Users get to the root of Linux security holes

While identifying Microsoft as a large source of IT security snafus, respondents to a SearchOpenSource.com survey also found holes in Linux security.

While identifying Microsoft as the source of most IT security vulnerabilities, respondents to a SearchOpenSource.com survey also found holes in Linux and open source software (OSS) security.

Linux and Windows users were asked in the survey to compare the two operating systems and indicate their differences and their strengths and weaknesses. The survey also asked users to comment on what Linux needs to do to remain safe in 2006.

Overall, survey respondents said they'd had fewer security problems with Linux than Windows. Generally, they complained about Microsoft's slow responses to security vulnerability exposures and weaknesses in such products as Microsoft Internet Explorer browser and Internet Information Services Web server.

On the flip side, Windows security IT professional Andy Canfield wrote about two security weaknesses in Linux that he thinks should be addressed.

More on this topic:

IT managers, beware: US-CERT study faults app security more than Linux

Masked malware, VM and Linux attacks coming in 2006

Canfield is a member of Firebird Foundation Inc., which is a group that supports and advances the development of the open source Firebird relational database engine. He works on the Firebird Relational Database Project and is a long-time SuSE Linux user.

"I believe that Linux needs to get rid of 'root,'" Canfield said in an e-mail to SearchOpenSource.com. "Root is not a user; root is a capability to surpass security. As long as that capability exists, there will be ways to hack it."

In a computer file system organized as a hierarchy or tree, the root directory is the directory that includes all other directories.

Canfield said there will always be theoretical reasons why a user would have to have complete access to the entire hard disk, but, in those cases, the initial boot should be done from a CD-ROM.

"The kernel stored on the hard disk should not even have [this] capability built into it," he said.

To achieve this feat, a developer would have to practice more restraint. The convenient practice of dropping a root into software whenever -- as is the case when a user wants to change the network settings of a company laptop to fit the LAN that they are attached to -- must stop, Canfield said.

"[Root] is easy, it is convenient and it is a security hole. I can remember the day, only a few years ago, when you had to be in root to dial in to the Internet. Doing it the right way takes more work but gives more security.

"Why should changing the LAN settings require write access to the entire hard disk?" he asked.

Canfield said there is still potential for root in the partitioned versions of Linux, where root is not global but is only local to some portion of the system.

The second security weakness identified by Canfield was that device drivers run in kernel space. Since driver space equals kernel space, he said, driver bugs equal kernel bugs.

"Linux would be significantly improved if device drivers were forced to operate in some sort of driver space separate from kernel space," Canfield said. "On startup, the driver should inform the kernel about the types of hardware access that it needs, and the kernel can block accidental attempts to perform other types of access."

This process would not only protect against bugs, he said, it would allow the kernel to identify driver conflicts at run time.

The wet finger in the wind

IT pro Sid Boyce said he did not believe that, in his own words, "the wet-finger-in-the-wind analysis" applies to Linux as it does with Windows.

Boyce, a retired IBM/Amdahl mainframe tech support specialist, said the assumption that Linux was just as prone to attacks as Windows because it ran on a PC is incorrect.

"I'm not saying Linux isn't vulnerable, but to compare it in the same light as Windows is a gross distortion," Boyce said.

Boyce said it would be disingenuous to compare the two because even with a larger installed base Linux would still not have a "magical number" of users that would attract the attention of virus writers.

Canfield also noted this distinction. He said a major difference between the two is that Windows is the target of automated systems, while Linux is the target of human beings.

"Windows malware is everywhere; Linux hackers pick their targets," he said.

For this reason, both agreed, a firewall is more important in Linux than in Windows. A tool to monitor network traffic for malicious attacks makes sense in Linux.

Have you experienced security problems with Linux, open source apps, Windows or proprietary applications? Tell Jack Loftus about them. Click here to send an e-mail to Jack.

This Content Component encountered an error

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close