       U     )        XXXXXXX\
          /XXXXX(              )--_  XXXXXXXXXXX\
         /XXXXX/ (      O     )   XXXXXX   \XXXXX\
         XXXXX/   /            XXXXXX   \__ \XXXXX
         XXXXXX__/          XXXXXX         \__---->
 ---___  XXX__/          XXXXXX      \__         /
   \-  --__/   ___/\  XXXXXX            /  ___--/=
    \-\    ___/    XXXXXX              '--- XXXXXX
       \-\/XXX\ XXXXXX                      /XXXXX
         \XXXXXXXXX   \                    /XXXXX/
          \XXXXXX      >                 _/XXXXX/
            \XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                  ""VXXXXXXXXXXXXXXXXXXV""
$ fortune 
[/size]


Another reason to do things as root:

Code: Select all

/ Your life would be very empty if you \
\ had nothing to regret.               /
 --------------------------------------
  \                                  ,+*^^*+___+++_
   \                           ,*^^^^              )
    \                       _+*                     ^**+_
     \                    +^       _ _++*+_+++_,         )
              _+^^*+_    (     ,+*^ ^          \+_        )
             {       )  (    ,(    ,_+--+--,      ^)      ^\
            { (@)    } f   ,(  ,+-^ __*_*_  ^^\_   ^\       )
           {:;-/    (_+*-+^^^^^+*+*<_ _++_)_    )    )      /
          ( /  (    (        ,___    ^*+_+* )   <    <      \
           U _/     )    *--<  ) ^\-----++__)   )    )       )
            (      )  _(^)^^))  )  )\^^^^^))^*+/    /       /
          (      /  (_))_^)) )  )  ))^^^^^))^^^)__/     +^^
         (     ,/    (^))^))  )  ) ))^^^^^^^))^^)       _)
          *+__+*       (_))^)  ) ) ))^^^^^^))^^^^^)____*^
          \             \_)^)_)) ))^^^^^^^^^^))^^^^)
           (_             ^\__^^^^^^^^^^^^))^^^^^^^)
             ^\___            ^\__^^^^^^))^^^^^^^^)\\
                  ^^^^^\uuu/^^\uuu/^^^^\^\^\^\^\^\^\^\
                     ___) >____) >___   ^\_\_\_\_\_\_\)
                    ^^^//\\_^^//\\_^       ^(\_\_\_\)
                      ^^^ ^^ ^^^ ^
 
[/size]

Segfault
Posts: 993
Joined: 2005-09-24 12:24
Has thanked: 5 times
Been thanked: 17 times

Re: What are reasons to run as root and what not to run as r

#5 Post by Segfault »

First you think everything that does not work for user needs to be run as root*. This is noob thinking. But this is what noobs do, they run their computers as root. This is a must for noobs, practically inevitable. Then [some of them] gain experience and better understanding and start using their systems as user. Some never wisen up. If you run a home computer behind NAT as root the chances getting "owned" are not very high, mostly because it is kind of unexpected and not common enough for bad guys to target. But such a computer is completely defenseless, of course.

*Often all that is needed is setting proper permissions to avoid the need for elevated rights.

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What are reasons to run as root and what not to run as r

#6 Post by GarryRicketson »

*Often all that is needed is setting proper permissions to avoid the need for elevated rights.
This is true, sometimes, I change the owner as well, and sometimes after I am done
I change it back, ..................
Everything depends on the situation at the time.

Code: Select all

man chmod

Code: Select all

man chown
You can also have a user that has all the same privlidges as root, the name
does not have to be "root" .

User avatar
dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: What are reasons to run as root and what not to run as r

#7 Post by dasein »

Simple:

1) Don't run anything as root unless absolutely necessary, and switch back to a regular user as soon as you're done doing whatever required root access in the first place.

2) Don't go randomly changing permissions, even when someone suggests it.

3) Never run a GUI as root. Seriously.

MALsPa
Posts: 678
Joined: 2007-12-07 19:20
Location: albuquerque
Been thanked: 2 times

Re: What are reasons to run as root and what not to run as r

#8 Post by MALsPa »

dasein wrote:3) Never run a GUI as root. Seriously.
Please elaborate. I don't log into my system as root, but if I need to I'll open up a root window in SpaceFM, for example.

