[conspire] Partitioning revisited briefly

Rick Moen rick at linuxmafia.com
Fri Oct 15 22:19:22 PDT 2010


A few words about that 'recovery' partition:


# <file system> <mount point>   <type>  <options>       <dump>  <pass>

## sda is (obviously) the boot drive.  73 GB SCSI.
/dev/sda1       /boot           ext2    defaults        0       2
/dev/sda5       none            swap    sw              0       0
/dev/sda6       /var            ext2    noatime,nodev,nosuid 0       2
/dev/sda7       /               ext3    defaults,errors=remount-ro 0       1
/dev/sda8       /recovery       ext3    defaults        0       2
/dev/sda9       /usr            ext2    nodev,ro        0       2


The flags for it actually probably should include (and used to include) 
'noauto', the flag you include when you want a filesystem to be easily 
mountable because it has an entry in fstab, but never automatically 
mounted at boot time.

As I mentioned in my initial message, many of the ideas behind partitioning 
'have to do with anticipating and disarming threat models'.  That is,
you encountered some debacle in the past, or know people who did, and
want to ensure that you build into your system a way to defeat the
problem or recover from it.

Everyone who's used Linux long enough has done something really dumb
with the root account during one of those special moments of stupidity,
like this:

   cd /usr/lib
   chmod 644 *

...forgetting that there are a lot of subdirectories under there, among
other problems.  That is one of innumerable one-line ways to turn your
system into a basket case.  

Or, you might have gotten an intruder.  Or, you might have accidentally 
deleted, or recursively deleted, some critical tree.  Or, you might have
had apt-get go crazy during the dpkg installation phase of a large
number of critical packages such that the system libs get fatally
mislinked.  (This once happened to me.)  Contemplating all such cases, 
or just the possibility of them, you might wonder if it's feasible to
have a fallback mini-system that you can switch over to, for a while, 
until you can properly rebuild the main system.  

'Just use a live CD' is a possible answer, with the minor objection of
questionable performance and the larger problem that the live CD is 
probably not going to closely match your installed system.

So, you might end up trying something like my 500 MB /recovery
partition.  If you're like me, you'd think 'I'm not sure this is going
to end up being practical, but I'll never know without trying, and it's
only 500 MB.'

The idea is to keep /recovery normally unmounted.  (/recovery itself 
would be just a convenient access directory for maintenance.  If ever
put into service, the partition would get set to serve as the system '/'
partition.)  You would aim to keep all the essential libs, binaries, 
system configuration files, and other key functional parts of the system 
updated within /recovery in case they ever need to stand in for '/'.

The idea is:  Just before driving to work in the morning, you come to
the disturbing conclusion that someone has cracked your Web server and
is on it committing mischief.  You kick the intruder off, set the
machine to temporarily run from the recovery partition, boot it that
way, grab your hat, and go to work.

I'm still not 100% sure it's a good and practical measure, but it's only
500 MB.
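As an added illustration (not part of Rick's message, and assuming nothing beyond the fstab he quotes): a small Python check that parses an fstab, lists which filesystems `mount -a` would bring up at boot, and flags a mount point such as /recovery that is meant to stay unmounted but lacks the 'noauto' flag. The sample fstab is constructed from the one in the post, with the /recovery line still missing 'noauto'.

```python
"""Find fstab entries that should stay unmounted at boot but lack 'noauto'."""

# Constructed sample input, copied from the fstab in the post above.
SAMPLE_FSTAB = """\
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
## sda is (obviously) the boot drive.  73 GB SCSI.
/dev/sda1       /boot           ext2    defaults        0       2
/dev/sda5       none            swap    sw              0       0
/dev/sda6       /var            ext2    noatime,nodev,nosuid 0       2
/dev/sda7       /               ext3    defaults,errors=remount-ro 0       1
/dev/sda8       /recovery       ext3    defaults        0       2
/dev/sda9       /usr            ext2    nodev,ro        0       2
"""

def parse_fstab(text):
    """Return one dict per non-comment fstab entry (fields as in fstab(5))."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; mount(8) itself would complain here
        entries.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": fields[3].split(","),
            "dump": int(fields[4]) if len(fields) > 4 else 0,
            "pass": int(fields[5]) if len(fields) > 5 else 0,
        })
    return entries

def auto_mounted(entries):
    """Mount points 'mount -a' would mount at boot, i.e. those without noauto."""
    return [e["mountpoint"] for e in entries if "noauto" not in e["options"]]

def missing_noauto(text, keep_unmounted=("/recovery",)):
    """Mount points in keep_unmounted whose fstab entry lacks 'noauto'."""
    wanted = set(keep_unmounted)
    return [mp for mp in auto_mounted(parse_fstab(text)) if mp in wanted]

def add_noauto(text, mountpoint):
    """Return the fstab text with 'noauto' appended to mountpoint's options."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) >= 4 and not line.lstrip().startswith("#")
                and fields[1] == mountpoint):
            if "noauto" not in fields[3].split(","):
                fields[3] += ",noauto"
            line = "\t".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"
```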
