On 04/15/2010 10:12 AM, users-request@lists.fedoraproject.org wrote:
From: "Dr. Michael J. Chudobiak"mjc@avtechpulse.com Subject: Re: Root with GUI
On 04/15/2010 08:24 AM, Richard Shaw wrote:
On Thu, Apr 15, 2010 at 7:21 AM,hewjr1000@gmail.com wrote:
How do I make myself root in the GUI
Running a root GUI login is very much frowned upon.
You forgot the stage directions: "Folds arms across chest, wags finger at suitably cowed and humiliated user.."
It's 'frowned upon' by religious zealots who wish to impose their 'the sky could fall' fears upon everyone. A***oles piss me off.
If you want to log in as root, you will have to start by logging in as a user, then 'su' yourself to root in a console, and cd to /etc/pam.d
Run 'grep -H -n "!=" *' You should see something like:
[root@tor1 pam.d]# grep -H -n "!=" * gdm:3:#auth required pam_succeed_if.so user != root quiet gdm-password:3:#auth required pam_succeed_if.so user != root quiet gdm-password.rpmsave:3:#auth required pam_succeed_if.so user != root quiet gdm.rpmsave:3:#auth required pam_succeed_if.so user != root quiet racoon:3:#auth required pam_succeed_if.so user != root xdm:3:#auth required pam_succeed_if.so user != root quiet
except in your case, there will be no '#' preceding the 'auth' in those files. Edit to add the '#" in all of the files your system lists, thus commenting out the line. Those lines make the authentication process quietly fail, if you are root. Stupid idiotic nanny-statism circumvented.
There will be a test however, to see if this works and that you are awake. This test should have been done 15 days ago. Do 'su -', 'cd /' and then 'rm -rf *'. If you cannot log in after first considering whether you should follow these instructions, and you in fact followed them, then you have failed.
Geoff
Tux says: "Be regular. Eat cron flakes."
On 04/15/2010 09:01 AM, R. G. Newbury wrote:
On 04/15/2010 10:12 AM, users-request@lists.fedoraproject.org wrote:
From: "Dr. Michael J. Chudobiak"mjc@avtechpulse.com Subject: Re: Root with GUI
On 04/15/2010 08:24 AM, Richard Shaw wrote:
On Thu, Apr 15, 2010 at 7:21 AM,hewjr1000@gmail.com wrote:
How do I make myself root in the GUI
Running a root GUI login is very much frowned upon.
You forgot the stage directions: "Folds arms across chest, wags finger at suitably cowed and humiliated user.."
Oh, come now!
It's 'frowned upon' by religious zealots who wish to impose their 'the sky could fall' fears upon everyone. A***oles piss me off.
Those who accuse people who caution against this very ill-advised practice "religious zealots" or "A***oles" certainly demonstrate their massive experience and maturity, don't they?
In my 35 years of being in this business, I've had to support a large number of Linux, BSD and SYSV systems in the hands of former Windows users (and others with similar brain damage). I can say from experience that a root-based GUI is a very dangerous thing and those who claim otherwise either haven't supported large numbers of neophyte users or have been extraordinarily fortunate to have escaped unscathed.
It so very much easier to damage a system from the GUI than from a command line. A single icon click or "Proceed" click can run literally tens or hundreds of CLI commands. As root, there's no restriction on what's run. Brilliant! The ramifications can be (and have been) devastating in my experience. This is specifically why root-based GUIs have been disabled by default.
All that being said, if one is a godlike user and/or is willing to deal with the carnage that can (note I said _can_) ensue with root- based GUIs, then by all means edit the pam files and have at it. No one is stopping you.
However, one shouldn't call people who take a more conservative and safer route (often based on past experience) derogatory names.
(getting off my soap box) I'm done with this thread. ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer, C2 Hosting ricks@nerd.com - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - - Give me ambiguity or give me something else! - ----------------------------------------------------------------------
Rick Stevens wrote:
On 04/15/2010 09:01 AM, R. G. Newbury wrote:
On 04/15/2010 10:12 AM, users-request@lists.fedoraproject.org wrote:
From: "Dr. Michael J. Chudobiak"mjc@avtechpulse.com Subject: Re: Root with GUI
On 04/15/2010 08:24 AM, Richard Shaw wrote:
On Thu, Apr 15, 2010 at 7:21 AM,hewjr1000@gmail.com wrote:
> How do I make myself root in the GUI
Running a root GUI login is very much frowned upon.
