Linux Mint versus Ubuntu security


Updated: June 20, 2014

Controversy, here we go. If you have followed the Linux world news in the past months, you will surely have come across a number of clickbaitful articles claiming that Linux Mint comes with a degraded security level compared to Ubuntu, and then the official rebuttal and all that. What you did not see was the chief arbiter give his own opinion, i.e. me.

All right, I am going to do that right away. I will give you MY perspective on the whole security thingie, what it is and what it is not, and then how you should handle these two distros on the security front. It will also tell you whether you should heed the fear and drama in the headlines. Follow me.


Linux security in a nutshell

We have discussed this almost ad nauseam before. First we talked about the necessity of an anti-virus program in Linux, then the linear attitude Windows users have when switching from their proprietary system to Linux. Hint, you don't need an anti-virus program in any which environment you use, including Windows. And finally, there's my OSNews article, about practical security tips. All of these are still very much valid and true when it comes to Linux security.

Therefore, if you spend some time reading, you will learn that getting infected on Linux is not likely, for many reasons, including the lack of code portability, overall tech savviness of the average user, the root and user separation, frequent updates from official repositories, and a bit more besides. It is difficult to say which one counts the most, but if you ask me, it is most likely the user's skill rather than any specific software. Because when people want to install something, they will, and nothing will stop them.

The claim

So it starts with the claim that Mint is less secure because they offer certain security updates, mostly related to the kernel and Xorg, later than Ubuntu. The reason for this is the fact that Linux Mint uses a level system to mark their updates. Those branded 1-3 are considered safe and stable. Those marked 4-5 are considered unstable and risky, and they are not marked by default for installation.

Mint updates mechanism

This is where the drama begins. Now, there is nothing to prevent you from installing these, manually. You just mark them, and move on, and they will happen. Therefore, the security level is pretty much identical. However, by default, for those who do not bother making any changes to their update settings, there will be a certain time window, a delay if you will, between Ubuntu getting the packages out, and Mint users having their boxes patched.
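One way to see what that window contains on a given box, as an added example that is not from the original article: save the output of `apt-get -s dist-upgrade` (a dry run that changes nothing) and list the pending updates that come from a security pocket. The sample output and its version numbers are constructed, and the code assumes Ubuntu's `<release>-security` pocket naming.

```python
import re

# Shape of an "Inst" line printed by `apt-get -s dist-upgrade`:
#   Inst <pkg> [<installed>] (<candidate> <origin>[, <origin>...] [<arch>])
# "[<installed>]" is absent when the package is new, as with a new kernel image.
INST = re.compile(r"^Inst (\S+)(?: \[([^\]]+)\])? \((\S+) (.*?)(?: \[[^\]]+\])?\)")

# Package families the article says arrive later by default: kernel and Xorg.
KERNEL_XORG = ("linux-image", "linux-headers", "xserver-xorg")

def pending_security(sim_output):
    """Return pending updates that come from a '-security' pocket."""
    found = []
    for line in sim_output.splitlines():
        m = INST.match(line.strip())
        if not m:
            continue  # "Conf" lines, headers, blank lines
        pkg, installed, candidate, origins = m.groups()
        pockets = [o.strip() for o in origins.split(",")]
        if not any(p.endswith("-security") for p in pockets):
            continue
        found.append({
            "package": pkg,
            "installed": installed,  # None for a newly installed package
            "candidate": candidate,
            "kernel_or_xorg": pkg.startswith(KERNEL_XORG),
        })
    return found

# Constructed sample output (version numbers are illustrative, not from the article).
SAMPLE_SIM = """\
Inst linux-image-3.13.0-29-generic (3.13.0-29.53 Ubuntu:14.04/trusty-security [amd64])
Inst linux-image-generic [3.13.0.24.28] (3.13.0.29.35 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst xserver-xorg-core [2:1.15.1-0ubuntu2] (2:1.15.1-0ubuntu2.1 Ubuntu:14.04/trusty-security [amd64])
Inst firefox [29.0] (30.0 Ubuntu:14.04/trusty-security [amd64])
Inst gedit [3.10.4-0ubuntu4] (3.10.4-0ubuntu5 Ubuntu:14.04/trusty-updates [amd64])
Conf firefox (30.0 Ubuntu:14.04/trusty-security [amd64])
"""

if __name__ == "__main__":
    for u in pending_security(SAMPLE_SIM):
        tag = "kernel/Xorg" if u["kernel_or_xorg"] else "other"
        print(f'{u["package"]:32} {u["installed"] or "(new)":22} -> {u["candidate"]:22} {tag}')
```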

The risks involved

Now, the big question is, how much of a risk this really is. Namely, what is going to happen if your Mint box does not receive all of the Ubuntu security updates for a while, and keeps running with older, unpatched software?

The answer is: not a biggie. To explain this, we will veer into the realm of Windows, which according to doom preppers and security vendors, is constantly under the threat of Ebola and AIDS and malware. And there, you can safely go about not installing security updates for months. You merely need to use a good and patched browser, and not install crap on your own, as in pr0ndownloader2013.exe. If you abide by these simple rules and ignore emails asking you to confirm your personal details on random sites across the Web, you will be fine.

Now, Mint. You get browser updates with the rest of them, so your Firefox is fully up to date. You also have the firewall enabled and running in Mint. Sudo mechanism is there, the repositories are signed. So far so good. How about open ports? Well, by default Ubuntu ships with no open ports, as a policy, whereas Mint does offer file and printer sharing for the local network. Perfectly sane in both cases. Comparing the few systems I have at home, which are configured for normal human use, pr0n-over-LAN, Ubuntu:

sudo nmap -A -T4 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-15 19:01 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000058s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp open  ipp         CUPS 1.7
Nmap done: 1 IP address (1 host up) scanned in 24.03 seconds

And Mint:

sudo nmap -A -T4 localhost

Starting Nmap 6.00 ( http://nmap.org ) at 2014-03-16 19:06 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp open  ipp         CUPS 1.6
Nmap done: 1 IP address (1 host up) scanned in 23.44 seconds

AppArmor!

Aha, I knew it. There you go. Linux Mint does not ship with AppArmor or any profiles. Well, interesting, not. The thing is, security tools like AppArmor or SELinux are much like HIPS software in Windows. In other words, not necessary. Moreover, they usually cause more harm than good by blocking legitimate software from running. What we like to call the false positive, or fail publicly (FP).

Indeed, if I look at the history of my involuntary use of AppArmor and SELinux in various distros, I have seen the former kick in only once, and the latter about three dozen times, and each example was a case of a legitimate program being mislabeled. In theory, yes, they might prevent exploits, but you're not running a commercial Web server, so relax.

Jan 17 19:23:18 rogerfast kernel: [  311.401223]
type=1400 audit(1389979398.214:86): apparmor="DENIED"
operation="open" parent=1265
profile="/usr/lib/libvirt/virt-aa-helper"
name="/home/uroger/.local/share/gnome-boxes/images/boxes-unknown"
pid=3322 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
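To check how often a profile really fires, and on which files, the denial records can be tallied. This is an added example, not part of the original article: it parses records of the shape shown above, with the article's record joined onto one line and the other two sample lines constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value"
STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")  # audit(<epoch>.<ms>:<serial>)

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    m = STAMP.search(line)
    if m:
        fields["time"] = datetime.fromtimestamp(int(m.group(1)), timezone.utc)
        fields["serial"] = int(m.group(2))
    return fields

def summarize(lines):
    """Count denials per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            key = (d.get("profile"), d.get("operation"), d.get("name"), d.get("denied_mask"))
            counts[key] += 1
    return counts

# The record from the article, joined onto a single line.
PAGE_RECORD = (
    'Jan 17 19:23:18 rogerfast kernel: [  311.401223] type=1400 '
    'audit(1389979398.214:86): apparmor="DENIED" operation="open" parent=1265 '
    'profile="/usr/lib/libvirt/virt-aa-helper" '
    'name="/home/uroger/.local/share/gnome-boxes/images/boxes-unknown" '
    'pid=3322 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)
SAMPLE = [
    PAGE_RECORD,
    PAGE_RECORD.replace("1389979398.214:86", "1389979460.501:91"),  # constructed repeat
    'Jan 17 19:18:20 rogerfast kernel: [   13.100000] type=1400 audit(1389979100.100:12): '
    'apparmor="STATUS" operation="profile_load" name="/usr/sbin/cupsd" pid=801 '
    'comm="apparmor_parser"',  # constructed non-denial record
]

if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:3}x {profile}: {op} {path} (denied {mask})")
```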

And the most important message

This is the crux of it, watch carefully please:

Conclusion

The default Linux Mint security level is different than Ubuntu. No argument there. But to say it is not as secure is like saying Leopard 2 is not as secure as Abrams. In both cases, the landscape of actual practical usage is so far off the reality scale, there is no reason to waste time contemplating it. And yes, you can install all of the packages you want, so you are not limited in any way.

The Linux malware threat is far smaller than the chance of a user deleting their own data or voluntarily sharing personal info on social networks. Backup and restore, that's the most important piece, and yet, it is so easily overlooked. Your disk will fail sooner than you will get pwned by your latest Tijuana donkey streaming toolbar for Linux. Relax, enjoy life, and forget about sensational security nonsense. In fact, there's a new Mint available, and it's a Long Term Release, so why not install and test it, you will be delighted.

Cheers.
