Users browsing this thread: 1 Guest(s)
dionys
Members
By convention, the root account is for minimal necessary admin and shouldn't be used for work that can be done as a normal user. Some distros even disable root login by default in an attempt to hide potential footguns from new users.

What do you think should (or shouldn't) go in .profile, .bashrc, etc for the root user account? Do you have any special safeguards, custom prompt, or user provisions for the root shell?
jkl
Long time nixers
Two of my servers don’t have a remotely accessible non-root account because I only log into them to maintain the system. (Which is ok because I don’t need any convenience shell toys for that.)

That said, I recommend to keep the root (and, even more so, toor if it exists) account as unmodified as possible: No non-static shell, no dependencies on external tools. Maintaining the system can and will leave the system in a half-working state at least temporarily.
venam
Administrators
I can vouch for jkl 2 idioms.

I also disable root ssh login, and leave the root account as clean as possible. It's only a last resource maintenance/recovery/single-user-mode account. Most of the things can already be done via sudo/doas/polkit and other good access control policies, so there should be no need to login directly as root.

As far as safeguard goes I have this:
Code:
export SUDO_PROMPT="\e[0;31m[Switching User] > "
dionys
Members
One idea, discussed in a medium post here:
  • Auto-comment history using PROMPT_COMMAND to avoid accidental execution of stored commands.
venam
Administrators
There are many questions are that more or less self-explanatory and can add points to your main one:
  • Does the root user actually need a home in /root as in separate from other users, probably for safety reasons
  • What's the harm in running things as root, you can nuke your system easily
  • If the root user has a home does it mean you should use it like any other home and store files and software in it, maybe only administrative
  • Should the root user shell profile be customized like any other users, and does this pose any risks
  • Should the root user have a command history, or should it be erased everytime to start from a new clean environment
dionys
Members
I remember reading a blog somewhere where the guy advocated the opposite (i.e. tossing out the security model and running everything as root).

Pretty sure it was this guy --> garyshood. From his tone I would guess he's joking, but he ends with an anecdote suggesting there may be at least a few like-minded individuals.
z3bra
Grey Hair Nixers
The only thing I change for the root user is the /root/.ssh directory, where I push some keys (both private and public) so my backup server can connect to the other servers and run the backup routines fully privileged.

Other than that, I never connect as root.
dionys
Members
(24-11-2020, 06:17 AM)z3bra Wrote: Other than that, I never connect as root.

How about something to propagate X11 credentials to root? Maybe for remoting to a box and running something via sudo that needs X?

su -l my_user -c 'xauth list' | grep $(echo $DISPLAY | cut -d ':' -f 2 | cut -d '.' -f 1 | sed -e s/^/:/) | xargs -n 3 xauth add