
How to give super-powers to zeus

June 20, 2018 — BarryK

This is very interesting! I have a user named 'zeus', your normal underprivileged user. How can I give zeus admin privileges without actually becoming root? Becoming root is what 'sudo' does: it bumps up to 'root' to perform admin operations.

I want to perform some admin operations, while still being zeus. Never mind why I want to do this, I just do.

The 'capsh' utility, in the 'libcap' package, can do it. I wrote about "Linux capabilities" recently:

http://bkhome.org/news/201805/improving-linux-capabilities.html

...however, I am not interested in the cap_sys_mount patch anymore.

Puppy Linux and derivatives such as Easy and Quirky run as 'root', with the ability to run Internet applications as user 'spot', and in Easy, in containers with unprivileged-root. The latter is achieved by using 'capsh' to drop privileges when chrooting into a container.

Anyway, running as root, it would seem that capsh could be used to switch to a normal user, yet keep any privileges that we want to keep. In Easy, there is a user named 'zeus', that I created especially for this experiment.

I thought that capsh would work (using "--secbits"), however, it didn't. I am using libcap version 2.25, which the original author stopped work on some years ago. I discovered that some further work has been done on libcap, to add that missing/broken feature:

https://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git/commit/

...thanks Andrew!

I modified the source slightly: I copied capability.h, prctl.h, and securebits.h from the kernel source at /usr/src/linux-4.14.44/include/uapi/linux/ to libcap-2.25/libcap/include/uapi/linux/, and changed the "DYNAMIC..." line in Make.Rules to this:

DYNAMIC := $(shell echo yes)

...so as to get dynamically linked executables.

Then just ran the usual:

# make
# new2dir make install

Running "capsh --print" prints out all of the capabilities. Now, if I want to change to user zeus and keep all of those capabilities:

# capsh --keep=1 --user='zeus' --inh='cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read' --addamb='cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read' --
# whoami
zeus
# rm -f NewFile1
#

'NewFile1' was owned by root, and a user would not be able to delete it, which I checked was the case when I just did a normal "su zeus". Yippee, zeus has super-powers!

Note, the order is important:

capsh --keep=1 --user='zeus' --inh='...' --addamb='...' -- 

The "--" causes bash to run, so you have a new shell, and get back to root by typing "exit".
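Added example (not from the original post): a shell script for checking what such a shell really holds, by decoding the CapEff and CapAmb masks from /proc/<pid>/status and flagging a non-root process whose effective set is not empty. The status text is constructed, UID 1001 for zeus is an assumption, and decode_caps, audit_status and the sample_* functions are hypothetical names.

```shell
#!/bin/sh
# Capability names in kernel bit order (bit 0 = cap_chown, bit 37 = cap_audit_read);
# this is the same order as the --inh/--addamb lists in the post.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read"

# decode_caps HEXMASK: print the names of the set bits, comma-separated.
decode_caps() {
    mask=$((0x${1:-0})); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="${out:+$out,}$name"; fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# audit_status: read /proc/<pid>/status text on stdin and flag a process whose
# effective UID is not 0 but whose effective capability set is not empty.
audit_status() {
    set -- $(awk 'BEGIN { n = "?"; u = 0; e = "0"; a = "0" }
        $1 == "Name:" { n = $2 }
        $1 == "Uid:" { u = $3 }
        $1 == "CapEff:" { e = $2 }
        $1 == "CapAmb:" { a = $2 }
        END { print n, u, e, a }')
    if [ "$2" -ne 0 ] && [ $((0x$3)) -ne 0 ]; then
        printf 'FLAG %s euid=%s eff=%s amb=%s\n' "$1" "$2" \
            "$(decode_caps "$3")" "$(decode_caps "$4")"
    else
        printf 'ok %s euid=%s\n' "$1" "$2"
    fi
}

# Constructed samples (UID 1001 for zeus is an assumption): the shell started by
# the capsh command above with all 38 capabilities, and a plain "su zeus" shell.
sample_capsh() { printf 'Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nCapInh:\t0000003fffffffff\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\nCapAmb:\t0000003fffffffff\n'; }
sample_su() { printf 'Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapAmb:\t0000000000000000\n'; }

sample_capsh | audit_status
sample_su | audit_status
```

On a live system, run `audit_status < /proc/$$/status` inside the shell that capsh started.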

Tags: easy, linux, quirky

LibreOffice, Scribus open/save path fix

June 09, 2018 — BarryK

Although running as 'root' in Easy and Quirky, I want all applications to default to open and save files at /mnt/wkg/home for Easy and /file for Quirky.

The latest release of Easy, 0.9.4, has libreoffice and scribus PETs, and these default to open/save at /root. I have fixed these, so at installation they will detect whether installing in Easy or Quirky and set the default path accordingly.

Tags: easy, quirky

Contemplations on Easy, Quirky, the forum, the future

May 26, 2018 — BarryK
Ruminating over where EasyOS is heading... I receive helpful advice, not just on the forum, but emails also. I do not think of Easy as ever being a mainstream Linux distribution, just a niche player. Furthermore, I am just doing what interests me. There is no master plan, no ambition for Easy to be widely adopted, I am just meandering along, having fun.

Easy is also a learning tool for me. Hence my implementation of Easy Containers, a grassroots container system, rather than using LXC, Docker, or whatever. Even though they may be considered "better" or "superior". KVM is another one, I might look at it, one day.

A couple of days ago, I communicated with 'rufwoof' (forum name) via email. He has provided helpful testing of the containers in Easy. However, he got banned from the forum, due to some heated exchanges. Hence, we resorted to emails.

What rufwoof objected to is the *Dog distributions, for example DebianDog. He considers them to be too un-Puppy-like to be using the Puppy Forum.

I have seen it happen many times on the forum. Spontaneous responses can wind up, become flame wars. Anyway, this question about the *Dogs...

Consider democracy and personal freedom in the USA, one might argue that it has tipped into chaos. A country full of criminals and neurotic people!

On the other hand, diversity, what might seem like borderline chaos, might be a rich breeding ground for new ideas and growth. Or maybe not.

The diversity on the Puppy forum has been said to be confusing for newcomers. So, should the forum be reined in?

These are just my ruminations, I do not have admin rights on the forum, nor puppylinux.com or puppylinux.org. I retired from all of that, back in 2013.

Personally, I read bits and pieces from all over the forum, and find the diversity interesting and useful. Cross-pollination does happen. But, I do understand the counter-argument.

I am using the forum for EasyOS and Quirky Linux feedback. But what of the future? If Easy becomes more popular, I can see the argument in favour of a focused forum, EasyOS and nothing else, or maybe a special section for "off topic" or whatever.
So, it is on the cards, might start a new forum.

What about Quirky? One problem for me is that I take on too much. I am seriously considering dropping Quirky development, just keep Easy. Also, on PC platforms only support x86_64. Might add ARM boards, but maybe only aarch64.

Then there is the ability of woofQ to build a distro from binary packages from Ubuntu, Slackware, etc. I recently did a "Easy Beaver" build, but it was a lot of work, and there are still unresolved issues. As usual, I was disappointed by the bloat, the build was 480MB, and that is with far less apps than my Easy Pyro builds.

And, Ubuntu is forcing gtk3 onto me, which is one of my pet peeves.

So, I might focus on only building from packages compiled in my fork of OpenEmbedded. Although Easy Pyro has a small package repository, I can gradually build it up. Of course, it will never get anywhere near the size of the mainstream repos.

I must stress that these are just thoughts for now, not necessarily what will happen.

Tags: easy, quirky

Easy-to-see mouse pointer

May 24, 2018 — BarryK

I use a small 1080p TV as the monitor for my desktop system, so I run at 1920x1080 pixels. It's nice, plenty of room on the screen, except I sometimes "lose" the mouse pointer.

I then jiggle the mouse, trying to see it. I think that many people reading this can relate to the moment of frustration!

Easy and Quirky have 'Pcur', in the 'Desktop' category of the menu, for selecting a different mouse cursor theme, however, it requires the 'pcur' PET package to be installed. Those themes are installed in /root/.icons

I want a new default cursor theme, seen at first power-up of Easy/Quirky. This link explains how to install cursor themes system-wide:

https://www.xaprb.com/blog/2006/04/24/beautiful-x11-cursors/

...except that the correct path for Xorg is /usr/share/icons, not /usr/share/cursors/xorg-x11.

I have put the 'jaguarx' theme into rootfs-skeleton/usr/share/icons/jaguarx, with rootfs-skeleton/usr/share/icons/default setup as explained in the above link.

jaguarx is not a big mouse pointer, but is more visible than the original default. A bit of colour too, with a whirling ball when there is action.

Tags: easy, quirky

ROX-Filer right-click Open With menu

May 18, 2018 — BarryK

I should have done this years ago. The Right-click-Easy PET created by don570 has reminded me of this. I wrote about his PET recently:

http://bkhome.org/news/201805/right-click-easy-pet.html

Up until now, woofQ has fixed entries for the right-click Open With (or Send To) menu, that may be totally inappropriate for the file being right-clicked on. For example, Geany text editor is in the menu, but that is not appropriate for, say, an image file.

So, I have written /usr/sbin/build-rox-sendto, which builds a complete mime-sensitive Open With menu in /etc/xdg/rox.sourceforge.net, by reading the .desktop files in /usr/share/applications. Note, it also erases everything in /root/.config/rox.sourceforge.net/SendTo

Now, the menu is appropriate to the type of file, for example:

image

Those applications are all able to open an image from the commandline. The bottom group, Bcrypt and gHasher, will appear in all cases, regardless of mime-type.

Furthermore, the menu is updated when a package is installed or removed by the PPM. The modified scripts are /usr/local/petget/installpkg.sh and removepreview.sh.

I kept thinking that we need this, amazing how procrastination can keep delaying something year after year!

I have removed don570's PET from the repository, as it will conflict.

EDIT 19 May 2018
Continuing to refine the context-sensitive right-click menu, lots of good things happening. For example, right-click on a PET package:

image

...as you can see, the mime-sensitive choices appear on the top-level, no need to burrow into the "Open With..." sub-menu. For PET packages, there is now the very convenient choice of "pet2dir" which is a utility to expand the PET to a folder, or "petget" to install the PET.

Tags: easy, quirky

NVMe support in Easy and Quirky

April 09, 2018 — BarryK

Recently, Puppy Forum member 'scsijon' alerted me to the new NVMe Solid State Drives, and I compiled the Linux kernel with support for these drives enabled:

http://bkhome.org/news/201803/linux-kernel-41427-compiled.html

However, that is only the start of it. There are several scripts in woofQ (the Easy/Quirky builder) that need to be modified. 'wdlkmpx' has been adapting woof-CE to support NVMe:

https://github.com/puppylinux-woof-CE/woof-CE/issues/1115

The last couple of days, I have sifted through the woofQ scripts. Basically, just had to search for the string "mmc" or "mm", where there is special handling for MMC drives (SD cards), and add the special handling for NVMe.

NVMe drives have device nodes in /dev of the form "nvme[0-9]n[1-9]". Partitions are appended as "p<number>", for example "nvme0n1p3".

We should be ready to go for NVMe with the next release of EasyOS, coming soon.

Useful links on NVMe:

https://www.pcworld.com/article/2899351/everything-you-need-to-know-about-nvme.html

https://wiki.archlinux.org/index.php/Solid_State_Drive/NVMe

https://wiki.gentoo.org/wiki/NVMe

https://itpeernetwork.intel.com/finding-your-new-intel-ssd-for-pcie-think-nvme-not-scsi/ 

Note, I have compiled kernel 4.14.32, getting ready for the next release of EasyOS.

Tags: easy, quirky

Module-loading options fixed

March 20, 2018 — BarryK

The BootManager, /usr/sbin/bootmanager, which is in all pups going back many years, has three options for choosing which modules to load at bootup. There is "blacklist", "add" and "preference".

The "blacklist" option manages a list of modules that are blacklisted, that is, will not be loaded. This list is in variable 'SKIPLIST' in file /etc/rc.d/MODULESCONFIG, which is written to /etc/modprobe.d/blacklist.conf by /etc/rc.d/rc.sysinit at bootup.

One qualification though: a blacklisted module can still be loaded manually, using the 'modprobe' utility, and will also be loaded if it is a dependency of another module that is loaded. Note, if you want to absolutely blacklist a module, so that it is not loaded in those two cases either, a line like this in a .conf file will do it: "install <module name> /bin/false"
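Added example (not part of BootManager or woofQ): a shell check that reads modprobe.d-style text and lists the modules that have only a "blacklist" line, with no "install <module name> /bin/false" line, and so can still be loaded manually or as a dependency. The sample config is constructed, and soft_blacklisted, harden and sample_conf are hypothetical names.

```shell
#!/bin/sh
# soft_blacklisted: read modprobe.d-style config on stdin and print, sorted, each
# module that has a "blacklist" line but no "install <module> /bin/false" line.
soft_blacklisted() {
    awk '
        function norm(s) { gsub(/-/, "_", s); return s }  # modprobe treats - and _ alike
        /^[ \t]*#/ || NF == 0 { next }                    # skip comments and blank lines
        $1 == "blacklist" && NF >= 2 { soft[norm($2)] = 1 }
        $1 == "install" && $3 == "/bin/false" { hard[norm($2)] = 1 }
        END { for (m in soft) if (!(m in hard)) print m }
    ' | sort
}

# harden: emit the "install" lines that would close the gap for those modules.
harden() {
    soft_blacklisted | while read -r m; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Constructed sample in the style of /etc/modprobe.d/blacklist.conf.
sample_conf() {
    cat <<'EOF'
# modules listed in SKIPLIST end up here
blacklist pcspkr
blacklist snd-pcsp
blacklist firewire_core
install snd_pcsp /bin/false
EOF
}

sample_conf | soft_blacklisted   # modules that are only soft-blacklisted
sample_conf | harden             # lines to add for an absolute blacklist
```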

The "add" option is a list of modules that will be loaded, that would not have done so automatically. This is variable 'ADDLIST' in /etc/rc.d/MODULESCONFIG, and they are loaded by /etc/rc.d/rc.sysinit

The "preference" option is to give one module preference over another, in the situation where two (or more) are contenders for the same hardware. This was variable 'PREFLIST' in /etc/rc.d/MODULESCONFIG, and was loaded by 'pup_event_backend_modprobe'. However, this script has been removed, see earlier blog post:

http://bkhome.org/news/201802/revisiting-pupevent-first-changes.html

Also, variable 'PCI_OVERRIDES' is no longer supported, now removed. The "preference" option is removed from BootManager.

It's ok, the "preference" option is redundant anyway, blacklisting suffices.

Tags: easy, quirky