3.2b1 Duet 3 (DCS is not started)

Dougal1957

@bcrazycramer it was to me asking me to run the journal cads to see what was happening!

bcrazycramer

chrishamm

@bcrazycramer That's looking good. You should be able to connect to your board over HTTP.

The GitHub releases and package feeds have been updated with the latest hotfixes as promised. If you're having problems, consider running another software update.

A Former User

@chrishamm said in 3.2b1 Duet 3 (DCS is not started):

I suspect there may be a permission issue going on because we changed from root to a dedicate dsf user in the latest pre-release.

Can you explain the thinking behind changing from root to a dsf user?

As to be honest if it was working before, this seems to be a prime example of changes being made for the sake of it for diminishing returns.

As my old journeyman used to say : if it's working fuc*ing leave it alone.

Phaedrux

@CaLviNx Running things as root is generally frowned upon for security sake.

A Former User

@Phaedrux that I understand but in this instance it should be fine as people "should" have their home network secured.

My printers all connected via my own wireless "intranet" that is not connected to the outside world, so no one can get into that small network, house innternet itself is run through a Secure DDWRT equipped router which is well locked down, and I'm not the most IT tech savvy but I'm I am happy to run my printers in "Root" mode.

So to find yet another thing changed for the sake of change just trips things/people up as this instance proven

Phaedrux

@CaLviNx said in 3.2b1 Duet 3 (DCS is not started):

"should" have their home network secured.

Defence in depth would urge you to not assume any favorable circumstances exist.

A Former User

@Phaedrux and to counter that why should people not be allowed to choose for themselves and a notification in the docs would suffice?

dc42

Given the huge number of hacking attempts made against everyone these days, we would rightly be castigated if we continued running DSF as root. This is even more important now that DSF supports plugins.

dc42

@CaLviNx said in 3.2b1 Duet 3 (DCS is not started):

@Phaedrux and to counter that why should people not be allowed to choose for themselves and a notification in the docs would suffice?

If you want to run DSF as root, you can modify DSF - it's open source. If you don't know how to, then IMO you shouldn't be trusted to run DSF as root. I don't want your RPi running DSF to be part of a botnet.

A Former User

@CaLviNx said in 3.2b1 Duet 3 (DCS is not started):

@Phaedrux and to counter that why should people not be allowed to choose for themselves and a notification in the docs would suffice?

because secure by default solves more problems than it can create? (ref OpenBSD it won't stop you from pulling down your pants, even though it ships with belts and suspenders)

bot

@dc42 said in 3.2b1 Duet 3 (DCS is not started):

[...] I don't want your RPi running DSF to be part of a botnet.

Wait... is that, like, discouraged or something?

A Former User

So these replies bring me to ask the next question.

If running in "root" is as dangerous as YOU GUYS are pushing it to be, why was this not implemented from the get go ?

For it to be as dangerous as is being said and for it to only be being implemented now many many months after the Rpi image was released shows recklessness and a lack of care for users in the extreme....

Phaedrux

It's a best practice. I'm sorry it wasn't implemented initially and I'm sorry implementing it now has inconvenienced you. Your point about change for change sake is taken.

A Former User

@Phaedrux

So it has just been proven that best practice has not been followed, but im the one getting preached at from multiple directions for even mentioning it...

On one hand being lectured about how important security is.

Then after its pointed out about the delay the importance of said security gets glossed over as "not best practise"

hypocrisy much.........

oliof

At a hazard, this came up during architecture review for plugins and has now been implemented, which is good. (Also, botnet membership is not the only risk; exposure in an internal network and being used for lateral moves or persistent footholds inside an internal network that has bridges to the outside somewhere is another risk scenario)

Somewhat related: Gina Häußge is fighting to keep people from exposing Octoprint to the internet unsecured, yet you can easily find many instances that are at risk if you know where to look.

I'm pretty sure if someone were to sponsor a thorough security review of DSF, that the results would be more than welcome by the Duet3D team.