Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 30 Jul 2014, 21:45
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Why I don't like running as root (in Puppy)
Post new topic   Reply to topic View previous topic :: View next topic
Page 6 of 9 [130 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, 7, 8, 9 Next
Author Message
Pizzasgood


Joined: 04 May 2005
Posts: 6270
Location: Knoxville, TN, USA

PostPosted: Tue 06 Mar 2007, 16:57    Post subject:  

The cool thing with Puppy is that you can reinstall in mere minutes. Sure, that doesn't protect your personal data, but that's going to be open to attack even with multi-user (except from other users).

Actually, with Puppy the system files are impossible to edit, unless something specifically targets Puppy and you have a frugal install or a re-writable disk. They're stored in pup_xxx.sfs, which is read-only. When you try editing them, Puppy places a copy in your save-file and masks the original with it, but the original is still there. If you go behind UnionFS's back and delete the copy of the file, the original will re-appear.

So if something compromised your Puppy and left your personal files alone, you could just mount the save-file directly and delete all system files and relavent .wh* files. Then reboot, and the original system files are back.

If it does harm your personal data, just delete the save-file and start over. The personal data would have been harmed anyway, because you'd still have permissions to it.

All that's assuming you maintain a save-file. If you don't, and just run in ram, all you do is reboot and poof! Pristine system. If you use multi-session, just roll back a couple sessions. Simple.


Now, if you have a full-HD install, you're in a different boat. There are times when a full install is preferable, but it loses the majority of Puppy's benefits, especially with regard to security and fast installs.



The biggest reason I see for having true multi-user in Puppy is to protect the user from himself, especially when said user is a kid. Encryption is more effective at protecting data, and multiple save-files is generally good enough for multiple users. But I would welcome a small transparent optional multi-user setup so long as it still auto-logged-in as root like it does now. Just for those rare cases when true multi-user is needed.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

Back to top
View user's profile Send private message Visit poster's website 
paulsiu

Joined: 16 Jan 2007
Posts: 187

PostPosted: Sat 10 Mar 2007, 18:00    Post subject:  

Nice thing about puppy is that everyone can have a personal puppy on a key. No matter how secure a computer is, someone will accidently find a way to wipe out the hard disk. If everyone has their own personal puppy, they can only damage their own copy.
Back to top
View user's profile Send private message 
setecio

Joined: 01 Nov 2006
Posts: 326
Location: UK

PostPosted: Mon 16 Apr 2007, 18:14    Post subject:  

Bookmarked.
Back to top
View user's profile Send private message 
edoc


Joined: 07 Aug 2005
Posts: 4341
Location: Southeast Georgia, USA

PostPosted: Fri 27 Apr 2007, 11:51    Post subject:  

paulsiu wrote:
Nice thing about puppy is that everyone can have a personal puppy on a key. No matter how secure a computer is, someone will accidently find a way to wipe out the hard disk. If everyone has their own personal puppy, they can only damage their own copy.


What is the current status of Puppy on a USB stick?

Compatibility with a wide range of laptop and desktop hardware?

Is there a list of laptops and desktops which will boot Puppy from
USB?

I have just acquired a used Dell Latitude C400 which did not come with
a CD drive. Should I anticipate being able to boot Puppy from a USB
stick?

I like the idea of my OS and key apps on a 1 or 2G USB stick! Perhaps
a couple of different sticks, each optimized for a different set of apps.

_________________
Thanks! David
Home page: http://nevils-station.com
Don't google Search! http://duckduckgo.com
Puppy upup Raring 3992 & Lighthouse64-b602
Back to top
View user's profile Send private message Visit poster's website 
jglen490

Joined: 09 Mar 2008
Posts: 9

PostPosted: Fri 04 Apr 2008, 18:11    Post subject:  

Ho-hum.

All the arguments about personal freedom and about being the only user and "I can do whatever I want, because ...".

What is comes down to, is whether you always run as root or run as a non-privileged user most of the time, most of us DO SOMETHING to protect our system or try to not pass on infected files or try to pay attention to security in some way.

I don't run Puppy - for a variety of reasons, most of which have nothing to do with this thread. Anybody who runs any sort of Linux is going to show up as stealthy on Steve Gibson's site. It's the nature of the OS, unless you DO SOMETHING to open yourself up. By the way, that has nothing to do with being, or remaining secure. Just refer to any number of Linux pubs that discuss security and publish security problems with various Linux programs. Yes, these DO get cleared up fairly quickly, but the problems still come back. So it is necessary to DO SOMETHING to stay on top of security.

It has been suggested that you can clear out Trojans, viruses, etc. by rebuilding your backup file periodically. You all know how to do that, I don't, so I won't comment any further on that. So even in Puppy you need to DO SOMETHING to protect your security.

Do any of you run antivirus products in Linux? Do you know that such things exist? "But you can't get a virus in Linux!" Sorry, that's baloney. Two reasons. Linux is not yet a big enough target -- Linux will be some day. The other is that secure usage of Linux involves not only the usual things that "safe computing" means an implies, but also the normally inherent separation of root use and regular user us. By keeping the two separate, successfully attacking a Linux system is more difficult; not impossible, just more difficult. The more difficult it is for the "bad guy" to a) get in and b) severely compromise a system, or your home, or your business, the less likely you will be targeted..

O.K., so you keep all the stuff that's important to you in your $HOME directory anyway. So if someone gets to your user it's gone, anyway. Well, a) you do backup right? and b) if the rest of your system is intact, recovery is simpler - because you do backup right?

Puppy Linux runs in RAM. That's good, so each time you reboot it's like a new install. What about if you just leave your system up for a few hours/days/weeks. You're as vulnerable as anyone else PLUS, you're running as root!!

You do what you need to do, but I rely on my personal Linux system to provide me with a secure and reliable platform to do my daily and other personal tasks. This is not a business system, but because it is personal, I need it to do the "SOMETHINGS" that I do in the best way possible. If I didn't care, and if my Linux system wasn't just that good, I'd be running Windoze in admin mode (like most personal users run it).
Back to top
View user's profile Send private message 
trapster


Joined: 28 Nov 2005
Posts: 1999
Location: Maine, USA

PostPosted: Fri 04 Apr 2008, 18:53    Post subject:  

(paranoid)
_________________
trapster
Maine, USA

Asus eeepc 1005HA PU1X-BK
Frugal install: Puppeee4.31 + 1.0, Puppy4.10 + Lupu52
Currently using Slacko AND lupu52 w/ fluxbox
Back to top
View user's profile Send private message Visit poster's website 
Pizzasgood


Joined: 04 May 2005
Posts: 6270
Location: Knoxville, TN, USA

PostPosted: Fri 04 Apr 2008, 19:31    Post subject:  

Quote:
O.K., so you keep all the stuff that's important to you in your $HOME directory anyway. So if someone gets to your user it's gone, anyway. Well, a) you do backup right? and b) if the rest of your system is intact, recovery is simpler - because you do backup right?
I use Puppy as a Frugal install. Backup and restoration are so ridiculously easy that jumping through the hoops of limited users would be absurd. Why do all that for the ease of just restoring my home directory, when I could not do all that and then just restore the pup_save.2fs file? Which is actually easier, since I don't have to mount the old pup_save.2fs file to replace the compromised home directory.


The best arguments for multi-user in Puppy that I've seen so far are:
A. Avoiding becoming a zombi
B. Keeping the illiterate from borking themselves very often
C. When you're in an actual multi-user situation and don't want the duplication of having two save files (though you could remaster the duplicated portions into the pup_xxx.sfs file to offset this, but whatever)
D. Running apps that were written by paranoid fascists and thus refuse to run as root


Those reasons are good enough that I'll be making the next version of Pizzapup be multi-user friendly out of the box.

_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

Back to top
View user's profile Send private message Visit poster's website 
jglen490

Joined: 09 Mar 2008
Posts: 9

PostPosted: Sun 06 Apr 2008, 22:35    Post subject:  

trapster wrote:
(paranoid)


No thanks, I only need one noid at a time Rolling Eyes .

I understand -- it's a choice. Just responding to the thread and explaining my position. Actually, I'm not at all fearful of what's beyond the walls of my home. It just is so ridiculously easy to use my "normal" user for everything EXCEPT for those things that affect my overall system health. The rest is just normal Linux. Puppy is the exception, not the rule, but Puppy also has a good reputation as an easy to use distro. So press on with whatever distro you want to use.
Back to top
View user's profile Send private message 
edoc


Joined: 07 Aug 2005
Posts: 4341
Location: Southeast Georgia, USA

PostPosted: Fri 11 Apr 2008, 12:20    Post subject:  

Quote:
I use Puppy as a Frugal install. Backup and restoration are so ridiculously easy that jumping through the hoops of limited users would be absurd. Why do all that for the ease of just restoring my home directory, when I could not do all that and then just restore the pup_save.2fs file? Which is actually easier, since I don't have to mount the old pup_save.2fs file to replace the compromised home directory.


Wish I could run a Frugal Install. 3.01 has a bug of some sort that made booting as Frugal non-functional on two different laptops and one desktop here so they are all Full Installs.

Any word when we will see 3.02 and 4.x/Dingo?

_________________
Thanks! David
Home page: http://nevils-station.com
Don't google Search! http://duckduckgo.com
Puppy upup Raring 3992 & Lighthouse64-b602
Back to top
View user's profile Send private message Visit poster's website 
mill0001

Joined: 01 Feb 2007
Posts: 375
Location: "People's Republik of Kalifornia"

PostPosted: Sun 11 May 2008, 01:08    Post subject: Running as root  

BarryK, I'm running fresh frugal install of 4.00 with Linux firewall enabled. I just ran Shields up scan a few minutes ago after reading this post and got full stealth results. This puppy is workin good Boss.
Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 33
Location: N.E. USA

PostPosted: Tue 13 May 2008, 15:02    Post subject:  

Bruce B said 3 years ago:
Quote:
When I used to run Windows 9x, I never got infected with a virus or a trojan. I use Windows 9x as an example because it is as if one is 'root' in terms of permissions. In most cases the infection is a user interaction. Not something that just happens. That is one reason why I never got an infection.


I used W98se for 8 years. Finally the 2nd MoBo died last month, and thats it. Never cared for Xp or Vista, and the admin problems there. The web is too complex for 98se: USB sticks are APITA, new builds are moving away from ISO9660 on CD/DVD. I bought an Eee. It also has migrated away from ISO9660, and won't look back.

As a former W98se user, I can verify Bruce's statements. The caveat was always, SpyBot, SpyBlaster, and a Firewall (I chose Sygate 5.6), previous to them, an AV was ESSENTIAL. But NOT after that trio was installed. ==> 2nd edit: Since the root can be secured, I will be using the pupeee version.

1st edit==> after re-reading this thread I have noted one obvious missing point. The reluctance to share if the modem 'pinged when attacked'. I just bought a new all-in-one modem/net/wifi box. Its cheaper than the two separate devices: modem and router. Straight off to grc.com. All the ports are stealthed but the modem pinged when attacked. Bad modem, bad bad modem, no XP for you! And the ASUS Eee has no native suport for a firewall... why? NO IPtables. Bad Eee, bad bad Eee. Kernal rebuild solves tough, but alas I didn't buy it to hack it. Maybe replace it, but not hack around in the dark fixing stuff.

2nd point is related to post 98se Windoze systems. Elevated root privilidges. THAT, is what keeps you busy and behind with M$. Lotsa apps can elevate themselves. Bad M$, bad bad M$.

Last edited by 8Geee on Sat 24 May 2008, 17:13; edited 1 time in total
Back to top
View user's profile Send private message 
urban soul


Joined: 05 Mar 2008
Posts: 276
Location: "Killing a nerd is not as much fun as ist sounds" B.Simpson

PostPosted: Thu 15 May 2008, 07:19    Post subject:  

I just want to throw in that a compromised system is a compromised system is a compromised system. If you are root or not doesnt matter. If I compromised a user account I will compromise the root account later. Later means there's time to fix it. Thats true.
Back to top
View user's profile Send private message Visit poster's website 
SirDuncan


Joined: 09 Dec 2006
Posts: 836
Location: Ohio, USA

PostPosted: Thu 15 May 2008, 13:45    Post subject:  

The problem with people saying that running as root will get you hacked is this:
Most distros give you the ability to run sudo to get root power. If the hacker compromises your unprivileged account, all he/she has to do is type sudo before any nasty command. At that point the hacker has your password, which is what you give when you run sudo.

That means that in that kind of environment the only advantage of an unprivileged account is that it protects the user from the user.

In other words, Puppy is no less secure than, say, Ubuntu because it runs as root. On either system, the hacker needs only to compromise a single account and can then do whatever he/she wants. On Puppy, the hacker cracks root's password and then types "rm -f -r /*". On Ubuntu, the hacker compromises bob's password and then types "sudo rm -f -r /*" followed by bob's password when prompted.

The only small advantage the non-root system has here is that the hacker has to find a user name, whereas the root account name is already known.

Still, I would like to see Puppy gain multiuser power at some point.

_________________
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
Back to top
View user's profile Send private message Visit poster's website 
8Geee


Joined: 12 May 2008
Posts: 33
Location: N.E. USA

PostPosted: Thu 15 May 2008, 15:04    Post subject:  

Very good and touche. However, placing a Root name/pass in the mix to access root.might ward off the attacker. Having a default immutable name/pass defeats the purpose. Fortuneately Stephanie over at eeeusers forum was able to come up with a user/pass scheme (and mega-thankyous) for that rather broken distro, and Root can be protected (but see the recent news about the SSL flaw in Debian derived Operating Systems). Is the Root user/pass is mutable here?
Back to top
View user's profile Send private message 
SirDuncan


Joined: 09 Dec 2006
Posts: 836
Location: Ohio, USA

PostPosted: Thu 15 May 2008, 15:35    Post subject:  

8Geee wrote:
Is the Root user/pass is mutable here?

If by that you mean "can you change the root user name or password?", the answer is, yes you can change the password. I don't know if you can change the user name. It would be a good idea, though. Changing the name may cause some problems with scripts and such, but it is good security practice.

Personally, I always change the root password. I may forget to do it at first, but I eventually get around to it.

_________________
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
Back to top
View user's profile Send private message Visit poster's website 
Display posts from previous:   Sort by:   
Page 6 of 9 [130 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, 7, 8, 9 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.1094s ][ Queries: 12 (0.0071s) ][ GZIP on ]