root vs. user vulnerability data plus question


irlandes
11-24-2003, 05:37 PM
There is a lot of heat directed towards anyone who logs in on his own computer in root. One of the reasons, which I had assumed was correct, was the increased vulnerability in root when you are, for example, always on.

I have a Dell Laptop Inspiron 2650 and use Mandrake 9.1, dual boot with XP. I have not changed security from the install default option.

I connected the other day to www.grc.com, and ran a Shields Up test. User had all ports through 1055 stealth, except port 113, which was closed.

Root was identical.

Neither would respond to pings.

By the way, I tried XP, and the only thing I have done to it was install the patch which fixed Worm Blaster, and it had 1025 OPEN and 5000 OPEN. There were a very few which were stealth: 135; 137; 138; 139; 179; 445; and 593.

All others were there but closed. It accepted pings.

Anyway, I am curious. If all ports are stealth or closed, how can root be vulnerable to attack over cable or DSL or whatever?

I do not need an in-depth answer. Even a basic summary, or something like that, should let me look for stuff in google. At this point, I don't even know what to look for. Thanks for any tips.

I want to find out how to make that port 113 stealth, but don't know where to start searching for that.
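The Shields Up labels "closed" and "stealth" describe how the host answers an inbound connection attempt, and nothing else. As an added illustration (this is not code from the thread or from GRC), the Python check below reproduces that distinction for a single TCP port on a host you administer: "open" means the handshake completed, "closed" means the host sent back a reset, "filtered" (GRC's "stealth") means nothing came back before the timeout. The helpers that start a loopback listener and pick an unused port exist only so the example can be run offline against 127.0.0.1. Note what such a scan cannot see: a program that makes outbound connections (an IRC client, a browser) never shows up in an inbound scan, whether it is running as a user or as root.

```python
import socket
from contextlib import closing


def classify_tcp_port(host, port, timeout=1.0):
    """Return "open", "closed" or "filtered" for one TCP port.

    open     - three-way handshake completed: something is listening
    closed   - the host answered with RST (Shields Up reports "closed")
    filtered - no answer within the timeout (Shields Up reports "stealth")
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            # Kernel received a RST: the port is reachable but nothing listens.
            return "closed"
        except (socket.timeout, TimeoutError):
            # Silently dropped (firewall DROP rule or unreachable host).
            return "filtered"
        except OSError:
            # Network unreachable etc.; from the scanner's view, no answer.
            return "filtered"
        return "open"


def start_listener(host="127.0.0.1"):
    """Helper for the demo: bind an ephemeral port so there is an 'open' port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Helper for the demo: a port number with nothing bound, to show 'closed'."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Classify one listening port and one unused port on loopback."""
    srv, port = start_listener()
    try:
        results = {"listening": classify_tcp_port("127.0.0.1", port)}
    finally:
        srv.close()
    results["unused"] = classify_tcp_port("127.0.0.1", free_port())
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

A "filtered" result cannot be produced against loopback without a packet filter in place, which is why the demo only shows the other two states; on a host behind a default-DROP firewall, the same function returns "filtered" for every unused port, which is exactly what the Shields Up "stealth" column reports.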

SuperNu
11-25-2003, 11:25 AM
Running as root might not be bad from a networking standpoint, but from a local standpoint, it is a bad idea. Say for example you wanted to remove a directory foo located at /foo. If you typed in rm -rf / foo, you would wipe out your disk. Now, if you did that as a normal user, you would only harm your home directory and anything else you have access to.

--SN

Hayl
11-25-2003, 11:49 AM
If you are in irc or browsing the internet as root then you are vulnerable if some hack/security hole is exploited.

hlrguy
11-25-2003, 11:56 AM
http://justlinux.com/forum/showthread.php?s=&postid=657101

There are quite a few threads on this.

hlrguy

nextbillgates
11-26-2003, 12:22 AM
Anyway, I am curious. If all ports are are stealth or closed, how can root be vulnerable to attack over cable or DSL or whatever?

You have a fundamental misunderstanding of multi-user operating systems.

The purpose of running as a restricted user rather than as a super user is to protect your computer from accidental damage. A popular favorite is rm -rf / directory, but malicious scripts and binaries, as well as other people using your computer when you step away for a minute are all dangers that can be greatly reduced by running as a restricted user.

Also, running as a restricted user limits your access to your own home directory, so you're less likely to save your crap all over the drive.

This also applies to Windows, in case you were wondering.

Gertrude
11-26-2003, 02:49 AM
Let's say you're logged in as root using X-Chat to talk in irc, using gaim, or maybe have an Apache server running as root. If that application is running with root privileges, and happens to get exploited, it can then be possible to execute code with root's rights on that machine. Once that were to happen the attacker could cause all kinds of havoc like create additional user accounts on the computer, infect it with a Trojan or some kind of backdoor, get personal information, attack other computers etc.


It also creates a higher risk of general user error. Run as root if you must, but I personally think that having a separate user account for general use is a good habit to get into.
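The point in the post above, and the `rm -rf` argument earlier in the thread, both come down to one fact: the kernel's permission check is skipped entirely for uid 0. As an added illustration (not code from any poster), the Python model below implements the traditional Unix discretionary access check and applies it to a constructed list of file metadata typical of a desktop install; the paths, modes and the group id 42 standing for the "shadow" group are all assumptions for the demo. `blast_radius` lists what a compromised process could overwrite, and `can_unlink_in` shows that deleting a file depends on write and search permission on its directory, not on the file itself (sticky-bit directories such as /tmp are not modelled). The same bug in the same IRC client therefore reaches /etc/shadow and /etc/fstab only when the client is running as root.

```python
import os
import stat
from collections import namedtuple

# Constructed metadata: (path, permission bits, owner uid, owner gid)
FileMeta = namedtuple("FileMeta", "path mode uid gid")

SAMPLE_FILES = [
    FileMeta("/etc", 0o755, 0, 0),
    FileMeta("/etc/passwd", 0o644, 0, 0),
    FileMeta("/etc/shadow", 0o640, 0, 42),      # gid 42 assumed to be "shadow"
    FileMeta("/etc/fstab", 0o644, 0, 0),
    FileMeta("/usr/bin/xchat", 0o755, 0, 0),
    FileMeta("/home/alice", 0o755, 1000, 1000),
    FileMeta("/home/alice/.bashrc", 0o644, 1000, 1000),
]


def _class_bits(f, uid, gids):
    """Select the owner, group or other triplet that applies to (uid, gids)."""
    if uid == f.uid:
        return (f.mode >> 6) & 0o7
    if f.gid in gids:
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def can_write(f, uid, gids):
    """Classic DAC write check. uid 0 bypasses the mode bits completely
    (on Linux this is the CAP_DAC_OVERRIDE capability root holds)."""
    if uid == 0:
        return True
    return bool(_class_bits(f, uid, gids) & 0o2)


def can_unlink_in(directory, uid, gids):
    """Removing an entry needs write (create/delete entries) and search
    (traverse) permission on the directory; the file's own mode is irrelevant."""
    if uid == 0:
        return True
    return _class_bits(directory, uid, gids) & 0o3 == 0o3


def blast_radius(files, uid, gids):
    """Paths a compromised process running as (uid, gids) could overwrite."""
    return [f.path for f in files if can_write(f, uid, gids)]


def blast_radius_current_process(files=SAMPLE_FILES):
    """Same check for whoever is actually running this script."""
    gids = set(os.getgroups()) | {os.getegid()}
    return blast_radius(files, os.geteuid(), gids)


if __name__ == "__main__":
    print("as alice (uid 1000):", blast_radius(SAMPLE_FILES, 1000, {1000}))
    print("as root  (uid 0):   ", blast_radius(SAMPLE_FILES, 0, {0}))
    print("alice may delete files in /etc:",
          can_unlink_in(SAMPLE_FILES[0], 1000, {1000}))
    print("this process:", blast_radius_current_process())
```

Run as uid 1000 the model yields only the two entries under /home/alice; run as uid 0 it yields every path, which is the whole of the "root is more exposed" argument in one list. The check is a simplification (no ACLs, no immutable attribute, no mandatory access control), but it matches what a stock 2003 distribution actually enforced.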

irlandes
11-26-2003, 12:57 PM
Originally posted by Hayl
If you are in irc or browsing the internet as root then you are vulnerable if some hack/security hole is exploited.

You see, that is exactly what I am trying to research. I hope to find some clues so I can google more information, on what hack/security hole can exist when there are no open ports. Not the details, just the names or concepts so I know where to start.

irlandes
11-26-2003, 01:02 PM
Originally posted by SuperNu
Running as root might not be bad from a networking standpoint, but from a local standpoint, it is a bad idea. Say for example you wanted to remove a directory foo located at /foo. If you typed in rm -rf / foo, you would wipe out your disk. Now, if you did that as a normal user, you would only harm your home directory and anything else you have access to.

--SN

I am aware of that argument, and believe it is not an issue. I have repeatedly challenged those who believe this is why root should not be used for this reason, to run rm -f * in / and tell us what happens. If you are in user, and su to delete a file and make the same mistake, you will have the same result.

If you issue that command in user, and it won't work, you will obviously go to su and the result will be the same.

In any case, my question in this thread had to do with Web vulnerability, since these two things are not exactly the same. Note that others are claiming net vulnerability is the main argument.

I want to know what is right. I hate being wrong, and am trying to find out what is true, and what is linux hoax.

irlandes
11-26-2003, 01:14 PM
Originally posted by hlrguy
http://justlinux.com/forum/showthread.php?s=&postid=657101

There are quite a few threads on this.

hlrguy

I am well aware of this continuing discussion. I am here because I am trying to deal one at a time with the various arguments for never logging in as root. Failure of anyone to do a rm command in su and let us know what happens to their machine has me convinced they know this is not an argument against root. If you try to make a mistake in user, and then you su, that same mistake will equally destroy your machine.

This thread came about because I checked ports in root and user to see just how much more vulnerable root is online than user.
Shields Up gave identical results for both log-ins, which really surprised me. I know little about Web security issues of this type, and need a handle to start with. Thus, I started this thread to try to find out at least a vague idea how stealth and closed ports can be used to destroy your machine.

I still do not doubt that anyone who can break into your machine, can use root powers to wipe you out. That may not be true, but I have as yet no basis for doubting it. So, I have narrowed my study to how they get into stealth and closed ports, leaving the other root vulnerability claims as separate issues.

On the general root vulnerability thread, someone said there were URLs which if you go there in root, it will wipe out your machine. I have an old machine which is ready for a later version, and I asked for those URLs so I can see for myself, and I will report the results. I am waiting.

I want to know the truth. I hate being wrong, and if you guys are right, I want to prove it. This is common in those folks who are attracted to linux, and I think it is time to stop repeating root vulnerability platitudes and come up with hard data. It's the linux way.

hlrguy
11-26-2003, 01:19 PM
http://www.helpdesk.umd.edu/topics/security/136/
'You should under no circumstances ever use IRC chat while running as root. IRC opens up a lot of security holes that can be exploited if you are running as root. Also, many IRC's will not let you access them if you are running as root user.'
'You should never su to root over a telnet connection. Since telnet does not use any sort of encryption, this will send your root password over the network as plain text and can be obtained by anyone monitoring the network. If you need to have root access remotely, please see our page on Installing Secure Shell.'

If you are on IRC, then your firewall port for that service must be open. If you telnet over the internet, then your telnet port is open.

On the application as root front.
http://www.polarhome.com:793/manual/xsane-0.89/xsane.ROOT
'A: 1) It does not matter if you are the only user on your system. There still is a big security problem also in this case. When you run XSane as root then XSane has permission to remove or change any file on your system. XSane is a really complex program and for sure there are still bugs that may cause an unexpected behaviour like removing or writing into files.'

Do you really want to learn that, when using RealPlayer, it cores and oops, your X11 session is no longer functioning because it didn't close the resources or corrupted the open files? Or that k3b has a bug that when running as root, when you select option x-z-b in that order, it accidentally messes up your /etc/fstab?

You can run as root, but it is not recommended, and you would be surprised to see, in this forum alone, how many people can't recover from
chmod -r 777 /
/* The entire partition tree */
instead of entering
chmod -r 777 .
/* Their picture archive */

hlrguy

irlandes
11-26-2003, 01:24 PM
Originally posted by nextbillgates
You have a fundamental misunderstanding of multi-user operating systems.

The purpose of running as a restricted user rather than as a super user is to protect your computer from accidental damage. A popular favorite is rm -rf / directory, but malicious scripts and binaries, as well as other people using your computer when you step away for a minute are all dangers that can be greatly reduced by running as a restricted user.

Also, running as a restricted user limits your access to your own home directory, so you're less likely to save your crap all over the drive.

This also applies to Windows, in case you were wondering.

What you are doing is what an earlier poster did, leaving the specific thread topic of Web vulnerability and going back to protecting idiots from themselves. I have been involved in those debates, and this thread was specifically to find out that specific thing, Web vulnerability. There are all sorts of arguments given against root log ins, and I am trying to verify or reject them one at a time.

I am reminded of a Criminal Justice research paper I did in college. It was alleged that marijuana turned you into a raging killer. I started looking for research to back that up, and couldn't find it. After that was eliminated, they claimed marijuana leads to hard drug use. After I debunked that with hard evidence, they claimed it affected your driving ability. Studies showed pot use had less effect than booze.

The final argument was that marijuana somehow destroyed your neurons. After that was debunked, the argument flipped back to marijuana turns you into a raging killer.

I am running into the same stuff on root. No matter what I ask, trying to find out the truth, the argument is changed to something else. I still suspect root is more vulnerable to Web attacks, but I have no clue how to research it.

(Note that I do not use pot. I don't even like my half aspirin a day. Drugs including prescription meds suck, and can even kill you. If I need to escape harsh reality, give me a chick.)

irlandes
11-26-2003, 01:37 PM
Finally! An answer. You can be sure I will attempt to follow your links.

You obviously know something about the issue, which is what I want to do. Most who discuss this issue merely repeat platitudes, and obviously know nothing about the issues. You do, and I appreciate it more than I can tell you. Cool!

Telnet and IRC are covered in your posting. Can regular URLs attack through the port you open to communicate? As I said, I want to hit some of them with an old computer before I reinstall, and I will dutifully report the results if and when I get any.

Originally posted by hlrguy
http://www.helpdesk.umd.edu/topics/security/136/
'You should under no circumstances ever use IRC chat while running as root. IRC opens up a lot of security holes that can be exploited if you are running as root. Also, many IRC's will not let you access them if you are running as root user.'
'You should never su to root over a telnet connection. Since telnet does not use any sort of encryption, this will send your root password over the network as plain text and can be obtained by anyone monitoring the network. If you need to have root access remotely, please see our page on Installing Secure Shell.'

If you are on IRC, then your firewall port for that service must be open. If you telnet over the internet, then your telnet port is open.

On the application as root front.
http://www.polarhome.com:793/manual/xsane-0.89/xsane.ROOT
'A: 1) It does not matter if you are the only user on your system. There still is a big security problem also in this case. When you run XSane as root then XSane has permission to remove or change any file on your system. XSane is a really complex program and for sure there are still bugs that may cause an unexpected behaviour like removing or writing into files.'

Do you really want to learn that, when using RealPlayer, it cores and oops, your X11 session is no longer functioning because it didn't close the resources or corrupted the open files? Or that k3b has a bug that when running as root, when you select option x-z-b in that order, it accidentally messes up your /etc/fstab?

You can run as root, but it is not recommended, and you would be surprised to see, in this forum alone, how many people can't recover from
chmod -r 777 /
/* The entire partition tree */
instead of entering
chmod -r 777 .
/* Their picture archive */

hlrguy

irlandes
11-26-2003, 01:50 PM
>>I do not know any professional system administrator who works all the time as root.

I agree with this, not from personal knowledge, but as a matter of principle. Those who have the strongest need to log in as root are the beginners, who simply can't deal yet with the constant su crap to do simple things. I used root only since 1999 (see my registration date) because I was almost exclusively experimenting and doing stuff to learn (actually I was not on that much because of constant travel, yesterday I drove 740 miles). I simply was not going to be constantly fighting with permissions to do those things.

Last spring, when I bought a new laptop, I decided I knew enough to start running as user. I can handle the occasional problem, or I can log out and log in long enough to do the job, then log in as user again.

I do think it is correct to teach beginners, the sort of thing in the previous posting with the links. But, be ready to give real explanations, not just repeat platitudes as usually happens. Give real data. And "protects you idiots from yourselves" is not a real convincing explanation. I had full admin powers on every computer I owned since 1980 and never once wiped out my system, nor any important files. You learned very young not to do rash things, and if you did, you didn't complain about it.

Protects you from Xsane bugs or k3b bugs is a POWERFUL argument! Root password visible to the world in IRC or Telnet is a POWERFUL argument. That's what newbies need to hear.

hlrguy
11-26-2003, 02:16 PM
I will try to dig up more security issues. There are some programs, such as X11, I believe that can't have the setuid bit set because of security flaws, and simply the access to libraries that could provide a user. On the IRC front, here is a link.

http://www.irchelp.org/irchelp/security/

I also have a recollection of some version of Netscape's use of the RealPlayer plugin allowing access to the client machine through the IP pipe that is set up between the server and your machine. The malicious cracker (don't know if it ever came to be, just a security advisory) could embed malicious commands into the stream and gain control of the computer. Might have only been windows? Anyone remember that? This was a direct way where 'surfing' as root could technically have compromised your machine.

hlrguy

l01yuk
11-28-2003, 05:46 AM
I didn't know URLs that delete your system were possible, but I do know that javascript can read files from your system, so it would be possible to create a page that reads your /etc/passwd and /etc/shadow files. Of course they would have to be able to log into your computer to make use of this.

Actually, there have been times when I have logged onto sites and have been told 'unable to update your computer' when I register for something. I guess that the website is trying to update some files on a windows machine and I suppose it should be possible to target the same type of thing at a linux box (assuming it is not vbscript of course). So logged in as root it could be possible to update any file from this type of page.

The problem with what you are asking is that it relies on bugs in programs and when they are found they are usually fixed pretty fast. You most likely need to look around to find old vulnerabilities found in web browsers and the like. If they allow the modification of files or anything like that then being logged in as root will be a problem.

irlandes
11-29-2003, 01:07 AM
I really appreciate the ongoing input. I am NOT trying to encourage anyone to log in as root, since I believe there are valid reasons not to do so. However, over the last 4 years (see registration date to know when I started on linux), there have been so many nasty things said, which I finally discovered are often deliberate lies. So, I am trying to sort out the valid reasons one at a time.

I am convinced that it is always wrong to tell lies to try to convince someone to follow your advice. If the truth doesn't do it, then it shouldn't be done. I am convinced in this case, the truth will be sufficient for most folks most of the time.

Just this week, on another JL forum, (the thread in technical was on logging directly into root with no password, behind a firewall with total backup) someone said he could give us some URL's which if you opened them in root, you would be sorry. I asked him for those URL's, because I have an old computer I can risk to see what he is talking about, and he admitted he knew of none, that he "(*cough*)" was trying to start people thinking about the risks. Not so. He was just lying. And, it wasn't the first time someone has (*cough*) lied trying to intimidate others not to use root instead of giving the sort of valid reasons supplied by several helpful folks on this thread.

I am on sort of a search to find the truth so hopefully it can be disseminated. And, I appreciate any help I can get, all the help I have already received. Thanks, l01yuk, that was very interesting stuff in the last posting.

So far, I haven't actually communicated with anyone who has suffered damage from being attacked via the internet while logged in as root, all comments have apparently been hypothetical or heard from someone else... Of course, if few use internet as root, that would be expected.