Properly setup BionicPup64 (or another puppy)

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#61 Post by Mike Walsh »

UncleScrooge wrote:@ bigpup

I don't get it either. still on our laptops (both windows 10 and 7 -we will still have laptops with windows 7 until first quarter 2021). windows explorer is not showing anything other than partition 1 IF it's in a windows friendly format.

The only explanation I got is that there may be some restraint: we are not administrators on our laptop, just users, and a lot of features in the "computer management" are disabled. In case of need we have a utility called TempUser which creates a temporary user (3 hours) with administrative privileges.

we can't even delete shortcuts from the desktop, let alone access the Program folders or the root of C:\. No access to diskpart and other core windows utilities. Only as temporary administrators.
@ UncleScrooge:-

Don't take this the wrong way, but even by normal business practice, your top brass sound absolutely paranoid to me..... :lol:

It's always the same where money's concerned....


Mike. :wink:

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#62 Post by bigpup »

No access to diskpart and other core windows utilities. Only as temporary administrators.
Those are normal restrictions if you are not an administrator.

You do understand that the partition setup I showed works for Windows 10 on my computer?
Windows 10 can see and access the fat 32 and ntfs partitions.

Well, I am booted in Windows 10 as a normal user.
Can access all drives in the file manager.

Sounds like yours is setup with more user restrictions.

Log on as this temporary administrator and see what file manager can do.

Did company IT set up these laptops with the restricted user?
Ask them about the problem.

That does seem a strange option, to have for people, you want to restrict access.
You log on as this user with limited access, but if you need to, for 3 hours, you can log on as this temporary administrator. :shock: :roll: :lol:
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#63 Post by UncleScrooge »

@ Mike Walsh

why would I take it the wrong way? you are perfectly right.

My personal thought: in a world where socio/psychopathic traits are sold to the public as "virtues" (the "homo economicus" theory and the likelihood crap), no wonder we end up with a leadership of paranoid (and narcissistic and etc etc) psychopaths.

@ bigpup

you are right. logging in as temporary administrator windows explorer works differently.

as normal practice we do not log on as temporary administrators, we create, with that utility (TempUser) an administrator identity with 3 hrs life which will then have a name and password we can use to carry out actions (updating drivers, deleting desktop icons, computer housekeeping in general, even renew permission of hardware access to our proprietary process control tools!!) that require administrative privileges:
Image
this practice, among other things leads us to have something like 50/60 zombie identities per quarter on our hard disk on average. here is my current list of "dead" users since beginning of March (last survey and cleanup by the ITs):

Image

this is by far one of the two core reasons why we have this Linux USB project ongoing in the first place: freed the field personnel from hassles by the IT security and let them carry out the job they are paid for without having to continuously answer to security popup windows, or even worse, have tools blocked in the middle of a job, sometimes perhaps even in critical situations (for example: while adjusting the PIDs params of the load sharing of a 12 MW busbar with 4 gensets @ 100% of load: it happened [!!])

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#64 Post by bigpup »

freed the field personnel from hassles by the IT security and let them carry out the job they are paid for without having to continuously answer to security popup windows, or even worse, have tools blocked in the middle of a job, sometimes perhaps even in critical situations (for example: while adjusting the PIDs params of the load sharing of a 12 MW busbar with 4 gensets @ 100% of load: it happened [!!])
So they give you a laptop, as a tool to do your work, but not the complete ability to use it to do the work :shock: :roll:
If it was me.
Me, the IT department, and top management, would be going round and round about this. Till I got complete control, of this laptop tool.

This looks like a way to record who uses the laptop.
I can understand having a log on to access, but the 3 hour time limit is just dumb!
We trust you, but only for 3 hours! :roll:

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#65 Post by UncleScrooge »

bigpup wrote: So they give you a laptop, as a tool to do your work, but not the complete ability to use it to do the work :shock: :roll:
almost a catch 22.......
bigpup wrote: If it was me.
Me, the IT department, and top management, would be going round and round about this. Till I got complete control, of this laptop tool.
consider that a commissioning in say Singapore pays handsomely to the engineer(s) in charge. stretching the stay cuz the needed time gets inflated for someone well above his paygrade, decided his pace gotta proceed like a hiccup.... you got the picture.
But of course it couldn't go on indefinitely. Plus we went through quite a few instances where safety issues (a ton of near misses and a couple of serious accidents) started the fire under the big brass arses.
bigpup wrote: This looks like a way to record who uses the laptop.
I can understand having a log on to access, but the 3 hour time limit is just dumb!
We trust you, but only for 3 hours! :roll:
it does not look like: IT IS exactly that!!!
the five Ws: who, when, why, where... WTF

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#66 Post by UncleScrooge »

Ok, this morning the axis of benevolent evil ( :roll: ), read my bosses, came out with a novelty: they want each single user of the thumbdrive to set up their own password.

