Freeze SO Linux, it's possible?
Loïc Grenié
loic.grenie at gmail.com
Thu Dec 11 15:17:55 UTC 2008
2008/12/11 Bart Silverstrim <bsilver at chrononomicon.com>:
> Loïc Grenié wrote:
>> You do not need to. You can store your system on a rewritable medium:
>> I use a USB key, but a hard disk would work as well (and faster).
>>
>> You can even choose to not do the "squashfs" part, but you will probably
>> need to modify the initial ramdisk a little.
>
> Part of this is to explain what I do know to people unfamiliar with DF...
>
> The thing with deep freeze is that it lets you make any change you
> want...infect it, install P2P, install trojans...and it will let you if
> the OS will let you do it. It doesn't interfere with programs as they
> run. At reboot, ALL changes are gone.
>
> If you're using a non-RW media, you will get errors if anything tries to
> alter a file. If /etc is on a CD (like...I don't know, maybe devil linux
> does this) you'll get an error if you try to alter contents of apache's
> config.
>
> If you run from memory, you'd be able to make changes but whenever you
> reboot you again need to alter contents. Unless you edit the non-rw
> media. That's the safe part...it can't be altered, so no one can slip
> changes or trojans or rootkits onto non-alterable media.
>
> If you're using USB you can make changes that persist across reboot.
> That's defeating the purpose of deep freeze.
>
> Deep Freeze means that you can have users with extra privileges that
> will possibly infect, alter, or fiddle with workstation settings, and
> even if there's an infection in an NTFS alternate filestream or a
> rootkit hiding from tools and disinfectors, a reboot will wipe the
> changes away, and at the same time they have the ability to run
> problematic programs that balk if permissions are secure or some other
> antimalware measures interfere with legitimate (yet badly designed)
> programs.
>
> While others are suggesting what are essentially snapshots and backups,
> there isn't an actual equivalent I've ever seen in Linux.
>
> Rsync/tar is just backing up at intervals. You'll take malware with the
> backups if you didn't catch it in time.
>
> Permissions locking and SElinux magic and the like are just being
> secure...it gets in the way of user convenience, administration
> overhead, etc...it's a replay in some ways, from the user perspective,
> of moving to Vista's constant security blocking and nagging, and if the
> user can install programs or do updates etc. then you still defeat the
> purpose of deep freeze.
>
> Live CDs need editing if you want to update or alter configurations.
>
> Closer still is virtualbox, where you take a snapshot of the state of
> the machine, make changes, then revert back to the previous state and
> lose any and all changes. That's essentially what DF is doing from what
> I can gather.

I'm proposing (and myself using) something in between. I use a live CD
that is physically stored on a USB key.
There is a read-only filesystem stored on the USB key.
There is a read-write filesystem that can be stored in memory or on disk
or whatever.

Both partitions are unioned with aufs (earlier it was unionfs). The resulting
partition is read-write, but nothing can occur to the read-only partition
(precisely because it is read-only). All modifications you make to the
unioned partition (including file deletion) are stored on the read-write
partition. After each session you can either choose to just throw away the
read-write partition (that's the way the live CD works) or keep it (if it is
stored on some kind of disk -- in which case you have a system very
similar to a usual one) or use the unioned partition to recreate a new
"read-only" partition (if you want to do an upgrade, update, installation
of software). This is "Live CD" but with the default system upgradeable
and stored on any medium (regular hard drive, CD, USB key, external
drive). I suspect it would fly on a regular disk (on the key it's a bit slow).

As far as I can tell it is very similar to Deep Freeze but it is probably a
bit more difficult to use: I need to manually recreate the snapshot when
I upgrade the system. When I configured my USB key (~1.5 years ago,
it was with Feisty Fawn) I had to slightly modify the files of the initial
ramdisk because I did not really need the exact same features of the
Ubuntu Live CD; I don't know if the current initrd of Ubuntu is usable
directly.

Loïc
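
The layering described in the message above, as an added example that is not part of the original post: a small in-memory Python model of a union of a read-only branch and a read-write branch, showing where writes and deletions land and the three end-of-session choices (discard, keep, rebuild). It is a simulation, not aufs itself; the class, its method names, and the sample file contents are assumptions made for illustration.

```python
import hashlib

WHITEOUT = object()  # upper-branch marker: "this file was deleted"
# Constructed sample contents for the read-only branch.
BASE = {"/etc/apache2/apache2.conf": b"Listen 80\n", "/bin/ls": b"\x7fELF"}


class UnionFS:
    """Toy model: read-only lower branch unioned with a writable upper branch."""

    def __init__(self, lower):
        self._lower = dict(lower)  # read-only branch (the frozen system image)
        self.upper = {}            # read-write branch (memory or disk)

    def read(self, path):
        # The upper branch shadows the lower one; a whiteout hides a lower file.
        if path in self.upper:
            if self.upper[path] is WHITEOUT:
                raise FileNotFoundError(path)
            return self.upper[path]
        if path in self._lower:
            return self._lower[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        self.upper[path] = data    # changes land only in the upper branch

    def delete(self, path):
        self.read(path)            # raises if the file is not visible
        if path in self._lower:
            self.upper[path] = WHITEOUT
        else:
            del self.upper[path]

    def listing(self):
        names = set(self._lower) | set(self.upper)
        return sorted(p for p in names if self.upper.get(p) is not WHITEOUT)

    def lower_digest(self):
        h = hashlib.sha256()       # fingerprint of the read-only branch
        for path in sorted(self._lower):
            h.update(path.encode() + b"\0" + self._lower[path] + b"\0")
        return h.hexdigest()

    def discard_session(self):
        self.upper = {}            # throw away the read-write branch

    def rebuild_base(self):
        # Upgrade case: the unioned view becomes the next read-only branch.
        return UnionFS({p: self.read(p) for p in self.listing()})
```

Comparing `lower_digest()` before and after a session is the model's version of checking that the read-only image was never altered; keeping `upper` between sessions corresponds to storing the read-write branch on disk.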