
Multiple save files at boot time (Solved)

Posted: Sat 26 Jan 2013, 10:54
by proebler
Running frugal installs from USB flash with personal save files.

When multiple personal files are available at boot time, they are offered as options 1, 2, 3 etc. to choose from.
There is also option 0 -none, which allows booting the 'native' system.

I would like to boot without that option 0 being shown.
Can this be done and if so, how?

Why would I like that?
Because it would prevent unauthorized use of the USB flash if all the personal save files are of the encrypted type.

proebler

Re: multiple personal save files at boot time

Posted: Sat 26 Jan 2013, 12:12
by L18L
proebler wrote:...I would like to boot without that option 0 being shown.
Can this be done and if so, how?...
edit file named init in initrd.gz (just one click on initrd.gz)
change (line 828 ?)

    echo "0  none" > /dev/console
to

    # echo "0  none" > /dev/console
that was how to not show that option

I think disabling that option will be required too:
change (line 837?)

    read NUMSAVE
to

 NUMSAVE=-1;while [ $NUMSAVE -lt 1 -o $NUMSAVE -gt $NUMPUPSAVES ]; do read NUMSAVE; done;
Thus only numbers between 1 and NUMPUPSAVES can be accepted.

Where is TAS :?:

Posted: Mon 28 Jan 2013, 11:15
by proebler
part success!

I now have:
[Lines 775 -787, initrd.gz of Lupu-5.2.8-005]

  echo "Type a number to choose which personal file to use:" > /dev/console
    #echo "0  none" > /dev/console
    for ONECHOICE in `cat /tmp/PUPSAVE2SFSS | tr '\n' ' '`
    do
     ONEFILE="`echo -n "$ONECHOICE" | cut -f 3 -d ','`"
     ONEPART="`echo -n "$ONECHOICE" | cut -f 1 -d ','`"
     echo -e "${CNTSAVE}  ${ONEPART}\\033[10G${ONEFILE}" > /dev/console #10 means move to that column.
     CNTSAVE=`expr $CNTSAVE + 1`
    done
    echo -en "\\033[0;39m" >/dev/console
    NUMSAVE=-1;while [ $NUMSAVE -lt 1 -o $NUMSAVE -gt $NUMPUPSAVES ]; do read NUMSAVE; done;
    #read NUMSAVE
    [ $NUMSAVE -ne 0 ] && PUPSAVE="`cat /tmp/PUPSAVE2SFSS | tr '\n' ' ' | cut -f $NUMSAVE -d ' '`"

That works ok for all numbers; however, if a non-number key is entered [followed by Enter/Return] or simply Enter/Return, then the 'native' system is still loaded.
Can that be prevented as well?

@L18L:
thank you, TAS is 42.8806° S, 147.3250° E
...and my motto is: trying beats studying :-)

Posted: Mon 28 Jan 2013, 18:06
by L18L
proebler wrote:... trying beats studying :-)
:idea:
So let us change that line to
NUMSAVE=-1;while [ $NUMSAVE -lt 1 -o $NUMSAVE -gt $NUMPUPSAVES ]; do read NUMSAVE; NUMSAVE=$(( $NUMSAVE )); done
8)

Posted: Mon 28 Jan 2013, 22:46
by proebler
:D Great!
it works now exactly as desired.
Even loads the base system when no personal save file is present.

many thanks
proebler

:?: how do I mark the post as solved in the Subject box?

Posted: Tue 29 Jan 2013, 03:04
by Flash
Just click on the "Edit" button in your post. I changed it for you.

Posted: Tue 29 Jan 2013, 17:39
by L18L
NUMSAVE=-1;while [ `printf '%d' "'$NUMSAVE"` -lt 49 -o `printf '%d' "'$NUMSAVE"` -gt $(( 48 + $NUMPUPSAVES )) ]; do read -n 1 NUMSAVE; done
Still a bit better because no errors when alpha input
Should work up to 9 save files
but needs to be tested in initrd

Posted: Tue 29 Jan 2013, 22:55
by proebler
thanks L18L, I will try it.

Re: Multiple save files at boot time (Solved)

Posted: Tue 29 Jan 2013, 23:00
by Q5sys
proebler wrote: Why would I like that?
Because it would prevent unauthorized use of the USB flash if all the personal save files are of the encrypted type.

proebler
In point of fact it won't, because a user could enter the kernel parameter pfix=ram at boot time and the system will boot without attempting to load a savefile.
Unless you are removing that functionality as well.

Re: Multiple save files at boot time (Solved)

Posted: Wed 30 Jan 2013, 19:05
by L18L
Q5sys wrote:... a user could enter the kernel parameter pfix=ram at boot time...
menu.lst wrote:# menu.lst produced by grub4dosconfig-v1.8.0
color blue/cyan yellow/blue white/black cyan/black
#splashimage=/splash.xpm
timeout 0
default 0

# Frugal installed Puppy

title Puppy precise 5.4.2 (sdb6)
uuid 28afc2de-0d44-484c-a1cd-a1e82531eacb
kernel /vmlinuz pmedia=usbflash pfix=fsck
initrd /initrd.gz
Where can a user enter "pfix=ram" :?:

Re: Multiple save files at boot time (Solved)

Posted: Wed 30 Jan 2013, 19:43
by Q5sys
L18L wrote:
Q5sys wrote:... a user could enter the kernel parameter pfix=ram at boot time...
menu.lst wrote:# menu.lst produced by grub4dosconfig-v1.8.0
color blue/cyan yellow/blue white/black cyan/black
#splashimage=/splash.xpm
timeout 0
default 0

# Frugal installed Puppy

title Puppy precise 5.4.2 (sdb6)
uuid 28afc2de-0d44-484c-a1cd-a1e82531eacb
kernel /vmlinuz pmedia=usbflash pfix=fsck
initrd /initrd.gz
Where can a user enter "pfix=ram" :?:
usually during the splash screen...

It's where you can trigger custom kernel commands like pmedia=usbflash pfix=fsck pfix=clean, except you're using the switch pfix=ram.
Yes, I realize you have the timeout at 0, but don't count on that; I've seen timeouts of 0 being bypassed before, usually by mashing on the space bar as soon as you boot the system. Sometimes you just get lucky and the spacebar is read before the timeout is read.

But all of this is honestly smoke and mirrors...
Anything that's a setting in grub can be changed by simply mounting the drive on another device and editing menu.lst.

So are you actually more secure? The answer is no.
Do you feel more secure? The answer here is probably yes.

If they have access to your hardware they can do whatever they want. In this scenario, you've already acknowledged that someone has hardware access since they have the ability to boot your system. If they have access to your system, they have access to change any security you put in place to stop them from booting it and editing the switches.

Posted: Thu 31 Jan 2013, 06:54
by proebler
@L18L

NUMSAVE=-1;while [ ‘printf ‘%d’ “‘$NUMSAVE"’ -lt 49 -o ‘printf ‘%d’ “‘$NUMSAVE"’ -gt $(( 48 + $NUMPUPSAVES )) ]; do read -n 1 NUMSAVE; done	
tested, but does not work as intended.
It presents the login with the 1st of the save files by default.
More save files are listed but their selection is not possible.
The initial solution works fine anyway and I am happy with it.
Note 1.
With the initial solution: esc, F-keys and shift[ed] non-alphabet keys [e.g. &] lead to kernel panic.
I have not tested them all. Not a problem for me.
This does not happen with the original initrd.gz.
Note 2.
I put the modified initrd.gz on a CD together with a re-mastered Puppy.
When that boots and I wish to run without the use of a save file, then I must make use of the splash screen and pfix=ram.
The 0 (none) option is of course no longer offered together with the found save files.

@Q5sys
Indeed, I am aware of the limitations and perhaps stating my reason as I did,
Why would I like that?
Because it would prevent unauthorized use of the USB flash if all the personal save files are of the encrypted type.
was not the best way.
My main intention really is modest and simple:
I want to prevent easy [even non-malicious] deletion of a personal save file.
Not being able to willy-nilly boot Puppy -and thus gain access to those files-, is all I want.
It is partly a thought exercise, exploring what can be done.

Having set the Grub4Dos time delay to 0 [as I have], gives a measure of protection.
It would be enough to thwart the unwary, but may, as Q5sys points out, be no obstacle for the determined. [I tried unsuccessfully, but was not all that determined.]
The way I boot, there is no [Puppy] splash screen, so you won’t get any advice about custom commands.
If you do manage to get to the Grub4Dos boot screen, then yes, you can edit in a custom kernel command. But you would need to know what that custom command has to be.
If you are clever at these things, and to make it a bit harder [?], you could perhaps modify Grub4Dos so that it does not show the way to edit [e] or does not allow edit at all.

So, ... having managed to beat the 0 time delay and knowing Puppy’s custom boot commands, the basic Puppy can be booted.
And having managed it, he/she may then as well delete the encrypted save files ... good riddance, I would probably want that! :-(

Acknowledged: There is no absolute security.

I hope that my reasoning is reasonable :-)
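
An added example, not part of the original thread and not code from Puppy's init: one way to accept only 1..N in the save-file prompt without passing raw keyboard input to `$(( ))` or `[ -lt ]`, which is the step that lets Enter, letters and keys such as `&` or Esc through or abort the script. The function names `is_valid_choice`, `read_choice` and `demo` are hypothetical, and tying the kernel panic in Note 1 to the init shell aborting on bad arithmetic input is an assumption.

```shell
# Added example: strict menu-choice validation for an init-style script.
# Function names are hypothetical; nothing here is taken from Puppy's init.

# is_valid_choice INPUT MAX -> exit status 0 only for a decimal integer 1..MAX.
is_valid_choice() {
    _in=$1
    _max=$2
    case $_in in
        ''|*[!0-9]*) return 1 ;;   # empty line, or any byte that is not a digit
    esac
    # Cap the length so a huge digit string never reaches the numeric compare.
    [ "${#_in}" -le 3 ] || return 1
    # Only digits are left, so the numeric tests cannot see an expression.
    [ "$_in" -ge 1 ] && [ "$_in" -le "$_max" ]
}

# read_choice MAX -> read lines from stdin until one is valid, then print it.
# Returns 1 if input ends first, so the caller can decide what to do
# (for example, halt instead of falling through to booting without a save file).
read_choice() {
    _limit=$1
    while IFS= read -r _line; do
        if is_valid_choice "$_line" "$_limit"; then
            printf '%s\n' "$_line"
            return 0
        fi
    done
    return 1
}

# Constructed keystrokes: Enter, a letter, '&', Esc, 0, out of range,
# an arithmetic expression (which $(( )) would have evaluated to 2), then 2.
demo() {
    printf '\nx\n&\n\033\n0\n7\n1+1\n2\n' | read_choice 3
}

demo   # prints 2
```

In an init script the call would look like `NUMSAVE=$(read_choice "$NUMPUPSAVES")`, with stdin assumed to be the console.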

Posted: Thu 31 Jan 2013, 11:07
by Q5sys
proebler wrote: Acknowledged: There is no absolute security.

I hope that my reasoning is reasonable :-)
Yes, perfectly reasonable. Some people go into issues like this thinking they have a perfect solution. There is no perfect solution.
As long as a person is aware of the amount of risk (in this case small), they can manage it in whatever way they feel is acceptable.

As long as you are happy with your solution and understand its limits, that's all that matters. :)