DSL Ideas and Suggestions :: Security - Features, or afterthought?



Hello,

Please take this as comments and suggestions, for constructive
purposes, not simply as a criticism.

Allow me to leave some of my thoughts here about DSL and MyDSL.
I'm getting better with English but I'm not a native English
speaker, so please bear with me; I would appreciate it if you could
point out my mistakes.

I think the Knoppix Live CD is the greatest leap of late for Linux
and OSS.  Allowing Knoppix remastering is another strength
of OSS; I whole-heartedly applaud the efforts and great work that
allow a small distribution like DSL to experiment with new and
creative ways to get some work done.

I really love the idea of "small is beautiful" of DSL.  Also
love the "automation" idea and real code to do just that of
MyDSL.

My reservations, however, are a bit more complex.  Let me cut
to the chase here and say what the potential bad things with DSL
and MyDSL are.  Then I'll give some examples of a similar school of thinking.

DSL allows the default "dsl" user/account to sudo everything.
It is great if you are doing a hdd rescue, or backup.  I'll
venture to say it may be OK for your own LAN not connected to
the Internet; let's not argue about this last statement because
everyone has their own opinion.  The real problem is if you run
DSL on the Internet and someone exploits some security hole
and becomes the "dsl" user.  They can find out very easily, if
they do not already know, that "dsl" can sudo everything.  Now your machine
is owned by someone else, and it can become a spambot, a DDoS node,
or a node along the trail of a cracker's path, and they can wipe out
the log files at will.

Sure, someone may jump in and argue this is not the case if you
run from CD, or turn off the high-speed connection...  I'm simply
pointing out: if you imagine your invention became popular
and everyone is using it, what might happen?  In other words,
please be considerate of your actions.

MyDSL is great if I were to customize it for my own use, and could
build and share those *.dsl packages with trusted friends.  I enjoy
the similar automation motto, too.  The problem with MyDSL is the
very problem of "Ms. LookOut" and "Ms. Internet-Exploder"; well,
you can call that Ms. or Mrs., as in calling some middle-aged lady,
or old lady if you like.  The idea is to simplify complicated
configuration and setup steps, and just do things automatically.
It is a well-intentioned thing, but if taken beyond the original
intention, it can be very disturbing to say the least.

These "intention" things happen in life, not simply in computer
fields.  One example, if I remember correctly, is that Nobel's
invention of explosives was intended for mining or road construction...
but was later used in warfare.  Later in life Mr. Nobel set up
the Nobel Peace Prize.  An example of "minding your
own business, what I do doesn't concern you" is the drunk-driving
situation.

OK, I'll try to throw in my suggestions of one way I can think of,
but there are many ways to slice the pie...

For DSL, the way it runs from the live CD I have no problem with,
especially to help rescue a troubled machine.  For a hard-drive, or
even USB-drive, install, it may help if an additional user account
is created without sudo privileges by default.  It may be an extra
password to remember but it is probably better for us all on the
Internet.

For MyDSL, the folks doing the core of these MyDSL scripts and
programs already know enough about the ramdisk and what root can do to
the system.  Imagine what a rogue MyDSL in the wild can do?  Perhaps
using that ramdisk and overwriting the root file structure would
be best done in a chroot/jail environment?  Like what the old UML
(User-Mode Linux) was working on?  I say that because I think UML
has recently changed focus to tinker with VMware/Bochs ideas.  Using
MyDSL in a chroot environment with more restriction on sudo might
be quite a bit more work but will be much better for a hard-drive
or USB-drive installation.  But be mindful that a rogue MyDSL in the
current implementation (2005/01), running even from a CD, can wipe
out entire hard drives in just a few moments the way that DOS/Windoze
viruses have done.  Or it could be worse: it could turn those machines
into zombies on the Internet.

Best regards,

Just a concerned Netizen (Net-citizen).
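As an added example that is not part of the original post or of DSL itself, the script below checks a sudoers file for the kind of grant the post describes (an account allowed to run any command as root without a password) and shows the narrower, command-limited grant the post argues for in its place. The sample sudoers content is constructed here; the `dsl ALL=(ALL) NOPASSWD: ALL` line is my assumed spelling of the grant, and the function names `audit_full_sudo` and `find_passwordless_root_equivalent` are mine:

```shell
#!/bin/sh
# Added example, not DSL's own code. Audits a sudoers file for accounts allowed
# to run ALL commands as root and reports which of them need no password; the
# sample file is constructed and the "dsl ALL=(ALL) NOPASSWD: ALL" line is an
# assumed spelling of the grant the post describes.

# Print "user<TAB>nopasswd|passwd" for every entry whose command list is the
# bare word ALL. Comments, blank lines and Defaults lines are ignored, and
# whitespace is normalised so "ALL = (ALL)" and "ALL=(ALL)" read the same.
audit_full_sudo() {
    sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/ *= */=/g' \
        -e 's/^ //' -e 's/ $//' "$1" |
    awk '$0 != "" && $2 ~ /^ALL=/ && $NF == "ALL" {
        tag = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "passwd"
        print $1 "\t" tag
    }'
}

# Exit 0 and print the offending accounts when any non-root account has a
# passwordless ALL grant (the condition a hard-drive or USB install should
# fail a hardening check on); exit 1 when nothing was found.
find_passwordless_root_equivalent() {
    audit_full_sudo "$1" |
    awk '$1 != "root" && $2 == "nopasswd" {
             found = 1
             print "passwordless root-equivalent account: " $1
         }
         END { if (found) exit 0; exit 1 }'
}

# Constructed sample; not a real DSL /etc/sudoers.
sample_sudoers() {
    cat <<'EOF'
Defaults        env_reset
root    ALL=(ALL) ALL
# the live-CD convenience grant the post objects to (assumed form)
dsl     ALL=(ALL) NOPASSWD: ALL
# the narrower alternative: a rescue account limited to the tools it needs,
# and an everyday account with no sudo line at all
rescue  ALL=(ALL) NOPASSWD: /bin/mount, /bin/umount, /sbin/fdisk
EOF
}

f=$(mktemp)
sample_sudoers > "$f"
echo "== accounts that may run any command as root =="
audit_full_sudo "$f"
if find_passwordless_root_equivalent "$f"; then
    echo "FAIL: replace the ALL grant with a command list, or drop the line and use su"
else
    echo "OK: every root-equivalent grant still asks for a password"
fi
rm -f "$f"
```

Run it against the real file with `sudo sh -c 'audit_full_sudo /etc/sudoers'` after sourcing the functions; the `rescue` line is the shape to aim for on a hard-drive install, since it keeps the live-CD convenience for the rescue tools while an everyday account stays off the sudoers list entirely.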

I understand your concerns and your points are technically valid, but I do not lose any sleep over them.

Why?

I do not use any mydsl extensions that have not been superficially tested in the repository.  While it is possible that someone could sneak something in, the really obvious attempts at sabotage would be quickly identified and the extension would be removed from the repository.

The same risks exist for the user of other distros who downloads and installs Slackware, rpm and Debian packages from an untrusted source.   The apt-get / dpkg process uses root authority, so bad things can also happen.

The only difference is the volunteer-oriented contributor base and the ease of use that exists with the myDSL system; even the click-n-run stuff isn't too far from the click-n-install functionality you get with GUI package managers like Synaptic or kpackage, so the myDSL GUI isn't any worse than the traditional software installers.

It is impossible to build a livecd distro that achieves the goals of the DSL developer team without some marginal security risk.   You can make it more difficult to install software or do other things as root, but sooner or later the user will need to get to the root authority to do something on their system, and this cannot be prevented.  It is impossible to create a secure password on a livecd that is distributed publicly in ISO form with user documentation, unless you choose not to tell anyone about it, which makes the password useless.

DSL comes with the ability to change the password of the dsl and root user accounts on a hard drive installed system, so the tools are there if someone wants to use them.

Quote
DSL comes with the ability to change the password of the dsl and root user accounts on a hard drive installed system, so the tools are there if someone wants to use them.


Exactly, all the tools are there to make a hd-installed box as secure as any other Linux box out there.

But while running from ramdisk (cd/usb/frugal), if something goes wrong, you just reboot. The ramdisk versions are bulletproof. Even if you somehow manage to delete the kernel while running from ramdisk, you're okay! Just reboot! In ramdisk, you can do no wrong (unless you are messing with partitions, etc., of course)!

-J.P.

simple-user, do you think some process (terminal or flua) where the user would need to log into the liveCD each time with a password (whatever they want, could be different every startup)?  Then if they want to su or sudo they would need that password?
Other security that was taken into consideration:

1. No open ports or default daemons running upon boot up.
   If you want to run ftp or ssh then you start it. You change the passwords.

2. All code that is "DSL" is written in script, be it bash, sed, awk, perl, or lua/flua.
   Why? So that even the developers cannot introduce spyware or backdoors.
   We also use scripts for the users to read/learn/modify and have fun with.
   Some of us like to call this the "University of DSL".

3. We do not accept custom code in the user contributed extensions.
   Why? The same reasons as No. 2 above.

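The first post asks for a rogue MyDSL extension to be contained (a chroot or jail) rather than unpacked over the root filesystem by root, and the developers answer that contributed extensions are reviewed and may not carry custom code. As an added example that is neither DSL's own installer code nor anything from the thread, the script below does the review step mechanically: it audits a `tar -tv` listing of an extension for members that reach outside the expected install prefix, use absolute or `..` paths, carry setuid/setgid bits or link to absolute targets, and it stages the archive into a scratch directory instead of `/` to show what it would have written. It assumes a `.dsl` extension is a gzipped tar of paths relative to `/` that a clean extension keeps under `/opt` (or `/home`); the function names and the sample extension are mine and the sample is constructed:

```shell
#!/bin/sh
# Added example, not DSL's own code. Assumptions: a .dsl extension is a gzipped
# tar whose member paths are relative to / and which a clean extension keeps
# under /opt (or /home); the function names and the sample extension below are
# mine and constructed for this demonstration.

# Read a "tar -tv" listing on stdin and print one "FLAG <reason>: <path>" line
# per suspicious member. Exit status: 0 when nothing was flagged, 1 otherwise.
# (Member names containing spaces are not handled; tar -tv does not quote them.)
audit_listing() {
    awk -v allowed="opt home" '
    function flag(why, what) { bad = 1; print "FLAG " why ": " what }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF < 2 { next }
    {
        mode = $1; path = $NF; target = ""
        # symlink lines end with "link -> target"
        if (substr(mode, 1, 1) == "l" && NF >= 4 && $(NF-1) == "->") {
            path = $(NF-2); target = $NF
        }
        if (path ~ /^\//)                 flag("absolute path", path)
        if (path ~ /(^|\/)\.\.(\/|$)/)    flag("parent-dir traversal", path)
        if (target ~ /^\//)               flag("symlink to absolute target", path " -> " target)
        if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/)
            flag("setuid/setgid bit", path)
        # first path component decides whether the member stays under /opt or /home
        top = path; sub(/^\.\//, "", top); sub(/\/.*/, "", top)
        if (top != "" && !(top in ok))    flag("outside /opt or /home", path)
    }
    END { if (bad) exit 1; exit 0 }'
}

# Unpack an extension into a scratch directory instead of over / (the staging
# step the post asks for) and print the absolute paths it would have created.
list_staged_paths() {
    stage=$(mktemp -d)
    tar -xzf "$1" -C "$stage"
    ( cd "$stage" && find . -type f -o -type l ) | sed 's|^\.||'
    rm -rf "$stage"
}

# Build a constructed sample extension under $1: one legitimate program under
# /opt, one setuid helper, and a script that would land in /etc/profile.d.
build_sample_extension() {
    src=$1/src
    mkdir -p "$src/opt/hello/bin" "$src/etc/profile.d"
    printf '#!/bin/sh\necho hello\n' > "$src/opt/hello/bin/hello"
    chmod 755 "$src/opt/hello/bin/hello"
    : > "$src/opt/hello/bin/helper"
    chmod 4755 "$src/opt/hello/bin/helper"
    printf 'echo injected\n' > "$src/etc/profile.d/zz-hello.sh"
    ( cd "$src" && tar -czf "$1/hello.dsl" opt etc )
    echo "$1/hello.dsl"
}

work=$(mktemp -d)
ext=$(build_sample_extension "$work")
echo "== paths hello.dsl would create under / =="
list_staged_paths "$ext"
echo "== audit of the tar listing =="
if tar -tzvf "$ext" | audit_listing; then
    echo "clean: no findings, ready to install"
else
    echo "REJECTED: review the FLAG lines before letting root extract this over /"
fi
rm -rf "$work"
```

For a real extension, `tar -tzvf foo.dsl | audit_listing` is the whole check; the staging function is what a repository maintainer would run before the installer touches `/`, and it needs no root because nothing is written outside the scratch directory.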