Why the stigma against rooting?

de0u

Mercerenies What makes a smartphone's threat model different from a desktop computer?

People break into "desktop" (and server) computers a lot. And the reasons aren't mysterious! A big problem is what's known as "ambient authority", which means that all programs run by an individual user have the ability to read and modify all of that user's files. So a game app can edit your startup files to install a keystroke logger that sends your passwords to some remote system. Or any app can edit anything.

Typically if a desktop user runs sudo and provides a correct password then sudo won't require a password for some minutes afterward. That means that any malware running as that user can also run sudo.

The bottom line is that most desktop operating systems are insecure in many ways. Fixing those problems is a big compatibility nightmare, so it happens only slowly. That said, year after year macOS locks down various things a little bit more.

One way that the situation is different on phones is that it isn't necessary for 20-year-old legacy software to just work out of the box. Another is that people tend to accidentally leave phones on the bus or whatever.

All in all, some phone platforms have taken steps toward structurally better computer security that many desktop platforms have not. At present, where they differ, most often the phone platforms are making the superior choices.

DeletedUser125

de0u This is all fine, but it shouldn't feel like I don't own my device, where even the simplest of tasks like toggling airplane mode can't be automated. This same "security" model that conveniently prevents us from unbloating regular android phones and control permissions.

Upstate1618

Linux desktop, Windows and macOS are not very secure. Having root access is one of the reasons.

yore

Unfortunately, desktop operating systems are far behind in terms of security. Apps are not confined in a strong system-level sandbox (Linux often has a weak or non-existent sandbox), and malware can gain root access much more easily compared to mobile operating systems. In mobile OSes, there are different trust levels, and full root access is given to very few processes which makes gaining root incredibly difficult, unlike desktop operating systems where there is either an unprivileged user or a superuser (Linux is one of the worst offenders here).

There are many other problems with desktop operating systems

While users are allowed to use and modify their phones as they wish, including rooting their phones, it is not advisable if you want a secure phone. GrapheneOS relies on full verified boot which relies on the principle of least privilege. When you root your phone, you essentially break this model as you give your entire phone full trust, including any malware. A normal non-rooted phone would revert malware upon a reboot via verified boot, but since rooting ruins this process, this powerful security feature is rendered useless.

And there are other reasons which I will not be listing here.

See: https://madaidans-insecurities.github.io/android.html#rooting

boldsuck

yore (Linux is one of the worst offenders here).

In practice, however, ransomware, malware and other malicious programs are always on Windows systems. ;-)
Windows users are either blackmailed by criminals or help antivirus software manufacturers earn billions.

My Tor exits are also guaranteed to be threatened by highly skilled state hackers. Our entire IX only uses Linux & *BSD + Junos OS & Cisco IOS. My ISP too.

AmyIsCoolz

Mercerenies Nobody has ever told me that I should disable "sudo" on a Linux box to make it "more secure".

FYI, secureblue has sudo disabled https://github.com/secureblue/secureblue/releases/tag/v4.2.0

also, not running apps as administrator is like one of the more common Windows security advice.

DeletedUser87

It's also for historical reasons. When computers were first invented, no one was thinking about hackers, the internet and priviliges. Everything was written around that architecture. When the internet came along, all you could really do, is fix problems with bandaids. Redoing desktop operating systems would break pretty much every program ever written. When smartphones came along, we had already learned quite a bit and security was built in by design. In particular thanks to Apple and their locked down iPhone OS. The iPhone was designed first and foremost for business customers, where security and preventing data loss/leaks are valued immensely. Their effort to patch bugs and destroy the jailbreaks is a good indicator of that. Android hadn't the best security at first either, but it was fixed over time to compete with Apple's offerings. Not only for security itself, but also from a marketing perspective (who would buy phones that are notoriously insecure and full of viruses?).
So these might be some additional reasons why mobile OS'es are designed to run with least privileges. Among the fact that a phone has a lot more capabilities to be used as a wiretap compared to a computer and would do more harm to you when hacked.

GrapheneOS

Mercerenies

But I've never really understood that argument.

It's an objective fact, not an argument that's being made.

So I think I understand how the Android model works. All apps run in user-mode, and only the system itself (and ADB, via a trusted computer) run as root. There's no way for a user-level app to promote itself, and similarly there's no way for a user to promote itself.

No, that's not how it works at all. The base OS does not run as root. It follows the principle of least privilege with components being heavily split up and sandboxed.

But that's not how desktop computers work. Every desktop computer I've ever owned has access to root. If I'm in Windows and run something that needs elevated privileges, I get a User Account Control prompt and hit "Yes". On Linux, I just put the word "sudo" before it, enter a password, and now I can run commands as root. Nobody has ever told me that I should disable "sudo" on a Linux box to make it "more secure". Nobody has ever said to me that I should have to hook my personal desktop computer up to another device in order to access the root user. So why is that the conventional wisdom with smartphones? Why is it that, on a desktop computer, it's normal that I can promote myself into root when I need to, but on a smartphone it's viewed as a gross security violation?

