Do most people just run a linux desktop as root?

Red Squirrel

No Lifer
May 24, 2003
68,342
12,562
126
www.anyf.ca
I know it's not advised, but, how in the world does one cope with having to enter a password every bloody time an app is started? Even to do updates. Do people just normally run as root so they can actually access everything? If you were to get a Linux virus (not that there are a lot of them out there but I'm sure there are) it would bypass the security anyway, so is the argument pretty much moot? It's like in Windows whether you are admin or restricted user, if you go online and catch a virus, the PC is infected anyway.

Things like changing screen res are also very annoying if not under root. Can't even do it, have to make it generate the config file, then copy and paste it as root. To me this is very counter productive, I rather have full access to MY system.

I'm talking from a desktop perspective. Am I maybe just doing something wrong? I'm new to the world of Linux desktop. Playing with VMs at this point but I'd love to convert my main system when I feel that I'm ready.
 

sivart

Golden Member
Oct 20, 2000
1,786
0
0
I'm using Ubuntu (as standard user, not root) and the only time I'm asked for my password is during updates (no big deal) and when I manually issue a sudo command.

Changing preferences, opening programs, etc. do not require me to enter a password. Of course, changes to system settings (not preferences) will require a password, but once you have that setup there is not much reason to touch it...especially everyday.


I use this on my laptop as my only OS. So far the only thing I've found I can't do is print me some target coupons :(
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
I'm using Ubuntu (as standard user, not root) and the only time I'm asked for my password is during updates (no big deal) and when I manually issue a sudo command.

Changing preferences, opening programs, etc. do not require me to enter a password. Of course, changes to system settings (not preferences) will require a password, but once you have that setup there is not much reason to touch it...especially everyday.


I use this on my laptop as my only OS. So far the only thing I've found I can't do is print me some target coupons :(

What he said, im running Mint 8(based on ubuntu 9.10) and it only askes me when i download updates or install a program. or uses sudo. Typing it in every few days is fine if you are forced to do it all the time you must have a setting set wrong or something.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Am I maybe just doing something wrong?

sounds like it. ive never felt overwhelmed by ubuntu or debian on the desktop asking for a password. the major thing is installing software....thats really the only common thing that i can think of. and some certain system settings.

it was never as annoying as UAC in windows vista, so it was never annoying enough to bother me.
 

Fox5

Diamond Member
Jan 31, 2005
5,957
7
81
Most people don't run as root since Ubuntu doesn't offer it as an option.

You only have to enter the password to make system config changes (rare), installing software (one-time activity), and updates (turn on auto updates and you don't have to worry, also the only major updates to any software release as part of the 6 month cycle, so updating isn't a major concern unless you've added a ppa).
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
I know it's not advised, but, how in the world does one cope with having to enter a password every bloody time an app is started? Even to do updates. Do people just normally run as root so they can actually access everything? If you were to get a Linux virus (not that there are a lot of them out there but I'm sure there are) it would bypass the security anyway, so is the argument pretty much moot? It's like in Windows whether you are admin or restricted user, if you go online and catch a virus, the PC is infected anyway.

Things like changing screen res are also very annoying if not under root. Can't even do it, have to make it generate the config file, then copy and paste it as root. To me this is very counter productive, I rather have full access to MY system.

I'm talking from a desktop perspective. Am I maybe just doing something wrong? I'm new to the world of Linux desktop. Playing with VMs at this point but I'd love to convert my main system when I feel that I'm ready.

What distro? I've never ran as root.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I know it's not advised, but, how in the world does one cope with having to enter a password every bloody time an app is started? Even to do updates. Do people just normally run as root so they can actually access everything?

It's not only not advised, it's not necessary. There's only a few things that actually need root access. I run as a standard user and just use root when doing system level things. I tend to keep a root shell open inside of screen, but my desktop and such is all just me.

If you were to get a Linux virus (not that there are a lot of them out there but I'm sure there are) it would bypass the security anyway, so is the argument pretty much moot?

Huh? "Bypass the security"? This isn't Star Trek where someone can flip a few isolinear chips to bypass the security protocols.

It's like in Windows whether you are admin or restricted user, if you go online and catch a virus, the PC is infected anyway.

No it's not. And Windows isn't like that either. You have absolutely no idea how security in either system works, do you?

hings like changing screen res are also very annoying if not under root. Can't even do it, have to make it generate the config file, then copy and paste it as root. To me this is very counter productive, I rather have full access to MY system.

