Linux Mint Forums

[dutrow]

For some reason, my root/administrator account does not show the lock-box that indicates software patches are available. I can see it on my other user accounts, but I cannot perform the updates from there. So, two questions.

1) How to I reclaim the lockbox icon in my root/administrator account?

2) How do I perform updates/installations while logged into a regular user account?


(I am a Linux Mint newbie, but a moderate Linux user.)

[FedoraRefugee]

For some reason, my root/administrator account does not show the lock-box that indicates software patches are available. I can see it on my other user accounts, but I cannot perform the updates from there. So, two questions.

1) How to I reclaim the lockbox icon in my root/administrator account?

2) How do I perform updates/installations while logged into a regular user account?


(I am a Linux Mint newbie, but a moderate Linux user.)

You should NEVER need to log into your root account! Everything can be done from the user account using either sudo or su. If you need a graphical application you can open it with gksu or gksudo (they are the same).

What problem are you having trying to run the update manager in your user account? Is it not popping up the sudo password window?

[rich_roast]

This seems to be coming up frequently lately.

A related thread, which includes a brief explanation of why it's a bad idea to run x as root, is here.

It occurs to me that there might be an unknown number of users of Mint logging in to an X session regularly as root, an idea which just made me shiver a little despite the clement weather. It might be a good idea if somebody stickied a note to not do this in one of the boards, perhaps the newbie one or rules & notices (or both). It also occurs that it could be added to the user manual and also to that little board that appears when you first log on to a fresh install.

[edit:]a more drastic alternative is to somehow make it so that, when installed, root may not log in, at least not in runlevel 5. I'm not 100% on how to achieve this, though. Also, browsing default user settings here on fluxbox CE, I just noticed that root doesn't have permissions to do anything, including connect to the Internet (which is how it should be). Is this Fluxbox specific? If not, are people actually going ahead and deliberately granting root permissions?

[remoulder]

a more drastic alternative is to somehow make it so that, when installed, root may not log in, at least not in runlevel 5

GASPS - you can't do that - you'd have the open source is a democracy brigade up in arms However I do agree, though it has to be done via pam.

[rich_roast]

a more drastic alternative is to somehow make it so that, when installed, root may not log in, at least not in runlevel 5

GASPS - you can't do that - you'd have the open source is a democracy brigade up in arms However I do agree, though it has to be done via pam.

That did occur to me, as it happens, but I reasoned that if a user ever really wanted to put it back then there'd be nothing stopping them looking up pam's documentation and doing it. This would also be a litmus test that the person were sufficiently skilled to know what they're doing by granting root's login - with freedom comes responsibility .

Thanks for reminding me about pam, btw, it's been a while since I really went under the Linux hood and I'd forgotten about authentication modules. Time was I was configuring that myself for my Linux From Scratch...

[FedoraRefugee]

Fedora did EXACTLY that! You cannot log into root in init5! That is one of the main reasons I LEFT Fedora!!! See, as much as I agree with not running as root, and believe me, read my posts in here or the things I have written as JN4OldSchool in the Fedora forum, I will not even help anyone if I even have a suspicion they are running as root, I do not condone dumbing down Linux. You should be free to do whatever you want in Linux, even if it is detrimental to your system. The bad part about this one though is the possibility of creating Linux zombies unknowingly spamming the world. This hasn't happened yet, but who knows...Running as root does pose a risk to everyone.

Even so, education is the best safeguard. It is the same as with firearms. You want to decrease accidents? Then TEACH kids HOW to use guns!!! Sure, there will always be the dorks that buck the system, but most people, once you explain the alternatives, will come to understand the foolishness of running as root when there are alternatives.

[rich_roast]

Fedora did EXACTLY that! You cannot log into root in init5! That is one of the main reasons I LEFT Fedora!!! See, as much as I agree with not running as root [...] I do not condone dumbing down Linux. You should be free to do whatever you want in Linux, even if it is detrimental to your system.

