I have a few Linux servers at home that I regularly remote into in order to manage, usually logged into KDE Plasma as root. Usually they just have several command line windows and a file manager open (I personally just find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system), but if I have an issue, I’ve just been absentmindedly searching stuff up and trying to find solutions using the preinstalled Firefox instance from within the remote desktop itself, which would also be running as root.

I never even thought to install uBlock Origin on it or anything, but the servers are all configured to use a PiHole instance which blocks the vast majority of ads. However, I do also remember using the browser in my main server to figure out how to set up the PiHole instance in the first place, and that server also happens to be the most important one and is my main NAS.

I never went on any particularly shady websites, but I also don’t remember exactly which websites I’ve been on as root, though I do seem to remember seeing ads during the initial pihole setup, because it didn’t go very smoothly and I was searching up error messages trying to get it to work.

This is definitely on me, but it never crossed my mind until recently that it might be a bad idea to use a browser as root, and searching online everyone just states the general cybersecurity doctrine to never do it (which I’m now realizing I shouldn’t have) but no one seems to be discussing how risky it actually is. Shouldn’t Firefox be sandboxing every website and not allowing anything to access the base system? Between “just stop doing it” and “you have to reinstall the OS right now there’s probably already a virus on there,” how much danger do you suppose I’m in? I’m mainly worried about the security/privacy of my personal data I have stored on the servers. All my servers run Fedora KDE Spin and have Intel processors if that makes a difference?

  • lemmyvore@feddit.nl
    link
    fedilink
    English
    arrow-up
    197
    ·
    11 months ago

    You seriously need to stop what you’re doing. Log in with ssh only. If you need multiple terminals use multiple ssh sessions, or screen/tmux. If you need to search something do it on your desktop system.

    The server should not have Firefox installed, or KDE, or anything related to desktop apps. There’s no point and nothing good can come of it.

      • Falcon@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        11 months ago

        Yeah there’s a bit of scope to review what op is doing here.

        Why is there even a DE on a server if it’s headless. If it’s not headless why not write up some Dockerfiles and manage it from a non-root account?

        Are the services running as root?

        Also, is it being accessed via wireguard/ovpn? It would be unwise to run a server as root with an open port.

  • remotelove@lemmy.ca
    link
    fedilink
    arrow-up
    67
    ·
    11 months ago

    Your frame of mind is “dangerous”. If you are browsing on your servers as root, you need to not manage servers anymore. If that sounded harsh, learn about attack surface area first and then I might let you back in the server room.

    You won’t find discussions about running browsers as root because it’s not something you should need to discuss. Also, you don’t need to be browsing “shady” websites to get compromised. Get that myth out of your head.

    find it more convenient to use the command line from a remote desktop instead of directly SSH-ing into the system

    How is extra steps and added latency more convenient? The latency of a console via remote desktop would drive me crazy. Hell, I haven’t installed any kind of desktop environment on Linux server for over 20 years. It’s not needed and a waste of resources. Who needs file managers anyway?

    • Potatos_are_not_friends@lemmy.world
      link
      fedilink
      arrow-up
      33
      ·
      edit-2
      11 months ago

      Your frame of mind is “dangerous”. If you are browsing on your servers as root, you need to not manage servers anymore. If that sounded harsh, learn about attack surface area first and then I might let you back in the server room.

      You sir/ma’am hit it right on the head.

      The “run root on Firefox” isn’t the issue, it’s the red flag. Security is a mindset. Failure to understand the core philosophy of why we have roles and permissions means you’re untrusted. It really isn’t personal. It’s security.

  • MimicJar@lemmy.world
    link
    fedilink
    arrow-up
    64
    ·
    11 months ago

    https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/

    That’s a link to the most recent release of Firefox and the security vulnerabilities that were fixed.

    You’ll notice the first one listed says, “This issue could allow an attacker to perform remote code execution and sandbox escape.”

    So if you visited a site that exploited that bug, it escaped the sandbox and ran whatever code it wanted to. Since you were running as root it could do anything it wants. Your device is now the property of someone else. Potentially all your data has been stolen. You probably didn’t even notice.

