is linux a secure operating system?

cartonoak

New Member
Joined
Sep 3, 2024
Messages
2
Reaction score
1
Credits
22
I use both linux and windows, the linux distribution I currently run is Fedora Silverblue.

I started reading in different forums and internet websites about linux, and two pages in particular called my attention about security in linux, and I would like to share them here and know what you think about it, I don't want it to be misunderstood, I love linux and I have tried several distributions, I always heard that linux is more secure than windows and I always took it for granted, but to my surprise when I started reading about linux security in these pages and everything they talked about, then from there this topic does not stop itching my curiosity.

 


I'll take Linux over MS every day. Neither are anywhere near 100% secure. I believe Linux to be more secure though. If for no other reason than there isn't 1,000,000,000,000,000+/- viri written for it. That said, neither one is more secure than the person sitting at the keyboard.
 
Your link is total FUD. Read this link:

https://easylinuxtipsproject.blogspot.com/p/security.html

By the way, your link rates a "Caution" on Norton's safe web. I would advise everyone NOT to click on it. I guess I have to make a new browser profile now, which sucks because I just made this one over the weekend. :mad:

Untitled.jpg
 
Last edited:
When I was switching from Windows to Linux I was reading a lot about security in Linux to get an idea where I'm going. Things got very technical at some point and I stopped. What I got from my search, and for me it was enough, is that Linux is my best bet compared to Windows and Mac and here I am ever since
 
Linux is inherently more secure than Windows, with windows you must have both fire wall and antivirus, with Linux most of us old timers will have a firewall installed but not bother with AV. window s are attacked more than any other operating system, firstly because of its poor construction and second because of the number of users, last month Microsoft issued a stack of security updates some were zero day [critical] updates to fix problems they have known about for many months, with Linux having so many active members patches if required are usually far quicker. as Linux gains popularity, then perhaps we may need to look again at security issues,
some distributions are considered more secure than others [not to be confused with security distribution, which are totally different] but this only holds true if you install and run them as you get them OTB, once you start changing, applications and other parameters you lose any extra benefit.
well, that's my opinion as a 20Yr + user
 
I did move this to security sub-forum.

I did let this through the queue so that folks have the chance to dispute the claims. If there's a rebuttal here then there's something online for people to find.
 
to me the way the article in post one is linked to, reads like a sponsored advertisement not a clinical autopsy
 
Agreed...... Also the "https://madaidans-insecurities.github.io/linux.html" link below ...

Just a few quick excerpts......not in any particular order.....this has to have been wroitten by someone with a SERIOUS gripe where Linux is concerned.

If even one third of this were true, there would be no Linux.....it would have been wiped from the face of the earth long ago.

Linux being secure is a common misconception in the security and privacy realm. Linux is thought to be secure primarily because of its source model, popular usage in servers, small userbase and confusion about its security features. This article is intended to debunk these misunderstandings by demonstrating the lack of various, important security mechanisms found in other desktop operating systems and identifying critical security problems within Linux's security model, across both user space and the kernel. Overall, other operating systems have a much stronger focus on security and have made many innovations in defensive security technologies, whereas Linux has fallen far behind.


and then criticises:



Sandboxing


Flatpak


Firejail


Exploit mitigations..."Most programs on Linux are written in memory unsafe languages, such as C or C++, which causes the majority of discovered security vulnerabilities.""


Then praises win 10, windows HVCi etc etc


All in all a shabby attempt to discredit the Linux system and the people who safeguard it.


""The Linux kernel itself is also extremely lacking in security."".....maybe Linus Torvald should be made aware.....Linus has apparently been writing code for kernels in memory unsafe language.



""Microsoft moved all font parsing out of the kernel and into a separate, heavily sandboxed user space process, restricted via AppContainer. Windows also implemented a mitigation to block untrusted fonts from specific processes to reduce attack surface. Similarly, macOS moved a substantial portion of its networking stack — the transport layer — from the kernel into user space, thereby significantly reducing remote kernel attack surface and the impact of vulnerabilities in the networking stack. Linux, however, does not focus on such systemic approaches to security.""


The Nonexistent Boundary of Root





etc etc


Why does Linux.org allow crap such as this to be published on its site?
 
to me the way the article in post one is linked to, reads like a sponsored advertisement not a clinical autopsy

It seems more like trolling to me, but I figured I'd let it through and we can see what the rebuttals are.

Why does Linux.org allow crap such as this to be published on its site?

So that you can post your response to it.

