How to add XDM (for security)?

dolphin
Posts: 17
Joined: Mon 26 Nov 2007, 16:08

How to add XDM (for security)?

#1 Post by dolphin »

can anybody help me?
I think it is not secure if Puppy doesn't have xdm

Bruce B

Re: how to add XDM ?

#2 Post by Bruce B »

dolphin wrote:can anybody help me?
I think it is not secure if Puppy doesn't have xdm

I'm not sure if this has been done before. You may be blazing new puppy trails.

I must confess: I don't see a security issue, and would appreciate it if you would elaborate.

FYI Puppy runs X with the -nolisten tcp switch, although this is not related to xdm, it is a security item I think worth mentioning. If it's not listening, it's not answering.

dolphin

#3 Post by dolphin »

but I don't want anybody use my computer,
when power on, there is no xdm.
and puppy boots directly to X.
anybody can use my pc.
how can I add user for my puppy?
running as root can make mistake

Bruce B

#4 Post by Bruce B »

dolphin wrote:but I don't want anybody use my computer,
when power on, there is no xdm.
and puppy boots directly to X.
anybody can use my pc.
how can I add user for my puppy?
running as root can make mistake

I was thinking, you were thinking along those lines, just wanted to be sure.

As far as security concerns, these are concerns about an insider intrusion.

Allow me to outline three lines of defense.

1) BIOS setup

set it for boot only from hd, this prevents anyone from inserting a live cd and running it

set a password to deter someone from changing BIOS setup - if you set it for system - it is even more of a deterrent.

2) Require login and password for Puppy

edit /etc/inittab with a text editor

change line 2 from

tty1::respawn:/sbin/getty -n -l /bin/autologinroot 38400 tty1


to

tty1::respawn:/sbin/getty 38400 tty1

This will require login and password if one is set. I believe Puppy's default password is woofwoof, but of course you can change that.

3) If you have a Frugal install you can make pup_save an encrypted file

------------------

Regarding running as root - yes indeed you have all admin privileges and can therefore make mistakes beyond that of a typical user account.

Everitt
Posts: 331
Joined: Tue 19 Dec 2006, 21:59
Location: Leeds,UK or Birmingham, UK

#5 Post by Everitt »

As far as I can tell puppy 3.01 doesn't have a root password, or at least, when logging into tty2 all I need to type is 'root' and hit enter twice.

dolphin

#6 Post by dolphin »

I have already set a passwd for root

Bruce B

#7 Post by Bruce B »

Everitt wrote:As far as I can tell puppy 3.01 doesn't have a root password, or at least, when logging into tty2 all I need to type is 'root' and hit enter twice.

Everitt,

I have no reason to disbelieve you. On the other hand, I didn't pull that default password out of thin air. I got the idea of Puppy 3.01 having a default password of woofwoof from BarryK

@ http://murga-linux.com/puppy/viewtopic.php?t=21338
you can see where he wrote it.

Regards,

Bruce

Everitt

#8 Post by Everitt »

Perhaps a peculiarity of wNOP then.

Either way, if 'woofwoof' fails, blank might be worth a shot. :)

macadavy
Posts: 213
Joined: Mon 12 Jun 2006, 07:43
Location: Cascadia's Attic, eh?

Puppy Login

#9 Post by macadavy »

I'm not sure 'cause I haven't used it, but doesn't Xlock provide some of the functionality you're looking for? (I use the BIOS/system password BruceB outlined to secure my pup machine.)
I believe it's only set up to be used as a screen lock (i.e. to lock the machine if you're going to be away for awhile but don't want to shutdown), but couldn't it be configured to kick in during the boot process, so that you're challenged for a password at some point as Xwindows is loading the window manager/desktop?
Anyone know how to set this up? Could BruceB's suggested script be used for this purpose?
I was also interested by BruceB's mention of encrypted save files. Puppy 2.17.1 offers this choice at shutdown, but how can one configure other Pups to encrypt the pup_save file? I'm not sure why this could only be used with frugal installs, 'cause Puppy 2.17.1 offers it at the live cd shutdown if you're creating a HD or USB pup_save file. I realize this means slower boot times as Puppy will have to un-encrypt the save file before loading it. It does make things more secure and the trade off might be worth it for the security-minded: you're challenged for a password during boot before puppy does the save file decryption.
TIA

Bruce B

#10 Post by Bruce B »

Everitt wrote:Perhaps a peculiarity of wNOP then.

Either way, if 'woofwoof' fails, blank might be worth a shot. :)

Maybe it's all just a joke. The references I've seen to woofwoof as a password have been with CUPS.

My earlier tip 2, which I'll repeat here, is no joke, regardless of the existence of woofwoof as the default password.
2) Require login and password for Puppy

edit /etc/inittab with a text editor

change line 2 from

tty1::respawn:/sbin/getty -n -l /bin/autologinroot 38400 tty1

to

tty1::respawn:/sbin/getty 38400 tty1

This will require login and password if one is set. I believe Puppy's default password is woofwoof, but of course you can change that.

To set the password use the passwd utility when logged in as root. It might be best to set it before changing inittab.

If these steps are taken, the system will stop and require login and password, which was core to dolphin's in-house security concerns.
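
Added example (not part of any post in this thread): the inittab procedure from posts #4 and #10 as a shell script that lists autologin getty entries, refuses to remove them until root has a usable password, and keeps a backup. The function names are hypothetical, and a shadow-format password file (user:hash:...) is an assumption about where the system stores the root password.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the
# functions can be tried on copies before touching /etc/inittab.

# List inittab entries whose getty skips the login prompt (-n) and hands
# the console to a login program (-l), as Puppy's autologinroot entry does.
autologin_lines() {   # $1 = inittab file
    grep -v '^[[:space:]]*#' "$1" |
        grep -E 'getty[[:space:]]+-n[[:space:]]+-l[[:space:]]+[^[:space:]]+'
}

# Succeed only if the user has a usable password: the field is neither
# empty (login with a blank password) nor locked with a leading ! or *.
has_password() {      # $1 = shadow-format file (assumed), $2 = user
    awk -F: -v u="$2" '$1 == u && $2 != "" && $2 !~ /^[!*]/ { ok = 1 }
                       END { exit !ok }' "$1"
}

# Turn autologin entries into plain getty entries, keeping a backup.
# Refuses to act until root has a password ("set it before changing inittab").
require_login() {     # $1 = inittab file, $2 = shadow-format file
    if ! has_password "$2" root; then
        echo "root has no usable password; run passwd first" >&2
        return 1
    fi
    cp -p "$1" "$1.bak" || return 1
    sed -E '/^[[:space:]]*#/!s/(getty)[[:space:]]+-n[[:space:]]+-l[[:space:]]+[^[:space:]]+/\1/' \
        "$1.bak" > "$1"
}

# Demo on constructed files in a temporary directory (not real system files).
tmp=$(mktemp -d)
printf '%s\n' 'tty1::respawn:/sbin/getty -n -l /bin/autologinroot 38400 tty1' > "$tmp/inittab"
printf '%s\n' 'root::13000:0:99999:7:::' > "$tmp/shadow"   # empty password field
autologin_lines "$tmp/inittab"
require_login "$tmp/inittab" "$tmp/shadow" || echo "inittab left unchanged"
rm -rf "$tmp"
```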

dolphin

#11 Post by dolphin »

lol ;)
I am not being paranoid here,
just wanna make a login to my system.
so anybody can't enter to my system without passwd.

my opinion here is puppy runs as single user right? and doesn't run as multiuser system like other linux.

my friend from irc channel #puppylinux told me that grufpup(other version

Bruce B

#12 Post by Bruce B »

dolphin wrote:lol ;)
I am not being paranoid here,
just wanna make a login to my system.
so anybody can't enter to my system without passwd.

The instructions on how to do this have been posted already. The instructions will not do a thing for you, unless you use them. The ball is in YOUR court.

dolphin wrote:my opinion here is puppy runs as single user right?

More or less false. But I can see why someone would say that.

dolphin wrote:and doesn't run as multiuser system like other linux.

More or less true; from a practical standpoint, for full functionality we use root.

dolphin wrote:my friend from irc channel #puppylinux told me that grufpup(other version

jap
Posts: 26
Joined: Wed 14 Nov 2007, 14:48

#13 Post by jap »

BruceB Thanks for the above advice to dolphin ... I didn't realize that puppy has a root password ..... I had wondered about putting a password on (that's how I found this thread), because others use this box, so now I can at least protect it from someone logging on if I want to. I also am giving thought to putting a password on the BIOS, so no one can make changes there either, but I'm not quite that paranoid ...... yet! ;). Thanks :!:
I'd still be interested in making it multiuser, but with the Pup3.01 running so great in RAM, I'm not willing to make the change to Grafpup or any other deriv. I've got this set up just how I want it now, so why make a change?

Bruce B

#14 Post by Bruce B »

jap,

Thanks. Just to be perfectly clear, it's the changes you make in /etc/inittab that will force the login and use of password.

Bruce

jap

#15 Post by jap »

Bruce B wrote:jap,

Thanks. Just to be perfectly clear, it's the changes you make in /etc/inittab that will force the login and use of password.

Bruce

Yup! Followed your instructions to try that out and it works fine ......... I had done that already when I posted that, I was just complimenting and thanking you, not being derogatory :D.

Is there any way to change (alias?) the username "root" to something else? That might allay Dolphin's concerns about running in root. If there was a way to change the username to "dolphin", or "witchhazel" or something other than Spot, Rover, et al. (the default names found on the various Puppy sites), the username "root" wouldn't be recognized as a valid username and then he/she would feel (hopefully) more secure ;). Anyone trying to access the system physically would run into a dead-end if they tried to access it as "root."

I've never 'aliased' before, either in WnDoz or Linux, so I don't know how it works, but I seem to remember back a few years that some geeks at a school I attended were talking about 'aliasing' names, commands, etc. It isn't listed in my 2007 Linux Bible (the only Linux reference book that I have), so that's why I'm asking you about it ;).

Of course, if what Dolphin really wants is a multi-user system, from what I've read, Grafpup would be the best choice for him/her !

Just a thought ........... :roll: :roll:

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#16 Post by PaulBx1 »

Another way to get security is to use an encrypted pupsave and put a password on that. Of course it protects only access to the pupsave data.

Bruce B

#17 Post by Bruce B »

PaulBx1 wrote:Another way to get security is to use an encrypted pupsave and put a password on that. Of course it protects only access to the pupsave data.

I think it only protects access when pup_save.2fs is not in use.

????