    Now. Realistically. You probably didn’t get exploited. Your device may not be vulnerable to that particular bug. But new bugs are found, and fixed, and created every day. Can you be sure you weren’t exploited?

    Let’s look at it a different way. Think of it like driving a car with no seatbelt or airbags. As long as you don’t crash, you’re fine. The car still works fine without seatbelts and you have more freedom to move your arms around.

    Let’s look at it a different way. Do you ever lock the door to your home/apartment? Heck do you even close the door? Why not leave it wide open?

    At the end of the day security is about layers and the trade offs for convenience. You can run KDE as root, and you can run Firefox as root. You’ll probably be fine. It’s like driving without a seatbelt or leaving your front door wide open, but you can do it. If you do drive with a seatbelt and at least close your front door, you can probably run KDE and Firefox as a regular user.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    46
    ·
    11 months ago

    I think there are many security issues with your setup. You really, really shouldn’t do everything as root. That is just a time bomb waiting to blow.

  • taladar@sh.itjust.works
    link
    fedilink
    arrow-up
    36
    ·
    11 months ago

    but no one seems to be discussing how risky it actually is.

    That is because people stopped doing it ages ago.

    But shouldn’t Firefox be sandboxing every website and not allowing anything to access the base system?

    Security is always a matter of layers. Any given layer can fail some of the time but you want to set up your security so situations where all the layers fail together are rare.

  • FishFace@lemmy.world
    link
    fedilink
    arrow-up
    34
    ·
    11 months ago

    An overarching principle of security is that of minimum privilege: everything (every process, every person) should have the minimum privileges it needs to do what it does, and where possible, that privilege should be explicitly granted temporarily and then dropped.

    This means that any issue: a security breach or a mistake can’t access or break anything except whatever the component or person who had the issue could access or break, and that that access is minimal.

    Suppose that you hit a page which exploits the https://www.hkcert.org/security-bulletin/mozilla-firefox-remote-code-execution-vulnerability_20230913 vulnerability in Firefox, or one like it, allowing remote code execution. If Firefox is running as root, the remote attacker now completely controls that machine. If you have SSH keys to other servers on there, they are all compromised. Your personal data could be encrypted for ransom. Anything that server manages, such as a TV or smart home equipment, could be manipulated arbitrarily, and possibly destroyed.

    The same is true for any piece of software you use, because this is a general principle. Most distributions I believe don’t let you ssh in as root for that reason.

    In short: don’t log in to anything as root; log in as a regular user and use sudo to temporarily perform administrator actions.

    P.S. your description of the situation shows you don’t know the nature of vulnerabilities and security - if you’re running servers then this is something you should learn more about in short order.

  • DefederateLemmyMl@feddit.nl
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    3
    ·
    edit-2
    11 months ago

    Realistically it’s not super dangerous, and no you probably don’t have a virus just from browsing a few tech support sites, but you do eliminate your last line of defense when you run software as root. As you know, root can read/change/delete anything on your system whereas regular users are generally restricted to their own data. So if there is a security problem in the software, it’s made worse by the fact that you were running it as root.

    You are right though that Firefox does still have its own protections - it’s probably one of the most hardened pieces of software on your computer exactly because it connects to the whole wide internet - and those protections are not negated by running as root. However if those protections fail, the attacker has the keys to the kingdom rather than just a sizable chunk of the kingdom.

    To put that in perspective though, if there is a Firefox exploit and a hacker gets access to your regular user account, that’s already pretty bad in itself. Even if you run as a regular unprivileged user they would still have have access to things like: your personal documents, your ssh keys, your Firefox profile with your browsing history, your session cookies and your saved passwords, your e-mail, your paypal account, your banking information, …

    As root, they could obviously do even more like damage like reading all users’ data, installing a keylogger or screengrabber, installing a rootkit to make themselves undetectable, but for most regular users most of the damage is already done when their own account is compromised.

