Browse as user "Spot"

Jasper

#21 Post by Jasper »

Hi.

Yesterday I raised a query about add-ons and bookmarks (finally, I "cheated" by reinstalling those I wanted).

However,

if I click my desktop browsesafe icon it loads Firefox, but if I open my console on top of Firefox and then execute "whoami" the answer is always "root" (never "spot" as it presumably should be).

My regards

Addendum and correction:

rcrsn51 in a later post in this thread has kindly explained that Firefox, in this particular case, is actually running as user spot.

01micko has kindly explained in a later post in this thread that the code to use in this particular case is "ps|grep firefox" not "whoami".

--------------------------
However (as now underlined above was originally in large text and was followed in large bold text by the word "disturbingly"). This is now amended since all worked as was intended and nothing was "disturbing" except my faulty understanding.
Last edited by Jasper on Sun 24 Apr 2011, 09:33, edited 1 time in total.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#22 Post by nooby »

Jasper you know computers much better than I do so if the following is totally out on the limb take it with a broad smile.

I only try to be logical and that usually fails when I do it.

On top of Firefox. My poor logic says you need to move .mozilla within the Spot directory and start it up there and then as you say on top open a terminal within spot and then ask who am I and it will say Spot :)

I am wrong most likely but that was what my confused brain came up with :)
I use Google Search on Puppy Forum
not an ideal solution though

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#23 Post by rcrsn51 »

Jasper wrote:However, disturbingly
Not at all. You are only the user spot in the temporary environment that is running Firefox. Outside of that, you are still root.

This is not like Ubuntu where you can log in as a completely new user.

While you are running your spot-Firefox, download a file and try to save it to /mnt/home or /bin. What happens?

Jasper

#24 Post by Jasper »

Hi rcrsn51,

Thank you very much for your encouraging explanation.

My regards

rcrsn51

#25 Post by rcrsn51 »

rcrsn51 wrote:While you are running your spot-Firefox, download a file and try to save it to /mnt/home or /bin. What happens?
What happened?

nooby

#26 Post by nooby »

And Rcrsn51 can you explain better. Does it mean there is no added security or was this your way to assure that it is safer to run as spot then? I fail to be sure what you say to Jasper.

I agree that it is as you say I only fail to get the implications of that fact.
Last edited by nooby on Sat 23 Apr 2011, 13:26, edited 1 time in total.

nooby

#27 Post by nooby »

rcrsn51 wrote:
rcrsn51 wrote:While you are running your spot-Firefox, download a file and try to save it to /mnt/home or /bin. What happens?
What happened?
As I remember it can only be saved within spot and then I need to start up Rox as root for to get access to it and move it elsewhere.
I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)


As I wrote I have tested with other pic and what happened was that I failed to place it outside of Spot. So that is something I like but others say it does not help much due to the criminals know all the tricks something.

But I find it likely it is a bit safer so okay I will wait for Jasper's answer then :)
Last edited by nooby on Sat 23 Apr 2011, 13:36, edited 1 time in total.

rcrsn51

#28 Post by rcrsn51 »

nooby wrote:And RC can you explain better
Not until Jasper answers my question above. With all due respect, talk is cheap. The only way to resolve issues is with actual physical testing.

Have you tried my suggestion yet?

1. Run a browser as spot.

2. Download this file. DON'T install it!

3. Try to save it to /mnt/home or /bin. What happens?

rcrsn51

#29 Post by rcrsn51 »

nooby wrote:I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)
Exactly. That's because the user spot does not have write permission on /mnt/home. Similarly, a piece of malware could not install itself into a system folder like /bin. However, it could still destroy all your personal files in spot.

Clearly, you don't want to save lots of files in spot because it fills up your savefile. So go to /mnt/home and make a folder called "spot-download". Give its ownership to spot

Code:
chown spot:spot /mnt/home/spot-download

Now you have a better place to download files. Of course, this folder is now theoretically vulnerable to attack.

You could also symlink spot's .mozilla profile into this area because spot has the correct permissions to use it. Or for that matter, you could delete the current spot user and create a new one whose home directory was a subfolder of /mnt/home. I haven't tested this yet.
Last edited by rcrsn51 on Sat 23 Apr 2011, 13:39, edited 1 time in total.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#30 Post by 01micko »

To test if you are browsing as spot run this:

Code:
ps|grep firefox

(replace firefox with seamonkey if required)
Puppy Linux Blog - contact me for access
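
The check discussed in the posts above, as an added example that is not part of the original thread: `whoami` typed into a separate console reports that console's user, so the browser's owner has to be read from the process list instead. The sample `ps` output is constructed, its column layout is an assumption, and the function names `proc_owners` and `runs_unprivileged` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find which user owns a running browser.

# Constructed sample of ps output; the column layout is an assumption.
SAMPLE_PS='PID   USER     TIME   COMMAND
    1 root       0:00 init
 2411 root       0:03 /usr/bin/X :0
 2630 root       0:00 rxvt
 2631 root       0:00 sh
 2702 spot       0:41 /usr/lib/firefox/firefox-bin
 2750 root       0:00 grep firefox'

# proc_owners NAME: read ps output on stdin and print "USER PID COMMAND" for
# each process whose command line contains NAME. Column positions are taken
# from the header row; the grep process itself is skipped.
proc_owners() {
    awk -v name="$1" '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if ($i == "USER") u = i
                if ($i == "PID") p = i
                if ($i == "COMMAND" || $i == "CMD") c = i
            }
            next
        }
        u && p && c {
            cmd = $c
            for (i = c + 1; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, name) && $c != "grep") print $u, $p, cmd
        }'
}

# runs_unprivileged NAME: 0 if NAME is running and no instance is owned by
# root, 1 if any instance is owned by root, 2 if NAME is not running.
runs_unprivileged() {
    owners=$(proc_owners "$1" | awk '{ print $1 }' | sort -u)
    [ -n "$owners" ] || return 2
    if printf '%s\n' "$owners" | grep -qx root; then
        return 1
    fi
    return 0
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | proc_owners firefox
```

On a live system whose `ps` prints a header with USER and COMMAND columns, the same functions can read the real process list from a pipe instead of the sample.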

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#31 Post by Luluc »

rcrsn51 wrote:1. Run a browser as spot.

2. Download this file. DON'T install it!

3. Try to save it to /mnt/home or /bin. What happens?
"Data File Host
Accessing directly the download link doesn't work. The download only starts if you click from the download page."
It's what the page says! :lol: :lol: :lol:
nooby wrote:As I remember it can only be saved within spot and then I need to start up Rox as root for to get access to it and move it elsewhere.
I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)
You still can save files inside /mnt/home. Do it like this:

Create a new directory:

Code:
# mkdir -p /mnt/home/spotfiles

Make spot the owner of that directory:

Code:
# chown -R spot:spot /mnt/home/spotfiles

Now you can download files with the browser, browse to /mnt/home/spotfiles and save the files there when prompted for a download location.

nooby

#32 Post by nooby »

Thanks rcrsn51, Micko, Luluc all of you

My question is:
I have saved the following text and promised myself to test it out but I am so afraid of failure so I have postponed it the whole day. Can you guys confirm it is good advice? Apology to the author L18L that I failed to remember that you told me how to. :)

nooby wrote:
How does one change the password for spot and what does it have now?

Code:
# passwd spot
Changing password for spot
New password:
Retype password:
Password for spot changed by root
#

Code:
# cat /etc/passwd | grep spot

Cheers
spot since 10 minutes Very Happy

Edited: but more important is to change root's password Exclamation
by simply typing in a console
Code:
passwd

Running FF as spot

It's not hard to run Firefox or SeaMonkey as Spot, I just demonstrated how in a different thread.
Boot puppy normally.
Open the terminal.
enter "su spot" (no quotes) at the prompt.
enter "firefox" (no quotes) next.
When it launches, Firefox will be running under user Spot.
Link to screenshot
http://www.murga-linux.com/puppy/viewto ... 399#511399

Note, starting from default browser icon you are root.
Dragging defaultbrowser.desktop to the desktop and then clicking that will start defaultbrowser as user spot.
Last edited by nooby on Sat 23 Apr 2011, 15:04, edited 1 time in total.

Jasper

#33 Post by Jasper »

Hi guys,

@ nooby - rcrsn51 is saying that I was actually running Firefox as spot (even though it seemed (to me) I was running as root).

@ rcrsn51 - I have now tried two downloads and so I can personally confirm what you already knew and advised.

It is rare (perhaps the first time) that I have used large and emboldened text - but I was worried for other users (though I did say "presumably" as I'm only too aware I'm not all-knowing).

So now, thanks to you, I have a hugely improved understanding and confidence that browsesafe works.

My big, big mistake was in thinking that "whoami" would return my Firefox status. My apology for that and, with hindsight, for raising my query so strongly.

@ 01micko - thank you also for your pet and your help.

My regards
Last edited by Jasper on Sat 23 Apr 2011, 14:08, edited 1 time in total.

rcrsn51

#34 Post by rcrsn51 »

Deleted. See my post three down from here.
Last edited by rcrsn51 on Sat 23 Apr 2011, 16:27, edited 3 times in total.

nooby

#35 Post by nooby »

rcrsn51 thanks for that one. Most instructive. The problem is that I have deleted .mozilla from root and reuse an old .mozilla that I placed in mnt/home and it would fail to link to that one from this new dir you made.

One would need to do what? Copy over a copy of that old one into that dir then?

Ahh now I get it "browsesafe " is a script or pet that Micko has made?
Last edited by nooby on Sat 23 Apr 2011, 14:13, edited 1 time in total.

Jasper

#36 Post by Jasper »

Hi nooby,

Go to opening item in this thread and install browsesafe-0.5.pet and choose the icon option during installation.

My regards

rcrsn51

#37 Post by rcrsn51 »

There are two problems that we are trying to resolve:

1. Run the web browser as an unprivileged user for security reasons.

2. Keep the browser's profile and any downloaded content outside of the user's savefile.

Try this. It assumes that your Puppy installation has a /mnt/home folder AND it is formatted with a Linux file system like ext.

Code:
adduser -h /mnt/home/bsafe bsafe

If you have a full install, use something like

Code:
adduser -h /mnt/sda1/bsafe bsafe

Then run your browser with

Code:
su -c YOURBROWSER bsafe

This will automatically create a .mozilla profile in the new home directory. No symlinking is required. The default download folder is in the bsafe user's home directory outside of the savefile.
Last edited by rcrsn51 on Sat 23 Apr 2011, 18:29, edited 4 times in total.

Luluc

#38 Post by Luluc »

nooby wrote:The problem is that I have deleted .mozilla from root and reuse an old .mozilla that I placed in mnt/home and it would fail to link to that one from this new dir you made.
What do you mean by "fail to link"?

Whenever you link something, remember that the link points to a file or directory that has its own permissions. In other words, if you just link /root/.mozilla to /root/spot/.mozilla, the second one is just a link, the permissions on the first one are still in force, and those do not allow spot to use /root/.mozilla. In such circumstances, Firefox will probably choke and panic when run as spot.

It's more feasible to do the opposite: move .mozilla from /root/ to /root/spot, then make spot the owner of /root/spot/.mozilla, then link /root/spot/.mozilla to /root/.mozilla. That way, when root runs Firefox, the config files will belong to spot, but root can still use them because root can do everything. However, if root creates any new file or directory there, it will be owned by root and forbidden for spot. So linking .mozilla is generally a bad idea, too prone to errors. Ideally, only run the browser as spot, never run it as root.

nooby

#39 Post by nooby »

Dead Ringer Band – Things Don't Come Easy to me by Kasey Chambers :)

Haha things don't come easy on this computer either
I did what rcrsn51 told me.

# deluser spot
# adduser -h /mnt/home/spot spot
Changing password for spot
New password:
Retype password:
Password for spot changed by root
# su -c defaultbrowser spot
su: can't chdir to home directory '/mnt/home/spot'

# # su -c defaultbrowser spot
# su: can't chdir to home directory '/mnt/home/spot'
>
> (firefox-bin:21952): libgnomevfs-WARNING **: Unable to create ~/.gnome2 directory: Permission denied
> Could not create per-user gnome configuration directory `/mnt/home/spot/.gnome2/': Permission denied

end of quote

Thanks Luluc.

Well I have the profile on mnt/home so I need then to move that one to spot.

rcrsn51

#40 Post by rcrsn51 »

nooby wrote:su: can't chdir to home directory '/mnt/home/spot'
Go to your /mnt/home folder. Is there a subfolder named 'spot'?

Check its ownership. Does it belong to user spot?
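
The two questions in post #40 (does the home directory exist, and does it belong to the user), written as a script; this is an added example, not code from the thread. The function names `check_home` and `demo`, the scratch passwd file and the `ghost` account are constructed so the check runs without root and without touching the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the thread): verify an account's home directory.

# check_home PASSWD_FILE USER
# Returns 0 if USER's home exists and is owned by USER's uid,
#         1 if USER has no entry in PASSWD_FILE,
#         2 if the home directory is missing,
#         3 if the home directory is owned by a different uid.
check_home() {
    entry=$(awk -F: -v u="$2" '$1 == u { print $3 ":" $6; exit }' "$1")
    [ -n "$entry" ] || return 1
    uid=${entry%%:*}
    home=${entry#*:}
    [ -d "$home" ] || return 2
    # ls -dn prints the numeric owner in field 3.
    owner=$(ls -dn "$home" | awk '{ print $3 }')
    [ "$owner" = "$uid" ] || return 3
    return 0
}

# demo: build a scratch passwd file with constructed accounts and print the
# result code for each one.
demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -u)
    other=$((me + 1))
    mkdir "$tmp/bsafe" "$tmp/spot"
    cat > "$tmp/passwd" <<EOF
bsafe:x:$me:$me::$tmp/bsafe:/bin/sh
spot:x:$other:$other::$tmp/spot:/bin/sh
ghost:x:$me:$me::$tmp/ghost:/bin/sh
EOF
    out=
    for u in bsafe spot ghost nobody-here; do
        rc=0
        check_home "$tmp/passwd" "$u" || rc=$?
        out="$out$rc "
    done
    rm -rf "$tmp"
    echo "${out% }"
}

demo
```

In the demo the constructed `spot` entry has a home directory that exists but is owned by another uid, which is the case the second question in post #40 checks for.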
