Author Topic: Security of Linux Mint  (Read 576 times)

Offline fox

  • Posting Member
  • Sr. Member
  • *
  • Posts: 466
    • View Profile
Security of Linux Mint
« on: March 20, 2017, 12:26:43 pm »
A section of the latest DistroWatch seems to be provoking an animated discussion of potential security issues in Linux Mint; particularly when used by beginners. The discussion stems around Mint's defaults for software updates and the fact that point upgrades of the Linux kernel are not implemented by default. You can read about it here. If I understand correctly, these defaults changed in the latest version of Linux Mint.
Ubuntu 17.10 on 2011 iMac
Linux Mint Cinnamon 18.3 on "late 2015" 5k iMac
Ubuntu 16.04 (Unity, Gnome) and Arch on Dell XPS 13 (4gb RAM, 250gb SSD)

Offline Jason Wallwork

  • Administrator
  • Hero Member
  • *****
  • Posts: 603
    • View Profile
Re: Security of Linux Mint
« Reply #1 on: March 20, 2017, 04:11:07 pm »
I'd entirely defend the Linux Mint article. I haven't used it as my regular distro in a couple of years but I know how their update system worked and I've tried the latest version in Virtualbox so I know how it works now as well. Nothing has changed other than in how it is presented to users. Users always had the choice to install all updates should they wish to.

For beginners, you don't want to update the kernel for every new point release right away unless it's a security issue as it can break with hardware and you could end up with an unbootable system. At no time were updates hidden to anybody, unless you went and chose to hide them. Users always had the option to install everything. Honestly, I think their update system is on of the more innovative update managers I've seen.

Btw, most distros don't update the kernel every time a new release comes out except when there are security updates and sometimes those are even backported. I bet you a coffee, Mike, that your distro, whatever you're using isn't using the latest version of the Linux kernel which is 4.11-rc3 according to kernel.org at the time of this writing. I'm using Ubuntu MATE with all the updates installed my kernel is 4.8.0.
Primary: Desktop Tower with Linux Mint 18.2 Cinnamon on Intel Core i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID 10 array for programs and data and Geforce GT 640 video

Secondary: Toshiba Satellite Z830-00K Ultrabook w/ Intel i3-2367M processor– 1.4 GHz, 4GB DDR3, 128GB SSD

Offline fox

  • Posting Member
  • Sr. Member
  • *
  • Posts: 466
    • View Profile
Re: Security of Linux Mint
« Reply #2 on: March 20, 2017, 06:51:45 pm »
I won't bet you the coffee, but in fact Ubuntu is updating the kernel all the time. My mistake was referring to it as a point release. I think that point releases are much more than security updates; they incorporate new drivers for new hardware. But in Ubuntu I am constantly getting kernel updates within the 4.x.0 series. For example the current default kernel in Ubuntu 16.10 is 4.8.0-41-generic, but the "41" has been updated at least 3 times since the release of 16.10. I assume that these are security updates. I am guessing that the Ubuntu Mate version you are using has been updated several times as well. I am assuming from what I read that Mint wouldn't automatically give you those updates as a default and if my assumption, that these incorporate security updates, is correct, then I partly agree with the dissenter comments that this isn't a good idea for novices.
Ubuntu 17.10 on 2011 iMac
Linux Mint Cinnamon 18.3 on "late 2015" 5k iMac
Ubuntu 16.04 (Unity, Gnome) and Arch on Dell XPS 13 (4gb RAM, 250gb SSD)

Offline Jason Wallwork

  • Administrator
  • Hero Member
  • *****
  • Posts: 603
    • View Profile
Re: Security of Linux Mint
« Reply #3 on: March 20, 2017, 07:23:42 pm »
What I meant was that everytime a new kernel release is put out, most distros don't upgrade to *that version* right away. Sometimes it's months before they do. Security updates are often backported, the release number being shown after the hyphen, that is, the 41 in 4.8.0-41. Some even though 4.8.0 isn't the most recent release of the kernel, any security problems noticed after 4.8 have been backported to "fix" it. I seem to recall that Linux Mint does incorporate kernels with backported security updates by default.

