Security - Features, or afterthought?


Forum: DSL Ideas and Suggestions
Topic: Security - Features, or afterthought?
started by: simple-user

Posted by simple-user on Jan. 25 2005,16:04
Hello,

Please take this as comments and suggestions, for constructive
purposes, not simply as a criticism.

Allow me to leave some of my thoughts here about DSL and MyDSL.
I'm getting better with English but I'm not a native English
speaker, please bear with me and I appreciate it if you can
point out my mistakes.

I think Knoppix Live CD is the greatest leap as of late of Linux
and OSS.  Allowing for Knoppix Remastering is another strength
of OSS, I whole-heartedly applaud the efforts and great work to
allow a small distribution like DSL to experiment with new and
creative ways to get some work done.

I really love the idea of "small is beautiful" of DSL.  Also
love the "automation" idea and real code to do just that of
MyDSL.

My reservations, however, are a bit more complex.  Let me cut
to the chase here and say the potential bad things with DSL
and MyDSL.  Then give some examples of similar school of thinking.

DSL allows the default "dsl" user/account to have sudo everything.
It is great if you are doing a hdd rescue, or backup.  I'll
venture to say it may be OK for your own LAN not connected to
the Internet, let's not argue about this last statement because
everyone has their own opinion.  The real problem is if you run
DSL on the internet and someone can exploit some security holes
and become the "dsl" user.  They can find out very easily, if they
do not already know, that "dsl" can sudo everything.  Now your machine
is owned by someone else, which can become a spambot, a DDOS-node,
or a node along a trail of crackers' path and they can wipe out
the log files at will.

Sure someone may jump in and argue this is not the case if you
run from CD, or turn off the high-speed connection...  I'm simply
pointing out that if you imagine your invention became popular
and everyone is using it, what might happen?  In other words,
please be considerate of your actions.

MyDSL is great if I were to customize it for my own use, and can
build and share those *.dsl packages with trusted friends.  I enjoy
the similar automation motto, too.  The problem with MyDSL is the
very problem of "Ms. LookOut" and "Ms. Internet-Exploder"; Well
you can call that Ms. or Mrs. as in calling some middle-aged lady,
or old lady if you like.  The idea is to simplify complicated
configuration and setup steps, just simply do things automatically.
It is a well intentioned thing, but if taken beyond the original
intention, it can be very disturbing to say the least.

These "intention" things happen in life, not simply in computer
fields.  One example, if I remember correctly, is that the Nobel
invention of explosives was intended for mining or road construction...
but was later used in warfare.  Later in life Mr. Nobel tried
to set up the Nobel Peace Prize.  An example of "minding your
own business, what I do doesn't concern you" is the drunk-driving
situation.

OK, I'll try to throw in my suggestions of one way I can think of,
but there are many ways to slice the pie...

For DSL, the way it runs from the live-CD I have no problems with
especially to help rescue a troubled machine.  For hard-drive, or
even USB-drive install, it may help if an additional user account
is created without sudo privileges by default.  It may be an extra
password to remember but it is probably better for us all on the
internet.

For MyDSL, the folks doing the core of these MyDSL scripts and
programs already know enough about ramdisk and what root can do to
the system.  Imagine what a rogue MyDSL in the wild can do?  Perhaps
using that ramdisk and overwriting the root file structure would
be best done in a chroot/jail environment?  Like what the old UML
(User-Mode-Linux) was working on?  I say that because I think UML
has recently changed focus to tinker with VM-Ware/Bochs ideas.  Using
MyDSL in a chroot environment with more restriction on sudo might
be quite a bit more work but will be much better for a hard-drive
or USB-drive installation.  But be mindful that a rogue MyDSL in
the current implementation (2005/01) running even from a CD can wipe
out entire hard drives in just a few moments the way that DOS/Windoze
virii have done.  Or it could be worse, it could turn those machines
into zombies on the internet.

Best regards,

Just a concerned Netizen (Net-citizen).

Posted by cbagger01 on Jan. 25 2005,18:13
I understand your concerns and your points are technically valid, but I do not lose any sleep over them.

Why?

I do not use any mydsl extensions that have not been superficially tested in the repository.  While it is possible that someone could sneak something in, the really obvious attempts at sabotage would be quickly identified and the extension would be removed from the repository.

The same risks exist for users of other distros who download and install slackware, rpm and debian packages from an untrusted source.   The apt-get / dpkg process uses root authority so bad things can also happen.

The only difference is the volunteer-oriented contributor base and the ease-of-use that exists with the myDSL system.  Even the click-n-run stuff isn't too far away from the click-n-install functionality that you can get with GUI package managers like Synaptic or kpackage, so the myDSL gui isn't any worse than the traditional software installers.

It is impossible to build a livecd distro that achieves the goals of the DSL developer team without some marginal security risk.   You can make it more difficult to install software or do other things as root, but sooner or later the user will need to get to the root authority to do something on their system and this cannot be prevented.  It is impossible to create a secure password on a livecd that is distributed publicly in ISO form with user documentation, unless you choose to not tell anyone about it, which makes the password useless.

DSL comes with the ability to change the password of the dsl and root user accounts on a hard drive installed system, so the tools are there if someone wants to use them.

Posted by SaidinUnleashed on Jan. 25 2005,18:57
Quote
DSL comes with the ability to change the password of the dsl and root user accounts on a hard drive installed system, so the tools are there if someone wants to use them.


Exactly, all the tools are there to make a hd-installed box as secure as any other linux box out there.

But while running from ramdisk (cd/usb/frugal), if something goes wrong, you just reboot. The ramdisk versions are bulletproof. Even if you somehow manage to delete the kernel while running from ramdisk, you're okay! Just reboot! In ramdisk, you can do no wrong (unless you are messing with partitions, etc, of course)!

-J.P.

Posted by clacker on Jan. 25 2005,19:19
simple-user, do you think some process (terminal or flua) where the user would need to log into the liveCD each time with a password (whatever they want, could be different every startup)?  Then if they want to su or sudo they would need that password?
Posted by roberts on Jan. 25 2005,23:29
Other security that was taken into consideration:

1. No open ports or default daemons running upon boot up.
   If you want to run ftp or ssh then you start it. You change the passwords.

2. All code that is "DSL" is written in script, be it bash, sed, awk, perl, or lua/flua.
   Why? So that even the developers cannot introduce spyware or backdoors.
   We also use scripts for the users to read/learn/modify and have fun with.
   Some of us like to call this the "University of DSL".

3. We do not accept custom code in the user contributed extensions.
   Why? The same reasons as No. 2 above.

Posted by mikshaw on Jan. 25 2005,23:40
Quote (clacker @ Jan. 25 2005,14:19)
simple-user, do you think some process (terminal or flua) where the user would need to log into the liveCD each time with a password (whatever they want, could be different every startup)?  Then if they want to su or sudo they would need that password?

I kinda like that idea.

At the same time I believe it is the responsibility of the user to deal with passwords.  If a person thinks a passwordless root is unsafe, he has the ability to fix that himself.  Something that simple shouldn't be a cause of worry.

Posted by DonttPanic on Jan. 26 2005,03:00
Quote (simple-user @ Jan. 25 2005,11:04)
But be mindful that a rogue MyDSL in
the current implementation (2005/01) running even from a CD can wipe
out entire hard drives in just a few moments the way that DOS/Windoze
virii have done.  Or it could be worse, it could turn those machines
into zombies on the internet.

I would be concerned with that. A person running DSL from liveCD would assume their hard drive is safe. But what if a hacker could get control of the computer without the user noticing? The hard drive could probably be mounted and deleted.
Posted by sci_fi on Feb. 06 2005,21:39
clacker, simple-user:

In response to the question below:

I personally would like to see such a process to allow setting a session-only sudo password, perhaps available thru the dsl library. I can re-master to include at my discretion.

I believe that the live-CD approach offers a huge opportunity to move linux into the mainstream. A DSL based live CD offering the user virtually total security while surfing the net would meet a currently unmet user need.

Such a CD could include virus scanning capability and anonymous surfing capability and Open Office (for email attachments) as well. The key is to make this live CD nearly brain-dead simple to use, so the Windows users (the target market) have a painless introduction to linux while surfing safely on their existing PC.

Any interest in working on this? I am experimenting but am still pretty much a linux newb, so progress is slower than I would like.

Thx.

Greg

--------------------------------------------------------------------------------
simple-user, do you think some process (terminal or flua) where the user would need to log into the liveCD each time with a password (whatever they want, could be different every startup)?  Then if they want to su or sudo they would need that password?

Posted by yyyc514 on Sep. 02 2005,16:47
Quote (roberts @ Jan. 25 2005,18:29)
3. We do not accept custom code in the user contributed extensions.

What exactly does this mean practically?
Posted by WoofyDugfock on Sep. 08 2005,17:16
Quote
Quote (roberts @ Jan. 25 2005,18:29)
3. We do not accept custom code in the user contributed extensions.

What exactly does this mean practically?


My guess would be that this means extensions containing binaries made from (or altered with) contributors' own private, non-publicly testable code should not be submitted, as opposed to binaries compiled from source code that is available and verifiable in the public domain.

PS: I saw somewhere that Debian is in the process of setting up automatic verification of the gpg signatures of .deb packages (perhaps it is already working).
That might be something worth considering one day for dsl extensions.

Posted by ke4nt1 on Sep. 08 2005,18:06
Quote
DSL comes with the ability to change the password
of the dsl and root user accounts on a hard drive installed system,
so the tools are there if someone wants to use them.


Same with any frugal, pendrive, or liveCD system as well.

Simply add the "secure" option at boot time to your startup entry,
or add this option to your lilo.conf/menu.list bootloader configs,
and choose some strong passwords when prompted.

73
ke4nt

Posted by adssse on Sep. 12 2005,04:11
ke4nt1, thanks for bringing this up. I forgot about it but just started using it. My question is I am not sure how it works or what exactly it is doing. I realize that it sets passwords for dsl and root, but I am still able to sudo without the password. Sorry for my ignorance, I enjoy the bootcode, just more interested in it and couldn't seem to find much info on it.
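The behaviour in simple-user's opening post (the default "dsl" account can sudo everything) and in the question above (passwords are set, yet sudo still asks for none) is what a NOPASSWD tag in a sudoers entry produces. As an added example, not code from the thread or from the DSL project, the POSIX shell script below audits a constructed sudoers-style sample for accounts granted passwordless sudo to everything and prints the same entries rewritten to require a password; SAMPLE_SUDOERS, passwordless_all_users and harden_sudoers are names chosen here, and the sample is not DSL's real /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the thread or from the DSL project.
# Audits a sudoers-style file for accounts that may run everything as root
# without a password, then shows the same entries rewritten so that sudo
# prompts for the account password. The input below is a constructed sample
# so the script runs offline; on a real system you would read /etc/sudoers.

SAMPLE_SUDOERS='# constructed sample, not the real DSL sudoers file
Defaults env_reset
root ALL=(ALL) ALL
dsl ALL=(ALL) NOPASSWD: ALL
backup ALL=(ALL) /bin/tar'

# passwordless_all_users TEXT
#   Prints, one per line, the users whose entry grants NOPASSWD: ALL.
#   Comment lines, blank lines and Defaults lines are ignored.
passwordless_all_users() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*Defaults/ { next }
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# harden_sudoers TEXT
#   Prints the same sudoers text with every NOPASSWD: tag removed: the
#   listed commands still work, but sudo now asks for the user's password.
harden_sudoers() {
    printf '%s\n' "$1" | sed 's/NOPASSWD:[[:space:]]*//g'
}

# Usage: report the weak entries, then show the corrected file.
echo "Accounts with passwordless sudo for everything:"
passwordless_all_users "$SAMPLE_SUDOERS"
echo
echo "Hardened sudoers:"
harden_sudoers "$SAMPLE_SUDOERS"
```

To audit a live system, feed the functions the contents of /etc/sudoers (and any files under /etc/sudoers.d) instead of the sample, and apply any change with visudo so a syntax error cannot lock sudo out.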
Posted by ke4nt1 on Sep. 12 2005,05:38
It can be helpful in many instances..
ssh server? ( ssh into your dsl box )
betaftp server? ( ftp access into your dsl box )
..anywhere a password is needed to login as user dsl ..

I frequently see the opposite occurring in the forums,
where someone is using the betaftp or ssh servers for the first time,
and fails to connect, because they don't know the password.
It's usually because they haven't created one yet.

Relating to this thread specifically..
If someone wants to use DSL for a base to build a public server,
kiosk, ftp site, webserver, then in the interest of security,
strong passwords are recommended to be used for all accounts.

73
ke4nt

Posted by adssse on Sep. 12 2005,13:05
As always, thanks for bringing me up to speed.