Why I don't like running as root (in Puppy)

For discussions about security.
Message
Author
User avatar
MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany
Contact:

#31 Post by MU »

You can start Puppy with several pup00x

You could modify your grub-menu like this:

Code: Select all

title Puppy for Walter
        rootnoverify (hd0,0)
        kernel /puppylinux1.0.6/vmlinuz root=/dev/ram0 PFILE=pup001-PasSwOrD1
        initrd /puppylinux1.0.6/image.gz

title Puppy for ME
        rootnoverify (hd0,0)
        kernel /puppylinux1.0.6/vmlinuz root=/dev/ram0 PFILE=pup002-PasSwOrD2
        initrd /puppylinux1.0.6/image.gz

Mark

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#32 Post by GuestToo »

you can run X as an unprivileged user (for example, spot) fairly easily ... (setuid X and tinylogin, setup config files in /root/spot, chmod or chown or delete a file or 2 in /tmp, su spot, type xwin)

rxvt/aterm will not run as spot ... i tried a few things like xhost and setuid root, but didn't get it to work ... i have not tried changing the configuration in inittab yet (i would need to remaster Puppy or install Puppy to a hard drive, option 2) ... rxvt will run as root, so terminals are still available

many or most dotpup and pupget packages assume Puppy runs as root and assumes $HOME is /root ... they assume the configuration files, like menus, are in /root and that you have write permissions to /root ... MUT and pmount assume you have supervisor powers ... and things like "my-documents is owned by root" need to be fixed

it can be done, but it will break a lot of 3rd party packages ... running as root is less safe, but it is simpler

User avatar
Alucard_the_dex
Posts: 317
Joined: Wed 05 Oct 2005, 01:53

#33 Post by Alucard_the_dex »

I keep getting Told to stop running as a root in IRC @.@
~Puppy Linux~ Where mans best friend becomes PCs best friend

User avatar
aahhaaa
Posts: 341
Joined: Fri 07 Oct 2005, 03:21
Location: Lower Michigan, North America

#34 Post by aahhaaa »

I don't see a lot of consensus here on actual facts... :?

its one thing to say 'can't happen' when you are really competent with Linux and have the knowledge to see a prob if it develops, but the advice is being given to everybody...

almost everything I've read about Linux in general says 'DON"T RUN AS ROOT unless you have to, and offline.' I'd like something pretty solid to contradict that, and expect most first-lookers would too. I understand about the CD providing some immunity to screwups & malware, but...

...manyof the people here are at least partially HD installed as dual boot with a WinOS. While Win is dormant, the HD & CPU are not. I'm real fuzzy on what might get thru an open port in this situation, but I've discovered that Symantec 'doesn't support' dual boot machines of any kind. With corporate pirates getting into rootkits, etc* I'd guess there could be a problem.

*I know this isn't the same as running in root. But, doesn't 'not running in root' confer a sort of blanket protection in writing to the HD? Then the write file attribute is checked first for everything right?

sorry for that confusing sentence, best I can put it... sorry if I don't know something basic here. :roll:

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#35 Post by Flash »

Some people are said to have installed the Sony rootkit in their computers at work where I presume they were not running as root. If that's the case, maybe the whole root argument is moot.

User avatar
aahhaaa
Posts: 341
Joined: Fri 07 Oct 2005, 03:21
Location: Lower Michigan, North America

#36 Post by aahhaaa »

Flash- & that's a hoot. :wink:

Dex

#37 Post by Dex »

I think puppy shoudl come with its system files undeletable. I think lobster was the one who posted on how to do that. If puppy did running aas a root would be a Little less dangerus and plus new comers wouldnt be able to delete system files ^_^

User avatar
rarsa
Posts: 3053
Joined: Sun 29 May 2005, 20:30
Location: Kitchener, Ontario, Canada
Contact:

#38 Post by rarsa »

System files are on the LiveCD so they are undeletable ;)

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#39 Post by Pizzasgood »

Most of the ones in /root (and thus /etc) ARE editable. Some are overwritten with each boot, though.

The stuff in /usr can be "deleted" through the use of union fs, but it's still there in usr_cram.fs, just hidden from Puppy.

Everything else is invincable.

And, even the stuff you do edit can be regained if you delete your pupfile, because the data on the cd is still there.

That only applies to non-hd installs, though.


