Security Features

What security features has Linux got?

Hmm … a better question might be what security measures could be implemented that most Linux distributions don’t have by default :slight_smile:

Short answer … paranoid level security features :slight_smile:

Longer answer … OK, here goes, I’m bound to miss a few here, and probably explain it badly … I’ve had a bottle (or two) of wine … so thank god for spell checkers :wink:

a) Separation of user and kernel space … a user cannot edit kernel space, nor can any program a user runs.

b) File permissions … any file or folder can be given read/write/execute permissions for different users and groups … they can also be “owned” by different users and groups.

c) anything coming in from the outside world will have the execute bit disabled … even if it could be run (without manually having the execute bit enabled) and was malicious, it would only be able to affect files with the privileges of the user who ran it, and not the system as a whole.

d) by far the majority of software will be installed with a couple of mouse clicks from a central software repository that can easily be checked for malicious code … think of the iTunes model for iPhones/iPads and you’ll be approaching the Linux software repository/package manager system … the Linux software repository/package manager model is the envy of other OSes, that’s why Apple have tried to emulate it (badly) … unlike Apple, what makes it into the repos tends to get there on technical merit rather than for commercial or political reasons.

e) by far the majority of software is open source, the source code is freely available … so if any software contained any security risk, or malicious code it would be quickly spotted by the “many eyes” approach to software scrutiny.

f) executables that traverse a network will have the execute bit disabled at the other end (if the other end is a Linux box).

g) outside user space, a user (or any app run by the user) does not have permission to install software, or edit anything he (or any software run by him) has not been given permission to edit.

Add these things together, and you’ll see that -

  1. if anyone wrote any malicious code, they’d have a hell of a game getting it into the distribution channels

  2. if it did get into the distribution channels, it would be quickly spotted.

  3. if a user was stupid enough to install malicious code from outside the software repositories … it could not affect anything they don’t have permission to change … i.e. it could only affect that user’s files, and not the system as a whole.

  4. anything that arrives on the system from the outside world needs to have the execute bit manually enabled before it can run … and if a “user” enables the execute bit, see 3 above.

  5. anything given permission to traverse a network (between Linux boxes) would have its execute bit disabled at the other end … ruling out automatic running of malicious code at the other end.

Any virus or malware needs to reproduce or be spread faster than it is killed off to survive … Linux puts so many barriers in the way that this is impossible … this is NOT to say that malicious code cannot be written for Linux … it CAN … what it means is that it cannot spread, and cannot do system wide damage unless expressly given system wide access by the root account.

As long as you don’t log in and run unknown software as “root” you will find it impossible to do system wide damage … if you are daft enough to run unknown applications as root (requiring the root password), then YES (as in any OS) you could screw up the whole system, though this is mitigated by the fact that there are NO known Linux viruses in the wild … the idiots that write them have no incentive, they would quickly die and do no real damage.

This is NOT a case of Linux not being targeted “because it doesn’t have enough market share” as some Windows fans would have you believe … think about it, the world’s servers pretty much all run Linux, Linux has a bigger target on its back than Windows does … virus writers are motivated by reputation, what would be better for your reputation, to bring down a few Facebook users’ Windows PCs or bring down the Stock Exchange, or Google’s servers?

Anyway, enough babbling by me …

These links may explain it better:

…and as such very few malicious virus writers are interested in attacking the Linux platform. :slight_smile:
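
As an added illustration of points (c) and 4 in the answer above (not part of the original thread), this POSIX shell script writes a file the way a download lands on disk, shows that running it directly fails with status 126 until the execute bit is set by hand, and lists the files in a directory that carry any execute bit. The function names and the sample file names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (constructed); function and file names are assumptions.

# Write a script the way a download lands on disk: as plain data.
# New files get mode 0666 masked by the umask, so no execute bit is set.
make_download() {
    printf '#!/bin/sh\nexit 0\n' > "$1"
}

# Try to execute a file directly and print the resulting exit status.
# 126 means "found but not executable" (the kernel refused permission).
try_run() {
    rc=0
    "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Defender's check: list regular files under a directory that carry any
# execute bit (user, group or other), e.g. to review a downloads folder.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

demo() {
    dir=$(mktemp -d) || return 1
    make_download "$dir/installer.sh"   # constructed sample file
    make_download "$dir/notes.sh"       # constructed sample file
    echo "before chmod: exit status $(try_run "$dir/installer.sh")"
    echo "files with an execute bit: $(list_executables "$dir" | wc -l)"
    chmod u+x "$dir/installer.sh"       # the manual step from point 4
    echo "after chmod:  exit status $(try_run "$dir/installer.sh")"
    echo "files with an execute bit:"
    list_executables "$dir"
    rm -rf "$dir"
}

demo
```

Pointing `list_executables` at a directory where incoming files are stored shows which of them have had the execute bit enabled since they arrived.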