Setting up multiple users in Puppy

[Nathan F]

The Kdrive server (Xvesa) would be far easier to configure individually for each user because it does not read a global config file. Instead you pass it all arguments on the command line, including resolution. Not that it isn't possible with Xorg, it's just probably not as easy (and I've never investigated how because I haven't ever wanted to).

BTW biases: ="sudo"(editable @ users risk) is @!!## BAD !

Personal opinion I think. Sudo is no less secure than su, but if configured badly it can cause severe problems. Sudo allows the admin to specify which commands can be executed by whom with what permissions, and whether they need supply a password. Key points to remember when setting it up - don't allow users to run a program as root which they can escape to a shell from, ie you can easily open a terminal from most filemanagers. And specify the full path to each command, so users can't create an arbitrary program in their home directory with the same name, but malicious code. By contrast, giving the root password and allowing su means anything can be executed without any safety net.

Nathan

[Gn2]

Rationale is well understood - as is better alternatives:

Think group/wheel etal.
Then think Sys admin often owns wheels in danger of falling off

There is a REASON it is optional utility, not S.O.P.
For most "Sys Admins" sudo should have been spelt sloth.

They have yet to learn- playing w/own system does not translate:
Savoire sa lecon into insousciant "Don't put beans in your ears" !

[richard.a]

As a non-technical power user who has interfaced with other operating systems apart from Microsoft's over a number of years, may I make a few comments, trying to stay within the guidelines Nathan outlined in his first post.

Running as root does not frighten me, indeed I find it extremely frustrating with some operating systems I've tried where they go out of their way to prevent you from using the system in the way that you - the owner of it - wish and choose to do.

My experience shows that providing you are careful with how you use your computer, and what you do with it, it is no more or less likely to get invaded, blown up, or destroyed by running as user or root.

I accept the thoughts that as root you can del /*.*

However, if you run puppy in the way it was designed - an unimaginably fast Live-CD system, that keeps all the files it loads from read only by virtue of the media sitting in a read only CD drive, you can't destroy the OS by using puppy.

If you let a nastie in, so what, in actual fact. It isn't going to change anything except what is in RAM or swap file.

If you maintain your own personal file (read-write on an HDD) with regular backups, then if that does get destroyed, even then, so what?

I always back up my work as I go, and at the end of a session most times. Something when I taught AutoCAD users back in Version 2 days I continually emphasised.

With puppy you can restore a clean system and data in simple steps

1. reboot in pfix=ram mode,

2. copy back your pup_save.2fs (or 3fs) file and

3. then reboot again using the restored pup_save file.
It isn't hard, difficult, or really time-consuming.


Multiple users is another thing altogether. I wouldn't want others to browse through my documents, perhaps changing things, or deleting them.

Actually I developed a series of red-coloured root user wallpapers to suit a range of computer OS's (I won't call them distributions because that upsets Unix users - BSD anyway lol). I have published these explaining how SuSE gives its system owners the opportunity to use default wallpaper that continually reminds them of being "root". You should read some of the comments from some on the forums I've shared this information with!!

It isn't hard to make root logins work in KDE even if they've been prevented. Ubuntu is Gnome, and that's a dog of a different colour. I don't like Ubuntu anyway (not for that reason, lol)

I don't like having to keep entering the root password if I'm doing a task that needs root and I am only allowed to do it sudo. It is counter-productive.

You might be interested in looking at my "root wallpaper" page here but don't come back and flame this thread as you will incur Nathan's wrath as he laid down the ground rules in the first post. Like I did in the PC-BSD forums, but that didn't stop the slashdot types lolol

You might even like to look at the (currently four) pages of responses to that thread here.

Richard
Downunder

[Nathan F]

That's not a bad idea, and you gave me a good reminder. I used to have my system set up something like this, and also had things arranged so root used different gtk themes and such. That way even running just one program as root you can tell it visually. I also have my root shell prompt set up a bit differently (besides the standard $ for users, # for root). On the one machine root's shell prompt is always red, while everyone else gets plain green.

Anyway this is good advice for most situations. I need to institute this in my own projects as well.

Nathan

[jimhap]

Another reason Puppy REALLY NEEDS multiuser rebuild.......

Lots of software require multi user......
If you don't they say:

Can't run as root

(something like that....)

Now a real life software example.....

Ever heard of the very popular Xscreensaver?
After installing OpenGL(by Mesa3D) I compiled this.
Then installed it.
And typing xscreensaver in the prompt, an error....

sh-3.00# xscreensaver
xscreensaver: couldn't get user info of uid 65534
xscreensaver: 18:18:05: running xscreensaver-gl-helper: Permission denied
xscreensaver: 18:18:05: already running on display :0.0 (window 0x2800037)
from process 32070 (???@puppypc).
sh-3.00#

Now I wasn't a that much of a newbie, so I went to CHMOD the "xscreensaver-gl-helper"
to 777. It was successful in CHMODing, but running it again.....

sh-3.00# chmod 777 /usr/local/bin/xscreensaver-gl-helper
sh-3.00# xscreensaver
xscreensaver: couldn't get user info of uid 65534
xscreensaver: 18:20:38: running xscreensaver-gl-helper: Permission denied
xscreensaver: 18:20:38: already running on display :0.0 (window 0x2800037)
from process 32070 (???@puppypc).
sh-3.00#

And to find a little more details.....(killing the already running process.....)

xscreensaver: couldn't get user info of uid 65534
xscreensaver: 18:21:42: running xscreensaver-gl-helper: Permission denied
xscreensaver: 18:21:42: locking is disabled (running as <unknown>).
xscreensaver: 18:21:42: locking only works when xscreensaver is launched
by a normal, non-privileged user (e.g., not "root".)
See the manual for details.

Now for a surprise.... This wasn't that much of a detail, right? Look at this.....

sh-3.00# xscreensaver-demo
xscreensaver-demo: 18:24:18: we're still running as root! Disaster!
xscreensaver: couldn't get user info of uid 65534
xscreensaver: 18:24:23: running xscreensaver-gl-helper: Permission denied
xscreensaver: 18:24:23: locking is disabled (running as <unknown>).
xscreensaver: 18:24:23: locking only works when xscreensaver is launched
by a normal, non-privileged user (e.g., not "root".)
See the manual for details.
xscreensaver-demo: 18:24:28: we're still running as root! Disaster!
xscreensaver-demo: 18:24:31: we're still running as root! Disaster!

sh-3.00#

So you can see, xscreensaver DOES NOT want you to be root.

And even creating another user doesn't work!

Running is says access denied, and some errors...

And Puppy hates multi users!

sh-3.00# login demo
Password:
-sh: error while loading shared libraries: libreadline.so.5: cannot open shared object file: Permission denied
sh-3.00#

So can anyone please recompile Linux for multiuser????

A couple notes....

I am developing a dotPup for OpenGL's Mesa3d along with prerequisites and the Xscreensaver itself.

The first shots of the terminal are when XScreensaver is already running. The last ones are no running processes of XScreensaver.

[John Doe]

*bump*

[DavidBell]

I was just wondering the last couple of days, could you do a frugal/multisession multiuser just by swapping pup_save files? My undestanding is these files contain all your settings and docs (if you save into it).

So if it found pup_save_david.2fs and pup_save_johnny.2fs both in mnt/home it would just pop up a dialog and let you select the one you want, the same as it does now when it finds .sfs files there. Maybe a SaveNow for frugals could have an option of making a new pup_save.

I guess it would have to be earlier in the boot process so things like XOrg setting would stick etc.

I can't really follow it, but maybe this is what people are already suggesting above? Seems easy from my amateur perspective.

David

[richard.a]

David,

Two things...

1 -- I've found that in many cases, regardless of what computer hardware has been seen when a pup_save.(x)fs file is created - ie even if it wasn't the machine you are currently seated at (with different hardware etc) that you can use that file in the new location with probably little more than having to run xorgwizard over again.

2 -- I have even copied the same pup_save.(x)fs file under several different names to the same drive filesystem root directory, for subsequent editing into specific different configurations.

You probably need to remember to keep evident in the filename the version of puppy, because otherwise you run the risk of destroying the configuration by accidentally upgrading to a more recent version. Like this...

pup_save_202basic.3fs
pup_save_215ce.3fs
pup_save_216ex.2fs

I regularly save to different drives (including USB IDEs) and different partitions without much of a problem.

