How to surf as user fido

FossLab
Posts: 14
Joined: Tue 05 Jan 2016, 00:07

How to surf as user fido

#1 Post by FossLab »

Surfing As fido

How To Surf As Any Non-root User in Puppy-Slacko-6.3.0

The following steps outline a procedure for how to surf as user fido
starting from the Puppy-Slacko-6.3.0 CD/DVD (32 bit version -
the 64 bit or any Puppy-Tahr versions have not yet been tested)

This procedure is a drop-down process (system starts normally with root auto-login) whereby there is no traditional login as fido as used in many Linux systems.

The procedure was designed to work around the login/initialize scripts like /usr/bin/xwin

Modifying these files to permit auto-login as say fido could represent a formidable challenge that would have to be modified with each new system release.


The entire 10 steps must be completed as user root.

It is not recommended to try any of these steps on a production machine/environment.

Recommendation: Boot using CD only (with no hard drive connected) or boot from inside a virtual machine using Puppy-Slacko-6.3.0 iso file.

As well, the process assumes that the reader has well-beyond-newbie knowledge of a Linux system and is well acquainted with system management.

If any step is not crystal clear then perhaps the reader should do more research before trying anything suggested here.

The user fido is being used in this procedure since the groups for fido have already been set up, thus leaving one less step to document.

In theory, any user account (like rover or ralph) could be created.


This entire procedure is essentially an experiment as a proof of concept that a non-root user in Puppy Linux is possible.

It is hoped that some experienced users will take an interest in this idea and will then make some suggestions to improve the permissions so that more applications work as expected.

Some applications do not work as expected when logged in as user fido.

Suspect there are a few scripts where logic like
if [ "$(whoami)" != "root" ] ...
has never been properly tested.


Surfing As fido Steps 1 and 2

#2 Post by FossLab »

Step 1 Start the computer using the Puppy-Slacko-6.3.0 CD/DVD

This would be a good time to copy any extra script files from hard drive or usb.
Customize the desktop as normal.


Step 2 Connect to the internet (if not done automatically) and setup the firewall.

Use the Puppy Package Manager (select Slackware 14.1 as source) and install sudo-1.8.12


Surfing As fido Step 3

#3 Post by FossLab »

Step 3 Manually edit the file /etc/group (using geany, nano, vi, etc.)

***** Do not try this step in a production environment! *****


This step assumes that the reader fully understands the /etc/group file format and the implications of manually editing this file.

Manually editing the file is a very quick and dirty way to make changes for a test in an environment that will probably be discarded anyway.

Readers are free to make the changes any way they feel is suitable and safe.

This step just mentions the changes that must be made.


As released (in Puppy-Slacko-6.3.0) this file has the following inconsistencies:
there are two tty groups; the first one has group ID 2, the second has group ID 109
the bin group also has an ID of 2

Try the following steps (in order)

Change group ID of bin group to 3,
delete the first tty group with ID 2,
change the group ID of the second tty group from 109 to 2.

During a previous re-master operation it was found that some /dev/files in the remastered directory were owned by group 109.

The /etc/fstab options for devpts include mounting with gid=2.
User fido (or any non-root user) will not be able to open any urxvt windows if the permissions in /dev are not consistent.


As well in /etc/group

Removing any inconsistencies in /etc/group should make for easier modifications later on.

While editing the /etc/group file, might as well add a wheel group with group id of 4 and add root to that group.

After editing /etc/group it is advisable to check all items in /dev to ensure that no file/directories have unknown groups (i.e. a number not found in /etc/group)


#4 Post by FossLab »

Step 4 Manually edit the /etc/passwd file

***** Do not try this step in a production environment! *****

This step assumes that the reader fully understands the /etc/passwd file format and the implications of manually editing this file.

Manually editing the file is a very quick and dirty way to make changes for a test in an environment that will probably be discarded anyway.

Readers are free to make the changes any way they feel is suitable and safe.

This step just mentions the changes that must be made.

Many of the functions like adduser go through busybox and these functions do not seem to be as robust as similar utilities on other systems.

At this point since fido has no home directory, deleting user fido and then recreating fido might be better (but not as fast)
Proceed at your own risk.


Change the home directory for user fido from /root to /home/fido

There are also some inconsistencies in the /etc/passwd file

User man has user ID 65534 & group ID 65534 and
user nobody has user ID 65534 & group ID 65534

From /etc/group, user nobody has group ID 65534

Suggest changing the user ID of man to 65533 (leaving man in group 65534 might be OK for now but it is not known why these two user accounts were setup this way).
Proceed at your own risk.

At this point it is highly recommended to change the password for fido (might be needed later)
Anyone re-mastering a sfs file or a CD should keep in mind that passwords are stored in /etc/shadow.

It might be a good idea to copy the modified files /etc/passwd and /etc/group to a storage medium like a usb flash drive in case this entire procedure needs to be repeated for whatever reason.


#5 Post by FossLab »

Step 5 [Optional] Modify permissions for /bin/busybox

Readers who wish to be able to $(su root) as fido from any urxvt window may have to
chmod 4755 /bin/busybox # change setuid bit

However, readers must appreciate that doing so may open some security holes.

If using this step then readers are highly recommended to create the file /etc/busybox.conf
The file format is similar to the following example

[SUID]
su = ss- root.users
deluser = ss- root.root
# Add more lines to lock down apps like delgroup

For this example, fido is part of the users group so fido should be given permission to run su.

Ideally a special group, like sugrp, should be created for users who can su.

The root password would still be required to run $(su root).

There are at least 10 other utilities that are processed by busybox that should be given root-only access.

It would be far better practice to figure out all the permissions necessary for ordinary users to use the system normally so that su access would not be required.


#6 Post by FossLab »

Step 6 Create a home directory for fido

Start by $(mkdir -p /home; cp -R /root /home/fido)

Some files (like anything spot related) should be deleted.

The links in /home/fido/.jwm/root_menus must be modified (should be obvious where the links point)

In /home/fido/.jwmrc change all occurrences of /root/ to $HOME/ (ensure it is $HOME/ and not /home/fido/ so the directory can be used as a template for adding other users).

In /home/fido/.xinitrc change all occurrences of /root/ to $HOME/ (ensure it is $HOME/ and not /home/fido/ so the directory can be used as a template for adding other users).

Any mozilla-based browser will want to create the directory $HOME/.mozilla so using /root will not work properly (would not recommend opening up permissions on /root).

The modified /home/fido directory turned out to be less than 1024K in size (before fido login) so not really a big deal.

After login, /home/fido (with browser setup files) used something like 30 MB, still not unreasonable.

Note: Presently finalizing a script file to automatically copy /root to /home/fido (details later)


#7 Post by FossLab »

Step 7 Modify permissions in /dev

The following commands are required so fido can open urxvt windows

chmod 755 /dev/pts 2>/dev/null
chgrp tty /dev/ptmx


#8 Post by FossLab »

Step 8 Create a file that fido uses to start X/JWM

The file name /tmp/runx is suggested

The following commands might help

echo '#!/bin/bash' > /tmp/runx
echo $(ps -o cmd -C xinit | tail -1) >> /tmp/runx
# change /root/ to $HOME/ (not /home/fido) in /tmp/runx
chmod 755 /tmp/runx

The command root used to start X is now stored in /tmp/runx

Since root has already gone through the process of login and setup of all files required for X/JWM, the file /tmp/runx permits fido to start X without running through the xwin set of files which require root permission to run properly.
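
One way to script the /root/ to $HOME/ rewrite used in steps 6 and 8, as an added example that is not the script the author mentions. The helper names and the sample xinit command line are hypothetical; the real command line comes from ps on the running system.

```shell
#!/bin/sh
# Added example: rewrite root's paths for reuse by a non-root user.

# rehome: filter stdin to stdout, replacing /root/ with the literal text
# $HOME/ only where /root/ starts a path. Strings such as /mnt/root/ are
# left alone; a plain s#/root/#$HOME/#g would turn them into /mnt$HOME/.
rehome() {
    sed -E 's#(^|[^[:alnum:]_./-])/root/#\1$HOME/#g'
}

# rehome_file FILE: apply rehome to FILE in place, keeping FILE.orig
# (for example /home/fido/.jwmrc and /home/fido/.xinitrc).
rehome_file() {
    cp -p "$1" "$1.orig" && rehome < "$1.orig" > "$1"
}

# make_runx CMDLINE OUTFILE: write the launcher from step 8 with the
# command line already rewritten, then make it executable.
make_runx() {
    { echo '#!/bin/bash'; printf '%s\n' "$1" | rehome; } > "$2" &&
    chmod 755 "$2"
}

# root_refs FILE: count the lines that still use /root/ as a path start.
root_refs() {
    grep -cE '(^|[^[:alnum:]_./-])/root/' "$1" || :
}

# Constructed sample command line (not taken from a real Puppy system).
# On the live system use: make_runx "$(ps -o cmd -C xinit | tail -1)" /tmp/runx
SAMPLE_CMD='xinit /root/.xinitrc -- -br -nolisten tcp'
printf '%s\n' "$SAMPLE_CMD" | rehome
```

Because $HOME is written literally, it is expanded only when fido runs the file, so the same output works for any other user's copy.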


#9 Post by FossLab »

Step 9 Exit to command line

Now run the command

su -l fido # switch to fido with login shell


#10 Post by FossLab »

Step 10 Start JWM (as fido)

whoami # First ensure logged in as fido

/tmp/runx # to start X/JWM


This idea bypasses a traditional login procedure.
If the xwin set of files are modified in the future then perhaps this procedure might require little or no change.


Now some applications do not work as expected.
Reboot/shutdown result in exit to command line (fido can run reboot or poweroff from command line)

Three of the five tray dock apps do not work as expected.

The internet connection can be disabled (asks for fido password) and then reconnected (without password)
but for the most part /usr/bin/netmon_wce wants root permission

/usr/bin/firewallstatus will not turn the shield icon from shield_no.svg (red) to shield_yes.svg (green) even though the firewall is active.

firewallstatus may be checking if [ $(iptables -L | wc -l) -gt 10 ] to determine if the firewall is active.
User fido does not have access to iptables nor is it generally a good idea to do so.

A custom helper application might be required (but more research is required).

/usr/bin/parcellite (clipboard) wants root permission.

DVD/CDs and usb flash drives can be mounted with pmount (click on mount icon on desktop). It should prompt for a password but does not. Perhaps it's another app that has not been fully tested since a non-root user might not have been available for testing.


The good news: a mozilla based browser can be setup (with addons) and can surf the internet (tested with youtube by watching a video about Puppy Linux).

Posting this information as user fido in X/JWM from Puppy-Slacko-6.3.0

Have not tried to install flash (which must be done as root)


If readers wish to go back to root JWM then
exit to command line
type exit to end the $(su -l fido) process
(verify with whoami - should be root now)
type xwin to start X/JWM again

Since going back and forth between root and fido is fairly easy, readers may wish to skip step 5 (setuid for /bin/busybox)


#11 Post by FossLab »

Extra Thoughts

This procedure is rather rough and may be difficult to follow but instead of waiting for user-friendly script files and documentation to be produced, a decision was made to release the raw ideas so that experienced users could start testing the process of using X/JWM as a non-root user.

Hopefully no important steps were missed in the haste to release the procedure.

Perhaps if developers could have an easier way to setup regular users, some of the system script files could be tested and maybe fixed in future releases.

From a developer's perspective, it would not be unreasonable to ask users/volunteers to test as fido to see if solutions could be found for permission problems.

If only a few people are interested in surfing as fido then one might ask why the developers should spend extra time on features people use.

Please do not ask developers to get fido working in the next release until reliable/solid solutions for all the missing permission problems can be found. This procedure is experimental and needs extensive testing. Use at your own risk.

Right now this procedure is just something for people to experiment with and maybe develop solutions to make the overall process more robust.

The learning process was long and difficult (for someone new to the Puppy system files).

Overall, the effort was worthwhile as being able to run X/JWM as a non-root user opens possibilities for the future.

It would be nice if some issues could be resolved so that the root user exits to the command line and then logs out and then the regular user logs in and starts X/JWM. This way a computer could be shared by say a family with young kids who would not need to login as root.

The amount of shell script in these posts is not that much. Interested readers can copy/paste to make their own script files to automate the setup process.

It took longer to find solutions and document the process than to write the bash script.

This procedure represents baby steps in comparison to the amount of work that goes into each new Puppy Linux release.

Hopefully users can appreciate how much work is involved in maintaining/releasing Puppy Linux.


#12 Post by FossLab »

Sorry for the typos but too tired right now to go back and edit previous posts.

It would be nice if some people could try the procedure and report back with any findings. There are many little things to do and it's easy to miss one item.

It took me at least two runs from booting with the Slacko CD to get everything documented as even with the complete list I missed a few steps and had to go back.

There is still much work to be done before the Surfing as fido issue is resolved. The smaller problems seem to take longer to solve than the bigger proof-of-concept issues.

Extensive testing has not been completed, only proof of concept.
