Christopher Taylor said: > > Walter Reed wrote: > >> laziness or incompetence. This entire thread is full of a bunch of > >> crap about baseless DESIRE but there has yet to be any real concrete > >> reasons as to the NEED for GDM level root login. The answer is obvious > >> - there ARE no reasons. They don't exist. All that exists is a > >> juvenile urge to > > > > Of course users never *need* to log into gdm as root -- you don't > > *need* GDM in the first place -- but it makes things easier in some > > cases. On the opposite end, nobody has given a convincing argument > > for why you *need* to keep root logins away from gdm!
Oh PLEASE. Virtually Every single book and article on UNIX security talks about why you don't login as root (gdm isn't the issue here.) Go read one. In fact, I'll go one further. You shouldn't be able to login as root at the console either unless booted in single-user mode. > There are some applications out there that a) must be installed as root > and b) can only be installed from a graphical UI installer. Since the > default Debian configuration also does not permit root to use a user's X > Windows display, this only leaves the option of disabling some of the > Debian default "security" measures. "security" measures - Pah. man xhost man su It's really quite simple. Go ahead and run the installer as root after you login as a normal user. This is NOT hard people. Yes, it's different than Windows. So is the Mac. So is a Mainframe. And so on. Spend a little time to learn the OS you use. Read some books and articles. I WILL agree that some things could be a little easier in Debian or other flavors of Linux. For example it would be nice to have a GUI root-wrapper that could be accessed via the standard menu like the "Run Program...", or maybe even just a checkbox option to Run Program that does the "su" thang. It would also be nice if admin level apps would just ASK for the root password if needed, and continue on. From a raw security perspective this is sub-optimal due to the possibility of userland trojans, but we seem to be focusing on user-owned desktops here so it's not a big issue in this context. The bottom line, though, is that it's just not that hard to do it with the existing methods. In fact, it's MUCH faster and easier to just open a term window and /bin/su and do your stuff than to logout, login as root, do stuff, then logout again, and re-login as a normal user as the "pro-root-login" camp is pushing. The "root IS my normal user" camp is just too loopy to even address here. The "default" in Debian should ALWAYS fall on the side of greater security. In fact, many argue that the default is not secure enough, but there have been some usability tradeoffs. Maybe the installation procedure could have an optional extra "security" menu to alter some of the default security settings to be more appropriate for single user workstations, multiuser, and servers.
