Introducing 'fido'

Right from Puppy's inception, we have been criticized for running as root. I have finally decided to offer a choice.

Pizzasgood did a superb job in converting Puppy 421 to multiuser:
http://bkhome.org/archive/blog2/200910/multiuser-puppy.html

Recently, kirk and 01micko have been implementing a web browser running non-root, as user 'spot'. Kirk has done this in FatDog64. 01micko has posted a PET for running Mozilla browsers as spot:
http://www.murga-linux.com/puppy/viewtopic.php?t=57914

Both of the above have issues. Many issues, particularly if logged in as root and trying to run a web browser as spot. Instead, I have implemented a solution in a different way.

Puppy is not multi-user in the normal way. Most users will be running Puppy in a PUPMODE that saves the session to a file, and if you want other family members (for example) to run Puppy on the same computer, they can have their own save-files, with optional encryption.
Or, Puppy is small enough to be able to have multiple installations of Puppy on the same computer, with choice in the GRUB menu at bootup.

At the first shutdown, just before the dialog window comes up to ask which partition you want to save to, another dialog appears that asks if you want to run as administrator (root) or 'fido' -- with some explanation about what this means.

If you choose fido, a script /usr/sbin/root2user is run, which sets up the save file to run as user fido. /etc/inittab is changed to autologin as fido. A password is asked for root.

Note, other distros such as Ubuntu enable a user to go up to root just by prefixing "sudo" before any commands. I have always had my doubts about this, it seems to compromise the whole concept of running as non-root (?), so I have setup Puppy so that any change from fido to root will require the password.

I have created LoginManager in the System menu, that currently only offers a fido user to change back to root permanently.

Most important: both 'root' and 'fido' have /root as the home directory. This avoids many problems.

It works, I get a desktop, but some things need fixing. For example, I can't shutdown unless I 'su' to root, and retrovol fails to start. I will have a bit more of a play, but I might need help from someone who is an expert at configuring permissions/ownership of directories and files in a non-root environment.

All of the above is done in Woof. User fido will be offered in the next Wary alpha/beta.

---

Comments

spot
Username: kirk
I'm not aware of any problems running Firefox as user spot, do it every day. The browser can only save files to directories that spot owns, but that's kind of the point.

Re spot
Username: BarryK
"kirk, I have only tried 01micko's PET, but I did look inside your ISO and it is basically the same setup that 01micko uses. SM 1.1.18 renders incorrectly, draws the status-bar halfway down the window. Font antialiasing doesn't work. I wasn't able to get any theme other than default. If you are able to get the browser running nicely as spot, then that is great. With my solution, every app that accesses the Internet will be running as fido. Also, all the resources are available without having to copy things into /root/spot. By default I have set the computer drives as unavailable, but if the fido user knows the root password then can mount and use a drive. With the fido solution, your kids can bootup with their own save-file and be able to surf but not access your hd partitions.

Re spot
Username: BarryK
"I am still interested in the spot solution, if someone can demonstrate the web browser working perfectly in every respect. That would include GTK themes, SSL, font rendering, etc. Plus, a mmechanism for downloading files outside of /root/spot is needed. When I tried 01micko's symlink idea it didn't work, which I didn't think you can do anyway, but maybe you can and I did it wrong.

Re spot
Username: BarryK
"Something that many of us need: drag-and-drop browser to the desktop and other rox windows. Many users expect this, and won't be happy if they can't do it.

Permissions
Username: Iguleder
"Barry, I faced the same problems in Calf Linux. [b]Exactly the same issues![/b] I made it run under a regular user named "calf" and it could not play audio and access partitions because they had the wrong permissions. I solved these problems using /etc/busybox.conf (which gives root permissions to executables, no matter who runs them) and "chmod 4755 /bin/busybox". This allows all users to mount, shutdown, run "su", etc'. Also, make sure device nodes have the right permissions, using either udev rules or extra code in the init scripts. Your idea to use /root for both users is simply great. A single "chown -R" command will fix all permissions.

