Should the sole user of a *nix system have two accounts?

Question

Should the sole user of a *nix (particularly Linux and MacOS) have two accounts, one with sudo privileges and one without? Years ago I read that on your personal computer you should do your daily tasks as an unprivileged user and switch to a privileged user for administration tasks. Is this true?

Note: I am not referring to whether or not you should log in as root for daily use. That's obviously a bad idea, but should your daily use account be able to use sudo?

Second note: I am specifically referring to personal devices that are not being used as servers or to host any functionality for remote users.

Answer 1

Updated dramatically after 69 upvotes, see answer history for original answer. Thanks to @JimmyJames for the discussion.

---

First, let's talk about threat model: what are you trying to stop the potential attacker from doing?

Threat model: identity theft / ransomeware on a single-user system

Generally for end-user systems the de facto threat model is identity theft / ransomware. If the attacker has access to your documents and/or can run shell commands as you, it's game over. From that perspective, root access doesn't gain the attacker anything; they can get what they want without it.

If identity theft / malware is the only thing you're worried about, then it doesn't seem like it matters much whether your user has sudo powers, or ever whether the browser is running as root.

(I should also point out that malware / connecting you to a botnet can happen without root access since login scripts / scheduling a cron job does not require root).

Randall Munroe at XKCD seems to agree with this view:

Lastly, I'll add this disclaimer: Yes, I'm aware that this goes against the general public opinion that "more security is always better". It's just not true. Sometimes more security is worse, like overly complex password policies that end up forcing people to write down their passwords. You always have to look at the risks and decide how much security is actually appropriate. In this case there's no harm to locking down root access, but you are making your life more complicated and it's not clear that you're gaining anything from it.

Threat model: root access or multi-user system

If you have a threat model where the attacker wants something that only root has access to, or there is more than one user account on the machine, then the answer actually depends on which *nix you're talking about. This is quickly getting away from personal computer cases and into server cases, but I'll discuss anyway. For linux, because of a bug (*ahem feature*) in the Xorg windowing system, your everyday account should probably not have sudo powers. For operating systems that don't use X, it's probably ok.

Linux (running X.org window system)

Here's a great article that shows you how to log all keystrokes on a gui linux machine using a simple user-land (non-root) shell command. In summary:

$ xinput list shows you all connected human-input devices

$ xinput test <id> starts echoing all keystrokes on the selected device.

I tested and I get logs of the password that I type into sudo in a different terminal window. If I lock my computer then when I log back in, I see logs of the password I typed into the lock screen. Apparently this is not a bug in X, it's a feature. Right, I'm gonna go hide under my bed now.

So yeah, this supports the idea that any user you log into in the gui with should not have sudo powers because it's trivial to log your password and then become root. I suppose you should have a dedicated account for sudoing and switch to a TTY terminal (ctrl+alt+#) when you want to use sudo. Whether or not this is worth worrying about is up to you: personally, all the data I care about is already there in my user account, but I probably will change my laptop setup because I'm a security nerd.

Note that in my tests I was not able to keylog across users. Doing "Switch Account" in the gui, or startx in a new tty terminal seems to launch an isolated instance of X.

Thanks to @MichaelKjörling for this observation:

That's one of the things that Wayland [windowing system designed to replace X] actually tries to fix (see the bullet point on security). Remember that X11 originated at a time when the threat model was hugely different from what it is today.

For sysadmins: this reinforces the habit of only interacting with your Linux boxes over ssh, never use the GUI.

Mac OSX

I'm not an OSX expert, but I know that it does not use the Xorg server so I would assume that Apple's GUI handles this properly, but I would love for someone more expert than me to weigh in.

Windows

I'm not a Windows expert either, but I believe that the User Account Control (UAC) feature introduced in Windows 7 addressed this by having admin prompts render in a secure desktop whose input busses are isolated from your regular desktop.

Answer 2

In most situations, requiring a password with sudo is sufficiently enough protection.

The primary difference between suing to another account and sudoing to gain privileges is that with sudo you enter the same password you used to log in. If your threat model assumes that an attacker has your account password, then you're already in pretty deep trouble, more than another password on the root account will protect you from.

Answer 3

I have found that having two accounts on my unix systems is essential for the following reason:

If I ever mess up my .bashrc or other login / terminal setup files I can get into a sitution where I cannot even log in. So I am totally borked. This is the worst situation imaginable as you can't do much if you can't log in.

The only way I was able to fix this on a couple of computers was having the other login which allows me to go in and using sudo, fix the startup files for my primary account. I then log out of my account'2' and back into my regular account.

Sometimes I might be able to use the boot from USB option but to be honest I find being able to log into another account, use sudo and fix my .bashrc then logout and back into the other account can all be done in a few second with the second login and much less scary / unfamiliar than the USB boot to fix option for me. Of course YMMV (Your Mileage May Very)

Answer 4

I'm using this setup, but the reason goes beyond a single system.

If you want backups which provide some protections against ransomeware (and you don't like to assume no-one will write ransomeware for Linux), you need to be backing up to an external system which keeps multiple revisions.

However, I haven't got a dedicated workstation/terminal for administration of the backup server. Logging in as a separate user for this (not using su) provides one layer of protection here. If my normal login had sudo privileges, there'd still be a speed bump, but it would be pretty thin (obscurity, and malware would have to capture the sudo password).

Answer 5

What is the benefits of sudo ?

You don't need to share the root password with every user to perform some type of administrative tasks on your own system.

The authentication automatically expires after a short time (15 min) and you can set timestamp_timeout=0 under /etc/sudoers to makes the sudo password expire every 0 (zero) seconds. This means that every time you use sudo, you will be asked for the password.

What is the disadvantages of sudo :

When a user use a weak password it will allow an attacker to quickly crack the user password and elevate the privilage to get the root access

The root password can be locked by default in some linux distro like Ubuntu. Why?

Because in the presence of the root account , an attacker will try the first time brute-force the root password. It will be more complicated if the root account is disabled .

A user can change the ownership of system files by knowing the root password or harming your system by executing a malicious programs.

Answer 6

All PC users should have at least local admin, but common sense dictates this be password protected (Android users note this.). Depending upon usage I see no reason why there cannot be just one account. This is the case for Puppy Linux and has been quite successful for years. However it is good to have two levels of protection and a separate /sbin folder for those times we are clumsy and/or foolish. It is one thing to butt dial someone, it is another to butt delete directories. Lazy users will just add all they need to the sudoers file. Privilege escalation generally relies upon having access to some account in the first place, so we control this. Accounts on servers and appliances need to be justified, and we care about our workstation being used as a defacto appliance against us. The point is, for many PC's there is no other real user.

Answer 7

Every machine needs a admin account, whatever the OS. Ok, most Linux flavours hide root user by giving it an inexistant password - in the sense that any input will return false - but root does exist and has user id 0.

That admin account can change anything to the system, including things that are not allowed to normal users. The line of defense here, is that if an attacker gains access to the root user by chance (*) he can easily install a backdoor to be able to gain it again at will. And you will hardly notice it unless you consitently analyze the security of your systems (logs, changes in system files, ...) on a regular base.

If an attacker gains access to a non root account by chance, he will only be able to make changes to what is accessible to this account. Ok, he could change the password if he managed to get a shell, but you will certainly notice it next time you try to login!

That means that the defence line of not using root is only against distant attacks - if somebody has physical access to a machine, he can read everything that in not strongly encrypted and write/erase absolutely everything - including the password database to add other admin accounts. The only exception here is that if the whole disk is encrypted, the only possible action is to erase everything and fresh re-install.

But I admit that even if I know that sudo is a great software and can be used to allow fine grained permission. I do not like very much the default Linux way where sudo can do anything, because it is vulnerable to this:

• an attacker gains access to a non root shell allowed to sudo
• he changes the account password
• he sudoes as root and installs a backdoor (or a modified version of su that asks no password - trivial to write)
• he breaks the master password file and goes away

Next time you try to login, you will notice that you cannot, use the recovery procedure to discover that the master password is broken, rebuild it or re-install it from an archived version and if you do not carefully analyze the system, never notice the back door.

---

When I said gain access by chance, I mean in a non reproductible way, for instance, if it uses a vulnerability when you connect to a malicious site. Unless the attacker install a backdoor, he will only gain access again when you come back to that site, which may or not occur.

TL/DR: My opinion is that any machine should have at least 2 account: one non priviledged one for normal usage, and an administrative one for administrative tasks.

Answer 8

Aren't backups the solution to this problem? Backing up the entire hard drive on a regular basis looks like a good idea in general for various reasons, the possibility of screwing up .bashrc is one of them.