The officially official Devuan Forum!

#1 Re: News & Announcements » Devuan Jessie 1.0.0 Stable LTS is here!!! » 2017-05-28 14:22:30

fsmithred wrote:

@rufwoof:
You're right that there's no console autologin in debian-live jessie. That's a new thing for jessie, and I don't know if it was intended that way or a consequence of deprecating live-build. Lack of autologin doesn't add much in the way of security, since the login and password are public knowledge.

The console autologin is enabled in /lib/live/config/0160-sysvinit.

sed -i -e "s|^\([^:]*:[^:]*:[^:]*\):.*getty.*\<\(ttyS\?[0-9]*\).*$|\1:/bin/login -f ${LIVE_USERNAME} </dev/\2 >/dev/\2 2>\&1|" /etc/initta

Since you're modifying the images, you can do it however you need. You could remove live-config or modify the script or create a hook script to disable the sed line.

Thanks for that pointer fsmithred. As I'm using a HDD installed live session (and different userids/passwords than the defaults) that is useful info. Thanks again.
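
Added example (not part of the thread, and not live-config's own code): a check for the effect of the sed line quoted above. It lists entries in a sysvinit inittab-format file whose process is `login -f`, meaning the console starts already logged in. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Report inittab entries (id:runlevels:action:process) that skip authentication
# because the process field runs "login -f <user>" instead of a getty.

autologin_ttys() {
    # $1 = path to an inittab-format file; reads stdin when omitted
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        {
            # the process field may contain ":" itself, so rebuild it
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            sub(/^[ \t]+/, "", proc)
            if (proc ~ /(^|\/)login[ \t]+-f[ \t]+/) {
                n = split(proc, w, /[ \t]+/)
                user = "?"
                for (j = 1; j < n; j++)
                    if (w[j] == "-f") { user = w[j + 1]; break }
                print $1 " runlevels=" $2 " user=" user
            }
        }' "${1:--}"
}

# Constructed sample: tty1 as the sed line would leave it, tty2 untouched,
# tty3 commented out.
sample_inittab() {
    cat <<'EOF'
1:2345:respawn:/bin/login -f devuan </dev/tty1 >/dev/tty1 2>&1
2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/bin/login -f devuan </dev/tty3 >/dev/tty3 2>&1
EOF
}

sample_inittab | autologin_ttys
```

An empty result means every console entry still goes through a getty and therefore a login prompt.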

#2 Re: News & Announcements » Devuan Jessie 1.0.0 Stable LTS is here!!! » 2017-05-26 22:09:05

fsmithred wrote:
rufwoof wrote:

Wow. MAJOR SECURITY FLAW where for at least one boot choice anyone can just Ctrl-Alt-Fn to another terminal session .... that is already logged in. Yep. Choice of each/any of all six of 'em, all conveniently pre-logged in.

You must be looking at one of the live isos. Autologin to desktop and console has been a standard debian-live feature for as long as I've been using it. (since Lenny). I think the reasoning behind it is that if you are running a live session, then you are probably sitting at the computer and will shut down the session and take your live media with you when you are finished. Autologin gets disabled for the installed system unless you change the defaults in the installer.

Note that on a regular installation, if you ctrl-alt-Fn to console and login and don't log out, that login will still be accessible even if you go back to desktop and lock the screen. This is not new and not unique to devuan. I first discovered it on debian.

The Debian Jessie I run the same way (HDD installed live-boot) presents a login prompt upon Ctrl-Alt-Fn.

I prefer booting using filesystem.squashfs as that's read only and compressed, so faster (changes are also written to ram rather than disk so runs quicker on that front also). When updates are apparent I extract the sfs and boot as though a full install, apply the updates and reform a new/modified sfs. i.e. between such updates it boots the exact same every time (read only, but I have /home set as persistent (stored on another partition) so that diary, user config, browser ...etc changes are preserved across sessions).

... Just tried a fresh install of Debian standard (command line only), stripped that down to required only packages, installed live-boot (was already from a live-boot iso but that got stripped out as part of my purge script), jwm, pcmanfm, wicd as the DE and booting that 200MB filesystem.squashfs has ctrl-alt-fn present login prompts at all consoles.

#3 Re: News & Announcements » Devuan Jessie 1.0.0 Stable LTS is here!!! » 2017-05-26 13:37:04

Wow. MAJOR SECURITY FLAW where for at least one boot choice anyone can just Ctrl-Alt-Fn to another terminal session .... that is already logged in. Yep. Choice of each/any of all six of 'em, all conveniently pre-logged in.

#4 Re: DIY » browser security DIY » 2017-04-23 18:55:43

It doesn't really help for the likes of Mozilla (Firefox) to publish details of vulnerabilities

Description

Mozilla developers and community members Christian Holler, Jon Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob Clary, and Chris Peterson reported memory safety bugs present in Firefox 52, Firefox ESR 45.8, and Firefox ESR 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

... along with pointers to near enough exactly where any hacker might focus their attention to figure out potential means to break into any systems that are detected as using older versions (user hasn't upgraded their browser).

My stance is to not run browser, kodi, skype ...etc as either root or as a userid that can sudo or su. Along with setting permissions on files/folders (chmod, chown, chgrp) so that the restricted account/userid is limited to where it can see if a hacker manages to break-out of a browser/skype/whatever.

My sda3 is an NTFS format partition and to enable that to have permissions set I include an appropriate entry in /etc/fstab (see clickable thumbnail image).

My sda2 is a ext format partition, so that already has permissions setting capabilities.

For day to day usage I simply Ctrl-Alt-Fn between the likes of userid devuan desktop that is pretty much unrestricted (can su, sudo ...etc), where I store personal files/folders that I'd rather a hacker couldn't see, and the restricted userid (that I call ff and have it assigned to a group of ff i.e. mostly files/folders are owned by either root or devuan, and have a group allocation of either root or devuan ... so chmod o-wrx <folder/file> prevents anyone other than root or devuan from accessing/entering the file/folder(s).

I spend most of my time using that ff userid account's desktop (browsing whilst listening to the radio or using skype ...etc.), and even do documentation/office work using that ... but later move the files using devuan userid (that can see ff's files) to another folder owned by devuan userid out of harm's way.

My devuan and ff users' desktops are pretty much the same except the wallpaper (as a visual indicator) and I don't include quick launch icons/panel launchers for network type programs such as browser/skype ...etc on the devuan userid's desktop (bit of a visual reminder to switch to ff's desktop to launch such programs).

The best train of thought IMO is have a browse around your personal data/docs and see what you can see with the userid that you use to run your web browser ... and if you're not happy about what you can see then you need to make some changes. I don't know if my choice of closing the door is the best or in truth much about the alternatives either, it works for me (within my limited skills/capabilities) and provides an element of mental comfort. I appreciate however that nothing is truly safe. System files/configurations are replaceable ... personal data/files (wedding photos whatever) aren't. A good backup plan storing irreplaceable/invaluable personal files/photos offsite and multiple copies as-ever is the best approach.
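
Added example (not from the post): one way to do the "see what you can see" check without logging in as the restricted userid. It lists everything under a tree that an account in neither the owning user nor the owning group can reach, before and after the `chmod o-rwx` step the post describes. The function names and the demo tree are constructed; ACLs and the permissions of parent directories above the audited tree are not considered.

```shell
#!/bin/sh
# Print every file/dir under $1 that "other" accounts can read or write.
# A directory without the other-execute bit cannot be entered, so it is
# pruned and nothing below it is reported, whatever its own mode bits are.
other_reachable() {
    find "$1" -type d ! -perm -001 -prune \
        -o ! -type l \( -perm -004 -o -perm -002 \) -print
}

# The post's fix: remove all "other" permission bits from the given paths.
close_to_others() {
    chmod o-rwx "$@"
}

# Constructed demo tree: one personal folder, one folder meant to be shared.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/personal/photos" "$t/downloads"
    echo x > "$t/personal/photos/wedding.jpg"
    echo x > "$t/downloads/file.txt"
    chmod 755 "$t" "$t/personal" "$t/personal/photos" "$t/downloads"
    chmod 644 "$t/personal/photos/wedding.jpg" "$t/downloads/file.txt"

    echo "reachable by others before:"
    other_reachable "$t"

    # Closing the top folder is enough: photos/ keeps mode 755 but
    # can no longer be reached through personal/.
    close_to_others "$t/personal"

    echo "reachable by others after:"
    other_reachable "$t"
    rm -rf "$t"
}

demo
```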

#5 Re: Devuan » Which is more helpful for Devuan for me to run, Ascii or Jessie? » 2017-04-23 17:55:59

As a single user desktop user I'd hope that Jessie was your preferred focus :). I'll be sticking with that for a year or so after Debian release Stretch as the current-stable and only then consider upgrading i.e. Jessie a year into old-stable (few updates, still being security updated). However having tried Devuan out for less than 24 hours I'm somewhat hooked :)

Not found anything wrong yet myself ... other than (perhaps/maybe) Ctrl-Alt-Fn terminal switching takes me to an already logged in (as devuan userid) session on each one. In contrast to in Debian where I was presented with a logon prompt on each. But that may be just the way I have installed/set things up. No bother to me either way as I only tend to use that for switching to a more secure userid that I set up specifically for general use (no su, no sudo, limited to what other files/folders it can see).

I like using Firefox but find how they publish vulnerabilities such as this one to be a bit .... daft. In effect guidance for potential hackers of how to breach versions that haven't upgraded. Accordingly my policy is to limit the scope of the userid that I use to run Firefox (and Skype, Kodi ...etc.) and Devuan userid doesn't fit that purpose/objective. Instead I create another userid that uses restricted bash, has no su nor sudo, its own group separate from the root and devuan owner/groups across the system ... and I just restrict access to the folders from 'others' so that that userid can't even see the data/personal files/folders that I choose to restrict access to.

#6 Re: Hardware & System Configuration » Updates » 2017-04-23 14:21:53

I downloaded yesterday and Unattended updates isn't installed (by default)

#7 Re: DIY » Devuan Frugal » 2017-04-23 14:19:26

You can take that type of installation further.
If you create an ext3 file filesystem
dd if=/dev/zero of=somefile bs=1M count=4096
to create a 4GB sized file filesystem. And then format it
mkfs.ext3 somefile
then you can mount that
mkdir mountpoint
mount somefile mountpoint
... and copy a similar sort of setup into that.
In Debian, with some mods to initrd you can even have that as being writeable within a NTFS partition.
Which means that you can have a small boot USB containing initrd, vmlinuz and a live folder with an empty filesystem.squashfs ... that boots and finds that larger filesystem file (that might for instance be in the root folder of a NTFS partition) ... that boots up and runs nicely.

An easy form of first user type setup. Download a small USB image and burn that to a USB stick for bootup purposes. Download a compressed version of that 'somefile', uncompress it on their Windows box ... and boot up Devuan :) (They do have to hard shutdown windows and disable secure boot).

And all changes can be persistent ... as before (or not if you so desire).

#8 DIY » Devuan Frugal » 2017-04-23 14:06:42

rufwoof
Replies: 6

Downloaded the 1.0 Devuan RC liveCD iso file
Mounted the iso and extracted the initrd, vmlinuz and /live/filesystem files from that
Starting from an empty /dev/sda1, formatted to ext3, set the boot flag on, gave the partition a label of 'persistence'
grub4dos bootloader installed (that creates grldr and menu.lst files) to that partition's MBR
Created a persistence.conf file containing

echo / union >persistence.conf
echo >>persistence.conf

Moved the iso extracted initrd and vmlinuz files to the / folder
Created a /live folder and moved the filesystem.squashfs file into that folder
Created a /live/jessieamd64xfce file for the bootloader to be able to 'find'

In effect that creates a HDD installed liveCD type setup, that can be booted. It's also the persistence partition that liveCD type boot can save changes to. The same single partition is a boot, save and main filesystem containing partition. If you create a file type swap file then it can even also be the "swap partition".

cd to the live folder and extracted its content
unsquashfs -f -d /mnt/sda1 filesystem.squashfs

Edited menu.lst to look like

# menu.lst
color white/blue black/cyan white/black cyan/black
#splashimage=/tempest.xpm
timeout 3
default 0

title Devuan PERSISTENCE RW
find --set-root /live/jessieamd64xfce
kernel /devuan/vmlinuz boot=live username=devuan rw showmounts persistence persistence-label=persistence persistence-storage=filesystem
initrd /devuan/initrd

title Devuan PERSISTENCE RO
find --set-root /live/jessieamd64xfce
kernel /devuan/vmlinuz boot=live username=devuan rw showmounts persistence persistence-read-only persistence-label=persistence persistence-storage=filesystem
initrd /devuan/initrd

title Devuan FILESYSTEM ONLY RO
find --set-root /live/jessieamd64xfce
kernel /devuan/vmlinuz boot=live username=devuan
initrd /devuan/initrd

With those three boot choices you can either boot the content of the filesystem.squashfs only (third one in the list) but where no changes will persist across reboots, which is handy if other files get corrupted. Or you can boot where all changes are preserved as they're made (first one in the list); Or boot where changes aren't preserved across reboots (second one in the list). 2 and 3 are very similar at first, but if you boot RW and make changes then they'll be stored in the persistence partition (i.e. in my case sda1 partition files), which might then be booted read-only (1) that sees those prior changes (that will make it different from if you'd booted the unchanged version i.e. (3) that uses filesystem.squashfs).

2 and 3 are great for trying things out, perhaps some changes, and then being able to reboot without those changes being preserved. 1 is good for booting up, making changes (perhaps updates) and then perhaps rebooting using 2 or 3 again so that no further changes are preserved.

You can take that a step further, and set it up to boot as though a full install. Just add a chain from the grub4dos menu.lst to Grub's menu.lst (or whatever). Handy for when a kernel update occurs as persistence type boots don't usually cater for such kernel updates.

I use that all the time. Mostly I only boot (1) style to initially set things up the way I like and then I use (2) style so that I boot the exact same factory fresh/pristine version each and every time. Then when updates are apparent I'll boot (1) again and apply those updates

apt-get update
apt-get upgrade

and then reboot back to (2) again

If things turn bad and there are problems, I'll boot (3) style (original setup).

If a kernel update is required I'll boot as though a full install and apply the updates before booting (2) again.

(2) is a pain in that no changes are preserved across reboots. So browser bookmarks, orage calendar entries ... etc changes are all lost. However if you move the HOME folder to another partition then any changes to that folder tree are preserved (diary/calendar/bookmarks ...etc.).

You can recreate a new /live/filesystem.squashfs at any time. Boot using another linux and
cd to the /live folder and run something like

mksquashfs /mnt/sda1 filesystem.squashfs -e live

mksquashfs and unsquashfs require squashfs-tools to have been installed from the repository
(apt-get install squashfs-tools).

So far I've setup
Kodi (multimedia)
Skype (telephone calls)
MasterPDFEditor (pdf editor)
Openshot (along with blender and inkscape that are required for it to work properly) for video editing
Audacity for sound editing

along with the more usual Libre office suite already being installed ...etc

Tweaked the layout to how I like (pretty much an empty canvas (desktop) ready to have work files dropped into, and with the more common programs I use in the panel). pavucontrol installed ... and sound/images all working great (listen/watch youtube in firefox whilst playing radio station using kodi ...etc.)
