Immutability and Statelessness

From Kicksecure

Warning: This page is for developers only!

This wiki page is a work in progress.

An "immutable" system is one where core parts of the system cannot be changed while it is running. A "stateless" system is one where the system forgets everything done on it after a reboot. Kicksecure provides features similar to immutable and stateless systems via grub-live. This page explains what immutability and statelessness mean in practice and how you can choose the right mode for your needs.

Introduction


The term "immutable" generally means that the running system fundamentally cannot be altered. Immutability does not simply mean that file permissions prevent modification of certain files. An immutable system's filesystem is fundamentally unable to be modified by traditional means (creation, deletion, and modification of files, symlinks, etc.), even by the administrative ("root") account.

In technical terms, this is generally achieved through mount options and/or filesystem-based restrictions: either the filesystem is mounted read-only, or it is an inherently read-only filesystem such as an ISO 9660 image or SquashFS. Directories that must hold mutable state (such as /home, but also /root, /var, and possibly other paths) are kept separate from the read-only image, on writable storage.

The term "stateless" generally means that the system forgets all changes made to it when a reboot occurs. Statelessness and immutability have some overlap, since stateless systems are usually implemented by mounting an ephemeral overlay over the top of an immutable filesystem. Unlike merely immutable systems, stateless systems forget changes made to mutable state directories such as /home.

For further explanation and comparisons with other Linux distributions, see Dev/immutable and Dev/Stateless.

Immutability in Kicksecure


Kicksecure is not an immutable distribution, and does not yet provide an immutable boot mode. It does, however, provide a stateless boot mode via grub-live. See below for more info.

In the future, Kicksecure may provide an immutable boot mode as part of implementing Verified Boot.

Statelessness in Kicksecure


Info: Statelessness in Kicksecure is limited to filesystems only. Other forms of state, such as UEFI variables, firmware updates, etc., may be preserved even if the system is otherwise stateless.

Kicksecure currently provides two primary boot modes, live mode and persistent mode.

In live mode, all filesystems that are part of the OS installation (including /home and /var, if they are on separate partitions) are mounted read-only. Writable tmpfs overlays are then applied on top of these filesystems using OverlayFS, so that the directories can be written to even though the underlying filesystems themselves cannot be changed. Applications can freely read from and write to files on the OS, even on the root filesystem, but these changes are discarded at shutdown.

Live mode should not be trusted to prevent privileged malware from making persistent modifications to the system. The root filesystem, mounted read-only at /live/image, can be trivially remounted read-write by software that runs as root.
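As a quick sanity check of which mode a running system is in, the following added example (not part of Kicksecure or grub-live) parses a /proc/mounts-style table: it reports "live" only when the root filesystem is an OverlayFS mount and the image at /live/image still carries the ro option, and flags the case described above where /live/image has been remounted read-write. The mount tables are constructed samples; apart from /live/image, the device names and overlay directory paths (/live/overlay/rw, /live/overlay/work) are assumptions, not Kicksecure's actual layout.

```bash
#!/bin/bash
# Classify a /proc/mounts-style table read from stdin.
# /proc/mounts field layout: device mountpoint fstype options dump pass
# Prints one word:
#   live        root (/) is an OverlayFS mount and /live/image is mounted read-only
#   image-rw    root is OverlayFS but /live/image carries "rw" (remounted read-write)
#   no-image    root is OverlayFS but nothing is mounted at /live/image
#   persistent  root is an ordinary (non-overlay) filesystem
classify_mounts() {
    local root_fs="" image_opts="" dev mnt fs opts rest
    while read -r dev mnt fs opts rest; do
        case "$mnt" in
            /)           root_fs="$fs" ;;
            /live/image) image_opts="$opts" ;;
        esac
    done
    [ "$root_fs" = overlay ] || { echo persistent; return; }
    [ -n "$image_opts" ]     || { echo no-image; return; }
    # Options are comma separated; pad with commas so "ro" must match a whole
    # field and is not confused with e.g. "errors=remount-ro".
    case ",$image_opts," in
        *,ro,*) echo live ;;
        *)      echo image-rw ;;
    esac
}

# Constructed sample tables (assumed paths other than /live/image).
SAMPLE_LIVE='/dev/sda2 /live/image ext4 ro,relatime 0 0
tmpfs /live/overlay tmpfs rw,nosuid,nodev 0 0
overlay / overlay rw,relatime,lowerdir=/live/image,upperdir=/live/overlay/rw,workdir=/live/overlay/work 0 0'

# Same layout after "mount -o remount,rw /live/image" by a root process.
SAMPLE_REMOUNTED='/dev/sda2 /live/image ext4 rw,relatime 0 0
tmpfs /live/overlay tmpfs rw,nosuid,nodev 0 0
overlay / overlay rw,relatime,lowerdir=/live/image,upperdir=/live/overlay/rw,workdir=/live/overlay/work 0 0'

SAMPLE_PERSISTENT='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0'

printf 'live sample:       %s\n' "$(printf '%s\n' "$SAMPLE_LIVE" | classify_mounts)"
printf 'remounted sample:  %s\n' "$(printf '%s\n' "$SAMPLE_REMOUNTED" | classify_mounts)"
printf 'persistent sample: %s\n' "$(printf '%s\n' "$SAMPLE_PERSISTENT" | classify_mounts)"
# On a running system:  classify_mounts < /proc/mounts
```

This is a consistency check, not a security boundary: a process running as root can remount the image, make its changes, and remount it read-only again, or present a falsified view, so the warning above still applies.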

In persistent mode, filesystems are mounted read/write and can be modified normally.

In both boot modes, system folders such as /usr, /etc, /var, /boot, and /root cannot be modified by the user account because of file permissions. This is not a consequence of live mode or immutability. Note that in persistent mode, services that run as root may (and in practice will) make changes to the root filesystem; updatecheck will update apt software lists, systemd-journald will save system logs, etc.

The GRUB boot menu allows you to choose whether to enable stateless operation or not. Want every change discarded at shutdown? Select live mode. Need saved data to persist? Use persistent mode.

If user-sysmaint-split is installed, file permissions and restrictions on the sudo and pkexec utilities will prevent the user account from making modifications to most files outside of /home. To make permanent changes to system folders like /usr, /etc, /var, /boot, or /root, boot into persistent mode and select a sysmaint session. For more details, see Sysmaint.

If user-sysmaint-split does not suit your needs, consider using Unrestricted Admin Mode.

Simplified Boot Modes Comparison Table

PERSISTENT mode, USER session
  What it's for: Everyday use with saved personal files and settings.
  Can change system files (like /usr, /etc): No, prohibited by file permissions.
  Can save files in /home (personal folder): Yes, saved after reboot.

LIVE mode, USER session
  What it's for: Temporary use. All changes are forgotten after reboot.
  Can change system files (like /usr, /etc): No, prohibited by file permissions; modifications made by system services are lost on reboot.
  Can save files in /home (personal folder): No, temporary only.

LIVE mode, SYSMAINT session
  What it's for: Temporary system repair or maintenance.
  Can change system files (like /usr, /etc): No, modifications are lost on reboot.
  Can save files in /home (personal folder): No, temporary only.

PERSISTENT mode, SYSMAINT session
  What it's for: Full access for permanent system changes.
  Can change system files (like /usr, /etc): Yes, read-write.
  Can save files in /home (personal folder): Yes, saved after reboot.

Advanced users and developers can also have a look at the more detailed Boot Modes Comparison Table.
