How to create isolated, underprevileged but standard user accounts?
- This topic has 49 replies, 10 voices, and was last updated Sep 1-7:37 am by Brian Masinick.
August 10, 2020 at 8:03 am #40087Moderator
Brian Masinick
::To all new or recent readers:
The suggestions that @rokytnji: has provided are good and solid. We are, generally speaking, a good and helpful community.
Just the same, many of us have many activities, just as you do. Sometimes we know the answers to questions, but perhaps almost as often, we have to hunt down the answers too.
The suggestions that Roki offered therefore, while not DIRECTLY giving you any SPECIFIC answers to your questions, are actually excellent suggestions:
Take the time to read, study, search, experiment, and try things out. If you continually and persistently try, usually you will find many answers yourself, and you will have learned a lot.
There are times when you are tired, frustrated, unsure, etc. Most of us “get that” too. We understand, and we may be able to help. But if you come to the forum, explain what you are attempting to do, what you have tried, what the “unexpected” results of your efforts were, and what the “expected” results are, more than likely someone will be able to help, or at least suggest a few resources you can search to find a working solution.
So there are TWO responses in this forum from “old” veterans, who learned the very same way, we read, we studied, we tried things out, made mistakes, maybe even had to rebuild a system 2, 3, 4 or more times. But then we had success. Sometimes we asked a few questions, but mostly we shared the results of work that came from trial and error, and that was also based on things we tried after examining the possibilities, or sometimes just to break it and see what would happen and what we could learn from it.
Hope this very general, but experienced expression will ultimately help many people become the future experts of this forum and the software that we use. Best wishes!
--
Brian Masinick
August 10, 2020 at 8:55 am #40091Memberseaken64
::Hello anilkagi,
Lots of good ideas here, and as Roky and Brian have stated, you will continue to find good help and support from this group, even if we don’t all know the specifics of a particular task. I stated earlier that I thought this was an “advanced” topic for antiX. But if you keep at it YOU will become our resident expert in setting up antiX to use with restricted users with maximum security. Just be sure to come back and share as you learn new things, as you are doing.
Seaken64
August 11, 2020 at 8:36 am #40114Memberanilkagi
::Hello everybody,
The great thing about this forum is, it is very responsive. Members come up to help, giving suggestions, that solve problems. Further if some issues are not made clear by the solution seekers, attempts are made to understand the issue through inquiry and then solutions are provided.
Even though I have posted so many queries and got solutions, I am sometimes hesitant to ask, afraid that I haven’t tried hard enough to find answers on my own, but then I have exhausted my tries. I then ask hesitantly, but the members of this forum are such lovely people that they pick them up and try to resolve. I am relieved then. Some are quickly resolved, some take time, but the compassionate members keep their efforts on.
When I hate the situation most is, at times when my ignorance is so terrible that I feel I would need hand-holding, to walk me through the process, when I am sure that I am making stupid assumptions and asking stupid things, when I am asking for too much. It is at these times that I feel people would hate me. [Rockytnji, when I said that, I did not have any negative feelings. I was just asking forgiveness for asking too much. I have read many of your great answers. You are one of the most knowledgeable members of the forum.] When I started this thread, I felt like a fool, like one who was expecting absurd things. But the honorable members encouraged me, came up with wonderful suggestions that could actually make it possible.
I have no words to express my gratitude. I have learnt, I have benefited from the forum and Antix. I wanted to say so much about Antix, I wanted to express my thoughts through a couple of posts, but haven’t materialized yet.
I am greatly thankful to all the members for their encouraging words. I will try to be a good member of the forum, abiding by its regulations, avoid being a help vampire and do my best to help other newbies like me wherever and however I can.
Thank you all again. My efforts to accomplish this setup are on. I will come up with what I did and seek further guidance. I would appreciate any further instructions and advice. Regards.
August 11, 2020 at 9:11 am #40115Moderator
Brian Masinick
::@anilkagi: I appreciate your sentiments in every respect.
On one hand, we definitely appreciate it when people at least make an attempt to figure out issues by reading documents, searching for previously solved issues that are similar, etc. However, sometimes the jargon, the tool, or something about the issue is simply too overwhelming, sometimes even for veterans, so we collaborate with one another, “brainstorm” our thoughts, and suggest resources that we may have forgotten.
For someone who doesn’t design, develop, or test software for a living, I can imagine how difficult it can be. Even when there is a software concept or tool that I haven’t used before, it can be challenging, even for a veteran. So don’t be afraid to speak up and write. As long as you demonstrate a willingness to learn, most of us are pretty understanding. Moreover, if you can tell us what you were examining that was confusing to you, it may help our documentation and support team to improve their work, and it may also help those of us who help out from time to time to better assist you. Not only that, speaking up may assist someone else looking for a similar solution, so don’t be afraid to speak up.
When I respond to someone, I may ask them to read and review, but I try to be as understanding as possible, because we all come from a wide, diverse background, with different levels of experience and even completely different languages and cultures. This software community is a great place to demonstrate helpful, kind attitudes to others, regardless of skin color, race, orientation, or age. At least from my perspective, anyone with a polite attitude is welcome here.
(NOTE to ALL of us): even when our temperament and attitude isn’t the best, remember that we ALL have good days and not so good days. Try to remember this even if someone is a bit abrupt. We can remind people to be polite, but remember that it can be frustrating when something isn’t working right, so let’s do all that we can to contain our emotions and behavior, consider what it’d feel like to us if we were struggling with multiple things – maybe a job or family issue, plus some misbehaving software – that can be a “cocktail” for less than an ideal exchange. So I caution both the people who have frustrations and the people responding. We can ask to be patient, and we can also provide just a bit more “tolerance” in difficult circumstances. I wish everyone success, cooperation with one another, and we will collectively work together to continue to improve the information and the technology that we provide!
--
Brian Masinick
August 11, 2020 at 9:51 am #40116Moderator
Brian Masinick
::With regard to the question at hand, I would say that antiX is an excellent place to construct whatever environment you want to build. It starts out very light and simple. It isn’t set up in any specific way for security; however, it is much more geared toward conserving system resources (running light and fast on recent equipment) and working for many years on older equipment.
“Security Enhanced” Linux, commonly known as SELinux, is a collection of tools that help to make a system more secure. You can either seek these tools and packages, add them, learn about them, and configure them. Alternatively you could keep antiX around for certain “light” tasks and also download a distribution that includes many of these types of tools and packages, and that may simplify your work.
Finally, since antiX is pretty “lean and mean”, you may want to run antiX from a USB2 or USB3 stick device, using what’s known as “persistence” to save certain things, making it easier when you run it again. If anything is “compromised” in any way, you can “start over” or replace.
--
Brian Masinick
August 13, 2020 at 11:28 am #40244Forum Admin
Dave
::In a no-persistence-frugal install, if the system is infected with a malware, the malware can make changes to the system during the session. Of course its effects will be gone after next boot. However the malware can make changes to the system during the session, and make the system to malfunction, during that session. This does not happen to a Read-Only-Root system. No malware can bring any change to the system even during the session, since it is read only.
Yes and no…
Yes in that it is a lot more difficult to write to the root filesystem. However it is already difficult to write to the root file system as a regular user; albeit a little more difficult with a read only mount (you would probably notice this when trying to run some applications that you actually want to run and they need to make temp files, caches, and libraries/databases). From a security standpoint, it will take a bit of work and monitoring to keep proper. It is not just a switch to a read only file system mount. Aside from this, regular malware from browsing the web is fairly unlikely to have root access… so the root file system is kind of already read only from that perspective (granted there are proper permissions and group settings). If you are worried about having some sort of root access to be able to modify a file… well read only will probably slow this down but it is not likely going to stop this (depending on the type of access). Unless you severely limit the system there is nothing stopping someone with root access from issuing a
mount -o remount,rw /
to get the file system back to read / write mode and doing whatever you were trying to restrict.
You could then remove some commands from the system and make it “impossible” for even root to change and have the mounts set from within the initramfs. You would have great frustration then trying to use a usb/cd/dvd 😉 Then carefully consider different avenues for adding the commands back and try and disable them as well. (download and run the needed command/program in tmpfs? do you have exec permissions on the tmpfs mount?) Then at what point does the system become unusable.
I guess this is where the idea of jailing applications / running a chroot / container / virtual machine guest / etc come from. Start another “machine” as if it is the only “machine” running and has only the required files to run only the application you want.
https://wiki.debian.org/chroot
and to see the needed files
ldd YOUR-COMMAND-HERE
And does this ever get tricky to run an application that requires an X server.
Computers are like air conditioners. They work fine until you start opening Windows. ~Author Unknown
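Added example, not part of the original post: a way to check the two conditions the post above raises, whether `/` is currently read-only and whether writable tmpfs or temp mounts still allow execution. The function names `has_opt`, `audit_mounts` and `sample_mounts` and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mount options in a /proc/mounts-format table on stdin.
# Real use: audit_mounts < /proc/self/mounts

# has_opt OPTS NAME: succeeds if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        # Root file system: report its current state. A later
        # "mount -o remount,rw /" by root changes this, so re-check over time.
        if [ "$mnt" = "/" ]; then
            if has_opt "$opts" ro; then
                echo "OK   / is mounted read-only"
            else
                echo "WARN / is mounted read-write"
            fi
        fi
        # Writable scratch areas: without noexec a downloaded binary can be
        # run from here even when / is read-only.
        case "$fstype:$mnt" in
            tmpfs:*|*:/tmp|*:/var/tmp)
                has_opt "$opts" ro && continue
                for want in noexec nosuid nodev; do
                    has_opt "$opts" "$want" ||
                        echo "WARN $mnt ($fstype) is writable without $want"
                done ;;
        esac
    done
}

# Constructed sample table (not taken from a real antiX system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
EOF
}

sample_mounts | audit_mounts
```

Running it from cron or a login script and comparing the output between sessions shows when a mount has been flipped back to read-write.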
August 13, 2020 at 10:13 pm #40258Memberanilkagi
::Hello Dave. Thanks for the nice and detailed explanation.
That “mount -o remount,rw /” was a surprise. Does it need a ‘sudo’ at least or not? Or is it for surpassing root itself? I read that it can be helpful when root password is forgotten.
So there is no such thing as an absolutely secure system. We HAVE to take our chances. Only thing that can be done is, threats can be minimized. Security can be increased only by limiting the system. It is rightly said, “the most secure system is the one not powered on/used”.
I think Frugal-only install combined with Firejail offer quite sufficient security and are the best possible options for the setup that I am seeking.
What are the possibilities of breaking into Firejail? Just curious to know.
August 17, 2020 at 5:14 am #40397MemberPDP-8
::Surely this can be done with anti-X as a general-purpose system. More power to you.
Just want to point out that for a locked-down browser for security, and if you don’t have the time to do it with antiX, or vet the fact that the way you do it is actually secure, perhaps a dedicated tool by those who specialize may be called for.
Our friends over at Porteus have a specialized “Kiosk” version, in addition to their regular general-purpose releases which you may want to look into for just the browser/banking/privacy kiosk mode for yourself.
https://porteus-kiosk.org/index.html
Perhaps run that, and see some ideas that you may want to incorporate into your own antiX version you build.
August 19, 2020 at 6:17 am #40489Memberanilkagi
::Thanks PDP-8, for the inputs,
I had come across that site when @Dave had mentioned about kiosks, earlier in the discussion, but had just read it fleetingly, focusing more on Firejail. Now when you recommended it, I again went through it more intently. It is interesting. I will study the prospects and see where I can make use of it. Thanks for recommending.
August 19, 2020 at 12:51 pm #40505Memberolsztyn
::Our friends over at Porteus have a specialized “Kiosk” version, in addition to their regular general-purpose releases which you may want to look into for just the browser/banking/privacy kiosk mode for yourself.
Porteus-kiosk would be a very nicely put together system that would nicely fit secure browsing and banking if not one critical fault that kills such idea for me:
During setup process, which is very comprehensive and well done, you select your Wi-Fi connection and set up login. After you finalize your setup of Kiosk you burn to USB for ‘production’ use. When using such Kiosk you are stuck with the WiFi connection you selected during setup. If it is not available the entire Kiosk becomes practically dead. There seems no way to choose another working WiFi. If you are stuck at home you might be OK using it but if you travel it becomes useless.
Live no-persistence antiX/Frugal does not have this problem. You still can connect to any WiFi available.
Just my two cents…
Live antiX Boot Options (Previously posted by Xecure):
https://antixlinuxfan.miraheze.org/wiki/Table_of_antiX_Boot_Parameters
August 27, 2020 at 12:40 am #40811Memberanilkagi
::Hello there,
After lots of permutations and combinations, trials and errors I settled for one setup, which I am happy with. It’s working fine. However, there are some thoughts lingering in my head that I need to verify but let me first report what I did in brief.
I did a frugal install with extlinux as the bootloader. Installed some packages that I needed.
I created an unprivileged user on which I created a VM that houses another antiX-base, on which I shall install GSConnect and link it to the android phone. (I have not done it yet). I have installed firejail and I can start the VM in firejail without any errors, now. Initially I got some errors but they are resolved now.
I removed the default demo account after creating a new sudo user and edited the slim.conf to get the login screen.
I have customized the OS, remastered it and have kept a backup of the customized & remastered linuxfs file.
I am happy with the setup. It’s fast, clean and crispy.
Thanks to all you great guys I am happily settled with an OS that I love.
Now coming to some musings of mine, I will discuss them under different headings.
1] Firefox browsing history and bookmarks in a frugal install:
In a frugal install, the browsing history is not available after a reboot and one would have to remaster every time one creates a new bookmark. To avoid this, I am thinking of placing 7 files from the /home/user/.mozilla/firefox/profile/ into a separate partition and creating symlinks here. I have tried and checked this and it works. The history and bookmarks are retained that way and it is not necessary to remaster every time I create a new bookmark.
Those 6 files are; formhistory.sqlite, key4.db, logins.json, cookies.sqlite, permission.sqlite, favicons.sqlite, places.sqlite
Now my query here is, in such a setup where the above mentioned files are placed on a separate partition and symlinks for them are created in their source directory i.e. /home/user/.mozilla.firefox/user-profile/; would this reduce the security of the system in any way?
2] Chromium browsing bookmarks in a frugal install:
Similarly with Chromium. I tried by placing the /.config/chromium/defaults/bookmarks file on a separate partition and creating a symlink in the source directory. I don’t need Chromium history. It works. However, would this too reduce the security of the system in any way?
3] VirtualBox VMs
In any system, frugal or not, if the VMs are created and placed in the default folder /home/user/VirtualBox VMs, whenever a reinstall is done a frugal system is replaced, the VMs are lost. In order to avoid this, if the VMs are placed on a separate partition, they can be available even after a reinstall.
Similarly in a frugal install, if the VMs are placed in a separate partition, would that affect the security of the system.
I am asking these questions because, I have carried out the frugal install in order to avoid the corrupting of the OS by some malicious program, that entered the system while working. Every time I reboot, I get a pristine new OS. I would like to know, would this frugal setup be affected in anyway by keeping some system files on separate partitions. That is;
Can a malicious program enter those files placed in a separate partition and persist there and affect the system even after a reboot?
Thanks & Regards.
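Added example, not part of the original post: a check for the setup described above, where profile files live on a separate partition behind symlinks. It verifies that each symlink still resolves into the persistent directory and that the directory holds only the expected data files with no execute or setuid bits. The function names `audit_persist` and `make_demo_tree` and the demo tree are constructed; the file names in `EXPECTED` are the ones listed in the post.

```shell
#!/bin/sh
# Added example: audit browser-profile files kept on persistent storage.
# File names are as listed in the post; edit EXPECTED to match your profile
# and extend it if the browser creates other files there.
EXPECTED="formhistory.sqlite key4.db logins.json cookies.sqlite permission.sqlite favicons.sqlite places.sqlite"

# audit_persist PROFILE_DIR PERSIST_DIR: prints one WARN line per finding.
audit_persist() {
    profile=$1
    persist=$(readlink -f "$2") || return 2

    # 1. Each symlink in the profile must resolve to a regular file inside
    #    PERSIST_DIR; anything else means the link was redirected.
    for link in "$profile"/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f "$link")
        case "$target" in
            "$persist"/*)
                [ -f "$target" ] || echo "WARN ${link##*/} -> not a regular file" ;;
            *)  echo "WARN ${link##*/} -> resolves outside the persistent directory" ;;
        esac
    done

    # 2. The persistent directory should hold only the expected data files,
    #    none of them a symlink, none with execute or setuid/setgid bits.
    find "$persist" ! -path "$persist" | while IFS= read -r path; do
        name=${path##*/}
        case " $EXPECTED " in
            *" $name "*) ;;
            *) echo "WARN unexpected entry: $name" ;;
        esac
        if [ -L "$path" ]; then
            echo "WARN symlink on persistent storage: $name"
        elif [ -f "$path" ] && { [ -x "$path" ] || [ -u "$path" ] || [ -g "$path" ]; }; then
            echo "WARN executable or setuid/setgid file: $name"
        fi
    done
}

# Constructed demo tree (no real profile data): two good links, one link
# redirected elsewhere, and one stray executable on the persistent side.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/profile" "$root/persist" "$root/elsewhere"
    for f in places.sqlite key4.db; do
        : > "$root/persist/$f"
        ln -s "$root/persist/$f" "$root/profile/$f"
    done
    : > "$root/elsewhere/cookies.sqlite"
    ln -s "$root/elsewhere/cookies.sqlite" "$root/profile/cookies.sqlite"
    printf '#!/bin/sh\n' > "$root/persist/update.sh"
    chmod 755 "$root/persist/update.sh"
    echo "$root"
}

demo=$(make_demo_tree)
audit_persist "$demo/profile" "$demo/persist"
rm -rf "$demo"
```

Mounting the persistent partition with `noexec,nosuid,nodev` complements this check, since the files kept there are data only.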
August 29, 2020 at 6:56 pm #40898Memberseaken64
::@anilkagi,
I think you should start new topics for each of your two questions (Firefox/Chromium, VirtualBox).
Seaken64
August 29, 2020 at 9:17 pm #40904Moderator
Brian Masinick
::Frugal or fixed, there’s always a slight chance to get compromised by a malicious intruder. The restarted Frugal instance helps. Your approach can work out. There is a greater chance for compromise unless you can also put the saved information on removable storage.
You are the best person to choose the amount of risk versus convenient behavior and security of the information.
--
Brian Masinick
August 30, 2020 at 6:38 am #40910Memberanilkagi
::Thanks Brian,
Your approach can work out. There is a greater chance for compromise
I understand. That was all I wanted to know. I was expecting some huge instability issue or security risk. Still, I will see whether I want it or not.
unless you can also put the saved information on removable storage
That’s an interesting idea.
@anilkagi,
I think you should start new topics for each of your two questions (Firefox/Chromium, VirtualBox).
Seaken64
Thanks Seaken64, for the suggestion.
I thought, since it is related to what I started, I should post it here. Anyways, Brian’s reply was all I wanted. I wanted the opinion of an expert, since I thought it could pose a big problem sooner or later.
August 30, 2020 at 8:42 am #40920Moderator
Brian Masinick
::@anilkagi: I do NOT expect that you will encounter a “huge instability” by adopting your own conventions. Even the potential security issues are probably NOT huge risks, UNLESS the information you store would greatly benefit someone attempting to secure it for a major financial benefit, or if it provided someone with an easy platform to launch threats to others.
I’ve never been compromised on or through either antiX or MX Linux regardless of the manner in which I use them. All I do is exercise reasonable, but not extreme measures. I use a decent password, and follow good overall practices and that’s it.
Using Linux systems, even if they are not 100% perfect, makes them less of a target than old Windows machines, though Windows has also improved a lot in basic security. Sloppy, careless use of passwords and general practices is what opens the door to intrusions on any platform.
I’d say that weak passwords and careless use of corporate computer systems pose the highest risk. Good company practices force their users to regularly set good passwords, use the appropriate firewall and other technologies, and take training that teaches them to avoid dangerous practices. That reduces exposure. If a malicious attacker feels they can gain something, they will try, but 95% (or more) of the time they’d rather use something with weak security than take a lot of time to intrude in a place where they are likely to be monitored and prosecuted if caught.
--
Brian Masinick