Linus Torvalds on requiring the root password for mundane tasks. “So here’s a plea: if you have anything to do with security in a distro, and think that my kids (replace ‘my kids’ with ‘sales people on the road’ if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.” Yes, it’s harsh (deal with it, Finns don’t beat around the bush), but he’s completely and utterly right. While there are cases where it makes sense to disable certain settings (public terminals, for instance), it is utterly idiotic that regular home users have to type in their root password for such mundane tasks.
Anyone remember when Linus ranted about C vs C++? I’m just reminded of that rant when I read this latest one. 🙂
Yeah that was good times. http://harmful.cat-v.org/software/c++/linus
It may be “idiotic” to prompt for root’s password for mundane tasks, but it’s also “equally idiotic” to allow your own unprivileged password to be used to authorise “non-mundane” superuser tasks (particularly the installation/removal of system software).
This is something Ubuntu does via its sudo system and it’s 100% wrong – tasks that can significantly change your system installation should require a privileged username/password and not a normal user’s! Ubuntu is also dumb for not accepting root’s (privileged) password when it prompts for privilege escalation – it only accepts your own (unprivileged – or at least it should be) password!
The very first thing I do on such a broken Ubuntu system is “sudo passwd root”, so that I can su to root and do my privileged stuff that way. I don’t know if they fixed it in later Ubuntu releases, but if you had to fsck the system disk on bootup of early Ubuntu releases, it would say “enter root password for maintenance” as part of the boot sequence. Genius that, because Ubuntu sets a random root password and never tells you it, ho hum.
Edited 2012-02-28 23:56 UTC
Wow, you completely do not understand the purpose of sudo or how it works. If you don’t want a user to be able to use sudo, don’t place the user in the sudoers list. Anyone in that list is by definition a privileged user (a sudoer), so sudo does in fact require a privileged username and password.
It’s been a while since I did a clean install of either, but I believe the default configuration of both Ubuntu and Fedora is for users to “sudo anything”, using their own password for authentication. Easily changed, but it *is* the default.
That’s the way it should be. sudoers are special users, but they are not root, they should not know or require the root password. They should use their own password.
Fedora’s default configuration is different from Ubuntu’s, we do not set up sudo out of the box. We *do* use PolicyKit for privilege escalation for some purposes, and PK is extremely powerful and flexible and can be set up so it ‘works like sudo’ for some operations – i.e. allows some or all ‘normal users’ to perform certain operations by entering their own password, not root’s.
Edited 2012-02-29 02:38 UTC
Ubuntu’s philosophy is that the first created user account *is* a privileged user. It’s a perfectly reasonable philosophy that applies to most Ubuntu use cases. User accounts beyond the first get fewer privileges than the first created account, and you can downgrade the first created account also if you prefer that.
Your understanding of sudo is 100% wrong. What security do you think having to use the root password rather than your own gives? Hint: none. They’re both passwords that you have to give and neither has an inherent security advantage over the other.
This is exactly how sudo is designed to work and it means that you can delegate privileges better than if you use a single root password.
There’s no such thing as an unprivileged password. There are accounts with more or less privileges.
Never work as root, use sudo or if you really think you need to continue this bad practice: sudo su -
root on Ubuntu has an empty password, not a random one, and that is why you can’t log in with it. Accounts with empty passwords can by default not have interactive sessions.
And no, Ubuntu does not prompt you for the root password when fsck has to be run at boot.
Edited 2012-02-29 05:19 UTC
This is wrong. sudo is great for desktops. However, for servers, you should never use sudo. Why? Most servers have services such as OpenSSH and mail running. That means someone can brute force your password remotely. If you have a root password set, then even if they get into your account, they must take the time to brute force root. Hopefully this extra time will make it possible for someone to notice the attack.
Full sudo rights on a server == full root for everyone on the internet courtesy of botnets.
Then just don’t run services under a sudoer’s account…
Which is why authentication via SSH keys is a good idea…
Now brute force attempts will be ineffective, and you also have two factors required in order to gain elevated privileges so even if someone steals your privatekey they still need to do extra work (and thus increase the risk of detection) in order to get root.
No, it’s great for servers and should always be used since it enables better permission control and audit trails.
That’s why you don’t use password authentication with ssh. If you need people to use sftp with passwords you always use chroot and force the accounts to be sftponly.
Most servers do not have mail running and for those that do the email username and password are more often than not different from the system users and passwords.
If they didn’t already catch the brute force on the account I doubt they’ll catch the brute force on root.
100% wrong.
Most people set up sudo to gain full access, not to run select programs. Of course it’s capable of that, but it’s rarely used in the wild. Most Linux distros ship with it enabled like a root account.
I’ve seen people enable sshd on root accounts without using a key. Then they got owned. Everyday I see brute force attempts against root on my server. It’s ignorant because BSD defaults to root disabled. They also had sudo turned on.
Like any tool, sudo can be used correctly but unfortunately people don’t use it this way. Just because you setup your server competently doesn’t mean it’s common.
As for mail servers, I wasn’t talking enterprise here. No LDAP. I’m thinking web hosting, virtual private servers and small shops. Anyone using sendmail + an imap server is probably using system accounts. That’s default. Some of those accounts probably have shell access, especially in a hosting scenario. You don’t have to agree with me, but I’ve seen it. I used to work for hosting companies.
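As an added example, not taken from any of the replies above: the sshd_config that these replies describe (keys only, no direct root login, a chrooted sftp-only group for the accounts that must keep passwords), together with an audit function for the two settings that make the brute-force scenario real. It assumes OpenSSH’s sshd_config syntax and an illustrative group name, sftponly. The audit reads the first occurrence of each keyword outside any Match block, because that is the value sshd actually uses: a hardening line appended below an earlier “PasswordAuthentication yes” changes nothing.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH sshd_config syntax;
# the group name "sftponly" and the chroot path are illustrative.

# Write the hardened configuration to the path given as $1.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
# Keys only: there is no password to brute force from the network.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Nobody logs in as root. Admins log in as themselves and escalate with
# sudo, which leaves a record of who ran what.
PermitRootLogin no

# Accounts that must keep a password get sftp only, inside a chroot.
# The chroot directory must be root-owned and not group/world writable.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# First effective value of a keyword: sshd takes the first occurrence, and
# anything below a Match line applies only to sessions that match it.
# Usage: sshd_effective_value FILE KEYWORD
sshd_effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"                  { inmatch = 1 }
        /^[[:space:]]*#/ || NF == 0             { next }
        !inmatch && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one WEAK line per risky global setting; exit 1 if any was found.
# A missing keyword is treated as "yes", the historical OpenSSH default.
audit_sshd_config() {
    f=$1 rc=0
    root=$(sshd_effective_value "$f" PermitRootLogin)
    pw=$(sshd_effective_value "$f" PasswordAuthentication)
    case "${root:-yes}" in
        yes) echo "WEAK: PermitRootLogin yes (root is reachable directly)"; rc=1 ;;
    esac
    case "${pw:-yes}" in
        yes) echo "WEAK: PasswordAuthentication yes (brute-forceable)"; rc=1 ;;
    esac
    return "$rc"
}
```

On a live host run the audit against /etc/sshd_config or /etc/ssh/sshd_config before restarting sshd, and keep an existing session open while you test the new configuration from a second one, since a mistake in the key setup locks you out.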
This is not a sudo problem and does not mean sudo is not suitable for servers. It’s an admin competence issue.
So what? Again, this is not a problem with sudo but with incompetent/inexperienced admins. Using root password instead of sudo doesn’t save you from this.
Most of those systems usually run something like SOGo or iRedMail and most of those mail systems do not use system accounts. I still say most mail servers do not use system accounts for mail access.
So did I.
You seem to misunderstand what I’m saying. I’m arguing against using sudo by default on server platforms. I don’t hate sudo. In fact, I’ve included it in my operating system. I don’t think sudo itself is the problem, but rather how people talk about it. It implies a certain type of setup and use case that most people don’t realize.
There are more incompetent system administrators than competent ones. It’s a fact of life.
I agree (up to a point):
there should be 2 levels:
– root: master of the universe
– admin: capable of common tasks that affect all users on a box and yet not able to make life impossible (if you get my drift)
Another distro for a MacBook Air? WHY… the thing is designed for Mac OS… either you buy into that deal or you don’t. I don’t try to feed my cat dog food either, after all.
TomUK
do you say the same thing about a laptop preloaded with windows?
I don’t exactly agree with Tom’s opinion – it makes sense for me to use different OS than OSX on Mac – that’s just my personal preference (I find OSX GUI, albeit smooth and flashy, rather limiting).
But then there are two points I agree with him:
– Mac was designed for OSX and OSX was designed for Mac. This is difficult to beat as the detailed hardware specs are only known to Apple devs. Contrast it with a PC – an OEM may design the hardware for Windows but Windows (just like Linux) is only made for a generic PC.
– Linux and OSX are both Unix-based systems. There are simply fewer incentives for switching the system. In most cases the user can simply install missing apps.
That’s what groups are for. Restrict common admin tasks to members of admin groups. Don’t make any accounts members of the wheel/operator/admin/etc. groups unless the people who possess them can be trusted. For kids, salespeople, accountants, etc. a regular account with no privileged group memberships should be good enough. They can su to a different account with admin group membership on the occasions where they do need to do admin tasks.
Thanks! Seems I still have to learn more; will look into this.
TomUK
The issue has nothing to do with hardware. The security is ALL software!
As for using a different OS on Apple hardware… I don’t see any problem with that. Apple makes decent hardware, so why are we not allowed to run our own software on that decent hardware.
Look around! Most laptops are crap and made of plastic, or feel plasticky. Most have low battery life compared to Apple laptops. Also most laptop manufacturers buy into these crap low-resolution widescreen monitors – because it’s cheaper (thanks to all the LCD TVs). When did you last see a 1.6 ratio laptop monitor? Apple still makes those!
Am I the only one who is getting tired with all of his rants and with the attention they get?
He may be a smart person and he might be right about what he is ranting about. I’m also grateful for Linux and Git, and I kinda feel sorry for his daughter.
However, does that give him the permission to call other people “morons” and “mentally diseased” ALL THE TIME? Worse yet, asking them to kill themselves?
I don’t know but this is getting old, it causes too many issues in FOSS and people get negative and fight all the time.
Does anyone else feel the same way? *sigh* 🙁
Edited 2012-02-29 00:07 UTC
Have to agree on that. His statement re Linux distros is (IMO) correct, but recommending suicide on the internets is stupid – you never know what nutcase/zealot/idiot/gossip might be listening.
Not sure that this has any impact on FOSS usage though. I mean, Steve Jobs was an epic screwball and people still bought (and continue to buy) tons of Apple shit. *whistles*
Some people need to lighten up and/or get up to date with slang terms. “Kill yourself now” does not mean you expect someone to actually kill themselves, just like “that’s cool” does not mean “that’s cold to the touch”.
/sigh
This world will PC itself to death some day.
Sorry but English is not my native or first language, it might not be obvious for me at first.
Linus Torvalds isn’t a native speaker either but if you spent a little time on the internet you could pick up the slang. This is just a matter of free speech. If you don’t like what or how somebody is saying something you simply don’t listen (or kill yourself).
http://knowyourmeme.com/memes/go-kill-your-self
Edited 2012-02-29 05:30 UTC
Come on, even then, obviously you understand the meaning of his words. If someone said something to the same effect in your own mother tongue, would you interpret it literally or sardonically? If the first, it’s not a problem of foreign language understanding for sure.
er, the alternative slang meaning of ‘cool’ is universally established and understood and has been for decades. I’ve never, ever, heard anyone suggest that ‘kill yourself’ has some kind of alternative slang meaning until you did, just now. It may be the case that Linus didn’t mean it literally and that should be ‘obvious’ from tone / context, but that’s a much more nuanced case than a term which clearly and simply just has two meanings that just about everyone understands.
Edited 2012-02-29 02:40 UTC
I live in the US and where I live now and where I grew up “kill yourself now”, while not universal, is a common term to anyone under 40(ish). /shrug As you said, it was obviously not intended to be taken literally.
I’m not so much supporting Linus as I am rallying against people that think nothing offensive should be said ever. The “PC” crowd. They’re ruining the world’s sense of humor. :p
Not all native English speakers will pick up on that slang either. In fact most people I talk with on a daily basis will think that expression is advocating suicide.
It is most definitely not on the same level of universal understanding as “cool”.
How stupid are those people? Really? There’s no way in hell any person, native speaker or not, could possibly take Linus’s words as actually advocating suicide. Unless you’re a complete moron. Maybe it’s not a good expression, maybe some people are offended by it, but that’s not the point.
There’s really no kind way to put this; if you think Linus is actually advocating real-life suicide you’re an idiot.
No, I wouldn’t say they are stupid, any more than I would call you stupid for not understanding why. It’s a difference in culture, not intelligence.
Edited 2012-02-29 13:39 UTC
No, it is stupid. There are so many sayings in all languages of the world that are not meant to be taken literally. Should we all stop using those because the highly unlikely chance that it might encourage some moron to follow them literally?
I’d say “go fuck yourself” but that might encourage you to masturbate and we all know that makes you blind.
No, you should not be surprised when members of a different culture unfamiliar with your culture do not understand your culture. It’s not a value judgement on either culture.
That still doesn’t make it right. It’s wrong to call upon people to kill themselves. It’s wrong to say of other people that they’re braindead.
If that’s PC’ing the world to death, then so be it.
It’s not about needing to lighten up, it’s about needing to learn basic manners.
“Am I the only one who is getting tired with all of his rants and with the attention they get?”
Maybe not, but I enjoy them quite a bit myself… and he raises some good points.
“However, does that give him the permission to call other people ‘morons’ and ‘mentally diseased’ ALL THE TIME?”
Why not? He can say whatever the hell he wants. Whether you agree or disagree, fine, argue if you want. But there’s no reason to bitch about his choice of language.
“Worse yet, asking them to kill themselves?”
I honestly doubt that he meant that in a 100% serious, non-joking way. If anyone is getting pissed because they really think he is being completely serious, maybe they need to quit jumping at conclusions or consider anger management. Chances are, you’re getting mad over nothing.
Does anyone else feel the same way?
I only have seven more words to say: shit, piss, fuck, cunt, cocksucker, motherfucker, and tits.
If that gets you mad, go smoke a bowl and relax.
Anyway, I think we all can agree that Linus Torvalds has some attitude problems. I mean, why would you call OpenBSD developers “masturbating monkeys” because they think security is important?
With a big ego such as Linus T, I doubt he would let anyone govern over his creation. I mean, if I created something, would I let someone else decide the name? Hell no.
There is no chance that “Linus T friend decided to call it Linux”. With such a big ego, it was Linus T that decided to call it Linux.
As Stallman said: “I am not the one who calls GNU Stallmanix” – implying that to name a creation after yourself requires some ego.
He really wants to call it GNU/Linux though.
“Anyway, I think we all can agree that Linus Torvalds has some attitude problems. I mean, why would you call OpenBSD developers “masturbating monkeys” because they think security is important?”
Maybe because… he has a sense of humor? What you may perceive as a threat or declaration for war may have been nothing more than a humorous stab at OpenBSD for going overboard (in his opinion; debate this all you want, but he probably realizes pure security can get in the way, and is most likely referring to that). I took it as a joke, laughed about it, forgot about it, and then moved on. Well, until you brought it up again complaining. Really… it’s no big deal, despite the insanity some of you are trying to make it out to be. Bottom line: WHO CARES?!?
You’re not the only one. I’m getting just as tired, especially because he’s setting an example and people seem to think that it’s okay to behave like that everywhere.
It’s what leads to posts like this:
http://stormyscorner.com/2012/02/its-scary-to-join-an-open-source-p…
It’s a pity, that due to his fame, and more importantly other people apparently blindly following and agreeing (or not blindly, but taking a considered view, and agreeing), and with news sites further highlighting his views, that he should be censored, and would not be allowed the same freedom as you or I.
Why is it, that I could say that, yet he can not?
Yes yes, fame, moral responsibility (and advocating shooting one’s self is a bit extreme, but it’s obviously meant in humour), however I don’t think this is at all extreme, it is, as he said, a simple rant.
You’d think he would be more well-spoken at this point in his life.
Anyway, Theo’s rants are better, and he was doing it when it wasn’t cool.
[NB: I am not a computer security expert. Do not take my word on any of the following.]
Changing the system time probably has little security relevance these days (I think?). And for CUPS, it strikes me that authenticating as root by default might not be such a hot idea in a multi-user environment, and is a pain for a single user. So most distros’ default configurations leave something wanting there. OTOH I only know of one distro (Slitaz) that requires the root password for wireless configuration.
BTW, two points that I think may be relevant to this:
1. Principle of least privilege says that too much restriction can be bad. Every task that unnecessarily demands root privileges is potentially exploitable.
2. Prompting for passwords all the time can also be bad, since a malicious application could potentially nab the password.
Of course that’s kind of moot now, seeing as it’s all about money and personal info these days, and the sorts who go after home users may not even need root to do their dirty work… Even so.
P.S. #2 is something Windows (theoretically) does right and popular Linux distros do wrong. Windows prompts you about admin actions every time, without requesting a password. Ubuntu, etc. prompt for the password, and then give you five minutes or so of passwordless root access without any notification. The Linux method strikes me as much more inviting for social engineering attacks.
The five minute time out is a setting that can be changed in the sudo config. It’s a convenience thing for command line users.
Yeah, OSs really need to try to sandbox the user much more than they already do. Everything still has that DOS mentality that the user should have complete control of the computer, when in reality they just need control of their profile/home dir unless they need to make a system-wide change.
For instance, software should have the option of installing system-wide or just for the user. If the software is going to be system-wide, then authentication is asked for, and if it’s user-only, then the software gets installed into a programs folder.
There is support for this (PortableApps for Windows and compiling from source on Unix, for instance), but it’s not mainstream.
I’ve never looked into it as i don’t manage Linux professionally but shouldn’t there be a way of assigning users the ability to do these things?
It might not be simple but there has to be a way of assigning users/groups access to the required privileges.
Personally I’ve never had to look at this because i maintain my own systems so i know the root password.
But I’d have thought that that’s what users and groups was for in the very least.
EDIT: (http://wiki.debian.org/SystemPrinting#Add_Printer)
and adding a printer via the Administration screen. If you get a permission error, try adding yourself to the group lpadmin. E.g. if you are user “tom”:
sudo usermod -a -G lpadmin tom
Edited 2012-02-29 00:09 UTC
If you need to become root to allow yourself to not become root to configure your printer, then your distro has failed
Not if by default everyone is added to the lpadmin group, which is probably what Linus is complaining about.
Whether you want to allow or disallow something will require root, but once deployed it should be okay. You can give the users group access instead of a single user.
http://fai-project.org/
Smart admins do the customising before the user gets a hold of something.
Yes, it’s called sudo. It’s simple to configure sudo so that a password is not required for certain tasks.
That’s what sudo is for isn’t it? Just add primary computer users to sudoers list.
Having full sudo isn’t much different than having root.
Luckily sudo can do far more than just give people “su” access.
The point is, you need to input your password, not root’s.
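Both halves of the sudo argument in this thread (delegating specific commands rather than ALL, and the cached-credential window behind the five-minute timeout complaint further up) come down to what is actually written in sudoers. What follows is an added example, not something posted by a commenter or shipped by any distribution: a sudoers drop-in that lets members of an assumed group, desktopadm, run the printer, clock and Wi-Fi commands Linus lists without a password and without getting root for anything else, plus a grep that flags the unrestricted “ALL=(ALL) ALL” rules that make “full sudo” the same thing as root. The group name and the command paths are assumptions to adjust for the distribution.

```shell
#!/bin/sh
# Added example, not from the thread. Group "desktopadm" and the command
# paths are assumed; install the result into /etc/sudoers.d (root-owned,
# mode 0440) only after visudo has accepted it.

# Write the drop-in into directory $1.
write_sudoers_dropin() {
    cat > "$1/50-desktop-tasks" <<'EOF'
# Commands a desktop user may run as root. Never list editors, pagers or
# anything else with a shell escape here: through sudo that is root by
# another name. Wildcards match the whole argument string, spaces included.
Cmnd_Alias PRINTING = /usr/sbin/lpadmin, /usr/sbin/cupsenable, /usr/sbin/cupsdisable
Cmnd_Alias CLOCK    = /usr/bin/timedatectl set-time *, /usr/bin/timedatectl set-timezone *
Cmnd_Alias WIFI     = /usr/bin/nmcli connection *, /usr/bin/nmcli device wifi *

# The mundane tasks: members of the group, no password. Nothing else.
%desktopadm ALL=(root) NOPASSWD: PRINTING, CLOCK, WIFI

# Every other privileged command re-authenticates. The default caches the
# password for 5 minutes, which any script or application running as the
# user can ride on; `sudo -k` drops the cache by hand.
Defaults timestamp_timeout=0
EOF
}

# Flag rules that are effectively root: "<who> ALL=(ALL|ALL:ALL|root) [NOPASSWD:] ALL".
# Prints matching lines with their numbers; exit status 1 when none are found.
find_unrestricted_rules() {
    grep -En '^[^#]*ALL[[:space:]]*=[[:space:]]*\((ALL|ALL:ALL|root)\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' "$1"
}

# Let visudo parse the file before it goes live: a syntax error in a
# sudoers drop-in locks everyone out of sudo.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed; cannot syntax-check $1" >&2
        return 0
    fi
}
```

Run find_unrestricted_rules over /etc/sudoers and every file in /etc/sudoers.d to see how many accounts on a box already have the “sudo == root” setup the thread complains about; on most desktop installs the answer is at least one group.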
Sounds like a perfect recipe for becoming a single-user operating system.
A great many Linux systems *are* single user – indeed, if you’re talking about desktop distros, almost all of them are. And on such systems, Linus is right – the default behaviour should be to annoy the user as little as possible, and with the ability to tighten security as-needed (e.g for genuine multi-user systems).
The recommendations of suicide from Linus were clearly misdirected.
What do you mean? “kill yourself”=you should be terribly ashamed of yourself.
Not a good example. It makes sense to have one universal “machine” time (e.g. UTC) while users could have time displayed as they wish (like per-user timezones). This needs to be supported in UIs to be presented properly. However, if the clock is off by minutes or seconds, there should be a way to tune it. For example the user could initiate a sync with time servers (which can still be spoofed in an emulated network setup unless secure NTP is used).
For everything else he said, I agree. Many things should be looser by default (for home desktops at least) like printers, wifi, etc. Network printers are a good example of nonsense. Even if “secured” CUPS is there, what (in theory) prevents a user from opening a network port to talk to a printer?
Microsoft also had to deal with these problems when they adopted UAC. Windows 7 already has it much better toned down than Vista.
I really don’t care so much about needing a root password to do things, but what I can’t accept is being required to use a root password every time I do something when I have never logged off. What is so hard about entering that password once and leaving it alone until you log off or lock the desktop?
What I find humorous is that the separation of root, elevated privileges, and general users is intended to provide security. But a whole hell of a lot of systems don’t use this hierarchy as intended and thus their systems security is compromised….and they don’t even realize it.
It can easily be like how overly strict password policies lead to unsafe password storage – if you make your security system too annoying, the workarounds will be worse than if you implemented a less safe but also less annoying system in the first place. And what constitutes “too annoying” shifts greatly between systems; a single-user laptop should be less finicky than a multiuser server, etc.
Linus has every reason to be upset.
http://www.freedesktop.org/wiki/Software/PolicyKit is directly designed to address the issue.
Network configuration: who is allowed to change, modify or otherwise alter it using network-manager is defined by PolicyKit.
This is a case of distributions not providing the latest and some software needing to be updated to support latest.
PolicyKit’s allowances are application-dependent. So privilege is granted on a per-application basis to request a PolicyKit action.
Policykit is not a grant all like windows admin where random programs can get up to admin rights.
Linus has more than enough reason to want to kill distributions over this. There is no reason to be still using old sudo methods.
Edited 2012-02-29 03:22 UTC
Except for a few user-friendly distributions most Linux systems are configured as if they were all deployed on thin-clients in a bank. The problem is that small users are much more reliant on the defaults – they don’t have their own teams of system administrators and their needs/environment is much more dynamic.
I would go even further and allow users to install software from official repo without root password or sudo. We still want to make sure it is the user who initiates the process but that’s all. It can probably be done without a password and certainly without a root password.
Interestingly most problems I experience don’t come from major installations (these have good administrators and procedures) and not from my home installations (I simply use sudo). They all come from minor networked installations (workstations), where some self-proclaimed sysadmins have installed an ancient version of CentOS, locked it down (or rather not UNlocked it) and declared the job done. We could blame these admins for sloppy work (“OMG, they don’t do security updates!”) but I’ve seen it happen in so many different places that there is clearly a mismatch between what distributors expect sysadmins to do and what they really do.
PolicyKit, as I mentioned before, and http://www.packagekit.org/
Now you don’t need the root password to install applications. It can ask for the user’s password or no password at all.
This is a simple case of distributions not providing configuration front ends for policykit.
A lot of the time, if you are using sudo you should not be; more often than not this shows a defective distribution.
Having a rights control system and then no way to make it simple to manage is a major defect.
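PolicyKit, as raised above and again here with PackageKit, is configured by rules keyed on the action ID that a privileged mechanism (timedated, NetworkManager, cups-pk-helper) asks to have authorised, and on who is asking; the rule decides per action and per subject, and the answer can be “allowed for an active local console session” without any password at all. The following is an added example, not something posted in the thread or shipped by a distribution: one policy, granting the clock, network and local-printer actions to members of an assumed group desktopadm, written in both rule formats, the .pkla local-authority files of polkit up to 0.105 and the JavaScript rules of 0.106 and later. The action IDs are the ones these mechanisms register and should be confirmed with pkaction on the target system.

```shell
#!/bin/sh
# Added example, not from the thread. Group "desktopadm" is assumed; the
# action IDs are those registered by systemd-timedated, NetworkManager and
# cups-pk-helper (verify with `pkaction` on the system you deploy to).

ACTIONS='org.freedesktop.timedate1.set-time
org.freedesktop.timedate1.set-timezone
org.freedesktop.NetworkManager.settings.modify.system
org.freedesktop.NetworkManager.network-control
org.opensuse.cupspkhelper.mechanism.all-edit'

# polkit <= 0.105 (the 2012-era releases): a .pkla file under
# /etc/polkit-1/localauthority/50-local.d/. ResultActive covers an active
# local session, ResultInactive a switched-away console, ResultAny all
# others, so an SSH login in the same group still gets the default prompt.
write_pkla() {
    acts=$(printf '%s\n' "$ACTIONS" | awk 'NR > 1 { printf ";" } { printf "%s", $0 }')
    cat > "$1" <<EOF
[Desktop users set the clock, join networks and manage local printers]
Identity=unix-group:desktopadm
Action=$acts
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF
}

# polkit >= 0.106: JavaScript rules under /etc/polkit-1/rules.d/, same policy.
# Returning nothing for every other case leaves the distribution defaults intact.
write_rules() {
    ids=$(printf '%s\n' "$ACTIONS" | awk '{ printf "%s\"%s\"", (NR > 1 ? ", " : ""), $0 }')
    cat > "$1" <<EOF
polkit.addRule(function(action, subject) {
    var allowed = [$ids];
    if (subject.local && subject.active && subject.isInGroup("desktopadm") &&
        allowed.indexOf(action.id) >= 0) {
        return polkit.Result.YES;
    }
});
EOF
}

# On a live system, print the subset of ACTIONS that polkit knows about, so a
# typo in an action ID shows up here instead of as a silent "no rule matched".
known_actions() {
    command -v pkaction >/dev/null 2>&1 || { echo "pkaction not installed" >&2; return 1; }
    printf '%s\n' "$ACTIONS" | while read -r id; do
        pkaction --action-id "$id" >/dev/null 2>&1 && echo "$id"
    done
}
```

Neither file needs a daemon restart; polkit re-reads the directories on change. The local/active conditions are what keep this from being a blanket grant: the same rule, minus those two checks, would hand the actions to anyone in the group from any session.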
Once deployed and configured properly both sudo and policykit do the job. As a user I have no preference for any of them. Chances are that I’ll get sudo before PackageKit (just because PackageKit is somewhat newish), and I’d be perfectly happy with it.
Unfortunately, if the default is to have sudo/PK disabled and there is no easy switch to enable it I’ll still have to use my Linux workstation as a dumb terminal and compile everything from sources. It isn’t exactly “using an OS”, more like “fighting” it.
I know most people think it’s a hassle to type in the root password, but seriously, how many times do you configure printers? Or the time? There were legitimate security concerns for everything that requires root. Once you unlock these services from root, they become vehicles for malicious attacks on the system. Remember, one of the benefits of Linux is that everything runs as its own user. That means by default, all Linux boxes are multiuser whether you like it or not.
It’s a hassle to obtain the root password, which shouldn’t be required for routine stuff in the first place. In fact obtaining a root password is often impossible and the user is then left with a desktop crippled to the point of being unusable (seriously, I prefer using Windows XP with Linux inside a VM than a system like that).
Connecting a printer, mounting a filesystem, connecting to a network, installing some non-privileged apps or bugfix upgrades of privileged ones – these are all legitimate user tasks on decentralized systems (which is almost all of the current deployments), none of them should require “I own the world” type of permission.
You are not thinking this through.
Viruses and malware: you don’t want them messing with those settings.
PolicyKit is designed for this particular problem, because it approves applications to do things.
sudo becomes unworkable as soon as you try filtering by application.
“I own the world” type of permission is what the problem is. PolicyKit provides another set of permissions: this application is trusted to do the following, and only this app. Even if the app is trusted, it then asks the user the first time they use that app if they do wish to use its privileged options.
This is creating true security by obscurity, because the attacker has to know what application you use for the task in order not to be noticed.
I have a problem understanding you. Can you write what’s your point again?
Reading through your answer it looks as if you’re disagreeing with me but then you confirm all the issues I’ve raised.
Is it just that you prefer PolicyKit over sudo? That’s fine with me – I have no problem with PolicyKit (but then I have no problem with sudo either).
How is this better than “this user is allowed to do A and B but not C”?
Because security through obscurity is so awesome…
From a sysadmin’s point of view on security? Not at all. Mind you, that’s a very narrow view. Especially when you consider typical desktop installations, where “the system” can be reinstalled in an hour and all valuable data are in home directories.
From a user data security point of view – a lot. There is a big difference between user actions in e.g. synaptic and firefox. I’d like to have access to the printer setup when I explicitly ask for it (e.g. in an appropriate config dialog box) but not when I compile a program or browse the Internet.
So it’s not better as much as it is a different use-case.
But is this actually how policykit is set up on any current distro? I’m pretty sure any application run in the user account has full access to all user data.
As you said, the system can be re-installed in an hour so a system compromise or failure is not as serious as that of user data loss.
I’m pretty sure that’s the case, indeed. I wasn’t referring to available solutions, rather to the user (well, my) needs.
In a sense, whenever I unplug the LAN cable because I’m trying an application I don’t trust, I’m doing just that. I’m taking away a privilege to talk to the network. Of course, network access is only one of available privileges and unplugging a cable isn’t exactly a “software” solution.
One thing to remember is that system security is necessary (but not sufficient) for user data security. This is where user accounts work rather well but they are too inconvenient for more fine-grained access control. No one will setup a separate user account for running a web browser because that’s too much hassle (configuration, file access permissions, different home dirs etc.).
Extensions of this model (sudo, PolicyKit) allow some flexibility but they are still fairly static and are configured at the system level (by an administrator).
This is a misconception – on single-user systems the user _is_ the admin so at any time, he should be able to decide which permission he needs and which permissions he waives (just like I can unplug the LAN cable whenever I want). Think of it as of Android app permissions (except that the user should be able to grant/revoke single permissions even at runtime).
There is simple solution – always be logged as root 😀
Maybe OpenSuse is not designed for his daughter?
What about all the people who use OpenSuse on their servers? What If I have a team of web developers and admins spread across the world and every morning they change the system time because they think it’s not right in their country? What if I don’t want developers at the other side of the world to print crap on my printer?
On openSUSE you can print and connect to a network without root. At least in GNOME (KDE?) it uses NetworkManager by default and you don’t need root. It’s only if you use YaST to turn NetworkManager off and use ifup that you need root. As YaST is a centralised management system, that is right.
A server is quite a different story, isn’t it? First of all there are no interactive sessions on a server, so the whole issue simply doesn’t apply to you.
Another exception is a classic centrally controlled terminal server configuration. Here also the sysadmin is a “god”.
In both cases the systems are installed and configured by qualified personnel and don’t change over time. The sysadmin should be able to set up (and lock) time and printers fairly easily.
These use cases are very different from a single-user desktop or a shared workstation, which are far more dynamic and often have no sysadmin at all or are maintained collectively anyway. In these scenarios “security” is more about making it less likely to shoot yourself in the foot than about locking down the system. The traditional account-based security model (with holes in the form of suids, sudo, PolicyKit) kind of does the job, but since it was specifically designed for large centralized rigid time-share systems from the ’70s there are glitches all over the place and some important aspects of security (user data) are completely neglected.
Servers are fundamentally different from workstations and as such different security profiles (or whatever you want to call it) would be a good idea.
So what? It’s a workstation. I certainly hope the people in your team who are halfway across the world can change the time if needed and don’t have to wait for someone in your part of the world to wake up and do it for them.
I don’t see what root or not has to do with this. Do you give them all shell access to your workstation or something?
Wireless networking and printing: I see no reason why you should need root or sudo access, and in the Linux systems I’m thinking of you don’t. Changing the time is different: if you set the time in the past, so that the file system has files created in the future, it is going to be a problem; you should need root or sudo for that.
Kerberos tickets (and possibly some other forms of authentication and crypto) are time-dependent. Roughly speaking, the two sides encrypt their timestamps, and the opposite end only accepts if the time is reasonably close to its own. I don’t know if being able to change the time on at least one end would allow any interesting attacks, but it sounds vaguely plausible?
(The typical place to run into this is weird login issues if your local time is horribly wrong.)
Edited 2012-02-29 14:29 UTC
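The check the comment above describes, as an added example (not code from this thread, and not Kerberos itself): the receiver compares the timestamp in an authenticator against its own clock and accepts it only inside an allowed skew, and a replay cache refuses a stamp it has already seen inside that window. The 300-second window is MIT krb5’s default `clockskew`; the names, timestamps and the `Service`/`Authenticator` classes are constructed for illustration.

```python
"""Time-window and replay check of the kind Kerberos authenticators rely on.

Added example, not code from the thread and not an implementation of the
protocol. Each side stamps its message with its own clock; the receiver
accepts the stamp only if it lies within MAX_SKEW of the receiver's clock
(MIT krb5 defaults "clockskew" to 300 s). The replay cache is the second
half of the check: inside the window, a captured authenticator is refused
because it was already seen. Timestamps and names below are constructed.
"""
from dataclasses import dataclass, field

MAX_SKEW = 300  # seconds; MIT krb5 default clockskew


@dataclass(frozen=True)
class Authenticator:
    """Time-bearing fields of an AP-REQ authenticator (simplified from RFC 4120 5.5.1)."""
    client: str
    ctime: int   # client's clock, seconds since the epoch
    cusec: int   # microsecond field that disambiguates requests in the same second


@dataclass
class Service:
    """Receiver with its own clock and an in-memory replay cache."""
    clock: int
    replay_cache: dict = field(default_factory=dict)  # (client, ctime, cusec) -> expiry

    def accept(self, auth: Authenticator) -> str:
        """Return "ok", "skew" (cf. KRB_AP_ERR_SKEW) or "replay" (cf. KRB_AP_ERR_REPEAT)."""
        # 1. Time window: a stamp too far from our own clock is rejected outright.
        if abs(auth.ctime - self.clock) > MAX_SKEW:
            return "skew"
        # 2. Replay: the same stamp presented again inside the window is rejected.
        self._expire()
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self.replay_cache:
            return "replay"
        # Keep the entry for as long as the stamp could still pass the window check.
        self.replay_cache[key] = auth.ctime + MAX_SKEW
        return "ok"

    def _expire(self) -> None:
        # Drop entries whose stamp can no longer pass the window check anyway.
        self.replay_cache = {k: t for k, t in self.replay_cache.items() if t >= self.clock}


def demo() -> dict:
    """Walk through the cases the comment asks about and return each outcome."""
    base = 1_330_525_740  # constructed epoch value; any value works
    svc = Service(clock=base)
    fresh = Authenticator("alice", base, 1)
    out = {"fresh": svc.accept(fresh)}
    out["replayed"] = svc.accept(fresh)                                    # same stamp again
    out["client_10min_ahead"] = svc.accept(Authenticator("alice", base + 600, 2))
    out["client_4min_behind"] = svc.accept(Authenticator("alice", base - 240, 3))
    # The "horribly wrong" local time case: the service's own clock moves an hour,
    # so every stamp a correctly set client produces now fails the window check.
    svc.clock = base + 3600
    out["service_clock_moved"] = svc.accept(Authenticator("alice", base, 4))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

The two checks only work together: the window alone would let a captured authenticator be reused for up to five minutes, and the cache alone would grow without bound, which is why the cache keeps an entry exactly as long as the window would still accept it. Moving one side’s clock does not by itself unlock anything here; it turns every fresh authenticator into a “skew” failure, which is the login breakage the comment describes.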
My computer (a mobile phone) uses a single password for everything.
Is that supposed to be OK or not?
I mean, which world are we living in? “root”… “root”!! “root”??? rotten.
More than one password == people will use the same everywhere.
People (THE people) are not geeks. Root means nothing to them. The point is: anything assuming two or more personalities on a (most likely) single-user device is broken by itself.
On multiuser systems: of course it makes sense to require another password for changing the wifi: are you going to let anyone disconnect the network? Or the printer?
So, it depends on the system requirements.
As … always.
I don’t mind needing root passwords for everything, I prefer it in fact. Maybe it’s because I use a lot of BSD.
Might sound moronic to Linus, but imho it prevents Android levels of moronism.
I have absolutely none of those problems. I just run as root all the time. Heck, root IS my user account.
I started with Windows 95, where I was root all the time. Never had any problem whatsoever, not even a virus infection and – wait for this – I didn’t use any anti-virus permanently on, just occasional full disk scans. Then I migrated to Linux, soon got tired of that travesty and decided to be root forever. Suddenly my computer experience was good again. Problems? Nope. Sure, I have deleted one or two things by mistake during all these years, but ‘sudo’ wouldn’t have avoided it. Just run ‘sudo wrecksystem’ and the command will just happily wreck your system.
I think Linus’ rough attitude is quite warranted in light of how preachy, sanctimonious and plain stupid Linux users get around other Linux users who run as root. All of their arguments are something like this:
1) You are stupid for running as root. Because. What could happen? Well, many things. More specifically? Well, it’s insecure. How exactly? Look, it’s wrong, OK? Don’t ask why. Just look down, accept that it’s wrong and make sure to repeat that to everyone you know. Oh, look, that monkey is climbing the ladder! We’re gonna get wet! Let’s beat the hell out of him!
2) Aaaargh!!! Aaaargh!!! Aaaargh!!! You’re running as root!!! We are all doomed!!!! Take cover!!! The Mayans were right! The end is nigh!!! Aaaaaaaaaaaaaaaaaaaargh!!!
3) Running as root is very dangerous. If you do, the sky will come tumbling down on your head, your crops will be destroyed by BOTH flood and drought, and your mother-in-law will move in with you. You’ve been warned.
4) You run as root? Wow, you’re dumb. Who ties your shoes in the morning? I am not dumb. No, siree! I am one very smart fellow, I do exactly what I’m told. One of these days I will get my medal. You will see. You don’t get any medals. Damn, no. You run as root! You are dumb. Yes, dumb. Heehee. Heehee. Heehee. Ma, come look at the dumb guy! He is funny! Heehee. Heehee.
So Linus tells some of those dumbasses to take a hike and people get upset? Please. If you let that kind of people have their way, soon they will be trying to force you to believe that Adam and Eve really existed and the Earth is just 6,000 years old.
Many unix-like systems install and boot as root by default: Slackware, Arch, BSD unix… It’s no big deal. In fact, you should do that to your entire life.
Read: http://www.garyshood.com/root/
Oh, and the VLC developers may kiss my rooty ass. Mplayer is a much better media player.
and
wtf
This is the high testosterone you’ll never take me alive bastards school of computing?
Seriously, using root as your account: how is that anything other than stupid? What is difficult about sudo -i if you don’t want to sudo all the time? You want to enable root to administer the system, no problem, but to use it as your personal account?
Surely Linus’s point is you should only need to use root to administer the box not to use it.
I think he’s being sarcastic, what with the Windows 95 reference and all. At least I hope he is.
Relevant.
http://www.theregister.co.uk/2006/02/24/bofh_2006_episode_8/
While humorous, it illustrates an important point.
Not running as Root is for people that can’t be trusted.
If it is your own box and you decided to do something that requires root, you are just going to say “f–k it I will use sudo” .. and run the command anyway.
Super user is there for an Admin to stop stupid people killing their systems. I don’t consider myself stupid.
So I run as Admin … and I use my intelligence to defend against threats.
I am also one of the few people that have worked in a development company that didn’t have a development environment … well I did but it was also the Live environment so I like to fly by the seat of my pants.
Edited 2012-02-29 18:42 UTC
Despite the way he expresses his opinion, he hits the nail on the head.
There is no usability in the distros; the only one that cares to work on that is GNOME, and it just makes the desktop, not the distro.
I agree. Somebody went as far, years ago, as saying that there is no reason why you shouldn’t login as root: http://imperial-command.net/myths-about-root.html
There is a security paranoia among *nix users and developers, and that includes OS X as well. You are asked for your password far too often. I agree with user Gullible Jones: “Windows prompts you about admin actions every time, without requesting a password.”
And yet *nix operating systems are much safer by design.
Running as root != not requiring a password for privilege elevation. Distros like Puppy that run as root all the time won’t prompt you at all if something tries to install a rootkit. Windows 7 will, at least in theory.
(In practice it may not, due to holes in UAC. But it’s better than nothing.)
Of course neither will protect you from a userspace keylogger that steals your passwords, and only stays hidden by virtue of not having a GUI. Sure, you could find it in top/TaskMgr, but by then it might have your PIN!
“please just kill yourself now. The world will be a better place”
lol
that would get me in trouble but HE’S RIGHT FUCKERS
For decades, operating systems and applications have been the target of hackers because of major and minor holes in security. The most mundane holes can easily be exploited. Unless linux wants to fix the entire OS so that it is protected at hardware level, the only solution is to secure everything.
I ran across this issue on the corporate linux desktop I am working on. I can’t allow users full sudo to install a printer, and even setting sudo to allow domain^users access did not work since the menu item for system-config-printer includes calling gksu, so it prompts for a password anyway. So I have to replace the menu item with one that does not call gksu, I am sure I am going to run across more items like this once it gets deployed.
Linus might be a very competent person, and he has achieved things in life I can only dream of, but he just does not understand security.
The examples he refers to can all be a potential security exploit, hence the requirement to not allow the normal user account to do those tasks.
Deconstructing his examples:
Adding a printer
Might require access to another driver besides the default one, which, if not installed, will need to be installed, thus opening a security exploit depending on the source of the driver binary.
Attaching to a new wireless network
It exposes the computer to another network. Depending on the wireless security settings, another exploit vector might now be open to the world.
Changing system time
Many OS services/daemons depend on the current time and take decisions based on time. Every time you change system time, it might have unexpected consequences on system behavior.
All these examples are legitimate user tasks on single-user desktops or shared workstations.
Guess what, the user _will_ do all of this (after jumping through several hoops) because he _is_ the admin. OTOH, the user _will not_ create another low-privileged account for running his browser or Skype, ideally one per identity, even though that would greatly enhance his own security and privacy.
Centrally managed time-sharing systems are a different story but (1) Linus didn’t talk about them, (2) they have staff who know which distribution to choose or how to change default configuration.
There’s no reason this should require me to give my password or the root password if I have already done so at least once in this session. A UAC like popup prompt would be enough and perhaps that should only be done if a driver install is needed.
This doesn’t require root privileges on any recent distro I have used so I don’t know if/why OpenSUSE does. Maybe it’s a Yast thing or something.
There’s no real security benefit to requiring the root password for this.
See adding a printer.
Note that we’re talking about *personal* workstations and laptops here, not corporate ones or thin clients or servers.
Edited 2012-03-01 11:25 UTC
Agreed installing software should require enhanced security; but, if the user is happy using a pre-installed driver, or a generic driver, why shouldn’t he?
I’ve hit this problem before, but never with plugging in a new Ethernet cable. Since functionally they both have the same potential problems (access to a new possible compromised network), why should one require root password and the other not?
I believe his specific query was changing the time zone; this would not affect any services, but is a common use case for users of laptops who travel (especially in the US where I understand there are all sorts of places where crossing a county line changes from daylight saving to mean time).
I think you’re mistaking technical limitations for ‘security features’. Let’s look at the examples:
Adding a printer
Might require access to another driver besides the default one. Which if not installed, will need to be installed thus opening a security exploit, depending on the source of the driver binary.
-> If the driver runs in user-space, with kernel-managed access to only the specific USB port the printer is connected to, then there should be no security risk
Attaching to a new wireless network
It exposes the computer to a another network. Depending on the wireless security settings, another exploit vector might now be open to the world.
-> Either make it user-land by default (in a desktop environment) OR just accept that the wireless connection isn’t itself a security risk, but more a vector for attacks on existing flaws.
Changing system time
Many OS services/daemons depend on the current time and take decisions based on time. Every time you change system time, it might have unexpected consequences on system behavior.
-> Desktop users don’t usually care about the system time, they care about the time that is shown to them. Let’s introduce a per-user clock offset, to allow anyone to set their time to whatever they want.
The underlying OS/Crypto/Daemon systems can still use the ntp-controlled time for internal book-keeping.
What everyone is forgetting when replying is that all your suggestions kind of require special design decisions for the single-user use case.
Operating systems are however generic, and must be able to cope between being used by a single user at home, in very expensive servers in the enterprise world, and any scenario in between.
Failing to do so, we end up with Microsoft’s solution, which everyone loves to hate, when there are Windows flavours, each one different, depending on the user use case.
You let people run printer installs with a msi.
…he is trolling. While the salesmen on the road clearly don’t need to enter the root password to set up printers if setting up the printers is a part of their job, limiting users’ privileges in offices is a common practice these days. I worked in an office environment where this opportunity was specifically and purposely disabled.
Actually tuning the permissions and passwords on Unix-like systems is dead easy. Though Linux has PolicyKit now, it is still not all that difficult to get the user permissions right anyway. Typing the rant in Google Plus actually takes more time than tuning permissions on all the PCs in a family.
Anyway, the question of defaults is pretty straightforward: if you change the distro you shouldn’t expect the defaults you are accustomed to; you should check and fix them according to your likes. Complaining about that is pretty much maroonish.
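What the “tuning” in the post above looks like in practice, and one way around the gksu/system-config-printer prompt the corporate-desktop commenter ran into earlier: an added example, not configuration from this thread or from any distribution. It uses PolicyKit’s local-authority `.pkla` format, which was current around 2012 (newer polkit reads JavaScript `.rules` files instead). The action IDs are assumed to be the ones shipped by systemd’s timedated, NetworkManager and cups-pk-helper; confirm them on the target box with `pkaction` before relying on this.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-desktop-users.pkla
# Added example, not from the thread. Lets members of the local "users"
# group do the three things argued about above from an active local
# session, without being asked for any password. Action IDs are assumed
# (check with: pkaction | grep -e timedate -e NetworkManager -e cupspkhelper).
# ResultActive applies to a user on the local console; remote/inactive
# sessions (ResultInactive, ResultAny) keep the distribution default.

[Allow console users to set time and time zone]
Identity=unix-group:users
Action=org.freedesktop.timedate1.set-time;org.freedesktop.timedate1.set-timezone
ResultActive=yes
ResultInactive=no
ResultAny=no

[Allow console users to manage printers]
Identity=unix-group:users
Action=org.opensuse.cupspkhelper.mechanism.all-edit
ResultActive=yes
ResultInactive=no
ResultAny=no

[Allow console users to add system-wide wireless connections]
Identity=unix-group:users
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultActive=yes
ResultInactive=no
ResultAny=no
```

For the locked-down office case in the same post, change `ResultActive=yes` to `auth_admin_keep` (administrator password, remembered for a few minutes) or `no`; `auth_self` gives the Ubuntu-style prompt for the user’s own password. A user can test the effect without reading the file: `pkcheck --action-id org.freedesktop.timedate1.set-time --process $$` exits 0 when authorized. Note also that changing the time *zone* shown to one user never needed any of this: setting `TZ` in that user’s environment changes the displayed time and leaves the system clock, and anything like Kerberos that depends on it, alone.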