Brian said the following on 02/11/2007 10:22 PM:
I’m starting out with Rails on a Linux platform. How much of my
development should be done as root? Should I be worried about
permissions issues down the road, or just go on happily doing
everything as root on my development machine?
Please do not do ANYTHING except install and administer the machine
using root.
One of the evils of doing things with elevated privilege is that your
applications end up needing it, which is a Bad Thing™.
So that malware that might target me while reading mail or browsing the
web
- since, remember, there is now malware that doesn’t need you to
‘accept’ or
run it - cannot affect more than a restricted space, I never run with
elevated privilege except when doing maintenance.
However many ignorant application designers DO write code that HAS to be
run
as admin. Windows developers seem particularly prone to this, and its
very
difficult to explain to them that this shouldn’t be the case,
The reality is that XP and earlier don’t come shipped with ‘admin plus
other’, as will Vista - which is catching up with where *NIX was about
10
years ago, according to the presentation I attended last week - so many
small developers don’t bother setting up non-admin accounts.
When I audit - that’s my profession - corporate sites, I find they get
it
right. The cubicle worker’s machine is set up so that they don’t have
admin
privileges. But what the heck, they’re not developers.
Too many developers seem to think -erroneously - that they need God-like
powers in order to get their job done. Not so.
Strictly speaking, you don’t even need to be root to install ruby, rails
and
gems. The site where I host my Typo-based blog didn’t have ruby 1.8.4
or
rails or gems. I created local $HOME/bin, $HOME/lib and $HOME/.gem,
downloaded and compiled a local version of ruby 1.8.4, installed local
gem,
downloaded local gem packages and rails … and I was up an running.
I did all this WITHOUT being root - the ISP would have been outrageously
stupid if they were to allow customers to have root access! You can set
up
your machine like this too - its much safer to not be able to wipe out
the
machine with a small error
There is no reason whatsoever you should develop under root, and doing
so
may expose you and your application to risks. I can imagine a few, both
‘accidents’ and ‘targeted’.
There’s no reason you should EVER log in as root once the machine is
installed[1]. You can treat it, for the most part, like an ISP account.
In fact you should set up your machine so that
- you can only log in as root from the text-mode console
- you can’t log in as root from the GUI - EVER
I then go a bit further. Only a designated administration account can
SU to
root, and that account is only used for administering the machine.
Everything else is done with SUDO rather than SU, for a couple of
reasons.
- using SU you can forget to drop privilege and go on to make
mistakes
- using SUDO makes you think about which accounts should be allowed
to do
what (and when and why)
SU, by the way, is roughly similar to XP’s “runas”.
By analogy: you don’t give users unrestricted access to every method and
direct access to the database in a Rails application. That’s what root
amounts to. only scaled up to the machine.
[1] Other *NIX users will disagree with me here. but the reality is that
if
you are enough of a newb to Linux to ask this question then most of
the
reasons you might need root, pouring over system logs, hacking
system
files, are probably outside you experience and needs. You might as
well
be running from a “LiveCD” except for your development area.
If you need to do 'system stuff' the GUI menu item run in
non-privileged mode for it will ask you the root password and behave
much like SUDO, executing that one command. Since you aren't
familiar
with Linux, this is safer than hacking the system files directly or
using the command line.
If you want to become familiar with Linux "innards" rather than just
use
it as a development platform, then go ahead, but don’t do it on the
box
you are using for production. Treat it as a ‘scratch monkey’ box,
that
can be wiped out without loss.
–
I have no special talents. I am only passionately curious.
–Albert Einstein