Why I don't like running as root (in Puppy)

For discussions about security.
GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#41 Post by GuestToo »

I just happened to be experimenting with running the Xorg X server as user spot (Puppy 1.0.7 beta).

you need to copy some of the config files from /root to /root/spot ... and
chown -R spot:spot /root/spot/

shut down X (you can press ctrl+alt+backspace)
type:
rm /tmp/xerrs.txt
su spot
cd
startx


I've tried various things to get rxvt to work ... xhost, the setuid bit on rxvt, etc etc ... I haven't tried inittab yet ... I can run rxvt as user root anyway.

/root/my-applications/bin/rxvt3:
#!/bin/sh
# run rxvt4 as root; tinylogin must be setuid root so that spot can use su
exec su -c /root/my-applications/bin/rxvt4 - root

/root/my-applications/bin/rxvt4:
#!/bin/sh
# load root's environment, then open a terminal running bash
. /etc/profile
rxvt -e bash "$@"

To open an rxvt window running as root from spot, click the rxvt3 script.

for spot to be able to use su, tinylogin has to be setuid root:

chmod u+s `which tinylogin`

It might be possible to put rxvt4 in rxvt3 by using { }.
. /etc/profile would probably not be necessary if rxvt opened as a login shell.

Anyway, the Xorg X server will run as spot about the same as Xvesa will.
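A check that goes with the setuid step above, added here as an example and not part of GuestToo's post: once tinylogin is setuid root, every applet in that multi-call binary (login, su, passwd and the rest) is reachable with that privilege, and the earlier experiment of setting the setuid bit on rxvt shows how easily stray setuid files accumulate. The script lists setuid files under a tree and reports any whose full path is not in an allowlist file; the allowlist path and its contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: find setuid files under a
# directory tree and report any that are not on an expected allowlist.
# The allowlist is a plain text file with one absolute path per line,
# e.g. /bin/tinylogin (that path is an assumption for illustration).

# list_setuid DIR: print every regular file under DIR with the setuid bit
# set, one path per line, sorted. -xdev keeps find on one filesystem so a
# live CD scan does not wander into mounted hard drive partitions.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# unexpected_setuid DIR ALLOWFILE: print setuid files whose path is not
# listed in ALLOWFILE. Returns 0 when nothing unexpected was found and
# 1 otherwise, so it can gate a boot-time or cron check.
unexpected_setuid() {
    if list_setuid "$1" | grep -vxF -f "$2"; then
        return 1
    fi
    return 0
}

# Usage: sh setuid-audit.sh / /root/setuid-allowlist.txt
if [ $# -eq 2 ]; then
    if unexpected_setuid "$1" "$2"; then
        echo "no unexpected setuid files under $1"
    else
        echo "unexpected setuid files found under $1 (listed above)" >&2
        exit 1
    fi
fi
```

Generate the allowlist once from a fresh boot of the CD, keep it somewhere the running system cannot quietly rewrite, and run the audit after installing anything.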

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

Linux firewall in Puppy Tardis

#42 Post by Lobster »

Barry is replacing Morizot with Linux firewall in Puppy Tardis; that should put Puppy in full stealth mode again.

When running a new version of Puppy I run the firewall wizard
then connect to the internet

that is the extent of my security

The last attack was from a porn site that I was accessing for research purposes [I have no interest in human sexuality - which is quite normal - right?] :oops: yeah right . . .

:) anyways . . .
Using a JavaScript link, the site placed some DLL files on my computer (ever hopeful). I just laughed and deleted them.

DLL files are the same as executables (but on Windows) and can then be called or run once they are on a Windows machine.

Most of the distros I use, I set them to auto log in
I am happy to run as spot (user) or root if this remains automatic

Fear of shadows is the mind killer
I recently sent a security bulletin to our senior developers via an image

Go and watch kids - they open every channel - download from any site and still manage to use that Windows thing

Fear of shadows is the mind killer
Who is spreading FUD and who is spreading solutions? 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

LarryDC
Posts: 4
Joined: Tue 03 Jan 2006, 14:47
Location: Riverside RI, EE.UU.

Hard Disk Install needs a user login

#43 Post by LarryDC »

I'm with HypoCee on this one.
After a day of trying to get Austrumi to boot as a user (I think it uses the same busybox tinylogin as Puppy) I gave up in frustration and installed (Option 2) Puppy 1.07 w/ Mozilla over it. BEWARE: Austrumi automatically mounts the 17 partitions on one hard drive and then the 4 on my other drive, every time it boots. Then when it would hang because I was trying for a non-root login, all the partitions were shut down "uncleanly" - luckily I use ReiserFS on most of them.

Then I read this thread and did try the adduser but had worse problems than spot.

So like Austrumi it is coming off & will be used only as a live CD.

This would make an EXCELLENT fast-booting distro for quick use on a multiboot system as well as a great system for small hard drives... donated (I work for a low income school district), but IMHO it MUST allow non-root logins and use.

It is still in my carry-around Live CD pack - it boots flawlessly via Xorg. Unlike Austrumi 0.99, which has a bug that won't parse long DDC monitor names like "Visual Sensations" correctly and will not run X Window on this machine without editing /etc/xorg.conf manually to trim the offending line.

I will be checking back to see if a user login gets implemented in the future.
Otherwise great distro.

muskrat
Posts: 24
Joined: Sun 03 Jul 2005, 17:46
Location: Gulf Coast TX-MX

#44 Post by muskrat »

You all mentioned Shields Up. I have run several tests in the last few days and have gotten the same results.

I get three ports Open (RED) on my report: HTTP, FTP, and Telnet. But here's the kicker: those reports were done with the same PC, just swapping out HDs and distros. One was done with Debian 3.1 and the Firestarter firewall, the other was Slackware 10.2 with no firewall software (in fact it wasn't even buttoned down for security), and the last one was Puppy 1.0.7 with the Firewall wizard run.

Neither Debian nor Slackware has Telnet installed or running. Also, there is no web server installed on either one; as yet I haven't explored all of Puppy to say exactly what I have here.

I'm using a DSL phone line connection, with the modem connected to my PC via a Cat5 cable. This modem can be accessed with a browser to do configuration of the modem.

So my question is, is it possible that these ports are open on the modem even if my PC has all the ports closed? If so, what kind of a threat does this pose for me and my boxes?
Steve (Muskrat) McMullen
http://www.muskratsweb.com
Registered Linux User #305785

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#45 Post by GuestToo »

Is it possible that these ports are open on the modem even if my PC has all the ports closed?
Yes, I think so.

If you have more than 1 PC connected to your DSL modem, the ports may be open on another PC ... all the PCs on your network will have the same internet IP address, and a scan will show open ports on your entire network.

If you have only 1 PC connected to your modem, it may be the modem that is causing the open ports ... but it seems more likely that if those ports are open (connecting to running programs), they are connecting to running programs on your computer.

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#46 Post by BarryK »

Yes, I have stealthed ports on my pc.
For dialup, shieldsup shows them as all stealthed, but when I go to my friend's place and connect to Internet via router modem, the ports show as all closed, except telnet port is open.
...I guess though, my pc is still safe.

jmarsden
Posts: 265
Joined: Sat 31 Dec 2005, 22:18
Location: California, USA

#47 Post by jmarsden »

This post is probably overkill, but:
BarryK wrote:Yes, I have stealthed ports on my pc.
For dialup, shieldsup shows them as all stealthed, but when I go to my friend's place and connect to Internet via router modem, the ports show as all closed, except telnet port is open.
...I guess though, my pc is still safe.
Yes. But your friend's "router modem" is probably not safe -- it leaves its telnet port open to the public Internet. That is what "shieldsup" found, almost certainly.

I suggest that your friend may want to reconfigure his router not to allow incoming telnet, unless there is truly a very good reason for him providing telnet access to his router (and so probably to his entire network, if someone guesses a router login/password!) to the entire Internet world!

BTW, in my view those Internet-based "security checkers" are generally not all that good at their job, and they allow anyone watching your traffic to/from them to see exactly what holes they find on your machine. In my view, it's better by far to use a local tool running on a second local machine on your (protected) local LAN to check host security and firewalls. That way, no one but you knows what the host's weaknesses are -- so you can fix them before anyone else exploits them! Try nmap and (if desired) Nessus to get started. Of course, if you only *have* a single PC available to you, and still need to do network-based security checking of it, something like "shieldsup" could be an appropriate solution.

Of course, before you even bother running "shieldsup" or setting up nmap on a second PC for checking a machine's network security, a quick

# netstat -nl --inet

on the machine under test will tell you if you actually have anything listening on Internet sockets that might actually be worth firewalling :-) [[ I'm not running Puppy right now so I'm not sure if its netstat has those options... adjust as necessary, those are the common Linux ones for checking out server and desktop machines. On *BSD boxes, it would be closer to

# netstat -na -f inet

but then you need to read the output more carefully, because it will contain established connections as well as listeners (network daemons/services). ]]

Jonathan
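The netstat check above is the part of this post most worth keeping, so here is a small script around it, added as an example and not code from jmarsden's post. It parses `netstat -nl --inet` output and reports only the listeners reachable from other hosts, i.e. bound to something other than a loopback address; the sample output it carries is constructed for illustration. Applied to muskrat's case earlier in the thread: if this reports nothing on ports 21, 23 or 80 while ShieldsUp still shows them open, whatever answers is in front of the PC, usually the modem or router. (`-f inet` is the BSD spelling; on Linux net-tools the address family is chosen with `--inet` or `-A inet`, and `-F` means `--fib`, a routing-table option, not an address family.)

```shell
#!/bin/sh
# Added example, not from the original post: report listening sockets that
# are reachable from other hosts, parsed from "netstat -nl --inet" output.

# Constructed sample in net-tools format, used with the --sample flag.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.5:80          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# exposed_listeners: read netstat output on stdin; print "proto port address"
# for each TCP listener (state LISTEN) and each bound UDP socket whose local
# address is not loopback. 0.0.0.0 (or :: for IPv6) means every interface.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
            n = split($4, part, ":")               # "addr:port"; port is last
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost")
                print $1, port, addr
        }'
}

# audit_listeners: run the real netstat (the command from the post) and
# filter it. On systems without net-tools, "ss -lntu" gives the same data.
audit_listeners() {
    netstat -nl --inet 2>/dev/null | exposed_listeners
}

# Usage: sh listeners.sh --live     (real system)
#        sh listeners.sh --sample   (constructed data above)
case "${1-}" in
    --sample) printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners ;;
    --live)   audit_listeners ;;
esac
```

Anything this prints is a service other machines can talk to; decide for each one whether it should exist at all before reaching for the firewall wizard.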

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#48 Post by GuestToo »

I don't think a router or modem should have a telnet port open either.

The thing is, a router or modem is usually a little computer, with a CPU and RAM and flash memory instead of a hard drive ... or it might have a hard drive ... so it is potentially as vulnerable as a computer is ... if a cracker can hack into your router, he can potentially gain full access to all the machines on your network.

Though why a router/modem would be running a web server or ftp server I don't know ... that is why I wondered if it was another computer on your network with the open ports.

I don't really care about "stealth" ... closed ports are good enough for me ... though I have noticed that when you run completely "stealthed", there does seem to be a little less traffic trying to worm into your system.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#49 Post by GuestToo »

By the way, the forum seems to imply that I started this thread, Why I like running as root (in Puppy).

I did not ... I do not like running as root at all.

The reason my name is attached to the thread is because the thread was moved, and it probably used my name because I was the last one that posted to the thread before it was moved.

jmarsden
Posts: 265
Joined: Sat 31 Dec 2005, 22:18
Location: California, USA

#50 Post by jmarsden »

GuestToo wrote:though why a router/modem would be running a web server or ftp server i don't know ...
Well, most consumer routers use a web server to provide their easy-to-use administration interface. By default they only serve web pages on their internal (LAN) interface, but often you can enable the web service (either http or https or both) on the external (WAN) side too if you so choose. It does sound as though this particular router may not be configured optimally, and I'd definitely encourage BarryK to let his friend know of this, and (if necessary) suggest that his friend seeks help in getting it more securely configured.

Jonathan

muskrat
Posts: 24
Joined: Sun 03 Jul 2005, 17:46
Location: Gulf Coast TX-MX

#51 Post by muskrat »

Ok, I see your logic, and agree somewhat with what you're saying about root not being any worse a danger than a normal user. Except for some programs such as Xchat.

In Windows you can issue a command in chat and crash all Windows systems on that channel. Now if I'm running as root, is it possible to run commands that will affect me as root reading these bits of script with a chat program?

As you said, your personal data is what's important, because Puppy is protected on CD, but let's say I get compromised, just for argument's sake. Is my pup001 file then contaminated?

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#52 Post by Flash »

muskrat wrote:... let's say I get compromised, just for argument's sake. Is my pup001 file then contaminated?
If you are running Puppy from the live CD, the hard drive is the only thing that could be contaminated. Probably the contamination would be limited to the pup001 file, but as far as I can see there is nothing stopping Puppy from writing to the hard drive outside the pup001 file. In that case it would most likely just screw up your hard drive rather than install a rootkit or something like that, which would require the attacker to have intimate knowledge of your OS and configuration. I think.

It seems to me that the best solution is to back up your pup001 file, or at least the bits that are important to you, in an isolated repository on a regular schedule. And always wear your mittens.

muskrat
Posts: 24
Joined: Sun 03 Jul 2005, 17:46
Location: Gulf Coast TX-MX

#53 Post by muskrat »

Ok, here's the humdinger then: my pup002 file is in the home directory/partition of a dual install of Slackware and Debian, which both use the same partition for home. Puppy doesn't mount the root nor boot partitions of either of these. So I'm assuming that they are safe. Am I right in this assumption?

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#54 Post by GuestToo »

A rootkit would allow people to connect to your operating system as user "root", which would enable them to do anything that you can do (look at any of your files, delete files, change files, reconfigure anything, install programs, install keyloggers, install password sniffers, download, upload, surf to web sites, etc etc) ... they would probably be doing this from a text console, but it's also possible for them to see what you are seeing on the screen.

A rootkit not only sets up your system so they can connect to it, it changes some of the system files so you don't notice anyone is connected ... it might change ls so you don't see the rootkit files, it might change md5sum so you don't know that certain files have been changed, ps and top so you don't see the rootkit programs running, ifconfig and netstat so you don't see that they are connected to you ... etc etc.

One advantage to running Puppy is that any changes to /bin, /sbin, /lib will be gone when you reboot ... and any changes to /usr will be visible if you look in /root/.usr (unless you have an option 2 install, in which case you don't have most of the advantages of running Puppy anyway).

If you have a rootkit, anyone can use your operating system to mount/unmount any drives they like, snoop in them, install rootkits on those drives if they like.
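One way to act on the point about ls, md5sum, ps and netstat being replaced, added here as an example and not part of GuestToo's post: take a hash manifest of /bin, /sbin and /usr from a boot you trust, then compare the running system against it using a checksum tool read from the read-only CD rather than from the running system's PATH (a rootkit that swaps md5sum gains nothing against a copy it cannot write). TRUSTED_BIN, the mount point and the paths are assumptions; the fallback to the PATH copy of md5sum exists only so the script runs for demonstration on a machine without the CD mounted.

```shell
#!/bin/sh
# Added example, not from the original post: hash manifest of a directory
# tree taken from a trusted boot, checked later against the live system.
# Paths are assumptions for illustration.

# Assumption: the live CD is mounted read-only here and its md5sum is clean.
TRUSTED_BIN=${TRUSTED_BIN:-/mnt/cdrom/bin}

# hash_tool: print the checksum command to use. A real check must use the
# copy from the trusted medium; the PATH fallback is for demonstration only.
hash_tool() {
    if [ -x "$TRUSTED_BIN/md5sum" ]; then
        printf '%s\n' "$TRUSTED_BIN/md5sum"
    else
        printf '%s\n' md5sum
    fi
}

# make_baseline DIR OUTFILE: write "hash  path" lines for every regular
# file under DIR. Paths containing spaces are not handled by the awk pass.
make_baseline() {
    h=$(hash_tool)
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        "$h" "$f"
    done > "$2"
}

# verify_baseline DIR MANIFEST: rehash DIR and print CHANGED/MISSING/NEW
# lines for every difference. Returns 0 when the tree matches the manifest.
verify_baseline() {
    now=$(mktemp)
    make_baseline "$1" "$now"
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: manifest
        { cur[$2] = $1 }                              # second file: fresh hashes
        END {
            for (p in base) if (!(p in cur)) print "MISSING", p
            for (p in cur)  if (!(p in base)) print "NEW", p
            for (p in cur)  if ((p in base) && cur[p] != base[p]) print "CHANGED", p
        }' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Usage: sh integrity.sh baseline /bin /root/bin.md5
#        sh integrity.sh verify   /bin /root/bin.md5
case "${1-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
esac
```

Keep the manifest off the partition the running system can write, or at least compare its own hash against a copy written elsewhere; a manifest the attacker can regenerate proves nothing.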

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#55 Post by Flash »

muskrat wrote:Ok, here's the humdinger then: my pup002 file is in the home directory/partition of a dual install of Slackware and Debian, which both use the same partition for home. Puppy doesn't mount the root nor boot partitions of either of these. So I'm assuming that they are safe. Am I right in this assumption?
I only run puppy from the live CD. I have a dual-boot computer with Windows 2000(NTFS)/Mandrake Linux(ext3) on the hard drive. The Puppy live CD sees the Mandrake ext3 Home partition and puts the pupxxx file there. As far as I can tell, Puppy has never written anything anywhere else to the hard drive except the pup001 file. The "Only Possible Screwup" :lol: that I can see is if you try to enlarge the pup001 file when there's not enough room in the partition. For all I know, even that possibility is accounted for. I've enlarged my pup001 file to about 2 GB with no problems.

muskrat
Posts: 24
Joined: Sun 03 Jul 2005, 17:46
Location: Gulf Coast TX-MX

#56 Post by muskrat »

So I guess in all reality it's not a good idea to run Puppy as root with a drive you value that has another Linux installation on it. It could be compromised along with Puppy. Even though Puppy reboots and all is well, your native Linux might not be.

Is there any way to convert Puppy to using a normal user, and su to do root, just like a native install of Linux?

Or, an afterthought: could I remove the root and boot partitions from my Puppy fstab file? Would that help in making them unseen/inaccessible? Kind of out of sight, out of mind.

I like Puppy and would like to experiment some more with it. But I really don't like the idea of rootkits getting placed in my native installations.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#57 Post by GuestToo »

It could be compromised along with puppy
Well, the potential is there.

You can run X as user "spot" ... it isn't hard to do, though there are problems, like permissions, and mounting/unmounting and accessing drives, etc etc.

Running as spot would not prevent someone logging onto your system as root ... if he could do it when you run as root, he can do it when you run as spot.
really don't like the idea of root kits getting placed in my native installations
It's not impossible, no matter what you do ... there are hardened Linux distros and BSD "distros", if you are paranoid ... maybe someone could make a hardened version of Puppy.

I run Puppy most of the time, and I don't feel really unsafe.

muskrat
Posts: 24
Joined: Sun 03 Jul 2005, 17:46
Location: Gulf Coast TX-MX

#58 Post by muskrat »

I'm not paranoid, I just believe internet security is up to each individual. It's also an ongoing campaign.
it's not impossible, no matter what you do ... there are hardened Linux distros and BSD "distros", if you are paranoid ... maybe someone could make a hardened version of Puppy
Maybe somebody ought to build a hardened version of Puppy, especially since it runs as root all the time. Since I'm running just a desktop with no local network, I don't believe I'm much of an attraction for hackers. But like you said, no computer is hack-proof, some are just harder than others.

I've also found the harder your system is, the more difficult it is to use. Puppy is easy to use because it doesn't restrict the user: he can mount, unmount, change system config files and any other items normally only root is allowed to do.

To be totally honest, since I've gone to Linux 100% for my personal use I've relaxed somewhat about security. My wife still uses Windoze, and it's a never-ending battle keeping out intruders. Even with firewalls and a wad full of anti-software, they still get in and trash the system every couple of months or so.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#59 Post by Lobster »

muskrat wrote: To be totally honest, since I've gone to Linux 100% for my personal use I've relaxed somewhat about security. My wife still uses Windoze, and it's a never-ending battle keeping out intruders. Even with firewalls and a wad full of anti-software, they still get in and trash the system every couple of months or so.
Very interesting what you say Steve,

I too have relaxed. I had to be so vigilant (I did not use a virus protection package in Windoesn't - just care). Virus protection in my view is more of a menace than most viruses I have encountered. However key loggers and trojans and phishers and all sorts are rife on Windows - it is the main reason I changed - I was losing the battle.

Running from CD is so hot! (or is that cool) - Programs are safe. What about the data?
I get my data onto the web as soon as possible - let some server with BSD and all sorts, protect my data. All my secret data (mostly secret fish sauce recipes) is probably of little interest - though Tux has expressed an interest . . . he likes fish too . . .

ezeze5000
Posts: 347
Joined: Tue 10 May 2005, 17:48
Location: Missouri U.S.A

#60 Post by ezeze5000 »

jmarsden wrote: [quoting post #47 above] ... On *BSD boxes, it would be closer to

# netstat -na -f inet

but then you need to read the output more carefully, because it will contain established connections as well as listeners (network daemons/services).
I tried this code on my Puppy:

 # netstat -na -f inet

But it worked better this way:

 # netstat -na -F inet

I got a good readout with this.

Am I correct?
