How can the OS run programs only from repositories?

I hope that the programs running are installed from repositories; that would keep me far away from malware or viruses, but Linux (or Windows) allows any programs and processes to run, even if they are unknown. Is it hard work to prevent unknown programs or processes from executing?

It is most likely user discipline and education.

  • Don't click anything in mails like "We found 145 security issues on your PC. Click HERE to remove them now for free. 100% secure!!!"
  • install software only from official distribution sources
  • think twice before clicking anything on the internet
  • keep your system up to date to always have the latest security patches
  • use sandboxing when using unknown/strange software
  • don't disable security functions of your distribution as long as you are not 200% sure what you are doing (firewall, AppArmor, …)
  • use brain.exe :wink:

@jusjun:

  • Never, ever, read e-Mail or, browse the Internet, with a user who has administrator privileges.
    Such as, the user “root” …

  • Consider using the Spam filter at your e-Mail Service Provider – login to the Web interface of your e-Mail Service Provider and check in “Settings” …
    If your e-Mail Service Provider doesn’t offer a Spam filter, consider installing a Spam filter on your Linux e-Mail Client.

  • Trust the separation of User and System processes inherent in UNIX® and Linux systems.

  • Make use of User Groups with related login Users to isolate specific tasks from one another.
    UNIX® and Linux are inherently multiple user systems with the ability to strictly separate the Users in any given (User) Group from, the Users in another specific (User) Group.

No, just like iOS on the iPhone, which only allows running apps from official repositories.

I am not sure what you mean with “apps”.

But when there is an executable file on a Unix/Linux system, the allowance to execute it by a user is the permission bit for execution (the x-bit, and the corresponding w-bit is also needed) corresponding with the user (read about file ownership by user and group and the permission bits that go with it).

As system manager you are the one responsible for the installation of programs on the system. When you do not want programs being usable on the system that are not installed from repositories, then do not install those programs (e.g. no direct download of scripts or binaries, no building of tarballs, etc.). And BTW, you can of course also restrict programs being installed (by yourself as system manager) in the system from certain repositories (e.g. non “standard” ones), by simply not adding those repositories to your repolist.

As system manager it is however rather difficult to block your users from downloading executables into their own directories (within their home directory), setting the x-bit for the owner and then executing them. Likewise it is very difficult to block users from creating programs themselves. It only needs an editor to create e.g. a bash script and execute that.

I have no idea about that environment, but the above is how Unix/Linux works.
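
The case described above, a file dropped into a home directory and given the x-bit, can at least be audited. The following is an added example, not part of the original posts: it lists files with an execute bit that no installed package owns. It assumes an RPM- or dpkg-based system; the function names `pkg_owns` and `find_unpackaged_execs` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report executable files that were not
# installed by the package manager. Assumes rpm or dpkg-query is available;
# if neither is, every executable file found is reported.

# pkg_owns FILE -> exit status 0 if an installed package owns FILE
pkg_owns() {
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then
        return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1 && dpkg-query -S "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# find_unpackaged_execs DIR -> prints one path per line
find_unpackaged_execs() {
    # Regular files with the execute bit set for owner, group or others.
    # -xdev keeps the scan on one filesystem. File names that contain a
    # newline are not handled.
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
    while IFS= read -r f; do
        pkg_owns "$f" || printf '%s\n' "$f"
    done
}

# Run as a script: sh audit.sh /home   (the script name is hypothetical)
if [ "$#" -gt 0 ]; then
    find_unpackaged_execs "$1"
fi
```

On dpkg systems with a merged `/usr`, a file may be recorded under `/bin` while it is found under `/usr/bin`, so system directories can produce false reports; home directories are not affected by this.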

Thanks to your answer to hui, it’s now more or less clear as to where your thoughts are heading –

  • Yes, in the past, UNIX® and Linux were quite immune to unwanted influences to any given system’s behaviour.
    Apart from the fact that, any given user is able to execute whatever they wanted to, within their privilege area –
    The area where their UID and GID allowed them to read and write files –
    «For the case of UNIX® and Linux, “everything is a file” … »
    And, UNIX® began as a tool to aid scientific research within Bell Labs – therefore the scientists were allowed to read and write whatever they wanted to within their storage area …

Fine, but, the world has moved on and, currently Linux desktops are moving towards “The user shall be allowed to install whatever they want to.” – without any intervention by a system administrator …


So, as far as Linux is concerned, we have two situations –

  1. Systems (usually servers) where only the system administrators are allowed to install or remove applications.

  2. Systems (usually desktop systems) where the system’s user is allowed to install or remove applications as they want to – but, only within their user space …

For the second case, please note that, the “user” is singular …

Further, for the second case, it’s a single user system with only that user’s data stored on it –

  • If it breaks (due to the user’s behaviour), re-install it …

Bottom line:

Yes, UNIX® and Linux are inherently secure and reliable systems but, we can’t “save the world”.

  • If any single user introduces something terrible to the system then, that user’s data is in danger and, may well be destroyed.