Paranoid Penguin - Customizing Linux Live CDs, Part I
In my recent column “Security Features in Ubuntu” (LJ, March 2008), I mentioned that the live CD method of running Linux from a CD-ROM or DVD rather than directly from a hard drive has important and useful security ramifications. I went on to promise that this would be the topic of a future column.
Never one to renege on a promise, this month I bring you the first of a multipart series about Linux live CDs. In this month's column, I describe some security usages for bootable Linux CDs and demonstrate a quick-and-easy way to customize the standard Ubuntu Desktop CD that allows you to change its included bundle of software.
At this point, you may be wondering, “What's the big deal about bootable Linux CDs? Aren't all Linux installation CDs bootable?”
On the one hand, yes. Linux installation CDs always have been bootable. But, not all Linux installation CDs offer you the option of simply running Linux from the CD without installing it right away. This is the difference between a live Linux CD and an installer CD.
Live CDs are especially handy for trying out a distribution before committing it to your hard disk. Usually, they include an installer applet that makes it easy to make that commitment, if you so choose. But, these are very general live CD uses.
For the security-conscious user, or for the conscientious-security user (but not for the unconscious user), live CDs also are useful, among other things, for the following:
Using untrusted hardware, such as public-use PCs at coffee shops.
Analyzing computers that may have been compromised.
Recovering data from systems that no longer boot for some reason.
Running software you'd prefer not to install on your hard disk.
Depending on your needs, you might be perfectly happy using an existing Linux live CD distribution, such as Knoppix, BackTrack or Ubuntu Desktop. But, what if you want to apply the very latest security patches to the live CD's installed applications? What if your favorite live CD lacks an application you really need? Or, what if you don't want to have to configure things manually, such as network settings, after every single time you boot?
These are some of the many reasons you might want to customize your Linux live CD. For the remainder of this month's column, I walk through the process of patching and adding security software to Ubuntu Desktop 7.10. Much of what follows applies directly to other squashfs-based distributions, such as Linux Mint, SLAX and BackTrack, and indirectly to most other live CD distributions.
Before you can customize your Ubuntu Desktop live CD, you need several things:
An ISO file for the current version of Ubuntu Desktop (or Linux Mint).
The squashfs-tools package installed on your system.
The mkisofs package installed on your system.
You can get the ISO file in one of two ways: download it from www.ubuntu.com, or create it from an actual Ubuntu CD via the dd command, like this:
bash-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso
For the remainder of this article, I assume your ISO image resides in your home directory. I also assume you're running Ubuntu, but if you aren't, for commands that begin with sudo, you instead should do whatever else you usually do to become root temporarily (for example, su or su -c).
The squashfs-tools package provides utilities for creating and mounting squashfs filesystems. Most of an Ubuntu live CD is taken up by one enormous squashfs image that is uncompressed and mounted as / when you boot the CD. To remaster the CD, you need to mount a copy of its squashfs image, change various files and directories in it, and save the edited directory structure as a new squashfs image.
Finally, you'll use the mkisofs command to convert the various files and directories you've just edited into a single ISO image file.
In describing how these three prerequisites relate to each other, I also discuss the three stages of the live CD remastering process: mounting the squashfs image, changing it in various ways and incorporating it into a new ISO image.
The procedure I'm about to step through is based on the one at www.debuntu.org (see Resources). Much of what follows won't be very security-focused; in subsequent columns, I'll go into greater depth in applying this stuff to security applications. Right now, my immediate goal is to tell you what you need to know to begin experimenting with your own customized live CDs right away, and I'm sure you'll think of cool things to do between now and my next column.
In demonstrating these commands, I'm going to try a new convention that bends reality a little bit and will number each bash-prompt: 01-$, 02-$, and so on. This way, I'll be able to refer to each command by line number. We'll see whether this helps, or whether I'm just getting nostalgic for my BASIC programming days—send me an e-mail if you have an opinion either way.
