Preface: The method described here DID NOT work with Mike Walsh's latest Opera-portable. I suspect [Untested] it probably will not work with Chromium-clones (explained below) but will work with Mozilla based browsers (firefox, seamonkey) and the Palemoon fork. An older Opera-portable honored Spot restrictions. Subsequent posts will examine how that was accomplished and if its method can be used to easily modify current Chromium-clone portables.
Iron run-as-spot is discussed in the next post.
-=-=-=-=-=-=-
Running as Spot is supposed to (a) prohibit the application from accessing any folder outside the Spot folder(s) assigned to it; and (b) assign permissions to it other than root's permissions = it can not use files which have root permissions and vice-versa.
Puppies run as root/Administrator having access to any location and permission to create, modify or edit anything. A decade ago Barry K developed the Spot device. He didn't think it important then; and even though the Internet is a much scarier place now, I don't think it often important even now. But some desire the additional security; and even I want it when engaged in internet financial activity.
Off-hand, I don’t know how to test whether applications configured to run-as-spot actually lack root permissions*. But it’s easy to test whether web-browsers can access files beyond the Spot folder: just try to download anything to somewhere else. If you succeed, Spot failed.
The only web-browser which didn’t fail was Mike Walsh’s Google-Chrome.sfs (version 78 from here, https://drive.google.com/drive/folders/ ... QVfrDnr5w- which I updated to 81). I like Google-Chrome for its convenience and extensions. I don’t trust it to keep secrets. I thought I had configured fredx181’s portable-firefox, from here, viewtopic.php?f=90&t=96 to honor Spot’s folder restrictions, but a recent test failed.
All your settings might say a web-browser is running as Spot. But if you can save files to other folders so can any hacker. Why bother ‘running’ a web-brower ‘as spot’ if it isn’t really?
As setting up portable-web-browsers is easy, and they can be run from anywhere, I figured “let’s see if it could be done”. I theory all that should be necessary is:
(1) open /root/.spot-status in a text-editor [note the ‘./dot’, it’s a hidden file]. See *** below
(2) insert or edit a line with the name of your web-browser and the argument =false, e.g.
firefox-esr=false.
(3) Save the edited .spot-status file.
(4) With that web-browser closed, open Menu>system>Login and Security Manager
(5) Place an “x” in the radio-box next to the web-browser you added to .spot-status' list, e.g. firefox-esr.
(6) Save the Change.
(7) Maybe in the web-browser's desktop file -- e.g. /usr/share/applications/firefox-esr.desktop-- edit the Exec line to include the run-as-spot command, e.g.:
Exec=run-as-spot firefox-esr.
That didn’t work. One thing which went wrong was (6). An examination of /root/.spot-status not only didn’t read firefox-esr=true, the change in Step 6 should have made; there no longer was any listing for firefox-esr. The same thing happened regardless of what name I added to /root/.spot-status. Editing .spot-status so that firefox-esr=true, saving it and not doing 4 thru 6 also didn’t work: well, firefox-esr=true was still a line in .spot-status; but firefox-esr could save photos outside of the Spot folder.
So I examined the structure and setting of Google-Chrome.sfs and the text of /usr/sbin/loginmanager. Loginmanager is the bash-script activated by Menu>System>Login and Security Manager. Unfortunately, understanding it was above my pay-grade. So I’ll post the problem elsewhere hoping someone with adequate knowledge of bash (and I think gtk-dialog) may be able to solve it. What I was able to take away from that examination was that the name of the web-browser had to be unique.
Not all the following may be necessary. But as it worked and survived a reboot I’ll provide the entire recipe and my reasoning. Feel free to try to figure out something simpler.
Mike Walsh’s Google-Chrome.sfs is physically located in /home/spot. As portable can be run from anywhere, and running them from a folder with root permissions may be part of the problem, move the portable folder to /home/spot.
I used firefox-esr. But do try your favorite and report both successes and failures.
Step 1: Acquire your choice of portable Web-browser. The web-browser will be moved to /home/spot. But before doing so, add the extensions you want and import bookmarks. Portable-Web-browsers can be run from anywhere; and they write their profiles to their own folder. But, once in /home/spot, important bookmarks will require the html be copied to Uploads and its permission changed; and any changes to the Web-browser will require the execution of a Save. Only files hanging from /mnt are permanently changed immediately.
Step 2: (Potentially necessary) My /home/spot was created when Google-Chrome was SFS-loaded. If you don't have that condition install the attached PermissionChanger-3.3.pet. Mike Walsh created this pet. What it will do is create /home/spot, the Upload and Download folders within that; and a mechanism with a launcher on the Task-bar to change permissions, and to move files out of /home/spot/Downloads to /root/Downloads.
Step 3: Copy you portable Web-browser to /home/spot/Uploads.**
Step 4: Left-Click the PermissionChanger Launcher, and select “Root-to-Spot”
Step 5: Open Rox (file-manager) windows to /home/spot and /home/spot/Uploads. Move your Web-browser folder from ...Uploads to just /home/spot.
Step 6: Make a note of the name of the executable, wrapper, or script which starts your browser.
Step 7: File-browse to /my-applications/bin and Right-Click an Empty-Space; Select New>Script. Give it a Unique name. I chose spot-firefox. Open the bash-script in your text editor, and below the line already present which reads, #!/bin/sh add a line providing the path-to and exact name you noted in Step 6, e.g.
/home/spot/firefox64esr/ff
Step 7a: (Optional -recommended) You might as well test to see if the script will open your browser. Just Left-Click it. If it doesn’t, double-check that the path and name are correct: grammar, punctuation, and case matter. If correct, close the browser.
Steps 8 and 9 are only necessary to create a Menu entry (and launching from a panel). Without a Menu entry, the browser can be started as in 7a, or by opening a terminal and typing the name you gave it in Step 7.
Step 8: Select an icon: as necessary downloading and placing it in a folder of your choice. I chose /usr/share/pixmaps for an icon named firefox48.png
Step 9: Create a “Desktop File”: I opened the desktop file of a web-browser in /usr/share/applications and immediately saved it under the name “firefox64esr-spot” before I could accidentally screwed-up the original. Then I edited firefox64esr-spot to read:
[Desktop Entry]
Encoding=UTF-8
Name=firefox64esr-Spot
Icon=/usr/share/pixmaps/firefox48.png
Comment=firefox as Spot from /home/spot
Exec=run-as-spot /root/my-applications/bin/spot-firefox
Terminal=false
Type=Application
Categories=X-Internet-browser
GenericName=firefox web browser
Note: Name= is that which will appear on the Menu; Category= determines where on the menu it will appear; Icon= is the one, and in the location I chose; and Exec= is the path to and name of my bash script prefaced by “run-as-spot”.
Note2: I’m not sure why Step 7 was necessary. It is sometimes possible to open an application via a Menu listing when the Exec= argument spells out the path-to and name of the ‘executable’. Exec=run-as-spot /home/spot/firefox64esr/ff opened firefox, but not as spot even after Step 10.
Step 10: Open /root/.spot-status and add a line with the exact name from Step 7 = true, e.g.
spot-firefox=true. Save the change. DO NOT RUN Menu>system>Login and Security Manager.
Step 11: Do Save the change of your operating system to your SaveFile/Folder.
Step 12: (optional). For later use, do create and save a pet consisting of (a) your script in /my-applications/bin; (b) your icon; and ( c) your ‘desktop’ file. Such pet can be used with a different Puppy; on a different computer; or as a template for a different Web-browser.
=-=-=-=-=--
* Well, actually I thought of one: If it can’t import bookmarks created under root, it doesn’t have root permissions. Employing the permission-changer is the easiest way to solve that; and if the permission changer didn’t work the first time, it probably won’t work the 2nd time.
** If you are going to be doing a lot of Uploads, you can add the /spot/Upload folder to Rox's Right-Click Copy-to menu.
**** I had these Steps wrong. Just booted into a Puppy on which Login & Security Manager had never been run. There was no .spot-status file. Running Login & Security created that file. But only listing the Browser which came with the Puppy. So, it appears that the Steps are (1) If Login & Security has never been run, run it. (2) Edit .spot-status to add your uniquely named manager with the argument =true.
