Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Linux Distros Insecure by Default?

Posted by timothy on from the no-good-down-that-road dept.

An anonymous reader submits Two articles on Codefez and NewsForge review releases of Linspire 5.0 and Linare. Both these distributions let the user run as Root by default after installation, and don't prompt to set up a user ID. Is this a start of a new trend of 'dumbed down' Linux distributions that will damage the Linux reputation for security?"

11 of 122 comments (clear)

  1. Mod summary: wrong by oldosadmin · · Score: 2, Informative

    Linspire *does* have a "setup your computer" window come up. One of the buttons on it is to create a user account.

    Not perfect, but not as egregious as it was in Linspire 4.5 either.

    --
    Jay | http://oldos.org
  2. Somewhat old news by stoborrobots · · Score: 3, Informative

    Linspire (formerly Lindows) made that decision a long time ago, and it has been brought up on Slashdot many-a-time...

    A quick search reveals this article from 2003 in which the founder of Lindows states his case for the matter...

    And this review from 2002 (linked to by /.) also noted this problem...

    --
    "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
  3. Re:No by Proud+like+a+god · · Score: 2, Informative

    Mandrake sets up the root account, but the default MdkKDM gui login doesnt allow root login, only the other accounts you set up at install.

  4. Re:What are the true risks? by mysidia · · Score: 2, Informative

    The root account is for administering the system, installing and upgrading globally software installed globally on the system (for shared use), changing settings that effect users, managing, etc: root owns the system files.

    Because root has access to bypass all security measures, it should not be used, except where necessary.

    Suppose you surf the web as root: if you visit a malicious web site that exploits a bug in your browser, now your system is at their mercy.

    If you had been following best practice and surfing the web as a normal user, a dirty hacker could still run code, but they could not wipe out your system without first gaining root.

    Also, it's easily to accidentally trash the system configuration if you are operating as root when not necessary.

    When running as root, there is a certain danger, and care needed with every command, particularly on production systems.

  5. the other direction by fred+fleenblat · · Score: 2, Informative

    What I'd like to see is even more user granularity. One account for browsing the web, another for reading email, another for ftp'ing. Even if you download or click on some malware, not only is your OS protected, but now your user id's files are also safe.

    When it comes time to actually use the files you downloaded, there should be a malware-scanning chown that checks the file is safe before assigning it over to you, perhaps on top of a check that firefox's chroot jail is not disturbed.

  6. Re:Ubuntu got it right... by adric · · Score: 5, Informative
    After some consultation on IRC, I learned that Ubuntu has no root account by default
    Not quite. Ubuntu doesn't set a root password by default, which leaves the account locked (to interactive logins), but it's still very much present. The traditional behaviour can be restored simply by running the passwd command via sudo.
    --
    not plane, nor bird, nor even frog...
  7. Re:No by aonaran · · Score: 3, Informative

    That is what I liked most about Ubuntu.

    It ships with the root account DISABLED!
    It threw me off at first, but the documentation clearly explains how to use sudo and why they decided it is better to set up the first user as a sudoer rather than set up an active root account and a dumbed down user account for day to day stuff.

  8. Re:Morons by Jeremiah+Cornelius · · Score: 2, Informative
    And it isn't NEWS!

    Linspire has been doing this - and making excuses for the practice - ever since Hector was a pup.

    That's about four years, or somethin'.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  9. Re:Yes!... NO! by pr0c · · Score: 2, Informative

    Considering that a lot, if not most, computers are used by one user then the whole root access thing is moot.

    1.) All the important, not easily recoverable files are typically in /home/ which is obviously (intentionally) vulnerable 2.) Malware can still run automatically from things like ~/.bash_rc everytime the user logs in which is typically how a lot of malware works on windows too ...run_once/run/etc in registry.. autoexec.bat.. whatever. Going back to my first statement, if only one user uses a machine and he/she/it gets malware the whole root thing doesn't help. All you really saved was the OS and thats easily replaced (don't mistake time for simplicity). Does linux, freebsd and soloaris have a better security model than windows? Yes obviously (IMHO). Is it going to save you from malware? Hell no... Will it protect your valuables? Not likely. Any asshole can whip something up to scan for r/w directories and empty the contents. Hell its easier to do than in windows with shell scripts. From my point of view a root account wouldn't be much more useful than the user account you want to spy on.

  10. Re:Yes!... NO! by minus9 · · Score: 2, Informative

    If malicious software is installed by a user, when you type ps ax or use top or whatever gui tool you use to find out why the hell your machine is so slow you will see it running. Then you say "Oh shit! Rebuild time!". If the software gets onto your machine via the root user it can replace all these tools, or even insert a kernel module to intercept syscalls. It could then slowly corrupt all your data over several months (slowly screwing up all your backups along the way), or sit there spewing out spam and DDOS attacks. In the second case the only way to tell something is wrong is that your machine seems slower.

  11. Re:No by drsmithy · · Score: 2, Informative
    Can someone point me to a good description of how to set up sudo and the advantages to doing so?

    There's enormous amounts of material on the 'net for setting up sudo (which, be warned, is a very non-trivial task if you want to do it properly), so I won't try and replicate any of that.

    The biggest advantages are:

    1. An audit trail (every sudo command is logged).

    2. The ability to restrict what a user can 'sudo' to individual commands (even individual parameters, I suspect, although I've never tried).

    I guess I can see the advantage in a multiuser system where some users should have access to some root commands others shouldn't, but in a single user system, where the user is also the administrator, I see sudo as a security liability.

    I wouldn't say it was a security liability. A security irrelevance, perhaps - at least with todays default configurations.