site  contact  subhomenews

Rolled back to gtk2 version of yad

September 15, 2021 — BarryK

EasyOS is staying with the gtk2 version of 'gtkdialog', in fact, I am hanging onto gtk2 apps indefinitely.

Today it was brought to my attention that 'yad', as compiled in OpenEmbedded, is linked with gtk3. There are some issues, for example here:

It was a pleasant surprise that although yad now links with gtk3. the gtk2 version is still maintained, for Fatdog64:

So, I have created a recipe for it in my EasyOS layer in OpenEmbedded, and named the package 'yad0'. Compiled it for amd64 and aarch64, and changed the package-list in woofQ to build with 'yad0' instead of 'yad'.

The maintainer is "step-", don't know who that is. Will have to send him/her a message that his/her maintenance project is now in EasyOS, from version 3.0.   

Tags: easy

Chromium SFS runs as user chromium in EasyOS 3.0

September 15, 2021 — BarryK

Yay, works great!

I downloaded one of peebee's Chromium SFSs, and copied the contents to a folder named 'chromium_93.0.4577.63-bk1_amd64'. I changed usr/lib64 to usr/lib, usr/bin/chromium to a symlink to usr/lib/chromium/chromium, and made sure that usr/share/pixmaps/chromium.png (48x48) exists. Then ran 'dir2sfs':

# dir2sfs chromium_93.0.4577.63-bk1_amd64

...this has to be done in EasyOS 3.0, which is not yet released.

A few GUI windows popup, including asks if want to default to run chromium as a non-root client -- I clicked the "YES" button, and a SFS was created. Copied it to /mnt/wkg/sfs/easyos/oe/dunfell, then from the menu "Filesystem -> Easy BootManager", chose to add the Chromium SFS at bootup. Then rebooted.

Some notes, with pictures, on using 'dir2sfs' can be found here:

...though in this case we aren't interested in the container parts of that page.

After rebooting, looked in /clients:


And looked in /clients/chromium:


...Chromium will only be able to save files inside /clients/chromium, and defaults to /clients/chromium/Downloads.

I chose "Internet -> Chromium web browser" from the menu, and Chromium works. Chromium can also be launched by typing "chromium" in a terminal window, or by clicking on the icon in the above window.

I haven't checked, but sc0ttman's "Default Applications Chooser" is in the "Setup" menu, and it should be possible to choose Chromium as the default web browser, so when you click on the "www" icon on the desktop, Chromium will run.

This is good. For those who haven't followed earlier blog posts, this has nothing to do with containers. Chromium SFS is running on the main desktop, as non-root user 'chromium' and group 'chromium'. This provides excellent security.

However, Chromium could also be run in a container, and I will investigate this next.

The Chromium SFS requires EasyOS 3.0 or later, so those who are keen to use Chromium in the Dunfell-series will have to wait a little while! It will of course be available via the "sfsget" icon on the desktop.    

Tags: easy

Infrastructure in place to run each app as a separate user

September 14, 2021 — BarryK

The 'spot' user was broken in EasyOS, for the situation in which a password is entered at bootup and folders in the working-partition are encrypted. After some experimenting and lucky guesses, this problem was solved, see previous blog post:

I have now embarked on a significant change in how EasyOS works: run any app that accesses the Internet as a non-root user. Not 'spot', but each app will run as its own user.

I got this idea a couple of years ago, when reading how Android works. This is how Android works, each app runs as a separate user. This then can be the basic mechanism for access permissions. For example, if file /etc/group has a group for "camera", like this:


...on the end is a comma-delimited list of users allowed to access the "camera" group.

Running an app as a non-root user also means that it can't write just anywhere in the filesystem, can be constrained to only write in its own home folder. And if required, can be prevented from reading critical files.

Of course Easy already has "crippled root" in containers, so running, say, SeaMonkey, on the main desktop as a non-root user would have to be seen as an alternative security strategy. SeaMonkey will run a little bit faster, and won't have the issues that some people have reported with running SM in a container, such as problem with network connectivity.

If each app is run as its own user, this means that EasyOS can implement a permissions management GUI like in Android. Like, do you want this app to be able to access the camera, network, audio, folders outside the "home" folder? ...etc.

So, have started to setup the infrastructure to support this. The idea is that top-level /clients folder will have these non-root users, though I would like to refer to them as "clients".

