Puppy Linux Security Questions!

[diepppy]

Hi, I am using Puppy Linux for the first time and I have some doubts that I would like to ask you:

1 - Are these distributions reliable to use for work? Doesn't running apps as root make it more vulnerable?

2 - Do you keep up to date with security updates?

3 - If I use the Puppy Xenial version, as Ubuntu no longer offers security updates, what problem could I have if I only use it to view trusted web pages, take notes and/or schedule on the calendar? From the Internet, could someone copy the notes that I save or the passwords of the web pages?

Thanks.

[geo_c]

1 - Are these distributions reliable to use for work? Doesn't running apps as root make it more vulnerable?

I'm no security expert or enterprise system administrator, but if you're using these for personal business, I can attest that I've been running my sole-proprietary business using puppy for years without issue. To my understanding running applications as /root user is technically more vulnerable. It really depends on the kinds of applictions you use and network traffic you allow.

2 - Do you keep up to date with security updates?

I update browsers and email clients, things of that nature. But system wide updates on conventional puppy distros like fossapup don't generally happen. Other distros available on the forum are "rolling releases" or are frequently updated, or can handle upstream distro updates. I don't want to pass along bad info, but I think vanillapup, fatdog, and KLV fit this description. I'm sure there are others.

3 - If I use the Puppy Xenial version, as Ubuntu no longer offers security updates, what problem could I have if I only use it to view trusted web pages, take notes and/or schedule on the calendar? From the Internet, could someone copy the notes that I save or the passwords of the web pages?

This depends mostly on the browser. I use portable browsers or appimages that are easy to update. @mikewalsh makes portable Ungoogled Chromium available for instance, which runs-as-spot (other applications can run as spot as well, if launched with the right parameters) also, I use LibreWolf appimage as my go-to browser, which comes out-of-the-box with most privacy/security features enabled, then I use a handful of security extensions/addons, and enable or disable a few features in about.config. LibreWolf appimage is an easy update, and always kept current. Just drop the new appimage in the application folder.

Another option is @BarryK 's EasyOS, which runs every application in it's own container. It's securitry focused.

Hope that helps.

~geo

[Feek]

Doesn't running apps as root make it more vulnerable?

Perhaps I would just add:
very good reading about "running as root":
https://distro.ibiblio.org/fatdog/web/faqs/login.html

From a security point of view it will be advisable to choose from recent puppies/dogs as geo_c suggests. Also general principles, such as turning on the firewall, keeping browsers up-to-date and, among other things, router settings.

[sonny]

Old but gold!
https://unix.stackexchange.com/question ... make-sense

"Debian: hacked, with apps phoning home.
Slackware: hacked.
Arch: never stayed stable long enough to be hacked.
Windows XP: I uninstall the ethernet driver after it registers with Microsoft. 'Nuff said.
OpenBSD: hacked. Yah, I know.
DragonFlyBSD: never penetrated, if it runs at all.
FreeBSD: So far, so good. Using PF. Used less than 8 months.
Puppy: in 6 years, never hacked. Never. It's still my main distro when I'm in need of simplicity and reliability."

[dimkr]

Doesn't running apps as root make it more vulnerable?

Yes, definitely. A buggy or malicious application can do pretty much anything if it runs as root.

I run all internet-facing applications as spot, and regularly make sure that spot can't do the things it shouldn't do. For example, before https://github.com/puppylinux-woof-CE/woof-CE/pull/2952, spot could read and write files under /root (!), including files like .bashrc that can lead to code execution as root.

2 - Do you keep up to date with security updates?

Yes, I use Vanilla Dpup, which has weekly security updates and comes with extra security features like an enabled-by-default firewall with IPv6 support, automatic run-as-spot and more. (But I'm also developing it, so I must use it if I offer it to others)

The next major release, based on Debian 12 packages, will be even better security-wise, and will feature https://github.com/puppylinux-woof-CE/woof-CE/pull/3419 and https://github.com/puppylinux-woof-CE/woof-CE/pull/3484.

3 - If I use the Puppy Xenial version, as Ubuntu no longer offers security updates

It doesn't matter if Ubuntu 16.04 doesn't receive security updates, because XenialPup doesn't have a mechanism that applies Ubuntu security patches anyway: XenialPup doesn't have any of the Ubuntu 16.04 security updates between the XenialPup release and the Ubuntu 16.04 EOL. The versions of packages are frozen, and the packages included in XenialPup at the time it was built are forever stuck with known security vulnerabilities. The same applies to any "one off" Puppy release that doesn't have security updates, not just XenialPup: even the "latest" FossaPup is 2.5 years old by now and has Ubuntu packages with 2.5 years of known vulnerabilities. For example, kernel 5.4.43 was released in May 2020 and doesn't have any of the fixes that went into the 176 (!) stable releases that lead to 5.4.219, released in October 2022.

There's no way around this: you're still vulnerable to remote attack with a latest and greatest browser if it runs as root, uses old libraries (like OpenSSL), trusts outdated CA certificates and runs on top of an ancient kernel. The entire stack needs security updates.

[k1e3w5]

I use LibreWolf appimage as my go-to browser, which comes out-of-the-box with most privacy/security features enabled, then I use a handful of security extensions/addons, and enable or disable a few features in about.config. LibreWolf appimage is an easy update, and always kept current. Just drop the new appimage in the application folder.

Where can I get this from?

[wiak]

Concerns about security, or lack thereof, are always interesting. I believe more generally, security is a measure of 'risk' which is measured as a statistic. So despite the no-doubt correct responses regarding potential dangers (and therefore risk) it would be interesting to obtain some statistics. Afterall, the likes of Puppy (including very old versions) has been used for years and years now, and some are still using extremely old (and thus apparently 'risky' versions), so how many users of these old Pups have, to their knowledge, been hacked over the years? If the answer turns out to be 'many' then that's a warning that shouldn't be ignored; if the answer approaches zero, well, decide for yourself what the risk is I suppose... I have no doubt that running internet-facing apps as root user is risky though - as long as my bank account doesn't get negatively affected I'm probably okay since I keep breaking my system and re-installing from scratch anyway.

[geo_c]

Where can I get this from?

https://gitlab.com/librewolf-community/ ... -/releases

[bigpup]

Yes, definitely. A buggy or malicious application can do pretty much anything if it runs as root.

So what keeps it from doing what root user can do, if it has code in it, to run using the sudo command?

All Linux OS's usually have sudo in them.

What is sudo command used for?

Introduction. The Linux sudo command stands for Super User Do.
Generally, it is applied as a prefix of a few commands that superuser is allowed to execute.
If we prefix the command along with other commands, it would execute that command with high privileges.

There was a time when Puppy did not have sudo in it.

However, recent versions of Puppy include it.
So people trying to use code commands, they find someplace, will work, if sudo is in the command .

People got tired of having to tell people, to take sudo out of the command, to run it in Puppy.

[dimkr]

So what keeps it from doing what root user can do, if it has code in it, to run using the sudo command?

sudo refuses to run if not attached to a terminal (so it will just exit if triggered by a remote code execution vulnerability in the browser, as long as the browser is not attached to a terminal). Plus, if password-less execution is forbidden in /etc/sudoers, non-root users can't run things as root unless they know the password.

(But with all that said, sudo had many vulnerabilities, that's why it's not included in my dpup releases - see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo.)

(Plus, this security hardening feature in dpup mitigates privilege escalation from spot to root, even if sudo is present and misconfigured or vulnerable - https://github.com/puppylinux-woof-CE/woof-CE/pull/3484)

People got tired of having to tell people, to take sudo out of the command, to run it in Puppy.

Me too, that's why I implemented https://github.com/puppylinux-woof-CE/woof-CE/pull/2950. sudo is just an empty alias, so sudo x will just run x.

I've seen multiple reviews of Vanilla Dpup where the reviewer opens a terminal, runs sudo apt update and explains about the awesomeness of apt, without checking whoami or reading a bit about Puppy before the review.

