Unpleasant Linux Observations
Most IT professionals are serious about security in the server space. The desktop space is another topic.
I am no security expert. Despite the usual hoopla about Linux being a secure environment, there are a handful of unpleasant security facts about Linux based systems.
- The X graphic stack lacks app isolation.
- There is no firewall support to sandbox apps.
- No built-in ability to sandbox apps.
- Long Term Support (LTS) distro releases remain a hodge-podge of security patches.
- Kernel hardening is more less a special interest group activity rather than mainline.
Some might argue the problem is not the Linux kernel, where developers stress the philosophy that the kernel does not break user space. That is, the security issues are user space problems.
The basic ’nix model is built on multi-user support and security. Certain security work-arounds exist, such as ACLs, PolicyKit, ConsoleKit, PAM, AppArmor, SELinux, CGroups, Firejail, or Qubes OS. The work-arounds are much like a quilt patch project. The overall desktop design does not address these issues.
Likely this will remain the case even as Linux continues to gain traction in the desktop space. When desktop popularity reaches a certain critical mass, malware authors will have fun attacking Linux systems. Then developers might finally provide some of this missing security.
I do not have answers. I appreciate that many people will choose convenience and dancing pigs over security, which makes security design challenging. I appreciate that computers are complex tools, perhaps one of the most complicated ever invented. Security is not black and white. Security is not easy. Security is and always will be a balancing act of risk versus benefit. I only wish some of these observations did not exist.