EasyOS version 2.3.2, June 22, 2020

[rufwoof]

Easy 0.9.3 pupradio/puptelly doesn't work for me.

Code: Select all

# pupradio
/usr/local/pupradio/pupradio: line 108: /root/.pupradio/config: No such file or directory

Other graphical/multimedia programs such as screen recording using FFConvert do seem to be working fine

[Rodney Byne]

To rufwoof,
I read your post with interest when you say pupradio
isn't working.
The only thing is, you don't spell out exactly WHAT isn't working.
Not working is vague, however comparing your post
# pupradio
/usr/local/pupradio/pupradio: line 108: /root/.pupradio/config: No such file or directory
with my working app, does agree the same.

Q: does the app actually launch?

If the app does launch, try pressing button 6 vpr bbc.
This ALWAYS works and none of the other buttons work in UK
because their URL links are defunk.

Button 6 announcement is
"This freestream of the bbc is provided by Vermont Public Radio.
Please make a gift to support it at VPR.net"

This announcement proves the app works in principle.
So the only job left to do is insert your own preferred
remaining station names to button numbers and known
URL streaming link strings.
If you live in UK, I can supply suggested info as required above.

How am I doing so far? BTU.
Regards.

[rufwoof]

When I click the pupradio menu option ... nothing happens at all. No sign of life whatsoever.

Running pupradio from the command line showed the output I posted. I put that down as being the fault, but as you're saying that you get the same message in a working version ??? Looks like it might just be my configuration/setup then (if it works for some (you), but not me - then that's a issue for me, not Barry).

Testing further ... I had no /root/.pupradio/config, touching that file and pupradio starts up fine now. Somehow, not sure how, I must have lost that config file.

Presets all seem to be working for me (I'm in the UK). Switched one over to being LBC that is one of my regular radio stations that I early morning listen to.

[Rodney Byne]

Well done problem solved, just a temporary blip then.

I find Pup's only eight channels are a bit restricted.
I prefer a radio playlist with lots of stations running
on audacious rather than Pup.
Great sound quality that program has with its extra
wide stereo filter - a good idea Barry had including
it in Easy.

Am also running a homespun worldTV playlist
on Barry's mpc-qt.
When there's no buffer bloat causing picture breakup,
the HD quality is superb.
Trouble is, at certain times of day even on faster fibre,
too many people hog the data bandwidth, running gaming
or downloading Netflix!

Cheers.

[scsijon]

Barry, just something that may be of use with containers userspace.
https://proot-me.github.io/
and a container engine
https://github.com/resin-os/balena

[BarryK]

There are several posts above, that I have only seen now. Will study them later.

For the last few days, have been working on encryption. And here it is, version 0.9.4:

http://bkhome.org/news/201806/easyos-py ... eased.html

Let me know if it does anything odd, now that the folders in the working-partition are encrypted. Limited testing by me, it seems OK. There doesn't seem to be any slowdown.

One thing I didn't mention in the blog announcement: the boot menu on UEFI-based PCs now has all the sub-options at the top level. This makes them much more obvious.

rufwoof,
A quick note about "Rollback to last snapshot" in the boot menu. if you haven't made any actual snapshots, then rollback will be to the very first automatically-created snapshot, which is repositories/easy-0.9.4/rw-0.9.4.sfs, which has nothing in it -- meaning that at bootup it will be same as a pristine first-time bootup.

...oh, and welcome back!

[Billtoo]

I installed 0.9.4 to a 32gb usb-3.0 flash drive:

video-info-glx 1.5.3 Wed 6 Jun 2018 on Easy Pyro64 0.9.4 Linux 4.14.44 x86_64
2.0 VGA compatible controller: Intel Corporation 82G33/G31 Express Integrated Graphics Controller (rev 10)
oem: Intel(r)Q33/Q35/G33 Graphics Chip Accelerated VGA BIOS
product: Intel(r)Q33/Q35/G33 Graphics Controller Hardware Version 0.0

X Server: Xorg Driver: intel
X.Org version: 1.19.1
dimensions: 1920x1080 pixels (508x285 millimeters)
depth of root window: 24 planes

direct rendering: Yes
server glx vendor string: SGI
server glx version string: 1.4
OpenGL vendor string: Intel Open Source Technology Center
OpenGL renderer string: Mesa DRI Intel(R) G33
OpenGL version string: 2.1 Mesa 17.0.7

Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
Core 0: @1221 1: @1220 MHz

I added some pets.
I have Firefox and Lxterminal running in a container, I have cmus
playing a radio station in the lxterminal container, is it secure?

On 1st boot I entered a password to enable encryption, now enter the
password on each bootup (it won't boot until I do enter the password).

That's it so far.
Thanks.

[rufwoof]

rufwoof,
A quick note about "Rollback to last snapshot" in the boot menu. if you haven't made any actual snapshots, then rollback will be to the very first automatically-created snapshot, which is repositories/easy-0.9.4/rw-0.9.4.sfs, which has nothing in it -- meaning that at bootup it will be same as a pristine first-time bootup.

But I did have snapshots, both for the main system and for snapshots), above and beyond the first boot backup that the system automatically creates. I'll recheck after I've downloaded and cleanly installed 0.9.4 as it might have been a consequence of other things/tests made before trying out the rollback. Wondering if it might be consequence of using frugal (to HDD) installation - we'll see.

[BarryK]

Hi Barry

I found a couple of bugs in

There's another bug in the containers code Barry. Add a sfs to a container such as ff.sfs using the container manager, and its recorded in the container configuration file as EASY_LAYER_RO1=ff.sfs-*.sfs ... and doesn't get picked up/used.

Thanks, fixed.

[Billtoo]

I have Firefox and Lxterminal running in a container, I have cmus
playing a radio station in the lxterminal container, is it secure?

I entered the password to enable encryption.
I changed the root password.
I put firefox and lxterminal in a container.
I run cmus in the lxterminal container.

So I ask you again @Barry, is it secure???

[rufwoof]

Nothing is truly secure. More a case of usability versus risk. Look at what OpenBSD do for instance - things such as randomising where/how the kernel is arranged in memory, zapping the fixed memory boot code after having booted, randomising where bins/libs etc are in memory, encrypting swap, randomise PID's, running regular checks of system files - bin/lib and important config file checksums, checking programs run within certain boundaries (Pledge) ... etc. All by default. Along with ongoing audits of code. "Secure by default" as they say, but where that is subjective to how it is used as its relatively easy for a individual to change things, perhaps with good intent, but where the changes/additional code/added features potentially negates security.

Security is more a scale comparison

entered the password to enable encryption.
I changed the root password.
I put firefox and lxterminal in a container.
I run cmus in the lxterminal container.

So I ask you again @Barry, is it secure???

Securer perhaps. But subject to if a flaw exists in the additional code added to provide such features, alongside how those programs are used.

The intent of Containers/Easy is to make things securer. Personally I only run rover inside containers, and add additional capsh'ing on top of what Barry currently capsh's. To the extent that when I run Firefox60 as a heavily restricted rover userid and where even root access is significantly crippled inside the container it feels considerably right shifted security wise (more secure).

[rufwoof]

Downloaded 0.9.4 by navigating to the link for 0.9.3 in the first post of the thread and going up to the Parent folder and down in to 0.9.4.

md5 the Easy file and validated the md5 checksum matches that of the file downloaded.

Unzip'd it.

Running OpenBSD so ... Inserted a MMC card and ran dmesg | grep MMC that identified that as being sd3. Ran disklabel sd3 that identified /dev/rsd3c

Just finished the dd if=easy...img of=/dev/rsd3c bs=1M;sync command and about to boot it via old style press F12 whilst booting and select the SD/MMC BIOS boot menu choice. The dd took less time than it took to write this post.

Edit ... minutes later back to edit this post using containered Seamonkey within Easy 0.9.4. Entered a weak password during boot and the keyboard worked fine (didn't have to wait 5 minutes as the prompt indicated might be the case). Initial boot as usual with Easy for me resulted in a command line, having to run xorgwizard and select my Radeon ATI, 1440x900 resolution and then confirm that and run xwin to start the gui. After going through the firstrun-setup ... mostly ticking things and selecting UK/GB country choices, my first port of call is to Jwmdesk manager to first set it to the max size of 700 wide and then select the maximum 130 dpi. Once that has been run I manually edit the /root/.Xresources file to increase it further to 157. That has the effect of blowing out the EasyApps program display that doesn't cater for such a high 157 dpi, but other than that 157 works better for me. I also run the gtk config to manually enter a Font of Sans size 11. After that the display is more consistent and comfortable for me.

Next port of call for me is to open up the containered SeaMonkey (top centre of screen), let it run through its first run setup and then immediately shut it down again and use Menu, Filesystem, EasyVersionControl ... and near the bottom make a snapshot image of the Seamonkey container, so that I have a clean/fresh version that I can roll back to each time I want to subsequently browse the web.

Something (firmware or ??) is apparently amiss for me with Easy as sometimes it boots direct to gui on subsequent runs, other times it does have to have xorgwizard re-run again to re-enter Radeon/ATI and 1440x900 values again. Seemingly spuriously.

About to reboot now, as I've set the q.sfs to be rebuilt using gz compression.

Edit 2. Back again. Reboot asked for password and after it was entered it showed the compression progress bar ... for a few minutes or so until the q.sfs was recompressed. Continued booting and again fell out to the command line with xorgwizard having to be re-run. The MMC card I'm using (connected to the PC via a MMC caddie) is 2GB in size and the bottom near right space icon shows 1.2GB of Personal space with 728MB free space. Past experience indicates a 2GB MMC is usable, but 4GB would be more preferable IMO. Using Menu, Filesystem, EasyVersionControl I rolled back to the seamonkey snapshot so pristine again ran Seamonkey and edited this post. With the boot MMC now prepared ... I'm off for dinner. Before I forget however, I usually install firefox in a container as that has NoScript which I generally consider to be a mandatory extension other than for private web surfing (when its best to have no addons loaded). A container being relatively secure however opens up the potential to just run without NoScript, and just roll back to a prior known clean version of seamonkey each time you run it. So whilst I don't usually use seamonkey, for 0.9.4 I think I'll give it a go.

[rufwoof]

I've changed my seamonkey containers ec-run to include removal of most group memberships and to wipe out pretty much all capabilities. Leaving membership of video and audio group ensures seamonkey can still play/hear youtubes.

/mnt/sdd2/containers/seamonkey/container/ec-run content of (seamonkey has to be running)

Code: Select all

#!/bin/sh
MOUNTS="$(busybox mount 2>/dev/null)"
if [ "$(echo "$MOUNTS" | grep '/proc ')" == "" ];then
 busybox mount -t proc proc /proc
 MOUNTS="$(busybox mount)"
fi
[ "$(echo "$MOUNTS" | grep '/shm ')" == "" ] && busybox mount -t tmpfs shmfs /dev/shm
[ "$(echo "$MOUNTS" | grep '/pts ')" == "" ] && busybox mount -t devpts -o newinstance devpts /dev/pts
[ "$(echo "$MOUNTS" | grep '/sys ')" == "" ] && busybox mount -t sysfs none /sys
EXE="$1"; shift
ARGS=''
[ $1 ] && while [ "$1" ]; do ARGS="$ARGS \"$1\""; shift; done #put quotes around each argument.

#delgroup tty
delgroup scanner 
delgroup disk 
#delgroup audio 
delgroup lp 
delgroup dialout 
delgroup kmem 
#delgroup video 
delgroup floppy 
delgroup cdrom 
delgroup tape 
delgroup plugdev 
delgroup lpadmin 
delgroup shutdown 
delgroup crontab 
delgroup bluetooth

ADDITIONALS="cap_fsetid,cap_setgid,cap_setuid,cap_linux_immutable,cap_net_bind_service"
ADDITIONALS="$ADDITIONALS,cap_net_broadcast,cap_net_raw,cap_ipc_lock,cap_ipc_owner"
ADDITIONALS="$ADDITIONALS,cap_sys_rawio,cap_sys_pacct,cap_lease,cap_audit_write"
ADDITIONALS="$ADDITIONALS,cap_audit_control,cap_mac_override,cap_mac_admin,cap_syslog"
ADDITIONALS="$ADDITIONALS,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep"

if [ "$EC_CAP_DROP" ];then #180427
 capsh --drop=${EC_CAP_DROP},${ADDITIONALS} -- -c "${EXE} ${ARGS}"
else
 ${EXE} ${ARGS}
fi

