this post was submitted on 03 Jan 2024
72 points (85.3% liked)

Linux

48031 readers
1383 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I have a few Linux servers at home that I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system), but if I have an issue, I've just been absentmindedly searching stuff up and trying to find solutions using the preinstalled Firefox instance from within the remote desktop itself, which would also be running as root.

I never even thought to install uBlock Origin on it or anything, but the servers are all configured to use a PiHole instance which blocks the vast majority of ads. However, I do also remember using the browser in my main server to figure out how to set up the PiHole instance in the first place, and that server also happens to be the most important one and is my main NAS.

I never went on any particularly shady websites, but I also don't remember exactly which websites I've been on as root, though I do seem to remember seeing ads during the initial pihole setup, because it didn't go very smoothly and I was searching up error messages trying to get it to work.

This is definitely on me, but it never crossed my mind until recently that it might be a bad idea to use a browser as root, and searching online everyone just states the general cybersecurity doctrine to never do it (which I'm now realizing I shouldn't have) but no one seems to be discussing how risky it actually is. Shouldn't Firefox be sandboxing every website and not allowing anything to access the base system? Between "just stop doing it" and "you have to reinstall the OS right now there's probably already a virus on there," how much danger do you suppose I'm in? I'm mainly worried about the security/privacy of my personal data I have stored on the servers. All my servers run Fedora KDE Spin and have Intel processors if that makes a difference?

top 50 comments
sorted by: hot top controversial new old
[–] lemmyvore@feddit.nl 190 points 10 months ago (2 children)

You seriously need to stop what you're doing. Log in with ssh only. If you need multiple terminals use multiple ssh sessions, or screen/tmux. If you need to search something do it on your desktop system.

The server should not have Firefox installed, or KDE, or anything related to desktop apps. There's no point and nothing good can come of it.

[–] Dirk@lemmy.ml 54 points 10 months ago (1 children)

This. Thread should have officially ended here.

[–] Falcon@lemmy.world 4 points 10 months ago

Yeah there’s a bit of scope to review what op is doing here.

Why is there even a DE on a server if it’s headless. If it’s not headless why not write up some Dockerfiles and manage it from a non-root account?

Are the services running as root?

Also, is it being accessed via wireguard/ovpn? It would be unwise to run a server as root with an open port.

[–] desmosthenes@lemmy.world 2 points 10 months ago

came to say this

[–] remotelove@lemmy.ca 64 points 10 months ago (1 children)

Your frame of mind is "dangerous". If you are browsing on your servers as root, you need to not manage servers anymore. If that sounded harsh, learn about attack surface area first and then I might let you back in the server room.

You won't find discussions about running browsers as root because it's not something you should need to discuss. Also, you don't need to be browsing "shady" websites to get compromised. Get that myth out of your head.

find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system

How is extra steps and added latency more convenient? The latency of a console via remote desktop would drive me crazy. Hell, I haven't installed any kind of desktop environment on Linux server for over 20 years. It's not needed and a waste of resources. Who needs file managers anyway?

[–] Potatos_are_not_friends@lemmy.world 33 points 10 months ago* (last edited 10 months ago)

Your frame of mind is "dangerous". If you are browsing on your servers as root, you need to not manage servers anymore. If that sounded harsh, learn about attack surface area first and then I might let you back in the server room.

You sir/ma'am hit it right on the head.

The "run root on Firefox" isn't the issue, it's the red flag. Security is a mindset. Failure to understand the core philosophy of why we have roles and permissions means you're untrusted. It really isn't personal. It's security.

[–] MimicJar@lemmy.world 59 points 10 months ago

https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/

That's a link to the most recent release of Firefox and the security vulnerabilities that were fixed.

You'll notice the first one listed says, "This issue could allow an attacker to perform remote code execution and sandbox escape."

So if you visited a site that exploited that bug, it escaped the sandbox and ran whatever code it wanted to. Since you were running as root it could do anything it wants. Your device is now the property of someone else. Potentially all your data has been stolen. You probably didn't even notice.

Now. Realistically. You probably didn't get exploited. Your device may not be vulnerable to that particular bug. But new bugs are found, and fixed, and created every day. Can you be sure you weren't exploited?

