Thursday, June 26, 2008

Customizing Linux Live CDs - Ubuntu 8.04 - Desktop

This is based on an article from Linux Journal for Ubuntu 7.04, and I have made some adjustments, marked with the following tags:

my - is where I added something that wasn't there.

myc - is where I corrected something.

----------------------------------------------------------------
Paranoid Penguin - Customizing Linux Live CDs, Part I
May 1st, 2008 by Mick Bauer


Make your desktop completely portable with a custom live CD.

In my recent column “Security Features in Ubuntu” (LJ, March 2008), I mentioned that the live CD method of running Linux from a CD-ROM or DVD rather than directly from a hard drive has important and useful security ramifications. I went on to promise that this would be the topic of a future column.

Never one to renege on a promise, this month I bring you the first of a multipart series about Linux live CDs. In this month's column, I describe some security usages for bootable Linux CDs and demonstrate a quick-and-easy way to customize the standard Ubuntu Desktop CD that allows you to change its included bundle of software.

Uses of Bootable Linux CDs

At this point, you may be wondering, “What's the big deal about bootable Linux CDs? Aren't all Linux installation CDs bootable?”

On the one hand, yes. Linux installation CDs always have been bootable. But, not all Linux installation CDs offer you the option of simply running Linux from the CD without installing it right away. This is the difference between a live Linux CD and an installer CD.

Live CDs are especially handy for trying out a distribution before committing it to your hard disk. Usually, they include an installer applet that makes it easy to make that commitment, if you so choose. But, these are very general live CD uses.

For the security-conscious user, or for the conscientious-security user (but not for the unconscious user), live CDs also are useful, among other things, for the following:

* Using untrusted hardware, such as public-use PCs at coffee shops.

* Analyzing computers that may have been compromised.

* Recovering data from systems that no longer boot for some reason.

* Running software you'd prefer not to install on your hard disk.

Depending on your needs, you might be perfectly happy using an existing Linux live CD distribution, such as Knoppix, BackTrack or Ubuntu Desktop. But, what if you want to apply the very latest security patches to the live CD's installed applications? What if your favorite live CD lacks an application you really need? Or, what if you don't want to have to configure things manually, such as network settings, after every single time you boot?

These are some of the many reasons you might want to customize your Linux live CD. For the remainder of this month's column, I walk through the process of patching and adding security software to Ubuntu Desktop 7.10. Much of what follows applies directly to other squashfs-based distributions, such as Linux Mint, SLAX and BackTrack, and indirectly to most other live CD distributions.

Prerequisites

Before you can customize your Ubuntu Desktop live CD, you need several things:

1. An ISO file for the current version of Ubuntu Desktop (or Linux Mint).

2. The squashfs-tools package installed on your system.

3. The mkisofs package installed on your system.

You can get the ISO file in one of two ways: download it from www.ubuntu.com, or create it from an actual Ubuntu CD via the dd command, like this:

bash-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso

For the remainder of this article, I assume your ISO image resides in your home directory. I also assume you're running Ubuntu, but if you aren't, for commands that begin with sudo, you instead should do whatever else you usually do to become root temporarily (for example, su or su -c).

The squashfs-tools package provides utilities for creating and mounting squashfs filesystems. Most of an Ubuntu live CD is taken up by one enormous squashfs image that is uncompressed and mounted as / when you boot the CD. To remaster the CD, you need to mount a copy of its squashfs image, change various files and directories in it, and save the edited directory structure as a new squashfs image.

Finally, you'll use the mkisofs command to convert the various files and directories you've just edited into a single ISO image file.

In describing how these three prerequisites relate to each other, I also discuss the three stages of the live CD remastering process: mounting the squashfs image, changing it in various ways and incorporating it into a new ISO image.

The Procedure

The procedure I'm about to step through is based on the one at www.debuntu.org (see Resources). Much of what follows won't be very security-focused; in subsequent columns, I'll go into greater depth in applying this stuff to security applications. Right now, my immediate goal is to tell you what you need to know to begin experimenting with your own customized live CDs right away, and I'm sure you'll think of cool things to do between now and my next column.

In demonstrating these commands, I'm going to try a new convention that bends reality a little bit and will number each bash-prompt: 01-$, 02-$, and so on. This way, I'll be able to refer to each command by line number. We'll see whether this helps, or whether I'm just getting nostalgic for my BASIC programming days—send me an e-mail if you have an opinion either way.

First, log on as a nonprivileged user, open a command window (none of what we do here will require the X Window System), and navigate to your home directory. Type this command to create mountpoints for the old ISO image and its squashfs image, a top-level directory for creating the new CD file hierarchy and a directory for rebuilding the root filesystem that will become the new squashfs image:

01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd ./isonew/custom

Next, mount the original ISO image, and copy everything in it, except the squashfs image itself, into the ./isonew/cd directory:

02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/

03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/ ./isonew/cd

Line 03 uses rsync rather than cp, so you don't need to repopulate the isonew/cd directory every time you make a new ISO image. Whenever rsync encounters identical files, it copies only the differences in the new file to the old one, rather than copying the entire file (if there are no differences, it leaves the “target” version alone).

Note: if you're working within some directory other than your home directory, and if that directory is on a Windows partition rather than a native Linux partition (such as ext2, ext3 or ReiserFS), you'll get many errors when copying files around—some of which may cause this procedure to fail. You don't need to do all of this within your home directory, but you should do it on a Linux partition.

You've copied the skeleton of the original CD into isonew/cd, so now you can get busy with the squashed root filesystem by enabling squashfs support in your running kernel and mounting the squashfs image:

04-$ sudo modprobe squashfs

05-$ sudo mount -t squashfs -o loop ./isomount/casper/filesystem.squashfs ./isonew/squashfs/

Next, copy the original root filesystem into the rebuild directory:

06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom

Before you enter the Matrix by chrooting into this root filesystem and customizing it, you should make sure networking and the apt system will work once you do, by copying some configuration files from your running system:

07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/

08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/

This assumes, of course, that your running system is communicating with the network properly and that its sources.list file includes entries for the universe, multiverse and partner repositories (or anywhere else from whence you intend to obtain packages). If you have anything else you'd like to include in your custom live CD, such as other configuration files, documents, images and so on, now is a good time to copy those over too. Just remember that space is precious.

Now you're ready to enter your new root filesystem. I've written extensively about using chroot jails to contain server dæmons, so that if they're hijacked, the attacker gains access to only a small subset of your filesystem. Well, right now, you're about to chroot yourself, so that all changes you make—adding and removing packages, downloading updates, editing configuration files and so on—are applied to your custom ISO's root filesystem, not your underlying system's root filesystem.

Here's how to swallow the Blue Pill:

09-$ sudo chroot ./isonew/custom

From this point on, until you type the command exit (step 22, below), you'll be in an environment in which / is no longer your underlying filesystem's root, but actually /home/you/isonew/custom (where /home/you is your local home directory, or wherever else you created the isonew hierarchy).

Now that you're jacked in, you need to bring the proc and sysfs filesystems on-line, so that your “real” system's kernel can interact properly with the “fake” system represented by your soon-to-be-customized root filesystem. Now, set your home directory to /root (actually /home/you/isonew/custom/root):

10-# mount -t proc none /proc/

11-# mount -t sysfs none /sys/

11.5(my)-# mount -t devpts none /dev/pts

12-# export HOME=/root

Note that the prompts in my examples have switched to # from $, indicating that you're now running in a root shell. This is necessary, because you'll need to be root in order to exit the chroot jail you've voluntarily entered.

Now you're ready to customize. This is the part when you don't necessarily need my help; you can be creative. For example purposes though, let's make some space for new packages and update the ones that are left.

What are you going to use your new live CD for? Secure Web browsing using untrusted hardware isn't a bad start. You shouldn't need OpenOffice.org for that, and it takes up something like 85MB of your compressed squashfs image (remember, a standard CD ISO can't be larger than 650MB).

You can remove OpenOffice.org, plus a couple of things upon which only OpenOffice.org depends, like this:

13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' | grep openoffice`

Did you notice the embedded dpkg-query...|grep... command? It queries the root filesystem's deb-package database for a complete list of installed packages. The output of this is piped through a grep search for the string “openoffice”. You can use the command in line 13 to find and purge other groups of packages by simply changing the grep query.

Suppose you also want to get rid of The GIMP, which takes up more than 6.5MB (after compression) on your live CD image. So, swap out the string “openoffice” in the previous command with “gimp”, like this:

14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' | grep gimp`

Other good candidates for removal include non-English language packs (which take up anywhere from 0.5–1.5MB compressed), and multimedia applications such as Rhythmbox, totem and sound-juicer, which take up a few megabytes each, even after compression, and are unlikely to be useful for security purposes.

Decide for yourself. Browse through the list of installed packages with a quick aptitude search ~i |less. If you mistakenly purge something you decide you actually need, you always can exit the chroot jail and re-execute the rsync command on line 06.

aptitude vs. apt-get

Note that I'm using apt-get here, rather than the more-sophisticated aptitude. This is because one of aptitude's key features, the ability to delete packages that are no longer necessary automatically, can be dangerous when used on any system on which packages have been installed by any tool other than aptitude.

Because aptitude maintains its own database of installation histories, it can miss key dependencies in this context and remove packages that you do, in fact, need. Therefore, you should use aptitude only to remove programs that you installed with aptitude. If you later need to undo an installation that included automatically installed dependencies, you can use apt-get autoremove to achieve the same thing.

So, now you've made room for your custom toolkit. If you want to use your live CD for anonymous Web surfing, you may want to install Tor and Privoxy. First, you need to update your custom root filesystem's package database to synchronize it with the sources.list file you copied over in line 08:

15-# apt-get update

Now, you can use apt-get install just as you would on any other live system to install your custom packages:

16-# apt-get install tor privoxy

As a professional paranoiac, I'd be remiss if I didn't point out that both of these packages are from Ubuntu's universe repository, and as such, they aren't provided with the same level of support as packages in the main and restricted repositories, although the Ubuntu MOTU Security Team does its best to keep up with security patches. This is a trade-off you'll probably find yourself making frequently, however. As I pointed out in my column in the March 2008 issue, many of Ubuntu's most useful security utilities are available only in the universe and multiverse repositories.

After you've installed your custom applications, make sure your entire system is fully patched. As with any other Ubuntu (or other Debian-based) system, you can use apt-get dist-upgrade. Because this will result in quite a bit of updates being downloaded and installed, and because space is at a premium on our ISO image, immediately follow the upgrade with a clean:

17-# apt-get dist-upgrade

18-# apt-get clean

Come to think of it, this one step—upgrading the live CD's packages—may be the only security-related reason you need to customize your live CD. Applying security patches is that important!

There's just one more thing to do before packing up your new ISO: custom configuration. You may want to edit the hosts or resolv.conf files you copied over before (or, after exiting the chroot jail, you simply may want to copy over them with the originals from ./isonew/squashfs/etc). You may want to preconfigure Tor by editing /etc/tor/torrc and /etc/tor/tor-socks.conf, and Privoxy via the files in /etc/privoxy.

As with removing and installing packages, this process is the same as on any other system: fire up your (non-GUI) text editor of choice (nano, vi and ed are all present in the standard Ubuntu ISO), and edit anything that needs editing.

Are you done customizing? If so, you can take your Red Pill and exit the Matrix—I mean, the chroot jail. On your way out, empty the /tmp directory, and unmount the chrooted /proc and /sys filesystems:

19-# rm -rf /tmp/*

20-# umount /proc/

21-# umount /sys/

21.5(my)-# umount /dev/pts

22-# exit

You're back in reality (at least, back in your previous working directory on the underlying system). Before you pack up your ISO, you'll have to build a new manifest file (a list of all packages in the new live CD root filesystem), recompress the customized root filesystem into a squashfs file and regenerate the md5sum of your live CD files.

First, to rebuild your manifest file:

23(myc)-$ chmod a+w ./isonew/cd/casper/filesystem.manifest

24-$ sudo chroot ./isonew/custom dpkg-query -W --showformat='${Package} ${Version}\n' > ./isonew/cd/casper/filesystem.manifest

25-$ sudo cp ./isonew/cd/casper/filesystem.manifest ./isonew/cd/casper/filesystem.manifest-desktop

In line 23, you made the old manifest file writeable, so you could copy over it. In line 24, you temporarily popped back into the root filesystem chroot jail to generate the package list with dpkg-query. And in line 25, you copied the new manifest into an identical file called filesystem.manifest-desktop.
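
To audit what the remaster actually changed, the new manifest from line 24 can be compared with the original one, which is still readable at ./isomount/casper/filesystem.manifest; the second function checks that a purge like the ones in lines 13 and 14 left nothing behind. This is an added example, not part of the article, and the function names and sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): compare two casper manifests.
# Each manifest line is "package version", as written by line 24.

# manifest_diff OLD NEW
# Prints one sorted line per difference: added, changed or removed.
manifest_diff() {
    awk '
        NF < 2              { next }                  # skip blank or short lines
        FILENAME == ARGV[1] { was[$1] = $2; next }    # first file: original CD
                            { now[$1] = $2 }          # second file: remaster
        END {
            for (p in was) {
                if (!(p in now))           print "removed", p, was[p]
                else if (was[p] != now[p]) print "changed", p, was[p], "->", now[p]
            }
            for (p in now)
                if (!(p in was))           print "added", p, now[p]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# manifest_leftovers MANIFEST STRING
# Prints every package whose name still contains STRING (the same substring
# match as the grep in lines 13 and 14). No output means the purge was complete.
manifest_leftovers() {
    awk -v s="$2" 'NF >= 2 && index($1, s) { print $1 }' "$1"
}

# make_sample_manifests DIR
# Writes constructed sample data (package versions are made up).
make_sample_manifests() {
    cat > "$1/old.manifest" <<'EOF'
bash 1.0-1
firefox 2.0-1
gimp 2.4-1
openoffice.org-core 2.3-1
EOF
    cat > "$1/new.manifest" <<'EOF'
bash 1.0-1
firefox 2.0-2
privoxy 3.0-1
tor 0.1-1
EOF
}

# Demo on the constructed manifests.
demo_dir=$(mktemp -d)
make_sample_manifests "$demo_dir"
manifest_diff "$demo_dir/old.manifest" "$demo_dir/new.manifest"
echo "openoffice packages left: $(manifest_leftovers "$demo_dir/new.manifest" openoffice | wc -l)"
rm -rf "$demo_dir"
```

On the real tree the call is manifest_diff ./isomount/casper/filesystem.manifest ./isonew/cd/casper/filesystem.manifest; any "added" line you did not ask for is a dependency that apt-get pulled in.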

Now you can resquash your root filesystem:

26-$ sudo mksquashfs ./isonew/custom ./isonew/cd/casper/filesystem.squashfs

If you like, you can edit the DISKNAME parameter in the file ./isonew/cd/README.diskdefines. Regardless, next you should regenerate your live CD's md5sum, so you can detect tampering later on:

27-$ sudo rm ./isonew/cd/md5sum.txt

28-$ sudo -s

29-# cd ./isonew/cd

30-# find . -type f ! -name md5sum.txt -print0 | xargs -0 md5sum > md5sum.txt

31-# exit
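
A fuller version of lines 27 to 31, added here as an example and not taken from the article: it leaves md5sum.txt itself and the two boot files out of the list (mkisofs generates isolinux/boot.cat and, with -boot-info-table, patches isolinux/isolinux.bin after the list is written) and then checks the tree against it. The function names and the sample tree are constructed for illustration; because md5sum.txt travels on the same disc as the files it covers, the last function records a SHA-256 of the finished ISO to keep somewhere else.

```shell
#!/bin/sh
# Added example (not from the article): build and check md5sum.txt for the
# CD tree. Paths below the CD root follow the article's layout.

# write_md5sums CDROOT
# Hash every regular file except the list itself and the two boot files
# that change when the ISO is built.
write_md5sums() (
    cd "$1" || exit 1
    tmp=$(mktemp) || exit 1          # built outside the tree, then moved in
    find . -type f \
        ! -path ./md5sum.txt \
        ! -path ./isolinux/boot.cat \
        ! -path ./isolinux/isolinux.bin \
        -exec md5sum {} + | LC_ALL=C sort -k 2 > "$tmp" || exit 1
    mv "$tmp" md5sum.txt && chmod 644 md5sum.txt
)

# verify_md5sums CDROOT
# Prints the path of every file that is missing or no longer matches.
# Returns 0 when everything verifies, 1 otherwise.
verify_md5sums() (
    cd "$1" || exit 2
    failed=$(md5sum -c md5sum.txt 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -z "$failed" ] && exit 0
    printf '%s\n' "$failed"
    exit 1
)

# iso_fingerprint FILE
# SHA-256 of the finished image, to be stored away from the disc.
iso_fingerprint() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# make_sample_cd DIR
# Constructed stand-in for ./isonew/cd (file contents are placeholders).
make_sample_cd() {
    mkdir -p "$1/casper" "$1/isolinux"
    printf 'constructed squashfs stand-in\n' > "$1/casper/filesystem.squashfs"
    printf 'bash 1.0-1\n' > "$1/casper/filesystem.manifest"
    printf 'constructed boot image\n' > "$1/isolinux/isolinux.bin"
}

# Demo on the constructed tree: change one file and show that it is reported.
demo_cd=$(mktemp -d)
make_sample_cd "$demo_cd"
write_md5sums "$demo_cd"
printf 'tampered\n' >> "$demo_cd/casper/filesystem.squashfs"
echo "files failing verification:"
verify_md5sums "$demo_cd" || true
rm -rf "$demo_cd"
```

On the real tree, run write_md5sums ./isonew/cd as root in place of lines 27 to 31, and iso_fingerprint on the ISO once line 33 has written it.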

And, you've reached the final step. Now you can write your finished ISO image file:

32-$ cd ./isonew/cd

33(myc)-$ sudo mkisofs -r -V "Ubuntu-Live-PrivateSurf" -b isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l -no-emul-boot -boot-load-size 4 -boot-info-table -o ~/Ubuntu-Live-7.10-PrivateSurf.iso -pathspec ./

Your home directory now contains a new customized live CD ISO file, named Ubuntu-Live-7.10-PrivateSurf.iso. You can boot it directly from hard disk using VMware, QEMU or some other virtualization engine to test it. Or, of course, simply burn it to CD using your CD-writing utility of choice.

Conclusion

You've now got the basic technique for customizing an Ubuntu live CD. Although I didn't go into much depth showing actual customizations beyond removing and adding packages, I'll continue this series next time with detailed guidance on bundling and preconfiguring specific security tools into your live CD.

Until then, have fun experimenting with live CDs, and of course, be safe!

Appendix

Here's the complete procedure, in the form of a raw list of all commands described in this article. The $ prompt indicates commands executed as an unprivileged user, and the # prompt shows commands that are executed by root.

00-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso

01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd ./isonew/custom

02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/

03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/ ./isonew/cd

04-$ sudo modprobe squashfs

05-$ sudo mount -t squashfs -o loop ./isomount/casper/filesystem.squashfs ./isonew/squashfs/

06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom

07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/

08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/

09-$ sudo chroot ./isonew/custom

10-# mount -t proc none /proc/

11-# mount -t sysfs none /sys/

11.5(my)-# mount -t devpts none /dev/pts

12-# export HOME=/root

13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' |grep openoffice`

14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n' |grep gimp`

15-# apt-get update

16-# apt-get install tor privoxy

17-# apt-get dist-upgrade

18-# apt-get clean

19-# rm -rf /tmp/*

20-# umount /proc/

21-# umount /sys/

21.5(my)-# umount /dev/pts

22-# exit

23(myc)-$ chmod a+w ./isonew/cd/casper/filesystem.manifest

24-$ sudo chroot ./isonew/custom dpkg-query -W --showformat='${Package} ${Version}\n' > ./isonew/cd/casper/filesystem.manifest

25-$ sudo cp ./isonew/cd/casper/filesystem.manifest ./isonew/cd/casper/filesystem.manifest-desktop

26-$ sudo mksquashfs ./isonew/custom ./isonew/cd/casper/filesystem.squashfs

27-$ sudo rm ./isonew/cd/md5sum.txt

28-$ sudo -s

29-# cd ./isonew/cd

30-# find . -type f ! -name md5sum.txt -print0 | xargs -0 md5sum > md5sum.txt

31-# exit

32-$ cd ./isonew/cd

33(myc)-$ sudo mkisofs -r -V "Ubuntu-Live-PrivateSurf" -b isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l -no-emul-boot -boot-load-size 4 -boot-info-table -o ~/Ubuntu-Live-7.10-PrivateSurf.iso -pathspec ./

Resources

Debuntu.org's “Customize Your Ubuntu Live CD” Tutorial: www.debuntu.org/how-to-customize-your-ubuntu-live-cd

Jeffery Douglas Waddel's “Secure Boot CDs for VPN HOWTO”: www.linux.org/docs/ldp/howto/Secure-BootCD-VPN-HOWTO.html

Daniel Barlow's “Building Your Own Live CD”: www.linuxjournal.com/article/7246

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.

Copyright © 1994 - 2008 Linux Journal. All rights reserved.



Taken From: Linux Journal, nº 169 May 2008 - Customizing Linux Live CDs, Part I,
by Mick Bauer's Paranoid Penguin

Customizing Linux Live CDs - Ubuntu 7.10 - Desktop

Paranoid Penguin - Customizing Linux Live CDs, Part I
May 1st, 2008 by Mick Bauer in

Make your desktop completely portable with a custom live CD.

In my recent column “Security Features in Ubuntu” (LJ, March 2008), I mentioned that the live CD method of running Linux from a CD-ROM or DVD rather than directly from a hard drive has important and useful security ramifications. I went on to promise that this would be the topic of a future column.

Never one to renege on a promise, this month I bring you the first of a multipart series about Linux live CDs. In this month's column, I describe some security usages for bootable Linux CDs and demonstrate a quick-and-easy way to customize the standard Ubuntu Desktop CD that allows you to change its included bundle of software.
Uses of Bootable Linux CDs

At this point, you may be wondering, “What's the big deal about bootable Linux CDs? Aren't all Linux installation CDs bootable?”

On the one hand, yes. Linux installation CDs always have been bootable. But, not all Linux installation CDs offer you the option of simply running Linux from the CD without installing it right away. This is the difference between a live Linux CD and an installer CD.

Live CDs are especially handy for trying out a distribution before committing it to your hard disk. Usually, they include an installer applet that makes it easy to make that commitment, if you so choose. But, these are very general live CD uses.

For the security-conscious user, or for the conscientious-security user (but not for the unconscious user), live CDs also are useful, among other things, for the following:

* Using untrusted hardware, such as public-use PCs at coffee shops.

* Analyzing computers that may have been compromised.

* Recovering data from systems that no longer boot for some reason.

* Running software you'd prefer not to install on your hard disk.

Depending on your needs, you might be perfectly happy using an existing Linux live CD distribution, such as Knoppix, BackTrack or Ubuntu Desktop. But, what if you want to apply the very latest security patches to the live CD's installed applications? What if your favorite live CD lacks an application you really need? Or, what if you don't want to have to configure things manually, such as network settings, after every single time you boot?

These are some of the many reasons you might want to customize your Linux live CD. For the remainder of this month's column, I walk through the process of patching and adding security software to Ubuntu Desktop 7.10. Much of what follows applies directly to other squashfs-based distributions, such as Linux Mint, SLAX and BackTrack, and indirectly to most other live CD distributions.
Prerequisites

Before you can customize your Ubuntu Desktop live CD, you need several things:

1. An ISO file for the current version of Ubuntu Desktop (or Linux Mint).

2. The squashfs-tools package installed on your system.

3. The mkisofs package installed on your system.

You can get the ISO file in one of two ways: download it from www.ubuntu.com, or create it from an actual Ubuntu CD via the dd command, like this:

bash-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso

For the remainder of this article, I assume your ISO image resides in your home directory. I also assume you're running Ubuntu, but if you aren't, for commands that begin with sudo, you instead should do whatever else you usually do to become root temporarily (for example, su or su -c).

The squashfs-tools package provides utilities for creating and mounting squashfs filesystems. Most of an Ubuntu live CD is taken up by one enormous squashfs image that is uncompressed and mounted as / when you boot the CD. To remaster the CD, you need to mount a copy of its squashfs image, change various files and directories in it, and save the edited directory structure as a new squashfs image.

Finally, you'll use the mkisofs command to convert the various files and directories you've just edited into a single ISO image file.

In describing how these three prerequisites relate to each other, I also discuss the three stages of the live CD remastering process: mounting the squashfs image, changing it in various ways and incorporating it into a new ISO image.
The Procedure

The procedure I'm about to step through is based on the one at www.debuntu.org (see Resources). Much of what follows won't be very security-focused; in subsequent columns, I'll go into greater depth in applying this stuff to security applications. Right now, my immediate goal is to tell you what you need to know to begin experimenting with your own customized live CDs right away, and I'm sure you'll think of cool things to do between now and my next column.

In demonstrating these commands, I'm going to try a new convention that bends reality a little bit and will number each bash-prompt: 01-$, 02-$, and so on. This way, I'll be able to refer to each command by line number. We'll see whether this helps, or whether I'm just getting nostalgic for my BASIC programming days—send me an e-mail if you have an opinion either way.

First, log on as a nonprivileged user, open a command window (none of what we do here will require the X Window System), and navigate to your home directory. Type this command to create mountpoints for the old ISO image and its squashfs image, a top-level directory for creating the new CD file hierarchy and a directory for rebuilding the root filesystem that will become the new squashfs image:

01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd ./isonew/custom

Next, mount the original ISO image, and copy everything in it, except the squashfs image itself, into the ./isonew/cd directory:

02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/

03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/
↪./isonew/cd

Line 03 uses rsync rather than cp, so you don't need to repopulate the isonew/cd directory every time you make a new ISO image. Whenever rsync encounters identical files, it copies only the differences in the new file to the old one, rather than copying the entire file (if there are no differences, it leaves the “target” version alone).

Note: if you're working within some directory other than your home directory, and if that directory is on a Windows partition rather than a native Linux partition (such as ext2, ext3 or ReiserFS), you'll get many errors when copying files around—some of which may cause this procedure to fail. You don't need to do all of this within your home directory, but you should do it on a Linux partition.

You've copied the skeleton of the original CD into isonew/cd, so now you can get busy with the squashed root filesystem by enabling squashfs support in your running kernel and mounting the squashfs image:

04-$ sudo modprobe squashfs

05-$ sudo mount -t squashfs -o loop
↪./isomount/casper/filesystem.squashfs ./isonew/squashfs/

Next, copy the original root filesystem into the rebuild directory:

06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom

Before you enter the Matrix by chrooting into this root filesystem and customizing it, you should make sure networking and the apt system will work once you do, by copying some configuration files from your running system:

07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/

08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/

This assumes, of course, that your running system is communicating with the network properly and that its sources.list file includes entries for the universe, multiverse and partner repositories (or anywhere else from whence you intend to obtain packages). If you have anything else you'd like to include in your custom live CD, such as other configuration files, documents, images and so on, now is a good time to copy those over too. Just remember that space is precious.

Now you're ready to enter your new root filesystem. I've written extensively about using chroot jails to contain server dæmons, so that if they're hijacked, the attacker gains access to only a small subset of your filesystem. Well, right now, you're about to chroot yourself, so that all changes you make—adding and removing packages, downloading updates, editing configuration files and so on—are applied to your custom ISO's root filesystem, not your underlying system's root filesystem.

Here's how to swallow the Blue Pill:

09-$ sudo chroot ./isonew/custom

From this point on, until you type the command exit (step 22, below), you'll be in an environment in which / is no longer your underlying filesystem's root, but actually /home/you/isonew/custom (where /home/you is your local home directory, or wherever else you created the isonew hierarchy).

Now that you're jacked in, you need to bring the proc and sysfs filesystems on-line, so that your “real” system's kernel can interact properly with the “fake” system represented by your soon-to-be-customized root filesystem. Now, set your home directory to /root (actually /home/you/isonew/custom/root):

10-# mount -t proc none /proc/

11-# mount -t sysfs none /sys/

12-# export HOME=/root

Note that the prompts in my examples have switched to # from $, indicating that you're now running in a root shell. This is necessary, because you'll need to be root in order to exit the chroot jail you've voluntarily entered.

Now you're ready to customize. This is the part when you don't necessarily need my help; you can be creative. For example purposes though, let's make some space for new packages and update the ones that are left.

What are you going to use your new live CD for? Secure Web browsing using untrusted hardware isn't a bad start. You shouldn't need OpenOffice.org for that, and it takes up something like 85MB of your compressed squashfs image (remember, a standard CD ISO can't be larger than 650MB).

You can remove OpenOffice.org, plus a couple of things upon which only OpenOffice.org depends, like this:

13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n'
↪|grep openoffice`

Did you notice the embedded dpkg-query...|grep... command? It queries the root filesystem's deb-package database for a complete list of installed packages. The output of this is piped through a grep search for the string “openoffice”. You can use the command in line 13 to find and purge other groups of packages by simply changing the grep query.

Suppose you also want to get rid of The GIMP, which takes up more than 6.5MB (after compression) on your live CD image. So, swap out the string “openoffice” in the previous command with “gimp”, like this:

14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n'
↪|grep gimp`

Other good candidates for removal include non-English language packs (which take up anywhere from 0.5–1.5MB compressed), and multimedia applications such as Rhythmbox, totem and sound-juicer, which take up a few megabytes each, even after compression, and are unlikely to be useful for security purposes.

Decide for yourself. Browse through the list of installed packages with a quick aptitude search ~i |less. If you mistakenly purge something you decide you actually need, you always can exit the chroot jail and re-execute the rsync command on line 06.

aptitude vs. apt-get

Note that I'm using apt-get here, rather than the more-sophisticated aptitude. This is because one of aptitude's key features, the ability to delete packages that are no longer necessary automatically, can be dangerous when used on any system on which packages have been installed by any tool other than aptitude.

Because aptitude maintains its own database of installation histories, it can miss key dependencies in this context and remove packages that you do, in fact, need. Therefore, you should use aptitude only to remove programs that you installed with aptitude. If you later need to undo an installation that included automatically installed dependencies, you can use apt-get autoremove to achieve the same thing.

So, now you've made room for your custom toolkit. If you want to use your live CD for anonymous Web surfing, you may want to install Tor and Privoxy. First, you need to update your custom root filesystem's package database to synchronize it with the sources.list file you copied over in line 08:

15-# apt-get update

Now, you can use apt-get install just as you would on any other live system to install your custom packages:

16-# apt-get install tor privoxy

As a professional paranoiac, I'd be remiss if I didn't point out that both of these packages are from Ubuntu's universe repository, and as such, they aren't provided with the same level of support as packages in the main and restricted repositories, although the Ubuntu MOTU Security Team does its best to keep up with security patches. This is a trade-off you'll probably find yourself making frequently, however. As I pointed out in my column in the March 2008 issue, many of Ubuntu's most useful security utilities are available only in the universe and multiverse repositories.

After you've installed your custom applications, make sure your entire system is fully patched. As with any other Ubuntu (or other Debian-based) system, you can use apt-get dist-upgrade. Because this will result in quite a few updates being downloaded and installed, and because space is at a premium on our ISO image, immediately follow the upgrade with a clean:

17-# apt-get dist-upgrade

18-# apt-get clean

Come to think of it, this one step—upgrading the live CD's packages—may be the only security-related reason you need to customize your live CD. Applying security patches is that important!

There's just one more thing to do before packing up your new ISO: custom configuration. You may want to edit the hosts or resolv.conf files you copied over before (or, after exiting the chroot jail, you simply may want to copy over them with the originals from ./isonew/squashfs/etc). You may want to preconfigure Tor by editing /etc/tor/torrc and /etc/tor/tor-socks.conf, and Privoxy via the files in /etc/privoxy.

As with removing and installing packages, this process is the same as on any other system: fire up your (non-GUI) text editor of choice (nano, vi and ed are all present in the standard Ubuntu ISO), and edit anything that needs editing.

Are you done customizing? If so, you can take your Red Pill and exit the Matrix—I mean, the chroot jail. On your way out, empty the /tmp directory, and unmount the chrooted /proc and /sys filesystems:

19-# rm -rf /tmp/*

20-# umount /proc/

21-# umount /sys/

22-# exit

You're back in reality (at least, back in your previous working directory on the underlying system). Before you pack up your ISO, you'll have to build a new manifest file (a list of all packages in the new live CD root filesystem), recompress the customized root filesystem into a squashfs file and regenerate the md5sum of your live CD files.

First, to rebuild your manifest file:

23-$ chmod +w ./isonew/cd/casper/filesystem.manifest

24-$ sudo chroot ./isonew/custom dpkg-query -W --showformat='${Package}
↪${Version}\n' > ./isonew/cd/casper/filesystem.manifest

25-$ sudo cp ./isonew/cd/casper/filesystem.manifest
↪./isonew/cd/casper/filesystem.manifest-desktop

In line 23, you made the old manifest file writeable, so you could copy over it. In line 24, you temporarily popped back into the root filesystem chroot jail to generate the package list with dpkg-query. And in line 25, you copied the new manifest into an identical file called filesystem.manifest-desktop.
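
Comparing the new manifest with the original disc's manifest shows exactly which packages the customization added, removed or changed, a quick way to confirm that nothing unintended went into the image. The following is an added example, not part of the original article; the function names, the approved list and the sample manifests are constructed, and it assumes the "package version" line format written by line 24.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the approved
# list and the sample manifests are constructed for illustration.

# manifest_diff OLD NEW: one sorted line per package added, removed or changed.
# Both files hold "package version" per line, the format written by line 24.
manifest_diff() {
    awk -v oldf="$1" '
        BEGIN {
            while ((getline line < oldf) > 0) {
                split(line, f, " ")
                if (f[1] != "") old[f[1]] = f[2]
            }
        }
        NF { new[$1] = $2 }
        END {
            for (p in old) if (!(p in new)) print "removed", p, old[p]
            for (p in new) {
                if (!(p in old))           print "added", p, new[p]
                else if (old[p] != new[p]) print "changed", p, old[p], "->", new[p]
            }
        }' "$2" | LC_ALL=C sort
}

# unapproved_additions OLD NEW PKG...: added packages that are not in PKG...
unapproved_additions() {
    old=$1; new=$2; shift 2
    manifest_diff "$old" "$new" |
        awk -v ok=" $* " '$1 == "added" && !index(ok, " " $2 " ") { print $2 }'
}

# Constructed sample manifests; the versions are made up.
demo_dir=$(mktemp -d)
cat > "$demo_dir/old.manifest" <<'EOF'
firefox 1.0
gimp 1.0
openoffice.org-core 1.0
EOF
cat > "$demo_dir/new.manifest" <<'EOF'
firefox 1.1
example-dep 1.0
privoxy 1.0
tor 1.0
EOF

manifest_diff "$demo_dir/old.manifest" "$demo_dir/new.manifest"
echo "added but not on the approved list:"
unapproved_additions "$demo_dir/old.manifest" "$demo_dir/new.manifest" tor privoxy
rm -rf "$demo_dir"
```

On the real tree, the original manifest is still readable at ./isomount/casper/filesystem.manifest while the ISO from line 02 remains mounted.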

Now you can resquash your root filesystem:

26-$ sudo mksquashfs ./isonew/custom
↪./isonew/cd/casper/filesystem.squashfs

If you like, you can edit the DISKNAME parameter in the file ./isonew/README.diskdefines. Regardless, next you should regenerate your live CD's md5sum, so you can detect tampering later on:

27-$ sudo rm ./isonew/cd/md5sum.txt

28-$ sudo -s

29-# cd ./isonew/cd

30-# find . -type f -print0 | xargs -0 md5sum > md5sum.txt

31-# exit
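
Line 30 opens md5sum.txt for writing while find is still walking the directory, so the list can end up containing a digest of its own half-written self; it also hashes isolinux/boot.cat, the boot catalog that mkisofs generates anew for the image in line 33. Both entries can then fail a later check on an untouched disc. The following is an added example, not part of the original article (function names and the sample tree are constructed): it rebuilds the list without those two paths and verifies a tree against it.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the sample
# tree are constructed; the two excluded paths are relative to ./isonew/cd.

# Files that belong in the list: everything except the list itself and the
# boot catalog.
list_files() {
    find . -type f ! -path ./md5sum.txt ! -path ./isolinux/boot.cat "$@"
}

# write_sums DIR: rebuild DIR/md5sum.txt through a temp file outside the tree.
write_sums() (
    cd "$1" || exit 1
    tmp=$(mktemp) || exit 1
    list_files -print0 | sort -z | xargs -0 -r md5sum > "$tmp" || exit 1
    mv "$tmp" md5sum.txt && chmod 644 md5sum.txt
)

# verify_sums DIR: succeed only if every listed file matches its digest and
# the tree holds no file that the list does not mention.
verify_sums() (
    cd "$1" || exit 1
    md5sum -c md5sum.txt >/dev/null 2>&1 || exit 1
    listed=$(sed 's/^[0-9a-f]\{32\}  //' md5sum.txt | sort)
    present=$(list_files | sort)
    [ "$listed" = "$present" ]
)

# Constructed stand-in for ./isonew/cd with a few small files.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/casper" "$t/isolinux"
    echo "examplepkg 1.0" > "$t/casper/filesystem.manifest"
    echo "squashfs placeholder" > "$t/casper/filesystem.squashfs"
    echo "catalog placeholder" > "$t/isolinux/boot.cat"
    echo "$t"
}

tree=$(make_sample_tree)
write_sums "$tree"
verify_sums "$tree" && echo "clean tree: OK"
echo "extra 1.0" >> "$tree/casper/filesystem.manifest"
verify_sums "$tree" || echo "changed manifest: detected"
rm -rf "$tree"
```

md5sum.txt travels on the disc it describes, so it catches corruption rather than deliberate changes; for the latter, keep a SHA-256 digest of the finished ISO somewhere off the disc.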

And, you've reached the final step. Now you can write your finished ISO image file:

32-$ cd ./isonew/cd

33-$ sudo mkisofs -r -V "Ubuntu-Live-PrivateSurf" -b
↪isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l
↪-no-emul-boot -boot-load-size 4 -boot-info-table -o
↪~/Ubuntu-Live-7.10-PrivateSurf.iso .

Your home directory now contains a new customized live CD ISO file, named Ubuntu-Live-7.10-PrivateSurf.iso. You can boot it directly from hard disk using VMware, QEMU or some other virtualization engine to test it. Or, of course, simply burn it to CD using your CD-writing utility of choice.

Conclusion

You've now got the basic technique for customizing an Ubuntu live CD. Although I didn't go into much depth showing actual customizations beyond removing and adding packages, I'll continue this series next time with detailed guidance on bundling and preconfiguring specific security tools into your live CD.

Until then, have fun experimenting with live CDs, and of course, be safe!

Appendix

Here's the complete procedure, in the form of a raw list of all commands described in this article. The $ prompt indicates commands executed as an unprivileged user, and the # prompt shows commands that are executed by root.

00-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso

01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd
↪./isonew/custom

02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/

03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/
↪./isonew/cd

04-$ sudo modprobe squashfs

05-$ sudo mount -t squashfs -o loop
↪./isomount/casper/filesystem.squashfs ./isonew/squashfs/

06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom

07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/

08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/

09-$ sudo chroot ./isonew/custom

10-# mount -t proc none /proc/

11-# mount -t sysfs none /sys/

12-# export HOME=/root

13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n'
↪|grep openoffice`

14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n'
↪|grep gimp`

15-# apt-get update

16-# apt-get install tor privoxy

17-# apt-get dist-upgrade

18-# apt-get clean

19-# rm -rf /tmp/*

20-# umount /proc/

21-# umount /sys/

22-# exit

23-$ chmod +w ./isonew/cd/casper/filesystem.manifest

24-$ sudo chroot ./isonew/custom dpkg-query -W --showformat='${Package}
↪${Version}\n' > ./isonew/cd/casper/filesystem.manifest

25-$ sudo cp ./isonew/cd/casper/filesystem.manifest
↪./isonew/cd/casper/filesystem.manifest-desktop

26-$ sudo mksquashfs ./isonew/custom
↪./isonew/cd/casper/filesystem.squashfs

27-$ sudo rm ./isonew/cd/md5sum.txt

28-$ sudo -s

29-# cd ./isonew/cd

30-# find . -type f -print0 | xargs -0 md5sum > md5sum.txt

31-# exit

32-$ cd ./isonew/cd

33-$ sudo mkisofs -r -V "Ubuntu-Live-PrivateSurf" -b
↪isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l
↪-no-emul-boot -boot-load-size 4 -boot-info-table -o
↪~/Ubuntu-Live-7.10-PrivateSurf.iso .

Resources

Debuntu.org's “Customize Your Ubuntu Live CD” Tutorial: www.debuntu.org/how-to-customize-your-ubuntu-live-cd

Jeffery Douglas Waddel's “Secure Boot CDs for VPN HOWTO”: www.linux.org/docs/ldp/howto/Secure-BootCD-VPN-HOWTO.html

Daniel Barlow's “Building Your Own Live CD”: www.linuxjournal.com/article/7246

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.

Copyright © 1994 - 2008 Linux Journal. All rights reserved.


Taken From: Linux Journal, nº 169 May 2008 - Customizing Linux Live CDs, Part I,
by Mick Bauer's Paranoid Penguin

Monday, June 23, 2008

Asterisk Web Frontend - VoiceOne on Ubuntu 8.04

----------------------------------------
Pre-requisites

# Install Apache with its Documentation #####
$ sudo apt-get install apache2 apache2-doc

# Start Apache (it's probably already started) #####
$ sudo /etc/init.d/apache2 start



# Test Apache #####

Type on Mozilla Firefox: http://127.0.0.1/
It should read: It works!

Note: The web page with the message "It works!" is in the
/var/www directory, which is Apache's root directory;
this is where we are going to install VoiceOne.



# Install MySQL #####

$ sudo apt-get install mysql-server mysql-client
Type the following password for MySQL: voiceone, in the text box
that will be presented to you in the bash shell.



# Install the needed packages #####


$ sudo apt-get update
$ sudo apt-get install sox madplay php5-cgi php-pear asterisk-mysql

$ sudo apt-get install php5 php5-cli php5-common php5-dev
$ sudo apt-get install libapache2-mod-php5
$ sudo apt-get install php5-mhash php5-mysql php5-odbc


Check that Asterisk starts correctly by running /etc/init.d/asterisk start followed by asterisk -r. The remote connection will complain if Asterisk hasn't started properly. Check /var/log/asterisk/messages.log for errors to resolve. You only need Asterisk to run and respond. Don't worry about configuration files yet.

Disable magic quotes in php.ini located in:

/etc/php5/apache2/php.ini
/etc/php5/cgi/php.ini
/etc/php5/cli/php.ini

magic_quotes_gpc = Off



# Create the VoiceOne database in MySQL:

$ mysql -u root -p

mysql> create database voiceone;



# Unpack voiceone 0.6.1 into /var/www directory #####

$ cd /var/www
$ sudo tar xvfz /path_to_voiceone_tar_gz/voiceone-0.6.1.tar.gz



# Using visudo add the following line to the end of /etc/sudoers: #####

$ sudo visudo

www-data ALL=NOPASSWD: /var/www/voiceone_webservices/config/script/vo-tools.sh

Or

$ sudo pico /etc/sudoers

www-data ALL=NOPASSWD: /var/www/voiceone_webservices/config/script/vo-tools.sh



# Edit /etc/asterisk/modules.conf file using gedit (or other):

$ sudo gedit /etc/asterisk/modules.conf


- and add the second line below immediately after the first: #####

;preload => res_config_odbc.so
preload => res_config_mysql.so



# Create a fresh /etc/asterisk/extconfig.conf file using gedit (or other):

$ sudo gedit /etc/asterisk/extconfig.conf

- containing:

[settings]
agents.conf => mysql,voiceone,ast_config
extensions.conf => mysql,voiceone,ast_config
;iax.conf => mysql,voiceone,ast_config
meetme.conf => mysql,voiceone,ast_config
;misdn.conf => mysql,voiceone,ast_config
musiconhold.conf => mysql,voiceone,ast_config
queues.conf => mysql,voiceone,ast_config
sip.conf => mysql,voiceone,ast_config
zapata.conf => mysql,voiceone,ast_config
;iaxusers => mysql,voiceone,iax_buddies
;iaxpeers => mysql,voiceone,iax_buddies
sipusers => mysql,voiceone,sip_buddies
sippeers => mysql,voiceone,sip_buddies
voicemail => mysql,voiceone,voicemail_users
extensions => mysql,voiceone,extensions_table



# Create /etc/asterisk/res_mysql.conf using gedit

$ sudo gedit /etc/asterisk/res_mysql.conf

- file containing:

[general]
dbhost = localhost
dbname = voiceone
dbuser = root
dbpass = voiceone
dbport = 3306
dbsock = /var/run/mysqld/mysqld.sock



# Create /etc/asterisk/cdr_mysql.conf using gedit (or other)

$ sudo gedit /etc/asterisk/cdr_mysql.conf

- file containing:

[global]
hostname=localhost
dbname=voiceone
table=cdr
user=root
password=voiceone
port=3306
sock=/var/run/mysqld/mysqld.sock
userfield=1



# Edit /etc/asterisk/manager.conf using gedit (or other)

$ sudo gedit /etc/asterisk/manager.conf

- and ensure these three lines are included:

[general]
enabled=yes
#include "manager.d/*.conf"



# Create /etc/asterisk/manager.d/voiceone.conf using gedit (or other)

$ sudo mkdir /etc/asterisk/manager.d/

$ sudo gedit /etc/asterisk/manager.d/voiceone.conf

- containing

[admin]
secret=qwerty_123_mnbvc
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read=system,call,log,verbose,command,agent,user
write=system,call,log,verbose,command,agent,user



# Rename config.inc.php.default to config.inc.php in both DOCUMENT_ROOT/voiceone/admin/config and DOCUMENT_ROOT/voiceone_webservices/config (i.e. config.inc.php.default -> config.inc.php), using the following commands:


$ sudo rm -rf /var/www/voiceone/admin/config/config.inc.php

- rename
$ sudo mv /var/www/voiceone/admin/config/config.inc.php.default /var/www/voiceone/admin/config/config.inc.php


$ sudo rm -rf /var/www/voiceone_webservices/config/config.inc.php

- rename
$ sudo mv /var/www/voiceone_webservices/config/config.inc.php.default /var/www/voiceone_webservices/config/config.inc.php



# Edit /var/www/voiceone/admin/config/config.inc.php using gedit (or other)

$ sudo gedit /var/www/voiceone/admin/config/config.inc.php

- and change $soapUsername and $soapHostname to the following:

$soapUsername = "root";
$soapHostname = "localhost";


# Edit /var/www/voiceone_webservices/config/config.inc.php using gedit (or other)

$ sudo gedit /var/www/voiceone_webservices/config/config.inc.php

- and change the following to match:

//Mysql ACCOUNT
$synDBHost = "localhost";
$synDBUser = "root";
$synDBPassword = "voiceone";
$synDBName = "voiceone";


# Enter the following sequence to finish off permissions & paths:

$ cd /var/www
$ sudo chown www-data voiceone -R
$ sudo chown www-data voiceone_webservices -R
$ sudo chmod 777 voiceone/sandbox -R
$ sudo chmod 777 voiceone/admin/public/template/cache -R
$ sudo chmod 755 voiceone_webservices/config/script/vo-tools.sh
$ sudo chmod 777 voiceone_webservices/utility/provisioning/firmware/data
$ sudo ln -s /usr/share/asterisk /var/lib/asterisk
$ sudo ln -s /usr/share/asterisk/moh /usr/share/asterisk/mohmp3
$ sudo mkdir /usr/share/asterisk/moh/voiceone
$ sudo mkdir /usr/share/asterisk/moh/voiceone/default




# Restart Apache #####

$ sudo /etc/init.d/apache2 restart



# Delete Apache's Test Webpage #####

$ sudo rm -rf /var/www/index.html



# Configure VoiceOne #####

Type on Mozilla Firefox:
http://127.0.0.1/voiceone/setup.php
and follow the VoiceOne instructions presented.


# Using VoiceOne

Type on Mozilla Firefox:
http://127.0.0.1/voiceone/index.php
to use Voiceone

And that's it, you are ready to rumble.
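
The sudoers entry above lets www-data run vo-tools.sh as root without a password, while chown www-data voiceone_webservices -R makes www-data the owner of that same script and chmod 777 opens several directories to every local user. The check below is an added example, not part of the original post or of VoiceOne; function names and sample files are constructed. It reports every NOPASSWD command that the permitted user can rewrite.

```shell
#!/bin/sh
# Added example, not VoiceOne's or the post's own code. Function names and the
# sample files are constructed; only the first command on a sudoers line is read.

# controlled_by USER PATH: succeed if USER owns PATH (an owner can always
# chmod it) or PATH is world-writable. Group membership is not evaluated.
controlled_by() {
    owner=$(stat -c %U "$2") || return 2
    mode=$(stat -c %a "$2") || return 2
    [ "$owner" = "$1" ] && return 0
    [ $(( (mode % 10) & 2 )) -ne 0 ]
}

# audit_nopasswd FILE: for each "user host=NOPASSWD: /command" line print
# RISK when that user controls the command or its directory, else OK.
audit_nopasswd() {
    sed -n 's|^\([^#[:space:]][^[:space:]]*\)[[:space:]].*NOPASSWD:[[:space:]]*\(/[^[:space:],]*\).*|\1 \2|p' "$1" |
    while read -r user cmd; do
        if [ ! -e "$cmd" ]; then
            echo "MISSING $user $cmd"
        elif controlled_by "$user" "$cmd" || controlled_by "$user" "$(dirname "$cmd")"; then
            echo "RISK $user $cmd"
        else
            echo "OK $user $cmd"
        fi
    done
}

# Constructed demo: a stand-in script owned by whoever runs this example.
demo=$(mktemp -d)
me=$(stat -c %U "$demo")
printf '#!/bin/sh\n' > "$demo/vo-tools.sh"
chmod 755 "$demo/vo-tools.sh"
cat > "$demo/sudoers.sample" <<EOF
# constructed sample entries
$me ALL=NOPASSWD: $demo/vo-tools.sh
other-user ALL=NOPASSWD: $demo/vo-tools.sh
EOF
audit_nopasswd "$demo/sudoers.sample"
rm -rf "$demo"
```

A RISK line goes away once the script and its directory are owned by root and not writable by the account named in the sudoers entry.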

Sunday, June 15, 2008

gXine Error - No demuxer found - stream format not recognized

Just installed Ubuntu 8.04 LTS - Hardy Heron and tried to watch a movie on DVD with gxine (libdvdcss2 is installed). This is the resulting error message:

The xine engine failed to start.
No demuxer found - stream format not recognized.


I fixed it by installing the following in the Synaptic Package Manager:

libxine1-ffmpeg

or just type in the bash shell:

$ sudo apt-get install libxine1-ffmpeg


And that's it.




Taken from: http://ubuntuforums.org/showthread.php?t=461442

Monday, June 2, 2008

Build Essentials - Develop C/C++ in Ubuntu

If you want to develop in C or C++ you have to install the basic packages that include, among other things, the C/C++ standard libraries; otherwise you might have the C/C++ compiler (gcc/g++) installed and still get compile errors.


To install these basic C/C++ development packages just do:

$ sudo apt-get install build-essential


To test it, just save the C code below in a file like "hello.c":


#include <stdio.h>

int main(void)
{
    printf("Hello World!\n");
    return 0;
}


Now compile it:

$ gcc hello.c


and run it:

$ ./a.out

It should print "Hello World!"


And that's it, you are ready to start developing C/C++ in Ubuntu.