A. With the new Xorg system you shouldn't need an xorg.conf and you should be able to change resolution at runtime with something like xrandr.
B. Even if you do need an xorg.conf, you create it once with all of the resolutions you want and you're done. You don't need to modify your xorg.conf every day. And again, then you'd just use something like xrandr or keyboard shortcuts to change resolution.

I'm talking from a desktop perspective. Am I maybe just doing something wrong? I'm new to the world of Linux desktop. Playing with VMs at this point but I'd love to convert my main system when I feel that I'm ready.

You're doing something very wrong if you need root access constantly during normal usage.
 

Red Squirrel

No Lifer
May 24, 2003
68,342
12,562
126
www.anyf.ca
I've seen viruses bypass security. That's what a virus is designed to do. It exploits the system. Heck you can easily bypass windows security by booting up with a linux CD. The virus basically does the same thing. instead of using the windows API calls it just does it at a lower level.

I did notice in Ubuntu 9.10 it's a bit better as far as requiring root for stuff. I was in fact able to change the resolution but it seems to only work for the user I changed it for.

but considering apps install everywhere on the system instead of a designated folder, wont I need to be root to run most apps? Lot of apps put their config in /etc.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
I've seen viruses bypass security. That's what a virus is designed to do. It exploits the system. Heck you can easily bypass windows security by booting up with a linux CD. The virus basically does the same thing. instead of using the windows API calls it just does it at a lower level.

Very misinformed. To access the 'low level' you are going to need to to though the kernel. There quite simply (without booting from a liveCd as you mentioned) no other way to get where you want to go on the operating system. The exploits you are talking about do not go around the windows kernel or the linux kernel, they instead exploit some hole in an application with the privileges it already needs. Linux has many systems designed to defeat these kind of attacks such as SELinux and chroot jails.

Yes if your restricted user gets a virus, his personal files (everything he can read) are compromised. However, the virus can only write to things that user already has write permission to (which should really just be his /home directory). So while the virus could screw up your files, it's not going to affect any other user on the system. Also with proper settings to prevent execution from /home it will not be able to execute and propagate in the first place.

Unlike windows, 99% of all attacks are going to require you as the user to run the bad application in the first place. This means that you are going to need to tel the system to execute code you do not trust. If you are running applications from sources you don't trust, then you deserve to get what is coming to you.

Obviously no system is 100% secure, however the default security settings in modern linux distro's are very secure and in my opinion way better then most users currently have on their windows XP desktops today. It's safe to say you will probably not get a Trojan or virus while using linux as a desktop.

I did notice in Ubuntu 9.10 it's a bit better as far as requiring root for stuff. I was in fact able to change the resolution but it seems to only work for the user I changed it for.
Different users may want different screen resolutions.....

but considering apps install everywhere on the system instead of a designated folder, wont I need to be root to run most apps? Lot of apps put their config in /etc.

Again, very misinformed. The user has read only permissions to the folders needed to run applications. These are designated folders for designated things. For example /etc/ holds system wide configuration files. /usr/local/bin holds user installed binaries (think of them as exe files). Your user can run those programs because they have read permissions on those files.

So now you say "But how can my user change their settings in that app without root access then?". The answer is each app will store it's settings for that user in the user's home folder. If you do a ls -la on the terminal you will see a bunch of folders for your applications such as .applicationName. Inside that folder you will see configs related to the individual user. This is how it is done typically. I personally think OSX does this even better having a Library folder in the users home directory that contains all application related user specific files. But OSX lacks a proper package management system.
 

her209

No Lifer
Oct 11, 2000
56,336
11
0
I've seen viruses bypass security. That's what a virus is designed to do. It exploits the system. Heck you can easily bypass windows security by booting up with a linux CD. The virus basically does the same thing. instead of using the windows API calls it just does it at a lower level.
You can do a lot of things by having physical access to the system. For example, you can take out the hard drive and read the contents on another computer. You can perform a denial of service attack by unplugging the computer.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I've seen viruses bypass security. That's what a virus is designed to do. It exploits the system. Heck you can easily bypass windows security by booting up with a linux CD. The virus basically does the same thing. instead of using the windows API calls it just does it at a lower level.

That makes absolutely no sense at all and if you understood how the Linux and NT kernels handle processes and security you'd know that. A process running as a regular user can't access the hardware or BIOS directly let alone boot off something else to continue it's infection.

I did notice in Ubuntu 9.10 it's a bit better as far as requiring root for stuff. I was in fact able to change the resolution but it seems to only work for the user I changed it for.

