LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-12-2013, 06:41 PM   #46
manu-tm
Member
 
Registered: May 2008
Location: France
Distribution: Ubuntu, Debian
Posts: 343

Rep: Reputation: 43

Quote:
Originally Posted by TobiSGD View Post
As I stated before, on Windows being in the Administrator role does not mean that you have all rights, but that you can get all rights. Just open the settings dialog and give yourself the rights to access those folders. Note that you have a GUI dialog for that only on XP Professional, the Home version lacks that dialog.
This is not inconsistent with the Administrator role at all, it just isn't the same as being the root user in Linux.

But anyways, this is a Windows version from 2001, it would be fair if you would use a recent version for comparison, those got major changes when it comes to security.
I have the home version, hence the issue. And I see this as a bug because it happens randomly (I can't link this behaviour to any change in user settings.)

While I agree XP may be a little bit outdated security-wise , I still find Windows file permissions implementation really weird (again IMHO.)
 
Old 03-12-2013, 06:46 PM   #47
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,960

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
Quote:
Originally Posted by TobiSGD View Post
My Windows 7 (and Vista before) system does the same, if i want to change something in a system folder it asks me for the permission to do that
Yes, but most Windows users don't see UAC for what it is. They view it as an annoyance, and most of them scramble to turn it off immediately. Just Google "windows UAC annoyance" and see how many results you get... or... simply ask anyone who works in IT and uses Windows 7 if they have UAC switched off on their home computers.

Furthermore, pretty much any software program written for Windows requires Admin-level access just to be installed. Under Linux, I have several programs installed within my user account. Why don't Microsoft set up Windows that way? Why does every single little game or utility need to be installed system-wide? This indicates to me that Microsoft still don't truly understand the importance of separating user space from system space. Popping up a message which asks "Are you sure?" doesn't cut it.

The user should be able to do anything within their own space, including things like running customised mouse settings or specific monitor DPI settings. Windows does not allow this. Linux does.
Quote:
Originally Posted by TobiSGD View Post
Please don't compare Linux with Windows versions from 2001, this is just unfair.
NT has been around for almost as long as Linux. Comparing the two is perfectly fair.
 
Old 03-12-2013, 07:18 PM   #48
guyonearth
Member
 
Registered: Jun 2012
Location: USA
Distribution: Mint
Posts: 410

Rep: Reputation: 82
Quote:
Originally Posted by manu-tm View Post
Totally agree, Windows was and still is unsecure by design. And the file permissions sytem that was implemented as an afterthought was/still is a holy mess. You can be logged in as 'Administrator' and still be denied doing certain things, whereas you can very easily mess things up when logged in as a non-privileged user. Sorry but Windows security is a joke.
Typical statements from someone who really doesn't know that much about Windows, at least the current versions. Windows can be locked down tight as a drum if you want. Just because most people don't have the discipline to use it properly or securely is not an indictment of the security model. And as far as a default Linux install, it can be crashed and burned very easily by either a neophyte or someone determined to do so. I've seen single clicks on the wrong thing stop a system dead.
 
Old 03-12-2013, 07:31 PM   #49
manu-tm
Member
 
Registered: May 2008
Location: France
Distribution: Ubuntu, Debian
Posts: 343

Rep: Reputation: 43
Quote:
Originally Posted by guyonearth View Post
Typical statements from someone who really doesn't know that much about Windows, at least the current versions. Windows can be locked down tight as a drum if you want. Just because most people don't have the discipline to use it properly or securely is not an indictment of the security model.
I admit that I don't use/know last version of Windows that much and that my judgement may be biased. But you can't deny the original design differences. And I've never heard of botnets 'typically' running on millions of infected Linux machines, just because of users' lack of discipline. (OK, for a fair comparaison, I should scale down that number to thousands or so.)

Quote:
Originally Posted by guyonearth View Post
And as far as a default Linux install, it can be crashed and burned very easily by either a neophyte or someone determined to do so. I've seen single clicks on the wrong thing stop a system dead.
Yeah, as root you can totally wipe out your hard drive in no time. No really big news here. (And I also happened to ruin one of my first Linux installs... )

Last edited by manu-tm; 03-14-2013 at 09:42 AM.
 
