Big security hole: Should have implementation.
-
- Posts: 2
- Joined: Wed 12 Mar 2014, 03:07
One thing with the system is that it really NEEDS to have a User account, THEN root on top of that. This way a person can USE the system, but then also be able to SU to the administration account to further administrate the system.
Because if you are using it on an older system, and want to have users on it, but for them to NOT have full access of it all, then it should not have root access from the get go.
This is a MAJOR security hole in the system, makes the system volatile to attacks and hacks and all from the outside world if the system is on the internet.
Once...and only once...upon a time...
When visiting some [malicious?] website...
I found windows opening on the desktop...
Displaying the contents of the Puppy CD-RW.
As I closed the windows, new windows would open.
So I used ctrl+alt+backspace to drop to a command prompt and rebooted.
Once back to the desktop, the problem was still there...
So...
I rebooted into a different Puppy CD-RW...
Deleted the pupsave of the problem Puppy...
Restored a good/clean recent backup copy [held on an external USB connected HDD, normally powered off] of a pupsave for the problem Puppy.
Then booted the original Puppy that had displayed the problem.
The problem was GONE!
This is the only seeming security problem I've ever detected since beginning to use Puppy in Dec 2008.
These days, my Puppy doesn't save any session changes back to the pupsave on the internal HDD [neither during the session, nor at shutdown/reboot], unless I tell it to.
So I can [and sometimes do] power off improperly.
At next boot, the Puppy automatically scans&fixes the ext3 host partition file system and also the ext3 pupsave partition file system.
So far, doing this has never caused a problem [none of which I'm aware].
Hence, in the event of a problem I can just hold in the power button to power off.
Quote: This is a MAJOR security hole in the system, makes the system volatile to attacks and hacks and all from the outside world if the system is on the internet.
Never had any problem since I'm using Puppy. And I had just once a problem when I was a windows user (should not have opened that unknown email).
The security hole usually is sitting on a chair in front of the computer: clicking and opening just everything that blinks, flickers and is offered to open and/or download it.
[b][url=http://lazy-puppy.weebly.com]LazY Puppy[/url][/b]
[b][url=http://rshs-dna.weebly.com]RSH's DNA[/url][/b]
[url=http://murga-linux.com/puppy/viewtopic.php?t=91422][b]SARA B.[/b][/url]
Hmm, like sylvander, someone sent me to a site that had some horrible javascript which had windows flying open all over the place...seems like the browser was going doo lally but made doing anything impossible...can't remember how I forced it off...ctrl+alt+delete or backspace or perhaps the power button.
After restarting, firefox was a little upset and wanted to take me back to the same site, which for some reason I chose not to do, but otherwise no harm done apart from my time wasted.
Apart from that we are looking at 8 years of running as root. Yes, I managed to delete an entire partition of stuff through a bad script I made while learning (did recover most of it as it happens), so to me not being root guards against user stupidity, NOT the internet, which is a different matter.
As it happens I added multiuser to my puppies...not a major undertaking and it works as expected.... the lack of it is laziness and convenience since slax, another live distro, DOES provide full multiuser ability.
On a last note, I recently did a weird one... created a user and then ssh to myself as that user and then ran firefox through X forwarding as that user...I felt suitably sandboxed. Of course this also requires additions to standard pups...just thought I would throw it in.
mike
- Moose On The Loose
- Posts: 965
- Joined: Thu 24 Feb 2011, 14:54
p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
With very little effort on my part, I could misunderstand your request to include those that I have been victim to while using other OSes. That would make the list so long that I would not want to type it all so here is the first and the last few viruses I had trouble with.
First:
Back when my computer used two floppies and had no hard drive, I discovered that somehow a new TSR got onto my MSDOS-3 boot disk and was making a copy of itself on any new floppy. This meant that I could not get the full use of the space on the floppy.
2nd Last:
On a XP machine fresh out of the box, as soon as I connected to the internet but before I downloaded the antivirus software, a massive string of network actions happened and the machine froze up.
Last:
On a Win-7 machine, quite suddenly in the middle of my doing something, it began doing a huge number of network accesses and bogged down and then went into the shutdown all on its own.
I have been using Puppy since 4.10 was the latest version and so far have never had a virus etc get me.
Quote: javascript which had windows flying open all over the place...seems like the browser was going doo lally but made doing anything impossible...cant remember how I forced it off...crtlaltdelete or backspace or perhaps the power button. After restarting firefox was a little upset and wanted to take me back to the same site which for some reason
NOT being logged in as root wouldn't prevent such a javascripted browser exploit
Quote: NOT being logged in as root wouldn't prevent such a javascripted browser exploit
never said it would...please don't tell me what I have supposed to have said.
The point was about javascript on the net being the only problem ever experienced...a browser crash is the worst thing that has happened.... the subject of root is irrelevant in this case.
mike
RSH wrote: The security hole usually is sitting on a chair in front of the computer: clicking and opening just everything that blinks, flickers and is offered to open and/or download it.
This.
The one time I've ever gotten a virus (it was on Windows!) I felt pretty stupid in the aftermath, because I was dumb enough to click on one of those "you just got a free e-card" links in my email.
To be fair, my mother was away at the time and I was lonely -- something must've clouded my thoughts enough to make me think that it could possibly be from her... well, that idea went away real quick! Fortunately, I had antivirus software that cleaned things up quite nicely...
There's quite a bit to be said for safe browsing/emailing habits!
That said, I've been using Puppy "recreationally" since shortly after joining this forum... and I've been using it steady as my main OS for a month or two now. No problems of any kind (other than some bugs in my specific Puppy version of choice, that I was able to work around) that I couldn't attribute to my own occasional stupidity
starhawk wrote: to click on one of those "you just got a free e-card" links in my email.
Yes, that's really funny.
So it happened to me at the end of the year 2000 or beginning of 2001.
Everyone did send e-cards then.
I was totally inexperienced and did a search for an anti-virus program especially for this virus, that has overcome my computer's data.
Found one.
Did erase almost everything from HD what was existing!
p310don wrote: Can everyone who has used puppy for years please detail the hacks they have been victims of please?
1) My wife keeps using my Puppy PC when her Win7 PC is non-functional with virus problems
2) My daughter keeps using my Puppy PC while her XP PC is unusable during system updates
3) My son keeps using my Puppy PC while he is doing a system restore on his Win7 netbook.
Why do these hacks keep using my machine?? I'm seriously thinking of ditching my Puppy PC so I can get some work done.
Maybe the right question is why puppy lost multiuser option if it can have it almost without adding extra size? It still can use autologin as root.
I know the usual answer - Do not use Puppy if you need user account!
I also hate to type sudo and like to use root account.
But the question is still there:
Why puppy lost multiuser support if it adds almost nothing to the size and it will bring new users attention to puppy linux?
What will Puppy lose if it has multiuser support? Nothing.
What is lost since it doesn't? More Puppy linux users.
Toni
Quote: Why puppy lost multiuser support if it adds almost nothing to the size and it will bring new users attention to puppy linux?
question for barry really.
Multiuser changes add nothing in themselves.. just script changes...busybox init can handle it. Many puppy scripts are coded for root rather than ~ so that's a bit of a sticky point... better desktop managers like XFCE4 are easier to deal with.
For the full job there needs to be a nice login manager (slim I used), better login apps rather than tinylogin, and a skel folder for user profile creation. That adds up to ~ 500k uncompressed.
that's it really
mike
All of those are true saintless, well puppy actually didn't lose multiuser support, technically speaking you can still add/remove users but you can't run Xorg and gui apps.
The reason for this are choices Barry made when creating puppy scripts and way of working.
Permissions for various devices and places are not set so another user can access them and a lot of puppy scripts use hardcoded /root directory for configuration instead of $HOME.
There were several puplets that made workarounds for these limitations (grafpup on 1.x series, pizzasgood's 4.21 multiuser, I even have it kinda working on dpup486 now, you can test if you like)
But these fixes are individual per puplet and would need to be implemented in puppy skeleton/woof.
Later Barry was experimenting with fido/spot but he used the wrong approach by assigning them to the same home directory as root.
(It's not only about restricted user security it's also about having separate configs and separate home directories)
I don't know how much additional mess that added to scripts but it could be fixed.
I'm actually thinking of joining that woof-CE project and start implementing some small fixes to scripts for multiuser. It wouldn't be hard to do if other developers accept the idea.
Even I'm sometimes joking about not using puppy for other than root I also think that it's a shame not to have this ability.
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]
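The hard-coded /root versus $HOME issue raised in the post above is something that can be audited mechanically before any multiuser work. The script below is an added example, not code from Puppy, woof-CE or any poster in this thread; the function names and the sample scripts it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: list hard-coded /root paths in shell scripts.
# Sample files below are constructed for the demo; they are not Puppy's scripts.

# Print "file:line:text" for each non-comment line that uses /root as a path.
find_hardcoded_root() {
    find "$1" -type f | sort | while IFS= read -r f; do
        # Only inspect files whose first line is a shell shebang.
        head -n 1 "$f" | grep -q '^#!.*sh' || continue
        # /root must start a path (so /mnt/rootfs is ignored);
        # lines that are pure comments are dropped.
        grep -nE '(^|[^A-Za-z0-9_./-])/root(/|[^A-Za-z0-9_.-]|$)' "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
    done
}

count_hardcoded_root() { find_hardcoded_root "$1" | wc -l | tr -d ' '; }

# Build a throwaway directory with constructed sample scripts; prints its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/setwall.sh" <<'EOF'
#!/bin/sh
# stores settings under /root/.config
CONF="/root/.config/wallpaper"
cp "$1" /root/Choices/bg.jpg
mount /dev/sda1 /mnt/rootfs
EOF
    cat > "$d/portable.sh" <<'EOF'
#!/bin/sh
CONF="$HOME/.config/wallpaper"
cp "$1" "$HOME/Choices/bg.jpg"
EOF
    printf 'edit /root/.jwmrc by hand\n' > "$d/notes.txt"
    echo "$d"
}

sample_dir=$(make_samples)
find_hardcoded_root "$sample_dir"
echo "hard-coded /root references: $(count_hardcoded_root "$sample_dir")"
rm -rf "$sample_dir"
```

Each reported line is a place where a non-root account would either fail on permissions or share root's configuration; replacing the literal with $HOME is the per-script fix the post describes.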