Why is it bad to log in as root?

It defeats the security model that's been in place for years. Applications are meant to be run with non-administrative security (or as mere mortals) so you have to elevate their privileges to modify the underlying system. For example, you wouldn't want that recent crash of Rhythmbox to wipe out your entire /usr directory due to a bug. Or that vulnerability that was just posted in ProFTPD to allow an attacker to gain a ROOT shell.

It's just good practice on any operating system to run your applications on a user level and leave administrative tasks to the root user, and only on a per-need basis.

Just one word: security.

1. You're logged as root = all applications are running with root privilegies -- every vulnerability in Firefox, Flash, OpenOffice etc. now can destroy your system, because possible viruses now have access everywhere. Yes, there are only few viruses for Ubuntu/Linux, but it's also because of good security and default unprivileged user.
2. It's not only about viruses -- small bug in an application could erase some system files or...
3. When your're logged as root, you can do everything -- the system won't ask! Do you want to format this disk? Ok, just one click and it's done, because you're root and you know what you're doing...

Running as root is bad because:

1. Stupidity: Nothing prevents you from doing something stupid. If you try to change the system in anyway that could be harmful you need to do sudo which pretty much guarantees a pause while you are entering the password for you to realize that you are about to make a possible big/costly change.
2. Security: It has been mentioned already quite a few times in this question but basically it's the same thing, harder to hack if you dont know the admin user's login account. root means you already have one half of the working set of admin credentials.
3. You don't really need it: If you need to run several commands as root and you are annoyed by having to enter your password several times when sudo has expired all you need to do is sudo -i and you are now root. Want to run some commands using pipes? Then use sudo sh -c "comand1 | command2".
4. You can always use it in the recovery console: The recovery console allows you to try and recover from doing something stupid or fixing a problem caused by an app (which you still had to run as sudo :)) Ubuntu doesn't have a password for the root account in this case but you can search online for changing that, this will make it harder for anyone that has physical access to your box to be able to do harm.

The reason why you couldn't find information about why it's bad is because, well, there is way too much data in the internet :) and that a lot of people that have been using Linux for a long time think like you do. This way of thinking about the root account is fairly new (a decade maybe?) and a lot of people still get annoyed by having to use sudo. Especially if they are working on a server which means they went in with the intention to make system changes. Probably brought on from previous bad experiences and security standards most sysadmins know better but they still don't like it :).

This is a good question. I think the answer is slightly different depending on whether you're talking about a server or a desktop installation.

On a desktop, it is uncommon to use the root account. In fact, Ubuntu ships with root access disabled. All changes requiring superuser privileges are done through sudo and its graphical cognates gksudo and kdesudo. Given that it's easy to set a root password, however, why don't people do it?

One reason is that it gives you an additional layer of security. If you run a program as root and a security flaw is exploited, the attacker has access to all data and can directly control the hardware. For example, it might install a trojan or key-logger into your kernel. In practice, though, an attack can do a large amount of damage even without superuser privileges. After all, all user data - including documents and stored passwords - is accessible without root access.

A more valid point, on a single-user system, is that the user is prevented from accidentally rendering the system unusable. If the user unintentionally issues a command that deletes all files, they will still be able to boot the system, even if the data is lost.

Additionally, most user-facing (X11) applications today are built on the assumption that they're run as a regular user account and without administrator rights. Thus some programs might misbehave when run as root.

On a multi-user system with non-graphical shell access only, many of these reasons do not apply. However, Ubuntu still reasonably defaults to an inaccessible root account. For one thing, there is a real difference between gaining access to a user account (with sudo rights) through a security hole and gaining access to root, as in the first case disrupting other users will require running sudo and will still prompt for the account password as an additional security step. For another, it is useful to perform many administrative tasks from a user account and only invoking sudo when the superuser privileges are absolutely required. Thus when installing a program from source, it is advisable to build the source - running configure and make - inside the user's directory and only using sudo make install in the final step. Again this makes it more difficult to shoot oneself (and other users of the multi-user system) in the foot, and it decreases the likelihood of build scripts wreaking havoc with the system. Thus even on a server it is good advice to stick to Ubuntu's sudo-based administration.

One reason not to run as root that has not (so far) been identified by other answers is traceability. It probably matters less on machines that are primarily single-user machines (your desktop or laptop), but on server machines, if someone is logged in as root, you don't know who to blame for the actions taken. Therefore, most professional organizations with multiple systems and multiple administrators that need root privileges require people to login using their own user ID (and password), and then use sudo or similar programs to operate with root privileges when necessary.

