EasyOS version 2.3.2, June 22, 2020

For talk and support relating specifically to Puppy derivatives
wdt
Posts: 62
Joined: Tue 27 Dec 2011, 15:34

#1361 Post by wdt »

I decided to give easy a try, seems to work OK, even network manager,, BUT
it is a bit lacking and specifically this
I reflashed the firmware on a ryzen mb, and powered off and reloaded defaults
It had lost the ESP and nothing I could do would get it back
All it could boot was win(32bit) and easy,, BUT easy does NOT have efibootmgr
(and win is useless, even if it was an efi version, which it was not)
Eventually I made a refind usb stick and used efi shell and bcfg
Maybe if unplugged every drive except for the one with the ESP the firmware might have found it???
Anyway, if efibootmgr is too big, put efi shell and add a stanza to refind.conf
Sometimes, even if rarely, you need to deal with that, if nothing more than adjusting boot order
I could not find it with pup-get (efibootmgr)
I use refind as bootmgr, when it merges the easy ESP the icon is 3 paint cans,
you can pretty it by copying whatever icon to the easy ESP/EFI/BOOT/
and renaming it to BOOTX64.PNG (it has to be the "right" kind of icon of course)
ie cd /boot/efi/EFI/BOOT/icons; cp os_easy.png ../BOOTX64.PNG

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#1362 Post by greengeek »

Is the following link of any concern with regard to Easy's use of containers?

https://nakedsecurity.sophos.com/2019/0 ... -patch-now

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1363 Post by rufwoof »

greengeek wrote: Is the following link of any concern with regard to Easy's use of containers?

https://nakedsecurity.sophos.com/2019/0 ... -patch-now

Short answer, no.

That link highlights a flaw in runc that involves obtaining root cli inside, and using that to break out of the container. EasyOS easy container runs as root inside the container, but where capabilities are dropped (to the extent root inside the container is comparable to a restricted user) so even if a remote hacker achieves root cli they cannot break out of the container (chroot capabilities are dropped - and chrooting out of a container is the typical method to break out of the container. I posted such an exit-chroot a few posts earlier that enables breaking out of EasyOS main session back into the initrd cli (when the main session is started using chroot instead of switch root), but that code fails inside the easy container (lack of chroot capabilities)).
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Making a partition inaccessible to real root gui desktop

#1364 Post by rufwoof »

In follow up
A neat trick if you launch the main session using chroot rather than switch_root is that you can mount a partition from within the initial init before chrooting (init, within initrd)

.
.
mkdir -p /mnt/sda3
mount /dev/sda3 /mnt/sda3
exec chroot easy_new

... so that sda3 partition is already mounted ... to a mount point that is inaccessible to the main X/gui desktop real root session. So you boot to the normal/full root desktop, can see sda3 listed as a drive icon in the bottom left, but you can't mount or access the content of that, even though you are (full/real) root.

If you then exit X (to command line), and run exit-chroot (so you're back into the initial/small root cli) and then restart the main session again, but disabling chroot

capsh --drop=cap_sys_chroot --chroot=/easy_new --

then you can restart the X desktop again, but you can't even chroot back out of that. That does however also mean you can't launch any containers - as they depend upon chroot.

Whilst you can't access sda3 (in this example) via the main/real root desktop, you can ctrl-alt-Fn into another terminal session, login as root and exit-chroot from that, which then opens up /mnt/sda3 content (and you could copy files to/from that into the main desktop session i.e. cp /mnt/sda3/somefile.txt /easy_new/root/somefile.txt
(having something like mc within the initial init would be useful for such copying of files around **A)).

Even if the X desktop is hacked, then they can't access the initial/small cli - so can't get access to sda3, as the kernel has dropped chroot permissions (capsh). Only local access can gain access to sda3.

EDIT: **A ... Copied the mc bin into initrd's /bin, did a ldd on mc and copied the indicated libs over to the initrd's /lib, copied /usr/share/mc to the same in the initrd's (also copied /usr/share/mc and /mnt/wkg/home/mcedit ... and several other mc config files (filepos, history, ini, panels.ini, Tree)) ... and providing you TERM=linux export TERM before running mc within the initrd it all seems to work. initrd is now 11MB. A series of snaps ,,, in a pdf file (fake .gz, rename it without that) Actual tty snaps were taken using fbgrab. I've had to compress down the pdf so it could be uploaded so quality of the images is just modest.
Attachments
LQ-system-layout_reduce.pdf.gz
(187.39 KiB) Downloaded 170 times
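A way to check the capability drop described in the two posts above, as an added example that is not part of rufwoof's posts: it reads the capability masks from a /proc status file and reports whether cap_sys_chroot (bit 18 in linux/capability.h) is still held. The function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that cap_sys_chroot was
# really dropped for a session started with
#   capsh --drop=cap_sys_chroot --chroot=/easy_new --

CAP_SYS_CHROOT=18   # bit number of CAP_SYS_CHROOT in <linux/capability.h>

# Return 0 if bit $2 is set in the hex mask $1 (format used by /proc/PID/status).
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Report on the permitted, effective and bounding sets found in a status file.
# $1 = status file (defaults to the calling shell's own /proc/self/status).
# Returns 1 if any of the three sets still contains cap_sys_chroot.
chroot_cap_report() {
    rc=0
    while read -r key mask; do
        case $key in
            CapPrm:|CapEff:|CapBnd:) ;;   # only these three lines matter here
            *) continue ;;
        esac
        if cap_bit_set "$mask" "$CAP_SYS_CHROOT"; then
            echo "$key cap_sys_chroot PRESENT"
            rc=1
        else
            echo "$key cap_sys_chroot dropped"
        fi
    done < "${1:-/proc/self/status}"
    return $rc
}

# Usage inside the session being checked:
#   chroot_cap_report && echo "chroot() is not available to this session"
# CapBnd is the one that matters long term: a capability missing from the
# bounding set cannot be regained by executing another program.
```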

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1365 Post by rufwoof »

Further Security Hardening (my remastered version of) EasyOS
=======================================================

Personally I like to consider security from the angle that our home network is just as insecure as using our local libraries or any other network. Accordingly to use that untrusted network a pristine clean OS and system pre-configured to as-desired is the best approach. Accordingly I don't like to save potentially dubious sessions across reboots. For my EasyOS HDD frugal installed setup I've modified EasyOS so that my sda3 (data) partition is mounted within initrd (init), as that way once mounted the chroot (that I use instead of switch-root) cannot access that mount point, nor mount sda3 as it's already mounted. ctrl-alt-F1 (console cli) can however exit-chroot into the initrd's cli (I have mc installed in that to aid in moving files between sda3 and the main or easy containers areas). To 'get to' that sda3 a remote hacker has to break out of the Easy container and get to the main (real) root, and then break out of that real root into the initrd level cli (as not even real root in the main session can access sda3). A high enough series of hurdles for comfort.

I have my EasyOS set up so that it boots to initrd's init cli, and running startx from that loads up a init level mc (cli file manager) on ctrl-alt-F1, the main real root X desktop on ctrl-alt-f4 (when started the easy container X desktop loads to ctrl-alt-f3). So basically after booting I have initrd cli running mc on ctrl-alt-F1 (CA1), the main real root X on CA4 and the Easy container on CA3, with the intent that the bios boot code and grldr loader have been verified as clean, along with rolling back to known clean versions of the main system and easy container after each boot. As part of further hardening ...

BIOS
====

The MBR is basically a 512 byte segment on the very first sector of your hard drive and it is composed of 3 parts: the boot code (446 bytes long), the partition table (64 bytes long) and the boot code signature (2 bytes long).

To backup the boot code itself and nothing else:

Code:

# dd if=/dev/sda of=/tmp/mbr.img_backup bs=446 count=1

and restore with

Code:

# dd if=/tmp/mbr.img_backup of=/dev/sda bs=446 count=1

Also check the partition table and boot code signature i.e. as above, but using 512 instead of 446

sda1's grldr (file) should be checked (loader),

We can record diffs or checksums for the purpose of ensuring integrity

OS
==

Booting the same known clean OS and Easy Container

Code:

/mnt/sda1/easy/easyremastered/.session/.rollback.flg

format
,YYYYMMDDHHMM
i.e.

Code:

,201902181247

Restores for example ...

Code:

/mnt/sda1/easy/easyremastered/releases/easy-1.0/rw-201902181247.sfs

Which can be checksum or diff validated from records kept on sda3

Once (re)booted to a clean main system, can use the desktop easy containers manager to restore the Easy container, but to also ensure that hasn't been changed we checksum, diff or copy in our own known clean version ...

Container restored from for example

Code:

/mnt/sda1/easy/easyremastered/containers/easy/rw-201902180100.sfs

again using checksum or diff checked versions
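One way to keep the checksum records this post mentions, as an added example that is not rufwoof's own script: it hashes the 446-byte boot code and the full 512-byte sector separately, so a change to the partition table or signature can be told apart from a change to the boot code, and it covers files such as grldr and the rw-*.sfs snapshots. It assumes sha256sum is available and that paths contain no spaces; the function names and the baseline file format are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): record and verify boot-chain checksums.

# SHA-256 of the first $2 bytes of a disk or image file $1.
hash_head() {
    dd if="$1" bs="$2" count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Print a baseline for disk $1 plus any files given after it.
# Each line has the form "<label> <sha256>".
make_baseline() {
    disk=$1; shift
    printf 'bootcode %s\n' "$(hash_head "$disk" 446)"
    printf 'mbr512 %s\n'   "$(hash_head "$disk" 512)"
    for f in "$@"; do
        printf 'file:%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Re-hash everything listed in baseline file $1 against disk $2.
# Prints one "CHANGED: <label>" line per mismatch; returns 1 if any differ.
# "mbr512" changing while "bootcode" does not means the partition table
# or the 2-byte signature was altered, not the boot code.
verify_baseline() {
    rc=0
    while read -r label want; do
        case $label in
            bootcode) got=$(hash_head "$2" 446) ;;
            mbr512)   got=$(hash_head "$2" 512) ;;
            file:*)   got=$(sha256sum "${label#file:}" 2>/dev/null | cut -d' ' -f1) ;;
            *)        continue ;;
        esac
        if [ "$got" != "$want" ]; then
            echo "CHANGED: $label"   # a missing file hashes to "" and lands here
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage from the initrd cli, where sda3 is mounted (baseline.txt is a
# hypothetical file name; the other paths are the ones used in the post):
#   make_baseline /dev/sda /mnt/sda1/grldr \
#       /mnt/sda1/easy/easyremastered/releases/easy-1.0/rw-201902181247.sfs \
#       > /mnt/sda3/baseline.txt
#   verify_baseline /mnt/sda3/baseline.txt /dev/sda || echo "do not trust this boot"
```

The baseline only has value if it is stored where the session being checked cannot write to it, which in this setup is the sda3 mount held by the initrd.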

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1366 Post by rufwoof »

Doing an automatic restore/rollback of the main session to a known 'safe' version at each boot, I've also extended easy_version_control to include a shutdown option - that rolls back the Easy container to a known safe version as part of the shutdown process. I also changed the Cancel button label to a Quit label (as I have it otherwise loop back around again with a $0 & call rather than just exiting).

That Rollback/powerdown button is now my regular choice of powerdown (so when the system is next booted it starts with a pristine main session on ctrl-alt-F4 and a pristine Easy container on ctrl-alt-F3).
Attachments
capture9557.png
(53.49 KiB) Downloaded 1491 times

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#1367 Post by BarryK »

Version 1.0.8 is released. I wanted to get this release "out of the door", so that testers can try the new minibase-network utilities, that I have named "UltraSNS".

usns works for me, I can plug and unplug ethernet and wifi devices, and the network reconnects automatically. Whether it will be so good on other hardware remains to be seen.

See announcement:

http://bkhome.org/news/201902/easyos-x8 ... eased.html
[url]https://bkhome.org/news/[/url]

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#1368 Post by Sage »

Testing, testing, testing!
And thanks for the .iso, too!
Later.
USB & .iso
Wired USNS: yes, can plug and unplug infinitely.
Wifidongle: USNS works first time, but if unplugged and re-plugged, p/w panel is greyed out in USNS and not able to reconnect except using Dougal's SNS which seems to do an unplug routine before permitting re-entering P/W. Sounds reasonable?
No laptop test; could differ since wifi would be powered continuously.
Otherwise, pretty good & faster.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1369 Post by rufwoof »

BarryK wrote: I can plug and unplug ethernet and wifi devices, and the network reconnects automatically. Whether it will be so good on other hardware remains to be seen.

Unplug/replug works ok on my ethernet hardware/setup (hdd frugal install).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1370 Post by rufwoof »

Easy container, add a file to /mnt/wkg/home, close container, make a snapshot of the container, restore the container ... and the added file no longer exists.
Easy version control excludes /mnt when making a snapshot. What I did in 1.0 was to mv /mnt/wkg/home to /mntwkghome before making the mksquashfs - so the contents are preserved. As part of easy in the container (initial script run) I added a test to see if /mntwkghome exists and if so then replace the /mnt/wkg/home folder with that ... i.e restored the preserved contents.

I also adjusted /usr/sbin/set_bg to add at the end cp $1 /usr/share/background/default.jpg as a crude means to preserve Easy containers background when changed (otherwise it reverts to the default original).

Another change I made was to add a please wait prompt to easy_version_control's ec_rollback, that closes once the rollback has completed. As is it just closes as soon as you click a container rollback giving the appearance that it has finished, however for a large save area it can take 5+ seconds to complete the unsquashfs and if you start the container before then it can screw up the container/operation (unpredictable outcome).

The only other change I made was as per http://murga-linux.com/puppy/viewtopic. ... 64#1017564

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#1371 Post by BarryK »

Sage wrote: Wifidongle: USNS works first time, but if unplugged and re-plugged, p/w panel is greyed out in USNS and not able to reconnect except using Dougal's SNS which seems to do an unplug routine before permitting re-entering P/W. Sounds reasonable?

Yes, the password panel would be greyed-out, as minibase remembers the password.

I also tested with a wifi dongle, and was able to reconnect after unplug and replug. I will test again, with some variations in procedure, and will test some other wifi dongles.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1372 Post by rufwoof »

Xephyr, unshare, capsh and chroot ... as a container works really well. Impressed with how Barry managed to sort all of that out let alone the excellent wrapper all around that. Just been trying out using the same, but where I chroot into / (of the main system).
http://murga-linux.com/puppy/viewtopic. ... 33#1019133

Rodney Byne
Posts: 247
Joined: Fri 31 Jan 2014, 14:12

Gnome-MPV 1.0.8

#1373 Post by Rodney Byne »

To Barry,
Re 1.0.8
Gnome-MPV from PetGet doesn't run
because three .so library files are missing.
I also had a similar problem with running VLC
and I loathe Xine.

I know you're busy with specials, but I just wish more
emphasis could be placed on ensuring the basic
apps work OOTB before OS general release.

At least older version 0.9.4 still works well
cos it's simpler - far less to go wrong.
Best regards.

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#1374 Post by Sage »

1.0.8 USB:
Everything went well on D/T but transfer to HPCQ laptop shows two issues.
Usual issue - tapping default not set; usually 'left'. Tedious!
The internal (Atheros) wifi offered just 'CONNECT', apparently knowing it had been successfully used previously - but it didn't/doesn't. Furthermore, no means for (re-)inserting P/W. Had to resort to Dougal's SNS, but needed restarting three times before options (WPA, etc and P/W) were offered. Eventually it worked. Something still needs tweaking?

Philh
Posts: 150
Joined: Wed 17 May 2006, 13:26
Location: England

#1375 Post by Philh »

With usns when you click connect the gui goes away and you're left wondering did something happen.
Little popup saying connected or finished might be good.

Using usns on my laptop I get wifi not working.
But if I try sns I get the ssid list and I can connect.
Attachments
capture15538.png
(105.98 KiB) Downloaded 973 times

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1376 Post by rufwoof »

Clicking a gzip'd initrd (initrd.gz), opens it, allows for editing, clicking again offers to save changes and close it ... but the changes are not stored. Works fine if just initrd (not compressed), it's only if you've converted it to a .gz

Rodney Byne
Posts: 247
Joined: Fri 31 Jan 2014, 14:12

Missing library files

#1377 Post by Rodney Byne »

To Barry,
Further to above,
In addition to MPV and VLC installs, SMPlayer is also affected
by the common missing Petget library files
after installation, identified as:

LIBVA.DRM.SO.1
LIBVA.SO.1
LIBVA-X1

Regards.

T_B
Posts: 160
Joined: Sun 08 Apr 2007, 12:54

#1378 Post by T_B »

Gave EasyOS a spin, works pretty well. Only issue I have is no sound in Seamonkey or Firefox. Sound is working and using the YoutubeDL program results in videos that play fine. Any advice?

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#1379 Post by rufwoof »

I have a mini mixed bag of EasyOS things in this ... (less than 8MB) that I've compiled under EasyOS 1.0.8 (amd64) https://drive.google.com/file/d/1OjBF6x ... sp=sharing ... containing ... cwm window manager, vifm file manager (requires vim), tmux, elinks, lynx, fbgrab (grabbing screenshots of console/tty) ... and cmus (terminal music player). More for my own purposes but as I'd EasyPak'd it I thought I'd also post it here.

Drop it into the ....sfs/easyos/oe/pyro folder and you can load it into either the main system or a container using Menu, System, Boot Manager. Once installed, just open a terminal (or ctrl-alt-F2 and login as root (password woofwoof ... unless you've changed it)) ... and ... for example from the command line run cmus (or tmux or elinks or ... whatever).

cmus takes a little getting used to - each of keys 1..6 toggle different option screens and if you go to 5 there's a folder tree where you can use the arrow keys (and Enter to select) to navigate to a .mp3 file.sound and Enter that. Left/right arrow keys move you up/down the track.

I've included my own version of /etc/tmux.conf in that, as I don't like the default tmux look-n-feel.

What I'm doing for these smaller terminal program like compiles is grabbing a zip version from git, extracting it, loading the devx (and rebooting to load it) and then

Code:

./configure
make
make DESTDIR=/rufmix install

So the installs aren't going into my running system but into /rufmix which I then used to run EasyOS's dir2sfs to create the EasyPak.

EasyPaks are an extension of normal sfs's, so I suspect it/they could also be used in puppies.

First image shows vifm and cmus, second image is tmux running with several windows (running/labelled lynx, vi, top) and the active (lynx) window split into three panes, showing lynx, cmus and top (you can zoom/unzoom panes in tmux).
Attachments
rufmix2.png
(120.05 KiB) Downloaded 825 times
rufmix.png
(144.87 KiB) Downloaded 821 times

spotted
Posts: 43
Joined: Thu 25 Jan 2018, 07:33

Micro SD locked read only

#1380 Post by spotted »

I was copying easy 64 arm to a micro SD card using dd. It wrote most of it but easy.sfs was zero bytes.
I thought it's time to zero the card, they're fickle piddly things. "dd" got through the exercise but at the end it said no space left on device. But it didn't dd at all, it was still all there and there was a .REC file placed on the micro SD card as well. Now it is really locked as a read only filesystem and nothing I can find on the net can touch it. Anyone know a command that will blow that sda1 partition out of the water then dust it up some.

fdisk: cannot open /dev/sdb: Read-only file system

dd if=/dev/zero of=/dev/sdb bs=1M count=2
dd: failed to open ‘/dev/sdb’: Read-only file system

dd if=/dev/zero of=/dev/sdb bs=4096 conv=sync,notrunc
dd: failed to open ‘/dev/sdb’: Read-only file system

chmod 777 /mnt/usb1
chmod: cannot access ‘/mnt/usb1’: No such file or directory

chown root /mnt/sdb1
chown: changing ownership of ‘/mnt/sdb1’: Read-only file syste

hdparm -r0 /dev/sdb
/dev/sdb:
setting readonly to 0 (off)
readonly = 0 (off)
/mnt/sdb1:
setting readonly to 0 (off)
BLKROSET failed: Inappropriate ioctl for device
BLKROGET failed: Inappropriate ioctl for device

mke2fs /dev/sdb
mke2fs 1.42.12 (29-Aug-2014)
Found a dos partition table in /dev/sdb
Proceed anyway? (y,n) y
/dev/sdb: Read-only file system while setting up superblock

# dosfsck -a /dev/sdb1
fsck.fat 3.0.28 (2015-05-16)
0x41: Dirty bit is set. Fs was not properly unmounted and some data may be corrupt.
Automatically removing dirty bit.
Reclaimed 150627 unused clusters (616968192 bytes) in 2 chains.
Performing changes.
/dev/sdb1: 177 files, 156852/163260 clusters
Writing 512 bytes at 0 failed: Operation not permitted
Writing 32 bytes at 1327712 failed: Operation not permitted
Writing 32 bytes at 1328672 failed: Operation not permitted

even tried to write a grub backup to it to get rid of the partition
cat/sdb_mbr_bak > /dev/sdb
sh: /dev/sdb: Read-only file system

echo "0" > /sys/block/<yoursdcard>/ro

fsck.msdos -aw /dev/sdb1
fsck.fat 3.0.28 (2015-05-16)
0x41: Dirty bit is set. Fs was not properly unmounted and some data may be corrupt.
Automatically removing dirty bit.
Write 512 bytes at 0:Operation not permitted

mount -orw,remount /dev/sdb1
mount: cannot remount /dev/sdb1 read-write, is write-protected
