Linked by Amjith Ramanujam on Sat 19th Jul 2008 19:01 UTC, submitted by cypress
Linux and UNIX-like operating systems in general are regarded as being more secure for the common user, in contrast with operating systems that have "Windows" as part of their name. Why is that? When entering a dispute on the subject with a Windows user, the most common argument he tries to feed me is that Windows is more widespread, and therefore, more vulnerable. Apart from amusing myths like "Linux is only for servers" or "does it have a word processor?", the issue of Linux desktop security is still seriously misunderstood.
Yeah But... How long before
by shotsman on Sun 20th Jul 2008 06:16 UTC
shotsman Member since:
2005-07-22

There is some piece of malware that relies upon the fact that say 95% of Ubuntu users still use 'sudo' OOTB?
Here is a great gaping security hole.
Personally, I think using 'sudo' without a password is plain crazy and actually go that one step further on all my Linux boxes and disable it completely.

As Distros like Ubuntu (and its other coats of many colours) grow in popularity I think that it will get the attention of the hackers and a new generation of threat will occur. The old adage of security through obscurity will no longer apply.

Reply Score: 2

RE: Yeah But... How long before
by raver31 on Sun 20th Jul 2008 11:26 in reply to "Yeah But... How long before"
raver31 Member since:
2005-07-06

There is some piece of malware that relies upon the fact that say 95% of Ubuntu users still use 'sudo' OOTB?
Here is a great gaping security hole.
Personally, I think using 'sudo' without a password is plain crazy and actually go that one step further on all my Linux boxes and disable it completely.

As Distros like Ubuntu (and its other coats of many colours) grow in popularity I think that it will get the attention of the hackers and a new generation of threat will occur. The old adage of security through obscurity will no longer apply.


Clearly you are a little confused, and your post shows you have not used a Distro like Ubuntu.

Sudo always DEMANDS a password before it will allow a command to run, so I do not know where you got the idea it did not use one.

The old idea that it is secure because no-one is using Linux is also a load of balls, there are millions of internet servers running Linux. If I wanted to write a virus, I would write one that would take out the infrastructure of the internet, rather than hose up some basement dwelling internet poker players/porn junkies PC.

The quote you gave, "The old adage of security through obscurity will no longer apply.", I hope you are aware that the "security through obscurity" idea was put about by Microsoft, when people were looking for access to the Windows source code to try and make it as secure as Linux, Microsoft told them that because the source code is not out in the open, Joe Public could not search for vulnerabilities, so it was in essence security through obscurity.

Now, instead of spouting off crap, actually download and TRY a Linux distro. Until you do so, your opinions are not valid and your posts on Linux and Linux security are useless.

Reply Parent Score: 10

shotsman Member since:
2005-07-22

'Dude' I do use Kubuntu on a daily basis on several Servers. I use Xubuntu on my laptops. None have sudo enabled.
I have come upon many Ubuntu systems where the user demanded that it was 'Setup like Windows' and the password requirement for sudo was removed.
I was also using an EEEPC earlier today for the first time. It also had no password requirement for using sudo. I don't know if that was the default or not so I can't comment on that.
If it is that easy to remove the requirement for a sudo password then I have to say that it is a security hole big enough to drive a Routemaster through.
I'm of the 'old school' Linux user (Since Slackware 1.1, Unix since 1984) who believes in passwords and long ones at that for all critical accounts.
But hey, FOSS is all about choice. You can run your system OOTB or with (from my experience it is quite widespread) sudo passwords disabled if you want to. All I'm saying is that it is all too easy to disable sudo passwords and it could be a major security problem to targeted malware.

Reply Parent Score: 2

Morgan Member since:
2005-06-29

I don't disagree with your take on this, but a small correction is in order. For every terminal session that you have active, you only have to give sudo your password once. Any sudo commands you run after that will not ask for your password again until you close your terminal session and open a new one.

Reply Parent Score: 3

Whats That There Member since:
2005-09-21

Yeah, your Linux Boxes.

Do they say Starting Windows when you turn them on?
Your post shows complete ignorance of Linux and especially Sudo.

Sudo will ask for a password when you enter the first command. Then it will stay active, ONLY in that instance. If you want another Sudo instance, you need to type in the password.

Reply Parent Score: 3

RE: Yeah But... How long before
by WereCatf on Sun 20th Jul 2008 11:59 in reply to "Yeah But... How long before"
WereCatf Member since:
2006-02-15

Here is a great gaping security hole.
Personally, I think using 'sudo' without a password is plain crazy and actually go that one step further on all my Linux boxes and disable it completely.


This is something I totally agree with. sudo without a password is essentially the same as running as root. Any virus/malware/hacker etc can do anything they want on your *buntu installation as long as they can run sudo. It might be user-friendly... but it sure as hell ain't secure.

When I was using Gentoo I configured sudo to require password for everything except a few predefined commands, and I'm glad that Mandriva does also require password when you're trying to use sudo.

Reply Parent Score: 2

-oblio- Member since:
2008-05-27

Dude, Ubuntu's sudo requires a password - the user's password - before doing anything.

https://help.ubuntu.com/community/Sudoers

Have you ever used Ubuntu, as the posters before me would say? ;)

# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL

As you can see, it's commented out, so by default it DOES require a password.

Reply Parent Score: 5
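
Added example (not part of any post in this thread, and not Ubuntu's or sudo's own tooling): a small Python check that reads sudoers text and reports only the active rules that let sudo run without a password prompt, so the commented-out `%sudo` line quoted above counts as inactive while an uncommented copy is flagged. The sample file and the users alice and bob are constructed; `timestamp_timeout` and `!authenticate` are standard sudoers Defaults settings, and included files are not followed.

```python
import re

# Constructed sample in sudoers syntax; the two comment lines are the ones
# quoted from the Ubuntu default file in the post above.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=15
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
alice ALL=(ALL) NOPASSWD: ALL
bob ALL=(root) NOPASSWD: /usr/bin/apt-get update, \\
    /usr/bin/apt-get upgrade
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        # '#include...' is a directive and '#<digits>' is a uid, not a comment.
        if not line or (line.startswith("#") and not re.match(r"#(include|\d)", line)):
            continue
        yield line

def audit(text):
    """Return (kind, subject, detail) for each rule that skips the password."""
    findings = []
    for line in logical_lines(text):
        subject = line.split()[0]
        if subject.startswith("Defaults"):
            # A negative timeout means the cached credential never expires.
            t = re.search(r"\btimestamp_timeout\s*=\s*(-\d+(?:\.\d+)?)", line)
            if t:
                findings.append(("timestamp-never-expires", subject, t.group(1)))
            if re.search(r"!\s*authenticate\b", line):
                findings.append(("authenticate-off", subject, "!authenticate"))
            continue
        parts = re.split(r"NOPASSWD\s*:", line, maxsplit=1)
        if len(parts) == 2:
            cmds = " ".join(parts[1].split())
            first = cmds.split(",")[0].strip()
            kind = "nopasswd-all" if first == "ALL" else "nopasswd-limited"
            findings.append((kind, subject, cmds))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding, sep="\t")
```

On a real system, `visudo -c` checks the file's syntax and `sudo -l` lists the rules that apply to the current user.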

RE: Yeah But... How long before
by repvik on Sun 20th Jul 2008 15:15 in reply to "Yeah But... How long before"
repvik Member since:
2005-07-04

There is some piece of malware that relies upon the fact that say 95% of Ubuntu users still use 'sudo' OOTB?
Here is a great gaping security hole.

It still requires a password, so it's not gaping in my opinion...

Reply Parent Score: 2

RE: Yeah But... How long before
by OMRebel on Mon 21st Jul 2008 13:21 in reply to "Yeah But... How long before"
OMRebel Member since:
2005-11-14

Are you saying that 95% of Ubuntu users use sudo without a password???? What are you smoking? You're showing your ignorance on this subject.

Edited 2008-07-21 13:26 UTC

Reply Parent Score: 2