Sunday, December 7, 2008

Myth 2: Unix is the be-all and end-all of security.

This is the biggest myth you hear when people try to say Linux is secure.

First, the "Unix design" is not actually called Unix. It's called POSIX. So the name is wrong to start off with.

Let's just go over what POSIX covers for a minute.

The system will have a root user to administer it. This is the first problem: on most OSs that people like to call Unix, such as Solaris and Linux, the existence of a root user is optional. It's a historic relic of the Unix days. The reason it is optional is that it is a security risk.

Services run as lower-privileged users, which is fine up until a point. The POSIX standard never formally ratified POSIX Capabilities. So on a pure Unix-model system every service that binds to a port under 1024 must at least partly start up as root. Linux and POSIX Capabilities allow the powers of root to be granted in a segmented way.

No firewall is defined anywhere in what POSIX says should be there.

There is no defined Mandatory Access Control.

Now as you can see, Unix-model security is not that great. Linux, OS X, the BSDs and Solaris have all extended past this model. All the Unix model does is provide some common-sense ideas.

The worst part of this Unix-model worship is the myth that the root user is a good thing. Sorry, the root user is one of the biggest design flaws in the whole Unix model.

Sudo and su, both from the Unix world, are both flawed ideas. What is the root user's most dangerous problem? Operations performed by root are not logged by default. There is no way to tell which user with access to root power did what.

PolicyKit and more modern systems in the POSIX world provide far better logging and finer-grained control over who can use that power. Even SELinux role-based security provides finer control. Yet you don't hear any of them yelling from the rooftops that distribution X comes with SELinux role-based security enabled.
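To make the logging point concrete, here is an added example (not code from the original post) that parses a constructed syslog-style auth log. It shows the attribution gap the post is talking about: a sudo line records who asked for root and exactly which command ran, while an su line only records that somebody opened a root session; whatever was typed in that root shell never reaches this log. The log lines, the host name and the user names are all constructed for illustration.

```python
"""Attribute privileged actions to the human who invoked them.

Added example, not part of the original post. The log lines below are
constructed for illustration and follow the usual sudo / su message
formats; the host name and user names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of an auth.log: two sudo invocations and one su session.
SAMPLE_AUTH_LOG = """\
Dec  7 10:01:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Dec  7 10:03:40 host su[2211]: (to root) bob on pts/1
Dec  7 10:03:40 host su[2211]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Dec  7 10:09:05 host su[2211]: pam_unix(su:session): session closed for user root
Dec  7 10:12:00 host sudo:    carol : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Dec  7 10:15:33 host sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# sudo logs the invoking user, the target account and the full command.
SUDO_RE = re.compile(
    TS + r" \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# su logs only that a session to the target account was opened.
SU_OPEN_RE = re.compile(
    TS + r" \S+ su\[\d+\]: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)


@dataclass
class PrivilegedEvent:
    timestamp: str
    user: str                 # the human who invoked the privilege
    target: str               # the account whose power was used
    command: Optional[str]    # None when the log records no command (su session)


def parse_privileged_events(log_text: str) -> List[PrivilegedEvent]:
    """Extract every use of another account's power that the log can attribute."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(PrivilegedEvent(m["ts"], m["user"], m["target"], m["cmd"]))
            continue
        m = SU_OPEN_RE.match(line)
        if m:
            events.append(PrivilegedEvent(m["ts"], m["user"], m["target"], None))
    return events


def unattributed_sessions(events: List[PrivilegedEvent]) -> List[PrivilegedEvent]:
    """Sessions where root power was used but no individual command is recorded."""
    return [e for e in events if e.command is None]


def report(events: List[PrivilegedEvent]) -> List[str]:
    """One human-readable line per event, flagging the unlogged su sessions."""
    lines = []
    for e in events:
        if e.command is None:
            lines.append(f"{e.timestamp} {e.user} -> {e.target}: su session, commands NOT logged")
        else:
            lines.append(f"{e.timestamp} {e.user} -> {e.target}: {e.command}")
    return lines


if __name__ == "__main__":
    for line in report(parse_privileged_events(SAMPLE_AUTH_LOG)):
        print(line)
```

Running it lists alice's and carol's commands in full, and bob's entry as a bare su session: from this log alone nothing can say what bob did as root between 10:03 and 10:09. That is the gap the post means, and why it points at PolicyKit-style per-action logging and SELinux roles as the more informative options.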

Sorry everyone, some typos sneaked in. Boy do I like this method; at least I can fix them.

8 comments:

kerensky said...

All I've ever heard is that SELinux is a bitch to configure properly.

oiaohm said...

If you do it manually with a text editor, yes, SELinux is a killer.

http://seedit.sourceforge.net/ Something like that is kind of required. Think of SELinux as Windows Group Policy on overdrive, really on overdrive. People get upset about Windows group policies as well if they don't have good tools.

The thing that makes SELinux worse is that if you get it wrong you can disable the root user and the system's means to boot. It's basically nuts to take it on without seedit or an equivalent to give you a chance to avoid typos. A highly powerful security system plus typos telling it to do the wrong things is going to hurt.

http://seflow.sourceforge.net/ This kind of gives you an idea how far SELinux can go. Right the way to controlling how you can build applications.

seflow is being designed so SELinux can control exactly which files can link with each other. So GPL files cannot be linked into an incompatible license. So even though you can access, see, open and touch files, that does not mean you can merge or send them anywhere. Yes, it can cause some really interesting effects, like KDevelop having one document open and not being able to open another because it's in conflict with SELinux rules. Yet close KDevelop, restart it, then you can open the other document but then cannot open the first one.

Yes, SELinux can have users going "what the". Saving a new file can also end up with the SELinux permissions of the files you have open connected. Yep, no simple way out of this one. With the SELinux XACE extension in X11 you cannot screen capture or copy-paste your way out of it either. It can allow you to copy in but not out to lower security too. Basically you can build walls between whatever you like in the OS with SELinux.

SELinux is a truly powerful security system. It pays to handle it with care; the effects it can cause can make people really go "what the". Solaris imported the SELinux design due to how good it really is; it left what Solaris had at the time for dead.

SELinux is not a black-and-white security system; it has shades of grey. "If you are doing X and Y you can do Z" kind of rules, and "if not doing both of X and Y you cannot do Z", can be applied from SELinux. Kind of does make it interesting for an attacker. Have I found the admin user or not? Do I need to do a special combination of stuff to make the admin features appear?

SELinux is one of the most complex but also one of the most powerful security systems in existence.

With respect and the right tools SELinux is not that bad to handle. Smack, its relation, is simpler to handle if you want to text edit. Really, who wants to do that? I would personally prefer a tool giving me advice when handling a powerful security system.

Anonymous said...

Well, I'm sorry, but anyone who thinks anything man-made is completely foolproof or secure is an idiot. Unix, Windows, Linux, BSD, I don't care what anyone says, none of them are the be-all and end-all of security; nothing that has been devised by the human brain can ever be.

Quick and dirty rule: if it has been created by man it can be cracked by man, as there is always someone smarter round the corner.

All you will ever get is varying levels of security; yes, one system can be more secure than the other, but no system can ever be totally secure.

So this is not really a stab at Unix, more at the stupid people that get complacent in anything that they use.

smiffy

oiaohm said...

smiffy, what you said is another issue.

The same words you have used I hear people use as the reason not to try to make 100 percent security.

Totally secure is possible, but it sucks badly. The tasks an item performs must be highly regulated. So yes, it's a myth that totally secure is impossible.

Security systems are kind of a balancing act between allowing users to do things and what totally secure would allow.

A totally secure system could be a simple little device with an OS working as a watchdog to restart servers as needed. Since the user cannot tamper with it and its function is limited, every flaw can be removed. So it's totally secure. You can also make items like ATMs totally secure against software attack. Again, limited function.

Hardware can be used to enforce the "no, you cannot tamper". Like embedding the OS and data inside the CPU itself, then removing read access from the outside.

Of course if your base OS security does not provide the right amount of functionality to 100 percent cover everything you want to do, the OS is not 100 percent secure.

For a generic desktop machine there is still no security system that covers every possible event.

If people are not trying to create better, we will not get stronger and more resistant systems. Comparing to old, past-their-use-by-date security systems like the POSIX model gets us nowhere.

Looking at the old POSIX model for ideas to improve on is just doing your history.

Anonymous said...

Your arguments are good, but sorry, you can't get totally secure; don't be complacent, there is no such thing. There is always an answer; just because you don't know it yet does not mean it's not there somewhere and someone else is clever enough to find it.

Don't switch the computer on, that's as secure as you get, the highest, but not very usable; if it's not on it cannot be infiltrated, can it.

But then wait, what if someone breaks into your house and switches it on for you.

Like you said earlier, remove the LAN and you're secure from remote issues, but local ones can still work.

Nothing is totally secure; how many bank vault makers have told their customers that until the latest bank robber uses that method or trick that no one thought of.

It doesn't matter how secure you think it is, there is always one variable that you cannot account for totally: human error, as human error is not predictable, ranging from error to stupidity.

Sorry buddy, but you won't shift me on this one, nothing man-made can be secure. That goes for computer security too. The best you will ever get is a happy medium, enough security but still usable.

Quite simply

"Totally secure is possible but it Sux's badly"

is just wrong; you cannot get 100% secure as you do not know what is round the corner. Use your might and knowledge to find a counter-strike, but I'm not using PC knowledge as my tool here, I'm using logic and real-world examples which unfortunately apply to PCs too.

smiffy

oiaohm said...

I was thinking of totally secure from a coder's point of view. Not allowing for local hardware access.

Totally secure systems from a coder's point of view are built by covering every possibility from the code side. And I do mean every. Then it presumes you put the required real-world security around it as well.

Now for a highly complex system like a general desktop it's basically impossible to do that. One day that might change, but I don't see it for at least 3 years.

Buffer overflows and security holes don't magically appear in code just because a different event shows up.

Security flaws always had to have been there. The event would just be showing something that always existed.

Think of a computer program like a maze. If the walls of the maze are unbreakable, the exits (flaws) to the maze you can use have to have always existed. In the real world, if you are dropped in the centre of this maze and its walls are too high to climb and you cannot dig out and there are no exits, you are screwed. The paths you can walk are set by the maze. Exactly the same as totally secure software: it sets exactly where the user can go and what they can do. No flaws.

Yes, it is possible to build something in the real world like that, and it is totally secure as long as the person cannot cheat.

Computer code is different from real-world examples. In real-world examples someone invents a new tool they can use directly to break the security. The only way to break the security of correctly audited software is a hardware defect that had to exist when the device was created, or direct hardware access to the device to add a defect.

Real-world physical security is way harder to be sure of than software. Software is different because you can cover every option.

Anonymous said...

"Software is different because you can cover every option."

And you can be sure that you have covered EVERYTHING!!

And you would be totally happy in the knowledge that you hadn't forgotten ANYTHING at all??

Cool, the end of the bug as we know it ;)

No one is capable of getting it 100% right and accounting for every possibility; we're only human after all...

smiffy

oiaohm said...

For a limited-function device you can be 100 percent sure you have covered everything. The issue here is complexity.

Secure software design also takes the failures of humans into account. That's the reason why part of the process is automatic tools.

Yes, we are human. Computers that assist us are not. Lots of programs automatically map out code paths through the application, allowing for every value that could ever be presented to the application.

Basically the computer does not make human error. Once human error is removed from its code no major problems are left.

The idea that 100 percent secure code is impossible is basically a myth.

The issue is simply that for highly complex environments like desktops we don't have tools to cover every event yet. Every year the tools to do it get closer.

The major point here is that if everyone is using the best tools to find flaws, every year particular types of exploitable flaws should disappear for good.

Means to detect buffer overflows from source code scanning were designed 7 years ago. Buffer overflows should have gone the way of the graveyard then. Software to detect SQL injection flaws in web sites has also existed as long.

The list goes on. The number of flaws should be reducing as more and more areas are covered by secure programming.

The major area of limitation for flaw-scanning software is multiuser. How to rule out what should and should not be allowed. Of course at some point that major limitation will disappear.
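As an added illustration of the source-code scanning the last comment refers to (this is example code written for this page, not a tool from the post, the commenters, or any named project), here is a deliberately small scanner that flags calls to C string functions that write into a buffer with no length bound, alongside the bounded replacement a reviewer would normally ask for. The C snippet it scans is constructed: one function uses strcpy, its sibling uses the bounded snprintf form, and a third uses gets. The scanner blanks out string literals and comments first so that a mention of strcpy in a comment is not reported as a finding.

```python
"""Minimal scanner for unbounded C buffer-writing calls.

Added example, not a tool from the original post or its comments. The C
source below is constructed for illustration; the replacement advice is
the usual reviewer guidance, not a project's own policy.
"""
import re
from typing import List, Tuple

# Calls that write into a caller-supplied buffer without a length bound,
# mapped to the bounded form usually recommended instead.
UNBOUNDED_CALLS = {
    "gets": "fgets(buf, sizeof buf, stdin)",
    "strcpy": "strncpy/strlcpy with an explicit size, or snprintf",
    "strcat": "strncat/strlcat with an explicit size",
    "sprintf": "snprintf(buf, sizeof buf, ...)",
    "vsprintf": "vsnprintf(buf, sizeof buf, ...)",
}

# Word boundary so that printf/snprintf/puts are not matched as sprintf/gets.
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_CALLS) + r")\s*\(")


def strip_strings_and_line_comments(line: str) -> str:
    """Blank out string literals and // comments so names inside them are ignored."""
    line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]


def scan_c_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, function_name, suggestion) for each unbounded call."""
    findings = []
    in_block_comment = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw
        if in_block_comment:                  # still inside a /* ... */ comment
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block_comment = False
        if "/*" in line:                      # comment starting on this line
            before, _, after = line.partition("/*")
            if "*/" in after:
                line = before + after.split("*/", 1)[1]
            else:
                line = before
                in_block_comment = True
        line = strip_strings_and_line_comments(line)
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, UNBOUNDED_CALLS[name]))
    return findings


# Constructed C source: an unbounded copy, its bounded sibling, and an unbounded read.
CONSTRUCTED_C_SOURCE = """\
#include <stdio.h>
#include <string.h>

/* constructed sample: copies a caller-supplied name into a fixed buffer */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* unbounded: overflows for long names */
    printf("hello %s\\n", buf);     // printf itself is not flagged
    return 0;
}

int greet_safe(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", name);   /* bounded replacement */
    puts(buf);
    return 0;
}

int read_line(void) {
    char line[64];
    gets(line);                      /* unbounded read from stdin */
    return 0;
}
"""


if __name__ == "__main__":
    for lineno, name, advice in scan_c_source(CONSTRUCTED_C_SOURCE):
        print(f"line {lineno}: {name}() has no length bound; prefer {advice}")
```

On the constructed source this reports only line 7 (strcpy) and line 21 (gets); greet_safe passes because snprintf carries the buffer size. A pattern scanner like this is the cheapest end of the tooling the comment describes: it catches the well-known unbounded calls on every commit, while the path-mapping tools the comment mentions are what you need for overflows that come from arithmetic or index errors rather than a recognisable function name.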