openSUSE vs Ubuntu security

openSUSE vs Ubuntu in terms of security…
Which one is more secure?

BrownieCat wrote:
> openSUSE vs Ubuntu in terms of security…
> Which one is more secure?

i can only suppose your question is:

Which default install is the most secure?

because if a security expert tunes both (after the install), they will
be equally secure–since openSUSE is Linux and Ubuntu is Linux, and
the flavor of Linux picked has nothing whatsoever to do with the level
of security available to any Linux…

the answer to the relative merits of the default install question is
then:

it is a matter of opinion, circumstance and need…and therefore no
clear cut answer like “This one is better than the other.” is possible…

that said, i can add: with just a few changes to openSUSE’s default
install i’m pretty comfortable with what i have…

and, since i’ve never installed Ubuntu (though i have installed Red
Hat, Fedora, Mandrake, Mandriva, Knoppix, Puppy, DSL, Xandros and
several others) i can’t even give you an opinion other than: it
depends on what you want (level of paranoia) and need (where and how
will you operate it…are you trying to keep dorm friends out, or
professional crackers, or spambot network builders, or the NSA, or
who??)…

i do remember others talking about some of the decisions made by the
Ubuntu folks (to make it easier for micro$ofties to transition) that
made their setup more prone to cracking…but, i don’t recall what
those were/are…


platinum

That’s a tough question.

One issue I have with Ubuntu is the ability for somebody to drop into root from the start up splash screen without a password out-of-the-box.

I was surprised that I had to open my firewall for sharing a printer in Ubuntu, but then again I’ve had to manually open a firewall port for Samba file sharing in openSUSE (receiving, not hosting).

A while ago I was in some obscure website I cannot recall which had embedded video on it. Ubuntu would not run it but openSUSE ran it without questions. Not sure if this is a good thing or not, but it was a difference between the two. (Note: it could have been a Silverlight video not Flash for all I know).

The question is an easy one. Everybody who has a proper security team would not have let the OpenSSL lack-of-randomness bug slip in.

Both in general are more secure than Windows to be sure; Ubuntu and openSUSE seem to be on par with each other.
Of course security bugs are bound to pop up no matter what OS you use.

Due to the “great” idea of setting “Use the same Password for root” as default in the installer when adding the first restricted user, openSUSE is now as “secure” as a standard Ubuntu installation.

The only difference is, you can easily uncheck this “feature” during installation, but as many new users will just do it the “Windows turned me into some kind of “analphabetic retard” by teaching me to ignore all message boxes or help windows and not read what the OS tells me”-way, it is not very difficult to guess the outcome.

As a consequence, getting the password of the normal, restricted user working on that machine, you are able to get root access, now how “secure” is that?

I hope this will be changed in the future, it’s just plain utterly stupid to set this as a default.

If it already has been changed (my last “new installation” of an openSUSE version is some time ago), then it’s a step into the right direction.

People (or distributions) who still think “sudo” should be used as the standard (and in default setting only!) way to do system administration, are completely incompetent on security matters and should not be considered when talking about “secure” setups.

Just my 0,02 €uros.

i agree!


platinum

Trying to figure out the user’s username AND the password instead of knowing one piece (username = root) and just needing the second?

  1. On a system with secure configuration, you will not be allowed to login as root remotely, no matter if you knew his password.

  2. How many remote attacks start with a direct login as root?

  1. If you have several users on a “we use sudo instead of su”-system you will have several users with potentially weak passwords.

If you give them elevated rights via sudo for all actions (aka “the Ubuntu way”, although this then has to be done explicitly for anyone but the first user), you gain one potential security hole per new user.

The whole concept is flawed due to the simple fact that sudo was never designed for that job.

Sudo is a great tool if used for its real purpose and used in a secure way to give certain users only elevated privileges for certain commands.

Let me show you an example:


axel@Fatboy:~> sudo zypper up
axel's password:
Daten des Repositorys laden...
Installierte Pakete lesen...

Die folgenden Pakete werden aktualisiert:
  java-1_6_0-openjdk java-1_6_0-openjdk-plugin 


Gesamtgröße des Downloads: 25,8 M. Nach der Operation werden zusätzlich 991,0 K belegt.

Yes, it might make sense (also for the admin) if users were allowed to update the system.


sudo rm -rf /
axel's password:
Sorry, user axel is not allowed to execute '/bin/rm -rf /' as root on Fatboy.

NO, it’s not a good idea to let stupid users like that axel-guy delete the root partition.
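The per-command policy behind axel’s session, as an added example that is not from the thread: a constructed sudoers fragment that lets one user run only package updates, plus a small check that flags rules granting unrestricted root (one full-root password per user). The user name “axel” and the zypper path are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-command sudo policy as axel's
# session illustrates, plus an audit that flags sudoers rules granting ALL
# commands as root ("the Ubuntu way": one full-root password per user).
# The user name "axel" and /usr/bin/zypper are illustrative assumptions.

# Write a constructed policy fragment to $1: axel may update packages and
# nothing else. On a real system install it with "visudo -f", never by hand.
write_restricted_policy() {
    cat > "$1" <<'EOF'
# Constructed example: package updates only, as root, password required.
Cmnd_Alias PKG_UPDATE = /usr/bin/zypper refresh, /usr/bin/zypper up
axel ALL=(root) PKG_UPDATE
EOF
}

# Print every rule in $1 that grants ALL commands as root (with or without
# NOPASSWD), skipping comments, Defaults and alias definitions.
# Exit status 0 means at least one such blanket grant exists.
has_blanket_root_grant() {
    grep -Ev '^[[:space:]]*(#|Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)' "$1" |
        grep -E '[[:space:]]+ALL[[:space:]]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
}

# Syntax-check a fragment with visudo when it is installed.
check_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; syntax check skipped" >&2
    fi
}

# Demo: write the fragment, syntax-check it and audit it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_restricted_policy "$tmp"
    check_syntax "$tmp"
    has_blanket_root_grant "$tmp" || echo "fragment: no blanket root grants"
    rm -f "$tmp"
fi
```

Run as root, `has_blanket_root_grant /etc/sudoers` (and each file under /etc/sudoers.d) lists exactly the rules that turn every listed user’s password into a root password.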

****, editing is not allowed in this subforum:

In a nutshell, an IMHO secure setup could look like this:

  • Installer forces the user to add root and another user with secure passwords (minimum length and complexity)

  • Remote login as root is not allowed

  • Local login as root into the GUI is also not allowed (this is more to prevent users from doing stupid things they “learned” from another OS)

  • SSH has to be activated explicitly, default is off

  • a minimal amount of services which can be reached remotely are running by default

Other options:

  • no running service listens by default on other addresses except localhost if not absolutely necessary (cups comes to mind, if you don’t have a network printer, then why should cups listen on all interfaces?). Of course at least SSH has to be an exception as its only purpose is to allow remote access (maybe also ftp-servers, httpd/apache not necessarily, a Web developer might want to run his webserver only locally to test his stuff).

  • When configuring SSH via YaST, it should explicitly show you a dialog to use key-based authentication, you should be forced to deactivate that feature to use “normal” passwords (this might be really tricky to implement in an easy way).

Other, less secure setups should be possible but not the default, of course the problem arising from this is also clear, more users complaining “xyz not working”, because it means you have to look more closely when configuring a new service.
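A quick audit of the checklist above, as an added example that is not from the thread: it reads an sshd_config file for the two SSH items (no root login, key-based instead of password authentication) and lists the listening sockets from `ss -ltnH` output that are reachable beyond localhost. The sample config and socket lines are constructed; the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit of the checklist above, run
# against an sshd_config file and the output of "ss -ltnH". The sample data
# below is constructed; on a real host use /etc/ssh/sshd_config and a live
# "ss -ltnH" pipe (see the --demo branch at the end).

# Effective value of an sshd_config keyword. sshd honours the FIRST match,
# so a later duplicate cannot override it. Match blocks are ignored here.
sshd_setting() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# The two SSH items from the list: no root login, keys instead of passwords.
# Prints one FAIL line per violated item; returns 1 if anything failed.
audit_sshd() {
    rc=0
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no' (still password-based)"; rc=1; }
    return $rc
}

# Read "ss -ltnH" lines on stdin; print local address:port of every listener
# not bound to loopback. After hardening, only sshd should remain here.
nonlocal_listeners() {
    awk '$4 !~ /^(127\.[0-9.]+|\[::1\]|localhost):/ { print $4 }'
}

# Constructed sample "ss -ltnH" output: sshd and cups on all interfaces (the
# cups case is the one called out above), a developer's web server on localhost.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
LISTEN 0 128 0.0.0.0:631     0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080  0.0.0.0:*
LISTEN 0 128 [::1]:631       [::]:*'

# Number of non-loopback listeners in the sample (2: ssh and cups on IPv4).
sample_nonlocal_count() {
    printf '%s\n' "$SAMPLE_SS" | nonlocal_listeners | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    audit_sshd /etc/ssh/sshd_config && echo "sshd_config: OK"
    echo "listeners reachable from the network:"
    ss -ltnH | nonlocal_listeners
fi
```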

Yes, but the advantage of sudo comes when changing the password of the admin: in a traditional Linux root system you need to remember two passwords, in sudo you need to remember one.
For new users, to have just one password alone can be confusing, especially former XP users who don’t know why passwords are so important.
I find it easier to use Ubuntu’s sudo than the traditional root, no extra commands needed to change the admin account’s passwords and settings.
I wish there was an easy way to change the root password instead of having to open up a terminal.

Correct me, if I’m wrong but:

a) if “admin” is the first user with admin privileges, then you don’t need sudo for that (just passwd)

b) if “admin” means root here, then changing his password is against the security concept of Ubuntu including root not having a real password

[quote="TaraIkeda,post:12,topic:34266"]
in a traditional linux root system you need to remember two passwords in sudo you need to remember one.
[/quote]

's/remember/crack/g'

's/remember/bruteforce/g'

:-)

[quote="TaraIkeda,post:12,topic:34266"]
For new users to have just one password alone can be confusing, especially former XP users who don't know why passwords are so important.
I find it easier to use Ubuntu's sudo than the traditional root, no extra commands needed to change the admin accounts passwords and settings.
[/quote]

And by that, less secure (as nearly always).

As mentioned above, you are not supposed to change root's password in *Buntu, it's against their security concept.

[quote="TaraIkeda,post:12,topic:34266"]
I wish there was an easy way to change the root password instead of having to open up a terminal.
[/quote]

Again, in *Buntu you are not supposed to do that and in openSUSE use YaST.

I love the fact of not having to use a virus scanner and things like that. As long as you keep your root password secure…

I read OpenSuse has a great firewall.

Unfortunately, it hasn’t been changed, still there to uncheck in 11.3. IIRC the Auto-Login also requires unchecking, but someone correct me if I am wrong. I have to always uncheck both those.

Either can be perfectly secure (…just leave the disk in the box :wink: ) or perfectly insecure; depends on the decisions that you make. Choose passwords like ‘password’ and you are not going to have much chance, irrespective of your choice of distro.

Having said that, some distros are better at responding rapidly to advisories, and while that is a real difference, you can completely negate it by not doing updates in a timely manner.

While I don’t really like the way that Ubuntu handles the root account and some of the defaults, you can make an adequately secure box with either (assuming some stuff like physical access control) and, assuming a level of competence on the part of the administrator, the fact that some defaults are, err, unhelpful can be overcome.

On Mon, 2009-09-21 at 03:56 +0000, BrownieCat wrote:
> openSUSE vs Ubuntu in terms of security…
> Which one is more secure?

Some would say Ubuntu because it doesn’t easily allow you to log in as
the root user… but it’s not really that big of a deal. Using sudo
with logging is just a way of giving everyone access to root in a mostly
anonymous way… I mean, you’ll know they did something, but depending
on the command, you’ll have no idea of the specifics… and of course,
just being able to do something as root means Ubuntu’s defaults can be
altered/changed easily.

In the past installing packages in Ubuntu would result in their
automatic configuration (with some really bad defaults) and their
IMMEDIATE start up (!!!).

So… Ubuntu ain’t no thang… they just think they are…

Just to clarify, not all users on an Obongo system can use sudo to gain root, only those in the adm group.

Hmm, are we so short of things to discuss about openSUSE that we have to dig up dead threads? :slight_smile:

/me starts handing out the shovels.

Maybe we need some sledge hammers and axes too. Zombies abound when you dig up the dead.

On Sat, 2010-08-07 at 00:06 +0000, Jonathan R wrote:
> ken_yap;2202634 Wrote:
> > Just to clarify, not all users on an Obongo system can use sudo to gain
> > root, only those in the adm group.
> >
> > Hmm, are we so short of things to discuss about openSUSE that we have
> > to dig up dead threads? :slight_smile:
> /me starts handing out the shovels.
>
> Maybe we need some sledge hammers and axes too. Zombies abound when you
> dig up the dead.

I don’t know… maybe digging up an old thread is better than making…
yet another new thread with the same subject line…