Posted: Sat 23 Apr 2011, 12:36
by Jasper
Hi.

Yesterday I raised a query about add-ons and bookmarks (finally, I "cheated" by reinstalling those I wanted).

However,

if I click my desktop browsesafe icon it loads Firefox, but if I open my console on top of Firefox and then execute "whoami" the answer is always "root" (never "spot" as it presumably should be).

My regards

Addendum and correction:

rcrsn51 in a later post in this thread has kindly explained that Firefox, in this particular case, is actually running as user spot.

01micko has kindly explained in a later post in this thread that the code to use in this particular case is "ps|grep firefox" not "whoami".

--------------------------
However (as now underlined above was originally in large text and was followed in large bold text by the word "disturbingly"). This is now amended since all worked as was intended and nothing was "disturbing" except my faulty understanding.

Posted: Sat 23 Apr 2011, 12:44
by nooby
Jasper you know computers much better than I do so if the following is totally out on the limb take it with a broad smile.

I only try to be logical and that usually fails when I do it.

On top of Firefox. My poor logic says you need to move .mozilla within the Spot directory and start it up there and then as you say on top open a terminal within spot and then ask who am I and it will say Spot :)

I am wrong most likely but that was what my confused brain came up with :)

Posted: Sat 23 Apr 2011, 12:54
by rcrsn51
Jasper wrote: However, disturbingly
Not at all. You are only the user spot in the temporary environment that is running Firefox. Outside of that, you are still root.

This is not like Ubuntu where you can log in as a completely new user.

While you are running your spot-Firefox, download a file and try to save it to /mnt/home or /bin. What happens?

Posted: Sat 23 Apr 2011, 13:06
by Jasper
Hi rcrsn51,

Thank you very much for your encouraging explanation.

My regards

Posted: Sat 23 Apr 2011, 13:15
by rcrsn51
rcrsn51 wrote: While you are running your spot-Firefox, download a file and try to save it to /mnt/home or /bin. What happens?
What happened?

Posted: Sat 23 Apr 2011, 13:20
by nooby
And Rcrsn51 can you explain better. Does it mean there is no added security or was this your way to assure that it is safer to run as spot then? I fail to be sure what you say to Jasper.

I agree that it is as you say I only fail to get the implications of that fact.

Posted: Sat 23 Apr 2011, 13:22
by nooby
rcrsn51 wrote:
rcrsn51 wrote: While you are running your spot-Firefox, download a file and try to save it to /mnt/home or /bin. What happens?
What happened?
As I remember it can only be saved within spot and then I need to start up Rox as root for to get access to it and move it elsewhere.
I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)


As I wrote I have tested with other pic and what happened was that I failed to place it outside of Spot. So that is something I like but others say it does not help much due to the criminals know all the tricks something.

But I find it likely it is a bit safer so okay I will wait for Jasper's answer then :)

Posted: Sat 23 Apr 2011, 13:29
by rcrsn51
nooby wrote: And RC can you explain better
Not until Jasper answers my question above. With all due respect, talk is cheap. The only way to resolve issues is with actual physical testing.

Have you tried my suggestion yet?

1. Run a browser as spot.

2. Download this file. DON'T install it!

3. Try to save it to /mnt/home or /bin. What happens?

Posted: Sat 23 Apr 2011, 13:37
by rcrsn51
nooby wrote: I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)
Exactly. That's because the user spot does not have write permission on /mnt/home. Similarly, a piece of malware could not install itself into a system folder like /bin. However, it could still destroy all your personal files in spot.

Clearly, you don't want to save lots of files in spot because it fills up your savefile. So go to /mnt/home and make a folder called "spot-download". Give its ownership to spot

Code:

chown spot:spot /mnt/home/spot-download
Now you have a better place to download files. Of course, this folder is now theoretically vulnerable to attack.

You could also symlink spot's .mozilla profile into this area because spot has the correct permissions to use it. Or for that matter, you could delete the current spot user and create a new one whose home directory was a subfolder of /mnt/home. I haven't tested this yet.

Posted: Sat 23 Apr 2011, 13:38
by 01micko
To test if you are browsing as spot run this:

Code:

ps|grep firefox
(replace firefox with seamonkey if required)
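
Why "whoami" in a separate console answers root while the browser runs as spot: every process carries its own user ID, and the console is a different process from the browser. The following is an added example, not code from the thread; it reads each matching process's effective UID from /proc, the helper names proc_euid and proc_users are made up for illustration, and it assumes a Linux /proc file system.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Linux /proc file system.

# proc_euid PID -> print the effective UID of that process
proc_euid() {
    awk '/^Uid:/ {print $3; exit}' "/proc/$1/status" 2>/dev/null
}

# proc_users NAME -> print "PID USER COMMAND" for every process whose
# command name contains NAME (the kernel truncates names to 15 characters)
proc_users() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # A process can exit while we scan, so skip unreadable entries
        comm=$(awk '/^Name:/ {print $2; exit}' "$d/status" 2>/dev/null) || continue
        case $comm in
            *"$1"*) ;;
            *) continue ;;
        esac
        euid=$(proc_euid "$pid") || continue
        [ -n "$euid" ] || continue
        # Map the numeric UID to a name; fall back to the number
        user=$(awk -F: -v u="$euid" '$3 == u {print $1; exit}' /etc/passwd) || user=
        printf '%s %s %s\n' "$pid" "${user:-$euid}" "$comm"
    done
    return 0
}

# Stand-alone use: sh procuser.sh firefox
if [ $# -ge 1 ]; then
    echo "this shell runs as: $(id -un)"
    proc_users "$1"
fi
```

The first line of output is what whoami would report for the console; the remaining lines show the owner of each browser process, which is the value that matters here.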

Posted: Sat 23 Apr 2011, 13:40
by Luluc
rcrsn51 wrote: 1. Run a browser as spot.

2. Download this file. DON'T install it!

3. Try to save it to /mnt/home or /bin. What happens?
"Data File Host
Accessing directly the download link doesn't work. The download only starts if you click from the download page."
It's what the page says! :lol: :lol: :lol:
nooby wrote: As I remember it can only be saved within spot and then I need to start up Rox as root for to get access to it and move it elsewhere.
I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)
You still can save files inside /mnt/home. Do it like this:

Create a new directory:

Code:

# mkdir -p /mnt/home/spotfiles
Make spot the owner of that directory:

Code:

# chown -R spot:spot /mnt/home/spotfiles
Now you can download files with the browser, browse to /mnt/home/spotfiles and save the files there when prompted for a download location.

Posted: Sat 23 Apr 2011, 13:48
by nooby
Thanks rcrsn51, Micko, Luluc all of you

My question is:
I have saved the following text and promised myself to test it out but I am so afraid of failure so I have postponed it the whole day. Can you guys confirm it is good advice. Apology to the author L18L that I failed to remember that you told me how to. :)

nooby wrote:
How does one change the password for spot and what does it have now?

Code:
# passwd spot
Changing password for spot
New password:
Retype password:
Password for spot changed by root
#

Code:
# cat /etc/passwd | grep spot

Cheers
spot since 10 minutes :D

Edited: but more important is to change root's password!
by simply typing in a console
Code:
passwd

Running FF as spot

It's not hard to run Firefox or SeaMonkey as Spot, I just demonstrated how in a different thread.
Boot puppy normally.
Open the terminal.
enter "su spot" (no quotes) at the prompt.
enter "firefox" (no quotes) next.
When it launches, Firefox will be running under user Spot.
Link to screenshot
http://www.murga-linux.com/puppy/viewto ... 399#511399

Note, starting from default browser icon you are root.
Dragging defaultbrowser.desktop to the desktop and then clicking that will start defaultbrowser as user spot.

Posted: Sat 23 Apr 2011, 14:00
by Jasper
Hi guys,

@ nooby - rcrsn51 is saying that I was actually running Firefox as spot (even though it seemed (to me) I was running as root).

@ rcrsn51 - I have now tried two downloads and so I can personally confirm what you already knew and advised.

It is rare (perhaps the first time) that I have used large and emboldened text - but I was worried for other users (though I did say "presumably" as I'm only too aware I'm not all-knowing).

So now, thanks to you, I have a hugely improved understanding and confidence that browsesafe works.

My big, big mistake was in thinking that "whoami" would return my Firefox status. My apology for that and, with hindsight, for raising my query so strongly.

@ 01micko - thank you also for your pet and your help.

My regards

Posted: Sat 23 Apr 2011, 14:04
by rcrsn51
Deleted. See my post three down from here.

Posted: Sat 23 Apr 2011, 14:06
by nooby
rcrsn51 thanks for that one. Most instructive. The problem is that I have deleted .mozilla from root and reuse an old .mozilla that I placed in mnt/home and it would fail to link to that one from this new dir you made.

One would need to do what? Copy over a copy of that old one into that dir then?

Ahh now I get it "browsesafe " is a script or pet that Micko has made?

Posted: Sat 23 Apr 2011, 14:12
by Jasper
Hi nooby,

Go to the opening item in this thread and install browsesafe-0.5.pet and choose the icon option during installation.

My regards

Posted: Sat 23 Apr 2011, 14:25
by rcrsn51
There are two problems that we are trying to resolve:

1. Run the web browser as an unprivileged user for security reasons.

2. Keep the browser's profile and any downloaded content outside of the user's savefile.

Try this. It assumes that your Puppy installation has a /mnt/home folder AND it is formatted with a Linux file system like ext.

Code:

adduser -h /mnt/home/bsafe bsafe
If you have a full install, use something like

Code:

adduser -h /mnt/sda1/bsafe bsafe
Then run your browser with

Code:

su -c YOURBROWSER bsafe
This will automatically create a .mozilla profile in the new home directory. No symlinking is required. The default download folder is in the bsafe user's home directory outside of the savefile.

Posted: Sat 23 Apr 2011, 14:26
by Luluc
nooby wrote: The problem is that I have deleted .mozilla from root and reuse an old .mozilla that I placed in mnt/home and it would fail to link to that one from this new dir you made.
What do you mean by "fail to link"?

Whenever you link something, remember that the link points to a file or directory that has its own permissions. In other words, if you just link /root/.mozilla to /root/spot/.mozilla, the second one is just a link, the permissions on the first one are still in force, and those do not allow spot to use /root/.mozilla. In such circumstances, Firefox will probably choke and panic when run as spot.

It's more feasible to do the opposite: move .mozilla from /root/ to /root/spot, then make spot the owner of /root/spot/.mozilla, then link /root/spot/.mozilla to /root/.mozilla. That way, when root runs Firefox, the config files will belong to spot, but root can still use them because root can do everything. However, if root creates any new file or directory there, it will be owned by root and forbidden for spot. So linking .mozilla is generally a bad idea, too prone to errors. Ideally, only run the browser as spot, never run it as root.

Posted: Sat 23 Apr 2011, 14:29
by nooby
Dead Ringer Band – Things Don't Come Easy to me by Kasey Chambers :)

Haha things don't come easy on this computer either
I did what rcrsn51 told me.

# deluser spot
# adduser -h /mnt/home/spot spot
Changing password for spot
New password:
Retype password:
Password for spot changed by root
# su -c defaultbrowser spot
su: can't chdir to home directory '/mnt/home/spot'

# # su -c defaultbrowser spot
# su: can't chdir to home directory '/mnt/home/spot'
>
> (firefox-bin:21952): libgnomevfs-WARNING **: Unable to create ~/.gnome2 directory: Permission denied
> Could not create per-user gnome configuration directory `/mnt/home/spot/.gnome2/': Permission denied

end of quote

Thanks Luluc.

Well I have the profile on mnt/home so I need then to move that one to spot.

Posted: Sat 23 Apr 2011, 14:38
by rcrsn51
nooby wrote: su: can't chdir to home directory '/mnt/home/spot'
Go to your /mnt/home folder. Is there a subfolder named 'spot'?

Check its ownership. Does it belong to user spot?
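
The two questions above (does the folder exist, and does it belong to the user) can be answered in one step before running "su -c YOURBROWSER USER". This is an added example, not code from the thread; check_home is a made-up helper name, it assumes a stat that supports -c, and it does not look at parent directories or at whether the file system stores Linux ownership at all.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the home
# directory of an unprivileged browser user. check_home is a made-up name.

# check_home USER_OR_UID DIR
# Prints one verdict on stdout:
#   ok | missing | wrong-owner | no-owner-access | unknown-user
check_home() {
    case $1 in
        *[!0-9]*|'') want=$(id -u "$1" 2>/dev/null) || { echo unknown-user; return 1; } ;;
        *) want=$1 ;;   # already a numeric UID
    esac
    dir=$2
    if [ ! -d "$dir" ]; then
        echo missing
        echo "hint: as root, create '$dir' and chown it to the user" >&2
        return 1
    fi
    owner=$(stat -c %u "$dir")   # numeric UID that owns DIR
    mode=$(stat -c %a "$dir")    # octal permission bits, e.g. 755
    if [ "$owner" != "$want" ]; then
        echo wrong-owner
        echo "hint: '$dir' belongs to UID $owner, not UID $want" >&2
        return 1
    fi
    # The owner digit must be 7 (rwx) so the user can enter the directory
    # and create files such as .mozilla inside it
    if [ $(( ($mode / 100) % 10 )) -ne 7 ]; then
        echo no-owner-access
        return 1
    fi
    echo ok
}

# Stand-alone use: sh check_home.sh spot /mnt/home/spot
if [ $# -eq 2 ]; then check_home "$1" "$2"; fi
```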