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What are reasons to run as root and what not to run as r

#9 Post by GarryRicketson »

Dasein>
2) Don't go randomly changing permissions, even when someone suggests it.
Dasein is 100% right, but now the OP and others may be wondering,
"Then why did they suggest changing permissions ?"
ME> This is true, sometimes, I change the owner as well, and sometimes after I am done I change it back, ..................
Everything depends on the situation at the time.
And
by Segfault »Often all that is needed is setting proper permissions to avoid the need for elevated rights.
The key word here is " randomly ",

Doing anything to the system "randomly" is a very bad practice,....and even when
people suggest things, just taking theier word for it , is not a good practice either.
Think about what the effects of something will be, before doing it. Take the time
do some research, first. And the if you still are not sure the best thing I know of is to
use one of the many Virtual Machine programs, set one up, install a "test" system
and try it there.
by dasein » 1) Don't run anything as root unless absolutely necessary, and switch back to a regular user as soon as you're done doing whatever required root access in the first place.
This is the best "rule of thumb",.......That is pretty much what I do,..... I do everything
as a normal user most of the time.
I do not use sudo, not do I make my self a part of that,...
If and when I need to do something that does require me to be root, I logout and login as root.
dasein wrote: 3) Never run a GUI as root. Seriously.
Seriously, this is very true, the consequences of doing that are a real
pain in the neck. Especially if the GUI is a DE ,....I don't feel like going into
details, but in a nutshell you end up with a mess, and lot's of files that should
be accessable by a normal user , become no longer accesable. Best "just DON"T do it".
It can result in not having a DE anymore, unless of course you login as "root",
which is something you should not do.
by MALsPa »but if I need to I'll open up a root window in SpaceFM, for example.
I don't know what "SpaceFM" is,.... so can not really elaborate on that.

There are some programs that need to be run as root, for example
'aptitude' has a GUI , and it can be started as a normal user, however
if and when you want to actually install or remove packages, you need
to be root or use the "Ubuntu" method, "sudo",.......
MC is a file manager, a GUI of sorts, if need be run as root,...but it is still
best to start it as a normal user, and then if and when it is absolutely necessary
open the file as 'root' or use 'sudo'.
Another GUI, "synaptic package manager", if one plans to install anything,
it must be opened as root, or using sudo, however agian, only when absolutely
necessart,............It really is pretty simple, just use some common sense and logic.
Do everything as a normal user. IFand WHEN it is absolutely necessary , become
root, do what you need to , and exit.
Even if it is just 'apt-get',... you do not have to be root, or use "sudo", until
you are actually ready to perform a real task.

Example :

Code: Select all

$ apt-get -s install fortune
$ apt-get -s install fortune
NOTE: This is only a simulation!
apt-get needs root privileges for real execution.
Keep also in mind that locking is deactivated,
so don't depend on the relevance to the real current situation!
Reading package lists... Done
Building dependency tree -------snip--- was very long----
But ok, after reading everything, I decide yes, I do want to install it, or maybe
no,... this is what gets a lot of people in trouble, they run apt-get as root and
install the package, without ever checking to be sure it will not cause any problems.
I decide to install it:

Code: Select all

# apt-get install fortune
How hard is that to comprehend.

Personally, I feel if someone is not competent enough to perform tasks using the
CLI, then they have no buisness logging in as "root",...
Root can do anything, root does not need any GUI to do anything.

MALsPa
Posts: 678
Joined: 2007-12-07 19:20
Location: albuquerque
Been thanked: 2 times

Re: What are reasons to run as root and what not to run as r

#10 Post by MALsPa »

GarryRicketson wrote: MC is a file manager, a GUI of sorts, if need be run as root,...but it is still
best to start it as a normal user, and then if and when it is absolutely necessary
open the file as 'root' or use 'sudo'.
Yes, I would say that Midnight Commander is a GUI file manager, as is SpaceFM. And this is the type of situation that led me to question dasein's point #3. Using Synaptic to update the system is another example; I do that all the time. But I log in as a normal user and then get root access only if/when I need it. Are we saying that one should never do that (update the system using Synaptic)? Perhaps I misunderstood what dasein was trying to say, not sure. And, no, I am not so incompetent as to not be able to comprehend how to use CLI -- I use that all the time, too.