So remembering that:
- The bloody thumbdrive is ready for use as it is
- The savefile is encrypted (LUKS) I did that at first start up / shutdown after final installation.
- The partition where BionicPup resides is 46 GB
- the bionicpups64save_luks is now 37 GB (4 GB used 33 GB still free)

Is it possible to change the password or do I have to create a new savefile?

PS:
I saw that in this thread:
http://www.murga-linux.com/puppy/viewto ... 1499637916
bigpup is giving support while creating a new savefile, I wouldn't go for that if I can help it

vtpup
Posts: 1420
Joined: Thu 16 Oct 2008, 01:42
Location: Republic of Vermont

#67 Post by vtpup »

I'm not answering your question, Unca Scrooge, but I do suggest you read the following initial FAQ re. Luks (especially warnings section 1.2) for possible problems to avoid which could yield irrevocable data loss:

https://gitlab.com/cryptsetup/cryptsetu ... dQuestions
Acer Aspire 5349-2635 laptop Tahrpup.
Acer R11 and C720 Chromebks Bionicpup64
Acer Iconia A1-830 tablet no pup
www.sredmond.com

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#68 Post by UncleScrooge »

@vtpup
thnx for the link.

so my next question would be: how about creating a master USB with an unencrypted puppySave (all SW and data included) already of the intended size; clone it and then encrypt each puppysave file in the clones with cryptsetup?

is that gonna work?

vtpup
Posts: 1420
Joined: Thu 16 Oct 2008, 01:42
Location: Republic of Vermont

#69 Post by vtpup »

Try it.

I would suggest re-mastering your main puppy first to include every piece of additional linux software you intend to have aboard as standard. That will make a large (fat) puppy, but there's no need to encrypt all of the working portion of your installation. Or am I forgetting that was a company requirement? Nevermind......

EDIT: Also, in view of the warnings in the cryptsetup Luks FAQ mentioned earlier, it might be wise to prevent users from easily altering the partition structure, or reinstalling puppy (since it might clobber the luks required partition data), so you may want to eliminate gparted and the puppy installer in the re-master

You could do a trial re-partition on a throwaway test install to see if gparted or puppy installer causes problems with cryptsetup.
Last edited by vtpup on Fri 29 May 2020, 15:40, edited 1 time in total.

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#70 Post by UncleScrooge »

vtpup wrote:Try it.

I would suggest re-mastering your main puppy first to include every piece of additional linux software you intend to have aboard as standard. That will make a large (fat) puppy, but there's no need to encrypt all of the working portion of your installation. Or am I forgetting that was a company requirement? Nevermind......
sounds like a better idea, correct me if I am wrong, but since remastering will then generate a big bionicPup.sfs with everything included, will that start as a "first install" booting it elsewhere?

can I still use frugalpup_20 to set an EFI/MBR fresh USB with the remastered sfs? it sounds like it but I am not sure.

cuz if so that'll spare me some headaches: the users will choose their own passphrase for the first save/encryption and the master key will be unique for every single thumbdrive. which will be the perfect solution

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

#71 Post by mikeslr »

UncleScrooge wrote:...
Is it possible to change the password or do I have to create a new savefile?...
Serendipity? Today by petracus: "I have been researching the cryptsetup command and I have managed to change the password of my pupsave file from with this command!:
cryptsetup luksChangeKey /route to your pupsave file
For example:

cryptsetup luksChangeKey /mnt/sdb1/xenialpupsave_luks-xxxxxx.4fs

Once entered, it asks you for the old password and then for the new one.
Best regards!", http://www.murga-linux.com/puppy/viewto ... 39#1059239

However, this being an area in which I don't even have a dabbler's familiarity, may I also suggest you might examine the LotsaLuks v1.0.0 package jafadmin created, published on the thread on which I asked " I was wondering how Luks can be used with a SaveFile. Can an existing SaveFile be converted? What problems are likely to arise using a Luks encrypted SaveFile?" and he responded, http://www.murga-linux.com/puppy/viewto ... 21#1056621. I also suggest that you pm jafadmin for technical details which would have 'gone over my head'.

