Puppy's Philosophy: FEAR NOT ROOT!

Posts: 14
victorinux
Joined: 08 Jun 2015
#1
Before you say that logging in as root is "unsafe", please ask yourself - "unsafe" from whom? Remember this is a home desktop computer we are talking about, not a shared server in large networked environments. In this context, logging in as a non-privileged user only protects you from one person - yourself (i.e. from your own mistakes). It also protects you from doing exactly one thing: destroying the system.

But consider this:

* restoring [an OS as] Fatdog operating system is a 5-second job assuming you have a Fatdog CD/DVD/USB around, and
* logging in as unprivileged user does not protect you from mistakes in wiping out your own data.

What is more important and irreplaceable - your data, or the operating system files?

--o--

Question: But what about network programs?

Answer: Network security should not be equal to local security (same way Android).

How is this any different from standard non-privileged user login?

Consider this - let's say you login as your regular non-privileged user ("regular" means the user id you use for day-to-day work, so this is the user id that owns your home directory, owns your data, etc) and run network programs as that user too. This is how typical Linux distros do it. Now let's assume that there is a security hole in the network program that enables a remote attacker to gain access to your system. When a remote attacker manages to do this, he/she will gain access as your regular user id (because this is the user id used to run the network program, remember?).

What can the remote attacker not do? Among other things:

* he/she cannot delete operating system files.
* he/she cannot read certain operating system passwords.
* he/she cannot modify operating system files (e.g. to implant a system-wide keylogger to monitor every user in the system).

Big deal. Let's see what the remote attacker can do (among other things):

* he/she can delete your data
* he/she can read all of your data, including your passwords, your credit card numbers, your tax returns, etc
* he/she can modify and install programs executed by you at every startup - such as installing a keylogger to monitor everything you type.

Thus - what exactly does logging in as non-privileged user protect? What is more important and irreplaceable - your data, or the operating system files?

taken from http://distro.ibiblio.org/fatdog/web/faqs/login.html
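The FAQ's last point (an attacker holding your day-to-day uid can change what runs at every startup, no root needed) is easy to verify on your own machine. The script below is an added example, not part of the forum post or the Fatdog FAQ it quotes; it assumes a freedesktop-style home directory (~/.config/autostart/*.desktop plus the usual shell start-up files), lists those hooks with their modification time, and flags autostart entries whose Exec= program itself lives under $HOME, i.e. a program the same uid could have replaced. The sample home directory it builds is constructed data so the audit runs offline.

```python
#!/usr/bin/env python3
"""List the start-up hooks a day-to-day login owns and can therefore rewrite.

Constructed example; it assumes a freedesktop-style home directory with
~/.config/autostart/*.desktop entries and the usual shell start-up files.
"""
import os
import stat
import tempfile
import time
from pathlib import Path

SHELL_STARTUP = (".profile", ".bash_profile", ".bashrc", ".xsessionrc")


def parse_exec(desktop_file):
    """Return the Exec= value of a .desktop file, or None when it has none."""
    for line in Path(desktop_file).read_text(errors="replace").splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def exec_target_in_home(exec_cmd, home):
    """True when the program an Exec= line starts is a file inside `home`.

    Such a program is owned by the login user, so anything running with that
    uid can replace it. Bare command names are found through PATH and are
    reported as False here (PATH itself is user-controlled via ~/.profile).
    """
    if not exec_cmd:
        return False
    home = Path(home).resolve()
    target = Path(os.path.expanduser(exec_cmd.split()[0]))
    if not target.is_absolute():
        return False
    resolved = str(target.resolve())
    return resolved == str(home) or resolved.startswith(str(home) + os.sep)


def audit_home(home):
    """Return one dict per start-up hook found under `home`."""
    home = Path(home).resolve()
    findings = []

    def record(path, kind, exec_cmd=None):
        st = path.stat()
        findings.append({
            "path": str(path),
            "kind": kind,
            "exec": exec_cmd,
            # writable by the owner == writable by any process holding this uid
            "owner_writable": bool(st.st_mode & stat.S_IWUSR),
            "target_in_home": exec_target_in_home(exec_cmd, home),
            "mtime": time.strftime("%Y-%m-%d %H:%M", time.localtime(st.st_mtime)),
        })

    autostart = home / ".config" / "autostart"
    if autostart.is_dir():
        for entry in sorted(autostart.glob("*.desktop")):
            record(entry, "autostart", parse_exec(entry))
    for name in SHELL_STARTUP:
        if (home / name).is_file():
            record(home / name, "shell-startup")
    return findings


def suspicious(findings):
    """Autostart entries whose program is itself user-owned content."""
    return [f for f in findings if f["kind"] == "autostart" and f["target_in_home"]]


def build_demo_home():
    """Constructed sample home directory so the audit runs offline."""
    home = Path(tempfile.mkdtemp(prefix="autostart-audit-"))
    (home / ".config" / "autostart").mkdir(parents=True)
    (home / ".local" / "bin").mkdir(parents=True)
    (home / ".local" / "bin" / "updater").write_text("#!/bin/sh\necho sample\n")
    (home / ".config" / "autostart" / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
    (home / ".config" / "autostart" / "updater.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Updater\n"
        f"Exec={home}/.local/bin/updater --quiet\n")
    (home / ".bashrc").write_text("# constructed sample\nexport PATH=$HOME/.local/bin:$PATH\n")
    return home


if __name__ == "__main__":
    for f in audit_home(build_demo_home()):
        flag = "  <-- program lives under $HOME" if f["target_in_home"] else ""
        print(f"{f['kind']:<14} {f['mtime']}  {f['path']}  {f['exec'] or ''}{flag}")
```

Run it against a real account with `audit_home(Path.home())`; every line it prints is something a compromise of that uid could have altered without touching a single operating-system file, which is the FAQ's point.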
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#2
here's a link to a similarly titled blog post "Fear Not Root" by the author of spaceFM: https://igurublog.wordpress.com/2010/01/16/fear-not-root/

victorinux, your post doesn't indicate whether you agree with, or are critical of, that puppian "philosophy".
Personally, I'm uncomfortable with the (limited) extent most puppy spins utilize "run as spot" ~~ it's implemented for the web browser only (not applied for ALL web-facing apps).

puppy Puli applies several additional protections: http://murga-linux.com/puppy/viewtopic.php?t=96964

I haven't used/recommended it because it employs a "Precise +PPAs" base, not a slackware base, but I'm interested in adopting some of its protection mechanisms
(e.g., a wrapper for the PDF reader app drops the network connection prior to launching the PDF reader)

In the context of a "desktop distribution" and for "desktop users", I do recognize the merit of employing sudo. However, I would pointedly ask: who among us is a "desktop user"?
If I'm not running a multi-user install and find myself continually relegated to performing "administrative tasks" in the course of daily use
and (and, for me, this is the kicker) am running in a live session with semi-automatic (throwaway) persistence
...sudo usage seems more like a self-imposed barrier, one which provides a false/misplaced sense of security.

A false sense of security? Yeah. The example I've repeatedly raised, across several years (in my antix forum posts) is this:
"user duly sudoes whatever program, then winds up inadvertently launching the web browser AS ROOT by clicking a "Help" button within the program"

edited to add:
2010 article by Joanna Rutkowska (architect of QubesOS): http://theinvisiblethings.blogspot.com/2010/08/ms-dos-security-model.html
Last edited by skidoo on 01 Oct 2015, 23:42, edited 1 time in total.
Posts: 2,238
dolphin_oracle
Joined: 16 Dec 2007
#3
skidoo wrote: A false sense of security? Yeah. The example I've repeatedly raised, across several years (in my antix forum posts) is this:
"user duly sudoes whatever program, then winds up inadvertently launching the web browser AS ROOT by clicking a "Help" button within the program"
oh, I hate that!
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#4
dolphin, I don't bristle if something manages to invoke dillo, via xdg-open or exo-open... but I do use the following to guard iceweasel launch:

mv /usr/lib/iceweasel/iceweasel /usr/lib/iceweasel/iceweasel_real

then save the following as /usr/lib/iceweasel/iceweasel
and chmod 755 /usr/lib/iceweasel/iceweasel

Code:

#!/usr/bin/python
# Python 2 / PyGTK wrapper: refuses to start the real browser when run as root
import subprocess
import os
import sys
import gtk

gooniebird = os.geteuid()          # effective uid; 0 means root (or a program run via sudo)
args = sys.argv
if len(sys.argv) < 2:
    args.append("")                # no URL given: make args[1] an empty string
if gooniebird == 0:
    # root: show a modal notice with the URL that would have been opened, then quit
    ouch = gtk.MessageDialog(None, gtk.DIALOG_MODAL, gtk.MESSAGE_INFO, gtk.BUTTONS_OK, None)
    ouch.set_keep_above(True)
    ouch.set_title('!')
    ouch.set_default_size(800, 10)
    ouch.set_resizable(True)
    ouch.set_markup("\nprevented <b>sudoer / root</b> from launching iceweasel\n\n")
    lbl = gtk.Label('the attempted destination was:')
    ouch.vbox.pack_start(lbl, False, False, 0)
    dest = gtk.Entry()
    dest.set_text(args[1])
    ouch.vbox.pack_start(dest)
    ouch.show_all()
    ouch.run()
    sys.exit(0)
else:
    # ordinary user: hand the (single) argument to the renamed real binary
    if args[1] == "":
        subprocess.call(["/usr/lib/iceweasel/iceweasel_real"])
    else:
        subprocess.call(["/usr/lib/iceweasel/iceweasel_real", args[1]])
    # yes, discard any additional args
    ### note: if launched from terminal, the following nuisance notice is expected
    ###     GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
    sys.exit(0)

This script wouldn't suit someone who uses multiple iceweasel profiles, unless it's modded to handle additional commandline args.

https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options
Posts: 14
victorinux
Joined: 08 Jun 2015
#5
skidoo wrote: ... your post doesn't indicate whether you agree with, or are critical of, that puppian "philosophy" ...
I'm not a fluent English speaker nor a wise i-tech, for that matter, but, undoubtedly, there are "fundamental truths" about the security of a home computer, as Puppy Distro points out.
Beyond "su" and "sudo" we also have to deal with a Policy Kit by the distro, a Policy Kit by the desktop, etc. (or, simply put, several Polkit daemons which can conflict among themselves), besides that CIA's program SELinux (security enhanced).
Life should be easier...
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#6
in the default antix install, selinux is a non-issue
(support for selinux is present, but you would need to install/setup extra components to make it functional)

https://wiki.debian.org/SELinux/Setup

"Debian packaged Linux kernels have SELinux support compiled in, but disabled by default."
antix15-full here. Kernel is "4.0.5-antix.2-amd64-smp" and
/lib/x86_64-linux-gnu/libselinux.so.1
/lib/x86_64-linux-gnu/security/pam_selinux.so
are present, but they can do nothing unless additional components (and policyfile) are installed.
here's a quick bit of background reading, if you're interested:

http://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_installation.html

Here are a couple of quick ways to check/verify that selinux isn't up-and-running:
* /etc/selinux/config {is absent in default antix install}
* ls -lZ /etc/
For extra peace of mind, you can add the bootline arg selinux=0

AFAICT, the "sliver of sepolicy" present in antix15 is simply the result of (is installed by) debian package "libsepol1",
which is a dependency of the debian sysvinit package.
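The checks skidoo lists above can be scripted so they are repeatable after a kernel or package upgrade. This is an added example, not from the forum post: it reads the three places the kernel and userland expose SELinux state, the selinuxfs mount at /sys/fs/selinux (whose `enforce` file holds 0 or 1 once a policy is loaded), the SELINUX= selector in /etc/selinux/config (absent on a stock antiX install, as noted above), and a selinux=0 switch on the kernel command line in /proc/cmdline. The `root` argument is an assumption of this example so the same function can be run against a constructed directory tree; the two sample trees it builds are constructed data.

```python
#!/usr/bin/env python3
"""Report whether SELinux is actually active on this machine.

Constructed example that scripts the checks described in the post: the
selinuxfs mount (/sys/fs/selinux/enforce), the policy selector in
/etc/selinux/config (absent on a stock antiX install), and a selinux=0
switch on the kernel command line (/proc/cmdline). The `root` argument lets
the same code run against a constructed directory tree.
"""
import os
import tempfile


def read_text(path):
    """Contents of `path`, or None when it is missing or unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def selinux_status(root="/"):
    """Summarise kernel, config and boot-line SELinux state under `root`."""
    def p(*parts):
        return os.path.join(root, *parts)

    enforce = read_text(p("sys", "fs", "selinux", "enforce"))
    config = read_text(p("etc", "selinux", "config"))
    cmdline = read_text(p("proc", "cmdline")) or ""

    # SELINUX=enforcing|permissive|disabled from /etc/selinux/config, if present
    configured = None
    for line in (config or "").splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            configured = line.split("=", 1)[1].strip().lower()

    # No selinuxfs means no policy is loaded: libselinux/pam_selinux on disk
    # are inert, which is the antiX situation described in the post.
    if enforce is None:
        kernel_mode = "not loaded"
    elif enforce.strip() == "1":
        kernel_mode = "enforcing"
    else:
        kernel_mode = "permissive"

    return {
        "kernel_mode": kernel_mode,
        "active": enforce is not None,
        "config_file_present": config is not None,
        "configured_mode": configured,
        "cmdline_disables": "selinux=0" in cmdline.split(),
    }


def build_fake_root(enforce=None, config=None,
                    cmdline="BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet"):
    """Constructed directory tree mirroring the real paths, for offline runs."""
    root = tempfile.mkdtemp(prefix="selinux-check-")
    os.makedirs(os.path.join(root, "proc"))
    with open(os.path.join(root, "proc", "cmdline"), "w") as fh:
        fh.write(cmdline + "\n")
    if enforce is not None:
        os.makedirs(os.path.join(root, "sys", "fs", "selinux"))
        with open(os.path.join(root, "sys", "fs", "selinux", "enforce"), "w") as fh:
            fh.write(str(enforce))
    if config is not None:
        os.makedirs(os.path.join(root, "etc", "selinux"))
        with open(os.path.join(root, "etc", "selinux", "config"), "w") as fh:
            fh.write("# constructed sample\nSELINUX=%s\nSELINUXTYPE=default\n" % config)
    return root


if __name__ == "__main__":
    print("this machine:", selinux_status())
    print("sample antiX-like tree:",
          selinux_status(build_fake_root(cmdline="BOOT_IMAGE=/vmlinuz quiet selinux=0")))
    print("sample enforcing tree:",
          selinux_status(build_fake_root(enforce=1, config="enforcing")))
```

The `kernel_mode` field is the one that matters for the question in this thread: a config file or a libselinux package with "not loaded" in the kernel means the stack is present but doing nothing, exactly the state skidoo describes for antix15.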
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#7
POLICYKIT by the distro, POLICYKIT by the desktop

"PolicyKit is a toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes."

Here are the policykit packages present on my antix15-full system.
gir1.2-polkit-1.0
lib-polkitagent-1-0
libpolkit-1-0
libpolkit-backend-1-0
policykit-1
libpolkit-gobject-1-0

All except the last item in that list could be uninstalled with minimal consequence.
Minimal, as in, it would be necessary to forego ONE dependent program (gufw).

The last item, libpolkit-gobject-1-0, is a dependency of "slim" (the login manager provided in antix) and of "udisks".
victorinux wrote: several Polkit daemons which can conflict among them
Hmmm, maybe you're referring to "all the stuffs" displayed by the output of the htop command?

First of all, "console-kit-daemon" is different from policykit.
Many distros configure htop so that the redundant consolekit processes are suppressed, by default, from display.
antix devs have chosen "everything" as the default display mode. You can hide the noisy consolekit entries using the 'H' toggle in htop.
Second, note the pid for each of the /usr/lib/policykit-1/polkitd processes listed in htop.
The polkitd pids are nearly sequential. They are not competing/conflicting ~~ they are launched necessarily, during slim and/or session startup.
victorinux wrote: undoubtedly, there are "fundamental truths" about the security of a home computer, as Puppy Distro points out.
Above, I've tried to clarify for you that antix doesn't "add lots of layers and complexity".
In contrast, Puppy "throws away, by default" basic protections ~~ forcing us to go out of our way to PREVENT anyone
(any process) from mounting any hard drive attached to the system, or to PREVENT anyone (any process) from launching a server (service) process, etc.
Posts: 14
victorinux
Joined: 08 Jun 2015
#8
I know AntiX 15 is a great distro: a rookie "linuxer" (like me) can learn a lot from it - more than trying to compile a kernel or install a distro like gentoo

However, not all Linux stuff is a piece of cake for the rookie. I repeated the experience of this Venezuelan iTech "Piccoro" Mckey - the one who elaborated the now abandoned distro "Venenux" - with a Debian basic system and the LXDE desktop:
Debian Bug report logs - #669646

lxpolkit conflict with other polkit daemons

Reported by: PICCORO McKAY

Subject: lxpolkit conflict with other polkit daemons, bug 677171 in bugzilla
Package: lxpolkit
Version: 0.1.0-1
Justification: renders package unusable
Severity: grave

During login (lxde) this error pops up:

GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent
already exists for the given subject

and then lxpolkit is unusable! due to some other one already running ... especially
gnome-polkit!! grrrrr

A reasonable solution is to go into "Preferences->Desktop
Session Settings" and un-check "PolicyKit Authentication Agent", as LXDE runs
its own LXPolKit Authentication Agent, but that does not solve it, the message still
shows!
This is due to network-manager-gnome explicitly needing the gnome-polkit agent, so
this could be a solution if the n-m applet did not depend on too many stupid gnome parts..
but..
I understand the "gnome" name in the packages involved, but for
end-users there are no other solutions in debian for managing USB connections, gnome-ppp
is no good for managing USB connections because it has to be restarted many times if the
connection is lost...

GNOME maintainers refused to reorganize the agent, instead they suggested
to hardcode the agent somewhere. This was part of the "PolkitAgentReorg"
feature that never happened.
Posts: 4,164
rokytnji
Joined: 20 Feb 2009
#9

Fear Not Groot: https://www.youtube.com/watch?v=s5wkBRlQy74
Posts: 1,445
skidoo
Joined: 09 Feb 2012
#10
a modified (to include bleachbit in the flow) annotated version of the script I posted previously:

Code:

#!/usr/bin/python

# this script, chmodded 755 and residing at /usr/lib/iceweasel/iceweasel
# ( after having renamed the original iceweasel executable to /usr/lib/iceweasel/iceweasel_real )
# prevents sudo/root from accidentally launching the browser, which happens due to, for instance, clicking the "Help" button in certain apps.
#
# For a non-root user, provides the benefit of launching bleachbit ahead of the browser,
# so the user has the opportunity to (is reminded to) clean flash cookies ( ~/.macromedia/* ) and whatnot.
#
# Separately, because an inline prompt here would be a nuisance,
# should advise users to NEVER (or seldom, AND think twice before doing so!)
# tick the "Firefox } Backup files" cleaner option.
# Doing so will obliterate backup copies of the bookmarks file/db and, if the browser crashes during the next session, ALL bookmarks may wind up being lost!
# Similarly, even if you are "overly privacy conscious" (I am), think twice before deciding to tick the "Firefox } Session restore" cleaner option.

#    related note:
#    Depending on the version of firefox installed, it may not generate bookmark.bak files, period,
#    unless you visit about:config and change (or create, if missing) these prefkeys:
#        browser.bookmarks.autoExportHTML = true   (instructs browser to ALSO save bookmarks.html file, instead of just storing in a sqlite file)
#        browser.places.importBookmarksHTML = true (instructs browser to load bookmarks.html. Useful in case the sqlite db becomes corrupt/damaged)

import subprocess
import os
import sys
import gtk

gooniebird = os.geteuid()          # effective uid; 0 means root (or a program run via sudo)
args = sys.argv
if len(sys.argv) < 2:
    args.append("")                # no URL given: make args[1] an empty string
# neutralise startup switches the browser should never receive from a stray "Help" click
if args[1] in ("-migration", "-ProfileManager", "-safe-mode", "--g-fatal-warnings", "-search"):
    args[1] = "intercepted_unwanted_iceweasel_STARTUP_arg_____" + args[1]
if gooniebird == 0:
    # root: show a modal notice with the URL that would have been opened, then quit
    ouch = gtk.MessageDialog(None, gtk.DIALOG_MODAL, gtk.MESSAGE_INFO, gtk.BUTTONS_OK, None)
    ouch.set_keep_above(True)
    ouch.set_title('!')
    ouch.set_default_size(800, 10)
    ouch.set_resizable(True)
    ouch.set_markup("\nprevented <b>sudoer / root</b> from launching iceweasel\n\n")
    lbl = gtk.Label('the attempted destination was:')
    ouch.vbox.pack_start(lbl, False, False, 0)
    dest = gtk.Entry()
    dest.set_text(args[1])
    ouch.vbox.pack_start(dest)
    ouch.show_all()
    ouch.run()
    sys.exit(0)
else:
    subprocess.call(["/usr/bin/bleachbit"])   # and wait for it to finish
    print 'bleachbit finished'
    if args[1] == "":
        subprocess.call(["/usr/lib/iceweasel/iceweasel_real"])
    else:
        subprocess.call(["/usr/lib/iceweasel/iceweasel_real", args[1]])
    # yes, discard any additional args
    ### note: the following nuisance notice is expected
    ###    GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

    sys.exit(0)
#gtk.main()
In addition to using the script above, I've also created an alias within /root/.bashrc

Code:

alias iceweasel='roxterm --title=__NO_BROWSER_LAUNCH_FOR_ROOT__'
Last edited by skidoo on 27 Jan 2016, 17:51, edited 4 times in total.
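The two wrapper scripts skidoo posted (#4 and #10) share one design: sit at the browser's path, check the effective uid, and either refuse or hand off to the renamed real binary. The version below is an added example, not skidoo's code or anything shipped by antiX, written in Python 3 without the GTK dependency so the policy can be unit-tested. It assumes the same deployment (real binary renamed to `/usr/lib/iceweasel/iceweasel_real`, this file installed in its place, mode 755) and differs in three ways worth noting: it passes every remaining argument through, which addresses the multiple-profiles limitation mentioned in #4; it drops the five start-up switches the #10 script intercepts instead of mangling them into a fake URL; and when refusing it reports the sudo session's `SUDO_USER` and `SUDO_COMMAND` (variables sudo itself sets) so the user can see which sudo'ed program's "Help" button fired. The GTK dialog is replaced by stderr, the controlling tty, and a `notify-send` desktop notification when that client is installed.

```python
#!/usr/bin/env python3
"""Root-guard wrapper installed in place of a browser executable.

Constructed example (Python 3, no GTK). Same deployment as the posted script:
rename the real binary to REAL_BROWSER, install this file at the original
path, chmod 755.
"""
import os
import shutil
import subprocess
import sys

REAL_BROWSER = "/usr/lib/iceweasel/iceweasel_real"   # path used in the post

# Start-up switches the posted script intercepts: a "Help" click from another
# application should never land a user in the profile manager or safe mode.
BLOCKED_SWITCHES = {"-migration", "-ProfileManager", "-safe-mode",
                    "--g-fatal-warnings", "-search"}


def decide(euid, argv, env):
    """Policy as a pure function so it can be tested without a browser.

    Returns a dict with action "refuse" (plus a reason) or "launch" (plus the
    argv to exec and the switches that were dropped).
    """
    attempted = " ".join(argv[1:]) or "(no URL)"
    if euid == 0:
        reason = "effective uid is 0"
        # sudo records who elevated and what they ran; that names the culprit
        # program (the one whose "Help" button fired) instead of just "root".
        if env.get("SUDO_USER"):
            reason += "; sudo session of %s" % env["SUDO_USER"]
        if env.get("SUDO_COMMAND"):
            reason += " running %r" % env["SUDO_COMMAND"]
        return {"action": "refuse", "reason": reason, "attempted": attempted,
                "command": None, "dropped": []}
    kept = [a for a in argv[1:] if a not in BLOCKED_SWITCHES]
    dropped = [a for a in argv[1:] if a in BLOCKED_SWITCHES]
    return {"action": "launch", "reason": None, "attempted": attempted,
            "command": [REAL_BROWSER] + kept, "dropped": dropped}


def notify(title, body):
    """Best-effort user notification: stderr, the controlling tty, and a
    desktop notification via notify-send when libnotify's client is installed."""
    text = "%s\n%s\n" % (title, body)
    sys.stderr.write(text)
    try:
        with open("/dev/tty", "w") as tty:
            tty.write(text)
    except OSError:
        pass
    if shutil.which("notify-send"):
        subprocess.call(["notify-send", "--urgency=critical", title, body])


def main():
    verdict = decide(os.geteuid(), sys.argv, os.environ)
    if verdict["action"] == "refuse":
        notify("prevented root from launching the browser",
               "%s\nattempted destination: %s" % (verdict["reason"], verdict["attempted"]))
        return 1
    for switch in verdict["dropped"]:
        sys.stderr.write("wrapper: dropped start-up switch %s\n" % switch)
    # execv replaces this process, so the launcher sees the browser's own exit
    # status, and all remaining arguments (e.g. -P profile) reach the binary.
    os.execv(REAL_BROWSER, verdict["command"])


if __name__ == "__main__":
    sys.exit(main())
```

Keeping the decision in `decide()` means the refusal rule can be checked with a plain test run rather than by actually sudo'ing an application and clicking its Help button; the `/root/.bashrc` alias posted above still covers the case where root types the command name in a terminal, since that never reaches this file.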
Posts: 850
fatmac
Joined: 26 Jul 2012
#11
The most obvious reason for not being permanently the root user is the rm command; if you add a * to it, everything is gone!
Posts: 20
darry1966
Joined: 01 Apr 2013
#12
I've used Puppy for many years and not worried about running as root. Basically, running as a user doesn't stop you from f----------- up your system. I have borked apt before and needed to re-install.

Basically, running as root I change the password and I don't use the RM command; as I have said many times, common sense is the best defence, and I also run distros with user accounts. I just don't care about the "root" issue.