this post was submitted on 20 Jun 2023
85 points (100.0% liked)

Linux

48721 readers
2272 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I've heard of immutable OS's like Fedora Silverblue. As far as I understand it, this means that "system files" are read-only, and that this is more secure.

What I struggle to understand is, what does that mean in practical terms? How does installing packages or configuring software work, if system files can't be changed?

Another thing I don't really understand is what the benefits as an end user? What kinds of things can I do (or can be done by malware or someone else) to my Arch system that couldn't be done on an immutable system? I get that there's a security benefit just in that malware can't change system files -- but that is achieved by proper permission management on traditional systems too.

And I understand the benefit of something declarative like NixOS or Guix, which are also immutable. But a lot of OS's seem to be immutable but not purely declarative. I'm struggling to understand why that's useful.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 11 points 2 years ago (2 children)

How does installing packages or configuring software work, if system files can't be changed?

On reboot. You install your changes into a separate part of the filesystem that's not running and then "switch parts" on next boot. Different distros do this differently. Vanilla OS has an AB system which basically works like Android does it, openSUSE uses btrfs snapshots and Fedora also uses btrfs I think but they got a more complex layering system on top.

I get that there's a security benefit just in that malware can't change system files -- but that is achieved by proper permission management on traditional systems too.

Is it though? All it takes is a misconfiguration or exploit to bypass it, so having several layers of protection isn't a bad thing and how any reasonably secure system works. And having parts of your system predetermined as read only is a comparably tough nut to crack.

[–] [email protected] 6 points 2 years ago (1 children)

On reboot.

Not necessarily. NixOS has the option to change generations without rebooting.

[–] [email protected] 1 points 2 years ago

so does silverblue

[–] [email protected] 3 points 2 years ago (1 children)

yeah that's true, even properly permissioned users can break their systems

[–] [email protected] 4 points 2 years ago* (last edited 2 years ago)

especially properly permissioned users, even.