The less authority root has in a seamonkey container the better IMO. Reducing it down to a restricted/normal userid level or lower whilst still being able to perform the task in hand (browser), but still be 'root' so copying files between main and container doesn't involve file ownership issues. Could perhaps even add to that by chmod'ing the sbin's so not even root in the container can access any super-user type binaries.

[Rodney Byne]

Advice requested please.

For practice session, I want to insert this file;
tor-browser-7.5.3-x86_64.sfs
into a container, but am struggling
to achieve this.
It always installs only in the Menu/Internet,
but never inside a container.

Step by step instructions to get it right
for a newbie would be welcome please
and once learned I can follow same again
for such as LxTerminal.
Thanks in advance.

[BarryK]

I have Firefox and Lxterminal running in a container, I have cmus
playing a radio station in the lxterminal container, is it secure?

I entered the password to enable encryption.
I changed the root password.
I put firefox and lxterminal in a container.
I run cmus in the lxterminal container.

So I ask you again @Barry, is it secure???

There is no such thing as "secure"

Not an absolute guarantee of security anyway. With Easy, security is a work-in-progress. It is also a work-in-progress for all operating systems.

You have some protection running in a container.

[BarryK]

The intent of Containers/Easy is to make things securer. Personally I only run rover inside containers, and add additional capsh'ing on top of what Barry currently capsh's. To the extent that when I run Firefox60 as a heavily restricted rover userid and where even root access is significantly crippled inside the container it feels considerably right shifted security wise (more secure).

Yes.

Still running as "root" inside a container, but it is a very crippled root.

The next step I was planning, is to introduce a kind of "superoot" and assign ownership to superoot of various folders and executables, so the crippled root in the container won't be able to execute them.

One of the capabilities disabled by default inside a container, forget its name, enables the ownership/group checks that unpriviledged users have to do. So root in the container cannot execute everything.

I was thinking of naming this super-root "xeus", who was the king of the Greek gods. Unless there is a suitable doggy name...

[rufwoof]

"xeus", who was the king of the Greek gods

I thought it was Zeus?

[Cu Chulinux]

It is Zeus, probably a typo. X and Z are right beside each other.

How about Cerberus, the dog guardian of Hell? Or is that too literal?

Anubis, the Egyptian god of the afterlife, had a dog head.

Or simply "Rex", lots of dogs named Rex, means king.

[rufwoof]

I was thinking of naming this super-root "xeus", who was the king of the Greek gods. Unless there is a suitable doggy name...

OR! Just don't have the main system auto logging in and running as "root". It's common nowadays to have root login totally disabled, and instead have a userid that has root like permissions/authority. That way you have to know both the userid and the password - so more protective. Which would simplify things such as file copying/permissions between the main system and a container ... root-like userid outside of container, heavily restricted userid inside container, but the same userid/file owner name inside and outside of containers. That way and there's no need for "Zeus", as that would be "root", but if Rex (adopting Cu Chulinux's suggestion) is pretty much as good as root anyway outside of a container !!!

[Cu Chulinux]

If I open the seamonkey container with seamonkey running already as root then the resulting "container" seems to be another instance of the root seamonkey.

I have been mainly running as root because in a container I do not have sound in the browser. I opened the container seamonkey when I installed 0.9.4 to see if that had changed but already had seamonkey open as root. Sure enough I had sound (testing on youtube). Then I realized I had all my previous websites and bookmarks I'd used in the root one.

I exited both and started the container by itself. No previous addresses, no bookmarks, and no sound.

I had not done anything to change the container setup from default.

Edit: this also works the other way too. If I open seamonkey in container then open seamonkey outside of container then I end up with two instances of the containerised seamonkey.

Edit2: If I open container shell and run seamonkey from that then it is a completely separate instance of seamonkey from the already-running root instance.

BTW how can I enable sound in the container?