Browse as user "Spot"

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#31 Post by Luluc »

rcrsn51 wrote:1. Run a browser as spot.

2. Download this file. DON'T install it!

3. Try to save it to /mnt/home or /bin. What happens?
"Data File Host
Accessing directly the download link doesn't work. The download only starts if you click from the download page."
It's what the page says! :lol: :lol: :lol:
nooby wrote:As I remember it can only be saved within spot and then I need to start up Rox as root for to get access to it and move it elsewhere.
I tested this with a picture from a site and it ended up in spot and not on mnt/home as I wanted it to be :)
You still can save files inside /mnt/home. Do it like this:

Create a new directory:

Code:

# mkdir -p /mnt/home/spotfiles

Make spot the owner of that directory:

Code:

# chown -R spot /mnt/home/spotfiles

Now you can download files with the browser, browse to /mnt/home/spotfiles and save the files there when prompted for a download location.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#32 Post by nooby »

Thanks rcrsn51, Micko, Luluc all of you

My question is:
I have saved the following text and promised myself to test it out but I am so afraid of failure so I have postponed it the whole day. Can you guys confirm it is good advice? Apology to the author L18L that I failed to remember that you told me how to. :)

nooby wrote:
How does one change the password for spot and what does it have now?

Code:
# passwd spot
Changing password for spot
New password:
Retype password:
Password for spot changed by root
#

Code:
# cat /etc/passwd | grep spot

Cheers
spot since 10 minutes Very Happy

Edited: but more important is to change root's password Exclamation
by simply typing in a console
Code:
passwd

Running FF as spot

It's not hard to run Firefox or SeaMonkey as Spot, I just demonstrated how in a different thread.
Boot puppy normally.
Open the terminal.
enter "su spot" (no quotes) at the prompt.
enter "firefox" (no quotes) next.
When it launches, Firefox will be running under user Spot.
Link to screenshot
http://www.murga-linux.com/puppy/viewto ... 399#511399

Note, starting from default browser icon you are root.
Dragging defaultbrowser.desktop to the desktop and then clicking that will start defaultbrowser as user spot.
Last edited by nooby on Sat 23 Apr 2011, 15:04, edited 1 time in total.
I use Google Search on Puppy Forum
not an ideal solution though

Jasper

#33 Post by Jasper »

Hi guys,

@ nooby - rcrsn51 is saying that I was actually running Firefox as spot (even though it seemed (to me) I was running as root).

@ rcrsn51 - I have now tried two downloads and so I can personally confirm what you already knew and advised.

It is rare (perhaps the first time) that I have used large and emboldened text - but I was worried for other users (though I did say "presumably" as I'm only too aware I'm not all-knowing).

So now, thanks to you, I have a hugely improved understanding and confidence that browsesafe works.

My big, big mistake was in thinking that "whoami" would return my Firefox status. My apology for that and, with hindsight, for raising my query so strongly.

@ 01micko - thank you also for your pet and your help.

My regards
Last edited by Jasper on Sat 23 Apr 2011, 14:08, edited 1 time in total.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#34 Post by rcrsn51 »

Deleted. See my post three down from here.
Last edited by rcrsn51 on Sat 23 Apr 2011, 16:27, edited 3 times in total.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#35 Post by nooby »

rcrsn51 thanks for that one. Most instructive. The problem is that I have deleted .mozilla from root and reuse an old .mozilla that I placed in mnt/home and it would fail to link to that one from this new dir you made.

One would need to do what? Copy over a copy of that old one into that dir then?

Ahh now I get it "browsesafe " is a script or pet that Micko has made?
Last edited by nooby on Sat 23 Apr 2011, 14:13, edited 1 time in total.
I use Google Search on Puppy Forum
not an ideal solution though

Jasper

#36 Post by Jasper »

Hi nooby,

Go to the opening item in this thread and install browsesafe-0.5.pet and choose the icon option during installation.

My regards

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#37 Post by rcrsn51 »

There are two problems that we are trying to resolve:

1. Run the web browser as an unprivileged user for security reasons.

2. Keep the browser's profile and any downloaded content outside of the user's savefile.

Try this. It assumes that your Puppy installation has a /mnt/home folder AND it is formatted with a Linux file system like ext.

Code:

adduser -h /mnt/home/bsafe bsafe

If you have a full install, use something like

Code:

adduser -h /mnt/sda1/bsafe bsafe

Then run your browser with

Code:

su -c YOURBROWSER bsafe

This will automatically create a .mozilla profile in the new home directory. No symlinking is required. The default download folder is in the bsafe user's home directory outside of the savefile.
Last edited by rcrsn51 on Sat 23 Apr 2011, 18:29, edited 4 times in total.

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#38 Post by Luluc »

nooby wrote:The problem is that I have deleted .mozilla from root and reuse an old .mozilla that I placed in mnt/home and it would fail to link to that one from this new dir you made.
What do you mean by "fail to link"?

Whenever you link something, remember that the link points to a file or directory that has its own permissions. In other words, if you just link /root/.mozilla to /root/spot/.mozilla, the second one is just a link, the permissions on the first one are still in force, and those do not allow spot to use /root/.mozilla. In such circumstances, Firefox will probably choke and panic when run as spot.

It's more feasible to do the opposite: move .mozilla from /root/ to /root/spot, then make spot the owner of /root/spot/.mozilla, then link /root/spot/.mozilla to /root/.mozilla. That way, when root runs Firefox, the config files will belong to spot, but root can still use them because root can do everything. However, if root creates any new file or directory there, it will be owned by root and forbidden for spot. So linking .mozilla is generally a bad idea, too prone to errors. Ideally, only run the browser as spot, never run it as root.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#39 Post by nooby »

Dead Ringer Band – Things Don't Come Easy to me by Kasey Chambers :)

Haha things don't come easy on this computer either
I did what rcrsn51 told me.

# deluser spot
# adduser -h /mnt/home/spot spot
Changing password for spot
New password:
Retype password:
Password for spot changed by root
# su -c defaultbrowser spot
su: can't chdir to home directory '/mnt/home/spot'

# # su -c defaultbrowser spot
# su: can't chdir to home directory '/mnt/home/spot'
>
> (firefox-bin:21952): libgnomevfs-WARNING **: Unable to create ~/.gnome2 directory: Permission denied
> Could not create per-user gnome configuration directory `/mnt/home/spot/.gnome2/': Permission denied

end of quote

Thanks Luluc.

Well I have the profile on mnt/home so I need then to move that one to spot.
I use Google Search on Puppy Forum
not an ideal solution though

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#40 Post by rcrsn51 »

nooby wrote:su: can't chdir to home directory '/mnt/home/spot'
Go to your /mnt/home folder. Is there a subfolder named 'spot'?

Check its ownership. Does it belong to user spot?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#41 Post by nooby »

Oops sorry I did have a dir spot there and I did look at permissions and it seems to be owned by the whole world. But I had not read your post then and was looking for bsafe and that one was nowhere to be found so I deleted the spot dir and wanted to start all over.

How does one see if it is owned only by spot? Every box was filled in it.

When I tried to do the bsafe it did look like it worked but none such could be found

Ahh I should have done this one?

quote
rcrsn51 wrote
Clearly, you don't want to save lots of files in spot because it fills up your savefile. So go to /mnt/home and make a folder called "spot-download". Give its ownership to spot
Code:
chown spot:spot /mnt/home/spot-download

Now you have a better place to download files. Of course, this folder is now theoretically vulnerable to attack.
/quote

But if it is vulnerable to attack then what is the usage? I mean that was why we wanted to be spot in the first place :) To get away from such vulner things
I use Google Search on Puppy Forum
not an ideal solution though
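
A way to answer the two questions raised in the posts above (does the directory belong to spot, and is it writable by everyone), which also reflects Luluc's point that a link carries its target's permissions. This is an added example, not code from any poster; `check_owned_dir` is a hypothetical helper, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a home or download directory
# meant for an unprivileged browser user such as spot.
#
# Return codes: 0 ok, 1 not a directory, 2 wrong owner,
#               3 writable by group or others.
check_owned_dir() {
    dir=$1
    user=$2

    # [ -d ] and stat -L both follow a symlink: what is enforced is the
    # owner and mode of the target, not the lrwxrwxrwx shown on the link.
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory (or a dangling link)"
        return 1
    fi
    owner=$(stat -L -c '%U' "$dir")
    mode=$(stat -L -c '%a' "$dir")      # octal, e.g. 755 or 1777

    if [ "$owner" != "$user" ]; then
        echo "$dir: owned by $owner, expected $user (fix: chown $user $dir)"
        return 2
    fi

    # The last two octal digits are the group and other permission sets;
    # bit value 2 in either one means "write".
    other=$((mode % 10))
    group=$((mode / 10 % 10))
    if [ $((other & 2)) -ne 0 ] || [ $((group & 2)) -ne 0 ]; then
        echo "$dir: mode $mode lets users other than $user write (fix: chmod go-w $dir)"
        return 3
    fi

    echo "$dir: owned by $owner, mode $mode, ok"
    return 0
}
```

Run as root, `check_owned_dir /mnt/home/spot spot` prints which of the conditions failed; a directory where "every box was filled in" comes back with return code 3.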

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

#42 Post by L18L »

nooby wrote:... Apology to the author of it that I failed to remember who it was...
Accepted

But the part Running FF as spot is not from me! see http://murga-linux.com/puppy/viewtopic.php?p=516037

spot

coming from download of RPhoto_rcrsn-0.4.0.pre to ~/spot/Downloads
Last edited by L18L on Sat 23 Apr 2011, 15:09, edited 1 time in total.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#43 Post by rcrsn51 »

L18L wrote:Accepted
spot

coming from download of RPhoto_rcrsn-0.4.0.pre to ~/spot/Downloads
???

Are you confirming that something worked? For the sake of other readers, please explain.

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

#44 Post by L18L »

Sorry, there was this forum bug again (spaces in URL)
I confirm that I am running defaultbrowser as spot and the download goes into spot/Downloads

I did not install the pet just applied seaside's advice in http://murga-linux.com/puppy/viewtopic.php?p=516037

EDIT
nooby,
don't worry, this time it was me who was confusing :)


Edit
And I did not try to use root's bookmarks
Last edited by L18L on Sat 23 Apr 2011, 15:27, edited 3 times in total.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#45 Post by nooby »

Sorry for all the confusion. I have collected things about it and my ADHD makes it impossible for me to add everything because then it just blurs out. So I forget to add in sources and links and who wrote what.

Back on topic.

Browse as Spot.

Yes I want to but I also want to use the prefs I have already set up.

Okay Luluc seems to describe how that is possible. By doing things in the right sequence the owner of the prefs will be spot and the .mozilla placed in that spot directory that is password protected and root has a new password too


and the big problem is that I should not ever run root there to change something. Only use spot apart from using root to move pictures out to mnt/home if I want to keep them also for root to look at when not logged in as spot?

The problem for me is that I do want to use the browser as root.
So I need to reboot into a clone that is root then? Or maybe have one browser like FF3.6.16 as owned by root and one FF4.0 as owned by Spot?
I use Google Search on Puppy Forum
not an ideal solution though

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

#46 Post by L18L »

nooby wrote:...keep them also for root...
No, root may and can do everything, including viewing of pictures of all users

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#47 Post by nooby »

L18L refer to these exchanges
http://murga-linux.com/puppy/viewtopic. ... 665#515665

Sorry I am always confusing
I use Google Search on Puppy Forum
not an ideal solution though

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#48 Post by nooby »

But I did try to follow what rcrsn51 wrote but maybe something in my set up here made it fail or some space in the code whatever. The bsafe never got created.

I can start with spot again though.

Okay about root I still have the problem that my body will not be able to refrain from starting browser as root. It doesn't ask my permission it just goes doing it and then later I realize that hours have gone by as root
I use Google Search on Puppy Forum
not an ideal solution though

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#49 Post by rcrsn51 »

nooby wrote:But if it is vulnerable to attack then what is the usage? I mean that was why we wanted to be spot in the first place :) To get away from such vulner things
Again, this is the crucial issue. There is nothing magic about the user spot. If you let a piece of malware into your system (like a script off a web page) that wants to delete or alter your files, it doesn't matter who you are logged in as. It can change any file that it has permission to do so. If it is running as spot (or any other unprivileged user) it can delete ANY file belonging to that user. But it cannot change your system files or start a malicious process like a bot. (This presumes that the malware didn't gain privilege elevation through some other method.)

But if you are running your browser as root, the malware can attack any file owned by root - which is all of them!

Consider what happens in Windows. If you are like many people and routinely login as the admin user, then a malicious script has full rights to your file system. That's how it inserts itself into the Windows registry and numerous other spots.

Personally, I have come to accept bugman's view of Internet security. The single most important thing you can do is control web page scripting.

What is a mystery to me is why Firefox's implementation of Javascript is still so vulnerable to exploits. Does anyone have an explanation for this?
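
To make "it can change any file that it has permission to" concrete, the following lists what a process running as a given user could modify under a directory tree. This is an added example, not code from any poster; `exposed_to_user` is a hypothetical helper, and it ignores group membership and ACLs.

```shell
#!/bin/sh
# Added example (not from the thread): audit what a browser running as USER
# could alter under ROOT. USER may be a name or a numeric uid.
# Symlinks are skipped: their own mode is always rwxrwxrwx and says nothing
# about the target.
exposed_to_user() {
    root=$1
    user=$2
    {
        # Entries the user owns: fully under that user's control.
        find "$root" ! -type l -user "$user" -print |
            sed 's|^|owned |'

        # Not owned by the user, but the "other" write bit is set.
        find "$root" ! -type l ! -user "$user" -perm -0002 -print |
            sed 's|^|world-writable |'

        # World-writable directory without the sticky bit: any user can
        # delete or rename entries inside it, whoever owns them.
        find "$root" -type d -perm -0002 ! -perm -1000 -print |
            sed 's|^|no-sticky-dir |'
    } 2>/dev/null | sort
}
```

Running `exposed_to_user /mnt/home spot` as root shows the download folder handed to spot under "owned", and anything else it prints is reachable from a compromised browser session as well.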

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#50 Post by nooby »

I would love to migrate to using spot as often as possible but latest failure makes me have severe headache :) Wow it was much more difficult than I thought.

What about the advice to just drag default browser icon to spot? and then it is owned by spot or something? maybe that is the easiest if I find the right icon that is. is it the one named Browse on the Desktop?

So I create a dir on mnt/home and go into permissions and tell it to be owned by spot? I change password for spot and for root too and then it should just work?

okay I need to move the .mozilla dir to spot too.
I use Google Search on Puppy Forum
not an ideal solution though
