Root Login [Solved]

Hoser Rob

Re: Root Login

Post by Hoser Rob »

dorian_mode wrote:... I was interested in a more detailed explanation of 'why' never gui as root?
Jeez. Try a search engine. Say with the string "linux why you should not be root".

In larger multiuser unix/linux installations, typically there is only one staff person with root privileges: the system administrator. An SA I know has a T-shirt that says "I am root. Kneel before me". This is only partly for security reasons.

In unix/linux if you have root privileges ... n.b. this is not the same as sudo privileges ... the system will assume you know exactly what you are doing. This is much worse than buggering up ownership of files. You can seriously break your system.

The bottom line for me is that if you need to ask why you shouldn't be root, and why ubuntu doesn't have a root password by default, you sure as hell should not be root.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
austin.texas

Re: Root Login

Post by austin.texas »

Please note that any text editor or any graphical program should be opened with the command "gksudo", not "sudo".

Using sudo to run a graphical program opens up a possibility of messing up file permissions.
Sudo runs as the current user with elevated privileges. This has the potential of changing file permissions of certain user config files (relating to your graphical environment) when running graphical apps. You may find errors occurring when running these apps again without sudo, because some of the configuration files may have become owned by root instead of the user.
gksudo (kdesudo under KDE) runs the apps as root user, thus any file permissions touched are on root's files, not the user's files.
Running these apps again without gksudo/kdesudo will always have the normal behavior.
Mint 18.2 Cinnamon, Quad core AMD A8-3870 with Radeon HD Graphics 6550D, 8GB DDR3, Ralink RT2561/RT61 802.11g PCI
Linux Linx 2018
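A check for the symptom described in the post above, files inside a user's home directory that have ended up owned by someone else (typically root). This is an added example, not part of the original post, and the function names are hypothetical:

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# find_foreign_owned DIR OWNER
#   Print every path under DIR whose owner is not OWNER (login name or
#   numeric UID). -xdev keeps find on one filesystem, so network shares
#   and other mounts below DIR are not walked.
find_foreign_owned() {
    find "$1" -xdev ! -user "$2" -print 2>/dev/null
}

# count_foreign_owned DIR OWNER
#   Number of such paths (assumes no newlines in file names).
count_foreign_owned() {
    find_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# report DIR OWNER
#   Returns 0 when DIR is clean, 1 when something is owned by another user.
#   It only prints a suggested repair; it never changes ownership itself.
report() {
    n=$(count_foreign_owned "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $1 is owned by $2"
        return 0
    fi
    echo "$n path(s) under $1 are not owned by $2:"
    find_foreign_owned "$1" "$2" | sed 's/^/  /'
    echo "After reviewing the list, repair each entry with:"
    echo "  sudo chown -R $2: <path>"
    return 1
}

# Typical use, as the normal user (no sudo needed to look):
#   report "$HOME" "$(id -un)"
```
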
Cosmo.

Re: Root Login

Post by Cosmo. »

dorian_mode wrote:I was interested in a more detailed explanation of 'why' never gui as root?
Because in this case the whole environment, in which you are running, runs with elevated rights. That is what Windows does if you log in with an admin account and this is the reason why Windows systems are comparatively easily vulnerable systems. That means, if an attacker gets somehow into the system (maybe via Internet) he has all rights and can do what he wants to.

Modern OSes have the ability to make use of privilege separation (also Windows NT, 2000 and up), but Windows practically undermines this, because for MS comfort counts higher than safety. There is indeed no need to do such a stupid thing. A Linux user who is a member of the group sudo (that is at least the user account which gets created during installation) can do all needed things via sudo (terminal commands) or gksudo (kdesudo in case of the KDE desktop) for graphical programs. But as long as the Linux user does not execute a command for doing some system tasks, all runs with limited privileges. The result is that the system is protected against attacks.

There are people who argue that they are the owner of the computer and they want to do whatever they do. They don't know, or they don't understand, that at the moment when an attacker was successful, they are no longer the owner of the machine; all they have is the imagination of being the owner. Compare it with your home: You are the owner, but only as long as the burglar didn't come in because you failed to close doors and windows properly. At least I don't know any person who would leave all possible entries open with the "argument" "I am the owner".
cwsnyder

Re: Root Login

Post by cwsnyder »

Why never GUI as root?

Many errors never show up in a GUI. Also, many warnings never show up in a GUI. Simply launch (without sudo) some of your favorite applications and watch the terminal screen to see the results, which will show that I speak truly.

Do you know exactly what your application in a GUI does? Have you examined the code, including all system calls on dependencies? Do you know what temporary and configuration files are used in what folders, with what owners, and what is changed during operation of the program? How well does your GUI clean up after itself? Are you aware of buffer overflow and underflow boundary conditions? These aren't a problem if you run as a normal user, but can really mess up your system for any 'normal' user login from a root login.

I would not say never GUI as root, for example Synaptic package manager and archive manager may not operate as required if run as a normal user, but certainly never run a program as root which can be run as a normal user.

Even distributions which set up a root user as default warn about logging in as root except under specific circumstances, which usually precludes logging in to a graphical desktop.
dorian_mode

Re: Root Login

Post by dorian_mode »

Thank you both, Cosmo and cwsnyder for the detailed explanation. This is very helpful, I appreciate it.
dorian_mode

Re: Root Login

Post by dorian_mode »

austin.texas wrote:Please note that any text editor or any graphical program should be opened with the command "gksudo", not "sudo".

Using sudo to run a graphical program opens up a possibility of messing up file permissions.
Sudo runs as the current user with elevated privileges. This has the potential of changing file permissions of certain user config files (relating to your graphical environment) when running graphical apps. You may find errors occurring when running these apps again without sudo, because some of the configuration files may have become owned by root instead of the user.
gksudo (kdesudo under KDE) runs the apps as root user, thus any file permissions touched are on root's files, not the user's files.
Running these apps again without gksudo/kdesudo will always have the normal behavior.
Thank you for this. I was reading an example earlier today where someone operating as root had inadvertently changed file ownership to root and was unable to access them as user. Thankfully his problem was resolved with help from forum members. His experience combined with your explanation is gratefully appreciated. :)
dorian_mode

Re: Root Login

Post by dorian_mode »

Hoser Rob wrote:
dorian_mode wrote:... I was interested in a more detailed explanation of 'why' never gui as root?
The bottom line for me is that if you need to ask why you shouldn't be root, and why ubuntu doesn't have a root password by default, you sure as hell should not be root.
There are a lot of things I want to learn, and I am not too proud to ask. Please point out for me where I asked "why ubuntu doesn't have a root password by default."
dorian_mode

Re: Root Login

Post by dorian_mode »

I appreciate the response to this thread, I have learned more about this topic in one day from the explanations given here than I did in a year using ubuntu. Although the ubuntu forum is extremely helpful, I always felt stymied when asking about this topic. Thanks to everyone, I'm sure this thread will benefit more than just me. :)
II-Trax-II

Re: Root Login [Solved]

Post by II-Trax-II »

<quote> any mentioning logging into Root</quote>

Adding to this thread. Pjotr was right in his warning "Don't activate the root account and for God's sake don't ever login graphically as root."

Editing Fstab I changed the UUID's to paths (/dev/XXX) they were correct. I had a situation with Win10 I won't get into as it would take a leap of faith, yet required the format of the Windows partition. Logging into Linux Mint Cinnamon the first time since the Fstab edit I was in what seemed a new Install of mint.

The Fstab was back to UUID's and Gparted showed that Root and Home had changed positions with me being in Root yet called home. Switching the UUID's of Root with Home got me back but each day is a different error, missing program, or problem of some sort. I'd be the first to admit I can't pull out of this one and be required to reinstall my Mint OS.
F M Waterman

Re: Root Login [Solved]

Post by F M Waterman »

Although it has been some time since anyone has added to this post, I would like to comment that of all the posts I've read in all of the forums I participate in, or have participated in, this specific post is one of the most cogent and informative that I have had the pleasure to read.

Thank you to all that have participated in its creation.
fruitkiller

Re: Root Login [Solved]

Post by fruitkiller »

I want to be able to login as root, just once and quick, the way I found for Linux Mint Rebecca (17.1) worked once as a kind of "enter your login" which Ubuntu and Mint had in the past, not sure about Ubuntu now, I quit when 12.04 was making my hair stand up in anger at times, and when I "upgraded" to 12.10, it couldn't handle gnome-classic, it would boot but it was impossible to click on anything then I switched to Mint 13 and 15 quickly thereafter and followed up 16, 17.3 (not going into 18 territory yet, as it is not compatible with some hardware on my main desktop).

Anyway, my VPN service, which I mainly add openvpn servers to the network-manager to, is in the greats, the kind you settle on after looking at that gigantic table of VPN services and their features (or bugs) or outright failures. Mine's pretty solid for various reasons, and I was rather curious when it was the first vpn service that had instructions on how to use L2TP/IPSEC protocol. So just to test, I followed the guide and added just 3 servers and tried it and yep, it worked. I got L2TP IPSec VPN Applet and L2TP IPSec VPN manager. That's all nice and dandy, it's already much more of a pain than in windows where they have a gui, they don't for linux, gotta add the files and the key files etc. logins and passes all manually and then 3 months later you need to delete a bunch you installed because they are no longer operational and you need to download the config files and the key-files again. Anyway, I found that in case I can't use OpenVPN for some reason, L2TP IPSec meanwhile could be an option better than pptp (for god's sake, they should stop, microsoft even replaced it with sstp which just a few vpn providers offer, likely for very good reasons).

The problem is when I say reboot or shut down the PC cleanly, through System->Shut Down or Restart, I'll see Mint's Logo and then it will disappear and I will see some text, modemmanager shutting down, and something about Amsterdam-3, Stockholm-8, Austria-9 (not actual names, but the 3 servers) being somehow shown, I'm not sure it's saying disconnecting (if it would, I would have panicked a long time ago, but that's stuff happening in the back, or in the other user I created just to be able to "debug" caja when suddenly (rarely happens, but it does, it will go into Zombie mode and there's no folder browsing possible, so I made that other user to log in and do a short command to bring back caja to life and logout. Is there a logfile of your last shutdown and/or restart? I could show you, I want to know what's going on, and since it's not something that should show up as it's not a PID, if I don't turn on the manager, the icon doesn't show up in the notification area. So that's why I want to go into root and somehow delete L2TP related packages while there. But first, being able to remember what happens at shutdown, something I see rarely would be useful for me and others to have a guess at what is going on.
JerryF

Re: Root Login

Post by JerryF »

Hoser Rob wrote: Jeez. Try a search engine. Say with the string "linux why you should not be root"...
Then why have a forum?
fruitkiller

Re: Root Login [Solved]

Post by fruitkiller »

^^
Indeed, let's all just trust our masterminds at google. *cough*duckduckgo*cough*ixquick*.

But also don't believe what you read on the internet, it's all false, especially on these dark corners of the internet called "forums" or BBS'! :roll:
Wompoo

What is "login to root"?

Post by Wompoo »

Thanks for this thread dorian, and to all the respondents for the good replies.
I take the unanimously agreed advice to never login to root.
So, what then is "login to root" please?
I am asking this not because I want to do so, against the good advice, but to know exactly what it is and so avoid doing so inadvertently.

Also, how does one (again inadvertently) open a program as root?
I am asking this due to prolonged permission problems I experienced with gaining access to my own file in LibreCad. So much so, that I finally abandoned the application. It is only now I realise that it was my incorrect management of my operating system most likely.
Desktop PC #1
Linux Mint 20.3 MATE desktop (64-bit), Asus
ASUSTeK model: P5G41T-M LX, 8 Gb RAM
Fred Barclay

Re: What is "login to root"?

Post by Fred Barclay »

Wompoo wrote: Mon May 07, 2018 7:06 pm Also, how does one (again inadvertently) open a program as root?
sudo <program_name> or gksudo <program_name> is probably the most common way of opening a program with elevated permissions (read that: as root). It's not precisely the same as really running it as root, but it has much the same effect. (To actually run as root, you'd have to either log in as root or do su root first. These may no longer be immediately possible on Mint 18.3 if I recall correctly).

TL;DR: don't run a program with sudo or gksudo unless you actually have to. You'd basically be running it as root.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Wompoo

Re: Root Login [Solved]

Post by Wompoo »

Thanks for that explanation Fred.
It lays to rest the suspicion that I opened LibreCad as root when I had all the trouble with permissions.
I have never opened an application that way.
Desktop PC #1
Linux Mint 20.3 MATE desktop (64-bit), Asus
ASUSTeK model: P5G41T-M LX, 8 Gb RAM
mik007san

Re: Root Login [Solved]

Post by mik007san »

Correction Please w.r.t. the admonition to never login as root -

There is certainly at least one instance I can think of when the supreme operator MUST login as root - And that is when changing the Linux Mint "administrative" account's user ID and group ID, assuming there are only two accounts on the server system. One cannot run the "usermod -u <NEWUID> <LOGIN>", "groupmod -g <NEWGID> <GROUP>", "find / -user <OLDUID> -exec chown -h <NEWUID> {} \;", and "find / -group <OLDGID> -exec chgrp -h <NEWGID> {} \;" commands from a sudoers or a semi-persistent "su -" root session because the "administrative" account must be totally closed and logged-out. Any presence of "administrative" account activity will nix the ability to change the UID and GID.

Of course one should NEVER login as root while in a public area - including directly connected to the Internet without some solid firewall protection. However, network admins inside a secured Intranet have been logging in as root via ssh and console for years without dire results.

The biggest problem I have ever dealt with is Java programmers and their supervisor inserting a DMZ police information server with a blank JBOSS password - It took the Chinese/Indonesians/Romanians/Russians (The successful attack was actually a chained hand-off) about 3 hours to discover the ID10T "flaw" - And another 5 minutes for me to recognize the problem and kill the server. Fortunately I refused to give their JBOSS account root privileges, which made it easy to 'bash' trace the actions taken by these foreign enemies - and all they got from their troubles was a 5 minute cloned ssh attack. 8)