Linux Hardening — Trivia & Interesting Facts
Surprising, historical, and little-known facts about Linux security hardening.
SELinux was created by the NSA and released as open source
Security-Enhanced Linux was developed by the National Security Agency and released under the GPL in December 2000. It was merged into the mainline kernel in Linux 2.6.0 (December 2003) as the first user of the then-new Linux Security Modules (LSM) framework. The irony of the NSA contributing to open-source security was not lost on the community, especially after the Snowden revelations. Despite the controversy, SELinux remains the most fine-grained mandatory access control system in mainline Linux: every process and object carries a label, and each access is decided by a compiled policy rather than by file path, which is what makes it both rigorous and hard to write policy for.
"chmod 777" is the most dangerous command that everyone learns first
Setting permissions to 777 (read, write and execute for everyone) is almost never correct, yet it appears in countless tutorials as a "fix" for permission errors. A world-writable /etc/passwd or /etc/shadow is an instant root compromise: any local user can write a password hash of their choosing into root's entry and log in. (sudo is stricter than the kernel here and refuses to run at all if /etc/sudoers is writable by anyone but root, so 777 on sudoers breaks sudo rather than granting root; a world-writable script or binary that root later executes is just as fatal, though.) The permission error the tutorial was trying to fix is almost always a wrong owner or group, which chown or a group membership fixes without opening the file to everyone, and auditing for world-writable files (find with -perm -0002) is a standard hardening check. The prevalence of 777 in tutorials is often called the single most harmful piece of advice in Linux education.
The sticky bit was originally about memory, not deletion protection
The sticky bit (chmod +t) on a directory now means that only a file's owner, the directory's owner or root may delete or rename files in it, which is why /tmp is mode 1777. Its original purpose in early Unix was completely different: set on an executable, it told the kernel to keep the program's text segment "stuck" in swap space after the process exited so the next invocation started faster. Demand paging and page caches made that optimization obsolete, the bit on regular files became meaningless (Linux ignores it there), and the directory meaning was adopted instead.
Linux capabilities replaced the all-or-nothing root model
Before capabilities, a process either ran with the full power of uid 0 or with none of it. Linux capabilities (added in kernel 2.2, 1999) split root's power into distinct units, 41 of them as of CAP_CHECKPOINT_RESTORE (number 40, added in 5.9), such as CAP_NET_BIND_SERVICE (bind to ports below 1024) and CAP_SYS_PTRACE (trace arbitrary processes). File capabilities (2.6.24, 2008) let a binary carry them, so a web server can bind to port 80 as an ordinary user without root's ability to write raw block devices or load kernel modules. The caveat is that many capabilities are root-equivalent on their own: CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETFCAP, CAP_CHOWN and CAP_FOWNER each give a direct path back to full root, so "runs without root" only means something once you have read the process's CapEff mask.
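The practical way to check that claim is to decode the CapEff line of /proc/[pid]/status, which the kernel prints as a hex bitmask (bit n = capability n). The script below is an added example, not code from the page: the name table is the capability numbering from <linux/capability.h>, the ROOT_EQUIVALENT set is this example's own assessment, and the status excerpt in SAMPLE_STATUS is constructed (its mask 00000000a80425fb is Docker's default capability set).

```python
"""Decode the capability bitmasks in /proc/[pid]/status (added example, not from the page)."""
import re

# Capability numbering from <linux/capability.h>: index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# This example's assessment: each of these alone gives a direct path to full root
# (write /etc/passwd, load a module, ptrace a root process, set file caps, ...).
ROOT_EQUIVALENT = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SETFCAP", "CAP_CHOWN", "CAP_FOWNER",
}

# Constructed /proc/[pid]/status excerpt; the mask is Docker's default set.
SAMPLE_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def decode_caps(hexmask):
    """Names of the set bits of a CapXxx mask; bits newer than the table come out as CAP_<n>."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(text):
    """All five capability sets (inheritable, permitted, effective, bounding, ambient) from status text."""
    return {
        m.group(1): decode_caps(m.group(2))
        for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", text, re.M)
    }


def process_caps(pid="self"):
    """Live lookup of a process's capability sets."""
    with open(f"/proc/{pid}/status") as fh:
        return parse_status(fh.read())


def root_equivalent(names):
    """Which of the given capabilities would let the process become full root."""
    return sorted(ROOT_EQUIVALENT.intersection(names))


if __name__ == "__main__":
    caps = parse_status(SAMPLE_STATUS)
    print("effective:", ", ".join(caps["CapEff"]))
    print("root-equivalent:", ", ".join(root_equivalent(caps["CapEff"])))
```

Run against a real process (process_caps(pid)) the effective set tells you whether "not root" means anything: a service whose CapEff is 0000000000000400 holds only CAP_NET_BIND_SERVICE, whereas the Docker default set above still carries CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_SETUID and CAP_SETFCAP, each of which is enough to regain full root inside the container's user namespace. The same decoding applies to the output of getpcaps and to the CapBnd line, which is what limits a process's descendants.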
AppArmor was Novell's answer to SELinux's complexity
AppArmor began life as "SubDomain", developed by Immunix Inc. (founded in 1998). Novell acquired Immunix in 2005, renamed the product AppArmor and open-sourced it, and it reached the mainline kernel in 2.6.36 (2010). It confines a program by file path rather than by security label, so a profile is a readable list of the paths, capabilities and network operations one program may use, while SELinux policy is written in a type-enforcement language, compiled, and depends on every file on the system carrying the correct label. Ubuntu shipped AppArmor by default from 7.10 (2007) specifically for that usability advantage, as SUSE, Novell's own distribution, already had. The cost of path-based control is that the policy follows the name, not the object: the same inode reached through a hard link, a bind mount or a renamed parent directory is not covered unless every path is listed, whereas an SELinux label stays with the file wherever it is.
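What "human-readable" means in practice: a complete profile for a hypothetical service binary, written as an added example rather than taken from the page or from any project's shipped profiles (the binary and directory names are assumptions).

```apparmor
# /etc/apparmor.d/usr.local.bin.hello-web   (hypothetical service; added example)
#include <tunables/global>

/usr/local/bin/hello-web {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,      # port 80 without running as root
  network inet stream,
  network inet6 stream,

  /usr/local/bin/hello-web mr,      # the binary itself: map executable + read
  /etc/hello-web/** r,
  /var/www/hello-web/** r,
  owner /var/log/hello-web/*.log w, # only files owned by the service's own uid

  deny /etc/shadow r,               # deny rules win over any allow from an include
  deny /home/** rwx,
  deny /proc/*/mem rw,
  audit deny /root/** rwx,          # log every attempt, not just block it
}
```

Load it with apparmor_parser -r, start in complain mode with aa-complain so violations are only logged, and let aa-logprof turn the logged denials into rules before switching to enforce. Note the path-based caveat applies directly: "deny /etc/shadow r" does nothing for a hard link to the same inode under another name, so the profile relies on the allow list being tight rather than on the deny line.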
/dev/mem access was the original rootkit vector
Direct read and write access to /dev/mem (physical memory) and /dev/kmem (kernel virtual memory) gave a root process a way to patch the running kernel without loading a module: the 2001 Phrack article "Linux on-the-fly kernel patching without LKM" and the SucKIT rootkit built on it worked through /dev/kmem. The CONFIG_STRICT_DEVMEM option, introduced around 2008 and enabled by default in mainstream distributions, limits /dev/mem to the first 1 MiB on x86 (the legacy BIOS and ISA ranges) and to non-RAM regions such as PCI device memory, which is what X servers and dosemu needed; /dev/kmem was removed from the kernel entirely in Linux 5.13 (2021). Without these restrictions any process holding CAP_SYS_RAWIO could rewrite kernel data structures directly. STRICT_DEVMEM alone is only a speed bump, since root can still load a module; closing that path is what the kernel lockdown LSM is for.
seccomp was originally for selling CPU time
Seccomp (secure computing mode) was added in Linux 2.6.12 (2005) by Andrea Arcangeli for CPUShare, a startup that wanted to rent out idle CPU cycles to strangers' code. The original strict mode still exists: once a thread enables it, only read, write, exit and sigreturn are permitted, and any other system call kills the thread with SIGKILL. That is usable only for pure computation over file descriptors opened in advance, which is why seccomp saw little adoption until Will Drewry's seccomp-BPF landed in Linux 3.5 (2012). In filter mode a classic BPF program receives the syscall number, the architecture and the argument registers and returns a verdict (allow, return an errno, trap, log or kill). That mode is what Docker's default profile, Chrome's renderer sandbox and systemd's SystemCallFilter= are built on.
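The filter below reproduces the 2005 strict-mode allow list as a seccomp-BPF program, assembled by hand and installed through prctl(2) with ctypes, so the instruction layout the kernel sees is visible. This is an added example, not code from the page or from any sandboxing project: the constants are taken from <linux/seccomp.h>, <linux/filter.h> and <linux/audit.h>, the syscall numbers are the x86_64 ones, and the small evaluate() interpreter exists only so a filter can be checked offline before it is installed.

```python
"""Hand-built seccomp-BPF filter installed via prctl(2) (added example, x86_64 syscall numbers)."""
import ctypes
import errno
import os
import platform
import struct

PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2
AUDIT_ARCH_X86_64 = 0xC000003E
# BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K
BPF_LD_W_ABS, BPF_JEQ_K, BPF_RET_K = 0x20, 0x15, 0x06
SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_ERRNO, SECCOMP_RET_ALLOW = 0x80000000, 0x00050000, 0x7FFF0000
OFF_NR, OFF_ARCH = 0, 4          # offsetof(struct seccomp_data, nr) / (..., arch)

# The 2005 strict-mode set (read, write, exit, sigreturn) plus exit_group, which is
# what libc and Python actually call to terminate. x86_64 numbers.
X86_64_STRICT = {"read": 0, "write": 1, "rt_sigreturn": 15, "exit": 60, "exit_group": 231}


def build_filter(allowed, arch=AUDIT_ARCH_X86_64, deny_errno=errno.EPERM):
    """BPF program as (code, jt, jf, k) tuples: wrong ABI -> kill (syscall numbers differ
    per ABI, so a filter without this check is bypassable via the 32-bit entry point);
    listed syscall -> allow; anything else -> the syscall fails with deny_errno."""
    nrs = sorted(set(allowed))
    prog = [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        (BPF_JEQ_K, 1, 0, arch),                     # ABI matches: skip the kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, OFF_NR),
    ]
    for i, nr in enumerate(nrs):
        # on match, jump over the remaining checks and the deny onto the final ALLOW
        prog.append((BPF_JEQ_K, len(nrs) - i, 0, nr))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | (deny_errno & 0xFFFF)))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return prog


def evaluate(prog, arch, nr):
    """Interpreter for the BPF subset used above: the verdict the kernel would return for (arch, nr)."""
    data, acc, pc = {OFF_NR: nr, OFF_ARCH: arch}, 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


class SockFprog(ctypes.Structure):   # struct sock_fprog
    _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]


def install_filter(prog):
    """prctl(PR_SET_NO_NEW_PRIVS, 1) is mandatory for unprivileged callers, then load the filter."""
    if platform.machine() != "x86_64":
        raise RuntimeError("syscall numbers in this example are x86_64 only")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    blob = ctypes.create_string_buffer(b"".join(struct.pack("HBBI", *insn) for insn in prog))
    fprog = SockFprog(len(prog), ctypes.addressof(blob))      # struct sock_filter[] behind it
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 or \
       libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.addressof(fprog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl failed")


def demo():
    """Fork, sandbox the child, and report over a pipe that open(2) now fails with EPERM."""
    r, w = os.pipe()
    if os.fork() == 0:
        os.close(r)
        install_filter(build_filter(X86_64_STRICT.values()))
        try:
            os.open("/etc/hostname", os.O_RDONLY)       # openat(2) is not on the list
            os.write(w, b"open succeeded: filter not active")
        except OSError as e:
            os.write(w, f"open denied: {e.strerror}".encode())
        os._exit(0)                                      # exit_group: allowed
    os.close(w)
    msg = os.read(r, 256).decode()
    os.wait()
    return msg


if __name__ == "__main__":
    print(demo())
```

The demo denies with SECCOMP_RET_ERRNO rather than killing so the child can still report what happened; a production filter for untrusted code normally uses SECCOMP_RET_KILL_PROCESS, because an EPERM from an unexpected syscall is often silently retried or ignored by the sandboxed code. Real policies also need the syscalls the runtime itself uses (brk, mmap, futex, close and so on), which is exactly the list Docker's and systemd's profiles maintain for you.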
The /proc filesystem leaks more information than most people realize
/proc/[pid]/ exposes each process's command line, environment, memory map, open file descriptors, cgroup membership and more. What an unprivileged user can read of other users' processes is uneven: cmdline, status, stat and cgroup are world-readable (so a password passed on a command line is visible to everyone through ps), while environ, maps, fd/ and mem are gated by the same check as ptrace and are readable only for your own dumpable processes or with CAP_SYS_PTRACE; /proc/[pid]/net is not per-process at all but shows the whole network namespace. The hidepid=2 mount option for /proc, added in Linux 3.3 (2012), hides other users' /proc/[pid] directories entirely (hidepid=1 leaves them listed but unreadable), and gid= exempts one group so monitoring agents keep working. Most distributions still do not enable it by default, partly because ps and top then show each user only their own processes.
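A quick audit of both sides of this: which /proc/[pid] files the current user can actually read for each process, whether anything is carrying a credential in argv, and whether /proc is mounted with hidepid. Added example, not from the page: the secret-in-argv regex is a heuristic of this example, and the /proc/mounts line and process list used for the checks are constructed.

```python
"""What /proc/[pid] exposes to an unprivileged user, and whether hidepid is on (added example)."""
import os
import re

# Heuristic of this example: common ways secrets end up in argv (and therefore in `ps`).
SECRET_ARG = re.compile(r"(?i)(?:^|--?)(?:password|passwd|pass|token|secret|api[-_]?key)[=:]\S")


def proc_hidepid(mounts_text):
    """hidepid= value of the /proc mount: '0' when unset, None when /proc is not listed.
    Kernels >= 5.8 also accept the names off/noaccess/invisible/ptraceable."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/proc" and f[2] == "proc":
            opts = dict(o.split("=", 1) if "=" in o else (o, "") for o in f[3].split(","))
            return opts.get("hidepid", "0")
    return None


def read_proc(pid, name):
    """Bytes of /proc/<pid>/<name>, or None where the kernel refuses. environ, maps, fd/ and mem
    are gated by ptrace access (same uid and dumpable, or CAP_SYS_PTRACE); cmdline, status and
    cgroup are world-readable unless hidepid hides the whole directory."""
    try:
        with open(f"/proc/{pid}/{name}", "rb") as fh:
            return fh.read()
    except (PermissionError, FileNotFoundError, ProcessLookupError):
        return None


def list_processes(proc="/proc"):
    """Every process this user can see, with its uid, argv and whether environ is readable."""
    procs = []
    for entry in (os.listdir(proc) if os.path.isdir(proc) else []):
        if not entry.isdigit():
            continue
        cmdline, status = read_proc(entry, "cmdline"), read_proc(entry, "status")
        if cmdline is None or status is None:
            continue                                   # exited, or hidden by hidepid
        uid = re.search(rb"^Uid:\s+(\d+)", status, re.M)
        procs.append({
            "pid": int(entry),
            "uid": int(uid.group(1)) if uid else -1,
            "argv": [a.decode(errors="replace") for a in cmdline.split(b"\0") if a],
            "environ_readable": read_proc(entry, "environ") is not None,
        })
    return procs


def secrets_in_argv(procs):
    """PIDs whose command line carries a credential: readable by every local user without hidepid."""
    return [p["pid"] for p in procs if any(SECRET_ARG.search(a) for a in p["argv"])]


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print("hidepid:", proc_hidepid(fh.read()))
    procs = list_processes()
    others = [p for p in procs if p["uid"] != os.getuid()]
    print(f"{len(procs)} processes visible, {len(others)} owned by other users,",
          f"{sum(p['environ_readable'] for p in procs)} with readable environ")
    print("secrets on a command line:", secrets_in_argv(procs))
```

Run as an ordinary user on a default mount, the other-users count is the whole system and the readable-environ count is just your own processes; with hidepid=2 the first number collapses to your own processes as well. The fstab form is an options string such as defaults,hidepid=2,gid=<monitoring group> on the /proc line, where the group holds the accounts that must still see everything.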
ASLR took over a decade to fully mature
Address Space Layout Randomization came to Linux through the PaX project in 2001. Mainline gained stack and mmap-base randomization in 2.6.12 (2005), brk (heap) randomization followed in 2008, and the main executable is only randomized if it is linked as a position-independent executable (PIE), which major distributions did not make the compiler default until 2015 to 2017. KASLR, which randomizes the kernel's own base address, was merged in 3.14 (2014) and enabled by default in 4.12 (2017). Modern ASLR therefore covers stack, heap, libraries, PIE executables, the vDSO and the kernel image, but one non-PIE binary or one leaked pointer (an address printed into a log) is enough to defeat it for that process.
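Whether a given binary benefits at all is a two-byte check: the kernel can only randomize the main image of an ET_DYN (PIE) executable, while an ET_EXEC image is loaded at its fixed link address no matter what randomize_va_space says. Added example, not code from the page: the header offsets are from the ELF specification (16-byte e_ident, then e_type), and make_elf_header only constructs the fields this check reads, as test data.

```python
"""Is ASLR on, and can this executable be randomized at all (added example)."""
import struct
import sys

ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def elf_type(header):
    """e_type of an ELF header: lives at offset 16, in the byte order given by e_ident[EI_DATA]."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"          # EI_DATA: 1 little-endian, 2 big-endian
    e_type = struct.unpack_from(endian + "H", header, 16)[0]
    return ELF_TYPES.get(e_type, f"unknown({e_type})")


def is_position_independent(path):
    """True when the kernel can load the main image at a random base (ET_DYN). For ET_EXEC
    only the stack, heap, libraries and vDSO move; the binary's own code, GOT and PLT do not."""
    with open(path, "rb") as fh:
        return elf_type(fh.read(64)) == "ET_DYN"


def randomize_va_space():
    """Kernel-wide switch: 0 off, 1 stack/mmap/vDSO, 2 also brk (the default). None off-Linux."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


def make_elf_header(e_type, little=True):
    """Constructed 64-bit ELF header (test data): magic, class, data, version, padding, e_type, e_machine."""
    e_ident = b"\x7fELF" + bytes([2, 1 if little else 2, 1]) + bytes(9)
    return e_ident + struct.pack(("<" if little else ">") + "HH", e_type, 62)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    print("randomize_va_space:", randomize_va_space())
    print(target, "is PIE" if is_position_independent(target) else "is NOT PIE (fixed load address)")
```

ET_DYN is also the type of shared libraries, so on an arbitrary file a full checker additionally looks for a PT_INTERP program header (an executable rather than a library) or the DF_1_PIE flag in the dynamic section; for a file you already know is a program, e_type alone answers the ASLR question. The same check is what readelf -h reports in its Type field.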
Fail2ban processes millions of log lines but is single-threaded
Fail2ban, the most widely deployed brute-force protection tool on Linux, tails log files (or the systemd journal), matches every line against a jail's regular expressions and, after maxretry hits from one address within findtime, inserts a firewall rule for bantime. It is written in Python: its threads share the interpreter lock, so in practice matching is serialized and each line a busy sshd emits is tested against every failregex of the jail. On hosts that see thousands of SSH attempts a minute fail2ban itself can fall far behind the log, which is why it belongs alongside controls that never parse a log at all (connection-rate limits in nftables or iptables, sshd's MaxStartups) and the more basic step of disabling password authentication.
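The core of what fail2ban does per jail fits in a few dozen lines, and running it over sample lines makes the findtime/maxretry interaction concrete. Added example, not fail2ban's own code: FAILREGEX is a subset of the patterns in fail2ban's sshd filter, and the lines in SAMPLE_LOG are constructed (TEST-NET addresses) to mimic OpenSSH's syslog format.

```python
"""A fail2ban-style jail over sshd log lines: failregex + findtime/maxretry/bantime (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of fail2ban's sshd failregex: one failed password attempt, capturing the source IP.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample: one scanner hammering, one probing slowly, one legitimate login.
SAMPLE_LOG = """\
Jan 12 10:00:00 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 50100 ssh2
Jan 12 10:00:01 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 12 10:00:09 bastion sshd[4103]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 12 10:00:20 bastion sshd[4104]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Jan 12 10:00:31 bastion sshd[4105]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:constructed
Jan 12 10:00:31 bastion sshd[4106]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jan 12 10:00:45 bastion sshd[4107]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 12 10:00:50 bastion sshd[4108]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 12 10:15:00 bastion sshd[4109]: Failed password for invalid user admin from 198.51.100.7 port 50101 ssh2
Jan 12 10:30:00 bastion sshd[4110]: Failed password for invalid user admin from 198.51.100.7 port 50102 ssh2
Jan 12 10:45:00 bastion sshd[4111]: Failed password for invalid user admin from 198.51.100.7 port 50103 ssh2
Jan 12 11:00:00 bastion sshd[4112]: Failed password for invalid user admin from 198.51.100.7 port 50104 ssh2
"""


def parse_line(line, year=2024):
    """(timestamp, ip) for a failed-login line, None for anything else. Syslog lines carry no year."""
    t, m = TIMESTAMP.match(line), FAILREGEX.search(line)
    if not (t and m):
        return None
    return datetime.strptime(f"{year} {t['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


class Jail:
    """Ban an IP after `maxretry` failures within `findtime` seconds, for `bantime` seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps still inside the window
        self.banned = {}                     # ip -> unban time

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban, else None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.banned:
            if ts < self.banned[ip]:
                return None                  # still banned
            del self.banned[ip]              # bantime elapsed
        window = self.failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # only the last findtime seconds count
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None


def run_jail(log_text, **params):
    """Feed every line through one jail and return the IPs banned, in order."""
    jail = Jail(**params)
    return [ip for ip in (jail.feed(line) for line in log_text.splitlines()) if ip]


if __name__ == "__main__":
    print("default jail bans:", run_jail(SAMPLE_LOG))
    print("maxretry=3, findtime=1h bans:", run_jail(SAMPLE_LOG, maxretry=3, findtime=3600))
```

With the defaults only the fast scanner is banned: the slow one never has five failures inside a ten-minute window, and catching it needs a longer findtime (the second run) or fail2ban's recidive jail. Every line, including the successful login, still costs a regex evaluation, which is the cost the section above describes; fail2ban's real patterns live in /etc/fail2ban/filter.d/sshd.conf and are considerably longer than the one here.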
The nobody user was meant to be powerless — but is often overloaded
The nobody user (UID 65534 on modern Linux, 99 on older Red Hat systems) was designed as a least-privilege account for untrusted processes; NFS root squashing maps remote root to it for the same reason. Running several services as nobody, however, is an anti-pattern: processes sharing a UID can signal each other, read each other's /proc entries, attach with ptrace wherever Yama does not forbid it, and share files in /tmp regardless of the sticky bit, which only separates different users. A compromise of one nobody service is therefore a compromise of all of them. Modern practice gives each service its own system user (or lets systemd allocate one on the fly with DynamicUser=) and a private /tmp.
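The systemd way to get both properties at once, for a hypothetical service, written as an added example rather than taken from the page or from any project's unit file:

```ini
# /etc/systemd/system/hello-web.service   (hypothetical service; added example)
[Unit]
Description=hello-web, running as its own transient user instead of nobody

[Service]
ExecStart=/usr/local/bin/hello-web
# systemd allocates a dedicated UID/GID for this unit at start and releases it at stop
DynamicUser=yes
# a private /tmp, so nothing is shared with other services even if UIDs ever collide
PrivateTmp=yes
# read-only OS image; writable state only where declared
ProtectSystem=strict
StateDirectory=hello-web
LogsDirectory=hello-web
# only the capability the service needs for port 80; everything else is gone
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

DynamicUser=yes already implies PrivateTmp, ProtectSystem=strict, RemoveIPC and NoNewPrivileges; they are spelled out above so the unit documents its own assumptions. systemd-analyze security hello-web.service scores the result and lists what is still open.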
Kernel lockdown mode was years in the making
The kernel lockdown LSM, merged in Linux 5.4 (2019), closes the ways in which root can modify or inspect the running kernel: raw /dev/mem and /dev/port access, unsigned module loading, kexec of unsigned kernels, and in the stricter confidentiality mode also reads of kernel memory through /proc/kcore and some perf and BPF features. Matthew Garrett first posted it in 2012 as part of the UEFI Secure Boot work, and it took roughly seven years of argument, chiefly over whether Secure Boot should imply lockdown at all, before it was accepted. It is what gives Secure Boot meaning: firmware only verifies the chain up to the kernel, so without lockdown a root user could still replace the verified kernel in memory. The current mode is readable from /sys/kernel/security/lockdown.