I for one like being able to edit. That's one of the problems I have with Windows. It's always trying to operate itself and block me from tweaking it. If I want to crash my computer, I have that right. Puppy might think I'm killing him, but I'm really giving him a heart transplant.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

HypoCee

Some Of These Users Are Not Like The Others

#40 Post by HypoCee »

Counterexample to the argument that "It's a LiveCD, so who cares about security?": I just discovered Puppy a few days ago, and so far I'm loving it. I do lots of system modification, though, and I'm not going to deal with popping the disc in an out all the time, so I had planned from the start for a HDD install. It was while looking for details on the process that I discovered this thread, and it's really pulled me up short to discover that there is no realistic way to run as a non-root. I come from a partial OpenBSD background and I need sub-root users for the stuff I do, for fun and for work, on a daily basis. I need to be able to set up guest logins who can only access specific folders, I need to have safety checks on some files for my own convenience, I need to have support for different desktops and profiles without rebooting and cryptic cheatcodes, and I need to run various servers with unproven stability under their own access rights. It's a shame - Puppy's still great (I love elegance) and it's still going to go on my MP3 player, but I had planned to use it as the base for a minimalist, serious Linux desktop. I look forward to doing so when it goes multiuser.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#41 Post by GuestToo »

i just happened to be experimenting with running the xorg X server as user spot (Puppy 1.0.7 beta)

you need to copy some of the config files from /root to /root/spot ... and
chown -R spot:spot /root/spot/

shut down X (you can press ctrl+alt+backspace)
type:
rm /tmp/xerrs.txt
su spot
cd
startx


screenshot

i've tried various things to get rxvt to work ... xhost, setuid bit of rxvt, etc etc ... i haven't tried inittab yet ... i can run rxvt as user root anyway

/root/my-applications/bin/rxvt3:
#!/bin/sh
exec su -c /root/my-applications/bin/rxvt4 - root

/root/my-applications/bin/rxvt4:
#!/bin/sh
. /etc/profile
rxvt -e bash "$@"

to open an rvxt window running as root from spot, click the rxvt3 script

for spot to be able to use su, tinylogin has to be setuid root:

chmod u+s `which tinylogin`

it might be possible to put rxvt4 in rxvt3 by using { }
. /etc/profile would probably not be necessary if rxvt opened as a login shell

anyway, the xorg X server will run as spot about the same as xvesa will

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

Linux firewall in Puppy Tardis

#42 Post by Lobster »

Barry is replacing Morizot with Linux firewall in Puppy Tardis
that should put Puppy in full stealth mode again

When running a new version of Puppy I run the firewall wizard
then connect to the internet

that is the extent of my security

The last attack was from a porn site that I was accessing for research purposes [I have no interest in human sexuality - which is quite normal - right?] :oops: yeah right . . .

:) anyways . . .
using a javascript link the site placed some dll files on my computer (ever hopeful) I just laughed and deleted them

dll files are the same as executibles (but on Windows) and can then be called or run once they are on a windows machine

Most of the distros I use, I set them to auto log in
I am happy to run as spot (user) or root if this remains automatic

Fear of shadows is the mind killer
I recently sent a security bulletin to our senior developers via an image

Go and watch kids - they open every channel - download from any site and still manage to use that Windows thing

Fear of shadows is the mind killer
Who us spreading FUD and who is spreading solutions? 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

LarryDC
Posts: 4
Joined: Tue 03 Jan 2006, 14:47
Location: Riverside RI, EE.UU.

Hard Disk Install needs a user login

#43 Post by LarryDC »

I' m with HypoCee on this one.
After a day of trying to get Austrumi to boot as a user ( I think it users the same busybox tinylogin as Puppy) I gave up in frustration & installed (Option 2) Puppy 1.07 w/ Mozilla over it. BEWARE: Austrumi automatically mounts the 17 partitions on one hard drive & then the 4 on my other drive, every time it boots. Then when it would hang because I was trying a for a non-root login, all the partitions were shut down " uncleanly" - luckily I use reisrfs on most of them.

Then I read this thread and did try the adduser but had worse problems than spot.

So like Austrumi it is coming off & will be used only as a live CD.

This would make an EXCELLENT fast booting distro for quick use on a multiboot system as well as a great system for small hardrive... donated (I work for a low income school district) but IMHO it MUST allow none root logins & use.

It is still in my carry around Live CD pack - it boots flawlessly via Xorg. Unlike Austrumi 0.99 which has a bug that won't parse long ddc monitor names like " Visual Sensations" correctly and will not run x-window on this machine without editing /etc/xorg.conf manually to trim the offending line.

I will be checking back to see if a user login gets implemented in the future.
Otherwise great distro.

muskrat
Posts: 24
Joined: Sun 03 Jul 2005, 17:46
Location: Gulf Coast TX-MX
Contact:

#44 Post by muskrat »

You all mentioned Sheilds Up, I have run several test in the last few days and have gotten the same results.

I get three ports Open(RED) on my report. HTTP, FTP, and Telnet. But here's the Kicker those reports were done with the same PC, just swapping out HD's and distros. One was done with Debian 3.1 and Firestarter Firewall, the other was Slackware 10.2 no Firewall software (infact it wasn't even buttoned done for security), and the last one was Puppy 1.0.7 with the Firewall wizard run.

