Beginner questions about Linux


Pamela Owens

Jul 29, 2024, 7:26:30 PM
to Jax...@googlegroups.com
Hi there,

I don't know much about Linux, but I've heard that it's a very secure alternative to Windows. With big data breaches becoming more and more common, I am starting to think maybe I need to educate myself more on it and consider whether I can/should consider Linux at some point in the future and whether it even makes sense for me to consider using it..?  

Do you think it would be beneficial for someone with little to no experience with Linux to attend a meeting, or would the conversation be too advanced and I'd be better off to start with some online resources and tutorials first? If the latter is true - then would you be able to recommend some beginner resources for me? *Like how to determine if Linux is a good fit... and is it even necessary to consider using it for personal use when I'm not in a tech job/field? 

Thank you so much for your help, 

Pamela Owens

Tim Holloway

Jul 29, 2024, 11:38:31 PM
to jax...@googlegroups.com
Hi Pamela,

In theory, Windows NT and its descendants up to Windows 11 (not Windows 95/98) should be at least as secure as Linux.

However, the Windows OS design was based on single users and giving the user access to as many resources as possible.

Linux is descended from Unix, which was based on multiple users, many of which were college students, and therefore likely to screw around with each other's toys. Not to mention the OS itself. So security was essential from the beginning, not added on later.

And despite historical slander, I actually think it's easier to install Linux these days than Windows. It's just that most systems come with Windows already on them.

I use Linux as my only desktop OS and have for years. For a while, I'd steal a Windows box to do taxes and Microsoft Flight Simulator, but taxes are a web app these days and, alas, I haven't "flown" recently. Someday I may try the Linux simulator, though.

I do software development in many languages, mainly Java, Python and C++, do CAD work for 3-D printing and my CNC router as well as electronics design. All my word processing and other office needs are done with LibreOffice and I use GnuCash for finances. I also have a Raspberry system set up for musical composition and play with MIDI peripherals. I've used Linux for shortwave control and FAX decoding (marine maps from New Orleans) and have a Raspberry Pi set up with a 7-inch touchscreen that can play stored music and videos as well as play/record off-the-air TV stations.

And I never have to worry about the Software Police doing an audit because it's all open-source/free license.

Also, I run an enterprise-grade server farm (mousetech.com) with High Availability via things like failovers, distributed filesystems, nightly and weekly backups, and automated provisioning systems. I use both PostgreSQL and MySQL (and if someone's paying me for it, Oracle and DB2). I run multiple VMs and containers and the Nagios outage monitor.

So Linux has been very good to me over the years.

Returning to Linux security, the basic security that Linux inherited from isn't very fine-grained, but it's quite effective. For more serious security, there's selinux as well. While my gold standard is IBM's RACF for the mainframe, where I can set up rules that say that only these programs can do these things with these files, but only for users on the west side of the third floor of Building C from 8am to 5:30pm, selinux can do a lot of that out of the box.

But no, the JAXLUG is not a bunch of geeks who think that basic conversations deal with setting up virtual networks between containerized applications and the like. In general they're more interested in simply having fun with Linux. You'd be most welcome!

   Tim

Pat Augustine

Jul 30, 2024, 3:46:45 PM
to JaxLUG
Hi, Pamela.

I'd like to respectfully disagree (partially) with the good gentleman Tim Holloway who responded before me. I do think the underlying Linux security system is superior to Windows. He's right that Windows COULD be as secure, but Microsoft has traditionally chosen ease of use rather than security every time they had to make such a decision, leaving many ways to attack Windows. Windows versions starting with 8 and through the most current (11) have been gradually improving and making more security conscious choices. Windows is getting there, but it's still much easier to find an attack vector against a fully updated Windows system than against a fully updated Linux system. Neither are perfect, however, and I suspect Tim and I would only differ by degrees. He's a smart guy after all.

The original Unix user/group/other permissions system is considerably less fine grained than advanced Windows permissions, that's true. It's also supplemented by both roles and extended permissions, as well as SELinux. For a home user, though, most of that is probably over your head and you are more worried about how easy it is for an attacker to get in.

The best solution on ANY operating system is to run as a non-privileged user, and only use the "Administrator" (for Windows) or "root" (for Unix/Linux) account when absolutely necessary. Unfortunately, Windows was designed from the beginning to allow all users to be Administrators and many applications assume you have Admin rights. The average Windows user will eventually stop fighting the OS and allow themselves to be Administrator (heck, I even do that, but I use my Windows machine only for games. If it has to be erased, it's no big deal). Linux makes that EASY. Your account has limited privileges and if you need more privileges there are several ways to get them temporarily. Windows makes it cumbersome to work that way.

So in that regard, regardless of the underlying security system, Windows systems are often configured with the average user having too many privileges and thus creating more attack vectors. That may be too complex for a new user, but it means by default if you were to take the same machine and just put a default Windows install on it, and identical hardware with a default Linux install, out of the box, the Linux box should be harder to attack, simply because Unix (and therefore Linux which came after it) puts security FIRST and Windows puts Security somewhere down around 4th or 5th. It's the nature of trying to maintain compatibility with what was once a single-user only computer paradigm. I do think Microsoft will eventually get there, as each major Windows release gets better. But it's not there yet.

The LUG would be great for a first timer. Sure there's us old gray-beards, but there are younger people just starting out with Linux and the LUG regularly has presentations on various features, sometimes very basic and other times more complex. It varies by presenter and by month. But most of us are very friendly and outgoing and like helping newbies come over to the light side and see the joy that is Linux.

I, myself, don't get to go to many meetings any more due to my health, but it's a very welcoming and friendly group and I'm sure they would love to have you.

Tim Holloway

Aug 2, 2024, 2:10:57 PM
to jax...@googlegroups.com
I first felt that Windows was beginning to get serious about security at Windows 7.

Incidentally, Windows 11 is supposed to be experimenting with something similar to the Linux sudo facility. But by all accounts, Windows 11 is alleged to be a real horror show.

Supposedly the "systemd" people are plotting to replace sudo, just as they have slowly been supplanting cron and filesystem mounts. But sudo is a very capable facility. You can set it up to allow certain users the ability to run only some privileged apps and determine whether they will need to enter a password to do so or not. For example, I can run the Bacula console app without a password.

   Tim
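
Added example, not part of Tim's post: the kind of sudo rule described above, written as a sudoers drop-in that is syntax-checked before it is installed. The user `tim`, the group `backupops`, the `bconsole` path and the `bacula-fd.service` unit name are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread): build a least-privilege sudoers drop-in.
# Assumed names: user "tim", group "backupops", the bconsole path passed in,
# and the bacula-fd.service unit. Find the real path with `command -v bconsole`.

# render_sudoers USER GROUP CONSOLE_PATH -> prints the drop-in on stdout
render_sudoers() {
    user=$1 group=$2 console=$3
    # sudoers rules should name commands by absolute path; refuse anything else.
    case $console in
        /*) ;;
        *) echo "console path must be absolute: $console" >&2; return 1 ;;
    esac
    cat <<EOF
# One named user may run only the Bacula console as root, without a password.
Cmnd_Alias BACULA_CONSOLE = $console
$user ALL = (root) NOPASSWD: BACULA_CONSOLE
# Members of a group may restart one service, but must enter their password.
%$group ALL = (root) PASSWD: /usr/bin/systemctl restart bacula-fd.service
EOF
}

# install_sudoers DEST USER GROUP CONSOLE_PATH
# Writes to a temp file, syntax-checks it with visudo when available, and only
# then moves it into place with mode 0440. A sudoers file with a syntax error
# can break sudo for everyone, so the check comes before the install.
install_sudoers() {
    dest=$1; shift
    tmp=$(mktemp) || return 1
    if ! render_sudoers "$@" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$dest"
}

# Usage (as root):
#   install_sudoers /etc/sudoers.d/bacula-console tim backupops /usr/sbin/bconsole
```

Afterwards, `sudo -l -U tim` lists exactly what that account is allowed to run.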

Pamela Owens

Aug 2, 2024, 2:10:57 PM
to jax...@googlegroups.com
Thanks so much Pat and Tim for the responses! 

Tim, your explanation of the original design of Windows vs Linux was really helpful—and simple. That alone was a better summary than what I've found online so far. I'm not familiar with most of the other systems you mentioned, so I can see that there is a lot to dig into and learn here (especially as someone who does not work in tech). And Pat, thanks for sharing your thoughts on the security side. This is great insight and the security aspect is what first got my curiosity up to begin with, and prompted me to consider exploring alternatives to Windows. Thank you both for extending the meeting invite - that's very kind. Are all of the meetings in person, or can people attend virtually? I can't make the August one, but I will aim to attend one this fall. 

Thanks again, 
Pamela 



JaxSmart Admin

Aug 4, 2024, 6:19:57 PM
to JaxLUG
Pamela, I'm Michael. Check your Gmail. I sent you some info.

MJB

Tim Holloway

Aug 4, 2024, 10:01:23 PM
to jax...@googlegroups.com
Hi Pamela,

I should have replied sooner, but I've just finally gotten some sanity after upgrading my servers + having my Internet line get fried. After that, what's an impending hurricane? :)

Many organizations take the Summer off, so keep an eye on this board for meeting announcements. In times past, we have had online meetings and video transcriptions of them, though what the current strategy is, I couldn't say.

As I get more and more reclusive, actually getting up and showing at a meeting is something I almost never do. But I do hang around online.

Addressing security and Linux. You can certainly find plenty of info on the legacy security facilities Linux got from Unix. Users and groups. You can also, if you're interested, dig deeper into the security underpinnings like PAM (Pluggable Authentication Modules), although for the most part you won't have to deal with them directly.

Then there's selinux, which brings military-grade security. It adds a whole extra set of attributes to fine-tune what can be done by whom and where. It's also kind of confusing, so a lot of people turn it off. But recent distros are more or less set up to have all the proper selinux configurations applied as you install packages, so it's no longer as necessary to decide between fighting it and switching it off.

Also, selinux has an in-between mode ("permissive"). It's good for setting up security without interfering with productivity, since it can log "illegal" operations without actually blocking them.

The last few days, selinux and I have been having lots of fun together, as many of my systems run services in containers and I've been adapting them to run as non-root users (for better security!).

   Tim

Pat Augustine

Aug 5, 2024, 9:32:23 AM
to jax...@googlegroups.com
I agree. They’ve been gradually improving the base security since Windows 7. I run Windows 11 and I think it’s better yet, but it does have some real issues with weirdness from time to time. Why does it forget my graphics driver? Who knows.

Systemd is one of those divisive things amongst Linux/Unix folks. I, myself, HATE systemd and I think they are purposely destroying much of the Unix philosophy and taking away some of our flexibility by replacing “small tools that do one job well” with a monolithic tool that gradually takes over everything. Other people are very pleased with it. And to be fair, it’s not the first to try to solve some of the problems that come from our base “init” application having been designed in the 1960s (though the SysV version was written in the 1980s). 

Sun, for example, implemented SMF (Service Management Facility) to handle processes like services. To do so they had to add XML files to what was previously a simple init script so that the running operating system knew how to get the state of managed services and could restart them if they failed (a function init itself never had). You still had run levels, you still had human-readable configuration, and you gained some simple “service” commands (similar in effect to systemctl commands added by systemd). I, personally, prefer SMF but it’s not available in Linux. 

One of the more common complaints about systemd is not technical, but rather that the lead developer is a bit of a jerk and doesn’t take user issues and bugs seriously if they come from outside his team. This is not uncommon behavior for particularly smart people, admittedly, but it does rub me wrong.

Let me be clear, though, that I come from a background of working in Enterprise companies, places like CSX or Merrill-Lynch and we have a different set of needs than the average home user or even small company. Runlevels are ignored by most Linux users, but not by Enterprise. We actually make sure that data center computers are not allowed to ever boot into a full GUI, for instance, by removing those programs completely.

The hobbyist, the home user, will never want to do that. They will want the full GUI and they will want features that data center servers never do. So my experience managing hundreds of servers is dramatically different than someone looking to use Linux at home and all of my comments must be taken in context here. For an average user, or even a new user, the difference between init and systemd is probably insignificant. The benefits of systemd - that it can detect when something crashed and clean it up and restart it - likely easily outweigh the learning curve to use it or the fact that the logs are written in binary and have to be read by special tools, things only serious admins will ever need to do.

We all have different backgrounds and different needs. I’ve managed Solaris, Tru64, actual AT&T SysV, AIX, RedHat, Suse and Debian installs in business environments. At Rackspace, everybody was allowed to run whatever distribution they wanted on their desktop, but for servers we had a shorter list. :)

As an example of the kinds of differences, things you’ll never have to deal with, EMC is a company that makes SANs (Storage Area Networks). These are huge cabinets full of disk drives that you divide up and connect to multiple computers, usually using fibre-channel fiber optic cables. If you have difficulty with your very expensive SAN and need to call EMC for support they have a support matrix of things they will talk to you about. If your computers/operating systems are not on the support matrix, you get no help from them at all. For many years the only Linux on the support matrix was RedHat and SuSE. When Ubuntu finally came out with a Long Term Support version, it was about 2 years before EMC added Ubuntu LTS to the support matrix. But if you are running Fedora or any of the desktop systems, they simply won’t talk to you. You are on your own. Now, in a home environment you would never do that, so it doesn’t matter. Those SANs are hundreds of thousands of dollars and that’s before you fill them with disk drives. I mention this only because I know some of my own biases are because I’ve had support issues in the past in an Enterprise space and I have to be cautious not to make someone who will never be in that environment leery of a product just because it wouldn’t be allowed in that space.

God I hope that makes sense and doesn’t seem like rambling!

--------------------------------------------
Pat Augustine

If you wish to send me encrypted mail, send to pat.au...@protonmail.ch


Tim Holloway

Aug 6, 2024, 2:14:46 PM
to jax...@googlegroups.com
I agree with Pat about systemd and Poettering.

On the other hand, I have found some reasons to appreciate it.

The original daemon manager was sysvinit/initd and it was simple. You had init scripts for each service. You could invoke them directly, although for some systems (like Red Hat), there was also a master "service" program that could invoke the system scripts.

Because the system scripts were just plain old scripts, you could make them understand any commands you wanted to and do anything you wanted to.

Systemd changed all that. Instead of init scripts, you had service descriptors. In software terms, that means moving from /procedural/ programming to /declarative/ programming. The virtue of declarative programming is that since you only have a limited syntax, you can automatically detect bad configurations. The curse of declarative programming is that you only have a limited syntax.

Some of the original problems with that have been fixed over the years. For example, systemd can now run pre/post service scripts.

The thing that ultimately reconciled me to systemd was that as my systems got more complex, the criteria for when a service could be started or stopped became more convoluted and initscripts weren't designed for that. In systemd, you can define what pre-requisites must be fulfilled before (or if) a service will start. So, for example, if I have my web pages stored on an NFS share, I can make my webserver dependent on my NFS share being up and mounted.

The flip side to this is that systemd has been slowly eating other simple subsystems. Systemd can automatically mount devices. But now if you edit your /etc/fstab, you have to tell systemd about it (daemon-reload).

The one part of systemd that I don't agree with is that it keeps logs in a binary database instead of simple text files as was historically done. I've never seen a clear advantage to that (especially if you're trying to pull logs off a dead system disk), and in fact, a lot of services continue to log to text files. Having said that, the original Unix/loggers were rather coarse-grained, and while journalctl logs aren't much better, they do have some filtering so that I don't get buried in firewall violations while looking for what went wrong with a systemd-managed service.

   Tim
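
Added example, not part of Tim's post: the web-server-waits-for-NFS dependency described above, expressed as a systemd drop-in, followed by the reload and the journal filtering he mentions. The unit name `httpd.service` and the path `/srv/www` are assumptions; use your own.

```shell
#!/bin/sh
# Added example (not from the thread): make a web server wait for the NFS
# share that holds its pages. httpd.service and /srv/www are assumed names.

# render_dropin MOUNT_PATH -> prints the [Unit] drop-in on stdout
render_dropin() {
    case $1 in
        /*) ;;
        *) echo "mount path must be absolute: $1" >&2; return 1 ;;
    esac
    cat <<EOF
[Unit]
# Require the mount unit(s) for this path and start only after them.
RequiresMountsFor=$1
# Order after the target that groups remote filesystems such as NFS.
After=remote-fs.target
EOF
}

# install_dropin ROOT SERVICE MOUNT_PATH
# ROOT is "" on a live system, or a staging directory when building an image.
install_dropin() {
    content=$(render_dropin "$3") || return 1   # validate before touching disk
    dir=$1/etc/systemd/system/$2.d
    mkdir -p "$dir" || return 1
    printf '%s\n' "$content" > "$dir/10-wait-for-mount.conf"
}

# apply_and_inspect SERVICE: run as root on the live system after installing.
apply_and_inspect() {
    systemctl daemon-reload || return 1   # the same reload an fstab edit needs
    systemctl show -p RequiresMountsFor -p After "$1"
    # Journal filtering: this unit only, warnings and worse, current boot.
    journalctl -u "$1" -p warning -b --no-pager
}

# Usage (as root):
#   install_dropin "" httpd.service /srv/www && apply_and_inspect httpd.service
```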