Linked by Howard Fosdick on Sat 17th Dec 2011 00:26 UTC
Without corporate backing or advertising, Puppy Linux has become one of the world's ten most popular Linux distributions. In the past few months Puppy has whelped a litter of like systems, each with its own unique DNA. This article summarizes Puppy and then describes the new brood.
Security
by ozonehole on Sat 17th Dec 2011 01:23 UTC
ozonehole Member since:
2006-01-07

I hesitate to make this comment because I know exactly what's going to happen, but here goes...

Puppy always runs as root without a password. Yes, it is possible (if you open a terminal and use the command line) to log in as unprivileged user "spot" (again, without a password). "Spot" can launch apps at the command line, but the graphic desktop will always belong to root. And most users will not go to the trouble to become spot, they will just launch apps as root. Many have pointed out that this is a risky strategy in terms of security. Puppy lacks the tools to configure it as you would most distros - running the desktop and all apps as an unprivileged user.

This issue has been mentioned about a million times already in numerous Linux forums. Usually within minutes after somebody raises the issue, Puppy fans jump in and insist that Puppy is perfectly secure, surfing the Internet as root poses no security risk at all, and if you don't agree with them you are a "Puppy-hater" and deserve to die. I've found myself in this argument so many times now that it's gotten weary, which is why I hesitate to post this.

Nevertheless, reality is that surfing the net as root carries some real risks, whether Puppy users wish to admit it or not. I would never do online banking or credit card purchases with Puppy for this reason.

This does not mean I hate Puppy. I used it for quite a while on my netbook, though lately I've found other alternatives which I prefer. I still keep a Puppy CD and USB stick around just in case I need an emergency boot-up device to rescue data or fix a broken installation. Puppy does have many endearing features - I understand why people like it.

Now, if somebody would just fix this security problem, I'd probably be using it on an everyday basis.

My advice about ANY distro is that people should not get emotional about it. I've used quite a few distros since I started with Linux over 10 years ago. Every distro has some flaw - either you learn to live with it, or ask the developers to fix it (if you can't fix it yourself), or move on to another distro. But denying the flaw won't make it go away, even if the denial makes you feel better.

Edited 2011-12-17 01:34 UTC

Reply Score: 14

RE: Security
by daedliusswartz on Sat 17th Dec 2011 02:10 in reply to "Security"
daedliusswartz Member since:
2007-05-28

Every time someone makes a comment like this, a puppy dies!

Reply Parent Score: 14

RE: Security
by Soulbender on Sat 17th Dec 2011 02:13 in reply to "Security"
Soulbender Member since:
2005-08-18

> Puppy lacks the tools to configure it as you would most distros - running the desktop and all apps as an unprivileged user


That's a bit of an odd design decision, to say the least.

> I would never do online banking or credit card purchases with Puppy for this reason.


While always logging in as root is indeed not a good idea it has little to do with compromising your personal data. Your personal data is just as vulnerable when you surf the net as an unprivileged user.

Reply Parent Score: 11

RE[2]: Security
by UltraZelda64 on Sat 17th Dec 2011 05:11 in reply to "RE: Security"
UltraZelda64 Member since:
2006-12-05

> While always logging in as root is indeed not a good idea it has little to do with compromising your personal data. Your personal data is just as vulnerable when you surf the net as an unprivileged user.

I know this is a stretch, but if you have a secondary user account for more important, confidential things like online banking and use the UNIX user/group/permissions system properly, then your banking stuff is pretty damn safe while browsing the web for porn or something on your standard everyday account. Just be sure to be safe and wear a NoScript condom and keep your vaccinations (system updates) up to date. Heh.

Yeah, I know that's completely not funny, but I just had to twist it in that direction. Hey, it still gets the point across.

Use 'chmod 600 filename' (for owner rw) or 'chmod 400 filename' (for owner ro) on files that you intend to keep private. Do 'chmod 700 dirname' on directories whose entire contents you want to keep private.

Hell, you can even just put your "confidential" user account in its own group; if you run Debian and don't change the defaults, this is automatically done for you... instead of, for example, user 'uz64' being in group 'users' he will be in a group of the same name, 'uz64'. Completely segregates users and all of their data. Might still be good practice to properly set permissions though, and if you're really extreme about security you'll want to consider encrypting your files.

Reply Parent Score: 4
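
The permission advice in UltraZelda64's comment above, sketched as an added example that is not part of the original thread: it audits a directory for group/other access and then strips it. The function names and the sample tree are constructed for illustration; `chmod go=` is used because it yields the comment's 600, 400 and 700 modes while preserving the owner bits.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# List every file or directory under $1 that grants any permission bit
# to group or other. Symlinks are skipped: their own mode is meaningless.
audit_private() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries; $(( )) strips the padding some wc builds emit.
count_exposed() {
    echo $(( $(audit_private "$1" | wc -l) ))
}

# Clear all group/other bits and leave the owner bits alone, so 644 -> 600,
# 444 -> 400 and 755 -> 700: the three modes given in the comment.
lock_down() {
    find "$1" ! -type l -exec chmod go= {} +
}

# Mode string of one path, e.g. "-rw-------" (portable across stat variants).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample tree with typical default (world-readable) modes.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bank"
    echo "statement" > "$d/bank/statement.txt"
    echo "archive"   > "$d/bank/archive.txt"
    chmod 755 "$d" "$d/bank"
    chmod 644 "$d/bank/statement.txt"
    chmod 444 "$d/bank/archive.txt"
    echo "$d"
}

demo() {
    tree=$(make_sample) || return 1
    echo "exposed before: $(count_exposed "$tree")"
    lock_down "$tree"
    echo "exposed after:  $(count_exposed "$tree")"
    rm -rf "$tree"
}
demo
```

Setting `umask 077` in the confidential account's shell profile makes newly created files start out owner-only, so the audit stays clean.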

RE: Security
by KLU9 on Sat 17th Dec 2011 12:47 in reply to "Security"
KLU9 Member since:
2006-12-06

Has there ever... ever... ever... been an actual documented case of a Puppy system being compromised due to this issue? Ever?

Reply Parent Score: 2

RE[2]: Security
by Dasher42 on Sat 17th Dec 2011 20:53 in reply to "RE: Security"
Dasher42 Member since:
2007-04-05

Running as root on Unix systems is anathema for any real use. It subverts the entire model of security and goes well beyond the browser itself. It's what made Windows ridiculously insecure to begin with, and that platform still hasn't entirely shaken the consequences.

Puppy: something to run off of a flash drive occasionally. Look elsewhere for a general-purpose system.

Reply Parent Score: 3

RE[2]: Security
by WereCatf on Sun 18th Dec 2011 03:10 in reply to "RE: Security"
WereCatf Member since:
2006-02-15

> Has there ever... ever... ever... been an actual documented case of a Puppy system being compromised due to this issue? Ever?


Most likely not as usually Puppy is used just as a temporary solution and usually not run as a server. However, something not being documented does not equal that it has never happened.

Edited 2011-12-18 03:11 UTC

Reply Parent Score: 5

RE: Security
by WereCatf on Sun 18th Dec 2011 03:06 in reply to "Security"
WereCatf Member since:
2006-02-15

> Nevertheless, reality is that surfing the net as root carries some real risks, whether Puppy users wish to admit it or not. I would never do online banking or credit card purchases with Puppy for this reason.


I do mostly agree with you, but this is something I don't understand: why would doing online banking or credit card purchases as root be any less secure than as a regular user? Your local user account bears no significance to the security of the data that leaves the machine, it doesn't carry over.

Running as root is bad because of LOCAL privileges, i.e. a root user can modify system files, access other operating systems' disks and/or partitions etc. whereas a non-privileged user can't. But a non-privileged user can still access his or her own files, and a keylogger won't need root privileges to log what you're typing.

My point being that running as non-root is not some damn magic bullet after which you can just blindly trust anything anywhere.

Reply Parent Score: 5

RE[2]: Security
by mike99 on Tue 20th Dec 2011 16:51 in reply to "RE: Security"
mike99 Member since:
2011-12-20

Good answer (actually the best answer I read so far). Even though the % of fraud is lower from computing, I tell anyone when the subject comes up to not do "Online Banking". So, let's say you cannot get to "your bank" when you want/need. You can run Puppy from a CD-R quickly. Puppy was meant as a personal O/S. An alternative. You could spend your money, or someone else's, but, suit yourself.
*Sent from this old clunker P550 Intel 810 chipset with 192mb RAM.

Reply Parent Score: 1

RE: Security
by jello on Mon 19th Dec 2011 19:51 in reply to "Security"
jello Member since:
2006-08-08

If someone is interested here is the official security statement off the Puppy Wiki:

In Puppy Linux your user account is called root, but is not root. In puppy root is user.

More here: http://puppylinux.org/wikka/security

Also AFAIK some Puppy distros have (in addition to that) a special user named spot that is used when starting internet apps. (The distro I know that does that is FatDog64 - 64 bit Puppy Linux)

In addition, Puppy always runs in RAM, not hard disk...

Edited 2011-12-19 19:52 UTC

Reply Parent Score: 1