Cannot run "SeaMonkey 2.53.5.1" on "Precise Light 5.7.2" using user spot

[m-cuda]

@6502coder recommends 32-bit "SeaMonkey 2.53.5.1" as a usable browser for really old and weak hardware - viewtopic.php?p=11054#p11054. I extracted the downloaded .bz2 file to a mounted partition (outside of the Puppy save partition) and using the console chown of everything in the extracted directory to spot and tried to run SeaMonkey on "Precise Light 5.7.2" using sudo as user spot. This did not start.

Code: Select all

chown -R spot:spot seamonkey-2.53.5.1.linux-i686/
cd seamonkey-2.53.5.1.linux-i686
sudo -u spot -s
./seamonkey
...
(seamonkey:27223): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-ocgQxYEfnT: Connection refused
###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

However, It will run using user root. However, I feel this is not secure. I formerly used Windows and for the things I do I think Puppy is better than Windows with one strong exception. In my opinion Puppy is really weak with respect to security.

When running seamonkey as user root I observed that two processes - 28178 and 28179 were started:

Code: Select all

# ps aux|egrep dbus
spot      3754  0.0  0.0   3268   712 pts/3    S+   07:34   0:00 egrep dbus
503       6615  0.0  0.0   2088   656 ?        Ss   02:00   0:00 /usr/bin/dbus-daemon --system
root     28178  0.0  0.0   3248   412 ?        S    02:54   0:00 dbus-launch --autolaunch 3f114b61ed6b1d49dba3ca515fc99819 --binary-syntax --close-stderr
root     28179  0.0  0.0   2088   752 ?        Ss   02:54   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
#

Incidentally, I also agree with @6502coder assessment that PaleMoon is not usable for really old and weak hardware.

[mikeslr]

I take it that you are referring to this post, viewtopic.php?p=11054#p11054. It would have been helpful if you had provided a link rather than leaving us to guess how you deployed seamonkey. Or perhaps, better yet, posted to the Precise Light thread as the issue is more likely to be specific to that Puppy than to either seamonkey or 'running as spot'.

Although Precise Light 5.7.2 is an updated version of Precise (with some newer components) it is also a light version (with some components removed). The following may not immediately solve your issue. But it will tell you if it is solvable and provide information toward the possible solution.

File-browse to the Seamonkey binary. It will be in the Seamonkey folder and appropriately named Seamonkey. It will probably look like a gear. Right-Click it and from the pop-up window select ListDD. ListDD list dynamic dependencies will also be found on the Utilities menu. If your Puppy doesn't have it you can install it from here, http://murga-linux.com/puppy/viewtopic. ... 028#802028. When ListDD's window opens, click the Missing Tab on the bottom panel. That will provide you a list of all of Seamonkey's dependencies which are not found in your system. You can copy the list to a text file for further reference.

Searching, https://rockedge.org/psearch/, using the phrase "seamonkey dbus" revealed the advice from shinobar that "Some Puppy need dbus and dbus-glib to run seamonkey official build." http://murga-linux.com/puppy/viewtopic. ... 533#758533. That may be your situation; and if so, Puppy Package Manager should be able to provide them. But ListDD may have revealed that to run so recent a seamonkey you may also need gtk3 (doable, http://murga-linux.com/puppy/viewtopic. ... 04#1024504) and/or a more recent glibc. If the latter, see if Mike Walsh or watchdog have any suggestions. An operating system can only have one 'internal' glibc. Watchdog developed the technique of packaging other glibc libraries within a web-browser along with instructions that the application use them. Mike Walsh has worked with that technique several times.

Also tell us exactly how you deployed seamonkey. There are two ways to 'run-as-spot'. One involves locating the seamonkey folder within the /spot folder.. It's the best way to assure that the application actually adheres to the intended limitation that only the /spot folder can be accessed. But if only the spot folder can be accessed every dependency must be within the spot folder.

[ndujoe1]

on the contrary PUppylinux is very secure, imo. Go to Steve Gibson's site and run the Shield's up test Puppy passes with good results. grc.com

[m-cuda]

@mikeslr I fixed my post as you suggested. if this was a dynamic dependency problem then would not SeaMonkey also fail to run using user root? SeaMonkey runs quite well using user root but I think running browsers as user root is unsafe so I want to run it as user spot.

Code: Select all

# ldd seamonkey
	linux-gate.so.1 (0xb77ad000)
	libpthread.so.0 => /lib/libpthread.so.0 (0xb777c000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7778000)
	libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7686000)
	libm.so.6 => /lib/libm.so.6 (0xb7648000)
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7629000)
	libc.so.6 => /lib/libc.so.6 (0xb7503000)
	/lib/ld-linux.so.2 (0xb7795000)
# 

[m-cuda]

@ndujoe1 In my opinion Puppy Linux compared to other systems is architecturally very weak with respect to security. Other systems use a multi-layered defense against infection. Specifically, technologies such as DAC, MAC (SELinux, AppArmor, seccomp) strongly limit the damage an infecting agent can do. If Puppy becomes infected the damage an infecting agent can do is unlimited if the agent has root privileges. Essentially, other systems tries to protect you even after your system is infected but Puppy does not.

