Root v multiuser
- darrelljon
- Posts: 551
- Joined: Sun 08 Apr 2007, 11:10
- Contact:
Root v multiuser
Root or multiuser or other? How would you like Puppy Linux? Poll to gauge opinion during May 2008.
I would like it if Puppy could be multi-user, but not the type we normally see in other distros.
We cannot have sudo. We can have su, in fact we should, but not sudo as it defeats the minor amount of security multi-user gives you.
Puppy can continue to be a root distro, just make adduser work so that people who want to may have other users. This gives the small benefit to security that so many have been griping about and lets the rest continue the way they always have. It shouldn't create any significant overhead, either.
Of course, I'll be just as happy if we stay root only, but multi-user would be nice.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
I like it simple, I like to get to the screen the first time.
::::::::::::::::::::::
All those wanting security....try Ubuntu or Debian...that worked.
http://www.technologyreview.com/Infotec ... ?nlid=1085
Security....dream on.
From the same people that have a Myspace page.
http://www.wired.com/politics/security/ ... 01/myspace
From those who have wireless internet and have never
put in a password in the router.
http://idahofallz.com/2007/03/27/your-u ... weak-link/
:::::::::::::::::::::::::
From those who continually enter contests online
or in shopping centres...giving away all their details.
And how many government agencies have lost laptops, and USBs
that we know of....let alone the paperwork left by banks,
hospitals in garbage bins.
http://www.smh.com.au/news/national/pri ... 54244.html
""""""""""""""""""'''''
No! Leave Puppy alone.
Those that want more can make their own Puplet.
Vista is irritating customers....so they just turn off UAC.
Chris.
If puppy is to be changed to multi users, I give my support to the notion of SU only
Also let the multi user be admin approval mode, so that proper control over security can be maintained
A simple guide demonstrating necessary backup procedure is about all I think would be needed,
but ideally Puppy's quickstart procedure should not be interfered with - let multi user be selected after bootup by logout,
rather than make the main bootup go multi user automagically
Aitch
What I'm saying is that we leave Puppy with only a root account by default, and leave it so that it automatically logs in. We just make adduser work right, and then let people make more accounts and turn off auto-login if they want multi-user. It makes everyone happy and doesn't add any significant overhead (we already have adduser, it is just broken). We also don't add sudo (we don't have it right now anyway).
The way I see it, this isn't even a compromise, because everyone gets exactly what they want.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
Actually, to do it "right" we'd need to tweak some things and get people into the habit of writing multi-user friendly code. All the scripts with /root hardcoded into them would need to be changed to use ~/ or $HOME. That isn't as bad since Puppy 2.00 came out and the whole filesystem was writable. We'd also have to start packaging packages to not come with their configuration in /root. Either that, or tweak PETget to put the /root directory of packages into $HOME automatically.
The commands that scripts run would also have to be watched, or they'll only work with root.
I believe there are also some tweaks needed to make X function correctly when it's run as other than root.
So no, I don't think there would be much overhead in getting multi-user working. Just effort. I think it would be worth it, but not high priority.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
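The post above says scripts with /root hardcoded would have to switch to ~/ or $HOME. As an added example (not part of the thread and not Puppy's own tooling), this is one way to find such lines in a directory of shell scripts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list lines in shell scripts that
# hardcode /root instead of using $HOME.

# is_shell_script FILE: true if the first line is a sh/bash/ash shebang.
is_shell_script() {
    head -n 1 -- "$1" 2>/dev/null |
        grep -Eq '^#![[:space:]]*/[^[:space:]]*/(env[[:space:]]+)?(ba|a|da)?sh([[:space:]]|$)'
}

# audit_root_paths DIR: print "file:line:text" for every non-comment line
# that names /root as a path of its own (/initrd/root and /rootfs are not hits).
audit_root_paths() {
    pat='(^|[^[:alnum:]_./-])/root(/|[^[:alnum:]_.-]|$)'
    find "$1" -type f | sort | while IFS= read -r f; do
        is_shell_script "$f" || continue
        grep -nE "$pat" -- "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
    done
}

# Stand-alone use: sh audit.sh /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_root_paths "$1"
fi
```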
- Lobster
- Official Crustacean
- Posts: 15522
- Joined: Wed 04 May 2005, 06:06
- Location: Paradox Realm
- Contact:
You can have multiple users, when you save and encrypt or not. Do these different saves have a password protection request if you boot up from an encrypted save?
Another multi user possibility is individual multi sessions.
Puppy is not really a network distro (one OS per machine more like) However Puppy is flexible enough to provide networkable puplets as has and is happening
I say keep it simple: Puppy should run as root only. Adding multi-user capability complicates things for both users and developers, as Pizzasgood points out. I still haven't seen a single report of a problem caused because Puppy runs as root, that wouldn't have happened if there were limited-power users instead.
There are situations in puppy where I'd like to have multi-user but there are also situations where I'd like root only. If it was an option during installation, It might work for me.
I need help with my forum. LINK: http://www.programers.co.nr/
http://www.freewebs.com/programm/iframe.html is my gateway page...
- Nathan F
- Posts: 1764
- Joined: Wed 08 Jun 2005, 14:45
- Location: Wadsworth, OH (occasionally home)
- Contact:
Once again there is a lot of misinformation here.
Sudo is in itself no less (or more) secure than su. If anything it is more secure, because to use 'su' you must know the root password and can therefore run ANY program as root. Sudo is weak when it is configured badly, which amounts to user error.
The adduser program in Puppy IS slightly broken, but fixing it does not make it possible to log in to X as another user. There are a lot of other changes required. I have some small amount of experience here.
Creating scripts that function in a multi-user environment is NOT difficult for the user or developer. Only a few habits need changed for the person doing the coding, and they are minor.
Flaming Debian about ONE security hole in how many years? That's a bit crazy I think. It was a bad hole to be sure, and it was left untouched for far too long. But it was ONE hole. I can guarantee we have more than that in Puppy but not many people are using it for mission critical server installations, and in fact not very many power users at all in comparison with Debian. So our potential security problems may go undiscovered for even longer, sir.
I have stated my piece about this subject at other times and my purpose is not to convince anyone of the merits of running as root or running as nonroot. I would just ask that people stop posting as fact things which are factually inaccurate. Do your homework please.
Nathan
Bring on the locusts ...
- Nathan F
- Posts: 1764
- Joined: Wed 08 Jun 2005, 14:45
- Location: Wadsworth, OH (occasionally home)
- Contact:
Well I got sick of seeing the uninformed posts about this subject, and even sicker of replying to them. So I wrote the bulk of my thoughts that I thought were important down in a blog page and I'm going to start saying look HERE whenever I see another one of these. In some ways it amounts to a rant but I'm OK with that right now. If you get offended I really don't care. I miss Bladehunter...
Nathan
Bring on the locusts ...
Congratulations, Nathan on an excellent & informative Blog
Yes, do point to it, as I certainly shall
Far from being a rant, I found it to be well balanced and offering sound reasoning & clear explanation
In fact, the only thing differentiating this piece from a professional magazine writer, was the sheer absence of cr*p
Applause, applause
I'm glad to hear that the minor differences between yourself & BarryK,
do not make you feel a need to set off independently, and I appreciate your unprovoked honesty on that front
Thank you
Aitch
PS: never came across Bladehunter AFAIK
Though it sounds like a Movie character, but I don't go out much now....
- Nathan F
- Posts: 1764
- Joined: Wed 08 Jun 2005, 14:45
- Location: Wadsworth, OH (occasionally home)
- Contact:
Bladehunter was an extremely knowledgeable, but extremely cantankerous guy who used to liven up the forum back in the 1.0-something days. He finally got really angry one day and just had John M. remove his membership and hasn't been heard from again to the best of my knowledge.
"PS: never came across Bladehunter AFAIK
Though it sounds like a Movie character, but I don't go out much now...."
The mention was a bit of an inside joke meaning I realize I probably sound a bit cranky.
Nathan
Bring on the locusts ...
hmm seems like I remember BladeHunter but I wasn't into the forum as much back then... and I agree with Sir Duncan, puppylinux is very useful as a root distro but the option to run as a user would be icing on my cake, you know where my vote is...
Yes I do run Debian ... BUT that bug was only a problem if you had an SSH port open or were tunneling over some other port.... It was a serious issue but my install of Debian updated itself before I even knew about it so on that front I am pretty impressed and they certainly didn't try to cover it up
one thing that bothers me is that puppy is compiled from T2 right? well why aren't there more packages from T2 in puppy? like all 3000 of them?
Taking Puppy Linux to the limit of perfection. meanwhile try "puppy pfix=duct_tape" kernel parem eater.
X86: Sager NP6110 3630QM 16GB ram, Tyan Thunder 2 2x 300Mhz
Sun: SS2 , LX , SS5 , SS10 , SS20 ,Ultra 1, Ultra 10 , T2000
Mac: Platinum Plus, SE/30
Nathan, that was a superb post. It's good to hear it explained by someone more knowledgeable about the subject. I had not realized that sudo was not broken by default, but I guess that's because the only distro where I really had to use it was Ubuntu. I also didn't realize that Apache forced itself to run as non-root, I just assumed it would run as whatever you told it to.
All in all, it was very informative.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath
- klhrevolutionist
- Posts: 1121
- Joined: Wed 08 Jun 2005, 10:09
There are plenty of ways to run as user and not know the difference. Obviously there are security holes everywhere somewhere. It is just a matter of whom gets hit first.
But if anybody (puppy,grafpup) decides to go multiuser maybe this will be of interest: http://encurl.com/vb
Heaven is on the way, until then let's get the truth out!
root vs multiuser...
Hello everybody.
Though I have nothing against Puppy's mono-user orientation, there is a mystery I can't explain:
I can't log in as user spot or as any user I created.
I "sanity checked" the libs:

    # print the resolved library paths that ldd reports for a binary
    f_tst(){
        local TEST="$1"
        ldd ${TEST} | gawk -F '>' '{ print $2; }' | grep / | cut -d ' ' -f '2'
    }
    # report any library path that does not exist
    P_tst(){
        local ARG="$1"
        for i in "$( f_tst ${ARG} )";
        do [[ -e "$i" ]] || echo "$i is missing";
        done
    }
    P_tst "/bin/tinylogin"
    => /lib/libc.so.6 is missing

(it's not, it's just a symlink pointing to the real file, so no pb with the libs)
Now here's what's strange:

    fn(){
        # mode 777 on every directory and file outside /initrd and /proc
        find / -wholename '/initrd' -prune -o -wholename '/proc' -prune -o -type d -exec chmod 777 {} \;
        find / -wholename '/initrd' -prune -o -wholename '/proc' -prune -o -type f -exec chmod 777 {} \;
        # setuid bit on tinylogin
        find / -wholename /initrd -prune -o -name tinylogin -exec chmod u+s {} \;
        su spot;
        echo $?
    }
    fn;
    =>1

!!!!!!!!!!!!
I dtraced login, and then su to avoid the vhangup, but found nothing more than "/bin/sh : EACCES". This isn't a problem of shell: I get the same thing with bash.
I looked at the tinylogin source code, but found nothing that can explain in detail which operation in the (execv "/bin/bash") call is not allowed, nothing more than strace or ltrace. Any idea? I repeat, I don't really need it, it's just for the fun of finding the reason why...
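An added example, not part of the post above or of tinylogin: execve() fails with EACCES when a directory on the path lacks search permission, when the file is not a regular file or lacks execute permission, or when the filesystem is mounted noexec, and this sketch checks each of those for an account in the "other" permission class. The function names are hypothetical and the checks read mode bits and a /proc/mounts-format file only.

```shell
#!/bin/sh
# Added example (not from the thread): narrow down an execve() EACCES for an
# account that is neither owner nor group member of the files involved.

# other_can_x PATH: true if the "other" class has execute/search permission.
other_can_x() {
    # 10th character of the mode string: x or t = allowed, - or T = denied.
    case "$(ls -ldL -- "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# first_blocker BASE RELPATH: walk the components of RELPATH below BASE
# (BASE itself is not checked) and print the first blocker found, or "ok".
first_blocker() {
    cur=${1%/}
    rest=$2
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -n "$rest" ]; then
            [ -d "$cur" ] || { echo "not-a-directory:$cur"; return 0; }
            other_can_x "$cur" || { echo "no-search-permission:$cur"; return 0; }
        else
            [ -f "$cur" ] || { echo "not-a-regular-file:$cur"; return 0; }
            other_can_x "$cur" || { echo "no-execute-permission:$cur"; return 0; }
        fi
    done
    echo ok
}

# mount_options PATH [MOUNTS_FILE]: options of the longest mount point that
# contains PATH, read from a file in /proc/mounts format.
mount_options() {
    awk -v p="$1" '
        { m = $2
          if (m == "/" || p == m || index(p, m "/") == 1)
              if (length(m) >= best) { best = length(m); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: true if that mount carries the noexec option.
is_noexec() {
    case ",$(mount_options "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone use: sh check.sh /bin/sh
if [ "$#" -gt 0 ]; then
    first_blocker / "$1"
    if is_noexec "$1"; then echo "noexec-mount:$1"; fi
fi
```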
@cohinor i don't really know what that means but it would be nice to find out... im not really sure what you are doing...
what is the $?
Taking Puppy Linux to the limit of perfection. meanwhile try "puppy pfix=duct_tape" kernel parem eater.
X86: Sager NP6110 3630QM 16GB ram, Tyan Thunder 2 2x 300Mhz
Sun: SS2 , LX , SS5 , SS10 , SS20 ,Ultra 1, Ultra 10 , T2000
Mac: Platinum Plus, SE/30
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
A $? is a special variable that holds the return status of the last run program. It will generally hold '0' after a successful command.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib