Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Sun 20 Apr 2014, 07:00
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Why I don't like running as root (in Puppy)
Post new topic   Reply to topic View previous topic :: View next topic
Page 2 of 9 [130 Posts]   Goto page: Previous 1, 2, 3, 4, ..., 7, 8, 9 Next
Author Message
Bruce B


Joined: 18 May 2005
Posts: 11050
Location: The Peoples Republic of California

PostPosted: Tue 19 Jul 2005, 06:47    Post subject:  

Michael Robertson CEO of Linspire has had lots of criticism setting up the OS to run as root.

It is also a fairly major distro. Read what he has to say here:

http://info.linspire.com/askmichael/question9.htm

-----------------

More on my arguments;

Argument 1

    What do I want to protect? For the most part I want to protect user files. If I value my user files I should have regular back-up procedures in place. Meaning, methods of protecting my important documents and files.

    I'm not particularly worried about losing system files. I have the Puppy, Suse, and Vector CD-ROMS within arms reach.


Argument 2

    It is not necessarily easier to intrude on root than it is a user. For example, suppose there were a way of gaining control over my computer through Firefox. The exploit would be just as successful on root as it would be a user.

    The hacker, if he gained my level of permissions and access, could read, write and execute anything I can read, write and execute. My user documents, the most important documents are at his mercy.


Argument 3

    If my computer was intruded on, I would consider it compromised. I'd want to clean house and figure out how it took place and put the preventive measures in place.

    Regardless of if the computer was compromised with me a user or root, it is still a compromised system.


Argument 4

    It is not happening. Personal computers running Linux and not running services such as proxies, ftp, http are simply not being exploited to any significant degree, although the services they run are targets.

    My computer gets hit often several times an hour. Fully 90% of the hits are on ports 1026 and 1027. Many of them are from China and Japan. There is a big exploit there on XP - the DCOM services for people who have not applied the patches.

    DCOM doesn't exist in Linux and it is not bound to these ports. There is nobody home to answer the door for the hackers.

    Reference: http://grc.com/port_1026.htm

    Other ports are 21, 80, 8080, 22 and a range of ports for known Windows trojans. I've never seen a scanner scan 65535 ports. They go for known ports with exploits and those are almost without exception, known Windows trojans, robots, and other Windows exploits. Of course non OS specific common service ports.

    We are not running this software, and that is the primary reason there is not much to concern ourselves with.

    Sort of like having a cabin in the wilderness and no one ever has come around to bother you.

    Also, gaining access to an open port doesn't mean a successful hack. Port 8 the ping port is software written to respond to ping requests. It is not going to edit a graphic file, hand over root's password or allow entry to the system.


Changind subject to something fun.

    I used to run an unprotected HTTP server for the public. It was specially written to always say yes to the hackers and give them an error code of 200 and hand them a clear 1x1 Gif file. Plus log all their activities.

    The hacker script would sends requists like ../../cmd.exe and all kinds and combinations of CGI scripts exploits. My HTTP server would always say OK and immediately hand them the GIF image. That is all it was programmed to do, say yes to everything and give it an invisible GIF image.

    Not to mention, keep precise and detailed logs of everything the hacker would do. This way I could tell with precision what was being done. The hacker getting good feedback on his end would go the whole nine yards with his scripts and techniques.

    The point being that even have the software bound to the port and servicing the hacking industry, it was safe because it wasn't actually going to let someone in. It wasn't programmed that way.


Everything is good.
Back to top
View user's profile Send private message 
edoc


Joined: 07 Aug 2005
Posts: 4307
Location: Southeast Georgia, USA

PostPosted: Mon 08 Aug 2005, 13:33    Post subject:  

Bruce B wrote:

If you wish to maintain the position about other people being affected or bad Netizenship, I think it fair to ask you to back up this moral stance with some specifics.

    1) who got affected remotely because someone else was running their personal computer as root, where they would not have been affected otherwise?

    *The lists run in the thousands, including major business and government sites. Where have you been? It has been all over the news for years.

    2) when and where did it happen?

    *All over the world.

    3) what was the nature of the adverse affect?

    *Lost data, stolen private data, lost business, wasted taxes due to harm to government productivity (already minimal), compromised security, compromised safety.

    4) if possible, how was it that running as root caused the problem?

    *Allowed hackers to use the host computers to attack systems and find their vulnerabilities, or allowed them to overwhelm and shut down systems.

