On 2011-12-26, Bernhard R. Link <brl...@debian.org> wrote:
> * Philipp Kern <pk...@debian.org> [111226 12:02]:
>> Sorry, but what kind of argumentation is that?  If the admin doesn't notice
>> reboots and/or file tampering, I could just replace the kernel with my
>> modified one and reboot.  Now of course you could increase your paranoia and
>> boot the kernel from an immutable disc.  But then I'd just load all relevant
>> modules in the initramfs and set modules_disabled there instead of doing
>> custom-built kernels just to get rid of modules.
> As you pointed out so nicely: modules_disabled is only a replacement if
> you have a custom initramfs and do not allow that to be modified
> automatically. So from the point of the original discussion,
> modules_disabled is no solution.

You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate the
initramfs.  I think that's much less effort than recompiling the kernel with
the right bits built-in.

I'll grant the "boot the kernel from the outside" bit, but then I could just
kexec into my new kernel, if the admin wasn't careful enough.

Kind regards
Philipp Kern


-- 
Archive: http://lists.debian.org/slrnjfidce.2qr.tr...@kelgar.0x539.de
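The "stuff a file into local-bottom and regenerate the initramfs" approach from the message above, as an added example that is not part of the thread and not Debian's own code. It assumes the Debian initramfs-tools conventions: hooks live in /etc/initramfs-tools/scripts/local-bottom/, get the "prereqs" subcommand from the harness, source /scripts/functions, and are rebuilt into the image with `update-initramfs -u`. It writes kernel.modules_disabled=1 at the end of the initramfs stage; modules_disabled is a one-way switch, so every module the running system needs must already be loaded at that point (list missing ones in /etc/initramfs-tools/modules). The kexec bypass mentioned in the reply is covered only if the kernel has the later kernel.kexec_load_disabled sysctl, which the hook sets when present; and, as the thread says, none of this helps if the attacker can regenerate the initramfs themselves.

```shell
#!/bin/sh
# Added example, not from the thread: install an initramfs-tools
# local-bottom hook that locks module loading (and kexec, where the
# kernel offers the sysctl) just before handing over to the real root.
# Assumed paths follow Debian initramfs-tools; check them on your system.

# Print the hook script. Kept as a function so it can be inspected or
# written into any directory (e.g. a scratch dir) without root.
render_hook() {
    cat <<'EOF'
#!/bin/sh
# initramfs-tools local-bottom hook: disable module loading for good.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
. /scripts/functions

# kernel.modules_disabled is one-way: once 1 it cannot go back to 0.
# If the file is absent (CONFIG_MODULES=n) there is nothing to disable.
if [ -w /proc/sys/kernel/modules_disabled ]; then
    echo 1 > /proc/sys/kernel/modules_disabled
    log_success_msg "module loading locked until reboot"
fi

# Also one-way; only exists on kernels that have kexec_load_disabled
# (3.7 and later), so the guard keeps older kernels working.
if [ -w /proc/sys/kernel/kexec_load_disabled ]; then
    echo 1 > /proc/sys/kernel/kexec_load_disabled
    log_success_msg "kexec locked until reboot"
fi
EOF
}

# Write the hook as an executable file into $1 and print its path.
# Real location: /etc/initramfs-tools/scripts/local-bottom (needs root).
install_hook() {
    dir="$1"
    mkdir -p "$dir"
    out="$dir/disable-modules"
    render_hook > "$out"
    chmod 0755 "$out"
    echo "$out"
}

# Sanity-check an installed hook without running its body: the harness
# expects the "prereqs" subcommand to answer and exit 0 before
# /scripts/functions (which only exists inside the initramfs) is sourced.
check_hook() {
    hook="$1"
    [ -x "$hook" ] || return 1
    sh "$hook" prereqs >/dev/null || return 1
    grep -q 'echo 1 > /proc/sys/kernel/modules_disabled' "$hook"
}

# Stand-alone use (then rebuild the image so the hook is actually in it):
#   sudo sh this.sh /etc/initramfs-tools/scripts/local-bottom && sudo update-initramfs -u
if [ -n "${1:-}" ]; then
    hook=$(install_hook "$1")
    check_hook "$hook" && echo "installed $hook"
fi
```

After regenerating, confirm the hook is inside the image with `lsinitramfs /boot/initrd.img-$(uname -r) | grep disable-modules`, and after a reboot `sysctl kernel.modules_disabled` should report 1; from that point `modprobe` of anything not already loaded fails, which is exactly the property being discussed and also the reason the module list must be complete before you switch this on.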
