
Faelian2 | 1 year ago

Just my two cents about the security aspect.

All Linux binaries are compiled with PIE nowadays. You can run `checksec` on any binary on Ubuntu, and it will have those properties. (You can install checksec with `pip install pwntools`).

On the other hand, GLIBC has, to my knowledge, the most hardened heap implementation out there. And there are more mitigations for double-free and other heap exploits on GLIBC.

So in that regard, Alpine is less secure by using musl. Having a small, understandable system is a real advantage when it comes to security.


blueflow|1 year ago

> Having a small, understandable system is a real advantage when it comes to security.

How did that look in your mind, that it is a point for (and not against) glibc?

balder1991|1 year ago

That got me confused too.

LinuxBender|1 year ago

I run checksec on everything all the time, and on all my Alpine nodes all the processes come back like this (not pasting the full output, for brevity). I have never seen anything built by Alpine missing these flags.

    COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
    init       1 Full RELRO        Canary found           NX enabled    PIE enabled
    [snip...]
    crond 422838 Full RELRO        Canary found           NX enabled    PIE enabled
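
An added example, not part of LinuxBender's comment or of checksec itself: a small auditor that reads a process table in the layout quoted above and reports every process whose row differs from the four hardened values shown there. The `legacyd` row is constructed sample data, and the function and variable names are hypothetical.

```python
import re

# Hardened values exactly as they appear in the output quoted above.
EXPECTED = {
    "RELRO": "Full RELRO",
    "STACK CANARY": "Canary found",
    "NX/PaX": "NX enabled",
    "PIE": "PIE enabled",
}

# A data row starts with a command name and a numeric PID.
ROW = re.compile(r"^\s*(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<rest>.+?)\s*$")

# Two rows from the thread plus one constructed weak row (legacyd).
SAMPLE = """\
COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
init       1 Full RELRO        Canary found           NX enabled    PIE enabled
[snip...]
legacyd 1234 Partial RELRO     No canary found        NX enabled    No PIE
crond 422838 Full RELRO        Canary found           NX enabled    PIE enabled
"""

def audit(table):
    """Return {(command, pid): [weak columns]} for rows missing a hardened value."""
    findings = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:  # header, "[snip...]" markers, blank lines
            continue
        key = (m["cmd"], int(m["pid"]))
        # Cell values contain single spaces, so split only on runs of 2+ spaces.
        cells = re.split(r"\s{2,}", m["rest"])
        if len(cells) != len(EXPECTED):
            findings[key] = ["unparseable row"]  # fail closed, never assume hardened
            continue
        weak = [f"{col}: {val}"
                for col, val in zip(EXPECTED, cells) if val != EXPECTED[col]]
        if weak:
            findings[key] = weak
    return findings

if __name__ == "__main__":
    for (cmd, pid), weak in audit(SAMPLE).items():
        print(f"{cmd} (pid {pid}): " + "; ".join(weak))
```

Rows that do not split into exactly four cells are reported rather than skipped, so a layout change in the tool's output cannot silently hide an unhardened process.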

crest|1 year ago

> On the other hand, GLIBC has, to my knowledge, the most hardened heap implementation out there. And there are more mitigations for double-free and other heap exploits on GLIBC.

Check the OpenBSD libc...

0xbadcafebee|1 year ago

Re: Linux security, if someone can run any code at all on your system, you're screwed. Linux is Swiss cheese. The only reason it isn't just as overrun with malware as Windows is nobody uses Linux for a desktop, so malware authors don't really try. (honestly I'd say modern Windows and MacOS both have a superior security architecture)

realusername|1 year ago

Linux distributions just have a different security model, based on trust. Maintainers form with developers a chain of trust from the repo to your machine.

Windows and MacOS on the other hand have an untrusted security model, everything is assumed to be potentially dangerous.

Security isn't just about how the code behaves.

nolist_policy|1 year ago

OTOH ChromeOS, one of the more secure operating systems (behind QubesOS, on par with Android and iOS) is GNU/Linux.

But in normal Linux land things are moving too: Flatpak, Wayland, immutable rootfs, systemd service sandboxing, ...

Also browsers on GNU/Linux are generally well sandboxed, the interfaces are there.