On Thu, Apr 09, 2009 at 04:43:17PM +0200, martin f krafft wrote:
> also sprach Douglas A. Tutty <dtu...@vianet.ca> [2009.04.09.1532 +0200]:
> > > On the other hand, having / in LVM means:
> > > * you can enlarge / when necessary;
> >
> > You should never have to enlarge a 500 MB /
>
> I bet you'll be wrong in 10 years.

What load of gunk will be dumped into / to take it bigger than 500 MB? If ever / becomes bigger than 500M, then booting my old boxes will again require a separate /boot (so that they can boot lower than the 504 MB limit).

> > > * you can encrypt / if desired;
> >
> > Why would you need / encrypted (if swap, /tmp, /home, and parts of /var
> > are encrypted)?
>
> Because it contains e.g. /bin/ls and you don't want that to be
> trojaned. Obviously, an integrity checker can also help.

How does encrypting / prevent trojaning a binary? I suppose it prevents an attacker gaining root when the box is turned off and not physically secured, but I don't know. Does encrypting root counteract the age-old wisdom that physical access to the hardware will allow root compromise?

An integrity checker would only help if it's being run from a known-secure box, not the box with the questionable /bin/ls.

Encryption is great to protect secret content, while the box is powered-off. It doesn't help while the box is powered-on (since the filesystems will be decrypted).

Doug.
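The "integrity checker" both posters mention boils down to a baseline of file hashes taken while the system is known good, checked later against what is on disk. The script below is an added illustration written for this thread, not code from either poster or from Debian; it assumes GNU coreutils (`sha256sum -c --quiet`, `find`, `comm`) and exercises a constructed scratch directory rather than the real /bin. It detects the three things a trojaned / would show: a changed file, a deleted file, and a file that was never in the baseline.

```shell
#!/bin/sh
# Baseline-and-verify file integrity check (added example, not from the post).
# Assumes GNU coreutils. The manifest path passed to verify_manifest must be
# absolute, because the function changes directory before checking.

# make_manifest DIR MANIFEST
# Record a sha256 of every regular file under DIR, sorted by path.
make_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k2 > "$manifest"
}

# verify_manifest DIR MANIFEST
# Exit 0 only if every file in MANIFEST is present and unchanged under DIR
# and no unlisted regular file has appeared. Findings go to stdout.
verify_manifest() {
    dir=$1; manifest=$2; status=0

    # Changed contents and missing files: sha256sum -c reports each one and
    # exits non-zero; --quiet suppresses the per-file "OK" lines.
    ( cd "$dir" && sha256sum -c --quiet "$manifest" ) 2>&1 || status=1

    # Additions: a dropped-in binary is as suspect as a modified one, and
    # sha256sum -c cannot see it, so diff the on-disk file list against the
    # paths recorded in the baseline.
    listed=$(mktemp); present=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$present"
    extra=$(comm -13 "$listed" "$present")
    if [ -n "$extra" ]; then
        printf 'not in baseline:\n%s\n' "$extra"
        status=1
    fi
    rm -f "$listed" "$present"
    return $status
}

# demo: build a constructed fake /bin, baseline it, then tamper with it.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ls\n'  > "$work/bin/ls"
    printf 'original cat\n' > "$work/bin/cat"

    make_manifest "$work/bin" "$work/baseline.sha256"
    verify_manifest "$work/bin" "$work/baseline.sha256" >/dev/null \
        && echo "clean tree: verified"

    printf 'trojaned ls\n' > "$work/bin/ls"      # modified binary
    rm "$work/bin/cat"                           # deleted binary
    printf 'dropper\n' > "$work/bin/.hidden"     # unlisted addition
    verify_manifest "$work/bin" "$work/baseline.sha256" \
        || echo "tampered tree: verification FAILED (expected)"

    rm -rf "$work"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh integrity.sh demo`. The design point matches Doug's objection: the baseline file and the `sha256sum` binary used to check it both have to come from somewhere the attacker could not reach (read-only media, a second machine), otherwise a trojaned root can simply hand the checker a matching manifest.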