Today’s “whack yourself on the forehead and say ‘why didn’t I think of that?!’” moment…
Don’t just put the kernel images in your /boot partition. Put an Ubuntu server instance in that partition. THEN create the desktop installation on the rest of the disk. You need to do a little bit of work to merge the two GRUB configurations (and I’ll admit I haven’t done this yet) but when you’re done you have a fully functional second Ubuntu installation that will be around in case you screw up your desktop installation. You won’t have the GUI but that shouldn’t be a problem if all you’re doing is repairing the desktop instance.
Why not just use a rescue CD? Two reasons. First, you may not have one handy. Second, the stock rescue CDs don’t know the details of your installation. Keeping a server instance in your /boot partition means you can also perform critical backups to that partition and have it handy in case things go wrong. You could create a custom rescue CD/USB stick with the local details but review the first point again.
(It never ceases to amaze me that I constantly run across packages of unopened USB sticks when I’m not looking for one but the instant I need one they all disappear.)
There’s potentially a second benefit to having this instance. If you suspect the system has been compromised you should boot from a CD and mount the partition(s) read-only/noexec before running your checks.[1] In the real world it’s enough for most people to just boot into this server instance and work from it. If there’s a problem you’ll want to reinstall the OS anyway.[2]
(You do have a separate /home partition so reinstallation of the OS is relatively painless, right?)
1. If there’s the remotest possibility of this going to court you need to remove the media, set it to read-only (via the jumpers) if possible, then attach it to another system just long enough to create a mirror of the entire disk before sealing the drive and handing it to a lawyer or other secure facility for storage. PATA cables should have the ‘write’ line cut; I don’t know what you can do with SATA cables. Ideally this is all done by a properly certified and disinterested third party.
In practice nobody but a large company or someone specializing in computer security has the resources to take a matter to court.
2. Never try to ‘fix’ a compromised system and never restore the OS from a backup. It’s too easy to miss something or restore a compromised system. Linux installation is a lot easier than it used to be and Ubuntu 11.04 introduced “.override” files that make it even easier.
This is THE reason for having a separate partition for /home and each of your services. It’s easy to trust separate backups and restorations if I have a separate /home partition that’s always mounted nosuid/noexec/nodev. If everything is in one big partition… system restorations after an OS reinstall are a lot more complicated.
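The two mount policies mentioned above (read-only/noexec for a partition you are inspecting, nosuid/noexec/nodev for /home and service partitions) can be checked from the rescue instance. The script below is an added example, not part of the original post; the function names, the sample mount table and the /srv/www and /mnt/suspect mount points are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a mount table for the options the post relies on.
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass

# Constructed sample, not taken from a real system. On a live host: cat /proc/mounts
SAMPLE_MOUNTS='/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda5 /srv/www ext4 rw,nosuid,relatime 0 0'

# missing_opts MOUNTPOINT "opt1 opt2 ..."   (mount table on stdin)
# Prints the required options that MOUNTPOINT lacks, space separated; prints
# nothing when all are present and "unmounted" when the mount point is absent.
missing_opts() {
    awk -v mp="$1" -v req="$2" '
        $2 == mp { found = 1; opts = $4 }   # a later entry for the same path wins
        END {
            if (!found) { print "unmounted"; exit }
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) present[have[i]] = 1
            m = split(req, want, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in present))
                    out = (out == "" ? want[i] : out " " want[i])
            print out
        }'
}

# report TABLE: apply the post's two policies to a mount table held in a string.
# /srv/www and /mnt/suspect are hypothetical mount points chosen for this example.
report() {
    for target in "/home:nosuid noexec nodev" "/srv/www:nosuid noexec nodev" \
                  "/mnt/suspect:ro noexec"; do
        mp=${target%%:*}; need=${target#*:}
        gap=$(printf '%s\n' "$1" | missing_opts "$mp" "$need")
        case $gap in
            '')        echo "OK    $mp has: $need" ;;
            unmounted) echo "SKIP  $mp is not mounted" ;;
            *)         echo "FAIL  $mp is missing: $gap" ;;
        esac
    done
}

report "$SAMPLE_MOUNTS"
```

On a running system, replace the sample with the contents of /proc/mounts to check what is actually in effect rather than what /etc/fstab requests.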