Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
For various reasons, I am considering a change from Ubuntu to Linux Mint, however the one thing that is still making me "um" and "ah" is security - Ubuntu may not be the most secure Linux-based operating system out there, but when it comes to Linux-based operating systems targetting "everyday" users, it famously sits pretty high on the list with regards to security.
I already know that Linux Mint does not use App Armour - but what about the rest of the security in Linux Mint?
* Does Linux Mint run with low-level privileges by default, and is Polkit implemented at all?
* Ubuntu comes with a firewall pre-installed and configured (with the GUI part being optionally installed by the user) - does Linux Mint do the same?
* Are there any extra steps that Linux Mint take to "harden" its operating system or packages, like Canonical does (by using things such as buffer overflow protection when compiling packages)?
* How about encryption? Is there support for full-disk encryption within Linux Mint?
I found numerous articles that were critical of Linux Mint's security - but all of them were from several years ago, at which time Linux Mint were vowing to focus on enhancing security with the operating system... I was not able to find anything about Linux Mint's security which is recent-ish.
Yes I know that both Ubuntu and Linux Mint have their own forums, but I thought I'd ask over here and hopefully get some neutral answers, rather than those without bias...
Linux Mint is 99% Ubuntu, using the Ubuntu LTS repos, while adding some utilities, design, themes etc. of its own.
I am running Mint 19.1 and apparmor is included in the distro.
sudo apparmor_status gives me:
Code:
apparmor module is loaded.
22 profiles are loaded.
20 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/freshclam
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ippusbxd
/usr/sbin/ntpd
/usr/sbin/tcpdump
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
man_filter
man_groff
2 profiles are in complain mode.
libreoffice-oopslash
libreoffice-soffice
4 processes have profiles defined.
4 processes are in enforce mode.
/sbin/dhclient (13137)
/usr/sbin/cups-browsed (30354)
/usr/sbin/cupsd (30353)
/usr/sbin/ntpd (1247)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
So, I'd be really interested where you got your "I already know that Linux Mint does not use App Armour" statement from.
Oh, and yes, polkit is implemented, the firewall comes configured and gufw is included (but you have to switch it on after installing), you can have full disk encryption, etc. etc.
To be honest with you, I am quite amazed that you haven't asked on the Mint forums due to your perception of "bias" - a fact is a fact no matter where it comes from, and the folk at the Linux Mint forums will have greater knowledge of their system and what it does and doesn't contain.
but when it comes to Linux-based operating systems targetting "everyday" users, it famously sits pretty high on the list with regards to security.
As an "everyday" user I find the security in Ubuntu 18.04 fine for my needs "at the present time".
I added "at the present time" on purpose. As I learn more, I am being more security conscious to my computer operations and possible limitations to any OS in this age of hacking, government surveillance, nefarious business models, malicious coding, and computer OS internal operations. The latest episode of Firefox is troubling for several reasons.
If memory serves me correctly, it was in a couple of forum threads on different sites that I saw this...
Perhaps they were discussing an older version of Linux Mint?
Must have been. Seriously, also ask your specific questions on the Mint forums, as they relate to the current Mint 19.x. I too would be interested in the replies. For example, I don't know if Mint take any steps over and beyond the ones that Ubuntu takes in order to harden their distro. Given that Mint relies extensively on the Ubuntu repositories, such further hardening would probably be based around configuration rather than in the packages themselves.
Just re-reading your post, the root user (as I think it also does in Ubuntu) is set by default as having no password and being locked so that the password never matches. Normal operations are done on the user level and sudo is used to gain admin privileges, with polkit support built into some packages.
Distribution: Slackware/Salix while testing others
Posts: 1,718
Rep:
IMO both fall under questionable with regards to Security. Ubuntu is a little better, Mint a little worse, both on the questionable side of the scale. Mint has improved some over the last few releases, but the "some" is marginal. Keep in mind, I think both are better at security then Windows.
Do a DuckDuck search for Mint + Security concerns then do another for Ubuntu + Security concerns then Ubuntu + Privacy concerns. Then have fun reading with your favorite beverage. I'm having Chrysanthemum tea at the moment.
IMO both fall under questionable with regards to Security. Ubuntu is a little better, Mint a little worse, both on the questionable side of the scale. Mint has improved some over the last few releases, but the "some" is marginal. Keep in mind, I think both are better at security then Windows.
