Void's Forums

[Void Main]

As some of you know from past experience with me, I have on more than one occasion gotten into deep discussions regarding Viruses. I try to enlighten people on why viruses are not really a problem on Linux and UNIX and why I don't really ever see them becoming a problem.

Well it happened again. :) Towards the end rather than going through my usual speech of several pages I decided to save some breath and do a search for someone elses take on it. I found this which is pretty much bang on in my humble opinion. Thought you may enjoy reading it. The other rants on that page are good reads as well.

Don't waste your money on AV software for Linux, unless you are using it to check/clean Windows viruses on Samba shares. I don't have to even do that because I no longer use Windows in any form, but I digress.

[Tux]

My God, I read the 'Well it happened again' link. Grr it made me cringe, I can't stand stupid people. And stupid AND stubborn people just drive me over the edge. How that guy could try and argue without even having an idea of what a virus actually is, well that's beyond belief.
Anyway, I hope while he'sin his happy AV software bubble his outdated version of Apache and bind get hacked and he loses all his contracts for being inept.
Keep on fighting 'em void!

[Void Main]

Well, I wouldn't go so far as to call them stupid (on another web site I might, but not this one). :) Misguided or uninformed might be a more appropriate term. They just need to be guided onto the proper path rather than following the herd blindly.

[Tux]

Well, I wouldn't go so far as to call them stupid (on another web site I might, but not this one). Misguided or uninformed might be a more appropriate term. They just need to be guided onto the proper path rather than following the herd blindly.

Haha, i'm young, im quick to call people stupid. I'll be wiser when i'm your age (hopefully)

[agent007]

A quick question.....But what about the people who login as ROOT? A virus could attack and if the payload is deadly, then the system is toast correct? I think such people will require to use the Anti-Virus software....

rgds,
007

[Void Main]

A quick question.....But what about the people who login as ROOT? A virus could attack and if the payload is deadly, then the system is toast correct? I think such people will require to use the Anti-Virus software....

Uhhh, wouldn't it be much easier and cheaper for those people to just follow the rules and not log in as root? People who log in as root when they should be logging in as a normal user deserve what they get IMHO. That's why we need to keep pressure on companies like Lindows not to make Linux people stupid.

To be honest I can't remember the last time I actually "logged in" as root using Linux or any other UNIX. It's been a few years for sure. I just did two Red Hat 9 installs and on first boot I logged in with my normal user account that I created during installation. Sure I "su" periodically when I need to make a configuration change and if you run a graphical administrative app that requires root level authority it prompts you and you type in a password but that is MUCH MUCH safer than doing *everything* as root. And of course you have to be careful of what you run/install when switched to the root user using "su".

[agent007]

Thing is I always login as root, bcause of the fact that the normal user accounts are quite restricted....For example, if I login as a normal user, the "init 6" command dosent work......There are many other restrictions but I cannot think of them right now..

rgds,
007

[Calum]

why not just unrestrict those things you want normal users to be able to do?

i can't believe your answer to that is simply to compromise your entire computer by running as root! you might as well be using another popular (but more expensive and less open) "operating" system.

[Tux]

Thing is I always login as root, bcause of the fact that the normal user accounts are quite restricted....For example, if I login as a normal user, the "init 6" command dosent work......There are many other restrictions but I cannot think of them right now..

rgds,
007

Ever heard of sudo?

[agent007]

This sounds interesting!! How do I go about doing this guys? I'm on RH 8....Are them some Access Control Lists that I have to edit manually?

thanks & rgds,
007

why not just unrestrict those things you want normal users to be able to do?

i can't believe your answer to that is simply to compromise your entire computer by running as root! you might as well be using another popular (but more expensive and less open) "operating" system.

[agent007]

So, this means to sudo every executable in the /usr/bin folder? pls elaborate..

thanks,
007

Thing is I always login as root, bcause of the fact that the normal user accounts are quite restricted....For example, if I login as a normal user, the "init 6" command dosent work......There are many other restrictions but I cannot think of them right now..

rgds,
007

Ever heard of sudo?