The best defense against FUD is accurate information.
 
What bothers me the most is the caution rating on Norton's safe web. And dummy me I clicked the link before checking.
 
What bothers me the most is the caution rating on Norton's safe web. And dummy me I clicked the link before checking.

Yeah, that one tells me not to trust 'em.

But, assuming you're using a modern browser, it's harmless. Just don't install anything you see there. Just visiting the site isn't going to cause any harm. It doesn't even try to load any malicious scripts.
 
Madaidan's Insecurities is absolutely correct. The site also provides solutions. I doubt though that many actually bothered to harden kernel. Here is the simple kernel config checker that scans kernel config
https://github.com/a13xp0p0v/kernel-hardening-checker
to see how many options in the kernel should be modified
how many ever modified kernel to harden it not to mention use this
https://github.com/anthraxx/linux-hardened/releases

OP's is making some mistakes though:
Linux gives user full control over OS internals so it is possible to harden any distro.
Default settings are secure enough for average user so not to worry

Madaidan's Insecurities talk about things that can be improved now and things that may be fixed in the future.

Today the only secure Linux distro out of the box is Qubes OS. I doubt that many users installed Qubes or even heard about it. Still Qubes is not perfect in terms of security.

Advice for OP: OS security is very complicated topic so don't get crazy about security yet. Again your Fedora is safe.
 
I will dispute that point by point, as politely as I can.
  1. "On Desktop Linux, GUI applications run under your user, and thus have access to all of your files in /home". That is not necessarily true in all cases, as there are many mechanisms that can enforce the opposite. SELinux policies and all package formats that operates in a containerised way, such as Flatpak, provide a set of permissions that act exactly on this. Those are just two examples any intermediate user can throw on the discussion, and I am pretty sure that claim can be disputed much better by someone that talks the languge of Mordor SELinux.
  2. "Linux Hardening Myths" is just fluff. It doesn't make any informed claim in either way.
  3. "Lack of verified boot" is false.
    1. Linux supports and is a foundational party in the development of Secure Boot. I use Linux with Secure Boot enabled and enforced.
    2. Then, it rambles about the filesystem structure, which is not only unrelated, but pointless and also incorrect.
      1. The Kernel Space and the User Space is very well delimited at runtime by the CPU, to which Linux can only abide.
      2. The system packages and the user packages are installed in different directory trees, / and /usr. The author has the answer in his own text, as it talks about /usr/bin and /usr/local/bin, where the answer would be /bin v. /usr/bin
      3. The user can verify the integrity of "the system" by many means otuside the health of the filesystem, by means of package managers and the overal status of the daemons that have been inited.
      4. macOS has the exact verbatim "problem", as I can install many applications in the Unix traditional filesystem tree by using .pkg distributables instead of .dmg images. That, without even thinking on things like homebrew.
      5. Windows? Three quarters of the same. I can throw anything anywhere.
      6. The atomic distributions like Silverblue, Vanilla and many others obliterate these arguments --but they are nor really critical to this. The author is upset about the filesystem structure but doesn't know that, as said, there are other integrity indicators and macOS is not sandbox-only. That's all.
  4. "Lack of sandboxing" is not true.
    1. Flatpak, Snaps, and AppImages are here since decades ago. Are they optional? Yes, as in macOS --the previous point largely covers this.
    2. The atomic disitributions enforce sandboxed user-installed applications
    3. Their understanding of "Portals" is completely in reverse: Portals are there to open access to parts of the system, not optional to prevent so.
    4. No application expecs full access to /dev, which is owned by root, and fine-grained by different groups. That's a severely misinformed point
    5. "As a result, Flatpak maintainers often opt to have extremely lax permissions to the point where they have to grant filesystem=home, filesystem=host, socket=pulseaudio or devices=all, otherwise apps will break and give users a bad experience." That's an overstatement and an opinion, not a fact.
    6. "The only way to systematically fix this problem is to design a whole new system from scratch with a permission model like that of Android in mind" Android is Linux. Case closed.
  5. "But Linux is open source!" I agree with the author. Yes, I do.
  6. "But there is less malware on Linux!" I agree with this sentence "Security by irrelevance does not work. Just because there are fewer users of your favorite operating system does not make it any safer.", but the rest of the section builds up on the prevalent lack of information of the previous part of the article.

