Security in Puppy Linux: running as Root

For discussions about security.
rdog
Posts: 25
Joined: Mon 18 Oct 2010, 20:47
Location: Quesnel, BC, Canada

#21 Post by rdog »

In general, puppy is secure because it is different. Malware is coded with a specific environment in mind.

However, consider this...

Running as root means that you have the right to run any command. A script running "dd if=/mnt/home/puppy/usb-image.iso of=/dev/sdc" as an example can burn an ISO image to the CD. Is it possible to ruin a CD and make it not bootable with dd? Yes, I believe so. Perhaps it would not be a loss of data for you depending on your practice but definitely it could be a time consuming annoyance to get back up and running.

Running as a restricted user would protect from such a command. But the nature of viruses and malware is that the payload is not always immediately evident. One can get a seemingly harmless program and use it for a very long time before the harmful payload is seen. In this case to protect from such a payload you would have to make a practice of always running as a restricted user, any code that could be infected.

Requiring buttons to be pressed, drives to be mounted, or scripts to run to perform "administrative" functions only adds protection if these requirements are not known to the attacker, or if they are not able to be run or done as the restricted user that the attacker has managed to get access to. (Note: GUI elements such as buttons, don't "do" anything in themselves, they call scripts or binary code to perform the activity).

Ultimately we have to make a decision to trust the code we are running, the source of that code and so on. Even the Linux kernel could have deliberate security vulnerabilities, but we trust that those people who review the source code, and the source code for the compilers which produce the binary executable, have our best interests in mind.

For my part, I use the browser as Spot. I generally download and compile from source the programs that I include in my SFS files. I remove any code that has been installed into the personal save files, and in the case of my USB puppy I only save changes at shut down and then I'm prompted by the shutdown script to decide if I want to save (customizations I have made). I trust that the original puppy ISO is free of malware. I use OpenVPN to tunnel to my home network for Internet access when I am away, so my communication is encrypted even if I'm connecting to an open wireless access point. I have Avast antivirus and occasionally update the definitions and scan all the files. Even Avast and the definitions are loaded from an SFS file at boot time.

Besides having backups of the personal save files and other data saved on separate USB sticks there is not much else to do.

My only real reason for wishing for multiuser support beyond Spot in Puppy has been when installing 3rd party binary applications where they refuse to run as root. Many of them will not run as Spot either.

Take Care,
Rob

666philb
Posts: 3615
Joined: Sun 07 Feb 2010, 12:27
Location: wales ... by the sea

#22 Post by 666philb »

rdog .....

which apps are you wanting to run?
Bionicpup64 built with bionic beaver packages http://murga-linux.com/puppy/viewtopic.php?t=114311
Xenialpup64, built with xenial xerus packages http://murga-linux.com/puppy/viewtopic.php?t=107331

rdog
Posts: 25
Joined: Mon 18 Oct 2010, 20:47
Location: Quesnel, BC, Canada

#23 Post by rdog »

666philb wrote:rdog .....

which apps are you wanting to run?
Hi 666philb,
Sorry I didn't get back to you sooner.

The first app I tried to run was Lotus Notes 8.5.2. I finally gave up and installed the windows version to run from wine. Not an easy project and not the most desirable way to run it.

My next most desired app to run from puppy is Vmware Workstation. I will be putting some effort into this since I have several Vmware guests that I would like to run, some are required for my job.

I haven't tried using Fido which I see has appeared with Puppy Slacko. But now I have been distracted by trying to build my own puppy with woof LOL.

I've had some issues with woof which I'll save for another thread.

Take Care,
Rob

666philb
Posts: 3615
Joined: Sun 07 Feb 2010, 12:27
Location: wales ... by the sea

#24 Post by 666philb »

hi rdog,

whilst i can't actually test the software you're wanting to use, i've had some success using this to run stubborn 'root hating' programs http://www.murga-linux.com/puppy/viewtopic.php?t=72667 once installed you'll need to alter the '/usr/bin/puppy-chrome' script to point at the binary you're trying to run.

puppy does have vmware player, http://www.murga-linux.com/puppy/viewtopic.php?t=62492 how it differs to work station i don't know. but i've had windows7, various linux's and iox running on it

rdog
Posts: 25
Joined: Mon 18 Oct 2010, 20:47
Location: Quesnel, BC, Canada

#25 Post by rdog »

666philb wrote:hi rdog,

whilst i can't actually test the software you're wanting to use, i've had some success using this to run stubborn 'root hating' programs http://www.murga-linux.com/puppy/viewtopic.php?t=72667 once installed you'll need to alter the '/usr/bin/puppy-chrome' script to point at the binary you're trying to run.

puppy does have vmware player, http://www.murga-linux.com/puppy/viewtopic.php?t=62492 how it differs to work station i don't know. but i've had windows7, various linux's and iox running on it
Thank you for that info 666philb, I'll come back to this issue soon.
Take Care,
Rob

snayak
Posts: 422
Joined: Wed 14 Sep 2011, 05:49

#26 Post by snayak »

Hi All,

What I see in this forum is,

1. many say running puppy as root has problem, it is not safe.

2. many say running puppy as root has no problem, it is safe.
-Do they mean, running puppy from CD/DVD is safe?
-Do they mean, running puppy from HDD frugal is safe?
-Do they mean, running puppy from HDD full installation is safe?

When I go to IRC, it prints, running root is unsafe! Still we can go. But biggest trouble is, some IRC servers like DALNet don't even let us go in! Directly refusing stating that you are logged in as root!

What to do about it?

Sincerely,
Srinivas Nayak
[Precise 571 on AMD Athlon XP 2000+ with 512MB RAM]
[Fatdog 720 on Intel Pentium B960 with 4GB RAM]

[url]http://srinivas-nayak.blogspot.com/[/url]

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

#27 Post by Monsie »

snayak,

I think many Puppy Linux users would agree that safety really is up to the individual using common sense whether one runs as root or not...
When I go to IRC, it prints, running root is unsafe! Still we can go. But biggest trouble is, some IRC servers like DALNet don't even let us go in! Directly refusing stating that you are logged in as root!

What to do about it?
In this circumstance, one can choose to run as a user with limited rights (non root access) in Puppy Linux. One can use spot:

# su -l spot
# whoami
spot
# exit
logout
# whoami
root
Monsie
My [u]username[/u] is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#28 Post by nooby »

Seems to be very individual these things.
I am a pessimist. I trust that nothing on internet is safe.

As soon as you connect to internet some ill willing person
can have a program that targets you personally and then
do their best to hack in.

What I have heard is that being non-root only protects the
files in that restricted use area. The hacker could still
hack themselves into the root account if they have that knowledge
and resources and so on.

So maybe we should not be too overly confident but
also be realistic about it?

I know too little.
I use Google Search on Puppy Forum
not an ideal solution though

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

#29 Post by Monsie »

rdog wrote:
My only real reason for wishing for multiuser support beyond Spot in Puppy has been when installing 3rd party binary applications where they refuse to run as root. Many of them will not run as Spot either.
For the record... Will you provide some examples of 3rd party apps you've found that refuse to run either as root or as spot in Puppy?

Thanks,
Monsie

snayak
Posts: 422
Joined: Wed 14 Sep 2011, 05:49

#30 Post by snayak »

Hmmm...

Another thing is that, many of our members say, puppy linux was created to be used as a single user system. It can't be used as a server.

1. To my knowledge, linux itself is a multiuser os.
So, how puppy linux is single user system?

2. We are happy that puppy linux be better used as a Desktop os, a single user system. When question of adding another user comes, why people think that it shall be used as a server? I think, when people say, add another unprivileged user, they mean providing a less permitted user, but again they will use their system as a simple Desktop, not a server in the university or their office! Can't we make it such that it adds just a less privileged user and yet work as Desktop only, no server functionality and no connections from outside to the machine. (which i think, is the need of a server)

3. Does providing add user facility, shall increase the size of puppy linux os?

4. What ways a multi user Desktop os (like windows xp?) differs from now a days puppy?

I am new to all these. Forgive.

Sincerely,
Srinivas Nayak

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#31 Post by musher0 »

I agree with gposil in this old thread:

http://murga-linux.com/puppy/viewtopic. ... 60&t=49025

Why are we going over this again?
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#32 Post by greengeek »

musher0 wrote:I agree with gposil in this old thread:
That old thread was well worth a read. I thought I would repost Aragon's contribution regarding secure hardware:
[Attachment: secure hware.jpg (35.13 KiB)]

gcmartin

Helping a user

#33 Post by gcmartin »

@Snayak asks some very good questions.

Some of our most honored security persons should address these. And, it probably should be done, not so much as a security question, but in terms of how he presents his questions of us.

Neither Microsoft, nor Apple, nor mainstream Linux, nor Unix are viewed as single user. (security issues aside for a moment)

BarryK started his Linux project distro in an effort to keep it as simple as possible for ease of understanding and ease of implementation. As such he took steps to "trim" the system to what he felt is an easy to implement system that should you have a router and an ethernet cable will get you a desktop office that will connect to the internet. This is notwithstanding that there are other LAN services present. His PUPPY implementation will make use of much of what the LAN has to offer without ever offering any services from the PC to the LAN. This, in essence, is intended to be a client ONLY distro.

Over the years, community members have added/attempted to add services to this client model such that PUP can extend services to other members on the LAN. Examples of these "server" services are FTP, SMB, NMB, etc. such that files/folders/applications that are created or exist on the PUP can be used by other LAN members just as those non-PUP LAN members have been providing to the LAN for years.

Today, excepting for a couple of PUP distros, PUPPY continues to follow that model. But, what has changed is that knowledgeable members can add server services to the LAN such that PUPs can participate just as those other non-PUPs provide the LAN.

There are several reasons why PUPPY started as it did. The most prevalent is that it started when dial-up internet was the most prevalent internet service available in the world. 2nd, many users still had 486s/Pentium1-2-3 class PCs that were due for retirement. By getting Puppy, one could recommission those old PCs and the download sizes were somewhat reasonable.

Today, much of that has changed. And, Puppy, at least for 32bit, has also been positioned to take advantage of internet speeds, shorten download times, internet reliability, 1995+ processors, and the 2006 model where PC manufacturers mandated a 1GB+ RAM model for all PCs sold with Microsoft loaded.

I know NONE of what I have shared addresses security, but, it at the very least provides a little understanding of what I have seen in my Puppy lifetime.

Several security discussions have arisen over the years. And, as such, many ideas have been promoted.

Puppy will probably continue its current model for awhile as it does offer some very useful benefits. There are some things Puppy could do better, but, most of the changes that come are from members who offer an alternative. And over time, the good ideas are spotted and incorporated into the Woof build process for distro builder's inclusion. And, for those fuller server versions that provide OOTB services, they, too, are as secure as they come.

Security is NOT a back burner item, either in Linux or in Puppy.

I have been keeping a watchful eye over the years in this forum of discoveries of security breaches. Thus far, in observation, there has been much discussion, much from scares and warnings, ideas about multi-user(s), and thoughts. Thus far, I have not seen any reports of PUPPY being used as a launch threat within its LAN, nor Puppy being penetrated, thus far. But, in watching, no one as yet has provided a security monitor that would provide alerts in the Puppy LAN or the Puppy PC of a security breach or a PC security announcer to the console user.

But, I am apprehensive that someone will be coming forward...hopefully or as someone perceives a real need in this product as it continues to mature.

Here to help

vovchik
Posts: 1507
Joined: Tue 24 Oct 2006, 00:02
Location: Ukraine

#34 Post by vovchik »

Dear gcmartin,

Very useful thoughts - I have been around here, too, for years and have been contributing - but not so much on the security front. But security is not a trivial question...and many supposedly secure systems are breached. We will get ideas, I am certain, and provide some solutions where security is critical. We are not the dumbest guys in the world... :)

With kind regards,
vovchik

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#35 Post by 8-bit »

I have Windows Vista on one hard drive and a bunch of versions of puppy on another on my PC.
I had an antivirus program, AVG free installed with Vista.
Then I found and installed a utility on Vista that would allow access to linux partitions.
Darned if the antivirus took some of my Puppy files and put them in its locker.
I am pretty sure it is a false positive that is causing it.
I do not want to have to go to the locker and restore a Puppy file or files every time this happens.
So should I restore and exempt those files and then remove that utility that allows Vista and the antivirus to see the linux partitions and their contents?

Or should I take note of what Puppy files got put in the locker and download them again after removing the utility that is allowing access to the linux partitions?

gcmartin

#36 Post by gcmartin »

8-bit wrote: ... I do not want to have to go to the locker and restore a Puppy file or files every time this happens.
So should I restore and exempt those files and then remove that utility that allows Vista and the antivirus to see the linux partitions and their contents?

Or should I take note of what Puppy files got put in the locker and download them again after removing the utility that is allowing access to the linux partitions?
I'm sure that others will offer other views, but here's one that I have used for the past 14 years.

Whenever I install Linux, I have ALWAYS installed to a Linux formatted partition. In most cases, unless you extend Microsoft or Apple somehow, it will not link/mount/assign a drive letter that Microsoft OS will path for application usage. The SWAP is provided for system stability and performance, while the Linux partition exists for Puppy-Linux use while providing insulation from Microsoft when Microsoft is active.

For example I have several PCs where I have partitioned their HDD to include a SWAP partition and an EXT2 or EXT3 or EXT4 partition while keeping the Microsoft partition intact.

By doing so, Microsoft will not provide I/O path for application use.

Here to help

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#37 Post by cthisbear »

AVG free...
" I am pretty sure it is a false positive that is causing it. "

an absolutely crappy AV.

Remove same.
You will notice the speed difference....especially Vista.

:::::::::::

Use Avira.

http://www.avira.com/en/avira-free-antivirus


You can select what you don't want scanned.
It nags you....
you can disable most of it.

"""
September 27, 2012, 10:07 am
No Advertising Pop-ups for Avira Free AntiVirus Users

Users of Avira Free AntiVirus who install the Avira SearchFree toolbar
will no longer have pop-up ads displayed to them.
This SearchFree toolbar includes Browser Tracking Blocker and
Website Safety Advisor so users get the double benefit of no ads
and more secure browsing.

Now Avira lets you ‘live Free’ completely ad-free."

http://techblog.avira.com/2012/09/27/av ... curity/en/

Their search used to be Ask...
which in the past they used to block.

Old post....about 8 down near the middle of page.

How to Remove the Ask Toolbar in Avira:

http://www.murga-linux.com/puppy/viewtopic.php?p=586216

http://fred151.net/?p=projects/nonotifyavira

::::::

http://www.avira.com/en/avira-free-antivirus#tab2

Download it here...not the author's site.
I always use >>> Internode link.....as it's much faster.

http://www.majorgeeks.com/Avira_AntiVir ... _d955.html

""""""""

AVG Remover 2013 at Majorgeeks

http://majorgeeks.com/AVG_Remover_d7000.html

" AVG Remover eliminates all the parts of your AVG installation
from your computer, including registry items, installation files,
user files, etc. AVG Remover is the last option to be used in case
the AVG uninstall / repair installation process has failed repeatedly. "

Majorgeeks is a great download site.

Avoid Cnet at all costs.

Chris.

snayak
Posts: 422
Joined: Wed 14 Sep 2011, 05:49

#38 Post by snayak »

Dear All,

Thanks to gcmartin for his nice post. I too was not bothered about security till last month.

Last month I started using IRC. Soon I found that somebody caught me and said, why are you using irc as root? I was surprised. He immediately told me my residence address. I was afraid! I thought, he started tracking me. I immediately closed my chat and never going back to irc, with a fear. :-(

So, came and ask here. Immediately got a reply that, don't use puppy! I must say sorry to our friend gposil. In this connection, I shall be happy to say that, puppy, itself is a virus, that does not affect computers but affects humans and that too affects mind. I am infected by puppy, and can you please advise, how can I leave it? Now, I shall blame puppy, who taught me about irc. I recently get to know about irc from attym chat that comes with puppy! :-D

Let's say, I will use irc as root with puppy's firewall, I shall not run any bots/scripts from others, I shall not accept any files from others, I shall not use any irc commands without knowing what it does, shall not use the advices others may give over irc, can anybody still can be an intruder to my pc and steal private informations?

I mean, following all the good practices for security, is there still a chance that one can intrude?

Sincerely,
Srinivas Nayak

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#39 Post by nooby »

cthisbear wrote: Avoid Cnet at all costs.

Chris.
http://en.wikipedia.org/wiki/CNET

You mean for download of software? Okay

What then do you know about what snayak
asks us about the IRC channel. I had same experience
as him and a guy told me that "I will kill you" and him
living just 30 minutes by car from me that scared the hell out of me.

And this where the Puppy channel on IRC. So I never used it again.

As snayak asks, would such a mean spirited person be able to break in?

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#40 Post by greengeek »

snayak wrote:Lets say, I will use irc as root with puppy's firewall,
I have seen very little information about configuring Puppy's firewall. How many ports are open? How exposed are we? I know that someone, somehow, is tracking my emails and using my outgoing emails as a means of targeting me with spam, but I don't have any idea if it is because I use puppy, or if it is something to do with my email provider.

Without a tightly configured firewall I think we are all very exposed.
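
The question in post #40 about how many ports are open can be checked from the kernel's own socket table. The shell functions below are an added example, not part of any post in this thread: they list IPv4 TCP listeners from /proc/net/tcp and mark the ones that are reachable from the network and owned by root (uid 0). The function names and the sample table are constructed, and little-endian (x86) byte order is assumed.

```shell
#!/bin/sh
# Added example: audit listening IPv4 TCP sockets from /proc/net/tcp.
# Assumes little-endian (x86) byte order for the hex address column.
# /proc/net/tcp6 and /proc/net/udp are separate tables not read here.

# Constructed sample in /proc/net/tcp layout (not captured from a real machine).
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1
   2: 0A01A8C0:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003 1
   3: 0A01A8C0:B2E4 5DB8D85D:01BB 01 00000000:00000000 00:00000000 00000000     0        0 11004 1
EOF
}

# list_listeners [FILE]: one line per socket in LISTEN state (st == 0A).
# FILE defaults to the live table; "-" reads standard input.
list_listeners() {
    awk '
    function hex2dec(h,    i, n) {
        h = toupper(h); n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":")
        # Address bytes are stored reversed: 0100007F is 127.0.0.1.
        ip = hex2dec(substr(a[1], 7, 2)) "." hex2dec(substr(a[1], 5, 2))
        ip = ip "." hex2dec(substr(a[1], 3, 2)) "." hex2dec(substr(a[1], 1, 2))
        # Field 8 is the uid that owns the socket; 0 is root.
        if (ip ~ /^127\./)  scope = "local-only"
        else if ($8 == 0)   scope = "network-reachable,root"
        else                scope = "network-reachable"
        print ip ":" hex2dec(a[2]), "uid=" $8, scope
    }' "${1:-/proc/net/tcp}"
}

# count_root_exposed [FILE]: number of root-owned listeners bound to a
# non-loopback address.
count_root_exposed() {
    list_listeners "${1:-/proc/net/tcp}" |
        awk '$3 == "network-reachable,root" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample.
sample_table | list_listeners -
```

Called with no argument, `list_listeners` reads the live table of the machine it runs on. A firewall can still drop traffic to a listener marked network-reachable, so the output is read alongside the firewall rules.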