Old 03-12-2013, 07:41 PM   #50
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,960

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
Quote:
Originally Posted by guyonearth View Post
Windows can be locked down tight as a drum if you want.
Why isn't it that way by default?

If they were serious (and let's face it - they're not - it would kill the AV industry), they would really separate system space from user space.

When someone wants to install a piece of software, it should install to their user account by default. This is not the current behaviour in Windows. Why not?
Quote:
Originally Posted by guyonearth View Post
And as far as a default Linux install, it can be crashed and burned very easily by either a neophyte or someone determined to do so.
Absolutely. I've seen it with my own two eyes.

What I've also very recently seen is our "fully locked down" office Windows network taken down by a 5 year old worm (conficker) which somehow "slipped past" our enterprise-wide installation of Symantec AV... The IT dept were here all weekend fixing it.

Last edited by rkelsen; 03-12-2013 at 07:45 PM.
 
Old 03-12-2013, 08:15 PM   #51
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,130
Blog Entries: 2

Rep: Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825
Quote:
Originally Posted by rkelsen View Post
Yes, but most Windows users don't see UAC for what it is. They view it as an annoyance, and most of them scramble to turn it off immediately. Just Google "windows UAC annoyance" and see how many results you get... or... simply ask anyone who works in IT and uses Windows 7 if they have UAC switched off on their home computers.
So if users disable a security system it is somehow the fault of the system? Google for "running <insert distro name here> as root" or something similar and you will get a large number of hits, but that says nothing about the Linux security.

Quote:
Furthermore, pretty much any software program written for Windows requires Admin-level access just to be installed. Under Linux, I have several programs installed within my user account. Why don't Microsoft set up Windows that way? Why does every single little game or utility need to be installed system-wide? This indicates to me that Microsoft still don't truly understand the importance of separating user space from system space. Popping up a message which asks "Are you sure?" doesn't cut it.
Most applications use installers that are not written by Microsoft, you can hardly blame Microsoft for that. Also, most installers let you choose the directory to install in, so if you just give it a path in your user's directory you will be fine and achieve exactly what you want. In fact, at this point the Windows system with installers is more flexible than package managers like APT or RPM.

Quote:
The user should be able to do anything within their own space, including things like running customised mouse settings or specific monitor DPI settings. Windows does not allow this. Linux does.
I haven't tried different DPI settings, but there is absolutely no problem in using custom mouse settings.

Quote:
NT has been around for almost as long as Linux. Comparing the two is perfectly fair.
No, it is not. The current version of the NT tree are Windows 8/Windows Server 2012. You wouldn't find it fair to compare Windows 8 with Slackware 3 either, wouldn't you?

Quote:
When someone wants to install a piece of software, it should install to their user account by default. This is not the current behaviour in Windows.
As stated above, this also isn't the current behavior on Linux. In this point the package management systems used on Linux are unflexible, the installers of Windows software with the ability to choose an installation-path are more flexible.

Quote:
What I've also very recently seen is our "fully locked down" office Windows network taken down by a 5 year old worm (conficker) which somehow "slipped past" our enterprise-wide installation of Symantec AV... The IT dept were here all weekend fixing it.
All known versions of Conficker use the security hole known as MS08-067 (patched for years), a dictionary attack on the ADMIN$ share (weak passwords) or the Autorun mechanism for removable drives (should be disabled on important systems). This is more an indicator for mistakes from IT team than for a security mechanism in an OS.

Last edited by TobiSGD; 03-12-2013 at 08:17 PM.
 
1 members found this post helpful.
Old 03-12-2013, 08:49 PM   #52
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,960

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
Quote:
Originally Posted by TobiSGD View Post
So if users disable a security system it is somehow the fault of the system? Google for "running <insert distro name here> as root" or something similar and you will get a large number of hits, but that says nothing about the Linux security.
And for every post on any internet forum about this, there will be at least 3 posts lambasting the person asking the question. This is universally hated by the Linux community.

Compare this to Windows-land, where the top IT journals write about how to disable UAC. Even Microsoft's own knowledge base has articles explaining how to do it.
Quote:
Originally Posted by TobiSGD View Post
In fact, at this point the Windows system with installers is more flexible than package managers like APT or RPM.
Clearly, I was referring to unpackaged software. Yes if you use the system's package manager, it always installs things system-wide.