[Void Main]

I have no problem running any of those commands and I wouldn't suggest sudo for all of them although sudo is great for certain situations. You need to get familiar with the "su" command. To do an "init 6" do this:

$ su -
Enter root's password
# init 6

Requiring a password is what makes Linux secure. You can set it up to not require a password (e.g. sudo) but you give up some security when you do this. Please, for me, do not log in as root. Bad agent007. :)

On a side note, why are you doing an "init 6"? I do this to reboot a remote system but for a local desktop where I am logged on graphically there is a "restart computer" option when you log out or when you are at the graphical login it's on the menu at the bottom of the screen. If you are using the graphical environment it would be better to be logged out when you reboot anyway. Yes if applications behave properly they should shut themselves down properly when signalled but it's generally better to have things shut down when you reboot your machine.

[agent007]

Thanks for the info VoidMain....My desktop environment is Window Maker...I like it b'cause of the great flexibility it offers for editing the menus and apart from that it's sooooo lightweight.

So, if I run an application from the menu, how is it possible to su? I mean, the application will be executed directly from the menu, wherein the path to the executable is specified...

The su will work only via the prompt correct?

thanks,
007

[Void Main]

Give me an example and I'll try and help you out. Red Hat does this with all of it's graphical administrative tools. You click on an admin tool and it will pop up with a root password box before it runs, and when it does run it runs as root.

It does this with a program called "consolehelper" which is part of the "usermode" package. I believe this package was written by the Red Hat guys but I also believe it to be a fairly standard package on most every Linux distro. It is very easy to add an application that you need to run under root.

$ man consolehelper

Say you want to start a konqueror file manager as root from your normal user desktop and you want to be able to just add it as a menu item or ICON on your desktop. What I do is first create link in /usr/bin to consolehelper with the name I want to use to start the program (konqueror-root might be a good name):

$ su -
# cd /usr/bin
# ln -s consolehelper konqueror-root

Now I create a text file called /etc/security/console.apps/konqueror-root that contains this:

Code: Select all

USER=root
PROGRAM=/usr/bin/konqueror
SESSION=true


I'm not sure if this "/etc/security/console.apps" directory is the same on all distros, I would guess not. Also, look at the other files in that directory and make sure they are set up similar to my example above. The last thing I need to do is create a /etc/pam.d/konqueror-root:

Code: Select all

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       required     pam_stack.so service=system-auth
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
account    required     pam_permit.so


Actually if you look in /etc/pam.d you might see the names of other programs in there. You can just copy one of them to the name of your program in the same directory.

Now if everything goes right at a shell prompt you can type:

$ konqueror-root

and it will pop up with a graphical password box asking for root's password. If you type it in properly it should bring konqueror up running under root's ID and in root's home directory. If all works then add "/usr/bin/konqueror-root" to your menu or desktop ICON. When you click it it should prompt you for root's password.

Just follow the same example for any program you want to run as root from a desktop icon without giving up too much security. It's better to give up a little security here and there and only when you need it rather than just throwing your hands up and saying there's no point in even trying.

Now, when you absolutely have to run a command as root from another ID without a password, or for allowing other users who do not have root access to be able to run selected programs as root, then "sudo" is the proper command. But I always at least try to find another solution first and use "sudo" as a last resort. In fact I try and set things up so I don't have to "su" all that much period. The fewer things that need root access the better. Good file system security is also very important.

And of course you can run any command directly at a shell prompt without any configuring necessary as root just by using "su":

$ su - -c "konqueror"

[agent007]

WOW! Thats a lot of stuff I wasn't aware of VoidMain...Guess these Official RedHat are totally useless..Coming back to the point, from what I understood so far, (pls correct me if I'm wrong)

1) The consolehelper is used to authenticate root users via the GUI

2) SU is used to authenticate root users via a terminal, command prompt.

Also, how can the password for certain progs like KPP be disabled alltogether via consolehelper?

thanks,
007