Why I don't like running as root (in Puppy)

For discussions about security.
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

in principle better

#61 Post by Lobster »

or better still

Code:

#netstat -na -F inet
:oops: ('t' missing) but in principle better
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Guest

#62 Post by Guest »

According to this, (second entry; WMF vulnerability) running as a user with limited NTFS rights doesn't prevent execution of malware. I don't really understand the explanation though.

wayover13
Posts: 4
Joined: Mon 27 Feb 2006, 18:31

#63 Post by wayover13 »

This discussion seems to sort of miss an essential point (the poster observes, not having read the whole thread). Sure, someone should be able to operate as root on their own computer. Just as someone can drive their own car however they want, shoot their own gun, etc. Of course it should be borne in mind that people are expected to demonstrate a certain degree of mastery in those things before they can legally do them, and so a person running as root should have a certain degree of mastery (read: solid knowledge of how their computer works and, especially if they are on a network, what the vulnerabilities and dangers are). But again, this is a bit beside the point. The problem with Puppy is not that it runs as root by default: it obviously does that just fine. The problem is there is no way for users who do not want to run as root to do so: just as someone should be able to run as root if they choose (and hopefully they will have the necessary understanding to do so safely), so the user should have the choice of not running as root. The problem here is that Puppy provides no easy and effective way of doing so. That is a shortcoming of the distro, no matter how you cut it: it should be there for those who want it. The question of whether you should be "allowed" as a matter of principle to run as root is rather irrelevant to answering to the fact that Puppy has no easy and effective way to set up non-root users. Is any work being done on this?

James

flavour
Posts: 125
Joined: Thu 08 Sep 2005, 20:26
Location: Bicester, UK

#64 Post by flavour »

the user should have the choice of not running as root. The problem here is that Puppy provides no easy and effective way of doing so. That is a shortcoming of the distro, no matter how you cut it: it should be there for those who want it. The question of whether you should be "allowed" as a matter of principle to run as root is rather irrelevant to answering to the fact that Puppy has no easy and effective way to set up non-root users.
This sums it up perfectly for me :)
Whilst many (or even most) users are happy with the current approach, there are many others who would really like to widen the Puppy audience, but need RunAsNonRoot to be in-place first.
Is any work being done on this?
I am little by little & some of this is being passed upstream into the main distro (e.g. it now includes sudo by default)

This, I believe, is how to start tackling it - fix the little errors in the system scripts which hardcode /root instead of $HOME
Include this in the guidelines on 3rd party packages.
Then get an option in the Universal Installer to RunAsNonRoot.
- liveCD can be left as-is (to not annoy those that like the current system), but an *option* in the installed versions (where it matters more)

Would be *great* to see this in the first release of Puppy2 :)

F
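
Added example, not part of the post above and not Puppy's own code: one way to locate the hardcoded /root references that post #64 proposes fixing, so each hit can be reviewed and changed to $HOME. The function names, the match pattern and the sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list script lines that hardcode /root.

# find_hardcoded_root DIR
# Prints "file:line:text" for each non-comment line, in files under DIR that
# start with a shebang, where /root appears as a path of its own.
# /mnt/rootfs, /usr/root and ${DIR}/root are not reported.
find_hardcoded_root() {
    # /root must not be preceded by a path or word character and must be
    # followed by "/", a non-word character, or end of line.
    pat='(^|[^A-Za-z0-9_./}-])/root(/|[^A-Za-z0-9_.-]|$)'
    find "$1" -type f | sort | while IFS= read -r f; do
        # Skip anything that is not a script (no "#!" on the first line).
        head -n 1 "$f" | grep -q '^#!' || continue
        # Second grep drops whole-line comments from the numbered hits.
        grep -nE "$pat" "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$f" "$hit"
            done
    done
}

# make_sample: builds a constructed sample tree in a temp dir, prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/a.sh" <<'EOF'
#!/bin/sh
# settings live in /root/.config
cp /root/.Xresources /tmp/x
xrdb -merge -nocpp "$HOME/.Xresources"
EOF
    cat > "$d/b.sh" <<'EOF'
#!/bin/sh
mount /dev/sda1 /mnt/rootfs
export XAUTHORITY=/root/.Xauthority
EOF
    # Not a script (no shebang), so it is skipped.
    printf 'see /root/readme\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Run with --demo to scan the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample) && find_hardcoded_root "$d"
    rm -rf "$d"
fi
```

Lines that already use $HOME, comment lines, and paths such as /mnt/rootfs are left out of the report.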

flavour
Posts: 125
Joined: Thu 08 Sep 2005, 20:26
Location: Bicester, UK

#65 Post by flavour »

My work-in-progress HowTo is here:
http://wiki.inveneo.org/index.php/RunAsNonRoot

I got quite far in 1.07 but got stumped by SegFaults which I didn't manage to track down (happened just after running xorgwizard - whether selecting xvesa or xorg).

I will try again with 1.08 & be more persistent with tracking down the source of any SegFaults by putting debug statements into various possible files:
.xinitrc
xwin
xrdb -merge -nocpp ~/.Xresources
/usr/bin/autocutsel

F

Dyno Spoid
Posts: 37
Joined: Tue 05 Sep 2006, 14:39
Location: Milwaukee, Wisconsin, U.S.A.

Running as Root is actually good

#66 Post by Dyno Spoid »

Although I'm a security-crazed person, root user in Puppy seems the right way to go.

- Adding user accounts to Puppy and having everything work is a lot of work for the developers. It also increases size, complexity, and documentation requirements.

- Puppy works, right out of the box. I can do whatever I need. sudo or su works well for UN*X fans, but not Windoh!z fans. Ubuntu is popular for a reason-it works by putting in the CD. Same for Puppy.

- If something exploits Firefox, user files are accessible as root or generic user Spot. The OS is sort of unique, so scripts don't generally have the same effect.

There are some downsides:

- If you're not behind a firewall, AND you're running a server (messaging, Samba, etc.), you're at risk. Putting virus scanning and firewall software enable/disable in the Live CD startup would be great.

- root can mount anything, any time. Running off Live CD is great until you realize your NTFS partition can be whacked. Reinstalling Puppy on the hard drive is no problem (assuming your config files are backed up), but two days installing Windo--Boot Sector corrupted-please reinstall Win#$@ [blue-screen], arrg! wrong Authentication #, rebooting, and all the software, AND the configurations for each application (which aren't easily exportable) is a pain.

Would I like user accounts? Yes.
Is it practical? No.
Do I love Puppy? You bet!

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#67 Post by Flash »

Puppy is so unique that a virus or worm which would work on another version of Linux might not make Puppy sick, and if Puppy is further customized for an application such as a server ...

Perhaps most of your objections to running Puppy as a public server connected to the internet can be dealt with by remastering Puppy as a server and then running it from a CD-ROM drive. Give it a hard reboot once an hour, say, to delete any malware that might have accumulated. If the server uses a static database, the whole thing could be put on a CD or DVD and run from a CD- or DVD- ROM drive.
Puppy Help 101 - an interactive tutorial for Lupu 5.25: http://www.murga-linux.com/puppy/viewtopic.php?t=69321

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#68 Post by GuestToo »

it is not difficult to create new groups and or users ... a simple wizard could be written to do that

it is not difficult to run programs (like Firefox, Thunderbird, Sylpheed etc etc) as an unprivileged user, like spot

it would take a lot of work to get Puppy to run as an unprivileged user so that it would run about the same as it does as root

mostly, a lot of the packages that were built for Puppy-running-as-root would have to be modified and rebuilt for Puppy-running-as-spot

see: http://www.murga.org/~puppy/viewtopic.php?t=10732

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#69 Post by GuestToo »

Apache must be started as root, and automatically runs as user "nobody" ... so it really does not make much difference if your shell is running as root or as spot, as far as the server is concerned

it is easy to run Puppy's tiny nullhttpd server (/root/ghttpd) as spot or as nobody ... i have a dotpup package that is a Rox appdir that will start/stop httpd as user nobody

Dyno Spoid
Posts: 37
Joined: Tue 05 Sep 2006, 14:39
Location: Milwaukee, Wisconsin, U.S.A.

Puppy Server

#70 Post by Dyno Spoid »

This is NOT targeting Flash or anyone else for a flame. 'You' is the generic reader.

Isn't everything a public server? Unless there is no possible route from a network to the Internet, I consider it potentially public.

Example: Your home MP3 server is wireless. Your neighbor (me) sniffs your WAP out, snorts 1 MB of data, cracks your WEP, adds my MAC address to the Permissible list (you did create one, right?), and changes your WAP password so you have no idea I added myself should something go wrong. You just think your password got typed in wrong initially and the reset button is the answer. Problem is, I'm not really your neighbor, but cracked his Windows box running NMAP and a Windows exploit script. You didn't notice me install a root kit on your laptop before I changed your WAP password back (since this is a public forum, I won't state where I got it from, but it's not extremely difficult to obtain), and now your laptop opens a port and finds me whenever you aren't looking. The great thing is you also use your laptop at work, where they don't use VPN or ssh connections to the server, so I can sniff all the data that even you don't have direct access to. Whatever is interesting gets compressed and sent over a HTTP request to a web server I cracked two years ago. What's interesting? The manager's desktop, for one. Good thing it's a Windows box behind a corporate firewall--that makes it secure. Oh, except for your laptop being on the same network...

Okay, so most every computer can be considered connected to the Internet. What about hourly reboots? If I invite some friends for a party, do I want my music stopping every hour? Not practical. What about leaving all the MP3s on DVD with the OS? They don't need to be written to, but what happens when I want to save a new one I bought today so I can play it later? Remaster the DVD-RW in another computer and put it back on the server drive? Have compact flash in the server and burn a new DVD when that fills up? Possibly...

The solution I've come up with is to use Puppy and ssh to access a server with user accounts, where the MP3_Player group can only read, normal users can read/add, and admins can remove +previous. For connection from Windows-like boxes, Samba runs in a Virtual Machine environment on the server, meaning Samba gets to run on its own computer (virtually). So if Samba is hacked, it still can't write to the file server, because the Samba machine has a read-only mount as defined by the file server, not the Samba server. Since Samba runs on a VM, the VM can be defined as an appliance, meaning every time it's restarted it starts fresh.

We can't expect Puppy to do all this and still be Puppy. I think the authors did a great job on keeping things small and fast. If you (again, a generic 'you') need more, try hand-rolling Gentoo into what you need. It can be fast, small, and exactly what you need, even booting off USB Flash drives and PXE. However, you now have to take the time to roll it, whereas Puppy is working and stable. The same goes for hand-rolling a WAP appliance, which is even funner. Did you know the new ones support external USB hard drives and CF? Yes, that means a full server with a network switch, 5 ethernet ports, wireless networking, printer, and without any moving components (other than the printer) and consuming only 5 watts of power. Maybe you can get it to use 15 watts if you really push it.

Q
Posts: 61
Joined: Mon 10 Jul 2006, 14:19

#71 Post by Q »

Question for Kernel experts and developers.
what's your thought about this:
http://it.slashdot.org/it/06/10/03/2122220.shtml

2 comments I liked:
Whether this is a show-stopper or not, it's a great example of what can happen with tons of eyeballs on a project. This is the type of bug that proprietary vendors would suffer to discover with such limited resources on a single project. It makes me wonder how often proprietary kernels are retooled *after* a flaw has been found in a similar OSS product.
and the other one not just because it was funny but canny :twisted:
OMFG! I have a security flaw... but you have to be _root_ to execute it! AHHHHH It's the end of the world!

I discovered a new one too... if you run rm -rf / as root you'll bork your system!

We should all go back to windows, where rm doesn't exist ^_^
:o

Gn2
Posts: 943
Joined: Mon 16 Oct 2006, 05:33
Location: virtual - Veni vidi, nihil est adpulerit

#72 Post by Gn2 »

To root at length -on these matters, or not - is the question:

Puppy- Esp. live - is configured to do what it does and do it well with the very minimum of user intervention

Most of above reflect very specific concerns - many of which do not exist running a liveCD (RAM)

When granting users access to client services > Puppy use is then trying to fill the role of a server

IMHO that is outside the goals of the originator

BonaPon
Posts: 1
Joined: Sat 03 Mar 2007, 20:25

#73 Post by BonaPon »

I've been setting up a box for a person who doesn't even know how to use a mouse. Do I want that person having super powers?
That is why I want to set up an account for him and have him log in as an ordinary user. I don't want to be constantly at his place to repair his box.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#74 Post by Flash »

Let us know how it works out, BonaPon. I suspect you'll have to help your friend a lot either way. You could give him a remastered CD to boot from, preconfigured with the applications and settings as he wants it.

paulsiu
Posts: 187
Joined: Wed 17 Jan 2007, 02:58

#75 Post by paulsiu »

I am jumping into this conversation late. I have a technical background but am not an expert in security or Linux, but I’ll throw in my two cents:

Puppy Linux seems to be a throwback to the earlier days of computing. Early OS like DOS, Macintosh OS, and Windows (pre-XP) were really single user machines. When you turned on the computer, it booted directly into the desktop and gave the user full permission to everything. There was no concept of user accounts.

Linux, which follows the UNIX model, comes from the corporate world where security is necessary. Everyone has to login so that some nobody off the street can’t steal data by switching the computer on. Access may be placed to prevent an employee from seeing personal data on another employee or to install new programs that may crash the system. On such a system, there is usually a separate group called the administrators that have full rights to the system. All other users have only limited rights.

While Puppy is a Linux derivative, the designer chose to use a simple model where everyone boots into root. The advantage of this system is that everything is simpler. On other Linux systems, you have to login as admin to install software. You may get errors because the permission didn’t allow you to mount a device or connect to X-window. What you do give up in exchange is security.

For example, suppose you run a Trojan horse program by accident, such as when you launch an attachment, or click on a popup that deposits a program on your drive. If you run as root, the malicious program has full permission to attack everything. If you run as a limited user, you can trash your user files, but the rest of the system is safe.

Keep in mind that you’re probably OK for now. Most of the viruses only target Windows, so if some popup deposits a DLL on your drive or causes you to run a Windows program, nothing will happen. I would not, however, use Puppy as a server that may contain sensitive data.

I’ll be real careful about running Wine, or if you have a dual boot where the virus may be able to infect your DOS partition. If Linux becomes really popular, and we start seeing Linux computer viruses, then I would worry.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#76 Post by Pizzasgood »

The cool thing with Puppy is that you can reinstall in mere minutes. Sure, that doesn't protect your personal data, but that's going to be open to attack even with multi-user (except from other users).

Actually, with Puppy the system files are impossible to edit, unless something specifically targets Puppy and you have a frugal install or a re-writable disk. They're stored in pup_xxx.sfs, which is read-only. When you try editing them, Puppy places a copy in your save-file and masks the original with it, but the original is still there. If you go behind UnionFS's back and delete the copy of the file, the original will re-appear.

So if something compromised your Puppy and left your personal files alone, you could just mount the save-file directly and delete all system files and relevant .wh* files. Then reboot, and the original system files are back.

If it does harm your personal data, just delete the save-file and start over. The personal data would have been harmed anyway, because you'd still have permissions to it.

All that's assuming you maintain a save-file. If you don't, and just run in ram, all you do is reboot and poof! Pristine system. If you use multi-session, just roll back a couple sessions. Simple.


Now, if you have a full-HD install, you're in a different boat. There are times when a full install is preferable, but it loses the majority of Puppy's benefits, especially with regard to security and fast installs.



The biggest reason I see for having true multi-user in Puppy is to protect the user from himself, especially when said user is a kid. Encryption is more effective at protecting data, and multiple save-files is generally good enough for multiple users. But I would welcome a small transparent optional multi-user setup so long as it still auto-logged-in as root like it does now. Just for those rare cases when true multi-user is needed.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

paulsiu
Posts: 187
Joined: Wed 17 Jan 2007, 02:58

#77 Post by paulsiu »

Nice thing about puppy is that everyone can have a personal puppy on a key. No matter how secure a computer is, someone will accidently find a way to wipe out the hard disk. If everyone has their own personal puppy, they can only damage their own copy.

setecio
Posts: 326
Joined: Wed 01 Nov 2006, 12:09
Location: UK

#78 Post by setecio »

Bookmarked.

edoc
Posts: 4729
Joined: Sun 07 Aug 2005, 20:16
Location: Southeast Georgia, USA

#79 Post by edoc »

paulsiu wrote: Nice thing about puppy is that everyone can have a personal puppy on a key. No matter how secure a computer is, someone will accidently find a way to wipe out the hard disk. If everyone has their own personal puppy, they can only damage their own copy.
What is the current status of Puppy on a USB stick?

Compatibility with a wide range of laptop and desktop hardware?

Is there a list of laptops and desktops which will boot Puppy from
USB?

I have just acquired a used Dell Latitude C400 which did not come with
a CD drive. Should I anticipate being able to boot Puppy from a USB
stick?

I like the idea of my OS and key apps on a 1 or 2G USB stick! Perhaps
a couple of different sticks, each optimized for a different set of apps.
Thanks! David
Home page: http://nevils-station.com
Don't google Search! http://duckduckgo.com
TahrPup64 & Lighthouse64-b602 & JL64-603

jglen490
Posts: 9
Joined: Sun 09 Mar 2008, 18:25

#80 Post by jglen490 »

Ho-hum.

All the arguments about personal freedom and about being the only user and "I can do whatever I want, because ...".

What it comes down to, is whether you always run as root or run as a non-privileged user most of the time, most of us DO SOMETHING to protect our system or try to not pass on infected files or try to pay attention to security in some way.

I don't run Puppy - for a variety of reasons, most of which have nothing to do with this thread. Anybody who runs any sort of Linux is going to show up as stealthy on Steve Gibson's site. It's the nature of the OS, unless you DO SOMETHING to open yourself up. By the way, that has nothing to do with being, or remaining secure. Just refer to any number of Linux pubs that discuss security and publish security problems with various Linux programs. Yes, these DO get cleared up fairly quickly, but the problems still come back. So it is necessary to DO SOMETHING to stay on top of security.

It has been suggested that you can clear out Trojans, viruses, etc. by rebuilding your backup file periodically. You all know how to do that, I don't, so I won't comment any further on that. So even in Puppy you need to DO SOMETHING to protect your security.

Do any of you run antivirus products in Linux? Do you know that such things exist? "But you can't get a virus in Linux!" Sorry, that's baloney. Two reasons. Linux is not yet a big enough target -- Linux will be some day. The other is that secure usage of Linux involves not only the usual things that "safe computing" means and implies, but also the normally inherent separation of root use and regular user use. By keeping the two separate, successfully attacking a Linux system is more difficult; not impossible, just more difficult. The more difficult it is for the "bad guy" to a) get in and b) severely compromise a system, or your home, or your business, the less likely you will be targeted.

O.K., so you keep all the stuff that's important to you in your $HOME directory anyway. So if someone gets to your user it's gone, anyway. Well, a) you do backup right? and b) if the rest of your system is intact, recovery is simpler - because you do backup right?

Puppy Linux runs in RAM. That's good, so each time you reboot it's like a new install. What about if you just leave your system up for a few hours/days/weeks. You're as vulnerable as anyone else PLUS, you're running as root!!

You do what you need to do, but I rely on my personal Linux system to provide me with a secure and reliable platform to do my daily and other personal tasks. This is not a business system, but because it is personal, I need it to do the "SOMETHINGS" that I do in the best way possible. If I didn't care, and if my Linux system wasn't just that good, I'd be running Windoze in admin mode (like most personal users run it).
