[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFS: fsprotect


I've just found this reply that was post in debian-devel using google. Please 
CC me or keep the discussion in debian-mentors or CC debian-mentors. I'm not 
subscribed to debian-devel.

> On Sun, Mar 22, 2009 at 06:17:45PM +0200, Stefanos Harhalakis wrote:
> > fsprotect ease the pain of protecting a system. By using an init script
> > and a initramfs script it can make the root and other filesystems
> > immutable. It uses aufs and tmpfs.
> Please provide further information. A Debian system without root access
> does not need a different layer of protection, especially as it brings
> in another piece of kernel code (aufs).

There actually is. Public computers require such protection for various 

a) Because users can change their own settings. Using fsprotect, all data (not 
only root's) aren't altered.
b) It is convenient to have existing filesystems mounted as RO. This results 
in no problems when computers are turned off
c) No root-owned processes can ever change disk data. This means that logs 
don't grow, etc.
d) Combined with other techniques it may even makes it somehow safe in the 
futire to provide root access. This was somehow possible with BSD security 
levels since you could forbid remounting and raw disk access, so it was 
impossible to change data on disk. (Is there something similar today?)
e) I bet that there are uses for flash-based disks to prevent disk writes.

Of course, some things may also be done with other ways/tools, but from my 
experience on this subject I found this to be the easiest and safest 

It is also possible to use it on PCs for testing purposes (i.e. test 
etch->lenny upgrades). I've used it to test KDE4.2 from experimental on a PC 
that had KDE3.5 :-)

The best thing of fsprotect is the simplicity of using it. It takes about 5 
minutes (max) to install, RTFM and configure and your PC is "fixed". It 
attempts to do some of the things that deepfreeze[1] does for windows and/or 

Even if fsprotect is a native debian package, it is not unique to debian. 
Other distributions may also use it but it needs to be packaged 
per-distribution. It isn't possible to provide a generic package. Don't judge 
it as if it was a modification to debian. Consider it as a generic package.

[1] http://www.faronics.com/html/Deepfreeze.asp

Reply to: