Linux user
-
Do you use root as the primary user to manage your servers or another user who has sudo access? If a different user, what unique names you have for the user?
-
Sudo, I use an account linked to my username that has sudo permissions. Other admins have the same thing. If something happens it is easy to audit the sudo logs to see who issues what commands.
-
I don't use root, I use my own account. Pretty much that is how Linux or any UNIX today is really meant to be managed, by a normal user account using privilege escalation. You should not be using shared accounts ever and special accounts are unnecessary.
-
But if your the sole user on the server, does it still make since to create just a single user?
-
@anonymous said:
But if your the sole user on the server, does it still make since to create just a single user?
Yes. Same as on Windows. Most basic rule of computing in the post-DOS era: don't run as the administrator.
Even if you are the only user and it's a personal system, I've never run as the local admin except for the few years that I had a secondary DOS machine where there were no users at all.
-
@anonymous said:
But if your the sole user on the server, does it still make since to create just a single user?
Yes, it can help prevent those moments where you fat finger a command. I generally pay extra close attention when I run things with sudo.
-
But isn't it true that if I run sudo I can do just as much harm as running as root? If that is true, whats the difference?
-
Personally, I create a account for another reason. I like to use SSH keys, and SSH keys on a root account is bad form. Also, I disable root login via SSH - this just makes good security sense. If I need access I have to access via console.
-
@anonymous said:
But isn't it true that if I run sudo I can do just as much harm as running as root? If that is true, whats the difference?
Couple of things...
- It blocks most accidental typos. If you are just doing normal tasks, no reason to risk exposing the system. If you are typing rm -rf /opt/mytestfiles and accidentally hit enter too soon as root, the system is dead. Do it as a normal user, nothing happens.
- It makes you aware when you are doing something risky. If it suddenly asks you for sudo access, you can stop and think whether you meant to do that thing or not.
- It stops malware that gets to you as the end user from escalating to root. Click the wrong website link as root, and your system is pwned. Do it as an end user, you are completely safe (at a system level.) No Linux malware on the market can breach the root escalation point (today.)
- Not really applicable to single user but... tracking. You'll have far better visibility into who is using root. Helps you to know if your account or the root account is compromised.
-
@anonymous said:
Personally, I create a account for another reason. I like to use SSH keys, and SSH keys on a root account is bad form. Also, I disable root login via SSH - this just makes good security sense. If I need access I have to access via console.
SSH Keys to root are only bad form because it is bad form to ever run as the root account. SSH Keys to root on their own are not bad at all. Root remote access, also only bad because of inheritance.
All of those, along with the base question of why not to run as root, are all because of "bad form."
-
@scottalanmiller said:
- It blocks most accidental typos. If you are just doing normal tasks, no reason to risk exposing the system. If you are typing rm -rf /opt/mytestfiles and accidentally hit enter too soon as root, the system is dead. Do it as a normal user, nothing happens.
However if I type:
sudo rm -rf /opt/mytestfilesThen it's game over right? I think I remember you saying that you remove the need for retype your password to use sudo?
-
@scottalanmiller said:
- It makes you aware when you are doing something risky. If it suddenly asks you for sudo access, you can stop and think whether you meant to do that thing or not.
For some people I am sure that's true, but you would be surprised how often I see someone using sudo before EVERY command
-
@anonymous said:
@scottalanmiller said:
- It blocks most accidental typos. If you are just doing normal tasks, no reason to risk exposing the system. If you are typing rm -rf /opt/mytestfiles and accidentally hit enter too soon as root, the system is dead. Do it as a normal user, nothing happens.
However if I type:
sudo rm -rf /opt/mytestfilesThen it's game over right? I think I remember you saying that you remove the need for retype your password to use sudo?
I do, but by default you normally do not.
-
@scottalanmiller said:
- It stops malware that gets to you as the end user from escalating to root. Click the wrong website link as root, and your system is pwned. Do it as an end user, you are completely safe (at a system level.) No Linux malware on the market can breach the root escalation point (today.)
I assume we are talking about servers here? I never browse websites on my servers
I find it very hard to do from the command line
-
@anonymous said:
@scottalanmiller said:
- It makes you aware when you are doing something risky. If it suddenly asks you for sudo access, you can stop and think whether you meant to do that thing or not.
For some people I am sure that's true, but you would be surprised how often I see someone using sudo before EVERY command
that's extremely weird. And only works if they disable passwords for it (which I do, but I rarely recommend.)
-
@scottalanmiller not trying to argue, just working it out in my head
At the end of the day my point is that you can't fix ignorance. If you don't know, you don't know. The key is know what your doing BEFORE you do it. And always have a backup just in case
-
I'm sure this goes against every best practice, but when I'm doing a bunch of admin stuff i issue a sudo bash and open up a new bash shell with sudo privileges
-
@brianlittlejohn said:
I'm sure this goes against every best practice, but when I'm doing a bunch of admin stuff i issue a sudo bash and open up a new bash shell with sudo privileges
Not uncommon, and I do that a bit too (I use sudo -i su) but one of the good things about that is that it still tracks your user, it does not treat you as root for auditing.
