The Ultimate Solution for running as root

For discussions about security.
Bruce B

#21 Post by Bruce B »

Sylvander wrote: 6. I've never [not that I'm aware of] experienced any problem as a result of running as root....
And never seen anyone report that either.
I have an unsubstantiated report that a Puppy user sprained an eyelash
while running as root. (just kidding, don't worry).

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#22 Post by nooby »

6. I've never... seen anyone report that either.
Well I have but only once a year or so. I mention two of them.

One was a kind of drive by. He joined and told he had been attacked when using puppy and then gave some info but did not give us more info when we wanted to find out what could have happened to him.

So the thread just died out. Could that have been one year ago maybe?

Then we had the guy that got crossed over another puppy user and they started to fight each other verbally here in the forum but it had started on the puppy chat help which I am not active on so I have no recall what on earth made them so upset over each other. But both of them did confirm that the other had hacked himself into the others computer and that him had take measure to stop these attacks and claimed him succeed which the other promised to break soon enough and then I lost track of their fights.

I sent a PM to some regular user of puppy forum and asked for more info what was going on but I received no answer. So I trust that those that know puppy from inside out they can do it any time.

But usually the standard criminals on the internet concentrate on the more common distros to get volume I guess. Too few use Puppy to be interesting for them to exploit I hope.

Don't you guys remember that debacle some years ago. 2009 or was it early 2010 or even 2008?
I use Google Search on Puppy Forum
not an ideal solution though

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#23 Post by dejan555 »

nooby wrote: Then we had the guy that got crossed over another puppy user and they started to fight each other verbally here in the forum but it had started on the puppy chat help which I am not active on so I have no recall what on earth made them so upset over each other.
Yes it was between WireWulf and pc Retro<3 but apparently WireWulf has already given him certain access to his PC.
http://www.murga-linux.com/puppy/viewtopic.php?t=54257
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#24 Post by Sylvander »

1. "Well I have....I mention two of them"
In my view, neither of those count because...
(a) The 1st was never confirmed, right?
Only confirmed examples should be counted.

(b) In the 2nd case, access was GIVEN, so that isn't a lack of Puppy security, it's a lack of USER security.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#25 Post by nooby »

Guys, I do apologize, I missed the part that he gave him permission first.

Did he give that despite him knowing it would be abused or what? Did he get tricked into it or what?

Gave access how?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#26 Post by nooby »

Thanks for the link that was the one I talked about yes!

But if one read what 8-bit write
WireWulf should NOT be banned from the IRC because of your attempt to hack outside of the directory containing the file he was offering you.
You. pc Retro<3, same as admitted you were trying to access directories outside of the one offering the file.
WireWulf tries to help you out and this is the thanks he gets?

This raises a major caution flag for me to NEVER offer you access to any file on my PC.
And I don't care if that pisses you off, because you cannot ban me from your IRC as I am not a member.

Also, admitting that you were trying to hack into someone's computer says a lot about the kind of person you are.
http://www.murga-linux.com/puppy/viewto ... 333#408333

I mean is it really as clear cut fault of the other. He did not approve of it did he?

So could you explain what was going on so I understand it. How can one protect against such mean actions by others?

Edit, I guess it is obvious that I fail to get what went on but none explained it on my Nooby level either so it was very scary to read it.
I use Google Search on Puppy Forum
not an ideal solution though
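
nooby's question above is how to protect against someone reaching outside the directory that holds an offered file. One defence is a containment check in whatever program hands out the files. The thread does not say which program was used, so this is an added example, not code from the thread or from Puppy; `resolve_in_share` and all sample paths are hypothetical.

```sh
#!/bin/sh
# Added example: containment check for a directory offered to other people.
# All paths and request strings below are constructed sample values.

# resolve_in_share SHARE REQUEST
# Prints the resolved file path and returns 0 only when REQUEST, taken
# relative to SHARE, is a regular file that still lies inside SHARE once
# ".." components and symbolic links have been resolved.
resolve_in_share() {
    share=$(readlink -f -- "$1") || return 2
    # Refuse to treat a missing directory or the filesystem root as a share.
    [ -d "$share" ] && [ "$share" != "/" ] || return 2
    target=$(readlink -f -- "$share/$2") || return 1
    case "$target" in
        "$share"/*) ;;          # still under the shared directory
        *) return 1 ;;          # left it through ".." or a symlink
    esac
    [ -f "$target" ] || return 1
    printf '%s\n' "$target"
}

demo() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/share/sub" "$base/private"
    echo "offered" > "$base/share/sub/file.txt"
    echo "not offered" > "$base/private/notes.txt"
    # A symlink inside the share that points outside it must also be refused.
    ln -s ../private/notes.txt "$base/share/link.txt"
    for req in sub/file.txt ../private/notes.txt link.txt; do
        if resolve_in_share "$base/share" "$req" >/dev/null; then
            echo "ALLOW $req"
        else
            echo "DENY  $req"
        fi
    done
    rm -rf "$base"
}
demo
```

The check compares paths only after resolution, which is why the symlink case is denied even though the request string itself contains no `..`.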

dawg
Posts: 116
Joined: Sun 09 Aug 2009, 14:36
Location: still here

#27 Post by dawg »

I'm pretty sure others have said it before (I only come here occasionally, so I can't really know), but while the thread is alive...
I understand why running as root shouldn't be a big deal, but let me share a couple of points for Not wanting to run as root:

(1) - Imagine you have a single computer in a household populated by more than 1 person, all sharing that same computer, young kids and/or other computer-nonproficient and possibly naughty users included.
- The computer has a harddrive where a bunch of each user's stuff that doesn't fit on USB flash drives (videos, music...) is stored that none of the users wants screwed with by the rest of the users.
- Running as root will allow screwing with the said files by anyone (else) in the household, whereas having multiple users added to the system and proper access permissions set for each user's files who can then login separately, will not.
- This is one major point against running as root, even if everybody in the household loves Puppy otherwise. :)

(2) - Even as the single user of a computer, if one isn't the most cautious or "lucid" computer user at all times, things can get screwed up, and maybe even rootkits or exploits caught which can then progress to the root system and hijack it or do other naughty things to it (and everyone's files).
- Never mind having more people (kids) use the computer - the chances of such a thing happening rise heavily.


I hope this helps everyone understand each other better.
Feel free to copy/paste these, and even add more points if I missed any ;)
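
dawg's first point (separate accounts with proper permissions, versus everyone sharing root) can be checked on a running system. The following is an added example, not code from the thread or from Puppy; `audit_private` and the demo directory are hypothetical names, and GNU or BusyBox `stat -c` is assumed.

```sh
#!/bin/sh
# Added example: check that one user's directory on a shared machine is
# closed to the other accounts. The demo directory is constructed.

# audit_private DIR OWNER_UID
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_private() {
    dir=$1; want=$2; findings=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    have=$(stat -c %u "$dir")
    if [ "$have" != "$want" ]; then
        echo "owner: $dir is owned by uid $have, expected uid $want"
        findings=1
    fi
    # Octal mode must end in 00: no group or other bits on the directory.
    mode=$(stat -c %a "$dir")
    case "$mode" in
        *00|0) ;;
        *) echo "mode: $dir is $mode, group/other can reach it"; findings=1 ;;
    esac
    # World-writable entries inside become editable by any account as soon
    # as the directory itself is reachable, so report them as well.
    loose=$(find "$dir" ! -type l -perm -0002)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/world-writable: /'
        findings=1
    fi
    # Mode bits do not restrict uid 0: a root session bypasses all of this.
    if [ "$(id -u)" -eq 0 ]; then
        echo "note: this session is uid 0; mode bits do not limit it"
    fi
    return "$findings"
}

demo() {
    d=$(mktemp -d) || return 2          # mktemp -d creates it with mode 700
    audit_private "$d" "$(id -u)" && echo "clean: $d"
    chmod 755 "$d"; touch "$d/diary.txt"; chmod 666 "$d/diary.txt"
    audit_private "$d" "$(id -u)"       # now reports mode and world-writable
    rm -rf "$d"
}
demo
```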

puppyluvr
Posts: 3470
Joined: Sun 06 Jan 2008, 23:14
Location: Chickasha Oklahoma

#28 Post by puppyluvr »

:D Hello,
Put the stuff you care about in a hidden directory called "system" and it will be safe...LOL...If you are really concerned, bury it in /etc or /opt...above root..
If you are REALLY concerned.....separate save files...
IE..Public, and
Touch it and die....
Close the Windows, and open your eyes, to a whole new world
I am Lead Dog of the
Puppy Linux Users Group on Facebook
Join us!

Puppy since 2.15CE...

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#29 Post by 8-bit »

How about creating a password protected, encrypted pupsave file for each user?
Since the base SFS file is relatively safe from modification, that just might work on a PC with multiple users.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#30 Post by Flash »

Even if it is encrypted, a save file on a shared hard disk could be deleted. How about everyone has their own multisession CD or DVD? When they're done using the computer, they remove their DVD and put it in a safe place.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#31 Post by Sylvander »

"How about everyone has their own multisession CD or DVD? When they're done using the computer, they remove their DVD and put it in a safe place"
Sounds like a "cunning plan".

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#32 Post by dejan555 »

Eh, so many options, but after all, modifying puppy scripts to allow multiuser would be much easier I think. Once changed in official woof packages all new builds would have this option.
Puppy in fact is multiuser and has spot limited user by default, but due to puppy's structure and scripts it can't run X server and most puppy scripts would need to be modified.
I never worried about security issues but user accounts for individual settings would be quite useful instead of creating multiple installs or savefiles and rebooting.
It doesn't have to be a radical change planned for one release but scripts could be inspected and changed from time to time.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#33 Post by Flash »

My word. I never watched Blackadder. I've been deprived! :lol:

postfs1

#34 Post by postfs1 »

To reedit up to date.
Last edited by postfs1 on Mon 28 Mar 2016, 00:21, edited 1 time in total.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#35 Post by musher0 »

Flash wrote:Even if it is encrypted, a save file on a shared hard disk could be deleted. How about everyone has their own multisession CD or DVD? When they're done using the computer, they remove their DVD and put it in a safe place.
Yep! The safest and most private solution.

If perchance anything went wrong during your last session, whatever the reason, you just type

puppy pfix=1

at bootup, and puppy boots to the last "healthy" session before that one, and you're back in business!

In any case, if you're booting puppy from cd/dvd, and there is a foul-up, it would have to be your fault, because no external agent can write directly to your cd/dvd without you knowing!

TWYL (talk with you later.)
.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

forfyv
Posts: 4
Joined: Sat 23 Apr 2011, 22:21

Hmm, as root, I want to have users

#36 Post by forfyv »

I would like to add user accounts to my puppy 5.2.5

I really like this distro, and I will be doing the add user at the command line.
The point has been made that apps should never tell a user they CANNOT run as root.

I would like to point that a distro should never tell a root they CANNOT run as a user!

I suppose I may eventually build a pet that adds a user/group manager to Puppy.

I understand that a lot of experienced puppy users scoff at the idea of running in a user account, but then, this is "MY machine". I kinda resent the attitude that I should NOT want to run it as a user, and that I should NOT use Puppy if I DO want to.

The attitude is rather immature, don't you agree?

Some of the experienced developers could build a user/group manager in a short time with minimal effort. To NOT do so, is rather silly.

For a new user like me to accomplish the same thing will require a large effort, and time investment.

I really have better things to do.

Sigh.

45 Mike

www.45inx.com

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#37 Post by musher0 »

Hi, forfyv.

I personally never felt a need for it, but FYI:
"pizzasgood", I believe, has put together a Puppy derivative with separate user capacity (not running as root). Maybe make a search on the forum. Might date from a year ago.

Also, as was mentioned above, you could have each of your users run his/her Puppy "Internet cafe" style, from his/her own DVD. This is perfectly safe and entirely removes the need for additional code for separating users.

Alternatively, you can save the main sfs on hard-disk and each user can have his/her own personal encrypted savefile on hard-disk or usb-disk or flash-card. In this case, the user boots from cd/dvd, but the boot-up script fetches the Puppy sfs and the individual savefile on the user-provided media. Again, very safe. The system also boots much faster than if entirely based on DVD (as in paragraph above).

Those solutions stray from mainstream Linux thinking on the subject of root, but IMHO they are more practical and more user-friendly, while maintaining very high protection and safety for the user, system, and hardware.

Incidentally, Happy Easter, if this applies to the culture you're from.
musher0

forfyv
Posts: 4
Joined: Sat 23 Apr 2011, 22:21

Yes, but . . .

#38 Post by forfyv »

musher0 wrote: Hi, forfyv.

I personally never felt a need for it, but FYI:
"pizzasgood", I believe, has put together a Puppy derivative with separate user capacity (not running as root). Maybe make a search on the forum. Might date from a year ago.
Yes, I saw the distro you mentioned, it is a 4.x version. I am using the latest release, 5.2.5. I really like this version, why should I downgrade? :-)
musher0 wrote: Also, as was mentioned above, you could have each of your users run his/her Puppy "Internet cafe" style, from his/her own DVD. This is perfectly safe and entirely removes the need for additional code for separating users.

Alternatively, you can save the main sfs on hard-disk and each user can have his/her own personal encrypted savefile on hard-disk or usb-disk or flash-card. In this case, the user boots from cd/dvd, but the boot-up script fetches the Puppy sfs and the individual savefile on the user-provided media. Again, very safe. The system also boots much faster than if entirely based on DVD (as in paragraph above).

Those solutions stray from mainstream Linux thinking on the subject of root, but IMHO they are more practical and more user-friendly, while maintaining very high protection and safety for the user, system, and hardware.

Incidentally, Happy Easter, if this applies to the culture you're from.
Happy Easter to you as well.
(I am not christian, but appreciate the sentiment!)

Yes, the alternative solutions are valid, and (ahem), they do stray somewhat from normal UNIX paradigm.

I think the point many people are missing here is that a "normal" UNIX solution would be easy to implement, and does NOT require a new distro.

A developer, (me I guess), could create a PET that allows a root user to manage users and groups. That is all that is needed.

If a puppy user does not want to manage users, fine, don't. However for a distro to NOT have some facility, (beyond CLI), to manage users is rather awkward for a normal UNIX guy. :-)

Another point that the experienced developers here miss, is that for THEM to build such a PET would be almost trivial, if they just decided to do it.
For ME to do it requires another learning curve, and hours trying to get things to work, that an experienced guy would already know.

Silly, because it is just an attitude that is preventing it from being done.

Thanks for your comments!

45 Mike
www.45inx.com

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#39 Post by musher0 »

Hi, forfyv!

I agree that 5.2.5 is a great implementation of Puppy.

I am not a programmer, just an "extreme configuration" guy... ;-) So I can't help you much.

Maybe the simplest solution would be to send a PM to "pizzasgood", and ask him if he'd be willing to post an upgraded script or utility for Puppy 5.2.5 ?

Also, in any Puppy, there is always a "spot" user / directory. I've never used it, but maybe that would be enough to suit your purpose?

TWYL.
musher0

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#40 Post by Luluc »

dawg wrote:(1) - Imagine you have a single computer in a household populated by more than 1 person, all sharing that same computer, young kids and/or other computer-nonproficient and possibly naughty users included.
- The computer has a harddrive where a bunch of each user's stuff that doesn't fit on USB flash drives (videos, music...) is stored that none of the users wants screwed with by the rest of the users.
- Running as root will allow screwing with the said files by anyone (else) in the household, whereas having multiple users added to the system and proper access permissions set for each user's files who can then login separately, will not.
If your kids are... erm... curious enough, they could boot from a live CD and still have access to those precious files. Setting up user accounts in Puppy would not prevent that. The best way to prevent that is with encrypted partitions.
