Protect each OS in dual boot [SOLVED]

bobo61

Protect each OS in dual boot [SOLVED]

Post by bobo61 »

Hi,

I am a new Linux Mint desktop user. I have been a Unix server user for a number of years, although I only use the basics, but due to the invasive nature of Windows 10 I thought I would look to switching to Linux instead on my desktop.

I have successfully installed Linux Mint alongside my Windows 7 installation on a new partition but on the same hard drive, after following a tutorial that advised me to create my own partitions rather than let Mint do it for me, and have turned various sections off following another tutorial to make it more secure, and have been very impressed by Mint so far.

I have then added a couple of programs to try to secure it a bit further. These were Sophos anti-virus; even though a lot of Linux users suggest you don't need anti-virus, I just don't feel safe without something. I have then installed firejail, which is a sandboxing program; again, this is from years' worth of using Sandboxie on Windows, and this gives me a little more confidence that my system is safer.

However, when looking through the file manager in Linux Mint I could see my Windows drive. I wasn't expecting that, as I thought the two OS's couldn't access each other. After a bit of searching this doesn't seem to be the case, and both OS's could potentially infect each other.

I have prevented Mint from automounting the Windows drives, but from what I have read this doesn't actually prevent them from being accessible by malware etc.

My more important files on Windows are in encrypted containers, but people have suggested that to prevent each OS from being able to access the other, each OS would need full drive encryption, which I haven't set up on either system, and even then you may not be safe. Full drive encryption can then cause issues with restoring, apparently.

As I have already set up Mint, can I still encrypt the partitions, or would I need to start again, or are there any other potential solutions, or is this being too paranoid?

It is likely I won't get rid of Windows 7 even if I love Mint, as although 99% of my time is spent on the internet or using open office, the other 1% is for things that Linux currently doesn't support, such as iTunes, so I need a secure solution to this is the likely option I will have to choose as I don't have another laptop and have heard mixed reviews about Wine.

Thanks in advance.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
austin.texas

Re: Protect each OS in dual boot

Post by austin.texas »

Most of what you are concerned about is not even an issue. Paying attention to security is fine, but you don't want to spend your life huddled in your closet with a shotgun, either.

A Windows virus can not affect your linux OS, even if Windows could read the linux partitions - which it can't, by default.
Linux has pretty good security built in. If someone were to create a linux virus, and if it were on your computer, it would not affect the Windows OS - because it is a linux, not Windows, virus.
The only real possibility is that you could get a Windows virus in an email or some other form, and intentionally copy that to Windows. For that possibility, some people install a virus scanner in linux, to scan for Windows virii.
Mint 18.2 Cinnamon, Quad core AMD A8-3870 with Radeon HD Graphics 6550D, 8GB DDR3, Ralink RT2561/RT61 802.11g PCI
Linux Linx 2018
helloimustbegoing

Re: Protect each OS in dual boot

Post by helloimustbegoing »

Putting an AV on your Mint install actually makes you less secure. Here are a couple of links with good info. The bottom line is: a desktop user of Linux doesn't need an AV.

https://sites.google.com/site/easylinux ... t/security
http://www.howtogeek.com/135392/htg-exp ... en-you-do/
Fred Barclay

Re: Protect each OS in dual boot

Post by Fred Barclay »

In addition to the other guys' very good points about antivirus (you don't need it, and it actually makes you less safe as a Linux desktop user), you don't have to worry about Linux being able to read the Windows partition. While Linux can read Windows file systems, Windows can't natively read Linux file systems, so any nasties on your Windows partition will stay there and not be able to touch your Linux partition. :)

BTW: using firejail is a great idea and highly recommended.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
bobo61

Re: Protect each OS in dual boot

Post by bobo61 »

Thanks for the replies everyone.

The anti virus that I installed got good reviews concerning scanning for Windows viruses as well, which is one reason I installed it. I have read quite a few articles about anti virus not being needed on Linux but also a lot of contradicting articles as well, so I am a bit confused.

I understand I am probably being paranoid, but it is difficult coming from Windows, where an antivirus is definitely needed, to Linux, where it may not be, but I am new to dual booting as well, so this adds another layer of complication for me to understand concerning the security.
Fred Barclay

Re: Protect each OS in dual boot

Post by Fred Barclay »

bobo61 wrote: I have read quite a few articles about anti virus not being needed on Linux but also a lot of contradicting articles as well, so I am a bit confused.

I understand I am probably being paranoid, but it is difficult coming from Windows, where an antivirus is definitely needed, to Linux
No worries, mate. :)

This is an excellent read concerning antivirus/security and Linux, written by one of our best members here on the forums.
I'll try and summarise my position (which closely corresponds to that of the article linked above):

First of all, Windows viruses simply cannot run on Linux, much in the same way a Chinese speaker can't understand English (and vice-versa). Windows and Linux speak two completely different "languages," so any software written for Windows (be it a virus or a legitimate software) can't be run on Linux.
The only exception to this is if you use the Wine software suite, which allows Windows software to run (with varying degrees of success) on Linux. Since a Windows virus is a piece of software just like any other Windows program, occasionally one can run inside Wine. This is why I recommend removing Wine from your system if at all possible.
Does this mean that Wine is horrible? No! It's a very valuable software that allows many folks to run Linux and still use a few Windows softwares that they just can't live without--also, your chances of getting a virus with Wine are lower than getting a virus with Windows. Still, the possibility exists.
So, if and only if you use Wine, would I suggest that antivirus might be necessary. Otherwise, absolutely no Windows viruses can run in Linux.

Second point: Every "Linux" antivirus I've ever seen only scans for Windows malware, not Linux. As mentioned above, without Wine, no Windows code can possibly run in Linux, so there is no real reason to scan for them. Inside Linux, a virus is just a harmless bit of code. I've actually got a few Windows virii saved to my hard drive to play with. They pose no threat since I'm only using Linux.

Third point: Since antivirus is useless in Linux, what does it do? Well, it wastes system resources, for one... :roll: Other than that, not much.

Fourth point: Antivirus itself is becoming a target for hackers. AV runs with relatively high permissions, and is usually inadequately guarded, so it presents a tempting attack surface for hackers. If you run AV on Linux, you actually open up a vulnerability in your system--probably not what you had in mind. :lol:

Fifth point: You may notice that I've only mentioned Windows malware so far. Surely there's Linux malware, right? Of course there is, but AV is helpless against it:
(a). There have only been about 40 linux "viruses" discovered so far--nearly all of which were purposely created in the lab by researchers and never released "into the wild." All of these vulnerabilities have been patched in Linux, so these viruses are no good any more. Compare that to the thousands of Windows virii discovered each and every year!
(b). AV can only protect against threats it already knows about--the 40 or so Linux viruses created to date (and no Linux AV I've ever found even scans for these) which have already been fixed within Linux. If a new Linux virus were to be created, Linux AV wouldn't know about it and wouldn't help.

Sixth point: This is more for future reference than anything else. You'll hear that Linux users are only secure because of "security through obscurity": that since Linux is only used on about 5% of desktop computers, hackers don't waste their time writing viruses for them when there are far more tempting Windows targets. Nothing could be further from the truth! Linux and its cousin, Unix, are used in about 90% of servers world-wide, controlling trillions of dollars (pounds? euros?) of currency. I don't know about you, but to me, that sounds like plenty of motivation! Yet there are so few linux viruses in the wild? Why is this?

It's because Linux is by design much harder to hack and infect than Windows, due to a strong set of system permissions. Windows is just so much simpler to hack, and much more likely to be successful, that hackers focus their efforts on Windows computers.

Now, with all this said, does that mean Linux is impervious to attack? Of course not! Nothing is immune to attack, and Linux has had its share of exploits and bugs over the years--and no doubt will have more in the future. I've seen two "hacks" of Linux in my time with it--one was a Firefox hack and the other a Google Chrome hack. But thanks to the permissions system in Linux, the threat was entirely contained in the browsers' profiles. All that was needed was to delete the profiles and restart the browsers--they didn't even have to be reinstalled!

If any type of Linux threat increases in the future, I suspect it will be similar to the ones I described above. Browsers and a few other applications are highly OS-independent (a firefox exploit on Windows will nearly always work the same way in Linux) and therefore the most vulnerable packages. On a positive note, a firefox exploit in Windows can relatively easily be turned into a system-wide hack, while the same FF hack on Linux will most likely be limited to the browser profile as outlined above. But still, running these processes inside a sandbox such as firejail is highly recommended to even further reduce the damage any exploits of these might cause.

Hope this isn't too confusing... :?
Fred
srs5694

Re: Protect each OS in dual boot

Post by srs5694 »

Fred Barclay wrote:you don't have to worry about Linux being able to read the Windows partition. While Linux can read Windows file systems, Windows can't natively read Linux file systems, so any nasties on your Windows partition will stay there and not be able to touch your Linux partition. :)
I disagree with this conclusion, but for reasons that haven't been mentioned: Accessing Windows' core files from Linux is inherently dangerous for a couple of reasons:
  • Lack of filesystem security controls -- Linux and Windows both offer file ownership and permissions, but they implement these controls in very different ways. Thus, Linux won't honor the Windows security controls. The result is that you'll be able to trash the whole Windows installation as an ordinary user from Linux. To be sure, many people go for years without running into problems; but the risk is increased compared to a single boot, or to dual-booting with the Windows filesystem unmounted, or at least mounted read-only.
  • Risk of filesystem corruption -- Linux's NTFS driver is reverse-engineered. I have no hard data on how safe it is, but I'd be shocked if it were more reliable than Microsoft's driver. Thus, accessing it from Linux is likely to increase the risk of damage to the filesystem. This risk is likely to be rather small, else the forums would be flooded with problem reports, which they aren't; but still, it probably is an increase in risk.
Personally, I recommend creating a separate data-exchange partition to be used only for shared data -- and preferably for temporary data, with long-term storage in one OS or the other. (That last may be a problem if you require easy and instant access to personal files from either OS.) You can then leave the Windows C: partition unmounted in Linux.
Fred Barclay

Re: Protect each OS in dual boot

Post by Fred Barclay »

srs5694: you're absolutely right! I did mean from a perspective of Windows malware running on Linux, but didn't even consider filesystem corruption. Now granted, I've not heard of filesystem corruption from accessing Windows files with Linux--usually the other way around when folks install ext2fsd with read-write permissions and go poking around in their linux boxes--but it certainly seems like a risk. Thanks for pointing this out!


Now, imagine the OP had a Word.docx in his Documents folder in Windows. Would there be any risk that you're aware of from mounting the Windows partition, copying the Word.docx file into Linux, and modifying it from there? So far as I can tell the Windows filesystem would only be read from, not written to.
Thoughts?
George Stamford

Re: Protect each OS in dual boot

Post by George Stamford »

bobo61 wrote:Hi,
However, when looking through file manager in Linux mint I could see my windows drive, I wasn't expecting that as I thought the two OS's couldn't access each other. After a bit of searching this doesn't seem to be the case and both OS's could potentially infect each other.
Linux uses the ext4 format which can read NTFS and FAT32 systems used by Windows, however Win cannot read ext4.

Although you can see and access your Windows drive in Linux, if using Win you won't see nor have access to the Linux files.
JusTertii

Re: Protect each OS in dual boot

Post by JusTertii »

bobo61 wrote: I have prevented Mint from automounting the Windows drives, but from what I have read this doesn't actually prevent them from being accessible by malware etc.

My more important files on Windows are in encrypted containers, but people have suggested that to prevent each OS from being able to access the other, each OS would need full drive encryption, which I haven't set up on either system, and even then you may not be safe. Full drive encryption can then cause issues with restoring, apparently.

As I have already set up Mint, can I still encrypt the partitions, or would I need to start again, or are there any other potential solutions, or is this being too paranoid?
Bobo, as far as I understand you, you're saying:
1. you're worried about linux being able to access your windows partition, and
2. that you'd like some help to prevent this.

Is that right?

As far as 1. is concerned, the answer's extremely well explained in Fred's post above. I'll content myself with a shorter version -- I wouldn't be worried. I also dual-boot Win and Mint, and my Mint install has never (yet) damaged my Win partition; nor have I encountered any malware.

For 2., if you're dead set against letting Mint access your Windows partition, there may be a way to forbid Mint from mounting a certain partition (ie, your Windows files). However, I haven't the expertise to help with that.
srs5694

Re: Protect each OS in dual boot

Post by srs5694 »

Fred Barclay wrote:imagine the OP had a Word.docx in his Documents folder in Windows. Would there be any risk that you're aware of from mounting the Windows partition, copying the Word.docx file into Linux, and modifying it from there? So far as I can tell the Windows filesystem would only be read from, not written to.
I'm not familiar with how the NTFS driver that Mint uses works on a low enough level to know if there might be any writes to the source partition when copying a file. Certainly there shouldn't be, but there could be a bug, a design inefficiency, or a quirk in NTFS itself that would require such a write. Also, if the filesystem is mounted read/write (as it is by default), there will necessarily be writes to the filesystem when it is mounted and again when it is unmounted. This is because NTFS, like most filesystems, provides a "dirty flag" -- that is, an indication that it's been mounted. The idea of this flag is that it's set when the filesystem is mounted, so if the system crashes, it will serve as a hint that the OS should perform a filesystem check before mounting the filesystem again. Thus, at a minimum, mounting a filesystem read/write means that its dirty flag will be adjusted.

In practice, once the filesystem is mounted read/write, you can't know what else might be changed on it. You might open a text file to read it, but that operation might change its time stamp, or you might accidentally use the "save" feature that will cause it to be re-written. A program might create a temporary file in the filesystem, perhaps even without your knowledge. And so on.

You can greatly reduce such risks by mounting a filesystem read-only. This will prevent any writes to the filesystem -- even the dirty flag will be untouched. In Linux, this is typically done by modifying its entry in /etc/fstab. (You may need to create such an entry first, in some cases.) Specifically, you add the "ro" option to the filesystem options. For instance, you might have an entry like this:

Code:

/dev/sda2   /mnt/excess ntfs-3g    defaults    0   0

You'd change "defaults" to "ro":

Code:

/dev/sda2   /mnt/excess ntfs-3g    ro    0   0

Note that these aren't optimal NTFS /etc/fstab entries in other respects. There are lots of options you might want to use instead of "defaults," in which case you'd add "ro" to a comma-delimited list of options, rather than replace "defaults" with "ro."

Creating such an entry with "noauto" instead of "defaults" (or in addition to other options) will keep the partition from being mounted at all, at least until you do so manually (via "sudo mount...."). Keeping the filesystem unmounted will reduce what little risk is associated with a read-only filesystem.

Of course, as long as the disk on which the filesystem exists is available, there remains some risk -- a bad blunder as root (via sudo) can trash anything on the disk. Thus, the only way to completely eliminate the risk of Mint damaging NTFS is to use two computers, one for Mint and one for Windows. (You could use two disks and plug and unplug them as necessary, but that creates new risks of physical damage, or of software damage should you fail to unplug a disk.)
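
Added example, not part of srs5694's post or of any forum member's code: a Python script that reads fstab-style text and reports, for each NTFS entry, whether "ro" and "noauto" are in effect, and separately lists NTFS filesystems that are mounted read/write right now. The sample tables are constructed (only /dev/sda2 on /mnt/excess comes from the post), and treating a "fuseblk" mount as NTFS is an assumption.

```python
"""Report how NTFS partitions are configured in fstab and mounted right now."""

# "fuseblk" is the type ntfs-3g mounts show in /proc/mounts. Assumption: on a
# Windows dual-boot machine, a fuseblk mount is the NTFS partition.
NTFS_FSTAB_TYPES = {"ntfs", "ntfs-3g", "ntfs3"}
NTFS_LIVE_TYPES = NTFS_FSTAB_TYPES | {"fuseblk"}


def parse_table(text):
    """Parse fstab or /proc/mounts text into (device, mountpoint, fstype, options)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank, comment, or malformed line
        device, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # spaces are stored as \040
        rows.append((device, mountpoint, fstype, options.split(",")))
    return rows


def effective(options):
    """Return (read_only, mounted_at_boot); later options override earlier ones."""
    read_only, auto = False, True  # mount's defaults are rw and auto
    for opt in options:
        if opt in ("ro", "rw"):
            read_only = opt == "ro"
        elif opt in ("auto", "noauto"):
            auto = opt == "auto"
    return read_only, auto


def audit_fstab(text):
    """Classify each NTFS fstab entry by how much write exposure it leaves."""
    findings = []
    for device, mountpoint, fstype, options in parse_table(text):
        if fstype not in NTFS_FSTAB_TYPES:
            continue
        read_only, auto = effective(options)
        if auto and not read_only:
            verdict = "mounted read/write at boot"
        elif auto:
            verdict = "mounted read-only at boot"
        elif not read_only:
            verdict = "manual mount only, but read/write once mounted"
        else:
            verdict = "manual mount only, read-only"
        findings.append((device, mountpoint, verdict))
    return findings


def writable_now(mounts_text):
    """List NTFS filesystems that are currently mounted read/write."""
    return [(dev, mnt) for dev, mnt, fstype, opts in parse_table(mounts_text)
            if fstype in NTFS_LIVE_TYPES and not effective(opts)[0]]


# Constructed sample input; on a real system read /etc/fstab and /proc/mounts.
SAMPLE_FSTAB = """\
# <device>  <mount point>  <type>  <options>  <dump>  <pass>
UUID=0000-constructed  /                 ext4     errors=remount-ro   0  1
/dev/sda2              /mnt/excess       ntfs-3g  defaults            0  0
/dev/sda3              /mnt/win\\040data  ntfs-3g  noauto,ro,uid=1000  0  0
/dev/sda4              /mnt/shared       ntfs-3g  noauto              0  0
"""
SAMPLE_MOUNTS = """\
/dev/sda5 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /mnt/excess fuseblk rw,relatime,user_id=0,group_id=0,allow_other 0 0
"""

if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print("fstab:", *finding)
    print("writable now:", writable_now(SAMPLE_MOUNTS))
```

An entry with "noauto" alone is still read/write once someone mounts it by hand, which is why the script reports the two options separately.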
bobo61

Re: Protect each OS in dual boot

Post by bobo61 »

Many thanks all for the replies, I have had a quick read and will reply later as I am a bit pushed for time now.
DrHu

Re: Protect each OS in dual boot

Post by DrHu »

I'll offer one more
Windows of any stripe (XP-->10) won't boot Linux, although they can see the other OS
--unless you run multiboot and fix up the boot menus from either side (Linux (GRUB) or Windows (NTLDR))

Cross-platform viruses can be a concern

Using separate partitions or even drives for each OS keeps them separate enough to avoid most boot problems that can happen with either

Being able to see the windows OS is a convenience (Samba) for the Linux user, and of course one can copy data from either side (under the user's control)
bobo61

Re: Protect each OS in dual boot

Post by bobo61 »

Fred Barclay wrote:
This is an excellent read concerning antivirus/security and Linux, written by one of our best members here on the forums.
Thanks Fred for your detailed post, I had previously read the article as the tutorial I actually used to configure mint was by the same author. Pleased about the recommendation concerning firejail as well.
srs5694 wrote:
Personally, I recommend creating a separate data-exchange partition to be used only for shared data -- and preferably for temporary data, with long-term storage in one OS or the other. (That last may be a problem if you require easy and instant access to personal files from either OS.) You can then leave the Windows C: partition unmounted in Linux.
srs5694, I have left all of my Windows partitions unmounted as I have no interest in accessing the files between and wouldn't want to potentially corrupt them. Thanks for describing how to make them read only though.

JusTertii wrote:
For 2., if you're dead set against letting Mint access your Windows partition, there may be a way to forbid Mint from mounting a certain partition (ie, your Windows files). However, I haven't the expertise to help with that.
I think I have told Mint to not mount the windows partitions but will check this is still correct when I next log on there.
JusTertii

Re: Protect each OS in dual boot

Post by JusTertii »

bobo61 wrote:I think I have told Mint to not mount the windows partitions but will check this is still correct when I next log on there.
The best solution for that is srs5694's, particularly his "noauto" idea (highlighted in the quote below).
srs5694 wrote: You can greatly reduce such risks by mounting a filesystem read-only. This will prevent any writes to the filesystem -- even the dirty flag will be untouched. In Linux, this is typically done by modifying its entry in /etc/fstab. (You may need to create such an entry first, in some cases.) Specifically, you add the "ro" option to the filesystem options. For instance, you might have an entry like this:

Code:

/dev/sda2 /mnt/excess ntfs-3g defaults 0 0

You'd change "defaults" to "ro":

Code:

/dev/sda2 /mnt/excess ntfs-3g ro 0 0

Note that these aren't optimal NTFS /etc/fstab entries in other respects. There are lots of options you might want to use instead of "defaults," in which case you'd add "ro" to a comma-delimited list of options, rather than replace "defaults" with "ro."

Creating such an entry with "noauto" instead of "defaults" (or in addition to other options) will keep the partition from being mounted at all, at least until you do so manually (via "sudo mount...."). Keeping the filesystem unmounted will reduce what little risk is associated with a read-only filesystem.
gold_finger

Re: Protect each OS in dual boot

Post by gold_finger »

bobo61 wrote: I have left all of my Windows partitions unmounted as I have no interest in accessing the files between and wouldn't want to potentially corrupt them.
As long as you don't purposely mount them in Mint you shouldn't have anything to worry about. Mint won't mount them by itself without you telling it to. Sounds like your current setup (without automounting the Windows partitions) is good.
bobo61

Re: Protect each OS in dual boot [SOLVED]

Post by bobo61 »

The windows partitions are still unmounted so things look ok. Thanks for all your help.