-
mnt-system read-only?
Hallo,
is there any way to boot Knoppix 7.20 with mnt-system read-only?
I have configured my Knoppix with overlays and would like to use the system without write access to my usb-stick.
Thank's Moritz
-
Senior Member
registered user
Greetings, moritz.b.
The purpose of Knoppix using a LiveUSB is usually to allow writing data
to a persistence file somewhere on it.
/mnt-system is usually on a fat32 partition with all your cloop-compacted
overlays. Using a separate reiserfs partition for persistence makes it
unnecessary to write anything to the fat32 system, unless you want to modify
some /boot, /efi or reference material there.
If you actually never want to record ANY changes, then a LiveCD or LiveDVD
would seem a better and cheaper answer than restricting a LiveUSB to read-only.
Last edited by utu; 09-02-2013 at 12:12 AM.
-
Partition with /mnt-system read-only
Originally Posted by
utu
Greetings, moritz.b.
/mnt-system is usually on a fat32 partition with all your cloop-compacted
overlays. Using a separate reiserfs partition for persistence makes it
unnecessary to write anything to the fat32 system, unless you want to modify
some /boot, /efi or reference material there.
Yes, I use a separate reiserfs partition for persistence and I a want to prevent anyone to write on my KNOPPIX-Partition.
Originally Posted by
utu
If you actually never want to record ANY changes, then a LiveCD or LiveDVD
would seem a better and cheaper answer than restricting a LiveUSB to read-only.
Knoppix from stick is very faster.
Thanks Moritz
-
knoppix 7.20 mnt-system read-only
I have my problem solved with a new cheatcode and adaption the init.
moritz.b
-
Please post your solution, the boot parameter list and the adaptation to init. I would like to implement it.
-
Senior Member
registered user
This is very interesting in the context of USB, and possibly also SSD-disk, use. If, for example, /mnt-system is mounted ro, and the overlay is on ramdisk, concerns about media wear-out are greatly reduced. Overlay could, for example, be read into ramdisk from /mnt-system, or another partition, on boot, and on shutdown, there could be an option for saving it. There are also safety concerns - if overlay is never saved after performing potentially dangerous operations (typically websites wanting to run scripts modifying your browser configuration), one is much better protected.
I consider publishing modified init scripts here a part of best Knoppix practices
-
Senior Member
registered user
Originally Posted by
moritz.b
I have my problem solved with a new cheatcode and adaption the init.
moritz.b
I have two concerns with the initial premise here.
Unless your Knoppix user is denied root privileges,
making that partition which contains /mnt-system read-only on a write-able
medium offers no real protection against unauthorized changes to the contents
of /mnt-system.
If the Knoppix user is denied root privileges completely,
there are many useful things his Knoppix can't do.
I'd like to see how changes to init might get around these considerations.
-
Senior Member
registered user
Originally Posted by
utu
I have two concerns with the initial premise here.
Unless your Knoppix user is denied root privileges,
making that partition which contains /mnt-system read-only on a write-able
medium offers no real protection against unauthorized changes to the contents
of /mnt-system.
If the Knoppix user is denied root privileges completely,
there are many useful things his Knoppix can't do.
I'd like to see how changes to init might get around these considerations.
Even if it is possible to remount /mnt-system rw, having it mounted ro by default is clearly a safety measure. And, for example, everything could be placed in loop-mounted ISO images. So that you have to re-create it each time you want to update your persistent store. This could be equivalent to using one or more cloop/squashfs overlays.
-
Senior Member
registered user
Originally Posted by
moritz.b
I have configured my Knoppix with overlays and would like to use the system without write access to my usb-stick.
I think of cloops as read-only by definition, only written by specific intent, not somehow 'accidentally'. I count on this myself as
protection against my overwriting a rw persistence file. Once my rw persistence content is relatively 'mature', I button its content up
in a cloop to protect against possibly spoiling it myself. This also compacts things and I never really see any performance penalty.
My expectation is that Moritz might be expecting to protect against another Knoppix user purposefully changing Moritz' product,
which I expect that user probably can do if he has Knoppix root privileges. If he doesn't, he surely misses a lot of its power.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
Intel Xeon E3-1270 v6 3.80GHz 4 Cores SR326 LGA1151 CPU Processor
$46.00
Intel - Core i9-12900K Desktop Processor 16 (8P+8E) Cores up to 5.2 GHz Unloc...
$619.99
Intel - Core i7-12700K Desktop Processor 12 (8P+4E) Cores up to 5.0 GHz Unloc...
$419.99
Intel Xeon E5-2697A V4 2.6GHz CPU Processor 16-Core Socket LGA2011 SR2K1
$39.99
AMD Ryzen 9 5950X 16-core 32-thread Desktop Processor
$319.99
E5-2697V4 INTEL XOEN SR2JV 18 CORE 2.30 GHz 45M 9.6 GT/s 145W PROCESSOR CPU
$49.99
Intel Core i5-8500 3 GHz 8 GT/s LGA 1151 Desktop CPU Processor SR3XE
$49.99
Intel - Core i9-14900K 14th Gen 24-Core 32-Thread - 4.4GHz (6.0GHz Turbo) Soc...
$619.99
Intel Core i5-12400 Desktop Processor With HeatSink
$140.00
Intel Quad Core i3-12100 3.3GHz 12MB LGA1700 12th Gen. CPU Processor SRL62
$45.62