How to run Portable Firefox as Spot
Moderator: Forum moderators
- mikeslr
- Posts: 2944
- Joined: Mon Jul 13, 2020 11:08 pm
- Has thanked: 178 times
- Been thanked: 905 times
How to run Portable Firefox as Spot
- Attachments
-
- PermissionsChanger-3.3.pet
- PermissionChanger by Mike Walsh
- (11.36 KiB) Downloaded 64 times
Jump to
- General Information
- ↳ Before Installing Forum Distributions, README FIRST
- ↳ Installation Reports
- ↳ Getting Started and System Requirements
- ↳ Internationalization
- Distributions
- ↳ Mainline Puppy Linux Distros
- ↳ Bionic
- ↳ BookwormPup
- ↳ DPupStretch
- ↳ F96-CE
- ↳ Fossapup64
- ↳ LxPupSc
- ↳ Raspbian Buster
- ↳ Slacko
- ↳ SPups
- ↳ Tahr
- ↳ Vanilla Dpup
- ↳ VoidPup
- ↳ Xenial
- ↳ Legacy
- ↳ Kennel Linux Distros
- ↳ KLV-Airedale
- ↳ KLV-Bspwm
- ↳ KLV-Spectr
- ↳ KLV-Swayland
- ↳ KLV-HyprlandCE
- ↳ KLA
- ↳ KLU-jam
- ↳ KLF
- ↳ KL minis
- ↳ KL_full2fr
- ↳ KL-Dev_Work
- ↳ How-To
- ↳ firstribit
- ↳ Virtualization
- ↳ Puppy Derivatives
- ↳ Re-masters
- ↳ Specialized
- ↳ Built from woof-CE Recipes
- ↳ NoblePup64
- ↳ F96CE-XFCE-FUSILLI
- ↳ PuppEX
- ↳ Puppy For Older Low Powered Computers
- ↳ 32 Bit
- ↳ 64 Bit
- ↳ Distributions Archive
- House Training
- ↳ Announcements
- ↳ Beginners Help
- ↳ Users
- ↳ Bug Reports
- ↳ Instructional HOW-TO Section
- ↳ Boot
- ↳ Browsers
- ↳ Compile
- ↳ F96-CE+
- ↳ File Management
- ↳ Graphics/Video
- ↳ Install
- ↳ Network/Server
- ↳ Printing
- ↳ Repair
- ↳ Security
- ↳ Sounds
- ↳ Tips & Tweaks
- ↳ Upgrade/Backup
- ↳ Utility
- Advanced Topics
- ↳ Additional Software (PETs, n' stuff)
- ↳ AppImages, Snaps and Flatpaks
- ↳ Browsers and Internet
- ↳ Business
- ↳ Compiling
- ↳ Desktop
- ↳ Documents
- ↳ Drivers
- ↳ Educational
- ↳ Emulation
- ↳ Engineering/Science/Simulation
- ↳ Eye Candy
- ↳ Backgrounds
- ↳ Filesystem
- ↳ Games
- ↳ Graphics
- ↳ Java
- ↳ Kernels
- ↳ Multimedia
- ↳ Network
- ↳ Package Collections/Repositories
- ↳ REQUESTS
- ↳ Security/Privacy
- ↳ System
- ↳ Utilities
- ↳ Virtualization
- ↳ WINE
- ↳ WINE 64 BIt
- ↳ WINE 32 Bit
- ↳ Puppy Projects
- ↳ Cutting Edge
- ↳ Hardware
- ↳ Servers
- ↳ woof-CE
- ↳ Programming
- ↳ Scripts
- ↳ Development
- Dog House
- ↳ DebianDogs
- ↳ UbuntuDogs
- ↳ Debian-Live Starter Kit
- EasyOS
- ↳ Containers and VMs
- FatDog
- ↳ FatDog64
- ↳ Software
- Puppy Linux International
- ↳ Für deutschsprachige Anhänger
- ↳ Italian Puppy Linux Forum
- ↳ Pour les francophones
- ↳ Usuarios de habla Hispana
- ↳ Standard Chinese Language PET's
- ↳ Russian - Россия
- Off-Topic Area
- ↳ Security
- ↳ Forum Organization & Structure Council
- ↳ Other Distros
- ↳ FirstRib (old archived info)
- ↳ ForumLink
- ↳ About
- ↳ Announcements
- ↳ HowTo
- ↳ Software
- ↳ Beginners
- ↳ Users
- ↳ Programming
- ↳ Bug_Reports
- ↳ Blog
- ↳ Comparisons
- ↳ Dog Incubator
- ↳ dCoreDog
- ↳ Corepup