Linux security

Stephen R Laniel steve at laniels.org
Fri Apr 28 21:21:23 UTC 2006


On Fri, Apr 28, 2006 at 10:31:06PM +0100, Daniel Carrera wrote:
> One of the selling points we use to promote Ubuntu is greater security. 
> Figuring out exactly how that is true is relevant here.

Sudo alone is huge. Windows makes security a user-by-user
decision -- she's an admin user, he's not. Under Linux, you
can choose to execute certain commands as an admin user.
This granularity is damned handy.

Suexec is very secure: run a process as a separate user so
that if someone breaks into your machine, he or she can only
access a small fraction of your files.

Chroot is a security bonus, and there is nothing like it
under Windows.

Noncommercial OSes have their security strengths and
weaknesses. Microsoft will do exactly as much as it needs to
do to maintain its market share; as Bruce Schneier has
repeatedly pointed out, Microsoft treats security flaws as
PR problems. Linux doesn't have PR to worry about; we're
scratching our own itches.

Peer-produced OSes have their own advantages, or could: by
stitching together small pieces, I have to be careful about
the data that I get from you. So I may end up being more
careful about sanitizing my data than someone whose system
-- like Windows -- is monolithic.

Likewise, Windows crams a lot of stuff into one monolithic
code base. If I want to run a secure server, I take
everything off of it that I don't need -- X, GNOME, etc.
What's left is a minimal device that's less vulnerable to
attack.

Obviously a culture of openness is better at finding,
diagnosing, and fixing bugs. In its own way, this is the
basic premise of democracy. As Schneier has again stressed
repeatedly, democracies are more secure than tyrranies.

There's plenty that's more secure. I'm sure Windows has its
own advantages. This is not a theoretical question; it's a
question that can be answered by looking at data. All the
data I've seen so far, however, have tended to treat all
bugs identically, for instance. But not all bugs have equal
severity. Not all bugs leave my machine open to exploitation
by others.

So for one thing, I think you have the wrong idea about why
we want security. It's not just about protecting your data.
We live in a networked world: if you run an insecure
machine, it affects me. A secure machine is one that
protects you and your neighhor.

-- 
Stephen R. Laniel
steve at laniels.org
Cell: +(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060428/ab63cafb/attachment.pgp>


More information about the ubuntu-users mailing list