If they are FAT partitions where you save them, though, they often become badly fragmented, which the NT defragmenter isn't always clever at handling. One reason I keep win98SE around is for defragmenting big files like these, and also VMware Virtual Machine files which also seem to get laid down badly.

If you have your pup_save files on an USB IDE HD, then you can transport them to a w98 computer to defrag them


Regarding sfs files, I haven't yet discovered what you need to do to select them, because I've never seen a menu. Perhaps you can enlighten me here?

Richard

[DavidBell]

Regarding sfs files, I haven't yet discovered what you need to do to select them, because I've never seen a menu. Perhaps you can enlighten me here?

When I restart X in 2.16 I get the attached dialog, maybe you need some sfs in /mnt/home before it shows? Anyway it occured to me something very similar could let you select the 'user' by presenting a list of 'pup_saves'.

I started thinking about this, because recently I've been using a frugal install on HDD, saving documents to /mnt/home (ie direct to HDD instead of via pup_save). This way pup_save just has my applications and settings, and I use it to set up new installs without remastering (which I haven't tried yet).

Point taken on keeping different versions marked.

DB

[minoruhackerguy]

*Sigh* Boy, people have such misconceptions about hackers. Ok, basically, hacking is not breaking into others computers. That's cracking (CRiminal hACKING). Or, if you prefer, black hat hacking. MOST hackers aren't like what you here about on tv. *If you google search ethical hacking, you'll see what I mean.* Hackers test security with consent. There are even government issued hacking licenses. Besides that, 9 out of 10 cracker only know enough to cause a little trouble. In order to hack a linux box, you need a lot of skill. I agree completely with making a multiuser puppy. But really, it IS like.. impossible to hack a linux computer. The only way it's possible is by users making extreme changes to security or using things like IM clients that are old and insecure. *Even then, you normally can't cause much damage*

Still it would be nice to know that, if a cracker got into the computer, it would be hell for them to cause damage.[/b]

[stevenbinion]

I'm glad I found this thread. will be quite useful.

[Farwater]

Hi everyone!
Glad to meet you!

I'd like to continue describing the solution on multiple users proposed by monkeyweb. What'd like to show here is how to extend his idea to actually use all the programs like openoffice or sound mixer. And thus to create a truly usable second user account with fuctionality restricted only for security reasons. This is what I'm currently using on my puppy 3.01 installed onto my HD (not frugal).


Create a decent home directory for spot user

Code: Select all

mkdir /home/spot

Copy the user profile from root's template

Code: Select all

cp -R /root/* /hоmе/spot/
chown -Rh spot /home/spot

In /etc/init.d let's create an inituserspot script to initialize
the permissions for the whole spot group every time we boot up

Code: Select all

echo "echo '' > /tmp/xerrs.log ; chgrp -R spot /tmp ; chmod -R g+rw /tmp ; chgrp spot /etc/.XLOADED ; chmod g+rw /etc/.XLOADED" > /etc/init.d/inituserspot

Don't forget to make the script executable, of course

Code: Select all

chmod 755 /etc/init.d/inituserspot

And finally reboot and login as spot into a complete, but still secure working environment.

With this simple setup spot can work pretty much with all the programs installed in the system and modify any files in his directory and in /tmp/. What he can NOT is summarized below:

1. Modify the files in the directories which are not his, unless he was allowed explicitly.
2. Install/uninstall programs.
3. Mount/umount, create, delete and format file systems.
4. Start xterm or rxvt. ( although, he can leave X to a command line).
5. Switch off/reboot the system.


PS: Sorry if this method is already outdated

[Farwater]

In my original post above I used the idea to change the user's permissions, however later I changed the code to focus on group permissions.

This way the whole group spot can now run X with applications. It means that now we are not limited by a single user any longer - we can add more !

So, let's add them! Currently I'm writing a script for generating X-applications capable user accounts automatically. The script is based on the method proposed above - just automated for our convenience.

[Farwater]

The script is ready.

The usage is as follows:

Code: Select all

onemorexuser USERNAME UID [ STUBDIR  [ HOMEDIR ] ]

The script accepts 2 mandatory arguments - the name of the user you'd like to create and his/her UID. The other two arguments are optional.

