0

I'm thinking about migrating to Fedora, but I'm not a big fan of Gnome3 so I'm thinking about using their Cinnamon spin. I've read in the past arguments whether or not Linux Mint is as secure as other distros, so I had a question:

Is it possible for the Cinnamon DE to bring any "security problems" to the Fedora operating system, and actually degrade Fedora's security? And, is this the case in general? Are you better off just using the default environment from a security standpoint, or does using an environment you install yourself not really alter the security of Linux?

FWIW, I'm pretty new to Linux so I'm exploring the different options I have. I've also started to take my security more seriously (partially what prompted me to move towards Linux), and I had a hard time finding a good answer to this question. Hopefully someone can help!

astrobase_go
  • 1
  • 1
  • 3
  • 1
    It's hard to say whether this desktop environment is better than that. Both could have vulnerabilities. At any rate, be sure to install security updates as they come out to help mitigate this risk. – 700 Software Oct 11 '16 at 15:06
  • Most Linux, like Windows, is a classical OS, with user-accounts per user, and are subject to a similar set of badware or trojans which you may accidentally install. On the other hand, Android and Chrome OS offer separate user accounts or sandboxing respectively so that apps are isolated from each other. You may wish to consider obtaining the open-source version of one of these, for example CloudReady for Chrome OS, if your desktop needs are simple enough. – 700 Software Oct 11 '16 at 15:10
  • this question is bad, but the answer is good: http://security.stackexchange.com/questions/4641/why-are-people-saying-that-x-windows-is-not-secure – Neil McGuigan Oct 11 '16 at 17:26
  • The window manager or desktop environment is unrelated to the distribution, except insofar as what they install by default. You can install and use any WM or DE; I have a standard Ubuntu installation where I have replaced the desktop with Xfce, for example, because I happen to like that better. – user Feb 09 '17 at 21:59

4 Answers4

1

The key question is what untrusted inputs they process and how different the processing is.

Window managers do process icons and titles. Most of the time, they are trusted (they come from apps running with the same privileges), but – for example – some webpage might try to set a very long title, causing a bufferr overflow in the window manager. I believe that such threats are usually minor.

But desktop environment is not just window manager. It might use even a file indexer. I've recently seen an attack technique where a webpage causes a file download (Chrome saves such files by default) and exploits indexing engine. Because it can parse various types of files, attacker might have a large number of potentially vulnerable libraries to attack.

Desktop environment can also contains some widgets and utilities that download some data (e.g. weather forecast) over the Internet. Those are also somehow exposed to attackers.

If you are concerned about local security, you might want to compare screenlocks. However, screen locks work against less sophisticated attacks only.

To sum it up: When you are using traditional distros, there probably will not be significant differences, especially if you turn file indexing (if there is some present) off. Unless you use some totally bad desktop environment. However, if you are interested in securing your desktop OS, you might want to look at QubesOS. but this goes far beyond your original question.

v6ak
  • 609
  • 5
  • 12
0

You have mentioned that you are new to Linux. In which case, you can try out the main distributions such as Ubuntu to see how you go in terms of preference.

Now in terms of security, it's not a good approach to look at the question of "which distribution is the best for security" because you also need to consider what your use case is. Some people will find Qubes OS to be the best one for their use case, others will want to use Tails, other Whonix, others are fine with Ubuntu. Security-oriented distributions (like Whonix) will have certain features already available, like being able to send email over Tor.

If you are new to Linux (espcially if you are coming from environments like Windows, or some areas are not familiar to you like using the shell), I would suggest first going with a mainstream operating system like Ubuntu 16.04 LTS and then trying out the less mainstream options out there. But ultimately, a lot of the time what you define is security is fairly broad.

NASAhorse
  • 310
  • 1
  • 7
0

Using a different Desktop Environment shouldn't affect the security of the Fedora core. What can happen is that the DE you install has some vulnerabilities on top of that

Telling if a DE is more secure than other is hard to say and IMO has no sense to ask. What is more interesting is to know which ones have a better process to handle vulnerabilities once they're discovered

I would pick a regularly maintained DE. A good disclosure policy from the maintainers is nice to have, specially if you're subscribed to the security newletters that some organizations offer (f.e. I'm a Debian user and I receive almost daily mails about new security patches and which vulnerabilities they patch). This is IMO the best approach as you can look now for the "securest" software for your use case but nothing ensures it will remain secure forever

Mr. E
  • 1,954
  • 9
  • 18
-1

When it comes to security, then the major concern you should have is Network based applications. like apache, varnish, nrpe, Java based web server, or any network aware application, that accepts connections from outside world , sitting on your server/desktop. the more ports (network based apps) you open, at more risk your server/desktop is at.

As far as i know, desktop applications are nothing but non-network Local applications, which generally do not pose much threat to security as they dont listen on ports acting as servers for certain requests. so In this POV, Desktop applications dont pose much of security risk

Hamza Islam
  • 204
  • 1
  • 9
  • 2
    Desktop Applications could still contain vulnerabilities. For example, buffer overflow attacks on image thumbnails. However, you are generally correct that the risk is quite a bit lower than that of a network-accessible service. – 700 Software Nov 10 '16 at 18:09
  • I think you may be confusing desktop environments and desktop applications. The original question was asking about desktop environments, such as Gnome, KDE, Cinnamon, etc. Also, non-networked desktop applications can also be a threat vector. Think of all of the issues associated with Adobe's PDF reader on windows. – Dan Landberg Feb 09 '17 at 22:29