I want to make Linux my main OS. I’ve used Windows for decades. Since Vista or 7, the Windows security model is this, from what I understand:
- unprivileged programs have limited/no ability to do scary things to your computer. they might be able to read some data, but it’s not going to implant malware in the boot sequence for Windows.
- if a program wants escalation, it triggers a UAC popup and the user has to accept it. Remote programs cannot accept UAC on a physical person’s behalf. Escalated programs have admin level control and can do the scary things.
- As with any OS, there may be privilege escalation vulnerabilities that escalate (1) into (2).
I’ve only had Windows malware a few times since Win7, and the entry point was fairly avoidable. (Running a sketchy EXE, and a possible drive-by malware install via an advertisement. I could never prove the latter.)
I have never run a password on my Windows machines.
On any system, physical access is game over.
On Linux, the password is paramount. I’ve tried to understand the security model and I keep failing. Synthesizing from arch wiki
SSH
Equivalent to local physical access as the user. If it’s a sudoers or root account, it can do scary things. Not a threat if ssh is disabled or well secured (password or key pairs).
If a network has a well configured firewall (on the router), it should block ssh requests from outside the network unless the admin specifically wants SSH outside the network.
As with any OS, there may be bugs that allow remote access outside of SSH.
Local login / password prompts to physical users
Without a password, you can’t escalate to root and install new software. Some software, often dealing with hardware (smartctl) requires sudo/root to run.
Encrypted drives
Passwords can decrypt drives if they are encrypted.
Keyrings
Some DEs (KDE) offer a ‘keyring’ that stores passwords. It’s locked/encrypted with a password, usually the same as the login password.
So what am I missing? Is Windows + UAC + no password secure? What is Linux protecting us from by using passwords?
unprivileged programs have limited/no ability to do scary things to your computer. they might be able to read some data, but it’s not going to implant malware in the boot sequence for Windows.
No, but they can still severely harm your computer/data. Unprivileged programs can still delete or encrypt everything in your home directory or inject themselves into other unprivileged programs or a commonly used shortcut file. You’re probably thinking of containerized apps which are much more limited than the default user permissions and access can be given only to what is needed instead of everything your user has access to.
Linux is as susceptible to this as Windows. It’s not that hard to write a proof of concept malware in Python that copies itself to somewhere in your home directory and appends
python ~/.some-boring-config-directory-most-people-never-open/some/more/subdirectories/for/obfuscation/persist.py
to your bashrc. You can do the same on Windows with Powershell, JScript, or even VBS, all of which can do severe damage even without privilege escalation. For example, there was that fake captcha scam a while back which social engineered people into pasting Powershell scripts into their run window, and is able to persist even without UAC permissions. A well known equivalent attack on Linux are those bash shell tutorial sites with the handy copy button next to the listed commands, which can control what is pasted into your clipboard and might not actually give you the command it appears to give you. Even on a user space bash terminal, something like
rm -rf /*
can delete all your data, ironically not the system and application files that can be replaced (since those require root) but it can delete your personal files that you actually care about just fine. They can also persist on your system by appending stuff into your bashrc with >, because that file is owned by your user and therefore doesn’t need extra permissions. Any modern operating system is so complex and has so many parts interacting with each other that it’s always possible to hide something malicious somewhere in the Rube Goldberg machine which most people will never notice. Real malware doesn’t use the typical persistence methods normal programs do because they are well documented and easy to defend against. Linux can be said to be better than Windows in this regard due to being open source and auditable and therefore doesn’t have nearly as many undocumented hiding places (and Linux is generally less Rube Goldbergy), but it is definitely not immune. Never ever run any untrusted program or script, not even unprivileged. The biggest thing Linux has over Windows in this regard is the package manager, which is actively moderated by your distro maintainers, so you don’t have to download random installers from the internet like on Windows.
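Added example, not written by any poster in this thread: the post above describes persistence by appending an interpreter call on a hidden dot-directory script to ~/.bashrc. This is the defender's side of that, a small checker that reads shell rc file contents and flags lines matching that pattern (plus the "curl | sh" style). The sample ~/.bashrc is constructed for the example; the heuristics are assumptions, so anything it flags still needs a human look (a legitimate ~/.local/bin script would trip it too).

```python
import re
from pathlib import Path

# Constructed sample ~/.bashrc contents: a few normal lines plus one appended
# line in the style the post describes. Not taken from any real system.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export EDITOR=vim
alias ll='ls -alF'
[ -f ~/.fzf.bash ] && source ~/.fzf.bash
python ~/.some-boring-config-directory-most-people-never-open/some/more/subdirectories/for/obfuscation/persist.py
"""

INTERPRETERS = r"(?:python3?|perl|ruby|node|sh|bash|zsh)"
# An interpreter invoked on a path inside a hidden directory under $HOME.
HIDDEN_EXEC = re.compile(rf"\b{INTERPRETERS}\s+(?:~|\$HOME)/\.[^\s/]+/")
# Download piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:sh|bash)\b")


def suspicious_rc_lines(text):
    """Return (line_number, line, reason) for each line matching a heuristic.

    Comments and blank lines are skipped; everything else is checked against
    the two patterns above. Heuristic only: review every hit by hand.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HIDDEN_EXEC.search(stripped):
            findings.append((n, stripped, "interpreter run on script in hidden directory"))
        elif PIPE_TO_SHELL.search(stripped):
            findings.append((n, stripped, "download piped to shell"))
    return findings


def scan_rc_file(path):
    """Run the same check over a real rc file (e.g. ~/.bashrc or ~/.zshrc)."""
    return suspicious_rc_lines(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    # Runs against the constructed sample; swap in scan_rc_file("~/.bashrc")
    # expanded with Path.home() to check your own shell startup files.
    for n, line, why in suspicious_rc_lines(SAMPLE_BASHRC):
        print(f"line {n}: {why}: {line}")
```

The same idea extends to ~/.profile, ~/.zshrc, ~/.config/autostart/*.desktop and user crontabs, which are the other user-owned startup hooks the post's point applies to.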
Any modern operating system is so complex and has so many parts interacting with each other that it’s always possible to hide something malicious somewhere in the Rube Goldberg machine which most people will never notice.
100%. From what you’re saying, though, it sounds like a Linux password is a red herring, and a secure password even more so. If SSH is disabled the class of attacks to be prevented are users ‘voluntarily’ running malware pretending to be goodware.
Never ever run any untrusted program or script, not even unprivileged. The biggest thing Linux has over Windows in this regard is the package manager, which is actively moderated by your distro maintainers, so you don’t have to download random installers from the internet like on Windows.
True, but does anyone operate this way? At that point it becomes an iPad or a Chromebook. (It does look like flatpaks or docker containers isolate behavior, so that’s a win.)
it sounds like a Linux password is a red herring, and a secure password even more so
Yes and no. A secure password is extremely important against some security threats, but completely useless against others. It’s like vitamin C. If you don’t get enough, that’s a massive problem and opens you up to a ton of serious issues, same as if you don’t have enough complexity in your password. But even if you do, it won’t effectively protect you from, say, cancer or unprivileged malware respectively.
There’s nothing stopping any program from attempting to bruteforce your Linux password, literally running through possibilities hoping to guess it. Modern password implementations usually have some form of bruteforce protection. If you’ve ever entered your password wrong in sudo or KDE’s lock screen, it usually hangs for a few seconds before telling you your password is wrong, even though any modern computer will have determined it was wrong in literally an instant. This is to prevent a malicious program from endlessly trying random guesses until it gets it by making the time it would take to guess a sufficiently unique password too long to be practical. Your phone and optional software available for Linux go a step further, imposing longer and longer delays with each subsequent failed password attempt, and also prevents malicious programs from spawning many threads each independently calling sudo to bruteforce in parallel by completely disabling access until the time penalty elapses. Though you absolutely do need a sufficiently secure password, making it overly long has diminishing returns past a certain point, it doesn’t matter how many millions of years it would take to bruteforce with a 1 second delay for wrong attempts, but the upgrade from millions of seconds with a simple password like “hunter2” to years is the important part.
Also, a password with no encryption is like a padlock on a wooden box. Even if they don’t have the key, they can still just cut the box open. In computer terms this would be like if someone accessed the files in your SSD directly and injected malware with root privileges, since both completely bypass the check that’s “normally” supposed to stop unauthorized users. Encryption can help but like you said, physical access is generally considered game over anyway unless they found your computer while it’s off and it is never returned to you for you to enter your password. A computer with encrypted everything wouldn’t be able to boot. Your EFI partition and especially your BIOS/firmware have to be unencrypted, and anything unencrypted can be tampered with by a sufficiently skilled attacker with physical access to add things like keyloggers and backdoors that sit dormant until you graciously decrypt everything for them.
Your password strength matters a lot more with encryption though. If you’re going to the trouble of full disk encrypting your computer, make the password as long and random as you can practically remember. If someone is trying to decrypt your computer’s drive, they’ve probably imaged it and are using a separate machine with no rate limiting whatsoever, and modern GPUs can do a ton of cryptographic operations in a short time. And don’t use that password for your user account once decrypted.
If SSH is disabled the class of attacks to be prevented are users ‘voluntarily’ running malware pretending to be goodware.
More or less as far as I know, provided you don’t have any other way of remote access (VNC, RDP, Anydesk/Teamviewer and similar, that weird Steam remote desktop app, a server running vulnerable software on an open port that can be hijacked, etc). In computing, the general rule to follow is if you don’t need it, don’t enable it, otherwise it’s ripe for abuse. That being said, your router should be configured to block local port access from the internet anyway, but if you have another infected device on your network, that’s a major threat. If you do want SSH, configure it to only accept the keys of your trusted devices and not just respond with a password prompt to any device that comes knocking.
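Added example, not from any poster here: the reply above says to configure SSH to accept only trusted keys rather than answering every connection with a password prompt. This is a small audit script for sshd_config text that reports the password-exposing settings. Both config fragments are constructed for the example; the defaults table follows sshd_config(5) (first occurrence of a keyword wins, keywords are case-insensitive), and as an assumption it stops at the first Match block, whose directives are conditional.

```python
import re

# Constructed sshd_config fragments, not copied from any real host.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""

# sshd's own defaults for the keywords checked here (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Older OpenSSH spelled the keyboard-interactive keyword differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return the effective global values for the keywords in DEFAULTS.

    sshd uses the FIRST value given for a keyword, so later duplicates are
    ignored. Parsing stops at a Match block (assumption: no Match block
    re-enables password logins for some client class).
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            effective[key] = value
            seen.add(key)
    return effective


def audit_sshd_config(text):
    """Return human-readable findings for settings that expose a password prompt."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: any client gets a password prompt")
    if cfg["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM password prompts still reachable")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication not yes: key-based login is disabled")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "no findings")
```

Note that the weak fragment never mentions KbdInteractiveAuthentication, yet it is reported, because the sshd default is yes; that is exactly the "responds with a password prompt to any device that comes knocking" situation the reply warns about.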
True, but does anyone operate this way? At that point it becomes an iPad or a Chromebook.
“Trust” in computing is fickle and complicated, just like real life. At the end of the day, you have to make a decision on who and what you personally trust. An iPad or Chromebook would be the least trustworthy computers in my mind because they’re locked down and administered by companies I absolutely do not trust, and though the locked down architecture does prevent other malware from infecting it, there’s probably already malware by any other name on it with proper Google or Apple security signatures that came with the device from the factory.
This is the same as if your distro maintainer is untrustworthy. They could slip in malware into the official package manager or installer ISO and you’d never know. I personally trust a reputable Linux distro over the literal biggest tech corporations in the world, but I’m still putting my faith in an organization I do not control nor personally know the people in control.
Open source is more trustworthy than proprietary software because the source code is available, but even that isn’t completely guaranteed to stop malicious code from making it in. The recent xz backdoor comes to mind. You’re still trusting that the other people looking at the source code actually catch the malicious part, and that’s not guaranteed even with the most trustworthy people when everyone working on it are overworked, stressed, and in the grip of tunnel vision to get their small part of it done like software developers tend to be, and even when that happens, it might be months or years down the line after the damage has already been done. There’s a reason a full security audit of an app can cost anywhere from thousands to millions of dollars depending on how big the codebase is. Also, because the vast majority of software aren’t compiled in a reproducible way, you don’t really have a guarantee that the actual binary executable that’s on your computer exactly matches the source code unless you go through the (usually difficult and frustrating) process of actually compiling it yourself. Sure, you can probably assume that the official binary released by the source code authors and signed with their cryptographic keys matches the source code since both come from the same place, but that’s not guaranteed and you’re still trusting a person or organization.
But wait, there’s more! The compiler you use is itself a program that needed to be compiled by another compiler, and so on and so forth until you literally reach the stage decades back when someone manually wrote the individual bits for the very first compiler in that chain. A malicious compiler can be made to obfuscate the fact that it’s malicious, and only a manual review and reverse engineering of the raw binary (without reverse engineering software, mind you) can prove or disprove it’s compromised.
Finally, there’s hardware. Even if you audit every single literal bit of software, the processor itself has immense complexity that you can’t audit without, 1, extremely expensive scientific equipment, and 2, destroying it in the process, and that’s only one chip out of the tens of chips in a computer. Your processor could have secret instructions that bypass all security and your only real hope is to bruteforce every possible input to see what happens. And proving existence of a backdoor is intrinsically much easier than proving absence.
I’m not trying to scare you, but I do want to illustrate just how hard it is to have absolute trust in any computer. At the end of the day, you can never have a computer you completely trust unless you manually assembled it from raw materials (not aided by any existing computer) and hand wrote every bit that goes into it. Like I said, we all need to make a decision to have faith in some person or organization we do not know. You can spend every waking minute auditing every last part of your computer, hardware and software, but then you wouldn’t have time to actually use it for the things you want to do. There’s no solution to this, there’s only higher and lower degrees of trust and security, which only you can determine for yourself.
So no, no one operates that way, because it’s impossible.
It does look like flatpaks or docker containers isolate behavior, so that’s a win.
Generally, yes, but remember there’s always the possibility of a bug that allows containers to break out of containers. This is not unique to Docker, any sandbox or hypervisor can be breached if there’s an exploit, just like any other software. Doesn’t invalidate the value of containerization, but it must be kept in mind that nothing is guaranteed to be completely safe and “malware proof.”
At uni I logged on a thin terminal that would then connect to a computer with hundreds of users.
You think of your computer as a desktop but in reality it can be a lot more than that. Hundreds of users could simultaneously use it without bothering you (assuming resources are sufficient).
Obviously that also means you shouldn’t be able to see or edit files from other users
You, like most of us to be clear, are just using it in a very very limited way.
It costs pragmatically nothing to keep this model working and it seriously limits usage to remove that. Now if you do want, you can autologin and skip all this but at your own risk.
TL;DR: a desktop is just a server with a screen, mouse and keyboard, nothing magical about it. If a server can handle hundreds of users, so can your desktop even if that’s not how you use it.
I think part of what you’re missing may be a set of very old assumptions about where the danger is coming from.
Linux was modeled after UNIX, and much of its core software was ported from other UNIX versions, or at least written in imitation of their utilities. UNIX was designed to be installed on large pre-Internet multi-user mainframe+dumb terminal systems in industry or post-secondary education. So there’s an underlying assumption that a system is likely to have multiple human users, most of whom are not involved in maintaining the system, some of whom may be hostile to each other or to the owner of the system (think student pranks or disgruntled employees), and they all log in at once. Under those circumstances, users need to be protected from each other, and the system needs to be protected from malicious users. That’s where the system of user and root passwords is coming from: it’s trying to deal with an internal threat model, although separating some software into its own accounts also allows the system to be deployed against external threats. Over the years, other things have been layered on top of the base model, but if you scratch the paint off, you’ll find it there underneath.
Windows, on the other hand, was built for PCs, and more or less assumes that only one user can be logged in to a machine at a time. Windows security is concerned almost entirely with external threats: viruses and other malware, remote access, etc. User-versus-user situations are a very minor concern. It’s also a much more recent creation—Windows had essentially no security until the Internet had become well-established and Microsoft’s poor early choices about macros and scripts came back to bite them on the buttocks.
So it isn’t so much that one is more secure than the other as that they started with different threat models and come from different periods of computing history.
This is very true, though I’d argue that Windows makes most of the same assumptions with user accounts. Also, the internal threat model is still important because it’s often used to protect daemons and services from each other. Programs not started by the user often run in their own user accounts with least privilege.
You no longer have 10 different humans using the same computer at once, but you now have hundreds of different applications using the same computer, most of which aren’t really under the user’s control. By treating them like different people, it’s better to handle situations where a service gets compromised.
The question is more about passwords which is mostly down to configuration. You can configure Windows to need a password for lots of things and you can configure Linux to not. They just have different defaults.
Well put
This is the correct answer.
Fyi UAC is not strong protection. Also, it really doesn’t matter if you have a password or not, UAC works the same way.
SELinux or other MAC systems (AppArmour?) are complicated but can protect a Linux system in a way similar to the UAC prompts on Windows, although it’s not convenient at all.
Maybe someone has a gui to make it easy, but I’ve never used it.
I think you may be happy with setting a short or empty user password so a sudo popup is basically the same as clicking allow on a UAC prompt
What is Linux protecting us from by using passwords?
I’d argue: from yourself.
On windows I often spam clicked through dialogues and popups and without thinking got malware or some other unwanted outcome.
On linux, when asked for a password it takes effort to type, so I have a moment of my lazy brain resisting and asking “do we really need to do that” and it makes the action more conscious and responsible. I caught myself one step from fucking something up multiple times this way.
I had some viruses and malware on windows, just like you. But I never had them on linux in my 15 years of daily driving it.
I think the basic premise of this question, that Windows and Linux somehow have a different foundational security model that is or isn’t based on passwords, is not really true. Passwords play more or less the same role for any modern operating system – be it Linux, MacOS, Android, iOS, etc.
The only major difference is that instead of UAC, Linux has a variety of options (sudo, policykit, run0), which are implemented differently across different distributions. If your privileged user doesn’t have a password, in some cases this could lead to any program being able to elevate their privilege quietly, unlike UAC.
However, in many distributions you can set up a user with a password and enable passwordless local login, which would be almost equivalent to windows with no password.
Answering your question directly, the major threat to most consumer users is physical compromise or theft of device. Your statement that “physical access is game over” is not entirely accurate: disk encryption with a password is a very strong protection against unauthorized data access, but you need to use a password (doesn’t matter if it’s Linux or Windows).
If your privileged user doesn’t have a password, in some cases this could lead to any program being able to elevate their privilege quietly, unlike UAC.
I think this is the most important part. There really isn’t any protection against random processes trying to do some version of
exec sudo $0
except for the fact that it requires a password.
it always baffles me when people set up disk encryption with the TPM instead of a password
I understand it. Who wants to use two passwords to access their computer?
personally, if my system is completely off and i boot it up, i just use my luks password then the system is set to auto log into my environment (only one password required). then if my system is asleep, when i wake it up it will just go to my lock screen where i can use my fingerprint or user password.
I only enter one password for LUKS and have kde autologin
If you have never used a password on windows or some other authentication mechanism then your Windows is not very secure.
Most of the differences you quote are pretty much the same on both systems.
I guess the one exception is the UAC prompt which on Linux is a bit more secure in that it requires a password. Some random person or app cannot just click through it.
UAC can be configured to require a password, just like sudo can be required to not require a password. These things function the same on Windows and Linux.
The big difference between UAC and Sudo is that you can’t as easily script UAC. They can both require (or not require) a password but UAC requires user interaction. Sudo has no way of knowing if it’s being interacted with by a person or a script so it’s easier for applications to escalate their own privileges without a person doing it. UAC needs to have the escalation accepted with the keyboard or mouse.
There’s still plenty of sneaky ways to bypass that requirement but it’s more difficult than
echo password | sudo -S
Good point, sounds like a good thing for most people
Any OS with no password is insecure. Hands down.
Linux/Unix has a permissions structure that works at the filesystem level, to be really brief about it.
Files are owned by users. Users can be part of groups to represent a larger number of users for simple organization.
Regular users can only touch files they own, or are owned by a group they are in. Root has master permissions to anything.
As a regular user, your home directory is owned by you. Anything you create is owned by you. All programs executed by you require that you have permissions to those things. Therefore if you’re just bouncing on the system and doing things, you can only harm the files that you own.
Your account having a password prevents access to this account. Though it’s a regular user, anyone with that password can harm your files.
The Root password allows anyone to execute or delete any files on the system. Anyone with this password can get to any file on the system, so you never let anyone know this password.
Your assumption that SSH somehow has different passwords is incorrect. You make a user on a machine and you don’t prevent SSH access…then they can SSH in, but they’re still a regular user.
If no password is needed to do authentication, then any script and any user is able to do whatever they want on your system. Basically every script and application has root access by default. That is something you do not want to have. Even more important in multiuser environments.
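Added example, not from any poster in this thread: the permissions description above (files owned by users, groups, root overriding everything) is the classic Unix discretionary access check, written out as a function so you can see which bits actually decide. The inode records and the uid/gid numbers are constructed for the example; it models plain mode bits only, not ACLs, capabilities or SELinux/AppArmor.

```python
import stat
from collections import namedtuple

# A constructed stand-in for what stat(2) returns about a file.
Inode = namedtuple("Inode", "path mode uid gid")

# Permission bits per class (owner, group, other) for each access kind.
BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def can_access(inode, uid, gids, want):
    """Classic Unix mode-bit check for one process against one file.

    Exactly one class of bits applies: the owner bits if the uid matches,
    otherwise the group bits if the file's group is among the process's
    groups, otherwise the "other" bits. Root (uid 0) bypasses read and write
    checks and may execute as long as at least one execute bit is set.
    """
    usr, grp, oth = BITS[want]
    if uid == 0:
        return want != "x" or bool(inode.mode & (usr | grp | oth))
    if uid == inode.uid:
        bit = usr
    elif inode.gid in gids:
        bit = grp
    else:
        bit = oth
    return bool(inode.mode & bit)


# Constructed ids and files; the numbers are illustrative, not from a real box.
ALICE, BOB, USERS, SHADOW = 1000, 1001, 100, 42
FILES = {
    "home": Inode("/home/alice/notes.txt", 0o644, ALICE, ALICE),
    "shadow": Inode("/etc/shadow", 0o640, 0, SHADOW),      # root-owned, group shadow
    "shared": Inode("/srv/shared/plan.md", 0o664, BOB, USERS),
    "locked": Inode("/home/alice/weird", 0o070, ALICE, USERS),  # owner has 0, group has 7
}


def summary(uid, gids):
    """Map each sample file to the subset of 'rwx' the given process gets."""
    return {
        name: "".join(p for p in "rwx" if can_access(f, uid, gids, p))
        for name, f in FILES.items()
    }


if __name__ == "__main__":
    for label, uid, gids in (("alice", ALICE, {ALICE, USERS}),
                             ("bob", BOB, {BOB, USERS}),
                             ("root", 0, {0})):
        print(label, summary(uid, gids))
```

The "locked" file is the instructive one: alice owns it, so only the owner bits count for her and she gets nothing, while bob gets full access through the group bits. That is why "regular users can only touch files they own" is really "the class of bits that matches you decides", and why root ignores it entirely.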
This may or may not help, but here’s my two cents:
Windows was originally built to be as user-friendly as possible because its target audience are non-tech-savvy people. It then evolved into being a business OS. So security was never its first priority.
UNIX was built for tech savvy people to do business-sensitive stuff, and required sophisticated security models. Linux was modeled after UNIX (Minix specifically), and thus inherited those same principles. It evolved to become more user friendly. But security remained a priority.
Now, that said, both Windows and Linux are configurable. You can make Windows more secure with effort, just like you can make Linux less secure with effort (and I don’t mean simply using root all the time).
There are diehards on both sides, and they will make excellent (or terrible) arguments for their favored OS. So you need to decide what works best for you and your use case and go with that. 😊
NT was built to be a business OS, and the original Windows was killed off for everyone in favor of NT with XP
Thank you for confirming what I said. 😊
Not really sure what you’re asking here
Is Windows + UAC + no password secure?
No.
What is Linux protecting us from by using passwords?
Bad humans & mistakes. But Linux doesn’t need passwords.
Linux & Windows came from a command-line history, so things like UAC are just a GUI version of
sudo (and there is (was?) a Linux equivalent if you wanted it). So, consider these as options on either OS. If you want it, it’s there, if you don’t, don’t - other options exist depending on your use case (ie SSH keys, biometrics, etc…)
To the point; not using a password is a choice on convenience over protection.
Linux & Windows came from a command-line history, so things like UAC are just a GUI version of sudo (and there is (was?) a Linux equivalent if you wanted it)
Can confirm that the GUI versions of sudo (and similar privilege escalation interface) exist on Linux, at least for KDE, in the form of kdesu.
It’s there to protect you from crimes of opportunity. Like if your car is locked, a thief could decide to pick the lock, smash the windows in, or find another victim, but they would have no second thoughts if your car were already unlocked. The password deters a casual hacker and buys you some time to notice and deal with anyone seriously trying to break in.
In an ideal case of disk encryption and a well-designed lock screen, the password forces a would-be intruder to either spend lots of time guessing it or shut down the computer, thereby discarding the encryption key from memory and thwarting the attack.
What are passwordless solutions in Windows for remote access, disk/filesystem encryption, keyrings?
BTW in all that cases a password can be replaced with a hardware token, for instance. It is just the simplest, most widely used and one of the less secure options.
I will not address the core questions since others have. I will offer a solution that might do what you want. I disclaim all responsibility if you choose to do this.
You can buy keyboards such that when you press a macro button, it will type an arbitrary string. Some Logitech keyboards have (had?) programmable keys that did this.
I’m not suggesting this is a good solution, but it is a solution.
Edit: idc about the downvotes on this, I’d probably downvote it too. But since OP keeps asking this question over and over and over and over and over and over again I gave him what he wants. I do not endorse doing this. I don’t do it, passwords are important
I don’t believe there is any particular advantage of linux insisting on password input for privilege escalation. Obviously there is no proof of this, but I suspect that the design of this privilege escalation flow in linux is at least partly caused by its popularity as a server OS, for example the UI flow for Windows UAC wouldn’t work if you’re trying to remotely administrate a server through the terminal.
Is Windows + UAC + no password secure?
It should be, in fact I believe that by default if your local admin account doesn’t have a password set, remote logins and run-as is disabled for that account so you might even be able to argue that it is more secure. It’s probably one of the reasons why Windows 11 comes with a recommended option to disable passwords and only authenticate through Windows Hello.
No, that recommend is because your biometrics are worth more to Microsoft than a random password, and they want to push it to seem more friendly to noob users who they’ll push towards a Microsoft online account instead of a local account.
You can use windows hello without biometrics.
With either a physical security key (which no “average user” owns), or a damn numeric pin, which is vastly less secure than a password of the same length.
You can use letters and symbols in windows hello pins.