Use of Root

Jerry Feldman gaf at blu.org
Mon Jan 31 17:01:20 EST 2005


On Monday 31 January 2005 16:35, karina.popkova at verizon.net wrote:

> I know there is an on-going argument on the
> privilege of using Root.
>
> If you are a System Admin, you do not
> want the User to have Root privileges.
> If you are a Heavy Duty User, you want
> access to root, for expediency.
>
> That argument aside, and assuming security is not
> an issue on a small closed network, (yes, I know
> that security is always an issue!),
>
> what are the kinds of things a User can do
> if having Root privileges, that makes his (her)
> job (daily life) easier in a Linux environment?

Let me start, but we have some experienced sysadmins on this list too.
First, all users should use their personal account for normal use, and use 
root privilege only when needed (on Unix, Linux, OpenVMS, et al.). 

I was hired to write a Unix device driver, but the system admin people 
refused to give me root privs on the machine I was using. After 6 weeks of 
negotiating, they relented, but then went to corporate security, and 
because I was a contractor, deemed that there had to be an employee to 
watch every keystroke I made as root. I had root privs in another location, 
so we shipped the board down to my location where I had root privileges.

In a corporate environment there are several dynamics. 
First there is the corporate network. The admin people have a responsibility 
to protect that network. In this case, only authorized people should have 
privileges on the network. 

On the local work station there are 2 opposing issues. The first is that the 
corporate IT people who are responsible for support want to keep these work 
stations at a known level, and that can also prevent the loading of 
software that is against company policy. (The installation of a pirated 
version of MS Office, for instance, which is a liability issue).

By giving a person root privs, that person has much more flexibility. Note 
that my systems at work are running SuSE Linux 9.2 Professional with my 
personally licensed copy of Crossover Office and a corporate licensed copy 
of MS Office XP. But, if something happens on my system, I am responsible. 

In both cases, the workstation user may have some corporate assets, such as 
code, spreadsheets, documents, and other data. The IT people are 
responsible for some protection of that data. 

Going back to my war story, the IT people's argument was that it would be 
easier for me to undermine their network, and that I could change the root 
password, thus preventing IT from being able to do something on the 
machine. Both of these are valid points. With root privileges, I can easily 
run a network sniffer and attack the network from within. The second 
argument is valid when the IT people want to push an upgrade from a central 
location (such as a kickstart). 

So, it comes down to support, security, and data integrity. 
-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9


