    Linux user

    linuxsecurity
    18 Posts 5 Posters 2.2k Views
    • A
      Alex Sage
      last edited by

      Personally, I create an account for another reason. I like to use SSH keys, and SSH keys on a root account is bad form. Also, I disable root login via SSH - this just makes good security sense. If I need access I have to access via console.

      • scottalanmillerS
        scottalanmiller @Alex Sage
        last edited by

        @anonymous said:

        But isn't it true that if I run sudo I can do just as much harm as running as root? If that is true, what's the difference?

        Couple of things...

        • It blocks most accidental typos. If you are just doing normal tasks, no reason to risk exposing the system. If you are typing rm -rf /opt/mytestfiles and accidentally hit enter too soon as root, the system is dead. Do it as a normal user, nothing happens.
        • It makes you aware when you are doing something risky. If it suddenly asks you for sudo access, you can stop and think whether you meant to do that thing or not.
        • It stops malware that gets to you as the end user from escalating to root. Click the wrong website link as root, and your system is pwned. Do it as an end user, you are completely safe (at a system level.) No Linux malware on the market can breach the root escalation point (today.)
        • Not really applicable to single user but... tracking. You'll have far better visibility into who is using root. Helps you to know if your account or the root account is compromised.
        • scottalanmillerS
          scottalanmiller @Alex Sage
          last edited by scottalanmiller

          @anonymous said:

          Personally, I create an account for another reason. I like to use SSH keys, and SSH keys on a root account is bad form. Also, I disable root login via SSH - this just makes good security sense. If I need access I have to access via console.

          SSH Keys to root are only bad form because it is bad form to ever run as the root account. SSH Keys to root on their own are not bad at all. Root remote access, also only bad because of inheritance.

          All of those, along with the base question of why not to run as root, are all because of "bad form."

          • A
            Alex Sage @scottalanmiller
            last edited by Alex Sage

            @scottalanmiller said:

            • It blocks most accidental typos. If you are just doing normal tasks, no reason to risk exposing the system. If you are typing rm -rf /opt/mytestfiles and accidentally hit enter too soon as root, the system is dead. Do it as a normal user, nothing happens.

            However if I type:

            sudo rm -rf /opt/mytestfiles
            

            Then it's game over, right? I think I remember you saying that you remove the need to retype your password to use sudo?

            • A
              Alex Sage @scottalanmiller
              last edited by Alex Sage

              @scottalanmiller said:

              • It makes you aware when you are doing something risky. If it suddenly asks you for sudo access, you can stop and think whether you meant to do that thing or not.

              For some people I am sure that's true, but you would be surprised how often I see someone using sudo before EVERY command 😧

              • scottalanmillerS
                scottalanmiller @Alex Sage
                last edited by

                @anonymous said:

                @scottalanmiller said:

                • It blocks most accidental typos. If you are just doing normal tasks, no reason to risk exposing the system. If you are typing rm -rf /opt/mytestfiles and accidentally hit enter too soon as root, the system is dead. Do it as a normal user, nothing happens.

                However if I type:

                sudo rm -rf /opt/mytestfiles
                

                Then it's game over, right? I think I remember you saying that you remove the need to retype your password to use sudo?

                I do, but by default you normally do not.

                • A
                  Alex Sage @scottalanmiller
                  last edited by Alex Sage

                  @scottalanmiller said:

                  • It stops malware that gets to you as the end user from escalating to root. Click the wrong website link as root, and your system is pwned. Do it as an end user, you are completely safe (at a system level.) No Linux malware on the market can breach the root escalation point (today.)

                  I assume we are talking about servers here? I never browse websites on my servers

                  I find it very hard to do from the command line 😉

                  • scottalanmillerS
                    scottalanmiller @Alex Sage
                    last edited by

                    @anonymous said:

                    @scottalanmiller said:

                    • It makes you aware when you are doing something risky. If it suddenly asks you for sudo access, you can stop and think whether you meant to do that thing or not.

                    For some people I am sure that's true, but you would be surprised how often I see someone using sudo before EVERY command 😧

                    That's extremely weird. And only works if they disable passwords for it (which I do, but I rarely recommend.)

                    • A
                      Alex Sage
                      last edited by

                      @scottalanmiller not trying to argue, just working it out in my head 🙂

                      At the end of the day my point is that you can't fix ignorance. If you don't know, you don't know. The key is to know what you're doing BEFORE you do it. And always have a backup just in case 😉

                      • brianlittlejohnB
                        brianlittlejohn
                        last edited by

                        [image: sandwich.png]

                        I'm sure this goes against every best practice, but when I'm doing a bunch of admin stuff I issue a sudo bash and open up a new bash shell with sudo privileges

                        • scottalanmillerS
                          scottalanmiller @brianlittlejohn
                          last edited by

                          @brianlittlejohn said:

                          [image: sandwich.png]

                          I'm sure this goes against every best practice, but when I'm doing a bunch of admin stuff I issue a sudo bash and open up a new bash shell with sudo privileges

                          Not uncommon, and I do that a bit too (I use sudo -i su) but one of the good things about that is that it still tracks your user, it does not treat you as root for auditing.

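
The tracking point raised in this thread (sudo records which user ran what as root, including the launch of a root shell) is visible in sudo's own syslog entries. The following is an added example, not code from any poster in the thread: the log lines, host name and user names are constructed, and `ENTRY`, `SHELLS` and `audit` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sudo writes to
# /var/log/auth.log or /var/log/secure (host and users are made up).
SAMPLE_LOG = """\
Feb 12 10:01:02 srv1 sudo:     alex : TTY=pts/0 ; PWD=/home/alex ; USER=root ; COMMAND=/bin/rm -rf /opt/mytestfiles
Feb 12 10:03:40 srv1 sshd[811]: Accepted publickey for alex from 192.0.2.10 port 50022 ssh2
Feb 12 10:05:11 srv1 sudo:    brian : TTY=pts/1 ; PWD=/home/brian ; USER=root ; COMMAND=/bin/bash
Feb 12 10:09:27 srv1 sudo:     alex : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Feb 12 10:12:03 srv1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
"""

# invoking user, optional refusal reason, then the TTY/PWD/USER/COMMAND fields
ENTRY = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<denied>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)

# Binaries that hand over an interactive root session (assumed list).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "su"}

def audit(log_text):
    """Return {user: {"commands": [...], "root_shells": n, "denied": n}}."""
    report = defaultdict(lambda: {"commands": [], "root_shells": 0, "denied": 0})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or m["target"] != "root":
            continue  # not a sudo entry, or not a command run as root
        entry = report[m["user"]]
        if m["denied"]:
            entry["denied"] += 1  # sudo refused the request
            continue
        entry["commands"].append(m["command"])
        binary = m["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELLS:
            entry["root_shells"] += 1  # root shell opened under this user's name
    return dict(report)

if __name__ == "__main__":
    for user, info in sorted(audit(SAMPLE_LOG).items()):
        print(user, info)
```

By default sudo logs only the launch of brian's shell, not the commands typed inside it, so root-shell sessions are worth counting separately from individually logged commands.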