Yesterday, land0 rapped me on the knuckles for expressing the thought that any sizeable chunk of humanity could simultaneously be smart enough to run Linux, and dumb enough to use root for personal login.
To the Nix (aka, *nix, BSD, Linux, Unix) world, this is like giving a crook the keys to your office, along with a moving van.
The thing is, my company supports a line of single-function network appliances, many of which go into small businesses and schools. We’ve helped this community for years. And I constantly hear stories over the partition.
Better than that, my tech support manager saw my knuckles get rapped, too. When he stopped laughing, he gave me the number for one of our more talkative customers, and suggested that I give him a buzz.
Only the name and location have been changed to protect our relationship… Let’s call him Kurt of New Orleans. Apologies to Kurt in advance for any phrases that were not perfectly captured. He talked too fast, and I’m a lousy secretary.
Warning: VIOLENTLY DISTURBING CONTENT. If you continue, you will be exposed to material not suitable for anyone with formal… or even informal… Linux training.
There are over ten million businesses in America with fewer than 20 employees each. Many are start-ups or otherwise minimally capitalized, and Linux fills a networking need without straining the budget… especially when they don’t bother hiring professional help.
Kurt manages the office for one of them.
EB: Do you ever log in as root?
Kurt: I always log in as root. Linux is not my desktop operating system. I don’t use it to read email, browse the web, or instant message my pals. I run a web server, an email server and an ftp server in Linux. So the only time I log on to the system is when I need to administer my servers or install software, which I can only do as root.
EB: Have you ever tried sudo?
Kurt: I don’t do it. It’s too much of a hassle to be switching privileges back and forth. I just pay attention to the commands I’m entering, and pray for the best. So far so good, knock on wood.
EB: Do you ever neglect to log out?
Kurt: All the time. There are only a few people with access to our server room, so we tend to leave our systems logged on. But all of our systems are behind firewalls, so they’re safe.
EB: Have you had occasion to bypass Linux security, like for installation?
Kurt: When installing new software, you almost always have to change permissions on certain files, but it’s easiest to do that as root, too.
EB: Have you ever forgotten to change permissions back after an install?
Kurt: If I did, I don’t remember. I’d never do anything like that intentionally.
I’m as secure as I can figure out how to be, while still taking care of my real job responsibilities on any given day.
As far as I know, my network’s not “owned” by anyone. Until I find out, I’m not going to do anything about it.
EB: How do you feel when people tell you that you shouldn’t log in as root?
Kurt: I shouldn’t exceed the speed limit, either. But I get things done a he** of a lot faster when I do. I’ve got things to do.
EB: What caused you to go to Linux in the first place?
Kurt: Security. IIS is notoriously insecure, so we wanted to switch web servers. So is Exchange. If I’m going to be a half-a** network manager, I’d rather start off with an operating system that’s already reasonably secure. The amount of enterprise-class software we’ve been able to use is incredible, and you just can’t get that in the Microsoft world.
EB: So are you telling me price had nothing to do with it?
Kurt: OK. Security… and price.
EB: How do you manage vulnerability patching and upgrading?
Kurt: I stay as much on top of it as I can. I recently upgraded Apache and several other programs.
EB: Do you use any software that keeps you up-to-date or alerts you?
Kurt: I just pay attention to security sites, and keep the box firewalled off as much as possible.
EB: Would you say your updating is casual?
Kurt: When I’m made aware of a problem, I generally try and fix it.
EB: What kind of administrative training have you gone through?
Kurt: Bootstrapping. I am self-taught. I own almost the whole O’Reilly library. I spend a lot of time digging through message boards when a problem does come up.
EB: So you have no formal training. What made you think you could do this?
Kurt: I’m in a small business. I’ve never let lack of formal training stop me from anything. When a problem needs to be solved, I learn how to solve it. That’s how I was brought up.
EB: Thanks for your time.
Back to Earth…
We have plenty of customers like Kurt running Linux, Windows, and even… no. I don’t believe we have any Kurts riding BSD.
If you think we’re alone, cruise the forums, where you regularly see questions like: “since I connect through a router, do I really need firestarter (firewall) and clamav (anti-virus scanner)?”
As if that’s not bad enough, the world is littered with devices like the old Cisco 675 routers that let DSL users, who have no concept of CBOS/Nix, log in as root.
My crew runs into this stuff every day.
So forgive me if I portray a grittier side of the world than those who are certain that all Linux admins play by the rules. I can’t help it.
I’ve run across too many managers who picked up Nix at Barnes and Noble… taped to the outside of a magazine.
If you have any advice for Kurt… Please. Keep it civil. I have a delete button, and I know how to use it.
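One piece of advice for Kurt, written as an added example that is not part of the original post: a small audit that looks for the two leftovers he admits to, files whose permissions were loosened during an install and never tightened again, and root shells with no idle logout. The directory list, the TMOUT value and the fixture files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It checks for permissions
# left loose after an install and for a missing idle-logout timer (TMOUT).

# Print world-writable, setuid or setgid regular files under the given
# directories. Sticky-bit temp dirs such as /tmp are not listed here on purpose.
audit_perms() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) \
            -exec ls -ld {} \; 2>/dev/null
    done
}

# Count the findings so a caller can fail a check when anything turns up.
count_findings() {
    audit_perms "$@" | wc -l | tr -d ' '
}

# Return 0 if the given shell profile exports a positive TMOUT (so an idle
# root shell logs itself out), 1 otherwise.
has_idle_timeout() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT=[1-9][0-9]*' "$1" 2>/dev/null
}

# Constructed fixture so the script runs stand-alone: two files left
# world-writable after an "install", one set correctly, and two profiles.
make_fixture() {
    fx="$(mktemp -d)"
    mkdir -p "$fx/opt/app" "$fx/etc"
    printf 'x' > "$fx/opt/app/config.php"; chmod 0666 "$fx/opt/app/config.php"
    printf 'x' > "$fx/opt/app/setup.sh";   chmod 0777 "$fx/opt/app/setup.sh"
    printf 'x' > "$fx/opt/app/index.html"; chmod 0644 "$fx/opt/app/index.html"
    printf 'export TMOUT=600\n' > "$fx/etc/profile"   # assumed 10-minute limit
    printf '# no timeout here\n' > "$fx/etc/bashrc"
    echo "$fx"
}

FX="$(make_fixture)"
audit_perms "$FX/opt"
echo "findings: $(count_findings "$FX/opt")"
if has_idle_timeout "$FX/etc/profile"; then echo "profile sets TMOUT"; fi
if ! has_idle_timeout "$FX/etc/bashrc"; then echo "bashrc: no TMOUT"; fi
```

On a real box, point audit_perms at /opt, /usr/local and the web root instead of the fixture, and check the profile that root's shell actually reads.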