The thing is, you don't have to use the system's package manager to install extra things. And why would you do that if you wanted something installed to your user account anyway?
Quote:
Originally Posted by TobiSGD View Post
I haven't tried different DPI settings, but there is absolutely no problem in using custom mouse settings.
Yes, as long as you provide UAC with the Admin password because this is not a per-user setting in Windows.
Quote:
Originally Posted by TobiSGD View Post
You wouldn't find it fair to compare Windows 8 with Slackware 3 either, wouldn't you?
No, it wouldn't be fair on Windows 8...
Quote:
Originally Posted by TobiSGD View Post
As stated above, this also isn't the current behavior on Linux. In this point the package management systems used on Linux are unflexible, the installers of Windows software with the ability to choose an installation-path are more flexible.
It's funny. Every installer I've used has always caused UAC to pop up. Why is that?
Quote:
Originally Posted by TobiSGD View Post
All known versions of Conficker use the security hole known as MS08-067(patched for years), a dictionary attack on the ADMIN$ share (weak passwords) or the Autorun mechanism for removable drives (should be disabled on important systems).
Did I mention that our desktops are running Windows 7 locked down as tightly as possible? Patches and updates are pushed out regularly by our IT guys.

As an aside: Have you tried getting Linux to boot via BCD on a UEFI box yet?
 
Old 03-12-2013, 10:29 PM   #53
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,130
Blog Entries: 2

Rep: Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825Reputation: 4825
Quote:
Originally Posted by rkelsen View Post
Clearly, I was referring to unpackaged software. Yes if you use the system's package manager, it always installs things system-wide.

The thing is, you don't have to use the system's package manager to install extra things. And why would you do that if you wanted something installed to your user account anyway?
As I stated, it is no problem at all to install software on Windows to your user's directory and it is not Microsoft that is writing those installers or, in case an installer uses MSI, writes the settings for the install-script.

Quote:
Yes, as long as you provide UAC with the Admin password because this is not a per-user setting in Windows.
And here it gets funny. I couldn't remember that I had to confirm the UAC when changing mouse settings, so I just tried it. Neither changing mouse settings nor setting up a different DPI invoked the UAC here.

Quote:
It's funny. Every installer I've used has always caused UAC to pop up. Why is that?
This can have different reasons. For example when the installer tries to write to the systemwide part of the start-menu, which a properly written installer asks you (usually they ask exactly that, if you want to install for every user or only for your user).

Quote:
Did I mention that our desktops are running Windows 7 locked down as tightly as possible? Patches and updates are pushed out regularly by our IT guys.
In that case Conficker shouldn't be able to infect the systems.

Quote:
As an aside: Have you tried getting Linux to boot via BCD on a UEFI box yet?
I didn't had time and mood for this yet, there may be another 1-2 months until I can try that.
 
Old 03-13-2013, 05:06 AM   #54
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,960

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
Quote:
Originally Posted by TobiSGD View Post
In that case Conficker shouldn't be able to infect the systems.
Exactly right... but it did anyway. It certainly had the IT dept confounded for a few days. They still don't know how it happened.
 
Old 03-13-2013, 07:48 AM   #55
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Quote:
Originally Posted by TobiSGD View Post
As I stated before, on Windows being in the Administrator role does not mean that you have all rights, but that you can get all rights. Just open the settings dialog and give yourself the rights to access those folders. Note that you have a GUI dialog for that only on XP Professional, the Home version lacks that dialog.
This is not inconsistent with the Administrator role at all, it just isn't the same as being the root user in Linux.
So it is just as insecure as VMS was...

"I only need one privilege... so give me "setpriv".

And that IS equivalent to root.

In linux, doing "su root" or using sudo, doesn't give you all the privileges of root - it only sets the effective UID to root. It does give you the ability to access any file (by default - not true with certain SELinux configurations). To get full root requires doing "su - root" (which sets both the effective UID and real UID to root). The advantage sudo has is that even then, you can be limited in what you can execute and the ability group users into roles, thus a more graduated access to the root account.

There are systems that don't have su (easy peasy - just delete it, but be sure sudo is installed and working as needed).

