Make me a sandwich. Ok!

Posted on 01 Feb 2011
Tagged with: [ root ]  [ sandwich ]  [ sudo ]

I have to admit it: I grew up with unix “the wrong way”. Instead of having decent user-accounts for every employee, all our work was done under the root-account. The main reason for this is that our software deployment system didn’t really work the way it should and I guess nobody really cared. It worked.. log in as root on our (private) systems and call the compile+install script… Furthermore, there were about 14 different unix-flavours available, and only 2 or 3 persons with access to them. Again, all internal systems just for compiling and testing. A good thing.. yes and no.. It feels like I started learning to ride a bike on an ATB instead of a tricycle I guess..

It worked perfectly, but every single thing you did was done with the full force of the root-account behind it. Simple Dr Jekyll commands turned into Mr Hyde instantly when you made a typo, but who was I to argue? It was my first real job as a programmer and I didn’t know too much about all those unix-systems that surrounded me. For me this all was common practice… You screwed up, you re-installed the box yourself. No real harm done except for some downtime compiling and to be honest, installing every unix-OS a few times over is dull, but it sure as hell teaches you a lot..

But I did not work on unix-systems as root. I had some dial-in shell accounts at the early-day ISPs where you could telnet into your shell, read your email (I was still a point in the almighty fidonet, so didn’t do too much internetsy email) and maybe set up your homepage with some CGI-BIN thingies like a guestbook or a hit-counter at some ~user page.. I didn’t need to set up configurations or read logfiles or do other “administrative” tasks on those systems, so I was perfectly fine with having no root access and I didn’t miss it either.

Although times have changed, I still find it hard NOT to work under root. I don’t consider it evil per se, but more or less like driving a motorcycle without a helmet or a car without seatbelts. It’s fine, I know the risks, I decided to take the risks and I don’t cry when something happens. (Things are different when dealing with production systems though).

But I do have some info / tips for new (and experienced) linux users:

  • Direct root-login should be forbidden.
    This also applies to other “shared” accounts. Use your own account to log in, and switch to the correct user if you want. That way at least some information about who entered the system will be available, which makes tracking problems much easier for admins in the end.

  • Don’t use root, use sudo
    I know, do-as-I-say-not-as-I-do advice, but still good practice: sudo remembers for a short while that you have authenticated, so the only thing you need to do is type sudo in front of your command line. It’s not that hard. Sudo can also be used to give some kind of “root”-lite access to others (I trust some users with restarting apache, but not with doing stuff to the MTA, for instance).

  • Keep your filesystem tidy when using root
    Don’t create files or directories in somebody’s homedir which they cannot remove themselves. It’s really annoying. It’s even annoying when you did it yourself, and you have to chown whole directories or files just to access them.

  • Being root is not evil, being an inexperienced user who is root is evil.
    Sure, the impact is much greater when something goes wrong, but the world isn’t going to end just because you switched to root. But please, do your thing and get out of the account if you don’t prefer sudo. It’s so much better: you’ve got your home-settings like bash, vi etc again, and you don’t have to explain yourself over and over again to others :)
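
The “root”-lite idea from the sudo tip above, written out as a sudoers fragment. This is an added example, not configuration from the original post; the group name `webops`, the file name and the `apachectl` path are assumptions to adapt to your own system.

```sudoers
# /etc/sudoers.d/webops  (hypothetical file; always edit with: visudo -f /etc/sudoers.d/webops)
# Constructed example: the "webops" group and the apachectl path are assumptions.

# Re-prompt for the password after 5 minutes without a sudo command,
# run commands in a pseudo-terminal and keep a dedicated log of who ran what.
Defaults:%webops timestamp_timeout=5
Defaults:%webops use_pty
Defaults:%webops logfile=/var/log/sudo-webops.log

# Too broad: this is full root under another name.
# %webops ALL=(ALL) ALL

# Scoped: absolute path plus explicit arguments, so only these exact
# invocations are allowed. Nothing that touches the MTA is listed.
Cmnd_Alias APACHE_CTL = /usr/sbin/apachectl configtest, \
                        /usr/sbin/apachectl graceful, \
                        /usr/sbin/apachectl restart

%webops ALL=(root) APACHE_CTL

# Avoid granting editors, pagers or interpreters (vi, less, perl, ...)
# this way: each one can spawn a shell, which turns "lite" back into full root.
```

A member of the group can check what they are allowed to run with `sudo -l`, and `visudo -c` validates the syntax before the file takes effect.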

http://xkcd.com/149/