openSUSE vs Ubuntu security

[BrownieCat]

openSUSE vs Ubuntu in terms of security...
Which one is more secure?

BrownieCat wrote:
> openSUSE vs Ubuntu in terms of security...
> Which one is more secure?

i can only suppose your question is:

Which default install is the most secure?

because if a security expert tunes both (after the install), they will
be equally secure--since openSUSE is Linux and Ubuntu is Linux, and
the flavor of Linux picked has nothing whatsoever to do with the level
of security available to _any_ Linux..

the answer to the relative merits of the default install question is
then:

it is a matter of opinion, circumstance and need...and therefore no
clear cut answer like "This one is better than the other." is possible..

that said, i can add: with just a few changes to openSUSE's default
install i'm pretty comfortable with what i have..

and, since i've never installed Ubuntu (though i have installed Red
Hat, Fedora, Mandrake, Mandrivia, Knoppix, Puppy, DSL, Xandros and
several others) i can't even give you an opinion other than: it
depends on what _you_ want (level of paranoia) and need (where and how
will you operate it...are you trying to keep dorm friends out, or
professional crackers, or spambot network builders, or the NSA, or
who??)..

i do remember others talking about some of the decisions made by the
Ubuntu folks (to make it easier for micro$ofties to transition) that
made their setup more prone to cracking...but, i don't recall what
those were/are..

--
platinum

[dragonbite]

That's a tough question.

One issue I have with Ubuntu is the ability for somebody to drop into root from the start up splash screen without a password out-of-the-box.

I was surprised that I had to open my firewall for sharing a printer in Ubuntu, but then again I've had to manually open a firewall port for Samba file sharing in openSUSE (receiving, not hosting).

A while ago I was in some obscure website I cannot recall which had embedded video on it. Ubuntu would not run it but openSUSE ran it without questions. Not sure if this is a good thing or not, but it was a difference between the two. (Note: it could have been a Silverlight video not Flash for all I know).

[jengelh]

The question is an easy one. Everybody who has a proper security team would not have let the OpenSSL lack-of-randomness bug slip in.

[TaraIkeda]

Both in general are more secure then windows to be sure, Ubuntu and openSUSE seem to be on par with eachother.
Of course security bugs are bound to pop up no matter what OS you use.

[Akoellh]

Due to the "great" idea of setting "Use the same Password for root" as default in the installer when adding the first _restricted_ user, openSUSE is now as "secure" as a standard Ubuntu installation.

The only difference is, you can easily uncheck this "feature" during installation, but as many new users will just doing it the "Windows turned me into some kind of "analphabetic retard" by teaching me to ignore all message boxes or help windows not read what the OS tells me"-way, it is not very difficult to guess the outcome.

As a consequence, getting the password of the normal, restricted user working on that machine, you are able to get root access, now how "secure" is that?

I hope this will be changed in the future, it's just plain utter stupid to set this as a default.

If it already has been changed (my last "new installation" of an openSUSE version is some time ago), then it's a step into the right direction.

People (or distributions) who still think "sudo" should be used as the standard (and in default setting only!) way to do system administration, are completely incompetent on security matters and should not be considered when talking about "secure" setups.

Just my 0,02 €uros.

i agree!

--
platinum

[dragonbite]

Quote:

Originally Posted by Akoellh

As a consequence, getting the password of the normal, restricted user working on that machine, you are able to get root access, now how "secure" is that?

Trying to figure out the user's username AND the password instead of knowing one piece (username = root) and just needing the second?

[Akoellh]

1) On a system with secure configuration, you will not be allowed to login as root remotely, no matter if you knew his password.

2) How many remote attacks start with a _direct_ login as root?

[Akoellh]

3) If you have several users on a "we use sudo instead of su"-system you will have several users with potentially weak passwords.

If you give them elevated rights via sudo for all actions (aka "the Ubuntu way", although this then has to be done explicitely for anyone but the first user), you gain one potential security hole per new user.

The whole concept is flawed due to the simple fact, that sudo was never designed for that job.

Sudo is a great tool if used for its real purpose and used in secure way to give _certain_ users only elevated privileges for _certain_ commands.

Let me show you an example:

Code:

axel@Fatboy:~> sudo zypper up
axel's password:
Daten des Repositorys laden...
Installierte Pakete lesen...

Die folgenden Pakete werden aktualisiert:
  java-1_6_0-openjdk java-1_6_0-openjdk-plugin 


Gesamtgröße des Downloads: 25,8 M. Nach der Operation werden zusätzlich 991,0 K belegt.

Yes, it might makes sense (also for the admin) if users were allowed to update the system.

Code:

sudo rm -rf /
axel's password:
Sorry, user axel is not allowed to execute '/bin/rm -rf /' as root on Fatboy.

NO, it's not a good idea to let stupid users like that axel-guy delete the root partition.