[8Geee]

The most important, but most difficult thing to do is CONFIGURE THE BROWSER. Even Firefox needs many changes. You will also need AT LEAST these 3;

uBlock
ClearURLs
CSSexfil

Good luck.

8Geee

[Governor]

Yes, definitely. A buggy or malicious application can do pretty much anything if it runs as root.

I run all internet-facing applications as spot, and regularly make sure that spot can't do the things it shouldn't do. For example, before https://github.com/puppylinux-woof-CE/woof-CE/pull/2952, spot could read and write files under /root (!), including files like .bashrc that can lead to code execution as root.
8<----
Yes, I use Vanilla Dpup, which has weekly security updates and comes with extra security features like an enabled-by-default firewall with IPv6 support, automatic run-as-spot and more. (But I'm also developing it, so I must use it if I offer it to others)
8<----
The next major release, based on Debian 12 packages, will be even better security-wise, and will feature https://github.com/puppylinux-woof-CE/woof-CE/pull/3419 and https://github.com/puppylinux-woof-CE/woof-CE/pull/3484.
8<----
There's no way around this: you're still vulnerable to remote attack with a latest and greatest browser if it runs as root, uses old libraries (like OpenSSL), trusts outdated CA certificates and runs on top of an ancient kernel. The entire stack needs security updates.

When I began using Puppy, I asked about the user having admin privileges (I noticed other brands of Linux advised against it). I was told that Puppy was considered safe, even though the user has root privileges by default. Your statements seem to indicate the opposite.

1) Which Puppy version is the safest?
2) Where can I find instructions to run apps as spot?
3) How can I use Puppy without admin privileges, and can I still save and/or run downloaded files?
4) Is Vanilla Dpup safer than Bookworm?
5) Is EasyOS safer than Puppy?
6) Both Fossapup and Bookworm, seem to be getting slower and slower (I use the same Firefox in both). How can I tell if my system has been compromised?
Thanks!

[dimkr]

I was told that Puppy was considered safe, even though the user has root privileges by default.

Considered safe by who - by the person who told you it's safe? Safety is not boolean, it's a scale between 0 (guaranteed dangerous event) and 1 (complete safety). Some people consider 20% chance of their credit card info getting stolen when entering it in a random site to be "safe enough". And many Linux users don't do any kind of system auditing or malware detection, yet proudly claim that their system was never infected, deny the possibility of infection (despite the absence of any counter measures) or even dismiss the idea of malware as some kind of conspiracy or attempt to sell anti-malware products.

Think of it in terms of risk factors: for example, using an outdated browser with known vulnerabilities (and known ways to exploit them) that's easy to identify by the operator of a malicious site that pretends to be a site you know. This dangerous behavior increases the chance that your system gets compromised and your personal data (like credit card data you type in the browser) gets stolen, but it doesn't guarantee that. On the other hand, using the latest browser doesn't protect you from everything, because maybe it has new security holes discovered and exploited in the wild by attackers, before security researchers found and reported them to the browser vendor.

1) Which Puppy version is the safest?

I can't suggest one version, but the general guidelines I can recommend for choosing a safe Puppy to use are:

1. Timely point releases with all upstream security updates included - the actively exploited security vulnerabilities present in your OS are more likely to be known ones, and if your OS is outdated they probably got fixed already but you don't have the fixes applied
2. Security hardening features - a firewall that's enabled by default and blocks all incoming connections, auto-enabled blocking of malicious/advertising sites, internet-facing or risky applications auto-configured to run as spot
3. A Puppy built using a fully automated build procedure that runs in a sterile build environment, reducing the risk of something malicious sneaking in during the build process (for example, if the computer the build runs on, is infected with malware)
4. Few preinstalled packages that were built long ago, manually, on somebody's computer, possibly on a compromised one, can't be verified to 100% match the source code they were built from (= no malicious changes, intentional or not), and don't receive any security updates
5. Few preinstalled packages that are both unmaintained (= no security updates) and a potential remote attack vector (like a browser) - for example, the Light browser that ships with some Puppy releases, it's a fork of Firefox 48 from 2016, so it misses 8 years of security features and has 8 years old vulnerabilities at this point
6. Few preinstalled packages that have bad reputation - X.Org and sudo are good examples (https://www.x.org/wiki/Development/Security/, https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo)

3) How can I use Puppy without admin privileges, and can I still save and/or run downloaded files?

