The other Linux security thread here got me thinking about something I have thought about before on several occasions. In order to wipe out the OS, etc., a virus or hacker would need root privileges. More likely an intruder would only be able to get the permissions of a user. This makes sense from a server perspective. But now consider the Linux Desktop(TM). For me at least, I care very little whether the OS survives an attack as long as my data survives. Hell, I'd rather pay for a new computer than lose my personal data. I can bring back an OS, even with extensive customization, in a set amount of time. Much of my data OTOH is irrecoverable.
So, the irony (flaw?) is that it's easier for an intruder to hurt my data than the OS, but I'd rather lose the latter.
What do you guys think about a solution? Keep all data in a subdirectory of your home that requires root privileges? Of course, this presents a problem because most graphical apps do not let you easily become root for a short period of time when opening/saving files. So should you keep your data on a separate partition that has user rights, but requires root to mount? Keep in mind, I'm talking dangers of viruses or online hackers -- I'm not discussing physical data protection. Or perhaps a directory that you make root-owned on logout and make user-owned every login? This could be automated.
Any other ideas, ranging from actual tips to better ideas that would require a lot of software to be rewritten under a new model?
Regular backup on an external / not connected drive. It's just like root-only folders, except that you use a key instead of a password, the machine one has to hack is your house and your anti-virus is the baseball bat under your bed.
Sorry, but I guess someone who can take really good care (skill, knowledge & stuff) of a root-only folder (I know I can't - just "moderately good care") or something like that doesn't need solutions like that...
So far, I got along well with:
- rsync data that must just not be destroyed to a software-raid5 (manual mount only - I figure most "attackers" of whatever nature are either not skilled enough or not bored enough to assemble a raid drive they don't know the partition combination of *g*)
- rsync the whole system to another set of drives every few months/years, continue using that one and lock the old one away.
- keeping data that must not be stolen on an external drive, maybe even differently encrypted partitions by "sensibility rating"
(edit6: sry, darn, my typing & copy/paste is laggy today / stupid openoffice)
Last edited by whoops (2009-06-13 18:12:01)
Leave a *strongly worded* text file for the blighter, that should do it !
Seriously, interesting subject... encrypted partitions ???
Deej
Encrypting partitions doesn't help at all in this case. If someone hijacks a user on a system that is already running, the partitions are already readable/unencrypted.
Last edited by Nepherte (2009-06-13 18:55:56)
All my data is on a separate partition. At the moment it is owned by me, but I could easily transfer the permissions to root - or mount the partition read-only and remount when I need to write.
Last edited by cardinals_fan (2009-06-13 19:39:01)
Segmentation fault (core dumped)
Then we are looking at a mixture of a physical password [ dongle ] and / or data kept solely on removable media.
For the really paranoid there are other scenarios, but then ease-of-use comes into play.
Deej
Backup. Simple.
The issue has the same implications as any other security task. You have to balance between security and ease-of-use and functionality. You could keep all your data on an encrypted partition on an external drive, and only plug in, turn on and mount that drive very briefly after making sure there's nothing rogue about your computer, then unmounting it, turning it off and locking it back in your fire-proof, water-proof, nuclear-proof safe... But that is too far on the security side, and not enough on the functionality side. Moving back to having a functional arrangement means having the data available to the user when it's required, but anytime the data is available to the user, it's available to anything malicious.
If you can't prevent the damage, the next best thing is to negate the effect (i.e., by using backups).
Last edited by fukawi2 (2009-06-13 23:04:41)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
So let's go through this step by step.
To destroy the whole system, an attacker needs root privileges, which implies that he already has local user privileges. As a desktop user I am the only user who ever su's to root, meaning a simple keystroke logger would suffice to gain root access. As always, the user (aka me) is the weakest link in the chain.
Now, if I stored data (local copies, backups, ...) on a rewritable medium (essentially any mounted partition, be it a built-in/external hd, server, ...) any which way, then an attacker could destroy it when it is connected to the system. Schemes like rotating external hard drives or manually mounting a raid5 array won't save me. Simply dd-ing every connected drive for ~a month and then destroying the local hdds would kill everything, and there's not much I could do about it (unless, of course, I notice something is wrong). Sure, this is a worst-case scenario, but if you're really concerned about IT security you do have to assume the worst case. With some imagination, it's possible to come up with ever more secure backup schemes and a matching attack/data loss scheme. There's always something that could go wrong, think about that.
In the end, it really comes down to time, money and, as deej already mentioned, ease-of-use. Do you really want to back up to "write-once" media like DVD-Rs? Or buy multiple external hdds, one for each backup? You could also use a tape robot ...
I guess everyone has to find a suitable compromise. Mine is to unison my /home to a server running raid1, then make a ZFS snapshot. Also, I have my music, videos, and - most importantly - pictures, mode 755 owned by root:users on the server. Now my main concern is having copies of some things only on one machine, but at least /home is on a minimum of 2 computers. It always goes on, doesn't it?
Simple? It can't be convenient. You could get an external hdd, but they are generally not that safe. I got one and in 1 month it broke; I RMA'ed it and got another, and 2 months later I'm running diagnostic tools on it. I RMA'ed it again, got the wrong kind back, and sure enough it broke in 1 month. I would suggest getting a flash drive or putting it on CD/DVD. I'm not sure there are write-only permissions that can be effectively locked so root can't change the permission. One problem is that if someone gets root you're done. Though from a hacker point of view, I would rather stay hidden instead of rm'ing a whole HDD, and Linux is a less desirable thing to hack.
I'm just lost n00b!
Most likely an attacker is not interested in deleting your files; they just want to use your CPU and internet connection, and they can do that as an unprivileged user. There are always vandals, but I expect them to be lazy and pretty easily warded off. The main reason why a Conficker-like attack would want to become root is so it can replace the programs/systems that would normally help detect and eradicate it. If you don't do sanity checks on what's running from time to time, maybe your computer's running an unprivileged bot under your nose, sending spam or hosting phishing sites.
I know we should backup, and I know that an attacker likely does not want to delete my files. I'm not looking for reassurance though, I want to see if there's a "nice" way to make my _files_ more protected than my OS, because bottom line is I care about them a lot more.
Ranguvar wrote:I know we should backup, and I know that an attacker likely does not want to delete my files. I'm not looking for reassurance though, I want to see if there's a "nice" way to make my _files_ more protected than my OS, because bottom line is I care about them a lot more.
The only way your files will be 100% "safe" is to not be connected to the internet at all, but as usual that brings up a whole other set of annoyances.
I have never looked too much into SELinux and I find it a big pain because it somewhat conflicts with the system updates (maybe I should learn how to use it properly), but shouldn't SELinux help on the security side by allowing certain programs to have write permissions only in certain places and still keep the functionality/practicality?
R00KIE
Ranguvar wrote:I want to see if there's a "nice" way to make my _files_ more protected than my OS, because bottom line is I care about them a lot more.
How is it possible for your files to be more secure than the OS? That doesn't make sense. But as I described above, what you can do is make your files as secure by doing:
chown root:users
chmod 755
or something similar. It's somewhat impractical, though, but that's the cost of security.
Last edited by tkdfighter (2009-06-16 17:52:15)
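As an added example (not code from the thread), a small POSIX shell helper for the "root:users, mode 755" scheme tkdfighter describes here and uses for his music directories earlier; the directory, group and user names are placeholder arguments. The audit function reports every entry that breaks the scheme, because applying chown and chmod to the top directory alone only blocks creating, deleting and renaming entries in it, while files inside that the user still owns stay writable.

```shell
#!/bin/sh
# Added example, not from the thread. DIR/GROUP/USER are placeholder arguments.
# The invariant being enforced: every path under DIR is owned by root and
# carries no write bit for group or others (dirs 755, regular files 644).

# audit_data_tree DIR [OWNER]
# Print every path under DIR that is not owned by OWNER (default: root) or
# that is writable by group or others. Empty output means the tree is clean.
# Uses only POSIX find primaries, so it works with GNU and BSD find.
audit_data_tree() {
    _dir=$1
    _owner=${2:-root}
    find "$_dir" \( ! -user "$_owner" -o -perm -g+w -o -perm -o+w \) -print
}

# lock_data_tree DIR [GROUP]
# Hand the whole tree to root, readable by GROUP (default: users).
# Must run as root. Note: this drops execute bits on files, which is
# fine for data such as music or pictures but not for scripts.
lock_data_tree() {
    _dir=$1
    _group=${2:-users}
    chown -R "root:$_group" "$_dir"
    find "$_dir" -type d -exec chmod 755 {} +
    find "$_dir" -type f -exec chmod 644 {} +
}

# unlock_data_tree DIR USER
# Give the tree back to USER for a short editing session (owner write bit is
# already set by the 755/644 modes); run lock_data_tree again afterwards.
# Must run as root: this is the step that needs the root password each time.
unlock_data_tree() {
    _dir=$1
    _user=$2
    chown -R "$_user" "$_dir"
}
```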
Ranguvar wrote:I want to see if there's a "nice" way to make my _files_ more protected than my OS, because bottom line is I care about them a lot more.
How is it possible for your files to be more secure than the OS? That doesn't make sense. But as I described above, what you can do is make your files as secure by doing:
chown root:users
chmod 755
or something similar. It's somewhat impractical, though, but that's the cost of security.
He was talking about encryption. With the method you describe the files are not secure at all; they're still in the open on the drive. The OS may not allow you to delete, or even read them, but you can change the OS just like that: just boot a live CD and there goes your security.
And he does have a point, your files should be much more important to you than your OS. You can reinstall an OS in a matter of hours; can you restore lost files? Erase damage done by stolen files (corporate environment)? Erase damage done by someone finding out something they shouldn't have?
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
Deej wrote:Then we are looking at a mixture of a physical password [ dongle ] and / or data kept solely on removable media.
I like this solution. Just plug in your Digital ID in the cardreader and you're logged in, and pull your card out to umount all drives that have information on them.
Here at the office it could be implemented quite easily I guess, since our /homes are mounted through NFS upon login (auth with LDAP/KRB). So simply logging out makes the data unreachable from the client - of course the server should never be infected. Using fingerprint or digital IDs to log in would make it next to impossible for a hacker to log in to the system I guess...
All depends how far you want to go.
Simply isolate all network services (firefox, mail, ftp, samba, ssh) for remote security.
Local access can be controlled by good passwords/encryption.
backup
Instead of NFS, maybe try encrypted remote disk access (cryptfs, or openafs)
Fingerprint and digital ID were broken already. There is no such thing as "impossible".
You can go further: mirroring RAID, installation of your up-to-date OS from a local trusted CD, fingerprint the OS, then configure services, then isolate services, encrypt data, connect to the network. But not sure if this is really worth the effort on a personal box.
Last edited by broch (2009-06-16 19:54:20)
moljac024 wrote:He was talking about encryption. With the method you describe the files are not secure at all; they're still in the open on the drive. The OS may not allow you to delete, or even read them, but you can change the OS just like that: just boot a live CD and there goes your security.
And he does have a point, your files should be much more important to you than your OS. You can reinstall an OS in a matter of hours; can you restore lost files? Erase damage done by stolen files (corporate environment)? Erase damage done by someone finding out something they shouldn't have?
No, he wasn't talking about encryption. Encryption is a moot point when the computer is already running and the partition decrypted. But yes, of course he has a point. User data is more valuable than the system, but I stand by my point that you can't make /home more secure than the OS. As everyone here has already pointed out, once you have root, you have /home, period. You also have all other external media which are connected to the PC over time, if you want.
But yes, once someone has local access (which you should do your best to prevent, anyways) the game is over. If the computer is on, it comes down to gaining root access again. If it's off, it'd better be encrypted.
TrueCrypt is interesting in this regard: it enables you to hide partitions within an encrypted filesystem using steganography.
Encryption in general is an interesting topic, but very involved in high-level math. I got the chance to see a presentation by Adi Shamir about "how cryptosystems get broken". Scary, really scary. He was able to crack an RSA key by monitoring the voltage over a USB port. Multiplications and additions use different amounts of power and thus cause different spikes. Based on that, he could figure out what the key was (granted, it was on a single-core processor, but still impressive). Also, he found out that it's possible to force a certain key to be validated by using known hardware bugs of the CPU, remotely. Anyway, the main point was that even if the math is sound, you can often circumvent the encryption by exploiting weaknesses in the implementation. If you ever get the chance to see him, use it. It's definitely worth the time. I googled for slides, but couldn't find anything. If anyone finds anything substantial on this particular presentation, please post it.
Edit: found out that he referred to this: Quantum hacking: adding a commercial actively-quenched module to the list of single-photon detectors controllable by Eve
Last edited by tkdfighter (2009-06-16 20:25:35)
z0phi3l wrote:The only way your files will be 100% "safe" is to not be connected to the internet at all, but as usual that brings up a whole other set of annoyances.
Gaaarrrggghhhh, no! Data can never be 100% safe, especially when *any* human has to interact with it.
(sorry, I'm being pedantic I know, but human error causes more problems than anything else IMHO)
z0phi3l wrote:The only way your files will be 100% "safe" is to not be connected to the internet at all, but as usual that brings up a whole other set of annoyances
fukawi2 wrote:Gaaarrrggghhhh, no! Data can never be 100% safe, especially when *any* human has to interact with it.
(sorry, I'm being pedantic I know, but human error causes more problems than anything else IMHO)
You are unfortunately 110% right about that, but steps can be taken to human-proof your system. The implementation of a root/normal user is an example of this.
With more or less unlimited space, you will want Elephant FS (1). Simply put, you can neither overwrite nor delete files. If you do "overwrite", the old file is silently backed up.
This could make a lot of sense for your most important 1 Gbyte of data. You still need backups in case the *physical* drive fails.
tkdfighter wrote:TrueCrypt is interesting in this regard: it enables you to hide partitions within an encrypted filesystem using steganography.
That's actually useless, because in order to preserve your data on the second layer you must not touch the first one.
As soon as someone sees that your encrypted files are 12 months old and unchanged since written, they aren't going to get the picture?
Last edited by moljac024 (2009-06-17 08:57:36)
ls -l
total 31
drwxr-xr-x 214 root users 214 Jun 10 13:59 flac
drwxr-xr-x 250 root users 250 Nov 10 2008 mp3
drwxr-xr-x 2 root users 2 Feb 14 2007 mp3_itrip
Some of my files are way older than that, as you can see. Just depends what you keep in the outer volume.
I was once rootkited; I had been running sshd on the default port and using qwerty as my password.
Reinstalled everything just to be sure. Now I have a stronger password and a different ssh port, so I think I'm safe enough.
If it ain't broke, broke it then fix it.