Newbie question - do development as root?

I’m starting out with Rails on a Linux platform. How much of my
development should be done as root? Should I be worried about
permissions issues down the road, or just go on happily doing
everything as root on my development machine?

Thanks,
Brian

Brian wrote:

I’m starting out with Rails on a Linux platform. How much of my
development should be done as root?

Almost none. To install you will occassionally ‘sudo gem install …’.

Should I be worried about
permissions issues down the road, or just go on happily doing
everything as root on my development machine?

That’s a Linux FAQ; modern Linux goes a long way towards discouraging
flight-time as root, and towards helping you not need to.

The general rule of thumb is this: Imagine if your Linux box actually
had
multiple concurrent users. (It has far greater potential for them than
WinXP
does, for example.) Anything you do that could affect them (except
trivial
things like mount a CD-ROM), you should do as root. Because installing
software affects them, you should sudo to install.

Do everything else as a normal user. If you don’t upgrade Rails or Gems,
you
can work on any aspect of your development website as a normal user.

(After you are proficient with sudo, you can get into /etc/sudoers and
remove the password requirement. That’s only if you understand the
implications!)

Modern Linux discourages running as root because you might accidentally
overwrite a system file and leave the computer open to others. Or lock
you
out.


Phlip
http://www.greencheese.us/ZeekLand <-- NOT a blog!!!

Brian said the following on 02/11/2007 10:22 PM:

I’m starting out with Rails on a Linux platform. How much of my
development should be done as root? Should I be worried about
permissions issues down the road, or just go on happily doing
everything as root on my development machine?

Please do not do ANYTHING except install and administer the machine
using root.

One of the evils of doing things with elevated privilege is that your
applications end up needing it, which is a Bad Thing™.

So that malware that might target me while reading mail or browsing the
web

  • since, remember, there is now malware that doesn’t need you to
    ‘accept’ or
    run it - cannot affect more than a restricted space, I never run with
    elevated privilege except when doing maintenance.

However many ignorant application designers DO write code that HAS to be
run
as admin. Windows developers seem particularly prone to this, and its
very
difficult to explain to them that this shouldn’t be the case,

The reality is that XP and earlier don’t come shipped with ‘admin plus
other’, as will Vista - which is catching up with where *NIX was about
10
years ago, according to the presentation I attended last week - so many
small developers don’t bother setting up non-admin accounts.

When I audit - that’s my profession - corporate sites, I find they get
it
right. The cubicle worker’s machine is set up so that they don’t have
admin
privileges. But what the heck, they’re not developers.

Too many developers seem to think -erroneously - that they need God-like
powers in order to get their job done. Not so.

Strictly speaking, you don’t even need to be root to install ruby, rails
and
gems. The site where I host my Typo-based blog didn’t have ruby 1.8.4
or
rails or gems. I created local $HOME/bin, $HOME/lib and $HOME/.gem,
downloaded and compiled a local version of ruby 1.8.4, installed local
gem,
downloaded local gem packages and rails … and I was up an running.

I did all this WITHOUT being root - the ISP would have been outrageously
stupid if they were to allow customers to have root access! You can set
up
your machine like this too - its much safer to not be able to wipe out
the
machine with a small error

There is no reason whatsoever you should develop under root, and doing
so
may expose you and your application to risks. I can imagine a few, both
‘accidents’ and ‘targeted’.

There’s no reason you should EVER log in as root once the machine is
installed[1]. You can treat it, for the most part, like an ISP account.
In fact you should set up your machine so that

  • you can only log in as root from the text-mode console
  • you can’t log in as root from the GUI - EVER

I then go a bit further. Only a designated administration account can
SU to
root, and that account is only used for administering the machine.

Everything else is done with SUDO rather than SU, for a couple of
reasons.

  • using SU you can forget to drop privilege and go on to make
    mistakes
  • using SUDO makes you think about which accounts should be allowed
    to do
    what (and when and why)

SU, by the way, is roughly similar to XP’s “runas”.

By analogy: you don’t give users unrestricted access to every method and
direct access to the database in a Rails application. That’s what root
amounts to. only scaled up to the machine.

[1] Other *NIX users will disagree with me here. but the reality is that
if
you are enough of a newb to Linux to ask this question then most of
the
reasons you might need root, pouring over system logs, hacking
system
files, are probably outside you experience and needs. You might as
well
be running from a “LiveCD” except for your development area.

If you need to do 'system stuff' the GUI menu item run in
non-privileged mode for it will ask you the root password and behave
much like SUDO, executing that one command.  Since you aren't 

familiar
with Linux, this is safer than hacking the system files directly or
using the command line.

