
Re: Linux vs Win

Posted: 28 Oct 2004, 10:09
Gatchinskiy
Vasek wrote: I was asked this question at an interview:

What is difference between Windows and Linux core security model?

It sounds rather awkward... But maybe someone has ideas?
some stuff ... :roll:

1. The Windows architecture is built so that even components that may never be used are required for normal operation. For example, even a stand-alone Windows 2000 server will require LDAP libraries even though they may never be used - and every Windows server requires Internet Explorer even though you will (hopefully) never use it for web browsing. What does this mean? It means that almost every vulnerability or bug that comes up on Windows or on a Windows subsystem will almost certainly require you to patch your server.

2. Linux, on the other hand, can be installed with only the components required for the task at hand. That is one of the key security advantages of open source software -- unneeded components can be excluded at compile time, so the software doesn't just have unnecessary feature X disabled (like Windows), it isn't even compiled in to begin with.

3. The Linux world has several tools and methods for mitigating the damage that any given vulnerability may have otherwise allowed. Here are three:
- You can "chroot" a process, which means you lock it in a directory when it starts, and it can't get out.
- You can have services that start with root (administrator) privileges and then after they start drop those permissions permanently and continue running as a non-privileged user account.
- You can use the Linux kernel's "capabilities" mechanism to lock down certain actions from ALL accounts on the box, so that even someone with root privileges cannot perform these actions.

4. Windows does not have the ability to lock a process into a certain subdirectory. The best that can be done is to create a separate partition (drive letter), and try to lock the application's data files in there. This still lacks the effectiveness of chroot, however: the Windows application's .exe files still require certain system libraries that are in %SYSTEMROOT%. Windows does not appear to be capable of restricting the privileges of the built-in LocalSystem account.

The difference is that the high severity vulnerabilities found in Linux are not related to the core OS and can therefore be ignored if your system is not affected. Furthermore, open source software has historically had these types of severe vulnerabilities fewer and further between - and when they are found they are usually mitigated by the procedures mentioned above.

Another source is: Security Report: Windows vs Linux:
http://www.theregister.co.uk/security/s ... ticmetrics
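
The first two mitigations in point 3 (chroot, then a permanent privilege drop) as an added C example, not code from the post. The function names, the `/tmp` jail directory and uid/gid 65534 are assumptions chosen for illustration; the sequence runs in a forked child and reports "needs root" when started without privileges.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_NOT_PRIVILEGED = 1, JAIL_FAILED = 2 };

/* Confine the calling process to jail_dir, then give up root for good. */
static int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (chroot(jail_dir) != 0)
        return errno == EPERM ? JAIL_NOT_PRIVILEGED : JAIL_FAILED;
    if (chdir("/") != 0)            /* a cwd left outside the jail is a way out */
        return JAIL_FAILED;
    /* Order matters: supplementary groups, then gid, then uid last,
     * because the first two calls need the privilege the uid still carries. */
    if (setgroups(0, NULL) != 0)
        return errno == EPERM ? JAIL_NOT_PRIVILEGED : JAIL_FAILED;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return JAIL_FAILED;
    /* Prove the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return JAIL_FAILED;
    return JAIL_OK;
}

/* Run enter_jail() in a forked child so the caller keeps its own state. */
int jail_self_test(const char *jail_dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return JAIL_FAILED;
    if (pid == 0)
        _exit(enter_jail(jail_dir, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return JAIL_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Assumed values: /tmp as the jail, 65534 as an unprivileged uid/gid. */
    int r = jail_self_test("/tmp", 65534, 65534);
    printf("%s\n", r == JAIL_OK ? "jailed and dropped"
         : r == JAIL_NOT_PRIVILEGED ? "needs root" : "failed");
    return r == JAIL_FAILED;
}
```

Setting the real, effective and saved IDs together with `setresuid`/`setresgid` is what makes the drop permanent; the trailing `setuid(0)` check confirms it.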