Re: dangerous to leave root logged in?

From: Keith Keller (kkeller-usenet_at_wombat.san-francisco.ca.us)
Date: 03/29/05 

Date: Mon, 28 Mar 2005 17:43:20 -0800

IIRC you mentioned that you do not have this box on the network, so I'm
filtering my response through that. But I can't find that post now, so
either I'm hallucinating or I'm clueless. Either way, if I'm wrong
please correct me.

On 2005-03-29, hans_schulze98@yahoo.de <hans_schulze98@yahoo.de> wrote:
>
> There's a tool here that checks for updates and tells me which ones are
> out there (about 1 per day), what it updated and why. Every time it
> starts it hogs the cpu and disk for 2 minutes (rpm database or
> whatnot), and you have to stare at the screen for 2 minutes before it
> runs. Or you just leave it running (which I do).

Or you put it in crontab, pipe the output to a file, and read the file
as an unprivileged user. You run this job out of cron at 3am, or
whenever you expect there to be less of a load. (If I'm wrong, and the
box does have net access, some crond's can send the output to an address
not on the box.)

> There's some email sent to root about small things here and then. You
> can periodically log in to see if there's mail. Or you leave the mailer
> running (which I do).

Have root's mail sent to an unprivileged user. If you need multiple
people to share the mail, have it sent to each user, or create a dummy
account that's unprivileged. Look at /etc/aliases or equivalent. (If
you have the crond which can send mail off the box, you can use this,
too.)

> There's small jobs to do with changing config files or changing file
> permissions or moving files between accounts here and then. You can su
> each time. Or you leave a root xterm running.

Personally, I su each time. But I have configured my boxes so that I
seldom need root.

> And so on. Probably everything can be done with su/sudo per-command,
> probably even on a text terminal. It only takes twice as much typing.

I don't think it's twice as much. :) Once you've configured things so
that your mortal account can do most of the work, you hardly ever need
the root password. The hard part lies in configuring things so that
your mortal account can do most of the work. But when you do have a
fumblefingers, you'll either be glad that you did set it up this way, or
regret that you didn't.

--keith 

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information