puppy linux security?
Throughout these threads, I was thinking there may be some issues with cupsd. Something I read before. Without doing research, I've been killing it in rc.local
I think one of the first things we should do is rely somewhat on others' research and not try and reinvent the wheel each time we have a security-related question specific to an application.
Before making this post I started cupsd and noted that it's listening on port 631 for both tcp and udp. Then googled for info on cups vulnerabilities.
Here's a link to a CUPS Vulnerability article. In a quick read, I get the impression that for some reason PORT 631 might be a safe listening port for local use. Also, the article contains some links to other related information.
Great Read. Thanks Bruce.
It's fixed in CUPS 1.3.4
http://www.cups.org/articles.php?L508
What version is in Puppy?
Kosh wrote: Oblivious,
You can easily switch that off though, and since you seem the type who's interested in these things I don't see why that would be a problem. It's not a hidden setting.
When I install Firefox in Windows, I get some options during installation - they just installed automatically in Puppy.
Quote: News, or an RSS feed, however, is part of the default package. But again you can easily get rid of it by just deleting it from your bookmark toolbar.
The news is not there in Windows (maybe it was one of the options I rejected?). Thanks for the info - now I can turn it off.
My preference is for programs to tell you what they are doing upon installation and you get the chance to say "yes" or "no" to things you want, or don't want - one, so you know you've got them and two, so you haven't got them if you don't want them. That doesn't happen any more and you get what you are given.
Quote: Regarding FF and weather, that is something that you must have installed yourself, so don't blame FF for it. The weather extension must be installed by the user, it is not part of the program.
I didn't install weather - it's in Seamonkey which is part of one of the Puppies I've been trying.
Interestingly, despite the fact that automatic update is turned off in Windows, Firefox still contacts Mozilla.....
Quote: Oblivious seems concerned about Cups making background connections, yet 95% of people use windows, where it's documented that the OS is doing all sorts of surreptitious things.
The only thing with Windows is that MS and HP are identifiable corporations and I've paid for the program so if they do something outrageous I have the ability to sue them or run screaming to the regulatory authorities. I don't (yet) know who CUPS is, what information goes, or where the information goes.....
Quote: Running any type of computer program involves an element of trust. At some point you have trust that programmers are giving you an untainted product. I mean, have you personally verified that Puppy doesn't contain a backdoor so that The Creator can take over your box at any time?
No, I don't have the technical knowledge to do that - I've come here to ask those who might have that knowledge whether anyone has actually done that.
I agree with you that there is an issue of trust. That trust has been abused by numerous companies and I think it is now reasonable to question what is going on. Even in linux.
muggins wrote: Regardless of OS, isn't there, as a general rule-of-thumb, an inverse relationship between freedom & security?
There needn't be - I think this is what has been fostered over time to get people to give up control of what goes on their computers to MS and others. I still have my computer that runs Windows 98. If you look up the bulletins for the updates to that machine, they explain in some depth what the update is for, unlike the ones now which are so vague and incomprehensible that you end up installing spyware which phones home to MS.
Bruce B wrote: As far as security is concerned - I think technical know how is key.
And I don't have it But I can try to have a clue what's going on so I can notice if something is not as it should be.
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
If 2.17 uses the initd system that 3.xx has, chances are Cups is started from /etc/init.d/cupsd. Anything executable in /etc/init.d gets run with the 'start' option on boot-up (and with the 'stop' option on shutdown). So you could disable it by un-setting the executable bit (chmod 644 /etc/init.d/cupsd, or by right-clicking and going to properties).
Quote: When I install Firefox in Windows, I get some options during installation - they just installed automatically in Puppy.
You haven't told us how you installed it in Puppy. Chances are you used somebody's PETget or dotpup package, in which case it was packaged by people other than Firefox and may include non-default settings and plugins. I get my Firefox straight from the firefox website. It comes as a .tar.gz file. Extract that like this:
tar -xf the_package.tar.gz
Then put the "firefox" folder in /usr/local/ (or anywhere you want, really). Symlink the executable within (named 'firefox') to /usr/local/bin/ by dragging it with the middle mouse button, and choose "relative link" when it prompts.
Presto, firefox is installed. You can drag the executable to the desktop (with the left button) to add a desktop icon. Right-click and go to edit to change the text, and right-click and go to set icon to change the icon (drag any image into the box, and firefox comes with some that work well).
If you ever install flash, put it in /usr/local/firefox/plugins/, and symlink it to /root/.mozilla/plugins/ (/root/.mozilla/ is a hidden directory, so press the "eye" icon on rox's toolbar to show it). You'll probably have to create the "plugins" directory. That should keep it from crashing.
Quote: When I install Firefox in Windows, I get some options during installation - they just installed automatically in Puppy.
Most linux programs don't "install", they just decompress. Good ones like Firefox just need to be decompressed and have the executable symlinked into /usr/bin, and any other tweaks. The packages for specific distros usually take care of that stuff. The good packages take care of it by just including those symlinks in the package, so when it decompresses it adds them automatically.
The stuff in Windows programs that you sometimes get to not install usually comes as separate packages in Linux, unless it's of negligible size. Usually it's things like alternate language support, documentation (if there is a ton of it), development libraries, extra content, etc.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
Quote: You haven't told us how you installed it in Puppy.
I've done it a couple of times - the first time I used a link on the Seamonkey page. The second time I downloaded it from Mozilla.
Quote: The stuff in Windows programs that you sometimes get to not install usually comes as separate packages in Linux
I was talking about the stuff in Firefox - one is DOM inspector, there was something else as well, which I can't remember. I noticed DOM inspector was just there in linux.
I'll install it how you said if I get the energy to try it all again...... Thanks.
Just to add a little more on the CUPS portion of our discussion.
A basic rule is a server can 'bind' on a single IP address or multiple addresses using the same PORT. It appears that cupsd web like server binds on them all.
I can access the local cups web pages in SeaMonkey with the following address:ports:
http://0.0.0.0:631/
http://127.0.0.1:631/
http://192.168.1.100:631/ (my network address)
I didn't test it with my actual Internet address, because I'd have to set the router to forward UDP and TCP to 192.168.1.100:631 (and was too lazy to set it and test, I'll leave that testing to others)
In my case, even if it is listening on the actual Internet address, it is not susceptible to remote exploit because of the router not forwarding packets.
I presuppose Puppy's firewall will block inbounds on PORT 631 unless otherwise told not to.
I also think the cups configuration file can block / allow if set up properly. But can't tell you how and didn't locate the documentation I was looking for.
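The bind behaviour described in the post above (cupsd answering on 0.0.0.0, 127.0.0.1 and the LAN address on port 631) can be read straight from the kernel's socket table. This is an added example, not part of the original thread; the function names and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which local IPv4 addresses hold
# a LISTEN socket on a TCP port, from /proc/net/tcp-format text on stdin.
# Function names and sample data below are constructed for illustration.

# Kernel prints IPv4 addresses as little-endian hex: 0100007F -> 127.0.0.1
hex_to_ip() {
    printf '%d.%d.%d.%d\n' \
        "0x$(printf '%s' "$1" | cut -c7-8)" "0x$(printf '%s' "$1" | cut -c5-6)" \
        "0x$(printf '%s' "$1" | cut -c3-4)" "0x$(printf '%s' "$1" | cut -c1-2)"
}

# One dotted-quad line per socket in state 0A (LISTEN) on decimal port $1.
listeners_on_port() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" '
        $4 == "0A" { split($2, a, ":"); if (toupper(a[2]) == p) print a[1] }
    ' | while read -r hexip; do hex_to_ip "$hexip"; done
}

# all-interfaces: bound to 0.0.0.0, reachable on every address the host has
# specific:       bound to at least one non-loopback address
# loopback-only:  reachable from this machine only
bind_scope() {
    addrs=$(listeners_on_port "$1")
    if [ -z "$addrs" ]; then echo not-listening
    elif printf '%s\n' "$addrs" | grep -qx '0\.0\.0\.0'; then echo all-interfaces
    elif printf '%s\n' "$addrs" | grep -qvx '127\..*'; then echo specific
    else echo loopback-only
    fi
}

# Constructed samples in /proc/net/tcp layout (not captured from a real host).
# Port 631 is 0x0277; the second row of the first table is an unrelated port.
SAMPLE_WILDCARD='  sl  local_address rem_address   st
   0: 00000000:0277 00000000:0000 0A
   1: 0100007F:1F90 00000000:0000 0A'
SAMPLE_LOOPBACK='  sl  local_address rem_address   st
   0: 0100007F:0277 00000000:0000 0A'

printf '%s\n' "$SAMPLE_WILDCARD" | bind_scope 631
printf '%s\n' "$SAMPLE_LOOPBACK" | bind_scope 631
```

On a live system, run `bind_scope 631 < /proc/net/tcp`. This covers IPv4 TCP only; UDP and IPv6 sockets are listed in separate tables under /proc/net.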
Can I just check something about security, and I know no-one can say 100%, but is Puppy almost 100% safe from all spyware and malware on the net that comes in via browser pop-ups and malware designed websites? These sort of threats are threats via the browser, so does the fact that we are using Linux versions of browsers almost completely rule out these threats, or are these malware sites and popups etc also written to target Linux browsers. (I'm using NOP and Opera 9.24)
Also does the same apply to addons to these Linux browsers like Java and flash ?
- Pizzasgood
The browser is one of the weak points, actually. Most attacks that use the browser use ActiveX though, which Linux browsers don't have. But you still need to watch out for Java and JavaScript (Java is the more powerful one). I don't know how much Flash can do, but it wouldn't hurt to be careful with that too.
Plugins are another area that could be exploited.
Personally, I leave all that enabled and haven't had any issues over the last three years or so. But I also don't go to shady sites, and don't use any plugins other than for the search bar.
But many people disable it all and only enable it on a site-by-site basis. There's a plugin called noscripts or something similar which is supposed to help.
And of course, the OS doesn't even really matter when it comes to phishing.
Setecio,
I think the basic potential threat is in the kind of sites you visit. It wouldn't matter if you used this forum with or without defenses in place.
Regarding Flash, the rendering engine is platform specific. That's why you would download Flash for Linux or Windows. The actual web object would be the same for either platform.
As far as JavaScript, the code itself could be written to do different things according to platform and browser. And often is, but not necessarily for malicious reasons.
The scripting itself would be browser specific, Mozilla products use JavaScript. IE, I think uses a different in house version to do the scripting.
Then there are platform vulnerabilities as it relates to the scripting.
Let me give one example of Adobe Reader Vulnerability
This was in January 2007. Later I read that the real problem was with Microsoft although it could be dealt with on the Adobe Reader end. I guess it was first thought to be an Adobe problem.
Could any of this affect us? Well Puppy is not running Microsoft (duh), it doesn't have Adobe Readers either.
I also read about some tricks of similar nature with Flash. But often what I read doesn't give specifics enough to know if it is a Windows only thing.
Pizzasgood says he uses JavaScript and Flash as default and hasn't had problems. I suppose the majority of Puppy users do the same thing and haven't had problems.
For maximum safety I guess it's best to keep applications such as SeaMonkey and Flash up to date, the reason being that they often have security fixes in the newer versions.
I enjoy security and privacy discussions. My main hope is none of us get paranoid. I think we are in a pretty safe little cubby.
Best regards,
Bruce
- yorkiesnorkie
- Posts: 504
- Joined: Mon 04 Jun 2007, 13:11
- Location: George's Island
RE: Assurances
Hi Bruce,
I remember the first time I set up Puppy, 215CE, and then configured my firewall before connecting to the net for the first time. I kept thinking, that's it? The silence was deafening. That's the part which drives us Windows Refugees crazy, because we're terribly used to constantly being harped at about vulnerabilities. Having that "nagging" disappear takes a bit of getting used to. Puppy has made things much better for me personally in that regard. Prudence while using the computer is one thing, paranoia is another. I'm enjoying the peace of mind.
Maybe they should add a third character to those Mac vs PC commercials.
Mac - Hey I'm a Mac
PC - And I'm a PC
Penguin - Move over guys, it's Penguin!
Mac and PC - Not him again!
Yorkiesnorkie
Re: RE: Assurances
Thanks Bruce.
yorkiesnorkie wrote: I remember the first time I set up Puppy, 215CE, and then configured my firewall before connecting to the net for the first time. I kept thinking, that's it? The silence was deafening. That's the part which drives us Windows Refugees crazy, because we're terribly used to constantly being harped at about vulnerabilities. Having that "nagging" disappear takes a bit of getting used to.
Yep .... I'm still in the 'takes a bit of getting used to' process.