Security

Discussion in 'Acer Aspire One' started by Higgy, Jul 23, 2008.

  1. Higgy

    Higgy

    Security is a major concern for me as the computer will be used on public networks for banking and share trading.

    Does anyone know if the security kernel modules have been implemented with the Linpus compiled for installation on the Aspire One? Apparently they have not been implemented on the eeePC.

    That is - does Linpus have netfilter implemented - this is the firewall, and then there is the front-end for configuring that, iptables, to which one can install a graphical front-end such as Firestarter or Guarddog.

    I would be keen to find an answer to this question FIRST - if the answer is no I will start a second thread to discuss the level of risks involved.

    I hope someone can assist - Linpus have not responded to my emails - ACER advised that they could not assist and to contact Linpus!
     
    Higgy, Jul 23, 2008
    #1
  2. Higgy

    Higgy

    I just had a good reply from Linpus - I am in discussion with them to understand their email better. However, it appears that they have not implemented the security modules but there may be options.
     
    Higgy, Jul 23, 2008
    #2
  3. Higgy

    Ariel

    Wow.. they actually replied?

    Do share when you've figured out what they're trying to say :)
     
    Ariel, Jul 24, 2008
    #3
  4. Higgy

    jmdeniel

    Hi
    I'm interested too in iptables and firewall under linpus.

    Plz respond when u have new things

    regards
     
    jmdeniel, Sep 2, 2008
    #4
  5. Higgy

    burntbit

    I'm interested in tightening security up on here as well. One concern I have is the simple "sudo su" and the lack of a need for the user to login with a password. There is no security as long as this is possible.

    I've looked online and I've seen that you're just supposed to "edit the sudo config file". But this detail is too vague for me. I need to know what line to change so you don't have super user access to everything. And if that disables sudo I need to know what applications need that and how to include them in the config file.

    If there is a security suite to install I might be interested in that as well.
     
    burntbit, Sep 3, 2008
    #5
  6. Higgy

    rbil

    THE main security on a linux box is a STRONG root/sudouser password. PERIOD. Sudo can prove to be a better security feature than su because everyone knows a user named "root" is available on a Linux system, but not necessarily the name of a user with admin privileges through sudo. At least, that is the approach taken by the folks at Ubuntu. With the Aspire One, the user is called "user", so that doesn't offer any more protection.

    I'm not convinced a firewall makes any difference for a system like this. Linux is essentially a firewall to start with through its iptables. Ports are only opened when a service is installed and run - that needs to open up a new port. Even these ports can be protected without a firewall by using things like the tcpwrapper for certain services that use this function and hosts.allow and hosts.deny configurations.

    Cheers.
     
    rbil, Sep 3, 2008
    #6
  7. Higgy

    daldred

    Try here for information on how to edit the sudoers file:

    http://ubuntu-tutorials.com/2007/03/01/allowing-limited-sudo-access-with-visudo/
     
    daldred, Sep 3, 2008
    #7
  8. Higgy

    soleblaze

    Has anyone portscanned the default Linpus to see what it's listening to? I agree that a firewall might not be useful, but I wouldn't say for sure until I know what runs by default on these. For instance the eeepc has a samba server listening that had a well known vulnerability in it.

    Also you might be able to make your own kernel modules for it. The config file for their kernel is in /boot. However I'm not sure how many patches they've done to the kernel that would affect modules.
     
    soleblaze, Sep 3, 2008
    #8
  9. Higgy

    admin_one

    there is a SELinux folder in the file system. there are executables in it. not a SELinux user and don't know the ins and outs. maybe someone familiar with fedora and SELinux can fill us in...

    I would like to have a firewall so I can (believe) (pretend) I'm more secure administering networks with the acerone.
     
    admin_one, Sep 3, 2008
    #9
  10. Higgy

    rbil

    rbil, Sep 4, 2008
    #10
  11. Higgy

    yodersj

    I haven't run any specific tools against it, but I did capture this from a 'netstat -an | grep LISTEN' before I started messing with anything:
    Code:
    tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
    [excludes sockets]

    So that's X11 (port 6000) and cups (port 631). Cups is set to only listen for connections from the localhost (e.g. not an external network).

    The xorg server version, out of the box w/ no updates, is 1.3.0.0, rpm version 33. The latest Fedora 8 xorg version is still 1.3.0.0, but rpm version 47. Since Fedora[1] applies/backports patches the "rpm version" can correlate back to what they've done. So for example between rpm version 33 and 47 the following CVEs have been patched:
    * Thu Jun 12 2008 ... 1.3.0.0-46
    - cve-2008-1377.patch: Record and Security Extension Input validation
    - cve-2008-1379.patch: MIT-SHM extension Input Validation flaw
    - cve-2008-2360.patch: Render AllocateGlyph extension Integer overflows
    - cve-2008-2361.patch: Render CreateCursor extension Integer overflows
    - cve-2008-2362.patch: Render Gradient extension Integer overflows

    * Fri Jan 18 2008 ... 1.3.0.0-38
    - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
    - cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
    - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability
    - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability
    - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
    - cve-2008-0006-server-fixup.patch: PCF Font Vulnerability

    A quick look at the CVE descriptions for the above have all of them as "context-dependent" or "local user" vulnerabilities. I do not know what Acer/Linpus may have done to the xorg package and configuration they shipped that might already mitigate some of these. If you want to see what the current Linpus xorg has been patched for, open a terminal and run:
    Code:
    rpm -q --changelog xorg-x11-server-Xorg | more
    Firestarter is packaged for Fedora 8 and can be found here (get the one with "fc8" on the end) if a 'yum install' as root doesn't grab it:
    http://koji.fedoraproject.org/koji/pack ... ageID=1729
    I have not tried it on Linpus, so I don't know what extra might be required to get it working.

    [1] This is not intended to imply that other Linux distros do patch their packages as well.
     
    yodersj, Sep 5, 2008
    #11
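The check described in post #11, separating listeners bound to loopback from those reachable over the network, can be scripted. This is an added example, not code from the thread; the function names are hypothetical and the sample holds the two lines quoted in the post plus two constructed IPv6 lines.

```shell
#!/bin/sh
# Added example: classify LISTEN sockets from `netstat -an` output read on stdin.
# Prints one line per TCP listener: "<exposed|local> <port> <bind-address>".
classify_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            local_addr = $4
            # The port is whatever follows the last colon (also true for IPv6).
            n = split(local_addr, parts, ":")
            port = parts[n]
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            # Loopback binds can only be reached from the machine itself.
            if (addr ~ /^127\./ || addr == "::1")
                scope = "local"
            else
                scope = "exposed"
            print scope, port, addr
        }
    '
}

# Ports reachable from the network, one per line, sorted and de-duplicated.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $2 }' | sort -n -u
}

# Sample input: first two lines are those quoted in the post,
# the two IPv6 lines are constructed for illustration.
SAMPLE='tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:631                     :::*                        LISTEN'

printf '%s\n' "$SAMPLE" | classify_listeners
```

On a live system the input would come from `netstat -an | classify_listeners`; anything reported as exposed is what a firewall rule or a service configuration change would need to cover.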
  12. Higgy

    scottro

    Re the sudoers file--that Ubuntu article didn't mention the big part of the Linpus problem, that one can do everything without a password.

    In the /etc/sudoers file there are two lines

    %wheel ALL=(ALL) ALL
    %wheel ALL=(ALL) NOPASSWD: ALL

    That second line is the bad one. Put a # in front of it to comment it out (that is, make it into a comment that will be ignored by sudo). Then, any command requiring root privilege will require a password.

    Additionally, you can disable automatic login--do a quick search of these forums for disable autologin (or maybe disable auto login). It's a quick edit to /etc/rc.d/rc.S that the poster explains in full.
     
    scottro, Sep 5, 2008
    #12
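A read-only way to find the kind of line post #12 points at, shown as an added example that is not part of the thread. It only reports active `NOPASSWD` rules and changes nothing; the function names are hypothetical and the sample sudoers text is constructed around the two `%wheel` lines quoted in the post.

```shell
#!/bin/sh
# Added example: list active (uncommented) sudoers rules that carry NOPASSWD.
# Reads sudoers text on stdin; prints "<first-line-number>: <rule>" per match.
nopasswd_rules() {
    awk '
        {
            line = $0
            if (start == 0) start = NR
            # A trailing backslash continues the rule on the next line.
            if (line ~ /\\$/) {
                sub(/\\$/, "", line)
                buf = buf line
                next
            }
            rule = buf line
            first = start
            buf = ""; start = 0
            sub(/^[ \t]+/, "", rule)
            # Commented-out rules are ignored by sudo, so skip them here too.
            if (rule ~ /^#/) next
            if (rule ~ /NOPASSWD[ \t]*:/) print first ": " rule
        }
    '
}

# Only the rules that waive the password for every command.
blanket_nopasswd() {
    nopasswd_rules | grep -E 'NOPASSWD[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# Constructed sample: the two %wheel lines from the post, a commented copy,
# and a constructed rule split over two lines.
SAMPLE='# constructed sample sudoers
root    ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
user ALL=(ALL) \
    NOPASSWD: /sbin/ifconfig'

printf '%s\n' "$SAMPLE" | nopasswd_rules
```

To run it against the real file, pipe `sudo cat /etc/sudoers` into `nopasswd_rules`.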
  13. Higgy

    burntbit

    Thanks Scottro! I got the user login working.

    Hey when I comment out the 2nd wheel line the password sudo requires to run as root is actually the user password and not the root. Any info on that? Also when I boot up it takes longer for the desktop to initialize. I lose the pretty GUI. The calculator and the printer icon vanish. I can't run anything in settings. Alt-F2 gets disabled. And wifi won't even start. I suppose the sudoers file will need a lot of work to keep everything working??? I uncommented the line and rebooted and now everything works again.
     
    burntbit, Sep 5, 2008
    #13
  14. Higgy

    admin_one

    ok.... sob ....

    what are the firewall options? there should be an easy way to firewall the box... what is it?
     
    admin_one, Sep 5, 2008
    #14
  15. Higgy

    gheek

    I second that: Commenting out that line brought my complete system to halt when rebooting. I ended up on a screen all black, only showing the mouse cursor. No clicks or e.g. Alt+F2 worked. The only way to recover my system was to boot it up with a live version of DSL on a USB stick ("Damn Small Linux", which proved to be a great tool for this operation), mount the SSD and remove the comment.

    It seems that the Acer desktop relies somehow on the system's ability to do sudo without password?

    In other words: don't comment out that line, unless you are willing to spend an hour or so on recovering your system to get it booting again (apparently this hack worked on Scottro's system, but the problems reported by burntbit and my own experiences show that there's at least a risk that things don't work afterwards...)
     
    gheek, Sep 6, 2008
    #15
  16. Higgy

    okydoky

    I've read it now - what are the implications for individual users like me??
     
    okydoky, Nov 24, 2008
    #16
  17. Higgy

    burntbit

    Linpus Lite is really well customized for the hardware of the Acer Aspire One... the graphics are pretty darn good for a notebook/netbook with what they've done. In my opinion if you want performance over security stick with Linpus Lite. If security is an issue I would recommend switching to Ubuntu... although in my experience this doesn't work as well with 3D gaming or video playback of high quality videos.

    Linpus Lite is very reliant on a lot of Acer's customizations... as for the sudo stuff I don't see that you should tamper with that unless you really know what you're doing. Also make sure you can ALT-CTRL-F1 over to a console before you do any major changes (since if you mess something up this would be the easiest way to fix it).

    I can't speak on Linpus security from network attacks or the like... but as far as personal access:... basically anyone who gets their hands on the laptop can see it all... if you want secure files use "aescrypt" on files you want to "pack away" more securely. Just make sure you keep those files backed-up elsewhere as well.

    As far as physical access to the laptop with Ubuntu on it... unless they guess your password they're not getting in. And if you have the SSD drive built in with the linux model laptop (which I assume you do), then I don't foresee anyone taking that SSD drive out to read it from another computer seeing as how it's built-in (this would require an uber geek at modding).

    The reason I recommend Ubuntu is mainly because of hardware compatibility and user support, which is amazing. There's plenty of documentation. You may have to do a little configuring to get the wireless network working but that should be about it. It takes longer to boot up, and runs slower. But if you're like me and only want to develop on it, use it as a netbook, and don't care to try too much demanding media... then Ubuntu's perfect. That is not to say that Ubuntu is "slow" on this laptop, because it's not. It'll get the job done.

    Linpus = optimized great speed and performance (done by Acer themselves)
    Ubuntu = secure (in my humble opinion)

    As far as how secure Ubuntu is I can't say. At least you get your system passworded.

    NOTE: I just remembered there should be something I saw in the bios... user and admin password??? My mind vaguely recalls this. Might be worth checking out?
     
    burntbit, Nov 24, 2008
    #17
  18. Higgy

    Grim Squeaker

    Recompiling the kernel with support for iptables may be simplest, but I haven't done it yet.
     
    Grim Squeaker, Nov 24, 2008
    #18
  19. Higgy

    PaulW7

    So Higgy what was the translation of Linpus's reply to you?
    Having just got an Aspire One I'm very impressed with it, but after years of Norton, Kaspersky etc on Windows PCs I don't know if I feel a little exposed on this machine.
    Regards.
     
    PaulW7, Dec 15, 2008
    #19