[linux-elitists] random questions

Rick Moen rick@linuxmafia.com
Sat Dec 8 22:12:22 PST 2001


begin Mike Touloumtzis quotation:

> Rick's page presents _an_ explanation, but I don't think it has much
> relevance to the real reason why current viruses don't present as much
> of a threat to Linux as they do to Windows.  It worries me that people
> lean a lot on "users can't write system files" arguments; to me they
> don't capture the essential reasons Linux is more robust against virus
> attacks.

You know, when you have time, you'd probably find it worth your while to
read the _full_ text of that first essay (and maybe even the three
related ones that follow).

One of the reasons people write FAQ-like articles and essays is, of
course, to avoid needing to retread old discussions that have been
done to death and become tedious.  For that reason, I _follow_ these
discussions where people have read part or all of one of my essays and
want to dispute it, but have no intention of reiterating what it says.
Accordingly, I'll (at most) pass lightly over those, and look for new
aspects the essay doesn't yet address.

> It's especially worrisome given that someone could yet come along (in
> fact, I expect it to happen) and create an environment which allows
> Microsoft-style viruses to propagate.

You'll eventually want to browse my essay's coverage of precisely this
matter in paragraphs 17-19 (and also paragraph 14).

Mind you, I realise the essay has gotten awfully long-winded over time
(so I won't get too huffy over your erroneous assumption that I've
missed this point, and consequently completely wrong characterisation of
its contents).  That's because it covers a lot of territory.
Occasionally, one of these discussions has brought up a new angle worth
addressing:  A few days later, the essay got that much longer -- and
this has been going on for the better part of a decade.

As it happens, I've been brooding of late over the matter you mention,
nonetheless -- both before Evolution 1.0's release, but more so since
then.  Before I start getting mail again from the good folks at Ximian,
I should stress that I haven't yet dug into specific security issues
with their stunningly attractive and generally impressive package.  But
there are pitfalls with that _sort_ of application that I worry about.

Specifically, what everyone seems to _want_ these MUA/PIM packages to do
is erase completely the distinction between running some code and
viewing some data:  Both are referred to as "opening" a file -- which is
often a file of dubious origin.  That key distinction is thereby kept
completely out of the user's consciousness, through sleight of jargon
(assuming some possibility exists of the concept perching there).

In the standard Unix-ish model, when a MIME or similar encoded inclusion
arrived in e-mail, you could save it (piped through an appropriate
decoder) to /tmp or somewhere, with no executable bit.  Executing its
contents required a very deliberate act of some sort, either feeding it
to an interpreter or doing chmod u+x and such.  Cautiously, many MUAs
have added a user command to pipe some attachments to forked external
processes according to their MIME types.  Theoretically, the MUA
designers and packagers are careful about what files are permitted this
treatment, and such processes _could_ run as an EUID of carefully
limited privilege.  To my knowledge, the latter isn't yet done.

The risks increase as more surprising actions can be triggered via
external interpreters running with the user's authority, and would
increase further when and if MUAs _auto_-launch such processes without
affirmative triggering by user commands.

I haven't yet thought through the threat models, but the whole area
makes me quite uneasy.  Wider use of chroot jails would make me feel a
bit better about it, but I've not seen any move towards same.  (It
should be used in Web browsers for the same reason.)

> First, but uninterestingly, there's market saturation. 

At your convenience, please get around to reading the fourth essay,
http://linuxmafia.com/~rick/faq/#virus4 , in which I attempted to do
to death this topic.

Again, I don't blame you for mouthing off about my four virus essays after
apparently having read only about the first two paragraphs of the
_first_ one.  They're long and probably a bit tedious.  But I always
read (and welcome) feedback to them, even from readers who didn't pay
attention, because sometimes I hear new (to me) angles that those essays
should address.

> There's also a lack of office software with insecure macro facilities.

Not an accident.  The reasons why are likewise addressed in the
aforementioned.

> I think the really interesting cause is that Linux has always done
> software distribution out-of-band....

Likewise addressed in the aforementioned.

> -- There's no such thing as a self-installing executable....

Hmm, I don't remember if I addressed this point in the essays or not.
I'll see if it can be usefully added.

If so, this might count as the first useful feedback you've posted.
Thanks.

> -- There is no way to install software straight from a link on the
>    Web.

Are you sure?  It might depend on what you mean by "straight from".
Boundary cases might include Real Player.

> -- For many reasons, people don't email programs to one another.

Likewise addressed (somewhat indirectly) in the aforementioned.
 
> -- No file distribution tools (mailers, Web browsers) save downloaded
>    or distributed files in executable form (+x).

Likewise addressed in the aforementioned.

> -- You don't even have any writeable directories in your $PATH unless
>    you explicitly put them there.

I could have mentioned this in the essays, but it would seem an
excessively baroque detail for pieces already long enough that a
presumably bright fellow like you didn't bother to actually read them
before presuming to criticise them.

> In short, it would be perfectly possible given Linux's security model to
> write a package manager designed to install per-user software packages in
> home directories....

Yes, worth watching out for.

> Another way of characterizing this form of virus security is that it
> comes not from the user/root distinction, but from a careful distinction
> between code and data even within a single privilege domain. 

Yeah.

This is, of course, the point I was mentioning above -- and one I've
been brooding over how to address most usefully (if at all) in my virus
essays.  As mentioned, the essays are already a bit over-long, but I
think this might count as a key point.

Every time I raise this point on-line -- and I could swear I've done so
here on this mailing list -- some otherwise intelligent people start
non-replying with non-sequitur objections like "Well, users don't want
to have to know that."  This happened even on Nick Petreley's late,
lamented forum.linuxworld.com NNTP newsgroups.  But, as far as I can
tell, it remains a vital point.

> P.S. Any of you know xauth well enough to describe a secure setup for
> running your web browser under a different user ID for security reasons?

OK, we're on the same wavelength, then.  I won't hold against you the
misreading of my essays for more than a few years.  ;->  But,
personally, I'd regard it as sufficient for only some called processes
to run under a different EUID -- e.g., plugins.

-- 
This message falsely claims to have been scanned for viruses with F-Secure
Anti-Virus for Microsoft Exchange and to have been found clean.
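Two of the properties the exchange above leans on (no writable directory in $PATH, and nothing a mailer or browser saved ending up with +x) can be audited from a shell. The script below is an added example, not from the post or the essays it cites; it assumes a POSIX sh with ls, cut and find, and ~/Downloads is only an assumed location for the second check.

```shell
#!/bin/sh
# Added audit script (not part of the original post).  Checks that no
# directory in a PATH string is writable by the current user or by
# everyone, and that a download/attachment directory holds no file with
# an executable bit set.  Both functions print findings one per line and
# return 1 when they found something, 0 when clean.

# writable_path_dirs PATHSTRING
# An empty entry in PATH means the current directory, so it is checked
# as "."; entries that do not exist are skipped.
writable_path_dirs() {
    found=0
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        [ -n "$d" ] || d=.
        [ -d "$d" ] || continue
        if [ -w "$d" ]; then
            printf 'user-writable: %s\n' "$d"
            found=1
        fi
        # 9th character of "ls -ld" output is the others-write bit
        if [ "$(ls -ld "$d" | cut -c9)" = w ]; then
            printf 'world-writable: %s\n' "$d"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# executable_files_in DIR
# Prints every regular file under DIR with any of the three execute bits
# set (octal 100, 010, 001), i.e. files a mailer or browser should never
# have created in executable form.
executable_files_in() {
    hits=$(find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# audit PATHSTRING DOWNLOADDIR: run both checks, exit status 1 if either hit
audit() {
    status=0
    writable_path_dirs "$1" || status=1
    executable_files_in "$2" || status=1
    return $status
}
```

To check your own account, source the file and run `audit "$PATH" "$HOME/Downloads"`.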