    Or, if we want to attribute malice --which I will leave it for you--, intentional disinformation.
However, under all this fluff, unsubstantiated claims, reality cherry-picking and lack of information from the author, all those logical fallacies and opinions, there is some good points. I personally concede two:
  • We need better end-user controls. For example, the devices could have better security controls in place in terms of permissions to reproduce sound v. permissions to record. Yeah, there are hardware and software switches, but there's value on recognising room for improvement.
  • In general, the security systems on Linux are quite diverse and form a multi-layered set of policies that, although effective, are difficult to grasp as a whole. What is worse, they are very different. SELinux and AppArmor have the same scope but are as different as two thing could possible be. It's hard to have solid understanding on both.

In my opinion, there's no system secure by default and there's always a human factor in this. What a system needs to provide is a set of controls that are effective and that can be understood an actioned by the user. Currently I don't see great differences between Windows, macOS and Linux, so these kind of articles have very little point nowadays --it's not 2001 anymore.
 
PS -- I wouldn't worry excessively about having clicked the link.

Virus Total says 1 out of 93 vendors flag the link as malicious, so caution is advised, yes, but the classification is not an industr-wide consensus.

I opened it with the same Firefox Container I open some facebook links, so that all the malicions parties can be malicious together in a malicious disposable sandbox.
 
On the topic of, Madaidan's Insecurities

if we want to attribute malice --which I will leave it for you--, intentional disinformation.
Amen.
 
I wonder why, secure boot is even mentioned as being secure? Never was or will be.
Apparmor is specific for Debian and derivatives and Selinux for RH and derivatives. Neither provide security out of the box. Apparmor is path dependend and easy to circumvent, selinux requires knowledge beyond average user willingness to learn.
As history have shown open source means honesty, not security.

As I explained, Qubes OS is the only Linux distro secure out of the box but security comes with the price so not many use it.

Being defensive is a mistake.

Grsecurity was kicked off because they proved again and again that kernel is not safe. Good thing is that currently a lot of their ideas is being implemented by kernel devs.

In secure environment each app would require system administrator to give permission to access system resources.

Flatpaks as security measure? So often with outdated software. Not to mention that if for example each provide own ssl lib then in fact this is security nightmare.

Example from Fedora forums:
https://discussion.fedoraproject.org/t/how-secure-are-verified-flatpaks/120135/8

Irrelevant of OS security is difficult topic.

"As a result, Flatpak maintainers often opt to have extremely lax permissions to the point where they have to grant filesystem=home, filesystem=host, socket=pulseaudio or devices=all, otherwise apps will break and give users a bad experience." That's an overstatement and an opinion, not a fact.
https://discussion.fedoraproject.or...rivilege-escalation-what-to-do-instead/112651
No, this is an issue.
 
Maybe read this first

Few examples (plenty more to come in the future)
It is broken because secure boot is just a db. No way to fix this. Not to mention that Linux does not really need it.

The guy, is Whonix’s maintainer. Whonix is usually listed as secure Linux distro. I doubt that one can contest his experience. So I am baffled why the first reaction is denial.

The only way to make OS secure is to learn about OS insecurities. Personally I don't dualboot. I am trying to make OS as secure as possible but to do this I am reading as much as possible about existing or possible issues. I don't feel offended when someone asks about Linux flaws.
A lot of issues mentioned by Madaidan were fixed a lot fixes is just not enabled. Check out Gentoo relevant pages.
If even one third of this were true, there would be no Linux.....it

Well I remember grsecurity guys talking about simple web page that when visiting would crash Linux. Linux survived that.
 
@Aristarchus :-

.......and if you truly believe everything you read online, then you will NEVER want for moonshine. Getting to the bottom of - and creating - an "unassailable" argument in favour of "X", "Y" or "Z" involves a LOT more than simply publishing a bunch of links that appear to support your argument.

All that proves is that you believe what you're saying, and tend to read a lot specifically to FIND stated 'links'. This is no reflection on you, personally, since it's become endemic on the modern web. General public consensus these days is that "if it's online, then it must be 'gospel truth'".

You - as in people generally, NOT you specifically - need to have a truly in-depth knowledge of what it is you're trying to disprove/debunk. And in all honesty, very, VERY few people actually do......along with the fact that of this tiny percentage, most are more concerned with doing something about it than endlessly waffling about it online.

Just because something is publshed online, doesn't mean I instantly believe it.

(shrug...)

This is one of those subjects that could go round & round in circles indefinitely.....until it disappears up its own backside through sheer lack of impetus.


Mike.
yawn-small.gif
 
Last edited:


Top