    So when these discussions come up, I always have to think about this XKCD comic:

    • taladar@sh.itjust.works
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      11 months ago

      They might have access to all that data once but a lot of the paths towards making that a persistent threat that doesn’t go away after the next reboot and most of the ones towards installing something even deeper in the system that might even survive a reinstall do require root.

  • Amju Wolf@pawb.social
    link
    fedilink
    arrow-up
    23
    ·
    edit-2
    11 months ago

    I don’t want to step on your workflow too much since it somehow seems to work for you but your main issue stems from the fact that you clearly don’t work with your server as if it actually was a server.

    You shouldn’t really have a desktop interface running there in the first place (let alone as root and then using it as a regular user). You should ask yourself what it actually solves for you and be open to trying different (and more standard) solutions to what you’re trying to achieve.

    It’d probably consist of less clicking and using the CLI a bit more, but for stuff like file management you can still easily use mc.

    If you need terminal sessions that keep scrollback and don’t stop when you disconnect you should learn to use tmux or screen or something like that. But then again if you’re running actual software in there then you should probably use a service (daemon) for that.

    As for whether it’s a security issue, yeah it most definitely is. Just like it’s a security issue to run literally any networked application as root. Security isn’t black and white and there are trade offs to be made but most people wouldn’t consider what you’re doing a reasonable tradeoff.

    • HiddenLayer5@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      2
      ·
      edit-2
      11 months ago

      I had actually moved from a fully CLI server to one with a full desktop when I upgraded from a single board computer to x86. The issue is that it’s not just a NAS, but I regularly use it to offload long operations (moving, copying, or compressing files, mostly) so I don’t need to use my PC for those. To do that I just remote into it and type in the command, then I can turn my PC off or do whatever without affecting the operation. So in a way it’s a second PC that also happens to be a server for my other machines.

      I use screen occasionally, and I used to use it a lot more when it was CLI only, but I find it really unwieldy due to how it manages multiple active terminals where you have to type in the ID of each screen to go back into it, and also because it refuses to scroll even when run in a terminal emulator that supports scrolling, where it just cycles between recent commands when you move the scroll wheel.

      Not trying to make excuses, just trying to explain my reasoning. I know it’s bad practice and none of these are things I’d do if I was managing an actual production server, but since it’s only accessible from my LAN I tend to be a lot more lax with it.

      I’m wondering if I could benefit from some kind of virtualized setup that separates the server stuff while still letting me remote into a desktop on the same machine for doing stuff, or if I can get away with just remoting into not the root user. Though I’ve never used a hypervisor and have no idea how to so I’m not sure how well that would go, since the well-known open source ones like Xen seem really technical and really feels like something not meant to be used outside an actual data centre.

      • Amju Wolf@pawb.social
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        11 months ago

        I see. In that case you should really try tmux; I didn’t vibe with screen either but I find tmux quite usable.

        For the most part I just open several terminal windows/tabs on my local machine and remote with each one to the server, and I use tmux only when I explicitly need to keep something running. Since that’s usually just one thing I can use like two tmux commands and don’t need anything else.

        Oh and for stuff like copying and such I’d use rsync instead of primitive cp so that in case it gets interrupted I only copy what’s needed.

        I wouldn’t bother with virtualization and such; you’d only complicate things for yourself. Try to keep it simple but do it properly: learn some command line basics and you’ll see that in a year it’ll become second nature.

      • giloronfoo@beehaw.org
        link
        fedilink
        arrow-up
        6
        ·
        11 months ago

        I’d go for remoting in as not root as the first (and maybe only) step for better security.

        From there, running the services in VMs would probably be the next step. Docker might be better, but I have gotten into that yet myself.

        As for hypervisor, KVM has worked great for me.

        • pbjamm@beehaw.org
          link
          fedilink
          English
          arrow-up
          2
          ·
          11 months ago

          KVM is awesome. It is the core of Proxmox which is my preferred way to manage VMs and LXC containers now. I used to run debian+KVM+virt-manager or cockpit but Proxmox does all the noodling setup for me and then just works.

  • Falcon@lemmy.world
    link
    fedilink
    arrow-up
    14
    ·
    11 months ago

    I have no clue how dangerous running Firefox as root is, but it begs the question…why would you do that?

    Create a user account for managing things and create a separate user for each service and/or containers.

    For managing things use tmux with ssh, if you want to manage files etc. just use ranger/lf/mc. One can also mount the file system with sshfs.

  • rottingleaf@lemmy.zip
    link
    fedilink
    arrow-up
    14
    ·
    11 months ago

    Yes, it is. As a user you compromise only that user as a consequence of some sandbox escape. Then there may or may not be some successful privilege elevation.

  • arjache@kbin.social
    link
    fedilink
    arrow-up
    13
    ·
    11 months ago

    As a general best practice, you should never directly login as root on any server, and those servers should be configured to not allow remote connections as the root user. You should always log in as a non-root user and only run commands as root using sudo or similar features offered by your desktop environment. You should be wary of even having an interactive root shell open; usually I would only do so on a VM console, when first setting up a system or debugging it.

    By doing this, you not only guard against other people compromising your system, but also against accidentally running commands as root that could damage your system. It’s always best to only run things with the minimum permissions they need, and then only grant them additional permissions on an as-needed basis.

    • taladar@sh.itjust.works
      link
      fedilink
      arrow-up
      2
      arrow-down
      7
      ·
      11 months ago

      you should never directly login as root on any server, and those servers should be configured to not allow remote connections as the root user. You should always log in as a non-root user and only run commands as root using sudo or similar features

      That is commonly recommended but I have yet to see a good solution for sudo authentication in this case that works as well as public key only SSH logins with a passphrase encrypted key and ssh-agent on the client-side. With sudo you constantly have to use passwords anyway which is pretty much unworkable if you work on dozens of servers.

      • exu@feditown.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        11 months ago

        You could implement NOPASS for the specific commands you need for a service user. Still better than just using root.

        • taladar@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          arrow-down
          3
          ·
          11 months ago

          In what way would that be more secure? That would just allow anyone with access to the regular account to run those commands at any time.

          • bluespin@lemmy.world
            link
            fedilink
            arrow-up
            5
            arrow-down
            1
            ·
            11 months ago

            Are you asking why it’s more secure to surface a few commands without password rather than all of them…?

            • taladar@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              arrow-down
              3
              ·
              11 months ago

              I am asking why it is considered to be more secure for the use case where you aren’t limiting access to a few commands because it is access meant for all kinds of admin tasks, not just one specific one (as in access for the people who need to fix unexpected problems among other things).

            • taladar@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              arrow-down
              4
              ·
              11 months ago

              I am well aware that sudo can limit which commands you run but so can force_command in authorized_keys if you really need that functionality.

          • chameleon@kbin.social
            link
            fedilink
            arrow-up
            3
            ·
            11 months ago

            Realistically, there is only a trivial pure security difference between logging in directly to root vs sudo set up to allow unrestricted NOPASS access to specific users: the attacker might not know the correct username when trying to brute force. That doesn’t matter in the slightest unless you have password auth enabled with trivial passwords.

            But there is a difference in the ability to audit what happened after the fact if you have any kind of service storing system logs remotely or in a tamper-proof way. If there’s more than one admin user on a service, that is very very important. Knowing where the compromise happened is absolutely essential to make things safe.

            If there’s only ever going to be one administrative user (personal machine), logging in directly as root for manual administrative tasks is fine: you already know who the user is. If there’s any chance there might be more administrative users later (small but growing business), you should consider doing it right from the start.

            • taladar@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              ·
              11 months ago

              I was aware of the login UID for auditd logging as a difference but as you say, that is only really helpful if the logs are shipped somewhere else or tampering with them is otherwise prevented for admin users. It is not quite the same but the auth.log entries sshd produces on login also contain the key fingerprint used to login these days so on a more limited scale you can at least tell who logged in when from those (or whose key but that is no different than whose account for the sudo approach).

              you should consider doing it right from the start.