Re grafpup
Username: BarryK
"Ah, yes, of course Nathan's Grafpup, I forgot about that. I think that 2.0 was the last version. Hmmm, but where to download from? Found it: http://www.findthatfile.com/search-824049-fISO/software-tools-download-grafpup-2-00-seamonkey-iso.htm After grafpup.org went under, the iso's used to be hosted at puppylinux.ca, but that is gone too. Iguleder, Yes, using /root for fido is such a simple thing to do, bypasses all the problems that pizzasgood and nathan had to go through with a different home directory. I tried setting /sbin/reboot as suid, but that doesn't work, and I don't understand why not. My understanding is that suid would enable /sbin/reboot (or /sbin/poweroff) to run as though it is root. I am groping around in the dark a bit here. Tonight I shall be studying nathan's handiwork! I recall, nathan is a very clever guy, did great work with Grafpup. It is unfortunate that he had to give up working on Grafpup.

Grafpup 2.00
Username: BarryK
"I have downloaded it, looked inside the iso. As far as I can see, multiuser is not implemented, login is as root. So, did nathan only implement multiuser for 2.01beta? I can't find anywhere to download 2.01beta.

Puppy compromised - When - Where?
Username: cthisbear
" "Right from Puppy's inception, we have been criticized for running as root. " """"""""""" Which has made it so easy to use. Which makes it such a great rescue disk. Ignore the blowhards. These are the same chimps who logged onto a wireless hotspot at their own Security Conference. Do goods who don't follow their own rules. You are above this blind sided crap BK. Chris.

Puppy root is great
Username: Tony
"Hi Barry, Puppy running as root has always been a MAJOR selling point for me, no "You don't have permissions" etc, also having icons on the desktop to mount ANY filesystem (would be nice to have automount) is a major plus. Keep up the great work!

Grafpup 201b
Username: JB
"Barry, I have both Grafpup 201a and 201b on my hard drive. Do you have a place to upload so I could get them to you?

grafpup
Username: mavrothal
"The svn is still up http://grafpup-linux.googlecode.com/svn/trunk/

grafpup
Username: wombat01
"JB I can give you some space on smokey01.com if you like although I'm sure Barry has space somewhere. Smokey01

re permissions
Username: L18L
"(an expert is a beginner with experience) read somewhere on the forum Introducing the use of [b]group[/b] might solve some of the problems with neither SUID nor SGID . [code]whoami addgroup root root addgroup spot root echo echo this file owned by root executed by spot.> perm750 chmod 750 perm750 ls -l perm750 su spot whoami /root/perm750 [/code] Poweroff: su spot # /bin/busybox reboot reboot: Operation not permitted Seems to me that this is builtin busybox My Regards spot

Thoughts about sudo
Username: Matt Newell
"Barry, Sudo asks for the user password before it will run. This means you know you are going to do something that could break the system (kind of a warning), but you still have control. If you're not sure of what you're doing, STOP. The best part of being a user is that you can't destroy the system (although your area could be toast). I remember Windows being in essence root and many was the time I accidentally wiped stuff from the system that I really, REALLY needed or that was needed by the system (oops! Reinstall!). You have to use sudo to install programs, but that is OK since you know what you want and once the program is installed the system is secured again. Matt

Never safe?!
Username: Sage
""..many was the time I accidentally wiped stuff from the system that I really, REALLY needed.." 'Stuff' isn't wiped from your HD, it is just marked available, ie for overwriting. "Not everybody knows that". It used to be easy to recover stuff from DOS. It can still be done but isn't always so easy without deep access utilities. Never used XP seriously so not sure whether the 'go-back' utility stores [i]all[/i] data? Many crooks have been caught because they believed they had 'deleted' their contacts list. Forensic specialists can often recover sufficient overwritten data to convict, too (not all of the previously used space is necessarily re-used immediately- depends on file size, contiguousness, defrag algorithm, etc.) Not sure how SSD s behave, nor anything about Unix/Linux systems, but a guru is about to tell us all.

Audio
Username: Dougal
"Barry, you need to create "audio" and "video" groups and then add spot to them. Same with mounting. Just look in /etc/group in Ubuntu etc.

Sound in Spot
Username: perthie
"In both Wary 5.11 and Quirky 1.3, I could not get sound in Spot. I fixed it by increasing permissions. [b]chmod -R o+rw /dev[/b]

some details
Username: scottman
"As you are using the same dir (/root) for ll users, does this mean that different users cannot have different GTK themes, Xorg configs, WM settings and so on? Sorry if this is explained somewhere, but what is fido allowed to do? And what is fido NOT allowed to do? Presumably fido cnnot use the PPM, load SFS, what else?

The Marching Morons
Username: cthisbear
" You need to do some reading up BK. You have been conned by con artists. """"""""""" Cyril M. Kornbluth [b] The Marching Morons[/b] The solution " Barlow derives a solution based on his experience in scamming people into buying worthless land and knowledge of lemmings' mass migration into (and subsequent drowning in) the sea: convince the morons to travel to Venus in spaceships that will kill their passengers once they fly out of view of land (possibly, the story implies, because they are built by morons, though obtaining consistent destruction in the proper flight phase might be beyond their competence) [b]The con[/b] In a twist of irony, Barlow, a conman, is conned by his erstwhile assistants. " http://en.wikipedia.org/wiki/The_Marching_Morons Regards and best wishes...as usual. Chris.

grafpup 2.00
Username: disciple
"> I have downloaded it, looked inside the iso. As far as I can see, multiuser is not implemented, login is as root. So, did nathan only implement multiuser for 2.01beta? No, 2.00 was supposed to be multiuser.

windows restore points
Username: disciple
"> Never used XP seriously so not sure whether the 'go-back' utility stores all data? No, it does not. And FWIW it is rubbish - as likely to break your system as to fix it.

Busybox shutdown
Username: BarryK
"scottman, You haven't read my first post carefully enough. There is only one non-root user, fido. Dougal, No, reboot and poweroff don't work. Pizzasgood went to the most extraordinary length of running a daemon (as root) to detect when the reboot and poweroff scripts request a shutdown, then run the actual reboot or poweroff -- see his 'power-utils.tar.gz' on this page: http://www.murga-linux.com/puppy/viewtopic.php?t=47410 However, there is another way of doing it. Busybox has CONFIG_FEATURE_SUID_CONFIG, which enables per-applet permissions for non-root user. It is "kind of a poor man's sudo", quoting from Busybox docs. I am recompiling Busybox right now with this feature, will report back soon.

Options are good.
Username: Pizzasgood
"One last time, to all the "OMG STFU r00t 4evar!" people: Having the [i]option[/i] to run as a limited user can be very useful if you want to allow random children (think 3 year olds, or adults with a 3 year old's understanding of computers) to use the computer without much risk of them breaking their OS (and then requiring you to fix it). This is what Fido can help provide. (Yes, long-run you would be well served to teach [i]them[/i] how to fix it when they break it, but perhaps that is a bit much for a 3 year old.) I think it's rather disturbing that people become so opposed to offering [i]options[/i] to those few who might need them just because they themselves do not. It is as though they are opposing a wheelchair ramp. Not nearly that severe of course, but there are very real situations where at least a Fido-level of multiuser can be very helpful, and nobody is forcing you to actually [i]use[/i] it. By all means, take the stairs if you don't like the ramp.

faster Firefox?
Username: broomdodger
"faster Firefox? http://digitizor.com/2011/04/30/ff6-fast-less-sluggish/ Maybe a faster Seamonkey? -Bill

QtWeb Internet Browser
Username: broomdodger
"Do you have any experience with this? QtWeb Internet Browser http://www.qtweb.net/ -Bill

QtWeb Internet Browser
Username: broomdodger
"Forgot to post: Size of executable is 6 MB only, no additional DLLs and other configuration files required

What can fido do
Username: BarryK
"The defaults will have to be decided. There will be a fairly restricted system as default perhaps, but if the user knows the root password then they could access a window to alter what is allowed.

root2user
Username: scottman
"Please can we get a look at the contents of 'root2user' so we can get an idea as to what changes are made to save file setup? and if anything, the other changes required to run as fido? I think Barrys idea of a limited 'fido' user, with the same home dir as root is nice, and easy, and potentially more secure.. I would also agree that auto login fido at boot is the way to go.. better then login screens - very un-puppy! As Barry says, much better to popup a window asking for root password, when required. But does anyone know how you might go about including a simple (xdialog, maybe) popup, that asks to login as root, whenever root privileges are required - such as loading up the PPM, or deleting a file in /usr/sbin, etc, etc? ... Basically, how do you handle allowing/disallowing events or actions that require extra (root) privileges, when logged in as fido?

spot
Username: kirk
"Barry, If you want to see Firefox running as spot try Fatdog64. On the desktop you'll see a folder named Downloads. This folder is owned by spot. It is also used as a shared folder if you start the Samba server. At shutdown, when you create a save file, if the save file is located on a partition that's not NTFS or FAT, you'll be asked if you want to move the Downloads folder to the same place as your save file. Firefox, Xine and the email client all run as user spot. One nice thing about using spot is he can't write to your normal user files, which is all we care about anyway, and he can't su to root even if he knew the password. This is overkill given the total lack of malware we have have to deal with, but maybe one day.

Consider a night at the...
Username: Sage
"...Opera?! Don't know about the details, but Opera claims to have a whole bunch of its own security features. Preferences and 'about' provide masses of settings. Has its own idiosyncrasies, but installs nicely and is liked by a majority of Puppy users according to poll. Runs faster and about the same size as FF. Don't like their email client so have to add another; Claws is my preference.

Groups
Username: Dougal
"Barry, I was talking more about your audio problems and retrovol not working... you need to make sure that /dev/dsp and retrovol have the right group permissions, too. As for shutdown, the reason normal users can't do it is obviously that normal users aren't allowed to poweroff a multiuser computer... from what I recall from hacking the XFCE sources a few years ago, they use su for running the shutdown commands, 'though I guess modern systems use things like pamd (and its replacements).

fido/root/spot
Username: Dejan
"Sorry for not following your blog, found about this fido thing on forums hence the late reply. I'm glad you finally decided to incorporate multiple users but the way you're doing it sounds wrong to me from the very start. fido/root having the same homedir doesn't solve anything and the whole idea about [b]permanent[/b] switching of users also doesn't solve anything as this implies that what you're doing is a quick dirty hacks that will [b]again[/b] just hardcode user paths and scripts and not implement the real thing. Let me explain. For switching users you're not leting user choose on login manager how to login or to make a quick login/logout between users but instead you switch the autologin script to do that automatically on boot if I understood correctly. Bad. Also, having same homedir just makes user run apps as limited user but not having different user customizations. Further I understand that this will not be "multi" but two-user (root-fido) system because adding/deleting or in any way managing of more users will then also be impossible. Sorry, but just my opinion, the way that Nathan or Pizzasgood did it seems more right to me, it may be the harder way but it's the right way of doing things.

sudo
Username: Dejan
"Also, on the sudo thing, my opinion is: don't include it. If public wants a multiuser puppy with protected users do not automate things for them for important things. Let them type su - and launch the important system commands they want like installing new apps or editing stuff out of their home dir.

ME again
Username: Dejan
"Barry, don't know if you found working grafpup iso I've uploaded it recently this one is multiuser and even features a graphical login manager http://www.meownplanet.net/dejan/isos/ There's a threads on forums where members uploaded many vintage puppy isos that were missing from web.

Tags: woof