Do simple Linux servers really need a non-root user for security reasons?

There are a few reasons:

  • traceabilty: Commands run with sudo are logged. Commands run with bash are sometimes logged, but with less detail and using a mechanism that is easy to block.

  • privilege separation: almost every command is not the same as every command. There's still plenty which doesn't require root

  • file editing: the web files are owned by a non-root user and run by a non-root user... so why would you edit them with root?

  • attack mitigation: Consider the following totally-not-even-hypothetical scenario: Your workstation gets some malware on it which filches your FTP/SCP/SFTP/SSH login out of the stored authentication database from the appropriate client and transmits it to the attacker. The attacker logs on to your device to do some mischief. Now, can they cover their tracks, or will what they do be visible to you? I talk to someone new more than once every week to whom this has recently happened.

  • automated attack mitigation: A hacked server in Brazil is scanning your network and pulls up a listening SSH server. What username does the attacker use for his automated attack? Maybe webuser, or test, or www or admin -- but more than any other: root.

There are certainly many more reasons, but these are the first ones to come to my head.


Just seen this, a bit late, but...

No - a simple web server can be administerd by root and still be basically secure.

It is true that there are some benefits to admining as non-root, but these are minor and vastly overstated by most security advice. It's much more important to secure your network facing services. Keep the web server patched and check for application-layer flaws in your web app.

To respond to tylerl's points:

  • traceability - this might be valid if you had multiple admins, but if it's just you, then you are fully traceable working as root.

  • privilege separation - I expect in practice you would do so little as non-root that this makes no difference.

  • file editing - See above

  • attack mitigation - If you have malware on your workstation, all bets are off. If you use password-less sudo, the attack he mentions still works. If you use su then the malware can get your password using a keylogger.

  • automated attack mitigation - If you follow standard advice of using strong passwords (or use SSH keys instead) then a brute forcer won't get in anyway.

Tags:

Linux

Webserver

Ssh

Network

Web Application

Recent Posts