this post was submitted on 03 Jan 2024
80 points (85.1% liked)

Linux

48338 readers
385 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I have a few Linux servers at home that I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system), but if I have an issue, I've just been absentmindedly searching stuff up and trying to find solutions using the preinstalled Firefox instance from within the remote desktop itself, which would also be running as root.

I never even thought to install uBlock Origin on it or anything, but the servers are all configured to use a PiHole instance which blocks the vast majority of ads. However, I do also remember using the browser in my main server to figure out how to set up the PiHole instance in the first place, and that server also happens to be the most important one and is my main NAS.

I never went on any particularly shady websites, but I also don't remember exactly which websites I've been on as root, though I do seem to remember seeing ads during the initial pihole setup, because it didn't go very smoothly and I was searching up error messages trying to get it to work.

This is definitely on me, but it never crossed my mind until recently that it might be a bad idea to use a browser as root, and searching online everyone just states the general cybersecurity doctrine to never do it (which I'm now realizing I shouldn't have) but no one seems to be discussing how risky it actually is. Shouldn't Firefox be sandboxing every website and not allowing anything to access the base system? Between "just stop doing it" and "you have to reinstall the OS right now there's probably already a virus on there," how much danger do you suppose I'm in? I'm mainly worried about the security/privacy of my personal data I have stored on the servers. All my servers run Fedora KDE Spin and have Intel processors if that makes a difference?

you are viewing a single comment's thread
view the rest of the comments
[–] taladar@sh.itjust.works -5 points 10 months ago (29 children)

you should never directly login as root on any server, and those servers should be configured to not allow remote connections as the root user. You should always log in as a non-root user and only run commands as root using sudo or similar features

That is commonly recommended but I have yet to see a good solution for sudo authentication in this case that works as well as public key only SSH logins with a passphrase encrypted key and ssh-agent on the client-side. With sudo you constantly have to use passwords anyway which is pretty much unworkable if you work on dozens of servers.

[–] ElderWendigo@sh.itjust.works 4 points 10 months ago (17 children)

Whose letting you run dozens of servers if managing dozens of passwords is "pretty much unworkable" for you?

[–] taladar@sh.itjust.works -5 points 10 months ago (16 children)

Of course I can store dozens of passwords but if every task that requires a single command to be run automatically on e.g. "every server with pending updates" requires entering each of those passwords that is unworkable.

[–] 4am@lemm.ee 4 points 10 months ago (1 children)

FreeIPA and your password is the same on every machine: yours. (Make it good)

Service accounts should have either no sudo password or use something like Ansible with vault and keep every one of them scrambled and rotate regularly (which you can do with Ansible itself)

Yes, even if you have 2 VMs and a docker container, this is worth it.

[–] taladar@sh.itjust.works -3 points 10 months ago

FreeIPA and your password is the same on every machine: yours.

Any network based system like that sucks when you need to fix a system that has some severe issue (network, DNS, disk,...) which is exactly when root access is the most important.

load more comments (14 replies)
load more comments (14 replies)
load more comments (25 replies)