
Fedora 14 is out

I didn't like the fact that I had to add myself to a "sudoer" list in order to do things as root.

IMO Fedora is just a huge PITA. I could see its use if you need to set up some sort of advanced server. For desktop users I don't find it very interesting.

I don't see how that's archaic. Adding new users to the sudoers list by default is a horrible idea. Kinda defeats the purpose.
 
Maybe I'm missing something.

I know this is a Fedora thread, which I've basically written off as irrelevant to my needs, but...

In Ubu, I've reset the root password, and set myself up as the admin (if you will). Regardless of what I do (at a core level) it asks me for a password,

I've been trying to wean my wife off Winders, to Ubu. Baby steps... Baby steps...

So far, she has been very receptive to the idea. She likes Officer.org Spreadsheet better than Excel (more intuitive), Evolution Mail (IMAP) better than Outlook (POP), etc. She actually wants to learn how to use Gimp, instead of PSP (Corel Paintshop Pro), blah, blah, blah.

Anyway, I set her up as a regular user on my primary box. While the default user account allows her to change personal settings, it doesn't allow her to change any system settings without using my password.

Where is the threat?

If I wanted to restrict her access to this or that, it's a simple matter to change that in the user settings.

Really, to my way of thinking, it's no different than setting up user accounts on my web server.

If I give users the key to the fort, on my web server -- shame on me! It's not CentOS's fault, you know?!?!?

Is Fedora any different?
 
Not at all, but the point we're talking about is the default user that's created in Ubuntu. It's set up as a sudoer with full access to run anything as root with only its own password and there is no root password. So instead of forcing an attacker to hijack your account and then get root via cracking the password or some local exploit he can run whatever he wants via sudo with your account's password.
 
I see.

Well, I suppose it's a balancing act, as well as a security issue -- done not by accident -- but rather, deliberately.

I digress...

SOURCE: The new Linux Desktop: Ubuntu's Unity (separate issue, I know)

Ubuntu has always been about making it easy for new users to use Linux.[...]

Canonical has decided that everyone who's ever going to use a "Linux" desktop is already there.[...]

Therefore, to broaden the Ubuntu Linux desktop base they need to reach users who know nothing about Linux.[...]

You might *think* this is a logical inconsistency, but...

Linux, et al. is hard as hell to break into externally. However, if you're logged into a machine, sitting at the keyboard, it's a whole different situation. It's incumbent upon the system admin, to come up with an appropriate user policy, no?

Now, balance that against pissing off n00bs -- the targeted audience - who "know nothing about Linux" -- who can't make Linux work, because it's locked down too tightly -- and you can see the 'problem' Canonical faces. It's a push to anarchy, not incompetence!

Sooo...

I guess 'the trick' is to make Ubu easy enough to attract ppl that don't know jack, but flexible/powerful enough to accommodate ppl that do.

I think Ubu was done pretty well, in this regard.

Anyway, thanks, for the explanation... 😉
 
It is done deliberately, but it doesn't make it any less of a poor decision to add user to the sudoers group requesting only their root password by default.

I think one thing that you aren't distinguishing is the fact that Linux != Ubuntu in the truest sense. You obviously know it is a Linux distro, but the idea behind Ubuntu is an easy to use Linux. In doing that, they sacrifice basic Unix security principles. This is one of the reasons that most corporations do not use Ubuntu, but they do use Red Hat or OpenSUSE.

Additionally, while, at default, Linux is more secure than Windows, it certainly isn't terribly hard to break from external attack (of course depending on the user it may be harder or easier).

Your last 2 sentences summed it all up perfectly though 🙂
 
All, excellent points! And, I can't disagree with any of your declarations...

Having said that, if they lock down Ubu too much, it'll only piss people off -- at least, the lowest common denominators amongst us. I assume that's Canonical's thinking, as well.

Linux, et al. seems to be stout enough to deflect most assaults, despite attempts at 'dumbing down'. Personally, I've never run any AV software on Linux. I generally don't enable firewalls (another piss off for most users). And, I've never had an intrusion. Maybe, I'm just lucky...

EDIT - I installed LAMP on a Win2K Pro box, years ago, and was busted into. But, that wasn't a true reflection upon Linux. I was simply running Linux apps on a Winders machine. Big mistake!


Heh! As a matter of fact, I don't even bother to log out of forums (like this) and such, even though I know the cookies are set to expire in 2038 or longer.

I'm just wondering if Fedora is any different, in this regard.

Maturation takes care of most of these things, but I don't see n00bs suffering from this deliberate lack of security, in the interim; judging by the threads.

Au contraire, It seems that Linux always comes out 'the winner' in those Black Hat / Defcon Conventions, et cetera. How bad can it be?!?!?
 
Well removing the user from the sudoers group would result in something like this:
Instead of:
sudo apt-get install BLAH

It would be:
su
[Input Root password]
apt-get install BLAH

It's really not that hard and it really tightens security a lot.

As far as A/V Software - There is a basic principle that you don't hack/exploit the system that you are running. Most hackers develop on Linux or some derivative of Unix, they wouldn't want to hack what they are using. Additionally, when developing an exploit, generally you should be concerned with affecting the most users possible - Windows. Finally, most people who use a *nix derivative (With the exception of OSX users) are much wiser with regards to computers - they are unlikely to fall for the basic tricks that are so prevalent in Windows.

Regarding the firewall - if you are running behind a router, chances are you have a hardware firewall built in. Regardless, in any other case, I would say that is a very poor decision as a Honeypot System will get bombarded regardless of the OS; however, most Linux distros close or stealth every port that is not widely used whether you use iptables et al or not.

As for the cookies - you are, once again, straying into the Network Security realm that is operating system independent. I can execute a successful man in the middle attack even if you are running the most secure operating system in the world. Now, I believe AT ties their cookie for login to some hash of user information, so you are probably ok there, but, once again, this is OS independent.

I don't believe the OS handles anything regarding the cookie expiration. When it is created, it is either given an expiration date or it is left blank (Meaning non-expiring). The browser merely parses this data. Operating System independent.

Linux has a higher security baseline than the other operating systems out of the box. That doesn't make it secure per se. Yes, generally speaking, it is more secure than Windows and OSX (BSD Unix); however, the Linux kernel itself isn't nearly as secure as most novices give it credit for.

What makes you think that someone broke into your server a few years ago?

-Kevin
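
The default discussed in this thread, an account whose group has an unrestricted sudoers rule, can be checked for on a given machine. The following is an added example, not part of any post above: it runs over a constructed sudoers file and group map, the function names are hypothetical, and aliases and #include files are not followed.

```python
import re

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: ALL
"""

# Constructed group membership, standing in for /etc/group.
SAMPLE_GROUPS = {"admin": ["alice"], "wheel": []}

# user-or-%group  host = (runas) [TAG:] command-list
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP = re.compile(r"^(#|Defaults\b|(User|Runas|Host|Cmnd)_Alias\b)")


def parse_rules(text):
    """Yield (who, runas_users, nopasswd, commands) per user specification.

    Simplification: aliases, #include files and per-command tags are ignored.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SKIP.match(line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        # An omitted runas list means root; "(ALL:ALL)" carries user:group.
        runas = m.group("runas")
        runas = "root" if runas is None else runas.split(":")[0]
        runas_users = [u.strip() for u in runas.split(",") if u.strip()]
        tags, cmds = re.match(r"((?:[A-Z_]+:\s*)*)(.*)", m.group("cmds")).groups()
        commands = [c.strip() for c in cmds.split(",")]
        yield m.group("who"), runas_users, "NOPASSWD:" in tags, commands


def full_root_accounts(text, groups):
    """Map each non-root account that may run ANY command as root to the
    authentication sudo asks for: "password" (its own) or "nopasswd"."""
    found = {}
    for who, runas_users, nopasswd, commands in parse_rules(text):
        if "ALL" not in commands or not {"ALL", "root"} & set(runas_users):
            continue
        members = groups.get(who[1:], []) if who.startswith("%") else [who]
        for account in members:
            if account == "root":
                continue
            # NOPASSWD on any matching rule is the weaker setting, so it wins.
            if nopasswd or account not in found:
                found[account] = "nopasswd" if nopasswd else "password"
    return found


if __name__ == "__main__":
    for account, auth in sorted(full_root_accounts(SAMPLE_SUDOERS, SAMPLE_GROUPS).items()):
        print(f"{account}: unrestricted root via sudo ({auth})")
```

Every account it reports is one whose own password (or no password at all) is enough for root, which is the exposure the posts above are weighing against convenience.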
 
Well removing the user from the sudoers group would result in something like this:
Instead of:
sudo apt-get install BLAH

It would be:
su
[Input Root password]
apt-get install BLAH

It's really not that hard and it really tightens security a lot.
Thank-you for posting this. I did not realize that there was a workaround for "sudo". :thumbsup::thumbsup:
 
VinDSL said:
Linux, et al. seems to be stout enough to deflect most assaults, despite attempts at 'dumbing down'. Personally, I've never run any AV software on Linux. I generally don't enable firewalls (another piss off for most users). And, I've never had an intrusion. Maybe, I'm just lucky...

EDIT - I installed LAMP on a Win2K Pro box, years ago, and was busted into. But, that wasn't a true reflection upon Linux. I was simply running Linux apps on a Winders machine. Big mistake!

Yes, lucky like a Mac user because there's so few viruses targeting them both. If whatever Apache/PHP bug got you broken into is generic enough it could affect Linux just as easily, it's just that the payload has to be written for Linux instead of Windows to actually do anything.

VinDSL said:
I'm just wondering if Fedora is any different, in this regard.

Different defaults is all AFAIK, although I haven't done a recent Fedora install to know if not enabling the root account like Ubuntu is an option these days.

VinDSL said:
Maturation takes care of most of these things, but I don't see n00bs suffering from this deliberate lack of security, in the interim; judging by the threads.

Largely for the same reason Mac users are "safe".

Gamingphreek said:
Well removing the user from the sudoers group would result in something like this:
Instead of:
sudo apt-get install BLAH

It would be:
su
[Input Root password]
apt-get install BLAH

It's really not that hard and it really tightens security a lot.

Or just use gksu instead of gksudo to run synaptic or whatever. I would hope that a distro like Fedora would do that by default.
 
Regarding the firewall - if you are running behind a router, chances are you have a hardware firewall built in.[...]
True!

I'm behind a NAT router, which 'acts' as a natural firewall, of sorts. I was going to mention this in the post (above) but I didn't want to muddy the waters too much.

But, yes, you're right!

What makes you think that someone broke into your server a few years ago?
Oh... that was classic! 😀

A little pretext...

We maintain a personal web server, here at the house -- a Slack box. For production sites (due to traffic demands) we run on a CentOS server, in Houston. Otherwise, we would need to get business-level Internet account, here at the abode.

My Internet Service Provider (ISP) will tolerate a certain amount of incoming connections, but if it gets too high, they consider it an unauthorized redistribution of their bandwidth and services, blah, blah, blah.

To the point...

I got a hair up my butt, one day, and thought it would be cute to install LAMP on a Win2K Pro machine, and use it for a second personal web server. Everything went fine; or so I thought.

A couple of days later, I noticed my local connection was moving slower than snot. I didn't think much about it, because at the time, I was running 1GB DSL on a loop from hell -- 16,000 feet away from the CO. I suffered this slowness through the weekend. My plan was to call the ISP on Monday, and have them send out (yet another) repairman/tech, to fix the line.

Monday morning rolled around, and I didn't have ANY connection at all. I called my ISP, and they said my DSL account had been 'red flagged'. Evidently, the "Internet Cops" contacted my ISP, and said I was serving SPAM out of my house. "No way," I said.

The ISP said they didn't think it was intentional, but they had to nick it. They turned my account back on, with the proviso that I fix it ASAP.

As soon as I got off the phone with the ISP, and had a connection, I cranked up a packet sniffer and watched my LAN traffic. And, it was a sight to behold!

Sure as can be... person, or persons, unknown had hacked into the Win2K Pro machine, and were bouncing SPAM off of it -- 100's or 1000's a minute. I couldn't really count how much SPAM was flowing out of that box, but it was massive.

While I was looking at the packets, I could see it was really nasty stuff -- all sorts of porn, et cetera.

LoL! Anyway, so much for that bright idea! :awe:
 
I don't see how that's archaic. Adding new users to the sudoers list by default is a horrible idea. Kinda defeats the purpose.
Fair enough. There are several other aspects of Fedora that make it a huge PITA for most people though, in an "archaic" way. It doesn't come with Flash installed, and it ships with the Nvidia "Nouveau" driver by default, which is a PITA to uninstall, and then you have to manually install the NV driver.

Fedora is a nice system and I'm sure it has its uses. If I was setting up an advanced server I would probably use it. It's very secure by default, it's fast, and from what I could tell it seemed stable.
 
I'm not sure what needs to be done to pick a video driver without an Xorg file, but with one you can specify whatever driver you want regardless of what others are installed. So if you want to use nv or nvidia, you should just need to make sure the right packages are installed.
 
The nouveau driver is enabled at boot time thanks to KMS. You need to blacklist the kernel driver portion of it using boot parameters and also in the modprobe.d/blacklist file or else it gets loaded and can't be unloaded thanks to its use in KMS (nvidia binary can't load with the nouveau kernel driver in use).

Once nouveau is blacklisted though, it's easy enough to deal with putting the nvidia driver in place.

A couple of notes about F14 though:

- Flash will crash due to a bug in adobe's flash player (see lwn article on change in glibc). Until adobe updates their flash player, there's a few ways to enable flash (lightspark, gnash, or loading an older glibc version).

- Fedora is a great desktop for developers, or power users like those wanting a solid virtualization solution integrated into the OS.

- Fedora does not and will not ship with adobe's flash player or the nvidia drivers because they aren't open source. Fedora as a distribution is about advancing the state of the art in open source technologies. Ubuntu is about making the desktop experience for the end user as easy as possible. Fedora aims to be a great desktop experience too, but it must do so using only open solutions (from both a licensing and patent perspective). When comparing the out of box experience between Ubuntu and Fedora, it's important to keep this in mind.

The biggest thing that puzzles me though is that both Fedora and RHEL6 released w/o any mention on anand or dailytech.... We need more *nix coverage here. RHEL6 should be big news I'd think.
 
Fair enough. There are several other aspects of Fedora that make it a huge PITA for most people though, in an "archaic" way. It doesn't come with Flash installed, and it ships with the Nvidia "Nouveau" driver by default, which is a PITA to uninstall, and then you have to manually install the NV driver.

Fedora is a nice system and I'm sure it has its uses. If I was setting up an advanced server I would probably use it. It's very secure by default, it's fast, and from what I could tell it seemed stable.

It doesn't ship with flash because it's not free, Fedora stands by its FOSS principles. A lot of people like that, some don't. Fedora definitely isn't as noob friendly (no offense to Ubuntu people) as Ubuntu is, but it's really not that complicated for a normal Linux user to figure out. Fedora and Ubuntu have different philosophies and a somewhat different target audience.

Also, Fedora is one of the last distributions that I would use as a server due to its release and support schedule. CentOS or RHEL for me.
 
The nouveau driver is enabled at boot time thanks to KMS. You need to blacklist the kernel driver portion of it using boot parameters and also in the modprobe.d/blacklist file or else it gets loaded and can't be unloaded thanks to its use in KMS (nvidia binary can't load with the nouveau kernel driver in use).

Once nouveau is blacklisted though, it's easy enough to deal with putting the nvidia driver in place.

A couple of notes about F14 though:

- Flash will crash due to a bug in adobe's flash player (see lwn article on change in glibc). Until adobe updates their flash player, there's a few ways to enable flash (lightspark, gnash, or loading an older glibc version).

- Fedora is a great desktop for developers, or power users like those wanting a solid virtualization solution integrated into the OS.

- Fedora does not and will not ship with adobe's flash player or the nvidia drivers because they aren't open source. Fedora as a distribution is about advancing the state of the art in open source technologies. Ubuntu is about making the desktop experience for the end user as easy as possible. Fedora aims to be a great desktop experience too, but it must do so using only open solutions (from both a licensing and patent perspective). When comparing the out of box experience between Ubuntu and Fedora, it's important to keep this in mind.

The biggest thing that puzzles me though is that both Fedora and RHEL6 released w/o any mention on anand or dailytech.... We need more *nix coverage here. RHEL6 should be big news I'd think.

Well said.
 
Thanks. An additional note about the nouveau drivers is that in general they work fine w/ compositing and basic tasks. For performance, the nvidia drivers work best, but if you're not gaming or doing other 3D intensive tasks, the nouveau drivers are pretty functional now (started testing them with F13 for 3D, F12 for basic 2D).
 