|author||Tails developers <firstname.lastname@example.org>||2013-10-02 13:23:29 +0000|
|committer||Tails developers <email@example.com>||2013-10-02 13:23:29 +0000|
More detailed design doc.
Diffstat (limited to 'wiki/src/contribute/design/persistence.mdwn')
1 files changed, 48 insertions, 4 deletions
diff --git a/wiki/src/contribute/design/persistence.mdwn b/wiki/src/contribute/design/persistence.mdwn
index 4a53fca..c5715a6 100644
@@ -376,8 +376,9 @@ version won't be used too long in the meantime.
-The root directory of the persistent volume filesystem root is owned
-by `root:root`, with permissions 0775:
+The root directory of the persistent volume filesystem root is created
+by the persistence configuration assistant, owned by `root:root`, with
* group-writable so that we can grant write access to other users with
@@ -388,11 +389,54 @@ by `root:root`, with permissions 0775:
The persistence configuration assistant is run with password-less sudo
as the `tails-persistence-setup` dedicated user. It creates and
-updates configuration files that are owned by
-`tails-persistence-setup:tails-persistence-setup`, with permissions
+updates a configuration file called `persistence.conf`, that is owned
+by `tails-persistence-setup:tails-persistence-setup`, with permissions
0600 and no ACLs. It refuses to read configuration files with
+Migration from pre-0.21 persistent volumes
+Before Tails 0.21, the persistent volume and configuration file had
+weaker permissions. An attacker who could run arbitrary code as the
+desktop `amnesia` user could tamper with the persistence
+configuration, and — with some minimal amount of imagination — give
+themselves persistent root credentials, etc.
+A migration process allows users to move to the new setup relatively
+safely and (in most cases) very easily. This section describes how the
+migration is performed.
+When persistence is enabled read-write on Tails 0.21, any persistent
+volume that has not had this new set of ownership and permissions
+applied (such as, if it was created with an older version), or that
+still has a `live-persistence.conf` file, sees the following changes
+* The new set of ownership, permissions and ACLs is applied to the
+ filesystem root.
+* Unless the parent directory had correct ownership, permissions and
+ ACLs already, `live-additional-software.conf` is treated as
+ untrusted and disabled (renamed to
+ `live-additional-software.conf.disabled`). A new empty file is
+ created with the correct ownership and permissions, so that users
+ just have to edit it without having to care about giving it the
+ proper ownership etc.
+* Known-safe persistence settings are migrated from the old
+ configuration file (`live-persistence.conf`) to a newly created one
+ (`persistence.conf`). If all settings could be migrated
+ automatically, then the old configuration file is deleted; else, it
+ is renamed to `live-persistence.conf.old`.
+Then, after login, if some settings could not be migrated
+automatically (i.e. if `live-additional-software.conf` or
+`live-persistence.conf.old` is found), a desktop notification makes
+the user aware of it, and points them to the [[migration
+documentation|doc/first_steps/persistence/upgrade]] so that they can
+hand-migrate the rest themselves.
+The migration code will be removed in a latter version of Tails.
<!-- FIXME (0.22) -->
<!-- When persistence is activated at boot time, any persistent filesystem -->
<!-- is ignored unless its root directory and persistence configuration -->