Is running as root a security risk?

[williwaw]

Y'know, Dima, despite that I've always appreciated your many contributions to the community over the years - along with being quite envious of your obvious talents - I think I'd hate to be you. At times, it sounds like your life must be one long joyless, soulless, dismal existence of being thoroughly suspicious of everyone & everything around you, ALL THE TIME. God, I know I'd get SO frustrated if that was me.... :o

This is NOT me having a go at you, rather somebody making an observation from far enough away to be able to differentiate the "wood from the trees". Don't you ever get fed up with it?

I know I would. I couldn't live like that all the time.

(*shrug...*)

Mike, In spite of your claiming you are not having a "go" at Dima, It comes off that way to me in an underhanded sort of way.
Thats a little over the top coming from a mod considering Dima has a lot of work into helping Puppy keep up with the times.

[mikewalsh]

@williwaw :-

(*sigh...*) Aye, you're right, of course. I'm having one of those "funny" days today.

I have no wish to offend any more of our community than those I already do. Especially not those who are really, really concerned about security...

Being a blunt-spoken, no-nonsense Yorkshireman means I have a nasty habit of speaking my mind. But it does seem to me that every time any of our community get enthusiastic about anything, Dima seems to come along and pour cold water all over it. I've seen it so many times. Anyway, I've edited that section out. Apologies all round.

Mike.

[ozsouth]

Mike, I agree it's rather gloomy. Sadly, that's our online world. Teams of call-centre folk in poor countries don't eat unless they can rip someone off & get a small slice of the ill-gotten gain. In my Fossa64-Mid (& Less), I compiled Busybox, Wget, Openssl & Curl, to TRY to increase security. There is only so much you can do. I found (like muggins) that the wrong timezone setting invalidates some certificates. Running a browser as spot & updating it regularly also helps. I use a Chromebook mostly, so although Google have my info, (probably) few others do. That's the price I pay for decent security. As dimkr alluded to, cutting off the likes of google to 'go alone' on security is fraught. That said, I still believe that a short session on an up-to-date Puppy, in ram only, is fairly safe.

[williwaw]

came to Puppy to get away from all that nonsense.

the implementation of sudo combined with making it diffucult to log on as root is very annoying.

finding an easy way for the user to be logged on as root and also as an unprivileged user at the same time only when the user is physiscally present at the machine shouldnt be that hard or inconvient.

[Grey]

@rockedge @mikewalsh
He (@dimkr) meant that you just don't know about the fact of hacking. A hacker came in, looked at your porn collection, read your diaries... then he shrugged his shoulders, whispered "Gee," and quietly left. According to this version, it was a "white hat" that didn't steal or break anything. That's why dimkr asked you to specify the monitoring tools, although he knows perfectly well that there were none and everything was determined "by eye"

[mikewalsh]

@ozsouth :-

Nah. The point's well-taken, Oz.

I know I perhaps went a bit OTT in my 'rant'. But honestly, "sudo this" & "sudo that" used to drive me up the wall under Ubuntu. And the funniest bit was, if you dared to mention this on the Ubuntu Forums you were slapped-down in fairly short order - HARD - and made to feel a raw beginner for daring to question those upon their ivory towers that oh! so clearly knew much better than I.....

Hell, I know there's no malice intended in Dima's posts. He's just being realistic, of course.....though I still hold to the imagery of "pouring cold water over everything"! It comes across to me like that, anyway. It paints an incredibly dim picture of anything to do with 'puters.....and makes you wonder why anybody would be daft enough to have owt to do with 'em in the first place!

Unfortunately, there's always that small percentage of individuals on this dirtball that seem to think everybody else owes them a free meal......so the rest of us have no option but to watch our backs.

------------------------------------------

Of course, things are done the way they are for good reason. 95% of Linux users are NOT geeks like me & thee. These folks are mostly 'refugees' from that 'other OS' ( ), who don't have the technical knowledge and almost certainly couldn't give a fig about what's going on "under the hood". As in Windows, they just want to switch the black magic box on & for everything to simply 'work', without any fuss. And most Linux distros have made huge strides to achieve just that paradigm.

