Revision [19516]

This is an old revision of security made by CrustyLobster on 2011-11-14 23:15:20.

 

Security involves protection from data loss, data theft and data corruption.text

Security Precautions


In puppy linux your user account is called root, but is not root. In puppy root is user.

Root in puppy root is the underlying ramdisk. the main "PUPversion.sfs" is, or contains (actually, installs again each startup), the root file system. When you start your puppy the real root filesystem gets copied to ram, or swap. You use the copies of the root files in ram or swap. When you shut down your ram/swap copy of your main sfs root is deleted. Next time you start the main sfs installs another copy of itself to ram/swap. Real roots don't get any more secure than that, especially if the real root is on non-writable CD.

Running puppy frugal from a CD there is no way your main sfs root files can be altered. Running frugal with the main sfs copied to HD, the main sfs is copied from HD to ram/swap, then is not touched again. It can be altered by someone mounting it and opening it with another puppy, since HDs allow writing and erasing. But if anyone roots you during a session they root your user-root account for the session only. If they install a rootkit it installs to your pup-save and can install from there again next session. You can prevent that by erasing the contents of your pup-save, so your ramdisk root writes fresh files to it when you start your next session. You need to move files you want to save out to a back-up save file before you wipe your pup-save contents (don't wipe the whole pup-save, only all files in it).

To modify your real root system in puppy you have to run the "remaster puppy live-CD" program from the setup menu. That's how you " su " in puppy. You have to make your modifications in your user-root puppy first, adding and subtracting what you want. You make your new root account when you do the remaster of what you have set up..

I check the integrity of my main sfs files when I copy them to HD for frugal installs (I don' t full install, so I don' t know if files are secure in those) by making hashes of my main SFS files when I first copy, then re-hashing hem and checking against the first hash from time to time. So far I have not found a main puppy sfs file to change.

Renaming puppy root isn't a good option because lots of files look for "/root" and don't find it if it's named something else. Those who have set up multi-user puuppies have found that finding and changing every pathname instance is tedious and frustrating.

Puppy Linux is single-user per session and pup-save. It's the way it works. Each user launches his own ramdisk-root from the same main sfs root and modifies his or her own session from his or her pup-save store of preferences. For personal files each using the same computer has to make his or her own password protected encrypted save-file, or have his or her own flash-drive.


See also
Privacy, Fido, Puppy GROWL, WarDog

References
http://sectools.org/index.html
http://www.virustotal.com/
http://www.cryptoheaven.com/
http://epic.org/privacy/tools.html
http://news.cnet.com/8301-13880_3-20010350-68.html?tag=mncol;mlt_related
http://murga-linux.com/puppy/viewtopic.php?t=41146
IPtables: http://www.murga-linux.com/puppy/viewtopic.php?p=405147#405147
Potential Flash point
http://www.builderau.com.au/program/linux/soa/10_things_you_should_do_to_a_new_Linux_PC_before_exposing_it_to_the_Internet/0,339028299,339274586,00.htm?feed=rss
Security forum thread
Linux Security
Security History
Linux security Howto
10 tips
NSA in Windows
Top Cyber Security Risks
Live Linux CD for security
Password protect GRUB
group51.org
http://www.murga-linux.com/puppy/viewtopic.php?p=405903#405903

Appendix

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cyber-criminals when banking online. The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows: 'If you are using the internet for a commercial transaction, use a Linux boot up disk - such as Ubuntu or some of the other flavours. Puppy Linux is a nice small distribution that boots up fairly quickly. It gives you an operating system which is perfectly clean and operates only in the memory of the computer and is a perfectly safe way of doing Internet banking'. Source

N.B. choice of operating system becomes irrelevant if recommended security precautions are not applied

Security set-up for Puppy 2.16 onwards
1 Open console type 'passwd'. enter your new password twice.

2 Run 'lock' on desktop and enter password from step 1

*you may want to select 'blank' from the config to save on processor usage

3 edit /etc/inittab to look like this:
::sysinit:/etc/rc.d/rc.sysinit
tty1::respawn:/sbin/getty 38400 tty1
tty2::respawn:/sbin/getty 38400 tty2
::ctrlaltdel:/sbin/reboot


*this keeps someone from killing lock with ctrl+alt+backspace and logging back in automatically and also gives the option on bootup to enter 'root' and 'password'.

Create Password
Boot Puppy

ctrl+alt+F2 (because my eyes are going and this is easier to read than in a console)

"
puppypc login :root
Password : well known and published password
#passwd
Changing password for root
New password : a new and unpublished password
Retype password : a new and unpublished password
Password for root changed by root
"

ctrl+alt+F3 (back to GUI)(F4 for some puppies)

Open terminal and type: passwd

Create a user to run applications.

Open terminal and type: cd / && mkdir home

Think of your new user name and then type in console: cd /home && mkdir YourNickHere

Now copy these files to /home/YourNickHere
.bashrc, .fonts.cache-1, .gtkrc-2.0, .gtkrc.mine, .Xdefaults, .Xresources

Open terminal and type: adduser YourNickHere

Run applications as YourNickHere by typing su -c application YourNickHere
example: su -c gaim YourNickHere

Make applications run as YourNickHere by default:

Edit application launchers to resemble this, su -c application YourNickHere

Puppy has a personal wiki called DidiWiki, with its own inbuilt HTTP server, so is accessed from a web browser, either locally or over a network/Internet. What we do in this case is run DidiWiki as user "spot". We can run an individual server application as a restricted non-root user, even though you yourself are still logged in as root.


Categories
CategorySecurity
CategorySoftware
There are no comments on this page.
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki