Paranoid Penguin - Security Features in Ubuntu
Now that I've explained how Ubuntu's repositories are structured, I can describe how to use them. Obviously, there's a lot more to system security than installing or not installing software. But, software is one of the biggest, if not the biggest, differentiators between Linux distributions, so it's a logical place to start.
One interesting thing about the Ubuntu Desktop installer is that at initial setup/installation, it doesn't ask you which software packages to install. It installs a static set of applications, and subsequently you can only add to or remove from it. Nor does the Ubuntu Desktop installer configure firewall rules or allow you to set any other security parameters, beyond creating the first nonroot user account.
Clearly, this installer emphasizes simplicity and speed. Luckily, Ubuntu is configured with reasonably good security by default.
For example, it isn't possible to log in as root. Instead, you log in using an account with administrative privileges, such as that initial account the installer creates for you, then you use the sudo command to execute individual commands as root. (You can use the Users and Groups applet in the System→Administration menu to grant or revoke administrative privileges to users.)
Using sudo prompts you for your own password (the root account on Ubuntu doesn't even have a password!), and then executes the given command. Graphical programs in Ubuntu automatically use sudo and prompt you for your password as needed.
Using sudo provides granular control over who can execute what privileged commands. It also logs all commands it executes. Having the root account present but essentially disabled also makes it somewhat more difficult for hostile code to gain root access. In short, I heartily approve of this design decision in Ubuntu. For more information, take a look at the Ubuntu RootSudo page (see Resources).
Once you've installed Ubuntu, you can install additional software packages as needed, using the Install and Remove Applications applet (Add/Remove... in the Applications menu) or the Synaptic Package Manager (in the System menu under Administration). Figure 1 shows the Install and Remove Applications applet.
This applet is very simple to use, and it comes preconfigured with a set of Ubuntu repositories on the Internet. If you want to install packages from universe or multiverse, you need to enable this under Preferences. By default, only packages from main and restricted are shown.
Personally, I prefer the Synaptic Package Manager (Figure 2). It handles dependencies more gracefully and offers more options for filtering and listing packages. It also lists raw packages (all the individual deb packages that make up an application), whereas the Add/Remove Applications applet lists packages only by application name (which isn't as precise). If installing an application involves four separate component packages plus seven dependencies, I want to know it.
Note that both the Add/Remove Applications applet and the Synaptic Package Manager use the Software Sources applet to obtain current lists of available packages. You need to know this, because by default, neither the universe nor multiverse repositories are enabled, and the Software Source applet is where you enable them. In the Ubuntu desktop's System menu, open the Administration submenu to find the Software Sources applet. If you make changes in this applet, you'll be prompted to download fresh package lists before quitting.
Before I discuss actual packages, here's one more note about obtaining them: besides the Ubuntu repositories on the Internet, you also can install packages from the Ubuntu Desktop 7.10 CD. However, beyond the packages installed automatically, this CD contains only 29 additional packages from main and three from restricted. Therefore, in practice, you'll have to download most of the software you install after the initial system installation.
- March 2015 Issue of Linux Journal: High-Performance Computing
- Not So Dynamic Updates
- April 2015 Video Preview
- Users, Permissions and Multitenant Sites
- New Products
- Flexible Access Control with Squid Proxy
- Security in Three Ds: Detect, Decide and Deny
- Non-Linux FOSS: MenuMeters
- DevOps: Everything You Need to Know
- Tighten Up SSH