Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Tue 19 Jun 2018, 02:18
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Is Full Install Secure?
Post new topic   Reply to topic View previous topic :: View next topic
Page 2 of 3 [38 Posts]   Goto page: Previous 1, 2, 3 Next
Author Message
Mike Walsh


Joined: 28 Jun 2014
Posts: 3792
Location: King's Lynn, UK.

PostPosted: Thu 24 May 2018, 03:44    Post subject:  

@sleeper48:-

Galbi wrote:
Comming from Windows or from one big distro (Debian, Ubuntu, etc) it's natural to think that full installs are the correct way, but Puppy was designed for frugal installs.

Another advantage, with frugal+backup you can play "learning by breaking"
Smile


Absolutely could not agree more. And IMHO, it's the best way to learn; I've always found that mistakes made like that are ones that tend to stick with you.


Mike. Wink

_________________
MY PUPPY PACKAGES | 'Thanks' are always appreciated!
--------------------------------------

Back to top
View user's profile Send private message Visit poster's website 
greengeek


Joined: 20 Jul 2010
Posts: 5045
Location: Republic of Novo Zelande

PostPosted: Thu 24 May 2018, 14:32    Post subject:  

Any install that allows system files to be writable is inherently insecure.

This is true for both full installs and any frugal install that uses a save file or save folder.

Frugal installs (using auto save techniques) are not more secure - just easier to back up (usually)

A more secure option is to remaster your changes inside the main puppy.sfs. However that is not something easily explainable to new users.

There are other methods to improve security too - mostly focusing on ensuring that system files are readonly and contained within "sfs" files - not contained as read/write files as is done in a full install or a frugal+save.

Personal files are different - they should be stored off the system (away from system files) backed up regularly to multiple locations, and saved manually, rather than relying on save files or save folders to do the job automatically.
Back to top
View user's profile Send private message 
mostly_lurking

Joined: 25 Jun 2014
Posts: 259

PostPosted: Thu 24 May 2018, 18:58    Post subject:  

sleeper48 wrote:
I read this somewhere, just wonder is it true or not?

"Are you quite sure that you should have done a full install? Remember that Puppy runs as root, so it is not secure when run from HD. The frugal install, where the file lives on the HD but is still run from RAM, is recommended for that reason."

Source of that quote:
https://www.linuxquestions.org/questions/linux-newbie-8/how-to-update-slackopuppy-4175597299/#post5653882

Whether a full install is less secure than a frugal one depends on what "secure" means to you - and it has little to do with running as root; you have the same root privileges and file access rights no matter how you run Puppy.

If "secure" means protecting your system:
A frugal install makes is easier to repair if the system gets messed up, especially if you have a backup of your savefile (and if you don't have that, you can at least restore the system to a working state by booting without the save). With a full install, you lose your whole system if it breaks and you can't manage to fix it.
There is also the possibility to configure a frugal Puppy so that it doesn't automatically write all changes to the savefile, but asks you if you want to save on shutdown, thus giving you the chance to avoid saving a session that has gone bad:
Remove automatic pupsave for frugal installs
(Normally, frugal Puppies installed on a hard drive run in "pupmode 12", a state in which they write all changes to the savefile immediately, while installs on USB media use "pupmode 13", which saves at user-defined time intervals and on shutdown.)

If "secure" means protecting your personal files:
In both frugal and full installs, you - and any programs you run as root - have full access to your files. If you have a frugal install with a savefile, I assume storing your files inside the save might put you at a risk of losing them should the savefile get corrupted, so it may be better to keep them out of there.

If "secure" means protection against some hypothetical hacker/malware threat:
First of all, that's very unlikely to happen. Linux home systems aren't a popular target, and Linux won't run Windows-specific malware. (Unless you have Wine installed, and even then it won't run Windows applications automatically. And you hopefully haven't told your browser to open any random Windows executables that it finds on the web with Wine.) The much-publicized security problems that have popped up lately (Meltdown/Spectre, Shellshock...) are mainly a concern for servers, less so for home systems.
Still, if we assume that there may be a threat from surfing the web, a frugal install wouldn't offer any more security than a full one - if your browser (and any hypothetical piece of malware that comes through it) runs as root, your system and personal data could be compromised either way. You might gain a little more security by running your browser as non-root user, so that it doesn't have administrator privileges and can only modify files in that user's home directory. Some newer Puppies have a "Login and Security Manager" in the System menu, where you can select some applications (browsers) to run as restricted user "spot". For older Puppies or other programs, you might find some solution on the forum if simply typing sudo -u spot <programname> in a terminal to run that program as spot (or su spot to switch users for more than one command line) doesn't do the trick.

