Root with GUI

[Chris Tyler]

On Thu, 2010-04-15 at 14:32 -0400, Bill Davidsen wrote:
> Good. Because if you have root password then all you have accomplished 
> with nanny login is to force the user to type the root password for 
> every GUI, or force the user to try to use su and a possibly unfamiliar 
> CLI to do things.

Not quite. The difference between (a) logging in as root and (b) logging
in as a mortal user and escalating privilege as necessary (via
consolehelper/su/sudo) is that:

(1) activities that don't require root on the desktop will run with
user-level privilege. For example, it's not uncommon to need to look
something up on the web when doing sysadmin activity; if the user is
logged in as root, then Firefox (and all of its plugins) are running as
root as well. With the many recently-reported security problems in
AcroRead (as an example), this is a definitely a significant risk. In
the worst case, _the web owns your root_ (what could possibly go
wrong?!).

The same applies to other desktop apps such as OOo; don't tell me a
sysadmin never creates a spreadsheet.

If the user is logged in as a regular user, then Firefox and plugins,
OOo, etc. run as that user, limiting damage in the event of a compromise
through those tools. The user can still run selected tools
(system-config-* for example) with elevated privilege, right alongside
the other windows.

(2) logging in as root causes the desktop environment (window manager,
file manager, applets, userspace side of FUSE, and so forth) to run as
root as well, significantly increasing the surface area for an attack.

(3) creating files as root tends to encourage future login as root in
order to conveniently access those files.

>    "We have more to fear from the bungling of the incompetent than from
> the machinations of the wicked."  - from Slashdot

Exactly.

-Chris