Paranoid Penguin - Customizing Linux Live CDs, Part I

Make your desktop completely portable with a custom live CD.

In my recent column “Security Features in Ubuntu” (LJ, March 2008), I mentioned that the live CD method of running Linux from a CD-ROM or DVD rather than directly from a hard drive has important and useful security ramifications. I went on to promise that this would be the topic of a future column.

Never one to renege on a promise, this month I bring you the first of a multipart series about Linux live CDs. In this month's column, I describe some security usages for bootable Linux CDs and demonstrate a quick-and-easy way to customize the standard Ubuntu Desktop CD that allows you to change its included bundle of software.

Uses of Bootable Linux CDs

At this point, you may be wondering, “What's the big deal about bootable Linux CDs? Aren't all Linux installation CDs bootable?”

On the one hand, yes. Linux installation CDs always have been bootable. But, not all Linux installation CDs offer you the option of simply running Linux from the CD without installing it right away. This is the difference between a live Linux CD and an installer CD.

Live CDs are especially handy for trying out a distribution before committing it to your hard disk. Usually, they include an installer applet that makes it easy to make that commitment, if you so choose. But, these are very general live CD uses.

For the security-conscious user, or for the conscientious-security user (but not for the unconscious user), live CDs also are useful, among other things, for the following:

  • Using untrusted hardware, such as public-use PCs at coffee shops.

  • Analyzing computers that may have been compromised.

  • Recovering data from systems that no longer boot for some reason.

  • Running software you'd prefer not to install on your hard disk.

Depending on your needs, you might be perfectly happy using an existing Linux live CD distribution, such as Knoppix, BackTrack or Ubuntu Desktop. But, what if you want to apply the very latest security patches to the live CD's installed applications? What if your favorite live CD lacks an application you really need? Or, what if you don't want to have to configure things manually, such as network settings, after every single time you boot?

These are some of the many reasons you might want to customize your Linux live CD. For the remainder of this month's column, I walk through the process of patching and adding security software to Ubuntu Desktop 7.10. Much of what follows applies directly to other squashfs-based distributions, such as Linux Mint, SLAX and BackTrack, and indirectly to most other live CD distributions.


Before you can customize your Ubuntu Desktop live CD, you need several things:

  1. An ISO file for the current version of Ubuntu Desktop (or Linux Mint).

  2. The squashfs-tools package installed on your system.

  3. The mkisofs package installed on your system.

You can get the ISO file in one of two ways: download it from, or create it from an actual Ubuntu CD via the dd command, like this:

bash-$ dd if=/dev/cdrom of=./ubuntu-7.10-desktop-i386.iso

For the remainder of this article, I assume your ISO image resides in your home directory. I also assume you're running Ubuntu, but if you aren't, for commands that begin with sudo, you instead should do whatever else you usually do to become root temporarily (for example, su or su -c).

The squashfs-tools package provides utilities for creating and mounting squashfs filesystems. Most of an Ubuntu live CD is taken up by one enormous squashfs image that is uncompressed and mounted as / when you boot the CD. To remaster the CD, you need to mount a copy of its squashfs image, change various files and directories in it, and save the edited directory structure as a new squashfs image.

Finally, you'll use the mkisofs command to convert the various files and directories you've just edited into a single ISO image file.

In describing how these three prerequisites relate to each other, I also discuss the three stages of the live CD remastering process: mounting the squashfs image, changing it in various ways and incorporating it into a new ISO image.

The Procedure

The procedure I'm about to step through is based on the one at (see Resources). Much of what follows won't be very security-focused; in subsequent columns, I'll go into greater depth in applying this stuff to security applications. Right now, my immediate goal is to tell you what you need to know to begin experimenting with your own customized live CDs right away, and I'm sure you'll think of cool things to do between now and my next column.

In demonstrating these commands, I'm going to try a new convention that bends reality a little bit and will number each bash-prompt: 01-$, 02-$, and so on. This way, I'll be able to refer to each command by line number. We'll see whether this helps, or whether I'm just getting nostalgic for my BASIC programming days—send me an e-mail if you have an opinion either way.

First, log on as a nonprivileged user, open a command window (none of what we do here will require the X Window System), and navigate to your home directory. Type this command to create mountpoints for the old ISO image and its squashfs image, a top-level directory for creating the new CD file hierarchy and a directory for rebuilding the root filesystem that will become the new squashfs image:

01-$ mkdir -p ./isomount ./isonew/squashfs ./isonew/cd ./isonew/custom

Next, mount the original ISO image, and copy everything in it, except the squashfs image itself, into the ./isonew/cd directory:

02-$ sudo mount -o loop ./ubuntu-7.10-desktop-i386.iso ./isomount/

03-$ rsync --exclude=/casper/filesystem.squashfs -a ./isomount/

Line 03 uses rsync rather than cp, so you don't need to repopulate the isonew/cd directory every time you make a new ISO image. Whenever rsync encounters identical files, it copies only the differences in the new file to the old one, rather than copying the entire file (if there are no differences, it leaves the “target” version alone).

Note: if you're working within some directory other than your home directory, and if that directory is on a Windows partition rather than a native Linux partition (such as ext2, ext3 or ReiserFS), you'll get many errors when copying files around—some of which may cause this procedure to fail. You don't need to do all of this within your home directory, but you should do it on a Linux partition.

You've copied the skeleton of the original CD into isonew/cd, so now you can get busy with the squashed root filesystem by enabling squashfs support in your running kernel and mounting the squashfs image:

04-$ sudo modprobe squashfs

05-$ sudo mount -t squashfs -o loop
↪./isomount/casper/filesystem.squashfs ./isonew/squashfs/

Next, copy the original root filesystem into the rebuild directory:

06-$ sudo rsync -a ./isonew/squashfs/ ./isonew/custom

Before you enter the Matrix by chrooting into this root filesystem and customizing it, you should make sure networking and the apt system will work once you do, by copying some configuration files from your running system:

07-$ sudo cp /etc/resolv.conf /etc/hosts ./isonew/custom/etc/

08-$ sudo cp /etc/apt/sources.list ./isonew/custom/etc/apt/

This assumes, of course, that your running system is communicating with the network properly and that its sources.list file includes entries for the universe, multiverse and partner repositories (or anywhere else from whence you intend to obtain packages). If you have anything else you'd like to include in your custom live CD, such as other configuration files, documents, images and so on, now is a good time to copy those over too. Just remember that space is precious.

Now you're ready to enter your new root filesystem. I've written extensively about using chroot jails to contain server dæmons, so that if they're hijacked, the attacker gains access to only a small subset of your filesystem. Well, right now, you're about to chroot yourself, so that all changes you make—adding and removing packages, downloading updates, editing configuration files and so on—are applied to your custom ISO's root filesystem, not your underlying system's root filesystem.

Here's how to swallow the Blue Pill:

09-$ sudo chroot ./isonew/custom

From this point on, until you type the command exit (step 22, below), you'll be in an environment in which / is no longer your underlying filesystem's root, but actually /home/you/isonew/custom (where /home/you is your local home directory, or wherever else you created the isonew hierarchy).

Now that you're jacked in, you need to bring the proc and sysfs filesystems on-line, so that your “real” system's kernel can interact properly with the “fake” system represented by your soon-to-be-customized root filesystem. Now, set your home directory to /root (actually /home/you/isonew/custom/root):

10-# mount -t proc none /proc/

11-# mount -t sysfs none /sys/

12-# export HOME=/root

Note that the prompts in my examples have switched to # from $, indicating that you're now running in a root shell. This is necessary, because you'll need to be root in order to exit the chroot jail you've voluntarily entered.

Now you're ready to customize. This is the part when you don't necessarily need my help; you can be creative. For example purposes though, let's make some space for new packages and update the ones that are left.

What are you going to use your new live CD for? Secure Web browsing using untrusted hardware isn't a bad start. You shouldn't need for that, and it takes up something like 85MB of your compressed squashfs image (remember, a standard CD ISO can't be larger than 650MB).

You can remove, plus a couple of things upon which only depends, like this:

13-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n'
↪|grep openoffice`

Did you notice the embedded dpkg-query...|grep... command? It queries the root filesystem's deb-package database for a complete list of installed packages. The output of this is piped through a grep search for the string “openoffice”. You can use the command in line 13 to find and purge other groups of packages by simply changing the grep query.

Suppose you also want to get rid of The GIMP, which takes up more than 6.5MB (after compression) on your live CD image. So, swap out the string “openoffice” in the previous command with “gimp”, like this:

14-# apt-get remove --purge `dpkg-query -W --showformat='${Package}\n'
↪|grep gimp`

Other good candidates for removal include non-English language packs (which take up anywhere from 0.5–1.5MB compressed), and multimedia applications such as Rhythmbox, totem and sound-juicer, which take up a few megabytes each, even after compression, and are unlikely to be useful for security purposes.

Decide for yourself. Browse through the list of installed packages with a quick aptitude search ~i |less. If you mistakenly purge something you decide you actually need, you always can exit the chroot jail and re-execute the rsync command on line 06.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.


kalahari875's picture

If adding too much software to fit on a CD ISO image, is this approach suitable to simply burning the resulting image on a DVD instead?