RunAsNonRoot

From Inveneo


InveneoPuppyLinux

Currently Puppy defaults to running as root.

There is an unprivileged user (spot), but by default it's only used by didiwiki (which is stripped out of InveneoPuppyLinux).

In order to log in as spot, need to replace autologinroot with autologinspot in /etc/inittab:

$ vi autologinspot.c
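#include <unistd.h>
int main(void) {
    /* replace this process with login; -f logs spot in without a password prompt */
    execlp("login", "login", "-f", "spot", (char *)0);
    return 1; /* only reached if the exec failed */
}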
$ gcc -o autologinspot autologinspot.c
$ strip autologinspot
cp /mnt/home/puppy/RunAsNonRoot/autologinspot /mnt/home/puppy/puppy-unleashed/rootfs-complete/bin
sed 's/autologinroot/autologinspot/' /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/inittab > /tmp/inittab.tmp 
mv /tmp/inittab.tmp /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/inittab

Need to pre-configure the hardware settings to allow /usr/X11R6/bin/xwin to work:

echo "psaux" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/mousedevice
echo "5" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/mousebuttons
echo "ps/2" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/keyboardtype
echo "uk.map" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/keymap
echo "/usr/share/kbd/consolefonts/lat1-12.psfu" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/fontmap
echo "ISO-8859-1" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/codepage
echo "0x0117 1024x768x16" > /mnt/home/puppy/puppy-unleashed/rootfs-complete/etc/videomode

Need to fix some permissions:

chmod +x /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/share/kbd/keymaps/i386/azerty
chmod +x /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/share/kbd/keymaps/i386/dvorak
chmod +x /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/share/kbd/keymaps/i386/include
chmod +x /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/share/kbd/keymaps/i386/qwerty
chmod +x /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/share/kbd/keymaps/i386/qwertz
sed 's/etc\/.XLOADED/tmp\/.XLOADED/' /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/X11R6/bin/xwin > /tmp/xwin.tmp 
mv /tmp/xwin.tmp /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/X11R6/bin/xwin
chmod +x /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/X11R6/bin/xwin

Need to copy/move the configs from /root to /root/spot:

cd /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0
cp -r Choices spot
cp -r OpenOffice spot
cp -r my-applications spot
cp -r my-documents spot
cp -r my-roxapps spot
cp .bashrc spot
cp -r .beaver spot
cp -r .gaim spot
cp -r .gxine spot
cp -r .jwm spot
cp .jwmrc spot
cp -r .mozilla spot
cp -r .sylpheed-2.0 spot
cp -r .Trash spot
cp .rxvt.menu spot
cp .Xdefaults spot
cp .xinitrc spot
cp .Xresources spot

Need to ensure that spot can write these files:

chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.beaver/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.gaim/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.gxine/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.jwm/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.mozilla/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.sylpheed-2.0/*
chown -R spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.Trash/*
chown spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.bashrc
chown spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.rxvt.menu
chown spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.Xdefaults
chown spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.xinitrc

Should be unnecessary with simplified X settings:

chown spot /mnt/home/puppy/puppy-unleashed/rootfs-complete/root0/spot/.Xresources

Xvesa needs to be suid (otherwise a SegFault occurs!):

chmod u+s /mnt/home/puppy/puppy-unleashed/rootfs-complete/usr/X11R6/bin/Xvesa
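
A post-build check for the steps above, as an added example that is not part of the original page: it confirms the staged tree carries the inittab and xwin edits and that the only setuid/setgid files are the expected ones. The function names and the SUID_ALLOW allowlist are assumptions; pass the rootfs-complete path as the first argument.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the
# SUID_ALLOW allowlist (paths relative to the rootfs) are assumptions.
SUID_ALLOW="${SUID_ALLOW:-usr/X11R6/bin/Xvesa}"

# List setuid/setgid regular files under $1 that are not in allowlist $2.
unexpected_suid() {
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print) |
    sed 's|^\./||' |
    while IFS= read -r f; do
        case " $2 " in
            *" $f "*) ;;                  # expected, stay quiet
            *) printf '%s\n' "$f" ;;      # anything else is reported
        esac
    done
}

# Verify the edits from the steps above; return 0 only if all hold.
check_rootfs() {
    root=$1; allow=$2; rc=0
    [ -d "$root" ] || { echo "FAIL: $root is not a directory"; return 2; }
    # inittab must reference autologinspot and no longer autologinroot
    if ! grep -q autologinspot "$root/etc/inittab" 2>/dev/null ||
         grep -q autologinroot "$root/etc/inittab" 2>/dev/null; then
        echo "FAIL: etc/inittab does not start autologinspot"; rc=1
    fi
    [ -x "$root/bin/autologinspot" ] ||
        { echo "FAIL: bin/autologinspot missing or not executable"; rc=1; }
    # xwin must carry the sed edit (tmp/.XLOADED instead of etc/.XLOADED)
    if grep -q 'etc/\.XLOADED' "$root/usr/X11R6/bin/xwin" 2>/dev/null; then
        echo "FAIL: xwin still references etc/.XLOADED"; rc=1
    fi
    [ -x "$root/usr/X11R6/bin/xwin" ] || { echo "FAIL: xwin not executable"; rc=1; }
    # every allowlisted file must actually be setuid, and nothing else may be
    for f in $allow; do
        [ -u "$root/$f" ] || { echo "FAIL: $f is not setuid"; rc=1; }
    done
    extra=$(unexpected_suid "$root" "$allow")
    [ -z "$extra" ] || { echo "FAIL: unexpected setuid/setgid: $extra"; rc=1; }
    return "$rc"
}

# Run only when a rootfs path is given on the command line.
if [ "$#" -gt 0 ]; then check_rootfs "$1" "$SUID_ALLOW" || exit 1; fi
```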


Once running, need a way of doing root tasks: sudo/sudoedit is now in 1.08, but not configured (/etc/sudoers). I'd suggest an Ubuntu-like config where all actions are allowed (just need the password) & a DSL-like config (can type 'sudo su' without needing to know the password & use 'sudo insmod' for hardware detection):

spot    ALL=(ALL) ALL
spot    ALL= NOPASSWD: /bin/su, /sbin/insmod

Thread discussing the pros/cons of this: http://www.murga.org/%7Epuppy/viewtopic.php?t=1246

From GuestToo:

i was experimenting with running X as user spot it seemed to work ok except rxvt wouldn't run

i read somewhere that the rxvt binary might need to be setuid root so it can connect to the X server ... i haven't tried it yet ... i tried things like xhost but it didn't seem to work

there are a few other problems running as spot ... spot can't change /etc/windowmanager, so windowmanager should be in $HOME ... files in my-documents belong to root, and spot can't change them or delete them ... spot would have trouble mounting and unmounting and writing to drives

---

you can run X as an unprivileged user (for example, spot) fairly easily ... (setuid X and tinylogin, setup config files in /root/spot, chmod or chown or delete a file or 2 in /tmp, su spot, type xwin)

rxvt/aterm will not run as spot ... i tried a few things like xhost and setuid root, but didn't get it to work ... i have not tried changing the configuration in inittab yet (i would need to remaster Puppy or install Puppy to a hard drive, option 2) ... rxvt will run as root, so terminals are still available

many or most dotpup and pupget packages assume Puppy runs as root and assumes $HOME is /root ... they assume the configuration files, like menus, are in /root and that you have write permissions to /root ... MUT and pmount assume you have supervisor powers ... and things like "my-documents is owned by root" need to be fixed

it can be done, but it will break a lot of 3rd party packages ... running as root is less safe, but it is simpler


i just happened to be experimenting with running the xorg X server as user spot (Puppy 1.0.7 beta)

you need to copy some of the config files from /root to /root/spot ... and chown -R spot:spot /root/spot/

shut down X (you can press ctrl+alt+backspace)
type:

rm /tmp/xerrs.txt
su spot
cd
startx

i've tried various things to get rxvt to work ... xhost, setuid bit of rxvt, etc etc ... i haven't tried inittab yet ... i can run rxvt as user root anyway

/root/my-applications/bin/rxvt3:

#!/bin/sh
exec su -c /root/my-applications/bin/rxvt4 - root

/root/my-applications/bin/rxvt4:

#!/bin/sh
. /etc/profile
rxvt -e bash "$@"

to open an rxvt window running as root from spot, click the rxvt3 script

for spot to be able to use su, tinylogin has to be setuid root:

chmod u+s `which tinylogin`

it might be possible to put rxvt4 in rxvt3 by using { } . /etc/profile would probably not be necessary if rxvt opened as a login shell

anyway, the xorg X server will run as spot about the same as xvesa will


NB To mitigate against the dangers of running as root, Puppy2 is incorporating PupSafe:
http://puppylinux.com/news.htm (Jan 19,20,21)
