On Sat, Aug 25, 2007 at 11:59:02AM -0700, David Brodbeck wrote:
> On Aug 25, 2007, at 5:23 PM, s. keeling wrote:
> >Ron Johnson <[EMAIL PROTECTED]>:
> >> On 08/24/07 11:16, David Brodbeck wrote:
> >>>
> >>>Also, is there any good reason to have a separate /boot on a modern
> >>>system? I always thought /boot was just a kludge to get around old
> >>>BIOSes that couldn't load anything that wasn't on the first part
> >>>of the
> >>
> >> I doubt it. I still do it, though, from tradition I guess.
> >
> >There may be good reason for it still in terms of security. /boot
> >doesn't need to be mounted on a running system. I'm not sure if that
> >adds a lot of security though.
>
> I'm thinking no. To alter any of the kernel files you'd need root
> privileges, and if you have that, you can do 'mount /boot'.
On the other hand, having /boot separate could be more robust in the event of an unclean shutdown. The system won't boot at all if the kernel file gets corrupted, so having /boot separate, and perhaps mounted ro, helps protect it. Having all the other usual directories split off, leaving a 300M /, helps to protect / in a similar fashion.

I was going to say that it's also nice to have a static-linked shell for those times when you need init=/bin/sh, however:

  # ldd /bin/sash
  /usr/bin/ldd: line 171: /lib/ld-linux.so.2: No such file or directory
  ldd: /lib/ld-linux.so.2 exited with unknown exit code (127)

IMHO a shared library should not have an unknown exit code; ldd should know all exit codes of shared libraries.

So what about busybox-static? The kernel depends on initramfs-tools which depends on busybox which conflicts with busybox-static. initramfs-tools doesn't give the option of busybox-static. It does give an option of busybox-cvs-static but it doesn't seem to be available on amd64. Sheesh.

So perhaps having /boot separate doesn't matter (unless otherwise using LVM) since there's nothing for the kernel to boot if the shared libraries get corrupted.

Doug.
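The two properties discussed in this thread, /boot being its own filesystem mounted ro and /boot not needing to be mounted at all on a running system, can both be read off /proc/mounts and /etc/fstab. The script below is an added example and is not code from Doug's post or from anyone else on the list; the mount table and fstab text are constructed samples, and the function names boot_mount_state, boot_fstab_state and has_opt are my own. It treats mount options as a comma-separated list so that the "ro" inside "errors=remount-ro" is not mistaken for a read-only mount.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posting): report how /boot
# is mounted, from /proc/mounts-style text, and how /etc/fstab would treat it.
# Input is passed in as text so the functions can be exercised offline.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,errors=remount-ro 0 0
/dev/sda1 /boot ext2 ro,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0'

# Constructed sample fstab: /boot kept off the running system (noauto) and ro
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda2 / ext3 errors=remount-ro 0 1
/dev/sda1 /boot ext2 ro,noauto,nosuid,nodev,noexec 0 2'

# has_opt OPTIONS NAME: true if NAME appears as a standalone mount option.
# Wrapping in commas avoids false hits such as the "ro" inside "errors=remount-ro".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# boot_mount_state MOUNTS_TEXT
# Prints "not-separate" when /boot is just a directory on /, "separate-ro" when it
# is its own filesystem mounted read-only, and "separate-rw" otherwise.
boot_mount_state() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/boot" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo not-separate
    elif has_opt "$opts" ro; then
        echo separate-ro
    else
        echo separate-rw
    fi
}

# boot_fstab_state FSTAB_TEXT
# Prints "absent" when fstab has no /boot entry, "noauto-ro" / "noauto-rw" when the
# entry is skipped at boot (mounted only on demand), and "auto-ro" / "auto-rw" when
# it is mounted every boot. Comment lines are ignored.
boot_fstab_state() {
    opts=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/boot" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo absent
        return
    fi
    if has_opt "$opts" noauto; then mode=noauto; else mode=auto; fi
    if has_opt "$opts" ro; then acc=ro; else acc=rw; fi
    echo "$mode-$acc"
}

# Run against the constructed samples; on a live system you would pass
# "$(cat /proc/mounts)" and "$(cat /etc/fstab)" instead.
echo "running system: $(boot_mount_state "$SAMPLE_MOUNTS")"
echo "fstab policy:   $(boot_fstab_state "$SAMPLE_FSTAB")"
```

A "noauto-ro" fstab entry together with "not-separate" in /proc/mounts is the state s. keeling describes: the kernel lives on its own filesystem but nothing on the running system has it mounted, and a crash or a stray write to / cannot touch it. As David points out, root can still run mount /boot, so the check limits accidental damage rather than a privileged attacker.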