Physical and Network Security: Disk encryption and boot loader password protection are two very important security features that you may use to boost the physical security posture of any operating system. And until I can figure out how to encrypt the root partition on Mandriva 2011, or until somebody can show me evidence that it can be done, I just say that support for disk encryption is only partial.
The situation with the boot loader password protection makes my head spin. On August 2, 2011, I wrote a tutorial on how to install Mandriva 2011 on a btrfs file system. For that article, I used a second release ISO installation image, and in the second paragraph, I wrote that “Though the second release candidate still spots some bugs, the installer will not change when the stable edition is released on August 29, 2011.” Was I wrong!
This is the screenshot of the boot loader configuration step I used in that article.
And this is one from the same step in the stable release. Can you spot the difference? Do you know why the security feature was removed?
Still on physical security, even something as simple and as basic as screen-locking (screensaver) is not enabled by default.
With regard to network security, by default, the system is left completely unprotected by a firewall: the firewall is not enabled. As far as I can recall, this is the first Mandriva desktop edition that shipped with the firewall disabled out of the box. Shown below is the main interface of the graphical firewall in its default state.
I do not know what informed the decision to disable the firewall out of the box, but whatever it is, the decision is a bad one, especially given that a new installation (of Mandriva 2011) has ports 111, 139 and 445 open. The latter two ports point to a running instance of the Samba server. I do not know how easy or difficult it is to compromise a Samba server, but protecting it with a firewall will make any attempt a little bit more difficult.
For the record, the first paragraph of the Network and Internet Connection Management documentation (Chapter 3.1) of Mandriva 2010.2, states that, “By default, your computer is protected by a firewall so as to avoid bad surprises such as intrusions into your system.” If that statement is true for Mandriva 2010.2, it should be true of Mandriva 2011 or any other distribution or operating system.
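One way to check the open ports mentioned above on a fresh install, as an added example that is not part of the original review: it parses the kernel's /proc/net/tcp table and lists TCP listeners that are not bound to loopback. The sample table is constructed, the function names are hypothetical, and the code assumes IPv4 on a little-endian (x86) machine.

```python
import socket
import struct

# Ports the review reports open on a fresh install, with their usual service assignments.
REPORTED = {111: "rpcbind/portmapper", 139: "Samba (NetBIOS session)", 445: "Samba (SMB)"}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real system).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0A00A8C0:8F2C 0101A8C0:01BD 01 00000000:00000000 00:00000000 00000000   500        0 1005 1
"""

def decode_ipv4(hex_addr):
    """Decode the hex address field (native-endian 32-bit value; little-endian assumed)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def exposed_listeners(table_text):
    """Return (address, port) pairs for LISTEN sockets not bound to loopback, sorted by port."""
    found = set()
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established connections and malformed rows are not listeners
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_ipv4(hex_addr)
        if not addr.startswith("127."):  # loopback-only services are not reachable remotely
            found.add((addr, int(hex_port, 16)))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))

def report(table_text):
    """One line per exposed listener, labelled if it is a port the review names."""
    return [f"{addr}:{port}  {REPORTED.get(port, 'not named in the review')}"
            for addr, port in exposed_listeners(table_text)]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        text = SAMPLE
    print("\n".join(report(text)))
```

With the firewall disabled, every listener this reports is reachable from the network the machine is attached to; IPv6 listeners live in /proc/net/tcp6 and are not covered here.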
Final Thoughts: There are so many new and good features on Mandriva 2011, and so many things that are wrong with it too. The good features are not exactly perfect, but they point to a brighter future. What really bothers me are the things that are wrong with it. And that is because they are so minor and so in-plain-sight that I wonder how the QA missed them. Are there any QA’s left in Mandriva?
Considering that this was a major and highly expected release of a major Linux distribution, did anybody in management bother to take it for a spin to see if basic features work? I have visions of Steve Jobs getting involved in every phase of his company’s product development. There does not seem to be a Steve Jobs in Mandriva’s management team.
None of the shortcomings of Mandriva 2011 will stop me from upgrading one of my permanent test systems running Mandriva 2010.2, but my laptop, which I use for serious stuff, on which physical security is just as important as any other feature, will continue running the old system until I figure out how to configure disk encryption when installing my favorite Linux distribution. If you know how, let me know.
Resources: DVD-sized ISO installation images for 32- and 64-bit platforms may be downloaded from here, and the Release Notes are here. Support questions may be posted here and on Questions and Answers.
Screenshots: View more screenshots from test installations of Mandriva 2011.
A login screen of Mandriva Desktop 2011. Keep in mind that this is not the default login screen, but a custom one on one of my test machines. Guest account and user management on Mandriva 2011 gives step-by-step instructions on how to make one for your system.
TimeFrame tab of the ROSA Launcher or SimpleWelcome. By default, it is not functional. Nepomuk has to be enabled first. See how to customize Mandriva 2011 on how to enable it.
The main view of the KDE Plasma Netbook interface. Note that the Rocketbar has been replaced with the traditional KDE panel on the Desktop interface. That is why the Rocketbar is not visible at the bottom of the interface.