Running as root 6762

Erik Funkenbusch

Is that a money back guarantee? Because Office insists on writing into program files. You can make it run as a normal user, but requires some fiddling with file system permissions, and you have to allow writing into directories under program files, which sort of defeats the point of running as a restricted user.

And since I'm the guy in IT setting the machines up, I know how they were configured. And this is one step I always have to take; allowing a restricted user to write places no sane software should be writing in the first place. But in the windows world, sane software packages are few and far between.

I'm getting ready to start working on an Office 2k to XP upgrade, so we'll see if this has been fixed. Somehow, given that MS consistently demonstrates that they are still very single-user-workgroup focused (or maybe just can't figure out anything beyond that), I'd doubt it. But you never know.

My experience shows otherwise. Since I trust you as far as I can throw my house, I'll rely on that, rather than anything you say. The problem, of course, is that much software buttumes that the user will have full write access to the local disk.

I don't follow anything he says, but if he advocates such a practice, then yes. And since I consider Linspire to be a rather poorly designed distribution (where a normal user runs as root), well, there ya go. I much prefer K-Ubuntu's way of doing things, where a user can't even login as root by default. K-Ubuntu is now my preferred distribution, for this and many other reasons. What I'm usually stuck using is RHEL though.

OK... Is that our DR 101 lesson for today?

Well, I don't have any "single user machines". But even for those, there's no such thing as being overly paranoid about security. The only exception to this would be if required core functionality is disabled. Being able to just fire off synaptic (or whatever a given distribution uses to install new packages) without entering a pbuttword does not qualify. And I don't like users installing patches until the patch has been vetted.

And, of course, if you're running as root-administrator, it makes it much easier to get malware on a box. That's sort of the point; defense in depth. I make it as hard as possible at every point for any nasties to get to a users machine, and for those that do, make it as hard as possible for them to actually execute. But at the same time, I always try to balance this so that users see as little of it as possible. And that's the point here Eric: keeping the nasties off the box in the first place, not worrying about it afterward. Of course, finding out that "you're f***ed" seems to be a common part of the XPerience.

So far, I've managed to dodge the bullet. But I also know that at some point, I'll miss something, or be one finger short of plugging the leaks in the dike, and I'm going to get hit, and it's probably going to be very, very bad. I also don't make any buttumptions about whether the break in will come from the windows side of my networks, or the *NIX side. I just know I dread that day.

Bah... you're another one that doesn't get it. But I knew that already.

-- Ignorance is a condition. Stupidity is a way of life.