I agree with the assertion that dumbing down Linux is a bad thing, but I am not convinced that setting the default install to bar root from logging in at init5 necessarily means that. I am assuming that anyone wishing to reconfigure pam to allow them to login as root at that runlevel would be able to do this; pam's online documentation doesn't seem to have been finished but it seems to me that someone wishing to run X as root would be able to educate themselves to that effect - thereby learning about Linux and security. The problem at this time appears to be that an unknown number of users seem to be logging in to an X session as root on a regular basis without necessarily knowing about the potential dangers - dumb Linux.

It's probably quite easy to overstate the dangers of running X and GUI apps as root, too. I'm pretty sure that in the heady days of my Linux youth (FC 2, then later LFS) I ran X as root once or twice, usually after installing to make some pretty hefty configuration changes before settling down to regular use. To my knowledge I was never burned. That said, this was also because back in them days there wasn't the same level of ease in getting the OS to run satisfactorily post-install as a regular user (IIRC - or maybe it was just me being a mewling newbie ), and these days I can't think of any good reason to log in as root, although I'm open to suggestions.

As it is, I stand by my thinking that it would be a good idea to bar root from logging in on the default install (or provide a recommendation to do this during the install process with an explanation - although this would probably mean a somewhat significant amount of adapting the installer program), and as a minimum a notice somewhere visible that logging into an X session as root is a bad idea. I'm all in favour of education and see these suggestions as the most effective way to achieving this; as it is I think users are using their root account in an uneducated manner because there's no direct incentive to check any documentation before just doing it, which in these days of "instant gratification" (that some other threads seem to be talking about) is possibly the norm.

[FedoraRefugee]

Fedora did EXACTLY that! You cannot log into root in init5! That is one of the main reasons I LEFT Fedora!!! See, as much as I agree with not running as root [...] I do not condone dumbing down Linux. You should be free to do whatever you want in Linux, even if it is detrimental to your system.

I agree with the assertion that dumbing down Linux is a bad thing, but I am not convinced that setting the default install to bar root from logging in at init5 necessarily means that. I am assuming that anyone wishing to reconfigure pam to allow them to login as root at that runlevel would be able to do this; pam's online documentation doesn't seem to have been finished but it seems to me that someone wishing to run X as root would be able to educate themselves to that effect - thereby learning about Linux and security. The problem at this time appears to be that an unknown number of users seem to be logging in to an X session as root on a regular basis without necessarily knowing about the potential dangers - dumb Linux.

It's probably quite easy to overstate the dangers of running X and GUI apps as root, too. I'm pretty sure that in the heady days of my Linux youth (FC 2, then later LFS) I ran X as root once or twice, usually after installing to make some pretty hefty configuration changes before settling down to regular use. To my knowledge I was never burned. That said, this was also because back in them days there wasn't the same level of ease in getting the OS to run satisfactorily post-install as a regular user (IIRC - or maybe it was just me being a mewling newbie ), and these days I can't think of any good reason to log in as root, although I'm open to suggestions.

As it is, I stand by my thinking that it would be a good idea to bar root from logging in on the default install (or provide a recommendation to do this during the install process with an explanation - although this would probably mean a somewhat significant amount of adapting the installer program), and as a minimum a notice somewhere visible that logging into an X session as root is a bad idea. I'm all in favour of education and see these suggestions as the most effective way to achieving this; as it is I think users are using their root account in an uneducated manner because there's no direct incentive to check any documentation before just doing it, which in these days of "instant gratification" (that some other threads seem to be talking about) is possibly the norm.

It is quite easy to reconfigure pam. In fact, a new user does not ever go through the "don't run in X" indoctrination, they simply search "log in as root" in the forum and follow the easy, laid out directions in the 20 how-to's in that forum! In fact, my good buddy Rahul (one of the devs) will waste all his breath arguing FOR this feature then he writes his own how-to in the Fedora wiki to bypass it. And can just not recognize the hypocrisy involved. But I digress... It has reached the point where it is like telling a ten year old kid "don't you dare do this, I will not allow it, I will lock the door so you can't get it!" then leaving the key on the table. What the heck do you think the kid is going to do? I just fail to see the point.

Anyway, you are also correct in that threads that evolve into the "don't dare run as root" will always overstate the dangers. We have all logged in as root, the function is there for a purpose. Once we get our Linux legs we figure out we really do not need to do this, but the dangers are minimal. It is just as easy to bork something running as su in the user account. And other than root kits I have yet to hear about any serious Linux threats. I suppose you could be hacked, but...

Anyway, the point is why not just spend the time educating people on the correct way to do things? That has always been my approach. Linux used to be straight-forward and simple (at least in function, maybe not so much in execution). I miss that. I just do not need all these added complications, especially when they are pointless.

[remoulder]

Personally I blame MS for making XP so unusable as an ordinary user that you just had to log in as administrator in order to use the system. Users have become blasé about this and brought this attitude over to linux. It's a difficult call to make , education is probably the most enlightened but there are always going to be users who 'know' better - usually (but always) teenagers Perhaps - even though easily bypassed by those determined - setting the initial default as prohibited makes sense if it discourages the majority?

FedoraRefugee - a small request - do you think you could be more selective in your quoting?

[rich_roast]

...remoulder got there first but I think what I have to contribute also addresses his contribution.

[...]
It is quite easy to reconfigure pam. In fact, a new user does not ever go through the "don't run in X" indoctrination, they simply search "log in as root" in the forum and follow the easy, laid out directions in the 20 how-to's in that forum! In fact, my good buddy Rahul (one of the devs) will waste all his breath arguing FOR this feature then he writes his own how-to in the Fedora wiki to bypass it. And can just not recognize the hypocrisy involved. But I digress... It has reached the point where it is like telling a ten year old kid "don't you dare do this, I will not allow it, I will lock the door so you can't get it!" then leaving the key on the table. What the heck do you think the kid is going to do? I just fail to see the point.

D'oh! :facepalm: That's a tragically hilarious state of affairs, thank you for apprising me. I haven't bothered to look lately, not needing to run X as root anyway. I agree with your analysis, by and large, it might be a futile exercise. Besides, hosing one's own install is a good education in itself, and will no doubt stick with a user much better than any number of portentous warnings from smug Linux boffins anyday Speaking of which...

[...] threads that evolve into the "don't dare run as root" will always overstate the dangers. We have all logged in as root, the function is there for a purpose. Once we get our Linux legs we figure out we really do not need to do this, but the dangers are minimal. It is just as easy to bork something running as su in the user account. And other than root kits I have yet to hear about any serious Linux threats. I suppose you could be hacked, but...

Agreed... I've already expressed doubts about the privileges dichotomy between root and the regular user (and the ease with which a regular user substitutes root in) in a certain security related thread. Later in that thread I also pointed to the package users solution from LFS, although I still suspect that's far too involved a solution for the time being.

I think the fact is that as a personal computer user, using it for your own business, there isn't a sufficient incentive for a cracker to go to the effort of even checking to see if you're running X as root. For those systems that count, the administrator with the root password should know better than to login as root anyway. Hopefully... Hmph.

Anyway, the point is why not just spend the time educating people on the correct way to do things?

Am I right in thinking that mod privileges are needed to sticky something in the forum? Well, here's a draft message that a wandering mod might feel like sticking someplace:

**********************************************************
*Dangers of logging in to the GUI desktop as root*
**********************************************************

It seems that some users of Linux Mint are logging in as root, without necessarily knowing the full implications.

While you are perfectly entitled to do this, it is not a recommended course of action, because there is a chance that it could harm both your own system and, if you use your computer to connect to the Internet, those of other computer users.

The reason for this is that, as opposed to your regular user account (the one that you created during the installation process, or another that you have created subsequently to installing), root has the ability to do almost anything, anywhere in the file system.

Note also that when logged in as root, any applications that you launch also run with this dangerously high level of privileges.

This means that if, when logged in as root, a malicious software package is executed on your system, it will have the ability to write commands, cron jobs (processes which will run at certain times), and settings to anywhere in your operating system's file hierarchy.

It also means that should there be a bug in a GUI application (such as the web browser Firefox), this could compromise your system, even though that same application is perfectly safe to run as a regular user.

Furthermore, since GUI applications (such as the web browser Firefox) are not written with being run as root in mind, there may be security issues that may allow a malicious third party to compromise your system. Even with the best security intentions in mind, there is still always the possibility of zero-day attacks (whereby a bug is exploited before the software developers have a chance to patch it) which will leave your system vulnerable.

The bottom line is to never log in the graphical interface as root.

This is simply good security practice, and an everyday part of running a GNU/Linux operating system.

There should be no need to log in to the graphical interface as root. You may always use the "sudo" and "gksudo" commands to run command line interface and graphical user interface applications in situations where you need to obtain root privileges, temporarily, to install software or change configuration settings. If you run applications which require these privileges from the main menu, they will pop up a window requiring your password. If you run applications from the command line that require these privileges, an error message to the effect of "access denied" will alert you to the need to obtain these privileges by prepending "sudo" to the command is necessary.

It is ultimately in everyone's interests that logging in to an X session as root is minimized.

[FedoraRefugee]

Yeah, good notice!

You even touched on the fact that most apps are NOT designed to be run as root. I have seen more problems by this than anything else! People running as root try and install something and it will never work right.

I guess experience is usually the best teacher. Those that argue about running as root generally don't stick around long anyway.

[rich_roast]

FedoraRefugee's post prompts me to also reaffirm that there might be plain old bugs as well as security flaws which will prevent GUI apps from being run as root full stop - great point.

Another addition might be a web developer (like I want to be) might want to use /var/www regularly - my solution has been to chown that to my regular user; if this is a bad idea I'd like to be informed now, but I figured it was better than doing my web development as root.

Note that I'm not serving to anything other than localhost.

[remoulder]

Good well worded notice Richard. John any chance you can sticky this?

[Fred]

FedoraRefugee wrote:

And other than root kits I have yet to hear about any serious Linux threats. I suppose you could be hacked, but...

One avenue that may have slipped past you is the fact that many attacks these days occur through the browser. A malicious script or java app. run as root by the browser would have the run of the "candy store." True most are tailored to Windows but that's only because their isn't much of a Linux target of root permission browsers, yet. Though as has been pointed out in this thread there is an increasing number of new users running root X sessions. Writing a simple java routine to take advantage of this would be trivial.

Fred

[Biker]

Considering FireFox has gone through a couple of security updates, and 3.5x is still the latest in the repository, getting nailed through a browser exploit is more than feasible. And while many don't consider the threat to Linux as something to worry about, I do. Regardless of the active threats in the wild, all it takes is one to compromise your machine.

[rich_roast]

This kind of serves as a bump for John too, but it genuinely just occurred to me that logging in as root is frankly a PITA further down the line when returning to log in as a regular user afterwards, if only for the simple fact of having to chown or sudo to modify or remove any files created during the root session. For example, let's say I'm taking notes in mousepad or whatever on a complicated process that I logged in as root to do, also let's say I'm saving them to my regular home directory for safekeeping and to refer to later. Or that I downloaded a couple of tutorial pages from the Internet (shock, horror!) and saved them.

Now I might be able to read said files but when it comes to the time I want to remove them or modify them I have to go through the rigmarole of changing owner or, a worse solution, sudo a command every time.

Let's say, alternatively, that I'm just saving them to /root. That's even worse, really. Now I have to go looking for them in an unusual place.

It's all getting a bit work intensive for my liking (I'm a big fan of streamlining). And ultimately undeserved; it all could have been avoided by not logging into X as root as the first place.

Perhaps it's a small point but, if memory serves, one that actually did irritate me back when I did log in to X as root those times. I was never seriously burned by logging in to an X session as root, but I did still suffer, even in this small way.

Logging in to an X session as root is just goofy in probably 95% or more of cases. This is a down to earth rather than scary example of why this is so.