All times are UTC - 4
EasyOS Buster 2.2.5, January 22, 2020
Moderators: Flash, JohnMurga
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 9183
Location: Perth, Western Australia

PostPosted: Tue 10 Dec 2019, 19:52    Post subject:  

Here is a new tutorial on the "Copy session to RAM & disable drives" boot menu option:

https://easyos.org/user/ultra-secure-web-browsing.html

I posted it last night, then edited it a bit this morning.

For maximum security, you need to be running Easy Pyro 1.2.9.1 or Buster 2.1.9.1, with 5.4.x kernel.

The thing is, is there any way to access the drives? The invitation is open to those with in-depth knowledge of Linux security to have a go at breaking out.

If there is a way of breaking out, then further steps can be taken to lock the user (and any intruder) into the RAM.

One thought is the possibility of getting at the UEFI setup. But the kernel lockdown might prevent that.

_________________
https://bkhome.org/news/
zygo

Joined: 08 Apr 2006
Posts: 241
Location: UK

PostPosted: Tue 10 Dec 2019, 20:31    Post subject: signing  

Barry,

Why don't you sign your uploads and host the signing key elsewhere?

Z
ras

Joined: 30 Oct 2019
Posts: 19

PostPosted: Tue 10 Dec 2019, 21:16    Post subject:  

scsijon wrote:
EDIT: and I wonder if there is the possibility of having Permanent and separate Temporary Containers. Permanent exist in their own savefile and don't lose parts until deliberately deleted, Temporary are 'cleaned out' when closed.


I have been wishing along the same lines. A desktop container that doesn't keep its .session unless one chooses to. I know that one can rollback a container to the same effect, but a "save" or "don't save" dialog when exiting the container would be sweet (with a way to tick a box to make either the default). One could stay in the same desktop session and have a lite version of "copy session to ram" without having to reboot.

_________________
RAS
ras

Joined: 30 Oct 2019
Posts: 19

PostPosted: Tue 10 Dec 2019, 21:40    Post subject: downloaded .deb in container  

Barry,
Did a frugal install of Easy 2.1.9.1 for a quick test to see if I could put a claws-mail .deb into a container. The deb worked fine on the main desktop, but when I created a container for it all seemed well until I clicked on the icon that was created. I could not find /../../claws-mail/container/mnt
Code:

# ec-chroot claws-mail
mkdir: can't create directory '/mnt/sda1/b2/containers/claws-mail/container/mnt/wkg/': No such file or directory
snip
mkdir: can't create directory '/mnt/sda1/b2/containers/claws-mail/container/mnt/wkg/': No such file or directory
gtk-update-icon-cache: Cache file created successfully.
gtk-update-icon-cache: Cache file created successfully.
Executing: DISPLAY=:0  pflask --mount=bind:/mnt/sda1/b2/home/shared:/mnt/wkg/home/shared --keepenv --mount=bind:/tmp/.X11-unix/X0:/tmp/.X11-unix/X0 --no-ipcns --no-netns --mount=bind:/dev/snd:/dev/snd --mount=bind:/dev/mixer:/dev/mixer --caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource --no-userns --chroot=/mnt/sda1/b2/containers/claws-mail/container --  /.control/ec-run claws-mail
[✘] Could not create mount dest /mnt/sda1/b2/containers/claws-mail/container/mnt/wkg/home/shared: No such file or directory
[✘] Child failed with code '1'
Unmounting: /mnt/sda1/b2/containers/claws-mail/container
Unmounting: /mnt/sda1/b2/containers/claws-mail/.ro0
Container claws-mail stopped

and
Code:
#Information for setting up and running the container

#Connect to X by abstract socket, pipe or unix domain socket (abstract|pipe|unix):
EC_XSOCKET='unix'
#Use Xorg or Xephyr server (xorg|xephyr):
EC_XSERVER='xorg'

#For security, unshare these namespaces:
EC_NS_UNSHARE_MOUNT='true'
EC_NS_UNSHARE_UTS='true'
EC_NS_UNSHARE_IPC='false'
EC_NS_UNSHARE_NETWORK='true'
EC_NS_UNSHARE_PID='true'

#Clear environment variables, except some such as TERM and DISPLAY:
EC_UNSHARE_ENV_VARS='false'
#Tick to run as user zeus in container:
EC_ENV_ZEUS='false'

#Specify what you are allowed to access outside the container:
EC_ACCESS_NET='true'
EC_ACCESS_SND='true'
EC_ACCESS_FOLDER='true'
EC_ACCESS_FOLDER_PATH='/home/shared'

#Drop these Linux capabilities:
EC_CAP_system='true'
EC_CAP_file='true'
EC_CAP_network='true'
EC_CAP_module='true'
EC_CAP_resource='true'
EC_CAP_mount=''

#If security-preset was ever chosen, this is it:
EC_SEC_PRESET='seclevel_3'

#Uncomment if you want to load another .sfs file, resident in the releases folder of the current version of Easy.
#Glob wildcard accepted, in fact is recommended for automatic version updating:
#EASY_LAYER_RO1='devx*.sfs'


will try a couple of different configurations when more time allows

_________________
RAS
FeodorF


Joined: 07 Jul 2010
Posts: 273
Location: Heidelberg, Germany

PostPosted: Wed 11 Dec 2019, 07:33    Post subject: Buster 2.1.9.1
Subject description: German keyboard characters '@{[]}..' don't work
 

Hi Barry!

Found one problem while running 'Buster-2.1.9.1 containerized desk'.

The extra characters '@{[]}..' don't work - 'ÄÖÜß' do. (e.g. WWW, sakura)

Using easy-2.1.9.1-amd64.img.gz and a BIOS dual core box with German keyboard for testing. (Same problem while running easy-2.1.9-amd64.img.gz) At first run/install I'm using '11' for 'de' keyboard.
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 9183
Location: Perth, Western Australia

PostPosted: Wed 11 Dec 2019, 09:39    Post subject:  

Another tutorial has been written, for developers:

https://easyos.org/dev/coding-for-easyos.html

_________________
https://bkhome.org/news/
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 9183
Location: Perth, Western Australia

PostPosted: Wed 11 Dec 2019, 09:45    Post subject:  

There is one little problem if you update an existing installation to 1.2.9.1 or 2.1.9.1.

The "Copy session to RAM & disable drives" boot menu requires this in the boot parameters:

Code:
lockdown=confidentiality


So EFI/BOOT/refind.conf in the boot partition will need this:

Code:
menuentry " Copy session to RAM & disable drives" {
 loader /vmlinuz
 initrd /initrd
 ostype linux
 options "rw qfix=cap2 lockdown=confidentiality"
}


For an existing installation, you will have to add this manually.

_________________
https://bkhome.org/news/
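
Added example (not part of the post above and not EasyOS code): a check that the "Copy session to RAM" entry in a refind.conf carries `lockdown=confidentiality`, plus a reader for the kernel's lockdown state file. The function names, the sample files and their contents are constructed; `/sys/kernel/security/lockdown` is the standard kernel path and is only the default argument here.

```shell
#!/bin/sh
# Added example: verify the lockdown parameter for one rEFInd menu entry.
# All sample files below are constructed for illustration.

# check_entry FILE TITLE_SUBSTRING
#   returns 0: entry found, options carry lockdown=confidentiality
#   returns 1: entry found, parameter missing (the upgraded-in-place case)
#   returns 2: no menuentry whose title contains TITLE_SUBSTRING
check_entry() {
    awk -v want="$2" '
        /^[ \t]*menuentry[ \t]/ {
            inside = (index($0, want) > 0)
            if (inside) found = 1
        }
        inside && /^[ \t]*options[ \t]/ {
            opts = $0
            gsub(/"/, " ", opts)            # drop the quotes around the value
            n = split(opts, w, " ")         # w[1] is the keyword "options"
            for (i = 2; i <= n; i++)
                if (w[i] == "lockdown=confidentiality") ok = 1
        }
        /^[ \t]*[}]/ { inside = 0 }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }
    ' "$1"
}

# active_lockdown_mode [FILE]: print the bracketed (active) mode from the
# kernel's lockdown file, e.g. "none integrity [confidentiality]".
active_lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "${1:-/sys/kernel/security/lockdown}"
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/refind-upgraded.conf" <<'EOF'
menuentry " Copy session to RAM & disable drives" {
 loader /vmlinuz
 initrd /initrd
 ostype linux
 options "rw qfix=cap2"
}
EOF
cat > "$SAMPLES/refind-fixed.conf" <<'EOF'
menuentry " Copy session to RAM & disable drives" {
 loader /vmlinuz
 initrd /initrd
 ostype linux
 options "rw qfix=cap2 lockdown=confidentiality"
}
EOF
echo 'none integrity [confidentiality]' > "$SAMPLES/lockdown"

for conf in "$SAMPLES"/refind-*.conf; do
    if check_entry "$conf" "Copy session to RAM"; then
        echo "$(basename "$conf"): lockdown=confidentiality present"
    else
        echo "$(basename "$conf"): parameter missing, add it to the options line"
    fi
done
echo "active mode: $(active_lockdown_mode "$SAMPLES/lockdown")"
```

On a real installation, pass the path to EFI/BOOT/refind.conf on the mounted boot partition, and call `active_lockdown_mode` with no argument after booting the entry.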
rufwoof


Joined: 24 Feb 2014
Posts: 3717

PostPosted: Wed 11 Dec 2019, 11:09    Post subject:  

The kernel lockdown feature looks interesting.

For instance if I have a usb attached as sdb and I navigate to /sys/block/sdb/device/driver and do a ls then it shows sym linked folders.

I can unbind that using

echo "2:0:0:0" | tee /sys/block/sdb/device/driver/unbind

(in my case) and sdb (usb) is no longer bound in that kernel session.

If I alternatively do that via /sys/bus/pci/drivers/ehci-pci (and do ls to note the device, 0000:00:12.0 in my case)

echo "0000:00:12.0" | tee /sys/bus/pci/drivers/ehci-pci/unbind

Disables it, but then I can rebind it again

echo "0000:00:12.0" | tee /sys/bus/pci/drivers/ehci-pci/bind

At least that is the case for Fatdog.

lockdown I presume (haven't checked it out yet myself) can prevent access to the likes of the above. But with greater security comes restrictions. I assume with lockdown enabled then it fixes things at bootup and you have less in session (userland) flexibility - even as root.

Personally I prefer the physical approach, plug and unplug a usb stick, and best if you use two sticks, one for boot, the other for data (plugging a boot stick into a potentially compromised running system risks that stick's OS files also being compromised).

If you go down the physical (hard) approach path, then there's no real need (from a single user desktop system perspective) for lockdown. If you use the lockdown (software) approach and attached devices then as ever there is risk of bugs/work-arounds, either present and unknown (or known but not fixed), or yet to come (later releases that fix one problem/bug, but introduce others). Of the two the former (physical) is the better IMO.

I boot Fatdog from usb, that is unplugged during init, isolating the MBR/bootloader/kernel ...etc. I only ever save after making changes from a clean cold booted system (nothing else before or after). Otherwise boot that known 'clean' system, no system changes/saves, and save data separately (incremental saves of data, with off-site copies also being stored). For sensitive operation, such as online banking, boot a clean session, go direct to your bank, nowhere else before or after, cold shutdown afterwards.

Great to see EasyOS having moved in the direction of supporting that style of operation (ability to run totally in ram and leave no remnants) :)

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh
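
Added example (not part of the post above): a read-only inventory of which block devices still have hardware behind them, showing where the SCSI address (`2:0:0:0`) and the PCI controller address (`0000:00:12.0`, `ehci-pci`) quoted in the post come from in sysfs. The function names are hypothetical and the directory tree is a constructed stand-in for /sys, so it runs without touching real devices.

```shell
#!/bin/sh
# Added example: inventory of hardware-backed block devices from sysfs.
# The directory tree built at the bottom is a constructed stand-in for /sys.

# pci_parent DEVICE_DIR: walk up from a device directory and print
# "<pci-address> <driver>" for the nearest PCI ancestor bound to a driver.
pci_parent() {
    dir=$(readlink -f "$1")
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        if [ -L "$dir/subsystem" ] && [ -e "$dir/driver" ] \
           && [ "$(basename "$(readlink -f "$dir/subsystem")")" = pci ]; then
            echo "$(basename "$dir") $(basename "$(readlink -f "$dir/driver")")"
            return 0
        fi
        dir=$(dirname "$dir")
    done
    return 1
}

# bound_disks [SYSROOT]: one line per block device that has a hardware
# device behind it: "<disk> <bus-address> <driver> <pci-address> <pci-driver>".
# Virtual devices (zram, loop, ram) have no "device" link and are skipped.
bound_disks() {
    sysroot=${1:-/sys}
    for blk in "$sysroot"/block/*; do
        [ -e "$blk/device" ] || continue
        addr=$(basename "$(readlink -f "$blk/device")")
        drv=-
        if [ -e "$blk/device/driver" ]; then
            drv=$(basename "$(readlink -f "$blk/device/driver")")
        fi
        pci=$(pci_parent "$blk/device") || pci="- -"
        echo "$(basename "$blk") $addr $drv $pci"
    done
}

# Constructed tree: one USB disk (sdb) behind an ehci-pci controller, one zram.
FAKE=$(mktemp -d)
pcidev="$FAKE/devices/pci0000:00/0000:00:12.0"
scsidev="$pcidev/usb1/host2/2:0:0:0"
mkdir -p "$scsidev/block/sdb" "$FAKE/devices/virtual/block/zram0" \
         "$FAKE/bus/pci/drivers/ehci-pci" "$FAKE/bus/scsi/drivers/sd" "$FAKE/block"
ln -s "$FAKE/bus/pci" "$pcidev/subsystem"
ln -s "$FAKE/bus/pci/drivers/ehci-pci" "$pcidev/driver"
ln -s "$FAKE/bus/scsi" "$scsidev/subsystem"
ln -s "$FAKE/bus/scsi/drivers/sd" "$scsidev/driver"
ln -s "$scsidev" "$scsidev/block/sdb/device"
ln -s "$scsidev/block/sdb" "$FAKE/block/sdb"
ln -s "$FAKE/devices/virtual/block/zram0" "$FAKE/block/zram0"

bound_disks "$FAKE"
```

Run with no argument, `bound_disks` reads the live /sys; in a session that is meant to have no reachable drives, any line it prints is a disk the kernel still has a driver attached to.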
scsijon

Joined: 23 May 2007
Posts: 1565
Location: the australian mallee

PostPosted: Thu 12 Dec 2019, 06:28    Post subject: ssd install fails  

Can't seem to install pyro 1.2.9.1 via EasyDD frontend for dd to a Lenovo Thinkpad with a 128gb sata3 ssd in it.

>Clean ssd (nothing installed);
>Created a fresh gpt drivetable;
>formatted as a single partition to test (ok);
>Started EasyDD and picked the 1.2.9.1 ..gz file.

It said it was installing(, in the reverse order to start with)? But at the end, when it said it was finished, I noticed the drive letters for the boot usb had changed from sdb to sdc and only the sdc2 was still on the screen????.

A reboot back into 1.2.9.1, and gparted showed that it was a blank drive (no partitions), any suggestions where to go from here, or have I found you another bug.

I will have a go with 1.2.9 tomorrow and report that (as a Edit: here) in case it's a kernel thing, can't think of what else as previously it had 0.8.1 which worked ok.


EDIT: 1.2.9 installed without a problem, all working ok, looks like something else to sort out for the new kernel.

Last edited by scsijon on Thu 12 Dec 2019, 17:40; edited 2 times in total
Sage

Joined: 04 Oct 2005
Posts: 5511
Location: GB

PostPosted: Thu 12 Dec 2019, 06:48    Post subject:  

Really don't understand why folks persist with the CLI for USB/SD installs? Get a copy of one of the 'majors' loaded up and use the GUI USB Image Writer which seems foolproof. Just got to extract the .gz compression to yield the .img file.
Not quite sure where the Pup is going - it started out as tiny 29Mb, fast basic distro until the clever guys started expanding it with the proverbial kitchen sink until, now it's as much as half the size of a major and capable of predicting the end of the world....
rcrsn51


Joined: 05 Sep 2006
Posts: 12948
Location: Stratford, Ontario

PostPosted: Thu 12 Dec 2019, 08:34    Post subject:  

Sage wrote:
Not quite sure where the Pup is going - it started out as tiny 29Mb, fast basic distro until the clever guys started expanding it with the proverbial kitchen sink until, now it's as much as half the size of a major and capable of predicting the end of the world....

So keep using the old ones.
Sage

Joined: 04 Oct 2005
Posts: 5511
Location: GB

PostPosted: Thu 12 Dec 2019, 09:37    Post subject:  

Quote:
So keep using the old ones.

Yes, always at hand!
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 9183
Location: Perth, Western Australia

PostPosted: Thu 12 Dec 2019, 19:27    Post subject:  

rufwoof wrote:
The kernel lockdown feature looks interesting.

For instance if I have a usb attached as sdb and I navigate to /sys/block/sdb/device/driver and do a ls then it shows sym linked folders.

I can unbind that using

echo "2:0:0:0" | tee /sys/block/sdb/device/driver/unbind

(in my case) and sdb (usb) is no longer bound in that kernel session.

If I alternatively do that via /sys/bus/pci/drivers/ehci-pci (and do ls to note the device, 0000:00:12.0 in my case)

echo "0000:00:12.0" | tee /sys/bus/pci/drivers/ehci-pci/unbind

Disables it, but then I can rebind it again

echo "0000:00:12.0" | tee /sys/bus/pci/drivers/ehci-pci/bind

At least that is the case for Fatdog.

lockdown I presume (haven't checked it out yet myself) can prevent access to the likes of the above. But with greater security comes restrictions. I assume with lockdown enabled then it fixes things at bootup and you have less in session (userland) flexibility - even as root.

Personally I prefer the physical approach, plug and unplug a usb stick, and best if you use two sticks, one for boot, the other for data (plugging a boot stick into a potentially compromised running system risks that stick's OS files also being compromised).

If you go down the physical (hard) approach path, then there's no real need (from a single user desktop system perspective) for lockdown. If you use the lockdown (software) approach and attached devices then as ever there is risk of bugs/work-arounds, either present and unknown (or known but not fixed), or yet to come (later releases that fix one problem/bug, but introduce others). Of the two the former (physical) is the better IMO.

I boot Fatdog from usb, that is unplugged during init, isolating the MBR/bootloader/kernel ...etc. I only ever save after making changes from a clean cold booted system (nothing else before or after). Otherwise boot that known 'clean' system, no system changes/saves, and save data separately (incremental saves of data, with off-site copies also being stored). For sensitive operation, such as online banking, boot a clean session, go direct to your bank, nowhere else before or after, cold shutdown afterwards.

Great to see EasyOS having moved in the direction of supporting that style of operation (ability to run totally in ram and leave no remnants) :)


Thanks for the feedback. I will have a look around in /sys as you have suggested.

Regarding physical versus software approaches, my method hides ALL drives, including those builtin to the PC. It is the builtin drives that I mostly want to hide.

_________________
https://bkhome.org/news/
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 9183
Location: Perth, Western Australia

PostPosted: Thu 12 Dec 2019, 19:36    Post subject: Re: ssd install fails  

scsijon wrote:
Can't seem to install pyro 1.2.9.1 via EasyDD frontend for dd to a Lenovo Thinkpad with a 128gb sata3 ssd in it.

>Clean ssd (nothing installed);
>Created a fresh gpt drivetable;
>formatted as a single partition to test (ok);
>Started EasyDD and picked the 1.2.9.1 ..gz file.

It said it was installing(, in the reverse order to start with)? But at the end, when it said it was finished, I noticed the drive letters for the boot usb had changed from sdb to sdc and only the sdc2 was still on the screen????.

A reboot back into 1.2.9.1, and gparted showed that it was a blank drive (no partitions), any suggestions where to go from here, or have I found you another bug.

I will have a go with 1.2.9 tomorrow and report that (as a Edit: here) in case it's a kernel thing, can't think of what else as previously it had 0.8.1 which worked ok.


EDIT: 1.2.9 installed without a problem, all working ok, looks like something else to sort out for the new kernel.


You have booted from a USB-stick, which was sdb, and afterward changed to sdc?!!!

That is very wrong, something seriously amiss.

What device name was the ssd? /dev/sda?

EDIT:
Thought about it some more, and perhaps nothing is actually wrong. Drive letters (sda, sdb, etc) are assigned by the kernel in the order in which the drives are found, and the kernel usually finds internal fixed drives first.

If the ssd is suddenly available after bootup, maybe the kernel has decided to reassign the letters. Not what I would expect, but conceivable. No, not what I would expect at all, very odd. Might be a 5.4 kernel thing.

You would have been better off, after having created the gpt on the ssd, reboot your usb-stick, and the drive letters will then be assigned correctly.

EDIT:
Thinking about it again, and no, something must be wrong.

_________________
https://bkhome.org/news/
scsijon

Joined: 23 May 2007
Posts: 1565
Location: the australian mallee

PostPosted: Thu 12 Dec 2019, 21:47    Post subject: Re: ssd install fails  

BarryK wrote:
scsijon wrote:
Can't seem to install pyro 1.2.9.1 via EasyDD frontend for dd to a Lenovo Thinkpad with a 128gb sata3 ssd in it.

>Clean ssd (nothing installed);
>Created a fresh gpt drivetable;
>formatted as a single partition to test (ok);
>Started EasyDD and picked the 1.2.9.1 ..gz file.

It said it was installing(, in the reverse order to start with)? But at the end, when it said it was finished, I noticed the drive letters for the boot usb had changed from sdb to sdc and only the sdc2 was still on the screen????.

A reboot back into 1.2.9.1, and gparted showed that it was a blank drive (no partitions), any suggestions where to go from here, or have I found you another bug.

I will have a go with 1.2.9 tomorrow and report that (as a Edit: here) in case it's a kernel thing, can't think of what else as previously it had 0.8.1 which worked ok.


EDIT: 1.2.9 installed without a problem, all working ok, looks like something else to sort out for the new kernel.


You have booted from a USB-stick, which was sdb, and afterward changed to sdc?!!!

That is very wrong, something seriously amiss.

What device name was the ssd? /dev/sda?

EDIT:
Thought about it some more, and perhaps nothing is actually wrong. Drive letters (sda, sdb, etc) are assigned by the kernel in the order in which the drives are found, and the kernel usually finds internal fixed drives first.

If the ssd is suddenly available after bootup, maybe the kernel has decided to reassign the letters. Not what I would expect, but conceivable. No, not what I would expect at all, very odd. Might be a 5.4 kernel thing.

You would have been better off, after having created the gpt on the ssd, reboot your usb-stick, and the drive letters will then be assigned correctly.

EDIT:
Thinking about it again, and no, something must be wrong.


Quote:
You have booted from a USB-stick, which was sdb, and afterward changed to sdc?!!!


Yes, a 1.2.9.1 stick that works ok too, even when plugged into the laptop in question.

That's what I thought, sdb shouldn't become sdc, but it does when I use 1.2.9.1.

The ssd is sda in both 1.2.9 and 1.2.9.1 usb booting (with sda1 boot and sda2 working partitions with 1.2.9 installed).

Quote:
You would have been better off, after having created the gpt on the ssd, reboot your usb-stick, and the drive letters will then be assigned correctly.
I have already tried that, no change, still 1.2.9.1 fails.

As I am not actually using the laptop at present (will do in Jan when I start writing again) I'm leaving it for now so both you and I can have a think about it.

It doesn't make sense other than somehow the Disc Partition table is getting ?re-initialised, or is it? as part of the EasyDD frontend process (?or does dd do that) even though it's ok with 1.2.9.

Can I have a copy of your new kernel's DOTconfig file please, maybe scanning through it I can see something amiss or newly added.

Oh, and there is nothing in any of the logs (both good and bad) to help, I tried that step first.