Loading ...
Sorry, an error occurred while loading the content.

Re: [LINUX_Newbies] Re: kernel upgrade X server fc4

Expand Messages
  • Robert C Wittig
    ... Heh! Having FreeBSD on my desktop in addition to Red Hat Enterprise 3 and Windows 2000, and two OpenBSD servers exposed to the Internet, I err on the side
    Message 1 of 17 , Jul 31, 2006
    View Source
    • 0 Attachment
      Arsenic wrote:

      > As far as whether or not I should leave SEL off, that you guys don't use
      > it (and in fact, Robert had never heard of it) leads me to believe it's
      > not really necessary but...
      > (here comes my rant) I think part of my problem when it comes to things
      > like this is that the people who make/use Linux don't seem to be very
      > vocal about security. Maybe I'm wrong about that but every time I ask
      > someone a security question, I get an answer like "Don't worry about it,
      > Linux is safer than Windows".

      Heh!

      Having FreeBSD on my desktop in addition to Red Hat Enterprise 3 and
      Windows 2000, and two OpenBSD servers exposed to the Internet, I err on
      the side of paranoia, where security is concerned.<g>

      A lot has been written about *nix security, and I am a serious reader of
      what was and is being written.

      I'm sure that Google will point the way for you, as it has for me.



      --
      -wittig http://www.robertwittig.com/
      . http://robertwittig.net/
    • Chad Martin
      Once again, I m slow on replying to things... ... There was a response to this which was Google it , but for those who want just a quick synopsis of why Linux
      Message 2 of 17 , Aug 5, 2006
      View Source
      • 0 Attachment
        Once again, I'm slow on replying to things...

        Arsenic wrote:
        > (here comes my rant) I think part of my problem when it comes to things
        > like this is that the people who make/use Linux don't seem to be very
        > vocal about security. Maybe I'm wrong about that but every time I ask
        > someone a security question, I get an answer like "Don't worry about it,
        > Linux is safer than Windows".
        >
        > This makes me nervous. At least when you use Windows you know what
        > you're getting yourself into. There's bucketloads of documentation and
        > a whole host of expensive (and not so expensive) software to help you
        > stay secure. It's not that I've ever had a problem in Linux (I wonder
        > if I would even know if I *did* have a problem) but a combination of not
        > having taken what seems like *enough* security measures and not being
        > entirely comfortable with the OS (not knowing where things are, not
        > knowing how to fix things when they break) leaves me constantly on edge.
        > I know that I've had security problems in Windows but I only know about
        > it because of the wonderful people at Symantec.
        >
        > I worry, when it seems like the only thing standing between my machine
        > and the rest of the world is me. I don't know if that makes any sense
        > but there it is. As an old Windoze user who needs lots of reassurance
        > to feel comfortable, I would kill for a Linux 'System Works' and Linux
        > 'Internet Security'. I guess the high configurability of Linux and all
        > the different flavours might make it hard to develop such software.

        There was a response to this which was "Google it", but for those who
        want just a quick synopsis of why Linux is more secure, here's how I see it:

        1) In-kernel firewall. It's robust and has been improved over many
        years. It's an inherent part of Linux, not just an add-on.

        2) Non-administrative users. Sure, you can run as a non-administrative
        user in Windows, but it's a pain in the ass. Some programs will
        actually tell you that they won't work properly unless you've got
        administrative privleges. Most people run it that way. That means when
        a virus runs while you're logged in, it has access to the whole system.
        Linux is much more properly set up to do this right. When you run a
        virus under a normal user in Linux, all it has access to is the stuff
        that that user has access to, which isn't much.

        3) Open source. There are a lot more people out there that are trying
        to fix security bugs than are trying to exploit them. When you have the
        code out there for everyone to see, the problems can be found and the
        fixes can be deployed well before they're ever exploited. All the
        algorithms used in common encryption techiques are open source. Think
        about it.

        4) Software updates. Most distros will aggregate the software updates
        of all the software that they offer. This means that every time you
        update your Linux box, all your software is being patched for the latest
        security updates. With a Windows machine, you have to chase those
        patches down from all your software vendors. Microsoft won't do that
        for you. Again, you could do it yourself, but chances are that it's too
        much effort, or you have to pay for those upgrades.

        This is just the tip of the iceberg. I hope you feel more at ease about
        the security in Linux.

        Chad Martin
      • Arsenic
        ... (I have another question (surprised?) and since it is security-related, I might just append it to this post.) You know, I really do. :) Thanks, Chad. The
        Message 3 of 17 , Aug 6, 2006
        View Source
        • 0 Attachment
          On Sat, 2006-08-05 at 15:43 -0400, Chad Martin wrote:
          > Once again, I'm slow on replying to things...
          > for those who want just a quick synopsis of why Linux is more secure,
          > here's how I see it:
          >
          > 1) In-kernel firewall.
          > 2) Non-administrative users.
          > 3) Open source.
          > 4) Software updates.
          > This is just the tip of the iceberg. I hope you feel more at ease
          > about
          > the security in Linux.