That's lazy though. If you have points to make about the level of security of the current versions of Ubuntu and Mint then surely you should enumerate them here rather than make hazy claims and ask other folk to search the web (and probably get confused with the myriad of search results that refer to the security of the unrelated mint.com). You probably have valid points to make, but better to actually list them here and let them be debated.
Distribution: Slackware/Salix while testing others
Posts: 1,718
Rep:
Quote:
Originally Posted by hydrurga
That's lazy though. If you have points to make about the level of security of the current versions of Ubuntu and Mint then surely you should enumerate them here rather than make hazy claims and ask other folk to search the web (and probably get confused with the myriad of search results that refer to the security of the unrelated mint.com). You probably have valid points to make, but better to actually list them here and let them be debated.
Privacy and Security go hand in hand and it boils down to trust. Linux Mint (not so much LMDE) inherits all of the flaws from Ubuntu, custom patches, over patches adnauseum. Each custom patch that is distro specific creates holes that the original developers have no clue about nor how to patch it. Its best to stay as close to upstream as possible. With Ubuntu, they inherit Debian's flaws, then build flaws on top of it, Linux mint inherits Debian and Ubuntu then adds flaws to it. Often in the name of convenience and being user friendly.
People often forget that the more user friendly something is the easier it is to hack/crack/break open etc... There is a reason safes are not user friendly, locks on doors are not very user friendly and at times damn inconvenient, of course crooks would prefer the most user friendly of all....open door, or no door, or better yet, Windows that are wide open. .
Just some rambling thoughts.....Guess it boils down to when a person started using *nix, if their first use was Ubuntu then all of the above is moot, if it was Debian then some concerns are raised, if Slackware or Unix or BSD then even more concerns come up...
PS: with that said, its nice to see Mint made some changes and they should continue to do so. Sacrificing security for convenience is generally bad policy.
Referring to the two Mint-related articles, Mint updates the kernel through the GUI Update Manager, and has done for some time now. The default setting is for all available updates to be listed and updated, so there is also no delay for any packages in the Ubuntu repos reaching a Mint system.
Distribution: Slackware/Salix while testing others
Posts: 1,718
Rep:
Quote:
Originally Posted by hydrurga
Cheers ChuangTzu.
Referring to the two Mint-related articles, Mint updates the kernel through the GUI Update Manager, and has done for some time now. The default setting is for all available updates to be listed and updated, so there is also no delay for any packages in the Ubuntu repos reaching a Mint system.
One of those articles relates to a website hack from the years ago (which is unrelated to the distro itself), and one of those articles refers to "the Amazon thing", which only applied if you made searches from the (Unity) Dash - not to mention the fact that Canonical addressed this about five years ago and it is no longer relevant considering GNOME is used these days.
Ubuntu collecting data about your PC? Pfft.
I was using Ubuntu when they made the change (back to) to GNOME and since Day 1 (of the post-Unity Ubuntu) they have made it abundantly clear how to disable this!
The only argument you have made which is actually worth listening to - though it is troubling enough to overshadow all of your other comments (in my opinion) - is Linux Mint's policy of only updating the kernel via manual Terminal commands... It's not a big issue for me personally as I use terminal a lot (including for regularly checking of updates), but it does look rather bad for Linux Mint as a distro and thus, I will be looking into whether this policy is still in place.
That's a good change then. Don't mind my occassional crankiness.
PS: how long is the sync delay between Ubuntu and Mint updates, hours, days?
There is no delay. Mint uses the Ubuntu repos in /etc/apt/sources.list.d/official-package-repositories.list. As soon as a package changes in the Ubuntu repos, it is available to Mint users.
The only argument you have made which is actually worth listening to - though it is troubling enough to overshadow all of your other comments (in my opinion) - is Linux Mint's policy of only updating the kernel via manual Terminal commands... It's not a big issue for me personally as I use terminal a lot (including for regularly checking of updates), but it does look rather bad for Linux Mint as a distro and thus, I will be looking into whether this policy is still in place.
This is no longer the case, as I mentioned above, and hasn't been for a while. The kernel is updated through the GUI Update Manager in the same way as application packages.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Don't mind my occassional crankiness. 
