LinuxQuestions.org
Old 05-23-2004, 04:41 PM   #1
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Rep: Reputation: 30
Question Security Drawbacks


Hi,

I was wondering if there would be any security drawbacks to run a linux server with KDE or GNOME? Is there a way to prevent such drawbacks apart from not installing KDE or GNOME?

Thanks
 
Old 05-23-2004, 07:35 PM   #2
deepsix
Member
 
Registered: Apr 2003
Distribution: ANY
Posts: 337

Rep: Reputation: 31
KDE and GNOME both run a lot of otherwise unneeded services... and without those services they wouldn't operate correctly... so I would suggest learning how to use the command line... vi especially... and learn your filesystem structure...
It seems there are always updates and security fixes for KDE... as well as GNOME...
I wouldn't want to run a server while they were running... hope this helps...
 
Old 05-23-2004, 08:21 PM   #3
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Question KDE Security

Thank you for your reply. I do know the basic commands of the Linux shell; however, coming from a Windows environment, there is always an urge to use the GUI. I was under the impression that Suse ran with a GUI and that it would be safe to run KDE in a server environment.

Is it a situation of use the command line for security or, "to get hacked", use the GUI?
 
Old 05-23-2004, 09:35 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Running X actually does start a service that can be manipulated to forward traffic remotely or allow incoming connections. As a general rule though, the more software you install, the greater the opportunity that you'll have software which is exploitable. That applies not only to server daemons, but to everything that you have installed on your system. While having something as innocuous as an mp3 player might not seem like a security threat, it can provide an opportunity for someone who has broken in to gain root level access through local privilege elevation.

Most people installing a true server will either choose a "server" option or do a custom installation (how I would recommend doing it if you know what the majority of the packages are). If you are just putting up a box to tool around on in your garage, that's a little different and you can put whatever you want on it. If you are putting up a real production server, having X (and other un-needed packages) is a bad idea.
 
Old 05-23-2004, 10:45 PM   #5
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Question KDE Security

I appreciate what you mean, Capt_Caveman; however, is there no way I can run a secure server with KDE? I mean, I would most certainly remove or uninstall unrequired services such as games, MP3 Player, etc. Given that it will take me extremely long to master all commands, which I know I can, I need to start somewhere, don't I? And the quickest way I can see myself starting Linux is to start from the GUI.
 
Old 05-24-2004, 12:00 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
If you need the GUI to actually run the box, then that's better than having a more secure GUI-less box that you can't run at all, right?

One option is to install all the GUI stuff you need, get the thing running properly and then uninstall the GUI as much as you can manage. I used to do that when I was first learning linux. I'd actually install it like that and configure everything in the GUI and then take all the GUI software off and then remove all the peripherals (monitor/keyboard/mouse) and make it a completely headless node that I could ssh into in order to admin stuff.

Once you get it up and running properly, you really shouldn't have to do too much to maintain it. Just things like check all the logs, install updates, put on new content. After a while you'll be a commandline wizard and won't have to use it at all.

However, you should definitely still try to limit the amount of extra software you're installing though. Most distros install a lot of garbage that you normally don't need in a server environment and have a bad habit of being poorly written (security-wise) and usually end up as entries on the Linux - Security Report.
 
Old 05-24-2004, 01:31 AM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Often, a server is rackmounted somewhere else and is administered using webmin.

Also, you could use 3 as the init default, and only run X-Windows when you are at the server, logging out when done. That would limit the time that the gui environment is running.

You didn't say what kind of service you are running on the server. A gateway computer is usually installed with the bare minimum of services running. It does one thing only and particular attention is paid to denying all other services and keeping it up to date with security updates.
 
Old 05-24-2004, 02:37 PM   #8
Obie
Member
 
Registered: Apr 2004
Distribution: Red Hat
Posts: 290

Original Poster
Rep: Reputation: 30
Question KDE Issues

Thank you guys for your advice. To Capt_Caveman, how do I know what to remove? To jschiwal, I wish to run a Mail and Web Server. I did think about running Webmin; however, I was planning to set everything up using KDE.
 
Old 05-24-2004, 03:12 PM   #9
deepsix
Member
 
Registered: Apr 2003
Distribution: ANY
Posts: 337

Rep: Reputation: 31
Just to add to the subject... If I were to use a GUI for a server, I would try blackbox/fluxbox, or windowmaker to do it... they aren't as pretty as KDE and GNOME but require fewer services to operate.
 
Old 05-24-2004, 07:11 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
The most important thing is to remember to change your xinit scripts to start with -nolisten tcp. That will prevent other hosts from exporting applications from your server to their display.
 
Old 05-25-2004, 10:26 AM   #11
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
There is a book called "Firewalls and Internet Security" that you may want to read to learn about network security. It covers running servers in a jail, which setuid-root programs you probably don't need, and using netstat -a to 'field strip a host'.

If you type the command:
Code:
find / -perm -4000 -user root -print | wc -l
you can find out how many suid programs are on the server. Take off the end part to get a listing of each file. That could give you a start on your question about what to get rid of.
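
Added example, not part of any post in this thread: shell checks for three points raised above (the default runlevel from post #7, `-nolisten tcp` from post #10, and the netstat listener review from post #11). The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: each check reads text on stdin, so it works on live output
# (e.g. `ps -eo pid,args | x_without_nolisten`) or on saved samples.

# Default runlevel from inittab-format text ("id:N:initdefault:").
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }'
}

# PIDs of X servers started without "-nolisten tcp".
# Input: "PID COMMAND ARGS..." lines as printed by `ps -eo pid,args`.
x_without_nolisten() {
    awk '{
        n = split($2, p, "/"); name = p[n]
        if (name != "X" && name != "Xorg") next
        ok = 0
        for (i = 3; i < NF; i++)
            if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
        if (!ok) print $1
    }'
}

# Local addresses of TCP listeners in the X11 display range 6000-6063.
# Input: `netstat -an` lines (proto, recv-q, send-q, local, foreign, state).
x11_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print $4
    }'
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_INITTAB='# constructed inittab fragment
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit'
SAMPLE_PS='  PID COMMAND
  812 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth
  990 /usr/bin/X :1 -nolisten tcp -auth /var/gdm/:1.Xauth
 1201 /usr/sbin/sshd'
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:22     0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:6000   0.0.0.0:*   LISTEN
tcp   0   0 127.0.0.1:25   0.0.0.0:*   LISTEN'

echo "default runlevel: $(printf '%s\n' "$SAMPLE_INITTAB" | default_runlevel)"
echo "X without -nolisten tcp: $(printf '%s\n' "$SAMPLE_PS" | x_without_nolisten)"
echo "X11 TCP listeners: $(printf '%s\n' "$SAMPLE_NETSTAT" | x11_tcp_listeners)"
```

On a live host, feed the functions `/etc/inittab`, `ps -eo pid,args` and `netstat -an` instead of the samples; a runlevel of 5 together with any output from the other two checks means X is up by default and reachable over TCP.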
 
  

