Moving Root to Spot makes Puppy secure?

For discussions about security.
Post Reply
Message
Author
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

Moving Root to Spot makes Puppy secure?

#1 Post by nooby »

In a post in another thread Clam01 wrote
http://www.murga-linux.com/puppy/viewto ... 491#543491
Clam01 wrote
Our object is to make our puppy (any breed or cross) more secure. As we all know, our puppies are not secure because we run as root.

To be secure we want to run as spot. The easy way to do this is to move our root to spot.

To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot.

Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally.

Everything we do from this point on that triggers a call to a file in root will stop for being unable to find root.

Nothing can get instruction from root, now tucked safely away in spot, secure even from us and our own computer.

What is really cool and real virus like is the way all our open programs continues to work until we try to do something with one, whereupon it immediately freezes up. It's proper virus-infection behavior.

To recover demonstrates the first-most security feature of puppy. We have to hard-reboot, since root being lost makes everything stop (including, fortunately, writing the move of root to the pup-save file).

When our puppy reboots it reboots through a normal restart to a normal puppy rebuilt from the main sfs, pup-save and additional sfs files. A healthy puppy, all recovered, no longer sick. Puppy is, indeed, virus-proof, and idiot-proof! Not, however, that pup-saves can collect malware and should be cleaned every now and again.

For convenience, if you customize settings, and add programs, set your puppy up as you want and build a custom that incorporates what you want as you want it, so all is in your main sfs, then save everything important to one or two files in your pup-save that you can move out to a partition before you clean your pup-save (mouse a frame around all contents and quiet-delete).
I wish I was more computer savvy, I am an absolute computer challenged guy but what you say in my quote above is interesting.

I wish somebody geeky could test it and explain how to use it for us Noobs.

Could you tell more about this part?
For convenience, if you customize settings, and add programs, set your puppy up as you want and build a custom that incorporates what you want as you want it, so all is in your main sfs,

then save everything important to one or two files in your pup-save that you can move out to a partition before you clean your pup-save

(mouse a frame around all contents and quiet-delete).
I feel very dense when I read that part. Sorry wish I knew what you refer to.

Important question.

To do hard reboots that is not something good to do. So that one needs a less dangerous solution!
I use Google Search on Puppy Forum
not an ideal solution though

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#2 Post by CLAM01 »

Nooby,

You forgot to include the line before the first you quoted, that identified the recipe for a "puppy virus". Here is some further explanation from the other thread:

Note that my recipe for "securing" root by moving it into spot is a puppy-virus recipe. It is fun in puppy because it does no serious harm (though you should do it on a frugal-installed puppy you don't have personal files in, just in case). It isn't a cure for anything, except maybe acute boredom. Computer programs find things they need by following paths to them. Putting root in spot removes root from the path programs follow to find it. Coming to a dead-end a program stalls. This effectively kills the running puppy. This does no harm with puppy because the running puppy is a copy. It is a clone of the puppy main sfs modified per white and black lists and additional instructions, and files, in the pup-save, and additional sfs's added on startup.

Basically all my "puppy-virus" does is illustrate and demonstrate the puppy structure that makes puppy root secure and provides puppy's first-line of security against infections. To bring in LPS into the discussion, for a nod to the thread, this first-line defense is the same that LPS uses (which LPS almost certainly has from puppy, which is famous for it, via GPL).

The means to "propagate" the "virus", moving root to spot to make root secure, is for fun. It is one of those "too good to be true" things, "so easy why didn't the experts ever think of it?" Because they are fun I like to think of these things.

Caveats: Because I have never full-install installed a puppy I don't know if the virus works the same, or messes things up in a full install. Also, I don't know if a puppy that saves to USB periodically will always fail to save the root-in-spot configuration to its pup-save. If your puppy does not restart normally, reboot in ram, mount the pup-save, move personal files out to /mnt/home, then mouse draw to compass all files in the pup-save, quiet-delete all, close the empty window, unmount the pup-save (by left-clicking on it), then reboot the computer, not saving your ram session. When the puppy main sfs re-populates the pup-save you can customize it again and move your personal files from /mnt/home back in.


What you quote in your second quote is just saying that to make reorganizing your puppy easier after a cleaning its pup-save (from a ram session, as said above), when you have your puppy the way you want it do a remaster. That will give you a custom puppy with most of what you have set it up with installed in the main sfs. You still have to redo minor tweaks.

Putting all your personal files in one or two folders makes it easy to move them out of your pup-save before you rm -r its contents to force the main sfs to re-populate it with clean, unmodified, from the main sfs, folders and files.

Puppy remakes root from the main sfs, then tweaks it with your preferences from pup-save each time you start a puppy. wiping the whole contents of your pup-save makes puppy do the same for the pup-save. These are things you can do if you are paranoid and lazy. They are easier than setting spot up with a password and permissions.

The next step, if wiping your pup-save does not seem to have cured everything, is to delete the whole pup-save (wiping out all contents, including the file system), then build another.

