Real men run as root

News, happenings
Message
Author
jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#21 Post by jamesbond »

@dancytron - you got it right!

@tallboy - no, it does not make any difference. Put it this way - anything that you can access (not only in savefile, but in mounted partitions, external flash drive if connected, etc) - can be accessed by the browser too (and by extension, by an attacker if the browser is compromised) --- if you use the browser with the same account you login with (root or non-root - doesn't matter).

Best is still to use network programs with account that don't share anything else with your main account; unless you specifically allow it to.

Of course, amigo will then come that *anything* that uses Xorg is doomed anyway :lol: ... but that's a different story :) One can use links browser in a virtual terminal if one is so concerned (but of course, under a different account) ...

If you're really paranoid, in Fatdog you can buy a little more security, you can run the browser under sandbox, under LXC-sandbox, under UML-sandbox, under qemu, under VirtualBox, the list goes on and on. Barry's latest toy (Easy Linux) also have container built-in (similar to sandbox/lxc-sandbox concept).
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#22 Post by slavvo67 »

anything that you can access (not only in savefile, but in mounted partitions, external flash drive if connected, etc) - can be accessed by the browser too (and by extension, by an attacker if the browser is compromised)
Hmmm... what about unmounted partitions? I have access to mount so can an attacker, in theory?

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#23 Post by jamesbond »

slavvo67 wrote:
anything that you can access (not only in savefile, but in mounted partitions, external flash drive if connected, etc) - can be accessed by the browser too (and by extension, by an attacker if the browser is compromised)
Hmmm... what about unmounted partitions? I have access to mount so can an attacker, in theory?
Yes, if that browser is run as root. If your browser is run as non-root, then it can't mount because non-root user cannot mount - again in theory (because there are ways to enable non-root user to perform mount without being asked for password, too).
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

User avatar
fredx181
Posts: 4448
Joined: Wed 11 Dec 2013, 12:37
Location: holland

#24 Post by fredx181 »

jamesbond wrote:Put it this way - anything that you can access (not only in savefile, but in mounted partitions, external flash drive if connected, etc) - can be accessed by the browser too (and by extension, by an attacker if the browser is compromised) --- if you use the browser with the same account you login with (root or non-root - doesn't matter).

Best is still to use network programs with account that don't share anything else with your main account; unless you specifically allow it to.
Thanks, jamesbond, makes sense to me.
Then a question comes in my mind: May I conclude then that all the big Distro's e.g. Ubuntu, Fedora etc.. are insecure when it comes to browsing the network?
I mean these distros all (sort of) force you to have one normal user account to login and to do everything only from that user account (including browsing).

Fred

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#25 Post by jamesbond »

The largest Linux distribution on the planet (=Android) is doing it; they even go the extreme - every program (networked or not) runs with its own user account. They may know one or two things about security that we don't.

Anyway, it's not about "secure" or "insecure", but it's about "how secure" you want it to be. Security is like an onion. Multiple layers help to reduce problems if any of those layers are broken.

When you run your browser as the same user account as the owner of all your data; then basically you're depending on __that__ browser to guard your data for you. Some people are comfortable with this conclusion, some do not.

That being said, Ubuntu and the other big distro do have an additional layer that we small distros don't have: a ton of people doing just security fixes. As soon as they hear of any CVE advisories, these guys will jump on it, apply the fixes, and release it; and **hopefully** everyone who uses the distro will update to the fixed version. Someone can argue along the line of "what good is an update if my system is already compromised and my password file has been encrypted by ransomware" and I would agree, but the point here is that this is just another layer that can help (if the system isn't compromised yet).

In pre-systemd days, it's quite easy to setup a secondary user account and use it (within the same desktop) to do browsing. It's a bit inconvenient, but it is certainly do-able and some scripting will help a lot. I can't tell whether systemd-based distros actively discourage (or disable) this feature. You can test this yourself if you want.

PS: When I talk about "browser" of course I mean all network programs.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

User avatar
fredx181
Posts: 4448
Joined: Wed 11 Dec 2013, 12:37
Location: holland

#26 Post by fredx181 »

Thanks again JB, clarified a lot for me!