Let's look at it a different way. Think of it like driving a car with no seatbelt or airbags. As long as you don't crash, you're fine. The car still works fine without seatbelts and you have more freedom to move your arms around.

Let's look at it a different way. Do you ever lock the door to your home/apartment? Heck do you even close the door? Why not leave it wide open?

At the end of the day security is about layers and the trade offs for convenience. You can run KDE as root, and you can run Firefox as root. You'll probably be fine. It's like driving without a seatbelt or leaving your front door wide open, but you can do it. If you do drive with a seatbelt and at least close your front door, you can probably run KDE and Firefox as a regular user.

[–] possiblylinux127@lemmy.zip 44 points 10 months ago

I think there are many security issues with your setup. You really, really shouldn't do everything as root. That is just a time bomb waiting to blow.

[–] taladar@sh.itjust.works 36 points 10 months ago

but no one seems to be discussing how risky it actually is.

That is because people stopped doing it ages ago.

But shouldn’t Firefox be sandboxing every website and not allowing anything to access the base system?

Security is always a matter of layers. Any given layer can fail some of the time but you want to set up your security so situations where all the layers fail together are rare.

[–] FishFace@lemmy.world 32 points 10 months ago

An overarching principle of security is that of minimum privilege: everything (every process, every person) should have the minimum privileges it needs to do what it does, and where possible, that privilege should be explicitly granted temporarily and then dropped.

This means that any issue: a security breach or a mistake can't access or break anything except whatever the component or person who had the issue could access or break, and that that access is minimal.

Suppose that you hit a page which exploits the https://www.hkcert.org/security-bulletin/mozilla-firefox-remote-code-execution-vulnerability_20230913 vulnerability in Firefox, or one like it, allowing remote code execution. If Firefox is running as root, the remote attacker now completely controls that machine. If you have SSH keys to other servers on there, they are all compromised. Your personal data could be encrypted for ransom. Anything that server manages, such as a TV or smart home equipment, could be manipulated arbitrarily, and possibly destroyed.

The same is true for any piece of software you use, because this is a general principle. Most distributions I believe don't let you ssh in as root for that reason.

In short: don't log in to anything as root; log in as a regular user and use sudo to temporarily perform administrator actions.

P.S. your description of the situation shows you don't know the nature of vulnerabilities and security - if you're running servers then this is something you should learn more about in short order.

[–] SpaceCadet@feddit.nl 31 points 10 months ago* (last edited 10 months ago) (1 children)

Realistically it's not super dangerous, and no you probably don't have a virus just from browsing a few tech support sites, but you do eliminate your last line of defense when you run software as root. As you know, root can read/change/delete anything on your system whereas regular users are generally restricted to their own data. So if there is a security problem in the software, it's made worse by the fact that you were running it as root.

You are right though that Firefox does still have its own protections - it's probably one of the most hardened pieces of software on your computer exactly because it connects to the whole wide internet - and those protections are not negated by running as root. However if those protections fail, the attacker has the keys to the kingdom rather than just a sizable chunk of the kingdom.

To put that in perspective though, if there is a Firefox exploit and a hacker gets access to your regular user account, that's already pretty bad in itself. Even if you run as a regular unprivileged user they would still have have access to things like: your personal documents, your ssh keys, your Firefox profile with your browsing history, your session cookies and your saved passwords, your e-mail, your paypal account, your banking information, ...

As root, they could obviously do even more like damage like reading all users' data, installing a keylogger or screengrabber, installing a rootkit to make themselves undetectable, but for most regular users most of the damage is already done when their own account is compromised.

So when these discussions come up, I always have to think about this XKCD comic:

[–] taladar@sh.itjust.works 3 points 10 months ago (1 children)

They might have access to all that data once but a lot of the paths towards making that a persistent threat that doesn't go away after the next reboot and most of the ones towards installing something even deeper in the system that might even survive a reinstall do require root.

[–] SpaceCadet@feddit.nl 6 points 10 months ago

That's what I said yes.

[–] amju_wolf@pawb.social 23 points 10 months ago* (last edited 10 months ago) (3 children)

I don't want to step on your workflow too much since it somehow seems to work for you but your main issue stems from the fact that you clearly don't work with your server as if it actually was a server.

