Security compared to other distributions like Ubuntu, Fedora, OpenSUSE

For some time I have wanted to switch from Ubuntu to Arch, EndeavourOS more particularly, but there are some things about the security that concern me. I stumbled on this opinion on Reddit about Arch mirrors and the unsigned database:

The packages, yes, but not the database file. You’re at the mercy of the mirror not to serve you a compromised file (be it of their own malice or after a compromise). Since the database is parsed as root, this means a bug in Pacman could lead to a total system compromise from a bad database file. This issue has been unresolved for over a decade.

Pacman runs everything as root, while apt (and others) drop to a dedicated user for downloading and verifying signatures.

I’m not very educated on this matter, so I’m not sure how true it is. If it is, are there any steps that I can take to minimize the possibility of such a threat?

Ubuntu and Fedora ship with preconfigured mandatory access control. I played around in a VM and installed AppArmor on EndeavourOS; it comes with some default profiles loaded. Are they sufficient? Are they as effective as the ones on Ubuntu and Debian, or do I have to write profiles myself? There are some extra profiles too, but it says that they are not mature enough.

Also, is there some kind of security control over the repos? How is it compared to Ubuntu, Fedora, OpenSUSE?

1 Like

I am not an expert by any means, but allow me to just think out loud about your concerns, maybe I will learn something new.

I believe this is a step in the right direction. I have been distrohopping for about a year, tried everything even BSD, Gentoo, Slackware based distros and settled for a year now on EndeavourOS.

Regarding security, so far so good. Not a single issue. I haven’t even read about a security issue with EndeavourOS.

Doesn’t the same apply -theoretically at least- to other distros and servers?

With all due respect:
1- For almost a quarter of a century I have never heard of an issue that was not sorted out within a couple of days, or hours even.
2- I am seriously suspicious about the neutrality and objectivity of whoever said this (given point 1); he is either trying to drive users away from Arch / Arch-based Linux or promoting something!
3- His use of the word “decade”, don’t you think it is way too exaggerated?!
4- If this is a real issue, do you think the developers of Arch and Arch-based distros would not “convert” for a decade?

I am technically not sure of this, but as far as I know, ANY distro would need to be root to be able to install/update anything! Won’t this dedicated user have root privilege to be able to install/update?
I believe EndeavourOS won’t install/update anything unless verified.

Simple thinking, not just anybody has access to the repos.

My humble understanding is that a developer has access -ONLY- to the package/software he is developing, not to others! Someone correct me if I am wrong.

My final humble point of view. Just go ahead, as I said I am on EndeavourOS for a year without a glitch!

I do agree with @limotux. Most installation systems like pacman need su privileges (as far as I know). Otherwise, they can’t access the root files. Not just pacman, apt in Debian, and dnf in Fedora/RedHat use sudo to gain su privileges.

I don’t know what the poster on Reddit wanted to do there, but unlike other OSes which don’t use package management systems, Arch or any other does moderate their repositories. They don’t let everyone put whatever in there.

For that, they have the AUR (Arch User Repository). But one always can look at the PKGBUILD file to see what commands get executed. As many would agree it’s the user’s responsibility to check the PKGBUILD file prior to installing the package.

But many of these files have been checked and deemed safe by the community around Arch. If there’s anything bad, someone will always capture it and it will be marked to remove the package. This is the best thing about open source.

I leave you with a few links to read.

Also, I’ve been on Arch/Endeavour for some time now (Almost 2 years). I had no issues with it. I took some time to make the distro fit me. And never looked back.

Thank you @s4ndm4n
I will take this as a compliment and have a bit more self-confidence.

Only Wondoze can do that without requesting root privilege!

So, it is not just the developer, this adds more security.

I mentioned I am a bit suspicious about his intentions. He either has something in mind or he doesn’t know enough about Linux.
I can’t imagine such “serious issue” in Linux for over a decade…!

My rule of thumb especially with Linux, any Linux distro, just install, better follow the defaults, only the defaults and that’s all.
It will be more than enough security and stability if you are just using your machine for day to day work or home use.
I hope this makes your life easier.

Yeah, they tried to do that by adding UAC which asks the user if he/she wants to give admin or system-level access. But the issue is we can’t see what’s within the .exe file and what commands it’s going to execute while setting things up.

Arch does have a security team that keeps things safe. But if they miss something, the awesome Arch community is there. And even with Arch-based distros, they pull things from the main repos and maintain a very small number of their own repos. Except for Manjaro (I think), they got their own thing going there. But even that is vetted for bad code.

This is why I trust Linux/open-source stuff more than any closed-source stuff. Even on Windows (work lap) I use open-source stuff rather than closed-source (unless I have no choice).

My advice to OP is to put Arch or Endeavour on a virtual machine and use it for some time there. Then decide if he/she wants to make the move or not.

Using a VM will keep his personal (host) OS safe and his data. Until he makes sure Arch has what he’s looking for.

Nothing is more secure than the person in front of the screen :slight_smile: .

1 Like

I am technically not sure of this, but as far as I know, ANY distro would need to be root to be able to install/update anything! Won’t this dedicated user have root privilege to be able to install/update?
I believe EndeavourOS won’t install/update anything unless verified.

I think it’s about pacman downloading files. Here are some relevant links:

https://lists.archlinux.org/archives/list/pacman-dev@lists.archlinux.org/thread/FAEQGU6PWYOSRURILYSKH3PNU6XAQHJ7/

https://wiki.archlinux.org/title/DeveloperWiki:Repo_DB_Signing
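
An added example (not part of the thread, and not pacman's own code): a small audit of a pacman.conf for the two settings this discussion turns on, the SigLevel applied to packages versus the sync database, and whether DownloadUser (a pacman.conf option since pacman 7.0, not mentioned in the thread) is set so that downloads do not run as root. The sample config, the `thirdparty` repo and the function names are constructed for illustration; the per-repo overlay is a simplified model and Include files are not followed.

```python
# Constructed sample for illustration; on a real system read /etc/pacman.conf.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional
#DownloadUser = alpm
[core]
Include = /etc/pacman.d/mirrorlist
[thirdparty]
SigLevel = Optional TrustAll
Server = https://repo.example.invalid/$arch
"""

def apply_siglevel(levels, value):
    """Overlay SigLevel tokens on a {'Package': ..., 'Database': ...} dict."""
    levels = dict(levels)
    for tok in value.split():
        targets = ("Package", "Database")      # unprefixed tokens apply to both
        for prefix in targets:
            if tok.startswith(prefix):         # e.g. DatabaseOptional
                targets, tok = (prefix,), tok[len(prefix):]
                break
        if tok in ("Never", "Optional", "Required"):  # trust tokens not modelled
            for t in targets:
                levels[t] = tok
    return levels

def audit(conf_text):
    """Return findings for non-required signatures and root downloads."""
    section, opts, repos = "options", {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments only begin a line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "options":
                repos.setdefault(section, {})
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        (opts if section == "options" else repos[section])[key] = val
    base = apply_siglevel(dict.fromkeys(("Package", "Database"), "unset"), opts.get("SigLevel", ""))
    findings = []
    if "DownloadUser" not in opts:
        findings.append("options: no DownloadUser, downloads run as the invoking user")
    for name, kv in repos.items():
        for target, level in apply_siglevel(base, kv.get("SigLevel", "")).items():
            if level != "Required":
                findings.append(f"{name}: {target} signatures {level}")
    return findings
```

On the sample, the `core: Database signatures Optional` finding is the unsigned-database situation the quoted Reddit comment describes, while the `thirdparty` findings show a repo whose packages would be accepted without a signature.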

Thanks @Fingon
Now I have better understanding of what OP is talking about. Though I still think he should not be really worried.
Unfortunately I am not up to that level, but as long as it is Linux I feel safe, especially if it is EndeavourOS.

Without doing any investigation, I don’t see anything there that is obviously untrue.

However, how large of a risk that really causes is up to you to determine.

Probably not. I think there are some additional profiles in AUR. However, I have never used them or looked at them.

The packages in the repos are signed. The servers you connect to are mirrors maintained by 3rd parties.

When you think about security, you have to start with what risks you are trying to stop before jumping to solutions. Just trying to “make the system more secure” often leads to the opposite happening if you don’t know what you are doing.

4 Likes

Arch leaves your system’s security to you; setting that all up for you would be a huge undertaking and IMO go against the KISS model of Arch.

AppArmor defaults are not good if you’re looking for security; you would have to create your own profiles for it when it comes to Arch, or use community-made ones. When it comes to MAC you really aren’t going to find a better default setup for desktop/workstation use than Fedora. Arch (and through Arch largely EOS also) is about as OOTB as you’ll get with major Linux distros. The setup and security is in your hands for MAC, etc.

The repos regardless of distro could be contaminated by a bad actor potentially, so if you’re that concerned you should either build and maintain your own packages or simply keep an eye on the ones installed. This goes for Fedora, Ubuntu, etc., as you should treat anything you didn’t put together yourself as foreign and a threat.

These days all Arch repo packages are signed and verified when downloaded, and even if Apt downloads as a user and not root, that doesn’t remove the ability for a mirror or repo to be compromised, so IMO that’s just a bit of FUD targeting Pacman. Apt is no saint and has seen its fair share of issues over the years.

If you’re wanting the easiest means to have a default set of MAC, firewall setup, etc., I would recommend Fedora. If you want to learn to set it up yourself and have a better idea of what is going on, I would use Arch.

4 Likes

Wisely spoken. Some tools to consider when using Arch and trying to harden it (depending on the user’s day-to-day use & behavior) would be these, in no particular order:

linux-zen

firewalld or ufw - selinux or apparmor - firejail/firetools - opensnitch

unbound (for tls-upstream & filtering) or dnscrypt-proxy

tor-browser-bundle

:v:

You could always just install OpenSnitch as your firewall; it seems to work great for controlling which applications can access the internet and which cannot.