Run puppy as spot

For discussions about security.
Message
Author
noryb009
Posts: 634
Joined: Sat 20 Mar 2010, 22:28

Run puppy as spot

#1 Post by noryb009 »

Would it be possible to add something to puppy/woof that lets you run all of puppy (or at least X and a few other things) as spot via su? You would choose to use spot or not as either a kernel option, question when turning on, or something else. It would be a simple way to get a multiuser puppy running by editing 1/2 files, but I don't know if it would work, or how to edit the boot files to try it out.

Anyone know if this is possible?
Last edited by noryb009 on Tue 26 Apr 2011, 02:08, edited 1 time in total.
[url=https://github.com/noryb009/lick/releases/latest]LICK - Install Puppy Linux from Windows[/url]

User avatar
Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#2 Post by Luluc »

Puppy runs as root. It's by design. It's in the attitude. Get used to it.

noryb009
Posts: 634
Joined: Sat 20 Mar 2010, 22:28

#3 Post by noryb009 »

Puppy runs as root. It's by design.
Then let's redesign it.

Running as spot is what some people want. You may not want it, I might not want it, but some people do want it. Running as a unprivileged user is a feature, and more secure (fixes all puppy viruses I know about - 0) but does make it harder for people to be infected (especially with puppy's way of package management - google and download a random .pet).

Also, it would make reviewers give puppy more "points", making more people want to use it.
Last edited by noryb009 on Tue 26 Apr 2011, 02:08, edited 1 time in total.
[url=https://github.com/noryb009/lick/releases/latest]LICK - Install Puppy Linux from Windows[/url]

User avatar
Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#4 Post by Luluc »

Let's NOT redesign it. All the other 8,936 Linux distros in the world enforce this dumb idea that running as root is dangerous. Puppy is the smart one that refuses to endorse the dumbness. It's meant to be that way. Those who choose to repeat mindlessly over and over that running as root is dangerous (but have no idea why, they just keep repeating it) have all the other 8,936 knee-jerk distros to choose from.

noryb009
Posts: 634
Joined: Sat 20 Mar 2010, 22:28

#5 Post by noryb009 »

All the other 8,936 Linux distros in the world enforce this dumb idea that running as root is dangerous.
One of the reasons they don't want users to run as root is so that they don't delete /, but also for multiple users to be able to elevate to root and not get into somebody else's files.
Those who choose to repeat mindlessly over and over that running as root is dangerous (but have no idea why, they just keep repeating it)
And puppy users keep repeating it's not dangerous, even though it is (kind of). It's not dangerous because their is nothing to be afraid of. A lot of people who upload .pet files could easily add in a keylogger, spyware, or something else. And what is stopping them from doing it? For all we know, every package uploaded has a puppy virus! Let's not wait until the horse leaves the barn before we close the door.

Root is dangerous in certain cases, but downloading from a trusted source with a signature check makes it a lot less dangerous. Oops.
[url=https://github.com/noryb009/lick/releases/latest]LICK - Install Puppy Linux from Windows[/url]

User avatar
Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#6 Post by Bernie_by_the_Sea »

noryb009 wrote:Running as a unprivileged user is a feature, and more secure (fixes all puppy viruses I know about - 0) but does make it harder for people to be infected (especially with puppy's way of package management - google and download a random .pet).

Also, it would make reviewers give puppy more "points", making more people want to use it.
And how many people have been infected? Zero. Puppy has many package management methods but downloading random .pets is not the one recommended.

How many "points" does Puppy need? Are our sales figures dropping? Will dividends and bonuses be cut this year? Is Puppy's primary goal to become the most popular distro?

I run most distros as root. The first time I logged in as root in one the wallpaper came up with a huge skull and crossbones warning me of imminent danger. I ventured on past the crocodiles and radioactive pits with my Indiana Jones hat and whip. Guess what? I saw the Ark before I saw the Giant Virusaurus with his glistening fangs and pointed tail.
noryb009 wrote:For all we know, every package uploaded has a puppy virus!
That would be nice since no one has ever seen a Puppy virus.
Attachments
virus.jpg
(74.9 KiB) Downloaded 3368 times


User avatar
Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#8 Post by Luluc »

noryb009 wrote:One of the reasons they don't want users to run as root is so that they don't delete /, but also for multiple users to be able to elevate to root and not get into somebody else's files.
Oh, why didn't you say that before? This has nothing to do with running as root. If the the risk of deleting / is THE REAL reason, then Linux should come without the 'rm' command. There, problem solved.
noryb009 wrote:And puppy users keep repeating it's not dangerous, even though it is (kind of).
Ah. Usually it's "a gaping wide security hole." Now it's "kind of dangerous." I see we're making some progress here.
noryb009 wrote:A lot of people who upload .pet files could easily add in a keylogger, spyware, or something else. And what is stopping them from doing it? For all we know, every package uploaded has a puppy virus! Let's not wait until the horse leaves the barn before we close the door.
We finally agree on something. That problem is very present and very real. Unfortunately, it doesn't look like Puppy has the manpower/resources to fix that problem. And it has nothing to do with running as root.

noryb009
Posts: 634
Joined: Sat 20 Mar 2010, 22:28

#9 Post by noryb009 »

And how many people have been infected? Zero. Puppy has many package management methods but downloading random .pets is not the one recommended.
"My computer has never had an undetected virus."

So you are saying to not trust random pets from this forum? That leaves compiling everything yourself. Take green_dome's wine pets for example. Less then 100 posts by green_dome (less when green_dome started the thread). Does posting ~100 times make you trustworthy? (Just using green_dome as an example). This is more of an package management issue, which is another topic. What I was trying to point at is that it is easier to infect root then it is to infect a user (and keep it hidden from the user better).
How many "points" does Puppy need? Are our sales figures dropping? Will dividends and bonuses be cut this year? Is Puppy's primary goal to become the most popular distro?
One of puppy's purposes is for making old computers work like new. How is it to achieve that goal if no one recommends it to friends because they are scared of them running as root 24/7?

A few days after the puppy linux review at distrowatch, the hit ranking for 7 days is at 661 - much lower then the 6 month average (804). A big part of the review talked about root, and how the user can switch to spot after doing a bunch of work. More info about the actual distro (in place of the root section) would give users a better look at the distro, make them want to try it, and maybe convert. Like Luluc said: "Unfortunately, it doesn't look like Puppy has the manpower/resources to fix that problem."
That would be nice since no one has ever seen a Puppy virus.
Correction: That would be nice since no one has ever detected a Puppy virus.
I know that there is a 0.1% chance any .pets on this forum have anything bad in them, but someone could easily go onto this forum, post 100 times, compile a smaller/faster ls, then get everyones credit card. That wouldn't be good.

(In case your wondering, the ls would download and install a new infected library for the default browser randomly. This is just an example)
Oh, why didn't you say that before? This has nothing to do with running as root. If the the risk of deleting / is THE REAL reason, then Linux should come without the 'rm' command. There, problem solved.
And puppy users keep repeating it's not dangerous, even though it is (kind of).
Ah. Usually it's "a gaping wide security hole." Now it's "kind of dangerous." I see we're making some progress here.
Let's compromise: It's a gaping wide security hole that has a sign saying "Please do not exploit.".

-------------------------------------------------

I keep bring up the issue of .pets by random people because it's a real issue that isn't going to be fixed anytime soon.

User avatar
runtt21
Posts: 1649
Joined: Sun 08 Jun 2008, 02:43
Location: BigD Texas
Contact:

#10 Post by runtt21 »

pet2tgz NAMEOFTHEPET.pet

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#11 Post by rcrsn51 »

As Luluc said, the issue of malicious PET packages is entirely separate from running as root. Suppose Puppy was changed so the default user was unprivileged. In order to install a package, you would then have to login as root. At that moment, you have given the package all the permission it needs to install its payload. If it wants to steal my credit card number, running as non-root won't protect me.

LInux is all about trust. You have to trust that my PET is safe. I have to trust the developer whose program I packaged. He has to trust the developers whose libraries his program uses.

User avatar
666philb
Posts: 3615
Joined: Sun 07 Feb 2010, 12:27
Location: wales ... by the sea

#12 Post by 666philb »

noryb009

If all these idea's came to fruition, puppy having passwords, puppy saying permission denied, having to sudo to change the wallpaper and mount your drives, or install an officially vetted .pet. The whole 'Additional software' thread being removed (it would have to be untill every single posted pet was vetted! literally thousands!) No posting code in threads.
Would it still be the same puppy that we all love? and the same forum that we all enjoy?

Puppy as a distro, and the puppy forum as a community are both very special and somewhat unique.....as a distro puppy is supremely versatile, all the things that you wanted done to puppy in your original post are able to be done by you, using information found in the forum. Pizzapup has posted a technical 'how to' on how to make a multiuser puppy. Or you could download his iso, or you could have each user have there own encrypted savefile, or you could have each user have their own multi save cd/dvd or they could have their own usb. They are lot's of solutions.....to just run a browser as spot there's lobsters growl.

Puppy booted live with a cd and pfix=ram is more secure than any installed operating system, presuming you trust Barryk and the developer of your particular puppy, you know that you have a completely pristine operating system. Even booting a frugal that is on the harddrive or on a usb, all it takes is to check the md5 of the puppy.sfs to be as certain of a pristine OS as with the live CD.

If you're not doing you're internet banking from a live cd, then you really aren't taking security that seriously, what ever operating system you have. And however many times you sudo. The same goes to storing creditcard numbers on your computer, and important passwords (paypal) in your browser. You shouldn't be doing that on any operating system!!!

As to this forum, this is a really friendly and helpful place, an absolute mine of information, solutions and development, where else do you have the devs helping beginners, without dictating to them. It's a genuine open society, and that's a special thing. That people can share .pets for the benefit for everyone is marvelous! Lots of the things that are now part of puppy, started by being posted in the 'applications'section, and were improved by people trying them and giving feedback.

Puppy is pretty consistantly in the top10 on distro watch out of how many linux distro's? and i believe that is because people like it, because puppy is puppy!

I for one, do not want, passwords, multiuser & sudo to be part of my puppy, however, i have no problem with someone making a pet (properly vetted :) ), or releasing a puplet which has these features. There are a small minority of people like yourself that are wanting these features. So why not get together, and using the information on the forum, experiment and see if you can come up with something. Remastering puppy is simple, and once you start, I think you'll find it will be fun.

666philb
Bionicpup64 built with bionic beaver packages http://murga-linux.com/puppy/viewtopic.php?t=114311
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#13 Post by nooby »

Pizzasgood did that multiuser for Puppy 421? and read more here
http://www.murga-linux.com/puppy/viewtopic.php?t=47409
This is a multiuser version of Puppy 4.2.1. Initially, it should work just like a normal 4.2.1 Puppy - you are automatically logged in as root. However, there are a few new wizards in the Setup section of the menu. One for adding new users. One for changing your password. And one for disabling the automatic login. The idea here is that this could be used as a standard Puppy, without impacting the vast majority who like to be root, while still allowing the few who really have good reasons to not be root to do as they choose with minimum effort. Which also means they stop complaining about how they don't like being root. So it's a win for everybody.

There were a great many changes that had to happen under the surface for this to work nicely. See the above link to read the gory details. I'll just list a summary of the features here:

Wizards for adding new users and configuring the autologin feature.
Has sudo
Users in the "disk" group can mount/unmount partitions.
Users in the "audio" group can use audio devices.
Users in the "power" group can poweroff and reboot.
Users can have a personalized xorg.conf file at /etc/X11/$USER/xorg.conf. (This must be created by hand, as the xorgwizard is root-only.)
The Xvesa video wizard will allow user-specific configuration.
Has virtual terminals 1-6 configured. X will run on 7.
Global /etc/bashrc file.
Includes the real shadow utilities (useradd, gpasswd, etc.).
There is also Lighthouse puppy that can have users but read on their page. I am not the guy to explain how they set it up.

http://www.lhpup.org/release-lhp.htm

As I remember it took him many weeks to get it going. And none has had the knowledge to do it after him. So it is not as easy as remastering at all. One need to know Puppy like a Dev knows it. Many details that has to fit together. IIRC I asked him if he every wanted to do it again with a more modern version and AFAIK he where not motivated to ever do such tedius work again. So it was a one time off. None has the patience to do it again as I get it.
I use Google Search on Puppy Forum
not an ideal solution though

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#14 Post by cthisbear »

666philb's last post says it all.

I am entirely ticked off by all this security crap.

Give it a rest.

////////

Security people....controlling tossers.

http://www.theinquirer.net/inquirer/new ... conference

Chris.

User avatar
01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld
Contact:

#15 Post by 01micko »

Chris

http://www.murga-linux.com/puppy/viewto ... 151#515151

That's 666philb's other "root" thread. Visit his link and enroll.

You'll be in elite company. Jesus, Rambo, ... just to name a few.

Cheers!
Puppy Linux Blog - contact me for access

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#16 Post by nooby »

Nooby is there and spoiling all the fun though.

Micko your BrowseSafe pet ran just fine when I really read your instructions. So thanks for providing it.
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
Bernie_by_the_Sea
Posts: 328
Joined: Wed 09 Feb 2011, 18:14

#17 Post by Bernie_by_the_Sea »

noryb009 wrote:So you are saying to not trust random pets from this forum? That leaves compiling everything yourself. Take green_dome's wine pets for example. Less then 100 posts by green_dome (less when green_dome started the thread). Does posting ~100 times make you trustworthy? (Just using green_dome as an example). This is more of an package management issue, which is another topic. What I was trying to point at is that it is easier to infect root then it is to infect a user (and keep it hidden from the user better).
No, that is not what I said and you did not say “this forum.

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#18 Post by cthisbear »

Your security is already cracked before you load Puppy.

How many use phones in Wi-Fi hotspot?

http://www.guardian.co.uk/technology/20 ... hones-risk

" Not only could the information be used to steal identities, hijack email accounts and commit fraud but also to gather information about individuals and company employees. With the information gained in our investigation, fraudsters could have bought goods online or sent multiple e-gift vouchers worth as much as £1,000 each to pre-set email addresses. It is believed that such vouchers are already being traded by crooks over the internet. '

/////////

Better if we developed a Hotspot Shield alternative.

http://hotspotshield.com/


Chris.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#19 Post by nooby »

Chris thanks for those links but the Hotspotshield has this text.

quote

9. Third-Party Transactions.

9.1 Advertisements. AnchorFree may deliver third-party advertisements ("Advertisements") within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page.

You hereby acknowledge and consent that AnchorFree may alter the content of any web page accessed for the purpose of displaying Advertisements.


Additionally from time to time, AnchorFree may prevent any user's access to the product or continued use thereof until such user has successfully participated in applicable advertising programs, surveys, or other activities that collect and monetize users' personal information.

AnchorFree does not endorse any information, materials, products, or services contained in or accessible through Advertisements.
...
/quote

I mean wow they "may" alter pages with content from their Third parties.
That is not something one want. They even say if one don't give them evidence that one read these then one are not shown what one wanted to read.
I use Google Search on Puppy Forum
not an ideal solution though


Post Reply