Paranoid Penguin - Security Features in Ubuntu
For a couple years, I resisted my friends' attempts to get me to check out Ubuntu. I thought, “What's the big deal? It's just another Debian derivative.” But, of course, I was wrong. Ubuntu is remarkably easy to install and use, and although it is indeed based on Debian, its emphasis on usability and simplicity sets it apart.
Furthermore, both the Desktop and Server editions of Ubuntu use dual-purpose live CDs that can be used either to install Ubuntu or run it from CD without affecting any other operating systems on your hard disk. This makes it easy to test-drive Ubuntu before installing it to your hard disk. (The live CD method of booting Linux has important, useful security ramifications; however, that will be the topic of an entire future column.)
So, I have been messing around with Ubuntu quite a bit lately and thought you might enjoy a survey of its security capabilities.
First, a quick note about the scope of this article—I'm sticking to Ubuntu Desktop; space doesn't permit me to include Ubuntu Server, but I might cover it in a future column. Suffice it to say for now that Ubuntu Server is a subset of Ubuntu Desktop, lacking the X Window System and most other non-server-related software.
I also do not explicitly cover Kubuntu, which simply is Ubuntu running the KDE desktop rather than GNOME; Edubuntu, which emphasizes educational applications; or Xubuntu, which is Ubuntu with the Xfce desktop. Everything I cover in this article should apply to these Ubuntu variants, but there may be subtle differences here and there.
Note also that Gobuntu, an experimental subset of Ubuntu consisting only of completely free/unencumbered software packages, probably has considerably fewer security features and packages than Ubuntu proper.
Ubuntu security isn't very far removed from Debian security; underneath the GUI, Ubuntu is very similar to Debian. In this sense, Ubuntu shares all of Debian's security potential, and then some. If a given security tool is available as a deb package that works correctly in the current version of Debian, it also can be installed in the current version of Ubuntu.
So, why dedicate an entire article to Ubuntu security? Two reasons. First, because it has been more than a year since my last article on Debian security. Second, Ubuntu has a few key differences from standard Debian: its status as a live CD distribution (which among other things makes it a good choice for running on untrusted hardware) and its ease of use, which on the one hand, doesn't yet much apply to Ubuntu's security features, but it does make Ubuntu more attractive to non-expert users than Debian proper, amplify the ramifications of Ubuntu security. Ubuntu also uses AppArmor, a powerful means of restricting dæmon behavior.
Software is the key difference between Debian and Ubuntu. I've long been of the opinion that Debian's staggering array of software packages is also one of its biggest challenges. Figuring out which of those thousands of packages you need can be confusing even for expert users. A key design goal of Ubuntu is, therefore, to support a smaller, carefully selected subset of Debian's packages.
Ubuntu, however, doesn't merely rebundle standard Debian packages. Ubuntu maintains its own versions, and according to Wikipedia, in many cases, Debian and Ubuntu packages aren't even binary-compatible. (The Ubuntu team has pledged to keep Ubuntu compatible with Debian by sharing all changes it makes to Debian packages, but the Debian team has grumbled about Ubuntu's team not being prompt enough in doing so.)
The biggest source of confusion I've experienced with Ubuntu personally is that Ubuntu uses a different package repository schema than Debian, and Ubuntu's own Web pages aren't terribly clear as to how it works. But, it's actually straightforward.
The main repository consists of fully supported, free (unencumbered) packages that are maintained by the Ubuntu team, the core of which is employees of Canonical Ltd. The main repository, therefore, is the heart of Ubuntu.
The restricted repository consists of nonfree (copyrighted) packages that are nonetheless fully supported and maintained, due to their critical nature. The majority of these packages are commercial hardware drivers that lack open-source equivalents.
The universe repository contains free software packages that are not considered part of Ubuntu's core, and therefore, they are not fully supported. The Ubuntu team takes no responsibility for security patches for these packages; unlike those in the main repository, security patches for universe are issued only when the software's developers issue them.
The multiverse repository contains commercial or otherwise IP-encumbered packages that are not part of Ubuntu's core, and it has the least amount of support from the Ubuntu team. As with universe, multiverse security updates are purely opportunistic.
In all four repositories, the vast majority of Ubuntu packages correspond with Debian packages. But, again, because all Ubuntu packages are maintained separately, don't assume it's safe to install a package from the universe or multiverse repositories just because it's fully supported in Debian. The Ubuntu team is committed to providing prompt security patches only for the main and restricted repositories.
In my opinion, this is a perfectly justifiable trade-off, just as it is in RHEL and CentOS—the fewer packages a distribution supports, the greater the feasibility of supporting them well, and the lesser the complexity of the distribution. High complexity and effective security seldom go together. However, the fact that you can't rely on timely security updates for universe and multiverse packages also means that Ubuntu may not be the best choice for you if you're going to depend heavily on packages from those repositories.
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
|Dart: a New Web Programming Experience||May 07, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- Validate an E-Mail Address with PHP, the Right Way
- New Products
- Developer Poll
- Tech Tip: Really Simple HTTP Server with Python
- direct cable connection
7 min 44 sec ago
- Agreed on AirDroid. With my
18 min ago
- I just learned this
22 min 10 sec ago
52 min 14 sec ago
- not living upto the mobile revolution
3 hours 43 min ago
- Deceptive Advertising and
4 hours 19 min ago
- Let\'s declare that you have
4 hours 20 min ago
- Alterations in Contest Due
4 hours 21 min ago
- At a numbers mindset, your
4 hours 22 min ago
- Do not get Just Almost any
4 hours 25 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.