Why is it bad to log in as root?


Solution 1

It defeats the security model that's been in place for years. Applications are meant to be run with non-administrative security (or as mere mortals) so you have to elevate their privileges to modify the underlying system. For example, you wouldn't want that recent crash of Rhythmbox to wipe out your entire /usr directory due to a bug. Or that vulnerability that was just posted in ProFTPD to allow an attacker to gain a ROOT shell.

It's just good practice on any operating system to run your applications on a user level and leave administrative tasks to the root user, and only on a per-need basis.

Solution 2

Just one word: security.

  1. You're logged in as root = all applications are running with root privileges -- every vulnerability in Firefox, Flash, OpenOffice etc. now can destroy your system, because possible viruses now have access everywhere. Yes, there are only a few viruses for Ubuntu/Linux, but it's also because of good security and the default unprivileged user.
  2. It's not only about viruses -- a small bug in an application could erase some system files or...
  3. When you're logged in as root, you can do everything -- the system won't ask! Do you want to format this disk? Ok, just one click and it's done, because you're root and you know what you're doing...

Solution 3

Running as root is bad because:

  1. Stupidity: Nothing prevents you from doing something stupid. If you try to change the system in any way that could be harmful you need to do sudo which pretty much guarantees a pause while you are entering the password for you to realize that you are about to make a possibly big/costly change.
  2. Security: It has been mentioned already quite a few times in this question but basically it's the same thing, harder to hack if you don't know the admin user's login account. root means you already have one half of the working set of admin credentials.
  3. You don't really need it: If you need to run several commands as root and you are annoyed by having to enter your password several times when sudo has expired all you need to do is sudo -i and you are now root. Want to run some commands using pipes? Then use sudo sh -c "command1 | command2".
  4. You can always use it in the recovery console: The recovery console allows you to try and recover from doing something stupid or fixing a problem caused by an app (which you still had to run as sudo :)) Ubuntu doesn't have a password for the root account in this case but you can search online for changing that, this will make it harder for anyone that has physical access to your box to be able to do harm.

The reason why you couldn't find information about why it's bad is because, well, there is way too much data on the internet :) and that a lot of people that have been using Linux for a long time think like you do. This way of thinking about the root account is fairly new (a decade maybe?) and a lot of people still get annoyed by having to use sudo. Especially if they are working on a server which means they went in with the intention to make system changes. Probably brought on from previous bad experiences and security standards most sysadmins know better but they still don't like it :).

Solution 4

This is a good question. I think the answer is slightly different depending on whether you're talking about a server or a desktop installation.

On a desktop, it is uncommon to use the root account. In fact, Ubuntu ships with root access disabled. All changes requiring superuser privileges are done through sudo and its graphical cognates gksudo and kdesudo. Given that it's easy to set a root password, however, why don't people do it?

One reason is that it gives you an additional layer of security. If you run a program as root and a security flaw is exploited, the attacker has access to all data and can directly control the hardware. For example, it might install a trojan or key-logger into your kernel. In practice, though, an attack can do a large amount of damage even without superuser privileges. After all, all user data - including documents and stored passwords - is accessible without root access.

A more valid point, on a single-user system, is that the user is prevented from accidentally rendering the system unusable. If the user unintentionally issues a command that deletes all files, they will still be able to boot the system, even if the data is lost.

Additionally, most user-facing (X11) applications today are built on the assumption that they're run as a regular user account and without administrator rights. Thus some programs might misbehave when run as root.

On a multi-user system with non-graphical shell access only, many of these reasons do not apply. However, Ubuntu still reasonably defaults to an inaccessible root account. For one thing, there is a real difference between gaining access to a user account (with sudo rights) through a security hole and gaining access to root, as in the first case disrupting other users will require running sudo and will still prompt for the account password as an additional security step. For another, it is useful to perform many administrative tasks from a user account and only invoking sudo when the superuser privileges are absolutely required. Thus when installing a program from source, it is advisable to build the source - running configure and make - inside the user's directory and only using sudo make install in the final step. Again this makes it more difficult to shoot oneself (and other users of the multi-user system) in the foot, and it decreases the likelihood of build scripts wreaking havoc with the system. Thus even on a server it is good advice to stick to Ubuntu's sudo-based administration.

Solution 5

One reason not to run as root that has not (so far) been identified by other answers is traceability. It probably matters less on machines that are primarily single-user machines (your desktop or laptop), but on server machines, if someone is logged in as root, you don't know who to blame for the actions taken. Therefore, most professional organizations with multiple systems and multiple administrators that need root privileges require people to log in using their own user ID (and password), and then use sudo or similar programs to operate with root privileges when necessary.

Otherwise, the primary reasons for not running as root are:

  • Minimize risk of damage from accidents. If you run rm -fr / home/me/my-subdir as root, then you've just dramatically eliminated everything of importance from your machine because of that space after the (first) slash - because the stuff that goes first is the stuff that was added first - little things like the kernel, the /bin and the /etc directory. Unix gets upset if you lose those.

  • Minimize risk of damage from malicious outside sites. If you browse as root, you're more nearly vulnerable to drive-by downloads of malicious material.

I use MacOS X more than I do Ubuntu, but there, root is disabled by default, and it still is on my machine. I routinely upgrade the kernel and other similar operations - using sudo (behind the scenes). Similar techniques apply to Linux generally.

Basically, you should only use the all-powerful privileges of root for abbreviated periods of work to avoid the risk of mistakes.
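The traceability argument in the answer above, as an added example that is not part of the original answer: sudo writes the invoking user and the command to the auth log, so each privileged action can be attributed, while a direct root login or an interactive root shell opened through sudo leaves only a single entry. The log lines, host name, user names and the `audit` and `opens_root_shell` helpers are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample lines in the syslog layout used by /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:15:02 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  3 10:17:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vim /etc/fstab
Mar  3 10:18:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/sh -c dmesg | tail
Mar  3 10:20:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su
Mar  3 10:31:51 web01 sudo:    carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
Mar  3 11:02:40 web01 sshd[2211]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Mar  3 11:05:13 web01 sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=www-data ; COMMAND=/usr/bin/id
"""

# A successful sudo invocation: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : TTY=\S+ ; PWD=.*? ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
# A remote login straight into the root account: no personal user ID is attached.
ROOT_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<source>\S+) port \d+"
)
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh"}


def opens_root_shell(target, command):
    """True when the logged command is an interactive shell running as root."""
    argv = command.split()
    if not argv:
        return False
    program = os.path.basename(argv[0])
    # 'sudo sh -c "..."' and 'su -c ...' still record the command that was run.
    return target == "root" and program in SHELLS and "-c" not in argv[1:]


def audit(log_text):
    """Attribute sudo commands to users and list actions that cannot be attributed."""
    by_user = defaultdict(list)
    report = {"untracked_shells": [], "direct_root_logins": []}
    for line in log_text.splitlines():
        sudo = SUDO_RE.search(line)
        if sudo:
            user, target, command = sudo.group("user", "target", "command")
            by_user[user].append((target, command))
            if opens_root_shell(target, command):
                # Everything typed inside this shell is absent from the sudo log.
                report["untracked_shells"].append((user, command))
            continue
        login = ROOT_LOGIN_RE.search(line)
        if login:
            report["direct_root_logins"].append(login.group("source", "method"))
    report["by_user"] = dict(by_user)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for user, commands in result["by_user"].items():
        for target, command in commands:
            print(f"{user} ran as {target}: {command}")
    print("root shells via sudo:", result["untracked_shells"])
    print("direct root logins:", result["direct_root_logins"])
```

On a real host the same function can be fed the contents of the auth log; the entries under `untracked_shells` and `direct_root_logins` are the ones where per-command accountability is lost.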

Author by

Mussnoon

Updated on September 17, 2022

Comments

  • Mussnoon
    Mussnoon about 1 year

    I've often come across posts on forums or other websites where you see people joking in such a manner about running/logging in as root as if it's something awful and everyone ought to know about it. However, there isn't much that a search reveals on the matter.

    It may be widely known to Linux experts, but I really don't know why. I remember always running as root when I first tried Linux years ago (Redhat and Mandrake) and don't remember running into any problems because of that.

    There are actually some distros that have a bright red background with alert signs all over it as wallpaper for the root user (SuSe?). I still use the "Administrator" account for regular use on my Windows installation and haven't ever run into any problems there either.

    • Gaurav Butola
      Gaurav Butola almost 13 years
      I think there is no problem in running a program as root. It's just that, you might harm the core of your OS (even sudoers can do that) if you aren't much wise in linux. other than that I don't think there is any problem. But that's just my point of view.
    • loevborg
      loevborg almost 13 years
      Related question here.
    • djangofan
      djangofan over 12 years
      The difficulty of getting into root mode varies between distros. I personally am annoyed by how Fedora doesn't allow you to 'sudo' right out of the box. OpenSUSE and Ubuntu do have pre-configured sudo though... and so if you choose the right distro, you can minimize your annoyances at not being able to get access to files.
    • strugee
      strugee over 10 years
      @GauravButola even if you're an expert, it's still a bad idea in case an application gets compromised.
    • Rmano
      Rmano almost 10 years
      Well --- AFAIK even running as administrator in Windows is similar to the Ubuntu way --- you are still asked for the authorization to do harmful things (maybe without a password).
    • Rmano
      Rmano almost 10 years
      @DaboRoss the OP comments that he works in windows as administrator; for my (little) experience in that OS, it seems to me that it is more like Ubuntu: it is a privileged account in the sense it can do whatever you want, but it asks for permission before for example installing new software. So probably the equivalent of using user "administrator" in windows translated to Ubuntu would be to run the main user with sudo configured so that it doesn't ask the pass --- running directly as root is much more dangerous.
    • daboross
      daboross almost 10 years
      @Rmano, Ye, I guess that's what I was trying to say. That's basically the difference between running as an 'admin' account and running as root. What I was meaning to say to the OP is that there is a huge difference between root and an admin account.
    • Joshua
      Joshua almost 8 years
      I used to run as root all the time. I wouldn't consider it these days. The world isn't what it used to be and some internet-connected programs present too large of an attack surface. If I were back in my no-internet state I might revert but probably not.
    • SDsolar
      SDsolar about 6 years
      Let's face it. This is like asking what are the risks of typing sudo rm -rf / into terminal.
    • Pryftan
      Pryftan over 5 years
      @Joshua Scary even decades ago...
  • Mussnoon
    Mussnoon almost 13 years
    Um. No offense but you might want to read the title of the question and then read the details again.
  • flo
    flo almost 13 years
    This is extremely helpful - and it does relate to the question. It's concerned with the security implications of enabling the account, a prerequisite of running as root.
  • Mussnoon
    Mussnoon almost 13 years
    @Stefano Palazzo: While the information provided may be useful, I sincerely can't see in what part lies an answer to what I needed to know. I've read it multiple times.
  • kit.yang
    kit.yang almost 13 years
    a more clever analogy.(^_^)
  • jippie
    jippie over 11 years
    It is not about blaming someone, it is about being able to figure out why someone made a change.
  • jippie
    jippie over 11 years
    We always complain about our PC's being too slow, but it is as if they are optimized for running an rm like that as fast as possible.
  • chavocarlos
    chavocarlos over 11 years
    @jippie: I mean 'blame' in the same way that a VCS tracks who did what so that the correct person is attributed with the responsibility for the change, for good or bad, and one of the names for the command that does that tracking is 'blame'. It gives you a person to speak to to find out why something happened. It is not always 'fault' (though depressingly often, the reason for needing to know is because something isn't quite working as expected and there's a need to know why not). So, it is about accountability and trackability rather than necessarily faulting the person for what they did.
  • kbeta
    kbeta over 10 years
    This is an entirely inappropriate analogy. A child with an AK47 can kill themselves and other people. A unix-user with root access can at most render their system temporarily inoperable. (One can always re-install the os and recover operation).
  • kbeta
    kbeta over 10 years
    Data files, which are all owned by my user account, are much more valuable to me than system files. All of your above examples are still issues when logged in as a user, except that the easily-replaceable system files are safeguarded.
  • omeid
    omeid over 10 years
    @kbeta You're right, my analogy is a bit out of proportion and exaggerated. please move on.
  • Kaz Wolfe
    Kaz Wolfe almost 10 years
    @jippie Because RM just destroys the inode link to the file. Doesn't take long to delete a link and mark a space as "free".
  • Rmano
    Rmano almost 10 years
    ...and it protects you from transforming trivial errors in disasters. I am an Unix user/adm since 1990, but still I can surely slip a space in the exact wrong place doing a rm -rf tmp/tests/*...
  • Eliah Kagan
    Eliah Kagan over 8 years
    On Ubuntu, commands like rm -fr / home/me/my-subdir do not actually attempt to recursively delete /, because / is treated specially to guard against such mistakes. See the documentation of the --preserve-root and --no-preserve-root options in man rm for details. But the principle is sound: single-character typos do exist that result in rm deleting everything. For example, if you mean to remove everything in the current directory by running rm -r *, but you accidentally put a / before *, that would be bad.
  • Wilhelm Erasmus
    Wilhelm Erasmus almost 8 years
    But when you have full sudo, you can sudo su and hide your actions.
  • n611x007
    n611x007 almost 8 years
    @kbeta the analogy is appropriate. the risk is not an inoperable system, but data and privacy loss. the root user can delete the data. please use your phantasy to associate the killing and data loss.
  • phil294
    phil294 over 7 years
    1.) Most people will consider their home directory as more important than root dirs, for the former cannot be re-installed. So I don't see your point. 2.) In terms of security, you are right. But coming from windows (where there is WAY more malware around), where I've used the admin account since ever (as many do), I have a hard time considering this a real danger. I am just too lazy to type sudo and my password for every second command in Linux. Aren't Linux users supposed to be lazy?????
  • phil294
    phil294 over 7 years
    he will still be able to boot the system, even if the data will be lost. - What's the point of this? If my data is lost, my data is lost and that's it. Linux system software can be reinstalled if deleted, why should I care about data loss in such directories? On the other hand, data loss in ~ is bad. And sudo doesn't protect me from that.
  • Jeremy Hajek
    Jeremy Hajek over 7 years
    Solaris treats this command as undefined behavior according to a wide POSIX interpretation (and Bryan Cantrill) and throws an error
  • Chad
    Chad about 7 years
    Doesn't prevent people being able to log into root.
  • Edgy1
    Edgy1 about 7 years
    disagree -_- :~ :|
  • Constantine
    Constantine over 6 years
    @kbeta you're assuming that you're running on a computer where the only valuables are your data and system files. In reality linux is often used in a system where there are many users using a system simultaneously. In this case the stability of the system (and therefore the system files) is far more valuable and other user files are important too.
  • phil294
    phil294 over 6 years
    @LazyPower thanks for editing your answer, but now I don't understand it anymore. For modifying my private Ubuntu ~ folder, programs don't need sudo rights. Rhythmbox CAN wipe out my entire $HOME/Music directory! And that is all I care about! How is this related to root permissions?
  • lazyPower
    lazyPower over 6 years
    That's a good call out @Blauhirn. I just sent in a follow-up edit to reflect we don't want it deleting the entirety of /usr. In terms of protecting your $HOME folders, nothing like a good backup can help you. I don't think this particular scenario would be related to security as much as good practice. Thanks again for the callout.
  • Juan Quintero
    Juan Quintero almost 6 years
    Another good practice is to have important data backed up. If you wipe out home directory, you could still boot and just copy over files from the backup. Or, let's say you have a small laptop for travel. It might have some pics, travel notes, train schedule - but nothing too crucial. If you wipe the user files, you can still boot the system up and check in for your flight or find out which bus to take.
  • Pryftan
    Pryftan over 5 years
    @Blauhirn And you think that a compromised system can't pose a risk to your personal data? Think again. And no user of any system should be lazy; any one who is lazy when working at a computer is asking for trouble. And that incidentally includes not backing up your file systems (esp your /home and specific other directories which hopefully /home is on a different volume than your system...).
  • Pryftan
    Pryftan over 5 years
    @kbeta Fair enough but a damaged system configuration can also pose a risk to your data... and of course having backups would be a good idea whether your system is at risk currently or not. Working current backup with a disaster recovery plan would be better yet.
  • Pryftan
    Pryftan over 5 years
    @Blauhirn Backups. And there is a chance of recovery even if it looks bleak.
  • phil294
    phil294 over 5 years
    @Pryftan after your logic, you'd also need backups of /usr, /bin etc. All I say is that sudo protects the wrong stuff. I feel that for a desktop computer, ~ is more important than /etc. I can get keyloggers in gnome autostart or have my data modified or read without sudo protecting anything. Once a malicious program has access to my home folder, I don't care if it also has access to the admin content (I think you didn't see my second comment).
  • phil294
    phil294 over 5 years
    @Pryftan ...Yes, we can encrypt /home, put it on different volumes, blabla. This is not about individual steps, it is about the obligatory need to protect admin data but ignore snoops on home data. Finally, no, any one who is lazy when working at a computer is asking for trouble I disagree. Yes, you need to make backups. You should also deeply care for your security. But laziness can lead to great innovation. I automize many things in bash scripts because I'm too lazy to type them in 10 times in a row. Is that a bad thing?
  • Pryftan
    Pryftan over 5 years
    @Blauhirn Making scripts and programs to do things doesn't equate to laziness; it equates to efficiency. That's the beauty of do one thing well: you can do things that the designers didn't even imagine. And I wouldn't say you'd need a backup of /bin but definitely parts of /usr. 'Unwilling to work or use energy.' 'Characterized by lack of effort or activity.' Automatic: '(of a device or process) working by itself with little or no direct human control.' Even OED disagrees with you.
  • Pryftan
    Pryftan over 5 years
    @Blauhirn And you missed the point I was making, anyway, since given you say the home directory is more important than /etc. Problem is I wasn't saying home directory isn't important. I was saying that the rest of it has a risk too if you don't really care about it. False sense of security is one point but not the only. For that matter /var also has some things you might want to backup as does /root as does... But that's really besides the point I was making. To clarify a point: sudo is for something else, yes, but being privileged always could also be a risk to /home.
  • Pryftan
    Pryftan over 5 years
    'a decade maybe?' Much much longer than that even from when you wrote this. Even without sudo there is su not to mention e.g. the wheel group (for example). Privilege separation is always important and always has been important and always will be important. Otoh not as many people used Unix based OS that many years ago and many who do are used to always being an administrator.
  • Pryftan
    Pryftan over 5 years
    @EliahKagan But yet if you were to do... chown -R nobody:nobody ../ from say /etc would it protect you? If you were to do that on /etc it would cause you a world of hurt. Similarly is .* when recursively running a command.
  • Pryftan
    Pryftan over 5 years
    'If you're the only person who uses your computer, the harm you can do only as root might not really be higher than the harm you can do with your regular user privileges. But that is still no reason to expand your risk' Not to mention it puts you in the habit of it... then you go to another system and what happens? Same with the absurd idea of making people get used to rm -i by way of shell alias. You go to a system that doesn't have that and then what? Baby sitting a user from mistakes like this is never a good idea when you consider humans are very much creatures of habit.
  • Pryftan
    Pryftan over 5 years
    'Maybe I'm not completely precise because I don't know the exact mechanism, but when you fill up a disk with a non-root account there are always a few kilobytes left.' Perhaps you refer to lost+found directory ? If so you can as administrator specify how much to reserve. I want to say the typical default is 5% but I could be wrong and it can be changed. It's quite useful though even if rarely needed. Apparently there is more on it here (I remember it from my years of use): unix.stackexchange.com/questions/18154/…
  • Pryftan
    Pryftan over 5 years
    Although technically there is a way to log actions including every single command. This goes for every user. See process accounting e.g. here: linuxjournal.com/article/6144 And it's only safe truly if you need to be root; otherwise it's not entirely safe (exploit, etc.) even if the command should be safe.
  • Lionel Gaillard
    Lionel Gaillard over 5 years
    Apparently it's not limited to ext filesystems: unix.stackexchange.com/questions/7950/…
  • Pryftan
    Pryftan over 5 years
    Yep. I knew that :) But thanks for adding that too.
  • phil294
    phil294 over 5 years
    I opened a new question in security.se security.stackexchange.com/questions/180555/…. I'll come back to the comments later. - (updated link)
  • HopefullyHelpful
    HopefullyHelpful over 5 years
    @jippie, it should have a built-in 10 second countdown
  • Andreas H.
    Andreas H. almost 5 years
    Finally a real and differentiated answer, instead of the usual 'never do this'-mantras. +1 and thanks for this.
  • Sean McCarthy
    Sean McCarthy almost 4 years
    Brilliant answer. Best I've seen. Thanks so much for explaining it so well for Linux noobs like me.
  • Heetola
    Heetola over 3 years
    so it means that an application should never be launched this way? : sudo myApp.py because it would be the same as running it from root?
  • therobyouknow
    therobyouknow over 3 years
    +1 upvote on answer and upvote on Andreas H.'s comment. Thank you sjas very much: a down-to-earth answer, which is pragmatic rather than dogmatic.
  • Scorpion
    Scorpion about 3 years
    Yes I agree, garyshood.com/root xkcd.com/1200 bkhome.org/archive/puppylinux/technical/root.htm. "If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission."
  • Nils Lindemann
    Nils Lindemann over 2 years
    To learn an OS it is OK to not put any sensible or valuable data on it and log in as root, to be able to see all folders and edit all settings. Then, if you have learned how the system works, reinstall and log in as non-root. I am doing this on Fedora, which is as simple to use as Ubuntu (and in my experience more stable), but allows root logins. I prefer having an option to opt out.
  • Cristy
    Cristy over 1 year
    But if there is only one user on the system and that user needs sudo privileges, aren't the privileges/access rights the same as root?