Puppy is one of the rare exceptions to the rule. As a standalone, single-user system there's precious little point in trying to 'shield' its single user.......because that single user is invariably the admin as well. And he/she HAS to know the ins & outs of their system, 'cos there's no 'expert' in some hypothetical IT department who's going to take care of it for them....

But I still consider 'sudo' to be a double-edged sword, giving a very false sense of security. As well as being a complete PITA to have to work with!

Mike.

[rockedge]

although he knows perfectly well that there were none and everything was determined "by eye"

Wrong assumption, but you see that is classified information.

What I do to analysis my fiber optic coupler and router's traffic is no one's business. Why would you think that someone who operates web sites locally and remotely for 20 years is not equipped with port scan detection, and an ability to track and make sense of net traffic logs or if unwanted processes are running?

I thought the question was condescending. My son is a computer engineer responsible for cyber security at Deutsch Telekom and formerly AirBus so I can have recommendations when I need it

[Grey]

My son is a computer engineer responsible for cyber security at Deutsch Telekom and formerly AirBus so I can have recommendations when I need it

In this case, he cannot recommend you to use root, so that the question of his professional suitability does not arise at work. And @dimkr will tell you about traffic and hacking in the morning, I was just explaining to you his approximate logic

[rockedge]

@Grey I am perfectly clear on where dimkr is coming from. I like freedom of choice. Even still as the choices become slim and those who tell me what to do and when want more control and more conformity.

I really don't like being constantly told what I am doing wrong by people who feel and think they always know better.

[Grey]

@rockedge By the way, today many of my compatriots are happy. Because "Russian hackers" (not proven) hacked the state websites of Latvia. But there is not much to be happy about, because this triggers a chain reaction and a series of "retaliatory measures".

[wiak]

But I still consider 'sudo' to be a double-edged sword, giving a very false sense of security. As well as being a complete PITA to have to work with!

Perhaps sudo (and similar techniques) does give a very false sense of security. But my point would be that most of the time we are not using sudo anyway - not doing any admin work at all.
I do find running a desktop as root user very convenient too of course, and I do it a lot also (partly from habit). On some machines, such as those critical for a business, I have no doubt that I shouldn't though.

Mike, I agree it's rather gloomy. Sadly, that's our online world. Teams of call-centre folk in poor countries don't eat unless they can rip someone off & get a small slice of the ill-gotten gain.

And it has become big business. Maybe would be fine running as root if just using computer to run games or watch pornography, which Grey cites as typical use. Only issue there, is that computer games is huge money-earning business nowadays, comparable perhaps with pornography, and don't you think such activities encourage mafia-type involvement and more likely hacking attempts involving specially tailored websites???!

I don't myself find running the occasional sudo type of command a major pita, but certainly find it annoying sometimes (and inconvenient) when a download, for example, fails to save because the user doesn't have sufficient permissions to the resource media. The inconvenience then becomes needing to take extra time using the likes of chown -R to that media or some other similar permissions adjustment, but that can be really annoying unless the system is carefully designed to make such matters simple.

For me, therefore, being able to autologin as 'either' a normal user or root user is helpful overall. Choice being a good thing. As ozsouth also said, running as root for a short time only is clearly less dangerous anyway; doing the likes of internet banking after hours at root user desktop is more likely to give trouble - just a matter of time in terms of statistics, depending on likelihood of someone being interested to target you. But problem is that many of us do tend to stay logged in for hours at a time so the window of attack opportunity is then pretty wide.

I also, however, would agree that we don't want all distros to become so similar they are pretty much 'the same', but that shouldn't mean that some traditional aspects of a distro can't be altered to provide extra choice/security in operational approach. I'd continue to use both approaches: sometimes running as root user, sometimes running as normal user.

