Re: Good fdisk Practices
On Sat, Aug 25, 2007 at 11:59:02AM -0700, David Brodbeck wrote:
> On Aug 25, 2007, at 5:23 PM, s. keeling wrote:
> >Ron Johnson <ron.l.johnson@cox.net>:
> >> On 08/24/07 11:16, David Brodbeck wrote:
> >>>
> >>>Also, is there any good reason to have a separate /boot on a modern
> >>>system? I always thought /boot was just a kludge to get around old
> >>>BIOSes that couldn't load anything that wasn't on the first part
> >>>of the
> >>
> >> I doubt it. I still do it, though, from tradition I guess.
> >
> >There may be good reason for it still in terms of security. /boot
> >doesn't need to be mounted on a running system. I'm not sure if that
> >adds a lot of security though.
>
> I'm thinking no. To alter any of the kernel files you'd need root
> privileges, and if you have that, you can do 'mount /boot'.
On the other hand, having /boot separate could be more robust in the
event of an unclean shutdown. The system won't boot at all if the
kernel file gets corrupted, so having /boot separate, and perhaps
mounted ro helps protect it. Having all the other usual directories
split off leaving a 300M / helps to protect / in a similar fashion.
I was going to say that its also nice to have a static-linked shell for
those times when you need init=/bin/sh, however:
# ldd /bin/sash
/usr/bin/ldd: line 171: /lib/ld-linux.so.2: No such file or directory
ldd: /lib/ld-linux.so.2 exited with unknown exit code (127)
IMHO a shared library should not have an unknown exit code; ldd should
know all exit codes of shared libraries.
So what about busybox-staic? The kernel depends on initramfs-tools
which depends on busybox which conflicts with busybox-static.
initramfs-tools doesn't give the option of busybox-static. It does give
an option of busybox-cvs-static but it doesn't seem to be available on
amd64.
Sheesh.
So perhaps having /boot separate doesn't matter (unless otherwise using
LVM) since there's nothing for the kernel to boot if the shared
libraries get corrupted.
Doug.
Reply to: