# Need a way around sudo and su, is root really so bad?

## blain3

K before tearing me apart, I have been looking, and found tons of irrelevant and outdated information on this topic. I'm not a Linux genius, when I have time I'll delete and reinstall Gentoo but these are mostly projects to understand and learn with. I always have a stable install but I'm running into a problem with typing my root password every time I want to do just about anything it seems. File editing, bash scripting / programming (I'm learning), things like this among others require sudo, su and that junk so I'll end up using su in a few terminals and have them ready. How can I create a user that can edit files and change settings, mount drives, and so on? I do a lot of this kind of stuff, I learn from it. Now is there a way to enable a user to do most of this, or should I just either a) add my user to root group b) work around the no root logins to desktop managers, or? Now I know plenty of kids I go to college with who don't use antivirus software past their norton expiring and on top of that most don't bother using passwords. My root password is almost 20 letters. I'm also not working for a company, and using a laptop to boot. Is it really so bad to use root for someone like myself? If it's a you might break things argument, I don't mind, I'm used to it.

----------

## BillWho

blain3,

I get lazy sometimes so I un-commented this in sudoers

```
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
```

and added an alias, alias sb='sudo bash', in .bashrc

I'm the only one that uses this laptop...so I'll live with the consequences if I do something wrong   :Wink: 

----------

## Hypnos

The purpose of account security in a multi-user system is to contain the damage a user might do to his own account.

What does this mean for a Linux system with one user?  Well, if all your executables are owned by root, it means that anything malicious that might happen in your account (e.g. an attack through your web browser) happens only to your data files, not the programs you run -- this lessens the risk of a virus or worm, but still compromises your data.

Anyway, so what's wrong with keeping an su pseudo-terminal or root virtual console open for doing root's business?

----------

## Ottre

 *blain3 wrote:*   

> [snip]
> 
> How can i create a user that can edit files and change settings, mount drives, and so on.
> 
> [snip]
> ...

 

There are text editors that can open a root terminal in the background, so you type your password once and then edit protected files without having to log in and out. Emacs does this with tramp-mode.

Mounting a drive is a privilege because the OS has no way of detecting the hardware read/write status of a device. You must pass the correct options to the mount command. And that makes it a task for the root user. 

Whether or not everyone can access the drive (-o gid=100,dmask=007,fmask=117) is a different issue.

----------

## Mad Merlin

 *blain3 wrote:*   

> File editing, bash scripting / programing (I'm learning), things like this among others require sudo, su and that junk so ill end up using su in a few terminals and have them ready. How can i create a user that can edit files and change settings, mount drives, and so on.

 

None of that requires root privileges, with the possible exception of editing system config files, which you probably don't do that often. It's likely that you've got tons of files in your home directory now owned by root because you've been using root all the time, let's fix that first:

```
chown -R blain3:users /home/blain3
```

As for mounting drives, if they're not one-off mounts, you can put them in your /etc/fstab with user in the options list and then your regular user will be able to mount them.
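As an added illustration of the fstab advice above (example code written for this thread, not the poster's own): a small shell audit that, given fstab contents, lists which entries a non-root user may mount with a plain "mount <mountpoint>", and whether the noexec, nosuid and nodev protections that the user option implies (see mount(8)) have been re-enabled by a later exec, suid or dev option. The fstab lines and mountpoints are constructed samples, and the function name fstab_user_mounts is my own.

```shell
#!/bin/sh
# Audit which fstab entries an ordinary user may mount, and whether the
# protections implied by "user" (noexec,nosuid,nodev) are overridden by a
# later exec/suid/dev option. FSTAB_SAMPLE is constructed sample data; on a
# real system call:  fstab_user_mounts "$(cat /etc/fstab)"
FSTAB_SAMPLE='# <fs>      <mountpoint>  <type>  <opts>                         <dump> <pass>
/dev/sda2   /             ext4    noatime                        0 1
/dev/sdb1   /mnt/usb      vfat    user,noauto,gid=100,dmask=007  0 0
/dev/sr0    /mnt/cdrom    iso9660 users,noauto,ro                0 0
/dev/sdc1   /mnt/backup   ext4    user,noauto,exec               0 0'

# fstab_user_mounts: print "<mountpoint> <verdict>" for every entry that a
# non-root user can mount (options user, users or owner).
#   ok                 - noexec/nosuid/nodev stay implied
#   reenables:<opts>   - exec/suid/dev given after the user option override them
fstab_user_mounts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 4 { next }             # skip comments and short lines
        {
            n = split($4, o, ",")
            upos = 0; bad = ""
            for (i = 1; i <= n; i++) {
                # a (later) user option re-implies the protections, so reset
                if (o[i] == "user" || o[i] == "users" || o[i] == "owner") { upos = i; bad = ""; continue }
                # exec/suid/dev only override when they follow the user option
                if (upos && (o[i] == "exec" || o[i] == "suid" || o[i] == "dev"))
                    bad = (bad == "") ? o[i] : (bad "," o[i])
            }
            if (!upos) next
            print $2, ((bad == "") ? "ok" : ("reenables:" bad))
        }'
}

fstab_user_mounts "$FSTAB_SAMPLE"
```

With the sample, /mnt/usb and /mnt/cdrom come out as ok, while /mnt/backup is reported as reenables:exec, which is exactly the case to look at twice: a user-mountable filesystem from which binaries can be run.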

----------

## ulenrich

a simple mount should not be dangerous, or?

a new line in /etc/sudoers:

```
yourname  ALL = (root) NOPASSWD: /usr/bin/mount
```

----------

## PaulBredbury

No need to install sudo, PAM is sufficient to become root conveniently.

----------

## mv

 *ulenrich wrote:*   

> a simple mount should not be dangerous, or?
> 
> a new line in /etc/sudoers:
> 
> yourname  ALL = (root) NOPASSWD: /usr/bin/mount

 

Very bad idea: This opens your system to all sorts of exploits. Starting from simple "bind"ing of files/dirs up to loop mounting with offsets and all kind of file systems; any bets, this is sufficient to install a rootkit. mount already is SUID root, and the safe operations are (or can be) allowed. If you really need it, only allow exactly those mount commands which you need.

----------

## mv

 *PaulBredbury wrote:*   

> No need to install sudo, PAM is sufficient to become root conveniently.

 

"No need to write 7 symbols on a paper - a computer with a full-blown text setting system with an attached printer could do this for you as well".

Seriously, if you do not really absolutely need some advanced PAM features (and I cannot think of any reason on a normal desktop unless you have a special hardware device which you want to use for authentication), it is much more secure to not install it: No need to introduce an unnecessary complexity layer.

I would recommend the OP to install a user who is allowed ALL in sudoers. Then use either "sudo -s" or write wrapper scripts for the commands which you really frequently use (about 20 or so will likely be sufficient; no need to waste RAM in every shell with aliases).

I would also recommend to make sure in iptables that this user cannot access "outgoing" internet so that not by accident you start a browser or another internet connection with it.

For browsers etc, I would recommend similar sudo wrappers with a specially "untrusted" user with even more reduced permission (e.g. if you use hardened-sources there are very convenient ways to limit such users even from executing their own binaries).

----------

## cwr

Unless I'm running emerge to install software I tend not to need root - it might be worth digging around to see which directories root (or bin) own that need to be owned by the user.  In my case it's just two directory trees, /home/XXX and /home/projects and with these owned by my standard login (XXX) I seldom need to switch to root.  When I do I just use "su -", but there are a couple of commands in /etc/sudoers, one to shut down the machine and one to mount and unmount a CD.

Will

(Running as root is in fact risky, too risky for me, and I have a pretty complete set of backups.  I can't remember when I last blew stuff away unintentionally, but I have wiped filesystems by mistake in the past.  Run as an ordinary user, and set your system up accordingly.)

----------

## mv

 *cwr wrote:*   

> Unless I'm running emerge to install software I tend not to need root

 

eix-sync, eix-update, emerge, etc-update, burning CDs, (re)starting certain init-scripts (e.g. net.* on a laptop), genlop, cleaning logfiles, editing config's, scripts for cleaning/comparing config's, gcc-config, eselect, some mount commands, scripts for compiling/installing the kernel ... I have a list of almost 40 commands which I need more or less regularly for administration but which would be dangerous to allow usage for all users without a password. Not to speak about certain cases when a file needs to be chown'ed to be shifted from an untrusted account to a trusted account (the converse is not necessary since trusted users can just become members of untrusted groups).

----------

## wcg

A way around sudo and su is to switch virtual consoles (alt-F[digit]) [edit:] ctrl-alt-F[digit] if you are in an X session[/edit] and simply login as root. Do not connect to the www or other online resources from the root console (except maybe "emerge --rsync", and I do not know that you actually need to be root to do that), and remember to logout from that console before you leave the room, so that someone else cannot sit down at your console and be logged in as root.

I use these aliases in root's .bashrc (adjust if you use a different login shell than bash):

```
alias rm="rm --preserve-root"
alias chown="chown --no-dereference --preserve-root"
alias chgrp="chgrp --no-dereference"
alias chmod="chmod --preserve-root"
export rm chown chgrp chmod
```

(Helps mitigate the impact of distractions, lack of sleep, and symbolic link virtual land mines.)

----------

## blain3

Well, and sorry for taking so long to reply but school is taking a lot of time. As for editing config files yes I do a LOT of this. I'm the kid who broke all his toys open to see what's inside I guess, and I'll get distracted but yeah, I want to install a system that I'll actually not intentionally disfigure, and this is my new laptop with the SSD and I'm getting there, with the newer hardware it's a pain, networking, even worse considering my year and a half old laptop (10x slower) took me maybe a few hours to get a working xfce Gentoo install. So while I work on this crap I figured I would ask. I mean if someone actually got into my system? I'd just repartition it from my second OS, which is lately Arch. I'll definitely look into these suggestions, and I understand that running root isn't something new users should do as I went through that, and still do, I just didn't know how much of a risk it was, unseen variables I hadn't thought of? that kind of thing, and advice is always a good thing, and respected here above others. Thanks guys for the input.

----------

## blain3

Huh.. well I decided to use pentoo's repo, which had in the past never let me past command on boot on this new laptop. Well I must say being stubborn has me pretty happy right now. Anyway by default with this I run everything as root. Honestly I'll not say or advise anyone else.. especially new to Linux or even Gentoo / Arch type distros but I just simply can't live without the freedom. Now when I finish college or if I do any type of corporate work, obviously I would never be so careless. Yet right now, with the desire to learn the system and programming this works for me. I am going to keep all suggestions in mind meanwhile though. Now I just need to back up my data I suppose and hope my SSD holds out for a few years or so. Thanks again guys, I think I'd rather just deal with anything negative from this, I'm using a hardened kernel, firewall, almost 20 character root pw so.. I'll back it all up on my 2nd HDD just in case.

----------

## mv

 *blain3 wrote:*   

> I'm using a hardened kernel, firewall, almost 20 character root pw so.. ill back it all up on my 2nd HDD just in case.

 

If you use a browser as root, all these things are completely superfluous - if you click a site which tries to attack your machine by any browser exploit, it will just install its rootkit without any difficulties.

----------

## mv

 *wcg wrote:*   

> 
> 
> ```
> 
> alias rm="rm --preserve-root"
> ...

The -h switches I found convenient, too. However, I am not getting why you do the rest: --preserve-root is the default and thus superfluous, and exporting aliases has no effect unless you have a very strange setup. I recommend to use zsh instead of bash also as root, because it has some further sanity checks built in. (However, if you do this, make sure to use only config's for which you really understand the consequences so that you will not get tricked if e.g. you cd to /tmp and a user has setup there some /tmp/.git to trick e.g. a "convenient" prompt script).

----------

## wcg

I use command line options explicitly that are the default in aliases in case the default changes out from under me after a package update. If an option like --preserve-root is specified explicitly, it does not matter whether that is the default or not. (It only matters that the way it actually works matches the documentation.)

bash's export command is not needed with aliases for the alias to have the same value in subshells of the shell instance where the alias was assigned a value?

----------

## mv

 *wcg wrote:*   

> bash's export command is not needed with aliases for
> 
> the alias to have the same value in subshells

 

First of all, bash's export command exports variables (and since a few versions also functions if you use export -f; at least 4.2_p37 cannot yet export aliases, and I doubt that this will ever be implemented). So your "export" command actually only marks 4 variables (which probably are all unset in your case) as "to be exported".

Concerning the scope, it is the same as with shell-variables which are not exported: They are inherited by subshells, but if you modify them in the subshell the modifications are not "pulled back", of course. Of course, aliases are also not inherited by external programs (like scripts starting a new instance of bash or with sudo, but in scripts aliases are inactive by default anyway).
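To make the scoping rules described above concrete, here is an added shell snippet (mine, not from either poster) that runs the checks in a throwaway bash so the caller's shell is untouched: it defines the alias, "exports" it, and then reports whether a ( ) subshell sees the alias, whether a freshly started bash sees it, and whether export put anything into the environment. It assumes bash is installed; the function name alias_scope is my own.

```shell
#!/bin/sh
# Where is a bash alias visible? Runs everything inside a child bash.
# Expected single output line:  subshell:yes child:no env:no
alias_scope() {
    bash -c '
        shopt -s expand_aliases            # aliases are inactive in scripts unless enabled
        alias rm="rm --preserve-root"
        export rm                          # marks an (unset) variable "rm", not the alias
        # A ( ) subshell is a fork of this shell and inherits its alias table.
        ( alias rm >/dev/null 2>&1 ) && printf "subshell:yes " || printf "subshell:no "
        # A new bash process starts with an empty alias table.
        bash -c "alias rm" >/dev/null 2>&1 && printf "child:yes " || printf "child:no "
        # The environment carries only exported variables that have a value.
        env | grep -q "^rm=" && printf "env:yes" || printf "env:no"
        printf "\n"
    '
}

alias_scope
```

The same holds for "sudo bash" or a script started from the root shell: both are new processes, so the safety aliases from the earlier post are simply not there in them.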

----------

## The Doctor

Your password is kind of irrelevant here. As pointed out above, now all the stuff you are running can destroy your system. Particularly with internet browsing, you have no defense. Iptables is completely bypassed in this case since you are the one initiating internet contact.

Running as root really is that bad. If you really don't care about local attacks, then just do as BillWho said and give yourself passwordless sudo. Another side effect is that most applications are not meant to run as root. Doing so can have unforeseen consequences, such as malfunctioning programs. There are also a large number of GLSAs that have exploits with the "privilege of the process", in other words you would give them root access.

You can't run Linux like windows. These levels of security are in place for a very good reason: the system itself is resistant to attack. You are literally stripping away all that security for the sake of convenience. Iptables and Hardened sources will not protect you. PaX changes the memory addresses to prevent _applications_ from being used to attack you due to predictable memory locations. It does nothing to prevent applications from following instructions from the web to attack you or to carry out their programmed function to attack you. In short, it does not stop malicious code that directly implements its attack. Iptables also only filters internet traffic based on very simple logic: "if the user started this, it's okay, if not drop it" type of stuff. It does not check content at all.

A computer connected to the net can last about 10 minutes without virus protection. Without yours, how long do you think you will make it?

----------

## Jaglover

There is also an ethical side to it. Opening up your box for cyber-criminals. There are already millions of Windows computers used to gain impunity and commit various crimes. Why add a Linux box to their botnets?

----------

## blain3

So the fact that I've literally been doing this with either BT5, Pentoo/Gentoo for months now and have yet to have my email hacked (happened with win 7). Things like clamav, firewall, and *99% of the time* I'm using no scripting plugins, ad blocking plugins, foxyproxy, ghost, etc.. That, or I tend to use Links / Seamonkey and sometimes opera. I mean as for viruses? Never had one that I know of. No data that cannot be replaced is on my system normally, it's all on my external backup. I guess my argument is this: if I install ubuntu > 11.10 I'm getting un-asked for spyware integrated into my system. Use google chrome? I'd cut my fingers off before I would give google even more access than they already have on the general public. Now don't take this as me dismissing your arguments, because until now, no one has given me so much as a clear reason. Now for the sudo thing, really pita for me so if I add a user and say put him in the root group, would this be better? Or say put him in groups needed to use emerge, edit sys files, save over config files in Geany.. I have no SSH setup, or RDesktop, for that matter. If I do add a user with slightly escalated privs to possibly use vmware to create a bridge network or some such to hide my main computer, at least while at home?

----------

## PaulBredbury

mv, PAM is enabled by default in Gentoo. That's how dangerous the devs think it is  :Wink: 

blain3, just set up PAM or sudo so that typing in a one-character command switches you to root. It's really that simple. Please note that these threads about "I wanna be root all of the time" are always by beginners. I switch between my normal user and root often, and don't need to ludicrously compromise security to do it. In fact, I run AppArmor too, to protect Internet-facing apps such as firefox, evolution, webserver, skype, instant-messaging, chrony.

We don't want your PC to be vulnerable, because we don't want to receive viagra spam emails from it when it gets taken over by a Chinese botnet, thanks  :Rolling Eyes: 

I'd also recommend reading this.

----------

## The Doctor

<rant> The basic point here is you can't hide your browser from the net. You use the net and therefore request all those pop ups and spyware. It does not matter how heavily you guard your system. Quite frankly, hardened Gentoo and iptables guard against the TV form of hacking, ie freckled teenage computer genius who breaks into your system remotely. By simply restricting your SSH daemon you can dramatically reduce this risk. Of course, by "restrict" I really mean "use correctly", ie disallow root logins and use public key authentication whenever possible. This type of attack is really not a threat to a normal desktop.

 *Quote:*   

> So the fact that I've literally been doing this with either BT5, Pentoo/Gentoo for Months now and have yet to have my email hacked (happened with win 7).

You don't necessarily know if you have been compromised. A good fraction of malware is not meant to reveal itself.

 *Quote:*   

> I'm using no scripting plugins, add blocking plugins, foxyproxy, ghost, etc.. 

Good, but foxyproxy has nothing to do with malware. It simply redirects your internet. Ad blockers are also nice for eliminating the p0rn pop ups, but again they don't necessarily stop malware. If by no scripting plugins you mean disabled flash support and javascript, then that is a step in the right direction but is again absolutely no guarantee. The site itself can be a threat.

 *Quote:*   

> I mean as for viruses? Never had one that i know.

They exist for Linux. The easiest way to remain blissfully ignorant of this is not to use root for everyday use.

 *Quote:*   

> No data that cannot be replaced is on my system normally, its all on my external backup.

This is actually bigger than just you. If your box is compromised it can affect hundreds of people. Not all attacks are about vandalism. I would actually say those are the minority. See Jaglover's post.

 *Quote:*   

> Use google chrome?

Chrome, maybe. Chromium is open source, so it gets vetted. Either way, it's safer than running as root. Let's face it. No one really cares about you. All they want is your credit card number.

 *Quote:*   

> Now for the sudo thing, really pita for me so if i add a user and say put him in the root group, would this be better?

Making a second root user? Not really.

Basically, using root breaks the security model. I would assume that was a reason for choosing Linux. If you just want to play with config files as root, then add this one liner to your sudoers file:

```
%wheel ALL=(ALL) NOPASSWD: /usr/bin/vim
```

and then add this to your .bashrc

```
alias vim="sudo vim"
```

or similar. That way you can do everything you want to as root without being bothered but without breaking the security model.

Alternatively, let me offer you this piece of advice: if you are running everything as root you may as well disable your firewall and switch back to gentoo-sources. You have already negated the entire security system. Basically you are trying to use a screw driver as a hammer. It may work for a while, but it is not the right tool for the job. Besides allowing for ill-placed keystrokes to do damage, your entire system is open to the net and/or to buggy applications. 

To sum up: you should not run as root because doing so negates the security design of the system. It's akin to using windows without installing virus software.</rant>

EDIT: Link to information about linux malware. Note one of the greatest strengths is the lack of root access.

EDIT2: Think of the root account as a chest that contains all the good stuff and the root password as the key. If you leave it open all the time the key is irrelevant. Having that 20 character key is a complete waste. The chest is never locked.
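Three sudoers lines have been proposed in this thread so far: BillWho's "%wheel ... NOPASSWD: ALL", ulenrich's "NOPASSWD: /usr/bin/mount" (which mv objected to, advising to allow only the exact mount commands needed), and the vim line just above. What separates them is whether the command carries an explicit argument list, because a bare path makes sudo accept any arguments for that command (sudoers(5)). Here is an added shell check, written for this thread and not part of sudo or of any poster's setup, that classifies simple one-line user specifications accordingly. The sample sudoers text is constructed (the thread's three lines plus two argument-restricted forms) and the function name sudoers_classify is my own; it does not parse aliases, Defaults or include directives.

```shell
#!/bin/sh
# Classify one-line sudoers user specifications by the scope they grant.
# SUDOERS_SAMPLE is constructed sample text. This is a scope check only;
# use "visudo -c" for syntax validation of a real file.
SUDOERS_SAMPLE='%wheel ALL=(ALL) NOPASSWD: ALL
yourname  ALL = (root) NOPASSWD: /usr/bin/mount
%wheel ALL=(ALL) NOPASSWD: /usr/bin/vim
blain3 ALL=(root) NOPASSWD: /bin/mount /dev/sdb1 /mnt/usb, /bin/umount /mnt/usb
blain3 ALL=(root) /sbin/shutdown -h now'

# sudoers_classify: print "<who> <nopasswd|passwd> <verdict>" per entry.
#   full-root    - the command list is ALL
#   unrestricted - some command is a bare path, so any arguments are accepted
#   restricted   - every command carries an explicit argument list
# Understands "who host = (runas) [NOPASSWD:] cmd [args], cmd [args]" only.
sudoers_classify() {
    printf '%s\n' "$1" | awk '
        NF == 0 || /^[ \t]*#/ { next }              # blank lines and comments
        {
            who = $1
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)          # strip "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", line)       # strip "(runas)"
            sub(/[ \t]+$/, "", line)
            tag = "passwd"
            if (sub(/^NOPASSWD:[ \t]*/, "", line)) { tag = "nopasswd" } else { sub(/^PASSWD:[ \t]*/, "", line) }
            verdict = "restricted"
            n = split(line, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (cmds[i] == "ALL") { verdict = "full-root"; break }
                # a command spec that is a single token has no argument list
                if (split(cmds[i], parts, /[ \t]+/) == 1) verdict = "unrestricted"
            }
            print who, tag, verdict
        }'
}

sudoers_classify "$SUDOERS_SAMPLE"
```

On the sample, the wheel/ALL line is reported as full-root, the bare mount and vim lines as unrestricted, and only the two entries with fixed arguments as restricted. That is the shape mv was asking for: the fewer free arguments a NOPASSWD entry leaves open, the less it differs from a plain root shell.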

----------

## wcg

 *Quote:*   

> at least 4.2_p37 cannot yet export aliases,

 

Thanks for the insight into bash's export command, aliases,

and subshells.

----------

## mv

 *The Doctor wrote:*   

>  *Quote:*   So the fact that I've literally been doing this with either BT5, Pentoo/Gentoo for Months now and have yet to have my email hacked (happened with win 7). 
> 
> You don't necessarily know if you have been compromised. A good fraction of malware is not meant to reveal itself.

 

This is the main point: Most hackers want to have a botnet which they can use to send spam mails. If you are a victim of such an attack, the only thing you can realize (if you are not an expert and examine the harddisk carefully from a boot CD) is that you lose a few percent of computer time and a few percent of your internet bandwidth (and only in some less frequent cases when your machine e.g. takes part in a child porn ring also some harddisk space); of course, all this is well hidden and cannot be seen with the compromised tools which the hackers most likely installed with their rootkit.

 *Quote:*   

> The site itself can be a threat.

 

Note that even reliable organizations can have been hacked - it is not so rare as one might think. Usually, they repair their hacks when they realize it (after some hours/days) and if they are commercial, they usually do not want to make popular that they had been hacked. Recall that even organizations driven by linux specialists (debian, kernel) and with (hopefully) careful security policy have been victims of such attacks.

----------

## mv

 *PaulBredbury wrote:*   

> mv, PAM is enabled by default in Gentoo. That's how dangerous the devs think it is 

 

Yes, it is the first thing I change after a fresh installation. I think PAM is on by default, because LDAP is on by default: The defaults are obviously chosen for computers which are part of a big net in a company and where it is necessary to have a central user database. There is absolutely no reason to have LDAP login on a single-user ("isolated") desktop and thus no reason for PAM on such a machine.

(Unfortunately, there is one problem with it: With acroread one cannot edit documents for which this is allowed by acrobat, because acroread for some strange reason wants the ldap library in that module - if anybody has an idea how to avoid this, I would be very grateful)

----------

## Hypnos

PAM is a way to authenticate users without having to setuid programs such that they can read /etc/shadow.

In practice, there are few programs which need to read /etc/shadow but aren't run as root or setuid anyway, such as screen lockers.  xlock has a workaround for this, in which you store a password in a read-only file in your home directory for the sole purpose of screen locking.

The problem with acroread is the ldap dependency; I suppose things like this can happen to binary-only or poorly-written programs.

NOTE: Edited for precision 09:59 UTC

----------

## mv

 *Hypnos wrote:*   

> PAM is a way to authenticate users without having to setuid programs such that they can read /etc/shadow.

 

Already this makes your system in a way more vulnerable to brute-force attacks (although probably there are again PAM modules to limit this somewhat, I have not checked recently), but actually PAM is much more, of course, with all its plugins.

 *Quote:*   

> The problem with acroread is the ldap dependency; I suppose things like this can happen to binary-only or poorly-written programs.

 

Yes, of course, but unfortunately there is no other program to annotate a PDF file under Linux. Or do you know some?

(Okular and AFAIK evince can make annotations, but these can only be viewed with Okular or Evince, respectively, and thus not e.g. be returned to a publisher who uses only acrobat).

----------

## Hypnos

 *mv wrote:*   

> Already this makes your system in a way more vulnerable to brute-force attacks (although probably there are again PAM modules to limit this somewhat, I have not checked recently), but actually PAM is much more, of course, with all its plugins.

 

Why would brute-force attacks be more effective on a PAM system than a non-PAM system?  Doesn't it just come down to password quality?

There is indeed a way using PAM to blunt brute-force attacks. (EDIT: It's in Portage already as sys-auth/pam_abl)

 *Quote:*   

> Yes, of course, but unfortunately there is no other program to annotate a PDF file under Linux. Or do you know some?

 

Sadly I do not, which is why I also have acroread installed.

----------

## mv

 *Hypnos wrote:*   

> Why would brute-force attacks be more effective on a PAM system than a non-PAM system?

 

Normal login has a severe time delay built in by default. For the PAM library this is not necessarily the case. Of course, it depends on which modules are active and how you configured it. If I understand your reply correctly, a delay is not active in Gentoo's default configuration (I did not install PAM for a long time).

My main point is: PAM is an additional layer and thus increases the possibility to overlook something (either by the user in configuration files, e.g. if he did not think about the mere possibility of brute-force attacks, or also by the PAM program hidden somewhere in the code itself). So if you do not really need what it offers (e.g. I do not need any screenlocker functionality at home), better do not use it.

----------

## Hypnos

Indeed, you can introduce a delay in pam logins using the pam_fail_delay function, and there is a pam_delay module out there as well.  I agree with your main point; there is always a balance to be struck between complexity and functionality.

Finally, let me add that x11-terms/tilda makes a nice root console for X11 -- just 'su -' in it and forget it.

----------

## LoTeK

I recently thought about adding a "web-user" with very limited privileges (not a member of the wheel group, a different group from my main user) and with no files in /home/webuser. So I would log in as normal user, start a shell, do su web-user and from this shell I'd start firefox. Would this be more secure or just more complicated? 

As I started with linux as a "not-only-consumer" I had the same questions as the original poster, because it's so exhausting to type a 20 character password just to install a program. Although I never bothered reading about su/sudo, the sudo-way was always unappealing to me because one can do root things with the normal password. So since then after logging in as normal user I always start a shell with su (or I log in as root with <ctrl><alt><F2> in another session) and if I have to do "root-things" I do it in this shell. But I always had the feeling that this is also not a very good solution. Is this just an unjustified feeling? Or would it be better to overcome laziness and always log out the root shell and if it's needed again to login again?

And for the computer hijacking thing: is there a way to have total control over your computer or is it way too complex even for an expert? I hate the feeling that very very much is going on when I'm starting my computer but I just see a wallpaper   :Smile: 

How should I understand this network-thing, is it the case that as soon as you are connected to the web, then you'll be seen and automatically many programs try to get access to your system?

----------

## Hypnos

If you want to thwart your adversaries you must understand the battlefield at least as well as they do.  This means understanding computer architecture, or at least heeding the advice of those who do.

As to your questions:

1) Of course if you run network-facing application as a separate user whose account has no critical datafiles it provides a barrier against a compromise of more important things on your machine -- critical data, software.  Whether it's worth the complication is up to you.

2) I don't see any problem leaving open a root shell in a terminal, whether a GUI pseudo-terminal or virtual console, as long as you have physical control over the machine.

3) As long your motherboard runs closed-source firmware you are not in complete control of your machine.  (discussion)

4) It's a matter of luck whether or not malicious agents will attack the open ports you expose to the Internet.  Usually they attack known ports like ssh 22 or www 80 on fixed IPs, imputing that servers listening on those ports are valuable.

----------

## LoTeK

 *Quote:*   

> If you want to thwart your adversaries you must understand the battlefield at least as well as they do. This means understanding computer architecture, or at least heeding the advice of those who do. 

 

very true, but unfortunately there is probably always someone that understands more    :Smile: 

 *Quote:*   

> 1) Of course if you run network-facing application as a separate user whose account has no critical datafiles it provides a barrier against a compromise of more important things on your machine -- critical data, software. Whether it's worth the complication is up to you.

 

Then I'll do it because its not much more complicated.

 *Quote:*   

> 3) As long your motherboard runs closed-source firmware you are not in complete control of your machine. (discussion) 

 

I also thought about that (I haven't read the whole discussion yet), therefore I've always recommended the lemote yeelong laptop, when somebody asks what are good laptops, which has open hardware/firmware but unfortunately it's not powerful enough. 

 *Quote:*   

> 4) It's a matter of luck whether or not malicious agents will attack the open ports you expose to the Internet. Usually they attack known ports like ssh 22 or www 80 on fixed IPs, imputing that servers listening on those ports are valuable.

 

So obviously one has to close as many ports as possible, and therefore it will be a fight between "total security - no connection at all" and "no security - all ports open".

----------

## mv

 *LoTeK wrote:*   

> I recently thought about adding a "web-user" with very limited privileges (no member of the wheel group, another group as my main user) and with no files in /home/webuser. So I would log in as normal user, start a shell, do su web-user and from this shell I'd start firefox. Would this be more secure or just more complicated?

 

This is what I do. This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.

For exchanging files (e.g. for download/upload), it makes sense to give this user umask 007 and make your normal user a member of that user's group (but not vice versa, of course).

Be aware that you have to pass Xauthority data to that user, since otherwise he cannot start firefox. Of course, this means that he will also be able to do keylogging and perhaps also send keys to other windows, so you must be aware of that (however, "unprivileged permissions" turned out to be too restrictive for "normal" working with firefox).

 *Quote:*   

> the sudo-way was always unappealing to me because one can do root things with the normal password.

 

sudo can do everything which su can, just more: It is up to you whether you configure sudo to use the user's password or the destination's user's (i.e. normally root) password.

You can also configure it to use no password at all: If you access the net only with a separate user, this is perhaps reasonable (although there is the danger mentioned below).

 *Quote:*   

> So since then after logging in as normal user I always start a shell with su (or I log in as root with <ctrl><alt><F2> in another session) and if I have to do "root-things" I do it in this shell. But I always had the feeling that this is also not a very good solution. Is this just a unjustified feeling?

 

In a separate Linux console, it is not a problem at all. Within an X session in which you also start e.g. firefox with the unprivileged user, that user - once he has the Xauthority data - can access your root console and e.g. emulate that you typed some keys there. Theoretically, he might also control the screen to some extent so that you cannot see this.

 *Quote:*   

> And for the computer hijacking thing: is there a way to have total control over your computer or is it way to complex even for an expert?

 

With sane starting systems (not with crazy interacting daemons like systemd+*kit) it is not hard to have very good control over your system. However, if a rootkit is installed already and thus programs do not do exactly what they are supposed to, you are lost without booting from a safe medium and comparing checksums or something similar.

For instance, if the netstat utility I mention below was replaced by a rootkit, it will certainly not display an installed trojan listening on some port.

 *Quote:*   

> How should I understand this network-thing, is it the case that as soon as you are connected to the web, then you'll be seen and automatically many programs try to get access to your system?

 

You can be seen, but unless the kernel's network stack is buggy, your machine cannot be accessed. Only daemons listening on ports can be seen. You can run 

```
netstat -tulpe
```

to see which daemons are listening: everything listed there whose "Local Address" does not start with "localhost:" is dangerous and should be either switched off completely or configured in such a way that it listens only on "localhost" (unless you really want this service to be accessible from everywhere in the world). In order to avoid opening such a port by mistake you can configure iptables to block this, but iptables has a rather high learning curve. For starters you can use some simple script like "firewall-mv" (from the mv overlay), but make sure to read and understand the configuration options first. There are certainly also other iptables generators out there, but I have no experience with these.
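
As an added example (not part of mv's post or the mv overlay), the rule above turned into a small POSIX shell filter: it reads `netstat -tulpe` output and prints only the listeners whose "Local Address" is not loopback, i.e. the ones that need to be switched off or rebound. The netstat output it runs over here is constructed, not a real capture.

```shell
# Added example (not from the thread): flag listening sockets that are not
# bound to loopback, i.e. the ones mv's rule says need attention.
# Feed it the output of `netstat -tulpe` on stdin.
flag_exposed_listeners() {
    awk '
        # netstat prints two header lines; skip them and anything too short
        /^Active Internet/ || /^Proto / || NF < 4 { next }
        {
            # $4 is "Local Address"; with hostname resolution on (no -n)
            # loopback shows as localhost:, otherwise as 127.x.x.x or [::1]
            if ($4 ~ /^(localhost|ip6-localhost|127\.[0-9.]+|\[?::1\]?):/) next
            # udp rows have no State column, so take the program from the last field
            print $1, $4, $NF
        }'
}

# Constructed sample in netstat -tulpe layout (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      root       12345      1234/cupsd
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      root       12346      1235/sshd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       12347      1235/sshd
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           root       12348      999/dhcpcd
udp        0      0 localhost:323           0.0.0.0:*                           root       12349      1000/chronyd'

# Run over the sample; on a live box use: netstat -tulpe | flag_exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | flag_exposed_listeners
```

For the sample this reports sshd (both address families) and dhcpcd, while cupsd and chronyd bound to localhost are left out.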

----------

## LoTeK

 *Quote:*   

> This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.

 

I have a hardened kernel / hardened profile; do I have to install for example RSBAC to get this "untrusted" group? Why is it good that this user can only start programs from root-owned directories? So they would be started in a "root environment", or am I overlooking something?

 *Quote:*   

> This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root.

 

Cool, thanks, I didn't know that. Maybe a stupid question, but why is "sudo" not used by everyone? (except for the uninformed).

----------

## mv

 *LoTeK wrote:*   

>  *Quote:*   This web-user belongs to the "untrusted" group in hardened-sources and thus can start only programs in directories owned by root. 
> 
> I have a hardened kernel /  hardened profile, do I have to install for example RSBAC to get this "untrusted" group?

 

No: Security options -> grsecurity -> Customize configuration -> Executable Protections -> TPE. Actually, I realize now that all users except my "main" users are untrusted.

 *Quote:*   

> Why is it good that this user can only start programs from root owned directories?

 

The user cannot start his own binaries (e.g. if he downloaded one from the net or compiled one) but only binaries installed by root. It is not too safe, but a measure against some of the most common exploits of privilege escalation bugs.

 *Quote:*   

> Maybe a stupid question, but why is "sudo" not used by everyone? (except for the uninformed).

 

I think it is the default for most distributions by now. However, it is not part of the classical Unix toolchain but a relatively young tool (compared to the shadow system). Moreover, whether it is useful depends on the setup, of course: e.g. if you have PAM installed anyway, this might be a more reasonable solution for some applications. As mentioned earlier, perhaps most Gentoo systems are servers or part of a company network (or perhaps at least the devs guess so).

----------

## blain3

I must say that, searching on this topic off and on for a while now, I have never seen so much information piled into a single thread. For now, until I understand more of this, I think I will just make a default user and use root when I'm not connected to the internet, as it's easier for some things, or possibly just use su. I guess I can deal with typing out my password. Also I must say, I can find this answer all over, but never have I seen so many arguments backed up and logically thought through and explained. Much more information than I had expected.

----------

