greengeek wrote:
rufwoof wrote: Adding rover to group video gets rid of the messages.
Sorry for my ignorance - could you suggest how this is done please? cheers!
Once you've created a container for sakura, open that and it will be running as root with q.sfs as the bottom layer and its own container's .xsession folder at the top to store changes. Very much like running a normal session. As root, running
addgroup audio rover for instance will set user rover belonging to both netshare and audio groups (it's set to be in group netshare as part of the standard build).
What I then did was copy .gtkrc-2.0 ... and whatever over from /root to /home/rover within the container and then chown'd all files under that chown -R rover:netshare /home/rover along with chmod'ing /root /mnt so rover can't access /root or /mnt and also set a password for rover using passwd rover ... and entering a password twice.
So conceptually user rover can be run as though a normal user, but it's running inside a container with its own q.sfs and .xsession file/folder stack.
I then created a .bashrc in the container's /root folder where my current content for that looks like
Code:
#############################################################
#
# NOTES
#
#CAP_NET_ADMIN - Perform various network-related operations - interface configuration - administration of IP firewall, masquerading and accounting - modify routing tables - bind to any address for transparent proxying - set type-of-service (TOS) - clear driver statistics - set promiscuous mode - enabling multicasting - use setsockopt() for privileged socket operations
#CAP_NET_BIND_SERVICE - Bind a socket to Internet domain privileged ports (less than 1024)
#CAP_SYS_ADMIN - Very powerful capability, includes: - Running quota control, mount, swap management, set hostname, ... - Perform VM86_REQUEST_IRQ vm86 command - Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects - Perform operations on trusted.* and security.* extended attributes - Use lookup_dcookie
#CAP_SETPCAP - Allow the process to add any capability from the calling thread's bounding set to its inheritable set, and drop capabilities from the bounding set (using prctl()) and make changes to the securebits flags.
#CAP_SYS_BOOT Use reboot() and kexec_load()
#CAP_SYS_CHROOT Use chroot()
#CAP_SYS_MODULE - Load and unload kernel modules
#CAP_SYS_RESOURCE - Another capability with many consequences, including - Use reserved space on ext2 file systems - Make ioctl() calls controlling ext3 journaling - Override disk quota limits - Increase resource limits - Override RLIMIT_NPROC resource limits
#
#############################################################
# Option here to access the container as a normal root type session for admin purposes
echo "Press the 'r' key to enter root userid mode."
echo "Any other key or wait 2 seconds for rover userid mode"
read -t 2 -n 1 R
if [ "$R" = "r" ]; then # ensure permissions of files are 'normal' and drop to standard shell
DISPLAY=:0 export DISPLAY
# chmod 755 /usr/sbin
# chmod 755 /sbin
# chmod 755 /bin/busybox
# chmod 755 /bin/chmod
# echo "if you're seeing errors from chmod permissions then you haven't deleted"
# echo "something like /mnt/wkg/containers/sakura/.session/bin/chmod"
# echo "so that prior q.sfs chmod permissions show through to the top layer"
/bin/sh
exit
fi
#########################################################
#
# Or we drop into a rover userid shell, where root is extremely limited bordering on
# ineffectual, so even if a browser or other break out occurs elevating privileges is
# difficult and even if root level authority in the container is achieved that is pretty
# much useless
#
#########################################################
# Note with the permissions we set, tail and tr functions are unavailable (being in busybox)
# and /etc/profile sets the DEFAULTBROWSER ... etc. type environment variables using those
# functions so in this container they are all empty i.e. runs
#DEFAULTBROWSER="`cat /usr/local/bin/defaultbrowser | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTDRAW="`cat /usr/local/bin/defaultdraw | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTHTMLEDITOR="`cat /usr/local/bin/defaulthtmleditor | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTMEDIAPLAYER="`cat /usr/local/bin/defaultmediaplayer | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTPAINT="`cat /usr/local/bin/defaultpaint | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTSPREADSHEET="`cat /usr/local/bin/defaultspreadsheet | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTTEXTEDITOR="`cat /usr/local/bin/defaulttexteditor | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTWORDPROCESSOR="`cat /usr/local/bin/defaultwordprocessor | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTIMAGEVIEWER="`cat /usr/local/bin/defaultimageviewer | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#DEFAULTIMAGEEDITOR="`cat /usr/local/bin/defaultimageeditor | tail -n 1 | tr -s " " | cut -f 2 -d " "`"
#export DEFAULTBROWSER DEFAULTDRAW DEFAULTHTMLEDITOR DEFAULTMEDIAPLAYER DEFAULTPAINT DEFAULTSPREADSHEET DEFAULTTEXTEDITOR DEFAULTWORDPROCESSOR DEFAULTIMAGEVIEWER DEFAULTIMAGEEDITOR
. /etc/profile >/dev/null 2>&1 # avoid showing all the tr and tail errors
#########################################################
#v1.0.5 need to override TERM setting in /etc/profile...
#export TERM=xterm
# ...v2.13 removed.
#export HISTFILESIZE=2000
#export HISTCONTROL=ignoredups
#...v2.13 removed.
#Number SIG Meaning
#0 0 On exit from shell
#1 SIGHUP Clean tidyup
#2 SIGINT Interrupt
#3 SIGQUIT Quit
#6 SIGABRT Abort
#15 SIGTERM Terminate
# define the handler before installing the trap
finish()
{
exit
}
trap finish 0 1 2 3 6 15
# Haven't got this working yet as permission denied to create
# folders under /sys/fs/cgroup !!!
#mkdir /sys/fs/cgroup/memory
# limit container memory to 1GB
#echo "100000000" > /sys/fs/cgroup/memory/memory.limit_in_bytes
# Limit CPU share to 50% (1024 being 100%)
#echo 512 > /sys/fs/cgroup/memory/cpu.shares
# set the current PID to adopt that group
#echo $$ > /sys/fs/cgroup/memory/tasks
# May already be set, so redirect so stderr not showing
#chmod 700 /root >/dev/null 2>&1
#chmod 000 /usr/sbin >/dev/null 2>&1
#chmod 000 /sbin >/dev/null 2>&1
#chmod 000 /bin/busybox >/dev/null 2>&1
#chmod 000 /bin/chattr.e2fsprogs >/dev/null 2>&1
#chmod 000 /bin/dd >/dev/null 2>&1
#chmod 000 /bin/kmod >/dev/null 2>&1
#chmod 000 /bin/login >/dev/null 2>&1
#chmod 000 /bin/mount >/dev/null 2>&1
#chmod 000 /bin/mount-FULL >/dev/null 2>&1
#chmod 000 /bin/pupkill >/dev/null 2>&1
#chmod 000 /bin/umount >/dev/null 2>&1
#chmod 000 /bin/umount-FULL >/dev/null 2>&1
#chmod 000 /bin/chmod >/dev/null 2>&1
chmod o-wrx /mnt /root /sbin /bin/busybox /bin/kmod /usr/sbin /bin/chattr.e2fsprogs /bin/login \
/bin/mount /bin/mount-FULL /bin/pupkill /bin/umount /bin/umount-FULL /bin/chmod
HOME=/home/rover export HOME
DISPLAY=:0 export DISPLAY
XDG_DATA_HOME=/home/rover/.local/share
GTK2_RC_FILES=/home/rover/.gtkrc-2.0
USER=rover
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
XFINANSDIR=/home/rover/.xfinans
XDG_CONFIG_HOME=/home/rover/.config
XDG_CACHE_HOME=/home/rover/.cache
LOGNAME=rover
# export so the capsh'd /bin/sh (not a login shell, so .profile isn't read) inherits them
export XDG_DATA_HOME GTK2_RC_FILES USER PATH XFINANSDIR XDG_CONFIG_HOME XDG_CACHE_HOME LOGNAME
cd /home/rover
capsh --drop=cap_chown,cap_sys_admin,cap_sys_chroot,cap_net_admin,\
cap_net_bind_service,cap_sys_boot,cap_sys_module,\
cap_sys_resource,cap_setpcap,cap_setgid,cap_setuid,\
cap_sys_rawio,cap_mknod,cap_net_raw,cap_audit_control,\
cap_mac_override,cap_mac_admin,cap_syslog,cap_audit_read,\
cap_audit_write,cap_fsetid --keep=1 --user=rover --uid=1003 -- -c /bin/sh --
exit
#############################################################
NOTE: I've separated the capsh single line into multiple lines in the above, otherwise the forum's thread width expands out to be way too wide a display, i.e. all of those capsh values starting from capsh --drop= are on a single line.
So when the container starts (and is running as root) it rolls through that and either runs /bin/sh if r is pressed within 2 seconds or otherwise falls through to run /bin/sh as rover that has been capsh'd quite heavily. So if I want to install firefox I'd use that r option and install (extract) firefox under /usr/libs ... or otherwise don't use the r option and just run firefox as rover (run /usr/lib/firefox/firefox).
To get sound working you have to install Oscar's apulse and edit/create a user.js file under /home/rover/.mozilla/... sub folder (as per how other threads describe to get apulse and firefox sound working).
Very much a case of rover (or it could be spot or fido) can be made to actually work in a 'puppy' now.
In my prior 0.9 version, as part of that .bashrc I severely crippled the container, such as setting /sbin to no permissions even for root along with other files/folders, but that's only appropriate once you've set everything up as afterwards it's pretty fixed/difficult to change. That way even if a privilege elevation from rover to root occurred inside the container, then that's still pretty much useless. You could reset the permissions from the main session however, i.e. something like chmod'ing /mnt/sda2/easy/easy-0.91/containers/sakura/.session/sbin ... or simply just delete sbin in that folder so the q.sfs version shines through as the top level.
EDIT: Nearly forgot. I also create a .profile in the container's /home/rover folder containing
Code:
DISPLAY=:0 export DISPLAY
HOME=/home/rover export HOME
XDG_DATA_HOME=/home/rover/.local/share export XDG_DATA_HOME
GTK2_RC_FILES=/home/rover/.gtkrc-2.0 export GTK2_RC_FILES
XFINANSDIR=/home/rover/.xfinans export XFINANSDIR
XDG_CONFIG_HOME=/home/rover/.config export XDG_CONFIG_HOME
XDG_CACHE_HOME=/home/rover/.cache export XDG_CACHE_HOME
so as to set up its environment.
That could all be created and made into a sfs I guess, so a basic rover command prompt could be more easily shared around/installed by others. Also the capsh command could be set to run firefox by default rather than /bin/sh i.e. the second parameter from the end of that long command line.
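As an added check for the capsh drop described in the .bashrc above (example code, not from the post or from EasyOS): this script decodes a capability mask such as the CapBnd/CapEff hex value in /proc/self/status and reports which of the dropped capabilities are still present. The capability bit numbers come from the kernel's linux/capability.h; the DROPPED list mirrors the --drop= argument in the .bashrc.

```shell
#!/bin/sh
# Added example, not from rufwoof's post: check a Linux capability mask (as shown in
# /proc/<pid>/status) against the capabilities the .bashrc above asks capsh to drop.

# Capability bit numbers from <linux/capability.h>, spelled the way capsh takes them.
cap_number() {
    case "$1" in
        cap_chown) echo 0 ;;        cap_fsetid) echo 4 ;;         cap_setgid) echo 6 ;;
        cap_setuid) echo 7 ;;       cap_setpcap) echo 8 ;;        cap_net_bind_service) echo 10 ;;
        cap_net_admin) echo 12 ;;   cap_net_raw) echo 13 ;;       cap_sys_module) echo 16 ;;
        cap_sys_rawio) echo 17 ;;   cap_sys_chroot) echo 18 ;;    cap_sys_admin) echo 21 ;;
        cap_sys_boot) echo 22 ;;    cap_sys_resource) echo 24 ;;  cap_mknod) echo 27 ;;
        cap_audit_write) echo 29 ;; cap_audit_control) echo 30 ;; cap_mac_override) echo 32 ;;
        cap_mac_admin) echo 33 ;;   cap_syslog) echo 34 ;;        cap_audit_read) echo 37 ;;
        *) return 1 ;;
    esac
}

# mask_has_cap HEXMASK CAPNAME: succeeds when that capability's bit is set in the mask.
mask_has_cap() {
    n=$(cap_number "$2") || return 2
    [ $(( (0x$1 >> n) & 1 )) -eq 1 ]
}

# still_present HEXMASK CAPNAME...: prints each named capability the mask still holds.
still_present() {
    mask=$1; shift
    for c in "$@"; do
        mask_has_cap "$mask" "$c" && echo "$c"
    done
    return 0
}

# proc_cap_mask SET: reads CapEff, CapPrm or CapBnd of this shell from /proc (Linux only).
proc_cap_mask() {
    awk -v key="$1:" '$1 == key { print $2 }' /proc/self/status
}

# The capabilities the .bashrc above drops; every name here should be absent in rover's shell.
DROPPED="cap_chown cap_sys_admin cap_sys_chroot cap_net_admin cap_net_bind_service
cap_sys_boot cap_sys_module cap_sys_resource cap_setpcap cap_setgid cap_setuid
cap_sys_rawio cap_mknod cap_net_raw cap_audit_control cap_mac_override cap_mac_admin
cap_syslog cap_audit_read cap_audit_write cap_fsetid"

# Run with --check inside the rover shell: any name printed means the drop did not take.
if [ "${1-}" = "--check" ]; then
    still_present "$(proc_cap_mask CapBnd)" $DROPPED
fi
```

Running it as `sh capcheck.sh --check` from the capsh'd rover shell should print nothing; the same command from the root shell (the 'r' option) prints the whole DROPPED list.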