Mac vs. Linux: Which is More Secure?

To that, I’ll say I’m marginally more secure on Linux than on a Mac, but I prefer a Mac anyway. I can almost see my inbox filling with flames from you penguin lovers everywhere, but let me explain my opinion.

First, though, I’ll again caveat these opinions by saying that I’m not saying Linux is or isn’t more secure than Apple’s OS X. I’m saying that I’m marginally more secure on Linux than on a Mac. Here’s why.

• True to UNIX This may seem peculiar to many of you, but I find Linux’s security controls to be more true to the UNIX model they were patterned after. OS X, on the other hand, started with the UNIX model, but then diverged rather substantially.

The notion of root and even of the desktop user’s identity and security capabilities, for example, is completely different. The default desktop user, as I pointed out last month, has “administrative privileges,” but is not root per se. It’s just different.

To someone (like me) who is familiar with the UNIX security controls, this requires learning and adapting to the security extensions. In practice, I found myself configuring my OS X desktop environment to be more like a UNIX/Linux one, in that all my installed applications are owned by the real root user, for example, and that my desktop user identity has no “super powers” at all.

None of this was necessary on Linux, on the other hand, as everything that it does (at least at a user level) adheres to the established practices in UNIX. Thus, compartmenting files, users, data, etc., between the administrators and users is quite simple and entirely open to view, modify, and such.

Qualitative score: OS X gets a B- while Linux gets an A-.

• Obfuscation by “GUI-ization” In a similar vein, many of the security and connectivity details are obfuscated from the user’s view in OS X. Although this no doubt enhances its ease of use, it also degrades its ability to fine tune.

User account management is again an example here. The Accounts settings in the OS X Systems Preferences application allows the administrator to create, modify, or remove user accounts (which never show up in the /etc/passwd file, by the way), but the security controls are minimal. Essentially, an account can be designated as either a standard user or as an administrator.

Well, to be fair, the administrator can also control various parental controls that control which desktop applications a user can execute, but that’s about it.

Underneath that GUI exterior lies the normal security controls, including file access controls and such, of a normal UNIX system. You have to push aside the GUI to get to those things, though. (At least, as far as I’ve been able to tell.)

Qualitative score: OS X gets a C while Linux gets an A.

• User data confidentiality All of this UNIX obfuscation aside, OS X does have a nifty feature for protecting a user’s data files. It’s called FileVault, and it can be (optionally) enabled via the System Preferences app.

Basically, what FileVault does is it encrypts all of the user’s files using a symmetric encryption method. This helps protect the confidentiality of the data and reduces the disclosure, for example, of the data on a lost or stolen laptop.

My only confusion here is why Apple chose to make this an optional feature rather than an opt-out one. Perhaps it’s due to the performance hit that you get when you encrypt all your data.

Admittedly, there are a lot of data encryption options available to a desktop Linux user, but none seem to me to be as simple (or included by default) as FileVault.

Qualitative score: OS X gets an A- while Linux gets a D.