|author||Tails developers <email@example.com>||2013-11-19 17:38:23 +0000|
|committer||Tails developers <firstname.lastname@example.org>||2013-11-19 17:38:23 +0000|
Update design doc to match how we're dealing with persistence configuration migration and access rights.
Diffstat (limited to 'wiki/src/contribute/design/persistence.mdwn')
1 files changed, 26 insertions, 40 deletions
diff --git a/wiki/src/contribute/design/persistence.mdwn b/wiki/src/contribute/design/persistence.mdwn
index d6e13a9..9268aac 100644
@@ -355,10 +355,10 @@ To this aim, the persistent volume root directory may contain
a `live-additional-software.conf` file that holds the list of packages to install
(from persistence, since they were cached already).
-<!-- FIXME (0.22) -->
-<!-- To be taken into account, this file must be owned by -->
-<!-- `tails-persistence-setup:tails-persistence-setup`, and not be writable -->
-<!-- by anyone else than the `tails-persistence-setup` user. -->
+`live-persist` guarantees that this file, and its parent directory,
+have correct access rights: owned by
+`tails-persistence-setup:tails-persistence-setup`, and not be writable
+by anyone else than the `tails-persistence-setup` user.
First, those additional software packages are installed offline from tails-greeter
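Review bot: the added sentence says `live-persist` "guarantees" correct access rights on `live-additional-software.conf` and its parent directory, but it does not say how: by fixing ownership and mode, or by refusing to use the file. The next hunk says wrong permissions lead to the file being disabled, so wording such as "`live-persist` ignores this file unless it, and its parent directory, are owned by ... and not writable by anyone else" would match that behaviour. The phrase "and not be writable" is also left over from the old "must ... not be writable" comment and should read "and not writable by anyone other than".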
@@ -396,6 +396,19 @@ by `tails-persistence-setup:tails-persistence-setup`, with permissions
0600 and no ACLs. It refuses to read configuration files with
+`live-persist` checks these permissions on the persistence root
+directory, on `persistence.conf` and on
+`live-additional-software.conf`. Then, `live-persist` disables every
+such file if the persistent volume has wrong permissions. It also
+disables every such file that has wrong permissions itself.
+After login, if some settings were disabled due to wrong access
+rights, (i.e. if `live-additional-software.conf.insecure_disabled` or
+`persistence.conf.insecure_disabled` is found), a desktop notification
+makes the user aware of it, and points them to the [[migration
+documentation|doc/first_steps/persistence/insecure_disabled]] so that
+they can learn how to fix their configuration.
Migration from pre-0.21 persistent volumes
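Review bot: "disables every such file" in the first added paragraph never says what disabling consists of; the `.insecure_disabled` names only appear in the following paragraph as a parenthetical, so a reader has to infer that the files are renamed. State it where the action is described, for example "disables it by renaming it to `<name>.insecure_disabled`". "These permissions" also points back to "0600 and no ACLs", which describes the configuration files; the expected owner and mode for the persistence root directory should be given separately. The paragraph switches between "persistence root directory" and "persistent volume" for what looks like the same check, and there is a stray comma in "rights, (i.e.".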
@@ -405,41 +418,14 @@ desktop `amnesia` user could tamper with the persistence
configuration, and — with some minimal amount of imagination — give
themselves persistent root credentials, etc.
-A migration process allows users to move to the new setup relatively
-safely and (in most cases) very easily. This section describes how the
-migration is performed.
-When persistence is enabled read-write on Tails 0.21, any persistent
-volume that has not had this new set of ownership and permissions
-applied (such as, if it was created with an older version), or that
-still has a `live-persistence.conf` file, sees the following changes
-* The new set of ownership, permissions and ACLs is applied to the
- filesystem root.
-* Unless the parent directory had correct ownership, permissions and
- ACLs already, `live-additional-software.conf` is treated as
- untrusted and disabled (renamed to
- `live-additional-software.conf.disabled`). A new empty file is
- created with the correct ownership and permissions, so that users
- just have to edit it without having to care about giving it the
- proper ownership etc.
-* Known-safe persistence settings are migrated from the old
- configuration file (`live-persistence.conf`) to a newly created one
- (`persistence.conf`). If all settings could be migrated
- automatically, then the old configuration file is deleted; else, it
- is renamed to `live-persistence.conf.old`.
-Then, after login, if some settings could not be migrated
-automatically (i.e. if `live-additional-software.conf` or
-`live-persistence.conf.old` is found), a desktop notification makes
+A migration process, available in Tails 0.21, allowed users to move to
+the new setup relatively safely and (in most cases) very easily.
+This migration code was removed in Tails 0.22.
+Still, after login, if some settings are found that were not fully
+migrated, or never migrated at all (i.e.
+if `live-additional-software.conf.disabled`, `live-persistence.conf`
+or `live-persistence.conf.old` is found), a desktop notification makes
the user aware of it, and points them to the [[migration
documentation|doc/first_steps/persistence/upgrade]] so that they can
-hand-migrate the rest themselves.
-The migration code will be removed in a latter version of Tails.
-<!-- FIXME (0.22) -->
-<!-- When persistence is activated at boot time, any persistent filesystem -->
-<!-- is ignored unless its root directory and persistence configuration -->
-<!-- files have the correct permissions. -->
+learn how to migrate their configuration.
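Review bot: with the migration steps deleted, the rewritten paragraph names `live-additional-software.conf.disabled` and `live-persistence.conf.old` as notification triggers but no longer explains what created them, and it does not say how `live-persist` treats a volume that still carries an unmigrated `live-persistence.conf`. Since the section opens by explaining that the old layout let the `amnesia` user tamper with the configuration, it should state explicitly that the old file is never read in 0.22 and that the user only gets the notification. A one-sentence summary of the 0.21 renames would keep the file names understandable, and it would help to note that `.disabled` (0.21 migration) and `.insecure_disabled` (wrong access rights) are distinct cases that point to different documentation pages.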