Big security hole: Should have implementation.

securityfreak
Posts: 2
Joined: Wed 12 Mar 2014, 03:07


#1 Post by securityfreak »

One thing with the system is that it really NEEDS to have a User account, THEN root on top of that. This way a person can USE the system, but then also be able to SU to the administration account to further administrate the system.

Because if you are using it on an older system, and want to have users on it, but for them to NOT have full access of it all, then it should not have root access from the get go.


This is a MAJOR security hole in the system, makes the system volatile to attacks and hacks and all from the outside world if the system is on the internet.

p310don
Posts: 1492
Joined: Tue 19 May 2009, 23:11
Location: Brisbane, Australia

#2 Post by p310don »

Can everyone who has used puppy for years please detail the hacks they have been victims of please?

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#3 Post by James C »

p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
Zero here.

dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#4 Post by dancytron »

No problems here.

OP, if running as root is a problem, you should just use a different distribution.

Fossil
Posts: 1157
Joined: Tue 13 Dec 2005, 21:36
Location: Gloucestershire, UK.

#5 Post by Fossil »

p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
Have been using various Puppy incarnations every day, for eight - 8 - years. NEVER any attack or problem.
If you ain't happy with the product - move on!

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#6 Post by Sylvander »

Once...and only once...upon a time...
When visiting some [malicious?] website...

I found windows opening on the desktop...
Displaying the contents of the Puppy CD-RW.

As I closed the windows, new windows would open.
So I used ctrl+alt+backspace to drop to a command prompt and rebooted.

Once back to the desktop, the problem was still there...
So...

I rebooted into a different Puppy CD-RW...
Deleted the pupsave of the problem Puppy...
Restored a good/clean recent backup copy [held on an external USB connected HDD, normally powered off] of a pupsave for the problem Puppy.
Then booted the original Puppy that had displayed the problem.

The problem was GONE! :D

This is the only seeming security problem I've ever detected since beginning to use Puppy in Dec 2008.

These days, my Puppy doesn't save any session changes back to the pupsave on the internal HDD [neither during the session, nor at shutdown/reboot], unless I tell it to.
So I can [and sometimes do] power off improperly.
At next boot, the Puppy automatically scans&fixes the ext3 host partition file system and also the ext3 pupsave partition file system.
So far, doing this has never caused a problem [none of which I'm aware].
Hence, in the event of a problem I can just hold in the power button to power off.

RSH
Posts: 2397
Joined: Mon 05 Sep 2011, 14:21
Location: Germany

#7 Post by RSH »

Never had any problem since I'm using Puppy. And I had just once a problem when I was a windows user (should not have opened that unknown email :wink: ).
securityfreak wrote: This is a MAJOR security hole in the system, makes the system volatile to attacks and hacks and all from the outside world if the system is on the internet.
The security hole usually is sitting on a chair in front of the computer: clicking and opening just everything that blinks, flickers and is offered to open and/or download it.
LazY Puppy: http://lazy-puppy.weebly.com
RSH's DNA: http://rshs-dna.weebly.com
SARA B.: http://murga-linux.com/puppy/viewtopic.php?t=91422

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#8 Post by mikeb »

Hmm like Sylvander someone sent me to a site that had some horrible javascript which had windows flying open all over the place...seems like the browser was going doo lally but made doing anything impossible...can't remember how I forced it off...ctrl+alt+delete or backspace or perhaps the power button.
After restarting firefox was a little upset and wanted to take me back to the same site which for some reason I chose not to do but otherwise no harm done apart from my time wasted.

Apart from that we are looking at 8 years of running as root. Yes I managed to delete an entire partition of stuff through a bad script I made while learning (did recover most of it as it happens) so to me not being root guards against user stupidity NOT the internet which is a different matter.

As it happens I added multiuser to my puppies...not a major undertaking and it works as expected.... the lack of it is laziness and convenience since slax, another live distro, DOES provide full multiuser ability.

On a last note I recently did a weird one... created a user and then ssh to myself as that user and then ran firefox through X forwarding as that user...I felt suitably sandboxed :D Of course this also requires additions to standard pups ...just thought I would throw it in.

mike

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

#9 Post by Moose On The Loose »

p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
With very little effort on my part, I could misunderstand your request to include those that I have been victim to while using other OSes. That would make the list so long that I would not want to type it all so here is the first and the last few viruses I had trouble with.

First:
Back when my computer used two floppies and had no hard drive, I discovered that somehow a new TSR got onto my MSDOS-3 boot disk and was making a copy of itself on any new floppy. This meant that I could not get the full use of the space on the floppy.

2nd Last:
On an XP machine fresh out of the box, as soon as I connected to the internet but before I downloaded the antivirus software, a massive string of network actions happened and the machine froze up.

Last:
On a Win-7 machine, quite suddenly in the middle of my doing something, it began doing a huge number of network accesses and bogged down and then went into the shutdown all on its own.


I have been using Puppy since 4.10 was the latest version and so far have never had a virus etc get me.

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#10 Post by dejan555 »

puppy.b0x.me stuff mirrored HERE (https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs) or HERE (http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror)

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#11 Post by musher0 »

p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
None whatsoever.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

catsezmoo
Posts: 26
Joined: Sun 09 Feb 2014, 04:59

#12 Post by catsezmoo »

mikeb wrote: javascript which had windows flying open all over the place...seems like the browser was going doo lally but made doing anything impossible...can't remember how I forced it off...ctrl+alt+delete or backspace or perhaps the power button.
After restarting firefox was a little upset and wanted to take me back to the same site which for some reason
NOT being logged in as root wouldn't prevent such a javascripted browser exploit

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#13 Post by mikeb »

catsezmoo wrote: NOT being logged in as root wouldn't prevent such a javascripted browser exploit
never said it would...please don't tell me what I am supposed to have said.

The point was about javascript on the net being the only problem ever experienced...a browser crash is the worst thing that has happened.... the subject of root is irrelevant in this case.

mike

ally
Posts: 1957
Joined: Sat 19 May 2012, 19:29
Location: lincoln, uk

#14 Post by ally »

over 3 years solid puppy

no issues

:)

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#15 Post by starhawk »

RSH wrote: The security hole usually is sitting on a chair in front of the computer: clicking and opening just everything that blinks, flickers and is offered to open and/or download it.
This.

The one time I've ever gotten a virus (it was on Windows!) I felt pretty stupid in the aftermath, because I was dumb enough to click on one of those "you just got a free e-card" links in my email.

To be fair, my mother was away at the time and I was lonely -- something must've clouded my thoughts enough to make me think that it could possibly be from her... :oops: well, that idea went away real quick! Fortunately, I had antivirus software that cleaned things up quite nicely...

There's quite a bit to be said for safe browsing/emailing habits!

That said, I've been using Puppy "recreationally" since shortly after joining this forum... and I've been using it steady as my main OS for a month or two now. No problems of any kind (other than some bugs in my specific Puppy version of choice, that I was able to work around) that I couldn't attribute to my own occasional stupidity ;)

RSH
Posts: 2397
Joined: Mon 05 Sep 2011, 14:21
Location: Germany

#16 Post by RSH »

starhawk wrote: to click on one of those "you just got a free e-card" links in my email.
Yes, that's really funny.

So it happened to me in the end of the year 2000 or begin of 2001.

Everyone did send e-cards then.

I was totally inexperienced and did a search for an anti-virus program especially for this virus, that has overcome my computer's data.

Found one.

Did erase almost everything from HD what was existing! :lol:

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#17 Post by greengeek »

p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
1) My wife keeps using my Puppy PC when her Win7 PC is non-functional with virus problems

2) My daughter keeps using my Puppy PC while her XP PC is unusable during system updates

3) My son keeps using my Puppy PC while he is doing a system restore on his Win7 netbook.

Why do these hacks keep using my machine?? I'm seriously thinking of ditching my Puppy PC so I can get some work done.

saintless
Posts: 3862
Joined: Sat 11 Jun 2011, 13:43
Location: Bulgaria

#18 Post by saintless »

Maybe the right question is why puppy lost multiuser option if it can have it almost without adding extra size? It still can use autologin as root.

I know the usual answer - Do not use Puppy if you need user account!
I also hate to type sudo and like to use root account.

But the question is still there:
Why puppy lost multiuser support if it adds almost nothing to the size and it will bring new users attention to puppy linux?
What will Puppy lose if it has multiuser support? Nothing.
What is lost since it doesn't? More Puppy linux users.

Toni

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#19 Post by mikeb »

saintless wrote: Why puppy lost multiuser support if it adds almost nothing to the size and it will bring new users attention to puppy linux?
question for Barry really.

Multiuser changes add nothing in themselves.. just script changes...busybox init can handle it. Many puppy scripts are coded for root rather than ~ so that's a bit of a sticky point... better desktop managers like XFCE4 are easier to deal with.

For the full job there needs to be a nice login manager, (slim I used), better login apps rather than tinylogin, and a skel folder for user profile creation. That adds up to ~ 500k uncompressed.

that's it really

mike

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#20 Post by dejan555 »

All of those are true saintless, well puppy actually didn't lose multiuser support technically speaking you can still add/remove users but you can't run Xorg and gui apps.
The reason for this are choices Barry made when creating puppy scripts and way of working.
Permissions for various devices and places are not set so another user can access them and a lot of puppy scripts use hardcoded /root directory for configuration instead of $HOME.
There were several puplets that made workarounds for these limitations (grafpup on 1.x series, pizzasgood's 4.21 multiuser, I even have it kinda working on dpup486 now, you can test if you like)
But these fixes are individual per puplet and would need to be implemented in puppy skeleton/woof.

Later Barry was experimenting with fido/spot but he used wrong approach by assigning them to same home directory as root.
(It's not only about restricted user security it's also about having separate configs and separate home directories)
I don't know how much additional mess that added to scripts but it could be fixed.

I'm actually thinking of joining that woof-CE project and start implementing some small fixes to scripts for multiuser. It wouldn't be hard to do if other developers accept the idea.

Even I'm sometimes joking about not using puppy for other than root I also think that it's a shame not to have this ability.
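
The hardcoded /root problem that mikeb (#19) and dejan555 (#20) describe can be measured before any porting work starts. The following is an added example, not part of the original thread and not code from Puppy or woof-CE: it lists non-comment lines in shell scripts that reference /root as a path, so each can be reviewed for a $HOME replacement. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a script tree for hardcoded /root paths.

# Print "file:line:text" for each non-comment line in a shell script that
# uses /root as a path (/root or /root/...), ignoring e.g. /mnt/rootfs.
find_hardcoded_root() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        # Only inspect files whose first line is a shell shebang.
        head -n 1 "$f" |
            grep -Eq '^#! */(usr/)?bin/(env +)?(ba|da|a)?sh' || continue
        # /dev/null as a second file makes grep print the file name.
        grep -nE '(^|[^A-Za-z0-9_./-])/root(/|[^A-Za-z0-9_.-]|$)' \
            "$f" /dev/null |
            grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
    done
}

# Number of flagged lines under a directory.
count_hardcoded_root() {
    find_hardcoded_root "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real Puppy scripts) to exercise the scan.
make_sample_tree() {
    t=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' \
        'CONF=/root/.config/app.rc' \
        '# backup of /root/.bashrc (comment, ignored)' \
        'mount /dev/sda1 /mnt/rootfs' \
        'cd /root' > "$t/hardcoded.sh"
    printf '%s\n' '#!/bin/sh' \
        'CONF="$HOME/.config/app.rc"' > "$t/portable.sh"
    printf '%s\n' 'notes: config lives in /root/.config' > "$t/README"
    echo "$t"
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_hardcoded_root "$1"
fi
```

Lines that build the path from a variable, such as `${PREFIX}/root`, are also flagged and need a manual look.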
