
Non-Root-User

Posted: 11 Jan 2011, 04:13
by Rava
What about the idea of having a generic "non-root" user, and that this is the one starting X with KDE / Xfce / whatever, including a tutorial on how to "su" into root via the shell... like when one wants to use konqueror to activate modules...

My approach is: even when I run a Linux, and with the "always fresh" mode to boot, it is still better to not run everything as root, but to be only root when really necessary...


Sure... making it easy for the user, especially for newbies, is one thing, but we should not make the same mistakes that Microsoft made all these years, neglecting security to make things easier for the users....

Re: Non-Root-User

Posted: 11 Jan 2011, 06:47
by brokenman
This is an important point ... and a much debated issue. We will meditate on it and get back to you.

Posted after 16 minutes 11 seconds:
After short meditation (well a quick snooze actually) and a talk between 32/64 bit maintainers, we have decided to cast a poll for the answer. Please make your vote on the front page.

Re: Non-Root-User

Posted: 11 Jan 2011, 07:41
by Mithrandil
For module activation and similar you can write a script using sudo and configure /etc/sudoers to not ask for a password at all

Code:

user user=NOPASSWD:/usr/bin/activate *.lzm

This is a smaller security issue than running everything as root...
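
An added example, not part of the original post or the project's own code: a `*` in sudoers command arguments matches across spaces and slashes, so a rule ending in `*.lzm` covers more than a single module name. One way to narrow it is to grant sudo rights to a root-owned wrapper that checks the argument itself; the wrapper path `/usr/local/sbin/activate-module`, the user name `guest` and the module directory `/mnt/modules` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical root-owned wrapper, installed
# as /usr/local/sbin/activate-module (mode 0755, owner root).
# sudoers entry without wildcards (user name "guest" is an assumption):
#   guest ALL=(root) NOPASSWD: /usr/local/sbin/activate-module
# Assumption: MODULE_DIR is writable by root only, so a validated file cannot
# be swapped between the check and the call to activate.
MODULE_DIR=/mnt/modules

# validate_module DIR FILE
# Prints the canonical path and returns 0 only when FILE is a regular
# (non-symlink) *.lzm file located directly inside DIR.
validate_module() {
    dir=$1
    file=$2
    case $file in
        -*) return 1 ;;        # would be parsed as an option
        *.lzm) ;;
        *) return 1 ;;
    esac
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # Resolve both directories physically so ../ or a symlinked directory
    # cannot point outside DIR.
    want=$(cd -P -- "$dir" 2>/dev/null && pwd -P) || return 1
    have=$(cd -P -- "$(dirname -- "$file")" 2>/dev/null && pwd -P) || return 1
    [ "$have" = "$want" ] || return 1
    printf '%s/%s\n' "$have" "$(basename -- "$file")"
}

# Runs only when called with exactly one argument: sudo activate-module FILE
if [ "$#" -eq 1 ]; then
    module=$(validate_module "$MODULE_DIR" "$1") || {
        echo "activate-module: refused: $1" >&2
        exit 1
    }
    exec /usr/bin/activate "$module"
fi
```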

Re: Non-Root-User

Posted: 12 Jan 2011, 01:43
by Rava
Mithrandil wrote: For module activation and similar you can write a script using sudo and configure /etc/sudoers to not ask for a password at all

Code:

user user=NOPASSWD:/usr/bin/activate *.lzm

This is a smaller security issue than running everything as root...

You could also open just one TAB or one terminal as root and use activate there.

BTW, activate should not be executable by non-root users anyway, since they only would get error messages...


But... if I am not mistaken you can even use the hash of the password with some kind of trick to su ... but I kinda forgot how that went.

I actually use 2 scripts... one that changes the root password to a simple one so that I can login and / or su, the other one to restore root to its secure password that is more of a pain in the backside to use... and both scripts only use that password hash... and sure, they can only be run by root himself. (I configured all my slaxes to first use the weak root password, and once I am logged in, have started X as a normal user and have one terminal running as root, I "harden" the root password.)

I think that trick is quite okay, since I usually unplug the network cable, too, when I give root a weak password for a short time before I go back to giving him/her/it the strong one again...

The code goes like this:

Code:

echo 'root:$1$2$3' | chpasswd -e

$1$2$3 being the (here: fake) hash from /etc/shadow...

Sure.... I would love it if there were a way that this could be automated in a secure way, but so far a clever idea has not struck me.


...

I just hope I could phrase all that stuff in an okay way, sometimes I struggle with my English (not being my native tongue) when it comes to more techy stuff... :sorry: