Is running as root a security risk?

dimkr
Posts: 2425
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Is running as root a security risk?

Post by dimkr »

mikewalsh wrote: Wed Sep 06, 2023 12:30 am

This sounds like the sort of thing you're involved with at work, yes?

Yes and no. Without saying too little or too much, we deal with all kinds of possible attack vectors, and fixing wrong permissions is something very basic you might be able to do yourself without buying an automation product.

However, some security features in Vanilla Dpup, which Bookworm Pup64 inherited, were developed from a "prevent misconfigurations so they don't become a security issue" mindset. For example, spot can't access files under /root even if you give all users permissions to access this directory, thanks to a Landlock-based sandbox that filters file system access (a second layer of defence on top of classic file permissions), and spot can't gain root privileges via SUID root executables like sudo (if they can be fooled into running an arbitrary command, it runs as spot and not root). Turns out Bookworm Pup64 has wrong permissions for /root, probably still a common phenomenon in Puppy releases, allowing spot to view this directory. But, in this case, the sandbox kicks in and the messed-up permissions don't become a big security issue.

tammi806
Posts: 155
Joined: Thu Aug 31, 2023 3:11 pm
Location: USA
Has thanked: 120 times
Been thanked: 24 times

Re: Is running as root a security risk?

Post by tammi806 »

Alright I believe I got this right this time as I was able to boot up and then pull the USB stick and I tried it again after a shut down and all worked again. :thumbup2:

PUPMODE =5 in the event manager.

USB stick is unplugged and setting on the table.

Thank You All for your help and patience and encouragement. :)

wizard
Posts: 1987
Joined: Sun Aug 09, 2020 7:50 pm
Has thanked: 2654 times
Been thanked: 693 times

Re: Is running as root a security risk?

Post by wizard »

@williwaw

The dedicated USB seems worthwhile..
can you expand on how you "harden" your browser?

Each browser's settings are a little different, but the objectives are the same.
1. disable everything that stores or sends data
2. disable everything that grants access
3. enable things that increase security

General things:
1. make bookmarks for sites you will use and limit your use to those sites only

Since Bookworm Pup64 comes with Firefox, here are the settings I use for it. Note that much more can be done, but these settings will be better than OOTB.

Open a settings tab.

General:
enable - Check for updates but let you choose to install them

Home - Firefox Home Content
disable all

Privacy & Security:
enable - Delete cookies and site data when Firefox is closed
disable - Ask to save logins and passwords for websites
disable - Autofill addresses
disable - Autofill credit cards
enable - Firefox will Never remember history
disable - Suggestions from the web
disable - Suggestions from sponsors
disable - Improve the Firefox Suggest experience

Privacy & Security - Permissions
disable - Location
disable - Camera
disable - Microphone
enable - Notifications
disable - Autoplay
disable - Virtual Reality

Privacy & Security - Firefox Data Collection and Use
disable all

enable - Enable HTTPS-Only Mode in all windows

Extensions:
add - uBlock Origin - this blocks pop-ups and other unwanted noise

You can find more information on increasing browser security on the internet, but this is a good start.

Thanks
wizard

Big pile of OLD computers

Chelsea80
Posts: 362
Joined: Tue Mar 09, 2021 12:44 am
Has thanked: 47 times
Been thanked: 75 times

Re: Is running as root a security risk?

Post by Chelsea80 »

@ wizard

Out of interest, from me using Firefox 117.0 (32-bit) -

Is it then your opinion that HTTPS-Only Mode -

HTTPS provides a secure, encrypted connection between Firefox and the web sites you visit. Most web sites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS.
Enable HTTPS-Only Mode in all windows
Enable HTTPS-Only Mode in private windows only
Don’t enable HTTPS-Only Mode

Is more secure than -

DNS over HTTPS
Domain Name System (DNS) over HTTPS sends your request for a domain name through an encrypted connection, creating a secure DNS and making it harder for others to see which web site you’re about to access.
Status: Off
Firefox won’t use secure DNS on these sites
Enable secure DNS using:
Default Protection
Firefox decides when to use secure DNS to protect your privacy.
Increased Protection
You control when to use secure DNS and choose your provider.
Max Protection
Firefox will always use secure DNS. You’ll see a security risk warning before we use your system DNS.
Off
Use your default DNS resolver

I ask because, purely from a user point of view, I would take it that from the above DNS is possibly a bit stronger in security -

Or is it the case that DNS is used first and then flips over to HTTPS -

Best regards

Chelsea80

Chelsea80

1. BionicPup32+28 19.03 - Linux 4.9.163 - lxpup - 32-pae [i686] - (UPup Bionic Beaver)
....Frugal Install - Internal HDD - Gateway MX8716b - HDD 120GB - RAM 2GB

2. Friendly-Bionic32 v1.1
....USB Stick 2GB

wizard
Posts: 1987
Joined: Sun Aug 09, 2020 7:50 pm
Has thanked: 2654 times
Been thanked: 693 times

Re: Is running as root a security risk?

Post by wizard »

@Chelsea80

The two are different. In the context of secure use for financial and sensitive data both are important.

When you enter a URL, such as amazon.com, that request is first sent to a DNS server to look up the actual IP address.
DNS over HTTPS is encryption of the DNS request between your computer and the DNS server. Anyone intercepting that request cannot read it.

When your computer connects using that IP address, HTTPS is encryption of the data between your computer and the site. Again, anyone intercepting that connection cannot read it.

wizard


dimkr
Posts: 2425
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Is running as root a security risk?

Post by dimkr »

DoH doesn't add much security. Its main advantage over DNS is encryption: DNS allows anyone who can capture your traffic to see which domains you access (not URLs, not page contents or your input). DoH encrypts that.

No matter if you use DNS or DoH, as long as you visit only sites over HTTPS, you're protected against spoofed DNS responses because your browser verifies the HTTPS certificate of the site it thinks it's visiting. If somebody redirects you to a different website by attacking your DNS server, your browser detects that.

tammi806
Posts: 155
Joined: Thu Aug 31, 2023 3:11 pm
Location: USA
Has thanked: 120 times
Been thanked: 24 times

Re: Is running as root a security risk?

Post by tammi806 »

In Firefox settings, Privacy & Security, under Browser Privacy "Enhanced Tracking Protection", should we use Standard, Strict or Custom?

Thanks.

wizard
Posts: 1987
Joined: Sun Aug 09, 2020 7:50 pm
Has thanked: 2654 times
Been thanked: 693 times

Re: Is running as root a security risk?

Post by wizard »

@dimkr

DNS allows anyone who can capture your traffic to see which domains you access

Seems DoH's value is hiding that info. If the bad guys capture you are visiting something like "sellmygold.com" or "bankofamerica.com" they now have information they can potentially use in a spoof and it increases your value as a target.

Thanks
wizard

wizard
Posts: 1987
Joined: Sun Aug 09, 2020 7:50 pm
Has thanked: 2654 times
Been thanked: 693 times

Re: Is running as root a security risk?

Post by wizard »

@tammi806

Firefox settings, Privacy & Security, under Browser Privacy "Enhanced Tracking Protection", should we use Standard, Strict or Custom?

Try Strict and test if it affects the sites you use.

wizard


dimkr
Posts: 2425
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Is running as root a security risk?

Post by dimkr »

wizard wrote: Wed Sep 06, 2023 5:07 pm

Seems DoH's value is hiding that info. If the bad guys capture you are visiting something like "sellmygold.com" or "bankofamerica.com" they now have information they can potentially use in a spoof and it increases your value as a target.

Maybe, but this information is not very valuable (your partner probably knows you're visiting your bank site :)) and not very useful for phishing: attacking you by spoofing DNS responses (leading you to a malicious server that pretends to be bankofamerica.com) is not a very good attack vector nowadays, because your session against the malicious site would be unencrypted (so your browser shows the "insecure" icon) or with an invalid TLS certificate (so your browser shows you a big red warning you must ignore before you can continue to the site).

That's why phishing is common in social media and hosting services like wordpress.com or cPanel: they provide a valid TLS certificate generated by a legitimate entity for a legitimate entity (say, the facebook.com certificate is valid, generated by some trusted CA and generated for Facebook), encryption of the malicious payload and easy masking of the attacker identity (accounts are free and easy to create without identifying information like a credit card).

As long as you force HSTS, do your browsing over HTTPS, suspect the content on any HTTP URL and don't enter any input and avoid suspicious subdomains (things like bank.wordpress.com), you don't gain much from DoH. If your computer is single-core or super slow, like a netbook I have, DoH can slow down your browsing a lot (due to TLS).

(woof-CE customizes Firefox: it disables some features to reduce resource consumption and increase privacy, but doesn't force DoH - see https://github.com/puppylinux-woof-CE/w ... XUPHACK#L6)

tammi806
Posts: 155
Joined: Thu Aug 31, 2023 3:11 pm
Location: USA
Has thanked: 120 times
Been thanked: 24 times

Re: Is running as root a security risk?

Post by tammi806 »

wizard wrote: Wed Sep 06, 2023 5:13 pm

@tammi806

Firefox settings, Privacy & Security, under Browser Privacy "Enhanced Tracking Protection", should we use Standard, Strict or Custom?

Try Strict and test if it affects the sites you use.

wizard

All seems to be working well so far. May give the Custom a try later on and see what it does.

Thanks again. :)

Chelsea80
Posts: 362
Joined: Tue Mar 09, 2021 12:44 am
Has thanked: 47 times
Been thanked: 75 times

Re: Is running as root a security risk?

Post by Chelsea80 »

@ wizard

OK, so if I have this right in my head -

DNS only encrypts my actual request for a particular web site -

HTTPS encrypts my interaction with a particular web site -

But it can't be both -

So as you said, it is better to use HTTPS -

Thanks for the info and patience -

@ dimkr

DoH doesn't add much security. Its main advantage over DNS is encryption: DNS allows anyone who can capture your traffic to see which domains you access (not URLs, not page contents or your input). DoH encrypts that.

No matter if you use DNS or DoH, as long as you visit only sites over HTTPS, you're protected against spoofed DNS responses because your browser verifies the HTTPS certificate of the site it thinks it's visiting. If somebody redirects you to a different website by attacking your DNS server, your browser detects that.

Thanks for expanding on the detail -

I read on the Firefox page that the default of DNS as being better security -

So I have set Firefox to: Enable HTTPS-Only Mode in all windows -

Best regards to you both

Chelsea80

wizard
Posts: 1987
Joined: Sun Aug 09, 2020 7:50 pm
Has thanked: 2654 times
Been thanked: 693 times

Re: Is running as root a security risk?

Post by wizard »

@Chelsea80

DNS only encrypts my actual request for a particular web site -

NO

DNS is a lookup service that converts a URL into the IP address your computer browser needs to connect to the site.
It's like you tell the browser go to "amazon.com", the browser doesn't know anything about "amazon.com" so it requests the IP address from a DNS server and the server sends back something like "96.127.0.0"

DNS over HTTPS (DoH) will encrypt the request so no one can see where you want the browser to go.

But it can't be both -

Yes it can be both, the HTTPS encryption can work for both the DNS request AND the connection to the web site.

As @dimkr pointed out, HTTPS connection to the web site is the most important.

wizard

Chelsea80
Posts: 362
Joined: Tue Mar 09, 2021 12:44 am
Has thanked: 47 times
Been thanked: 75 times

Re: Is running as root a security risk?

Post by Chelsea80 »

@ wizard

OK, so I messed up -

Thought URL and IP Address were one and the same, silly me -

Didn't realise both HTTPS and DNS could be used at the same time -

So now I have belts and braces -

Enabled HTTPS-Only Mode in all windows

and

Enabled DNS Max Protection

Thanks for taking the time to explain it all -

@ tammi806

Apologies for butting in on your Thread. I'll get out of your hair now -

Best regards

Chelsea80


tammi806
Posts: 155
Joined: Thu Aug 31, 2023 3:11 pm
Location: USA
Has thanked: 120 times
Been thanked: 24 times

Re: Is running as root a security risk?

Post by tammi806 »

Chelsea80 wrote: Wed Sep 06, 2023 10:19 pm

@ tammi806

Apologies for butting in on your Thread. I'll get out of your hair now -

Best regards

Chelsea80

@Chelsea80

Not a Problem. No apologies necessary. :)

Because of your butting in I learned a few things I was not aware of. :thumbup2:

There's a lot of good stuff here. :thumbup2:

d-pupp
Posts: 339
Joined: Tue Nov 22, 2022 9:11 pm
Location: Canada
Has thanked: 192 times
Been thanked: 52 times

Re: Is running as root a security risk?

Post by d-pupp »

spot should not be able to read files under /root!

I agree with this; however, my issue is I don't keep my data files in /root. I keep them in a data folder on a separate partition.
I want to secure these. If I change the permissions to 700 on the parent folder, is that good enough to protect all the folders and files under it?
They still have their default permissions of folders 755 and files 644.

ozsouth
Posts: 1569
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 241 times
Been thanked: 704 times

Re: Is running as root a security risk?

Post by ozsouth »

@d-pupp - if you want all lower folders to have the same permissions, use: chmod -R 700 /root

d-pupp
Posts: 339
Joined: Tue Nov 22, 2022 9:11 pm
Location: Canada
Has thanked: 192 times
Been thanked: 52 times

Re: Is running as root a security risk?

Post by d-pupp »

@ozsouth Thanks, but what I'm really looking for is to understand how access permissions work. The stuff online is sometimes confusing.
Some say the effective permission is the most restrictive and others say no, everything in Linux is a file and directory permissions don't change file permissions, i.e. if you have no access to a directory that contains a file you have read access to, I can still read the file if there is a link to it.
So I'm looking for some info or a good resource.

Last edited by mikewalsh on Tue Sep 12, 2023 1:59 am, edited 1 time in total.
Reason: Small spelling correction...
Burunduk
Posts: 256
Joined: Thu Jun 16, 2022 6:16 pm
Has thanked: 7 times
Been thanked: 127 times

Re: Is running as root a security risk?

Post by Burunduk »

d-pupp wrote: Mon Sep 11, 2023 11:20 pm

ie if you have no access to a directory that contains a file you have read access to I can still read the file if there is a link to it.

It seems it has to be a hard link [1] and it's not possible for a restricted user to create one:

Code:

root# mkdir testdir
root# echo 'classified foo' >testdir/file.txt
root# chmod 700 testdir
root# ln testdir/file.txt hard
root# ln -s testdir/file.txt soft
root# ls -l testdir/file.txt
-rw-r--r-- 2 root root 15 Sep 12 01:54 testdir/file.txt
root# run-as-spot bash
spot$ bat testdir/file.txt
[bat error]: 'testdir/file.txt': Permission denied (os error 13)
spot$ bat soft
[bat error]: 'soft': Permission denied (os error 13)
spot$ bat hard
───────┬───────────────────────────────────────────────────────────
       │ File: hard
───────┼───────────────────────────────────────────────────────────
   1   │ classified foo
───────┴─────────────────────────────────────────────────────────── 
spot$ ln testdir/file.txt hard2
ln: failed to access 'testdir/file.txt': Permission denied
spot$ 
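The behaviour shown in the session above, modelled as an added Python example (not part of any post in this thread): opening a file by name needs search permission on every directory in the path, so a 700 parent blocks files that are themselves 644, while a hard link outside that directory is a second name that skips it. The function names and the `base` parameter are assumptions of this sketch, and it looks only at the plain "other" mode bits, ignoring ACLs and sandboxes such as Landlock.

```python
import os
import stat


def other_can_read(path, base):
    """Could a user who is neither owner nor group member open `path` by name?

    Only directories below `base` are checked (hypothetical parameter that
    marks where the walk stops). Symlinks are resolved first, as the kernel
    does, so a symlink into a closed directory is blocked like the real path.
    """
    real = os.path.realpath(path)
    base = os.path.realpath(base)
    if not os.stat(real).st_mode & stat.S_IROTH:
        return False                      # the file itself has no o+r
    d = os.path.dirname(real)
    while d != base and d != os.path.dirname(d):
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False                  # no o+x: cannot traverse this directory
        d = os.path.dirname(d)
    return True


def names_outside(tree):
    """Regular files under `tree` that have more hard links than names
    inside `tree`, i.e. at least one name exists somewhere else."""
    seen = {}
    for dirpath, _dirs, files in os.walk(tree):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                entry = seen.setdefault((st.st_dev, st.st_ino), [st.st_nlink, []])
                entry[1].append(p)
    return sorted(min(paths) for nlink, paths in seen.values() if nlink > len(paths))


def build_demo(base):
    """Recreate the layout from the session above inside `base`."""
    testdir = os.path.join(base, "testdir")
    os.mkdir(testdir)
    target = os.path.join(testdir, "file.txt")
    with open(target, "w") as f:
        f.write("classified foo\n")
    os.chmod(target, 0o644)                               # files stay 644
    os.link(target, os.path.join(base, "hard"))           # second name, outside testdir
    os.symlink("testdir/file.txt", os.path.join(base, "soft"))
    os.chmod(testdir, 0o700)                              # only the parent is closed


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        build_demo(base)
        for name in ("testdir/file.txt", "soft", "hard"):
            print(name, other_can_read(os.path.join(base, name), base))
        print("extra names for:", names_outside(os.path.join(base, "testdir")))
```

Running `names_outside` over a data folder before relying on a 700 parent shows whether any file in it already has a name elsewhere on the same partition.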
greengeek
Posts: 1384
Joined: Thu Jul 16, 2020 11:06 pm
Has thanked: 535 times
Been thanked: 192 times

Re: Is running as root a security risk?

Post by greengeek »

tammi806 wrote: Tue Sep 05, 2023 4:05 am

So for banking and other sensitive personal use a better choice is to use a Linux distro that is not running as root user.

There seem to be plenty of hacking examples impacting companies that already avoid using root user so being non-root user in your own computing is definitely no guarantee of safety.

Basically the issue of what you yourself can do to preserve your data safety comes down to where you keep your personal data and how you protect your Puppy operating system code.

Although it seems laughable to some people the following is worth consideration:

- Don't keep personal information on the computer which you use for internet access (This is as simple as keeping your data on a removable usb stick or SSD)

- Boot your puppy from a CD (yes it is slow to boot but it means that the risk of hackers altering your operating system files is pretty much nil as far as I can see). This is probably the safest thing you can do to improve the security of any online banking you do.

- Never, ever run a save file or save folder, or any persistence of any kind - on the computer you use for internet access.

The root/nonroot discussion pales into insignificance if you yourself take the responsibility to do these basic things.

Banking passwords and login details etc are not necessarily hacked from your hard drive - much more likely to be stolen from your bank's system or "echoed" by dubious software or even by your own ISP router to dubious third parties.

If you did not go to the extent of writing your own firewall and wifi router microcode then I wouldn't lose too much sleep worrying about root issues. Your data leaks will occur for many other reasons.

Boot from CD. Don't use persistence.

dimkr
Posts: 2425
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Is running as root a security risk?

Post by dimkr »

greengeek wrote: Wed Sep 27, 2023 8:43 am

There seem to be plenty of hacking examples impacting companies that already avoid using root user so being non-root user in your own computing is definitely no guarantee of safety.

There are many examples of healthy people who smoke for many years and are (still) in good health. Many of them even buy health insurance (despite the price increase for people with big risk factors), because they know what's coming, or at least don't deny the possibility :)

Running as root puts you at risk because an attacker who runs as root can do more damage: for example, encrypt personal files (and demand ransom) anywhere in the system and not just those under the home directory, or implement persistent malware by replacing your UEFI (so running a non-persistent Puppy won't help against this) or kernel instead of doing this in a way that's much easier to detect (like a file in ~/.local/bin).

williwaw
Posts: 1957
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 172 times
Been thanked: 371 times

Re: Is running as root a security risk?

Post by williwaw »

dimkr wrote: Wed Sep 27, 2023 9:34 am

Running as root puts you at risk because an attacker who runs as root can do more damage: for example, encrypt personal files (and demand ransom) anywhere in the system and not just those under the home directory, or implement persistent malware by replacing your UEFI (so running a non-persistent Puppy won't help against this) or kernel instead of doing this in a way that's much easier to detect (like a file in ~/.local/bin).

If one were to not boot from a cd, but wish to retain as many of the advantages as possible that the CD boot offers while using writable disks, what other precautions can you offer besides not running as root?

dimkr
Posts: 2425
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1202 times

Re: Is running as root a security risk?

Post by dimkr »

williwaw wrote: Wed Sep 27, 2023 3:32 pm

If one were to not boot from a cd, but wish to retain as many of the advantages as possible that the CD boot offers while using writable disks, what other precautions can you offer besides not running as root?

Keep your Puppy updated (the recently disclosed libwebp CVE demonstrates why it's important) unless you're convinced that a read-only but old and vulnerable OS is more secure than a fully patched OS, verify the integrity of your Puppy files using external means (checking SHA512 on your computer won't work because an attacker can replace your hashing tool), enable Secure Boot + Lockdown LSM if you can, use fwupd to keep all your firmware (UEFI/BIOS, SSD firmware, etc.) up to date, enable UEFI/BIOS rollback protection, enable early microcode loading if your Puppy supports it (super important since Skylake), and enable 2FA (preferably using SMS or something else that's not accessible through your computer, where an attacker is assumed to be capable of capturing any input) everywhere you can.

And, if you want, you can install Puppy to a read-only ext4 partition on an internal drive. You'll still need to verify that your OS is unmodified, because an attacker can remount the partition read+write and tamper with your OS.
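One way to do the "external means" check from the post above, as an added Python example that is not part of the post or of Puppy's own tooling: run it from a separate system you trust, with the Puppy drive mounted, against a sha512sum-format manifest obtained from a trusted source. The function names and the command-line arguments are assumptions of this sketch.

```python
import hashlib
import os
import sys


def parse_manifest(text):
    """Parse sha512sum-style lines: '<128 hex>  <name>' or '<128 hex> *<name>'."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest[1:]                       # drop the text/binary marker
        if len(digest) != 128 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        bytes.fromhex(digest)                 # raises ValueError if not hex
        expected[os.path.normpath(name)] = digest.lower()
    return expected


def sha512_file(path, chunk=1 << 20):
    """Hash a file in chunks so large .sfs images do not need to fit in RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, manifest_text):
    """Compare files under `root` with the manifest; return names by status."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif sha512_file(path) == digest:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    # Files the manifest does not know about deserve a look too.
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if rel not in expected:
                report["unlisted"].append(rel)
    report["unlisted"].sort()
    return report


if __name__ == "__main__":
    # Usage (hypothetical): verify.py <mounted Puppy directory> <manifest file>
    root, manifest_path = sys.argv[1], sys.argv[2]
    with open(manifest_path) as f:
        result = verify_tree(root, f.read())
    for status in ("modified", "missing", "unlisted"):
        for name in result[status]:
            print(status.upper(), name)
    sys.exit(1 if result["modified"] or result["missing"] else 0)
```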