WoofQ is now defaulting to run SeaMonkey as a client. That is, it will run as user "seamonkey" and group "seamonkey". So, in woofQ, have built EasyOS, and running it, this is what is seen under /clients folder:


...'rover' and 'zeus' were experiments, they may get removed. 'spot' is deprecated, may also get removed.

The idea is that each client app will have a folder under /clients, which is actually the home-folder for that app. Clicking on 'seamonkey' will show what that client has to "offer":


The 'Downloads' folder is SeaMonkey's default file download and open location. Clicking on the 'seamonkey' icon will run SeaMonkey. I don't know what 'Desktop' folder is for, SeaMonkey created that automatically.

Of course, SM can still be launched in the usual way, from the "www" icon on the desktop, or via the menu. And it will run as a client, that is, as user 'seamonkey'.

As before, SeaMonkey can be changed to run either as a root user, or client 'seamonkey', via the menu "System -> Login & Security Manager". Just like before, with 'spot'.

There is a file that shows what apps are running as a client, it is file /root/.clients-status. Here it what it has on my currenly running EasyOS:


Which means that SM will run as a client. If it had "seamonkey=false", or seamonkey completely missing from the file, then SM will run as root. The "Login & Security Manager" writes to this file.

Scripts for client management are now grouped under /usr/local/clients. WoofQ runs one of these, 'setup-client', when building EasyOS, if it is chosen to run SM as a client. The main thing that the script does is create a special script for running SM, /usr/bin/seamonkey (and the original is renamed to seamonkey.bin). Here is the script:

[ -f /clients/seamonkey/.mozilla/seamonkey/a2bvafqx.default/places.sqlite ] && ln -snf /usr/lib/seamonkey/seamonkey /usr/bin/seamonkey.bin
#script to run $APPbin as a client...
if [ $1 ];then
while [ "$1" ]
#do not put quotes around if a single word. example is "-edit" for seamonkey, the quotes stuff it up entirely...
if [ "${1/ /}" == "${1}" ];then
ARGS="${ARGS} ${1}"
ARGS="${ARGS} \"${1}\""

if [ $(id -u) -ne 0 ]; then
exec "$APPbin" $ARGS
#if inside a container, do not run as client...
if [ -f /INSIDE_* ];then
exec "$APPbin" ${ROOTOPTS} ${ARGS}

#this is a method to authorize x server to run by user. works when server running.
#note: this setting does not seem to be stored in a file. it affects the currently
# running x server and will be lost when x quits.
ALLOWflg="$(xhost | grep -o ":${APPname}$")"
if [ ! "$ALLOWflg" ];then
xhost +SI:localuser:${APPname}

[ $XAUTHORITY ] && cp $XAUTHORITY -f /clients/${APPname}/.Xauthority 2>/dev/null
touch /clients/${APPname}/.Xauthority
#following line is mostly there to catch any root:root files that may have got copied in...
chown -R ${APPname}:${APPname} /clients/${APPname} &
sleep 0.1
export XAUTHORITY=/clients/${APPname}/.Xauthority
export XDG_CONFIG_HOME=/clients/${APPname}/.config
export XDG_CACHE_HOME=/clients/${APPname}/.cache
export XDG_DATA_HOME=/clients/${APPname}/.local/share

#20210912 need to allow write inside encrypted fs...
which keyctl >/dev/null
if [ $? -eq 0 ];then
IDflg="$(grep -o " logon " /proc/keys)"
if [ "$IDflg" ];then
exec su -l ${APPname} -s /bin/sh -c "DISPLAY=${DISPLAY} /usr/local/clients/run-client-indirect \"$APPbin\" $ARGS"
exec su -l ${APPname} -s /bin/sh -c "DISPLAY=${DISPLAY} \"$APPbin\" $ARGS"

This is the content of /usr/local/clients/run-client-indirect:

#when running in fscrypt encrypted folder, need to run this so as
#to enable write-permission when logged into a non-root client.

APP="$1"; shift
#[ $1 ] && while [ "$1" ]; do ARGS="$ARGS \"$1\""; shift; done
if [ $1 ];then
while [ "$1" ]
#do not put quotes around if a single word. example is "-edit" for seamonkey, the quotes stuff it up entirely...
if [ "${1/ /}" == "${1}" ];then
ARGS="${ARGS} ${1}"
ARGS="${ARGS} \"${1}\""

ID="$(grep " logon " /proc/keys | head -n 1 | cut -f 1 -d " ")"
if [ "$ID" ];then
keyctl link 0x${ID} @us #link fscrypt key to user-session.

exec ${APP} ${ARGS}

Have posted these technical details for whoever is interested, but from the user perspective, you just want it to work, and be easy to use.

Well, it should be easy. SeaMonkey works as normal, except that cannot save files outside its home, /clients/seamonkey. Not by default anyway.

By means of the "Login & Security Manager", you should be able to select any app to run as a client.

Testing with SeaMonkey, all is good, except for the Composer module. I use this regularly, and want to be able to edit html files anywhere. Not quite sure how to handle this -- might setup SeaMonkey-Composer to run as root only.

There are some issues to resolve, so it will be awhile before the next release. It is likely that the next release of EasyOS will have a version bump to 3.0.

I have got Chromium SFS running as a non-root user. This was a problem, see earlier posts. Will probably have it default to run as a client, so there will be a folder /clients/chromium, just like have for SM.

So, what to choose? Do you run SM as a client on the main desktop, or as "crippled root" in a container. Or... this is a possibility, run SM as a non-root client inside a container -- I don't yet know if that will work, but it sure would be the ultimate in security.  

Tags: easy

Fscrypt now works in user spot

September 12, 2021 — BarryK

Continuing from yesterday:

Analysed it a bit more. In the 'init' script in the initrd, /proc is getting mounted like this:

mount -o hidepid=1 -t proc none /proc #20210407

That "hidepid=1" is a security feature, which seemed like a good idea at the time. I think a repercussion is, when login as spot, it won't see all of root's /proc.

To get around this, I have created a new group, in /etc/group:


Then I changed the mounting of /proc in the 'init' script:

mount -o hidepid=1,gid=118 -t proc none /proc #20210407 20210912

...this disables the "hidepid=1" for any users belonging to group "fscryptgrp".

I now have fscrypt working, but had to do a few more things... writing it down here, as just got it working, and want to record exactly what I did! Here we go...

As root, did this:

# keyctl show
Session Keyring
5898855 --alswrv 0 65534 keyring: _uid_ses.0
382717390 --alswrv 0 65534 \_ keyring: _uid.0
448736447 --alsw-v 0 0 \_ logon: ext4:6db5ac6afa4a5042
# keyctl setperm 448736447 0x3f3f3f3f
# keyctl chgrp 448736447 118

...I don't know if changing the permissions to "0x3f3f3f3f", which means everything enabled, is necessary.

Now login as spot:

# su -l spot
# cat /proc/keys
02547b7e I--Q--- 1 perm 1f3f0000 502 65534 keyring _uid_ses.502: 1
1abf2cbf I--Q--- 1 perm 3f3f3f3f 0 118 logon ext4:6db5ac6afa4a5042: 72
341d39dd I--Q--- 2 perm 1f3f0000 502 65534 keyring _uid.502: empty
# keyctl link 0x1abf2cbf @us
# ls -a
. .cache .didiwiki Downloads .local spot.png .Xauthority
.. .config .DirIcon .history README.txt
# echo 'abc' > testfile1
# cat testfile1


Tags: easy

Fscrypt broken in user spot

September 12, 2021 — BarryK

I have posted about being unable to get Chromium and Chrome to run as user spot:

It turns out that there is a fundamental problem in EasyOS. If a person entered a password at the very first bootup, Easy creates encrypted folders in the ext4 working-partition. So, if anyone steals your usb-stick or hard drive, they won't be able to access the files in those folders.

The encryption mechanism works on a per-folder basis, and the init script in the initrd will unlock those folders when the correct password is entered at bootup. It works great, however, falls apart if login as a non-root user...

I have a utility, 'keyctl', from the 'keyutils' package. I have today compiled that in OE and added it to the package list, so it will be in future releases of EasyOS. It is for managing the kernel keys. I know hardly anything about this topic, but let's explore...

# keyctl show
Session Keyring
1025593870 --alswrv 0 65534 keyring: _uid_ses.0
668976992 --alswrv 0 65534 \_ keyring: _uid.0
291187953 --alsw-v 0 0 \_ logon: ext4:6db5ac6afa4a5041
# ls -a /root/spot
. .cache .didiwiki Downloads .local spot.png
.. .config .DirIcon .history README.txt .Xauthority

That highlighted entry looks like the encryption of the ext4 filesystem. OK, now let's login as spot:

# su -l spot
# keyctl show
Session Keyring
766538552 --alswrv 502 65534 keyring: _uid_ses.502
676258719 --alswrv 502 65534 \_ keyring: _uid.502
# pwd
# echo 'abc' > testfile1
-sh: testfile1: Required key not available
# ls
6rW37WId+lKMnweIIvtagzdl6yDbnlwV oqjFdCBsfmOhji42Vcl25rPB11d8rQhm
8njV2L9wUPwq00z9kbB9h5gewrv31HGY README.txt
adx4yf4hAOVnM2cVKKvWawXQLPXCBMOz spot.png
cTXh+5oKTshqUql5A30nVWaCWTLObsx2 UCUPdY5gOs0rEYI,6tpi9Ap,n7nh4ppB
Downloads Y09MYYqmfJzqU7sPrUbUDnuZV55Dctsp
E3lquNhL1RiXxPvFoSUWSW87Q77hnI8A yCXJJnoom8XbLB65uNAZ,anhMcUHIV+W

Now isn't that interesting!

It seems that the ext4 filesystem key is not available when logged into spot.

Note that "ls" does list some files and one folder correctly. The others are encrypted.

So, the big question, how do I activate that "ext4:6db5ac6afa4a5041" key when logged in as spot?

I haven't solved this yet, as don't know much about kernel keys, how they work and how to manage.

Progress! Was reading the 'e4crypt' man page:

 e4crypt add_key [-vq] [-S salt ] [-k keyring ] [ -p pad ] [ path
       ... ]
              Prompts the user for a passphrase and inserts it into the
              specified keyring.  If no keyring is specified, e4crypt
              will use the session keyring if it exists or the user
              session keyring if it does not.

'e4crypt' is a utility in the 'e2fsprogs' package. It is compiled statically and used in the initrd to create the encrypted folders. What turned on the lights for me is this: "e4crypt will use the session keyring if it exists or the user session keyring if it does not".

"user session" is the root user. The 'keyctl' utility has names for these: "@s" and "@us". The session keyring should be available if I login later on as spot. Let's find out...

# keyctl link @s @us
# su -l spot
# pwd
/root/spot# keyctl show
Session Keyring
766538552 --alswrv 502 65534 keyring: _uid_ses.502
676258719 --alswrv 502 65534 \_ keyring: _uid.502
# echo 'abc' > testfile1
-sh: testfile1: Required key not available
# whoami
# ls -a
. .cache .didiwiki Downloads .local spot.png
.. .config .DirIcon .history README.txt .Xauthority

The improvement is that the folders are now unencrypted, but still cannot write a file.

EDIT 2021-09-12:
Ignore that "keyctl link @s @us", I was just learning, don't think that does anything.

Have got fscrypt to work in spot, see next blog post:       

Tags: easy

Xarchive now extracts DEBIAN control folder

September 11, 2021 — BarryK

Jon (scsijon in the Puppy Forum) is helping me to get Chrome and Chromium working non-root. This has resulted in me making a discovery yesterday, about the Xarchive archiver and extraction GUI tool.

Jon downloaded a Chrome 64-bit DEB file, and clicked on it, in a running EasyOS 2.9, to install it. The PETget installer, if sees a post-install script, will execute it. Then he got it working as user 'spot'.

He emailed instructions to me, including to edit script /usr/bin/google-chrome.

I downloaded the same DEB, opened it up using Xarchive to examine its contents, then manually copied the files to install it. It did not have script /usr/bin/google-chrome.

The penny dropped. Xarchive does not extract the 'DEBIAN' control folder. This has a post-install script that creates /usr/bin/google-chrome.

I want to use Xarchive to view and extract exactly what is inside a archive file!

I have modified /usr/lib/xarchive/wrappers/, inserted a line:

    -e) # extract: from archive passed files 
# convert deb to a temporary tar file
tmptar="$(mktemp -t tartmp.XXXXXX)"
$DEB_PROG $CONVERT_OPTS "$archive" > "$tmptar"
# extract files from the temporary tar
$TAR_PROG $TAR_EXTRACT_OPTS "$tmptar" "$@"
#20210911 BK include control info in extraction...
$DEB_PROG -e $archive DEBIAN
# remove temporary tar
rm "$tmptar"
exit $wrapper_status

...where DEB_PROG=dpkg-deb

Unfortunately, the DEBIAN folder is not listed when viewing the .deb file contents in Xarchive. Probably could be done, but complicates the script immensely.

At least now, when extract a .deb file, will get the DEBIAN folder and can examine what is in it. Not a perfect solution, but passable.

Note, some other pups are using Xarchiver, which is a different project, does the same thing. Xarchive is a dead project, last release in 2006:

However, Puppy developers have worked on it since, and it has been internationalized. There are also posts about additional wrapper scripts. Here is one old post:

Here is the source that I use:    

Tags: easy

Attempted compile Firefox in EasyOS

September 09, 2021 — BarryK

Some applications, over the years, have become more bloated and more difficult to compile. Firefox included.

The Linux From Scratch people have instructions, for example:

Rust and clang (LLVM) are required to compile Firefox. This is how to install Rust:

# curl -4 --proto '=https' --tlsv1.2 -sSf | sh

Choose custom install, and type in "1.51.0" for Default toolchain.

Installs to /root/.cargo

A dependency is 'cbindgen', a rust package, install:

# cargo install cbindgen

Another dependency is 'nodejs', obtain from here, the LTS package, doesn't need to be compiled:

Python3 is also required, unlike SeaMonkey that is still stuck on needing Python2. Python3 is already in EasyOS, with the "devx" SFS loaded of course, for the full Python3.

I compiled the LLVM package in OpenEmbedded, which includes 'clang'. I was shocked that the binary package, xz-compressed, is 2GB, but that includes a lot of ".a" files. The library "libllvm*so" on its own is 60MB, and prior to now did not have it in the OE Dunfell build -- even though it means some GPU drivers in the 'mesa' package could not be built.

It really does go against the grain for me, to include such a huge library in EasyOS, and I won't. I have compiled it in OE only for the purpose of compiling Firefox (in a running EasyOS), with the intention that Firefox will be an SFS, not builtin to EasyOS.

So, LLVM and clang, compiled in OE, binary package now installed in running EasyOS 2.9, getting ready to compile Firefox...

Actually, it is not Firefox itself that needs clang and libllvm, it is 'cbindgen', the rust package. Cross fingers that won't need libllvm in the final firefox executable.

Final steps to getting ready for the compile, set some variables:

# export PATH="/root/.cargo/bin:${PATH}"
# export SHELL=/bin/sh
# export CC=gcc
# export CXX=g++

Here is the 'mozconfig' file, that needs to be in the Firefox source folder:

mk_add_options MOZ_OBJDIR=obj-x86_64-pc-linux-gnu
ac_add_options --enable-application=browser
ac_add_options --prefix=/usr
ac_add_options --host=x86_64-unknown-linux-gnu
ac_add_options --disable-dbus
ac_add_options --disable-accessibility
ac_add_options --disable-updater
ac_add_options --disable-parental-controls
ac_add_options --enable-strip
ac_add_options --with-system-jpeg
ac_add_options --with-system-zlib
ac_add_options --disable-tests
ac_add_options --disable-crashreporter
ac_add_options --with-system-libvpx
ac_add_options --disable-necko-wifi
ac_add_options --without-system-nspr
ac_add_options --without-system-nss
ac_add_options --without-system-icu
ac_add_options --disable-pulseaudio
ac_add_options --enable-alsa
ac_add_options --enable-system-ffi
ac_add_options --enable-system-pixman
ac_add_options --disable-debug
ac_add_options --with-system-libevent
ac_add_options --enable-optimize='-O2'
ac_add_options --enable-ffmpeg
ac_add_options --disable-webrtc
ac_add_options --enable-printing
ac_add_options --disable-jack
ac_add_options --without-system-webp
ac_add_options --disable-elf-hack

I downloaded the latest source, version 92.0, from here:

Copied 'mozconfig' into it, then ran:

# ./mach configure


# ./mach build compiled for a couple of hours, then compile fail.

Tried the legacy ESR version 78.x, see here:

Source package:

...compile also failed, different place, in "netwerk/dns/mdns".

What requires mdns? WebRTC does, and I have "--disable-webrtc" in mozconfig. Worth a punt, have taken that out, trying again...

# rm -rf obj-x86_64-pc-linux-gnu/
# ./mach configure
# ./mach build

...failed again, this time in "modules/libjar/zipwriter".

Haven't given up yet! Downloaded the Firefox source from Debian:

Expanded the "debian" package inside the Firefox source, then applied the patches:

for aP in $P
patch -p1 --dry-run < debian/patches/${aP} >/dev/null 2>&1
if [ $? -eq 0 ];then
echo "PATCH: ${aP}"
patch -p1 < debian/patches/${aP} >/dev/null 2>&1
echo "FAILED: ${aP}"

Off we go again...

...failed again. Oh well, will just use an already-compiled package to create a Firefox SFS.    

Tags: easy