First, log on as a nonprivileged user, open a command window (none of what we do here will require the X Window System), and navigate to your home directory. Type this command to create mountpoints for the old ISO image and its squashfs image, a top-level directory for creating the new CD file hierarchy and a directory for rebuilding the root filesystem that will become the new squashfs image:
01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd ./isonew/custom
Next, mount the original ISO image, and copy everything in it, except the squashfs image itself, into the ./isonew/cd directory:
02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/ 03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/ ↪./isonew/cd
Line 03 uses rsync rather than cp, so you don't need to repopulate the isonew/cd directory every time you make a new ISO image. Whenever rsync encounters identical files, it copies only the differences in the new file to the old one, rather than copying the entire file (if there are no differences, it leaves the “target” version alone).
Note: if you're working within some directory other than your home directory, and if that directory is on a Windows partition rather than a native Linux partition (such as ext2, ext3 or ReiserFS), you'll get many errors when copying files around—some of which may cause this procedure to fail. You don't need to do all of this within your home directory, but you should do it on a Linux partition.
You've copied the skeleton of the original CD into isonew/cd, so now you can get busy with the squashed root filesystem by enabling squashfs support in your running kernel and mounting the squashfs image:
04-$ sudo modprobe squashfs 05-$ sudo mount -t squashfs -o loop ↪./isomount/casper/filesystem.squashfs ./isonew/squashfs/
Next, copy the original root filesystem into the rebuild directory:
06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom
Before you enter the Matrix by chrooting into this root filesystem and customizing it, you should make sure networking and the apt system will work once you do, by copying some configuration files from your running system:
07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/ 08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/
This assumes, of course, that your running system is communicating with the network properly and that its sources.list file includes entries for the universe, multiverse and partner repositories (or anywhere else from whence you intend to obtain packages). If you have anything else you'd like to include in your custom live CD, such as other configuration files, documents, images and so on, now is a good time to copy those over too. Just remember that space is precious.
Now you're ready to enter your new root filesystem. I've written extensively about using chroot jails to contain server dæmons, so that if they're hijacked, the attacker gains access to only a small subset of your filesystem. Well, right now, you're about to chroot yourself, so that all changes you make—adding and removing packages, downloading updates, editing configuration files and so on—are applied to your custom ISO's root filesystem, not your underlying system's root filesystem.
Here's how to swallow the Blue Pill:
09-$ sudo chroot ./isonew/custom
From this point on, until you type the command exit (step 22, below), you'll be in an environment in which / is no longer your underlying filesystem's root, but actually /home/you/isonew/custom (where /home/you is your local home directory, or wherever else you created the isonew hierarchy).
Now that you're jacked in, you need to bring the proc and sysfs filesystems on-line, so that your “real” system's kernel can interact properly with the “fake” system represented by your soon-to-be-customized root filesystem. Now, set your home directory to /root (actually /home/you/isonew/custom/root):
10-# mount -t proc none /proc/ 11-# mount -t sysfs none /sys/ 12-# export HOME=/root
Note that the prompts in my examples have switched to # from $, indicating that you're now running in a root shell. This is necessary, because you'll need to be root in order to exit the chroot jail you've voluntarily entered.
Now you're ready to customize. This is the part when you don't necessarily need my help; you can be creative. For example purposes though, let's make some space for new packages and update the ones that are left.
What are you going to use your new live CD for? Secure Web browsing using untrusted hardware isn't a bad start. You shouldn't need OpenOffice.org for that, and it takes up something like 85MB of your compressed squashfs image (remember, a standard CD ISO can't be larger than 650MB).
You can remove OpenOffice.org, plus a couple of things upon which only OpenOffice.org depends, like this:
13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' ↪|grep openoffice`
Did you notice the embedded dpkg-query...|grep... command? It queries the root filesystem's deb-package database for a complete list of installed packages. The output of this is piped through a grep search for the string “openoffice”. You can use the command in line 13 to find and purge other groups of packages by simply changing the grep query.
Suppose you also want to get rid of The GIMP, which takes up more than 6.5MB (after compression) on your live CD image. So, swap out the string “openoffice” in the previous command with “gimp”, like this:
14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' ↪|grep gimp`
Other good candidates for removal include non-English language packs (which take up anywhere from 0.5–1.5MB compressed), and multimedia applications such as Rhythmbox, totem and sound-juicer, which take up a few megabytes each, even after compression, and are unlikely to be useful for security purposes.
Decide for yourself. Browse through the list of installed packages with a quick aptitude search ~i |less. If you mistakenly purge something you decide you actually need, you always can exit the chroot jail and re-execute the rsync command on line 06.
aptitude vs. apt-get
Note that I'm using apt-get here, rather than the more-sophisticated aptitude. This is because one of aptitude's key features, the ability to delete packages that are no longer necessary automatically, can be dangerous when used on any system on which packages have been installed by any tool other than aptitude.
Because aptitude maintains its own database of installation histories, it can miss key dependencies in this context and remove packages that you do, in fact, need. Therefore, you should use aptitude only to remove programs that you installed with aptitude. If you later need to undo an installation that included automatically installed dependencies, you can use apt-get autoremove <packagename> to achieve the same thing.
So, now you've made room for your custom toolkit. If you want to use your live CD for anonymous Web surfing, you may want to install Tor and Privoxy. First, you need to update your custom root filesystem's package database to synchronize it with the sources.list file you copied over in line 08:
15-# apt-get update
Now, you can use apt-get install just as you would on any other live system to install your custom packages:
16-# apt-get install tor privoxy
As a professional paranoiac, I'd be remiss if I didn't point out that both of these packages are from Ubuntu's universe repository, and as such, they aren't provided with the same level of support as packages in the main and restricted repositories, although the Ubuntu MOTO Security Team does its best to keep up with security patches. This is a trade-off you'll probably find yourself making frequently, however. As I pointed out in my column in the March 2008 issue, many of Ubuntu's most useful security utilities are available only in the universe and metaverse repositories.
After you've installed your custom applications, make sure your entire system is fully patched. As with any other Ubuntu (or other Debian-based) system, you can use apt-get dist-upgrade. Because this will result in quite a bit of updates being downloaded and installed, and because space is at a premium on our ISO image, immediately follow the upgrade with a clean:
17-# apt-get dist-upgrade 18-# apt-get clean
Come to think of it, this one step—upgrading the live CD's packages—may be the only security-related reason you need to customize your live CD. Applying security patches is that important!
There's just one more thing to do before packing up your new ISO: custom configuration. You may want to edit the hosts or resolv.conf files you copied over before (or, after exiting the chroot jail, you simply may want to copy over them with the originals from ./isonew/squashfs/etc). You may want to preconfigure Tor by editing /etc/tor/torrc and /etc/tor/tor-socks.conf, and Privoxy via the files in /etc/privoxy.
As with removing and installing packages, this process is the same as on any other system: fire up your (non-GUI) text editor of choice (nano, vi and ed are all present in the standard Ubuntu ISO), and edit anything that needs editing.
Are you done customizing? If so, you can take your Red Pill and exit the Matrix—I mean, the chroot jail. On your way out, empty the /tmp directory, and unmount the chrooted /proc and /sys filesystems:
19-# rm -rf /tmp/* 20-# umount /proc/ 21-# umount /sys/ 22-# exit
You're back in reality (at least, back in your previous working directory on the underlying system). Before you pack up your ISO, you'll have to build a new manifest file (a list of all packages in the new live CD root filesystem), recompress the customized root filesystem into a squashfs file and regenerate the md5sum of your live CD files.
First, to rebuild your manifest file:
23-$ chmod +w ./isonew/cd/casper/filesystem.manifest 24-$ sudo chroot ./isonew/custom dpkg-query -W --showformat='${Package} ↪${Version}\n' > ./isonew/cd/casper/filesystem.manifest 25-$ sudo cp ./isonew/cd/casper/filesystem.manifest ↪./isonew/cd/casper/filesystem.manifest-desktop
In line 23, you made the old manifest file writeable, so you could copy over it. In line 24, you temporarily popped back into the root filesystem chroot jail to generate the package list with dpkg-query. And in line 25, you copied the new manifest into an identical file called filesystem.manifest-desktop.
Now you can resquash your root filesystem:
26-$ sudo mksquashfs ./isonew/custom ↪./isonew/cd/casper/filesystem.squashfs
If you like, you can edit the DISKNAME parameter in the file ./isonew/README.diskdefines. Regardless, next you should regenerate your live CD's md5sum, so you can detect tampering later on:
27-$ sudo rm ./isonew/cd/md5sum.txt 28-$ sudo -s 29-# cd ./isonew/cd 30-# find . -type f -print0 | xargs -0 md5sum > md5sum.txt 31-# exit
And, you've reached the final step. Now you can write your finished ISO image file:
32-$ cd ./isonew/cd 33-$ sudo mkisofs -r -V "Ubuntu-Live-PrivateSurf" -b ↪isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l ↪-no-emul-boot -boot-load-size 4 -boot-info-table -o ↪~/Ubuntu-Live-7.10-PrivateSurf.iso .
Your home directory now contains a new customized live CD ISO file, named Ubuntu-Live-7.10-PrivateSurf.iso. You can boot it directly from hard disk using VMware, QEMU or some other virtualization engine to test it. Or, of course, simply burn it to CD using your CD-writing utility of choice.
You've now got the basic technique for customizing an Ubuntu live CD. Although I didn't go into much depth showing actual customizations beyond removing and adding packages, I'll continue this series next time with detailed guidance on bundling and preconfiguring specific security tools into your live CD.
Until then, have fun experimenting with live CDs, and of course, be safe!
Appendix
Here's the complete procedure, in the form of a raw list of all commands described in this article. The $ prompt indicates commands executed as an unprivileged user, and the # prompt shows commands that are executed by root.
00-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso 01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd ↪./isonew/custom 02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/ 03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/ ↪./isonew/cd 04-$ sudo modprobe squashfs 05-$ sudo mount -t squashfs -o loop ↪./isomount/casper/filesystem.squashfs ./isonew/squashfs/ 06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom 07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/ 08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/ 09-$ sudo chroot ./isonew/custom 10-# mount -t proc none /proc/ 11-# mount -t sysfs none /sys/ 12-# export HOME=/root 13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' ↪|grep openoffice` 14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' ↪|grep gimp` 15-# apt-get update 16-# apt-get install tor privoxy 17-# apt-get dist-upgrade 18-# apt-get clean 19-# rm -rf /tmp/* 20-# umount /proc/ 21-# umount /sys/ 22-# exit 23-$ chmod +w ./isonew/cd/casper/filesystem.manifest 24-$ sudo chroot ./isonew/custom dpkg-query -W --showformat='${Package} ↪${Version}\n' > ./isonew/cd/casper/filesystem.manifest 25-$ sudo cp ./isonew/cd/casper/filesystem.manifest ↪./isonew/cd/casper/filesystem.manifest-desktop 26-$ sudo mksquashfs ./isonew/custom ↪./isonew/cd/casper/filesystem.squashfs 27-$ sudo rm ./isonew/cd/md5sum.txt 28-$ sudo -s 29-# cd ./isonew/cd 30-# find . -type f -print0 | xargs -0 md5sum > md5sum.txt 31-# exit 32-$ cd ./isonew/cd 33-$ sudo mkisofs -r -V "Ubuntu-Live-PrivateSurf" -b ↪isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l ↪-no-emul-boot -boot-load-size 4 -boot-info-table -o ↪~/Ubuntu-Live-7.10-PrivateSurf.iso .
Resources
Debuntu.org's “Customize Your Ubuntu Live CD” Tutorial: www.debuntu.org/how-to-customize-your-ubuntu-live-cd
Jeffery Douglas Waddel's “Secure Boot CDs for VPN HOWTO”: www.linux.org/docs/ldp/howto/Secure-BootCD-VPN-HOWTO.html
Daniel Barlow's “Building Your Own Live CD”: www.linuxjournal.com/article/7246
Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.