If you want to become familiar with Linux "innards" rather than just 

use
it as a development platform, then go ahead, but don’t do it on the
box
you are using for production. Treat it as a ‘scratch monkey’ box,
that
can be wiped out without loss.


I have no special talents. I am only passionately curious.
–Albert Einstein

Brian wrote:

I’m starting out with Rails on a Linux platform. How much of my
development should be done as root? Should I be worried about
permissions issues down the road, or just go on happily doing
everything as root on my development machine?

Thanks,
Brian

If you run

rails myproject

as an “ordinary user”, you’ll get your rails project set up in the
directory “myproject”, writable by the ordinary user.

If you build your project below the myproject directory as that ordinary
user, you can run ruby script/server (as that ordinary user) and access
the application through a web browser on port 3000 normally. You
shouldn’t have any problem with respect to root / none-root.

You have some options for production deployment (mongrel, fast-cgi,
etc), but you should not need to pull out root for that either. In fact,
it is possible to run for example mongrel as an ordinary,
non-www-special user on a non-privileged port (3000, 4000, etc.) and
have your webserver forward requests to that port (or several for
load-balancing)

Hope that helps.

Stephan

Anton A. wrote:

When I audit - that’s my profession - corporate sites, I find they get it
right. The cubicle worker’s machine is set up so that they don’t have admin
privileges. But what the heck, they’re not developers.

Too many developers seem to think -erroneously - that they need God-like
powers in order to get their job done. Not so.

So if I can’t explain to my 11yo rugrat why she shouldn’t click on
every gawd-damned thing that says “download me!”, beginning with
Yahoo’s crap, then I can at least go to the Windows XP Users control
panel applet and switch her account to non-admin, right?

Noope! She can apparently still download them. Give me a reason not to
Linucize this cess-pool? Oh, we wouldn’t be able to watch TV on it
then?!

sigh<

[1] Other *NIX users will disagree with me here. but the reality is that if
you are enough of a newb to Linux to ask this question then most of the
reasons you might need root, pouring over system logs, hacking system
files, are probably outside you experience and needs. You might as well
be running from a “LiveCD” except for your development area.

Oh, and I don’t have enough trouble already getting stuff to install
and integrate correctly to either /usr/ or /usr/local?


Phlip
http://c2.com/cgi/wiki?ZeekLand <-- NOT a blog!!

Phlip said the following on 02/12/2007 12:32 PM:

So if I can’t explain to my 11yo rugrat why she shouldn’t click on
every gawd-damned thing that says “download me!”, beginning with
Yahoo’s crap, then I can at least go to the Windows XP Users control
panel applet and switch her account to non-admin, right?

Noope! She can apparently still download them. Give me a reason not to
Linucize this cess-pool? Oh, we wouldn’t be able to watch TV on it
then?!

Have you actually tried that?

Windows/XP/SP2 - set up an account that does have admin.

Now log in to it and go to … say OpenOffice.Org and download
their installer.

Now try running it to install OpenOffice.

The issue isn’t downloadng. Its INSTALLING.

Some nasty stuff out there tries to install automatically or to trick
the
user into installing.

Unless you have admin permission you can’t install.
THAT’s the point of not running as admin – or root.


Asking if computers can think is like asking if submarines can swim.

Anton A. said the following on 02/12/2007 01:13 PM:

Have you actually tried that?

Windows/XP/SP2 - set up an account that does have admin.

TYPO ALERT *********************************************

Missing “not”
Should read:
set up an account that does NOT have admin.

Unless you have admin permission you can’t install.
THAT’s the point of not running as admin – or root.


Sacred cows make the best hamburgers.
–Mark Twain

Phlip said the following on 02/12/2007 12:32 PM:

Oh, and I don’t have enough trouble already getting stuff to install
and integrate correctly to either /usr/ or /usr/local?

sigh
How about I trade you some of my UNIX experience for some of your Ruby
and
Rails experience?

I don’t seem to have the problems you describe but flounder like a
Coelacanth out of water when it comes to rails. I seem to try
everything
before getting something to work. If ever.

The sketches on my whiteboard of what the pages should look like are
great
and the E-R model is fine, but things like the routes and getting the
parent-child on the page is defeating me.

“Oh, and don’t I have enough trouble …”


What Yoda meant to say:
Java leads to Shockwave. Shockwave leads to RealAudio.
RealAudio leads to suffering.

Thank you all for your insights!

Brian

Anton A. wrote:

TYPO ALERT *********************************************

    Missing "not"
    Should read:
            set up an account that does NOT have admin.

Sacred cows make the best hamburgers.
–Mark Twain

Hmmmm. E. coli!


Phlip
http://c2.com/cgi/wiki?ZeekLand <-- NOT a blog!!

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs