LinuxQuestions.org > Forums > Linux Forums > Linux - Security
New Cross-Platform Virus Proof of Concept

#1  04-07-2006, 02:36 PM  win32sux (LQ Guru)


Quote:
Kaspersky Labs is reporting a new proof-of-concept virus capable of infecting both Windows and Linux systems.

The cross-platform virus is relatively simple and appears to have a low impact, according to Kaspersky. Even so, it could be a sign that virus writers are beginning to research ways of writing new code capable of infecting multiple platforms, said Shane Coursen, senior technical consultant at Kaspersky.
Complete Article


Quote:
Viruslist is reporting on a cross platform Proof of Concept (PoC) virus that works on both Linux and Windows machines. It is claimed to be capable of infecting both the linux ELF binaries and .exe's from windows.

The impact of the PoC at this point is very low in itself, but it is a sign the cross platform aspects are becoming important. As the developers of viruses continue to research this, we will see (more) cross platform malware come about in the future.
Complete Article


Quote:
To infect ELF files, the virus uses INT 80 system calls and injects its body into the file immediately after the ELF file header and before the “.text” section. This changes the entry point of the original file.

Infected files are identified with a 2-byte signature, 7DFBh, at 0Bh.

The virus uses the Kernel32.dll function to infect systems running Win32. It injects its code to the final section, and gains control by again changing the entry point. Infected PE files contain the same 2-byte signature as ELF files; the signature is placed in the PE TimeDateStamp header.
Complete Article

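The Kaspersky description quoted above gives enough detail to write a marker scanner. The script below is an added example by the editor, not code from win32sux's post or from Kaspersky's write-up: it checks ELF images for the 2-byte value 7DFBh at offset 0Bh (inside the otherwise unused e_ident padding) and PE images for the same value in the COFF TimeDateStamp field. The article does not say which byte order the marker is stored in, nor which half of the 4-byte TimeDateStamp holds it, so the scanner accepts both; the headers it builds for its own self-test are constructed, not real samples.

```python
"""Scan files for the 2-byte marker (7DFBh) the cross-platform PoC virus
leaves in ELF and PE headers, per the Kaspersky description quoted above.

Assumptions not stated in the article: the 16-bit marker may be stored in
either byte order, and in PE files it may sit in either half of the 4-byte
TimeDateStamp. A hit is an indicator tied to this one PoC, not proof.
"""
import struct
import sys
from pathlib import Path

MARKER = 0x7DFB
MARKER_BYTES = (struct.pack("<H", MARKER), struct.pack(">H", MARKER))

ELF_MAGIC = b"\x7fELF"
ELF_MARK_OFF = 0x0B       # inside e_ident[EI_PAD]; a normal header leaves it zero
PE_LFANEW_OFF = 0x3C      # e_lfanew in the MZ (DOS) header
PE_TIMESTAMP_OFF = 8      # TimeDateStamp, relative to the "PE\0\0" signature
HEAD_BYTES = 64 * 1024    # both markers live in the leading headers


def elf_marked(data: bytes) -> bool:
    """True if `data` is an ELF image carrying the marker at offset 0Bh."""
    if not data.startswith(ELF_MAGIC) or len(data) < 0x10:
        return False
    return data[ELF_MARK_OFF:ELF_MARK_OFF + 2] in MARKER_BYTES


def pe_marked(data: bytes) -> bool:
    """True if `data` is a PE image whose TimeDateStamp carries the marker."""
    if not data.startswith(b"MZ") or len(data) < PE_LFANEW_OFF + 4:
        return False
    (lfanew,) = struct.unpack_from("<I", data, PE_LFANEW_OFF)
    if lfanew + PE_TIMESTAMP_OFF + 4 > len(data):
        return False
    if data[lfanew:lfanew + 4] != b"PE\0\0":
        return False
    (stamp,) = struct.unpack_from("<I", data, lfanew + PE_TIMESTAMP_OFF)
    return (stamp & 0xFFFF) == MARKER or (stamp >> 16) == MARKER


def classify(data: bytes) -> str:
    """Return 'elf-marked', 'pe-marked' or 'clean' for one file image."""
    if elf_marked(data):
        return "elf-marked"
    if pe_marked(data):
        return "pe-marked"
    return "clean"


def scan(paths):
    """Yield (path, verdict) for every regular file under the given paths."""
    for root in paths:
        root = Path(root)
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for p in files:
            try:
                with open(p, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            yield p, classify(head)


def _sample_elf(marked: bool) -> bytes:
    """Constructed minimal ELF64 header (not a runnable binary) for self-test."""
    ident = bytearray(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)   # 16-byte e_ident
    if marked:
        ident[ELF_MARK_OFF:ELF_MARK_OFF + 2] = struct.pack("<H", MARKER)
    return bytes(ident) + b"\x00" * 48  # remainder of the 64-byte header, zeroed


def _sample_pe(stamp: int) -> bytes:
    """Constructed minimal MZ + COFF header with the given TimeDateStamp."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, PE_LFANEW_OFF, 0x40)   # PE signature right after the stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return bytes(dos) + coff


def main(argv):
    if not argv:
        print("usage: scan_marker.py PATH...", file=sys.stderr)
        return 2
    hits = 0
    for path, verdict in scan(argv):
        if verdict != "clean":
            hits += 1
            print(f"{verdict}: {path}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_marker.py /usr/local/bin ~/bin`. A marker hit is a cheap indicator for this one PoC: an unrelated binary could carry those two bytes by coincidence, and a variant need only drop the marker to evade it. The more general symptom the article describes, the entry point redirected to injected code sitting between the ELF header and .text, needs a full section-header walk and is not shown here.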
 
#2  04-07-2006, 04:12 PM  weibullguy (ReliaFree Maintainer)
It's bound to happen as *nix becomes more popular. I think the *nix community will be better equipped to deal with it though. Clearly, anything that can disrupt government/business should be taken seriously. As a "home" *nixer with my "pet" computer, it doesn't fill me with the same heartstopping dread new malicious Win code does.

I suspect it will provide the *nix community yet another opportunity to outshine that other somewhat popular OS. Most *nix users are hackers (in its original sense) and probably represent a greater threat to themselves just by their constant tweaking anyway!
 
#3  04-07-2006, 05:44 PM  unSpawn (Moderator)
Marketoid FUD doesn't impress me at all.

 
#4  04-07-2006, 11:31 PM  Capt_Caveman (Senior Member)
Isn't this the same thing that Simile did? I don't see how this is any different/new.
 
#5  04-08-2006, 07:36 PM  sundialsvcs (LQ Guru)
No, it isn't ... and the real defense is still the same (for both Windows and Linux): intelligent use of user-accounts and privileges.

Basically, you can't prevent a "rogue program" from getting run. But you can make sure that it can't do anything harmful to your computer -- just by making sure that you are not using an "all-powerful" user account. The account that you use every day should be an "ordinary joe." In Windows-land, that's a "limited user."

In order to be effective, a virus has to run with fairly godly privileges -- or it has to be run on a system where all of the available file-protection mechanisms aren't being used. And that .. unfortunately .. describes the garden-variety Windows machine as currently deployed.
 
#6  04-08-2006, 07:54 PM  win32sux (LQ Guru, original poster)
Quote:
Originally Posted by sundialsvcs
Basically, you can't prevent a "rogue program" from getting run. But you can make sure that it can't do anything harmful to your computer -- just by making sure that you are not using an "all-powerful" user account.
I respectfully disagree... deleting all of my precious documents and/or getting me in trouble with my ISP for sending 1,000 SPAMs or even virus-infected emails per hour is pretty harmful in my book... and neither of those things requires root privileges...

i do understand what you are saying, though, and it's true that the non-root user accounts do cut you some slack - as far as the system is concerned... but still, at the end of the day the most important thing we have is our data in /home/$USER... how many of us have our /home directories mounted noexec?? not many, and as such we could get hit hard by a "rogue program" if we aren't careful, or if we're too, ummm, overconfident about our non-root user accounts...

 
#7  04-08-2006, 11:45 PM  Capt_Caveman (Senior Member)
Quote:
Originally Posted by sundialsvcs
No, it isn't ...
If that's in response to my post, then care to expand on why it's not?
 
#8  04-09-2006, 02:11 AM  jack36987 (LQ Newbie)
I think that in many ways it's good that it's been done and is public, because Linux has had a major virus problem heading its way for a while now, and so the sooner we start to tighten up our virus security the better.
 
#9  04-09-2006, 02:31 AM  reddazz (LQ Guru)
Personally I don't think this deserved to be news at all. Firstly, Linux has had viruses for ages and they have mostly been proof of concept, so this is not new. This is just a way to create FUD and drive people away from Linux because they will think its security model is just as poor as Windows'. One thing I worry about is that some of these antivirus companies actually create these things to make money (call me a conspiracy theorist).

 
#10  04-09-2006, 03:10 AM  MikeGS (LQ Newbie)
I'd like to ask a question based on win32sux's post.

I'm new to Linux (we've been a windows free household for 12 months as of two days ago) and I'm still learning, but having read win32sux's post I played around with making my home directory non-executable. This had the desired effect - no programs could be run, but obviously I still need to be able to run some programs from my user login.

Since my approach was obviously too simplistic, could someone please take the time to elaborate on win32sux's post and explain to me how I can make my home directory non-exec (to protect against malware), but still run the applications I need.

Mike.
 
#11  04-09-2006, 04:23 AM  rkelsen (Senior Member)
Quote:
Originally Posted by Arow
It's bound to happen as *nix becomes more popular.
That's a misconception that is becoming all too common. Viruses in Unix-type systems will only ever be able to cause damage from a user's home account. Unless one is constantly using the root account for day-to-day tasks, one has very little to worry about. Intelligent system design which completely separates the system from the user ensures that we'll never see the same level of devastation under any of the *nixes that we see constantly under Windows.
 
#12  04-09-2006, 05:59 AM  unSpawn (Moderator)
There are two things that always strike me in these articles, and in people answering questions on LQ about viruses. One is the lack of proper "translation" to NIX systems about threats in general. If you talk to wintendo users asking about viruses please include the threat of worms, exploits, rootkits on NIX platforms. Without mentioning those and our defenses no answer is complete in my opinion.

The second thing, and many pointed that out, is that due to Discretionary Access Control (DAC, std owner-based permissions) no virus can infect a whole system. The ancient DAC saves our hide each and every time. No Linux virus at this time has the capability to cross the DAC-line, but once anything foreign is on the system it has the advantage of simply being on the system: gaining a foothold is invaluable. Once there it has the time to do whatever because on most systems users are considered "trusted", period. So, how to stop it? What should be focussed on, on top of DAC, is Mandatory Access Control (MAC), which for instance GRSecurity or SELinux provide (* note they don't cooperate). MAC allows you to design rules that exactly name capabilities, limits and any type of access for an application. So you could have one that gives named application read rights on /etc/password but nothing else in the /etc tree, traversal and read rights in the /some/dir/www tree, but only read rights in /var/log/somedir. On a tightly configured system applications that don't have rules attached will not run.

Features in kernel patchsets that add MAC can also help answering one of the questions asked here:
@sundialsvcs: Basically, you can't prevent a "rogue program" from getting run. / @MikeGS make my home directory non-exec: Yes, you can. Enter "Trusted Path Execution" (TPE). GRSecurity, LSM and LIDS feature TPE. From the GRSecurity-patched kernel documentation:
Quote:
CONFIG_GRKERNSEC_TPE:
If you say Y here, you will be able to choose a gid to add to the
supplementary groups of users you want to mark as "untrusted."
These users will not be able to execute any files that are not in
root-owned directories writeable only by root. If the sysctl option
is enabled, a sysctl option with name "tpe" is created.
Does it stop there? No. Since Linux is "the networking workhorse" let me highlight one more feature GRSecurity provides: disallowing sockets. Simply by adding their group to a special group (defined at compiletime) you can deny (groups of) users any socket access, inbound (running services) or outbound (connecting as client).


We know Linux systems are powerful. Since it is much easier to find a vulnerable Linux system and use its resources for profit (gain power or money instead of destroying it, which still is the trend), defending against the threat from worms, exploits and rootkits is what we should focus on in my humble opinion, so: discuss, plan, act.
 
#13  04-09-2006, 06:30 AM  coolb (Member)
Quote:
Originally Posted by Arow
I think the *nix community will be better equipped to deal with it though.
ditto that!

We have a lot better understanding of IT security, than those stupid windoze users...
 
#14  04-09-2006, 03:45 PM  weibullguy (ReliaFree Maintainer)
Quote:
Originally Posted by rkelsen
That's a misconception that is becoming all too common. Viruses in Unix-type systems will only ever be able to cause damage from a user's home account.
My point was that as the number of *nix machines in the home grows, the OS is likely to become a more popular target. Even if the only thing that gets hosed is one user's account, it's still malicious, and that's what (I guess) motivates people to create viruses. But, you're right, the greatest security weakness on a *nix system is the user spending too much time as root.
 
#15  04-09-2006, 10:59 PM  jiml8 (Senior Member)
Quote:
Originally Posted by MikeGS
I'd like to ask a question based on win32sux's post.

I'm new to Linux (we've been a windows free household for 12 months as of two days ago) and I'm still learning, but having read win32sux's post I played around with making my home directory non-executable. This had the desired effect - no programs could be run, but obviously I still need to be able to run some programs from my user login.

Since my approach was obviously too simplistic, could someone please take the time to elaborate on win32sux's post and explain to me how I can make my home directory non-exec (to protect against malware), but still run the applications I need.

Mike.
Specifically, you found that no programs located in your home directory could be run. To run programs, therefore, you would place them someplace else on the system where executables were allowed.

Ideally this protects you since most malware is going to find itself in your home directory, having arrived in an email or some such, and if it can't execute then it can't do a thing to you.

Myself, I don't set my home as noexec; most people don't. Keep in mind that the security of a *nix system can be set waaaaaaay up, but the consequence is to make it annoying to use.

Set the security to deal with the most likely threats. Given that virii are not a big threat in the *nix world, and given that proper usage procedures minimize that threat still further, leaving exec turned on in /home/ is safe enough most of the time.

The real important thing is to not be root, unless you have to, and then only for so long as you have to. Also, don't put your home directory or your current directory into the path. Follow those two rules and you will more than likely be safe from what comes down the road.
 
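MikeGS's question (#10) and the replies from win32sux (#6) and jiml8 (#15) come down to two checks a user can run: is the filesystem that actually holds $HOME mounted noexec, and does PATH let the current directory or a user-writable directory shadow a real command? The script below is an added example by the editor, not from any poster. It parses /proc/mounts-style lines with a longest-prefix match (a separate mount under /home can be exec even when /home is noexec, and /home must not claim /homeless) and inspects a PATH string; the mount table and PATH it tests itself with are constructed samples. One caveat jiml8's answer leaves implicit: noexec stops `./prog` but not `sh prog` or `perl prog`, because an interpreter only needs read access to the file, so it raises the bar for a dropped binary without stopping script malware.

```python
"""Audit two hardening points from this thread: whether the filesystem
holding a directory (e.g. /home) is mounted noexec, and whether PATH
contains entries a rogue program in $HOME or the CWD could exploit.

Added example; the mount table and PATH below are constructed samples.
"""
import os
import re
import sys
from pathlib import PurePosixPath

# /proc/mounts escapes space, tab, newline and backslash as \040 \011 \012 \134.
_OCTAL = re.compile(r"\\([0-7]{3})")


def parse_mounts(text):
    """Return [(mountpoint, {options})] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mountpoint = _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match by path component: /home does not claim /homeless,
    and a separate mount at /home/mike/build overrides /home's options."""
    target = PurePosixPath(path)
    best = None
    for mountpoint, opts in mounts:
        mp = PurePosixPath(mountpoint)
        if mp == target or mp in target.parents:
            if best is None or len(mp.parts) > len(PurePosixPath(best[0]).parts):
                best = (mountpoint, opts)
    return best


def is_noexec(path, mounts):
    """True if the mount that actually holds `path` carries the noexec option."""
    found = mount_for(path, mounts)
    return found is not None and "noexec" in found[1]


def risky_path_entries(path_value, writable=lambda d: os.access(d, os.W_OK)):
    """PATH entries a rogue binary could use to shadow a real command: '.',
    empty entries (POSIX treats an empty element as the current directory),
    relative directories, and absolute directories the user can write to."""
    risky = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            risky.append(entry or "(empty)")
        elif not entry.startswith("/") or writable(entry):
            risky.append(entry)
    return risky


# Constructed sample table: /home is noexec, but a build tree mounted under it is not,
# and one mountpoint contains an escaped space.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home/mike/build ext3 rw,relatime 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,noexec 0 0
"""
SAMPLE_PATH = "/usr/local/bin:/usr/bin:.:bin::/home/mike/bin"


def main(argv):
    """Audit the live system (Linux), or with --sample the constructed data."""
    if "--sample" in argv:
        mounts, path_value = parse_mounts(SAMPLE_MOUNTS), SAMPLE_PATH
        writable = lambda d: d.startswith("/home/")  # stand-in for os.access
    else:
        with open("/proc/mounts") as fh:
            mounts = parse_mounts(fh.read())
        path_value = os.environ.get("PATH", "")
        writable = lambda d: os.access(d, os.W_OK)
    home = os.path.expanduser("~")
    print(f"{home}: {'noexec' if is_noexec(home, mounts) else 'exec allowed'}")
    for entry in risky_path_entries(path_value, writable):
        print(f"risky PATH entry: {entry}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

`python audit_home.py` reports on the running system; `python audit_home.py --sample` runs it against the constructed table. Mounting /home noexec is done in /etc/fstab by adding `noexec` to that line's options (MikeGS's "too simplistic" step was the right one; the missing piece is jiml8's advice to keep the programs you actually need on an exec-allowed filesystem such as /usr/local/bin).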