[mikeslr]

Hi m-cuda,

You posted while I was having 'an afterthought': "Also tell us exactly how you deployed seamonkey. There are two ways to 'run-as-spot'. One involves locating the seamonkey folder within the /spot folder.. It's the best way to assure that the application actually adheres to the intended limitation that only the /spot folder can be accessed. But if only the spot folder can be accessed every dependency must be within the spot folder."

Just noticed that you mentioned it run well as Root. As ndujoe1 wrote, PUppylinux is very secure. And this is especially so if you follow the instructions here, viewtopic.php?p=2235#p2235. The second way to run seamonkey as spot locates the seamonkey folder anywhere other than within the Spot folder, but with instructions that anything downloaded be limited to the /spot folder. With seamonkey, it is possible that all you have to do is open Menu>System>Login and Security Manager and click to put a check mark in the radio button next to the name Seamonkey. Click OK & re-start (maybe reboot after Saving).

The above is more than adequate from a Security prospective. From the prospective of privacy the only occasion I consider that important is when involved with online financial transactions. I've been working to develop LibreWolf for recent Puppies. But it's only for 64-bit systems. For 32-bit systems I would recommend firefox with these addons: Adguard and privacy possum. I just unsuccessfully to install them in Seamoney 2.57. There are several other recommended privacy addons available for firefox. Hence, firefox.
Firefox is also the only web-browser I found to fully comply with spot's limitations even if its folder is not within /spot. To be clear, I only use firefox when doing online financial matters. For everything else, I use a different browser, often palemoon.
Regardless of which web-browser you use, you may also want to install any or all of these search engines and use them rather than google: metager, swisscows, qwant.

[bigpup]

About root, spot

This is a short explanation of why users run as the administrator (root) in Puppy Linux, and/or use the non-root spot account.

In a nutshell, root login gives you total access to everything, whereas a non-root login gives you restricted access (that is configurable for each user by the administrator).
Puppy is not a multi-user system as are most other Linux distributions, in which there is a root login plus any number of non-root login accounts.
Puppy on the other-hand, has root, plus just one non-root login, named spot.
root

There are two main objections to running as root: firstly, that you might accidentally do something dumb, such as delete important files, secondly that if someone gains access to your computer, either remotely via the Internet/network, or locally, they will be at root-level and able to do much more damage than if they gained access as a non-root user.
Doing something dumb

In the case of accidentally wiping important files, which files are important to you? Your own personal files and data of course, which regardless of whether you are logged in as your non-root account, or logged-in as root, you are just as prone to doing the same dumb thing.
That is, your personal files, settings, applications, are all owned by the non-root user, and can just as easily be deleted by the non-root user as can be deleted by the administrator.
In other words, this argument against running as root is itself dumb. At least in respect to the safety of your own files.

Where the "doing something dumb" argument is valid is in a multi-user system, where the administrator could accidentally delete or otherwise compromise another user's files. However, Puppy is not multi-user.

With regard to system files, they can easily be restored, in fact Puppy makes this easy as the entire system is in one Squashfs file.
In a frugal install of Puppy.
These files are read only.
Changes are only in the pupsave.

spot

This brings us to 'spot', which is a classical name for a dog. But, spot is not a normal user, you don't login as user spot. Instead, you bootup in the normal way as the root user, but you can choose to run some Internet applications as the restricted user spot.
This means that you have unfettered access to your local system, all the benefits of root, no hassles with file/directory ownerships and permissions, no restrictions on access to all hardware.
But, you can run, for example, SeaMonkey (browser, Composer, mail&news, IRC-chat suite), as spot. The home directory for spot is /home/spot, and SeaMonkey will only be able to (normally) edit/create/write files inside /home/spot.

With spot, you have the best of both worlds. Freedom in your local system, a restricted user for Internet access.

Run any application as spot with: run-as-spot app [arguments]
You can also create a script to automate this

[Uten]

I wonder if there is a missunderstanding of philosophy here.
The run-as-spot scripts does a bit more than changing ownership of the seamonkey files.

It also looks like you just unpacked seamonkey into a directory? Might work, I don't know. Try to run seamonkey like this:

Code: Select all

cd your-seamonkey-path
run-as-spot seamonkey

As for the root is not a secure thing. I love my puppy because I can use my computer. It is not locked down. I suppose you could hack it, but there is a catch. When I reboot, your hack is gone! So I always boot a secure fresh version for banking and such. Security is a habit. Trying to hard to design it into a system has proven to be a failure every time.

