Open Beta v7.6 | Please help testing and hardening the upcoming release

Have some feedback, questions, suggestions, or just fancy a chat? Pop it in here.
User avatar
MichaIng
Site Admin
Posts: 3357
Joined: Sat Nov 18, 2017 6:21 pm

Re: Open Beta v7.6 | Please help testing and hardening the upcoming release

Post by MichaIng »

Indeed /root is the "root" users home directory, and it breaks the basic privacy and security ideas to grant any user access to another users home directory, most importantly the root users home directory. Home directories may contain secret private keys, like for SSH and other sensitive stuff, that must not be accessed by anyone else.

Since File Browser runs as "filebrowser" service user, this also applies to /home/dietpi, although much less critical.

For sharing files across users, I recommend a directory outside of any users home. If shared write permissions are required, use a shared group, like it is done with /mnt/dietpi_userdata and the "dietpi" group.
User avatar
dwr
Posts: 79
Joined: Thu Feb 18, 2021 3:46 am

Re: Open Beta v7.6 | Please help testing and hardening the upcoming release

Post by dwr »

trendy wrote: Tue Sep 21, 2021 9:36 am This is a bad idea. Leave /root as it is. If you need to store something as dietpi user, use /home/dietpi
I respectfully disagree as you are unaware of my intentions. :) Since I live alone and am very privacy oriented in my endeavours (multiple VPN routing policies, self-hosted recursive DNS server, firewalled at the router, expanded firewall setups on all of my PC's, etc.), I am not concerned with unauthorized access. Additionally, I have root access setup (Samba or FTP) with most of my Pi's so I can access files easier (although the Pi's running backend security do not have root access since they have access outside of my LAN).

Furthermore, this particular Pi that I am working on is my Development/Testing Pi and is not "mission-critical" to anything. I am one of those people that likes to explore new software to get familiar with it as well as to expand my intermediate knowledge of coding (in otherwords, I like to tinker with things).
Joulinar wrote: Tue Sep 21, 2021 9:40 am yes, what is the reason for trying to get web browser access to /root. Due to security we decided for a different user without root-user privileges. ;)

at the end a lot of thinks are possible even to switch file browser user.
My reason is simply to test different things as mentioned above. And as you said, there are many possiblities and I wanted to explore! ;)
MichaIng wrote: Tue Sep 21, 2021 5:39 pm Indeed /root is the "root" users home directory, and it breaks the basic privacy and security ideas to grant any user access to another users home directory, most importantly the root users home directory. Home directories may contain secret private keys, like for SSH and other sensitive stuff, that must not be accessed by anyone else.

Since File Browser runs as "filebrowser" service user, this also applies to /home/dietpi, although much less critical.

For sharing files across users, I recommend a directory outside of any users home. If shared write permissions are required, use a shared group, like it is done with /mnt/dietpi_userdata and the "dietpi" group.
Yes, I understand that it breaks the very essence of security. After reviewing the Filebrowser website, I tried running a permissions change command but was unable to - basically the reason why I asked is because I am failing to understand Filebrower's command line syntax/structure, and with examples I can better understand it. For example, the first question I asked about accessing files outside of /mnt/dietpi_userdata helped me understand their syntax more.

Either way, I appreciate the help - no need to provide me with an answer to this question since I really don't need access to it!
User avatar
trendy
Posts: 368
Joined: Tue Feb 25, 2020 2:54 pm

Re: Open Beta v7.6 | Please help testing and hardening the upcoming release

Post by trendy »

Apart from security aspect, incorrect file and folder permissions can render the system unusable. Changing permissions on linux is something trivial. Therefore if you don't know that, you are classified as a novice user. And linux doesn't protect you from breaking your own system the way windows do. Take all these into consideration and decide what is best for you. It is our duty to warn you.
User avatar
Joulinar
Posts: 5996
Joined: Sat Nov 16, 2019 12:49 am

Re: Open Beta v7.6 | Please help testing and hardening the upcoming release

Post by Joulinar »

just to avoid a misunderstanding. File system access on OS level is not defined somewhere in filebrowser application or can be changed using filebrowser command line tool. This we defined on the service file we created. There we set OS user filebrowser as the one who is running the service. And this OS user is used to perform all activities on the OS/file system. As this user has no root permission, he is not able to access directories or files that or owned by user root. As well this user has nothing to do with the user you use to login to filebrowser web side. filebrowser has an own user management allowing to manage web side access only.

Coming back to the original question: you would need to adjust the service to gain root access.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
User avatar
dwr
Posts: 79
Joined: Thu Feb 18, 2021 3:46 am

Re: Open Beta v7.6 | Please help testing and hardening the upcoming release

Post by dwr »

trendy wrote: Wed Sep 22, 2021 11:45 am Apart from security aspect, incorrect file and folder permissions can render the system unusable. Changing permissions on linux is something trivial. Therefore if you don't know that, you are classified as a novice user. And linux doesn't protect you from breaking your own system the way windows do. Take all these into consideration and decide what is best for you. It is our duty to warn you.
There is no need to "classify" me as it seems that your understanding of my question is not valid. I will not discuss this further as you have not provided any assistance expect to make assumptions. What you have stated is something that I already understand - please review my responses.
Joulinar wrote: Wed Sep 22, 2021 11:56 am just to avoid a misunderstanding. File system access on OS level is not defined somewhere in filebrowser application or can be changed using filebrowser command line tool. This we defined on the service file we created. There we set OS user filebrowser as the one who is running the service. And this OS user is used to perform all activities on the OS/file system. As this user has no root permission, he is not able to access directories or files that or owned by user root. As well this user has nothing to do with the user you use to login to filebrowser web side. filebrowser has an own user management allowing to manage web side access only.

Coming back to the original question: you would need to adjust the service to gain root access.
Thank you - and yes, I understand. I have already configured root access via Filebrowser as of early this morning. I appreciate your explanation, and I understand the reasoning behind how Diet Pi has configured permissions for this software.

Please consider my inquiry, closed.
Post Reply