Non-Root-User

New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
User avatar
Rava
Contributor
Contributor
Posts: 5424
Joined: 11 Jan 2011, 02:46
Distribution: XFCE 5.01 x86_64 + 4.0 i586
Location: Forests of Germany

Non-Root-User

Post#1 by Rava » 11 Jan 2011, 04:13

What with the idea of having a generic "non-root" user, and that that one is the one starting X with KDE / XFCe / whatever, including a tutorial how to "su" into root via shell... like when one wants to use konqueror to activate modules...

My approach is: even when I run a Linux, and with the "always fresh" mode to boot, it is still better to not run everything as root, but to be only root when really necessary...


Sure... making it easy for the user, especially for newbies, is one thing, but we should not do the same mistakes that Microsoft did all these years, with neglecting security by making it easier for the users....
Cheers!
Yours Rava

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Non-Root-User

Post#2 by brokenman » 11 Jan 2011, 06:47

This is an important point ... and a much debated issue. We will meditate on it and get back to you.

Posted after 16 minutes 11 seconds:
After short meditation (well a quick snooze actually) and a talk between 32/64 bit maintainers, we have decided to cast a poll for the answer. Please make your vote on the front page.
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
Mithrandil
Power user
Power user
Posts: 29
Joined: 28 Dec 2010, 16:02
Distribution: Gentoo, PixieLive
Location: IT
Contact:

Re: Non-Root-User

Post#3 by Mithrandil » 11 Jan 2011, 07:41

for module activation and similar you can write a script using sudo and configure /etc/sudoers to not ask password at all

Code: Select all

user user=NOPASSWD:/usr/bin/activate *.lzm
this is a smaller security issue than run everything as root...
PixieLive developer www.pixielive.org

User avatar
Rava
Contributor
Contributor
Posts: 5424
Joined: 11 Jan 2011, 02:46
Distribution: XFCE 5.01 x86_64 + 4.0 i586
Location: Forests of Germany

Re: Non-Root-User

Post#4 by Rava » 12 Jan 2011, 01:43

Mithrandil wrote:for module activation and similar you can write a script using sudo and configure /etc/sudoers to not ask password at all

Code: Select all

user user=NOPASSWD:/usr/bin/activate *.lzm
this is a smaller security issue than run everything as root...
You could also open just one TAB or one terminal as root and use activate there.

BTW, activate should not be executable by non-root users anyway, since they only would get error messages...


But... when I am not mistaken you can even use the hash of the password with some kind of trick to su ... but I kinda forgot how that went.

I actually use 2 scrips... one that changes the root password to a simple one so that I can login and / or su, the other one to restore root to its secure password that is more a pain in the backside to be used... and both scrips only use that password hash... and sure only can be run by root himself. (I configured all my slaxes to first use the weak root password, and once I am logged in, have started X as normal user and have one terminal running as root, I "harden" the root password.

I think that trick is quite okay, since I usually plug out the network cable, too, when I give root a weak password for a short time before I go back to giving him/her/it the strong one again...

The code goes like this:

Code: Select all

echo 'root:$1$2$3' | chpasswd -e 
$1$2$3 being the (here: fake) hash from /etc/shadow...

Sure.... I would love if there would be a way if that could be automatized in a secure way, but so far a clever idea not struck me.


...

I just hope I could phrase all that stuff in a okay way, sometimes I struggle with my English (being no native tongue) when it comes to more techy stuff... :sorry:
Cheers!
Yours Rava

Post Reply