Re: from / to /usr/: a summary

To: debian-devel@lists.debian.org
Subject: Re: from / to /usr/: a summary
From: Philipp Kern <trash@philkern.de>
Date: Tue, 27 Dec 2011 03:03:42 +0000 (UTC)
Message-id: <[🔎] slrnjfidce.2qr.trash@kelgar.0x539.de>
Reply-to: phil@philkern.de
References: <[🔎] 87zkei197p.fsf@poker.hands.com> <[🔎] 20111225041723.GA27634@leaf> <[🔎] 20111225T120748.GA.edf77.stse@fsing.rootsland.net> <[🔎] slrnjfe4ip.t6i.trash@kelgar.0x539.de> <[🔎] 20111226103810.GA1338@teal.hq.k1024.org> <[🔎] 20111226110143.GA547@thrall.0x539.de> <[🔎] 20111226180337.GB2217@server.brlink.eu>

On 2011-12-26, Bernhard R. Link <brlink@debian.org> wrote:
> * Philipp Kern <pkern@debian.org> [111226 12:02]:
>> Sorry, but what kind of argumentation is that?  If the admin doesn't notice
>> reboots and/or file tampering, I could just replace the kernel with my modified
>> one and reboot.  Now of course you could increase your paranoia and boot the
>> kernel from an immutable disc.  But then I'd just load all relevant modules in
>> the initramfs and set modules_disabled there instead of doing custom built
>> kernels just to get rid of modules.
> As you pointed out so nicely: modules_disabled is only a replacement if
> you have a custom initramfs and do not allow that to be modified
> automatically. So from the point of the original discussion,
> modules_disabled is no solution.

You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate the
initramfs.  I think that's much less effort than recompiling the kernel with
the right bits built-in.

I'll grant the "boot the kernel from the outside" bit, but then I could just
kexec into my new kernel, if the admin wasn't careful enough.

Kind regards
Philipp Kern

Reply to:

Follow-Ups:
- Re: from / to /usr/: a summary
  - From: "Bernhard R. Link" <brlink@debian.org>

References:
- Re: from / to /usr/: a summary
  - From: Philip Hands <phil@hands.com>
- Re: from / to /usr/: a summary
  - From: Josh Triplett <josh@joshtriplett.org>
- Re: from / to /usr/: a summary
  - From: Stephan Seitz <stse+debian@fsing.rootsland.net>
- Re: from / to /usr/: a summary
  - From: Philipp Kern <trash@philkern.de>
- Re: from / to /usr/: a summary
  - From: Iustin Pop <iustin@debian.org>
- Re: from / to /usr/: a summary
  - From: Philipp Kern <pkern@debian.org>
- Re: from / to /usr/: a summary
  - From: "Bernhard R. Link" <brlink@debian.org>

Prev by Date: Re: from / to /usr/: a summary
Next by Date: Boost defaults change (1.46.1 --> 1.48)
Previous by thread: Re: from / to /usr/: a summary
Next by thread: Re: from / to /usr/: a summary
Index(es):
- Date
- Thread