[This Usenet article has been re-edited to make it more comprehensive. Short version: Some of what's been said about Lindows/Linspire and "running as root" is untrue, though the true story is still disturbing, mostly as to the light in which its spokesmen are cast.]



From: Rick Moen <rick@linuxmafia.com>
Subject: Re: winspire
Newsgroups: comp.os.linux.hardware
Organization: If you lived here, you'd be $HOME already.
User-Agent: tin/1.7.10-20050815 ("Grimsay") (UNIX) (Linux/2.4.27-2-686 (i686))
Date: Wed, 11 Jan 2006 19:53:51 -0500

Dave Stanton <me@privacy.net> wrote:

> I assume you are aware of the one major flaw with Linspire. That is
> because they have made it as close as possible to Windows, it runs as
> root.


Nope.

The reason this factual error keeps being repeated is that we traditional Linux users, not being in the target market, have little motivation to seek out Linspire, and so seldom have an opportunity to observe that it's simply not so. (On rare occasions, Linspire's management makes public a "coupon" to download LinspireOS ISOs without charge. I've pulled down a couple of those, out of curiosity, since I try to be familiar with all common distros and a selection of uncommon ones, too.)

The misconception became established because the first release of LindowsOS (now LinspireOS) completed its installer without offering the option to create a non-root user at all. Although the installed KDE-based system was thus fully multi-user capable, and had all the security controls of any standard Linux system, the path of least resistance was to use the root login for everything. This struck just about everyone else as a design error — and, in particular, as a nasty pitfall for the unwary newcomers who are Lindows/Linspire's target audience — and they got flamed for it.

Which was only fair. What is not fair is that "the tale grew in the telling", i.e., critics suggested that LindowsOS 1.0 could not do anything except as root, which wasn't true even then, let alone subsequently.

Post-1.0, the company has somewhat grudgingly cleaned up its act, and should be given credit for that. In the current 5.0 release (and, to my knowledge, all other >1.0 releases), right near the end of installation an "Advanced Settings" screen gets shown, which has explanatory text and six buttons:

     Set Password                Configure Dial-up Settings
     Add Users                   Rename this Computer
     Set Display Resolution      Configure Network Settings

Screenshot: http://shots.osdir.com/slideshows/slideshow.php?release=293&slide=36

One could fairly criticise Lindows by saying that this is still much too low-key: Novice users are rather likely to breeze right past any "Advanced Settings" setup screen through the traditional method of keeping your elbows on the Next button.

Most other Linux distributions specifically prompt you to create a non-root user (or, like Ubuntu/Kubuntu, push the user towards using only a non-root user, with only sudo access to root-user authority), and oblige anyone bypassing the "create non-root user" routine to see some scold-for-risky-behaviour warning text. Most will agree that Linspire is negligent for not doing so.

Moreover, Linspire's CEO and other spokesbeings have become notorious for making (in my opinion) irresponsible statements defending LinspireOS's installation defaults, claiming that there's nothing wrong with routine use of the root account for desktop boxes not offering network services. Which is, of course, nonsense.

For example, CEO Michael Robertson, in an interview, was quoted as saying:

I think, like everything, it's a question of balance. Ease of use, versus security. I defy anybody to tell me why is it more secure to not run as root. Nobody really has a good answer. They say "oh, yeah, it is!", but it really isn't. Here's why: What's the most important thing on your desktop? It's the data. If someone gets access to your libraries or whatever, who cares? Your data is the most precious thing on your computer. And whether you log in as root or log in as user, you have access to that data, technically anyone who's compromising your account has access to your data as well. [...] So, people always say "it's less secure", but I defy anyone to point out a single instance, and people all go "Well, I, erm, it's theoretical!".

It's not theoretical, Mr. Robertson. A piece of malware that a user starts with ordinary-user authority will be significantly handicapped in what tools it can apply to the user's system, for starters: Quite a lot of system utilities capable of doing havoc to the user's system and to other, remote systems cannot be run at all, or cannot be run to any effect, unless run as a privileged user. The attitude you urge gives them the keys to the kingdom.

Moreover, it gives them the means to bulldoze that kingdom. The user's data, while vital, are the furniture, clothing, and pantry supplies with which the kingdom has been supplied. Much as it's terrible to arrive home and find all of one's belongings stolen and the family home empty, it's even worse to find only a bare spot on the ground where the house used to be.

That is, Robertson's approach allows malware, or user error, or garden-variety software bugs to destroy (or corrupt, or twist to suit software criminals' agenda) not only what's in the user's home directory, but also all system software, all system libraries, etc.

A simple real-world example will suffice: Imagine the user downloading and getting convinced to run an ELF-infecting virus for x86 Linux such as "Vit" (see: http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5). If the user is running as a non-root user, the virus will have zero effect, because typically the user will not have write access to even a single ELF binary. If the user is running as root, by contrast, every single ELF executable and library on the system will be altered by the virus at that time — effectively, corrupted.
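To make the Vit example measurable, here is an added audit script (mine, not part of the original article) that walks a directory tree and reports how many ELF files the current uid could overwrite against how many exist. Run as an ordinary user over /usr/bin or /usr/lib the first number is normally zero; run as root it equals the total, which is exactly the difference described above. It assumes only POSIX sh plus dd, od, tr, find and mktemp; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: count how many ELF files under
# a directory tree the *current* uid could overwrite, versus how many exist.
# An ELF infector like Vit can only alter files in the first count. As root,
# test -w is true for every file, so the two numbers coincide.
# Assumes POSIX sh plus dd, od, tr, find and mktemp. Function names are mine.

is_elf() {
    # True if the first four bytes of "$1" are the ELF magic 7f 45 4c 46.
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

count_elf_files() {
    # Prints "<writable> <total>" for regular ELF files beneath directory "$1".
    total=0
    writable=0
    list=$(mktemp) || return 1
    # The listing goes through a temp file so the loop runs in this shell and
    # the counters are not lost in a pipeline subshell.
    find "$1" -type f > "$list" 2>/dev/null || true
    while IFS= read -r f; do
        is_elf "$f" || continue
        total=$((total + 1))
        if [ -w "$f" ]; then
            writable=$((writable + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$writable $total"
}

# Usage: sh elfaudit.sh /usr/bin /usr/lib
for dir in "$@"; do
    counts=$(count_elf_files "$dir")
    echo "$dir: ${counts% *} of ${counts#* } ELF files are writable by uid $(id -u)"
done
```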

That's a difference that matters, and it is grossly irresponsible to tell newcomers that it doesn't.

Equally lame is Robertson's assumption that this crippling of security is required for "ease of use". Much better Linux distributions, likewise aimed at novice users, manage to make their systems famously easy to use, with prompting for explicit root-user authority only when absolutely required, using "sudo". (This is the approach that Apple Macintosh System X uses.) The obvious example would be the world's most successful Linux desktop distribution, Ubuntu Linux.

All of that having been said, it's still simply incorrect to say categorically that LinspireOS "runs as root".