Re: Writing to /etc/ from a "privileged" UI
On Wed, 11 May 2011, Dominic Hargreaves wrote:
> > Sorry but if you alternate physical possession of a laptop with someone whom
> > you suspect of being hostile, no files are secure as long as they're stored
> > on that laptop.
> This is not necessarily the case if a per-user encrypted filestore,
> such as ecryptfs, is in use (where a user may be unlocking access to
> their home directory at the same time as logging in, via a pam hook).
I suppose you do have done the non-trivial steps required to secure the
box against a rogue kernel install by the 'untrusted' person?
This is only one possible attack vector. There are others. There are
defenses, but they go way beyond 'a per-user encrypted filesystem'.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot