# Always logged in as root, why not?

## Kodama

Everyone tells me that doing everyday work at your computer logged in as root is considered unsafe, why? I started using Linux 3 months ago, and I have only been logged in as root, with no problem.

I can use renice, I don't have to su when installing stuff, it's great.  :Wink:  Please educate this poor newbie if this is totally wrong.  :Smile: 

----------

## idl

I get sick of su'ing all the time and end up with a load of consoles open all over the place, so I just use root all the time. It's unsafe because one typo could render your machine fucked. Also some other security risks, but in reality these security risks are very slim.

----------

## Krookednek

But if you think what you are doing is right, you are going to just sudo it anyway, so I don't see how it helps either.

----------

## fyerk

Userspace applications should never be run as root.  If there was a bug in a common application, the security implications would be more severe as root than as a normal user.

For example, let's say you're running BIND as root instead of 'named'. An exploit for BIND comes out.  Now, your entire machine is vulnerable instead of just the space to which named has access.

On the client side, what if there was a similar bug in mozilla that could be exploited? Your entire system is now at stake instead of just your own userspace.

Additionally, there is almost nothing that root can't do. So an accidental 'rm -rf' could hose your entire box.  Doing day to day tasks adds some safeguards against those types of mistakes.

Lastly, if you're su'ing a lot, you should look into 'sudo'. This allows you to run root-level commands (without a password if you want). This obviates the need to 'su' a lot - especially for common commands.

----------

## Lovechild

renicing for a user is a simple patch for the kernel.

----------

## Koon

One of the reasons Linux appears more stable than Windows is that you (should) run 95% of your applications under an account that cannot really do harm. Using a graphical file manager under root privileges seems really dangerous to me (whoops, mouse dyslexia just trashed my /dev). 

Under Windows you cannot do anything if you aren't Administrator so you run everything as Administrator and any software hole can as such propagate to your whole machine and your whole network. This is one of the reasons why viruses are not efficient on Linux.

It shouldn't be a pain to use su because it should be exceptional. YMMV...

-K

----------

## pjp

I always leave a terminal open in which I've su'd to root.  Not a big deal at home.  At work, I've gotten into the habit of locking the screen or logging out if for extended periods of time.

----------

## zhenlin

Not using root is a test of your system's permissions. I must say, I have gone completely off using root in a GUI, I had mouse dyslexia once, and I did the GUI equivalent of mv -f /usr /proc... My entire /usr was gone. Although I frequently login as root in console mode.

----------

## carambola5

Have you read the Official Dumb Mistakes Thread (TM)?

You'll see plenty of reasons to not be logged in as root all the time.  Just the thought of 'rm -rf / tmp' scares me (take note of the space between / and tmp)

----------

## dasalvagg

Root stops viruseseses...if there were any for Linux.  A virus needs root access to affect your entire system, otherwise the most it can do is wipe out your home directory.  If you are in root it can duplicate itself and possibly add a script to oh say /bin/bash that will send the virus out to others every time it's activated.  This is why Linux is better than Windows.  In Windows virus protection is used to scan them, that's the best method.  In Linux..a virus can't spread past permissions, therefore inherently more secure.

----------

## oniq

Because my name's not root.

----------

## Arthur Vandelay

Because that is the Microsoft way of doing things, and look where it got them. You are always root on a win95/98/ME system. Install a game...fucked filesystem. Download mail...virus...fucked system. 

I was like you once, young and full of my own arrogance. 4 shots of vodka later and one stupid typo in a shell script and I deleted my root partition. I learned my lesson, and you'll learn yours too my friend. Just give it time.

----------

## zaftro

 *oniq wrote:*   

> Because my name's not root.

 

Hehe, nice one oniq.

----------

## ahr

 *Arthur Vandelay wrote:*   

> ... 4 shots of vodka later and one stupid typo in a shell script and I deleted my root partition...

 

Only four? Chickenhead   :Twisted Evil:   :Smile: 

----------

## CountZero

What's the big deal with having to su?

I set up su so that users of the wheel group don't have to type a password to be root.  This could be an issue if you run any type of service on your box but I use this strictly as a desktop machine so  I don't run anything like that.

I realize that this is an unsecure practice, but I would think it less insecure than running my machine as root.

----------

## sundiver2k

First of all, not all Windows require "root/administrator" access to do anything.  We're 100% Win2k where I work, and nobody has administrator rights on their desktop.  Of course, it took us quite a bit of time to set up the security rights so things would work correctly, but that's true of Linux too.  From an administrative point of view, setting things up that way has kept us from hiring at least 2 more people to do support.  When everyone was free to do whatever they wanted, we couldn't get any major projects completed because we were constantly fixing machines where the user "didn't do anything to the machine."  "It just broke." 

The security systems are there to help you rather than hinder you.  Take advantage of them.  Make it a game and see how low you can set them and still be able to use your machine.  I'll bet you'll learn more about how everything works in the process.  Isn't that one of the reasons for Gentoo anyway?

----------

## zenon

aside from all these technical reasons, for me it's a mentality.  I su in and it's now the "big leagues" "time to take care of biznits" I don't delete move remove or edit ANYTHING until I've made a backup or comment first.  What makes Linux so flexible and bloat free is also its Achilles heel. It is very fragile: ONE wrong character in one wrong file and your whole system could need servicing.... And unfortunately I'm the mechanic so I like to make the fixups a few cp's and I'm done:)

If I hadn't learned to use a normal user I would prolly carry over my microcrap mentality and have bombed my system many more times than I have and a few would have been nukes compared to firecrackers (making a wrong move with the kernel can be a real PITA lol don't ask how I know:))

----------

## jufoa

this is one thing that i like in linux. you can do almost anything with normal user account. settings and all customizations can be stored in home directory. and incorrectly working programs can not mess the whole system up. and if i need super user rights i just take them with su.

----------

## Koon

 *sundiver2k wrote:*   

> First of all, not all Windows require "root/administrator" access to do anything.  We're 100% Win2k where I work, and nobody has administrator rights on their desktop.  Of course, it took us quite a bit of time to set up the security rights so things would work correctly, but that's true of Linux too.  From an administrative point of view, setting things up that way has kept us from hiring at least 2 more people to do support.  When everyone was free to do whatever they wanted, we couldn't get any major projects completed because we were constantly fixing machines where the user "didn't do anything to the machine."  "It just broke."

 

I tried to restrict user rights on my Windows 2k net and I encountered difficulties. Developers needed to have "act as part of the operating system" privilege just to debug IIS... (yes, there's no way to start IIS without System/Admin privileges, say for a test setup on a non-privileged port). Even infographists had problems (due to buggy Adobe software) running their software and printing without Admin privileges. 

I gave up: only the people that just use Office (20% users) could run without Admin rights. It's not all due to W2k, it's often due to buggy third-party software, but it's the past Windows history (everyone was Admin) and laziness that made them write software that can blindly do anything (insecure by design).

So I prefer the "do everything as user by default" approach, since it leads to secure by design software, good habits and natural resistance (I didn't say invulnerability) against viruses (especially macro-viruses) and intrusion through software holes.

-K

----------

## MasonMouse

I've been running various Linux distros for years, I never create user accounts (anymore) and I've never had a problem. As someone else pointed out, if you're planning on doing major file management or system changes, you're already going to be doing it as root so the excuse that you might mess up something doesn't really hold water. I administrate other Linux systems where they have user accounts setup and it's always nice to come home where I'm not having to type and retype passwords every 30 seconds.

----------

## drakonite

Two days ago I went to uncompress a file.  Suddenly there were a billion and a half error messages.  The file (a zip file btw) wanted to extract to a lot of places in my filesystem that can't be written to as a normal user.  After looking into it a little bit I realized it would have done a lot of damage to my system if it had been able to put the files it wanted to put where it wanted to put them.

Don't worry... After the first time you have a program that you've made a small typo in the config file destroy your entire system you'll never use root unless you absolutely have to again...

----------

## henke

 *Arthur Vandelay wrote:*   

> I was like you once, young and full of my own arrogance. 4 shots of vodka later and one stupid typo in a shell script and I deleted my root partition. I learned my lesson, and you'll learn yours too my friend. Just give it time.

 

Remember the words young Grasshopper. Remember that people tried to warn you...  :Twisted Evil: 

----------

## zephyr1256

 *MasonMouse wrote:*   

> I've been running various Linux distros for years, I never create user accounts (anymore) and I've never had a problem. As someone else pointed out, if you're planning on doing major file management or system changes, you're already going to be doing it as root so the excuse that you might mess up something doesn't really hold water. I administrate other Linux systems where they have user accounts setup and it's always nice to come home where I'm not having to type and retype passwords every 30 seconds.

 

Actually, it does hold water.  First, you shouldn't be needing root access every 30 seconds.  If you need it THAT often, I guess you might be asking for trouble anyway.  So anyway, to reiterate a very possible mistake that could be easy to make if root access is the norm:

```
rm -rf / mydirectorypath
```

If you are in a hurry typing things, mistakes like this could hose your system, even if you aren't doing 'risky' operations.  Then there is the issue that you are more vulnerable to all security vulnerabilities in the programs you run.

If you need to su a lot, you could use a different colored terminal for that purpose, which would make it more deliberate without having to type a password all the time.  I currently have a different prompt for root and I check password on su, which works for me and doesn't bother me.  Whatever works for you (different terminals, no password check but deliberate su or sudo, and so on), but it's not secure to be logged in as root all the time.

----------

## kraylus

 *CountZero wrote:*   

> What's the big deal with having to su?
> 
> I set up su so that users of the wheel group don't have to type a password to be root.  This could be an issue if you run any type of service on your box but I use this strictly as a desktop machine so  I don't run anything like that.
> 
> I realize that this is an unsecure practice, but I would think it less insecure than running my machine as root.

 

how do you do that? i have my non-priv users in the wheel group, but i still have to su and type in a pw to be root. i would like to avoid that if possible... thanks!

ryan

----------

## Jarjar

Actually, the "virus" risk should be as big using sudo as using root. Imagine that you've configured sudo to allow your user all root commands (like I have). Then a malicious program simply runs "sudo rm -rf /", same effect?

 :Embarassed: 

----------

## drakonite

 *Jarjar wrote:*   

> Actually, the "virus" risk should be as big using sudo as using root. Imagine that you've configured sudo to allow your user all root commands (like I have). Then a malicious program simply runs "sudo rm -rf /", same effect?

 

That's why allowing sudo to all commands without a password is a bad idea too.  It will make it so you have to deliberately act as root which will lower the chance of accidentally "rm -rf / somedirectory" to your filesystem but won't give any real protection against malicious programs.

----------

## PowerFactor

 *Jarjar wrote:*   

> Actually, the "virus" risk should be as big using sudo as using root. Imagine that you've configured sudo to allow your user all root commands (like I have). Then a malicious program simply runs "sudo rm -rf /", same effect?

 One good reason to not give your user sudo access to rm.  :Very Happy: 

 If you give your user passwordless sudo access to every command it doesn't really offer much protection at all.

EDIT:doh! drakonite beat me to it. preview wasn't fast enough  :Rolling Eyes: 

----------

## bos_mindwarp

once I did:

```
rm -rf / tmp/somedir/hej.doc
```

note the space after first slash   :Embarassed: 
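The `rm -rf / tmp/...` typo quoted in several posts above works because the shell hands `rm` two separate operands, `/` and the relative path. The following pre-flight check is an added example, not code from any poster: the function names `normalize_path` and `check_rm_args` are hypothetical, the check is purely textual, covers only `/` and top-level directories, and never deletes anything.

```shell
#!/bin/sh
# Added example: report rm operands that name the filesystem root or a
# top-level directory. It only inspects the argument list.

# Collapse repeated slashes and drop a trailing slash so "//", "/usr/" and
# "/usr" compare equal. Textual only; symlinks are not resolved.
normalize_path() {
    p=$(printf '%s' "$1" | sed -e 's|//*|/|g')
    case "$p" in
        /) ;;
        */) p=${p%/} ;;
    esac
    printf '%s' "$p"
}

# Print one line per risky operand; return 1 if any was found.
# Arguments starting with "-" are treated as options until "--" is seen.
check_rm_args() {
    risky=0
    end_of_opts=0
    for arg in "$@"; do
        if [ "$end_of_opts" -eq 0 ]; then
            case "$arg" in
                --) end_of_opts=1; continue ;;
                -*) continue ;;
            esac
        fi
        path=$(normalize_path "$arg")
        case "$path" in
            /)
                echo "REFUSE: operand '$arg' is the filesystem root"
                risky=1 ;;
            /*/*) ;;   # two or more levels deep: not flagged by this check
            /*)
                echo "REFUSE: operand '$arg' is a top-level directory"
                risky=1 ;;
        esac
    done
    return "$risky"
}

# The command line from the post, split exactly as the shell splits it:
# operand 1 is "/", operand 2 is the relative path "tmp/somedir/hej.doc".
check_rm_args -rf / tmp/somedir/hej.doc || true
```

A home-directory slip such as `rm ~/ .gaim` is not caught, because `~/` expands to a path two levels deep.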

----------

## maca

if you don't like typing su ...make a symbolic link to it with s. I'm not going to belabour the points that all the others have made .... but put simply if you're in a production environment things should be more stable .... root is used for configs and such like, not for day to day scripting and or coding .... my advice is learn to use chmod chown chgrp and put users where they belong "behind a big farking wall that stops them doing anything" remember 99% of problems are between the keyboard and the chair.

----------

## tomk

 *kraylus wrote:*   

> how do you do that? i have my non-priv users in the wheel group, but i still have to su and type in a pw to be root. i would like to avoid that if possible... thanks!

 

You can do this with sudo: once it's emerged, edit the /etc/sudoers file and uncomment the line below the line that says 'Same thing without a password'.

This will allow all users in the wheel group to sudo without a password. 

You obviously still have to be careful with sudo, but at least it makes you think about what you're typing.
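Several posts above note that passwordless sudo for every command gives little protection against a malicious program. The following audit is an added example, not part of the thread: it lists sudoers rules that grant `NOPASSWD: ALL`. The function names and the sample rules are constructed, and the parser assumes one rule per line with no backslash continuations, aliases or `#include` directives.

```shell
#!/bin/sh
# Added example: flag sudoers rules that allow every command without a
# password. Reads sudoers-format text from the named files or from stdin.

# Constructed sample, loosely modelled on a sudoers file with the wheel
# line uncommented; not copied from any real system.
sample_sudoers() {
cat <<'EOF'
root ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
alice  ALL=(ALL) NOPASSWD:ALL
EOF
}

# Prints "<line number>: <user or group>" for each offending rule and
# returns 1 if at least one was found, 0 otherwise.
audit_sudoers() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            i = index($0, "NOPASSWD:")
            if (i == 0) next                # rule still asks for a password
            rest = substr($0, i + 9)        # command list after the tag
            n = split(rest, cmds, ",")
            for (k = 1; k <= n; k++) {
                c = cmds[k]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c ~ /^PASSWD:/) break   # password required from here on
                if (c == "ALL") {
                    print FNR ": " $1
                    found = 1
                    break
                }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Demo on the constructed sample: reports the %wheel and alice rules.
sample_sudoers | audit_sudoers || true
```

The `backup` rule is not reported because its passwordless grant is limited to a single command, which is the narrower configuration the replies above argue for.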

----------

## RedBeard0531

I run as root and the only thing I've hosed in the past few years has been my home dir, which runnen as a user wouldn't protect me from.  :Laughing:  I type rm ~/ .gaim or whatever and poof! there goes my home dir. The ironic thing is that since gaim is a directory it isn't deleted. A few years ago I hosed a mdk system while installing aim for linux. I untarred it to my /root instead of to my / dir (I was new and both are called the root directory). When I went to delete ~/usr, I forgot the ~. After that I swore I'd never run as root again. Shortly after I started usen Gentoo, I went back to runnen as root. It is a lot easier.

I have a question though- Why the -f switch on rm? seems like a wasted letter as rm -r works for me.

----------

## baigsabeeh

I hate to have a normal user and I never had one in Fedora Core 3 when I used that for nearly a year as the root user.  How dangerous is it to work and do stuff regularly as the root user?

----------

## codergeek42

Moved from Desktop Environments to Networking & Security as it does not seem to be a question of installing/configuring/using a graphical environment, but of security concerns.

You should only be running things as root on *nix when absolutely needed (such as editing a base system configuration file or the like). In fact, the strict user/root separation of privileges and enforcement of that is one of the fundamental architecture designs of *nix that help make it more secure by default than some other operating systems.

Hope that helps.

----------

## jballou

It's insecure, like how Windows has every user need to be an administrator to do anything but use Notepad. It also keeps the dummy-proofing element out, as a user I can't be in the wrong dir, say, one with essential system files, and rm * -r. As root, if I'm switching between term tabs and I accidentally delete /etc instead of ~/.fvwm I am in a world of hurt.

----------

## Monkeh

 *baigsabeeh wrote:*   

> How dangerous is it to work and do stuff regularly as the root user?

 

Incredibly dangerous. Never, ever, EVER, do ANYTHING as root unless you HAVE TO. And you do not have to for any non-system-administration task. So don't.

----------

## pjp

 *codergeek42 wrote:*   

> Moved from Desktop Environments to Networking & Security as it does not seem to be a question of installing/configuring/using a graphical environment, but of security concerns.

 That would've been fine.  I just happened to know about this thread.  Might as well move it to N&S -- the '03 thread was in Chat.

----------

## codergeek42

Nifty.  :Smile:  Thanks, pjp.

----------

## baigsabeeh

Then could I just use root until I have all my programs setup to the point that I wouldn't need to install more and then just make an everyday user that would be allowed to use those programs.  How would I configure a new user anyway?

----------

## maca

man useradd

----------

## abaelinor

aa

Last edited by abaelinor on Tue Oct 21, 2008 1:41 pm; edited 1 time in total

----------

## c4

 *kraylus wrote:*   

>  *CountZero wrote:*   I set up su so that users of the wheel group don't have to type a password to be root. 
> 
> how do you do that? i have my non-priv users in the wheel group, but i still have to su and type in a pw to be root. i would like to avoid that if possible... thanks!

 

Check the settings of File: /etc/pam.d/su. There you can either allow certain users to use 'su' without needing a password, or the entire wheel group if you like.

----------

## bacentergt

When I try to run xsane, I get the following warning:

 *Quote:*   

> You are trying to run xsane as root, thats really dangerous!!!, dont send
> 
> bugs or look for help, you are alone!!

 

and then:

 *Quote:*   

> "continue at your own risk"

 

Why is it so dangerous, and how can I create a new user?

----------

## RuiP

among other things:

rm -rf / 

can do funny things (delete ALL your OS is fun and pedagogic)

allow you, when you are tired, to do rm -rf / (I just did it an hour ago... luckily I backed up yesterday:))

install whatever at once

allow anyone who has access to your computer to delete or install whatever at once

etc.

to add a user (do it as soon as possible)

just type:

adduser

----------

## codergeek42

Merged bacentergt's thread, "Why is root so dangerous?????" with this thread.

----------

## sundialsvc4

It's always weirded-me-out that tens of thousands of Windows installations are out there .. with security turned off, and no one's telling anyone (almost) that the feature even exists.  Much less how to use it.  Completely dumb:  people lock their cars, doors, and windows at night, but not their computers?!  And what's worse:  nobody's telling them that they should do it?

Anyhow...  remember:  any program that you execute, executes as you.  That means that it can do, what you can do, whether you intended for it to do so or not.  Ahh, there's the rub.  And that's why viruses exist.  The virus, executing with administrative powers, tells the computer to do something totally evil and stupid, and the computer obeys.

Even if you are "the god of your machine," you don't pull out your magic-wand at every moment.  Most of the time you're just an ordinary person.  Exercising "godly powers" ought to require an explicit act on your part, and this very simple mechanism does just that.

----------

## MidighToker

does it make me a bad man to have "sudo /bin/bash" in my .bashrc file on the mac?

----------

