On Fri, 1 Aug 2003, James Sparenberg wrote:

> On Fri, 2003-08-01 at 00:49, Bill Mullen wrote:
> > On Thu, 31 Jul 2003, James Sparenberg wrote:
> >
> > > I've done it a number of times. Why?... I build boxes for people
> > > and when I build the box it has no user. I nonetheless have to
> > > configure/setup the box and the only option is to log in as root.
> > > (much cleaner than creating / deleting a user just to su to root.
> > > and I rarely know who I'm building it for, only that I have to build
> > > X number of boxes.)
> >
> > I disagree that it is "much cleaner", as creating and then later
> > deleting a user is such a trivial exercise.
>
> Trivial ... probably if you only do one box... not if you have to build
> install and test 20 30 or more boxes at the same time. (thank god for
> PXE)

Yes, trivial. Run "userdel -r username". Boom! Done.

> > > Do I do it often on my home box? .... no. But I do, do it. I can't
> > > do any more damage that way than I can as a normal user and su/sudo.
> >
> > No, you can't do *more* damage, but you can do inadvertent damage
> > *much* more easily; the GUI's whole function is to make things easier,
>
> You forget one rule of thumb here... gui's lie. They tell you you can
> only do say.... 5 things. When in fact from the command line editing
> code and config files you could do a lot more.

I'll remind you here that *any* program, including every single GUI one,
can be run as root from within a user login - there is still no need for
the entire /desktop/ to be running as root. And if you're setting up a
lot of boxes and not using things like tarballs of your own pre-tweaked
config files, and a few simple scripts to automate the process wherever
possible (and to simultaneously limit the error potential therein), then
you're making much more work (and risk) for yourself than need be, IMHO.

> > and that applies to root blunders just as much as anything else. :)
> > Also, since the X server itself is now running as root,
>
> One of the big reasons it does I'm told is so that users can run root
> programs without doing the even more dangerous xhost + localhost

I have *never* had to do this on a Mandrake box, and neither have you;
you may have done it, but you didn't have to. Try one without it and
see. ;)

> > you are somewhat more (needlessly) vulnerable to exploits originating
> > from elsewhere. This becomes especially important if among the
> > remaining configuration tasks is the locking down of the box.
>
> Wanna bet... 2 days ago I helped someone recover because he'd learned rm
> * (btw it was RH where the default isn't aliased to -i )... and did it
> in the wrong directory. (he'd meant to do rm core* but forgot the core)
> Now tell me... is there a gui equivalent to that?

Sure.
It's even in the menus for every user - "File Manager - Super User
Mode". You don't even have to open a terminal, for gosh sakes! If RedHat
doesn't have something like it, well, that's /their/ problem, eh? :)

> In a gui he would have gone to a file manager selected the core dumps
> and pressed delete. One reason for starting people with a gui over
> command line. It's easier to "see" where you are and what you are
> doing. It's much harder to do the rm * equivalent in a gui. In fact
> gui's often have more "failsafes" than the command line.

Again I'll remind you that I'm not saying that there is one single thing
wrong with running any GUI configuration app as root within a *user's* X
environment. My sole argument is that you don't have to run the whole
darn desktop as root to do it! If you need to use drakconf to configure
Apache, then obviously drakconf must be run as root; if you need to
*test* Apache with a browser during that process, why on Earth does that
browser also need to be run as root? It doesn't, plain and simple.

> What is the diff between logging in as root and running MCC or su'ing to
> root and running it? Nada.

With all due respect, I disagree completely with this, James. The
glaring difference is that in the former case, *everything* is running
as root - X, the window manager, the DE, the panel, every single app,
the whole nine yards; in the latter, the specific app that is so invoked
is the *only* thing on that user's desktop with root privileges. It's
plain as day to me that the latter scenario is far less likely to permit
inadvertent results, if only because a /very/ small subset of the full
panoply of one's running programs is in any position to cause them in
the first place!

Again we come back to the *nix truism, "Only do as root that which
*must* be done as root". The stricter you apply that philosophy, the
less likely you are to wreak havoc on your system.
That's all I'm trying to convey in this discussion - fundamentally sound
and time-tested sysadmin practices. And I'm not "telling people what
they can and can't do with their system", as has been alleged by some
others in this thread - I'm offering the very best advice I can in a
specific area, and I wish people would take it in the spirit in which it
is being offered, instead of getting all up in arms and accusing me of
saying things that I am plainly /not/ saying. Sheesh.

> > > I also do a lot of "repairs" to boxes. I often login directly as
> > > root so that I can do repairs because I don't have a user on the
> > > box.
> >
> > I can understand that, but I don't see where the GUI needs to be
> > involved. Drakconf will run just fine in a vtty, for example, as will
> > programs like linuxconf (*ptui!* <g>), sndconfig, XFdrake, etc. etc.;
> > many other common configuration and/or repair tools are CLI only, of
> > course. How is running an X server as root (much less an entire DE)
> > truly *necessary* here?
>
> wish it was always MDK ... but it's not. Slack FreeBSD RH (and boy o
> boy do I get frustrated with RH) and more. It also allows me to have 6
> or 7 term windows open at one time. A number of embedded systems I've
> dealt with (POS systems for example) only have root. Not all linux
> boxes are generic desktops.

Ah, but /I'm/ talking about Mandrake boxes here, this being a Mandrake
list and all - though not necessarily "generic desktops" (I mostly build
Mandrake server boxes, many of which end up running headless and only
run X apps remotely once configged, if they run them at all) - which
will let you have any number of root xterm windows open *without*
requiring the X server, the DE, and everything else in sight to also be
running as root. Other distros just aren't as *good* as Mandrake is, of
course ... but that goes without saying, doesn't it? ;)

-- 
Bill Mullen   [EMAIL PROTECTED]   MA, USA   RLU #270075   MDK 8.1 & 9.0
"Computers make it easier to do a lot of things, but most of the things
they make it easier to do don't need to be done." - Andy Rooney
