Why I don't like running as root (in Puppy)

For discussions about security.
edoc
Posts: 4729
Joined: Sun 07 Aug 2005, 20:16
Location: Southeast Georgia, USA

#91 Post by edoc »

SirDuncan wrote:Personally, I always change the root password. I may forget to do it at first, but I eventually get around to it.
Is that still possible in Puppy 4/Dingo?
Thanks! David
Home page: http://nevils-station.com
Don't google, Search! http://duckduckgo.com
TahrPup64 & Lighthouse64-b602 & JL64-603

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#92 Post by Pizzasgood »

I don't see why not. Just run passwd
Keep in mind that if CUPS asks for the password, you will have to use your new password rather than woofwoof.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#93 Post by SirDuncan »

edoc wrote:Is that still possible in Puppy 4/Dingo?
Absolutely.
Pizzasgood wrote:Just run passwd
Exactly.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#94 Post by Flash »

Anyone could drive a stake through this thread's heart anytime, by actually proving they had a problem which was caused by running Puppy as root. For instance, a computer that was taken over by malware which couldn't have worked if they hadn't been running as root. Until I see proof that it actually caused a problem, I'm not going to worry my pretty little head over running as root. :lol:

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#95 Post by cthisbear »

" Anyone could drive a stake through this thread's heart anytime,
by actually proving they had a problem which was caused
by running Puppy as root. "

Log onto the Whirlpool forum for their grief fest on Puppy.

Reminds me of that old Kinks song.
Paranoia the Destroyer.

http://www.youtube.com/watch?v=ZBbAZVw3_7A

Chris.

urban soul
Posts: 273
Joined: Wed 05 Mar 2008, 17:03
Location: "Killing a nerd is not as much fun as it sounds" B.Simpson

#96 Post by urban soul »

Barry probably thought: 'how much can I cut out of Linux and have it still work?' Afterwards things can be 'filled in' again anyway. This is a very creative approach in my opinion.

jglen490
Posts: 9
Joined: Sun 09 Mar 2008, 18:25

#97 Post by jglen490 »

Flash wrote:Anyone could drive a stake through this thread's heart anytime, by actually proving they had a problem which was caused by running Puppy as root. For instance, a computer that was taken over by malware which couldn't have worked if they hadn't been running as root. Until I see proof that it actually caused a problem, I'm not going to worry my pretty little head over running as root. :lol:
A better project would be to apply that idea to ANY Linux distro. Puppy is Linux, or so I've heard, the only difference being the intent of being an always "live" distro, rather than a full time, permanent distro.

You can run any Linux as root, if you are bold/brave/foolish enough. The point to running Linux as mostly non-root is to protect the heart of the OS - to the extent possible - while letting non-root account(s) take the hit, should one occur. A reasonable philosophy as long as the non-root account(s) are backed up periodically.

And, oh by the way, Linux security has nothing to do with account names. It has everything to do with strong passwords, up-to-date software, permissions, and some monitoring. Being careful doesn't take a lot of time. But it's your system, do as you will.

kirk
Posts: 1553
Joined: Fri 11 Nov 2005, 19:04
Location: florida

#98 Post by kirk »

The point to running Linux as mostly non-root is to protect the heart of the OS - to the extent possible - while letting non-root account(s) take the hit, should one occur.
Exactly, and the heart of the Puppy OS is read-only. So there's no need to run as non-root. However some applications do run as non-root, http servers come to mind. And in Puppy it's not possible to su to root from a non-root user, it's never needed. A machine running an http server with Puppy is actually more secure than with other multi-user distros.

jglen490
Posts: 9
Joined: Sun 09 Mar 2008, 18:25

#99 Post by jglen490 »

That's true. However, the simple act of you acting in a root account opens up your entire system to an attack. Once in, changing the mode on any file from read only is a relatively trivial exercise.

Please, don't get me wrong. I have nothing against Puppy Linux, nor do I believe that an attack against you or anyone else running Puppy is imminent. My whole point is that if you are going to run a Linux system, and I love running Linux, give yourself the best possible experience while still using the best OS in the world.

kirk
Posts: 1553
Joined: Fri 11 Nov 2005, 19:04
Location: florida

#100 Post by kirk »

That's true. However, the simple act of you acting in a root account opens up your entire system to an attack. Once in, changing the mode on any file from read only is a relatively trivial exercise.
No, it's not possible to change the files in a squashfs file system from read-only. Wish it was. Can you download and install software that erases files? Yes. But in multi-user distros, people download and install software as their own user, which could erase user files (the only really important files). Or they can sudo or su to root, which must be done for lots of software, which could erase system files (easily fixed in Puppy, not so with others). As far as other ways to open "your entire system to an attack" when using Puppy, other than installing software, I'm not aware of any.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#101 Post by SirDuncan »

jglen490 wrote:That's true. However, the simple act of you acting in a root account opens up your entire system to an attack. Once in, changing the mode on any file from read only is a relatively trivial exercise.
Root doesn't need to change the file permissions. As root, you can just delete everything regardless of permissions. On a *nix system, root is omnipotent.

Still, as I pointed out, it is also trivial for a non-root user to gain root power with sudo. If Puppy ever goes multi-user, I hope that Barry will exclude that command.

However, I think what Kirk and others have referred to is that the CD is read-only and not even root can delete its contents. Many people run from the CD in some way (multi-session, save file on the HD or flash drive), so they have no worries about their system files.

Even if you are running with a HD install, you don't have to worry about it unless you did a full HD install. On a frugal install, if the baddies delete your system files it's not a big deal. You just have to restore 4 files and maybe GRUB. This takes a few minutes. Then restore the backup of your save file (you are making backups, right?). You may have lost some data, but you probably didn't lose too much if you make frequent backups.

A full HD install is a bit trickier. Backups are more difficult, and the file system is spread across hundreds of files. You've lost all of the ease in system restoration and not gained any security.
jglen490 wrote:It has everything to do with strong passwords
Exactly. Regardless of whether you run as root or as jimmybob16, the most important protection is a strong password.

Kirk posted while I was writing this. Kirk, you are correct that the files inside of the squashfile cannot be individually tampered with, but you can delete the whole squashfile if you are not running from CD.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

jglen490
Posts: 9
Joined: Sun 09 Mar 2008, 18:25

#102 Post by jglen490 »

Part of the alleged "fun" of hacking into someone's system is not complete destruction, but rather control in such a way that a) the owner of the system is unaware and b) the controller can use the one platform to gain control of more platforms.

Never say never. If something can be originally written to a squashfs, it can be re-written. It's technology, not magic. I wouldn't be as concerned about what is on the CD; as you say, if files are on a CD-R, not even root can alter them. Once they are in memory, that's another story, plus Puppy can write certain files to disk for permanent use even in a frugal install or a memory-only install. So be careful what you download and what you save/keep, and monitor what ends up as saved.

Again, I have no ill-will towards the concept of Puppy Linux, the creator of Puppy Linux, or any Puppy Linux user. The myth of infallibility, is just that - a myth. The risk may be different in some use cases, but that's all.

Applying good security practices including strong password usage (with or without the use of sudo), will serve you better than anything else, including reliance on the good will of others when you are on-line.

kirk
Posts: 1553
Joined: Fri 11 Nov 2005, 19:04
Location: florida

#103 Post by kirk »

I don't think it's reasonable to add the extra aggravation to run as a non-root user because your system may be compromised by some inconceivable attack. Especially since Puppy is so absurdly easy to fix. If I applied the same logic to the rest of my life I'd have to live in a bio-bubble inside a bomb shelter.

Again, unless you install malicious software, you won't have a problem. People who install malicious software do so thinking it's safe. So if they run a multi-user system and the software package says you must be root to install, the user will su to root to install it. The myth that a multi-user installation protects you from malware is just that - a myth. Unless you don't know the root password. Multi-user systems are great when you actually have multiple people using it.

So far the reasons I've seen for running as non-root are:

* It gives me protection from the unknown for unknown reasons.
* It makes the hapless type sudo before screwing up their system

Edit: Just read Pizza's post on the previous page, totally agree and I have to add one more reason to my list:

* Avoiding becoming a zombie :lol: :lol:

I guess I'm done with this thread.

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#104 Post by nipper »

My next door neighbours do not lock the front door of their house when they leave, either for the day or for a two week vacation.

They can't think of a reason to lock it. Does it follow logically that there is no valid reason?

In over 10 years they have not had anything stolen. Does it follow logically from that that they never will?

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#105 Post by 8Geee »

Sir Duncan:
If by that you mean "can you change the root user name or password?", the answer is, yes you can change the password. I don't know if you can change the user name. It would be a good idea, though. Changing the name may cause some problems with scripts and such, but it is good security practice.
That will cause me to edit my former post, and render Puppy and derivatives as most acceptable. Being the ex-Win user, I can toss the old desktop into the recycler. I knew someone got the root secured; it certainly isn't the default OS in the Eee.

Many thanks

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#106 Post by oblivious »

nipper, I think your analogy with household security is a good one. The way I see it is this - you should lock your house, you should insure its contents, you should have security screens/window locks, have someone collect your mail if you go away, etc. And if all you have is a black&white tv on a milkcrate, perhaps not even that....

But you do not need 24-hour patrols by armed guards with dogs, a set of monitored security cameras, direct panic button access to the cops, etc. I consider much of the security measures promoted in linux are analogous to the security measures needed for a vital commercial service, not for a home computer with dog photos and recipes. I would find it annoying having to enter a 16-digit security code and call into base to get into my house and some of the security measures are similarly annoying to me.
Part of the alleged "fun" of hacking into someone's system is not complete destruction, but rather control in such a way that a) the owner of the system is unaware and b) the controller can use the one platform to gain control of more platforms.
Yes, they could make your computer a zombie. How is hiding "zombieness" achieved? How can such access be hidden? If you get made a zombie, can't you see that your processor is working away, sending stuff? Or your modem flashing away? How is it hidden?

There are different aspects to security and they are all bundled up and discussed as if they are one thing. For example - In a business, your system files are important, even a day without the system can be a nightmare - so you need to keep users away from them so they can't crash the system. Root/user is essential. It may also be essential where you've got dopey kids on a home system. But it may not matter at all when you've got a single user home computer with an easily reinstalled system.

Data files - protection in a business is essential. Loss/corruption catastrophic. Home system - it depends what you've got on the computer. Root/user and file access permissions are more important for important data.

Hacker/zombie issues - these should be of concern for all systems, but how does root/user come into it? Can a hacker do nothing from a user account? How are processes hidden? How does a hacker get into a system connected by a router which is "fully stealthed"? What happens next? If a user downloads a file with something "dodgy" in it, how is the system compromised (if at all?) Is it only of concern if a root user downloads a dodgy file? How do you detect dodgy files?

There are different aspects and I don't find the "you must never run as root!" admonitions particularly useful in understanding exactly what's being talked about and what the specific risk avoided is in each case.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#107 Post by Pizzasgood »

A limited user can be almost as good of a zombie as the root user. Not being root would be a slight inconvenience, but for most systems it wouldn't be a show stopper. To stop this, you would have to severely limit the limited user. Probably the best would be if there's a way to prevent a limited user from making his own files executable and to prevent him from preserving the executable bit of an extracted file. I don't know if there's an easy way to do that. I think partitions can be mounted with a "noexec" flag that prevents anything on them from being executable, so if you confine the user to such a partition and ensure that they have no write permissions on any other partition, then I think that would be pretty secure (assuming there are no holes letting the user increase his permissions). The user would be unable to download and run any code. That would make the biggest remaining holes the root password and any buggy apps. Or if the user was a complete dunce and copy-pastes an entire program into the console.

If you were a really good hacker, you could replace the network and CPU monitoring tools with tweaked versions that would not show your processes or CPU cycles. Then if you carefully craft your code to not run the processor very hard and to only send data when other data is being sent also, you could make it much harder for an unsuspecting victim to notice you. I don't know how practical this would be, but AFAIK it's entirely possible.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
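Pizzasgood's idea above, confining a limited user to a partition mounted noexec and giving that user no write access anywhere else, is something you can check for rather than assume. The script below is an added example, not code from the thread or from Puppy: it parses /proc/mounts-style lines and flags every writable mount under a user-writable area that is missing noexec, nosuid or nodev. The sample mount table is constructed, and the list of "user-writable" prefixes is an assumption you should adjust to your own layout.

```python
"""Audit mount options on user-writable filesystems (added example).

Parses lines in /proc/mounts format:
    device mountpoint fstype options dump pass
and reports writable mounts, in areas where an ordinary user can write,
that lack the noexec/nosuid/nodev hardening options.
"""
import os
import re

# Options that keep a user-writable filesystem from being a launch pad.
HARDENING = ("noexec", "nosuid", "nodev")

# Assumed user-writable areas; adjust for your own system.
USER_WRITABLE_PREFIXES = ("/home", "/tmp", "/var/tmp", "/mnt", "/media")

# Constructed sample: one hardened tmpfs, one hardened USB stick, a bare
# /home, a read-only squashfs layer, and a mountpoint containing a space
# (which /proc/mounts encodes as the octal escape \040).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /initrd/pup_ro2 squashfs ro,relatime 0 0
/dev/sdc1 /media/My\\040Disk vfat rw,relatime 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """Decode the \\ooo escapes the kernel uses for spaces, tabs, etc."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return a list of dicts, one per mount line, with options as a set."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, opts = parts[:4]
        mounts.append({
            "device": _unescape(device),
            "mountpoint": _unescape(mountpoint),
            "fstype": fstype,
            "options": set(opts.split(",")),
        })
    return mounts


def _under(path, prefix):
    """True if path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit_mounts(mounts, prefixes=USER_WRITABLE_PREFIXES):
    """Return {mountpoint: [missing hardening options]}.

    Read-only mounts are skipped: a user cannot drop a binary on them at
    all. Mounts outside the user-writable prefixes are skipped too, which
    is why the check only helps when /home (and friends) are separate
    mounts rather than directories on the root filesystem.
    """
    findings = {}
    for m in mounts:
        if "ro" in m["options"]:
            continue
        if not any(_under(m["mountpoint"], p) for p in prefixes):
            continue
        missing = [o for o in HARDENING if o not in m["options"]]
        if missing:
            findings[m["mountpoint"]] = missing
    return findings


def audit_live():
    """Audit the running system if /proc/mounts exists, else the sample."""
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            return audit_mounts(parse_mounts(f.read()))
    return audit_mounts(parse_mounts(SAMPLE_MOUNTS))


if __name__ == "__main__":
    for mountpoint, missing in sorted(audit_live().items()):
        print("%s: missing %s" % (mountpoint, ",".join(missing)))
```

On the constructed sample, /home and "/media/My Disk" are reported as missing all three options, /tmp and /mnt/usb pass, and the squashfs layer is ignored because it is read-only. Two caveats a practitioner should keep in mind: noexec stops the kernel from executing a file directly, but it does not stop `sh script.sh` or `python script.py`, so interpreters still run whatever the user downloaded; and if /home is just a directory on the root filesystem, there is no separate mount to harden, which is exactly why Pizzasgood's scheme needs its own partition.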

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#108 Post by nipper »

Pizzasgood wrote:A limited user can be almost as good of a zombie as the root user.
Consider that one more time, slowly. In the "big" distros "limited" means limited, a limited zombie doesn't have necessary permissions to run a mail relay (to distribute spam, etc) or to change system configuration files or a lot of the important binaries. A limited zombie would be, well, limited and thus less of a threat to any but the users own files.
Pizzasgood wrote:Not being root would be a slight inconvenience, but for most systems it wouldn't be a show stopper. To stop this, you would have to severely limit the limited user.
*Most* systems, or only those which give the normal user admin rights? Until the *buntus, etc showed up a "severely" (your term) limited user was the norm, it still is except for the so called newbie-friendly distros.
Pizzasgood wrote:Probably the best would be if there's a way to prevent a limited user from making his own files executable and to prevent him from preserving the executable bit of an extracted file. I don't know if there's an easy way to do that. I think partitions can be mounted with a "noexec" flag that prevents anything on them from being executable, so if you confine the user to such a partition and ensure that they have no write permissions on any other partition, then I think that would be pretty secure (assuming there are no holes letting the user increase his permissions).
What you are describing can be done for individual files and directories, no matter which partition they are on and in the secure multiuser-distros the only place the user can write is in their own home directory. You have the concept absolutely correct.
Pizzasgood wrote:If you were a really good hacker, you could replace the network and CPU monitoring tools with tweaked versions that would not show your processes or CPU cycles. Then if you carefully craft your code to not run the processor very hard and to only send data when other data is being sent also, you could make it much harder for an unsuspecting victim to notice you. I don't know how practical this would be, but AFAIK it's entirely possible.
One doesn't even have to be that good, scripts exist that do the heavy lifting. Something you haven't mentioned, crackers also modify logging to hide their presence, sometimes just delete logs. Change the binaries for tools like rootkithunter, and chkrootkit so they show a clean run, etc.
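Two earlier points converge here: SirDuncan notes that even though the files inside the squashfile cannot be individually tampered with, the whole squashfile (and the handful of files a frugal install boots from) can be deleted or replaced, and nipper notes that an attacker with root will trojan the very tools (chkrootkit, rkhunter, the logs) you would use to notice. The usual answer to both is a hash manifest of the files you care about, checked from media the attacker could not write to. The script below is an added example, not Puppy's own tooling or anything from the thread; the file names "vmlinuz", "initrd.gz" and "puppy.sfs" are placeholders for whatever your install actually boots from, and the whole scenario runs in a temporary directory with constructed contents.

```python
"""Hash-manifest integrity check for a small set of system files.

Added example. Builds a SHA-256 manifest of the files a frugal install
boots from (names below are placeholders), then verifies the directory
against it and reports missing, modified and unexpected files.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large .sfs files fit


def sha256_file(path):
    """Hex SHA-256 of a file, streamed rather than read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names):
    """Return {file name: sha256} for the listed files under root."""
    return {n: sha256_file(os.path.join(root, n)) for n in names}


def verify_manifest(root, manifest):
    """Compare the files under root with a manifest built earlier.

    Returns {'missing': [...], 'modified': [...], 'unexpected': [...]}:
    listed files that are gone, listed files whose hash changed, and
    files present on disk that the manifest never mentioned.
    """
    report = {"missing": [], "modified": [], "unexpected": []}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
    for name in os.listdir(root):
        if name not in manifest and os.path.isfile(os.path.join(root, name)):
            report["unexpected"].append(name)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: clean baseline, then tamper, then re-verify."""
    names = ["vmlinuz", "initrd.gz", "puppy.sfs"]  # assumed placeholder names
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            with open(os.path.join(root, n), "wb") as f:
                f.write(b"constructed contents of " + n.encode())
        manifest = build_manifest(root, names)
        clean = verify_manifest(root, manifest)

        # Simulate what root-level malware could do to a frugal install:
        # append to the squashfile, delete the initrd, drop in an extra .sfs
        with open(os.path.join(root, "puppy.sfs"), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(root, "initrd.gz"))
        with open(os.path.join(root, "extra.sfs"), "wb") as f:
            f.write(b"not in the manifest")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:   ", clean)
    print("tampered:", tampered)
```

The check is only as trustworthy as the place the manifest and the checker live. If both sit on the same writable save file as the system they are checking, an attacker who is already root can rehash after tampering and the report stays clean, which is the same trick nipper describes for chkrootkit. Keep the manifest (and ideally the script) on the boot CD or another medium the running system cannot write, and run the check from there.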

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#109 Post by Pizzasgood »

I admit I don't know a whole lot about true multi-user systems and I might be missing something. I let my mouth get ahead of my mind in that last post and started talking like I know more than I do. Sorry. For me, any user limited enough to be "safe" is too limited for my needs, so I may tend to underestimate how limited they really are. (I had no idea about sudo until recently though; I always thought it was analogous to 'su -c <cmnd>')

Does a limited user have permission to send data over the network? If so, to my thinking that user can be a zombie. Maybe it can't run a mail server, but I imagine it could still participate in a DOS attack. If it can phone home, it can also be a data collector. Another possibility is that it could try to crack into yet another machine, possibly one with less security.

Of course, I could be wrong. It could be that the user can only run a very small number of network applications, such as a browser, mail client, and wget. But even wget would let a zombie eat somebody's bandwidth.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

nipper
Posts: 150
Joined: Sat 22 Mar 2008, 16:08

#110 Post by nipper »

Actually, Pizzasgood, it seems to me that you are thinking a lot about this and that can trump whatever lack of knowledge because you will ultimately increase the knowledge.

Re multi-user distros: Lots of the binaries are owned by root and can only be executed by root.

I understand what you mean about being too limited, for that case you can use the groups to which a user belongs to allow "extended" privileges for that user. i.e. being a member of the admin group.

One useful part about limited users is that, even if the userspace gets compromised, the system is still OK. Root can log on to the system and eliminate that username and all associated files (they are in the user's home dir anyway). Even if it could "phone home" it could only "collect" data about that user; it can't read any other user's files (unless configured that way), nor could a user run a keylogger on another user's input.

Accounting, with a multi-user system it can be easier to know just who did what, this can be useful for training or discipline, as appropriate.

In the type of system we are currently discussing the system administrator has a great deal of freedom configuring what an individual user can do, you could even stop the user from being able to configure their own desktop if that was deemed necessary. It would be possible to restrict network access and/or anything else. However, you are correct, there is no guarantee that nothing bad can happen when people are allowed Internet access.

Since sudo is new to you, you might also want to have a look at sux.
