
Re: from / to /usr/: a summary

On 2011-12-26, Bernhard R. Link <brlink@debian.org> wrote:
> * Philipp Kern <pkern@debian.org> [111226 12:02]:
>> Sorry, but what kind of argumentation is that?  If the admin doesn't notice
>> reboots and/or file tampering, I could just replace the kernel with my modified
>> one and reboot.  Now of course you could increase your paranoia and boot the
>> kernel from an immutable disc.  But then I'd just load all relevant modules in
>> the initramfs and set modules_disabled there instead of doing custom built
>> kernels just to get rid of modules.
> As you pointed out so nicely: modules_disabled is only a replacement if
> you have a custom initramfs and do not allow that to be modified
> automatically. So from the point of the original discussion,
> modules_disabled is no solution.

You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate the
initramfs.  I think that's much less effort than recompiling the kernel with
the right bits built-in.

I'll grant the "boot the kernel from the outside" bit, but then I could just
kexec into my new kernel, if the admin wasn't careful enough.

Kind regards
Philipp Kern
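The hook-file approach mentioned in the reply, as an added example that is not part of the thread: a POSIX shell helper that writes an initramfs-tools local-bottom hook which sets kernel.modules_disabled=1 just before the initramfs pivots to the real root. The hook name "lock-modules" and the output directory parameter are this example's own choices; on a Debian system the hook directory is /etc/initramfs-tools/scripts/local-bottom and the initramfs is regenerated with update-initramfs -u. The PREREQ/prereqs protocol and the log_*_msg helpers from /scripts/functions are the ones initramfs-tools documents.

```shell
#!/bin/sh
# Added example (not from the thread): generate an initramfs-tools
# "local-bottom" hook that sets kernel.modules_disabled=1 right before the
# initramfs hands over to the real root filesystem.  The hook name
# "lock-modules" and the output directory are assumptions of this example.
# Real deployment: write_lockdown_script /etc/initramfs-tools/scripts/local-bottom
# and then run "update-initramfs -u" as root.

write_lockdown_script() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/lock-modules" <<'EOF'
#!/bin/sh
# initramfs-tools local-bottom hook: by this point the root filesystem is
# mounted and every module it needs has already been loaded, so locking
# module loading here does not interfere with the rest of the boot.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
. /scripts/functions

if [ -w /proc/sys/kernel/modules_disabled ]; then
    # Writing 1 is one-way: it cannot be reset until the next reboot.
    echo 1 > /proc/sys/kernel/modules_disabled
    log_success_msg "kernel module loading disabled until next reboot"
else
    log_warning_msg "modules_disabled not available; kernel built without CONFIG_MODULES?"
fi
EOF
    chmod 0755 "$dir/lock-modules"
}

# Report the running kernel's state: "1" means loading is already locked,
# "0" means still open, "unavailable" on kernels without module support.
modules_disabled_state() {
    if [ -r /proc/sys/kernel/modules_disabled ]; then
        cat /proc/sys/kernel/modules_disabled
    else
        echo unavailable
    fi
}

# Stand-alone demo: render the hook into a scratch directory and show it.
demo_dir=$(mktemp -d)
write_lockdown_script "$demo_dir"
cat "$demo_dir/lock-modules"
echo "current state on this host: $(modules_disabled_state)"
rm -r "$demo_dir"
```

Because the setting only takes effect from the initramfs onward, it gives exactly the guarantee the thread is arguing about: nothing more, and nothing less. Anyone who can regenerate or replace the initramfs (or kexec a different kernel, as the reply notes) can boot without the hook, so the lock is only as strong as the integrity of the boot chain that carries it.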
