Introducing 'fido'

Right from Puppy's inception, we have been criticized for running as root. I have finally decided to offer a choice.

Pizzasgood did a superb job in converting Puppy 421 to multiuser:
http://bkhome.org/blog/?viewDetailed=01183

Recently, kirk and 01micko have been implementing a web browser running non-root, as user 'spot'. Kirk has done this in FatDog64. 01micko has posted a PET for running Mozilla browsers as spot:
http://www.murga-linux.com/puppy/viewtopic.php?t=57914

Both of the above have issues. Many issues, particularly if logged in as root and trying to run a web browser as spot. Instead, I have implemented a solution in a different way.

Puppy is not multi-user in the normal way. Most users will be running Puppy in a PUPMODE that saves the session to a file, and if you want other family members (for example) to run Puppy on the same computer, they can have their own save-files, with optional encryption.
Or, Puppy is small enough to be able to have multiple installations of Puppy on the same computer, with choice in the GRUB menu at bootup.

At the first shutdown, just before the dialog window comes up to ask which partition you want to save to, another dialog appears that asks if you want to run as administrator (root) or 'fido' -- with some explanation about what this means.

If you choose fido, a script /usr/sbin/root2user is run, which sets up the save file to run as user fido. /etc/inittab is changed to autologin as fido. A password is asked for root.

Note, other distros such as Ubuntu enable a user to go up to root just by prefixing "sudo" before any commands. I have always had my doubts about this; it seems to compromise the whole concept of running as non-root (?), so I have set up Puppy so that any change from fido to root will require the password.

I have created LoginManager in the System menu, that currently only offers a fido user to change back to root permanently.

Most important: both 'root' and 'fido' have /root as the home directory. This avoids many problems.

It works, I get a desktop, but some things need fixing. For example, I can't shut down unless I 'su' to root, and retrovol fails to start. I will have a bit more of a play, but I might need help from someone who is an expert at configuring permissions/ownership of directories and files in a non-root environment.

All of the above is done in Woof. User fido will be offered in the next Wary alpha/beta.


Posted on 30 Apr 2011, 8:31


Comments:

Posted on 30 Apr 2011, 10:27 by kirk
spot
I'm not aware of any problems running Firefox as user spot, do it every day. The browser can only save files to directories that spot owns, but that's kind of the point.




Posted on 30 Apr 2011, 14:55 by BarryK
Re spot
kirk,
I have only tried 01micko's PET, but I did look inside your ISO and it is basically the same setup that 01micko uses. SM 1.1.18 renders incorrectly, draws the status-bar halfway down the window. Font antialiasing doesn't work. I wasn't able to get any theme other than default.

If you are able to get the browser running nicely as spot, then that is great.

With my solution, every app that accesses the Internet will be running as fido. Also, all the resources are available without having to copy things into /root/spot.

By default I have set the computer drives as unavailable, but if the fido user knows the root password then they can mount and use a drive.

With the fido solution, your kids can boot up with their own save-file and be able to surf but not access your hd partitions.



Posted on 30 Apr 2011, 15:01 by BarryK
Re spot
I am still interested in the spot solution, if someone can demonstrate the web browser working perfectly in every respect. That would include GTK themes, SSL, font rendering, etc.

Plus, a mechanism for downloading files outside of /root/spot is needed. When I tried 01micko's symlink idea it didn't work, which I didn't think you can do anyway, but maybe you can and I did it wrong.



Posted on 30 Apr 2011, 15:11 by BarryK
Re spot
Something that many of us need: drag-and-drop browser to the desktop and other rox windows. Many users expect this, and won't be happy if they can't do it.



Posted on 30 Apr 2011, 15:38 by Iguleder
Permissions
Barry, I faced the same problems in Calf Linux. Exactly the same issues! I made it run under a regular user named "calf" and it could not play audio and access partitions because they had the wrong permissions.

I solved these problems using /etc/busybox.conf (which gives root permissions to executables, no matter who runs them) and "chmod 4755 /bin/busybox". This allows all users to mount, shutdown, run "su", etc. Also, make sure device nodes have the right permissions, using either udev rules or extra code in the init scripts.

Your idea to use /root for both users is simply great. A single "chown -R" command will fix all permissions.


Posted on 30 Apr 2011, 16:30 by jcoder24
Grafpup
I believe Nathan/grafpup had completely solved the multiuser issue within puppy.


Posted on 30 Apr 2011, 17:26 by BarryK
Re grafpup
Ah, yes, of course Nathan's Grafpup, I forgot about that. I think that 2.0 was the last version. Hmmm, but where to download from?

Found it:
http://www.findthatfile.com/search-824049-fISO/software-tools-download-grafpup-2-00-seamonkey-iso.htm

After grafpup.org went under, the iso's used to be hosted at puppylinux.ca, but that is gone too.

Iguleder,
Yes, using /root for fido is such a simple thing to do, bypasses all the problems that pizzasgood and nathan had to go through with a different home directory.

I tried setting /sbin/reboot as suid, but that doesn't work, and I don't understand why not. My understanding is that suid would enable /sbin/reboot (or /sbin/poweroff) to run as though it is root. I am groping around in the dark a bit here.

Tonight I shall be studying nathan's handiwork! I recall, nathan is a very clever guy, did great work with Grafpup. It is unfortunate that he had to give up working on Grafpup.
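
One reason a setuid bit can appear to do nothing, shown as an added example (not code from this blog or from Puppy): Linux ignores the bit on '#!' scripts, and a later comment on this page refers to Puppy's reboot and poweroff as scripts. That /sbin/reboot is such a script is an assumption here; suid_effect and inspect are hypothetical helper names.

```python
import os
import stat

def suid_effect(mode, owner_uid, head):
    """Classify what a setuid bit on a file actually achieves on Linux.

    mode and owner_uid come from stat(); head is the file's first two bytes.
    """
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return "no setuid bit"
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "setuid bit set but file is not executable"
    if head == b"#!":
        # The kernel starts the interpreter named on the '#!' line and
        # ignores the script's setuid bit, so it runs as the caller.
        return "ignored: '#!' script runs as the calling user"
    # A native binary: the process gets the file owner's uid as its euid.
    return "runs with euid %d" % owner_uid

def inspect(path):
    """Apply suid_effect() to a real path, following symlinks."""
    real = os.path.realpath(path)
    st = os.stat(real)
    with open(real, "rb") as f:
        head = f.read(2)
    return real, suid_effect(st.st_mode, st.st_uid, head)

if __name__ == "__main__":
    # Paths named in the comments on this page.
    for p in ("/sbin/reboot", "/sbin/poweroff", "/bin/busybox"):
        try:
            print("%s -> %s: %s" % ((p,) + inspect(p)))
        except OSError as e:
            print("%s: %s" % (p, e))
```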



Posted on 30 Apr 2011, 19:11 by BarryK
Grafpup 2.00
I have downloaded it, looked inside the iso. As far as I can see, multiuser is not implemented, login is as root. So, did nathan only implement multiuser for 2.01beta?

I can't find anywhere to download 2.01beta.



Posted on 30 Apr 2011, 19:49 by cthisbear
Puppy compromised - When - Where?

"Right from Puppy's inception, we have been criticized for running as root. "

"""""""""""

Which has made it so easy to use.

Which makes it such a great rescue disk.

Ignore the blowhards.

These are the same chimps who logged onto a wireless hotspot at their own Security Conference.

Do goods who don't follow their own rules.

You are above this blind sided crap BK.

Chris.




Posted on 30 Apr 2011, 20:07 by Tony
Puppy root is great
Hi Barry, Puppy running as root has always been a MAJOR selling point for me, no "You don't have permissions" etc, also having icons on the desktop to mount ANY filesystem (would be nice to have automount) is a major plus.
Keep up the great work!



Posted on 30 Apr 2011, 20:20 by JB
Grafpup 201b
Barry,
I have both Grafpup 201a and 201b on my hard drive. Do you have a place to upload so I could get them to you?



Posted on 30 Apr 2011, 20:48 by mavrothal
grafpup
The svn is still up
http://grafpup-linux.googlecode.com/svn/trunk/


Posted on 30 Apr 2011, 21:01 by wombat01
grafpup
JB I can give you some space on smokey01.com if you like although I'm sure Barry has space somewhere.

Smokey01




Posted on 30 Apr 2011, 21:44 by L18L
re permissions
(an expert is a beginner with experience) read somewhere on the forum

Introducing the use of group might solve some of the problems with neither SUID nor SGID.

whoami


addgroup root root
addgroup spot root
echo echo this file owned by root executed by spot.> perm750

chmod 750 perm750
ls -l perm750


su spot
whoami

/root/perm750


Poweroff:
su spot
# /bin/busybox reboot
reboot: Operation not permitted

Seems to me that this is builtin busybox

My Regards
spot






Posted on 30 Apr 2011, 23:36 by Matt Newell
Thoughts about sudo
Barry,

Sudo asks for the user password before it will run. This means you know you are going to do something that could break the system (kind of a warning), but you still have control. If you're not sure of what you're doing, STOP. The best part of being a user is that you can't destroy the system (although your area could be toast). I remember Windows being in essence root and many was the time I accidentally wiped stuff from the system that I really, REALLY needed or that was needed by the system (oops! Reinstall!). You have to use sudo to install programs, but that is OK since you know what you want and once the program is installed the system is secured again.

Matt


Posted on 30 Apr 2011, 24:58 by Sage
Never safe?!
"..many was the time I accidentally wiped stuff from the system that I really, REALLY needed.."

'Stuff' isn't wiped from your HD, it is just marked available, i.e. for overwriting. "Not everybody knows that". It used to be easy to recover stuff from DOS. It can still be done but isn't always so easy without deep access utilities. Never used XP seriously so not sure whether the 'go-back' utility stores all data? Many crooks have been caught because they believed they had 'deleted' their contacts list. Forensic specialists can often recover sufficient overwritten data to convict, too (not all of the previously used space is necessarily re-used immediately - depends on file size, contiguousness, defrag algorithm, etc.) Not sure how SSDs behave, nor anything about Unix/Linux systems, but a guru is about to tell us all.


Posted on 31 Apr 2011, 4:21 by Dougal
Audio
Barry, you need to create "audio" and "video" groups and then add spot to them.
Same with mounting.
Just look in /etc/group in Ubuntu etc.


Posted on 31 Apr 2011, 5:21 by perthie
Sound in Spot
In both Wary 5.11 and Quirky 1.3, I could not get sound in Spot. I fixed it by increasing permissions.
chmod -R o+rw /dev
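
The recursive chmod above compared with Dougal's group suggestion, as an added example (not code from these comments or from Puppy): after "o+rw" on all of /dev every user can write to disk partitions directly, while group ownership opens only the sound device. The device paths and modes in the two sample lists are constructed, and the "audio" group is the one Dougal names.

```python
import os
import stat

# Character devices that are normally left world-writable on Linux.
EXPECTED_OPEN = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
                 "/dev/urandom", "/dev/tty", "/dev/ptmx"}

def classify_node(path, mode):
    """Return a finding for one /dev entry, or None if nothing to report."""
    if not mode & stat.S_IWOTH:
        return None
    if stat.S_ISBLK(mode):
        return "block device writable by every user"
    if stat.S_ISCHR(mode) and path not in EXPECTED_OPEN:
        return "character device writable by every user, review"
    return None

def audit(nodes):
    """nodes: iterable of (path, st_mode). Returns {path: finding}."""
    out = {}
    for path, mode in nodes:
        finding = classify_node(path, mode)
        if finding:
            out[path] = finding
    return out

def scan_dev(root="/dev"):
    """Yield (path, mode) for every non-directory entry under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode   # do not follow symlinks
            except OSError:
                continue

BLK, CHR = stat.S_IFBLK, stat.S_IFCHR
# Constructed modes: the state after 'chmod -R o+rw /dev' ...
AFTER_CHMOD = [("/dev/sda1", BLK | 0o666), ("/dev/dsp", CHR | 0o666),
               ("/dev/null", CHR | 0o666)]
# ... and the group-based alternative (dsp root:audio 0660, disk untouched).
WITH_GROUPS = [("/dev/sda1", BLK | 0o660), ("/dev/dsp", CHR | 0o660),
               ("/dev/null", CHR | 0o666)]

if __name__ == "__main__":
    print(audit(AFTER_CHMOD))
    print(audit(WITH_GROUPS))
    print(audit(scan_dev()))      # the live system
```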


Posted on 31 Apr 2011, 7:56 by scottman
some details
As you are using the same dir (/root) for all users, does this mean that different users cannot have different GTK themes, Xorg configs, WM settings and so on?

Sorry if this is explained somewhere, but what is fido allowed to do? And what is fido NOT allowed to do?

Presumably fido cannot use the PPM, load SFS, what else?


Posted on 31 Apr 2011, 8:13 by cthisbear
The Marching Morons

You need to do some reading up BK.

You have been conned by con artists.

"""""""""""

Cyril M. Kornbluth

The Marching Morons


The solution

" Barlow derives a solution based on his experience in scamming people into buying worthless land and knowledge of lemmings' mass migration into (and subsequent drowning in) the sea: convince the morons to travel to Venus in spaceships that will kill their passengers once they fly out of view of land (possibly, the story implies, because they are built by morons, though obtaining consistent destruction in the proper flight phase might be beyond their competence)

The con

In a twist of irony, Barlow, a conman, is conned by his erstwhile assistants. "

http://en.wikipedia.org/wiki/The_Marching_Morons

Regards and best wishes...as usual.

Chris.


Posted on 1 May 2011, 8:21 by disciple
grafpup 2.00
> I have downloaded it, looked inside the iso. As far as I can see, multiuser is not implemented, login is as root. So, did nathan only implement multiuser for 2.01beta?

No, 2.00 was supposed to be multiuser.


Posted on 1 May 2011, 8:23 by disciple
windows restore points
> Never used XP seriously so not sure whether the 'go-back' utility stores all data?

No, it does not.
And FWIW it is rubbish - as likely to break your system as to fix it.


Posted on 1 May 2011, 8:45 by BarryK
Busybox shutdown
scottman,
You haven't read my first post carefully enough. There is only one non-root user, fido.

Dougal,
No, reboot and poweroff don't work. Pizzasgood went to the most extraordinary length of running a daemon (as root) to detect when the reboot and poweroff scripts request a shutdown, then run the actual reboot or poweroff -- see his 'power-utils.tar.gz' on this page:
http://www.murga-linux.com/puppy/viewtopic.php?t=47410

However, there is another way of doing it. Busybox has CONFIG_FEATURE_SUID_CONFIG, which enables per-applet permissions for non-root user. It is "kind of a poor man's sudo", quoting from Busybox docs. I am recompiling Busybox right now with this feature, will report back soon.
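
The per-applet file that Iguleder's comment and this one both refer to, as an added example (not Puppy's or BusyBox's own code): a small auditor for the [SUID] section of /etc/busybox.conf that lists which applets any user can start with root's euid. The sample file is constructed, its syntax follows the BusyBox help text for CONFIG_FEATURE_SUID_CONFIG, and the function names and the allowlist are hypothetical.

```python
import re

# Constructed sample, not Puppy's real file. Syntax per the BusyBox help
# text for CONFIG_FEATURE_SUID_CONFIG:
#   APPLET = [Ssx-][Ssx-][x-] [USER.GROUP]
SAMPLE_CONF = """\
[SUID]
su       = ssx root.0     # anyone may run it; su asks for the password
reboot   = ssx root.0     # lets fido shut down without 'su'
poweroff = ssx            # USER.GROUP omitted: same as root.0
mount    = ssx root.0     # weak: any user mounts any partition as root
umount   = sx- root.disk  # tighter: only root and members of 'disk'
cp       = ---            # applet disabled for everyone
"""

RULE = re.compile(
    r"^(\w[\w.-]*)\s*=\s*([Ssx-])([Ssx-])([x-])(?:\s+(\S+?)\.(\S+))?$")

def parse_suid_section(text):
    """Return {applet: rule} for the [SUID] section of a busybox.conf."""
    rules, in_suid = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("["):
            in_suid = line.upper() == "[SUID]"
            continue
        m = RULE.match(line) if in_suid else None
        if m:
            applet, u, g, o, user, group = m.groups()
            rules[applet] = {
                "owner_may_run": u in "sx",
                "group_may_run": g in "sx",
                "others_may_run": o == "x",
                # 's'/'S' in the first column: applet runs with USER's euid
                "setuid_to": (user or "root") if u in "sS" else None,
                "group": group or "0",
            }
    return rules

def root_for_everyone(rules):
    """Applets any local user can start with euid 0 (root named as root or 0)."""
    return sorted(a for a, r in rules.items()
                  if r["others_may_run"] and r["setuid_to"] in ("root", "0"))

def unexpected(rules, allowed):
    """Root-for-everyone applets that are not on the reviewed allowlist."""
    return [a for a in root_for_everyone(rules) if a not in allowed]

def conf_file_ok(owner_uid, mode):
    """BusyBox wants the file owned by root and writable only by root."""
    return owner_uid == 0 and not mode & 0o022

if __name__ == "__main__":
    rules = parse_suid_section(SAMPLE_CONF)
    print(root_for_everyone(rules))
    print(unexpected(rules, {"su", "reboot", "poweroff"}))
```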



Posted on 1 May 2011, 9:12 by Pizzasgood
Options are good.
One last time, to all the "OMG STFU r00t 4evar!" people:

Having the option to run as a limited user can be very useful if you want to allow random children (think 3 year olds, or adults with a 3 year old's understanding of computers) to use the computer without much risk of them breaking their OS (and then requiring you to fix it). This is what Fido can help provide. (Yes, long-run you would be well served to teach them how to fix it when they break it, but perhaps that is a bit much for a 3 year old.)

I think it's rather disturbing that people become so opposed to offering options to those few who might need them just because they themselves do not. It is as though they are opposing a wheelchair ramp. Not nearly that severe of course, but there are very real situations where at least a Fido-level of multiuser can be very helpful, and nobody is forcing you to actually use it. By all means, take the stairs if you don't like the ramp.


Posted on 1 May 2011, 12:09 by broomdodger
faster Firefox?
faster Firefox?

http://digitizor.com/2011/04/30/ff6-fast-less-sluggish/

Maybe a faster Seamonkey?

-Bill


Posted on 1 May 2011, 12:18 by broomdodger
QtWeb Internet Browser
Do you have any experience with this?

QtWeb Internet Browser
http://www.qtweb.net/

-Bill


Posted on 1 May 2011, 12:20 by broomdodger
QtWeb Internet Browser
Forgot to post:

Size of executable is 6 MB only, no additional DLLs and other configuration files required


Posted on 1 May 2011, 16:26 by fido
scottman
I am aware that only fido will be added, my post should have said 'both users' not 'all users'... I just wondered, what restrictions are placed on fido - I think it's great to include a user that cannot use the PPM, or add SFS files, or modify /usr/bin, etc... I was just wondering what 'fido' is (and is not) allowed to do...


Posted on 1 May 2011, 18:02 by BarryK
What can fido do
The defaults will have to be decided. There will be a fairly restricted system as default perhaps, but if the user knows the root password then they could access a window to alter what is allowed.



Posted on 1 May 2011, 18:42 by disciple
Grafpup
IIRC Grafpup 2.x was multi-user enabled, but only root existed by default, which might be causing the confusion.


Posted on 1 May 2011, 19:11 by scottman
root2user
Please can we get a look at the contents of 'root2user' so we can get an idea as to what changes are made to save file setup? and if anything, the other changes required to run as fido?

I think Barry's idea of a limited 'fido' user, with the same home dir as root is nice, and easy, and potentially more secure..

I would also agree that auto login fido at boot is the way to go.. better than login screens - very un-puppy! As Barry says, much better to popup a window asking for root password, when required.

But does anyone know how you might go about including a simple (xdialog, maybe) popup, that asks to login as root, whenever root privileges are required - such as loading up the PPM, or deleting a file in /usr/sbin, etc, etc? ... Basically, how do you handle allowing/disallowing events or actions that require extra (root) privileges, when logged in as fido?


Posted on 1 May 2011, 21:18 by kirk
spot
Barry,

If you want to see Firefox running as spot try Fatdog64. On the desktop you'll see a folder named Downloads. This folder is owned by spot. It is also used as a shared folder if you start the Samba server. At shutdown, when you create a save file, if the save file is located on a partition that's not NTFS or FAT, you'll be asked if you want to move the Downloads folder to the same place as your save file.

Firefox, Xine and the email client all run as user spot. One nice thing about using spot is he can't write to your normal user files, which is all we care about anyway, and he can't su to root even if he knew the password. This is overkill given the total lack of malware we have to deal with, but maybe one day.


Posted on 1 May 2011, 22:51 by Sage
Consider a night at the...
...Opera?!
Don't know about the details, but Opera claims to have a whole bunch of its own security features. Preferences and 'about' provide masses of settings. Has its own idiosyncrasies, but installs nicely and is liked by a majority of Puppy users according to poll. Runs faster and about the same size as FF. Don't like their email client so have to add another; Claws is my preference.


Posted on 2 May 2011, 4:27 by Dougal
Groups
Barry, I was talking more about your audio problems and retrovol not working... you need to make sure that /dev/dsp and retrovol have the right group permissions, too.

As for shutdown, the reason normal users can't do it is obviously that normal users aren't allowed to poweroff a multiuser computer... from what I recall from hacking the XFCE sources a few years ago, they use su for running the shutdown commands, 'though I guess modern systems use things like pamd (and its replacements).


Posted on 7 May 2011, 19:16 by Dejan
fido/root/spot
Sorry for not following your blog, found out about this fido thing on the forums, hence the late reply. I'm glad you finally decided to incorporate multiple users but the way you're doing it sounds wrong to me from the very start. fido/root having the same homedir doesn't solve anything and the whole idea about permanent switching of users also doesn't solve anything as this implies that what you're doing is quick dirty hacks that will again just hardcode user paths and scripts and not implement the real thing.
Let me explain.
For switching users you're not letting the user choose on the login manager how to login or to make a quick login/logout between users but instead you switch the autologin script to do that automatically on boot if I understood correctly. Bad.
Also, having same homedir just makes user run apps as limited user but not having different user customizations.
Further I understand that this will not be "multi" but two-user (root-fido) system because adding/deleting or in any way managing of more users will then also be impossible.
Sorry, but just my opinion, the way that Nathan or Pizzasgood did it seems more right to me, it may be the harder way but it's the right way of doing things.



Posted on 7 May 2011, 19:21 by Dejan
sudo
Also, on the sudo thing, my opinion is: don't include it. If the public wants a multiuser puppy with protected users do not automate things for them for important things. Let them type su - and launch the important system commands they want like installing new apps or editing stuff out of their home dir.



Posted on 7 May 2011, 19:36 by Dejan
ME again
Barry, don't know if you found a working grafpup iso. I've uploaded it recently; this one is multiuser and even features a graphical login manager:
http://www.meownplanet.net/dejan/isos/
There's a thread on the forums where members uploaded many vintage puppy isos that were missing from the web.