Puppy had this weird feature of logging in as the "finn" user instead of root, until https://github.com/puppylinux-woof-CE/woof-CE/pull/2302. It was broken for years, didn't get any attention from any developers, and I proposed to remove it because Puppy users enabled this security feature but it broke their system. Nobody volunteered to fix this feature (we have backup of the code before the removal) and restore it since 2021.

4) Is Vanilla Dpup safer than Bookworm?

If you do an apples to apples comparison of the out-of-the-box OS without additions and changes, it's probably a bit safer:

1. It has fewer preinstalled packages
2. It doesn't have any preinstalled .pet packages - it's built from Debian packages and packages built from source (grub4dos in the ISO is the only thing that's prebuilt and old - if you don't use the ISO, it's not a security risk)
3. It has some extra security hardening - for example, X.Org and internet-facing applications like the browser are preconfigured to run as spot
4. It has bi-weekly automated releases with all security updates from Debian
5. The preinstalled Firefox has many privacy-related configuration tweaks applied, they should reduce the attack surface

Development versions of Vanilla Dpup 11.0.x (will be released once Debian 13 is out) bring many more things to the table. They drop X.Org (big can of worms) by switching to Wayland (with Xwayland running as spot, sandboxed), replace packages like Geany with Debian packages that get security updates, make the sandbox for applications running as spot stricter, improve the firewall in various ways, make the system much easier to audit for tampering (because it's super close to stock Debian) and apply various system hardening recommendations by big security organizations. IMO the best new security feature is encryption for save folders, which protects sensitive data against theft and malicious modification by someone with physical access to the drive Puppy is installed on.

With all that said, if you don't have good cyber hygiene (for example, install an outdated browser, run it as root, disable the firewall, ...), the biggest risk factors you have are risks you created yourself, and don't come from the OS you installed in its clean state right after installation.

6) Both Fossapup and Bookworm, seem to be getting slower and slower (I use the same Firefox in both). How can I tell if my system has been compromised?

Slower perceived speed is normal. For example, if Puppy is installed on a slow hard drive and the browser has lots of history, bookmarks and cache to read from disk, the browser might feel slower. It's unlikely that the primary reason for slowness is malware infection, because malware (minus cryptominers or ransomware that encrypts your files, maybe) tends to be stealthy (with varying degrees of success) and slowing down your computer is not exactly stealthy.

If you want to check if your system is compromised, dpkg -V is a good place to start. It will allow you to detect files that came from Debian packages but got modified, either during the build process of this Puppy, or by you after the installation.

[Governor]

8<----snip

If you want to check if your system is compromised, dpkg -V is a good place to start. It will allow you to detect files that came from Debian packages but got modified, either during the build process of this Puppy, or by you after the installation.

▶—— /etc/rc.d/PUPSTATE ——◀
• PUPMODE=13
• PDEV1='nvme0n1p2'
• DEV1FS='ext3'
• PUPSFS='nvme0n1p2,ext3,/Bookworm64_10.0.6/puppy_dpupbw64_10.0.6.sfs'
• PUPSAVE='nvme0n1p2,ext3,/Bookworm64_10.0.6/dpupbw64save-2024-06-25-basic-02'
• PMEDIA='usbflash'

I ran dpkg -V. It tells me I have 30,149 items, most of which are "missing". I know that many of those missing are additional languages which I never use. Some appear to be copyright notices and changelogs. There are some odd entries. I have no idea what the "c" means, nor the question marks, or "5" or "M5". Do I need to do an update of the OS; what is the best way to do that? Thanks!

