SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
just being curious,
is security in slackware better than fedora?
OMG! Yes!!!
Quote:
Originally Posted by molossus
i mean in a fresh install of both distros. or do they have equal security.
NO!
Quote:
Originally Posted by molossus
correct me if iam wrong, but since in slackware everything is manual, doesn't that make it more difficult to hack than fedora?
um... No.
Basically, had your question been, 'since Slackware requires that you *enable* most things that open ports...', then the answer would have been Yes.
There's a lot of time spent disabling and hardening an RH box, while there is an inverse (but slightly less) amount of time spent on enabling things such as daemons that expose your freshly installed Slackware boxes to the world - providing you ample *security* in knowing that you "really want to start up portmapper and expose your exported filesystems without firewalling those ports or configuring /etc/hosts.deny first".
In a nutshell, on any given Sunday, it is most often the software that has exploits exposed. The Slackware Team, as well as the RH folks both do a good job of staying on top of things like [the recent] vulnerabilities in PHP and BIND, for example.
The difference is, that most things that will find a box vulnerable in a stock Slackware distribution in the first place require a conscious decision for you to fire up, following the understanding that this is what you want and the proactive measures being put in place to guard those services.
I don't think Slackware is inherently more secure than other distros, though I'm also not confident that you could label it as less secure. Certainly it is less secure in the sense that the kernel is very rarely patched after a stable release and only for very critical bugs -- there are *many* security vulnerabilities in the fully patched 2.6.33.4 kernel shipped with Slackware 13.1, for example (and likely even more in previous Slackware versions). Major security vulnerabilities in software are patched fairly adequately, though historically there has sometimes been a delay before it is released officially.
Slackware ships with no enabled firewall and /etc/hosts.deny and /etc/hosts.allow are, I believe, both blank. Certainly that isn't a very secure way to run your box, and upon installing Slackware some of my first tasks include properly setting up those two files and creating an iptables firewall. While this doesn't prevent software exploits it at least produces a simple improvement in security.
Slackware doesn't often add custom software patches, so as long as upstream fully discloses their vulnerabilities and patches them, most software included with Slackware will be patched or upgraded to seal any holes as they are found (as opposed to some other distros, which must watch upstream and review their own patched code to find any holes, thus placing more of the burden in two places instead of one). However, if upstream just releases upgrades in the form of stable versions, without disclosing security fixes or without anyone submitting the (now-fixed) vulnerability to CVE, the hole will likely remain unplugged since Slackware packages are *not* updated for simple bug fixes (only security vulnerabilities). Additionally, older code is likely audited less as time goes on, so running Slackware 8.x, even keeping up with official patched packages, is still probably less secure despite Pat doing all he can.
In the end, I don't believe Slackware to be any less secure than most other distros, but I would hesitate in saying that it is more secure.
Good answers, guys. Perhaps one of the best things that sets Slackware apart from almost everybody else is that simply by going to a Slack mirror site, you have reams of information at your fingertips: everything from the filelist (for a quick overview) to the packages list where every single package has a detailed description of what it is (...well, except for some of the X packages...) so that you, as a user and administrator, can decide if you really want to include packages you'll never use. And if something doesn't work because you haven't included a package that you didn't know you did need, a simple "installpkg foo" solves that issue (and you've learned something new besides).
Changelog, checksums...it's all there in one directory and completely transparent to anyone, anywhere. Try that with anybody else other than Debian. Notice how it's those two long-time workhorse distros that don't bury this information in hard-to-find places.
I have a standard-sized 3-ring binder with every step of a Slackware install, including a list of which packages I omit on both my x86 and x86_64 machines (and it's not always the same packages since each lappy has different hardware), a list of the SlackBuilds I always add on top of a fresh install, my iptables, etc. After no more than a couple of installs using my notes, Slackware actually takes me less time to install (and upgrade any packages that need it) than any other distro, including Fedora, the *buntus, PCLinuxOS, Debian or anything else I can name.
Armed with nothing more than Slackware, this forum, the wiki, Eric & Bob's pages and Robert Love's Linux kernel book, a curious person can learn a lot in their spare time and have fun doing it.
I agree, but I wonder, if it is really a good idea, that inetd is started by default on Slackware...
If you want to expose your machine to the internet, then yes, but probably most users run Slackware on machines behind a firewall/router, and I guess, most installations are on desktop systems. And on these, as well as on many servers, inetd is not needed.
Apart from that: Slackware doesn't include quite a few things, that cause security issues on other systems. On the other hand, there's no firewall by default etc. But this perfectly the scenario described above. You don't need two firewalls enabled (in fact, it could cause even more trouble than none). But if you plan to make a Slackware system your gateway, there are excellent 3rd party solutions available from various repositories, from easy to handle up to very powerful and flexible.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
slackware security
haha
