Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Sat 30 Aug 2014, 16:36
All times are UTC - 4
 Forum index » Advanced Topics » Additional Software (PETs, n' stuff) » Browsers and Internet
Browse as user "Spot"
Post_new_topic   Reply_to_topic View_previous_topic :: View_next_topic
Page 6 of 6 Posts_count   Goto page: Previous 1, 2, 3, 4, 5, 6
Author Message
ggg

Joined: 26 Apr 2011
Posts: 65

PostPosted: Thu 28 Apr 2011, 07:49    Post_subject:  

Hello,

If Firefox [root or spot] is configured to request the download location, can anything be downloaded [malicious or clean - possibly except cookies] secretly [i.e without user knowledge] whether running as root or running as spot?

If a download [perhaps an iso, an sfs, a pet, etc,] is executed from within spot, how does that provide more security than if spot had not been used?

Tor does not appear to be included in the mozilla definition for use with spot?

Cheers
Back to top
View user's profile Send_private_message 
rcrsn51


Joined: 05 Sep 2006
Posts: 9061
Location: Stratford, Ontario

PostPosted: Thu 28 Apr 2011, 09:14    Post_subject:  

ggg wrote:
If a download [perhaps an iso, an sfs, a pet, etc,] is executed from within spot, how does that provide more security than if spot had not been used?

You couldn't install a PET while you are running your browser as spot. Spot does not have permission to write files to folders like /usr/bin. To install the PET, you would terminate the browser session and go back to being root.

Spot couldn't mount an ISO or SFS because it doesn't have rights to /mnt. And you wouldn't be doing that from within a browser session anyway.

So from a security standpoint, you gain nothing by downloading these files as spot.

The real problem with downloading these large files is finding a place to save them. You need a folder with enough free space where spot has write permission.

Quote:
If Firefox [root or spot] is configured to request the download location, can anything be downloaded [malicious or clean - possibly except cookies] secretly [i.e without user knowledge] whether running as root or running as spot?

That's why you have to keep your version of Firefox updated.

The theoretical danger from running your browser as root comes from malicious scripts buried on a web page. If one of these attempted to modify your system, the damage would be limited to the files inside /root/spot. (Unless the script was able to elevate its privilege.)
Back to top
View user's profile Send_private_message 
ggg

Joined: 26 Apr 2011
Posts: 65

PostPosted: Thu 28 Apr 2011, 10:21    Post_subject:  

Hello rcrsn51,

Thank you for your explanations, though with my second question about executing from within spot we may be at cross purposes [because I did not stress that Firefox had been closed before execution]. Then as I can, as root, install/execute a pet [or whatever] that is located within my spot folder; am I right to think that executing from inside spot provides no extra security?

However, it does seem to be safer to use browser spot mode so that secret and malicious downloads, if any, could only be to the spot folder and, I assume, would remain safe there, in a "vault", even after the browser closed so long as there was no deliberate execution.

If you have the time, would you please expound a little further if my interpretation of your explanation is imperfect.

Thank you
Back to top
View user's profile Send_private_message 
rcrsn51


Joined: 05 Sep 2006
Posts: 9061
Location: Stratford, Ontario

PostPosted: Thu 28 Apr 2011, 10:32    Post_subject:  

ggg wrote:
Then as I can, as root, install/execute a pet [or whatever] that is located within my spot folder; am I right to think that executing from inside spot provides no extra security?

Correct.

Quote:
However, it does seem to be safer to use browser spot mode so that secret and malicious downloads, if any, could only be to the spot folder and, I assume, would remain safe there, in a "vault", even after the browser closed so long as there was no deliberate execution.

Correct. But consider this. The vast majority of Linux users run non-privileged. Yet Firefox is constantly releasing security patches to protect people from the latest exploit. Does that mean that running as non-root does not really offer protection? What do these upgrades protect you from?
Back to top
View user's profile Send_private_message 
ggg

Joined: 26 Apr 2011
Posts: 65

PostPosted: Thu 28 Apr 2011, 17:32    Post_subject:  

Hello rcrsn51,

Thank you very much for your clarification. Having thought hard about your two questions in your final paragraph, I can only suggest that apart from any speed or non-security improvement(s) then possibly Firefox upgrades may sometimes stop some exploitation instead of users having to rely upon "spot-type" isolation? Also, Firefox upgrades for Linux and Windows seem to happen almost concurrently [with seemingly identical version numbering] so on some occasions might the upgrades be aimed at the protection of Windows users rather than Linux users?

Cheers
Back to top
View user's profile Send_private_message 
Display_posts:   Sort by:   
Page 6 of 6 Posts_count   Goto page: Previous 1, 2, 3, 4, 5, 6
Post_new_topic   Reply_to_topic View_previous_topic :: View_next_topic
 Forum index » Advanced Topics » Additional Software (PETs, n' stuff) » Browsers and Internet
Jump to:  

Rules_post_cannot
Rules_reply_cannot
Rules_edit_cannot
Rules_delete_cannot
Rules_vote_cannot
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0532s ][ Queries: 13 (0.0054s) ][ GZIP on ]