Traditional desktop operating systems lack the basic building blocks of security. They're astoundingly poorly designed from a security perspective and lack basic working app sandboxing or sandboxing throughout the OS. They do not have any real implementation of features like verified boot either. UAC and regular usage of sudo on desktop operating systems is purely security theater with no security value coming from it. It exists to make you feel better, not to provide security.

Sorry if this is a bit rambly, but it's been bugging me since well before I started using GrapheneOS, and I'm sort of hoping the security-minded folks here may be able to shed some light on this for me. What makes a smartphone's threat model different from a desktop computer?

Nothing. Traditional desktop operating systems lack basic security, quite contrary to your belief that it's fine.

DeletedUser64

Mercerenies What makes a smartphone's threat model different from a desktop computer?

loss and /or theft.
never heard of someone loosing their desktop computer whilst walking the dog, etc

Carlos-Anso

Also smartphones tend to have a lot more data. They are used for SMS and calls, contacts details, calendar, notes, todo list, photos etc.

Most people take them everywhere.

Because they are more secure they are increasingly used for banking, controlling insulin pumps, payments, authentication etc. They also have cameras, microphones and GPS functionality, which is not the case with all PCs and laptops.

de0u

DeletedUser125 This is all fine, but it shouldn't feel like I don't own my device, where even the simplest of tasks like toggling airplane mode can't be automated.

The GrapheneOS web site contains detailed build instructions. If you choose to build a rooted system, or a system with extra high-privilege apps, you may. And if the GrapheneOS developers choose not to release rooted builds, that is likewise their decision.

GrapheneOS

DeletedUser125

where even the simplest of tasks like toggling airplane mode can't be automated

This is not true.

This same "security" model that conveniently prevents us from unbloating regular android phones and control permissions.

Suggest you avoid derailing threads and making these kinds of attacks on our work. It is in fact a real and very important security model. It's unclear how it stops you from controlling permissions when that is part of what it enables unlike a system without that kind of app sandboxing. It also clearly doesn't stop you using a different OS.

DeletedUser125

de0u Sure except I still need to have a powerful enough rig and not make mistakes and not procrastinate on the updates.

DeletedUser87

DeletedUser125 who said it would be easy/free? Of course you have that feeling since someone else is doing all the work. If you want to feel like you "own" your device, you should actually own it. That implies that you have to invest time, money and labor to get there.

boldsuck

DeletedUser125 Since GrapheneOS is FLOSS and if you also place your builds under a free license, you can use many CI/CD for free.

Xtreix

Even though I've never built GrapheneOS, I still have the feeling that I “own” my device and I wouldn't have the same feeling at all on iOS and Stock Android or via any commercially available smartphone with the default operating system in fact, it may not be perfect but I think others share my feeling.

yore

boldsuck In practice, however, ransomware, malware and other malicious programs are always on Windows systems. ;-)

While attackers do indeed spread malware best on Windows as it has the largest OS market share, it does not change the fact that Linux systems are far easier to exploit than mainstream operating systems. Security researchers are agreed upon this and there is plenty of evidence and studies out there you can take a look at.

To clarify, 90% of web-facing servers use Linux due its extensiblity; I was not referring to servers, but to users who use Linux systems under the impression that it is more secure. Unfortunately, many users mistakenly believe this due to widespread inaccuracies. Linux (and other desktop OSes) has a design problem and no degree of manual hardening will fix these issues.

GrapheneOS

boldsuck GrapheneOS does not use Debian-based distributions and recommends against Debian-based distributions due to very poor security. That sentence has been removed from your post.

de0u

boldsuck In practice, however, ransomware, malware and other malicious programs are always on Windows systems. ;-)

Linux Ransomware: Famous Attacks and How to Protect Your System (June 2021)
From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families (August 2023)
Linux Ransomware Exposed: Not Just a Windows Problem Anymore (December 2024)

missing-root

Mercerenies

You should absolutely add a second Linux user account, separate password, never logged in, that has sudo access.

And remove your main user from the wheel/sudo group. run0 and pkexec work just fine.

GrapheneOS

missing-root That makes no practical difference since those provide the same functionality. Even if you entirely avoid all the ways of escalating privileges to root from there, your applications and data is in your main user where they largely run with full access as your user. Sandboxing is largely opt-in and has holes in the containment of apps. It's still designed around granting most access at install time based on whatever the app requests. Anything running as your main user is equivalent root if you ever escalate to root from it, but even if you don't it has access to everything that matters on a typical system without any exploitation involved.

The attack surface of sudo for privilege escalation from unprivileged users is present simply by having it installed as a setuid binary along with other setuid binaries. Any reasonably well contained applications can't make use of those due to having their ability to elevate privileges disabled. On a system that's using whole system MAC policies without huge holes in it, it would barely be relevant but it wouldn't be present on those systems in the first place in practice.