You forgot the stage directions: "Folds arms across chest, wags finger at suitably cowed and humiliated user.."
Oh, come now!
It's 'frowned upon' by religious zealots who wish to impose their 'the sky could fall' fears upon everyone. A***oles piss me off.
Those who accuse people who caution against this very ill-advised practice "religious zealots" or "A***oles" certainly demonstrate their massive experience and maturity, don't they?
Being immature, opinionated, or even certifiably insane doesn't make him wrong. Those things are not mutually exclusive to being right.
In my 35 years of being in this business, I've had to support a large number of Linux, BSD and SYSV systems in the hands of former Windows users (and others with similar brain damage). I can say from experience that a root-based GUI is a very dangerous thing and those who claim otherwise either haven't supported large numbers of neophyte users or have been extraordinarily fortunate to have escaped unscathed.
Root access by incompetents is a bad thing, the interface is moot. But at any level of competence forcing people to do things in a complex and unfamiliar way make errors more likely. I have scripts to do things I only do a few times a year, as well as set of notes that would have been a wiki had there been such a thing when I started. Bozo should not have root, anyone so trusted should be allowed to use the best tools available.
It so very much easier to damage a system from the GUI than from a command line. A single icon click or "Proceed" click can run literally tens or hundreds of CLI commands. As root, there's no restriction on what's run. Brilliant! The ramifications can be (and have been) devastating in my experience. This is specifically why root-based GUIs have been disabled by default.
Your whole argument only makes sense if you accept the first sentence as true. And frankly I don't, at least using standard Fedora menus.
What tools do you install that would wreak such havoc? I'm looking at the menus (FC13 at the moment) and I find the set of things needing root and the set of things a user trusted with root would want to do have little overlap and minimum danger. Unless you trust root to people who are clearly incompetent, what would they do from GUI that they could screw up worse trying to do it from CLI? Some users have never *seen* a CLI, and find it a "neat new feature." I didn't make that quote up. ;-)
All that being said, if one is a godlike user and/or is willing to deal with the carnage that can (note I said _can_) ensue with root- based GUIs, then by all means edit the pam files and have at it. No one is stopping you.
Good. Because if you have root password then all you have accomplished with nanny login is to force the user to type the root password for every GUI, or force the user to try to use su and a possibly unfamiliar CLI to do things.
I have a high resistance to giving "just users" root in any way, much less blocking access to tools which might do the wrong thing but would at least do it correctly. I have pissed off several managers by requesting a signed authorization to give root to people who are not administrators. And covered my ass once with just such a paper, I am not a trusting person.
On Thu, 2010-04-15 at 14:32 -0400, Bill Davidsen wrote:
Good. Because if you have root password then all you have accomplished with nanny login is to force the user to type the root password for every GUI, or force the user to try to use su and a possibly unfamiliar CLI to do things.
Not quite. The difference between (a) logging in as root and (b) logging in as a mortal user and escalating privilege as necessary (via consolehelper/su/sudo) is that:
(1) activities that don't require root on the desktop will run with user-level privilege. For example, it's not uncommon to need to look something up on the web when doing sysadmin activity; if the user is logged in as root, then Firefox (and all of its plugins) are running as root as well. With the many recently-reported security problems in AcroRead (as an example), this is a definitely a significant risk. In the worst case, _the web owns your root_ (what could possibly go wrong?!).
The same applies to other desktop apps such as OOo; don't tell me a sysadmin never creates a spreadsheet.
If the user is logged in as a regular user, then Firefox and plugins, OOo, etc. run as that user, limiting damage in the event of a compromise through those tools. The user can still run selected tools (system-config-* for example) with elevated privilege, right alongside the other windows.
(2) logging in as root causes the desktop environment (window manager, file manager, applets, userspace side of FUSE, and so forth) to run as root as well, significantly increasing the surface area for an attack.
(3) creating files as root tends to encourage future login as root in order to conveniently access those files.
"We have more to fear from the bungling of the incompetent than from the machinations of the wicked." - from Slashdot
Exactly.
-Chris
-
Bill Davidsen -
Chris Tyler -
R. G. Newbury -
Rick Stevens