The problem with using bitmaps to represent privileges is identifying the privilege... By the time you get them all listed, your bitmap has several thousand entries... And somebody will always come up with more. As I recall, VMS was limited to two groups of 32, simply because of the time it takes to test bits, and that was too small. Linux is limited to 32, and that is way too small. Many privileges had to be combined to make things fit. That limitation makes it hard to delegate (same problem in windows) and causes security issues because of the overlaps. Just look at CAP_SYS_ADMIN for one example of an overloaded capability. (ref: http://man7.org/linux/man-pages/man7...ilities.7.html)

When capabilities were implemented I send in suggestions that there should be multiple extensions to the kernel capabilities - the base for kernel protection, then a set for system protections, then a set for site definition. But that got turned down - one of the problems with it is the amount of data needed for each inode... And the presumption that ACLs on inodes would handle that - unfortunately, they don't and they are slow to process.
 
Old 03-13-2013, 12:03 PM   #56
guyonearth
Member
 
Registered: Jun 2012
Location: USA
Distribution: Mint
Posts: 410

Rep: Reputation: 82
Quote:
Originally Posted by rkelsen View Post
Why isn't it that way by default?

If they were serious (and let's face it - they're not - it would kill the AV industry), they would really separate system space from user space.

When someone wants to install a piece of software, it should install to their user account by default. This is not the current behaviour in Windows. Why not?

Absolutely. I've seen it with my own two eyes.

What I've also very recently seen is our "fully locked down" office Windows network taken down by a 5 year old worm (conficker) which somehow "slipped past" our enterprise-wide installation of Symantec AV... The IT dept were here all weekend fixing it.
It's not that way by default, because hundreds of millions of users actually have to use it, and want to do so without learning whole new paradigms or generating millions of new support calls. The vast majority of Windows systems are essentially one-user systems where complex security would be viewed as both a barrier and an annoyance. That's just the reality of how it is. Computers and operating systems are too complex for the average person to want to delve into security mechanics, they just want to get on Facebook, or surf, or play their game, or whatever. I'm not defending that behavior, it's just a market reality that Microsoft has to deal with, or risk alienating a large user base. One could as easily get on the public's case about how they don't maintain their cars, change their oil like they should, lock their doors, etc. There is always going to be a lowest common denominator that won't do it for whatever reason. In the Linux world, which is much smaller and more specialized, and where the typical user is much more aware of security issues and much more inclined to get "under the hood", good practice comes more easily.

One can well ask why they don't separate system space and user space. Actually, they do, in a lot of ways, but the short answer is that since most systems are essentially single user, doing so would not really fundamentally alter the consequences of something like a virus infection or security breach. If the files in the user's space are trashed, the system itself might continue to function, but the computer would still need to be repaired or the system reinstalled. I agree this is probably a cop-out on Microsoft's part, but from a business standpoint, there is no compelling reason to re-architect the system...though I think they will take more steps in that direction. Current versions of Windows are pretty secure, if people would just use common sense and not download and run untrusted software. The exact same problems have presented themselves on Macs, which in theory have better separation of system and user space. Since Linux is really not a target, the amount of untrusted potential malware even available to download is vastly smaller to start with, if it exists at all.

I can't speak to the situation at your company, since I don't know what's going on there. What it boils down to is that somebody probably didn't do their job. We tend to blame systems and machines that can't think or act proactively for our own omissions, more often than not, it's easier than just admitting a mistake. That being said, I've seen lots of companies running security and antivirus solutions that are either misconfigured or hopelessly out of date. That last place I did any real server work at was running a Dell Windows SBS server with an antivirus program that had never been updated since they bought it. I explained that they needed to buy an updated subscription, and that it would cost about $1400, they didn't seem the least bit interested. It's hard to counter that kind of indifference. Admittedly, this was a place where the owner bought a stack of Windows XP HOME editions to use on his Windows domain (Home can't connect to a domain, for those that don't know) on the information he got from "a guy who knows computers" that said they could be "hacked" so they would work....so I'm sitting there with a bunch of Home editions, a bunch of workstations, and I'm supposed to get them on the network that day. He also demanded I get a PowerMac G5-based workstation to not only join the domain, but be able to run the shared WINDOWS applications there. Not surprisingly, I don't do that kind of freelance work any more, it's too frustrating.
 