    *I apologize for sounding harsh but I canot imagine any computer literate person being unaware of the massive harm that has been occuring across the world because of unsecured personal and business computers.

    *I just ran everything on ShieldsUp on my Suse laptop. 100% secure.

    *Carefully climbing down off my soapbox ... doc

Back to top
View user's profile Send private message Visit poster's website 
Rich

Joined: 04 May 2005
Posts: 278
Location: Middlesbrough - UK

PostPosted: Mon 08 Aug 2005, 18:55    Post subject:  

[quote="edoc"]
Bruce B wrote:

............... wasted taxes due to harm to government productivity


That one doesn't apply over here in England. Our Government has little or no beneficial productivity anyway and don't need an excuse to waste our taxes.
Back to top
View user's profile Send private message 
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10668
Location: Arizona USA

PostPosted: Mon 08 Aug 2005, 23:11    Post subject:  

edoc, you make a lot of assertions but don't give any concrete examples. I would really appreciate it if someone could cite an instance where browsing the internet while running as root is the reason a computer was compromised, or caused more damage when it was compromised than if it had been running as a user with less privileges than root. Until I see some real data, I'm going to side with Bruce B.

Besides, Puppy is a special case. If I don't install Puppy to the hard drive, but instead run from the CD, and I'm the only user, then I think the argument about the dangers of running as root needs to be revisited. Mr. Knopper made it so hard to run as root in Knoppix that I found Knoppix to be all but useless. When I heard about Puppy (in the Knoppix forum) I tried it out and never went back to Knoppix.

Running as root certainly isn't the only reason I like Puppy better than Knoppix, but it definitely is a big one. It's hard enough for me to get things to work; why make it more complicated unless there is some provable benefit?
Back to top
View user's profile Send private message 
edoc


Joined: 07 Aug 2005
Posts: 4307
Location: Southeast Georgia, USA

PostPosted: Fri 12 Aug 2005, 18:24    Post subject:  

Flash wrote:
It's hard enough for me to get things to work; why make it more complicated unless there is some provable benefit?


On this point we agree for sure! Wink Smile :-\

doc
Back to top
View user's profile Send private message Visit poster's website 
loulou35
Guest


PostPosted: Wed 05 Oct 2005, 12:01    Post subject: Puppy Linux for my family  

Puppy is just great: little, fast, usefull, especially when installed on hard disk of old hardware configuration... Very Happy

For my very young children, I keep skeptical about letting them as root removing any configuration file. Embarassed

Please, insert multi user ability including root, as DSL proposes: you'll get perfect. Very Happy
Back to top
klhrevolutionist


Joined: 08 Jun 2005
Posts: 1124

PostPosted: Wed 05 Oct 2005, 12:12    Post subject: the answer  

It seems people don't want to run as root. Most of these people that
want a user have children. And then again, some people read about it,
and assume they also, need a user. Maybe, it might be possible to add a user
in the near future. My understanding of linux is not the best, but I do
wonder about the lot of us that use a hard drive. A little ssh & someone
could do about anything. That is unless you take precaution to prevent
these actions.
So, personally I don't mind being root as I like full control of my computer.
Any other distro, I always use root.

_________________
Heaven is on the way, until then let's get the truth out!
Back to top
View user's profile Send private message 
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10668
Location: Arizona USA

PostPosted: Wed 05 Oct 2005, 12:58    Post subject: Re: the answer  

klhrevolutionist wrote:
...It seems people don't want to run as root. Most of these people that want a user have children. And then again, some people read about it, and assume they also, need a user... I do wonder about the lot of us that use a hard drive. A little ssh & someone could do about anything. ...

The genius of Puppy is that it can run entirely from CD or DVD. If you replace your hard drive with a DVD burner, running from root in multisession Puppy is nothing to worry about. Each user can have his own (removable) disk containing his personal settings and everything he is working on.
Back to top
View user's profile Send private message 
rarsa


Joined: 29 May 2005
Posts: 3053
Location: Kitchener, Ontario, Canada

PostPosted: Wed 05 Oct 2005, 13:01    Post subject:  

flash wrote:
Each user can have his own (removable) disk containing his personal settings and everything he is working on.
What if the computer owner is a woman, or has a wife or daughter? Razz

klhrevolutionist wrote:
A little ssh & someone could do about anything. ...
Logging in as a limited user WON'T protect you from this. When someone connects through ssh, a new session is created with its own loggin. If the atacker can guess, findout or crack your root password, the atacker will get controll of your computer, whether you are running as root or not. The moral of this story: If you enable SSH, Choose a secure password that you can remember but it's difficult to crack.

