BionicDog (updated: 2018-06-04)

A home for all kinds of Puppy related projects
anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#81 Post by anikin »

@Flash et rcrsn51:

The picture posted by Flash suggests xserver can't get root permission. Before proceeding with the firmware and vesa solutions, I'd first try the following:

Run BionicDog again. When it halts, run:

Code:

apt-get update && apt-get install xserver-xorg-legacy
startx

In theory this should be enough to get you going as xserver-xorg-legacy driver will assign root automatically. If still no go, then run this:

Code:

echo "needs_root_rights=yes" >> /etc/X11/Xwrapper.config
startx

Read more here:
https://manpages.debian.org/stretch/xse ... .5.en.html

Edited the tip to be a little bit more nuanced.
Last edited by anikin on Thu 10 May 2018, 04:56, edited 1 time in total.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#82 Post by rcrsn51 »

@anikin: That method doesn't help.

But if you start with a frugal install and include Fred's firmware squashfs module, it will boot directly to desktop and use the Xorg radeon driver.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#83 Post by Flash »

I ain't doing no frugal install! :lol:

I been running Puppy in RAM, booting from DVD, since the days of multisession and I don't see no reason to change. Except no Puppy can do multisession any more, so now the best I can do is remaster -- if I can ever find a recent Puppy that works in this computer. :cry:

I'll try what anikin suggests, but it might be a few days.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#84 Post by rcrsn51 »

@Flash: See my solution on the previous page.

This has been tested and confirmed on a Radeon machine.

----------------
Last edited by rcrsn51 on Thu 10 May 2018, 11:06, edited 2 times in total.

tlchost
Posts: 2057
Joined: Sun 05 Aug 2007, 23:26
Location: Baltimore, Maryland USA
Contact:

bluetooth

#85 Post by tlchost »

Anyone using bluetooth with BionicDog? What do I need to install to make it play? Thanks

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#86 Post by anikin »

@Flash

I slightly modified the tip, please read my previous post again.

fredx181
Posts: 4448
Joined: Wed 11 Dec 2013, 12:37
Location: holland

#87 Post by fredx181 »

anikin wrote:The picture posted by Flash suggests xserver can't get root permission. Before proceeding with the firmware and vesa solutions, I'd first try the following:

Run BionicDog again. When it halts, run:

Code:
apt-get update && apt-get install xserver-xorg-legacy
startx

In theory this should be enough to get you going as xserver-xorg-legacy driver will assign root automatically. If still no go, then run this:

Code:
echo "needs_root_rights=yes" >> /etc/X11/Xwrapper.config
startx

@Flash
Above suggestion cannot make a difference because it's already included exactly like that in BionicDog.
Try what rcrsn51 suggested.

Fred

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#88 Post by Flash »

Hooray, I'm posting from Bionic Dog! I tried what anikin suggested, but, as both Fred and rcrsn51 said it would, it didn't make any difference. Lots of stuff seemed to download after I entered the first line and something happened after I entered the second line, but the third line, startx, only gave the same result as before. Sorry, anikin, but thanks for the effort.

Then I did what rcrsn51 said (the vesa option) and it worked. I took a screenshot of the intermediate result. I thought Fred might want to see it.
Attachments
BionicDog DVD boot fail 3.jpg
(129.88 KiB) Downloaded 920 times
Last edited by Flash on Thu 10 May 2018, 12:31, edited 2 times in total.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#89 Post by rufwoof »

I'm running using an onboard ATI Radeon graphics setup, and installing BionicDog frugally and booting didn't boot to desktop; after running apt-get install linux-firmware it boots to desktop OK.

All working well so far. Currently messing around with hardening running firefox under user Puppy as the current BionicDog /usr/local/bin/firefox-puppy.sh is pretty weak. The attached is my current messy script that I'm using for testing purposes, it unshares PID so when run user Puppy sees PID 1 as its own, and there's heavy capsh'ing already in place. I've also removed some further groups from user Puppy ... but yet to figure out what file/folder permissions to set to further harden firefox running under user puppy.
Attachments
firefox-as-puppy.gz
fake .gz (text file)
(2.88 KiB) Downloaded 120 times

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#90 Post by rcrsn51 »

FWIW, the Stretch Live Starter Kit addresses this problem by including the Radeon firmware in the ISO. Unlike Ubuntu, Debian packages it separately as firmware-amd-graphics.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#91 Post by rufwoof »

EDIT : FOUND THAT THE FOLLOWING IS TOO AGGRESSIVE i.e. problems such as apt-get not working correctly afterwards

This seems to work OK, note that I've split the capsh command line(s) over several lines purely for forum display purposes (otherwise it would make the forum thread wide). They're all a single line capsh command line

Code:

#!/bin/sh
#
# Potential hardening of /usr/local/bin/firefox-puppy.sh in BionicDog
#
# delgroup the following groups from user puppy
# adm sudo wheel disk plugdev netdev
#

# restrict these paths to their owner and group (no access for "other")
chmod 770 /root /mnt /usr/sbin /sbin /bin/busybox /bin/dd /bin/kmod /bin/login /bin/mount /bin/umount /bin/chmod

# let local user puppy connect to the X server
xhost +local:puppy

mkdir /run/user/1000 # rids us of dconf error messages by creating 1000 (puppy) run folder
chmod 777 /run/user/1000
mkdir /run/user/1000/dconf
chmod 777 /run/user/1000/dconf

cd /home/puppy
if [ ! -d .local ]; then
  mkdir .local
fi
if [ ! -d .local/share ]; then
  mkdir .local/share
fi

# generate the launcher script that capsh runs as user puppy
echo "#!/bin/sh" >/home/puppy/run-ff
echo "HOME=/home/puppy export HOME" >>/home/puppy/run-ff
echo "DISPLAY=:0 export DISPLAY" >>/home/puppy/run-ff
echo "GTK2_RC_FILES=/home/puppy/.gtkrc-2.0" >>/home/puppy/run-ff
echo "USER=puppy" >>/home/puppy/run-ff
# fix dconf error (using puppy uid of 1000)
echo "XDG_RUNTIME_DIR=/run/user/1000" >>/home/puppy/run-ff
echo "XDG_DATA_HOME=/home/puppy/.local/share" >>/home/puppy/run-ff
echo "XFINANSDIR=/home/puppy/.xfinans" >>/home/puppy/run-ff
echo "XDG_CONFIG_HOME=/home/puppy/.config" >>/home/puppy/run-ff
echo "XDG_CACHE_HOME=/home/puppy/.cache" >>/home/puppy/run-ff
echo "PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin" >>/home/puppy/run-ff
echo "cd /home/puppy" >>/home/puppy/run-ff
echo "/usr/bin/apulse /opt/firefox/firefox" >>/home/puppy/run-ff
echo "exit" >>/home/puppy/run-ff
chmod +x /home/puppy/run-ff

# One capsh command line: the backslash-newlines join into a single argument,
# so the continuation lines must start in column one.
unshare -p --mount-proc=/proc -f /sbin/capsh --drop=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,\
cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,\
cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,\
cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,\
cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,\
cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,\
cap_audit_read+ep --keep=1 --user=puppy -- -c /home/puppy/run-ff --

# Change it to the following i.e. execute /bin/sh and you can see what is accessible
# i.e. try things such as su command, or run capsh --print to see what's capped ...etc.
# (remove the leading # from every line below to use it)
#unshare -p --mount-proc=/proc -f /sbin/capsh --drop=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,\
#cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,\
#cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,\
#cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,\
#cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,\
#cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,\
#cap_audit_read+ep --keep=1 --user=puppy -- -c /bin/sh --
####################################################

Pretty much restricts user puppy to be more secure than the current run as puppy firefox version in BionicDog. Concept being you run local stuff as root, but run the browser as Puppy (browser being the greatest of being a target to be hacked).

Running firefox using that now as I post this, and in another window a youtube is playing fine (including sound).

There are reasonable guides as to the capability values in man 7 capabilities

Code:

capsh --print

can be used to show current capability settings (but not under user puppy when the above permissions are set (see attached))
Attachments
2018-05-10-160812_1130x714_scrot.jpg
(46.77 KiB) Downloaded 1254 times
Last edited by rufwoof on Thu 10 May 2018, 20:46, edited 2 times in total.
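
A way to check what the capsh --drop list in post #91 leaves in the bounding set, by decoding the CapBnd mask from /proc/<pid>/status. This is an added example, not part of rufwoof's script; it assumes the launcher starts with all 38 capabilities, drops the trailing +ep from the list, and uses a constructed status sample.

```shell
# Capability names in bit order 0..37, as listed in capabilities(7).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read"
# The --drop list from the post, rejoined into one argument (+ep suffix omitted).
DROP_LIST="cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,\
cap_setpcap,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,\
cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,\
cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,\
cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,\
cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,\
cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read"
# Constructed sample of the capability lines in /proc/<pid>/status.
SAMPLE_STATUS="CapEff: 0000000000000000
CapBnd: 0000000000000206"

# mask_to_caps HEX: print the names of the capability bits set in HEX.
mask_to_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        [ $(( ($mask >> $bit) & 1 )) -eq 1 ] && out="$out $name"
        bit=$(($bit + 1))
    done
    echo "${out# }"
}

# mask_after_drop LIST: 16-digit hex bounding set left when the comma-separated
# LIST is dropped from a full set (assumption: all 38 bits set at start).
mask_after_drop() {
    mask=0; bit=0
    for name in $CAP_NAMES; do
        case ",$1," in *",$name,"*) ;; *) mask=$(( $mask | (1 << $bit) )) ;; esac
        bit=$(($bit + 1))
    done
    printf '%016x\n' "$mask"
}

# capbnd_of: read /proc/<pid>/status text on stdin, print the CapBnd mask.
capbnd_of() { awk '$1 == "CapBnd:" { print $2 }'; }

expected=$(mask_after_drop "$DROP_LIST")
actual=$(printf '%s\n' "$SAMPLE_STATUS" | capbnd_of)
echo "expected $expected, observed $actual: $(mask_to_caps "$actual")"
```

For the list in the post the result is cap_dac_override, cap_dac_read_search and cap_linux_immutable, the three names that do not appear in the --drop argument. On a live system, feed the function the real file, e.g. capbnd_of < /proc/PID/status for the browser's PID.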

fredx181
Posts: 4448
Joined: Wed 11 Dec 2013, 12:37
Location: holland

#92 Post by fredx181 »

@Flash
Then I did what rcrsn51 said (the vesa option) and it worked. I took a screenshot of the intermediate result. I thought Fred might want to see it.
Yes, thanks, once I've seen similar errors as the last lines (not being valid yet) but no idea where it's coming from.
If you have time can you run "apt-get update" again and see if it's still like that? (for me it's fine, atm, but it may have to do with different timezone).

Has anyone else seen these "not valid yet" errors when running apt-get update?
rcrsn51 wrote:FWIW, the Stretch Live Starter Kit addresses this problem by including the Radeon firmware in the ISO. Unlike Ubuntu, Debian packages it separately as firmware-amd-graphics.
Yes, better (in my opinion) how Debian handles that, also separate firmware packages for wifi. (In Ubuntu you have to install the whole big package linux-firmware.)
I think it's better to include xserver-xorg-video-vesa in next BD release, btw.

@rufwoof, thanks, new territory for me, this "hardening"

Fred

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#93 Post by rufwoof »

fredx181 wrote: @rufwoof, thanks, new territory for me, this "hardening"
Firefox just updated to 60.0 and the above still works OK (for the one sneekylinux youtube that I used to check sound was being heard ok).

Only very lightly tested so far and there may be issues i.e. apt-get update is currently failing (seeing your repo's but not Ubuntu's) which I'm hoping/suspect might be at the Ubuntu end of things - but maybe not.

As an alternative to the current firefox-puppy.sh it would make things more difficult for potential hacks i.e. firefox (internally) running in a level 3 sandbox along with running firefox as a very restricted userid (puppy). But does detract from what user puppy can actually do for other things (but might as well stick with running under root for those anyway).

"Hardening" is just Seccomp (Linux)/Pledge (BSD) type terminology i.e. limiting a program/function to just the things it needs to work as intended. Start off with simple/loose wrappers/controls and progressively refine those (harden) to make it more secure. Mozilla have been hardening access to memory (sandboxing - first focusing upon Windows, but now more recently Linux - which is more difficult due to the great variations) and adjusting timing precision to make the likes of Meltdown/Spectre type attacks that much more difficult (increased timer precision from 5 microseconds up to 20 microseconds so preemptive code execution stuffing is much less reliable), such that combined with hardening the userid that runs firefox it is more difficult to hack into the system and privilege elevate. But as ever by no means certain. Prize money at Pwn2Own 2018 was relatively low this year with Richard Zhu taking home the lion's share, not due to better security, but because the Chinese, who usually wipe the field, have been restricted from partaking this year.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

Re: bluetooth

#94 Post by rcrsn51 »

tlchost wrote:Anyone using bluetooth with BionicDog? What do I need to install to make it play? Thanks
I ran a few tests of bt4stretch v1.1 in BionicDog and it works. BD already has mplayer.

dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#95 Post by dancytron »

rufwoof wrote:This seems to work OK, note that I've split the capsh command line(s) over several lines purely for forum display purposes (otherwise it would make the forum thread wide). They're all a single line capsh command line
Would this be less complex if an ID without adm sudo wheel disk plugdev netdev was created just to run the browser?

A long time ago I did a Debian Dog Chrome remaster with a user "cat" iirc without sudo and wheel that I used to run the browser.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#96 Post by rufwoof »

dancytron wrote:Would this be less complex if an ID without adm sudo wheel disk plugdev netdev was created just to run the browser?

A long time ago I did a Debian Dog Chrome remaster with a user "cat" iirc without sudo and wheel that I used to run the browser.
I guess that the puppy userid could simply be adjusted to have lower privileges if you're only using that for internet type programs/activities. That's basically what I did but adding even further limitations to make it more 'useless' for anything other than running the browser. Egyptian cat style :)

Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#97 Post by Smithy »

Hi, I keep getting quite a few (errors?) with Light 48 browser.
It keeps saying sites are unsecure and I keep having to add an exception. Google brought a wry smile, and youtube won't show up, but it is quite a drag. Is there a setting that can fix this?
Oh sorry, posted in the wrong thread. Tried the below solution from Flash, but still a problem, might have a look in about:config. Thanks.
Last edited by Smithy on Fri 11 May 2018, 22:52, edited 1 time in total.

zagreb999
Posts: 567
Joined: Fri 11 Apr 2014, 06:39
Location: Yugoslavija

#98 Post by zagreb999 »

hi Smithy,

those are bugs in light firefox,
not in bionicdog...

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#99 Post by Flash »

Smithy, I get those invalid certificate warnings too. They don't bother me so I haven't tried this, but you might try (in the browser) Preferences -> Advanced -> uncheck Query OCSP responder servers...

YouTube played right out of the box for me in Bionic Beaver.

majka
Posts: 14
Joined: Sun 08 Feb 2015, 04:41

tethering to phone

#100 Post by majka »

Does Bionic Dog accommodate tethering to mobile phone for internet?
Can't see anything obvious on first glance.
Tethering with USB cable.
On other Linux's the phone connects as a storage device (to copy imgs etc),
then on the phone, enable 'tether via USB'.
This is how I would normally do it.

EDIT:
Every subsequent attempt, tethering to phone for internet was achieved automatically.
No problem. Not sure what happened first time.

BUT:
I can't seem to see the phone as a generic drive (when untethered), in order to
swap photos between phone and computer. Solution??

thks.
Last edited by majka on Mon 14 May 2018, 23:33, edited 3 times in total.
