Linux - General (LinuxQuestions.org)
This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum then this is the place.
I've just taken delivery of a brand new Eee PC 901 (Linux, of course). Hardware-wise, it's a very neat bit of kit. The keyboard is cramped but usable, and the display is very nice. There are nice aspects of the default distro, as well. As well as very speedy boot, it recognised my USB HSDPA modem automatically. I did have to tweak some things, of course, such as using update-alternatives to change the default terminal to konsole, so that I could set the font size to something readable on a 9" screen, and hacking the simpleui.rc XML file that defines the default tabbed user interface.
Where I have serious concerns, though, is over security, for the following reasons:
sudo is set to allow the user to run any command without a password. Removing the NOPASSWD directive from the relevant line in /etc/sudoers, and setting passwd_timeout, leaves you without a user interface on boot.
There is no support for iptables in the default kernel, and so no firewall.
samba and portmap are enabled by default (for some reason, services are launched from a script - /usr/sbin/services.sh and the standard rc*.d directories appear to be ignored)
The Antivirus package - ESET - (not normally needed in Linux, but I think necessary, given the above) doesn't seem to have a setting for scheduled scans, and is set by default to scan only the user's "My Documents" folder (so ignoring any possibly compromised system folders).
I feel that this version of Linux is actually less secure than Windows XP. So, what to do? Install one of the major distros, modified so that it won't thrash the SSD drive? Install XP (since there's so much non-free software here anyway that there's not much moral high ground in sight)? Or continue trying to mod the Eee's distro?
If I could just find a list of the specific programs that have to run with sudo but no password, I'd be quite content. I have contacted Asus asking them to address the concerns, but not sure how they will respond.
Quote:
Originally Posted by Robhogg
sudo is set to allow the user to run any command without a password. Removing the NOPASSWD directive from the relevant line in /etc/sudoers, and setting passwd_timeout, leaves you without a user interface on boot. (..) If I could just find a list of the specific programs that have to run with sudo but no password
Commands should be logged?
Quote:
Originally Posted by Robhogg
There is no support for iptables in the default kernel, and so no firewall.
Auch. What kernel does it run anyway?
Quote:
Originally Posted by Robhogg
samba and portmap are enabled by default (for some reason, services are launched from a script - /usr/sbin/services.sh and the standard rc*.d directories appear to be ignored)
Comment out services in /usr/sbin/services.sh plus TCP wrappers for those daemons that adhere to it? Not having a firewall sounds kinda odd though. Could you post an nmap scan of the machine?
Quote:
Originally Posted by Robhogg
The Antivirus package - ESET - (not normally needed in Linux, but I think necessary, given the above) doesn't seem to have a setting for scheduled scans, and is set by default to scan only the user's "My Documents" folder (so ignoring any possibly compromised system folders).
Not that necessary, but could be changed but I think on-access scanning is a performance hit (more than having a kernel with firewalling IMHO) plus lowers the MTBF.
Quote:
Originally Posted by Robhogg
Or continue trying to mod the Eee's distro?
I'd go for that. Modding it sounds interesting plus you'll be helping others. You can always install another distro later on, right?
When I first checked, logging seemed to be very sparse and syslogd was not running. I'd added a line to the services.sh to start it, but just checked and found that it had stopped again. Seems like an update I installed earlier today replaced this script. I've added it again, so I'll see what I can see there.
Quote:
Auch. What kernel does it run anyway?
uname -r shows it as 2.6.21.4-eeepc, so custom but not that old.
Quote:
Comment out services in /usr/sbin/services.sh plus TCP wrappers for those daemons that adhere to it? Not having a firewall sounds kinda odd though. Could you post an nmap scan of the machine?
I'd already commented them out, though they were uncommented by the aforementioned update. Not done anything before with TCP wrappers, but I'm not sure I need any of these services running (at the moment, anyway). I'll look at getting a scan of it - netstat shows the following (with the services running):
Quote:
Not that necessary, but could be changed but I think on-access scanning is a performance hit (more than having a kernel with firewalling IMHO) plus lowers the MTBF.
I have also been considering trying to install tripwire, to monitor the important folders (for suspicious activity, or for updates changing things annoyingly).
Quote:
Modding it sounds interesting plus you'll be helping others. You can always install another distro later on, right?
That's what I was thinking. However, I'm trying to work out how to get started. At the very least, I need a USB CD-ROM drive so that I can boot it after a failure, to see what is being logged. Also, my skills at the moment are not up to any really ambitious modding - it would be more a case of seeing which programs are refusing to run with sudo secured, then creating specific exceptions for them (and perhaps a modified kernel with iptables enabled).
Wrt logging, if you have another machine available on your LAN you could let the other machine serve as syslog server (but if you intend to carry your EEE around a lot you should script some simple logic to make it not log to remote outside of your own LAN). Wrt your kernel, maybe rebuilding the eee kernel on eeePC could help enable slash disable some stuff to make it faster slash safer? And if you don't need those services I'd kill them (even though there's not that much, on a public hotspot you probably wouldn't want to advertise any of those to the world). Wrt tripwire and booting after SNAFUs, if you have another machine you could use webjob to make the remote handle the tripwire binary and logs (the Rootkit Hunter tarball has an example if you want a quick 'n dirty HOWTO). Finally, while making backups would be first priority, if the machine has a PXE boot capable NIC then you might want to look into that if you're short on peripherals slash slots.
A little update - after a bit of use, /var/log/auth/auth.notice shows the following commands as having been run with sudo (excluding some that I have sudo'd myself, that I can't see have any particular system purpose):
I'll try setting the system to only allow sudo to run these programs NOPASSWD, when I have a moment to back up everything and then restore from "brick" mode.
The entry for /bin/sh is problematic, though. The full command-line in this case is:
Just a brief note: I have now modified sudoers, and I can still boot and shutdown successfully. I have added the following to the "Cmnd alias specification" section:
I'm not pretending that this work is complete. The programs I have created NOPASSWD exceptions for are those that show up on my machine. For instance, the THREEG Cmnd_Alias is for the Asus "Mobile Phone Tools" which enable my Huawei 3G modem. I suspect that additional exceptions would be needed for Wireless networking, and wired setup using DHCP. I also haven't been using any desktop tools that would need Sudo'ing.
If you have an Eee, and want to check what has been running on your machine using sudo, first enable the syslogd daemon by adding the following line near the top of the /usr/sbin/services.sh script:
/etc/init.d/sysklogd start
Reboot your Eee, then use it for a bit (possibly restarting several times). Then execute:
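As an added example (not a command from this thread), here is a small POSIX shell script that pulls the distinct COMMAND= values out of sudo's syslog lines, optionally keeps only entries sudo logged with TTY=unknown (invoked without a terminal, e.g. by boot scripts rather than typed by the user), and formats them as a sudoers Cmnd_Alias line. The log lines and the alias name EEE_BOOT are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a NOPASSWD candidate list from
# sudo's syslog entries (e.g. /var/log/auth/auth.notice on the Eee).
# Assumes sudo's standard syslog line format:
#   ... sudo:  user : TTY=... ; PWD=... ; USER=root ; COMMAND=/path/cmd args

sudo_commands() {
    # Reads syslog text on stdin; prints each distinct COMMAND= value once.
    sed -n 's/^.* sudo: .*COMMAND=//p' | LC_ALL=C sort -u
}

unattended_sudo_commands() {
    # Same, restricted to entries with TTY=unknown. sudo logs TTY=unknown when
    # it has no controlling terminal, so this heuristically separates commands
    # run by system scripts from ones the user typed (an assumption, not
    # something the thread states).
    grep -F 'TTY=unknown' | sudo_commands
}

cmnd_alias() {
    # $1: alias name. Reads one command per line on stdin and prints a single
    # sudoers "Cmnd_Alias NAME = cmd1, cmd2 ..." line (arguments are kept, since
    # sudoers matches them when they are given).
    awk -v name="$1" '
        { sep = (NR > 1) ? ", " : "Cmnd_Alias " name " = "; printf "%s%s", sep, $0 }
        END { if (NR) printf "\n" }'
}

# Constructed sample log lines (not real Eee output).
SAMPLE_LOG='Jul 10 09:01:02 eeepc sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/services.sh
Jul 10 09:01:05 eeepc sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/bin/sh -c /usr/bin/some-helper --arg
Jul 10 09:05:10 eeepc sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/ls /root
Jul 10 09:06:00 eeepc sshd[1234]: Accepted password for user from 192.0.2.10 port 50000'

# Stand-alone demo: everything sudo ran, then only the unattended subset as an alias.
printf '%s\n' "$SAMPLE_LOG" | sudo_commands
printf '%s\n' "$SAMPLE_LOG" | unattended_sudo_commands | cmnd_alias EEE_BOOT
```

Replace the sample with `cat /var/log/auth/auth.notice | unattended_sudo_commands | cmnd_alias EEE_BOOT` to generate the line for your own machine, then review each entry (a /bin/sh entry in particular) before granting it NOPASSWD.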