At any rate, if petracus' solution is pertinent, you can easily use the command in a script, add an icon and a desktop file (optionally package it as a pet) if anyone receiving the USB-Keys finds implementing terminal commands challenging.

vtpup
Posts: 1420
Joined: Thu 16 Oct 2008, 01:42
Location: Republic of Vermont

#72 Post by vtpup »

UncleScrooge wrote:
vtpup wrote:Try it.

I would suggest re-mastering your main puppy first to include every piece of additional linux software you intend to have aboard as standard. That will make a large (fat) puppy, but there's no need to encrypt all of the working portion of your installation. Or am I forgetting that was a company requirement? Nevermind......
sounds like a better idea, correct me if I am wrong, but since remastering will then generate a big bionicPup.sfs with everything included, will that start as a "first install" booting it elsewhere?
Yes.
can I still use frugalpup_20 to set an EFI/MBR fresh USB with the remastered sfs? it sounds like it but I am not sure.

cuz if so that'll spare me some headaches: the users will choose their own passphrase for the first save/encryption and the master key will be unique for every single thumbdrive. which will be the perfect solution
I believe that should work as well.

Basically, you are creating your own Puppy variant.

Please also see my late edit, in my last post, although I'm not sure if you could remove the Puppy installer in this case since you might need it for the user to do the initial setup. Ideally you'd simplify the choices available in the Installer script, so the user just needs to choose a password, everything else defaults to what you have decided is right for your Puppy stick.

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#73 Post by UncleScrooge »

Wow guys, you definitely rock, all of you!
anyways... @mikeslr
since you suggested the reading of this (and very wisely so), I did change my mind about the process:
6.15 Can I clone a LUKS container?

You can, but it breaks security, because the cloned container has the
same header and hence the same master key. Even if you change the
passphrase(s), the master key stays the same. That means whoever has
access to one of the clones can decrypt them all, completely bypassing
the passphrases.
While you can use cryptsetup-reencrypt to change the master key,
this is probably more effort than to create separate LUKS containers
in the first place.
The right way to do this is to first luksFormat the target container,
then to clone the contents of the source container, with both containers
mapped, i.e. decrypted. You can clone the decrypted contents of a LUKS
container in binary mode, although you may run into secondary issues
with GUIDs in filesystems, partition tables, RAID-components and the
like. These are just the normal problems binary cloning causes.
Note that if you need to ship (e.g.) cloned LUKS containers with a
default passphrase, that is fine as long as each container was
individually created (and hence has its own master key). In this case,
changing the default passphrase will make it secure again.
keeping in mind that if it were for me I wouldn't give a toss about encryption, the section above tells me that my initial idea (clone the damn thing and just change passphrase using the petracus magic wand :D ), it's a no go even under a mildly paranoid frame of mind, since the brass and ITs are gonna read that quote sooner or later.

vtpup suggestion (which also bigpup recommended a few posts back) on the other hand seems like the right way to proceed.

and btw the jafadmin tool is priceless...

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#74 Post by UncleScrooge »

vtpup wrote:Try it.
.....
EDIT: Also, in view of the warnings in the cryptsetup Luks FAQ mentioned earlier, it might be wise to prevent users from easily altering the partition structure, or reinstalling puppy (since it might clobber the luks required partition data), so you may want to eliminate gparted and the puppy installer in the re-master

You could do a trial re-partition on a throwaway test install to see if gparted or puppy installer causes problems with cryptsetup.
absolutely. good hint.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#75 Post by bigpup »

If you use Frugalpup Installer to do installs to USB sticks.

You do not need the Puppy Universal Installer.
Gparted is not needed, as long as the USB drives, are already correctly partitioned and formatted.

To remove stuff built into Puppy Linux.
Use menu->Setup->Remove Builtin Packages
Be very careful. It lists everything. You can easily remove something, that may be needed to run Puppy or another program.
Keep to actual program names, in the Puppy main menu, should be safe.

Do this before remastering.

Because the stuff is in the main Puppy sfs (read only file).
Remove Builtin Packages does not actually remove stuff, but white lists it, so it is no longer seen.
When remastering. This stuff, in white list file, is kept out of the new remaster.

