root password



motika
06-24-2005, 12:58 AM
Can somebody explain to me why do I have to supply the root password of
my system to download and play a stupid little game? This flies in the face of all
I ever told my clients about computer security...

motika

Harry Kuhman
06-24-2005, 01:18 AM
This flies in the face of all I ever told my clients about computer security...
Greetings motika, welcome to the forums.

Perhaps you're not giving your clients good advice. Linux security makes a lot of sense. The user normally doesn't run at a security level that gives him/her full write access to everything. This has a lot of positive benefits. A user can't accidentally delete *.* from the top down like they can on some systems we will not talk about. Even if a rare Linux virus does get in, it can't run wild and infect everything if it doesn't have access to everything (one of the things that help keep them rare). And since Linux security is much better thought out and set up, users don't have to run in supervisor mode to do routine things like burn a CD. And, in an office environment like your clients have, a user who walks away from their computer while it is still logged in may put their own files at risk, but doesn't put all users and the entire system at risk if they are not logged in as root or a super user.

What in the world are you telling your clients that conflicts with this?

UnderScore
06-24-2005, 02:00 AM
Permissions are at the heart of both Windows & Linux. In windows, typically the default installed user is also the administrator. In effect they are GOD of their own PC. This at first glance appears to be a sound & rational policy. It is however a dangerous policy. All it takes is some clueless user to click on a Nak3d Ch1x0rs spam email or M0rtgage Rate$ ad and now they become infected with viruses, adware, spyware etc. Perhaps if they were not running as administrator then the malware would not be able to exploit the user as a source of infection.

Since Windows OSs have the largest slice of the installed base on the desktop they are the frequent targets of attacks. Furthermore, Windows OSs, save Win2k3 server, are all full of holes. The unsecured Windows desktop PC is the exploit vector for a majority of IT workers' & sysadmins' problems. I wish that all Windows desktop users were not running as administrator by default, but that would take a HUGE undertaking by MS. In a home office or in an enterprise LAN, no one except IT gurus or staff (even then most of the time it's not necessary) should be running as administrator. In a company, this includes C-level staff too. A CEO or CFO has no reason to be running as admin on his laptop, esp. since he probably has privileged financial data stored on it which could be deleted or, worse, stolen by spyware. Locking down every single Windows PC should prevent the sheer majority of malware problems. Sure, end-user usability issues pop up, but they are a cakewalk compared to recovering from virus-laden zombie WinXP systems.

In Linux and Unix and even Mac OS X, the default user is NOT administrator (called root). A non-root user has many read-only permissions to devices and paths in the filesystem, while the root user is again GOD of the box. So in order to provide good security while at the same time allowing users to access certain hardware devices or run possibly dangerous programs, the concept of groups comes into play. If a user is a member of the cdrw group then they can burn CDs. If the user is a member of the game group, then they can play games. It should be fairly obvious that this type of privilege separation is useful but can be really annoying. The question remains: like Windows, should the user of a Linux box be root or GOD all the time so that he can access all devices & files without running into annoying permissions problems? Many people smarter than myself believe that the user should not run as root by default and that you should only use administrative powers when it is necessary. By using common-sense privilege separation by default, Linux gains what Windows loses.

I too would like to know your opinions on security.

motika
06-24-2005, 03:02 AM
This flies in the face of all I ever told my clients about computer security...

What in the world are you telling your clients that conflicts with this?

That unless they know exactly what is the good reason some piece of software needs root access,
they should never grant such access. Someone phoned me earlier today and said something like:
I just downloaded single-player board game xyz from Klik, the downloader is now asking me to
type in my root password. Is this normal...?

I repeat my question above: why would a simple game program need root access? Why should
the user need to trust some game program writer or downloader with the root password to his or
her computer?

motika

Harry Kuhman
06-24-2005, 05:23 AM
OK, I see what you're saying now. That makes a bit more sense. Since we're talking about Klik I hope Probono will join in and explain the issue. It might help him if you would mention what stupid little game.

motika
06-24-2005, 03:42 PM
I'd better apologize: I fired off the opening message of this thread
before I had time to look at Klik and the particular game in detail.

The game is inconsequential, and my characterization of it inappropriate:
so let's agree we are talking about an application that:

1) is something completely optional; it is in no way required for the
correct operation of the computer or user's regular work-flow.

2) does not need to interact with any other user or system data, and
any hardware other than GUI I/O devices and its own disk file(s).

3) does not need to use any external (network) connection.

4) the program writer is somebody that the user has no prior experience
with and consequently has no reason to place any trust in.

5) it is likely to be used/tested a few times, and discarded
thereafter if found of little (or no) value.

I generally advise users to run such software as a user (account) set
up specifically for such applications. (Obviously, many "recreational"
applications fall into this category).

The problem is that Linux application writers follow the paradigm
developed in Unix multiuser / workstation / mainframe days: they assume
all application software will be "system-wide" - with its executable,
documentation and general configuration files placed in root hierarchy,
and available to all users of the computer. This paradigm made (some)
sense when there were few applications on the computer, there were few
sources for application software and users had long-term established
relationships with application vendors. It makes no sense whatsoever
for "personal computers" and a plethora of applications, from an
endless number of sources, easily obtainable via internet.

Apple OSX application bundle is close to what the "packaging" and
distribution of applications (specifically, those that follow the
above description) should look like; and upon my first exposure to
Klik this is what I have mistaken it to be.

So let me rephrase the question: if the application writer understood
that a user of his software has no reason to trust him with root
password, and root did not count him among those that should be
allowed to place files in the root (as opposed to user's home)
hierarchy, could Klik be used to package and distribute such
application?

Thank you all for your comments,
motika

bfree
06-24-2005, 07:56 PM
Can somebody explain to me why do I have to supply the root password of
my system to download and play a stupid little game?
Quite simply, klik uses compressed image files as its intended usage method. What this means is that when you "install" klik, it places a couple of scripts in your home directory; one (~/.klik) is used when you click on a link like klik://xyz, and it downloads the required software, prepares it and creates a filesystem image (similar to, and could actually be, an iso9660 CD image file) of all the required files. Now you will have an xyz.cmg file, and if you click on it to run it, the second script (~/.zAppRun) will actually mount the compressed image and run the program from within it.

The problem of course is that users cannot simply mount an image. The suggested way to work around this with klik is to edit the /etc/fstab file, so that a predefined set of mount points can be used (see the sticky thread). Klik can prompt the user for the root password to make this change, or just prompt the user for the root password to mount the file each time they want to. Usually (in klik terms, i.e. on a system with kde) this should use kdesu which will display the full command it is going to perform as root so the user can review it.

Now if someone does not have root access, cannot get it and can't get whoever has it to set up fstab for them, they can extract the cmg to a folder and then run the wrapper script from within that folder instead (or if they have just installed the program they can just copy the appropriate folder out of /tmp).

Removing any requirement for root at all would be ideal, solutions welcomed.

Hope this makes it all clear.
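The fstab approach bfree describes, as an added example that is not klik's own code and not taken from the sticky thread: a small POSIX shell audit of which /etc/fstab entries an ordinary user may mount, and which of those hand the image's author more than a game ever needs. The sample fstab, the /home/me/*.cmg and /tmp/klik paths and the option sets are constructed for the demonstration and are assumptions, not copied from any real system. The one fact it relies on is from mount(8): the "user" option implies nosuid, nodev and noexec unless those are overridden, so an entry that re-enables suid or dev undoes the reason for not typing the root password in the first place.

```shell
#!/bin/sh
# Added example, not klik's code: audit /etc/fstab entries that let an
# unprivileged user mount a loop image (the .cmg workaround described above).
# The sample fstab, paths and option sets are constructed for this demo.

# Constructed fstab content (assumed layout; the klik lines are hypothetical).
FSTAB_SAMPLE='# <file system>    <mount point>   <type>   <options>                       <dump> <pass>
/dev/sda1          /               ext3     defaults                        0 1
/dev/sda2          none            swap     sw                              0 0
/home/me/xyz.cmg   /tmp/klik/1     iso9660  user,loop,noauto,ro,exec        0 0
/home/me/abc.cmg   /tmp/klik/2     iso9660  user,loop,noauto,exec,suid,dev  0 0
/dev/cdrom         /media/cdrom    iso9660  ro,noauto,users                 0 0'

# Exit status 0 if the comma-separated option list $1 contains option $2 exactly.
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Print the mount points an unprivileged user may mount ("user" or "users" in
# the option list). Blank and comment lines are skipped.
user_mount_points() {
    printf '%s\n' "$1" | while read -r fs mp type opts rest; do
        case "$fs" in ''|'#'*) continue ;; esac
        [ -n "$opts" ] || continue
        if has_option "$opts" user || has_option "$opts" users; then
            printf '%s\n' "$mp"
        fi
    done
}

# Print user-mountable entries that re-enable suid or dev. Per mount(8), "user"
# implies nosuid,nodev,noexec unless overridden; klik needs exec to run the
# program from the image, but a setuid binary or device node inside a
# downloaded .cmg is exactly what withholding the root password was meant to
# prevent.
risky_user_mounts() {
    printf '%s\n' "$1" | while read -r fs mp type opts rest; do
        case "$fs" in ''|'#'*) continue ;; esac
        [ -n "$opts" ] || continue
        if has_option "$opts" user || has_option "$opts" users; then
            if has_option "$opts" suid || has_option "$opts" dev; then
                printf '%s\n' "$mp"
            fi
        fi
    done
}

# Build the fstab line one would add for a new image. Assumed option set: keep
# exec so the program can run, and spell out ro,nosuid,nodev so a later edit
# cannot silently widen the entry.
klik_fstab_line() {
    printf '%s %s iso9660 user,loop,noauto,ro,exec,nosuid,nodev 0 0\n' "$1" "$2"
}

echo "user-mountable:";              user_mount_points "$FSTAB_SAMPLE"
echo "user-mountable AND suid/dev:"; risky_user_mounts "$FSTAB_SAMPLE"
echo "proposed line:";               klik_fstab_line /home/me/new.cmg /tmp/klik/3
```

Run it against a real /etc/fstab with `user_mount_points "$(cat /etc/fstab)"` to see what an unprivileged account can already mount; the same loop, with kdesu showing the exact line before it is written, is the review step a user should insist on when a downloader asks for the root password.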