Chad Perrin: SOB

19 March 2007

how to decide to ignore someone (a case study)

Filed under: Geek — apotheon @ 01:39

I’m going to keep this brief. You don’t need to know all the sordid details.

There was a discussion on a mailing list. Someone asked, in all innocence and with honest curiosity, if there was an actual impact on system security running a Linux system as root all the time rather than using a separate, unprivileged user account for most tasks. The pertinent question in the original post in that thread was:

If a Linux machine is built and used by a single person, why not always log in as root?

Some answers were offered, including one from me, that helped to explain that yes, there are security concerns — both in terms of whether an outsider can more easily crack security, and whether the user can more easily do accidental damage to the system. My response read as follows:

I’ll demonstrate the potential security issues via an example.

Assume you log in as root.

Now assume you run an IRC client, and connect to a channel at freenode.

Now assume someone there notices your IRC client is Xchat.

Assume that person knows of an arbitrary remote code execution exploit for Xchat.

Your system has just been rooted.

This is an extreme example. Other, very different, examples are similarly possible (and similarly extreme).

It’s just a good idea to run as something other than root most of the time. Similarly, it’s a good idea to ensure that your user account doesn’t have complete administrative access via sudo, so that compromising the normal user account doesn’t give the person unfettered access to your system via sudo.
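As an added example (not code from the original post or from the mailing-list thread), here is a check for the sudo point just made: a Python parser, deliberately simplified from the real sudoers grammar, that flags rules which turn a daily-use account into a root equivalent, run over a constructed sudoers sample that puts the weak `ALL=(ALL) ALL` rule beside a narrower command allowlist.

```python
"""Audit sudoers rules that hand a daily-use account full root.

Added example, not from the original post or the list thread. It understands
only the common one-line rule form
    user_or_%group  host = (runas) [TAG:] cmd, [TAG:] cmd ...
plus comments and backslash continuations. Defaults, aliases and #include
directives are skipped, so treat its output as a first pass, not a verdict.
"""
import os
import re

# Constructed sample: the weak setting beside two narrower alternatives.
SAMPLE_SUDOERS = """\
# Weak: compromising 'chad' gives unfettered root via sudo
chad    ALL=(ALL) ALL

# Narrower: only package updates, and sudo still asks for a password
chad    ALL=(root) /usr/bin/apt-get update, \\
                   /usr/bin/apt-get upgrade

# A group rule with a tag; a root shell is as good as ALL
%admin  ALL=(ALL:ALL) NOPASSWD: /bin/sh
"""

RULE_RE = re.compile(
    r"^(?P<who>[%+]?[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}


def parse_sudoers(text):
    """Return one dict per user/group rule: who, runas user, [(cmd, nopasswd)]."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (and #include lines)
        if not line:
            continue
        if line.endswith("\\"):               # backslash line continuation
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue                          # out of scope for this simplified parser
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(user:group)" -> user; an absent runas spec means root in sudoers
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        cmds, nopasswd = [], False            # tags persist across the command list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (t := TAG_RE.match(cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                cmd = cmd[t.end():]
            if cmd:
                cmds.append((cmd, nopasswd))
        rules.append({"who": m.group("who"), "runas": runas, "cmds": cmds})
    return rules


def audit_sudoers(text):
    """Return (who, finding, cmd) triples for rules that make sudo a root equivalent."""
    findings = []
    for r in parse_sudoers(text):
        as_root = r["runas"] in ("ALL", "root")
        for cmd, nopasswd in r["cmds"]:
            if cmd.startswith("!"):           # negated entries are exclusions, not grants
                continue
            prog = cmd.split()[0]
            if cmd == "ALL" and as_root:
                findings.append((r["who"], "FULL_ROOT", cmd))
            elif as_root and os.path.basename(prog) in SHELLS:
                findings.append((r["who"], "ROOT_SHELL", cmd))
            if nopasswd:
                findings.append((r["who"], "NOPASSWD", cmd))
    return findings


if __name__ == "__main__":
    for who, finding, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding:10} {who:8} {cmd}")
```

The narrower `apt-get` rule produces no finding; the point is that a compromise of the unprivileged account then yields only what that allowlist grants, not the whole system.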

There was also at least one person who expressed in no uncertain terms that he thought it really made no security difference at all. Just to be totally clear, this was not the OP — I’m speaking of someone else who joined the discussion. He claimed that the separation of root and nonprivileged user accounts was purely historical, and offered this tasty morsel:

While a few (or many) bigots may believe that root/SUSER logins are horrible as a regular practice, they really need to mind their own business when it comes to personal systems.

So, apparently, I’m a bigot now. So too are the others who responded to the OP in the affirmative.

. . . but wait, there’s more. He responded directly to me, or at least quoted me as though he were responding directly to me (though, considering the lack of threading in his replies, it appears he fails to understand the “reply” button in his mail client):

Assume that person knows of an arbitrary remote code execution exploit for Xchat.

It's just a good idea to run as something other than root most of the time. Similarly, it's a good idea to ensure that your user account doesn't have complete administrative access via sudo, so that compromising the normal user account doesn't give the person unfettered access to your system via sudo.

Local system SUSER exploits are more common than network daemon SUSER exploits, so it’s not always necessary for an attacker to gain direct ROOT access, just access to the remote machine, then exploit the more common local SUSER exploit with any trojan access.

So, it frequently doesn’t matter if the user is root or not, if the machine has a determined attacker targeting it. Good practice is always use a hardware firewall with reasonable settings to minimize external connectivity anyway.

He posted several times to the list, not as replies but as their own root-level new threads, all with the same reply subject line. There’s something seriously wrong with his mail client, its configuration, or with his use of it. Maybe there’s something wrong with the list — the online archives have holes in them. Regardless, he expounded further on his ideas, mostly by repeating himself in different words. For instance:

Restricted control of such admin tasks for multiuser/server machines makes sense, and is totally bogus for a personal “single owner” personal machine.

. . . and, in response to the previously quoted example I presented of a possible root exploit problem:

You make a clear (FALSE) argument about getting “rooted” because of being logged in SUSER, when the exact same case you state will get you clearly compromised so that ALL your non-root files are compromised, which for a personal machine, is everything that is important.

So your assertion is that you are somehow “Safe” or “Safer” by running non-root …. which is a farce at best, as your example still leaves the machine compromised, and doesn’t address the safety issues of root/non-root you are trying to make a case for.

Getting “rooted”, as compared with simply compromised, is nearly insignificant for a personal machine — your data is compromised, and full network access is available for trojans, bots, spam servers, and porn P2P servers.

Please explain just what I missed that was important about your flawed argument, that I did carefully read.

Okay, so at this point maybe he’s really trying to be reasonable — except for that “bigot” remark earlier. I’ll give him the benefit of the doubt. This was my response, off-list:

I refer you back to your own statements about how certain programs SUID root can lead to problems, et cetera, and ask you to realize that running everything as root means that SUID is immaterial. At that point, you may as well make rm, ls, and youtube-dl all SUID root.

I also said:

Also, it would be nice if you’d just acknowledge that “doesn’t always make much of a difference” is not the same as “never makes any difference at all”.

. . . and:

I never said there wasn’t sometimes reason to run stuff as root. I just pointed out that there is a real security impact to running everything as root, regardless of how big an impact it may be in practice.

Last, but certainly not least:

Your continued implications that people who feel it’s better to separate administrative and daily system access are bigots or idiots are really beginning to get old. That’s the main reason I chose to address you in the first place, and it’s now the main reason I don’t care to address you any longer — at least until you provide some actual substantive response to my above identified points.

“SUID root” basically just means that you’ve configured something to always run as though it were run as the root user (Administrator, in Microsoft-speak). Here’s something he said in his response email:

The problem is the “one size fits all” solution you are making. The security aspects for a commercial business are critical, and near zero for a personal machine for many of these choices. A compromised business server is an expensive event. A home hobbiest that is compromised, is not, and frequently there is little or no difference between a user-kit compromise and a root-kit compromise for a home system.

I, and many other Systems Architects, are VERY concerned about security policy and implementation on critical mission systems. Those concerns, and the policies we create for IT staff, simply do not apply to home hobbiest users. The “mantra” we hear pushing business IT policies onto home hobbiests, and with a firm assertive tone, is simply bigotry:

Bigot \Big”ot\, n. 2. A person who regards his own faith and views in matters of religion as unquestionably right, and any belief or opinion opposed to or differing from them as unreasonable or wicked. In an extended sense, a person who is intolerant of opinions which conflict with his own, as in politics or morals; one obstinately and blindly devoted to his own church, party, belief, or opinion.

So, my initial post clearly separated what is reasonably right for a business, and what is reasonably right for a hobbiest.

The “mantra” that it’s simply technically wrong for a hobbiest to run logged in as root, is simply an unfounded carry-over from business policies. For a typical Linux Distro, the security differences are moot, which has been your main defense of the policy. The operational difference between reloading 95% of a hard drive from backups to recover a user’s home directory, projects, and archives, and the additional couple gigabytes for the core OS release is also moot when the user does a blind “rm -rf *” from the wrong directory.

For a business, that mistake potentially means idling dozens/hundreds of employees and/or turning the business sales off for half a day while the system is recovered. So policies to avoid it, have a significant economic justification, that simply do not apply to a typical home desktop system.

. . . and:

> Also, it would be nice if you’d just acknowledge that “doesn’t always make much of a difference” is not the same as “never makes any difference at all”.

Oh, but I have, from the beginning …. starting with what is proper for business IT staff, and what is acceptable for home hobbiests.

. . . and:

> I never said there wasn’t sometimes reason to run stuff as root. I just pointed out that there is a real security impact to running everything as root, regardless of how big an impact it may be in practice.

“Real security impact”? … I disagree strongly, and have provided clear examples why not. The real difference, is the operational impact of mistakes. Which for a business system, can be frequently measured in annual salaries, and for a home system, the cost of reloading a desktop system from scratch.

. . . and finally:

> Your continued implications that people who feel it’s better to separate administrative and daily system access are bigots or idiots are really beginning to get old. That’s the main reason I chose to address you in the first place, and it’s now the main reason I don’t care to address you any longer — at least until you provide some actual substantive response to my above identified points.

I’m sorry, but people that apply a one size fits all “mantra” about what’s correct for business to hobbiests, with a strong “religious like” conviction, void of a strong technical justification are simply ….

What a nice guy.

So, I offered some responses:

When did I say “one size fits all”? I pointed out that there are security impacts to keep in mind. I didn’t say you weren’t allowed to run everything as root. If you don’t care about the difference in security between different approaches to managing administrative access, or consider the difference to be less valuable a consideration than whatever negatives you perceive to accompany observance of such a security measure, that’s your business. That doesn’t change the fact that there is a real, concrete impact on security.

. . . and:

> I, and many other Systems Architects, are VERY concerned about security policy and implementation on critical mission systems. Those concerns, and the policies we create for IT staff, simply do not apply to home hobbiest users. The “mantra” we hear pushing business IT policies onto home hobbiests, and with a firm assertive tone, is simply bigotry:

Bigot \Big”ot\, n. 2. A person who regards his own faith and views in matters of religion as unquestionably right, and any belief or opinion opposed to or differing from them as unreasonable or wicked. In an extended sense, a person who is intolerant of opinions which conflict with his own, as in politics or morals; one obstinately and blindly devoted to his own church, party, belief, or opinion.

Your name-calling and assertions that everyone who prefers to maintain some separation between root and unprivileged users must be saying that everyone in the world has to adhere to their standards of security are not what I’d consider productive, or even marginally polite.

. . . and:

> “Real security impact”? … I disagree strongly, and have provided clear examples why not. The real difference, is the operational impact of mistakes. Which for a business system, can be frequently measured in annual salaries, and for a home system, the cost of reloading a desktop system from scratch.

Here, again, you fail to distinguish between “doesn’t always make much of a difference” and “never makes any difference at all” — or, at least, to acknowledge that I’m making such a distinction, and to imply that there isn’t such a distinction for non-business users.

. . . and:

> I’m sorry, but people that apply a one size fits all “mantra” about what’s correct for business to hobbiests, with a strong “religious like” conviction, void of a strong technical justification are simply ….

I’ll refrain from characterizing your simply unacceptable attitude the way you’ve attempted to characterize mine. Didn’t your mother teach you any manners?

So, he answered succinctly:

> That doesn’t change the fact that there is a real, concrete impact on security.

Again … the point is that this is wrong. Let’s stay on topic, … please explain WHY you assert this with a good example.

My response:

Now we’re back to you making broad, sweeping statements, while ignoring my earlier statements.

/ignore

He said:

Calling “real, concrete impact on security” a “fact” is the broad sweeping statement … which I have already provided more than five concrete examples why it’s false.

Your only defense of this, was the chat trojan, which clearly translates into a user-kit compromise, which is effectively a root-kit compromise given several more likely results.

So again … WHY do you believe this?

I said:

That /ignore is about to become a very real, concrete >/dev/null.

He just doesn’t get it:

Sorry Chad, go ahead, it will not protect you from being clueless while you are unable to constructively debate your flawed positions.

I will post an OMG event tomorrow …. thanks for framing the discussion :) If you stick around, you might actually learn something about security.

On-list, someone else posted something to the effect that there’s a real security impact when one runs everything as root. He brought up another point — that once a system is rooted, it’s never trustworthy again. You can never be sure it’s clean, because absolutely any binaries on the machine could have been compromised, including everything you’d be able to use to determine whether someone has compromised your system — so that such security auditing software might be compromised, and return erroneously “safe” results while malicious software remains in place. At least if a non-root user account is the only thing compromised, you can save text files and delete, then recreate, the user account, and similarly recreate the user environment, on an otherwise clean system. This other person is the list admin, if I recall correctly — and even if he’s not, he’s about as influential to this mailing list as the admin. My gadfly didn’t have a single bad thing to say in response to that.

I sent this email to the gadfly:

Morbid curiosity caused me to check the list archives when I noticed that [name deleted for privacy] responded to you. I notice that you don’t call him a bigot. Why don’t you have the courage of your convictions?

Don’t bother responding. That was a rhetorical question.

I probably shouldn’t have sent that one, but I really couldn’t resist.

That’s where things lie now. I imagine he wasn’t online when I sent that last email — so I may or may not get a response tomorrow. I’m debating now whether to undo the redirect of all his emails to the oblivion of /dev/null (like the “recycle bin” on Windows, only more permanent), just to see if he responds (though for all I know he may have already).

Quick summary:

  1. He claims that there’s zero security impact, on a single-user system, for the user to do everything logged in as root.
  2. I disagree, and as a result I am a “bigot” and “clueless”.
  3. I tell him I’m ignoring him when he utterly fails to provide substantive responses to what I’ve said, until such time as he actually addresses my points.
  4. He repeats himself, becomes increasingly impolite, reaffirms his opinion that I’m bigoted and clueless, and generally ignores my comment about ignoring him.
  5. I tell him that the next step is to redirect his emails to /dev/null unless he shuts up or addresses my salient points substantively.
  6. He presses on with nothing of value.
  7. He utterly fails to disagree similarly with someone who has an (at least effective) administrative position with regards to the mailing list that expresses an opinion similar to my own, proving himself a brown-noser as well as an asshole.

Comments, anyone? (other than “ignore the troll” — I’m sure I should have done that at the beginning)

8 Comments

  1. You know, you could apply his “bigot” term right back to him. He sounds like he thinks he’s “unquestionably right” since he is disregarding your concerns about security on a single user machine.

    He also seems to think that somehow a person’s computer at home is a mere toy and that it is like crying over spilled milk if something happens to it. I guess he thinks that home users just use their computer for surfing and sharing pictures of the grandkids and that you can’t possibly have something on there worth protecting.

    He wouldn’t let a user at a business have full root access all of the time because it could seriously cripple the operations if it were compromised. Hmmm, I guess that could spill over to someone that has a computer at home, couldn’t it? Just because the computer is in a building that has been given a different name, “work” versus “home”, doesn’t magically change the need for security. What if my “hobby” was doing research on polypeptides related to Alzheimer’s disease in my lab I’ve set up on the back patio; does that mean because I’m at home doing this in my free time, that it is somehow not important? To him it is just merely a desktop reinstall, to me it is years of work and effort, a Nobel Prize, a chance in the books of history, and a retirement castle on the coast of Scotland that has just gone up in a puff of smoke.

    For some reason, many people have this idea that the only people who use their computers at home are just mindless drones surfing the ‘net and old ladies that think they are using their VCR with a keyboard. There are countless different ways to utilize a computer in the home or “hobbiest” environment and frankly, his “one size fits all mantra” about what’s important for security to that section of computer users is a bit limiting and narrow-minded.

    Comment by medullaoblongata — 19 March 2007 @ 08:39

  2. You know, you could apply his “bigot” term right back to him.

    Too true. The irony of this guy calling me a bigot that way, in the midst of his behavior, is just incredible.

    To him it is just merely a desktop reinstall, to me it is years of work and effort, a Nobel Prize, a chance in the books of history, and a retirement castle on the coast of Scotland that has just gone up in a puff of smoke.

    I was thinking more about stuff like identity theft, but yeah, I guess a retirement castle on the coast of Scotland is a potential concern. Wow.

    I suppose it might be petty of me, but his relentless misspelling of the word “hobbyist” is one of the most annoying things about his emails. “Hobbyist” is one who engages in hobbies; “hobbiest” is “most hobby-like”. I’m pretty sure he’s not too good at consistent application of principles in any system, however.

    Comment by apotheon — 19 March 2007 @ 11:10

  3. The use of “bigot” in a discussion about system security is a bit ridiculous on its face, but to be fair, I’m pretty sure that English is a second language for this guy, and there are cultural differences which impact how one communicates and how others perceive that communication.

    However I will play devil’s advocate and suggest that while lacking in social graces, this guy may have a point, but at a more general level than the security implications of running a personal-use Linux box as root (which, I agree, is quite foolish).

    Perhaps his point is that corporate and group security policies are overkill for the SOHO environment, and if someone wants to compromise his network with foolish security practices, that is his business. They’re his assets that he’s risking, after all.

    Now, rooted systems in home networks can cause externalities, but in general they can be dealt with more easily than a security compromise on an enterprise network. (Well, that’s what Terms of Service are for, anyway.) It would be great if people took care of their shit and didn’t pollute the rest of the community (just like in a real neighborhood), but it’s their property, so there’s only so much we can do proactively.

    Educating others is one way of being proactive, and I’m quite sure that was your intent. Why your friend there chose to perceive that as “bigotry” is something only he can answer. Maybe he thinks that being asked to use his turn signal constitutes fascism as well.

    Comment by Brian Martinez — 19 March 2007 @ 11:52

  4. Perhaps his point is that corporate and group security policies are overkill for the SOHO environment, and if someone wants to compromise his network with foolish security practices, that is his business. They’re his assets that he’s risking, after all.

    I never disputed that. In fact, I even said as much. (see above: “If you don’t care about the difference in security between different approaches to managing administrative access, or consider the difference to be less valuable a consideration than whatever negatives you perceive to accompany observance of such a security measure, that’s your business. That doesn’t change the fact that there is a real, concrete impact on security.”)

    No, I think he’s saying that there’s no security difference. In fact, I know that’s what he’s saying.

    Now, rooted systems in home networks can cause externalities, but in general they can be dealt with more easily than a security compromise on an enterprise network.

    True. I never disputed that, either. I just said that there’s a real, concrete security impact when one runs everything as root. I very carefully pointed out that I was speaking of differences in security level, though, and not absolute security.

    Educating others is one way of being proactive, and I’m quite sure that was your intent. Why your friend there chose to perceive that as “bigotry” is something only he can answer. Maybe he thinks that being asked to use his turn signal constitutes fascism as well.

    It’s worse than that, though — I never even asked him to avoid running his systems as root, and I didn’t ask anyone else to do so either. I just answered a technical question with a technical response, without any value judgments implied.

    Apparently, the very act of mentioning that there’s a security weakness in the policy of running everything as root on a single-user system is “bigotry” to this guy, because it implies (in his mind) that the fact he thinks running everything as root is just hunky-dory is stupid. I went out of my way at one point (quoted above) to point out that if there are usability concerns there’s a trade-off to consider, but that one should not take that trade-off to mean that there’s no security concern at all. He didn’t care about that — he just cared about the fact that I pointed out that there was a security concern, and called me a bigot, then implied I was some kind of stupid, ignorant fool who knows nothing about security.

    I think you’re stretching it a little bit, trying to find reasons to be forgiving of this guy. I gave that up a while ago.

    Comment by apotheon — 19 March 2007 @ 02:12

  5. It seems to me that he had something against you personally before he responded the first time. He was picking a fight.

    Comment by Sterling Camden — 19 March 2007 @ 02:25

  6. Maybe so. I’m really not sure it was just me — it may have been anyone that disagreed with his thesis without having some kind of perceived authority in the community, and I just happened to be “anyone” this time. On the other hand, I may have inadvertently offended him by disagreeing with him in the past.

    Checking the list archives, I see that we were apparently on essentially the same side of a disagreement earlier this month over whether anyone has a legitimate reason to need to update timezone data for new DST standards “by hand”. As such, I don’t see any indication that he had something against me in the archives of this month, though obviously it may have reached further back than that.

    I dunno. He must be a jumpy flame warrior and something of a “bigot” himself, a troll, or someone that just has it in for me, from what I’ve seen. It sure is odd, in any case.

    Comment by apotheon — 19 March 2007 @ 03:04

  7. I think you’re stretching it a little bit, trying to find reasons to be forgiving of this guy. I gave that up a while ago.

    Nah, I was merely suggesting that he might have had a point, had he not been a jerk about it. That doesn’t make his attitude any more forgivable. But I freely admit I could be reading more into the comments you’ve excerpted than is deserved. He could also be the type who just likes to be argumentative. I think in the pre-Internet days we called them “sociopaths”. ;-)

    Comment by Brian Martinez — 19 March 2007 @ 03:26

  8. <humor type=”weak”> I’m not familiar with this term “sociopath”. Is that the same as “troll”? </humor>

    Comment by apotheon — 19 March 2007 @ 04:34


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License