January 20th, 2009
Well, I was about to go to bed, but I can’t sleep till I get this written.
This was prompted by yet another comment thread in which people seem to believe Linux has some kind of special sauce that keeps them super-safe from malware.
The problem is, no, no it doesn’t. In practical respects, from the point of view of the individual end-user, a typical modern Linux system is only marginally more ‘safe’ from malware ‘attacks’ than a typical modern Windows system.
There’s some things many people misunderstand, that it’s important to understand. One: most ‘malware’ on Windows, these days, is pretty simple. The majority of it falls into the category known as a trojan, or trojan horse. What this means is that it doesn’t use some sort of clever exploitation of a security vulnerability in the operating system in order to propagate itself without human intervention. No, it’s much more dull. Most malware just works by getting the victims to infect themselves. Why bother going to all that trouble to exploit a security vulnerability that’ll probably be patched in a month when you can just write your nasty pop-up ad spawning application, say it’s a porn video or a poker game or a bleeding fart noise generator, and slap a few Google ads on some dodgy porn sites? This is how most modern adware works. It gets run because naive users run it, not by exploiting intrinsic vulnerabilities in the operating system.
Two, most of the much-vaunted Linux / Unix ‘security measures’ have very little relevance to your average desktop Linux user. The whole Linux security model is designed on the basis of a multi-user system. The intent is essentially that every user be allowed to do exactly what the hell s/he wants in his own environment – and only in his/her own environment. And this is done, in general, very well (though there’s usually at least a few unpatched privilege escalation vulnerabilities in the wild – still, never mind). But you have to realize the implications of this.
If you’re in a proper multi-user environment – a single system (however the hardware is set up) with dozens of unprivileged user accounts, and a system administrator – it’s a godsend. For the administrator, and all the smart users. But it does nothing for the dumb users. Why? Well, think about it. The point is that nasty code can only screw up an individual user’s own stuff – basically, his/her home directory. So no other users are affected, and the system administrator can easily deal with the situation. This is what most Linux / Unix security is about.
So, think through the implications. If you’re Joe Dumb User and you just ran a trojan, none of this helps you a jot. Why? Because all the stuff you care about lives…in your user environment. Sure, it’s great to know that Jane Smart User and the BOFH can still truck along hunky dory, but there’s nothing at all to stop the trojan you just ran from popping up several zillion ads on your desktop. Or opening a browser to a selection of the finest in erotic entertainment sites, just as your boss walks in. Or wiping out all your precious files. Because they’re all stored in your flipping home directory, where any process running with your user privileges can do whatever the hell it likes.
Think a little further. If you run Linux on your desktop, you probably don’t run a true multi-user environment. Again, the whole concept of multi-user security does stuff all for you. If you run a trojan, it can annoy you as much as it likes, and kill all the data you care about. Yes, multi-user security prevents it doing anything to any system-wide files. But, so what? There’s very little you actually care about stored in /usr or /etc, is there? All your contacts, presentations and the fifth draft of your Next Great American Novel all live in /home/yourusername, where the trojan can do whatever the heck it likes to them.
Three, and this is the big one, 99% of desktop Linux users run completely arbitrary code as root, on at least a semi-regular basis.
Yes, really, they (you) do. Why? Well, think about what happens when you install a package. The installation process runs as root, and it runs utterly arbitrary code. When you install an RPM package, the %pre and %post scriptlets embedded in it are run with root privileges. Those scripts can be, well, anything at all. DEB packages have the equivalent in their preinst and postinst maintainer scripts, ebuilds have their own install-time phases, and every other form of package management has something similar. And even a package with no scripts at all is still dropping files into system locations: an init script, a cron job, a setuid binary or a shared library that the system will happily execute on the package’s behalf later on. It’s not possible to build a general-purpose package management system without trusting the package this far.
And, shout out if you only ever install properly signed packages from your distribution’s official repositories.
…quiet room, huh?
Just about everyone has installed a package for Some Kewl Application from some random third party website somewhere. Heck, this is a third-party website and I throw up packages for people all the time. When you go to www.mycoollinuxsite.com and install a package for a wireless card driver or a poker game or whatever the crap it is – congratulations, you just ran completely arbitrary code as root. You just did exactly the same thing any Windows-using clown who installs some poker game from www.mycoolwindowssite.com did. You don’t have a single iota more “protection” or “security” than the Windows-using clown. If whoever made that package – and you don’t have a clue who it was – wanted to own your system, they just did. Good job, sport.
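As an added example (not code from the original post, and not anything the author shipped), here is a small Python script that does the check the paragraphs above are really asking for: it pulls the maintainer scripts out of a .deb and shows you the code dpkg would run as root, before you hand over the password. It also builds the sample package it inspects, so the .deb and its postinst are constructed here purely for illustration.

```python
"""Look at the maintainer scripts inside a .deb before installing it.

A .deb is an `ar` archive holding `debian-binary`, `control.tar.*` and
`data.tar.*`. The maintainer scripts (preinst, postinst, prerm, postrm) live
in control.tar.* and dpkg runs them as root. Added example; the sample
package below is constructed, not a real package.
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member in the common ar format that .deb files use."""
    header = (
        name.ljust(16).encode()              # member name, space padded
        + b"0".ljust(12)                     # mtime
        + b"0".ljust(6)                      # uid
        + b"0".ljust(6)                      # gid
        + b"100644".ljust(8)                 # mode
        + str(len(data)).ljust(10).encode()  # size in bytes
        + b"`\n"                             # header terminator
    )
    # members are padded with a newline to an even length
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Build a gzip-compressed tar from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            payload = content.encode() if isinstance(content, str) else content
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(payload)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_deb(control_files: dict, data_files: dict) -> bytes:
    """Assemble a minimal .deb from a control set and a payload set."""
    return (
        AR_MAGIC
        + _ar_member("debian-binary", b"2.0\n")
        + _ar_member("control.tar.gz", _tar_gz(control_files))
        + _ar_member("data.tar.gz", _tar_gz(data_files))
    )


def ar_members(blob: bytes) -> dict:
    """Parse an ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    members = {}
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[0:16].decode().strip().rstrip("/")  # GNU ar appends '/'
        size = int(header[48:58].decode().strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # skip the even-length padding byte
    return members


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script name: text} for every maintainer script in the .deb.

    These are the scripts dpkg executes as root; reading them is the closest
    you get to knowing what 'install this package' will actually do.
    """
    members = ar_members(deb)
    name = next((n for n in members if n.startswith("control.tar")), None)
    if name is None:
        raise ValueError("no control.tar.* member: not a .deb")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*") as tar:
        for entry in tar:
            base = entry.name.split("/")[-1]
            if entry.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tar.extractfile(entry).read().decode()
    return scripts


# Constructed sample package: a harmless postinst, but anything placed here
# runs with uid 0 the moment the user says "install".
SAMPLE_POSTINST = """#!/bin/sh
set -e
# runs as root at install time: could be anything at all
touch /etc/installed-by-sample-package
"""

SAMPLE_DEB = build_deb(
    control_files={
        "control": "Package: sample\nVersion: 1.0\nArchitecture: all\n"
                   "Maintainer: nobody <nobody@example.invalid>\n"
                   "Description: constructed sample\n",
        "postinst": SAMPLE_POSTINST,
    },
    data_files={"usr/share/doc/sample/README": "sample payload\n"},
)

if __name__ == "__main__":
    for script, text in maintainer_scripts(SAMPLE_DEB).items():
        print("== %s (will run as root) ==" % script)
        print(text)
```

On a real system the same look comes from `dpkg-deb -e pkg.deb ctrl`, which extracts the control directory with the maintainer scripts in it, and for RPM from `rpm -qp --scripts pkg.rpm`, which prints the scriptlets; `rpm -K pkg.rpm` tells you whether the package carries a signature your keyring trusts. Reading the scripts is the whole check, though: a package that drops an init script or a setuid binary does its damage without any scriptlet, and none of this helps with a package you decide to install anyway.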
I’m not saying this to be negative about the importance of security or how well security is managed on Linux. Security is vital, and Linux distributions generally achieve their security goals rather well. The point is a general one. As long as an operating system lets the user run arbitrary code, it’s always going to be possible for a trojan to do whatever it likes to all the data that user cares about. As long as an operating system wants to make it relatively easy to install applications, it’s always going to be possible for a trojan to do whatever the hell it likes to any system, if someone chooses to install it. There is no security measure against that. The only operating system that can be ‘secure’ against this type of attack is one which is very locked down, and does not allow you to install or run arbitrary code. Like a restricted cellphone operating system. That’s fine, but it’s not what people want on their computers.
It’s really important that everyone who owns a computer understands this. Your computer is not magic. It cannot protect you from malicious code if you choose to run that code, no matter whether your operating system is Windows, Linux, OS X, FreeBSD or bloody BeOS. Dan says that data you keep in just one place is obviously data you don’t care about. I’d add that data you keep on a system on which you run arbitrary code, and nowhere else, is also obviously data you don’t care about.
Most people are not willing to accept the inconvenience that comes with only ever installing code that’s either a) 100% provably provided by a person or company you trust implicitly, or b) that you’ve examined every line of yourself. And that’s fine. But if you’re in this majority, you have to accept that the danger of trojan-type malware is one that can never be designed out by an operating system, and don’t be lulled into a false sense of security by the ‘Linux is invincible’ crowd. Yes, Linux is a properly multi-user operating system and secure from that perspective, in most implementations. Yes, Linux is generally quite well-secured against true ‘viruses’ and worms – malicious code that runs and spreads without explicit user intervention. No, it is not magically safe against malicious code unwittingly run by the operator. It can never be.
The bottom line – I could publish a package along with this post which, after you double-clicked on it, entered your root password, and said “yes” to “the package is not signed, install it anyway?”, would zero out your hard disk. I could, by writing this post differently, probably convince quite a lot of people to install said package. Just because it (to my knowledge) hasn’t happened yet, doesn’t mean it can’t. Be careful what you run.