
mounting BSD partitions



michapma
07-13-2006, 12:18 PM
Hi folks,

Despite the various mounting woes that one can find with the search feature of this fine forum, no one seems to have reported anything about BSD partitions. Maybe people who usually deal with BSD know what they're doing (I guess so). I don't usually deal with BSD, and at any rate I haven't found anything directly related to my problem.

I'm in charge of cracking root access to a machine of PC architecture with FreeBSD, NetBSD, Win98 and an unknown flavor of Linux installed, and it has been agreed to back up as much data as possible before any cracking. First I want to secure the most valuable data and some program source (if I can find it), and then I'd like to clone the hard-drives, followed by cracking the machine. Knoppix is my tool of choice for the first two tasks. I used the 5.0.1 EN CD version.


The players
When I run fdisk -l I find two hard-drives:
/dev/hda, an IDE drive of 160 GB
/dev/hdb, an IDE drive of 40 GB

The layers
The BSD /etc/fstab shows the following mount configuration:
On hda: 6 BSD partitions on hda, one swap partition, one MSDOS partition (Win98)
On hdb: 5 BSD partitions
CD-ROM: 5 drives (Its primary purpose is for recording audio and burning CDs.)
External: 2 USBstick mount points

There are also some Linux partitions that are not mounted by BSD. (These are essentially irrelevant for the moment.) I wish I had thought of actually saving the fdisk output. :roll:

The problem
For the task of cloning I plan to use dd. However, for securing the valuable data I would just like to mount the BSD partitions, find and select the relevant files, and copy them to a USB hard-drive. My problem so far comes with mounting. Knoppix recognizes the drives and makes fstab entries for all the partitions, including the BSD, MSDOS and Linux partitions. It has a problem, however, with mounting the BSD partitions.

The /etc/fstab entries in Knoppix for the BSD partitions (and all others) use "auto" for fstype. After failing to mount by right-clicking the desktop icons and selecting mount, I decided the simplest thing to do would be to just use explicit mount commands. I opened an X terminal (Konsole), switched to superuser, and after studying the mount manpage to refresh my memory, entered such commands as
# mount -t ufs -o rw /dev/hda2 /media/mnt/hda2
# mount -t ufs -o ufstype=44bsd /dev/hda2 /media/mnt/hda2
# mount /dev/hda2 /media/mnt/hda2
... and so on.

Nothing worked. I didn't copy the error messages, but it was along the lines of
mount: wrong fs type, bad option, bad superblock on /dev/hda2,
or too many mounted file systems

Now I'm not too sure about the "too many mounted file systems", I just found that code snippet on the forum and it resembles what I recall. I remember Knoppix finding a total of 14 partitions on hdb; together with 7 or so partitions on hda, could there be some kind of limit? I don't think so, because when I gave the above mount commands, none of the other partitions were mounted.

The question
What could I be overlooking? FreeBSD definitely uses the ufs filesystem by default, and that is what is declared in the BSD fstab. Why should Knoppix have this trouble?

Thanks

kirol
07-13-2006, 10:24 PM
Dos/linux partitions are called disk slices in BSD. These in turn are divided in BSD partitions according to a table called the disklabel. Each (bsd) partition holds a file system (or swap space). There's no way you can directly mount hda2 as you've tried. hda2 is a primary partition, which itself is divided in sub-partitions according to the BSD scheme. On one system, I have FreeBSD 5.2 installed to hdc4:

root@choubleu:/etc# sfdisk -l /dev/hdc

Disk /dev/hdc: 24792 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

Device   Boot    Start      End   #cyls     #blocks   Id  System
/dev/hdc1   *        0+    1019    1020-    8193118+   b  W95 FAT32
/dev/hdc2         1020    21578   20559   165140167+   f  W95 Ext'd (LBA)
/dev/hdc3        23557    24173     617     4956052+  a6  OpenBSD
/dev/hdc4        24174    24791     618     4964085   a5  FreeBSD
/dev/hdc5         1020+   14073   13054-  104856223+   7  HPFS/NTFS
/dev/hdc6        14074+   14606     533-    4281291   83  Linux
/dev/hdc7        14607+   15104     498-    4000153+  83  Linux
/dev/hdc8        15105+   15602     498-    4000153+  83  Linux
/dev/hdc9        15603+   16100     498-    4000153+  83  Linux
/dev/hdc10       16101+   16598     498-    4000153+  83  Linux
/dev/hdc11       16599+   21578    4980-   40001818+   7  HPFS/NTFS
/dev/hdc12       24174    24199-     26-     204800
/dev/hdc13       24199+   24248-     49-     393216
/dev/hdc14       24248+   24281-     33-     262144
/dev/hdc15       24281+   24313-     33-     262144
/dev/hdc16       24313+   24640-    327-    2621440
/dev/hdc17       24640+   24791-    152-    1220089

The "partitions" we're interested in are the ones at the end, whose type is unknown to sfdisk.
They're also briefly shown at boot time:


root@choubleu:/etc# dmesg | grep hdc
ide1: BM-DMA at 0xdc08-0xdc0f, BIOS settings: hdc:DMA, hdd:DMA
hdc: Maxtor 6B200P0, ATA DISK drive
hdc: max request size: 1024KiB
hdc: 398297088 sectors (203928 MB) w/8192KiB Cache, CHS=24792/255/63, UDMA(133)
hdc: hdc1 hdc2 < hdc5 hdc6 hdc7 hdc8 hdc9 hdc10 hdc11 > hdc3 hdc4
hdc4: <bsd: hdc12 hdc13 hdc14 hdc15 hdc16 hdc17 >

In fstab I have the following entry:


/dev/hdc14 /FreeBSD ufs ro,ufstype=44bsd,noauto,users,exec 0 0

If you substitute hda for hdc in the commands above, you should be able to identify the names (hdaxy) Linux gave to your BSD partitions. You can also try the "b" command of "fdisk". Be careful as it allows you to edit the BSD disklabel - better stick to the "p" (print) option.

I must admit I have only ever been able to mount the root (BSD "a") partition under Linux; if anyone knows how to access the other BSD filesystems from Linux, I'd be glad to learn.

One last piece of advice: the above might help you access and back up the BSD partitions' content from Linux, but if you want to reset passwords and need to write to the BSD partitions, you should probably be using a BSD live CD instead of Knoppix!

michapma
07-14-2006, 04:09 PM
Perfect! This has been one of those eureka moments.

To help me understand your post better, I looked at the FreeBSD handbook more carefully:
Basics Disk-Slice-Part (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disk-organization.html#BASICS-DISK-SLICE-PART)

Although your post was quite illuminating for me, it and the above doc individually didn't make things clear enough. But together they do more. In any case if all I could mount is the root partition, I still couldn't smuggle out the valuable data. So I did some more Googling until I came up with:
http://gentoo-wiki.com/HOWTO_Mount_UFS_partitions
which is based on:
http://forums.gentoo.org/viewtopic-t-209074.html

Not the first time Gentoo documentation has helped this Debian user. :) I think you will also find some info there to help you learn how to mount the other BSD filesystems; more below.

That last (forum) link helped me even more to understand the BSD disk organization. To review, I'll sum up in my own words how I do and don't understand it. A BSD slice is the equivalent of what is commonly called a partition; more specifically, what is often referred to as a primary partition: according to the FreeBSD handbook, "Slices are numbered, starting at 1, through to 4." I say this explicitly because of its equivalence to "normal" hard-drive speak, which I previously thought quasi-universal, though now perhaps just sort of standard:
There is a max number of 4 partitions allowed, which are also called primary partitions. Only one can be the active (bootable) primary partition. One and only one of the primary partitions can be assigned as the extended partition. The extended partition can be used to create more than 4 partitions. In the strict sense of the word, the additional partitions are not partitions (there are only 4 of these), so we call them logical drives or (to confuse things more) even logical partitions. Microsoft refers to both partitions and drives as volumes.

So BSD slices are what I understand as primary partitions. BSD does not, however, work with extended partitions and logical drives. I don't know whether the extended partition and its logical drives are recorded in the MBR, but I suspect not: I understand that the MBR is the whole reason we're limited to 4 partitions in the first place. (It is a rather small collection of bytes after all.) My suspicion, without bothering to look it up, is that the extended partition creates its own bookkeeping of logical drives in its own sectors. (That would explain why even GRUB cannot boot systems located in logical drives.) According to what you wrote BSD does something similar: it writes its own record of "logical volumes" (BSD partitions) in each partition (BSD slice), in a table called the disklabel. BSD can distinguish between its BSD partitions using the disklabel the same way Linux and DOS distinguish between primary and logical volumes. Fdisk also understands how to interpret BSD partitions, although it doesn't display them as if they were logical drives. As you say, no wonder I can't mount hda2: It's like trying to mount an extended partition instead of a logical drive within the extended partition.

According to the fdisk manpage, a BSD disklabel (in each BSD slice?) can create 8 BSD partitions. The third one should be "the same size as the enclosing slice. This allows utilities that need to work on the entire slice (for example, a bad block scanner) to work on the c partition. You would not normally create a file system on this partition." [FreeBSD handbook] Weird, but I think I get it. Also, due to backward compatibility, the fourth BSD partition is usually not created.

According to the BSD handbook, "you can have logical slices inside physical slices of the appropriate type. These extended slices are numbered starting at 5", directly analogous to extended partitions and logical drives, so there is only a very high limit to the number of BSD filesystems that a BSD system can recognize.

There is a snag to my newfound "knowledge." What I've described allows BSD to create its BSD partitions inside of each slice. This implies that each slice can contain BSD partitions, contrary to the analogue of only one partition (the extended one) containing logical drives. This is one aspect I don't understand.


Now for the practical application. Here is an approximation of the relevant parts of my to-be-cracked system's fstab:

dev       mntpnt     fstype
--------  --------   -------
ad0s4b    none       swap
ad0s4a    /          ufs
ad0s4g    /home      ufs
ad0s4f    /tmp       ufs
ad0s4h    /usr       ufs
ad0s4e    /var       ufs
ad0s2a    /sa        ufs

ad0s1     /bill      msdos

ad2s4a    /sam
ad2s4e    /sam/var
ad2s4f    /sam/home
ad2s4g    /sam/usr
ad2s2a    /sam/sa

The prefix ad signifies an IDE disk, and ad0 will be the master while ad2 will be the second drive. (I would have expected ad1, but I guess the IDE assignments could get complicated with 5 IDE CD-ROMs.) The indexes s4 and s2 indicate slice numbers. The / for example is located on slice 4, in the first BSD partition (a). There are a, b, e, f and g partitions (c the 3rd and d the 4th are skipped as above) on slice 4, and the a partition on slice 2 is mounted as /sa (also user data).

On the second disk, ad2, the fourth and second slices are again used, apparently for system backups. Of course, Bill's OS resides on what BSD interprets as the first partition of the first slice, that is, C:\.

According to the Gentoo wiki FreeBSD versions below 5 use UFS1, so I'll mount using -t ufs. The main difficulty will be making sure that Linux can also interpret the UFS filesystem. According to the Gentoo forum post, "Linux doesn't know about slices. The BSD partitions are represented just like any other partition types. So /dev/ad0s1a under FreeBSD becomes /dev/hda1 under Linux, /dev/ad0s1f is /dev/hda8 and so on. Linux only sees partitions other than /dev/ad0s1a if the kernel supports BSD disklabels." I am hoping that this is compiled into the Knoppix kernel. Otherwise, maybe I can load a module.

Considering that there are 4 BSD slices on 2 disks, along with one NetBSD slice, an MSDOS primary partition and several Linux partitions, I have quite some calculating to do to get the right partitions mounted. Fortunately, I have the FreeBSD fstab and fdisk output to help me. There may be some trial and error, but I'll be sure to use the -r option when mounting. With BSD support, I can probably put "dmesg | grep" to good use, as both you and the Gentoo wiki mention.

Well thanks, you've helped me along by leaps and bounds!

michapma
07-14-2006, 04:13 PM
One last piece of advice: the above might help you access and back up the BSD partitions' content from Linux, but if you want to reset passwords and need to write to the BSD partitions, you should probably be using a BSD live CD instead of Knoppix!

To reset the root password I can possibly use the init.rd levels, since with physical access it isn't protected against such intrusion. Good tip though, in case I get stuck.

michapma
07-24-2006, 12:41 PM
Here's a follow up on mounting the BSD slices/partitions. The results were very positive. After booting into Knoppix I opened a root terminal, and just in case I did
modprobe ufs

As previously reported, the following did not work:
mount -t ufs -o ufstype=44bsd /dev/hda2 /media/hda2

After reading a bit more in the mount manpage I tried a variation and, funnily enough, the following did work:
mount -t ufs -o ro,ufstype=44bsd /dev/hda2 /media/hda2

Why the "ro" option made the difference, I don't know. Nevertheless, I was thus able to mount any of the partitions I wanted, and copied most of the data I wanted. Only time demands prevented me from getting everything.

Note to future forum searchers: The -o ufstype=44bsd is appropriate to UFS1, which is the case since I am dealing with FreeBSD 4.11. For UFS2, I believe -t ufs2 should work.


Thanks to kirol's comments, the output of fdisk -l and previous access to the fstab of the BSD installation, I was able to figure out fairly easily which partitions were which. I find it interesting that the comment from kirol, "There's no way you can directly mount hda2 as you've tried", by chance turned out to be wrong. The reason why, which he did not know at the time he posted, is because there is only one BSD partition on slice 2 (mounted at /sa as can be seen in the fstab listing two posts above). In Linux terms, partition 2 (/dev/hda2, a primary partition) is not subdivided into further partitions. It can therefore be mounted per the commands above. Slice 4 (primary partition 4) contains by contrast 6 BSD partitions (/, /home, /tmp, /usr, /var and swap, again see fstab listing above). These appear as partitions hda8, hda9, hda10, hda11, hda12 and hda13. Partitions hda5, hda6 and hda7 are claimed by the NetBSD installation on slice 3 (primary partition 3).

That Knoppix recognizes this at least partially can be seen from the output of dmesg, which I captured after booting into Knoppix. Here is a relevant extract:
hda: max request size: 512KiB
hda: 312581808 sectors (160041 MB) w/8192KiB Cache, CHS=19457/255/63
hda: cache flushes supported
hda: hda1 hda2 hda3 hda4
hda2: <bsd: >
hda3: <netbsd: hda5 hda6 hda7bad subpartition - ignored
bad subpartition - ignored
bad subpartition - ignored
bad subpartition - ignored
bad subpartition - ignored
bad subpartition - ignored
bad subpartition - ignored
>
hda4: <bsd: hda8 hda9 hda10 hda11 hda12 hda13 >
hdb: max request size: 512KiB
hdb: 78165360 sectors (40020 MB) w/2048KiB Cache, CHS=16383/255/63
hdb: cache flushes supported
hdb: hdb1 < hdb5 hdb6 hdb7 hdb8 > hdb2 hdb3 hdb4
hdb2: <netbsd: hdb9 hdb10 hdb11 hdb12 hdb13 hdb14bad subpartition - ignored
bad subpartition - ignored
bad subpartition - ignored
>
hdb3: <bsd: >
hdb4: <bsd: hdb15 hdb16 hdb17 >
I'm not so sure what the "bad subpartition - ignored" messages signify, but it apparently didn't affect me.

In terms of my little project, so far, so good! After making sure I've gotten everything of value, I'll clone the whole hard-drive.

Then it's down to cracking the root password and the dirty business of trying to figure out whether we can configure and keep using the system as is, or whether we have to try to achieve a different setup.
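
Added example (not part of the original thread): a Python sketch of the device-name bookkeeping described in the last post. It parses the kernel's partition lines, including the interleaved "bad subpartition - ignored" noise, and pairs them with the FreeBSD fstab entries to build read-only mount commands. The letter-order numbering rule, the ad0-to-hda pairing and all function names are assumptions of this example; confirm each mapping by inspecting the file system once it is mounted read-only.

```python
import re

# Kernel partition lines copied from the 07-24-2006 post (hda only, noise shortened).
DMESG = """\
 hda: hda1 hda2 hda3 hda4
 hda2: <bsd: >
 hda3: <netbsd: hda5 hda6 hda7bad subpartition - ignored
bad subpartition - ignored
 >
 hda4: <bsd: hda8 hda9 hda10 hda11 hda12 hda13 >
"""
# (device, mount point) pairs from the FreeBSD fstab listing in the thread.
FSTAB = [("ad0s4b", "none"), ("ad0s4a", "/"), ("ad0s4g", "/home"),
         ("ad0s4f", "/tmp"), ("ad0s4h", "/usr"), ("ad0s4e", "/var"),
         ("ad0s2a", "/sa")]
DISKS = {"ad0": "hda"}  # FreeBSD disk -> Linux disk, as identified in the thread

def parse_disklabels(dmesg):
    """Return {slice: (flavour, [subpartitions])} from kernel partition lines."""
    cleaned = dmesg.replace("bad subpartition - ignored", " ")
    return {m.group(1): (m.group(2), m.group(3).split())
            for m in re.finditer(r"(\w+): <(\w+):([^>]*)>", cleaned)}

def linux_device(bsd_dev, labels, fstab=FSTAB, disks=DISKS):
    """Map a FreeBSD name such as ad0s4a to the Linux node to mount."""
    disk, slice_no, letter = re.fullmatch(r"(ad\d+)s(\d)([a-h])", bsd_dev).groups()
    parent = disks[disk] + slice_no               # ad0s4 -> hda4
    if parent not in labels:
        raise LookupError(f"{parent}: no disklabel reported (kernel support missing?)")
    subparts = labels[parent][1]
    if not subparts:                              # "<bsd: >": mount the slice itself
        return "/dev/" + parent
    # Assumption: in-use label entries are numbered in letter order.
    letters = sorted(d[-1] for d, _ in fstab if d.startswith(f"{disk}s{slice_no}"))
    if len(letters) != len(subparts):
        raise ValueError(f"{parent}: fstab has {len(letters)} entries, kernel {len(subparts)}")
    return "/dev/" + subparts[letters.index(letter)]

def mount_plan(labels, fstab=FSTAB, ufstype="44bsd"):
    """Build read-only mount commands (returned as text, never executed)."""
    plan = []
    for dev, mnt in fstab:
        if mnt == "none":                         # swap has no file system to mount
            continue
        node = linux_device(dev, labels, fstab)
        plan.append(f"mount -t ufs -o ro,ufstype={ufstype} {node} /media/{node[5:]}")
    return plan

if __name__ == "__main__":
    print("\n".join(mount_plan(parse_disklabels(DMESG))))
```

A count mismatch between the fstab entries and the kernel's list raises an error instead of guessing, which is the case to expect when the kernel ignored subpartitions in a slice.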