I'll have to check into this on the Linux Mint website more and get back to you.
Primary: Desktop Tower with Linux Mint 18.2 Cinnamon on Intel Core i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID 10 array for programs and data and Geforce GT 640 video

Secondary: Toshiba Satellite Z830-00K Ultrabook w/ Intel i3-2367M processor– 1.4 GHz, 4GB DDR3, 128GB SSD

Offline ssfc72

  • Posting Member
  • Sr. Member
  • *
  • Posts: 363
    • View Profile
Re: Security of Linux Mint
« Reply #4 on: March 20, 2017, 07:52:31 pm »
Your message is time stamped 7:23 pm.  You are going to miss your bus, to get to tonight's Mug! :-)

Bill


What I meant was that everytime a new kernel release is put out, most distros don't upgrade to *that version* right away. Sometimes it's months before they do. Security updates are often backported, the release number being shown after the hyphen, that is, the 41 in 4.8.0-41. Some even though 4.8.0 isn't the most recent release of the kernel, any security problems noticed after 4.8 have been backported to "fix" it. I seem to recall that Linux Mint does incorporate kernels with backported security updates by default.

I'll have to check into this on the Linux Mint website more and get back to you.
Mint 18.2 on an HP Pavilion X360, 11" k120ca notebook
Cellphone Moto G 3rd Gen, PCMobile pay as you go

Offline bobf

  • Posting Member
  • Sr. Member
  • *
  • Posts: 284
    • View Profile
Re: Security of Linux Mint
« Reply #5 on: March 21, 2017, 10:39:54 am »
Bill was probably posting FROM Timmy's, Jason! <^8#

And I've weighed in on this topic many times in the past. My 11" netbook has been LM 17.2 Cinnamon 64-bit forever, and I noticed that the GUI updater would tell me everything's up-to-date, but when I went to the CLI and ran apt-get, updates WOULD be available. Now, the whys and wherefores aside, I want to know that my computer is in the most current state available when I do updates, which simply meant side-stepping the GUI interface for what I've been using forever anyway.

And Jason's pointed out several times that the settings are simple to change, but understanding the intent behind the implementation of updates in LM means that the noob or casual user can't get themselves into trouble they can't get themselves back out of, and I circumvent the "perspective" my way...

And as for the powers-that-be at LM, it may (or may not!) be time to reflect on the continued suitability of their long-standing policy...

Offline Jason Wallwork

  • Administrator
  • Hero Member
  • *****
  • Posts: 603
    • View Profile
Re: Security of Linux Mint
« Reply #6 on: March 21, 2017, 07:39:10 pm »
I spend about an hour or two last night researching this not including the time to download and install LM 18.1 to test it again. The issue is a bit complicated and I'm trying to figure out whether it makes more sense to try and explain it here or explain it at a PLUG monthly meeting.

Of course, I'm not a security expert and try hard not to pretend to be one, so still thinking about this. The thing is that LM 18.1 lets users choose one of three settings depending on whether you're a noob or an experienced user so it depends on which setting you go with to start with. So there really is no default now unless you're assuming the placement of the original dot in the center to be it. See attached screenshot. However, even if you use this setting, you may not get all security patches but it appears you get the most critical ones. How I arrived at this conclusion is a much longer post. The noob setting appears to hide any updates that might effect stability.

Primary: Desktop Tower with Linux Mint 18.2 Cinnamon on Intel Core i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID 10 array for programs and data and Geforce GT 640 video

Secondary: Toshiba Satellite Z830-00K Ultrabook w/ Intel i3-2367M processor– 1.4 GHz, 4GB DDR3, 128GB SSD

Offline fox

  • Posting Member
  • Sr. Member
  • *
  • Posts: 466
    • View Profile
Re: Security of Linux Mint
« Reply #7 on: March 21, 2017, 10:14:26 pm »
If you have a good story on this, it would be worth hearing as part of a meeting. A lot of our group either use Mint primarily or occasionally.
Ubuntu 17.10 on 2011 iMac
Linux Mint Cinnamon 18.3 on "late 2015" 5k iMac
Ubuntu 16.04 (Unity, Gnome) and Arch on Dell XPS 13 (4gb RAM, 250gb SSD)

Offline Jason Wallwork

  • Administrator
  • Hero Member
  • *****
  • Posts: 603
    • View Profile
Re: Security of Linux Mint
« Reply #8 on: March 21, 2017, 10:21:15 pm »
Thanks for the encouragement. I'll do a bit more research on this and have something to say about it then. It's quite the paper/net trail looking up kernel updates and how to determine whether they're serious or not. One of the interesting things I've found is that Ubuntu 16.04 LTS uses 4.4 series kernel while 16.10 uses 4.8 series. LM 18.1 (and probably 18, too) might be using the kernel (and updates) for Ubuntu 16.04 LTS.

