Hello,

I've just found this reply that was posted in debian-devel using Google. Please CC me or keep the discussion in debian-mentors or CC debian-mentors. I'm not subscribed to debian-devel.

> On Sun, Mar 22, 2009 at 06:17:45PM +0200, Stefanos Harhalakis wrote:
> > fsprotect eases the pain of protecting a system. By using an init script
> > and an initramfs script it can make the root and other filesystems
> > immutable. It uses aufs and tmpfs.
>
> Please provide further information. A Debian system without root access
> does not need a different layer of protection, especially as it brings
> in another piece of kernel code (aufs).

There actually is. Public computers require such protection for various reasons:

a) Because users can change their own settings. Using fsprotect, all data (not only root's) aren't altered.
b) It is convenient to have existing filesystems mounted as RO. This results in no problems when computers are turned off.
c) No root-owned processes can ever change disk data. This means that logs don't grow, etc.
d) Combined with other techniques it may even make it somehow safe in the future to provide root access. This was somehow possible with BSD security levels since you could forbid remounting and raw disk access, so it was impossible to change data on disk. (Is there something similar today?)
e) I bet that there are uses for flash-based disks to prevent disk writes.

Of course, some things may also be done with other ways/tools, but from my experience on this subject I found this to be the easiest and safest approach.

It is also possible to use it on PCs for testing purposes (i.e. test etch->lenny upgrades). I've used it to test KDE4.2 from experimental on a PC that had KDE3.5 :-)

The best thing about fsprotect is the simplicity of using it. It takes about 5 minutes (max) to install, RTFM and configure and your PC is "fixed". It attempts to do some of the things that deepfreeze[1] does for Windows and/or Linux.

Even if fsprotect is a native Debian package, it is not unique to Debian. Other distributions may also use it but it needs to be packaged per-distribution. It isn't possible to provide a generic package. Don't judge it as if it was a modification to Debian. Consider it as a generic package.

[1] http://www.faronics.com/html/Deepfreeze.asp