Root access removed

[Jeff Vian]

Chadley Wilson wrote:

>On Tue, 2004-05-11 at 09:46, Chris Hewitt wrote:
>
>  
>
>>With the Redhat/Fedora model the installation requires making an 
>>unprivilaged user and people tend to log in with that. For things 
>>requiring root access then yes the root password prompt comes up. 
>>Annoying maybe but at least the option is given.
>>
>>In the MS model, no such unprivilaged user has to be made during 
>>installation (I've not used XP so maybe that differs?), so people tend 
>>to log in as Administrator so already have the privilages. I manually 
>>make an unprivilaged user and log in as that but when I need 
>>Administrator privilages for something I simply get a message telling me 
>>I cannot do that. I have to log out then log in again as Administrator, 
>>do what I need, then log out and log in again as my unprivilaged user. 
>>Its not just the time in doing these log out/ins, but in setting up the 
>>programs that I had and getting back to the point where I was before.
>>
>>I think the Redhat/Fedora model is much more user friendly. You could 
>>suggest to your customers that they log in as root all the time. They 
>>would need to accept that making a mistake could have much more 
>>disasterous consequences, which is why non-root access is better.
>>
>>As to why there should be a performance difference, I do not know.
>>
>>    
>>
>Thanks for your input Chris,
>
>But as for the administrative stuff I can understand the need for it to
>require root access and yes the prompts are provided in linux and yes it
>is good.
>
>After much thought I think that I am able to explain my angle.
>Why do things like, kppp setup, disk free, hardware browser, printer
>manager, smb mounts, flash drives, digital cameras etc.. need root
>access in a home environment/office enviroment.
>  
>
These are things that get configured once and used a lot. Regular users 
can use them, root configures them.

>Take shares and removable media they all require root access and
>
Only to configure. My cdrom and floppy can be mounted/unmounted by the 
user logged in when the disk is inserted (and that is default).

>although there are work arounds, I find myself driving out to a client
>only to find that he needs to open a terminal, su to root to mount a
>flash drive, I check the config files and they are right, and I have
>done many. He can use his stick, it works, he saw it work, I saw it
>work, He unplugs it and later plugs it in again now he only has read
>only access and doesn't have permissions. Get in my car drive there, I
>see the flash is already mounted, and without un-mounting it I log into
>a terminl as root and touch a file in the flash dir and guess what
>suddenly the user has RW access again.Without unmounting? mmmm Thats
>without changing anything, it seems the system wants root to first
>access the drive before any other user.
>O.K so now he reboots his PC and can't get it mounted at all at all
>because he needs to be root to mount.
>
>The point is: it is his memstick, it has his junk on it, he doesn't care
>who root is, its not roots memstick it is his. He plugged it in as a
>user not as root, but he still can't access it unless I am there to
>configure everything, I tried to chown user on the flash but then he
>cant access it on his other box because he is not logged in there. so it
>is a real pain in the you know what.
> 
>
/etc/fstab controls the access when mounting.   Configure it there to 
allow the user to mount/unmount and access it.

>One very common problem is with smb mounts for some reason when "I"
>setup the access the user can mount the shares RW, he is given the
>correct permissions from the serving PC and it works (RW). Until you
>unmount and remount, for instance when the guy reboots his machine.
>First problem starts when you unmount if anything is open, showing or
>using the contents of the smb share while attempting to unmount, it
>won't ever unmount the share again, even if you close all apps running,
>at this point I just reboot, The same unmounting problem occurs in with
>the flash. 
>  
>

Open files are a no no when trying to unmount/close.  That rule protects 
data/file integrity.

A little bit if time spent on education is much better in the long run 
than just removing obstacles.  Ever hear the one about "Give a man a 
fish and he eats for a day.  Teach a man to fish and he eats forever.")? 
 It applies to using computers as well.

>So to fix this guy I did a very bad :{ thing and feel bad about it to.
>But I have plenty of reason for it, My petrol bill is witness to that. 
>In the /etc/passwd file I removed the x from the 2nd column on both the
>user and root. now everything works. But its not the right way to do
>things.
>These sort of things should work like stiffy and CD-Rom mounts. The user
>logged in must be king of anything he plugs into his PC, like printers,
>scanners, digital cameras, web cam, etc...
>System files and and security should be for root. 
>I mean what does root care how the dude installs his printer, if he
>shares the damn thing to the whole world he will soon run out of paper
>and ink and soon learn his lesson. 
>Also what do the file on a camera or memstick have to with root?
>  
>
configuration in /etc/fstab easily solves most of those mount/unmount 
problems.

Cost to the user is not really the problem.
A slave with a rootkit installed and access to the internet masquerading 
as someone else is a much bigger problem for us all (No Password -- a 
root kit is not even needed).

>Do you get my point? :'\
>
>Note: for those following this thread, it is not a fight it is a
>civilised discussion please keep it that way. ;-}
> 
>
I understand your point, and as long as the user understands the risks 
of being root user and the ease of causing severe damage to his system 
with a simple typo when he is logged in as root, it is, after all, /his/ 
system.

What I would expect in the long run though is that since you have 
removed the passwords he will get in the habit of using root for routine 
access and the maintenance will likely go up instead of down. -- because 
of typo's, configuration changes, and system file deletion/corruptions.

>I just think that to many tools and apps require root access where the
>user should have full rights.
>
>  
>