Linux security

Stephen R Laniel steve at laniels.org
Sat Apr 29 00:15:33 UTC 2006 

On Fri, Apr 28, 2006 at 11:03:47PM +0100, Daniel Carrera wrote:
> I'm certainly a big fan of sudo. But what it does is protect the OS 
> itself, the system files. I don't want to diminish sudo, but it doesn't 
> protect your data files.

That's a rather narrow conception of the ways that people
can access or destroy your data files. A great many security
problems in Windows occur because a vulnerability allows
arbitrary code to run with the privileges of the current
user. Since the current user in most cases has adminstrative
rights, this gives attackers full control of a machine --
from which they could do whatever they want with anyone's
data. Allowing people to execute individual commands as root
lowers the chance of this happening.

> chroot is fantastic, but it protects the core OS, and other users. It 
> won't protect your data files.

Unless you're running bind or Apache under chroot, and
someone manages to exploit the vulnerability to break in.
Then you will notice the value of chroot in protecting your
data.

> Daniel: Linux is more secure than Windows.
> MS guy: Why?
> Daniel: It has better separation of priviledge (sudo, chroot)
> MS guy: But that won't protect the user's data which is what
>         really matters.

Not many of these conversations are valuable. I think you
could profitably break down such conversations as follows:

1) Conversations with business people running servers. These
   people very much do care about sudo, chroot, and so
   forth.

2) Ordinary users. These people probably don't care much
   about security, or else they would have bailed on Windows
   long ago.

I don't think that what's keeping people away from Linux is
a fear that their data are more vulnerable.

> So, besides user data, what else are we trying to protect? Are you 
> thinking of bot-nets? How would you argue that bot-nets are more 
> difficult to create with Linux? After all, a virus could edit your Gnome 
> startup file (notice, no need to escalate priviledge) to start the 
> program every time your computer turns on.

That wasn't my point. My point was that if someone else's
Windows machine is insecure, that affects me -- because
now that user's machine can be taken over and used to attack
my servers. My security depends on their security.

-- 
Stephen R. Laniel
steve at laniels.org
Cell: +(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060428/2484cb31/attachment.sig>

More information about the ubuntu-users mailing list