Security - running as root

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

Security - running as root

#1 Post by tronkel »

The Australian police are advising people who use their computer for on-line banking to use a live CD and mention amongst other distros, Puppy Linux. This has been widely reported recently.

Thing is, Puppy always runs as root and therefore could still be vulnerable to hidden downloaded executables that could read and subsequently re-transmit any sensitive data such as passwords that are resident in RAM during the on-line session.

In order to close down this possibility, it would be better to at least have the option of logging in to Puppy as a non-root user - even while running from live CD, so that rogue applications have no ability to install without appropriate authentication.

Would be a great step-up for Puppy to have this available from now on - maybe starting with the planned 4.4CE version.
Life is too short to spend it in front of a computer

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#2 Post by MU »

You may use such a script:
/usr/local/bin/seamonkeyspot

Code:

#!/bin/bash

# start the browser as the unprivileged user spot instead of root
su spot -c seamonkey

make it executable:
chmod 755 /usr/local/bin/seamonkeyspot

Then add it to the desktop.
This runs seamonkey as spot.
Works in newyearspup, in Puppy 3 I used a more complicated method:
http://www.murga-linux.com/puppy/viewtopic.php?t=28014

Mark
[url=http://murga-linux.com/puppy/viewtopic.php?p=173456#173456]my recommended links[/url]

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#3 Post by Pizzasgood »

Been there, done that. Built the Puppy, made a revision, wrote lots of documentation.... No t-shirt though :(
Multiuser Puppy
It doesn't come with a limited user already installed though (well, there is spot, but he isn't configured any differently from in the standard Puppy, so you would probably prefer to create a limited user to use, who would then have a normal desktop). You have to boot once as root, add other users, remember to change your password, disable the autologin, and then reboot. The reason I did it that way is to make it transparent, so that the rest of us who like being root don't notice any change. That way it would be easier for a developer to slip this into an official Puppy without causing riots. :lol: People are free to remaster it into a version that has different defaults if they want a version that comes preset to be used with pfix=ram or whatever.



But the nice thing about MU's method rather than actually running completely as the user is that if only Seamonkey is spot, then if Seamonkey is compromised, it can only modify things spot can modify, which is nearly nothing outside of the /root/spot/ directory. On the other hand, if you were logged in as a limited user named tronkel, and just running Seamonkey normally (so that it was also running as tronkel), then if Seamonkey were compromised, it would be able to modify anything that tronkel can modify.

In a purely ram situation, where there is no preserved data at all, there isn't as big of a difference since tronkel wouldn't have much data around anyway, and still wouldn't be allowed to modify system files. But for an installation where data is preserved, tronkel will presumably have all his personal data stored owned or at least readable by the tronkel user, so that he can read it without jumping through hoops. In that case, being a limited user does not protect you at all from a privacy standpoint if your browser is compromised, since it has the same permissions you do.

So to be really paranoid you would want to run as a limited user, but then run your browser as a different (and even more limited) user. This could probably be done fairly painlessly with sudo so that you wouldn't have to input a password just to run the browser as user "browser", but could still have the browser user password protected from the other users (in case you have multiple people involved, or in case you want to isolate other applications too, like IRC or email, and don't want them to be able to read each other's data).
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]
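
One way to set up the sudo arrangement described in post #3, as an added example that is not part of the thread: a sudoers rule that lets the login user start one browser binary as a separate account without a password, validated before it is installed. The account names tronkel and browser come from the post; the path /usr/bin/seamonkey, the drop-in directory /etc/sudoers.d (which must be included from /etc/sudoers) and the function names are assumptions.

```shell
#!/bin/sh
# sudoers_rule LOGIN RUNAS COMMAND
# Print one sudoers line that lets LOGIN run exactly COMMAND as RUNAS
# without a password prompt. Nothing else is granted.
sudoers_rule() {
    case $3 in
        /*) ;;   # sudoers matches commands by absolute path only
        *)  echo "command must be an absolute path: $3" >&2; return 1 ;;
    esac
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# install_rule NAME LOGIN RUNAS COMMAND   (needs root)
# Write the rule to a temporary file, let visudo check the syntax, and only
# then install it read-only as /etc/sudoers.d/NAME.
install_rule() {
    tmp=$(mktemp) || return 1
    sudoers_rule "$2" "$3" "$4" >"$tmp" &&
        visudo -c -f "$tmp" >/dev/null &&
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use, as root (constructed values):
#   sh browser-sudo.sh browser tronkel browser /usr/bin/seamonkey
# Afterwards tronkel starts the browser with:
#   sudo -u browser -H /usr/bin/seamonkey
if [ $# -eq 4 ]; then install_rule "$@"; fi
```

The privacy benefit Pizzasgood describes only holds if the browser account cannot read the login user's files, so that user's home directory should not be readable by others (for example mode 700).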

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

#4 Post by tronkel »

MU wrote:
You may use such a script:
/usr/local/bin/seamonkeyspot

Code:
#!/bin/bash

su spot -c seamonkey

Running this returns:
su: chdir(/): Permission denied
even if I chmod to 755.

This might be to do with the fact that I'm running this in Puppy 4.3.1.

What's wrong here I wonder.

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#5 Post by MU »

not certain, must test it on my own in Puppy 4.3 tomorrow.
It cannot change to a directory because of wrong permissions.
Might be wrong permissions for /tmp

Try this command:
chmod 777 /tmp

In newyearspup this is set by default.

Mark

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#6 Post by MU »

hm, in Puppy 4.3.0 (frugal installation) it works.
I will test Puppy 4.3.1 tomorrow, as it takes some hours to download using a mobile internet connection that I use this week.

I attach the script, just in case a typo error was the case for your problem.

I also slightly modified it, so it tells you, who you are:

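Code:

#!/bin/bash

# Single quotes, so the command substitution runs in spot's shell after
# whoami.txt has been written; inside double quotes root's shell would
# expand it before su even starts and show stale or empty content.
su spot -c 'whoami >/tmp/whoami.txt; sync; xmessage "running as user: $(cat /tmp/whoami.txt)"; seamonkey'

And thanks, Pizzasgood, for writing a more detailed explanation :)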
Mark
Attachments
seamonkeyspot.tar.gz
(209 Bytes) Downloaded 824 times

jabu2
Posts: 46
Joined: Tue 08 Apr 2008, 03:19
Location: Australia

secure browser mode for 4.4CE

#7 Post by jabu2 »

Tronkel's proposal is a really useful new capability for Puppy, and removes one minor shortcoming - security for traveller-users (compared to other distros).

"the option of logging in to Puppy as a non-root user - even while running from live CD, so that rogue applications have no ability to install without appropriate authentication.
Would be a great step-up for Puppy to have this available from now on - maybe starting with the planned 4.4CE version."

This capability will need to be a simple on/off toggle for the average puppy user - implying some neat programming from you linux-majors who know how to do that, and make a gui.

Tronkel's description of purpose could be put in plain English, i.e.
"logging in to Puppy as a non-root user" could become
"use ultra-security" (or words to that effect). And perhaps it should default back to the root-user mode at logoff (fail-safe position for several reasons).

And adoption by Technosaurus into 4.4CE specs

And notifying to future potential users by Lobster via the 4.4 wikka......http://puppylinux.org/wikka/Puppy44


jabu2 (4.31 with firefox, and 4.3.1 final on Fujitsu lifebook)

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#8 Post by Pizzasgood »

Why do people keep forcing me to break out the big fonts?

Download a MULTIUSER Puppy HERE

Can I get a QED? :lol:

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#9 Post by amigo »

MU, /tmp should be chmod'ed 1777, to prevent non-root users from being able to delete the directory.

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

MU script problem solved!

#10 Post by tronkel »

Ok, seem to have found the permissions problem with the su command.

chmod-ing /tmp to 777 didn't work. The problem was with the permissions of the root directory in Puppy, i.e. '/' (not /root).

After chmod-ing this to 777 everything started working.

Many thanks for the cool idea MU.

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

#11 Post by tronkel »

Attached is a dotpet that contains MU's seamonkeyspot script
plus a GUI executable. All the GUI does is to run the script. GUI was made using FLTK and C++

The pet makes a menu entry called "safemonkey secure browser"
This starts your seamonkey browser as user "spot" who has no access to system files. This should ensure that no malware can be installed without your knowledge, even running as a live cd.

Seems to work, apart from a profile problem that causes the seamonkey main window to corrupt slightly. It's an old Mozilla problem - not sure what the solution is yet.

Will test it further. Let me know what you find.

edit: see lower down the thread for an updated dotpet that includes exception handling that checks for the existence of seamonkeyspot script in /root
Attachments
safe-seamonkey-1.0.pet
(114.25 KiB) Downloaded 875 times
Last edited by tronkel on Wed 28 Oct 2009, 17:03, edited 1 time in total.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#12 Post by Lobster »

Seems to work OK Tronkel
I have done much the same here (I hope) in script
but also included running Puppy Browser securely
and Screen Lock enhancement 8)

GROWL
http://www.murga-linux.com/puppy/viewto ... 697#353697
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#13 Post by Pizzasgood »

.... it is not a good idea to make / 777. If you do that, any limited user can rename the top level directories (they cannot actually delete them if there is any content within them that they don't have permission to change, but they can rename just fine).

You are better off running Seamonkey as root than doing that.

And anyway, you definitely should not need to make / 777 just to run seamonkey as spot. The problem must be something else.
[img]http://www.browserloadofcoolness.com/sig.png[/img]
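
A check for the two directory-permission mistakes raised in posts #9, #10 and #13, as an added example that is not code from the thread. A world-writable directory is only safe with the sticky bit (1777, as amigo says for /tmp), and a directory that other users cannot search produces the "chdir: Permission denied" error, which mode 755 on / cures without making it writable. It relies on `stat -c` as provided by GNU coreutils and BusyBox; `check_dir` is a name made up for this example.

```shell
#!/bin/sh
# check_dir DIR
# Print a one-line verdict for DIR.
# Returns 0 if the mode is sane, 1 if it is not, 2 if DIR cannot be examined.
check_dir() {
    perm=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 2; }
    mode=$((0$perm))    # read "1777", "755", ... as an octal number

    # Other-writable (0002) without the sticky bit (01000), e.g. 777:
    # any user may rename or remove entries that belong to someone else.
    if [ $((mode & 0002)) -ne 0 ] && [ $((mode & 01000)) -eq 0 ]; then
        echo "$1 ($perm): world-writable without sticky bit"
        return 1
    fi

    # No search bit for others (0001), e.g. 700: a non-root user cannot
    # chdir into or through the directory, so "su spot" fails in chdir().
    if [ $((mode & 0001)) -eq 0 ]; then
        echo "$1 ($perm): no search (x) permission for other users"
        return 1
    fi

    echo "$1 ($perm): ok"
}

# Stand-alone use: sh checkdirs.sh / /tmp
for d in "$@"; do check_dir "$d"; done
```

On a system set up as the replies recommend, `/` reports a mode such as 755 and `/tmp` reports 1777, both "ok".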

retry3
Posts: 131
Joined: Tue 15 Aug 2006, 23:48
Location: Ohio

safeseamonkey secure browser experience & questions

#14 Post by retry3 »

HP Notebook 1.4Ghz 512MB, dying HD - 431 Frugal Live CD

Installed safeseamonkey (great application idea)

My financial website would not let me have access even with all the correct passwords etc.

When I tried to quit safeseamonkey, the dialog box would not close even after it went all gray with no fields or data and safeSM would not quit until I used kill.

Tried to open safeSM again but got stuck in a loop in the dialog box and it failed to open.

Next I changed to user "spot" & ran normal Seamonkey and was able to log in & access my account OK.

I would like to use safeSM but I don't know what to do next; reinstall?

My question is, whether I am just as secure by being spot first and then opening my regular SM, as using safeSM alone? Something Pizzasgood wrote makes me wonder...

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

#15 Post by tronkel »

Hi retry3

Yes, as far as I can see, you're just as safe running a user spot directly.

The safeseamonkey GUI is only an attempt to make it friendlier for newbies to think more about security stuff without having to get to grips with scripting and such-like.

Can you make sure that the seamonkeyspot script is actually in your /root folder? If it wasn't there, that would be a reason why the program would crash.

This was only a first shot at this. I should really have included some exception handling that checks if the script is actually there.

Thanks for the feedback. Let me know what happens.

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

#16 Post by tronkel »

@retry3

Attached is an updated dotpet for safeseamonkey that includes code that checks if the seamonkeyspot file actually exists in /root.

The seamonkeyspot script also assumes that defaultbrowser exists and is executable.
Attachments
safe-seamonkey-1.0.pet
(142.94 KiB) Downloaded 524 times

retry3
Posts: 131
Joined: Tue 15 Aug 2006, 23:48
Location: Ohio

#17 Post by retry3 »

Thanks Tronkel, your efforts to help and the GUI work are much appreciated as well as what MU did in scripting safeseamonkey.

I have been working on a response to your questions in the last post, but since it takes over 20 minutes for me to reboot (hardware problems) it goes slowly. In addition, I have limited knowledge of Linux and can't run the CLI much beyond "whoami" so my reports will miss a lot.

There were 2 places that had the SSM icon, the "/" and "~" directories.
The menu entry in Internet would start SSM with both dialog boxes of "go" and "Okay". Clicking on the Icons would only bring up the Okay box, but all three ways would open the program.

As I wrote before, after I closed the program, it would not start again by any way except twice, for no reason that I could figure.

A reboot restored the ability of all three ways to open the program.

After re-reading your post a few times, I decided to delete the Icon that was not in "/", so I deleted the one in "~", thinking that would leave the Icon where you said it should be, with no possible conflicts.

Now, I'm not so sure. I think "/" means root and "~" means Home, so when you say the program file should be in "/ root", I may have misunderstood.

After the deletion the SSM entry under Internet does not work, all I get is the initial box that says "Cage the Puppy" and clicking on Go does nothing; but clicking on the icon in "/" brings up the "user: spot - Okay" box and clicking Okay opens SSM.

The regular SM is working fine, whether I'm root or spot.

I will try your new pet package ASAP and hope this feedback is of some use. You understand that some of us really need a GUI while struggling with learning Linux.

Regards - retry3

tronkel
Posts: 1116
Joined: Fri 30 Sep 2005, 11:27
Location: Vienna Austria

#18 Post by tronkel »

In Puppy what is usually referred to as the root folder has the following absolute path: /root

In other Linuces the root (admin) folder usually has the absolute path: /home/root

Otherwise the "root file system" is always at: /

Now this is very confusing and will give even experts trouble - far less Linux novices.

That I'm afraid is just the way things are in the world of the penguin.

The petget package will automatically install the seamonkeyspot script to /root. If for any reason you need to change the path to the browser, all you have to do is to open the seamonkeyspot script as a text file and replace "defaultbrowser" with the absolute path to wherever your browser executable is stored.

Normally what you should see, if everything is set up OK, is a message box confirming who you are. After clicking on OK, you can then start the safe browser by clicking Go! in the main GUI window.