From the Canyon Edge -- :-Dustin

Tuesday, April 14, 2009

Your Article is Incorrect: Linux Magazine


Here is an article from Linux Magazine with a very unfortunate title:
In my opinion, this piece is a bit of sensational journalism targeted at the Ubuntu Server.

sensationalism: the notion that media outlets often choose to report heavily on stories with shock value or attention-grabbing names or events, rather than reporting on more pressing issues to the general public

I believe that this article was more about generating attention than improving distro security or the Linux ecosystem. To achieve the latter, one could easily file bugs and discuss the issues on any one of several mailing lists, forums, or IRC.

Update: Linux Magazine has assured me that the Novell/Microsoft advertisement is a coincidence, so there's no deeper conspiracy theory here, as suspect as it looks. I have also been assured that this article was not meant to pick on Ubuntu, but that this would be the first in a series of articles about insecurities introduced by distros in the interest of easier install processes.

We, the Ubuntu distribution, are leading the industry in a number of areas of Linux security. 8.10's encrypted-private feature (shown on the first page of his article) is unique among all Linux distributions, and 9.04's encrypted-home extends the functionality even further. As far as I'm aware, this is the first Linux distribution to provide seamless, per-user home directory encryption in the installer.

As of 9.04, if you choose to encrypt your home directory, it has 700 permissions. And if not, yes, your home directory is perm'd 755, with an option to create an encrypted Private directory, perm'd 700. These design choices delicately and intelligently toe the line between security and usability.

The Ubuntu Security Team has engineered a secure toolchain and compiler flags, by which all Ubuntu packages are built. These carefully constructed options affect nearly all packages built and hosted in the official Ubuntu archives, and have eliminated several classes of classic security vulnerabilities.

For the more paranoid, the Ubuntu kernel provides administrators with both Mandatory Access Control (MAC) models enabled and available at their discretion--AppArmor by default, as well as SELinux. And ufw (the Uncomplicated Firewall) is a truly elegant solution for administrators to control network access.

Finally, the author's arbitrary "grades" against Ubuntu are, in order: A-, B, A-. Is this really enough to justify a sensational headline in an otherwise respected Linux publication?

These sound like 3 reasonable wishlist bugs filed in Launchpad.

:-Dustin

10 comments:

  1. Elegant, correct and direct response. I wish the actually read it and learn a bit.

    ReplyDelete
  2. Makes you wonder what the headline would be if a distro were to have a C grade, or even worse a D or F.

    ReplyDelete
  3. It's even more horrible than the dreaded Linsux Format! (http://linsux.org/index.php?topic=948.0)

    ReplyDelete
  4. Apparmor is techically crap.

    Tomoyo LSM added true support for path based secuirty. Apparmor has not be updated to support it.

    Could you please find out when Ubuntu is going to update Apparmor and send it mainline or are they going to keep on using a Mandorary access system that cannot pass review.

    ReplyDelete
  5. Dustin I think you miss the point.

    We could have the safest choices be the default ones, but we don't.

    Encryption should be enabled by default, not the other way around. I guess we'll eventually get to that mindset.

    Perhaps a good sequel article would be "Ubuntu 9.04, first with full encryption and directory encryption" - which is as much as a stretch :)

    ReplyDelete
  6. Coming from a Slackware env.
    I'm surprised Ubuntu would give /bin/sh to users that do not need an interactive login.

    My first thought is that it is simply an oversight. I do see that /etc/shadow comes with the usual does of '*' and '!'. So someone was on the correct path, just apparently didn't finish.

    Where does one post bugs for Ubuntu? This is one that should be easy to fix and is in need of being fixed.

    With lots of love to the Ubuntu team,
    Justin

    ReplyDelete
  7. Hi Justin-

    You can file a generic bug against Ubuntu at:
    * https://bugs.launchpad.net/ubuntu/+filebug?no-redirect

    Or, if you know the package specifically that it needs to be filed against (shadow in this case?):
    * https://bugs.launchpad.net/ubuntu/+source/shadow/+filebug?no-redirect

    You can subscribe me (kirkland) to it, if you like.

    :-Dustin

    ReplyDelete
  8. While the headline may be poorly chosen, I'd have to agree with magicfab on this one - the guy actually has a point. I'm not sure about all of the things he mentioned, but it does bother me that the default /home permissions are 755, encryption available or not. I'd rather see 700 default, and 700 with encryption as the option. If the argument is that would be confusing to home users, perhaps the server install CD should have a different configuration than the desktop CD.

    ReplyDelete
  9. I have to agree with Tony Yarusso in regards to the /home permissions issue that the article raises. Even Apple's OS X sets permissions to 700 on users' home directories - this is true even if FileVault is not enabled. For ease of sharing files with other users of the system, OS X does include a "Drop Box" directory within each user's profile with permissions set to 733.

    ReplyDelete

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin

Printfriendly