[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rwxr-xr-x /root

On Sat, Nov 11, 2000 at 06:58:48PM -0500, Andres Salomon wrote:
> Of course, then there's the fact that there's really no reason for root
> to HAVE files; others may disagree w/ me, but honestly, why would you
> need to?  You should be doing things like compiling tarballs as a normal
> user, and sudo'ing to make install.  The only files that would be owned
> by root would be in places other than /root and /home.  Of course, if
> you're not using sudo, and regularly logging in as root, then you're
> probably not too concerned with security to begin with..

The files I keep under /root are mainly system-specific stuff, such as
upgrade logs, uninstall information for stuff I install by hand, backups
of various custom-made system scripts and config files (automatic
packaging systems aren't perfect, y'know, sometimes they trash your
custom-made files). No reason anyone other than root should want to read
these files, since the information is useful only for root.

As for compiling/installing... I *never* compile anything as the root
user. Never ever. The fact that makefiles can execute arbitrary commands
is reason enough to be paranoid. In fact, I don't even like building
.deb's as root -- fakeroot suffices. Only the actual installation of
.deb's are done as root, mainly 'cos there's no other way (currently) to
do it. :-) My main user account is in the group src, and /usr/src is sgid
src, so I do all compilation and testing that way. In general, I don't
like running complex programs as root, such as gcc, etc.. As far as
possible, I force daemons to run under their own dedicated uid.


He who sacrifices functionality for ease of use, loses both and deserves

Reply to: