
Author Topic: Tiny Core state - assessment question  (Read 3389 times)

Offline tclfan

  • Sr. Member
  • Posts: 286
Tiny Core state - assessment question
« on: November 12, 2009, 02:43:40 PM »
It appears that Tiny Core has matured at this point, qualified by:
1. Modular architecture solidified
2. Excellent network support (from the beginning)
3. Application infrastructure developed and streamlined in the form of extensions for most important applications
4. Video support through drop-in graphics and Xorg
5. Drop-in modules for a variety of window managers
6. Last but not least - fantastic drop-in integration of desktops - XFCE and LXDE!

Thanks again to the creator and development team! Greatly appreciated!

My question now relates to Tiny Core security. Is security sufficient in Tiny Core, or can it be enhanced? Specifically, this relates to the root password and perhaps the user password. This has been discussed in the past and, as far as I remember, it was left with no plans.
1. Tiny Core runs as user. This is great - those running as root are unacceptable (e.g. Puppy, Austrumi). However, no password is required to act as root. Is this a big security problem or nothing to worry about?
2. If there was a password (be it hard-coded) on the user, would this be more secure or would it not make any difference?

Just to stress, this has nothing to do with multi-user capability, but security. E.g. SliTaz, which is also run-all-in-RAM and tiny, does implement a password for root, and Zenwalk implements a password for both...
Thanks again.

Offline danielibarnes

  • Hero Member
  • Posts: 548
Re: Tiny Core state - assessment question
« Reply #1 on: November 12, 2009, 03:31:05 PM »
As an experienced user (and participant in the previous discussions) you already know this, but here is some basic info for newer users.

To save/restore root and tc user passwords:
1) Set passwords for root and tc user using passwd or chpasswd.
2) Add /etc/shadow to /opt/.filetool.lst.
3) Make backup.

The /etc/sudoers file controls how sudo operates. Here is more info:
http://www.gratisoft.us/sudo/man/sudoers.html

The making and restoring of backups is covered in the Wiki:
http://wiki.tinycorelinux.com/tiki-index.php?page=Backups

Security isn't mandatory in Tiny Core precisely because it is an option you can enable and customize. I believe the result of the previous discussion was to add a section to the Wiki, but I've not had the time to do it myself.

Since we're on the topic, I believe your last concern was that firefox did not run with a modified /etc/sudoers. Was it possible to resolve this? If not, I think we should use the information to begin the Wiki entry.
« Last Edit: November 12, 2009, 03:49:23 PM by danielibarnes »

Offline roberts

  • Retired Admins
  • Hero Member
  • Posts: 7361
  • Founder Emeritus
Re: Tiny Core state - assessment question
« Reply #2 on: November 12, 2009, 03:48:56 PM »
There are also the boot options secure and noautologin.
10+ Years Contributing to Linux Open Source Projects.

Offline tclfan

  • Sr. Member
  • Posts: 286
Re: Tiny Core state - assessment question
« Reply #3 on: November 12, 2009, 04:18:57 PM »
Thanks roberts for this summary of what was established in prior discussions.
And yes - security in TC is not mandatory. As long as it can be easily configured as you described and works seamlessly with applications, data permissions, etc., it can be considered available in TC...

Offline danielibarnes

  • Hero Member
  • Posts: 548
Re: Tiny Core state - assessment question
« Reply #4 on: November 12, 2009, 04:38:01 PM »
I added a Wiki page to get us started:
http://wiki.tinycorelinux.com/tiki-index.php?page=Security

However, we have an issue to address:
1) boot TC "base norestore"

2) edit /etc/sudoers and change
tc ALL=NOPASSWD: ALL
to
tc ALL=ALL

3) Start Appbrowser and try to mount an extension. It will fail.
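
The settings discussed in Reply #1 and Reply #4 (passwords for root and tc, /etc/shadow in the backup list, the NOPASSWD rule in /etc/sudoers) can be checked together with a small audit script. This is an added example, not part of the original posts or of Tiny Core itself; the function names, the optional root-directory argument and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the three settings discussed in the thread.
# All function names are hypothetical; the optional argument lets the
# check run against a copy of the files instead of the live system.

# Print sudoers rules that grant passwordless sudo (comments skipped).
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD[[:space:]]*:'
}

# Succeed if etc/shadow is listed in the backup list, so that passwords
# survive a reboot. Assumption: the entry may be written with or
# without a leading slash.
shadow_persisted() {
    grep -Eq '^/?etc/shadow[[:space:]]*$' "$1"
}

# Succeed if the user ($2) has a password hash in the shadow file ($1).
# An empty field, "*" or a leading "!" means no usable password is set.
has_password() {
    pwfield=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    case "$pwfield" in
        ''|'*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report findings; the return status is the number of findings.
audit() {
    root=${1:-}
    findings=0
    if nopasswd_rules "$root/etc/sudoers" >/dev/null; then
        echo "sudoers: passwordless sudo is enabled"
        findings=$((findings + 1))
    fi
    for u in root tc; do
        has_password "$root/etc/shadow" "$u" || {
            echo "shadow: $u has no password hash set"
            findings=$((findings + 1))
        }
    done
    shadow_persisted "$root/opt/.filetool.lst" || {
        echo "backup: etc/shadow is not listed in .filetool.lst"
        findings=$((findings + 1))
    }
    return "$findings"
}
```

Called with no argument, `audit` reads the live /etc/sudoers and /etc/shadow, which normally requires root.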

Offline ^thehatsrule^

  • Retired Admins
  • Hero Member
  • Posts: 1726
Re: Tiny Core state - assessment question
« Reply #5 on: November 17, 2009, 07:03:34 PM »
The tc user was designed to be the main account to do those kinds of tasks, and sudo is used for some of those.

If this is for a multi-user system, perhaps the best way would be to create new user accounts for each untrusted user.

Offline danielibarnes

  • Hero Member
  • Posts: 548
Re: Tiny Core state - assessment question
« Reply #6 on: November 17, 2009, 08:56:31 PM »
"perhaps the best way would be to create new user accounts for each untrusted user."

Good idea. Creating a new user and disabling login for the tc user will give tclfan or anyone else the security they need without adjusting the Tiny Core architecture. I will work out the details and add it to the wiki.
« Last Edit: November 17, 2009, 11:07:50 PM by danielibarnes »