          (I have another question (surprised?) and since it is security-related,
          I might just append it to this post.)

          You know, I really do. :) Thanks, Chad. The interesting thing is that
          now that I've read all that, I think I sort of knew it already, in a
          vague sort of way. I just had never put all those ingredients together
          to see what I ended up with, I guess.

          Anyway, to veer back towards the original topic a bit, I've learned more
          about SEL and I realize I was quite wrong about what it actually does
          and why it broke my system. I was imagining it to be just an internet
          security thing (where it wouldn't allow traffic to/from servers or url's
          or whatever) but apparently, it's job is to limit the amount of
          access/control given to applications/processes, to the rest of the
          system. Not sure if I said that right. The NSA says; "The
          Security-enhanced Linux kernel enforces mandatory access control
          policies that confine user programs and system servers to the minimum
          amount of privilege they require to do their jobs."

          Apparently, it does this a little too well for kernel 2.6.17, or
          something was fundamentally wrong in the policy that I have installed.

          I'm *guessing* now that whatever was actually broken (X11 and probably a
          whole host of other things) just wasn't allowed to start properly
          because it was trying to do things that it wasn't permitted to do.

          Because it appears that the settings were different (or needed to be
          changed) between the two kernels, I figured the only way I could
          possibly work it would be to start in console mode and configure the
          policy entirely through the command line, to allow system-wide access
          for processes like 'audit', which I believe is what was causing most of
          my problems. (feel free to correct me on all this btw, if you think I'm
          way off track) I'm pretty certain that that would take me whole day of
          wandering around the cmd line (not a nice prospect for me), so I decided
          I would just leave it for now.

          Is there another way? I've noticed over the past few days that
          recompiling kernels appears to be a tried and tested way of making
          things work/install that don't usually work/install. So, I'm wondering,
          if I were to recompile my kernel (which I've been told to do for several
          reasons now, including so that I can install Duzuko, to enable on-access
          scanning with KlamAV), is it possible that this would help with the SEL
          thing somehow? I was just thinking, maybe rather than trying to
          reconfigure SEL, there might some other way around it by
          uninstalling/reinstalling SEL, and/or recompiling the kernel or
          something. I know that's a pretty vague question (not even a question,
          really) but I'm just looking for options.

          ~~~~~

          Now for my next proper question, which occurred to me while I was
          reading about SEL.

          We all know we shouldn't run our system as 'root'. If I 'su' to do
          something (i.e. run yum update/install), is that access restricted to
          the application I'm running, or is it a system-wide thing? I guess I'm
          wondering, if I'm logged in as root in a shell, will other things (bad
          things) be able to run themselves as root? (I use yum as the example
          because it needs an active internet connection, which means I'm
          accessing the net as root, which seems kinda risky by nature)

          Cheers for putting up with me btw. I know I've been spamming all your
          inboxes quite a bit of late. I just have a lot of questions and there's
          no denying that it's often easier to just ask (and to voice vague
          home-grown theories), than to sift through countless web pages looking
          for answers that may or may not be there.

          arsenic.



          [Non-text portions of this message have been removed]
        • Chad Martin
          ... Well, compiling your own kernel is the basic way to get new drivers into your system. There s also a lot of functionality that is kernel-based, like the
          Message 4 of 17 , Aug 8, 2006
          View Source
          • 0 Attachment
            Arsenic wrote:
            > Is there another way? I've noticed over the past few days that
            > recompiling kernels appears to be a tried and tested way of making
            > things work/install that don't usually work/install. So, I'm wondering,
            > if I were to recompile my kernel (which I've been told to do for several
            > reasons now, including so that I can install Duzuko, to enable on-access
            > scanning with KlamAV), is it possible that this would help with the SEL
            > thing somehow? I was just thinking, maybe rather than trying to
            > reconfigure SEL, there might some other way around it by
            > uninstalling/reinstalling SEL, and/or recompiling the kernel or
            > something. I know that's a pretty vague question (not even a question,
            > really) but I'm just looking for options.

            Well, compiling your own kernel is the basic way to get new drivers into
            your system. There's also a lot of functionality that is kernel-based,
            like the firewall. That's the reason you see this crop up so much.
            There's a lot in there. If you need something enabled for something
            you're working on, you'll have to recompile, but I hesitate to say it
            "fixes" anything.

            > We all know we shouldn't run our system as 'root'. If I 'su' to do
            > something (i.e. run yum update/install), is that access restricted to
            > the application I'm running, or is it a system-wide thing? I guess I'm
            > wondering, if I'm logged in as root in a shell, will other things (bad
            > things) be able to run themselves as root? (I use yum as the example
            > because it needs an active internet connection, which means I'm
            > accessing the net as root, which seems kinda risky by nature)

            Nope. If you're running as root, then all your child processes will
            also run as root. So, if you're running as root in a terminal window
            and invoke top, top will be running as root, but the window itself will
            be running as the normal user, since the normal user is what started
            that program.

            Chad Martin
          Your message has been successfully submitted and would be delivered to recipients shortly.