
Can user spot be frugally out of ram?

Posted: Mon Feb 12, 2024 9:24 am
by houndstooth

Goal:

Run a browser as spot with profile & cache not in ram but rather on static media.

Is this a limited user design limitation?


Re: Can user spot be frugally out of ram?

Posted: Mon Feb 12, 2024 4:41 pm
by Feek
houndstooth wrote: Mon Feb 12, 2024 9:24 am

Run a browser as spot with profile & cache not in ram but rather on static media.

You are usually root on puppy systems. It is therefore not necessary to confirm everything with a password.

When you start, for example, the browser as spot, you limit its permissions only to the /home/spot folder. So anything that comes from the Internet can only reach the /home/spot folder and will not reach the entire system.

The browser profile and cache are also created (from first launch) in /home/spot. But this does not mean that the profile and cache can only be in the ram and nowhere else. Let's say you have a profile or even a cache in /home/spot, and you press the "save" button. Then this is saved to your save folder like any other change in the system. And the save folder can be on "static media".

Maybe a symlink to /mnt/home would work for the profile, as some puppy users do.


Re: Can user spot be frugally out of ram?

Posted: Mon Feb 12, 2024 4:57 pm
by wizard

Try just running one of @mikewalsh's portable browsers.

wizard


Re: Can user spot be frugally out of ram?

Posted: Mon Feb 12, 2024 6:10 pm
by dancytron
houndstooth wrote: Mon Feb 12, 2024 9:24 am

Goal:

Run a browser as spot with profile & cache not in ram but rather on static media.

Is this a limited user design limitation?

In Chrome based browsers, you can control where the cache and user profiles are located with command line switches.

google-chrome-stable --user-data-dir=/path/UserProfile --disk-cache-dir=/path/Cache

You may need to create the folders and set the ownership and permissions so that spot can write to them (or not, maybe Chrome creates them, I don't remember).
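
The setup described in this post, as an added example that is not part of the original post: it creates the two directories on persistent storage, restricts them to their owner, and gives them to spot before launching. The function name, the example path /mnt/home/spot-browser and the use of run-as-spot (which appears in the launcher quoted later in this thread) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): put a Chrome-based browser's profile
# and cache on persistent storage and hand them to the account it runs as.
#
# prepare_browser_dirs BASE [OWNER_SPEC]
#   BASE        directory on disk, e.g. /mnt/home/spot-browser (assumed path)
#   OWNER_SPEC  user:group for chown, default spot:spot
prepare_browser_dirs() {
    base=$1
    owner=${2:-spot:spot}

    # Refuse a symlinked BASE so ownership is only ever changed on the
    # directory that was actually named.
    if [ -L "$base" ]; then
        echo "refusing: $base is a symbolic link" >&2
        return 1
    fi

    mkdir -p "$base/UserProfile" "$base/Cache" || return 1

    # Owner-only access: no other account can read the profile
    # (cookies, saved logins) or the cache.
    chmod 700 "$base" "$base/UserProfile" "$base/Cache" || return 1

    # chown needs root, which is the normal case on Puppy.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$base" || return 1
    fi
}

# Run directly as root with a target directory to prepare it and launch.
if [ -n "${1:-}" ]; then
    prepare_browser_dirs "$1" &&
        exec run-as-spot google-chrome-stable \
            --user-data-dir="$1/UserProfile" --disk-cache-dir="$1/Cache"
fi
```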


Re: Can user spot be frugally out of ram?

Posted: Mon Feb 12, 2024 10:36 pm
by mikeslr

Ditto what wizard wrote. When you run an application as spot the contents of the files it uses are limited to a folder possessing spot permissions. There can be more than one folder having spot's permissions. /home occupies RAM. So all downloads and web-cache generated by a web-browser using /home/spot as its folder will use RAM and can do so until your web-browser becomes unresponsive or crashes.

Mike Walsh's portables are generally run from /mnt/home. Folders 'hanging' from /mnt and /media and their contents do not occupy RAM. They are on your storage media. Mike's portables contain within their folder a spot folder: e.g. /mnt/home/Brave-portable/profile/spot. So downloaded files and web-cache do not occupy RAM. [Suggest book-marking the ...portable/profile/spot/download folder for ease of access].

As dancytron suggests, you could create a spot folder somewhere under /mnt, give it the proper permissions and configure your web-browser to use it. But using one of Mike's portables involves much less work.


Re: Can user spot be frugally out of ram?

Posted: Tue Feb 13, 2024 6:15 am
by proebler
Feek wrote: Mon Feb 12, 2024 4:41 pm
houndstooth wrote: Mon Feb 12, 2024 9:24 am

Run a browser as spot with profile & cache not in ram but rather on static media.

The browser profile and cache are also created (from first launch) in /home/spot. But this does not mean that the profile and cache can only be in the ram and nowhere else. Let's say you have a profile or even a cache in /home/spot, and you press the "save" button. Then this is saved to your save folder like any other change in the system. And the save folder can be on "static media".

Maybe a symlink to /mnt/home would work for the profile, as some puppy users do.

Feek's suggestion is good.
Move ('out-source') the profile and the cache to wherever you like and then link them back to where they were before.
It works with the advantage that any save file/folder is not burdened with them.


Re: Can user spot be frugally out of ram?

Posted: Tue Feb 13, 2024 2:41 pm
by houndstooth

I do see spot working effectively like a trap, preventing downloads from getting saved. At the same time we can open local files out of spot which seems like a vulnerability.

I believe I tried this long ago more naive: spot is supposed to be limited, so linking directories to a limited user without access seems to negate the purpose of a limited user.

I am trying to resolve if tinkering is worthwhile or if futility is design. The quest is to save limited ram while preserving spot protection.

I was under the impression a portable uses standard system directories for profile & cache despite the script, but I will have to examine that more closely.

Mike's portables contain within their folder a spot folder: e.g. /mnt/home/Brave-portable/profile/spot. So downloaded files and web-cache do not occupy RAM. [Suggest book-marking the ...portable/profile/spot/download folder for ease of access].

Is spot within a portable still limited outside of the portable directory? Does it have root access or why is it called spot?

I have tried putting .sfs apps in spot (not the archive but the loaded file), but turns out they are just copied, still present after being unloaded. In the file system or my-applications we can still run apps as spot, but profile & cache are in ram.

Then putting anything in home might trick Conky which is a no-no. We need authentic ram usage reporting.


Re: Can user spot be frugally out of ram?

Posted: Tue Feb 13, 2024 3:17 pm
by mikeslr

That you as Root have access to the spot folder --such as creating a bookmark to it-- does not mean that applications running as Spot have FULL access to folders outside of the Spot folder.

Mike's portables are started by executing the included LAUNCH script which in pertinent part (e.g. for Brave) reads:

#!/bin/sh
#
# Launcher for 'portable' Brave browser*
#
HERE="$(dirname "$(readlink -f "$0")")"
#
mkdir "$HERE/PROFILE" 2> /dev/null
mkdir "$HERE/PROFILE/spot" 2> /dev/null
mkdir "$HERE/PROFILE/spot/Brave-Browser" 2> /dev/null
#
chown -R spot:spot "$HERE/brave"
chown -R spot:spot "$HERE/lib"
chown -R spot:spot "$HERE/PROFILE/spot"
...
else
run-as-spot "$HERE/brave/brave" --user-data-dir="$HERE/PROFILE/spot/Brave-Browser" --disk-cache-size=50000000 --media-cache-size=50000000 --allow-outdated-plugins "$@"
fi

Running Brave (or another Web-browser similarly structured) you can configure it to download to folders other than ones chown'd to spot. But you'll receive a notice that any such attempted download fails.

However, you are right. The Spot formula doesn't entirely isolate the Spot folder. With a Web-browser open, selecting Files from its Menu or entering Ctrl-o in its URL box enables viewing any file on your system and its contents. But AFAICT, provides no means to alter or delete a file so viewed.
Spot appears to provide security, but not privacy.

FWIW, my prior exploration in this area revealed that Spot was as, but no more, effective than running Web-browsers as User under other Linuxes, even when those employed a firejail. To obtain privacy, you have to run Web-browsers in a container; or from a Chrooted subordinate Operating system.

-=-=--=--

  • Not sure why this is bolded and Large. Can't figure out how to change. :?

Re: Can user spot be frugally out of ram?

Posted: Tue Feb 13, 2024 3:55 pm
by d-pupp

I'm not sure about Bookworm however in Vanilladpup spot is very locked down. He can only see the contents of his Home. All others error out.
Could not read ####.
Permission denied


Re: Can user spot be frugally out of ram?

Posted: Tue Feb 13, 2024 8:27 pm
by mikeslr

Plus 1 for dimkr. dimkr has posted that there were ways for a hacker to break out of Spot's restrictions but has had the good sense not to detail them so that even fledgling hackers could do so. VanillaDpup is his creation. d-pupp's post suggests that dimkr has plugged that potential escape in his creation.

I forgot to mention in my prior post that there's another way to enhance security. If you run your Puppy under Pupmode 13, having stored settings and located a web-browser in, say, a READ-ONLY adrv.sfs and do not use a SaveFile/Folder, after boot-up all drives are dismounted [and if from a USB-Key the Key can be unplugged]. I don't think (don't have the knowledge to make sure) anyone hacking the Web-browser (even if run as Root) can access any drives unless you, as Root, mount them. So configured, downloads and web-cache would occupy RAM. To preserve downloaded files you would select the ones you want and move them, say, to /root/my-documents. You could then wipe cache and downloads before closing the web-browser (and for added protection shutting down wifi). You could then mount a partition and move your downloaded files onto it.


Re: Can user spot be frugally out of ram?

Posted: Wed Feb 14, 2024 5:59 am
by dimkr
d-pupp wrote: Tue Feb 13, 2024 3:55 pm

I'm not sure about Bookworm however in Vanilladpup spot is very locked down. He can only see the contents of his Home. All others error out.
Could not read ####.
Permission denied

spot can access /mnt/home. This has security implications, but at least spot can run applications located outside of the save, directly on the partition.
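
A way to measure on a given install what this thread discusses (files a browser running as spot can view, and places outside its home it can write), as an added example that is not part of any post. The function name and arguments are assumptions; it evaluates owner and "other" mode bits only, so group membership, ACLs and the parents of the starting directory are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): list what an account can reach
# outside its home directory, judged by file mode bits.
#
# spot_reach MODE ROOT HOME [USER]
#   MODE  r = readable, w = writable
#   ROOT  tree to scan, e.g. /mnt/home (stays on one filesystem)
#   HOME  the account's own home, skipped, e.g. /home/spot
#   USER  account name or numeric uid, default spot
spot_reach() {
    mode=$1 root=$2 home=$3 user=${4:-spot}
    case $mode in
        r) ubit=-0400 obit=-0004 ;;
        w) ubit=-0200 obit=-0002 ;;
        *) echo "mode must be r or w" >&2; return 2 ;;
    esac
    # Owner bits apply when USER owns the entry, "other" bits otherwise.
    # Directories USER cannot enter are pruned, so nothing below them is
    # reported even if its own mode is permissive.
    find "$root" -xdev \
        \( -path "$home" -o -type d ! \( \
            \( -user "$user" -perm -0100 \) -o \
            \( ! -user "$user" -perm -0001 \) \) \) -prune -o \
        \( -type f -o -type d \) \
        \( \( -user "$user" -perm "$ubit" \) -o \
           \( ! -user "$user" -perm "$obit" \) \) -print 2>/dev/null
}

# Run directly, e.g.: sh this-script w /mnt/home /home/spot
if [ "$#" -ge 3 ]; then
    spot_reach "$@"
fi
```

World-writable sticky directories such as /tmp will appear in the `w` listing; entries on the partition that holds the save folder or other Puppy installs are the ones to review.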