-1

Possible Duplicate:
What's wrong with always being root?

I have a server running in a datacenter with strong firewall & VPN protection. I have a few Java apps which I have written myself running on these boxes.

Currently I only have root user and run everything as root.

Is there any reason why this might be a bad idea?

12
  • 2
    How confident are you that those java apps contain no vulnerabilities? Be honest now. That's what I thought. That is reason #253415 you don't run everything as root. Commented Apr 10, 2012 at 23:18
  • 1
    So your code has zero bugs and zero vulnerabilities? Commented Apr 10, 2012 at 23:21
  • 2
    It's been known to happen; even if you trust your code, there could always be an undiscovered bug in the JRE. Or in the system's standard libraries, upon which the JRE depends. Or even in the kernel (there have been some fun ones in Linux). Commented Apr 10, 2012 at 23:26
  • 5
    "I guess my point is I have limited linux experience" <---- and that is precisely why you should not be running everything as root. Commented Apr 10, 2012 at 23:34
  • 2
    You cannot realistically have confidence in any code you write if that code relies on other code which you did not write and have absolutely no control over. Extreme confidence is one of the most under-rated security risks. Commented Apr 10, 2012 at 23:58

1 Answer

9

Your precautions have mitigated a large percentage of the threats that feast on low-hanging fruit. I commend you for that.

Three broad categories of threats remain:

1. You.

You are your own worst enemy. I am mine. Running everything as root means that you are always one swift keystroke away from doom and lamentation. Even if you know your apps, there are always bugs and squirrely things waiting to be found that you didn't know about. If they are found with root, then weep and howl for your miseries which are coming upon you.

2. Others.

Even if you've mitigated the large percentage of threats that exist in the wild, there are always vulnerabilities that you hadn't thought of or didn't know about. Sure your firewall, VPN and etc. and etc. are safe, but really... maybe your switches aren't or your update server or your... you get the idea. If things are nicely segregated, then you can sleep that little bit better at night knowing that even if there's something that you didn't know about (and there is) at least you've put a few more hurdles in the path to total destruction.

3. Resource Depletion

Running a process as root means it has unfettered access to your server's resources and has the potential to bring it to its knees. Whether that's through a memory leak, maxing out inodes or a few other possibilities - it's all bad and can more easily be mitigated by running it as a non-root user.

2
  • 2
    Don't forget the weeping, gnashing of teeth, and tearing of clothes. :) Commented Apr 10, 2012 at 23:23
  • 2
    And you can kiss your ass goodbye if you've ever got to pass any kind of official certification, like PCI-DSS, or SOX. Commented Apr 11, 2012 at 0:18
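
One way to apply the answer's three points to a self-written Java app is a dedicated service account plus per-service limits. This is an added example, not part of the original question or answer; it assumes a Linux host using systemd, and the account name `javaapp`, the unit name and all paths are hypothetical.

```ini
# /etc/systemd/system/javaapp.service  (hypothetical name and paths)
# One-time setup, run by an administrator:
#   useradd --system --no-create-home --shell /usr/sbin/nologin javaapp
#   install -d -o javaapp -g javaapp /var/lib/javaapp

[Unit]
Description=Example Java application run under a dedicated account
After=network.target

[Service]
# Without User=/Group= a system service runs as root, which is the
# situation described in the question.
User=javaapp
Group=javaapp
WorkingDirectory=/var/lib/javaapp
ExecStart=/usr/bin/java -Xmx512m -jar /opt/javaapp/app.jar

# "You" and "Others": a bug in the app, the JRE or a library is confined
# to what this account can reach.
NoNewPrivileges=yes
# Empty value = no capabilities at all.
CapabilityBoundingSet=
# Mount the file system read-only for this service ...
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# ... except the one directory the app is meant to write to. Placing it on
# its own file system or under a per-user quota also bounds inode use.
ReadWritePaths=/var/lib/javaapp

# "Resource Depletion": a memory leak or runaway thread creation stops at
# these ceilings instead of taking the whole server down.
# MemoryMax= needs cgroup v2; older hosts use MemoryLimit= instead.
MemoryMax=768M
TasksMax=512
LimitNOFILE=4096
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl start javaapp`, running `ps -o user= -p "$(systemctl show -p MainPID --value javaapp)"` should print `javaapp` rather than `root`.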