Debian nor Slackware have Telnet installed or running, Also the is no Web servers installed on ether one, as of yet I haven't exploered all of Puppy yet to say exactly what I havehere.

I'm using a DSL phoneline connect with a connected to my PC via a Cat5 cable. This modem can be accessed with a browser to do configuration of the modem.

So my question is, Is it posible that these ports are open on the modem even if my PC has all the ports closed? If so what kind of a threat does this pose for me and my boxes?
Steve (Muskrat) McMullen
http://www.muskratsweb.com
Registered Linux User #305785

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#45 Post by GuestToo »

Is it posible that these ports are open on the modem even if my PC has all the ports closed?
yes, i think so

if you have more than 1 pc connected to your dsl modem, the ports may be open on another pc ... all the pc's on your network will have the same internet ip address, and a scan will show open ports on your entire network

if you have only 1 pc connected to your modem, it may be the modem that is causing the open ports ... but it seems more likely that if those ports are open (connecting to running programs), they are connecting to running programs on your computer

User avatar
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#46 Post by BarryK »

Yes, I have stealthed ports on my pc.
For dialup, shieldsup shows them as all stealthed, but when I go to my friend's place and connect to Internet via router modem, the ports show as all closed, except telnet port is open.
...I guess though, my pc is still safe.

User avatar
jmarsden
Posts: 265
Joined: Sat 31 Dec 2005, 22:18
Location: California, USA

#47 Post by jmarsden »

This post is probably overkill,but:
BarryK wrote:Yes, I have stealthed ports on my pc.
For dialup, shieldsup shows them as all stealthed, but when I go to my friend's place and connect to Internet via router modem, the ports show as all closed, except telnet port is open.
...I guess though, my pc is still safe.
Yes. But your friend's "router modem" is probably not safe -- it leaves its telnet port open to the public Internet. That is what "shieldsup" found, almost certainly.

I suggest that your friend may want to reconfigure his router not to allow incoming telnet, unless there is truly a very good reason for him providing telnet access to his router (and so probably to his entire network, if someone guesses a router login/password!) to the entire Internet world!

BTW, in my view those Internet-based "security checkers" are generally not all that good at their job, and they allow anyone watching your traffic to/from them to see exactly what holes they find on your machine. In my view, it's better by far to use a local tool running on a second local machine on your (protected) local LAN to check host security and firewalls. That way, noone but you knows what the host's weaknesses are -- so you can fix them before anyone else exploits them! Try nmap and (if desired) Nessus to get started. Of course, if you only *have* a single PC available to you, and still need to do network-based security checking of it, something like "shieldsup" could be an appropriate solution.

Of course, before you even bother running "shieldsup" or setting up nmap on a second PC for checking a machine's network security, a quick

Code: Select all

# netstat -nl --inet
on the machine under test will tell you if you actually have anything listening on Internet sockets that might actually be worth firewalling :-) [[ I'm not running Puppy right now so I'm not sure if its netstat has those options... adjust as necessary, those are the common Linux ones for checking out server and desktop machines. On *BSD boxes, it would be closer to

Code: Select all

# netstat -na -f inet
but then you nede to readthe output more carefully, because it will contain established connections as well as listeners (network daemons/services). ]]

Jonathan

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#48 Post by GuestToo »

i don't think a router or modem should have a telnet port open either

the thing is, a router or modem is usually a little computer, with a cpu and ram and flash memory instead of a hard drive ... or it might have a hard drive ... so it is potentially as vulnerable as a computer is ... if a cracker can hack into your router, he can potentially gain full access to all the machines on your network

though why a router/modem would be running a web server or ftp server i don't know ... that is why i wondered if it was another computer on your network with the open ports

my grc test results

i don't really care about "stealth" ... closed ports are good enough for me ... though i have noticed that when you run completely "stealthed", there does seem to be a little less trafffic trying to worm into your system

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#49 Post by GuestToo »

by the way, the forum seems to imply that i started this thread Why I like running as root (in Puppy)

i did not ... i do not like running as root at all

the reason my name is attached to the thread is because the thread was moved, and it probably used my name because i was the last one that posted to the thread before it was moved

User avatar
jmarsden
Posts: 265
Joined: Sat 31 Dec 2005, 22:18
Location: California, USA

#50 Post by jmarsden »

GuestToo wrote:though why a router/modem would be running a web server or ftp server i don't know ...
Well, most consumer routers use a web server to provide their easy-to-use administration interface. By default they only serve web pages on their internal (LAN) interface, but often you can enable the web service (either http or https or both) on the external (WAN) side too if you so choose. It does sound as though this particular router may not be configured optimally, and I'd definitely encourage BarryK to let his friend know of this, and (if necessary) suggest that his friend seeks help in getting it more securely configured.

Jonathan

Post Reply