UNIX Security: Don't Believe the Truth?

OSNews has an interesting editorial about security on UNIX-like systems. "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security. It is fairly common knowledge that UNIX-like systems are more secure than Windows. Whether this is true or not will not be up for debate in this short editorial; I will simply assume UNIX-like systems are more secure, for the sake of argument. However, how much is that increased security really worth for an average home user, when you break it down? According to me, fairly little"

Re:Backup

[pmjordan]

What I continually fail to understand is why everyone I know logs in as an Administrator under Windows, even after falling victim to a virus, spyware, etc. I don't necessarily mean the account with that name, having a personal user in that group amounts to the same thing.

I'm a fulltime Linux user (4 years on the desktop, 7 years otherwise, so no veteran, and no newbie either) and I'd never even consider using logging in as root for any activities that aren't associated with system administration. (guess where "Administrator" comes from) Typing in the root password to install software isn't something I'd call a nuisance or even mildly irritating.

The same thing is of course possible under Windows: Make your main login a 'Power User', or if you feel that's not safe enough, put it in a group with the same policies as the 'Users' group and slowly increase its permissions until you can work productively. (there are problems with debugging code and other niggles by default) Recent versions of Windows will prompt you for an Admin password for stuff your user isn't allowed to touch, although in some cases you have to explicitly right-click the link/executable and select 'run as'. I think there even are some utilities around to make the process even less painful.

If you're doing extensive admin stuff, you can also log in as an Admin explicitly of course, and since XP you can switch between users quite easily without logging out.

It always astounds me how incredibly adverse peoples' reactions are to this suggestion. Sure, it doesn't provide absolute security (ActiveX springs to mind) but that, together with frequent Windows Updates, an enabled WinXP SP2 firewall, and not using IE, I can't imagine you'll have a problem. You might be able to lose some data if you catch a virus, but you're very, very unlikely to bone your system. I do occasionally boot into Windows to play games (Cedega doesn't really work on ATI graphics cards) and I've never caught a virus or spyware, and I don't have an antivirus program installed, as they slow the system down to an infuriating degree IMO.

~phil

Re:Are you on Drugs? Adios Mod Points...

[Floody]

In fact, Windows has a vastly, almost prohibitively more elegant security infrastructure than "Linux": File rights of "Full Control, Modify, Read & Execute, Read, Write," file attributes of "Read-Only, Archive, System, Hidden," very finely-grained ACL-based system security "Policies", a global Kerberos-based directory authentication scheme in Active Directory, etc etc etc.

Complexity does not equal elegance. If you find yourself uttering something as foolish as "prohibitively more elegant", you've stumbled into that territory.

"Linux" has rwx-rwx-rwx. That's it. [Now Linux combined with Novell Directory Services and a Novell File System would be an entirely different cup of tea, but that's a whole 'nother discussion. Although, I'd ask: Does Novell even have a "Policies" ACL-based security infrastructure for KDE or GNOME yet? Are they working on such a thing?]

Indeed. It would appear that the world has moved on since you last looked at "Linux" in the 90s. POSIX 1003.1e/1003.2c access control lists: http://www.suse.de/~agruen/acl/linux-acls/online/.