I’m still new to Linux, so sorry if my question is naive. Started looking into Linux in October 2021, installed Pop!_OS in February, and switched to Fedora this month. My interest in Linux is based on the cool factor and me increasing my awareness of security and privacy.
Most folks in the Linux community probably know all the benefits and reasons why Linux should be secure, which is why I was surprised when I kept bumping into a minority of users who argued that Linux was actually not secure. This has culminated in the below blog post which is the most detailed rebuttal that I’ve read so far.
First, I’m not very technical yet, so a lot of these things go over my head. Second, I imagine that at the end of the day the cons presented here and in other places fall in the category of “everything has pros and cons and you have to make decisions based on your threat model.” Third, I figure there are more secure versions of Linux than what I’m using (Fedora 35), but those are either custom configurations that I would have to make which go over my head at the moment or straight up server software (I assume RHEL is more secure than Fedora, for example).
To come back down to earth, my questions are the following.
Is Linux secure enough for the average Joe? (I assume yes)
Does Linux have comparable security to Windows after you take into account the strengths and weaknesses of each?
Besides basic security practices like using a password manager, is there more that I should be configuring on my Linux desktop out of the box?
This is a Linux forum so I expect everyone to say that it is secure, but if I asked this on Reddit I would probably not have a fun time. Still planning on daily driving Linux for now. Please let me know where I can clarify!
A Linux desktop is not nearly as secure as a server that doesn’t run Xorg.
Linux has better security than Windows, due to its inherent separation between admin user and normal one. Admin is full privilege on Windows. In Linux, it’s just a separate utility and some permissions, but under a user, programs can’t go rogue and take over the system, unlike the possibilities around Windows UAC.
Maybe full disk encryption. And for when your PC is active, encrypted vaults / containers for very important files, like pictures of your ID card or scans of your contracts and titles.
The problem with modern browsers and JS is that, for all intents and purposes, other people are running code on your machine. They can make JS do anything, from mining crypto, to accessing your files and uploading them, to accessing your saved credentials or cookie sessions inside your browser. Browsers try to mitigate those kinds of attacks, but the best thing is to be cautious about which sites you visit.
On a side note, I absolutely hate snaps and I am somewhat indifferent to flatpak (mostly because I can’t find almost anything for aarch64 in flathub), but in theory, these two could mitigate the damage that a program can do to your system if you only allow said program access to a few restricted directories, like your Downloads folder.
Regarding this piece, the article I linked to actually talks about the difference between root and standard users I think. In Section 4 of the article, they write it can be easy for an attacker to sidestep the limited permissions of a standard user and obtain the sudo password. To quote the first paragraph:
> On ordinary Linux desktops, a compromised non-root user account with access to sudo is equal to full root compromise, as there are an abundance of ways for an attacker to retrieve the sudo password. Usually, the standard user is part of the “sudo” or “wheel” group, which makes a sudo password security theatre. For example, the attacker can exploit the plethora of keylogging opportunities, such as Xorg’s lack of GUI isolation, the many infoleaks in the procfs filesystem, using LD_PRELOAD to hook into processes and so much more. Even if one were to mitigate every single way to log keystrokes, the attacker can simply set up their own fake sudo prompt by manipulating $PATH or shell aliases/functions to intercept the user’s password, completely unbeknownst to the user.
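The “fake sudo prompt via $PATH or shell aliases/functions” the quoted paragraph describes is something you can check for from the shell you actually type `sudo` into. The script below is an added example, written for this thread; it is not code from the quoted article or from any distribution. It assumes the genuine binary lives at /usr/bin/sudo (pass another path as the first argument if yours differs) and reports three things: an alias or function named `sudo` defined in the current shell, an executable called `sudo` that sits earlier in $PATH than the real one, and a world-writable $PATH directory where any local process could plant such a file.

```shell
#!/bin/sh
# Added example, not from the thread or the quoted article: check whether
# anything in the current shell would intercept `sudo` before the genuine
# binary runs. The location of the genuine binary is an assumption; pass your
# own as $1 if it differs.

# Print a WARN line for every shadowing mechanism found; return 1 if any.
check_sudo_shadow() {
    real="${1:-/usr/bin/sudo}"
    bad=0

    # 1. An alias or shell function named sudo wins over any PATH lookup.
    #    The wording of `type` differs between bash and dash, so match loosely.
    case "$(type sudo 2>/dev/null)" in
        *alias*)    echo "WARN: sudo is an alias ($(type sudo))"; bad=1 ;;
        *function*) echo "WARN: sudo is a shell function (run: type sudo)"; bad=1 ;;
    esac

    # 2. Walk PATH in lookup order. Any executable called sudo that sits
    #    before the genuine one would run instead of it. The comparison is by
    #    inode (-ef), so a /bin -> /usr/bin symlink is handled correctly.
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -z "$dir" ] && dir=.          # an empty PATH entry means the current dir
        if [ "$dir/sudo" -ef "$real" ]; then
            break                       # reached the genuine binary
        fi
        if [ -x "$dir/sudo" ]; then
            echo "WARN: $dir/sudo precedes $real in PATH"; bad=1
        fi
        # 3. A world-writable PATH directory lets any local process plant one.
        if [ -n "$(find "$dir" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            echo "WARN: PATH directory $dir is world-writable"; bad=1
        fi
    done
    IFS=$old_ifs
    return "$bad"
}

# Stand-alone use: `sh check_sudo.sh --run [/path/to/real/sudo]`.
if [ "${1:-}" = "--run" ]; then
    check_sudo_shadow "${2:-}"
fi
```

Aliases and functions are per shell, so to audit the interactive shell you actually use, source the file (`. ./check_sudo.sh`) and call `check_sudo_shadow` from that shell rather than running it as a separate script. A clean result only says nothing is shadowing `sudo` right now; it does not cover the Xorg keylogging or LD_PRELOAD routes the same paragraph mentions.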
Well, if you use a weak password, it is pretty trivial to get access to anything, yeah. A weak password can be common between Linux and Windows, so that’s user error.
The part about exploiting Xorg and logging keystrokes is true though, but it’s not something I would be worried about. Setting up a fake sudo prompt would be difficult to use and difficult to obtain the password from, not only because the user did not expect a sudo prompt, but also because you need quite a bit of control on the machine. Technically, not impossible though. But for the Xorg exploit to work, your password would have to be uncensored. The most an attacker can get from that is the number of characters from what I know, which could still be enough information to prepare for either a dictionary attack and make it more efficient, or a brute-force, if the attacker is really committed. Again, nothing I would worry too much about. For a server, it is always a good idea to run headless (no Xorg).
As for the permissions, technically speaking, it’s always better to use a non-sudoer, then su into another user who is a sudoer, or insert the password for the other user when asked for sudo prompts. That way if your main user is compromised, at least an attacker doesn’t have access to root privileges. For Windows, the same applies, but it’s mostly user error, the fact that people are using an admin account all the time, with UAC not even asking to reinsert the password. And UAC is supposedly pretty easy to get around.
But with all the exploits presented for Linux, Linux is still more secure than Windows, because Windows has a far wider selection of vulnerabilities.
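The “use a non-sudoer for daily work, keep a separate sudoer account” advice above is easy to state and easy to drift away from, since installers typically put the first user into `wheel` or `sudo`. The script below is an added example for this thread, not code from any distribution; it reads a group(5)-formatted file (the real input is /etc/group, the sample here is constructed) and tells you which accounts get sudo through those two groups, so you can confirm your day-to-day login is not among them.

```shell
#!/bin/sh
# Added example, not from the thread: list the accounts that get sudo through
# membership in the wheel or sudo group, reading a group(5)-formatted file.
# The sample file below is constructed for illustration; use /etc/group for real.

# Print "user group" for every member of the wheel and sudo groups.
admin_group_members() {     # $1: group file (default /etc/group)
    awk -F: '
        $1 == "wheel" || $1 == "sudo" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") print members[i], $1
        }' "${1:-/etc/group}"
}

# Succeed (exit 0) when user $1 is in neither group according to file $2.
# Caveat: this only covers supplementary groups listed in the group file. A
# primary group assigned in /etc/passwd, and direct entries in /etc/sudoers or
# /etc/sudoers.d, are not checked; also run `id -nG USER` and `sudo -l -U USER`.
is_unprivileged() {
    admin_group_members "${2:-/etc/group}" |
        awk -v u="$1" '$1 == u { found = 1 } END { exit found ? 1 : 0 }'
}

# Write a constructed sample group file to path $1:
# alice is in both admin groups, bob only in sudo, carol in neither.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:alice,bob,carol
EOF
}

# Stand-alone run against the constructed sample.
f=$(mktemp)
write_sample_group "$f"
echo "accounts with sudo via group membership:"
admin_group_members "$f"
for u in alice bob carol; do
    if is_unprivileged "$u" "$f"; then
        echo "$u: not a sudoer via groups"
    else
        echo "$u: gets sudo via a group"
    fi
done
rm -f "$f"
```

To check your own machine, call `is_unprivileged "$USER"` with no second argument; a non-zero exit means a compromise of that account is, in the quoted article's terms, one password prompt away from root.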
I know about the main pros for Linux security. It’s open source, extremely popular everywhere but desktops, and benefits from its small market share by having fewer viruses built for it.
However, I also occasionally hear these concerns about the Linux kernel being monolithic, configs and sandboxing not being up to par, and there being problems with the security architecture of it. Because I’m only just diving into the technical side of things recently, I don’t know what I don’t know. At some point I guess I’ll better understand what the claimed cons are and if they’re even valid.
For now, most important thing is I’m on Linux, I know it’s fine, and I don’t have to worry about daily driving a sketchy system.
My threat model doesn’t call for something that extreme.
Before Fedora I was daily driving a Chromebook because it’s secure, stable, and cheap while using Linux for a gaming PC. The browser, Android apps, and Linux apps are all sandboxed and the OS itself is immutable. I left it for now at least because of course it’s run by Google and basically requires Chrome.
If I get too in my own head then I may switch to Fedora Silverblue since it’s also immutable, but I think I’m just being jumpy since I’m going from ecosystems whose security came from the support of large companies to an ecosystem where the support comes from a community. It’s just new to me and I feel like I can’t go off the signs I normally would to gauge relative safety, at least not in the ways I’m used to.
For me, I have over 200 email addresses for my own domain name. The email addresses are aliases that forward to my main inbox for filtering and processing. I don’t use any form of plus addressing or catchall for my own domain name. Instead, I simply create email addresses and give each site one unique email address. So far, I have not received anything that is considered dangerous, so the chances of getting malware through email are reduced. Of course, if all these 200 unique email addresses are for safeguarding against data breaches by deleting compromised email addresses, you are correct, but I’m talking about trying to keep email attacks at bay so I won’t get malware into a Linux, Windows, or Mac system.
So yeah, you would be fine with running Pop!_OS if you keep your security hygiene in top shape just as much as I did. There wouldn’t be a need for SELinux in Fedora or Qubes/FreeBSD distribution in order to stay secure. Because the biggest weakness in the cybersecurity chain is us, humans. Or whatever creature we might be.
Linux is secure, but the security of Linux should be the last line of defense against security threats. Why do I mention that? Because if you fall victim to a social engineering attack and that attack led you to execute a script that contained a Polkit privilege escalation attack, the error is on you for inadvertently executing a script on your Linux machine.