+- nixers (https://nixers.net)
+-- Forum: General (https://nixers.net/Forum-General)
+--- Forum: Community & Forums Related Discussions (https://nixers.net/Forum-Community-Forums-Related-Discussions)
+--- Thread: Root user rc files (/Thread-Root-user-rc-files)
Root user rc files - dionys - 23-11-2020
By convention, the root account is for minimal necessary admin and shouldn't be used for work that can be done as a normal user. Some distros even disable root login by default in an attempt to hide potential footguns from new users.
What do you think should (or shouldn't) go in .profile, .bashrc, etc for the root user account? Do you have any special safeguards, custom prompt, or user provisions for the root shell?
RE: Root user rc files - jkl - 23-11-2020
Two of my servers don’t have a remotely accessible non-root account because I only log into them to maintain the system. (Which is ok because I don’t need any convenience shell toys for that.)
That said, I recommend to keep the root (and, even more so, toor if it exists) account as unmodified as possible: No non-static shell, no dependencies on external tools. Maintaining the system can and will leave the system in a half-working state at least temporarily.
RE: Root user rc files - venam - 23-11-2020
I can vouch for jkl 2 idioms.
I also disable root ssh login, and leave the root account as clean as possible. It's only a last resource maintenance/recovery/single-user-mode account. Most of the things can already be done via sudo/doas/polkit and other good access control policies, so there should be no need to login directly as root.
As far as safeguard goes I have this:
Code:
export SUDO_PROMPT="\e[0;31m[Switching User] > "RE: Root user rc files - dionys - 23-11-2020
One idea, discussed in a medium post here:
- Auto-comment history using PROMPT_COMMAND to avoid accidental execution of stored commands.
RE: Root user rc files - venam - 24-11-2020
There are many questions are that more or less self-explanatory and can add points to your main one:
- Does the root user actually need a home in /root as in separate from other users, probably for safety reasons
- What's the harm in running things as root, you can nuke your system easily
- If the root user has a home does it mean you should use it like any other home and store files and software in it, maybe only administrative
- Should the root user shell profile be customized like any other users, and does this pose any risks
- Should the root user have a command history, or should it be erased everytime to start from a new clean environment
RE: Root user rc files - dionys - 24-11-2020
I remember reading a blog somewhere where the guy advocated the opposite (i.e. tossing out the security model and running everything as root).
Pretty sure it was this guy --> garyshood. From his tone I would guess he's joking, but he ends with an anecdote suggesting there may be at least a few like-minded individuals.
RE: Root user rc files - z3bra - 24-11-2020
The only thing I change for the root user is the /root/.ssh directory, where I push some keys (both private and public) so my backup server can connect to the other servers and run the backup routines fully privileged.
Other than that, I never connect as root.
RE: Root user rc files - dionys - 28-05-2021
(24-11-2020, 06:17 AM)z3bra Wrote: Other than that, I never connect as root.
How about something to propagate X11 credentials to root? Maybe for remoting to a box and running something via sudo that needs X?
su -l my_user -c 'xauth list' | grep $(echo $DISPLAY | cut -d ':' -f 2 | cut -d '.' -f 1 | sed -e s/^/:/) | xargs -n 3 xauth add