Michael Robertson Says Root is Safe

Posted by timothy
from the he-calls dept.
Kez writes "HEXUS.net caught up with Michael Robertson, CEO of Linspire, at the UK launch of Linspire 5. Their interview with Mr. Robertson covers everything from hardware support to software patents, but a comment from Mr. Robertson on using root is perhaps the most interesting: "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't." I would imagine a few Slashdotters would dispute that."
  • Okay now... (Score:5, Insightful)

    by DarkHelmet (120004) * <mark@@@seventhcycle...net> on Monday April 18, 2005 @06:47PM (#12275337) Homepage
    Let's see
    • Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful. Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.
    • rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.
    • ActiveX and a lot of spyware are contained in Windows when running as non-administrator. It's running as admin (like most people do) that causes the majority of problems with things.
    This kind of talk is pandering to the lowest common denominator of user. Honestly, I feel users SHOULD learn a little bit about privileges before being handed the machine, and clicking on that file attachment.

    I know Slashdot attempts to soundbite things just like any other modern news media, so I'll quote:

    Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

    MySQL, for instance, runs as a separate user. If I so desired, I could limit the login / password for my MySQL account to only allow row INSERTs and SELECTs, but no DELETEs or DROPs. If someone were to break into my account, they could see my data, but at least they couldn't delete from the table. As root, they could stop and start the actual service, and wipe out the whole directory for that matter.

    I generally see what he's saying about data being king. But if your data is that important, you'll have other safeguards for protecting it, typically via (dun dun dun), user management! For instance, keep your accounting files under a different user, home directory chmodded to 700. Stuff like that.

    Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit.

    Cars happen to have seat belts. Roads also have speed limits, so this analogy is flawed.

    The best way for Linux to break into the market isn't to emulate windows entirely. The best way is to take the best of what windows has to offer, and augment it with the best of what Linux has to offer. After all, look at Firefox. Firefox didn't choose to adopt ActiveX, or adopt Microsoft's proprietary style transitions, or render CSS in the same broken way, right? Neither should Linux, or in this case, Linspire.
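The "keep the accounting files under a different user, home directory chmodded to 700" safeguard from the post above, as an added example in POSIX sh that is not part of the thread and not Linspire's code: a check that a tree really is owner-only, plus the one-line fix. It is here because chmod 700 on the top directory alone does not make the files below it private; they keep whatever the umask gave them, so the moment the top directory is relaxed or the tree is copied, everything is readable. The accounting directory and ledger file in the demo are constructed, and the owner checked is whatever `id -un` reports.

```shell
#!/bin/sh
# Added example, not code from this thread or from Linspire.
# Checks that a directory tree meant for one user really is owner-only.
# chmod 700 on the top directory keeps other users out of it, but files
# created inside it under the usual umask 022 are still 644, so if the top
# directory is ever relaxed, or copied elsewhere, everything is readable.
# The audit finds anything under DIR not owned by OWNER or carrying any
# group/other permission bit. Directory and file names in demo() are
# constructed; the owner checked is whatever id -un reports.

# audit_private_tree DIR OWNER
# Prints "exposed: PATH" for each offending path (DIR itself included).
# Returns 0 if the tree is owner-only, 1 if anything was printed,
# 2 if DIR does not exist.
audit_private_tree() {
    [ -d "$1" ] || { echo "no such directory: $1"; return 2; }
    # -perm -MODE with a single octal bit tests "is this bit set"; the six
    # tests together cover every group and other bit without GNU-only syntax.
    a_bad=$(find "$1" \( ! -user "$2" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -n "$a_bad" ] || return 0
    printf '%s\n' "$a_bad" | sed 's/^/exposed: /'
    return 1
}

# lock_down_tree DIR
# Strips every group and other bit below DIR, which is what "chmod 700 the
# home directory" is meant to achieve for the files under it as well.
lock_down_tree() {
    chmod -R go-rwx "$1"
}

# Stand-alone demo: a constructed accounting tree, audited before and after.
demo() {
    t=$(mktemp -d) || return 1
    me=$(id -un)
    mkdir -p "$t/accounting/2005"
    printf 'date,amount\n' > "$t/accounting/2005/ledger.csv"
    chmod 755 "$t/accounting" "$t/accounting/2005"      # what umask 022 gives
    chmod 644 "$t/accounting/2005/ledger.csv"
    echo "before lock-down:"
    audit_private_tree "$t/accounting" "$me"
    lock_down_tree "$t/accounting"
    echo "after lock-down:"
    audit_private_tree "$t/accounting" "$me" && echo "  owner-only: OK"
    rm -rf "$t"
}

demo
```

The owner test matters as much as the mode test: a file under the accounting user's home that is owned by the everyday login account is one the everyday account can re-open at will, whatever its mode says.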

    • Re:Okay now... (Score:5, Insightful)

      by malfunct (120790) on Monday April 18, 2005 @06:59PM (#12275489) Homepage

      Even if user data is the most important thing, if you run as root on a multi user box you put every users data at risk instead of only your own.

      The other thing, and this isn't easy to do in many OS's, that would be nice is granular escalation of privilege. As you point out in your SQL example, if you need someone to do inserts you shouldn't have to allow them to delete.

      • by Anonymous Coward
        Even on a single-user system, there is a damn good reason to run non-root: otherwise, if an attack makes its way in, you'll have no way to know about it. That's because every utility you could use to verify the integrity of the binaries and libraries and kernel you use can be altered by root.

        Not everyone takes proper advantage of the root privilege separation. Popping up dialog boxes asking you to enter your root password, for example, was a terrible design decision on the part of most distros. And sudo
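The point in the comment above, that every tool you would use to verify the system can itself be altered by root, is what makes a baseline stored off the box the only useful kind. As an added example in POSIX sh, not part of the thread and not Linspire's code, here is the smallest workable baseline-and-verify pair: hash every regular file under a directory, keep the sorted list wherever the caller says (read-only media or another host in real use), and later recompute and diff. The tree, the file names and the "replaced ps" in the demo are constructed. The caveat applies to this script too: run it from a boot medium with its own sha256sum, diff and kernel, because a rooted system can lie about file contents to any checker that runs on it.

```shell
#!/bin/sh
# Added example, not code from this thread or from Linspire.
# A minimal integrity baseline: hash every regular file under a directory,
# store the list, and later recompute and compare. The baseline path is a
# parameter because the comment above is right that nothing stored on the
# checked machine can be trusted once an attacker has root: the stored
# hashes, sha256sum, diff and the kernel answering read() are all theirs.
# In real use the baseline lives on read-only media or another host and the
# check runs from a boot medium, not from the suspect system's own binaries.
# All directory names and file contents in demo() are constructed.

# Use GNU coreutils sha256sum where present, Perl's shasum otherwise.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_baseline DIR OUT
# Writes "<sha256>  ./relative/path" for every regular file under DIR to OUT,
# in a fixed sort order so two runs over identical trees compare byte-for-byte.
make_baseline() {
    (
        cd "$1" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            hash_file "$f"
        done
    ) > "$2"
}

# verify_baseline DIR BASELINE
# Recomputes the list for DIR and compares it with BASELINE.
# Returns 0 when nothing changed; otherwise prints the differing entries
# and returns 1. Entries only in the stored baseline were removed or
# modified, entries only in the fresh run were added or modified.
verify_baseline() {
    v_dir=$1
    v_base=$2
    v_now=$(mktemp) || return 2
    make_baseline "$v_dir" "$v_now"
    if cmp -s "$v_base" "$v_now"; then
        rm -f "$v_now"
        return 0
    fi
    echo "integrity check FAILED for $v_dir"
    diff "$v_base" "$v_now" | sed -n 's/^< /  baseline-only: /p; s/^> /  current-only:  /p'
    rm -f "$v_now"
    return 1
}

# Stand-alone demo: baseline a constructed tree, swap one "binary", re-check.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/tree/bin" "$t/store"
    printf 'original ls\n' > "$t/tree/bin/ls"
    printf 'original ps\n' > "$t/tree/bin/ps"
    make_baseline "$t/tree" "$t/store/baseline.sha256"
    verify_baseline "$t/tree" "$t/store/baseline.sha256" && echo "clean tree: OK"
    printf 'replaced ps\n' > "$t/tree/bin/ps"   # stands in for a rootkit's ps
    verify_baseline "$t/tree" "$t/store/baseline.sha256" || echo "tampering detected: OK"
    rm -rf "$t"
}

demo
```

A non-zero result from `verify_baseline` on a system directory is a reinstall signal, not a clean-up list: the script can tell you which files differ, but it cannot tell you what else the same attacker changed in places it does not hash.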
    • Re:Okay now... (Score:5, Informative)

      by Phleg (523632) <stephen@NOSpaM.touset.org> on Monday April 18, 2005 @07:02PM (#12275526)

      rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.

      I dare you to try this. Dare.

      Note: you may wish to back your home directory up first. Preferably somewhere not under /, or using someone else's permissions.

    • Re:Okay now... (Score:5, Insightful)

      by bfields (66644) on Monday April 18, 2005 @07:03PM (#12275534) Homepage
      Any exploitable program you run as another user will still need a local escalation exploit in order to do anything harmful. Running something like apache as root, and any vulnerability in programs such as phpMyAdmin will make your whole server go poof.

      He's not talking about daemons--presumably apache, mysql, etc. are still run as a separate user under Linspire, as they are in Debian. There's no reason to change that, since those users don't have usernames that people need to enter.

      He's talking about the user account that's used by the real physical user of a desktop system.

      In that case, no local exploit is needed--the attacker either uses sudo, or just sniffs the password the next time the user uses su (or whatever graphical equivalent pops up next time they try to upgrade some software).

      rm -Rf / as nonroot will make you give a sigh of relief. As root will be your nightmare.

      For all the talk about it, I don't think I've ever actually known anyone to do the classic accidental rm -Rf / as root. Although I have heard of somewhat similar catastrophes. I doubt the typical gui/finder-like interface makes this so easy, but perhaps I'm wrong. In any case, as he points out, in the case of a single-user desktop, the most important data is in /home/joeuser. Once "joeuser" has deleted that, they're almost back to square one anyway.

      --Bruce Fields

    • Devil's advocate (Score:5, Insightful)

      by Concern (819622) * on Monday April 18, 2005 @07:11PM (#12275630) Journal
      OK, I'll bite.

      Keeping in mind Linspire is totally Desktop-centric, I can see why they might have a radically different view on the permissions system from most existing Linux users.

      I've already read lots of lengthy posts trashing this contrarian point of view. And they have a lot of good points, as yours does, but ultimately this reads like a single-user vs. multi-user culture clash.

      The fact is that on any operating system when you have a single, important user who runs malicious code, it doesn't matter much whether they're root or not, unless the machine has a security model more fine-grained and well-integrated than anything currently in wide use.

      If that user can access their own files, then their own files can be destroyed. If that user can access the internet, then the compromise can also send their files over it. Or it can simply make them a spam bot. Or a relay. If that user has an address book, then its contents can be targets for viral propagation. And so on, and so forth.

      Frankly, to do most things attackers want to do, "root" is unnecessary. Nothing within the unix "user management" repertoire really lets you deal effectively with this problem, and what few solutions you do have are, let's be honest, ugly, cumbersome, evil hacks.

      What stops all this? A real, heretofore unknown high-level security model, that actually says "The email program can access stored email data, preferences, and can talk to the network on this port, to these hosts" and "the word processor cannot talk IRC" and so forth. This requires a rich resource model, rethinking data storage metaphors, the whole nine yards. Unix does not have this. Windows hosts only have it in the crudest and most limited form with "personal firewalls" that to some extent at least police the network activities of applications.

      So for all the Unix folks, of course, this disdain for the security model is heresy, but for the desktop world (and really, servers benefit greatly from a fresh perspective as well), it's not such a bad point. Unix lacks a security model rich enough to be truly useful to everyday users, and by extension, companies like Linspire that cater to them.
    • Re:Okay now... (Score:5, Insightful)

      by Gary Destruction (683101) * on Monday April 18, 2005 @07:16PM (#12275688) Journal
      I totally agree with you about privilege levels. I was all about running as a non-privileged user. That was until realism and idealism clashed. Some programs literally won't work right without, for example, administrator rights on Windows. In the corporate environment, at least the Windows corporate environment, there are too many programs that need administrator privileges. Without Administrator rights, Citrix Client will open, try to initiate a session, fail and then close without error.

      While this is a Windows problem, it can result in a misconception that could end up being applied to other platforms. If people are used to using administrator privileges because of programs requiring them, they might think that they'll have to do the same on Linux and other systems. Avoiding Microsoft's mistakes is one thing. Undoing its influence is another.
      • Re:Okay now... (Score:5, Insightful)

        by Dimensio (311070) <darkstar AT iglou DOT com> on Monday April 18, 2005 @07:52PM (#12276135)
        Without Administrator rights, Citrix Client will open, try to initiate a session, fail and then close without error.

        1) A lot of programs where this happens can be fixed by adjusting configuration, or copying registry keys rather than giving the user full Admin rights.

        2) Developers who write software that absolutely requires Administrative rights for common use, and the program is not designed to alter fundamental hardware or OS configuration (such as a registry editor or a graphics driver tweak utility) are incompetent and should be killed.
      • Re:Okay now... (Score:4, Insightful)

        by John_Sauter (595980) <John_Sauter@systemeyescomputerstore.com> on Monday April 18, 2005 @07:52PM (#12276136) Homepage
        ...Some programs literally won't work right without for example administrator rights on Windows. In the corporate environment, at least the Windows corporate environment, there are too many programs that need administrator privileges. Without Administrator rights, Citrix Client will open, try to initiate a session, fail and then close without error.

        In my shop, administrative rights are strictly limited, and so I see this effect also. There is some Kodak camera-handling software that complains if you run it without administrative rights (though it seems to work just fine) and a weather display application that fails like Citrix Client unless it is run as an administrator. I am sure there are other examples.

        My answer to this class of problems is to declare the software not working, and suggest that the user ask the vendor for a version that will run without administrator privileges. I have yet to see a software vendor respond positively to this request, but in the long run I think it is the only solution. I am not willing to give my users administrator privileges so they can run some poorly-written application!
        John Sauter (J_Sauter@Empire.Net)

    • by Mr2cents (323101)
      Don't you get it? He sure does! You see, Windows has 95% of the users, and 99% of the viruses. By making it easier to hijack the system, he hopes to attract some of those great Windows hackers to Linux. Inevitably, users will follow when they see their favorite viruses are now also available on Linux!

      In the future he'll be making statements like "Passwords are for pussies!" and "Bah, firewalls, a lot of hot air I tell you!". It's part of the plan..
    • Re:Okay now... (Score:3, Insightful)

      by composer777 (175489) *
      I ghost my machine every week or two, it seems to work fairly well as far as data protection goes. I think that if you properly back up, then the amount of time saved by running as root is actually higher than the time spent when disaster strikes from running as root.

      I really think the usage model is important. If you use linux like a windows user, and are constantly installing desktop applications (i.e. games, office apps, etc.), then the convenience of running as root is difficult to beat. If, on the
    • Re:Okay now... (Score:3, Interesting)

      by bcrowell (177657)
      Your arguments all make sense, but notice how some of them really apply more to a server. For instance,
      • MySQL, for instance, runs as a separate user. [...] For instance, keep your accounting files under a different user

      Well, sure, but most Linspire users probably don't run MySQL or keep accounting files for a business on their Linspire box. I mean, from the article, it's clearly aimed at Grandma, who wants to web surf and send e-mail.

      • Running something like apache as root, and any vulnerability in programs
    • Re:Okay now... (Score:3, Insightful)

      by drsmithy (35869)
      MySQL, for instance, runs as a separate user.

      You are no longer talking about scenarios within the realm of the typical end-user desktop and, thus, are talking about a completely different target market to Linspire's.

      You also talk about not being able to do any "damage" as a non-root user. That's right - except to your data, the most important data on 99% of machines.

      You have completely missed the point. Thanks for playing.

  • by garcia (6573) * on Monday April 18, 2005 @06:47PM (#12275339) Homepage
    Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

    Technically it's gaining control over your system without you knowing it and running exploitable programs as root makes that easier. If the hackers get access to your libraries, programs, etc, they can do far more damage to you by sniffing your data w/o your knowledge. Hackers aren't going to just steal your data and run. If they can gain easy access to the system they are going to modify it and snoop everything and keep getting what they came for.

    Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

    I am in no way a master of Linux/UNIX and I never claimed to be but even I know that if you are exploited while running something as root more damage can be done to a lot more services, files, etc, than if you were just running it as a user. It's not theoretical. It's fucking very real and it's idiots like this guy that make it easier and easier for more zombie boxes to get out there. Look at Windows... Yeah, no, we don't need Linux to end up like that too.

    I want to know who the hell this guy is talking to who don't give him a valid argument. I have a feeling they are and he isn't listening.

    Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.

    It shouldn't even be a choice. Prompt for a password (like OS X) when something that needs root privileges runs. If it has succeeded with the Mac then it can with Linspire users too. If you are so concerned about making the users have a positive Linux experience rewrite the dialog boxes when they ask for "root privileges" so that they are human readable. Don't just eliminate it and say that there's no valid reason not to. Taking the easy way out doesn't solve the problem.

    Since when is Michael Robertson a trusted source? He's an asshole that's just into pushing the envelope and making waves (remember Lindows and MP3.com?) Right now he's doing exactly the same thing. "See, those Linux users are trying to make it hard for the layperson to use "their" OS and I'm trying to make it easy. Listen to me! I'm trustworthy!"
    • by hackstraw (262471) * on Monday April 18, 2005 @08:44PM (#12276699)

      If this Michael guy has ever seen a rooted Linux system with one of those groovy kernel modules loaded to hide the doings of the people that rooted the box, then he would guess a 2nd time about his assertion that it's OK to run Linux as root all the time.

      You think that Windows zombie boxes are a problem? However, those systems are able to be fixed (to my knowledge, don't use windows). A rooted box with a kernel module installed to hide itself, has to be completely restored.

      I'm glad you mentioned OS X. I believe that it is a beautiful compromise between running as a user and asking for permission to escalate the privileges when needed. The best part of it is that it _rarely_ asks for administrator privilege, and when it does it makes sense. If someone opened an email attachment and it asked for administrator privileges, that would be a bit fishy (although some people would fall for it).
  • by ZiZ (564727) * on Monday April 18, 2005 @06:47PM (#12275343) Homepage
    An easier-to-read 'formatted-for-print' version is here [hexus.net]. (Not here [hexus.net], as I tried after decoding the base64-encoded GET, but that's beside the point.)

    Not running as root works like this. Your data is no more inherently safe than it is when you /are/ running as root, but nobody ELSE'S data will fall prey to your screwup, nor will the central integrity of the system. (For granny, this means that grandson Billy can ssh in, recover this morning's backups from the write-once partition, and she can keep going, having lost minimal data.)

    Running as root is like pointing a loaded gun at everyone just in case they're a criminal.

    Not running as root is like fastening your seat belt. Sure, you're not intending to get in an accident...

    Running as root is like driving down the highway with your hood open and your oil cap off.

    Not running as root is like locking your door when you leave.

    Running as root is like posting to slashdot without reading TFA. :)

  • Wow (Score:4, Insightful)

    by bmw (115903) on Monday April 18, 2005 @06:47PM (#12275347)
    You've got to be kidding me. Is this just a big troll or is this guy actually that ignorant? Who the hell has he been talking to anyway? The reasons for doing day-to-day things as a non super user is one of the most basic security concepts ever. Even my parents understand this. The reason you don't run everything as root is to avoid COMPROMISING THE ENTIRE MACHINE if some random application has a vulnerability. You don't want each and every little program you run to potentially allow someone to gain full access to everything on your computer. Not to mention protecting the computer from the application itself. I don't want some poorly written piece of software accidentally deleting important system files or some other user's data. And how about protecting the system from the user themselves? How many people here have accidentally rm'd a bunch of important system files (or all of / for that matter) on accident? I know I have and I consider myself a very careful person when it comes to such things.

    C'mon... How fucking retarded can you be?

    He does _almost_ make a good argument for his case though...

    Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.

    That statement does have some merit but it definitely isn't always true and even then, I would much rather compromise only my data than have someone gain access to the entire system. If they only get my data, that's all they get. If they gain access to the entire system there is no limit to what they can do... What if they want to setup a very well hidden rootkit and snoop around on my box (watching traffic, capture credit cards, etc. etc.) for as long as possible? Not to mention multi-user systems... A compromised super user gives them full access to EVERYONE's stuff.

    And of course, after he says something nearly sensible he goes on to completely shoot himself in the foot by making another completely ridiculous challenge...

    So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

    What world does this guy live in? Is he completely surrounded by idiots? Remind me never to go anywhere near Linspire.
    • by argoff (142580)
      Uh well, I think he is actually that ignorant (or lost is more like it). This is the guy who started mp3.com and thought that the music industry was going to give him a big pat on the back for it and let them into their billionaires club. Even worse is how he down-talks illegal copying like it's a back-alley dirty activity, when in truth nobody is doing any worse than he has been, is, and will likely continue to do for the rest of his life. IMHO, he is the epitome of blind love for evil systems. No ma
  • by Anonymous Coward on Monday April 18, 2005 @06:48PM (#12275362)
    But I want to know his IP address.
  • by towaz (445789) * on Monday April 18, 2005 @06:48PM (#12275363)
    Lets do "rm -rf /" and compare the results.
  • by YankeeInExile (577704) * on Monday April 18, 2005 @06:48PM (#12275365) Homepage Journal

    While we all want to start lambasting him for his obvious lack of understanding of the obvious, I think it is actually endemic of the real problem.

    People do not understand anything about computer security.

    They do not understand how to limit exposure.

    They do not understand the vectors of software virus infection.

    They do not understand the true problems of viral infection (that is: they want to eliminate the side effects, but do not care about the primary problem).

    Mocking people for being clueless does not actually make them smarter, nor does it impress them with your 31337 Haxor Skillz.

  • by javaxman (705658) on Monday April 18, 2005 @06:50PM (#12275388) Journal
    I'd like him to run on an account where he's not root, thanks.
  • Define "Secure" (Score:5, Interesting)

    by Stibidor (874526) on Monday April 18, 2005 @06:53PM (#12275417) Homepage
    In the article, Michael defines security as the (in)ability to access personal data. In that respect, he's probably right. But I think he oversimplifies the real question of allowing the users to run under the one account that could really screw up their machine.

    He argues that just because we could possibly drive our cars into brick walls doesn't mean we should all be limited to driving at 10 mph. I don't believe the likelihood of even the least skilled driver actually ramming into a brick wall is quite as much as my grandma's likelihood of completely screwing up her computer were she granted root access. I've seen her mess up her Windows machine pretty nicely.
  • challenge accepted (Score:3, Insightful)

    by FidelCatsro (861135) <fidelcatsro.gmail@com> on Monday April 18, 2005 @06:53PM (#12275425) Journal
    "I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say 'oh, yeah, it is!', but it really isn't."
    rm -rf /
    chmod 777 -R /

    amongst a high seas of other things that make running as root insane on the "whoops scale"
    as to be in danger from a remote source, well, if you make an open connection to someone you don't know when you're root then ...
  • Ignorance (Score:5, Insightful)

    by El (94934) on Monday April 18, 2005 @06:55PM (#12275446)
    This is exactly the kind of attitude that I'd expect from someone that learned everything they know about computers from working with MS-DOS... he can't seem to conceive of the notion that there might be more than one person's data on a single machine!
  • by Linux_ho (205887) on Monday April 18, 2005 @06:57PM (#12275458) Homepage
    Why is it more secure not to run as root?

    500,000 Windows zombies should be the only answer you need.
    • In that case, I think running in administrator mode just makes it harder to remove the infection. I think it's trivial to trojan people into running bots that run in user space rather than system space. It's just not necessary to make such a program because it's easier to assume they are running as admin.
  • by emurphy42 (631808) on Monday April 18, 2005 @07:00PM (#12275493) Homepage
    From TFA:
    when grandma tries to change her wallpaper, and it tells her "you don't have root privileges".
    I don't know whether this is hyperbole or just a bad acid trip, but either way, it shoots holes in his credibility big enough to drive a truck through.
  • by arete (170676) <areteslashdot2.xig@net> on Monday April 18, 2005 @07:01PM (#12275502) Homepage
    I have to say I love the OSX solution. For those of you that aren't familiar:

    The method:
    By default you don't use root (although it does exist)

    By default a user may or may not be an "admin" user. An admin user may perform root-like operations by authenticating again, but they give their own same password to the OS to do things.

    It still knows you're you, you're just super-you. So default files are created with you as owner, for instance. This is safer because it reduces slightly the number of escalations necessary.

    The effects:
    The actual user password being compromised is not the reason you need a separate root account, so they removed your need for two passwords.

    Bad apps still need separate priv escalation to do any harm, even if you're running as admin.

    BUT you don't have to logout of your GUI session to have one app - or even ONE PART of one app - run with escalated privileges, if you authorize it to.

    This means you have NO REASON to ever run unnecessary apps as an admin. No downloading just that one file as root because you're in the middle of doing a rooty thing and forgot one.

    The similar linux hack:
    I know you can setup similar things with sudo and a little tweaking. But this is how every OSX box ships, and it ought to be how every GUI consumer linux box ships too.
    • by Relyt (96115) on Monday April 18, 2005 @07:41PM (#12275985)
      Well, Ubuntu Linux is set up with sudo all set up right off the bat, which is probably the way things will be setup in the future. The user can use his or her own password to get root privileges.

      I think that anyone who is considering buying a PC for Lindows would be much better served buying a Mac or Mac Mini and using OS X instead. They'll spend the same amount of money and have an OS that is better-designed and is backed by a corporation and a CEO who actually know what they are talking about.

  • He has a point (Score:5, Insightful)

    by photon317 (208409) on Monday April 18, 2005 @07:01PM (#12275509)

    We all know the reasons not to run anything as root unnecessarily are many, but you have to think from his perspective as well. He's picturing clueless linux desktop users, using a shrinkwrapped distro at home for personal use. If they were to only log in as a user rather than root, what does it buy them? Whoever gets them to run malicious code by exploiting them or their software will still get access to all of their data, since it was all stored as that user. And they still get access to backdoor all of the software they use, since they can screw the user's environment (PATH, LD_LIBRARY_PATH, etc).

    About the only thing not running as root saves the poor nontechnical home end-user from is wiping out their hard drive, but all the data that's important to them contained therein is still destructible.

    His point is in fact arguable - why bother?
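The "screw the user's environment (PATH, LD_LIBRARY_PATH, etc)" route above, and the sniff-the-password-next-time-they-run-su route from bfields's reply earlier, both work without root and both leave traces in two things the user controls. As an added example in POSIX sh, not part of the thread and not Linspire's code, here are audits for those two places: the PATH (an empty or "." entry, a relative entry, a missing directory anyone could create, or a world-writable directory, any of which lets a planted su or sudo get picked up first) and the shell start-up file (an alias or function shadowing su, sudo, passwd or ssh, an LD_PRELOAD or LD_LIBRARY_PATH export, or PATH being set to start with "." or an empty entry). The PATH strings and the .bashrc in the demo are constructed; the patterns are deliberately narrow, so a clean result only says these particular tricks are absent.

```shell
#!/bin/sh
# Added example, not code from this thread or from Linspire.
# Two checks on the places a user-level compromise usually persists without
# ever needing root: the PATH (a writable or missing directory early in it,
# or "." or an empty entry, lets an attacker plant a fake su/sudo/ls) and the
# shell start-up file (an alias or function shadowing su/sudo/passwd/ssh, or
# an LD_PRELOAD/LD_LIBRARY_PATH export that injects a library into every
# program the user runs). The patterns are narrow on purpose: a clean result
# means only that these particular tricks are absent. PATH strings and the
# start-up file in demo() are constructed.

# audit_path PATHSTRING
# Prints one finding per line; returns 0 if nothing was found, 1 otherwise.
audit_path() {
    p_bad=0
    p_rest="$1:"                      # trailing ':' so the last entry is seen
    while [ -n "$p_rest" ]; do
        p_d=${p_rest%%:*}
        p_rest=${p_rest#*:}
        case $p_d in
            "" | .)
                echo "PATH: current-directory entry ('${p_d:-empty}')"
                p_bad=1 ;;
            /*)
                if [ ! -d "$p_d" ]; then
                    echo "PATH: missing directory '$p_d' (anyone may create it)"
                    p_bad=1
                elif [ -n "$(find "$p_d" -prune -perm -002 2>/dev/null)" ]; then
                    echo "PATH: world-writable directory '$p_d'"
                    p_bad=1
                fi ;;
            *)
                echo "PATH: relative entry '$p_d'"
                p_bad=1 ;;
        esac
    done
    return $p_bad
}

# audit_rc FILE
# Prints FILE:LINE:TEXT for each start-up line matching a hijack pattern;
# returns 0 if none matched, 1 if any did, 2 if FILE is unreadable.
audit_rc() {
    [ -r "$1" ] || { echo "rc: cannot read '$1'"; return 2; }
    r_hits=$(grep -nE \
        -e '^[[:space:]]*alias[[:space:]]+(su|sudo|passwd|ssh)=' \
        -e '^[[:space:]]*(function[[:space:]]+)?(su|sudo|passwd|ssh)[[:space:]]*\(\)' \
        -e '(^|[[:space:];])(export[[:space:]]+)?LD_(PRELOAD|LIBRARY_PATH)=' \
        -e '(^|[[:space:];])(export[[:space:]]+)?PATH=(\.|:)' \
        "$1")
    [ -n "$r_hits" ] || return 0
    printf '%s\n' "$r_hits" | sed "s|^|rc: $1:|"
    return 1
}

# Stand-alone demo: audit this shell's PATH and a constructed .bashrc.
demo() {
    t=$(mktemp -d) || return 1
    cat > "$t/bashrc" <<'EOF'
# constructed start-up file: one ordinary line, two hijack lines
export PATH=$HOME/bin:$PATH
sudo() { /tmp/.s "$@"; }
export LD_PRELOAD=/home/joe/.cache/libx.so
EOF
    echo "PATH audit of this shell:"
    audit_path "$PATH" && echo "  no findings"
    echo "start-up file audit:"
    audit_rc "$t/bashrc" || echo "  review the lines above"
    rm -rf "$t"
}

demo
```

Running the audit from the same possibly-tampered shell is itself the weak point: a wrapper around sh, grep or find placed by the same attacker would pass it. Treat a clean result as a first check, not as proof, and run it from a fresh login with a known-good PATH where it matters.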
  • Modded -1 Flamebait (Score:4, Interesting)

    by HiredMan (5546) on Monday April 18, 2005 @07:03PM (#12275535) Journal
    I knew Michael Robertson in college and he was a technological lamer and pretty much an A-hole. And he doesn't appear to have changed much. He's cobbling together whatever technologies he can get his hands on and then shamelessly pimping^H^H^H^H^H^H^H self promoting whatever his latest project is regardless of merit.

    He unfortunately seems to have learned that there is little fact checking in the business press - especially where technology is concerned - and that if he can create a stir he can probably create profit.

    It was several years before I realized that it was the same Michael but I visited the website and found his picture there - in multiple super high resolutions - seriously why would I want a 1435x1980 pixel image [linspire.com] of him?
    Does he think he's desktop material? There's even information for booking him for speaking engagements... but it's not about ego. *SIGH*

    Look for the stock pump and dump scheme followed by an SEC investigation in 5 - 10 years...

    =tkk
  • by scupper (687418) * on Monday April 18, 2005 @07:03PM (#12275537) Homepage
    I can't take this guy seriously. He's the Billy Mays [atmospheric-violence.com] of the Linux world.

    Just read his responses....[a few of my replies]

    Jo: On the security front, I noticed during the presentation that you were running everything as root. Is that really a wise idea, to train users to run everything as the one user who can mess everything up whenever they feel like it? Should you not try to teach one basic UNIX security idea, that you really don't want to run things as root?

    Michael: I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data.[Mikey, that's like saying the people in my car are important, but to hell with the rest of the motorists on the highway. Pretty reckless and selfish. Maybe Linspire should start "LinNet - Home of the Bots and Trojans"] If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well.[Mikey, what is a bot? And how are they born?]

    Michael: Then you could say "Well, it's not really about your data, it's that people could accidentally mess things up!". Well, you could accidentally drive into a wall as well, it doesn't mean we should make all cars drive at 10 miles an hour. So, I don't see the added benefit. I DO see it's an added pain in the ass when grandma tries to change her wallpaper, and it tells her "you don't have root privileges". What are you talking about, man? I'm just trying to use my computer, or change the clock, or any one of a hundred other things. So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!". There's no one area I think you can point out - In this instance, a machine that's run with the root user could be compromised, in this instance one couldn't be compromised.

    Michael: I know the hardcore geeks feel differently, that's fine. When somebody installs Linspire, we say "do you want to set up users, yes or no", we give them the choice, right there when they start up for the first time. If they want to set up multiple users, they're welcome to do that, but we don't force them to. That's the difference we have.

  • by greenrom (576281) on Monday April 18, 2005 @07:04PM (#12275540)
    Running as root is dangerous, but is it more dangerous than the average home user is used to? Probably not. The average user probably runs Windows from a single user account with admin rights. For most people, the recycle bin is the only protection from stupid mistakes.
  • Accidents (Score:4, Insightful)

    by iamacat (583406) on Monday April 18, 2005 @07:04PM (#12275550)
    Malicious software can always trick a user into giving it administrator access. But if you always log in as root, one bad mouse gesture in file explorer can make your system unusable. Just yesterday I saw someone with a master's degree trying to store MP3 files in /Library on Mac OS X.

    Besides, if you have a family PC why would you want everyone messing up each other's files if they can have nice separate home directories?
  • by scupper (687418) * on Monday April 18, 2005 @07:09PM (#12275597) Homepage
    Michael "Root" Robertson is appointed to the Department of Homeland Security's Privacy Board.
  • by houghi (78078) on Monday April 18, 2005 @07:11PM (#12275623)
    ... he should rename his Linspire to something like Lindows.
  • by harmic (856749) on Monday April 18, 2005 @07:15PM (#12275680)
    Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares?

    The most valuable thing on my computer is probably the user name and password to my internet banking facility. Not that I store them on the machine but I do type them in. Maybe running as non-root does give you access to all the data in a user's home dir but it sure makes it more difficult to overwrite those libraries he's talking about with keylogging trojans that will harvest my passwords.
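    The two risks raised above (a compromised account rewriting the user's PATH/LD_LIBRARY_PATH environment, and malware overwriting the libraries that other programs load) both come down to who can write to the directories that binaries and shared objects are loaded from. The following POSIX sh function is an added example, not code from the thread or from Linspire: it walks a colon-separated list such as `$PATH` or `$LD_LIBRARY_PATH` and reports entries that are world-writable or empty (an empty entry means the current directory). On a system where only root can write to `/bin`, `/usr/lib` and friends, a non-root compromise cannot pass this check's trigger condition for those directories; if the user runs as root, every directory is effectively writable and the check is moot.

```shell
# Added example (not from the original thread): audit a PATH-style list for
# directories that any local account can write to. A world-writable directory
# early in PATH or LD_LIBRARY_PATH lets a compromised account drop a binary or
# shared object that other programs, including ones run by other users, will
# load, which is the "backdoor all of the software they use" risk the comments
# describe.
#
# Usage:  audit_writable_dirs "$PATH"
#         audit_writable_dirs "${LD_LIBRARY_PATH:-}"
# Output: one line per problem entry (WORLD-WRITABLE: <dir> or EMPTY ENTRY).
# Return: 0 when nothing suspicious was found, 1 otherwise.
audit_writable_dirs() {
    list=$1
    found=0
    old_ifs=$IFS
    IFS=:                      # split the list on ':' only
    for dir in $list; do
        if [ -z "$dir" ]; then
            # POSIX treats an empty PATH entry as "." (the current directory),
            # so a program started from an attacker-controlled directory would
            # pick up binaries planted there.
            printf 'EMPTY ENTRY (current directory is searched)\n'
            found=1
            continue
        fi
        [ -d "$dir" ] || continue          # dangling entries are harmless here
        # -perm -002: the "other" write bit is set; -prune stops find from
        # descending so only the directory itself is tested. Mode bits are
        # inspected directly, so the result does not depend on who runs this.
        if [ -n "$(find "$dir" -prune -perm -002 -print 2>/dev/null)" ]; then
            printf 'WORLD-WRITABLE: %s\n' "$dir"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}
```

Run it as an ordinary user after login (`audit_writable_dirs "$PATH"`) and again under any cron or service account; the usual fix for a hit is `chmod o-w` on the directory, or removing the entry from the variable in the shell's startup files.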

  • by jonesy16 (595988) <jonesy@gCHEETAHmail.com minus cat> on Monday April 18, 2005 @07:23PM (#12275770)
    Before you blow everything out of proportion, take a second to look at a few things from a different perspective:

    1) The end user of Linspire is most probably a Windows user trying to switch to something cheaper. The odds of Linspire being heavily used in a multiuser environment are bleak at best.

    2) He makes a valid point, the most valuable information on your computer is the things stored in your home directory. Credit card information, social security, emails, etc. Guess what . . . `rm -rf` will eliminate all of that even if you aren't root. Who cares if you accidentally wipe an X library, a reinstall will fix that, it won't get back your emails and resumes.

    3) Everyone's argument for the flaw of running as root seems to stem from services running as root, which is something the end user of an operating system like Linspire shouldn't be expected to fix anyway, nor will most Linspire users be running apache servers and mysql servers, I'm just guessing at that.

    A Windows user or a Linux newbie doesn't want to remember several account passwords just to change the IP address of their computer, or to reboot, or mount an external hard drive, or start Samba, etc. They want to know that they have permission to do those things out of the box. That's how Windows is set up, that's what they want. Security should be handled by turning chrooted service invocation, firewalling, etc.

    This isn't FreeBSD, tailor to your customers and make them happy, without them you don't have a business.
  • 99% (Score:3, Insightful)

    by blackbear (587044) on Monday April 18, 2005 @07:28PM (#12275834)

    The reason that Robertson didn't get the answer to why not to "run as root" is twofold.

    1.) He didn't want to hear the answer when it was told to him.

    2.) probably 99% of people who know that you shouldn't "run as root" don't know absolutely why themselves. They have a pretty good idea, but someone they respect and trust (and who is correct) told them it was stupid.

    The other 1% who could have told him why, weren't consulted. Nor will they be.

    It's no accident that Linspire (Lindows) is modeled after Windows, and it contains Windows' greatest fundamental security flaw.

  • by scupper (687418) * on Monday April 18, 2005 @07:29PM (#12275836) Homepage
    Mikey, what is a bot? And how are they born?
  • by jhantin (252660) on Monday April 18, 2005 @08:09PM (#12276351)
    There have been some very good research projects done on how to build a more secure system, and some of the most amazingly effective ones have been the ones that challenge the basic assumptions of "best practice".

    MIT Kerberos [mit.edu] takes the view that no machine on the network can be implicitly trusted; access to network services is controlled by tickets, mediated by a ticket distribution service with which each user and service has a pre-shared key. This works even for systems in which the local operating systems have no internal access control mechanisms whatsoever.

    Capability-based systems [erights.org] essentially throw out the classic security model of users, roles and permissions, replacing them with a system of nonforgeable references by means of a combination of memory protection and cryptographically strong naming.

    Finally, people need to come to terms with the fundamental fact that content-based security schemes are a losing proposition (1 [stiller.com], 2 [reflex-magnetics.co.uk]). Virus scanners, adware scanners, porn blockers, spam filters, and even national customs departments all face the same problem: they can only inspect what goes by and apply a list of tests to winnow bad items. There is strong economic pressure to find ways to bypass these types of checkpoints, so new tricks are constantly being invented, only to be compensated for by the guardians; thus the guardians are always a step behind.
  • by OrangeTide (124937) on Tuesday April 19, 2005 @02:53AM (#12279074) Homepage Journal
    When one RTFA they will notice that Robertson is talking about a desktop system. Having users log in as some root/admin account is not a big deal because the only thing valuable on that system is the data stored as the only user on their system. Obviously he's not saying "run apache as root". In fact he implies it would be a very bad idea to allow things like a webserver to have write-access to a user's data!

    Now if you are maintaining a multi-user system, root access is more powerful because it grants you full access to all users' information. Although these days a family computer has multiple accounts on it, Little Timmy and Mom's data is separate. If Timmy downloads some malicious code in some new music sharing program that turns out to be a trojan, at least Mom's calendar, address book and tax information will be protected.

    Of course I'd recommend periodic backups to give you real data security. That's perhaps more important than the root/non-root issue.
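    The "Timmy's trojan can't reach Mom's data" argument only holds if the home directories are actually closed to other accounts; a home directory created with mode 755 is readable by every local user, and a trojan running as Timmy reads it as easily as Timmy's own files. The following POSIX sh functions are an added example, not code from the thread or from Linspire: they check each directory under a base path (assumed to be one home directory per user, as under `/home`) and report any that grant "other" users access or give the group write permission. Mode 750, the common layout with per-user private groups, passes; 755 and anything group-writable is reported.

```shell
# Added example (not from the original thread): verify that per-user home
# directories are private, so that code running as one account cannot read
# or modify another account's data. The policy checked here: "other" has no
# permission bits at all, and the group may not write. 700 and 750 pass;
# 755, 770 and 777 do not.
#
# Usage:  audit_home_dirs /home        (assumption: one subdirectory per user)
# Output: one "EXPOSED: <dir> (<mode string>)" line per offending directory.
# Return: 0 when every home directory is private, 1 otherwise.

# Returns 0 if the directory's group/other permission bits meet the policy.
# ls -ld is used because it is portable (find -perm / is GNU-only); columns
# 5-7 are the group bits and 8-10 the "other" bits of the mode string.
home_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    other=$(printf '%s' "$bits" | cut -c4-6)
    group_w=$(printf '%s' "$bits" | cut -c2)
    if [ "$other" = "---" ] && [ "$group_w" = "-" ]; then
        return 0
    fi
    return 1
}

audit_home_dirs() {
    base=$1
    rc=0
    for home in "$base"/*; do
        [ -d "$home" ] || continue      # skip stray files such as lost+found symlinks
        if ! home_is_private "$home"; then
            printf 'EXPOSED: %s (%s)\n' "$home" "$(ls -ld "$home" | cut -c1-10)"
            rc=1
        fi
    done
    return $rc
}
```

The remediation for a reported directory is `chmod 750 "$home"` (or 700 where no group sharing is wanted), plus a `umask 077` in the account's startup files so that files the user creates later stay private too. Note that this isolation between accounts is exactly what disappears when everyone logs in as root, since root's reads and writes are not subject to these mode bits at all.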
