On Tue, Mar 31, 2015 at 02:37:53PM +0100, Gareth Nelson wrote:
> For scripts that are set executable, it works exactly the same way - for
> everything else it won't work unless the interpreter is patched, it's still
> an overall massive improvement in security.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I don't see this as a massive improvement in security.

This is exactly like immutable files until you go back to boot -s.
Such a pain in the ass to deal with as soon as you want to play with
machines to which you don't have direct physical access.

Tends to hinder proper backup and timely updates. Murphy's law says you're
always going to be on the move when a critical update comes along, which
*will require* a full reboot under your scheme.

Thus having exactly the reverse effect of what you're actually
looking for.
