 |
Puppy Linux Discussion Forum Puppy HOME page : puppylinux.com "THE" alternative forum : puppylinux.info
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in|
The time now is Sun 19 Aug 2018, 06:20 All times are UTC - 4 |
 Forum index » Advanced Topics » Cutting edge |
|
Script to run everything as 'spot'
Moderators: Flash, Ian, JohnMurga |
 
|
View previous topic :: View next topic |
| Page 1 of 2 [19 Posts] | Goto page: 1, 2 Next |
| Author | Message | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
jamesbond
Joined: 26 Feb 2007 Posts: 3151 Location: The Blue Marble |
Puppy introduced the concept of "run-as-spot", whereby an application run as the user 'spot' despite the fact that the logged-in user is 'root', long time ago. It was / is used to run 'didiwiki', a personal webserver providing wiki functions, as the user 'spot' to reduce the impact of someone breaking into the webserver. There was a blog post from mid 2008 that talked about it, but by that time it was already quite established that didiwiki always run as spot; the first implementation must be much earlier than that - could be 2006 or 2007. For a very long time until now, didiwiki was the only application that run as spot. Fatdog elaborated on the concept and use the idea to run most network programs as spot - most prominently is the browser. A few days ago Barry decided to expand the model too and adopt Fatdog's approach to run more programs as spot, first of all is seamonkey (a web browser), see this blog post. I'm attaching a script that allows *any* program (proper ones!) to run as spot. This is the same script that is currently used in Fatdog, except that Fatdog uses "dash" shell instead of "sh" to reduce memory footprint. How to use: 1. Gunzip, then chmod +x the script. 2. Copy it to /usr/bin 3. Prefix any app you want to run with "run-as-spot". It has been tested on: - firefox, seamonkey, thunderbird, pidgin, geany, libreoffice, chromium, and a few others I can't remember. Enjoy. Feedback and contributions welcome.
_________________ Fatdog64, Slacko and Puppeee user. Puppy user since 2.13. Contributed Fatdog64 packages thread. |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
 |
|||||||||||||||||||||||||
Ted Dog
 Joined: 13 Sep 2005 Posts: 4013 Location: Heart of Texas |
Nice a central script for run as spot... Could you add a control flag to run as root. I generally edit seamonkey-spot to seamonkey-bin to get around the issues of download corruptions and upload errors when ever I edit stuff as root and need to do something with the files upload/download using seamonkey to my webserver. However if we could run all apps as spot it should reduce those types of issues. Could you give us a taste of the script in the next release of FatDog64? |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
Karl Godt
 Joined: 20 Jun 2010 Posts: 4208 Location: Kiel,Germany |
Have probably few usages for such for local games servers . These tend in newer versions to check for root and abort . Was modifying the source then ie
For the Xauthority env var I have no experience with but I would write it like
or
>/dev/null is only needed if the / rootfs is ro , which should not be 
_________________ «Give me GUI or Death» -- I give you [[Xx]term[inal]] [[Cc]on[s][ole]] . Macpup user since 2010 on full installations. People who want problems with Puppy boot frugal  |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
sc0ttman
 Joined: 16 Sep 2009 Posts: 2581 Location: UK |
I've looked at your script james, and I've no idea what half of it does (other than the obv).. What's all the Xauthority stuff? Can I get an 'in english for dummies' explanation? Not trying to plug anything as such, trying to share something that may be useful, if fatdog uses spot like akita... Akita has had a "Run as Spot" menu item in its main menu since around the time fido was first developed - cos fido stuff was too hard, so I ended up adding spot as a real user, correcting /dev permissions etc, adding the popup user login thing, etc (repeating half of pizzagoods barrys work to get there) - long story short, having done that, akita can run firefox, vlc etc as spot, with the cmd `run_as_spot $1` (sound works, etc) The script run_as_spot basically contains
If this is how you did it, then the full script might be of use, it includes a gtkdialog GUI for choosing from the apps in /usr/share/applications ..
_________________ Akita Linux, VLC-GTK, Pup Search, Pup File Search |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
Q5sys
 Joined: 11 Dec 2008 Posts: 1126 |
awesome work! |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope |
From a users point of view what would be different? I mean how would I notice that I am now spot instead of root? I think of saving a picture to the sda1 HD from Firefox? Would it ask fir password each time? Would it refuse to save it and only allow it to save to Spot directory and if I want to move it from there to HD would it have permissions set to only be viewed in Spot? How does it behave from the user perspective? Edit thanks to Scottman below for that detailed explantion. would not the downloaded things still end up in Spot and not allowed to be moved why else use spot if it does not protect? I am a noony obviously 
_________________ I use Google Search on Puppy Forum not an ideal solution though Last edited by nooby on Tue 04 Jun 2013, 15:41; edited 1 time in total |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
sc0ttman
Joined: 16 Sep 2009 Posts: 2581 Location: UK |
nooby, you can set different GTK themes for different users, so the programs they use will look different... The easy way to do this is to make sure you dont have the files /root/spot/.gtkrc and /root/spot/.gtkrc.mine ... If you dont have the same GTK theme settings (gtkrc etc) in both /root and /root/spot then the programs will look different depending on if run as root or not.. If run as root programs will look 'normal', if not, they will have different (probably uglier) theme settings.. Hope that's clear. EDIT: I attached a screenshot, so you can see.. The 1st is run as root, the second is run as spot (using `run_as_spot vlc-gtk` in akita)
_________________ Akita Linux, VLC-GTK, Pup Search, Pup File Search |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
jamesbond
Joined: 26 Feb 2007 Posts: 3151 Location: The Blue Marble |
Instead of using "seamonkey-spot" just use "seamonkey" and it will run as whatever logged in user you are in. Same for firefox - just use "firefox" instead of "firefox-spot", etc.
Yes you already can. Go to Control Panel --> System --> User manager and create a new user (don't forget to set the password too). After you create a new user you can launch a second desktop too. Switch between desktops by pressing Ctrl-Alt-Fxxx (the first desktop is F4, second is F5, third is F6, etc). While there, you can also choose whether you want to automatically logged in as "root" or as any other user. If you don't like autologin (as root or as any other user), go to Control Panel --> System --> Login manager to choose how to to login to the system, you have 3 choices: autologin, console login, or graphical login. It's all in the login FAQ
Xauthority is the (old) security model of X server to prevent anyone who happens to know your IP address to connect to your Xorg and display an annoying popup ad banner message But relax this won't happen in Fatdog or Puppy because in both, X server is configured *not* to listen to any IP address.
It is there because when running Fatdog with the slim graphical login manager, slim creates an X authority file, and if that file isn't made available to spot, spot will not be able to display anything on screen. On regular sessions (ie console login / autologin), Xauthority isn't used.
Fatdog's run-as-spot script used to be a one-liner like that, but there are a few others things that need to be set properly, otherwise certain apps will not run. What it does: 1. Copy Xauthority as explained above. 2. Set $XDG_* environment variables needed by many freedesktop-compliant programs such as geany, libreoffice, chromium, etc. 3. Make sure after switching to spot we stays in the current directory (if current directory is readable by spot) 4. Make sure if the app requires arguments that has space in it, that space is preserved and passed correctly after switching to spot. _________________ Fatdog64, Slacko and Puppeee user. Puppy user since 2.13. Contributed Fatdog64 packages thread. |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
Smithy
 Joined: 12 Dec 2011 Posts: 909 |
Sorry if I am a bit thick, but number one (1.) is change the permission so it is executable? 3. Can a prefix be applied to a .desktop file (say firefox)? in the exec bit. Could you show us a template or two. Reason I ask is because the Fatdog 64 runs seamlessly with the spot and that firewall is tight. A good combo there jamesbond. But I was trying 01micko's browse as spot on a regular puppy and it wouldn't work properly, was moaning about some firefox profile or something. I was hoping spot might just use the executable and that's it. And can spot be applied to certain aspects of an app? Was thinking about wine aspects after mikeb mentioned mbr wipes occasionally. |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
jamesbond
Joined: 26 Feb 2007 Posts: 3151 Location: The Blue Marble |
Sure. In terminal, instead of typing "firefox" to run the web browser, you type "run-as-spot firefox". In firefox.desktop file, you usually have the line "Exec=firefox" so change that to "Exec=run-as-spot firefox".