The third argument is the name of the directory you'd like to use as a template - in order not to leave him with just plain X server. The default value is /root

The fourth argument is the name of the home directory which will be created as a copy of STUBDIR. The default value is /home/USERNAME

So, everything is just really easy. You run the script as a root. Wait patiently until it copies the whole STUBDIR. After that it will prompt you for a password for the newly generated user. And that's it!

Code: Select all

Ctrl-Alt-Bcksp   ;  logout  ;   login USERNAME  ;  xwin

And you will see your shining desktop with all the applications ready!

Examples.

Code: Select all

onemorexuser  puppyuser  123  /puppyhome   /home/myself

will create a user puppyuser with UID=123 with home dir at /puppyhome copied from /home/myself

Code: Select all

onemorexuser  justme 124 

will create a user justme with UID=124 with home dir at /home/justme copied from /root

Code: Select all

onemorexuser  alsome  125  /home/me/secondme

will create a user alsome with UID=125 with home dir at /home/me/secondme copied from /root


Two more things are to be mentioned:

1. The users which it creates are real. I.e., they won't disappear after rebooting. To delete them you'll have to erase the records from /etc/passwd and /etc/shadow

2. All of the users created by the script belong to the same group spot GID=502. Through their membership in this group they share the ability to manipulate X, /usr/bin, etc., etc. You are free to add them to other groups, however, better don't delete them from 502.

For further details please see the code - its really simple and self-explaining.

The version has been tested on HD-full-install and USB-frugal.
With frugal the only problem I found was accessing openoffice from .sfs

Recently added:

xonemoreuser - the same program, but with GUI for X with GTK (standard).

It doesn't require any command line options: all the customizations are done using menus and dialogs.

Please note that the final step (setting a password for the newly created users is propted automatically by the console version of the script only. If you are planning to use the GUI version, after adding each user please don't forget to setup a password for the user by typing in the console:

Code: Select all

passwd newusersname

, where newusersname is the name of the user you've just created with xonemoreuser.

Have fun!

[Farwater]

I apologize before the one who already have downloaded the script. I found a small, but very nasty mistake in it which prevented users from writing into their own directories. It's not even a bug - it's just I forgot to add one more line to the current file.

Now the file is updated and I can assure you that it works properly !!!

[Pizzasgood]

Cool. I definitely want to make the next Pizzapup multi-user friendly, among other things, so I will come back to read this stuff in detail when I start working on that. For now I'm way to busy to think about multiuser, so I wanted to at least let you know there is interest in this and that it isn't being ignored.

[Farwater]

Thanks for your encouragement, Pizzasgood! I'm glad to hear at least one positive response, since I'd also like to see puppy multiuser.

In the meanwhile I've fixed a couple of bugs, made it work more stable and predictabe. The new version of the script is available for download from the current post.

[Auda]

I have been waiting for a multi-user puppy since um well I'm using 109ce and haven't seen a good reason to change. Grafpup 2 was looking very good but unfortunatly had a few bugs, mounting drives was my main one, then Nathan F. stopped working on it and now I see that grafpup.com is no more. If you and pazzasgood get a bugfree multi-user pup working you will have a real winner.
Keep up the good work
Auda

[jcoder24]

and now I see that grafpup.com is no more.

That's because it was moved to grafpup.org

Grafpup 2 was looking very good but unfortunately had a few bugs, mounting drives was my main one, then Nathan F. stopped working on it

Nathan stopped working on it because of a change in profession which left/leaves him with virtually no time to work on it. However, I think grafpup is an excellent puplet (in some ways ahead of its time) that can hopefully be continued as a community project.

[Auda]

That's because it was moved to grafpup.org

I was doing a cleanout of old bookmarks on a seconadry computer and many grafpup.com ones came up, I had forgotten that the address has changed.

Nathan stopped working on it because of a change in profession which left/leaves him with virtually no time to work on it

I had heard that, its a shame that there isn't a note to officialy say so on his news page, it looks like an abandonded project with the last news dated August 13th, 2007

that can hopefully be continued as a community project.

That would be good is there any work being done on it ?