Fred

User avatar
tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#27 Post by tallboy »

jamesbond wrote:If you're really paranoid, in Fatdog you can buy a little more security, you can run the browser under sandbox, under LXC-sandbox, under UML-sandbox, under qemu, under VirtualBox, the list goes on and on. Barry's latest toy (Easy Linux) also have container built-in (similar to sandbox/lxc-sandbox concept).
What about running something in screen?

tallboy
True freedom is a live Puppy on a multisession CD/DVD.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#28 Post by Sailor Enceladus »

musher0 wrote:I think we scared "Emeritus" (the OP) away! (hehe)
I doubt Emeritus has ever used Puppy or was even interested in understanding how it works. Just registered to troll I think. :(

At least they didn't ask about apt-get :lol:

User avatar
bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#29 Post by bigpup »

This is Bulldog!

He handles all the Puppy security. :shock: :shock:

If you try to crack into Puppy, we send him after you. 8)
Attachments
bulldog.jpg
(10.92 KiB) Downloaded 235 times
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#30 Post by musher0 »

Yeah, bigpup. Give the man a fair warning.
So he knows what's in store for him. :twisted:
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Pelo

Yes you can do more, as root.

#31 Post by Pelo »

Real men run as root ? Of course our speedy Puppy Linux make everybody root, that does not mean everybody is able to modify it..
Is you are simply somebody who wants to play with his computer but not with the OS, you can.
Yes you can do more, as root. Beware, :!: you could break a so nice system .
Puppy is really easy to install.. If you don't change the oficial boot process. Look at all posts about install failures, when you change the rules !

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#32 Post by s243a »

I think there might be some confusion here between running a program as root vs running the operating system as root.

To run a program as another user you don't have to log in as another user. You can simply launch another program as a different user than the one logged into the Os. Here are some examples of how one might do this

Code: Select all

#!/bin/sh
cd /root/spot/Freenet/
nohup su -c "sh run.sh start" spot& 
http://www.pearltrees.com/s243a/startup ... id14245425

Code: Select all

#! /bin/bash
su spot
cd /root/spot/firefox
exec nohup ./firefox -p spot&
http://www.pearltrees.com/s243a/startup ... id14245464

is some systems you can use the sudo command instead of su.

Fatdog64 has a program called gtksu which also might serve this function. Many programs give you command line options to run the program as a different user.

The tor start up script for debian (or ubuntu I forget which) uses
http://manpages.ubuntu.com/manpages/pre ... xec.8.html

to confine tor to to a specific user. This command is from the program called Apparmor. Some people in this form use firejail to sandbox their browsers. If you're really concerned about a specific program than run it in a virtual box. Or one could go to the extreeme and run an Os like qubes-os.

Regarding other distributions, it isn't that they don't run some programs as less privileged users than the one operating the OS; it is that the user might know which programs are ran as a different user and might be overly complacent because they are not logged in as root.

Since puppylinux has fewer programs then most version of linux it is easier to keep track of which privileges that each program has. As a final note; in puppy we don't just need to have the typical three users. Puppylinux actually uses more users. The others are just reserved for specific programs.

On cool thing you can do with the firewall is base your iptables rules on the user that a particular program is running as. The examples for tors seamless proxy do this trick.

User avatar
ETP
Posts: 1193
Joined: Tue 19 Oct 2010, 19:55
Location: UK

Real men run as root

#33 Post by ETP »

To quote Douglas Adams:

"Many were increasingly of the opinion that they'd all made a big mistake coming down from the trees in the first place,
and some said that even the trees had been a bad move, and that no-one should ever have left the oceans."

I suppose had we not left the trees we would be running as Groot.

Code: Select all

groot# whoami
my name is Groot
groot#
Image
Regards ETP
[url=http://tinyurl.com/pxzq8o9][img]https://s17.postimg.cc/tl19y14y7/You_Tube_signature80px.png[/img][/url]
[url=http://tinyurl.com/kennels2/]Kennels[/url]

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#34 Post by Wognath »

removed
Last edited by Wognath on Sun 11 Jun 2017, 21:23, edited 1 time in total.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#35 Post by Sailor Enceladus »

BarryK is online, it would be nice to see him rip Emeritus and this troll thread to pieces :lol:

Post Reply