You can always open a terminal and do "run-as-spot sh"; to get a new shell that runs as spot, proper. From there you can try to run firefox directly, and see any error messages you've got. If you've got errors it's most likely because the permission are not set correctly. E.g. sometimes the browser's profile under spot (/root/spot/.mozilla) is linked to an external partition outside the savefile (/mnt/sdb5 or something) but spot doesn't have access to that partition. This needs to be solved: either you give spot the permission to that partition, or move the browser profiles to somewhere else that spot has access to.
Hope that helps. _________________ Fatdog64, Slacko and Puppeee user. Puppy user since 2.13. Contributed Fatdog64 packages thread. |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
Smithy
Joined: 12 Dec 2011 Posts: 909 |
Yes it does help thanks, I've been wanting to try spot for yonks but it seemed a bit complicated, this should be easy now. |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
Smithy
Joined: 12 Dec 2011 Posts: 909 |
Blast, it doesn't work. Altered the firefox desktop file
Tried with and without the "brackets" surrounding the exec Downloaded Geoffrey's Paint programme and Lazz Paint. And it let me install them both. Checked usr/bin/run as spot script. Opened in terminal.
Any ideas. |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
mikeb
 Joined: 23 Nov 2006 Posts: 11146 |
A bodge is never going to work as well as doing it properly...wine is another awkward one. I made puppy 2.12 and 4.12 true multiuser with slim login manager some years ago..I might do lucid if it snows. It was not rocket science even for an idiot like me so why has it never been done with puppy releases? Only really makes sense if looked upon as a live cd that never gets installed...mind you SLAX manages it ok and its a live CD. Not really pursued it at it seems a waste of time anyway for our general use and being a true user is awkward especially with puppy and its weird scripts and methods though feeding of such as ubuntu should mean it works better now. On the other hand if you want to run a server (use puppy for that...NEVER!!!  ) or have machines in public use or a family with bad habits then true multiuser would be of benefit.
mike Last edited by mikeb on Mon 09 Mar 2015, 08:33; edited 1 time in total |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
mavrothal
 Joined: 24 Aug 2009 Posts: 2971 |
JWM/Rox do not read the desktop file You should change /root/.jwmrc (for the menu entry) and /usr/local/bin/defaultbrowser (for the desktop icon). The desktop file works with other window managers _________________ == Here is how to solve your Linux problems fast == |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
Smithy
Joined: 12 Dec 2011 Posts: 909 |
Ok, usr/local/bin default browser, that works, thanks Mathrothal. Is there any way to alter the script so it just works on the firefox executable or does it have to use profiles(I suppose it does), keeps locking out, can't find the profile. Anyway to make the script point to the profile? Sort of "please find xnxxjhxhfj.default folder." I do recognise the usefulness of limiting execution of downloads, I think it's a good idea, and you can still in an instant just go and wreck/alter your puppy which we all like to do from time to time. I agree mike, restricted user would be total crap. Someone's making a server puppy I think 
|
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
Script to run everything as 'spot'
| Page 1 of 2 [19 Posts] | Goto page: 1, 2 Next |
|
|
View previous topic :: View next topic |
|
Forum index » Advanced Topics » Cutting edge |
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum |
Powered by phpBB © 2001, 2005 phpBB Group