Linked by Howard Fosdick on Sat 17th Dec 2011 00:26 UTC
Linux Without corporate backing or advertising, Puppy Linux has become one of the world's ten most popular Linux distributions. In the past few months Puppy has whelped a litter of like systems, each with its own unique DNA. This article summarizes Puppy and then describes the new brood.
Security
by ozonehole on Sat 17th Dec 2011 01:23 UTC
ozonehole
Member since:
2006-01-07

I hesitate to make this comment because I know exactly what's going to happen, but here goes...

Puppy always runs as root without a password. Yes, it is possible (if you open a terminal and use the command line) to login as unprivileged user "spot" (again, without a password). "Spot" can launch apps at the command line, but the graphic desktop will always belong to root. And most users will not go to the trouble to become spot, they will just launch apps as root. Many have pointed out that this is a risky strategy in terms of security. Puppy lacks the tools to configure it as you would most distros - running the desktop and all apps as an unprivileged user.

This issue has been mentioned about a million times already in numerous Linux forums. Usually within minutes after somebody raises the issue, Puppy fans jump in and insist that Puppy is perfectly secure, surfing the Internet as root poses no security risk at all, and if you don't agree with them you are a "Puppy-hater" and deserve to die. I've found myself in this argument so many times now that it's gotten weary, which is why I hesitate to post this.

Nevertheless, reality is that surfing the net as root carries some real risks, whether Puppy users wish to admit it or not. I would never do online banking or credit card purchases with Puppy for this reason.

This does not mean I hate Puppy. I used it for quite a while on my netbook, though lately I've found other alternatives which I prefer. I still keep a Puppy CD and USB stick around just in case I need an emergency boot-up device to rescue data or fix a broken installation. Puppy does have many endearing features - I understand why people like it.

Now, if somebody would just fix this security problem, I'd probably be using it on an everyday basis.

My advice about ANY distro is that people should not get emotional about it. I've used quite a few distros since I started with Linux over 10 years ago. Every distro has some flaw - either you learn to live with it, or ask the developers to fix it (if you can't fix it yourself), or move on to another distro. But denying the flaw won't make it go away, even if the denial makes you feel better.

Edited 2011-12-17 01:34 UTC

Reply Score: 14

RE: Security
by daedliusswartz on Sat 17th Dec 2011 02:10 UTC in reply to "Security"
daedliusswartz Member since:
2007-05-28

Every time someone makes a comment like this, a puppy dies!

Reply Score: 14

RE: Security
by Soulbender on Sat 17th Dec 2011 02:13 UTC in reply to "Security"
Soulbender Member since:
2005-08-18

> Puppy lacks the tools to configure it as you would most distros - running the desktop and all apps as an unprivileged user

That's a bit of an odd design decision, to say the least.

> I would never do online banking or credit card purchases with Puppy for this reason.

While always logging in as root is indeed not a good idea it has little to do with compromising your personal data. Your personal data is just as vulnerable when you surf the net as an unprivileged user.

Reply Score: 11

RE[2]: Security
by UltraZelda64 on Sat 17th Dec 2011 05:11 UTC in reply to "RE: Security"
UltraZelda64 Member since:
2006-12-05

> While always logging in as root is indeed not a good idea it has little to do with compromising your personal data. Your personal data is just as vulnerable when you surf the net as an unprivileged user.

I know this is a stretch, but if you have a secondary user account for more important, confidential things like online banking and use the UNIX user/group/permissions system properly, then your banking stuff is pretty damn safe while browsing the web for porn or something on your standard everyday account. Just be sure to be safe and wear a NoScript condom and keep your vaccinations (system updates) up to date. Heh.

Yeah, I know that's completely not funny, but I just had to twist it in that direction. Hey, it still gets the point across.

Use 'chmod 600 filename' (for owner rw) or 'chmod 400 filename' (for owner ro) on files that you intend to keep private. Do 'chmod 700 dirname' on directories whose entire contents you want to keep private.

Hell, you can even just put your "confidential" user account in its own group; if you run Debian and don't change the defaults, this is automatically done for you... instead of, for example, user 'uz64' being in group 'users' he will be in a group of the same name, 'uz64'. Completely segregates users and all of their data. Might still be good practice to properly set permissions though, and if you're really extreme about security you'll want to consider encrypting your files.

Reply Score: 4
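
The permission scheme from the comment above (700 on private directories, 600 on private files), as an added example that is not part of the original thread: it audits a directory tree for anything still accessible to group or other, then tightens it. The function names and the sample `bank` tree are constructed for the demo; `find -perm /077` and `stat -c` assume GNU or BusyBox tools.

```shell
#!/bin/sh
# Added example: audit and tighten a private directory tree.
# All paths and file contents below are constructed sample data.

# Print every entry under $1 that grants ANY permission bit to
# group or other (mode & 077 != 0).
audit_private() {
    find "$1" -perm /077 -print
}

# Number of entries audit_private reports for $1.
count_loose() {
    audit_private "$1" | wc -l | tr -d ' '
}

# Apply the modes from the comment: 700 on directories, 600 on files.
lock_down() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Build a deliberately loose tree, audit it, lock it down, audit again.
# Echoes: <loose entries before> <loose entries after> <final file mode>
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bank/statements"
    echo "constructed sample" > "$d/bank/statements/2011-12.txt"
    echo "constructed sample" > "$d/bank/notes.txt"
    # Typical defaults left by a 022 umask: world-readable.
    chmod 755 "$d/bank" "$d/bank/statements"
    chmod 644 "$d/bank/statements/2011-12.txt" "$d/bank/notes.txt"

    before=$(count_loose "$d/bank")
    lock_down "$d/bank"
    after=$(count_loose "$d/bank")
    mode=$(stat -c %a "$d/bank/notes.txt")

    rm -rf "$d"
    echo "$before $after $mode"
}

demo
```

These modes only keep out other unprivileged accounts: a process running as root bypasses them, and a process running as the owning user can still read the files.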

RE: Security
by KLU9 on Sat 17th Dec 2011 12:47 UTC in reply to "Security"
KLU9 Member since:
2006-12-06

Has there ever... ever... ever... been an actual documented case of a Puppy system being compromised due to this issue? Ever?

Reply Score: 2

RE[2]: Security
by Dasher42 on Sat 17th Dec 2011 20:53 UTC in reply to "RE: Security"
Dasher42 Member since:
2007-04-05

Running as root on Unix systems is anathema for any real use. It subverts the entire model of security and goes well beyond the browser itself. It's what made Windows ridiculously insecure to begin with, and that platform still hasn't entirely shaken the consequences.

Puppy: something to run off of a flash drive occasionally. Look elsewhere for a general-purpose system.

Reply Score: 3

RE[3]: Security
by KLU9 on Mon 19th Dec 2011 14:41 UTC in reply to "RE[2]: Security"
KLU9 Member since:
2006-12-06

clearly it's anathema, that's obvious from pretty much every post on the issue. But I wasn't asking about emotions. My question was: is there any actual data?

Reply Score: 2

RE[4]: Security
by UltraZelda64 on Mon 19th Dec 2011 15:13 UTC in reply to "RE[3]: Security"
UltraZelda64 Member since:
2006-12-05

No idea, but anyone knows it's insane to always run as root for real work where security is even a slight concern, and for that reason Puppy is nothing more than a toy to them. If you asked a security person to do real-world tests on Puppy to get this data, they'd probably laugh and think you're joking. They'd probably think it's retarded to even do such a test targeting Puppy specifically when there is plenty of real-world data to go through on the act of just running as root/admin alone. It's well documented; it's bad no matter what, just because it's Puppy and its users seem to be crazy rabid fanboys doesn't make it better.

Edited 2011-12-19 15:14 UTC

Reply Score: 3

RE[2]: Security
by WereCatf on Sun 18th Dec 2011 03:10 UTC in reply to "RE: Security"
WereCatf Member since:
2006-02-15

> Has there ever... ever... ever... been an actual documented case of a Puppy system being compromised due to this issue? Ever?

Most likely not as usually Puppy is used just as a temporary solution and usually not run as a server. However, something not being documented does not equal that it has never happened.

Edited 2011-12-18 03:11 UTC

Reply Score: 5

RE[3]: Security
by KLU9 on Mon 19th Dec 2011 14:39 UTC in reply to "RE[2]: Security"
KLU9 Member since:
2006-12-06

yes, yes I know absence of evidence is not evidence of absence.

But some actual *data* to base opinions on would be nice, wouldn't it?

Reply Score: 1

RE[4]: Security
by zima on Sat 24th Dec 2011 23:11 UTC in reply to "RE[3]: Security"
zima Member since:
2005-07-06

Well I'd guess, at the least, it breeds people who think running as root is fine ...that alone is a bad thing, a bad idea to propagate.

(also: another reason for the more sensible all around Kitten Linux)

Reply Score: 2

RE: Security
by WereCatf on Sun 18th Dec 2011 03:06 UTC in reply to "Security"
WereCatf Member since:
2006-02-15

> Nevertheless, reality is that surfing the net as root carries some real risks, whether Puppy users wish to admit it or not. I would never do online banking or credit card purchases with Puppy for this reason.

I do mostly agree, but this is something I don't understand: why would doing online banking or credit card purchases as root be any less secure than as a regular user? Your local user account bears no significance to the security of the data that leaves the machine, it doesn't carry over.

Running as root is bad because of LOCAL privileges, i.e. a root user can modify system files, access other operating systems' disks and/or partitions etc. whereas a non-privileged user can't. But a non-privileged user can still access his or her own files, and a keylogger won't need root privileges to log what you're typing.

My point being that running as non-root is not some damn magic bullet after which you can just blindly trust anything anywhere.

Reply Score: 5

RE[2]: Security
by mike99 on Tue 20th Dec 2011 16:51 UTC in reply to "RE: Security"
mike99 Member since:
2011-12-20

Good answer. (Actually the best answer I read so far.) Even though the % of fraud is lower from computing, I tell anyone when the subject comes up to not do "Online Banking". So, let's say you cannot get to "your bank" when you want/need. You can run Puppy from a CD-R quickly. Puppy was meant as a personal O/S. An alternative. You could spend your money, or someone else's, but, suit yourself.
*Sent from this old clunker P550 Intel 810 chipset with 192mb RAM.

Reply Score: 1

RE: Security
by jello on Mon 19th Dec 2011 19:51 UTC in reply to "Security"
jello Member since:
2006-08-08

If someone is interested here is the official security statement off the Puppy Wiki:

In Puppy Linux your user account is called root, but is not root. In puppy root is user.

More here: http://puppylinux.org/wikka/security

Also AFAIK some Puppy distros have (in addition to that) a special user named spot that is used when starting internet apps. (The distro I know that does that is FatDog64 - 64 bit Puppy Linux)

In addition Puppy always runs in ram not hard disk...

Edited 2011-12-19 19:52 UTC

Reply Score: 1

good vm candidate?
by bnolsen on Sat 17th Dec 2011 01:41 UTC
bnolsen
Member since:
2006-01-06

Seems like a good candidate for running in a VM. I found that FatDog64 is all 64bit. I'm downloading and will check how well this might work for a commercial software build environment. I really don't need that much, just basic 64bit but with a c++11 capable compiler.

Reply Score: 2

RE: good vm candidate?
by Pro-Competition on Sun 18th Dec 2011 17:27 UTC in reply to "good vm candidate?"
Pro-Competition Member since:
2007-08-20

That might be a good subject for a small article on this site. I will be curious about your results.

I will soon be migrating my system from a single OS to a VM environment with many small single-purpose VMs, so I am interested in lightweight, small footprint OSes. Even more than usual. ;^)

Reply Score: 2

Say what?
by Soulbender on Sat 17th Dec 2011 02:37 UTC
Soulbender
Member since:
2005-08-18

> It manages connections and prompts servers when problems occur.

It does what now? Prompts the *servers*? Some explanation regarding this seemingly fantastical technology might be called for.

> I installed Ubuntu 11 on an end user's system recently and was embarrassed in front of the client by its unintelligible boot-time menu.

Unintelligible? Really? 3 clearly labeled entries is unintelligible? There's almost no difference between grub and grub2 when it comes to using the actual menu.

Reply Score: 3

RE: Say what?
by broken_symlink on Sat 17th Dec 2011 02:46 UTC in reply to "Say what?"
broken_symlink Member since:
2005-07-06

"Puppy is uniquely effective with slow or unreliable internet connections. It manages connections and prompts servers when problems occur. I have a friend who has poor line quality -- and few options, living in a rural area. He runs Ubuntu 10.04 LTS, Windows XP SP3, and Puppy 5. He favors Puppy because of its more reliable internet connectivity."

I was also wondering what this meant.

Reply Score: 3

RE[2]: Say what?
by benali72 on Sun 18th Dec 2011 03:59 UTC in reply to "RE: Say what?"
benali72 Member since:
2008-05-03

I've found that Puppy's package manager is more reliable for downloads. Of course all you have to do on other systems is install a free Download Manager and you've got the same thing, so no big feature IMHO.

Reply Score: 1

RE: Say what?
by ozonehole on Sat 17th Dec 2011 05:41 UTC in reply to "Say what?"
ozonehole Member since:
2006-01-07


> Unintelligible? Really? 3 clearly labeled entries is unintelligible? There's almost no difference between grub and grub2 when it comes to using the actual menu.

I'm going to agree with the original author on this point - GRUB (legacy) was much better than GRUB2. I tip my hat to the Puppy developers for sticking with the old GRUB. I never understood why it was necessary to make GRUB2 so complicated to configure. Simplicity is bliss.

Edited 2011-12-17 05:43 UTC

Reply Score: 2

RE[2]: Say what?
by Soulbender on Sat 17th Dec 2011 05:43 UTC in reply to "RE: Say what?"
Soulbender Member since:
2005-08-18

> GRUB (legacy) was much better than GRUB2

Perhaps but there's little difference when it comes to how the gui works when selecting boot entry. Saying that it is unintelligible is nonsense because menu in grub looks and works pretty much the same way.
If it is cluttered then the same menu would be cluttered in grub.

Reply Score: 2

RE[3]: Say what?
by ozonehole on Sat 17th Dec 2011 05:50 UTC in reply to "RE[2]: Say what?"
ozonehole Member since:
2006-01-07

> Perhaps but there's little difference when it comes to how the gui works when selecting boot entry. Saying that it is unintelligible is nonsense because menu in grub looks and works pretty much the same way.
> If it is cluttered then the same menu would be cluttered in grub.

Your point is well taken. However, the nice thing about GRUB legacy is that to reconfigure your menu entries, you simply have to edit file /boot/grub/menu.lst. GRUB2 is far messier - in fact, every time I've had to rework the menus, I needed to go back and read the documentation on how to do it. I actually find it easier to just nuke GRUB2 and install GRUB legacy, which is still available in Ubuntu and Debian (though GRUB2 is now the default).

Edited 2011-12-17 05:55 UTC

Reply Score: 3

RE[4]: Say what?
by Soulbender on Sat 17th Dec 2011 05:54 UTC in reply to "RE[3]: Say what?"
Soulbender Member since:
2005-08-18

Yeah, configuring grub 2 is a horrible mess. Whose brilliant idea was it that the config directory should contain 1000's of files?
grub2 has one nice feature though, the rescue prompt. When grub1 fails to load you're left up shits creek without a paddle while in grub2 you get the rescue prompt and can actually remedy the situation and manage to boot.

Reply Score: 2

RE[5]: Say what?
by ozonehole on Sat 17th Dec 2011 05:57 UTC in reply to "RE[4]: Say what?"
ozonehole Member since:
2006-01-07

> Yeah, configuring grub 2 is a horrible mess. Whose brilliant idea was it that the config directory should contain 1000's of files?
> grub2 has one nice feature though, the rescue prompt. When grub1 fails to load you're left up shits creek without a paddle while in grub2 you get the rescue prompt and can actually remedy the situation and manage to boot.

That's a good point. Although GRUB is very reliable, it's possible to break it if you fool around (with root privileges). With GRUB legacy, if things get buggered, you might need a rescue disk. Well, that's actually one of the things I still use Puppy for (a rescue disk).

Edited 2011-12-17 05:58 UTC

Reply Score: 2

RE[4]: Say what?
by judgen on Sun 18th Dec 2011 15:48 UTC in reply to "RE[3]: Say what?"
judgen Member since:
2006-07-12

'yeah' they did move it, so now it is harder? /boot/grub/grub.cfg is containing all the menu.lst stuff.

Reply Score: 3

Puppularity?
by Nth_Man on Sat 17th Dec 2011 17:34 UTC
Nth_Man
Member since:
2010-05-16

> Puppy Linux has become one of the world's ten most
> popular Linux distributions
No. It just means that its link is one of the most clicked on a particular website. That doesn't mean that it is one of the "world's ten most popular Linux distributions"

Reply Score: 4

RE: Puppularity?
by benali72 on Sun 18th Dec 2011 04:11 UTC in reply to "Puppularity?"
benali72 Member since:
2008-05-03

Good point. As per Distrowatch:

"The DistroWatch Page Hit Ranking statistics are a light-hearted way of measuring the popularity of Linux distributions and other free operating systems among the visitors of this website. They correlate neither to usage nor to quality and should not be used to measure the market share of distributions. They simply show the number of times a distribution page on DistroWatch.com was accessed each day, nothing more."

Reply Score: 2

RE[2]: Puppularity?
by righard on Sun 18th Dec 2011 15:33 UTC in reply to "RE: Puppularity?"
righard Member since:
2007-12-26

Also why would I as a happy Arch/Debian user ever visit those distros on Distrowatch?

Reply Score: 4

RE[2]: Puppularity?
by UltraZelda64 on Mon 19th Dec 2011 15:40 UTC in reply to "RE: Puppularity?"
UltraZelda64 Member since:
2006-12-05

Not to mention, Puppy has been releasing new versions on a regular basis (monthly, from a quick glance on DistroWatch using the news filter) and recently made a release. On top of that, DistroWatch themselves ran a story/review... so duh, obviously it's going to get more page hits at their site.

Face it, the more often a distro puts out a new version, the more often DistroWatch puts it on its front page, the more often it's listed in DistroWatch Weekly, the more often that distro's page gets visited. More news means more visibility, and therefore more clicks. People like news, it interests them... simple. It's human nature.

Reply Score: 4

Good Article
by Pro-Competition on Sun 18th Dec 2011 17:35 UTC
Pro-Competition
Member since:
2007-08-20

Thanks for another good article, Howard.

I have some aging hardware that I want to resurrect, and I don't have as much time as I used to for non-work research, so I find these articles to be very helpful.

Reply Score: 3

I tried Puppy, but it was not good.
by axilmar on Tue 20th Dec 2011 13:31 UTC
axilmar
Member since:
2006-03-20

After reading the article, I tried it on Virtual Box.

The UI seems at least 15 years behind from an aesthetic point of view.

It did not support resolutions greater than 800x600, and so many windows were not fully visible. I had to press enter blindly in order to continue the installation. Other Linux distributions running under VBox don't have a problem with higher resolutions.

The installation GUI was horrible. There were little buttons/icons everywhere that have extremely non-descriptive pictures on them. I just tried them all to see what they do.

The installation forced me to partition the hard disk manually. It did not make any suggestions on possible partitions, like other distros.

After playing with it for a while, I erased it and installed Kubuntu, which is light years ahead of Puppy, in almost every domain. In fact, Kubuntu 11.10 is so polished, it can be easily compared to Windows 7, and perhaps be found better than Windows 7.

Reply Score: 3

Nth_Man Member since:
2010-05-16

Just right. I wish I could mod you up.

Reply Score: 2

mike99 Member since:
2011-12-20

If you are used to a KDE UI, you might try a Puplet for newer H.W. Teenpup 2010 beta has some KDE elements built in and is better for P4 on up. And, you won't have to go out and "fetch" anything to do most of your stuff.

Reply Score: 1