
Linux security no longer a non-trivial issue?

Posted: Fri Dec 12, 2014 5:04 pm
by runbei
After reading about the Turla Trojan on Linux, I'm concerned. Particularly eye-opening is the fact that the X system is apparently horribly insecure.

See this PC World article: http://www.pcworld.com/article/2859122/ ... it-is.html

I would surely love to see a step-by-step article on locking down a Mint main edition system to block these threats.

Also, do the Mint developers plan to replace X, as Ubuntu appears to be doing with Mir? Here's a cut from the PC World article:
X.org has security issues going back 20+ years

Late last year, we learned there are a huge list of security vulnerabilities in the X.org graphical server and its libraries. Some of these security holes have been around for more than 20 years. The researcher who discovered these holes said X.org security was a disaster, and “it’s worse than it looks.”

This week, many of these security vulnerabilities were made public knowledge. Your Linux distribution should be rolling out security updates for your X.org server and proprietary NVIDIA driver shortly, if it hasn’t already. But, even after these patches, X.org security still doesn’t inspire much confidence.

X.org is such a big problem because it’s based on the X11 architecture, which originated 30 years ago. Thankfully, new graphical server technologies like Wayland and Ubuntu’s Mir are about to take X.org’s place.

Re: Linux security no longer a non-trivial issue?

Posted: Fri Dec 12, 2014 10:24 pm
by Edward M. Grant
1. Don't install trojans.
2. Exploiting X bugs usually means that the code performing the exploit is already running on your machine, so your machine is already toast.
3. Wayland and Mir are sure to have exciting new security holes.

Re: Linux security no longer a non-trivial issue?

Posted: Fri Dec 12, 2014 11:18 pm
by Mute Ant
Here are testable facts, and fixes...
http://www.x.org/wiki/Development/Secur ... 014-12-09/
...they are not complicated...someone skipped elementary software procedure, like input-sanitisation, boundary checks, overflow/carry tests. So X bravely tries to display a 16GiB wallpaper and crashes, that sort of thing.
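
An illustration of the overflow and boundary tests mentioned in the post above, added here as an example; it is not part of the original thread and is not X.org code. The request structure, the function names and the 64 MiB limit are assumptions, and the sample requests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request header (not an X11 structure); every field is
   supplied by the client and must be treated as untrusted. */
struct image_req {
    uint32_t width, height;    /* pixels */
    uint32_t bytes_per_pixel;
    uint32_t payload_len;      /* bytes that actually follow the header */
};

#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)  /* assumed policy limit */

static struct image_req mk_req(uint32_t w, uint32_t h, uint32_t bpp, uint32_t len)
{
    struct image_req r = { w, h, bpp, len };
    return r;
}

/* Unchecked: the 32-bit product wraps, so 65536 x 65536 x 4 (16 GiB)
   evaluates to 0 and "matches" an empty payload. Returns 1 if accepted. */
static int accept_unchecked(struct image_req r)
{
    uint32_t need = r.width * r.height * r.bytes_per_pixel;
    return need == r.payload_len;
}

/* Checked: bound each factor before multiplying, then require the declared
   size to equal the payload. Returns the byte count, or 0 if rejected. */
static size_t accept_checked(struct image_req r)
{
    if (!r.width || !r.height || !r.bytes_per_pixel || r.bytes_per_pixel > 4) return 0;
    if (r.width > MAX_IMAGE_BYTES / r.bytes_per_pixel) return 0;
    uint32_t row = r.width * r.bytes_per_pixel;   /* cannot wrap: <= limit */
    if (r.height > MAX_IMAGE_BYTES / row) return 0;
    uint32_t need = row * r.height;               /* cannot wrap: <= limit */
    return need == r.payload_len ? need : 0;
}

int main(void)
{
    struct image_req huge = mk_req(65536u, 65536u, 4u, 0u);   /* constructed */
    struct image_req ok = mk_req(640u, 480u, 4u, 1228800u);   /* constructed */
    printf("16 GiB: unchecked=%d checked=%zu\n", accept_unchecked(huge), accept_checked(huge));
    printf("640x480: unchecked=%d checked=%zu\n", accept_unchecked(ok), accept_checked(ok));
    return 0;
}
```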

Re: Linux security no longer a non-trivial issue?

Posted: Fri Dec 12, 2014 11:36 pm
by monkeyboy
I always ask myself how many people do I know who have gotten burned and then act accordingly. Happily I haven't seen big/any numbers on this threat yet and the local user group is clean too.

Re: Linux security no longer a non-trivial issue?

Posted: Sat Dec 13, 2014 12:54 am
by WharfRat
I'm sure more and more exploits will be discovered soon and made public.

For the really paranoid you can compile the kernel with PaX and Grsecurity.

http://www.insanitybit.com/2012/05/31/c ... rsecurity/

Another alternative is Hardened Gentoo.

http://wiki.gentoo.org/wiki/Hardened/In ... ned_Gentoo

Another trick, while you're incorporating PaX or compiling Hardened Gentoo's kernel, is to change all module options to built-in and disable loadable module support.

Good luck :wink: