[ltp] Secure Ubuntu (was Re: IBM Recovery CDs, partitions)

Michael Kaiser linux-thinkpad@linux-thinkpad.org
Thu, 6 Oct 2005 13:54:29 +0200


Hi!

Thanks for all suggestions and help, after checking various
suggestions, I managed to get my R52 up and running.

Goal: Dualboot Win XPp & Linux, pre desktop area not necessary. Linux
with an encrypted root filesystem.

I did the partitioning of the HDD with Ubuntu Linux Installer.

Harddisk layout (linuxish)
/dev/sda1  15 G  Windows XP pro
/dev/sda2  1,5 G Linux swap
/dev/sda3  150 M /boot
/dev/sda5  30 G /
/dev/sda6  12 G transfer partition, mountable for Windows and Unix and
a first stage root

I installed a clean WXPP from non-IBM installation CDs. This was
painful as WinXp was not able to identify a couple of components,
especially all NICs. So I went to the IBM site and downloaded (from
another PC) a couple of drivers and packets: drivers for the NICs
(WLAN and wired), chipset support drivers, ATI drivers and the
software install packet. Burned those packages to a CD and installed
them on the R52. To my surprise, the IBM/ Lenovo Software Installer
made installation of software as easy as Debian's apt-get. So all the
missing drivers have been downloaded and installed automagically. So I
got a low fat Windows without all the additional crap.

Time for a backup! I used Rescue and Recovery. The backup looked
pretty consistent, so I am confident that I will be able to recover
from this CD set if necessary.

<religious distribution bla ahead>
I chose Ubuntu as my Linux distribution for a number of reasons. All
those reasons are mine, you might think I am crazy or sadistic or
whatever, so you might want to choose another distribution.

1. It is a Debian (derivate | fork). I am used to Debian, I like
Debian and I always get back to Debian based distros after trying
others.
2. The Ubuntu installer is a breeze. It handles SATA; the Debian Sarge
installer does NOT. At least not, if you want to use a 2.6er kernel.
3. Ubuntu's hardware discovery is sophisticated. Yes, Knoppix and
Kanotix are perhaps better, but what else is to detect if everything
works.
4. Ubuntu ships with gnome. I, yes I, ME, MYSELF, prefer gnome over
KDE. And yes, SuSE/Novell gives me the choice as well.
5. It simply works. YMMV, but at least for me, Ubuntu does always work.
</done with the distribution stuff>

So I installed Ubuntu to /dev/sda6 as root and after the installation
finished, I logged on and opened a terminal and did a

sudo init 1

and followed the steps in /usr/share/doc/cryptsetup/CryptoRoot.HowTo

Caveat: "cp -axv / /mnt" copies a file for /dev/null and /dev/console,
so when you have changerooted to /mnt do a

mknod -m 600 /dev/console c 5 1
mknod -m 666 /dev/null c 1 3

to circumvent a possible lockup.
Additionally make sure that /lib/libdevmapper.so.1.01 links to
/lib/libdevmapper.so.1.00. Otherwise mkinitrd will fail. At least it
failed when I tried to.

Reboot.
Et voila, a secure Ubuntu...

--
Banana is my favorite vegetable,
   because it has no bones.
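
A pre-flight check for the two caveats in the message above (device nodes copied as plain files, and the libdevmapper link that mkinitrd needs), added here as an example; it is not part of the original message or of CryptoRoot.HowTo. Function names are hypothetical, GNU stat is assumed, and the check is run from outside the chroot against the copied tree.

```shell
#!/bin/sh
# Added example: pre-flight check of a root tree copied with "cp -axv / /mnt".
# Function names are hypothetical; device numbers, modes and library names
# are the ones from the message. Assumes GNU stat. Usage: preflight /mnt

# check_node PATH MAJOR MINOR MODE: fail unless PATH is a character device
# with exactly these numbers and permissions (a copied plain file fails).
check_node() {
    if [ ! -c "$1" ]; then
        echo "FAIL: $1 is not a character device" >&2; return 1
    fi
    # %t and %T print major and minor in hex, %a the octal mode.
    info=$(stat -c '%t %T %a' "$1") || return 1
    maj=$((0x${info%% *})); rest=${info#* }
    min=$((0x${rest%% *})); mode=${rest#* }
    if [ "$maj" -ne "$2" ] || [ "$min" -ne "$3" ] || [ "$mode" != "$4" ]; then
        echo "FAIL: $1 is $maj,$min mode $mode; expected $2,$3 mode $4" >&2
        return 1
    fi
}

# check_devmapper_link ROOT: the .1.01 name must be a symlink to the .1.00
# library, and that library must exist inside ROOT (not on the host).
check_devmapper_link() {
    link="$1/lib/libdevmapper.so.1.01"
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink" >&2; return 1
    fi
    case "$(readlink "$link")" in
        libdevmapper.so.1.00|/lib/libdevmapper.so.1.00) ;;
        *) echo "FAIL: $link points elsewhere" >&2; return 1 ;;
    esac
    if [ ! -e "$1/lib/libdevmapper.so.1.00" ]; then
        echo "FAIL: $1/lib/libdevmapper.so.1.00 is missing" >&2; return 1
    fi
}

# preflight ROOT: run every check, report all failures, return 1 if any failed.
preflight() {
    rc=0
    check_node "$1/dev/console" 5 1 600 || rc=1
    check_node "$1/dev/null" 1 3 666 || rc=1
    check_devmapper_link "$1" || rc=1
    return $rc
}
```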