Code: Select all

missing   c /etc/bash.bashrc
missing     /etc/skel
missing   c /etc/skel/.bash_logout
missing   c /etc/skel/.bashrc
missing   c /etc/skel/.profile
??5??????   /usr/bin/genisoimage
??5??????   /usr/share/applications/mhwaveedit.desktop
??5??????   /usr/share/applications/xdg-desktop-portal-gtk.desktop
??5??????   /usr/share/applications/python3.11.desktop
?M5??????   /sbin/ifconfig
?M5??????   /sbin/route
?M5??????   /bin/login
missing   c /etc/default/hwclock
missing   c /etc/init.d/hwclock.sh
missing   c /etc/login.defs
missing   c /etc/pam.d/login
missing     /usr/bin/faillog
missing     /usr/bin/lastlog
missing     /usr/bin/newgrp
?M5??????   /usr/sbin/nologin

[dimkr]

I ran dpkg -V. It tells me I have 30,149 items, most of which are "missing". I know that many of those missing are additional languages which I never use. Some appear to be copyright notices and changelogs. There are some odd entries. I have no idea what the "c" means, nor the question marks, or "5" or "M5".

man dpkg explains what the dpkg -V output means and you have many lines to go over and explain if you want to use it to ensure that your system is not compromised. And this is only one way to find evidence of compromise, among many.

[fredx181]

I ran dpkg -V. It tells me I have 30,149 items, most of which are "missing". I know that many of those missing are additional languages which I never use. Some appear to be copyright notices and changelogs. There are some odd entries. I have no idea what the "c" means, nor the question marks, or "5" or "M5".

man dpkg explains what the dpkg -V output means and you have many lines to go over and explain if you want to use it to ensure that your system is not compromised. And this is only one way to find evidence of compromise, among many.

I'd say that goes for a pure Debian install, BookwormPup is much different: to make it a "Puppy" , files / applications were added, and on purpose many files are left out , e.g. man / doc / locale files, /etc/skel etc...
The mention of "compromised" may give the wrong idea IMO, as you cannot compare it with a default Debian install.

[dimkr]

@fredx181 True, and this output won't include files from .pet packages, the adrv SFS, etc'. It's not great but it's pretty much the only tampering detection tool available.

[Governor]

@fredx181 True, and this output won't include files from .pet packages, the adrv SFS, etc'. It's not great but it's pretty much the only tampering detection tool available.

Output for "man dpkg" show below. Unfortunately, this is no help to me. It looks like the manual is missing. The screen is cleared before the output, so my initial command is not visible.
BTW, how do I get the prompt to show where it is (full path) instead of just a # tag?

Code: Select all

# dpkg

 Debian package manager.
 Some subcommands such as dpkg deb have their own usage documentation.
 For equivalent commands in other package managers, see <https://wiki.archlinux.org/title/Pacman/Rosetta>.
 More information: <https://manpages.debian.org/latest/dpkg/dpkg.html>.

 • Install a package:

     dpkg -i <path/to/file.deb>

 • Remove a package:

     dpkg -r <package>

 • List installed packages:

     dpkg -l <pattern>

 • List a package's contents:

     dpkg -L <package>

 • List contents of a local package file:

     dpkg -c <path/to/file.deb>

 • Find out which package owns a file:

     dpkg -S <path/to/file>

[dimkr]

@Governor The Puppy you're using probably doesn't include man pages, maybe only this horrible tldr thing that gives only very basic information and only for some things

[fredx181]

@fredx181 True, and this output won't include files from .pet packages, the adrv SFS, etc'. It's not great but it's pretty much the only tampering detection tool available.

Output for "man dpkg" show below. Unfortunately, this is no help to me. It looks like the manual is missing.
.... ...

For the online man dpkg page, see : https://manpages.debian.org/latest/dpkg/dpkg.html

[williwaw]

google
PS1 bash prompt tutorial custom

[geo_c]

google
PS1 bash prompt tutorial custom

That's fun. I've been messing around with it. You can get the present directory at the end of the path, but not the full path. I was wondering if it's possible to embed pwd in the PS1 code.

