View Full Version : Enough about the root account !!!



gn9500
26th December 2008, 09:36 PM
I've just about had it with all the Linux guru wannabes telling me what I can and can't do as root. I'm pretty sure these are the same types who want to force me to wear a seatbelt while driving or a helmet when motorcycling. They are the Linux analogues to the nanny state.

They know what's best for everyone, and come hell or high water, they're going to force everyone to conform to their idea of security whether we like it or not.

As an adult who owns myself and a number of Linux servers I believe it is my choice whether to take certain risks. I don't need a bunch of holier-than-thou zealots doing everything in their power to stop me from getting where I want to go.

See: <http://townhall.com/columnists/WalterEWilliams/2006/06/14/the_slippery_slope>
and <http://townhall.com/columnists/WalterEWilliams/2006/05/24/click_it_or_ticket>

On earlier Fedora systems you couldn't telnet to the root account without modifying the /etc/securetty file. With Fedora 10 we've reached the point where the root account can't even login at the console.

Under the PackageKitFaq we find this:

"The second is that GTK+ tools should not be run as root. Any GTK+ program run as the root user is a massive security hole -- GTK+ just isn't designed with this in mind. There are numerous attack vectors when running as root, and so we shouldn't be letting programs do such insane, insecure things."

Yet PackageKit in Fedora 10 has significant errors that prevent users from updating their systems easily. The same is true for many other parts of Fedora 10. I had to hunt for a solution then modify the Grub kernel command in /boot/grub/menu.lst following installation before the system would come up.

Let's concentrate on getting features and code actually working rather than worrying about whether someone, somewhere might be using the root account.

A word to the wise is sufficient. Leave it at that, stop preaching, and stop making it difficult or impossible to use the root account for routine maintenance tasks.

virus
26th December 2008, 09:43 PM
you are crazy

JN4OldSchool
26th December 2008, 09:44 PM
Roflmao!!!

bd54338rre
26th December 2008, 09:59 PM
stupid answer removed by bd54338rre

bob
26th December 2008, 10:51 PM
As a personal opinion, I agree with you, however in the Forum, we're all just users helping users as I'm sure you know since you've been here for over 3 years. So, while the blood's still boiling a bit, why not put your words where they might have some effect? http://fedoraproject.org/wiki/Communicate

stevea
26th December 2008, 11:59 PM
Nothing crazy about it. OK gn9500 is obviously blowing some steam, but these "training wheels" approaches are bad, stupid and wrongheaded. FWIW even bash includes some "training wheels" type protections that can become a huge headache.


I have no problem w/ the Fedora developers including safety features as the default .. but these should be easy for the admin to disable. The problem is that the Gnannie-Gnomes are building all sorts of /features/ into the desktop and it's not easy to bypass.

I DON'T want or need the root lockouts
I DON'T want the login/logout to impact the network config.
I DON'T want the desktop to automount every partition it can find.
These actions are based on stupid assumptions. Especially NetworkManager - which only makes sense on a laptop IMO.

A/ You can allow gdm root logins with
su -
sed -e 's/^auth.\+root.\+/#&/g' -i /etc/pam.d/gdm
Maybe you want to run the sed command for /etc/pam.d/xdm too.

B/ Better yet use the kdm installer
su -
yum -y install kdebase-workspace
echo "DISPLAYMANAGER=KDE" > /etc/sysconfig/desktop
reboot

You're already aware of how to bypass the telnet/ftp issue. Personally I would never use ftp or telnet off a secured LAN, but that's just me. I'd never impose that restriction on you.




The most egregious assumption is that "root" is a special account. Both the capabilities and SELinux can remove the special importance of the root(uid=0) account. Alternatively you can give capability or selinux context to any login - making the whole login test scheme silly.
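
An added example, not part of stevea's post or of Fedora's tooling: a read-only check that reports whether a PAM service file still has an active auth rule mentioning root, previews the lines the sed pattern in option A would comment out, and re-checks a temporary copy after the substitution. The sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Pattern from the post's sed command, written as an ERE: an auth line
# that mentions "root" anywhere after the keyword.
PATTERN='^auth.+root.+'

# Show (with line numbers) what the sed command would comment out,
# without modifying the file.
preview_changes() {
    grep -nE "$PATTERN" "$1"
}

# enforced: an active auth line mentions root
# disabled: such a line exists only in commented-out form
# absent:   no auth line mentions root at all
root_lockout_state() {
    if grep -qE "$PATTERN" "$1"; then
        echo enforced
    elif grep -qE '^#[[:space:]]*auth.+root.+' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Constructed sample resembling a display-manager PAM file
# (not copied from a real system).
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required    pam_succeed_if.so user != root quiet
auth       required    pam_env.so
auth       include     system-auth
account    required    pam_nologin.so
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    write_sample "$tmp"
    echo "before: $(root_lockout_state "$tmp")"
    preview_changes "$tmp"
    # Same substitution as in the post, applied to the temporary copy only.
    sed -E -i.bak 's/^auth.+root.+/#&/' "$tmp"
    echo "after:  $(root_lockout_state "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Because the pattern matches the string "root" anywhere on an auth line, the preview output is worth reading before the substitution is run with -i on a real file.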

stlouis
27th December 2008, 02:06 AM
I agree, use KDE... I'm not much of Gnome fan myself...

I typically log in to the console as my normal user, but "su" to root as soon as I open my terminal... Especially when doing any admin work... I simply find typing "sudo" or "su -c" a pain and too repetitive for me...

I don't really care about the preaching much, I just overlook all the "bloat" and focus on the details...

My 2 Cents

virus
27th December 2008, 10:48 AM
...why not put your words where they might have some effect?...

I do it regularly on www.fedoraonline.it: :)