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#76 Post by UncleScrooge »

@ bigpup

message well received
I have no intention to remove anything else other than the installers, partitioners and maybe some other stuff "potentially" dangerous to the usage of the tool (the thumbdrive itself, aka its integrity).

-------------------------------

on another topic: I labelled the NTFS partition "Windows_share" initially for easy reference to the user.
Now I need to make sure that the partition will be automatically mounted at boot time, and have an "easy to find" reference (ROX Filer mainly, unless you have a better file manager/navigator to suggest).

I cannot use pMount to set the "mounting at boot" flag since I cannot be sure what ID the disk will have: that'll depend on the configuration (number of HDD, other USBs) of the machine at boot time, it can be sdb1 or sdc1, or even sda1 if there's no other disk connected.
I cannot even use the UUID, especially since I will be remastering rather than cloning. all I have as unique ID is the label from which I can backtrack the device name grepping blkid (I noticed there is no etc/fstab file in bionic pup).

So my plan would be to write a script to run at start up time that will ID the partition, place a fresh link on the desktop (and clear the stale one) and possibly have a mount point easily reachable through the file manager (a link in /root?)

any hint?

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

Remastering -- Suggest a couple step process

#77 Post by mikeslr »

Nic007 has packaged several of his Utilities in a suite, http://www.murga-linux.com/puppy/viewto ... 10#1053410. Within the suite are utilities for converting a SaveFile or Folder into either a READ-ONLY adrv or ydrv as well as doing a remaster.

[Elsewhere you'll find a post about adding other READ-ONLY XXXX_drv.sfs. You're not limited to just two if you think of criteria beyond the division discussed below.].

At any rate, my recommendation is that rather than remastering all the changes, additions, bootup-settings and customizations into one new puppy_bionicpup64-8.0.sfs, you break that project down: Exclude from the remaster ALL 'full applications', such as word-processors and web-browsers.

(1) Review what you've installed -- PPM>Uninstall >Snapshot.
(2) Start with OOTB puppy_bionicpup64-8.0.sfs. Install only 'frameworks' [QT, Wine?*, python and libraries needed by other applications].
(3) Remaster creating a new puppy_bionicpup64-8.0.sfs.

Anything you later add will be in a 2nd stage SaveFile/Folder. 'Frameworks' will now be part of your puppy_xxx.sfs

To the extent that you are not going to use Application.SFSes, portables and AppImages:

(4) Install Applications you are unlikely to change over the course of time, i.e. NOT Web-browsers -- creating a new SaveFile/Folder.
(5) Use nic007's Save2SFS to convert your new SaveFile/Folder into an adrv.
(6) Boot without loading the adrv. Install applications you're likely to change creating a 3rd stage SaveFile. Convert that SaveFile/Folder into a ydrv.

Less is likely to go wrong during the remaster. As your puppy can boot without the ydrv it is fairly easy to quickly create a new updated version of ydrv when appropriate.

Your final distributable puppy will consist of READ-ONLY files and one small encrypted (Final: 4th Stage) SaveFile to hold the customizations of the individual users. Emphasizing: (1) Encryption only is needed for the distributed version's SaveFile and (2) that file remains small, and less prone to problems.

* Wine?: If you're not going to use the portable. But, in any case the 32-bit Compatibility SFS should be used rather than installed. Installing doesn't work any better than using the SFS. The FINAL SaveFile can load it as one of the 'settings'.

vtpup
Posts: 1420
Joined: Thu 16 Oct 2008, 01:42
Location: Republic of Vermont

#78 Post by vtpup »

Excellent advice all around.

Heh, Unca Scrooge, you're on a steep learning curve!

But what other distro has this kind of nuttiness available, along with a community of non-conformists, and mad scientists messing with every aspect of what's possible?

vtpup
Posts: 1420
Joined: Thu 16 Oct 2008, 01:42
Location: Republic of Vermont

#79 Post by vtpup »

Set a new UUID on the stick. Then you'd know what it was.

How about:

acce55 decaf c0ffee ea7 57a1e fe1afe1

UncleScrooge
Posts: 104
Joined: Tue 07 Apr 2020, 06:07
Location: Norway

#80 Post by UncleScrooge »

vtpup wrote:Excellent advice all around.
Heh, Unca Scrooge, you're on a steep learning curve!
no shit buddy!.... :D .
vtpup wrote:But what other distro has this kind of nuttiness available, along with a community of non-conformists, and mad scientists messing with every aspect of what's possible?
now you're braggin' about...
but i couldn't agree more
