April 2017 PLUG Meeting Announcement & Notes

[Jason]

We should have a very busy meeting. Never tried four topics before! And it's this Monday, April 3, 2017.

More details here:
http://plugintolinux.ca/node/417

[Jason]

Background: Linux Mint 18.1, depending on what setting you choose when you first open the Update Manager, may hide or show but deselect certain patches. Some of these may be security patches so the issue came up in this topic of whether this is a good idea for beginners. My presentation was just an attempt to get at the heart of the issue by analyzing the security updates not installed by default by the Update Manager in some configurations.

First, note the attached screenshot. When you first run the Update Manager, this screen is presented to you. So the option is available, right from the start to Always Update Everything if you wish.

Linux Mint has a level system when it lists patches, 1 through 5. Patch levels 1-3 are either known to be safe from testing or not tested but probably safe. When we use safe here, we mean that system stability won't be affected and programs or the OS won't "break". Level 4 and 5 patches are hidden in the Don't break my computer! setting which is for novices. They are displayed but unselected in the Optimize stability and security setting which is for most users and shown and selected in the Always update everything setting which is for experienced users. Patches that are for security (and they could be at any level) are marked with an exclamation point on the left-hand side in the update list.

I chose the setting for novices but went into preferences of Update Manager after to make visible the level 4 and 5 patches just so we could look at what was hidden and unselected. Initially, I had to install a couple of patches for the Update Manager. After they were quickly installed, then there were 77 patches in the list, two of which were not selected and were security patches. One was for the kernel and the second was for linux-firmware. See the second screenshot.

This led me to an investigation of what the kernel update was for and how worrisome it might be that it wasn't installed by default for novices. The patch was to update to 4.4.0-71.92. The changelog said it was of low urgency which suggested it wasn't that a big deal but I investigated further. I found this in the Ubuntu Security Notice USN-3249-1 (emphasis mine):

It was discovered that the xfrm framework for transforming packets in the
Linux kernel did not properly validate data received from user space. A
local attacker could use this to cause a denial of service (system crash)
or execute arbitrary code with administrative privileges.

Local attacker means that this patch is to prevent a crash or execute code with admin privileges, both bad things, but only from somebody with physical access to the machine and an account. It can't happen from the net. This might not even be an issue for servers, but it's for sure not an issue for a novice since it's not likely nowadays that they're sharing a computer. If you acknowledge the possibility that any kernel update could break something (the kernel is the core of the OS after all and talks to hardware), then this is likely an update it makes sense for most users to avoid, but especially beginners.

The kernel version used in a default install of Linux Mint 18.1 is 4.4.0-53 so I wanted to check if there were other kernel fixes that were now rolled into 4.4.0-71.92 between these versions and found a few.

4.4.0-70.91 patch had an urgency of low and seemed to involve snaps and AppArmor, two features I doubt beginners would use, anyway.

4.4.0.67-88 fixes this vulnerability that you'd need physical access to the machine to hack.

4.4.0-64 was to fix seven vulnerabilities, six of which also required a local attack vector and the seventh could succeed only in crashing the system from an unprivileged (not having admin) account. I assume this could be a remote account, too. Keep in mind though that Linux Mint doesn't have any remote login software installed.

The other security update not enabled for install (or shown in a default novice setting) has an urgency of medium and it was the patch to update to linux-firmware version 1.157.8. I was less able to find information about this issue. I only have the bug report to go by and I didn't understand much in it. It was found in the summer of 2016, but it suggests this was an interim fix until it was rolled into the kernel. So it may be that this update is no longer needed? I'm not really sure. In any case, the only fallout from it appears to be that a driver for hardware might crash. If anybody knows more about this or can help explain it, I'd love to hear it. Here's the bug report.

My conclusion: Though it's early to tell, as Linux Mint 18.1 KDE (the version I used) came out in January 2017, I would argue that the defaults are relatively safe for beginners and even most users. Out of the 10 vulnerabilities that are patched, only one of them is vulnerable remotely and even then an account is required. I can't see how this would be an issue on a single user desktop, especially one that by default doesn't have SSH enabled. Add to that that most users have a firewall that blocks ports anyway. Once you start opening ports on your firewall and install and configure SSH, you're no longer a beginner. I do understand that some people want to install all patches regardless of how it might affect system stability to have everything current and that's certainly your choice. But I don't think it's something that beginners should fight with. And LM gives you the option to do it all, if you wish.

Check out the links and tell me what you think, preferably here as I don't want to clutter up this topic with discussion since it's for notes.

Interesting aside, I found out that LM 18.1 uses the 4.4 kernel series and so does Ubuntu 16.04 LTS (Long Term Support). Each LM release since 17 is also an LTS release so it makes sense that they use the LTS kernel from Ubuntu. Ubuntu 16.10 uses 4.8 kernel series.
Source: https://wiki.ubuntu.com/Kernel/FAQ#Kernel.2FSupport.Ubuntu_Kernel_Release_Schedule

And finally, Mint's Update Manager does show all the updates. When you run sudo apt upgrade and see more updates, that's because LM puts updates that are related to each other in the same patch as I demonstrated at the meeting. 300+ updates showed up as 77 patches in the Update Manager.

[Jason]

I'd like to give special thanks to all the presenters. It was really cool seeing the Raspberry Pi setups of Bill and Mike and Brian's presentation on how he monitors desktops and servers was super informational. And is was very well-attended.

[fox]

For my presentation, I promised to add notes enabling folks to set up their Raspberry Pi to either dual boot, boot from a usb drive or both. Even if you want to boot from a USB drive, the Pi has to start from an SD card, which can be configured to direct the booting process to another drive. Dual booting can be accomplished through the Noobs software or Berryboot, and either can also be used for USB booting. Both Noobs and Berryboot images can be downloaded free from the web, and both include options for installing media systems openELEC and libreELEC, both of which utilize Kodi.

NOOBS
General information and downloading: https://www.raspberrypi.org/documentation/installation/noobs.md
Configure and set up dual boot: https://github.com/raspberrypi/noobs#how-to-create-a-custom-os-version

Berryboot
General information and installation: http://www.berryterminal.com/doku.php/berryboot
Configure and set up dual boot: https://www.howtogeek.com/141325/how-to-multi-boot-your-raspberry-pi-with-berryboot/
Download Berryboot OS images: http://berryboot.alexgoldcheidt.com/images/

While I was able to find several articles dealing with booting from a USB drive, none worked exactly as described. What I ended up having to do was to edit two files (/boot/cmdline.txt and /etc/fstab) to change the boot drive from SD to USB. The USB drive designation is usually going to be /dev/sda2 and that's what you substitute for the SD card designation. Here are some instructions I used to carry out the process (create partition on USB drive, copy boot os(es) from SD card to USB drive, fix config files to boot from USB drive):
https://learn.adafruit.com/external-drive-as-raspberry-pi-root/hooking-up-the-drive-and-copying-slash
https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md
http://forums.plugintolinux.ca/index.php/topic,187.0.html

[ssfc72]

Thanks very much for posting your info, Mike!

[bobf]

Wow! Great stuff goin' on! Boy, I hated to miss Brian's presentation! Jason, thanks for the comprehensive breakdown on LM GUI updating. Being the guy that always does all of the updates, it's of very great interest to see that the LM system is well thought out and seems very capable at maintaining stability without undue risk, something I've been wondering about for some time now, but never quite found the time to check out!

And I'm still going to be the guy who gets to be first to break stuff, if there's something in there that gets wonky and tries to take everything else with it! <^8#