              Do you have any advice on how to use the sudo approach without having a huge slow down in every automated process that requires ssh user@host calls for manual password entry? I am aware of Ansible but I am honestly very sceptical of Python tools since they tend to break easily and often from my past experiences and I would like to avoid using additional ones for critical tasks. Plus Ansible in particular seemed to be very late with their Python 3 transition, as I recall I uninstalled it when it was one of the last tools left that did not work with Python 3.

              • chameleon@kbin.social
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                11 months ago

                Well, my recommendations for anything semi-automated would be Ansible and Fabric/Invoke. Fabric is also a Python tool (though it’s only used on the controlling side, unlike Ansible), so if that’s a no-go, I’m afraid I don’t have much to offer.

          • 4am@lemm.ee
            link
            fedilink
            arrow-up
            3
            arrow-down
            2
            ·
            11 months ago

            I thought your passwordless passphrase passkey ssh connection that is superior to passwords was secure. Is it not?

            • taladar@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              arrow-down
              3
              ·
              11 months ago

              It is. That is the whole point. Why would I make extra unprivileged accounts that can run any command I need to run as root at any time without a password on the system just to avoid it. That just increases the attack surface via any other vector by giving an attacker accounts to choose from to break into.

      • ElderWendigo@sh.itjust.works
        link
        fedilink
        arrow-up
        6
        arrow-down
        2
        ·
        11 months ago

        Whose letting you run dozens of servers if managing dozens of passwords is “pretty much unworkable” for you?

        • taladar@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          arrow-down
          6
          ·
          11 months ago

          Of course I can store dozens of passwords but if every task that requires a single command to be run automatically on e.g. “every server with pending updates” requires entering each of those passwords that is unworkable.

          • 4am@lemm.ee
            link
            fedilink
            arrow-up
            4
            ·
            11 months ago

            FreeIPA and your password is the same on every machine: yours. (Make it good)

            Service accounts should have either no sudo password or use something like Ansible with vault and keep every one of them scrambled and rotate regularly (which you can do with Ansible itself)

            Yes, even if you have 2 VMs and a docker container, this is worth it.

            • taladar@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              arrow-down
              4
              ·
              11 months ago

              FreeIPA and your password is the same on every machine: yours.

              Any network based system like that sucks when you need to fix a system that has some severe issue (network, DNS, disk,…) which is exactly when root access is the most important.

          • ElderWendigo@sh.itjust.works
            link
            fedilink
            arrow-up
            6
            arrow-down
            2
            ·
            11 months ago

            Sounds like you’re doing things the hard way, making you believe that you are being forced into choosing between security and convenience.

            • taladar@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              arrow-down
              3
              ·
              11 months ago

              Then enlighten me, what is the easy way to do tasks that do require some amount of manual oversight? Tasks that can be completely automated are easy of course but with our relatively heterogeneous servers automation a la “do it on this one test system and if it works there run it completely automatically on the 100 identical production systems” is not available to us.

              • ElderWendigo@sh.itjust.works
                link
                fedilink
                arrow-up
                4
                arrow-down
                4
                ·
                11 months ago

                Not my circus, not my monkeys. You’re doing things the hard way and now it’s somehow my responsibility to fix your mess? I’m SUPER glad I don’t work with you.

                • taladar@sh.itjust.works
                  link
                  fedilink
                  arrow-up
                  4
                  arrow-down
                  5
                  ·
                  11 months ago

                  You are the one who insists that there is a better way to do things but refuse to say what that better way is.

  • BigTrout75@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    1
    ·
    11 months ago

    This is like removing a safety feature in your car. Like removing seatbelts or maybe anti-lock brakes.

  • ThankYouVeryMuch@kbin.social
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    11 months ago

    I just wanted to add that you can run gui applications through ssh with x11 forwarding, options -X or -Y (untrusted/trusted but at least in Debian back in the day they behaved the same). So if you wanted a gui file manager you run it in the ssh session on the remote server, sudo if you need but NEVER logged as root, and the window will pop on your local DE instead of having to run an entire desktop on each server