User avatar
dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: What are reasons to run as root and what not to run as r

#11 Post by dasein »

MALsPa wrote:
dasein wrote:3) Never run a GUI as root. Seriously.
Please elaborate. I don't log into my system as root, but if I need to I'll open up a root window in SpaceFM, for example.
1) First and foremost, running X as root is a serious security problem. Google has details.

2) Making potentially destructive actions 'easier' increases the likelihood of catastrophic error. That is to say: it requires more missteps to "accidentally" type the wrong command than it does to "accidentally" click the wrong thing. With today's high speed machines, in the split-second it takes you to realize that you just clicked the wrong thing, 40,000 backup files are irretrievably lost. (And yes, this is the first-person Voice of Experience talking here. :oops:)

Edit/afterthought: My exhortation to avoid permissions' hacks is simple. To paraphrase H.L. Mencken, "For every niggling systems problem there is a permissions-hack solution that is clear, simple, and wrong."

I've lost count of how many threads here contain a permissions-hack "solution" to something that isn't even an actual problem. I've given up correcting folks who break DHCP with a permissions hack because they don't understand how DHCP is supposed to work. For almost any given problem, if the "solution" offered involves a permissions hack, then the problem isn't properly understood, much less properly addressed.

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What are reasons to run as root and what not to run as r

#12 Post by GarryRicketson »

by MALsPa »Are we saying that one should never do that (update the system using Synaptic)? Perhaps I misunderstood what dasein was trying to say, not sure.
No, we are not saying no one shoudl ever use synaptic,..If you start synaptic from
the GUI menu, it asks you for the password, if "sudo" is being used, the user, if they
are in the sudoers file, can use their password,...on my system, I do not use sudo,
so I need to use "roots" password,...
Most, if not all of the GUI interfaces will prompt the user for a adminstrative password,...
IF needed,.... That is the point,... nobody should start the Xwindows, or any GUI as root,
randomly,...
So yes , I think you are misunderstanding, what dasein was trying to say, but I think
he has now explained it, much better then I can.
by MALsPa And, no, I am not so incompetent as to not be able to comprehend how to use CLI -- I use that all the time, too.
Well that is good, and just to clarify,.... I did not mean specificly you,.... but this is what
motivates a lot of these guys and gals, to start the DE or GUI , X windows,
"startx", whatever, as root.
They do not know enough about the CLI to be able to do anything,
and then they discover that if they login as root, they can start the DE, and "go to town",
without having a clue as to what damage they are doing,....and it is a disaster.
The thinking or excuse is , "It is so much easier using a GUI ",.... and it is,.it is
also so much easier to totally wreck the system, just by "clicking", this and that,
copy/paste this to there, etc,,,.....
I have my system set up in a way that does not allow "root" to login to the DE, or a WM,
"root can do anything", .... root does not need the GUI,DE, etc,....
When working as "root" you need to be sure about what you are doing, and only
work as root if absolutely necessary,....how hard is it to understand that ?
If you have to ask why, then that means you should not be using root access
to do anything.
There is no place for "assumeing" things either,....like just because
what you did on a Older Debian version, is going to be safe, and you
can do it on the newer systemd versions, there are things that root can do
that do not harm the older versions, with systemV, and they will crash a systemd
system,... this does not mean systemd is bad, or it is a bug, it is "PBKAC".
the person between the chair and the keyboard, did not know enough about
how systemd really works, and should not have been working as "root".
That is another topic though.
The same applies to systemV as well, if the person, does not know enough
about the system, to be absolutely sure of what they are doing, then they
have no buisness running anything as root,.....of course if they are experimenting
on a VM, or a machine dedicated to "learning" and experimenting,...that is
different. Everything depends on the situation,.... a little common sense
and logic goes a long ways.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What are reasons to run as root and what not to run as r

#13 Post by Head_on_a_Stick »

MALsPa wrote:
dasein wrote:3) Never run a GUI as root. Seriously.
Please elaborate. I don't log into my system as root, but if I need to I'll open up a root window in SpaceFM, for example.
How do you start the GUI program?

The recommended [1] method is:

Code: Select all

pkexec spacefm
For the reasons, see the first answer in this thread:

http://askubuntu.com/questions/802649/w ... hen-sudo-i

The X server itself is fundamentally insecure and probably shouldn't be used at all, let alone as root.