You shouldn't really have a desktop interface running there in the first place (let alone as root and then using it as a regular user). You should ask yourself what it actually solves for you and be open to trying different (and more standard) solutions to what you're trying to achieve.

It'd probably consist of less clicking and using the CLI a bit more, but for stuff like file management you can still easily use mc.

If you need terminal sessions that keep scrollback and don't stop when you disconnect you should learn to use tmux or screen or something like that. But then again if you're running actual software in there then you should probably use a service (daemon) for that.

As for whether it's a security issue, yeah it most definitely is. Just like it's a security issue to run literally any networked application as root. Security isn't black and white and there are trade offs to be made but most people wouldn't consider what you're doing a reasonable tradeoff.

load more comments (3 replies)
[–] henrikx@lemmy.dbzer0.com 21 points 10 months ago

My goodness

[–] Falcon@lemmy.world 14 points 10 months ago

I have no clue how dangerous running Firefox as root is, but it begs the question…why would you do that?

Create a user account for managing things and create a separate user for each service and/or containers.

For managing things use tmux with ssh, if you want to manage files etc. just use ranger/lf/mc. One can also mount the file system with sshfs.

[–] rottingleaf@lemmy.zip 13 points 10 months ago

Yes, it is. As a user you compromise only that user as a consequence of some sandbox escape. Then there may or may not be some successful privilege elevation.

[–] arjache@kbin.social 13 points 10 months ago (22 children)

As a general best practice, you should never directly login as root on any server, and those servers should be configured to not allow remote connections as the root user. You should always log in as a non-root user and only run commands as root using sudo or similar features offered by your desktop environment. You should be wary of even having an interactive root shell open; usually I would only do so on a VM console, when first setting up a system or debugging it.

By doing this, you not only guard against other people compromising your system, but also against accidentally running commands as root that could damage your system. It’s always best to only run things with the minimum permissions they need, and then only grant them additional permissions on an as-needed basis.

load more comments (22 replies)
[–] Anticorp@lemmy.ml 12 points 10 months ago

It's about as dangerous as using IE in the old days, or Edge in administrator mode.

[–] Dyskolos@lemmy.zip 12 points 10 months ago

Just don't do that 😁

I don't get it anyway, if you login remotely, why don't you just open firefox locally but on the remote servers? This makes not much sense.

But If you absolutely have to. .. At least be careful with your surf-targets. A search-engine and wiki would most likely be fine. Some pron-, stream- or warez-sites? Nah. Surely not.

[–] BigTrout75@lemmy.world 11 points 10 months ago

This is like removing a safety feature in your car. Like removing seatbelts or maybe anti-lock brakes.

[–] ThankYouVeryMuch@kbin.social 10 points 10 months ago* (last edited 10 months ago)

I just wanted to add that you can run gui applications through ssh with x11 forwarding, options -X or -Y (untrusted/trusted but at least in Debian back in the day they behaved the same). So if you wanted a gui file manager you run it in the ssh session on the remote server, sudo if you need but NEVER logged as root, and the window will pop on your local DE instead of having to run an entire desktop on each server

[–] hunger@programming.dev 9 points 10 months ago (1 children)

Usig anything as root is a security risk.

Using any UI application as root is a bigger risk. That's because every UI toolkit loads plugins and what not from all over the place and runs the code from those plugins (e.g. plugins installed system wide and into random places some environment variables point to). Binary plugins get executed in the context of the application running and can do change every aspect of your program. I wrote a small image plugin to debug an issue once that looked at all widgets in the UI and wrote all the contents of all text fields (even those obfuscated to show only dots in the UI) to disk whenever some image was loads. Plugins in JS or other non-native code are more limited, but UI toolkits tend to have binary plugins.

So if somebody manages to set the some env vars and gets root to run some UI application with those set (e.g. using sudo), then that attacker hit the jackpot. In fact some toolkits will not even bring up any UI when run as root to avoid this.

Running any networked UI application as root is the biggest risk. Those process untrusted data by definition with who knows what set of plugins loaded.

Ideally you run the UI as a normal user and then use sudo to run individual commands as root.

[–] HiddenLayer5@lemmy.ml 2 points 10 months ago (1 children)

So is the main worry with GUIs that they have potential code execution vulnerabilities? Or is the worry that the plugins themselves are malicious?