[Grey]

But getting back to the topic. What exactly is root most dangerous about? By external influence in the person of a hacker, or is the user himself (who can do EVERYTHING) dangerous first of all?
If the latter, can an experienced user be considered a threat neutralization?

Maybe would be fine running as root is just using computer to run games or watch pornography, which Grey cites as typical use.

Absolutely typical Computers have evolved thanks to these two typical things.

[tammi806]

THERE IS A RISK.

So for banking and other sensitive personal use a better choice is to use a Linux distro that is not running as root user.

Would this be correct.

[dimkr]

But getting back to the topic. What exactly is root most dangerous about?

root can do things like infecting your firmware, MBR or boot loader with malware, and that can be harder to detect or remove.

[dimkr]

And now the most prominent of our current developers want to make Puppy into a boring clone of every other identical distro out there..?

If that's a question, the answer is "no". If this is not a question, I wonder what makes you think that way, because the latest Puppy release allocated its own forum (Bookworm Pup64) doesn't look or behave like Debian.

[fredx181]

THERE IS A RISK.

So for banking and other sensitive personal use a better choice is to use a Linux distro that is not running as root user.

Would this be correct.

Or run an app as normal user e.g. spot run-as-spot <mybrowser>

[ozsouth]

Headline just now in Oz:

Russian ransomware gang AlphV targets ... firms in latest string of attacks.
AlphV claims to have stolen at least 4.95 terabytes of data, which it has threatened to publish.

... were all clients of ... who confirmed his company was the victim of a cyber-attack.
"We've communicated with all of our clients about the attack,"
"We're not really aware of what information has been compromised … it's not our data so we don't know."
... has since regained control of its systems after shutting down access to all affected accounts, resetting
login details for administrators, resetting client passwords and hiring forensic cybersecurity specialists.

Internet is risky. Mass data theft & disruption happens. Fallout is ????

[dimkr]

Internet is risky.

So is life, in general. You eat well, maintain your hygiene, exercise and get good sleep to reduce health risks, monitor your health regularly and buy health insurance to make your life easier if something bad happens. To reduce your exposure to cyber security risks you should do something similar (consume only software without bad track record of causing security issues, remove old and unmaintained software that's exposed to the network, set up monitoring and check your logs ...). Big organizations also buy insurance

[rockedge]

The city that borders the one I live in had it's hospital (a well respected, highly rated institution) get caught up in a ransom ware attack. The majority of the hospital's data suddenly encrypted and a price to pay to get the cipher key. They had good backup habits fortunately and could restore the system without paying the ransom but the recovery took many months and caused quite a turmoil. Apparently not a direct network hack but began with an email that had an attachment that was a script that pulled in several stages of payloads and then eventually had all the pieces in place to allow the malicious program to encrypt the storage mediums.

Several school systems and a few companies also had suffered from ransomware attacks also triggered by email attachments in the state of Connecticut.

Very early in the 1990's I read this book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage and remembering watching some older students in my high school's computer club in 1976 easily login to a bank's new computer in New Haven, CT which was also a PDP-11/70, it was clear that security was a thing. Got me to read more ("Hacker") and followed the exploits of Kevin Mitnick and Karl Koch along with the Chaos Computer Club from Hamburg, Germany and their famous Digital Equipment Corporation break in to actually change the operating system source code at the factory to add in the very famous "login/logout patch" that shipped included in DEC's operating systems.

Computer security has been a "thing" for a long time.........

[wizard]

@tammi806

So for banking and other sensitive personal use a better choice is to use a Linux distro that is not running as root user.

Not necessarily. With any Linux, the longer the system is on and connected to the internet, the greater the chance it can be compromised.

Doing these things can increase security for financial transactions:

*run a newer version of Puppy (Bookworm Pup64 in your case)
*install Puppy to a USB flash drive
*enable Puppy firewall
*run a newer version of a web browser
*configure your browser to "harden" it against attack (settings are a little different for each brand)

Once you are satisfied with your settings use nicOS-Utility_Suite to save your changes into a SFS file (this will now be read only and will load automatically).

Finally, boot from this USB with no savefile (also referred to as "ram only"), and conduct your transactions.
When finished, shut down, DO NOT SAVE, and remove your USB.

wizard

[tammi806]

Or run an app as normal user e.g. spot run-as-spot <mybrowser>

I tried this and had no success. run-as-spot firefox-esr

I remember back when I first started using Puppy that there was a way to sign in or login to spot where can that be found.

@tammi806

So for banking and other sensitive personal use a better choice is to use a Linux distro that is not running as root user.

Not necessarily. With any Linux, the longer the system is on and connected to the internet, the greater the chance it can be compromised.

Doing these things can increase security for financial transactions:

*run a newer version of Puppy (Bookworm Pup64 in your case)
*install Puppy to a USB flash drive
*enable Puppy firewall
*run a newer version of a web browser
*configure your browser to "harden" it against attack (settings are a little different for each brand)

Once you are satisfied with your settings use nicOS-Utility_Suite to save your changes into a SFS file (this will now be read only and will load automatically).

Finally, boot from this USB with no savefile (also referred to as "ram only"), and conduct your transactions.
When finished, shut down, DO NOT SAVE, and remove your USB.

wizard

What you are suggesting isn't that similar to running as live version in ram as PUPMODE=5 with the changes to harden the browser.

[dimkr]

You can reduce risk of persistent malware even further if you boot with pfix=ram or pfix=copy, let it copy everything to RAM and unplug the flash drive before you connect to any network

[Grey]

So is life, in general. You eat well, maintain your hygiene, exercise and get good sleep to reduce health risks,

But in the end, the result is always the same

Russian ransomware gang

Why a gang at once ? There may be an initiative group of caring enthusiasts who wanted to show the vulnerability of infrastructure and in general the meaninglessness and frailty of human existence.
It sounds much better this way

[dimkr]

But in the end, the result is always the same

So why don't you just give us your credit card info, your browsing history and all your cookies now?

---

Booted a clean VM with the top option offered in puppylinux.com, "FossaPup64 9.5", and this is what I see:

This is why the general recommendation of running the browser as spot isn't good enough. I can recommend only a Puppy where this simple test results in "permission denied"

[Grey]

So why don't you just give us your credit card info, your browsing history and all your cookies now?

Because I'm more of a philosopher than an idiot

[fredx181]

I tried this and had no success. run-as-spot firefox-esr

Mmm.. don't know about EasyOs (as you probably use), what is the "no success" message ?

[tammi806]

I tried this and had no success. run-as-spot firefox-esr

Mmm.. don't know about EasyOs (as you probably use), what is the "no success" message ?

The no success message is when I enter

Code: Select all

run-as-spot firefox-esr

in the terminal nothing happens.

I use Easy OS also.

[fredx181]

I tried this and had no success. run-as-spot firefox-esr

Mmm.. don't know about EasyOs (as you probably use), what is the "no success" message ?

The no success message is when I enter

Code: Select all

run-as-spot firefox-esr

in the terminal nothing happens.

I use Easy OS also.

Strange, there should be some error message in terminal, I think.
Perhaps you don't have one of the two, or not both, check with;
which firefox-esr
which run-as-spot

[tammi806]

My output

Code: Select all

# run-as-spot firefox-esr
# 

I tried to do a screenshot but i can't seem to get it to work.

I don't know anymore sure seems like Puppy's ain't like what I remember them to be as I don't recall ever having these kind of issues with the older Puppy's.

[tammi806]

I think I'm just going to stay with using Easy OS.
I install it and it works OOTB.
To update Easy OS I click on the update icon on the desktop.
I just ain't got the patience for all of this anymore.
I'm an install and use type of user.

I really appreciate the help and replies but just more than I want to deal with at my age.

Thanks again.