Is Linux really that secure, with only root password denying external access?

Question

While I was searching online for information about Linux security, the most typical explanation was: Linux is secure, because the root password is required to access the kernel and install new applications - therefore external malicious software can't do any harm as long as the administrator is the only person to know the password.

OK, that sounds good. But when a password is the only thing that stands between restricted access and total control of the system, is the system really that secure? By that I mean all kinds of tricks hackers think of to access systems, and particularly to reveal data (passwords).

Answer 1

"Linux" (as some aggregate of all the installations) typically has quite a bit more than just a password denying external access.

First, there's a uniform set of discretionary access controls: read/write/execute permissions, for user/group/everybody else. Traditionally, these permissions are actually used, rather than ignored and/or worked around. Additionally, some subset of installations have SELinux installed, configured and working, so that finer-grained, access control list style of permissions is enforced.

Second, servers usually run as a designated special user. NTP processes run as as user "ntp". Web server processes run as a user "http", MySQL databases runs as a user "mysql", for example. The descretionary access controls described above almost always prevent the NTP user ID from doing much more than reading some of the HTTP user ID's files.

Third, the software installed base is highly fragmented. There's a huge number of different distributions. After that, not every installation runs Apache HTTPD, or sendmail SMTP server. There are alternatives, and there's usually only a plurality of installations with a given server. Versions of software are also highly fragmented. With every distribution compiling and maintaining its own choice of web server, it's very, very rare for two installations to run a server that has the same bugs, or even the same compilation options.

So, for instance, someone going after a Linux machine via WordPress password guessing can maybe guess the WordPress password. That might get the attacker something running as user "http" or "apache". Bad and horrifying as that might be, it's not everything. The "http" or "apache" user almost certainly can't overwrite very many files at all, only HTML and what have you in the DocumentRoot directory. It would take another leap, guessing the "root" password for some distributions, or exploiting a local privilege escalation, to get to some kind of universal file access.

This really is multiple layers, but note that it's mainly by culture and tradition, and it's also a sort of "herd immunity". It's always possible that some combination of exploits would yield root access on a given system, but that combination probably wouldn't apply to very many other systems.

Answer 2

While I was searching online for information about Linux security, the most typical explanation was: Linux is secure, because the root password is required to access the kernel and install new applications - therefore external malicious software can't do any harm as long as the administrator is the only person to know the password.

You're right in that it's not the password that makes a system safe, it's the tools and the culture (but let's not completely discount the password). The easier you make it for people to set up and administrate user groups, accounts, and privileges, the easier you make it for a system to be secure.

In earlier Windows versions ⁽¹⁾, having a single user account with all privileges was the norm. No password, full administrator rights. This basically meant that Uncle Joe could do whatever he needed to do without worrying about things like elevated privileges. It also meant that any code managing to execute under his name would have free rein over the machine. It was up to individual programs, if they so chose, to implement fail-safes and 'Are you really, really sure?'-boxes.

By contrast, Unix/Linux have long been multi-user systems by design. They are built with the idea that there will be different roles with different security requirements:

• Administrators maintain the system. They may need to upgrade the operating system, modify programs, add/remove groups and privileges... All this means they need pretty much unfettered access.

• Users are everyday consumers of the system services, the Uncle Joe from above. They use software to write letters, read documents, surf the web, play games, and so on. They can install software to a degree, but only within their own sphere of influence; they can't modify system software or libraries.

• Running services are often given their own user accounts as well, because they tend to have very limited, well-defined needs. MySQL will need some directories it can write to, a network port it can open, and so on, but it does not need access to Uncle Joe's documents or the ability to overwrite/modify software (even itself).

So even if a running service is compromised (an HTTP server, for instance), if it is itself not running under the highest privileges, it is limited in the amount of lasting damage it can do. This mindset of running under limited privileges is what makes it a more secure system.

---

OK, that sounds good. But when a password is the only thing that stands between restricted access and total control of the system, is the system really that secure? By that I mean all kinds of tricks hackers think of to access systems, and particularly to reveal data (passwords).