Otherwise, the primary reasons for not running as root are:

• Minimize risk of damage from accidents. If you run rm -fr / home/me/my-subdir as root, then you've just dramatically eliminated everything of importance from your machine because of that space after the (first) slash - because the stuff that goes first is the stuff that was added first - little things like the kernel, the /bin and the /etc directory. Unix gets upset if you lose those.

• Minimize risk of damage from malicious outside sites. If you browse as root, you're more nearly vulnerable to drive-by downloads of malicious material.

I use MacOS X more than I do Ubuntu, but there, root is disabled by default, and it still is on my machine. I routinely upgrade the kernel and other similar operations - using sudo (behind the scenes). Similar techniques apply to Linux generally.

Basically, you should only use the all-powerful privileges of root for abbreviated periods of work to avoid the risk of mistakes.

TL;DR: Do things as root only when you have to. sudo makes this pretty easy. If you enable root logins, you can still follow this rule, you just have to be careful to do so. Although enabling root logins is not actually insecure if done right, you don't need to enable root logins because you have sudo.

There are really two related questions here.

• Why is it bad to to log in as root for one's everyday computer use (web browsing, email, word processing, gaming, etc.)?
• Why does Ubuntu default to disabling root logins altogether and using sudo and polkit to enable administrators to run specific commands as root?

Why not run everything as root, all the time?

Most of the other answers cover this. It comes down to:

1. If you use root powers for tasks that don't require them, and you end up doing something you didn't mean to do, you could change or harm your system in a way you don't want.
2. If you run a program as root when you didn't need to, and it ends up doing something you didn't mean for it to do--for example, due to a security vulnerability or other bug--it could change or harm your system in a way you don't want.

It's true that even without doing things as root, you can cause harm. For example, you can delete all the files in your own home directory, which usually includes all your documents, without running as root! (Hopefully you have backups.)

Of course, as root, there are additional ways to accidentally destroy those same data. For example, you could specify the wrong of= argument to a dd command and write raw data over your files (which makes them way, way harder to recover than if you'd merely deleted them).

If you're the only person who uses your computer, the harm you can do only as root might not really be higher than the harm you can do with your regular user privileges. But that is still no reason to expand your risk to include additional ways of messing up your Ubuntu system.

If running with a non-root user account prevented you from exercising control over your own computer, then this would of course be a bad tradeoff. But it doesn't--anytime you actually wish to perform an action as root, you can do so with sudo and other methods.

Why not make it possible to log in as root?

The idea that the ability to log in as root is inherently insecure is a myth. Some systems have a root account enabled by default; other systems use sudo by default, and some are configured with both.

• For example, OpenBSD, which is widely and reasonably considered the most secure general-purpose OS in the world, ships with the root account enabled for local, password-based login.
• Other well-respected OSes that do this include RHEL, CentOS, and Fedora.
• Debian (from which Ubuntu derives) has the user decide which approach will be configured, during system installation.

It's not objectively wrong to have a system where the root account is enabled, provided that

1. you still only use it when you really need to, and
2. you restrict access to it appropriately.

Often novices ask how to enable the root account in Ubuntu. We should not conceal this information from them, but usually when people ask this it's because they are under the mistaken impression that they need to enable the root account. In fact, this is almost never necessary, so when answering such questions it's important we explain that. Enabling the root account also makes it easy to become complacent and perform actions as root that don't require root privileges. But this doesn't mean enabling the root account is by itself insecure.

sudo encourages and helps users run commands as root only when they need to. To run a command as root, type sudo, a space, and then the command. This is very convenient, and many users of all skill levels prefer this approach.

In short, you don't need to enable root logins because you have sudo. But so long as you use it only for administrative tasks that require it, it's about equally secure to enable and log on as root, so long as it's only in these ways:

• Locally, from a non-graphical virtual console.
• With the su command, when logged in from another account.

However, substantial added security risks arise if you log on as root in these ways:

• Graphically. When you log in graphically, a whole lot of stuff runs to provide the graphical interface, and you'll end up running even more applications as root to use that interface for anything. This goes against the principle of only running programs as root that really need root privileges. Some of these programs may contain bugs, including security bugs.

  Furthermore, there's a non-security reason to avoid this. Logging in graphically as root is not well supported--as loevborg mentions, developers of desktop environments and of graphical apps don't often test them as root. Even if they do, logging in to a graphical desktop environment as root doesn't get real world alpha and beta testing by users, as almost nobody attempts it (for the security reasons explained above).

