Fatdog64-720 and 721 Final [11 Jan 2018]

A home for all kinds of Puppy related projects
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#381 Post by rufwoof »

243MB FuguIta Live OpenBSD iso image (amd64) with rsshfs script added (into /sysmedia folder)

Create an empty /data folder in Fatdog. Unzip the iso (gzip -d command), burn it and boot it, make a note of your Fatdog IP, and in FuguIta/OpenBSD run the rsshfs script passing it your Fatdog IP, e.g.

Code:

cd /sysmedia
./rsshfs 192.168.1.4
That will just sit there, having (hopefully) mounted its /root/shared folder on Fatdog's /data mountpoint.

On OpenBSD switch to another console (ctrl-alt-F2), cd /root/shared and mount a HDD folder there, etc., and that will be reflected through to Fatdog's /data folder (mount point).

sshd needs to be running in Fatdog, and if you've the firewall on (eztables) then you'll need to allow ssh through (see earlier postings).

Likely if unfamiliar with OpenBSD you'll have to read up on how to identify and mount things under OpenBSD (also partially outlined in earlier posts). Here's a starter for mounting a USB drive: https://www.cyberciti.biz/faq/openbsd-m ... -harddisk/

Fatdog /etc/ssh/sshd_config

Code:

PermitRootLogin yes
PasswordAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 10000
Fatdog /etc/eztables/eztables.cfg

Code:

ENABLE_SYSLOG=1

DENY_SSH_BF=1
DENY_SSH_BF_IP="$DEFAULT_IF"
DENY_SSH_BF_PORT=22


GOOGLE_DNS1=8.8.8.8
GOOGLE_DNS2=8.8.4.4

DNS_SERVERS="
    
    $GOOGLE_DNS1
    $GOOGLE_DNS2
"

WEB="

    80/tcp
    443/tcp
"

DNS="

    53/udp
    53/tcp
"

NTP="

    123/udp
"

SSH="

    22/tcp
"

BASIC_SERVICES="

    $WEB
    $DNS
    $NTP
    $SSH
"

APPSERVER1=192.168.123.2

allow_in any $eth0 any "$SSH"
allow_out any any any "$BASIC_SERVICES"
allow_icmp any any 


# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops 
# incoming connections from that host. Beyond a burst of 100 connections we 
# log at up 1 attempt per second to prevent filling of logs.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT

# Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
# brute-force attacks.
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
Fuguita /sysmedia/rsshfs

Code:

#!/bin/sh
#
# Rufwoof September 2018
#
# OpenBSD LiveCD boot script to mount a local folder /root/shared to a remote /data mountpoint
# using reverse sshfs
# Once mounted you can mount HDD folder(s) to /root/shared on the OpenBSD box so that they
# are accessible from the remote machine's /data folder
#

if [ -z "$1" ]; then
  echo "Usage: rsshfs <IP>"
  echo
  echo "  Reverse sshfs mounts local folder /root/shared as a mount point /data on <IP>"
  echo "  The remote machine's /data folder must already exist and be empty"
  exit 1
fi
if [ ! -d /root/shared ]; then
  mkdir /root/shared
fi
if [ ! -d /root/shared ]; then
  echo "Unable to find/create /root/shared" >&2
  exit 1
fi

# A private FIFO closes the loop: the local sftp-server reads the remote
# sshfs's requests from the FIFO and writes its replies into ssh's stdin;
# the remote "sshfs -o slave" talks back through ssh's stdout into the FIFO.
# The pipeline blocks until the remote side unmounts /data.
fifo=/tmp/rsshfs-$$
rm -f "$fifo"
mkfifo -m 600 "$fifo" &&
    < "$fifo" /usr/libexec/sftp-server |
               ssh "root@$1" sshfs -o slave :/root/shared /data > "$fifo"
rm -f "$fifo"
PS: there is an option to
"5. optional: If you made a directory called "livecd-config" on any FFS partition, you can save all your files, installed packages, etc. on running FuguIta; then you can load them at next boot."
(see http://fuguita.org/index.php?FuguIta%2FBBS%2F7#h328b23e)
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]
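The SSHBRUTE chain in the eztables config above tags every logged attempt with the prefix iptables[SSH-brute]:, and only logs once a host has exceeded 10 new connections in 300 seconds. As an added example (not rufwoof's code and not part of Fatdog), here is a small sh/awk script that summarises those kernel log lines per source address; the syslog excerpt, hostnames, timestamps and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: summarise kernel LOG lines produced by the SSHBRUTE chain.
# Each logged line is a NEW TCP/22 connection from a source that already
# exceeded the 10-in-300s threshold, so even a single hit is worth a look.

# Constructed sample syslog excerpt (times, host and addresses are made up).
SAMPLE_LOG='Sep 28 10:01:02 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.4 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Sep 28 10:01:03 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.4 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Sep 28 10:01:05 fatdog sshd[1234]: Accepted password for root from 192.168.1.7 port 40000 ssh2
Sep 28 10:02:10 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.4 LEN=60 PROTO=TCP SPT=60001 DPT=22 SYN
Sep 28 10:03:44 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.4 LEN=60 PROTO=TCP SPT=51300 DPT=22 SYN'

# Read syslog lines on stdin; print "SRC count first_seen last_seen" for each
# source, most hits first. Lines without the SSH-brute prefix are ignored.
summarize_ssh_brute() {
    awk '
        index($0, "iptables[SSH-brute]:") == 0 { next }
        {
            src = ""
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
            if (src == "") next
            stamp = $1 " " $2 " " $3          # syslog month, day, time
            if (!(src in first)) first[src] = stamp
            last[src] = stamp
            hits[src]++
        }
        END {
            for (s in hits)
                printf "%s %d %s %s\n", s, hits[s], first[s], last[s]
        }
    ' | sort -k2,2nr
}

# Number of distinct sources that tripped the chain in the embedded sample.
count_brute_sources() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_brute | wc -l | tr -d ' '
}

# The chain's "-m limit --limit 1/second --limit-burst 100" caps logging, so
# for a noisy host the count is a floor on its attempts, not an exact total.
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_brute
```

In practice feed it the real log, e.g. grep 'SSH-brute' /var/log/messages | summarize_ssh_brute (with ENABLE_SYSLOG=1 as in the config above).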

FanDog
Posts: 30
Joined: Thu 25 May 2017, 18:13

mplayer complains of libbluray

#382 Post by FanDog »

Hello. Trying to get mplayer from Gslapt:

-- clicked update, mplayer appears on search;
-- libbluray was already installed; (perhaps it's a version thing?)
-- mplayer-static has the same problem (which is strange)

symptom:

Code:

# mplayer
mplayer: error while loading shared libraries: libbluray.so.1: cannot open shared object file: No such file or directory
Any help appreciated.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#383 Post by rufwoof »

Open a terminal and enter the commands ...

Code:

cd /usr/lib64
ln -s libbluray.so.2.0.1 libbluray.so.1

eowens2
Posts: 177
Joined: Wed 27 Aug 2008, 17:57

#384 Post by eowens2 »

I have downloaded Thunderbird 60.0 from Mozilla and created a package for Fatdog64-721 which installed without problem.

I used a thunderbird.desktop file from an earlier version, set up run-as-spot, created a /usr/bin symlink, etc., and everything seems to be working OK when clicking on 'thunderbird.desktop'.

The only problem is the desktop.thunderbird icon is a generic binary-looking icon. Where can I find a thunderbird '.png' file and where do I put it so that it shows up on the desktop associated with desktop.thunderbird?

smokey01
Posts: 2813
Joined: Sat 30 Dec 2006, 23:15
Location: South Australia :-(
Contact:

#385 Post by smokey01 »

eowens2 wrote: I have downloaded Thunderbird 60.0 from Mozilla and created a package for Fatdog64-721 which installed without problem.

I used a thunderbird.desktop file from an earlier version, set up run-as-spot, created a /usr/bin symlink, etc., and everything seems to be working OK when clicking on 'thunderbird.desktop'.

The only problem is the desktop.thunderbird icon is a generic binary-looking icon. Where can I find a thunderbird '.png' file and where do I put it so that it shows up on the desktop associated with desktop.thunderbird?
Just search for thunderbird.png in google. https://goo.gl/images/HDzPUh
Place it in /usr/share/pixmaps

eowens2
Posts: 177
Joined: Wed 27 Aug 2008, 17:57

#386 Post by eowens2 »

Hey smokey01,

That is great info.

Such a wide selection.

One of the 48x48 icons was exactly the right size.

Thank you!

dr. Dan
Posts: 96
Joined: Mon 20 Apr 2015, 17:45
Location: Oregon, U.S.A.

#387 Post by dr. Dan »

The link in the help files from the touchpad page to _xf86-input-libinput_ man page is broken. It seems to be missing on ibiblio.

FanDog
Posts: 30
Joined: Thu 25 May 2017, 18:13

Thanks

#388 Post by FanDog »

@rufwoof

Thanks! It works. As perhaps compensation, I'd suggest you check out the "video=" boot option, since it accepts an interface parameter before the resolution, like DVI, HDMI and whatnot, something that confused me, as it used to refer to drivers such as uvesafb and the like (as per the kernel documentation, which you also linked to). You may need to see dmesg for auto-detecting that; for example, Fatdog docs (or was it vanilla Puppy?) state a particular kind of DVI is more common and most likely what I needed, but it turned out to be different here.

btw, really liked your experiments. Many of which I've also been doing for quite some time now, if not as elegantly ;), as necessity forced my time and effort to be redirected there. Another thing to keep in mind, besides the compromised box stance, is that anything you set up to be able to do in software, an adversary would also be able to do, once compromised. You need a "Hardware Kill Switch" for that, eject in this case :-} but once one realizes that fact, removing a usb stick would do just as well. (though Eject is much easier to do remotely ;))

In other words, using a CD/DVD-R sounds great in principle, until you allow software to bypass its ROM nature. Tinycore for instance, allows a file/flag to be placed on the boot media to enable unmounting it after booting (maybe something to consider, if adding that to FD64)

Regarding X, if you look at the screenshot you took showing the CLI parameters for running processes, you see that, in FD, X is run with "-bs --nolisten", the latter for both tcp and local. Wouldn't that prevent most attacks, at least remotely? (disregarding gained access to spot, which would mean worse problems than that I guess)
Well, X is best avoided anyways.


@All

Really glad to hear about FatDog 800 at least being considered! \o/
If I may chip in, the only thing left for it to become my Ultimate Desktop Distro(tm) is to have Blender working with accelerated rendering. AMD, perhaps surprisingly (hehe), has done its part at least on the Blender Cycles* side. On the other hand AMDGPU seems to be having an uphill (upstream?:D) battle making its way into the kernel, yet I know I can run OpenCL on this hardware; I did back then with the fglrx driver. So I'm hopeful, but now people seem to be having lots of problems with the new stuff. OpenBSD btw likes AMD way more than it likes nVidia, so I'll probably be trying that soon. :)


Onwards!

* https://www.blendernation.com/2017/04/1 ... -par-cuda/

znekk
Posts: 10
Joined: Sun 22 Jul 2018, 21:37

#389 Post by znekk »

Hello.

I'd like to point out that the nluug.nl mirror link on the web page doesn't work for me; here is the right one, I believe:
http://ftp.nluug.nl/os/Linux/distr/fatdog/

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#390 Post by s243a »

I just last night updated to the latest version of Fatdog from either 710 or 720 beta (not sure). I think 710 beta. Anyway, I kept the same save file. To get Firefox to work I had to change the home directory of spot to the new location in /etc/passwd. The script to update the base sfs didn't work, so I replaced initrd with the original one I had from the 721 iso.

Anyway, one thing that I noticed is there is no menu option to exit the X server into the shell. Being able to exit the X server is helpful when running CPU-intensive applications like Freenet. So anyway, how do I exit the X server to the shell in Fatdog 721?
Last edited by s243a on Fri 28 Sep 2018, 17:11, edited 2 times in total.

znekk
Posts: 10
Joined: Sun 22 Jul 2018, 21:37

#391 Post by znekk »

On Fatdog64 721, you should be able to use the "ctrl+alt+backspace" shortcut, then startx to get back in.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#392 Post by s243a »

znekk wrote:On Fatdog64 721, you should be able to use the "ctrl+alt+backspace" shortcut, then startx to get back in.
lol, brainfart! The funny thing is I probably did exactly that yesterday, but today I was too focused on finding it on the menus. Thank you :)

Edit

ctrl-alt-backspace isn't working for me now. Maybe due to my system load being too high. Is there something I can type in the shell instead? Come to think of it, it might not have worked yesterday either.

SFR
Posts: 1800
Joined: Wed 26 Oct 2011, 21:52

#393 Post by SFR »

s243a wrote:Is there something I can type in the shell instead?
Yes:

Code:

wmexit terminal
You can also set the DONT_ASK variable to suppress the confirmation dialog:

Code:

DONT_ASK=true wmexit terminal
Greetings!
[color=red][size=75][O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource[/size][/color]
[b][color=green]Omnia mea mecum porto.[/color][/b]

smokey01
Posts: 2813
Joined: Sat 30 Dec 2006, 23:15
Location: South Australia :-(
Contact:

#394 Post by smokey01 »

Ctrl+Alt+Backspace

xwin to return.

znekk
Posts: 10
Joined: Sun 22 Jul 2018, 21:37

#395 Post by znekk »

Wmexit is a good one to know about... There are many great little utilities hidden in that Fatdog. :)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#396 Post by rufwoof »

For Fatdog 8, could /dev/fb0 and /usr/bin/gtksu (and perhaps su) permissions be changed to chown root:wheel? That sits better with convention, i.e. if you create a non-root userid as the default boot then allocating that userid to group wheel or not sets whether that user can run admin/root tasks/programs or not.

I'm LiveDVD booting FatDog directly into user X desktop and where that user has no admin access so it can't mount/access the HDD (and is restricted to selected folders on HDD when root has mounted the HDD). If I want to run admin tasks I just ctrl-alt-F2 and login as root to do that.

One issue with barring gtksu access/permissions is that root type tasks/programs are still visible, but when clicked nothing is returned, so in addition to the above some form of wrapper might also be desirable such as a pop up to say permission is denied.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#397 Post by rufwoof »

Don't like how save2flash (desktop save ram layer icon) runs even without root authority. Conceptually a hacker could make changes to their .profile or whatever and save those changes in a session that you might normally just boot and not save (assuming you're looking to reboot the exact same image each time you boot).

I changed my version of /usr/sbin/save2flash to include

Code:

# Re-run this script as root if it was started by an ordinary user
if [ "$(id -u)" -ne 0 ]; then
	if [ "$DISPLAY" ]; then
		# graphical session: ask for the root password via gtksu
		gtksu "run as root" "${0}" "${@}"
		exit
	else
		# console: ask for the root password via su. The script path and
		# its arguments go inside the -c command string; an extra argument
		# after -c "cmd" would be taken by su as a user name, not passed on.
		echo "Need to run as root. Enter root password"
		su -c "${0} $*" root
		exit
	fi
fi
at the top of the script and modified the ack request later in the code (around line 45 or so) to look like

Code:

	# acknowledge request
	bginfo "Request to save RAM layer content is queued. Please wait,
this message will disappear when the save has occurred ..."
... so now if you run save2flash as non-root you have to enter the root password in order to initiate a save.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#398 Post by rufwoof »

As outlined in earlier posts, I have Fatdog set to autologin to root cli, and in root's .profile I start tmux - that loads multiple tmux windows, one of which is to run X as user, so that the gui desktop automatically loads when the system is booted.

That has no entry of root or user passwords, so the password entry can't be captured by a dark-hat (hacker). Running the gui desktop as user does mean that actions requiring root could mean having to enter the root password - I've disabled that however i.e. I don't run su nor gtksu. Instead I ctrl-alt-f1 into the root cli/tmux session and run admin commands from there. To better facilitate running such commands using a dialog is quite nice, as one of my tmux windows can sit there with that dialog all ready to be used. An example is ...

Code:

#!/bin/sh
# Console admin menu, run as root in a tmux window on tty1.
# Every option except the exits calls _main again so the menu is redrawn.

_main () {
   # dialog writes the chosen tag to stderr, so capture it in a temp file
   tempfile3=$(mktemp /tmp/admin-dialog.XXXXXX) || exit 1
   dialog --title "Admin Tasks" \
           --menu "Please choose an option:" 17 50 15 \
                   1 "switch to users X desktop" \
                   2 "mount sda2" \
                   3 "umount sda2" \
                   4 "shutdown" \
                   5 "reboot" \
                   6 "show source code of this dialog" \
                   7 "run graphical gslapt on Users X desktop" \
                   8 "SAVE session" \
                   9 "exit/end users X session" \
                  10 "Exit this dialog" 2> "$tempfile3"

   retv=$?
   choice=$(cat "$tempfile3")
   rm -f "$tempfile3"
   # Cancel (1) or Esc (255) leaves the menu
   [ "$retv" -eq 1 ] || [ "$retv" -eq 255 ] && exit

   case "$choice" in
	1) chvt 4                       # same as ctrl-alt-F4: user's X desktop
	    _main
	    ;;
	2) mount /dev/sda2 /mnt/sda2
	    _main
	    ;;
	3) umount /mnt/sda2
	    _main
	    ;;
	4) DISPLAY=:0 DONT_ASK=true wmpoweroff
	    ;;
	5) DISPLAY=:0 DONT_ASK=true wmreboot
	    ;;
	6) dialog --textbox "$0" 0 0    # show this script's own source
	    _main
	    ;;
	7) DISPLAY=:0 gslapt &          # background it on the user's display
	    chvt 4
	    _main
	    ;;
	8) clear
	    save2flash
	    _main
	    ;;
	9) DISPLAY=:0 DONT_ASK=true wmexit terminal
	    _main
	    ;;
	10) exit
	    ;;
   esac
}
_main
that looks like the attached.

Note how for option 7, run gslapt, you can set that to open on the user's X desktop by prefixing the command with the DISPLAY value. For example, if I run DISPLAY=:0 galculator & in the root cli/tmux, then galculator (graphical calculator) will show on the user's X desktop, which that user can control, but it will be running as root. The ampersand at the end of the DISPLAY=:0 gslapt & command for option 7 just throws that action into the background, so the admin dialog is freed to carry on running other actions (rather than sitting there locked whilst waiting for the gslapt command to complete). chvt 4 is similar to pressing ctrl-alt-F4, i.e. it flips to the user's X window, so that after starting gslapt from the terminal you're automatically taken to the X window where gslapt (running as root) will be displayed.

Run that way, the desktop/X session and usual programs all run as user, so even if hacked, such as by breaking out of a browser session, the hacker cannot see files/folders owned by/restricted to root-only access; for example your data could be securely stored under root. They can't mount drives (assuming userid user is restricted to not have admin-type powers), etc. If they sit there waiting for a user or root password to be entered so they can capture it ... well, we don't do that, so they'll have a long wait. They could sit there waiting for a root X window to pop up and stuff their own choice of key strokes into that and gain root access that way, so some care still has to be taken (ideally better if root is run solely from the cli, but convenience-wise, such as running gslapt, some risk tolerance is acceptable/inevitable).

Generally a reasonable single-user desktop setup IMO is to have one partition as your boot/OS partition, with grub installed and perhaps a range of choices of OSs that you might boot, and where those guis run as user. And another partition that is used for your data, and, being less easily replaced, is primarily owned by root and managed using the cli. Like a vault in some respects, where selected files might be removed for user to use (edit using gui programs etc.) and later returned to that vault. Running everything as root in contrast is like having an open vault; likely your more precious/irreplaceable data is at risk of being copied/altered/deleted by anyone at any time.
Attachment: admin.png

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#399 Post by rufwoof »

I guess I should have used fatdog-control-panel.sh instead of gslapt as an example launch item in the post above ... as that encompasses gslapt as well. Using letters instead of numerics for each option is also nice ... r for reboot, etc., as then you just have to press a single character to jump to that menu item (and then Enter to run it). I've set tmux to automatically jump to that admin window as the default case once loaded and added xdotool key ctrl+alt+F1 as desktop and quicklaunch icons ... easier to jump to the console that way rather than having to press ctrl-alt-F1. As system messages can still show on the console, however, I've also added a redraw option to the tmux admin dialog (just a "clear" command before looping back around to _main), so that if the display of the menu/dialog is messed up with system text messages I can use a d) clear; _main ;; type entry to repaint/redraw it clean.

dr. Dan
Posts: 96
Joined: Mon 20 Apr 2015, 17:45
Location: Oregon, U.S.A.

a hard-working team

#400 Post by dr. Dan »

@Kirk, @James, @SFR and @step:

re: James' blog post.

Whew! Thanks to all of you! I'm looking forward to opening it up and seeing what's new.

Dan