Which is a good thing. Why would you expect it to apply globally?

but considering apps install everywhere on the system instead of a designated folder, wont I need to be root to run most apps? Lot of apps put their config in /etc.

Not even close. Again, you need to do some reading on how this stuff works.
 
Last edited:

Red Squirrel

No Lifer
May 24, 2003
68,342
12,562
126
www.anyf.ca
That makes absolutely no sense at all and if you understood how the Linux and NT kernels handle processes and security you'd know that. A process running as a regular user can't access the hardware or BIOS directly let alone boot off something else to continue it's infection.

I can't speak for Linux but I've seen it in Windows and I work in IT. People using restricted user accouts will land on a bad site or what not, and since the standard at most work environments is IE6 which is full of security holes, it will just let the virus right through, and execute as whatever user the virus is designed to run as, probably SYSTEM, and from there the whole machine is infected. If it's not fixed fast enough it may spread to other machines depending on what the particular virus is designed to do. I've seen entire school computer networks shut down by viruses and worms, and it was contracted by a user running as a restricted account.
 
Last edited:

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I can't speak for Linux but I've seen it in Windows and I work in IT. People using restricted user accouts will land on a bad site or what not, and since the standard at most work environments is IE6 which is full of security holes, it will just let the virus right through, and execute as whatever user the virus is designed to run as, probably SYSTEM, and from there the whole machine is infected. If it's not fixed fast enough it may spread to other machines depending on what the particular virus is designed to do. I've seen entire school computer networks shut down by viruses and worms, and it was contracted by a user running as a restricted account.

I work in IT as well and I understand how the underlying systems work. Either they are actually running as admin users and you just don't know it or whatever virus it is knows about some unpatched vulnerability in those systems. Processes just don't run as whatever user they want. The latter isn't something you can really fix because there will always be a hole somewhere, but if you have a good layered security policy (i.e. patching, AV, firewall, possibly a filtering proxy, etc) you can minimize the risk to the point where it's virtually non-existant.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I've seen viruses bypass security. That's what a virus is designed to do. It exploits the system. Heck you can easily bypass windows security by booting up with a linux CD. The virus basically does the same thing. instead of using the windows API calls it just does it at a lower level.

That isn't just bypassing Windows security, its bypassing physical security. The same attack would work on Linux.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Very misinformed. To access the 'low level' you are going to need to to though the kernel. There quite simply (without booting from a liveCd as you mentioned) no other way to get where you want to go on the operating system. The exploits you are talking about do not go around the windows kernel or the linux kernel, they instead exploit some hole in an application with the privileges it already needs. Linux has many systems designed to defeat these kind of attacks such as SELinux and chroot jails.

Which, you know, have holes in them. ;)

Unlike windows, 99% of all attacks are going to require you as the user to run the bad application in the first place. This means that you are going to need to tel the system to execute code you do not trust. If you are running applications from sources you don't trust, then you deserve to get what is coming to you.

Do you have a source for your numbers? I'd bet that the attack general vectors for Linux desktops are similar to Windows. Browser? Check. Email? Check. Users? Check. Bad administration? Check.

With a properly setup Windows system you can avoid a lot of the issues people see today (bad defaults).
 

Red Squirrel

No Lifer
May 24, 2003
68,342
12,562
126
www.anyf.ca
I work in IT as well and I understand how the underlying systems work. Either they are actually running as admin users and you just don't know it or whatever virus it is knows about some unpatched vulnerability in those systems. Processes just don't run as whatever user they want. The latter isn't something you can really fix because there will always be a hole somewhere, but if you have a good layered security policy (i.e. patching, AV, firewall, possibly a filtering proxy, etc) you can minimize the risk to the point where it's virtually non-existant.

Exactly. Viruses (at least most) attack vulnerabilities, perhaps ones that are not even known yet, so it does not matter what user you're running as. In a corporate environment patches usually take a long time to get applied due to all the red tape and crap, so even old ones will still work.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,093
455
126
Do most people just run a linux desktop as root?

NO. Plain and simple. The only times you should need root is for changing system configuration (i.e. services that are running, network address, installing some software, and account management). Otherwise, you don't need it and shouldn't be running as root. It is one of the fundamental security improvements in linux.

Things like changing screen res are also very annoying if not under root. Can't even do it, have to make it generate the config file, then copy and paste it as root. To me this is very counter productive, I rather have full access to MY system.

