No root, please!

When you are dealing with system security, you need to create a secure system from the ground up. This is why you should never need root access to perform your job, even installing software.

The principle of security lies in separation of duty and protecting the core system, even if a component fails.

If you expect a component to fail, and it will, then you are better prepared to deal with it than if it catches you by surprise. There are so many exploits out there that denying a failure or security breach is only for the stupid and naive.

This article talks about Linux and uses an example of a web server. The whole story is true for Windows as well. I just happen to have less knowledge of security on Windows and to me it feels like it is treated as an afterthought, whereas in the UNIX (and Linux derivatives) world, it is a given to think about security and access rights upfront. Although this article is written with servers in mind, it holds truth for your normal day-to-day working system as well. You should not be an administrator when working with Office tools or accessing the web.

It is still common practice that people install software on webservers or install middleware as root. I think this is a fundamental problem in creating a secure, trustworthy infrastructure. If software needs root to be installed, you need to reconsider your options. Proper software can be installed without root access and needs to be installed as such.

It is the duty of the systems administrators to keep the basic system, the kernel, safe. That is why they are the only ones who have root authority. If they run an application as non-root, they can prevent that application for overtaking the whole machine or bringing the machine down. Whether by accident or by attack.

The system administrator should not trust me. Me and my dangerous software which I am going to connect to the internet and the whole world to probe, attack en exploit. So if he does not trust me, he should not give up his safeguards, i.e. root access to the system. A wise sysop never does.

There is a little problem of course. Some actions can only be performed with root access; most notably the usage of ports below 1024. Webservers run default on port 80 (and browsers know this, so you never type http://strelitzia.net:80/, only when you access a non-standard http port, you type it as in http://tomcat.tld:8080/. ‘Normal’ users never do so.)

There are two simple ways around it. Obviously you could create a start script, which runs as root (either sudo or in init.d) and switches the user in the process. Sometimes it is even simpler to run something on a port beyond this 1024 boundary and let the firewall or load balancer in front of it handle it through port mapping. The point is that this needs to be done together with the system admin and he needs to apply the changes! It is his user space so he needs to take care of the changes. (I refer to system administrators as him, as there are way too little females in our profession).

If you weren’t given access in the first place, you cannot make this mistake. You cannot, by accident, start anything, which compromises the basic system and its file systems. You have no access so you cannot make a mistake. You are protected against yourself. This is the best thing, because anybody makes mistakes. Or something complex happened during setup and you aren’t even aware of it.

Another reason a lot of software runs with expanded priviliges, is because a monitoring tool is setup which needs to access the tools, logging etc. When you think about it some more, you’ll notice that running tools as root is merely laziness or incompetence. Don’t let anybody tell you otherwise!

So, next time, if someone offers you to have root access, kindly try to refuse it as a security measure. Just tell them you will not accept the responsibility, which comes with it. Convenience is the root of security problems. Evangelise secure working methodologies.


Leave a Reply

strelitzia.net