[m-cuda]

@bigpup , @Uten your suggestion to use "run-as-spot app [arguments]" works - thank-you very much. I did not know about "run-as-spot". Since, Puppy is derived from Ubuntu, I have been using the Ubuntu documentation as my Puppy documentation. Although, this in general works quite well, it does mean I will not learn about Puppy specific commands like run-as-spot. So, what is the magic of run-as-spot?

Code: Select all

#!/bin/ash
# generic wrapper to run as spot (when currently running as root)
# (C) James Budiono 2012, 2017
# License: GPL version 3 or later
#

#set -x

CWD=$PWD
CMD=''
while [ "$1" ]; do
	CMD="$CMD \"$1\""
	shift
done

[ "$CMD" ] || exit

SPOT_HOME=$(awk -F: '$1=="spot" {print $6}' /etc/passwd)
CURDIR=$PWD

if [ $(id -u) -eq 0 ]; then
	[ $XAUTHORITY ] && cp $XAUTHORITY ${SPOT_HOME}/.Xauthority 2>/dev/null
	touch ${SPOT_HOME}/.Xauthority
	export XAUTHORITY=$SPOT_HOME/.Xauthority

	export XDG_CONFIG_HOME=$SPOT_HOME/.config
	export XDG_CACHE_HOME=$SPOT_HOME/.cache
	export XDG_DATA_HOME=$SPOT_HOME/.local/share

	export DBUS_SESSION_BUS_ADDRESS=""

	exec su spot -s /bin/ash -c '
# try to switch to original directory, unless it is /root
! [ "'"$CURDIR"'" = /root ] && cd "'"$CURDIR"'"
exec '"$CMD"'
'
else
	exec ash -c "exec $CMD"
fi

As can be seen, run-as-spot is setting the environment for the command to be run in. In particular, the environment variables XDG_*_HOME are set to refer to sub-directories of ~spot. If you just do a sudo these environment variables remain referring to sub-directories of ~root. These sub-directories have "drwxr-xr-x" permissions. This means seamonkey running as user spot will not be able to create files in these sub-directories of ~root and it probably needs to create these to run.

[m-cuda]

@Uten wrote

As for the root is not a secure thing. I love my puppy because I can use my computer. It is not locked down. I suppose you could hack it, but there is a catch. When I reboot, your hack is gone! So I always boot a secure fresh version for banking and such.

Are you booting from read-only media, eg CD, DVD, ...? If not then if I can infect a process running with root privileges, I can replace your kernel "/initrd/mnt/dev_save/vmlinuz" with my weaponized kernel. The next time you boot you will not have" a secure fresh version" but you will boot into my weaponized kernel (and you will not even suspect that your kernel has been replaced). My kernel can monitor all the websites you visit, all the data you type on the keyboard. It can learn your bank, bank account-no and password and send this to my remote site over the Internet. The mantra "The next time I boot I will have have a secure fresh version" is only absolutely true if you are using read-only media. For distros where the default user is not root this mantra is again not absolutely true since as long as the media is writable there will always exists the possibility that an infection may find some way to write to it but it is closer to being true than it is for Puppy where the default user is root since without root privileges to begin with it is much more difficult to replace the kernel. For me and I think for many others using a CD or DVD is not a viable option as my netbook doesn't even have a optical drive.

[m-cuda]

It occurred to me that the "run-as-spot" script can be hacked to also run seamonkey portably. Using a bit of code from mikewalsh's portable Iron browser I wrote the following:

Code: Select all

#!/bin/ash
# wrapper to run seamonkey portably as spot (when currently running as root)
# should be located in the same directory as the seamonkey binary
# hacked from the run-as-spot script by
# (C) James Budiono 2012, 2017
# License: GPL version 3 or later
#

CWD=$PWD
CMD='./seamonkey'
SPOT_HOME=$(awk -F: '$1=="spot" {print $6}' /etc/passwd)
HERE="$(dirname "$(readlink -f "$0")")"
CURDIR=$PWD

echo 'HERE = ' $HERE

if [ $(id -u) -eq 0 ]; then
	[ $XAUTHORITY ] && cp $XAUTHORITY ${SPOT_HOME}/.Xauthority 2>/dev/null
	touch ${SPOT_HOME}/.Xauthority
	export XAUTHORITY=$SPOT_HOME/.Xauthority

	export XDG_CONFIG_HOME=$HERE/.config
	export XDG_CACHE_HOME=$HERE/.cache
	export XDG_DATA_HOME=$HERE/.local/share

	export DBUS_SESSION_BUS_ADDRESS=""

	exec su spot -s /bin/ash -c '
# try to switch to original directory, unless it is /root
! [ "'"$CURDIR"'" = /root ] && cd "'"$CURDIR"'"
exec '"$CMD"'
'
else
	exec ash -c "exec $CMD"
fi

It simply moves the .cache directory from ~spot to the seamonkey directory.