COMP 3000 2011 Report: Liberté Linux
Background
In this day and age, anonymity, privacy and liberty are at the forefront of people’s minds, whether that means being able to surf the web anonymously and securely, accessing sites that have been arbitrarily blacklisted by various governments, or, more importantly, communicating secretly in dire situations where anonymity is paramount for survival. If you're an activist or a spy, Liberté Linux is the distribution for you. <ref name="liberte">Kammerer, Maxim. DE(E)SU - Liberté Linux. DE(E)SU. Retrieved 17 October 2011, from http://dee.su/liberte </ref>
Liberté, which translates to freedom in French, is supposed to exemplify this very concept. The notion of freedom of communication governs this particular distribution. To put it aptly, Liberté’s primary focus is to allow secure and reliable communication in hostile environments. <ref name="liberte"></ref>
It is interesting to note, the Liberté trademark (displayed on the left) is a composite of several different logos: <ref name="logo">Kammerer, Maxim. DE(E)SU - Liberté Artwork. DE(E)SU. Retrieved 17 October 2011, from http://dee.su/liberte-logo </ref>
- The emblem of the United Nations
- The flag of Anonymous
- Blank globe, focus on Africa
- The URSS aviation Kremlin Red Star
- The Black Triforce (The creator mentions he was inspired by the triforce in Legend of Zelda) <ref>Kammerer, Maxim. DE(E)SU - Liberté Linux FAQ. DE(E)SU. Retrieved 18 October 2011, from http://dee.su/liberte-faq</ref>
- Essays 1743 font (for the title Liberté)
Finally the motto encompassing the logo states: Anonymus / Ultima ratio libertatis / Nomen illis legio. <ref name="logo"></ref>
Liberté Linux is a Gentoo-based Live CD/USB/SD distribution created by Maxim Kammerer, and it can be easily obtained from SourceForge.
Installation/Startup
Live USB
(As a caveat, because Liberté Linux was installed in one of its native environments (USB) and not on a virtual machine, I was unable to provide personal screenshots. As such all screenshots in this section have been taken from the official liberte site.)
Liberté Linux takes up approximately 200 MB of disk space, and requires no more than 192 MB of RAM allocated to run efficiently.<ref name="liberte"></ref> It is very lightweight and an absolute breeze to install on a USB (Sandisk Cruzer 8GB) using a Windows machine. I installed the ZIP file, extracted it to the root of the USB, located the setup.bat, ran it as an administrator and then 10 seconds later... voila! The installation process was successfully completed.
Upon startup, I was prompted to set a LUKS passcode. Afterwards it took several minutes for an RSA key to be generated. As the distro was booting up, I was greeted with a Hammer & Sickle as my background (pictured to the right). What a glorious way to start up.
Once the desktop loaded, Liberté had issues identifying the battery charge percentage accurately. Whenever I’d unplug the laptop, I’d be greeted with a blinking popup warning me that my laptop had less than 5 mins of battery charge left, despite the fact that this was not the case. At this time, I have not been able to diagnose the reason for this bothersome popup.
Basic Operation
It is important to note that Liberté's main design goal is security. As a result, all basic operations on the platform have to be done securely. This includes, but is not limited to, network traffic. Liberté improves on the Privacy Enhanced Live Distribution of Linux, which transparently routes traffic through Tor (including DNS requests), by forcing applications to create connections on the loopback interface. The ultimate goal here is to not leak IP addresses. Therefore, browsing and general network traffic are kept anonymous. <ref>Kammerer, Maxim. DE(E)SU - Security and Anonymity in Liberté Linux DE(E)SU. Retrieved 14 November 2011, from http://dee.su/liberte-security </ref>
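One way to check the loopback-only behaviour described above, as an added example that is not part of Liberté or of the original report: the script reads `ss`-style socket lines and reports any TCP peer outside loopback that does not belong to the Tor daemon. The sample lines, the process name `tor` and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit TCP sockets for peers that bypass a loopback-only policy.
# Assumption: only the Tor daemon (process name "tor") may hold non-loopback peers.

# Constructed sample in the layout of `ss -H -tnp`:
# state, recv-q, send-q, local address, peer address, owning process.
sample_sockets() {
cat <<'EOF'
ESTAB 0 0 127.0.0.1:51234 127.0.0.1:9050 users:(("midori",pid=2101,fd=18))
ESTAB 0 0 127.0.0.1:9050 127.0.0.1:51234 users:(("tor",pid=1550,fd=12))
ESTAB 0 0 192.168.1.20:40022 198.51.100.7:9001 users:(("tor",pid=1550,fd=14))
ESTAB 0 0 192.168.1.20:40100 203.0.113.9:80 users:(("midori",pid=2101,fd=21))
ESTAB 0 0 [::1]:51300 [::1]:8118 users:(("claws-mail",pid=2200,fd=9))
EOF
}

# find_leaks [ALLOWED]: read ss-style lines on stdin and print "process peer"
# for every socket whose peer is not loopback and whose owner is not ALLOWED.
find_leaks() {
    allowed="${1:-tor}"
    awk -v allowed="$allowed" '
    {
        peer = $5
        proc = "unknown"
        # Pull the first quoted process name out of users:(("name",pid=...)).
        if (match($0, /\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        }
        # Loopback peers (127.0.0.0/8 and ::1) stay on the machine.
        if (peer ~ /^127\./ || peer ~ /^\[::1\]:/) next
        # The anonymising daemon itself is expected to reach the network.
        if (proc == allowed) next
        print proc, peer
    }'
}

# Demo on the constructed sample: only the direct browser connection is flagged.
sample_sockets | find_leaks
```

On a live system the same function can be fed with `ss -H -tnp | find_leaks`, run as root so that process names are visible.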
Since I'm neither a dissident nor located in a hostile environment, I'm not the typical user that Liberté is targeted to. I attempted to use Liberté for relatively basic tasks.
I loaded up Midori, the secure web browser that comes installed with the operating system. On my first attempt, I tried to visit a popular social networking site. Once the page loaded, I was informed that JavaScript is automatically disabled. I went sifting through the browser settings to enable JavaScript. After five minutes of searching I was unable to do this trivial task. I was left with no choice but to forgo my pride and navigate to the help option. Upon close examination of the online documentation I stumbled onto something about enabling "userscripts". Seemed like this was my ticket to JavaScript galore! After enabling the userscript add-on, I restarted my browser, and was happy to see that my current tabs were restored and no longer did I receive the reminder that I needed to enable JavaScript. Finally after logging into the popular social networking site, I was greeted with a lovely warning informing me that my account was locked, because I had accessed my account from an unrecognized device. I was prompted to answer several security questions in order to regain access. The first security question asked me to re-enter the text I saw displayed in the textbox...except for one problem. Where's the text? I frantically clicked on "try different words" and still. Nothing. My preference for security began to diminish at a rapid rate. Mainly because of the roadblocks I had encountered at every step of the way. After many failed attempts, I restored my account on another operating system. Apparently, as it turns out, the social networking site in question detected that someone had accessed my account from the Netherlands! Impressive, I dare say. This example perfectly illustrated the Tor-enhanced traffic.
Usage Evaluation
There is no doubt that Liberté Linux meets its design goals. It allows a user to browse and communicate anonymously and securely in the most hostile of regions. In that sense, you can claim that Liberté Linux is a success. To meet this goal, the Liberté Linux distribution comes prepackaged with a wide variety of secure tools, such as Midori (with Tor enhancements), Claws Mail (with cable communication built in), etc.
Security enhancements aren't just limited to the applications that are provided but also extend right down to the kernel (the very core of the operating system). <ref name="liberte"></ref> The author of this distribution has provided a wide range of modifications and enhancements to the hardened Gentoo kernel to protect the operating system from attacks and subsequently from its user. <ref name="github">Kammerer, Maxim. Github Liberté Repository. Github. Retrieved 16 November 2011, from https://github.com/mkdesu/liberte </ref> Performing administrative actions on the system was a nuisance (if you want to make any modifications, that is). For example, if you want to enter root mode, you need to restart the operating system in a different mode with a two minute limit on your root access. Moreover, if you want to install additional applications you must completely rebuild the operating system image every time. This distribution is clearly not intended for the average user, because of all the figurative hoops you have to jump through to perform basic operations. In summary, Liberté is a solid security-based operating system, and for its intended purpose it's superb. That being said, I don't recommend it for the layperson.
Software Packaging
Liberté is a Gentoo-based operating system using the Portage package management system. Portage consists of two main parts: the ebuild system and emerge. The ebuild system is responsible for compiling and installing packages, while emerge is responsible for managing dependencies and the ebuild repository. Portage is a command line package manager, but several frontend applications exist for the visually inclined, such as Portage and Portato. Packages are provided in the form of source code and configuration instructions. More specifically, "ebuilds are shell scripts with variables and functions which contain a description of the software, and instructions on how to obtain, configure, compile, and install it." <ref name="portage"></ref> It is important to note that not all packages are source packages. For instance, binary packages do exist in the .tbz2 file format.
Searching Packages
Currently, there are approximately 27 000 ebuilds available for download. <ref name="portage">Portage(software). Wikipedia. Retrieved 18 December 2011, from http://en.wikipedia.org/wiki/Portage_(software)</ref> You can use several commands to search for a particular package:
emerge --search or emerge -s or echo /usr/portage/*/*[SEARCH STRING]* <ref name="gentooPortage"></ref>
Just to note, the last way is quicker but not as informative.
Adding Packages
To add a package the command is as follows: emerge [insert package name] <ref name="gentooPortage">Portage - Gentoo Linux Wiki. (n.d.). Gentoo Linux Wiki. Retrieved December 18 2011, from http://en.gentoo-wiki.com/wiki/Portage</ref>
Removing Packages
To remove a package use the command emerge --unmerge [insert package name] <ref>Gentoo Linux Documentation-- Initscripts. (n.d.). Gentoo Linux -- Gentoo Linux. Retrieved December 18 2011, from http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=1</ref>
Major Package Versions
Package Name | Liberte Version | Upstream Version | Upstream Source | Modified by Author | Information/ Reason |
---|---|---|---|---|---|
Hardened Gentoo (kernel) | 2.6.39 | 3.0.4 | source | Yes, for bug fixes and security reasons<ref name="github"></ref> | Hardened Gentoo was chosen because of its secure nature. |
Grsecurity/PaX (kernel) | 2.2.0 | 2.2.2 | source | No | Patches to enhance the security for the kernel. |
Unionfs (kernel) | 2.5.10 | 2.5.10 | source | No | Efficient file system. |
Fbcondecor (kernel) | 0.9.6-2.6. | 0.9.6-3.0 | source | No | Standard console decoration (I assume the author could have picked any other). |
GTK+2 | 2.24.5 | 3.0.12 | source | No | Commonly used and supported graphics toolkit. Many applications (listed in this table) require GTK support. |
Midori | 0.4.0 | 0.4.2 | source | Yes, because browser connections are all tor-ified | Standard open source browser. |
Claws Mail | 3.7.10 | 3.7.10 | source | Yes, with cables communication (a liberte feature) <ref name="liberte"></ref> | Provides a secure and anonymous channel of communication for email. |
NetworkManager | 0.8.4.0 | 0.9.2.0 | source | No | Popular network package for Linux |
Bash | 4.1.9(2) | 4.2 | source | No | Popular shell |
Pidgin with OTR | Pidgin - 2.10.0 / OTR - 3.2.0 | Pidgin - 2.10.0 / OTR - 3.2.0 | source (Pidgin) source (OTR) | No | Pidgin is a popular open source client, and the OTR plugin was chosen for its privacy enhancement. |
Gedit | 2.30.4 | 2.30.2 (site indicates this is the latest stable release) | source | No | Popular open source text editor |
ls | 8.7 | coreutils-8.9 | source | No | Standard Linux tool |
Laptop Mode tools | 1.5.5 | 1.6 | source | No | Enables laptop mode in Linux, and saves power/reduces the number of spin downs. |
Initialization
During startup, all scripts in the /etc/runlevels folder are executed. First the subdirectory /boot scripts, and then the subdirectory /default scripts are executed. "Usually the scripts are executed in alphabetical order, but some scripts have dependency information in them, telling the system that another script must be run before they can be started." <ref>Gentoo Linux Documentation-- Initscripts. (n.d.). Gentoo Linux -- Gentoo Linux. Retrieved November 15 2011, from http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=4</ref>
Init first starts by reading in the configuration from /etc/inittab. On Liberté Linux, the first initialization step is to initialize the runlevel to runlevel 3. Then it proceeds to run the /sbin/rc sysinit command to mount local filesystems. There are two initialization scripts run here: devfs, dmesg, udev. At this point, only the udev processes are started.
It then brings the runlevel up to the boot runlevel using /sbin/rc boot. A total of twenty-three different scripts are run at this stage, including alsasound (loads drivers), consolefont (sets font for the console), consolekit (starts the consolekit daemon), hwclock, etc. A few processes are started at this level, such as irqbalance, console-kit-dae, and metalog.
The most interesting runlevel is the default runlevel, which initializes many of the processes that are unique to Liberté. The processes started at this point are acpid, gpm, NetworkManager, nginx, nscd, privoxy (non-caching web proxy), smartd, and tordate.
Subsequently, the virtual consoles are initialized. And finally, the display manager XDM is initialized.
All programs and their respective descriptions were found using the ls command to search through the specified /etc/runlevels folder, unless otherwise noted.
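The runlevel walk described in this section can be turned into a small audit, shown here as an added example that is not part of Liberté or of the original report: it lists scripts in boot-then-default order and flags default-runlevel entries that are not in a baseline. The baseline reuses the default-runlevel names listed above (an assumption, since script names can differ from process names), and the sample tree with its `sshd` entry is constructed.

```shell
#!/bin/sh
# Added example: list init scripts in the order described above (boot, then
# default, alphabetical within each) and flag entries missing from a baseline.
# Assumption: the baseline holds the default-runlevel names given in this
# report; dependency information inside scripts is not evaluated here.
BASELINE="acpid gpm NetworkManager nginx nscd privoxy smartd tordate"

# build_sample_tree DIR: construct a small /etc/runlevels look-alike.
build_sample_tree() {
    mkdir -p "$1/boot" "$1/default"
    for s in alsasound consolefont hwclock; do : > "$1/boot/$s"; done
    for s in acpid gpm NetworkManager privoxy tordate sshd; do
        : > "$1/default/$s"
    done
}

# start_order DIR: print "runlevel/script" lines, boot before default.
start_order() {
    for level in boot default; do
        [ -d "$1/$level" ] || continue
        ls -1 "$1/$level" | LC_ALL=C sort | sed "s|^|$level/|"
    done
}

# unexpected_default DIR: print default-runlevel entries not in BASELINE.
unexpected_default() {
    for path in "$1"/default/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        case " $BASELINE " in
            *" $name "*) ;;              # known service, nothing to report
            *) echo "$name" ;;           # not in the baseline: review it
        esac
    done
}

# Demo on the constructed tree; point both functions at /etc/runlevels instead.
tree="$(mktemp -d)"
build_sample_tree "$tree"
start_order "$tree"
echo "unexpected: $(unexpected_default "$tree")"
rm -rf "$tree"
```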
References
<references />