1 members found this post helpful.
Old 03-13-2013, 03:16 PM   #57
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Quote:
Originally Posted by guyonearth View Post
Typical statements from someone who really doesn't know that much about Windows, at least the current versions. Windows can be locked down tight as a drum if you want. Just because most people don't have the discipline to use it properly or securely is not an indictment of the security model. And as far as a default Linux install, it can be crashed and burned very easily by either a neophyte or someone determined to do so. I've seen single clicks on the wrong thing stop a system dead.
Only time I've seen that happen is when the user is running the GUI as root.

That is a BIG PEBCAK error.
 
Old 03-13-2013, 06:18 PM   #58
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 1,960

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
Quote:
Originally Posted by guyonearth View Post
It's not that way by default, because hundreds of millions of users actually have to use it, and want to do so without learning whole new paradigms or generating millions of new support calls. The vast majority of Windows systems are essentially one-user systems where complex security would be viewed as both a barrier and an annoyance. That's just the reality of how it is. Computers and operating systems are too complex for the average person to want to delve into security mechanics, they just want to get on Facebook, or surf, or play their game, or whatever. I'm not defending that behavior, it's just a market reality that Microsoft has to deal with, or risk alienating a large user base. One could as easily get on the public's case about how they don't maintain their cars, change their oil like they should, lock their doors, etc. There is always going to be a lowest common denominator that won't do it for whatever reason. In the Linux world, which is much smaller and more specialized, and where the typical user is much more aware of security issues and much more inclined to get "under the hood", good practice comes more easily.

One can well ask why they don't separate system space and user space. Actually, they do, in a lot of ways, but the short answer is that since most systems are essentially single user, doing so would not really fundamentally alter the consequences of something like a virus infection or security breach. If the files in the user's space are trashed, the system itself might continue to function, but the computer would still need to be repaired or the system reinstalled. I agree this is probably a cop-out on Microsoft's part, but from a business standpoint, there is no compelling reason to re-architect the system...though I think they will take more steps in that direction. Current versions of Windows are pretty secure, if people would just use common sense and not download and run untrusted software.
Excellent post.

I believe that's the end of the thread, folks.
 
1 members found this post helpful.
Old 03-15-2013, 03:38 PM   #59
patrick013
LQ Newbie
 
Registered: Dec 2012
Posts: 23

Rep: Reputation: Disabled
Is there a flowchart or a block diagram that illustrates this ?

Something conceptual put in picture form, not a flow diagram of some
specific source code.

Starting with iptables and or the command line, how a packet or a
program starts, is accepted or denied, the actions after that, acceptance
or denial, that keeps the OS secure and running.

Then how that packet or program could proceed to test Linux security layers.
User, root, system, admin, and what that would conceptually look like in
flow diagram form. Basic steps taken to keep intruder code out of those
areas.

And, finally, the kernel. Basic steps taken to keep intruder code out of
the kernel or keep the kernel from doing something it shouldn't. In conceptual
picture and arrow form. But still technically defining the OS modules or
systems running to provide the security actions portrayed.


I found a flow diagram about iptables and how they keep the whole system secure
but not about the lower layers and the kernel. Shouldn't be hard to do.

thx

patrick

Last edited by patrick013; 03-15-2013 at 03:42 PM.
 
Old 03-15-2013, 04:14 PM   #60
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
It doesn't work like that. Things don't "flow" through layers of security. Data flows though the various subsystems though, but security isn't like that.

An introduction to (even though it is a bit dated) SELinux is at

http://docs.fedoraproject.org/en-US/...nhanced_Linux/

And then there is the DAC (discretionary access controls) which are much simpler to understand, mostly because they are more familiar owner, group, other permissions.

In addition, Linux also support access control lists.

Then there are capabilities...

http://www.symantec.com/connect/arti...ities-and-acls
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Anti-spam anti-virus dovecot + postfix mail system xuta Linux - Server 7 06-08-2012 06:31 PM
dual boot without anti-virus, virus now in linux gardner Linux - Security 7 03-09-2009 02:01 PM
Anti Virus/ Anti Spam for Linux? Sp@rticus Linux - Software 3 11-18-2005 03:17 AM
Boot virus or Anti-Virus? AVG Free Anti-Virus Software problems SparceMatrix Linux - Security 9 08-02-2004 03:35 PM
Creating an ultimate anti-virus and anti-spam email gateway markcc Linux - Networking 2 10-08-2003 04:10 AM


All times are GMT -5. The time now is 09:06 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration