mullvad browser issue

[darksun]

Hi,
first of all I am new here, not new to linux as I fell in love with it since 2005.

Bookworm pup 64 rocks!

I am attempting to install this

https://mullvad.net/en/help/install-mul ... wser#linux

following those steps, the browsers' files get copied into the /home/spot/Downloads directory, and the files and directory's owner is root:root .

I launch the program not via ./start-mullvad-browser.desktop (as the script exits with the error saying it cannot run as root) but via Browser/mullvadbrowser (solution found within this forum).

My questions are concerning the safety of using a web browser as root, I wish to use mullvad browser as user spot as it should "theoretically increase security" .

Is the solution it is configured above valid or it could be improved? Any consideration?

I have read the forum sections about puppy security paradigm and the use of root and spot users, yet I am not sure about this case scenario, hence I am asking here.

Thank you very much!!

DS

[darksun]

furthermore, I keep getting a fatal error if I install the browser with the method listed above, the official method, this error comes up

Code: Select all

# ./mullvadbrowser
/usr/bin/lsb_release: line 8: warning: setlocale: LC_ALL: cannot change locale (C.UTF-8): No such file or directory
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 24172, IPC I/O Parent] WARNING: process 24280 exited with status 127: file /var/tmp/build/firefox-ed471a474010/ipc/chromium/src/base/process_util_posix.cc:270
Segmentation fault

instead I have to install it with this method to avoid that fatal error

Code: Select all

# wget --content-disposition -P /tmp -c https://mullvad.net/en/download/browser/linux-x86_64/latest{,/signature}
# gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
# gpg --verify /tmp/mullvad-browser-*.asc
# tar -C ~/.local/share -J -x -f /tmp/mullvad-browser-*.tar.xz
# cd ~/.local/share/mullvad-browser/Browser
# ./mullvadbrowser

[dogcat]

Hi darksun, welcome to the forum!

Looks like you have some file permission issues, puppy is famous for that.

All the files in /home/spot/mullvad-browser/ directory need to belong to spot user and spot group.

What I did to launch mullvad

1. Downloaded the mullvad-browser-linux-x86_64-13.0.7.tar.xz file from the link in the first post and extracted that.
2. Copied the extracted mullvad-browser directory and its files to the /home/spot/ directory
3. Changed ownership of the /home/spot/mullvad-browser directory and all files under that directory to spot:spot ownership (spot user and spot group)
4. Launched a terminal in the /home/spot/mullvad-browser directory and ran the command su spot to make the terminal window belong to spot user.
5. Copied the executable line (text that follows the Exec=) from the start-mullvad-browser.desktop file and then launched that line from the terminal opened in step 4. That launched the browser.

After first run of mullvad, the original Exec= command modified the Exec= line in the start-mullvad-browser.desktop file to aim itself at the /home/spot/mullvad-browser/ directory (to allow the .desktop file to launch the browser from menu, etc.), but the modified desktop file will not launch the browser due to a syntax error. The quick workaround was to copy that new modified line (text that follows the Exec=) and make a script file from that which can then be copied to anywhere in the system and will launch the mullvad installed at /home/spot/mullvad-browser/ The script looks like this.

Code: Select all

#!/bin/ash
su spot -c '"/home/spot/mullvad-browser/Browser/start-mullvad-browser" --detach || ([ !  -x "/home/spot/mullvad-browser/Browser/start-mullvad-browser" ] && "$(dirname "$*")"/Browser/start-mullvad-browser --detach)' dummy %k

The main thing is to have the mullvad-browser directory and all its files belong to the spot user and spot group.

Script attached

mullvad-launch.sh.tar.zip

(409 Bytes) Downloaded 44 times

This was the first launch with original Exec= line from the desktop in the terminal.

mullvad-first-run.png (188.23 KiB) Viewed 1093 times

[darksun]

thank you very much! it works.

if I have understood well, there is an issue caused by a syntax error from the mullvad browser itself.

I do not know about you, but I find it annoying thou that every time I need to launch the web browser we need to use a workaround, a sh script.

Maybe I am missing something, but I would rather prefer/wait for a definitive fix for this issue, instead of running a sh script.

Please do not get me wrong (English is not my first language), I am not complaining to you but thanking you, acknowledging the issue and disliking the idea of running a script to workaround that syntax error (wherever it is).

I am prone to stick to run mullvad browser as root for now, as my understanding is that, seen puppy linux security paradigm, the increase security of running the web browser as spot is "theoretical" .

Furthermore mullvad browser (Firefox) has a sandbox , and has ublock origin built-in which includes a set of filters that block known malicious website. All of this + puppy linux with frugal installation + good surfing hygiene makes me enough confident with my threat model in the view of running the web browser as root. I apology if this last sentence if OT.

Thank you again.

DS

[dogcat]

I think the syntax error resides in the .desktop file, I don't know why the same command line I used in the script does not work in the .desktop file? Could be a bash vs. ash thing...

I just dragged the script file to the desktop and renamed it, i think one could could also attach an icon to it to make it blend in with the other icons.

Anyways, thanks for alerting us to the mozilla-based mullvad browser!

[bigpup]

The idea of spot is not actually a user, but a restricted operation of a web browser. Run as spot.
Spot is only a special way to have web browsers handle downloads of anything it downloads.
The spot directory is a restricted location for web browsers to be able to download to.
So if the browser downloads some type of evil execute file, it has no way of executing, spot is not doing the execution.
You are still the root user and you can do anything, but the spot permission issues are still there, because it is in the spot directory.
The spot directory was never designed as a place to run stuff from.

Running a program that refuses to run as root.
run-as-spot, as an added command to the execute, tricks the program into thinking it is running as user spot. The program startup process thinks it is running as spot.

When you download a program you want to add to Puppy.

First move the program package out of spot directory.
Then do whatever is needed to install it.
any other location in the Puppy file system is permission-ed for root user.