-
mnt-system read-only?
Hallo,
is there any way to boot Knoppix 7.20 with mnt-system read-only?
I have configured my Knoppix with overlays and would like to use the system without write access to my usb-stick.
Thank's Moritz
-
Senior Member
registered user
Greetings, moritz.b.
The purpose of Knoppix using a LiveUSB is usually to allow writing data
to a persistence file somewhere on it.
/mnt-system is usually on a fat32 partition with all your cloop-compacted
overlays. Using a separate reiserfs partition for persistence makes it
unnecessary to write anything to the fat32 system, unless you want to modify
some /boot, /efi or reference material there.
If you actually never want to record ANY changes, then a LiveCD or LiveDVD
would seem a better and cheaper answer than restricting a LiveUSB to read-only.
Last edited by utu; 09-02-2013 at 12:12 AM.
-
Partition with /mnt-system read-only
Originally Posted by
utu
Greetings, moritz.b.
/mnt-system is usually on a fat32 partition with all your cloop-compacted
overlays. Using a separate reiserfs partition for persistence makes it
unnecessary to write anything to the fat32 system, unless you want to modify
some /boot, /efi or reference material there.
Yes, I use a separate reiserfs partition for persistence and I a want to prevent anyone to write on my KNOPPIX-Partition.
Originally Posted by
utu
If you actually never want to record ANY changes, then a LiveCD or LiveDVD
would seem a better and cheaper answer than restricting a LiveUSB to read-only.
Knoppix from stick is very faster.
Thanks Moritz
-
knoppix 7.20 mnt-system read-only
I have my problem solved with a new cheatcode and adaption the init.
moritz.b
-
Please post your solution, the boot parameter list and the adaptation to init. I would like to implement it.
-
Senior Member
registered user
This is very interesting in the context of USB, and possibly also SSD-disk, use. If, for example, /mnt-system is mounted ro, and the overlay is on ramdisk, concerns about media wear-out are greatly reduced. Overlay could, for example, be read into ramdisk from /mnt-system, or another partition, on boot, and on shutdown, there could be an option for saving it. There are also safety concerns - if overlay is never saved after performing potentially dangerous operations (typically websites wanting to run scripts modifying your browser configuration), one is much better protected.
I consider publishing modified init scripts here a part of best Knoppix practices
-
Senior Member
registered user
Originally Posted by
moritz.b
I have my problem solved with a new cheatcode and adaption the init.
moritz.b
I have two concerns with the initial premise here.
Unless your Knoppix user is denied root privileges,
making that partition which contains /mnt-system read-only on a write-able
medium offers no real protection against unauthorized changes to the contents
of /mnt-system.
If the Knoppix user is denied root privileges completely,
there are many useful things his Knoppix can't do.
I'd like to see how changes to init might get around these considerations.
-
Senior Member
registered user
Originally Posted by
utu
I have two concerns with the initial premise here.
Unless your Knoppix user is denied root privileges,
making that partition which contains /mnt-system read-only on a write-able
medium offers no real protection against unauthorized changes to the contents
of /mnt-system.
If the Knoppix user is denied root privileges completely,
there are many useful things his Knoppix can't do.
I'd like to see how changes to init might get around these considerations.
Even if it is possible to remount /mnt-system rw, having it mounted ro by default is clearly a safety measure. And, for example, everything could be placed in loop-mounted ISO images. So that you have to re-create it each time you want to update your persistent store. This could be equivalent to using one or more cloop/squashfs overlays.
-
Senior Member
registered user
Originally Posted by
moritz.b
I have configured my Knoppix with overlays and would like to use the system without write access to my usb-stick.
I think of cloops as read-only by definition, only written by specific intent, not somehow 'accidentally'. I count on this myself as
protection against my overwriting a rw persistence file. Once my rw persistence content is relatively 'mature', I button its content up
in a cloop to protect against possibly spoiling it myself. This also compacts things and I never really see any performance penalty.
My expectation is that Moritz might be expecting to protect against another Knoppix user purposefully changing Moritz' product,
which I expect that user probably can do if he has Knoppix root privileges. If he doesn't, he surely misses a lot of its power.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
1U BareMetal pfsense opnsense Router Firewall DNS Server 6x 10GB Ethernet Ports
$149.00
Watchguard XCS 570 Firewall SuperMicro 1U Server Intel 4GB VPN Router LINUX 🍁
$182.65
PFSENSE 15" Depth Server Router Firewall Supermicro X11SSH-F E3-1240 V5 32GB RAM
$382.00
SQL Server 2019 Standard (10 CAL) - Windows and Linux, Physical License
$249.00
Domino Lotus Server 5.0.7 for OS/2 WSeB, RH Linux 6, Solaris, AIX, HP-UX, Win NT
$60.00
Red Hat Enterprise Linux 5 Server - New and Sealed
$16.99
IBM CS821 20-Core 2.827GHz 128Gb 1.92Tb SSD 1U Linux Server - 8005-12N Power 8
$449.96
IBM E850 Power8 2x 12C 3.02GHz 512Gb 1.8Tb SAS 10GbE 16Gb Linux Server 8408-E8E
$674.96
8x 240GB SSD 1U Rackmount Deduplication Compression Backup RAID Server X10DRW-iT
$499.00
1U Open Source Router Firewall X10SLH-N6-ST031 E3-1270 V3 6x 10GB Ethernet 16GB
$419.00