To summarize: a frugal install is "more secure" only in that it makes it easier to restore the system if it breaks (and configuring it to not save automatically might even prevent damage past the current session), but it doesn't protect your personal data any more than a full install does. Running your browser as non-root user might reduce the already very small and rather theoretical risk of malware.

Here is an article by Barry Kauler, the creator of Puppy Linux, which explains the root-vs-user security question as it applies to Puppy (especially when it is run frugally):
http://bkhome.org/archive/puppylinux/technical/root.htm
(There are also some links at the bottom of that page for further reading about this topic - two by the makers of the Puppy spin-offs Fatdog and Grafpup, and one about Linux in general.)

sleeper48 wrote:
Burn_IT wrote:
There are bigger things than security issues.
Most of Puppy was actually DESIGNED to run frugally.
There are a lot of features that either do not run as well or are just not supported when it is fully installed.

Puppy is not like other Linuxes. Don't try to force it to be.


That's the point. How many newbies would know this? I didn't. Puppy should make this all clear at time of install.

It does. The Puppy installer states that the frugal method is recommended, and lists some advantages of frugal installs. The problem, as dancytron mentioned, seems to be that the terms "frugal" and "full" suggest that the first is some kind of "crippled" install, leading people to choosing the full one instead. I've seen that Xenialpup's installer now says that full installs should only be used for computers with too little memory/slow CPU, so that's a step forwards to making it clearer. I'm not sure if renaming these things after so many years would be a good idea; it might cause confusion for new users when every piece of documentation here or elsewhere uses different terms than their Puppy system does.
Back to top
View user's profile Send private message 
sleeper48

Joined: 24 Dec 2017
Posts: 14

PostPosted: Fri 25 May 2018, 02:01    Post subject:  

Quote:

mostly_lurking wrote:
It does. The Puppy installer states that the frugal method is recommended, and lists some advantages of frugal installs. The problem, as dancytron mentioned, seems to be that the terms "frugal" and "full" suggest that the first is some kind of "crippled" install, leading people to choosing the full one instead. I've seen that Xenialpup's installer now says that full installs should only be used for computers with too little memory/slow CPU, so that's a step forwards to making it clearer. I'm not sure if renaming these things after so many years would be a good idea; it might cause confusion for new users when every piece of documentation here or elsewhere uses different terms than their Puppy system does.


So, it's clear as mud then. Laughing
If they put Recommended after Frugal & Not Recommended or Security Risk after Full, maybe that would help.

Last edited by sleeper48 on Fri 25 May 2018, 11:45; edited 1 time in total
Back to top
View user's profile Send private message 
Burn_IT


Joined: 12 Aug 2006
Posts: 3106
Location: Tamworth UK

PostPosted: Fri 25 May 2018, 07:57    Post subject:  

It is very simple!!

ANY system that has ANY connection to ANY external source of ANY kind is inherently insecure - and that includes a keyboard.

_________________
"Just think of it as leaving early to avoid the rush" - T Pratchett
Back to top
View user's profile Send private message 
sleeper48

Joined: 24 Dec 2017
Posts: 14

PostPosted: Fri 25 May 2018, 11:55    Post subject:  

Burn_IT wrote:
It is very simple!!

ANY system that has ANY connection to ANY external source of ANY kind is inherently insecure - and that includes a keyboard.


True, nothing is totally secure, but some things are more secure than others. The more Puppy (or any distro) can simplify things, the better.
Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 1570
Location: N.E. USA

PostPosted: Fri 25 May 2018, 12:53    Post subject:  

I will also add this... If 'it' broadcasts a signal, such as BluTooth, Wifi, cellular, etc. it can be intercepted, or sniffed, or even cracked. The only mitigation is full client/server encryption of at least TLS1.2-256 bit forward secrecy. Many BT connections are open, and WPA2-FSK was only recently patched for end-users, but problems still remain for the host (server).

One should also consider Meltdown/Spectre and the new SSBD (split or cache-level side-channel attacks). A malicious script in an otherwise ordinary picture or webpage can circumvent these mitigations. That means BROWSER ! Even some Atom processors had to be added to the vunerable list due to SSBD.

I will opine that whatever it takes for the machine to be 'safe enough' has to be done to the browser.

