19 KiB
title, icon, description
| title | icon | description |
|---|---|---|
| Linux Overview | simple/linux | Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. |
Linux is an open-source, privacy-focused desktop operating system alternative. In the face of pervasive telemetry and other privacy-encroaching technologies in mainstream operating systems, desktop Linux has remained the clear choice for people looking for total control over their computers from the ground up.
Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed on this page.
Våra Linux-rekommendationer :material-arrow-right-drop-circle:{.md-button}
Privacy Notes
There are some notable privacy concerns with Linux which you should be aware of. Despite these drawbacks, desktop Linux distributions are still great for most people who want to:
- Undvik telemetri som ofta kommer med egna operativsystem
- Maintain software freedom
- Använd integritetsfokuserade system som t. ex. Whonix eller Tails
Open-Source Security
It is a common misconception that Linux and other open-source software are inherently secure simply because the source code is available. There is an expectation that community verification occurs regularly, but this isn’t always the case.
In reality, distro security depends on a number of factors, such as project activity, developer experience, the level of rigor applied to code reviews, and how often attention is given to specific parts of the codebase that may go untouched for years.
Missing Security Features
At the moment, desktop Linux falls behind alternatives like macOS or Android when it comes to certain security features. We hope to see improvements in these areas in the future.
-
Verified boot on Linux is not as robust as alternatives such as Apple’s Secure Boot or Android’s Verified Boot. Verified boot prevents persistent tampering by malware and evil maid attacks, but is still largely unavailable on even the most advanced distributions.
-
Strong sandboxing for apps on Linux is severely lacking, even with containerized apps like Flatpaks or sandboxing solutions like Firejail. Flatpak is the most promising sandboxing utility for Linux thus far, but is still deficient in many areas and allows for unsafe defaults which permit most apps to trivially bypass their sandbox.
Additionally, Linux falls behind in implementing exploit mitigations which are now standard on other operating systems, such as Arbitrary Code Guard on Windows or Hardened Runtime on macOS. Also, most Linux programs and Linux itself are coded in memory-unsafe languages. Memory corruption bugs are responsible for the majority of vulnerabilities fixed and assigned a CVE. While this is also true for Windows and macOS, they are quickly making progress on adopting memory-safe languages—such as Rust and Swift, respectively—while there is no similar effort to rewrite Linux in a memory-safe language like Rust.
Välja din distribution
Inte alla Linux-distributioner är skapade lika. Our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, but our recommendations are aligned with the following guidelines. These are a few things you should keep in mind when choosing a distribution:
Utgivningscykel
Vi rekommenderar starkt att du väljer distributioner som ligger nära de stabila uppströmsutgåvorna, ofta kallade rullande utgåvor. Detta beror på att frysta utgåvor ofta inte uppdaterar paketversioner och hamnar bakom säkerhetsuppdateringar.
For frozen distributions such as Debian, package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes (particularly for less popular software) do not receive a CVE ID at all and therefore do not make it into the distribution with this patching model. As a result, minor security fixes are sometimes held back until the next major release.
Vi tror inte att hålla paket tillbaka och tillämpa tillfälliga patchar är en bra idé, eftersom det skiljer sig från hur utvecklaren kan ha avsett att programvaran ska fungera. Richard Brown has a presentation about this:
Traditional vs Atomic Updates
Traditionellt sett uppdaterar Linuxdistributioner genom att sekventiellt uppdatera de önskade paketen. Traditional updates such as those used in Fedora, Arch Linux, and Debian-based distributions can be less reliable if an error occurs while updating.
Atomic updating distributions, on the other hand, apply updates in full or not at all. On an atomic distribution, if an error occurs while updating (perhaps due to a power failure), nothing is changed on the system.
The atomic update method can achieve reliability with this model and is used for distributions like Silverblue and NixOS. Adam Šamalík provides a presentation on how rpm-ostree works with Silverblue:
"Säkerhetsfokuserad" distribution
Det råder ofta viss förvirring mellan "säkerhetsfokuserade" fördelningar och "pentesting"-fördelningar. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch, or Parrot OS. Dessa distributioner är offensiva distributioner för penetrationstestning som innehåller verktyg för att testa andra system. De innehåller ingen "extra säkerhet" eller defensiva åtgärder som är avsedda för vanlig användning.
Arch Linux baserade distributioner
Arch and Arch-based distributions are not recommended for those new to Linux (regardless of distribution) as they require regular system maintenance. Arch does not have a distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies on your own as they supersede older practices.
For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a mandatory access control system, setting up kernel module blacklists, hardening boot parameters, manipulating sysctl parameters, and knowing what components they need such as Polkit.
Anyone using the Arch User Repository (AUR) must be comfortable auditing PKGBUILDs that they download from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened in the past.
The AUR should always be used sparingly, and often there is a lot of bad advice on various pages which direct people to blindly use AUR helpers without sufficient warning. Similar warnings apply to the use of third-party Personal Package Archives (PPAs) on Debian-based distributions or Community Projects (COPR) on Fedora.
If you are experienced with Linux and wish to use an Arch-based distribution, we generally recommend mainline Arch Linux over any of its derivatives.
Additionally, we recommend against these two Arch derivatives specifically:
- Manjaro: Denna distribution håller tillbaka paket i två veckor för att se till att deras egna ändringar inte går sönder, inte för att se till att uppströmsversionen är stabil. När AUR-paket används byggs de ofta med de senaste -biblioteken från Arch:s arkiv.
- Garuda: They use Chaotic-AUR which automatically and blindly compiles packages from the AUR. Det finns ingen verifieringsprocess för att se till att AUR-paketen inte drabbas av attacker i leveranskedjan.
Linux-libre-kärnan och "Libre"-distributioner
We recommend against using the Linux-libre kernel, since it removes security mitigations and suppresses kernel warnings about vulnerable microcode.
Mandatory access control
Mandatory access control is a set of additional security controls which help to confine parts of the system such as apps and system services. The two common forms of mandatory access control found in Linux distributions are SELinux and AppArmor. While Fedora uses SELinux by default, Tumbleweed defaults to AppArmor in the installer, with an option to choose SELinux instead.
SELinux on Fedora confines Linux containers, virtual machines, and service daemons by default. AppArmor is used by the snap daemon for sandboxing snaps which have strict confinement such as Firefox. There is a community effort to confine more parts of the system in Fedora with the ConfinedUsers special interest group.
Allmänna rekommendationer
Enhetskryptering
De flesta Linux-distributioner har ett alternativ i installationsprogrammet för att aktivera LUKS fde. Om det här alternativet inte är inställt vid installationstillfället måste du säkerhetskopiera dina data och installera om, eftersom krypteringen tillämpas efter diskpartitionering, men innan filsystem formateras. Vi föreslår också att du raderar din lagringsenhet på ett säkert sätt:
Växla
Consider using ZRAM instead of a traditional swap file or partition to avoid writing potentially sensitive memory data to persistent storage (and improve performance). Fedora-based distributions use ZRAM by default.
If you require suspend-to-disk (hibernation) functionality, you will still need to use a traditional swap file or partition. Make sure that any swap space you do have on a persistent storage device is encrypted at a minimum to mitigate some of these threats.
Wayland
We recommend using a desktop environment that supports the Wayland display protocol, as it was developed with security in mind. Its predecessor (X11) does not support GUI isolation, which allows any window to record, log, and inject inputs in other windows, making any attempt at sandboxing futile.
Fortunately, Wayland compositors such as those included with GNOME and KDE Plasma now have good support for Wayland along with some other compositors that use wlroots, (e.g. Sway). Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in hard maintenance mode. If you’re using one of those environments, it is as easy as selecting the “Wayland” session at the desktop display manager (GDM, SDDM).
Vi rekommenderar mot om du använder skrivbordsmiljöer eller fönsterhanterare som inte har stöd för Wayland, till exempel Cinnamon (standard i Linux Mint), Pantheon (standard i Elementary OS), MATE, Xfce och i3.
Proprietär fast programvara (uppdateringar av mikrokod)
Some Linux distributions (such as Linux-libre-based or DIY distros) don’t come with the proprietary microcode updates which patch critical security vulnerabilities. Some notable examples of these vulnerabilities include Spectre, Meltdown, SSB, Foreshadow, MDS, SWAPGS, and other hardware vulnerabilities.
We highly recommend that you install microcode updates, as they contain important security patches for the CPU which can not be fully mitigated in software alone. Fedora and openSUSE both apply microcode updates by default.
Uppdateringar
De flesta Linuxdistributioner installerar automatiskt uppdateringar eller påminner dig om att göra det. Det är viktigt att hålla operativsystemet uppdaterat så att programvaran korrigeras när en sårbarhet hittas.
Some distributions (particularly those aimed at advanced users) are more bare bones and expect you to do things yourself (e.g. Arch or Debian). Dessa kräver att du kör "pakethanteraren" (apt, pacman, dnf, etc.) manuellt för att få viktiga säkerhetsuppdateringar.
Dessutom hämtar vissa distributioner inte uppdateringar av den fasta programvaran automatiskt. For that, you will need to install fwupd.
Verktyg för integritet
Randomisering av MAC-adresser
Many desktop Linux distributions (Fedora, openSUSE, etc.) come with NetworkManager to configure Ethernet and Wi-Fi settings.
It is possible to randomize the MAC address when using NetworkManager. Detta ger lite mer integritet i Wi-Fi-nätverk eftersom det är svårare att spåra specifika enheter i nätverket du är ansluten till. Den gör dig inte anonym.
We recommend changing the setting to random instead of stable, as suggested in the article.
If you are using systemd-networkd, you will need to set MACAddressPolicy=random which will enable RFC 7844 (Anonymity Profiles for DHCP Clients).
MAC address randomization is primarily beneficial for Wi-Fi connections. For Ethernet connections, randomizing your MAC address provides little (if any) benefit, because a network administrator can trivially identify your device by other means (such as inspecting the port you are connected to on the network switch). Randomisering av Wi-Fi- MAC-adresser beror på stöd från Wi-Fi-programmets fasta programvara.
Andra identifierare
Det finns andra systemidentifierare som du bör vara försiktig med. Du bör fundera på om detta gäller för din hotmodell :
- Värdnamn: Systemets värdnamn delas med de nätverk du ansluter till. Du bör undvika att inkludera identifierande termer som ditt namn eller operativsystem i ditt värdnamn och i stället hålla dig till generiska termer eller slumpmässiga strängar.
- Användarnamn: På samma sätt används ditt användarnamn på olika sätt i systemet. Överväg att använda generiska termer som "användare" snarare än ditt faktiska namn.
- Machine ID: During installation, a unique machine ID is generated and stored on your device. Consider setting it to a generic ID.
System Counting
The Fedora Project counts how many unique systems access its mirrors by using a countme variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
This option is currently off by default. We recommend adding countme=false to /etc/dnf/dnf.conf just in case it is enabled in the future. On systems that use rpm-ostree such as Silverblue, the countme option is disabled by masking the rpm-ostree-countme timer.
openSUSE also uses a unique ID to count systems, which can be disabled by emptying the /var/lib/zypp/AnonymousUniqueId file.