[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Root privilege (SOLVED)

On Thu, Jan 11, 2007 at 05:15:19PM EST, Douglas Tutty wrote:
> On Thu, Jan 11, 2007 at 03:15:51PM -0500, cga2000 wrote:

> > yes .. but what I'm really not too comfortable with is mostly the
> > non-granularity of privileges ..  I'll have to play with groups a bit
> > and see if this might provide better solutions.  Also do some googling
> > and look for those who went down that road before me .. see if they came
> > up with useful conclusions.
> > 
> What sorts of things do you find you need root for?  I use root (e.g.
> su - ) for these things only:
> 	install packages with aptitude:
> 		aptitude has the option of being run by a user then
> 		prompt for the root password when needed but then the
> 		user's extended package attributes are stored separatly
> 		than if root (or another user) runs it.  Until that
> 		problem is solved, I'll stick with running it as root.
> 	Edit config files:
> 	after both, run samhain -t update

I've tried tripwire in the past for similar purposes but found it rather
messy .. lots of false positives .. huge reports that I soon got into
the habit of deleting without looking at them.. Probably didn't spend
the time to read and understand the manual and configure it correctly.

I'll give samhain a look..  Looks promising.

> 	run my backup script since I end up tar.bz2ing stuff that I as a
> 	regular user can't read.
> 	Do anything with disks and partitions (check smart drive status,
> 	alter the LVM setup).

This is what root's recently been up to on my laptop:

· manually adjusting the system & hardware clock
· bouncing the network
· starting/restarting/stopping daemons
· adding "local" stuff to the /etc/rc.* boot scripts
· adding/removing test users
· resetting the wife's password
· running a password cracker
· running chkrootkit
· viewing logs
· accessing /var/spool/
· shutting down the system
· starting a vmware image
· starting my chroot etch install
· moving stuff to a fat file system
· looking for and deleting core files
· teaching myself the intricacies of cron
· loading/unloading modules 
· adding/removing software with apt
· kernel upgrades/reconfiguration (partially as root) 
· make-installing software compiled from source 
· running dpkg-reconfigure
· manually running updatedb
· sync'ing file systems
· renicing tasks
· changing file ownership/permissions
· adding an entry to the terminfo database
· running lilo
· mounting/unmounting file systems
· running backups
· creating/burning iso images
· system tools such as fdisk that may require root privileges 
· same for the network -- ifconfig .. ip .. tcpdump ..
· editing config files in the directory tree
· killing misbehaving processes
· changing root's password
· testing the OP's problem


1. It's well past midnight here so it's a bit late to bother structuring
   the above.  I think it mostly boils down to what you indicated with a
   few personal extras that you probably have no use for.
2. A significant number of tasks do not require root privileges .. some
   simple stuff such as adding /sbin to my $PATH .. adding myself to a
   couple of groups .. etc. would let me perform these at least in part
   under my regular account.  
   But then I'd have to think .. does this particular option or feature
   require root privileges .. ??  I don't want to have to think about
   such aspects.  I mean, I'm looking for clues in /var/log .. some logs
   are world-readable and others are not..  The problem I'm dealing with
   may be quite serious..  I am already in a foul mood .. Do I really
   need the additional aggravation of having to switch accounts while
   This is a personal decision and not the same thing as being sloppy.  
   Generally speaking, I happen to wear two different hats on this
   system ..  user and administrator.  In order to keep things separate
   I prefer to use two different accounts.  I have been doing this since
   I started playing with linux 6-7 years ago and I haven't had any
   problems so far.  Rule of conduct: If I have the slightest doubt
   about the outcome of what I plan to do after su'ing to root .. I
   don't do it.  
3. I have excluded some stuff from the above that was done in single
   user mode .. things like adding a partition .. fsck'ing file systems
   ..  moving the /usr/local tree to a separate partition .. etc.

4. my ultimate fantasy is to run a final "rm -rf *" under '/' and watch
   the dying throes of a linux system .. as soon as I can afford a new
   laptop and before giving the old one away to charity.  
   Or maybe much sooner, who knows...  Sh*t happens..


> Everything else I do as myself.  I wouldn't want anyone other than root
> doing any of that.

I think this last statement would make a rather nice sig.



Reply to: