Pierre Habouzit <madco...@madism.org> writes:

> On Mon, Jun 01, 2009 at 03:08:02PM -0300, Henrique de Moraes Holschuh wrote:
>> On Mon, 01 Jun 2009, Pierre Habouzit wrote:
>> > Think again, if I do such a package, I would obviously check with some
>> > kind of trivial perl program if the device containing /usr/lib/rootkit
>> > is mounted with nodev, would use mount -o remount,dev on the problematic
>> > mount point in the preinst, let the unpacking happen, and remount
>> > properly in the postinst.
>>
>> AFAIK, nodev blocks device nodes from _WORKING_ as well.
>>
>> Anyway, one would need to just remount it "dev" as root to exploit.
>>
>> Of course, when you have el-crap-o pathbased security plus something locking
>> down remounts, the above is an attack vector that separate /usr could close.
>> Not something someone using SE Linux would need to care about, though.
>>
>> > And if you really care about those extra bits of performance, then what
>> > I'd do is _not_ to not encrypt /usr but rather to let / be unencrypted,
>>
>> And now you need /etc as a separate partition, which is a lot worse to pull
>> off than /usr as a separate partition...
>
> cat >> /etc/fstab
> /srv/localhost/etc / auto bind
> ^D
> mount /etc
>
> done
And if that fails to mount: go away, you don't exist.

MfG
        Goswin
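The thread turns on one question: which mount actually contains a given path, and does that mount carry nodev (or noexec/nosuid)? The following POSIX sh script is an added example written for this page, not code from the thread or from Debian; it resolves a path to its enclosing mount point (the longest mount point that is a path prefix of the path) and reports the options, reading /proc/mounts on a real host or a constructed mounts table passed as an argument. The sample table, the paths and the function names are all assumptions made up for the example.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nodev,relatime 0 0
/dev/sda3 /srv ext4 rw,nodev,nosuid,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,relatime 0 0'

# _mount_entry_for PATH TABLE
# Prints "MOUNTPOINT OPTIONS" for the mount whose subtree holds PATH.
# The longest matching mount point wins; on a tie (a mount point mounted
# over more than once) the later line wins, as the kernel lists overmounts last.
_mount_entry_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # "/" contains everything; otherwise match only on a directory boundary
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { if (best != "") print best, opts }'
}

# mount_point_for PATH [TABLE]  -> mount point containing PATH
mount_point_for() {
    _mount_entry_for "$1" "${2:-$(cat /proc/mounts)}" | cut -d" " -f1
}

# mount_opts_for PATH [TABLE]   -> comma-separated options of that mount
mount_opts_for() {
    _mount_entry_for "$1" "${2:-$(cat /proc/mounts)}" | cut -d" " -f2
}

# has_mount_opt PATH OPTION [TABLE] -> exit 0 if the enclosing mount carries OPTION
has_mount_opt() {
    case ",$(mount_opts_for "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# report_path PATH [TABLE] -> one line summarising nodev/noexec/nosuid for PATH
report_path() {
    table=${2:-$(cat /proc/mounts)}
    set -- "$1" "$(mount_point_for "$1" "$table")" "$(mount_opts_for "$1" "$table")"
    printf '%s: on %s (%s)' "$1" "$2" "$3"
    for o in nodev noexec nosuid; do
        case ",$3," in
            *",$o,"*) printf ' %s=yes' "$o" ;;
            *)        printf ' %s=no'  "$o" ;;
        esac
    done
    printf '\n'
}

# Demo against the constructed table: /usr/lib/rootkit is the path from the thread.
report_path /usr/lib/rootkit "$SAMPLE_MOUNTS"
report_path /etc/fstab "$SAMPLE_MOUNTS"
```

Running the demo prints that /usr/lib/rootkit sits on /usr with nodev=yes while /etc/fstab sits on / with nodev=no. Note that a prefix test alone is not enough: /usrx/foo must resolve to /, not /usr, which is why the match requires a trailing slash boundary. As Henrique's reply points out, such a check only describes the current state; anything running as root can remount without nodev, so the audit is useful for spotting drift, not as a boundary on its own.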