Thread: Why is running programs as root so bad?

  1. #46
    spurious conceit MK27's Avatar
    Quote Originally Posted by nvoigt View Post
    You guys focus a lot on malicious code and hackers and evil doers. Are you so divine in administrating computers that you never make mistakes? If you have the least privileges you can do the least harm. Even unintentionally without anyone being evil. "Never attribute to malice that which can be adequately explained by stupidity".
    "Are you so divine in administrating computers that you never make mistakes?"

    My point was, yes I am. Other than one mistake almost a decade ago, I have never caused any accidental harm, during thousands and thousands of hours. Neither have I been the victim of anything malicious.

    About a month ago on the Ubuntu board, tho, there was someone who discovered a sort of trojan horse in a dysfunctional screensaver they had downloaded somewhere. It was just a crude shell script; my analysis of it was that with root privileges it could use ping to forward the IP and wget to replace itself at any point. The site that it pinged was not the site where it was distributed and was also handing out World of Warcraft "phishing" kits, ie, for password cracking. I figure the dude was starting to experiment with Denial of Service attacks since he had amassed a bunch of machines that alerted him when online and could be used to simultaneously send requests anywhere, without doing any harm to the infected machine or the user knowing.

    And lo and behold, he really had amassed a bunch of machines. Within hours, there were a half dozen or so people just wandering the Ubuntu board who noticed this and recognized the site where the "screensaver" was distributed. Seems they all had downloaded a screensaver or gtk theme, installed it, it did not work, so they forgot about it figuring it was just "defective". But they all also had variations of that script in the same location. There's no saying what else could have been installed, of course, so I wrote a simple script people could run in the background that would tell them if the same kind of thing was still going on. AFAIK there wasn't.

    Now, some of those people were running root. I promise I would never fall for something so simple. While I can't deny a more complex version could get me, it seems to me based on the success of that enterprise that what the perpetrators were aiming at is a naive majority.

    So I'm not saying non-privileged users and groups are a dumb feature. What I am saying is that Yarin probably does not have much to worry about.

    Quote Originally Posted by zacs7 View Post
    I doubt very much the programs you run need access to the entire machine. There are many permission schemes available, why not use them? You've pretty much just chucked the idea of "groups" and "users" out the window. As well as wasting space by storing file permissions .
    In fact, the historical purpose of those things was for large installations with many terminals and different users. That is where and why they are successful. Nobody uses my computer but me.

    I totally agree that most daemon processes should run as their own group, not root. I haven't hacked apache to run as root. I have an ftp server and when it's on, I certainly don't let it run as root. I run as root. If I were a sys admin somewhere, I wouldn't let everyone do that, either.

    Consider a small bug in Firefox that allows code from web pages or images to be run.
    Yes, which is why web browsers should also run setuid/setgid like web servers. I NEED to browse the web while working on code. Even if I had an account, "mk27", that thereby protected the system, it still would not do anything to protect what is most important to me -- the code in my home directory, etc. But right now, that is a very difficult proposition, since you would have to log in as the group you want to run firefox safely as, start X, keep your bookmarks etc in the firefox account, and then log in thru a terminal to access your code as some other user. Lot of awkwardness in this one -- if you like GUI file browsers, you wouldn't have access to the material you were trying to protect! Instead, we just say "oh, just have one user account for yourself and do everything with that", as if that were the ideal answer or that it is so much safer than running root.

    The user/group permissions system is very useful and a good thing. But I take issue with this naive and simplistic assumption/assertion that the purpose of it is so you can run as "bob" and sudo when you need to, and that makes everything safe, and that setuid is pointless or wrong-headed, etc. That is just a caveat for newbies and an introduction to the principles involved.
    Last edited by MK27; 01-12-2010 at 10:53 AM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  2. #47
    Registered User jeffcobb's Avatar
    Quote Originally Posted by happyclown View Post
    It's still showing in the theatres, so how can you watch it on the TV?
    Will only say that theaters are not the only place it is showing ^__^

    But you are right; short of abusing temporal mechanics I couldn't possibly be watching it at home...

    Besides, I *could* be referring to http://en.wikipedia.org/wiki/Avatar_The_Last_Airbender
    Last edited by jeffcobb; 01-12-2010 at 11:21 AM.
    C/C++ Environment: GNU CC/Emacs
    Make system: CMake
    Debuggers: Valgrind/GDB

  3. #48
    Registered User jeffcobb's Avatar
    MK27: I would posit that the point of sudo isn't to make things "safe" but to leave a clear trail of who did what which is completely missing when running as root. Sudo is definitely targeted at a multiuser environment....another use of sudo is to run as a different user....say user X is having problems doing some task or whatever; you as admin can sudo X and become them to see what they are seeing as a problem domain. IOW gaining superuser rights isn't the only use of sudo. This may not apply to your situation but definitely applies to the intended purpose of a multiuser OS.

    As for only one mistake in 10 years, human failings being what they are I would say you haven't made a system-killing mistake...yet.

    To quote the great sage Bill Cosby, never tempt worse

  4. #49
    Registered User
    The attitude reflected in the responses of certain people in this thread just ........es me off.

    In our company we develop high pressure pneumatic systems. A number of my coworkers insist that it is unnecessary to perform testing behind a blast screen, because "it's not going to explode anyway". Most of the time this is true. However, when something does blow, the shrapnel is as lethal as a gun-fired bullet. It actually so happened that once upon a time a thread failed, which sent a nut flying halfway through the workshop, which is about 10 meters, leaving a thumb-sized hole in a glass window before lodging itself in the wall. Fortunately, there were no body parts in its way.

    Moral of the story: safety first. Even though the likelihood of some mishap occurring may be very very small, there is still a chance that something may go wrong.

    In the case of running as root on your typical linux home desktop, the damage will be limited to yourself, your own data; no one else is involved. It's your responsibility and you will have to live with the consequences of your negligence.

    However, when other people are involved, it is not up to you to decide that it's worth taking the risk. They may get hurt. And if they do, I hope they sue your ass to hell.

  5. #50
    {Jaxom,Imriel,Liam}'s Dad Kennedy's Avatar
    Quote Originally Posted by jeffcobb View Post
    which is completely missing when running as root.
    assuming bash, history.

    Now, granted if you allow an untrusted user to be root, then that user would probably delete all history, however, if the user makes a mistake, history CAN provide a record of what happened. Note that this is not always the case (as root really could screw something up and thus render the system useless prior to the history file being created). Though, the OP's original question sounded much like this was a machine that is exclusively his/hers.
    Last edited by Kennedy; 01-12-2010 at 02:09 PM.

  6. #51
    Reverse Engineer maxorator's Avatar
    Quote Originally Posted by MWAAAHAAA View Post
    The attitude reflected in the responses of certain people in this thread just ........es me off.

    In our company we develop high pressure pneumatic systems. A number of my coworkers insist that it is unnecessary to perform testing behind a blast screen, because "it's not going to explode anyway". Most of the time this is true. However, when something does blow, the shrapnel is as lethal as a gun-fired bullet. It actually so happened that once upon a time a thread failed, which sent a nut flying halfway through the workshop, which is about 10 meters, leaving a thumb-sized hole in a glass window before lodging itself in the wall. Fortunately, there were no body parts in its way.
    Assuming we don't have USB machine gun turrets plugged into our computers, we should be safe.
    "The Internet treats censorship as damage and routes around it." - John Gilmore

  7. #52
    Registered User jeffcobb's Avatar
    Quote Originally Posted by maxorator View Post
    Assuming we don't have USB machine gun turrets plugged into our computers, we should be safe.
    First, USB gun turrets are fun time-wasters on boring projects.

    But seriously work on a few medical devices and risk takes on a whole new meaning.

  8. #53
    Registered User jeffcobb's Avatar
    Quote Originally Posted by Kennedy View Post
    assuming bash, history.

    Now, granted if you allow an untrusted user to be root, then that user would probably delete all history, however, if the user makes a mistake, history CAN provide a record of what happened. Note that this is not always the case (as root really could screw something up and thus render the system useless prior to the history file being created). Though, the OP's original question sounded much like this was a machine that is exclusively his/hers.
    Well, kinda true and kinda not. Yeah, you will know someone acting as root did something stupid, but in the case of sudo you will know who the culprit was, unless the culprit's acct was hacked, in which case you have a whole new set of fun circumstances.
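    Kennedy's point is that bash history records what root did; jeffcobb's is that sudo records who did it. As an added illustration (not code from either poster), the following reads sudo's default syslog lines back into "who ran what, as whom" and flags the one case where that trail goes dark: a sudo into an interactive root shell, after which the individual commands are no longer logged per person. The log lines are constructed samples in the format sudo logs by default.

    ```sh
    #!/bin/sh
    # Constructed sample of sudo's syslog (auth.log-style) lines; not from the thread.
    # Default sudo format: "sudo: <invoker> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=..."
    SUDO_LOG='Jan 12 14:09:01 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
    Jan 12 14:11:30 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
    Jan 12 14:12:02 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=www-data ; COMMAND=/bin/ls /var/www
    Jan 12 14:15:45 box sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su -'

    # Print "<invoker> <target-user> <command>" for every sudo line in $1.
    # This is the attribution a shell history file cannot give: history is
    # per shell account, so everything done in a shared root shell looks alike.
    sudo_trail() {
        printf '%s\n' "$1" | sed -n \
            's/^.* sudo: *\([^ ]*\) : .*USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1 \2 \3/p'
    }

    # List invokers who used sudo to obtain an interactive root shell
    # (bash/sh/zsh or su). From that entry on, sudo logs nothing further, so
    # these are the invocations an auditor has to follow up on by other means.
    root_shell_escalations() {
        sudo_trail "$1" | awk '$2 == "root" && $3 ~ /\/(bash|sh|zsh|su)$/ { print $1 }'
    }

    # Number of sudo commands per invoker, sorted by name.
    per_user_counts() {
        sudo_trail "$1" | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
    }
    ```

    On a real system feed `sudo_trail "$(grep ' sudo: ' /var/log/auth.log)"`; the log path varies by distribution.
    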

  9. #54
    Reverse Engineer maxorator's Avatar
    Quote Originally Posted by jeffcobb View Post
    But seriously work on a few medical devices and risk takes on a whole new meaning.
    If the program operating the machines messes up, it doesn't matter if it takes the OS with it, it has already killed the patient anyway.

  10. #55
    spurious conceit MK27's Avatar
    Quote Originally Posted by MWAAAHAAA View Post
    The attitude reflected in the responses of certain people in this thread just ........es me off.

    In our company we develop high pressure pneumatic systems. A number of my coworkers insist that it is unnecessary to perform testing behind a blast screen, because "it's not going to explode anyway".
    That is a totally absurd analogy. NO ONE IS GOING TO GET INJURED HERE FOOL.

    I don't see anyone recommending that eg, NASA or even the public library allow everyone to log in as root and do what they want.

    Beyond that, I also don't see the value in being so paranoid about the computer you use at home to do work on, esp. if, like me, you use multiple installations and always back up. IMO that is a much safer and more responsible practice than just creating a username for yourself and believing you now have everything bulletproof, because the instruction manual tells you that.

  11. #56
    (?<!re)tired Mario F.'s Avatar
    Well, I agree the comparison was way off. But backups aren't a security measure, either.
    How about, get a username, use it AND make backups? But I guess that's too much work.

    Maybe Linux's much simpler and intuitive model sucks after all. That would explain why sudo is so much trouble to some of you.

    EDIT:
    Seriously, it's not what anyone does with their machine. Be my guest. But I'd expect at the very least a "Do as I Say, Not As I Do" type of argumentation. But to actually devalue or argue against the use of Linux's file-based security system is the last thing I'd expect from Linux users. One of the most important features of the Unix operating system, which set it apart from everyone else back in the day and allowed for its acceptance, is now being ignored by you people who so much enjoy criticizing the competition's security models? Frankly!
    Last edited by Mario F.; 01-13-2010 at 11:37 AM.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  12. #57
    Reverse Engineer maxorator's Avatar
    Quote Originally Posted by Mario F. View Post
    Well, I agree the comparison was way off. But backups aren't a security measure, either.
    How about, get a username, use it AND make backups? But I guess that's too much work.

    Maybe Linux's much simpler and intuitive model sucks after all. That would explain why sudo is so much trouble to some of you.
    Sudo actually is annoying to use all the time. I often have to modify configuration files or the grub boot list. It is really annoying that I just can't go into the folder where it is and open the file and edit it. Instead I have to open the command line, open the text editor with sudo, and then open the file. And that every time I need to edit something (since Linux generally doesn't have a good GUI configuration manager, I have to edit configuration files often).

    I'm switching to root soon.

  13. #58
    spurious conceit MK27's Avatar
    Quote Originally Posted by maxorator View Post
    I'm switching to root soon.
    Don't be afraid

  14. #59
    Frequently Quite Prolix dwks's Avatar
    I should mention that I've never lost any data under linux, but I have accidentally run "rm -rf /" in a shell script (I actually had "rm -rf /$fullpath", with "fullpath" typed in the wrong case so as to evaluate as an empty variable). Fortunately, because I was a non-root user, I got pages and pages of "permission denied" messages as it tried to delete /usr, and I was able to hit CTRL-C before anything was actually deleted.

    Running as root all the time is just stupid. Perhaps you haven't made any mistakes yet, perhaps you haven't yet been cracked into as a malicious user. But you still could. I know that if I walked up to a laptop whose owner had left it for a minute or two and saw "root@jayjay33# " I wouldn't think that they were an experienced Linux user . . . .
    dwk

    Seek and ye shall find. quaere et invenies.

    "Simplicity does not precede complexity, but follows it." -- Alan Perlis
    "Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
    "The only real mistake is the one from which we learn nothing." -- John Powell


    Other boards: DaniWeb, TPS
    Unofficial Wiki FAQ: cpwiki.sf.net

    My website: http://dwks.theprogrammingsite.com/
    Projects: codeform, xuni, atlantis, nort, etc.
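    dwks's near miss above is a script bug that only non-root permissions caught: an unset variable in "rm -rf /$fullpath" expands to "rm -rf /". As an added example (not dwks's script or anything from the thread), the block below shows that expansion, the ${var:?msg} idiom that makes the shell abort instead of silently producing an empty string, and a delete helper that refuses empty paths, "/", and anything outside a sandbox directory. The unguarded command is only printed, never executed, and the helper only ever deletes inside a directory the test creates with mktemp.

    ```sh
    #!/bin/sh
    # Added example. Nothing here deletes anything outside a temp directory.
    # (Running the script under "set -u" would also turn the unset variable
    # into an error; the guards below work even without it.)

    # Show what the unguarded command expands to. It is printed, not run.
    expand_unguarded() {
        fullpath=$1
        printf 'rm -rf /%s\n' "$fullpath"
    }

    # The ${var:?msg} idiom: with fullpath empty or unset the shell prints the
    # message and aborts instead of expanding to "". Done in a subshell so the
    # abort surfaces as a non-zero return code rather than killing the caller.
    expand_guarded() {
        ( fullpath=$1; printf '/%s\n' "${fullpath:?fullpath is empty}" ) 2>/dev/null
    }

    # Defensive delete: refuse an empty target, refuse "/" or the sandbox root
    # itself, and refuse anything not underneath the sandbox directory ($2).
    # Only then run rm. The "--" stops a target beginning with "-" from being
    # read as an option.
    safe_remove() {
        target=$1
        sandbox=$2
        if [ -z "$target" ]; then
            echo "refusing: empty target (variable misspelled or unset?)" >&2
            return 2
        fi
        case "$target" in
            /|"$sandbox"|"$sandbox"/)
                echo "refusing: $target is the root of the tree" >&2
                return 3 ;;
            "$sandbox"/*)
                ;;                         # inside the sandbox: allowed
            *)
                echo "refusing: $target is outside $sandbox" >&2
                return 4 ;;
        esac
        rm -rf -- "$target"
    }
    ```
    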

  15. #60
    Registered User C_ntua's Avatar
    Quote Originally Posted by maxorator View Post
    If the program operating the machines messes up, it doesn't matter if it takes the OS with it, it has already killed the patient anyway.
    Which would have no reason to have an all-purpose OS in the first place. If you want maximum security you use a maximum security system. The better way not to get a virus from the internet is simply not to use the internet. You won't run unnecessary programs either.

    To answer the question: what do you mean, "so bad"?
    It is already proven that there is some bad.

    If this is the "driving can kill you so don't drive" type of morals, nobody is buying it.
    On the other hand, if there is 0.001 % chance of something going wrong by running a program as root, why do so? You can gamble with other things...