That's kind of like saying a vault isn't safe because people with the combination can get in.

But still, you make a fair point. Become root, get full access.

Any system where someone needs special access leaves room for that someone to be impersonated. That's why the number one rule for any password protected system is not to leak the password.

There are mitigation strategies that you can use to limit the damage of a compromised root account, such as whitelisting only specific IP address ranges, changing passwords once every while, or disallowing some roles from elevating to root regardless of password.

It's not perfect. But it sure beats Uncle Joe's no-password administrator account.

---

(1) But don't Windows Vista and later also make this distinction? Even before Windows Vista, separate accounts with separate privileges were available but, in my experience, not commonly used.

Answer 3

There is no secure system. There are only systems which might be sufficiently secure against specific kind of attacks, and attack scenarios might change fast.

Linux as a desktop system profits from low adoption, which means that you are not an attractive target for mass attacks. Also it provides better segmentation between security boundaries, that is, it is usually not enough to just click OK to execute something as administrator. You also have to explicitly set the executable permission on a file to make it an executable, because this property is not derived from the file name like in Windows.

Linux as a server system can be secure too, but unfortunately lots of administrators just believe that Linux is secure and don't live security. For example, they don't keep all software on the system updated on a daily basis, check log files, etc. This often makes Linux an easy target for attacks against vulnerable web applications (WordPress plugins, etc.). And once the attacker gets access as a local user this way, it is usually easy to become root, too. There were enough privilege escalation vulnerabilities in recent years for Linux which can be used.

So Linux can be made sufficiently secure for lots of tasks, but don't believe the hype and just install the system and then forget about it. And also don't believe that Windows is insecure - recent versions can be made sufficiently secure, too, but you still have to know what you're doing and keep everything up-to-date.

As requested, some tips on how to keep the systems (Linux and Windows) secure enough. There might be more resources online, but these are the main points from my experience:

• Keep the systems as up-to-date as possible. This means that you only install supported software. In Linux it is mostly enough to stay with the software coming with the system and running updates regularly or use automatic updates. On Windows it is much harder, because you don't get too much with the system. The software you really need then comes either with their own updater (Adobe Flash, Adobe Acrobat Reader, Oracle Java, iTunes, etc.), requires you to check the vendor's site for updates on your own or is not supported at all. Often you will run old software you bought once, but which is no longer supported, because you don't want to pay again just to get a supported version (which might need better hardware too, etc.). On Linux of course you have to update any software from external sources too, for example, something like WordPress plugins.
• Then you should only install software you really need. The less software you have, the smaller the attack surface is and the easier is it to stay up-to-date. Especially on Windows this is not easy, because you often just get a software bundle with lots of other software. For example, you once got the Safari browser together with iTunes on Windows. This browser is no longer supported on Windows and now you have lots of systems with an insecure and unsupported software on it.
• Avoid software with a bad security record if possible. This currently means at least Java, Flash, and Acrobat Reader.
• Lower the attack surface when surfing. This means not only to avoid the dark corners of the Internet, but also to install some ad-blocking to avoid malvertising, etc.
• On Windows you should install some virus scanner.
• And of course be careful. Don't open any suspicious mails, etc. Think twice if you do online-banking and other sensitive tasks. Maybe use a special Linux system from USB-stick for these tasks.

Answer 4

I think this Q/A site maybe not the best place for discussing the whole of Linux security, but:

• root access is usually restricted to local accounts, which you first have to get
• application installation is usually restricted to software sources, not executable installers
• linux has fewer users, and those users keep to better software practices (mainly because updating/upgrading is easier/less costly) and are therefore less of a target

Choosing a good root password is of course of the utmost importance, especially if you do allow other users to have access to your systems. In the end it is just another layer of security though.

Otherwise it would be a good idea not to expect too much from protection of the root account.

Answer 5

Additional to the above answers, I'd like to point out that Linux PAM makes it possible to add additional security checks for any user (and thus also for root). For example requiring a certificate, a usb key (like YubiKey), etc.