Ubuntu Server: Good Concept, Flawed Execution - Page 2

By Carla Schroder | Posted Nov 19, 2007

Missing Sudo and Root Users

The installer prompted me to create only an unprivileged user, which is standard for Ubuntu. Ordinarily this would be a sudo user with full administrative privileges. But that didn't happen — my user was an ordinary unprivileged user who did not exist in /etc/sudoers. So there I was with a server that I couldn't do anything with. Until I booted with a rescue CD and fixed it by resetting the root password, that is.

You always need a "real" root user anyway; some commands don't work with sudo, and the ext3 file system reserves 5% exclusively for the root user, so if a user process goes nuts and fills up the filesystem, the root user can still save the day.

Security

Just like Debian, Ubuntu starts services immediately after installation. (Run netstat -untap as root to see what ports are open.) So out of the box your server is open for business. I would rather that none of them start until I've had a chance to configure some access controls, and am darned good and ready to start them. So be extra careful until you have things configured the way you want.
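One way to turn that netstat check into a repeatable post-install audit, as an added example that is not from the article: the function below reads `netstat -untap` output and reports only the sockets reachable from the network (non-loopback TCP listeners and UDP sockets), which are the ones to lock down before the box goes anywhere near the Internet. The sample output is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Reads `netstat -untap`
# output and lists the sockets that accept traffic from the network,
# i.e. what is "open for business" right after installation.

# Constructed sample of `netstat -untap` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1300/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1350/apache2
tcp        0      0 192.168.1.10:22         192.168.1.20:50122      ESTABLISHED 1400/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient
udp        0      0 127.0.0.1:123           0.0.0.0:*                           950/ntpd'

# exposed_listeners: read netstat output on stdin, print "proto port program"
# for every socket reachable from another host. TCP must be in LISTEN state;
# UDP has no State column, so every UDP socket counts. Sockets bound to
# loopback (127.x.x.x, ::1) are skipped since they cannot be reached remotely.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }            # skip header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next } # skip established TCP connections
        {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "localhost") next
            prog = ($1 ~ /^tcp/) ? $7 : $6     # program column differs for UDP
            sub(/^[0-9]+\//, "", prog)         # drop the PID, keep the name
            print $1, port, prog
        }'
}

# count_exposed: number of network-reachable sockets in the sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}

# On a live server replace the sample with: netstat -untap | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the sample this reports sshd on 22, apache2 on 80 and dhclient on 68, and stays quiet about mysqld and ntpd because they are bound to loopback.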

AppArmor is supposed to be the "real world" alternative to SELinux. Unfortunately there is nothing included that explains the default AppArmor configuration, or how to modify it.

Of course you get iptables for packet filtering, just like in any Linux.

Ubuntu pulls packages from Debian Testing, Unstable, and even Experimental. These are not supported by the Debian security team. In addition, the default repositories (/etc/apt/sources.list) include Universe and Multiverse, which come with these scary messages:

"## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team..software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team....."

Summary

This turned into a long ole review, so let's sum up. First the good stuff: It's an easy, one-CD installation. It's a lean, barebones package selection with no lard, which I like because it's easier to add things than to wade through and figure out what needs to be deleted.

Some users might have an expectation that Ubuntu Server will be all shiny and easy like Ubuntu Desktop. It's not—you need to know what you're doing, because it doesn't do any hand-holding. It's an honest-to-gosh proper server with no X windows or GUI tools cluttering it up. You can have a GUI via remote administration; for example, Webmin is a high-quality and popular remote GUI administration tool for servers.

The bad stuff: Poor documentation on the Ubuntu-specific customizations; it's too hard to find out what's in it before downloading it. Bleeding-edge package versions are scary for servers, and I question the effectiveness of putting something like AppArmor on a system that is already security-questionable. LAMP security is famously difficult even with conservative package choices and careful attention to security patching. Quality control seems in need of some quality control.

Regarding expectations, I expect that with the funding, resources, and commercial aspirations behind Ubuntu, it should be a marvel of quality, security, and stability, and with the awesomest documentation of all. Debian succeeds at all of these with hardly any funding. Debian and Fedora both show how release notes should be done.

The concept behind Ubuntu Server is wonderful: a lean, carefully-selected batch of packages that gets you up and running quickly, and that you can easily add to as you need. I can see using Ubuntu Server as a LAN server, and as a training server, but I think opening it up to the Internet is asking for trouble.