[–] hunger@programming.dev 4 points 10 months ago

Plugins are a code execution vulnerability by design;-) Especially with binary plugins you can call/access/inspect everything the program itself can. All UI toolkits make heavy use of plugins, so you can not avoid those with almost all UI applications.

There are non-UI applications with similar problems though.

Running anything with network access as root is an extra risk that effects UI and non-UI applications in the same way.

[–] dbx12@programming.dev 9 points 10 months ago (5 children)

Without any judgement: why are your servers running X11? Just because you dislike SSH'ing to them?

load more comments (5 replies)
[–] GustavoM@lemmy.world 6 points 10 months ago* (last edited 10 months ago)

That'd be the same as asking if leaving your house front door open is dangerous -- it depends. If an ill-intended individual sees it open however, s/he won't think twice to trash your home.

[–] gnuhaut@lemmy.ml 4 points 10 months ago

On a typical home user desktop linux setup, there's virtually no difference between your regular user and root.

Access to your data, emails, passwords, installing software (in /home), access to LAN and so on are already possible without root permissions, so there really is not a whole lot that an attacker cannot do even without root.

And then, if you use sudo or su (or whatever) to switch to root with a password, escalating to root privileges is basically trivial for an attacker. An attacker can divert your PATH to compromised binaries. They could just replace "sudo" with their own little script that steals your password.

[–] FuckBigTech347@lemmygrad.ml 3 points 10 months ago* (last edited 10 months ago)

Firefox does sandbox everything but vulnerabilities exist and sometimes go unnoticed for a while before they're discovered and patched. If a malicious script does manage to escape the sandbox it will be able to do literally anything to the system since it has root privileges. It would have full access to any device that's in /dev, it could create, modify and delete udev or iptables rules, it could mess with the BIOS since the kernel exposes EFI variables, if the mainboard has re-writable flash chips for the firmware it could write malicious code to them since they may show up in /dev, etc. If any of this makes you uneasy then you probably should stop running stuff as root in general except for when you really need to.

Also in general you don't want to run any graphical applications on a Server unless there is a very specific reason for it because it takes up extra resources and therefore makes the machine use more power overall. This is especially bad when the machine in question has no hardware acceleration and renders everything in software. Remote desktop also adds CPU/GPU load and takes up a good bit of I/O and network bandwidth which is not ideal for a NAS server.

[–] 0xtero@beehaw.org 2 points 10 months ago* (last edited 10 months ago) (4 children)

I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system)

I'm not going to judge you (too much), it's your system, but that's unnecessarily risky setup. You should never need to logon to root desktop like that, even for convenience reasons.

I hope this is done over VPN and that you have 2FA configured on the VPN endpoint? Please don't tell me it's just portforward directly to a VNC running on the servers or something similar because then you have bigger problems than just random 'oops'.

I do also remember using the browser in my main server to figure out how to set up the PiHole

To be honest, you're most probably OK - malicious ad campaigns are normally not running 24/7 globally. Chances of you randomly tumbling into a malicious drive-by exploit are quite small (normally they redirect you to install fake addons/updates etc), but of course its hard to tell because you don't remember what sites you visited. Since most of this has gone through PiHole filters, I'd say there's even smaller chance to get insta-pwned.

But have a look at browser history on the affected root accounts, the sites along with timestamps should be there. You can also examine your system logs and correlate events to your browser history, look for weird login events or anything that doesn't look like "normal usage". You can set up some network monitoring stuff (like SecurityOnion) on your routers SPAN, if you're really paranoid and try to see if there's any anomalous connections when you're not using the system. You could also consider setting up ClamAV and doing a scan.

You're probably OK and that's just paranoia.

But... having mentioned paranoia... now you'll always have that nagging lack of trust in your system that won't go away. I can't speak to how you deal with that, because it's all about your own risk appetite and threat model.

Since these are home systems the potential monetary damage from downtime and re-install isn't huge, so personally I'd just take the hit and wipe/reinstall. I'd learn from my mistakes and build it all up again with better routines and hygiene. But that's what I'd do. You might choose to do something else and that might be OK too.

load more comments (4 replies)
load more comments
view more: next ›