Re: Avoid while on line, apache & X as root?



On Mon, 25 Jan 2010, in the Usenet newsgroup alt.os.linux.suse, in article
<hjko5h$buf$1@xxxxxxxxxxxxxxxxx>, script||die wrote:

David Bolt wrote:

As for running a desktop as root, it's been a long time since I've
done that. At the time, I was also hearing the same "it's a bad
thing to do" that you've heard, and I do agree with it that it is a
bad thing to do. There's too much chance to break things, even if
you're careful, so it's best not to take the risk.

I'll agree with that - some of the reflex about not using root may
also come from your background. I've had experience in a scholastic
situation, and being root while on someone else's system is like waving
a huge red flag and asking for trouble.

My only worry would be to cause problems for others on the net,
locally there's little I cannot recover from. I do it for maintenance
and such and only off line. Not sure if I could get a lot done from cli.

Admins moan about it all the time. Using a GUI admin tool restricts
what you can do (you can only do what the tool allows), and you may
not be sure what all it's doing. Where this gets to be a problem is
when the GUI is hosed, and you've got to recover without it. If you
know when something was changed that broke things, you may be able to
use 'find / -ctime' or '-mtime' to find the file[s] that the GUI had
changed, but otherwise you are guessing, and that doesn't always work.

A mouse is a device used to point at the xterm you want to type in.

Something the GUI user doesn't think about is that while there may be
a shed-load of commands available, you don't have to know them all.

[compton ~]$ ls `echo $PATH | tr ':' ' '` | egrep -vc '(:|^$)'
3085
[compton ~]$ history | cut -c7- | sed 's/ | / # /g' | tr '#' '\n' | sed 's/^ *//' | cut -d' ' -f1 | sort -u | wc -l
89
[compton ~]$ find `echo $PATH | tr ':' ' '` -type f -atime -90 | wc -l
246
[compton ~]$

The first command shows there are 3085 different commands in my PATH
as a user (root has more), but the second command shows that I'm only
using a tiny fraction of them - in this terminal, just 89 different
commands. The third command looks at all of the commands in my path
to see how many of them have been _accessed_ (which really means used)
by _all_ of the users on this system in the last 90 days - still a
small number of those available. Oh, and where is the icon or GUI menu
item on your desktop that shows this information? ;-)

The main problem with it is when you are having to perform
diagnostics to try and find out why a desktop won't start. In this
case, the common method is to start from runlevel 3 and use startx
to get X started.

I try to avoid using a GUI run-level just for that purpose. If all
else fails, I can just kill X one way or another, and I've still got
a debuggable system.

The big problem is when people use su to become root but forget to
use the "su -" form. Without that '-', su will leave the normal
user's environment alone and just elevate the privileges, which
means all those files that X reads and writes end up in the user's
home but owned as root.

That can be an advantage when the inept admin does something that
screws up root's environment. Using 'su' without the dash leaves you
with the user's environment - so you have to either give the full PATH
for system commands (often advisable to avoid ``helpful'' aliases set
for the dumb user), or set/export the PATH as needed, but this allows
you to recover from whatever was done wrong.

Hmm, I never saw it put that way before. What I do is either log in
as root and startx, or in a terminal do su, then run what I need in
the terminal.

That's fine.

Don't think I have ever just started one prog with "su -".

It's not so much running one program (which would be 'su -c' anyway)
as completely changing the user. 'su -' (or the equivalent 'su -l')
is _functionally_ doing a full login, meaning your $PATH is changed,
your CWD is changed, and so on.

Sometimes I do "sudo prog" though.

That's fine if 'sudo' is set to allow you to run the desired command.
If not, then you may need 'su -c prog' or even 'su -lc prog'. See
the man page for 'su'.

Old guy
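
The following is an added example, not part of the original post or
written by any of its participants. It is one way to check for the
side effect described above (files in a user's home left owned by
root after running X under plain 'su'), optionally narrowed with the
'find -ctime' approach the post mentions. The function names, and the
directory and owner passed in, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list entries under a home directory that are NOT owned
# by the expected user, e.g. dotfiles rewritten by root after a plain
# 'su' (no dash) kept $HOME pointing at the user's home.
#
# foreign_owned DIR OWNER [DAYS]
#   DIR    directory to scan (normally the user's home)
#   OWNER  expected owner, as a user name or numeric uid
#   DAYS   optional: only entries whose inode changed within DAYS days
#          (a chown or a file created by root updates ctime)
foreign_owned() {
    dir=$1 owner=$2 days=${3:-}
    [ -d "$dir" ] || {
        echo "foreign_owned: $dir is not a directory" >&2
        return 2
    }
    # -xdev keeps the scan on one filesystem so network or removable
    # mounts below the home directory are not walked.
    if [ -n "$days" ]; then
        find "$dir" -xdev ! -user "$owner" -ctime "-$days" -print
    else
        find "$dir" -xdev ! -user "$owner" -print
    fi
}

# count_foreign_owned DIR OWNER [DAYS]
#   Number of entries foreign_owned would print. Line-based, so a path
#   containing a newline would be counted more than once.
count_foreign_owned() {
    foreign_owned "$@" | wc -l | tr -d ' '
}

# Stand-alone use:  sh thisfile DIR OWNER [DAYS]
if [ "$#" -ge 2 ]; then
    foreign_owned "$@"
fi
```

Anything it prints can be reviewed and, if it really belongs to the
user, handed back with chown run as root.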