nooby wrote:
> ...keep them also for root...
No, root may and can do everything, including viewing of pictures of all users
Browse as user "Spot"
- L18L
- Posts: 3479
- Joined: Sat 19 Jun 2010, 18:56
- Location: www.eussenheim.de/
L18L refer to these exchanges
http://murga-linux.com/puppy/viewtopic. ... 665#515665
Sorry I am always confusing
I use Google Search on Puppy Forum
not an ideal solution though
But I did try to follow what rcrsn51 wrote but maybe something in my set up here made it to fail or some space in the code whatever. the bsafe never got created.
I can start with spot again though.
okay about root I still have the problem that my body will not be able to refrain from starting browser as root. it don't ask my permission it just go doing it and then later I realize that hours has gone by as root
nooby wrote:
> But if it is vulnerable to attack then what is the usage? I mean that was why we wanted to be spot in the first place :) To get away from such vulner things
Again, this is the crucial issue. There is nothing magic about the user spot. If you let a piece of malware into your system (like a script off a web page) that wants to delete or alter your files, it doesn't matter who you are logged in as. It can change any file that it has permission to do so. If it is running as spot (or any other unprivileged user) it can delete ANY file belonging to that user. But it cannot change your system files or start a malicious process like a bot. (This presumes that the malware didn't gain privilege elevation through some other method.)
But if you are running your browser as root, the malware can attack any file owned by root - which is all of them!
Consider what happens in Windows. If you are like many people and routinely login as the admin user, then a malicious script has full rights to your file system. That's how it inserts itself into the Windows registry and numerous other spots.
Personally, I have come to accept bugman's view of Internet security. The single most important thing you can do is control web page scripting.
What is a mystery to me is why Firefox's implementation of Javascript is still so vulnerable to exploits. Does anyone have an explanation for this?
I would love to migrate to using spot as often as possible but latest failure makes me have severe headache Wow it was much more difficult than I thought.
What about the advice to just drag default browser icon to spot? and then it is owned by spot or something? maybe that is the easiest if I find the right icon that is. is it the one named Browse on the Desktop?
so I create a dir on mnt/home and go into permissions and tell it to be owned by spot? I change password for spot and for root too and then it should just work?
okay I need to move the .mozilla dir to spot too.
nooby wrote:
> I would love to migrate to using spot as often as possible but latest failure makes me have severe headache Wow it was much more difficult than I thought.
> What about the advice to just drag default browser icon to spot? and then it is owned by spot or something? maybe that is the easiest if I find the right icon that is. is it the one named Browse on the Desktop?
> so I create a dir on mnt/home and go into permissions and tell it to be owned by spot? I change password for spot and for root too and then it should just work?
> okay I need to move the .mozilla dir to spot too.
Hi, nooby. Open this file with any file editor:
/usr/local/bin/defaultbrowser
It should contain this:
Code:
exec firefox "$@"
Code:
exec su spot -c firefox "$@"
Luluc thanks for wanting to sort things out but ...
Yes but the code from rcrsn that I used in rxvt deleted user spot and created a new one and then I due to ADHD deleted that dir at mnt/home so I need to know how to recreate that again and move the .mozilla dir to that one and it should be owned by spot and have the right permission and so on.
in what order should I do all of that then?
nooby wrote:
> Luluc thanks for wanting to sort things out but ...
> Yes but the code from rcrsn that I used in rxvt deleted user spot and created a new one and then I due to ADHD deleted that dir at mnt/home so I need to know how to recreate that again and move the .mozilla dir to that one and it should be owned by spot and have the right permission and so on.
> in what order should I do all of that then?
You deleted /mnt/home/spot? After you had moved .mozilla from /root to /mnt/home/spot? So, do you still have .mozilla anywhere? I am afraid you may have deleted all copies of it.
rcrsn51 wrote:
> @nooby: This is far too confusing. I would suggest that you leave this issue for now and come back tomorrow when clearer heads may prevail.
> I would also suggest that you set up a test install with a fresh pupsave file.
I agree. But it doesn't have to be a completely new pupsave file. It can be any other recent one. I suspect that nooby is doing all this experimentation on expendable copies of her actual pupsave file.
BTW, I'm signing off for today. Can't help anymore.
Here is my solution, I created a new lupu513 subdir based on Snowpu5 and named it snow5spot to know it is prepared to be a spot browser thing.
I used a copy of a backup pupsavefile so what should I do now?
this one has .mozilla on the root and not on mnt/home
I just noticed this thread, and just looked briefly at the first few posts. Since I use spot with sudo and a designated home directory, I'll briefly weigh in. Running a downloaded copy of Firefox from Spot from a terminal is no problem...it will install new config directories in home. If I run from root, it will use .mozilla in /root.
The underlying principle running with non-root user is that basically you start from scratch setting up apps, unless you want to go through the hassle of changing permissions, etc. It's often just easier to run the apps from root unless you have a specific reason not to. Puppy works great the way it is for most users.
- Bernie_by_the_Sea
- Posts: 328
- Joined: Wed 09 Feb 2011, 18:14
Javascripts have a number of inherent limitations in them to prevent them from doing malicious things to a network, so at best it can snoop around, issue commands to anything that's not password protected and has a web interface (Assuming it can identify it), etc. Having a rogue Javascript operating in your browser environment is nothing to lose sleep over.
Javascript has been around for over a decade now, and is almost universally enabled by web users. There's a reason why Javascript exploits are almost never attempted: they're not only screamingly obvious and leave a nasty paper trail, but their scope is extremely limited and their chances of finding a successful target quite low. There are any number of better, safer ways to attack a person with absolutely no security sense.
> Does only accessing the internet on a user account help protect against this?
> Well it's a good idea for a lot of other reasons, but no. A Javascript has absolutely no direct access to the system it's running on, so it's no less secure if you're running as root.
Emphasis added. Above quotes from:
http://anti-state.com/forum/index.php?b ... adid=17522
@nooby: The technique of creating a new unprivileged user whose home directory is in /mnt/home won't work for you. It requires that /mnt/home be formatted with a Linux filesystem like ext. You don't have this.
Also, trying to symlink spot's .mozilla profile into /mnt/home won't work either. Spot doesn't have write permission there.
Thanks that explains it then.
I could still run FF as spot though but Spot will be a sub to root? and anything saved that I want to be outside of mnt/home I have to go there as root and move out of spot?
It would still add to security from injection code?
nooby wrote:
> I could still run FF as spot though but Spot will be a sub to root?
Correct. If you check the properties of the folder /root/spot, you will see that it is owned by spot. That's the only place that spot has permission to save files, other than special locations like /tmp.
> and anything saved that I want to be outside of mnt/home I have to go there as root and move out of spot?
Correct. If you are running your browser as spot, you cannot automatically download a file to /mnt/home. Spot does not have write permission on that folder.
> It would still add to security from injection code?
I'm still not clear on that issue. Firefox is constantly releasing updates to fix various security issues. Since most Linux users are unprivileged, one could conclude that even though you are running the browser unprivileged, you are still vulnerable. Or maybe those updates really only apply to Windows users.
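The ownership rule discussed above (a process running as spot can write only where spot's uid, gid or the "other" mode bits allow it) can be checked path by path. The shell functions below are an added example, not code from any post in this thread; the names has_write, can_delete and audit are made up for it, and it assumes a `stat` that accepts `-c` (GNU or BusyBox) and looks only at owner, group and mode bits.

```shell
#!/bin/sh
# Added example (not from the thread). Judges access from owner, group and
# mode bits only: no ACLs, no supplementary groups, no read-only mounts.

# has_write UID GID PATH: exit 0 if that uid/gid may write to PATH.
has_write() {
    hw_uid=$1 hw_gid=$2 hw_path=$3
    [ -e "$hw_path" ] || return 2
    [ "$hw_uid" -eq 0 ] && return 0            # root bypasses the mode bits
    set -- $(stat -c '%u %g %a' "$hw_path")    # owner uid, group gid, octal mode
    hw_mode=$((0$3))
    if [ "$hw_uid" -eq "$1" ]; then
        [ $(( (hw_mode >> 6) & 2 )) -ne 0 ]    # owner class decides
    elif [ "$hw_gid" -eq "$2" ]; then
        [ $(( (hw_mode >> 3) & 2 )) -ne 0 ]    # group class decides
    else
        [ $(( hw_mode & 2 )) -ne 0 ]           # "other" class decides
    fi
}

# can_delete UID GID PATH: deleting needs write access to the parent
# directory, not to the file. In a sticky directory such as /tmp only the
# owner of the file or of the directory (or root) may delete.
can_delete() {
    cd_uid=$1 cd_gid=$2 cd_path=$3
    cd_dir=$(dirname "$cd_path")
    has_write "$cd_uid" "$cd_gid" "$cd_dir" || return 1
    [ "$cd_uid" -eq 0 ] && return 0
    cd_dmode=$((0$(stat -c '%a' "$cd_dir")))
    [ $(( cd_dmode & 01000 )) -eq 0 ] && return 0
    [ "$cd_uid" -eq "$(stat -c '%u' "$cd_path")" ] ||
        [ "$cd_uid" -eq "$(stat -c '%u' "$cd_dir")" ]
}

# audit UID GID PATH...: print "write" or "no-write" for each path.
audit() {
    au_uid=$1 au_gid=$2; shift 2
    for au_p in "$@"; do
        if has_write "$au_uid" "$au_gid" "$au_p"; then au_r=write; else au_r=no-write; fi
        printf '%-9s %s\n' "$au_r" "$au_p"
    done
}

# Demo with the current user. On Puppy one would compare, for instance:
#   audit "$(id -u spot)" "$(id -g spot)" /root/spot /mnt/home /tmp /etc/passwd
audit "$(id -u)" "$(id -g)" "${HOME:-/}" /tmp /etc/passwd
```

Passing uid 0 reports every existing path as writable, which is the difference between browsing as root and browsing as spot that the thread keeps returning to.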
- Bernie_by_the_Sea
rcrsn51 wrote:
> So if Javascript isn't the culprit, then what content on a web page is capable of changing the Windows registry?
Just about any and all content on a web page is potentially capable of changing the Windows registry. Hint: ANY Mozilla, Firefox, Safari, or Opera plugin (that uses NPAPI which means almost all) is a doorway to access the registry.
Keep in mind that to change the Windows registry you must first have a Windows registry to change. Even with Wine, the Windows registry that Wine accesses is not the real registry but rather the one stored in Wine itself. Changes to the registry there affect only apps running in Wine. How many running Linux in general and Puppy in particular have a Windows registry on their computer? Hint: a drive must be mounted to write to it.
Keep in mind that javascript cannot exceed the browser’s level of security (and this has nothing to do with running as root). The only thing a browser can write to is a cookie. The only thing a browser can communicate with is the server. The only data manipulation a browser can do is to the object model of the web page (used with forms and the like).
Note: To avoid teaching hacker/crackers I give only hints that might be used by defenders against hacker/crackers. Discussing things like web pages modifying the registry is dangerous in itself.
Another hint: Here's a handy plugin that can reach the registry on a computer where there are zero root/administrative rights. https://addons.mozilla.org/en-US/firefo ... n-regedit/
OK, here's an experimental version of Browsesafe
It attempts to address some of the things being discussed here, such as other users than spot (an option) and installing config folder outside the savefile (another option). It all takes place at install time with a comprehensive GUI. It takes into account what type of install you have.
Be warned that for success you will probably have to delete any .mozilla files in /root/spot. Also it is experimental. Lots of stuff is going on behind the scenes in that install script so I have tried to be efficient.
Have fun
newer version, fixed bernie's bug and minor ntfs bug, added puninstall script to advise on some manual cleanup
Last edited by 01micko on Mon 25 Apr 2011, 00:54, edited 2 times in total.
Puppy Linux Blog - contact me for access