Results 1 to 7 of 7
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 07-18-2013 #1
- Join Date
- Jul 2013
Strength of Linux security - integrity of applications
Before I make the Linux plunge, I wanted to understand the security of the distros a bit more carefully. I am pretty security minded, and have a fair bit of experience in information security, cryptography, DRM, etc. etc. So, having a secure system is pretty important to me.
With due consideration to the obvious problems with the digital signatures of binaries in the Windows world - it's something. It's better to have a $50 lock on your front door than to have none at all. That being said, what does Linux have to ensure that the binaries that you download are legit and not subject to any tampering / man-in-the-middle attacks?
To be precise, I don't have a problem with downloading the ISO image (which I usually do from multiple sources) and verifying the integrity of the initial image - and trusting it "as is". But, I do have some concerns about the subsequent files I pull down to expand the installation. Are they just "looked up" on some server and pulled up from the closest registered server without any kind of integrity check? i.e. lets say I want to install some media server or even some anti-virus. What kind of integrity checks are present to make sure it's a legit binary that is being pulled down without any tampering?
Now, if the answer is "there is none" - that's fine. I just want to be fully informed at least.
On a related note, what's the most security minded mainstream Linux distro you recommend for a HTPC? When I read up about Ubuntu, I noticed that for some odd reason the IP tables firewall that comes with it is disabled by default. Seems like a strange stance to me. So, naturally, I was concerned about the security priority given to other aspects of Ubuntu as well.
- 07-18-2013 #2
Hi and welcome
packages are organized in repositories.
These repositories and the packages they contain can be signed with a gpg key.
debian, ubuntu, etc do this by default.
If 3rd_party repos omit that, it is your choice to use them or not.
Your machine then needs the public part of the key to verify packages.
Check the already existing keys on your ubuntu box with
sudo apt-key listYou must always face the curtain with a bow.
- 07-18-2013 #3
- Join Date
- Jul 2013
Of course, while the corresponding public key of the package may be in the apt-key list, there is still no guarantee that the app itself is signed with the private key....
- 07-18-2013 #4
The package check runs automatically and it will refuse to install if the check fails.
By verifying a repo and the verifying each package, you essentially trust the package maintainer.
What they create is exactly what gets installed on your machine.
Hence for the most usecases it is not neccessary to verify each file.
If a package controlled file is compromised, then it was either
a) The package creator. In this case a gpg check on files would be useless. Since you trust this key, a check would be always ok.
b) Yourself. Do you trust yourself?
c) Someone with unauthorized root access to your machine. In this case, you already have a serious problem.
Case c) could be countered or at least detected with package verify (compare the checksums of the files against what the package manager knows) or a file integrity scanner, which essentially does the same, but with an outside and readonly compare db.
Or, if you are *really* paranoic you could lock down your machine with selinux.
Note, that understanding selinux requires a lot of effort and maintenance of such a box will skyrock.
Unless the usecase at hand needs a security level close to e.g. a bank, I wouldnt consider selinux.You must always face the curtain with a bow.
- 07-18-2013 #5
For the record,
on a debian/ubuntu box you need the tool "debsum" to compare the checksums against the package db
#install the package apt-get install debsum # use the tool debsums -c
rpm -VaYou must always face the curtain with a bow.
- 07-18-2013 #6
- Join Date
- Jul 2013
Going to (c) - root access - assuming something slipped past you and a trojan got installed, how easy is it to catch it under Linux? i.e. how good are the anti-virus, trojan scanners, firewalls, etc. etc. to pickup attempts for a trojan to connect to the outside? I guess for this question, you can assume that once the system is prepped and ready to go, "typical operation" and surfing will be in regular user mode and not in admin/su mode.
- 07-19-2013 #7
- Join Date
- Oct 2007
- Tucson AZ
I can't really give you any more detail than lrithori did above as I'm not that familiar with it. The repositories are controlled very closely by the developers and everything is checked on a regular basis. The only way a program gets in the repositories is if the developers write it or if they get it from someone outside their group, they check it thoroughly. It's not like some dufus can just put whatever program he has written in the repositories. I don't really know but, I would seriously doubt that any single individual is responsible for and individual program.
without any malicious intent, the manager may "forget" to sign a particular package
For a virus or trojan to do anything problematic, it would need to able to do something, in other words be execuatable. Windows executable files will not run on any Linux distribution.