Linked by Thom Holwerda on Wed 31st Mar 2010 14:41 UTC
As geeks, we're well aware of the importance of running as a normal user instead of as root (UNIX/Linux/BSD) or administrator (Windows). However, while this should be common knowledge to anyone reading OSNews, it's often hard to illustrate just how important it is - until now, that is. A report by BeyondTrust looked at how many security bulletins issued by Microsoft are mitigated by simply... Not running as administrator.
Thread beginning with comment 416226
RE: Not entirely...
by WereCatf on Wed 31st Mar 2010 16:15 UTC in reply to "Not entirely..."
WereCatf Member since:
2006-02-15

Honestly, most Linux distros enact the first user as the 'root' user too.

I am not aware of any such distro. I don't use that many distros though, but at least the one I use a lot, Mandriva, does NOT enact the first user as root. No, you always have to enter root password separately if you wish to install applications or do other similar system administration tasks, just as it should be.

Could you now then elaborate which distros actually do enact the first user as root?

Reply Parent Score: 6

RE[2]: Not entirely...
by darknexus on Wed 31st Mar 2010 16:30 in reply to "RE: Not entirely..."
darknexus Member since:
2008-07-15

Actually, I suspect what the OP meant is that all Linux and UNIX systems have the root user as the first user. It's always there, it has uid 0. That is the first user, there's no arguing that.
That being said, there's a critical difference between what XP and older did for admin versus what *NIX systems do. In the case of XP, any user marked as admin has *full* access to everything just as the first user, which is administrator, does. In *NIX, while the root user is the first user, the installers typically do one of two things. First, they disable the root user and the first account created has sudo privileges (e.g. Ubuntu and Mac OS X), or they make you set a root password and create a user without sudo privileges (e.g. OpenSUSE). Both of these have their advantages and disadvantages, but they do accomplish one thing evenly. That password prompt makes you stop and consciously decide to continue, rather than just letting your user do anything root could do.
With Vista and 7 the situation is slightly better, but only slightly. Administrator accounts do get prompted by UAC but, unlike limited user accounts, they do not get asked for a password. This means that there's no conscious decision involved, the click-through habit takes over and most users just click continue to get the dialog out of the way. If Microsoft revised UAC to always prompt for a password, we'd probably see a drastic drop in the number of stupid infections. It won't kill infections completely, but even just that split second is often enough to tell you that something's wrong and that greeting card you clicked on shouldn't be asking for your system password.

Reply Parent Score: 4
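
The two installer models described in the comment above (root locked with a sudo-capable account, versus a root password plus accounts without sudo) can be told apart from the account files. This is an added example, not part of the thread; the sample file contents are constructed, and the list of groups that grant sudo is an assumption.

```python
"""Classify a Linux account setup from passwd/shadow/group text."""

# Assumption: membership in one of these groups grants sudo. The real rule
# lives in /etc/sudoers and differs between distros and releases.
ADMIN_GROUPS = ("sudo", "admin", "wheel")

# Constructed sample files (hashes are placeholders, not real).
ROOT_LOCKED = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
    "shadow": "root:!:14699:0:99999:7:::\nalice:$6$SALT$PLACEHOLDER:14699:0:99999:7:::\n",
    "group": "root:x:0:\nadmin:x:115:alice\nalice:x:1000:\n",
}
ROOT_PASSWORD = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\nbob:x:1000:100::/home/bob:/bin/bash\n",
    "shadow": "root:$6$SALT$PLACEHOLDER:14699:0:99999:7:::\nbob:$6$SALT$PLACEHOLDER:14699:0:99999:7:::\n",
    "group": "root:x:0:\nwheel:x:10:\nusers:x:100:bob\n",
}

def rows(text):
    """Split colon-separated account-file text into lists of fields."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]

def audit(passwd, shadow, group, admin_groups=ADMIN_GROUPS):
    users = {r[0]: (int(r[2]), int(r[3])) for r in rows(passwd)}  # name -> (uid, gid)
    hashes = {r[0]: r[1] for r in rows(shadow)}
    uid0 = sorted(n for n, (uid, _) in users.items() if uid == 0)
    # A password field starting with '!' or '*' matches no password, so
    # password logins and `su` to that account fail.
    locked = [n for n in uid0 if hashes.get(n, "").startswith(("!", "*"))]
    sudo_users = set()
    for name, _, gid, members in rows(group):
        if name in admin_groups:
            sudo_users.update(m for m in members.split(",") if m)
            # Users whose primary group is the admin group count as members too.
            sudo_users.update(n for n, (_, g) in users.items() if g == int(gid))
    sudo_users -= set(uid0)
    root_locked = bool(uid0) and locked == uid0
    if root_locked and sudo_users:
        model = "root locked, sudo accounts"
    elif not locked and not sudo_users:
        model = "root password, no sudo accounts"
    else:
        model = "mixed"
    return {"uid0": uid0, "root_locked": root_locked,
            "sudo_users": sorted(sudo_users), "model": model}

if __name__ == "__main__":
    for label, files in (("ROOT_LOCKED", ROOT_LOCKED), ("ROOT_PASSWORD", ROOT_PASSWORD)):
        print(label, audit(**files))
```
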

RE[3]: Not entirely...
by Soulbender on Wed 31st Mar 2010 16:50 in reply to "RE[2]: Not entirely..."
Soulbender Member since:
2005-08-18

It's always there, it has uid 0. That is the first user, there's no arguing that.


Why would he mean that? It has absolutely no bearing whatsoever on the topic at hand.

Reply Parent Score: 3

RE[2]: Not entirely...
by SlackerJack on Wed 31st Mar 2010 16:57 in reply to "RE: Not entirely..."
SlackerJack Member since:
2005-11-12

He/she probably means distros like Slackware, Gentoo and ArchLinux which require the user to make a user account manually, since by default the user is root.

I've always said that Windows users right from XP should have been tutored into creating passwords and one for administrator from the installation.

All OEM machines should have been set up so that the user would need to set both passwords or some sudo equivalent, like Ubuntu has for example.

Reply Parent Score: 2

RE[3]: Not entirely...
by TemporalBeing on Wed 31st Mar 2010 17:08 in reply to "RE[2]: Not entirely..."
TemporalBeing Member since:
2007-08-22

He/she probably means distros like Slackware, Gentoo and ArchLinux which require the user to make a user account manually, since by default the user is root.


That is absolutely WRONG.

While I haven't run ArchLinux, neither Slackware nor Gentoo requires you to run as the root user by default. Anyone that does is out of their mind. Both communities suggest using su/sudo (just like every other distro) for doing admin stuff.

Reply Parent Score: 2

RE[2]: Not entirely...
by TemporalBeing on Wed 31st Mar 2010 17:06 in reply to "RE: Not entirely..."
TemporalBeing Member since:
2007-08-22

Honestly, most Linux distros enact the first user as the 'root' user too.

I am not aware of any such distro. I don't use that many distros though, but at least the one I use a lot, Mandriva, does NOT enact the first user as root. No, you always have to enter root password separately if you wish to install applications or do other similar system administration tasks, just as it should be.

Could you now then elaborate which distros actually do enact the first user as root?


Being the OP...

Distro installers always ask you to enact a password for root. That is the first user enacted during the installation.

After that, you can then add a normal user to use.

Reply Parent Score: 2

RE[3]: Not entirely...
by Thom_Holwerda on Wed 31st Mar 2010 17:12 in reply to "RE[2]: Not entirely..."
Thom_Holwerda Member since:
2005-06-29

Distro installers always ask you to enact a password for root. That is the first user enacted during the installation.

After that, you can then add a normal user to use.


Yes, but they don't make you run as root. That's a rather crucial difference.

Reply Parent Score: 4

RE[3]: Not entirely...
by WereCatf on Wed 31st Mar 2010 17:12 in reply to "RE[2]: Not entirely..."
WereCatf Member since:
2006-02-15

Of course distros ask you to set a password for root, but I am not aware of any distro which didn't also create a normal user account. Even Mandriva installation _mandates_ you to create a normal account, you can't continue installation without. And in no situation is the root user the default user; it doesn't log in automatically, it doesn't show up in GDM/KDM and so on.

That is very different from what you at first said.

Reply Parent Score: 3

RE[3]: Not entirely...
by lemur2 on Thu 1st Apr 2010 02:56 in reply to "RE[2]: Not entirely..."
lemur2 Member since:
2007-02-17

"Honestly, most Linux distros enact the first user as the 'root' user too. I am not aware of any such distro. I don't use that many distros though, but at least the one I use a lot, Mandriva, does NOT enact the first user as root. No, you always have to enter root password separately if you wish to install applications or do other similar system administration tasks, just as it should be. Could you now then elaborate which distros actually do enact the first user as root?
Being the OP... Distro installers always ask you to enact a password for root. That is the first user enacted during the installation. After that, you can then add a normal user to use. "

In most distros, one MUST add normal users to use.

The root account is there, but it is not normally used. Indeed, many Linux distributions' login managers will not allow root to log in. Users must first log in as normal users with limited privileges, and most of the time run applications as that normal user. Only when a system administrative change is required would one run something as root, and the user must supply the root password to become root in order to accomplish such tasks.

On Linux, users do NOT normally run as root.

Reply Parent Score: 3

RE[2]: Not entirely...
by umccullough on Wed 31st Mar 2010 18:08 in reply to "RE: Not entirely..."
umccullough Member since:
2006-01-26

Could you now then elaborate which distros actually do enact the first user as root?


Debian does... (at least, it does with Debian 5.0 and earlier)

During install, it first prompts you for the root password, and then prompts you for the "first" (second) user and that user's password.

Edit: Oh, you mean that it creates only *one* user at all... nah, dunno.

Edited 2010-03-31 18:10 UTC

Reply Parent Score: 2