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
Back to top
View user's profile Send private message 
s243a

Joined: 02 Sep 2014
Posts: 1067

PostPosted: Fri 25 May 2018, 14:05    Post subject:  

8Geee wrote:
I will also add this... If 'it' broadcasts a signal, such as BluTooth, Wifi, cellular, etc. it can be intercepted, or sniffed, or even cracked. The only mitigation is full client/server encryption of at least TLS1.2-256 bit forward secrecy. Many BT connections are open, and WPA2-FSK was only recently patched for end-users, but problems still remain for the host (server).

One should also consider Meltdown/Spectre and the new SSBD (split or cache-level side-channel attacks). A malicious script in an otherwise ordinary picture or webpage can circumvent these mitigations. That means BROWSER ! Even some Atom processors had to be added to the vunerable list due to SSBD.

I will opine that whatever it takes for the machine to be 'safe enough' has to be done to the browser.

Regards
8Geee


I wonder to what extent VPNs like tinc can be jsed to mitigate against weakness in wifi security.
Back to top
View user's profile Send private message 
musher0


Joined: 04 Jan 2009
Posts: 12314
Location: Gatineau (Qc), Canada

PostPosted: Fri 25 May 2018, 15:21    Post subject:  

Burn_IT wrote:
It is very simple!!

ANY system that has ANY connection to ANY external source of ANY kind is
inherently insecure - and that includes a keyboard.

Well my head being a system connected to my body, and my eyes connected
to my head and my hands connected to my forearms...

Yiiiiiiiiiiiiiikeees, I am a totally insecure system!!!!!!!!!!!!! (ROFL) Laughing

Come on, guys, let's get serious, shall we?

_________________
musher0
~~~~~~~~~~
"Logical entities must not be multiplied beyond necessity." | |
« Il ne faut pas multiplier les entités logiques sans nécessité. » (Ockham)
Back to top
View user's profile Send private message 
slavvo67

Joined: 12 Oct 2012
Posts: 1529
Location: The other Mr. 305

PostPosted: Fri 25 May 2018, 15:53    Post subject:  

It's a loaded question. Nothing is totally secure; unless you're not connected to the web. Then, you're probably okay... especially if you encrypt.
Back to top
View user's profile Send private message 
Sylvander

Joined: 15 Dec 2008
Posts: 4352
Location: West Lothian, Scotland, UK

PostPosted: Fri 25 May 2018, 16:38    Post subject:  

slavvo67 wrote:
...unless you're not connected to the web. Then, you're probably okay...

Unless someone gains access to your hardware...
A breakin while you're away? Sad
Back to top
View user's profile Send private message 
slavvo67

Joined: 12 Oct 2012
Posts: 1529
Location: The other Mr. 305

PostPosted: Fri 25 May 2018, 21:11    Post subject:  

Did we miss the "Especially if you encrypt?!"

Many puppies have older browsers so you should at least make sure you update to he latest version of Firefox, Chromium, Iron, whatever....
Back to top
View user's profile Send private message 
s243a

Joined: 02 Sep 2014
Posts: 1067

PostPosted: Fri 25 May 2018, 21:40    Post subject:  

slavvo67 wrote:
Did we miss the "Especially if you encrypt?!"

Many puppies have older browsers so you should at least make sure you update to he latest version of Firefox, Chromium, Iron, whatever....


Ransomewhere is found of encryption.
Back to top
View user's profile Send private message 
Moat


Joined: 16 Jul 2013
Posts: 842
Location: Mid-mitten, USA

PostPosted: Sat 26 May 2018, 03:36    Post subject:  

greengeek wrote:
Frugal installs (using auto save techniques) are not more secure...


True. The key is to disable the periodic saves. Personally, I think that should be the default for frugal + save installs (for instance; pupmode 13, ask to save at shutdown (setting 0 or -0?), w/no save after timeout... i.e.; you snooze, you lose).

Next best thing to a remaster!

Just make progressive backups (using the Pupsave Hot Backup utility) as you modify/experiment & save system changes - eventually molding the system to your liking. Then from that point on... select "shut down" and walk away. Always where you last left it at next boot.

Bob
Back to top
View user's profile Send private message 
bigpup


Joined: 11 Oct 2009
Posts: 10568
Location: Charleston S.C. USA

PostPosted: Sat 26 May 2018, 05:35    Post subject:  

If you have one of those talking head devices in your home. (Amazon Echo, Alexa, etc....)
There is no security!!!!

Story is all over the news.
Quote:
Amazon Echo Recorded And Sent Couple's Conversation — All Without Their Knowledge

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 2 of 3 [38 Posts]   Goto page: Previous 1, 2, 3 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0736s ][ Queries: 14 (0.0127s) ][ GZIP on ]