Puppy Linux Security Questions!

For discussions about security.
diepppy
Posts: 4
Joined: Mon Oct 24, 2022 8:42 am
Has thanked: 1 time
Been thanked: 1 time

Puppy Linux Security Questions!

Post by diepppy »

Hi, I am using Puppy Linux for the first time and I have some doubts that I would like to ask you:

1 - Are these distributions reliable to use for work? Doesn't running apps as root make it more vulnerable?

2 - Do you keep up to date with security updates?

3 - If I use the Puppy Xenial version, as Ubuntu no longer offers security updates, what problem could I have if I only use it to view trusted web pages, take notes and/or schedule on the calendar? From the Internet, could someone copy the notes that I save or the passwords of the web pages?

Thanks.

geo_c
Posts: 2465
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 1758 times
Been thanked: 696 times

Re: Puppy Linux Security Questions!

Post by geo_c »

diepppy wrote: Mon Oct 24, 2022 8:06 pm

1 - Are these distributions reliable to use for work? Doesn't running apps as root make it more vulnerable?

I'm no security expert or enterprise system administrator, but if you're using these for personal business, I can attest that I've been running my sole-proprietary business using puppy for years without issue. To my understanding running applications as /root user is technically more vulnerable. It really depends on the kinds of applications you use and network traffic you allow.

2 - Do you keep up to date with security updates?

I update browsers and email clients, things of that nature. But system wide updates on conventional puppy distros like fossapup don't generally happen. Other distros available on the forum are "rolling releases" or are frequently updated, or can handle upstream distro updates. I don't want to pass along bad info, but I think vanillapup, fatdog, and KLV fit this description. I'm sure there are others.

3 - If I use the Puppy Xenial version, as Ubuntu no longer offers security updates, what problem could I have if I only use it to view trusted web pages, take notes and/or schedule on the calendar? From the Internet, could someone copy the notes that I save or the passwords of the web pages?

This depends mostly on the browser. I use portable browsers or appimages that are easy to update. @mikewalsh makes portable Ungoogled Chromium available for instance, which runs-as-spot (other applications can run as spot as well, if launched with the right parameters) also, I use LibreWolf appimage as my go-to browser, which comes out-of-the-box with most privacy/security features enabled, then I use a handful of security extensions/addons, and enable or disable a few features in about.config. LibreWolf appimage is an easy update, and always kept current. Just drop the new appimage in the application folder.

Another option is @BarryK 's EasyOS, which runs every application in its own container. It's security focused.

Hope that helps.

~geo

geo_c
Old School Hipster, and Such

Feek
Posts: 394
Joined: Sun Oct 18, 2020 8:48 am
Location: cze
Has thanked: 44 times
Been thanked: 86 times

Re: Puppy Linux Security Questions!

Post by Feek »

Doesn't running apps as root make it more vulnerable?

Perhaps I would just add:
very good reading about "running as root":
https://distro.ibiblio.org/fatdog/web/faqs/login.html

From a security point of view it will be advisable to choose from recent puppies/dogs as geo_c suggests. Also general principles, such as turning on the firewall, keeping browsers up-to-date and, among other things, router settings.

sonny
Posts: 535
Joined: Mon Feb 15, 2021 4:50 pm
Has thanked: 433 times
Been thanked: 118 times

Re: Puppy Linux Security Questions!

Post by sonny »

Old but gold!
https://unix.stackexchange.com/question ... make-sense

"Debian: hacked, with apps phoning home.
Slackware: hacked.
Arch: never stayed stable long enough to be hacked.
Windows XP: I uninstall the ethernet driver after it registers with Microsoft. 'Nuff said.
OpenBSD: hacked. Yah, I know.
DragonFlyBSD: never penetrated, if it runs at all.
FreeBSD: So far, so good. Using PF. Used less than 8 months.
Puppy: in 6 years, never hacked. Never. It's still my main distro when I'm in need of simplicity and reliability."

dimkr
Posts: 1843
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 36 times
Been thanked: 777 times

Re: Puppy Linux Security Questions!

Post by dimkr »

diepppy wrote: Mon Oct 24, 2022 8:06 pm

Doesn't running apps as root make it more vulnerable?

Yes, definitely. A buggy or malicious application can do pretty much anything if it runs as root.

I run all internet-facing applications as spot, and regularly make sure that spot can't do the things it shouldn't do. For example, before https://github.com/puppylinux-woof-CE/woof-CE/pull/2952, spot could read and write files under /root (!), including files like .bashrc that can lead to code execution as root.

diepppy wrote: Mon Oct 24, 2022 8:06 pm

2 - Do you keep up to date with security updates?

Yes, I use Vanilla Dpup, which has weekly security updates and comes with extra security features like an enabled-by-default firewall with IPv6 support, automatic run-as-spot and more. (But I'm also developing it, so I must use it if I offer it to others)

The next major release, based on Debian 12 packages, will be even better security-wise, and will feature https://github.com/puppylinux-woof-CE/woof-CE/pull/3419 and https://github.com/puppylinux-woof-CE/woof-CE/pull/3484.

diepppy wrote: Mon Oct 24, 2022 8:06 pm

3 - If I use the Puppy Xenial version, as Ubuntu no longer offers security updates

It doesn't matter if Ubuntu 16.04 doesn't receive security updates, because XenialPup doesn't have a mechanism that applies Ubuntu security patches anyway: XenialPup doesn't have any of the Ubuntu 16.04 security updates between the XenialPup release and the Ubuntu 16.04 EOL. The versions of packages are frozen, and the packages included in XenialPup at the time it was built are forever stuck with known security vulnerabilities. The same applies to any "one off" Puppy release that doesn't have security updates, not just XenialPup: even the "latest" FossaPup is 2.5 years old by now and has Ubuntu packages with 2.5 years of known vulnerabilities. For example, kernel 5.4.43 was released in May 2020 and doesn't have any of the fixes that went into the 176 (!) stable releases that led to 5.4.219, released in October 2022.

There's no way around this: you're still vulnerable to remote attack with a latest and greatest browser if it runs as root, uses old libraries (like OpenSSL), trusts outdated CA certificates and runs on top of an ancient kernel. The entire stack needs security updates.
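As an added example (not part of dimkr's post and not woof-CE code), here is one way to run the periodic check described above, that an account such as spot cannot read or write files under /root. The function names are hypothetical, and the check looks at permission bits only: ACLs, group membership and the directories above the audited one are assumed not to change the answer.

```shell
#!/bin/sh
# Added example: report what an account that is neither the owner nor in the
# owning group can reach under a home directory, judged by mode bits alone.

# $1 = directory, $2 = "other" permission bit to look for (002 write, 004 read).
# Directories without o+x are pruned: nothing below them is reachable by path.
# A directory with o+x but no o+r still exposes files whose names are known,
# which is why .bashrc is found even when the directory cannot be listed.
reachable() {
    find "$1" -type d ! -perm -001 -prune -o ! -type l -perm "-$2" -print
}

# One line per finding: "WRITE <path>" or "READ <path>".
other_access() {
    reachable "$1" 002 | sed 's/^/WRITE /'
    reachable "$1" 004 | sed 's/^/READ /'
}

# Shell start-up files: if another account can write one of these in root's
# home, it gets code execution as root at the next shell start (the .bashrc
# case mentioned in the post). Exit status 0 means at least one was found.
writable_startup_files() {
    reachable "$1" 002 | grep -E '/\.(bashrc|bash_profile|bash_login|profile)$'
}

# Stand-alone use: sh audit.sh /root
if [ $# -gt 0 ]; then
    other_access "$1"
fi
```

An empty result from `other_access /root` is the expected state; any `WRITE` line for a start-up file is the situation the post describes.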

k1e3w5
Posts: 43
Joined: Thu Mar 02, 2023 8:52 pm
Has thanked: 1 time
Been thanked: 1 time

Re: Puppy Linux Security Questions!

Post by k1e3w5 »

geo_c wrote: Tue Oct 25, 2022 2:23 pm

I use LibreWolf appimage as my go-to browser, which comes out-of-the-box with most privacy/security features enabled, then I use a handful of security extensions/addons, and enable or disable a few features in about.config. LibreWolf appimage is an easy update, and always kept current. Just drop the new appimage in the application folder.

Where can I get this from?

wiak
Posts: 3615
Joined: Tue Dec 03, 2019 6:10 am
Location: Packing - big job
Has thanked: 56 times
Been thanked: 983 times

Re: Puppy Linux Security Questions!

Post by wiak »

Concerns about security, or lack thereof, are always interesting. I believe more generally, security is a measure of 'risk' which is measured as a statistic. So despite the no-doubt correct responses regarding potential dangers (and therefore risk) it would be interesting to obtain some statistics. After all, the likes of Puppy (including very old versions) has been used for years and years now, and some are still using extremely old (and thus apparently 'risky' versions), so how many users of these old Pups have, to their knowledge, been hacked over the years? If the answer turns out to be 'many' then that's a warning that shouldn't be ignored; if the answer approaches zero, well, decide for yourself what the risk is I suppose... I have no doubt that running internet-facing apps as root user is risky though - as long as my bank account doesn't get negatively affected I'm probably okay since I keep breaking my system and re-installing from scratch anyway.

https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?

geo_c
Posts: 2465
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 1758 times
Been thanked: 696 times

Re: Puppy Linux Security Questions!

Post by geo_c »

k1e3w5 wrote: Mon Mar 27, 2023 7:55 am

Where can I get this from?

https://gitlab.com/librewolf-community/ ... -/releases

geo_c
Old School Hipster, and Such

bigpup
Moderator
Posts: 6187
Joined: Tue Jul 14, 2020 11:19 pm
Location: Earth, South Eastern U.S.
Has thanked: 708 times
Been thanked: 1258 times

Re: Puppy Linux Security Questions!

Post by bigpup »

Yes, definitely. A buggy or malicious application can do pretty much anything if it runs as root.

So what keeps it from doing what root user can do, if it has code in it, to run using the sudo command?

All Linux OS's usually have sudo in them.

What is sudo command used for?

Introduction. The Linux sudo command stands for Super User Do.
Generally, it is applied as a prefix of a few commands that superuser is allowed to execute.
If we prefix the command along with other commands, it would execute that command with high privileges.

There was a time when Puppy did not have sudo in it.

However, recent versions of Puppy include it.
So people trying to use code commands, they find someplace, will work, if sudo is in the command.

People got tired of having to tell people, to take sudo out of the command, to run it in Puppy.

Forum Global Moderator
The things you do not tell us, are usually the clue to fixing the problem.
When I was a kid, I wanted to be older.
This is not what I expected :o

dimkr
Posts: 1843
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 36 times
Been thanked: 777 times

Re: Puppy Linux Security Questions!

Post by dimkr »

bigpup wrote: Mon Mar 27, 2023 1:24 pm

So what keeps it from doing what root user can do, if it has code in it, to run using the sudo command?

sudo refuses to run if not attached to a terminal (so it will just exit if triggered by a remote code execution vulnerability in the browser, as long as the browser is not attached to a terminal). Plus, if password-less execution is forbidden in /etc/sudoers, non-root users can't run things as root unless they know the password.

(But with all that said, sudo had many vulnerabilities, that's why it's not included in my dpup releases - see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo.)

(Plus, this security hardening feature in dpup mitigates privilege escalation from spot to root, even if sudo is present and misconfigured or vulnerable - https://github.com/puppylinux-woof-CE/woof-CE/pull/3484)

bigpup wrote: Mon Mar 27, 2023 1:24 pm

People got tired of having to tell people, to take sudo out of the command, to run it in Puppy.

Me too, that's why I implemented https://github.com/puppylinux-woof-CE/woof-CE/pull/2950. sudo is just an empty alias, so sudo x will just run x.

I've seen multiple reviews of Vanilla Dpup where the reviewer opens a terminal, runs sudo apt update and explains about the awesomeness of apt, without checking whoami or reading a bit about Puppy before the review.
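As an added example (not part of dimkr's post, and not code from Puppy or woof-CE), the condition above, that password-less execution is forbidden in /etc/sudoers, can be audited by scanning for rules that grant root without a password. The function names and the sample text are constructed for illustration; files pulled in by include directives are assumed to be passed as extra arguments.

```shell
#!/bin/sh
# Added example: print every sudoers rule that grants root without a password,
# i.e. a NOPASSWD tag or a Defaults line that switches authentication off.
# Backslash-continued lines are joined first. Lines starting with "#" are
# comments unless a digit follows ("#0" is a numeric uid in sudoers syntax).
# Reads the files given as arguments, or standard input when there are none.
passwordless_rules() {
    awk '
        { line = pending $0; pending = "" }
        /\\$/ { sub(/\\$/, "", line); pending = line; next }
        line ~ /^[ \t]*#([^0-9]|$)/ { next }
        line ~ /NOPASSWD[ \t]*:/ || line ~ /^[ \t]*Defaults.*!authenticate/ {
            gsub(/[ \t]+/, " ", line)
            print line
        }
    ' "$@"
}

# Exit status for a cron job or build check: 0 = every rule needs a password.
sudoers_requires_password() {
    [ -z "$(passwordless_rules "$@")" ]
}

# Constructed sample, not taken from a real system.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
spot ALL=(ALL) \
    NOPASSWD: /sbin/poweroff
# spot ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
EOF
}
```

On a system with sudo installed this would be run as `passwordless_rules /etc/sudoers /etc/sudoers.d/*`; a text scan can flag a rule whose trailing comment mentions NOPASSWD, so `sudo -l -U spot` remains the authoritative view of what one account may run.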

8Geee
Posts: 376
Joined: Wed Jul 29, 2020 10:52 pm
Location: N.E. USA
Has thanked: 17 times
Been thanked: 54 times

Re: Puppy Linux Security Questions!

Post by 8Geee »

The most important, but most difficult thing to do is CONFIGURE THE BROWSER. Even Firefox needs many changes. You will also need AT LEAST these 3;

uBlock
ClearURLs
CSSexfil

Good luck.

8Geee

Money talks... no, it shouts, so that it doesn't have to hear common sense.