Sounds like you are not setting up the config file properly. You should put all resolutions that you want to be able to use in the config file, not just the single one that you wish to be using that moment. Then you can use the "Ctrl+Alt+"+" or "Ctrl+Alt+"-" to change resolutions up or down without even needing to go to a menu...
 
Last edited:

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Exactly. Viruses (at least most) attack vulnerabilities, perhaps ones that are not even known yet, so it does not matter what user you're running as. In a corporate environment patches usually take a long time to get applied due to all the red tape and crap, so even old ones will still work.

Of course it still matters. Do you leave your house unlocked because someone can just pick the lock or break a window to get in? And lots of viruses do get stopped in their tracks if you're an unprivileged user because it was safe to assume a Windows user would be runnign as admin up until recently.

And in a corporate environment patches might be somewhat behind, but not more than a month or so. If you've got a company that won't let you apply patches at least monthly then they deserve what they get.

If you truly believe all of that then you really have no idea how security works.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,093
455
126
I can't speak for Linux but I've seen it in Windows and I work in IT. People using restricted user accouts will land on a bad site or what not, and since the standard at most work environments is IE6 which is full of security holes, it will just let the virus right through, and execute as whatever user the virus is designed to run as, probably SYSTEM, and from there the whole machine is infected.

And that is very true for Windows because in Windows, IE ties into EVERYTHING! Which means, when there is an exploit to it, ANYTHING can be done with full admin rights. UNLIKE Windows, Linux DOESN'T integrate something like a web browser into the system KERNEL! The only thing that can happen when an exploit is found for a web browser on a linux system are commands that the user running the web browser had access to on the system. And since you are NOT running as ROOT, you have very limited access to do things on the system, and would need to use another exploit on the system to elevate the privileges to root. So, moral of the story is that if you are NOT running as ROOT, the system is a LOT HARDER to exploit!
 
Last edited:

Fallen Kell

Diamond Member
Oct 9, 1999
6,093
455
126
I can't speak for Linux but I've seen it in Windows and I work in IT.

Also, the first part of the sentence here is why you should be listening to those of us who CAN speak for linux AND work in IT... I personally deal with Unix and linux system security configurations as a large part of my job.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
And that is very true for Windows because in Windows, IE ties into EVERYTHING! Which means, when there is an exploit to it, ANYTHING can be done with full admin rights. UNLIKE Windows, Linux DOESN'T integrate something like a web browser into the system KERNEL! The only thing that can happen when an exploit is found for a web browser on a linux system are commands that the user running the web browser had access to on the system. And since you are NOT running as ROOT, you have very limited access to do things on the system, and would need to use another exploit on the system to elevate the privileges to root. So, moral of the story is that if you are NOT running as ROOT, the system is a LOT HARDER to exploit!

IE is used by a lot of things, but iexplore and the MSHTML rendering engine (Trident?) are still run as whatever user was doing the browsing. IE and MSHTML aren't integrated into the kernel in any way. The main problem is that in the past most Windows users were running as an Admin, now that's not the case with Vista and up by default so we should see a lot less system level problems with them.
 

Fox5

Diamond Member
Jan 31, 2005
5,957
7
81
I can't speak for Linux but I've seen it in Windows and I work in IT. People using restricted user accouts will land on a bad site or what not, and since the standard at most work environments is IE6 which is full of security holes, it will just let the virus right through, and execute as whatever user the virus is designed to run as, probably SYSTEM, and from there the whole machine is infected. If it's not fixed fast enough it may spread to other machines depending on what the particular virus is designed to do. I've seen entire school computer networks shut down by viruses and worms, and it was contracted by a user running as a restricted account.

Windows XP's security is pretty weak, I can usually bypass it just with flaws in GUI provided options, depending on how restricted things are. It seems to handle security in a black-list type of way, anything is allowed until it's been explicitly disallowed, and there's more than one way to access files on a computer.

However, I don't think the same applies to Vista and beyond.

Exactly. Viruses (at least most) attack vulnerabilities, perhaps ones that are not even known yet, so it does not matter what user you're running as. In a corporate environment patches usually take a long time to get applied due to all the red tape and crap, so even old ones will still work.

I'd be willing to bet that most viruses don't infect because of exploits, but because of dumb users. A user browses to a web site and clicks yes to whatever message pops up and gives the virus permission to infect the system.
I'd say it's very rare to a virus to just mozy through scanning ports (or whatever the attack vector is), find an open one, exploit a security hole, and infect a system, I'd bet 99% of the time, it's the user's fault.