Naïve question about root

[Denise Mangano <De...@complusdata.com>]

I know this is a naïve question, and slightly irrelevant to the newsgroup...

I keep getting told left and right not to work as root.  I heeded this
advice a while back and created a user.  Here is the thing.  My RH 7.3 box,
running Apache 1.3.27 & Tomcat 3.1.17 (no I haven't gotten them connected
with mod_jk yet:) ) is logged in as root.  But I work on my files through a
secure shell from my workstation, where I log in as the user I created.  Is
it not safe to leave my box logged in as root?

My concern is when people access my website can they somehow get into my box
and wreak havoc?  For example with my current setup people are accessing a
website hosted on a machine that is logged in with root access....   Is it
better that I sign in on the actual box as this created user only changing
login to root as needed or does the logon of the actual box not matter as
long as I am not messing around as root...?  If I should sign onto the box
as this user, how can I make sure this user has rights to Apache and Tomcat?
(as of right now this user has rights to execute java commands, but I am not
sure if there is anything special I need to do for apache and tomcat).  On a
side note is there anyway to create a user that has "almost" root access but
can't do the damage root can do?

Again naïve, but thought I would throw it out here anyway :) Thanks!!

Denise Mangano

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: Naïve question about root

[Alexander Wallace <aw...@rwsoft-online.com>]

You should not be as root all the time becouse root can do anything, and any 
little mistake could be desastrous, like running rm when you actually meant 
mv, or stuff like that.

It is safe (as far as someone sniffing your root password, or any other 
user's) to use ssh, but don't stay connected as root for the same reason 
above and also if someone else can phisically access your machine.

Running any service as root can be dangerous since the service has the same 
permissions as root. If the service has security flaws, someoune could gain 
the priviledges of the service and do whatever they want in your system. You 
ofcourse need that the service has those flaws and that people know how to 
explode them for this to happen. No reason to risk here.


On Tuesday 17 December 2002 13:53, Denise Mangano wrote:
> I know this is a naïve question, and slightly irrelevant to the
> newsgroup...
>
> I keep getting told left and right not to work as root.  I heeded this
> advice a while back and created a user.  Here is the thing.  My RH 7.3 box,
> running Apache 1.3.27 & Tomcat 3.1.17 (no I haven't gotten them connected
> with mod_jk yet:) ) is logged in as root.  But I work on my files through a
> secure shell from my workstation, where I log in as the user I created.  Is
> it not safe to leave my box logged in as root?
>
> My concern is when people access my website can they somehow get into my
> box and wreak havoc?  For example with my current setup people are
> accessing a website hosted on a machine that is logged in with root
> access....   Is it better that I sign in on the actual box as this created
> user only changing login to root as needed or does the logon of the actual
> box not matter as long as I am not messing around as root...?  If I should
> sign onto the box as this user, how can I make sure this user has rights to
> Apache and Tomcat? (as of right now this user has rights to execute java
> commands, but I am not sure if there is anything special I need to do for
> apache and tomcat).  On a side note is there anyway to create a user that
> has "almost" root access but can't do the damage root can do?
>
> Again naïve, but thought I would throw it out here anyway :) Thanks!!
>
> Denise Mangano
>
> --
> To unsubscribe, e-mail:  
> <ma...@jakarta.apache.org> For additional
> commands, e-mail: <ma...@jakarta.apache.org>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: Naïve question about root

[Ken Anderson <ka...@pacific.net>]

Denise Mangano wrote:
> I know this is a naïve question, and slightly irrelevant to the newsgroup...
> 
> I keep getting told left and right not to work as root.  I heeded this
> advice a while back and created a user.  Here is the thing.  My RH 7.3 box,
> running Apache 1.3.27 & Tomcat 3.1.17 (no I haven't gotten them connected
> with mod_jk yet:) ) is logged in as root.  But I work on my files through a
> secure shell from my workstation, where I log in as the user I created.  Is
> it not safe to leave my box logged in as root?

Do you trust the people who have access to your computer? Logging in as 
root over the network isn't recommended, since telnet logins are still 
pretty common, and sniffers can grab plain text passwords from the wire.

Running tomcat or apache as root isn't a good idea, since a minor 
security hole (we've seen dozens of them lately) can be a major problem 
if the user is root.

> My concern is when people access my website can they somehow get into my box
> and wreak havoc?  For example with my current setup people are accessing a
> website hosted on a machine that is logged in with root access....   Is it
> better that I sign in on the actual box as this created user only changing
> login to root as needed or does the logon of the actual box not matter as
> long as I am not messing around as root...?  If I should sign onto the box
> as this user, how can I make sure this user has rights to Apache and Tomcat?



> (as of right now this user has rights to execute java commands, but I am not
> sure if there is anything special I need to do for apache and tomcat).  On a
> side note is there anyway to create a user that has "almost" root access but
> can't do the damage root can do?

Check out sudo, it's probably available on your machine, and allows non 
root users to do some things (you define) as root.

> Again naïve, but thought I would throw it out here anyway :) Thanks!!
> 
> Denise Mangano
> 
> --
> To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
> 
> 
> 


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>