Thursday 13 July 2017

Trojaned Ssh Daemon Component Hwclock Binary Options


Best Online Stock Traders. Each of these brokers has features that set it apart from the others. Trade King: Trade King is a personal favourite of my trading structure. Trade King is one of the best in the discount stock trading business, including for investors who want to learn how to trade like stock market professionals and how to identify the best momentum trades. Trade King also offers new customers a rebate of up to 150 for transferring their assets to Trade King. Competition has forced innovation: cheap online stock trading and additional features such as education and training centres, articles, videos, free webinars, chat rooms and social networking forums, and free tax software to track profits, losses and more. Hopefully you can use this information to find the best discount online broker for your needs. Our goal is to show you some of the best values in the discount brokerage space and to highlight some of the leading features they offer. Online Discount Broker India offers online trading accounts, an online stock trading app and other benefits; we are the best discount brokerage company in India. Best online stock trader. To find the best online trading site for beginners, we demoed the educational resources, customer support and user experience of eight popular platforms, online radio and video streaming services with daily coverage, no pauper traders, technical analysis education, and Wall Street commentary that provides clear coverage. Trade free for 60 days and receive up to 600 when you open an E TRADE account. Options House has the lowest price for standard online stock trades of the brokers listed in the review. Stock Momentum Trader Strategy 4 Online Course: do you want to learn how to trade like stock market professionals? Learn how to identify the best momentum. They have a sleek, easy-to-use interface, cheap stock trades, a special learning centre, free webinars, free access to Maxit Tax Manager to track your profits and losses, and more. Binary Options 44 Scholastic Online Course.
For more information, or to open a Trade King account, visit Online Stock Trader Best. Standard stock trades cost only 4.95, and option trades are among the best in the industry; see the Options House review for more information. Binary Options Buddy 4 0. To find the best online trading site for beginners, we demoed the educational resources, customer support and user experience of eight popular platforms. The online brokerage community has grown by leaps and bounds in the past few years, which is good for investors who want to take part in online stock trading. Trojan Ssh Daemon Component Binary Options Hwclock. Stock Momentum Trader Strategy 4 Online Course: do you want to learn how to trade like exchange professionals? Learn how to identify the best momentum. New customers receive free stock trades for 60 days when they open a new account and fund it with a minimum deposit of 10,000 within 60 days. Not all of these features are available from discount brokerage companies, and some brokers offer better ones than others. We have focused on the more popular companies that consistently appear in industry award reviews, including those by Smart Money and Kiplinger. Best Online Stock Trader. Best age of binary options shadow. This comparison gives an overview of pricing structures, and below the comparison chart are some specific features of each of these online brokerage companies. Best online stock trader: E TRADE offers a full-service brokerage company and an online bank, which allows accounts to be linked and money to be transferred to and from the trader. Freedom PRO stock market training, Stock technical analysis course: take your destiny into your own hands and invest with confidence. While their trades are not the cheapest of the listed companies, they offer a variety of services and features not found with many other discount brokers online. How to earn money in Galaxy On Fire 2. The online brokerage community has grown by leaps and bounds in the past few years, which is good for investors who want to take part in online stock trading. Best Online Stock Trader. Options House was rated number 1 by Barron's for user experience. 25 ways to make money trading. E TRADE has won many awards for both its brokerage services and its online savings accounts. Forex currency, Learn Online Trading Archives. This is a good broker for investors concerned with cost per trade. OWA. MIS 1 Work Of The Exchange Forex OWA Outlook Web Access Microsoft Exchange Server Yahoo OWA Outlook Web Access Microsoft Exchange Server Yahoo OWA Outlook Web Access OWA Outlook. 2011-06-23, ,,, 2016 15 19 7 2016, 60-second binary options scalping 200965, VIP, VIP 1, 2 SBS JP 1948 2009 2, information processing, five personality traits,,,,,. How to earn income, SBS JP service centre 1948 2009 10 300 0 001-0 006 1,000 40 1,489 1,000 20 40 1,469,772 1,469,772. How to understand books in the stock market 4044 1000 401,000 1,0004 MIS MIS MIS mass income system 2014 - MIS MIS MIS 15.30 21 MIS, 11 --- 444777 5, 4 3 11. 2011-06-17 2011-06-23 TO001. 2011-06-27 4., 4, Is binary options trading in South Africa a 100 bonus, OWA Outlook. Exchange Server AD server MIS Exchange 2 MIS Exchange Server IP Outlook Outlook 3 71 Q A 63 T 2 MoooFitApp app MISVIP MIS Daniel J 4 72013,, 102023 5 2013 35 2 ,, ,, 539 10109-10 11 25 stocks Stock Bull Pen 63000 63 89 89 77 T 2 63089 64 64000 64 91 91 22 192 63717 6371763089628 628. Platformy Forex Forum. Fxstreet Eur Cad Forex. Forexindo Indonesia Execution.
The estimated value is 11,132.45, with an estimated 2789 visits per day and advertising revenue of 8.37. COM Registry Domain ID 203021410DOMAINCOM-VRSN. Registrar WHOIS Server com. Registrar URL. Updated Date 2015-08-30TZ. Creation Date 2005-08-30TZ. Registry Expiry Date 2016-08-30TZ. Registrar Inc. Forexindo Indonesia Execution. Whether it is possible to earn money playing Point Blank. Berita Forex - Indonesian Forex Forum - forex broker reviews, Forex portal and forum of the Indonesian forex trader community (komunitas forex). Registrar IANA ID 625. Reseller. Domain Status client transfer. Registrant Name Whois Agent. Registrant Organization Whois Privacy Protection Service, Inc. The domain is valued at about 15 3,360.00 and has a daily income of 213.00. Google Pagerank is na for the domain; its description is a portal and forum of Indonesian forex traders, providing (Menyediakan) free signals, investor relations and expert technical analysis (analisa teknikal, analisa). This website does not use Javascript for user interaction. The site runs on an Apache 2.2.31 Unix mod_ssl 2.2.31 OpenSSL 1.0.1e-fips mod_bwlimited 1.4 web server. Forexindo Indonesia Execution. Previso Da Taxa De Cmbio Forex Portugal. Filipina death row prisoner Mary Jane moved from Indonesia's execution island, Jakarta Globe News Channel. Berita Forex - Forum Forex Indonesia, description: portal and forum of Indonesian forex traders. This website was created on 30 08 2005, is currently owned by a non-existent person, United States, and runs on IP 139.162.2.140 registered by NAME. Estimated value 12,935.73 with 3239 visitors per day and advertising revenue of 9.72. Berita Forex - Indonesian Forex Forum - forex broker reviews, Forex portal and forum of Indonesian forex traders. gorexindo, fbrexindo, fcrexindo, fmrexindo, fyrexindo, foaexindo, foiexindo, fowexindo, forwxindo, forxxindo, foreindo, foreoindo, forepindo, forexindo, forexmndo, forex, forex, forex, forex, forex, forex, forex, forex, forex, forex, forex, forexindx, forexindx, forexndo, bforexindo, fuorexindo, fzorexindo, fodrexindo, fonrexindo, foprexindo, fowrexindo, forcexindo, forefxindo, forejxindo, forexindoq, forexindoq, forexindoq. Domain name FOREXINDO. Registrant Street PO Box 639. Registrant City. Registrant State/Province. Registrant Postal Code 98083. Registrant Country US. Registrant Phone 1 4252740657. Registrant Fax 1 4259744730. Registrant Email. Admin ID. Admin Name Whois Agent. Admin Organization Whois Privacy Protection Service. Forexindo Indonesia Execution: Google PageRank is 0 and it is a content domain. Maquetas De Celulas. Filipina death row prisoner Mary Jane moved from Indonesia's execution island, Jakarta Globe News Channel. Hosted by PT Infinys System Indonesia, Linode LLC and others. COM LLC was the first registrar; it has now been moved to NAME. We found low socialisation with respect to any social network. Forex 10 Pips Al Giorno D Oggi. Berita Forex - Forex Forum - Forex broker reviews and Indonesian forex portal forum. According to My Wot and Google safe browsing analysis, it is a fully trustworthy domain with no visitor reviews, and no active threats have been reported recently by users; SAFE to browse. Provides (Menyediakan) free signals, daily news and analysis (berita dan analisa harian), discussion of various strategies (diskusi berbagai strategi), expert advisor trading robots, and technical and fundamental analysis (analisa teknikal, analisa basic). It is the 358664th largest website in the world. This website does not use Javascript for user interaction. The site runs on an Apache 2.2.31 Unix mod_ssl 2.2.31 OpenSSL 1.0.1e-fips mod_bwlimited 1.4 web server. Forexindo Indonesia Execution. Standalone world market quotes. The website was created on 30 08 2005, is owned by na, currently located in the Netherlands, and runs on IP 139.162.2.140 registered by NAME. The site's server-side programming language is PHP 5.5.30. Forexindo Indonesia Execution. Admin Street PO Box 639. Admin City Kirkland. Admin State/Province. Admin Postal Code 98083. Admin Country US. Admin Phone 1 4252740657. Admin Fax 1 4259744730. Admin Email. Tech ID. Tech Name Whois Agent. Tech Organization Whois Privacy Protection Service, Inc. Ranked 6260 in Indonesia, where it has a ranking of 7540, with 2 45,000 visitors and 712,000 page views per day. Hosted by PT Infinys System Indonesia, Linode LLC and others. COM LLC was the first registrar; it has now been moved to NAME. We found poor social contact with respect to any social network. The domain currently ranks 54,196 in global traffic. This website has a Google Page Rank of 1 out of 10. Forexindo Indonesia Execution: the server-side programming language is not given. Klenger Investment Optiounen Zu Ltzebuerg website. During that period it was ranked as high as 80,599 in the world, while most of its traffic comes from Indonesia, where it reached position 3,545. Binary options market size. This site runs on an Apache 2.2.31 Unix mod_ssl 2.2.31 OpenSSL 1.0.1e-fips mod_bwlimited 1.4 web server.

Grsecurity

grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in web servers and in systems that accept remote connections from untrusted locations, such as systems that offer shell access to their users. Development started in February 2001 as a port of the Open Linux Project's security enhancements for Linux 2.4; the first release of grsecurity was for Linux 2.4.1.
PaX

A major component bundled with grsecurity is PaX, a patch that, among other things, flags data memory, such as the stack, as non-executable and program memory as non-writable. The aim is to prevent executable memory pages from being overwritten with injected machine code, which prevents the exploitation of many types of security vulnerability, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to hinder attacks that rely on such addresses being easily known. PaX is not developed by the grsecurity developers and is also available independently of grsecurity [1].

Role-based Access Control

Another notable component of grsecurity is that it provides a role-based access control (RBAC) system. RBAC is intended to restrict access to the system beyond what is normally provided by Unix access control lists, with the aim of creating a least-privilege system in which users and processes have the absolute minimum privileges needed to work correctly and nothing more. This way, if the system is compromised, the attacker's ability to do damage or obtain sensitive information on the system can be markedly reduced. RBAC works through a collection of roles. Each role can have its own restrictions on what it can and cannot do, and these roles and restrictions form a policy that can be amended as needed.

Chroot Restrictions

grsecurity restricts chroot in several ways to prevent many vulnerabilities and privilege escalation attacks, and adds further checks and balances:
No attaching shared memory outside the chroot.
No kill outside the chroot.
No ptrace outside the chroot (architecture independent).

Miscellaneous Features

grsecurity also adds auditing to the Linux kernel. It can be configured to audit a specific group of users, mounts and unmounts of devices, changes to the system time and date, and chdir calls, among other things. Some of the other options let the administrator log denied or failed resource attempts, and exec calls together with their arguments. Trusted path execution is another optional feature that can be used to prevent users from running binaries that are not owned by the root user or that are world-writable; this helps prevent users from running their own malicious binaries or accidentally running world-writable system binaries that a malicious user could have modified. grsecurity also hardens the way chroot jails work. A chroot jail can be used to isolate a particular process from the rest of the system, which can limit the damage if the service is compromised; however, there are ways to break out of a chroot jail, and grsecurity attempts to prevent them. There are also other features that increase security and keep users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user [2].

Additional features and security improvements:
/proc restrictions that do not leak information about process owners.
Link restrictions to prevent races.
Hardlink restrictions to prevent users from hardlinking to files they do not own.
FIFO (named pipe) restrictions.
dmesg(8) restriction.
Enhanced implementation of Trusted Path Execution.
Group-based socket restrictions.

Glossary

This book uses varying terminology, some of it synonymous. We have listed these terms and their definitions here. The book also includes inline links to relevant Wikipedia articles.
Access control list: From the relevant Wikipedia article: an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and which operations may be performed on it. In the context of this book, ACL is used to mean a single role or subject definition, or the whole policy file.

Domain: With domains you can combine users that do not share the same group, as well as groups, so that they share a single policy. Domains work just like roles.

Object: Objects are parts of the system used by programs running on the system. They may be absolute paths to files or directories, capabilities, system resources, PaX flags, or network access (IP ACLs).

Policy: A policy is the set of rules enforced by grsecurity. A very good description is given in the Mandatory access control article: any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine whether the operation is allowed.

Role: Roles are abstractions that encompass the traditional users and groups that exist in Linux distributions, plus special roles that are specific to grsecurity. Roles can be used to separate system administration responsibilities into smaller sets of responsibilities, such as database administrator or DNS administrator. Compare this with using a single superuser, such as root, to perform every administrative task.

Ruleset: A ruleset is used in much the same way as an access control list. It may be used more often to refer to a role or subject definition than to the whole policy file.

Subject: Subjects use and access objects, and a subject's ruleset enforces which objects are used and in which ways. In practice, subjects are most often programs running on the system. In grsecurity, subjects are defined as absolute paths to the actual executable programs, such as /sbin/init, or to directories, such as /lib/hal/scripts.

Obtaining grsecurity

The following instructions walk you through downloading all the components needed to use grsecurity on your system. Download the various components into the same directory on your computer:
The latest stable version of grsecurity.
A matching version of the gradm program, the administration utility for grsecurity.
Full source code of the Linux kernel.

You also need the programs required for building, configuring and installing a custom kernel for your system. The preferred method and the tools required for installation depend on the Linux distribution you are using. If you run into problems configuring or installing the kernel, please read your distribution's documentation.

Downloading grsecurity

Point your browser to the grsecurity download page, click the download link, then choose either a stable or a test patch. Since 9 September 2015, stable grsecurity patches are provided to commercial customers only. For the purposes of this document we will install the latest stable version of grsecurity for kernel 3.2.50, so the patch file will be called grsecurity followed by its version string. All grsecurity packages carry version strings in their names, giving both the version of the release itself and the kernel version it is meant for. For example, the version string 2.9.1-3.2.50-201308052151 tells us that this grsecurity release is version 2.9.1 and is meant for kernel version 3.2.50; the last part of the version is a timestamp. In our case we downloaded the patch file together with the digital signature of the release.
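The version strings just described are worth checking mechanically before patching, because the patch, gradm and kernel source all have to agree. The helper below is an added example, not code from the grsecurity project: it parses the grsecurity-release-kernel-timestamp form given in the text and reports mismatches between the three downloads. The name patterns for the gradm tarball and the kernel archive are assumed to follow the same scheme, and the sample file names are constructed for this example.

```python
"""Check that downloaded grsecurity components belong together.

Added example, not code from the grsecurity project. It parses the version
strings in the archive names the text describes:
    grsecurity-<release>-<kernel>-<timestamp>.patch
    gradm-<release>-<timestamp>.tar.gz         (pattern assumed)
    linux-<kernel>.tar.xz                      (pattern assumed)
The sample file names used in __main__ are constructed for this example.
"""
import re

_GRSEC = re.compile(
    r"^grsecurity-(?P<release>\d+(?:\.\d+)*)-(?P<kernel>\d+(?:\.\d+)*)"
    r"-(?P<stamp>\d{12})\.patch$"
)
_GRADM = re.compile(r"^gradm-(?P<release>\d+(?:\.\d+)*)-(?P<stamp>\d{12})\.tar\.gz$")
_KERNEL = re.compile(r"^linux-(?P<kernel>\d+(?:\.\d+)*)\.tar\.(?:xz|gz|bz2)$")


def _parse(pattern, name, kind):
    """Apply one of the name patterns and return its named groups as a dict."""
    match = pattern.match(name)
    if not match:
        raise ValueError(f"{name!r} is not a {kind} file name")
    return match.groupdict()


def parse_grsecurity(name):
    """'grsecurity-2.9.1-3.2.50-201308052151.patch' -> release, kernel, stamp."""
    return _parse(_GRSEC, name, "grsecurity patch")


def parse_gradm(name):
    return _parse(_GRADM, name, "gradm archive")


def parse_kernel(name):
    return _parse(_KERNEL, name, "kernel archive")


def check_downloads(patch_name, gradm_name, kernel_name):
    """Return a list of mismatches; an empty list means the three files match.

    Two rules from the text are enforced: the patch and the kernel source must
    be for the same kernel version, and gradm must be the same release as the
    patch. Timestamps are parsed but not compared, since only the versions
    are required to match.
    """
    patch = parse_grsecurity(patch_name)
    gradm = parse_gradm(gradm_name)
    kernel = parse_kernel(kernel_name)
    problems = []
    if patch["kernel"] != kernel["kernel"]:
        problems.append(
            f"patch targets kernel {patch['kernel']} but kernel source is {kernel['kernel']}"
        )
    if patch["release"] != gradm["release"]:
        problems.append(
            f"grsecurity release {patch['release']} but gradm release {gradm['release']}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample names following the documented scheme.
    good = ("grsecurity-2.9.1-3.2.50-201308052151.patch",
            "gradm-2.9.1-201308052151.tar.gz",
            "linux-3.2.50.tar.xz")
    bad = (good[0], "gradm-3.0-201309010000.tar.gz", "linux-3.2.51.tar.xz")
    for files in (good, bad):
        problems = check_downloads(*files)
        print(files[0], "OK" if not problems else "; ".join(problems))
```

Run it in the download directory with the three real file names; an empty result means the components can be patched together, and any message names the file that needs to be downloaded again.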
Downloading gradm

When downloading gradm, the administration utility for grsecurity's role-based access control system, you must download the version that matches the version of the grsecurity patch you downloaded. Gradm is located on the same download page as grsecurity. In our case we downloaded the gradm archive together with the digital signature of that release.

Downloading the Linux Kernel

The grsecurity patch applies to vanilla kernels. Many distributions patch the official kernel with additional patches, which means that the kernel source packages obtained through their package managers are likely to be incompatible with grsecurity. For this reason we will download the official, unpatched kernel. Download the full kernel package and the signature file, and make sure the version of the software matches the version of the grsecurity patch you downloaded; in this document that is version 3.2.50. The version you need is unlikely to be the latest, so you will have to get it from the kernel archives. Official support for kernel version 2.6.32.61 ended at the end of 2013. If you already have a terminal open, you can use the commands below to download both the kernel source and its signature into the current working directory. Note that the versions of the grsecurity patch and the kernel must match.

Verifying the Downloads

The grsecurity and gradm packages are cryptographically signed so that users can verify that the source code has not been modified since it was packaged. You can find the public key used to sign the packages on the same download page as grsecurity. Scroll down the page until you see the heading that says to verify these downloads with GPG; below the heading is a link to the public key. Download the key into the directory where you placed grsecurity. Before you can verify the downloads, you need to import the grsecurity key into your public keyring using GNU Privacy Guard (GPG). If you are not familiar with GPG and want to know more, see the GNU Privacy Handbook. To import the key, run the following command in the directory that contains your grsecurity downloads and the key. Then verify the downloaded grsecurity and gradm packages by running the commands below in your grsecurity directory. Below is an example of a failed signature verification; the PATCH file was modified to make the verification fail. As long as GPG reports the signature as good, you do not need to worry about the warning that the key is not certified with a trusted signature; if you had signed the grsecurity key yourself, you would not get that warning. If the verification of a file fails, that is, if you get a BAD signature message, download the file in question again and retry. The Linux kernel source packages are signed as well; please follow the instructions on the Linux kernel website to verify the kernel source package. Once you have verified the downloaded files successfully, you are ready to set up grsecurity.

Configuring and Installing grsecurity

The following instructions walk you through patching the Linux kernel with grsecurity, configuring its features, and compiling and installing the patched kernel.

Patching Your Kernel with grsecurity

In this document the kernel archive and the matching grsecurity patch file are referred to by the names given above; both files are in the same directory. Switch to root and run the following commands in the directory you downloaded the files to. The first command extracts the Linux source package and the second applies the patch to the kernel. You may need to install the patch program with your package management tools.

Configuring the Kernel
The kernel source package comes with a generic configuration file that should work without any major modifications. Your distribution may have its own process and tools for configuring and building the kernel, in which case you should read its documentation. In any case, you should go through the options and make sure they match your hardware and current settings. To configure the kernel using the default configuration as a base, change to the kernel directory, for example /usr/src/linux-3.2.50, and run the commands below. You may have to install missing packages and libraries; follow the error messages for directions. The kernel's interactive configuration menu is launched. In 3.x and 2.6 kernels the grsecurity options are under Security options, Grsecurity. Detailed descriptions of each option and its effect on the system can be viewed online on the Grsecurity and PaX Configuration Options page, or by using the built-in help function of the kernel configuration system. Make sure you understand each option before you enable or disable it. Once you have left the configuration menu, you can launch it again by rerunning make menuconfig. It is recommended that you start by setting the Configuration Method option to Automatic and configuring Usage Type and the other options to fit your environment and needs. You can then fine-tune all the Grsecurity and PaX settings in the Customize Configuration section if you want to.

Suggestions

Enable the sysctl interface (Grsecurity, Sysctl support). It lets you change the options grsecurity runs with without recompiling the kernel. This feature is very useful, especially when you are using grsecurity for the first time; Configuration Method set to Automatic enables it by default. Some auditing options generate a great many log messages, most notably Exec and Chdir logging (GRKERNSEC_EXECLOG and GRKERNSEC_AUDIT_CHDIR, respectively). If you enable either of them, make sure your logging system is configured properly so that the logs do not flood; check Grsecurity, Customize Configuration, Logging Options as well.

Compiling and Installing the Kernel
On Debian and Ubuntu

To compile the kernel and build Debian (.deb) packages, run the commands below in the kernel directory. Ubuntu users should refer to the Ubuntu community page and decide whether they want to use the ubuntu-package overlay directory in the build; for building Maverick from a git checkout, see How to compile the Ubuntu 10.10 kernel. To install the newly built Debian packages, run the install command for them. For more information on building kernels on Debian, see the Debian Linux Kernel Handbook.

Other Distributions

Differences During Compilation

When compiling a kernel patched with grsecurity you will notice some differences. They appear at the end of the compilation and may look like a warning; it is harmless, as the PaX team explained on the grsecurity mailing list. You will also notice additional warnings from the compiler when compiling a kernel with grsecurity. This is because extra warning flags have been added to the build process to help pinpoint certain kinds of bug. You can ignore these additional warnings.

Proprietary NVIDIA Driver Patching

If you are using grsecurity on a desktop and plan to use the proprietary NVIDIA driver, you will need to patch it to work correctly with grsecurity by following these steps:
Download the NVIDIA driver file from NVIDIA's website.
Download the PaX patch for the NVIDIA driver.
Run sh name-of-NVIDIA-file -x.
cd basename-of-NVIDIA-file.
Install the driver using nvidia-installer.

Administration Utility

Gradm, the administration utility for the role-based access control system, is a powerful tool that parses your ACLs, enforces a secure base policy, optimizes the ACLs, handles parsing of the learning logs, merges them into your ACL set, and outputs the final ACLs. Before you install gradm you must have a kernel with the grsecurity patches installed. You can compile gradm on any kernel you like, but the installation will fail if the kernel does not support grsecurity.
Installation

If your Linux distribution ships a grsecurity-enabled kernel package, it most likely has a package for gradm too. If so, you should consider using it before compiling gradm yourself. Before compiling and installing gradm, make sure you have the following programs installed on your system: lex or flex, and byacc or bison. If you need Pluggable Authentication Modules (PAM) support, install the PAM header files for your system; the package containing these files will be called libpam-dev or similar. Note that if you compile gradm on a default Linux kernel without grsecurity support, the compilation will fail; you will be able to compile it after you reboot into your new grsecurity-enabled kernel. Change to the directory you downloaded gradm and grsecurity to. The name of the compressed package was given earlier in this document. Unpack the package and change to the gradm directory by running the following commands. To install gradm with PAM support, as a non-root user, run the build and check the output: make sure you do not see a line near the end saying that PAM headers could not be detected and PAM support is being disabled. If you do, install the PAM header files and run the make command again. To install gradm without PAM support, run the build accordingly. Finally, as root, run the installation step, which does the following:
Installs the gradm and grlearn programs to /sbin.
Creates the directory /etc/grsec and two files in it if they are not already present: learn_config and policy.
Installs gradm's man pages to /usr/share/man/man8. grlearn does not come with a man page; it is used internally by gradm.
Finally, and most importantly, if this is the first time you are installing gradm on your system, you will be asked to enter a password for the RBAC administrator. Choose a long password, but one you will remember, especially if you start gradm from an initscript. Do not use the same password as your root password.
If you want to change any of the binary or man page locations, edit the Makefile. To display all available command-line switches, run gradm --help.
Learning Mode

The learning mode differs from those found in other security systems. Grsecurity's learning mode can be used per subject or per role, as well as system-wide. When the learning mode is used on a single process or role, the rest of the system remains protected as defined in the policy. The learning mode can learn everything the RBAC system supports: files, capabilities, resources, IP addresses used, roles and socket usage. The learning system intelligently reduces file system and network access to decrease policy size, improve readability and reduce the amount of manual tweaking required afterwards. In addition, the learning system enforces a configurable secure base. The /etc/grsec/learn_config file lets the administrator specify directories and files that the learning system should treat as protected resources. The learning system ensures that rule reduction is not performed for those resources; only the processes that access the protected resources through normal usage are granted access via the generated policy. It also creates new subjects for processes that access protected resources, creating privilege boundaries that give those processes additional protection.

Full System Learning

To enable full system learning, run gradm as root with the following options. This enables the role-based access control (RBAC) system and initiates full system learning. That is, gradm will monitor and log what your system does. The log can then be used to build a least-privilege policy for your system. Run and use the applications that you normally do, several times. This is important, since the learning mode uses a threshold-based system to determine whether access should be given to a file or to a directory. If four or more similar accesses are made in a single directory (such as writing to several files in /tmp), access is granted to that directory instead of to the individual files. This reduces the number of rules you have and ensures that the application will work correctly after the final ACLs are compiled.
Do not perform any administrative tasks outside of the admin role while full system learning is enabled. To perform administrative tasks while full system learning is enabled, authenticate to the admin role with. Remember to exit your shell or unauthenticate from the admin role with gradm -u when you are done performing administrative tasks. Once you feel you have given the system the normal usage it would see in real life, disable the RBAC system with gradm -D. Disabling RBAC is a necessary step, as it forces the learning daemon to flush its buffers to disk; using learning logs obtained before RBAC has been disabled will produce incomplete results. Once RBAC is disabled, execute. This will place the newly learned ACLs at the end of your ruleset. You can test the policy by enabling grsecurity (run gradm -E) and making sure all applications function the way they are supposed to.

Process and Role-Based Learning

Using this learning mode is very simple. All you have to do is add l (the small letter L, not the number 1) to the subject mode of the process you want to enable learning for. To learn all necessary access for a given binary that does not yet have an established policy, add the following subject. To learn on a given role, add l to the role mode. For both of these, to enable learning, enable the system by executing. When you are done, disable the ACL system with gradm -D, or alternatively go into admin mode with gradm -a and use. This will place the newly learned ACLs at the end of your ruleset. Simply remove the old ACLs and you are ready to go.

/etc/grsec/learn_config

This configuration file aids the learning process by tweaking the learning algorithm for specific files and directories. It accepts one directive per line, each a command followed by a path, where command can be inherit-learn, no-learn, inherit-no-learn, high-reduce-path, dont-reduce-path, protected-path, high-protected-path and always-reduce-path. inherit-learn, no-learn and inherit-no-learn only affect full system learning, while the others work in all modes of learning.

inherit-learn changes the learning process for the specified path by throwing all learned accesses for every binary executed by the processes contained in the pathname into the subject specified by the pathname. This is useful for cron in the case of full system learning, so that scripts that eventually end up executing mv or rm with privilege do not cause the root policy to grant that privilege to mv or rm in all cases.

no-learn allows processes within the path to perform any operation that normal system usage would allow, without restriction. If a process is generating a huge number of learning logs, it may be best to use this command on that process and configure its policy manually.

inherit-no-learn combines the above two cases, such that processes within the specified path will be able to perform any normal system operation without restriction, as will any binaries executed by these processes.

high-reduce-path modifies the heuristics of the learning process to weigh in favour of reducing accesses for this path.

dont-reduce-path modifies the heuristics of the learning process so that it will never reduce accesses for this path.

always-reduce-path modifies the heuristics of the learning process so that the path specified will always have all files and directories within it reduced to the path specified.

protected-path specifies a path on your system that is considered an important resource. Any process that modifies one of these paths is given its own subject in the learning process, facilitating a secure policy.
read-protected-path specifies a path on your system that contains sensitive information. Any process that reads one of these paths is given its own subject in the learning process, facilitating a secure policy.

high-protected-path specifies a path that should be hidden from all processes but those that access it directly. It is recommended to use this command for highly sensitive files.

Note that regular expressions are not supported for pathnames in this configuration file.

Examples

The command pspax -p processid displays information about a specific process, identified by its PID. It is unlikely that you happen to know or remember the PID of a process, so it is easier to refer to them by name. The example below uses the pidof command to find the PID of a process, which it then passes on to pspax.

Managing the Executable Stack of Binaries (execstack)

Execstack is a tool to set, clear or query the executable stack flag of ELF binaries and shared libraries. It is part of the prelink program, but your Linux distribution may provide it as a separate package.

Installation

You are very likely to find the prelink and/or execstack packages through your distribution's package management system. At least Gentoo, Debian, Red Hat and distributions based on them provide prelink and/or execstack packages. To display all available command-line switches, run execstack --help. Read the man page for more detailed information; an online version of the man page is also available.

Examples

To check whether a library has an executable stack enabled, run the query. The dash means libcrypto does not require an executable stack; if it did, the line would start with a capital X instead of a dash. To query the status of all libraries on your system, run the query over them.

What Is an RBAC System
What Is an RBAC System?

A role-based access control (RBAC) system is an approach to restricting system access to authorized users. You need an RBAC system if you want to restrict access to files, capabilities, resources or sockets for all users, including root. This is similar to a Mandatory Access Control (MAC) model. The other features of grsecurity are only effective at fending off attackers trying to gain root, so the RBAC system fills that gap. Least privilege can be granted to processes, which forces attackers to reconsider their methods of attack, since gaining the root account no longer means full access to the system. Access is granted explicitly to the processes that need it, so that root acts like any other user. Although grsecurity and its RBAC system are by no means perfect security, they greatly increase the difficulty of compromising the system.

In grsecurity, the RBAC system is managed through a policy file, which is essentially a system-wide set of rules. When the RBAC system is enabled with gradm, the policy file is parsed and checked for security holes, such as granting the default role access to sensitive devices or files, including the policy file itself. If a hole is found, gradm refuses to enable the RBAC system and lists what needs to be fixed. While the RBAC system is active the policy file is protected, and only the admin role may access it. To make creating a secure policy easier, gradm can learn how the system functions and build a least-privilege policy from the collected data (see Learning Mode).

Limitations of Any Access Control System

So as not to add to the false sense of security many people have about access control systems, whether grsecurity's RBAC, SELinux, RSBAC, SMACK, TOMOYO, AppArmor or others, it is important first to describe the limitations of any access control system.
There is a fundamental architectural limitation to the guarantees an access control system can provide when the policy decision-making code resides alongside the operating system kernel: a compromise of the kernel can easily become a compromise of the access control system, and it is common practice for kernel exploits to disable any active security systems.

grsecurity is in no way immune to this limitation, though it contains several features that help prevent exploitation of the kernel in the first place and make the kernel a more hostile environment for an attacker who does manage to exploit certain types of bug. Adding such protections remains one of the project's main goals. Several configurable grsecurity and PaX features are dedicated to kernel self-protection and to increasing the difficulty of kernel exploitation. Some features that serve the same goals are always active and have no configure-time option; these include the read-only and non-executable vsyscall page and its shadow page on amd64, hardening of the BPF interpreter buffers, and many more.

Although these features have prevented the exploitation of previous vulnerabilities and will surely continue to do so, there have been many vulnerabilities they did nothing to prevent, and there are entire classes of vulnerability (missing capability checks, some race conditions, and so on) whose exploitation they can likely never prevent.

It is partly because of this fundamental limitation of any access control system that grsecurity's RBAC system was designed as it was: to be as automated as possible, to provide a sufficient level of access control, to have easily edited, human-readable configuration, and to enforce secure base policies that eliminate some administrator error.
Neither grsecurity's RBAC system nor any other access control system should be used to separate classified from unclassified information on the same machine. There is no virtual replacement for a physical air gap.

Policy Structure

The policy is made up of roles, subjects and objects. A role is an abstraction that encompasses the traditional users and groups of a Linux system as well as special roles specific to grsecurity. Subjects are processes or directories, and objects are files, capabilities, resources, PaX flags and IP ACLs. The main policy file is /etc/grsec/policy.

Policy Structure in a Nutshell

For a small example policy, look at the default /etc/grsec/policy installed with gradm. In a nutshell, roles contain subjects, and each subject contains the objects (file paths with access modes, capability rules, resource rules, socket rules and PaX flags) that apply to processes running under it.

Rules for Policies

Policy generalization

Some features of the RBAC system help simplify and generalize policies. One of these is the recently added replace rule, which assigns a string to a variable; the variable can then be used within any subject or object pathname and is replaced with the string when the policy is loaded.

A variable defined by a replace rule can be reassigned anywhere in the policy. Every rule from that point until the next redefinition uses the newly assigned value, so the object rules that result depend on the order of the definitions and uses.

Special Cases

There are some special cases to know about when writing policies for the RBAC system. Some kinds of access to filesystem objects require specific object modes. For instance, a process that connects to a unix domain socket (/dev/log, for example) needs rw as the object mode for that socket. Adding the setgid or setuid flag to a path requires the m object mode.
Creating a hard link requires at minimum the cl object mode, and the remaining object flags must match on the target and the source. So, for instance, if a process creates a hard link from /bin/bash to /bin/bash2, the objects for the two paths must agree on their flags apart from the cl needed for the link. Creating a symlink requires the wc object mode.

Wildcarded Objects

A very useful feature of the RBAC system is support for wildcards in objects. The * character matches zero or more characters, ? matches exactly one character, and [...] specifies an inclusive or exclusive list or range of characters to match. Depending on how these wildcards are used, they have different effects. Four examples: /dev/tty*, /home/*/bin, /dev/tty[0-9] and /dev/tty?.

The first example, /dev/tty*, would match /dev/ttya, /dev/tty0, /dev/ttyS0 and so on. Since a * at the end of a path can match the / character as well, if a /dev/tty/somefile path existed, it would match that too.

The second example, /home/*/bin, would match /home/user1/bin, /home/user2/bin and so on. Note that it would not match /home/user1/test/bin, as a wildcard does not match / unless it appears at the end of the path. To use this wildcarded object, a /home object must exist as an anchor for it; if you forget to add one, gradm will remind you.

The third example, /dev/tty[0-9], would match /dev/tty0 through /dev/tty9 and nothing else.

The fourth example, /dev/tty?, would match /dev/ttya and /dev/tty0 just like the first, but would not match /dev/ttyS0, since only one character can match the wildcard.

Wildcards are evaluated at run time, which is a powerful way of specifying and simplifying policy. Since wildcard matching works on pathnames rather than inode/device pairs, though, wildcards are not intended for objects known to be hard-linked at the time the policy is enabled.
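The wildcard semantics above, together with the lookup order described later under Flow of Matches (most specific pathname first; globbed objects are less specific than a literal for the same path and are tried in the order they are listed), are easy to get wrong when writing policy by hand. The following is an added example, not code from the original page or from grsecurity/gradm: it translates an object pattern into the matching rule described above and resolves an access against a subject's object list. Anchoring a globbed object on the literal object for its non-wildcard prefix, which must exist (gradm reminds you otherwise), is this example's reading of the page; the object lists in the tests are constructed.

```python
"""grsecurity-style wildcard objects and most-specific-first object lookup.

Added example, not from the original page or from grsecurity. Wildcards:
'*' matches zero or more characters and crosses '/' only when it ends the
pattern, '?' matches exactly one character, '[...]' a set or range (with a
leading '!' for exclusion). Lookup walks the requested path from most
specific to least specific; where a literal object exists, the globbed
objects anchored on it are tried in policy order before the literal itself.
"""
import re
from typing import Dict, List, Optional, Tuple

WILDCARDS = "*?["


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    out, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out += ".*" if i == len(pattern) - 1 else "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "[":
            j = pattern.index("]", i + 1)          # assumes a well-formed class
            body = pattern[i + 1:j]
            if body.startswith("!"):
                body = "^" + body[1:]
            out += "[" + body.replace("\\", "\\\\") + "]"
            i = j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


def _parents(path: str) -> List[str]:
    """'/home/test/f' -> ['/home/test/f', '/home/test', '/home', '/']"""
    out = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        out.append(path)
    return out


class ObjectTable:
    """One subject's file objects: literal paths plus globs hung on their anchors."""

    def __init__(self, objects: List[Tuple[str, str]]):
        self.literals: Dict[str, str] = {}
        self.globs: Dict[str, List[Tuple[str, str, "re.Pattern[str]"]]] = {}
        for path, mode in objects:
            if not any(ch in path for ch in WILDCARDS):
                self.literals[path] = mode
        for path, mode in objects:                 # second pass: anchors must exist
            if any(ch in path for ch in WILDCARDS):
                anchor = self._anchor(path)
                self.globs.setdefault(anchor, []).append((path, mode, glob_to_regex(path)))

    def _anchor(self, pattern: str) -> str:
        cut = min(pattern.index(ch) for ch in WILDCARDS if ch in pattern)
        prefix = pattern[:cut].rsplit("/", 1)[0] or "/"
        if prefix not in self.literals:
            raise ValueError(f"wildcarded object {pattern} needs a {prefix} object as anchor")
        return prefix

    def lookup(self, path: str) -> Optional[Tuple[str, str]]:
        """Return (matching object, mode) for an access to path, or None."""
        for prefix in _parents(path):
            if prefix not in self.literals:
                continue
            for pat, mode, rx in self.globs.get(prefix, []):
                if rx.match(path):
                    return pat, mode
            return prefix, self.literals[prefix]
        return None
```

With /home/* listed before /home/test*, an access to /home/testing/somefile gets the first glob's mode, which is exactly the ordering mistake Flow of Matches warns about; swapping the two lines changes the answer.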
Roles

Roles are essentially containers for a set of subjects, put to use in specific scenarios. There are user roles, group roles, a default role and special roles. See Flow of Matches for how a role is matched to a particular process.

User Roles

In simplified form, user roles are applied automatically when a process is executed by a user with a particular UID or changes to that UID. In the RBAC system, the name of a user role must match the name of an actual user on the system.

Group Roles

As with user roles, group roles pertain to a particular GID, and the name of the group role must match the name of an actual group on the system. Note that this is tied only to the GID of a process, not to any supplementary groups it may have. A group role is applied to a process only if no user role matches the process's UID.

Default Role

If neither a user nor a group role matches a process, it is assigned the default role. The default role should ideally have nearly no access to the system; full system learning configures it that way.

Special Roles

Special roles grant extra privilege to normal user accounts. A typical use is an admin role that can restart services and edit system configuration files, but special roles can also help regular users keep their accounts more secure: if a user has a public_html directory, the user role could keep that directory read-only, while a special role the user is allowed to transition to allows modifying the files in it.
Special roles come in two flavours: those that require authentication and those that do not. For special roles that require authentication, the RBAC system supports a flag that lets PAM authentication be used for the role; see Role Modes for a list of all these flags.

Special roles do nothing by themselves unless non-special user, group or default roles can transition to them. This is defined by the role_transitions rule, described under Role Attributes.

To authenticate to a special role, use gradm -a rolename. To authenticate with PAM, use gradm -p rolename. To transition to a special role that requires no authentication, use gradm -n rolename.

Domains

Domains let you combine users that do not share a common group ID, as well as groups, so that they share a single policy. Domains work just like roles, except that the line starting with role is replaced by a domain declaration naming the users or groups that belong to it. As with user and group roles, all domain members must exist on the system; if they do not, an error is raised.

Subjects

Subjects can describe directories, binaries or scripts. Regular expressions are currently not permitted for subjects. The ability to place a subject on a script is unique, as it permits granting privilege to a specific script rather than to the script's interpreter in general. For this to work, make sure the script's interpreter line uses the full path to the interpreter rather than /usr/bin/env.

Capability Restrictions
When no capability restriction rules are used for a given subject, all capabilities that the system normally grants to processes within that subject may be used. The exception is a subject that uses policy inheritance: its capability restrictions then come from the subject it inherits from. Capability rules have the form +CAP_NAME or -CAP_NAME. CAP_ALL is a pseudo-capability that stands for the entire list of capabilities; it is mainly used to remove all capability usage from a subject, or together with a small number of rules granting individual capabilities. Two scenarios illustrate how such rules are interpreted.

Scenario 1: removing all capabilities from su except CAP_SETUID and CAP_SETGID. The su subject carries -CAP_ALL together with +CAP_SETUID and +CAP_SETGID; the rules naming a capability take precedence over CAP_ALL within the subject.

Scenario 2: making use of policy inheritance. Here the default subject allows CAP_NET_BIND_SERVICE and CAP_NET_RAW. The ping subject removes CAP_NET_BIND_SERVICE, but since it inherits from the default subject (note the lack of the o subject mode on the ping subject), it is still allowed CAP_NET_RAW. Granting important capabilities to default subjects is not something the RBAC system allows, so this is only an illustration.

Auditing and Suppression

Auditing of attempted capability use and suppression of denied capability use are also possible, and follow the same policy inheritance rules as normal capability rules. For example, a subject can audit the use of CAP_NET_RAW while suppressing the denial messages for CAP_NET_BIND_SERVICE.

For a full listing of the capabilities available, see Capability Names and Descriptions. Note that not all of the capabilities listed may be supported by your particular version of the Linux kernel.

Resource Restrictions
One of the features of grsecurity's ACL system is process-based resource restrictions. They let you restrict things like how much memory a process can use, how much CPU time, how many files it can open and how many processes it can create. This section also covers a fake resource implemented in grsecurity's ACL system, RES_CRASH, which guards against brute-force exploit attempts and which you need if you are using PaX.

A single resource rule names the resource followed by its soft limit and its hard limit. For example, a rule for the open-files resource with soft and hard limits of 3 would allow the process to open at most 3 files (every process has 3 file descriptors open at some point: stdin, stdout and stderr).

To clarify the terms: the soft limit is the limit assigned to the process when it is run. The hard limit is the maximum to which a process can raise its limit via setrlimit(2) unless it has CAP_SYS_RESOURCE. In the case of RES_CPU, when the soft limit is exceeded a special signal is sent to the process continuously; when the hard limit is exceeded, the process is killed.

Someone less familiar with Linux should stick to setting limits on the number of files, the address space limit and the number of processes. You can of course always use grsecurity's learning mode to set the resource limits for you. RES_CPU is the only resource that accepts time as its limits; time defaults to milliseconds, and you can append a case-sensitive unit: 100s is 100 seconds, 25m is 25 minutes, 65h is 65 hours.

The other resources operate either on a plain number or on a size in bytes. For these you can use the units K, M and G: 2G is 2 billion, 25M is 25 million, 100K is 100 thousand.

If you do not want any restriction on the soft or hard limit of a resource, use unlimited as the limit.
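A parser for the resource syntax just described, as an added example (not code from the original page or from gradm). It applies the rules above: RES_CPU takes time limits (milliseconds by default, case-sensitive s/m/h units), the other resources take a plain number or a size with K/M/G read as thousand/million/billion as the page does, unlimited means no limit, and a soft limit above the hard limit is rejected. It also reads the RES_CRASH pseudo-resource of the next section (a crash count followed by an interval) and replays crash timestamps against it. Treating the RES_CRASH interval with the RES_CPU time units is an assumption; RES_NOFILE and RES_AS in the checks are the Linux rlimit names and are used here as constructed examples.

```python
"""Parse and validate grsecurity RBAC resource rules ("RES_NAME soft hard").

Added example, not from the original page or from gradm.
"""
import re
from typing import Optional

TIME_UNITS = {"": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}   # -> milliseconds
SIZE_UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}        # page reads K/M/G as decimal
TIME_RESOURCES = {"RES_CPU", "RES_CRASH"}   # RES_CRASH's interval as a time is an assumption
LIMIT_RE = re.compile(r"(\d+)([A-Za-z]?)")


def parse_limit(token: str, resource: str) -> Optional[int]:
    """One limit token -> int (milliseconds, bytes or a count); None = unlimited."""
    if token == "unlimited":
        return None
    m = LIMIT_RE.fullmatch(token)
    if not m:
        raise ValueError(f"bad limit {token!r} for {resource}")
    value, unit = int(m.group(1)), m.group(2)
    units = TIME_UNITS if resource in TIME_RESOURCES else SIZE_UNITS
    if unit not in units:                   # units are case-sensitive: 100S is an error
        raise ValueError(f"unit {unit!r} is not valid for {resource}")
    return value * units[unit]


def parse_resource_rule(line: str) -> dict:
    parts = line.split()
    if len(parts) != 3 or not parts[0].startswith("RES_"):
        raise ValueError(f"malformed resource rule: {line!r}")
    name, soft_tok, hard_tok = parts
    if name == "RES_CRASH":                 # "RES_CRASH <crashes> <interval>"
        interval = parse_limit(hard_tok, name)
        if interval is None:
            raise ValueError("RES_CRASH needs a finite interval")
        return {"resource": name, "crashes": int(soft_tok), "interval_ms": interval}
    soft, hard = parse_limit(soft_tok, name), parse_limit(hard_tok, name)
    if soft is None and hard is not None:
        raise ValueError("soft limit cannot be unlimited while the hard limit is finite")
    if soft is not None and hard is not None and soft > hard:
        raise ValueError(f"{name}: soft limit {soft} exceeds hard limit {hard}")
    return {"resource": name, "soft": soft, "hard": hard}


def crash_limit_exceeded(crash_times_ms, rule: dict) -> bool:
    """True once more than rule['crashes'] crashes fall within one interval,
    the point at which grsecurity stops the binary (or locks out the user)."""
    times = sorted(crash_times_ms)
    allowed, window = rule["crashes"], rule["interval_ms"]
    start = 0
    for i, t in enumerate(times):
        while times[start] <= t - window:   # drop crashes older than the window
            start += 1
        if i - start + 1 > allowed:
            return True
    return False
```

Feeding it the rules of a subject before enabling the policy catches the two mistakes gradm would otherwise surface at load time, a soft limit above the hard limit and a mis-cased unit, and the RES_CRASH replay shows why "1 30m" means a second crash within thirty minutes, not two crashes per half hour.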
For a list of accepted resource names and units, see System Resources.

RES_CRASH

This fake resource limit is expressed with the name RES_CRASH followed by two parameters: the number of crashes allowed and the time interval over which they are counted. For example, to allow a program to crash once every 30 minutes, you would give a count of 1 and an interval of 30m.

What happens when this threshold is reached? The only way to ensure the process will not crash again is to keep it from being executed. If the process is a suid/sgid binary run by a regular user, all of that user's processes are killed and the user is kept from logging in for the amount of time given as the second parameter of the RES_CRASH resource; for the example above, the user would be locked out for 30 minutes. If the process is not a suid/sgid binary, the binary is simply prevented from running again for that amount of time, after all of its processes have been killed.

Socket Policies

The RBAC system supports policies on which local IP addresses and ports may be reserved on the machine, and on which remote hosts and ports may be communicated with. These two kinds of access are expressed as bind and connect rules, respectively. Each rule names the address (with an optional netmask and port or port range), the socket type and the protocol.

proto can be any of the protocol names listed in /etc/protocols, or any_proto for any protocol. The socket type is most commonly ip, dgram or stream, but can also be raw_sock, rdm, or any_sock for any socket type. Most of the parameters are optional, particularly the netmask and the port or port range; if a port is supplied, then at least an IP address of 0.0.0.0/0 must be supplied with it.
As with capability restrictions, resource restrictions and many other RBAC features, if the socket policies are omitted for a given subject, the subject may bind or connect to anything the system normally allows. Note, though, that if a connect rule is given, at least one bind rule must also be specified. Versions of gradm before the 2.1.14 release of 16 September 2009 treat the unspecified rule as a disabled rule, whereas newer versions report an error for such policies.

Unlike file objects and capabilities, policy inheritance has not been implemented for socket policies, so the socket policies of a subject are determined by that subject alone.

Some illustrative rule sets: an ssh subject allowed to connect to ssh servers anywhere on the class C 192.168.0.x network and to do DNS lookups through one specified host (a hostname in a rule is resolved when the RBAC system is enabled); a netcat subject allowed to listen on TCP ports 1024 through 65535 on any local interface and to connect to TCP port 5190 of the host 22.22.22.22; and a subject that has bind disabled but still specifies connect rules, or conversely has connect disabled and only specifies bind rules.

As these examples show, a subject may have as many socket policies as you wish, and there are some powerful extensions to them, described below.

Per-interface Socket Policies

Per-interface socket policies are allowed, which lets you tie specific socket rules to a single interface or, with the inverted rules described below, to all but one interface. Virtual interfaces are specified with the ifname:vindex syntax. If an interface is specified, no IP, netmask or host may be specified in the rule.

Inverted Socket Policies
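The following added example (not code from the original page or from grsecurity/gradm) evaluates bind and connect rules in the shape described above, "connect|bind <ip>[/<mask>][:<port>[-<port>]] <socket type> <proto>", plus connect disabled and bind disabled, and enforces the check that a subject with connect rules must also carry a bind rule. For inverted rules it accepts a "!" token before the address spec; that spelling, the evaluation order (an inverted match denies, a positive match allows, and an inverted rule that does not match admits everything else), and the restriction to literal IPs (gradm resolves hostnames when the policy is enabled; nothing is resolved here) are assumptions of this example. The addresses in the checks are constructed.

```python
"""Evaluate a subject's grsecurity RBAC socket policies (bind/connect rules).

Added example, not from the original page or from grsecurity/gradm.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SockRule:
    kind: str                       # "connect" or "bind"
    disabled: bool = False
    invert: bool = False            # "!" form: anything except this spec (assumed spelling)
    network: Optional[ipaddress.IPv4Network] = None
    ports: Optional[range] = None   # inclusive port range from the rule
    socktype: str = ""
    proto: str = ""


def parse_sock_rule(line: str) -> SockRule:
    toks = line.split()
    if not toks or toks[0] not in ("connect", "bind"):
        raise ValueError(f"not a socket rule: {line!r}")
    kind = toks[0]
    if toks[1:] == ["disabled"]:
        return SockRule(kind, disabled=True)
    i, invert = 1, False
    if toks[i] == "!":
        invert, i = True, i + 1
    if len(toks) != i + 3:
        raise ValueError(f"expected '<addr> <socket type> <proto>': {line!r}")
    addr, socktype, proto = toks[i], toks[i + 1], toks[i + 2]
    host, _, portspec = addr.partition(":")
    network = ipaddress.ip_network(host if "/" in host else host + "/32", strict=False)
    if portspec:                    # a port always comes with an address (0.0.0.0/0 at least)
        lo, _, hi = portspec.partition("-")
        ports = range(int(lo), int(hi or lo) + 1)
    else:
        ports = range(0, 65536)
    return SockRule(kind, invert=invert, network=network, ports=ports,
                    socktype=socktype, proto=proto)


def load_socket_policy(lines: List[str]) -> List[SockRule]:
    """Parse a subject's socket rules; connect rules without any bind rule
    (not even 'bind disabled') are the error gradm >= 2.1.14 reports."""
    rules = [parse_sock_rule(l) for l in lines if l.strip()]
    kinds = {r.kind for r in rules}
    if "connect" in kinds and "bind" not in kinds:
        raise ValueError("connect rules given but no bind rule")
    return rules


def _matches(rule: SockRule, ip: str, port: int, socktype: str, proto: str) -> bool:
    return (ipaddress.ip_address(ip) in rule.network
            and port in rule.ports
            and rule.socktype in (socktype, "any_sock")
            and rule.proto in (proto, "any_proto"))


def socket_allowed(rules: List[SockRule], kind: str, ip: str, port: int,
                   socktype: str, proto: str) -> bool:
    """Decide one bind or connect attempt against a subject's socket rules."""
    if not rules:                   # no socket policy at all: system defaults apply
        return True
    relevant = [r for r in rules if r.kind == kind]
    if any(r.disabled for r in relevant):
        return False
    inverted = [r for r in relevant if r.invert]
    if any(_matches(r, ip, port, socktype, proto) for r in inverted):
        return False                # explicitly excepted by an inverted rule
    if any(_matches(r, ip, port, socktype, proto) for r in relevant if not r.invert):
        return True
    return bool(inverted)           # "anything except ...": the rest is allowed
```

Running a proposed rule set through socket_allowed() for the connections a service actually makes (its DNS resolver, its listening port, its upstream) is a quick way to find the rule you forgot before the kernel log tells you.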
Inverted socket policies are allowed, which lets you specify, for example, that a process may connect to anything except port 80 of a given host with a stream TCP socket. Inverted matching also works on bind rules.

PaX Flags

In recent versions of the RBAC system, PaX flags have been changed from single-letter subject modes to something closer to how capabilities are handled in the policy. PaX flags can therefore be fully controlled, on or off, for any subject by adding +PAX_feature or -PAX_feature within the subject's scope. For a full listing of the PaX flags available, see PaX Flags.

Flow of Matches

Each process on the system has a role and a subject attached to it. This section describes how a process is matched to a role and a subject, and how matches are calculated against the objects and capabilities it uses. Understanding the flow of matches is necessary for writing policies by hand.

Role Hierarchy

When determining a role for a process, the RBAC system matches from most specific to least specific: a user role for the process's UID first, then a group role for its GID, then the default role.

Both user and group roles may carry role_allow_ip attributes, which come into play when the UID or GID is checked against the user or group role. Imagine a policy in which the user1 role carries role_allow_ip 192.168.1.5. If someone logged in to the machine as user1 from any IP address other than 192.168.1.5, they would not be assigned the user1 role; the matching system would then fall back to finding an acceptable group role or, if none could be found, to the default role.

Subject/Object Hierarchy

For subjects and objects, a more specific pathname is matched in preference to a less specific one. So if a /bin object exists and a /bin/ping object exists, and a process attempts to read /bin/ping, the /bin/ping object is the one that matches. If /bin/su were accessed instead, then /bin would match.
The path from most specific to least specific pathname is not linear, however, particularly for subjects that use policy inheritance. Imagine a policy in which the /usr/bin/specialbin subject inherits from a subject whose objects include /root/test/blah with read-only access, while /usr/bin/specialbin itself has no object for that path. If /root/test/blah were accessed by /usr/bin/specialbin, it could not write to it. When going from most specific to least specific for a given path (stripping off each trailing path component and attempting a match on the result), the matching algorithm looks, in order from most specific to least specific, in each of the subjects the current subject inherits from. Here the algorithm found no object for /root/test/blah in the /usr/bin/specialbin subject, so on checking the inherited subject it found that subject's /root/test/blah object, resulting in read-only permission.

When going from most specific to least specific, a globbed object such as /home/* is treated as less specific than /home/blah if the requested access is for /home/blah. Globbed objects are matched in the order in which they are listed in the RBAC policy. So if a policy lists /home/* with read access before /home/test* with broader access, a process accessing /home/testing/somefile would only be allowed to read it, since the /home/* rule is listed first. The policy writer likely did not intend this, because the /home/test* rule would never match; the /home/test* object should be moved to the line the /home/* object is on.

Capability Hierarchy

When determining whether a capability is granted, the RBAC system works from the most specific subject to the least specific in the case of policy inheritance. The first subject along that path that mentions the capability in question is the one that matches. To illustrate, consider a / subject with -CAP_ALL, a /bin subject inheriting from it with -CAP_NET_BIND_SERVICE, and a /bin/su subject inheriting from /bin with +CAP_SETUID and +CAP_SETGID.
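The capability walk just described, as an added example that is not the page's own illustration nor code from grsecurity: it parses the subject and capability lines of a role ("subject <path> [modes]", "+CAP_X", "-CAP_X"; object lines are skipped), follows inheritance from the most specific subject to the least specific, and lets the first subject that mentions the capability decide. Within one subject a rule naming the capability outranks CAP_ALL (so "-CAP_ALL +CAP_SETUID" keeps CAP_SETUID, as in Scenario 1 of Capability Restrictions), and a subject whose modes contain o does not inherit. Choosing the nearest subject whose path is a prefix of the current one as the next subject, and treating a subject with no capability rule anywhere in its chain as keeping the system's normal capabilities, follow the text above. Both policy fragments in the block are constructed.

```python
"""Capability lookup across inherited grsecurity RBAC subjects.

Added example, not from the original page or from grsecurity/gradm.
"""
from typing import Dict, List, Optional, Tuple


class Subject:
    def __init__(self, path: str, modes: str):
        self.path = path
        self.inherits = "o" not in modes           # o = override: no policy inheritance
        self.caps: List[Tuple[str, str]] = []       # [(sign, CAP_NAME)] in policy order


def parse_subjects(policy_text: str) -> Dict[str, Subject]:
    subjects: Dict[str, Subject] = {}
    current: Optional[Subject] = None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("role"):
            continue
        tok = line.split()
        if tok[0] == "subject":
            current = subjects[tok[1]] = Subject(tok[1], tok[2] if len(tok) > 2 else "")
        elif tok[0][0] in "+-" and tok[0][1:].startswith("CAP_"):
            if current is None:
                raise ValueError(f"capability rule outside a subject: {line!r}")
            current.caps.append((tok[0][0], tok[0][1:]))
        # objects, resource and socket rules are not needed for this lookup
    return subjects


def _parent_subject(subjects: Dict[str, Subject], path: str) -> Optional[str]:
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        if path in subjects:
            return path
    return None


def subject_chain(subjects: Dict[str, Subject], path: str) -> List[str]:
    """Most specific subject first, then each subject it inherits from."""
    chain, cur = [], path
    while True:
        chain.append(cur)
        if not subjects[cur].inherits:
            return chain
        parent = _parent_subject(subjects, cur)
        if parent is None:
            return chain
        cur = parent


def cap_allowed(subjects: Dict[str, Subject], subject_path: str, cap: str) -> bool:
    for path in subject_chain(subjects, subject_path):
        rules = subjects[path].caps
        named = [sign for sign, name in rules if name == cap]
        if named:                                   # a rule naming the capability decides
            return named[-1] == "+"
        everything = [sign for sign, name in rules if name == "CAP_ALL"]
        if everything:                              # otherwise CAP_ALL in this subject decides
            return everything[-1] == "+"
    return True     # no rule anywhere along the chain: normal system capabilities


# Constructed policy matching the Capability Hierarchy illustration above.
HIERARCHY_POLICY = """
role root uG
subject /
    / r
    -CAP_ALL

subject /bin
    -CAP_NET_BIND_SERVICE

subject /bin/su
    +CAP_SETUID
    +CAP_SETGID
"""

# Constructed policy for Scenario 2 of Capability Restrictions (illustration only:
# the RBAC system would not accept these capabilities on a default subject).
INHERIT_POLICY = """
role root uG
subject /
    +CAP_NET_BIND_SERVICE
    +CAP_NET_RAW

subject /bin/ping
    -CAP_NET_BIND_SERVICE

subject /bin/busybox o
"""
```

Printing subject_chain() for a subject you are debugging answers the question the kernel log alone does not: which inherited subject actually supplied the rule that denied or allowed the capability.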
In this example, /bin/su is able to use only CAP_SETUID and CAP_SETGID. A lookup of CAP_NET_BIND_SERVICE falls back to the /bin subject, since /bin/su inherits from it and does not list a rule for CAP_NET_BIND_SERVICE itself; the /bin subject specifies that CAP_NET_BIND_SERVICE is disallowed. Matching another capability, CAP_SYS_ADMIN for instance, falls back to the / subject, where it matches -CAP_ALL and is denied.

Policy Recommendations

Remove as many capabilities from default subjects as possible. The more you remove, the closer root comes to acting as a regular user; the more you remove, however, the more subjects you will have to create for programs that need those capabilities. The RBAC system enforces that a minimum set of capabilities be removed from all default subjects.

Use full system learning. It will generate a better policy than you would by hand. Make full use of /etc/grsec/learn_config to specify the files and directories particular to your system that you want protected; gradm does the heavy lifting of creating privilege boundaries for the processes that access or modify important data.

Administrative programs, such as shutdown or reboot, should require authentication instead of giving everyone the capabilities to run them.

Always inspect your kernel logs. The RBAC system puts a great deal of human-readable information in every kernel log entry; of particular importance are the role and subject assigned to the process that caused an alert. If an alert does not match what you expect from your policy, check that the role and subject actually match. If they do not, you may have a role_allow_ip rule preventing the proper role from being applied.

Familiarize yourself with Linux capabilities and what they cover. A full listing is available under Capability Names and Descriptions.
Avoid policy inheritance until you fully understand how it forms the policy for a given subject. Even then, use it sparingly, generally reserving it for cases where a default subject is configured for least privilege, with no readable, writable or executable objects and no capabilities.

Wherever possible, avoid granting both write and execute permission to an object. This gives a potential attacker the ability to execute arbitrary code. Just as PaX prevents arbitrary code execution within a process's address space, one of your goals in creating policies is to prevent it on the filesystem as well.

Be careful with the suppression (s) object flag, especially when using it to ignore accesses a program does not really need in order to operate correctly. A change in glibc or another library the subject uses could cause the application to fail in a way that is difficult to debug unless your first step is to remove the suppression flag.

Sample Policies

Sample policies worth studying are the one installed with gradm, a full user role policy covering cvs-pserver run as the non-root cvs user to provide anonymous read-only CVS repository access, and the short policy that is all an unprivileged sshd account needs.

This page lists applications that need specific settings to work with grsecurity and PaX. If you wish to add an application to the list, you are very welcome to do so; please keep the list in alphabetical order and remember to update the table of contents on the front page.

ATI Catalyst (fglrx) graphics driver

When using Xorg with the proprietary ATI Catalyst graphics driver, CONFIG_PAX_USERCOPY must not be set, as PAX_USERCOPY stops a real, still unfixed overflow in the ATI driver and thereby breaks it. This is in addition to what is shown in the section on Xorg below. As of 11.8, CONFIG_PAX_MEMORY_UDEREF must also be disabled.

cPanel jailshell
Because cPanel's jailshell needs to mount filesystems, including bind mounts, after chrooting, both chroot_caps (because it needs CAP_SYS_ADMIN) and chroot_deny_mount must be disabled. To do this, either disable the respective options in your kernel configuration (CONFIG_GRKERNSEC_CHROOT_CAPS and CONFIG_GRKERNSEC_CHROOT_MOUNT) or, if GRKERNSEC_SYSCTL is enabled, turn the corresponding sysctls off in an init script. We will be working with the cPanel developers to see whether the need for this workaround can be avoided in future jailshell versions.

Firefox (or Iceweasel in Debian)

Mozilla Firefox, and possibly all (if not only some) of the files in /usr/lib/firefox along with the Firefox binary /usr/lib/firefox/firefox, need MPROTECT disabled for Flash to function. Without MPROTECT disabled on the Firefox binary, Firefox enters an infinite loop at startup or takes minutes to load; without it disabled on the other files, any page with Flash will run an infinite loop and the Firefox process will have to be killed.

The option must be disabled for just-in-time compilation of certain scripts for both xulrunner-stub and xulrunner-bin; see the grsecurity forums for details [3]. The safest option is of course to keep MPROTECT enabled and boycott sites that use just-in-time (JIT) Flash scripts. You can disable JIT compilation in the browser by opening about:config, searching for jit in the page's search bar, and double-clicking the options to set them to false.

Firefox 3.5 may need RANDMMAP disabled, otherwise it enters an infinite loop during startup. To disable it, run paxctl -r on the Firefox binary, which is usually somewhere under /usr/lib64/firefox. As of at least Firefox 13 on Ubuntu-based distributions you can leave RANDMMAP enabled.

Google Chrome 15.0.874.106

On Google Chrome. These PaX flags work well on my system with Flash. Chrome's nacl does throw this, however.
GRUB

GRUB uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on the affected binaries, or, if PAX_EMUTRAMP is not enabled in the kernel, MPROTECT disabled on the affected binaries. Depending on the version of GRUB in use, some of the affected files may not exist, but you should mark all those that do. To add EMUTRAMP, use the -CE argument to paxctl; to remove MPROTECT, use -Cm.

GUFW/UFW firewalls or Update Manager

GUFW is an optional graphical interface for the Ubuntu firewall UFW; both use Python. Update Manager is a GNOME application for updating packages that also depends on Python. Really, for any application that uses Python, try enabling EMUTRAMP on the Python version your affected program (GUFW or Update Manager) depends on, for example paxctl -E /usr/bin/python2.7.

IOQuake3

ioquake3 requires disabling MPROTECT restrictions to run correctly.

ISC DHCP Server

NOTE: grsecurity patches released as of May 4th, 2014 do not require the modifications below.

On some systems, after upgrading to a grsecurity-enabled kernel with GRKERNSEC_PROC_USERGROUP enabled, the kernel log may be flooded with denial messages from dhcpd. This may be due to unprivileged users not having access to /proc/net/dev, which this dhcpd requires. You can confirm by running dhcpd -f from the command line, which should print an error to that effect. To fix this, grep your kernel config for CONFIG_GRKERNSEC_PROC_GID, add a group with that GID to /etc/group if one does not already exist, and then add dhcpd to that group. As the DHCP server continually attempts to respawn, it should be running properly once the change is made.

Java

Java has problems with an epoll stack trace lookup [4]. There is also a problem with just-in-time compilation: disable MPROTECT for /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java and /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws.

Nagios
Nagios needs to be able to view all processes on the system to portray service status and performance statistics accurately. It must therefore run with the group of the CONFIG_GRKERNSEC_PROC_GID you configured, or with the one set by the grsec_proc_gid kernel command-line option.

Applications that generate and execute code at run time need MPROTECT disabled on their executable; on most systems this is done with paxctl. Note: for certain apps such as Electron, you will need to disable MPROTECT for both the electron and the nodejs executables.

Another application in the list uses two binaries that need custom settings; both need unrestricted MPROTECT [5]. LibreOffice needs the same, and additionally unrestricted MPROTECT for /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java if you use libreoffice-base (Database).

PHP and other applications that set their own resource limits

While Apache and PHP run very well with a grsecurity/PaX kernel, you might suspect memory leaks or strange OOM (out of memory) errors with PHP on a PaX-enabled kernel with the SEGMEXEC flag enabled. There is no memory leak, and the OOM errors are normal, particularly if you did not set high enough resource limits. Concerning abnormal memory usage with PHP and SEGMEXEC enabled, see spender's answers in the comments.

Xorg

Xorg might need some specific kernel settings, depending on the hardware and drivers used. X would not run with non-executable pages (PAX_NOEXEC); the problem manifested especially in XFree86 4. Recent versions of Xorg are known to work with non-executable pages enabled. If you run into problems with X, check your non-executable page settings.
Some users experience mouse freezes when the system load is high; typically the mouse pointer is reset but stays in the upper-left corner of the screen. This behaviour was found to occur with certain preemption settings [6][7] and seems to be an interaction between forced preemption and KERNEXEC. You should be able to keep KERNEXEC enabled as long as you disable preemption or use voluntary preemption. According to the PaX Team, KERNEXEC should work as is, since the changes should only touch basic functions such as open and close; if you experience problems, switch to voluntary preemption or none.

Contacts

Submitting bug reports to the proper developer will get your bug resolved faster. Although the developers of PaX and grsecurity forward bug reports to each other, going through the wrong one may delay the resolution of your problem. Report bugs in grsecurity features to the grsecurity developers, and bugs in PaX to the PaX Team.

Bug reports can also be submitted to the grsecurity forums; this is the preferred method. The developers monitor RSS feeds of the forums so that they can respond to bug reports quickly. If possible, avoid submitting bug reports to the grsecurity mailing list, which is mainly intended for announcements and other important topics.

Requirements

To reproduce the problem you are experiencing or debug it properly, information will be requested of you depending on the type of bug. For any large files requested, such as the kernel's vmlinux file, please make them available via a website (a free file-hosting service will do), as they will likely be rejected by the developers' mail servers. Additional information may be requested for debugging, particularly if the developers cannot reproduce the problem, but the minimum requested information is listed below.
For any bug you report, please specify the name of the patch you have applied to the kernel. Please also note that the developers only support the latest test patches, as a bug reported in an older patch may have already been fixed in the latest test patch. A properly submitted bug report that includes the requested information below up-front greatly improves turnaround time for getting your problem solved.

Compilation Errors

A copy of your kernel .config.

Build/Linking Errors

A copy of your kernel .config.
Your binutils version (ld --version).

RBAC Problems

A copy of your kernel .config.
A copy of your policy file.
A listing of the steps performed to produce the problem.

Kernel Crashes/Hangs

A copy of your kernel .config.
Your binutils version (ld --version).
A copy of your vmlinux file from the kernel source tree.
A copy of your bzImage file from the boot directory.
A copy of your … file from the boot directory.
The OOPS report, if one exists (take a photo of the screen if you are unable to capture it on disk). Note: we previously required that GRKERNSEC_HIDESYM be disabled for bug reports. This is no longer the case; any recent grsecurity patch does not require GRKERNSEC_HIDESYM to be disabled for symbols to be displayed in OOPS messages.
A description of the machine's hardware (particularly any non-standard hardware).
Information about your virtual machine setup, if applicable (preferred execution mode and kernel paravirtualization).
Steps required to reproduce the crash, if it does not happen before init starts.

role_transitions
Role transitions specify which special roles a given role is allowed to authenticate to. This applies to special roles that do not require password authentication as well. If a user tries to authenticate to a role that is not within his transition table, he will receive a "permission denied" error. A common mistake when creating a new special role is forgetting to create a role_transitions rule for the role that will transition to the special role, which a user confuses with having entered an incorrect password. The role_transitions rule is added below the declaration of a role, but before any subject declaration.

role_allow_ip

This rule restricts the use of a role to a list of IPs. If a user on the system who would normally get the role does not belong to the specified list of IPs, the system falls back through its method of determining a role for the user: checking for an applicable group role, then falling back to the default role. This rule can be specified multiple times for a role. Like role_transitions, it should be added below the declaration of a role, but before any subject declaration. A netmask of 0.0.0.0/32 permits use of the role only by local processes that haven't been used by remote clients [8].

role_umask

This rule can, depending on the mode specified, ensure a number of security properties on files under the control of a given user. One use case is to ensure that a user cannot accidentally or intentionally create a file that others can read (a confidentiality issue). Another is to ensure a user cannot accidentally or intentionally create a file that can be written by others (an integrity issue). Like the previous role attributes, it should be added below the declaration of a role, but before any subject declaration. Unlike conventional umasks, the role_umask support in grsecurity's RBAC also restricts the permissions allowed to be set by chmod, fchmod, and POSIX ACLs.

CAP_SYS_PACCT: Allow configuration of process accounting.
CAP_SYS_ADMIN: Allow configuration of the secure attention key.
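The ordering rule for the three role attributes (role_transitions, role_allow_ip and role_umask go after the role line and before any subject) and the forgotten-role_transitions mistake described above are both easy to lint for before loading a policy. The checker below is an added example, not part of the original documentation and not a check gradm itself performs. It assumes the policy syntax shown in this section (role NAME FLAGS, subject PATH MODE, and the three role rules), treats a role whose flags contain "s" as a special role, and reports a rule that appears after a subject, a special role that no role_transitions rule points at, and a role_transitions entry naming an undeclared role. The sample policy it writes is constructed for the demonstration and contains both mistakes.

```shell
# check_role_rules POLICY -- lint the role-level rules of a grsecurity RBAC policy.
# Added example, not gradm's own checks. Assumes the syntax used in this section:
#   role NAME FLAGS / role_transitions R... / role_allow_ip CIDR / role_umask MODE
#   subject PATH FLAGS
# and that an "s" in the role flags marks a special role.
check_role_rules() {
    awk '
        $1 == "role" {
            state = "role"; declared[$2] = 1
            if ($3 ~ /s/) special[$2] = 1   # special role: must be reachable via role_transitions
            next
        }
        $1 == "subject" { state = "subject"; next }   # from here on, role rules are misplaced
        $1 == "role_transitions" || $1 == "role_allow_ip" || $1 == "role_umask" {
            if (state != "role") {
                printf "line %d: %s must follow the role line and precede any subject\n", NR, $1
                bad = 1
            }
            if ($1 == "role_transitions") for (i = 2; i <= NF; i++) reachable[$i] = 1
            next
        }
        END {
            for (r in special)
                if (!(r in reachable)) {
                    printf "special role %s has no role_transitions rule pointing at it\n", r
                    bad = 1
                }
            for (r in reachable)
                if (!(r in declared)) {
                    printf "role_transitions names undeclared role %s\n", r
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1"
}

# write_sample_policy FILE -- constructed policy with both mistakes: the special role
# "shell" is unreachable, and role_allow_ip for "user" comes after a subject line.
write_sample_policy() {
    cat > "$1" <<'EOF'
role admin sA
subject / rvka
    / rwcdmlxi

role shell s
subject /
    / rx

role user u
role_transitions admin
subject /
role_allow_ip 127.0.0.1/32
    / rx
EOF
}
```

Usage: write_sample_policy /tmp/policy && check_role_rules /tmp/policy prints one line per problem and exits non-zero, so it can sit in front of gradm -E in a deployment script. The checker deliberately ignores object lines and subject flags; it only validates the role-level structure this section describes.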
Allow administration of the random device.
Allow examination and configuration of disk quotas.
Allow configuring the kernel's syslog (printk) behaviour.
Allow setting the domainname.
Allow setting the hostname.
Allow calling bdflush().
Allow mount() and umount(), setting up new SMB connections.
Allow some autofs root ioctls.
Allow nfsservctl.
Allow VM86_REQUEST_IRQ.
Allow reading/writing PCI config on alpha.
Allow irix_prctl on mips (setstacksize).
Allow flushing all cache on m68k (sys_cacheflush).
Allow removing semaphores. Used instead of CAP_CHOWN to chown IPC message queues, semaphores and shared memory.
Allow locking/unlocking of shared memory segments.
Allow turning swap on/off.
Allow forged pids on socket credentials passing.
Allow setting readahead and flushing buffers on block devices.
Allow setting geometry in the floppy driver.
Allow turning DMA on/off in the xd driver.
Allow administration of md devices (mostly the above, but some extra ioctls).
Allow tuning the ide driver.
Allow access to the nvram device.
Allow administration of apm_bios, serial and bttv (TV) devices.
Allow manufacturer commands in the isdn CAPI support driver.
Allow reading non-standardized portions of PCI configuration space.
Allow DDI debug ioctl on the sbpcd driver.
Allow setting up serial ports.
Allow sending raw QIC-117 commands.
Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands.
Allow setting the encryption key on the loopback filesystem.
Allow setting zone reclaim policy.
CAP_SYS_NICE: Allow raising priority and setting priority on other (different UID) processes.
Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.
Allow setting cpu affinity on other processes.
CAP_SYS_RESOURCE: Override resource limits. Set resource limits.
Override quota limits.
Override reserved space on ext2 filesystem.
Modify data journaling mode on ext3 filesystem (uses journaling resources). NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too.
Override size restrictions on IPC message queues.
Allow more than 64Hz interrupts from the real-time clock.
Override max number of consoles on console allocation.
Override max number of keymaps.
CAP_SYS_TIME: Allow manipulation of the system clock.
Allow irix_stime on mips.
Allow setting the real-time clock.

Introduction

This table lists all system resources that can be restricted by grsecurity. Grsecurity supports all the resources Linux supports, but uses slightly different names for them: the RLIMIT_ prefix has been replaced with RES_. For example, the Linux resource RLIMIT_CPU is called RES_CPU in grsecurity. For detailed information about resources in Linux, see the man page of getrlimit.

Syntax and Examples

A single resource rule follows the following syntax: … An example of this syntax would be: … This would prevent the process from creating files that are bigger than 5 kilobytes.

Using "unlimited" is valid for both the soft limit and the hard limit, to denote an unlimited resource. Note that by omitting a resource restriction, the system's default limits are used (as set by PAM or the application itself). If a resource is specified within the policy, the specified limits override the system's default limits for the given subject. A number of suffixes are allowed when specifying resource limits. They are described below.

On this page you will find documentation regarding permissions to use material written by others before this Wikibook was started.

The Original grsecurity Documentation

The original documentation for grsecurity was written by Brad Spengler, the author of grsecurity. This includes the ACL documentation and the grsecurity Quick-Start Guide (PDF).

Permission to Use the Official Documentation
Below is the correspondence between myself (Meev0 (talk)) and Brad Spengler regarding the use of his works in this Wikibook.

Sent at Mon Apr 20, 2009 5:56 pm: You may publish my answer to the original request and this request too. You may copy/republish any and all parts of the grsecurity documentation. I don't think I put an explicit license on the documentation, but I consider it to be essentially public domain.

Sent at Mon Apr 20, 2009 5:27 pm: Thanks. I'm making a separate page for the book that will include credits, links to the original documents and a copy of your message where you grant this permission. Just so that there is no misunderstanding: 1. May I publish your answer to my original request? 2. In my request I mentioned wanting to copy parts, which is very vague. Basically what's needed IMO is you clearly stating what parts of the grsecurity documentation can be published under the GNU Free Documentation License. I'm not a copyright lawyer, but I think the clearer the situation the better. I'll try to limit the amount of text I need to copy, as I like writing documentation, but most of the technical notes are better left as they are.

Sent at Sat Apr 18, 2009 7:59 pm: Of course, that's fine with me. Thanks again for your work, and hope things get better for you personally.

Sent at Sat Apr 18, 2009 5:41 pm: Hi Brad. I wanted to ask about using the grsecurity QuickStart guides (the … and the …) in the Wikibook. As you are the copyright holder of both documents, I need your permission to copy parts from those files. Mainly I would like to copy the ACL documentation, as it would be silly for me to start writing it from scratch. Naturally I would credit you and include a link to the original documents. You can reach me by replying to this PM or by email at …

Installing Mandriva 2006 (Linux-Mandrake 11.0) on an IBM Thinkpad A22p

Permanent URL: …
Last updated 2009-10-28.

This is my page dedicated to Mandrake/Mandriva GNU/Linux on an IBM Thinkpad A22p. This version covers Mandrake 11.0 (also known as Mandriva 2006), but there are earlier pages about Mandrake 8.0, 8.1 and 9.1. This information has been drawn from many sources (thanks to all of you). Any feedback on this page would be welcome. Copying is permitted (see below). In addition, this page led to the computing course I wrote for my students, introducing Linux, which is here.

This Thinkpad is actually very Linux-compatible. Although I haven't documented it here, I've run 8.0, 8.1, 8.2, 9.0, 9.1 and 10.2 on it, and Knoppix. Basically, everything works well; therefore, this is partly a quick run through the installer, partly a list of things I think are important or useful to change on a GNU/Linux system, and partly a memo-to-self about my preferences for the next install. I also have a desktop system, so there is a lot of general Mandrake information here. Lastly, I've included some useful scripts, binaries and config files. I have denoted commands and files like this.

It is worth mentioning also … and Linux on Laptops, Linux on Thinkpads, the … mailing list, ThinkWiki, the Linux on Thinkpads webring and the Knoppix bootable Linux demo/rescue CD. This is also a good place to warn about lm-sensors: do not install it, since it can destroy some Thinkpads. Lastly, don't forget to subscribe to the security announcement mailing list.

This is an IBM A22p, model TA2USUK, with a 15" 1600x1200 display, PIII 1 GHz, and CD-RW. The RAM was upgraded from 128 MB to the maximum supported 512 MB (Crucial RAM is cheaper than IBM's and seems fine; 128 MB is rather marginal for intensive use under Linux). Everything works, although I never tested the S-video in/out. The interesting challenges are encryption, trackpoint sensitivity, making suspend work reliably, and the modem driver.
The hardware maintenance manual for the A22p is here. Spare parts can be purchased from IBM's online parts store or from laptopbits. Parts are identified by their FRU (Field Replacement Unit) number; for example, spare trackpoint caps are 84G6536. I also purchased a Port Replicator (10 on eBay), which is extremely useful: it saves frequently plugging and unplugging many cables, and it acts as a stand to tilt the keyboard. Everything works, except the DVI connector. Lastly, the ugly "Designed for Windows 98" sticker was removed, and the top of the lid adorned with a 40mm-high Tux.

Download the ISOs (yes, I joined MandrivaClub). Burn to CD using cdrecord. Test using dd if=/dev/cdrom | md5sum. You can also buy the CDs cheaply from, for example, The Linux Emporium. Sometimes, a perfectly good CD will not verify correctly because of padding. I downloaded the set of 6 CDs available as Mandrake Club Silver Edition; however, if you download just the 3 Free (GPL) CDs, add all the urpmi sources, and then install the non-free packages (java, realplayer, flash, acroread), you will end up with the same result.

Read the release notes and the Errata.

Backup everything, especially /home (including hidden files within /home), on an external disk or over the network (rsync via ssh). Check it using diff -r. It's also worth keeping the old /etc. If there is anything useful in /var, remember to keep that too (e.g. Postgres databases, html, logfiles, crontab, mailspool). If the IP address is static, write it down along with the other network settings. This is true for updates as well as fresh installs.

Power off, take a deep breath, get coffee.

In the BIOS, make sure that all the devices are configured to be enabled, and that the hardware clock is set to GMT. Set the boot order to CD-ROM, then HDD. Set the HDD password (but not the power-on password). Set the lid-close button to be inactive, not to suspend (this prevents a race condition).
Have a copy of Knoppix handy, and also note that Installer Disk 1 is a recovery CD (especially useful if you destroy the bootloader).

Plan: Encryption and security

Please note, I am not an authority on this, and I am only documenting what I did. Corrections would be welcome.

Consider: how important is security here? Given that it is a laptop, it might well be stolen, and in this case the data would be compromised. Is encryption useful? Is it worth the performance penalty and hassle? I decided to do the following; however, you may decide otherwise. Here is a helpful threat model: the worst thing, of course, is a false sense of security. Nothing is guaranteed to be safe. Security means adding several layers which make it more difficult to attack. The more layers you add, the more inconvenience you'll get, until it actually stops you getting any work done. You have to find the right balance, looking at how important your data is, how much effort and resources your attacker will or can put into getting at the data, and how much inconvenience you're comfortable with in taking measures against a possible attack.

I set the Hard Disk password in the BIOS. This is fairly impenetrable (IBM certainly won't get it back for you), but it is probably circumventable by a talented data thief. Don't forget it! It also means that the laptop cannot boot up unattended. I didn't set a BIOS password, since the HDD password is sufficient and stronger than the BIOS password anyway. From the Linux-thinkpad mailing list: "The Hard Disk password is pretty secure. The protection is provided by the drive itself: one needs to disassemble the drive, separate the drive platters from its internal IDE controller and replace this controller to get to the data."
"One important thing to know about Thinkpads is that if you also set a power-on password in the BIOS, the hard drive password gets copied to an EPROM on the motherboard. As a consequence, not setting a power-on password and only a hard drive password decreases the risk of an attacker getting to the data."

Most systems, given an attacker with physical access, can be booted up, either using Knoppix, or by pressing Escape while Lilo is starting and then typing "linux single". So the login password alone is no protection at all. Even if CD-ROM boot is prevented by a BIOS password, and Lilo single-user boot is disabled, the hard disk can still be read by placing it in another machine.

Encrypt /home, since it contains my data.

Encrypt /var, since it contains all sorts of things (logs, postgres database etc).

Encrypt swap, because anything could end up there, in the clear. Swap is the easiest to encrypt, and the most transparent, so I'd recommend encrypting that, even if nothing else.

Not encrypted: the root directory (/), because it's all open source anyway. Furthermore, this is quite a complex operation, especially if trying to install there. And the performance hit would be most significant if the applications were encrypted. Yes, there is a little information which could leak out via /etc, but for me this isn't important; besides which, my email address is written on the bottom of the laptop.

Not encrypted: /boot, because this would be impossible. If worried about a trojaned kernel being installed here, boot only off a USB key, and keep the key in your sight at all times.
I decided to use losetup rather than dm-crypt, since losetup is more established, and at least partially supported by a (broken) Mandrake script. dm-crypt might actually work OK with Mandriva 2006, but it certainly didn't when I originally set this up under 10.2. Using losetup means that suspend-to-disk is dangerous, since the RAM will be in the clear on the disk. But I only ever want suspend-to-RAM anyway. dm-crypt would allow cryptographic suspend-to-disk. Also, newer versions of suspend2 have native encryption support via the crypto API of the Linux kernel, but Mandriva doesn't seem to use suspend2.

Firewire can be dangerous: IEEE 1394 devices can, by design, snoop on the host's memory. This is useful for debugging, but can be considered harmful. The laptop has no inbuilt 1394 device, but a PCMCIA card would be helpfully hotplugged by Mandrake. So prevent the modules from loading.

The implication of the setup which I have chosen is that:

When the system is switched off, if someone tries to access the hard disk, we are protected by encryption.

When the system has booted up, all the encrypted partitions are mounted. We are now protected by the kernel, the login program, file permissions, and a strong password.

When the system is left running, but unattended, xscreensaver is used to lock the display. We are now protected by xscreensaver (and sshd, if on a network).

Obviously, choose a strong password and passphrases. Also, there are some useful articles on data hygiene published by The Register, on internet anonymity and data security.

Here are some other encryption resources which may be of interest. Note that losetup is older than dm-crypt.

Loopback AES Readme.
Linux device-mapper cryptography: dm-crypt and the dm-crypt wiki.
How to encrypt the entire hard disk.
Linux Journal article: Implementing Encrypted Home Directories (but slightly old, not referring to dm-crypt).
Disk and email encryption in Linux (covers OpenPGP and Mandrake 9.1).
Encrypting the whole disk using Gentoo and losetup (not really relevant here).
Cryptoloop howto: mounting an encrypted file instead of a partition.
EncFS: doing everything in userspace (uses FUSE). Easier, but less efficient.
GPG: encrypting one file at a time. Useful for emails.
StegFS: plausible deniability by having multiple layers of encryption.
Other attacks include listening to the sound of the keyboard, listening to the sound of the CPU, and sampling diffuse visible light from the monitor.
Tom's Hardware intro to LUKS.

Other considerations

Can the encrypted /home partition be locked without unmounting it? E.g. before invoking the screensaver, or suspending, somehow forget the key, without first having to close all the applications and unmount /home? I can't see why this shouldn't be possible, but it would appear to need a kernel modification.

Can we trust the login program? Yes, probably, provided the password is good enough. Thus, when the system is running, we are protected by the passwords. The encryption protects against someone with physical access to the machine, who can remove the hard disk or use a bootable CD.

Can we trust xscreensaver to do the locking? Yes, probably, provided that the password is sufficiently strong, and that there are no root logins on the virtual consoles, which xscreensaver cannot protect. Xscreensaver uses PAM, so it is as good as login. Disabling Ctrl-Alt-Backspace would be a good idea: if there were some way to crash X or xscreensaver without logging out, this would leave /home exposed.

What about the daemons? Could sshd or apache compromise things? Make sure that permissions are not world-readable. What about ~/public_html? Obviously, we need to run a fully up-to-date system, with no known local-root exploits.
What about the risk of a dictionary attack on /etc/shadow? Obviously, I use a password which is not a dictionary word. But a really sophisticated attacker could perhaps surreptitiously borrow the unattended laptop, copy /etc, run some crack against /etc/shadow, return the laptop, wait for me to log in, then steal it. A possible improvement is adapting your PAM configuration to replace the standard unix authentication with "use your ssh passphrase to log in" or "use a usb-stick to log in". But obviously, losing a usb-stick is very easily done.

Can we use PAM to automate any of this, to reduce the number of times the passphrase needs to be typed? Is there any reason why the root password, my user password, and the SSH passphrase should be different?

Can the SysRq key do anything bad? It appears not, according to the documentation in …

We are still vulnerable to a brute-force attack with sufficient computing power, to theft of the laptop while unlocked, or to theft while locked but powered on, with sufficiently clever electronic probing of the motherboard or via Firewire.

Newer Thinkpads, with biometric fingerprint sensors, should not rely on these. The sensors do not reliably discriminate between users, and are very easy to fool. Furthermore, one's fingerprints can easily be retrieved from the laptop.

If any of this is wrong, please tell me.

If you want to have an encrypted system, first initialise the HDD by filling it up with random data. This will destroy any previous information there, so be warned. Either boot Knoppix, or run this from the current system: dd if=/dev/urandom of=/dev/hda bs=1M. This will take about 5 hours for a 32GB disk. /dev/random is better cryptographically, but would take a year.

Now, the install itself. This went fine, with no problems, so just a quick summary.

The new Mandrake installer is very slick, and just works (expert mode has gone away). There is a very useful rescue mode on the first CD, in case you mess up the system.
It did prompt me to upgrade from 9.1, which would probably have worked fine. However, I decided to do a full reinstall, and re-partition.

Accept license. Read release notes. British English. UK keyboard.

Security: high (don't choose paranoid; you can make your system almost unusable). Security admin: rjn (this is the person who gets the email from msec etc).

Mouse: any PS/2 or USB (the default).

Partitions: if you are not using encryption (or just encrypting swap), I would recommend something simple, e.g. …

Package selection: it is usually easier to install a small system, then add urpmi sources, and select more packages once it is done. So I just accepted the default groups. NOTE: DO NOT install lm_sensors; it can destroy some Thinkpads (see …). Mandrake do not include it by default, and lm_sensors should now safely exit before damaging vulnerable machines, but it's worth making sure. This also means avoiding glms and ksensors, and not running sensors-detect.

Define a root password, a user rjn and password.

Put the Lilo bootloader on the MBR (Master Boot Record).

At "Summary", I went through all the config options.

Timezone: London. Hardware clock: GMT. Use NTP.

Printers: configure after install.

GUI: Generic Flat Panel Display, 1600x1200, Rage 128 Mobility, Xorg 6.8.2 with hardware acceleration, 16 bits per pixel. Note: it is necessary to choose 16 bpp and not 24 bpp in order to have hardware acceleration working (glxgears gives 787 FPS at 16 bit, but only 158 FPS at 24 bit).

Network: LAN. Set eth0 to DHCP. Do NOT assign the host name from the DHCP address. Do not set the DHCP hostname. Choose "start at boot". Get DNS servers from DHCP. Zeroconf hostname: blank. Note: unlike earlier versions, 10.2 will background the DHCP request to allow boot to proceed faster. However, you can also set a timeout.

Firewall: block everything except SSH and ping.
Bootloader: 5 second delay. Clean /tmp at boot. No need to specify the precise RAM size. ACPI is now supported, so allow it (previously, I used APM). Add "splash=verbose panic=60" to the bootloader options: respectively, make bootsplash verbose so that the boot messages are visible, and reboot after a kernel panic rather than hang.

Services: I deactivated many of these. In particular, unless you need them, deactivate anything to do with NFS (netfs, nfslock, portmap) and Zeroconf (mdadm, mDNSResponder, nifd). Here is what I am running on my laptop. Note that some of these choices may not suit everyone: I don't have a printer on the laptop (no cups); I do web development and I have internet connection sharing enabled for use when travelling (dhcpd, squid, named); ACPI is now supported, although APM works too; I have no bluetooth hardware, and I never change the ultrabay; irda causes crashes, and anacron causes the disk to thrash (rpmv, msec) for 20 minutes.

These are running: alsa, acpi, acpid, atd, cpufreq, crond, dhcpd, dm, haldaemon, harddrake, hotplug, keytable, kheader, messagebus, named, network, ntpd, partmon, pcmcia, postfix, postgresql, shorewall, smartd, sound, squid, sshd, syslog, udev, xfs.

These are not running: anacron, apmd, apmiser, bluetooth, cups, cpufreq, cpufreqd, dund, hidd, iptables, irda, laptop-mode, mDNSResponder, mdadm, netfs, netplugd, nfslock, nifd, oki4daemon, pand, pcscd, rawdevices, ultrabayd, vncserver.

Post Installation

The system booted straight up; all seems well. Nevertheless, there is a lot left to do. This being Linux, there is a huge amount that can be configured. In particular, before trying to do any further setup, I'd recommend configuring sudo and urpmi and then installing bash-completion.

1. Quick tests

Some quick tests to check status.

Check hard disk performance. Is DMA enabled? It should be (check with hdparm). Test the data rate: hdparm -tT /dev/hda. I get 287 MB/s (cached reads) and 19 MB/s (buffered disk reads) respectively.

Check memory status: free -m (more info: …).
Check disk space: df -h; and what is mounted where: mount.

Is swap enabled? swapon -s.

Check which kernel is running: uname -a.

Check 3D acceleration: glxgears (I get 787 FPS).

Check which processes are running: top; ps aux | less; chkconfig --list; service --status-all.

Check network: ifconfig -a.

Check for system error messages: dmesg, /var/log/messages, /var/log/kernel.

2. Configuring lilo

The kernel parameters are listed in … I use the following.

splash=verbose: so that the boot-up messages are visible. Mandrake defaults to hiding them with splash=silent. The old way (just text) is splash=none.

panic=60: so that, if there is a crash, the system will try to reboot after 60 seconds. Useful if unattended. We could also install the watchdog.

acpi=off: this would be used if we want APM rather than ACPI. To have ACPI, no entry is required.

inotify: so that inotify is enabled, which allows KDE's volume manager to detect changed media (e.g. CDROMs or USB keys).

vga=794: so that the console uses a much higher resolution, which makes it far more pleasant. To see which modes are possible, run hwinfo --framebuffer, then convert it using this table.

Thus, a typical stanza might look like: …

For faster bootup, reduce the value of timeout from 50 to 30. Then, remember to run /sbin/lilo so the changes take effect.

3. Configuring …

Add the following to … so that these modules are automatically loaded on bootup: … The pcspkr module provides the ability to have the PC-speaker system bell (e.g. Ctrl-G at a console, or gnubeep); see this bug. The e100 module is loaded here to force it to be loaded instead of eepro100, and before pcmcia starts (see the network section for why).

Configuring sudo

This is to save having to type the password each time I, the only user of this laptop, wish to become root. Add the rjn line to /etc/sudoers under the currently existing root line (where rjn is your login name): …

alias sud='sudo su'. So, you can now become root by simply typing sud. More information here.
Note: sudo su does not usually set up X authentication, so if you then try to run a GUI application (e.g. xclock), it fails with the error message "Xlib: connection to :0.0 refused by server". The solutions are any of:

Permit the root user to access your normal X session (run as yourself): xhost local:root. Be aware that xhost's local: family admits any local (non-network) connection regardless of the user name given, so this opens the display to every account on the machine; xhost +si:localuser:root restricts the grant to root alone.

Invoke the GUI application directly: sudo xclock.

Use the sux wrapper script instead of su to transfer the X credentials.

Configuring urpmi sources

1. Introduction

Urpmi (user RPM install) is the Mandriva package manager. It is a delight to use once configured: simply urpmi PACKAGENAME and it will download and install it for you. However, first you must set up some software sources (urpmi media). Virtually every package that you will ever need is available via an urpmi source, and it is important to choose the correct sources. Also, you should never bypass or force RPM. When installing from source, I recommend using checkinstall so that RPM is always correctly aware of the system status. There is a graphical interface to urpmi, which is rpmdrake. For more urpmi information, see the Advanced uses of Urpmi section.

2. Systems and Sources

There are 3 possible systems (do not mix and match). These are:

Official: this is the stable release. Recommended for servers.

Devel/Community: this is the slightly more bugfixed and updated system, and is required by some PLF packages. Recommended for desktops.

Cooker: bleeding edge, and usually broken. Recommended only for Mandriva developers.

Official vs Community: PLF only support the Community branch of Mandriva, which is actually a living version of the official branch, with all updates merged instead of being distributed separately. Moreover, some limited backports are provided, whereas official is absolutely frozen. Using PLF packages with official will often work, but not always.

To set up the urpmi sources, it is possible to use …, but probably easier to visit Easy Urpmi or the Mandriva Club Mirror Finder.
Firstly, remove the sources corresponding to the install discs (-a). Then, set up the following sources via EasyUrpmi.

Main: the 3-6 CDs you download. Core distribution.

Contrib: packages built by other volunteers. Over 2GB of useful stuff, but not officially in the main distribution.

PLF (Penguin Liberation Front): packages that might cause legal headaches in some countries, mainly multimedia. PLF is split into plf-free and plf-nonfree. Note: PLF is designed to work with Community, not Official.

Updates: updated packages fixing bugs and security problems. Only official has an updates source; for devel or cooker, updates are subsumed into the other media.

If you are a member of the Mandriva Club, you may also wish to add the Club media. I would recommend removing the club media after you have downloaded the desired packages. Remember: log into MandrivaClub first, and make sure to replace PASSWORD with the actual value. There are:

Club Open Source packages: updated packages available to MandrakeClub members. You may wish to pick and choose these rather than adding the urpmi source; if so, browse the mirror with lftp.

Club Commercial: non-free, binary packages such as Java and Flash. These are available as RPMs from MandrivaClub; if you prefer, you can download these directly from Sun, Macromedia etc.

You may also wish to add the cooker backports source provided by the excellent Hawkwind at SeerofSouls. 2006 RPMS: updates for many and various packages, built for Mandriva 2006. KDE 3.5 RPMS: packages for KDE 3.5.

3. Applying updates and adding packages

Now, apply the updates from the updates source using urpmi --auto-select. Also, install the latest kernel, from the updates source, using urpmi kernel-i686-up-4GB-2.6.12.12mdk, and then remember to edit … and run lilo.
Now, if desired, you can add any other package. I'd recommend adding the following: gnome-alsamixer, anacron, abiword, antiword, bash-completion, catdoc, checkinstall, dos2unix, faces-penguin, gscanbus, lyx, nc, nano, sane, openssh-clients, unix2dos, mandrivadoc-en, shorewall, units, xfig, X11R6-Contrib.

4. My Urpmi Configuration

Hopefully, that isn't too confusing. By way of example, these are the urpmi sources I am using:

main (community)
contrib (community)
plf-free and plf-nonfree, and mandrake non-free 2006.0
mandrivaclub (only temporarily configured, to download Java, Flash and OpenOffice2, then removed)

Configuring bash

The Bash shell is extremely versatile, and can be customised by editing …

Bash completion (sophisticated tab-completion)

Tab completion is wonderful, and installing the bash-completion package is incredibly useful: it makes tab-completion far more pervasive. For example, it will complete on urpmi packagename, killall processname and ssh hostname, and it will suggest completions in KDE's run command dialog (Alt-F2). Under Mandriva 2006, the installation of bash-completion has changed, and if you are already an existing user on the system, it won't just work. These are the steps:

urpmi bash-completion

Source /etc/bash_completion in your …

Edit the file /etc/sysconfig/bash_completion.

To test if it is working, create a file and directory with similar prefixes: touch testfile; mkdir testdir. Then type cd test<TAB>. If bash-completion is installed, it will know that cd can only apply to a directory, and will complete the command to cd testdir. Otherwise, it will print both options.

Lastly, bash-completion will occasionally refuse to complete a command which you know is valid. Use Alt-/ to force filename completion.

Optimising tab-completion

Most other distributions which I have tried have tab-completion configured far less than optimally. This usually manifests itself as the question "how do I disable the system bell?".
In all distributions, if the word is unambiguous, pressing Tab once will complete it. In Mandrake, if the word is ambiguous, pressing Tab once will print a list of options, with no beep. In most other distributions, if the word is ambiguous, pressing Tab once will just beep at you; you have to press Tab twice to get the completion options. This rapidly gets irritating, and causes lots of beeping. The secret: edit either /etc/inputrc or your own copy, and add these lines. Then, the beeps become useful and much rarer.

More Bash tips

Typing help will give a guide to the bash builtins. info bash or man bash are extremely useful; reading the man page in konqueror (man:bash) is easier. Here is a useful reference: the Advanced Bash Scripting Guide. Also, a list of special characters and string functions. Mandrake defines a lot of helpful aliases such as cd and s; type alias to list them.

Keyboard shortcuts in bash (readline) are described in info bash (Command Line Editing) or man readline. There are very many; here are some of the most useful:
Clear screen except for current line.
Reverse-search through history.

Single-quoted phrases in bash are literal. Within single quotes, you may never use another single quote, not even with a preceding backslash. See QUOTING in the bash manpage.

Double-quoted phrases in bash treat backtick, $ and backslash specially. Double-quoted double quotes may be escaped with a backslash. Beware of ! characters within interactive shells: echo "Oops!" will cause an error (history expansion).

Concatenation is allowed, e.g. TEXT="What's your name?\n"'My name is Richard', then echo -e "$TEXT".

Without quoting, filename globbing takes place, and *, ? and [ ] have special meanings; see PATTERN MATCHING in the manpage.
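The nullglob and IFS behaviour discussed in the next section, as an added example that is not part of the original guide: it builds a constructed temporary directory, counts glob matches with and without nullglob, and shows how changing IFS alters word splitting. Function names and sample files are my own; run it with bash.

```shell
#!/bin/bash
# Added example (not from the original guide): the nullglob and IFS
# behaviour described in the text, run against a constructed temp directory.

# Count files matching a glob with bash's default settings.
# An unmatched glob stays as the literal word (e.g. "ZZZ*"), so the loop
# runs once and reports 1 file even though none exists.
count_default() {
    shopt -u nullglob failglob
    local i=0 file
    for file in $1; do          # unquoted on purpose: the pattern must expand
        i=$((i + 1))
    done
    echo "$i"
}

# Same loop with nullglob: an unmatched glob expands to nothing, so the
# loop body never runs and the count is 0, which is the right answer.
count_nullglob() {
    shopt -s nullglob
    shopt -u failglob
    local i=0 file
    for file in $1; do
        i=$((i + 1))
    done
    shopt -u nullglob
    echo "$i"
}

# Split a string into words using the given IFS and report
# "<word count>:<second word>". With a space as IFS, "first second third"
# gives 3:second; with IFS=: the string "first second:third" gives 2:third,
# because the space is no longer a separator.
split_words() {
    local str="$1"
    local IFS="$2"
    set -- $str                 # unquoted on purpose: word splitting is the point
    echo "$#:$2"
}

# Demonstration in a throwaway directory with two constructed sample files.
demo() {
    local tmp
    tmp=$(mktemp -d)
    touch "$tmp/a.txt" "$tmp/b.txt"
    (
        cd "$tmp" || exit 1
        echo "default,  matching  *.txt : $(count_default '*.txt')"   # 2
        echo "default,  unmatched ZZZ*  : $(count_default 'ZZZ*')"    # 1 (wrong)
        echo "nullglob, unmatched ZZZ*  : $(count_nullglob 'ZZZ*')"   # 0 (right)
    )
    rm -rf "$tmp"
    echo "IFS=' ': $(split_words 'first second third' ' ')"           # 3:second
    echo "IFS=':': $(split_words 'first second:third' ':')"           # 2:third
}

demo
```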
Globbing is the process by which special characters are expanded to match filenames. For example, ls *.txt lists all files ending in .txt. But consider what happens when there are no matches. By default, bash falls back to the literal pattern; shopt -s failglob makes it throw an error; shopt -s nullglob makes it result in the empty string. All choices are problematic. Consider:

i=0; for file in ZZZ*; do let i++; done; echo "There are $i files matching"

when there are no relevant files. Without failglob or nullglob, this will give the answer 1 when it should be zero; nullglob is best.

ls ZZZ*: the default (neither nullglob nor failglob) results in "ls: ZZZ*: No such file or directory". However, with nullglob, it becomes just ls, listing the entire directory.

IFS is the input field separator. By default, it is space, tab, newline. Any of these characters are treated as delimiters when tokenising input. For example, set first second followed by echo "$1 is $1 and $2 is $2" results in "$1 is first and $2 is second", whereas with IFS set to ":" and the input "first second:third", $1 is "first second" and $2 is "third".

Some customisations make it very much more useful. Here are some of the things I have added. Here are some snippets from root's own file. In particular, the root prompt is in red, and the konsole tab has a # in it.

Setting Up Encryption

Now that we have a system installed, it is time to encrypt it. It is possible to encrypt partitions on-the-fly, and it is maybe even possible to install to an encrypted disk. But the following is the easy (well, easiest) way. Note that you aren't really supposed to put a journalled file system on a loopback device; you may need to use reiserfsck --rebuild-tree if you are unlucky.

1 Encrypt Swap
Encrypted swap is the easiest thing to set up, and potentially the most useful: since you never know what gets swapped out, you can never be sure what is on the swap file. Try reading it using cat /dev/swap-partition | strings and you may be surprised. If you have lots of RAM, you might consider disabling swap altogether. Even better, encrypted swap is all automatic, and you never need to set a password. It adds no significant overhead to the system. See man swapon for more details.

Check that the loopback device is enabled.

In 2006.0, I find that there is an error message at bootup: "Activating swap: unable to open device /dev/loop0". This arises because the symlink /dev/loop0 -> /dev/loop/0 doesn't get created fast enough. It's OK on faster machines. Also, when rebooting after a kernel panic, the loopback device itself doesn't get created, and we need to encourage udev a bit. The cure is to modify the init script to include the 2nd paragraph below.

If you wish to undo the encrypted swap (eg to use suspend-to-disk), you will have to re-create a normal swap partition with mkswap: mkswap /dev/hda6.

2 Encrypt other partitions (spare, home and var) using losetup

This is the easier way to do it on Mandrake, since the init-scripts sort-of understand it. Here is how it works: losetup creates an encrypted loopback device, such that /dev/loopX is unencrypted (and can have a filesystem mounted on it), but connects to a matching hard disk partition /dev/hdaX which is encrypted. The first time, losetup will require a passphrase. I use at least 30 characters, and have all 3 partitions with the same passphrase. The mount options in /etc/fstab are loop (use loopback device), encryption=aes256 (type of encryption) and encrypted (used by the init scripts to know that it is encrypted). When mounting, if you get an error about a bad superblock, it means you used the wrong passphrase. It is possible to encrypt a partition leaving the data in place, but it is easier to back it up. The partition should be prepared by filling it up with random noise.
2.1 Encrypt partition /dev/hda8, mounted as /spare. Remove backup directory.

2.4 Make sure that the partitions will mount at bootup

So far, so good. We've done the hard part, BUT there will be problems when we reboot. When we boot, we want to always mount the encrypted partitions. However, the init script will give only one chance to mount, and if you mistype the passphrase, it will just skip it. This will cause serious difficulties, since the system cannot properly boot without /var, and you cannot start KDE without /home.

Edit /etc/sysconfig/autofsck and change the line to AUTOFSCK_CRYPTO_TIMEOUT=600. This should mean that instead of timing out after 15 seconds, the computer will wait 10 minutes for a user to enter a passphrase before it continues to boot. However, this setting only applies in the case where the filesystem is unclean, and the normal setting is hardcoded in the init script. Back it up with cp. Now, edit it.

2.4.1 Fix the timeout for mounting encrypted filesystems on boot-up. It should wait a long time. Edit the line just above the comment "Mounting Encrypted filesystem" and change the timeout to 600. The correct line reads: [ -z "$AUTOFSCK_CRYPTO_TIMEOUT" ] && AUTOFSCK_CRYPTO_TIMEOUT=600

2.4.2 Fix it so that, if you get the passphrase wrong, it asks you again and again (10 times). Edit the section which begins "Mounting Encrypted filesystem". Replace this part of the script.

2.4.3 Fix the section beginning with "Check loopback filesystems" so that it doesn't check filesystems which are both loopback AND encrypted. It should read as follows.

2.4.4 Side effect: service udev status is untruthful. udev is started very early, before /var is mounted; service udev start tries to save the status by touching /var/lock/subsys/udev. This failure is harmless, but it will mean that service udev status wrongly claims that udev is stopped when it isn't. To check the truth, use pgrep udevd instead. If desired, add this immediately after mounting /var in section 2.4.2 above.

3 Other considerations
Set the hard disk password in the BIOS. See above.

Firewire modules could be harmful. Prevent them from being loaded: run /bin/true instead of installing the module, by adding this to the module configuration.

4 Conclusions

This now works. Test it by comparing the result of cat /dev/hda9 | strings with what you would usually see. It is gobbledegook.

Don't use diskdrake to set up encryption: it won't work, and it won't allow you to encrypt /var anyway.

As a consequence of /var being on a separate partition, and the need not to waste disk space, postgresql may need to live in /home rather than /var/lib/pgsql.

Remember to lock the screen if you use a screensaver.

See note below on suspend to RAM.

Keep a copy of your new init script, because if you upgrade or update with urpmi, it will be overwritten by the defaults. In order to prevent this occurring, add this to the urpmi configuration.

5 An aside on dm-crypt / cryptsetup

Actually, dm-crypt is the most promising way, but it involves too much fighting with Mandrake's init-scripts. Also, diskdrake doesn't understand it, and I would guess that drakupdatefstab won't either. There is no need to use it (loop-AES is fine), but since I attempted it, here are some brief notes.

It works, but it won't work on reboot yet.

To make it automatically mount on reboot, we need to get the cryptdisks init script. Download it from here, save it in /etc/init.d with mode 700, and comment out the line which reads set -x. Then ln -s /usr/bin/cryptsetup /sbin/cryptsetup, since the Mandrake package puts cryptsetup in /usr/bin and the script expects it in /sbin.

Save a copy of the init script, then edit it. Just after the line service udev start, put the following.

This will work, provided that we fix the cryptdisks script so that it keeps prompting for a passphrase if the wrong one is entered. It might be possible to make udev do this. However, cryptsetup create returns 0 whether or not it succeeded. This makes it hard to distinguish success from failure in a script.
Note that, unlike losetup, unmounting a mapped device does not cause the encryption key to be forgotten. This may, or may not, be a good thing. You can forget the key with cryptsetup remove.

Configuring X and the Trackpoint

Most of this works just fine as installed. But, we can do better. Note: to make a change take effect, it is necessary to restart X. Logging out is not sufficient if using kdm; restart the display manager from the console with service dm restart.

0 Upgrading the version of Xorg to 6.9.0

When Mandriva 2006 was released, an unstable version of xorg was used (xorg-cvs20050915). This basically works, but EmulatedScroll didn't work quite properly. Since 6.9.0 is now out (as of December 2005), and SeerofSouls have provided a cooker backport, it is worth installing. UPDATE April 2006: Xorg 6.9 is now in the mandriva community main urpmi source, so just use urpmi.

Find out which xorg packages are installed: rpm -qa | grep -E 'xorg|X11R6'. I had the following.

Download these from the SeerofSouls mirror. I didn't set this as an urpmi source because I don't want to pull in all the upgrades from there.

Install the packages with urpmi.

Get the updated packages from the community mirror: urpmi --auto-select.

Log out. Then restart X: service dm stop; service xfs restart; service dm start.

1 Graphics Driver and 3D
The graphics card is an ATI Rage 128 Mobility. This used to use the r128 driver, but now use the ati driver. This is correctly detected by Mandriva, and the driver is both free and stable. In case of difficulty, the vesa driver works universally.

3D acceleration just works on this ThinkPad under Mandrake, without any need to install binary drivers from ATI (ATI drivers only started being binary-only, ugh, for 3D in their later cards). However, it is necessary to set the graphics to 16-bit colour, as there is insufficient memory for DRI at 24-bit colour. You can test 3D acceleration by running glxgears; I get about 780 frames/sec at 16-bit. The performance is good enough to enjoy tuxracer, or helios. In case of 3D problems, see below.

Various graphics modes (resolutions) are available by default: there are 1600x1200, 1280x1024, 800x600 and 640x480. To switch between these (eg to play tuxracer, or to use a projector), use xrandr or xvidtune.

xrandr is invoked as xrandr -s NUMBER and allows you to re-size the entire desktop (xrandr is X rotate and resize).
krandrtray is invoked as krandrtray and is a KDE system-tray GUI for xrandr.
arandr is a graphical version of xrandr that runs on various desktop environments.
xvidtune is invoked as xvidtune -next and changes the viewport onto the desktop. For example, an 800x600 viewport which can be panned around on top of a 1600x1200 desktop.

In Mandrake 9.1, it was necessary to increase the HorizSync and VertRefresh ranges in the X config, but this is no longer required. The defaults of 31.5-90 and 60 are fine.

The resolution at the virtual terminals may be increased by using vga=794.

Aside for X22 laptop: install driconf, and run driconf as a normal user. No need to restart X afterwards. This allows you to enable HyperZ, which improves glxgears performance from 400fps to 970fps. This option isn't relevant for the A22p.

2 External Display
The external display is normally a copy of the LCD, although it can be used as a dual-head setup. I've seen this in W98, and believe that it can be done using Xinerama. The BIOS uses Fn-F7 to cycle between LCD, CRT and both, and it takes about 3 seconds for the display to initialise.

However, most projectors won't work at 1600x1200. In order to guarantee success:

Make sure that the mode (such as 1024x768 or 800x600) is working on the internal LCD.

Plug in the projector, and use Fn-F7. If both LCD and Projector are enabled, then with some projectors there may be problems with timing errors. The symptoms are distortion, flickering, the LCD monitor may complain about timing frequencies, and the projector may fail to display anything or mis-sync, giving a sliced image. If so, use Fn-F7 again to have only the projector (of course, this means that there is no Autocue, so have a printout of the slides available).

Use xrandr -s 800x600 to resize the desktop as necessary to fit onto the projector.

Give the presentation. NB: practice in advance, text not too small, test projector in advance, have printout of notes, check timing, speak slowly, be calm.

Aside for X22 laptop: ibmacpi doesn't properly co-exist with Fn-F7. To enable Fn-F7 to switch displays between LCD, CRT and both, it is necessary to enable BiosHotKeys in the Device section of the X config.

3 S-video ports

The A22p has S-video input and output ports. I've never had occasion to use them, but atitvout -f may help.

4 Font Sizes

The fonts are too small. This is because most monitors are 75 dpi, whereas this one is actually a wonderful 133 dpi. Three alterations are needed:

Add the DisplaySize line to the X config.
Change the dpi line in /etc/X11/Xresources, where 133 is the value of xdpyinfo | grep resolution.
Unfortunately, the gnome-font-properties program (which configures GTK applications) does not respect the value from the X server. Start gnome-font-properties, click details, and manually change the resolution from 96 dpi to 133 dpi.
Then, logout and re-start X. The fonts should all look better and larger. The font faces themselves, and anti-aliasing, are described below.

5.1 Mouse device

As of kernel 2.6, instead of using separate devices for each mouse, the kernel merges them together into /dev/input/mice. This is fine, provided that you are not trying to do anything too clever (such as having a graphics tablet). However, we can, if desired, specify the correct mouse. This will be one of /dev/input/mouseX, but the value of X may vary depending on what is plugged in. The solution is to use udev to create a symlink to the correct device.

We can discover which mouse we want by doing cat /dev/input/mouseX and wiggling the mouse. In this case, it happens to be /dev/input/mouse0. We want to create a udev rule to symlink /dev/input/trackpoint -> /dev/input/mouse0. Find out about the device with udevinfo: udevinfo -a -p /sys/class/input/mouse0. Add the following to the udev rules.

Modify the X config to refer to /dev/input/trackpoint rather than /dev/input/mice.

Reboot, since the PS/2 port doesn't like hotplugging.

This works. Note the following:

If multiple mice are now needed, the ServerLayout section should have one CorePointer and the others set to SendCoreEvents.
For the A22p, it is also valid to use /dev/psaux for the trackpoint device.
Note: we don't want /dev/input/eventX, nor do we want /dev/input/tsX, since these can cause subtle errors.
If the X server fails to start, Mdk will helpfully re-detect the mice, and overwrite your carefully constructed file. So keep a copy.

5.2 Mouse buttons

The buttons on the Thinkpad A22p are exceptionally well-arranged, and the resulting behaviour is extremely flexible.

Button 1: ordinary left-click.
Button 3: ordinary right-click.
Button X: ordinary middle-click (i.e. paste). Button X is achieved by pressing btn1 and btn3 together.
Button 2 + move trackpoint: vertical AND horizontal scroll.

Here is a diagram of the layout.

To achieve this, we need the following:
Emulate3Buttons on: this means that Button 1 + Button 3 = emulated middle button.
EmulateWheel on: this means that Button 2 + move mouse = emulated scroll wheel.
EmulateWheelTimeout 0: this means that Button 2 does not generate middle-clicks. Only Button X does.
YAxisMapping 6 7: vertical scroll generates a series of button 4,5 events, which the application treats as a vertical scroll.
XAxisMapping 4 5: horizontal scroll generates a series of button 6,7 events, which most applications treat as a horizontal scroll.

No, that's not a mistake: it cancels another bug, namely the existence of /etc/X11/xinit.d/mousebuttons, which swaps buttons 4/6 and 5/7. Horizontal scrolling is misinterpreted as forward/back in Mozilla. See below for the fix.

Newer Thinkpads have 3 buttons in a row. As of Xorg 6.9, they can use EmulateWheelTimeout, to allow Button 2 to be both scroll and middle-click. This works extremely well, except for a few applications (xfig, pcb) which use middle-button drag, so cannot coexist with EmulateWheel. For older versions of X, see here for alternatives.

The mouse options are documented in man 4 mouse. But there is sometimes another mouse manual page of the same name, documenting the electronic protocol for mice. To get the right man page, use man with the section number.

For testing, use xev to identify button presses and xmodmap -pp to show the button mapping.

Note: before upgrading xorg to 6.9.0 (as above), the following things were different:
The X and Y axes were switched, i.e. Option YAxisMapping 4 5 and Option XAxisMapping 6 7, because /etc/X11/xinit.d/mousebuttons didn't work.
EmulateWheelTimeout had no effect. It was stuck on the default 200ms.
The ZAxis mapping to some non-existent buttons was needed.

5.3 Cursor Theme

The cursor theme can be selected by running choosecursor, or from kcontrol - Peripherals - Mouse. I like the crystal cursors theme.

5.4 Mouse

Here is the mouse section of my X config.

6 Trackpoint sensitivity
The trackpoint can be set to have a very light touch, which I prefer. The old way, using the excellent tp4d, is described here, but it doesn't work with Mandriva 2006, preferring a 2.4 kernel with apm and XFree86. There is now a driver in the kernel, but it requires either a patch and recompile, or a kernel 2.6.14 or later. See below for the kernel upgrade.

Once the kernel has been upgraded to 2.6.14, the trackpoint can be configured by echoing values from 0-255, without a trailing newline, into the appropriate file in /sys. Eg: echo -n 255 > /sys/devices/platform/i8042/serio0/sensitivity. Once adjusted to taste, add it to the startup scripts.

The result is a very light sensitivity for the trackpoint. Note: don't rest your finger on the trackpoint; if it starts to drift, take your finger off it for a second to allow it to re-calibrate. This is normal behaviour, especially at high sensitivity. Negative inertia is explained by IBM.

Lastly, set up the Xorg mouse acceleration in kcontrol - Peripherals - Mouse - Advanced. I use: Pointer acceleration 2.0x, Pointer threshold 4 pixels, Mouse wheel scrolls by 5 lines.

CAPS-LOCK is evil. It always seems to lurk in waiting on top of the tab key. Furthermore, it is the correct and natural position for the Control key.

Either use xmodmap, by including this in your xmodmap file, or use the KDE control center: Accessibility - Keyboard Layout - Xkb Options - Make CapsLock an additional Control.

Special and accented characters can be entered using the AltGr key. For example, the µ symbol is entered with AltGr-M. To get accented characters, use AltGr and one of the accent keys, followed by the character to accent. AltGr is sticky in this context. Alternatively, GTK applications support entering Unicode characters directly: to enter U+00B5 (the µ symbol), type Ctrl-Shift-U, B, 5 (the leading 0s are optional).
Ctrl-Alt-Del, Ctrl-Alt-Backspace and Ctrl-Alt-Esc are used to, respectively, reboot, restart X, and kill an application. KDE now traps Ctrl-Alt-Del, so it won't instantly reboot the machine. But Ctrl-Alt-Backspace will instantly kill the X server. This is dangerous, especially if you use sticky keys. So, uncomment this line in the ServerFlags section of the X config.

Ctrl-Alt-Esc is occasionally useful: it's a shortcut for xkill.

There are quite a few modifier keys used by X, and listed in kcontrol - Keyboard Layout - Xkb Options. Here is a brief summary:

Meta is roughly Emacs-speak for Alt. Sun keyboards have Meta, whereas PC keyboards have Alt.
AltGr (RightAlt) is AlternateGraphic, for other characters such as µ, which is entered as AltGr-m.
Compose is an alternative way to get composite characters. Eg © is entered with the sequence Compose o c. However, unless using Unicode, it only duplicates the functionality of AltGr and isn't really required.
Super is often mapped to the Windows key (which isn't present on ThinkPads), and is usually used for extra window-manager functions and custom global program shortcuts.
Hyper is also sometimes, but uncommonly, used. It may be mapped to the Menu key (not present on ThinkPads).
Mod1 - Mod4 are the internal names used by the X server for the modifiers; up to 4 are allowed. Usually, Mod1 = Alt/Meta, Mod2 = NumLock, Mod3 = AltGr (KDE 3rd level), and Mod4 is free.
Space Cadet keyboards have all of the above, and can enter 8000 characters. Of course, this leads more to parody than to usability.

Note that many Linux programs still only understand ASCII (7-bit, 128 characters max, see man ascii), or if you are lucky, they understand one of the extended upper-half character sets such as Latin-1 (8-bit, 256 characters). The right way to do it is Unicode with UTF-8. See below to fix the GTK keyboard shortcuts.

8 Miscellaneous

Here are a few random snippets of information.
Fn-F7 switches between LCD, LCD+CRT and CRT. But if you are in a virtual console, the LCD is blank in LCD+CRT mode. Under X, the LCD works as expected.

Switch on screen expansion in the BIOS. Otherwise, 800x600 will only use the central quarter of the screen.

LCDs look horrible at non-native resolution. But it's much better for games, since it reduces the CPU load and allows a higher frame rate. Eg tux-racer at 640x480.

There was, in 9.1, a bug in the r128 driver which caused occasional lockups with 3D GL things. This appears to have been fixed, but for reference, here is the information.

The xev (XEvent) program is very useful to see what is going on: it prints keycodes, keysyms and button-press diagnostics to the screen.
xmodmap allows you to change particular keyboard and mouse-button mappings.
setxkbmap gb allows you to set default keyboard mappings. Useful if you did something stupid with xmodmap.
xbindkeys allows you to define key combinations to launch programs.
xclip copies and pastes from stdin/stdout to/from the clipboard.
xmacro lets scripts generate key/mouse events, eg echo -e "KeyStr Z\n" | xmacroplay :0.

For the PC speaker, or Bell, see sound.

9 Mouse Emulation

Mouse emulation in X/KDE works as follows. The keys below refer to the numeric keypad, so this is really more relevant to desktop machines.

Shift-Numlock: turn mouse emulation on or off.
8, 2, 4, 6, 7, 9, 1, 3: move mouse pointer up, down, left, right, diagonally.
5: press the mouse button.
/, *, -: select which mouse button is emulated by pressing 5 (respectively left, middle, right).
+ double-click; 0 click-and-drag (0 holds the button, . releases it).
Note 1: when restarting the X server, it is necessary to restart the dm service. Logging out is insufficient.

Note 2: Make sure to keep a copy of the X config, since Mandriva helpfully re-writes it whenever anything goes wrong. Unfortunately, making the file non-writeable doesn't help, because processes running as root don't respect file permissions. However, we can set the file attributes to be immutable using chattr. Immutable files cannot be altered by anything without first unsetting the immutable flag. So, as root, do chattr +i on the file. See also lsattr.

Note 3: This is also a good time to introduce RCS version control. Use ci -l to check in the latest revision of the file, and generate an RCS file (with a ,v extension). The -l makes ci check out the file again immediately. See also co.

11 Aside: EmulateWheelTimeout for X- and T-series

In the recent updates for Xorg, the EmulateWheelTimeout function has temporarily broken. This is irrelevant on the A-series, but of vital importance for users of T- and X-series thinkpads, which have 3 buttons in a row. For these machines, we have to use EmulateWheelTimeout in order to have both scroll and middle-click functionality. Unfortunately, although it has been fixed in xorg, the Mandriva packages have not included the patch. This means compiling it directly. To do so, use rpmbuild:

Get the latest xorg from the SRPMS directory on the mirrors. I used the one from SeerOfSouls.
Install with rpm -i.
Get this patch (attached to comment 8 on the xorg Bugzilla).
Apply it to the source.
Now build the RPM: cd /usr/src/RPM/SPECS; rpmbuild -bb on the spec file.
Finally, the RPMS will be in /usr/src/RPM/RPMS/i586; install the packages as desired.

Now, clean up, or there will be over a GB of wasted disk space. When the rpm tool installs a source RPM, it merely unpacks its source into the /usr/src/RPM/SOURCES directory. Thereafter, it isn't listed by rpm -qa and cannot be removed with rpm -e. So, some judicious use of rm -rf in the directories /usr/src/RPM/SOURCES and /usr/src/RPM/BUILD is required.
1 Font sizes

First, sort out the font sizes by configuring X correctly (see above). This is necessary, since the 1600x1200 screen has a much higher DPI than normal.

2 Font Types (bitmap, truetype, antialiased, hinted): Introduction

De-uglification of the fonts is quite easy to do (examples), but fairly long to explain. Here is my short summary. There are several types of fonts:

Bitmap fonts (75dpi, 100dpi). These are the old-style X fonts, and cannot be scaled. They also cannot be printed. However, they look excellent on screen, iff they are displayed at their native size. Only certain point sizes are available, and these fonts cannot be anti-aliased. Eg Helvetica 8, 9, 13pt look excellent; 11pt looks poor; 10, 12pt are unavailable.

True-type (scalable) fonts. These fonts are the modern, resizable ones, which look curvy. The outlines are generated from vectors, and mapped onto a pixel grid. However, how exactly should the fonts be scaled to match the pixels?

Scale, but don't anti-alias. Each pixel is either black or white. This means that the font is sharp, and easy to focus on, but the coarse pixellation usually results in a horrid, spidery effect with jagged outlines. This is the well-known "bad Arial fonts on Linux" problem. Here's a sample comparison (left/right).
Scale and anti-alias. Fudge the curves by setting the intermediate pixels to varying shades of grey. This blurs the edges of the font, creating a smooth outline which is on average faithful to the original vector. For very large fonts (in headlines), and fonts used in images, it looks good. But for normal text, it is a matter of taste. Some people like the smooth edges, but I personally find them blurry and out of focus, and they give me eye strain. It's not quite so bad on this wonderful 133dpi monitor of the ThinkPad, but dreadful anywhere else. Sub-pixel rendering is a possible solution: it uses the 3 coloured pixels of the LCD to triple the horizontal resolution of the anti-aliasing. But the result is colour-fringing of the fonts. If you look at the result using xmag/kmag you will see what I mean. However, some people do really like this smoothing effect. The Bitstream Vera or DejaVu fonts are the best for this.

Use properly hinted fonts and don't anti-alias. Hinting means that when the font is scaled, instead of keeping its shape perfectly the same, it is carefully distorted to fit better over the pixels. The result is that the font face looks slightly different, but it is always sharp, and free from ugly artifacts. For example, the letter e sacrifices its Times-New-Roman nature in favour of clarity. These correctly hinted fonts do not need anti-aliasing, and anti-aliasing often makes them worse at small sizes. The Microsoft fonts are best for this. For interest, here's a comparison of Microsoft's and Apple's different approaches to smoothing.

Lastly, when the font is very large (eg 15pt, or used in an image), anti-aliasing makes the edges less jagged, without harming readability.

Here are some images of the different fonts. Try enlarging it with xmag/kmag to see the details (not firefox-zoom, which will antialias). More examples are here (scroll down).

Bitmapped: clear, but un-scaleable. For terminals.
True Type, non-antialiased: spidery.
You've probably guessed that this means I like the hinted, non-anti-aliased fonts. The snags are that most of the Linux fonts are not well hinted, and that the bytecode interpreter for interpreting hinting information is covered by an evil software patent. The Mandriva packages use the autohinter, which works adequately with the Bitstream fonts, but very badly with the MS fonts. The PLF packages use the bytecode interpreter, which works very well with the MS fonts, but not with the Bitstream fonts. Furthermore, many fonts look better at certain sizes than at others. This means:

Install the Microsoft corefonts, which are free-as-in-beer. These are very well hinted.
Install the plf version of libfreetype6.
Set up the applications to use the new fonts.
No half-measures: a compromise will be much worse than either extreme.

3 Configuring Freetype, installing well-hinted fonts

So, actually doing it:

Take a screenshot of how things look now (with ksnapshot) for later comparison.

Install the Microsoft Core Fonts. Before I wiped out Win98, I kept a tarball of C:\Windows\fonts. Install the files, but not the files, using either the Mandrake Font Installer (in Mandrake Control Center), or KDE's font installer (KDE - kcontrol - System - Font Installer). Alternatively, there are the Microsoft webfonts (which are free as in beer), which can be downloaded from sourceforge. Tahoma isn't necessarily included in corefonts, but it is available for download here.

Installing a version of libfreetype with support for the bytecode interpreter (hinting). First, download the penguin-liberation-front packages for libfreetype6 and -devel.
Then, install them instead of the Mandriva packages. However, urpmi won't upgrade them, since the replacement version is in fact slightly earlier. If you use urpme to remove the Mandriva packages before installing the PLF ones, you'll end up uninstalling your entire system. This is one of those rare occasions when using rpm with --nodeps is justified.

Find the names of the packages which are installed: rpm -qa | grep libfreetype.
Forcibly uninstall them, without removing packages which depend on them: rpm -e --nodeps libfreetype6-2.1.10-9.1.20060mdk libfreetype6-devel-2.1.10-9.1.20060mdk.
Install the PLF packages with urpmi.
Prevent urpmi --auto-select from re-installing the Mandriva packages: add this to the urpmi skip list.
Restart X (logout, service dm restart).

4 Font settings for applications

Now, we need to configure the applications to use the new fonts. We want to use hinted fonts, with anti-aliasing off except for large font sizes. Note that the precise font sizes need to be controlled per machine, since the display resolution affects their weight. Eg Tahoma 10 looks a lot better than Tahoma 9 or 11. Also, it is worth playing with the upper limit of the Antialiasing exclude range; generally, the higher the resolution (DPI) of the monitor, the smaller this number can be. The aim is to make headlines look smooth, and text look sharp. Lastly, to add confusion, OpenOffice and Mozilla Firefox work in pixels, not points. Here are the settings which I use on the A22p at 133 dpi and, for comparison, my desktop machine at 99dpi.

Font: Thinkpad A22p, resolution 133dpi.
Font: Desktop, resolution 99dpi.

Repeat for root. If desired, repeat the above with sudo for applications when they run as root (eg Mandriva Control Center).
Web browser font test. Web browsers show different fonts depending on the CSS font-family property. Note that you can configure the browser as to precisely what font it should show for the various families, as well as allowing/disallowing the use of web-page specified fonts. Here are the various families, so you can see what they look like in your browser.

This is your chosen serif font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text.
This is your chosen sans-serif font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text.
This is your chosen cursive font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text.
This is your chosen fantasy font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text.
This is your chosen monospace font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text.
This is what you get for the "times" named font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text.

5 Fix GTK weirdness

Fix GTK applications with KDE. Unfortunately, there is a problem with GTK applications: every time X is restarted, they lose their font settings (which are defined by gnome-font-properties), and go back to ugly defaults. The way to fix this is to run gnome-settings-daemon. This could also be achieved by starting and stopping gnome-font-properties. Note that the side effect is to start xscreensaver and the gnome-accessibility stuff (key repeats). Unfortunately, there doesn't seem to be a simple workaround in the complicated startup scripts.

Thus, I append this to the end of my KDE startup script.

Log out and in again if desired to check everything. Take another screenshot if desired, and enjoy the difference.

7 A few more notes on fonts
Selecting fonts: xfontsel is useful. A font is unambiguously described by both foundry and name (and size and style), e.g. adobe-times-iso8859-1. However, in KDE, fonts are known just by their name when unambiguous (e.g. Bitstream Vera Sans), and with the foundry in brackets when it is required, e.g. Fixed (Misc) or Fixed (Sony). Also, note that Times (adobe-times-iso8859-1) and Times New Roman (Microsoft TTF) are quite different fonts. It's also possible to use fontconfig to make substitutions, for example so that whenever an application asks for Arial, it actually gets Tahoma. After updating the font configuration, it's often necessary to update fontconfig's cache: fc-cache -v

For desktop users with antialiased fonts and LCD monitors without DVI: LCD monitors auto-adjust by aligning their clock with vertical lines in the image. But if all the fonts are antialiased, there are no hard edges to crunch on, and the monitor calibration is often poor. Here is a 1280x1024 chessboard: view it at 100% size, then press auto-adjust on the monitor.

The point is a unit of length, defined as 1 point = 1/72.27 inch; in computing, it is usually redefined to 1/72 instead. A 10-point font means that the full height of a row of text is 10 points. The em is the height of an M (or the width of an m) in that font. For example, at 96 dpi, 12pt = 16px; at 133 dpi, 10pt = 18px.

The GIMP freefonts are good, and may be downloaded from here. Also, have a large number of fonts available for preview.

Summary: it's all about personal choice. If you get used to AA, then switching back to non-AA feels a bit weird for a while. Likewise, vice versa.

1 Introduction
Xscreensaver is a much nicer package than the KDE screensaver, and has a wonderful configuration program (toy), xscreensaver-demo. The really slick screensavers and fireflies are also great. Install the following packages: xscreensaver xscreensaver-gl xscreensaver-extrusion xscreensaver-matrix rssglx fireflies rssglx-matrixview. Configure xscreensaver (xscreensaver-demo) to lock the screen, and when suspending the laptop, or there is no use having an encrypted laptop. To start xscreensaver automatically, first disable the KDE screensaver, then add the following into

xpenguins -a -b and xearth are also fun, but you need to enable "Programs in desktop window" in KDE Control Centre - Look and Feel - Behaviour.

2 r128 (ati) Workaround

There is an obscure bug in the r128 (ati) graphics card driver when it interacts with GL programs and the mouse cursor theme. The effect is that, whenever a GL program is running, the mouse cursor changes from the nice blue crystal-cursors theme to a black-and-white mottled one. I suspect this bug is too obscure to troubleshoot. However, it can be worked around by one of:

- Revert to the core X default cursor theme, or
- De-select the GL screensavers in xscreensaver-demo, or
- Kill and restart xscreensaver every time it unblanks.

Here is a script to do the last one automatically: save it as ... and start it in ... instead of directly running xscreensaver. Note: this must be started before gnome-settings-daemon.

1 Sound configuration (ALSA)
In Mandriva 2006, sound just works. The snd-cs46xx modules are correctly detected for ALSA, and even better, ALSA now has dmix enabled by default. Previously, sound applications required an exclusive lock on /dev/dsp and would not share it. Sound servers such as artsd were a partial solution, but the latency was a problem and not every application had an arts-output capability; artswrapper/soundwrapper didn't always work. However, with dmix, all is happy: multiple applications can output sound to the sound card simultaneously, provided that they use ALSA output rather than OSS (i.e. /dev/dsp).

- Most applications (e.g. mplayer, amarok, vlc) can do this: simply set the output plugin to alsa.
- Even the KDE sound server can output to ALSA. But see below.
- Some applications only understand OSS, e.g. /usr/bin/play. In these cases, use aoss to intercept the call to /dev/dsp and redirect it to ALSA, e.g. aoss /usr/bin/play. Actually, play itself is just a script, and can be edited to include the aoss anyway.
- QEMU doesn't work with aoss, so it has to have the sound card to itself.
- CD playback can be done digitally via ALSA (e.g. by alsaplayer, kscd, vlc) or directly through the sound card.

For more technical details on ALSA, see this excellent introduction, this tutorial, and this page about dmix. If you have multiple sound devices (e.g. an external USB soundcard), finding the correct name in ALSA terminology is slightly complex. To get information, use aplay -l and amixer -c 0 scontrols, and look in /proc/asound. For example, default:1,0 means use the default ALSA interface to the second soundcard, on the first channel; dmix:1,0 explicitly forces ALSA to use dmix, whereas hw:1,0 usually prevents dmix from working.

Finally, artsd has a very noticeable startup latency (especially when playing system notifications), and it is finally obsolete. Arts can be configured to use ALSA for output, but it is unnecessary. I have the KDE sound system (kcontrol - Sound - Sound System) disabled, and play system-notification sounds thus:
kcontrol - Look'N'Feel - System Notifications - Player Settings - Use external player. External player is bin. I have the following script, named:

3 System bell

To get the system bell to work, it is necessary to load the pcspkr module (see above). Then, in kcontrol - Sound - System Bell, make sure "Use system bell instead of system notification" is checked, and set the beep to 440 Hz (concert A) and duration 30 ms.

Make sure Konsole is set to use it by choosing Settings - Bell - System Bell. Then test by pressing Ctrl-G, and you should be instantly greeted by a short, friendly beep.

For use in scripts: echo -e '\a'. Or install gnubeep, and try sweeping it over a range of frequencies in a loop.

4 Sound Mixer

The mixer volumes are changed with kmix or gnome-alsamixer (alsamixergui), and if required can be manually saved/restored with alsactl. aumix is obsolete, and doesn't support all the mixer controls. To reduce hiss, keep all volumes below 90%, and ensure that the Mic channel is muted. As with all internal soundcards, one can hear some interference from the CPU.

The Thinkpad has some buttons for volume up/down/mute. These are in series with the mixer. If desired, their state can be displayed on-screen by using tpb.

amixer is a very useful non-interactive command-line mixer control, usable in scripts etc.

speaker-test is helpful for identifying which channel is connected where, and for emitting a test sine wave.

5 Microphone

On my Thinkpad, the internal mic is broken. However, the Mic input is fine. This input provides a bias voltage, capable of powering an electret microphone. A pair of headphones will work as a quasi moving-coil microphone; however, I have been extremely impressed by the Microphonics microphones: tiny, high-quality electret condensers built into a stereo 3.5mm jack plug and costing a mere 7-10. It is also necessary to enable the 20dB Mic Boost in the mixer.
Recording sound isn't as straightforward as expected. You may find that even though you can get the mic to work through the speakers, you can't record from it. This usually indicates that the ADC is disabled. Here's what I had to do:

- Start gnome-alsamixer.
- Make sure that all 3 of the Mic, ADC and Capture controls are set to Record.
- Mute the Mic input (the speaker icon should be greyed out). This prevents feedback, unless you are using headphones.
- Optionally, enable the Mic boost (20dB). This gives much greater sensitivity at the expense of some extra hiss.

It should now work. Try using the command record -i mic, and you should be able to see the left and right levels move up and down. If so, it's working.

An alternative is to use the ALSA program arecord, thus: arecord -f cd -t wav -D front

amixer can be used to turn on the required mixers.

Note 1: the record program is part of the xawtv-misc package. Note 2: Audacity disables the Capture input, and you need to re-enable it. Note 3: Gtkguitune is an oscilloscope/frequency counter, useful for tuning instruments.

MIDI is a way to synthesise music by sequencing samples of various instruments. MIDI files are a very highly compressed way to store music (or musical notation). Despite the existence of /dev/sequencer, this machine doesn't have support for hardware MIDI synthesis; however, excellent results can be obtained by using the software synthesiser TiMidity. It's also necessary to install a patch set (i.e. some samples), such as timidity-patch-freepats.

Mandrake also provides a timidity service. This doesn't work well: it seems necessary to run the timidity daemon as a normal user, and not via the timidity service. However, my suspend script above doesn't account for this, and must be modified to kill/restart timidity on suspend. Otherwise, sound will not come back on resume.

An excellent article about MIDI is provided by the Linux Journal: Part 1, Part 2, Part 3, Part 4. Music composition/score-editing tools include rosegarden and hydrogen.
Note that the KDE control centre's "Test Midi" button doesn't work, and in fact has never worked.

7 Multimedia Applications

There is a vast number of media players available. Generally, you need to install the PLF versions to have the full functionality. These are the ones I like the best:

- Mplayer: plays practically everything. Run it from the command line, or use gmplayer for the GUI, or mplayer-plugin from Mozilla.
- VLC (videolan client): also plays virtually everything. Probably the best for DVDs.
- Amarok: excellent program for enjoying your music files. Use the xine back-end.
- JuK: similar to Amarok; some prefer it.
- XMMS: somewhat venerable, but rapid startup, and very good for audio.
- Kmidi (GUI) and TiMidity (CLI): for playing MIDI files.
- Alsaplayer: for playing music and CDs. A key feature is adjustable-speed playback (even reverse).
- KsCD: CD audio playback.
- /usr/bin/play: a wrapper for sox, which plays sound files.
- festival, espeak, mbrola: speech synthesis programs.
- play, rec, cdp, cdplay, ogg123, mpg123, sox, aplay: useful command-line programs.

I recommend uninstalling noatun and kaffeine.

8 Audio Streaming

To set up your own audio or video stream, use VLC. It's surprisingly easy; here's the howto.

To listen to a real-audio stream, use mplayer or realplayer. See below.

Here is how to record from internet audio streams.

It is also worth mentioning personalised radio, which requires the latest version (1.4.1) of Amarok.

Another collaborative filtering system is iRate.

9 Multiply opened /dev/dsp
Normally, /dev/dsp can only be used by one application at a time. This is the case with most hardware (such as my desktop Intel motherboard), and is why we need ALSA dmix. However, the A22p's sound card does permit /dev/dsp to be opened multiple times simultaneously. This is directly due to the hardware, not to the kernel or to ALSA (although I'm sure it wasn't supported in kernel 2.4). Experimentally, we can have up to 32 simultaneous accesses before failing to open /dev/dsp. Thus, much buzzing: for i in $(seq 1 32); do play -d /dev/dsp ... & sleep 0.05; done

10 Soundcard distortion: CPU whine and hiss

The CPU causes a very quiet whine to be heard over the soundcard. It isn't really noticeable, except with an external amplifier or headphones. It is caused by the CPU power state switching back and forth between idle and active. A test is to force the CPU to always run at full speed: nice -n 19 yes > /dev/null. This doesn't harm performance, but it's too ugly to use as a proper fix; besides which, it eats battery and will make the CPU fan come on. A slightly less ugly solution is modprobe -r thermal processor. The best solution would be the Dynamic Tick patch from here.

There is also a slight degree of hiss. This can be nearly eliminated with the following mixer settings (use gnome-alsamixer):

- Ensure that no level is set to maximum. This includes the hardware volume control (from the volume buttons); 90% is fine.
- Mute every unneeded control: Mic, IEC958 Input.
- Set the 3D control switch to ON, but the sliders to 0. No idea why this helps.
- Increase the signal-to-noise ratio by keeping the software mixers high (90%) and controlling the sound level with the hardware volume control.

There is also a slight pulsed buzzing (about 0.5 seconds, every 2 seconds) which occurs when any USB removable storage device is present.

11 External USB soundcard
When playing back music through an external amplifier, it's worth buying an inexpensive external USB soundcard, such as the Creative MP3 or the Behringer UCA202. These provide dramatically better quality, because they don't pick up interference from the other signals inside the computer case. Thinkpads are much better in this regard than most, but not ideal. It's also a simple way to make sure that when music is played loudly, system sounds and beeps are not excessively amplified.

12 Soundcard troubleshooting

For sound troubleshooting, Mandriva recommend the following sequence:

- lspcidrake -v | fgrep -i AUDIO will tell you which driver your card uses by default.
- grep sound-slot will tell you what driver it currently uses.
- /sbin/lsmod will enable you to check whether its module (driver) is loaded or not.
- /sbin/chkconfig --list sound and /sbin/chkconfig --list alsa will tell you if the sound and alsa services are configured to be run in this runlevel.
- aumix -q will tell you if the sound volume is muted or not.
- /sbin/fuser -v /dev/dsp (as root, if necessary) will tell you which program uses the sound card in OSS mode. Programs which access the soundcard via ALSA, rather than by writing to /dev/dsp, will not show up here.
- /sbin/fuser -v /dev/snd/* (as root, if necessary) will tell you which programs are currently outputting sound to ALSA.

Don't forget to check whether sound is also muted in hardware (use the volume buttons), or in the application itself.

1 Lucent WinModem driver

The internal modem is a Lucent WinModem, with a proprietary driver. There is no free driver in the kernel, but the modem does work.

- Ensure you have the source for your current kernel installed (see below).
- Download and run scanModem for information.
- Download the source package.
- Untar, and change into the directory: tar xvzf ...; cd ltmodem-8.31b1
- Become root.
- ./buildmodule to compile the module (don't try buildRPM, since it has specfile problems). Repeatedly press Enter. This results in the modules.
- ./ltinst2 to install the modules. This fails to complete the first time; don't worry, it will succeed in a moment.
- cd source; make mdkinstall; cd .. This successfully installs the modules in the destination.
- ./ltinst2 to finish the installation.
- ./autoload to make the modules load automatically at boot time. Adds ltserial to
- ./checkout to finish.

/dev/modem is now a symlink to /dev/ttyLTM0. Test it by querying the modem with kppp.

Note: it is necessary to repeat the above (buildmodule; ltinst2; cd source; make mdkinstall; cd ..; ltinst2) every time a new kernel is installed.

2 The Martian driver - for kernels 2.6.15 and above

As of kernel 2.6.15, the internal kernel interfaces have changed (e.g. MODULE_PARM becomes module_param) and the ltmodem driver above no longer compiles. Furthermore, there is now a much better way, putting the proprietary stuff into userspace, which no longer taints the kernel. More details on the Martian driver are here. To install and use it:

- Untar. Read the README.
- In the driver directory, do make clean; make; make install.
- Add martiandrv to
- In the helper directory, do make; make install.
- Run /usr/sbin/martianhelper /dev/MODEMNAME. This creates /dev/MODEMNAME, which talks to martiandrv, which in turn talks to the modem.
- Add this to

Note: it is necessary to repeat the above (make clean; make; make install) every time a new kernel is installed.

3 Configuring kppp (modem dialer)

Here is how to set up the kppp modem dialer:

- Use /dev/modem.
- Use Dynamic IP. Do NOT "Auto-configure hostname from this IP".
- Default gateway: "Assign the default route to this gateway".
- Disable existing DNS servers during connection.

BUG: kppp fails to actually assign the default route during the connection. So, in Accounts - Execute, add:

- Before connect: sudo ifdown eth0; sudo mv ...; sudo touch ...
- Upon disconnect: sudo ifup eth0

This will work.

Define the modem network interface for the firewall: add ppp0 to /etc/shorewall/interfaces.

For occasional use, has provided good service. Or, try for which no signup is required; just use it.
PCMCIA just works. Make sure that the pcmcia service is running, and that pcmcia-cs is installed. Always eject cards in software (with cardctl eject) before physically unplugging them; otherwise, the kernel will probably panic. You must also eject cards before suspending to RAM. To find information on a PCMCIA card, use cardctl ident.

IrDA - Infrared

The Thinkpad has a 4 Mbit/sec FIR (Fast IR) port, although it can also do SIR (Standard IR, 115 kbps). IrDA basically works straight off once the right device is set. Edit /etc/sysconfig/irda and change the device from /dev/ttyS2 to /dev/ttyS1. The IR should also be enabled in the BIOS if necessary. Then restart irda (service irda restart) and switch it on permanently (chkconfig --add irda).

The irda service will also handle kernel module loading, and starting irattach. You should also see the network device irda0, which shows up in ifconfig. Don't forget to firewall off the irda0 interface. Some extra entries in /dev will be created if the correct modules are loaded, e.g. modprobe irnet creates /dev/irnet and modprobe ircomm-tty creates /dev/ircommX.

To test IrDA, as root, run irdadump: this shows the raw packets, and should show up reflections from the Thinkpad's own transmissions. Also, cat /proc/net/irda/discovery should show up other devices, and give addresses. You can ping other devices using irdaping daddr, where daddr is the value (such as 0x0d7357f2) from grep daddr /proc/net/irda/discovery. This may take a few seconds to respond. You can also see IR light directly using a CCD video camera, or a phototransistor.

Other things to be investigated: IR networking, file transfer, IR remote control via lircd, IR modem connection to a mobile phone. See also the Infrared-HOWTO.

Bug 1: chkconfig --add irda doesn't work. This is easily fixed: edit /etc/init.d/irda and change the line
Bug 2 (severe): irdadump can panic the kernel. I reported this bug, which may or may not be specific to the Samsung S300 phone. For now, disable IrDA. UPDATE 2006-08-03: this bug is now fixed upstream. It now works perfectly in the 2.6.17.7 kernel from

LAN and WiFi

1 Internal ethernet (Intel Ethernet Pro 100)

The internal 10/100 ethernet port used to use the eepro100 module; however, it should now use the e100 module. Otherwise, random dropouts occur. The eepro100 module is obsolete (it hasn't been revised since 2000), whereas the e100 is maintained and works with kernel 2.6. See here and here for more details. However, by default, the kernel loads the eepro100 module. To make sure that the correct module is used, add or modify this line in

This also has the beneficial side effect that the ethernet module is always loaded before PCMCIA starts, and so eth0 is always the internal port. It also seems necessary to prevent the eepro100 driver from loading. Add this to

Configuration with Mandriva's configuration tool (mcc) just works. Remember that, if using DHCP, it is not necessary to configure the "DHCP hostname" (it is different to the hostname), and that zeroconf should not be used. ifplugd will bring up and shut down the interface as and when it is plugged in.

Note: this port is not auto-sensing, so you will need a crossover cable to connect it directly to another laptop.

2 WiFi PCMCIA card

This card is a Netgear WG511 (version 1, 54 Mbit/sec). It is supported under Linux using the prism54 module, but the card also requires that its firmware be loaded from the host PC every time it is powered on. This firmware is not GPL, and isn't included with Mandriva; however, it is free to download. Without the firmware, iwconfig reports NOT READY and dmesg reports "could not upload firmware isl3890". The prism54 driver is in the kernel; the firmware is available from the prism54 project. The firmware required is the fullmac version, named
- Rename it to isl3890. Move it to the directory /usr/lib/hotplug/firmware.
- Eject the card (cardctl eject), then physically remove and re-insert the card.
- Now enjoy: configure with ifconfig/iwconfig or mcc (Mandrake control center) as desired.

Useful wireless tools are iwconfig, iwlist, kwifimanager and netapplet. See also the Linux wireless LAN howto.

In order to suspend the computer, it is essential to eject the card, at least in software if not physically. Otherwise, suspend will crash. Use cardctl eject to do so. On resume, physically re-insert the card, and then do service network restart (or just ifup wlan). Then run dhclient wlan if necessary to obtain an IP address.

This card reports 2 different MAC addresses, depending on its state of initialisation. But the network interface scripts identify the interface by its MAC address; as a result, the interface can only be brought up once after boot (or insertion). Subsequent restarts of the interface will fail, since the second MAC address will not be recognised. The simple workaround is to do cardctl eject, and then physically remove/reinsert the card every time. For more explanation of this difficult bug and its solution, read on.

The MAC address as reported by ifconfig -a or udevinfo -a -p /sys/class/net/wlan varies between 2 states:

- When uninitialised (before the firmware is loaded), it has the bogus value 00:30:B4:00:00:00. This is not unique between cards, and it belongs to Intersil (the chipset manufacturer). The first 3 pairs of a MAC address are uniquely allocated to the manufacturer; the final 3 pairs are allocated by the manufacturer to each card.
- When initialised (after the firmware is loaded), the card reports its true, unique MAC address (mine is 00:09:5B:C1:3A:B1), which is printed on the card, and belongs to Netgear (the wireless card manufacturer).
- The true MAC address persists until the card is powered down or ejected, even if the network is restarted.
This is because the real MAC address is unknown to the card until the firmware is loaded (probably, it cannot read its own MAC address out of its EEPROM); see /usr/src/linux-2.6.14/drivers/net/wireless/prism54/islpci_dev.c. Credit is due to Mauro Maroni for putting me on the right track by noticing the MAC range owner; thanks.

The problem is that Mandriva loads the firmware too late: it should be loaded as soon as the card is detected, but it isn't actually loaded until the network interface is brought up. Loading the firmware is eventually done by /sbin/firmware_helper, invoked by a udev rule in which is triggered on bringing up the interface.

Note: enabling logging is very helpful: set udev_log="info" in and then run tail -f /var/log/messages. To make udev aware of new rules, run udevstart.

But interfaces are identified by their MAC address. Thus we must have the bogus MAC address in /etc/iftab and /etc/sysconfig/network-scripts/ifcfg-wlan to get the interface to come up the first time. Once up, the MAC address changes. So subsequently restarting the interface will fail: ifup wlan exits with the error "interface wlan not found" / "Device wlan has different MAC address than expected, ignoring". A possible workaround to this might be to modify /sbin/ifup to allow 2 alternative HWADDR=XX lines in ifcfg-wlan.

Possible solutions:

- Try to invoke firmware_helper in the right place with a udev rule. Unfortunately, firmware_helper is undocumented. Reading the source of udev-78 (extras/firmware/firmware_helper.c) provides some enlightenment: the arguments must be supplied as environment variables, but it isn't clear what the values ought to be (especially DEVPATH).
- Write a udev rule to change the MAC address to the correct one. Use a RUN key to execute /sbin/ifconfig wlan hw ether 00:09:5B:C1:3A:B1 as soon as the device is detected. Unfortunately, ifconfig refuses to do this without the firmware.
- Bring the interface up and then down again (without assigning an IP) as soon as the device is detected. This causes the firmware to be loaded, and is the best solution. We can easily do this by piggybacking on the udev rule to name the wlan interface.

Thus, I have the following files:

The udev rules in (note that the RUN command must be the full path):

The fudge which is executed, /usr/local/sbin/firmwarefudge (remember to make this executable):

Now, the real MAC addresses can go into /etc/iftab and /etc/sysconfig/network-scripts/ifcfg-wlan.

Finally, run udevstart to make this take effect, and enjoy.

2.1 Troubleshooting WiFi connection problems

If the laptop is normally set up to use ethernet (eth0) and is firewalled, then you may have some trouble actually connecting via WiFi.

- Failure to see any access point with iwlist wlan0 scanning means either the hardware isn't working, the driver isn't loaded, or there is no radio signal in reach.
- Failure to obtain an IP address with dhclient is usually caused by firewalling issues.
- Failure to reach the wider internet (usually, you can ping the access point but no more) is usually caused by having the default route assigned to the wired ethernet device. Check this by running route. To stop eth0, do ifconfig eth0 down. Note: ifdown eth0 won't necessarily remove the default route.

This is a useful shell alias to make everything work (assuming a WEP ASCII key):

alias connectmywifi='sudo sh -c "ifconfig eth0 down ..."'

You can directly set up a simple ad-hoc network, where other machines can connect wirelessly to this laptop. To do this, we must put the adapter into Ad-Hoc mode (see man iwconfig for more). The magic incantations are:

- On this laptop: iwconfig wlan0 essid myessid mode Ad-Hoc enc off ap 00:0e:1e:11:22:33
- On other laptops: iwconfig wlan0 essid myessid mode Ad-Hoc
The ap 00:0e:1e:... sets a chosen access-point cell identity (similar to a MAC address, but not the same) in the privately assigned range; the 11:22:33 are a free choice. This option is particularly helpful in hotels which charge extortionate rates for wifi, and you want to share it. To do so, set up internet connection sharing with DrakGw, as described below.

5 USB Networking

A neat gadget to have in the laptop bag is a USB network adapter. I have a Sitecom LN-013 (USB 1.1, 10/100 ethernet) adapter. This just works under Linux, using the rtl8150 kernel module. However, this really doesn't like being hot-unplugged, and will panic the kernel. To unplug it, ifdown usblan, then rmmod rtl8150, and only then unplug it. Also, if the LN-013 is plugged in when a suspend is attempted, the laptop will crash.

6 Firewire networking

Mandriva will very helpfully configure an ethernet-over-firewire PCMCIA device. Unfortunately, this gets the name ethX, and hence adds to the confusion. So, unless we are going to use it, it can be disabled by adding this to

7 Network device names

7.1 The problem

This machine has 2 ethernet interfaces: eth0 (internal 10/100 ethernet, cat5) and eth1 (PCMCIA network card, wifi). Worse, they keep on swapping around. The kernel assigns network interfaces in the order in which they are detected. So, boot with PCMCIA plugged in and eth0 is the PCMCIA card; otherwise, it is the 10/100 ethernet. This problem gets even worse if one has an extra network card, firewire card, or USB network adapter. The root causes are these:

- Hardware is initialised asynchronously. Module loading order isn't necessarily repeatable (although it usually is).
- PCMCIA and USB NICs may not be present, but load before the motherboard's onboard adapter if they are.
- Interfaces are assigned consecutively by the kernel; one cannot reserve eth0 yet assign eth1.
- The wireless network above can get assigned 2 different interface names as its MAC changes.

7.2 Solution 1 - simple hack
Add e100 to This forces the e100 module to load before the hardware is scanned for autodetection; therefore eth0 is always the internal device.

7.3 Solution 2 - temporarily fix the mess

Go into the Mandriva control center (mcc) and delete all the network interfaces, then start again.

7.4 Solution 3 - the old way: use ifrename

ifrename is designed to rename interfaces once they are detected, so that they are consistent. This is done by using iftab and the MAC address (see man iftab and man ifrename). However, it is supposedly obsoleted by udev.

7.5 Solution 4 - the Right Way: udev

This is the modern way to do it, and allows us to pick meaningful names (e.g. lan and wlan) rather than eth0 and eth1. This assumes that eth0 and eth1 are already configured, but need to be permanently renamed.

- Create a udev rule to map the MAC address to the kernel's name. The MAC addresses can be found by looking at the output from cat /sys/class/net/INTERFACE or ifconfig -a, or printed on the bottom of the laptop. Note that the MAC addresses need to be in lowercase. Also, the wlan rule needs to cover both the bogus MAC address and the real one. Thus these are defined in

- Fix /etc/iftab so that the device is recognised as already existing: modify the names of devices in /etc/iftab to reflect the new names. Check they are the right way round first. I chose to have lan and wlan, thus:

Note: iftab is not used during normal network startup. It is, however, used by MCC, the GUI tools, and by autoconfiguration of new interfaces.

- Edit to pair the kernel modules to the devices. The interface names must match the kernel modules.

- Edit ifcfg-foo so that ifconfig knows what the network settings are. For each network interface, the settings (see man ifcfg) are stored as a series of KEY=VALUE lines in /etc/sysconfig/network-scripts/ifcfg-foo, where foo is the name of the interface.
  - Rename the file, e.g. mv ifcfg-eth0 ifcfg-lan, etc.
  - Change the DEVICE entry, e.g. DEVICE=lan
  - Make sure the MAC address is the right one, e.g. HWADDR=00:03:47:8d:da:e9

- If using static IP addresses, edit /etc/sysconfig/network and change GATEWAYDEV=ethX to the correct interface name. This isn't relevant for DHCP.

- Change any other files which refer to the old-style interfaces:
  - Shorewall: change the interface names in /etc/shorewall/interfaces and /etc/shorewall/masq.
  - ifplugd: if used, modify
  - Change the reference to eth0 used in the kppp config above.
  - Just in case: grep -inr 'eth[0123]' /etc

- Reboot to check. It may suffice to stop the network, rmmod all the modules, and run udevstart.

8 Hostname and /etc/hosts

The /etc/hosts file is used to permanently map IP addresses to hostnames. It must include localhost, and should also include the hostname of the machine. If these are missing, all sorts of weirdness and timeouts may occur. The hostname of the machine itself should never change, although a temporary hostname can be defined for each interface.

/etc/hosts may also define other mappings, overriding DNS. This is particularly useful if transporting the laptop between 2 networks, one with static IP and the other with DHCP. For example, I transport this laptop between two networks. On one (using DHCP), it is told to be 192 168 10, whereas on the other (using static IP), it is 131.111.193.203. The machine name is always toffee-pecan (our network computers are named after ice-cream flavours), but on the static IP network, it is also Thus, this is in /etc/hosts:

By default, Mandriva will set network interfaces to DHCP, and enable "Assign hostname from DHCP address". I think this is a bug: I've already chosen a hostname, and I'd prefer to keep it, thank you very much. DHCP can provide an IP address for the specific network interface, but the hostname belongs to the whole machine, and I don't think it should change. Besides which, changing the hostname without a reboot can cause all sorts of trouble.

To fix this, either:
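The udev renaming in Solution 4 above hinges on two details that are easy to get wrong: the MAC addresses must be lowercase, and the wlan rule must list both the bogus pre-firmware address and the real one. This added example (not the guide's own script) generates those rule lines from a name and one or more MACs, rejecting malformed addresses; the function names norm_mac, udev_rule and laptop_rules are my own, and the rule syntax assumed is the udev-0.7x form with SYSFS{address} (newer udev spells it ATTR{address}).

```shell
#!/bin/sh
# Added example, not from the original guide: generate udev rules that pin
# interface names to MAC addresses, as Solution 4 describes. udev compares the
# address attribute as a lowercase string, so every MAC is lower-cased and
# validated first. Rule syntax assumed: udev-0.7x (SYSFS{address}); newer udev
# uses ATTR{address} instead.

# norm_mac MAC: print MAC in lowercase, or return 1 if it is not six hex pairs.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# udev_rule NAME MAC [MAC...]: one rule line per MAC, all naming the interface
# NAME. A card whose MAC changes after firmware load (the WG511 above) needs a
# rule for each of its two addresses so the interface gets the same name twice.
udev_rule() {
    name="$1"; shift
    for mac in "$@"; do
        lc=$(norm_mac "$mac") || { echo "bad MAC for $name: $mac" >&2; return 1; }
        printf 'KERNEL=="eth*", SYSFS{address}=="%s", NAME="%s"\n' "$lc" "$name"
    done
}

# laptop_rules: the rules file content for this laptop, using the addresses
# quoted in the guide (bogus Intersil address first, real Netgear address second).
laptop_rules() {
    udev_rule lan  00:03:47:8d:da:e9
    udev_rule wlan 00:30:B4:00:00:00 00:09:5B:C1:3A:B1
}
```

Run laptop_rules and redirect its output into the rules file, then udevstart, as the guide describes.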
- Uncheck the "Assign hostname from DHCP address" option in the Mandriva control center (mcc).
- Add the line NEEDHOSTNAME=no to the appropriate /etc/sysconfig/network-scripts/ifcfg-DEVICE.
- Hack the default to be off: it's defined in either or

TODO: actually fix this.

9 Firewall (Shorewall), and Internet Connection Sharing

Mandrake uses the Shorewall firewall, configured in /etc/shorewall or by drakfirewall and drakgw. Drakfirewall simply lets you configure which ports should allow connections (usually SSH, Ping, and maybe ). Drakgw sets up a gateway for internet connection sharing, and is a wonderful tool for setting up an entire network.

9.1 Shorewall

Shorewall terminology is as follows:

- Various zones are defined in /etc/shorewall/zones. These are typically net (the big, bad internet), fw (the firewall, this machine), and loc (the local zone, or intranet, i.e. trusted internal systems). For a client-only machine, use fw, not loc.
- Each interface, such as eth0, eth1 and ppp0, is assigned to a zone in /etc/shorewall/interfaces.
- General policies are defined in /etc/shorewall/policy. Mandrake defaults to allowing all outgoing connections, but restricting inbound connections.
- Specific rules are defined in /etc/shorewall/rules. For example, to allow incoming SSH and Ping from the internet (net) to reach this machine (fw), add these lines:
- IP masquerading (for internet connection sharing) is configured in /etc/shorewall/masq. Note: /etc/shorewall/nat is not used.
To start, stop and clear shorewall, use service shorewall {start|stop|clear}. Note that the inverse of start is clear, not stop: stop will result in a completely closed firewall, whereas clear will result in a completely open firewall, as it was before shorewall was first started. In the stopped state, shorewall is safe against intrusion, but also prevents any new connections (though existing ones won't die). The cleared state is most useful for debugging suspected firewall-related connectivity issues. This is a change from previous Mandrake initscripts: it is now consistent with shorewall upstream, but not with earlier versions of Mandrake, or some other distributions. A consequence of this is that you can lock yourself out of the machine by accident. The workaround is to re-enable ssh after shorewall has stopped: add this to /etc/shorewall/stopped.

To test the firewall, run a port scan. An excellent one is Gibson Research's Shields Up. It's also helpful to run netstat -lp --inet to list which local processes are doing what. I also recommend ssh-ing somewhere else, and testing that you can get back in.

Technical explanation: shorewall is actually a front-end to netfilter/iptables. iptables is what actually does the filtering in the kernel; shorewall just generates and executes iptables commands. To see what is happening, run iptables -L. An alternative to shorewall is to write the iptables rules manually, then put these into /etc/sysconfig/iptables and run the iptables service to apply them at boot. Don't run both the iptables and shorewall services simultaneously: they are alternatives.

Shorewall Tips

Remember to firewall off all the interfaces that you use, not just eth0. This probably includes irda0, ppp0 and wlan0.

Once the shorewall rules are established and tested, run shorewall save: this will cache the compiled rules, and it will then start up much faster at boot time.
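To make the "shorewall just generates iptables commands" point concrete, here is a small added example (my own illustration, not Shorewall's code or the page's own configuration) that turns a few rule lines in the /etc/shorewall/rules layout (ACTION SOURCE DEST PROTO DEST_PORT) into the iptables commands a front-end would run. The rule lines are constructed sample input; the zone-to-interface mapping (eth0 = net, eth1 = loc) is an assumption, and only rules whose destination is fw are handled. It prints the commands rather than executing them, so it can be read and checked as a non-root user.

```shell
#!/bin/sh
# Added example, not from the original page or from Shorewall itself:
# translate Shorewall-style rule lines into the iptables commands they
# correspond to. Constructed sample rules in the /etc/shorewall/rules layout:
SAMPLE_RULES='# ACTION  SOURCE  DEST  PROTO  DEST_PORT
ACCEPT  net  fw  tcp   22
ACCEPT  net  fw  icmp  8
DROP    net  fw  tcp   23
'

# Zone -> interface, as /etc/shorewall/interfaces would define it
# (assumed mapping for this example; fw is this machine, so no interface).
zone_iface() {
  case "$1" in
    net) echo eth0 ;;
    loc) echo eth1 ;;
    fw)  echo "" ;;
    *)   echo "unknown zone: $1" >&2; return 1 ;;
  esac
}

# rule_to_iptables ACTION SOURCE DEST PROTO PORT: print one iptables command.
# Only DEST=fw (traffic aimed at this machine, i.e. the INPUT chain) is handled.
rule_to_iptables() {
  action=$1; src=$2; dst=$3; proto=$4; port=$5
  [ "$dst" = "fw" ] || { echo "unsupported destination zone: $dst" >&2; return 1; }
  in_if=$(zone_iface "$src") || return 1
  cmd="iptables -A INPUT -i $in_if -p $proto"
  case "$proto" in
    tcp|udp) cmd="$cmd --dport $port" ;;          # DEST_PORT is a port number
    icmp)    cmd="$cmd --icmp-type $port" ;;      # for icmp it is the type (8 = echo-request)
  esac
  echo "$cmd -j $action"
}

# compile_rules: read rule lines on stdin, skip blank and comment lines,
# and print the iptables command for each rule. Fails on the first bad rule.
compile_rules() {
  while read -r action src dst proto port; do
    case "$action" in ''|'#'*) continue ;; esac
    rule_to_iptables "$action" "$src" "$dst" "$proto" "$port" || return 1
  done
}

# policy_rules: the restrictive-inbound default the text describes (drop what
# is not explicitly accepted) plus loopback and established-connection allows.
policy_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Run with --print to see the full command list; nothing is executed.
if [ "${1:-}" = "--print" ]; then
  policy_rules
  printf '%s' "$SAMPLE_RULES" | compile_rules
fi
```

Reviewing the printed list before running it as root is exactly the habit the "you can lock yourself out" warning above calls for: the ACCEPT for tcp/22 must be present before the INPUT policy is set to DROP, which is why the SSH rule belongs in /etc/shorewall/stopped as well as in /etc/shorewall/rules.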
The optional interface option allows Shorewall to come up without that interface being present. But you will still generally need to shorewall restart after the interface is up and configured.

Note: Bug 16917 causes /etc/shorewall/interfaces to be messed up each time a new interface is added. Remember to check and fix it if necessary.

DrakGW is used to set up internet connection sharing. If this computer has two network ports, it can be used to share its internet access with other machines. The drakgw wizard sets up everything, including a dhcp server, named, squid and IP masquerading (masq, not nat, in shorewall).

10 Useful networking tools

Here is a list of some very useful networking tools, commands and files.

ifconfig - print information about, or configure, a network interface. Example: ifconfig -a; ifconfig eth0.
ifconfig eth0:1 - create a pseudo-interface eth0:1 on the same physical network connection. This can have a different IP address to eth0. Up to 9 pseudo-interfaces are supported.
ifplugstatus - tells you whether the cable is plugged in and live. Example: ifplugstatus.
ifup/ifdown - start and stop an interface, according to the network scripts. Example: ifup eth0.
ethtool (mii-tool is obsolete) - view or manipulate network interface status, e.g. the link status and speed setting of an ethernet port. Example: ethtool eth0.
dhclient - obtain a dynamic IP address for an interface. Example: dhclient eth0.
ping - check whether another machine can be reached. Example: ping hostname; ping 72.14.207.99.
route - which ranges of IP addresses should be routed via which device. Example: route -n; route add default gw 192.168.0.1.
arp - display the mapping between hostname, IP address and MAC address for devices on the local network. Example: arp; arp 10.0.0.3.
cat/nc/telnet - connect to, or listen to, another machine on some port. Example: nc -l -p 1234; nc localhost 1234.
brctl - configure a network bridge, to make multiple physical interfaces act as one virtual interface. Example: man brctl.
service network restart - restart the networking subsystem. Also remember to restart shorewall.
mcc - Mandriva control center: GUI to configure networking.
iwconfig - print information about, or configure, a (WEP) wireless interface. Example: iwconfig; iwconfig wlan essid MYSSID enc off.
iwlist - list wireless access points. Example: iwlist wlan scanning.
traceroute - print the steps on the path from this machine to another. Example: traceroute hostname.
whois/nslookup/dig - find out the owner of a domain, the name of an IP address, or do a DNS query. Example: whois domain; nslookup 72.14.207.99; dig tcp 8.8.8.8.
tcpdump - packet capture. Example: tcpdump -vv -i eth1.
ethereal (now renamed wireshark) - very useful and flexible GUI for tcpdump. Allows you to view the contents of network packets. Example: ethereal.
EtherApe - real-time network monitor GUI with impressive graphics. Example: etherape.
fping/hping - scriptable ping, TCP/IP diagnostics. Example: fping hostname.
iftop - network interface bandwidth monitor, like top, but for the network. Example: sudo iftop.
netstat - list open connections and sockets on the computer. Example: netstat --inet -lp.
nmap/nmapfe - map the network, scan for open ports. Example: nmap -v 192.168.0.
xinetd - network-enable any program: xinetd connects stdin and stdout over TCP/IP on a defined port. Example: dinnerdogd.
NPtcp - measure and diagnose network performance. Example: on machine1, NPtcp (and open the firewall); on machine2, NPtcp -h machine1.
airodump-ng - monitor and sniff Wifi. Example: airodump-ng -c channel wlan0.
/etc/sysconfig/network - the hostname is defined here. Also use the hostname command. Iff the IP addresses are static, this must also contain the IP of the gateway (e.g. GATEWAY=72.14.207.99) and the name of the network device connected to it (e.g. GATEWAYDEV=eth0).
/etc/sysconfig/network-scripts/ifcfg-* - interface-specific settings are defined here, e.g. the IP address and netmask of eth0.
The DNS servers are defined in their own file.
/etc/hosts - some hostname to IP mappings are defined here, notably 127.0.0.1 localhost.
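Section 8 says /etc/hosts must contain localhost and the machine's own hostname, and that odd timeouts follow when either is missing. The following is an added check for that (my own example, not from the original page): it parses a hosts file, ignoring comments and treating every field after the address as a name or alias, and reports which of the two required names is absent. The sample file is constructed from the toffee-pecan example above; the file path and hostname are parameters so it can be run against a copy of the real file.

```shell
#!/bin/sh
# Added example, not from the original page: check that a hosts file maps
# both "localhost" and this machine's hostname, as section 8 requires.

# Constructed sample hosts file in the layout the text describes.
SAMPLE_HOSTS='# constructed sample, not a real /etc/hosts
127.0.0.1          localhost
131.111.193.203    toffee-pecan
'

# hosts_has FILE NAME: succeed if NAME appears as a hostname or alias on a
# non-comment line. Field 1 is the address, fields 2.. are names.
hosts_has() {
  file=$1; name=$2
  awk -v want="$name" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
    END { if (found) exit 0; exit 1 }' "$file"
}

# check_hosts FILE HOSTNAME: print each missing entry; return 0 only when
# both localhost and HOSTNAME resolve from the file.
check_hosts() {
  file=$1; host=$2; rc=0
  hosts_has "$file" localhost || { echo "missing: localhost"; rc=1; }
  hosts_has "$file" "$host"   || { echo "missing: $host"; rc=1; }
  return $rc
}

# Against the live system: check_hosts /etc/hosts "$(hostname)"
```

Because the lookup walks every name field, a line such as "131.111.193.203 toffee-pecan alias" still counts, which matches how the resolver treats aliases in /etc/hosts.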
11 MAC spoofing

Sometimes, it's useful to spoof the MAC address of an interface, in order to pretend to be another machine.

Temporary change: ifconfig eth0 hw ether 00:01:02:03:04:08, where 00:01:02:03:04:08 is the MAC address you want to have. This can only be done while the interface is down, so first do service network stop, and restart the network when done.

Permanent change (persistent across reboots): add this line to the relevant /etc/sysconfig/network-scripts/ifcfg-ethX file: MACADDR=12:34:56:78:90:ab (lower or uppercase is unimportant).

12 Zeroconf

What is mDNSResponder? This is the Multicast DNS responder, designed to allow the operation of Zeroconf networking. This is also known as Apple's Bonjour protocol, and has an alternative implementation by avahi. The principle is that devices should be able to discover each other's IP addresses, hostnames, and services (e.g. printing) on an ad-hoc network, without any pre-existing configured DNS. This is neat, if you like this sort of thing; personally I prefer to do it manually.

Power Management - ACPI or APM

This Thinkpad can use either APM or ACPI. Since ACPI is now maturely supported, it is the recommended choice. ACPI will be enabled by default, unless it is disabled (see above), in which case APM will be activated instead. It is also important that, when booted, the mains should be plugged in. Note: do not confuse ACPI with the unrelated APIC.

0 BIOS clockspeed - always switch on with mains power connected

An oddity is that the status of the power source (AC vs battery) at boot time affects the subsequent maximum performance. If the AC is not present when the machine is started, the maximum performance of the machine thereafter will be reduced by 30%. This is not reversible by plugging in the mains: a reboot is required. However, once the machine has booted past the BIOS (I think), subsequent changes (switching mains to/from battery, throttling the CPU with ACPI, sleeping) have no lasting effect. Some experimental data (only the column headings of the table survive here):

Boot power source
Current power source
Other condition
BogoMips (/proc/cpuinfo)
CPU frequency (/proc/cpuinfo)
Measured performance

BogoMips and CPU frequency are measured by the kernel at boot time, and so do not change with the current power status. In my setup, the system is configured in the BIOS for "Automatic power management" while on battery, and "High performance" while on mains. Measured performance is the line count from yes piped into wc -l, run for 10 seconds (sleep 10; killall yes), rounded to the nearest million.

1.1 Introduction

ACPI allows system management (power control, buttons and lights, cpu, fan, battery monitor etc). The acpi and acpid system services need to be enabled. See also this page at thinkwiki.

To find information, use acpi -V, or look at the information in /proc/acpi. The files in /proc/acpi can be read with cat, and modified with echo -n. The /proc/acpi/ibm directory is particularly useful. For example:

cat /proc/acpi/ibm/light returns the current status of the thinklight (off) and the available commands (on, off).
echo -n on > /proc/acpi/ibm/light turns the light on.

The acpi daemon (acpid) runs as a system service. It monitors system events (such as lid close, or plugging in AC power), and then runs scripts in response. See man acpid.

To monitor what is happening: tail -f /var/log/acpid.
/etc/acpi/events contains short files linking the ACPI event (e.g. button/sleep) to the script which is to be run.
/etc/acpi/actions is the directory in which these scripts usually live.
To make the daemon aware of changes in /etc/acpi, do killall -HUP acpid.

Note that the function keys (Fn-Fx) do not generate acpi events until they are enabled with /proc/acpi/ibm/hotkey.

1.2 Devices (buttons and lights)

1.2.1 On-screen display of events

The tpb program produces a very helpful on-screen display of events, such as the volume level, screen brightness, and output to LCD/CRT/both. It can be installed with urpmi, and is automatically started from /etc/X11/xinit.d. It also allows the otherwise non-useful ThinkPad button to do something: edit /etc/tpbrc.
1.2.2 Toy example: flash the thinklight

This script is useful for diagnostics or notifications.

Fun may also be had with /proc/acpi/ibm/beep.

1.2.3 Using Fn-F3 to switch off the backlight

Using APM, this just works; however, with ACPI, it no longer does.

Enable the hotkeys. Append this to the relevant file.
Run tail -f /var/log/acpid and observe what happens when Fn-F3 is pressed.
Create /etc/acpi/events/fn-f3.
killall -HUP acpid. See if it works. It does.
Now, we need to actually switch off the backlight. This cannot be done with ACPI, but install radeontool (with urpmi), and test: radeontool light off; sleep 2; radeontool light on.
The completed files follow.
Make executable, restart acpid (killall -HUP acpid), and enjoy.

1.2.4 Using other Fn-keys (F4, F7, F12)

Fn-F7 works fine without intervention, to toggle between video output on the external display and the LCD. Fn-Home and Fn-End change the LCD brightness. Fn-PgUp toggles the thinklight. Fn-F4 and Fn-F12 are discussed below.

1.3 Mandriva's scripts in /etc/acpi/event

Some actions/events are already supplied:

/proc/acpi/event/lmacadaptor - this is broken: it is never triggered.
/proc/acpi/event/lmbattery - this triggers a script which does some wizardry involving laptopmode, but doesn't seem to do much.
/proc/acpi/event/lmlid - this is never triggered. I prefer that a lid-close should merely turn off the backlight (via the BIOS) anyway.
/proc/acpi/event/power - a 2 second press of the power button triggers this, and will cause a normal system shutdown with /sbin/poweroff. Pressing it for 4 seconds or more will force an instant poweroff and reset in the BIOS.
/proc/acpi/event/sleep - see below. This is never triggered, but would crash the machine if it were. See below.

Also, hald-addon-acpi is a client of acpid. This will notify KDE.

1.4 CPU throttling

The CPU speed can be controlled by ACPI.

To read the CPU speed, do cat /proc/acpi/processor/CPU/throttling.
To set the CPU speed, do echo X > /proc/acpi/processor/CPU/throttling, where X is a number from 0 to 7.
State 0 represents no throttling, i.e. 100% of full speed, and is the default.
State 7 represents maximal (87%) throttling, i.e. 13% of full speed. This is much slower, but has lower power consumption. It will also keep the fan inactive.

KLaptop can do all sorts of clever things. It is configured in kcontrol -> Power control -> Laptop Battery -> Acpi Configuration. CPU throttling can also be varied by right-clicking on the battery icon in the systray. It is necessary to run "Setup Helper Application" from the ACPI Config tab.

1.5 Fan speed control

To use APM instead of ACPI, see the configuration in Mandrake 9.1. Note: it is important to use my suspendANDresume script, and not to use apm -s directly, or the machine will crash. The apmd service should be on, and the acpi and acpid services should be off.

Suspend to RAM

There are two sorts of suspend: Suspend-to-RAM (sometimes known as sleep) and Suspend-to-Disk (sometimes known as hibernate). Either may be bound to Fn-F4.

During suspend-to-RAM, the machine enters a low-power state, stopping almost everything except the DRAM refresh. It can last this way for several days on battery. Resume occurs on re-opening the lid, or by pressing Fn.

In suspend-to-disk, the machine is totally powered off, and the state is saved to the swapfile. On the next boot, the kernel detects the presence of a previously running system, and does some clever gymnastics to switch into it.

2 Suspend to RAM

This covers ACPI suspend; for APM suspend, see here. ACPI suspend in Mandriva works (theoretically) in this way:

The user (or an ACPI event) invokes /usr/bin/pmsuspend2 memory. Invoke with -d for debug.
/usr/bin/pmsuspend2 is a symlink to /usr/bin/consolehelper. consolehelper invokes /usr/sbin/pmsuspend2 memory as root, on behalf of the non-root user, who is logged in locally.
This sources the configuration variables from /etc/sysconfig/suspend.
It then executes memory.
This then iterates over all the files in /etc/sysconfig/suspend-scripts/suspend.d, invoking them with the argument suspend. This is where the system services are shut down, xorg is chvt'd, the network is stopped, etc.
It then executes an ACPI suspend by doing echo 3 > /proc/acpi/sleep.

However, it doesn't actually work. Here is what is required.

When testing suspend, it may well crash X or the kernel. Save your work. Run IceWM instead of KDE: it's much faster to restart. Also, a remote connection via SSH is very useful for debugging. Lastly, set debug=yes in the configuration.

First test: is the kernel capable of suspending? Remove PCMCIA cards, then reboot. At the lilo prompt, press Esc, then boot it into runlevel 1 with 2.6.16.20 single. Now, echo 3 > /proc/acpi/sleep and check that it goes to sleep (and the crescent lights up). Then, wake it with Fn. Check you can do this more than once. If so, proceed; otherwise, give up now. Note: neither 2.6.16.20 nor 2.6.17.7 can resume more than once: the second suspend cycle always fails.

Mandriva's own scripts in /etc/sysconfig/suspend (invoked by pmsuspend2 memory) are insufficient, and a horrific mess of bugs. A crash is guaranteed. My script is a wrapper around pmsuspend: the most important things are chvt 1 and cardctl eject. For security, xscreensaver is configured to lock the screen.

The killall -STOP X / killall -CONT X steps are not strictly required (they used to be vital with apm); however, they are added for extra safety: there is no way the X-server can crash if suspended. However, while X is suspended, it can be crashed by e.g. xscreensaver-command. Mandriva's script starts xscreensaver in the background (with &), leading to a race condition.

It is important to remove the script /etc/sysconfig/suspend-scripts/suspend.d/xfree. Unfortunately, just renaming it will not work: it has to be deleted, moved out of the directory, or have the first non-comment line replaced by exit. Preserve the changes by adding suspend-scripts to the list of preserved files.
If sound does not return after suspend, then try restarting the alsa service. If alsa cannot be shut down, then some process (possibly timidity) has a lock on the soundcard. Network applications should survive a restart of the network service; however, it seems necessary to restart it twice (pmsuspend already does it once), in order to keep a PCMCIA wireless card happy.

The completed files are as follows.
Make executable, restart acpid, press Fn-F4, and cross fingers.

Set the BIOS to not automatically suspend on lid-close. Sometimes, it's useful to keep the machine running with the lid shut; also, it prevents a possible race condition between starting the suspend-script above and triggering a BIOS suspend by closing the lid. ALSO, ensure that there is NO ACPI event defined to suspend on lid-close.

You may also wish to configure klaptop to automatically suspend on low battery - but only if you trust suspend.

Note: the screensaver only protects the X-session. If there are any logins on the virtual consoles, this is not secure. See above.

3 Suspend to Disc

Don't do it. Suspending to disk will cause all the memory to be written to disk in cleartext, thereby completely ruining any sort of security. Note: an encrypted suspend image doesn't do what you think it might. That said, suspend2 does do encrypted suspend, and might be promising.

If you want to use suspend to disk anyway (with swsusp), the instructions are in the kernel documentation. It's very easy to do, but it does not co-exist with the encrypted swap space we set up earlier. Remove the encryption entry for swap in /etc/fstab, then regenerate the swapfile with mkswap.

With the default Mandriva 11.0 install, Fn-F12 doesn't do anything anyway. I've mapped it to blink the thinklight, as a reminder that something has happened, but it shouldn't be used. Download.

Thinkpad-specific programs: tpctl, configure-thinkpad, configure-trackpoint, tpsmapi, hdaps
configure-trackpoint is a graphical utility to set the trackpoint sensitivity. It can be installed with urpmi, but on my system it doesn't work (even though the trackpoint driver itself does work). Never mind.

tpctl and configure-thinkpad are CLI and GUI utilities to change certain BIOS settings (most usefully, the wake-up alarm for the thinkpad). They can be installed with urpmi, and just work. Remember to modprobe thinkpad, or add it to the module preload list first. These utilities are crucial on some thinkpads (e.g. the 600-series), which do not have a proper configuration menu in the BIOS. However, they are not necessary on the A22p. The utilities are obsolete for later thinkpads such as the X-series.

tpsmapi aims to provide extra system management features via SMAPI (System Management Application Program Interface), using tpsmapi. This should allow changing the optical drive speed, and manual control of charge/discharge. At the moment (with tpsmapi-0.22), the various interfaces are exposed in /sys, but it doesn't do anything useful on this machine. Also, much of the useful information is already exposed via ACPI: look at /proc/acpi/battery/BAT0.

hdaps is the Hard Disk Active Protection System. The hdaps kernel module allows the accelerometer to be read, which has serious uses (parking the disk head) and frivolous ones (joystick, or gyroscopic display stabilisation). Note: one should not park the disk head too frequently, since it can cause unreliability. It should only be done if the laptop detects that it is falling. Anyway, the hardware is not present on the A22p.

External Disks (usb-key, 1394, camera, compact flash reader) with udev

When a mass-storage device (most digital cameras, usb-memory-keys etc) is plugged in, the kernel will recognise it, and assign it a SCSI device /dev/sdX. The individual partitions will be /dev/sda1, /dev/sda2 etc. The name of the device can be found in the kernel messages (dmesg). Then it can be mounted, usually with mount /dev/sda1 /mnt/tmp; files are transferred, and it is then unmounted.
Mandriva 2006 (KDE 3.5) will automatically pop up a dialog box "Detected new device" when a new drive is plugged in, and give the option to open in a new window. This is configured in kcontrol -> system -> storage media. Note: it is much better in KDE 3.5 than in 3.4.x. After this, the device will be mounted at some temporary mountpoint, and the permissions set up to allow the logged-in user full access. KDE allows drag-and-drop of files, so all is GUI happiness. In order to unmount the drive, visit system:/media (or just media:/) in konqueror, then right-click the Removable Device (with the usb key logo), and choose "safely remove". Note: system:/media is a kioslave, and has only one slash. Or, look in /etc/fstab for an entry with the mount option managed.

However, I prefer to have some more control. I use ext2 on memory keys, and reiserfs on hard disks, not vfat, and I prefer my jpegs non-executable. Also, it's faster to use the command line. This means manually mounting and unmounting the device. But which device, and which mountpoint? SCSI devices are assigned by the kernel in successive order. So, if a camera and a memory key are both inserted, there is no way to detect which of them is /dev/sda and which is /dev/sdb. This means we can't specify the relevant options in /etc/fstab. The old way was a really ugly hack, but now we can use udev, and everything is wonderful.

Udev is a user-space device manager, which is responsible for creating/removing the entries in /dev as and when the devices exist. One of its great features is the ability to create symbolic links based on the system information for a device. So, we can have:

/dev/camerae300 -> /dev/sdX1
/dev/usbkey -> /dev/sdY1

The symlinks which we define are always created consistently, regardless of the changes in the underlying device (X and Y). Then, we can reliably refer to the devices in /etc/fstab by their symlinks.

2 Writing and activating udev rules

A tutorial on writing udev rules is here. See also man udev. These are the stages:
Find the relevant device. For example, use dmesg to find the relevant device. In the case of USB storage, this would be /dev/sdX1 (for the correct X).
Obtain the udev information on this device. Either find the entry in /sys, or use the entry in /dev. Use one of the udevinfo forms.
This will give several paragraphs; use the information from any one block. You can also narrow it, by using one more block, by using plurals (e.g. KERNELS). We then create the udev rule, for example as follows.
Here, we have several key-value pairs. Those with == are comparisons, which must all be satisfied. The assignments with = are the operations. So, this rule means: "If a new device is found on the USB bus, with manufacturer OLYMPUS and product E-300, and the kernel would want to assign it device /dev/sdX1, then create the entry in /dev which the kernel would already have picked; also create the symlink /dev/camerae300". Save the rule into the rules file.
Now, make udevd aware of the new rule. For a recent kernel, using inotify, the rule will automatically be picked up: just unplug and replug the device. Alternatively, run udevtrigger (or, less optimally, udevstart). If inotify is disabled, use udevcontrol reload_rules. Note: Mandriva 2006 doesn't have udevtrigger, nor a recent udevcontrol.

3 Some examples: USB storage devices (memory key, camera, ogg/mp3 player)

3.1 Olympus E300 digital camera (mass-storage device)

Plug in the camera. Run dmesg to find the device (/dev/sdX1), and then obtain the udev information on it with udevinfo -a -p /sys/block/sda/sda1. Use the information in any one block to define the camera. This is my udev rule.
Make udevd aware of the new rule, then plug in the camera. When the camera is plugged in, /dev/camerae300 is automatically created.
Create the mountpoint (mkdir /mnt/e300), and add this to /etc/fstab.
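The rule itself is not reproduced on this page, so here is an added illustration of the stages in section 2 and the camera case in 3.1 (my own example; not the page's rule and not udev's code). It pulls the manufacturer and product out of a udevinfo -a block (a constructed sample in the 2006-era udevinfo format, with a placeholder serial), assembles a rule in the old BUS/SYSFS{} syntax that matches the text's description (keep the kernel name via NAME="%k", add SYMLINK="camerae300"), and splits a rule back into its comparison keys (==) and assignment keys (=). Newer udev uses ATTRS{} instead of SYSFS{}; the syntax below is the one contemporary with Mandriva 2006.

```shell
#!/bin/sh
# Added example, not from the original page or from udev: build and inspect a
# udev rule of the kind described in section 2 / 3.1.

# Constructed sample in the layout of "udevinfo -a -p /sys/block/sda/sda1";
# the serial is a placeholder, not a real device id.
SAMPLE_UDEVINFO='  looking at device /block/sda/sda1:
    KERNEL=="sda1"
    SUBSYSTEM=="block"
  looking at the device chain at /devices/pci0000:00/...:
    BUS=="usb"
    SYSFS{manufacturer}=="OLYMPUS"
    SYSFS{product}=="E-300"
    SYSFS{serial}=="PLACEHOLDER-SERIAL"
'

# udevinfo_field TEXT KEY: print the value of the first line KEY=="value".
udevinfo_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2==\"\(.*\)\"$/\1/p" | head -n 1
}

# make_rule MANUFACTURER PRODUCT SYMLINK: a rule matching the first partition
# of a USB disk from that device; %k keeps the name the kernel chose, and the
# symlink gives the stable name to use in /etc/fstab.
make_rule() {
  printf 'BUS=="usb", SYSFS{manufacturer}=="%s", SYSFS{product}=="%s", KERNEL=="sd?1", NAME="%%k", SYMLINK="%s"\n' \
    "$1" "$2" "$3"
}

# rule_keys RULE matches|assigns: list the keys of one kind, one per line.
# Keys with == are comparisons (all must hold); keys with a single = are the
# operations. Assumes no commas inside quoted values, true for the rule above.
rule_keys() {
  rule=$1; kind=$2
  printf '%s\n' "$rule" | tr ',' '\n' | sed 's/^[[:space:]]*//' | while read -r pair; do
    case "$pair" in
      *==*) if [ "$kind" = matches ]; then echo "${pair%%==*}"; fi ;;
      *=*)  if [ "$kind" = assigns ]; then echo "${pair%%=*}"; fi ;;
    esac
  done
}

# camera_rule_from_udevinfo TEXT: the whole pipeline for the E-300 case.
camera_rule_from_udevinfo() {
  make_rule "$(udevinfo_field "$1" 'SYSFS{manufacturer}')" \
            "$(udevinfo_field "$1" 'SYSFS{product}')" camerae300
}

# Run with --print to see the rule generated from the sample block.
if [ "${1:-}" = "--print" ]; then
  camera_rule_from_udevinfo "$SAMPLE_UDEVINFO"
fi
```

Listing the comparison keys separately is a quick way to review a rule before installing it: every key in that list narrows the match, and a rule with only BUS and KERNEL in it would claim any USB disk, not just the camera.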
Some of the mount options are interesting. pamconsole means that the device is always owned by the physically logged-in user, so I don't need to become root to mount and unmount it. ro is because the computer should never modify the camera's file system. noauto prevents the filesystem from being mounted at boot time. dmask and fmask create sensible default permissions for the files: FAT doesn't have permissions at all, so the defaults are 777, but photographs really shouldn't be marked as executable. Lastly, managed is not present: managed denotes that an fstab entry was automatically created, and can be automatically removed.

Now, I can just plug in the camera, and mount /dev/camerae300, without even needing to be root.

Note that KDE will no longer pop up a dialog box. See below, or bug 126208.

3.2 iPod nano

The iPod nano, hugely enhanced by iPod Linux and/or RockBox, is actually quite a decent player. Rockbox also supports Ogg Vorbis. The iPod is a USB mass-storage device, but the iTunes database (used by the Apple firmware and iPodLinux) must be accessed via gtkpod. Rockbox can use either ID3 tags (iTunes format, with tagcache) or a directory hierarchy for file access.

I have /dev/ipod and /mnt/ipod. The udev rule is as follows.

3.3 USB Memory key

Here is the udev rule for this, and this entry in /etc/fstab.
NOTE: this is not mounted with sync. As a result, make sure never to unplug without unmounting.

4 Gnome Volume Manager

Although we are running KDE, some of the GNOME subsystems are also running. This is a consequence of starting gnome-settings-daemon (above). Therefore, gnome-volume-manager is also running. By default, this will automount all removable media when they are plugged in. Personally, I'd rather control it by hand, so run gnome-volume-properties and uncheck all the options.

5 Firewire (1394) storage devices
I'm using a 20GB Evergreen Fireline Hotdrive firewire drive, with an Evergreen PCMCIA firewire card, and the internals of the drive have been upgraded to 120GB. Everything just works, and in a very similar way to USB devices: 1. Hotplug the drive. 2. Check dmesg for the relevant scsi disk. 3. Mount it. 4. Unmount it. 5. Unplug it.

It is no longer necessary to mess around with modprobe-ing and rmmod-ing sbp2, ohci1394 and ieee1394 every time. The disk can be formatted using diskdrake, or just directly on /dev/sda1. Then, write a udev rule for it. For diagnostics, use gscanbus. It is also possible to use a DV camcorder as a 10 GB tape drive.

But remember: we deliberately broke firewire support back in the encryption section; un-break it when needed.

5 Compact Flash card reader

This is a SanDisk 6-in-1 USB reader, which I'm using for a 1 GB microdrive, or for SD cards. It just works. Use dmesg to discover which virtual scsi device is the new one, then mount /dev/sdX1 /mnt/tmp. Or write a udev rule, if desired. Remember to unmount it before ejecting it, and that unmounting can take some considerable time if files need to be sync'd. Never remove the disk while it's mounted, or while the light is flashing: this can kernel-panic the laptop, or corrupt the filesystem.

It is best to leave the card as FAT16, for compatibility with digital cameras, and for re-flashing a Zaurus. This means no symlinks, and no file permissions. However, CF cards can be formatted with ext2, or even reiserfs (with care: avoid frequent writes), and then used as silent replacements for IDE drives.

Printer, Scanner, Fax, Digital Camera
Having thrown away 3 Epsons in as many years, I purchased an HP Deskjet 5850. This is an excellent machine, and just works. Features: it's a network printer, has a cancel-job button on the printer, has a duplexer, auto-detection of paper type, reliable, fast, good value ink. Since each ink cartridge contains a new print head, the printer cannot suffer an un-cloggable print head, which is what kills the Epsons if you don't print colour at least once a month.

1.1 Installation

Connect the printer to the LAN. Find the printer's default IP address. Configure eth0 temporarily to an IP in the same range. Log in to the web-based printer control panel, and set a sensible static IP address for it (or it can use DHCP).
Use Mandriva Control Center to add the printer. It's a network printer on port 9100 (this is standard). Use the recommended ghostscript hpijs driver.
Bookmark the printer's web interface, to check ink levels.
Set CUPS not to look on the network for other printers, nor to broadcast this one. This is the "Browsing Off" setting in the CUPS configuration.
Now, use KDE's excellent printer tool (kups, as root) to configure the printer settings. I created 6 different instances of the printer, for ease of use:
bwdraft - greyscale, fastest. Still very good. Default.
bwfine - greyscale, best quality.
bwdraftduplex, bwfineduplex - with duplexer.
colour - colour.
colourphoto - colour, photo paper.

1.2 Using the printer

From the GUI, it just works. Useful printing commands are:
kprinter, kups and xpp are GUI printing tools.
lp and lpr print files from the CLI. They can print at least pdf, ps, jpg and STDIN.
cancel cancels a print job (use with -a for all jobs).
lpq to see printer queue status.
lpstat -a to see printer status.
lpadmin -p printername -E to re-enable a printer which has decided to stop. Note: the order of arguments is important.

1.3 Troubleshooting

If CUPS takes ages to start, this is a manifestation of the Broken HalDaemon problem (below).
If you experience long delays, check /etc/hosts (see here).
Note: if a print job is cancelled at the GUI, it will usually finish printing the current page, and the next one. Use the kill button on the printer instead.
The CUPS web interface is on the usual local CUPS address.
For further information, see the CUPS documentation.

1.3 Using postscript

Unlike MS Windows, Linux speaks postscript natively. It's out of the present scope, but look at:
Viewers: gv, kpdf, xpdf.
Editors: lyx, tex, and openoffice (which has pdf export); xfig (with output to postscript).
Printing: lp, lpr, kprinter.
Conversion: pdftotxt, pdf2ps, ps2ps, ps2pdf, pstops, psselect, psnup, convert, a2ps etc.

The Canon CanoScan N670U (USB) works perfectly. Plug it in, and use Kooka for scanning. gocr is reasonably good for optical character recognition, provided that it is scanning only a single column of text (for newspaper articles, cut into strips using GIMP). xsane is also good for scanning, or the GIMP can scan directly.

It is possible to use the modem as a fax.
To send and receive faxes, install efax. Edit its configuration: set it to answer after a single ring, and to use /tmp for lockfiles. There is a GUI frontend (efax-gtk) and a CLI interface (fax).
To print directly, use KDEPrintFax as a virtual printer.
Don't use ksendfax: it's redundant, obsolete, and it segfaults. Also, I don't recommend hylafax here: it's very sophisticated, but unnecessarily complicated for occasional use.
You can also use the excellent free email-to-fax gateway service. This is simple and reliable, but only supports outgoing faxes. A fax coversheet is prepended, which may include an advert from the operator.

4 Digital Camera

My Olympus E-300 is a USB mass-storage device, and works perfectly (see above).
It is worth mentioning that some digital cameras (mainly expensive Canon cameras) are not USB mass-storage devices. These can be accessed by using gphoto2.
Gphoto2 also works with toy digital cameras such as the Nisis Quickpix QP3. Use gphoto2 --auto-detect to identify it (as an Aiptek Pencam), then use gphoto2 -P to download images.
There is a bewildering array of digital photography applications available on Linux. I personally like albumshaper. GWenview, F-spot, DigiKam, Gthumb, Eye of Gnome and qiv are also useful.

It is possible to extract RAW images and obtain better quality post-processing by using dcraw. Hugin allows many photos to be combined seamlessly into a panorama. There's also some support for HDR (High Dynamic Range) images, formed by superimposing different exposures.

Most cameras (including the E-300) now have a gravity sensor built in, so they save the orientation inside the EXIF tags in the JPEG. The photo can be automatically, losslessly rotated, and the orientation reset, by using Gwenview (kipi-plugins), or Gthumb, or exifautotran. Also, unless this is done, different applications will display portrait photos in different orientations, since some ignore EXIF tags, and some do not.

Image editing and compositing applications include the Gimp, OpenOffice Draw, Xfig and Inkscape. Sadly, the potentially very promising, but not yet finished, Xara Extreme project has effectively failed.

Mobile Phone (Samsung S300)

I'm using the excellent Samsung S300 mobile phone. This can use IrDA, but the phone comes with a serial data cable (very nice). It is just a regular serial modem, so it's simply a case of plugging in the serial cable and setting the modem device to /dev/ttyS0 in kppp. The same things apply (kppp, shorewall) as with the internal modem.

A neat feature is that one can use extended AT commands to send and receive SMS messages. Here is a script to do this.

kppp is extremely useful here: it has a terminal for interfacing directly with the modem and typing AT commands. It's a lot easier to use than minicom. It's buried 4 levels deep though: kppp -> Configure -> Modems -> Edit/New -> Modem -> Terminal.

KDE configuration and GTK
1 KDE upgrade to 3.5

KDE 3.4.3 as installed is somewhat old; KDE 3.5.2 is much nicer. There is an excellent tour of the latest KDE, and a VMWare image is also available. If you decide to upgrade KDE, the RPMs are available from SeerOfSouls.

Before starting, save a list of the currently installed packages (rpm -qa). You can revert to this if necessary.

Remove the KDE 3.5.1 urpmi source (if you have it), and then add the Seer of Souls KDE 3.5.2 repository (SoS-KDE-3.5.2).

Warning 1: Bad Things will happen if you allow this upgrade to pull in upgrades to HAL and DBUS from the SoS 2006 repository (see below for more details).

Prevent k3b from being upgraded by adding the exclusion lines to the urpmi configuration.

It is not necessary (despite these instructions) to completely remove the existing KDE packages.

Download all the new KDE packages: urpmi --auto-select --test --force. Then install the packages with urpmi --auto-select; if there are any error messages, make a note of them.

Log out, and restart X: service dm restart.

You may find at this point that KDM doesn't work, and you cannot log in to KDE: the KDM config file is no longer valid. I didn't experiment to find the exact root cause, but here is an ugly solution which worked:
- Forcibly uninstall kdm: rpm -e --nodeps kdebase-kdm kdebase-kdm-config-file
- Remove the kdmrc config files. This is /etc/kde/kdm/kdmrc; also remove anything RPM has helpfully left behind.
- Re-install kdm and get a fresh, working config file: urpmi kdm
- Re-customise KDM from kcontrol if desired.
Some enlightenment might perhaps be found in /etc/kde/kdm/README.

The splash screen and kmenu side-image still identify as KDE 3.4. Fix the splash screen by choosing another one from kcontrol - LookNFeel - Splash screen. Fix the menu side-image: Mandriva have hard-coded one image path where another ought to be used; copy the latter over the former.

2 Un-breaking HAL and DBUS (important)

2.1 Explanation
hal (haldaemon) and dbus (messagebus) are the daemons which notify userspace about hotplug events and other things. If you accidentally allowed urpmi to update them to the ones in the SoS-2006 or KDE 3.5.0 repository, bad things will happen. Certain applications will be very, very sluggish: the cups printer configuration and vlc will take about 25 seconds to start up, and anything using the GTK file picker (e.g. firefox) will appear to stall for 25 seconds before being able to save a file.

The reason is that the Mandriva 2006 applications were compiled against an earlier version of libhal/libdbus (as shipped with 2006), and so cannot correctly use the newer one. A quick test is to stop the messagebus and haldaemon services: if these timeouts go away, this is the cause of the problem. You can also use strace.

2.2 Solution

The packages concerned are the dbus and hal ones: rpm -qa | grep -E 'dbus|hal'. The incorrect packages are those carrying the SoS suffix, and the desired ones are those ending in mdk. We need to downgrade the packages to the earlier versions.
- Remove the unwanted SoS packages with rpm, using --nodeps (or half the system will come away with them): rpm -e --nodeps followed by the package names.
- Download the Mandriva 2006 dbus and hal packages from the urpmi media source for main, using lftp and the medium listed in the urpmi configuration. Then install them with urpmi.
- Restart the daemons: service messagebus stop; service haldaemon restart; service messagebus start.
- Remove the offending urpmi source, or, if necessary, block any further updates in the urpmi configuration.
- The SoS versions of K3B have dependencies on the SoS libhal/libdbus. So, uninstall them, and re-install Mandriva's packages for k3b (k3b, k3b-dvd, libk3b2). Then add an exclusion for them in the urpmi configuration.
- Run urpmi --auto-select to repair any damage done by the rpm --nodeps above (there shouldn't be any). To double-check: rpm -Va | grep dependencies.

Consequence of the fix: KDE Storage Media will now claim "HAL backend: No support for HAL on this system". This doesn't seem to make much difference, though.
KDE is very configurable. Here are some of my settings for the KDE Control Center.

Accessibility:
- Keyboard Layout - Xkb Options: make CapsLock an additional Control.
- Keyboard Shortcuts - Application shortcuts: set up the same bindings as Readline for Ctrl-A and Ctrl-E. Select All: no shortcut. Beginning of Line: Home and Ctrl-A. End of Line: End and Ctrl-E. Text Completion: no shortcut.

Components:
- Component Chooser - Email Client - Use a different email client, passing it the %t and %s placeholders; then create the corresponding wrapper script (see the Thunderbird integration section).
- File Associations: set up sensible bindings for multimedia, in order of preference:
  mp3, m3u: Alsa Player, Xmms, amaroK, VLC media player.
  mov, wmv: VLC media player, Mplayer.

Information:
- Protocols contains a list of the KDE ioslaves, e.g. fish or media.

Appearance and desktop:
- Background: wallpapers as desired, the same for each desktop for best performance. Advanced: use a solid black colour behind text, OR enable shadow; 2 lines for icon text.
- Behaviour: allow programs in the desktop window. This permits xearth etc. to run.
- Colours: to taste. I prefer to have Title Blend darker than Title Bar, and Inactive Title Bar Blend different from Active Title Bar Blend.
- Fonts: see the fonts section.
- Icons: Conectiva Crystal (classic).
- Launch feedback: disable the busy cursor, enable taskbar notification for 5 seconds.
- Multiple desktops: 4.
- Panels: show the right-hand hiding button, no animation. Menu: name and description, show side image, QuickStart menu items show the 15 most recently used applications. Disable transparency, enable the background image. Appearance - Advanced Options: hide applet handles, once you have arranged them as desired.
- Screensaver: none (we are using xscreensaver instead).
- Splash screen: Default (the Galaxy one still says KDE 3.4).
- Style: Keramik. Show icons on buttons. Disable animations. Toolbar text position: Icons Only.
- System Notifications: change the most annoying sounds ("KDE is starting up", "A critical message is being shown").
- Taskbar: Group similar tasks: never. Appearance: Elegant.
- Window Decorations: Keramik; don't draw grab bars below windows; add a custom title-bar button for "keep above others".
Peripherals:
- Mouse: single click to open files and folders (this isn't MS Windows). Theme: crystalcursors. Mouse wheel scrolls by 5 lines.

Power Control: see the section on ACPI.

Sound: see the section on sound for aRts, Alsa and Midi.

KDE Performance: preload an instance of konqueror after KDE startup.

Login Manager: Echo mode: 3 stars. Set the wallpaper to "Spot the fish" (downloaded), with a blue #21449c background. Set the font to Tahoma, without antialiasing. Convenience: preselect the previous user, focus the password field. If desired, disable the existing theme in System - KDM Theme Manager.

Storage Media: see below.

Paths: set the Documents path to /home/rjn. This is KDE's default location for saving and opening files; it is only coincidentally equal to /home/rjn/Documents, i.e. KDE should always default to /home/rjn, but I use ~/Documents for certain files, like the Windows "My Documents" folder.

Window behaviour: focus follows mouse. Titlebar double-click: maximise. Don't display content in moving/resizing windows (for performance). Don't animate minimise and restore. Don't allow moving and resizing of maximised windows. Transparency is fun, but very slow, and needs the Composite extension to be enabled in the X server configuration.

Web Browsing: see the web browser section.

3 KDE Storage Media

This is KDE's notification system for when you plug in removable devices. Actually, anything with a removable filesystem (CD-ROM, DVD, blank CD, USB key, digital camera) will create an event via dbus, which will cause something to happen, as defined here. This is a useful feature for beginners; personally, I'd rather use the command line and dmesg. Here is how to set it up.

Configuration is in kcontrol - System - Storage Media.

Inotify must be enabled (see above), otherwise kded will constantly poll the disks.

Devices which are dynamically created with udev rules (above), but which have permanent entries in /etc/fstab, will not trigger events.
Important: media will be automatically mounted, but will not be automatically unmounted. It isn't safe to just physically pull the device out. Physically removing a device with a mounted, writeable filesystem can crash the kernel; also, writes are asynchronous, so saved files may not actually have been written to the device until it has been synced. Remember to umount manually.

This is available with a GUI in konqueror: visit the URL media:/ or devices:/ to see mounted and unmounted filesystems/devices. To unmount, right-click - Safely Remove. Note: the URLs must be typed exactly, with only one slash.

The Gnome equivalent is Gnome Volume Manager, configured by gnome-volume-properties, and it may also be running as a consequence of the GTK font workaround.

Actually defining the behaviour is quite complex, and there are not sufficient behaviours defined by default. Here is what I discovered by experiment.

The actions are defined by KDE servicemenus. These apply to konqueror generally. System-wide ones are in /usr/share/apps/konqueror/servicemenus, and user-specific ones are in the equivalent directory under the user's own KDE settings.

For CD burning, we need to have the %U argument present, or KDE Removable Media complains about "Bad URL". But we don't want it passed on, or k3b will complain. Workaround: use a command along the lines of echo %U; k3b, so that echo consumes the %U and k3b is started without it.

Added a DVD playback option: gmplayer is the most user-friendly. The command required is /usr/bin/gmplayer -quiet -fs dvd:// %U. Note: the %U is a bug; it is required to prevent an erroneous error message.

Hack to specify that CDs should be ripped in Grip, not kaudiocreator: edit the relevant servicemenu and change Exec=kaudiocreator %u to Exec=grip %u.

4 Other KDE settings, tweaks and tips

Wallpaper may be obtained from several sites, or via khotnewstuff. There are also some stunning (mainly commercial) wallpapers available. The background can also be set to a slide show, or to a background program. Great fun can be had by enabling blending (e.g. hue shift). Saved wallpapers live in KDE's own wallpapers directory.
The icon-text background may be a solid colour, OR a drop shadow. This option is hidden in Background - Advanced Options. I recommend enabling 2 lines at about 130 columns for icon text.

Icons can be aligned to the grid, and then locked in place (right-click the desktop). Finally, as of KDE 3.5.0, the icons stop jumping around between logins. However, this is broken in 3.5.2, and not fixed until 3.5.4. Partial workaround: turn off Desktop Icons (right-click - Behaviour), then back on again. Or, while not running KDE, delete or edit the file which records the icon positions.

Create shortcuts on the desktop for system:/ and media:/.

If desired, the KMenu icon (bottom left) can be reverted from the Mandriva star to the KDE default: edit kicker's config file, find the section [KMenu] (add it if needed), and then add below it KmenuUseMdvIcon=false. Then restart kicker.

4.2 Directory structure

Mandriva already created a basic directory structure, some of which I don't like. Also, many of the icons on the desktop are special files, and do not represent directories or symlinks; this means that they don't play nicely with the CLI.

Firstly, remove the Mandriva weirdness; this is actually quite tricky. Some (but not all) of it is described in the release notes.
- Remove any superfluous icons from the Desktop. Then remove any unneeded files (including hidden files) from the Desktop directory.
- Remove unwanted folders in /home/rjn: Mandriva create Video, Music and Download, all with corresponding desktop icons.
- Get rid of the weird icon for Documents: remove the special Documents entry and its contents.
- The release notes also suggest touching a marker file.
- Fix the icons in the quick-launch panel of the KDE File-open dialog (see below).

Create a directory structure as desired. Mine consists of a set of actual directories plus symbolic links (ln -s) for convenience; I also wrote a script to set this up.

Incidentally, it is worth setting KDE's Documents path (kcontrol - System - Paths) to be /home/rjn rather than /home/rjn/Documents. This is KDE's default location for saving and opening files.

4.3 Trash can (Wastebin)
As of KDE 3.4 (and unlike previous KDEs), the Desktop Trash icon is a special file, not the literal directory where the trash lives. It has also been renamed to Wastebin in the UK. It is accessed via the KDE trash:/ ioslave; the actual files live in a directory under the home directory.

You can still access it via the command line with kfmclient move <file> trash:/, but this is extremely slow. I wrote a bash script, cn, as a replacement for this. One should get into the habit of typing cn file(s)/directory(s) rather than rm -rf, since it avoids the potential for a slip of the fingers, followed by regret, and locating the backups.

4.4 KDE File-open dialog

The KDE file dialog is extremely versatile:
- It supports tab completion.
- It remembers how large it is. Open the dialog, make the window most of the screen size, then close it. Voila: much easier to see files.
- It has inline preview.
- Sort order can be case-insensitive.
- Folders can be shown in a separate pane (persistent setting; F12 to toggle).
- Hidden files can be turned on/off (F8).
- The quick-access navigation panel on the left (F9) can contain certain frequently accessed directories; just right-click it to add them, and these can be customised per application.

Klipper

Klipper (the KDE clipboard) is one of the killer features of KDE. It's the clipboard icon in the system tray, and gives you a cut-and-paste history. Note that X Windows has 2 separate buffers for text:
- Select text and it is automatically copied; middle-click to paste.
- Ctrl-C to copy, Ctrl-V to paste.
- In nano, emacs, bash and pico, there is also a 3rd kill buffer, using Ctrl-K, Ctrl-U and Ctrl-Y.
These buffers are usually synchronised, but not necessarily. I set Klipper to keep 40 entries in the history, synchronise clipboard and selection, and pop up the menu at the mouse position; the shortcut is Ctrl-Alt-V. Klipper can also store images, but the X clipboard mainly works with text. Graphical applications (Gimp, OODraw etc.) do their own thing, and use Ctrl-C, Ctrl-V.
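The cn script itself is not reproduced on the page. What follows is an added example of my own (not the author's script): a POSIX shell replacement for rm -rf that moves its arguments into a trash directory instead, in the files/ plus info/ layout of the freedesktop.org trash convention that the KDE trash ioslave also reads. The default location $HOME/.local/share/Trash and the CN_TRASH_DIR override are assumptions of this example. It refuses the classic slips (/, ., .., and the home directory itself) and never overwrites something already in the trash, which is the whole point of preferring it to rm -rf.

```shell
#!/bin/sh
# cn: move files/directories into a trash directory instead of deleting them.
# Added example; the layout (files/ + info/, one .trashinfo per item) follows the
# freedesktop.org trash convention, and the default location is an assumption.

cn() {
    trash="${CN_TRASH_DIR:-$HOME/.local/share/Trash}"
    mkdir -p "$trash/files" "$trash/info" || return 1
    [ "$#" -gt 0 ] || { echo "usage: cn file..." >&2; return 2; }
    for target in "$@"; do
        base=$(basename -- "$target")
        # Refuse the obvious slips of the fingers: "/", ".", "..".
        case "$base" in /|.|..) echo "cn: refusing to trash '$target'" >&2; return 1 ;; esac
        if [ ! -e "$target" ] && [ ! -L "$target" ]; then
            echo "cn: no such file or directory: $target" >&2; return 1
        fi
        # Resolve the absolute original path (recorded so the item can be restored).
        dir=$(cd -- "$(dirname -- "$target")" && pwd -P) || return 1
        case "$dir" in /) abs="/$base" ;; *) abs="$dir/$base" ;; esac
        if [ "$abs" = "/" ] || [ "$abs" = "$HOME" ]; then
            echo "cn: refusing to trash '$abs'" >&2; return 1
        fi
        # Never clobber something already in the trash: append .1, .2, ...
        dest="$trash/files/$base"; n=1
        while [ -e "$dest" ] || [ -L "$dest" ]; do
            dest="$trash/files/$base.$n"; n=$((n + 1))
        done
        mv -- "$target" "$dest" || return 1
        # The .trashinfo record: original path and deletion time.
        # The path is written verbatim; the spec percent-encodes non-ASCII bytes.
        printf '[Trash Info]\nPath=%s\nDeletionDate=%s\n' \
            "$abs" "$(date +%Y-%m-%dT%H:%M:%S)" \
            > "$trash/info/$(basename -- "$dest").trashinfo"
    done
}

# cn_list: show what is in the trash, with the original path of each item.
cn_list() {
    trash="${CN_TRASH_DIR:-$HOME/.local/share/Trash}"
    for info in "$trash"/info/*.trashinfo; do
        [ -f "$info" ] || continue
        printf '%s\t%s\n' "$(basename -- "$info" .trashinfo)" "$(sed -n 's/^Path=//p' "$info")"
    done
}

# Run directly with arguments, or source this file to get cn and cn_list.
if [ "$#" -gt 0 ]; then cn "$@"; fi
```

Source the file to get cn and cn_list as shell functions, or run it with arguments. The .trashinfo records are what make the trash auditable later: each one names the original absolute path and the deletion time, so a mistaken cn can be undone with a single mv.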
Here are a few utilities which use dcop to drive klipper from the CLI: klippergetcontents and klippersetcontents (one pipes the output of a command into the clipboard, the other prints the clipboard's contents), and klipperreadfile (reads a file into the clipboard). Alternatively, install xclip.

4.6 Desktop Search (Kat, Beagle)

Kat and Beagle are the desktop-search engines for KDE and GNOME respectively. They are both promising, but the versions supplied with Mandriva 2006 simply don't work. Kat, in particular, is a dreadful resource hog, yet it is started by default. To prevent kat from being launched automatically, touch the marker file which disables it; better yet, uninstall it.

The later versions of Beagle look extremely promising, but the install process is complex. The current version of Kat (0.6.4) is still unusable.

The alternative is to use locate, grep and find, together with descriptive filenames.

4.7 File associations and service menus

KDE's file associations are configured in kcontrol - Components - File Associations. This defines which application is launched when you click on a file. If several are listed, in order of preference, these are offered as options for Open With when you right-click the file. Embedding is also defined here; e.g. konqueror should open PDFs in a separate window.

KDE servicemenus allow you to define any action which goes in the context menu for a file type. This is extremely powerful, and there are many available for download. I wrote one to Eject/Unmount removable media.

4.8 KDE System monitor

The KDE system monitor (ktimemon) is really nice to have in the taskbar. It is in the kdeaddons package. Then, right-click the taskbar, and choose Add applet - System monitor. For greatest usefulness, set up the colours as follows:
- CPU: Kernel dark green, User mid green, Nice pale green, IOWait yellow.
- Memory: Kernel dark blue, Used mid blue, Buffers light blue, Cached pale blue.

4.9 Other tips
- Sessions: if you leave some KDE applications open when you log out, they will be restarted in the same state when you return. Configured in kcontrol - Components - Session Manager.
- KDE startup and shutdown scripts: any scripts placed in KDE's autostart and shutdown directories are run automatically on starting and exiting KDE. This is similar to the shell's own login and logout scripts; note that the shell's logout script is not run by default on exiting KDE.
- IOSlaves: these are KDE resources which allow all applications to do some clever things. For example, you can edit a remote document over the network, use fish to drag and drop remote files, and use man:/ and info:/ to view documentation in konqueror. Some information is in kcontrol - Information - Protocols. There is also a KIOSlave FUSE module.
- Keyboard shortcuts for kwrite: Alt-F and Alt-B can be bound to move forward/back one word in kwrite (Settings - Configure Editor - Shortcuts). Ctrl-A and Ctrl-E are defined globally (above).
- Konqueror autoscroll: press Shift, then the up/down arrow; Konqui will continue to scroll automatically.
- Scripting KDE: there is a useful presentation on this.
- Kstart: start a program with custom window options, e.g. window title, desktop number, skip-task-bar etc. See kstart --help for more.
- Ksystraycmd: start a program and put its window into the system tray. See ksystraycmd --help for more.
- Kommander: a way of doing graphical shell scripting with Qt. There is an introduction and a tutorial, and the Kommander homepage has some more information. Also try out the toy word processor example.
- Kdialog: a KDE dialog box for interacting with scripts, like xdialog. E.g. kdialog --title "Fortune Cookie" --msgbox "$(fortune)".
- Scripting X: see the linked article; also wmctrl and devilspie.

4.10 Show Desktop bug
Since KDE 3.4, the show-desktop button behaves in a most unintuitive way. It used to minimise all windows, then wait until you clicked it again, at which point it would restore them. Now, the desktop is exposed on the first click, but the windows automatically restore as soon as you have clicked one icon on the desktop. This is allegedly a feature, not a bug. However, I have written a workaround.

This is a bash script, which uses wmctrl and a hacked version of devilspie, together with xprop, in order to exactly replicate the old behaviour. Installation instructions are in the source of the script.

5 GTK Configuration

GTK applications (fonts, colours) are configured with the gnome-control-center.
- Font settings are configured with gnome-font-properties (see above).
- GTK-2 applications (e.g. firefox) are configured with gnome-theme-manager. I like the Galaxy2 or GrandCanyon themes.
- GTK-1 applications (xmms, mozilla) are configured from Menu - System - Configuration - Other - GTK Theme Switch (/usr/bin/switch), or by editing the GTK-1 rc file. I prefer Eazel-Blue, to give easily visible scroll bars, but with Kcontrol - Colours set to "Apply colours to non-KDE applications", which makes it less dark grey.

Web browser (Mozilla, Firefox, Konqueror) configuration

1 Konqueror

Konqueror is an extremely featureful and versatile browser. Here are some configuration changes I prefer, mostly to get similar behaviour to mozilla/firefox.

Settings - Configure Konqueror:
- Web Behaviour - Tabbed Browsing - Advanced Options: uncheck "Open new tab after current tab"; uncheck "Activate previously used tab when closing the current tab".
- Underline links.
- Java/Javascript: enable globally. Javascript - open new windows: smart.
- Web Shortcuts: these are extremely helpful, and many are already defined. However, only a few (such as wp: and gg:, for Wikipedia search and Google search) are active by default.
- Adblock Filters: enable these, and add the same list as for mozilla (below).
- Browser Identification: can spoof the user-agent as, for example, MSIE on NT5, on a per-site basis, if required to defeat stupid browser sniffing.
- Plugins: load plugins on demand only; CPU priority for plugins: lowest. No more Flash, except when I click to start it, and no CPU hogging either. Konqueror will automatically scan for mozilla plugins at startup, and incorporate them.
- Performance: preload an instance after KDE startup.

Settings - Configure Shortcuts:
- Reload: Ctrl-R and F5.
- Homepage: Alt-Home and Ctrl-Home.
- Leave Ctrl-L as it is (Clear Location Bar, which also focuses the location bar).
- Line-editing shortcuts (Ctrl-A, Ctrl-E etc.) are already configured KDE-wide (above).

Konqueror has multiple profiles, e.g. File Management and Web Browsing. The home page is saved with the profile, so visit the home URL you want, then choose Settings - Save View Profile - Web Browsing. One can also add a Konqueror Profiles applet to the KDE panel.

When text files are linked on the web, it's better to open them directly within konqueror rather than starting an external kwrite. Go to kcontrol - Components - File Associations and search for txt. In the Embedding tab, choose "Show file in embedded viewer", and uncheck "Ask whether to save to disk instead".

Konqueror's mailto handling is configured above.

2 Mozilla suite

Mozilla is the all-in-one Web/Email/Editor suite. It is the predecessor of Firefox and Thunderbird, and has now been officially retired. However, it is still developed by the SeaMonkey project; there is a comparison and a SeaMonkey review.

The advantage of separate programs is principally that they run in separate processes, and individually have (allegedly) smaller RAM requirements. They are also seeing very rapid development, and a vast number of extensions. However, the integrated suite is still easier to use, and better integrated.

Most of what follows about Firefox also applies to Mozilla. However, there are a few Mozilla- or SeaMonkey-specific details.
The latest version of the integrated suite can be downloaded from the SeaMonkey project. One particularly useful tip: use Ctrl-L to focus the Location bar, type a query, then press up-arrow and Enter to search Google.

When opening URLs from another application while Mozilla is already running, we don't want to start another instance, particularly if it would create another profile by accident. Multiple instances will fight over access to the profile, which is A Bad Thing, and results in lots of unwanted, unsynchronisable profiles. If you ever see the Profile Manager, quit and find the lock file; don't create a new profile. You cannot run more than one mozilla or firefox process on the same profile at a time: to connect to an existing mozilla or firefox, use the mozilla -remote command. The default set-up in Mandriva 2006 is usually smart enough to do this automatically.

Latest versions

Download the latest versions, if desired. Before installing them, back up your profile, and then install them. I recommend installation in directories such as $HOME/bin/mozilla.d/firefox-1.5.06, with a symlink from $HOME/bin/firefox, which is in your path. The advantage (besides simplicity) is that firefox can auto-update itself, since it has write access to its own binary. The flip side is that anything else running as your user (a malicious extension, a trojaned download) can also rewrite that binary, so on a shared machine prefer a root-owned, package-managed install and accept doing the updates by hand. Then create a desktop shortcut to the symlink.

Don't do the stupid thing which I did during my early steps with Linux a few years ago.

Fix keyboard shortcuts

The default keyboard shortcuts for Mozilla and Firefox are the same as in readline, emacs and bash. Unfortunately, the Mandriva packages use the shortcuts defined by GTK, which match the far less useful defaults for MS Windows. To fix this, either:
- Edit (or create, if needed) the GTK-2 rc file, and add or change the key-theme line; or
- Use gconf-editor and change the key desktop - gnome - interface - gtk_key_theme from Default (MS Windows-like) to Emacs.
Then restart the browser.

The resulting behaviours match readline; for more shortcuts, see the Mozilla/Firefox Help.

Horizontal scrolling
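Both the profile-lock advice above and the broken-salted-directory repair in the Migration section below come down to two questions: which directory does profiles.ini actually point at, and is the lock inside it held by a live process? The following is an added example (my own shell functions, not a tool from the page or from Mozilla) that answers both. It assumes the profiles.ini layout ([ProfileN] sections with Path, IsRelative and Default keys) and the Unix lock convention (a "lock" symlink whose target ends in :+<pid>, beside a plain ".parentlock" file); neither is reproduced on the page.

```shell
#!/bin/sh
# Added example (not a tool from the page): find the profile directory that a
# Mozilla/Firefox profiles.ini points at, and inspect its lock before starting
# another instance. Assumptions: profiles.ini holds [ProfileN] sections with
# Path, IsRelative and Default keys; on Unix the lock is a symlink named "lock"
# whose target looks like <ip>:+<pid>, with a plain ".parentlock" beside it.

moz_profile_dir() {
    ini="$1"
    [ -f "$ini" ] || { echo "moz_profile_dir: no $ini" >&2; return 1; }
    base=$(cd -- "$(dirname -- "$ini")" && pwd -P) || return 1
    awk -v base="$base" '
        function flush() {
            if (insec && path != "") {
                p = (rel == "1") ? base "/" path : path
                if (def == "1") defpath = p
                if (first == "") first = p
            }
            path = ""; rel = ""; def = ""
        }
        { sub(/\r$/, "") }
        /^\[Profile[0-9]+\]/ { flush(); insec = 1; next }
        /^\[/                { flush(); insec = 0; next }
        insec && /^Path=/       { path = substr($0, 6) }
        insec && /^IsRelative=/ { rel  = substr($0, 12) }
        insec && /^Default=/    { def  = substr($0, 9) }
        END { flush(); p = (defpath != "") ? defpath : first
              if (p == "") exit 1; print p }
    ' "$ini"
}

moz_profile_check() {
    # "ok DIR", or "missing DIR" with status 1 when the salted directory has moved.
    dir=$(moz_profile_dir "$1") || return 1
    if [ -d "$dir" ]; then printf 'ok %s\n' "$dir"; else printf 'missing %s\n' "$dir"; return 1; fi
}

moz_lock_pid() {
    # PID recorded in the profile's lock symlink; nothing (status 1) if unreadable.
    target=$(readlink "$1/lock" 2>/dev/null) || return 1
    pid=${target##*:+}
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$pid"
}

moz_check_lock() {
    # Status 0 when the profile is unlocked (free, or a stale lock was removed);
    # 1 when a live process holds it. A lock of unknown ownership is left alone.
    profile="$1"
    if [ ! -L "$profile/lock" ] && [ ! -e "$profile/.parentlock" ]; then
        echo "$profile: not locked"; return 0
    fi
    pid=$(moz_lock_pid "$profile" || true)
    if [ -z "$pid" ]; then
        echo "$profile: lock present but owner unknown, not removing" >&2; return 1
    fi
    if kill -0 "$pid" 2>/dev/null; then
        echo "$profile: held by running process $pid; use -remote instead" >&2; return 1
    fi
    echo "$profile: stale lock from dead pid $pid, removing"
    rm -f "$profile/lock" "$profile/.parentlock"
}

# Usage: sh moz-profile.sh ~/.mozilla/firefox/profiles.ini
if [ "$#" -gt 0 ]; then
    moz_profile_check "$1" && moz_check_lock "$(moz_profile_dir "$1")"
fi
```

The deliberate conservatism is in moz_check_lock: it only deletes a lock whose recorded owner is provably dead, and leaves anything it cannot attribute for a human to look at, because removing a live lock is exactly how two instances end up fighting over one profile.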
Mozilla and Firefox have a bug (definitely not a feature) which means that, by default, the horizontal mouse-wheel scroll maps to back/forward. This is extremely annoying when you use emulated scrolling, are happily scrolling down the page, and accidentally move slightly sideways. Fortunately, it's easy to fix: type about:config in the location bar, filter on "horizontal", and change the horizontal-scroll action values so that they scroll instead of navigating history.

Of course, you can still use Alt+vertical scroll, or Alt+Left/Right arrow, for back and forward.

Adblock and prevent timeouts

Install Adblock (download it and install by clicking the link in firefox), restart firefox, then install the Filterset.G Updater to install and automatically update a list of advertising servers to block. This is useful for 3 reasons:
- It makes web browsing faster and less cluttered.
- It removes the very anti-social animated Flash advertisements, which hog a large amount of CPU, and which continue to do so even in background tabs.
- It prevents the most common occurrence of a bug where the whole mozilla UI locks up for up to a minute: one cannot even close the tab or the window, nor will the window repaint. This seems to be caused by the server stalling mid-TCP-connection (usually the overloaded server is a 3rd-party adserver); netstat reports that the socket is sitting in CLOSE_WAIT. Wait 2 minutes, and mozilla will usually come back to life.

Alternatively, you can manually configure a list of advertising servers to block (I also block fastclick). Filterset.G provides a collaboratively edited, and rather long, list of filters. Use the Filterset.G Updater, or follow the manual instructions: basically, retrieve the most recent filter file from the project's download directory and then import it with Tools - Adblock - Preferences - Adblock Options - Import Filters.

Of course, there is a risk that you might lose too much information from the web page this way.

Custom Keyword Searches
It is extremely useful to define custom keyword searches. For example, just type wp: penguin into the location bar in order to search Wikipedia for penguins. Note that the keyword must not contain a trailing space, but you must leave one between the keyword and the search term. I've chosen the same keywords as konqueror, but there is no other reason to have a colon.

To define a keyword for a bookmark, just fill in the Keyword field in the bookmark's properties. If the bookmarked URL contains a %s, this will be substituted by your search term. In Firefox 1.5, it is also possible to right-click on any search field and choose "Add a Keyword for this Search". Cute.

In Firefox 1.5, you can also click the search bar, and add extra search engines (e.g. Wikipedia).

Preference tweaks (about:config)

A few other enhancements can be made. These are also applied in about:config, and usually take immediate effect (no need to restart).

By default, if you middle-click in the main browser window, mozilla will treat this as a paste, and attempt to load the selection as a URL. It's a neat feature, but can be terribly annoying if you want to open a link in a new tab and just don't quite hit it; it also means that whatever happens to be in the selection buffer, including text copied from an untrusted page, gets loaded as a URL. It can be disabled in about:config if desired. Network performance can also be improved by tuning the network preferences there.

Creating a custom home page is also extremely useful. It keeps the most frequently used information close to hand, and doesn't slow down the browser start-up time. You can also add file:// URLs (locally hosted ones for web development) and local documentation (/usr/share/doc). The page which I use may be a useful base; I have the browser home URL set to it.
Type-ahead find is another extremely useful feature. In any web page, just start typing letters, and the first link containing these letters will be highlighted. Start with / in order to search the whole page. F3 and Shift-F3 find the next and previous matches respectively. For example, type /penguin to find the first instance of the word penguin on this page. To enable it, go to Preferences - Advanced - General, and select "Begin finding when you begin typing".

In case you haven't yet discovered it, tabbed browsing is wonderful. Middle-click on any link to open it in the background in a new tab.

Firefox fonts can be optimised in Preferences - Content - Colours (see above). I also recommend setting the background colour to pale yellow rather than white, since it is easier on the eyes.

Unlike Mozilla, Firefox has separate search and location bars. If you enter a query in the location bar, you will get a Google "I'm feeling lucky" result by default. This isn't very helpful; the keyword search preference can be changed in about:config.

For more Firefox tips and tricks, see the linked guides; about:config is documented quite fully elsewhere.

There are lots of other extensions for firefox/thunderbird/mozilla/seamonkey. Unfortunately, these cannot be installed system-wide with urpmi, but have to be installed per version of firefox, and the browser must be restarted. Remember that an extension runs with the full privileges of the browser, and therefore of your user account, so treat each one as software you are choosing to trust. There is a very useful guide to some selected extensions.

Extensions I am currently using:
- Adblock and Filterset.G Updater: as described above.
- Tab Mix Plus: allows drag-and-drop reordering of tabs, and many other features. It includes a session manager to recover from crashes, and allows tabs to be un-closed by right-clicking the tab bar. My configuration includes "prevent blank tabs when downloading files", "Don't show close icon on each tab" and "Middle-click on tab does not close it".
- Image Zoom: right-click an image to resize it.
- Web Developer Toolbar: very, very good. All sorts of useful things, including local HTML validation, and editing the HTML/CSS of pages in the sidebar.
- Aardvark: a very clever way to see and edit the individual page elements. Good for printing.
- HTML Validator: validates locally, using Tidy.
- CustomizeGoogle: helpful tweaks for Google.
Update: Image Zoom functionality is now native to Firefox. Consider also Flashblock and the Facebook Disconnect hack.

Extensions I like, but am not currently using:
- UrlParams: nice, but it interferes with "Add a Keyword for this Search".
- Session Saver: allows retrieval of the session after a crash, and un-closing of tabs. But this is duplicated by Tab Mix Plus.
- Colorful Tabs: assigns colours to tabs, making it easier to arrange them.
- StumbleUpon: serendipitously find other highly rated websites.
- Firebug: another way to see javascript errors in web pages. Seems powerful, but I can't actually figure it out.
- View Formatted Source: Fx does view the whole page source anyway, but this has a very neat inline mode.
- HTML Validator: opens a new tab to validate the page with the W3C's validator. Nice, but duplicated by the Web Developer Toolbar.

Some tools which already exist on Linux, so no extension is needed:
- kruler: screen ruler in pixels.
- kcolorchooser: select HTML colours.
- check-link: check links.

4 Firefox integration with Thunderbird

To make Firefox and Thunderbird work together, see below.

5 Migration to/of Firefox

With luck, Firefox will offer to import existing settings from Mozilla with the wizard. However, if you need to migrate manually, restore from a backup, or move from a different computer, here's how to do it by hand.
- Download and install the latest Firefox.
- Move the existing Firefox profile directory out of the way. Then run firefox (which now has a clean configuration), install extensions and plugins, and set it up as desired. Close mozilla and firefox.
- Make a backup copy of the profile.

The Mozilla and Firefox profile contents are described in detail elsewhere. The Mozilla profile resides in a salted directory under the home directory,
and the Firefox profile resides in a similar, differently named, salted directory.
- Copy bookmarks across by copying the bookmarks file.
- Copy passwords across by copying the xxxxxxxx.s file across and renaming it to Firefox's equivalent; also copy the associated key database.
- Copy cookies and history too.
Some more details are available elsewhere.

Sometimes the profiles break, and the salted directory is no longer where Moz/Fx expects to find it.
- For Firefox, simply edit the profile registry file.
- For Mozilla, create a symlink: cd into the profile directory and ln -s the new location to the old name, so that Mozilla can find the actual profile by looking where it wants to look. This is necessary since Mozilla stores absolute paths.

6 Lightweight browsers

For really fast GUI browsing, try dillo or links-graphic. These are much simpler browsers, but very, very fast.

For CLI browsing, try links or lynx. Links is tables-aware, and notices mouse clicks. Navigate with the arrow keys; press Esc for the menu. Also, use wget to download files, and note that less can view HTML.

7 Browser Plugins

Except for Java (where the path to the executable must be specified), konqueror will scan for Mozilla/Firefox plugins at startup, and they will just work. These plugins are installed by default in the commercial Mandriva system, but must be installed by hand in the GPL version. A good test for plugins is the Plugger testing grounds. I do not recommend installing mozplugger.

Java: make sure Java is installed (see below). In Konqueror, just specify the path to the java executable; usually, this is just java. In Mozilla and Firefox:
- Create the mozilla plugins directory, if necessary (mkdir).
- Change into it (cd).
- Create a symlink to the correct Java plugin (ln -s).
- Restart the browser, and test it.

Flash: Adobe/Macromedia Flash is widely used on the web for animations, and misused for adverts. GNU are developing a free alternative, Gnash, but it isn't ready yet. To install: download it (note that there won't be a version 8 for Linux; we have to wait for 8.5); untar it; close all browsers; run flashplayer-installer. Like any browser plugin, it runs with the browser's full privileges, so keep it current and consider loading it only on demand (see the Konqueror plugin settings above). To test, look at the CSS box model demo, or John Cleese's Institute for Backup Trauma.
To avoid much irritation with Flash adverts, use Adblock.

7.3 Real Audio

The Real Audio format can also be handled by mplayer and gxine, so it is not necessary to use the player from Real. However, if it is desired, see below for the installation, then register the plugin.

7.4 All other formats: Mplayer

The Mplayer plugin is excellent, and can play practically anything. Just install it, using urpmi mplayerplugin. If using Firefox from the .bin and not the official RPM, it is also necessary to symlink the plugin files into Firefox's plugins directory (ln -s): one for Windows Media files (but this is sometimes unstable), one for QuickTime files, and one for RealPlayer rtsp files (or use RealPlayer for those).

Sometimes (rarely) there is a file which mplayer cannot play. VLC is a good alternative, although I don't recommend installing the vlc-plugin.

Mail Client: Mozilla, Thunderbird, Pine configuration

1 Mozilla mail

The old Mozilla mail suite has worked extremely well for a long time. It is a shame to say goodbye, but the developers and bugfixes are now mainly with Thunderbird. That said, SeaMonkey is still maintained.

2 Thunderbird

2.1 Installation

This is very similar to the Firefox install. The profile directories to back up are as described for Firefox. Install in $HOME/bin/mozilla.d/thunderbird-1.5.0.5, with a symlink from $HOME/bin/thunderbird, which is in your path. Note that Mandriva's thunderbird binary has the same name, so be careful with PATH. Thunderbird's Import wizard is quite good; otherwise see Migration below.

2.2 Thunderbird Setup

2.3 Thunderbird Extensions

2.4 Migration to/of Thunderbird

3 Other mail clients: KMail, Pine

Alternative GUI mail clients include the well-regarded KMail and Evolution. On the CLI, pine is a delight to use.

4 Other e-mail tips

It's easy to move mail from one client to another; virtually all of them support mbox. For example, each message folder Foldername in Thunderbird has the following files: Foldername (the mbox itself), a message summary file (this index can be deleted), and a subdirectory for sub-folders.
Some clients use maildir too; this is more advanced, but requires efficient storage of small files.

To access Hotmail as if it were a POP server, use hotwayd.

Some mail clients can directly import from MS Outlook; however, this isn't so useful if Outlook isn't installed on the machine concerned. Instead, convert email from Outlook Express's mailbox file to an mbox file with oe2mbx. This uses liboe, which can be found here (archive). For Thunderbird, just move the file into the Mail subdirectory of the profile, renaming it without the extension. If a previous import attempt has failed, use Thunderbird's Remove Duplicate Messages extension to keep just one copy of each message.

TNEF (transport-neutral encapsulation format) attachments are Microsoft's proprietary version of MIME. Many configurations of Outlook send attachments this way by default. Here are more details, and the Thunderbird bug 77811. The solution is to download tnef; I use this script.

For local mail using the mail program, and to receive email from daemons and cron jobs, use postfix (see below).

5 Firefox, Thunderbird and other integration

By default, Firefox and Thunderbird are not paired: clicking a mailto link in Firefox invokes Evolution, not Thunderbird. This setting is defined in the Gnome control panel (despite the fact that we are using KDE), and there is no GUI pref for it in Firefox. A similar problem applies to Thunderbird. However, it's easily fixed, thanks to this Gentoo tip.

To make Firefox open mailto links in Thunderbird: go to the URL about:config, right-click, and add a new string.

To make Thunderbird open ftp URLs in Firefox: go to Edit - Preferences - Advanced and click the Config Editor button; right-click, and add new strings.

For Konqueror, use the script above.

8 Migration from Mozilla suite to Firefox/Thunderbird

Non-free Software: Java, Flash, RealPlayer
These are installed by default if you use any of the Club/Commercial media. However, the Free distribution doesn't include them, and so they must be downloaded and installed directly from their home pages.

1 Java

For now, Sun's Java is the best one. Kaffe isn't ready, although GCJ is already very good. Note this Mandriva warning to avoid version 1.4.2_09. To install Java:

Download Java from here. I recommend the JDK (Java Development Kit), which includes both the javac compiler and the JRE (Java Runtime Environment). Get the package called "J2SE(TM) Development Kit 5.0 Update 7", which is 45MB, and not the one with NetBeans, which is 140MB and doesn't install anyway. Download the Linux RPM in a self-extracting file. Sun's installation instructions are here.

Then, as root, run the self-extracting file with sh (type yes to the licence), then urpmi the resulting RPM. It's now installed, but not in the path.

Remove any old versions, or links to /etc/alternatives: cd /usr/bin; rm java javac javadoc javah javap jar. (Alternatively, let update-alternatives manage these links rather than deleting them by hand.)

Create symlinks to the new versions, e.g. ln -s /usr/java/jdk1.5.0_07/bin/java.

See above to install the browser plugin.

2 Flash

See above for installing the Flash plugin.

3 RealPlayer

RealPlayer 10 for Linux can be downloaded from here. Note that it doesn't use ALSA, but requires an exclusive lock on /dev/dsp (or use aoss). For the browser plugin, see above. To test RealPlayer, try the BBC Documentary Archive.

Alternatives to RealPlayer are mplayer and xine/gxine.

To play Real Audio with xine/gxine, first install the Real Audio codecs: urpmi real-codecs. Then tell gxine where they are located: set the user interface mode to "expert", then go to File - Preferences - Codecs - Path to RealPlayer codecs. The path should be /usr/lib/real. Then Firefox can just click on a link; otherwise gxine gives an error message saying it cannot find the codecs.

To play the file with mplayer, you have to know which type it is:

A Real Audio playlist file (like an .m3u) is a short text file containing one or more URLs of a stream. With mplayer, look inside the file, or use -playlist.
An rtsp:// URL is the Real Audio stream itself. It may also specify a start position. This can be opened directly in mplayer; I recommend -cache 100 for improved startup speed.

I have written some simple scripts which may be of use: one plays a stream, and one saves a stream to Ogg.

4 Acrobat Reader

Acrobat Reader can be installed from Adobe. However, it is totally unnecessary, and not always stable. Alternatives are kpdf (most full-featured), gv (fastest) and xpdf (most reliable on all files, even those which cause errors for gv). From the command line, use pdftotext | less, or pdftops.

As for proprietary VoIP clients: ugh. Just don't do it. Use SIP instead. I wrote a VoIP howto, which is here.

6 Nvidia Driver

For desktop systems, the nVidia driver can be downloaded from here. It works quite well, although it is annoying to have to re-install it for every kernel. Note that, on rebooting into a new kernel, Mandriva will helpfully break your configuration, and you have to fix that too.

SSH: Secure shell, keys

SSH is absolutely wonderful. It does all sorts of clever things: encrypted remote logins; passwordless logins with public-key cryptography; file transfers (scp); X11 forwarding; VNC tunnelling; port forwarding of any TCP protocol.

1 Installation

Installation is simple: urpmi openssh-clients openssh-askpass-gnome openssh-server sshd-monitor keychain. Check that the service is on with chkconfig --list sshd. The default configuration is good, but can be altered in /etc/ssh if desired. It is important to stay current with the security updates on the Mandriva Security announcement mailing list.

Check that only SSH protocol 2 is enabled, and prevent direct logins as root: if root may log in, an attacker only has to guess the password, not the username too, and every privileged action is then untraceable to a named account. Change the following lines if necessary in /etc/ssh/sshd_config, then restart sshd and confirm what the running daemon actually uses with sshd -T | grep -i permitrootlogin (OpenSSH 5.1 or later). Once key-based logins are working (section 2 below), consider also setting PasswordAuthentication no, which takes password guessing off the table entirely.
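The two sshd_config checks just described, together with the ~/.ssh permission rules given in the key section that follows, as an added example (my code, not the page's and not part of OpenSSH): it reads the effective Protocol and PermitRootLogin values from a config file the way sshd does (first occurrence wins), and checks a home directory against what sshd's StrictModes enforces on ~/.ssh and authorized_keys. The weak and corrected config files, the scratch home directory and the key line are all constructed inline; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page or from OpenSSH: audit the two
# sshd_config settings named above (Protocol, PermitRootLogin), and check a
# home directory against the permission rules sshd's StrictModes enforces on
# ~/.ssh and authorized_keys (described in the key section below).  Every
# file inspected here is constructed in a scratch directory.

# sshd_setting FILE KEYWORD -> effective value, lower-cased.  sshd honours
# the first occurrence of a keyword, so stop at the first match.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if the policy holds, else 1 (one FAIL line each)
audit_sshd_config() {
    f=$1 rc=0
    proto=$(sshd_setting "$f" Protocol)
    # OpenSSH 7.0+ no longer speaks SSH-1 and the Protocol keyword is obsolete,
    # so an absent line is fine; when present it must be exactly "2" ("2,1" is not).
    if [ -n "$proto" ] && [ "$proto" != 2 ]; then
        echo "FAIL: Protocol $proto still offers SSH-1; want 2"; rc=1
    fi
    root=$(sshd_setting "$f" PermitRootLogin)
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin ${root:-<default>}; want no"; rc=1
    fi
    return $rc
}

# mode_of PATH -> octal mode (GNU stat, falling back to BSD stat)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# writable_by_others MODE -> 0 if the group or other write bit is set
writable_by_others() {
    case "$1" in *[2367]?|*[2367]) return 0 ;; esac
    return 1
}

# check_ssh_perms HOME -> 0 if sshd's StrictModes would accept the layout:
# home not group/other-writable, ~/.ssh exactly 700, authorized_keys not
# group/other-writable.
check_ssh_perms() {
    h=$1 rc=0
    m=$(mode_of "$h")
    if writable_by_others "$m"; then
        echo "FAIL: $h is mode $m; must not be group/other writable"; rc=1
    fi
    m=$(mode_of "$h/.ssh" 2>/dev/null)
    if [ "$m" != 700 ]; then
        echo "FAIL: $h/.ssh is mode ${m:-missing}; want 700"; rc=1
    fi
    ak="$h/.ssh/authorized_keys"
    if [ -f "$ak" ] && writable_by_others "$(mode_of "$ak")"; then
        echo "FAIL: $ak is group/other writable"; rc=1
    fi
    return $rc
}

# --- demonstration on constructed input ---
WORK=$(mktemp -d)
printf 'Protocol 2,1\nPermitRootLogin yes\n' > "$WORK/weak.conf"   # constructed weak config
printf 'Protocol 2\nPermitRootLogin no\n'   > "$WORK/hard.conf"   # corrected counterpart
FAKE_HOME="$WORK/tux"
mkdir -m 755 "$FAKE_HOME" && mkdir -m 700 "$FAKE_HOME/.ssh"
# not a real key, just the one-line authorized_keys format
printf 'ssh-rsa AAAAB3NzaC1yc2E-constructed tux@iceberg\n' > "$FAKE_HOME/.ssh/authorized_keys"
chmod 600 "$FAKE_HOME/.ssh/authorized_keys"
audit_sshd_config "$WORK/weak.conf" || echo "weak.conf: rejected"
audit_sshd_config "$WORK/hard.conf" && echo "hard.conf: accepted"
check_ssh_perms "$FAKE_HOME" && echo "$FAKE_HOME: StrictModes would accept it"
```

Point audit_sshd_config at /etc/ssh/sshd_config and check_ssh_perms at a real home directory to use it for real; the permission checker is also the first thing to run when a freshly installed key is ignored and sshd falls back to asking for a password.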
2 Remote logins and keys

Remote logins are now easy, and secure. Consider a local user tux, sitting at machine iceberg, who wants to log in with the same username tux on host antarctica. Sitting at iceberg, tux should simply type ssh antarctica. Hostnames should be fully qualified if necessary; the remote username may be omitted if it is the same as the local one. SSH connections can be nested.

To copy the herring directory from iceberg to antarctica, use scp: scp -r /home/tux/herring antarctica: (note that the final colon is required).

The tab name in konsole can include the hostname; see above.

SSH keys are wonderful. Not only do they save entering your password repeatedly, but they increase security, since your password is never exposed to the remote machine.

Firstly, create a public/private key pair: ssh-keygen -t rsa. Do set a passphrase. This creates a key pair in ~/.ssh: the private key is id_rsa and the public key is id_rsa.pub. Do not distribute your private key. (On a current OpenSSH, prefer ssh-keygen -t ed25519; if you need RSA, give -b 3072 or more, since older releases defaulted to 1024-bit keys.)

Keys should always have a passphrase, unless you really trust the machine holding the private key not to get compromised or stolen. Furthermore, root on any machine which is running ssh-agent can use the keys loaded into it (the agent socket is just a file), and so can log in to every host that trusts them. Running ssh-agent on only one machine is therefore preferred; see below.

Then, any machine which has a copy of the public key will allow passwordless login from any machine holding the private key. Do this by appending the public key ~/.ssh/id_rsa.pub on iceberg to the list of authorized keys ~/.ssh/authorized_keys on antarctica. If necessary, create the directory and append to an empty file. On older versions of sshd, the authorized_keys file is named authorized_keys2. The directory ~/.ssh must have permissions of 700, and your home directory must have permissions at least as restrictive as 755; sshd's StrictModes check silently ignores the key otherwise, and says why in the auth log.

Now we need to make sure that the key is authorised. This uses ssh-agent and keychain to prompt the user, at the first login after booting, for the passphrase. To set this up, run keychain once as the user; it will then be configured to load ssh and GPG keys automatically at every future login. keychain will prompt for the passphrase (if there is one) by using ssh-askpass immediately after the login screen. The authorised key will now persist until ssh-agent exits, i.e. probably until the machine is rebooted.

At login, only the keys with the default names (identity, id_rsa, id_dsa) will be automatically imported into the keychain. This is controlled by the variable KEYS in keychain's configuration. If you have extra keys, these must be added manually, with something like this in your shell startup file.

You now have to enter your passphrase only once each time you boot the system, and that is it: extremely easy remote access. For convenience, set up some aliases in your shell startup file, e.g. alias sshantarctica='ssh antarctica'.

Should it ever be necessary to restart keychain, do this.

Scripts run from cron cannot take advantage of the above, because they do not have KEYCHAIN_FILE exported into their environment. To run, for example, a nightly remote backup over ssh, do this:
The backup script must source the relevant keychain file.
ssh-agent must be running; this means that the user must have logged in at least once since boot, and typed the passphrase. The user need not still be logged in.
Neither of these is necessary if the ssh key pair has no passphrase. In that case anyone who obtains the key file has everything it grants, so for an unattended job restrict such a key on the server side with a command= option in authorized_keys, limiting it to the one backup command.

This page at IBM developerWorks is very helpful, but note that it refers to one startup file, whereas Mandriva uses a different one. See also keychain --help, and note the option keychain --clear.

3 Copying files

To copy a single file, or a directory, use scp. This is the simplest way, but it does copy file permissions, and it always converts symlinks to real files. E.g.:
scp FILE antarctica: copies the file FILE in the current directory on iceberg to tux's home directory on antarctica (note the colon).
scp -r /home/tux/worlddomination dust-puppy@antarctica:secrets recursively copies tux's worlddomination directory into dust-puppy's secrets directory on antarctica.

A better way is to use rsync, which has a huge number of options. In particular, it can synchronise directories without needing to transfer redundant information, and it can preserve special files (e.g. symlinks), which scp does not. Note that if the source is a directory, the presence or absence of a trailing slash makes a difference. E.g.:
rsync -avzS -e ssh pebbles antarctica:nest copies tux's pebbles directory on iceberg into the nest directory on antarctica, resulting in /home/tux/nest/pebbles/rock12345.o.
rsync -avzS -e ssh pebbles/ antarctica:nest copies the contents of the pebbles directory on iceberg into the nest directory on antarctica, resulting in /home/tux/nest/rock12345.o.

Alternatively, you can use ssh as a network-transparent pipe, e.g. cat FILE | ssh tux@antarctica 'cat > FILE'. The first cat's stdout is piped to the second cat's stdin.

You can also use bash tab completion of paths on the remote host with scp and rsync. To do this, you must have passwordless ssh access to that system, and enable scp tab completion with COMP_SCP_REMOTE: put COMP_SCP_REMOTE=true in your shell startup file.

4 Nested SSH Connections: SSH ProxyCommand or AgentForwarding

Consider a firewall called ocean, which stands between iceberg and antarctica. Antarctica is on a private network, visible only to ocean. Both machines run sshd, and have tux's public key. Tux wishes to ssh into antarctica. The easiest way is to first ssh into ocean, and thence to ssh into antarctica. But the second connection will require him to type his password, despite having an authorised key, because the private key lives on iceberg, not on ocean.

4.1 SSH ProxyCommand

This is the recommended, and safest, method. It also supports single-step scp. We use ProxyCommand with netcat; it is explained in detail here. (OpenSSH 5.4 and later can do the same without netcat, with ProxyCommand ssh -W %h:%p ocean; and from 7.3 the single option ProxyJump ocean, or ssh -J ocean antarctica on the command line, replaces the whole recipe.)
In summary, we must create a small netcat proxy script (on iceberg, for simplicity) and then add a Host entry that uses it to our ssh client configuration. Alternatively, to avoid creating the netcat proxy command as a separate script, just put the nc invocation inline in the Host entry.

Also, ensure that nc is installed on the firewall, ocean. There are two variants of netcat, netcat-traditional and netcat-openbsd, which interpret the -w option differently. In both cases -w is a timeout period, but for netcat-traditional this applies only to connections and EOFs, whereas for netcat-openbsd it also (unhelpfully) includes stdin. Ensure that the former is the one installed on ocean, not the latter; otherwise SSH will terminate within about one second with "Write failed: broken pipe". If both versions are installed, then /etc/alternatives switches nc from one to the other, or you can invoke the traditional binary explicitly.

Using ProxyCommand, we can do the following:
SSH directly to antarctica, as though it were on the local network: tux@iceberg$ ssh antarctica
Use scp: tux@iceberg$ scp FILE antarctica:
Use VNC over ssh and a proxy: tux@iceberg$ vncviewer -via antarctica localhost:0

4.2 SSH Agent Forwarding

BIG FAT WARNING: SSH agent forwarding exposes your ssh-agent to hijacking unless you completely trust root on the intermediate machine. Root on ocean can connect to the forwarded agent socket and authenticate as you to anything your keys can reach, for as long as your session lasts. ProxyCommand is a much better alternative. See also the ForwardAgent setting in man ssh_config.

The simplest solution is to enable ssh-agent forwarding on iceberg. Antarctica then authenticates tux by sending its challenge back through ocean to the agent on iceberg, which signs it. Compared with copying the private key onto ocean, ssh-agent forwarding slightly improves security (ssh-agent only runs on the most trusted machine, and the key itself never leaves it), and improves convenience by eliminating the need to type a password the second time.

Don't actually do this. To enable agent forwarding, append these lines to either /etc/ssh/ssh_config or your own client configuration.

Using agent forwarding, we can do the following:
In two stages: tux@iceberg$ ssh ocean, and then tux@ocean$ ssh antarctica, without needing a password on either occasion.
In a single leap: tux@iceberg$ ssh -t ocean ssh antarctica. The -t is needed to force allocation of a pseudo-tty for the nested interactive session.
The networked pipe equivalent is cat FILE | ssh tux@ocean ssh antarctica 'cat > FILE'.

5 Advanced uses

There is even more magic that can be done. It really helps to have passwordless key-based logins for this.

5.1 Direct X forwarding

SSH to antarctica and launch a GUI application such as xclock. Magically, it appears on iceberg, on your own display. If this does not work, invoke ssh with -X. X11 forwarding can be turned on always by adding ForwardX11 yes to your client configuration.

Security considerations: when forwarding X11, you are essentially connecting your screen, mouse and keyboard to the other machine. That machine will now have access to your X display, including being able to run a keylogger. In general, don't use X forwarding unless you trust the other machine.

ForwardX11 (ssh -X) uses the X server's SECURITY extension to prevent untrusted clients from accessing parts of your X display that they should not. This is relatively safe, but some older GUI applications will not work.

ForwardX11Trusted (ssh -Y) implicitly trusts the other machine. This is potentially unsafe. Remember: a trusted machine is one that can break your security policy. Caveat: some distributions (Debian and its derivatives among them) ship ForwardX11Trusted yes in /etc/ssh/ssh_config, which silently makes -X behave like -Y. Check with ssh -G antarctica | grep -i forwardx11trusted (OpenSSH 6.8 or later), and set ForwardX11Trusted no in your own configuration if you rely on the distinction.

5.2 VNC over SSH

Either use vncserver to start a new X session, or x11vnc to connect to an existing one.

ssh into antarctica and run either vncserver or x11vnc -localhost -display :0, as appropriate. For more on vncserver, see below.
Start the VNC viewer (tightvnc), using the -via option for an ssh tunnel: vncviewer -via tux@antarctica localhost:DISPLAYNUM, where DISPLAYNUM is 0 for x11vnc, and is the number quoted to you by vncserver.
Exit the viewer. If using x11vnc, the server will exit, leaving the X session running as before. If using vncserver, it will continue to run until closed with vncserver -kill :DISPLAYNUM.
Note that, if ProxyCommand is configured, you can have a multi-step -via, useful if there is an intervening firewall as well as a firewall on the target machine.

5.3 Xpra: screen for X

Direct X forwarding is convenient (just ssh in and launch the desired program, and it appears on your display like any other window), but it only really works over a 100M LAN; it can be almost unusable over broadband. VNC is much more responsive, but is more awkward to set up, and it forwards the entire desktop rather than just specific windows. NoMachine NX solves this, but is difficult to get working. The answer is Xpra, which has all the simplicity and integration of rootless X forwarding, and is almost as responsive as VNC. An extra benefit is the way it acts like screen, i.e. you can detach from it and reconnect later.

Simple instructions are given on the Xpra website:
SSH into the server, and run the command xpra start :100 --start-child xterm.
From the local machine, run xpra attach ssh:serverhostname:100 --encoding png.

Xpra also starts a panel applet in the systray, which allows configuration and includes a nifty bandwidth-monitor graph.

Note that the default encoding (H.264) is really a video codec. For text editors (e.g. kwrite) it's much more responsive to use one of the PNG encodings, or raw RGB + zlib.

5.4 GUI Drag 'n' Drop

Konqueror uses the fish ioslave to allow remote access via the GUI, and drag-and-drop. Just type this as the URL: fish://tux@antarctica/home/tux/nest. Note that there is no colon before the path; the syntax is web-like, rather than rsync-like. sftp:// is similar, but not supported by all ssh servers.

5.5 Port Forwarding over SSH (-L)

As above, we have a firewall called ocean, which stands between iceberg and antarctica. Tux wishes to talk to a web server (port 80) on antarctica, but antarctica is on a private network, visible only to ocean.
Tux connects to ocean thus: ssh -L 8888:antarctica:80 tux@ocean. In addition to the normal ssh connection, ssh opens a tunnel. The far end of the tunnel connects from ocean to antarctica on port 80; the near end is port 8888 on localhost (iceberg). Note that only the iceberg-to-ocean leg is encrypted; the hop from ocean to antarctica is plain TCP on ocean's private network.

Tux can now browse the remote web server by connecting to http://localhost:8888/.

We could run the command ssh -C -f -L 8888:antarctica:80 tux@ocean sleep 20 instead. This compresses the data (-C), and forks the connection into the background (-f); the sleep 20 makes ssh exit after 20 seconds unless something has started using the tunnel by then, in which case it stays up until that connection closes. Use the -g (GatewayPorts) option to make local port 8888 listen on other interfaces; by default, only local users on iceberg may use the tunnel. Bear in mind that -g lets anyone who can reach iceberg ride your tunnel with your credentials on the far side, so where possible bind to one address (-L 192.0.2.10:8888:antarctica:80, with your own address in place of that documentation one) rather than to every interface.

A real-world example: obtaining secure access to the Cambridge network from elsewhere, tunnelled via the SRCF. We want to use the web proxy there (because we don't necessarily trust the wireless provider), we want to send outgoing SMTP mail through the mail server there (because we are permitted to use this one), and we can just use POP as normal, via TLS. First, set up the two ssh tunnels with ssh -L (one to the proxy, one to the SMTP server). Then set Konqueror/Firefox to use the web proxy localhost:8080, set Thunderbird to have localhost:8025 as its default outgoing (SMTP) server, and just use POP incoming mail via a secure connection (TLS) as normal, which doesn't require an extra encrypted tunnel.

5.6 Reverse Port Forwarding over SSH (-R)

In this example, tux, sitting at antarctica, wishes to remotely help polar-bear with a Linux install on a new machine, iceberg. However, iceberg is located on a dynamic IP behind an unhelpfully configured router/firewall, and so there is no way to get in remotely. But polar-bear can connect to antarctica. Here's how to do it.
Polar-bear makes an outbound ssh connection to antarctica thus: ssh -C -R 8022:localhost:22 polar-bear@antarctica. Antarctica will now accept local connections to port 8022, and will tunnel those connections back to the ssh server on iceberg's port 22. Tux can now connect to iceberg by doing ssh -p 8022 -o UserKnownHostsFile=/dev/null localhost. Then, for example, tux might run x11vnc in order to assist polar-bear.

In this example, the -C is for compression, and the -o UserKnownHostsFile=/dev/null is to stop ssh complaining about the key fingerprint not matching for localhost. That option also means ssh can never notice if the host key at the far end of the tunnel changes, so it is better to give the tunnelled host its own name instead: ssh -p 8022 -o HostKeyAlias=iceberg localhost stores and checks iceberg's key under "iceberg" in known_hosts, separately from the real localhost entry. Note that, by default, the port 8022 opened on antarctica will only accept local connections, from another user sitting at antarctica.

A real-world example, with the same usernames: tux@antarctica (which is publicly accessible), and polar-bear@iceberg (which can only make outgoing connections). First, tux must create a temporary account on antarctica for polar-bear to log in to (and remove it again afterwards). Then polar-bear, sitting at iceberg, uses this to connect to antarctica, opening a reverse tunnel: ssh -C -R 8022:localhost:22 antarctica. Then tux, at antarctica, connects via the tunnel to iceberg: ssh -p 8022 -o UserKnownHostsFile=/dev/null polar-bear@localhost. At this point he starts up x11vnc: x11vnc -display :0, which runs on iceberg's port 5900. Then tux, at antarctica, creates a forwarded tunnel from port 5900 to iceberg's 5900: ssh -L 5900:localhost:5900 -p 8022 -o UserKnownHostsFile=/dev/null polar-bear@localhost. Tux can now start the vncviewer, to connect through this tunnel and control iceberg: vncviewer -encodings "copyrect tight" -compresslevel 7 -quality 6 -bgr233 localhost:5900. Notes: TCP tunnelled within TCP is technically bad, but usually works OK. We specify VNC encodings manually, since vncviewer doesn't know that localhost isn't actually local. This is even easier with ssh keys.

5.7 Dynamic Port Forwarding: Web browsing with SOCKS
Normally, port forwarding only works for a specific server. But ssh -D sets up dynamic forwarding, using the SOCKS v5 protocol, which allows the ssh proxy to relay web browsing. To do this:

Configure Firefox to use a SOCKS v5 proxy: in the network preferences, choose "Manual Proxy Configuration", then SOCKS Host localhost, port 1080, and SOCKS v5. Also ensure that Firefox sends DNS requests through the proxy: in about:config, set the relevant preference to true. Without it, every hostname you visit still leaks to the local network's resolver, even though the page traffic itself is tunnelled.

Finally, set up the ssh tunnel with -D. The autossh program is useful: it can reconnect automatically when the tunnel is closed.

Here is an example. Consider that tux has gone to a conference in Norway, taking his laptop. He wants to tunnel all traffic through his home machine, antarctica. So he runs autossh -D 1080 -L 8025:localhost:25 antarctica. This gives him a shell on antarctica, proxies his Firefox web browsing (and DNS), and allows him to send outbound mail too. Who needs a VPN? (Only the applications configured to use the proxy are tunnelled, of course; anything else on the laptop still goes out over the conference network.)

5.8 UDP over SSH

You can tunnel UDP packets over ssh, using netcat. Here is how.

5.9 SSH (or fish) over SSH

This is a special case of the port forwarding above. SSH can be tunnelled within ssh (although ssh ProxyCommand is better); more usefully, fish can be tunnelled for file transfer. In principle, tunnelling TCP within TCP is a bad idea (duplicated error correction will multiply up network errors), but in practice it works fine over a decent network.

5.10 SFTP (SSH File Transfer Protocol), with a Chroot

Natively, SFTP just works, when connecting either with the command-line sftp application or a GUI such as FireFTP. It works like normal FTP. However, that gives the sftp user the same access as an ssh user. Sometimes it's useful to have a much more restricted setting, allowing access only to a particular directory. Here's how.

Based on this: enabling chrooted SFTP on a web server.
Create a dedicated sftp user; let's call him puffin. Then create a chroot within the home directory (this, and everything above it, must be owned by root), and a files directory he can use:
useradd puffin
mkdir -p /home/puffin/chroot/files
chown -R root /home/puffin
chown puffin /home/puffin/chroot/files
The chroot directory and every directory above it must also not be group- or other-writable; if either rule is broken, sshd refuses the login and logs "bad ownership or modes for chroot directory".

For safety, disable normal logins by changing the shell to nologin. This will politely decline an SSH request, even when sftp is disabled: usermod -s /usr/sbin/nologin puffin.

We could consider just using SFTP only, without a chroot, but this would then grant read access to the entire filesystem. If this is what you wanted: usermod -s /usr/lib/openssh/sftp-server puffin (careful).

Otherwise, edit /etc/ssh/sshd_config: comment out the line Subsystem sftp /usr/lib/openssh/sftp-server and add the following. (Note that a chroot only works with sshd's built-in internal-sftp subsystem; the external sftp-server binary does not exist inside the chroot.)

Restart sshd: service ssh restart.

Connect with an SFTP program, e.g. sftp or FireFTP. Open the URL sftp://puffin@antarctica/files.

5.11 Executing complex remote commands

Simple commands: ssh antarctica cat FILE will run the command cat FILE on machine antarctica. The output will be redirected to stdout on iceberg, and the exit code will be that of the remote command.

More complex commands need some escaping:
Wrap the whole command in double quotes and parentheses. The double quotes protect it (mostly) from the shell on iceberg; the parentheses create a new subshell on antarctica, which may contain things like if ... then ... fi.
Inner double quotes should always be escaped singly, with a backslash; a second backslash is literal.
$ is escaped as \$ if it is a variable on antarctica, but not escaped if it is to be evaluated on iceberg before the remote command is run.
To have a literal backslash metacharacter on antarctica, it must be triply escaped, e.g. \n becomes \\\n.

For example, rather than write a script on antarctica and then execute it remotely, tux might wish to have all the logic in a single shell script, running on iceberg. This script tells tux whether he has enough herring in his freezer.

5.12 SSHFS: the ssh filesystem
SSHFS allows users to mount a remote directory on a local mount point. The only requirement is that they have ssh access to the remote server. There are two implementations, sshfs and lufs, both based on the userspace filesystem FUSE. SSHFS is the more recently maintained version, and I have found it to be reliable. Note: sshfs does not work well at all over an unreliable link (e.g. slow Wi-Fi). It doesn't retry fast enough after failures, resulting in minute-long timeouts.

Download from here, compile, and install both fuse and sshfs from source.
As root: modprobe fuse. This creates /dev/fuse with permissions 666.
Then, as a normal user, mount the ssh filesystem as desired: sshfs -r -o reconnect tux@antarctica:nest ~/mnt/nest. The -r is for read-only, if desired; the reconnect is useful if the connection fails.
To unmount, do fusermount -u ~/mnt/nest.
If the ssh connection dies, the mount point will hang, and cannot be unmounted; killall sshfs will fix it.
sshfs is most useful if you already have key-based authentication.

I have found lufs to be unreliable. For completeness:
Install with urpmi lufs (only required on the client).
As a normal user: lufsmount sshfs://tux@antarctica/home/tux/nest ~/mnt/nest -fmask 444 -dmask 555.
To unmount: lufsumount ~/mnt/nest.
Note: if the ssh daemon on the remote end dies, or the network connection fails, this causes serious problems. The local mount point will become un-unmountable. A reboot is required to recover from this; furthermore, the machine will not finish shutting down on its own, and will require a reset. killall lufsd may help here; I haven't tried it.

5.13 X2X: share a keyboard and mouse between different systems
X2X lets you forward keyboard and mouse events from one X display to another. Consider a desktop machine, nest, sitting on the same table as a laptop, iceberg. The laptop is placed with its screen to the right of the desktop's monitor, but its keyboard and mouse are inconvenient to reach. On the desktop machine, nest, run the command ssh -X iceberg x2x -east -to :0.0. Now you can move the mouse pointer off the right-hand edge of the desktop display, and onto the left-hand edge of the laptop display. The keyboard will go to whichever window has focus. X2X is available via urpmi, or from here. More details here.

X2X is also capable of synchronising the clipboards, though it doesn't seem to work for me. Unfortunately, it can't yet drag windows from one display to another. N.B. Don't try to get in a loop between two mutual instances of X2X: just like back-to-back mirrors, it will never let you out.

Encrypting and decrypting files with SSH RSA keys: see here.
Printing over the network: cat FILE | ssh antarctica lp.
Copy the clipboard from one machine to another: define a function ccc in your shell startup file, then type ccc to pull the remote clipboard to the local machine.
Tunnelling SSH over an HTTP proxy, if behind restrictive firewalls: use corkscrew.
HashKnownHosts: this option in ssh_config stores the hostnames in known_hosts hashed. It's a slight security gain (someone who reads the file learns nothing about which hosts you connect to), but makes bash completion on hostnames less useful.
AddressFamily inet: this option in ssh_config makes SSH use only IPv4 to connect. It can be faster, especially if IPv6 addresses exist but fail. To test, use the -4 option, e.g. time ssh -4 antarctica exit.

Other Tweaks: NTP, Apache, Cron, Postfix, NFS, DVD

1 NTP configuration

NTP is the Network Time Protocol, which can synchronise the computer clock to within 10ms of UTC. A more detailed explanation of how NTP works is here.
To configure it, run drakclock and ensure that "enable ntp" is checked. Then pick a time server: ideally, use your own ISP's time server; otherwise, here is how to use a public one. It is also a good idea to keep the computer's hardware clock permanently on GMT, rather than setting the hwclock back/forward for winter/summer. To test it, allow ntpd a minute or two to synchronise after restarting, then run ntpstat or ntpq -p.

The system service is ntpd, and it is configured in its configuration file. See also man ntpd and man hwclock.

Alternatives to ntp include chrony or htpdate.

2 Apache setup

The Apache web server (now with 2/3 market share) is very sophisticated, but by default it just works. Files placed in /var/www/html will be served up to the world (firewall permitting). Mandriva splits Apache into lots of modules, which may be installed in combinations as desired, for example apache-mod_php and apache-mod_userdir.

Two things have changed in Mandriva 2006:
Support for users' home directories (~username) is no longer on by default. To enable it, install apache-mod_userdir. Then ensure that the user has a directory public_html, that their files within it are readable by Apache, and that the directories above it may be traversed by Apache (i.e. the directories are executable).
.htaccess files are now ignored, so directories protected by them will no longer be secure. To re-enable this, do TODO FIXME WHAT (the directive involved is AllowOverride in the relevant <Directory> block; after any upgrade, check by requesting a protected URL and confirming that you still get a 401).

If using PHP, remember to ensure that register_globals is OFF. The old advice to turn magic_quotes_gpc ON is no longer sound: it mangles input rather than securing it, was removed in PHP 5.4, and is no substitute for parameterised queries and proper output escaping.

3 Mail forwarding and Postfix

This explains the setup of Postfix to send email from the local system via the Internet service provider's SMTP server. The result is that mail from daemons, cron jobs and Apache/PHP will be delivered to your normal inbox. It does not cover setting Postfix to handle incoming mail (just use Thunderbird with a POP server), nor does it cover using SpamAssassin to identify spam, nor procmail (advanced email processing). A simpler alternative, aimed primarily at delivering mail from cron, is sSMTP.

3.1 Basic setup required
Install postfix: urpmi postfix. Make sure the postfix service runs by default: chkconfig --list postfix.

Normally, postfix will attempt to directly contact the recipient's mail server. However, some ISPs block port 25 to prevent this, as a spam-mitigation measure for compromised Windows machines. If the ISP requires that outgoing email (SMTP) is routed via their servers, use a relay host: add or edit the relayhost line in the main configuration file.

If the relay host requires username/password authentication, first urpmi libsasl2-plug-login libsasl2-plug-plain, then add the SASL client lines to the main configuration file, and create a password map file, owned by root and with mode 600: /etc/postfix/sasl_passwd. The mode matters: the file holds your ISP mailbox password in clear, and the .db file that postmap builds from it must be kept equally private, so check both.

Define the default email addresses for mail sent from local users: add the canonical maps line to the main configuration file, and then create the file /etc/postfix/canonical containing the mappings.

Where should local mail (from one user or daemon to another local user) be delivered? If you want it to remain on the local system, just access it directly, with pine. Alternatively, it can be forwarded to another address, defined in that user's .forward file. This file contains a single line, with the destination email address. It must have permissions 600, and your home directory must only be writeable by you.

Root's mail is forwarded differently: edit /etc/aliases and change the root entry.

For security, ensure that Postfix only listens on localhost unless you need to do otherwise: in the main configuration file, set the listening interface (inet_interfaces) to localhost. Confirm afterwards with netstat -ltnp (or ss -ltnp) that port 25 is bound to 127.0.0.1 only.

For outbound encryption, we can set up opportunistic TLS: when Postfix acts as an SMTP client connecting to other servers, and the other server supports it, we can encrypt the message. This setting falls back to plaintext if the server can't do TLS, so it defeats passive eavesdropping only, not an active attacker who strips the STARTTLS offer; for the one relay host you authenticate to, the stricter "encrypt" level is the safer choice, since you are about to hand it a password. Inbound mail encryption is somewhat harder, requiring some SSL certificates; see here. A useful test for encrypted TLS is provided by checkTLS.

Make sure that the security administrator for msec is defined within draksec. This user gets the output from the nightly security checks.
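The configuration points above, as an added example (my code, not the page's and not part of Postfix): an audit of a main.cf and its sasl_passwd map for the three things the text asks for, namely inet_interfaces restricted to localhost, a TLS security level on the relay leg, and a root-only password map. The parameter names are the standard Postfix ones (the page itself leaves the lines out); smtp.example.net, the account name and the password are constructed placeholders, and both configurations are written to a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page or from Postfix: audit a main.cf
# and its sasl_passwd map for the points made above.  Files are constructed in
# a scratch directory; on a real host the directory is /etc/postfix.

# pf_setting MAIN_CF KEY -> value of "key = value" (comments and blank lines
# ignored; if a key appears twice the last one wins, as postconf reports it).
pf_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# audit_postfix DIR -> 0 if DIR/main.cf and DIR/sasl_passwd pass, else 1
audit_postfix() {
    d=$1 rc=0 cf="$1/main.cf"
    # 1. Listen on loopback only unless the box relays for other machines.
    #    Postfix's built-in default is "all", hence the fallback text below.
    ifs=$(pf_setting "$cf" inet_interfaces)
    case "$ifs" in
        localhost|loopback-only|127.0.0.1) ;;
        *) echo "FAIL: inet_interfaces = ${ifs:-all} accepts SMTP from other hosts"; rc=1 ;;
    esac
    # 2. TLS on the outbound leg: "may" is opportunistic; "encrypt" refuses to
    #    fall back to plaintext and is the right level for a relay you log in to.
    tls=$(pf_setting "$cf" smtp_tls_security_level)
    case "$tls" in
        may|encrypt|dane|dane-only|fingerprint|verify|secure) ;;
        *) echo "FAIL: smtp_tls_security_level = ${tls:-none}; want at least may"; rc=1 ;;
    esac
    # 3. If SASL is on, the password map must be readable by root only.
    if [ "$(pf_setting "$cf" smtp_sasl_auth_enable)" = yes ]; then
        pw="$d/sasl_passwd"
        m=$(stat -c '%a' "$pw" 2>/dev/null || stat -f '%Lp' "$pw")
        if [ "$m" != 600 ]; then
            echo "FAIL: $pw is mode ${m:-missing}; want 600"; rc=1
        fi
    fi
    return $rc
}

# --- demonstration on constructed files ---
WORK=$(mktemp -d)
mkdir "$WORK/weak" "$WORK/hard"
# weak: listens everywhere, no TLS, world-readable relay password
cat > "$WORK/weak/main.cf" <<'EOF'
relayhost = [smtp.example.net]:587
inet_interfaces = all
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
printf '[smtp.example.net]:587 tux:not-a-real-password\n' > "$WORK/weak/sasl_passwd"
chmod 644 "$WORK/weak/sasl_passwd"
# hard: the corrected counterpart
cat > "$WORK/hard/main.cf" <<'EOF'
relayhost = [smtp.example.net]:587
inet_interfaces = localhost
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF
printf '[smtp.example.net]:587 tux:not-a-real-password\n' > "$WORK/hard/sasl_passwd"
chmod 600 "$WORK/hard/sasl_passwd"
audit_postfix "$WORK/weak" || echo "weak: rejected"
audit_postfix "$WORK/hard" && echo "hard: accepted"
```

Run audit_postfix /etc/postfix after editing; postconf -n shows the same effective values if you want to cross-check what pf_setting extracted.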
Restart postfix and check that email is sent: mail recipient@domain (finish with Ctrl-D, or a single "." on a line by itself), or echo "hello world" | mail -s hello recipient@domain.

To have the server notify on reboot, add this to your crontab:
@reboot echo "Rebooted, were you expecting this?" | mail -s "servername rebooted" recipient@domain

3.2 Advanced setup: SMTP forwarding for a NAT'd subnet

Configure postfix to listen on the internal interface, and accept mail for forwarding from the relevant machines on the subnet: edit the main configuration accordingly.

Make sure shorewall allows connections to port 25 from within the subnet: edit /etc/shorewall/rules and add a rule for it.

3.3 Some email debugging tips

- If postfix fails to start, run postfix check. Remember to restart or reload postfix to apply changes.
- Errors will be logged to /var/log/mail/errors.
- To test sending mail, use the mail command, e.g. echo hello | mail -s test recipient@domain, or interactively (Ctrl-D ends the text input), and look at /var/log/mail/info.
- To read local mail (which should probably be forwarded to your normal email account), just use mail (q to quit).
- To send email from the command-line with attachments, use mailx or mutt (more).
- To check the queue status, use postqueue -p, and to try to flush it, use postqueue -f.
- To debug SMTP, try telnetting to the smtp server. Instructions are here (there is also a simple version).
- To debug POP, try telnetting to the pop3 server. Instructions are here (there is also a simple version).
- Postfix's configuration is documented here.
- Mandriva's postfix start script runs postmap and postalias automatically. Not all distros do this. E.g. postmap /etc/postfix/canonical; postmap /etc/postfix/sasl_passwd.

4. Cron

Cron (the crond service) is a periodic job scheduler. It does:

- System housekeeping every night (updatedb, msec, rpm -Va). These run at 4am, and take about 30 minutes.
- Anything the user schedules, e.g. nightly backups.

To configure jobs, use crontab -e; see also man cron and man 5 crontab.

For one-offs, use at (and atd) instead.
If the machine isn't always on, use the anacron service to run skipped cron-jobs shortly after the machine has booted.

Note: Msec's messages from cron jobs go to the user specified in draksec.

5. NFS (Network FileSystem)

NFS is the Network File System. It is designed to allow remote mounting of a share on a fileserver. NFS is capable of many things, including encrypted connections, access-control and read-write file-locking, for which see the howto. Alternatives are Samba (designed for Windows) and SSHFS (in userspace, via FUSE), but NFS is in kernel-space, and therefore has much higher performance. Here is how to set up a basic read-only, world-accessible NFS share, useful, for example, as a central jukebox repository for music within a house.

On the SERVER, install and enable the following services: portmap, nfs-common, nfs-server.

Consider that we want to export the directory /home/public/music. Place an entry for it into /etc/exports. This exports the directory /home/public/music to all hosts (i.e. *), read-only, and squashes file-ownerships. See also man exports. You can also use the draknfs GUI.

NFS has multiple daemons, which do not always run on a pre-defined port, and it is necessary to pin the server's NFS daemons to known ports if we also want to make it firewall-able. This howto explains what to do; here is a summary, suitably modified for Mandrake rather than Fedora.

- Force statd to run on port 4001, and lockd to 4002. There's nothing very special about these port numbers, except that they are unused in /etc/services. Edit /etc/sysconfig/nfs-common and set the corresponding port options.
- Force mountd to run on port 4003: edit /etc/sysconfig/nfs-server and set the mountd port option.
- Pin rquotad to 4004, if used, by adding an entry for it to /etc/services.
- The portmapper service always runs on port 111, and the nfsd service always runs on 2049, so we needn't change these.

Restart the portmap, nfs-common and nfs-server services. Check they are permanently enabled with chkconfig.
Now that we have well-defined ports for NFS, we can enable the firewall. Make sure the firewall permits both TCP and UDP access to the following ports: 111, 2049, 4001, 4002, 4003, 4004 (4004 itself may not be required if you don't use rquotad). In /etc/shorewall/rules add rules for these ports.

The following diagnostic tools are useful:

- showmount: show what remote clients have currently mounted which directories.
- rpcinfo -p: list the ports currently used by the various RPC (remote-procedure-call) daemons.
- exportfs: show what directories are currently available to be exported.
- exportfs -fa: tell the NFS daemon that /etc/exports has been modified, without needing to restart it.

On the CLIENT, everything is much easier. If you want to have locking of files, then you need to install and run the portmap service, but it is not necessary; the alternative is to mount with -o nolock. For a read-only mount, that is perfectly sufficient. Thus, you can mount the share directly with mount, or you can add a line for it to /etc/fstab. There is also a GUI for this: diskdrake --nfs.

The mount options are explained in detail in man 5 nfs. The important things are: that nolock is useful for read-only mounts; that soft is important if you want the client to be interruptible in case of network errors (otherwise, if the server goes down, the client application cannot be terminated, even with kill -9); and that servername can be a hostname or IP address, but must be an IP address if the mount happens early in the boot process, before the system has working DNS.

6. DVD playback and creation

One can swap the ultrabay CD-RW drive for a DVD drive. To play a DVD, Linux requires:

- A DVD of the correct region to match the drive. Actually, in most cases, Linux ignores the region-coding on the disc. However, if the region of the drive has never been initialised, it may refuse to play. So, set the region using regionset.
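A check that the port pinning above actually took effect: every service in rpcinfo -p output must sit on one of the pinned ports, otherwise the shorewall rules silently leave it unreachable (or, worse, a later rule opens a wider range). Added example, not from the original howto; the rpcinfo output is constructed sample data, and the shorewall column layout (ACTION SOURCE DEST PROTO DEST_PORT) and the subnet are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto: confirm that every RPC service
# listed by `rpcinfo -p` sits on one of the ports pinned above, so nothing is
# left on a dynamic port that the firewall rules would not cover.

# The ports the section opens in the firewall (4004 only if rquotad is used).
NFS_PINNED_PORTS="111 2049 4001 4002 4003 4004"

# Constructed `rpcinfo -p` output for a correctly pinned server (sample data,
# not captured from a real machine).
RPCINFO_PINNED='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
    100021    1   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100005    1   udp   4003  mountd
    100005    1   tcp   4003  mountd
    100011    1   udp   4004  rquotad
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Reads rpcinfo -p output on stdin, reports each service on a port outside the
# allowed list to stderr, and prints the number of strays on stdout.
nfs_port_check() {  # nfs_port_check [allowed ports]
    allowed=${1:-$NFS_PINNED_PORTS}; n=0
    while read -r prog vers proto port name; do
        case $prog in ''|program) continue ;; esac      # blank line or header
        case " $allowed " in
            *" $port "*) ;;
            *) echo "STRAY: $name (program $prog v$vers/$proto) on port $port is not in the firewall list" >&2
               n=$((n+1)) ;;
        esac
    done
    echo "$n"
}

# Shorewall rule lines for the pinned ports, TCP and UDP as the section says
# (assumed column layout: ACTION SOURCE DEST PROTO DEST_PORT; $FW is the
# firewall zone). The source argument is whatever zone/subnet you trust.
nfs_shorewall_rules() {  # nfs_shorewall_rules <source zone or zone:subnet>
    ports=$(echo "$NFS_PINNED_PORTS" | tr ' ' ',')
    printf 'ACCEPT\t%s\t$FW\ttcp\t%s\n' "$1" "$ports"
    printf 'ACCEPT\t%s\t$FW\tudp\t%s\n' "$1" "$ports"
}

# Stand-alone demo: the pinned sample, then the same with statd drifted to a
# dynamic port (the situation that port pinning is meant to prevent).
echo "pinned sample, strays: $(printf '%s\n' "$RPCINFO_PINNED" | nfs_port_check)"
echo "drifted statd, strays: $(printf '%s\n%s\n' "$RPCINFO_PINNED" '    100024    1   udp  32768  status' | nfs_port_check)"
nfs_shorewall_rules 'net:192.168.1.0/24'   # placeholder subnet, adapt to your LAN
```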
- To play most commercial DVDs, it is necessary to break the CSS encryption. Install libdvdcss2 from the PLF. At least some of these packages are also required: libdvdread3, libdvdread-utils, libdvdnav4, libdvdcontrol9, vlc-plugin-dvdnav.

Then, to play the DVD, use either VLC, mplayer, xine, or ogle (plf versions). You can even back it up with mencoder.

A very quick (off-topic) aside on video-editing and DVD creation:

- Tools: kino, cinelerra, mplayer, transcode, mplex, spumux, dvdauthor, growisofs, xine, gimp. Usually worth downloading/compiling the latest versions.
- Capture from a firewire mini-DV camera with kino; edit with cinelerra (tutorial).
- Note: cinelerra really works better if you have 2 drives: source footage on one, background-rendered output on the other.
- Create the final file, then check with mplayer.
- To avoid "mice teeth", I recommend de-interlacing the final file before making the DVD.
- Conversion to mpeg, burning to DVD, DVD-menus: see here (very detailed). My incantation was: transcode -i INPUT_FILE -V -x mplayer,mplayer -y mpeg -F d -Z 720x576 --export_fps 25 --export_asr 2 -E 48000 -b 224 -J smartdeinter -o outputmpeg, which results in outputmpeg.m2v (the video; play with mplayer) and outputmpeg.m2a (the sound; play with mpg123). Then, mplex the files: mplex -f 8 -S 0 -o movie.mpg outputmpeg.m2v outputmpeg.m2a.
- dvdauthor handles converting to the max 1GB filesize on DVD without a problem, even if the files exceed this. In total, a standard, single-sided 4.7GB DVD can take 4.3 GB of video (a little over an hour); the discrepancy is 2^30 vs 10^9.
- DVD cover: use xfig, then export to pdf.
- See also: tutorial, discussion, Linux-Journal.
- Use DVD-R rather than DVD+R for greatest compatibility.

Useful Applications

In case of data loss (example: heavy-handed use of the delete key), TestDisk and PhotoRec are extremely useful. TestDisk allows undeletion of files; PhotoRec allows lower-level recovery even after a format, but without the names.
In case of faulty media (usually dying hard drives), DD-Rescue is excellent. There are 2 similarly named tools, with the same purpose but different authors: GNU ddrescue and dd_rescue.

Wine / MS Windows Applications

There are various ways to run MS Windows Applications under Linux.

- Run a Linux-native application. Many applications exist under Linux anyway. Some are cross-platform (e.g. Firefox, OpenOffice), and many are Linux-native. Often, the Linux-native applications are better than their non-Free Windows equivalents.
- Use Wine. Wine is a Free implementation of the Win32 API (Wine Is Not an Emulator), now at version 0.9.11, and works very well. It is available for download, or in a supported commercial version from Codeweavers. WineTools is sometimes a helpful addition, but is increasingly no longer necessary. Winehq provide Mandriva RPMs which are more recent, and work better than the official ones. Office97, Photoshop, and even Internet Explorer work well (OK, even on Windows, Internet Explorer can't really be said to work well, but Wine allows us to check web design for bug-compatibility). Generally, older or simpler Windows binaries are more likely to work perfectly. Usually, hardware drivers won't work, but I did have success with a serial-port PIC Programmer. If you just need to read MS document files (and OpenOffice can't cope), you can download the free (beer) MS Office viewer, or Lotus KeyView.
- If you still have access to an obsolete Windows box, put VNC on it. Then leave the Windows box on the network (suitably NAT'ed, please), run vncserver on it, and view the application on your local display. To maximise server performance, disable all animations, disable "show content in moving/resizing windows", and set a plain colour for wallpaper; maximise viewer performance by optimising -encoding. We run MarketEye this way on an old 770Z (PII/300, Win98). Advantage: VNC is free, and works brilliantly. Disadvantage: you need an old Windows machine.
- If you have access to a Windows install disk, or an image of the old hard disk, you can emulate it with QEMU. QEMU is brilliant: it will run any x86 operating system from within any other; it is free, and it is fast (performance is about 5x slower than real life). You can also try other Operating Systems, e.g. the latest Knoppix, direct from the disk image. Either create a new disk image, boot it in QEMU and install Windows, or, with luck, you may be able to boot a pre-existing image. There is also KQEMU, which uses a kernel module to accelerate to near native (about 1/2) speeds. KQEMU is now GPL'd (it used to be only free-as-in-beer). QEMU will not yet allow you to run hardware devices such as most USB or sound input, although you have access to sound output, network, video, disks. Note: QEMU disk images are sparse files. A guest OS may have a mainly empty 10GB virtual disk, which takes only 200MB on the host. To copy these, you must use cp -a or rsync -aS, or you will lose the efficient packing.
- Another GPL option is virtualbox. I haven't tried this yet.
- VMWARE is the commercial equivalent of QEMU. It is essentially the same, and although expensive, it works well. There is also now a free VMWare player, but someone else would have to create the VMWare image. Sound input works, and they say that USB devices can be made to work with Windows drivers. We run Dragon Naturally Speaking this way.
- ReactOS is a very promising alternative to Windows, especially if combined with QEMU. However, it isn't quite ready yet.

As you can see, that's quite a long list, and I am not sure I have mentioned them all. Just for fun, look at MenuetOS.

Stopping it rattling

This laptop lives in the same room as me, so I'd rather it doesn't rattle the hard disc all the time when I'm not using it. Check for culprits using find / -mmin -2 -print | grep -v proc.

- The worst is mailman, so remove it with urpme mailman.
- Uninstall process accounting; it's rather pointless on a single-owner laptop. It also causes disk writes every 15 seconds. Remove with urpme psacct.
- Shorewall should not write out the logfile to disk too often. Edit its configuration accordingly.
- Check for and remove spurious cron jobs. By default, a whole lot of security checks run at 4:00 am, and take about 30 minutes of constant activity. If the machine isn't always on, anacron will also run these shortly after the machine has booted. Some of these aren't absolutely necessary. However, updatedb is really useful.
- sshd-restarter runs every 5 minutes by default. Change this to every 30 minutes in /etc/cron.d/sshd-monitor.
- Stop CUPS regenerating its certificate every 5 minutes; once every 2 hours will do. Change its cron job accordingly.
- Mozilla should not check for new messages more than about once per 5 minutes, since this also causes disk activity.

Shell Scripts and Files

Advanced uses of Urpmi and RPM

Urpmi is Mandriva's package manager. It is "User-RPM", and is intended to make some RPM tasks more friendly. It is similar in functionality to Debian's apt.

1. Introduction to RPM and Urpmi

Here is some more information on rpm and urpmi.

- Adding and removing package repositories (urpmi.addmedia and urpmi.removemedia): see above.
- To install a package: urpmi PACKAGENAME, e.g. urpmi mplayer. Urpmi will automatically resolve dependencies, and fetch the package from the repository. If you already have the package downloaded, use e.g. urpmi FILE.rpm, or you can use rpm -i FILE.rpm. Multiple packages may be installed in one command. You can tab-complete on packagenames.
- To uninstall a package: urpme PACKAGENAME, e.g. urpme mplayer. Or, use rpm -e. Note that the packagename does not include the .rpm which is appended to the filename; RPM is unnecessarily fussy about this.
- GUI equivalents for urpmi/urpme are rpmdrake and rpmdrake-remove.
- To find out what package contains a certain file: urpmf FILENAME.
- To find the description of a package: urpmf --description PACKAGENAME, e.g. urpmf --description mplayer. Or, rpm -qi mplayer.
- To find out whether a package is installed: urpmq PACKAGENAME, or rpm -q PACKAGENAME, or rpm -qa | grep PACKAGENAME.
- To apply package updates: update the package list from the mirror, then select the updates. The easiest way is this, which downloads all the packages first, and only then prompts you whether to go ahead: urpmi.update -a; urpmi --auto-select --force --test; urpmi --auto-select. Note that with the 2006-Official distribution (as opposed to 2006-Community), the first part is urpmi.update updates. The kernel is a special case, and must be dealt with manually. To update the entire distribution, see below.
- To verify installed packages, use rpm -Va (see below).
- To install self-compiled packages, use checkinstall. This is important, since it means that you don't bypass the RPM package database. As a result, you can prevent collisions, and can easily uninstall again. So, instead of the usual ./configure; make; make install, use ./configure; make; checkinstall. This generates an rpm, which you can install as usual.
- To list unneeded libraries: urpmi_rpm-find-leaves. This prints a list of all packages which are currently installed, but on which no other package depends. These packages are "leaves" on the rpm tree, and their removal will not break anything else. Many of these packages will be the applications (e.g. Firefox) which you actually want; however, old libraries, which nothing uses, can be removed in this way. Alternatively, use rpmdrake-remove and select "Leaves only".
- To prevent a package from being selected for automatic upgrade, add it to the urpmi skip list.
- To downgrade a package to an earlier version: remove the newest version without removing its dependencies (rpm -e --nodeps NEWPACKAGE), then manually download the older version from the mirror (with lftp), then install it from the downloaded rpm (urpmi OLDPACKAGE.rpm), then add PACKAGENAME to the skip list so that it is not automatically upgraded again. Check that the system is self-consistent again with rpm -Va.
- Various RPM queries: to list the files in an RPM, use rpm -ql PACKAGENAME, or use less on the .rpm file. To list the requirements of an RPM, use rpm -qR PACKAGENAME. To list all installed packages, sorted by size: rpm -qa --qf '%{SIZE} %{NAME}\n' | sort -nr.
- Source RPMS: a .src.rpm is NOT a normal package, but a bundle of the program source, some patches, and a specfile. If you install it (rpm -i FILE.src.rpm), it will unpack the tarball/specfile onto your system; to uninstall, just rm -rf the unpacked tree. To rebuild an rpm in such a way that it can be installed on your system, do rpm --rebuild FILE.src.rpm.
- Building RPMS: an excellent introduction is here.
- Troubleshooting: see below if urpmi complains of an invalid package, or if rpm hangs.
- For further information on rpm, see the linked documentation.

2. How to upgrade the Distribution

2.1 Introduction

It is possible to directly upgrade from one version of Mandrake to the next. You can use the installer on the CD, or can do so directly by using urpmi. This process works very well, although you will occasionally have to fix breakages. The easiest way is to log in via ssh from another computer, so you can have multiple tabs in konsole, cut/paste, and web access.

This should be safe, but back up your data. For ultimate safety, copy the entire filesystem onto a different partition, and have Knoppix handy. Then, boot into the copy, and modify that (see below). Important: keep a note of any warnings, and which, if any, packages are removed. Also, check for sufficient disk capacity, especially in /var.

WARNING: PostgreSQL databases will be lost, or become unusable. Make sure you back them up (pg_dump) first.

2.2 Performing the upgrade

- Log in as root, go to runlevel 3 (init 3). It may be easier to do this from another computer, via ssh.
- Save the list of currently installed packages, just in case: rpm -qa > SAVED_LIST.
- Remove anything from the skip list if you put it there. Think why it was there. Otherwise, the upgrade won't complete.
- Remove the old urpmi media: urpmi.removemedia -a. You may want to back up first.
- Add the new urpmi sources (urpmi.addmedia). Decide: community, or official. Add main, contrib, updates (if appropriate), plf (if desired).
- Upgrade urpmi itself:
  urpmi --test urpmi (test whether urpmi's upgrade works)
  urpmi urpmi (do the upgrade, if you get no errors in the previous step)
- Upgrade the distribution and packages:
  urpmi --auto-select --test 2>&1 | tee LOGFILE (test whether the upgrade of the distro will work)
  urpmi --auto-select 2>&1 | tee LOGFILE (do the upgrade, if you get no errors in the previous step)
- Look for, and remove, obsolete libraries: urpmi_rpm-find-leaves will print a list of all packages which are not depended on by any other package. These are either:
  - Very important packages which we explicitly want, e.g. apache.
  - Independent packages with no interrelation to others, e.g. nc.
  - Obsolete libraries which have not been removed.
  Uninstall these if desired. In one line: urpmi_rpm-find-leaves | grep -E lib | xargs urpme.
- Upgrade the kernel: urpmi kernel (upgrade the kernel; you will get a choice, pick the one you like; uname -a prints the currently running kernel). Note that the kernel is not upgraded automatically by urpmi. Edit the boot-loader configuration to make the new kernel the default, and then run /sbin/lilo.
- Reboot into the new kernel. Watch the log messages on the console.

2.3 Fixing and re-configuring the new system (if needed)

- Are there any kernel issues? This is especially relevant if migrating from kernel 2.4 to 2.6. For example, udev replaces devfsd, and Serial-ATA disks become /dev/sdX rather than /dev/hdX. Have any of the kernel modules changed? If so, we may need to edit the module configuration files.
- Look at the system's error messages: dmesg, /var/log/messages and /var/log/kernel.
- updatedb; locate: re-build the locate database, then locate all the changed configuration files. There are 3 possibilities for a package foobar and its configuration file:
  - If a package's configuration file was never modified by the user, then the new package will be installed over it. Otherwise, depending on the package:
  - The old config-file will be kept, and the new one saved alongside it under a different name.
  - The new default config-file will be used, and the old one will be backed up under a different name.
  It is necessary to inspect and merge these files manually. Usually, but not always, the packager makes a sensible choice as to whether the new or old file is more appropriate. diff or etc-update will help here.
- Read the Release Notes (2006) and Errata (2006) again; check for gotchas.
- Check the configuration files of important packages, especially apache and sshd.
- Are there any new or obsolete system services which should/shouldn't be running? Use chkconfig --list, or mcc.
- Look for newer packages which may have become available, and which you might like to install. rpmdrake is most useful.
- Remove any old, unwanted kernels with urpme. Don't do this until you are happy with the new one.
- Upgrade any non-distribution packages if desired/necessary:
  - Non-free: java, shockwave-flash, maybe acroread, realplayer.
  - Binary drivers (ugh), e.g. the nvidia 3D driver.
  - Custom-compiled packages built from source (remember, use checkinstall instead of make install).
  - Recompile anything which depends on the kernel source, e.g. ltmodem, kqemu, vmware, nvidia-driver.
- Re-add packages to the skip list as necessary. Saving the kernel-source package is a good idea.
- Fix any other breakage. There shouldn't be any, but keep an eye out.

2.4 Explanations and troubleshooting

This method could fail if:

- You have used rpm --force at some point to install packages.
- You have installed rpms from an untrusted origin.
- You have installed rpms not specific for Mandrake.
- You have installed from source with ./configure; make; make install (which bypasses the RPM database), as opposed to using ./configure; make; checkinstall (which RPM is aware of).

If you have non-official rpms, this could cause trouble. Write down the offending rpms/files, remove them and try again.

The --test option is great because:

- It downloads all needed rpm-packages.
- It tests the installation and provides quite clear error messages.
- It does not delete downloaded rpm-packages. Note: this does mean that you need plenty of space in /var; if necessary, temporarily replace /var/cache/urpmi/rpms by a symlink to a directory with a few GB of space.
- It does not change your current programs.
- When happy (and you do not use --test), as all the packages are already downloaded, your upgrade takes less time.

If you get a message like "Package foobar cannot be installed because it conflicts with file ...", remove the package with the offending file. To discover which package contains the offending file, use rpm -qf FILE, and remove the package with urpme offendingpackage. After completing the upgrade, install a new version of the package (urpmi offendingpackage) if needed.

Use tee and log files so that you have a convenient record of what you did.

Urpmi caches downloaded files in /var/cache/urpmi/rpms, so you can install RPMS directly from there.

You can use --force with urpmi: this means "answer yes to all questions". This can be dangerous, but if you have already used --test and been happy, it may save time. Note: urpmi's --force is much less potentially hazardous than rpm's --force.

2.5 Cloning the distribution

It is very useful to be able to make a copy of the distribution, whether for backup, or to install on another computer. I am going to consider the case where the original system has 4 partitions: / (hda1), /spare (hda6), swap (hda5), /home (hda7), and we wish to clone / onto /spare. This is easily adaptable.

- Have a destination partition (or partitions) ready: fdisk, and format it, if necessary.
- Bring the source system into runlevel 1 (init 1). Start networking if required.
- The directories in / are: bin boot dev etc home initrd lib mnt opt proc root sbin share spare sys tmp usr var.
- On the target, these directories should be created empty: cd /spare; mkdir home mnt sys proc tmp.
- Copy these directories across: cp -a bin boot dev etc initrd lib opt root sbin usr var /spare. Or, use rsync -avz -e ssh.
- Recreate the mountpoints in /spare/mnt.
- Fix /spare/etc/fstab and the boot-loader configuration to reflect the new partition arrangement.
- Also edit the boot-loader configuration to add the kernel in the new root, and run lilo.
- Reboot. In case you need to fix your bootsector, use Knoppix (see below). This step is required if the destination is a different hard disk.

Now, you have (hopefully) 2 identical systems. Update one, and be happy that you can easily revert.

3. How to verify the system with RPM

If you break a system package (by some careless use of rm, by an unfortunate power-failure, or by doing something daft), then RPM will let you verify all the installed packages, and you can then fix them.

- Verify all the packages, using rpm -Va. In particular, look for "missing", "5", and "Unsatisfied": rpm -Va | grep -Ei 'missing|5|unsatisfied'.
- Note: some errors are usual, e.g. a modified config file, or permissions which have been changed by msec.
- If a file is definitely damaged, find out which package it is in: urpmf FILENAME.
- Repair the file by forcibly uninstalling its package, then re-installing: rpm -e --nodeps PACKAGENAME; urpmi PACKAGENAME.

4. Troubleshooting

In the (nowadays unlikely) event that rpm or urpmi break (the symptom is that they just sit there doing nothing), this is probably because of a stale rpm lock file. This can be caused if rpm is somehow killed while running, e.g. by power failure, or a kill -9. These lock files usually serve to prevent more than one instance of rpm accessing the same database simultaneously, and are deleted after the rpm process terminates normally. This is what to do:

- Check rpm isn't currently running: use ps aux | grep rpm.
- Remove stale lock files by doing rm -f /var/lib/rpm/__db* as root.
- Rebuild the RPM database using rpm --rebuilddb.
- It is also a good idea to delete partially downloaded (corrupt) files from /var/cache/urpmi/rpms if urpmi complains that they are invalid.
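The grep in section 3 matches any path containing a "5", so here is a triage of rpm -Va output that separates the expected noise (edited config files, msec permission changes) from what matters: content changes to non-config files such as system daemons, missing files, and unsatisfied dependencies. Added example, not from the original howto; the sample lines are constructed, not output from a real system.

```shell
#!/bin/sh
# Added example, not from the original howto: triage `rpm -Va` output into
# the categories the section above says to look for. Constructed sample lines,
# not output from a real system.
RPM_VA_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/sbin/sshd
missing     /usr/lib/libfoo.so.1
Unsatisfied dependencies for foo-1.0-1mdk: libbar.so.2'

# Reads rpm -Va output on stdin. Flag letters: S size, M mode, 5 md5sum,
# U/G owner/group, T mtime; a single letter in the next column (c, d, g, l, r)
# is the file type, c being a config file. Findings go to stderr; the number
# of serious ones (non-config content changes, missing files, broken
# dependencies) is printed on stdout.
rpm_verify_triage() {
    n=0
    set -f                                  # paths must not be glob-expanded
    while IFS= read -r line; do
        set -- $line
        [ $# -gt 0 ] || continue
        flags=$1; second=${2:-}
        if [ ${#second} -eq 1 ]; then attr=$second; path=${3:-}; else attr=; path=$second; fi
        case $flags in
            Unsatisfied) echo "DEPS:     $line" >&2; n=$((n+1)); continue ;;
            missing)     echo "MISSING:  $path" >&2; n=$((n+1)); continue ;;
        esac
        case $flags in
            *5*|*S*)
                if [ "$attr" = c ]; then
                    echo "CONFIG:   $path edited locally (usually expected)" >&2
                else
                    echo "TAMPERED: $path content differs from the package; reinstall it and find out why" >&2
                    n=$((n+1))
                fi ;;
            *M*|*U*|*G*)
                echo "PERMS:    $path mode or owner changed (msec does this; confirm)" >&2 ;;
        esac
    done
    set +f
    echo "$n"
}

# Stand-alone demo on the constructed sample (3 serious findings expected).
echo "serious findings in sample: $(printf '%s\n' "$RPM_VA_SAMPLE" | rpm_verify_triage)"
```

On a live system, pipe the real output in with rpm -Va | rpm_verify_triage and then follow the repair step above for anything reported as TAMPERED or MISSING.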
Also, make sure not to run out of space on /var. A 1GB /var partition will cause problems with urpmi --auto-select --test, especially if there is also a Postgres database in /var/lib/pgsql. The solution is to temporarily replace /var/cache/urpmi/rpms by a symlink to a directory elsewhere (e.g. in /home) which has more space.

Mandriva Kernels (intro)

Here is a brief introduction to Mandriva kernels. It does not cover kernel compiling, but discusses some of the Mandriva-specific things.

Mandriva kernels usually include support for all hardware, and are compiled with almost everything as modules. This means that practically every device will be supported, but the in-memory portion of the kernel is not bloated. I have never yet found it necessary to compile a kernel.

Mandriva kernels usually have quite a few patches applied (often backports from development kernels). However, the kernel-linus package is available if you want an unpatched one. The kernels come with various options. For example:

- (the 2.4 package): kernel 2.4, default.
- kernel-2.6.12.14mdk: kernel 2.6, default.
- kernel-i586-up-1GB-2.6.12.14mdk: kernel 2.6 compiled for i586 (Pentium 1) only, with uniprocessor and support for up to 1GB RAM.
- kernel-i686-up-4GB-2.6.12.14mdk: kernel 2.6 optimised for i686 (Pentium 2,3,4), with uniprocessor and support for up to 4GB RAM. Use this on the A22p.
- kernel-smp-2.6.12.14mdk: kernel 2.6 for SMP (multiprocessor). Most high-end Pentium 4s are dual-core, which counts as SMP.
- kernel-linus: unpatched copy of Linus's kernel tree.
- kernel-source-2.6: kernel source for the most recent 2.6 kernel.
- kernel-source-stripped-2.6: stripped kernel source. You can compile against this, but cannot read the source code.

To update the kernel, first install the kernel that is desired with urpmi. The new kernel will automatically be added into the boot-loader configuration. Then, if desired, edit it and set the default field to that kernel. Then run /sbin/lilo to write the boot sector. Easy.
After updating the kernel, it is necessary to recompile/reinstall any binary drivers or custom kernel modules, e.g. ltmodem, kqemu, vmware, nvidia.

A gotcha: urpmi will install multiple versions of the kernel without difficulty. However, it will only install one version of the kernel source. urpmi --auto-select will update the kernel source, but not the kernel. So, if you regularly update packages with urpmi, you can end up with a kernel-source package which does not match your currently running kernel. This means that, should you need to compile extra modules, you cannot do so. Solution: either upgrade the kernel, or downgrade the kernel-source, or compile extra modules sooner. It is worth adding kernel-source to the skip list in order to stop urpmi doing this automatically.

Here are some useful commands:

- modprobe: insert/remove modules and their dependencies, e.g. modprobe pcspkr; modprobe -r pcspkr.
- lsmod: list currently loaded modules.
- modinfo MODULENAME: get information about a module and its parameters.
- dmesg: view kernel messages.
- uname -a: print the name of the currently running kernel.
- Look at the contents of /proc: the kernel's status information, e.g. /proc/cmdline.
- Look at the contents of /var/log/kernel: kernel information and errors.

Upgrade to Kernel 2.6.16 / Kernel Compilation

1. Upgrading the kernel

There are 2 compelling reasons to upgrade the kernel from 2.6.12 (as shipped) to 2.6.14 or greater: the trackpoint sensitivity patch is in the official tree as of 2.6.14, and there is also the improved disk scheduler, which means that interactive processes get priority for disk access. Also, if desired, s2ram requires 2.6.17. We can do this in 2 ways.
1.1 Upgrading the kernel to cooker kernel 2.6.14-0

Normally, it is a very bad idea to mix packages from cooker and a stable release. However, the kernel package is essentially independent, and in this case it is ok. Look on the cooker mirrors in devel/cooker/i586/media to find a suitable kernel. I downloaded the kernel packages from contrib. N.B. Save the RPMs, since once they are superseded, they will be gone from the mirrors. Install with urpmi, edit the boot-loader configuration to make it the default, run /sbin/lilo and reboot. Re-compile the Modem driver.

There is an interesting aside here: this kernel requires the psmouse module to be pre-loaded (it is added by the rpm install script). A consequence is that udev rules cannot include DRIVER=="psmouse". I can find no documentation for this, but experimentally, I found the following works for the trackpoint rule. Even more weirdly, 2 reboots are required for the changes to occur.

BUT this kernel is not very stable: 3 simultaneous scp processes can panic it. For a more recent one, you have to compile it; read on.

1.2 Compiling the latest kernel (much easier than I thought)

Compiling a kernel is actually very straightforward. Here's how.

- Save the results of lsmod (and maybe lspci -vvv) somewhere. This tells you which modules you need.
- Download the newest kernel (from kernel.org). Get the full version, not the patch. I downloaded 2.6.16.20. See this FAQ on compiling.
- Untar, or unzip, the source.
- Configure the kernel with make xconfig. I changed these values from the defaults:
  - Processor type and features: Build arch PentiumIII; Timer 1000Hz.
  - Do enable /proc/acpi/sleep (deprecated in favour of /sys/power/state).
  The kernel configuration is saved in .config. Note that we lose Mandriva's bootsplash patch.
- make. Wait a few hours. Then, as root, install the kernel:
  - make modules_install: install the kernel modules into /lib/modules/2.6.16.20.
  - cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.16.20: install the kernel itself.
  - mv linux-2.6.16.20 /usr/src;  chown -R root:root /usr/src/linux-2.6.16.20: move the source into /usr/src, so other modules can be built against it.
  - cd /lib/modules/2.6.16.20; rm build source; ln -s /usr/src/linux-2.6.16.20 build; ln -s /usr/src/linux-2.6.16.20 source: correct the build and source symlinks.
  - Mandriva uses an initrd, so we need to create one: mkinitrd INITRD_IMAGE 2.6.16.20.
  - Edit the boot-loader configuration, and copy one of the existing stanzas. Here is mine:
  - If desired, change the default line at the top to match the new label line.
  - Then, run /sbin/lilo and reboot. Check everything works.
- If you forgot a module, re-run make xconfig; make; make modules_install. If just adding a module, the compile will be very quick, and you shouldn't need to reboot. If you change a built-in driver, you need to rerun mkinitrd and lilo, then reboot.
- With the new kernel, it's necessary to recompile any necessary drivers. These are either the non-free drivers (e.g. ltmodem, kqemu, vmware, nvidia-driver), or the development ones which aren't yet in the official kernel (e.g. rt2500). If necessary, run depmod after compiling them.

2. Enjoying the new kernel

2.1 Trackpoint Sensitivity

Kernel 2.6.14 provides /sys/devices/platform/i8042/serio0/sensitivity, which allows the trackpoint sensitivity to be adjusted. See above. Also, my udev rule for the trackpoint was broken by 2.6.16.20, and it is easier to just use /dev/psaux in the X configuration than to fix it.

2.2 Disk I/O priorities

With the older kernel, a program at low priority that used lots of disk I/O would prevent a program of higher priority from accessing the disk, even though the CPU was available. The new scheduler gives a bonus to interactive programs, and takes niceness into account when allocating disk accesses. Try this:

- background program: sudo nice -n 19 updatedb
- important program: bash, or sudo su

The important program now gets the disk access that it needs, and can start up much faster.

Troubleshooting and diagnostics

Sometimes, inevitably, things go wrong. This section might help.

1. Symptom: Applications are slow to start
Sometimes, an application may take about 10-30 seconds to start, during which absolutely nothing happens: it is using neither disk nor CPU, but just seems to be waiting. There are 2 causes of this.

Timeouts caused by the wrong hostname. If the machine doesn't have an entry for its own hostname and for localhost in /etc/hosts, then it will be unable to resolve its own name. This will result in a DNS timeout (about 10 seconds) before the application continues. This affects all X applications. This problem can also sometimes be caused by changing the hostname from within an X-session, whether manually, or by a daft default DHCP option.

Many applications are now built with support for HAL/DBUS. If they are built against the wrong library, they will speak the wrong protocol, and the HAL error will take about 25 seconds to time out (see above).

Note that some applications, notably OpenOffice, are just very heavy, and are just rather slow to start - but you will see the CPU load being 100%.

2 Symptom: X config is messed up (e.g. mouse buttons misbehave)

If anything causes X to fail to start up, Mandriva will very helpfully re-write the xorg configuration with a default. This is usually manifest in the mouse-buttons reverting to defaults (i.e. no emulate-wheel), or the horiz/vert scrolling being interchanged. Solution: keep a backup copy of your xorg configuration and replace the broken version. Then restart the dm (display manager) service. Close your applications first, since stopping the dm will instantly kill KDE. See also.

3 Symptom: daemons fail to start
When the system starts, or you restart a service with service SERVICENAME start, it is extremely unhelpful when it just says "Starting SERVICENAME ... FAILED". Often, the error is in a configuration file (if you just changed it), and there will be a helpful message in /var/log/daemons/errors or /var/log/messages. If this fails, look at the startup script in /etc/init.d and then run this command manually, without the redirection of stderr to /dev/null. Sometimes, the man page for the daemon will have an option to not fork into the background; this will ensure that messages are printed to the console.

4 Symptom: 3D performance is really poor

This Thinkpad is quite capable of running glxgears at about 760 frames/second, and of decent performance for games (tuxracer/ppracer), fancy screensavers (helios) and astronomy tools (stellarium). There are at least 2 ways to mess this up.

Don't run at 24 bit colour. There isn't enough graphics memory (so it seems) to run at 24-bit with acceleration, and it will cause glxgears to drop to only 160 fps. Approx 780 fps is achievable when running at 16-bit. This is controlled by the DefaultColorDepth setting.

Don't install Mesa. Mesa allows you to do indirect rendering of OpenGL in software: excellent when there is no hardware support, but far less powerful than raw hardware. Interestingly, this won't seriously affect the performance of glxgears, but ppracer/stellarium will be totally unusable (2 fps). glxinfo provides some debugging information; this excellent page on DRI Troubleshooting has more details. If hardware acceleration is available, you should not have libMesaGL installed. So, uninstall the Mesa-5.0.2-11mdk and libMesaGL1-5.0.2-11mdk packages. Note the libMesaGLU1-5.0.2-11mdk, libMesaglut3-5.0.2-11mdk and libMesaGLU1-devel-5.0.2-11mdk packages are innocent.

Note: when diagnosing Xorg problems, you have to restart the Display Manager (service dm restart) to make changes take effect. I recommend using IceWM for speedy restarts.

5 Symptom: Software breakage
If it was working, and then you broke it:

For system packages, try verifying the installed packages with rpm -Va (see above). If necessary, uninstall with rpm -e --nodeps and immediately re-install.

If it is an application, try removing or (copy it first).

If it was broken to begin with:

Check the package's bugzilla, and google, in case it is a known bug. Otherwise, file a bug report both upstream with the author, and with Mandriva.

6 Symptom: Hard disk errors and poor performance

If the hard disk is slow, it is possible that DMA (direct memory access) is not enabled. Use hdparm /dev/hda to check the status. hdparm can also measure file-transfer performance (hdparm -tT /dev/hda) or change DMA settings (hdparm -d 1 /dev/hda).

Check the hard disk for errors. Smartctl is part of the SMART (System monitoring and reporting tool) system for hard drives. These can detect impending failure, and hopefully warn you.

  smartctl -l selftest /dev/hda   - print the self-test log from the drive
  smartctl -a /dev/hda            - print all information that the drive knows about itself
  smartctl -t long /dev/hda       - begin a long selftest (about an hour). This can be run without unmounting the drive.

To set up automated monitoring, see here, and check that mail to root is delivered to a human.

There is also a graphical utility, gsmartcontrol.

7 Symptom: Wrong file permissions for devices

Mandriva uses pam_console_apply to change the ownership of various devices to the first locally logged-in user. For example, when I am logged in, the sound device has these permissions.

The login manager (kdm) ought to set these. To fix the permissions temporarily, do as root.

8 Symptom: It won't boot, i.e. the boot sector is messed up

This occurs after:

  Installing another OS (e.g. Windows) on a different partition, and it messed up the bootloader.
  Upgrading the kernel without running lilo (but Mandriva normally does this automatically, when you use urpmi, so this is rare).
  Copying the hard disk (e.g. with rsync) onto a different disk or a new machine.
Fortunately, it is quite easy to fix. The Mandriva install disk has a recovery mode for repairing bootloaders. Here is how to do it with the (much more versatile) Knoppix.

  Boot the damaged system up from CD with Knoppix. Become root: sudo su
  Mount the hard disk: mount -o dev /mnt/hda1. The -o dev is very important; it is not the default for Knoppix.
  If necessary (it usually isn't), copy over Knoppix's /dev directory. ONLY do this if /mnt/hda1/dev is empty: cp -a /dev/* /mnt/hda1/dev
  Chroot into the target system: chroot /mnt/hda1
  Edit the target's lilo configuration if needed (nano).
  Run lilo: /sbin/lilo

Note: you might expect that, without chrooting, lilo -C -b /dev/hda would work. For some reason, it doesn't. Note 2: see also the Knoppix Rescue FAQ.

9 Symptom: KDE menus get messed up, and are missing entries

There are, confusingly, several different inconsistent ways to edit the KDE/GNOME/ICEWM menu. Some 3rd-party installers mess it up, leaving most entries missing. To regenerate the KDE menu correctly, run update-menus as root.

10 Symptom: random crashes or kernel panics

Dodgy RAM can cause all sorts of problems. These range from I/O and network errors, to randomly segfaulting processes, to kernel panics. It depends which part of kernelspace/userspace gets corrupted. These errors are often weird and sometimes, but not always, repeatable (if you retry immediately, the kernel may re-allocate the same memory page).

Even expensive RAM can go bad, and once-working RAM can die after a few months/years, especially if the computer is running warm, and the warranty has just expired. The problem is quite a lot more common than one might expect.

The way to test it is to install memtest86. Then, reboot the machine, and choose memtest from the Lilo prompt. Or, run memtest from Knoppix. Usually, memtest will detect faulty RAM within minutes. However, to get a "clean bill of health", let it run for at least 12 hours. Memtest's report will identify the faulty memory range(s), which should identify the faulty DIMM.
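Symptom 5 above suggests rpm -Va to verify installed packages. Here is an added example of my own (not from the original page) that triages that output: the sample lines are constructed, the function name is mine, and it ignores timestamp-only differences while flagging digest, size, mode or missing changes to anything that is not a config file.

```shell
#!/bin/sh
# Triage `rpm -Va` output: separate expected config-file edits from unexpected
# changes to non-config files (digest, size, mode, or missing entirely).
# Added example, not code from the original page; the sample lines are
# constructed and the function name is my own.

# Constructed sample in rpm -Va format: verify flags, optional file-type
# marker (c = config, d = documentation, ...), then the path.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/sbin/sshd
.......T.    /usr/lib/libz.so.1
missing      /usr/share/doc/zlib/README
.M.......    /usr/bin/passwd
S.5....T.  d /usr/share/man/man1/ls.1.gz'

# rpm_verify_triage: read rpm -Va lines on stdin, print one verdict per line,
# exit 1 if any non-config file changed content/size/mode or is missing.
rpm_verify_triage() {
    alerts=0
    while read -r flags marker path; do
        [ -z "$flags" ] && continue
        case "$marker" in
            c|d|g|l|r) ;;                    # marker present, path is third field
            *) path=$marker; marker='-' ;;   # no marker, path is second field
        esac
        if [ "$flags" = "missing" ]; then
            echo "ALERT missing: $path"; alerts=$((alerts + 1)); continue
        fi
        reason=''
        case "$flags" in S*)  reason="${reason}size ";;   esac  # size differs
        case "$flags" in ?M*) reason="${reason}mode ";;   esac  # permissions differ
        case "$flags" in *5*) reason="${reason}digest ";; esac  # contents differ
        if [ -z "$reason" ]; then
            echo "OK mtime-only: $path"          # timestamp alone is benign
        elif [ "$marker" = "c" ]; then
            echo "INFO config edited (${reason% }): $path"
        else
            echo "ALERT changed (${reason% }): $path"; alerts=$((alerts + 1))
        fi
    done
    [ "$alerts" -eq 0 ]
}

printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_triage \
    || echo "unexpected changes: reinstall the package (rpm -e --nodeps, then urpmi) and find out how they got there"
```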
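For the automated SMART monitoring suggested under Symptom 6 above, here is an added example of my own (not from the original page) that scores a smartctl -a report so it can run from cron and mail root; the report text is constructed, not from a real drive, and the list of counters expected to stay at zero is an assumption.

```shell
#!/bin/sh
# Check a `smartctl -a` report for early-failure signs: attributes at or below
# threshold, sector-error counters that should stay at zero, and self-test
# log entries that did not complete cleanly. Added example, not from the
# page; the report is constructed and the watch-list is my assumption.

SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       12
  5 Reallocated_Sector_Ct   0x0033   098   098   036    Pre-fail  Always       -       7
  9 Power_On_Hours          0x0032   087   087   000    Old_age   Always       -       9740
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       1
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed: read failure       90%      9731         2345678
# 2  Short offline       Completed without error       00%      9700         -'

# smart_triage: read a smartctl -a report on stdin, print one line per finding,
# exit 1 if anything needs attention.
smart_triage() {
    findings=0
    while read -r line; do
        case "$line" in
            "#"*)   # self-test log entry; only "Completed without error" is clean
                case "$line" in
                    *"Completed without error"*) ;;
                    *) echo "WARN self-test: ${line#"# "}"; findings=$((findings + 1)) ;;
                esac ;;
            [0-9]*) # attribute row: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW
                set -- $line
                name=$2 value=$4 thresh=$6 failed=$9 raw=${10}
                if [ "$failed" != "-" ] || { [ "$thresh" -gt 0 ] && [ "$value" -le "$thresh" ]; }; then
                    echo "FAIL $name value=$value thresh=$thresh when_failed=$failed"
                    findings=$((findings + 1))
                fi
                case "$name" in   # counters that must stay zero on a healthy drive
                    Reallocated_Sector_Ct|Reallocated_Event_Count|Current_Pending_Sector|Offline_Uncorrectable)
                        if [ "$raw" -ne 0 ]; then
                            echo "WARN $name raw=$raw (should be 0: back up now, plan replacement)"
                            findings=$((findings + 1))
                        fi ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

printf '%s\n' "$SAMPLE_SMART" | smart_triage || echo "drive needs attention"
```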
11 Symptom: Data corruption, or partition cannot be mounted (hard disk error)

Use ddrescue, reiserfsck, then throw the disk away.

12 General troubleshooting tips

  Look at the log files: dmesg, /var/log/messages, /var/log/kernel, /var/log/daemons/errors etc. The kernel messages (dmesg) are particularly helpful.
  If it is a hardware problem, try compiling the latest kernel. If it's an application bug, try the latest version.
  Run the application from a terminal, so that the error messages (stderr and stdout) are visible. These are invisible when starting from the GUI (though they are appended to).
  If necessary, you can watch what the program is doing with strace (print system calls), and ltrace (print library calls).
  To see what process is using a particular file, use fuser and lsof (as user root).
  To identify what processes are using the most CPU, use top (keys: M - sort by memory usage, P - by processor use, S - cumulative CPU use).
  vmstat reports memory usage, and swap/disk I/O bandwidth.
  Other useful tools include ps, pgrep, nice, ionice, netcat, lshal, lsusb, and digging around in /proc.
  Look at the source code. A surprising number of programs are actually scripts.
  Look in the application's bugzilla, or Google's Linux pages. Google for the exact error message (Kdialog lets you select text, for this reason).
  Remember, once found, to document what you did, and file a bug report if relevant.

Figure out how to use the S-Video input and output that the Thinkpad has.
Get IrDA to work without crashing.

These are some of the significant bugs which I have reported on Mandriva 2006:

  PC Speaker not working (Bug 13627). Trivial, finally fixed in 2008.1.
  Prism54 firmware (Bug 17797). Not really a bug, just an irritation.
  X - EmulateWheelTimeout doesn't do anything (Bug 4291). Fixed in Xorg CVS; fixed in 6.9.0.
  X - Broken R128 driver (Bug 17958). Solution: use the ati driver instead.
  X - Must restart dm to make xorg changes take effect (Bug 18022). This is Not a bug.
  Encryption - bug in initscripts (Bug 17931). Still not fixed.
  Swapon race condition: need sleep in (Bug 17802). Still not fixed.
  Swapon needs specific /dev/loopX (Bug 17803). Probably a kernel bug. Not fixed.
  Apm suspend causes crash; solution is sync, chvt, kill -STOP X (Bug 17930). Still not fixed.
  /etc/bashrc: unset i (Bug 17799). Trivial, not fixed.
  /etc/profile fails to prevent core-dumps (Bug 19822). Fixed in Jan 2007.
  lircmd service starts after the dm service, so it can't be used as an IR mouse (Bug 20771). Fixed March 2007.
  Timidity-init doesn't play nice with alsa (Bug 17160). Complicated.
  Irdadump panics kernel (Bug 20443). Being worked on; fixed upstream.
  Kdialog converts n to n n (Bug 111388). Trivial, not fixed. May be deliberate.
  Mozilla has wrong shortcut keys (Bug 18024). Default behaviour, not a bug (although I think it's a misfeature).
  Need to accept 2 different MAC addresses with WG511 (Bug 21840).
  KDE Removable storage - dynamic devices with udev rules, permanent entries in fstab (Bug 126208).

This A22p is still, after 5 years, an excellent laptop. It's my 3rd ThinkPad, and I shall soon buy a 4th. It works well under Mandriva, although there is quite a lot of configuring to do. I'd be more than happy to help anyone else if I can: please do contact me if you have any questions, would like help, or alternatively, if you want to point out a glaring error in the above.

This page is copyright Richard Neill, 2006. It is intended to be helpful to the community who have given me so much of their help, and is hereby released under the GNU Free Documentation License; the code snippets are additionally released under the GNU GPL. Redistribution, translation, copying, wiki-fying etc. is encouraged. If you wish to link back to this page, please link to.

Footnote: Linux is a registered trademark of Linus Torvalds. However, in most cases above I am using the word as shorthand for GNU/Linux.