  If you need to run a specific graphical application as root, you can use gksudo or sudo -H. This runs far fewer programs as root than if you actually logged on graphically with the root account.

• Remotely. The root account can in effect do anything, and it has the same name on practically every Unix-like system. By logging in as root via ssh or other remote mechanisms, or even by configuring remote services to allow it, you make it much easier for intruders, including automated scripts and malware running on botnets, to gain access through brute force, dictionary attacks (and possibly some security bugs).

  Arguably the risk is not extremely high if you allow only key-based, and not password-based root logins.

By default in Ubuntu, neither graphical root logins nor remote logins via SSH are enabled, even if you enable logging in as root. That is, even if you enable root login, it's still only enabled in ways that are reasonably secure.

• If you run an ssh server on Ubuntu and have not changed /etc/sshd/ssh_config, it will contain the line PermitRootLogin without-password. This disables password-based root login, but allows key-based login. However, no key is configured by default, so unless you've set one up, that too will not work. Furthermore, key-based remote root login is far less bad than password-based remote root login, in part because it doesn't create the risk of brute force and dictionary attacks.
• Even though the defaults should protect you, I think it's still a good idea to check your ssh configuration, if you're going to enable the root account. And if you're running other services that provide remote login, like ftp, you should check them, too.

In conclusion:

• Do stuff as root only when you need to; sudo helps you do that, while still giving you the full power of root anytime you want it.
• If you understand how root works and the dangers of overusing it, enabling the root account is not really problematic from a security perspective.
• But if you understand that, you also know that you almost certainly don't need to enable the root account.

For more information about root and sudo, including some additional benefits of sudo that I haven't covered here, I highly recommend RootSudo in the Ubuntu help wiki.

Root account is disabled by default - meaning that it exists but it's not usable (except in recovery mode). This means that an attacker is aware of your root account, but couldn't use it even if he/she had the root password. Thus, an attacker has to guess both a user-name which has administrator privileges, AND that user's password (which is far more difficult than just trying to work out the root password).In XP if you have the Recovery Console installed, anyone who has physical access to your box can boot into it (RC) - no password required. Same as Recovery Mode in Ubuntu.

In Ubuntu, when they say that the root is disabled - what is really meant is that the account is locked. An account is locked by changing the password to a value which matches no possible encrypted value. This effectively prevents anybody from being able to log in as root - since there would be no possible way they could enter the password. Since there are still times when root access is necessary - the Ubuntu kernel has been modified to allow root local login only in single-user mode.

Also see this page

Its like arming a little kid with an AK47, while he can happily play with his paintball gun. ;)

I mean its wrong because you and your applications will have more privilege then they need and that is when things can and sometimes will go wrong :(

Very nice question... Let me answer it from a practical point of view:

When I started using Linux, which is more than 10 years ago, the major distributions did not advertise using non-root accounts as much as today. As I was used to Windows I also did not see a point in using a constrained user account. In particular because I had to enter "su" very often - sudo wasn't that popular back then. ;-) So I always logged in as root because I had a lot of maintenance to do to get my system well configured. But guess what, any fresh installed system became quickly very unstable.

One concrete problem for instance: I haven't had that much harddisk space reserved for Linux so it happened to me a few times that I had 0 bytes left on my partition. Maybe I'm not completely precise because I don't know the exact mechanism, but when you fill up a disk with a non-root account there are always a few kilobytes left. But if you really have 0 bytes left, your system makes weird errors and you might end up with some hard to fix damage in your system because there is a lot of system software running in the background...

Another thing is: That division between root and non-root keeps your system well-organized. As a root-user you might be tempted to not cleanly install your new applications which leaves you with a dirty, hard maintainable system.

But the good thing: Modern distributions do most of the administration tasks for you, so seldom you have to fiddle in the guts of your Linux system with a root account. Entering a password from time to time is sufficient, the rest is done by the distributor's scripts.

But I doubt that you haven't had issues on your Windows system with that if you used 95 oder 98. (At least I had issues with that...) Because of the lack of a clear separation between Administrator and regular user "traditional" Windows apps assume they can do anything E.g. install Spyware if they feel like it, even without telling you. Microsoft engaged in that issue when releasing Vista. (Effectively implementing a sudo mechanism.) So people got very annoying dialogues saying "You can't do that". For some non-Vista-compliant software you needed some dirty hacks to install it, even as Administrator...

There are a lot of aspects behind this approach. Some of them are: