Re: RFS: fsprotect
I've just found this reply that was posted in debian-devel using Google. Please
CC me or keep the discussion in debian-mentors or CC debian-mentors. I'm not
subscribed to debian-devel.
> On Sun, Mar 22, 2009 at 06:17:45PM +0200, Stefanos Harhalakis wrote:
> > fsprotect eases the pain of protecting a system. By using an init script
> > and an initramfs script it can make the root and other filesystems
> > immutable. It uses aufs and tmpfs.
> Please provide further information. A Debian system without root access
> does not need a different layer of protection, especially as it brings
> in another piece of kernel code (aufs).
There actually is. Public computers require such protection for various
a) Because users can change their own settings. Using fsprotect, all data (not
only root's) aren't altered.
b) It is convenient to have existing filesystems mounted as RO. This results
in no problems when computers are turned off
c) No root-owned processes can ever change disk data. This means that logs
don't grow, etc.
d) Combined with other techniques it may even make it somehow safe in the
future to provide root access. This was somehow possible with BSD security
levels since you could forbid remounting and raw disk access, so it was
impossible to change data on disk. (Is there something similar today?)
e) I bet that there are uses for flash-based disks to prevent disk writes.
Of course, some things may also be done with other ways/tools, but from my
experience on this subject I found this to be the easiest and safest
It is also possible to use it on PCs for testing purposes (i.e. test
etch->lenny upgrades). I've used it to test KDE4.2 from experimental on a PC
that had KDE3.5 :-)
The best thing about fsprotect is the simplicity of using it. It takes about 5
minutes (max) to install, RTFM and configure and your PC is "fixed". It
attempts to do some of the things that deepfreeze does for Windows and/or
Even if fsprotect is a native Debian package, it is not unique to Debian.
Other distributions may also use it but it needs to be packaged
per-distribution. It isn't possible to provide a generic package. Don't judge
it as if it was a modification to Debian. Consider it as a generic package.