security in ubuntu

[Hungry Man]

Quote:

CUPS runs as an unconfined admin process on most Linux distros. Ubuntu has an AppArmor profile for it, but many distros do not.

Yep. But any distro with LSM will let the user confine it and Ubuntu/Mint, the two most popular user distros come with it enabled by default.

I'm not really asking for that much, really. Definitely nothing hardware intensive. I'm not really asking for anything as I will be providing this myself in (hopefully) the next 6 months - 1 year.

I don't think even an educated user can be blamed (not that this is what you're saying.) We're simply incapable of practical analysis. An antivirus heuristics engine is looking at the code itself, it's checking it against trends in malware, it's incredibly complex. We're amazing beings but we're not designed for that and we're very trusting. Blaming humans for being human is just lazy.

Quote:

Originally Posted by Serapis

Windows defaults are ok?

Can anyone tell me why Windows has file/printer sharing and Netbios on by default?

In latest Windows versions, "automatic" services are trigger-started. Which means they are off by default, only on when they are needed. See: http://windowsteamblog.com/windows/b...roduction.aspx

@HM, Windows services run isolated. See: http://windowsteamblog.com/windows/b...isolation.aspx

[Hungry Man]

I know they're isolated. That's to stop shatter attacks. If they're attacked they still have admin rights and can do anything they like.

The difference is that in XP everything is "user 0" (admin) and can interact with any other process in that user account. This is separated in Vista to prevent shatter attacks - one of the reasons why XP is so easily exploited.

It's great but entirely irrelevant because it's two different types of attack. If one of your user 0 services is exploited you're still screwed.

Now you want services to not have admin rights.

I can't even imagine the nightmare of compatibility issues that such a move would bring to the platform.

I hope Microsoft keeps improving the services to be resistant against attacks instead of simply removing their rights.

[Hungry Man]

Quote:

I can't even imagine the nightmare of compatibility issues that such a move would bring to the platform.

Literally none at all. If a service can perform its tasks and nothing but its tasks there will be literally no compatibility issues by definition. Instead you've got the print service able to:
1) communicate with all other services
2) do anything it likes to the system

Cupsd does just fine in AppArmor. It runs as root, has quite a lot of capabilities, but significantly low file access rights.

You can't get that on Windows. Instead you get Stuxnet attacking a printer service.

Quote:

Originally Posted by Hungry Man

Literally none at all. If a service can perform its tasks and nothing but its tasks there will be literally no compatibility issues by definition. Instead you've got the print service able to:
1) communicate with all other services
2) do anything it likes to the system

Cupsd does just fine in AppArmor. It runs as root, has quite a lot of capabilities, but significantly low file access rights.

You are thinking about one service and one scenario usage. Apps use many other services for many other scenarios.

For example, what would happen with Chrome's auto-updating service if it couldn't have file access rights?

Quote:

Originally Posted by Hungry Man

You can't get that on Windows. Instead you get Stuxnet attacking a printer service.

There was a vulnerability that allowed it. It was fixed. There is no need to break printer devices.

[Hungry Man]

Why would it not have file access rights? It will have those file access rights but only what it needs. That's what least privilege is, the least amount of access given that the program can function and do exactly what it needs to do and nothing else.

Quote:

There was a vulnerability that allowed it. It was fixed. End of story.

Hardly the end of the story. There will always be vulnerabilities and they will never all be fixed in any complex program that changes over time.

If a service is exploited on Windows your system is compromised.
If a service is exploited on Linux... it's stuck in the apparmor sandbox (assuming we're talking about one of the ones that comes with apparmor.)

If appcontainer works the way I hope it does (ie: nearly exactly like apparmor) Windows 8 will be much closer to Ubuntu.

You're assuming that one can catalog all the programs in existence that make use of services and see exactly what they need to do.

Yeah, right.

[Hungry Man]

No, I'm not. I'm talking purely about Windows services right now, which I think we can agree are Microsoft's duty to secure, yes?

In terms of protecting all programs there's no way to implement least privilege through MAC without developer cooperation.

Quote:

Originally Posted by Hungry Man

No, I'm not. I'm talking purely about Windows services right now, which I think we can agree are Microsoft's duty to secure, yes?

So, what Windows services are vulnerable? How can they be further restricted without breaking some of the insane number of third-party (old and new) apps/drivers/whatever that may use them?

[Hungry Man]

How should I know? I don't know the details of which files and capabilities each Windows service should have. It should be obvious that they don't need as many rights as they have because why does my DNS cache service need the ability to read my documents folder (example) ?

Internet facing services on Ubuntu, like the printer/file sharing service, are apparmor'd and restricted quite a lot.

How do you know that your DNS cache is reading your documents folder?

[Hungry Man]

It's not about what it's doing it's about what it can do. It has full read access to the entire system.

The syslog service on Linux needs root. On Windows such a service would therefor have access to the entire file system and capabiltiies.

On Linux it runs in an apparmor profile that significantly limits it.

Quote:

/dev/log wl,
/var/lib/*/dev/log wl,

/dev/tty* w,
/dev/xconsole rw,
/etc/syslog.conf r,
/sbin/syslogd rmix,
/var/log/** rw,
/{,var/}run/syslogd.pid krwl,
/{,var/}run/utmp rw,
/var/spool/compaq/nic/messages_fifo rw,

r = read, m = mmap, w = write, ix = inherit execution, etc

Instead of accessing the entire file system it can pretty much only read/ write to a small set of folders/ files.

If it were compromised my personal data in /home/ would be safe and my system would not be in peril.

Again, were this on Windows the entire system would be read/writable.

Where are you checking the access rights of each native Windows service?

[Hungry Man]

They run at the System Integrity. Any service running as Admin/ System can read/write to the entire file system. That's how integrity works. If you can find anything showing me otherwise please do.

edit: Or anything running as "High" can. System is a separate level that works differently. Such a pain int he ass to find out what can/ can't be accessed.

Can't you use SetACL to "fix" the permissions to whatever you want?

I'm very noob with these technical things. Be patient, lol.

[Hungry Man]

Looks pretty cool. It's possible that it allows you to work with them. Chrome does something with XP's ACLs at least.