EasyOS version 2.3.2, June 22, 2020

For talk and support relating specifically to Puppy derivatives
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#631 Post by rufwoof »

BarryK wrote: If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used.
Older browsers have their vulnerabilities published along with descriptions of the fixes. Some of those include code-execution vulnerabilities ... so a hacker knows where to focus their efforts to potentially exploit anyone who is running an older/unpatched browser. Outbound internet traffic is rarely monitored, and neither are the returns from those outbound requests, so if a breach can install into memory even a small module that simply loops send-requests to the hacker's IP and executes whatever command is returned, the hacker has in effect bypassed the firewall. Something like exit-root is just one of the things that might be tried, along with a barrage of others such as scanning around the LAN to see what other devices/systems might be available to have persistent code installed on. Imagine a browser flaw that enabled installation into memory of a wget'd file from a hacker's site, executing that file in the background ... a looping type script sending the standard and error outputs out as further http requests ...

I strive to change my user-agent, as revealing your browser version and operating system is a great aid towards targeted exploits. Faking your user-agent can vastly reduce the chances of an initial penetration (wrong exploits/code that won't work thrown at you). Only running root at the console (not under X) is yet another risk reduction choice. The entire 'nix file structure and permissions are geared with security utmost in mind. As are other barriers such as W^X (write exclusive-or execute, i.e. memory space restricted to being write only or execute only, not both), randomisation (so the structure of memory space changes rather than following a consistent pattern), Pledge (applications assigned sets of things that they are permitted to do, but prevented from accessing commands/files outside of that) ...etc.

Security isn't just your data/PC, but anyone and anything else sharing the same LAN.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#632 Post by belham2 »

rufwoof wrote:
BarryK wrote: If you are running, say, Firefox, in a container, I don't know how the existence of a utility such as exit-chroot can be used.
Older browsers have their vulnerabilities published along with descriptions of the fixes. Some of those include execution of code vulnerabilities ... so a hacker knows where to focus their efforts to potentially exploit anyone who is running an older/unpatched browser......

Security isn't just your data/PC, but anyone and anything else sharing the same LAN.

This confuses me. A lot of us rip samba (or any file sharing service) out of our puppies/ddogs, and also erect a firewall that automatically blocks cifs/rpc/rsync/rdp/ssh/telnet/ftp/smtp and (if applicable) NetBIOS, along with routers (and their firewalls) that are even more hardened than this.

Thus, in a setup like this, just how, when, where and why would it matter what browser you are running? Any hacker will be stymied at every stop trying to execute anything in memory coming out of the browser. And if you are 100% in RAM, with daily reboots, it's game over for anyone trying to come in through memory (and a browser). Plus, any looping process by a hacker-installed memory applet will be hugely noticeable in how the CPU is acting.

Containers (and not just in Barry's Easy) emulate and/or help in this process a lot, so I am stumped here at the reasoning....

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#633 Post by rufwoof »

belham2 wrote: This confuses me. A lot of us rip samba (or any file sharing service) out of our puppies/ddogs, and also erect a firewall that automatically blocks cifs/rpc/rsync/rdp/ssh/telnet/ftp/smtp and (if applicable) NetBIOS, along with routers (and their firewalls) that are even more hardened than this.

Which blocks inbound. There are no firewalls on outbound. The objective for a hacker is to get that first outbound going, as the system will treat that as an outbound request and allow both that and the returned content/reply through.

belham2 wrote: Thus, in a setup like this, just how, when, where and why would it matter what browser you are running?

Because a 'faulty' browser might enable things to be loaded into memory and, in effect, the instruction pointer directed to that. If say you visit a malicious web site and view the content, the content of an image file for instance could include instruction code: do something, jump 20 forward for the next instruction and do that instruction, jump 30 forward ... etc. In other words a program that YOU downloaded into memory. Looked at as just an image, and that image might look totally normal, or it might not even be seen, just downloaded along with html instructions to size the display of that image to just one pixel. The tricky part for hackers is getting the instruction pointer to point to the very first instruction of their program; a faulty browser (or other such) exploit opens up the potential for that.

belham2 wrote: Any hacker will be stymied at every stop trying to execute anything in memory, coming out of the browser. And if you are 100% in RAM, with daily reboots, it's game over for anyone trying to come in through memory (and a browser).

After initialisation of a program ... a lot can happen very quickly. An open window of even a few seconds can be more than enough time. Having penetrated even most briefly, most hacks will look around for potential means to remain persistent one way or another. Having root/full access to disk/devices etc. makes finding such an option more likely compared to running restricted.

belham2 wrote: Plus, any looping process by a hacker-installed memory applet will be hugely noticeable in how the CPU is acting.

Only if the program is permitted to run away wildly; most hackers would consider that and adjust their programs accordingly. We are after all talking in very simplistic terms here; in practice things are way more complex. Big data for instance, where even allowing sites to see what OS, browser, screen resolution ... etc. you are using ... along with other measures, can enable you to be individually identified (or at least into a sub-set group of limited numbers).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#634 Post by rufwoof »

Bug list as usual with Puppy, way way too long.

Jwm and Rox are a great partnership but Puppy destroys that.

One example, add a rox panel to the top of screen and no matter what it will be covered by maximised windows, even if you set rox to leave space for the panel, or other associated settings (remain on top ..etc.).

Desktop drive icons, if you set them to be further up to allow for a larger tray, get reset. Desktop icons: remove them and they reappear (I prefer the convenience of dropping icons into the rox panel so you can drag/drop there instead of having to showdesktop to drag to a desktop icon). Use jwm desk setup to edit jwm and add another jwm tray to the left, say (I prefer Dock to be over there and have a bottom panel that auto-hides and shows menu and tasklist), and Puppy decides to rearrange all that to how it thinks it should be arranged (that doesn't work). The bloat of all the GUIs to tweak this and that simply ruins things. Far better to learn a bit of XML syntax and have just a few links to the relevant files (.jwmrc etc.) in which you can 'code' all of your startup commands and configuration. Usable only if you strip out much of the bloat.

But that's all aside from Pyro 0.9. The only issue I've found so far is that if you move a container to the rox panel and remove the desktop icon, it reappears on the desktop again at the next reboot. But again that's not Pyro but Puppy.

Something odd with seamonkey font size settings. Had super small fonts initially, but after playing around with UserChrome.css both outside and inside of containers I got that settled.

UTC wasn't set by default, so the first time I set up, the clocks in my other boots were all out by an hour.

Pyro wise I've tried multiple creation/deletions/restores etc. and all seems to work well. I've mostly used terminal containers and just built and run things inside each container, running rox and seamonkey etc. and that's all worked well. Did try running as spot but that didn't work (nobody permissions on the spot folder).

Concept seems to be working well. Particularly like the introduction (simple/third part) text about containers, found the first two technical text documents to be a bit too glazing.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#635 Post by rufwoof »

A workaround trick for a rox panel having maximised windows covering it is to create a second jwm tray using jwmdesk manager, put that for instance over to the far top right, and then create a rox panel of the same height/background colour.

I set the bottom (main panel) to be central and autohide, increasing its height and just left the MENU, showdesktop, tasklist and xload in that tray. The top right tray I set to show the date and dock.

The rox panel (rest of top of screen) now remains visible when a window is maximised, and being a rox panel you can drag/drop files onto those icons (or use the middle mouse button to drag/move to rearrange those icons). Adding an icon to the panel is also just drag and drop.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#636 Post by rufwoof »

This looks interesting: xchroot, http://www.elstel.org/xchroot/. It saves on trying to get xhost localhost:0 type X redirections going between the standard Pyro and the container.

I changed spot password to one I'd know

passwd spot
spot
spot

I edited /usr/sbin/chroot so as to use xchroot instead of busybox chroot

and then created a sakura container

ec-chroot sakura

... which xchroot'd into a sakura session ... as root.

I then created a simple script ....

#!/bin/sh
login
exit

chmod +x that script and ran it. When prompted to login I logged in as spot (using the spot password I had set earlier).

Running leafpad and up popped the x-window for leafpad :)

chroot not allowed. Type exit and the exit after the login command in the above script has it disconnect from the container session.

I've messed around with things so much that my current version of Pyro is untidy, so I'm going to re-dd another fresh copy and see if I can repeat the above in the same manner.

Conceptually whilst logged into a cli in the container I should be able to install firefox via PPM and then login as spot and run that ... at least that's my thought-train.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#637 Post by rufwoof »

ssh/ssh-gui not X forwarding

I have a BSD server behind my main Virgin Hub (ISP provider's router) that serves as my server. I also have netsurf installed on that headless system. Another router's WAN connects to that Virgin Hub's WAN and all other PCs/systems connect to that second router, i.e. LAN isolation.

More usually I ssh -XC user@192.168.1.x from one of the 10.0.0.x PCs that are behind the second router and then run netsurf, and X is forwarded correctly, i.e. a browser window is shown. echo $DISPLAY from the ssh cli typically shows localhost:10 or whatever. However using Pyro, both ssh and ssh-gui with the X forward option selected show an empty $DISPLAY, so running anything X over ssh doesn't work (xcalc, xedit, netsurf ..etc for instance just show cannot open display).

Yes, I did try turning off the firewall etc. And to confirm, I did manage to ssh X using Lucid 525 (which I used to post this).

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#638 Post by BarryK »

rufwoof wrote: I've messed around with things so much that my current version of Pyro is untidy, so I'm going to re-dd another fresh copy and see if I can repeat the above in the same manner.
One thing that needs to be improved is the rEFInd boot menu, for UEFI-firmware PCs.

You have to press the F2 key to bring up a submenu, and then there is the option to "rollback".

Firstly, the sub-menu is not obvious, and I should really see if those items can be placed on the main menu.

Secondly, "rollback" actually wipes the read-write layer entirely (the .session folder), going back to a pristine first-bootup situation.
The description in the menu doesn't really state that.

Anyway, you could use that option to wipe everything, without having to do another install.

But it doesn't remove the containers, you would have to use the Container Manager to delete them.
https://bkhome.org/news/

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#639 Post by BarryK »

Guys,
I am not being very responsive to feedback right now, will get onto it soon.

Currently working on getting many old "puppy apps" to compile with aarch64 (64-bit arm) on my fork of OpenEmbedded.

Blog post:
http://bkhome.org/news/201804/first-oe- ... dates.html

Was very pleased this morning when I got 'gwhere' to compile. This is a very old gtk2 app that has been in the pups from the early days, and I still have it in Easy/Quirky -- though I have no idea if anyone uses it!

Unfortunately, I might have to retire inkscapelite. I got it to compile for aarch64 in OE and x86_64 in Easy -- but in the latter case it crashed at startup.
The binary compile for April Quirky, in T2, still works.
Could trace it at startup, but more inclined to let it RIP.

What got me thinking about aarch64, is Google announced that Android will be all-64-bit by 2020, or something like that.

stemsee

#640 Post by stemsee »

I have just used EasyShare to connect on a public encrypted AP with my HP cherrytrail tablet and Panasonic Lumix FZ82 (4k bridge camera) to transfer files from camera to Easy-OS. Only one problem encountered: in the samba setup GUI it does not mention that the username must be specified from the other end, which is 'root'. Then connected and sent from the camera to the shared folder/directory. Great! Next time I will try a direct connection and report.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#641 Post by rufwoof »

Something to think about: rover could be set up as default on all containers.
After setting up ssh and opening up ssh in the firewall etc., I was able to ssh log in as rover with X forwarding set (had problems with using the -XC ssh command that implements authorisation, but -YC was fine, and being the same desktop -Y is fine).

Tried a few security things such as trying to sudo, su, run gparted ...etc. and they were all blocked as desired. Running programs such as galculator and the window popped up as expected.

Did try running seamonkey and seamonkey -no-remote, but both of those failed (segmentation dumps).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#642 Post by rufwoof »

I've set Pyro to not auto login so I can login as either rover or root. Set .jwmrc up for rover along with a rox panel at the top and it's working well.

Can alt-Fn between consoles and just have to exit-X and run xwin to switch between root and rover gui desktops.

Haven't got sound working yet, and in rover it complains about /sbin/pup_event.ipc - but just flipping to the second desktop avoids that prompt; otherwise rox, sakura, seamonkey, libre calc/write, geany/leafpad, mtpaint and galculator all work fine under rover.

scsijon
Posts: 1596
Joined: Thu 24 May 2007, 03:59
Location: the australian mallee

#643 Post by scsijon »

Do I need another driver or something for a Blu-ray drive (LG M-disc BH16NS55) with Pyro64 0.9? It's only working as a basic CD Drive at present.

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#644 Post by don570 »

Tested version 0.9 and it works well!!

Tested mypaint 3 and Blender 2.7.9
________________________________________

I put together a package of right click utilities
and made them available to Easy linux users
Right-click-Easy-6.9.0.pet

http://murga-linux.com/puppy/viewtopic. ... 333#989333

___________________________________________

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#645 Post by rufwoof »

Pyro64 0.9. Running from a 2GB MMC card

Posted image using Firefox Quantum 59.0.2 from within a sakura container

Downloaded from Firefox, extracted in /tmp and then copied the firefox folder over to the container's /usr/lib folder (/mnt/wkg/containers/sakura/container/usr/lib), started the sakura (terminal) container and ran the firefox executable.

Playing a youtube, but no sound (on-screen suggestion is to install pulseaudio). Captured the image with mtpaint from outside of the container, resized and saved that to the container's /root folder, before posting here using that container's Firefox window.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#646 Post by rufwoof »

Created a directory squashfsroot and within that created folders of /usr/lib and copied the /usr/lib/firefox folder into that. Made a sfs (mksquashfs squashfsroot firefox.sfs) and both root and rover outside of the containers can use that firefox.sfs OK (after having copied it to the relevant directory and set it to be mounted in bootloader).

If however I use container editor to add that as a SFS for the sakura container I created, it doesn't load the sfs within the container (I had removed /usr/lib/firefox from within the container and rebooted prior to trying to load the sfs).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#647 Post by rufwoof »

Made a little progress with running the rover userid in a container, notes so far:

Create a container for sakura (i.e. terminal) making sure that the Namespace for "user" is unticked when creating the container.

Start/run the sakura container i.e. clicking its desktop icon.

As root create a /home/rover/.profile file, adding the values

HOME=/home/rover; export HOME
DISPLAY=:0; export DISPLAY

to that file, and save it (not sure if the Bourne export format should be used, as echo $0 shows sh; however /bin/sh links to bash, so maybe it's the export DISPLAY=:0 format???).

Edit the /usr/bin/seamonkey script to also test for rover in a similar manner to how it tests for spot, so that it points to rover's /home/rover folder rather than /root (another if ... else statement); that will ensure it creates the seamonkey cache etc. in the correct folder for rover.

Change /etc/profile.d/pup_gtk from hard coded /root/.gtk... to ~/.gtk..

Add rover to the audio group (adduser rover audio)

Exit the container and restart it again. Make sure you know the password for rover i.e. perhaps passwd rover ... and enter woofwoof twice as the password (or whatever)

Login to rover (login rover ... and enter woofwoof password).

Run seamonkey (or rox or whatever) ... and you're running as rover.

Logout back to root with exit.

Rover can't run ppm, i.e. at the command line type ppm and it will prompt for the root password but reject the request as not having permissions; however as root you can run ppm in the container and add programs ...etc. rover can also su and then run ppm OK, but of course it needs to know the root password, and that could be disabled (removed from sudoers or whatever).

Ideally, for better security once set up, login to rover should be automatic when you start the container, the container should close when you 'exit' out of rover, and su should be disabled. That way the only way to change things (add programs or whatever) would be to use the normal (non-container) access to add rover to sudoers, then login to the container, su and do whatever, and then remove rover from sudoers again.
Last edited by rufwoof on Mon 23 Apr 2018, 04:27, edited 1 time in total.
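The file edits from the steps above, collected into a few POSIX sh functions as an added example (this is not rufwoof's script and not part of EasyOS). The functions take the container root as an argument, so they can be applied from outside the container (for instance to /mnt/wkg/containers/sakura/container) and are safe to re-run. Assumptions: the root contains etc/group and etc/profile.d/pup_gtk; the .profile lines use the VAR=value; export VAR form, which behaves the same whether /bin/sh is bash in POSIX mode or a plain Bourne shell; pup_gtk's /root/.gtk... paths are replaced with $HOME/.gtk... rather than ~, because ~ does not expand inside a quoted assignment; and the audio-group step edits /etc/group directly, which is the effect of adduser rover audio on the running system. The seamonkey script edit is left out since that script's contents are not in the post.

```shell
#!/bin/sh
# Added example: prepare a container root so the unprivileged user rover can
# log in and run X programs. Not an EasyOS script; $1 is the container root,
# e.g. /mnt/wkg/containers/sakura/container (assumed to contain etc/group and
# etc/profile.d/pup_gtk).

# Write rover's .profile. "VAR=value; export VAR" works in every sh.
write_rover_profile() {
    root=$1
    mkdir -p "$root/home/rover"
    cat > "$root/home/rover/.profile" <<'EOF'
HOME=/home/rover; export HOME
DISPLAY=:0; export DISPLAY
EOF
    # on the real container root, also run: chown -R rover "$root/home/rover"
}

# Replace hard-coded /root/.gtk... in pup_gtk with $HOME/.gtk... so the same
# file serves root and rover. sed -i is avoided because it is not POSIX.
patch_pup_gtk() {
    f=$1/etc/profile.d/pup_gtk
    [ -f "$f" ] || return 1
    sed 's|/root/\.gtk|$HOME/.gtk|g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# True when user $2 is listed as a member of group $3 in $1/etc/group.
in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1/etc/group"
}

# Append user $2 to group $3 in $1/etc/group (the effect of "adduser rover
# audio" on the running container). Returns 1 if the group does not exist;
# does nothing if the user is already a member.
add_to_group() {
    root=$1; user=$2; group=$3
    gf=$root/etc/group
    grep -q "^$group:" "$gf" || return 1
    in_group "$root" "$user" "$group" && return 0
    awk -F: -v u="$user" -v g="$group" 'BEGIN { OFS = ":" }
        $1 == g { $4 = ($4 == "" ? u : $4 "," u) } { print }' "$gf" > "$gf.tmp" \
        && mv "$gf.tmp" "$gf"
}

# Apply all steps to the container root given as $1.
prepare_rover_root() {
    write_rover_profile "$1" && patch_pup_gtk "$1" && add_to_group "$1" rover audio
}
```

After running prepare_rover_root on the container's directory, set rover's password and log in inside the container as the post describes; the group edit takes effect at rover's next login.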

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#648 Post by rufwoof »

Pyro 0.9 security audit

See https://docs.oracle.com/cd/E19683-01/81 ... index.html and https://docs.oracle.com/cd/E19683-01/81 ... index.html


inside pyro 0.9 container ...
find / -type f \( -perm -4000 -o -perm -2000 \)
...

/usr/bin/Xorg
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/expiry
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/toppler
/usr/lib/pppd/2.4.7/pppoatm.so
/usr/lib/pppd/2.4.7/rp-pppoe.so
/usr/libexec/dbus-daemon-launch-helper
/usr/libexec/ssh-keysign
/usr/libexec/xf86-video-intel-backlight-helper
/usr/sbin/cgi-wrapper
/usr/sbin/hiawatha
/usr/sbin/mtr-packet
/usr/sbin/pppd
/usr/sbin/pppoe
/bin/mount-FULL
/bin/su
/bin/umount-FULL
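As an added example (not from rufwoof's post and not an EasyOS tool), the find one-liner above can be turned into a repeatable audit: list the setuid/setgid files under a given root, compare them with a saved baseline, and report anything that has appeared or disappeared. Pointing it at a container's directory from outside (e.g. /mnt/wkg/containers/sakura/container) or at / from inside both work. The baseline file format (one absolute path per line, # comments allowed) is my own assumption.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files under a root directory against a
# baseline allow-list. Not part of EasyOS; the baseline format is assumed.

# Print every setuid or setgid regular file under $1 as an absolute path
# (/usr/bin/su rather than ./usr/bin/su), sorted bytewise so comm(1) can
# compare the list with the baseline.
list_privileged() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null ) \
        | sed 's|^\./|/|' | LC_ALL=C sort
}

# Compare the live list under root $1 with baseline file $2.
# Prints "+ path" for privileged files not in the baseline (investigate them,
# or drop the bit with chmod u-s / g-s if they are not needed in the
# container) and "- path" for baseline entries that have gone.
# Returns 0 when live and baseline agree, 1 on any difference.
audit_privileged() {
    root=$1
    baseline=$2
    live=$(mktemp) || return 2
    expected=$(mktemp) || return 2
    list_privileged "$root" > "$live"
    # baseline: one absolute path per line; blank lines and # comments ignored
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$baseline" | LC_ALL=C sort > "$expected"
    unexpected=$(comm -13 "$expected" "$live")
    missing=$(comm -23 "$expected" "$live")
    rm -f "$live" "$expected"
    status=0
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | sed 's|^|+ |'
        status=1
    fi
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's|^|- |'
        status=1
    fi
    return "$status"
}

# Usage inside a container, after saving a baseline from a known-good state:
#   list_privileged / > /root/suid-baseline.txt
#   audit_privileged / /root/suid-baseline.txt
```

Saving the baseline right after the container is created, and re-running the audit before trusting a session, gives a quick check that nothing has added a privileged binary to the container's read-write layer.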

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#649 Post by rufwoof »

In the desktop icon for my sakura container I right-clicked, chose text edit for the file and added a login parameter so it looks like:

#!/bin/sh
exec ec-chroot sakura -l

Opening the container and, in /root, creating a .bashrc containing:

#!/bin/bash

# Number  SIG      Meaning
# 0       0        On exit from shell
# 1       SIGHUP   Clean tidy-up
# 2       SIGINT   Interrupt
# 3       SIGQUIT  Quit
# 6       SIGABRT  Abort
# 15      SIGTERM  Terminate

# Whichever of those ends the session, leave the container shell as well.
finish()
{
  exit
}
trap finish 0 1 2 3 6 15
# Prompt for a login (e.g. rover); when that session ends, so does this one.
login
exit

results in a login prompt being provided when the sakura container is opened, and the container shuts down after you exit, ctrl-c or whatever from that session.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#650 Post by rufwoof »

To help reduce confusion when running rover in a container, I've modified its .profile to

DISPLAY=:0; export DISPLAY
PATH=$PATH:/home/rover/bin; export PATH
rox --pinboard=/home/rover/.pinboard

so that when I click on the sakura container and log in as rover, instead of just a terminal window on the same (main) desktop, it switches the desktop pinboard, on which I can drop icons that are from within the container, whilst the tray menu etc. are still root level (non-container). Which means you can also open a root-level rox-filer window and drag/drop files between that and a rover-level rox-filer.

It's really neat having root and the restricted user rover running layered like that. Seamonkey running as a restricted user (rover) in a container, but where you can select text from within the browser window and paste that into a root-level text editor ... or whatever.

Still a bit confusing at times however; for instance you can't drag/drop files from a rover rox-filer into a root rox-filer as it hasn't the permissions, you have to go the longer way around and open two root-level rox-filers with one showing /mnt/wkg/containers/sakura/container/home/rover ... or wherever inside the container ... and that folder disappears once the session is disconnected (logout of rover). Neatly, the rox pinboard also automatically disappears when you log out of rover to reveal the normal root pinboard as before.

Frankly I think Pyro is awesome; Barry's done an outstanding feat: Puppy programs/scripts, root and restricted users running on the same desktop, with version controls etc. I've now installed it frugally to HDD as the 2GB MMC card I was using was getting close to being full.
