#1
Just Joined!
Join Date: Jul 2013
Posts: 3

Question: Strength of Linux security - integrity of applications


    Hey guys. So I am thinking about building a new HTPC, and am thinking about a Linux installation - Ubuntu being at the top of the current list. Alternatively, I am also considering just paying for a new W7 or W8 license.

    Before I make the Linux plunge, I wanted to understand the security of the distros a bit more carefully. I am pretty security minded, and have a fair bit of experience in information security, cryptography, DRM, etc. etc. So, having a secure system is pretty important to me.

    With due consideration to the obvious problems with the digital signatures of binaries in the Windows world - it's something. It's better to have a $50 lock on your front door than to have none at all. That being said, what does Linux have to ensure that the binaries that you download are legit and not subject to any tampering / man-in-the-middle attacks?

    To be precise, I don't have a problem with downloading the ISO image (which I usually do from multiple sources) and verifying the integrity of the initial image - and trusting it "as is". But, I do have some concerns about the subsequent files I pull down to expand the installation. Are they just "looked up" on some server and pulled up from the closest registered server without any kind of integrity check? i.e. let's say I want to install some media server or even some anti-virus. What kind of integrity checks are present to make sure it's a legit binary that is being pulled down without any tampering?

    Now, if the answer is "there is none" - that's fine. I just want to be fully informed at least.

    On a related note, what's the most security minded mainstream Linux distro you recommend for an HTPC? When I read up about Ubuntu, I noticed that for some odd reason the iptables firewall that comes with it is disabled by default. Seems like a strange stance to me. So, naturally, I was concerned about the security priority given to other aspects of Ubuntu as well.

    Thanks.

#2
Trusted Penguin Irithori
Join Date: May 2009
Location: Munich
Posts: 3,412
    Hi and welcome

    Packages are organized in repositories.
    These repositories and the packages they contain can be signed with a GPG key.
    Debian, Ubuntu, etc. do this by default.
    If 3rd-party repos omit that, it is your choice to use them or not.

    Your machine then needs the public part of the key to verify packages.
    Check the already existing keys on your Ubuntu box with
    Code:
    sudo apt-key list
    You must always face the curtain with a bow.
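The signature check described in the post above only protects you while it stays switched on. The following is an added example, not code from the thread or from Ubuntu: a small audit that flags the two apt settings which would let an unverified package through (a `[trusted=yes]` repository line and `APT::Get::AllowUnauthenticated "true"`), run over constructed sample files so it works offline; the repository URL and codename in the samples are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the two apt settings that let
# an unsigned package through, on constructed sample files so it runs offline.
# On a real box the inputs would be /etc/apt/sources.list (plus sources.list.d/*)
# and the fragments under /etc/apt/apt.conf.d/.

# audit_apt SOURCES CONF: print a WEAK line per risky setting; return 1 if any
audit_apt() {
    src=$1; conf=$2; rc=0
    # "[trusted=yes]" turns off signature checking for that repository line
    if grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes' "$src"; then
        echo "WEAK: $src: a repository is marked trusted=yes (signatures not checked)"
        rc=1
    fi
    # AllowUnauthenticated "true" lets apt-get install packages it cannot verify
    if grep -Eiq 'APT::Get::AllowUnauthenticated[[:space:]]*"true"' "$conf"; then
        echo "WEAK: $conf: APT::Get::AllowUnauthenticated is true"
        rc=1
    fi
    return $rc
}

demo() {
    tmp=$(mktemp -d)
    # weak configuration (constructed): an unsigned third-party repo plus an
    # apt.conf.d fragment that waves unverifiable packages through
    cat > "$tmp/sources.weak" <<'EOF'
deb http://archive.ubuntu.com/ubuntu raring main restricted
deb [trusted=yes] http://repo.example.invalid/htpc stable main
EOF
    printf 'APT::Get::AllowUnauthenticated "true";\n' > "$tmp/99weak"
    echo "== weak =="
    audit_apt "$tmp/sources.weak" "$tmp/99weak" || echo "fix these before installing anything"

    # hardened (constructed): no trusted=yes, and the secure default stated explicitly
    cat > "$tmp/sources.hardened" <<'EOF'
deb http://archive.ubuntu.com/ubuntu raring main restricted
deb http://repo.example.invalid/htpc stable main
EOF
    printf 'APT::Get::AllowUnauthenticated "false";\n' > "$tmp/99hardened"
    echo "== hardened =="
    audit_apt "$tmp/sources.hardened" "$tmp/99hardened" && echo "no weak settings found"
    rm -rf "$tmp"
}

demo
```

With the hardened sources file, apt will refuse the third-party repository until its signing key is imported, which is exactly the behaviour you want; `apt-key list` from the post shows which keys are already present.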

#3
Just Joined!
Join Date: Jul 2013
Posts: 3
    Quote Originally Posted by Irithori
    Hi and welcome

    Packages are organized in repositories.
    These repositories and the packages they contain can be signed with a GPG key.
    Debian, Ubuntu, etc. do this by default.
    If 3rd-party repos omit that, it is your choice to use them or not.

    Your machine then needs the public part of the key to verify packages.
    Check the already existing keys on your Ubuntu box with
    Code:
    sudo apt-key list
    Thanks for the quick response. I am not too familiar with Linux commands. Is it possible to check which packages are signed with a gpg key before installation? Essentially, can I download the app first, check if gpg signed, and THEN install much like in the Windows world? Off hand, do you know if any of the Linux anti-virus installs are gpg signed?

    Of course, while the corresponding public key of the package may be in the apt-key list, there is still no guarantee that the app itself is signed with the private key....

    Thanks again.

#4
Trusted Penguin Irithori
Join Date: May 2009
Location: Munich
Posts: 3,412
    The package check runs automatically, and it will refuse to install if the check fails.

    By verifying a repo and then verifying each package, you essentially trust the package maintainer.
    What they create is exactly what gets installed on your machine.

    Hence for most use cases it is not necessary to verify each file.
    If a package-controlled file is compromised, then it was either
    a) The package creator. In this case a GPG check on files would be useless. Since you trust this key, a check would always be OK.
    b) Yourself. Do you trust yourself?
    c) Someone with unauthorized root access to your machine. In this case, you already have a serious problem.

    Case c) could be countered or at least detected with package verify (compare the checksums of the files against what the package manager knows) or a file integrity scanner, which essentially does the same, but with an outside and read-only compare DB.
    Or, if you are *really* paranoid, you could lock down your machine with SELinux.
    Note that understanding SELinux requires a lot of effort, and maintenance of such a box will skyrocket.
    Unless the use case at hand needs a security level close to e.g. a bank, I wouldn't consider SELinux.
    You must always face the curtain with a bow.

#5
Trusted Penguin Irithori
Join Date: May 2009
Location: Munich
Posts: 3,412
    For the record,
    on a Debian/Ubuntu box you need the tool "debsums" to compare the checksums against the package DB

    Code:
    # install the package
    apt-get install debsums

    # use the tool
    debsums -c
    On an rpm-based machine, it would be
    Code:
    rpm -Va
    You must always face the curtain with a bow.
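To make concrete what `debsums -c` and `rpm -Va` do, and the "outside and read-only compare DB" idea from post #4, here is an added example that is not code from the thread or from either tool: it builds a baseline of SHA-256 sums over a constructed directory, stores it read-only, and then reports files that were modified or removed. It assumes GNU coreutils (`sha256sum`, `sort -z`); the file names and contents are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal file-integrity check in the
# spirit of "debsums -c" and "rpm -Va". The baseline is meant to live on
# read-only or external storage, so an intruder with root cannot rewrite the
# reference sums along with the files they describe (the "outside and read-only
# compare db" from the thread). Assumes GNU coreutils (sha256sum, sort -z).

# build_baseline DIR DB: record the SHA-256 of every regular file under DIR
build_baseline() {
    dir=$1; db=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$db"
}

# verify_baseline DIR DB: print one MODIFIED/MISSING line per finding;
# return 1 if anything differs from the baseline, 0 when every file matches
verify_baseline() {
    dir=$1; db=$2; rc=0
    while read -r sum path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$db"
    return $rc
}

# demo: constructed files in a temp dir, a baseline, then a modified and a
# deleted file to show what the check reports
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin" "$tmp/db"
    printf 'echo hello\n' > "$tmp/root/usr/bin/hello"
    printf 'echo ok\n'    > "$tmp/root/usr/bin/other"
    build_baseline "$tmp/root" "$tmp/db/baseline.sha256"
    chmod 0444 "$tmp/db/baseline.sha256"        # read-only; ideally external media
    printf 'echo tampered\n' > "$tmp/root/usr/bin/hello"   # simulated modification
    rm "$tmp/root/usr/bin/other"                            # simulated deletion
    verify_baseline "$tmp/root" "$tmp/db/baseline.sha256" || echo "integrity check FAILED"
    rm -rf "$tmp"
}

demo
```

The package tools have one advantage over this script: their reference sums come from the signed package itself, so the baseline is trusted before the file ever lands on the box, whereas a home-grown baseline is only as good as the moment it was taken.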

#6
Just Joined!
Join Date: Jul 2013
Posts: 3
    Quote Originally Posted by Irithori
    The package check runs automatically, and it will refuse to install if the check fails.

    By verifying a repo and then verifying each package, you essentially trust the package maintainer.
    What they create is exactly what gets installed on your machine.

    Hence for most use cases it is not necessary to verify each file.
    If a package-controlled file is compromised, then it was either
    a) The package creator. In this case a GPG check on files would be useless. Since you trust this key, a check would always be OK.
    b) Yourself. Do you trust yourself?
    c) Someone with unauthorized root access to your machine. In this case, you already have a serious problem.

    Case c) could be countered or at least detected with package verify (compare the checksums of the files against what the package manager knows) or a file integrity scanner, which essentially does the same, but with an outside and read-only compare DB.
    Or, if you are *really* paranoid, you could lock down your machine with SELinux.
    Note that understanding SELinux requires a lot of effort, and maintenance of such a box will skyrocket.
    Unless the use case at hand needs a security level close to e.g. a bank, I wouldn't consider SELinux.
    Thanks. So to elaborate on (a) above, how do you verify the repo and each package? (i.e. what command do you run). Even if you trust the repo, without any malicious intent, the manager may "forget" to sign a particular package - which can be exploited by an attacker. How do you ensure that nothing gets installed without it being verified by a key in your current active repository? Is that possible? Essentially, nothing will get installed unless verified by your "trusted key list". If a (trusted) manager forgets to sign, then sorry, the package will not get installed.

    Going to (c) - root access - assuming something slipped past you and a trojan got installed, how easy is it to catch it under Linux? i.e. how good are the anti-virus, trojan scanners, firewalls, etc. etc. at picking up attempts by a trojan to connect to the outside? I guess for this question, you can assume that once the system is prepped and ready to go, "typical operation" and surfing will be in regular user mode and not in admin/su mode.

    Thanks.

#7
Linux Guru
Join Date: Oct 2007
Location: Tucson AZ
Posts: 3,190
    I can't really give you any more detail than Irithori did above as I'm not that familiar with it. The repositories are controlled very closely by the developers and everything is checked on a regular basis. The only way a program gets in the repositories is if the developers write it or if they get it from someone outside their group, they check it thoroughly. It's not like some dufus can just put whatever program he has written in the repositories. I don't really know but, I would seriously doubt that any single individual is responsible for an individual program.

    Quote:
    without any malicious intent, the manager may "forget" to sign a particular package
    Regular user mode means that if you would happen to get a trojan or virus it would only affect your /home/user directory as everything else needs root access. You can create other partitions for data which would have the same potential problem. There are anti-virus programs for Linux and some of the major anti-virus companies have their own. I don't know how easy it is to find out if I have a trojan or virus as I've never had either. Of course, I've only been using Linux for ten years and have only tried 50-60 of the hundreds of distributions available.

    For a virus or trojan to do anything problematic, it would need to be able to do something, in other words be executable. Windows executable files will not run on any Linux distribution.