I'd love if we had a person in the club that contributed Kernel patches or at least knew more about how the development cycle works and how they end up in various distros. It seems there are different versions of the kernel for different uses, too.
Primary: Desktop Tower with Linux Mint 18.2 Cinnamon on Intel Core i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID 10 array for programs and data and Geforce GT 640 video

Secondary: Toshiba Satellite Z830-00K Ultrabook w/ Intel i3-2367M processor– 1.4 GHz, 4GB DDR3, 128GB SSD

Offline Jason Wallwork

  • Administrator
  • Hero Member
  • *****
  • Posts: 603
    • View Profile
Re: Security of Linux Mint
« Reply #9 on: April 04, 2017, 01:53:56 am »
Presentation notes here:

http://forums.plugintolinux.ca/index.php/topic,211.msg1167.html#msg1167

Feel free to come back here if you want to carry on this discussion.
Primary: Desktop Tower with Linux Mint 18.2 Cinnamon on Intel Core i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID 10 array for programs and data and Geforce GT 640 video

Secondary: Toshiba Satellite Z830-00K Ultrabook w/ Intel i3-2367M processor– 1.4 GHz, 4GB DDR3, 128GB SSD

Offline ssfc72

  • Posting Member
  • Sr. Member
  • *
  • Posts: 363
    • View Profile
Re: Security of Linux Mint
« Reply #10 on: April 04, 2017, 11:22:26 am »
A well done presentation, last evening, at the PLUG meeting, Jason! 
You did a very good job of researching the issue of Linux Mint updates.

Your note that Mint packages numerous, similar updates, into one single update, explains why there is a difference in the number of updates Mint says, is available, and the number reported when doing a command line update.
Mint 18.2 on an HP Pavilion X360, 11" k120ca notebook
Cellphone Moto G 3rd Gen, PCMobile pay as you go

Offline fox

  • Posting Member
  • Sr. Member
  • *
  • Posts: 466
    • View Profile
Re: Security of Linux Mint
« Reply #11 on: April 04, 2017, 12:44:52 pm »
I agree with Bill; well researched and well presented. I haven't tried Mint in a long time, but I did follow the security issue. I'm still unclear as to whether ranking kernel and firmware updates as "5" is a potential security problem for newbies who choose the "safe" route with updates. Granted that many of the changes in same-major-version updates (i.e. the xx in something like 4.4.0-xx) are additional device drivers, but at least some appear to be security fixes, too. Or maybe I missed something in the presentation?
Ubuntu 17.10 on 2011 iMac
Linux Mint Cinnamon 18.3 on "late 2015" 5k iMac
Ubuntu 16.04 (Unity, Gnome) and Arch on Dell XPS 13 (4gb RAM, 250gb SSD)

Offline Jason Wallwork

  • Administrator
  • Hero Member
  • *****
  • Posts: 603
    • View Profile
Re: Security of Linux Mint
« Reply #12 on: April 04, 2017, 05:47:01 pm »
Thanks, guys. Glad it was helpful.

Granted that many of the changes in same-major-version updates (i.e. the xx in something like 4.4.0-xx) are additional device drivers, but at least some appear to be security fixes, too. Or maybe I missed something in the presentation?

I think you did. I discussed the security updates, the vulnerabilities they were to be fixing and past kernel security updates since LM 18.1's release. Check the notes, it's pretty much the presentation. You can decide for yourself if it's a concern. Based on the evidence available, I thought not.
Primary: Desktop Tower with Linux Mint 18.2 Cinnamon on Intel Core i5-3470 3.2 Ghz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID 10 array for programs and data and Geforce GT 640 video

Secondary: Toshiba Satellite Z830-00K Ultrabook w/ Intel i3-2367M processor– 1.4 GHz, 4GB DDR3, 128GB SSD

 

SMF spam blocked by CleanTalk