It's amazing how much one can do without knowing some basic stuff. Like I never realized that the prompt indicates whether the terminal is running as normal user or as root by using # or $

Now I have a colorized prompt to go with a colorized mounting script:

[radky]

Output for "man dpkg" show below. Unfortunately, this is no help to me. It looks like the manual is missing. The screen is cleared before the output, so my initial command is not visible.

@Governor

Traditionally, Puppy Linux limits the number of local man pages (presumably, to keep the distro relatively small). If I understand correctly, dimkr's Vanilla Dpup provides much better support for local man pages, similar to mainstream distros.

On first run, executing tldr in a terminal requires an active internet connection to download a 20M resource database which provides local access to concise descriptions of Linux commands. Depending on your connection, the download may take a few moments and the tldr screen will remain blank until the download is complete. The tldr pages are cached locally in /root/.local/share/tldr.

In BW64, the tldr pages are functionally integrated with man page searches. Specifically, if a man page for a Linux command is not locally available (which is often the case in Puppy Linux), the 'man' search request is automatically transferred to tldr. For example, if you enter man dpkg in a terminal and there is no local man page for the 'dpkg' command, the search will be passed automatically to the tldr utility -- in which case, tldr will provide a concise description of the 'dpkg' command. Used this way, the 'man' command will typically provide useful (concise) results -- even when the actual 'man' page is not available on you local drive.

If you prefer a full man page, the tildr report typically provides a clickable URL near the top of the report that immediately loads the full (comprehensive) online man page in your browser. In lxterminal, simply right-click the right side of the URL and then choose the 'Open URL' option. In urxvt (as implemented in BW64), you can left-click the URL directly.

[williwaw]

That's fun. I've been messing around with it. You can get the present directory at the end of the path, but not the full path. I was wondering if it's possible to embed pwd in the PS1 code.

this one gives the full path and returns 0 if the command runs succesfuly and returns 1 if the command fails

Code: Select all

PS1="\`if [ \$? = 0 ]; then echo \[\e[0m\]0\[\e[0m\]; else echo \[\e[0m\]1\[\e[0m\]; fi\` \w $ "

i saw one once that returned the weather forecast, and another that lit up when it was lunchtime

[geo_c]

i saw one once that returned the weather forecast, and another that lit up when it was lunchtime

I'll play around with that full path prompt. edit It's returning 0 for some reason.

@Governor here's a simple one I settled on last night, also you can always type pwd at the prompt and get the full path in about 1 second:

Code: Select all

PS1="\e[31m[\u]\e[32m\W/\e[32m\e[33m$:\e[0m"

[Keef]

I've posted this link before, but might be useful:
https://bash-prompt-generator.org/

[williwaw]

I'll play around with that full path prompt. edit It's returning 0 for some reason.

always returns 0 unless.......
try cat -geo

[geo_c]

[always returns 0 unless.......
try cat -geo

Oh I misunderstood, it does in fact work. It gives the whole path.

Now I don't really like the 0 or 1 return in the prompt. So I'll see if I can do an edit, and my own customizations to this.

EDIT: Now I see that all you need for the full path is this:

Code: Select all

PS1="\w$"

or if you like spaces in your prompt and between the command, then:

Code: Select all

PS1="\w $ "

[williwaw]

Now I don't really like the 0 or 1 ............

I edited my explanation above. I do find the feature useful when testing scripts. sometimes scripts do exactly what was coded but the coder fails to understand what he actually coded and goes looking for a different kind of error.

[geo_c]

Now I don't really like the 0 or 1 ............

I edited my explanation above. I do find the feature useful when testing scripts. sometimes scripts do exactly what was coded but the coder fails to understand what he actually coded and goes looking for a different kind of error.

Got it, now I think we are hijacking this thread and should start another somewhere else in the forum.

BUT
before we go, @Governor here is a formatted full path prompt, displaying user, full-path, and prompt. Just copy this command to your /root/.bashrc, Don't put the comments, those just describe the prompt.

Code: Select all

PS1="\e[1m\e[31m[\u]\e[0m\e[32m\w/\e[33m$:\e[0m"  ## boldred[user]green[fullpath]yellow/[$:] ##