Jack Wallen takes a look at a new Linux distribution with a very unique and impressive way of employing security.
I’ve tried just about every concept behind every Linux desktop on the market. Some of those concepts are nothing more than a change in the UI, whereas others become so complex as to make the distribution nearly impossible to use, especially for those who aren’t familiar with Linux.
However, every so often I come across a new idea that’s so mind-blowing that I can’t believe someone hasn’t thought of it before. That’s what Vanilla OS is.
What is Vanilla OS?
Vanilla OS aims to be as vanilla a GNOME installation as you can get: Very few changes have been made to the stock GNOME desktop.
That, of course, is not the mind-blowing part. What the developers have done is make it easy to switch between a read-write file system and a read-only file system. That’s right — this is on-demand immutability.
Vanilla OS use cases
With this feature, you can create a desktop operating system that doesn’t allow a user to install anything or make changes. Set everything up that is needed, set the immutable option and hand the machine over.
Although Vanilla OS is in beta, I tested this feature out and it shows incredible promise. It’s far from ready for general usage, but you can see exactly where the developer is going with the project.
The immutability of the OS isn’t the only cool trick up the Vanilla OS sleeve. Another fantastic feature is that applications are all installed within isolated sandboxes for security. Here’s how it works:
- First, the system must be in rw mode, which can be achieved with the command: sudo almost enter rw
- Once the system is in rw mode, you initialize a container with the command: apx init
- With the container created, you can then install an app with a command like: apx install htop
- After the installation completes, you can run it from the GNOME Application Overview.
Another wonderful aspect of Vanilla OS is that it allows you to select your package manager of choice. On the first login, you can select from Flatpak, Snap or AppImage. With the help of the selector (Figure A), you can choose one or all three.
Figure A
Of course, Vanilla OS is not without its hiccups. For example, my go-to editor of choice is nano. Attempting to install that software failed because there is no desktop entry found for the app. Since nano is a command line tool, it seems Vanilla OS doesn’t know what to do with it.
What does that mean? From what I can see, Vanilla OS is only capable of installing applications that offer a GUI component. But as far as GUI apps are concerned, everything goes off without a hitch. To get around that, use Snap or Flatpak. With Snap, I was able to install nano.
Let’s go back to the immutability issue. As I’ve mentioned, you switch between rw and ro with the commands:
- sudo almost enter rw: for read/write.
- sudo almost enter ro: for read-only.
You can check to see which mode you’re in with the command:
sudo almost check
You’ll see something like:
Mode: ro
System is read-only
This is where another hiccup made itself known. Even once I’d set the system to read-only, I was still able to create files within the root file system. It seems to me that shouldn’t be possible in ro mode.
Maybe that’s just a product of Vanilla OS being so young in its development lifecycle, but according to the project documentation: “Vanilla OS is an on-demand immutable distribution. The system is read-only to prevent unwanted changes and corruption from third-party applications or a faulty update. Some paths are still writable, such as the home directory. This allows the user to keep their files and ensure the normal functioning of applications.”
It also turns out that three directories are immune to the immutability in Vanilla OS. Those directories are /home, /etc and /var. Good to know. To test that out, I set the system to ro mode and issued the command:
sudo touch /test
To my surprise, the file was created. I was also able to edit the file with the nano editor, using the command sudo nano /test. I expected to not be able to write to that file, but I was able to, even in read-only mode. As I said, this is probably due to the beta nature of the OS, so I would expect the behavior of the immutable mode to change once the distribution is ready for the masses.
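The single touch test above can be widened into a repeatable audit. The script below is an added example, not part of the original article or the Vanilla OS project: it reads the Mode: line from almost check and, when the system reports ro, probes top-level directories for writability and flags any writable path outside /home, /etc and /var. The list of probed directories and the function names are assumptions made for illustration; run it as root so ordinary file permissions do not mask the result.

```shell
#!/bin/sh
# Added example: audit whether "read-only" mode really blocks writes.
# Assumption: only /home, /etc and /var may stay writable (per the article).
WRITABLE_OK="/home /etc /var"

# parse_mode: extract "ro" or "rw" from `almost check` output ("Mode: ro").
parse_mode() {
    printf '%s\n' "$1" | sed -n 's/^Mode:[[:space:]]*\([a-z]*\).*$/\1/p' | head -n 1
}

# probe: try to create and remove a scratch file; print rw, ro or missing.
probe() {
    [ -d "$1" ] || { echo missing; return 0; }
    f=$(mktemp "$1/.rwprobe.XXXXXX" 2>/dev/null) || { echo ro; return 0; }
    rm -f "$f"
    echo rw
}

# is_exempt: true if the path is an exempt directory or lies beneath one.
is_exempt() {
    for ok in $WRITABLE_OK; do
        case "$1" in "$ok"|"$ok"/*) return 0 ;; esac
    done
    return 1
}

# classify: compare the observed state with what ro mode should allow.
classify() {  # $1=path $2=state
    if is_exempt "$1"; then echo ok
    elif [ "$2" = rw ]; then echo VIOLATION
    else echo ok; fi
}

# main: audit a hypothetical set of top-level directories; returns 1 on a finding.
main() {
    mode=$(parse_mode "$(almost check 2>/dev/null)")
    echo "reported mode: ${mode:-unknown}"
    [ "$mode" = ro ] || { echo "not in ro mode; nothing to audit"; return 0; }
    rc=0
    for d in / /usr /opt /boot /home /etc /var; do
        state=$(probe "$d"); verdict=$(classify "$d" "$state")
        printf '%-6s %-8s %s\n' "$d" "$state" "$verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Run the audit only on a machine that has the almost tool installed.
if command -v almost >/dev/null 2>&1; then main; fi
```

A non-zero exit status means at least one directory outside the exempt set accepted a write while the system reported ro, which is the behaviour described above for /test.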
Who is Vanilla OS for?
This Linux distribution is certainly not one for those who are new to Linux — at least from an admin perspective — but you could set up Vanilla OS exactly how you need it, set it in read-only mode and hand it over to a user, knowing they couldn’t make catastrophic changes to the system.
This distro would also be great for community computers, kiosks and other situations where the inability to make changes beyond specific directories would be a benefit.
Vanilla OS isn’t ready for prime time, but the idea behind the system is long overdue. There are tools you can add to create a similar Linux setup, but Vanilla OS putting all of this together in a simple-to-use package makes for a very intriguing setup.
This will be a project you’ll want to keep a close watch on. Once it’s ready for the masses, I think Vanilla OS could be a real game-changer.