Running as root vs. alternatives

[Mike_Walsh]

Moderator note: off-topic split off from the Veit Kannegieser repo topic

The change the prevents the "Check for updates, but let me choose whether to install them" was done when protecting against running as root user.
If you want to revert that back, you would need to remove the file /usr/lib/palemoon/updates, after every update. I can not recommend that.

Heh.

I'm only hazarding a guess here, but I think you'd absolutely hate Puppy. We 'run-as-root' ALL THE TIME. Which makes sense, TBH, given that she was always designed to be deployed as a single-user, "hobbyist" distro for 'tinkerers'. Zero percentage in asking the system for permission to use it when you're the sole user.....and with read-only system files in Puppy, she's all but 'bomb-proof' anyway.

Don't get me wrong. 'Sudo' does have its uses......in a large organisation, with lots of different users, it absolutely makes sense. For us, though, it's kinda pointless.

No different to the early days, really, before multi-user became a thing. We all ran as root.....and you learned to be 'careful'.

(*shrug...*)

Mike.

[Lucio Chiappetti]

Not so sure about the early days, at least for me.
Early days were the '90s and we were running various Unixes (from SunOS to Tru64) at work. With NIS. Most machines were for a single user, but we had the normal unprivileged user, and root. Power users knew the root password and did su - to log in as root (the other asked the sysman).
We continued that under openSuse and now (x)ubuntu.
I see that the ubuntu purists (or puritans ) for home users advocate for no login as root, but one of the first things I do on my home machines is to allow login as root. I do use sudo and have even a custom /etc/sudoers for particular commands, but it's another story.
Concerning Pale Moon (specially for personal use) I do not see any reason to load it from a deb repo, since there are tar files. I have Pale Moon installed under my username (but for a softlink from /usr/bin), and the internal updater works more than nicely.

[Moonchild]

I see that the ubuntu purists (or puritans ) for home users advocate for no login as root, but one of the first things I do on my home machines is to allow login as root. I do use sudo and have even a custom /etc/sudoers for particular commands, but it's another story.

From a strictly security point of view, it can also be argued that sudo is actually more dangerous than using root explicitly; it shifts the system's highest security protection to every sudoer with their normal credentials, basically multiplying the attack points to every sudoer on the system, not just a single root account. And does so through various scattered mechanisms to boot: group membership, a plaintext config file that can be accessed through e.g. a compromised process, etc. making it not only a broader attack surface but also potentially harder to detect unless you explicitly monitor not only root access but also account elevation events.

[andyprough]

From a strictly security point of view, it can also be argued that sudo is actually more dangerous than using root explicitly; it shifts the system's highest security protection to every sudoer with their normal credentials, basically multiplying the attack points to every sudoer on the system, not just a single root account. And does so through various scattered mechanisms to boot: group membership, a plaintext config file that can be accessed through e.g. a compromised process, etc. making it not only a broader attack surface but also potentially harder to detect unless you explicitly monitor not only root access but also account elevation events.

Which is why doas exists. Anyone concerned about sudo security can simply purge it from their system and setup doas, which I believe is borrowed from openbsd. Or, you can keep using sudo for use by system services, but keep the user accounts limited to doas. I'm pretty sure those options exist. I've used systems with sudo, with sudo and doas, and with just doas.

[Moonchild]

Which is why doas exists. Anyone concerned about sudo security can simply purge it from their system and setup doas

doas is just a more minimalist and more user-friendly alternative to sudo, though...

The two benefits doas has over sudo are that it’s smaller in size, the configuration file is empty, and its syntax is smaller and easier to remember, requiring almost no effort to audit.

i.e. it's advantage is that it's smaller and less complex to configure/use (sudoers can get a bit thick in its syntax), but the main function and mechanics remain the same...
It doesn't change the fact that a regular user doesn't seem to need special credentials to run a command as root though, which is my main concern with sudo. Any user with elevation privileges can run things as root with their own credentials; so if that end-user account gets compromised, the compromised credentials also grant access to root without any further barriers.
That's why I'm apprehensive about it and make the argument it can really be worse than root logins when specifically needed.

[andyprough]

It doesn't change the fact that a regular user doesn't seem to need special credentials to run a command as root though, which is my main concern with sudo. Any user with elevation privileges can run things as root with their own credentials; so if that end-user account gets compromised, the compromised credentials also grant access to root without any further barriers.
That's why I'm apprehensive about it and make the argument it can really be worse than root logins when specifically needed.

But can't you just set up a different required password in sudo/doas for running commands as root? I thought that was part of the configuration. Admittedly, I have not delved deeply into the subject, and sudo has lots of configuration options. But I believe you can set it up to be about as secure as you like. Sounds like your concern is about the way that distros like Ubuntu set up sudo by default.

And you do need special credentials - you need to be in the sudoers file. If your system has an administrator, they are likely to be very picky about who gets sudo root privileges, and what groups your user can belong to and so forth.

I'm sure none of this is news to you though. The deeper you dig into any operating system, the more layers of security configuration options you'll find. I'm sure that Windows can be configured for far greater security than what it presents by default to the average "Home" user.

[Lucio Chiappetti]

Mah ... as an user of my own machines at home, of my "personal" machine at work, and of other machines at work (of all of which I have also the root password, though rarely I may use it), the thing for which sudo is convenient for the user is to define some commands as NOPASSWD, and to alias some invocations of "sudo command options...".
E.g. mounting and umounting NFS disks, starting and stopping a VPN, manipulating iptables, calling the distro manager (yast or synaptic).
Even giving access to some commands to a CGI script (using a nologin user).

[Moonchild]

But I believe you can set it up to be about as secure as you like. Sounds like your concern is about the way that distros like Ubuntu set up sudo by default.

That's the problem though: those defaults are what everyone and their uncle uses. I'm not specialist in sudo or what it's full array of options are, or how secure it can possibly be made with additional passwords or what not, I was just highlighting the fact that, in general, it's probably less secure than people might think because in its default use, the credentials asked for will be the end-user's password and not something else, making the system's security much more easily compromised.

Mah ... as an user of my own machines at home, of my "personal" machine at work, and of other machines at work (of all of which I have also the root password, though rarely I may use it), the thing for which sudo is convenient for the user is to define some commands as NOPASSWD, and to alias some invocations of "sudo command options...".

Of course context is key Just highlighting an issue I see with it in less secure context/more volatile environments.

[andyprough]

That's the problem though: those defaults are what everyone and their uncle uses. I'm not specialist in sudo or what it's full array of options are, or how secure it can possibly be made with additional passwords or what not, I was just highlighting the fact that, in general, it's probably less secure than people might think because in its default use, the credentials asked for will be the end-user's password and not something else, making the system's security much more easily compromised.

Fair enough. But it's similar to performance. Pretty much every OS/distro is restricting performance by default to give a better and more stable experience for the nontechnical user. But you can sure go in and tweak the hell out of it in most cases, just like you can overclock chips in a lot of cases. Just depends on what you want and how deep you want to dive.

[Basilisk-Dev]

Huh. My username on Linux and Unix systems has always been root. I never ran into any permissions issues. Am I doing something wrong?

Also relevant: https://www.garyshood.com/root/

[andyprough]

Huh. My username on Linux and Unix systems has always been root. I never ran into any permissions issues. Am I doing something wrong?

Also relevant: https://www.garyshood.com/root/

You're not really cool until your name in real life is Root. Neal Stephenson's character 'Enoch Root' across several of his novels spanning numerous centuries makes for an interesting view of some of the potential implications.