What does your non-Debian desktop look like?

Off-Topic discussions about science, technology, and non Debian specific topics.
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1456 Post by Head_on_a_Stick »

debiman wrote:i'll never understand why people use one of the most secure operating systems there is, only to then hand all their usage stats over to the big G...
This thread on @misc will get you reaching for the tin-foil:

https://marc.info/?l=openbsd-misc&m=153736113411281&w=2

Note Theo's reaction :twisted:
debiman wrote:chrome isn't even open source!
No but www/chromium is. Chrome doesn't even work on OpenBSD.

OpenBSD users favour Chromium because of its tight integration with both pledge(2) and unveil(2) and also because Theo says it's better than FF:

https://marc.info/?l=openbsd-misc&m=152872551609819&w=2

https://marc.info/?l=openbsd-misc&m=152872744210957&w=2
deadbang

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What does your non-Debian desktop look like?

#1457 Post by GarryRicketson »

OpenBSD users favour Chromium ---snip---
Shouldn't that be "some OpenBsd users"? I know of at least 1 that doesn't, maybe "most" do but I don't know on that:
Image

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: What does your non-Debian desktop look like?

#1458 Post by debiman »

Head_on_a_Stick wrote:
debiman wrote:chrome isn't even open source!
No but www/chromium is. Chrome doesn't even work on OpenBSD.
strange, i wonder if i misread what ruffwoof wrote.
anyhow - show to me where *BSD removes all calls to google servers from chromium's code!

PS:
Image

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What does your non-Debian desktop look like?

#1459 Post by GarryRicketson »

Looks like that is what they said:
ruffwoof>Chrome is pretty much my gui desktop, calculator.html, text.html, online email, mp4/mp3 player ... etc. Also tracking -current myself now and Chrome + Pledge + unveil is working very well. I've also shifted from dual boots to just OpenBSD now (whole disk install).
Side note, For what ever it is worth:
show to me where *BSD removes
To lump all the bsd's into one category, is sort of like lumping all the linux distros , based on Debian, into 1 and saying "show me where the *Debians",... OpenBsd is not the other BSD's.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What does your non-Debian desktop look like?

#1460 Post by GarryRicketson »

Here is my "gui" and calculator, no need for Chrome and some website for a calculator :mrgreen:
Image

Just kidding around here, please don't take me too seriously.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1461 Post by Head_on_a_Stick »

debiman wrote:i wonder if i misread what ruffwoof wrote
No, I think ruffwoof wrote "chrome" because the browser is called from a wrapper script at /usr/local/bin/chrome
debiman wrote:show to me where *BSD removes all calls to google servers from chromium's code!
AFAIK there is no such removal, the general presumption here is that because chromium is open source then the Big G would be committing commercial suicide by attempting to hide such a device in a place viewable by anybody.
GarryRicketson wrote:Shouldn't that be "some OpenBsd users"
Yes, quite right, thanks for the correction Garry :)
deadbang

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: What does your non-Debian desktop look like?

#1462 Post by GarryRicketson »

Actually, in a way I am using "chromium" as well "Iridium" is based on chromium,... but some times I use other browsers as well.
Ahh, and on a side note, I also have a rather high number of packages, most are packages I don't even need or use, but installed when I was trying to run some tests, or see if I could duplicate a problem some one else was having. On the VM's I have even more.

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: What does your non-Debian desktop look like?

#1463 Post by ruffwoof »

Yep! Should have said Chromium as that's what's installed, but you run chrome from the command line or wherever to run it.

I have a /etc/hosts snippet that blocks google (and facebook) that I append to Steven Black's hosts list (that's as good as ad-block). Not sure how that google list was formed (many I suspect were mapped using traffic flows), but it does a good job and the browser is much quicker at loading some web pages that otherwise can be very sluggish to load/view. When I do want to do a google type thing I just revert to Steven Black's list only as a temporary measure. I set /tmp as my chromium disk-cache-dir so pretty much start off with a clean browser at each reboot. I don't store bookmarks in chromium either, I maintain my own html file for those that shows the date/time in the tab title.

Image

Normally I have tmux and chrome maximised and just flip between the two with alt-tab (and then select the relevant tab/window in either chrome or tmux for the thing I want to do). No root actions within X (that runs as user (no su or doas/sudo)), I use the console (ctrl-alt-F1) only for root actions. Docs/data are stored under root ownership and fed in/out of user's sight on an as-and-when basis.

Chrome(ium) in OpenBSD 6.4 with unveil and pledge is pretty much sandboxed, when running under user ... well privilege elevation in OBSD is tough to say the least (randomised kernel, fileid's, process id's, write xor execute memory separation, no setuid's ...etc. etc.).

Try for instance installing xdotool (for simplicity), open a xterm window and su into root within that. Open another xterm window as user and run something like

Code:

xdotool search --name xterm
to identify the first xterm's window id, and then run

Code:

xdotool windowactivate 6291469 type "$(printf 'date\r')"
but substituting the window id from earlier instead of 6291469 that was the window id in my case. You could have run rm -rf / (DON'T), or targeted perhaps a file manager window running as root to stuff keystrokes to perhaps use its open-terminal-here option and then stuff keystrokes into that root xterm window. A very trivial example of how a single browser flaw (Firefox tend to publish details of how remote code exploits were available in older versions) could open up remote command execution at the level the browser was running under (user), and where that could facilitate elevation to root if another window were running something as root.

pawRoot
Posts: 603
Joined: 2016-12-28 18:26
Has thanked: 1 time
Been thanked: 1 time

Re: What does your non-Debian desktop look like?

#1464 Post by pawRoot »

Head_on_a_Stick wrote: However, there is no way that an installed package can expose a vulnerability
It can on Windows :mrgreen: (not sure about Linux)

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1465 Post by Head_on_a_Stick »

^ It's probably a bad idea to have a full build system installed because this can potentially allow an attacker to make their own toolkit... :cry:
deadbang

Nili
Posts: 441
Joined: 2014-04-30 14:04
Location: $HOME/♫♪
Has thanked: 5 times
Been thanked: 3 times

Re: What does your non-Debian desktop look like?

#1466 Post by Nili »

Image

Credits:
OS: Devuan
WM: Openbox
Music Player: DeaDBeeF
GTK2/3 Theme: Qogir
Icons: Hedra
Others: Compton | conky-std | URxvt/tmux with manta color palette.
openSUSE Tumbleweed KDE/Wayland

♫♪ Elisa playing...
Damascus Cocktail ♪ Black Reverie ♪ Dye the sky.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: What does your non-Debian desktop look like?

#1467 Post by debiman »

Head_on_a_Stick wrote:
debiman wrote:show to me where *BSD removes all calls to google servers from chromium's code!
AFAIK there is no such removal, the general presumption here is that because chromium is open source then the Big G would be committing commercial suicide by attempting to hide such a device in a place viewable by anybody.
commercial suicide?
why so? phoning home is considered utterly normal these days, and 99% of exploitable data providers (a.k.a. "users") don't care or understand either way.
please have a good look at this, esp. around "Most of the additional features..."

btw, i don't mean to lump anything together.
i'd be happy to see such proof from any one of the BSDs.

PS:
Image
Image
Image
https://notabug.org/ohnonot/DarK-theme

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1468 Post by Head_on_a_Stick »

debiman wrote:
Head_on_a_Stick wrote:
debiman wrote:show to me where *BSD removes all calls to google servers from chromium's code!
AFAIK there is no such removal, the general presumption here is that because chromium is open source then the Big G would be committing commercial suicide by attempting to hide such a device in a place viewable by anybody.
commercial suicide?
why so?
Well it seemed to cause a bit of a fuss the last time Google were caught with their hand in the cookie jar:

https://www.reddit.com/r/linux/comments ... mium_devs/

EDIT: for the record, I am not bothered about data harvesting from my machine, it is a non-issue for me. I do not store sensitive information on electronic devices, that would be foolish.

p.s.

Image
deadbang

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: What does your non-Debian desktop look like?

#1469 Post by ruffwoof »

OpenBSD 6.4

My primary daily system is basically just base OpenBSD that includes a httpd server, X, window manager(s) ...etc. + chromium + mc (file manager/text editor). With that I can cover most of my needs - word processor (text -> html -> PDF using chromium), mp4 player, online email ...etc. And as Chromium is now both pledged and unveiled ... as good as sandboxed.

As I use ddns so my desktop system is also a server (can share stuff using the httpd server etc.), and I also have it setup so I can ssh into it remotely. Console/cli stuff for that is great as you can use practically any low powered device to ssh in and re-attach to a tmux session that is running mc, alpine (mail), calcurse (calendar/diary) ...etc. As long as the device can ssh then the load is very (very) low. And its all consistent across devices/locations.

Attached shows a split tmux pane (that when using you can zoom in/out), but personally I don't tend to use such split panes, instead I just use a single maximised window for each program in separate tmux windows and I've set F12 to step between those, i.e. top of screen shows separate tmux windows for mc, alpine, calcurse (the visible window in the image), cmus music player, lynx web browser and ispell.

Image

I leave a (cwm window manager) 1 pixel top of screen 'gap', so I can click the desktop even when windows are maximised to show the cwm menus and flip between them that way, however as I tend to only have chromium and tmux 2 windows, alt-tab between them is easier (or alt down arrow)

Image

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1470 Post by Head_on_a_Stick »

@ruffwoof: do you use xenodm?

OpenBSD -current lost the ability to `startx` in this morning's snapshot, I am not happy.

I think this will also apply to 6.4 -stable once the patch is applied.

EDIT: also, those dotted lines in the terminal programs can be made solid by using the stock xterm (bitmap) font; it's the only one that actually renders correctly, IMO.
deadbang

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: What does your non-Debian desktop look like?

#1471 Post by ruffwoof »

Yes I use Xenodm. Someone (developer I believe) on reddit suggested that it was more secure to run X as user that way. I was tracking current (having only recently switched over to that from stable), but a late upgrade had no chromium available on the mirror I use so I reverted to 6.4 release.

The image was captured by running a tmux in X, more usually I run that on the console so the dotted lines return anyway (using TERM=pccon0 keeps the colours and seems to work well IME). Works great when you ssh into that box and tmux attach to its session. (I know you know all this but for the benefit of others) Any old low powered device - provided it can run ssh then has access to all of the tmux windows/functions. Nice for collaboration also as you both can control/see the exact same things when actions/changes are made.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1472 Post by Head_on_a_Stick »

ruffwoof wrote:Someone (developer I believe) on reddit suggested that it was more secure to run X as user that way
Yes, I see now that X is running as the _x11 user, this means it uses a chrooted sandbox, which is a major advantage.

I can get X working without xenodm on my -current box by applying the setuid bit to the Xorg binary but then X runs as my user (which is Very Bad).

This message on cvs@ cleared things up for me:
Theo de Raadt wrote:Disable setuid on the X server. We have always known it is a trash fire
and we held out hope too long.
https://marc.info/?l=openbsd-cvs&m=154050453117246&w=2

So it looks like I should have been using xenodm all along... :oops:

Also, I used the setuid bit in my Alpine Linux box so I could run X as my normal user rather than root — how dumb is that decision looking now? :roll:

Scrot:

Image

EDIT: to avoid bad mirrors, try the redirect service:

Code:

Puffy:~$ cat /etc/installurl                                   
https://fastly.cdn.openbsd.org/pub/OpenBSD
Puffy:~$
^ That should work well anywhere in the world (theoretically).
deadbang

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: What does your non-Debian desktop look like?

#1473 Post by ruffwoof »

I was running X as user myself until it was pointed out to use Xenodm. Others are also seeing some light https://old.reddit.com/r/openbsd/commen ... scalation/ and one of those links to https://www.openbsd.org/errata64.html
001: SECURITY FIX: October 25, 2018 All architectures
The Xorg X server incorrectly validates certain options, allowing arbitrary files to be overwritten. As an immediate (temporary) workaround, the Xorg binary can be disabled by running: chmod u-s /usr/X11R6/bin/Xorg
A source code patch exists which remedies this problem.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: What does your non-Debian desktop look like?

#1474 Post by Head_on_a_Stick »

^ I was tempted to submit a patch for the webpage to correct their tagline, which will have to be changed to
Only three remote holes in the default install, in a heck of a long time!
No wonder Theo is so pissed...
deadbang

ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

Re: What does your non-Debian desktop look like?

#1475 Post by ruffwoof »

I don't have any root owned setuid's open to 'others', chmod'd them all so only owner and group have access to those. But then again I don't run any root windows/tasks under X, and 'user' isn't a member of group wheel (no su), nor have I any doas configured (no sudo type functions either). I only run root/admin tasks from within a console session (tmux/mc/dialog).

Code:

# find / -user root -perm -4000 -exec chmod o-wrx {} \;
Primarily I use X only to run chromium (pledged/unveiled) and use that for playing mp4's, viewing/creating PDF's ...etc. so contained, as though X/chromium were in a sandbox/container. Data (docs etc) are owned by root (isolated from user).
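
Added example, not part of ruffwoof's post: the find/chmod one-liner above changes every match without showing what it touched, so this sketch lists the affected setuid files first and then applies the same o-rwx change only to that list. The function names, the -xdev restriction (stay on one filesystem) and the optional owner argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit setuid files before stripping "other" access.
# Usage: audit_setuid /      (review the list)
#        restrict_setuid /   (apply chmod o-rwx to exactly those files)

# audit_setuid DIR [OWNER]
# Print setuid files owned by OWNER (default: root) that still grant any
# read, write or execute bit to "other". -xdev keeps find on one filesystem.
audit_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 \
        \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print 2>/dev/null
}

# restrict_setuid DIR [OWNER]
# Same permission change as the posted command, limited to the audited
# files, with each path logged to stderr so the change can be reviewed.
restrict_setuid() {
    audit_setuid "$1" "${2:-root}" | while IFS= read -r f; do
        printf 'restricting %s\n' "$f" >&2
        chmod o-rwx "$f"
    done
}

# count_setuid DIR [OWNER]
# Number of setuid files, to confirm the setuid bit itself is untouched
# (owner and group can still run the binaries with elevated privilege).
count_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null |
        wc -l | tr -d ' '
}
```

Anything the audit lists (su, doas, passwd and similar) stops working for accounts outside the file's group once restricted, which is why the list is worth reading before the change is applied.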