[1] I do not recommend running GUI applications as root, I think that you should just use the shell instead.
deadbang

MALsPa
Posts: 678
Joined: 2007-12-07 19:20
Location: albuquerque
Been thanked: 2 times

Re: What are reasons to run as root and what not to run as r

#14 Post by MALsPa »

Lol. Maybe let's back up here for a sec. I wonder if the OP feels that a satisfactory answer has been provided here to the question that was asked in the title of this thread.

User avatar
acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: What are reasons to run as root and what not to run as r

#15 Post by acewiza »

We are overlooking the fundamental reasoning behind these oft-posed root-related quandaries. 'Nix is/was born of and developed over the years through a common-use, or shared commercially-oriented environment, where security is paramount. Of course there are many, but from a 40,000-foot level, the "other" OS coincidentally competing in this space did not have the basic security focus baked-in right from the start. This is what causes newbie nix users just tying to get work done to wonder - why root? Linux'es increasing popularity comes with an increase in the "why root" phenomenon.

The real, underlying question is "why security?"
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: What are reasons to run as root and what not to run as r

#16 Post by Deb-fan »

For me depends on what I'm trying to do. Sometimes it's just easier to "su", "sudo su", "sudo -i" etc, than having to endlessly use sudo. Though due to long standing gnu/nix convention, stick to running as root only when deem it the more effective approach to completing whatever task.
Most powerful FREE tech-support tool on the planet * HERE. *

millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: What are reasons to run as root and what not to run as r

#17 Post by millpond »

It should be noted that there is a difference between logging in as root, and running maintenance and system utils as root.
You can do both with rooted terminals.

User accounts should be for consumption apps which really do not require special access.

I have here system apps which pretty much refuse to run as a user account, and I am not versed in C well enough to fix that at the source level. Changing permissions does little to affect utils made to manage the system, and probably *should* be run as root. The user account should never have access to them.

And of course there are apps which refuse to run as root, which i personally regard as poor judgement on the developers part. Linux is supposed to be about choice, and if i want to test root vulnerabilities in firefox - well that should be my choice. (Palemoon does not have that problem).

It needs to be repeated that there is a world of difference between security on a single user network and a commercial enterprise. Freedom is inversely proportional to security, and some of the default stuff like polkit makes perfect sense on a production system, and is positively absurd on a laptop.

As a simple example, here polkit is disabled, but the hibernate function refuses to work in Devuan, presumably because of udev being run by systemd. So i need to use the repo hibernate with qshutdown, which refuses to function as a user. Not a problem, as I have it loading from root's .bashrc when i fire up a root terminal. From where i can call any util with a simple shell script, if not directly.

For those with the Great Linux Fear - namely of doing smething stupid like an:
rm -rf / usr/local/foo (note the space)

The problem is not in the rm command - but the fact that it is used by default in the first place. It can be run from a wrapper like:
{code]
#!/usr/bin/env perl
# safe - a root user utility to disallow commands to *system* root. Blocks a lone / .
# usage - safe command arguments
# ie; safe cp *.txt /tmp (Copies all .txt files to the /tmp directory)
# safe cp *.txt / tmp (This will generate an ERROR.
# This requires a functioning PERL interpreter - standard on Linux systems.

# To USE this file:
# First as root (preferable) - use the command env to view your PATH statement. /usr/sbin should be there. You can choose another.
# cd to the directory and execute (ignore the #'s:
# touch safe
# chmod 740 safe
# gedit safe
# Then copy and paste contensts of this file into gedit, and SAVE

$arg = @ARGV ; # Command Line
our @cmd = []; # Making this global, not re-entrant so OK
unless($ARGV[1]) { die " USAGE: command parameter1, parameter2, etc. \n" ; } # Must have a parameter to be useful
foreach $argnum (0 .. $#ARGV) {my $arg = "$ARGV[$argnum] "; # The last space is crucial
if ($arg =~ qr{\/\s}) {die " FILESYSTEM ROOT ERROR \n"; } # Die on command to root file system
push(@cmd,$arg);
# print " $arg \n";
}
shift @cmd;
$string = join('',@cmd);
print "Running $string \n";
exec( $string );
[/code]

Or even a direct replacement like:
https://github.com/kaelzhang/shell-safe-rm
(This makes a trash bin its a shell script, so it can be modified to put the deleted files in /tmp)

Post Reply