Hi Folks!
Would someone please explain to me, why I shouldn't use my system as root but as a "normal" user instead?
I think I got the principle from some posts, but I want to make sure I get it right...
So please use the Version for 3-Year-Olds :-)
Bye... Hardy
On Tue, Aug 10, 1999 at 04:49:45AM +0200, HARDY.BOEHM@LHSYSTEMS.COM wrote:
Hi Folks!
Would someone please explain to me, why I shouldn't use my system as root but as a "normal" user instead?
Ok. This is the biggest reason: (don't try this at home, I am a trained professional, I just needed to say that ;)

    # rm -rf /

You can run this command as root, and any Unix operating system won't ask you about what you are telling it to do. Basically, this command wipes out your _entire_ filesystem, deleting every single file and directory (except for some very very special exceptions).

When you are logged in as root, the computer does what you tell it to. This in itself can be especially dangerous when combined with deleting files, partitioning utilities, formatting utilities and other things that can basically wipe out your system. You can and probably will destroy your system on accident. This is the biggest reason.

If you absolutely need to do something as root, is it so hard to switch to a different virtual terminal and log in? Or just use su, or pop up a new xterm, and su there, or whatever. It is two seconds, and you don't have to worry about what you might do to your system when you are just using your computer.
I think I got the principle from some posts, but I want to make sure I get it right...
So please use the Version for 3-Year-Olds :-)
That was my standard "don't run as root" lecture.. I hope it's understandable. -- Jeff -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS/M/>P d-(pu) s+:- a17>? C++(++++) L+++ UL++(+++)@>++++$ P+ E W++@ N+ o? K- w--- O? M V- PS+ PE(--)@ Y++@ PGP t+ 5 X++@ R++@ !tv@ b++ DI++++ D- G e- h! r++ y? ------END GEEK CODE BLOCK------
* Jeff
This is the biggest reason. If you absolutely need to do something as root, is it so hard to switch to a different virtual terminal and log in? Or just use su, or pop up a new xterm, and su there, or whatever. It is two seconds, and you don't have to worry about what you might do to your system when you are just using your computer.
You forgot to mention "sudo" (Serie "ap"). "man visudo", "man sudoers", "man sudo". Really hardly any need to use root.
* Jeff writes:
This is the biggest reason. If you absolutely need to do something as root, is it so hard to switch to a different virtual terminal and log in? Or just use su, or pop up a new xterm, and su there, or whatever. It is two seconds, and you don't have to worry about what you might do to your system when you are just using your computer.
You forgot to mention "sudo" (Serie "ap"). "man visudo", "man sudoers", "man sudo". Really hardly any need to use root.
Jeff and Mark, YOU ARE RIGHT !!
Just yesterday I wanted to remove a single file out of my /usr/local/bin directory (as root), but this time I was too fast - I wrote:

    :/usr/local/bin/ > rm gl

I wanted to press <tab> to add the suffix for the file but in the same moment I added * for everything with gl* (don't ask why, sometimes I'm just typing, not thinking :-) the result was:

    :/usr/local/bin/ > rm glib-config *

Without notice I pressed enter ... So I spent some hours to recompile all packages ... Nice, isn't it?
So if you are user root *ALWAYS* keep an eye on what you're doing - next time, it could be /usr/bin ..... :-O
On Tue, Aug 10, 1999 at 12:16:19PM +0200, Mark Lutz wrote:
* Jeff writes:
This is the biggest reason. If you absolutely need to do something as root, is it so hard to switch to a different virtual terminal and log in? Or just use su, or pop up a new xterm, and su there, or whatever. It is two seconds, and you don't have to worry about what you might do to your system when you are just using your computer.
You forgot to mention "sudo" (Serie "ap"). "man visudo", "man sudoers", "man sudo". Really hardly any need to use root.
Very good point. Thank you for bringing it up. For our original poster, sudo is a program that allows you to run certain programs as root from another account. You can configure it yourself, you can set it up so that you don't have to login as root to shutdown the system, and other stuff like that (a handy use is to allow you access to pppd and scripts as a normal user, so you wouldn't have to connect to your ISP as root, but I think this problem has been fixed by kppp and other such utilities...). I do believe that there is another package called "super" that does essentially the same thing, but is apparently easier to use and configure.

I also saw some stuff about dorking up recursive commands (commands that traverse multiple directories) and commands with regular expressions (*). I've done that before, I messed up the home directories of my friend's computer... even his httpd directory (ouch, that was painful to fix).

There are some things which you do need to log in as root to do, configuring your system, security patches, and other good stuff. So, while there is little need to use root, it occasionally comes up. Double check before you make serious changes as root, and make sure you know how to undo your damage. Look before you rm. Use an ls with the same argument as rm, and see what pops up, or before a recursive chown, etc. Backup a config file before you manually edit it. Paranoia is your friend. That is my best advice for how to be careful.

Good luck, and have a lot of fun.
-- Jeff
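The "look before you rm" habit, applied to the `rm glib-config *` accident described earlier in the thread. This is an added example, not part of the original messages; `rm_preview` and `careful_rm` are hypothetical helper names, and the caller states how many paths they mean to delete.

```shell
# Added example: preview what an rm argument list really expands to.
# rm_preview and careful_rm are hypothetical helpers, not standard tools.

rm_preview() {
    # Globs are expanded by the shell before this function runs, so "$@"
    # is exactly the argument list rm would receive.
    count=0
    for target in "$@"; do
        # Ignore patterns that matched nothing and were passed through literally.
        [ -e "$target" ] || [ -L "$target" ] || continue
        count=$((count + 1))
        ls -ld -- "$target"
    done
    echo "$count argument(s) name an existing path" >&2
    RM_PREVIEW_COUNT=$count
}

careful_rm() {
    # Usage: careful_rm EXPECTED_COUNT path...
    # Deletes only if the expanded argument list has the size you intended.
    [ "$#" -ge 2 ] || { echo "usage: careful_rm COUNT path..." >&2; return 2; }
    expected=$1
    shift
    rm_preview "$@" >&2
    if [ "$RM_PREVIEW_COUNT" -ne "$expected" ]; then
        echo "refusing: expected $expected path(s), got $RM_PREVIEW_COUNT" >&2
        return 1
    fi
    rm -- "$@"
}
```

In a directory holding four files, `careful_rm 1 glib-config *` sees five arguments and refuses, while `careful_rm 1 glib-config` removes the one file.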
Would someone please explain to me, why I shouldn't use my system as root but as a "normal" user instead?
rm -rf / is a plenty good reason.... but I wanna tell my story. :)

I was moving some files around on my system, and was chmodding them to 400 so the other folks who sometimes use my machine wouldn't muck them up. Well, somewhere along the way, I forgot I had done a cd /dev -- and ran

    chown -R sarnold:sarnold *
    chmod -R 400 *

Luckily I had about six xterm windows open, and a rlogin to a machine running redhat. BY HAND I chown and chmod as many of the files that are similar between the two systems -- after a frantic email to the great people at suse support. One of their support guys gave me a great idea on fixing the problem, but said he didn't want to test on his own computer. heh heh heh. It worked great. And, I learned a nice lesson -- don't muck around as root. Run as a standard user, and avoid doing truly idiotic things like setting all your devices to read and write only by one user. <bow> </bow> :)

However, the reasons go beyond just saving you from yourself. Any trojan horses that might be installed on your system will have full root access if you are running as root -- and can do Bad Things. If you are running as a normal user, the worst they can do is touch your data files. Which you have backups of, right? (heh, I love asking that... :)

-- Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/ I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
Seth R Arnold wrote:
-- Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/ I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
Well you offered-) I can't figure out where to put the FEATURE(rbl) statement.
Thanks Nick
-- --------------------- Nick Zentena SuSE 6.1 Linux 2.2.11 Proudly rejecting all Yahoo mail since 1999 ---------------------
Nick, that FEATURE(rbl) is only if you have sendmail 8.9. I *think* that version is commercial. I would imagine that if you have it, the following commands would get you there:

    vi `locate sendmail.mc`   # this assumes only one copy of the right file
                              # on your computer -- if this worries you
                              # then perhaps locate and vi should be two commands
                              # :)

Then add FEATURE(rbl) anywhere it would make sense -- I bet the first line would make do, or perhaps search it for "FEATURE" -- there may be other FEATURES turned on as well.. add it near them, if there are. :) Then, re-run whatever command parses the .mc file into the sendmail.cf file. I don't know this command myself. I *think* it is m4.

If, however, you have sendmail 8.8, then you could either download the rbl.m4 file and put HACK(rbl) into your sendmail.mc file, or cut-n-paste the code from http://maps.vix.com/rbl/usage.html into your sendmail.cf. I think if you haven't touched your sendmail.cf much, cut-n-paste works fine. Of course, the sendmail book is a great place to start if you want to know what the snippet does. (sendmail.cf is located in /etc -- but not sendmail.mc...)

After all that, please do test your RBL setup -- both from people you want to accept, and from people that you do not want to accept. A nice fellow has set up his machine to be in RBL so you can test by bouncing messages off his machine. http://maps.vix.com/rbl/usage.html

I am far from a sendmail guru -- this here is just about my whole knowledge of the thing. :) when I offered to help, it was more along the lines of: from the full headers, figure out which computers sent the mail, and then contact the domain administrators for that domain, using info from whois -- and if spam from that domain continues then email their upstream providers, complaining the whole time about RBL. Do be nice to them, but make it obvious you mean business.
The amount of spam I get these days is pretty small, despite newsgroup postings, maillist postings, it is on my webpage which is indexed in the engines (I put it there to help propagation of my resume :) -- and the amount of spam I get in a month is less than the error mailings I get from suse-security (such as that guy that doesn't exist in agulla.wherever, or people that setup vacation improperly, etc...) whenever I post. So I figure I must be doing something right. :)

On Tue, Aug 10, 1999 at 01:56:44PM -0400, Nick Zentena wrote:
Seth R Arnold wrote:
-- Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/ I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
Well you offered-) I can't figure out where to put the FEATURE(rbl) statement.
Thanks Nick
-- --------------------- Nick Zentena SuSE 6.1 Linux 2.2.11 Proudly rejecting all Yahoo mail since 1999 ---------------------
-- Seth Arnold | ICQ 3172483 | http://cswww.willamette.edu/~sarnold/ I prosecute unsolicited bulk emails, using the RealTime BlackHole List. You should too. Ask me how, or visit http://maps.vix.com/rbl/
Hello, On 10 Aug 99, at 11:48, Seth R Arnold wrote:
Nick, that FEATURE(rbl) is only if you have sendmail 8.9. I *think* that version is commercial.
You can download "sendmail-8.9.3" (which is the latest version) at http://www.sendmail.org. There is also a commercial version (Sendmail Pro and Sendmail for WinNT) at the site: http://www.sendmail.com. AFAIK the feature "RBL" works also in the non-commercial version of sendmail-8.9.x. But if you are using sendmail-8.8.8 you'll have to do some additional work to enable "RBL". Bye, Steffen
Hello, On 10 Aug 99, at 13:56, Nick Zentena wrote:
Well you offered-) I can't figure out where to put the FEATURE(rbl) statement.
You should put it into your "mc" file that you use to build your "sendmail.cf" file. I used "linux.mc" which came with SuSE to build my "sendmail.cf" but I don't use RBL. Hope that helps... Bye, Steffen
Hi, On Tue, Aug 10, 1999 at 10:20 -0700, Seth R Arnold wrote:
Luckily I had about six xterm windows open, and a rlogin to a machine running redhat. BY HAND I chown and chmod as many of the files that are
The next time this happens, try

    rpm --setperms devs
    rpm --setugids devs

It's much less work :-)
Ciao, Stefan
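For trees that no package database covers, the same undo can be prepared in advance by recording modes and owners before a recursive chown or chmod. This is an added example, not part of the original thread; it generalizes the rpm suggestion above, the helper names `perm_snapshot` and `perm_restore` are hypothetical, and it assumes GNU find and GNU stat.

```shell
# Added example; perm_snapshot and perm_restore are hypothetical helper names.
# Requires GNU find and GNU stat. Paths containing tabs or newlines are not supported.

perm_snapshot() {
    # Usage: perm_snapshot DIR > snapshot.tsv   (keep the file outside DIR)
    # One line per entry: octal mode, numeric uid:gid, path. Parents come first.
    find "$1" -printf '%m\t%U:%G\t%p\n'
}

perm_restore() {
    # Usage: perm_restore < snapshot.tsv
    # Returns 0 if every recorded entry was restored, 1 otherwise.
    # Parent-first order matters: a directory that lost its search bit must
    # be repaired before anything beneath it can be reached.
    tab=$(printf '\t')
    failed=0
    while IFS=$tab read -r mode owner path; do
        if [ -L "$path" ]; then
            continue    # chmod and chown would follow the link; leave it alone
        fi
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2
            failed=1
            continue
        fi
        # chown first: it can clear setuid/setgid bits, which chmod then puts back.
        if [ "$(stat -c '%u:%g' -- "$path")" != "$owner" ]; then
            chown -- "$owner" "$path" || failed=1
        fi
        chmod -- "$mode" "$path" || failed=1
    done
    return "$failed"
}
```

Restoring ownership generally needs root; restoring modes on files you own does not.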
participants (9)
- HARDY.BOEHM@LHSYSTEMS.COM
- Jeff
- Mark Lutz
- Nick Zentena
- Ralf Biedert
- Scott McEachern
- Seth R Arnold
- Stefan Troeger
- Steffen Moser