Re: from / to /usr/: a summary
On 2011-12-26, Bernhard R. Link <firstname.lastname@example.org> wrote:
> * Philipp Kern <email@example.com> [111226 12:02]:
>> Sorry, but what kind of argumentation is that? If the admin doesn't notice
>> reboots and/or file tampering, I could just replace the kernel with my modified
>> one and reboot. Now of course you could increase your paranoia and boot the
>> kernel from an immutable disc. But then I'd just load all relevant modules in
>> the initramfs and set modules_disabled there instead of doing custom built
>> kernels just to get rid of modules.
> As you pointed out so nicely: modules_disabled is only a replacement if
> you have a custom initramfs and do not allow that to be modified
> automatically. So from the point of the original discussion,
> modules_disabled is no solution.
You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate the
initramfs. I think that's much less effort than recompiling the kernel with
the right bits built-in.
I'll grant the "boot the kernel from the outside" bit, but then I could just
kexec into my new kernel, if the admin wasn't careful enough.