[linux-elitists] random questions

Mike Touloumtzis miket@bluemug.com
Mon Dec 10 23:11:39 PST 2001

On Sat, Dec 08, 2001 at 10:12:22PM -0800, Rick Moen wrote:
> begin Mike Touloumtzis quotation:
> > Rick's page presents _an_ explanation, but I don't think it has much
> > relevance to the real reason why current viruses don't present as much
> > of a threat to Linux as they do to Windows.  It worries me that people
> > lean a lot on "users can't write system files" arguments; to me they
> > don't capture the essential reasons Linux is more robust against virus
> > attacks.
> You know, when you have time, you'd probably find it worth your while to
> read the _full_ text of that first essay (and maybe even the three
> related ones that follow).

Hmm, I did read the full text (and the security-related essays which
follow).  I will freely admit that I may have misinterpreted some of
your arguments.

First, in my feeble defense, I might plead that the earlier paragraphs are
pretty categorical about the real thwarted danger (running programs with
system privileges), and these later paragraphs read like a gloss.  I think
I fired up my argumentation dynamo about when I read this sentence:
"If you simply never run untrusted executables while logged in as the
root user (or equivalent), all the 'virus checkers' in the world will
be at best superfluous; at worst, downright harmful."  No matter what
comes later, I still feel that's a hard assertion to justify.

Second, my previous mail was not all about trying to correct your FAQ,
only the first part, but I clearly did a poor job communicating that.
My main point was to participate in a discussion, and in order to make
my point I needed to reiterate some of the things you _do_ explicitly
state in the FAQ.  My audience was the list, not just you.  Thus there's
no need to get all huffy over the assumption that I expected everything
I said to be new to you :-).

Third, I went back and read everything again, and it's clearer to
me now that we have been thinking about basically the same things.
However, even on (carefully) rereading what you say, I think that
the FAQ mischaracterizes the threat model by emphasizing minor points
unnecessarily and by merely alluding to things which I consider to be
crucially important.  Obviously you may disagree.

Upon rereading the paragraphs on auto-executing macros, I see that I
can read them in a way which accords more closely with what I wrote,
but here's what I came away with on my first reading:

-- Unix programmers are wary about writing programs which automatically
   run programs/macros which are received via email.

This is true, but it isn't quite the same thing I was talking about,
or at least it's a subset.  Windows users aren't just taken unawares by
auto-executing programs, they _intentionally_ run programs they receive
via email, or download from essentially random sites, all the time.
The whole UI is formulated to encourage this behavior; it's as if your
mailcap for shell scripts piped them to /bin/sh.  Based on your reply to
me, you have clearly been thinking about this, but nevertheless the FAQ
seems only to address programs and macros which auto-execute on receipt.
Everyone agrees (by now, at least) that that behavior is stupid.

-- Unix is safer because macros are text, and people will read them before
   running them.

Specifically, you state: "If a friend mailed you a script that would
erase all your files, would you run it?  Of course not."  Well, that's
the thing: Windows users will, and they won't read those scripts even
when they come to Linux.  Their only defense will be a system which
includes a barrier which requires a clue expenditure to convert data
to code.  You allude to this with the "save with the executable bit"
set, but don't discuss the point explicitly.

> One of the reasons people write FAQ-like articles and essays is, of
> course, to avoid needing to retread old discussions that have been
> done to death and become tedious.  For that reason, I _follow_ these
> discussions where people have read part or all of one of my essays and
> want to dispute it, but have no intention of reiterating what it says.
> Accordingly, I'll (at most) pass lightly over those, and look for new
> aspects the essay doesn't yet address.

Read what you like into my response.  My main point is not that you should
add new material to the FAQ, but that you should remove material that's
currently there, since it's not as relevant as its presentation indicates.
Reading my messages with a "new material only" filter won't yield much,
since I'm attacking (in a good old debating society spirit :-) the
material that's there now.

> > It's especially worrisome given that someone could yet come along (in
> > fact, I expect it to happen) and create an environment which allows
> > Microsoft-style viruses to propagate.
> You'll eventually want to browse my essay's coverage of precisely this
> matter in paragraphs 17-19 (and also paragraph 14).

In my reading of those paragraphs (17-19), you seem to assert: "the Unix
community wouldn't do that, and if they did, the foolishness of those
programs would quickly become apparent to all".  This is different from
my assertion that someone _will_ do it and that the resulting program(s)
might cause widespread harm; you make clear in your reply that you are
also concerned with this stronger form.

> I haven't yet thought through the threat models, but the whole area 
> makes me quite uneasy.  Wider use of chroot jails would make me feel a 
> bit better about it, but I've not seen any move towards same.  (It
> should be used in Web browsers for the same reason.)

chroot jails are still just too damn hard, since too many programs expect
to run within a real Unix environment with all its bells and whistles.
Al Viro's Plan-9-like namespaces direction for the VFS might address
this somewhat; bind mounts already help a little.  Frankly, the best
thing that could happen here IMHO is Debian support for chroot-based
installation of widely used daemons (e.g. Apache, BIND).

> > First, but uninterestingly, there's market saturation. 
> At your convenience, please get around to reading the fourth essay,
> http://linuxmafia.com/~rick/faq/#virus4 , in which I attempted to do
> to death this topic.  

Actually, I was aware that you covered this.  I was in full essay mode
by the time I wrote that, and the presence of something in my mail should
not be construed as an assertion that it's absent in your FAQ :-).  I
have kind of a didactic writing style, as I'm sure you have noticed, and
this is one of the reasons it pisses people off when I don't intend it to.

> > There's also a lack of office software with insecure macro facilities.
> Not an accident.  The reasons why are likewise addressed in the
> aforementioned.


> > I think the really interesting cause is that Linux has always done
> > software distribution out-of-band....
> Likewise addressed in the aforementioned.

Not in quite the same way, at least as far as I can tell.  As I stated
above, it seems like you're only talking about auto-executing macros
and programs, even if that wasn't your intention.

> > -- There's no such thing as a self-installing executable....
> Hmm, I don't remember if I addressed this point in the essays or not.
> I'll see if it can be usefully added.
> If so, this might count as the first useful feedback you've posted.
> Thanks.

If you _really_ think that starting a discussion about Linux and viruses
with fifteen paragraphs about not running code as root is the way to go,
then I don't think my feedback is going to be useful at all.

> > -- You don't even have any writeable directories in your $PATH unless
> >    you explicitly put them there.
> I could have mentioned this in the essays, but it would seem an
> excessively baroque detail for pieces already long enough that a
> presumably bright fellow like you didn't bother to actually read them
> before presuming to criticise them.

Again, I read the essay, and even modulo the mention of auto-executing
code, I still feel it misleads its readers.

> Every time I raise this point on-line -- and I could swear I've done so
> here on this mailing list -- some otherwise intelligent people start
> non-replying with non-sequitur objections like "Well, users don't want
> to have to know that."  This happened even on Nick Petreley's late,
> lamented forum.linuxworld.com NNTP newsgroups.  But, as far as I can
> tell, it remains a vital point.

I don't have much sympathy for the "users don't want to know that"
argument either.  Users don't want to know anything, but they want to have
their computers taken over and their credit card numbers stolen even less.
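A shell audit for the writable-$PATH point raised above (an added example, not code from this thread or from Rick's FAQ; it assumes only POSIX sh and find): it flags empty or relative entries, entries that do not exist, and directories that are group- or world-writable.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit a PATH-style list for
# entries that undermine the "no writable directories in $PATH" property.
# Classes reported (one "CLASS<TAB>entry" line each):
#   RELATIVE  empty or relative entry (resolves against the current directory)
#   MISSING   entry does not exist (someone else could create it later)
#   LOOSE     directory is group- or world-writable
# Returns the number of findings (0 when the list is clean).
audit_path() {
    rest="$1:"            # trailing ':' makes the loop consume the last field too
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # field up to the first ':'
        rest=${rest#*:}     # drop that field and its delimiter
        case $entry in
            "") printf 'RELATIVE\t(empty field)\n'; findings=$((findings + 1)); continue ;;
            /*) ;;
            *)  printf 'RELATIVE\t%s\n' "$entry"; findings=$((findings + 1)); continue ;;
        esac
        if [ ! -d "$entry" ]; then
            printf 'MISSING\t%s\n' "$entry"; findings=$((findings + 1)); continue
        fi
        # -H follows a symlinked entry (e.g. /bin -> usr/bin) so the target's
        # mode is tested, -prune stops find at the directory itself, and the
        # octal -perm tests (group write 020, other write 002) are POSIX.
        if [ -n "$(find -H "$entry" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
            printf 'LOOSE\t%s\n' "$entry"; findings=$((findings + 1))
        fi
    done
    return $findings
}

# Usage: audit the caller's own PATH, or a list passed as the first argument.
audit_path "${1:-$PATH}" || echo "PATH audit: $? issue(s) found" >&2
```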

