Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: dennisw
The honest answer is any version of Linux you use is going to have significant security vulnerabilities right out of the box as well. LWN.NET is a website for Linux users that maintains vulnerability lists for many common Linux distros, and there are literally hundreds of holes listed for most versions of Linux (http://lwn.net/Alerts/).

And while Linux distros have a large number of unplugged holes to begin with, you will also find the method of patching Linux is in most cases more difficult than applying patches for Windows or OSX. Rather than just simply "pointing and clicking", you will often find yourself at the command line typing obscure commands. As an example, here are the procedures for a patch for Suse dated December 4 (http://lwn.net/Alerts/61612/):

**** Step 1: Determine the needed kernel type

Please use the following command to find the kernel type that is
installed on your system:

rpm -qf /boot/vmlinuz

The following options are possible (disregarding the version and build
number following the name, separated by the "-" character):

k_deflt # default kernel, good for most systems.
k_i386 # kernel for older processors and chipsets
k_athlon # kernel made specifically for AMD Athlon(tm) family processors
k_psmp # kernel for Pentium-I dual processor systems
k_smp # kernel for SMP systems (Pentium-II and above)

**** Step 2: Download the package for your system

Please download the kernel RPM package for your distribution with the
name starting as indicated by Step 1. The list of all kernel rpm
packages is appended below. Note: The kernel-source package does not
contain any binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are made from. It can be
used by administrators who have decided to build their own kernel.
Since the kernel-source.rpm is an installable (compiled) package that
contains sources for the linux kernel, it is not the source RPM for
the kernel RPM binary packages.

The kernel RPM binary packages for the distributions can be found at these
locations below ftp://ftp.suse.com/pub/suse/i386/update/.

7.3/kernel/2.4.18-20031204
8.0/kernel/2.4.18-20031204
8.1/rpm/i586
8.2/rpm/i586
9.0/rpm/i586

After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods as
listed in section 3) of each SUSE Security Announcement.


**** Step 3: Installing your kernel rpm package

Install the rpm package that you have downloaded in Steps 3 or 4 with
the command
rpm -Uhv --nodeps --force
whereis the name of the rpm package that you downloaded.

Warning: After performing this step, your system will likely not be
able to boot if the following steps have not been fully
applied.


If you run SUSE LINUX 8.1 and haven't applied the previous
kernel update (SUSE-SA:2003:034), AND use the freeswan package,
you also need to update the freeswan rpm as a dependency as offered
by YOU (Yast Online Update). The package can be downloaded from
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/

**** Step 4: configuring and creating the initrd

The initrd is a ramdisk that is being loaded into the memory of your
system together with the kernel boot image by the bootloader. The
kernel uses the content of this ramdisk to execute commands that must
be run before the kernel can mount its actual root filesystem. It is
usually used to initialize scsi drivers or NIC drivers for diskless
operation.

The variable INITRD_MODULES (set in the files /etc/rc.config up to
7.3) or /etc/sysconfig/kernel (after and including 8.0)) determines
which kernel modules will be loaded in the initrd before the kernel
has mounted its actual root filesystem. The variable should contain
your scsi adapter (if any) or filesystem driver modules.

With the installation of the new kernel, the initrd has to be
re-packed with the update kernel modules. Please run the command

mk_initrd

as root to create a new init ramdisk (initrd) for your system.
On SuSE Linux 8.1 and later, this is done automatically when the
RPM is installed.


**** Step 5: bootloader

If you have a 7.x system, you must now run the command

lilo

as root to initialize the lilo bootloader for your system. Then
proceed to the next step.

If you run a SUSE LINUX 8.x or a SLES8 system, there are two options:
Depending on your software configuration, you have the lilo bootloader
or the grub bootloader installed and initialized on your system.
The grub bootloader does not require any further actions to be
performed after the new kernel images have been moved in place by the
rpm Update command.
If you have a lilo bootloader installed and initialized, then the lilo
program must be run as root. Use the command

grep LOADER_TYPE /etc/sysconfig/bootloader

to find out which boot loader is configured. If it is lilo, then you
must run the lilo command as root. If grub is listed, then your system
does not require any bootloader initialization.

Warning: An improperly installed bootloader may render your system
unbootable.

**** Step 6: reboot

If all of the steps above have been successfully applied to your
system, then the new kernel including the kernel modules and the
initrd should be ready to boot. The system needs to be rebooted for
the changes to become active. Please make sure that all steps are
complete, then reboot using the command
shutdown -r now
or
init 6

Your system should now shut down and reboot with the new kernel.

(end excerpt)

That may be easy for you and you may even look forward to it. But the bottom line remains there are many default holes in Linux, and they are typically harder to patch, no matter what the Linux crowd may want you to believe.

10 posted on 12/09/2003 8:08:55 AM PST by Golden Eagle

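Added example, not part of the post above or of the SUSE advisory it quotes: a shell sketch that turns Steps 4 and 5 into a checklist, since skipping one of them after the forced install is what leaves a machine unbootable. The function names and the sample config file are constructed for illustration, and treating 9.0 like 8.x for the bootloader check is an assumption.

```shell
#!/bin/sh
# Read LOADER_TYPE from a sysconfig-style file (the advisory's
# /etc/sysconfig/bootloader), stripping optional quotes.
loader_type() {
    sed -n 's/^LOADER_TYPE=//p' "$1" 2>/dev/null | tr -d "\"'" | tail -n 1
}

# plan_steps VERSION [BOOTLOADER_FILE]
# Prints the commands still to be run as root after the kernel RPM install.
plan_steps() {
    version=$1
    conf=${2:-/etc/sysconfig/bootloader}
    major=${version%%.*}
    minor=${version#*.}
    steps=""
    # Step 4: mk_initrd is manual before 8.1, automatic on 8.1 and later.
    if [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 1 ]; }; then
        steps="mk_initrd"
    fi
    # Step 5: 7.x always needs lilo; later releases depend on LOADER_TYPE
    # (assumption: 9.0 follows the 8.x rule).
    if [ "$major" -le 7 ]; then
        steps="$steps lilo"
    else
        case $(loader_type "$conf") in
            lilo) steps="$steps lilo" ;;
            grub) ;;
            *) echo "cannot determine bootloader from $conf" >&2
               return 1 ;;
        esac
    fi
    # Step 6: the new kernel only becomes active after a reboot.
    steps="$steps reboot"
    echo $steps
}

# Constructed sample: an 8.0 system configured for lilo.
sample=$(mktemp)
printf 'LOADER_TYPE="lilo"\n' > "$sample"
plan_steps 8.0 "$sample"    # prints: mk_initrd lilo reboot
rm -f "$sample"
```

An unknown or missing LOADER_TYPE makes the function fail rather than guess, matching the advisory's warning about an improperly installed bootloader.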

To: dennisw
Sorry about those links, apparently the close parenthesis stuck to the link. Here they are again:

http://lwn.net/Alerts/

http://lwn.net/Alerts/61612/
12 posted on 12/09/2003 8:11:28 AM PST by Golden Eagle

To: Golden Eagle; dennisw
DW, you just got some rather high-powered FUD dumped on you from a dedicated microsoftie. The facts are that there are a number of different ways to handle keeping your system updated, and these vary from one distribution to another. I find that KRUD works well for me, without all the fuss. If I want to upgrade my kernel to the latest versions of all the software including the kernel, I just pop the 1st CD in the drive, boot, and I have a fully patched system in minutes. The rebooting part isn't even necessary for much of anything but a kernel upgrade.

golden eagle tries to frighten with phrases like "hundreds of holes" and such, but the facts are that you're much safer with just about any distribution of Linux than you are with any version of windows. When you see this particular FUD line, you can bet that the poster is lumping every possible program in that you could possibly install as a part of the distribution, while trying to claim that "windows" is just the operating system and shouldn't count 3rd-party drivers, or other applications that you need to actually make the computer a useful device.

Now to get to something that may actually help you out...

Knoppix and Mandrake have done some interesting work in the past year. They have a single CD distribution, that you just pop in your drive and boot from. Each will load up a fully functional distribution with internet connectivity, browsers, email clients, office apps, and just about everything you want. In normal operation these are pretty much 'stateless' in that they don't actually save anything to your hard disk unless you specifically invoke that functionality. (They make excellent rescue disks when windows won't boot any more.) Each of these is essentially a demo of a full desktop that you can boot from and play with without having to worry about toasting your normal configuration. This is a great way to see if you like the linux way of doing things without making a commitment on your computer.

30 posted on 12/09/2003 9:37:30 AM PST by zeugma (If you eat a live toad first thing in the morning, nothing worse will happen all day.)

To: Golden Eagle
Oh, come on. SuSe is a tweak's Linux, not for beginners, and generally more popular in Europe than the USA. Nobody running Red Hat, Debian, or Mandrake (which is a modified Red Hat, made even easier for beginners) ever has to deal with that stuff.

By the way, that patch you cite the complicated installation for would not let a net user onto his machine -- it would let a LOCAL user, someone who sits at the keyboard and HAS HIS OWN LOGIN, get root access (which is bad. Root access is superuser access, which means that you can modify any file -- kind of like any user on a Windows box).

What concerns Dennis, I think, is not that his housemaid is a secret hacker able to get root on his finance box, but more likely malware coming over the net -- the technical term for this is a "remote exploit." If you are not concerned about in-house abuse of your system, you can only patch "remote exploits" forever, and you'll never have a problem.

Also, one thing worth noting, Dennis's plan seems to be to have his financial stuff on one box with *n*x and his regular surfing, FReeping, and email on another -- this makes odds of a remote exploit MUCH lower. (Still best policy is to stay up to date).

d.o.l.

Criminal Number 18F
32 posted on 12/09/2003 10:36:24 AM PST by Criminal Number 18F