Note to new puppys: klhrev example is highly hypotetical. SSH server does not come with puppy as a default, it has to be downloaded, installed, configured and enabled for it to be a risk.

Last edited by rarsa on Wed 05 Oct 2005, 13:09; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website 
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10668
Location: Arizona USA

PostPosted: Wed 05 Oct 2005, 13:09    Post subject:  

She'll just have to ask the man of the house for help. Twisted Evil
Back to top
View user's profile Send private message 
n8siv


Joined: 25 Jul 2005
Posts: 32
Location: ohio USA

PostPosted: Thu 06 Oct 2005, 17:06    Post subject:  

I like runing as root it,s a bumer to start to do some thig is other distros
when you get the msg you need to be root to do that.
I run a firewall called ipcop on a old toshiba laptop to keep out the hakers.
This firewall work,s great on dialup where i started .

_________________
the fix is out thier Laughing
Back to top
View user's profile Send private message 
seldomseen


Joined: 30 May 2005
Posts: 40
Location: Charleston, SC

PostPosted: Fri 07 Oct 2005, 20:26    Post subject:  

Since starting to use Linux I've gotten used to the root/user system, and it's no great effort to bring up a terminal, type in su and my password, and do root things that way. Actually I've come to appreciate this. In the few seconds it takes to open a root terminal, I'm reminded to put my game face on and get my stuff together 'cause I can now do some real damage if I type the wrong thing. The computer is asking me, "Are you sure? Better be, 'cause you're in for a hell of a ride." Just an extra level of protection.

When running Puppy off the CD, it doesn't matter a whole lot in my case. I'm the only one who uses this computer (unless my dog is surfing for canine porn sites while I'm at work), and it is kinda hard to screw up system files when they're on the CD-ROM anyway.
Back to top
View user's profile Send private message Yahoo Messenger 
gliezl


Joined: 06 Aug 2005
Posts: 322
Location: Manila

PostPosted: Sat 08 Oct 2005, 19:18    Post subject:  

Flash wrote:
She'll just have to ask the man of the house for help. Twisted Evil

what about if she is single, separated or divorced? Smile

can sudo command be included in future versions of puppy?

_________________
"If you have knowledge, let others light their candles in it."
~Margaret Fuller

Back to top
View user's profile Send private message 
mclien

Joined: 19 Jul 2005
Posts: 62
Location: germany

PostPosted: Wed 19 Oct 2005, 09:06    Post subject:  

OK here comes another qoute for multiuser (maybe tiny loggin?)

As guessed before its about networking in environment like family, coworkers etc.

Running linux for a while leads often to something like haing a file-/ printer- / whatever-server. mine should do the following (in the 'end' state):
-file server holding /home /mp3 and doing backup.
-beeing the misic server holding all the mp3s to provide to any computer in the house
-and musicbox as home stereo replacement
-VDR (digtal video disc recorder)
-family calendar/ planer
-sharing the dsl internet connection

so if I want everyone let use any computer in the house with access to her/ his data i NEED nfs-filesharing and multiusers on any comp in the house.

what makes puppy that interessting is its unbelievable speed, even on old machines AND its opportunity to be carried arround, too.

So I'm not very used to generate users/groups from commandline, here is my question:
Is it really that difficult (at least with HD install) to generate users?
What about this:
-generating tiny loggin as dotpup
-a skript (yes commandline, its the linux admin anyway useing this) that generates:
--new lines in /etc/passwd (/etc/shadow)
--home dirctories
--adding the new users to the nesessary groups/ generating the nesessay apps

is this to simple? What else did I forgot to mention...
Back to top
View user's profile Send private message 
jester
Guest


PostPosted: Mon 05 Dec 2005, 06:03    Post subject:  

Is there any news on wether a non root user/login possibility will be built in or not?!

I have been lokking at puppy for a long time to instal on an few old boxes, but I also need the option of normal user access so others can't mess up these computers.


Kind regards,
jester.
Back to top
Display posts from previous:   Sort by:   
Page 2 of 9 [130 Posts]   Goto page: Previous 1, 2, 3, 4, ..., 7, 8, 9 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0893s ][ Queries: 12 (0.0047s) ][ GZIP on ]