On Sat, Nov 3, 2012 at 6:34 AM, Alexander Yerenkow <yerenkow_at_gmail.com> wrote:

> 2012/11/3 Lev Serebryakov <lev_at_freebsd.org>
>
> > Hello, Alexander.
> > You wrote on 3 November 2012, 16:14:21:
> >
> > AY> Hello all!
> > AY> Some time ago I got somewhere idea, that base OS should be RO - readonly.
> > AY> And should be updated easily (ACID) and with possibility of fast rollback.
> > Why is it better than nanobsd?
> >
>
> Of course, that's all IMHO and fits my usage:
> 1) Same FreeBSD, as in laptop/desktop (e.g. really the same - GENERIC kernel is used, without dropping any kerberos or else), and yes, I know that nanobsd can do that;
> 2) .vmdk simply deployed into Esxi/virtualbox (not sure nanobsd can produce that)
> 3) Transparent /etc/ modifying VS nanobsd approach (edit, don't forget mount /cfg, copy there;)
> 4) Only OS, no packages included - e.g. I can upgrade/downgrade packages without touching any byte of OS. Except for symlinks :) nanobsd specifies that if you want packages - you need to build them in.
>
> Of course the differences are not so big, and I'm not saying that my way is better.
> It just raised a question deep in me - why OS still isn't modularized, and most of it not in RO (while it should be).
>
> Something like this
>
> > --
> > // Black Lion AKA Lev Serebryakov <lev_at_FreeBSD.org>
>
> --
> Regards,
> Alexander Yerenkow

One of my goals for FreeBSD usage is as follows:

Search all of the FreeBSD sources for the file opens and write statements. Divert all of the file opens and write statements outside of FreeBSD base directories, for example into /var. Modify base to prohibit any load of an executable from /var, /tmp, and other directories which are not included in the "base" part.

Select a primary collection of packages. Divert all of their file opens and writes to /var.

Make /home a separate partition, not included in /usr. For any user, if it is selected, allow his/her home unit definition on a removable drive.

Prepare a list of programs which can only be executed by root, move them to a root-allocated directory, and make this list a reserved names list. Do not allow any user to execute these programs even if they are supplied by themselves. In a similar way, make a list of executable programs for the "base" system and "packages" in the "base" part, make them "reserved" names and do not allow any other program with the same name.

Delete from the base system the "PATH" concept, and require that all of the executable names are supplied by complete path. If the access privileges of a directory are not **x|**x|**x, do not allow any program to be executed from such a directory (recursively from its sub-directories).

At present, file access privileges should be ***|***|**x for searching directories. This definition is causing security vulnerabilities for directories because it is exposing them to "OTHERS". Convert all of the parts requiring ***|***|**x to r**|r**|--- for directory searches. In that way, if the user is defined in that way, prevent others from accessing a directory and make this the default.

Record the "base" part onto an SDHC card and make it "write protected". Prepare the "base" SDHC card on a computer that is NOT connected to a network and is physically protected from intrusion. When a change is required, prepare a new SDHC card on the clean computer and use the new SDHC card. Replicate SDHC cards as many times as required for different computers. In that way, there will be an impenetrable system which on boot we will know is clean.

There are some live CD/DVD compilations, but they are not usable for everyday requirements because they are not designed in that way. For such a work, the best one in my opinion is http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm among other live CD/DVD compilations.

I did not try that one on an SDHC card. I do not know the exact data transmission rate of SDHC cards, but, I think, it is faster than CD or DVD. For CD and DVD, at present there are NO read-only CD or DVD devices. They have disappeared from the market. For a writable CD or DVD, it may be possible to append some files at the end of the recorded area, and the media may be corrupted by re-recording (I think).

Thank you very much.

Mehmet Erol Sanliturk

Received on Sat Nov 03 2012 - 14:01:10 UTC
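The directory-permission point in the message above (directories whose "others" class has read or search access) can be checked on an actual tree. The script below is an added example, not code from anyone in this thread; it assumes only POSIX sh and find, and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example: audit which directories under a root grant the "others"
# class read (004) or search (001) permission, the exposure the message
# argues should not be the default.  Uses octal -perm tests so the same
# command works with both GNU and BSD find.

# Print, sorted, every directory at or below "$1" that others may read or search.
others_accessible_dirs() {
    find "$1" -type d \( -perm -004 -o -perm -001 \) -print | sort
}

# Print, sorted, directories others may search but not read: their contents
# cannot be listed, yet any already-known path beneath them can be reached.
others_search_only_dirs() {
    find "$1" -type d -perm -001 ! -perm -004 -print | sort
}

# Build a small constructed tree (hypothetical names) to exercise the checks
# and print its root path.  Explicit chmod calls make the result umask-independent.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/public" "$sample_root/private" "$sample_root/traverse/inner"
    chmod 700 "$sample_root"              # rwx------: the root itself is closed
    chmod 755 "$sample_root/public"       # rwxr-xr-x: others may list and search
    chmod 700 "$sample_root/private"      # rwx------: closed to group and others
    chmod 711 "$sample_root/traverse"     # rwx--x--x: others may pass through only
    chmod 700 "$sample_root/traverse/inner"
    printf '%s\n' "$sample_root"
}

# Stand-alone run: audit the sample tree, then remove it.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    echo "readable or searchable by others:"; others_accessible_dirs "$demo_root"
    echo "searchable only:";                 others_search_only_dirs "$demo_root"
    rm -rf "$demo_root"
fi
```

Run it with `--demo` to see the two lists for the sample tree, or call `others_accessible_dirs /home` against a real tree.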
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:31 UTC