The last step, for the totally paranoid, is to delete the main sfs file, too, then reinstall your puppy as brand-new.

What is nice about puppy is that the average computer user, with no experience except as a user, can do all of these things in the GUI, him or herself (and the first puppy does automatically for you, on every restart).

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#3 Post by nooby »

Note that my recipe for "securing" root by moving it into spot is a puppy-virus recipe.
I don't get it on the level needed to decide on it. I am too dense obviously
Sorry
I use Google Search on Puppy Forum
not an ideal solution though

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#4 Post by amigo »

Contrary to what CLAM01 says, changing the name of the /root directory to anything else doesn't have any particular inlfuence on the 'security' of puppy -it simply renders it unusable for any programs which refer to the path to '/root' -either as as a program path or as the path to any required config file. Most of the programs which might be potentially used by some malware are probably located in /sbin or /usr/sbin (they should be there anyway).

The term 'virus', as used here, is completely out of context -'virus' refers to certain types of malware which are usually binary 'blobs' which contain their own executable code which doesn't need to call other installed programs in order to do its' job.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#5 Post by nooby »

amigo wrote:Contrary to what CLAM01 says, changing the name of the /root directory to anything else doesn't have any particular inlfuence on the 'security' of puppy -....
Amigo I don't criticise or have any opinion at all on what you say. I am totally dependent on both of you to sort this out.

But did he really do as you say here? As I remember he drag the root folder to spot.

How is that related to change the name of Root. To me that is two different things.

Not that I have tested neither of them but I have tested to drag the folder named .mozilla to /mnt/home and then dragged it back to / whic his root but only made a symlink.

To drag something is not to rename it is it. So could you explain if it really is the same. Drag and drop is very different is it not?
I use Google Search on Puppy Forum
not an ideal solution though

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#6 Post by nooby »

copy of what he actually wrote
To be secure we want to run as spot. The easy way to do this is to move our root to spot.

To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot.

Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally.
Now can one really say that he rename root as spot?

He place root within spot. Is that not something very different?
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#7 Post by rcrsn51 »

CLAM01 wrote:To be secure we want to run as spot. The easy way to do this is to move our root to spot. To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot. Then drag root from the / window and drop it in the spot one.
You can't drag a folder into a subfolder of itself.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#8 Post by nooby »

rcrsn51 is my Linux hero, I trust him 100%.

So guys don't give this up now. Sort it out so us noobs can understand.

What was accomplished and how did it work if at all.

Clam you have to reconstruct the whole thing and step by step explain how it works

I go back to bed now and dream that it is solved when I wake up some 10 hours from now. My by now famous sleep apnea makes me sleep for ages.
I use Google Search on Puppy Forum
not an ideal solution though

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#9 Post by CLAM01 »

Amigo,

You are right: I did not create a real virus, or even a real "puppy-virus". Viruses (virii?) are bio-medical organic compound entities capable of altering cell structures. They are life-forms and so are able to invade, infect, propagate, migrate and mutate opportunistically, without human or other aid, except transport and hosting.

What I created was confusion.

It is obviously a good thing puppy security is discussed in an off-topic area here... Though in this discussion's case we should perhaps be in the Truly Off-Topic area, since we are off-topically discussing puppy and a puppy topic. Can anything be more truly off-topic than an off-topic discussion that is on-topic yet off-topic?

I now go off to experiment, to attempt to learn why I am able to make my puppy do the impossible. It may take some time. Every time I do I turn my puppy computer into a perpetual non-motion machine...

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#10 Post by nooby »

Thanks Clam, do tell which Puppy later when you've accomplish something you trust to work.

If you have time. Do test with both pupsave and without pupsave.

With pupsave it maybe corrupt it so use .3fs instead of 2fs?

Without a pupsave with all the personal stuff either outside of the root in /mnt/home or already in the sfs which means it does not corrupt.

Looking forward to a successful experiment.

Later today I maybe try it too on some new frugal install.
I use Google Search on Puppy Forum
not an ideal solution though

CLAM01
Posts: 82
Joined: Sat 22 May 2010, 04:05

#11 Post by CLAM01 »

nooby,

I am afraid I neglected to emphasize sufficiently that to make the securing of root by moving it into spot work you have to use the puppy you are going to experiment on for a time, saving files to the on-disk pup-save file.

It is the separation of the ramdisk root and pup-save root (in puppy's layering) that makes the silly-trick work. Applications running in ramdisk root saving into pup-save root (which is "impossible" [except for puppy]) set the stage for "saving" root in spot...

Bruce B

#12 Post by Bruce B »

I think the better way to relocate spot is by editing the /etc/passwd* files for the new location.

Then make a new directory to reflect the changes and assign ownership accordingly. Copy old spot files to new directory.

Then modify the script which runs didiwiki also if it needs it.

I haven't done it, but that's the approach I'd take.

~

User avatar
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#13 Post by BarryK »

Do you guys know about 'fido'?

http://bkhome.org/blog/?viewDetailed=02240

All puppies built with recent Woof support fido, but I haven't done any further development on it since the initial work. It does need bug fixing. Wary 5.1.2 is an example that has it.
[url]https://bkhome.org/news/[/url]

Bruce B

#14 Post by Bruce B »

Barry,

I've read a little about fido. My problem, if we can even call it a problem is I'm running Lupu 5.20. It is easy enough to install, but I have modified things so extensively that I don't want to change. Also, thanks much for the super multimedia support with this disto. Plus all the official .pet packages to add more multi-media support.

My next upgrade will be to Lupu 5.25 probably, unless there is a newer release when I upgrade.

Even at that, it will have spot. I could make another user for web browsing but spot works fine.

The problem with spot is the same anyone would have with fido. I download more than the pupsave file can hold. I resolve this by having download directories with permissions for spot. So it isn't a problem really as it only takes a couple seconds to make the directories outside the pupsave file.

Also thanks for a world class small distribution. I don't have any requests except keep doing what you are doing. If there is something I don't like, I'll probably make a patch for it and post it for others to use. If you like it you can use it. But don't expect to see much, if any in that way.

Kind regards,

Bruce

~

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#15 Post by amigo »

Typically, we seem to betrying to invent a new way of handling multiple users on an OS that was designed to do that from the very beginning. The whole thing of running as root by default could have been implemeted very simply -with a quick edit of just a couple files.

Instead, since great effort was spent to create a root-only distro, by having to hack around on lots of things, we've made it very difficult to re-implement proper multi-user capability.

The proper thing to do here is to get rid of all the hacks and omissions which made puppy root-only in the first place. Then we'd have something which would be easily configurable to run as root-only, multi-user, as a proper server or whatever one wanted.

The idea that root and fido should share a home directory is absolutely preposterous.

Bruce B

#16 Post by Bruce B »

My Puppy configuration is root only. The only notable difference is Firefox runs as user spot. The Firefox operation is seamless and from the operator's perspective works identically to Firefox running as root.

I'm not overly concerned about security, but considering Firefox is the primary vector for any exploits, I figure since everything works the same, I might as well run it as a limited user.

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#17 Post by nooby »

BarryK wrote:Do you guys know about 'fido'?

http://bkhome.org/blog/?viewDetailed=02240

All puppies built with recent Woof support fido, but I haven't done any further development on it since the initial work. It does need bug fixing. Wary 5.1.2 is an example that has it.
thanks Barry, yes I trust that most Puppy user are aware of it but we are also aware of that it needs a bit more work by the Devs so that noobs get what it means and some possible bugs gets looked into.

Much appreciated that you cared about us that asked for it but not everybody agree that Fido will satisfy the critics. It may satisfy puppy luvrs like Nooby and others but the "Real Linux" users are known to only get (or feel) satisfied with "real linux" which are multi users and where root is never allowed to be automatically logged into. That is the interpretation I have from some three years of daily reading of forums for Ubuntu and Linux Mint and some other such like LinuxQuestions and the DistroWatch comments at that. Sure I am a true nooby so I can have got the wrong impression of them. :)

I trust in you and all the other Puppy Devs but as you know the Linux users are a diverse lot so it is as it is with their takes on things.

Still Fido is for Puppy luvrs, I don't trust the general linux users with find it enough to satisfy them.
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
sszindian
Posts: 807
Joined: Sun 25 Apr 2010, 02:14
Location: Pennsylvania U.S.

Interesting Subject!

#18 Post by sszindian »

Just had to throw this in!!!!!

Just maybe if some (or a bunch of some's) devs would work out the fix many have been asking for for the last year or more...

'Save or No Save Option On Shutdown or Reboot'

We really wouldn't have to worry about any malware attaching to our save-file with the save-session feature once you get your puppy fixed up with the programs, files etc., you need, just don't save the session?

I know that the standard Linux 'shutdown' command isn't in our kernel ( -h shutdown now )
That simple one-liner would do it. Maybe the newer kernels being used will offer that or would it be a big deal to include it in a new kernel? I don't know, just asking?

>>>---Indian------>
Cloud Computing For Every Puppy (a .pet)
[url]http://murga-linux.com/puppy/viewtopic.php?t=69192[/url]

User avatar
sszindian
Posts: 807
Joined: Sun 25 Apr 2010, 02:14
Location: Pennsylvania U.S.

Interesting Subject!

#19 Post by sszindian »

Bummer, double post!!!!!!!!

>>>---Indian------>
Cloud Computing For Every Puppy (a .pet)
[url]http://murga-linux.com/puppy/viewtopic.php?t=69192[/url]

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#20 Post by nooby »

Some users have no HDD and don't have an usb in the slot either and boot up from CD or DVD and that way them have some control over such malware

another approach is to have no save file. But I guess as long as one have a hdd that can be mounted it does not help does it?
I use Google Search on Puppy Forum
not an ideal solution though

Post Reply