nooby wrote: Even if M$ are totally innocent I still care about security in linux.
I know too little to protect myself enough.
Puppy at least has a firewall that I can activate in set up while neither Elive nor Antix had such and the one in ubuntu and Mint I totally failed to understand if it was active or not.
Puppy has promised me that it is active when I set it up.
I am at their mercy.
The first question you need to ask is what are you protecting yourself from.
On Windows, the answer is viruses and malware. On Linux, those aren't a concern as they don't really exist for the platform. They are specific to Windows, as they hook into Windows code to do their work.
To be root seems to not be the best thing to be. And there does exist a puppy that allows one to create users and passwords.
And I wish that were standard in Puppy.
One of the changes Windows made as of Vista was to make the default user profile a "Power user" profile as a security measure. Previous versions of Windows through XP assumed the logged in user was administrator with full powers to modify the machine. A lot of viruses and malware require that access to do their dirty work, and bounce off if the user doesn't have it.
Vista's switch to defaulting to Power User caused much wailing and gnashing of teeth, but it's arguably what Windows should have done all along.
Puppy is like MS-DOS and older versions of Windows. It assumes the user running it is the administrator.
Viruses and malware aren't really problems in *nix, but casual root access can be. Historically, Unix systems were multi-user, with more than one user logged on and working at a time, and I've spent time over the years locking down systems so users couldn't casually get root access and possibly shoot somebody else in the foot. Normal users get the equivalent of power user profiles, can only install software and make changes in their own home directory and directories below it, and can't affect the rest of the system.
The whole point of a firewall is to prevent unauthorized access and control traffic between your system and others. Like other distros, Puppy uses iptables to implement a firewall. Do a search on iptables to get a better idea of what it does and how it does it.
Your real question is "Can someone from outside get unauthorized access to my Puppy system?" The general answer is "Probably not. First, they'd have to be aware it existed. Then, they'd have to have a way to get in. And last, they'd need a reason to try."
I don't worry about it on my Puppy box. At home, it's behind a hardware firewall as well as the software firewall Puppy makes, and it's one of many thousands of systems in my area. And if someone does manage to get into it, there's nothing of value for them to get at.
People trying to break into systems will be motivated by bragging rights or material gain. In either case, there's nothing of interest on my system. They won't get bragging rights breaking into a dinky single user Linux system, and they won't get access to anything that might get them money, like access to the userids and passwords to my bank and credit card accounts. I don't do that stuff from the Puppy machine.
Maybe next puppy should be set up so one can choose if one wants to be root or more protected.
I'd be delighted if proper multi-user support got put back into Puppy. You don't have to be root to do the vast majority of things you normally do on Linux. You only need to be root to install software (and not always then) or make other changes that affect the whole system.
Puppy gets away with "All root, all the time", because it's an explicitly single-user system, and the person who installed and configured it is almost certainly that user. If you shoot yourself in the foot doing the wrong thing as root, hey, it's your foot. No one else suffers collateral damage.
In a different setting, like a corporate desktop where more than one person might use the machine, Puppy is the last Linux distro you would install. You need a distro with honest to God multi-user support, where each user can have their own ID, and the ID can be customized for what that user will do with the machine.
On current flavors of *nix, even the administrator doesn't run as root. They log in as a normal user, and if they need admin powers to do something, they use su or sudo to acquire them, and return to a normal ID when they are done. Solaris systems won't let you log on as root unless you are at the system console. From anywhere else, you must use a normal ID and then su to become root.
Does it take a few extra steps to do administrative stuff? Yes. Is this bad? No. It should be harder to make changes that can affect or even put down the whole system.
I've been an administrator responsible for multiple systems, logged into several at any given time. I took pains to do things like customize my prompts and use different color schemes in telnet sessions to make obvious just what box I was on in a session and whether I was on as root. It would have been way too easy to shoot everyone in the foot by typing the wrong commands into the wrong system.
I run as root in Puppy because I have to, and I wish I didn't. I'm used to being able to create IDs customized for various purposes and being able to use them to do specific things.
I've never quite understood the rationale behind making Puppy root only and removing the normal multi-user infrastructure, unless it was a matter of "It's easier to install and maintain the system if you don't have to worry about permissions problems". Perhaps, but you should worry about permissions, and there are at least a few applications out there that complain or refuse to run if you are root because of potential security problems.
______
Dennis
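
Added example, not part of the original posts: one way to answer the "is the firewall actually active?" question raised above is to classify the INPUT chain from `iptables -S` output. The function name `fw_state`, the state names and the sample rulesets are constructed for illustration; rules that jump to user-defined chains are not followed.

```shell
#!/bin/sh
# Classify a filter-table ruleset (in `iptables -S` format) read from stdin.
# Prints: default-deny | partial | open | unknown
# On a real system (as root):  iptables -S | fw_state
fw_state() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            # "-A INPUT -j DROP" has no match conditions: a catch-all rule
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) catchall = 1
            else if ($0 ~ / -j (DROP|REJECT)( |$)/) some = 1
        }
        END {
            if (policy == "") print "unknown"           # no ruleset was read
            else if (policy == "DROP" || catchall) print "default-deny"
            else if (some) print "partial"              # blocks only some traffic
            else print "open"                           # everything is accepted
        }'
}

# Constructed sample: no firewall configured, every policy is ACCEPT.
sample_open() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
}

# Constructed sample: typical single-user desktop ruleset, inbound default deny.
sample_locked() {
cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: policy ACCEPT with a single port blocked.
sample_partial() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
EOF
}

echo "open sample:    $(sample_open | fw_state)"
echo "locked sample:  $(sample_locked | fw_state)"
echo "partial sample: $(sample_partial | fw_state)"
```
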