root vs user
Tom 'Needs A Hat' Mitchell
mitch48 at sbcglobal.net
Fri Mar 19 04:04:46 UTC 2004
On Thu, Mar 18, 2004 at 05:35:07PM -0500, Mitch Wiedemann wrote:
> First, I'd like to advise that you don't log in as root at all *ever*
> unless you have no choice.
> To do system maintenance I'd advise this procedure:
> 1. Log in to your normal user account
> 2. Open a "Terminal" or "Console" window
> 3. su (to gain root privileges)
3. "su - " (to gain root privileges)
> 4. Do what you need to do.
> 5. exit the root terminal when you're done.
> I NEVER log in as root unless I've done something to completely hose my
> normal user account. :)
Mitch has some good advice and a typo: s/su/su - / above.
It is true that the less you operate as UID=0 (root) the less risk
there is for doing damage to the system.
Of interest: this topic of changing roles is a hot and opinionated topic.
There are a number of different strategies for managing a
system... pick one and stick to it as best you can.
To make the point about strategies, in the file /etc/pam.d/su there
are two important 'auth' lines presented with comments.
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
This makes su privileges permissive for, or restricts them to, members
of group "wheel". On a test and tinker desktop I use these to open things
up for me. On a firewall or server I use these and more to tighten
Also other pam modules like pam_console can be used to further restrict
There are people that will only login as root to do root things and
never change roles to root from a normal user account.
There are people that will only login as a normal user and then "su -"
to do root things and never login at the console as root except for
major updates and install.
There are people that only use "sudo" or "consolehelper" types of role
Some of the differences in opinion have to do with what you know.
Do system maint in ways that you know and understand.
Some of the differences in opinion have to do with shared
responsibility and footprints for audit.
Use "sudo" if there are many fingers, "su -" if it is only you.
Keep a notebook. For systems as reliable and stable as Linux the
"do you remember" issues become real. A setup and configuration decision you
made six months ago could be hard to remember when upgrade time arrives.
Use paper; you cannot read stuff on line when you are fixing the
machine with the notes on it.
BTW: When I login as root my background is a harsh nasty red.
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
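
The two pam_wheel lines quoted in the message above decide whether su trusts the "wheel" group implicitly, is limited to it, or is not wheel-gated at all. The following is an added example, not part of the original message: a shell helper (wheel_policy, a hypothetical name) that reports which of those states a PAM su file is in, run here on a constructed sample rather than a real /etc/pam.d/su.

```shell
#!/bin/sh
# Added example (not from the original message). wheel_policy is a
# hypothetical helper name; $1 is the path of a PAM "su" service file.
# Assumes the simple "type control module args" line form shown in the message.
wheel_policy() {
    awk '
        $1 ~ /^#/ { next }    # a commented-out line is inactive
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") trust = 1
            # "sufficient ... trust": wheel members are implicitly trusted
            if ($2 == "sufficient" && trust) implicit = 1
            # "required": only wheel members may use su at all
            if ($2 == "required" || $2 == "requisite") restricted = 1
        }
        END {
            if (implicit && restricted) print "wheel-trusted+wheel-only"
            else if (implicit)          print "wheel-trusted"
            else if (restricted)        print "wheel-only"
            else                        print "no-wheel-policy"
        }
    ' "$1"
}

# Constructed sample: the lines from the message with only the
# "required" line uncommented, as one might do on a server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
EOF
wheel_policy "$sample"
rm -f "$sample"
```

Point the function at a copy of the real file during an audit and record the result alongside the paper notes the message recommends.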