How to run Portable Firefox as Spot

Post by mikeslr »

Preface: The method described here DID NOT work with Mike Walsh's latest Opera-portable. I suspect [Untested] it probably will not work with Chromium-clones (explained below) but will work with Mozilla based browsers (firefox, seamonkey) and the Palemoon fork. An older Opera-portable honored Spot restrictions. Subsequent posts will examine how that was accomplished and if its method can be used to easily modify current Chromium-clone portables.

Iron run-as-spot is discussed in the next post.
-=-=-=-=-=-=-
Running as Spot is supposed to (a) prohibit the application from accessing any folder outside the Spot folder(s) assigned to it; and (b) assign permissions to it other than root's permissions = it can not use files which have root permissions and vice-versa.

Puppies run as root/Administrator having access to any location and permission to create, modify or edit anything. A decade ago Barry K developed the Spot device. He didn't think it important then; and even though the Internet is a much scarier place now, I don't think it often important even now. But some desire the additional security; and even I want it when engaged in internet financial activity.

Off-hand, I don’t know how to test whether applications configured to run-as-spot actually lack root permissions*. But it’s easy to test whether web-browsers can access files beyond the Spot folder: just try to download anything to somewhere else. If you succeed, Spot failed.

The only web-browser which didn’t fail was Mike Walsh’s Google-Chrome.sfs (version 78 from here, https://drive.google.com/drive/folders/ ... QVfrDnr5w- which I updated to 81). I like Google-Chrome for its convenience and extensions. I don’t trust it to keep secrets. I thought I had configured fredx181’s portable-firefox, from here, viewtopic.php?f=90&t=96 to honor Spot’s folder restrictions, but a recent test failed.

All your settings might say a web-browser is running as Spot. But if you can save files to other folders so can any hacker. Why bother ‘running’ a web-browser ‘as spot’ if it isn’t really?

As setting up portable-web-browsers is easy, and they can be run from anywhere, I figured “let’s see if it could be done”. In theory all that should be necessary is:
(1) open /root/.spot-status in a text-editor [note the ‘./dot’, it’s a hidden file]. See *** below
(2) insert or edit a line with the name of your web-browser and the argument =false, e.g.
firefox-esr=false.
(3) Save the edited .spot-status file.
(4) With that web-browser closed, open Menu>system>Login and Security Manager
(5) Place an “x” in the radio-box next to the web-browser you added to .spot-status' list, e.g. firefox-esr.
(6) Save the Change.
(7) Maybe in the web-browser's desktop file -- e.g. /usr/share/applications/firefox-esr.desktop-- edit the Exec line to include the run-as-spot command, e.g.:
Exec=run-as-spot firefox-esr.

That didn’t work. One thing which went wrong was (6). On examination, /root/.spot-status not only didn’t read firefox-esr=true, the change Step 6 should have made; there no longer was any listing for firefox-esr. The same thing happened regardless of what name I added to /root/.spot-status. Editing .spot-status so that firefox-esr=true, saving it and not doing 4 thru 6 also didn’t work: well, firefox-esr=true was still a line in .spot-status; but firefox-esr could save photos outside of the Spot folder.

So I examined the structure and setting of Google-Chrome.sfs and the text of /usr/sbin/loginmanager. Loginmanager is the bash-script activated by Menu>System>Login and Security Manager. Unfortunately, understanding it was above my pay-grade. So I’ll post the problem elsewhere hoping someone with adequate knowledge of bash (and I think gtk-dialog) may be able to solve it. What I was able to take away from that examination was that the name of the web-browser had to be unique.

Not all the following may be necessary. But as it worked and survived a reboot I’ll provide the entire recipe and my reasoning. Feel free to try to figure out something simpler.

Mike Walsh’s Google-Chrome.sfs is physically located in /home/spot. As portables can be run from anywhere, and running them from a folder with root permissions may be part of the problem, move the portable folder to /home/spot.

I used firefox-esr. But do try your favorite and report both successes and failures.

Step 1: Acquire your choice of portable Web-browser. The web-browser will be moved to /home/spot. But before doing so, add the extensions you want and import bookmarks. Portable-Web-browsers can be run from anywhere; and they write their profiles to their own folder. But, once in /home/spot, important bookmarks will require the html be copied to Uploads and its permission changed; and any changes to the Web-browser will require the execution of a Save. Only files hanging from /mnt are permanently changed immediately.

Step 2: (Potentially necessary) My /home/spot was created when Google-Chrome was SFS-loaded. If you don't have that condition install the attached PermissionChanger-3.3.pet. Mike Walsh created this pet. What it will do is create /home/spot, the Upload and Download folders within that; and a mechanism with a launcher on the Task-bar to change permissions, and to move files out of /home/spot/Downloads to /root/Downloads.

Step 3: Copy your portable Web-browser to /home/spot/Uploads.**
Step 4: Left-Click the PermissionChanger Launcher, and select “Root-to-Spot”
Step 5: Open Rox (file-manager) windows to /home/spot and /home/spot/Uploads. Move your Web-browser folder from ...Uploads to just /home/spot.
Step 6: Make a note of the name of the executable, wrapper, or script which starts your browser.
Step 7: File-browse to /my-applications/bin and Right-Click an Empty-Space; Select New>Script. Give it a Unique name. I chose spot-firefox. Open the bash-script in your text editor, and below the line already present which reads, #!/bin/sh add a line providing the path-to and exact name you noted in Step 6, e.g.

/home/spot/firefox64esr/ff

Step 7a: (Optional -recommended) You might as well test to see if the script will open your browser. Just Left-Click it. If it doesn’t, double-check that the path and name are correct: grammar, punctuation, and case matter. If correct, close the browser.

Steps 8 and 9 are only necessary to create a Menu entry (and launching from a panel). Without a Menu entry, the browser can be started as in 7a, or by opening a terminal and typing the name you gave it in Step 7.

Step 8: Select an icon: as necessary downloading and placing it in a folder of your choice. I chose /usr/share/pixmaps for an icon named firefox48.png
Step 9: Create a “Desktop File”: I opened the desktop file of a web-browser in /usr/share/applications and immediately saved it under the name “firefox64esr-spot” before I could accidentally screw up the original. Then I edited firefox64esr-spot to read:

[Desktop Entry]
Encoding=UTF-8
Name=firefox64esr-Spot
Icon=/usr/share/pixmaps/firefox48.png
Comment=firefox as Spot from /home/spot
Exec=run-as-spot /root/my-applications/bin/spot-firefox
Terminal=false
Type=Application
Categories=X-Internet-browser
GenericName=firefox web browser

Note: Name= is that which will appear on the Menu; Categories= determines where on the menu it will appear; Icon= is the one, and in the location I chose; and Exec= is the path to and name of my bash script prefaced by “run-as-spot”.

Note2: I’m not sure why Step 7 was necessary. It is sometimes possible to open an application via a Menu listing when the Exec= argument spells out the path-to and name of the ‘executable’. Exec=run-as-spot /home/spot/firefox64esr/ff opened firefox, but not as spot even after Step 10.

Step 10: Open /root/.spot-status and add a line with the exact name from Step 7 = true, e.g.
spot-firefox=true. Save the change. DO NOT RUN Menu>system>Login and Security Manager.

Step 11: Do Save the change of your operating system to your SaveFile/Folder.
Step 12: (optional). For later use, do create and save a pet consisting of (a) your script in /my-applications/bin; (b) your icon; and (c) your ‘desktop’ file. Such pet can be used with a different Puppy; on a different computer; or as a template for a different Web-browser.

=-=-=-=-=--
* Well, actually I thought of one: If it can’t import bookmarks created under root, it doesn’t have root permissions. Employing the permission-changer is the easiest way to solve that; and if the permission changer didn’t work the first time, it probably won’t work the 2nd time.

** If you are going to be doing a lot of Uploads, you can add the /spot/Upload folder to Rox's Right-Click Copy-to menu.

*** I had these Steps wrong. Just booted into a Puppy on which Login & Security Manager had never been run. There was no .spot-status file. Running Login & Security created that file. But only listing the Browser which came with the Puppy. So, it appears that the Steps are (1) If Login & Security has never been run, run it. (2) Edit .spot-status to add your uniquely named manager with the argument =true.
Attachments
PermissionsChanger-3.3.pet
PermissionChanger by Mike Walsh
(11.36 KiB) Downloaded 64 times
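
Added example (not part of the post above, and not Puppy's own code): a shell check for the situation the post describes, where .spot-status lists a launcher as true but the browser is not really running as Spot. It compares the .spot-status entry with the effective UID found in a /proc/<pid>/status file; the function names, the sample files and the UID 502 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): compare what .spot-status claims for a
# launcher with the effective UID the browser process actually has.

# Print the value recorded for launcher $2 in spot-status file $1, or "absent".
spot_status_value() {
    awk -F= -v name="$2" '$1 == name { v = $2 }
        END { print (v == "" ? "absent" : v) }' "$1"
}

# Print the effective UID from a /proc/<pid>/status style file $1.
# Its "Uid:" line lists real, effective, saved and filesystem UIDs in order.
euid_from_status() {
    awk '$1 == "Uid:" { print $3; exit }' "$1"
}

# audit_spot SPOT_STATUS_FILE LAUNCHER PROC_STATUS_FILE -> prints one verdict
audit_spot() {
    claimed=$(spot_status_value "$1" "$2")
    euid=$(euid_from_status "$3")
    if [ -z "$euid" ]; then
        echo "unknown"              # no Uid: line, process probably exited
    elif [ "$euid" -eq 0 ] && [ "$claimed" = "true" ]; then
        echo "mismatch"             # listed as spot, yet running as root
    elif [ "$euid" -eq 0 ]; then
        echo "root"                 # running as root and not listed as spot
    elif [ "$claimed" = "true" ]; then
        echo "ok"                   # listed as spot and not running as root
    else
        echo "unlisted-non-root"
    fi
}

# Constructed sample data (not captured from a real system) so this runs offline.
demo() {
    d=$(mktemp -d)
    printf 'firefox-esr=false\nspot-firefox=true\n' > "$d/spot-status"
    printf 'Name:\tfirefox-bin\nUid:\t502\t502\t502\t502\n' > "$d/as-user"
    printf 'Name:\tfirefox-bin\nUid:\t0\t0\t0\t0\n' > "$d/as-root"
    echo "non-root process: $(audit_spot "$d/spot-status" spot-firefox "$d/as-user")"
    echo "root process:     $(audit_spot "$d/spot-status" spot-firefox "$d/as-root")"
    rm -rf "$d"
}
demo
```

On a running system, call audit_spot /root/.spot-status spot-firefox /proc/<pid>/status with the browser's PID. It covers only the permissions half of the test; the download-outside-the-Spot-folder check from the post still applies.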