Linux Timesaving Techniques For Dummies

  • Published on
    08-Dec-2016

  • View
    237

  • Download
    22

Transcript

LinuxTimesavingTechniquesFORDUMmIESby Susan Douglas and Korry Douglas01a_571737ffirs.qxd 7/2/04 7:55 PM Page i01a_571737ffirs.qxd 7/2/04 7:55 PM Page iLinuxTimesavingTechniquesFORDUMmIESby Susan Douglas and Korry Douglas01a_571737ffirs.qxd 7/2/04 7:55 PM Page iLinux Timesaving Techniques For DummiesPublished byWiley Publishing, Inc.111 River StreetHoboken, NJ 07030-5774Copyright 2004 by Wiley Publishing, Inc., Indianapolis, IndianaPublished by Wiley Publishing, Inc., Indianapolis, IndianaPublished simultaneously in CanadaNo part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by anymeans, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted underSections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of thePublisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center,222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for per-mission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd.,Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, e-mail: brandreview@wiley.com.Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest ofUs!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trade-marks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and othercountries, and may not be used without written permission. All other trademarks are the property of theirrespective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTA-TIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THISWORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FIT-NESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMO-TIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERYSITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN REN-DERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE ISREQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUB-LISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANI-ZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OFFURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMA-TION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READ-ERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED ORDISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. For general information on our other products and services or to obtain technical support, please contact ourCustomer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not beavailable in electronic books.Library of Congress Control Number: 2004101962ISBN: 0-7645-7173-7Manufactured in the United States of America10 9 8 7 6 5 4 3 2 11V/SR/QX/QU/IN01a_571737ffirs.qxd 7/2/04 7:55 PM Page iiAbout the AuthorsSusan Douglas is the CEO of Conjectrix, Inc., a software consulting firm specializing indatabase- and security-related issues. When shes not busy at the computer, Susan isprobably throwing pottery, glassblowing, or horseback riding.Korry Douglas is the Director of Research and Development for Appx Software. Whenhes not working on computers, hes making elegant sawdust in the woodshop.Together, they are the coauthors of Red Hat Linux Fedora Desktop For Dummies andPostgreSQL.Susan and Korry enjoy life on a farm in rural Virginia where they raise horses and smalllivestock. They both telecommute, so they have more time to spend with their 200 or soanimal friends. If theyre not at home, theyre out riding roller coasters.Authors AcknowledgmentsWe would like to thank all the staff at Wiley who have supported this project, from startto finish. Without the help and direction of Terri Varveris, organizing this book wouldhave been an impossible task. Becky Huehlss editorial help and guidance have kept thisproject rolling along on schedule (fairly painlessly, we might add). We also want toextend a big thanks to the technical editors whove kept us honest throughout thecourse of the book.Thanks go also to all the supporting staff at Wiley that weve never met. We know youreout there, and we appreciate your efforts and support.Thank you also to all the programmers and developers that make open-source softwaresuch an interesting, productive, and fun environment to work in.01a_571737ffirs.qxd 7/2/04 7:55 PM Page iiiCompositionProject Coordinator: Barbara MooreLayout and Graphics: Lauren Goddard, Denny Hager,Stephanie D. Jumper, Michael Kruzil, Lynsey Osborn,Jacque SchneiderProofreaders: Laura Albert, Vicki Broyles,Brian H. WallsIndexer: Steve RathAcquisitions, Editorial, and Media DevelopmentAssociate Project Editor: Rebecca HuehlsAcquisitions Editor: Terri VarverisSenior Copy Editor: Kim DarosettTechnical Editors: Terry Collings, Corey HynesEditorial Manager: Leah CameronMedia Development Manager: Laura VanWinkleMedia Development Supervisor: Richard GravesEditorial Assistant: Amanda FoxworthCartoons: Rich Tennant (www.the5thwave.com)Publishers AcknowledgmentsWere proud of this book; please send us your comments through our online regis-tration form located at www.dummies.com/register/.Some of the people who helped bring this book to market include the following:Publishing and Editorial for Technology DummiesRichard Swadley, Vice President and Executive Group PublisherAndy Cummings, Vice President and PublisherMary Bednarek, Executive Editorial DirectorMary C. Corder, Editorial DirectorPublishing for Consumer DummiesDiane Graves Steele, Vice President and PublisherJoyce Pepple, Acquisitions DirectorComposition ServicesGerry Fahey, Vice President of Production Services01a_571737ffirs.qxd 7/2/04 7:55 PM Page ivContents at a GlanceIntroduction 1Part I: Making the Desktop Work for You 5Technique 1: Finding the Power in KDE Protocols 7Technique 2: Getting GNOME Virtual FileSystems to Do the Work for You 13Technique 3: Streamlining Your Work withFile Associations 18Technique 4: Prompting Yourself with aCustom Prompt 23Technique 5: Getting There Quick withDynamic Shortcuts 30Technique 6: Using cd Shortcuts for Rapid Transit 34Technique 7: Typing Less and Doing Morewith Handy Automagic Variables 38Technique 8: Logging In, Logging Out 45Technique 9: Making History (Work for You) 50Technique 10: Keeping Your Life Simple withAliases and Functions 55Part II: Getting the Most fromYour File System 63Technique 11: Sharing Files and Printers in aWindows World 65Technique 12: Finding What You Need 73Technique 13: Moving Made Easy with Archives 82Technique 14: Downloading and Uploading Files in a Snap 88Technique 15: Building a Playpen withUser Mode Linux 94Part III: Good Housekeeping with Linux 101Technique 16: Red-lining RPM Queries 103Technique 17: Installing Made Easy with RPM 108Technique 18: Getting Comfortable with RPM 115Technique 19: Keeping Up-to-Date with aptand Synaptic 119Technique 20: Setting Up Automatic Services 126Technique 21: Making Your Inner SystemAdministrator Happy (And Productive) 130Technique 22: Spring Cleaning Essentials 137Part IV: Tweaking the Kernel onYour Linux System 149Technique 23: Taking Good Care of Your Kernel 151Technique 24: Creating a Custom Kernel 157Technique 25: Coping with the SELinuxSecurity System 164Technique 26: Finding Out about Your System with /proc 170Part V: Securing Your Workspace 177Technique 27: Closing Those Prying Eyes 179Technique 28: Using Encryption for Extra Security 184Technique 29: Securing a Large Networkwith Custom Authentication 194Technique 30: Customizing Authentication with PAM 203Technique 31: Gaining Privileges 209Technique 32: sudo Pseudonyms 213Technique 33: Securing Your Connections with SSH 21801b_571737ftoc.qxd 7/2/04 7:55 PM Page vPart IX: Backing Up Means Never Having to Say Youre Sorry 369Technique 49: Getting Ready to Back Up Your Data 371Technique 50: Backing Up Your Data 377Technique 51: Quick Backup to Remote Storage 386Technique 52: Archiving Changes with CVS 391Part X: Programming Tricks 401Technique 53: Using Open-Source APIsto Save Time 403Technique 54: Timesaving PHP Tricks 414Technique 55: Using the DDD GraphicalDebugger with Perl 422Part XI: The Scary (Or Fun!) Stuff 429Technique 56: Burning CD-Rs withoutGetting Burned 431Technique 57: Search and Destroy setuid and setgid Programs 437Technique 58: Quarantining SuspiciousPrograms with UML 443Technique 59: Troubleshooting PersnicketyPrograms 448Technique 60: Securing the Fort with Bastille 455Technique 61: Creating a Second Lineof Defense with LIDS 467Technique 62: Getting Graphical with Shell Scripts 474Index 479Part VI: Networking Like a Professional 227Technique 34: Protecting Yourself with a Firewall 229Technique 35: Using VNC to Connect toRemote Desktops 239Technique 36: Streamlining Your NetworkSurveillance 247Technique 37: Evaluating Your NetworkSecurity with Nessus 255Technique 38: Person-to-Person Networking with IRC 265Part VII: Monitoring Your System 271Technique 39: Controlling TroublesomeProcesses at the Command Line 273Technique 40: Taking Care of New (And Old) Users 282Technique 41: Keeping an Eye on Your System 291Part VIII: Serving Up the Internet and More 305Technique 42: Keeping an Apache Server in Top Form 307Technique 43: Keeping an Eye on Your Servers 317Technique 44: Making a MySQL ServerYour SQL Server 328Technique 45: Safeguarding Your ApacheServer with SSL Certificates 340Technique 46: Retrieving HTTPMail Usinghotway and Evolution 349Technique 47: Stopping Spam with SpamAssassin 356Technique 48: Using Webmin to SimplifySendmail Configuration 36401b_571737ftoc.qxd 7/2/04 7:55 PM Page viTable of ContentsIntroduction 1Saving Time with This Book 1Foolish Assumptions 2Whats in This Book 2Part I: Making the Desktop Work for You 2Part II: Getting the Most from Your File System 3Part III: Good Housekeeping with Linux 3Part IV: Tweaking the Kernel on Your Linux System 3Part V: Securing Your Workspace 3Part VI: Networking Like a Professional 3Part VII: Monitoring Your System 3Part VIII: Serving Up the Internet and More 3Part IX: Backing Up Means Never Having to Say Youre Sorry 3Part X: Programming Tricks 4Part XI: The Scary (Or Fun!) Stuff 4Icons Used in This Book 4Part I: Making the Desktop Work for You 5Technique 1: Finding the Power in KDE Protocols 7Discovering Your Protocols 7Working with CD Audio Tracks Using audiocd: 8Managing Snapshots with the camera: Protocol 9Remote File Management with fish: 10Getting Help with help:, info:, and man: 10Viewing Your Local Network with the smb: Protocol 11Other KDE Protocols 11Technique 2: Getting GNOME Virtual FileSystems to Do the Work for You 13Using GNOME VFS Modules 13Stacking VFS Modules 15Working with Packages: rpm and rpms 15Putting VFS to Work at the Command Line 17Burning CDs with a VFS 17Skinning Your Desktop with VFS 17Technique 3: Streamlining Your Work withFile Associations 18Classifying Data with MIME 18Creating KDE File Associations 19Creating New MIME Types with GNOME 20Technique 4: Prompting Yourself with aCustom Prompt 23Making Basic Prompt Transformations 23Adding Dynamically Updated Data to Your Prompt 24Colorizing Your Prompt 26Seeing a Red Alert When You Have SuperuserPrivileges 27Saving Your Work 28Technique 5: Getting There Quick withDynamic Shortcuts 30Completing Names Automatically 30Using the Escape Key to Your Advantage 31Customizing Completion for Maximum Speed 32Technique 6: Using cd Shortcuts forRapid Transit 34Using cd and ls to Navigate through bash 34Setting Your CDPATH Variables to Find Directories Fast 35Remembering Where Youve Been with pushdand popd 36Manipulating Your Stack with dirs 36Technique 7: Typing Less and Doing Morewith Handy Automagic Variables 38Show Me the $$: Giving Temporary FilesUnique Names 39Streamlining Archive Searches 39Turning the Output of a Command into a Variablewith $( ) 40Using $UID and $EUID in Shell Scripts 41Getting Quick Access to Programs with $PATH 42Customizing Variables for Rapid Transit 4301b_571737ftoc.qxd 7/2/04 7:55 PM Page viiLinux Timesaving Techniques For DummiesviiiSharing Linux Resources with Other Computers(SMB Clients) 67Adjusting the workgroup name and creating user accounts 67Giving a Windows machine access to yourhome directory 68Sharing Linux files and directories with other computers 69Hooking Everyone Up to the Printer 69Sharing Linux printers with SWAT 69Using a Windows printer from Linux 70Plugging In to Remote Data with Linux Programs Quickly 71Technique 12: Finding What You Need 73Finding Files with locate 73Finding Files with find 74Qualifying Your Search with the find Command 75Doing updated filename searches 75Adding time-based qualifications 75Filtering by file size 76Joining qualifications with AND and OR operators 77Perusing commonly used qualifications 77Acting on What You Find 78Cracking open a files info with -ls 78Displaying specific info with -printf 79Checking disk usage by user 79Executing commands with find 80Building Complex Commands with xargs 81Technique 13: Moving Made Easy with Archives 82Creating Archives with File Roller 82Inspecting and Extracting Archives with File Roller 84Adding Functionality to tar with Complex Commands 85Building archives from the command line 85Archiving complex search results 86Backing up an installed package 86Uprooting Entire Directory Trees with scp 86Splitting Big Files into Manageable Chunks 87Technique 8: Logging In, Logging Out 45Finding the Right Shell Script 45Choosing your victims 46Timing is everything 46Cleaning up made easy 47Changing prototype scripts 48Customizing Your Autostart File 48Technique 9: Making History (Work for You) 50Navigating the History List 50Scrolling 50Summoning a command by number 51Searching through history 51Customizing the History List 52Adjusting key default settings 52Filtering the history list 52Executing Commands Quickly with History Variables 53Technique 10: Keeping Your Life Simplewith Aliases and Functions 55Viewing Your Aliases 55Creating Simple Timesaving Aliases 56Using Aliases for Complex Commands 57Automating Tedious Tasks with Functions 58Filtering file searches by file type 58Automatic downloading 58Monitoring Your System in a Snap 59Un-tarring the Easy Way 60Part II: Getting the Most fromYour File System 63Technique 11: Sharing Files and Printersin a Windows World 65What Is Samba? 65Getting Up and Running with Samba 66Checking whether Samba is installed 66Enabling Samba 6601b_571737ftoc.qxd 7/2/04 7:55 PM Page viiiTable of Contents ixTechnique 14: Downloading and Uploading Files in a Snap 88Building Software from Downloaded tarballs 88Compiling a tarball: The basic steps 89Downloading and compiling SuperKaramba 89Versatile Downloading with wget 91Mirroring sites with wget 91Verifying your bookmarks with wget 92Downloading files with wget 92Downloading and unpacking in one quick step 92wgets optional flags 92Downloading and Uploading with curl 93Technique 15: Building a Playpen withUser Mode Linux 94Choosing the ADIOS Version of User Mode Linux 94Setting Up ADIOS 95Downloading ADIOS 95Burning ADIOS to CD 96Installing ADIOS 96Finding Your Way around UML 97Connecting to the Internet from an ADIOS VM 98Using a GUI with UML 98Installing Software into UML 98Merging Changes to Your Prototype 99Part III: Good Housekeeping with Linux 101Technique 16: Red-lining RPM Queries 103Querying RPM Packages for Content 104Digesting Information 105Creating a Package Index 105Querying for Prerequisites 106Dont Put That in Your Drive; You Dont Know Where Thats Been! 106Technique 17: Installing Made Easy with RPM 108Dissecting an RPM Package 108Using RPM at the Command Line 109Removing RPMs 110Flagging Down RPM 110Getting Graphic with RPM 110Quick installations from distribution mediawith Fedoras Package Manager 110Using SuSEs package manager to your advantage 112Using Rpmdrake to install from media 113Installing from your Konqueror browser 114Technique 18: Getting Comfortable with RPM 115Saving Time with - -upgrade 115Verifying Your System 116Reading the Tamper-Proof Seal 117Technique 19: Keeping Up-to-Datewith apt and Synaptic 119Setting Up Synaptic and apt in a Snap 119Keeping Up-to-Date with apt and Synaptic: The Basics 120Upgrading Your Entire Computer 122Handy Hints about Synaptic 123Changing repositories 123Viewing package details 123Installing new packages with Synaptic 124Importing the Keys to the Repository 124Technique 20: Setting Up Automatic Services 126Letting Task Scheduler Work for You 126Scheduling a new task 127Editing a task 128Adding environment variables 128Technique 21: Making Your Inner SystemAdministrator Happy (And Productive) 130Reining In Resources with Disk Quotas 130Installing the quota RPM package 131Enabling file system quotas 131Getting your files together 132Setting quotas 132Reviewing your quotas 134Using System Accounting to Keep Track of Users 134Setting up system accounting 134Looking up user login hours 135Checking out command and program usage 13501b_571737ftoc.qxd 7/2/04 7:55 PM Page ixLinux Timesaving Techniques For DummiesxTechnique 26: Finding Out about Your System with /proc 170Exploring the Process-Related Entries in /proc 170Surveying Your System from /proc 172Closing Down Security Gaps with /proc 174Popping the Cork: Speeding Up WINE with /proc 175Part V: Securing Your Workspace 177Technique 27: Closing Those Prying Eyes 179Reading and Understanding File Permissions 179Controlling Permissions at the Command Line 181Changing File Permissions from a Desktop 182Technique 28: Using Encryption forExtra Security 184Encryption Made Easy with kgpg and the KDE Desktop 185Creating keys with kgpg 185Sharing your key with the world 186Importing a public key from a public-key server 187Encrypting and decrypting documents with drag-and-drop ease 188Encrypting Documents with gpg at the Command Line 189Sharing a secret file 189Creating a key pair and receiving encrypted documents 189Encrypting documents on your home system 190Encrypting E-Mail for Added Security 191Encrypting with Ximian Evolution 191Setting up Mozilla e-mail for encryption 192Sending and receiving encrypted messages with Mozilla mail 193Technique 29: Securing a Large Network with Custom Authentication 194Using Cross-Platform Authentication with Linux and Windows 195Prepping for cross-platform authentication 195Setting up cross-platform authentication 196Technique 22: Spring Cleaning Essentials 137Running Down the Runlevels 137Runlevel basics 138Customizing runlevels in Fedora 138Customizing runlevels in SuSE 139Customizing runlevels in Mandrake 140Customizing runlevels at the command line 141Switching to a new runlevel 141Disabling Unused Services 141Removing Unneeded Services 143Removing Old Users and Their Files 144Part IV: Tweaking the Kernel on Your Linux System 149Technique 23: Taking Good Care of Your Kernel 151Adding and Removing Kernel Modules 152Learning about modules 152Installing a module with insmod 152Taking care of dependencies automatically with modprobe and depmod 152Loading a module for a slightly different kernel with insmod and modprobe 153Removing modules with rmmod 154Manipulating Boot Time Parameters 154Technique 24: Creating a Custom Kernel 157Reconfiguring Your Kernel Ready, Set, Go! 158Step 1: Making an Emergency Plan, or Boot Disk 158Step 2: Finding the Source Code 160Step 3: Configuring a New Kernel 160Step 4: Customizing the Kernel 161Step 5: Building the Kernel 162Technique 25: Coping with the SELinuxSecurity System 164Understanding the Principles of SELinux 164Everything is an object 165Identifying subjects in SELinux 165Understanding the security context 165Disabling or Disarming SELinux 166Playing the Right Role 167Finding Out about Your SELinux Policy 16801b_571737ftoc.qxd 7/2/04 7:55 PM Page xTable of Contents xiUsing PAM and Kerberos to Serve Up Authentication 197Establishing synchronized system times 197Testing your domain name server (DNS) 199Setting up a Key Distribution Center 199Setting up automatic ticket management with Kerberos and PAM 201Adding users to the Key Distribution Center 202Technique 30: Customizing Authentication with PAM 203Understanding Modules and Configuration Files: The Basics of PAM Authentication 204Finding a Module and Customizing Its Rules 204Building Good Rules with PAM 204Phase 205Control level 205Module pathname 205Arguments 205Dissecting a Configuration File 206Skipping a Password with PAM 208Technique 31: Gaining Privileges 209Feeling the Power 209Gaining Superuser Privileges 210Pretending to Be Other Users 210Limiting Privileges with sudo 211Technique 32: sudo Pseudonyms 213Installing sudo 214Adding Up the Aliases 214Adding Aliases to the sudo Configuration File 214Defining the Alias 215Creating a User_Alias 215Creating a Runas_Alias 215Simplifying group managment with a Host_Alias 216Mounting and unmounting CDs without the superuser password 216Managing access to dangerous commands with command aliases 216Technique 33: Securing Your Connections with SSH 218Using SSH for Top-Speed Connections 219Setting Up Public-Key Authentication to Secure SSH 219Generating the key pair 219Distributing your public key 220Passing on your passphrase 220Logging In with SSH and Key Authentication 221Starting from the command line 221Getting graphic 222Creating Shortcuts to Your Favorite SSH Locations 222Copying Files with scp 223Secure (And Fast) Port Forwarding with SSH 223Part VI: Networking Like a Professional 227Technique 34: Protecting Yourselfwith a Firewall 229Finding Your Firewall 229Setting up a simple firewall in Mandrake Linux 230Setting up a simple firewall in Fedora Linux 231Setting up a simple firewall in SuSE Linux 232Editing the Rules with Webmin 233Starting a Webmin session 234Reading the rules with Webmin 234Changing the rules 236Editing existing rules 236Adding a new rule with Webmin 237Technique 35: Using VNC to Connect toRemote Desktops 239Sharing Desktops with VNC 239Inviting Your Friends to Use Your Desktop 240Serving Up a New Desktop with VNC Server 241Using tsclient to View Remote Desktops from Linux 242Using tsclient with a VNC server 243Using tsclient with an RDP server 24301b_571737ftoc.qxd 7/2/04 7:55 PM Page xiLinux Timesaving Techniques For DummiesxiiFinding Fellow Mandrake Users in the MandrakeChat Room 268Customizing KSirc Who Do You Want to Be Today? 268Part VII: Monitoring Your System 271Technique 39: Controlling TroublesomeProcesses at the Command Line 273Processing Processes with procps 273Keeping Track of Process Status with ps, pstree, and pgrep 274Using ps to filter process status information 274Viewing ps output the way you want to see it 275Making parent-child relationships stand out in a ps listing 277Climbing the family tree with pstree 277Finding processes with pgrep 278Killing Processes with pkill 280Killing Processes with killall 280Closing Windows with xkill 280Getting Your Processes Priorities Straight 281Technique 40: Taking Care of New (AndOld) Users 282Managing Users and Groups with the Fedora/Mandrake User Manager 283Adding new users 283Modifying user accounts 284Adding groups 285Filtering users and groups 286Managing Users and Groups with the SuSE User Administrator 286Adding new users 287Modifying user accounts 289Adding groups 289Filtering users and groups 290Technique 41: Keeping an Eye on Your System 291Keeping an Eye on the System Logs 292Viewing and filtering log files with Fedora and Mandrake 292Adding and deleting log files from the viewer 293Making Cut and Paste Commands Work on a Remote Desktop 244Creating New VNC Desktops on Demand 245Switching display managers in SuSE Linux 245Switching display managers in Mandrake Linux 245Connecting gdm and VNC 246Technique 36: Streamlining Your NetworkSurveillance 247Exploring Your Network with lsof 247Running lsof 248Interpreting the lsof output 248Reading file types 249Discovering Network Connections 249Other Timesaving lsof Tricks 250Packet Sniffing with the Ethereal Network Analyzer 251Starting Ethereal 251Capturing packets 251Applying filters to screen packets 252Peeking in packets 253Color-coding packets coming from your network 253Technique 37: Evaluating Your NetworkSecurity with Nessus 255Getting Up and Running with Nessus 256Installing programs Nessus needs to run 256Installing Nessus 256Adding a user to Nessus 257Generating a certificate 258Using Nessus to Scan Your Network 258Starting the daemon and the interface 259Reading the grim results 262Keeping Your Plug-ins Up-to-Date 263Technique 38: Person-to-Person Networking with IRC 265Finding the Answers You Seek in a Linux Chat Room 265Chatting in the Fedora Chat Room 267Looking for Answers in the SuSE Chat Room 26801b_571737ftoc.qxd 7/2/04 7:55 PM Page xiiTable of Contents xiiiSetting up alerts and warnings 294Viewing your log files from SuSE 295Monitoring your log files from SuSE 295Customizing Your Log Files 296Keeping an Eye on Resources with KDE System Guard 298Finding and killing runaway processes 298Prioritizing processes to smooth a network bottleneck 300Watching your system load 300Creating a new worksheet 301Creating system resource logs 302Displaying network resources 303Part VIII: Serving Up the Internet and More 305Technique 42: Keeping an Apache Server in Top Form 307Setting Up Apache Quick! 307Using Synaptic to download and install Apache 308Installing Apache from disc 309Starting the Apache Service 310Building a Quick Web Page with OpenOffice.org 312Taking Your Site Public with Dynamic DNS 313Understanding how dynamic DNS works 313Setting up dynamic DNS 313Updating your IP address 314Keeping Your Apache Server Up-to-Date the Easy Way 314Installing the Fedora HTTP Configuration tool 315Putting the HTTP Configuration tool to work 315Technique 43: Keeping an Eye on Your Servers 317Watching Your Web Server Traffic with apachetop 318Installing apachetop 318Running and exiting apachetop 318Navigating apachetop 319Switching among the log files (or watching several at once) 319Changing the display time of apachetop statistics 320Monitoring MySQL Server with the MySQLControl Center 320Downloading and installing the MySQLControl Center 320Accessing MySQL Control Center features 321Viewing, managing, and repairing a databasewith the Databases controls 321Putting the Server Administration controls to work 323Adding a new user 324Watching Your MySQL Traffic with mtop 325Gathering all the packages that mtop needs 325Installing mtop 326Monitoring traffic 326Technique 44: Making a MySQL Server Your SQL Server 328Building a MySQL Server 329Installing the necessary packages 329Starting the MySQL server 329Replicating MySQL Data 330Configuring replication: The three topologies 330Setting up replication for a single slave and master 331Choosing a Method to Back Up MySQL Data 332Backing Up and Restoring with mysqldump 332mysqldump backup options 332Backing up multiple databases 333Compressing the archive 333Restoring a mysqldump archive 334Backing Up with File System Tools 334Making a mysqlhotcopy of Your Database 334Archiving a Replication Slave 335Taking Care of Business with MySQL Administrator 335Installing MySQL Administrator 335Starting MySQL Administrator 336Exploring MySQL Administrators tools 336Technique 45: Safeguarding Your ApacheServer with SSL Certificates 340Understanding the Basics of How Certificates Work 340Choosing an SSL Certificate 34101b_571737ftoc.qxd 7/2/04 7:55 PM Page xiiiLinux Timesaving Techniques For DummiesxivPart IX: Backing Up Means Never Having to Say Youre Sorry 369Technique 49: Getting Ready to Back Up Your Data 371Deciding What to Archive 372Choosing Archive Media 372Tape drives 372Removable and external disk drives 373Removable media 373Optical media (CDs and DVDs) 374Online storage 374Choosing an Archive Scheme 374Full backups 374Differential backups 374Incremental backups 375Incremental versus differential backups 375Choosing an Archive Program 376Technique 50: Backing Up Your Data 377Estimating Your Media Needs 377Creating Data Archives with tar 378Backing up files and directories 378Backing up account information and passwords 378Targeting bite-sized backups for speedier restores 379Rolling whole file systems into a tarball 379Starting a Differential Backup Cycle 380Starting an Incremental Backup Cycle 381Restoring from Backup with tar 382Backing Up to CD (Or DVD) with cdbackup 383Creating the backup 383Restoring from a CD or DVD backup 384Restoring from a disc containing multiple archives 384Technique 51: Quick Backup to Remote Storage 386Combining the Power of tar with ssh for Quick Remote Backups 387Testing the ssh connection to the remote host 387Creating a tar archive over the ssh connection 387Backing up to tape drives on remote machines 388Creating a Certificate Signing Request 341Creating a Self-Signed Certificate 344Creating a Signing Authority with openssl 345Creating a certificate authority 345Signing a CSR 346Trusting in Trusted Certification Authorities 347Exploring Your Certificate Collection with Mozilla 347Technique 46: Retrieving HTTPMail Using hotway and Evolution 349Introducing hotway 349Getting Started with hotway 350Setting Up Evolution to Read HTTPMail Accounts with hotway 350Ringing the Bells and Blowing the Whistles:Your Evolution Summary Page 353Technique 47: Stopping Spam withSpamAssassin 356Installing SpamAssassin 356Installing from the distribution media 357Installing from RPM downloads 358Starting the service 358Fine-Tuning SpamAssassin to Separate the Ham from the Spam 358Customizing settings 359Saving your settings 360Adding a New Filter to Evolution 361Serving Up a Big Bowl of the RulesDuJour 363Technique 48: Using Webmin to SimplifySendmail Configuration 364Registering Your Address 364Taming a Sendmail Server 364Tweaking Your Configuration Files with Webmin 365Serving up mail for multiple domains 366Relaying e-mail 366Using aliases to simplify mail handling 36701b_571737ftoc.qxd 7/2/04 7:55 PM Page xivTable of Contents xvBacking Up to a Remote Computer with rdist and ssh 388Testing the ssh connection to the remote host 388Creating the distfile 389Backing up 390Technique 52: Archiving Changes with CVS 391Getting Started with CVS 392Checking whether CVS is installed 392Discovering what to use CVS for 392Creating a CVS Repository 392Populating Your Repository with Files 393Checking Files In and Out (Or Playing in YourSandbox) 394Simplifying CVS with cervisia 395Installing cervisia 395Putting files in your sandbox 395Adding more files to your repository 396Committing your changes 396Diplomacy 101 resolving conflicts 397Browsing your log files 397Marking milestones with tags 398Branching off with cervisia 399Part X: Programming Tricks 401Technique 53: Using Open-Source APIs to Save Time 403Using the libcurl Library (C Programming) 404Uploading a File with a Simple Program Using libcurl 404Line 7: Defining functions and data types 405Line 14: Calling the initialization function 405Lines 18 21: Defining the transfer 405Line 23: Starting the transfer 407Line 26: Finishing the upload 407Installing the Ming Library 407Building a Simple Flash Movie with Ming 408Examining the program 408Compiling the program 410Running the program 410Building Interactive Movies with Ming 411Examining the program 411Compiling the program 413Running the program 413Technique 54: Timesaving PHP Tricks 414Doing the curl E-shuffle with PHP 415Combining PHP with curl and XML: An overview 415Checking out the XML file 415Downloading and displaying the XML file with a PHP script (and curl) 416Sending E-Mail from PHP When Problems Occur 420Technique 55: Using the DDD GraphicalDebugger with Perl 422Debugging Perl Code with DDD 423Installing and starting DDD 423Examining the main window 423Reviewing and stepping through source code 424Making Stop Signs: Using Breakpoints to Watch Code 425Setting a breakpoint 425Modifying a breakpoint 425Tracking Variable Values in the Data Window 426Opening the data window 426Adding a variable to the data window 426Changing the display to a table 427Using the Backtrace feature 428Using the Help menu 428Part XI: The Scary (Or Fun!) Stuff 429Technique 56: Burning CD-Rs withoutGetting Burned 431Making Fedora Distribution CDs 432Downloading the ISO images 432Verifying the checksums 433Burning an ISO File to Disc at the Command Line 433Finding the identity of your drive 433Running a test burn 433Burning the distribution discs 434Creating an ISO Image at the Command Line 434Burning CDs without Making an ISO First 43501b_571737ftoc.qxd 7/2/04 7:55 PM Page xvLinux Timesaving Techniques For DummiesxviKeeping the daemons in check 461Securing sendmail 461Closing the gaps in Apache 461Keeping temporary files safe 462Building a better firewall 462Port scanning with Bastille 464Youre almost done! 465Keeping Abreast of Security Issues 466Technique 61: Creating a Second Line of Defense with LIDS 467Turning LIDS On and Off 467Testing LIDS before Applying It to Your System 468Understanding the LIDS Access Control List 468Controlling File Access with LIDS 469Hiding Processes with LIDS 470Running Down the Privilege List 471Technique 62: Getting Graphicalwith Shell Scripts 474Getting Graphical at the Command Line 475Getting graphical in GNOME 475Getting graphical with KDE 477Staying desktop neutral 478Index 479Technique 57: Search and Destroy setuid and setgid Programs 437Exploring How setuid and setgid Can Be Dangerous 437Identifying the Potential Troublemakers Fast 439Finding setuid quickly and easily with kfind 439Finding setuid and setgid programs at the command line 440Deciding to Turn Off setuid or setgid 441Changing the setuid or setgid Bit 441Technique 58: Quarantining SuspiciousPrograms with UML 443Who Belongs in Jail? 444Using UML to Jail Programs 444Changing the Default Password to the Jail 446Installing New Software and Resolving Conflicts 446Technique 59: Troubleshooting PersnicketyPrograms 448Using lsof to Find Out Which Files Are Open 449Debugging Your Environment with strace 450Investigating Programs with ltrace 451Handy strace and ltrace Options 452Recording Program Errors with valgrind 453Technique 60: Securing the Fort with Bastille 455Hardening Your Hat with Bastille 455Downloading and installing Bastille and its dependencies 456Welcome to the Bastille 456Addressing file permission issues 457Clamping down on SUID privileges 457Moving on to account security 458Making the boot process more secure 459Securing connection broker 460Limiting compiler access 460Limiting access to hackers 460Logging extra information 46001b_571737ftoc.qxd 7/2/04 7:55 PM Page xviIntroductionLinux is open-source software at its finest. Open-source software isall about taking control of your desktop away from the big corpora-tions and putting it into the hands of the developers working withyour best interests at heart. The software is freely available on theInternet for you to download you can even help develop the projects ifyou want to get involved. Decisions about whats on your desktop arentbeing made based on the profit margins yielded by the software. Instead,the best interests of the user are of primary concern to the developers.Although open-source software is great, have you ever tried to read thedocumentation that comes with it? Some of it is very good, but most of itis written for geeks, by geeks, and a good part of it is flat-out missing.Dont blame the developers they are doing this for free after all. . . .Our goal in writing this book is to empower you with some of thestronger features of Linux (and some great open-source tools) to solveeveryday problems, without the headaches and lost time that go withtrying to figure out how to use the tools. Linux provides simple, fast, andpowerful solutions to meet the demands of day-to-day computer use andsystem administration our goal is to save you time, while making thetools easy to use.Saving Time with This BookThe Timesaving Techniques For Dummies books focus on high-payofftechniques that save you time, either on the spot or somewhere downthe road. And these books get to the point in a hurry, with step-by-stepinstructions to pace you through the tasks you need to do, without anyof the fluff you dont want. Weve identified more than 60 techniques thatLinux users need to know to make the most of their time. In addition,each technique includes figures that make following along a breeze.Decide for yourself how to use this book: Read it cover to cover if youlike, or skip right to the technique that interests you the most.02_571737cintro.qxd 7/2/04 7:56 PM Page 1Introduction2to an individual user or a large corporate network,but we assume you know which one you are.We assume you make backups on a regular basis. Ifyou dont, go immediately to Part IX: Backing UpMeans Never Having to Say Youre Sorry.We assume you dont want to get bogged down ina lot of useless details, so we concentrate ongetting techniques implemented quickly, withouta lot of overhead spent on theory. Thats a big time-saver, too.Whats in This BookThis book is organized into parts groups of tech-niques about a common subject that will save youtime and help you get your system running better.Each technique is written to be independent of theothers, so you only need to implement those tech-niques that are important to you and your users.From time to time, we may send you to another tech-nique to implement a feature that well be using inour current technique we just dont want to wastevaluable space repeating ourselves. Each of the partsis about a different facet of a Linux system so youcan scan the part title easily, looking for problem-solving techniques that will help you, quick.Part I: Making the Desktop Work for YouPart I is full of tips and techniques to help you makethe most of your time at the desktop. Teaching yoursystem how to recognize file types (so you donthave to specify them every time you open a file),keyboard shortcuts, and customizing your promptare included among the techniques. We also includea rundown on the KDE protocols and the GNOMEvirtual file systems the handy tools that work in abrowser window to access other sources (like cam-eras or CDs). Youll also find techniques about usingautomagic variables and history files to make thecommand line simple, easy, and quick.In Linux Timesaving Techniques For Dummies, youcan find out how to Tame time-consuming tasks: Were letting you inon more than 60 tips and tricks for your Linuxsystem, so you can spend more time on creatinggreat results and less time on fiddling with a fea-ture so that it works correctly. Take your skills up a notch: Youre already famil-iar with the basics of using Linux. Now this booktakes you to the next level, helping you become amore powerful user. Customize Linux to meet your needs: Spendingsome upfront time customizing Linux so that itworks faster, more reliably, and more like howyou work on a daily basis can save you time (andaggravation) later. Fine-tune your system: You can fine-tune yourLinux system for better performance and usabil-ity. Customizing your system to better serveusers saves everyone time. Improve your system security: Building a secureuser environment with good user hygiene andregular backups will save everyone time. Withadequate security in place, your chances of hav-ing to restore your system are minimized. Automate repetitive tasks: You can automateand schedule repetitive tasks to run while youreaway, and save the bandwidth for the times thatyou need it most.Foolish AssumptionsWe assume very little. We do, however, assume youhave a computer that is currently running Fedora,Mandrake, or SuSE Linux (or that youre consideringa conversion), and that you more than likely are con-nected to the Internet.We assume that you know the needs of your usersand the demands of your system. We try to clearlyidentify what aspects of a technique are best suited02_571737cintro.qxd 7/2/04 7:56 PM Page 2Whats in This Book 3Part II: Getting the Most from Your File SystemThis part focuses on moving and sharing data. UsingWindows filesharing across a network, finding thefiles you need when you need them, and some quickdownloading techniques are included in this part.This part also includes a technique about using UserMode Linux to create a playpen with a built-in copyof Fedora handy if you need to jail a server or justwant to experiment with program modificationssafely.Part III: Good Housekeeping with LinuxYoull find techniques to help you make the most ofthe RPM tool (the Red Hat Package Manager) forinstallations, updates, and queries. Part III alsoincludes a technique introducing you to Synaptic a handy tool that will keep your software currentand up-to-date with just a few clicks of the mouse.Well also introduce you to task scheduling tools thatcan help you automate administrative tasks to runwithout any supervision at all. Everyday timesavingdoesnt get much better than Part III.Part IV: Tweaking the Kernel on Your Linux SystemThe techniques in Part IV are dedicated to the ker-nel. Well show you how to build a new kernel, cleanup an old kernel, or find out about the condition ofyour existing kernel. Well also introduce you to SELinux the new security-enhanced kernel freshwith this release of Fedora.Part V: Securing Your WorkspacePart V is all about security well introduce you toPAM (Pluggable Authentication Modules), and showyou quick ways to encrypt e-mail and files to keepthe prying eyes of snoops out of your personal docu-ments. Well also show you how to safeguard yoursystem by using sudo to dole out the superuser privi-leges to only those users on your system who needthem. Your system will be a safer place with thetechniques in Part V implemented.Part VI: Networking Like a ProfessionalThe techniques in Part VI focus on using networkfeatures and network analysis tools to your advan-tage. Well show you how to set up and use remotedesktops from your local system, as well as how toshare desktops with remote users. Well also showyou how to take care of your network security bybuilding sturdy but supple firewalls, and how toharden those firewalls with the network securityanalysis tool, Nessus. Well also show you how towatch network traffic to see whats traveling acrossyour network to your users.Part VII: Monitoring Your SystemIn this part, well introduce you to tools that willhelp you keep an eye on your system resources andcontrol runaway processes. Well also show yousome quick ways to take care of users and theiraccounts both new users and old.Part VIII: Serving Up the Internet and MoreIn Part VIII, well focus on server-related issues. Wellshow you the quick way to build and configure anApache Web server, a Sendmail mail server, and aMySQL database server, as well as how to monitoryour servers once theyre in place. Well also showyou how to make your new Web site a more secureplace with SSL certificates, and the easy way to cre-ate your own certificate signing authority. Then welldelve into e-mail youll save a ton of time withour techniques that help you avoid spam withSpamAssassin and retrieve your HTTPMail (thatsHotmail, MSN, and Lycos mail) with hotway, avoidingall of the ads and pop-ups that come with mostInternet mail accounts.Part IX: Backing Up Means Never Having to Say Youre SorryThe techniques in this part are all about backing up.Techniques include getting ready to back up yourdata, choosing a fast but sturdy backup scheme,implementing a good backup routine, and backing02_571737cintro.qxd 7/2/04 7:56 PM Page 3Introduction4throw in an introduction to Zenity a handy toolkityou can use to add graphical prompts to any usershell scripts you use on your system.Icons Used in This BookEach technique in this book has icons pointing tospecial information, sometimes quite emphatically.Each icon has its own purpose.When theres a way to save time, either nowor in the future, this icon leads the way. Homein on these icons when every second counts.This icon points to handy hints that will helpyou work through the steps in each techniqueor to handy troubleshooting info. These icons are your trail of breadcrumbs,leading back to information that youll want toremember.When you see a Warning icon, theres achance your data or your system is at risk. Youwont see many of these, but when you do,proceed with caution.up to remote storage. Well also introduce you toCVS archiving a great way to keep not only cur-rent renditions of projects, but also a living historyof a projects growth.Part X: Programming TricksThese techniques will help you save time in yourprogramming projects. Youll find a technique thathelps you use prewritten, open-source APIs in yourown code to help you cover ground quickly. Youllalso find a technique that focuses on moving data inand out of your PHP code. Well also introduce youto a great graphical debugger (DDD) that will saveyou time when you need to debug your code thats the last thing you want to spend too muchtime on.Part XI: The Scary (Or Fun!) StuffThis part contains a medley of timesaving tech-niques that will help you burn CDs, find dangerousprograms, create a UML jail, troubleshoot problemprograms, and more. Well introduce you to Bastille,a system-hardening, open-source tool that makesmost security schemes look wimpy. Well also giveyou the rundown on LIDS an under-documentedbut powerful security tool that you can use on yoursystem to create a secure user environment. Well02_571737cintro.qxd 7/2/04 7:56 PM Page 4Part IMaking the DesktopWork for You03_571737p01.qxd 7/2/04 7:56 PM Page 503_571737p01.qxd 7/2/04 7:56 PM Page 61 Finding the Powerin KDE ProtocolsWhen you type a typical URL, such as http://www.google.com/index.html, into your Web browser, you likely dont think abouthow youre making use of it. That is, you dont think abouthttp:// being a protocol, www.google.com being an address that the proto-col handler knows how to deal with, and index.html identifying aresource at that address.If you havent thought about URLs and their individual parts for a while,you may be surprised to find out that KDE adds a number of new protocolhandlers, called KIO slaves, that know how to serve up data from new andunusual sources, such as CDs and remote systems, through the KonquerorWeb browser.Using the right protocol saves you the time of manually copying resourcesall over the Web. The protocols are a varied bunch. In this technique,we show you protocols that work with audio CDs or your digital camera,handle remote file management, manage printers and e-mail, and readdocumentation. Check them out you can save time in lots of ways.Discovering Your ProtocolsFinding out about KDE protocols is not an easy task. They arent welldocumented, and they can be tough to find. Some are universally helpful,whereas others are more specialized (such as the LinPoch project at linpoch.sourceforge.net, which lets you interact with Nokia cell phonesfrom KDE applications). Heres how to see what protocols are installedon the following versions of Linux: Fedora: Open the KDE Menu and choose System ToolsInfo Center;then click Protocols. SuSe: Open the KDE Menu and choose SystemMonitorInfo Center. Mandrake: Open the KDE Menu and choose SystemConfigurationKDEInformationProtocols. TechniqueSave Time By Creating links to allowquick access to importantdata Moving audio and imagefiles with Konqueror fishing for remote fileswith a secure connection Easily accessing localnetwork information Reading documentation fast!04_571737c01.qxd 7/2/04 7:57 PM Page 7Technique 1: Finding the Power in KDE Protocols8(See the preceding section to find out how toview a list of available protocols.) See Table 1-1for details on what the options do and how theywork. Figure 1-1: The KDE audiocd: protocol.Not all copies of KDE are created equal. Thecopy of KDE currently distributed with Fedoraincludes support for copying to .wav, .cda,and .ogg files, but it doesnt include the infor-mation to create MP3s. You can get a copy ofKDE that has MP3 compiled in at www.kde.org.Depending on your MP3 player, you may beable to save lots of time loading files. If yourplayer can emulate a hard drive, you can openit with Konqueror and drag your music on andoff the player.The Available IO Slaves column displays a list ofavailable protocols. For more information about aprotocol, click the protocol name, and the documen-tation is displayed in the right column.Some of the protocols are not documented. Ifyou find one that sounds interesting, search theWeb to see if someone has written about it.Depending on which version of KDE you haveand which options are installed, the protocolsyou find will vary.Working with CD AudioTracks Using audiocd:Linux gives you all sorts of ways to rip the tracksoff audio CDs, but we havent found anything easierthan KDEs audiocd: protocol. This protocol is abreeze to use:1. Insert a music CD into your drive.If your CD player program starts, just close it.2. Open the Konqueror Web Browser.3. When Konqueror opens, enter audiocd:/ in theLocation bar and press Enter.If your copy of KDE was compiled with audiocd:support, the Web browser displays options forripping the audio files, as shown in Figure 1-1.TABLE 1-1: RIPPING AUDIO FILES WITH AUDIOCD:Option What Is It? How to Use ItCDA Files A directory that contains one file for each audio track Drag one of these .cda files to your desktop (or to on the CD (track01.cda, track02.cda, . . .). another folder), and audiocd: copies the raw audio track to the new location.By Track A directory that contains one file for each audio track Drag one of these .wav files to your desktop (or to (track01.wav, track02.wav, . . .). another folder), and audiocd: converts the audio track to WAV format.Ogg Vorbis A directory that contains one file for each audio track, Drag one of these .ogg files to your desktop (or to in Ogg Vorbis format (such as 16 Burning Down The another folder), and audiocd: converts the audio House.ogg, 14 Once In A Lifetime.ogg, . . .). track to Ogg Vorbis format.04_571737c01.qxd 7/2/04 7:57 PM Page 8Managing Snapshots with the camera: Protocol 9Managing Snapshots withthe camera: ProtocolThe camera: protocol treats your digital camera likeits just another storage device, only this one is fullof pictures. camera: gives you thumbnail previews ofthe photos on your camera, so you can easily iden-tify and move your images to where you need them.Just drag the images to your desktop (or to anotherfolder). Double-click an image file to open it withyour favorite editor (see Technique 3 to find out howto choose an editor), and youre working in a snap.You can also use an image as your desktopwallpaper. Drag the thumbnail to the desktopand choose Set as Wallpaper from the menuthat appears.To use the camera: protocol, follow these steps:1. Plug in your digital camera and be sure itsturned on. 2. Open the Konqueror Web Browser.3. Type camera:/ in the address line and pressEnter.Thats all there is to it (see Figure 1-2). Figure 1-2: The camera: protocol, in action. From here, finding your way around the inside ofyour camera is just a matter of exploring.When we plug in our HP PhotoSmart 320digital camera and use the camera: protocol,we see the single directory HP PhotoSmart 320(PTP mode). Underneath the HP PhotoSmart320 folder, our pictures are in a subdirectorynamed store_00010001/DCIM/100HP320.The directory structure used by your digitalcamera is likely to be different. Use Konquerorto find your way around the inside of yourcamera. After you know where your imagesare stored, you should be able to open thoseOption What Is It? How to Use ItMP3 A directory that contains audio tracks Drag an .mp3 file to your desktop (or to another in MP3 format. folder), and audiocd: converts the audio track toMP3 format.By Name A directory that contains audio tracks (with song names) in WAV format (16 Burning Down The House.wav, 14 Once In A Lifetime.wav, . . .). This directory is similar to By Track, except that you get to see song titles in the By Name directory (By Track only shows you the track numbers). You wont see a By Name directory if Konqueror cant find your CD in the Webs cddb database.Album Name A directory that contains one file for each audio track, in WAV format (identical to By Name except that the directory name is the album name).04_571737c01.qxd 7/2/04 7:57 PM Page 9Technique 1: Finding the Power in KDE Protocols10archive, open, and browse remote files the sameway you handle files stored on your computer. Open fish: folders on two (or more!) systemsand copy files or even entire directories from onemachine to another by dragging from one win-dow to another. Create a secure link on your local desktop thatpoints to a remote system. When you open thelink, fish: prompts you for login informationso not just anyone can get access via your com-puter. To create a desktop link, right-click on yourdesktop and choose Create NewFileLink toLocation (URL). Type in a name for your link andenter a URL in the form fish://computer-name/directory, for example fish://bastille/home/freddie/Desktop. Edit remote files with KWrite. When you opena remote file (such as fish://versaille/.bash_profile), any changes that you make areautomatically saved back to the remote system.The KDE protocols are a part of KDE, notLinux. That means that any KDE-friendly appli-cation (Kate, Konqueror, KMail, and so on) canuse them, but non-KDE applications wontunderstand them. You can open a fish: URLin just about any KDE application, and theresource appears as if it were on your localsystem. Note that not all KDE applications areprotocol-enabled, which means that theywont understand fish: URLs. Youll just haveto try out each application.Getting Help with help:,info:, and man:KDE protocols give you fast access to help when youneed it. KDE sports three documentation protocols:man:, info:, and help:. To use the protocols, openyour Konqueror browser, enter the protocol name inthe Location line, and press Enter. Konqueror willtake you to the top-level index for the protocol youchoose:images directly from KDE-friendly applicationslike KuickShow and KView.Dont bother trying to remember a long, com-plex URL that corresponds to where your pic-tures are stored. Instead, drag the folder toyour desktop and choose Link Here. Then,whenever you want to play with your camera,plug it in and click the shortcut.One thing to note your pictures reside only inyour camera until you copy them onto your com-puter. Be sure to store the pictures on your com-puter before deleting them from your camera. Afteryou copy the pictures you want to keep, its easy toerase the images from your camera; just delete themor drag them to the trash like any other file.Remote File Managementwith fish:fish: is a remote file access protocol. Using fish:,you can work with files stored on a remote Linuxsystem as if they were located right on your desktop.To use fish:, open a KDE browser (Konqueror is agood choice) and enter fish:// followed by the hostname (or IP address) of the machine youre fishing for. Under the hood, fish: uses SSH (Secure Shell) to doits work, so you must have an SSH server up andrunning on the remote machine before you can gofishing. fish: prompts you for a user name and pass-word on the remote system before allowing youaccess to files. After youve connected, you caninteract with the remote files and directories inthe same way you would deal with local files: Dragthem to your desktop, drag them to other folders,drag them to the trash, or just edit them in place.Here are some quick things you can do with thefish: protocol: Manage files on another system with theKonqueror file manager/browser. Using fish:and Konqueror, you can easily move, copy,04_571737c01.qxd 7/2/04 7:57 PM Page 10Other KDE Protocols 11 man: When you browse through the man: proto-col, you see a short index that provides accessto the ten or so sections of the Linux man pages. The man: protocol is a great way to read manpages because the documentation is pleas-antly formatted and cross-referenced. When you navigate down one level from themain index, the second level leaves a bit to bedesired. For some reason (we assume thatsomeone intends to fill in more informationlater), it says no idea in a column to the rightof the topic list. Just ignore this and click yourtopic, and youll find the information you need. info: This protocol gives you access to docu-mentation written in the Texinfo format, a formatpopular with GNU software. Like man:, info:documentation is cross-referenced and displaysa browsable menu with links that take you to thedocumentation you want to read. help: This protocol lets you read documentationin KDEs documentation format. To find subjectswithin help:, type help:/, followed by the topicname. (For example, help:/kate takes you to theKate handbook.) If you need general informationabout your KDE environment, a good startingpoint is help:///khelpcenter.Just like Web page bookmarks that youcan create when surfing the Web, documen-tation bookmarks are great navigational time-savers. Bookmark your favorite man pagesso theyre easily accessible the next time youneed them! To create a new bookmark, justchoose BookmarksAdd Bookmark.Viewing Your Local Networkwith the smb: ProtocolUse the smb: protocol to quickly browse othermachines on your local SMB (Samba and Windowsfile/printer sharing) network. Enter smb:/ in theKonqueror address line and press Return to see theSMB workgroups in your local network. Click an SMBworkgroup to see all the computers in that work-group. Click one of the computers, and you see theresources that computer is willing to share. Just dragand drop the data you need or make clickable linksto resources the time you save will amaze you.Use smb: to create desktop shortcuts to yournetwork locations. Just start your copy ofKonqueror, enter smb:/ in the address line,and press Enter. Choose a workgroup andthen a computer within that workgroup. Nowdrag a share name to your desktop. Next timeyou need data from that machine, you have itat the click of a button. Other KDE ProtocolsWe havent covered all the KDE protocols in thistechnique. There are quite a few others you canexplore. Check out the ones listed in Table 1-2.TABLE 1-2: OTHER KDE PROTOCOLSProtocol What You Do with Itprint: Manage printers, print jobs, andprint queues from your Webbrowser.devices: Find all your storage deviceshere hard drives, NFS andSamba file systems, andremovable media.imap: Send, receive, or just play around pop3: with your mailbox as if it were a mailto: local file system.webdav: Modify a remote Web site or col-laborate with others over the Web.You can find more protocols on the Web.Search for KIO slave at your favorite searchengine.04_571737c01.qxd 7/2/04 7:57 PM Page 11Technique 1: Finding the Power in KDE Protocols12KDE protocols versus GNOME VFSKDE has protocols, and GNOME has the VFS (virtual filesystem). KDE protocols and GNOME VFS modules dopretty much the same thing: They make data availablefrom unconventional sources. The name protocol mayseem a bit misleading, but its called that because the nameof the protocol goes in the protocol part of a URL. We thinkthat virtual file system is a more straightforward name thanprotocol because a virtual file system basically createsmake-believe file systems and lets you use them to quicklyaccess your data. Both the KDE protocols and the GNOME VFS work fromwithin a Web browser, but the GNOME VFS works best atthe command line. We have to admit that were fond ofKDE for its usability and speed. However, sometimesGNOME can be a real timesaver, as you discover inTechnique 2.04_571737c01.qxd 7/2/04 7:57 PM Page 122 Getting GNOMEVirtual File Systemsto Do the Workfor YouLinux supports a wide variety of physical file systems. A file systemsjob is to make sense of the bytes stored on a disk so that other pro-grams dont have to interpret them. A file system module, for exam-ple, might look at the bytes in sector 52033 on your hard disk and say,Hey, thats a directory. File system modules also work in the otherdirection as well. For example, a program might ask for a listing of the/tmp directory, and the file system knows how to find that data on thedisk. A file system module creates order out of the billion or more bytesof chaos on your disk.GNOME takes the physical file system one step further by introducingthe virtual file system (or VFS for short). A virtual file system performsthe same function as a physical file system except that the underlyingdata comes from somewhere beyond your disk. A virtual file system gath-ers data from an unusual source and makes that data appear as a set ofdirectories, subdirectories, and data files. Using a VFS, you can peek intotar, gzip, and RPM archives, treat remote files as if they were local, andeven access CD audio tracks as if they were normal data files. GNOMEalso has some handy preview tools that let you view fonts and desktopthemes as if they were normal files. In this technique, we show you how to save time by using some of themore useful GNOME VFS modules. When you use the VFS, you dont haveto waste time finding (and opening) the right program to view a file in anunconventional location GNOME does the hard work for you. Whetheryou use the VFS in a browser or at the command line, the time you saveand the power you gain will surprise you.Using GNOME VFS ModulesThe GNOME VFS is still evolving, and not all GNOME applications are VFSsavvy. Weve found that most (if not all) VFS modules work when you useTechniqueSave Time By Using GNOME virtual filesystems Combining VFS modules Using VFS to work withpackages Burning CDs and DVDsfrom a browser Previewing fonts andthemes with Nautilus05_571737c02.qxd 7/2/04 7:58 PM Page 13Technique 2: Getting GNOME Virtual File Systems to Do the Work for You14module is actually installed. You also have to checkfor the library in /usr/lib/ gnome-vfs-2.0/modules/.To save you some time, Table 2-1 lists some of themost commonly included VFS modules./proc is a virtual file system that works in eitherKDE or GNOME and exposes kernel data seeTechnique 26 for more information.We cover only a few of the VFS modules dis-tributed with Linux, but you can find others onthe Web. If you find another module you wantto use, youll likely need to download andcompile it. See Technique 14 for help withdownloading and compiling programs.them from the command line, but some fail instrange and quirky ways when you try to use themfrom a browser. If you cant get a VFS URL to work,try it at the command line (we show you how in amoment). If it works there, the problem is in thebrowser.To use a VFS module, simply use the module nameas if it were a protocol. For example, to open a fontthats installed on your system, you can browse tothe URL fonts://Courier. Finding out which VFSmodules are installed on your system can be tricky.The VFS modules are listed in a group of files in/etc/gnome-vfs-2.0/modules, but just because youfind a module listed there doesnt mean that theTABLE 2-1: COMMONLY INCLUDED VFS MODULESModule Name What It Doeshttp: Accesses data stored on a Web serverhttps: Accesses data stored on a secure Web server (typically an e-commerce site)ftp: Accesses data stored on an FTP servermailto: Sends e-mailbzip2: Peeks inside bzip2 archivescdda: Treats CD audio tracks as if they were normal filesfile: Accesses data stored in a local physical file systemnntp: Reads newsgroups by using the network news transport protocolgzip: Peeks inside gzip archivesdav: Accesses data stored on a WebDAV serverpipe: Accesses data sent to a pipessh: Connects to a remote SSH servertar: Peeks inside uncompressed tar archivesfonts: Accesses font informationburn: Burns CDs from within a browserthemes: Accesses desktop themes installed on your system05_571737c02.qxd 7/2/04 7:58 PM Page 14Working with Packages: rpm and rpms 15Stacking VFS ModulesGNOME VFS URLs can be stacked together. Forexample, if you have an uncompressed tar file locatedon a remote system, you can stack a tar URL on topof an http:// URL to get to the data stored inside.Suppose that you have an uncompressed tar archivenamed /tmp/pics.tar that contains an image namedfreddie.jpg and you want to view that picture withGNOMEs Eye Of Gnome viewer.Sure, you could un-tar the archive and tell the viewerto open the JPG photo (reminding yourself to cleanup all the temporary files after you finish). But youcan save yourself time and trouble by making VFSworry about those details. Rather than extractingthe image to a temporary location, you can use aVFS URL like this:$ eog file:///tmp/pics.tar#tar:/freddie.jpgHeres how the pieces of the command fit together.First, the eog part is the name of the command thatyoure running (Eye Of Gnome). Next, you see a typi-cal URL (file:///tmp/pics.tar) that uses the file:protocol to open /tmp/pics.tar. Next comes themagical part: #tar:/freddie.jpg. That tells GNOMEto treat everything that precedes #tar: as a tararchive and to access the freddie.jpg memberwithin.What happens if the picture that you want to view isstored in a compressed tar archive? Simple, just putanother VFS component (gzip) on the stack, like this:$ eog file:///tmp/pics.tgz#gzip:#tar:/freddie.jpgIf the pics.tgz file lives on a remote Web server, youcan combine the http: protocol with gzip: and tar:like this:$ eog http://myserver.example.com/pics.tgz#gzip:#tar:/freddie.jpgMost of the VFS documentation that you findtells you that you can stack VFS URLs with thefollowing syntax: url#url/suburl. For exam-ple, if you have a tar archive named /tmp/foo.tar that contains a file named bar.txt,the GNOME VFS documentation tells youthat you can access the bar.txt file with theURL file://tmp/foo.tar#tar/bar.txt.You cant the documentation is wrong.Instead, you have to use file://tmp/foo.tar#tar:/bar.txt. Notice the extra :between tar and /bar.txt. Without thatcolon, the #tar/bar.txt component acts likea named anchor in an HTML document, notlike a VFS module.Working with Packages:rpm and rpmsThe rpm: VFS module lets you peek inside an RPMinstaller file. You can use the rpm: VFS to extractselect files from an RPM package without having toinstall the whole thing. rpm: also lets you extractmetadata (such as the name of the package ven-dor, the target distribution, and copyright) froma package.The rpm: module creates a virtual file system thatrepresents the contents of the RPM file. If you listthe directory of an rpm: URL, you see the name ofeach file that would be installed by that RPM. Youalso see a number of virtual files that expose theextra data stored inside the RPM. Heres an example:[freddie@bastille] cd /mnt/cdrom/Fedora/RPMS[freddie@bastille] gnomevfs-ls file:gnome-applets-2.4.1-1.i386.rpm#rpm:-r--r--r-- 1 root root 941 Oct 3 2003HEADER-r-xr-xr-x 1 root root 39 Oct 3 2003INSTALL-r-xr-xr-x 1 root root 39 Oct 3 2003UPGRADE05_571737c02.qxd 7/2/04 7:58 PM Page 15Technique 2: Getting GNOME Virtual File Systems to Do the Work for You16-rw-r--r-- 1 root root 8364 Oct 3 10:28/etc/gconf/schemas/cdplayer.schemas-rw-r--r-- 1 root root 21092 Oct 3 10:27/etc/gconf/schemas/charpick.schemas...The first 28 files listed are virtual files, and the restare real files that would be installed on your systemif you installed this particular package.You can extract a single file from an archive by usinggnomevfs-cat, for example:[freddie@bastille] gnomevfs-catfile:gnome-applets-2.4.1-1.i386.rpm#rpm:HEADERName : gnome-appletsRelocations: (not relocateable)Version : 2.4.1Vendor: Red Hat, Inc.Release : 1Build Date: Fri Oct 3 10:29:07 2003Install Date: (not installed)Build Host: daffy.perf.redhat.comGroup : User Interface/DesktopsSource RPM: gnome-applets-2.4.1-1.src.rpmSize : 11210002License: GPLSignature : DSA/SHA1, Tue Oct 2819:10:23 2003, Key ID b44269d04f2a6fd2Packager : Red Hat, Inc.URL : http://www.gnome.org/Summary : Small applications for theGnome panel.Description :Gnome (GNU Network Object ModelEnvironment) is a user-friendly set ofapplications and desktop tools to be usedin conjunction with a windowmanager for the X Window System. Thegnome-applets package providessmall utilities for the Gnome panel.Notice that you can access both virtual and real fileswithin the RPM.The rpms: module (note the s on the end) lets youtreat the database of installed software as a virtualfile system. In other words, when you view thedr-xr-xr-x 3 root root 0 Oct 3 2003INFO-r--r--r-- 1 root root 0 Oct 3 2003INFO/NAME-VERSION-RELEASE-r--r--r-- 1 root root 0 Oct 3 2003INFO/GROUP-r--r--r-- 1 root root 0 Oct 3 2003INFO/BUILDHOST-r--r--r-- 1 root root 0 Oct 3 2003INFO/SOURCERPM-r--r--r-- 1 root root 0 Oct 3 2003INFO/DISTRIBUTION-r--r--r-- 1 root root 0 Oct 3 2003INFO/VENDOR-r--r--r-- 1 root root 0 Oct 3 2003INFO/DESCRIPTION-r--r--r-- 1 root root 0 Oct 3 2003INFO/SUMMARYdr-xr-xr-x 1 root root 0 Oct 3 2003INFO/SCRIPTS-r--r--r-- 1 root root 0 Oct 3 2003INFO/SCRIPTS/POSTIN-r--r--r-- 1 root root 0 Oct 3 2003INFO/SCRIPTS/ALL-r--r--r-- 1 root root 0 Oct 3 2003INFO/PACKAGER-r--r--r-- 1 root root 0 Oct 3 2003INFO/URL-r--r--r-- 1 root root 0 Oct 3 2003INFO/SERIAL-r--r--r-- 1 root root 0 Oct 3 2003INFO/COPYRIGHT-r--r--r-- 1 root root 0 Oct 3 2003INFO/LICENSE-r--r--r-- 1 root root 0 Oct 3 2003INFO/BUILDTIME-r--r--r-- 1 root root 0 Oct 3 2003INFO/RPMVERSION-r--r--r-- 1 root root 0 Oct 3 2003INFO/OS-r--r--r-- 1 root root 0 Oct 3 2003INFO/SIZE-r--r--r-- 1 root root 0 Oct 3 2003INFO/REQUIRENAME-r--r--r-- 1 root root 0 Oct 3 2003INFO/OBSOLETES-r--r--r-- 1 root root 0 Oct 3 2003INFO/PROVIDES-r--r--r-- 1 root root 0 Oct 3 2003INFO/CHANGELOG-rw-r--r-- 1 root root 63419 Oct 3 10:28/etc/gconf/schemas/battstat.schemas05_571737c02.qxd 7/2/04 7:58 PM Page 16Skinning Your Desktop with VFS 17content of an rpms: URL, you see a list of the pack-ages (sorted by category) installed on your system.You can also use the deb: module to play withDebian Package Manager packages.Putting VFS to Work at theCommand LineThe GNOME VFS system includes a few VFS-friendlyprograms that you can use at the command line (orwithin shell scripts): gnomevfs-cat: This program is equivalent to thenormal Linux cat command: It writes the contentsof a file to standard output. Unlike the simple catcommand, gnomevfs-cat can deal with VFS URLs.gnomevfs-cat deals with all of the normal hassleof downloading, unpacking, and cleaning up tem-porary files when youre finished. For example:$ gnomevfs-cat http://myserver.example.com/index.html > index.html gnomevfs-copy: This handy file copy utility ispowerful. When you run this program, you canspecify a URL for the source, the destination, orboth. Just like gnomevfs-cat, gnomevfs-copyhandles the dirty work it downloads (oruploads!) files for you, inserts new content intoexisting archives, or extracts content from anarchive without all the prep-work and cleanup.For example, heres how to copy a file from aremote Web site to your local system:$ gnomevfs-copy http://myserver.example.com/foo.txt file:///tmp/foo.txt gnomevfs-info: This program displays tidbits ofinformation about a given URL. You can see themodification time, file size, and MIME type. (SeeTechnique 3 for more information about MIMEtypes.) gnomevfs-ls: This program lists the contentsof a directory accessed through a VFS URL.gnomevfs-ls is great when you want to browsethrough an archive (or an RPM package) storedat a Web site, but you dont want to downloadthe file first. For example, to list the contents ofan RPM file, use the following command:$ gnomevfs-ls http://myserver.example.com/foor.rpm#rpm: gnomevfs-mkdir: Use this program to create adirectory with a VFS URL. Youll probably findthis program most useful when you need to cre-ate a directory on a remote system (using thehttp:, smb:, or ftp: protocols).Burning CDs with a VFSOne of the handiest VFS modules is burn:///, whichlets you burn CDs and DVDs from within the Nautilusbrowser. If you have a CD or DVD burner, browse toburn:///, and Nautilus shows you an empty folder.From there, to burn a CD you just drag a file to thefolder, insert a blank CD into your drive, and clickWrite to CD (on the toolbar). Dont forget that youcan drag a remote file directly into the burn:///folder just open a second Nautilus window andbrowse to the server that holds the file you want. Skinning Your Desktop with VFSThe themes: VFS gives you quick access to the desk-top themes installed on your system. Browse tothemes:///, and Nautilus shows you all the themesinstalled on your system. If you find a theme thatyou like, just double-click the preview, and youvechanged your desktop theme.Another handy VFS is fonts:. The fonts: VFS exposesall the fonts installed on your system. Browse tofonts:/// to see thumbnail samples of all the fontsavailable on your system (along with the font names).If you see a font that you want to use as yourdesktop font, right-click the icon and chooseSet as Application Font from the drop-downmenu.05_571737c02.qxd 7/2/04 7:58 PM Page 17Save Time By Understanding howMIME classifies data andhow your files areaffected Tweaking file associa-tions in KDE Creating MIME typesquickly with GNOMEStreamlining YourWork with FileAssociationsClick a JPEG file, and KDE opens the image in KuickShow. Click anHTML desktop file, and GNOME opens that file in Mozilla. How doesLinux know which program to use? It consults a MIME not thosefolks on street corners wearing striped shirts and tons of makeup, but aregistry of data types that associates a file type with a specific application.The default associations are a fine place to start, but after you developyour own preferences about which applications you want to use for certainfile types, the defaults can begin to get in your way. Youll save time (andeffort) in the long run if you tweak these MIME types to establish quicklinks between your data files and your favorite applications. For example,if you edit a lot of graphics files but have several graphics editors, youmost likely have a favorite. Instead of opening and navigating throughyour favorite program every time you have to open a graphics file, giveyour favorite editor the highest priority. Double-click the data icons, andyouve opened not only your data, but also your favorite program!In this technique, we show you how to create new MIME data types andassociate your applications with the data types that you use frequently.The technique is a little different depending on which desktop environ-ment (KDE or GNOME) you use, but either way, its quick and easy. Classifying Data with MIMEBefore you start tweaking your file associations, its helpful to knowthe basics about how MIME works with your files. Originally, MIME(Multipurpose Internet Mail Extensions) was designed for e-mail clientsto categorize e-mail attachments. Nowadays, its used in many other pro-grams as well, such as Web browsers, graphics utilities, and productivitytools. The MIME registry performs two distinct functions, but the linebetween those functions is pretty blurry: MIME looks at a chunk of data (usually a data file) and categorizes itbased on the file extension or based on patterns in the data. The MIME registry connects applications and data by associating anapplication with each data type.3Technique06_571737c03.qxd 7/2/04 7:58 PM Page 18Creating KDE File Associations 19Thus, opening a file with MIME is a two-step process:MIME categorizes the data, and then it finds an appli-cation that knows how to deal with that kind of data.Typically, a program that knows how to process agiven file type automatically creates MIME associa-tions for that type, but thats not always the case: If you open a file that doesnt have a MIME asso-ciation, Linux prompts you to select a programto use. You have to do the grunt work of settingthe association yourself. You may find that you have more than one appli-cation that knows how to process a given filetype. For example, text/html is often associatedwith both Konqueror and Mozilla. If a MIME typeis associated with more than one application,Linux chooses the application with the highestpriority when you open that file type. You cantell Linux which application to use by giving theprogram you prefer the highest priority in theMIME registry.Web pages make great desktop links. Afteryou associate HTML files with your favoritebrowser, add the links you use most fre-quently to your desktop. Double-click a link,and it opens in your favorite browser.When you begin customizing your file associations,youll find that MIME data types are arranged in atree-structured hierarchy. At the bottom of the tree,you find the data type definitions themselves. Upperlevels in the tree group similar data types. For exam-ple, text/html describes the html data type withinthe text group. MIME can determine a files datatype in two ways: By extension: When you open a file such asbackup.tar, MIME searches for the extension(.tar) in its database of known file types. If itfinds a match, MIME classifies the file by exten-sion (in this case application/x-tar). By content: Several extensions can map to thesame MIME data type; for example, .htm and.html are both classified as text/html. If youopen a file whose extension is not recognized,MIME peeks inside the file and tries to recognizea pattern. For example, all JPEG picture filesinclude the string JFIF near the beginning of thefile; PNG pictures include the string PNG nearthe beginning of the file; and Real Player audiostreams begin with four bytes whose values are0x2e7261fd.Creating KDE File AssociationsMost applications that create data of a given typeautomatically associate with that type, but occasion-ally you need to adjust those associations. For exam-ple, say that you frequently work with buttons onWeb sites, so you always design new buttons asJPEG files in Icon Editor. You can save yourself thetime of poking around in the interface by simplychanging your default JPEG editor from KuickShowto Icon Editor.You can use file associations to open a newtext file in your favorite editor in a snap withthe KDE desktop. Just right-click on the desk-top, choose Create New, and then choose TextFile from the list of data type options. Enter aname for the new file and click OK, and KDEadds the icon to the desktop. Now, a simpledouble-click opens the new file in the editoryou set with file associations.With MIME, you can associate any number of appli-cations with a single MIME type, and KDE uses theapplication with the highest priority to open data ofthat type. Its easy to change the default programthat opens your data in KDE:1. In Fedora or SuSE, open the KDE menu andclick Control Center.If youre using Mandrake, open the KDE Menuand choose SystemConfigurationConfigureYour Desktop.2. On the left side of the Control Center, click KDEComponents and then click File Associations.06_571737c03.qxd 7/2/04 7:58 PM Page 19Technique 3: Streamlining Your Work with File Associations20With the same dialog that you just used to changethe application preference order, you can also do thefollowing: To associate a new file extension with theselected MIME type, click the Add button in theFilename Patterns box. If you need to add a dif-ferent spelling of a filename extension (whichyou probably wont have to do often), this is theplace to do it. Choose the icon to the left of the FilenamePatterns box to change the icon for this type.Control Center displays a palette of alternateicons that you can choose from just click theone you like.Changing the icon to something you canremember lets you instantly recognize filetypes in your browser or on your desktop. Well-behaved KDE applications (such as Kate,the KDE programmers editor) know how todeal with MIME file associations. If you open afile whose data type isnt included in KatesMIME associations, KDE opens the programyouve assigned to that file type in your MIMEregistry.Creating New MIME Typeswith GNOMEThe GNOME MIME mapping system is a bit more com-plex than KDEs. GNOME lets you define an icon foreach MIME type, a default action (such as print, view,or edit), and a list of applications that know how todeal with that type. MIME defines a two-level hierar-chy for data type; for example text/html describesthe html type in the text group. GNOME introduces anew layer that collects related groups in categories.This practice is handy in theory, but it makes it a littleharder to find the MIME type youre looking for. This next example sets your JPEG editor to xview an oldy but a goody that needs special treatment.The File Associations Control Center dialog(shown in Figure 3-1) appears, displaying the pre-defined MIME types in the Known Types area. Figure 3-1: The File Associations - Control Center dialog.3. In the Known Types area, expand the relevantgroup to show a list of known image types.For our example, we click the Image group.4. Click the file type whose association you wantto set or change.We click jpeg. The right side of the dialog dis-plays the current file associations.5. In the Application Preference Order box, if youdont see the application that you want to asso-ciate with the file type, click the Add buttonand use the file chooser to find the programthat you want.6. In the Application Preference Order box, selectthe application you want to make the first pri-ority, and then click the Move Up button untilthe application appears at the top of the list.In our example, we select Icon Editor and thenclick the Move Up button to move Icon Editor tothe top of the list. 7. When youre finished, click Apply to save yourwork and close the dialog.Now, when you open the file type (such as a .jpg,or .JPG file), KDE opens the file with the applica-tion you selected (Icon Editor, for example). 06_571737c03.qxd 7/2/04 7:58 PM Page 20Creating New MIME Types with GNOME 21xview isnt included in the Default Action list, so youneed to add it as a custom program. To associate anew application with an existing MIME type:1. Open the GNOME menu and choosePreferences.2. Click File Types and Programs.The File Types and Programs dialog, shown inFigure 3-2, appears. Figure 3-2: The File Types and Programs dialog inGNOME.If youre using SuSE, open the GNOME menuand choose Desktop PreferencesAdvancedFile Types and Programs.3. Click the arrow next to the category you wantto change, and youll see the list of MIME typesin that category.In our case, we chose Images.If you ever need to add a new MIME type(one that doesnt already appear in the list ofknown types), open the File Types andPrograms dialog, click the Add File Type but-ton, and follow the on-screen prompts.4. Click the MIME type you want to change andthen click the Edit button. Because we want to assocate xview with JPEGphotos, we clicked JPEG Image.The Edit File Type dialog opens, as shown in Figure 3-3. Figure 3-3: The Edit File Type dialog in GNOME.5. Select Custom from the Default Action drop-down list.6. Click the Browse button (to the right of theProgram to Run box), and find the applicationthat you want to associate with this type.The xview program is located in /usr/bin/X11,so we pointed the file chooser to that directory,highlighted xview, and clicked OK.xview is now your default JPEG editor, and it hasbeen added to the Default Action list. Now if youever switch to a different default editor again,you can easily go back to xview because its onthe list.7. If you want to associate an icon with the newlydefined file type, click the No Icon button andselect an icon from the icon palette. Click OKwhen youre finished.After you choose the icon, your new icon is dis-played at the top of the Edit File Type dialog.By changing the icon to something morememorable, you can quickly recognize filetypes in your browser or on your desktop.8. Click OK and then click Close to save yourwork.06_571737c03.qxd 7/2/04 7:58 PM Page 21Technique 3: Streamlining Your Work with File Associations22image as an attachment, Evolution allows you to viewthe image without firing up an external application the image displays in-line.When youre modifying MIME types, the ViewerComponent drop-down list is disabled unlessGNOME has a component that can handle your file.In some cases, GNOME can display your file typewith a number of different components; choose theone you prefer from the Viewer Component drop-down list.You may have noticed that the Edit File Type dialoghas a drop-down list labeled Viewer Component. MostGNOME-savvy applications can display certain filetypes in-line. This means that if you open a file thathas a built-in viewer component, the file is displayedwithin your application you dont have to stopwhat youre doing and open a new application justto see your data.For example, if youre using the Evolution e-mail client(a GNOME-savvy application) and you receive a JPEG06_571737c03.qxd 7/2/04 7:58 PM Page 224 Prompting Yourselfwith a CustomPromptYour prompt is your connection to the Linux world when youreworking in the shell. If you havent already modified it, yourprompt displays your machine name and current directory. Butwhy settle for less information than you could really use?Customize your prompt to keep information that you need in plain sightwhen youre working at the command line. You can add information suchas the time, date, number of users, and more. In addition to displayingsystem information, your prompt can change colors. If you use multipleterminal windows connected to multiple machines, use a different-coloredprompt on each machine to give you a quick clue about your location, allwithout taking up screen space.The prompt also reflects your status as a superuser (or as a mere mor-tal). Keep an eye on your privilege level to prevent damage from the acci-dental use of privileges. Weve included code in this technique to makethe prompt change color when you hold elevated (and thus potentiallydangerous) privileges.In this technique, we show you how to manipulate your prompt to dis-play the information that lets you get the job done quickly. Information ispower, and power definitely saves time.Long prompts can take up a lot of screen real estate and also consumea lot of space on the printed page. In this technique, we show youcomplete prompts that enable you to see useful info quickly and eas-ily. However, you dont want to work with these prompts all the time.In other techniques, we shorten the prompt to $ or # to save space. Making Basic Prompt TransformationsIn the bash shell, the prompt is controlled by a set of environment vari-ables, the most important of which is $PS1. Change $PS1, and you changeyour prompt. The $PS1 variable is displayed when bash is waiting for acommand from you. The $PS2 variable is also worth mentioning itsdisplayed when bash needs more input to complete a current task. TechniqueSave Time By Keeping useful informa-tion handy Colorizing your prompt toconvey useful information Saving your prompt pref-erences Warning yourself whenyou hold potentiallydangerous privileges07 571737c04.qxd 7/2/04 7:59 PM Page 23Technique 4: Prompting Yourself with a Custom Prompt24You can mix dynamic macros and static text in thesame prompt. To enclose the date and time in brack-ets, just include the brackets in $PS1:[freddie@bastille] PS1=[\d \t] [Thu Dec 18 03:37:50 ] Its usually a good idea to end each promptwith static text (a character like ], -, or >) anda space to make the prompt easier to read.If you press Enter a few times with this prompt, yousee that the macros in $PS1 are evaluated each timethe prompt is displayed:[freddie@bastille] PS1=[\d \t] [Thu Dec 18 03:37:51 ] [Thu Dec 18 03:37:51 ] [Thu Dec 18 03:37:58 ] [Thu Dec 18 03:38:01 ] You can include as many macros as you want, in anyorder that you want, in $PS1. For example, to displaythe current date and time, your user name, yourhost name, and the current working directory (inthat order), try this:[freddie@bastille] PS1=[\d \t \u@\h:\w] [Thu Dec 18 03:40:20freddie@bastille:/home/freddie] Spacing is important. Be sure to leave some whitespace between macros to make the info easier toread. Table 4-1 lists some of the most useful macrosthat you can include in a bash prompt.If $PS1 contains a simple text string (such as Hi,Im the prompt), that string is displayed whenevera command completes and the shell is waiting forthe next command. Modifying the prompt is easy:Just enter strings that you want to test and hit Enter,and the results are displayed instantly. Saving yourchanges takes a bit of maneuvering, but we coverthat in the next section. Heres a quick example ofhow to change the prompt:[freddie@bastille] PS1=Hi, Im the prompt Hi, Im the prompt Notice how the prompt changed from[freddie@bastille] to Hi, Im the prompt. Adding Dynamically UpdatedData to Your PromptStatic prompts, such as the example in the precedingsection, are kind of boring, so bash lets you includespecial character sequences (well call them macros)that represent changing data. Each macro starts witha backslash and is followed by a single characterthat tells bash which chunk of data you want to dis-play. For example, if you want to display the currentdate and time whenever the prompt is displayed,use the \d (date) and \t (time) macros like this:[freddie@bastille] PS1=\d \t Thu Dec 18 03:37:48 TABLE 4-1: HANDY MACROS FOR YOUR PROMPTMacro What It Does/Displays Timesaving Bonus Info\a Speaker beep To keep users on their toes, code the $PS2 variable to beep whenthe user needs to input additional information. Just enter$PS2=\a >, and the computer beeps when it needs attention!\d Weekday (SunSat), month name, and date Handy when youre pulling all-nighters and you need to know (Thu Dec 18, for example) when Saturday morning rolls around.07 571737c04.qxd 7/2/04 7:59 PM Page 24Adding Dynamically Updated Data to Your Prompt 25Macro What It Does/Displays Timesaving Bonus Info\D{} Date and/or time in a format of your choosing The \D macro must be followed by a format string enclosed inbraces. bash interprets the format string by using the same rulesas the strftime library function (see man strftime for moredetails). If the format string is empty, the braces are still required,but bash chooses a display format appropriate to your locale.\e Escape character; used for complex strings Escape characters introduce complex, unfriendly terminalcommand sequences. We show you a better way later in thistechnique.\h Host name up to the first . (dot) If you work on a number of different hosts from the same work-station, \h can help you remember which one youre currentlyconnected to.\H Entire host name Similar to \h, but takes up too much screen real estate for ourtaste.\n Newline Use a new line to create a multiline prompt.\s Shell name such as bash or csh Weve never found a particularly good use for this one becausewe always stick to bash.\t Current time in 24-hour (HH:MM:SS) format\T Current time in 12-hour (HH:MM:SS) format\@ Current time in 12-hour (am/pm) format Is it 5:00 yet?\A Current time in 24-hour (HH:MM) format\u Current user name Include \u if you need to do work on someone elses behalf (inother words, if youre an administrator). That way you wont for-get who you are and send flaming e-mail using someone elsesname!\W Trailing component of your current This is probably the most useful macro you could include in a working directory custom prompt sort of a You Are Here sign.\w Entire current working directory Similar to \W, but takes up a lot of room on your command line.\\ Backslash character\! History number Every command that you execute is stored in a history log, andyou can refer to a specific command in the log by its history num-ber. Include the \! macro in your prompt, and youll see the his-tory number assigned to each command. (We talk more abouthistory processing in Technique 9.)\$ If the effective UID is 0, a #; otherwise a $ The \$ macro displays a pound sign (#) if you hold superuserprivileges or a dollar sign ($) if you dont. You can use the \$macro to help you remember when you have enough privileges toseriously damage your system, but we show you a better way inthe section Seeing a Red Alert When You Have SuperuserPrivileges, later in this technique.07 571737c04.qxd 7/2/04 7:59 PM Page 25Technique 4: Prompting Yourself with a Custom Prompt26knows the right escape sequences, so youdont have to spend time looking them up.The blue prompt in the preceding example looks likethis when you use tput:[freddie@bastille] BLUE=$(tput setaf 4)[freddie@bastille] BLACK=$(tput setaf 0)[freddie@bastille] PS1=\[$BLUE\]\u@\h]\[$BLACK\] [freddie@bastille] The first line uses tput to find the character sequencethat changes the foreground color to blue. The sec-ond line finds the character sequence that changesthe foreground color to black. Notice that you dontneed to know the magic escape sequences; tputkeeps a database of terminal descriptions and con-sults that database to find the sequence that corre-sponds to the terminal (or terminal emulator) youreusing. The third line patches the $BLUE and $BLACKsequences into the $PS1 prompt string. The $PS1 string, however, is still more complicatedthan it needs to be its got a few extra \[ and \]sequences. Those extra characters are required sothat bash knows which prompt characters take upscreen real estate and which ones dont (the invisiblecharacters must appear between a \[ and \] pair). When you use tput, you can clean up extracharacters a bit more by including those extracharacters in the $BLUE and $BLACK variables:[freddie@bastille] BLUE=\[$(tput setaf4)\][freddie@bastille] BLACK=\[$(tput setaf0)\][freddie@bastille] PS1=$BLUE\u@\h]$BLACK [freddie@bastille] tput can do much more than just change the foregroundcolor of the prompt. Table 4-2 shows a few of the more use-ful tput sequences. (For a complete list, see man tput andman terminfo.)Colorizing Your PromptChanging the color of your prompt may not save youtons of time, but it can make the prompt more read-able and convey extra information without taking upscreen real estate. What kind of information can you encode withcolorized prompts? Just about anything. Turnyour prompt green when youre logged intoone host and blue when youre logged intoanother. Display your prompt in green whenthe system load is low, yellow as it increases,and red when youre running into resourcebottlenecks. Or, just change the color of yourprompt to a fixed color so that it stands out onthe screen.You can colorize your prompt two ways. The mostcommon (but not the most timesaving) way is toinclude special escape characters (characters thatyour terminal window understands, but humansdont) in your prompt. For example, the followingstring turns your prompt blue:[freddie@bastille] PS1=\[\033[0;34m\][\u@\h]\[\033[0m\] [freddie@bastille] Of course, because this is a black-and-white book, youcant see the color here, but if you try this example,youll see that the prompt turns blue. This methodworks, but it has two drawbacks. First, the syntax ishard to read (and hard to get right in the first place).Second, this method works only if your terminalemulator supports ANSI escape sequences manyterminal emulators (and many terminals) dont.Fortunately, you can fix both problems at once byusing tput. When changing the color of your prompt, usingtput makes your prompts portable. That is, ifyou move to another terminal emulator, youdont have to change prompts. tput also07 571737c04.qxd 7/2/04 7:59 PM Page 26Seeing a Red Alert When You Have Superuser Privileges 27TABLE 4-2: SOME USEFUL TPUT SEQUENCESSequence What You Use It Fortput sgr0 Reset all formatting.tput bold Display text in bold font.tput rev Display inverse-colored text (white on blackinstead of black on white, for example).tput smul Start underlining text.tput rmul Stop underlining text.tput setaf Set foreground color.tput setab Set background color.These are your choices for foreground and back-ground colors:0 Black1 Red2 Green3 Yellow4 Blue5 Magenta6 Cyan7 WhiteJust find the color you want to use and stick it at theend of the tput setaf or tput setab command.You can combine the different text effects to producecolored and underlined prompts, boldface inversefonts, and any combination of your terminal supports.For example, you can display an underlined blueprompt:[freddie@bastille] BLUE=\[$(tput setaf4)\][freddie@bastille] ULINE=\[$(tput smul)\][freddie@bastille] RESET=\[$(tput sgr0)\][freddie@bastille] PS1=$BLUE$ULINE[\u@\h]$RESET [freddie@bastille] Notice that we used tput sgr0 to restore the textback to its normal state (default color, no underline,no bold). Thats usually a good idea when you usetput to customize your prompt. Otherwise, what-ever you type in after the colorized prompt will becolorized as well.Seeing a Red Alert When YouHave Superuser PrivilegesWe mention earlier in this technique that we canshow you a better way to remind yourself that youhold dangerous superuser privileges. The typicalway to distinguish between superuser status andmere-mortal status is to change one character inyour prompt (usually the last character) from $ to #.But thats a pretty small change and can easily gounnoticed. Superuser privileges are dangerous: onemistake, and youre looking at hours of cleanup. Heres a way to make your privilege level jump outat you: When you hold superuser privileges, yourprompt is displayed in red, and when you dont,your prompt is displayed in blue. The followingsteps explain how to make this change:1. Open a terminal window and give yourselfsuperuser privileges with the su command.$ suPassword:# su2. Open the /etc/bashrc file in your favoriteeditor.# kedit /etc/bashrcIf you prefer GNOME, you can use gedit instead:# gedit /etc/bashrcIf youre using SuSE, modify the/etc/bash.bashrc.local file. If the filedoesnt already exist, it is automaticallycreated when you save your changes.07 571737c04.qxd 7/2/04 7:59 PM Page 27Technique 4: Prompting Yourself with a Custom Prompt28Saving Your WorkWhen you find a prompt that youd like to keep, youwant to store the $PS1 variable somewhere so thatyour prompt returns the next time you log in. Thesafest place to set $PS1 is in your ~/.bashrc loginscript. (This script is executed every time you starta new shell.) To save your fancy new prompt:1. Start your favorite editor (kate, kedit, or theGNOME Text Editor will do).2. Open the file /home/user-name/.bashrc.Make sure you type in your Linux user nameinstead of user-name and make sure you includethe period before the word bashrc. Your .bashrcfile will probably look something like this:# .bashrc# User specific aliases and functions# Source global definitionsif [ -f /etc/bashrc ]; then. /etc/bashrcfi3. Add the following code to the end of the file:# Customize the promptBLUE=\[$(tput setaf 4)\]ULINE=\[$(tput smul)\]RESET=\[$(tput sgr0)\]PS1=$BLUE$ULINE[\u@\h]$RESET 4. Now save your changes and close the editor.If you want to change the default prompt for newlycreated user accounts, give yourself superuser privi-leges and modify the /etc/skel/.bashrc file./etc/skel/.bashrc is copied to a users home direc-tory when his or her user account is created.3. Add the following code to the end the file:function setprompt{local BLUE=\[$(tput setaf 4)\]local RED=\[$(tput setaf 1)\]local RESET=\[$(tput sgr0)\]# If id u` returns 0, you have# superuser privilegesif [ `id -u` = 0 ]thenPS1=$RED[\u@\h:\W]$RESET elsePS1=$BLUE[\u@\h:\W]$RESET fi}setprompt4. Save your work and close the editor; yourefinished!We want to note a couple of interesting points aboutthis sample code: First, you must add this function to the /etc/bashrc file, not your own personal ~/.bashrcfile. Why? Because you want to modify theprompt not only for yourself, but also for thesuperuser. (Remember, /etc/bashrc is executedfor all users, and ~/.bashrc is executed onlywhen you log in.) Second, notice that we created a shell functionand put most of the code inside that function. Bydeclaring the $BLUE, $RED, and $RESET variablesas local, theyre destroyed as soon as the func-tion (setprompt) ends. If you dont wrap the vari-ables inside a function, youll find them in yourlist of environment variables and probably won-der where they came from. We give some morewords of shell-scripting wisdom in Techniques 8and 10.07 571737c04.qxd 7/2/04 7:59 PM Page 28Saving Your Work 29Your ~/.bashrc script is executed whenever you login. If another user logs in, the .bashrc script in thatusers home directory is executed. If you want to cus-tomize the prompt for all users (not just for newusers), store your changes in /etc/bashrc. Technique 8 spells out the rules for deciding whichlogin script you want to modify see that tech-nique for all the details.If youre intrigued by the idea of customizing yourbash prompt and want more information, browsearound the bashprompt project Web site at www.gilesorr.com/bashprompt/howto/book1.htmlThis site offers some great examples and back-ground information.07 571737c04.qxd 7/2/04 7:59 PM Page 29Save Time By Using shortcuts to com-plete filenames Using environment vari-ables to filter results Customizing name com-pletion for remote loginsGetting There Quickwith DynamicShortcutsGraphical applications look nice, but its hard to beat the commandline for pure speed and raw power. Using bash is an obvious choicewhen you need to do something fast, but unless youre the perfecttypist, keyboard errors can slow you down especially if you type fasterbackwards (that is, with the Delete key) or if youre working in a case-sensitive environment like Linux.With a few shortcut keystrokes, bash will complete your command linefor you we call that feature a dynamic shortcut. Not having to retypeincorrectly entered commands or filenames can save you hours in notime. With dynamic shortcuts, you make fewer keystrokes . . . and fewerkeystrokes mean fewer wrong keystrokes. In this technique, we show youhow to use shortcuts at the command line to save time and keystrokesand to avoid typing errors.Completing Names Automaticallybash knows how to complete filenames, command names, user names,and host names on your behalf. Try the following steps:1. Open a terminal window. You can find one in the GNOME or KDEMenu under System Tools (or System, if your version of GNOME orKDE doesnt have a System Tools menu choice).2. Type the first few letters of the command, variable, or whateveryoure looking for and press the Tab key twice.For example, if you type host, a list of commands that start with theletters host appears. See Table 5-1 for more details on autocompletingvariables, user names, and so on.3. If you need to narrow down your options further, type the next fewletters of the command and press the Tab key again.To tell bash how to complete the hostname command, youd type n. Ifyou have more than one command that begins with the letters hostn,bash shows you a list of those commands. Just type enough letters to5Technique08_571737c05.qxd 7/2/04 8:06 PM Page 30Using the Escape Key to Your Advantage 31make the choice unambiguous, and bash willcomplete the command name.4. After bash completes the command name,press Enter, and the command is executed.If, at any time, you press the Tab key and nothing hap-pens (or you just hear a beep), bash either found nocompletions or a bunch of completions. (In this con-text, bunch is a technical term that means some num-ber greater than one.) If you press Tab a second time,you see a list of all possible completions (if any exist).Using the Escape Key toYour AdvantageThe Tab key completes environment variables, usernames, host names, command names, and filenames.You can fine-tune bash completions with the Esc key.Use the Esc key in combination with other keys tolimit the type of completion that bash attempts, orto view or insert several completions at once. Table5-2 has all the details.The Esc-key options are very powerful, butweve never bothered to memorize them all.Your number-one timesaving friend is the Tabkey. We use it all day long.bash can complete any filename pattern, not just aprefix. If you have a few tarballs (that is, files whosenames end in .tgz) in your current directory, add allof them to the command line like this:[freddie@bastille] ls -l *.tgz When you press Esc-*, bash replaces the *.tgz partwith the names of all files matching that pattern.Environment variables that affect filename completionSet the following environment variables to screen out filesyou dont want to include in the completion list: FIGNORE: This is a colon-separated list of file suffixesto ignore during filename completion. For example,compilers often produce filenames that end in .o. Ifyou want the filename completion mechanism toignore those files, set FIGNORE to .o, like this:$ export FIGNORE=.o HOSTFILE: Use this environment variable to tell thecompletion mechanism which hosts to consider whencompleting a host name. If you dont set HOSTFILE,bash searches the /etc/hosts file. You can useHOSTFILE to limit host name completion to onlythose hosts that you use frequently. If youve createda file named ~/myhosts that contains the names ofthe hosts that you frequent, set HOSTFILE like this:$ export HOSTFILE=~/myhostsIf you want your environment variables in place every timeyou log in, see Technique 8, in which we show you how tomodify your login and logout scripts.TABLE 5-1: GETTING THE ITEM YOU WANT WITH AUTOCOMPLETEIf the Partial Text Begins With . . . bash Looks For . . . Example$ A matching environment If you type cd $HO and then press Tab, bash variable translates that to cd $HOME. ~ (tilde) A matching user name Typing cd ~fre and pressing Tab translates tocd ~freddie/. @ A matching host name mail freddie@bas followed by a tab translates to freddie@bastille. No special symbol A command name completion Type more /etc/pass and then press Tab, and bash and, finally, a filename completes your command as more /etc/passwd.08_571737c05.qxd 7/2/04 8:06 PM Page 31Technique 5: Getting There Quick with Dynamic Shortcuts32The -A hostname part tells bash that you want tocomplete host names (from the /etc/hosts file orfrom $HOSTFILE if defined). The ssh part tells bashwhich command you want to customize. You cancustomize several (probably related) commands atthe same time, for example:[freddie@bastille] complete A hostname sshsftp rsh pingThis command tells bash to complete host namesfor ssh, sftp, rsh, and ping. Of course, you can tellbash to use other completion types, too:[freddie@bastille] complete A usernameusermod passwdCustomizing Completion forMaximum SpeedSuppose that you take care of a network of comput-ers and you find yourself logging into remote hostsby using ssh. To ssh to host bastille, you mighttype in ssh b and then press Tab thinking that bashwill fill in the rest of the host name (bastille) foryou. bash doesnt know that ssh is always followedby a host name, so instead of doing what you want,bash goes through its normal search routine tryingto find a matching filename. To tell bash to completehostnames for ssh, use the following command:[freddie@bastille] complete A hostname sshTABLE 5-2: USING ESCAPE FOR COMPLETIONSWhat to Press What It Does Timesaving Bonus InfoEsc-? Displays all possible completions command Esc-? works very much like the Tab key except that it names, filenames, and user names and presents doesnt actually complete a word; it just shows you them in table form for you to read through and the possible completions. If you want to see a (very complete the command. long) list of all the commands in your search path,press Esc-? in a blank command line.Esc-* Inserts all possible completions into your command. This is helpful if you have few possible completions. Esc-/ Completes the filename to the left of the cursor. Esc-/ attempts filename completion only. Thatshandy when you know you want a filename youwont get a host name or user name by accident. Esc-~ Completes the user name to the left of the cursor. Complete user names only dont try the other com-pletion types.Esc-$ Completes the variable name to the left of the cursor. Complete variable names only dont try the othercompletion types.Esc-@ Completes the host name to the left of Complete host names only dont try the other the cursor. completion types. This option is useful when youneed to type a host name, but you dont have a @in the command, for example, ssh bastille.Esc-! Completes the command name to the left of Complete command names only dont try the the cursor. other completion types.08_571737c05.qxd 7/2/04 8:06 PM Page 32Customizing Completion for Maximum Speed 33This command tells bash to complete user namesafter the usermod and passwd commands. The mostuseful completion actions are listed in Table 5-3.TABLE 5-3: USEFUL COMPLETION ACTIONSUse This Action To Do This-A command Complete command names (useful for thewhich command).-A directory Complete directory names (perfect forcd).-A file Complete filenames.-A hostname Complete host names.-A user Complete user names.bash supports many completion actions inaddition to the ones listed in Table 5-3. Seeman bash for more options. You can also customize completion for a command bycreating filters. If you use OpenOffice.org frequently,you may want to customize completion for OOWriterand OOCalc:[freddie@bastille] complete G *.sxwoowriter[freddie@bastille] complete G *.sxcoocalcNow when you type oowriter and press Tab, bashonly completes filenames that end in .sxw (theOOWriter file format). The second command tellsbash to complete OOCalc spreadsheets when yourun oocalc.Dont forget to save your customizations toone of the bash startup files. See Technique 8if youre not sure which file to use.08_571737c05.qxd 7/2/04 8:06 PM Page 33Save Time By Using bash (rather than agraphical interface) forfile management Getting around your diskquickly Defining search paths totake you places fast Remembering whereyouve been with pushdand popdUsing cd Shortcutsfor Rapid TransitYou can use Linux for ages without venturing near the terminal win-dow. With all the graphical programs available, you can do virtuallyanything without ever having to go near the command line. Thedownside of heavy dependence on a graphical interface is that you losespeed few graphical programs provide good looks and high power inthe same package.Getting around quickly is a matter of knowing the fastest route, whetheryoure using the command line or a browser. bash (the program in chargeof the command line) knows this, and helps out with a bunch of handyways to jump to the locations you need when you use the command line.Backtracking at the command line can be a timesaver, too. In this technique,we show you how to use pushd and popd to make a retraceable path.Youll be moving back and forth through your directories in no time.We also introduce you to a handy environment variable CDPATH thatyou can use to make directory changes quickly without searching for thecorrect pathnames. The CDPATH variable makes the command line friend-lier and faster.Cant find your way out of a paper bag? After reading this technique,youll know not only where you are, but also where youve been and thequickest way to get where youre going!Using cd and ls to Navigate through bashThe cd command is the mode of travel through the terminal window.With cd, you can go anywhere fast: To return to your home directory, type cd and press Enter. To go to a specific directory, type cd, a space, and the directory name;then press Enter.6Technique09_571737c06.qxd 7/2/04 8:45 PM Page 34Setting Your CDPATH Variables to Find Directories Fast 35 To go to a specific directory (with less typing),type cd, a space, and the first few characters ofthe directory name, and then press Tab to auto-matically complete the rest of the directory name.(See Technique 5 for more details.) To go to a subdirectory, type cd, a space, and thesubdirectory name; then press Enter. To go to the parent directory of the directoryyoure in, type cd .. and press Enter. To return to the directory you were just in, typecd - and press Enter.Use the up-arrow key () to recall complexdirectory changes from your history file. Justpress the up- and down-arrow keys to scrollthrough the list of commands until you findthe one you need.To find out where you are, use the pwd command.Enter pwd at the command line and press Enter, andbash displays your current directory.To find the contents of your directory at the com-mand line, use the ls command. These are the basicoptions: ls -l gives you expanded information about theitems in your directory. ls -a shows all files even the hidden ones. ls -t sorts by date changed. (This is handy ifyou forget what youve worked on but knowwhen you worked on it. For example, youre try-ing to remember what you did on Monday.) ls -R shows the entire tree listings for directo-ries within your current directory.You can also combine the ls flags. For example, ls -la gives you an expanded listing of all the filesin your directory.With those two basic commands (cd and ls), youcan navigate through your file system. Now read onto find out how to pick up some speed.Setting Your CDPATH Variablesto Find Directories FastThe CDPATH variable contains a list of directorynames that bash searches through when you cd to adirectory without providing a complete path. The directories in your CDPATH should be thedirectories that contain your most commonlyvisited subdirectories. The big timesaver comesafter youve set your CDPATH: Instead of typinga complex directory name with layers of sub-directories, you simply cd to the endpoint.CDPATH should contain a series of directory names,each separated by a colon. Save your CDPATH variableto your startup file ~/.bashrc so you dont haveto type it every time you log in. The following stepsexplain how to set up CDPATH in GNOME and KDE. Files whose names start with a . dont showup on normal directory listings. Theyre there;you just cant see them when you do an ls.To set your CDPATH variable, follow these steps:1. At the command line:If youre using GNOME, enter gedit ~/.bashrcand press Enter.If youre using KDE, enter kate ~/.bashrc andpress Enter.gedit or kate opens, displaying the contents ofyour .bashrc file. If you dont have a .bashrcfile, the editor creates one for you.2. Type the following command:export CDPATH=/home/freddie/work:/etc/sysconfigSubstitute your most commonly used pathnamesinto the preceding string. You can have as manydirectories as you need just remember to sepa-rate each of them with a colon (:).09_571737c06.qxd 7/2/04 8:45 PM Page 35Technique 6: Using cd Shortcuts for Rapid Transit36find your way back $HOME again (sorry, we usually tryto avoid nerdy puns). You can backtrack quicklywithout having to remember where youve been.pushd works exactly like cd except that it recordsyour current directory on a stack of directorynames. popd removes the most recent entry in thelist and cds to that directory for you. pushd puts adirectory on top of the stack, and popd takes a direc-tory back off again in either case, youre alwaysworking at the top of the stack.Heres how to use the two commands to retrace yoursteps:1. Use pushd to move to a directory (just as youwould a cd command):$ pushd /usr/local/src2. Then pushd to another directory:$ pushd /tmpAfter each pushd, your current location is addedto the front of a directory list displayed aboveyour prompt. We discuss how this list is useful inthe next section.3. Enter popd and press Enter.You return to /usr/local/src. pushd remembers multiple moves, so you canpopd back as far as you need to.Manipulating YourStack with dirsEach time you pushd or popd, as explained in the pre-ceding section, bash automatically executes the dirscommand to display the directory stack above yourprompt. Consider it bonus information from bash you may not ask for it, but its there, and useful.You can use the dirs command by itself to makequick changes to the stack. The basic dirs command3. Click Save and then close the editor. The next time you log in, bash will searchthrough all the directories included in CDPATHwhenever you use the cd command.Youve just set the search path for your useraccount. If you want to define cd paths for otherusers, see Technique 8.If your .bashrc file already has stuff in it, makeroom at the top of the file and add CDPATH.This way, if .bashrc includes other programs,its sure to execute the CDPATH commandbefore moving on to the other programs.When youre finished, your .bashrc file will looksomething like this:# .bashrcexportCDPATH=/home/freddir/work:/etc/sysconfig # Source global definitionsif [ -f /etc/bashrc ]; then. /etc/bashrcfiBe careful with CDPATH if you run a lot of shellscripts (such as configure). Most shell scriptsassume that CDPATH is not defined and getterribly confused if it is.Its important to remember that CDPATH is a searchpath. That means that cd starts searching in the firstdirectory you list in CDPATH, and it stops searching assoon as it finds the first candidate. If two (or more)of the directories in CDPATH have identically namedsubdirectories, cd will ignore all but the first (unlessyou cd to a fully-qualified directory name).Remembering Where YouveBeen with pushd and popdThe pushd and popd commands work together toleave a virtual trail of breadcrumbs so that you can09_571737c06.qxd 7/2/04 8:45 PM Page 36Manipulating Your Stack with dirs 37tells you what is on your stack. Use the dirs optionsto manipulate the directory stack to your liking: dirs -c clears the stack. This is handy if yourstack is getting too long, or if you want to eraseevidence of where youve been. dirs -l takes the abbreviations out of yourstack. By default, bash abbreviates your homedirectory to ~. dirs -p shows you the directories youve visitedin a line-by-line format. This is a quick way toclearly see where youve been.09_571737c06.qxd 7/2/04 8:45 PM Page 37Save Time By Using your process ID tocreate unique filenames Using command output tobuild complex commands Scripting tasks to checkfor privileges Creating search paths forcommands and usingshortcuts Creating custom variables Typing Less andDoing More withHandy AutomagicVariablesWorking at the prompt can be a huge timesaver no graphicsprograms to load, no images to refresh, no mouse to chase.What could be better? Well, less typing for starters. It wouldalso be nice if you didnt have to remember things like process IDs or thecomplete pathnames of seldom-used commands. Luckily for you (and us), bash can help. bash uses environment variablesto keep information handy. Some environment variables you define your-self; others (we like to call them automagic variables) are defined bybash. You can use environment variables at the command line or withinshell scripts. In this technique, we show you a few of the more usefulbash variables and how to save time by using variables instead of manu-ally typing everything in. Heres a quick preview of automagic variablespossibilities: The $$ variable holds the process ID of the bash shell. You can use $$to create unique filenames that wont clash with other users. If youwant to browse through a long directory listing, just redirect the out-put from ls into a temporary file named /tmp/$$ and then open thatfile (/tmp/$$) with your favorite editor. When youre finished with it,just delete the temporary file with the command rm /tmp/$$. Shell scripting everyday tasks can save you a lot of time and key-strokes. Tasks such as mounting and unmounting CD drives are wellsuited to scripting, but your scripts should include some verificationof user privileges. Use $UID and $EUID to screen your script users todecide if they should be allowed to run that script. When you need to run a program or shell script, bash needs to knownot only the name of the program but also the location. With $PATH,you can create search paths for bash so that you need to enter onlythe name to run the program. In this technique, we tell you how. Another automagic variable creates command-line arguments out ofprogram results. Save time and space by moving data without havingto create files. Just use $( ) for command substitution, as describedlater in this technique. 7Technique10_571737c07.qxd 7/2/04 8:46 PM Page 38Streamlining Archive Searches 39Show Me the $$: GivingTemporary Files Unique NamesThe $$ variable contains the unique process ID ofthe shell youre running. To see the value of $$, justtype in echo $$. You can use this ID to generateunique names for temporary files.If you have multiple users who create tempo-rary files, setting a naming standard will savetime (and confusion). Tell all your users to use$$ to create the names for their temporaryfiles. Because each process ID is unique, eachfilename will be unique. If youre careful toremove temporary files when youre donewith them, youll avoid lots of confusion inthe long run.Garbage stacks up: Data directories can grow andgrow when youre not looking (nature abhors avacuum, and so does your disk drive). If yourebrowsing through a directory that wont fit on onescreen, you can pipe the output to more like this:$ ls-l | moreA better way to browse through a huge directorylisting is to make a searchable catalog of the files inthat directory, which makes it a lot easier to find thefiles youre looking for. To create and edit a file con-taining the contents of a directory, follow these steps:1. Navigate to the directory you want to list.2. Enter ls -l > /tmp/$$ and press Enter.The file /tmp/$$ now contains a listing of thefiles in your current directory. Of course, because$$ contains your process ID, youve actually cre-ated a file with a name like /tmp/5542 (or what-ever your process ID happens to be).The > directs the output of a command to thefile listed to the right of >. This technique workswith basically any commands that create output.3. Enter gedit /tmp/$$ (if youre using GNOME) oralternately kate /tmp/$$ (if youre using KDE).Your new file opens, ready for you to use.We should point out that using $$ in a filename sim-ply generates a name thats likely to be unique itdoesnt actually create a temporary file. You still haveto delete the file when youre finished with it.Streamlining Archive SearchesWhen you need to find a missing file, searchingthrough tarballs and zip files (with obscure names)that have accumulated in your download directorycan take eons. You can save time by exposing thearchives contents in the easiest and fastest possibleway. Heres how you do it for different file types: Tarballs: To find out whats in a tarball withoutunpacking it, you can easily capture the archivecatalog in a temporary file (and then browse thecatalog with your favorite editor). To do so, usethe following command:$ tar -ztvf tarballname.tgz > /tmp/$$ This command displays the filenames from a tar-ball and captures the output to a temporary filethat you can browse at your leisure. RPM package: If you want to know which filesare included in an RPM package, you can gener-ate a list of the filenames with this command:$ rpm -qpl rpmfilename.rpm > /tmp/$$ Zip file: Zip files also tend to pile up. To peekinside a Zip archive, enter the followingcommand:$ unzip -l zipfilename > /tmp/$$After you have the archive contents in full view, justcheck your temporary file for the contents you need.Cruising through your archives to find missing filesis easy and fast.10_571737c07.qxd 7/2/04 8:46 PM Page 39Technique 7: Typing Less and Doing More with Handy Automagic Variables40Heres another example that shows command substi-tution in action:1. Set up the variable and the command:$ NOW=$(date)The value of $NOW is set to the output of the datecommand.2. To display the value of $NOW, use the echocommand:$ echo $NOWFri Dec 26 13:02:01 EST 2003Of course, you can shorten that whole sequence toecho $(date).Make command substitution a habit it cer-tainly is for us. Command substitution not onlysaves typing but also reduces the chance oferror. Heres a good example of how command substitutioncan reduce typing errors. When you unpack a tarball,files are often scattered all over your system. If youneed to change ownership of all those files, youroptions are to track down and chown those files one ata time, or to build a command with the output gener-ated by another command. Personally, were morelikely to leave a file out of the list than bash is. Thefollowing command converts the output of the tarcommand into a list of filenames for chown to act on:$ chown freddie $(tar -ztvftarballname.tgz)Youve used tar to create list of the files that youreinterested in and then feed that list to chown as a setof command-line arguments. tar isnt the only command that can generate a listof names. In this next example, we use grep to gen-erate a list of user names.The /etc/group file contains one row for each groupyouve defined on your system. Each row contains agroup name, a password, a group number, and thena comma-separated list of the users within that group.A typical group file will look something like this:If you have a lot of archives to go through (theydo accumulate), work with two windows one terminal window and a browser windowopen to your temporary directory. You canopen the file with a quick double-click anddrag it to the trash when youre done. If youre a GNOME aficionado, you can usethe File Roller tool to peek inside most archivesinstead of creating a temporary file to holdthe catalog. Just open Nautilus, jump to thedirectory that holds the archive, and click thefilename.Turning the Output of aCommand into a Variablewith $( ) bash has another trick up its sleeve that can saveyou a lot of time its called command substitution.Command substitution turns the output from a com-mand into a variable. Command substitution is a bighelp with simple results, such as sending e-mail toall the users in a particular group. Command substi-tution is indispensable for complex jobs like chang-ing the ownership of all the files extracted from anarchive.Command substitution is so named because it sub-stitutes the output from a command into the com-mand line. To use command substitution, justsurround a command with parentheses and put adollar sign in front of it, like this:$ file $(which bzgrep)/usr/bin/bzgrep: a /bin/sh script When bash sees the contruct $(command), it executesthe command and builds a new command line basedon the output generate by command. The commandfile $(which bzgrep) is equivalent to:$ which bzgrepscribble down the result (/usr/bin/bzgrep)$ file whatever you scribbled down10_571737c07.qxd 7/2/04 8:46 PM Page 40Using $UID and $EUID in Shell Scripts 41...support:x:500:george,fred,barneyoperators:x:501:elroyacctg:X:502:wilma,betty,judy,jane...You can use grep to pull a specific row out of thegroup file, like this:$ grep support /etc/groupsupport:x:500:george,fred,barneyTo extract the user names from a row, use the cutcommand to pick out a specific column. Because/etc/group uses a colon to separate columns, you canextract the user names with the following command:$ grep support /etc/group | cut -d : -f 4george,fred,barneyThe -d : part tells cut to use the colon characteras a field separator, and the -f 4 part picks out thefourth field.Now you can use command substitution to feed thatlist of user names to the mail program (maybe send-ing a message to everyone in the Accounting, oracctg, department):$ mail $(grep acctg /etc/group | cut -d: -f 4)Subject: DowntimeThe accounting system will be down thisweekend-- Freddie.CC:$ Use variables to hold groups of files or usernames when you need to issue a commandthat affects the whole group. If you want to see a preview of your commandafter substitution but before execution, pressEsc-Ctrl-E. If the preview looks good, pressEnter to execute the command.Using $UID and $EUID in Shell ScriptsWhen you create a user account, Linux assigns anumeric user ID to that user. bash stores the user IDin the $UID variable; your effective user ID is kept inthe $EUID variable. (Your real user ID is always thesame, but your effective user ID changes if youimpersonate another user with the su command.)For example, user freddie might be logged on with a$UID of 500, but if freddie uses su to gain superuserprivileges, his $EUID changes from 500 to 0.A superusers $EUID is always 0. This is a quickand easy way to verify user privileges whenyoure writing shell scripts.You can use $EUID inside a shell script to determinewhether the user running the script holds extra priv-ileges. For example, its easy to write a shell scriptthat mounts the CD drive for users who have enoughprivileges. If youre using Fedora or Mandrake, follow thesesteps:1. Open your terminal window and enter the fol-lowing command:$ gedit /usr/local/bin/mount-cdThis command opens the gedit editor and cre-ates a file called mount-cd in the /usr/local/bindirectory.2. Type in the following text:#!/bin/bashif [[ $EUID -eq 0 ]]thenmount /dev/cdrom /mnt/cdromelseecho Sorry, you must be a superuserecho to mount a CDfi10_571737c07.qxd 7/2/04 8:46 PM Page 41Technique 7: Typing Less and Doing More with Handy Automagic Variables42Getting Quick Access toPrograms with $PATHShell scripts can be big timesavers, but only if youdont have to search for them. Populating your $PATHenvironment variable with the directories that con-tain your most commonly used scripts (and otherprograms) will save you tons of time (and aggrava-tion) because you can start programs with just aprogram name rather than a complete pathname.The $PATH variable is a colon-separated list of direc-tory names that bash searches through to find yourprogram names. Each user has his or her own $PATHvariable.Its a good idea to keep dangerous commands in adirectory thats not on the average users searchpath (that is, the users $PATH variable). If you dont,a naive user might accidentally run a damaging pro-gram when he doesnt mean to. Keeping dangerousprograms out of the normal search path wont stop amalicious user, but it can save you from accidentaldamage.The superusers $PATH should never include aperiod (.). The . directory means the currentdirectory. As you cd from directory to direc-tory, . changes with you. If . is in the supe-rusers search path, a malicious user coulddrop a Trojan horse into a directory that thesuperuser is likely to visit. For example, if amalcontent knows that the superuser spendstime in the /tmp directory, he could create aTrojan horse with an innocuous-looking namelike /tmp/ls.If the superuser cds to /tmp and runs the lscommand, he may be in danger. If . appearsearly in the search path (earlier than /bin/ls),the superuser will run the Trojan horse insteadof the real ls and hell be giving the Trojansuperuser privileges too! Some high-securitysites are even more paranoid they make surethat the superuser has an empty $PATH, forcinghim to type the complete pathname to everycommand.3. Save the file and close gedit.4. At the command line in the terminal window,type this command:chmod a+x /usr/local/bin/mount-cdThis command makes the file executable foreveryone on your system.If your system is running SuSE Linux, follow thesesteps to create a shell script that mounts the CDdrive for users with an effective user ID of 0:1. Open your terminal window and enter the fol-lowing command:$ gedit /usr/local/bin/mount-cdThis command opens the gedit editor and cre-ates a file called mount-cd in the /usr/local/bindirectory.2. Type in the following text:#!/bin/bashif [[ $EUID -eq 0 ]]thenmount /dev/cdrom /media/cdromelseecho Sorry, you must be asuperuserecho to mount a CDfi3. Save the file and close gedit.4. At the command line in the terminal window,type this command:chmod a+x /usr/local/bin/mount-cdThis command makes the file executable foreveryone on your system.Now if users want to mount a CD by using theprogram you just created, all they need to do isenter mount-cd at the command line. Any usercan run this script, but only those users whose$EUIDs are 0 (the superusers) can actually mounta CD.10_571737c07.qxd 7/2/04 8:46 PM Page 42Customizing Variables for Rapid Transit 43To set the $PATH environment variable for a user,follow these steps:1. At the command line, enter gedit~user/.bashrc and press Enter.2. When the editor opens, add the following lineto the end of the file:PATH=$PATH:/foo/bar/bazSubstitute your directory name for/foo/bar/baz.The command you just entered appends thedirectory to the users current search path. 3. Click the Save icon and close the editor. Now, when this user enters a program name, bashsearches through all the directories listed in $PATH. You can add as many directories to the userspath as youd like, but remember that as youhand out easy access to commands, you couldinvite accidents.Customizing Variables forRapid TransitAll the environment variables youve seen so farare automagic variables bash defines them foryou, and they can change value over time. You canalso create custom variables to make your life easier.For example, we spend a lot of time in the directory/usr/local/src (thats where open-source sourcecode typically lives). In our system-wide login script(/etc/bashrc), we define an environment variablenamed $SRC that equates to /usr/local/src. Thatmakes it easy to navigate to our workplace just cd$SRC and were there.Of course, you can use environment variables todo things other than just cd: You can copy files(cp $SRC/foo.c $DST/), create archives (tar -zcvf$SRC/mycode.tgz $SRC/kde/), or just about anythingelse. Unfortunately, most graphical programs dontknow how to deal with environment variables, butthey can sure save you time at the command line.Just think of the pathnames you use over and overevery day, and youll see why custom environmentvariables can be a great timesaver.The following shell script defines a few custom vari-ables you can use to get somewhere quickly:# File name: setvars.bash# Define a few shortcuts#export SRC=/usr/local/src # cd$SRC will take me to /usr/local/srcexport DESK=~/Desktop # cd$DESK will take me to my desktopexport ACCTG=/opt/data/accounting # cd$ACCTG will take me to my bookkeepingdataecho Your custom variables are ready foruseTo use the code:1. Open your favorite editor and create the file~/setvars.bash.$ gedit ~/setvars.bash2. Type in the variables that you want to define(be sure to put the word export in front of eachone).export SRC=/usr/local/srcexport DESK=~/Desktopexport ACCTG=/opt/data/accountingNote: Be sure that you dont have any spacesbefore or after the =; otherwise, bash will com-plain when you try to run your script.3. Save your work and close the editor.At the command line, adjust the permissions for thefile youve just created, making it executable:$ chmod a+x setvars.bash 10_571737c07.qxd 7/2/04 8:46 PM Page 43Technique 7: Typing Less and Doing More with Handy Automagic Variables44the script, bash will start a new shell session, runyour script, and immediately terminate the new shellsession.Why is immediate termination a problem? Becausethe environment variables are defined in the sub-shell (that new shell session) instead of your shellsession. When the sub-shell ends, your fancy newvariables disappear! The source command tells bashto execute a script within the current shell instead offiring up a new shell.After you create the pathname shortcut, youcan move to your source code directory bytyping cd $SRC and pressing Enter. Youre atyour location in a snap!Now, to execute your program and have your customvariables ready for use, just put a period (.) and aspace at the beginning of the command line, like this:$ . setvars.bashYour custom variables are ready for use$ echo $SRC/usr/local/src$When you run a shell script that defines environ-ment variables (like this one does), you have to puta . at the beginning of the command line. The . char-acter is also known as the source command. In fact,you can type source setvars.bash instead of using .,but thats more typing. If you dont source (or .)10_571737c07.qxd 7/2/04 8:46 PM Page 448 Logging In,Logging OutEvery time you log in, Linux launches a chain of startup programsand shell scripts that prepare your desktop and command line envi-ronment. You can customize your command line login scripts toyour liking for example, set color preferences and language prefer-ences and set up the information that will be included in your prompt.You can also arrange for KDE to automatically start programs for you whenyou log in. Not having to find all the programs you need to start your dayis a great timesaver. Calendars, terminal windows, word processors, andeven Tux Racer can be there waiting for you after your first cup of coffee.Linux defines four sets of login/logout scripts. In this technique, we showyou how to decide which scripts you need to change to customize yourwork environment when you log in or log out: System-wide gdm login/logout scripts System-wide shell login scripts Per-user shell login/logout scripts Skeleton (or prototype) shell login/logout scriptsThis technique is all about saving time by having your work environmentready for you when you need it. Finding the right script to modify at loginor logout is the key to success. Finding the Right Shell ScriptWhen you want to customize some aspect of your desktop (or commandline) environment, finding just the right script can be tricky. Some scriptsare shared by all users; others are personal scripts that execute for only agiven user. If youre using a desktop environment like KDE or GNOME, yourchoices are even more complex. The following sections explain how tofind the right script, when to run your code, and finally how to automati-cally arrange your desktop just the way you like it, each time you log in.TechniqueSave Time By Customizing your shellscripts Changing defaults in shellscripts for groups ofusers Customizing your logoutscript Customizing your startupdesktop11_571737c08.qxd 7/2/04 8:46 PM Page 45Technique 8: Logging In, Logging Out46Heres the sequence of scripts that Linux runs whenyou log in to a new GNOME or KDE session managedby gdm (the GNOME display manger):1. /etc/X11/gdm/PostLogin/Default (systemwide)2. /etc/X11/gdm/PreSession/Default (systemwide)3. /etx/X11/xdm/Xsession (system wide)The first three scripts run with superuser privi-leges even if you log in as a non-privilegeduser. Be careful what you do, or you mayintroduce vulnerabilities. 4. /etc/profile (system wide)5. /etc/profile.d/*.sh (system wide)6. ~/.bash_profile (personal)7. ~/.bashrc (personal)8. ~/etc/bashrc (system wide)On SuSE systems, the first two scripts are found in/etc/opt/gnome/gdm instead of /etc/X11/gdm.If youre running SuSE Linux or Mandrake Linux,youre probably using the KDE display manager(kdm) instead of GNOMEs display manager (gdm), andthe login/logout scripts will be different. We recom-mend using gdm even if youre a KDE user (gdm cancreate KDE desktops just like kdm can create GNOMEdesktops). See the sections on switching displaymanagers in SuSE Linux and switching display man-agers in Mandrake Linux in Technique 35 for moreinformation.Youll rarely want to modify any of the first threescripts (in fact, we have never modified them), butits common to modify /etc/profile. If youreuncomfortable modifying /etc/profile, just add anew script to /etc/profile.d/, and bash (actually/etc/profile) will happily invoke it for you.Choosing your victimsStart out by deciding how intrusive you want yourchange to be. That is, do you want to change every-ones settings or just your own? What files you change depends on which of the fol-lowing settings youre changing: Personal settings: If you change your personallogin/logout scripts, you wont interfere withother users. For example, if you want to changeyour own bash prompt (see Technique 4), modify~/.bashrc. Personal settings are stored in yourhome directory. New user prototypes: Change the prototypescripts to provide a starting point for new users(users whose accounts are created after youchange the prototypes). For example, modify/etc/skel/.bashrc (the prototype .bashrcscript) to suggest a default prompt for newusers. When you create a new user account, thescripts found in /etc/skel are copied to the newusers home directory. Prototype scripts arestored in /etc/skel. System-wide settings: If you change system-widescripts, you affect every user on your system. Ifyou want to customize the bash prompt for allusers, modify /etc/bashrc (the system-widebashrc script). System-wide settings are storedin /etc or in a subdirectory of /etc.If you want to modify shared, system-widescripts, you must hold superuser privileges.However, you dont need extra privileges tomodify your own scripts.Timing is everythingNext, determine when your code needs to run. Herethe choices start to get complex. You can modifyscripts that execute when you log in, scripts thatexecute when you start each new shell, and scriptsthat execute when you log out.11_571737c08.qxd 7/2/04 8:46 PM Page 46Finding the Right Shell Script 47Saving your customizations in a separate script(/etc/profile.d/myscript.sh) allows youto more easily debug and maintain the scriptin the future your script wont be tangledup in all the stuff already in /etc/profile.Make sure that the name of any script thatyou save in /etc/profile.d/ ends in .sh.Every time you start a new bash shell (by opening anew terminal window or running a shell script), bashexecutes these scripts:1. ~/.bashrc (personal)2. /etc/bashrc (system wide)Notice that ~/.bashrc runs every time you start anew shell. Dont put any time-consuming tasks in~/.bashrc, or youll spend a lot of time waiting foreach shell session to complete its startup code.~/.bashrc is a great place to define environmentvariables (see Technique 7), aliases, and shell func-tions (see Technique 10).When you log in to your computer without creating anew GNOME or KDE session (by sshing from anothercomputer for example), bash executes these scripts:1. /etc/profile (system wide)2. /etc/profile.d/*.sh (system wide)3. ~/.bash_profile (personal)4. ~/.bashrc (personal)5. /etc/bashrc (system wide)In case you didnt catch it, theres a pattern here. Eachtime you log in to your computer (whether you start anew GNOME or KDE session or ssh from another com-puter), bash runs the profile scripts (/etc/profile,/etc/profile.sh/*.sh, and ~/.bash_profile). Everytime you start a new shell, bash runs the rc scripts(~/.bashrc and /etc/.bashrc). To save yourself sometime, be sure to put long-running tasks (such as fileindexing or mail checking) in a profile script and notin an rc script.When you log out of a command line ssh session,bash executes just one file:~/.bash_logout (personal)The ~/.bash_logout script is a good place to invokecleanup-related tasks. For example, if you have ahabit of creating temporary files, delete them in~/.bash_logout. You may also want to encrypt sensi-tive files when you log out (and decrypt them whenyou log in) see Technique 28 for more informationabout encrypting and decrypting files.When you log out of a KDE or GNOME session, gdm(the GNOME display manager) executes just one file:/etc/X11/gdm/PostSession/Default On SuSE systems, the PostSession/Default script isstored in /etc/opt/gnome/gdm instead of /etc/X11/gdm.Cleaning up made easyNotice that the normal ~/.bash_logout script isnever executed if you use KDE or GNOME all thecleanup code thats stored in ~/.bash_logout isignored. Thats a bit inconvenient because you haveto maintain two different logout scripts: one thatexecutes when you log out from a command line ses-sion and one that executes when you log out from agraphical session.You could try to fix this dual-script problem by creat-ing a new script (with a name of your choosing) andinvoking that script from ~/.bash_logout and /etc/X11/gdm/PostSession/Default. That solution wouldwork, but now youre maintaining three scriptsinstead of one!Heres a better solution to the dual-logout-scriptproblem: Simply modify /etc/X11/gdm/PostSession/Default so that it invokes ~/.bash_logout for you.That way, you (and every other user on your sys-tem) can keep cleanup code in ~/.bash_logout thatruns whether you exit a command line session or agraphical session.11_571737c08.qxd 7/2/04 8:46 PM Page 47Technique 8: Logging In, Logging Out48Linux copies the prototype scripts from a directorynamed /etc/skel (thats skel as in skeleton).If you try to look at the /etc/skel directory with anormal ls command, it looks empty, but its not. Allthe files in /etc/skel have names that start with aperiod ( . ), meaning that they are hidden from thels command. If you really want to see whats in/etc/skel, use ls -a instead (that -a option tells lsto display hidden files as well as normal files). Youllsee (at least) three files: /etc/skel/.bash_profile: Copied to ~/.bash_profile /etc/skel/.bashrc: Copied to ~/.bashrc /etc/skel/.bash_logout: Copied to~/.bash_logout/etc/skel/.bash_profile may be missing if yourerunning SuSE Linux. If you want to change a login(or logout) script inherited by new users, changethe script in /etc/skel. That way, when you createa new user account, Linux copies the modified scriptinto the spankin new home directory.Now you know how the Linux login and logoutscripts work. Whenever you feel a need to modify alogin (or logout) script, be sure to ask yourself whomyou want to affect and when your code needs to run.Customizing Your Autostart FileIf youre like us, each time you log in to your graphicaldesktop (KDE or GNOME), you launch a few handyprograms: xmms to play some music, Evolution toread e-mail, and Mozilla to surf the Web. Wouldnt itbe nice if Linux started those programs automati-cally, every time you logged in to your desktop?Meet Autostart. Autostart is the KDE way to haveyour desktop ready for you every time you log in no extra keystrokes or mouse clicks are required.KDE autostarts the programs you need and has themwaiting for you on your desktop.Follow these steps to run ~/.bash_logout every timeyou log out of your computer:1. Open a terminal window, give yourself super-user privileges, and move into the PostSessiondirectory:$ su Password:# cd /etc/X11/gdm/PostSessionIf youre running SuSE Linux, cd to /etc/opt/gnome/gdm instead.2. Rename the original PostSession/Default script:# mv Default Default.dist3. Use a text editor to create a new file thatincludes the following code:#!/bin/bashif [ -x $HOME/.bash_logout ]thensu -c $HOME/.bash_logout $USERfiSCRIPTDIR=$(dirname $0)exec $SCRIPTDIR/Default.dist4. Save your work to /etc/X11/gdm/PostSession/Default and close the editor.If youre a SuSE user, save your work to /etc/opt/gnome/gdm/PostSession/Default instead.After making this change, your ~/.bash_logoutscript will run whether youre using a KDE session, aGNOME session, or a command line ssh session. Changing prototype scriptsHave you ever wondered how ~/.bash_profile,~/.bashrc, and ~/.bash_logout got into your homedirectory to begin with? When you create a new useraccount, you dont have to write the login and logoutscripts yourself, but they must come from somewhere,right? Right! Each time you create a new user account,11_571737c08.qxd 7/2/04 8:46 PM Page 48Customizing Your Autostart File 49Autostart and the login scripts described earlier aresomewhat related: They both prepare your environ-ment for you. Login scripts set up your commandline environment. Autostart sets up your graphicalenvironment the way you like it.Autostart is easy to set up and change. Just open afew browser windows and surf and drag, and with afew clicks, Autostart is up and running. To removesomething from the Autostart menu, just drag theicon to the Trash.To arrange your desktop with Autostart, follow thesesteps:1. Double-click the Start Here icon on the desktopto open Konqueror.2. Surf to the Autostart directory:/home/username/.kde/AutostartIf you cant see your .kde directory, you canfind it by choosing ViewShow Hidden Files.3. Double-click the Start Here icon again to openanother Konqueror window.Now the fun starts!4. In the second Konqueror window, start surfingfor the programs you want to see on yourdesktop.Start in the Applications directory, where youllfind your tools (and games) in the appropriatefolders.5. When you find a program that you want onyour desktop at login, grab the icon and dragit to the Autostart folder.When you drop it, a little dialog opens.6. In the dialog, choose Link Here.The icon now appears in the Autostart folder.7. Repeat Steps 5 and 6 to add additional icons ifyou want.Thats all there is to it. When you reboot, yourtools are there waiting for you!To remove startup programs, open theAutostart folder again and drag the icons youdont want to the Trash. Youre just throwingaway links, so the originals are still there if youneed them.11_571737c08.qxd 7/2/04 8:46 PM Page 49Save Time By Using history to recallprevious commands Including the historycommand number in yourbash prompt Filtering your history fileto prevent accidents Reusing complex com-mand linesMaking History(Work for You)Like any typical Linux user, you likely have a small core of commands,directories, and files that you work with. The bash shell keeps trackof every command that you type in the history list including thosecommands that you use most frequently. You can take a peek at your his-tory list in a file named ~/.bash_history, where, by default, bash storesthe most recent 1,000 commands.If you know how to move in and out of the history list with ease, his-tory can save you a lot of keystrokes. With Linux, you can use thehistory list to recall previous commands, modify them if you need to,and execute them again without all that typing (and all those typingmistakes).In this technique, we show you how to use the history file to save time atthe command line. Less typing = fewer mistakes. Fewer mistakes = morecommands that work the first time. More commands that work the firsttime = more time left for other things that youd rather be doing.Navigating the History ListTo see the history list, type history and press Enter. With the historylist ready and waiting for you, you can move through it in all sorts ofways. This section explains the different ways to get to the commandyou need quickly. Table 9-1 gives you an overview of your optionsand when its best to use them.ScrollingYou can scroll through the list by using the up- and down-arrow keys: Up arrow: Recalls commands starting with the most recent and movingtowards the oldest. For example, press the up arrow once to see theprevious command and press it again to see the command before that. 9Technique12_571737c09.qxd 7/2/04 8:47 PM Page 50Navigating the History List 51 Down arrow: Moves in the opposite direction itstarts at the current command and moves towardsthe most recent. (You cant use the down-arrowkey until youve used the up-arrow key. The downarrow wont anticipate your next move and makeup a command for you . . . we wish it did.)After you find the command that you want, change itif you need to and then press Enter.Summoning a command by numberEach command is assigned a number when its placedin the history list. (The first command is command 1,and the numbers increase from there.) When you typehistory and press Enter to see the history list, youalso see that a number precedes each command:$ history53 ssh louvre54 ssh versailles55 pwd56 ls -l57 rm *.tmp58 mail franklin59 historyYou can use the command number to recall a specificcommand. Just type an exclamation point ( ! ) andfollow it with the number of the command that youwant to recall. For example, to recall the ssh commandin freddies history, you would enter the following:$ !54ssh versailles[freddie@versailles] If you want to use command numbers to referto your history list, we recommend includingthe command number in your bash prompt;just include \! in $PS1. See Technique 4 formore information.Searching through historyYou can also ask bash to search through the historylist on your behalf. Press Ctrl-R to start an incremen-tal search. As you type each character, bash recallsthe most recent command that includes the charac-ters youve entered. For example, given the commandhistory for freddie, an incremental search for sshwould go like this:1. Press Ctrl-R.The prompt changes from [freddie@bastille] to(reverse-i-search):2. Type s (the first character in ssh).bash finds the most recent command thatincludes an s (which is history), and the promptchanges to(reverse-I-search)s: history3. Type s again (the second letter in ssh).bash finds the most recent command thatincludes ss (which is ssh -A versailles), andthe prompt changes to(reverse-I-search)ss: ssh -A versaillesTABLE 9-1: NAVIGATING HISTORY QUICKLYNavigation Method When Its UsefulScrolling Scroll through your history when you know that the command youre looking for is close by. If you haveto scroll through more than five or six commands to find the one you want, use a different method.Recalling by If you include the history command number in your bash prompt (see Technique 4), you can recall command a specific command by number. That works great if you can see 20 or more commands on your screen number at once.Searching If the command youre looking for is not close by (youve executed a number of commands since theone you want to recall), press Ctrl-R to search for commands that contain a specific pattern. We showyou how in Searching through history.12_571737c09.qxd 7/2/04 8:47 PM Page 51Technique 9: Making History (Work for You)52Filtering the history listYou can also filter out certain commands from thehistory list. After youve used the history featureawhile, youll probably notice that some commandsreally dont belong in the history list. Here are a fewexamples: Its redundant to maintain the history commanditself in the history list. Its unnecessary to record exit commands. (Theexit command will log you out of the shell.) Its a little dangerous to keep rm commands(or other data-destroying commands) in yourhistory list because you might recall them byaccident.You filter out those nasty (or just plain annoying)commands with the $HISTIGNORE variable. Set$HISTIGNORE to a colon-separated list of patterns toexclude from the history list. To filter out the com-mands we just mentioned, use this:$ export HISTIGNORE=history:exit:rm *You may also want to filter out repeated commands.To do so, include the magic character & in $HISTIGNORE:$ export HISTIGNORE=&:history:exit:rm *Occasionally, youll type in a command that you knowyou dont want stored in the history list (maybeyoure restoring files from an archive and you dontwant to risk doing it again later by accident). Toexclude from the history list any command thatstarts with a space or tab, add the pattern [ \t]*to $HISTIGNORE (be sure to include the spacebetween [ and \):$ export HISTIGNORE=[ \t]*:&:history:exit:rm *4. If you want the most recent ssh command (sshversailles), just press Enter. If you want anearlier ssh command (ssh louvre), press Ctrl-Rto tell bash to keep looking.Its easy to make mistakes while youre gettingfamiliar with the history command. You cansave a lot of time if you ask bash to show youeach command after expansion but before thecommand is executed. The histverify shelloption does the trick; just add shopt -shistverify to your ~/.bashrc file.When youre comfortable with the history fea-ture, you may want to turn off histverify.You can still press Esc and then Ctrl-E to pre-view your command line after expansion.Customizing the History Listbash gives you a lot of control over the history list.To customize the history list for how you work, youcan modify the defaults and filter out commandsthat just get in your way.Adjusting key default settingsHere are the defaults that youll likely want to modify: To adjust the number of commands that bashremembers, use $HISTSIZE. To set the number of commands that bashremembers from session to session, use $HISTFILESIZE. To change the location of the saved historyfile from the default (~/.bashrc), modify the$HISTFILE environment variable.See the previous technique (Technique 8) to find outhow to make your preferences permanent so theytake effect every time you log in.12_571737c09.qxd 7/2/04 8:47 PM Page 52Executing Commands Quickly with History Variables 53Now, whenever you type in a command that you wantto exclude from the history list, just put a space (or atab) at the beginning of the command line.Executing Commands Quicklywith History Variables$HOME is the name of your home directory, $PWD is thename of your current working directory, and so on.The history command adds a few more variables tothe mix. The history variables let you treat a previ-ous command, or part of a previous command, as avariable. Master the use of these automagic vari-ables, and youll save time by not having to spot andfix typing mistakes.For a quick refresher course in automagic vari-ables, check out Technique 7. It tells you aboutthe predefined variables that bash makesavailable for your use.Most variable names in bash start with a $character, but the history variable names allstart with !.The !! variable contains the text of the last com-mand. If you type !! at the command line, bash reex-ecutes your last command:$ ps PID TTY TIME CMD5562 pts/4 00:00:00 bash12442 pts/4 00:00:00 ps$ !!PID TTY TIME CMD5562 pts/4 00:00:00 bash12464 pts/4 00:00:00 psOf course, if you all you want to do is reex-ecute the previous command, youd probablyjust press the up-arrow key and then Enterrather than use !!. The real timesaving advan-tage of !! is that it contains the text of theprevious command, which you can use tocreate new commands. If you have a complexcommand that you use frequently, you cansave that command into a file with a meaningfulname and save yourself the effort of re-creatingthe command the next time you need it.Heres an example of how you can use !! to createnew commands. You can use the tar command tomove a directory structure, but the syntax of thecommand is a bit hairy:$ tar -cf - * | (cd $DST ; tar -xf - )After youve executed that command, use !! torecall the command and save it to a file:$ echo !! > $HOME/bin/movedir$ chmod u+x $HOME/bin/movedirThe next time you want to move a directory, justtype movedir and press Enter.Here are some other handy tricks you can do withautomagic variables: Dial up a command number quickly. InTechnique 4, we show you how to include thehistory command number in your bash prompt.Heres the payoff. You can refer to a command byits command number with !n. If you display thehistory command number in your prompt, youcan easily recall complex commands by number.[1028]# w -hsffranklin :0 2:23m Chromiumgeorgette pts/1 0:02m mailxfreddie pts/2 0:0s w -hsf[1029]# killall Chromium[1030]# !1028franklin :0 0:01m bashgeorgette pts/1 0:02m mailxfreddie pts/2 0:0s w -hsf See your command before you execute it. TheEsc, Ctrl-E trick works with history variables,12_571737c09.qxd 7/2/04 8:47 PM Page 53Technique 9: Making History (Work for You)54TABLE 9-2: HISTORY VARIABLESVariable Meaning!! Previous command!n Command number n!-n Current command number minus n commands(!-1 is the previous command, !-2 is the com-mand before that, and so on)!text Most recent command that starts with text!?text Most recent command that includes textSpeaking the lingoSeasoned propeller-heads pronounce ! as bang, notexclamation point. So, !! is pronounced bang bang.The * character is pronounced splat. You can, of course,combine these to come up with witty phrases like bangbang splat. If you enter a room where people are usinglanguage like this, back away slowly. . . .too. To see your command after variable expan-sion but before execution, just press Esc followedby Ctrl-E:[1031]# !1029 (now press Esc Ctrl-E)[1031]# killall Chromium Peel off parts of commands with word designa-tors. You can also refer to parts of a previouscommand by adding a word designator to the endof the history variable. The most useful worddesignators are $ to refer to the last argument ina command, and * to refer to all arguments. Forexample, to create a new directory and thenmove there, use this:$ mkdir /usr/local/src/coolcode$ cd !!$$ pwd/usr/local/src/coolcodeTable 9-2 shows the complete list of history variables.Remember that you can include a word designatorafter the variable name to refer to part of a command.12_571737c09.qxd 7/2/04 8:47 PM Page 5410 Keeping Your LifeSimple with Aliasesand FunctionsAn alias is a command line shortcut. Creating an alias means thatyou spend less time typing. You can create aliases that give mean-ingful names to obscure commands; provide extra safety whenyoure doing something dangerous; create an abbreviation for a long,complex command; or just correct typing mistakes.A function is a series of commands designed to perform a task. Functionscan work with aliases to make it easy to automate tedious and time-consuming tasks. A function can be one or two lines long, or can growinto extremely complex programs that involve user interaction and errorchecking. In this technique, we include functions that make it easy tomonitor your system with a few quick keystrokes and automate the com-plex task of exploring and unzipping archives. In this technique, weve included some of our favorite aliases and func-tions. Without them, wed be correcting our spelling all day long. Usethem or create your own from our examples to save keystrokes and timeat the command line. Viewing Your AliasesViewing your aliases is simple. bash is often configured with a few prede-fined aliases, so you can test this command even if you havent createdany user-defined aliases yet. To view the aliases in your shell, just typealias and press Enter:$ aliasalias l.=ls -d .* --color=ttyalias ll=ls -l --color=ttyalias ls=ls --color=ttyalias vi=vimYou may see a few more (or less) depending on which Linux packagesyouve installed. The first three aliases in the preceding list provideshortcuts for common variations of the ls command, which you can seein Table 10-1.TechniqueSave Time By Using the predefinedaliases that come withbash Making aliases for com-mon commands Correcting your spellingwith aliases Using functions to auto-mate downloading andinstalling13_571737c10.qxd 7/2/04 8:48 PM Page 55Technique 10: Keeping Your Life Simple with Aliases and Functions56These are some common spelling corrections youmight want to include in your alias list:alias pdw=pwdalias mroe=morealias fiel=fileYou may want to add an alias that translates oldfamiliar commands into Linux form:alias dir=ls -lNavigational aliases are handy, too:alias up=cd ..You can create aliases for commonly used (but cum-bersome) commands, such as unpacking tarballs:alias unpack=tar -zxvf To display a list of programs that have open networkconnections (for example, Web browsers or stream-ing audio), create this alias:alias netcon=netstat -p | grep -v^unix Create an alias that protects you against accidents.For example, the rm command (remove file) usuallydoes its work without any more input from you. But, if you include a -i on the command line, rmasks you to confirm each file that it wants to delete.That can be a lifesaver if you ever type rm * .tgzinstead of rm *.tgz. (The extra space after the * inthe first command tells rm to delete everything inyour directory which is probably not what youwanted.)alias rm=rm -ialias cp=cp -ialias mv=mv -iTurning dangerous commands into safe com-mands can save you a lot of time. Most userswould agree that restoring from a backup isnot an enjoyable way to spend an afternoon.TABLE 10-1: THE LS SHORTCUTSType bash Expands To To Do Thisl. ls -d .* --color=tty List directory names andhidden files (files whosenames start with a .[period]) and colorizethe on-screen outputll ls -l --color=tty Display a detailed direc-tory listing (in color)ls ls --color=tty Display the content of adirectory in short format(in color)The fourth predefined alias is there for old UNIXusers who are accustomed to using the vi editor.Linux doesnt include vi anymore, but it doesinclude a much-improved replacement called vim.That old habit of typing in vi now starts the newprogram, vim.These are just a few of the timesaving aliases thatyou may find in your shell. Read on to find out howto create a few aliases yourself.Creating Simple TimesavingAliasesCreating a new alias is easy. Heres an example thatcreates an alias to fix our most common typing error:$ alias pdw=pwdNow, whenever we want to know our current work-ing directory and we accidentally type in pdw, bashhelps out by translating the typo into the correct pwdcommand.bash expands an alias only if its the first word in thecommand line. Some of our favorite aliases fixspelling mistakes, create shortcuts, and help us outwhen were forgetful.13_571737c10.qxd 7/2/04 8:48 PM Page 56Using Aliases for Complex Commands 57Viewing your aliasWhen bash sees an alias name at the beginning of the com-mand line, it replaces the alias name with the body of thealias. Normally, the substitution happens behind the scenes,and you cant see it. If you want to see the substitution beforeyou press the Enter key, just press Esc-E. For example, if youtype fi myfile.sh and then press Esc-E, bash replacesyour command line with find . -name myfile.sh. Anything that could legally follow the alias body can follow the alias name. This means that you caninclude additional options on the command linewhen you use an alias. For example:$ f myfile.sh -ls819 8 -rw-rw-r-- 1 freddie freddie 5104Feb 26 06:57./tmp/myfile.shbash aliases have one weakness: You cant movecommand line arguments to other parts of the com-mand. For example, consider this alias:alias gf=find . -type f -print0 | xargs -0 -e grep -n -e The gf alias combines find and grep to search forspecific text in all the files in a directory tree. Youcan use the alias like this:$ gf Martini./recipes/drinks.txt:200: the perfectMartini./spystories/bond.html:22: I prefer myMartinis shaken, not stirredThe gf alias works great as long as you want tosearch every file in a directory tree, but what if youwant to search through .txt files and ignore .htmlfiles? You cant do that with an alias because the -name qualifier has to go in the middle of the com-mand line; it cant be at the end. Instead, you need afunction, which we explain how to create in the nextsection.To save your aliases, use your favorite editor toadd them to the ~/.bashrc file. This way,each time you log in, your aliases are therewhen you need them. To add system-widealiases, check out Technique 8.Using Aliases for ComplexCommandsYou can also create aliases that execute complexcommands. For example, the following alias con-verts all GIF files in the current directory into PNGform:alias cnv=for fi in *.gif; do giftopnm$fi | pnmtopng > ${fi%%.gif}.png; doneAliases make it easy to create customized com-mands that are preconfigured with the argumentsand options that you most frequently use. The findcommand is a great candidate for an alias or twobecause its such a complex command (seeTechnique 12). Here are two aliases that do theheavy lifting for you:alias f=find . -namealias fi=find . -inameAfter defining these aliases, you can search for a file(by name) like this:$ f myfile.sh./tmp/myfile.shOr, use the second alias to search for a filenamewithout regard to letter case:$ fi myfile.sh./tmp/myfile.sh./work/MyFile.sh13_571737c10.qxd 7/2/04 8:48 PM Page 57Technique 10: Keeping Your Life Simple with Aliases and Functions58find yourself doing over and over again. If you oftendownload, configure, and build software from theWeb, you can save time by creating a simple functionto automate that task:function loadcode (){wget -q -O - $1 | tar -zxvf -cd $(basename $1 .tar.gz)./configuremake}The loadcode function expects a single argument, theURL for a tarball that you want to download andinstall. To use this function, open your favorite edi-tor, type the text for the loadcode function as shown,and save your changes to ~/.funcs.sh (which is justa random filename were using for this example).Now, use the source command to install loadcodeinto your shell:$ source ~/funcs.shNext, find a package that you want to install andthen run the loadcode function like this:$ loadcodeftp://ftp.gnu.org/gnu/barcode/barcode-0.98.tar.gzbarcode-0.98/barcode-0.98/CVS/barcode-0.98/ChangeLogbarcode-0.98/COPYINGbarcode-0.98/Makefile.inbarcode-0.98/INSTALLbarcode-0.98/barcode.h... The loadcode function has four commands insideit. The first command uses wget to download thetarball and feeds the download to tar for unpacking.When you unpack a tarball like barcode-0.98.tar.gz,the content is stored in a subdirectory named barcode-0.98; the second command moves into thatdirectory. The last two commands do the GNU-installAutomating Tedious Taskswith FunctionsA bash function is like an alias on steroids. A func-tion has none of the restrictions of an alias. You canexecute many commands within a bash function,and you can pass arguments to a function and usethose arguments wherever you need them. Filtering file searches by file typeHeres another version of gf, this time written as afunction instead of an alias:function gfn (){find . -name $2 -print0 | xargs -0 -egrep -n -e $1}This function, which weve called gfn to distinguishit from the gf alias, expects two arguments. The firstargument is a filename pattern, such as *.c, thatspecifies which files you want to search. The secondargument to gfn is the text that you want to searchfor. If you want to search through all the files in yourcurrent directory, just use the pattern * (the dou-ble quotes are important). Now you can search fortext in .txt files like this:$ gfn Martini *.txt./recipes/drinks.txt:200: the perfectMartiniThe $1 variable holds the first command lineargument (Martini), and $2 holds the second(*.txt). With a function, you can use thecommand line arguments wherever you needthem. (With an alias, the arguments get tackedonto the end of the command line.)Automatic downloading In its most basic form, a function is a name thatyou give to a sequence of one or more commands.Functions are perfect for automating tasks that you13_571737c10.qxd 7/2/04 8:48 PM Page 58Monitoring Your System in a Snap 59two-step: configure (in this case, with all the defaultoptions) and make. When loadcode completes, justgive yourself superuser privileges and do a makeinstall.loadcode is just a name that youve given to asequence of commands. The commands execute oneafter the other, and if something goes wrong, thescript just keeps going. You can improve this func-tion by adding a bit of error checking:function loadcode (){if ( wget -q -O - $1 | tar -zxvf - )thencd $(basename $1 .tar.gz) || return 1./configure && makeelseecho Cant download $1fi}Now if something goes wrong, loadcode fails insteadof continuing on its merry (and misleading) way. Thenew version of loadcode shows three ways to checkfor error conditions: The first command is now wrapped inside an ifstatement. If the wget or tar commands fail (thatis, if they exit with a result code of 0), loadcodejumps to the else clause and displays a friendlyerror message. If the wget and tar commandssucceed, loadcode jumps into the then clause. The cd command can fail if the tarball that youreunpacking doesnt follow the usual naming con-vention. To catch that sort of problem, loadcodeuses the || (logical or) operator to exit if the cdcommand fails. You can read that command aseither cd successfully or return 1. The configure command can also fail if youdont have all the prerequisites for the packageyoure installing. In this case, loadcode uses the&& operator to catch a configuration failure. Youcan read that command as configure and, ifthat succeeds, make.Adding a timer to loadcodeAliases and functions can work together. Heres an alias thatmakes your computer beep when loadcode is finishedrunning (assuming you have a properly configured audiocard). Its kind of like the timer on a microwave.alias beep=tput belInvoke beep inside the loadcode module, or just use it onthe command line, like this:$ loadcodeftp://ftp.gnu.org/gnu/barcode/barcode-0.98.tar.gz ; beepYoull hear a beep when loadcode has finished its work(loadcode can take a while to run if you have a slow net-work connection).Monitoring Your Systemin a SnapSo far, youve seen functions and aliases designed towork with the command line, but you can also spawngraphical programs from the command line. Here isan alias that spawns a new xterm window that dis-plays the output of the top command (sort of abuild-it-yourself system monitor):alias xtop=xterm -e top &After defining this alias, just type xtop to open a newwindow that runs the top command (see Figure 10-1).If you want to run a program that has a more com-plex command line, just define a function. For exam-ple, the following function opens a new window thatdisplays the last few lines of a file and continues todisplay new text as its added to the file:function xtail () { xterm -e tail -f $1 & }13_571737c10.qxd 7/2/04 8:48 PM Page 59Technique 10: Keeping Your Life Simple with Aliases and Functions60You know that the tar command (at least the GNUversion of tar) can handle uncompressed, gzip-compressed, and bzip2-compressed archives. Itseasy to create a wrapper function that invokes tarwith the right set of flags based on the archive thatyou give it. The tarls function (see Listing 10-1) usesthe file command to determine whether the givenarchive is compressed and, if so, which compressionmethod was used. tarls is much longer than theother functions in this technique, so weve includedtwo timesaving features in this listing: Local variables that hold intermediate results:You could rewrite this function without the localvariables, but it would be much more time-consuming to maintain. Comments that help future maintainers under-stand our rationale: bash syntax can get awfullycryptic, and youll save yourself a lot of time inthe future by commenting your code now. Figure 10-1: Running top in its own window.If you have superuser privileges, you can use xtailto watch the system log file:# xtail /var/log/messagesUn-tarring the Easy WayYou can also save time by creating self-adjustingfunctions that adapt to command line arguments.LISTING 10-1: CHOOSING THE RIGHT PROGRAM BASED ON FILE TYPEfunction tarls (){# Figure what type of file we are working with.local filetype # Output from the file commandlocal tartype # $filetype without filenamelocal compresstype # First word from $tartypelocal tarflags # Flags given to the tar command# Given an argument like:# icons.tgz# filetype will contain# icons.tgz: gzip compressed datafiletype=$(file $1 )# Now strip the leading filename# from $filetype, leaving# gzip compressed data13_571737c10.qxd 7/2/04 8:48 PM Page 60Un-tarring the Easy Way 61tartype=${filetype#$1:}# Finally, grab the first word# from $tartype, leaving# gzipcompresstype=$(echo $tartype | cut -d -f 1 )case $compresstype ingzip) tarflags=-ztvf;;bzip2) tarflags=-jtvf;;POSIX) tarflags=-tvf;;*) echo Unknown archive type; return 1;;esac;tar $tarflags $1}13_571737c10.qxd 7/2/04 8:48 PM Page 6113_571737c10.qxd 7/2/04 8:48 PM Page 62Part IIGetting the Most fromYour File System14_571737p02.qxd 7/2/04 8:49 PM Page 6314_571737p02.qxd 7/2/04 8:49 PM Page 6411 Sharing Files andPrinters in aWindows WorldMost networks sport an assortment of computers. A few Linuxmachines, a couple of Windows machines, and a Mac or two arecombined to create a network that is fast, versatile, and userfriendly. Were not trying to suggest that Linux isnt the best thing sincesliced bread, but in reality, a complete conversion to a Linux-only net-work isnt always possible. Sometimes, the Penguin just has to learn howto get along with Windows.The need to share data across a network is nothing new, but with morenetworks being made up of assorted machines, the open-source softwaremovement has grown to include a lot of excellent (and might we add,free) software that knows how to deal with data sharing programs thatlet you share data and hardware across your network painlessly and fast. In this technique, we show you how to share data and printers acrossyour network. Saving time, saving money . . . all in all, creating a friendlierworld.What Is Samba?Most people think of the Brazilian dance when they hear the word samba.We prefer to think of the triplochiton scleroxylon (commonly known asthe Samba tree), a west African tree having axillary cymose panicles. Wehave no idea what a cymose panicle is, axillary or otherwise.In the Linux world, Samba is a suite of resource-sharing utilities includedin most Linux distributions. You use Samba to share Linux file systems,directories, files, and printers with other hosts on your network. Sambais designed specifically to work with the Microsoft Windows file-sharingand printer-sharing features. Two hosts are involved in every Samba con-nection: The server makes a resource available to clients, and the clientaccesses the resource shared by a server. A Linux host can act as aclient, as a server, or as both. TechniqueSave Time By Using SWAT to configureSamba Getting Linux files fromWindows Getting to your Linuxprinters from Windows Using Windows data fromLinux15_571737c11.qxd 7/2/04 8:49 PM Page 65Technique 11: Sharing Files and Printers in a Windows World66 samba-doc contains the documentation forSamba. samba-swat is a browser-based configurationutility for Samba.If you want your computer to act as a Sambaserver (that is, if you want to expose data orprinters located on your computer), you mustinstall the samba (or samba-server) package.However, we recommend installing all thepackages because it makes life a lot easier. If you install all four packages, your com-puter can act as a Samba client or a Sambaserver, and youll have a nice configurationtool as well. To find out if Samba is already installed on yourFedora host, open a terminal window and type in thefollowing command:$ rpm -q samba samba-client samba-commonsamba-swat samba-docSuSE aficionados should use the command:$ rpm -q samba samba-client samba-docIf you are running Mandrake Linux, type in:$ rpm -q samba-server samba-client samba-common samba-swat samba-docIf rpm reports that any packages are not installed, digout your OS install media and install them. Enabling SambaSamba runs as a service process, hanging around inthe background waiting for client requests. After youhave Samba installed, you have to enable it to startthe Samba server. If youre running Fedora, followthese steps to enable the Samba service:1. Open the GNOME or KDE main menu. 2. Choose System SettingsServer SettingsServices. Under the hood, Samba clients interact with Sambaservers by using a protocol called SMB (ServerMessage Block). SMB is also known as CIFS (CommonInternet File System). A server can expose two kindsof resources: printers and shares. A share is a direc-tory (and all the subdirectories underneath it). Aprinter is, well, a printer.Samba has been around awhile, and its very stable.You can use Samba to share resources even if youdont have any Windows computers in your network. Samba lets you expose resources to the rest of the world. We specifically chose the wordexpose to remind you that Samba can sharesecrets that you may not want to share. Itseasy to make Samba reasonably secure, butits also easy to make Samba insecure. SeeTechnique 37 for some helpful tips abouthardening your system against malicious (or accidental) abuse.Getting Up and Running with SambaBefore you can use Samba to share printers, direc-tory trees, or both, you have to do a little upfrontwork. The following sections help you check yourinstallation and then enable Samba.Checking whether Samba is installedThe first step in preparing to use Samba is makingsure that you have all the parts installed. Samba istypically distributed in five separate packages, butthe exact details vary by distribution: samba-client contains the software required toact as a Samba client. samba contains the software required to act as aSamba server. samba-common contains files required by bothsamba and samba-client.15_571737c11.qxd 7/2/04 8:49 PM Page 66Sharing Linux Resources with Other Computers (SMB Clients) 673. Enter the superuser password if requested.4. Scroll through the list on the left until you seethe SWAT check box.5. Select the SWAT box.That tells Linux to automatically start the SWATservice whenever you boot your machine. (Seethe next section for more on SWAT.)6. Scroll back up until you see the SMB service.7. Select the SMB box next to SMB.This tells Linux to automatically start the SMBservice whenever you boot your machine.8. Click Start (in the toolbar), and a windowappears telling you that the SMB service hasstarted. Click OK to close the window.9. Click Save to save your changes.10. Press Ctrl-Q to quit (or just close the dialog).If youre using Mandrake, start the services at thecommand line with the commands:# /sbin/service smb start# /sbin/service swat startIf youre using SuSE, you can start the services at thecommand line with the commands:# /etc/init.d/smb start# /etc/init.d/swat startNow its time for a little configuration work. Dontworry, configuring Samba is as easy as swatting flies.Sharing Linux Resources withOther Computers (SMB Clients)After you install and start Samba, as described in theprevious section, you can start configuring all thecomputers so that they can share resources, whichis what this section is all about.Samba is controlled primarily by the /etc/samba/smb.conf configuration file. If you were to peek atthat file immediately after you install Samba (whichwe dont recommend), you may find it a tad bitintimidating: Its nearly 300 lines long and has allsorts of options and parameters that you typicallydont need. Fortunately, Samba has a graphical configurationtool called SWAT that makes it much easier to man-age Samba. SWAT runs a mini-HTTP server on yourhost (listening for connection requests on port 901)and manages the Samba configuration file (/etc/samba/smb.conf) and the Samba password file (/etc/samba/smbpasswd) for you. The first time you run SWAT, it installs a new configu-ration file that exposes any printers installed onyour Linux host along with the users home directo-ries. You still have to adjust the workgroup name (ifnecessary) and create Samba user accounts. Thenyou can share the resources on your Linux computerwith other Windows and Linux computers on yournetwork. The following sections contain all thedetails. Adjusting the workgroup nameand creating user accountsBefore a remote computer can access the data thatyou expose on your Linux host, the remote com-puter must prove its identity to Samba. Computersauthenticate themselves by sending a workgroupname, a user name, and a password to your Sambaserver. Of course, you have to tell Samba whichworkgroup names and user names are valid andassign a password to each user account. To adjust the workgroup name and create useraccounts, follow these steps:1. Open your Konqueror browser.To open Konqueror, double-click Start Here onyour desktop.15_571737c11.qxd 7/2/04 8:49 PM Page 67Technique 11: Sharing Files and Printers in a Windows World681. Open a terminal window.2. Type smbclient //localhost/$USER and pressEnter.If you see a message like Connection to localhost failed, the Samba server is config-ured, but not actually running. In this case, logback into SWAT (with your Web browser), clickStatus, and then click Restart All.3. Type in the password that you assigned to yourSamba account and press Enter.Youre greeted with a new prompt (smb: \>) thatindicates youre running the smbclient program,connected to your home directory. You can typels to see a directory listing, cd to move to a sub-directory, and help for a complete command list.Type exit when youre finished.The smbclient program is useful in a pinch (we useit just to make sure everything is configured prop-erly), but you really want to mount your new shareon another computer, which we cover next.Giving a Windows machine access toyour home directoryIf your other computer is a Linux machine, sit tight,and well show you how to mount an SMB share in afew moments. If your other machine is a Windowshost, follow these directions to mount the new share:1. On your Windows desktop, right-click MyComputer or Network Neighborhood andchoose Map Network Drive from the pop-upmenu.2. Type your host name and share name into theFolder field. Windows expects SMB share names to start withtwo backslashes, then the host name (or IPaddress) of the SMB server, a single backslash,and the share name. For example, if your Linuxhost is named bastille and you want to mountthe home directory of user franklin, you wouldenter the folder name \\bastille\franklin.2. To connect to SWAT, enter http://localhost:901 in the Location field and press Enter.A dialog appears prompting you for a user nameand password. You must log in as root and pro-vide the superuser password. If you dont, SWATallows you to log in, but you wont be able to doanything except read the documentation.3. Click Globals.4. Scroll down to the Workgroup box.The default value for Workgroup is MYGROUP. Ifyou already have a Windows workgroup, enterthe workgroups name here. If not, choose aname (MYGROUP is a reasonable choice) andtype it into the Workgroup box.5. Click Commit Changes to write your changes tothe /etc/smb.conf file.6. Click Password.The password management page appears. Thispage lets you create new Samba users, deletethem, and enable and disable their accounts. Usethe top part of the page to manage the Sambaserver. The bottom part of the page (labeledClient/Server Password Management) lets youchange passwords on other (client) hosts.7. Type your user name into the User Name fieldand enter a password into the New Passwordand Re-type New Password fields.SMB clients must provide the user name andpassword that you enter here before they canaccess the resources that you export (well showyou how to share specific resources a little laterin this technique).8. Click Add New User.9. Click Enable User.Thats it! If everything went well, Samba is up andrunning, and you can access your Linux home direc-tory (~) from an SMB client. To verify that every-things working, follow these steps:15_571737c11.qxd 7/2/04 8:49 PM Page 68Hooking Everyone Up to the Printer 693. Click Finish.4. If prompted, enter your Samba user name andpassword and click OK.After a short delay, a window appears (on yourWindows desktop) displaying the contents of yourLinux home directory. You can drag and drop files,copy them, print them, or create new ones. Justremember: The Samba-hosted files you see on yourWindows computer are actually stored on yourLinux computer.Sharing Linux files and directories with other computersThe standard configuration that SWAT choosesexposes home directories (and all printers). SWATmakes it easy to create new SMB shares for otherdirectories (even other devices) on your Linux com-puter. To share your CD drive with others, followthese steps:1. To connect to SWAT, open your Web browserand jump to http://localhost:901.2. Log in as user root when prompted.3. Click Shares.The share manager page appears.4. Type CD-Drive into the field next to the CreateShare button.You can choose any name you like for the sharename, but dont get too fancy. In particular, dontinclude a forward slash or a backward slash inyour share name SWAT will let you do it, butyou wont be able to mount that share fromanother computer.5. Click Create Share.The share parameter page appears.6. Enter a descriptive name (such as Shared CD Drive) in the Comment field.7. Type /mnt/cdrom in the Path field (if youre run-ning SuSE Linux, type /media/cdrom instead).8. Click Commit Changes (near the top of thepage).Now you should be able to remotely access your CD drive from another computer. Note that you stillhave to mount the CD (mount /dev/cdrom) from yourLinux host before others can see it. See the section,Plugging In to Remote Data with Linux ProgramsQuickly later in this technique for more details.Hooking Everyone Up to the PrinterSamba can expose printers as easily as it shares filesand directories. In fact, Samba automatically sharesyour Linux printers with anyone in your SMB work-group. You can also access (from Linux) printers thatare connected to Windows computers. In this section,we show you how to manage Samba printer shares.Sharing Linux printers with SWATIf you have any printers connected to your Linuxcomputer (and youve configured them), Sambaautomatically shares them with other computers inyour workgroup; you dont have to expose themyourself. Samba discovers the printers on your com-puter by reading the /etc/printcap file. Normally,you dont edit the printcap file yourself; you let aKDE or GNOME helper do that for you. If you have a printer that you dont want to share,you can use SWAT to hide it from other computers:1. To connect to SWAT, open your Web browserand jump to http://localhost:901.2. Log in as user root when prompted.3. Click Printers.The printer manager page appears.15_571737c11.qxd 7/2/04 8:49 PM Page 69Technique 11: Sharing Files and Printers in a Windows World703. Youre prompted for the superuser password.Enter the password and click OK.4. Click New.After a short delay, the Add a New Print Queuedialog opens, as shown in Figure 11-2. Figure 11-2: The Add a New Print Queue dialog.5. Click Forward.6. When the next dialog opens, type in a nameand a description for your printer. ClickForward again.7. In the next dialog (see Figure 11-3), select theSMB queue type and highlight the networkshare that you want to use. Figure 11-3: Select the SMB queue type and highlight thenetwork share.8. Click Forward.The Authentication dialog opens, as shown inFigure 11-4.4. Click Choose Printer.The printer parameters page appears.5. Scroll to the bottom of the page and changeAvailable to No.6. Click Commit Changes.Using a Windows printer from LinuxUsing a remote printer makes life much easier whenyoure working on a network. Sharing resourcessaves a small company not only dollars, but also lotsof time in potential maintenance. Sharing a printermeans that if Freddies printer breaks, he can useRobertas printer and still get his work done on timewithout shuffling disks, data, or cables.If youre accessing Windows-hosted resources from aLinux host, you dont need to install the Sambaserver just the client. Now, with a few quickclicks, youll have access to a network printer.Follow these steps:1. Click the printer icon on your taskbar.The GNOME Print Manager window opens (see Figure 11-1).2. If you have no printers loaded, youre asked if you want to run the configuration tool. Click OK. Figure 11-1: The GNOME Print Manager.15_571737c11.qxd 7/2/04 8:49 PM Page 70Plugging In to Remote Data with Linux Programs Quickly 71 Figure 11-4: The Authentication dialog.9. Enter the user name and password you use tolog into the Windows computer and click OK.10. In the next dialog that opens, use the list box(initially labeled Generic) to choose yourprinter type and model.11. Click Finish, and print a test page to verify thatthe printer is properly configured.To print on the remote printer, just click the printerbutton usually found on the toolbar, or navigatethrough the File menu. The Print dialog opens to let you adjust the properties of your print job (see Figure 11-5). Figure 11-5: The Print setup dialog.Plugging In to Remote Data with Linux Programs QuicklyMounting a remote directory on your local system isa great way to use your favorite Linux programs withWindows data (or data stored on another Linux com-puter). Just add a quick line or two to the /etc/fstab file, and Linux mounts a network share withjust one command.In a typical Linux system, you have to hold super-user privileges to mount a file system. Thats verysecure, but not very convenient. If you want a non-privileged user to be able to mount his or her ownhome directory, you need to give some extra privi-leges to the SMB mount program (see Technique 27for more information about file permissions andprivileges):1. At the command line, give yourself superuserprivileges.2. Change permissions for smbmnt:chmod u+s /usr/bin/smbmnt3. Change ownership for smbmnt:Chown root /usr/bin/smbmntGranting privileges to programs (instead of tousers) can create security risks should somehacker discover a flaw in the smbmnt program.Be sure to check out Technique 57 to decidewhether privileged programs are right for you. Now, if you add a line or two to your /etc/fstabfile, mounting a remote SMB share is a snap. To editthe file, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Type kwrite /etc/fstab and press Enter.A KWrite window opens, with /etc/fstabdisplayed.3. Add a line at the end of the file that reads likethis://bastille/freddie /mnt/bastille \smbfs noauto,user 0 015_571737c11.qxd 7/2/04 8:49 PM Page 71Technique 11: Sharing Files and Printers in a Windows World724. Save the file and close KWrite. Youre ready to mount a share!Need more information about the fstab file?For the fastest route to this info, type manfstab at the command line and press Enter.All the documentation is at your fingertips.Use the up- and down-arrow keys to scrollthrough the documentation, and when yourefinished, press q to quit.Need the documentation in a nicer format?Double-click the Start Here icon on your desk-top and enter man:/ in the Location line. Youmight need to search a bit for the documenta-tion, but its more readable and includes hyper-links to other information related to your topic.Oh, and fstab is documented in Section 5.Now, to mount the new share, just use the mountcommand at the command line:$ mount //bastille/freddie Access your new share just like its a part of yourlocal machine. You can work on it with all yourfavorite Linux programs or copy files back and fortheffortlessly.If youre graphically inclined, use Konqueror tonavigate your new file system. It works justlike a part of your local machine now. You need to customize the entry in this step asfollows: The first field, //bastille/freddie, describesthe device to be mounted. This is the computername, followed by the remote directory name. The second field, /mnt/bastille, defines themount point. This is the directory on yourcomputer where the content of the remotedirectory will appear. The mount point can beanywhere in your directory tree that youwould like your share to be, but you need tocreate the directory and set the privilegesbefore you mount it. The third field is the file system type: smbfs.Many file system types work with Linux, butsmbfs is the choice for what youre doing. The fourth field, noauto,user, describes theoptions to invoke for this mount. Set thenoauto option to tell Linux not to mount thisfile system at boot time (you never want toauto-mount a network share), and set theuser option to permit a nonprivileged user tomount the share. The fifth field works with the backup com-mand. You dont want to be backing up thisshare remotely, so set it to 0. The sixth field indicates whether the file sys-tem of the share should be checked at boottime. Again, pass on this option and set it to 0.15_571737c11.qxd 7/2/04 8:49 PM Page 7212 Finding What You NeedWeve all been there you create a new file, and then you forgetwhere you put it and what you called it. How do you find it again?Fortunately Linux has a few options for finding lost data fast.In this technique, we introduce you to the find command. find cansearch through your file system looking for files based upon a diverse setof qualifications that you can combine to create complex searches. Withfind, you can search for your file based on information like the modifica-tion date, the file size, ownership, and other file attributes. find alsoworks with the xargs command to build complex commands based onsearch results. We also show you how to use the locate command tosearch through a system-maintained catalog of files and how to updatethat catalog to be sure it contains current entries. Weve also included a diskusage utility that you can use in conjunctionwith find to play find the disk hog. If you need to free up resources,this is a quick way to find out whos using all the space.This technique is all about finding files fast, with whatever informationyou have on hand. You know what you need to find. You might notremember its name, but well help you find it anyway.Finding Files with locateEvery night, an automatically scheduled program waltzes across yourdisk drive(s) and records all the filenames it can find in a database. Thelocate command searches through that database to find files with a particular name. If you find your installation of Linux is missing the locate command,you can add it by installing the appropriate RPM package: for SuSE,install findutils-locate-version.rpm; for Mandrake, installslocate-version.rpm; for Fedora, install slocate-version.rpm.TechniqueSave Time By Locating files by name Finding files by their quali-fications and attributes Finding out whos hoggingthe disk space Executing simple com-mands with find andexec Building complex com-mands with find andxargs16_571737c12.qxd 7/2/04 8:50 PM Page 73Technique 12: Finding What You Need74 The database is incomplete because the nightlydatabase update excludes several directories(/tmp, /var/tmp, /usr/tmp, /afs, and /net) andremote file systems.If you dont have superuser privileges, or yoursearch requirements are more complex than the sim-ple filename matching that locate provides, youneed to use the find command, which is discussednext.Finding Files with findThe find command is one of the most complex anduseful commands that youll find in Linux. findsearches through a file system looking for files thatfit a pattern (which you define) and then performsan action on those files. The most frequently usedfind command searches for a file with a specificname, starting in the current directory:$ find . -name drinks.txt -print ./recipes/drinks.txtWhen you use the find command, you have to pro-vide three pieces of information: Location: Where to start searching. Typically,you specify . to start searching in the currentdirectory or / to start searching at the root ofyour file system tree. If you list multiple direc-tory names, find searches in all those directorytrees. Qualifications: Which files should be included inthe result. In the example, freddie is looking for afile named drinks.txt. See the next section fordetails on handy qualifiers. Actions: What you want find to do when itlocates a qualifying file. In the example, -printsimply echoes the relative pathname of the file.See Acting on What You Find, later in this chap-ter, for details on putting actions to good use.You can use locate to find data files, directories, orprograms. For example, if you cant remember wherethe ifconfig program is located, just type locateifconfig and press Enter. You instantly see a list ofall the files on your system whose names includeifconfig:$ locate ifconfig/usr/share/man/man8/ifconfig.8.gz/usr/share/man/de/man8/ifconfig.8.gz/usr/share/man/fr/man8/ifconfig.8.gz/usr/share/man/pt/man8/ifconfig.8.gz/sbin/ifconfigThats pretty close but not exactly what you werelooking for. Save some time by using a regularexpression (also known as a filename pattern) tonarrow down the results:$ locate -r /ifconfig$/sbin/ifconfigThe -r flag tells locate to expect a regular expres-sion. In this case, you want a list of all filenameswhere /ifconfig appears at the end of the name. ($ means end of name; see man -S 7 regex for acomplete list of valid regular expressions.)The locate command runs quickly because itsearches through a database rather than thecomplete file system. Its a great tool for sim-ple filename searches.Like anything thats simple and easy, the locatecommand has a few drawbacks: The database becomes outdated quickly if youadd, delete, or rename many files during the day.If you have superuser privileges, you can updatethe database yourself. Use the same commandthat the nightly update job executes:/etc/cron.daily/slocate.cron.16_571737c12.qxd 7/2/04 8:50 PM Page 74Qualifying Your Search with the find Command 75Qualifying Your Search with the find Commandfind gives you a wide variety of qualifiers, and thissection delves into the more timesaving ones. Fordetails on using qualifiers with find, see the preced-ing section.Doing updated filename searchesTwo of the most frequently used qualifiers are -nameand -iname, both of which must be followed by a filename pattern: -name tells find to operate on any files thatmatch the given pattern. -iname does the same except that it ignores casedifferences.You can use the normal shell wildcards with -nameand -iname. For example, -name *.c matches anyfilenames that end with .c. If you include wildcards,you must surround the filename pattern with quotesto prevent the shell from expanding them beforefind gets a chance to see it.The -name and -iname qualifiers make findvery similar to the locate command. locatesearches through a database of filenames,whereas find searches through the file sys-tem. find gives you more up-to-date resultsbut takes much longer to perform a thoroughsearch.Adding time-based qualificationsYou can also search for files based on time of lastaccess, content-modification time, or attribute-modification time. The content-modification time ofa file is updated whenever you write to that file. Theattribute-modification time of a file is updated when-ever you make a change to the files attributes (bychanging ownership or permissions, for example).Table 12-1 lists qualifications that select files basedon their timestamps.TABLE 12-1: QUALIFICATIONS THAT SEARCH FOR TIMESTAMPSQualification What It Finds-atime n True if the file was last accessed n days ago-amin n True if the file was last accessed n minutesago-ctime n True if the files attributes were last changedn days ago-cmin n True if the files attributes were last changedn minutes ago-mtime n True if the files contents were last changedn days ago-mmin n True if the files contents were last changedn minutes agoTo find files in your home directory (and all subdi-rectories) that were last changed a week ago, usethis command:$ find ~ -mtime 7 -printIf you run this command, you may be surprised bythe results. -mtime 7 does not show you all the filesmodified in the previous seven days; it shows thefiles modified exactly seven days ago. To locate filesmodified in the previous seven days (yesterday, orthe day before, or the day before that, . . .), specify -mtime -7 (note the minus sign in front of the 7), asfollows:$ find ~ -mtime -7 -printYou can read that command as find files where thedate of last modification is less than seven daysago. Now suppose you change the command to this:$ find ~ -mtime +7 -print16_571737c12.qxd 7/2/04 8:50 PM Page 75Technique 12: Finding What You Need76TABLE 12-2: EXAMPLES USING THE -SIZE QUALIFIERCommand Result-size 2048c Files exactly 2048 bytes long-size +2048c Files 2049 bytes or larger-size -2048c Files smaller than 2048 bytes-size 2k Files between 1024 and 2048 bytes long-size +2k Files larger than 2048 bytes-size -2k Files smaller than 1025 bytes -size +1k Files larger than 1024 bytes and smaller -size -3k than 2049 bytesThe rounding that find performs can be confusing,so weve written a short shell function that trans-lates a value like 2M (megabytes) or 3G (gigabytes)into the equivalent number of bytes. Listing 12-1shows the unit function. LISTING 12-1: THE UNIT FUNCTIONfunction unit (){# Extract the last character from# the first (and only) parameter.# # Given a value like 5M, the suffix # is the character Msuffix=${1: -1: 1}# Remove the suffix from the argument# and we should be left with number # units (5 if we were given 5M)count=${1%%$suffix}case $suffix inK|k) echo $(expr $count \* 1024)c;;M|m) echo $(expr $count \*1048576)c;;G|g) echo $(expr $count \*1073741824)c;;*) echo $1cesac;} You see a list of files whose dates of last modifica-tion are greater than seven days ago. You can findfiles modified within a range of dates by using boththe + and - signs. For example, to find all files modi-fied four or five days ago, use this command:$ find ~ find . -mtime +3 -mtime -6 -printRead this command as modified more than threedays ago but less than six days ago. You can use the -atime qualifier to find unused (or atleast not recently used) user files on your system:$ find / -atime +90 -printFiltering by file sizeThe find command also lets you filter files based ontheir size. The -size n qualifier selects any fileswhose size is n. The + and - tricks that you can use for time qualifica-tions work with -size qualifications, too: -size +nselects all files larger than n, and -size -n selects allfiles smaller than n. When you use -size n, you canspecify n in terms of bytes, kilobytes, or 512-byteblocks: To specify a byte count, follow -size n with a c. To specify a number of kilobytes (1024 bytes),follow -size n with the letter k. The default unit is 512-byte blocks, but you canmake your intention explicit with a suffix of b. As find examines each file, it rounds the files sizeup to the nearest unit (kilobyte or block) and thenapplies the qualifier. For example, -size 2k selectsfiles between 1025 and 2048 bytes long.Table 12-2 shows a few examples using the -sizequalifier.16_571737c12.qxd 7/2/04 8:50 PM Page 76Qualifying Your Search with the find Command 77Use the unit function to make find behave a bit morepredictably. For example, the following command$ find ~ -size +$(unit 2M) -printtranslates into$ find ~ -size +2097152c -printPress Esc-E to view the translated command linebefore you press Enter. (Notice that unit includedthe c suffix, which forces find to turn off its funkyrounding trick.) The unit function translates kilo-bytes (K or k), megabytes (M or m), and gigabytes (G or g). Joining qualifications with AND and OR operatorsBy joining qualifications, you can get more mileageout of the find command.To quickly find large files that havent beenused in a while, combine -size and -atime. For example, use the following command to searchfor files 5 megabytes or larger that havent beenused in the last 30 days:$ find ~ -size +$(unit 5M) -atime +30 -printBy default, find joins multiple qualifiers togetherwith the AND operator. Given two qualifiers -size +$(unit 5M) and -atime +30 a file qualifiesonly if it meets both criteria. You can also join qualifiers with the OR operator. Tofind all files that are either empty or havent beenused in a while (or both), stick an -or between thequalifiers, like this:$ find ~ -size 0 -or -atime +30 -printWith the -or operator, a file must meet either(or both) of the qualifiers to be selected. You canalso use -not to reverse a qualifier (for example, -not -size 0) and -and to explicitly and qualifierstogether. Use quoted parentheses to build complexexpressions. For example, the following commandfinds large files (larger than 5M) that have not beenaccessed in the previous 30 days and adds emptyfiles to the list as well:find / ( -size +$(unit 5M) -and -atime+30 ) -or -empty -lsThe -empty qualifier is a synonym for -size 0. Perusing commonly used qualificationsTable 12-3 shows the most commonly used qualifiers.TABLE 12-3: COMMONLY USED QUALIFIERSQualifier Result-name pattern Select files that match the given filename pattern.-iname pattern Select files that match the given filename pattern, ignoring differences in letter case.-regex expression Select files that match the given pathname regular expression (similar to -name except that -regex matches the entire path where -name matches only the filename).-iregex expression Select files that match the given pathname regular expression, ignoring differences in letter case(similar to -iname except that -iregex matches the entire path where -name matches only thefilename).-atime [+|-]n Select files that have been accessed (-atime), attribute-changed (-ctime), or content-changed -ctime [+|-]n (-mtime) n days ago. If n is preceded by a +, select files last accessed more than n days ago. If n-mtime [+|-]n is preceded by a -, select files last accessed within that previous n days.(continued)16_571737c12.qxd 7/2/04 8:50 PM Page 77Technique 12: Finding What You Need78$ find ~ -size +$(unit 5M) -ls35525 8204 -rw-rw-r-- 1 freddie freddie8388608 Dec 20 09:52 /home/freddie/bigdatafile44201 6156 -rw-rw-r-- 1 freddie freddie6291457 Dec 20 09:52/home/freddie/tmp/deleteme-ls gives you far more details than are provided by -print. -ls displays the following columns (from leftto right): The files inode number (a number that uniquelyidentifies each file within its file system) The number of 1K blocks consumed by the file The files type and permissions The number of hard links to the file The files owner The files size (in bytes)Acting on What You FindAs we mention earlier in Finding Files with find,actions tell find what to do when it finds a qualifyingfile. The -print command that youve been tackingon the end of each find command displays the nameof each qualifying file, but find can do a whole lotmore than that. The following sections give you thetimesaving highlights.Cracking open a files info with -lsYou can use the -ls action to see more details abouteach selected file:$ find ~ -size +$(unit 5M) -print/home/freddie/bigdatafile/home/freddie/tmp/deletemeTABLE 12-3 (continued)Qualifier Result-amin [+|-]n Same as above except that n specifies minutes instead of days.-cmin [+|-]n-mmin [+|-]n-daytime Measure -atime, -ctime, -mtime, -amin, -cmin, and -mmin from the beginning of the current dayrather than exactly 24 hours ago.-size [+|-] n Select files n bytes long. If n is preceded by a +, select files larger than n. If n is preceded by a -,select files smaller than n.-empty Select empty files and directories.-type filetype Select files of the given filetype. filetype may be b to select block devices, c to select charac-ter devices, d to select directories, p to select named pipes, f to select regular files, l to selectsymbolic links, or s to select sockets. -user username Select files owned by the given username or groupname.-group groupname-nouser Select orphan files (that is, files owned by users or groups that no longer exist on your system).-ngroup-perm [+|-] Select files based on their permissions. The most useful values for permissions are permissions -perm +ug+s; this matches any files that are setuid or setgid and could be used toimpersonate other users (see Technique 57 for more information).-xdev Select files only on the given file system. Use this option to avoid searching other disk drives andremote file systems.16_571737c12.qxd 7/2/04 8:50 PM Page 78Acting on What You Find 79 The date and time of the most recent modification The files nameDisplaying specific info with -printfIn most cases, the -ls action gives you more infor-mation than you really need. You can use the -printf action to view only those nuggets of knowl-edge that you want. To use -printf, you have tofollow the action with directives that specify theinformation you want to display. For example, takea look at the following command:find ~ -size +(unit 5M) -printf %p %s %uThis command displays the files complete pathname(%p), size in bytes (%s), and owner (%u), like this:$ find ~ -size +$(unit 5M) -printf %p %s %u/home/freddie/bigdatafile 8388608 freddie/home/freddie/tmp/deleteme 6291457 freddie-printf offers a wide variety of directives (see manfind for a complete list), but we show you only a fewof the more useful ones in Table 12-4.TABLE 12-4: COMMON PRINTF DIRECTIVESDirective Meaning-%p Complete pathname of the selected file-%f Same as %p with the leading directory namesstripped off%h Same as %p with the filename stripped off the end%u Name of the user who owns the selected file%U Numeric user ID of the user who owns theselected file%s Size of file (in bytes)Checking disk usage by userThe -printf action is extremely useful when youwant to feed the results from a find command intoanother program. With -printf, you can customizethe output from a find command to fit the needs ofthe program that youre running. Listing 12-2 showsa shell script that summarizes disk usage by user.LISTING 12-2: DISK USAGE#!/bin/bash# Filename: diskusage# Create three arrays, each indexed bynumeric user ID# $sizes[] will accumulate the diskspace consumed by each user# $uids[] will store the numericuser ID for each user# $users[] will store the user namefor each user# The caller will send us lines of theform# numeric-user-id filesize usernamewhile read uid filesize userdo# Find the current amount of spaceused by this $uidsize=${sizes[$uid]:-0}# Add the space consumed by thisfile and store it back# in $sized[$uid]let sizes[$uid]=$filesize+$size# Store the numeric user ID anduser name toouids[$uid]=$uidusers[$uid]=$userdone# Weve now accumulated all of the diskspace usage # for the caller, display the resultsfor uid in ${uids[*]}doprintf %15d\t%s\n ${sizes[$uid]}${users[$uid]}done16_571737c12.qxd 7/2/04 8:50 PM Page 79Technique 12: Finding What You Need80When diskusage displays a numeric user IDinstead of a user name, the user account hasprobably been deleted. This is a quick andeasy way to find abandoned files and recycledisk space.Executing commands with findIts time to switch gears and look at a very power-ful (and occasionally dangerous) feature of find: the -exec action.Youve seen that the -print, -ls, and -printfactions display information about selected files. The-exec action executes a program of your choosingwith the files that find has selected. Suppose thatyoure a system administrator and one of yourcoworkers has recently left the company. Your taskis to find all the files owned by that user (call himted) and give them to user franklin. The -user qual-ifier will locate the files that youre interested in, and-exec will execute a command (in this case, chown)on each of those files:$ find / -user ted -exec chown franklin{} ;This command may look a bit cryptic to you (it surelooks cryptic to us). find executes the -exec actiononce for each selected file. When find executesthe command, it replaces {} with the name of theselected file. You must include a quoted semicolonat the end of the command (;). You can probablyimagine all sorts of uses for the -exec action removing old files, moving certain files to otherlocations, fixing permissions, and so on.Never, never, never use the -exec action with-out first viewing the list of qualified files with -ls or -print. Never. Make sure that youknow exactly which files will be acted upon.To avoid running find twice (once to see which filesare selected and again to execute the required com-mands), use the -ok action instead of -exec. WhenTo use the diskusage script, follow these steps:1. Open your favorite editor and type in the textshown in Listing 12-2. 2. Save your script to a file named diskusage in adirectory thats included in your search path. /usr/local/bin is usually a good place.3. Use chmod to make the file executable:chmod a+x /usr/local/bin/diskusage To use diskusage, use the find command to locatethe files that youre interested in and use -printf tocreate the output required by diskusage:$ find /home -type f -printf %U %s %u\n| diskusage211128211 franklin602579 10014525391478 root8756011463 freddieWhenever find locates a qualifying file, it feeds theowner ID, file size, and owner name to diskusage.diskusage adds up the disk space consumed by eachuser and prints the results when find stops feedingit. The nice thing about this combination is that youcan select files so many ways with find, and no mat-ter which qualifiers you choose, diskusage happilysums things up for you. For example, you can changethe previous command to see disk space, by user,that hasnt been accessed within the last 30 days:$ find /home -type f -atime +30 -printf%U %s %u\n | diskusage128211 franklin602579 10014000324962 root22315532 freddieIf you compare these results with the previousresults, youll see that although freddie is a disk hog,hes at least using the data that hes storing. User1001, on the other hand, hasnt even logged in dur-ing the last month. 16_571737c12.qxd 7/2/04 8:50 PM Page 80Building Complex Commands with xargs 81you use -ok, find asks if you want to execute eachcommand. If you answer y (or Y, or yes, or Yes, . . .),find executes the command. If you answer anythingelse, find moves on to the next file.When you select a large number of files, executingthe -exec (or -ok) action on each file, one at a time,can be painfully slow. Many Linux commands canprocess multiple files in a single pass, and you canuse find to produce the argument list for those commands.Building Complex Commandswith xargsThe xargs command builds long command lines foryou. xargs reads filenames from the output ofanother command (like find) and builds commandsby using those filenames. For example, look at thefollowing command:$ echo /tmp/icons.tar | xargs tar -tvf xargs reads the filename from the echo commandand constructs the new command:$ tar -tvf /tmp/icons.tarxargs isnt particularly useful when you need toprocess a single filename, but find usually producesa whole mess of filenames. To use find and xargstogether, craft a find command that locates the filesthat youre interested in and use the action -print0to echo the selected filenames. Pipe the output ofthe find command to xargs like this:$ find /home -user ted -print0 | xargs -0-e grep -n secret passwordWhen you execute this command, find lists thenames of all files owned by user ted and feeds thatlist to xargs, and xargs then constructs (and exe-cutes) a grep command for you. xargs tries to groupmany files into a single command. If you find thethree files /home/ted/secrets, /home/ted/mail, and/home/ted/work, for example, xargs executes thecommand: grep secret password /home/ted/secrets/home/ted/mail /home/ted/work rather than three separate commands. 16_571737c12.qxd 7/2/04 8:50 PM Page 8113Save Time By Creating and extractingarchives with File Roller Sending compressede-mail attachments Using tar at the com-mand line with find andrpm to build complexarchives Uprooting entire directorytrees with scp Splitting large files foreasy uploadingTechniqueMoving Made Easywith ArchivesArchiving data makes it easy to move multiple files with the sameeffort that it takes to move a single file. An archive is a file thatcontains other files. You can build an archive out of just about any-thing: text files, programs, pictures, audio files, and even other archives.Archives are easy to build, and you can compress an archive to helpspeed up data transfers. For example, a tarball is nothing more than anarchive built with the tar command.Using good tools to create archives saves time. In this technique, weintroduce you to File Roller, a handy feature thats included with GNOME.With File Roller, you can not only create an archive, but also inspect anarchives contents before unpacking it. You can save time by choosingjust the portions of archives that you need to unpack. The tar command creates archives at the command line and works wellwith the RPM query commands and the find command. We show youhow to use tar in powerful combinations to build complex, customarchives.The split command can split large files or archives into bite-sized piecesfor transferring. If a connection drops midtransfer, you can resend onlythe portion of the file that didnt make it. We also show you how to usechecksums to make sure that your entire file got to its destination. Every day is moving day on a computer, and doing a good job packingmakes moving easier. Good labels on neat packages make it easier to findthings when you need to unpack them again. In this technique, we showyou tools and tricks that make moving easier.Creating Archives with File RollerYou can e-mail multiple files just as easily as a single file when you bun-dle the files together in an archive. Creating compressed archives fore-mail attachments saves time and bandwidth for both the sender andthe receiver.17_571737c13.qxd 7/2/04 8:51 PM Page 82Creating Archives with File Roller 83If youre running the GNOME desktop, FileRoller is probably installed automatically. Ifyou need to add File Roller, youll find it (inmost Linux distributions) in an RPM pack-age called file-roller-version.rpm. SeeTechnique 17 for help installing RPM packages.GNOMEs File Roller is the easy way to browse andchoose the files to include in an archive. To make atarball using File Roller, follow these steps:1. Open the Main Menu and choose RunCommand.The Run Command dialog, shown in Figure 13-1,opens. Figure 13-1: The Run Command dialog.KDE and GNOME auto-launch File Roller ifyouve configured your MIME database. (SeeTechnique 3 for more information on MIME.)2. Enter file-roller in the Command field andclick Run.The File Roller window opens ready to build atarball (see Figure 13-2).3. Click New on the toolbar to open the NewArchive file chooser (see Figure 13-3).4. In the Archive Type drop-down list, select thetype you want to create. In this case, choose the Tar Compressed withgzip option.5. Enter your tarball name in the Selection fieldand click OK.Now its time to add files to your archive.6. Click Add (on the toolbar) to open the filechooser window. Use the file chooser to browsedirectories for the files that you want toinclude and then add them to the tarball. Double-click a selection to add it to the archive.To add additional files to an archive, click Add onthe toolbar, and double-click the next file to beincluded. Figure 13-2: The File Roller window. Figure 13-3: The New Archive file chooser.17_571737c13.qxd 7/2/04 8:51 PM Page 83Technique 13: Moving Made Easy with Archives84After you open an archive, you can extract a file(or files) from it by following these steps:1. Highlight the file(s) in the list and click Extract. The Extract dialog opens, as shown in Figure 13-4. Figure 13-4: The Extract dialog.2. In the Destination Folder field, type the nameof the folder where you want to save theextracted files, or from the Bookmarks list,choose a bookmark to use for the destination. Add often-used directories such as ~/tmp to the Bookmarks list. Later, when you needone of these directories, just double-click thedirectory to select it as the destination folder.3. If you highlighted more than one file beforeyou clicked Extract in Step 1, choose from thefollowing options in the Files area: All Files: Unpack the entire archive. Selected Files: Extract the files highlighted onthe previous screen (hold down Shift to selectmultiple files). Files: Specify files by name, or groups byusing wildcards (such as *.png or *.txt).You can include a tarball in an archive, but itwont get any smaller. One serving of com-pression per file, please. 7. When youre finished adding files to thearchive, close the File Roller window. The archive is waiting for you in the directoryyou created it in, which is usually your homedirectory. Just attach the archive to your e-mailand send it off.Use File Roller to create archives to send viaSSH or FTP. Multiple files are easier to managewhen theyre bundled, and compressing thedata makes it travel faster. Inspecting and ExtractingArchives with File RollerFile Roller makes it easy to inspect and extract filesfrom archives. With just a few quick clicks, you cansee the contents of the files included in an archive orextract the portion of the archive you need.The File Roller is especially handy if you sharedata via e-mail. Use File Roller to check outthe archives contents before you take thetime to unpack it.To open an archive with File Roller, follow these steps:1. Open the Main Menu and choose RunCommand.2. Enter file-roller in the Command field andclick Run.3. Click Open on the toolbar to open the filechooser.4. Use the file chooser to locate the archive youwant to open. Highlight the archive name andclick OK.The contents of the archive appear in the FileRoller window.17_571737c13.qxd 7/2/04 8:51 PM Page 84Adding Functionality to tar with Complex Commands 854. Check the Re-create Folders box to restore thefolder structure. Weve never encountered a case where we didnt want to re-create folders. If you dontselect the Re-create Folders check box, all the subdirectories and their contents end up in your current directory. Cleaning up theunpacked pile of structureless files wastes time.5. Check the Overwrite Existing Files box toreplace any file with a duplicate name in yourfolder.6. Check the Do Not Extract Older Files box topreserve the most recent copy of the file. If the copy on your computer is more currentthan the archived copy, the older file is notextracted. This option works only if theOverwrite Existing Files option is checked.7. Check the View Destination Folder AfterExtraction box to open a file manager windowwith your newly unpacked archive.8. When youre ready, click OK to unpack thefile(s).If the destination folder doesnt already exist,File Roller asks if you want to create it.Inspect suspicious-looking files that areincluded in a tarball before unpacking it. To doso, right-click the filename and choose ViewFile from the drop-down menu to display thefiles contents. If the file looks questionable,dont open it!Adding Functionality to tar with Complex CommandsThe File Roller enables you to quickly and easilybuild or unpack archives, but sometimes using thecommand line with the tar command is the way togo. The following sections explain how combiningthe tar command with other functions can give youextra power when you need it. Building archives from the command lineYou can build simple archives (containing one file ormany) with the tar command. Here is a basic tarcommand to create a gzip-compressed archive:$ tar -zcvf archivename filestoarchiveIf you want to archive multiple files, just list them atthe end of the command line (separate the nameswith a space character).Compressing an archive increases the time ittakes to create the archive. If you dont needto transfer the file over the Web or if the datais already compressed (such as RPMs), skip the-z or -j options when you create the archive. tar has a lot of powerful options, the most useful ofwhich are listed in Table 13-1.TABLE 13-1: USEFUL TAR OPTIONSOption What It Does-z Compress to (or uncompress from) gzip form.-j Compress to (or uncompress from) bzip2 form.-c Create an archive.-x Extract from an archive.-t Display a list of the files in the archive.-v Verbose tell me what youre doing.-f file Write to (or read from) the archive file.Enter man tar at the command line for a completelisting of tar options and flags.The GNU man pages are handy, but they canbe a bit overwhelming at times. Take a deepbreath and remember that you can close thepage at any time by entering q.17_571737c13.qxd 7/2/04 8:51 PM Page 85Technique 13: Moving Made Easy with Archives86 If you carry your work to and from the office on alaptop, use the scp to copy files from your laptopto your home computer (and back again). You can also use the scp -r command to quicklymove a user from one machine to another. If youre upgrading to a new system, scp -r is aneasy way to quickly transfer your work with nodisruptions. scp was designed to copy files from one com-puter to another. You can also use scp to copya file from one place to another within yourcomputer, just like you would use cp. We findscp to be much more intuitive when it comesto copying directory trees.To move a directory tree with scp, open your termi-nal window and enter this command:$ scp -r user@host:source user@host:destinationThats all there is to it. The -r flag tells scp to copysource and everything underneath it.Table 13-2 highlights two options worthy of mention.TABLE 13-2: WORTHWHILE SCP OPTIONSOption What It Does-C Compresses the data stream for faster transfers.-l limit Throttles file transfers to no more thanlimitK bits per second. (Use this option ifyoure sharing a network connection and youdont want to hog all the bandwidth).Getting familiar with scp (and its secure shellcousin, ssh) is definitely worth the time. scp isa fast, secure, and easy way to move files andarchives from one location to another. scp andssh share many command-line optionsbecause scp is built from ssh. For more infor-mation about ssh, see Technique 33. Archiving complex search resultsUse the pipe character ( | ) to combine programslike find and rpm with the tar command to createarchives that contain the results of complexsearches.Using tar with find can seem complex, but it is veryuseful. One example of a combined command is asfollows:$ find / -user freddie | tar -zcvf fredfiles -T -This command finds all the files owned by the userFreddie and sends the output (the list of filenames)to the tar command. The -T - portion of the com-mand instructs tar to read the list of filenames fromits standard input (which, in this case, is the outputof the find command) rather than from the com-mand line.For more in-depth information about using the findcommand, see Technique 12.Backing up an installed packageUse tar with rpm to create a backup of an installedpackage. To back up an installed copy of the webminpackage, use this command:$ rpm -ql webmin | tar -cvf webminbackup -T -For more information about using rpm queries,see Technique 16. Uprooting Entire DirectoryTrees with scpSometimes, you need to move more than a single file you need to move an entire directory tree (a directory and all the files and subdirectoriesunderneath it). When thats the case, use scp to getthe job done quickly and easily. For example:17_571737c13.qxd 7/2/04 8:51 PM Page 86Splitting Big Files into Manageable Chunks 87Splitting Big Files intoManageable ChunksWhile youre working across the Web or across a net-work, the inevitable happens: You lose the networkconnection mid-upload. You have to go all the wayback to the beginning and start the transfer over.ISPs are known to place limits on the size of incom-ing files. E-mails with oversized attachments arereturned undelivered and unseen by the recipients.How can you get around that?To transfer a large file to a user with limited access(or over a questionable connection), use the splitcommand. split doesnt actually speed up the trans-fer, but it does speed up the recovery if a connectiondrops.split breaks a file (any file archives, pictures,data . . . you name it) into segments that you canreassemble on the other end.To reassemble the split file accurately, all thepieces must be included. split cant tell iftheyre all there or not it just re-assembleswhat it has. If great-aunt Gertrudes nose looksa bit off, you may have lost a segment.Use the following command to break a file into 1-megabyte segments for transfer:$ split --bytes=1m filetosplit segmentprefixsplit appends the segmentprefix with a unique suf-fix. When its finished, you still have the original file,but you also have a set of 1 megabyte segments. Ifyou started with a 2.5 megabyte file, you end up withthree segments: The first two contain 1 megabyteeach, and the third file contains the leftovers.Its a good idea to calculate an MD5 checksum on the original file to compare it to the reassembledresult. Save the number generated by the followingcommand youll need it later:$ md5sum filetosplitmd5 stands for message digest #5. Its a cryp-tographic program thats good at detectingdifferences between files. Its kind of like a fin-gerprint for a file.Send the checksum with the attachments orsave them to compare to the checksum of thereassembled file. If the checksums match, youcan be sure that the entire file was receivedand reassembled.Its easy to move all the segments securely with onescp command:$ scp segmentprefix.* user@host:directoryTo rebuild the file after the upload, use sshto log in to the remote machine, and use cdto move to the directory containing the segments.To reassemble the segments, enter this command:$ cat segmentprefix.* > filenamecat rebuilds the file into its original structure.After the file is rebuilt, run a new MD5 checksum andcompare it to the fingerprint of the original file. Thetwo fingerprints should be identical.$ md5sum originalfilenameIf youve sent the split file to a friend running Windows, the type command willconcatenate split files on Windows.17_571737c13.qxd 7/2/04 8:51 PM Page 8714Technique Downloading andUploading Files in a SnapThe Internet is pervasive. Few days go by when we arent research-ing something on the Web. When you use the Internet, youre con-stantly moving data. Using the right tools to upload and downloadfiles can make a huge difference in the time it takes you to get the jobdone.In this technique, we walk you through downloading and compiling asoftware tarball. You can find tarballs all over the Web, with great, time-saving software just waiting to be downloaded. The example we showyou is for another timesaver SuperKaramba that just happens to befun, too.When it comes to moving data around, dont overlook the command line.Using wget to create mirrors of Web sites you visit frequently is a greatway to save time you dont have to wait for page downloads, and youcan take the entire site with you when you travel. You can even schedulewget to perform mirror updates at night, when the network traffic is low.Now thats a timesaver.wget also has a few other tricks up its sleeve for downloading. It can playspider, cruising the Web sites in your bookmarks or links files checking tosee if all the links still work. wget doesnt give up on downloads if a con-nection drops. Its a persistent agent and will try again to complete adownload. We also show you how to use curl to manage file uploads. Unlike ftp,curl manages uploads with just one entry at the command line. You canschedule your uploads, just like your downloads, to happen without yourhelp.Building Software from Downloaded tarballsFree software packages are all over the Web. Many packages are availablein RPM format, but some of the really good stuff only comes wrapped upin a tarball that you have to compile yourself.Save Time By Building software fromdownloaded tarballs Mirroring Web sites withwget Verifying your bookmarkswith a wget spider Setting $http_proxy toincrease download speed Using curl for unmanneduploads 18_571737c14.qxd 7/2/04 8:52 PM Page 88Building Software from Downloaded tarballs 89No problem you can deal with tarballs. First, wegive you the basic steps and then we explain how touse those steps for SuperKaramba.Compiling a tarball: The basic stepsThe basic steps dont vary much for most softwareyou find on the Web:1. Download the tarball.2. Unpack the tarball (see Technique 13 for moreinformation).3. Use configure to determine the softwareneeds.4. Use the make command to run the compiler.5. Run make install to run the install script forthe package.If there are any variations in the procedure or anysoftware prerequisites, the download page shouldinclude instructions specific to the package. Downloading and compiling SuperKarambaSuperKaramba is a tool that builds custom desktopfeatures. In this section, we present the basic stepsfor downloading and compiling SuperKaramba as afun and useful example of how you apply the basicsteps to an actual program.With SuperKaramba, anyone (not just the propeller-heads) can create desktop acces-sories fast. Use SuperKaramba to display infor-mation youve read over the Internet, createcustom toolbars, or create virtual pets (Chia-Penguins perhaps?). You can download somepretty cool, ready-to-run SuperKarambaresources, too!If youre running SuSE, youre in luck SuperKaramba is already included with theKDE desktop in a standard installation. Ifyoure running SuSE, just open the mainmenu and choose SystemDesktop Appletkaramba. If youre running Mandrake, youll findSuperKaramba is included with the standarddistribution, but you need to install it. Youmay want to download and compile your ownversion anyway, to check out the most recentfeatures as they develop. To build SuperKaramba, follow these steps:1. Open your browser and surf tonetdragon.sourceforge.net2. Click the Download SuperKaramba link at thebottom of the page.3. Scroll down to the Official Releases and clickthe link for SuperKaramba source code.Why use a tarball when an RPM package isavailable? Well, if the RPM package that youfind isnt from an official source, the integrityof the software may be questionable.Although it is possible for someone to intro-duce a Trojan horse into source code (just likea prebuilt version), it doesnt happen often.RPM packages are platform specific, and theplatform you need may not be available.4. Click the link for the most recent release:$ superkaramba-0.33.tar.gz5. The download page instructs you to choose amirror site near you. Click the link for the site nearest you and then save the file to yourdesktop. 6. Open a terminal window and move to yourDesktop directory:$ cd ~/Desktop7. Unpack the tarball with the following command:$ tar -zxvf superkaramba-0.33.tar.gz8. Move into the superkaramba-0.33 directory:$ cd superkaramba-0.3318_571737c14.qxd 7/2/04 8:52 PM Page 89Technique 14: Downloading and Uploading Files in a Snap909. Enter the following command:$ ./configure --prefix=$(kde-config -prefix)configure determines the correct set of toolsand compiler options to customize the softwarefor your computer. The --prefix=$(kde-config -prefix) por-tion of the command is unique to KDE. Useconfigure --help to get more configurationoptions for KDE and non-KDE programs.If configure complains about any problems, nowis the time to correct them. configure doesremarkably well at describing the cause of anyproblem it encounters. If you see an error mes-sage that just doesnt seem to make sense, typethe text of the message in to Google and yourelikely to find a solution waiting for you some-where out there on the Web.10. Enter this command:$ makemake runs the compiler for you. The compiler istranslating the source code into a program onebit at a time. The make program coordinates thebuild think of it as the job site foreman.11. Give yourself superuser privileges:$ suEnter the superuser password when prompted.12. Enter this command:# make installmake install runs the install script for the pack-age. Depending on the package youre installing,the install script includes activities like copyingdocumentation into place, setting up useraccounts, and so on.13. Turn in your superuser privileges with the exitcommand.After SuperKaramba is installed, you can use it todecorate your desktop. See the sidebar, Installing aSuperKaramba theme for details.Installing a SuperKaramba themeAfter you install SuperKaramba, we suggest grabbing atheme or two to see how easy this program makes chang-ing your desktop. SuperKaramba themes are different fromother desktop themes. Theyre active desktop decorations little accessories for your desktop that actually function.One desktop applet that we really like is Liquid Weather++.You could go to KDE-look.org and spend hours lookingthrough the pages of Karamba themes do that later. Tofind Liquid Weather++ quickly, go to www.google.com andsearch for Liquid Weather Karamba, and follow the link.To download and unpack Liquid Weather++, follow thesesteps: 1. Open your favorite browser and surf to thedownload site for Liquid Weather++. 2. Click the download link and save the tarball toyour desktop.Notice that this tarball is different; it ends with the.bz2 file extension. Different flavors of tarballs exist gzips and bzips. Gzips and bzips are basically thesame, but bzips generally offer better compressionand download speed. You can unzip either kindwith Linux.3. Open your terminal window and move to theDesktop directory.$ cd Desktop4. Create a themes directory with this command:$ mkdir themes5. Move to the themes directory:$ cd themes6. Unpack the tarball with this command:$ tar -jxvf ../tarball This extracts the tarball into the themes directory.To start SuperKaramba, open the Main Menu and chooseRun Command. Enter superkaramba in the Commandfield and click Run. The SuperKaramba window opens, asshown in the following figure.18_571737c14.qxd 7/2/04 8:52 PM Page 90Versatile Downloading with wget 91wget has a lot of options that combine to make it aversatile download tool. You can use it in the follow-ing ways: For recursive Web site downloads For updating Web site mirrors As a spider to verify links For executing scheduled downloads As a persistent agent to download large fileswget works quietly in the background with nofurther input from you. You can schedule wget(with Task Scheduler) to start downloads whennetwork use is at its lowest so that you dontinterfere with other users. For more informa-tion about scheduling tasks with TaskScheduler, check out Technique 20. Mirroring sites with wgetYou might wonder why anyone would mirror a Website. Many generous people who support the opensource movement help provide the world with extrainformation and closer, quicker downloads by set-ting up servers and creating sites that mirror anddistribute open source software and information. You can also use site mirrors for quicker access tosites that you use often. Not only do you havequicker access to the site, but you can also take itwith you anywhere you go even without a Webconnection.Download an entire Web site recursively with the following command:$ wget -r -k http://www.website.comThe -r in this command stands for recursive (mean-ing that wget copies the directory you name and allthe files and subdirectories underneath it) bydefault, wget copies five levels of subdirectories toyour local system. The -k (or --convert-links if youwant to type it out) redirects the links on those fivelevels to refer back to your local system. If you leaveTo run Liquid Weather, click Open on the SuperKarambamenu page. Browse to ~/Desktop/themes/liquid_weather_plus and choose liquid_weather.themefrom the files listed. Double-click the icon to open aweather report on your desktop (see the following figure).To customize Liquid Weather, right-click on the weatherscreen and choose Configure ThemeEnter Your LocationsCode. Enter your zip code (or weather code if youre inBritain) and choose OK, and the weather forecast isupdated to your region.Versatile Downloading with wgetwget uses the HTTP, HTTPS, and FTP protocols fromthe command line to retrieve files or Web sites. wgetis handy if you have a slow or undependable Internetconnection. If a connection drops partway through adownload, wget keeps trying. If the server allows it,wget will continue the download where it left off.18_571737c14.qxd 7/2/04 8:52 PM Page 91Technique 14: Downloading and Uploading Files in a Snap92If the download is interrupted, resume the downloadwith this command:$ wget -c ftp://www.sitename.com/filenameThe -c option instructs wget to resume the down-load where it left off.Downloading and unpacking in one quick stepYou can redirect the output of a wget download to atar command to download and unpack in one easystep:$ wget -O - http://tarball | tar -zxvf - The -O option redirects the output to the tar com-mand. tar then unpacks it to a subdirectory in yourcurrent directory.wgets optional flagsDozens of flags work with wget weve noted a fewin Table 14-1. For a complete list, type man wget atthe command line.TABLE 14-1: HANDY WGET OPTIONSOption What It Does-b Goes to background after starting.-q Turns off the output of wget.-v Displays long debugging messages.-nv Displays errors or basic info only.-t count Tries count times before giving up.-nc Doesnt overwrite files.One other option worthy of mention is --limit-rate=bandwidth. Use this flag to limitthe download speed so you dont steal all thebandwidth away from other users on your system.$ wget --limit-rate=20k out the -k option, the documents that you downloadwill still point back to the original Web site.If you find yourself setting up a site mirror, either forinternal use or for the world, youll want to keep itup-to-date. Schedule a job (with Task Scheduler) torun every night:$ wget -r --mirror -khttp://www.website.comThe --mirror option checks your copy of the siteagainst the version published on the Web, and down-loads only those files that have changed. Verifying your bookmarks with wgetIf youre anything like us, your bookmark collectionis, well, a mess. Bookmarks accumulate over timeand pages that you may have been interested in afew months (or years) ago might not be there anymore. Its a good idea to weed out obsolete links nowand then just to keep your bookmark collectionunder control. Use wget to check all the links onyour bookmarks or links page, with one easy com-mand. To make wget impersonate a spider and inves-tigate links, use this command:$ wget --spider --force-html -i bookmarks.htmlwget visits each link, and reports successful orunsuccessful connections for each entry in yourbookmarks page.Forget where you left your bookmarks? Usethe command locate -i bookmark to generate a list of all the files with the wordbookmark in their name.Downloading files with wgetTo use wget to download a file from an FTP server,enter the following command:$ wget ftp://www.sitename.com/filename18_571737c14.qxd 7/2/04 8:52 PM Page 92Downloading and Uploading with curl 93The preceding command limits the download rate to20 kilobytes per second a very generous gesture ifyoure sharing a network link.If you use a proxy server to connect to theInternet, wget can use it, too. wget uses the$http_proxy environment variable to findyour proxy server. Enter the command$ export http_proxy proxyaddress:portat the command line to set the environmentvariable. Add this environment variable toyour bash startup script to run the commandeach time you log in.Downloading and Uploadingwith curlcurl (a client for URL) works with the HTTP and FTPprotocols to download or upload files. curl is aneasy way to upload files when youre maintaining aWeb site, or to keep files synchronized with the workof remote employees. curl is a powerful download tool, too. Formore information about the features of curl,type man curl at the command line. When you upload with ftp, you have to drive theentire process. You have to enter passwords, type inthe put commands one at a time, and disconnectwhen youre finished. Unlike ftp, curl can do its job without additional user input. You can alsoschedule curl to do large uploads when the networkis quietest youll get the best throughput and provide the least aggravation to other users.To upload a file with curl, enter this command:$ curl -T uploadfileftp://ftp.sitename.com/filenameReplace uploadfile with your local filename andsubstitute the ftp sitename information into thecommand, and the file is on its way. Thats all thereis to it.Set up an ftp server where remote employeescan save their work. Schedule a nightly job onthe remote employees machines to keep up-to-date with their important files and theywont have to babysit the upload!If you create an ftp server to hold your employeesnightly updates, youll want that server to be secure.To use curl to upload a file to a secure site, use thefollowing command:$ curl -T uploadfile -u user:passwdftp://ftp.sitename.com/filenamecurl gives you the option to update single files, mul-tiple files, or entire systems with a single command.When you combine the powerful uploads that youcan get with curl with the scheduling features ofTask Scheduler, youll find lots of ways to save time! Visit the CURL Web site at curl.haxx.se fora complete overview of the curl project.The basics of URL syntax Have you ever wondered what that string of characters youtype into your Web browser is made of?A simple address like http://www.wiley.com tells thebrowser to use the http protocol to connect to a hostnamed wiley.com.A more complex address like http://www.wiley.com/newbooks.html tells your browser to open the newbooks.html resource at the host wiley.com.An ftp URL often contains a user name and password for the ftp server. The address ftp://freddie:FuNkY@bastille/mixers.html tells ftp that the user freddie,with a password of FuNkY, wants to log into bastille toaccess the resource mixers.html.18_571737c14.qxd 7/2/04 8:52 PM Page 9315Save Time By Creating a virtual workenvironment with UserMode Linux Using ADIOS to set up aFedora VM Using graphical inter-faces to your advantagein server management Making permanentchanges to your virtualmachineTechniqueBuilding a Playpenwith User ModeLinuxSometimes, you could really use a second computer someplacesafe and secure to hold a server or to try out some new software.Are you interested in trying the latest features in the Linux kernel,but youre stuck with version 2.4 for a while? User Mode Linux (UML) iswhat youre looking for.User Mode Linux is a virtual machine (VM) which is just like a regularcomputer, but its built entirely of software. The physical computer thatcontains the VM is called the host. The host and the virtual machine canshare resources such as files, disk drives, and network interfaces. With UML, you can even simulate hardware that you dont have. If youhave a single Linux computer, you can run two or three UML sessions tosimulate a local area network. You can try out new kernels while safe-guarding your real work on a familiar kernel. You can also use UML tocreate jails for hack-vulnerable programs (such as Apache or DNSservers). A jail is an environment that confines a dangerous program bylimiting access to important files and devices that the program doesntneed (and more importantly, shouldnt damage).In this technique, we show you how to install a UML system based on the Fedora Core distribution. This technique is one you can really buildon. After youve installed a virtual machine, you can jump ahead toTechnique 24 to find out how to build a new kernel and try it out in a safeenvironment before you install it, or you can skip ahead to Technique 58to create a UML jail. Choosing the ADIOS Version of User Mode LinuxYou can download, compile, and install UML by hand, but we know a muchquicker way thanks to the nice folks at the Queensland University ofTechnology in Brisbane, Australia. They have put together a packagenamed ADIOS that makes it easy to install UML, loaded with a Fedora19_571737c15.qxd 7/2/04 8:53 PM Page 94Setting Up ADIOS 95distribution, onto your Linux system. Download andinstall ADIOS, and youll have a complete Fedora Coreserver that you can use for tons of other things. Every Linux computer needs two major components:a kernel and a root file system. The same is true forUML you need a UML kernel and a root file sys-tem. The root file system contains the configurationfiles, data files, and programs that run inside the VM.A UML kernel is a full Linux kernel compiled to runon Linux rather than a real CPU. When the VM needsaccess to a piece of hardware, it asks the host to dothe dirty work. The ADIOS root file system is builtfrom Fedora Core (release 1, Yarrow at the time wewrite this). It includes a version 2.4 kernel and abasic set of Fedora RPM packages. ADIOS offerssome nice features that make it stand apart fromother UML packages: A minimal set of packages is already installed.Each ADIOS root file system comes with a mini-mal set of RPM packages (just enough to get upand running). That means that your VMs are assmall as is practical and are not bloated withsoftware that could introduce vulnerabilities. RPM is already up and running. You can use theRed Hat package manager to install new pack-ages into the virtual machine or to remove thingsyou dont need. Just start the VM, mount yourinstall media, and use the normal RPM com-mands to install new packages. ADIOS automatically configures network inter-faces. Each ADIOS VM comes with a virtualEthernet interface configured to talk to yourhosts TCP/IP network. That means that you can log into the VM from your host, transfer files, mount host drives, and even run a Webbrowser all from the safety of your VM. ADIOS can create an X desktop for you. Whenyou run startx within the VM, a new windowappears on your desktop. Inside that window,you see the VMs desktop. Root privileges are not required. After youveinstalled ADIOS, you can relinquish your super-user privileges. UML lets you create new VMswithout requiring superuser privileges, whichmakes your system less vulnerable to typo-related accidents. The Linux Intrusion Detection System isincluded. Two of the four ADIOS VMs includeLIDS (Linux Intrusion Detection System). LIDSprotects your VM in a number of ways, but mostimportantly, it takes away most of the privilegesfrom the superuser account. When youre run-ning under LIDS, a hacker who somehow gainssuperuser privileges cannot destroy your system.We tell you more about LIDS in Technique 58. SELinux is included. SELinux (security-enhancedLinux) is a hardened version of Linux developedby the U.S. National Security Agency. Like LIDS,SELinux closes vulnerabilities and limits thesuperusers power. SELinux is more difficult touse than LIDS.Setting Up ADIOSNow that weve convinced you to use ADIOS, youneed to set it up. To do so takes three steps: First,you download ADIOS, then you burn it to CD, andfinally, you install it. ADIOS makes it easy to installUML and the Fedora file system.Downloading ADIOSTo download ADIOS, open a Web browser and navi-gate to the address dc.qut.edu.au/adios/iso/uml/.Right-click uml-fedora1-1.00.iso and choose SaveLink Target As. Highlight your Desktop directory,click Open, and then click Save.The version specified in the name of the ISOfile is the operating system inside the VM.In other words, when you install this ISO discimage, youre installing Fedora Linux in theUML VM.The ADIOS package is 121 megabytes long, sowhen you download it, this would be a goodtime to get a cup of coffee, go to a meeting,19_571737c15.qxd 7/2/04 8:53 PM Page 95Technique 15: Building a Playpen with User Mode Linux962. Create a mount point for the loopback driver:# mkdir /mnt/loop3. Mount the disc image over the loopback mountpoint:# mount -o loop ~username/Desktop/uml-fedora-1.00.iso /mnt/loopThe content of the ADIOS disc image appears inthe /mnt/loop directory. (In other words, if youcd to /mnt/loop, you see the file system inside the uml-fedora-1.00.iso disc image.) If youve burnedADIOS onto a CD and mounted the CD, ADIOSappears in /mnt/cdrom. Installing ADIOSTo install ADIOS, follow these steps:1. Make sure you have complete superuser privi-leges by using the su- command:$ su -Password:#2. Move to the mount point (either /mnt/loop or/mnt/cdrom):# cd /mnt/loop3. Run the INSTALL program:# ./INSTALLThe installer program takes a few moments tocopy the root file system to your computer andthen asks you a few questions.4. ADIOS asks whether you want to install MozillaFirebird. Answer y here to run Firebird withinthe UML VMs.5. When prompted, type y to install the IceWMwindow manager.This is a lightweight desktop environment, whichtakes up a lot less room (and CPU) than GNOMEor KDE.and so on. A better idea might be to schedulethis download to happen at night when the net-work load is low see Technique 20 for help. Because this is such a big package to download, you should verify that the bits that you received are really the same bits that the server sent you (in other words, make sure that the file didnt getcorrupted in transit). When the download com-pletes, use your command line to compute the MD5checksum and compare it to the correspondingchecksum from the Web site. Type the followingcommand and then press Enter:$ md5sum ~/Desktop/uml-fedora1-1.00.iso(If you didnt save the download to your Desktopdirectory, substitute the correct pathname.) Thecommand line displays the checksum:bf8237afa555e99ec31b7e1aaff5856eIf your checksum matches the one on the Web site,your download succeeded. Its important to check your sum against theone on the Web site (instead of the one yousee in this book) in case the package has beenchanged.If the checksums dont match, delete your local copyand download the package again. Burning ADIOS to CDADIOS is distributed as an ISO disc image. If youhave a CD burner, copy the ISO image to your CD(see Technique 56 for details). If not, mount the discimage by using the Linux loopback device:1. Open a terminal window and use the su com-mand to give yourself superuser privileges:$ suPassword:19_571737c15.qxd 7/2/04 8:53 PM Page 96Finding Your Way around UML 976. When prompted, enter y to install Xnest onyour host. Xnest lets you view the VMs graphical desktopwithin a window on your desktop.7. If prompted, answer y to add iptables rules tomodify your network firewall so that you cantalk to the VM from your local network.If youre using KDE, the installer creates a new sub-menu (named User Mode Linux) on your KDE mainmenu. To start UML, open the KDE main menu andchoose User Mode LinuxLIDS Off. At installation, UML adds four options to yourmenu. LIDS and SELinux are hardening sys-tems that make your computer less vulnerableto attacks from nasty people. We tell youmore about UML jails in Technique 58 andmore about LIDS in Technique 61. For now,use UML LIDS Off it will behave just like astandard installation of Fedora.A console window appears, showing a typical Linuxboot sequence; thats your new virtual machine (see Figure 15-1). Figure 15-1: The UML login screen.When your UML VM has finished booting, login asuser root (the initial password is 12qwaszx). To shut down your virtual machine, enter haltat the command line.Finding Your Way around UMLWhen you first start up a VM, the host file system ismounted on /mnt/host. This means that the VM canaccess every file and directory on your host. Goahead take a look:[root@uml1/] ls /mnt/hostbin etc jail misc proc tmpboot home lib mnt root usrdev initrd lost+found opt sbin varHere are some more important things youll likelywant to do from the VM: Use the resources of the host computer: Prefacethe resource pathname with /mnt/host. Forexample, to access the CD drive, enter the follow-ing command:$ cd /mnt/host/mnt/cdromBefore you can use a host file system fromwithin the VM, you have to mount the file sys-tem from the host. For example, if you want touse the CD drive from within the VM, youmust mount /dev/cdrom in the host. Thenuse the /mnt/host prefix to access the periph-eral devices. Find the programs on your host: ADIOS has con-figured the $PATH environment variable to matchthe $PATH in your host (adjusting it to find com-mands first within the VM and then on the host).If $PATH is set to /bin:/usr/bin on the host,UML changes that to /mnt/host/bin:/mnt/host/usr/bin. This means that all the programsyou use on the host are available within the VM(although configuration files may not be in theright place).19_571737c15.qxd 7/2/04 8:53 PM Page 97Technique 15: Building a Playpen with User Mode Linux984. Save your work and close the editor.5. Execute the following command to restart yourfirewall with the new rules you just put inplace:# /sbin/service iptables restartIf youre using SuSE, check out Technique 34for information about enabling NAT withinyour firewall. Now you should be able to access the Internet(and your local network) from within the VM.Using a GUI with UMLIceWM is a minimal desktop environment it doesntcome with a ton of bells and whistles, but its alsonot a big resource hog. While youre configuring your VM, the GUIcan be a great help. But after youre up andrunning, youll probably use the command linefor most of your work. Having a GUI thats abit sparse really isnt a problem you wontbe here for that long.To run IceWM, open a virtual machine and enterstartx at the command line. A new window opens,displaying the IceWM window manager. Click the IceWM button in the upper-left corner toopen the drop-down menu. The other buttons on thetaskbar control your workspaces within IceWM,open an Xterm window, or start the Mozilla browser. Installing Software into UMLThe ADIOS distribution of UML comes with the RPMpackage manager installed and ready to use, makingsoftware installation quick and easy. In fact, you Get the IP address: Your new VM has a virtualEthernet adapter. You can find the IP addresswith the ifconfig command:# /sbin/ifconfig eth0 | grep inetinet addr: 192.168.201.1 Bcast:192.168.201.255 Mask: 255.255.255.0Typically, the first VM you create has an IPaddress of 192.168.201.1, the second VM has anIP address of 192.168.202.1, and so on. You canping the VM from your host or ping the hostfrom your VM. You can also ssh from one to theother.Connecting to the Internet from an ADIOS VMIf you want your VM to be able to access the rest ofthe Internet, you need to turn on NAT (NetworkAddress Translation). NAT enables you to share aphysical network interface among multiple comput-ers (in this case, one physical computer and a fewvirtual computers). Heres how to turn on NAT inFedora or Mandrake Linux:1. From the host computer (not from the VM),open your terminal window and give yourselfsuperuser privileges with the su command.2. Enter the following command:# kate /etc/sysconfig/iptablesThe Kate text editor opens, with the iptablesfile ready to edit. 3. Add the following code to the end of the file:*nat:POSTROUTING ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:PREROUTING ACCEPT [0:0]COMMIT19_571737c15.qxd 7/2/04 8:53 PM Page 98Merging Changes to Your Prototype 99dont have to copy an RPM package into the VMbefore you install it; just mount the host drive thatcontains the package and nab the file by using the/mnt/host prefix. As an example, we walk you through an installationof Webmin. Webmin is a handy tool for managingservers from within a Web browser. Webmin takescare of just about every system administration taskyou can think of, making it a great addtion to UML. Inthe next section, we show you how to install Webmininto the VM prototype so all your VMs have quickand easy access to Webmin.If you need to set up a server that makesresources available to the outside world (suchas a Web server or an e-mail server), build theserver inside a VM. If troublemakers do get in,you can limit their access to the rest of yoursystem. We show you how in Technique 58.To install Webmin in a UML Virtual Machine, followthese steps:1. On your host machine, open a Web browserand browse to www.webmin.com. Click the RPMdownload link in the upper-right corner.You jump to the download server page.You can surf from inside UML and downloaddirectly into your virtual machine, but itsfaster to download to your host machine andaccess the result via /mnt/host.2. Click the Download link for the location thatsclosest to you. When the Download Manageropens, click the Save button to save the file.3. From within the VM, cd to the directory thatcontains the RPM package that you just saved:$ cd /mnt/host/home/userDont forget to include /mnt/host in your pathbecause you saved the package on the host. 4. Unpack the RPM package with the followingcommand:$ rpm -Uhv webmin-1.121-1.noarch.rpmIf you downloaded a new version, substitute itsname in the command.5. Press Enter, and the whirring begins.Webmin creates a miniWeb server inside your VM.You can use Webmin from your host machine to setup the servers you install in the VM. Just open abrowser on your host machine and jump to192.168.201.1:10000Log in as root and enter your password, and you canquickly manage your virtual servers from the com-fort of your hosts browser!Merging Changes to Your PrototypeIf you run many VMs at the same time, each new VM starts out with its own copy of the originalADIOS root file system (we call that the prototypefile system because new VMs are created from thatfile system). This means that software you install inone VM wont show up in the other VMs.Occasionally, you may want to install a tool in everyvirtual machine on your host. To make a permanentchange to your prototype file system, change one ofthe VMs and then merge the changes back into whatthen becomes your new prototype UML virtualmachine. Merging changes can be a timesaver if youneed to set up multiple VMs with similarattributes (for example, you want to useWebmin to manage all your servers). Makeyour changes to one machine and committhose changes to the prototype. New VMs willreflect the changes.19_571737c15.qxd 7/2/04 8:53 PM Page 99Technique 15: Building a Playpen with User Mode Linux100To merge your changes back into the prototype filesystem, follow these steps:1. Open a copy of UML and make the changes youwant reflected in all your VMs.2. Shut down the VM by using the halt command.3. Open a terminal window and enter the follow-ing command:$ uml_moo -d /tmp/root_fs14. Press Enter.Thats it all the changes youve made to thevirtual machine are merged into the prototypeUML. Next time you start a new VM, yourchanges will be waiting for you.Your original root file system is never modifiedby changes you make to an open VM unlessyou merge the changes back into the proto-type. All your modifications are recorded in aseparate file. Peeking into the virtual file cabinetWhen you start a new UML VM, a few new files appear inthe /tmp/uml directory. If you casually browse through/tmp/uml, you may be alarmed to see some huge files. Ifyouve started a single VM, youll see a file named /tmp/uml/root_fs1. Thats the root file system for your VM.Use the ls -l command to see this file, and youll discoverits over 500 megabytes long! Start a second VM andanother 500 megabyte file appears for the second root file system. Dont worry, the apparent file size is very misleading.UML uses a brilliant strategy known as copy-on-write, orCOW. When you start a VM, UML mounts the originalroot file system (/opt/uml/root_fs) in read-only mode,but it also creates a second file (/tmp/uml/root_fs1).When your VM modifies a file within its root file system, thechanges are written to the /tmp/uml/root_fs1 file, not tothe original file. If you really mess up something in yourVM (or if an intruder has made his or her way into your VM), COW makes it easy to revert to a fresh copy ofLinux just remove the COW file (root_fs1) from/tmp/uml. The next time you start the VM, UML creates afresh new COW file for you.19_571737c15.qxd 7/2/04 8:53 PM Page 100Part IIIGood Housekeepingwith Linux20_571737p03.qxd 7/2/04 8:54 PM Page 10120_571737p03.qxd 7/2/04 8:54 PM Page 10216 Red-lining RPMQueriesRPM (the Red Hat Package Manager) is typically used to install soft-ware, but behind the scenes, RPM maintains a database of usefulinformation. Every RPM package includes a mini-database that con-tains basic information about the package itself. When you install an RPMpackage, the mini-database is added to the master database of installedpackages. The rpm command can peek inside the RPM databases to tellyou about software that youve already installed or packages that youmay want to try out.An RPM package typically contains a collection of programs, data files,and documentation. A package can also contain scripts that executewhen you install, remove, upgrade, or verify the package. Each packagealso contains a package digest that contains information about the pack-age itself. The digest can tell you a lot about the package: who built thepackage, when they built it, and what the package is supposed to do. Thedigest also lists prerequisites for the package (that is, you must installpackage A before you install package B).An RPM package also contains two components critical to ensuring thatyoure installing software from a trusted source. When an RPM package iscreated, the person creating the package signs the package with a digitalsignature. You can use the digital signature to determine whether thepackage has been modified since it was signed (a mismatched signaturetells you that the package has been tampered with). Every file installedby a package is fingerprinted at the time the package is created; you cancome back at a later date and verify the fingerprint of the installed ver-sion to make sure that the file has not been tampered with since installa-tion. We show you how to verify digital signatures and fingerprints inTechnique 18.In this technique, we show you how to use the rpm command to queryRPM databases in useful and interesting ways. We also show you how tosave time by creating a complete catalog of your installation media forhandy reference.TechniqueSave Time By Using rpm to locate files Creating a catalog of yourinstall media Finding package dependencies Querying remote pack-ages before bringingthem home21_571737c16.qxd 7/2/04 8:54 PM Page 103Technique 16: Red-lining RPM Queries104When you view a packages digest, rpm tells youwhich group the package belongs to, for example:$ rpm -qi kdebaseName : kdebaseVersion : 3.1.4Release : 2Install Date: Tue 28 Oct 2003 03:11:28Group : User Interface/DesktopsThe kdebase package is part of the group UserInterface/Desktops. You can use the group name toselect the packages that youre interested in. To findall the games installed on your system (or at leastthose games installed with RPM), use this command:$ rpm -qg Amusements/Gamestuxracer-0.61-23chromium-0.9.12-24To display a list of all the RPM group names onyour system, type in the following command: $ rpm -qa --qf %{GROUP}\n | sort -uIn addition to the queries shown in Table 16-1, hereare a few combinations that we find particularlyhandy:Querying RPM Packages for ContentIf youve ever used RPM from the command line,you know about the -i (install) and -U (upgrade)options, but you may not be familiar with RPMsquery features. When you run a query against anRPM database, you have to tell rpm which databaseyou want to view. If you want to peek inside a pack-age file (typically a file whose name ends in .rpm),include --package filename on the command line(or -p filename for short); otherwise, rpm will dis-play information from the master database of pack-ages that youve already installed.Table 16-1 shows some of the most useful rpm queryoptions. To use each of the commands, just open aterminal window and type in the command nospecial privileges are required.You can run each of the commands shown in Table 16-1 against multiple packages (or packagefiles) at once. Just list the names that youre inter-ested in at the end of the command like this:$ rpm -q kdebase gnome-desktopkdebase-3.1.4.2ghome-desktop-2.4.0-1TABLE 16-1: SOME HANDY RPM QUERY OPTIONSTo Do This Use This Query for Installed Packages Use This Query for RPM Package FilesDisplay the package version number rpm -q package-name rpm -qp filename.rpmDisplay the package digest rpm -qi package-name rpm -qpi filename.rpm(a summary of the package content)Display the prerequisites for the pm -qR package-name rpm -qpR filename.rpmpackage rDisplay the list of files installed rpm -ql package-name rpm -qpl filename.rpmby the packageDisplay only documentation files rpm -qd package-name rpm -qpd filename.rpminstalled by the packageDisplay only configuration files rpm -qc package-name rpm -qpc filename.rpminstalled by the package21_571737c16.qxd 7/2/04 8:54 PM Page 104Creating a Package Index 105 rpm -qf filenameThis query displays the name of the package thatowns the given file. Use this query when you runinto a file and you dont know where it camefrom. You have to include the complete path-name of the file that youre interested in, not justthe filename. rpm -qa --last | head -n 10This query displays the names (and install dates)of the ten most-recently-installed packages. rpm -qa | grep -i nameUse this query to locate an installed packagewhen you dont know the exact spelling of thepackage name. (The -i option tells grep to do acase-insensitive search.)Digesting InformationEvery RPM package includes a digest. Heres a run-down of the information included in a typical digest(not all packages include every item that we listhere): Package name: A package whose name includesdevel is meant for developers. A package whosename starts with lib doesnt do anything all byitself; it adds features to other packages. lib-packages are typically prerequisites for otherpackages. Version number RPM build date Author or vendors name Project Web site: The project Web site is a greatplace to look for more documentation, add-ons,and ways to commune with other users. Product license type Product description Name of the source RPM: Most packages arebuilt from a source RPM. The source RPM con-tains the source code for the package. RPM sizeSome open-source software packages are dis-tributed for noncommercial use only. Checkthe information digest to be sure that yourenot violating the license.Creating a Package IndexWhen you download a distribution from the Website, you typically download a set of disc images.The standard Fedora distribution takes four CDs(unless you want the source code, too in whichcase, it takes eight). The Fedora distribution con-tains lots of files . . . 300,682 according to our latestdistribution. What if you need to know which diskjust two or three of them are on?Fortunately, Linux makes that information readilyavailable and easy to store. With just a few easysteps, you can create a complete catalog that con-tains a list of the CD contents. After you make theindex, you can open it with a text editor (like Kate)and search for what you need.Creating (and saving) a package index willsave you time whenever you need to install anew package: You wont have to searchthrough all the CDs for the one you need.To create a package index for the Fedora distribu-tion, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges:$ suPassword:$ 2. Insert and mount the first install disc:# mount /dev/cdrom /mnt/cdrom21_571737c16.qxd 7/2/04 8:54 PM Page 105Technique 16: Red-lining RPM Queries106Querying for PrerequisitesBefore installing an RPM package, its handy to knowwhat other packages youll need to install at thesame time. The prerequisites can vary from needinga specific version of the Linux kernel, to needingsome pretty exotic libraries.To save yourself time and grief, query yourRPM package for its dependencies before youinstall it. If you need a library file that hasntbeen seen in recent history, or 20 or 30 otherobscure files, it might be quicker to find apiece of software thats not so needy.To query an RPM package for its dependencies, usethe following command:$ rpm -qpR name.rpmRun the command on Webmin, and the result lookssomething like this:$ rpm -qpR webmin-1.121-1.noarch.rpm/bin/sh/usr/bin/perlYou can see that Webmin needs a bash shell and perl to install and run properly. These are easyrequirements you can find these two commonpackages on most distribution discs!Dont Put That in Your Drive;You Dont Know Where Thats Been!Everywhere on the Web you see them . . . RPMs justwaiting to be grabbed. But how do you know whatsin them? Should you really be downloading things toyour safe and secure system without at least lookingat them first?3. Move to the RPMS directory:# cd /mnt/cdrom/Fedora/RPMS4. Enter the following command:# for name in*.rpmThis command starts a for loop: The bash shellexecutes each command in the loop a number oftimes. The variable $name holds the name of thenext package file each time through the loop.When you press Enter, the shell displays a differ-ent prompt to tell you that youre in the middleof a complex command.5. Next to the new prompt, enter the next line ofcode and press Enter:> do6. On the next line, enter this command:> rpm -qpi $name >> ~/DiscOneThis command displays the digest from the pack-age file ($name) and appends the output to thefile ~/DiscOne.7. Then enter this:> rpm -qpl $name >> ~/DiscOneThis appends the name of each file in the pack-age to the end of ~/DiscOne.8. Enter done and press Enter.If you have more than one install disc, repeat thissequence for each disc (but change the name of theoutput file to ~/DiscTwo, ~/DiscThree, and so on).The procedure to create a package index issimilar for the SuSE or Mandrake Linux distri-butions. Just substitute the appropriate file anddirectory names.This sequence of commands takes a while to com-plete, but when its done, you have a file in yourhome directory that you can use over and over. Tofind the files you need, just open the package listwith the editor of your choice, and search.21_571737c16.qxd 7/2/04 8:54 PM Page 106Dont Put That in Your Drive; You Dont Know Where Thats Been! 107You can use rpm with a remote FTP site to query forthe contents of a remote package. After you see thecontents, you can decide if its something worthbringing home.Just remember, if someone really wants to bemalicious and change filenames and mask cre-ation information, he or she can. chroot jailscan be a big help in isolating programs youwant to try but dont trust completely (seeTechnique 58 for more information).Usually, downloads from the Web come from an FTPor HTTP server. To perform a remote query on anFTP server, use this command:$ rpm -ql ftp://ftp.example.com/path.rpmTo perform a remote query on an HTTP server, enterthe following command:$ rpm -ql http://www.example.com/path.rpm These queries are straightforward. If you need to,you can include user names and passwords, just likeyou would in a normal URL. See Technique 14 formore information about downloading from Webservers or FTP servers.In Technique 18, we show you how to verify a pack-ages digital signature before you install it. We alsoshow you to find out whether the files installedby a given package have been changed since youinstalled them a great way to watch for tamperingfingers wandering around on your computer.21_571737c16.qxd 7/2/04 8:54 PM Page 107Save Time By Using RPM at the com-mand line for speedyinstallations Using RPM at the com-mand line to removeunwanted programs Using RPM with a graphi-cal interface for a friendlyinstallation Installing from media (CDor DVD)Installing MadeEasy with RPMThroughout the book, we tell you to see Technique 17 for help install-ing RPM packages (that is, software packages installed with the rpmcommand). Heres where we share how this handy trick is done.This is a good technique to bookmark because youll be using it a lot.RPM (the Red Hat Package Manager) works great at the command line orwith a graphical interface. The command line gives you raw speed andpower, but its not as friendly as a browser-based interface. Fortunately,you get to choose the method that you prefer.RPM also makes quick work of uninstalling programs no more lost diskspace or time wasted trying to chase down all the program files. Withone command, you can erase programs that are no longer used or dontlive up to their initial promises.In this technique, we show you how to use RPM to install new software atlightning speeds. Other package managers are available, but RPM is thestandard method for installing software on Linux systems. We dont wantto give you the impression that RPM is the only way to install, but forspeed and simplicity, RPM is a good choice. Dissecting an RPM PackageAn RPM package is a collection of files and (usually) a few scripts thatrun whenever you install or remove the package. You can peek insidean RPM package with the command rpm -qpl package-name (we showyou some other handy RPM queries in Technique 16). The name of an RPM package tells you a lot about whats inside it. Forexample, most Linux distributions include two related packages namedkdeedu-3.1.4-1.i386.rpm and kdeedu-devel-3.1.4-1.i386.rpm. The nam-ing convention for RPM packages is name-version-platform.rpm. In thefirst package, the name of the package is kdeedu, the version is 3.1.4.1,and the platform is i386. The second package is named kdeedu-devel andshares the same version number and platform. Heres how you use eachpart of the package name:17Technique22_571737c17.qxd 7/2/04 8:55 PM Page 108Using RPM at the Command Line 109 Name: This part is how you refer to the packageafter its been installed. For example, if you installthe kdeedu-3.1.4-1.i386.rpm package file andlater want to remove it, you specify only thekdeedu part of the package name. Version: This number is used to compare twoversions of the same package the higher theversion number, the newer the package. Platform: This part tells you which CPU thepackage was built for. An i386 (Intel 80386) pack-age will run on all Intel 80386, 80486, and PentiumCPUs (and compatible CPUs like the Athlon). Ani686 package will run on Pentium CPUs but maynot work on older Intel CPUs. Youll also runacross PPC (PowerPC Macintoshes and IBM RISCcomputers) packages; you cant use these unlessyou have a Power PC CPU. You may also seepackages built for the noarch platform. noarchpackages are not CPU-dependent. A noarch pack-age is typically a program written in a portablelanguage, such as Java or Python, or it may sim-ply be a collection of text files.The kdeedu and kdeedu-devel packages are related.The kdeedu package installs the programs and docu-mentation you need to run KDE Education programs;kdeedu-devel installs the files that you would need ifyou wanted to develop (that is, alter and rebuild) theKDE Education programs. The -devel on the end ofthe package name is your clue that an RPM packageis meant for developers rather than users.Not all package names follow the conventions thatweve described, but the vast majority do.Using RPM at theCommand Line Using RPM at the command line to install a programis an easy and straightforward process. As an exam-ple, we explain how to download and install Webminin this section. Webmin is a great tool that we referto in several other techniques. Use Webmin to manage your system adminis-tration chores. Its a browser-based tool that canhelp you manage users, create disk partitions,restore from backup, and more. Check it out.If you arent sure about the pedigree of thepackage that youre installing, see Technique 18to find out how to trace the lineage of packagesthat come from dubious sources. Technique 18explains how to use digital signatures to ensurethat a package hasnt been tampered with. Adigital signature also ensures that a packagecomes from the person who claims to havecreated it in the first place.To download and install Webmin, follow these steps:1. Open your Web browser and surf towww.webmin.com2. In the upper-right corner of the screen is a linklabeled RPM. Click the link to open a downloadpage.3. Click a Download site near you.The Download Manager window opens. 4. Click Save to start the download and then gomake a quick cup of coffee. . . .5. Open your terminal window and navigate tothe directory holding your new download.The directory name is displayed in the statusbar of the Download Manager.6. Give yourself superuser privileges with the su command.7. Type in the following command:rpm -Uhv webmin-1.121-1.noarch.rpmThe easiest way to enter a long filename likethis is to type the first few letters and thenpress Tab. (See Technique 5 for details.)8. Press Enter. After a short delay, rpm informs you that Webminis installed.22_571737c17.qxd 7/2/04 8:55 PM Page 109Technique 17: Installing Made Easy with RPM110TABLE 17-1: HANDY RPM FLAGSFlag What It Does-i Installs a new package, but displays an error mes-sage if an older version is already installed-U Installs a new package, upgrading an older version iffound -e Uninstalls a package-h Displays a progress bar while its working-v Gives a bit more feedback while its workingOur favorite combination is -Uhv. That installs(or upgrades) a package, displays a progressbar, and displays an informative message ifsomething goes wrong.Type rpm --help | more at the commandline for a quick view of all the flags and options.Getting Graphic with RPMWeb-wide, open-source software is often distributedin RPM form. We refer you to a lot of RPMs in thisbook, but youll no doubt be surfing and findingmore timesavers daily. Fedora, Mandrake, and SuSE each come with theirown tools for managing RPM packages included onthe distribution media. In the sections that follow,youll find step-by-step directions on how to useeach distributions package management tool. Quick installations from distribution media withFedoras Package ManagerAdding packages from the Fedora distribution media(CD or DVD) is easy. To install a package from yourFedora disc, follow these steps:1. Put the DVD or CD in the drive and wait forthe disc to mount. Depending on your currentuser privileges, you may be prompted for apassword.When you install Webmin, you see a messagelike this: You can now login to http://localhost:10000/. Thats the URL of theminiWeb server that Webmin installed onyour system. Jump to that URL in yourfavorite browser, and youre connected toWebmin. Check it out!If you try to install a package that requiresother packages, rpm tells you about it. Checkthe notes on the download page. If the devel-oper is friendly, he or she will tell you what youneed and where to find it. See Technique 18 tolearn about a tool (Synaptic) that helps resolveinterpackage dependencies automatically.Removing RPMsRPM packages are just as easy to get rid of as they areto install. To remove a program installed with RPM,open your terminal window, give yourself superuserprivileges, and issue the following command: rpm --erase package_nameTo find the package name to erase, look at thefile that you used to install the package. Thepackage name precedes the version numberin the name of the package file.If youre having trouble finding the package name forthe software you want to remove, see Technique 16.In that technique, you find a whole mess of RPMqueries that you can use to track down packagesand the stuff that they install.Flagging Down RPMTo put it mildly, the rpm command has a ton ofoptions. Some of the most useful flags are listed inTable 17-1.22_571737c17.qxd 7/2/04 8:55 PM Page 110Getting Graphic with RPM 111The Add or Remove Packages window opens, asshown in Figure 17-1. Figure 17-1: The Add or Remove Packages window.2. Click Forward.Fedora searches your system to see which pack-ages are already installed. Then the Add orRemove Packages detail window opens, display-ing the current status of your system packages,as shown in Figure 17-2. Figure 17-2: The Add or Remove Packages detail window.3. To change the packages that are currently onyour system, either check (to install) oruncheck (to remove) the box next to a package.To the right of the checked package names is afraction that represents the number of programsinstalled and how many programs are availablein that package.The packages with unchecked boxes to the left of their names arent installed, but contain pro-grams that you can install. To view the contentsof a package, click Details to the right of thepackage listing, and a dialog opens, showing thedetailed contents of the package youve chosen(see Figure 17-3). Figure 17-3: The Package Details dialog.The changes you make to the check boxes repre-sent the status of your system packages after theupdate is complete.4. After youve identified the packages you wantto install (or remove), click Forward.A list of changes is displayed, as shown inFigure 17-4.22_571737c17.qxd 7/2/04 8:55 PM Page 111Technique 17: Installing Made Easy with RPM112these steps to install an RPM package from the SuSEdistribution media with YaST:1. Open the Main Menu and choose SystemYaST.Enter your root password if prompted.2. Click Install and Remove Software.3. Use the arrow to the right of the Filter field toopen the drop-down list box and choosePackage Groups. The window displays a list of the available andinstalled RPM packages, as shown in Figure 17-5. Figure 17-5: The YaST package manager.The package manager window features four panels: The upper-left panel displays package groups.Use the tree control to browse through thegroups and subgroups. When you highlight agroup in the tree control, the panel in the upperright displays the packages within that group.The filter selector enables you to change theviews in the upper-left panel: You can choosefrom selections, package groups, search, andinstallation summary. Use the Package Summary panel in the upper-right corner of the window to view a list ofpackages. Figure 17-4: The Package Installation Overview dialog.5. Click Forward.Fedora goes to work, upgrading your system. Ifeverything goes well, you see a screen telling youthe package update is complete.6. Click Finish.One of the nice features of the Add or RemovePackages tool is that it automatically resolves inter-package dependencies for you (the command linerpm command doesnt). One of the not-so-nice fea-tures of Add or Remove Packages is that it onlyworks with packages distributed on the Fedora dis-tribution discs. In Technique 19, we show you howto automatically resolve interpackage dependencies,even for packages that you download from the Web.You can also start Fedoras Package Managerfrom the Main Menu. Open the Main Menuand choose System SettingsAdd/RemoveApplications.Using SuSEs package manager to your advantageThe SuSE Linux distribution comes with a powerfulpackage manager called YaST (Yet another SetupTool). YaST makes adding software a snap. Follow22_571737c17.qxd 7/2/04 8:55 PM Page 112Getting Graphic with RPM 113To the left of the package name is a checkbox. This is not an ordinary check box: Eachtime you click the check box, it displays a newicon. A check mark in the box means that thepackage will be installed. A trash can means itwill be removed. The (slightly cryptic) updatesymbol will check for package updates. The lower-right corner of the screen displays atab-controlled dialog with information about thecurrently highlighted RPM package. Choose fromthe tab controls to view information about thepackage and its dependencies. The lower-left corner of the screen contains ahandy bar graph, displaying your current diskusage.To add a new RPM package, follow these steps:1. Select the check box to the left of the packagename in the Package Summary panel.Want to install a package quick, just to test thetechnique? May we recommend tuxracer. Itslots of good clean fun. Youll find it in theGames category.2. Click the Check Dependencies button.A dialog opens, verifying that all packagedependencies are okay.3. Click the OK button.4. Click the Accept button in the lower-right cor-ner of the screen.A screen opens, displaying the installation progress.YaST takes it from here, adding your new softwareand updating the system.Using Rpmdrake to install from mediaThe Rpmdrake package installer included withMandrake makes it easy to install RPM packages fromthe distribution media. Just follow these steps:1. Open the main menu and choose SystemConfigurationPackagingInstall Software.2. Enter your root password if prompted.The Rpmdrake package installer opens (seeFigure 17-6). Figure 17-6: The Rpmdrake package installer.3. Click the All Packages Alphabetical optionbutton to display a list of the packages onyour installation media.Highlight a package name in the list to seedetailed information about the package in theright panel.4. Click the check box next to the name of thepackage you want to install (see Figure 17-7).If other packages need to be installed to satisfythe packages dependencies, a dialog opens, ask-ing you to verify their installation.5. Click the Install button to add the new package. Rpmdrake takes it from there, installing the newRPM package on your system.22_571737c17.qxd 7/2/04 8:55 PM Page 113Technique 17: Installing Made Easy with RPM114Change to the Files tab to see a list of the filesincluded in the RPM package.3. Click the Install Package with YaST button.Enter the superuser password if prompted.YaST takes it from there, and installs your package!If youre a Mandrake user, follow these steps:1. Open the Konqueror browser and move to thedirectory containing the RPM package.2. Right-click on the packages icon, and chooseSoftware Installer from the pop-up menu.3. Enter your root password if prompted andclick OK.A message dialog opens, asking if you would liketo install the software package on your computeror just save the file.If you need additional files to satisfy thedependencies of the package, youll beprompted to accept their installation as well.4. Click the Install It button.A progress bar opens, and the package is installed.Thats all there is to it!Be sure youre getting RPM packages from areputable source. A not-so-friendly but craftyprogrammer with an axe to grind could poten-tially infect an RPM package with a virus anddo mega-harm to your system. Technique 18shows you how to verify that a package comesfrom the person who claims to have built it. Besure to perform backups on a regular basis ifyoure doing a lot of downloading (seeTechniques 49 and 50 for more informationabout backing up your system). Figure 17-7: The YaST package manager.Installing from your Konqueror browserWith the Konqueror (KDE) browser, you can installRPM packages with just a couple of clicks from thecomfort of your browser window. You can use theKonqueror browser to install RPM packages down-loaded from the Web, or from disk. If youre using Fedora, follow these steps:1. Open your Konqueror browser and navigate tothe directory holding the .rpm file. 2. Double-click the package filename.In a snap, the Package Manager walks youthrough the installation. Follow these steps if youre running SuSE:1. Open the Konqueror browser and surf to thefiles location.2. Click the packages icon to view a descriptionof the packages content.22_571737c17.qxd 7/2/04 8:55 PM Page 11418 Getting Comfortablewith RPMIn Techniques 16 and 17, we show you the fast (and powerful) installa-tion and query features of RPM (the Red Hat Package Manager). In thistechnique, we introduce you to some of the eclectic (but handy) fea-tures that often go by the wayside verify and update.RPM just might be your systems best friend. After all, it knows more aboutyour system than anyone. RPM maintains a database of information aboutthe packages installed on your system. By comparing that database tothe current state of your system, RPM can tell you if a package has beenaltered after you installed it. The --verify feature can help you detectintruders, users trying to do things they shouldnt be doing, or configura-tion problems just waiting to ruin your weekend.RPM can also verify the digital signature (and integrity) of a packagebefore you install it to see if the package has been tampered with. Youcan save yourself hours of misery by keeping your system safe frompotential Trojan horses. If the key signature doesnt match, you dontinstall it.In this technique, we walk you through some RPM features that you maynot be familiar with. Some of these features are great timesavers youjust need to know about them.Saving Time with --upgradeWhen you add a new package to your system, you can use rpm --installto install or rpm --upgrade to upgrade. We recommend going the upgraderoute rather than the install route. rpm --install fails if an older versionof the package is already installed, but rpm --upgrade upgrades an exist-ing package or installs a new one, whichever is appropriate.To use any of the RPM features that modify the rpm database including installing and updating you need to hold superuser privi-leges. If the rpm command displays a cryptic message (such as cannotget exclusive lock or cannot open Packages index), checkyour privileges.TechniqueSave Time By Updating rather thaninstalling your software Verifying your systemintegrity Keeping an eye on fileownership Determining whethera package has beentampered with 23_571737c18.qxd 7/2/04 8:56 PM Page 115Technique 18: Getting Comfortable with RPM116the file content; see the sidebar, Whats this MD5stuff anyway?) for each file in each package. Atyour request, RPM compares the information storedin the database with the installed version of a givenpackage. When you run the command rpm --verify package-name, rpm searches through the list of files owned bythat package and compares the file as it exists onyour hard drive with the information stored in thedatabase. For each file, -verify compares the filessize, permissions, group and owner, modificationtime, and MD5 checksum. RPM verifies that pack-ages youve installed are still in good form andhavent been tampered with.You can verify a single package, a group of packages,or all the packages installed on your computer. Ifyour packages are clean, rpm --verify completeswithout printing any messages. If rpm --verify findsa file thats out of whack, it displays a cryptic look-ing string of characters that tells you whats wrong.The failure codes are listed in Table 18-1.TABLE 18-1: RPM --VERIFY FAILURE CODESCode MeaningS The files size differs from the expected value.M The files permissions differ from the expectedvalues.5 The MD5 checksum has changed this one isimportant because it means someone has tamperedwith a file after you installed it.D This file is a device-interface file, and the majoror minor device numbers differ from the expectedvalues.L This file is a symbolic link but is pointing to thewrong place.U The files ownership has changed watch this one.A change in ownership can alert you to an intruderwhos trying to gain extra privileges or to modifyfiles he (or she) shouldnt modify.G The files group ownership has changed.T The modification time has changed.When you use --install, rpm first looks at your sys-tem to see if the package is already installed. If it is,rpm complains about file conflicts. (And if you lookvery closely, you also see a message that states thepackage is already installed a message thats kindof hard to see among all the other complaints.)When you use --upgrade, rpm checks to see if thepackage is installed and, if so, compares theinstalled package to the version youre trying toinstall. If youre installing a more recent version, rpmupgrades to the more recent version. If youre tryingto install an older version, it tells you that your cur-rently installed software is more recent than thecopy youre trying to upgrade to, and quits. If thepackage is not currently installed on your system,rpm installs it.Heres our favorite command line for installing newsoftware:# rpm --upgrade -vh filename.rpmYou can use this command to do initial installs or toupgrade versions. bash doesnt care which becauseit knows that your intention is to get the most recentcopy of the program on your system as quickly aspossible.An easy timesaver is to use the shortcut ver-sion of the upgrade command to install RPMpackages, # rpm -Uvh filename.rpm.All the command line options that work with --install also work with --upgrade. Check outthe man page (man rpm) for a complete list.Verifying Your SystemWhen you install a package, RPM records detailedinformation about the package content in a data-base. The database includes information such asexpected file size, expected owner, and expectedpermissions. RPM also stores an MD5 checksum(effectively a fingerprint that uniquely identifies23_571737c18.qxd 7/2/04 8:56 PM Page 116Reading the Tamper-Proof Seal 117Weve purposefully damaged one of the files on ourcomputer just to see what --verify reports:$ rpm --verify coreutilsS.5....T d /usr/share/man/man1/yes.1.gzThe failure codes tell us that the file has changedsize (S), its MD5 checksum is wrong (5), and themodification time doesnt match the value storedin the RPM database (T).Check out any inconsistencies that --verify uncoversbecause they could indicate intruders or other prob-lems waiting to bite you: The MD5 checksum value is like a fingerprint ofthe data within a file. If the number changes, thecontent has changed. If the user ownership changes, users might begetting in and giving themselves privileges theyshouldnt have. Likewise, a change in group ownership couldindicate an intruder. If the MD5 checksum has changed, but the modi-fication time has not changed, an intruder maybe trying to cover his or her tracks.To verify a single package, include the package nameon the command line, like this:$ rpm --verify bashYou can also verify all the packages within a group:$ rpm --verify --group Amusements/GamesTo verify all the packages installed on your com-puter, use the following command:$ rpm --verify --allVerifying your entire system takes quite some time,but when youre done, youll have a very thoroughunderstanding of the state of your system.The --verify command can take awhile tocomplete. Start the command and let it runwhile youre in a meeting or when you gohome at night.Whats this MD5 stuff anyway?MD5 is a message-digest algorithm (in fact, MD5 is a ratheruninspired acronym for message digest number 5). A mes-sage digest is like a fingerprint that belongs to a chunk ofdata. Two different chunks of data are highly unlikely tohave the same fingerprint (that is, the same MD5 check-sum). MD5 is cryptographically strong, meaning that itwould take an incredibly fast computer (or an astonishinglybrilliant mathematician) to come up with another chunk ofdata with the same fingerprint. A digest algorithm generates two different digest values fortwo different files. A good digest program pays attentionnot only to the characters in the file, but also to the orderingof the characters in the file (so ab generates a differentchecksum than ba).When an RPM package is first created, RPM computes theMD5 checksum of each file in the package. When youinstall the package, the MD5 checksums are copied intothe RPM database. When you verify a package, RPMrecomputes the checksum of each file in the package (itreads through the whole file and computes the checksumagain from scratch) and compares that checksum to thevalue stored in the database. If the checksums are different,the file has been modified.Reading the Tamper-Proof SealWhen you get a new RPM package, whether from aWeb site or on a disc, you really have no guaranteethat it hasnt been tampered with that is, unlessyou use RPM to verify its digital signature.Just like the tamper-proof seal on a bottle of aspirin,the digital signature is there to protect you frompotential headaches. After all, you would never usemedicine from a bottle with a broken seal. A digitalsignature ensures that a package was created by theperson (or organization) claiming to have producedthe package.23_571737c18.qxd 7/2/04 8:56 PM Page 117Technique 18: Getting Comfortable with RPM118Depending on your distribution, one key ormany keys may exist. If multiple keys exist,install them all before checking the packagessignature. The easy way to do this is to userpm --import RPM-GPG*.4. Move to the directory of the package you wantto verify and press Enter. For our example,enter$ cd /mnt/cdrom/Fedora/RPMS5. Enter the following command:$ rpm --checksig bash6. Press Tab to autocomplete the package nameand then press Enter.rpm displays a message that looks something likethis:bash-2.05b-31.i386.rpm: (sha1) dsa sha1md5 gpg OKFrom this message, you know that your bash pack-age is OK. If the result set returns a NOT OK or MISSINGKEYS, you should at least question the integrity of thepackage. Some system administrators wont installsoftware that doesnt come with proper digital signa-tures to avoid any potential problems.Some open-source software that has integritydoesnt have keys. We wish it did because thesoftware is good, reputable, and worthy ofdownloading. In our example, the key was distributed on the discwith the software. Often, the keys are available atthe projects Web site, as a separate download. If youhave trouble finding the key, consider e-mailing thesite administrator.When you install Linux from a CD or DVD, the discshould include a public key from the packager. Everypackage included in your Linux distribution is (or atleast can be) signed with the packagers private key.You can use RPM (and the public key) to verify eachpackage. When you download a package, lookthrough the projects Web site to see if it makes apublic key available. If you find one, use it. (If youcant find a public key, e-mail the maintainers askingthem to sign their packages.)In this section, we use the Fedora install DVD as anexample of how to import a public key and then usethat key to check the signature of a package weassume most of you have installation media. Not allvendors include keys on their software, but its areally good idea to run an integrity check if they do.To verify the integrity of your Fedora disc, followthese steps:1. Open a terminal window and give yourselfsuperuser privileges.2. Insert and mount either the DVD or the first CDof the Fedora distribution, and move to thecdrom directory.$ cd /mnt/cdrom3. Type the following command and press Enter:$ rpm --import RPM-GPG-KEYThe --import command installs the public key(RPM-GPG-KEY) into your RPM database. After itsthere, RPM will use the public key to verify anypackage you install thats been signed with thecorresponding private key. See Technique 28 formore information ahout how digital signatures,public keys, and private keys all fit together.23_571737c18.qxd 7/2/04 8:56 PM Page 11819 Keeping Up-to-Datewith apt andSynapticKeeping your software up-to-date is important. A new release of yourfavorite software will likely include new features, fixes for old bugs,and most importantly, fixes for security vulnerabilities. Open-sourcesoftware evolves astonishingly fast. Given that most, if not all, of the soft-ware on your Linux computer is of the open-source variety, keeping cur-rent can be quite a chore. Although you could keep a list of your softwarepackages and check the sites regularly for more recent versions, we knowa better way.apt (Advanced Package Tool) is a handy tool that can save you tons oftime. apt by itself is good; apt coupled with Synaptic is even better.Synaptic is an attractive, friendly wrapper around the apt command linetool. Synaptic knows how to check your installed RPM packages againstthe most recent versions, download any updates, and automaticallyresolve package dependencies. If youve installed many packages with RPM, you know what dependen-cies are: When you install a new software package, that package mayrequire (or depend on) other packages. If you use RPM by itself, you haveto satisfy a packages dependencies before you can install the package(that is, you have to install all the other software required by the packagethat you really want to install). Technique 17 explains how to use RPMfrom the command line. Quite often, a dependency has dependencies ofits own. The chain of dependencies can get very long, very fast. WithSynaptic, the frustration and time lost tracking down and installing all theprogram dependencies are gone Synaptic handles the process for you.In this technique, we introduce you to Synaptic. Installing and updatingyour software has never been so quick or easy. Setting Up Synaptic and apt in a Snapapt is a wrapper around the command line tool, rpm. Synaptic is a graphi-cal wrapper around apt. You already have rpm (its a fundamental FedoraTechniqueSave Time By Automating softwareupdates Using Synaptic and aptto resolve RPM packagedependencies Using a software reposi-tory to find tons of open-source software Adding repository keys toyour system key ring24_571737c19.qxd 7/2/04 8:57 PM Page 119Technique 19: Keeping Up-to-Date with apt and Synaptic120Now, download the RPM package for Synaptic:1. Reopen your browser and surf todag.wieers.com/packages/synaptic2. Click the download link forsynaptic-0.45-0.rhfc1.dag.i386.rpm3. Save the package to your desktop.4. Close the Download Manager and the browserwindow, and return to the desktop.5. Click the desktop icon for the Synaptic RPMpackage.The graphical installer begins. Again, you may beprompted for the root password. Now that you have apt and Synaptic installed, youreready to update your system.Keeping Up-to-Date with aptand Synaptic: The BasicsUsing apt with Synaptic is a quick and easy way tokeep your system software up-to-date. To run Synapticand do a package update, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command. 2. Type the following command and press Enter:# synapticSynaptic starts and, after a short delay, displaysthe packages currently installed on your com-puter (see Figure 19-1). The package list is sortedby category and displayed in a tree-type controlpanel in the middle of the screen. Click the littlearrow to the left of a category to view the pack-ages within that category.When Synaptic starts, it displays all the packagesavailable at the default repository (you can addmore repositories later). component), but you need to install apt andSynaptic before you can use the three tools togetherto make quick work of package management.If youre using SuSE, use Google to search for themost recent versions of the apt and synaptic RPMpackages. Youll need two packages the apt pack-age and the synaptic package.To download and install apt with Fedora, followthese steps:1. Open your favorite browser and surf toapt.freshrpms.net2. Click the link to Fedora Linux 1 (rpm 4.2.x). This moves you to the Index of /pub/freshrpms/fedora/linux/1/apt.3. Click the link to download the most recentRPM package. Right now, that isapt-0.5.15cnc3-0-1.fr.i386.rpmThe Download Manager opens (assuming thatyour browser offers a download manager).4. Save the RPM package to your desktop.5. Close the Download Manager and minimize the Web browser (youll be using it again in aminute).6. Click the RPM Package icon on the desktop.7. If youre not already logged in as the super-user, a query window opens, prompting youfor the root password. Enter the passwordand click OK.The RPM graphical installer opens, telling youthat the system is being prepared for packageinstallation.8. When the preparations are complete, clickContinue.The apt package installs.24_571737c19.qxd 7/2/04 8:57 PM Page 120Keeping Up-to-Date with apt and Synaptic: The Basics 121 Figure 19-1: The Synaptic startup screen.3. To filter the choices in the Package list, chooseone of the following options from the Showdrop-down list (shown in Figure 19-2): Installed Packages: Show only the packagesthat are currently installed on your computer. Not Installed Packages: Show packages thatare in the repository but not currentlyinstalled on your computer. Tasks: Show groups of related but otherwiseindependent packages (such as a completeoffice or personal productivity suite). Upgradable (sic): Show currently installedpackages for which newer versions areavailable. Broken: Show packages that are currentlyinstalled but have unsatisfied dependencies. Programmed Changes: Show packagesselected for installation, upgrade, removal,or repair. New in Archive: Show packages that havejust been added to the archive list on yourcomputer.One of the most useful features is theUpgrad(e)able filter. Select Upgradable fromthe Show drop-down list and then click a treecontrol to see the outdated packages in thatcategory (see Figure 19-3). Figure 19-2: The package display options. Figure 19-3: Outdated packages.4. When you find a package that needs to beupdated, click the package name to highlight it.5. Click the Upgrade button (in the lower-rightcorner of the screen).Sometimes a package might be changed toinclude another package in its installation. Ifthis is the case, you need to authorize apt toremove the old package before it can updateto the new version.24_571737c19.qxd 7/2/04 8:57 PM Page 121Technique 19: Keeping Up-to-Date with apt and Synaptic122 Figure 19-5: The Summary dialog.Upgrading Your EntireComputerSynaptic can install and upgrade individual pack-ages, but its real power lies in its ability to upgradeyour entire system with just a few quick clicks of themouse. Synaptic offers two system-update modes: Dist Upgrade: If you want to upgrade to the mostrecent versions of all the packages currentlyinstalled on your system, click the Dist Upgrade(Distribution Upgrade) button on the toolbar.Dist Upgrade updates all the packages on yourcomputer and adds any new software needed tosatisfy program dependencies. Upgrade All: If youre short on disk space, usethe Upgrade All button to upgrade only thosepackages that can be freshened without installingextra software required by new dependencies.In some cases, the package that needs to beremoved isnt included in the new package,but its blocking the installation anyway. Youmay need to reinstall a package after theupdating is complete.6. Depending on the package youre updating, adialog may appear that shows other changesthat you must authorize. If the dialog doesappear, review the additional changes andclick the Apply button.For example, the new version of a package mayhave new dependencies that were not requiredby the currently installed release. Or, you mayhave to upgrade other packages at the same time. The packages to be upgraded are highlighted inthe list, as shown in Figure 19-4. Figure 19-4: Highlighted packages are ready to upgrade.7. To carry out the upgrade (and any relatedchanges), click the Execute button (on thetoolbar).The Summary dialog opens (see Figure 19-5).8. Click the Proceed button in the Summary dia-log to continue.The new versions are downloaded, and theupgrade begins pretty simple.24_571737c19.qxd 7/2/04 8:57 PM Page 122Handy Hints about Synaptic 123Handy Hints about SynapticSynaptic can install new packages too. With so manypackages available, the choices can seem overwhelm-ing. Fortunately, Synaptic has a few tools that canhelp you narrow down the package list to a moremanageable size. You can also find out a lot about apackage before you download and install it on yourcomputer. Changing repositoriesSynaptic works its magic by connecting to softwarerepositories scattered around the Internet. Synapticcomes preconfigured with the information required toconnect to a number of repositories, and its readyto use the repository thats right for a Fedora distri-bution. Most repositories organize packages intotypes and sections. The two most frequently seentypes are rpm (installable packages) and rpm-src(source code for package): Unless you want to buildyour software from source code, stick with the rpmtype. Sections are more diverse. At any given reposi-tory, you may see sections such as testing, stable,and updates. The section name gives you some ideaof how safe the packages are within that section.Stay away from the testing section unless youre inan adventurous mood.By default, Synaptic enables only the safe sections.You may need to make changes to the repository listif a package that you want to install (or upgrade) cantbe found in the preconfigured sections. When youenable a section, the Packages list shows new pack-ages distributed from that section (hopefully, thePackages list contains the package youre looking for). To enable a new section, follow these steps: 1. In Synaptic, choose PreferencesRepositories.A dialog appears, showing the repositories thatSynaptic currently knows about.2. Enable a section by checking the box in theEnabled column to the left of the reposi-tory URL. Its safest to choose from the repositories thatoffer packages for your specific Linux distribu-tion. However, the other repositories includesome great packages that might be worthchecking out when you have some time tospare. 3. Click OK to close the repository list, and thenclick Update List to retrieve a list of availablepackages. This process takes a minute or two, dependingon your Web connection speed. Synaptic dis-plays a pop-up as it retrieves index files.Now when you open a package category, eachpackage is color-coded: The white ones are currently installed. The beige ones have just been added to thelist of known packages. The red ones are broken packages (installedpackages with unsatisfied dependencies). The mint ones are the packages youveselected to install.You can set your own color choices by choos-ing PreferencesPreferences.Viewing package detailsSynaptics main package list can be a bit overwhelm-ing because it displays so many packages. To narrowyour choices a bit, use the Show drop-down list tofilter out packages in different ways. Our favorite fil-ter is Not Installed that filter shows all of thepackages just waiting to fill up your hard drive (seeFigure 19-6).24_571737c19.qxd 7/2/04 8:57 PM Page 123Technique 19: Keeping Up-to-Date with apt and Synaptic124Installing new packages with SynapticWhen you find a package that you want to install,follow these steps:1. Highlight the package name and click InstallLatest Version.If you want to install more packages, highlighteach one and click Install Latest Version.2. When youve finished selecting packages, clickExecute, and the installation begins.Depending on the packages youre installing, adialog may appear that shows other changes thatyou must authorize. If the dialog does appear,review the additional changes and click theApply button.For example, the new package may have requiredother packages or updates to currently-installedpackages.3. Click the Proceed button in the Summary dia-log to continue.The new packages are downloaded, and the installa-tion begins pretty simple.Technique 58 shows you how to set up a UMLjail. Resolving dependencies within a jail canbe a time-consuming chore. Use apt andSynaptic to resolve the dependencies for you. Importing the Keys tothe RepositorySometimes Synaptic prefers that you have the publickeys that were used to sign each package before itallows you to install new software. Its a good idea toinstall the keys so theyre ready when you need them. Figure 19-6: Tons of free software.With so much free software to choose from, its agood idea to check out the package details beforeyou download. When you highlight a package, the frame at the bot-tom of the screen displays information about thatpackage. You can navigate this information by click-ing the following tabs: Common: Contains a short summary of thepackage what section the program belongsto and who maintains the software. Description: Shows a more detailed descriptionof the package. Dependencies: Shows a list of the other packagesrequired by the one youve selected. Anydependencies shown in red are not currentlyinstalled, but thats okay; Synaptic automaticallyresolves dependencies for you. Expert: Offers options for the adventurous usually alternative versions (which might beuntested). Read through the package information care-fully to decide if an alternative package is rightfor you.24_571737c19.qxd 7/2/04 8:57 PM Page 124Importing the Keys to the Repository 125Each repository has its own set of keys, and you haveto hunt around the repository Web site to find them.To download and install the keys to the primaryFedora repository, follow these steps:1. Open your favorite browser and surf tofreshrpms.net/packages.2. Right-click the GPG Key Used to Sign AllPackages link. Save the file to the desktop.3. Open a terminal window and give yourselfsuperuser privileges with the su command. 4. Use the following command to import the keysto the repository:# rpm --import /home/susan/Desktop/RPM-GPG-KEY.txtThe keys to the repository are added to your RPMkey ring, where Synaptic can find them if it needsthem.24_571737c19.qxd 7/2/04 8:57 PM Page 125Save Time By Setting up automatictasks with Task Scheduler Editing existing tasks Creating an environmentfor your automated tasksSetting UpAutomatic ServicesAdministrative tasks such as backing up, updating data files, andupdating Web site mirrors are easy to automate. You can savetons of time by creating automatic tasks that do your job withoutany help from you. To help you automate these tasks, you have twohandy tools at your disposal: Task Scheduler and the ServicesConfiguration Tool.Task Scheduler is a graphical interface that schedules programs to runautomatically with the program cron. Setting up jobs to run when net-work demands are low can save time (and user frustration from thebogged-down network). Task Scheduler has a nice interface and offers aquick way to set up cron jobs.In this technique, well show you how to automate your work with TaskScheduler. Letting Task Scheduler Work for YouTask Scheduler is a graphical interface for cron (the Linux schedulingtool). With Task Scheduler, you can set up recurrent downloads, backups,or other system maintenance jobs to run at night (or when your networkload is the lightest).Task Scheduler is part of the kdeadmin package (if youre using KDE,make sure youve installed the kdeadmin package or you wont find TaskScheduler in the KDE Menu). The Mandrake 10.0 Community Edition dis-tribution does not include the kdeadmin package (although later editionsmay) if you cant find kdeadmin in your distribution, youll have todownload and install it from the Web. GNOME doesnt have an official task scheduler yet, but if you Google forGNOME and Task Scheduler, you should find a few options. 20Technique25_571737c20.qxd 7/2/04 8:57 PM Page 126Letting Task Scheduler Work for You 127Before Task Scheduler will work, you need to startthe crond daemon. To start crond, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Type in the following command and pressEnter.If youre a Fedora or Mandrake user, use thiscommand:# /sbin/service crond startSuSE users should use this command:# /etc/init.d/cron startScheduling a new taskAfter youve started the crond daemon, youre readyto set up automated tasks:1. To start Task Scheduler, open the Main Menuand choose System ToolsTask Scheduler.The Task Scheduler window opens, showing asummary of the scheduled tasks and their envi-ronment variables (see Figure 20-1). Figure 20-1: The Task Scheduler window.If youre logged in as root, you see everyonesscheduled tasks. If not, youre privileged to seeyour own tasks only.2. To add a new task, right-click the Tasks folderand choose New. The Edit Task window opens (see Figure 20-2). Figure 20-2: The Edit Task window.3. To create a new task, fill in the following fields: Comment: Enter a descriptive name. Program: Enter the command you want to run.Its a good idea to use the complete pathnamefor a command, not just the command name.That way, changes to your environment (your$PATH variable in particular) wont affect sched-uled tasks. For example, enter /usr/bin/wget-r --mirror -k http://www.website.com toupdate a Web site nightly. If you dont know thecomplete pathname, use the Browse button tofind your program. Most of the commands arein /bin, /usr/bin or /usr/local/bin.25_571737c20.qxd 7/2/04 8:57 PM Page 127Technique 20: Setting Up Automatic Services128Its hard to predict the environment in whichyour scheduled tasks will run. Use full path-names and define the environment variablesthat you need. That also makes you moreimmune to changes in the system configuration.If youre scheduling a complex task (one thatinvolves running multiple commands), writeyourself a shell script and schedule the scriptinstead of a complex command line. Its mucheasier to debug a script than a complex com-mand line that resides somewhere in the TaskSchedulers database. Technique 10 has somehandy information about creating shell scripts.Editing a taskIf you need to go back and edit a task, open the MainMenu and choose System ToolsTask Scheduler. InTask Scheduler, right-click the task (refer to Figure20-3) and choose Modify from the pop-up menu.When youre done, click Save so that the schedulerremembers the new settings.Adding environment variablesTask Scheduler works in its own environment, soyou need to add any environment variables thatyour task needs to run properly (such as $PATH).To add or edit a variable, follow these steps:1. Choose System ToolsTask Scheduler, right-click Variables, and choose New from the pop-up menu.The Edit Variable dialog opens, as shown inFigure 20-4.2. To add a new variable, fill in the fields on thedialog: Variable: Enter the variable name, or choosefrom the most common variables in the drop-down list. If you dont define the HOME , MAILTO, andSHELL variables, they default to your normalvalues. Change these variables if you want tooverride the defaults. Enabled: Check this box to make the taskactive. If the box isnt checked, the taskwont run. Silent: Check this box to turn off the loggingfeatures. Months: Check the box next to each monththat you want the job to run. Days of Month, Days of Week, or Run EveryDay: You can choose when the task runs inone of three ways. Choose the days of themonth that the job executes, or choose thedays of the week that the job executes, orcheck the Run Every Day box to automaticallychoose all the months, days, and dates. Hours and Minutes: Choose the hours andminutes that the task should begin.Set up network-intensive jobs to execute atnight when network traffic is low. The jobs willrun faster, and youll be saving the bandwidthfor when you really need it.4. Click OK.The new job is added to the Tasks list, as shownin Figure 20-3. Figure 20-3: The new task is added to the list.5. If youre done using Task Scheduler, click Save.Or if you havent defined the environment vari-ables, see Adding environment variables,later in this technique, to do so.25_571737c20.qxd 7/2/04 8:57 PM Page 128Letting Task Scheduler Work for You 129The PATH variable holds the search path thatcron uses to locate your programs. Value: Enter the variables value. Comment: Enter a description of the variable. Enable: Check this box to make the variableactive. If the box is not checked, the variabledoesnt take effect.3. Click OK when youve completed this dialog. Your new variable is added. Figure 20-4: The Edit Variable dialog.4. When youre finished using Task Scheduler,click the Save icon to save your changes andthen close the window. Your newly scheduled programs will run withoutany help from you!If you use a proxy server to access the net,wget can use the http_proxy variable tospeed up data transfers. Create the variablequickly with Task Scheduler, as shown inFigure 20-5. Figure 20-5: Setting the http_proxy variable.25_571737c20.qxd 7/2/04 8:57 PM Page 129Save Time By Using disk quotas to keepresources in check Using system accountingto monitor user activity Watching programactivity with systemaccountingMaking Your InnerSystem AdministratorHappy (AndProductive)As system administrator, you want to be sure that system resourcesare available when needed. Doling out resources to users that needthem and keeping track of the overall system performance areimportant. Fortunately, tools exist that make it really quick and easy.Imposing disk quotas is a quick and easy way to control precious systemresources. Define user quotas to limit the amount of disk space each usercan consume so youre sure that those who need it can get it.Disk quotas are self-governing. After youve set up the quota (and a graceperiod), Linux ensures that users cant use up all your disk space. If youneed to know whether youve budgeted too little space for some users, aquick glance at the disk quota report tells you how well users are stayingwithin their quotas.The Linux system accounting package is a small collection of tools thatgive you quick access to information about how your system is beingused. You can quickly determine which users are spending the most timelogged in and what resources theyre using. You can also spot programsthat shouldnt be used at all. In this technique, we show you how to control your system usage. Yourenot being a control freak youre just ensuring that your users havewhat they need to get their jobs done.Reining In Resources with Disk QuotasIf youre the administrator of a multiuser system, youve probablyencountered disk hogs users who download every game or graphicthey can find, keep a copy of every e-mail theyve ever received, andkeep multiple copies of work in progress. Such users can cause majordisk clogs especially if your resources are limited. 21Technique26_571737c21.qxd 7/2/04 8:58 PM Page 130Reining In Resources with Disk Quotas 131Use the diskquota tool to stop resource problemsbefore they start. Placing limits on the storage spaceor the number of files a user can have on a systemwill make your users more conscientious about notkeeping unneeded files around. If users exceed their allotted disk space, theyreceive a warning, and Linux starts a grace-period countdown. At the end of the graceperiod, these users are not allowed any addi-tional disk space until they clean up their act.Installing the quota RPM packageBefore you can create and allocate disk quotas, youmust install the quota RPM package included withmost Linux distributions. To install quota on yoursystem, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Mount your distribution disc in the CD drive.3. Use the cd command to move to the directorycontaining the quota RPM package.4. Install the quota package with the followingcommand:# rpm -Uhv quota-version.rpmThats all there is to it. The quota package isinstalled and ready to use.If you dont have the distribution disc, butneed the package, just Google for it.Downloads of the quota RPM packageabound on the Web.Enabling file system quotasYou can create disk quotas for any file system onyour computer, but you have to change the mountoptions first. To enable quotas for a particular filesystem, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command.Dont forget the hyphen when you type in thesu - command. The hyphen sets up yoursearch path ($PATH) so you can find the super-users tools.2. Open the /etc/fstab file in your favorite editor(which in our case is kedit):# kedit /etc/fstabkedit opens, as shown in Figure 21-1. Figure 21-1: The /etc/fstab file opened with kedit.3. Find the file system that you want to modify.4. Add the usrquota and grpquota options to thefourth column.Finding the correct column in a typical fstab filecan be tricky. The first column contains the devicename, the second column specifies the mountpoint, the third column determines the file systemtype, and the fourth column contains a comma-separated list of options (typically, defaults):LABEL=/ / ext3 defaults,usrquota,grpquota 1 1The preceding code shows the changes neededto add quotas for the root file system.5. Save your changes and close the editor.26_571737c21.qxd 7/2/04 8:58 PM Page 131Technique 21: Making Your Inner System Administrator Happy (And Productive)132Thats it! The quota files are created, populated, andready to use.Remember that systems vary. The precedingsteps work great on our system (and shouldwork well on most simple configurations), butif you need more information about commandoptions that might suit your specific hardwareconfiguration, check out the official documen-tation. Just enter info quotacheck at thecommand line for fast access to the onlinedocumentation. Setting quotasAt this point, the quota tools have been installed,and the control files are in place (which we explainhow to do in preceding sections). Now its time toimpose quotas. Here, we explain how to set quotasfor a user name or group and how to set the graceperiod for users who have met their quotas andneed to clean up their files.The default editor for quota is vi, a powerfulbut unfriendly editor. When you first set quo-tas, we recommend fixing up the quota editora bit. Our editor of choice is kedit or kate.See the following steps to find out how.To set quotas for a user, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command. 2. To change the default editor for quota, enterthe following command:# export EDITOR=$(which kedit)If you prefer another editor, just substitute itfor kedit in the preceding command.3. To edit the control files and define quotas,enter the following command:# edquota usernameNow, remount the file system that you modified toenable the new options. The easiest way to remountan active file system is to reboot. Whats the quickest way to reboot fast? Justtype reboot at the command line and pressEnter.Getting your files togetherNow its time to create the quota control files:aquota.user and aquota.group. These files recordthe quotas that you assign to each user (or group)on that file system as well as the amount of spacecurrently in use. Youll find the quota control files inthe root directory of each quota-enabled file system.When you create the control files, Linux computes thecurrent disk usage to create a starting point for you.To create the quota control files, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command.2. Type the following command and press Enter:# quotacheck -acugmThe flags in this command tell quotacheck to cre-ate (c) a new control file for users (u) and groups(g) in all currently mounted file systems (a). 3. Type the following command and press Enter:# quotacheck -avugmRunning the quotacheck command again withoutthe create (c) flag populates the control fileswith the current usage information. The currentusage reflects the blocks and files allocated tousers (u) and groups (g) on all quota-enabled filesystems (a) . By default, quotacheck wont com-pute disk usage on mounted file systems. (Ifyouve enabled quotas for the root file system[/], you cant unmount that drive.) The -m flagforces quotacheck to inspect file systems thatcant be remounted in read-only mode.26_571737c21.qxd 7/2/04 8:58 PM Page 132Reining In Resources with Disk Quotas 133edquota creates a temporary file that containsthe current quota settings for username and thenopens that file in the editor that you specified, asshown in Figure 21-2. Figure 21-2: The disk quota file.The quota file that you see contains one line for eachquota-enabled file system (the file system name is inthe first column). edquota lets you control disk usagein 1024-byte blocks. You can also control the totalnumber of files that a given user can create on a filesystem. (The quota tools all refer to inode quotas inode is essentially a synonym for file.)The numbers listed under blocks and inodes showdisk space (and file count) currently used by thegiven user. A Linux quota is defined by three values: Soft limit: This controls the maximum amount ofspace that you should use. Hard limit: This controls the maximum amountof space that you can use. Grace period: When you exceed the soft limit,Linux warns you and gives you a grace period.During the grace period, you can continue toaccumulate more disk space (up to the hardlimit). If, at the end of the grace period, yourestill over the soft limit, the soft limit becomes ahard limit.For example, suppose your soft limit is 2GB, yourhard limit is 2.5GB, and the grace period is one week.As soon as your disk usage exceeds 2GB, Linux dis-plays a warning. You can exceed your soft limit forone week (but you can never go above 2.5GB). Afterthe grace period, you cant create any new files (orwrite more data to existing files) until you clean upenough stuff to fall back to the 2GB soft limit. Youcan exceed the soft limit (for a week), but you cantexceed the hard limit.Deciding how many blocks or inodes a userneeds is a matter of system resources. Ifusers need access only to e-mail, they obvi-ously need fewer files (and less disk space)than users doing development work. If youhave plenty of room, you can allocate largerpieces of the total pie.You can also assign quotas to a group of users. Toassign group quotas, follow these steps:1. Give yourself superuser privileges with the su - command.2. To edit the control files and define the groupquota, use the following command:# edquota -g groupnameThe -g indicates that the following name is thename of a group.3. Edit the quotas as desired (following the samebasic rules we discuss earlier in this section),and then save the file and close the editor.Linux is far kinder than many people wouldbe. If you exceed a soft limit, your files are stillthere (Linux doesnt delete the extra data).You just dont get any more space until youtrim down a bit.To set the grace period, enter the following command:# edquota -tThe editor opens, displaying the current settingsfor the block and inode grace periods, as shown inFigure 21-3.26_571737c21.qxd 7/2/04 8:58 PM Page 133Technique 21: Making Your Inner System Administrator Happy (And Productive)134 Figure 21-4: The user quota report.Worthy of note are the grace columns. If a quota hasbeen exceeded, the amount of time left in the graceperiod is displayed. If the grace period has expired,none appears in the column.Using System Accounting toKeep Track of UsersLinux gives you a number of command-line toolsthat can help you keep track of the resources usedby a given user (not just disk space, but CPU time,connect time, and memory usage as well). Afteryouve installed the tools, with a few quick key-strokes you can determine which users spend themost time at their keyboards.Setting up system accountingTo install the psacct package on Fedora orMandrake, or the equivalent, acct on SuSE, followthese steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Insert and mount your distribution disc. Figure 21-3: The grace period file.Change the grace period if you want you canspecify a number of days, hours, minutes, or sec-onds. Be sure to give yourself a reasonable amountof time to clean things up (at least a day). Save thefile and close the editor when youre finished.Reviewing your quotasTo generate a complete listing of the quota defini-tions and the current system usage, type in thiscommand:# repquota -vugs /homerepquota generates a quota report listing the spaceused by all users (-u) and groups (-g) on the /homefile system. The -v option tells repquota to producea more detailed (or verbose) report that displaysquota definitions that are not currently in use. Bydefault, repquota displays quota information in termsof 1024-byte blocks; the -s flag tells repquota to printthe totals in more readable terms (megs instead ofblocks). The last argument in the command indicatesthe file system in this case, the /home file system.To display quota information for all file systems, usethe -a flag instead (repquota -avugs).The listing shows user quotas first and then groupquotas, as shown in Figure 21-4.26_571737c21.qxd 7/2/04 8:58 PM Page 134Using System Accounting to Keep Track of Users 1353. Use the cd command to move to the directorycontaining the RPM packages.4. Type the following command and press Enter:# rpm -Uhv psacct-version.rpmOn SuSE, install the acct package with thecommand:#rpm -Uhv acct-version.rpm The installation process creates a new back-ground daemon. To start the psacct service (or acct, if yourerunning SuSE), follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Start the service:If youre running Fedora, the command is# /sbin/service psacct startIf youre running Mandrake, use the command:# /sbin/service psacct startIf youre a SuSE user, start the service with thecommand:# /etc/init.d/acct startNow youre up and running. Linux keeps track ofresource usage in the /var/run/utmp and /var/log/wtmp files.The wtmp file can grow quickly. Its a good ideato clean it up every now and then.Looking up user login hoursOf all the information you can call up in a flash, sum-maries of user login hours are among the most use-ful. Use the ac command to find out how long (inhours) your users have been logged in. To generatea list of login hours, itemized by user, enter the fol-lowing command:$ ac -pThe result will look something like this:[freddie@bastille freddie]$ ac -pfreddie 7.03duncan 2.02franklin 6.54root 1.02total 16.61To generate a list of total login hours on a dailybasis, use the -d flag:$ ac -dThe result is a daily list of connect-time hours:[freddie@bastille freddie]$ ac -dFeb 1total 0.33Feb 2total 12.54Todaytotal 1.01One thing to note the daily total is for everyonelogged in.This is a quick way to find out total systemman hours if you need to answer to account-ing about department costs or want to requestmore resources in a budget meeting. The two flags weve listed are probably the mostuseful, but other flags work with the ac commandas well. Check out the man page for more ideas man ac.Checking out command and program usageAnother useful command that comes courtesy ofsystem accounting is the sa command. Use the sacommand to find out which programs are being usedon your system. To use the sa command, first youneed to give yourself superuser privileges with thesu - command. Then to generate a report of com-mand usage, enter the following command:# sa The report shows the command usage for the sys-tem, as shown in Figure 21-5.26_571737c21.qxd 7/2/04 8:58 PM Page 135Technique 21: Making Your Inner System Administrator Happy (And Productive)136The sa command generates a list showing a subsetof all commands. (Commands executed only onceand commands with unprintable characters aregrouped into an entry labeled ***other*.) To see acomplete list, use this command:# sa --list-all-namesTo summarize the list by user, use this command:# sa -mFor a quick overview of system usage that includesstatistics by percentage of resource used, use thefollowing command:#sa -cCombine the sa command with the grep command toshow usage of a specific program:# sa | grep programThe preceding command returns a report includingstatistics only on the command named. Keeping an eye on command usage can tellyou what people are up to. You can find out ifa lot of cping is going on that shouldnt be.These are just some of the options of the sa com-mand. For a complete list, check out the manpage man sa. Figure 21-5: The result set from the sa command.The columns in the result set (from left to right) con-tain the following information: Total number of invocations Total elapsed time Combined system and user time in seconds Average number of I/O operations (not currentlyused in some versions of Linux) Memory usage in 1K blocks Command name 26_571737c21.qxd 7/2/04 8:58 PM Page 13622 Spring CleaningEssentialsCleaning up is an essential part of running a secure and efficient sys-tem. You can use resources most efficiently if your system doesnthave an abundance of unused services hanging around in the back-ground, tying up CPU time. Unnecessary services are also an invitation tohackers. Can hackers exploit an open port youve forgotten about? In thistechnique, we explain the best ways to avoid these pitfalls by Tidying up the runlevel you work in most often: Linux runlevels arecollections of services that define your systems capabilities. Each run-level has a purpose. You can choose from the predefined runlevels orcustomize runlevels for your use. Shutting down the extra services inthe runlevel youre using saves CPU time and system resources. Shutting down unused services: When you leave an unattended serv-ice running, listening for a clients request, it can accept a request fromeither an approved user or a hacker. Shutting down the services thatdont need to be running is a good way to tighten system security.Thats because when you shut down services, you close off the extraopen ports youre not using and hackers cant use them either. Getting rid of old users stuff: Old files are another waste of resources why take up good disk space for outdated data? When users move onand you clean up, be sure to remove all their old files; otherwise, yourejust wasting space by storing data thats unlikely to be used again.The following sections are about cleaning house. By doing so, youll keepyour work environment neat, secure, and productive; and everyone willsave time! Running Down the RunlevelsYou can save time and make better use of your system resources by run-ning at the minimum runlevel you need. A runlevel is a collection of serv-ices. You can customize the services available at each runlevel to makethe most of your system resources.TechniqueSave Time By Customizing yourrunlevels Disabling unused serv-ices to close extra, openports Removing unused serv-ices with the ServiceConfiguration Tool Cleaning up after ex-users27_571737c22.qxd 7/2/04 8:59 PM Page 137Technique 22: Spring Cleaning Essentials138Before you make any changes to your config-uration, be sure that you have a workingemergency repair disk. If you dont, you mightlock yourself out of your computer withoutgiving yourself a way back in. See Technique 24for details on making a boot disk.1. From the Main Menu, choose System SettingsServer SettingsServices.Youre prompted for the superuser password.2. Enter the superuser password and click OK.The Service Configuration window opens,as shown in Figure 22-1. Use the ServiceConfiguration Tool to edit the services thatare enabled for your runlevel or to create anew runlevel. Figure 22-1: The Service Configuration window.3. To modify a runlevel other than the default (5),choose Edit Runlevel on the menu bar andselect the runlevel you want to customize.Runlevels 2 and 4 are user-definable Fedoraset them aside just for you. Be aware thattheyre not graphical, so youll be working atthe command line. If youre managing a Webserver, database server, or e-mail server, con-figure runlevel 4 to run only the services youRunlevel basicsMost Linux distributions define the followingrunlevels:0 Halt1 Single-user mode2 User-definable nongraphical3 Multiuser command line environment4 User-definable nongraphical5 Multiuser graphical environment6 RebootThe different runlevels are used for different reasons.If you need the system all to yourself for repairs orsystem maintenance, booting into runlevel 1 guaran-tees that youre the only user on the system. However,you have to work from a terminal window becauserunlevel 1 doesnt support a graphical interface.If you need to save on the system load and yourusers dont need a graphical interface, you can bootyour system into runlevel 3. If your application soft-ware doesnt need graphics capabilities, your userswill recognize the boost in speed they get from run-ning at the lower runlevel.For all the bells and whistles of a graphical environ-ment, boot your system into runlevel 5. Its definitelythe most comfortable user environment. You can usethe command line if you want, but the graphicaloptions are also available. (Runlevel 5 is the defaultrunlevel for Fedora, Mandrake, and SuSE systems.)Customizing runlevels in FedoraCustomizing a runlevel is easy in Fedora or SuSELinux, but its a little trickier in Mandrake. In thissection, we show you how to use Fedoras runleveleditor. If youre a SuSE or Mandrake user, skip aheadto the appropriate section.To turn Fedora services on or off or to edit the serv-ices included in your runlevel, follow these steps:27_571737c22.qxd 7/2/04 8:59 PM Page 138Running Down the Runlevels 139need you can still switch to runlevel 5 (anda graphical desktop) when you need to man-age your system.Defining a runlevel with only the services youneed to run on your system gives you a leaner,meaner machine. Your users will thank you forthe extra speed.4. Look at the Editing Runlevel indicator abovethe description frame to make sure the run-level displayed is correct. (You dont want toaccidentally edit the wrong runlevel.)5. To edit the runlevel services, scroll through thelist and disable the services your users dontneed or enable services that would be handy.You can enable or disable a service by checkingor unchecking the check box to the left of theservice. If the box is checked, the service is on.You can get a quick description of the serviceby highlighting the service name and lookingat the description box. Most of the descrip-tions are pretty informative.6. After youve changed the services for your newcustom runlevel, click the Save icon on thetoolbar.You now have a leaner, meaner runlevel towork in.Customizing runlevels in SuSESuSE Linux supports runlevels 1 through 6, butyou cant modify runlevel 4 without resorting to a command-line interface. SuSE also adds a fewnew runlevels: Runlevel B corresponds to the bootprocess, and runlevel S is another single-user run-level (just like runlevel 1, but you can customize theservices to create two distinct single-user runlevels). We strongly recommend that you dontchange any of the services in runlevel B (boot)or runlevel 0 (halt), or your system maybecome inoperable.If you need to customize runlevel 4 for somereason, see the man page for the chkconfigcommand.To turn SuSE services on or off, or edit the servicesincluded in each runlevel, follow these steps:Before you make any changes to your configu-ration, be sure that you have a working emer-gency repair disk. A working boot disk willgive you a way back into your system if youaccidentally lock yourself out. See Technique 24for details on making a boot disk.1. From the main menu, choose SystemYaST.Youre prompted for the superuser password. 2. Enter the superuser password and click OK.3. When the YaST Control Center appears, clickSystem (in the left-hand pane).4. Click Runlevel Editor, and then click ExpertMode.The Runlevel Editor displays the services installedon your computer, as shown in Figure 22-2. Figure 22-2: SuSEs Runlevel Editor.5. To start or stop a service, highlight the serviceand click the Start/Stop/Refresh button (nearthe bottom of the window).27_571737c22.qxd 7/2/04 8:59 PM Page 139Technique 22: Spring Cleaning Essentials140 Figure 22-3: The Mandrake Services editor.The name of each service is listed down the left-hand side. 5. If youre not sure what a particular servicedoes, click the Info button to see a shortdescription. 6. To start or stop a service, click the Start or Stopbutton on that row.7. To enable a service, check the box next to thewords On Boot or Start When Requested. Todisable a service, clear the check box. Remember, youre enabling (or disabling) theservice for multiple run levels, not just the cur-rent runlevel.The services labeled Start When Requested arenetwork servers that start when a client tries toconnect to those services. If you disable a net-work service, the client will typically display amessage such as Connection Refused. The serv-ices labeled On Boot are background processesthat run all the time.8. When youre finished, click OK to save yourchanges or Cancel to discard your changes, andthen close the Mandrake Control Center.Your changes will take effect the next time you bootyour computer. The column labeled Running displays Yes if agiven service is currently running or No if theservice is not running.The columns labeled B, 0, 1, 2, 3, 5, 6, and S indi-cate whether the service is enabled or disabledfor that runlevel. 6. To enable or disable a service, check (enable)or clear (disable) the check box next to the run-level you want to change. The check boxes are displayed below the list ofservices (refer to Figure 22-2). 7. When youre done customizing the runlevels,click Finish.8. When prompted, click Yes to save your changesand close the YaST Control Center.Customizing runlevels in MandrakeMandrake Linux offers a runlevel editor thats a bitdifferent. The graphical runlevel editors in Fedoraand SuSE Linux let you customize the set of servicesenabled for each runlevel. Mandrakes graphical edi-tor lets you enable or disable services for all run-levels. In other words, if you disable a service usingMandrakes editor, youve disabled that service forall runlevels. You can customize individual runlevels,but you have to resort to the command line to do it.See the next section for the details.To enable or disable services using the MandrakeControl Center, follow these steps:1. From the Main Menu, choose SystemConfigurationConfigure Your Computer.Youre prompted for the superuser password. 2. Enter the superuser password and click OK.3. When the Mandrake Control Center appears,click System.4. Click Services.The Services editor displays the services installedon your computer, as shown in Figure 22-3.27_571737c22.qxd 7/2/04 8:59 PM Page 140Disabling Unused Services 141Customizing runlevels at the command lineWe mention earlier that Mandrake users must resortto the command line to customize individual run-levels; this section describes how.The graphical runlevel editors are friendly and easyto use, but sometimes its faster to hit the commandline. Regardless of whether youre using Mandrake,Fedora, or SuSE Linux, you can use the chkconfigcommand to adjust the services available at a par-ticular runlevel. You can also use chkconfig to viewyour service configuration. You must have superuserprivileges to use the chkconfig command.To view the configuration for a service, use the com-mand: chkconfig --list service-name. For example,to view the runlevels for your Web server (httpd),type in# chkconfig --list httpdhttpd: 0:off 1:off 2:off 3:on 4:on 5:on6:offIf you leave off the service name, chkconfig willdisplay all services.To enable a service for a given runlevel, use the com-mand: chkconfig --level runlevel service-name on.For example, to enable your Web server at runlevel 2,type in# chkconfig --level 2 httpd onTo disable a service for a given runlevel, use thecommand: chkconfig --level runlevel service-name off. If you want to disable your Web server atlevel 5, type the command# chkconfig --level 5 httpd offSwitching to a new runlevelTo change into your new runlevel, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command.2. Enter the following command:# telinit runlevelFor example, to switch to runlevel 2, use this:# telinit 2Your system reboots and presents you with acommand line to log in.Any runlevels lower than 5 arent graphical.If you dont like the new runlevel, use the telinitcommand to return to the previous runlevel and thenfine-tune the service settings to better suit your needs.Disabling Unused ServicesMost services leave open ports that can be exploitedby hackers. Shutting off the services that you dontuse regularly is a good way to close ports that hack-ers could use to gain access to your system.If you use a service infrequently, just turn itoff. It is still available when you need it youcan turn it on with a few clicks of the mouse,and off again when youre done. If you neveruse a service, youre better off removing italtogether. See the next section for details onremoving services.If you find a service that you dont think youll need,we recommend disabling it for a while before youremove it, just in case you change your mind later.Here are some services that you might want todisable:You may not see all of these services on yourcomputer (depending on the software pack-ages youve installed), or you may see a fewthat we havent listed here. acpid: This service controls what happens whenyou press the power button on your computer.The configuration file for this service is empty bydefault, so acpid doesnt actually do anything.(See info acpid for more information.)27_571737c22.qxd 7/2/04 8:59 PM Page 141Technique 22: Spring Cleaning Essentials142in 1972.) Unless youre developing network soft-ware, you can safely disable this service. echo-upd: This service is the same as echo,except it services UDP clients instead of TCPclients. Unless youre developing network soft-ware, you can safely disable this service. irda: If you have a laptop, it most likely has aninfrared port built in. If you dont use it (or youdont have one), disable irda. irqbalance: This service balances the workloadon a multi-CPU computer. If you have only a sin-gle CPU, disable irqbalance. isdn: This service manages ISDN network con-nections. If you dont have an ISDN connection,you dont need this service. ktalk: This is the KDE talk server service. If youdont chat with other users on your computer,disable ktalk. lisa: lisa discovers SMB (Samba) computers onyour local network, giving you a Linux equivalentto the Windows network neighborhood. If youdont have any SMB servers (that is, Samba orWindows servers), you can do without lisa. nfs: The NFS server service provides NFS filesharing to other NFS computers. NFS is a fre-quent target for hackers, so if you dont use NFSsharing, disable NFS (and the nfslock service). nfslock: This service provides file locking forthe nfs service. If youve disabled nfs, disablenfslock too. ntpd: This service synchronizes the date/timeclock on your computer with network timeservers. Enable this protocol if you want to stan-dardize your computers clock with the rest ofthe world, or disable it if youre happy settingthe clock yourself. rawdevices: This service is used by high-performance database servers to access yourhard disk without going through the normal filesystem route. If youre not using a program thatneeds raw disk access, disable rawdevices. apmd: This service monitors the battery level onlaptop computers. If youre not using a laptop,you probably dont need apmd. atd: This service runs jobs that youve sched-uled with the at command. If you dont use theat command, disable this service. autofs: This service automatically mounts filesystems when you first use them. If youre notusing automount file systems (and unless youveconfigured them yourself, youre not), turn offthis service. autofs and the related automountsystem are frequently targeted by hackers. chargen: This silly little network service simplygenerates a stream of characters whenever aclient connects. You can safely live without thisservice. chargen-udp: chargens cousin, this servicesends a stream of characters to a UDP-connectedclient. If you disable chargen, disable chargen-udp as well. cups: This service is the Common UNIX PrintingSystem. If youre not printing anything, you dontneed cups. (You can always turn it back on laterif you need it.) cups-lpd: This service provides an lp-style inter-face to cups. (lp is an older printer protocol.) Ifyou arent sharing printers with other UNIX sys-tems (systems that use the lp protocol), disablethis service. daytime: This network service tells a client com-puter what time it is (at least, what time yourcomputer thinks it is; if youre like us, your VCRalways thinks its 12:00 and so do your comput-ers). daytime is rarely used you can safely dis-able this service. daytime-upd: This service is the same as daytime,except it works with UDP clients instead of TCPclients. Because this protocol is rarely used, youcan safely disable this service. echo: This is another silly network service thatechoes client input back to the client. (Its inter-esting to note that this service and the chargenservice were both proposed by the same person27_571737c22.qxd 7/2/04 8:59 PM Page 142Removing Unneeded Services 143 rsync: rsync is a package that speeds up filetransfers by sending only the differences betweentwo versions of the same file. Disable this serviceif you arent running an rsync server. saslauthd: SASL is an authentication protocolused by mail servers (and other networkservers). If you know you dont need it, disableit; if youre not sure, leave it alone. sendmail: The sendmail service moves e-mailfrom your machine to other machines (that is, itdelivers the e-mail that you send). If you arentsending e-mail from your Linux computer oryoure using a different mail server, you cansafely disable sendmail. services: This service provides a listing of allthe network services that your computer pro-vides to other clients. Disable this service unlessyou know that you need it. smb: If your computer acts as a Samba server(see Technique 11), you need the smb service. Ifnot, you can safely disable this service. snmp: This service is the Simple NetworkManagement Protocol (SNMP) daemon. It serv-ices network management requests. If youreunsure whether you need this, disable it for now(SNMP has been the target of some hackattacks). snmptrapd: This is another component of SNMP.If you disabled snmp, you can disable snmptrapdtoo. swat: SWAT is a miniWeb server that you use toconfigure the Samba server. If you arent runninga Samba server, disable swat. time: This service is similar to the daytimeservice. It sends the current date and time (inseconds, since midnight January 1, 1900) to anyclient that connects to it. You can safely disablethis service. time-udp: This service is the same as time, exceptit serves UDP clients instead of TCP clients. Youcan safely disable this service as well. winbindd: This service pulls user account infor-mation from Windows servers, letting you useyour Windows user name and password on aLinux computer. If you arent intimately sharingauthentication information with a Windowsserver, disable winbindd.Removing Unneeded ServicesHaving extra, unused services on your system canbe a security risk. You may have a service disabledat the moment, but a hacker or Trojan horse canturn it on and exploit its open ports.If you find an obscure service that youll neveruse, remove it so its not available for exploita-tion by a hacker or a Trojan horse.Removing the services you dont need is a good wayto secure your system. Dont worry about removing the services youarent using now. Services are easy to reinstallif you find you need them.If youre a Fedora user, you can use the same ServicesConfiguration Tool that you use to start or disableservices (or configure a custom runlevel) to com-pletely remove services.To remove a service, Fedora users follow thesesteps:1. Open the Main Menu and choose SystemSettingsServer SettingsServices.Youre prompted to enter the root password.2. Type in the root password and click OK.The Service Configuration window opens. 3. Highlight the service you want to remove andchoose ActionsDelete Service from the menubar (see Figure 22-4).27_571737c22.qxd 7/2/04 8:59 PM Page 143Technique 22: Spring Cleaning Essentials144Removing Old Usersand Their FilesWhen users leave, the clutter they may be leavingbehind can tie up valuable system resources. Whystore all of their old files, which arent important any-more, when you can use the disk space for fresh data?After youve made sure that youve saved any of theex-users important documents, you can remove alltraces of these users and their files with a few mouseclicks. Removing (and adding) user accounts is easy,and each distribution provides a graphical tool thatallows you to manage users without resorting to acommand line.In this section, we show you how to remove useraccounts with the Fedora User Manager. If yourea Mandrake user, use the Mandrake User Manage-ment tool (found in the main menu at SystemConfigurationOtherUser Administration). IfSuSE is your favorite flavor, use the User and GroupAdministration tool in YaST (SystemYaSTSecurity and User.A quick follow-up with kfind will find any filesthat former users might have stashed on yoursystem, but that are off the beaten path.Before removing a users account, make noteof his or her user ID. Youll need it to clean upafter deleting the account.To remove an old user account, follow these steps:1. Open the Main Menu and choose SystemSettingsUsers and Groups.Youre prompted for the root password.2. Enter the root password and click OK.The Fedora User Manager opens, as shown inFigure 22-5.3. To delete a user, highlight the users name in thelist and click the Delete button (on the toolbar). Figure 22-4: The Actions drop-down menu.A pop-up window appears asking you to verifythat you want to remove the service.4. Click Yes to remove the service, and in a snap,the service is gone!If youre a SuSE or Mandrake user, you can removea service from the command line by following thisprocedure:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Type in the following command and pressEnter:# /sbin/chkconfig --del service-nameYou can also use the chkconfig command on Fedorasystems if you dont want to take the time to startthe Services Configuration Tool.When you delete a service with the ServicesConfiguration Tool, the underlying programsremain on your system; youve deleted onlythe startup and shutdown scripts for the serv-ice. If you want to completely remove theservice and its underlying programs and datafiles, erase the package with the rpm com-mand (see Technique 17).27_571737c22.qxd 7/2/04 8:59 PM Page 144Removing Old Users and Their Files 145Youre asked to verify that you want to removethe user, as shown in Figure 22-6.4. Check the Delete Users Home Directory box ifyou want to remove the users old belongings.Be sure that you dont need any of the usersold belongings. This is a good time to refer toTechnique 50 and back up the users homedirectory before deleting it.5. Click Yes to remove the users identity andhome directory. Figure 22-5: The Fedora User Manager. Figure 22-6: Verify that you want to remove the usersaccount.After the user is removed from the user list, and hisor her home directory is gone, you can use kfind tosearch for any orphaned files that the user may haveleft in other directories. To search for other files, fol-low these steps:1. Open the Main Menu and choose Run Command. 2. Enter kfind in the Command field and click Run.The KFind window opens (see Figure 22-7) to theName/Location tab. The Name field should con-tain a *. Enter a / in the Look In field. Figure 22-7: The KFind window.3. Click the Properties tab, and enter the user IDof your ex-user in the Files Owned by User field.4. Click the Find button, and the search begins.When the search is complete, the frame at thebottom of the window displays all the now-orphaned files previously owned by the ex-user.5. Right-click the filename to open a pop-up menu,displaying the filename at the top, followed byyour file management choices: Copy Delete Open Directory Open With Open Properties27_571737c22.qxd 7/2/04 8:59 PM Page 145Technique 22: Spring Cleaning Essentials146It might be prudent to consult with the othermembers of that group before deleting the file.9. If the list includes files that you cant recognizeby filename or location, you can Open the file and manually inspect the con-tents. Depending on how prolific the ex-userwas, this might be the best option to startwith. However, if the user left you with hun-dreds of files, youll probably want to use theother option. Narrow the inspection a bit by deleting thethings that arent important. Right-click thefilename and choose Open from the pop-upmenu. Youre treated to a view of the file, inthe default viewer for that type of file.If you see a listing with /proc/processID inthe In Subdirectory column of the result table,it means that the ex-user still has a processrunning somewhere on your system. Make anote of the process ID so you can use KDESystem Guard to kill off the process. (SeeTechnique 41 for complete details; see the fol-lowing steps for the short version.)To kill off abandoned processes, follow these steps:1. Open a terminal window and gain superuserprivileges with the su command.2. Type the following command and press Enter:# ksysguardThe KDE System Guard window opens, as shownin Figure 22-9.3. Click the Process Table tab to move to a list ofcurrently running processes, and look for theprocess ID in the PID column.4. When youve found the process ID, highlightthe entry for that process and click the Killbutton.A dialog opens asking if you really want to killthe selected process (see Figure 22-10).You can delete old system files that containconfiguration information and preferences foryour ex-user without much concern for inter-fering with other users, but most other filesshould be investigated more closely. 6. To delete an old file, choose Delete from thepop-up menu.Youre asked to confirm the deletion. Click Yes todelete the file.You can select multiple files by holding downthe Shift key and highlighting the files with amouse click (or by using the arrow keys toselect multiple files). Then right-click the filegroup and choose Delete from the pop-upmenu. Youre asked to confirm the deletion.Click Yes, and the files disappear quickly!7. If you see files in the list that may contain workor data important to others, right-click andchoose Properties from the pop-up menu toopen the Properties dialog (see Figure 22-8). Figure 22-8: The Properties dialog.8. Click the Permissions tab to view the file own-ership information, and note the name of thegroup that owns the file.27_571737c22.qxd 7/2/04 8:59 PM Page 146Removing Old Users and Their Files 1475. Click Kill to confirm your choice.The process is terminated. Figure 22-9: The KDE System Guard window. Figure 22-10: Confirm the process termination.With a little vigilance, youll avoid the piles of filesthat ex-users can amass on your system and savethe resources for the users that need them.27_571737c22.qxd 7/2/04 8:59 PM Page 14727_571737c22.qxd 7/2/04 8:59 PM Page 148Part IVTweaking the Kernel onYour Linux System28_571737p04.qxd 7/2/04 9:04 PM Page 14928_571737p04.qxd 7/2/04 9:04 PM Page 15023Technique Taking Good Care of Your KernelThe kernel is the software core of your computer. Kernel modulesmake up the software interface between your system hardware andthe system software. On a fresh Linux installation, over 900 kernelmodules are ready to load into your kernel. The actual number may varydepending on the specific hardware that Linux finds when it sets uphousekeeping, but on our Fedora system, 968 modules exist.You can also download and install new kernel modules. You can findmany open-source modules bouncing around the Web that do everythingfrom silencing annoying beeps to enabling wireless network cards. Thebeauty of the system is the flexibility that kernel modules provide thecomputer industry. Every time a new piece of hardware is invented, youdont have to modify and rebuild the Linux kernel you just add a newmodule.Manipulating kernel modules is quick and simple, thanks to a series ofcommands that work at the command line to update your kernel withouta complete rebuild. You can also find-tune your kernel by using the boottime parameters. Boot time parameters are the kernel options that areenforced every time you boot your system. Not all features are modules, and you may want your kernel to be config-ured so that some features cant be changed. If that is the case, a com-plete kernel rebuild is called for (see Technique 24 for information aboutbuilding a kernel from scratch). If you can get by with a simple patch tothe kernel, this is the technique for you. In this technique, we introduceyou to the commands that let you customize your kernel quickly andeasily. Save Time By Manipulating your kernelon the fly Using your boot timeparameters to custom-tailor your kernel29_571737c23.qxd 7/2/04 9:04 PM Page 151Technique 23: Taking Good Care of Your Kernel152LISTING 23-1: VIEWING MODULE INFORMATION WITH MODINFO# modinfo iforcefilename: /lib/modules/2.4.22-1.2115.nptl/kernel/drivers/char/joystick/iforce.odescription: USB/RS232 I-Force joysticks and wheels driverauthor: Vojtech Pavlik, Johann Deneuxlicense: GPLInstalling a module with insmodThe insmod command installs a module into a run-ning kernel (or at least tries to). The typical com-mand syntax is# insmod modulenameTaking care of dependencies automaticallywith modprobe and depmodWe said that insmod tries to install a module, but itsnot always successful. Some modules depend onother modules. For example, if you want to load theIforce joystick driver, you must first load the genericserial joystick driver and USB driver. If you try toload a module with unsatisfied symbols, you seeerror messages like this:unresolved symbol serio_close_R393d70c3unresolved symbol serio_open_R17abfb2funresolved symbol serio_unregister_deviceunresolved symbol serio_register_deviceDeciphering these messages can be nearly impossible. Fortunately, modprobe solves dependency problemsfor you. The modprobe command works with theinformation computed by depmod to automaticallyload any dependent modules.Adding and Removing KernelModulesLinux contains some handy commands you can useto manipulate your kernel while its running. The ker-nel module tools make it easy to experiment withkernel changes without making any lasting or perma-nent changes.These commands dont make permanentchanges to your kernel; the changes last onlyuntil you reboot. To automatically implement achange at boot time, you need to add thechange to a startup script. For the quickestway to make a change to your system startupscript, check out Technique 26, where weshow you a couple of easy-to-follow examplesin the section about closing down securitygaps with /proc.To use the kernel tools, you need to open a terminalwindow and give yourself superuser privileges withthe su - command. Be sure to include the hyphen,which ensures that the module tools are on your$PATH search path.Learning about modulesYou can find out what kernel modules are on yoursystem by entering the following command: # ls -R /lib/modules/$(uname -r)If you dont have the kernel module that youneed to control a device or configure a pieceof hardware, do a Google search for the kernelmodule you need. Lots of modules are avail-able on the Web.The modinfo command displays all sorts of informa-tion about a kernel module, as shown in Listing 23-1.29_571737c23.qxd 7/2/04 9:04 PM Page 152Adding and Removing Kernel Modules 153depmod computes the interdependencies among kernel modules and writes the results to /lib/modules/$(uname -r)/modules.dep. The modprobecommand reads dependency information from thatfile. depmod runs each time you boot your system sothe dependency database is always up-to-date,unless you build or install a new module. To rebuildthe dependency database, use the following command:# depmod -aAs we mention earlier, modprobe uses the informationgathered by depmod to automatically load any mod-ules dependent on the one you want to use. The syn-tax for modprobe is essentially the same as the syntaxfor insmod:# modprobe modulenameIf any of the dependencies cant be resolved, modprobe gives up and undoes any of the work itsalready done.Loading a module for a slightly different kernel with insmod and modprobeBecause modprobe automatically resolves anydependencies for you, why would you ever want touse insmod? Every kernel module is compiled for aspecific kernel version. Occasionally, you run into amodule thats compiled for the wrong kernel, butyoure pretty sure it will work with your version.(For example, you may find a great sound carddriver compiled for kernel version 2.4.22-1.2115.nptl, and youre running 2.4.22-1.2116.nptl.) If youtry to modprobe a module with the wrong version,modprobe wont do it. You can force insmod to loadthe module (even though its been built for thewrong version) by including the --force option onthe command line:# insmod --force iforceBut, insmod will still complain about unresolveddependencies. Dont give up you can still use modprobe to do the hard work for you. Just use the -n and -v options:# modprobe -n -v iforceinsmod input.oinsmod usbcore.oinsmod serio.oinsmod iforce.oWhen you use the -n and -v options, modprobe showsyou the insmod commands that you need in order toload dependent modules in the correct order (but itdoesnt actually execute those commands). Now youcan execute those commands yourself; just be sureto include the --force option when you load the mis-matched module:# modprobe -n -v iforceinsmod input.oinsmod usbcore.oinsmod serio.oinsmod iforce.o# insmod input.o# insmod usbcore.o# insmod serio.o# insmod --force iforce.oThe lsmod command displays a list of the modulesthat are currently loaded on your system (see Figure 23-1). Figure 23-1: Currently loaded kernel modules.29_571737c23.qxd 7/2/04 9:04 PM Page 153Technique 23: Taking Good Care of Your Kernel154kernel arguments (note, you have only a few sec-onds before the boot loader starts your kernel). Ifyoure running Mandrake or SuSE Linux, press theEsc key (while the boot selection screen is dis-played) to reach the Linux boot prompt.If you have multiple kernels or multiple oper-ating systems installed on your system, theyredisplayed on the boot loader selection screen. The Linux kernel supports a huge variety of optionsand parameters, but you only need to know about afew of them. To find a complete (though slightly unattrac-tive) list of boot time parameters, install thekernel-doc RPM package, which is includedwith most Linux distributions. You find the listin /usr/src/linux-$(uname -r)/Documentation/kernel-parameters.txt.Just open the file with your favorite editor. The default command line for Fedora is as follows:grub append> ro root=LABEL=/ rhgbIf youre running Mandrake or SuSE Linux, thedefault command line will differ slightly. Table 23-1 lists various parameters that you maywant to use to alter the default command line. Youcan change the kernel command line to modify theway your Linux kernel boots, or to change the waythe Linux kernel runs after its done booting.Removing modules with rmmodThe rmmod command removes a loadable modulefrom the kernel. You cant remove a module if its inuse (lsmod will tell you whether or not the module isbeing used). To remove a module, use the followingcommand:# rmmod modulenameWhen you delete a module, its still on your com-puter; its just not loaded into the kernel.Manipulating Boot TimeParametersThe Linux kernel is a program just like any otherprogram (well, maybe thats a bit of oversimplifica-tion): It has a command line, and you can specifyoptions and parameters to the kernel when you bootyour system. Each time you boot your system, the boot loaderpauses for a moment at the boot selection screen you usually hit Enter (or just wait for the built-intimer to expire) when you see the selection screen,and your computer happily boots the Linux kernelusing the default boot parameters. Linux can do a lotmore. If youre running Fedora Linux, press the A key whilethe boot selection screen is displayed to modify theTABLE 23-1: FEDORA BOOT-LINE PARAMETERSTo Do This Make This Change to the Timesaving Bonus InfoDefault Linux Command LineView detailed boot Remove the rhgb (Red Hat Removing rhgb saves a little bit of boot time, and you messages (Fedora only). Graphical Boot) from the have a better starting point if you have to investigate a end of the command line. boot problem.29_571737c23.qxd 7/2/04 9:04 PM Page 154Manipulating Boot Time Parameters 155To Do This Make This Change to the Timesaving Bonus InfoDefault Linux Command LineView detailed boot Remove splash=silent from Enabling detailed boot messages can help you pinpoint messages (SuSE or the command line. the cause of a boot problem.Mandrake).Make a menu of screen size Add the vga=ask option to the Choose a larger screen resolution to fit more text on the options appear when you end of the command line. screen. If you like a certain text size, you can make the boot. For example: change permanent by changing the menu.lst file in the grub append> ro root= /boot/grub directory. To do so, open the file with your LABEL=/ rhgb vga=ask favorite text editor and append your changes to the linestarting with the word kernel. Save the file when yourefinished, and next time you boot, the changes take effect.Be careful when you change this file because its easy tomake your system hard to boot.Include more details in the Add the word debug to the If youre having problems booting, this is a quick way boot process as the system command line. to find the problem. boots. For example:grub append> ro root=LABEL=/ rhgb debugIf you dont use any USB Add the no usb command. You may gain a bit of CPU performance. Warning: Makedevices, you can turn off For example: sure you dont depend on USB devices (like mice) the USB device modules. grub append> ro root= before you disable this module.LABEL=/ rhgb no usbTurn off power- Add the acpi=off command You may want to do this if your laptop powers off management to the GRUB command line. intermittently or has battery problems (even when its control features. For example: plugged in).grub append> ro root=LABEL=/ rhgb acpi=offBoot into a runlevel other Add the runlevel (15) to the Server machines typically dont need a graphical environ-than the default. end of the command line. ment most of the time (why run X Windows on a mail or For example: Web server?). Specify the runlevel on the command grub append> ro root= line if you need to do system maintenance work and want a LABEL=/ 5 friendly desktop environment. See Technique 22 for moreinformation about runlevels.Boot into single-user mode Add an S to the end of the This is incredibly handy if you forget the root password. without a password. command line. When youre at the command line, you can change the For example: root password with the command sh-2.05b# passwd. grub append> ro root= Enter a new password and confirm the new password when LABEL=/ rhgb S prompted. When youre finished, type the command sh-2.05b# reboot to reboot the system so you can log inwith your newly assigned password. Warning: Anyone canuse the S option. Be sure you know who has physicalaccess to your computer because with this tidbit of knowl-edge, anyone can bypass the root password.(continued)29_571737c23.qxd 7/2/04 9:04 PM Page 155Technique 23: Taking Good Care of Your Kernel156TABLE 23-1 (continued)To Do This Make This Change to the Timesaving Bonus InfoDefault Linux Command LineBoot into emergency repair Add the word emergency to the Boot into emergency mode if you discover a problem mode. end of the command line. that prevents you from booting into single-user (or multi-For example: user) mode. When you boot into emergency mode, Linux grub append> ro root= does not run any of the normal startup scripts youre LABEL=/ emergency dumped at a command line, and youre ready to fix what-ever it is thats gone wrong.29_571737c23.qxd 7/2/04 9:04 PM Page 15624 Creating a CustomKernelFedora is a collection of applications, daemons, and drivers with aLinux kernel at the core. The kernel deals with hardware and pro-vides basic functions such as creating processes, managing privi-leges, and managing file systems.In most cases, you dont need to build your own kernel plenty of well-configured kernels are available for use. You may need features thatarent currently supported by the kernel included in the most recentFedora release. You may want to Add support for unusual hardware USB scanners, cameras, joy-sticks, and sound cards. Use additional encryption features that arent part of the standardFedora kernel. Explore alternative file systems. Omit drivers for devices you may never have. Omit amateur radio support unless youre really into amateur radio.Many kernel features are included in the form of modules chunks ofcode that are not loaded until you actually use the features. Modules donttake up a lot of space if you dont use them, but removing the unused mod-ules will save you time when youre rebuilding the kernel. You can also gainsome security by omitting modules that you dont need.In this technique, we show you how to build a kernel customized for yourneeds, based on a safe and sound prototype, and with all the drivers thatyou need to get your work done quickly.TechniqueSave Time By Building a custom kernelthat suits your needs Adding the kernel sourcecode and dependenciesin one easy step with thePackage Manager Adding device drivers ornew file systems to yourkernel30_571737c24.qxd 7/2/04 9:05 PM Page 157Technique 24: Creating a Custom Kernel158Step 1: Making an EmergencyPlan, or Boot DiskBefore building a custom kernel, you need to makea boot disk. A boot disk gives you a way back intoyour system in a kernel emergency. If youre running Mandrake or SuSE Linux, you can also create a res-cue disk. A rescue disk is similar to a boot disk, butit also contains diagnostics that can tell you a littlemore about your computer if you run into boot prob-lems. The process of creating a boot (or rescue) diskvaries by distribution.To make a boot disk on a Fedora or Mandrake com-puter, follow these steps:1. Insert a floppy disk in your drive, open the ter-minal window, and give yourself superuserprivileges.2. Type the following command:# /sbin/mkbootdisk `uname -r`After some whirring and clicking, your floppy isbootable. 3. To test the floppy (a good idea), shut downcompletely and restart. To make a rescue disk on a Mandrake system, followthis procedure:1. Insert a floppy disk in your drive, open the ter-minal window, and give yourself superuserprivileges.2. Type the following command and press Enter:# /sbin/mkrescue3. To test the floppy (a good idea), shut downcompletely and restart. If youre running SuSE Linux, use the YaST controlcenter to create a boot disk or a rescue disk (or both):1. Open the main menu and choose SystemYaST.Reconfiguring Your Kernel Ready, Set, Go!The kernel thats included with the Fedora release isa well-functioning and stable piece of software versatile, dependable, and sturdy. But what if itdoesnt include the functionality you need?No problem you can just rebuild it. Stick with us,and well show you how to make it bigger, better, andstronger . . . whatever you need.The process of rebuilding your kernel involves sev-eral steps, and each step is covered in the followingsections. Heres an overview of the process:1. Make a boot disk.2. Find the source code.3. Configure the new kernel.4. Customize the kernel.5. And, finally, build the kernel.Peeling onionsThe Linux operating system is like an onion. If you peelaway the outer layers (the KDE desktop, the bash shell, andso on), you find a layer of operating system libraries. Thelibraries provide commonly used functions that enableapplications to find things like the current date, the IPaddress of a given host, and so on. Underneath the library layer is a set of system calls, which arefunctions that perform low-level operations like changingyour user ID, allocating more memory, and opening a file. At the core of the onion, you find the kernel. The kerneluses device drivers to manage system hardware. The kernelalso schedules disk I/O and CPU usage, responds to exter-nal signals, creates and tears down processes, and performsother low-level operations. But the kernel itself is layered,too. The Linux kernel has a portable layer that runs on anycomputer. At the very center of the onion is a hardware-dependent layer that is customized for each CPU (Intel x86,PowerPC, StrongARM, and so on).30_571737c24.qxd 7/2/04 9:05 PM Page 158Step 1: Making an Emergency Plan, or Boot Disk 1592. When the YaST control center appears, clickSystem (in the left-hand pane).3. Click Create a Boot, Rescue, or Module Floppy.4. Follow the on-screen instructions to create aboot floppy, rescue floppy, and module floppy.You may need to boot into your computersBIOS setup mode to change the boot sequenceto test the floppy. How you enter setup varieswith your machine, but instructions are typicallydisplayed on-screen at boot time.You can also use the first install disc of your distri-butions CD (or DVD) collection to boot into rescuemode.To boot into rescue mode on a Mandrake system, fol-low these steps:1. Place the first install disc in the CD/DVD drive.2. Power up your system.3. When you see the Press for moreoptions prompt, press F1.A screen full of help text appears, followed bythe boot prompt (boot:).4. Type rescue and press Enter.Booting into rescue mode on a SuSE system is similar:1. Place the first install disc in the CD/DVD drive.2. Power up your system.3. When the boot menu appears, use the downarrow key to highlight Rescue System andpress Enter.4. When prompted, choose your preferred lan-guage from the menu and press Enter.To boot into rescue mode on a Fedora computer:1. Place the first install disc in the CD/DVD drive.2. Power up your system.3. When the boot: prompt appears, type in thefollowing command and press Enter:boot: linux rescue(Dont type the word boot:, thats the bootprompt just type in linux rescue and pressEnter.)4. When prompted, choose your preferred lan-guage from the menu and press Enter.5. Choose your keyboard type from the menu andpress Enter.6. At this point, Fedora asks if you want to startthe network devices in your computer. ChooseYes or No (use the left- and right-arrow keys toselect the option that you want) and pressEnter to continue.Fedora will try to find the root file system on yourhard drive and mount that file system so that youcan carry out any repairs that you need to make.If you want to poke around a little without endan-gering anything on your hard drive, tell Fedora tomount the root file system in read-only mode.7. Choose the mount mode you prefer (chooseContinue to mount your root file system in read/write mode, Read-Only to safeguard your filesystems, or Skip to tell Fedora not to mountyour root file system).If Fedora locates and mounts your root file system, you can find it in the directory /mnt/sysimage. If you look in that directory, youll seesubdirectories such as /mnt/sysimage/bin, /mnt/sysimage/boot, /mnt/sysimage/dev, and so on.Those subdirectories correspond to the /bin,/boot, and /dev directories on your computersroot file system.Regardless of which distribution youre using, afteryouve booted into rescue mode, you eventually endup at a command line. From there, you can mountyour root file system (and any other file systemsthat you may need), make any repairs that you need,and reboot.30_571737c24.qxd 7/2/04 9:05 PM Page 159Technique 24: Creating a Custom Kernel160Step 3: Configuring a New KernelAfter making a boot disk and installing your sourcecode, its time to configure a new kernel. To build a custom kernel, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Type the following command and press Enter:# cd /usr/src/linux-2.4If youre using a kernel version newer than 2.4, cdto that directory instead.3. Type the following command and press Enter:# make mrproperThis command cleans up any remnants of previ-ous builds that might confuse your new build.4. Identify the type of processor in your computer:# uname -pThe command displays the processor type thatyoure currently using (we assume i686 in theexamples that follow).5. Copy the configuration file that matches yourprocessor type into your current directory:# cp configs/kernel-2.4.22-i686.config.configBy using a predefined configuration file, yournew kernel starts out in a well-defined and func-tional state.6. Type the following command and press Enter:# make oldconfigThis step runs for a while and displays a ton ofmessages. Just ignore the messages and grabsome caffeine. Step 2: Finding the Source CodeTo rebuild the kernel, you first need to be sure thatthe source code for the kernel is on your system.Fedora distributes the kernel source in the form ofan RPM package. You could use the Red Hat PackageManager to install the kernel source package byhand, but youd also need to install a number ofdependencies. Heres an easier way:Reusing the kernel that is included with thelatest distribution saves time. Its a lot faster toalter a kernel you already have handy than togo through the work of downloading, cus-tomizing, and building a whole new kernelfrom scratch.1. Open the Main Menu and choose SystemSettingsAdd/Remove Applications.2. Enter the root password when prompted. The Package Manager checks the system forinstalled packages and opens the Add or RemovePackages window, showing both the installedand available packages.3. Scroll down the list and check the box next toKernel Development.4. Click the Update button.The System Preparation dialog opens.5. Click the Continue button.If prompted, insert the required disc and click OK.When the installation is complete, a confirmationwindow is displayed.The Add/Remove Applications tool may getconfused if youre installing software from aDVD instead of a CD. If the disc youre usinggives you trouble, just insert it and let theautorun procedure start. Then follow the setupwizard to install additional packages. 30_571737c24.qxd 7/2/04 9:05 PM Page 160Step 4: Customizing the Kernel 161Step 4: Customizing the KernelWhen youre done with the preceding steps, youreready for the fun part: customization. Heres how itworks:1. Enter the following command:# make menuconfigThe Linux Kernel Configuration window opens,as shown in Figure 24-1. Figure 24-1: The Linux Kernel Configuration window.If you run into some documentation that suggests make xconfig rather than make menuconfig, ignore it. xconfig has a nice userinterface, but in the 2.4 kernel series, it has aserious flaw that will cause you all sorts of grief.2. The menuconfig window (refer to Figure 24-1)displays a list of feature groups. Use the arrowkeys to move up and down through the list andpress Enter to select the highlighted group. The left- and right-arrow keys move you throughthe , , and choices at thebottom of the window. To return to the previousscreen, choose .When you select a feature group and press Enter,you see the list of features within that group (seeFigure 24-2). To the left of each feature, you seean indicator that shows the state of the feature(see Table 24-1). Figure 24-2: The File Systems submenu.TABLE 24-1: MENUCONFIG INDICATORSIndicator Description[ ] The feature is not selected and wont beincluded in the new kernel. You can build thefeature as a loadable module.[*] The feature will be included (and can only becompiled) in the new kernel. < > The feature is not selected and wont be compiled as a loadable module. The feature will become a loadable kernel module.Indented lines show separate components of afeature. You cant enable a component withoutthe parent feature.The button displays a help screen thatdescribes the highlighted feature. Most featuresare well documented and include links to moreinformation, as shown in Figure 24-3.Finding features in the Kernel Configurationmenu is like digging around in an old attic.Youll find features for technologies that arelong since retired or so obscure that the aver-age human will likely never know anyone whoneeds them. Still, if you do need them, theyrehere just look around.30_571737c24.qxd 7/2/04 9:05 PM Page 161Technique 24: Creating a Custom Kernel1622. Enter the following command and press Enter:# make cleanThis command cleans up old unwanted files toprepare for the build.3. Choose a name for your new kernel (typically,just add the current date to the end of thename). Use your favorite editor to change theEXTRAVERSION variable in the Makefile file. Touse kate (a KDE-friendly editor), type in the fol-lowing command and press Enter:# kate Makefile4. Add the date to the end of the EXTRAVERSIONvariable (after the word custom).EXTRAVERSION=-1.2115.nptlcustom012504Save the file and close the editor.5. At the command line, type the following com-mand and press Enter:# make bzImageThis step takes quite a while, possibly a fewhours, because youre compiling most of the ker-nel source code here.6. Type the following command and press Enter:# make modulesThis compiles the source code for the kernelmodules that you selected. This step also takessome time. You did make a boot disk and test it, right? If not, stop what youre doing, go back toStep 1: Making an Emergency Plan, or BootDisk, earlier in this technique, and follow thesteps there. 7. Type the following command and press Enter:# make modules_installThis step installs the new kernel modules. Dontworry youre not replacing your current ker-nel; youre just adding another choice. Figure 24-3: The Configuration help screen.3. Make any changes that you want.A couple of useful features to point out are alter-nate file systems and USB support for otherwiseunsupported devices (such as cameras or USBscanners).If you have a single CPU in your machine,(which is likely), you should choose to disableSMP support in your new kernel. This featureis included on the Processor Type and Featuresmenu and is labeled Symmetric Multiprocess-ing Support. Click the button next to the nbefore continuing. 4. When youve chosen the options you want toinclude in your new kernel, choose andsave your work.Step 5: Building the KernelNow its time to start building the kernel. (Note:Some of these steps will run for quite some time, soyou better grab a donut.) Follow these steps:1. At the command line, enter the following com-mand and press Enter:# make depThe make dep command computes dependenciesfor the features that have changed.30_571737c24.qxd 7/2/04 9:05 PM Page 162Step 5: Building the Kernel 1638. Type the following command and press Enter:# make installThis step copies the new kernel into place andadds the kernel to your boot menu. 9. To use the new kernel, reboot and highlight thenew kernel in the list of choices. Then pressEnter.Your system boots with the newly built kernel.Building kernels can be a tricky business. Ifyou experience trouble at boot time (kernelpanic!), reboot into your old kernel, and trybuilding the new kernel again.Write down error messages! You can Googlefor them later to see if other Linux users havehad similar problems and published work-arounds on the Web.30_571737c24.qxd 7/2/04 9:05 PM Page 16325Save Time By Exploring the principles ofSELinux Understanding SELinuxterminology Disabling or disarmingSELinux Finding out about yoursecurity policyTechniqueCoping with theSELinux SecuritySystemFedora Core 2 includes a new enhancement to the Linux kernel:SELinux. Other distributions will incorporate SELinux in laterreleases. You may not have to worry about it now, but this techniquewill come in handy later. The SE in SELinux stands for Security Enhanced.The driving force behind SELinux has been the National Security Agency(NSA), which developed SELinux and donated the code to the open-sourcecommunity.The SELinux package is a collection of kernel modifications, programmodifications, and configuration files that all work together to hardenyour computer against abuse. Old Linux kernels (pre-SELinux) grant allprivileges to a special user named root (actually, privileges are grantedto the user whose numeric user ID is zero, and by convention that user isnamed root). Any process whose user ID is zero is granted all privileges.A process running as user ID zero is called a superuser. If you log in toLinux as user root, you can do anything you want. If you log in as a non-privileged user and then use the su command to become a superuser,you can do anything you want. If you break into a Linux computer andsomehow manage to change your user ID to zero, you can do anythingyou want. SELinux changes that.Under Linux, access rules are based on the user ID, group ID, and file per-missions. With SELinux, access rules are determined by the policy file,and the rules are subject to change. In this technique, we introduce you to SELinux. Its a relatively new addi-tion to the security force patrolling Fedora. Its got some room to grow,but it shows a lot of promise as a timesaving way to super-harden yoursystem. Understanding the Principles of SELinuxWhen you enable SELinux, the kernel grants privileges based on threefactors: the security context of your process, the security context of theobject that youre trying to access, and a database of access rules called31_571737c25.qxd 7/2/04 9:05 PM Page 164Understanding the Principles of SELinux 165a policy. The important feature that SELinux bringsto Linux is mandatory access control (MAC). A stan-dard Linux kernel exercises discretionary access con-trol (DAC). In a DAC system, a user can grant to anyother user access to things that he owns, at his owndiscretion. DAC sounds friendly, but if youre tryingto run a secure organization, you dont want us mereusers granting extra privileges to our friends. In aMAC system, ownership and access are governed bya complex and customizable set of rules controlledby the organization.The normal Linux security mechanism (access modesand user/group IDs) and the SELinux mechanismwork together. Before a process can access an object,the process must satisfy both mechanisms. If youruser ID has write permissions to a given file, it doesntnecessarily mean that SELinux will give its blessing,too it all depends on the policy.SELinux introduces a few new terms to the Linux lexicon, and it helps to have a good understanding of those terms before going much further.Everything is an objectAn object is something that you can protect andsomething that you can access. The Fedora Core 2security policy defines a number of objects: A file isan object, a file system is an object, a network socketis an object, and a device is an object. In all, the FC2policy defines 12 top-level objects: Files (and directories) File systems File descriptors (a handle to an open file) Sockets Network nodes Network interfaces (eth0, ppp0, and so on) Processes IPC mechanisms (shared memory, semaphores,and message queues) The SELinux security server The system log (syslog) Kernel capabilities (kill, reboot, set time, and so on) PasswordsThe policy also defines a number of fine-grained spe-cializations, such as a program file versus a configu-ration file versus a data file.Identifying subjects in SELinuxA subject is something that can act on an object(think back to your elementary school grammarclasses, ugh). A process is a subject. Indirectly, auser is considered a subject, too, because a newprocess inherits its security context from the user. A program can also play a part in determining thesecurity context of a process, so a program is oftenconsidered a subject as well.Every subject and every object have an associatedsecurity context (or context for short). When a subjectwants to access an object, the kernel compares thesubject context, the object context, and the type ofaccess requested against a set of rules called the pol-icy to decide whether to grant or deny the requestedaccess. Understanding the security contextA security context is made up of three components:an identity, a role, and a type. You can see the con-text assigned to your login session with the com-mand id -Z:$ id -Zuser_u:user_r:user_tIn this example, the identity is user_u, the role isuser_r, and the type is user_t. If youre logged in asuser root, you see a different context:# id -Zroot:staff_r:staff_t31_571737c25.qxd 7/2/04 9:05 PM Page 165Technique 25: Coping with the SELinux Security System166$ ls --scontext /usr/bin/passwdsystem_u:object_r:passwd_exec_t/usr/bin/passwdNotice that the type name ends with _exec_t; thatsyour clue that this is a domain transitioning pro-gram. When you run /usr/bin/passwd, your contextchanges from user_u:user_r:user_t to user_u:user_r:passwd_t, giving you just enough privilegesto modify /etc/shadow and /etc/passwd. If thissounds suspiciously similar to a setuid root pro-gram, it is. The important difference is that a domaintransition gives you only the privileges required toact on the protected objects that you need, but asetuid root program gives you all privileges.Given the number of subjects, objects, and accesstypes on a typical Linux system, SELinux securityrules are far more complex than the old system.Disabling or Disarming SELinuxThe SELinux kernel can operate in enforcing mode(the default) or in permissive mode: When you run in enforcing mode, the kernelenforces the security policy that youve installed. When you run in permissive mode, the kernelconsults the security policy, but instead of pre-venting you from doing something that the pol-icy prohibits, the kernel simply logs theviolation. Running in permissive mode will tell you whatkind of problems youre likely to encounterwhen you switch over to enforcing mode.Policy violations appear at the Linux consoleand in the system log file (/var/log/dmesg).By default, Fedora Core 2 boots into enforcing mode. If you want to switch over to permissive modeafter your computer has booted, use the followingcommand:The FC2 policy doesnt create an identity for everyuser: Nonprivileged users share the user_u identity. By convention, role names end with _r, and typenames end with _t. A type that belongs to a processis also known as a domain. A role is a name given toa group of process types. Every user is assigned arole, and the role determines which process types(or domains) the user is authorized to use. To see the security context assigned to a file (ordirectory), use ls -Z (weve trimmed a few columnsto fit it on the page):# ls -Z /varsystem_u:object_r:acct_data_t accountsystem_u:object_r:var_t cachesystem_u:object_r:var_t dbsystem_u:object_r:var_t emptysystem_u:object_r:xserver_log_t gdmsystem_u:object_r:var_lib_t libsystem_u:object_r:var_t localsystem_u:object_r:var_lock_t locksystem_u:object_r:var_log_t log... ...Notice that in this example, the identity assigned toeach file is system_u: Thats a generic identity justlike user_u. user_u is shared by nonprivileged sub-jects, and system_u is assigned to almost every fileobject. Most files share the same identity (system_u)and role (object_r). The type classifies each fileaccording to its security needs. When you run a program whose type ends withexec_t, that program causes a transition from yourcurrent domain into a new domain. For example,take a peek at the program that you use to changeyour password (/usr/bin/passwd). The passwdprogram lets you modify files that are normally protected against nonprivileged users: When youchange your password, the new password is (typi-cally) stored in /etc/shadow a write-protectedfile. If you look at the context assigned to /usr/bin/passwd, you see this:31_571737c25.qxd 7/2/04 9:05 PM Page 166Playing the Right Role 167# echo 0 > /etc/selinux/enforce(You need superuser privileges to write to the /etc/selinux/enforce.) To switch back to enforcing mode,use this command:# echo 1 > /etc/selinux/enforce If you want Fedora to run in permissive mode eachtime you boot, give yourself superuser privilegesand type in the following command:# echo SELINUX=permissive > /etc/sysconfig/selinuxIf you prefer to run in enforcing mode after eachboot, use this command:# echo SELINUX=enforcing > /etc/sysconfig/selinuxIf youre sure that youll never want to use SELinuxon your computer, you can completely disable thekernel extensions with the following command:# echo SELINUX=disabled > /etc/sysconfig/selinuxThe difference between permissive and dis-abled modes is that in permissive mode, thekernel logs policy violations and labels new fileswith the appropriate security context. If youdisable SELinux completely, new files anddirectories are created without a security con-text, and if you ever want to turn SELinux backon, youll have to relabel your computer (thatis, reapply security contexts). Relabeling can bea lot of work we recommend running in per-missive mode instead of disabling SELinux.Playing the Right RoleOne of the consequences of SELinux is that mere-mortal users cant access objects that they mayhave been able to access before. For example, if yoursecurity context is user_u:user_r:user_t and yourun the ps (process status) command, you cant seeprivileged processes.Its very important to use the correct role when youdo system administration work. Some commandswork in the staff_r role but produce the wrongresults. For example, if you create a new useraccount while youre logged in to the sysadm_r role,the home directory for the new account is createdwith the right context:# id -Zroot:sysadm_r:sysadm_t# useradd franklin# ls -Z /home/franklinroot:object_r:user_home_dir_t However, if you create a new account from rootsdefault role (staff_r), the home directory is labeledincorrectly:# id -Zroot:staff_r:sysadm_t# useradd franklin# ls -Z /home/franklinroot:object_r:home_root_tYou may be wondering why the identity componentof each context is root instead of franklin. Theanswer is a bit confusing. franklin is a generic user;that is, franklin appears in the Linux user database,but not in the SELinux policy. That means thatfranklin is not an identity and therefore cant beassigned as the identity for his home directory.Generic users share a common identity: user_u. To create a new Linux user with a correspondingidentity, use seuseradd instead of useradd:# newrole -r sysadm_r# seuseradd -r -m trixieloading new policy...Weve thrown another new command at you in thisexample: newrole. newrole starts a new shell with adifferent security context. Your identity stays thesame, but your role changes to the one yourequested. See man newrole for more details.31_571737c25.qxd 7/2/04 9:05 PM Page 167Technique 25: Coping with the SELinux Security System168rootstaff_rsysadm_rsystem_rfreddiestaff_ruser_rtrixiestaff_rTo see the domains that a given role is allowed toassume, use --roles=name --expand:# seinfo --roles=sysadm_r --expandsysadm_rnull_device_tzero_device_tdevtty_tlocal_login_tremote_login_tEvery object class defines a list of permissions, butits probably easier to think of a permission as anaction. For example, you can mount, unmount, andremount an object belonging to the filesystem class.To see the permissions (actions) defined for a givenclass, use this command:# seinfo --classes=filesystem --expandfilesystemmountremountunmountgetattrrelabelfromrelabeltotransitionassociatequotamodquotagetUse the following command to see the list of types:# seinfo --typesTypes: 291device_tnull_device_tzero_device_tconsole_device_tmemory_device_tFinding Out about Your SELinux PolicyAt the time were writing this, Fedora Core 2 providesfew utilities that you can use to manage SELinuxpolicies. That will change as software vendors andopen-source developers learn more about SELinux.For now, you can use the utilities provided by thesetools and setools-gui RPM packages (included inthe Fedora Core 2 distribution) to find out moreabout the default policy installed on your system.See Technique 17 for more information about install-ing RPM packages. The seinfo command can show you a wealth ofinformation about your policy. For example, to see alist of all identities, give yourself superuser privi-leges and then type in the following command:# seinfo --usersUsers: 5system_uuser_urootfreddietrixieTo see the list of roles defined for your system, usethis command:# seinfo --rolesRoles: 5object_rsystem_rsysadm_ruser_rstaff_rTo see the roles that each identity is allowed toassume, add the --expand option, like this:# seinfo --users --expandUsers: 5system_usystem_ruser_uuser_r31_571737c25.qxd 7/2/04 9:05 PM Page 168Finding Out about Your SELinux Policy 169random_device_turandom_device_tdevtty_t...To see the attributes of a given type, use this command:# seinfo --types=bin_tbin_tfile_typesysadmfileBy convention, an object of type bin_t is a file (it hasthe attribute file_type), and its a system adminis-tration file (sysadmfile).31_571737c25.qxd 7/2/04 9:05 PM Page 16926Technique Finding Out aboutYour System with/procThe /proc file system is a virtual file system full of files representingthe current state of your Linux kernel. The files in /proc dont reallyexist on disk; rather, theyre collections of data that can be viewedand navigated just like real files. If you look at the modification time forthe files in /proc, youll see that the date is always current. Thats accu-rate because the content of each file is being created on demand as youview it.You can discover a lot about your system by viewing the contents of thefiles in /proc. Every process running on your system has a directory in/proc. Each process directory is full of subdirectories and files that con-tain tidbits of data about the process. Because the information is brokendown into small pieces, you can search quickly for just what you need toknow about a process.The /proc file system also contains information about system resources such as memory usage, CPU usage, and system statistics. The files areconstantly being updated, so the information you get from /proc is alwayscurrent. /proc also maintains information files about all the devices onyour network. You can use this information to help debug troublesomenew devices.Using the /proc file system to manipulate the state of the kernel is a realtimesaver. Instead of using complex arguments to adjust your kernel, the/proc file system gives you easy access to many of the kernels variables.You can tighten security with just a few variable settings, and improve onan existing firewall in no time. In this technique, we introduce you to /proc, and show you some subtlebut effective (and quick) changes you can make to the kernel that willmake your system safer and save you a few keystrokes in the long run.Exploring the Process-Related Entries in /procEvery process running on your system has its own directory in the /procfile system. You can use the files in the process directory to identify theSave Time By Using /proc to examinethe processes currentlyrunning on your system Exploring your systemresources and deviceswith /proc Tightening security with/proc Getting your kernel torecognize nativeWindows programs32_571737c26.qxd 7/2/04 9:06 PM Page 170Exploring the Process-Related Entries in /proc 171processes running on your system. You can discoverwhos running the process, what command line argu-ments started the process, and what files thatprocess currently has open.The directory name for each process is taken fromthe process ID. For example, the directory that con-tains information about process 1 (the init process)is named /proc/1. To view the process directory, fol-low these steps:1. Open the Konqueror Web browser. 2. Type file:/proc in the Location field andpress Enter.Press the F9 key to close Konquerors naviga-tion panel and buy more screen real estate forthe directories and files in /proc.Youre treated to a view of the contents of the/proc directory, as shown in Figure 26-1. Figure 26-1: Viewing /proc in Konqueror.3. For the best view of the /proc directory, chooseViewView ModeDetailed List View.The directories with numerical names containinformation about the processes currently run-ning on your system (the directory name corre-sponds to the process number). 4. Double-click a process directory to view thedirectory contents (see Figure 26-2). Figure 26-2: The contents of a process directory.Table 26-1 lists the files and directories whereyou can find some interesting information abouta process.5. To view the contents of any file in the processdirectory, right-click the filename and chooseOpen With from the pop-up menu. 6. Enter kedit in the Open With field and click OK. kedit opens, displaying the file contents, asshown in Figure 26-3. Figure 26-3: Exposing the status file with kedit.32_571737c26.qxd 7/2/04 9:06 PM Page 171Technique 26: Finding Out about Your System with /proc172 Figure 26-4: Exposing the status file with more.If you go to /proc/self, youll find it containsa symbolic link to the process youre running.Look in the Link column for the process ID. Beaware that /proc/self is pretty shifty. If youuse a command like ls to look at the /proc/self directory and then look at it again withanother tool, it changes. /proc/self magicallypoints to whichever process opens it.Surveying Your System from /procFiles that contain configuration information fordevices connected to your computer are scattered7. When youre done exploring the file contents,close the editor window.If you check the Remember Application Asso-ciation for This Type of File box when youopen a file with kedit, you can just double-click to open future files with the editor.If you prefer working at the command line (or youdont have a graphical interface handy), you can usethe more command to display the contents of fileswithin the process directory:1. Open a terminal window and move into theprocess directory. 2. Display the file you want to read with the fol-lowing command:$ more filenameThe contents of the file are displayed in the ter-minal window, as shown in Figure 26-4.3. Press the spacebar to see the next page of data. Whether you get information with kedit or at thecommand line, you can find lots of handy informa-tion about the processes on your system with /proc.TABLE 26-1: PROCESS-RELATED DIRECTORIES IN THE /PROC FILE SYSTEMDirectory What You Findcwd The cwd directory is a symbolic link to the current working directory of the process (the directory named inthe Link column). If youre running a bash shell and your current working directory is /tmp, /proc/$$/cwd is asymbolic link to /tmp ($$ is a shell variable that contains your process ID).fd The fd directory contains one entry for each open file. Like cwd, the files in the fd subdirectory are symboliclinks to the open files. File descriptor 0 is connected to the standard input stream for the process, descriptor 1is connected to the standard output stream, and descriptor 2 is connected to the standard error stream.cmdline Open the cmdline file with kedit to view the command line arguments that started the process.environ Open the environ file to view the environment variables used by the process.mounts Open the mounts file to view a list of currently mounted devices in use by the process.status The status file keeps running statistics about the current process.32_571737c26.qxd 7/2/04 9:06 PM Page 172Surveying Your System from /proc 173throughout the /proc file system. The /proc file system also contains files full of information aboutsystem resources. To find the device or systemresource information on your system, you may needto do some exploring, but we show you some goodplaces to start.A few of the files in /proc that relate directly to hard-ware and system resources are worth mentioning: /proc/bus/usb: This file contains informationabout USB (Universal Serial Bus) devices cur-rently plugged into your system. In this file, youfind a rundown of the mice, cameras, and serialstorage devices currently connected to yourcomputer, as shown in Figure 26-5. Figure 26-5: Viewing the currently connected USBdevices.If youre having trouble getting a camera orscanner to work, look here first to be sure thatthe device is properly connected and identified. /proc/scsi/scsi: This file contains informationabout any SCSI devices currently attached toyour system. Check it out if youre having troublegetting a SCSI device to work.If youre having device driver problems anddecide to appeal to a newsgroup for help,include the information you find in the /procfile corresponding to the device. The /proc filemight contain information that helps a news-group member determine the cause of yourproblem. /proc/cpuinfo: This file contains a collection ofinformation about the systems CPU. This is theplace to look for all the really geeky details aboutyour CPU. /proc/crypto: The /proc/crypto file containsinformation about the current encryption algo-rithms and digital signature tools installed onyour system. /proc/meminfo: This file contains a wealth ofinformation about your systems memoryresources, as shown in Figure 26-6. Figure 26-6: Checking out the status of the systemsmemory.If your system performance is bad, check outthe /proc/meminfo file to find out if yourerunning short on memory. /proc/filesystems: This file contains informa-tion about the file system types that can bemounted on your system. Check out /proc/filesystems to find out what kind of drives youcan mount on your system. If ntfs isnt in thelist, you cant mount Windows drives on yourLinux machine. /proc/uptime: You trivia buffs out there willenjoy this one. This first number in this file is thelength of time the system has been running (inseconds), and the second number is the numberof seconds that the system has been idle.32_571737c26.qxd 7/2/04 9:06 PM Page 173Technique 26: Finding Out about Your System with /proc1743. Open the rc.local file with your favorite edi-tor (were using kedit):# kedit rc.local4. Add the following lines of code to the end ofthe rc.local file:echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcastsecho 1 > /proc/sys/net/ipv4/conf/*/log_martiansecho 0 > /proc/sys/net/ipv4/conf/*/accept_redirects5. Save the changes and close the editor. 6. Reboot your system to make the changes takeeffect.If youre a SuSE user, you need to make the sameadditions, but to a different file. Follow these stepsto change your kernel variables at startup:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Move to the /etc/init.d directory:# cd /etc/init.d3. Open the boot.local file with your favoriteeditor (were using kedit):# kedit boot.local4. Add the following lines of code to the end ofthe boot.local file:echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcastsecho 1 > /proc/sys/net/ipv4/conf/*/log_martiansecho 0 > /proc/sys/net/ipv4/conf/*/accept_redirects5. Save the changes and close the editor. 6. Reboot your system to make the changes takeeffect.The three variables weve changed tighten your net-work security a bit. They are as follows:Divide the number of seconds idle by theuptime, and youll find out the percentage oftime that your system is running without beingused. If you have extra CPU time to share, getin touch with setiathome.ssl.berkeley.eduto share the wealth.Closing Down Security Gaps with /procWith just a few quick changes to the files in /proc,you can make a good firewall even better. The Linuxkernel includes a number of variables that affect sys-tem security. The variables receive their default set-tings when the kernel is built, but you can customizethem to tighten up your security even more. With alittle help from /proc, you dont need to completelyrebuild your kernel to take advantage of some ofthese optional benefits; you can tweak the runningkernel with the variables in /proc.Any changes you make in the /proc files will revertback to the stored kernel configuration when youreboot your system. To make the changes take effectevery time you reboot, you can create a startupscript (or modify an existing one) to apply thechanges automatically.By making changes to the kernel variables, you canclose security gaps that are commonly left open inmost kernels. The changes in our example wontkeep out every hacker or shut down all denial-of-service requests, but theyre a good place to start. If you are running Fedora or Mandrake, you canchange the settings of the kernel variables atstartup, by following these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Move to the /etc/rc.d directory:# cd /etc/rc.d32_571737c26.qxd 7/2/04 9:06 PM Page 174Popping the Cork: Speeding Up WINE with /proc 175 icmp_echo_ignore_broadcasts: Enabling thisvariable tells your system to ignore broadcastpings, which can help spare you from denial-of-service attacks. log_martians: Enable this variable to tell thekernel to send a message to the system log whenan illegally addressed packet is received. Aftersetting this variable, monitor the syslog files(see Technique 41) to find out if youre receivingnasty packets. accept_redirects: Disable this variable to helpprevent man-in-the-middle attacks. Turning offaccept_redirects tells your system to preventoutgoing packets from being redirected. Hackerscant grab your outbound packets looking forsensitive information (such as passwords orcredit card numbers). You can change many variables to affect the state ofyour kernel. Some of the variables work like on/offswitches. To turn on a variable (or enable the vari-able), echo a 1 to it in the startup script. To turn avariable off (or disable the variable), echo a 0 to it inthe startup script. Variables that control time settingsor cache sizes are manipulated with integer values. You can find many good resources on theWeb that list kernel variables and what theycontrol. Google for /proc/sys variables,and youll get dozens of hits that will help youfind good settings for your system.Popping the Cork: Speeding Up WINE with /procIf you use WINE in your daily life and want a quickerway to start your programs, using the files in /proccan help. If youre not familiar with WINE (the program,not the beverage), its a package that lets yourun Windows programs on Linux machines.The abbreviation WINE stands for Wine Is Notan Emulator. WINE doesnt emulate Windowsmachines, but it runs their programs in aLinux environment.Normally, to start a program with WINE, you need to preface the command with wine. With a simplechange to the startup file, you can run a Windowsprogram simply by typing its name, just like theLinux programs on your system. To simplify the startup of your Windows programs inFedora or Mandrake, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Move to the /etc/rc.d directory:# cd /etc/rc.d3. Open the rc.local file with your favorite editor:# kedit rc.local4. Add the following commands to the end of the file:modprobe binfmt_miscecho :Wine:M::MZ::/usr/local/bin/wine: > /proc/sys/fs/binfmt_misc/register5. Save your work and exit the editor.6. Reboot your system to make the changes takeeffect.If youre a SuSE user, you can add similar code toyour boot script. To simplify the startup of yourWindows programs in SuSE, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Move to the /etc/init.d directory:# cd /etc/init.d3. Open the boot.local file with your favoriteeditor:# kedit boot.local32_571737c26.qxd 7/2/04 9:06 PM Page 175Technique 26: Finding Out about Your System with /proc176The preceding steps change the boot script that isexecuted at boot time. The two lines shown in Step 4tell Linux to automatically recognize Microsoft Win-dows programs and execute them with wine. Forexample, to play Minesweeper, you can simply typethe command ./winmine.exe.When you make this change, you dont haveto remember to type wine before entering theprogram name. This also makes it easier toinclude Windows programs on menus andshortcuts.4. Add the following commands to the end of the file:modprobe binfmt_miscecho :Wine:M::MZ::/usr/local/bin/wine: > /proc/sys/fs/binfmt_misc/register5. Save your work and exit the editor.6. Reboot your system to make the changes takeeffect.32_571737c26.qxd 7/2/04 9:06 PM Page 176Part VSecuring YourWorkspace33_571737p05.qxd 7/2/04 9:07 PM Page 17733_571737p05.qxd 7/2/04 9:07 PM Page 17827 Closing ThosePrying EyesKeeping private documents out of the hands of snoops is easywith well-assigned permissions and good system administrationpractices.In this technique, we explain how to use file permissions to limit accessto sensitive documents and dangerous programs on a Linux machine.You can set the permissions either at the command line or with a graphi-cal interface. If you have access to a graphical environment (eitherKonqueror or Nautilus will work), its definitely the friendlier way to go. Reading and Understanding File PermissionsKnowing how to read and use file permissions is important for maintain-ing privacy in your file system. Limiting a users access is simple whenyou understand the permissions.Every file and directory in a Linux computer is owned by one specificuser and one specific group. When you try to access a file, youre classi-fied into one of three categories: Owner: Youre the owner if your effective user ID is the same as thefiles owner. Group member: Youre a member of the group if your effective groupID is the same as the files group. Other: Youre an other if youre not the owner and not a member ofthe group.After youve been categorized, Linux looks at the permissions assignedto your category. For example, if youre accessing a file owned by userfreddie and youre logged in as user freddie, Linux examines the ownerpermissions for that file (because you are the owner). If youre not loggedin as user freddie but you are a member of the group that owns the file,TechniqueSave Time By Reading and understand-ing file permissions Limiting file permissionsto block access to sensi-tive information Setting user permissionswith a browser34_571737c27.qxd 7/2/04 9:08 PM Page 179Technique 27: Closing Those Prying Eyes180The listing shows seven groups of information. Fromright to left, they are as follows: File permissions Link count Name of the user that owns the file Name of the group that owns the file File size (in bytes) Date and time the file was last modified File (or directory) nameThe file permissions are displayed as an odd collec-tion of ten characters, with dashes replacing theprivileges that are denied to that user category.For the sake of dissection, weve chosen the followinglisting as an example:drwxr-x--- 4 freddie acctg 65595 Jan 2014:14 tablesThe first letter in the permissions column doesnthave anything to do with permissions. Instead, ittells you what kind of file youre dealing with. Themost common entries are d for directory or - for file.In our example, the d at the beginning of the listingindicates that it is a directory. The next three-letter grouping tells you the accesspermissions for the files owner (user freddie, inthis example). The letters rwx stand for read, write,and execute. freddie has full permissions to thisdirectory. The next three-letter grouping tells you the groupprivileges. In our example, r-x stands for read andexecute. The acctg group isnt allowed to changefiles in the directory.The last three-letter group tells you the file permis-sions for any other user (not the owner and not aLinux examines the group permissions for the file. Ifyoure not the owner and youre not a member of thefiles group, Linux examines the other permissions. Next, Linux compares the permissions (owner per-missions, group permissions, or other permissions)with the type of access youre attempting. If you arethe files owner and are trying to read the file, Linuxchecks the read bit in the owner permissions. Ifyoure trying to modify the file, Linux checks thewrite bit on the owner permissions. You can control three types of access for each usercategory: Read permissions grant (or deny) the right toread a file or to list the contents of a directory. Write permissions control the right to changethe contents of the file or directory. Execute permissions control the right to run aprogram or script. If youre accessing a directory,the execute permissions control whether youcan access the files within the directory. To display the permissions for an entire directory,enter ls -l at the command line. The -l flag forcesls to display permissions (and the files ownerand group) along with the name of each file (seeFigure 27-1). Figure 27-1: The long form of directory contents.34_571737c27.qxd 7/2/04 9:08 PM Page 180Controlling Permissions at the Command Line 181member of the files group). In our example, the ---means that anyone who isnt a member of the acctggroup or isnt the file owner is denied all access tothe file.Controlling Permissions atthe Command LineIf you have access to a desktop environment,maintaining permissions is easy and quick witha browser. If you need to set permissions over anSSH connection or for a dedicated server (withouta desktop environment), you can use the commandline to change ownership and file permissions.See Table 27-1 for details on changing ownershippermissions. Use the chmod command to change the permissionsfor users, groups, or others. Table 27-2 explains how.The chmod command also works with the + (plus)and - (minus) signs to turn permissions on and off.Substitute the plus or minus sign for the equal signin the command, and the permissions listed in theargument are turned on or off. A plus sign turns thelisted permission on, and a minus sign turns it off.For example, the following command turns on readpermissions for the user without changing any of theother permissions:$ chmod u+r filenameThis command turns off write permissions for agroup:$chmod g-w filenameThis command turns off all permissions for non-group users:$ chmod o-rwx filenameYou can see a pattern starting to form. If you need to, you can use the command line to setprivileges, but there is a friendlier way, as describedin the next section.If you really want to test the spin in your pro-peller, you can set the permissions with octalnumbers. The process is a little cryptic, but ifyoure inclined to try it, check out the infochmod page and follow the links to Note FilePermissionsNumeric Modes.TABLE 27-1: CHANGING OWNERSHIP PERMISSIONSTo Do This Use This CommandChange ownership of a file or directory at the command line. $ chown username filenameChange ownership of a directory and all the directories below $ chown -R username directorynameit (that is, just add the -R recursive flag).Change the group ownership of a file. $ chgrp groupname filenameChange the group ownership of a directory and all $ chgrp -R groupname directorynamethe directories below it.34_571737c27.qxd 7/2/04 9:08 PM Page 181Technique 27: Closing Those Prying Eyes182The Properties dialog opens, as shown inFigure 27-2. Figure 27-2: The Properties dialog.4. Click the Permissions tab.The Permissions dialog opens showing the cur-rent permissions for the file (see Figure 27-3).The permissions dialog is easy to interpret andchange. If the check boxes and fields displayed on thewindow are disabled, you dont have enoughprivileges to edit the permissions for that file. Ifyou need superuser privileges to change per-missions for a file or directory, open a terminalwindow and use the su command to gainChanging File Permissionsfrom a DesktopSometimes the command line is your only choice,but if you have access to a graphical interface,theres a friendlier way to manage file permissions:the Konqueror browser.Nautilus offers the same functionality toGNOME users. Double-click the Start Hereicon on the desktop and surf along. To view and modify file permissions with theKonqueror browser, follow these steps:1. Click the Start Here or Home icon on your KDEdesktop or taskbar. 2. When Konqueror opens, locate the file youwant to modify.You can navigate to the file you want to modifyin one quick step by entering file:/pathnamein the Location field to step directly into thedirectory that contains your file.3. After youve located the file you want to workwith, right-click the file and choose Propertiesfrom the pop-up menu. TABLE 27-2: CHANGING FILE PERMISSIONSTo Do This Use This CommandChange the user (owner) permissions to include read, write, $ chmod u=rwx filenameand execute.Exclude a permission from the user. You do this by excluding it $ chmod u=rx filenamefrom the command. For example, to assign read and execute (Note: w is excluded)privileges only, use rx.Set permissions for a group. Note that you substitute a g into the $ chmod g=rwx filenamecommand.Set permissions for users who arent group members or an owner. $ chmod o=rwx filenameDeny privileges to nongroup members who arent owners. $ chmod o= filename34_571737c27.qxd 7/2/04 9:08 PM Page 182Changing File Permissions from a Desktop 183superuser privileges. Then type konqueror inthe command line and press Enter to start acopy of the browser with your newly enhancedprivileges. Figure 27-3: The Permissions dialog.5. To change read, write, or execute privileges forthe file or directory, simply check the boxesnext to User, Group, or Others. If a box is checked, the user (or group) has thatpermission. If the box is empty, that permissionis denied. Before you modify the check boxes in theSpecial column, make sure that you knowwhat youre doing; read the sidebar, Whatmakes a check box Special? for details.6. To change ownership, enter the new user orgroup owner in the appropriate field. Nautilus users: Use the drop-down list boxesto choose from existing users and groupswhen you change the ownership of a file ordirectory.7. After you make the necessary changes to thePermissions dialog, click OK to save yourchanges and close the dialog.What makes a check box Special?Under the column header labeled Special, you see checkboxes next to the labels Set UID, Set GID, and Sticky.These check boxes merit special consideration. Set UID: When a Set UID bit is turned on for a program, your EUID (effective user ID) becomes thesame as the programs owner when you run the program. You also gain all the privileges of the programs owner. In other words, if user freddieruns a Set UID program owned by user root,freddie has superuser privileges while that pro-gram is running.Set UID affects programs only; its really not impor-tant for data files and directories. If you find a SetUID program, read the WARNING!Warning: Set UID programs are potentially danger-ous. Users can gain extra privileges by using files thatgrant them superuser privileges. See Technique 57 forinformation about preventing security breachesuncovered by the setuid and setgid bits. Set GID: The Set GID bit works similarly to Set UID anyone running the program gains all theprivileges of the group.When the Set GID box is checked for a directory,the files in that directory belong to that groupregardless of who puts the files in the directory. Sticky: Checking the Sticky box affects directoriesonly. If this box is checked, you cant remove (orrename) a file in that directory unless youre the fileowner.34_571737c27.qxd 7/2/04 9:08 PM Page 18328Save Time By Using kgpg in your desk-top environment Using gpg at the com-mand line Encrypting and signinge-mail with Evolution Adding Enigmail securityto MozillaTechniqueUsing Encryptionfor Extra SecurityThis technique is all about privacy. Keeping private data private cansave you a lot of headaches. Public-key cryptography provides aquick and easy way to safeguard e-mail messages and sensitive files.Public-key cryptography involves two big numbers: a public key and a pri-vate key. When you create a key pair, you keep the private key to yourselfand share the public key with anyone you wish. The numbers in a key pairare related in a fiendishly clever way: Data that you encrypt with the publickey can be decrypted only with the private key, and data encrypted withthe private key can be decrypted only with the public key (privatedecrypts public, public decrypts private). If you encrypt a message with your friends public key, only your friendcan decrypt it (because your friend has never shared his private key withanyone, even with you). Encrypt a message with your private key andsend it to your friend: If he uses your public key to decrypt the message(and the result looks meaningful), hell know the message came from you.(Nobody else could have sent the message because its encrypted withyour private key, and no one else knows your private key.) You can com-bine these techniques to encrypt and sign a message. In this technique, we show you how to use gpg (the GNU Privacy Guard)at the command line for those cases where you need security but donthave access to a desktop environment. You can use gpg to encrypt,decrypt, and sign e-mail messages. gpg can also encrypt documents thatyou dont intend to share with others, so snoops wont be able to readanything you need to keep private. Encrypt the original document, deletethe unencrypted version, and only you can decrypt it again to read it.kgpg (KGpg) is a graphical interface for gpg that runs in the KDE Desktopenvironment. Its a great tool that packs lots of functionality into a user-friendly package. In this technique, we show you how to download,install, and use kgpg. We also show you how to create a gpg key pair(from the command line and with kgpg). After youve created a key pair,you can distribute your public key to your friends, or you can upload thepublic key to a server a number of public-key registries are availableon the Web. 35_571737c28.qxd 7/2/04 9:08 PM Page 184Encryption Made Easy with kgpg and the KDE Desktop 185In this technique, we also show you ways to keepyour e-mail private. Encrypting e-mail adds a newlevel of security, enabling you to prevent PeepingToms from reading your e-mail as it travels acrossthe Internet. Add a digital signature to your e-mailmessages for extra protection. If your message istampered with, the recipient knows (because the sig-nature is invalid).Encryption Made Easy withkgpg and the KDE DesktopIf youre working in a desktop environment, a graphi-cal package such as kgpg makes gpg encryption muchfaster and easier to use. You still may need to returnto the command line if youre encrypting an entiredirectory tree, but for most of your everyday needs,a graphical tool works great.kgpg is a user interface that works with the KDEDesktop to make using and managing gpg keys easyand fast. With kgpg, you can encrypt and decryptfiles on your desktop in seconds. To get started, you need to create a pair of keys(a public key and a private key). See the sectiontitled Creating keys with kgpg, later in thistechnique, for details. To send encrypted e-mail (or e-mail that containsa digital signature), you have to publish yourpublic key. See the section titled Sharing yourkey with the world, later in this technique, formore information. To read an encrypted e-mail message (or othersecure document), you need to import a publickey first. See the section titled Importing a pub-lic key from a public-key server, later in thistechnique, to understand the process. To encrypt documents that need to be secure,see the section, Encrypting documents on yourhome system.kgpg is part of the kdeutils package in KDEVersions 3.2 and later. If youre using an olderversion of KDE, search the Web for a kgpgRPM package that matches your version.Creating keys with kgpggpg keys (both public and private) are stored in akey ring (which is a set of files in your ~/.gnupgdirectory). The first time you run kgpg, it offers tocreate a new gpg key pair (unless youve already cre-ated a key pair with another tool). Heres what youneed to do to create a key pair:1. Open KGpg:To open kgpg on Fedora Linux, open the Main Menu and choose AccessoriesMoreAccessoriesKGpg. If youre using SuSE, open the Main Menu andchoose SystemSecurityKGpg.On Mandrake, find kgpg by opening the MainMenu and choosing SystemOtherKGpg.2. In the dialog that appears, click Yes.The Key Generation dialog opens, as shown inFigure 28-1.3. Enter your name, e-mail address, and a com-ment and then click OK. Enter your first name for the real name, yourlast name for the comment, and your reale-mail address. When you publish your publickey on a public-key server, it appears asname(comment)e-mail@addr.com, so every-one can tell with a glance who owns the public key. The passphrase dialog appears, as shown inFigure 28-2.4. Enter a passphrase in the Password field andthen reenter it in the Verify field. Click OK tocontinue. 35_571737c28.qxd 7/2/04 9:08 PM Page 185Technique 28: Using Encryption for Extra Security186After youve created a key pair, the taskbar iconbecomes your interface to kgpg. Click the taskbaricon and choose Open Key Manager from the menu.The Key Management window opens, showing thekey youve just created (see Figure 28-4). Figure 28-3: The kgpg icon is now included on thetaskbar.From the Key Management window, you can exportyour key (to a file, to the clipboard, or to an e-mailmessage), get key information, sign your key, makechanges to your keys, import other keys, generatenew key pairs, and more. Figure 28-4: The Key Management window.Sharing your key with the worldAfter you have an encryption key pair, you need topublish the public part. Other people can encrypt Figure 28-1: The Key Generation dialog.Its important to keep your private key private.If gpg simply stored your private key in plaintext, anyone with access to your home directorycould use your private key. Instead, gpg pro-tects your key ring with a passphrase. You mustprovide the passphrase whenever you want toencrypt, decrypt, and sign documents. Dontgive out your passphrase, or others will be ableto decrypt documents encrypted with your key. Figure 28-2: The passphrase dialog.After you click OK in Step 4, the Tip of the Daywindow opens. Look carefully, and youll noticethat an icon has been added to the taskbar. Theicon looks like a padlock covering a sheet ofpaper, as shown in the lower-right corner ofFigure 28-3. This means your key has beencreated.35_571737c28.qxd 7/2/04 9:08 PM Page 186Encryption Made Easy with kgpg and the KDE Desktop 187private messages with your public key, but yourethe only person who can decrypt these messagesbecause you hold the private key. When you send ane-mail, sign the message with your private key andthe recipient can use your public key to verify thatthe message really came from you. How do you dis-tribute your public key? Use a public-key server.A public-key server is a directory that lists peopleand their public keys. kgpg knows how to exportyour public key to a key server and how to importkeys from a key server. kgpg is preconfigured to talkto two public-key servers, but you can add moreservers if you want to.To publish your public key, follow these steps:1. Click the kgpg taskbar icon (which looks like apadlock; refer to Figure 28-3) and choose OpenKey Manager from the menu. The Key Management window opens (refer toFigure 28-4).2. Choose FileKey Server Dialog (or click thetoolbar icon that looks like a globe).The Key Server Operation dialog appears.3. Select the Export tab.The dialog displays two drop-down lists, asshown in Figure 28-5.4. Use the Key Server drop-down list to choosethe server that you want to distribute your key.5. Use the Key to Be Exported list to select thepublic key that you want to export.6. After youve chosen the server and key to beexported, click Export.Now that youve published yourself, your friends canfind your public key on the server that you chose.(Many servers share their public keys with otherservers, so after youve published your public key, itappears on other servers as well.) With your publickey, someone can send encrypted e-mail to you, andno one else can read the e-mail. Figure 28-5: The Export tab of the Key Server Operationdialog.Importing a public key from a public-key serverYou can also use kgpg to locate and import keys froma public-key server. Heres how to find and importkeys:1. Click the kgpg taskbar icon (which looks like apadlock) and choose Open Key Manager fromthe menu. The Key Management window opens.2. Choose FileKey Server Dialog (or click thetoolbar icon that looks like a globe).The Key Server Operation dialog appears.3. Select the Import tab.4. Choose a public-key server from the top listbox and enter the name or e-mail address ofthe person youd like to contact in the secondfield.You can choose any of the public-key serverslisted; they all talk to each other and share thesame database of public keys.5. Click the Search button to continue.The Search Result dialog appears, as shown inFigure 28-6.Common names are likely to yield manyresults. Search by e-mail address to narrow thefield a bit.35_571737c28.qxd 7/2/04 9:08 PM Page 187Technique 28: Using Encryption for Extra Security188The newly encrypted file appears in the samedirectory as the original: The encrypted versionhas .asc tacked on to the end of the filename.kgpg doesnt delete the original version. Figure 28-7: The Encryption dialog.4. If you want to keep the content private, be sureto delete the unencrypted version.To decrypt an encrypted file, follow these steps:1. Click the encrypted file in your Konquerorbrowser. Konqueror asks for the passphrase to unlockyour private key. 2. Enter the proper passphrase.kgpg decrypts the file and saves it in the samedirectory as the encrypted version (the name ofthe encrypted version ends with the extension.asc; the decrypted version does not). Thenewly decrypted file appears in your browserwindow. 3. To view a decrypted file in a simple textbrowser (without saving it), drag the file icononto the kgpg icon in the taskbar, and chooseShow Decrypted File from the menu. If you drag an unencrypted document to thetrash to delete it, its still there (and stillexposed) until you empty the trash. To really Figure 28-6: The Search Result dialog.6. When you find the key youre looking for, clickthe key and then click Import to import that key.After youve imported a public key into your keyring, you can encrypt e-mail (and other docu-ments) with that key. The only person who candecrypt that e-mail is the person who holds thematching private key.Encrypting and decrypting documents with drag-and-drop easekpgp is well-integrated with the rest of KDE, making itquick and easy to encrypt and decrypt files. Keep private information private by encryptingyour personal files. After encrypting a file,delete the unencrypted version. Decrypt thefile again when you need it. Only thoseentrusted with your passphrase can read yourprivate documents. To encrypt a document, follow these steps:1. Open Konqueror and browse to the directorythat contains the file you want to encrypt. 2. Right-click the file icon and choose Encrypt Filefrom the menu.The Encryption dialog opens, as shown in Figure 28-7.3. Highlight the key you want to use and thenclick Encrypt.kgpg encrypts the file with your public key; thatway, only someone with the matching private key(that would be you) can decrypt the file. 35_571737c28.qxd 7/2/04 9:08 PM Page 188Encrypting Documents with gpg at the Command Line 189delete an item, right-click the item and chooseDelete. If you do drag things into the trash,dont forget to take out the garbage by right-clicking the can and choosing Empty Trash Bin!kgpg is well integrated with the Konquerorbrowser. Click an encrypted file, and it decrypts.Right-click a document and choose Encrypt Filefrom the menu to encrypt a file.Encrypting Documents with gpg at the Command LineEncrypting documents with gpg is an easy and quickway to keep information out of the hands of peoplewho shouldnt have it. If youre using SSH or workingon a system without a desktop environment, you canuse gpg encryption from the command line to keepyour private files private.Sharing a secret fileTo encrypt a private document for your friends eyesonly, you need his public key. When youve receivedhis public key (by e-mail or on disk), save it to a direc-tory. To import a public key into your key ring, openyour terminal window, move to the directory contain-ing the public key, and use the following command:$ gpg --import keyname.gpgNow you can encrypt your file with your friends keyby using the following command:$ gpg --encrypt --armor -r keyname filenameShare the file as you normally would you can sendit by e-mail or hand your friend a CD. Unless some-one has your friends private key, that person wontbe able to read the document. To open the file, your friend uses his private keywith the following command:$ gpg --decrypt filenameCreating a key pair and receiving encrypted documentsTo receive encrypted documents, your friend needsyour public key. Follow these steps to generate a public/private key pair with gpg at the command line:1. Open a terminal window and enter the follow-ing command:$ gpg --gen-keyA slightly awkward, but functional menu opens,prompting you to select the kind of key you want.2. Type 1 and press Enter.Youre prompted to enter the key size.3. Type 1024 and press Enter.gpg asks for an expiration date. 4. Type 0 to create a nonexpiring key and pressEnter.gpg notifies you that the key does not expire andasks you to verify that you want to generate apermanent key. 5. Type y and press Enter.6. gpg asks for your real name. Type it in andpress Enter.This is used to identify your key in your friendskey ring. 7. When gpg prompts you for a comment, type onein if you wish. The comment is optional. Remember, if you enterone, the public will see it.8. gpg prompts you for your e-mail address. Typeyour e-mail address and press Enter.gpg displays your name, comment, and e-mailaddress. 9. Verify that the information is correct (or selectthe appropriate item to change). When theinformation is correct, enter O (the letter, notthe number) to verify that the information isokay and then press Enter.35_571737c28.qxd 7/2/04 9:08 PM Page 189Technique 28: Using Encryption for Extra Security190Encrypting documents on your home systemYou can use the same key pair that you created toexchange with others (see the preceding section) toencrypt documents for your own use. Encrypt thedocument and delete the unencrypted version, andonly those users that know your passphrase candecrypt and read the document.Follow these steps to encrypt a document:1. Open your terminal window and move into thedirectory containing the file to be encrypted.2. Enter the following command:$ gpg --encrypt --armor -r keynamefilenameSubstitute the real name you used to create thekey pair for keyname and the name of the file youwant to encrypt into filename.Youre prompted for the passphrase you enteredwhen you created your key pair. 3. Enter the passphrase and press Enter.The new, encrypted file appears in your direc-tory as filename.asc.You can now delete the unencrypted document withthis command:$ rm filenameWhen you need to use your document again, followthese steps:1. Open your terminal window and move to thedirectory containing the encrypted file.2. Enter the following command:$ gpg --decrypt filename.asc > newfileYoure prompted to enter your passphrase.3. Enter your passphrase and press Enter.The file is decrypted and written to the filenamespecified in the command as newfile.Youre prompted for a passphrase.10. Type a passphrase and press Enter.Youre asked to repeat the passphrase.11. Type the passphrase again and press Enter.Thats all there is to it youve created a key.To exchange your key with others so that you cansend and receive encrypted files, you need to do alittle more upfront work:1. Write your public key to a file by using the fol-lowing command:$ gpg --armor --export e-mailaddress >filenameThe --armor option tells gpg to write your publickey in an e-mailfriendly form by using onlyprintable characters. 2. Send the key file to your friends or post it onyour Web site.3. Your friends need to import your public keywith the key file (using the gpg --import com-mand as described at the beginning of this sec-tion) before they can decrypt your messages.Now people can send you encrypted files thatonly you can read with your private key. If you need to encrypt or decrypt messages on aWindows computer, check out A Practical Introduc-tion to GPG in Windows at www.gnupg.org/(en)/documentation/guides.html.To open a message encrypted with your public key,use the following command:$ gpg --decrypt filenamegpg is a powerful encryption program, but itsnot completely foolproof. Weve only scratchedthe surface here. Good key managementmakes a big difference in how well gpg can pro-tect your private bits. Many encryption optionsand security features are available with gpg. Formore information about encrypting with gpg,visit www.gnupg.org. 35_571737c28.qxd 7/2/04 9:08 PM Page 190Encrypting E-Mail for Added Security 191Thats all there is to it. Encryption is a quick, easyway to keep personal documents private onlypeople with your passphrase can read encryptedfiles. If you do a good job keeping that passphraseprivate, no one other than you can access the filesyou want to keep to yourself.Encrypting E-Mail for Added SecurityPublic-key cryptography can help secure your e-mailin two ways: When you send e-mail, encrypt the message withthe recipients public key to ensure that only therecipient can read it. Sign the message with your private key, and therecipient can verify that the message really camefrom you by validating the signature against yourpublic key.Encrypting an e-mail document ensures that anyonewatching the bits fly by on the Web wont be readingyour sensitive information. The only person who canread the encrypted message is the person holdingthe private key.A digital signature seals an e-mail document. If thedocument is changed in any way, the signature willbe disturbed, and the recipient will know about it.When you sign a document, you sign it with yourprivate key. The recipient then uses your public keyto verify that the digital signature is authentic andhasnt been tampered with.The Mozilla e-mail client and Evolution e-mail clientboth support public-key encryption. The built-insupport makes it easy (and quick) to send andreceive encrypted e-mail and to apply and verifydigital signatures.Encrypting with Ximian EvolutionIf youre already using Evolution to manage youre-mail, adding a bit of security to your outgoing andincoming letters is a snap. If youve followed thesteps in the section titled Creating keys with kgpgat the beginning of this technique, Evolution knowshow to find your gpg key ring, and can use the keyson it to encrypt and decrypt e-mail with a simpleclick and a passphrase.If youre not already using Evolution, the setupwizard will set you up in a few simple steps.Answer the questions, and youll be up andrunning in no time!To send an encrypted e-mail with Evolution, followthese steps:1. Open Evolution:If youre using Fedora, open the main menu andchoose InternetEvolution Email to start theEvolution e-mail client.If youre a Mandrake user, open the main menuand choose InternetMainEvolution. On SuSE, open the main menu and chooseInternetE-MailXimian Evolution.2. Click New to create a new e-mail.3. Type the recipients address and your message.4. Click Security (on the menu bar), and chooseGPG Encrypt to encrypt the message and GPGSign if you want to sign the message.Sending an encrypted e-mail encrypts it withthe recipients public key. You have to havethe public key in your key ring; if its not inyour key ring, you get an error message.5. Click Send.The Enter Password dialog appears, waiting foryour gpg passphrase (see Figure 28-8).6. Enter your passphrase and click OK.Thats all there is to it. The encrypted and signede-mail is sent on its way.Opening an encrypted document with Evolution isjust as easy as sending one:35_571737c28.qxd 7/2/04 9:08 PM Page 191Technique 28: Using Encryption for Extra Security1922. Enter your superuser password whenprompted.3. Type mozilla in the command line and pressEnter. You need superuser privileges to install theplug-in, so opening the browser with thoseprivileges transfers the privileges to thebrowser.4. Navigate to enigmail.mozdev.org.5. Click the Download link in the Resources listnear the top of the page.6. Scroll down and choose your download fromthe versions listed under Standard Download.Choose the download that most closely matchesthe version of Mozilla that youre using.To find your Mozilla version, choose HelpAbout Mozilla.7. Click the Install button for the Linux versionthat matches your computer.If cant find an installer for Fedora, Red Hat 9is close enough.A dialog appears, stating that a Web site isrequesting permission to install.8. Click the Install button.After some whirring and clicking, the browserinforms you that Enigmail installation has com-pleted successfully.9. Restart Mozilla at the command line (still with superuser privileges) to complete theinstallation.Now its time to configure Enigmail:1. Open the Edit menu and choose Preferences.The Preferences dialog appears. Figure 28-8: The Enter Password dialog.1. When an encrypted e-mail arrives in your mail-box, click the message. A dialog appears, prompting you for your gpgpassphrase. 2. Enter your passphrase.Evolution now has access to your key ring untilyou close the session.The message automatically decrypts and opens. 3. If the message was signed, click the lock iconnext to the signature to verify the signature. Evolution tells you whether or not the signatureis good. Setting up Mozilla e-mail for encryptionMozilla e-mail can send encrypted e-mail just aseasily as Evolution, but before its ready to deal withencryption, you need to download and install a plug-in. (Plug-ins are snippets of code that enhance thefeatures offered by a program.) Follow these steps to download and install theEnigmail plug-in:1. Open your terminal window and give your-self superuser privileges with the followingcommand:$ su35_571737c28.qxd 7/2/04 9:08 PM Page 192Encrypting E-Mail for Added Security 1932. Choose Privacy & SecurityEnigmail.The Enigmail Preferences dialog appears, asshown in Figure 28-9.3. Check the Use From E-Mail Address for Signingto Determine GPG Key box. Figure 28-9: The Enigmail Preferences dialog.4. Select a default encryption type.Your options are No Default Encryption, Encryptif Possible, or Encrypt + Sign if Possible.5. Click OK to save your preferences.The Enigmail plug-in is installed and configured.Youre now ready to send encrypted e-mail withMozilla!Sending and receiving encrypted messages with Mozilla mailTo send an encrypted and signed message withMozilla and Enigmail, follow these steps:1. Open Mozillas Window menu and choose Mailand Newsgroups.The Mozilla mail client appears2. Click the Compose icon (on the toolbar).A new message window opens.3. Compose an e-mail message as you normallywould.4. When your message is complete, chooseEnigmail from the menu bar. The encryption options appear in the Enigmailmenu, as shown in Figure 28-10. Figure 28-10: The Compose/Enigmail menu options.5. Choose a message type from the drop-downmenu. Choose either Encrypted Send orEncrypt + Sign Send.If you sign an e-mail, the recipient needs yourpublic key to verify the signature.6. Enter your passphrase when prompted andclick OK.Your message is on its way!When an encrypted e-mail arrives in your inbox,Enigmail automatically decrypts it and verifies thesignature. The signature status is shown in the mes-sage header, right above the subject line.If a message does not automatically decrypt,you may need to select Automatically Decrypt/Verify Messages from the Enigmail menu.35_571737c28.qxd 7/2/04 9:08 PM Page 19329Technique Securing a LargeNetwork with CustomAuthenticationIf you have more than a handful of computers in your local network, youknow the routine: Each time you connect to a different system, you haveto type in your user name and password. Chances are, you use the samepassword to log in to most servers, but you havent gotten around to syn-chronizing all your passwords (or maybe you dont want to use the samepassword everywhere, just in case someone discovers it). Keeping yourpasswords straight is a hassle and a good way to waste time.In this technique, we introduce you to some simple (but powerful) toolsthat can make network-wide authentication safe and easy by Streamlining password setup and maintenance: If youre the adminis-trator of a large network, using cross-platform authentication can saveyou time. With only one password file to maintain, you save time notonly in setup but also in maintenance the fewer files you maintain,the less chance youll make a mistake while updating information. Creating a secure, network-wide login system thats more userfriendly: When youre finished with this technique, youll have a loginsystem that requires only one login and one password to access anyauthorized server on your network.To build a better login, all you need are PAM and Kerberos. First, we showyou how to use PAM authentication to access the user database on a Win-dows machine to authenticate Linux users. Sacrilegious? Not if you alreadyhave a Windows domain and youre slowly adding Linux computers.Kerberos a secure, single-login, network-wide authentication service adds security to the mix. When you login to a kerberized network, yougive your user name and password to the Key Distribution Center (KDC),and in return, you receive a ticket that you can give to other kerberizedservers. A Kerberos ticket is like a passport. The KDC verifies your iden-tity and then gives you a set of credentials that you can hand to otherservers: If the server trusts the KDC, it accepts your credentials.By using PAM with Kerberos, you get automagic ticket handling. With onelogin, you have access to all the kerberized servers on your network. Save Time By Using cross-platformauthentication to keepuser information centralized Using Kerberos with PAMfor simple and securethird-party authentication36_571737c29.qxd 7/2/04 9:09 PM Page 194Using Cross-Platform Authentication with Linux and Windows 195If youre adding Linux systems to an existingWindows network, connect PAM to yourdomain controller to centralize your user data-base. If youre setting a (mostly) Linux network,consider using Kerberos to give secure, single-login access to your users.At the time were writing this, Mandrake Linux is notshipped with the software required to handle cross-platform authentication. SuSE Linux does ship withthe required software, but the necessary configura-tion tools in SuSEs YaST control center dont seemto work. The methods that we describe in this tech-nique will only work with Fedora Linux.Using Cross-PlatformAuthentication with Linux and WindowsIf you already have a medium-sized or large networkof Windows computers, youre probably using a Win-dows domain to manage security. A Windows domainis a network of computers that uses a single data-base to hold user information (user names, user IDs,passwords, and the like). A single machine, calledthe primary domain controller, stores all user infor-mation and provides authentication services to therest of the computers in the domain. A Windowsdomain often contains backup domain controllers tolighten the load on the primary controller (and toprovide authentication should the primary con-troller fail).Dont confuse a Windows domain with a DNSdomain name. A Windows domain is a net-work of computers that consolidates all userinformation in a single database. A DNSdomain name is a name that you give to anetwork of computers.PAM (the basic authentication framework on Fedoracomputers) can rely on a Windows domain toauthenticate users. If you keep your authenticationinformation on a Windows machine, a simple additionto your PAM configuration lets you share your Win-dows authentication files with your Linux systems.Keeping your network user database up-to-dateand secure is a lot quicker if you have only onefile to maintain. You need to update the userinformation in only one database, and PAMallows all the Linux machines on your networkto use that database for authentication. Thisstreamlined setup also increases network secu-rity, because you arent storing password filesall over your network.Prepping for cross-platform authenticationYou need three pieces of information to set up PAM/Windows authentication get these from yourWindows administrator (if thats you, odds are youknow these tidbits of trivia): Your Windows domain name: Your domainname is the name assigned to your network oftrust. Its often the same as the name of yourphysical network. The primary domain controllers name: This isthe computer on your network that holds the pri-mary authentication database. A backup domain controllers name: Thismachine keeps a backup of the authenticationdatabase. This is important because if themachine holding your primary authenticationdatabase goes down, you still want your users to have access to the other machines on the network.To set up cross-platform authentication, you alsoneed to have the pam_smb-1.1.7-2.i386.rpm packageinstalled. Check to see if the RPM package is installed with thefollowing command:# rpm -q pam_smb36_571737c29.qxd 7/2/04 9:09 PM Page 195Technique 29: Securing a Large Network with Custom Authentication1964. Check the Enable SMB Support box and thenclick the Configure SMB button.The SMB Settings dialog opens, as shown inFigure 29-2. Figure 29-2: The SMB Settings dialog.5. Enter the workgroup (domain) name in theWorkgroup field.6. Enter the name of the primary domain con-troller in the Domain Controllers field, fol-lowed by a comma and the backup domaincontrollers name.Dont add any spaces between the names andthe comma.7. Click the OK button to close the dialog.8. Click the OK button on the AuthenticationConfiguration window to close that window.Now, whenever you log in to your Linux computer,Fedora asks the domain controller to validate yourpassword. If the primary domain controller fails torespond in a reasonable period of time, Fedora con-tacts the backup domain controller. You still need auser account on your Linux computer (your Linuxuser ID, home directory, and login shell informationare stored in Linux), but the password comes fromWindows.After you follow the preceding steps, theresone more trick to setting up cross-platformauthentication: When you create a user accounton the Linux machine, leave the passwordblank. If you want to change the password youuse to log in to Linux, change your Windowspassword. If the program isnt installed, you need to add it. Con-veniently, its included with the Fedora distribution.Insert and mount your Fedora media and enter thiscommand:# rpm -Uhv /mnt/cdrom/Fedora/RPMS/pam_smb-1.1.7-2.i386.rpmNow youre ready to follow the steps in the next sec-tion, where you actually set up authentication.Setting up cross-platform authenticationWith the pam_smb package in place, youre ready toset up cross-platform authentication:1. Open the Main Menu and choose SystemSettingsAuthentication.A dialog may appear, prompting you for the rootpassword.2. Type the root password (if prompted) andpress Enter. The Authentication Configuration window opens.3. Choose the Authentication tab to view authenti-cation options, as shown in Figure 29-1. Figure 29-1: The Authentication tab.36_571737c29.qxd 7/2/04 9:09 PM Page 196Using PAM and Kerberos to Serve Up Authentication 197Using PAM and Kerberos toServe Up AuthenticationIf your local network doesnt include a Windowsdomain controller, PAM can still streamline authenti-cation and increase your network security usingKerberos. Kerberos is a security protocol that uses atrusted third party to verify authentication informa-tion. With PAM and Kerberos working together, youget a single, secure network-wide login system, whichcan save a lot of time.This technique is best suited to large networks.You should have a domain in place and a DNSserver up and running to take advantage ofthe benefits of using Kerberos with PAM forauthentication.With this setup, Kerberos makes the login moresecure, and PAM makes ticket management auto-matic. Users first access a kerberized server, wherethey must prove their identity to the Key DistributionCenter (KDC). Only after the verification can usersobtain a ticket that represents their fully authenti-cated identity.After users log in, they can log in to any machinerunning Kerberos authentication or use a kerberizedserver on a remote machine without manually obtain-ing a ticket for the session. That means you (or yourusers) log in once and can access any kerberizedserver on your network without proving your iden-tity again for that login session.Kerberos tickets expire over time, so at theend of an eight-hour day, the ticket cant bereused by an intruder.The process of setting up Kerberos to work withPAM has several phases. Heres an overview of whatyou need to do:1. Synchronize the system times.2. Test the DNS.3. Set up a KDC.4. Set up PAM for automagic ticket management.5. Add users to the KDC.The following sections explain each step in moredetail.Establishing synchronized system timesFor extra security, Kerberos tickets are time sensi-tive. Just like a real passport, your Kerberos ticketexpires after some period of time (you have to proveyour identity to the KDC every once in a while toprevent a nefarious hacker from using an old pass-port that youve left sitting around somewhere).The time-sensitive nature of Kerberos tickets meansthat all your kerberized servers (and the KDC) mustagree on the current date and time. If the time variesby just five minutes between a Kerberos clientmachine and the KDC, Kerberos will deny an other-wise valid ticket. To ensure a consistent time, startthe NTP daemon and enable the Network Time Pro-tocol on all the computers on your network. (The fol-lowing steps show you how in just a few quick steps.)The Network Time Protocol (NTP) visits a serverlocated on the Internet and retrieves time updates. It synchronizes the clock on the local machine withthe clock on the time server. Setting up the NTP daemon on all the machines on your network to synchronize their clocks with the same time serverensures a consistent time for Kerberos.Before you enable the Network Time Protocol, youneed to start the NTP daemon:1. Open the Main menu and choose SystemSettingsServer SettingsServicesA dialog opens, prompting you for the rootpassword.2. Enter your root password and click OK.The Service Configuration window opens, asshown in Figure 29-3.36_571737c29.qxd 7/2/04 9:09 PM Page 197Technique 29: Securing a Large Network with Custom Authentication198 Figure 29-4: The Date/Time Properties window.The kind people at Red Hat provide two timeservers for public use. We recommend usingthe same server to synchronize all themachines on your network.Alternatively, if your entire network doesnt haveInternet access, you can set up a time server onone of your own computers and synchronize toit, but its a bit of work. For more informationabout establishing your own time server, visitwww.ntp.org.5. Click OK. A confirmation screen verifies that the update istaking place, as shown in Figure 29-5. After somethought, your machine updates the time settingsto synchronize with the server. When the updatecompletes, the Date/Time Properties windowcloses. Figure 29-5: Confirmation of contact. Figure 29-3: The Service Configuration window.3. Use the scroll bar in the left frame to scrollthrough the list of services until you find theentry for ntpd.4. Check the box next to the ntpd entry and clickthe Start button (on the toolbar).An Information dialog opens, telling you that thentpd started successfully. 5. Click OK to close the dialog.6. Click the Save button to save the changes toyour services.7. Close the Service Configuration window.Now that the ntpd daemon is running, youre readyto enable the Network Time Protocol. To synchro-nize your systems time, follow these steps:1. Open the Main Menu and choose SystemSettingsDate & Time.A dialog opens, prompting you for the rootpassword.2. Enter the root password and click OK.The Date/Time Properties window opens, asshown in Figure 29-4.3. Check the Enable Network Time Protocol box.The Server drop-down list becomes activated.4. Use the Server drop-down list to choose a net-work time server, or add the name of your ownnetwork time server.36_571737c29.qxd 7/2/04 9:09 PM Page 198Using PAM and Kerberos to Serve Up Authentication 199If you configure all your machines to synchro-nize to the same server, time wont interferewith your Kerberos logins.Testing your domain name server (DNS)Kerberos makes extensive use of the DNS server.Before you set up Kerberos, its a good idea to besure that all your computers are on a first namebasis.Every computer on your network can talk to anyother computer just by knowing its IP address, butwith Kerberos, your computers must know eachother by name. The easiest way to verify that DNS isworking is with a series of pings: Ping the Key Distribution Center by name fromeach potential client. Ping each client machine by name from the KeyDistribution Center. Each potential client should ping any otherpotential client (by name) that it will access.Just in case youre not familiar with pinging, a pingis like a handshake across the network. To ping amachine, open the terminal window and enter thefollowing command:$ ping machinenameYour machine sends a note to the other machinetelling it to send back a packet of data. If the DNSservice is working properly, you start getting a streamof replies that looks something like this:$ ping bastillePING bastille (192.168.0.28): 56 databytes64 bytes from 192.168.0.28: icmp_seq=0ttl=64 time=34.893 ms64 bytes from 192.168.0.28: icmp_seq=1ttl=64 time=2.918 ms--- bastille ping statistics ---2 packets transmitted, 2 packets received,0% packet lossround-trip min/avg/max = 2.918/18.905/34.893 msUse the Ctrl-C combination to stop pinging. Setting up a Key Distribution CenterKerberos can make authentication on a large net-work quick and easy. The centerpiece to Kerberosauthentication is the trusted third party the KeyDistribution Center (KDC). All the other machines onyour network look to the KDC for authenticationservices.Time is crucial to using Kerberos successfully theKDC and all the other Kerberos client and servermachines must agree on the current time. Be surethat the NTP (Network Time Protocol) is up and run-ning on all your computers. See the earlier section,Establishing synchronized system times, for details.You should also test your DNS, which we also explainearlier in Testing your domain name server (DNS).Heres how to set up a Key Distribution Center:1. Log in to the computer that you want to use asthe KDC. You can do this at the console, or by using SSHto log in over the network.2. Open a terminal window and give yourselfsuperuser privileges with the su command.3. Insert and mount the Fedora distribution disc. 4. Move to the directory containing the RPM pack-ages (/mnt/cdrom/Fedora/RPMS) and use the fol-lowing commands to install the Kerberospackages:# rpm -Uhv krb5-libs-1.3.1-6.i386.rpm# rpm -Uhv krb5-server-1.3-1.6.i386.rpm# rpm -Uhv krb5-workstation-1.3-1.6.i386.rpm5. To begin creating a script that will automati-cally update a few of the configuration filesthat the KDC needs to operate, open yourfavorite editor and create a file named /tmp/fixrealm:# kedit /tmp/fixrealm36_571737c29.qxd 7/2/04 9:09 PM Page 199Technique 29: Securing a Large Network with Custom Authentication200The script saves a copy of the originals andupdates the working configuration files by usingdefault values it finds on your network. fixrealmshows you its progress as it works.10. Create the KDC database with the followingcommand:# kdb5_util create -sYoure prompted for the KDC database masterkey.11. Type a password and press Enter.Youre prompted for the KDC database master-key again to verify the entry. 12. Retype the password and press Enter.Dont forget this password. Its important!13. Add your own user name to the KDC databasewith the following command:# kadmin.local -q addprinc username14. Enter the password that you want to use whenyou log in.15. Reenter your password when prompted.The creation of your user account is verified byKerberos.Now, you need to start the KDC with the ServiceConfiguration tool. To start the KDC services, followthese steps:1. Open the Main Menu and choose SystemSettingsServer SettingsServices.A dialog opens prompting you for the root pass-word.2. Enter the root password and click OK.3. Use the scroll bar to find the following services: krb524 krb5kdc kadmin4. One service at a time, check the box next to theservice and click the Start icon. You can make all these changes manually, butto save a bit of time, weve added a quickscript to update the configuration files. Thistool works only if your DNS server is runningand you have a domain in place.6. Add the following code to /tmp/fixrealm:#!/bin/bashOLDDOMAIN=example.comOLDREALM=EXAMPLE.COMOLDKDC=kerberos.example.comNEWDOMAIN=$(dnsdomainname)NEWREALM=$(echo $NEWDOMAIN | tr[:lower:] [:upper:])NEWKDC=$(hostname)function fixup(){cp $1 $1.origecho Fixing $1 (original saved in$1.orig)sed s/$OLDREALM/$NEWREALM/ $1.orig |sed s/$OLDDOMAIN/$NEWDOMAIN/ |sed s/$OLDKDC/$NEWKDC/ > $1}fixup /etc/krb5.conffixup /var/kerberos/krb5kdc/kdc.conffixup /var/kerberos/krb5kdc/kadm5.acl7. Save the file and close the editor.Double-check your typing before you save thecode. (We managed to wipe out our Kerberosconfiguration files with just a few typos.)8. Make the script executable with the followingcommand:# chmod a+x /tmp/fixrealm9. Run the script with the following command:# /tmp/fixrealm36_571737c29.qxd 7/2/04 9:09 PM Page 200Using PAM and Kerberos to Serve Up Authentication 201You must click the Start icon after checkingeach box. If you check all three and then clickStart, Fedora starts only the last service youchecked.As each service starts, a dialog opens confirmingthat the service started successfully. Click OK (in the pop-up) and start the next service.5. When all three services have been started,click the Save button (in the toolbar) and closethe Service Configuration window.Your KDC should be up and running and ready to distribute tickets. Dont forget that you needto add each user (or program) that requestsauthentication to the KDC database.Jump ahead to the section Adding users tothe Key Distribution Center for details aboutadding principals to the KDC database.Setting up automatic ticket management with Kerberos and PAMAfter youve synched your clocks, tested your DNS,and established the Key Distribution Center (KDC)on your network (all explained in earlier sections),youre ready to configure your workstation so thatPAM manages your Kerberos login session tickets.To set up Kerberos authentication, you need twopieces of information: The workgroup name of the computers that trustauthentication from your KDC (the Kerberosrealm) The name of the computer that is acting as your KDCFollow these steps to enable Kerberos authentication:1. Open the Main Menu and choose SystemSettingsAuthentication.A dialog opens, prompting you for the rootpassword.2. Enter the root password and click OK.The Authentication Configuration window opens.3. Click the Authentication tab.4. Check the Enable Kerberos Support box.5. Click Configure Kerberos.The Kerberos Settings dialog opens, as shown inFigure 29-6. Figure 29-6: The Kerberos Settings dialog.Fill in the dialog with the information about yourKerberos realm.6. Enter the Realm name in the Realm field. 7. Enter the KDC name in the KDCs field, followedby a colon and the port number 88.computername:888. Enter the KDC name in the Admin Servers field,followed by a colon and the port number 749.computername:7499. Click OK to close the dialog and save the settings.10. Click OK to close the AuthenticationConfiguration window. 36_571737c29.qxd 7/2/04 9:09 PM Page 201Technique 29: Securing a Large Network with Custom Authentication2024. When prompted, reenter the password. The creation of the new principal is confirmedwith a message.5. Repeat Steps 2 through 4 to create more princi-pals (users) and then log out of the KDC whenyoure finished.At this point, you have two passwords: the oldlogin password and the new Kerberos pass-word. If you give the old password when youlog in, PAM doesnt get a chance to do itswork, and you wont be granted a Kerberosticket. If you give the new password, PAMobtains a ticket for you.If you can successfully log in with the new(Kerberos) password, you know that theKerberos and PAM setup is working. After youknow things are running okay, you canremove the old login password.To remove the old login, open the terminal windowand give yourself superuser privileges with the sucommand. Then execute the following command:# passwd -l usernameLocking password for username.passwd: SuccessAfter executing this command, only the new Kerberospassword will work for logins.Now, each time you log in to your workstation, PAMautomatically obtains a Kerberos ticket for you. The Kerberos infrastructure quietly passes thatticket from server to server as you move aroundyour network the ticket proves that you are whoyou claim to be.Adding users to the Key Distribution CenterThe KDC doesnt hand out any session tickets unlessit recognizes the user. Users must verify their identi-ties to the KDC with a password. Only when theyrerecognized are they issued a ticket.To the KDC, the user is known as a principal.A principal can be a host, a user, or a program.A principal is anyone who trusts the KDC. If aprogram needs to honor tickets across the net-work, it must be defined as a principal. After you follow the steps in the preceding four sec-tions, youre ready to add a principal to the KDC:1. Log in to the KDC (as user root):# ssh root@kdcname2. Enter the following command:# kadmin.local -q addprinc username3. When prompted, enter the login password forthe new principal.36_571737c29.qxd 7/2/04 9:09 PM Page 20230 CustomizingAuthentication with PAMSuppose that youve written the worlds spiffiest database program.You install it at a few sites, and your users love it. Now, you sell yourdatabase to a bank that uses a smart card to identify each user. Youhave to modify your database to handle smart card authentication. A fewmonths later, you run into a customer that wants to use a retinal scannerto protect access to his data. Again, you have to modify your database tohandle retinal scanners. Next, someone wants to use voice authentication.More changes.In this technique, we introduce you to PAM, which stands for PluggableAuthentication Modules (or methods). Flexible, well-rounded, and ever-expandable, PAM is a great system resource to get to know. It was designedto hide authentication methods from an application. If you modify yourdatabase to interact with PAM, you dont have to change your code justbecause an administrator wants to try out a fancy new authenticationtool. With PAM, you can Create complex login procedures (two or three passwords, challenge/response mechanisms, and so on). Use high-tech methods like biometric scans to authenticate users.You obviously need extra hardware to use mechanical authenticationmethods, but if the data is valuable enough to justify the cost of theprotection, PAM can help manage the technology. Avoid entering the root password when you need superuser privi-leges. With just a few quick file changes, youll save time wheneveryou need to su (as well as when you need to use the Linux configura-tion tools). We dont recommend using PAM to circumvent root foreveryone, but if youre working on a system that doesnt need to havetight security, it can make administrative or system tasks a breeze.This technique shows you how. If youre interested in setting up a Linuxhost in a Windows domain network or if you want to use Kerberos toauthenticate your users, take a peek at Technique 29 as well.TechniqueSave Time By Understanding the PAMconfiguration files Building your ownauthentication rules Searching the Web forPAM modules Skipping the root pass-word if you dare37_571737c30.qxd 7/2/04 9:10 PM Page 203Technique 30: Customizing Authentication with PAM204Finding a Module andCustomizing Its RulesAdding your own rules to the PAM configuration filesis relatively simple when you understand what thedifferent modules do. If you use Fedora, you can find documentation aboutPAM modules in$ /usr/share/doc/pam-0.77/txtsIf youre a Mandrake user, you find documentationabout PAM modules in$ /usr/share/doc/pam-doc-0.77.txtsIf you use SuSE, look for PAM documentation in$ /usr/share/doc/packages/pam/modulesMove into the directory, and use the ls command to see a list of the documents available. Use the more command to display the contents of the documentation:$ more README.pam_nologinPress the spacebar while the document is displayedto see more of the document.When youve found a PAM module you want to usefor program authentication, add a rule to the pro-gram configuration file that tells PAM when to invokethe module.Building Good Rules with PAMThis is the section where we begin to break downwhat your options are for customizing levels of secu-rity in PAM. A PAM-enabled program can rely on achain of one or more rules to authenticate the user.PAM configuration rules can seem a bit overwhelmingUnderstanding Modules andConfiguration Files: The Basics of PAM AuthenticationPAM (Pluggable Authentication Modules) is the pro-gram that is responsible for authenticating users whoconnect to a Linux system. Most programs packagedwith Linux distributions use PAM for authentication,as do many other open-source projects. PAM gains its flexibility from plug-in modules. PAMitself doesnt do a whole lot, relying instead on mod-ules to do the heavy lifting. Developers write themodules to fulfill a number of diverse tasks. Somemodules store passwords on an smb mounted net-work share, while others are specialized to use hard-ware devices like smart cards and biometricscanners.PAM keeps track of the level of security you desire ina set of configuration files. You can change the PAMconfiguration files to require multiple passwords,limit access based on a user/location relationship, orenable biometric devices. Each configuration filespecifies a set of modules that PAM employs toauthenticate a user.With a little extra hardware and PAM, you canuse biometric scans or other high-tech devicesto secure super-important data.We explain the basics of finding a module and cus-tomizing its rules in the next section. Then, in Build-ing Good Rules with PAM, we explain the basic syntax of rules and what your customizing optionsare. And we help you better understand whats actu-ally in a configuration file in Dissecting a Configura-tion File also later in this technique.37_571737c30.qxd 7/2/04 9:10 PM Page 204Building Good Rules with PAM 205at first, but theyre actually quite simple. The basicformat of a configuration rule is this:phase control-level module-pathname argumentsWe explain what you need to know about each partof a rule in the following sections.PhaseEach configuration file controls four different phasesof the authentication process: authentication, accountmanagement, session management, and passwordmanagement. Each configuration rule belongs to aspecific phase according to the first word in the rule: auth: An auth rule verifies that you are who youclaim to be, by password, biometric scanner,smart card, or other authentication means. account: Account rules allow or deny access toa service based on available system resources (a certain number of users may be allowed tolog in at one time), user location (root usersmust be sitting in front of the computer con-sole), and other factors. You can use accountrules to help control system resources and privileged access. session: Session rules put in place the sessioninformation for the user that is logging in. A typi-cal session rule may mount your home directorywhen you log in or set up a log file that recordsyour entire login session. password: Password rules change the passwordor other authentication means that a moduleuses to identify the user.PAM modules are diverse, each controlling differentaspects of authentication and session management.A given module may service all four phases (authen-tication, account management, session management,and password management) or only a few. For exam-ple, the pam_nologin.so module (which prohibitsuser logins if the file /etc/nologin exists) works inthe auth phase, but doesnt have anything to offerthe password phase.If you need an authentication module for anunusual security application, search the Web.Modules are out there just search the Webfor PAM modules.Control levelThe control level determines what happens if themodule fails. For example, if the user fails to providea proper password but passes a retina scan, you maywant to let that user into your system.Here are the control-level options: sufficient: If a rule is satisfied that is deemedsufficient, you are allowed to continue. A userentering a correct password in a step that isdeemed sufficient is allowed either to continuewith the login process or to access the program. required: This rule must succeed, or the user isnot allowed to run the program. optional: This rule does not need to be satisfiedfor the user to be allowed to use the program. requisite: If two passwords are used to authen-ticate identity, using the requisite control typestops authentication when the first passwordfails. Module pathnameThe third feature in a configuration rule is the path-name to the PAM module that the rule uses. Themodules are located in /lib/security.ArgumentsThe fourth item in a PAM configuration rule is a setof zero or more arguments that gets passed along tothe PAM module when the module is invoked. Thearguments vary depending on the module. The sim-plest of arguments is debug, which causes a moduleto write debugging information to the system log(which is handy if youre having trouble logging intoyour system).37_571737c30.qxd 7/2/04 9:10 PM Page 205Technique 30: Customizing Authentication with PAM206PAM configuration file by prefixing the commentswith a #.The next three rules are invoked, in order, duringthe authentication phase. (They all start with theword auth.) Line 2: The first authentication rule invokesthe pam_securetty.so module. If you trackdown the documentation for that module (see/usr/share/doc/pam-0.77/txts/README.pam_securetty), you see that this module allowsprivileged (that is, root) logins only from specificworkstations. The idea behind securetty is thatyou can physically secure certain workstations(by placing them behind a locked door) and thenallow root logins from only those workstations.Because the rule is required (see the secondcolumn), pam_securetty.so must return a posi-tive response before PAM will continue withauthentication.pam_securetty.so makes sure that privilegedusers (like root) cannot log in from remotecomputers. They have to be sitting at one ofthe workstations listed in /etc/securetty. Line 3: The second auth rule requires that thepam_stack.so module return a positive responsewhen passed the argument service=system-auth.pam_stack.so doesnt really do any authentica-tion checks by itself. Instead, it switches over to acommon set of rules stored in another configura-tion file. Keeping commonly used rules in a singlefile makes it easier to manage PAM configuration.pam_stack.so returns a positive response if therules in the other file (in this case, /etc/pam.d/system-auth) are satisfied.Dissecting a Configuration FileModifying a PAM configuration file isnt difficult, butthe format appears pretty cryptic at first. In this sec-tion, we show you a typical configuration file andexplain what each line does. After you can read aPAM configuration file, you can tailor your own filesto more closely match your needs.Each file in the /etc/pam.d directory controls PAMauthentication for a single client. A client roughlyequates to a program, and the filename is the sameas the program name. The /etc/pam.d/login file contains all the authentication rules for the loginprogram, the sshd file contains all the authenticationrules for ssh, and so on.The contents of your PAM configuration filesmay vary. The following is just an example ofone possible configuration for a login file.To peek into the login configuration file, open a ter-minal window and enter the following command:$ kedit /etc/pamd.d/loginThe PAM configuration file opens, displaying theauthentication rules for the login command, asshown in Listing 30-1.Heres a line-by-line breakdown of the rules in this file: Line 1: The first line in /etc/pam.d/login is acomment. You can ignore that line for now, butnotice that you can include comments in a LISTING 30-1: THE PAM LOGIN CONFIGURATION FILE1 - #%PAM-1.02 - auth required pam_securetty.so3 - auth required pam_stack.so service=system-auth4 - auth required pam_nologin.so5 - account required pam_stack.so service=system-auth6 - session required pam_stack.so service=system-auth7 - session optional pam_console.so8 - password required pam_stack.so service=system-auth37_571737c30.qxd 7/2/04 9:10 PM Page 206Dissecting a Configuration File 207Quite a few modules use the system-authconfiguration file. The system-auth file holdscommon configuration information in one file.Each file that needs the common informationjust refers to the system-auth file instead ofduplicating that information.When the authentication rules found in the system-auth file are satisfied, PAM continues tothe third authentication rule (also required). Line 4: The third auth rule requires a positiveresult from the pam_nologin.so module. Thepam_nologin.so module checks for the existenceof the /etc/nologin file. If the /etc/nologin fileexists, only root is allowed to log in.Create the /etc/nologin file to block otherusers from logging in to the system whileyoure performing system maintenance. Just besure to delete the file again when youre donebecause no other users (other than root) areallowed to log in while /etc/nologin exists.When the authentication rules are met, and PAMis satisfied that the user is who he or she claimsto be, PAM moves on to the account rules.Authentication rules lay out the procedure usersmust follow in order to prove that they are whothey claim to be. Account rules kick in after theauthentication process is completed. Line 5: This is the only account rule in this file.The rule simply defers to the account rules in/etc/pam.d/system-auth. You can use accountrules to enforce policies that arent related toauthentication but are still important passwordaging, disabled accounts, and so on.The system-auth file holds the most com-monly used system configuration rules. Youcan look inside the file with the following command:$ kedit /etc/pam.d/system-authLooking in the system-auth file tells you that thepam_unix.so module is being invoked. Thepam_unix.so module is responsible for passwordaging and other account-related concerns.When the account-related issues have been satis-fied, the login program requests that PAM sat-isfy any session rules that are required. Bylooking in the configuration file (lines 6 and 7),you can see two session rules one requiredand one optional. Line 6: The required rule is applied first. Therequired rule defers to the system-auth configura-tion file rules, where the pam_limits.so moduleand the pam_unix.so module are required to sat-isfy requirements before the login program cancontinue. pam_limits.so enforces limits imposedby the /etc/security/limits.conf file (limits ondisk usage, CPU usage, memory usage, and so on).The requirements of the pam_limits.so modulemust be met before login is allowed to continue. Line 7: Optional rules dont need to be satisfied tocontinue theyre optional. This rule specifiesthat the pam_console.so module may or may notbe satisfied before the login program continues. The pam_console module changes the filepermissions when you log in at the console,and changes them back when you log out.The theory behind pam_console is that if youhave physical access to the machine, youshould have physical access to the peripherals.This is a fairly volatile module, and not one werecommend playing with. Line 8: The password rule is invoked only whenthe login program requests that a password bechanged. Then PAM looks in the configurationfile, sees that the password rule requires that thesystem-auth password rules be satisfied beforethe user is allowed to change the password. Inour system-auth file, the password rule requiresthat the pam_cracklib module be satisfied beforethe new password is accepted. Notice that pass-word rules arent actually part of the authentica-tion sequence theyre only used to change thepassword (or retina scan, or fingerprint, or what-ever you have configured).37_571737c30.qxd 7/2/04 9:10 PM Page 207Technique 30: Customizing Authentication with PAM208The kedit window opens, displaying the contentsof /etc/group.3. Find the line in the file that starts with wheel.4. Add a comma, followed by your username, tothe line.wheel:x:10:root,username5. Save the file and exit.6. Enter the following command:$ kedit /etc/pam.d/system-auth7. If youre using Fedora, find the lines that looklike this:# Uncomment the following line to \ implicitly trust users in the \wheel group.#auth sufficient \ /lib/security/$ISA/pam_wheel.so \trust use_uidIf youre using Mandrake, you wont have the lastline included in your system-auth file.Youll need to add the following line as the sec-ond rule in your system-auth file:auth sufficient \/lib/security/$ISA/pam_wheel.so \trust use_uid8. If youre using Fedora, remove the # from thebeginning of the auth rule.The result should look like this:# Uncomment the following line to \implicitly trust users in the \wheel group.auth sufficient \/lib/security/$ISA/pam_wheel.so \trust use_uidNow, when you use the su command, PAM recog-nizes that you are a member of the wheel group anddoesnt ask for the root password.If you decide to allow PAM to skip passwordprompts and you leave your desktop logged inand unattended, you may be asking for trouble.The pam_cracklib module works only withthe password rule type. It checks the passwordagainst a dictionary to see if the new passwordentered is guessable. If you set pam_cracklibto required, only complex, difficult-to-crackpasswords will be accepted.Skipping a Password with PAMYou can tighten security fast with PAM, but you canalso relax security standards to save time in certaincases. On a system thats not holding data that is life-and-death important, and thats not an integral linkin a network, you can make PAM skip the request fora root password when you need superuser privilegesat the command line.The pam_wheel.so module returns a positive resultwhenever members of the wheel group try to authen-ticate themselves. That means that if youre a mem-ber of the group named wheel, PAM assumes thatyouve already authenticated yourself and lets youcontinue without a password. Whats the significanceof the name wheel? We cant figure it out either.Think twice before disabling root passwords.Never having to slow down to enter a pass-word is a definite timesaver, but its about theloosest security you can have. The following example works for Fedora orMandrake. The same technique will work forSuSE, but because SuSE doesnt use a com-mon configuration file (like system-auth), youneed to decide for yourself which files youwant to modify. To change the PAM configuration files to allowsuperuser access without a password, follow thesesteps:1. Open your terminal window and give yourselfsuperuser privileges.2. Enter the following command:# kedit /etc/group file37_571737c30.qxd 7/2/04 9:10 PM Page 20831 Gaining PrivilegesEvery Linux system has a user who thinks hes better than everyoneelse; a user who wants more privileges than anybody else has; auser who can do things others cant do. We call him the superuser,but his real name is root.This technique shows you how to gain and use superuser privilegessafely from the comfort of your desk no phone booths or funny tightsrequired. Limiting the power of the superuser is important if you want tokeep your system safe and secure. Youll save a lot of time if you donthave to recover from disasters caused by (accidentally) flexing too manysuperuser muscles. Sometimes you need superuser privileges to do sys-tem administrator work like configuration, user management, and privi-lege management. But we show how to limit your exposure by gainingonly the privileges that you need and only when you need them.Feeling the PowerIn most systems, a single user, named root, holds superuser privileges.(You can think of user root as synonymous with superuser.) The superusercan do anything he wants on your system, such as the following operations: Modify (or delete) any file. Change any password. Use any device. Create new user accounts. Delete old user accounts. Lock you out of your system.Sounds like someone you want to keep out of your system, doesnt it?TechniqueSave Time By Knowing the power of thesuperuser Gaining extra privilegeswith the su command Limiting privileges withsudo38_571737c31.qxd 7/2/04 9:11 PM Page 209Technique 31: Gaining Privileges2104. Overwrite the /etc/motd file as follows:[root@bastille /]# echo Bastille willbe down this evening for an upgrade> /etc/motd[root@bastille /]#5. Now heres the most important part: Exit theprivileged shell, forfeiting your new privileges:[root@bastille /]# exit[freddie@bastille /]$Do-it-yourself identity checkingThe bash shell is just trying to be helpful when it changesyour prompt from $ to # (and back again), but if you mod-ify your prompt, you cant rely on this cue. For a moredefinitive hint, the id command is your answer. id printsout your current identity:[freddie@bastille /]$ iduid=501(freddie) gid=501(freddie)groups=501(freddie)Notice that id printed your user ID (and name) and a list ofgroups to which you belong (in this case, a single groupnamed freddie). Now give yourself superuser privilegesand try the id command again:[freddie@bastille /]$ suPassword:[root@bastille /]# iduid=0(root) gid=0(root) groups=0(root),1(bin), ... [root@bastille /]# exit[freddie@bastille /]$ iduid=501(freddie) gid=501(freddie)groups=501(freddie)You see that the su command changes more than just yourprivileges: It changes your identity as well. Pretending to Be Other UsersBecause su gives you a way to become the superuser,you may be thinking that su stands for superuser.In fact, su stands for substitute user: You can imper-sonate any user with su (as long as you know theright password).Sometimes, you need to do those things becauseusers come and go, passwords are forgotten, andfiles need changing. Save yourself a lot of time bylimiting your powers and minimizing the damagethat you can do. Save the power for when you reallyneed it. Gaining Superuser PrivilegesGiven all the exciting and hazardous things that asuperuser can do, how do you become one? Simple:Just type su at the command prompt. Okay, theprocess is not quite as simple as that you alsohave to know the superusers password. Heres a short example. Say that you want to modifythe /etc/motd file. (The content of /etc/motd is dis-played whenever you log in to your system motdstands for message of the day.) Customizing /etc/motd is a quick way to alert your users that some-thing important is happening today. On most sys-tems, /etc/motd can be modified only by thesuperuser, as described in the following steps:1. Log in to your system as a normal (that is, non-superuser) user.2. Type the su command at the prompt:[freddie@bastille /]$ susu requests the superuser password:Password: 3. Enter the password.If youve entered the correct password, theprompt changes from $ to # to remind youthat you hold elevated privileges. See the Do-it-yourself identity checking sidebar for detailson an even better way to see your privilegesat the prompt.[root@bastille /]# At this point, su starts a new, highly privilegedshell for you. 38_571737c31.qxd 7/2/04 9:11 PM Page 210Limiting Privileges with sudo 211One reason that you might want to impersonateanother user is to gain privileges to a particularpiece of software, but you may not need all the privi-leges of the superuser to accomplish what you needto do. If you give yourself only the privileges thatyou need instead of giving yourself the power toaccidentally destroy your system, youll save your-self a lot of grief and wasted time. To see how impersonating a user without gaining allthe powers of the superuser works, take MySQL asan example. When you install a MySQL database,you usually create a new user account for the MySQLadministrator. The MySQL administrator is not a realperson (in most cases), its just a name for a set ofprivileges. To fire up your MySQL database, youmust become the MySQL administrator for a while:[freddie@bastille /]$ su mysql[mysql@bastille /]$ iduid = 301(mysql) gid=301(mysql)groups=301(mysql)[mysql@bastille /]$ mysqld_safe &[mysql@bastille /]$ exitNotice the hyphen in this command, which tells suto invoke the login scripts for user mysql. When yourun su without a hyphen, youre impersonatinganother user. When you run su with a hyphen, youreimpersonating another user and inheriting the envi-ronment variables (and shell aliases and functions)that belong to that user. The most common problem you run into (if you forget the hyphen) is that your $PATHenvironment variable is wrong. For example, ifyou forget the hyphen when you su mysql,its pretty unlikely that the mysqld_safe com-mand will be in your $PATH search path:mysqld_safe is on mysqls search path. Inother words, su - is a complete impersonation.Limiting Privileges with sudoWhats wrong with the su command? Running a shellas the superuser is sort of like hunting squirrels witha bazooka; sure, you can hunt squirrels that way, butits safer to use a smaller armament. If youre run-ning a shell while you have superuser privileges, itsjust too easy to make a typing mistake that deletesimportant information. (Trust us, weve done that afew too many times.)One way to avoid shooting yourself in the foot is touse sudo instead of su. From a users point of view,sudo is very similar to su: Each command starts anew program that holds elevated privileges. su givesyou all privileges, but sudo gives you only the privi-leges granted by an administrator. In other words,sudo gives you a way to grant partial privileges tothose who need them, without giving them thewhole bazooka. Really, you need to su only when you configure sudo.The whole point of using sudo (instead of su)is to save yourself time by avoiding disasters. Ifyou decide to use su in your normal course ofwork, be sure to read Techniques 49 and 50(backup and recovery).sudo is controlled by a configuration file named/etc/sudoers. The layout of a sudoers file can be abit confusing at first, but dont be intimidated. Heresa simple /etc/sudoers file:# file: /etc/sudoersfreddie bastille = /bin/mountThe first line is a comment (anything that follows a #is treated as a comment). The second line grants userfreddie the right to run the /bin/mount command aslong as hes logged into a computer named bastille. Now if freddie wants to mount a file system, hellhave to ask sudo to do the work for him:[freddie@bastille /]$ sudo mount/dev/cdrom /mnt/cdrom[freddie@bastille /]$When you add entries to the sudoers file, besure to include the complete pathname toeach command. If you dont, dastardly users38_571737c31.qxd 7/2/04 9:11 PM Page 211Technique 31: Gaining Privileges212(see Technique 13) to maintain a complete his-tory of all the privileges youve ever grantedon your entire network.Of course, you can also list multiple users in thesame sudoers file:# file: /etc/sudoersfreddie bastille = /bin/mount/dev/cdrom, /bin/umount /dev/cdromfranklin,tex versaille = /usr/bin/reboot,/sbin/dump, /sbin/restoreThe third line grants two users (franklin and tex)the right to reboot and the rights to backup andrestore, but only on a host named versaille. You can see the pattern: Each entry starts with a username (or a list of user names), a host name (or a listof host names), an equals sign, and then a command(or list of commands). Each entry grants a set of privi-leges to one or more users on one or more hosts. The man pages for sudo (and sudoers) statethat you must use the visudo commandto edit the /etc/sudoers file. Thats notreally true; you can use any editor youlike. visudo does some extra error check-ing whenever you save your file, but wefind the error messages to be more con-fusing than helpful.can simply slip a bogus program (with thesame name) into their search path and gainprivileges that you dont want them to have.The first time you edit the /etc/sudoers file,youll notice that its already filled in with sam-ple entries. Dont even look at them. Theyretoo confusing. Just add the one or two linesthat you need and ignore the samples.Freddie can now mount CDs, but he cant unmountthem. Thats easy to fix; just add the umount com-mand to the list of privileges:# file: /etc/sudoersfreddie bastille = /bin/mount, /bin/umountNow freddie can mount and unmount file systems.But what if you want freddie to mount and unmountonly CDs, not other file systems? Thats easy, too:# file: /etc/sudoersfreddie bastille = /bin/mount /dev/cdrom,/bin/umount /dev/cdromSave time by including host names in thesudoers file, maintaining a single master copyof the file, and copying it to each machine onyour network. That way, you dont have to cre-ate a separate sudoers file for each machine.In fact, you can store the sudoers file in CVS38_571737c31.qxd 7/2/04 9:11 PM Page 21232 sudo PseudonymsEvery system administrator walks a thin tightrope. On one hand, youmust secure your system against both accidental and intentionaldamage. On the other hand, you cant tighten security to the pointwhere average users cant get their jobs done. In a traditional Linux (orUNIX) system, privileges are granted to the superuser. If you need a privi-lege, you impersonate the superuser (with the su command). The prob-lem with this approach is that you gain all privileges as soon as you knowthe superuser password. Give yourself enough privileges to mount a CD,and youve also gained enough privileges to delete every file on yourcomputer. sudo (see Technique 31) can help by handing out privileges tospecific users and programs. But if you have a medium- to large-sized net-work, managing sudo privileges can become a time consuming chore.Assigning privileges with sudo aliases can help make quick work of thetask. A sudo alias is an easy way to refer to a group of users, hosts, orcommands when handing out privileges that are normally given to thesuperuser. The elements of the superuser privileges can be assigned indi-vidually, so the administrator doesnt have to give out the root password.Only the privileges that a user really needs are given out.With sudo aliases, you can create User_Alias groups to assign privilegesto groups of users. If the group (or department) gains new users, just addthose new users to the User_Alias, and they automatically have all theprivileges shared by that group. No one gets the superuser password, soyou dont need to worry about runaway superuser privileges.Host aliases allow you to control groups of computers with one set ofprivilege assignments. You can quickly combine user aliases and hostaliases to grant access to machine resources to the users that really needthe resources, but still restrict the superuser privileges that might pose asecurity threat to the system.In this technique, we show you how to save time by using sudos aliasesto assign privileges to groups. When you become a sudo superuser, youreally start to save time. In this technique, we show you how to use sudoaliases to save time assigning privileges. And your system will be a saferplace for it.TechniqueSave Time By Creating a User_Alias tomanage group privileges Using a Host_Alias toassign resource privi-leges to groups Creating a Cmnd_Aliasto keep dangerous com-mands under control Sharing superuser com-mands without sharingthe password39_571737c32.qxd 7/2/04 9:11 PM Page 213Technique 32: sudo Pseudonyms214 Runas_Alias: Using a Runas_Alias allows a userto borrow the privileges of another user (typi-cally, root). A Runas_Alias definition can includeuser names, UIDs, user groups, and otherRunas_Aliases. Host_Alias: Use a Host_Alias to manage groupsof computers if you manage a large network.Assigning a Host_Alias to a group of Web serversallows you to apply sudo rules to all the systemsin the group. A Host_Alias can reference hostnames, IP addresses, netmasks, or other hostaliases. Cmnd_Alias: A command alias groups similarcommands (similar in their danger levels).Grouping commands like rm, mkfs, and parted(potentially dangerous commands) and limitingaccess to them can help decrease the likelihoodthat youll be restoring from backup anytimesoon. A Cmnd_Alias can refer to commandnames, directories, and other command aliases.Adding Aliases to the sudoConfiguration Filesudo aliases are defined in the /etc/sudoers file.Adding an alias is quick and simple:1. Open the terminal window and give yourselfsuperuser privileges with the su - command.2. Tell the visudo command (which you use in a moment) which editor you want to use (thedefault editor is vi, and wed rather not gothere).For example, if you want to use kedit, use thefollowing command:# export EDITOR=keditYou can use kate, emacs, or another editor if youprefer.3. To edit the /etc/sudoers file, enter the follow-ing command:# visudoInstalling sudoTo find out if sudo is installed on your computer, lookfor a file called /etc/sudoers. If its not there, installsudo from your Linux distribution disc. Open a termi-nal window and give yourself superuser privilegeswith the su command. Mount the distribution disk,move into the directory holding the RPM packages,and install sudo with the following command:# rpm -Uhv sudo-version.rpm Adding Up the AliasesThe sudoers file holds sudo configuration informa-tion; program permissions and sudo aliases aredefined in /etc/sudoers. An alias (a sudo alias any-way) is a name that you give to a group of one ormore users, hosts, commands, or run as names. The idea behind an alias is that you can assign(or deny) privileges to the named group ratherthan to each individual group member, makingsetup and maintenance much easier. For exam-ple, you may have a small group of users whoperform system maintenance tasks (such asbackup and restore operations). Rather thanassigning privileges to each individual operator,create an operator alias (a group that includesall your operators) and assign backup andrestore privileges to the alias. That way, if youhire new operators, you simply add them to theoperator alias, and they have all the privilegesthey need. Or, if you switch to a differentbackup program, you can change the privilegesassigned to the operator group rather than toeach individual.By modifying the sudoers file, you can create fourkinds of aliases: User_Alias: A User_Alias creates a group ofusers. A User_Alias definition can contain acombination of groups, individual users, andother user aliases. 39_571737c32.qxd 7/2/04 9:11 PM Page 214Defining the Alias 215The /etc/sudoers file opens.The file contains four commented lines, acting asplaceholders for alias definitions. 4. Enter the aliases under the appropriate headings.For example, if youre creating a Cmnd_Alias,place it under the comment that says # Cmnd_Alias specifications. See the next section,Defining the Alias, for more information aboutthe format of an alias.5. When youre finished adding aliases, save thefile and exit the editor.When you save the file edits, you may get anerror message in the terminal window:Warning: undeclared Host_Alias NAMEreferenced near line 12>>>sudoers file: syntax error, line11Technique 32: sudo Pseudonyms216put a user name, and it will include all theusers. Use the expression ALL where youwould use a host name, and it will interpret itto mean all the hosts it knows about.Instead of using ALL, you can substitute yourown User_Alias into the command and limitthe users that can mount and unmount CDs.After you set up users by following the steps in thissection, the users need to add sudo to the front ofthe mount and umount commands when entering themto use their sudo privileges.Including the NOPASSWD flag exempts your users fromhaving to enter their sudo passwords. Passwordsoffer an extra line of security, but for some things(such as mounting a CD), your users will thank youfor not requiring a password.Managing access to dangerous commands with command aliasesUse command aliases to easily manage privileges fordangerous commands. When a user needs to use adangerous command, you can ration the accessinstead of giving out the superuser password andunlimited access to all commands. Here are somecommands you might consider controlling with sudo: su rm mkfs kill killall partedOne handy command that other users wouldfind helpful, but that normally requires super-user privileges, is rpm. If you read Techniques 17and 18, you already know how handy rpm iswhen it comes to installing and updating soft-ware. And with sudo aliases, you can share thetool without sharing the superuser password.privileges of dozens of users, aliases can really helpspeed things up.Simplifying group managment with a Host_AliasUse the Host_Alias to make management of groupsof computers easier. To add a Host_Alias namedFRANCE consisting of bastille, versaille, and louvre,add the following line to the sudo configuration file:Host_Alias SERVERS = bastille, versaille,louvreYou can also specify computers by IP addresses:Host_Alias SERVERS = 192.168.0.1,192.168.0.36, 192.168.0.22You can use a Host_Alias in combination with aUser_Alias to assign the user group privilegedaccess to a group of computers without giving outthe superuser password. Mounting and unmounting CDs without thesuperuser passwordYou might want to allow users to mount and unmountCDs without becoming the superuser. If you dontwant to expose the privilege on all your computers,create a Host_Alias that includes the computers thatthe users will access. To do so, follow these steps:1. Add the Host_Alias to the Host Alias Specifica-tion section of the sudoers file:Host_Alias CDROMHOSTS = 192.168.0.1,192.168.0.28, 192.168.0.218 2. Add a line in the User Privilege Specificationsection of the sudoers file that gives the privi-leges to everyone:ALL CDROMHOSTS = NOPASSWD: /sbin/umount/dev/cdrom, /sbin/mount /dev/cdromALL is a built-in alias that matches all items ofthat particular kind (all users, all hosts, and soon). Use the expression ALL where you would39_571737c32.qxd 7/2/04 9:11 PM Page 216Defining the Alias 2171. To add a command alias to the sudo configura-tion file, define the Cmnd_Alias with the fullyqualified pathname to the command:Cmnd_Alias DANGER = /usr/su, /usr/bin/kill, /usr/bin/killall, /bin/rm,sbin/mkfsThe location of the commands may vary sys-tem to system. Use the fully-qualified path-name when you define your command alias.2. Add a command alias in the Cmnd Alias Specifi-cations section of the sudoers file to create analias for the RPM command:Cmnd_Alias RPM = /bin/rpm3. Then add a line to the sudoers file under theUser Privilege Specification section:OPERATORS ALL = NOPASSWD: RPMThis line grants access to the rpm command to allmembers of the OPERATORS User_Alias on ALLhost machines.OPERATORS must add sudo to the front of the rpm command in order for sudo to grantthe required privilege: $ sudo rpm -Uhvrpmpackage.rpm.39_571737c32.qxd 7/2/04 9:11 PM Page 21733Save Time By Keeping your private bitsprivate Using a secure GUIacross a network Using public-key authen-tication for remote login Using scp to copy files Forwarding ports tosecurely breach a firewall TechniqueSecuring YourConnections with SSHIn the good old days, if you wanted to log in to a remote computer, yousimply ran telnet. The telnet program would reach across a networkand give you a remote command line. When you typed a commandinto the telnet client, the characters that you typed were sent blissfullyover the wire, and the telnet server on the other end would execute thecommand and send the results back to you. Were we really so young then?With the advent of the Internet, new villains appeared, eager to grab ourpasswords and credit card numbers as they leapt from ISP to ISP. Theproblem with telnet is that everything that you type is sent across the net-work in the clear. Anyone watching the bits stream across the networkcan see your private bits. The solution to this problem is SSH.SSH, which is an acronym for secure shell, encrypts your data as it travelsacross a network so that passwords, financial data, and private e-mail arenever exposed to any hacker who can intercept them. An SSH connectionconsists of two parts: a server and a client. An SSH server waits patientlyon a host computer, listening on a specific port for a client to log in. Whenan SSH client connects to a server, the two programs begin a lengthynegotiating session that results in a fully encrypted connection.SSH provides a remote command line. With SSH, you can start graphicalprograms that run on the server but display their data on your local computer.SSH also provides port forwarding. With port forwarding, you can tunnelthrough firewalls to gain access to machines on the other side. Forwardeddata is protected traveling back and forth to the protected host, while theserver remains secure behind its firewall. In this technique, we introduce you to the benefits of using an SSH client.SSH provides a secure connection across a local network or over the Inter-net, through firewalls, and with great speed, and it merges with your desk-top environment via a quick link. We show you how to use your SSH client(which comes complimentary with Fedora) to do all of these things.40_571737c33.qxd 7/2/04 9:12 PM Page 218Setting Up Public-Key Authentication to Secure SSH 219Using SSH for Top-SpeedConnectionsThe great thing about SSH is that you get all the secu-rity benefits, plus access to a GUI environment withspeeds that cant be matched by the other desktopsharing tools. SSH can compress the bits travelingover the network connection to improve perform-ance. The speed advantage is really evident if youhave a low-bandwidth or high-latency connection. Think of latency as the distance between yourcomputer and the server that youre connectedto. If youre connected to a computer 10 feetaway from you, you probably have a low-latency connection. If you need to log in to acomputer in a foreign land over a satellite con-nection, all your data travels from your com-puter, up to the satellite, back down to earth,and then across the rest of the network: Thats ahigh-latency connection. Setting Up Public-KeyAuthentication to Secure SSHWhen you log in to a typical personal computer, youprovide a password. The password authenticatesthat you are who you claim to be. Anyone who knowsyour password can fake out a server. Passwords aretypically very short and easy to remember; thosetwo qualities make passwords easy to use, but alsomake them incredibly insecure.Public-key authentication is an alternative to pass-word authentication. Public-key authentication isvery secure, and SSH also makes it convenient. Inpublic-key authentication, each key has two parts a public key and a private key. You always keep your private key a secret, but you share your publickey. The two keys are mathematically related in away that only Stephen Hawking can understand. Amessage encrypted with the public key can bedecrypted only with the private key. A messageencrypted with the private key can be decryptedonly with the public key.To authenticate a connection by using a public key,the server encrypts a message with your public keyand sends the result to your client. The SSH clientdecrypts the message using your private key andreencrypts it with the servers public key. In thisexchange, youve proven you are who you say youare and verified that youre connected to the properserver.Public-key authentication is perfect for telecom-muters and those doing customer support workbecause it enables you to easily access comput-ers that you will log in to often. Just copy yourpublic key once, and youre ready to go.The public and private keys are stored in the ~/.sshdirectory. To set up key authentication with SSH,heres an overview of what you need to do:1. Generate the key pair.2. Give the SSH server a copy of your public key(but keep your private key to yourself).You can copy the public key to the server byusing a file transfer tool such as scp (secure cp).3. (Optional) Set up your passphrase so that youdont have to enter it every time you log in.Your public/private key pair is generated from a whole mess of random numbers. Its veryunlikely that any two key pairs will be identical.A typical key is at least 128 characters long.Linux automatically contains everything youneed to use public-key authentication, so youdont have to install any extra software. Yay!Generating the key pairTo generate your public/private key pair, followthese steps:40_571737c33.qxd 7/2/04 9:12 PM Page 219Technique 33: Securing Your Connections with SSH220Follow the steps shown in Listing 33-1 to transferyour public key to the remote system. After youenter each command, youre prompted for yourpassword on the remote system.In the example, substitute your user name onthe remote system for freddie, and the name(or IP address) of the remote system forbastille. Passing on your passphraseIf you did all that work to avoid typing in a pass-word, why should you have to enter a passphraseinstead? The passphrase unlocks your private keyfor use when you log in to a remote system. Withouta passphrase, your private key would be exposed onyour local machine for anyone to see. If you do a lot of work on a remote machine,add the passphrase to your startup procedureand create desktop shortcuts to save you timelogging in and out. The following steps explainhow to arrange for KDE or GNOME toprompt you for the passphrase when you login to your desktop environment. See CreatingShortcuts to Your Favorite SSH Locations forinformation about creating desktop shortcuts.If youre in an environment where security iscrucial, never walk away from your computerwithout first logging out. A troublemaker whowalks up to your unattended computer canimpersonate you if youre logged in. If you fol-low the steps described in this section, anyonewith physical access to your computer can alsouse your private key while youre logged in.1. Open a command line, type the following com-mand, and press Enter:$ ssh-keygen -t rsaYoure prompted to enter a file to save the key in. 2. Press Enter, and SSH will find a good place forthe file.Youre prompted for a passphrase. 3. Enter a good password. Check out the sidebar Choosing good pass-words, later in this chapter, for some ideasabout choosing passwords.4. Enter the same passphrase again to verify it.Remember the passphrase; youll need it later.SSH acknowledges that it has created your keypair and displays the filenames where the keysare saved. ssh-keygen also issues a key finger-print, but you can ignore that for now. To use yourkey pair with SSH, you need to distribute thepublic key, which we explain how to do in thenext section.Distributing your public keyBefore you can use your key pair to log in to an SSHserver, you have to copy your public key into your~/.ssh directory on the server. The easiest way toget your key to the server is to use the scp command.Dont share anything but your public key bye-mail. The private key is always kept private,encrypted on your system.LISTING 33-1: HANDING OUT YOUR PUBLIC KEY$ ssh freddie@bastille mkdir .sshPassword:$ ssh freddie@bastille cat >> .ssh/authorized_keys2 < .ssh/id_rsa.pubPassword:$ ssh freddie@bastille chmod 700 .ssh .ssh/authorized_keys2Password:$40_571737c33.qxd 7/2/04 9:12 PM Page 220Logging In with SSH and Key Authentication 221To eliminate the need to enter your passphrase everytime you log in to a remote system, you have to talkKDE (or GNOME) into asking you for the passphrasewhen you first log in to your local desktop. After thekey is unlocked, its ready for use (and reuse) untilyou log out of your local desktop. If you use KDE, the easiest way to set this up is withKonqueror. Heres how:1. Open your Konqueror browser and surf to thefollowing directory:~/.kde/Autostart2. Right-click on the browser and choose CreateNewLink to Application from the pop-upmenu.3. Name your link (Passphrase) and click theExecute tab.4. In the Command field, enter the following command:/usr/bin/ssh-add5. Click OK.A new Autostart icon appears in the Konquerorwindow. The next time you log in to KDE, youllbe prompted for your passphrase.If youre a fan of GNOME, follow along to edit yourAutostart folder:1. Open the Main Menu and choose PreferencesMore PreferencesSessions.2. Click the Sessions icon to open the Sessions dialog.3. Click the Startup Programs tab and thenclick Add.The Add Startup Program dialog appears.4. Type /usr/bin/ssh-add in the StartupCommand field and click OK.Logging In with SSH and Key AuthenticationWhen you log in to an SSH server using public-keyauthentication, youre greeted with a remote com-mand line. The commands that you enter are exe-cuted by the SSH server until you log out. If you wantto use graphical environments, you can access those,too. We give you the details in the following sections.Starting from the command lineTo use your key authentication to log in to a machinewith SSH, follow these steps:1. At the command line, type ssh bastille andpress Enter.Youre prompted for your passphrase (the oneyou entered when you generated your key set). 2. Enter the passphrase.Youre logged in!A few quick words about fingerprintsThe first time you log in with SSH, your local system addsthe servers public key to its list of known computers andissues a warning similar to the following: The authenticity of host `192.168.0.135cant be established.RSA key fingerprint isb4:2y:88:23:98:33:g1:03:ec:7b:d8:2b:b8:83:y3:f8.Are you sure you want to continue connecting (yes/no)?Type yes and press Enter to continue.In the future, if the servers public key changes, SSH willwarn you.Some nasty people intercept transmissionsand redirect logins to steal password informa-tion that will enable them to get into places40_571737c33.qxd 7/2/04 9:12 PM Page 221Technique 33: Securing Your Connections with SSH2223. In the Command field, enter the following command:gnome-terminal -x ssh bastille4. Click OK.Double-click the new link, and youre logged in andworking. If youve configured your desktop as wedescribe earlier in Passing on your passphrase, youdont need to stop and enter passwords along the way.With your remote terminal, you can open anygraphical application on your Linux host. At the command line, enter the name of theprogram kedit, kate, konqueror . . . thelist is endless.You can open as many windows on your local desk-top as your connection will support. These windowswork like local windows in all respects, with theexception of drag and drop. Instead of drag and drop,we recommend using scp at the command line. Seethe next section for details.If youre using KDE as your desktop environment,you can create a link to a remote file or directory.Double-click a link to a remote directory, and KDEwill open the directory with the Konqueror browser.After you double-click a link to a remote file, KDEopens the file using the right application (based onthe files MIME type). Follow these steps to create anew link to a remote directory:1. Right-click on the desktop and chooseCreate NewLink to Location (URL) from thepop-up menu.2. Enter the following command in the Enter Linkto Location (URL) field and click OK:fish://bastille/homeSubstitute your remote machines name or IPaddress for bastille.fish: is a KDE protocol that provides remotefile management over an SSH connection. SeeTechnique 1 for more information.they dont belong. If the system fingerprintsdont match, SSH will warn you and youll knowyou have a potential man-in-the-middle attack.If that happens, ask the remote system adminis-trator to read you his or her servers fingerprintover the phone.Getting graphicYou can also run graphical programs from yourremote machine on your local desktop. The SSHserver forwards X Windows traffic over the SSH con-nection automatically. Here are a few examples toillustrate how this works: To see what time it is on the remote system, typethe command xclock &. The clock displays thetime on your local desktop, but it also displaysthe time on the server (you cant tell the differ-ence if youre in the same time zone). To see the files on the server, type konqueror &and press Enter. The Konqueror browser startsrunning on the server, but the display appears onyour local desktop.Creating Shortcuts to YourFavorite SSH LocationsSSH is handy at the command line, but you can alsolaunch SSH sessions from a desktop link. And, ifyoure a KDE aficionado, you can use the fish: pro-tocol to create a link to a remote file or folder.To add a desktop link that opens a terminal windowconnected to an SSH server, follow these steps:1. Right-click on your desktop and chooseCreate NewLink to Application.A dialog opens.2. Type a name for the link and click the Exe-cute tab.40_571737c33.qxd 7/2/04 9:12 PM Page 222Secure (And Fast) Port Forwarding with SSH 223When the dialog closes, a link on the servers/home directory appears on your desktop.3. To connect to the remote machine, just double-click the icon.A Konqueror browser window opens, showingthe /home directory.Copying Files with scpscp is similar to the cp command: It copies a file froma source to a destination. The difference betweenscp and cp is that scp can deal with files stored onremote hosts. scp uses the SSH protocol to encryptthe file being transferred and can take advantage ofSSHs compression feature to save you time. You canuse scp to completely replace cp. To copy a file fromone directory to another (on your local machine),use the following command:$ scp /tmp/drink-recipes.txt /home/If you want to copy a file from an SSH server or to anSSH server, include the remote host name on thecommand line, like this:$ scp louvre:/pics/monalisa.jpg /tmp/$ scp /tmp/monalisa.jpg orsay:/pics/If you see a name that includes a colon, itmost likely refers to a remote computer.The first command copies /pics/monalisa.jpg fromhost louvre to the /tmp directory on your local com-puter. The second command copies the picture fromyour local computer to host orsay. If you haventcopied your public key to louvre or orsay, youreasked for a password.You can also use scp to copy from one remotemachine to another remote machine:$ scp louvre:/pics/monalisa.jpgorsay:/picsEnable compression with the -C option:$ scp -C /tmp/monalisa.jpg orsay:/pics/If you dont specify a fully qualified pathname, scpassumes that you want to copy into (or from) yourhome directory on the remote computer. For exam-ple, the command$ scp -C louvre:paintings.list orsay:copies a file from your home directory on louvre toyour home directory on orsay.You can include wildcards in an scp command, butyou have to quote them if you want the wildcards tobe expanded by the computer on the other end ofthe connection. For example, to copy all the .jpgfiles in your home directory on louvre to your localmachine, use the following command:$ scp -C louvre:*.jpg /tmp/If you forget the quotes, the bash shell expands thewildcard before scp ever gets a chance to see it.You can use scp to copy an entire directorytree with the -r option.Secure (And Fast) PortForwarding with SSHNo Web site should be without a good firewallbecause too many villains are out there waiting toattack your computer. Firewalls keep the bad guysout, but they can sure make life tough for those of uswearing the white hats. Fortunately for the goodguys, SSH can slip you past a firewall in no time.Port forwarding lets you securely connect to a spe-cific port on a remote computer without beingblocked by a firewall. Neither the remote machine noryour local system can even tell that a firewall is there.40_571737c33.qxd 7/2/04 9:12 PM Page 223Technique 33: Securing Your Connections with SSH224To set up port forwarding between a PostgreSQLclient running on your local computer and aPostgreSQL server running on louvre, simply useSSH to log into louvre and include a bit of commandline magic:$ ssh -L 5432:louvre:5432 louvreTo break that command down a bit, the ssh commandconnects to the SSH server running on host louvre.The cryptic-looking bit in the middle of the command(-L 5432:louvre:5432) forwards data from port 5432on your local computer to port 5432 on louvre. Nowwhen you start up a PostgreSQL client, you connectto local port 5432, even though the PostgreSQL serveris running on a different computer:$ psql -h localhost -p 5432Welcome to psql, the PostgreSQL interactive terminalfreddie=#If you have a firewall between yourself and louvre,you can ask SSH to forward data across the firewallto a third computer. For example, if bastille is act-ing as a firewall (meaning that you cant directly con-nect to any machines behind bastille), this commandarranges for SSH to carry PostgreSQL data acrossthe firewall and deliver it to louvre:$ ssh -L 5432:louvre:5432 bastilleNotice that with this command, youre logging intobastille, but SSH is forwarding the data to louvre.SSH can forward data to any machine that bastillecan talk to. When SSH forwards data for you, thedata stream is automatically encrypted. If you wantto compress the data as well, just add a -C to thecommand line.Choosing good passwordsChoose your passwords carefully. A good password shouldinclude both upper- and lowercase letters, numbers, andpunctuation if allowed. The system will set a limit on thelength of your password, but generally speaking, the longerthe password the better. Its a bad idea to honor pets, Port forwarding with SSH can solve a lot of problemsfor you, such as the following: Some software packages require access to spe-cific port numbers. You can reach software on the other side of afirewall. Your data is traveling in encrypted form andcant be seen by villains. Your data is compressed and zips through thenetwork much faster.Port forwarding is kind of a strange process. Thebasic idea is that you connect to a port on your localcomputer, and SSH takes all the data that you send tothat port and forwards it to another port on anothercomputer. SSH also sends data back in the otherdirection for a complete connection.Heres an example. PostgreSQL database serverstypically listen for clients on TCP port 5432. Whenyou run a PostgreSQL client application, the clientconnects to the server on that port. The client andserver exchange SQL queries and results over theconnection and disconnect when theyre finished. APostgreSQL client can connect to a server on thesame computer (using local port 5432) or a serverrunning on a remote computer (using the remotehost name and port 5432).You can introduce SSH into this mix to solve threedifferent problems: If a firewall is present between the client and theserver, SSH can carry the data across the firewallfor you. If you have a slow connection to the server, SSHcan compress the data stream to improve performance. If youre transmitting sensitive data across aninsecure network, SSH will encrypt the datastream for you.40_571737c33.qxd 7/2/04 9:12 PM Page 224Secure (And Fast) Port Forwarding with SSH 225children, and spouses in your password unless youve takencare to obscure the name with other characters likeFr3ddi3*! and even then its not a great idea. Its also abad idea to use your license plate number that should beobvious, but youd be surprised how many people do it.Be sure to choose a password that is obscure, but memo-rable. Writing it down leaves the password susceptible tothe prying eyes of anyone who gets access to your work-space. One common mnemonic is to use the first letter ofeach word in a phrase you wont forget. Throw in somepunctuation, or change case now and then, and you have amemorable password thats also hard to guess. All KingEdwards Horses Can Master Big Fences! translates toAkehCmBf!, which is pretty unguessable.40_571737c33.qxd 7/2/04 9:12 PM Page 22540_571737c33.qxd 7/2/04 9:12 PM Page 226Part VINetworking Like a Professional41_571737p06.qxd 7/2/04 9:13 PM Page 22741_571737p06.qxd 7/2/04 9:13 PM Page 22834 Protecting Yourselfwith a FirewallAgood firewall is important to any network because its your firstline of defense against intruders. Obviously, if your system has nocontact with the outside world (either via the Web or by modem),you dont need a firewall. If your system does have contact with the Web, you should consider screening what comes through your networkinterfaces.Network information travels in packets groups of data that are encasedin layers of envelopes. Each layer of the packet contains a different kindof information about the data within the packet. The outermost layercontains information about the hardware that the packet is coming from.The next layer within contains the IP address for the source and the destination. Inside that envelope is the TCP information the port num-bers and sequence numbers of both the source and destination machines.At the heart of the packet is the packet payload the real data thatyoure interested in.A good firewall can filter the incoming or outgoing packets based on the information contained in any of the envelope layers. Because theenvelopes are nested within one another, if you toss the outer enve-lope, the inner envelopes go with it, and the data never reaches yourapplication.In this technique, we show you ways to set up a firewall thats tightenough to protect your system, but loose enough to allow useful data inand out. Youll save time with a safer system that gives everyone theaccess they need to get their jobs done. Finding Your FirewallStarting with kernel version 2.4, most Linux distributions include asophisticated packet filtering package called netfilter. You can use netfil-ter to build firewalls, perform network address translation (NAT), per-form port translation, and alter network packets as they traverse yourTechniqueSave Time By Installing an intruder-proof firewall Preserving networkresources and limitingexposure to nasty virusesby limiting Internetaccess Keeping a tight firewallbut allowing SSH access42_571737c34.qxd 7/2/04 9:13 PM Page 229Technique 34: Protecting Yourself with a Firewall230service that you want to provide to the outsideworld. For example, if you want to log in to yourcomputer from another system, select the SSHServer check box. If youre running an ApacheWeb server, select the Web Server check box. Figure 34-1: The Mandrake Firewall Builder.If you need to temporarily disable your firewall,select the Everything (No Firewall) check box drakfirewall is kind enough to remember youroriginal settings so that you can restore your fire-wall again later.4. When youre finished, click OK to save yourchanges.When you save your changes, drakfirewall savesyour choices to a set of configuration files in the/etc/shorewall directory and executes a sequenceof iptables commands that configures netfilteraccording to your preferences.Mandrake Linux actually uses two firewall builders,one layered atop the other. drakfirewall (the toolwe just described) is a very high-level firewallbuilder its very simple, but not very flexible.Under the hood, drakfirewall drives another fire-wall builder called Shorewall. You can find moreinformation about Shorewall at www.shorewall.net.system. netfilter is part of the Linux kernel youcan configure netfilter with the iptables command.Notice that we said that you can configure netfilterwith the iptables command, not that you should.Creating a firewall by typing in a bunch of iptablescommands is something best left to the propellerheads.Instead, you should use a firewall builder. A firewallbuilder is a tool that (usually) asks you a series ofquestions about how you use your computer andthen runs a sequence of iptables commands onyour behalf. A good firewall builder will store yourchoices in a set of one or more configuration filesand then arrange for the corresponding iptablescommands to execute each time you boot yourcomputer.You can find a variety of firewall builders on theWeb. Some are designed to create a simple firewallas quickly as possible; others are less friendly, butgive you more control over the security of your sys-tem. SuSE, Mandrake, and Fedora each come with afirewall builder (and theyre all different). Setting up a simple firewall in Mandrake LinuxIn keeping with Mandrakes reputation for simplicity,drakfirewall (the Mandrake firewall builder) makesit very easy to configure a simple firewall. To run theMandrake firewall builder, follow these steps:1. Open the main menu and choose SystemConfigurationConfigure your computer.The Mandrake Control Center opens.2. Choose SecurityFirewall.The drakfirewall configuration editor opens, asshown in Figure 34-1.3. Use the check boxes to configure your firewall.Start out by clearing each check box that willlock your system down so that outsiders cantget through your firewall. Then, check each42_571737c34.qxd 7/2/04 9:13 PM Page 230Finding Your Firewall 231Setting up a simple firewall in Fedora LinuxWhen you installed Fedora, you ran a program calledsystem-config-security. You might not have evennoticed it its part of the installation script, andgoes by with just a quick question or two. At installa-tion time, it created a firewall and firewall rules foryou. You may have chosen not to install a firewall atthat time; if thats the case, you have no firewallrules in place.If you chose not to install a firewall when youinstalled Fedora, you can change your mind later.The same configuration tool that runs during theinstall procedure will create (or remove) simple firewall rules. To run Fedoras firewall builder, followthese steps:1. Open the Main Menu and chooseSystem SettingsSecurity Level.Youre prompted for the root password.2. Enter the root password and click OK. If you have a terminal window open and super-user privileges, you can start the configurationtool by entering system-config-securitylevel at the command line.The Security Level Configuration dialog opens.This dialog is similar to the firewall informationwindow you saw at installation time. 3. From the Security Level drop-down list, selectEnable Firewall.If you disable the firewall, any custom rulesyouve created are lost.4. To create the most robust firewall possible,enable the firewall with no trusted services ortrusted devices.That is, deselect all the check boxes, as shown inFigure 34-2.The best way to build a robust firewall is todisallow all traffic, and then relax the restric-tions to allow data to flow. Its easier to recog-nize your friends one at a time. Figure 34-2: A very secure firewall.If you have multiple network cards listed inthe Trusted Devices frame, you can trustdevices that connect to your own network, butdont trust the devices that connect to the out-side world. That way, the devices within yournetwork can access the machine via SSH orTelnet, but the outside world cant get in. 5. Click the OK button to continue.A pop-up opens, warning you that if you con-tinue, youll change the existing firewall configuration.6. Click Yes to continue.42_571737c34.qxd 7/2/04 9:13 PM Page 231Technique 34: Protecting Yourself with a Firewall2324. If your computer has two network adapters,SuSE assumes the second interface is con-nected to a local (internal) network choosethe internal interface from the drop-down list.5. Click Next to move to the next step.The Services list appears, as shown in Figure 34-4. Figure 34-4: The SuSE firewall builder (Step 2).6. Use the check boxes to configure your firewall.Start out by clearing each check box that willlock your system down so that outsiders cantget through your firewall. Then, select each serv-ice that you want to provide to the outsideworld. For example, if you want to log in to yourcomputer from another system, select the SecureShell (ssh) check box. If youre running anApache Web server, select the HTTP check boxand the HTTP with SSL (https) check box.If you need to allow other services through yourfirewall, click the Expert button and list the serv-ice names (or port numbers) in the text box provided.7. Click Next to move to the next step.The Features dialog appears (see Figure 34-5).Setting up a simple firewall in SuSE LinuxThe crew at SuSE have put a lot of work into theirfirewall builder (called SuSE Firewall2), making itpowerful and easy to use. Like the Mandrake andFedora firewall builders, SuSE Firewall2 stores yourpreferences in a configuration file (/etc/sysconfig/SUSEfirewall2) and executes a series of iptablescommands when you apply your changes.To run the SuSE firewall builder, follow these steps:1. Open the main menu and choose SystemYaST.The YaST Control Center appears.2. Click Security and Users (in the left-hand pane),and then click Firewall.The SuSE Firewall2 window appears, as shown inFigure 34-3. Figure 34-3: The SuSE firewall builder (Step 1).3. Choose your external interface from the drop-down list.The external interface is the network interfaceconnected to the outside world (the Internet).42_571737c34.qxd 7/2/04 9:13 PM Page 232Editing the Rules with Webmin 233 Figure 34-5: The SuSE firewall builder (Step 3).8. Select the features that you want, or simplyaccept the default values.We recommend that you select the AllowTraceroute and the Protect All Running Servicescheck boxes. If youre sharing your externalinterface with other machines (in other words, if your computer is acting as a gateway for aninternal network), you should also select theForward Traffic and Do Masquerading check box.The text box on the left side of the windowexplains each option in more detail.9. Click Next to move to the last step.The Logging Options window appears, as shownin Figure 34-6.10. Select the logging and debugging options thatyou want.We recommend accepting the default values.After your firewall has been in place for a whileand youre satisfied that it is working properly,you can disable all firewall logging to conservedisk space.11. Click Next, and then click Continue to saveyour changes and (re)start the firewall. Figure 34-6: The SuSE firewall builder (Step 4). When you save your changes, SuSE Firewall2 executesa whole slew of iptables commands to tell netfilterabout your choices.Editing the Rules with WebminAfter youve configured your firewall with a friendlyfirewall builder, you may want to fine-tune netfilterto better fit your needs. If youre running Mandrakeor Fedora Linux, the graphical firewall builders dontgive you many options. SuSE Firewall2 is a bit morepowerful, but it was really designed to be simple, notflexible. Relax, you dont have to hit the commandline.The quickest and easiest way to tweak your firewallrules is with a system administration tool calledWebmin. With Webmin, you can perform tasks suchas configuring servers, managing users and groups,arranging backups, and scheduling cron jobs, allfrom within your favorite browser. If you prefer, youcan use Webmin to do many of the tasks that arehandled by Mandrake, SuSE, and Fedora administra-tion tools. Many third-party modules are also avail-able to expand on Webmins basic capabilities.42_571737c34.qxd 7/2/04 9:13 PM Page 233Technique 34: Protecting Yourself with a Firewall234The opening window of Webmin is displayed, asshown in Figure 34-8. From this window, movefrom page to page by clicking the round buttons(labeled System, Servers, Networking, and so on)across the top. Each page provides tools to man-age different aspects of your system. Figure 34-8: The Webmin main window.Reading the rules with WebminYou can see and manage your firewall rules from theNetworking tools page in Webmin. Just click LinuxFirewall. If youre running Fedora Linux, Webmin knows howto read the firewall rules created by Fedoras firewallbuilder any changes you make through Webminwill appear the next time you run system-configure-securitylevel. If youre running Mandrake Linux, Webmin will offerto convert your Shorewall configuration files to themore standard Webmin format (if you choose to con-vert, any changes you make through Webmin will bediscarded when you switch back to the Shorewallconfigurator). If you prefer to keep Shorewall inplace, you can use Webmins Shorewall Firewall module instead of the Linux Firewall module. We really like Webmin. Go to www.webmin.comwhen you have some free time, and check itout. Getting familiar with Webmin can be areal timesaver.Technique 17 gives detailed instructions aboutdownloading and installing Webmin. If you haventalready installed Webmin, see Technique 17 for moreinformation.Starting a Webmin sessionWith Webmin installed, start a Webmin session:1. Open a browser and go to http://localhost:10000.Webmin opens, displaying a login window, asshown in Figure 34-7. Figure 34-7: The Webmin login window.2. Enter root in the Username field, and the rootpassword in the Password field. Click Login tocontinue.Unless you trust everyone who has access toyour desktop, we dont recommend clickingthe Remember Login Permanently box.Webmin allows access to some sensitive partsof your system.42_571737c34.qxd 7/2/04 9:13 PM Page 234Editing the Rules with Webmin 235The SuSE firewall builder stores its configurationinformation in a format that Webmins Linux Firewallmodule cant directly read to use the LinuxFirewall module on a SuSE computer, click ModuleConfig (near the top of the page) and select DirectlyEdit firewall rules instead of savefile. Webmin willinterrogate the running kernel to discover the fire-wall rules you have in place. After youve made anynecessary changes, use the iptables-save command(at the command-line) to create a savefile see maniptables-save for more information.In this section, we show you how to read (and mod-ify) firewall rules as they appear in Webmins LinuxFirewall module. We use a firewall generated byFedoras system-config-securitylevel as an example.When you start the Linux Firewall module, the rulesyou established with the system-config-securitylevel tool (see the section, Setting up a simple fire-wall in Fedora Linux, earlier in this technique) areshown in Figure 34-9.The first rule set on the page displays the rulesapplied to incoming packets. If youve chosen thedefault setup for the firewall, the only rule in the setis to always run the chain RH-Firewall-1-INPUT(which we describe in a moment). You can add newrules to this chain with the Add Rule button orremove all the rules from the rule set with the ClearAll Rules button.The second rule set decides the fate of forwardedpackets (packets routed through your computer).Again, the only action defined by default is to runthe chain RH-Firewall-1-INPUT.The third rule set displayed on the screen applies tooutgoing packets. With the default firewall, no rulesare applied to the outgoing packets only incomingpackets.Near the bottom of the page, you see the rules thatmake up the RH-Firewall-1-INPUT chain, as shown in Figure 34-10. This chain is referred to by theIncoming and Forwarded actions (at the top of thepage). The rules in the RH-Firewall-1-INPUT chaincontrol the flow of packets through the firewall. Figure 34-9: Webmin displays the firewall rules.The Condition column lists the constraints that areplaced on incoming packets, and the Action columndictates the actions taken when the conditions aremet. When a network packet arrives at your com-puter, the firewall processes the packet using therules in the RH-Firewall-1-INPUT chain.Take a peek at the chain shown in Figure 34-10. Thefirst rule states that a packet arriving at interface lo0(which is the internal loopback interface that letsyour computer talk to itself) should be accepted. Assoon as a packet is accepted by the firewall, the restof the rules are ignored.If the packet isnt arriving on inteface lo0, its com-ing from some other interface (like your Ethernetcard) and the firewall moves on to the second rule. Ifthe packet is an ICMP message, the firewall acceptsit (ICMP is a low-level network management protocolthats reasonably safe). The third and fourth rulesaccept packets belonging to protocols 50 and 51(those are next-generation IPv6 network packets).The fifth rule states that incoming packets that arepart of a previously established connection are okay.42_571737c34.qxd 7/2/04 9:13 PM Page 235Technique 34: Protecting Yourself with a Firewall236 Exit Chain: Exits the chain and returns to previ-ous chain Run Chain: Moves to another chain of rulesIf a packet doesnt meet the first condition, itstested against the next condition. If the packet meetsthat condition, it is subjected to the specified actionor tested against the next rule in line. This testingcontinues until the packet is either accepted orrejected. By default, the last rule in the chain rejectsany packets that are not accepted by earlier rules.After you understand how the rules are set up inWebmin, you can feel free to change them. The nextsection explains how.Changing the rulesGiven that the default firewall rules are very secure,you may need to relax them a little to better suityour needs. For example, if you host a Web serveron your computer, you may want to allow inboundtraffic on TCP port 80 (the port typically used byWeb browsers). If youre hosting a Web server forinternal use only (that is, you want other computerson your local network to access your server, butnobody else), you can allow inbound traffic on TCPport 80, but only if the packet originates on a nearbyaddress.Editing existing rulesYou can change the actions taken for a condition byfollowing these steps:1. Start a Webmin session (see the earlier section,Starting a Webmin session), click theNetworking button, and then click LinuxFirewall.2. On the Linux Firewall page, scroll down to theAction link in the table and click it.The Edit Rule window opens, as shown in Figure 34-11. You can change either the conditionor action details for a rule from the Edit Rule window.If a packet doesnt satisfy any of the first five condi-tions, the firewall applies the final rule, which rejectsall packets.The default firewall rules are very secure theyallow just enough traffic to get through that youroutbound network connections (like a Web browser)will still work. Figure 34-10: The chain of rules.When a packet enters your network interface,Fedora gives the packet to each rule in the chain, inthe sequence listed. Every inbound packet is evalu-ated according to the Condition listed in the firstrule; if the packet satisfies the condition, Fedoratakes the action specified in the Action column: Do Nothing: Does nothing with the packet butcontinues testing with the chain Accept: Accepts the packet into the network,ignoring the remaining rules Drop: Destroys the packet with no relayed mes-sage to the other end of the connection Reject: Rejects the packet, but notifies the otherend of the connection Userspace: Exports data to a userspace programthats not part of the kernel (you can write yourown filters by using Userspace rules)42_571737c34.qxd 7/2/04 9:13 PM Page 236Editing the Rules with Webmin 237 Figure 34-11: The Edit Rule window.3. To change the action, click the radio buttonnext to the desired action in the Action to Takefield.4. The condition details are a bit more involved,but not hard to change. Under the ConditionDetails portion of the window, use the drop-down list to enable the filter you want toenforce and then enter the condition parame-ter in the field to the right of the condition.For example, to filter packets based on the ICMPnetwork protocol, find the Network Protocol line,change the first list box on that line from Ignoredto Equals, and change the second list box to ICMP.(Dont actually do this, its just an example.)5. After making any changes to rules in the EditRules window, be sure to click the Save buttonto save the changes.You go back to the table (refer to Figure 34-10).6. Click the Apply Configuration button when youreturn to the chain of rules.Your new rule is now in effect.Adding a new rule with WebminThe rightmost column in the rules table is labeledAdd, and it contains a pair of up and down arrows.To add a new rule above an existing rule, click the uparrow. To add a rule below it, click the down arrow.Remember, packets travel through the chain fromtop to bottom, so the order is important.Use the up and down arrows in the Move col-umn to rearrange the order of the rules withinthe chain. You have a really secure firewall in place, but youmay need to open up the system for use by others. If you open up a port for a tool like Telnet, youll beexposing cleartext passwords to anyone who may bespying on your network. Be sure to use secure net-work programs like SSH SSH encrypts everythingthat it sends over your network.To open up your system for SSH use, follow thesesteps:1. Click the down arrow in the Add column of thefirst rule in the chain of rules table.The Add Rule window appears, as shown inFigure 34-12. Figure 34-12: The Add Rule window.2. In the Rule Comment field, enter a commentlike this:Accept incoming SSH packets42_571737c34.qxd 7/2/04 9:13 PM Page 237Technique 34: Protecting Yourself with a Firewall238bandwidth, disk space, and time when you donthave to worry about restoring your system becauseof someone elses careless download.Follow these steps to disable Internet access fromwithin your system (youll have to enable the fire-wall on your computer first; see the section titledFinding Your Firewall at the start of this techniquefor details):1. Click the down arrow in the Add column of thefirst rule in the chain.The Add Rule window appears.2. Enter a comment in the Rule Comment field:Close off Internet Access3. Click the Reject radio button.4. Use the drop-down list boxes to change theNetwork Protocol condition to Equals and TCP.5. Change the Source TCP or UDP Port conditionto Equals Port 80.6. Click the Create button at the bottom of thewindow.Youre returned to the first page where you cansee your new rule has been added to the list.7. Click Apply Configuration to apply the rule.If youre using a proxy server, you need to disablethat port as well. Just add another rule like this oneto reject the packets from that port.Now your system is insulated from incoming packetsfrom the Internet, and disk space and network band-width are preserved for in-house use.The Rule Comment is there to remind you whyyou created the rule. Be sure to include goodcomments in your firewall, and youll save your-self a lot of time later when you need to makeanother change.3. Click the Accept radio button.4. In the Condition Details area, find the NetworkProtocol line and change the list boxes toEquals and TCP.5. Find the Destination TCP or UDP Port line andchange the list boxes to Equals and 22.6. Click the Create button at the bottom of thepage.Youre returned to the first page where you cansee that your new rule has been added to the list.7. Click Apply Configuration to apply the rule. You still need to start the sshd daemons, but the fire-wall will now let an SSH session through. SeeTechnique 33 for useful information about using SSHto share your data without exposing yourself tointruders.In some cases, you may want a computer thatsalready behind a firewall to accept incomingpackets only from machines within your net-work. That way, your corporate firewall can letInternet-originated traffic through, but you cansecure individual machines more thoroughly.To do this, create a firewall on that machinewith a rule that limits inbound packets toaddresses from within your own network.You can limit access to the Internet to protect yoursystem from unfortunate downloads that mightbring in viruses or other trouble. Youll save network42_571737c34.qxd 7/2/04 9:13 PM Page 23835 Using VNC toConnect to RemoteDesktopsVNC (an acronym for virtual network computing) is a client/serverutility that lets you share graphical desktops across a local net-work or across the Internet. Before VNC server came along, youcould use the KDE or GNOME desktop environments only if you wereactually sitting in front of the computer. With VNC server, you can createa separate desktop (KDE, GNOME, or whatever environment you prefer)for use from a different computer located in the next room or inanother country. In this technique, we show you how to set up and use remote viewersand servers. VNC makes it easy. VNC is friendly, intuitive, fast, and free(all in all, some of our favorite software features). You can Combine the best of different platforms on one monitor. Share a desktop with another user to get help or collaborate on a project. Share Linux machines without sharing desktops each user has hisown work environment, complete with privacy. You can even stream-line the setup of private remote desktops by creating new VNC desk-tops on demand.The time you can save by using other desktops without taking a step isamazing.Sharing Desktops with VNCWhen you run a VNC (virtual network computing) server on your Linuxcomputer, you create a new graphical desktop that you can use from aVNC viewer. Linux is a multi-user operating system: Many users can loginto your computer at the same time.TechniqueSave Time By Sharing your desktopwith VNC Extending personal invita-tions to your desktop Exposing your desktop forothers Using tsclient for remoteviewing Turbo charging cut andpaste Creating desktops ondemand with gdm43_571737c35.qxd 7/2/04 9:14 PM Page 239Technique 35: Using VNC to Connect to Remote Desktops240 Figure 35-1: Multiple remote desktops.Inviting Your Friends to Use Your DesktopIf youve installed the KDE Networking package, youcan share your desktop with another user (if youhavent installed the kdenetwork package, flip back toTechnique 17 for a quick refresher). Sharing yourdesktop is a great way to get help from another user,or to collaborate on a project. When you share yourdesktop, the other user connects to your desktopusing a VNC viewer (such as vncviewer or rdesktop).To invite another user to share your desktop, followthese steps:1. Open the KDE menu.2. If youre running Fedora Linux, choose SystemToolsMore System ToolsDesktop Sharing.If youre running SuSE Linux, choose SystemRemote AccessDesktop Sharing.Mandrake users choose InternetRemoteAccessDesktop Sharing.The KDE Desktop Sharing window appears.When you run a VNC viewer, you see a remote desk-top within a window on your local desktop. If youclick the Full Screen option, it feels like youre sittingin front of the VNC server. When you move yourmouse, the cursor follows. When you type at thekeyboard, the characters are sent to the remotedesktop. Open Konqueror on the remote desktopand you can drag files around your remote desktop.VNC is portable: You can run the VNC server on a Linux computer,a Windows computer, a Macintosh, or on a num-ber of different UNIX distributions. You can run the VNC viewer on a Linux com-puter, a Windows computer, a variety of UNIXworkstations, a Macintosh, or even within a Webbrowser. You can run a VNC server on one platform and theVNC viewer on a different platform. For example, ifyou have a nice big screen on a Windows computer,run a VNC viewer on Windows connected to yourLinux VNC server. You may like to keep your e-mailon a Windows-based computer, while using yourfavorite graphics program on a Mac, but use yourLinux desktop for everything else.With just a few mouse clicks, you can have a windowopen for each desktop, with each desktop runningthe programs you like to use on that system. Forexample, in Figure 35-1, you can see three desktops:in the background you see our workstation (FedoraCore running KDE), in the upper-left you see aWindows desktop, and in the foreground is a remotesession waiting for us to log into another Fedorahost.Because each remote desktop appears within itsown window on your local desktop, you can workwith multiple desktops at the same time.Desktop sharing makes it easy to get a secondopinion about a problem on your desktop just let your most technically adept friend login and help.43_571737c35.qxd 7/2/04 9:14 PM Page 240Serving Up a New Desktop with VNC Server 2413. Click Create Personal Invitation.The Personal Invitation window appears, show-ing the display information and password thatthe other user will need to view your desktop.When you create an invitation, other users haveone hour to connect to your desktop using thepassword displayed on your computer.4. Share this information with the other user. Youcan phone your friend and read him the Hostinformation and Password, or e-mail the infor-mation to him.When another user connects to your desktop, awindow will appear asking if you want to acceptthe connection. (The window includes the nameof the other computer so you can see whos try-ing to connect.)5. If you check the Allow Remote User to ControlKeyboard and Mouse box, your friend will beable to take control of your computer from hisdesktop.6. Click Accept Connection.The other user will see the contents of yourdesktop and be able to take control, if you choseto do that.Serving Up a New Desktop with VNC ServerThe KDE Desktop Sharing tool is perfect when youwant to let another user see your desktop, but VNCcan do much more than that.When you run a VNC server on your Linux computer,VNC creates a new desktop that you can see onlywith a VNC viewer. The difference between KDEDesktop Sharing and a VNC server is that, with KDEDesktop Sharing, two or more users are looking atthe same desktop at the same time. The VNC servercreates a private desktop for the viewer.If you need to download VNC server, get theRPM version from www.realvnc.com. Checkout Technique 17 for information aboutinstalling RPM packages.The first time you run the VNC server, VNC creates anew directory named ~/.vnc. VNC also creates anxstartup file in ~/.vnc. By default, the VNC serverassumes that you want to run the twm window man-ager instead of KDE or GNOME. twm is a really old,nasty window manager, which is as powerful andfriendly as a thermonuclear fly swatter.To start your normal desktop environment (KDE orGNOME) in the new VNC desktop instead of twm:$ mkdir ~/.vnc$ cp .Xclients ~/.vnc/xstartupNow open a terminal window, and enter the command:$ vncserver -depth 24The first time you run vncserver, youreprompted to create a password. Rememberthat password because youll need it to con-nect to the new desktop. vncserver displays your new desktop address:New kobe:1 (freddie) desktop is kobe:1Thats all there is to it. Your local machine is nowready to serve VNC viewers.If youre setting up a Windows host, visit www.realvnc.com and download the executables.Using the Setup Wizard, Windows installationis simple and fast, and Windows takes goodcare of you right down to putting the iconson the desktop. VNC Server and Viewer are out there forOSX, but the Web sites are a bit nomadic innature right now. Just use your search engine,and youll find good workable renditions soyou can share desktops with your Mac.43_571737c35.qxd 7/2/04 9:14 PM Page 241Technique 35: Using VNC to Connect to Remote Desktops242 Windows XP Professional Windows Server 2003To run tsclient:1. Open the Main Menu.2. Click Run Command (or Run Application ifyoure a GNOME user).The Run Command dialog appears.3. Type tsclient and click Run.When tsclient starts, you see a window likethat shown in Figure 35-2. Figure 35-2: The tsclient window.If youre connecting to a VNC server, read the nextsection. If youre connecting to an RDP server (a Windows Terminal server, Windows XP, or Citrixserver), skip ahead to the section titled Usingtsclient with an RDP server.We explain a quicker way to create VNC desktops inCreating New VNC Desktops on Demand later inthis technique. Now youre ready to connect to yourserver with a VNC viewer.Using tsclient to View RemoteDesktops from LinuxVNC isnt the only desktop sharing protocol thatyoull run into (but its the most portable). If youhave access to a Windows Terminal Server (orWindows XP), you can use the RDP (remote desktopprotocol) to connect to your Windows desktop.Citrix users can connect to Citrix servers with wfica.You can run VNC server on any Windows computer,but RDP runs much faster if you can use it.tsclient is a user-friendly interface that can makeconnections with VNC, RDP, and Citrix ICA desktops.As if that isnt enough, its included with Fedora andsimple to install. You can be connected to a host inminutes with tsclient. We recommend the tsclient package for all yourremote desktop viewing needs. Its graphical inter-face makes it quick and easy to connect to anyremote desktop using the protocols that youveinstalled. If youve installed the vncviewer RPM package, tsclient gives you a friendly interface toremote VNC desktops. Install rdesktop, and tsclientlets you connect to Windows Terminal Server desk-tops. tsclient will even build Citrix connections foryou if youve installed the Citrix client software onyour computer.Go ahead and install the tsclient and VNC RPMpackages (see Technique 17 if you need help withthe RPM installer). Install the rdesktop package ifyou are going to connect to any of the followingWindows platforms: Windows NT Terminal Server Windows 2000 Terminal Server43_571737c35.qxd 7/2/04 9:14 PM Page 242Using tsclient to View Remote Desktops from Linux 243Using tsclient with a VNC serverTo connect to a VNC desktop:1. Run tsclient following the steps earlier in thissection.2. Choose VNC from the Protocol list box, andtype the remote computer name (or IP address)into the Computer field.If you are connecting to a Linux- or UNIX-hosteddesktop, you may need to include the displaynumber along with the computer name. Forexample, to connect to desktop 3 on hostbastille, you would enter bastille:3. If youdont include a desktop number, tsclientassumes that you want to connect to desktop 0.3. Click More to see all the tsclient controls andthen click the Display tab to choose the initialsize for your viewer window and the colordepth.4. If you have a fast connection to the server,choose a color depth of 24 bits. If you have aslow dial-up connection, choose a lower colordepth.Turn off busy screen savers if youre usingVNC viewer, and VNC will run a lot faster.Any little animated graphic can bog downscreen repaints when all the bits are gettingsent across a network.The other tabs (Local Resources, Program, andPerformance) are not used for VNC connections.5. Click Save As to save your connection profile.The next time you want to connect to the samedesktop, just click Open and choose the connec-tion profile that youve just created.Make good use of VNC to do customer sup-port by opening a window to your customersdesktop. Diagnosing problems and makingfixes over a local network or across the Internetsaves travel time, and it leaves you with accessto books and tools that you might need.Using tsclient with an RDP serverAfter you run tsclient, as explained earlier in thissection, youre ready to set up tsclient so that youcan view the remote desktop. Before you can con-nect to a Windows RDP desktop, you need to be sureyour Windows host is ready. Follow the steps forwhichever Windows version youre using: If the host is running Windows XP Professional:1. Open My Computer and double-clickProperties.2. Choose the Remote tab.3. Check the Allow Users to Connect Remotely box. If the host is running a Windows ServerEdition:1. Choose StartSettingsControl PanelServices.2. Right-click Terminal Services and click Start.To connect to an RDP desktop (one of the Windowsflavors we mentioned earlier):1. Choose RDP (or RDPv5) from the Protocol list-box and type in the name of the computer thatyou want to connect to.When you use the RDP protocol, you have a fewmore options. (Dont forget to click More to seethe full set of tsclient controls.)2. On the General tab, you can supply a UserName and Password, as well as a Domainname.3. Click the Local Resources tab to redirect sound from the remote desktop to your localcomputer.4. On the Programs tab you can specify a startupprogram and directory for the remote desktop.If you dont specify a startup program, theremote desktop runs the Explorer shell.43_571737c35.qxd 7/2/04 9:14 PM Page 243Technique 35: Using VNC to Connect to Remote Desktops244The complete pathname is visible in the bot-tom bar of the Download Manager dialog.3. Extract the tarball with the command:tar -xzvf autocutsel-0.6.2.tar.gzThis extracts the contents of the tarball to a newdirectory called autocutsel-0.6.2.4. cd to the new directory and type the followingcommand and press Enter:./configure autocutsel clicks and whirs and checks forthings it needs.5. Type make and press Enter.6. Give yourself superuser privileges with the su command.7. Type make install and press Enter.8. Type exit to relinquish your superuser privileges.Now, to run autocutsel, type autocutsel& at thecommand line and press Enter.See Technique 8 to find out how to addautocutsel to your Startup folder so it startsautomatically each time you log in.autocutsel runs quietly in the background; youwont see any evidence that its running (exceptthat your clipboard starts working reliably).Even without autocutsel, the clipboard (cutand paste) works sometimes. The clipboardisnt too dependable, but its definitely a time-saver if it works with your programs. If youdont want to take the time to download andinstall autocutsel, cutting and pasting is stillworth a try, but dont waste too much time onthis one it either works or it doesnt.5. Click the Performance tab to optimize the con-nection. We recommend that you check EnableBitmap Caching and Do Not Send MotionEvents.If you see any Windows programs behavingerratically, uncheck Do Not Send MotionEvents the next time you connect.6. Click Save As to create a new profile orConnect to connect to the remote desktop.If youre using a remote Windows desktop,anyone who is in the room with the remotecomputer can see what youre doing allyour mouse movements, typing, and windowsare right there for the world to see. Be awarethat you might be sharing your e-mail (orembarrassing browsing habits) with someoneelse when you share desktops!Making Cut and PasteCommands Work on a Remote DesktopVNC tries very hard to share clipboard content (cut and paste) between the VNC viewer and theVNC server. You can cut (or copy) from one desktopand paste in the other. VNC tries, but without a littlehelp from a program called autocutsel, the clip-board is pretty unreliable. autocutsel synchronizesthe viewer and server clipboards to give you better success and save time in the long run. To installautocutsel:1. To download the tarball, go to http://lepton.fr/tools/autocutsel, click the download link,and save the tarball to your Desktop directory.2. Open a terminal window and cd to the direc-tory that contains the downloaded tarball(~/Desktop).43_571737c35.qxd 7/2/04 9:14 PM Page 244Creating New VNC Desktops on Demand 245Creating New VNC Desktops on DemandIn the Serving Up a New Desktop with VNC Serversection, earlier in this technique, we show you howto manually set up a VNC server. That works well fora quick-and-dirty solution, but to really save time,you can configure the GNOME Display Manager (gdm)to create new desktops on demand. Fedora Linuxuses gdm to manage graphical desktops even if yourerunning KDE. SuSE and Mandrake Linux assume thatyou want to use the KDE display manager. The tech-nique we describe here works only if youre usingthe GNOME display manager, so we also show youhow to switch from the KDE display manager to gdm.When you hook up gdm and the VNC server, a newdesktop is created each time you log in with a VNCviewer. Now thats a timesaver!One really great thing about the gdm/VNCcombination lots of users can log in to thesame machine and each one gets his own indi-vidual desktop. This is a great way to makeLinux converts out of your stalwart Windowsusers.Switching display managers in SuSE LinuxTo switch your SuSE Linux system from kdm (KDEdisplay manager) to gdm (GNOME display manager),follow this procedure:1. Open the main menu and choose SystemYaST.2. If prompted, enter the superuser password andclick OK.3. When the YaST control center appears,choose System, and then choose Editor for/etc/sysconfig Files.4. When the System Configuration Editor appears,open the Desktop section of the tree control (in the left-hand pane).5. Open the Display manager section of the treecontrol and click DISPLAYMANAGER.Your System Configuration Editor window shouldlook like Figure 35-3. Figure 35-3: The System Configuration Editor.6. Open the drop-down list labeled Setting of: DISPLAYMANAGER and choose gdm.7. Click Finish to close the System ConfigurationEditor, and then close YaST.8. Reboot your computer.When your computer reboots, it runs theGNOME display manager.Switching display managers in Mandrake LinuxThe Mandrake Control Center makes it very easy toswitch display managers just follow these steps:1. Open the main menu and choose SystemConfigurationConfigure your computer.2. If prompted, enter the superuser password andclick OK.3. When the Mandrake Control Center appears,click System, and then click Display Manager.4. Click GDM (GNOME Display Manager), andthen click OK.At this point, the Display Manager editor asks ifyou want to restart the dm (display manager)service. Before you click Yes, be sure to close43_571737c35.qxd 7/2/04 9:14 PM Page 245Technique 35: Using VNC to Connect to Remote Desktops246 Figure 35-4: The Login Screen Setup dialog.9. Finally, tell xinetd to re-read its configurationfiles: kill SIGHUP $(cat /var/run/xinetd.pid)Now youre ready to create new desktops when youneed them. When another user wants to connect toyour computer (or if you want a new desktop becauseyoure sitting at a different workstation), just log inwith a VNC viewer. gdm and VNC will be listening forconnections to display 0 (if your computers name isbrussels, you want to connect to brussels:0). Whena connection request comes in, VNC creates a newdesktop, and youre ready to log in.LISTING 35-1: /etc/xinetd.d/vncserverservice vnc{disable = nosocket_type = streamprotocol = tcpwait = nouser = nobodyserver = /usr/bin/Xvncserver_args = -inetd -querylocalhost once securitytypes=none -geometry 1024x768 -depth 24log_on_failure += USERID}any other applications that you have open onyour desktop: When you click Yes, your graphi-cal environment will shutdown and then restartusing gdm.5. After closing all other applications, click Yes torestart the display manager.Connecting gdm and VNCTo connect gdm and VNC:1. Open a terminal window and give yourselfsuperuser privileges:$ suPassword:# 2. Start your favorite editor and enter the textshown in Listing 35-1.You can adjust the -geometry 1024x768 part ifyou want a larger or smaller desktop.3. Save your work in a file named/etc/xinetd.d/vncserver.4. Open /etc/services and add the following lineto the end of the file:vnc 5900/tcp # VNC Server screen :0That defines a TCP protocol named vnc (onport 5900). Whenever xinetd detects a connec-tion attempt on port 5900, it consults /etc/xinetd.d/vncserver to figure out which pro-gram to run.5. Save your work and close the editor.6. Run the gdm configuration program.# gdmsetupThis opens the Login Screen Setup dialog, shownin Figure 35-4.7. Choose the XDMCP tab, check Enable XDMCP,and then click Close.8. At the command line, tickle the gdm daemon tomake it re-read its configuration file:kill SIGHUP $(cat /var/run/gdm.pid)43_571737c35.qxd 7/2/04 9:14 PM Page 24636 Streamlining Your NetworkSurveillanceWatching what your users are up to can tell you a lot about therequirements of your network. It can also alert you to practicesthat are going on that shouldnt be. This technique is all aboutwatching file and network traffic to find out what your users are doing.You use the lsof command to get a list of all the open files on your sys-tem as well as useful information about each file the file owner, theprocess thats using it, and more. You can also use the lsof command tofind a list of all the files currently in use by a single user a quick way tosee what someones up to.When you combine the lsof command with grep, you can query yourcomputer for a list of network services. Its easy to find out whats outthere listening for processes ssh, vnc, webmin, and so on. You can alsouse the combination of commands to generate a complete list of connec-tions and servers to get a clear picture of the activity on your network.The Ethereal Network Analyzer tool is included with most standard dis-tributions, and it gives you a cozy place to watch network traffic. You caneven colorize and filter network traffic to discover details about the spe-cific information types youre watching for. If too much surfing is goingon and clogging network resources, Ethereal helps you to find this out.This tool also tells you whos doing it.This technique is about being a snoop. Snooping can be a bad thing, or agood thing. Snooping to get people in trouble isnt nice, but snooping fora good cause can be useful. Use this technique wisely, and you can watchfor bad guys in your system and network slowdowns that can be avertedwith a quiet word to a coworker. Exploring Your Network with lsoflsof is one of the most powerful tools in the Linux toolbox. lsof displaysa list of all the files currently open on your computer. Browsing throughthe output from lsof gives you a clear picture of whos logged in, whatTechniqueSave Time By Checking out file usagewith lsof Looking for open serverswith lsof and grep Using the EtherealNetwork Analyzer to follow network traffic Adding color to Etherealreports for easy reading44_571737c36.qxd 7/2/04 9:15 PM Page 247Technique 36: Streamlining Your Network Surveillance248use. The columns, from left to right, display the following information: Name of the program thats using the file Process ID User name File descriptor or usage type File type Device where the file is located File size Inode number Complete pathname of the file The column labeled FD displays either a file descrip-tor number or a usage type.If you see a number (followed by a letter or two),thats a file descriptor number. The number isntvery useful except in three cases: File descriptor number 0 is connected to thestandard input stream for the process. File descriptor number 1 is connected to thestandard output stream. File descriptor number 2 is where the programsends error messages.File descriptors 0, 1, and 2 are usually connected toa terminal device (/dev/ttynn or /dev/ptynn) forinteractive processes. If you see one of thosedescriptors connected to a file, you know that thatstream has been redirected with a > or a Discovering Network Connections 249 r means that the file is opened for read-onlyaccess. w means that the file is opened for write-onlyaccess. u means that the file is opened for read and writeaccess.You may see other letters following the file descrip-tor number see the man lsof page for full details.If you dont see a number in the FD column, lsof isshowing you the usage type for that file: cwd: This file (actually a directory) is the currentworking directory for the process. rtd: This directory is the root directory for theprocess. (Its almost always /, except when theprocess is running in a chroot jail.) mem: This is a memory-mapped file (usually ashared object library). txt: This is the full pathname of the program.Again, you may see other usage types, and man lsofwill give you a complete list.Reading file typesThe file type column (fifth from the left, labeledTYPE) tells you what kind of file youre looking at.Linux is known for treating just about anything as if it were a file, so youll see a variety of file types. A typical lsof report shows the following file types: REG: A plain old disk file DIR: A directory FIFO: A named pipe (a connection between twoor more processes) CHR: A character-type device (such as a serialport or terminal) BLK: A block-type device (such as a raw diskdrive or CD) unix: A UNIX-domain socket (an interprocesscommunication link) IPv4: An IPv4 network connection IPv6: An IPv6 network connectionDiscovering Network ConnectionsWhen youre viewing network information with lsof,the last two file types in the preceding list IPv4and IPv6 are the ones that youre interested in.IPv4 and IPv6 files are active network connections ornetwork service providers (v4 and v6 refer to thenetwork address type). When lsof finds a network connection, rather thanshow you a filename, it displays the IP address of thenetwork interface on your computer, the local portnumber, the IP address of the remote side of the con-nection, and the connection state.Heres an example:bastille:38517->louvre (ESTABLISHED)bastille is the name of the local network interface,38517 is the TCP port assigned to this session,louvre is the name of the computer at the other endof the connection, and (ESTABLISHED) tells you thatthe network link is up and running.The local interface name is useful when youhave more than one network card in yourcomputer.Connections listed as (ESTABLISHED) show youactive network connections (such as an ssh sessionor a Web browser connection). If you see a connec-tion listed as (LISTEN), youre looking at a networkserver. For example, if you see*.ssh (LISTEN)44_571737c36.qxd 7/2/04 9:15 PM Page 249Technique 36: Streamlining Your Network Surveillance2503. Add a line at the end of the file with the serv-ice name, port number/protocol, and a com-ment out to the right, as shown in Figure 36-3. Figure 36-3: Adding a friendlier server description.4. Save the file and then exit.The next time you check for open services,youll see the more recognizable name ratherthan the port number. List all servers and active connections: If youwant to see a list of all the servers and activeconnections on your computer, enter the follow-ing command:# lsof -i This command shows you not only the ports thatare open and waiting for a connection, but alsothe ports that are in use.Other Timesaving lsof Trickslsof is a good tool for looking at the network con-nections on your computer, but it has a few moretricks up its sleeve.First off, you can limit the files displayed by lsof in anumber of ways:youre viewing the sshd server. (In this case, the left-most column should tell you that the sshd programis servicing this network port.)In addition to simply looking for network connec-tions, you can do some other handy things to checkout those connections: List all listening servers: You can combine thelsof command with grep to discover the net-work servers running on your system. The command# lsof | grep LISTEN generates a list of services that are listening onyour system Web servers, ssh daemons, VNCservers, and so on (see Figure 36-2). Figure 36-2: The list of open services.If you find that lsof is running very slowly,add -n to the command line. The -n flag tellslsof to turn off host name resolution. Youllsee IP addresses rather than host names, butyoull see them much more quickly. Add components next to port names: If you seea server that displays a port number rather thana service name, you can save yourself time byadding a new entry to the /etc/services file:1. Track down the program thats serving up theanonymous port.2. Open /etc/services with kate (or yourfavorite editor):# kate /etc/services44_571737c36.qxd 7/2/04 9:15 PM Page 250Packet Sniffing with the Ethereal Network Analyzer 251 -c command: Displays files that are opened byany occurrence of the given command. (You canspecify a partial command name here; for example,-c xm displays files opened by commands whosenames start with xm.) -u username: Displays files opened by userusername. -i TCP@host: Displays TCP connections to host. -p processID: Displays files opened by the givenprocess.If youve ever tried to umount a CD thats being usedby another user, you know that Linux wont let you.The other user might not even be using the CD; ifthat user has a terminal window open to the direc-tory, you cant eject the CD until he or she is done.To find out whos hogging the drive, use the follow-ing command:# lsof | grep /mnt/cdromThe result set shows you the device user. Hopefully,this user can surrender the drive so others can use it.Packet Sniffing with theEthereal Network AnalyzerNormally, your machine doesnt read the networkpackets that arent intended for it. The EtherealNetwork Analyzer is a packet sniffer that watches allthe packets that go across your network and letsyou open and read the packets you choose.Starting EtherealTo open the Ethereal Network Analyzer, follow thesesteps:1. If youre running Fedora Linux, open the MainMenu and choose InternetMore InternetApplicationsEthereal.If youre using SuSE, open the Main Menu andchoose InternetAdministration.If youre using Mandrake, open the Main Menuand choose SystemMonitoringEthereal.2. Enter your password when prompted.Ethereal opens, as shown in Figure 36-4. Figure 36-4: The Ethereal main window.The Ethereal Network Analyzer is includedwith most Linux distributions. If its not onyour menu, it should be on the disc. Justinstall the RPMs with the following commands: # rpm -Uhv ethereal-version.rpm# rpm -Uhv ethereal-gnome-version.rpmCapturing packetsTo start capturing network packets in Ethereal, follow these steps:1. Choose CaptureStart.The Capture Options setup dialog opens, asshown in Figure 36-5.2. In the Interface list box, choose the networkinterface that you want to watch.Typically, you choose eth0.3. Check the Update List of Packets in Real Timeand Automatic Scrolling in Live Capture boxes. 44_571737c36.qxd 7/2/04 9:15 PM Page 251Technique 36: Streamlining Your Network Surveillance252 Figure 36-6: Ethereal capturing network packets.Applying filters to screen packetsTo make the traffic easier to follow, apply filters toselect only the packets youre interested in. Etherealfilters screen packets by protocol type. You canchoose from hundreds of protocols, but many are soobscure that youll never encounter them.You can set up an HTTP filter to monitor theInternet traffic between your system and theWeb. If excessive surfing is slowing downthe network, you can screen all the networkpackets for the HTTP protocol and find theprime offenders.To add and apply a filter, follow these steps:1. Choose EditDisplay Filters.The Edit Display Filter List dialog opens, asshown in Figure 36-7.2. Type HTTP Packets in the Filter Name field andtype http in the Filter String field, and thenclick New.3. Click Save and then click Close.Youve created a new filter named HTTP Packets. Figure 36-5: The Capture Options setup dialog.As a rule, checking the Enable Network NameResolution box really slows things down.4. Click OK.Ethereal starts sniffing (see Figure 36-6). If youlook closely at the Source and Destinationcolumns, youll see that packets are flowing backand forth between machines.Use the Start and Stop options in the Capturemenu to sample short segments of networkusage for a quick scan. Unless you tell Etherealto save the captured packets, it doesnt createa log file, but the working file can get big fast.If your system has plenty of power, it wonthurt to leave the capture session running, butif youre running on a slow machine, samplingis a good idea.44_571737c36.qxd 7/2/04 9:15 PM Page 252Packet Sniffing with the Ethereal Network Analyzer 253 Figure 36-7: Adding a display filter.4. To apply the filter, click the Filter button in thelower-left corner of Ethereals main window. 5. In the Display Filter dialog that appears, high-light the filter name and click OK.After a short delay, the packet list shows onlyHTTP packets.Peeking in packetsWhen youve found a series of packets that might beinteresting, you can take a peek inside. Highlight apacket and choose ToolsFollow TCP Stream. A win-dow opens, displaying the contents of the TCPstream. The dialog displays the chatter between themachines, with each machine responding in a differ-ent color.Packet data is not meant to be readable byhumans. Some protocols contain recognizabletext (such as the HTML code that a Webbrowser uses), but other protocols (like SSH)are encrypted.Network chatter is sent in a series of wrappers. Theoutermost layer contains hardware information, andthe inner layers hold the meat of the message. Theoutermost layers are the least human-friendly, andthe inner layer is occasionally understandable. In the middle pane of the Ethereal window, you see adisplay of the wrappers that make up the packet(refer to Figure 36-6). The wrappers that are higherin the tree control are the machine-friendly wrap-pers. The lower wrappers are human-friendly.Expand the lower branches in the tree control to seean interpretation of the packet thats highlighted inthe top panel. The bottom window displays the cor-responding raw data in the packet.Color-coding packets coming from your networkThe packet listing is much easier to read if you col-orize the packets coming from the computers onyour network. Follow these steps to add color to thedisplay:1. Choose DisplayColorize Display.The Apply Color Filters dialog opens.2. Click New.The Edit Color Filter dialog opens.3. Enter a name in the Name field.4. In the String field, enter the IP address youwant to colorize by using the following form(see Figure 36-8):ip.src == 192.168.0.2185. Click the Foreground Color button and use thecolor selector to choose the font color. Thenclick OK.44_571737c36.qxd 7/2/04 9:15 PM Page 253Technique 36: Streamlining Your Network Surveillance2546. Click OK to close the Color Filter dialog.7. Click Save and then OK in the Apply ColorFilters dialog.A dialog opens, charting the progress as the filterruns, and in a snap, the display is colorized. Thenew colors make it easy to tell whos chatteringon your network.Colorize each machine on your local networkto make it easy to spot the traffic thats notbeing generated by a network computer. Itsalso an easy way to monitor an individualusers traffic. Figure 36-8: The completed Apply Color Filters dialog.If you really want conversations to stand out ata glance, choose a background color as well.That can get a bit garish, but its worth experi-menting with.44_571737c36.qxd 7/2/04 9:15 PM Page 25437 Evaluating YourNetwork Securitywith NessusIt doesnt matter if youre the administrator of a big network or a smallone, a hacker running loose on your system can cause mega-damage(and time loss) in a matter of minutes. Running a tight ship is impor-tant. When you set up your network, youre likely to have taken quite afew measures to ensure your networks security, but how do you knowyou havent missed something?A top-notch open-source project called Nessus provides a security scan-ner that can check your (hopefully) tight ship for leaks security vul-nerabilities that hackers could exploit if they had the chance. If yoursystem freely gives up information about open ports (or more specifi-cally, the services running behind them), hackers can exploit that infor-mation easier than they could if they had to make guesses about yoursystem. Nessus can do a lot more than detect open ports. Here are some othertimesaving features Nessus has to offer: If the security tests you need arent included in the distribution, youcan write your own customized plug-ins to get the job done. Nessus has a friendly graphical user interface with easy-to-readreports, or you can run it from the command line. The Nessus project stays up-to-date with recent security issues andprovides easy automatic updates of the security test scripts. Nessus also supports SSL services, making sure your network issecure while it works on your ports. The Nessus plug-ins search for backdoors, denial-of-service vulnerabil-ities, sturdy firewalls, remote shell accesses, peer-to-peer filesharing,useless services, and tons of other security risks. The database cur-rently has over 2,000 plug-ins. Nessus can handle big or small networks with ease, with tailored test-ing that wont waste a lot of time.TechniqueSave Time By Using Nessus to evaluateyour network security Closing any security vulnerabilities you findbefore a hacker canexploit them45_571737c37.qxd 7/2/04 9:16 PM Page 255Technique 37: Evaluating Your Network Security with Nessus256You also need the sharutils package, which isincluded with most Linux distributions. 3. To install sharutils, type the following com-mand and press Enter:# rpm -Uhv sharutils-version.i386After sharutils installs, youve satisfied thedependencies for the Nessus program.Using Synaptic to download a Nessus RPMpackage and install the dependencies is a defi-nite timesaver. Check out Technique 19 forinformation about Synaptic.Installing NessusNow that the program dependencies have been met,youre ready to download and install Nessus. Todownload the latest version of Nessus for your sys-tem, follow these steps:1. Open a Web browser and surf towww.nessus.org/download.html2. Click the link to the most recent copy of Nessusfor UNIX-compatible computers. Youre taken to a download page. 3. On the download page, scroll down to find TheEasy and Less Dangerous Way section.4. Click the link to the server nearest to you. 5. When the new window opens, click the link forthe nessus-installer.sh file. 6. Save the file to your home directory. 7. When the file is done downloading, close thedownload manager and the browser window.Youve downloaded the files, and now you need tocompile and install Nessus. Fortunately, the kindprogrammers at Nessus have provided a prettydecent setup tool. To install Nessus, follow thesesteps:In this technique, we show you how to use Nessus toevaluate your network security. Its a great toolthats easy to use, and the time you save by findingsecurity loopholes before the hackers do will defi-nitely justify the time spent investigating your net-work security.Getting Up and Running with NessusSetting up Nessus is a matter of a few simple steps.Before you can use Nessus, you need to do the following:1. Satisfy its dependencies by installing the otherprograms that Nessus needs to run. 2. Compile and install the Nessus files.3. Create a user identity. 4. Create an SSL certificate to ensure that theNessus transactions are all handled securely onyour system. Follow along, and youll be up and running in notime!Installing programs Nessus needs to runNessus has a couple of prerequisites you need tohave GTK (the Gimp Toolkit) installed on your sys-tem, as well as the sharutils RPM package. If youveinstalled the GNOME desktop environment, GTK isincluded. If not, you need to install it. You can install GTK from your distribution media:1. Open a terminal window and gain superuserprivileges with the su command. Then move tothe directory containing the RPM packages.2. Type the following command and press Enter:# rpm -Uhv gtk2-version.rpmThe RPM for GTK installs.45_571737c37.qxd 7/2/04 9:16 PM Page 256Getting Up and Running with Nessus 2571. Open a terminal window and give yourselfsuperuser privileges with the su command. 2. Move to your home directory, type the follow-ing command, and press Enter:# sh nessus-install.shThe Nessus Installation Script opens, as shownin Figure 37-1. Figure 37-1: The Nessus Installation Script window.3. Press Enter to continue.The installation script begins extracting thearchives and setting up shop. 4. When prompted, press Enter to accept thedefault location for the Nessus installation. 5. Confirm the installation with another press ofthe Enter key when prompted.Nessus begins compiling the libraries and config-uring the sources for your system. You may see afew warnings go by dont worry about themtoo much theyre for the authors of the codeto watch.6. When Nessus prompts you to build libraries,answer y. You see a window confirming that the Nessusinstallation is finished, as shown in Figure 37-2. Figure 37-2: The Nessus Installation: Finished window.You have only a couple more steps to go beforeyoure ready to run Nessus. You still need to add auser and create an SSL certificate for the program.Adding a user to NessusIn the wrong hands, Nessus can make life miserablefor a system administrator. Although most peopleuse Nessus to scan their own networks, Nessus canbe used to discover (and, to a small extent, exploit)vulnerabilities in other computers. To minimize thechances that abuse originates from your computer,Nessus keeps its own user database. Before you canuse Nessus, you need to add a user and create apassword:1. Enter the following command:# /usr/local/sbin/nessus-adduserThe Nessus Add User script starts. The ques-tions are fairly simple and quick.2. The script prompts you for a login. Type youruser name and press Enter.The script prompts you for a means ofauthentication.3. Type pass to use password authentication orcert to use certificate authentication. 45_571737c37.qxd 7/2/04 9:16 PM Page 257Technique 37: Evaluating Your Network Security with Nessus2583. Press Enter to accept the default.4. Enter an appropriate, two-letter country codeand press Enter when youve decided on a loca-tion code.The default is France.5. Enter your state or province and press Enter.6. Enter your city and press Enter.7. Enter your organization name and press Enter.The questions are done, and your monitorshould be displaying a window confirming that your SSL certificate has been created (see Figure 37-3).8. Press Enter to exit the nessus-mkcert programand return to the command line. Figure 37-3: The new SSL certificate has been created.Using Nessus to Scan Your NetworkAfter you download, install, and set up Nessus, addyour user account, and create the SSL certificate,youre ready to scan your network for vulnerabili-ties. The graphical interface makes Nessus quick touse and fairly intuitive. Youll be scanning in no time!4. Press Enter to accept the default (password)and continue.Youre prompted to enter the login password. 5. Enter a good password (one thats easy toremember but hard to guess).Youre prompted to enter a set of rules for theuser. Just accept the default (an empty set) andmove on to Step 6.6. Press Ctrl+D to continue.Youre asked to confirm the entries for the newuser glance through the summary to makesure everything looks correct.7. Press Enter to continue.Youre done creating a user in Nessus. The laststep in the setup process is creating a certificate.See the next section for details.Generating a certificateAfter you add a user for the Nessus security tool, youneed to generate an SSL certificate. The Nessusserver sends the SSL certificate to your Nessus clientso you know that youre connected to the real serverand not someone impersonating your server for das-tardly purposes. (See Technique 45 for more detailson how SSL certificates safeguard your system.) Togenerate the server certificate, follow these steps:1. Still at the command line, start the Nessus cer-tificate generator by typing the following com-mand and pressing Enter:# /usr/local/sbin/nessus-mkcertThe answers to the following questions are usedto create the security certificate.First, youre prompted for the CA certificate lifetime (in days).2. Press Enter to accept the default of 1460 days,or enter another length of time.Youre prompted for the server certificate lifetime.45_571737c37.qxd 7/2/04 9:16 PM Page 258Using Nessus to Scan Your Network 259You need to do the setup and installation only thefirst time you run Nessus. After that, you just startthe daemon and the user interface each time youwant to scan your system.Starting the daemon and the interfaceNessus is a client/server program. Before you canscan other machines on your network, you need tostart the Nessus daemon. To start the daemon, fol-low these steps:1. Type the following command and press Enter:# /usr/local/sbin/nessusd -D2. To start the user interface, type this commandand press Enter:# /usr/local/bin/nessusThe Nessus Setup window opens, as shown inFigure 37-4. Figure 37-4: The Nessus Setup window.3. Enter your Nessus login and password in theappropriate fields in the setup window, andthen click Log In.After validating your password, Nessus opens adialog, offering you choices about your level ofsecurity.4. View and approve the certificate to continue.Nessus moves you to the Plugins tab of theNessus Setup window.A Warning dialog opens, warning you thatvolatile plug-ins have been disabled (see Figure 37-5). Figure 37-5: A fairly ominous-looking warning dialog.By default, Nessus disables dangerous plug-insthat may crash the computer you scan. Thewarning that you see is telling you that yoursecurity audit wont be complete withoutenabling the plug-ins that are a threat to yoursystem.If you enable the dangerous plug-ins, you maycrash the target system. Are you feeling luckytoday?5. Click OK to continue.On the Plugins tab, you see a list of the plug-insthat are currently installed on your system. Theyare grouped according to component type in thetop frame of the window, as shown in Figure 37-6.6. In the Plugin Selection area, highlight one ofthe types to display a list of the plug-ins thatmake up that component in the lower part ofthe window. Use the scroll bar to cruise through the list. Youcan see that the boxes next to the plug-ins thatare considered volatile are not checked, asshown in Figure 37-7.45_571737c37.qxd 7/2/04 9:16 PM Page 259Technique 37: Evaluating Your Network Security with Nessus2607. Hover the mouse pointer over the dangerousplug-ins warning icon (the little yellow yieldsign with the ! on it) to display a tooltip thattells you what might happen to your system ifyou invoke this plug-in (see Figure 37-8). Figure 37-8: Check out the warnings.8. Click the yield sign to display a more graphicexplanation of the problems you mayencounter if you enable the plug-in (see theexample in Figure 37-9). Figure 37-9: The complete explanation. Figure 37-6: The Plugins tab of the Nessus Setup window. Figure 37-7: The Nessus Setup window with volatile plug-ins.45_571737c37.qxd 7/2/04 9:16 PM Page 260Using Nessus to Scan Your Network 261We dont recommend enabling dangerousplug-ins unless you have a specific securityneed. Be sure not to probe someone elsesmachine with a dangerous plug-in enabledbecause some of the plug-ins can crash theremote machine.9. Highlight a plug-in in the list box at the bottomof the window to display a more completeexplanation of the specific security threat itsdesigned to combat (see Figure 37-10). Figure 37-10: Information about the plug-in.10. Across the middle of the Plugins tab are fourbuttons, indicating the plug-ins youd like toapply to your scan. Choose to Enable All: Enable all the plug-ins currentlyon your system. Enable All but Dangerous Plug-ins: Dontenable the plug-ins that might cause problemson the target systems. Disable All: Disable all the plug-ins for a minimal scan. Upload Plugin: Upload any plug-ins that youwrite to the Nessus server. For a good starting place, click the Enable Allbut Dangerous Plugins button. That way, youavoid spending time fixing system corruptionuntil youve done some preliminary scans forloose security. Save the risky endeavors forFridays, before slow weekends, after a goodsolid backup.11. Click the Target Selection tab to select themachine that you want to test. Enter the hostname (or IP address) in the Target(s) field andclick the Start the Scan button.The scan opens another window, where progressbars chart the progress of the scan, as shown inFigure 37-11. When the scan is complete, theoriginal window and a window with the results ofthe scan appear on your desktop. Now, you needto interpret those results, which we discuss inthe next section, Reading the grim results. Figure 37-11: The scan in progress.45_571737c37.qxd 7/2/04 9:16 PM Page 261Technique 37: Evaluating Your Network Security with Nessus262A list of the ports found open in the scanappears in the Port frame, as shown in Figure 37-13. Figure 37-13: The ports that Nessus explored.The icons to the left of the ports tell you whatNessus found when connecting to those ports. Ayellow triangle with a ! in it indicates a port youshould be concerned about.3. Highlight the port name, and the SecurityWarning icon displays in the Severity frame, asshown in Figure 37-14. Highlight the securitywarning to view detailed information about thescan results in the bottom frame of the window. A red stop sign with a line through it indicatesa security hole. A triangle with an exclamation point indicatesa security warning. A light bulb indicates a security note (just abit of trivia you might find interesting).4. Highlight one of the ports with an icon next toit to open the details in the Severity frame.You may find that a given port sponsors morethan one level of offense.You can enter multiple machines in theTarget(s) field by separating the host names(or IP addresses) with a , (comma). Click theStart the Scan button, and a scan of all thesystems displays on the desktop.Reading the grim resultsAt first glance, the scan report looks pretty good; infact, it looks empty (see Figure 37-12). Just wait untilyou start exploring. Figure 37-12: The scan results.The good news is, the reports will tell you what todo about any security breaches Nessus finds. Thebad news, well, bear with us. Heres how to delveinto the report:1. Highlight the subnet for your system in theSubnet frame.The individual machines that youve included inthe scan are listed below, in the Host frame. 2. To see itemized information about what thescan found for each machine, highlight themachine address.45_571737c37.qxd 7/2/04 9:16 PM Page 262Keeping Your Plug-ins Up-to-Date 2635. In the Severity frame, highlight the securitylevel you want to explore to show the scan find-ings in the frame below (see Figure 37-15). Figure 37-14: This port might cause a problem. Figure 37-15: This is a security hole.The really good news is that Nessus doesntleave you hanging; a solution is included in thelower frame (see Figure 37-16). Figure 37-16: A security note.6. Click the Security Note icon in the Severityframe to open a list of recommendations aboutthe port. Be sure to scroll down through thereport to see the recommendations theyreworth the time and effort.7. Its not a bad idea to save your reports for lateruse. Just click the Save Report button at thebottom of the report to open the file selectiondialog. Specify a location to save the file in, andclick OK.Save your reports for later comparisons, andyoull see new problems as they appear.Keeping Your Plug-ins Up-to-DateNessus uses plug-ins to keep its security checks up-to-date. When a new security problem is discovered,its likely that someone (either at www.nessus.org orin the community of Nessus users) will write a plug-in to handle the vulnerability and publish it for thebenefit of other Nessus users. You can update theNessus plug-ins on your system with one simplecommand.45_571737c37.qxd 7/2/04 9:16 PM Page 263Technique 37: Evaluating Your Network Security with Nessus264Weve just scratched the surface of what you can dowith the Nessus tool; its capabilities go far beyondthe reach of this technique. If youre interested infinding out more about Nessus, visit the Web site atwww.nessus.org and explore the online documenta-tion. Also check out the man page: $ man nessus.To update the Nessus plug-ins, open a command lineand give yourself superuser privileges. Then typethe following command and press Enter:# /usr/local/sbin/nessus-update-pluginsIts a good idea to update your plug-ins often.Consider setting the update as part of anightly cron job. Set it up with Task Scheduleras a nightly task, and youll save time, and theprocess will be automated.45_571737c37.qxd 7/2/04 9:16 PM Page 26438 Person-to-PersonNetworking with IRCTheres computer networking, and then theres human networking.You can use IRC channels to network with other Linux users onlineto help solve problems and get the support you need to solveopen-source problems.IRC stands for Internet Relay Chat. Yes, were talking about chat rooms but specifically the chat rooms targeted to open-source and Linux users.Find the right channel though, and you can find quick access to a user ordeveloper who may be able to help solve a problem.IRC networking can put you in touch with experts and amateurswho use (and often write) the open-source projects that you use.Sometimes, when the documentation fails you, going online for theanswers is the quickest way to find a solution for your problem.In this technique, we introduce you to KSirc, which is one of the IRC toolsincluded with the KDE distribution. We also show you the way to someproductive, helpful chat rooms. Networking with the professionals onlinecan be a great timesaver in a pinch. Finding the Answers You Seek in a Linux Chat RoomWeve tried to provide the quickest, most dependable ways we know toimplement system solutions to meet your needs. Unfortunately, systemconfigurations vary, and your needs sometimes extend beyond the bor-ders of what would be considered typical. In those cases, looking throughonline IRC channels for someone whos encountered a similar situationcan help you find a quick solution to your problem.Most standard Linux distributions come with several IRC clients, and lit-erally dozens of IRC clients are out there. One friendly and usable clientis KSirc. KSirc is included in a standard installation of the KDE desktopon both Fedora and SuSE Linux systems.TechniqueSave Time By Networking online with IRC Customizing your KSircworkspace46_571737c38.qxd 7/2/04 9:18 PM Page 265Technique 38: Person-to-Person Networking with IRC266 Figure 38-2: The Connect to Server dialog. Figure 38-3: The KSirc connection window.4. Choose ChannelNew from the menu bar. In the unlabeled field near the bottom of theKSirc window, enter the following command:/listThe list of currently active channels begins toscroll by. Literally hundreds of channels are openat any given time, so the list can take a minute ortwo to load (see Figure 38-4).Use the scroll bar to view the entire list. The list-ing shows the current time, the #name of thechannel, the number of users currently in atten-dance, and a note about the channels subjectmatter.5. To join the active channel discussing Fedora,enter the following command:/join #FedoraTo use KSirc with Mandrake, youll first need to install the kdenetwork-ksirc-version.rpm package. Its included with thedistribution see Technique 17 for informa-tion about installing RPM packages.Follow these steps to use the KSirc IRC client:1. On Fedora, open the Main Menu and chooseInternetMore Internet ApplicationsKSirc.On SuSE or Mandrake, open the Main Menu andchoose InternetChatKsirc.The KSirc Server Control dialog opens, as shownin Figure 38-1. Figure 38-1: The KSirc Server Control dialog.With no connections, the server control is kindof a sad and worthless place. Establishing someconnections is the first step to finding otherLinux users.2. Choose ConnectionsNew Server from themenu bar.The Connect to Server dialog opens, as shown inFigure 38-2.3. Use the arrow to the right of the Group field toopen a drop-down list box of available servers.Scroll down and choose Freenode from the list.Then click the Connect button.The KSirc connection window opens display-ing information about the connection (see Figure 38-3).46_571737c38.qxd 7/2/04 9:18 PM Page 266Chatting in the Fedora Chat Room 267 Figure 38-4: The currently open channels.The Fedora channel is displayed, as shown inFigure 38-5. Figure 38-5: The current activity on the Fedora IRCchannel.To join any of the channels displayed in the listof open channels, enter the command /join#channelname. If youre interested in SuSE orMandrake specific channels, skip ahead to thesections titled Looking for Answers in theSuSE Chat Room or Finding Fellow MandrakeUsers in the Mandrake Chat Room.Chatting in the Fedora Chat RoomYoure almost ready to start chatting. Before joiningthe Fedora conversation, you should read the eti-quette directives at tinyurl.com/anel. Its also agood idea to lurk for a while to check out the flavorof the conversation before jumping in with yourquestions and/or answers.Hackers can be brutal if provoked. Be polite inIRC channels and observe etiquette, even ifyoure chatting with someone who goes bythe nickname of pigfilth.When youre ready to ask a question (or respond toone), follow these steps:1. Type into the unlabeled field (near the bottomof the window) and press Enter when yourefinished.Your question appears in the scrolling region,prefixed with your nickname.Some IRC servers require you to register beforeyou can talk (but you can usually listen withoutregistering). If you run into such a server, followthe directions that it sends your way.You can monitor multiple channels at onetime. As you open each channel, a new tabcontrol is added to the bottom of the KSircwindow (see Figure 38-6).2. When youre done participating in a discus-sion, you can leave a channel by opening theChannel menu and choosing Close.The tab control closes, leaving your remainingchannels intact. If you have only one channelrunning, KSirc closes.46_571737c38.qxd 7/2/04 9:18 PM Page 267Technique 38: Person-to-Person Networking with IRC268chat room on the Freenode IRC server. When you arecomfortable with the rules of conduct, just enter/join #mandrake in the KSirc chat field and pressEnter. The screen promptly presents the currentconversation in the Mandrake chat room and the listof users currently in attendance.When youre finished chatting, just choose ChannelClose.Customizing KSirc Who Do You Want to Be Today?You can customize your KSirc environment to suityour tastes and work habits in a flash with the KSircConfiguration dialog.To customize KSirc, start a KSirc session and chooseSettingsConfigure KSirc. The Configure KSirc dialogopens, as shown in Figure 38-7. Figure 38-7: The Configure KSirc dialog. Figure 38-6: You can monitor multiple channels at onetime.Looking for Answers in the SuSE Chat RoomIf SuSE Linux is more your style, youll find lots ofhelp on the Freenode IRC server. Join the SuSE chat-room by entering the command /join #suse in theunlabeled field at the bottom of the KSirc window.The SuSE channel opens, displaying the current con-versation in the large window on the left, with theactive participants in the panel on the right.After lurking for a while, you may want to join theconversation. Just enter your comments or inquiriesin the field at the bottom of the screen and pressEnter. In a flash, youre participating in the chat.When youre ready to leave the chat room, justchoose ChannelClose. Thats all there is to it!Finding Fellow Mandrake Usersin the Mandrake Chat RoomYou should check out the rules of conversation for theMandrake chat room at http://mandrake.brain.orgbefore joining the conversation in the Mandrake46_571737c38.qxd 7/2/04 9:18 PM Page 268Customizing KSirc Who Do You Want to Be Today? 269The buttons on the left panel control the four config-uration menus: General: Use the General menu to set optionsthat affect the general look and feel of the ses-sion, from the session information included inthe display to the wallpaper. Startup: Use the Startup menu to create a nick-name (or an alternative nickname if Funkmasteris already logged in). Colors: Use the Colors menu to set your colorpreferences for your IRC session. Fonts: Use the Fonts menu to set the font typeand size for your IRC session. After youve set your preferences, click OK to saveyour changes and close the Configure KSirc dialog.The next time you start a KSirc session, your prefer-ences are in place!46_571737c38.qxd 7/2/04 9:18 PM Page 26946_571737c38.qxd 7/2/04 9:18 PM Page 270Part VIIMonitoring Your System47_571737p07.qxd 7/2/04 9:19 PM Page 27147_571737p07.qxd 7/2/04 9:19 PM Page 27239 ControllingTroublesomeProcesses at theCommand LineEvery now and then a troublesome process gets loose on your sys-tem, hogging resources, slowing down the network, and refusing todie. Controlling the troublemakers is a snap, thanks to Linux. WithLinux, you have some great command line tools, all bundled up in one lit-tle RPM package called procps (pronounced proc ps).ps, pstree, and pgrep are the stud finders in the toolbox that help youfind the troublemaking processes. With ps, pstree, and pgrep, you canidentify the process, the user, and the terminal being used. You can alsoget a good idea of what system resources the process is using to decide ifthe process should be terminated. kill, killall, and xkill are the hammers in the toolbox. How big ofa hammer you need depends on the scope of the process or processesyoure trying to stop, and the precision you need to kill them off. Choosefrom the three commands to remove any unwanted processes thatyouve identified.You can use the renice command to level the playing field by assigning thetroublemaking process a nice value. The processes with lower nice valueshave to surrender system resources to processes with higher priorities.In this technique, we introduce you to some handy command line toolsthat make process management a breeze. With these tools in your tool-box, you can build a better system fast, even if you dont have a graphi-cal environment to help you along the way.Processing Processes with procpsThe tools packaged in the procps RPM package are a handy but diversebunch. They can retrieve information about processes or users, kill offunwanted processes, and watch the activities on your system. procps isan all-purpose toolkit designed to provide power at the command line tomake process management quick and easy.TechniqueSave Time By Using the tools in procpsto control processes atthe command line Using ps, pstree, andpgrep to retrieve processdetails Killing off unwantedprocesses at the command line Setting program prioritiesat the command line withrenice48_571737c39.qxd 7/2/04 9:19 PM Page 273Technique 39: Controlling Troublesome Processes at the Command Line274about that process. Knowing the identity of the user,the process ID, and the terminal that is controllingthe process is valuable when you need to trackdown a process and its origins. Statistical informa-tion about the process (such as memory usage andCPU time) is also helpful when you need to catchtroublemaking programs that might be causing per-formance problems. procps provides several goodtools that can help you get that information in theform that helps you most.Using ps to filter process status informationMost Linux users have at least a passing familiaritywith the ps command. ps stands for process status,and it displays just that: the status of a process.If you just type ps without any extra arguments oroptions, you see a quick synopsis of the programsrunning within your terminal window:PID TTY TIME CMD10181 pts/7 00:00:00 bash10521 pts/7 00:00:00 psThis information is organized in four columns: PID: The first column shows the process ID,which is a unique number assigned to eachprocess when it starts running. TTY: The second column displays your ttydevice name. In this example, pts/7 means thatyoure logged into pseudo-terminal number 7.(When you open a new terminal window, you cre-ate a new pseudo-terminal.) TIME: The third column shows the amount ofCPU time used by each process. CMD: The last column shows the name of the pro-gram running within each process.Note that you dont have to live with the defaultcolumns. You can change the way the output looks.See Viewing ps output the way you want to see itlater in this technique.Getting familiar with procps is a good invest-ment of time. After you know the tools, youllturn to them again and again.The procps package contains several tools that youcan use to monitor and control processes: ps sysctl free pgrep pkill top w watchChances are, procps is already installed on your sys-tem. If not, you can find the RPM package on theLinux distribution discs. On Fedora or Mandrake, open a terminal window,and with superuser privileges, mount the disc andinstall the package with the following command:# rpm -Uhv procps-version.rpmIf youre a SuSE user, open a terminal window, andwith superuser privileges, mount the disc and installthe RPM package with the command:# rpm -Uhv ps-version.rpmSee Technique 17 for more information aboutinstalling software with rpm.Keeping Track of Process Statuswith ps, pstree, and pgrepBefore you can control a troublesome process onyour system, it helps to have good, solid information48_571737c39.qxd 7/2/04 9:19 PM Page 274Keeping Track of Process Status with ps, pstree, and pgrep 275The ps command was inherited from UNIX.Thats an oversimplification because many fla-vors of UNIX have existed (HP/UX, AIX, BSD,Digital UNIX, SCO UNIX, and so on). Linuxuses the standard GNU version of ps. As aresult, the ps command supports a wide vari-ety of command line options. Save yourselfsome time and learn the portable (that is, long-format) command line options. For example,use ps --pid 1 instead of the equivalent ps-p 1. The long-form options require a bit moretyping, but theyre much easier to remember.If you want to see all the processes running on yoursystem, add -A to the end of the command line, likethis:$ ps -APID TTY TIME CMD1 ? 00:00:04 init2 ? 00:00:00 keventd3 ? 00:00:00 kapmd4 ? 00:00:00 ksoftirqd/06 ? 00:00:00 bdflush.... ........ ........ ...........5039 tty1 00:00:00 mingetty5040 tty2 00:00:00 mingetty... ........ ........ ...........Notice that the TTY column displays a ? for manyprocesses. Those processes are noninteractive, andtheyre generally server-type processes like Apache,xinetd, or MySQL. To see only the interactiveprocesses (processes associated with a terminal orterminal window), use -a instead of -A.You can also choose processes based on the processcharacteristics shown in Table 39-1.TABLE 39-1: PS PROCESS SELECTION OPTIONSOption Description-C command Displays processes running command-G group Displays processes that have the --group group effective group ID group (groupcan be a group name or a numericgroup ID)Option Description-U user Displays processes that have the --user user effective user ID user (user can be auser name or a numeric user ID)-g group Displays processes that have the --Group group real group ID group (group can be agroup name or a numeric group ID)-u user Displays processes that have the --User user real user ID user (user can be auser name or a numeric user ID)-p process-ID Displays processes that have the --pid process-ID process ID process-ID-t tty-name Displays processes running at --tty tty-name terminal tty-nameIf you list more than one process selector, ps dis-plays all processes that meet any of the constraints.For example, to see all processes with an effective orreal user ID of freddie, use the following command:$ ps --user freddie --User freddieIf you want to select multiple processes based onthe same characteristic (but different values), justlist each value, separating the values with commas.These two commands are equivalent:$ ps -C bash -C zsh$ ps -C bash,zshViewing ps output the way you want to see itYou can also change the columns listed by the pscommand. To specify an output format, use the fol-lowing option:-o column[,column]...ps lets you choose an output format from 126 differ-ent columns! Some of the more useful columns areshown in Table 39-2.48_571737c39.qxd 7/2/04 9:19 PM Page 275Technique 39: Controlling Troublesome Processes at the Command Line276If you put a minus sign in front of a sort specifier, youreverse the ordering. For example, the command$ ps --sort cmd,-pidsorts processes first by command name (in ascend-ing, or AZ, order) and then by process ID indescending (9999991) order.ps comes preloaded with a few predefined outputformats that display the information youre mostlikely to need. The default output format shows theprocess ID, tty, CPU time, and user name. The -l (orlong) format displays a ton of information about thestate of the process (priority, state, process size, andso on). The u option (note: u, not -u) displays user-oriented information (percentage of CPU time, per-centage of available memory, and such).If you experiment with ps, youll probably findthat you frequently use a few output optionsin combination. Use the alias command (partof the bash shell) to create new commandsthat correspond to the options that you prefer.For example, to create a new commandnamed psu that displays user-oriented processinformation, use the following command:$ alias psu=ps -opid,euser,ruser,%cpu,%mem,commandNow, when you type the command psu, yousee only the columns that youre interested in. Of course, you can specify other options when yourun the psu command:$ psu -C bashPID EUSER RUSER %CPU %MEM COMMAND9318 freddie freddie 0.0 0.3 bash9380 franklin franklin 0.0 0.2 bash9428 root root 0.0 0.2 bashSee Technique 10 to find out how to save bashaliases so theyre available every time you log in.TABLE 39-2: PS COLUMN SPECIFIERSColumn Name Description%cpu Percentage of CPU time used by process%mem Percentage of memory used by processComm Command nameArgs Command line argumentsCommand Command name plus command line argumentegroup Effective group nameegid Effective group ID (numeric)rgroup Real group namergid Real group ID (numeric)euser Effective user nameeuid Effective user ID (numeric)ruser Real user nameruid Real user ID (numeric)Pid Process IDStat Process state (running, sleeping, waitingfor I/O, and so on)Cputime Cumulative CPU timeTty Terminal nameDont worry about memorizing the list of columnspecifiers; use the command ps L (thats L, not -L)to display the complete list.Normally, ps displays process information in processID order. You can choose your own ordering with --sort column. For example, to list processes inincreasing order by command name, use the follow-ing command:$ ps --sort cmdYou can use any of the column specifiers displayedby ps L. If you want to sort first by command nameand then by process ID, use this command:$ ps --sort cmd,pid48_571737c39.qxd 7/2/04 9:19 PM Page 276Keeping Track of Process Status with ps, pstree, and pgrep 277Making parent-child relationships stand out in a ps listingWhen youre looking at a long ps listing, its difficultto discern the parent-child relationships amongprocesses. ps has two command line options thatmake that relationship a little easier to see.The -H option indents child processes; each gen-eration is indented a bit more than the previous generation:$ ps -AHPID TTY TIME CMD1 ? 00:00:04 init4993 ? 00:00:00 atd4647 ? 00:00:00 crond5022 ? 00:00:00 dbus-daemon-14240 ? 00:00:00 dhclient5045 ? 00:00:00 gdm-binary5175 ? 00:00:00 gdm-binary5176 ? 00:07:43 X5197 ? 00:00:00 startkde5323 ? 00:00:00 kwrapper5256 ? 00:00:00 ssh-agent.... . ........ .................You can see from this example that the init process(process ID 1) is that ancestor of all the otherprocesses. Process 5175 is the parent of two children(5176 and 5197) and the grandparent of process 5323and process 5256.To see a slightly fancier display, use the --forestoption instead of -H:$ ps -AH --forestPID TTY TIME CMD1 ? 00:00:04 init4993 ? 00:00:00 atd4647 ? 00:00:00 crond5022 ? 00:00:00 dbus-daemon-14240 ? 00:00:00 dhclient5045 ? 00:00:00 gdm-binary5175 ? 00:00:00 \_ gdm-binary5176 ? 00:07:48 \_ X5197 ? 00:00:00 \_ startkde5256 ? 00:00:00 \_ ssh-agent5323 ? 00:00:00 \_ kwrapper.... . ........ .................Personally, we find the --forest option a tadconfusing; we prefer the pstree commandinstead. See the next section for details onpstree.Climbing the family tree with pstreepstree is similar to the ps command, but it has farfewer options. When you run pstree, you see a graphof processes running on your system, similar to thatshown in Figure 39-1. Figure 39-1: Output from the pstree command.You can see that pstree makes the process tree easyto see. By default, pstree compresses the processtree by removing duplicate branches from the dis-play. You can see all the processes running on yoursystem by including the -c, -a, or -p option: -c simply disables compression. -a tells pstree to display the command line argu-ments for each process, as shown in Figure 39-2. -p forces pstree to add process IDs to the graph,as shown in Figure 39-3.You can use the -p and -a options in the samereport. The command $ pstree -pa includesin the output the command line arguments forthe process as well as the process ID.48_571737c39.qxd 7/2/04 9:19 PM Page 277Technique 39: Controlling Troublesome Processes at the Command Line278 Figure 39-4: pstree highlight mode.If you want to see the descendents of a specificprocess, include the process ID at the end of thecommand, like this:$ pstree 5296To see the processes for a particular user, includethe user name at the end of the command line:$ pstree freddieFinding processes with pgrepps and pstree are useful tools when you want to seethe big picture, but it can be tough to find the processyoure looking for in a long list. Thats where pgrepcomes in. pgrep lets you search for specific processesbased on a number of process characteristics. To search for processes running a particular program,run pgrep pattern. For example, heres how to searchfor all processes running mozilla:$ pgrep mozilla5385 5391 5393 5395 5400 Figure 39-2: pstree -a displays command linearguments. Figure 39-3: pstree -p displays process IDs.pstree has a few more options that you might finduseful: -h highlights your current process and all ances-tors (see Figure 39-4), making it easy to find your-self in a complex listing. -u shows the user name associated with eachprocess. (Actually, -u displays the user nameonly when it changes from parent to child.)48_571737c39.qxd 7/2/04 9:19 PM Page 278Keeping Track of Process Status with ps, pstree, and pgrep 279Hmmm . . . that output is a bit terse. Use the -loption to display the program name as well as theprocess ID:$ pgrep -l mozilla5385 run-mozilla.sh5391 mozilla-bin5393 mozilla-bin5395 mozilla-bin5400 mozilla-binpgrep matches program names based on regularexpressions (that is, wildcards), so it displaysprocesses whose names include mozilla. For a com-plete rundown on the regular expression syntaxunderstood by psgrep, see the man page for regex(info regex). If you want an exact match (not a regu-lar expression match), use the -x option. By default,pgrep matches the pattern that you provide againstthe program name for each process. To match thepattern anywhere in the command line (not just inthe program name), include -f on the command line:$ pgrep -fl mozilla5385 /usr/ local/mozilla/run-mozilla.sh 5391 /usr/local/mozilla/mozilla-bin5393 /usr/local/mozilla/mozilla-bin5395 /usr/local/mozilla/mozilla-bin5400 /usr/local/mozilla/mozilla-bin9388 more run-mozilla.shNotice process 9388: The program running there is more, but because the command line argumentsinclude mozilla, pgrep displays it.pgrep can also find processes based on the criteriashown in Table 39-3.TABLE 39-3: PGREP OPTIONS THAT LOOK FOR MATCHING DATAOption Description-P pid Selects processes whose parent isprocess pid-g process-group Selects processes belonging toprocess group process-groupOption Description-s session-ID Selects processes belonging to thelogin session session-ID-u user Selects processes whose effectiveuser IDs match user (user can be auser name or a numeric user ID)-U user Selects processes whose real userIDs match user (user can be a username or a numeric user ID)-G group Selects processes whose effectivegroups match group (group can bea group name or a numeric group ID)-T terminal Selects processes associated withterminal (or pty) terminalIn addition to the matching options described inTable 39-3, you can negate the criteria with the -voption. For example, to find all the processes notowned by user root, use this command:$ pgrep -U root -vYou can also tell pgrep to display only the mostrecent process that matches your criteria. To do so,just include -n on the command line like this:$ pgrep -n xmmsThats handy if you want to find the most recentlyinvoked copy of a program.As explained earlier, pgrep displays a list of processIDs by default, but you may want to see more infor-mation. To help pgrep overcome its minimalism, youfeed the output from pgrep (the list of processes thatmatch your criteria) into another program that knowshow to use a process ID. For example, heres how tosee detailed information about all the processesowned by user freddie or by user franklin:$ ps -l --pid $(pgrep -U freddie,franklin)The bash shell first executes the command insidethe parentheses and then builds a new commandthat incorporates the output from pgrep. That might48_571737c39.qxd 7/2/04 9:19 PM Page 279Technique 39: Controlling Troublesome Processes at the Command Line280Killing Processes with killallpkill is a bit aggressive, and if youre notcareful, it can kill processes that you dontintend to harm. If you want to kill a collectionof processes, exercise some caution and usekillall instead.killall isnt as flexible as pkill when it comes toselecting processes, but it has one very nice feature:interactive mode. killall selects processes basedon program name. When you run killall, use the --interactive option (or -i for short) to tell killallto prompt you before it kills each process:$ pgrep -lf more10512 more mozilla/run-mozilla.sh10513 more /etc/passwd$ killall --interactive moreKill more(10512) ? (y/n) yKill more(10513) ? (y/n) nLike pkill, killall sends SIGTERM by default. If you want to send a different signal, use the --signalsignal-name option:$ killall -i --signal SIGKILL moreKill more(10512) ? (y/n) yKill more(10513) ? (y/n) nClosing Windows with xkillOnce in a while, a window appears on your desktop,and you just dont know where it came from. It mightbe a pop-up ad from a piece of spyware, an annoyingmessage from a program running in the background,or just a program that forgot to identify itself. If youdont know the name of the program that created thewindow, you cant kill it with kill, pkill, or killall.You need xkill, which kills off a program when youclick the programs window. To see xkill in action:sound confusing if youre not familiar with the bashcommand substitution feature, so it may help tobreak the command down a bit. Assume that thepgrep command returns three process IDs:$ pgrep -U freddie,franklin552378798256bash substitutes the output from pgrep into the pscommand like this:$ ps -l --pid 5523 7879 8256You can feed the output from pgrep into any programthat expects a list of process IDs, such as kill. To killall processes owned by user freddie, you can com-bine pgrep and kill like this:$ kill $(pgrep -U freddie)Killing Processes with pkillAn easy way to kill off unwanted processes is pkill.pkill is nearly identical to pgrep (in fact, you canselect processes using the same criteria in Table 39-3,which you can find earlier in this technique) exceptthat pkill kills the matching processes instead ofdisplaying matching process IDs. To kill all processesowned by user freddie, use the following command:$ pkill -U freddiepkill (and its cousin, kill) work by sending a signalto the targeted process. By default, pkill sends theSIGTERM signal to suggest that the target process ter-minate itself. If you find a program thats not willingto honor SIGTERM, you can be more forceful byusing the -SIGKILL option:$ pkill -SIGKILL -U freddieYou can send any signal with pkill. For a completelist of signals (and their meanings), see man 7 signal.48_571737c39.qxd 7/2/04 9:19 PM Page 280Getting Your Processes Priorities Straight 2811. Start up a copy of xmms and tell it to play amedia stream (see www.shoutcast.com if yourelooking for some good music).2. Now, open a terminal window and run the fol-lowing command:$ xkillSelect the window whose client you wishto kill with button 1....Notice that the mouse cursor has changed fromits familiar arrow to something that looks like atarget sight in an F-16.3. Click anywhere on the xmms window, and themedia player is killed.Be careful with xkill you can easily kill off thewrong program with a single click. xkill will kill justabout any window that you click even the KDE (orGNOME) taskbar!Make sure that the window you want to kill isvisible. You cant move to a different desktopby clicking the pager (the multiple-desktopcontrol down on your taskbar) because youllkill the pager instead.If you change your mind after you start xkill,just right-click anywhere on the screen, andxkill will end without doing any damage. xkill isnt foolproof. It cant kill every program, butweve yet to find one that it cant handle. Of course,you need the right privileges to use xkill. You cankill off processes that you own, but you cant killprocesses owned by other users. If you need to kill a process owned by anotheruser, give yourself superuser privileges (withsu) before you run xkill.Getting Your ProcessesPriorities StraightLinux uses a relatively simple scheme for divvyingup available CPU time. CPU time is divided intoshort segments, and each period is called a quantum.As each quantum expires, the kernel chooses a newprocess to run from the list of processes with thehighest priorities. Each process is assigned a prior-ity that can change over time. The base priorityassigned to a process is known as its nice value. The name is a little strange and so is the numberingscheme. Nice values range from +20 (lowest priority)to 20 (highest priority), and most processes startwith a nice value of 0. Think of it this way: A programwith a high nice value is being nice to other processesby giving up the CPU when someone else needs it.To view the nice value of an existing process, usethis command:$ ps -l process-idYou can lower the priority (that is, increase the nicevalue) of your own processes by using the renicecommand. For example, heres how to lower the pri-ority of your bash shell:$ renice +10 $$6297: old priority 0, new priority 10(The $$ shell variable contains the process ID ofyour shell.)If you have superuser privileges, you can increase ordecrease the nice value of any process. You can iden-tify processes by process ID (-p pid), process group(-g process-group), or user name (-u user).You can also use KDE System Guard torenice programs in a graphical environment.Check out Technique 41 for help using KDESystem Guard.48_571737c39.qxd 7/2/04 9:19 PM Page 281Save Time By Using the Fedora/Mandrake user managerto add users and groups Forcing users to updatepasswords Changing passwords witha few clicks Organizing your usersinto groups Using filters to find usersfastTaking Care of New(And Old) UsersEven if youre the only user on your system, you likely already knowthat you need at least two user accounts: you and your alter ego the superuser. Your wild side (the superuser) is there when youneed it to customize configuration files, install software, and remove oldfiles. Your more sensible identity is for moving with speed and agility,without the danger of accidentally wiping out the contents of your onlineworld with a typing error.If you manage a system with multiple users, or you manage a network,youve likely set up each user with his or her own identity so you donthave roots running around willy-nilly changing passwords and unin-stalling packages.Whether you manage two user accounts or 200, the graphical user man-ager that comes with your distribution is the timesaving way to managethem. This tool simplifies account-related tasks, letting you avoid com-mand line interaction. You dont have to remember any commands; justpoint and click to create and manage users and their information. Theprocess of adding new users and modifying existing ones is fast.Using groups to organize file privileges can save you a ton of time. Thegraphical user manager makes it easy to create and populate groups withits handy checklist. Fedora Linux and Mandrake Linux (currently) use thesame user manager tool. As we describe the Fedora user manager, justremember that everything that we tell you applies to the Mandrake usermanager as well.In this technique, we introduce you to the advantages of your distribu-tions user manager. Youll save time (and a lot of typing) by using thissimple tool to keep your user accounts and groups up-to-date. Every fileand program on a Linux computer is owned by a single user and a singlegroup. Every file (and program) also has a set of permissions that deter-mine what the owner can do to the file, what members of the group cando, and what everyone else can do.To make the system a safer place, assign each user a unique user nameand password. When you create a separate account for each user, it hasthe following effects:40Technique49_571737c40.qxd 7/2/04 9:21 PM Page 282Managing Users and Groups with the Fedora/Mandrake User Manager 283 Users cant read each others e-mail or otherprivate documents. Users cant alter each others files. User cant lock others out of the system bychanging a shared password. Users have separate home directories to keeptheir work in. Privileges for programs and data files can beassigned to individuals.This makes your work as a user administrator muchquicker and easier.Managing Users and Groupswith the Fedora/MandrakeUser ManagerIn this section, we give you a tour of the Fedora/Mandrake user manager. If youre a SuSE user, skipahead to the section, Managing Users and Groupswith the SuSE User Administrator.The user manager makes user and group manage-ment a snap. With just a few clicks, you can set upnew users or temporary accounts, change pass-words, and manage groups. The user manager works from either the KDEDesktop or the GNOME desktop. If youre runningFedora Linux, you can start the user manager byopening the main menu and choosing SystemSettingsUsers and Groups. If youre runningMandrake Linux, start the user manager by openingthe main menu and choosing SystemConfigurationOtherUser Administration. In either case, enter thesuperuser password if you are prompted to do so.The user manager then opens, as shown in Figure 40-1.The user manager gives you all the access you needto add and modify groups and users. The easy-to-readuser lists and intuitive dialogs make it a quick tool toget up and running with. Figure 40-1: The Fedora/Mandrake User Manager.Adding new usersTo add a user, follow these steps: 1. In the user manager, click the Add User icon onthe toolbar.The Create New User dialog opens, as shown inFigure 40-2. Figure 40-2: The Create New User dialog.49_571737c40.qxd 7/2/04 9:21 PM Page 283Technique 40: Taking Care of New (And Old) Users284Modifying user accountsUsers come and go thats the nature of business.If youre responsible for many user accounts, youllneed to change forgotten passwords and delete oldaccounts. The user managers graphical interfacemakes quick work of keeping up with the humanresources department.If you need to delete a user, the process is simple:Just select the user and click Delete on the toolbar.When you click the Delete button, take note ofthe Delete Users Home Directory option. Besure that nothing important is in that directorybefore you click Yes.To make changes to a user account, follow thesesteps:1. Double-click a user name in the user manager.The User Properties dialog appears, as shown inFigure 40-3. With the User Properties dialog, youcan change the user account with just a fewclicks. Figure 40-3: The User Properties dialog.2. Adjust different settings on the four tabs, asfollows:2. Fill in the fields in the dialog appropriately: User Name: This is the name that youll seenext to the cursor when you log in to the shell(so make sure its polite). Full Name: This name is for internal use. Ifyoure managing a large company, you mayneed to distinguish between your Bobs orJennifers. Password and Confirm Password: Enter apassword and confirm the password in thenext field. The password has to be at least sixcharacters long, and it can be any combina-tion of upper- and lowercase letters, numbers,and characters. Login Shell: The option you choose from thisdrop-down list determines which shell startswhen the user opens a terminal window. bashis a good, friendly choice, but if the new useris a real macho-type programmer, he or shemight want a more hearty shell like /bin/csh(designed to be friendly to C programmers need we say more?). Create Home Directory: This defaults to/home/username for the user, but you canspecify a different directory if you choose. Create a Private Group for the User: Checkthis box if you want to create a new group. Specify User ID Manually: Check this box ifyou want to choose the user ID rather thanallow the system to manage the numbers. Wedont recommend that unless you have areally good reason. Linux knows best.Never create a user with a UID of 0. The usermanager wont let you do it, but you can do itat the command line. User 0 is always root,and any user with a UID of 0 is also root (andhas superuser privileges).3. After you fill in the dialog, click OK to add thenew user.Youre finished!49_571737c40.qxd 7/2/04 9:21 PM Page 284Managing Users and Groups with the Fedora/Mandrake User Manager 285 User Data: Use this tab to change the userspassword, home directory, or login shell.If a user forgets a password, this is the place togo. The old password is masked, but you canenter a new password for the user in seconds. Account Info: On this tab, check the LocalPassword Is Locked box to lock the user outof his or her account. Check the EnableAccount Expiration option if you want theaccount to expire on a certain date, and thenenter the expiration date. Password Info: Use this tab to controlchanges to a users password. You can specifythe number of days before a change is allowed,or the number of days before a change isrequired. You can also set up a warning date,warning the user that his or her password isabout to expire, or specify the number of daysbefore the account will be rendered inactive.Expiring a password limits the amount of timethat a hacker can use it. It also takes a fairamount of horsepower to crack a password, soif someone gets an encrypted version of yourpassword file, odds are that the password willhave changed by the time that the hackerdecrypts it. Good password management is areal timesaver. Groups: Use this tab to specify the groups towhich a user belongs. You can also specify theusers primary group here.3. When youve finished making changes, clickOK to save your work.Adding groupsA group is a collection of users. Groups make it easyto manage file permissions. If you have several usersthat all need to access the same file, create a newgroup with those users in it.The user manager makes it a breeze to create andmodify groups. To add a group, follow these steps:1. Open the Main Menu and choose SystemSettingsUsers and Groups. 2. Choose the Groups tab.The currently defined groups are displayed, asshown in Figure 40-4. Figure 40-4: The Fedora/Mandrake user managerGroups tab.3. Click the Add Group button on the toolbar.The Create New Group dialog appears, as shownin Figure 40-5. Figure 40-5: The Create New Group dialog.4. Specify a name in the Group Name field. 5. If you need to specify a group number, you cancheck the Specify Group ID Manually box, butwe recommend accepting the default and let-ting Linux assign the group number to avoidpotential conflict.49_571737c40.qxd 7/2/04 9:21 PM Page 285Technique 40: Taking Care of New (And Old) Users286To use the filter, type in the first few letters of theuser name and click Apply Filter. The names arescreened to include only those starting with thatsearch string (see Figure 40-7). Figure 40-7: The Users list, filtered for names beginningwith fr.To refresh the list to show all users, clear the SearchFilter field and click Apply Filter. The list thenrefreshes, showing all users.Managing Users and Groupswith the SuSE UserAdministratorThe SuSE user and group administrator is part of theYaST Control Center. SuSEs user and group tools arepowerful and friendly a timesaving combination.To start the SuSE user administrator, open the mainmenu and choose SystemYaST. (Enter the super-user password if prompted). When the YaST con-trol center appears, click Security and Users andthen Edit and Create Users.The user and group administrator opens, as shownin Figure 40-8.6. Click OK when youre done.The group is created. Now, you need to add themembers. 7. Back in the Groups tab of the user manager,double-click the group in the list.The Group Properties dialog appears, as shownin Figure 40-6. Figure 40-6: The Group Properties dialog.8. To add users to your new group, choose theGroup Users tab. 9. Check the boxes next to the users that will bemembers of the group. 10. Click OK when youre finished.The Groups tab in the user manager is updatedto reflect the new group members.Filtering users and groupsOne really handy feature of the Fedora/Mandrake usermanager is the Search Filter, located in the upper-right corner of the screen. You can apply the SearchFilter to either the Users list or the Groups list.49_571737c40.qxd 7/2/04 9:21 PM Page 286Managing Users and Groups with the SuSE User Administrator 287 Figure 40-8: The SuSE User and Group Administrationdialog.Adding new usersTo add a new user, follow these steps:1. In the user administrator, click Add (near thebottom of the window).The Add a New Local User dialog opens, asshown in Figure 40-9. Figure 40-9: The Add a New Local User dialog.2. Fill in the fields in the dialog appropriately: Full User Name: This name is for internal use.Type in the full name of the new user. User Login: This is the name of the new useraccount (in other words, the login name). Password and Verify Password: Enter a pass-word and verify the password in the nextfield. The password has to be at least fivecharacters long, and it can be any combina-tion of upper- and lowercase letters, numbers,and characters. 3. Click Details to open the Add/Edit UserProperties dialog, shown in Figure 40-10. Figure 40-10: The detailed user properties dialog.4. Change the fields in the detailed properties dia-log to suit your needs: User ID (uid): In most cases, you can acceptthe default user ID chosen by YaST. If, forsome reason, you need to choose a differentuser ID, type in a value between 500 and 6000:YaST will display an error message if the userID you specify is already in use. Home Directory: This defaults to /home/username, but you can specify a differentdirectory if you choose.49_571737c40.qxd 7/2/04 9:21 PM Page 287Technique 40: Taking Care of New (And Old) Users2887. Change the fields in the Password Settings dia-log to enable and adjust the password agingoptions for this user: Days Before Password Expiration to IssueWarning: The typical default value (7) startswarning the user one week before his or herpassword expires. Each time you log in toLinux, the login program compares the cur-rent date to the password expiration date foryour account. If your password is about toexpire, Linux displays a warning and suggeststhat you may want to change your passwordbefore it expires. Days After Password Expires with UsableLogin: This might seem like a strange ques-tion at first. If you can log in even though yourpassword has expired, what good is passwordexpiration? When you log in to Linux afteryour password has expired, you must changeyour password before you can do any otherwork. The default value for this field (-1) letsyou change your expired password at anytime. If you enter some other value in thisfield, you can only change your expired pass-word within that interval after that, youllhave to ask the system administrator to resetyour password for you. Maximum Number of Days for the SamePassword: Enter a value in this field to specifyhow often the user must change his or herpassword. If you enter, say, 7 in this field, theuser must change his or her password everyweek. Minimum Number of Days for the SamePassword: The default value of 0 means thatthe user can change his or her password atany time. If, for some reason, you want theuser to keep the same password for someperiod of time, enter the number of days inthis field. Expiration Date: If you enter a date in thisfield, the user account will be disabled afterthat date. Note that the expiration date isnot the same thing as password aging. Whenyour password expires, you can change it Additional User Information: Enter any extrainformation that you want to note about thisuser. The information that you supply here isignored by most Linux programs, but will bedisplayed if someone fingers this user withthe finger command (see man finger formore information). Login Shell: The option you choose from thisdrop-down list determines which shell startswhen the user opens a terminal window. bashis usually a good choice. Default Group: SuSE typically adds new usersto the users group, but you can choose a dif-ferent one by selecting the group from theDefault Group drop-down list. Additional Group Membership: Use thescrolling list on the right side of the dialog toenroll the user in other groups or to removethe user from other groups.5. When youre finished with the Add/Edit UserProperties dialog, click Next to continue.Note: If you click Back, YaST silently discardsany changes that you made to the Add/Edit UserProperties dialog.6. Click Password Settings to open the PasswordSettings dialog, shown in Figure 40-11. Figure 40-11: The Password Settings dialog.49_571737c40.qxd 7/2/04 9:21 PM Page 288Managing Users and Groups with the SuSE User Administrator 289and continue to use your account. When youraccount expires, you will no longer be able tolog in.8. When youre finished with the PasswordSettings dialog, click Next to continue.Note: If you click Back, YaST silently discards anychanges that you made to the password settings.9. When youre back at the Add a New Local Userdialog, click Create to create the account.Thats it; youve just created a new user account. Younow see the User and Group Administration dialogagain (refer to Figure 40-8). The user account that youjust created will not be active until you click Finish toclose the window.Modifying user accountsYou can also use YaSTs User and Group Administra-tion tool to modify and delete user accounts. If you need to delete a user, the process is simple:Just highlight the user and click Delete. When youdelete a user, YaST will ask if you want to delete theusers home directory as well be sure youvemade a backup of any files that may be importantbefore you click Yes.To modify a user account, highlight the account andclick Edit (or just double-click the user name). Whenyou modify an account, you use the same set ofdialogs that you used to create the account: Simplychange any settings that you want to modify andclick Next to save your work.Adding groupsA group is a collection of users. Groups make it easyto manage file permissions. If you have several userswho all need to access the same set of files, create anew group with those users in it.YaST makes it easy to create and modify groups. Toadd a new group, you use the same User and GroupAdministration tool that we described previously:1. In the User and Group Administrator, click theGroups option button near the top of the dialog.2. Click Add.YaST opens the Add a New Local Group dialog,shown in Figure 40-12. Figure 40-12: The Add a New Local Group dialog.3. Type a name for the new group in the GroupName field.4. Enter a Group ID or accept the default gidselected by YaST. YaST displays an error message if the group IDyou specify is already in use.5. If you want Linux to require a password beforea user can switch to this group, enter (and con-firm) the password.In most cases, you can leave the password blank:You must be a member of a group before you canswitch to that group, so assigning a group pass-word is usually overkill.6. Use the scrolling list at the right side of the dia-log to add and remove members of the newgroup.7. Click Next to save your changes and return tothe User and Group Administration dialog.49_571737c40.qxd 7/2/04 9:21 PM Page 289Technique 40: Taking Care of New (And Old) Users290uid is 0). SuSE Linux defines a number of other sys-tem accounts such as bin (user bin owns most of theprograms in the /bin directory), daemon (used to runmany of the background daemons on a typical Linuxsystem), and mail (user mail owns most compo-nents of the e-mail processing system).To switch between local users (or local groups) andsystem users (or groups), click Set Filter and selectthe filter you want to use.Filtering users and groupsThe SuSE User and Group Administration toolenables you to filter the users and groups that yousee while youre adding and modifying accounts. Bydefault, YaST displays local users. A local user is auser whose numeric user ID is in the range 500through 60,000 (inclusive). A system user is a userwhose numeric user ID is less than 500 or greaterthan 60,000. User root is a system account (roots49_571737c40.qxd 7/2/04 9:21 PM Page 29041 Keeping an Eye onYour SystemLinux log files can provide all sorts of information about your system.In this technique, we show you how to collect and customize thatinformation. We also introduce you to some handy tools that helpyou monitor your log files and system resources.The system log viewer is an easy way to review all your log files at once.An easy graphical interface allows you quick click-and-view access to allthe logs, in one place. You can also customize the displays to call yourattention to problems without having to search through long log files.The filter mechanism built into the system log viewer enables you toquickly and easily find problems related to device failures or programsthat just wont start.The syslogd daemon is responsible for deciding what gets written to thelog files. The daemon comes preconfigured with a standard set of instruc-tions, but you can customize the rules in the /etc/syslog.conf file tomake the daemon more sensitive to problems. We show you how in thistechnique.KDE System Guard is a great graphical tool that creates custom systemand network resource-usage worksheets. You can arrange sensors thatdisplay information from your computer and other machines on your net-work to compare system resources in plotted charts and bar graphs. Youcan also use the process table to manage tasks kill off runaway pro-grams or change the scheduling priority of processes as they execute.You can also tell at a glance whos running what tasks and whos hoggingyour resources.This technique is all about controlling information. Just like a detective,you need sources. The great thing about Linuxs information resourcesis you dont have to pay them off for information. Just keep an eye onthem, and theyll tell you what you need to know about the state of yourcomputer. TechniqueSave Time By Watching the activity inyour system logs Customizing your log files Customizing system noti-fications for better alerts Creating custom resourceworksheets with KDESystem Guard50_571737c41.qxd 7/2/04 9:22 PM Page 291Technique 41: Keeping an Eye on Your System292 Figure 41-1: The Kernel Startup Log file.You may have more log files or fewer (and someof the log files may be empty). Use the scrollbars to scan the displayed log file or use theFilter feature to find specific messages.Follow these steps to use the Filter tool:1. Enter the keywords in the Filter For field andclick the Filter button.Only those lines that include the keywords aredisplayed, as shown in Figure 41-2. Figure 41-2: A filtered result set.Keeping an Eye on theSystem LogsLog files contain information about the activities onyour system. Information about various systemprocesses is recorded into log files. The informationin your log files can provide handy clues whenthings go wrong.System logs contain a ton of information, but theycan be a bit clunky to use. The system log viewer is agreat tool to access your information quickly andconveniently, without the clunk.Graphical system log viewers are included in mostLinux distributions, and include handy search featuresand customizable warnings and alerts. The defaultlog viewers included with Fedora and Mandrake arevery similar weve grouped the instructions fortheir tools together in the next section, Viewing andfiltering log files with Fedora and Mandrake. The logviewer included with SuSE is a bit more primitive,but it still renders a lot of insight into the activity onyour system. You can find instructions for using theSuSE default log viewer later in this technique in thesection, Viewing your log files from SuSE.Viewing and filtering log files withFedora and MandrakeIf youre using Fedora or Mandrake, and want to seewhats going on in your log files with the System Logviewer, follow these steps:1. If youre using Fedora, open the Main Menuand choose System ToolsSystem Logs. OnMandrake, open the Main Menu and chooseSystem MonitoringSystem Log.2. Enter the superuser password (if prompted todo so).The System Logs window opens. The left paneldisplays a list of log names.3. Select a log file to view details of the log in thewindow on the right, as shown in Figure 41-1.50_571737c41.qxd 7/2/04 9:22 PM Page 292Keeping an Eye on the System Logs 293Unfortunately, the Filter tool is case-sensitive;error and Error are two different words as faras the viewer is concerned.2. To show the complete log file again, click theReset button.Adding and deleting log files from the viewerThe log viewer lets you keep your most commonlyviewed log files ready and waiting for you. You canadd more log files to the display or remove log filesthat youre not interested in. The log viewer remem-bers your preferences from session to session. Tocustomize the set of log files displayed, follow thesesteps:1. Choose EditPreferences from the log viewersmenu bar.The Preferences dialog opens, as shown in Figure41-3. It has three tabs: Log Files, Alerts, andWarnings. Figure 41-3: The Preferences dialog.2. If you want, set the refresh rate on the LogFiles tab.The refresh rate determines how often the viewerrereads the log files to display new messages. Thedefault refresh rate is every 30 seconds; use thecontrols next to the field to adjust it.Pressing Ctrl-R refreshes the logs immediatelyfrom any display in the System Log viewer.3. To add a log file, click the Add button on theLog Files tab.The New Location dialog appears, as shown inFigure 41-4. Figure 41-4: Add a new log file with the New Locationdialog.4. Fill in the dialog and then click OK to add anexisting log to the list.The System Log viewer is a viewer only; the logfile must exist for it to show up in the viewer.5. To change the pathname for a log file thats cur-rently in the list, highlight the logs filenameand click Edit.Youll rarely need to change the pathname for anexisting log file unless youve changed the toolthat creates the log.The Log File Locations dialog opens, as shownin Figure 41-5.6. Use the Browse button to find the log file (orjust type in the name if you know it) and thenclick OK to save your new location.50_571737c41.qxd 7/2/04 9:22 PM Page 293Technique 41: Keeping an Eye on Your System294any of the words listed on the Warnings tab (seeFigure 41-7), it displays a warning icon (a yellowtriangle with an ! in it) next to the message. Figure 41-6: The Alerts keyword list. Figure 41-7: The Warnings keyword list.If you want to delete a log file from the viewerslist, select the file and click the Delete button. Thisdoesnt actually delete the log file; it just removesthe log file from the list of log files you see in theviewer. Figure 41-5: The Log File Locations editor.Setting up alerts and warningsWhen youre browsing through a long log file (andlog files can get very long), its easy to miss impor-tant information amidst all of the trivia. The logviewer can search for keywords in a log file and high-light any entries that contain those keywords. Bydefault, the log viewer will search for words likefail, denied, and error and display a bright redstop sign when it finds one (the red stop sign iscalled an alert). More innocuous words like warn-ing are flagged with a yellow triangle (the yellow tri-angle is a warning). You can adjust the alert andwarning keywords to fit your preferences.To set up alerts, choose FilePreferences in the logviewer. Then click the Alerts tab to open a dialogwith a list of keywords, as shown in Figure 41-6.Whenever the log viewer sees a message that con-tains one of the words listed, it displays an alert icon(a red stop sign, with an x in it) next to the message.Use the Add and Delete buttons to customize thekeyword list.To set up warnings, choose FilePreferences inthe System Log viewer and then select the Warningstab. If the log viewer sees a message that contains50_571737c41.qxd 7/2/04 9:22 PM Page 294Keeping an Eye on the System Logs 295Use the Add and Delete buttons to customize theWarnings keyword list. The alert and warning iconsmake problems easy to spot in a crowded log file.Viewing your log files from SuSEThe default log viewer included with SuSE (GNOMESystem Log Viewer) doesnt have as many bells andwhistles as the Fedora and Mandrake versions do,but you can still save time while gleaning informa-tion from your log files with its help. To monitoryour log files from SuSE Linux, follow these steps:1. Open the Main Menu and choose SystemMonitorSystem Log. The GNOME System Log Viewer opens, display-ing the contents of the /var/log/messages file(see Figure 41-8). Figure 41-8: The GNOME System Log Viewer.Use the arrow to the left of the date to open andclose the tree control and display the entries forthat day.2. Double-click an item to open a detailed view ofthe log entry (see Figure 41-9). Figure 41-9: Details of a log entry.Monitoring your log files from SuSEYou can also use the System Log Viewer to monitorthe activity in a log file. To monitor the activity in alog file, follow these steps:1. Choose FileMonitor.The Monitor Options dialog opens (seeFigure 41-10). Figure 41-10: The Monitor Options dialog.2. Highlight a log file in the left panel and clickthe Add button.The log file is moved to the right panel (seeFigure 41-11).50_571737c41.qxd 7/2/04 9:22 PM Page 295Technique 41: Keeping an Eye on Your System296 Facility: The facility tells you which subsystemproduced the message. Table 41-1 shows some ofthe facilities recognized by Linux. Severity: The severity (the syslog documenta-tion calls it a priority) tells you how importantthe message is. Table 41-2 lists the severitycodes defined by Linux. Message text: The message text tells you aboutan event detected by the facility.Most log messages are simply discarded withoutanyone actually seeing them, but you can customizelog handling by adjusting the /etc/syslog.conf con-figuration file. You can route messages generated bya given facility to a separate log file (for easier view-ing) or tell syslogd not to throw out messages thatyou might want to see.Each entry in syslog.conf is made up of three parts:a facility code, a severity code, and a target. Thefacility code and severity code are used to classifyincoming messages, and the target tells syslogdwhat do with matching messages. For example, sup-pose you have an entry like this:mail.error /var/log/maillogsyslogd will route error messages generated by themail facility to a file named /var/log/maillog.Actually, that entry will route error messages and allmessages with a higher severity (crit, alert, andpanic) to /var/log/maillog. If you want to route onlythe error messages, put an equal sign in front of theseverity, like this:mail.=error /var/log/maillogIf you peek at your own syslog.conf file, youll prob-ably see a few wildcards, too. You can use a * oneither side of the dot that separates the facility andseverity: To select all mail messages, regardless of sever-ity (for example), type in an entry like this:mail.* /var/log/maillog Figure 41-11: Adding a log file to the list of currentlymonitored logs.3. Click the OK button to open a monitor dialogfor that log file. The Monitoring Logs dialog opens, as shown inFigure 41-12. Figure 41-12: Current log activity displayed by the LogMonitor.Take a quick trip back in time to view the logentries recorded on a prior date by choosingViewCalendar to open the Calendar dialog.Log files exist for the dates displayed in boldtext click the date to see the log file for thatdate.Customizing Your Log FilesMost log files are recorded by the syslogd daemon.When an application (such as an e-mail relay or alogin program) wants to record a log message, itsends the message to syslogd, and syslogd decideswhat to do with it. Every log message is comprisedof three parts:50_571737c41.qxd 7/2/04 9:22 PM Page 296Customizing Your Log Files 297 To select every critical message, regardless ofthe facility that produced it, use an entry likethis:*.crit /var/log/seriousIts not a good idea to use a wildcard on bothsides of the period because that would selectall facilities and all severities.The first two pieces of a syslog.conf entry (the facil-ity code and the severity code) decide which mes-sages are routed by that entry. The last piece (thetarget) decides what happens to those messages.Most syslog messages are either discarded orrecorded in a log file, but you can also route mes-sages to other destinations. The first character ofthe target tells syslogd whether to send messages toa file, a named pipe, another computer, or a list ofusers. The following list explains what the differentcharacters accomplish: /: If the first character of the target is a /, thetarget is a filename (or the name of a terminaldevice). @: If the first character is @, the target is a hostname (selected messages are routed to thesyslog daemon on the named computer). |: You can route messages to another programby creating a named pipe and prefixing the nameof the pipe with a |. *: Route selected messages to a group of one ormore users by listing the users (separated bycommas), or route messages to all users cur-rently logged in by specifying a target of *. To summarize, here are a few sample syslog.confentries that show you how to specify messagetargets: *.crit /var/log/serious: Writes critical mes-sages to /var/log/serious *.crit /dev/console: Displays critical mes-sages on the console *.crit @bastille: Sends critical messages tothe syslogd daemon on host bastille *.crit |/var/log/messages: Writes criticalmessages to the named pipe /var/log/messages *.crit freddie,franklin: Sends critical mes-sages to users freddie and franklin (if theyrelogged in) *.crit *: Sends critical messages to all usersTABLE 41-1: SYSLOG FACILITIESFacility DescriptionAuthpriv Security and authorizationmessages (you can also spellthis facility Auth)Cron Messages sent by the taskschedulers (cron, at, anacron,and so on)Daemon Messages sent by daemonprocesses (also known asservices)FTP Messages sent by the FTP serverKern Messages sent by the LinuxkernelLpr Messages sent by the printingsubsystemMail Mail-processing messagesNews Usenet news-processingmessagesSyslog Messages sent by the syslogfacility itselfUser Generic messages not falling intoanother categoryUUCP UUCP messages (youll probablynever see UUCP messagesthough)Local0-Local7 User-definable messages (sort ofuser-definable anyway)50_571737c41.qxd 7/2/04 9:22 PM Page 297Technique 41: Keeping an Eye on Your System298If youre using GNOME, KDE System Guardisnt available. Instead, GNOME includes amuch simpler tool called System Monitor. Torun System Monitor, open the Main Menuand choose System ToolsSystem Monitor.Finding and killing runaway processesKDE System Guard makes managing processes easy.Heres how to get started:1. To start KDE System Guard in Fedora, open theMain Menu and choose System ToolsMoreSystem ToolsKDE System Guard.If youre using Mandrake, open the Main Menuand choose SystemMonitoringKDE SystemGuard. From SuSE, open the Main Menu and chooseSystemMonitorKDE System Guard.The KDE System Guard window appears, asshown in Figure 41-13. Figure 41-13: The KDE System Guard main window.2. Click the Process Table tab see a list of theprocesses running on your system and some oftheir more important properties.By default, you see all processes currentlyrunning on your system, but you can limitThe severity component indicates the importance ofthe message. Linux supports the severities shown inTable 41-2.TABLE 41-2: SYSLOG SEVERITIESSeverity DescriptionPanic (or Emerg) Serious problems break outthe fire extinguisher.Alert Somethings about to go wrongunless you do something tostop it.Crit Critical condition encountered(something like out of diskspace or out of memory).Error An error has occurred.Warning Something went wrong, but youcan continue to do whatever youwere doing.Notice Things are okay, but heressomething you might like toknow.Info Things are okay, but youprobably wont be interestedin this.Debug Debug messages intended forpropeller-heads.Keeping an Eye on Resourceswith KDE System GuardKDE System Guard is a customizable system monitorcapable of monitoring not only your local system,but remote systems as well. The information dis-plays in several easy-to-read formats that make it asnap to see where your performance bottlenecksare. KDE System Guard includes a task manager thattells you with a quick glance whos using systemresources. It also gives you easy click-and-kill accessto runaway processes.50_571737c41.qxd 7/2/04 9:22 PM Page 298Keeping an Eye on Resources with KDE System Guard 299the processes with the drop-down list box atthe bottom of the screen (see Figure 41-14). Figure 41-14: The process selection drop-down list box.3. Choose one of the four options in the drop-down list box to limit the view: All Processes shows all processes currentlyrunning on the system. System Processes shows all processes thatare currently running that are owned byroot processes like services and watchdogprograms. User Processes shows all processes that areowned by any user on the system. Own Processes shows the processes that areowned by the user logged in and running KDESystem Guard.4. Click the Refresh button to update the selectedworksheet.By default, the worksheet updates every two sec-onds, but you can change the update interval bychoosing EditWork Sheet Properties from themenu bar. The Worksheet Properties dialogopens (see Figure 41-15). To change the updateinterval, just use the spin control or type in anew number, and then click OK. Figure 41-15: The Worksheet Properties dialog.5. If you see a runaway process, highlight theprocess name in the list and click Kill to stopthe process.A confirmation dialog appears so you can changeyour mind (see Figure 41-16). Figure 41-16: Confirmation of a process kill.6. Click the Kill button in the warning dialog tostop the process.In a second or two, the process table updates,and youll see that the victim process is gone.7. Back in the Process Table tab, check the Treebox to display the parent-child relationshipsamong processes.If you have multiple copies of the same pro-gram running, use the tree format to tell thechild processes apart. 50_571737c41.qxd 7/2/04 9:22 PM Page 299Technique 41: Keeping an Eye on Your System300measures the amount of juice left in your battery(assuming that youre running Linux on a laptop)and the Load Average sensors measure the over-all system load for that past minute, five minutes,or 15 minutes (depending on which Load Averagesensor you choose). Figure 41-17: The System Load worksheet.3. In the Worksheet Properties dialog thatappears, add rows or columns to create emptyslots in the worksheet for the sensors (seeFigure 41-18). Then click OK to close the dialog. Figure 41-18: Add sensors to new fields.Prioritizing processes to smooth a network bottleneckYou can make users play nice by renicing theprocesses that arent quite as important as others.(Each process has a nice value that controls its pri-ority in relation to other processes.) To change aprograms priority, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Type ksysguard at the command line to openSystem Guard.3. Right-click on a process name in the list, andchoose Renice Process from the pop-up menu. 4. Use the bar control to raise or lower the processpriority and click OK to confirm the change.In a system with cramped resources, loweringprocess priorities can give you a short-termsolution to a performance bind. In the long-run, youll probably want to upgrade your sys-tem because lowering someones priority is agood way to make enemies (if they figure outwho did it).Watching your system loadKDE System Guard comes with a built-in worksheetthat displays the current system load in an easy-to-understand format. With a quick look, you can see agraph showing CPU Load, Physical Memory, LoadAverage, and Swap Memory. To use the System Loadtool, follow these steps:1. In the KDE System Guard window, choose theSystem Load tab to open the system monitors,shown in Figure 41-17.2. You can add sensors to this display by choosingEditWork Sheet Properties.Each sensor monitors some aspect of your sys-tem. For example, the Battery Charge sensor50_571737c41.qxd 7/2/04 9:22 PM Page 300Keeping an Eye on Resources with KDE System Guard 3014. Expand the tree control in the Sensor Browserpanel on the left to see the list of availablesensors.5. To add a sensor, drag the sensor name from thetree and drop it on a Drop Sensor Here label(in the worksheet).A pop-up menu appears showing the sensor dis-play options, as shown in Figure 41-19. Figure 41-19: Sensor display options.The sensor types are as follows: Signal Plotter: This is the default display typefor the System Load window. Multimeter: This is a large digital display. BarGraph: Drag multiple sensors into onewindow to show value comparisons. SensorLogger: Create custom logs for yoursystem resources.6. Choose a sensor type from the pop-up menu.The new sensor is added to the display grid.7. To change the properties of a sensor, right-clickon the sensor and choose Properties from thepop-up menu.Popup menuThe Settings window appears, as shown in Figure41-20. The Settings window varies with the sen-sor type. A quick look through the tabs will helpyou decide on the customizations youd like foryour display. Figure 41-20: The Settings window for a Signal Plottersensor type.A few sensors can display the status of multi-ple objects in table form. For example, thePartition UsageTable Sensor displays the freespace available on all disk partitions. Thats ahandy way to view a group of resources quickly.After you set up the sensors and preferences youneed, you can monitor your system for perform-ance or resource bottlenecks.Creating a new worksheetIf youd like to create a new worksheet instead ofrevamping the System Load page, or if you want tocreate multiple worksheets to display the varioussystem attributes, its easy to do with KDE SystemGuard. Heres how:1. Click the New icon on the toolbar.The Worksheet Properties dialog opens. 50_571737c41.qxd 7/2/04 9:22 PM Page 301Technique 41: Keeping an Eye on Your System302Throughout the day, watch the sensors that we men-tion and see how they change as your system loadchanges throughout the day. Watching how the sen-sors vary will help you identify resource bottlenecks.For example, if Disk Throughput is very high butCPU Load is low, you know that your computer isspending a lot of time waiting for the disk drive (andyou may want to invest in some more drives to sharethe load).As you add each sensor, heres how to spot thebottlenecks:1. Choose the Sensor Logger type from the pop-upmenu. The Sensor Logger dialog opens, as shown inFigure 41-21. Figure 41-21: The Sensor Logger dialog.2. Complete the Sensor Logger dialog for eachsensor: Enter the name of the file that you want tocontain the sensor log.2. Enter the number of rows and columns youwant in the new worksheet and then click OK.Your new worksheet is created, ready for newsensors.Drag multiple sensors onto a bar graph displayto compare sensor values.KDE System Guard has a few resizing issues. Ifa worksheet gets too full (or contains toomany sensors), it likes to delete titles and/orhide the sensor browser selector. Its nothingpersonal it does that to everyone.Creating system resource logsYou can use KDE System Guard to create systemresource logs to your custom specifications. If thesystem seems slow at 1:00 p.m., when your userscome back from lunch, you can create a customresource log to help confirm your suspicions andtrack down the bottlenecks.To create a custom resource log, follow these steps:1. Click the New icon on the toolbar to create anew worksheet.The Worksheet Properties dialog opens.2. Enter a title for the worksheet and click OK.A blank worksheet appears, ready for the newsensors.3. Drag sensors onto the worksheet.Here are some sensors you may want to includein a system usage log: Free Physical Memory Free Swap Memory CPU Load Disk Throughput50_571737c41.qxd 7/2/04 9:22 PM Page 302Keeping an Eye on Resources with KDE System Guard 303 If youd like the log to alert you to extremedrops in resources, check the Enable Alarmbox in the Alarm for Minimum Value frameand enter a Lower Limit value in the activatedfield. If you want the log to alert you to extremespikes in resource usage, check the EnableAlarm box in the Alarm for Maximum Valueframe, and enter an Upper Limit value in theactivated field.3. When you suspect a system slowdown, right-click on each sensor and choose Start Loggingto start the log files.Keep an eye on your sensor logs. They can getreally huge really fast (and eat up theresources youre trying to preserve)!4. When you suspect the system is returning tonormal, right-click on the sensor and chooseStop Logging to stop the logs.Most log files are written to the /var/logdirectory, but if you havent started KDESystem Guard with superuser privileges, besure to write the logs to a file you have theprivileges to create.If youve told System Guard to alert you whenextreme values are reached, the worksheet changesthe sensor name to red and notifies you based uponthe settings in your Control Center. To customizeyour notification settings for KDE System Guard, fol-low these steps:1. Open the Main Menu and choose ControlCenter.2. Expand the Sound and Multimedia entry in theIndex tree control.3. Click System Notifications.4. From the drop-down list at the top of thescreen, choose KDE System Guard. The System Notifications window opens, asshown in Figure 41-22. Use this dialog to cus-tomize system notifications for KDE SystemGuard and other tools on your system. Severaloptions for alert customization are available.Experiment to find a combination that will helpyou get your work done, but not drive you nutswith whistles, klaxons, and pop-ups.5. After you finish changing the SystemNotifications, click Apply and then close theControl Center. Figure 41-22: The System Notifications window.Displaying network resourcesOne really cool feature of KDE System Guard is itsability to monitor resources on other computers.System Guard supports a number of methods forestablishing a remote connection, but the quickest(and most foolproof) is to use SSH.Follow these steps to add sensors for anothercomputer:1. Click the Connect Host icon on the toolbar(the icon looks like a plug and socket, pluggedtogether).The Connect Host dialog opens, as shown inFigure 41-23.50_571737c41.qxd 7/2/04 9:22 PM Page 303Technique 41: Keeping an Eye on Your System304 Figure 41-24: System comparison worksheet Kagaversus Kobe.This is a great way to monitor network load and diskspace. Set up signal-plotter graphs for each resourceor use bar graphs to compare resources.Create a bar graph by dragging the sameresources from each machine on a networkinto a single sensor frame to compare resourceusage on the fly. Its easy to spot at a glancewhich system has resources to spare andwhich system needs help.Taking the time to explore KDE System Guard canreally add to your productivity levels. Its a greattimesaving tool that gives you the information in justabout any configuration you could want. Figure 41-23: The Connect Host dialog.2. Enter a host name in the Host field, or choose ahost from the drop-down list.3. The ssh option button is chosen by default. Ifyou dont have an ssh connection to the othermachine, click the Help button for informationabout other connection types.Better yet, see Technique 33 for help settingup an SSH connection. ssh is easy to use andyour best bet.4. Click OK.If youve configured public-key authentication forthe remote host (see Technique 33), the com-puter name appears in the sensor list. If not, youhave to enter a user name and password beforethe remote computer appears. Now you can cre-ate comparison worksheets showing computeragainst computer, as shown in Figure 41-24.50_571737c41.qxd 7/2/04 9:22 PM Page 304Part VIIIServing Up the Internetand More51_571737p08.qxd 7/6/04 2:19 PM Page 30551_571737p08.qxd 7/6/04 2:19 PM Page 30642 Keeping an ApacheServer in Top FormThe Apache Web server is without a doubt the most popular Webserver today. Its easy to use, and its powerful. You can use Apacheto serve up data to users on your own network or to locationsacross the Web. If your company is already bogged down with e-mail, using a Web servercan be a great way to publish information to users on your network. Youcan create company newsletters and change important information quicklyand easily with a WYSIWIG editor like OpenOffice.org. Users can easilybrowse to the companys local site to find out whats going on withoutyour making the information available for the whole world to see.If you do want to take your site public, you may or may not want to rentspace on someone elses host machine. Keeping a server up and runningon your local network is a great idea if your site requires a lot of monitor-ing and upkeep. With dynamic DNS, you keep just a name and IP addressregistered on someone elses server your data stays home where youcan take good care of it. Your IP address may change, but your host namenever will. If your IP address changes, you update the new address to thename server. When customers or associates search for you by nameacross the Internet, the name server relays the current IP address to themto complete the search. You save the high cost of machine rental onsomeone elses servers, and because your system is local, maintenanceis quick and easy.In this technique, we show you how to get your Apache server running atfull speed in no time. We also show you a few quick tools you can use topopulate and distribute your Web site and to keep it running in good con-dition. Serving up data is simple and quick with Apache. Setting Up Apache Quick!The Apache Web server is easy to install, but it has quite a few depend-encies (53!) that can really slow you down. The easiest (and quickest)way to install Apache is from disc (with your distributions installer) orby downloading and installing it with Synaptic. TechniqueSave Time By Using Synaptic or yourdistributions installer toresolve Apachesdependencies Using OpenOffice.orgWriter to set up a quickWeb page Using dynamic DNS tokeep your server at home,but make your data avail-able to the world Using the HTTPConfiguration tool tomake easy changes toyour Apache server52_571737c42.qxd 7/2/04 9:23 PM Page 307Technique 42: Keeping an Apache Server in Top Form308 Figure 42-1: Updating the Synaptic packages.5. Click the Find Next arrow (the right arrow just to the right of the Find field) to movethrough the matches that Synaptic finds andthen click the Install Latest Version buttonwhen you find the following packages:httpd-manualhttpdIf you already have either of these packagesinstalled on your system, the Install LatestVersion button will be labeled Update instead.Update your versions of Apache as long asyoure here. It only takes a minute.6. Click the Execute button (on the toolbar).A Summary dialog opens, as shown in Figure 42-2. 7. Click Proceed to start the download. A dialog opens, showing the progress as Synapticretrieves the package files. When the downloadcompletes, the installation begins. When Synaptic is finished with the installation,another dialog signals that the installation iscomplete (see Figure 42-3). 8. Close the dialog and Synaptic.Your installation of Apache and its dependenciesis complete!You can set up Apache by installing individualRPM packages with the rpm command, butthe process goes a lot faster with a tool likeSynaptic or the Fedora Package Manager.Resolving the dependencies manually canseem to take forever.Using Synaptic to download and install ApacheManually satisfying all the dependencies of a program like Apache can be a real pain and time-consuming. You have to round up and install eachRPM package before the next will allow you to con-tinue. Using a tool like Synaptic can save you a ton of time when you need to install a complex programwith many dependencies. Synaptic is the right tool for downloading orupdating any of the software on your system.Technique 19 is all about using Synaptic tokeep your software current. Check it out fordetails about downloading and installingSynaptic. Its a definite timesaver.If youve installed Synaptic on your system, a pain-free installation of Apache is just a few clicks away.To download and install Apache, follow these steps:1. Open a terminal window and enter thefollowing command:# synapticYoure prompted to enter the root password. 2. Enter the root password and click OK. Synaptic opens. 3. Click the Update button (on the toolbar). Synaptic connects to each repository andupdates the local index that tells Synaptic whichprograms are available (see Figure 42-1).4. Enter httpd in the Find field in the upper-rightcorner of the window. Synaptic finds the first package whose namestarts with httpd. 52_571737c42.qxd 7/2/04 9:23 PM Page 308Setting Up Apache Quick! 309 Figure 42-2: Synaptic, waiting to install new packages. Figure 42-3: The installation is complete.Installing Apache from discIf you have a set of installation discs for your Linuxdistribution, you can use the installer program (theFedora Package Manager, YAST, or Rpmdrake) toinstall Apache instead of downloading Apache fromthe Web. In this section, we show you how to installApache using the Fedora Package Manager. If youre running SuSE Linux, the procedure is similar use SystemYASTInstall and RemoveSoftware; choose the Selections filter and clickSimple Webserver. Mandrake users can installApache using Rpmdrake (Main MenuSystemConfigurationPackagingInstall Software).If you happen to have a copy of Red HatLinux Fedora For Dummies, by Jon maddogHall and Paul G. Sery (published by Wiley),you already have the Fedora distribution onDVD; you can install Apache from that DVD.Just insert the disc, enter the root passwordwhen prompted, and follow along.To install Apache from the Fedora install discs, fol-low these steps:1. Open the Main Menu and choose SystemSettingsAdd/Remove Applications. A dialog opens, prompting you for the rootpassword. 2. Enter the root password and click OK. A dialog opens and confirms that Fedora ischecking the system package status. ThePackage Management window opens.3. Scroll down to the Servers section and checkthe Web Server box (see Figure 42-4). If you plan on incorporating other programs(like PHP or PostgreSQL) into your Webserver, you can save time by adding themnow. Click the Details button to the right ofthe Web Server entry to view the packagecontents. Check the boxes next to any addi-tional packages youd like to add. When yourefinished, click the Close button to return to thePackage Management window.52_571737c42.qxd 7/2/04 9:23 PM Page 309Technique 42: Keeping an Apache Server in Top Form310To start the Apache Web server on a Fedora system,you need to start the httpd service. To start theservice, follow these steps:1. Open the Main Menu and choose SystemSettingsServer SettingsServices. A dialog opens, prompting you for the rootpassword. 2. Enter the password and click OK. The Service Configuration window opens, asshown in Figure 42-5. Figure 42-5: The Service Configuration window.3. Use the scroll bar to scroll down through thelist of services, and check the box next to httpdwhen you find it. The Status frame shows that the httpd service isstopped. 4. Click the Start button on the toolbar.An Information pop-up informs you that httpdstarted successfully (see Figure 42-6). 5. Click OK to close the pop-up. 6. Click the Save button in the ServiceConfiguration window and then close thewindow. Your Apache Web server is up and running! Figure 42-4: The Package Management window.4. Click Update.A dialog opens confirming that the system prepa-ration is completed. 5. Click the Continue button. A dialog opens, confirming that your system isbeing updated. 6. Click Continue, and when prompted, insert theFedora disc and click OK.The last few steps may vary a bit dependingon which disc images youre using. Just followalong and click the Package Manager is easyto get along with.When the system updates are complete, a windowopens confirming the successful installation. Now,you need to start the service, which we explain indetail in the next section.Starting the Apache ServiceThe Apache Web server is a daemon it lurks in thebackground, waiting for inquiries from browsers thatjust happen to come looking for you on TCP port 80. 52_571737c42.qxd 7/2/04 9:23 PM Page 310Starting the Apache Service 311 Figure 42-6: The httpd service is Apache.If youre running SuSE, you can use YaST to start theApache Web server by following these steps:1. Open the Main Menu and choose SystemYaST.2. If youre not logged in as the superuser, SuSEprompts you for the root password. Type in theroot password and click OK.3. Click Network Services, and then click HTTPServer.4. When the HTTP Server Configuration windowappears, click Enabled and then Finish.After a short delay, your Apache Web server isready to serve browser requests.If youre a Mandrake user, follow these steps to startthe Apache Web server using the Mandrake ControlCenter:1. Open the Main Menu and choose SystemConfigurationConfigure Your Computer.2. If youre not logged in as the superuser,Mandrake prompts you for the root password.Type in the root password and click OK.3. Choose SystemServices.4. Use the scroll bar to scroll down through thelist of services, and select the On Boot checkbox next to httpd. 5. Click the Start button (next to httpd).The Apache Web servers starts. 6. Click OK, and then close the Mandrake Controlcenter.The Apache Web server is up and running andwill automatically start each time you rebootyour Mandrake computer.To check the installation and service status of yournew Apache Web server, open a Web browser andsurf to http://127.0.0.1. Your browser displays theApache Server Test Page, shown in Figure 42-7. Figure 42-7: The Test Page for Apache Installation.At this point, youre ready to serve up Web contentto machines on your local network. Apache is aquick way to distribute a company newsletter orshare other in-house information. In the next sec-tion, we show you how to create simple Web contentwith OpenOffice.To make your server accessible to your com-pany or network, but not vulnerable to theoutside world, allow traffic from port 80 atyour local interface, but disallow traffic on port80 from the outside world. See Technique 34for helpful ideas about using Webmin to setup a functional firewall.52_571737c42.qxd 7/2/04 9:23 PM Page 311Technique 42: Keeping an Apache Server in Top Form3124. When youre finished creating your openingWeb page, choose FileSave As from themenu bar. If youre running Fedora or Mandrake Linux, saveyour file as/var/www/html/index.htmlIf youre running SuSE, save your file as /srv/www/htdocs/index.html5. Use the scroll bar next to the File Type field tohighlight the HTML Document (OpenOffice,orgWriter)(.html;htm) option in the drop-down list.6. Click the Save button.Your new Web page is saved where your Apacheserver can find it.To check out your new network Web site, open yourbrowser and surf to http://127.0.0.1.Your new page is displayed; it should appear nearlyidentical to the document you created in Writer (seeFigure 42-8). Figure 42-8: Start your site quick with OpenOffice.org.For a top-notch tour of OpenOffice.org and acomplete rundown of its capabilities, look forOpenOffice.org For Dummies, by Gurdy Leete,Ellen Finkelstein, and Marty Leete (Wiley) atyour favorite online or local bookstore.If you want to serve up data to the rest of the world,you need an IP address and domain name moreabout that later.Building a Quick Web Pagewith OpenOffice.orgAfter you have a server up and running, you need toprovide some content for your users. A quick andeasy way to set up and maintain an internal newslet-ter is with OpenOffice.org. One of the great featuresof OpenOffice.org Writer is a WYSIWIG editor thatlets you create and save HTML documents in notime. Its also very affordable.If you havent already installed OpenOffice,you need to install it before you proceed withthe steps in this section. See Technique 17 ifyou need help installing software on yoursystem.To create a simple Web page with OpenOffice.orgWriter, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Enter the following command and press Enter:# oowriterOpenOffice.org Writer opens to a blank docu-ment, waiting for you to add content to your newWeb page.3. Add content to the Web page text, pictures,and any graphics you want to distribute.If you add graphics, dont forget to copy theminto place within the directory structure ofyour Web page so that Apache can find them.If you copy pictures into an OpenOffice.orgdocument that you later save to an HTML file,the pictures are added as links. The links arereplaced with images when the document isviewed in a browser.52_571737c42.qxd 7/2/04 9:23 PM Page 312Taking Your Site Public with Dynamic DNS 313To edit and update your page with the current newsof the day, just fire up OpenOffice.org Writer andopen your document. Make your changes and savethe file, and your local network site is automaticallyupdated.Taking Your Site Publicwith Dynamic DNSYou can make your Web site public by renting serverspace from an ISP or by obtaining your own domainname and hosting the site from your Apache server.When you rent machine space from an ISP, you paynot only for the room your data takes up, but alsofor the Web traffic to your site. If you have a smalland simple site with little traffic, thats not a prob-lem. If you have a large or complex site with a lot oftraffic, renting server space can get costly.You can save time and money by runninghigh-maintenance Web sites on local machines.If you use PHP to build your site or have livedatabase access from the site, keeping thedata where it can be updated easily is a realtimesaver. In order for others to find your Web site, you have tohave a host name, and the host name must be fullyqualified that is, your host name must include adomain name (something like www.example.com). Ifyour ISP is willing to assign you a fully qualified hostname, youre good to go. If not, dont despair youcan borrow someones domain name by usingdynamic DNS. Understanding how dynamic DNS worksWhen a user surfs to your spanking new Web site, hetypes a name (say www.example.com). His Web browserasks a name server to convert the site name into anIP address. His local name server defers the requestto a well-known name server somewhere on theInternet. Eventually, the name server chain locates aserver thats responsible for the example.com domain.That name server returns the IP address for host www(that is, host www within the example.com domain).A normal name server maintains a database thatconverts host names into IP addresses for the hostson the name servers local network. A dynamic DNSserver provides the same service (host name to IPaddress translation), but it lets you change the data-base. To use a dynamic DNS server, you send your IPaddress and desired host name to the server, and itagrees to give out your IP address whenever some-one asks for your fully qualified host name. Of course,the domain name that you get to use is owned by thedynamic DNS provider, but it gives you a permanent,fully qualified name that you can hand out to friendsand business partners (without purchasing a domainname for yourself).What happens if your Internet service providerchanges your IP address? Simple just update thedynamic DNS database.Setting up dynamic DNSTo use dynamic DNS, you first contact a company(often an ISP) that will register your site name. Youcan find quite a few free (and paid) dynamic DNSproviders online. Each service provider has its own how-tos forsetting up a dynamic DNS service. The basicsare pretty much the same, but read the FAQsfor each service online before registering anaccount with that service.One dynamic DNS service worthy of mention isDynDNS.org. Follow the simple how-to page atwww.dyndns.org/services/dyndns/howto.html to setup your dynamic DNS account in no time. Follow thelinks to do the following:1. Register for an account.Youll receive an e-mail confirming the accountregistration.52_571737c42.qxd 7/2/04 9:23 PM Page 313Technique 42: Keeping an Apache Server in Top Form314You can also update the host information manually byvisiting your account information at DynDNS. Chooseyour host from the list of hosts that you manage, andits server will detect your address. If your addresshas changed, click the Modify Host button to updatethe information. Be sensitive to the fact that updating your IPaddress when it hasnt changed will invoke theire of the good people at DynDNS. CompareIP addresses and update your account only ifthe IP address has changed. Otherwise, yourservice will be interrupted for abusing yourprivileges.Technique 45 is all about creating a self-signedSSL certificate for your Apache Web site.Check it out!Keeping Your Apache ServerUp-to-Date the Easy WayIf you run an Apache server for any length of time,youll probably find it needs a bit of tweaking. Youmay want to enable new features or add virtualhosts (whole new Web sites) to your servers. Youcan make those changes directly with a text editorand the Apache configuration file, but you can savetime by configuring your server with a good graphi-cal tool. Fedora Linux comes with a very friendly configura-tion tool that makes it easy to manage your Apacheserver: Its called the HTTP Configuration tool, andwe show you how to install and use it in this section.If youre using a distribution other than Fedora (say, Mandrake or SuSE), we recommend that youget familiar with Webmins Apache configurationmodule its not as friendly as Fedoras tool, butits better than editing configuration files by hand.See Technique 17 for more information aboutWebmin.2. Confirm the account registration to activate theaccount.3. Add host information for your computer: Choose a host name and an extension. Ourpersonal favorite has to be is-a-geek.com. The DynDNS service automatically detectsand fills in the IP Address field. Select the Wildcard check box if you wantyour name to be accessible from bothwww.sitename.dyndns.com andsitename.dyndns.com.4. Click the Add Host button, and youre done.If your Apache server is running and your firewall isallowing access through port 80, your Web siteshould be exposed to the Web.The exposure you get through the Web is alsoa liability. Build a good, sturdy firewall to pro-tect the rest of your system see Technique 34for more information about firewalls.Better yet, keep your site in a UML jail. VisitTechnique 58 for information about installingApache in a UML jail with ADIOS. Updating your IP addressDifferent ISPs have different policies about changingthe IP address of your local network. If youre con-nected to the Internet using a dial-up account, yourIP address changes each time you connect. Otherconnection types may assign you a semi-permanentIP address or change your address every few days. Ifyour ISP changes your IP address only when you logout, you need to update the dynamic DNS host infor-mation only when youve logged out and back inagain. If your IP address changes more often, youllprobably want to use a client program to monitor thechanges and update the host information for you.52_571737c42.qxd 7/2/04 9:23 PM Page 314Keeping Your Apache Server Up-to-Date the Easy Way 315Fedoras HTTP Configuration tool is an easy-to-use,graphical interface that allows you to access manyof the Apache configuration options with just a fewmouse clicks. For simple configuration changes, orcomplex virtual host setups, its great.Installing the Fedora HTTP Configuration toolThe Fedora HTTP Configuration tool is not installedby default with a standard Fedora installation, but itis included on the Fedora distribution media. So youcan have it up and running in no time.To install the HTTP Configuration tool, follow thesesteps:1. Open the terminal window and give yourselfsuperuser privileges with the su command.2. Mount your Fedora media and move into thedirectory containing the RPM packages.3. Enter the following command:# rpm -Uhv redhat-config-httpd-1.1.0-5.noarch.rpmWith a few whirrs and clicks, the packageinstalls.Putting the HTTP Configuration tool to workAfter you install the HTTP Configuration tool, itsready to use. Follow these steps to open the HTTPConfiguration tool:1. Open the Main Menu and choose SystemSettingsServer SettingsHTTP. A dialog opens, prompting you for the rootpassword. 2. Enter the password and click OK.The HTTP Configuration tool opens, as shown inFigure 42-9. Figure 42-9: The HTTP Configuration tool.The tool features four tabs, each controlling a differ-ent aspect of the Apache service: Main: The Main tab controls the basic setup ofthe server. Use this tab to specify the servername and the Webmasters e-mail address, andto add or change the IP address(es) that Apachelistens to. Click the Edit button to edit the IPaddress and port information (see Figure 42-10). Figure 42-10: Edit the address for your Apache server.If you have multiple network interface cardson your system, each card has a unique IPaddress (and, probably, a unique host name).Specify which card Apache should service byselecting the Address radio button and enter-ing the address of the preferred card. 52_571737c42.qxd 7/2/04 9:23 PM Page 315Technique 42: Keeping an Apache Server in Top Form316 Use the Environment Variables andDirectories menus for advanced managementof scripts and directories. Server: Choose the Server tab on the HTTPConfiguration tool to edit user and group owner-ship information and set the file locations for theprocess ID, lock file, and core dump directory. Performance Tuning: Choose the PerformanceTuning tab to set the number of connectionsallowed to the Apache server, and the connec-tion timeout information.The HTTP Configuration tool manipulates variablesin the Apache configuration file. You can edit theconfiguration file directly with your favorite editor,but if youre trying to keep life simple, the HTTPConfiguration tool is about as quick as it can get. The configuration file for your Apache serveris located at /etc/httpd/conf/httpd.conf.You need superuser privileges to makechanges to this file.We recommend that you make a copy of theconfiguration file before making any changesto the original. Its always good to have some-thing to fall back on. Virtual Hosts: Choose the Virtual Hosts tab toadd or edit information about virtual hosts resid-ing on your Apache server. Your Apache servercan host multiple Web sites. Each virtual Website has its own set of properties defining itsname, where its root directory resides, and secu-rity information for that site.Click Edit to open the Properties window forexisting hosts, or click Add to create additionalhosts. Click the General Options entry in the leftframe to open the Basic Setup menu. Use theBasic Setup menu to enter information aboutthe name and location of the Web site files, aswell as the Webmasters e-mail address. Use the Site Configuration menu to edit thedirectory name list and error pages that dis-play for the virtual host. Click the SSL entry in the left frame of theVirtual Host Properties window to edit the SSLcertificate information for the virtual host. Ifyou choose to enable SSL certification, enterthe location of the certificates on this menu. Use the Logging menu to control the transferlogs and error logs for the virtual host. Adding a reverse DNS lookup to the error logshows you who generates errors, but it alsoslows down your server. Gain a bit of speed bychanging the drop-down list to read NoReverse Lookup.52_571737c42.qxd 7/2/04 9:23 PM Page 31643 Keeping an Eye on Your ServersWhen you expose a server to others, you need to be able to moni-tor the server traffic and statistics. With good monitoring tools,you can find the slowdowns and tailor the servers responses toyour users needs.apachetop is a handy, open-source monitoring tool designed specificallyto return information about an Apache Web server. Its similar in natureto top, running at the command line, and it displays statistics about yourserver and the users who are visiting it. apachetop is easy to install anduse, and although it doesnt go all out with bells and whistles, it returns agood amount of information. You can use apachetop to monitor not onlythe visitors to your server, but also your server speed as it serves up theresources in its repertoire.The MySQL database server is a great tool by itself, but its even betterwith good monitoring and management tools. The MySQL Control Center(MySQLCC) is a graphical tool that lets you monitor, test, and repair thetables in your MySQL databases. You can also use the handy features ofthe Control Center to manage database users and supervise the databaseprocesses.If youre working with MySQL in a nongraphical environment, mtop is ahandy tool that gathers and displays information about the traffic onyour MySQL server. Its similar to top (and apachetop), and its a breezeto use. Installation is a bit of a chore, but dont worry we help youthrough that.This technique is all about using the tools to monitor and improve yourservers. Whether its an Apache server or a MySQL server, keeping trackof the vital statistics about its operation will let you make decisions thatmake your servers run faster and keep your users happy. TechniqueSave Time By Using apachetop to monitor your Apacheserver Using the MySQL ControlCenter to monitor andmaintain your MySQLserver Using mtop to audit yourMySQL statistics at thecommand line53_571737c43.qxd 7/2/04 9:24 PM Page 317Technique 43: Keeping an Eye on Your Servers318This command tells apachetop where to find theApache log file. (The Apache server distributedwith Fedora writes log files in an unusual location,so you have to tell apachetop how to find them.)configure checks out your system, looking forthe compilers and libraries it needs to properlybuild a working program.8. Compile the program with the followingcommand:# make9. Then copy the file into a useful place with thiscommand:# make installWith apachetop installed, youre ready to run theprogram and start putting it to use. See the fol-lowing sections for details.Running and exiting apachetopTo run apachetop, move to the /usr/local/sbindirectory and enter the following command:# ./apachetopapachetop opens, displaying a status window thatshows your server activity (see Figure 43-1). Figure 43-1: apachetop in action.When youre done using apachetop, just type q to quit,and apachetop returns you to the command line.Watching Your Web ServerTraffic with apachetopapachetop is a real-time monitor for the Apache Webserver. Its an open-source project, readily availableon the Web. Installation is quick, and its an easyprogram to use.With apachetop, you can see the host machine thatyour visitors are using, determine whether theycame by way of a search engine, and find out whatpages they visited while they were there.You can also use apachetop to see if your visi-tors are repeatedly asking for documents thatdont exist. You may want to rename your Webpages if the same page name is mistyped overand over.Installing apachetopTo download and install apachetop, follow these steps:1. Open a browser window and surf toclueful.shagged.org/apachetop2. Click the link to download the latest stablerelease. As of this writing, itsapachetop-0.11.tar.gz3. When the Download Manager opens, save thedownload to your home directory.4. Open a terminal window and give yourselfsuperuser privileges with the su command. 5. Unpack the tarball with this command:# tar -zxvf apachetop-0.11.tar.gz6. Move to the apachetop directory:# cd apachetop-0.117. Configure the package with the followingcommand:# ./configure --with-logfile=/etc/httpd/logs/access_log53_571737c43.qxd 7/2/04 9:24 PM Page 318Watching Your Web Server Traffic with apachetop 319Navigating apachetopThe top portion of the apachetop display (refer toFigure 43-1) shows the statistics for the server. Thelower portion of the display lists information aboutspecific HTTP requests. Here are some navigationtricks that help you find your way around apachetop: Use the up- and down-arrow keys to move theselection asterisk through the list of specificrequests. For more information about a specific request,move the cursor to the request line and pressthe right-arrow key. The request screen nowincludes the host and referrer IP addresses forthe visitor, as shown in Figure 43-2. Figure 43-2: Extended information about whos visitingyour server. To customize the information displayed about aspecific request from a user visiting your Apacheserver, type t to view the Toggle Subdisplaymenu. From here, type u to exclude URL information r to exclude or include referrer information h to exclude or include host informationWhen youre finished looking at detailed informa-tion about a specific request, use the left-arrowkey to return to the request list. You can sort the information in the request listby typing s to access the Sort By menu. Fromthis menu, you can choose from r to sort by the number of requests made R to sort by the number of requests persecond b to sort by the size of the request in bytes B to sort by the number of bytes per secondtransferredEnter #apachetop -h at the command line(or type ? while apachetop is running) to seeonline help.Switching among the log files (or watchingseveral at once)By default, Apache records activity in five differentlog files, which you can find in the /etc/httpd/logsdirectory: access_log error_log ssl_access_log ssl_error_log ssl_request_logAt configuration time, we told apachetop to watchthe access_log. To view entries in one of the otherlog files, use the following command:# apachetop -f /etc/httpd/logs/filenameYou can watch many log files at the same time byappending multiple -f logfile options to the end ofthe command line:# apachetop -f /etc/httpd/logs/access_log\-f /etc/httpd/logs/error_log \-f /etc/httpd/logs/ssl_access_log\-f /etc/httpd/logs/ssl_error_log53_571737c43.qxd 7/2/04 9:24 PM Page 319Technique 43: Keeping an Eye on Your Servers320Web site (www.mysql.com). The Control Center (likeMySQL) is dual-licensed see the MySQL Web sitefor licensing specifics.Downloading and installing the MySQL Control CenterTo download and install the MySQL Control Center,follow these steps:1. Open a browser and surf towww.mysql.com/downloads/mysqlcc.html2. Click the Pick a Mirror link for the Linux(x86, glibc 2.3) download.Its the second link in the Linux Downloads por-tion of the page. 3. When the Select a Mirror page opens, click anHTTP link from a mirror close to your location. 4. When the Download Manager opens, save thetarball to your home directory.Were telling you to download and installMySQLCC in your home directory for thesake of having a consistent point of referencefor this technique. You may want to save itelsewhere on your system. To make it easy torun (no matter where you install it), includethe directory in your search path so you canrun it without issuing the complete pathnameevery time. See Technique 7 to find out how.5. Open a terminal window, give yourself super-user privileges with the su command, andunpack the tarball with the following command:# tar -xzvf \mysqlcc-0.9.4-linux-glibc23.tar.gz6. Move into the mysqlcc-0.9.4-linux-glibc23directory:# cd mysql-0.9.4-linux-glibc23Thats it! MySQLCC doesnt come with any fancyinstallers; you just load the program onto yourcomputer and run it as we describe in the nextsection.Changing the display time of apachetop statisticsBy default, apachetop displays statistics for only theprevious 30 seconds. Unless you have a lot of trafficat your server, you may want to extend the displaytime to hold the information longer. You can customize the apachetop display toretain statistics about your server for a longeror shorter length of time, depending on yourneeds. If you have a lot of server traffic, short-ening the display time leaves you with easier-to-read reports. If your server traffic is low, alonger display time allows you to gather infor-mation over the course of hours for the sakeof comparison and easy monitoring.Use the following command to extend the displaytime to an hour (3600 seconds):# apachetop -T 3600The default refresh rate for the display is 5 seconds.If you have a lot of traffic and want the screen torefresh more often, use the following command:# apachetop -r 2Now, the screen refreshes every 2 seconds. Of course,you can combine display options on the commandline:# apachetop -r 2 -T 3600This command refreshes the statistics every 2 sec-onds and displays the request activities for the pre-vious hour.Monitoring MySQL Server withthe MySQL Control CenterOne cool tool for monitoring and maintaining yourMySQL databases in a graphical environment is theMySQL Control Center (MySQLCC). The MySQLControl Center is available from the official MySQL53_571737c43.qxd 7/2/04 9:24 PM Page 320Monitoring MySQL Server with the MySQL Control Center 321Accessing MySQL Control Center featuresAfter you install the MySQL Control Center, youreready to take advantage of its handy tools. Hereshow to get to them:1. Start the Control Center with the followingcommand:#./mysqlccThe MySQLCC window and the Register Serverdialog both open (see Figure 43-3). Figure 43-3: MySQLCCs opening view.2. On the General tab of the Register Server dia-log, enter the name of the computer in the HostName field. If you have multiple MySQL servers running(scattered around your network), you maywant to enter a server name thats meaningfulto you in the Name field to make the differentservers easy to distinguish.3. Click Add to display the session propertiesneatly in the Console Manager (see Figure 43-4). Figure 43-4: The Console Manager.4. Double-click a server name in the MySQLServers frame to expand the tree control anddisplay the controls for Databases, ServerAdministration, and User Administration. 5. Highlight any entry in the Server tree control(Databases, Server Administration, or UserAdministration) to display status informationabout that aspect of the MySQL server.The following sections have more details on eachof these controls.Viewing, managing, and repairing a databasewith the Databases controlsThe Databases controls enable you to view yourdatabase, and you also have tools for managing dataand fixing problems as well. MySQLCC is a complete MySQL client application.You can use MySQLCC to execute SQL commandsand queries, but its really designed to give youa quick overview of the state of your database.To view the statistics for databases, follow thesesteps:53_571737c43.qxd 7/2/04 9:24 PM Page 321Technique 43: Keeping an Eye on Your Servers322 Figure 43-6: A quick view of the fields within a table. Figure 43-7: Table data displayed with the Control Center.The Databases controls include some handy tools tohelp you manage and repair your MySQL database:1. Highlight Tables in the tree control and thenchoose ActionTools to open the drop-downmenu (see Figure 43-8).2. Choose an option from the Tools menu. Hereare your choices:1. Follow the steps in the section, AccessingMySQL Control Center features, earlier in thistechnique, to access the controls.2. Highlight the Databases entry, as shown inFigure 43-5. Figure 43-5: The Databases statistics.3. Click the tree control next to the Databasesfolder to display the databases on the server.4. Click the tree control next to the Tables entryto view the tables in the database. 5. Highlight a table name to view the fields withinthat table (see Figure 43-6).6. Double-click the table name to see the datawithin that table. The table data is displayed, as shown inFigure 43-7.You can adjust the number of rows displayed,but by default, MySQLCC displays the first1,000 rows. To adjust the default row limit,highlight the server (in the left-most pane),click the Edit button (in the toolbar), thenchoose MySQL Options and type a row countinto the limit field.53_571737c43.qxd 7/2/04 9:24 PM Page 322Monitoring MySQL Server with the MySQL Control Center 323 Analyze Table: This tool updates the data sta-tistics used by the MySQL optimizer. Run thiswhen youve made significant changes to thedata in your tables. Check Table: This tool checks the table forerrors. If you get an error message that youdont understand, run Check Table to look forpossible problems. Repair Table: This tool repairs the table.Choose this tool if Check Table reports anyerrors. Optimize Table: This tool reclaims free spaceand rebuilds indexes to increase performance. Show Create: This tool displays the CreateTable and Create Index statements that cre-ated the table. Figure 43-8: The tools included with MySQLCC.After you select the tool that you want to run, apop-up window opens, displaying the tables inyour database (see Figure 43-9).3. Choose the table you want the tool to act on andthen click the Action button (for the AnalyzeTable tool, its labeled Analyze, for the CheckTable tool, its labeled Check, and so on). Figure 43-9: Choose a table from the list.Its a good idea to analyze, check, and opti-mize your MySQL tables on a regular basis tokeep them in top form (database performancetends to degrade over time and the analyzeand optimize tools can give you a quick speedboost). If the Check Table tool reports anyerrors, use the Repair Table tool to correct theproblem.Putting the Server Administrationcontrols to workFollow these steps to begin working with the ServerAdministration controls:1. Follow the steps in the section, AccessingMySQL Control Center features, earlier in thistechnique, to find the Server Administrationcontrols.2. Double-click the Server Administration entryon the tree control to open the AdministrationPanel. The panel has three tab controls. Table 43-1gives you a quick look at what each tab has tooffer.53_571737c43.qxd 7/2/04 9:24 PM Page 323Technique 43: Keeping an Eye on Your Servers3242. Right-click User Administration and chooseNew User from the pop-up menu. The Add User dialog opens, as shown inFigure 43-11. Figure 43-11: The Add User dialog.3. Fill in the dialog and then click the Add buttonto add your new user. Figure 43-10: Live monitoring of activity on the MySQLserver.Adding a new userHeres how to add a new user with the MySQL ControlCenter:1. Follow the steps in the section, AccessingMySQL Control Center features, earlier in thistechnique, to get to the User Administrationcontrols.TABLE 43-1: USING THE MYSQL CONTROL CENTER SERVER ADMINISTRATION TOOLSTab What It Does Timesaving Bonus InfoProcess List Displays a list of the MySQL Click the clock icon at the right end of the toolbar to turn the auto-refresh client sessions option on and off. With auto-refresh on, the Process List tab displays the on-going activities on your server (see Figure 43-10). If a process in the ProcessList is running slow, you can use the MySQL Control Center to kill it off.Check the box in the ID column to the left of the session and chooseActionKill Process.Status Displays statistical The values shown in the Status tab give you a detailed look at how your information about the server MySQL server is being used. You can see the number of client connections,number of queries executed, as well as a count of how many times eachMySQL command has been executed since your server booted.Variables Displays configuration The Variables tab shows you each MySQL configuration parameter and its information for the server information for the servercurrent value.53_571737c43.qxd 7/2/04 9:24 PM Page 324Watching Your MySQL Traffic with mtop 325If you use MySQL, the MySQL Control Center is ahandy tool to add to your collection. Check it out!Watching Your MySQL Trafficwith mtopMySQLCC is a great monitoring tool if youre runningin a graphical environment, but if you keep yourservers and data in a non-GUI environment, use mtop.mtop is a handy command line tool that lets you watchyour database traffic and transactions. You can alsouse mtop to help find and debug slow queries.Graphical tools are available everywhere nowa-days, but you can save money and improveperformance by keeping your MySQL serversin a nongraphical environment. Gathering all the packages that mtop needsYou need a number of prerequisite packages to runmtop. Obviously, you need to be running MySQL. Youalso need the mysql-devel RPM package that goeswith the MySQL version youre running. Both areincluded on the Fedora and SuSE distributions andcan be added with either the Package Manager or asRPM packages from a distribution disc. If youre aMandrake user, youll have to find the mysql-develpackage on the Web.You need to download and install a few Perl modulesbefore you can install mtop. The easiest way to installPerl modules is to use the CPAN (Comprehensive PerlArchive Network) interface. CPAN retrieves Perl mod-ules and installs them on your system automatically.You need to have Internet access for themachine youre using CPAN with.To install Perl modules with CPAN, follow these steps:1. Open a terminal window, give yourself super-user privileges with the su command, and enterthe following command:# perl -MCPAN -e install DBI2. When youre asked if youre ready for manualconfiguration, type no and press Enter.CPAN continues to work, retrieving the Perl DBImodules. Depending on your system and connec-tion speed, this could take a few minutes.3. Enter the following command:# perl -MCPAN -e install DBD::mysqlIf you have trouble installing the DBD::mysqlmodule, be sure youve installed the mysql-devel RPM package. DBD::mysql wontinstall without it.4. Enter the following command:$ perl -MCPAN -e install Getopt::Long5. Enter this command:$ perl -MCPAN -e install Net::DomainThe last Perl module that you need is Curses. At thetime were writing this, the Curses module availablefrom CPAN fails to install on Fedora (and possiblyother distributions as well). To install Curses, followthese steps:1. Open a Web browser and surf tobastille-linux.org/perl-rpm-chart.html2. Click the most recent link to download perl-Curses (Text/Console). Currently, that version is for Red Hat 9; it worksfine with Fedora.3. Save the RPM package to your home directory.4. Open a terminal window and give yourselfsuperuser privileges with the su command. 5. Move to your home directory.6. Install the perl-Curses RPM package with thefollowing command:# rpm -Uhv perl-Curses-1.06-219.i586.rpmNow that the program dependencies are in place,youre ready to download and install mtop, asdescribed in the next section. 53_571737c43.qxd 7/2/04 9:24 PM Page 325Technique 43: Keeping an Eye on Your Servers326When you press Enter, the mtop display opens, showing the activity on your MySQL server (seeFigure 43-12). Figure 43-12: mtop monitoring a MySQL Server. Across the top of the display, you see the vital statis-tics on your MySQL server and its activity. The loadaverage, the length of time that the server has beenrunning, and performance indicators are all includedin the statistical information. Type ? while mtop is running to display a list of com-mand options. Here are some of the more usefuloptions: z: Type z and enter a process ID from theprocess list to zoom in on a process. e: Type e and enter a process ID from theprocess list to display the optimizer plan for thequery that is executing. s: Type s and enter the number of secondsbetween screen refreshing. u: Type u and enter a user name to display onlythe server transactions for the named user. q: Type q to quit.If a given query runs for a while, the color progressesfrom white to purple, yellow, and red to indicate thelength of time the query has run. You can use the kInstalling mtopTo install mtop, follow these steps:1. Open your favorite Web browser and navigate tosourceforge.net/projects/mtop/2. Scroll down and click the download link for themost recent mtop release. 3. When the download page opens, click the linkto download the most recent tarball. 4. On the mirror page, click the link for the down-load site nearest you.5. Save the file to your home directory. 6. Open a terminal window and give yourselfsuperuser privileges with the su command. 7. Extract the contents of the tarball with the fol-lowing command:# tar -xzvf mtop-0.6.4.tar.gz8. Move into the mtop directory:# cd mtop-0.6.49. Now youre ready to compile mtop. Enter thesecommands:# perl Makefile.PL# make# make installmtop is now installed in /usr/local/bin and isready to use!Monitoring trafficmtop is a MySQL client application so you must pro-vide a MySQL user name when you run mtop. To startmtop, use the following command:$ ./mtop --dbuser=rootYou can substitute any reasonably privilegeduser for root in our example.53_571737c43.qxd 7/2/04 9:24 PM Page 326Watching Your MySQL Traffic with mtop 327option to kill off unwanted or runaway processes.Type k, type the process ID, and press Enter to ter-minate the process (see Figure 43-13). If youre running MySQL servers in a non-graphical environment, mtop is a definite time-saver. Getting acquainted with its features canhelp you monitor and manage your serverwith just a few keystrokes. Enter $ ./mtop --help at the command lineto display a list of command line options touse at startup. Figure 43-13: mtop killing off an unwanted process. 53_571737c43.qxd 7/2/04 9:24 PM Page 327Save Time By Setting up replication onyour MySQL servers Backing up MySQL datawith mysqldump Using file system tools toback up MySQL data Taking care of businesswith MySQLAdministratorMaking a MySQLServer Your SQLServerMySQL is a fast, powerful, reliable, low-cost database thats distrib-uted with most Linux systems. You can use MySQL to store busi-ness records, baseball scores, user account information, networkconfigurations, and just about anything.MySQL is very flexible. One of the hallmarks of MySQL is that when itcomes to performance, you dont pay for features that you dont need.When you store data in a MySQL database, you can choose from a varietyof storage engines. If you dont need the extra reliability offered by securetransactions, you gain extra performance (and reduce multiuser con-tention) by using nontransactional tables. If the data that youre storingjust has to be right (maybe youre storing payroll information or cus-tomers credit card numbers), use InnoDB tables. They offer ACID (thatis, safe) transactions in exchange for a bit of performance.We dont have enough room to give you a complete overview of MySQL(we recommend Paul Duboiss wonderful book, MySQL [New Riders/Sams Publishing]), so we give you a few tips that can make MySQL yourdatabase. In this technique, we cover these topics: Installing MySQL the easy way. The MySQL team has turned a com-plex procedure into a simple two-step process. Pushing your data to remote offices (or just spreading a heavy userload across multiple servers) with MySQLs replication features. Keeping your data safe by archiving it with MySQL-specific tools orfile system backup tools. Using the up-and-coming tool MySQL Administrator. MySQLAdministrator is an enterprise-level control center written by theMySQL team. Its designed for MySQL version 4 (and above), but manyfeatures work with older servers. 44Technique54_571737c44.qxd 7/2/04 9:25 PM Page 328Building a MySQL Server 329The MySQL software is distributed under adual licensing scheme. If youre not redistribut-ing MySQL as part of a closed-source pack-age, you can use MySQL under the terms ofthe GNU General Public License. If you areredistributing MySQL as part of a proprietarysoftware package, or you want warranty sup-port from MySQL AB, you have to purchase alicense. Were not attorneys, so please see theMySQL Web site (www.mysql.com) for theofficial license policies.Building a MySQL ServerIf youve slogged through the installation instructionsat the MySQL Web site, youll be happy to know thatcreating a MySQL server on Linux is surprisinglyeasy. The MySQL team has followed all the instruc-tions on your behalf and wrapped everything up in atidy RPM package that does all the dirty work for you.Installing the necessary packagesTo create a MySQL server on your computer, useyour distributions installer to install the MySQLserver, MySQL client, and all necessary dependencies. If youre a Mandrake user, use Rpmdrake and selectServerDatabaseOtherMySQL. Rpmdrake auto-matically installs the MySQL client and a whole slewof dependencies for you. If youre a Fedora user, use Add/Remove Packagesand scroll down to the Servers section. Click theDetails link next to SQL Database Server and chooseMySQL-server. Fedora automatically resolves alldependencies and installs the MySQL client softwarefor you.SuSE fans should use YaST2 to install MySQL. Youllfind MySQL in ProductivityDatabasesServers. Like the Fedora and Mandrake installers, YaST2 will install the MySQL client software and anydependencies.Starting the MySQL serverBefore you can use MySQL, you need to start theMySQL server:1. Open the Main Menu and choose SystemServices (or, if youre using GNOME, chooseSystem SettingsServer SettingsServices).2. Enter the root password if prompted.3. Scroll through the list of services (in the left-most column) and find the service namedmysqld.4. Check the box to the left of mysqld and thenclick Save (on the toolbar).5. Click Start (also on the toolbar).A message appears confirming that the mysqldservice started successfully.6. Click OK and close the Service Configurationwindow.You must hold superuser privileges to start theMySQL server. Open a terminal window and giveyourself the required privileges with the su -command.To start the MySQL server on a Mandrake system,type in the following command:# /etc/init.d/mysql startOn a SuSE computer, use this command:# /usr/sbin/rcmysql startIf youre running Fedora, use the following command:# /etc/init.d/mysqld startMySQL is up and running. The first time you startthe MySQL server, it creates the server environmentand an empty database named test. The data files for your MySQL database arestored in the /var/lib/mysql directory.For convenience, we refer to that directoryas $MYSQL.54_571737c44.qxd 7/2/04 9:25 PM Page 329Technique 44: Making a MySQL Server Your SQL Server330system crash, or normal maintenance), a slavedatabase can take over. It improves the overall performance of yourdatabase. Create a replication slave on a sepa-rate computer, and youve spread the user loadonto two systems. MySQLs replication architec-ture makes it easy to configure as many slaveservers as you need. It improves availability while youre backingup your data. Because the slave servers containthe same data as the master, you can take a slaveoffline and archive the data from there instead offrom the master server.Configuring replication: The three topologiesDifferent database vendors offer different replicationtopologies (the topology of a replication systemdescribes which servers push data to other servers).MySQL supports three basic topologies: Single-master/single-slave Single-master/multiple-slave Single-master/chained-slavesThe single-master/single-slave topology is easiest to understand. One server acts as the replicationmaster. When you change a table in the master, themodification is pushed to another server, called thereplication slave. A single replication master can push data to multipleslave servers. Thats a single-master/multiple-slavetopology.A replication slave can push changes (which itreceives from the replication master) to another slave,resulting in a single-master/chained-slaves topology. Replication data always flows in one direction:from the master to the slave. The replicationmaster records all data modifications to abinary (that is, not human-readable) log file.When a replication slave connects to the mas-ter, it reads the log file and applies all thechanges to its own copy of the data. If you plan to use MySQL in your daily work,its a good idea to configure your system tostart the MySQL server each time you bootyour computer: See Technique 20 for thedetails. Just remember, the MySQL service isnamed mysql on SuSE and Mandrake sys-tems, and mysqld if youre running Fedora.After you start the server for the first time, create aMySQL password for the root user:1. Open a terminal window and give yourselfsuperuser privileges:$ su -Password: 2. Type in the following command (substitutingyour desired password for new-password):# mysqladmin -u root password new-passwordNow youre ready to use your MySQL server. Ifyoure already comfortable with MySQL, we give youa few more timesaving tips in the rest of this chapter.If not, its time to hit the books. You can find a widevariety of books on MySQL in your local book store(or at a bookseller online), but we happen to thinkthat MySQL [New Riders/Sams Publishing] by PaulDubois is one of the best.Replicating MySQL DataMySQL supports data replication. When you config-ure replication, MySQL automatically forwards datamodifications (INSERTs, UPDATEs, and DELETEs) fromone MySQL server to another. If you have a geo-graphically distributed organization, MySQL canautomatically push data from your central databaseout to your branch offices. Changes that you maketo the master database appear almost instantly ineach of the remote servers.Replication offers three important benefits: It improves the overall reliability of your data-base. If the master database becomes unavail-able for some reason (hardware problems, a54_571737c44.qxd 7/2/04 9:25 PM Page 330Replicating MySQL Data 331That means that you should never change thedata on a replication slave. If you do changedata on a slave, the master and slave serversget out of synch, and you may lose data. Whenyou create a slave, you start with a copy of thedata as it exists on the master.MySQL lets you choose which tables you want toreplicate (you dont have to replicate all the tables ina database). That means that a single server can actas both a master and a slave, as long as its a masterfor some tables and a slave for others.Setting up replication for a single slave and masterCreating a single-slave/single-master topology is easy,but you have to do a bit of work on both the masterand slave servers, as outlined in the following steps:1. Log in to your MySQL server on the replicationmaster:# mysqlWelcome to the MySQL monitor. Commandend with ; or \g.Your MySQL connection id is 5 to serverversion 3.23.58Type help; or \h for help. Type \c to clear the buffer.mysql>2. Create a new MySQL user account the repli-cation slave will log into the replication masterusing this account:mysql> GRANT FILE ON *.* TO repl_slaveIDENTIFIED BY repl_pass;Query OK, 0 rows affected (0.13 sec)3. Exit MySQL and shut down the server:mysql> quit# service mysqld stop4. Create a backup of all the databases that youwant to replicate:# cd /var/lib/mysql# ls mysql prod devel# tar -zcvf data.tgz prod develprod/prod/cust.frmprod/cust.MYIprod/cust.MYD...5. Copy the archive (data.tgz) to the replicationslave:# scp data.tgz slave:/tmp/data.tgztest.tgz 100% 108.0KB/s 00:056. Edit the /etc/my.cnf file and find the sectionthat starts with[mysqld]datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.sock7. Add the following lines to the end of that section:log-binserver-id = 18. Restart the master server:# service mysqld startOn the replication slave(s), follow these steps:1. Shut down the MySQL server:# service mysqld stop2. Edit the /etc/my.cnf file and find the sectionthat starts with[mysqld]datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.sock3. Add the following text to the end of that section:master-host = master-hostnamemaster-user = repl_slavemaster-password = repl_passserver-id = 24. Unpack the archive you made on the server:# cd /var/lib/mysql54_571737c44.qxd 7/2/04 9:25 PM Page 331Technique 44: Making a MySQL Server Your SQL Server332The mysqldump program creates an archive in theform of a series of SQL commands that will re-createthe data should you restore from the archive. Asmysqldump processes each table, it writes a CREATETABLE command to re-create the table and all indexesdefined for that table. Then it writes an INSERT com-mand for each row in the table.Listing 44-1 shows a snippet from a typical mysqldumparchive.LISTING 44-1: MYSQLDUMP ARCHIVE...---- Table structure for table `customer`--CREATE TABLE customer (id int(11) NOT NULL default 0,name varchar(40) default NULL,address varchar(40) default NULL,city varchar(40) default NULL,state varchar(20) default NULL,zip varchar(9) default NULL,PRIMARY KEY (id),KEY cc_name (name),KEY cc_city_state (city,state)) TYPE=MyISAM;---- Dumping data for table `customer`--INSERT INTO customer VALUES (1,TrixieWare,200 Snack Street,Beltsville,MD,25525);INSERT INTO customer VALUES (2,FranklinBooks,157 Literary Ave.,Seattle,WA,97745);...mysqldump backup optionsThe mysqldump command supports a variety of com-mand line options, many of which affect the formatof the data in the archive itself. One particularlyChoosing a Method to Back UpMySQL DataArchiving (or backing up) the data in a MySQL data-base can be a bit tricky. The archive method thatyou choose is primarily influenced by three factors: Database availability (hot-backup or shutdown) Table type (MyISAM, InnoDB, and so on) Archive sizeIf your database must be online 24/7, you must use ahot-backup technique. If you can afford to take yourMySQL server down for a while, you can use a file-system backup technique.If you can take your server offline, you can use normalfilesystem backup tools (like tar). If you need to use ahot-backup technique, you can use mysqlhotcopy ormysqldump. Or, for the ultimate in availability, use repli-cation to archive your data. We explain how each ofthese backup tools works in the sections that follow.Backing Up and Restoringwith mysqldumpTo back up a table using mysqldump, follow these steps:1. Open a terminal window.2. Execute the following command:$ mysqldump database > backup.sqlReplace database with the name of the databasethat you want to archive.3. Copy the resulting file (backup.sql) to CD (ortape) or move it to a different host to safeguardthe data.54_571737c44.qxd 7/2/04 9:25 PM Page 332Backing Up and Restoring with mysqldump 333handy option is --add-drop-table. This option tells mysqldump to include a DROP TABLE commandbefore each CREATE TABLE command. If you dont use--add-drop-table, the resulting script will fail iftablename already exists when you run the script(which is usually the case). You should also consider using the --all option. --all writes all the table options (character set,comment, row format, and so on) used when eachtable was originally created. If you dont use --all,youll lose all those table options if you restore froman archive script. Table 44-1 lists the mysqldumpoptions that affect the format of the resulting archive.Its a good idea to use the --opt option inmost scenarios. --opt produces an archivethat saves all data (even the extra tableoptions normally saved with the --all flag) ina form thats optimized for quick restores. The --complete-insert option is useful when yoususpect that you may restructure a table betweenthe time you create the archive and the time yourestore from that archive. Backing up multiple databasesTo archive all databases, add the --all-databasesoption to your command line when you create thearchive. Or you can archive a set of databases likethis:$ mysqldump --databases db1 db2 db3Compressing the archiveThe archive produced by mysqldump can getvery big very fast. Instead of storing the rawarchive on disc, you can compress the script thatmysqldump produces by using gzip or bzip2. Because mysqldump writes the script to its standardoutput stream, you can easily pipe the script into thestandard input stream of a compression tool, like this:$ mysqldump database | gzip > backup.sql.gz This command archives the given database, pipesthe resulting script to gzip, and saves the com-pressed script to backup.sql.gz.TABLE 44-1: MYSQLDUMP ARCHIVE OPTIONSOption Description--all Force mysqldump to archive all table options (TYPE, COMMENT, and so on).--complete-insert Include column names in every INSERT command.--extended-insert Insert multiple rows with a single INSERT command.--add-drop-table Insert a DROP TABLE command before each CREATE TABLE.--add-locks Lock each table for WRITE access before inserting new rows.--disable-keys Update indexes after all data has been inserted.--no-autocommit Restore each table in a single transaction.--no-create-db Dont write CREATE DATABASE commands to the script.--quote-names Quote all column and table names in the script. Use this option only if youve created atable (or column) whose name conflicts with a reserved keyword.--xml Produce the archive in the form of an XML document rather than an SQL script.--where=where-clause Only archive rows that satisfy the where-clause.--opt Optimize the archive for best restore performance.54_571737c44.qxd 7/2/04 9:25 PM Page 333Technique 44: Making a MySQL Server Your SQL Server334 customer.frm: Contains the metadata for thecustomer table (that is, the table, column, andindex definitions) customer.MYD: Contains the rows in the customertable customer.MYI: Contains the indexes defined forthe customer table (if any)You can back up an entire database by archiving thefiles in the database directory. For example, use thefollowing command to create a file system backup ofthe acctg database:$ tar -zcvf acctg.tgz /var/lib/mysql/acctgRemember to be safe and shut down your MySQLserver before you copy the table files.If you cant shut down your MySQL server on a regu-lar basis, you can still use file system archive tools,but you have to ensure that the tables that yourebacking up are not being modified at the time youarchive them.Making a mysqlhotcopyof Your DatabaseThe mysqlhotcopy program creates a copy of MyISAMtable files from a running server. When mysqlhotcopyarchives a table, it acquires a READ lock on the table,creates a copy of the tables data files, and thenreleases the READ lock. The READ lock preventsupdates but allows other users to read the table atthe same time. To back up the acctg database using mysqlhotcopy,use the following command:$ mysqlhotcopy acctgThe table files are copied to a directory named/var/lib/mysql/acct_copy. You can use a file systemarchive tool to back up the copy. Restoring a mysqldump archiveAfter youve created an archive with mysqldump, itseasy to restore your data if something goes wrong.Because mysqldump created an SQL script for you, allyou have to do to recover lost data is to run the script.For example, if youve created an archive namedbackup.sql, simply feed that script back into themysql client, like this:$ mysql database < backup.sqlNote that you must provide a database name if youarchived a single database. If you back up multiple databases in the samearchive file with the --all-databases option or the --databases option, you dont have to specify a data-base when you restore (the database names arestored in the archive).To restore from a compressed archive, use the zcatprogram to decompress the script and pipe the resultinto mysql:$ zcat backup.sql.gz | mysql databaseIf you normally back up your data to CD orDVD, see Technique 50 for a handy way tostream your MySQL archive directly onto a setof one or more discs.Backing Up with FileSystem ToolsIf you can afford to take your MySQL server offlineoccasionally, you can use normal Linux backup tools,such as tar and gzip. (See Technique 50 for informa-tion about using file system backup tools to archiveyour data.) MySQL tables are stored in normal file system datafiles. If you have a MyISAM table named customer (ina database named acctg), you see three customer-related files in /var/lib/mysql/acctg:54_571737c44.qxd 7/2/04 9:25 PM Page 334Taking Care of Business with MySQL Administrator 335The mysqlhotcopy utility copies only MyISAM tables,not InnoDB or BDB tables. Using mysqlhotcopy is lessintrusive than taking your database offline, but it canslow things down if youre backing up a busy data-base. (mysqlhotcopy has to wait for the READ lock onall tables before it proceeds and blocks all tablemodifications until it finishes.)Archiving a Replication SlaveAnother very useful alternative to mysqlhotcopy isreplication. When you replicate a database (or a tablewithin a database), the replication slave maintainsan exact copy of the data stored in the replicationmaster. To back up your data, simply shut down the slaveand use a file system backup tool to archive theslave database. While your slave database is offline,users can still read and modify the master. Thenwhen the slave comes back online, the replicationmechanism automatically applies any changes to theslave database. When you back up a replication slave,you must archive the $MYSQL/master.info and$MYSQL/relay-log.info files, too. Taking Care of Business withMySQL AdministratorMySQL Administrator is a graphical interface thathelps you manage your MySQL server. Its a veryyoung tool (in fact, its still in alpha-release land),complete with all the bugs you would expect from aprogram at this stage of maturity. It does show a tonof promise though, and its worth getting familiarwith. We think it has a great future as it grows anddevelops. The official voices at MySQL say that this toolwill not work well with the release-3 servers but only a few of the features dont work.Fedora is currently distributed with release-3servers but should be stepping up to release-4servers any day now. SuSE and Mandrake shipwith MySQL release 4.You can run release-4 MySQL servers on Fedora, buttheyre not standard issue. However, they shouldbecome standard equipment soon.This is alpha-release software. It seems prettystable, but it shouldnt be used in a productionenvironment yet (that is, with really, reallyimportant data). Its a good product to getfamiliar with though just keep lots of back-ups of any data dear to your heart or business.Installing MySQL AdministratorTo install MySQL Administrator, follow these steps: 1. Open a browser window and surf towww.mysql.com/downloads/2. Scroll down the page to the Graphical Clientssection and click the MySQL Administrator link.3. Scroll down the MySQL Administrator page andclick the Pick a Mirror link next to the Linuxdownload labeled Linux (x86, glibc 2.3,stripped).The nonstripped version contains debug infor-mation and other stuff you most likely dontneed, and it will just slow down the download.4. Scroll through the mirror sites to find a down-load location geographically near you. Clickthe HTTP link to start the download.5. Save the download to your home directory(or /tmp you wont need the tarball afteryouve installed it).6. Close the download manager and the browser.7. Open a terminal window and give yourselfsuperuser privileges with the su command.8. Unpack the tarball with the following command:# tar -C / -zxvf mysql-administrator-1.0.2b-alpha-linux-stripped.tar.gz54_571737c44.qxd 7/2/04 9:25 PM Page 335Technique 44: Making a MySQL Server Your SQL Server3363. Enter the connection information for yourMySQL server a user name, password,and host name and then click the Connectbutton.The MySQL Administrator window opens to theServer Information page, displaying informationabout the connection, the server version, andthe client (see Figure 44-2). Figure 44-2: The MySQL Administrator opening window.Exploring MySQL Administrators toolsThe panel on the left side of the MySQLAdministrator window contains menu names for thedifferent features that MySQL Administrator canhelp control. Highlight a menu name to view (andchange) a set of features. Heres an overview of thetools youll find: Service Control: Click Service Control in themenu panel to open the Service Control menu.From this menu, you can monitor the startup logmessages. You can also start and stop the serverby clicking the Stop the Server (or Start theServer) button. Startup Variables: Click Startup Variables tochange the configuration parameters for yourThe installation instructions on the MySQLAdministrator Web page are wrong at thetime were writing this. If youve downloadedversion 1.0.2b-alpha, use the preceding com-mand to install the program in the correctlocation.Starting MySQL AdministratorAfter you install MySQL Administrator, youre readyto start the program and begin using its tools. Tostart the program, follow these steps:1. Move to the directory containing the program:# cd /opt/mysql-administrator/bin2. Start the program with the following command:# ./mysql-administratorAdd /opt/mysql-administrator/bin to yourshells search $PATH, and youll be able to startthe program from anywhere on your systemwith just the program name. See Technique 7for details about updating $PATH.The MySQL Administrator connection dialogopens, as shown in Figure 44-1. Figure 44-1: The MySQL Administrator connectiondialog.54_571737c44.qxd 7/2/04 9:25 PM Page 336Taking Care of Business with MySQL Administrator 337MySQL server. The Startup Variables menu has aseries of tab controls that group the configura-tion parameters into manageable chunks, asshown in Figure 44-3. Figure 44-3: The Startup Variables menu.With the tabs on this menu, you can adjust manyconfiguration parameters, including the following: General Parameters: On this tab, check theDisable Networking box to restrict access toyour MySQL server to those clients on thesame machine as the server. Log Files: On this tab, click the Slow QueriesLog box to generate a log file that displaysslow queries. If you find that performance islagging, this tells you which queries are con-suming the most resources. Security: On this tab, check the Make AllTables Read-Only box for your replicationslave servers. You shouldnt modify replicatedtables from slave servers.Check out all the tabs and the options theyinclude to find new ways to customize and opti-mize your MySQL server. User Administration: Click User Administration inthe menu listing to open the User Administrationmenu. MySQL user accounts are listed in thelower-left frame of the window, as shown inFigure 44-4. Figure 44-4: The User Administration menu.To create a new MySQL user account, click theNew User button. Complete the user informationand then click Apply Changes. Use the SchemaPrivileges and Resource Limits tabs to view (or modify) user privileges.If youre running a version of MySQL youngerthan version 4.0, youll get an error messagewhen you modify user information. Ignore themessage and consider upgrading to a morerecent version of MySQL. Server Connections: Click Server Connections toview all active connections and see what usersare up to. The User Connections tab displays adetailed list of user sessions. Highlight a username to display the active threads for that user,as shown in Figure 44-5.If you have runaway (or really slow) queries,you can kill them off on the User Connectionstab with the Kill Thread button, or terminateall threads for a single user with the Kill Userbutton. Just highlight the thread or user nameand click the appropriate button. Health: Click Health in the left panel to accessgraphs of performance and server statistics foryour MySQL server. The Health menu opens, dis-playing a trio of Connection Health graphs, asshown in Figure 44-6. 54_571737c44.qxd 7/2/04 9:25 PM Page 337Technique 44: Making a MySQL Server Your SQL Server338 Figure 44-7: Status variables for a MySQL server. Server Logs: Click Server Logs in the menu panelto open the log viewer (the log viewer does notappear to work with a version-3 MySQL server).This feature needs a bit of help right now, butwere sure the problems will be worked out. Figure 44-8: Configuration parameters for the MySQLserver. Backup: The Backup menu lets you create (andexecute) backup profiles. With this menu, youcan define jobs that archive all or part of yourserver data. Click the New Profile button andenter a name for the backup profile in the ProjectName field. Highlight a database name in the Figure 44-5: User and thread information on the UserConnections tab. Figure 44-6: Server Health graphs.Every MySQL server maintains a set of statusvariables that track performance and usage sta-tistics. Click the Status Variables tab to see theserver status variables. Highlight a group in theStatus Variables column to view the variableswithin that group, as shown in Figure 44-7.Click the Server Variables tab to view the config-uration parameters for your server. Highlight agroup in the Server Variables column to see theconfiguration parameters in that group, asshown in Figure 44-8.54_571737c44.qxd 7/2/04 9:25 PM Page 338Taking Care of Business with MySQL Administrator 339Databases column and click the right-arrow but-ton to include that database in the BackupContent pane. Expand the database into a treecontrol form by clicking the arrow next to thedatabase name. Check the boxes next to eachtable name to include (or uncheck the boxes toexclude) the tables in the backup (see Figure 44-9). Figure 44-9: Creating a new backup profile.When your profile is complete, click the SaveProject button. To run the backup, click the StartBackup button. In this technique, weve given you other,dependable ways to back up. Theyre notgraphical, but dependability counts whenyoure making backups. Until this productmatures a bit, we recommend sticking to triedand true backups for data you treasure. Restore Backup: The Restore Backup menuselection opens a dialog designed to restore fromarchives created with the Backup menu. For now,we recommend that you use more dependablemethods to back up and restore. Replication Status: The Replication Status menuselection opens a dialog displaying informationabout the state of your replication topology. (Wecover MySQL replication features earlier in thistechnique.) Catalogs: The Catalogs menu selection displaysinformation about the databases and tablesdefined on your MySQL server.The creators of MySQL Administrator are a bitloose with their labels. The Catalogs andSchemata labels both refer to what are nor-mally called databases.Highlight a database name in the Schemataframe to see the tables stored in that database.Highlight a table name in the top panel to displaythe columns within that table, as shown inFigure 44-10.Use the tab controls in the lower panel to viewinformation about the Columns, Indices, TableStatus, and Row Status. Figure 44-10: Table information displayed with MySQLAdministrator.MySQL Administrator should grow up to be anifty timesaving tool. If youre just starting touse MySQL, you may want to avoid the frus-tration (and slowdowns) caused by the bugsand skip the installation of the version distrib-uted with Fedora (3.x). You can download the RPM packages that you need to installMySQL version 4.0 or better from www.mysql.com/downloads.54_571737c44.qxd 7/2/04 9:25 PM Page 33945Save Time By Generating your own SSLcertificate Signing your own SSLcertificates for privateuse Viewing the CAs that yourbrowser currently trustsTechniqueSafeguarding YourApache Server withSSL CertificatesSSL (Secure Sockets Layer) is a security protocol that assures usersvisiting your Web site that you are who you say you are. OpenSSL isa Linux software package that implements the SSL protocol. If yourerunning a Web server that handles financial transactions or sensitivedocuments, an SSL certificate tells your customers or colleagues thattheir information is really in your hands, and not in the hands of sometroll who has intercepted the transaction.To use SSL security at your Web site, you need a signed SSL certificate.Your Web server (typically Apache) sends your certificate whenever abrowser requests a secure connection. You can purchase a signature froma trusted authority, or you can obtain a signature from an intermediateauthority to generate a certificate thats part of a chain of trust. In a chainof trust, a high-level certification authority entrusts an intermediary who inturn signs your certificate, guaranteeing that youre reputable.You can also sign your own certificates by becoming your own certificateauthority without a chain of trust. Your certificate may not convey enoughtrust for consumers to send in their credit card numbers, but within a cir-cle of colleagues, having an active certificate is an assurance that theirtransactions are being handled with respect. In this technique, we explain the trust levels associated with each type ofcertificate. We also show you how to request a signed certificate from atrusted certificate authority, how to create a self-signed certificate thatyou can use to test your Web server configuration, and how to create yourown certificate authority. Youll save time and assure your colleagues andcustomers that they really are in contact with your computer and not aninterceptor. Understanding the Basics of How Certificates WorkIn geek-speak, a certificate is a document that proves your identity.Certificates are like passports in that they contain information about55_571737c45.qxd 7/2/04 9:25 PM Page 340Creating a Certificate Signing Request 341your identity. A passport contains your name, birthdate, and birthplace. An SSL certificate contains yourname, location (country, state/province, and city),organization name, and e-mail address.Passports (and SSL certificates) also provide somemethod for ensuring that your identity is correct.Your passport contains a photograph that someonecan compare with your face. An SSL certificate con-tains the public half of a public/private key pair.A passport also contains safeguards against forgery:Every passport contains a watermark, and manygovernments will soon issue passports that containholograms (which are very difficult to forge). Like-wise, an SSL certificate is digitally signed with theissuers private key, and any tampering makes thedigital signature invalid.Passports and SSL certificates share another impor-tant characteristic: Theyre both issued by trustedthird parties. A border authority isnt likely to trust apassport that youve issued to yourself. Instead, apassport office (the U.S. State Department, for exam-ple) verifies your identity and issues a passport.Foreign governments trust that the passport officehas done a thorough job investigating your identity.SSL certificates work the same way.Choosing an SSL CertificateTo obtain an SSL certificate, you send a request(called a certificate signing request, or CSR), alongwith proof of your identity, to a trusted authority.The trusted authority (also known as a certificationauthority, or CA) compares your request to the proofof identity that you provide, and if its satisfied thatyou are who you claim to be, it issues you a certifi-cate. The certificate that you receive is signed withthe issuers private key you can verify the signa-ture by using the issuers public key.You can get three different types of SSL certificate,and each provides a different level of trust: A self-signed certificate is untrustworthy (butuseful for testing). A certificate signed by a local CA (a CA that youcreate and manage yourself) can be trusted byyour peers. A certificate signed by a well-known CA can betrusted by outside parties (that is, customers).Obtaining a signed certificate costs money. The CAassumes the work of verifying your identity and main-taining a database of valid certificates. A number ofcompanies are in the certification business, and twoof the best known are VeriSign (www.verisign.com)and thawte (www.thawte.com). If you decide to go thisroute, see the following section, Creating a CertificateSigning Request, for details on how to get the certifi-cate from a CA.If you want to test out your Web site before you shellout a few bucks to a CA, you can create a self-signedcertificate. A self-signed certificate looks and actslike a normal certificate except for one very impor-tant difference: You should never trust a self-signedcertificate. Trusting a self-signed certificate is liketrusting a self-issued passport. Anyone can create aself-signed certificate, and more importantly, anyonecan forge a self-signed certificate. We explain howthis is done in the Creating a Self-Signed Certificatesection, later in this technique.In some cases, you may want to act as a CA yourself.For instance, if you head up the IT department at alarge company, you can issue certificates to in-houseWeb servers without having to pay a third-party CAfor each one. You might use your in-house CA to distribute trusted software or deliver confidentialcontent such as payroll information. Creating a Certificate Signing Request To request a signed certificate from a CA, you mustfirst create a certificate signing request (or CSR). The55_571737c45.qxd 7/2/04 9:25 PM Page 341Technique 45: Safeguarding Your Apache Server with SSL Certificates342The OpenSSL program now asks you a series ofquestions regarding your identity.5. Enter the two-letter code for your country.For example, type US for United States or CA forCanada.6. Enter the full name (not the abbreviation) foryour state or province.7. Enter the name of your organization (a com-pany name, for example).8. Enter the name of your department within theorganization. Or, if youre requesting a certifi-cate for your entire organization, just pressEnter.9. Enter the name of your Web server (for exam-ple, www.example.com). If you have (or plan tohave) multiple Web servers at your site, use a *in place of the host name, like this: *.example.com (you still need to include your domainname). Its very important that you enter your real Webserver name here. When the CA issues a certifi-cate, it belongs to a specific Web site. If you tryto use that certificate on a Web server with a dif-ferent name, visitors to your Web site will begreeted with a scary message warning of certifi-cate forgery.10. Enter your e-mail address.11. Next, youre prompted for two extra pieces ofinformation: a challenge password and anoptional company name. Just press Enter twiceto ignore those questions.OpenSSL saves the resulting CSR (certificatesigning request) in /etc/httpd/conf/ssl.csr/server.csr.If youd like to see whats inside the CSR in human-readable form, use the following command:$ openssl req -text -inssl.csr/server.csr. You see a result similar to that shown in Listing 45-1.CSR contains two important pieces of information:your identity and your public key. In an SSL certificate, the identity is called the subject(and the CA is called the issuer). Every subject (and every issuer) is identified by the followinginformation: Location (country, state/province, city) Organization (organization name and organiza-tional unit) Common name (the name of your Web server, asseen by the outside world) E-mail addressIf youre a Fedora user, you can use the toolsinstalled with Apache to generate a CSR (we showyou how in a moment). If youre not using Fedora,you have a bit more work to do: We suggest usingWebmin and Webmins Certificate and Key Manage-ment module to generate a CSR. Technique 17 showsyou how to install and use Webmin (the Certificateand Key Management module is an add-on that youllhave to download separately from the www.webmin.com Web site).Fedora makes it easy to create a CSR (and the public/private key pair that you need in order to sign the CSR):1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Move to the directory /etc/httpd/conf:# cd /etc/httpd/conf3. Type make certreq and press Enter.4. If you have an existing server key (its stored in/etc/httpd/conf/ssl.key/server.key), youreprompted for the passphrase for that key. If youdont have an existing server key, OpenSSL cre-ates a new server key for you and asks for apassphrase that will protect your private serverkey from unauthorized use. In either case, typein the passphrase and press Enter.55_571737c45.qxd 7/2/04 9:25 PM Page 342Creating a Certificate Signing Request 343You can see that the certificate contains all the infor-mation that you entered. The CSR is digitally signedwith your private key; the CA verifies the signatureby using the public key included in the CSR.Send the CSR (/etc/httpd/conf/ssl.csr/server.csr)to the certification authority that youve selected,along with the proof-of-identity documents that itrequires.LISTING 45-1: EXAMINING A CERTIFICATE SIGNING REQUESTCertificate Request:Data:Version: 0 (0x0)Subject: C=US, ST=Virginia, L=Anytown, O=TrixieWare, OU=Cosmology, CN=www.trixieware.com/emailAddress=newdoo@trixieware.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public Key: (1024 bit)Modulus (1024 bit):00:ac:fd:51:b4:b0:42:80:eb:cf:7f:53:54:64:1b:8a:13:fe:45:81:9c:7b:d5:a4:58:23:68:3a:d1:84:0e:51:77:57:21:27:b6:3a:5b:e1:50:ca:81:2e:5e:e2:65:36:9e:64:ed:63:88:a7:d0:55:2f:58:a9:19:39:2b:85:0a:c2:a2:3b:a6:ce:3e:a1:57:a8:99:72:32:6d:40:70:32:86:10:a6:f0:09:ac:f9:66:e9:64:c1:a0:d3:ca:7a:61:01:4a:b0:3f:5b:0d:15:1d:58:6a:01:b9:ca:e2:c8:dd:ac:49:03:4e:e4:3e:1d:fb:c3:ef:ca:30:c0:1e:6f:a9:39Exponent: 65537 (0x10001)Attributes:a0:00Signature Algorithm: md5WithRSAEncryption04:61:e0:3d:4b:69:2b:92:27:fb:e7:f1:a1:e2:2a:21:3d:89:7f:ba:67:9a:34:9c:9e:73:00:f4:79:6c:0a:bf:57:99:6d:08:0e:ad:4d:a8:0c:5a:f3:fc:43:a2:4a:fc:5a:24:c7:4b:02:55:1d:be:d8:2a:12:49:91:d0:f1:c3:61:62:d8:73:95:62:c9:f8:ca:6a:c2:34:f7:67:02:34:5d:dc:b6:36:59:46:c7:9d:36:7a:29:8a:4d:de:5e:f6:b9:52:26:33:e5:8d:f2:fd:cf:da:4b:65:f6:4f:fa:12:cf:10:13:d7:bb:1b:f7:22:60:b9:9a:4d:20:49:81:80-----BEGIN CERTIFICATE REQUEST-----MIIB3DCCAUUCAQAwgZsxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJWYTETMBEGA1UEBxMKRnJvZyBMZXZlbDETMBEGA1UEChMKVHJpeGllV2FyZTESMBAGA1UECxMJQ29zbW9sb2d5MRswGQYDVQQDExJ3d3cudHJpeGlld2FyZS5jb20xJDAiBgkqhkiG9w0BCQEWFW5ld2Rvb0B0cml4aWV3YXJlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArP1RtLBCgOvPf1NUZBuKE/5FgZx71aRYI2g60YQOUXdXISe2OlvhUMqBLl7iZTaeZO1jiKfQVS9YqRk5K4UKwqI7ps4+oVeomXIybUBwMoYQpvAJrPlm6WTBoNPKemEBSrA/Ww0VHVhqAbnK4sjdrEkDTuQ+HfvD78owwB5vqTkCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAARh4D1LaSuSJ/vn8aHiKiE9iX+6Z5o0nJ5zAPR5bAq/V5ltCA6tTagMWvP8Q6JK/Fokx0sCVR2+2CoSSZHQ8cNhYthzlWLJ+MpqwjT3ZwI0Xdy2NllGx502eimKTd5e9rlSJjPljfL9z9pLZfZP+hLPEBPXuxv3ImC5mk0gSYGA-----END CERTIFICATE REQUEST-----55_571737c45.qxd 7/2/04 9:25 PM Page 343Technique 45: Safeguarding Your Apache Server with SSL Certificates344Fedora automatically saves the self-signed certificatewhere Apache expects to find it. To see your certifi-cate in action, restart your Apache server:# /sbin/service httpd restartStopping httpd: [OK]Starting httpd: Apache/2.0.47 mod_ssl/2.0.47 (Pass Phrase Dialog)Some of your private key files areencrypted for security reasons.In order to read them you have to provideus with the pass phrases.Server localhost.localdomain:443 (RSA)Enter pass phrase:Ok: Pass Phrase Dialog successful. Notice that Apache now asks for the passphrase thatprotects your servers private key. Now, open a Web browser and connect tohttps://127.0.0.1Notice the preceding URL starts with httpsrather than http. That means its connectingto a secure server.Youve just created a self-signed certificate andinstalled it on your own Apache server. Because your users may receive a warning whenthey encounter this certificate, its a good idea togive them a little forewarning about whats going on.See the sidebar, When Mozilla encounters a self-signed certificate, for details on how this works.When Mozilla encounters a self-signed certificateSelf-signed certificates are not very trustworthy. When youvisit a site with a self-signed certificate, you should receive awarning screen from Mozilla asking if you know this jokerand if his certificate is good enough for you (see the follow-ing figure). From here, follow these steps to examine thecertificate:When you receive the final certificate, simply copy itto /etc/httpd/conf/ssl.crt/server.crt and restartyour Apache server.Creating a Self-SignedCertificateCreating a self-signed certificate with Fedora is justas easy as creating a CSR, but you end up with a testcertificate rather than a request that you send to aCA. Again, if youre not using Fedora, we recommendthat you generate SSL certificates with the help ofWebmins Certificate and Key Management module(see Technique 17 for more details).Here are the steps you need to follow to create a self-signed certificate with Fedora:1. Open a terminal window and give yourselfsuperuser privileges with the su command.2. Move to the directory /etc/httpd/conf:# cd /etc/httpd/conf3. Type make testcert and press Enter.4. Youre prompted for the password that protectsyour private server key. Type in the passwordand press Enter.5. OpenSSL prompts you for the same informationthat you provide when creating a CSR (loca-tion, organization, e-mail address, and so on).Answer each question in turn.After youve answered the last question (youre-mail address), OpenSSL creates a self-signedcertificate and saves it in /etc/httpd/conf/ssl.crt/server.crt.To view the certificate at the command line, use thefollowing command:# openssl x509 -in ssl.crt/server.crt -textYoull see that the issuer and subject are identical thats a self-signed certificate.55_571737c45.qxd 7/2/04 9:25 PM Page 344Creating a Signing Authority with openssl 3451. Click the Examine Certificate button to see thedetails of the certificate (see the following figure).2. Click the Details tab, and then highlight theIssuer line in the Certificate Field frame.In the Field Value frame, youll see the name ande-mail address of the certificate issuer. You can decidefor yourself if this person is trustworthy.Creating a Signing Authoritywith opensslUse openssl to create a certificate authority (CA)yourself if you want to sign certificates for use withinyour organization. Running your own CA can be use-ful if you want to hand out trusted software to otherpeople in your organization. A CA is also useful ifyou want to serve secure content (payroll benefitsand in-house sales, for example).A CA has three responsibilities: Verifying identity Signing requests Maintaining a database of signed certificatesopenssl comes with a program that can handle thelast two responsibilities for you. You still have toverify identities yourself using whatever method isappropriate for your site: If you are creating a CA foryour company, a photo ID card may be sufficient.Creating a certificate authorityTo create a CA, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command:$ su -Password:#2. If youre using Fedora or SuSE, move to thedirectory that contains the CA shell script:# cd /usr/share/ssl/miscIf youre using Mandrake:# cd /usr/lib/ssl/misc3. Create the CA infrastructure with the followingcommand:# ./CA -newca55_571737c45.qxd 7/2/04 9:25 PM Page 345Technique 45: Safeguarding Your Apache Server with SSL Certificates3461. Open a terminal window and give yourselfsuperuser privileges with the su - command:$ su -Password:#2. Move to the directory that contains the CAshell script:# cd /usr/share/ssl/misc3. Type in the following command:# openssl ca -policy policy_anything \-in filename.csr \-out filename.crtSubstitute the CSR name where you see filename.csr and the desired certificate namewhere you see filename.crt. For example, if youwant to sign the CSR for your own Apache Webserver, you would type this:# openssl ca -policy policy_anything \-in /etc/httpd/conf/ssl.csr/server.csr\-out /etc/httpd/conf/ssl.crt/server.crtNext, the openssl program asks for the pass-phrase that protects your CAs private key:Enter passphrase for ./dem.../cakey.pem:4. Type in the password that you assigned whenyou created the CA and press Enter.openssl displays the content of the CSR (inhuman-readable form) and asks if you want tosign the certificate.5. Look over the content, and if the informationlooks correct, press Y and then Enter to sign it.6. openssl asks if you want to commit yourchanges to the CA database: Press Y and thenEnter to finish.Thats it! The new, signed certificate is saved in thefile that you specified. If you signed the certificatefor another user, e-mail the certificate to the recipi-ent. If you signed a certificate that you want to use inOn Mandrake and SuSE systems, use this com-mand instead:# ./CA.sh -newcaThe CA script now asks you a series of questions,most of which will be familiar by now. The firststep in creating the CA infrastructure is to createa new, self-signed certificate. Youre promptedfor an existing CA certificate:CA certificate filename (or enter to create) 4. Just press Enter to create a new certificate.5. Enter a passphrase that will protect your CAsprivate key:Making CA certificate ...Generating a 1024 bit RSA private key.................++++++writing new private key to./demoCA/private/./cakey.pemEnter PEM pass phrase:Verifying - Enter PEM pass phrase:6. The CA script prompts you for the same bits ofinformation that you provide when creating aself-signed certificate or a certificate signingrequest. Answer each question in turn.After youve answered the last question, the CA script creates a self-signed certificate in./demoCA/cacert.pem.Take a peek at this certificate with the following command:# openssl x509 -in demoCA/cacert.pem -textNotice that the issuer and the subject are identical that tells you that this is a self-signed certificate. Signing a CSRWhen you have a CA up and running, you can startto sign CSRs (converting them from requests intoactual certificates).To sign a CSR, follow these steps:55_571737c45.qxd 7/2/04 9:25 PM Page 346Exploring Your Certificate Collection with Mozilla 347your Web server (and you followed our example),the certificate is already in place in /etc/httpd/conf/ssl.crt/server.crt; all you have to do now isrestart httpd (the Apache server):# service httpd restartStopping httpd: [OK]Starting httpd: Apache/2.0.47 mod_ssl/2.0.47 (Pass Phrase Dialog)Some of your private key files areencrypted for security reasons.In order to read them you have to provideus with the pass phrases.Server localhost.localdomain:443 (RSA)Enter pass phrase:Ok: Pass Phrase Dialog successful. Trusting in Trusted CertificationAuthoritiesWhen customers visit a Web site with the intent tomake a purchase, they want a serious guarantee thattheir personal information name, address, andcredit card number isnt being distributed acrossthe Internet for just anyone to use. When you connect to a Web site secured with anSSL certificate, a little gold padlock appears in thebrowser tray. Hover your mouse over the lock iconto see a short description of the CA that signed thecertificate. To see more information about the certifi-cate (and the signer), click the lock icon. In the PageInfo window that appears, click View to see all thegory details.Exploring Your CertificateCollection with MozillaAs you browse the World Wide Web, youre bound toencounter certificates from various sites. How doesyour Web browser know which certificates to trust?Each browser (Mozilla, Internet Explorer, Netscape,and so on) comes with a set of predefined trustedauthorities. To explore the certificates and authorities trusted byyour Mozilla browser, follow these steps (the proce-dure is similar if youre using a browser other thanMozilla):1. Open the Main Menu and chooseInternetMozilla Web Browser.The Mozilla Web browser opens.2. To view the certificate authorities that are cur-rently trusted by your Mozilla browser, chooseEditPreferences.The Preferences dialog opens.3. Expand the Privacy & Security portion of thetree control in the Category column and thenclick Certificates.The Certificates dialog opens, as shown in Figure 45-1. Figure 45-1: The Certificates dialog.4. Click the Manage Certificates button to openthe Certificate Manager.55_571737c45.qxd 7/2/04 9:25 PM Page 347Technique 45: Safeguarding Your Apache Server with SSL Certificates348You can remove certificates that are currentlyaccepted by Mozilla with a click of the mousein the Certificate Manager. If you want toremove a certificate, highlight the certificateand click the Delete button. Youll be asked toverify that you want to delete the certificate click OK, and its history.7. You can view additional certificate details byclicking the Details tab on the CertificateViewer (see Figure 45-4). Figure 45-4: Detailed certificate information.8. Highlight the fields in the tree control in thecenter pane to view the specific details of thecertificate in the Field Value pane.5. Click the Authorities tab to see the signingauthorities trusted by your browser (see Figure 45-2). Figure 45-2: The authorities trusted by our browser.6. Highlight a certificate name and click the Viewbutton (located in the lower left-hand corner ofthe Certificate Manager window).The Certificate Viewer dialog opens with informa-tion about the certificate, as shown in Figure 45-3. Figure 45-3: Information about a specific CA.55_571737c45.qxd 7/2/04 9:25 PM Page 34846 Retrieving HTTPMailUsing hotway andEvolutionMost e-mail service providers use three standardized protocols tosend and retrieve e-mail. SMTP is used to send e-mail, and POPand IMAP are used to retrieve e-mail. Some of the larger Web portals such as Microsofts Hotmail, MSN, and Lycos have developedtheir own e-mail protocols based on HTTP, which is the underlying trans-port mechanism used by Web browsers.E-mail accounts from portals using HTTPMail servers often come with acatch: Because of the strange protocol, you must access their serviceswith a Web browser, logging in to their servers and stopping to view allthe advertisements along the way. You can use an open-source tool calledhotway to retrieve your e-mail with an e-mail client, avoiding the hasslesand slowdowns of ads, pop-ups, and online logins.Check with your e-mail provider and make sure that its user serviceagreement doesnt include any legalese that requires you to use abrowser to view your e-mail. In this technique, we introduce you to an open-source project called hotway. hotway can retrieve your mail from an HTTPMail server and deliverit your to e-mail client. hotway can also forward e-mail that you send from a mail client to an HTTPMail server. We also take you on a quick tour ofXimian Evolution a great tool to use in combination with hotway. Youllsave time by accessing your HTTPMail accounts without stopping to viewthe ads along the way, and get to know a great e-mail client in the process.Introducing hotwayThe hotway (hotmail gateway) project at hotwayd.sourceforge.net pro-vides an open-source gateway that retrieves e-mail from an HTTPMailserver and delivers it to your Linux mailbox. You can also send e-mailfrom your Linux client (Ximian Evolution, KMail, Mozilla mail, and so on)to an HTTPMail server.TechniqueSave Time By Retrieving e-mail fromHTTPMail accounts withhotway Using hotway with XimianEvolution to make themost of your e-mailaccounts Customizing Evolution tobring you information fast56_571737c46.qxd 7/2/04 9:26 PM Page 349Technique 46: Retrieving HTTPMail Using hotway and Evolution350Youre directed to a download page listing avail-able mirrors.4. Click a download link to a mirror site near you.5. Save the RPM package to your home directory.6. Close the browser window and the DownloadManager. Open a terminal window and giveyourself superuser privileges with the su command.7. Install the RPM package with the followingcommand:# rpm -Uhv hotwayd-0.8-1.i386.rpmThats all there is to it youre ready to use hotway. xinetd automatically starts the hotway dae-mon when its needed no extra work isrequired.Setting Up Evolution to ReadHTTPMail Accounts with hotwayhotway works with any e-mail client, but were particularly fond of Ximian Evolution. Evolution is aquick, slick e-mail client bundled with most Linuxdistributions. If youve already installed Evolution (it should appear in the Internet menu or InternetMail menu), youre ready to go. If not, installEvolution before proceeding.To set up an e-mail account using Evolution and hotway, follow these steps:1. Open the Main Menu and chooseInternetEvolution E-Mail.The first time you use the Evolution e-mail client,it greets you with the Evolution Setup Assistant.2. Click the Forward button to continue withsetup.hotway works with the following accounts: Accounts at hotmail.com Accounts at msn.com Lycos accounts with the suffixes .co.uk, .ch,.de, .es, .it, or .at Accounts at spray.seGetting Started with hotwayYou typically interact with an HTTPMail server bypointing your Web browser to the portal, typing inyour user name and password, and navigatingthrough tons of advertisements before you can readyour e-mail. If youre using Windows, you can avoidthe portal Web site by reading your e-mail withMicrosoft Outlook (or Outlook Express) mail clients.If youre using Linux, you havent been so lucky until now.Read your e-mail providers end-user agree-ment to be sure that dodging its advertising isokay.hotway is quick and easy to set up, and after its inplace, youll never even know its there. When youinstall hotway, youre running a daemon (backgroundprocess) named hotwayd that listens for e-mailrequests. hotwayd is controlled by xinetd xinetdlurks in the background, waiting for activity on TCPport 2500. When an e-mail request comes in, it firesup hotway to handle the request. To install hotway on your Linux machine, followthese steps:1. Open a Web browser and surf tohotwayd.sourceforge.net2. Click the Download link.3. Click the link forhotwayd-0.8-1.i386.rpm56_571737c46.qxd 7/2/04 9:26 PM Page 350Setting Up Evolution to Read HTTPMail Accounts with hotway 3513. Enter your full name and e-mail address in theappropriate fields. You can also choose to com-plete the Optional Information portion of thewindow to redirect any e-mail responses toanother e-mail account (see Figure 46-1). Figure 46-1: Enter your Identity information.If you want all e-mail responses to be sent to asingle account, enter the e-mail address that youwant to use in the Reply-To field. In most cases,you can leave the Reply-To and Organizationfields blank.4. Click the Forward button to continue.The Receiving Email window opens.5. From the Server Type drop-down list box,choose either the IMAP or POP server type todisplay a more complete Receiving Email form,as shown in Figure 46-2.Unless there is a compelling reason to useIMAP, we usually use POP. Its just a bit morereliable than IMAP.6. Click the Check for Supported Types buttonand Evolution will connect to the server to askit what Authentication Types it supports. Theresults are copied into the Authentication Typelist box. Alternatively, use the list box tochoose the authentication type you prefer. Figure 46-2: The complete Receiving Email form for aPOP server.7. Enter 127.0.0.1 in the Host field and then clickthe Forward button.The Receiving Mail Options window opens.8. Check the Automatically Check for New MailEvery box, and customize the time options todetermine how often Evolution checks youre-mail account.9. Use the options listed in Message Storage tocontrol whether the messages are deleted afterdownload. Be sure to disable support for POP3extensions when youre creating an accountserviced by hotway. Click the Forward buttonto continue.The Sending Mail window opens, as shown inFigure 46-3.10. Enter 127.0.0.1:2500 in the Host field, checkthe Server Requires Authentication box, andmake sure that the Username field contains a complete e-mail address. Click Forward tocontinue.The Account Management window opens, asshown in Figure 46-4.56_571737c46.qxd 7/2/04 9:26 PM Page 351Technique 46: Retrieving HTTPMail Using hotway and Evolution352 Figure 46-5: Choose your time zone.12. Click the map to choose your time zone andthen click Forward to continue.A window opens, indicating youve successfullyentered the information needed.13. Click Apply to continue.Evolution opens, ready to retrieve your e-mail.14. Click the Inbox button in the Shortcuts panelon the left, and then click the Send/Receivemail button on the toolbar.The Send & Receive Mail and Enter Passworddialogs open, as shown in Figure 46-6.15. Enter your password and click OK.Your e-mail should arrive in the inbox any second now! Figure 46-3: The Sending Mail window.11. Enter a user-friendly name in the Name fieldand click the Forward button. Click Forward tocontinue.The Timezone window opens, as shown in Figure 46-5. Figure 46-4: The Account Management window.56_571737c46.qxd 7/2/04 9:26 PM Page 352Ringing the Bells and Blowing the Whistles: Your Evolution Summary Page 353 Figure 46-6: Getting ready to retrieve e-mail.Ringing the Bells and Blowingthe Whistles: Your EvolutionSummary PageWhen you open Ximian Evolution, youre treated to afeast of information, all displayed in a tidy summarypage. Whats the best thing about the summary page?You can customize it in a snap!When you customize your summary page toinclude information, news, and appointments,youre also creating browsable links from youre-mail client to information that is importantto you.Follow these steps to customize your summary inEvolution:1. Choose ToolsSettings.The Evolution Settings dialog opens, as shown inFigure 46-7.You can use the Evolution Settings dialog to cus-tomize the features shown in the left panel. Thetabs in the right panel change to reflect the fea-tures that you can customize. Figure 46-7: The Evolution Settings dialog.2. Use the scroll bar to scroll down and choose theSummary Preferences button in the left panel.The tab dialogs are now labeled as follows (refer to Figure 46-7): Mail News Feeds Weather Schedule3. Click the Mail tab, and then expand the LocalFolders tree control to view the folders you caninclude on your summary page, as shown inFigure 46-8.4. Check the boxes next to the folders you want toinclude on the summary page and then clickApply.56_571737c46.qxd 7/2/04 9:26 PM Page 353Technique 46: Retrieving HTTPMail Using hotway and Evolution354 Figure 46-9: Customize the RSS news feeds displayed onyour summary page.Yahoo! offers a few RSS feeds that you might beinterested in: Yahoo! World News at rss.news.yahoo.com/rss/world Yahoo! Tech News at rss.news.yahoo.com/rss/tech Yahoo! Science News at rss.news.yahoo.com/rss/scienceDo a Web search for RSS news feeds to findfeeds about interesting topics that you canadd to your summary page. To remove a news feed from the summarypage, highlight it in the Shown panel and clickthe Remove button. Click the Apply button to make the changes take effect its quickand easy!7. Click the Weather tab to customize the weatherreports displayed on your summary page.Expand the tree control in the All panel, findthe city whose weather you want to monitor,and click the Add button. Figure 46-8: Customizing the folders on your summarypage.Select the mailboxes you need to access mostoften. Youll have fast access to them with asingle click on your summary page.5. Click the News Feeds tab to add RSS feeds toyour summary page.RSS (Really Simple Syndication) feeds are littlesnippets of headline-making news that you cancustomize to suit your interests (see Figure 46-9). 6. To add an RSS news feed to your summarypage, highlight the name of the feed in the listin the All panel and then click the Add button.When youre finished adding feeds, click theApply button.When you click Add, the feed name is copied tothe Shown panel.You can also find and add new RSS feeds fromthe Web. Click New Feed to open the New NewsFeed dialog. Fill in the Name and URL fields andclick OK to add it to the list of feeds. 56_571737c46.qxd 7/2/04 9:26 PM Page 354Ringing the Bells and Blowing the Whistles: Your Evolution Summary Page 355The name is added to the list in the Shown panel,as shown in Figure 46-10. You can monitor theweather for multiple locations. Figure 46-10: Add custom weather information to yoursummary page.8. You can also choose to display the tempera-tures in Celsius or Fahrenheit, and set therefresh time with the controls found on theWeather tab. Click the Apply button to saveyour changes.9. Click the Schedule tab (shown in Figure 46-11)to customize the calendar and task informationdisplayed on your summary page.10. In the Calendar area, specify the number of daysyou want to display in the calendar. In the Tasksarea, decide whether to display all pendingtasks or just those tasks scheduled for today.Then click the Apply button to save yourchoices. 11. When youve finished customizing your sum-mary page, click the Close button to return toyour newly updated summary.Custom weather, news, and appointments are all waiting for you, along with one-click access to your most frequently used mail folders (seeFigure 46-12). Figure 46-11: Customize your calendar display for thesummary page. Figure 46-12: Create a custom summary of the info youneed for the day.Creating a custom summary page can save you timebecause the information you need is right at yourfingertips. Evolution keeps you up-to-date onappointments, weather, news, and e-mail.56_571737c46.qxd 7/2/04 9:26 PM Page 35547Technique Stopping Spam withSpamAssassin Spam is a major waste of time and resources. The kind of spam weretalking about isnt the pink stuff in a can its junk e-mail. (Wewanted to include a technique about the edible Spam, but our editorssaid no: See www.spam.com for your daily dose of pink meat.) Unsolicitedcommercial e-mail not only takes up your valuable time reading andweeding through it, but also ties up your CPU and consumes valuablestorage space on your server. And its downright annoying. Fortunately,you can reduce the amount of spam you receive with the help of a greattool called SpamAssassin.SpamAssassin has several mechanisms for deciding what is and isnt spam: Rule set that computes a spam threshold: A numerical score identi-fies an e-mail message as spam or ham (ham is the opposite of spam were not making this up). Bayesian filtering: Bayesian filtering figures out what spam looks likeas it reads your e-mail. It learns and evolves to keep up with spam-mers tactics. Character-set and language sensitivity: You can specify languages andcharacter sets that should be considered spam. (For example, unlessyoure conversing in Russian, e-mail composed entirely of Cyrillic char-acters is likely to be spam.)In this technique, we introduce you to your new e-mail assistant, SpamAssassin. With the added tool, RulesDuJour, updating your rule sets is a breeze. With up-to-date rule sets, SpamAssassin learns andgrows to keep up with the ever-changing antics adopted by spammers,and saves you time and frustration by letting you read the ham withouthaving to wade through the spam. Installing SpamAssassinSpamAssassin is an open-source project that screens incoming e-mail forunwanted or commercial e-mail. Its a smart tool, with ever-evolving rulesets that can keep pace with even the slickest of spammers. Save Time By Using SpamAssassin toscreen your e-mail ConfiguringSpamAssassin with theConfiguration Generator Setting up SpamAssassinas a filter for yourEvolution e-mail client Updating your rule setwith RulesDuJour57_571737c47.qxd 7/2/04 9:27 PM Page 356Installing SpamAssassin 357You can install SpamAssassin from the Fedora orSuSE distribution media or by downloading the lat-est RPM packages from www.spamassassin.org, theofficial Web site of SpamAssassin. Installing from the distribution mediaIf youre a Fedora user, the quickest and easiest wayto install SpamAssassin is with the Fedora Add orRemove Packages program and the Fedora distribu-tion media. The procedure is similar on SuSE sys-tems except that you use YAST2 (SpamAssassin iswell-hidden in ProductivityNetworkingEmailUtilities).Check out Technique 56 for details aboutdownloading and burning your own set of distribution discs. To install SpamAssassin from the Linux distributionmedia, follow these steps:1. Open the Main Menu and choose SystemSettingsAdd or Remove Packages. Click theForward button.A scan for currently installed packages begins.2. When the Add or Remove Packages windowopens (see Figure 47-1), scroll down and checkthe Mail Server box.3. Click the Details link to the right of the MailServer entry to open the Mail Server PackageDetails window.4. Check the Spamassassin box to include thepackage in the installation, as shown in Figure 47-2.5. Click the Close button, and then in the Add orRemove Packages window, click the Forwardbutton.The system update is prepared, and a PackageInstallation Overview window appears, display-ing SpamAssassin and any dependencies (seeFigure 47-3). Figure 47-1: Check the Mail Servers box. Figure 47-2: Check the box next to Spamassassin.6. Click the Forward button.The system update begins. When installation iscomplete, the Package Installation Complete win-dow is displayed.7. Click the Finish button.57_571737c47.qxd 7/2/04 9:27 PM Page 357Technique 47: Stopping Spam with SpamAssassin3583. Close the browser and open a terminal window.Give yourself superuser privileges with the sucommand.4. Move to your Desktop directory and install thepackages with the following commands:# cd ~/Desktop# rpm -Uhv perl-Mail-SpamAssassin-2.63-1.i386.rpm# rpm -Uhv spamassassin-2.63-1.i386.rpmThats it the perl-Mail-SpamAssassin package sat-isfies the dependencies of the spamassassin RPMpackage. Youre ready to start the service! See thenext section for details.Starting the serviceYoull get the best performance from SpamAssassinby running it as a client/server installation. Keepingthe spamd daemon alert and on its toes saves startuptime every time you get an e-mail message. To start the SpamAssassin service, open a terminalwindow and give yourself superuser privileges with the su - command. Then enter the followingcommand:# service spamassassin startThe terminal echoes this message:Starting spamd: [OK]Thats it. Youre ready to configure SpamAssassin.Fine-Tuning SpamAssassin to Separate the Ham from the SpamYou can fine-tune SpamAssassin to screen your e-mailmore aggressively or less aggressively. If you screenmore aggressively, you run the risk of missing a mes-sage that might be trapped by mistake; if you dont Figure 47-3: These are the packages that will be installed.Thats it. Fedora (or SuSE) takes care of resolving thedependencies as it installs the spamassassin RPMpackage. Now, you need to start SpamAssassin, asdescribed in the section, Starting the service, laterin the technique.Installing from RPM downloadsIf you dont have the Fedora or SuSE distributionmedia and dont want to take the time right now tomake a set, you can get SpamAssassin up and run-ning with a quick visit to the SpamAssassin Web site. Follow these steps to download and installSpamAssassin:1. Open your favorite browser and surf towww.spamassassin.org/released/RPMs2. Click the download links to retrieve the follow-ing RPMs:perl-Mail-SpamAssassin-version.i386.rpmspamassassin-version.i386.rpmBe sure to choose the most recent version andsave the files to your Desktop.57_571737c47.qxd 7/2/04 9:27 PM Page 358Fine-Tuning SpamAssassin to Separate the Ham from the Spam 359screen aggressively enough, youll be greeted byspam in your e-mail client. Its important to note thatyour e-mail client decides what to do with mail clas-sified as spam, not SpamAssassin SpamAssassinclassifies each piece of e-mail; your e-mail client can throw out spam messages or route it to a spe-cific mailbox (we show you how to configure youre-mail client in the section, Adding a New Filter toEvolution).The easy way to configure SpamAssassin is with thehelp of the SpamAssassin Configuration Generator.Open your favorite browser and surf towww.yrex.com/spam/spamconfig.phpYoure taken to the SpamAssassin ConfigurationGenerator, shown in Figure 47-4. The next two sec-tions explain how to customize SpamAssassin andthen save your configuration file. Figure 47-4: The SpamAssassin Configuration Generator.If youre using Webmin for administrativetasks, be sure to check out the Webmin inter-face for configuring the SpamAssassin MailFilter. You find it in the Servers menu of yourWebmin client. The SpamAssassin Configura-tion Generator at yrex.com is quick and easy,but Webmin gives you finer control overSpamAssassin. See Technique 17 for moreinformation about Webmin.Customizing settingsThe Configuration Generator lists a series of settingsthat you can customize. Check the radio button nextto the desired setting to add that value to the cus-tom configuration file. The settings are described inthe following list: Score Threshold: The first setting in the Configu-ration Generator is for the Score Threshold. Eache-mail is assigned a score based on its content.The higher the score, the more likely the e-mailis spam. For example, if your threshold is set to 5, ane-mail with a spam score of 7 is consideredspam, and an e-mail with a score of 3 is consid-ered ham.If you start out at 5, youll probably want toeventually lower the threshold. Weve noticedthat even at 3, we still get spam. Our sugges-tion is to start at 5, and watch whats gettingthrough before you set the threshold too low. Rewrite Message Subjects: If you check theRewrite Subjects box, the text string shown iswritten into the subject line before the e-mail isadded to your inbox. This feature doesnt workwith the Evolution e-mail reader. If youre usingan e-mail client other than Evolution, a stringsuch as POSSIBLE SPAM - is a good choice thatwill make it easy to spot spam in your mailbox. Encapsulate Spam in Attachments: If you acceptthe default, SpamAssassin encapsulates any mes-sage that scores above the spam threshold into anew message as a MIME attachment. This canhelp prevent accidental virus infection. For evenmore protection, select the Use Text-OnlyAttachments radio button. This feature doesntwork with the Evolution e-mail client either. Use Terse Reports: If enabled, SpamAssassinissues a shorter version of the spam report. Ifyou get a lot of spam, you may want to go with ashorter report. This feature also does not workwith Evolution (dont worry; you dont need it).57_571737c47.qxd 7/2/04 9:27 PM Page 359Technique 47: Stopping Spam with SpamAssassin360 Use Network Checksum Tests: Computedchecksums on known spam are kept in severaldistributed databases. If you select this optionand install the appropriate client software,your incoming e-mail messages are screenedagainst the checksums maintained in the data-bases. Any matches are considered spam andare treated as such. Language Options: You can set SpamAssassin fil-ters to watch for the character sets or recognizedlanguage patterns in the body of the e-mail mes-sage. By default, all languages are accepted check the boxes next to any languages youwould consider to be spam.Check the Use Language Testing box to read thebody text of a message looking for recognizedlanguages that cant be distinguished by thecharacter set alone. Hungarian and English usethe same character set, so check this box toscreen out excessive Hungarian spam.Saving your settingsAfter youve customized your settings in the Configu-ration Generator (as described in the preceding section), follow these steps to save your configura-tion file:1. Click the Generate the Configuration File button.Youre taken to a new Web page, displaying thenew configuration file (see Figure 47-5).2. Click the Download This File button and savethe file to disk.You can either save the file in place or copy itinto place later.To save the configuration file into place for asingle user, enter the following code in the FileName field of the Download Manager:~/.spamassassin/user_prefsTo save the file into place for the entire system,copy the local.cf file into# /etc/mail/spamassassin/local.cfWhen used with Evolution, SpamAssassin actsas a filter. SpamAssassin classifies the e-mail asspam or ham, but it doesnt make modifica-tions to the e-mail. It does, however, put thee-mail into a separate folder so you can speedcruise it later. Bayes Options: By enabling the Bayes Options,you allow SpamAssassin to learn what spamlooks like from e-mails that score highly on thespam threshold. As each message arrives,SpamAssassin Bayesian filter searches it forwords and phrases that appear often in spammessages. If a message contains many words and phrases that are commonly found in spam,SpamAssassin assumes that the new message islikely to be spam as well. SpamAssassin learnswhat spam looks like if you enable Bayes filtering.Rather than shipping a set of rules to every userin the world, a custom set of rules is built foreach user. For example, if a doctor actuallywants all that e-mail about Viagra, he or shecan tell the filter that. Use Bayes System: Accept the default settingto use Bayesian analysis to identify spam. Use Auto Learning: Accept the default settingto allow SpamAssassin to automatically trainits Bayes database based on non-Bayesianclassification rules. Network Test Options: The Network Test Optionsuses information gleaned from the Internet to sep-arate the spam from the ham. The Network Test Options will slow down youre-mail traffic. The more e-mail you get, theslower your e-mail arrives because each pieceneeds to be verified against an Internetresource. Enable RBL Checks: If you accept the defaultand enable RBL (Realtime Black List) checks,your incoming e-mail is compared to a black-list. If the sender of the e-mail is on that list,the e-mail is considered spam.57_571737c47.qxd 7/2/04 9:27 PM Page 360Adding a New Filter to Evolution 361 Figure 47-5: Your new SpamAssassin Configuration File.You may need to create the .spamassassinsubdirectory in your home directory.3. Click Save, and your configuration file iscopied into place.Need to tighten your configuration? Justrevisit the Configuration Generator and copythe new configuration file into place over theold one. Easy!Adding a New Filter to EvolutionAfter youve created an awesome spam filter by con-figuring SpamAssassin, youll want to apply it to youre-mail client. If youre using Evolution, the process issimple:1. Open your Evolution e-mail client.2. Open your Inbox, and choose ToolsFiltersfrom the menu bar.The Filters dialog opens, as shown in Figure 47-6. Figure 47-6: The Evolution Filters dialog.3. Click the Add button.The Add Rule dialog opens, as shown in Figure 47-7. Figure 47-7: Add a new rule for SpamAssassin.57_571737c47.qxd 7/2/04 9:27 PM Page 361Technique 47: Stopping Spam with SpamAssassin362 Figure 47-9: Create a new junkmail folder.The completed rule is displayed, as shown inFigure 47-10. Figure 47-10: The completed rule.The new rule is now included in the Filters list.4. Enter a new name in the Rule Name field. In the drop-down list box to the right of theSender field, choose Pipe Message to ShellCommand. Then to the right of that drop-downlist box, enter:spamc -c > /dev/null5. Use the arrow to the right of the Returns fieldto open the drop-down list box and change thefield to Returns Greater Than.6. Click the Click Here to Select a Folder field toopen the Select Folder dialog, shown in Figure 47-8. Figure 47-8: The Select Folder dialog.7. Click the New button to open the Create NewFolder dialog, shown in Figure 47-9.8. Enter a name for your junkmail folder in theFolder Name field.Harry or Roger would work, but we call oursjunkmail.9. Highlight Local Folders in the Summary list,and click OK. 10. Select your new junkmail folder from the list inthe Select Folder dialog. Then click OK.57_571737c47.qxd 7/2/04 9:27 PM Page 362Serving Up a Big Bowl of the RulesDuJour 36311. Click OK to close the dialog.SpamAssassin is now actively protecting you andyour Evolution account from spam.Serving Up a Big Bowl of the RulesDuJourRulesDuJour is a neat script that downloads newSpamAssassin rule sets. Spammers are becomingmore sophisticated (well, more persistent anyway) onan almost daily basis. Keeping your rule set up-to-datehelps SpamAssassin screen the spam more efficiently.To install RulesDuJour, follow these steps:1. Open your Web browser and surf towww.exit0.us/index.php/RulesDuJour2. Scroll down the page and click the downloadlink for rules du jour. When the downloadmanager opens, save the files to your homedirectory.3. Open a terminal window and edit therules_du_jour file:$ kedit rules_du_jour4. Scroll down and change the entry in line 40 to this:[${SA_DIR}] || SA_DIR=/etc/mail/spamassassin;5. Change the entry in line 44 to this:[${MAIL_ADDRESS}] || MAIL_ADDRESS=example@e-mail.com;6. Save the file and close the editor.7. Make the script executable with the followingcommand:$ chmod u+x rules_du_jour8. To run the script, give yourself superuser privi-leges with the su command and then enter thefollowing command:./rules_du_jourRules Du Jour goes to work and retrieves themost recent rule set for SpamAssassin.This task is a natural for automating. Checkout Technique 20 for information about usingTask Scheduler to schedule RulesDuJour torun nightly, while network usage is low.57_571737c47.qxd 7/2/04 9:27 PM Page 36348Save Time By Installing Sendmail Using Webmin to configure Sendmailoptions Configuring Sendmail toservice multiple domains Allowing e-mail relayingfor remote employees Using Sendmail aliases todistribute e-mailTechniqueUsing Webmin toSimplify SendmailConfigurationThe Internet e-mail system consists of three components: MUA (mail user agent): Evolution and Mozilla mail are both popularmail user agents (also known as e-mail clients). MDA (mail delivery agent): The MDA moves the e-mail from Sendmailinto your local mailbox. Procmail is a popular Linux MDA. MTA (mail transfer agent): The MTA moves e-mail from one machineto another across the Internet. Sendmail is an MTA. Most users interaction with e-mail stops with their mail agent, when theypress the Send button. However, if youre running the mail service for adomain (rather than having an ISP provide the mail service), you need tointeract with the mail transfer agent.Sendmail is easy to use, but also incredibly flexible and powerful. In thistechnique, we introduce you to Sendmail, and the easy-to-use configura-tion interface provided by Webmin. If you need to manage configurationfiles, Webmin is a definite timesaver.Registering Your AddressBefore you can send or receive e-mail with Sendmail, you need a registereddomain name. You can purchase a name with a permanent address from anISP or a name registry, or use a free Dynamic DNS service for sites thatchange addresses from time to time. Technique 42 has good informationabout using Dynamic DNS services check it out.Taming a Sendmail ServerSetting up an e-mail server with Sendmail is simple. The sendmail RPMpackages are included in most Linux distributions, and come with a58_571737c48.qxd 7/2/04 9:28 PM Page 364Tweaking Your Configuration Files with Webmin 365pretty fair configuration file to get you started. Theinstallation and initial setup is super-fast!To install Sendmail, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command.2. Insert and mount your distribution media. Usethe cd command to move into the directorycontaining the sendmail RPM packages.3. Install sendmail with the following command:# rpm -Uhv sendmail-version.i386.rpm4. Install the sendmail configuration file with thefollowing command:#rpm -Uhv sendmail-cf-version.i386.rpmBe sure to choose the version that you see onyour distribution media.Thats it Sendmail is installed. To start Sendmail on a Fedora computer, use the fol-lowing command:# service sendmail startIf youre a SuSE user, type in this command:# rcsendmail startOr, if youre running Mandrake Linux, use this command:# /etc/init.d/sendmail startThe configuration can still use some tweaking, butWebmin can help with that, as described in the nextsection. Tweaking Your ConfigurationFiles with WebminIn Technique 17, we walk you through an installationof the top-notch tool, Webmin. If you haventinstalled it already, check out Technique 17 forinstructions.Webmin is a browser-based administrationtool that provides an easy-to-use interface forservers, security issues, and other administra-tive tasks. Its definitely worth getting to know.After installing Webmin, follow these steps to accessthe Sendmail Configuration menu:1. Open your favorite Web browser and surf tolocalhost:10000/Webmin opens to the login screen.2. Enter your user name and password and clickthe Login button.The Webmin main menu appears, as shown inFigure 48-1. Figure 48-1: The Webmin main menu.3. Click the Servers button at the top of the page.The Servers page opens.4. Click the Sendmail Configuration button, nearthe bottom of the page.The Sendmail Configuration menu opens, asshown in Figure 48-2.58_571737c48.qxd 7/2/04 9:28 PM Page 365Technique 48: Using Webmin to Simplify Sendmail Configuration366 Figure 48-3: The Local Domains list.2. Add your domain names to the list and thenclick the Save button.You can send and receive e-mails only fromregistered names that point to your currente-mail address.Relaying e-mailIf you need to allow remote employees to send e-mailthrough your local network, take advantage of theSpam Control (Access) feature of Sendmail. Withmessage relaying, the end user sees your employeese-mail as coming from your local network even if the employee is accessing your mail server from adistance.This feature is really intended to keep nastypeople out of your system. Spammers with illintentions often hack systems to route e-mailthrough unsuspecting Sendmail hosts. Be cau-tious about setting up relays for friends oremployees with loose security habits.From the Sendmail Configuration menu (refer toFigure 48-2), follow these steps to set up messagerelaying: Figure 48-2: The Sendmail Configuration menu.One quick glance tells you that Sendmail is a com-plex but powerful program. Fortunately, most of thedefault configuration options are okay, and the cus-tomizations are simple with Webmin. The followingsections detail how to customize settings from theSendmail Configuration menu.Serving up mail for multiple domainsYou can use Sendmail to retrieve e-mail from multi-ple DNS servers if you have multiple registered namesthat point to the same server address. To serve upe-mail for multiple domains, you need two things: Multiple DNS records that list your server and itscurrent address Multiple listings in the Local Domains list foryour Sendmail configuration fileFrom the Sendmail Configuration menu, follow thesesteps to add the listings to the Local Domains list:1. Click the Local Domains (Cw) button near thetop of the Sendmail Configuration menu.The Local Domains page opens, as shown inFigure 48-3.58_571737c48.qxd 7/2/04 9:28 PM Page 366Tweaking Your Configuration Files with Webmin 3671. Click the Spam Control (Access) button to openthe Spam Control menu, shown in Figure 48-4. Figure 48-4: The Spam Control menu.2. Choose Domain from the Mail Source drop-down list, and to the right of this list, enter thedomain address of your remote employee.Then select the Allow Relaying radio buttonand click Create.The new relay is added to the list of sources.3. Click the Return to sendmail configuration link(at the bottom of the page) to go back to theSendmail Configuration menu.4. Click the Stop Sendmail button at the bottom of the page. When the button name changes to Start Sendmail, click it again to make thechanges to your configuration file take effect.Using aliases to simplify mail handling You can redirect e-mail on your system with Send-mails Alias feature. If you have an incoming addressthat you want distributed to multiple individuals, fol-low these steps:1. Click the Mail Aliases (Aliases) button on theSendmail Configuration menu.The Mail Aliases menu appears.You may want to use the Alias feature to dis-tribute sales inquiries to your entire sales force,technical inquiries to an entire support depart-ment, or a humorous mailing to everyone.2. Enter the address in the Alias Address field.The address should not include a domain or anextension.3. If you want the alias to take effect immediately,check the Enabled radio box.4. In the Alias To drop-down list box, selectAddresses in File, and to the right of the list box, enter the file name, as shown in Figure 48-5.5. Click Create to add the new alias. Figure 48-5: Creating a mail alias.The new alias is created and added to the list. Now,when an e-mail is sent to the address in the alias,Sendmail redistributes it to all the e-mail addressesin the file.You can create e-mail address files quicklywith your favorite text editor. Enter oneaddress per line and save the file somewheresafe but memorable.58_571737c48.qxd 7/2/04 9:28 PM Page 367Technique 48: Using Webmin to Simplify Sendmail Configuration368Any server is a potential security risk. With ane-mail server, you run multiple risks fromhackers that want to exploit the free use ofyour server (and address) to create potentialsystem vulnerabilities. A UML jail might be agood place to keep a mail server seeTechnique 58 for details.58_571737c48.qxd 7/2/04 9:28 PM Page 368Part IXBacking Up MeansNever Having to Say Youre Sorry59_571737p09.qxd 7/2/04 9:28 PM Page 36959_571737p09.qxd 7/2/04 9:28 PM Page 37049 Getting Ready to Back Up Your DataArchiving important data is vital no question about that. Settingup an archiving scheme thats easy to use (and easy to restorefrom) is important. Unless you make the process quick and easy,and enforce your routine with discipline, youll find it too easy to slackoff and forget to back up an irreplaceable piece of work. We know weve had to learn the hard way.For the small system or single computer, the consequences of data lossmight not affect other people, but losing your own work is still losingtime. Having a dependable backup system is just as important to singleusers as it is to administrators of large networks.Choosing the right backup media can make the difference betweenpainful and tedious backup jobs, and backup jobs that are simple andunobtrusive. If youre the administrator of a large network, its especiallyimportant that you choose your media well other peoples work is inyour hands. Choosing dependable media (preferably stored off-site)helps ensure a safe recovery if you do need to restore from backup.In addition to choosing the type of media youll be using to back up yoursystem, you need to consider whether incremental, differential, or fullbackups are best for your system. Differential backups are great ifresources (such as money for media) are limited and you dont need torestore often. Incremental backups are quicker to restore, but they con-sume more media than a differential backup. If you need to restore frombackup often but have the resources to do full backups, automating fullbackups saves restoration time in the long run. Selecting a good archive tool is important, too, and you have a large num-ber of options. Commercial backup tools are typically easy to use andwell suited for both commercial and home use. A ton of free archive toolsare also available, a few of which are already loaded on your computer.In this technique, we give you some food for thought about choosing abackup scheme for your system. Whether your system is large or small, ifyouve got important information on it, backing up is important. We giveTechniqueSave Time By Choosing the rightbackup media Choosing the rightbackup scheme Choosing the rightarchive type60_571737c49.qxd 7/2/04 9:29 PM Page 371Technique 49: Getting Ready to Back Up Your Data372and how much data the media can hold. The value ofyour data should definitely impact your choice aswell. Here are several media types to consider: Tape drives Removable disks (SCSI drives or external harddrives) Removable non-optical media (Jaz and Zipdrives) Removable optical media (CDs and DVDs) Online storage servicesThe size and configuration of your system influencesthe requirements of your backup scheme. Goodbackup media for one system isnt necessarily agood choice for another.Making the tradeWhen putting together a backup plan, a major trade-off toconsider is recovery time versus the amount of media youneed. If youre a small network or single computer user, youcan choose to back up only the things you cant replace e-mail files, data files, high score files for your favorite games,and so on. On the other hand, if you archive data and pro-grams, you wont have to reinstall (and reconfigure) all of theprograms you already have on your system.Tape drivesA tape drive is a good choice for backing up largesystems. In fact, a tape drive is often the only practi-cal choice if you have a lot of data to archive. Manyconsumer and business tape drives are availablewith a wide range of prices and capacities. Tapedrives can be either internal or external, and theycome in a variety of formats. You can choose fromdozens of drive manufacturers.The biggest advantage of a tape backup scheme isthe storage capacity. Depending on the tape drive,the contents of a complete system can easily bearchived onto a single tape. Tape media is also veryaffordable, so keeping archived backups generallyyou some factors to consider to help you choose theright media, archiving scheme, and archive type. Deciding What to ArchiveWhen you consider putting together a backup plan,your first instinct might be to back up everything.That way, if anything goes wrong you can get yourdata back quickly. But consider how much mediayou would need to archive your entire system. Thesedays, its not uncommon to find notebook comput-ers with 60GB hard drives. Given that a CD holdsonly 660MB (or 0.66GB), you would need 100 discsto back up the whole drive. (Actually, you wouldneed fewer than that if you use compression.) Youwouldnt want to back up your system very often atthat rate.Instead, back up only data that you cant easilyreproduce. You know that you can reinstall Linux onyour computer without too much hassle. You canreinstall all the RPM packages and other softwarethat youve loaded. And you certainly dont need oldlog files and temporary files. That narrows yourbackup requirements considerably.So what should you archive? Basically, anything thatyouve created or modified, including the following: Configuration files User home directories E-mail (if you store e-mail on your computerrather than at your ISP) Software (or other projects) that youve developed Choosing Archive MediaChoosing an archive media type is a matter of findinga balance among the following factors: the cost of thebackup device and media, the speed and ease of use,60_571737c49.qxd 7/2/04 9:29 PM Page 372Choosing Archive Media 373isnt a problem. The biggest investment is in the tapedrive itself.Tape drives can range in price from hundredsto thousands of dollars, depending on thebackup capacity. Although the drive might beexpensive, the media is affordable, making itfeasible to archive backups.One disadvantage of using tape backup is the rela-tively high failure rate compared to other mediatypes. Tape drives also tend to be slower than otherbackup types. For a large system, they can be a goodchoice, but for a small system, you might want toconsider other options.Removable and external disk drivesIf youre backing up a single machine, removable orexternal hard disks are good options to consider.Theyre fast and dependable, and the prices are drop-ping almost daily. With an external FireWire drive,you can back up an entire computer in minutes. FireWire is a very fast hardware protocol. Ifyour system supports FireWire, look forFireWire-enabled devices to save time.Removable hard drives are drives that fit into a sloton your computer. Plug one in, and youve got anextra drive that you can use to hold archived data.Unplug it and store it someplace safe so youll have abackup if you need it. Removable hard drives are too expensive for mostpeople to use for archiving backups; buying a bunchof hard drives to store would add up fast. They arealso more fragile than other media jostling aremovable drive in and out of the slot doesnt helpits longevity. Still, for backing up a small system,removable hard drives can be a good choice.External drives are a better choice for many peoplethan removable hard drives. Theyre sturdier, andbecause the connection is made with a cable insteadof a slot, the chance of damaging the drive in theprocess of connecting it is minimal. External driveshold a good amount of data and are very affordable.With a FireWire interface, theyre also fast. Manyexternal drives offer both FireWire and USB connec-tions for more flexibility.Depending on your system, you can also use aFireWire external drive as an alternate bootdisk.Flash drives, SD memory cards, CompactFlash, andother removable media types also deserve mention.Theyre little, but theyre really handy if you justneed to back up a small amount of data.Use a flash drive as a backup container foryour passwords. Make copies of your~/.gnupg directory and ~/.ssh directories, as well as encrypted text files containing otherpasswords you need often. Now, you can eas-ily take your passwords and keys with youwhen you travel. Be sure to encrypt cleartext password files andyour private keys in case you lose the flashdrive. Removable mediaA Zip drive is like a floppy drive on steroids. It canhold a good amount of data, its easy to store off-site,and its portable and network friendly. A Zip drive can be either internal or external (Iomegaeven has an external FireWire available), and themedia itself is rugged and portable. The largest Zipdrive currently holds 750MB thats a little bitmore than a CD. Zip disks are more expensive than blank CDs or DVDs,and most systems now come with a CD or DVD writer.On the upside, Zip drives have two main advantages:Writing data to a Zip drive is much faster than writ-ing to a CD or DVD, and a Zip drive is inherentlyrewritable (its just a disk drive). Zip disks are aboutas durable as CDs.60_571737c49.qxd 7/2/04 9:29 PM Page 373Technique 49: Getting Ready to Back Up Your Data374interface for quick updates to archive files. Theadministrator of a larger system will find conven-ience in scheduling whole-system backups for timeswhen network usage is lowest. In either case, onlineservices are friendly (usually), easy to use, and safe.Choose a dependable service (preferably one thatsbeen in business for a while, with good references),with an interface that works for you. With a fast (andsecure) connection, online storage might be the bestchoice for you. Choosing an Archive Scheme You can choose from three basic backup schemes:full, differential, and incremental. They each haveadvantages some save restoration time, and somesave media.Cost, convenience, and time are the primaryconsiderations when choosing an archivingscheme. For example, if you need to shuffle a lot of discs to do a full backup, run a fullbackup once a week, and schedule unattendedincremental backups on the days in between.Or, if you use a tape changer (or an onlineservice), you can schedule a full backup everynight.Full backupsA full backup is just that an archive that containsall the data that you want to save. You can create afull backup without archiving every program anddata file on your computer; you can pick and chooseonly the files that you cant conveniently re-create.What makes a full backup different from the otherschemes is that you archive all the selected dataevery time you back up.Differential backupsA differential backup saves only the data thatchanges from one day to the next. To build a differ-ential backup set, you start each cycle with a fullOptical media (CDs and DVDs)CDs and DVDs might be the best backup media forthe small network or single system user. Theyre dirt-cheap, durable, easy to use, and fast. They store for-ever (well, a long time anyway) and move easilyfrom one machine to another. Most new computerscome with a CD or DVD recorder, and if its notincluded, its easy to add at a fair price.Whats the downside? A CD doesnt hold very muchdata 660MB or so. A DVD can hold 4.7GB. Is that aproblem? Probably not if youre backing up a singlecomputer or a small network. Each disc holds enoughdata that you can most likely back up an entire sys-tem with just a handful of discs. DVD recorders are just starting to show up inconsumer-level computers, but you can easilyadd an external DVD writer, and the once-highprice tags are dropping fast. A DVD holds con-siderably more data than a CD, so the timeyou can save in backing up makes the invest-ment in a DVD recorder worth considering.CDs or DVDs may not be the perfect storage answerfor a large system, but for a single machine or smallnetwork, theyre great.Online storageOnline storage services abound just run a Googlesearch, and youll find hundreds of them. The serv-ices range in price from free (for 5GB or so of backupspace) to reasonable, and if you have a good (fast)network connection, online backup is a good choice.Online storage has the added advantage that yourdata is being stored at a different physical locationfrom your home or business. If your building burnsdown, you know your backups are safely storedsomewhere else. Of course, if you use an online stor-age service, youre trusting them with your data and it may be difficult to recover your data shouldthe provider go out of business.Online backup services offer the single user or smallnetwork administrator a user-friendly and secure60_571737c49.qxd 7/2/04 9:29 PM Page 374Choosing an Archive Scheme 375backup on the first day. Each backup after that is asnapshot of the changes made since the previousbackup. Keep the initial backup and all the snapshotsin a safe place in case you need to restore data. Everyso often, start the cycle over again. The cycle alwaysstarts with a full backup.You need at least two full sets of backup mediato use incremental media safely so you dontwrite over a backup that you may need torestore from.To restore from a differential backup, apply theentire chain of archives, starting with the mostrecent complete backup and appending each snap-shot in sequence. If the last full backup was a monthago and you back up daily, youll have 31 tapes inyour archive to restore.Incremental backupsTo use an incremental backup scheme, take a fullbackup on the first day and then a differential backupon the second day. The second days backup includesonly those files that have changed since the last fullbackup. The third day of an incremental backupscheme captures all file changes that have takenplace since the last full backup.Incremental versus differential backupsYou may be thinking that an incremental schemesounds suspiciously similar to a differential scheme.They are in fact very similar each scheme archivesonly the data thats changed. The difference is that adifferential scheme archives the changes since theprevious differential backup; an incremental backuparchives the changes since the previous full backup. Heres an example:1. You start with a full backup Sunday night.2. On Monday, you create a new file named/home/freddie/spybusiness.html. Mondaynight, you create a differential archive that con-tains only the new file (spybusiness.html).3. Tuesday morning, you create another new filenamed /home/freddie/gadgets.html. Hereswhere the difference appears: If you create a differential backup, Tuesdaysarchive will only contain gadgets.html. (A differential backup archives the data thatschanged since the previous differentialbackup.) If you create an incremental backup, Tuesdaysarchive contains both files: spybusiness.htmland gadgets.html (an incremental backuparchives the data thats changed since the lastfull backup).You can see that an incremental backup scheme takesmore media than a differential scheme. The bigadvantage of an incremental backup scheme (com-pared to a differential scheme) shows up at recoverytime. If you need to recover from a hardware failure(or from a nasty typo), you only restore the latestfull backup and the last incremental backup.Having a backup planFormalize your backup plans and make them part of a rou-tine instead of just performing a backup when you thinkyouve accomplished something really monumental. Some-times, truly monumental or important things go unnoticeduntil disaster strikes; unless you have a backup, youll lose agreat piece of work. Make a plan and stick with it.Its not good enough to just have a backup plan. You alsoneed to make sure that you can restore a backup if youneed to. Dont wait until the last minute to find out thatyour tapes are unreadable or that an online service is flaky.Test your media whether its on-site or off.How often you back up is a decision only you can make,but consider how long it will take to reproduce the worklost if your backup routine is sporadic. Backing up is easyand painless, but losing a months work hurts.60_571737c49.qxd 7/2/04 9:29 PM Page 375Technique 49: Getting Ready to Back Up Your Data376all archive operations in a relational database(SQLLite, PostgreSQL, or MySQL), which makes itquick and easy for you to find the archive vol-ume that contains the data that youre interestedin. And, because the history is stored in a data-base, you can create custom tools and customreports from the archive history tables.Bacula lives at www.bacula.org. Its motto is Itcomes by night and sucks the vital essence fromyour computers how could you resist a toollike that? Mondo: Mondo is not really an archive programas such its a rescue tool. After you build abootable Mondo rescue disk, you can restoreyour entire operating system without reinstallingeverything from scratch. Combine Mondo with acomplete backup plan, and youll recover fromhardware failures much faster. You can find moreinformation about Mondo at www.microwerks.net/~hugo. tar: Short for tape archiver, tar is the long-running standard for backup. Its versatile,flexible, and reasonably easy to use. Its alsoavailable on every Linux (or UNIX) computeryoure likely to encounter (its even availableon many Windows systems). In the next tech-nique, we show you how to use tar (togetherwith a helper tool named cdbackup) to createmultidisc backup sets on CDs or DVDs.Choosing an Archive ProgramMany archiving programs are available for backingup Linux computers. Here are a few that you shouldconsider: AMANDA (Advanced Maryland AutomaticNetwork Disk Archiver): This suite of tools is designed to archive entire networks. WithAMANDA, you create a single backup server,and from there, you can archive any computerthat you can reach over the network. You can even use AMANDA to back up Windows-based computers. You can find AMANDA atwww.amanda.org. Arkeia Light: Arkeia is another network-enabledbackup tool. You can find it at www.arkeia.org.The free version is missing a few features thatare included in the commercial program, butArkeia Light is still a very useable tool with anice-looking user interface. One of the big advan-tages to Arkeia (the commercial version) is thatyou can talk to a support person if somethinggoes wrong (a service you dont get with open-source tools). Bacula: A relatively recent addition to the open-source archive arena, Bacula has some heavy-duty features that you may need in a largeorganization. Bacula keeps a complete history of60_571737c49.qxd 7/2/04 9:29 PM Page 37650 Backing Up Your DataBacking up data may mean backing up a single file, a directory tree,or an entire system. You may choose to do incremental backups,differential backups, or full backups depending on the amount ofdata you need to store and the value of that data (see Technique 49 fordetails on the different backup types). One way or the other, youll beusing an archiving program.tar is a simple but flexible tool that creates sturdy, portable archives.You can use tar to create archives quickly and easily, and you can writethose archives straight onto your hard drive or onto other devices. Youcan use tar to bundle files into archives, and move them easily andquickly to CDs or thumb drives or across your network.Performing interim backups of important directories that might be lostthrough user error (such as home directories and e-mail files) can saveyou from restoring from a system backup just to extract a single file.tar wont write straight to CD without a helper application its greatwith tape drives, but its not so hot with CDs. Weve found a great helpertool called cdbackup that we show you how to use in this technique.cdbackup works with tar to create archives that can span multiple CDs(or DVDs).In this technique, we show you some useful variations on the tar com-mand and give you a step-by-step introduction to differential and incre-mental backup schemes. Remember, backing up means never having tosay youre sorry.Estimating Your Media NeedsIts nice to know how much media youll need before you start a backup.You dont want to get halfway through and find out that you need to runto Office Depot to pick up more tapes. Its also nice to know your archivesize if youre planning on carrying it with you on a thumb drive or otherremovable media.TechniqueSave Time By Estimating how muchmedia youll need for yourbackup Taking interim backups ofthe directories that aremost likely to be lost Using incremental or dif-ferential backup schemes Using tar and cdbackupto make backup CDs61_571737c50.qxd 7/2/04 9:30 PM Page 377Technique 50: Backing Up Your Data378Backing up files and directoriesBefore you start a backup, use the lsof com-mand to be sure files arent in use. The com-mand lsof | grep directoryname will tellyou if any files are open in the directorynamedirectory tree. If the fourth column has any usor ws in it, someone has a file open in updateor write mode. See Technique 36 for moreinformation about using lsof.To archive a single file or directory with tar, enterthe following command:# tar -cvzf archivename filenameHeres a breakdown of this command: The -c flag tells tar to create an archive. The -v flag tells tar to run in verbose mode (listing the archive content as its created). The -z flag compresses the archive using gzipcompression. The -f archivename option tells tar where towrite the archive. archivename can name a datafile, a device name, or - (standard outputstream).You can follow the first filename with more file anddirectory names to write multiple files to the samearchive.tar can write archives to files, to devices, or to- (standard output). Use the - to pipe thearchive to other commands.In our examples, we use /dev/rmt0 as the devicename a pretty common name for a tape drive.Backing up account information and passwordsUse the following command to back up user accountinformation and passwords: # tar -cvzf /dev/rmt0 \ /etc/passwd /etc/shadowThe easiest way to find out how much media youllneed to hold an archive is to make a dry run first. Ifyoure using tar to create the archive, use the sameoptions that you plan to use when you create thereal backup, but pipe the results to wc -c instead ofwriting it to media:# tar -cvplf - backupcontents | wc -cThe -f - option tells tar to write the archive to itsstandard output stream. When tar completes, wc dis-plays the total number of bytes required to hold thearchive. If you plan to create a compressed archive,be sure to include the compression option when youcompute the archive size; otherwise, youll overesti-mate the amount of media that you need. For exam-ple, if you use bzip2 compression to create anarchive, calculate the archive size like this:# tar -jcvplf - backupcontents | wc -cThe -j flag tells tar to use bzip2 compression; use -z if you want to use gzip compression instead.You need superuser privileges to back up filesthat arent your own. Creating Data Archives with tartar is an archive tool that you can use to createbackups. Its been around for a long time, its stable,and its relatively easy to use. Much of the data andprograms out on the Web are distributed as com-pressed tar archives (affectionately known as tar-balls). tar runs just about everywhere Linux,UNIX, Windows, and Mac so the archives that youcreate are portable. Its included in even the mostbasic of Linux installations, so you dont need tospend any time installing it.tar also has the advantage of knowing how tomanage incremental and differential backups.Thats a huge bonus if youre an administratoron a tight media budget. Of course, you cancompress archives as you create them, savingeven more time and money.61_571737c50.qxd 7/2/04 9:30 PM Page 378Creating Data Archives with tar 379This command tells tar to create a gzip-compressedarchive containing the /etc/passwd file and the/etc/shadow directory and write the archive to atape drive (/dev/rmt0).Any user can read the user account informa-tion stored in /etc/password, but you mustbe the superuser to read the /etc/shadow file(where the passwords are really stored).Targeting bite-sized backups for speedier restoresKeeping individual backups of the data that youremost likely to need is a good idea especially if youuse differential backups on a long backup cycle.Instead of doing a complete restore cycle just torecover the lost home directory of one sad user, youcan unpack the lost data from a small archive.Here are a few directories that you may want toarchive separately to avoid a lengthy restore cycle: /home: The /home directory contains the homedirectories of all the system users. /etc: The /etc directory contains most systemconfiguration files. /spool: The /spool directory contains mail-boxes and print files.To back up the /home directory and the /home/userdirectories of all users, use the following command:# tar -cvzf /dev/rmt0 /homeThe tar command automatically recurses into subdi-rectories, which means all files and subdirectoriesunderneath the parent are included in the newarchive.Rolling whole file systems into a tarballUse the tar command to back up an entire file sys-tem by adding the -l flag to the command:# tar -cvlzf /dev/rmt0 filesystemThe -l (lowercase L) option tells tar to stay withinthe given filesystem. Thats important if you thinkthat filesystem might contain mount points forother file systems.To back up multiple file systems, append a list of the file system names to the end of the command. To find a complete list of the file systems on yoursystem, use the mount command with superuser privileges:# mountThe mount command returns a list of file systemsthat looks similar to the list shown in Figure 50-1. Figure 50-1: The file system listing.Use the listing to find the mounted file systems youwant to include in the backup.If you need to create a multitape archive, add the -Mflag to the command:# tar -cvlzfM /dev/rmt0 filesystemnameThe -M flag wont help if youre using CDs or DVDs tohold your archives, but we show you how to createmultidisc backup sets in the section, Backing Up toCD (Or DVD) with cdbackup, later in this chapter.61_571737c50.qxd 7/2/04 9:30 PM Page 379Technique 50: Backing Up Your Data3802. Next, create a full backup with the followingcommand:# tar -cvlfz /dev/rmt0 \-g /backups/etc.snap /etcSubstitute your tape drive name for /dev/rmt0.This command backs up the /etc directory andeverything underneath it. If you want to back upmore file systems, just append the names to theend of the command line (and choose a moremeaningful name for the snapshot file).Store the backup tape somewhere safe, like in afireproof safe or an off-site location.3. On the second day of the cycle (Tuesday), usethe same command:# tar -cvlfz /dev/rmt0 \-g /backups/etc.snap /etcThis time, tar compares /backups/etc.snap tothe current state of the /etc directory tree andsaves only those files that have changed (or newfiles).tar also updates the snapshot file to reflect thenew state of your archive collection.Store this backup in a safe place.4. On the third day (Wednesday), use the samecommand:# tar -cvlfz /dev/rmt0 \-g /backups/etc.snap /etcAgain, tar compares the snapshot to the currentstate of the /etc directory tree. But this time, thesnapshot records the archive cycle as of the endof the day on Tuesday. So, the archive you createon Wednesday contains only the files that havechanged since Tuesday. When its finished, tarupdates the snapshot file to reflect the state ofyour archive collection.Starting a Differential Backup CycleYou can use the tar command to create incrementalor differential backups. We explain the subtle differ-ences between incremental and differential backupsin Technique 49. You may want to check out thattechnique before deciding on the type thats right for you.Each time you create a backup in a differential orincremental cycle, you include an extra commandline option:-g snapshotFileNameThe snapshot file keeps track of which files anddirectories youve written to an archive. The nexttime you create an archive using the same snapshotfile, tar saves only those files that have changedsince the previous backup. (It knows which files tosave by comparing the current state of your diskwith the information saved in the snapshot.)Its a good idea to store tar snapshot files in adirectory that you arent likely to clean out ona regular basis. Dont put the log files in the/tmp or /var/log directories. Instead, create aseparate directory to hold snapshot files. In ourexamples, we assume that you want to storesnapshot files in /backups.For a differential (or incremental) backup scheme,you start each cycle by creating a full backup. tarcreates a snapshot file that records the fact that thearchive contains a complete copy of everything thatyou want to save.To employ a differential backup cycle, follow thesesteps:1. On the first day of the backup cycle (assume itsMonday for this example), start by removingthe log file:# rm /backups/etc.snap61_571737c50.qxd 7/2/04 9:30 PM Page 380Starting an Incremental Backup Cycle 381Wednesdays archive stores only the changesmade between Tuesday and Wednesday. Thechanges made between Monday and Tuesdayare in the first differential archive.Store Wednesdays tape with Mondays andTuesdays tapes. If you need to restore frombackup, you need all the tapes to capture anaccurate picture of all the changes made to the/etc directory tree.You can see the pattern start to form. This cyclegoes on and on until you start over again with a fullbackup. Each time you start the cycle, delete thesnapshot file first so that the first archive is a com-plete backup.Keep at least two cycles of media to be surethat you have a backup to restore from in caseof emergency.On the upside, although it takes a lot of media to cre-ate a differential backup, it takes less time becauseeach backup represents only one days worth ofchanges.On the downside, if you need to restore data, youhave to restore all the days in the backup cycle.Starting an Incremental Backup CycleIncremental backups are a bit confusing at first, butthe concept is simple when you understand it. Anincremental backup works very much like a differen-tial backup, except you have to manage the snap-shot file more carefully.A differential backup saves only the files that havechanged since the most recent backup. An incremen-tal backup saves only the files that have changedsince the most recent complete backup. In otherwords, an incremental backup contains everythingthats changed since the start of the cycle.tar uses a snapshot file to decide which files itneeds to save. tar only saves files changed since thesnapshot was last updated.So how do you get tar to save all files changed sincethe beginning of the cycle? Simple throw out theupdate snapshot file after each incremental backup.If you start an incremental cycle every Monday, youwant tar to use Mondays snapshot file on Tuesday,Wednesday, Thursday, and Friday. (With a differen-tial scheme, you use Mondays snapshot on Tuesday,Tuesdays snapshot on Wednesday, Wednesdayssnapshot on Thursday, and so on.) Shuffling snap-shot files might seem like an odd way to get a goodbackup, but it does work. The advantage to an incremental backupscheme is when you have to restore lost data.You restore the first archive in the cycle andthe last archive you dont have to apply allthe intermediate archives like you would in adifferential scheme. That might not sound likea big timesaver, but if your backup cycle is 30 days long instead of 7, you get to go homefor the weekend instead of shuffling tapes.Follow these steps to start an incremental backupcycle:1. On the first day of the backup cycle (assume itsMonday for this example), start by removingthe log file:# rm /backups/etc.snap2. Create a full backup with the following command:# tar -cvlfz /dev/rmt0 \-g /backups/etc.snap /etcStore the backup tape somewhere safe.61_571737c50.qxd 7/2/04 9:30 PM Page 381Technique 50: Backing Up Your Data382To restore an entire directory tree, move to the rootdirectory and use the following command:# tar -xzvf /dev/rmt0 /directorynameTo restore a single file, use this command:# tar -xzvf /dev/rmt0 /directory/filenameYou can restore many files (or directories) at onceby listing the names at the end of the command line.Be sure to use the same compression options thatyou used when you created the archive.If youve used an incremental backup scheme,extract the files that you want from the full backuptape first, and then extract the same files from themost recent incremental backup. (If the files that youwant to extract havent changed since the fullbackup, they wont appear in the incrementalarchive, but thats okay. You should still try torestore from the incremental archive just in case.)If youre keeping incremental backups, youllrestore two backups: the first backup and thenthe most recent incremental backup.Restoring from a differential backup is the samebasic procedure, but it takes more time because youhave more tapes to go through. Hopefully youve kept simple interim backupsof the files youre most likely to need torestore (see the section, Targeting bite-sizedbackups for speedier restores, earlier in thistechnique), and youll have to restore from adifferential backup only in the case of anextreme disaster well all hope that doesnthappen.If your system is damaged to the point where youcant boot into Linux, dont panic. Just reinstallLinux and then restore your data from backup. See arent you glad you have a good backup plan?3. On the second day of the cycle (Tuesday), makea temporary copy of Mondays snapshot file:# cp /backups/etc.snap \/backups/etc.tmp4. Now invoke tar, but this time tell it to readfrom (and update) the temporary snapshot filerather than the master copy:# tar -cvlfz /dev/rmt0 \-g /backups/etc.tmp /etctar compares /backups/etc.tmp to the currentstate of the /etc directory tree and saves onlythose files that have changed since the firstarchive in the cycle.tar also updates the snapshot file (/backups/etc.tmp), but youll overwrite that file on thenext day anyway.Store this backup in a safe place.5. On every other day in the cycle, repeat Steps 3and 4.In an incremental backup, each backup afterthe initial backup contains all the changes thathave occurred between the first full backupand the current state of the system.On the downside, incremental backups take longerto create, and they consume more media. On the upside, if you need to restore data, you onlyneed to use two tapes to do it: the initial (full)backup and the most recent incremental.Restoring from Backup with tarRestoring from backup with tar is as easy as backingup with tar. Instead of creating archives, you usetars extract command to extract the data that youneed.61_571737c50.qxd 7/2/04 9:30 PM Page 382Backing Up to CD (Or DVD) with cdbackup 383Backing Up to CD (Or DVD)with cdbackupWithout a little help, tar cannot write archivesdirectly to CD or DVD media. You could write anarchive to your hard drive and then copy the archiveto a CD (or DVD) with a tool like k3b or nautilus, butthats a hassle. Youd need enough free space onyour hard drive to hold the intermediate copy, andyoud have to figure out how to split a big archiveonto multiple discs definitely not a timesavingtechnique. Fortunately, the open-source community comes tothe rescue again. The cdbackup and cdrestore com-mands are helper programs that you can use withtar to write archives onto a CD or DVD. cdbackupwrites straight onto a CD or DVD without layingdown a file system first. That saves you some spaceand time, but you wont be able to read the discswith other programs. cdbackup can write a largearchive to multiple discs (something that tar cantdo by itself). Because cdbackup cooperates so wellwith tar, you can use the combination to createcomplete backups, incremental backups, and differ-ential backups that span multiple discs. You can find the CDBackup package at the authorsWeb site: www.muempf.de/index.html.Creating the backupCreating a multidisc backup with tar and cdbackup iseasy:1. Type in the tar command that archives thedata that you want to save and then tell tar towrite the archive to its standard output stream,like this (but dont press Enter yet):# tar -zcvf - /home /etc2. Then pipe the archive to cdbackup:# tar -zcvf - /home /etc | cdbackup -m-r 0,0,0 -a My BackupIf youre burning a DVD instead of a CD, be sureto include -l 4600 in your command line socdbackup knows that it can write up 4.6GB perdisc (-l 4700 might be safe too, but leave your-self a little wiggle room).tar starts building the archive, and when it hasenough data, cdbackup starts writing it to CD (or DVD).3. Press Enter, and your backup begins.4. When cdbackup fills the first disc, it promptsyou to insert a new one. After you do so, pressEnter to continue.Under the hood, cdbackup uses the cdrecord packageto do the tough work. In fact, you can pass commandline options to the underlying cdrecord commandwhen you invoke cdbackup. Table 50-1 lists some ofthe more useful cdbackup options.TABLE 50-1: HANDY CDBACKUP OPTIONSOption What It Does-m Enables multidisc recording-r device Specifies which CD/DVD drive to record to-s speed Specifies the write speed (the default writespeed is 4, or 4 times the normal writespeed)-a label Adds a descriptive name (label) to thearchive set-l size Tells cdbackup how many megabytes canfit on one disc (the default is 650 aboutthe size of a blank CD)-- options Passes command line options to thecdrecord command61_571737c50.qxd 7/2/04 9:30 PM Page 383Technique 50: Backing Up Your Data384If the file youre looking for is not on the first disc,cdrestore prompts you to insert the next disc; pressEnter to continue. In fact, cdrestore asks you toinsert the next disc even if it does find /etc/passwdon the first disc. cdrestore cant tell when tar hasfinished its work, so when youre sure you have thefiles that you need, you can just press Ctrl-C to killthe job. Be careful though, because the file thatyoure looking for may be split across multiple discs.When you run cdrestore, you can use the normal/dev/cdrom device name instead of -r 1,0,0. The -t 1 option tells cdrestore to read from the first trackon the disc (yes, cdbackup can write multiple tracksso cdrestore can read them). Pipe the output fromcdrestore to tar and tell tar to extract the files thatyou want. Notice that you can use compression(either the -z gzip variety or the -j bzip2 variety).You have to specify the compression type when youcreate the archive and when you restore from thearchive.To see a listing of the archive content, use the following command:# cdrestore /dev/cdrom -t 1 | tar -ztvf - The cdrestore part of the command is the same, butyou use the -t flag to list the content instead of -x toextract it. You can also use the -q flag to view infor-mation about the disc that you have in the drive:# cdrestore -q /dev/cdromTracks: 1Disk size: 666000 kB ( 333000 blocks)Space used: 1872 kB ( 936 blocks)Space avail: 641328 kB ( 320664 blocks)Track 01: 1 MB: Part 2: My BackupRestoring from a disc containing multiple archivesOne of nicest cdrecord features is that you can writemultiple archives to the same disc. For example, ifyou use an incremental or differential backup plan,you might do a complete backup on Sunday and anNo, I dont want a moment to reflect on my backup.By default, cdrecord (and therefore cdbackup) pauses forten seconds before it starts burning a CD, giving you achance to change your mind and cancel the burn. Thatpause can get a bit annoying after a while. You can shortenthe delay by including a cdrecord option at the end of thecommand line:# tar -zcvf - /home /etc | cdbackup -m -r0,0,0 -a My Backup -- gracetime=2The -- flags tells cdbackup to pass the rest of the com-mand line options to cdrecord. In this case, gracetime=2shortens the preburn delay to 2 seconds (the minimumallowed by cdrecord).If you dont know the full name of your CD/DVD recorder,run the following command:# cdrecord -scanbusYou should see a result similar to this:scsibus1:1,0,0 100) TEAC DW-224E F.0A CDRW1,1,0 101) *1,2,0 102) *1,3,0 103) *1,4,0 104) *1,5,0 105) *1,6,0 106) *1,7,0 107) *Find your recorder in the list: The first three numbers onthat line make up the device number. If you see more thanone device in the list, choose your drive by its model name.In our case, we would tell cdbackup to record on device1,0,0.Restoring from a CD or DVD backupTo restore a file (or set of files), you use cdrestoreand tar. For example, to restore the /etc/passwd filefrom a backup set, place the first disc in the driveand then type this command:# cdrestore /dev/cdrom -t 1 | \tar -zxvf - /etc/passwd 61_571737c50.qxd 7/2/04 9:30 PM Page 384Backing Up to CD (Or DVD) with cdbackup 385incremental (or differential) backup every weekday.The weekday backups are likely to be small enoughto fit on a single disc without filling it up. Withcdrecord, just put Mondays disc in the drive whenyou create Tuesdays archive because cdbackup issmart enough to append the new archive to the endof the disc. If you have multiple tracks on the samedisc, cdrestore -q shows you all of them:# cdrestore -q /dev/cdromTracks: 3Disk size: 666000 kB ( 333000 blocks)Space used: 64442 kB ( 32221 blocks)Space avail: 587758 kB ( 293879 blocks)Track 01:10 MB: Part 1: Mondays backupTrack 02:20 MB: Part 1: Tuesdays backupTrack 03:10 MB: Part 1: Wednesdays backupWhen you restore from a multitrack disc set, just tellcdrestore which track you want to start with, as inthe following example:# cdrestore /dev/cdrom -t 2 | \tar -zxvf - /etc/passwd The -t 2 flag tells cdrestore to read from track 2(Tuesdays backup).61_571737c50.qxd 7/2/04 9:30 PM Page 38551Save Time By Creating and movingarchives with tarand ssh Backing up to tape driveson remote hosts Using rdist with ssh forsimple remote backups Creating simple remotebackup commands thatyou can automateTechniqueQuick Backup toRemote StorageThe price of a well-outfitted computer has dropped to the pointwhere its feasible to use a second computer as a backup device.Keeping a backup computer system on your own network or atanother office accessible from the Web is a viable option for many com-panies. You dont need fancy backup software to mirror your data on aremote computer; Linux already includes the tools to do the job.In Technique 50, we show you how to use the tar program to createarchives of your data. In this technique, we show you how to combinetar and ssh (the secure shell) to create archives on a remote computer.When you use ssh to back up your data, the data stream is encrypted, soyoure guaranteed that your important files wont be read by the world.You can use ssh across your local network or across the Web with equalease. Backing up with ssh is easier and quicker than mounting a networkdrive you dont even need superuser privileges.Piping compressed archives created by the tar command to the ssh com-mand makes it easy and quick to back up to remote hosts. You can createan archive containing your important files and move it to a remote hostwith just one command. It doesnt get much quicker than that.You can also use the tar command in combination with ssh to write totape drives on remote machines. Its a quick way to share resources onyour network without a lot of hardware investment or software conflicts.We also introduce you to the rdist command. With rdist, you can createa mirror image of your working system on a remote machine. A completecopy of your important information is not only safe, but also ready to usein an instant. Use the rdist command with ssh to make the remote con-nection simple, fast, and secure. By using Task Scheduler with rdist andssh, you can even automate your nightly backups.In this technique, we show you some shortcuts that work with some oldfavorites to make backing up to remote systems quick and easy. 62_571737c51.qxd 7/2/04 9:30 PM Page 386Combining the Power of tar with ssh for Quick Remote Backups 387Combining the Power of tar withssh for Quick Remote Backupstar is an archiving tool that can create new archives,display the contents of an existing archive, or extractdata from an archive. An archive is just a simple filethat contains other files within it. Archives are handybecause they let you work with (e-mail, copy, or backup, for example) a whole collection of files with ease.When you use tar to create an archive, tar copies thecontents of each file into the archive, along with somebookkeeping information such as the file owner, filepermissions, and modification date. The Linux ver-sion of tar (actually, the GNU version included withLinux) can compress an archive on the fly, and thecompressed archive is usually smaller than the sumof its parts.tar by itself is a useful command, but add the powerof ssh, and youve got a great combination thatmakes it easy to back up your data to a remote sys-tem. You can also use tar and ssh to access tapedrives mounted on remote machines.Testing the ssh connection to the remote hosttar and ssh are installed with most Linux distribu-tions by default you already have a working copyof each program on your system. Before you try touse tar and ssh together, test the ssh connection tothe remote host:$ ssh remotehostIf the ssh connection is good, youre prompted foryour password. Its unlikely that youll get connection errors,but if you do, you need to resolve thembefore you can continue. Creating a tar archive over the ssh connectionAfter youve tested the ssh connection, youre readyto go. To create a tar archive over an ssh connec-tion, use the following command:$ tar -zcv -f - /source | ssh remotehostcat > targetfile.tgzReplace the source and destination names with yourown. Then press Enter to start the backup. Heres a closer look at the preceding command: tar -zcv -f -: Creates a tar archive, using thefollowing options: z: Create the archive in compressed gzip format. c: Create a tar archive. v: Use verbose mode. Display progress on thescreen. -f -: The -f archive option tells tar whereto write the archive. In this case, you want tarto write the archive to the standard outputstream (which youll connect to the standardinput stream of the ssh command with thepipe character | ). /source: Specifies the files and/or directoriesthat should be added to the tar archive. You canadd multiple files or directories to the archive bylisting each filename (or directory name), sepa-rated by a space: $ tar zcvf - /home /usr | ssh remotehostcat > targetfile.tgzThe preceding command creates an archive (on the machine remotehost) containing the contents of the /home directory and the contentsof the /usr directory. |: Pipes the standard output from the first com-mand into the standard input for the secondcommand. ssh remotehost: Opens an encrypted connec-tion to the remote computer. cat > targetfile.tgz: Receives the data com-ing through the standard input of the ssh com-mand and directs it, byte-by-byte, to the filenamed targetfile.tgz. This creates a duplicateof the archive on the remote host, in the filenamespecified.62_571737c51.qxd 7/2/04 9:30 PM Page 387Technique 51: Quick Backup to Remote Storage388Backing Up to a RemoteComputer with rdist and sshrdist is a command line tool that helps you maintainidentical copies of files or directories over multiplehosts. You can use rdist with ssh to distribute salesreports, inventory lists, or other files to remoteoffices that need access to shared data. tar and sshmake it easy to create an archive on a single remotecomputer, but rdist can push complete directorytrees to any number of remote systems.You can easily back up a single system to multiple remote hosts with rdist. You can also use rdist to back up important systemand data files to a remote host. With the cost of well-outfitted computers at an all-time low, keeping a mir-ror image of important files is financially feasible.Using rdist to create a mirror image of treasuredfiles makes backing up quick and easy.An rdist backup isnt a perfect mirror imageof your complete working system. The bootsectors of your local machine and any filesbeing used at the time of backup will be dif-ferent on the remote host.Testing the ssh connection to the remote hostBefore you can use rdist, you need to have a cleanssh connection with each of your targets. Test thessh connection at the command line with a trial connection:$ ssh remotehostnameIf youve lived a good clean life, you should be ableto make an ssh connection to the remote host. If theconnection succeeds, youre prompted for a pass-word and allowed to log in to the remote system.Save time by setting up ssh to handle public-key authentication for you so you dont needto enter a password. Check out Technique 33for details.Whenever the remote command containsspaces, you need to enclose the command inquotes.That simple tar and ssh command makes creatingtar archives on a remote machine about as quickand easy as it gets. Check out Technique 13 for more informationabout using archives and tar. The tar manpage also details tons of options you can addto the tar command to tailor this technique toyour system.When you execute the command, youre promptedfor your password on the other machine. Addingpublic key authentication to the SSH connectionallows you to skip password authentication. Setting up a key ring for authentication takesonly a few minutes and can save you a lot oftime in the long run. See Technique 33 for thelowdown on setting up ssh to accept publickeys. Backing up to tape drives on remote machinesOne other quick trick you can do with tar and ssh isto back up to remote tape drives. Just replace thedestination filename with the device name, and sshdelivers your archive to the tape drive. For example,if the tape drive on your remote host is named/dev/rmt0, use the following command:$ tar zcvf - /source | ssh remotehost cat> /dev/rmt0With just a few variations, the tar command pro-vides a powerful backup tool. Use it with TaskScheduler to automate nightly backups, and youllreally save time! (See Technique 20 for more informa-tion about scheduling automated tasks).62_571737c51.qxd 7/2/04 9:30 PM Page 388Backing Up to a Remote Computer with rdist and ssh 389Creating the distfileAfter youve tested the ssh connection to the remotemachine, you must create a file (called distfile)that contains the information that rdist needs torun such as the remote host name, the files youwant to transfer, and any exceptions to the defaultrules.To create a distfile, follow these steps:1. Open a terminal window to your home direc-tory and enter the following command:$ kedit distfilekedit opens into a fresh file, waiting for yourdistfile code.2. Enter the following code (substituting yourusername and remotehost name):HOSTS = ( username@remotehost )FILES = ( ~/ )EXCEPT = ( ~/Desktop/Trash )${FILES} -> ${HOSTS}install -oyounger,whole target ;except ${EXCEPT} ;3. Click the Save icon on the toolbar and close theeditor.Youve just created a basic distfile. The first threelines of the distfile define a few variables thatmake it easy to write the rest of the file: HOSTS: This variable holds a list of one or morehost names. (If you want to distribute data tomore than one host, list each host name betweenthe parentheses, separated by spaces.) If youreusing ssh to establish the connection to a remotemachine, you can prefix the host name with auser name followed by an @ character, like this:HOSTS = ( freddie@bastille freddie@louvre ) FILES: This variable contains a space-separatedlist of the files or directories that you want tocopy to the remote host. In our example, wewant to copy the $HOME directory. EXCEPT: This variable names the files that youdont want to send to the remote host(s). Youusually dont need a duplicate of the Trash bin.The second half of the distfile contains the com-mands for rdist: The first line tells rdist to move the files (asdefined by the FILE variable at the top of thedistfile) to the hosts named by the HOSTS vari-able (also defined at the top of the distfile). The install command follows with the optionsthat rdist should use for the backup. In ourexample, the option -oyounger tells rdist tocheck the timestamp on the file and update onlythose files that have been changed since the lastbackup. The target names the directory on theremote host that receives the backup. If youleave it blank, rdist creates a duplicate of thelocal directory tree on the host and copies thefiles into the mirror image.The -o needs to be right next to the installoption; otherwise, rdist copies the files into adirectory named whatever install optionyou try to use (for example, if you typed in -o younger instead of the correct -oyounger, rdist would create a directorynamed younger). To use multiple installoptions, chain them together with commas,like this: -oyounger,quiet,remove. The except command tells rdist to skip the filesthat are named in the EXCEPT variable.Table 51-1 lists some of the more useful installoptions.62_571737c51.qxd 7/2/04 9:30 PM Page 389Technique 51: Quick Backup to Remote Storage390Make sure that you want to remove files fromthe backup before you use the remove option.In the process of testing these commands, weaccidentally wiped out the CVS repository forthis book and the results of a (fortunatelycompleted) consulting project on one of oursystems. remove really does remove every-thing. Its a good thing we had backups!For more options to use with rdist, visit therdist manual page: $ man rdist.Backing upAfter youve tested your ssh connection and createdthe distfile, youre ready to back up. Open a termi-nal window and enter the following command:$ rdist -P /usr/bin/sshrdist takes it from there, consulting the distfile forthe information it needs to complete the backup. Itdoesnt get much quicker than that!The last argument in the command must bethe complete pathname to the ssh program. Itwould be nice if you could specify the transferprogram (ssh) in the distfile, but you cant.As a real timesaver, set up a cron job to trans-fer your files every night. See Technique 20 forhelp using Task Scheduler to set up an auto-matic backup in a snap!TABLE 51-1: USEFUL INSTALL OPTIONSOption What It Doesyounger This option compares the datestamp ofthe files on the remote machine to thelocal machine, and updates only the filesthat have been changed since the lastbackup. This is a great option if your sys-tems are time-synced. compare This option compares the contents of thefiles and updates the remote version if thefiles are different. Use the compare optionif your computers arent time-synced; otherwise, you may transfer more datathan you need to, or you may miss impor-tant changes.savetargets This option makes a backup of each file onthe target before it overwrites the content.The backup file is named filename.OLD.whole This option preserves the whole path-name when making the backup copy onthe remote host.quiet This option silences the feedback fromrdist as it creates the backup.remove Use this option carefully because itremoves all the files on the remote hostbefore copying in the new backups of yourfiles. 62_571737c51.qxd 7/2/04 9:30 PM Page 39052 Archiving Changeswith CVSCVS (Concurrent Versions System) enables multiple developers towork on the same project without the risk of losing work. CVStracks changes to the files that make up the project. For example,while writing this book, we stored each technique in a separate file in aCVS repository. When we wanted to make a change to a technique, wechecked out the file, made our changes, and committed the changes backto the repository. We both used the same CVS repository (in fact, Susanwas writing with a Macintosh, and Korry was making typos on a Linuxcomputer). Sometimes, the same technique was checked in and out sev-eral times before it was done. With CVS, theres no risk of data loss. If wewould have both gotten the same technique accidentally, the merge fea-ture would have resolved the differences in the versions (not that itwould ever have happened). We also had a complete history of all thechanges that we ever made.When using a CVS repository, its a good idea to commit your changesfrequently. In addition to ensuring that your coworkers have access tothe latest version of your work, if something happens to your CVS client,the CVS server will always have a copy of your latest work. This tech-nique shows you how to use a CVS system to keep your work safe withminimal time and effort.CVS can be used with any type of file (though its not particularly power-ful for binary files). System administration files, sales lists, artwork, andprogramming projects are all good candidates for a CVS repository. If aproject goes awry, and you need to revert to a previous stage in yourdevelopment, CVS can reconstruct a working version from a previouspoint in the project. We show you how in this technique.CVS is a great timesaver saving you time by avoiding the potentialproblems that come from lost data and crossed development paths. WithCVS, you can secure your files and keep creativity flowing at a pace thatsuits everyone. TechniqueSave Time By Using CVS to archiveprojects Using cervisia to man-age your repository Reverting to a previousproject stage in an emergency Creating project branchesand development lines63_571737c52.qxd 7/2/04 9:31 PM Page 391Technique 52: Archiving Changes with CVS392 Keeping system configuration changes Tracking Web site versions Keeping manuscript backups Tracking sales lists, inventories, art work, and soon basically any project that evolves over timeCVS ensures that you wont lose work. Whateverproject youre working on, you occasionally need toback up, change direction, or just figure out whatchanged. CVS can do all that in a snap, for anythingyou can keep in a file.Creating a CVS RepositoryAfter CVS is installed on your system, youre just afew quick steps away from having a working CVSrepository. Be sure you have plenty of disk space availableon your CVS repository system. Rememberthat its keeping not only the current project,but also the project history. Repositories canbe huge, and not having to move them later isa big timesaver.In this example, you create a CVS repository to trackthe changes in configuration files. You have to play afew games with permissions because configurationfiles can be modified only by someone with superuserprivileges. Most of the Linux configuration files residein the /etc directory (or a subdirectory of /etc).Youll be creating a repository to hold the mastercopies (and revision histories) of each configurationfile. The /etc directory becomes a sandbox; that is,you can check a working copy out of the repositoryand into the /etc directory tree.Follow these steps to create a cvs group (only mem-bers of this group can interact with the repository)and a CVS repository:1. Open a command line and give yourself superuser privileges: $ suGetting Started with CVSA CVS repository contains all the files that are rele-vant to a developing project. Each developer (oradministrator, or author, or artist) checks out a copyof a project file to make changes to it. The revisedfile is then committed back to the repository, alongwith comments (for easy review later). The mastercopies always live in the repository; each developerchecks out a sandbox to play, er, work in.CVS client software is available for most platforms,so having many developers on a mixed-machine net-work is easy. You can work in the environment ofyour choice without causing any conflicts with theoverall project.Checking whether CVS is installedIf you installed the Development Tools package whenyou set up your Linux system, you probably alreadyhave CVS installed. To check, type cvs at the com-mand line and press Enter. If CVS is installed, Linuxdisplays a list of command options.If CVS isnt installed on your system, you can findthe RPM package on your Linux CD (or DVD), or justsearch and download an RPM file from the Web. VisitTechnique 17 if you need help installing the RPM.RCS versus CVSRCS (Revision Control System) is the old versioning soft-ware that is included with Linux. Unlike CVS, RCS worksonly on a local machine, so its usefulness is limited to smallprojects. CVS is constructed as a wrapper around RCS. Thestorage mechanisms are the same, but CVS offers moreadvanced functionality for managing complex projects.Discovering what to use CVS forCVS is good for all sorts of projects. It was developedprimarily to track changes to software developmentprojects, but its great for the following uses as well:63_571737c52.qxd 7/2/04 9:31 PM Page 392Populating Your Repository with Files 3932. When prompted, enter the superuser password.3. Create the cvs group:# groupadd cvsusersIf you see a message stating that group cvsalready exists, just ignore it.4. Move to the root directory:# cd / 5. Create a new directory for cvs:# mkdir cvsKeeping our repository directly under theroot directory is just a matter of preference. Itcan reside anywhere you like.6. Change the group ownership of the CVS repository:# chgrp cvsusers /cvs7. Set the permissions for the cvs directory:# chmod g+srwx /cvsThese permissions allow any member of the cvsgroup to view or modify the files in the reposi-tory. The g+s part ensures that all the files thatyou store within the repository are also ownedby the cvs group.8. Initialize the repository by typing the followingcommand and pressing Enter:# cvs -d /cvs init If you look in your new directory, youll find a subdi-rectory called CVSROOT. The CVSROOT directory con-tains administrative files for use by CVS. Dont forget to add the appropriate users to the cvsgroup (at least add yourself).A fast way to add a user to your new group iswith the command /usr/bin/gpasswd -ausername groupname. To use this command,you must hold superuser privileges.Populating Your Repository with FilesAfter youve created a CVS repository, you need topopulate it. For now, just add a few files; you canalways add more later.To add files to your repository, follow these steps:1. Move to the directory that youll be archiving:# cd /etc2. Check out the top-level CVS directory:# cvs -d /cvs checkout . Dont forget the . (dot) at the end.The checkout command creates a sandbox. Atthis point, the repository holds only CVS book-keeping information, but later, a sandbox willcontain a working copy of each file in the repository.3. The cvs add command inserts a new file intothe repository, so add the hosts file as follows: # cvs add hosts 4. You can also add subdirectories. This com-mand creates a new subdirectory within therepository:# cvs add xinetd.d/ 5. Now move into the /etc/xinet.d directory:# cd xinetd.d/6. Add all the files in /etc/xinet.d:# cvs add *7. After the files and directories are added to therepository, move back to /etc:# cd .. 8. At this point, youve scheduled a few files to beadded to the repository, but you havent com-mitted your changes. To make your changespermanent, use the cvs commit command:# cvs commit -m Adding initial files63_571737c52.qxd 7/2/04 9:31 PM Page 393Technique 52: Archiving Changes with CVS394Now, youve got a copy of the hosts file (in yoursandbox) that you can modify. Fire up yourfavorite editor and czhange the file as you see fit.4. Modify your local copy and then commit yourchanges with the following command:$ cvs commit -m your comment herehostsUse the -m flag to include your comment inyour commit statement. Its not only faster, butalso saves you a trip into vi (or vim). vi canbe a cold, dark place.When CVS is finished, it displays a message likethis:Checking in hosts;/cvs/hosts,v Simplifying CVS with cervisia 395Simplifying CVS with cervisiaLife at the command line is great, if youre used toliving there. But sometimes a great tool can helpspeed up the process and, at the same time, befriendly and easy to use. Numerous graphical inter-faces for CVS are available, but one that works greatwith KDE is included in most Linux distributions. Itscalled cervisia. Use the command line to create your initialrepository. You can use cervisia to check outfiles or add files to an existing repositoryquickly, but its not the right tool for creatingrepositories.cervisia is a CVS client that works with local orremote repositories and provides a user friendly andintuitive work atmosphere, as shown in Figure 52-1. Figure 52-1: cervisia in action.For more information about using cervisiaacross the Web, you can find the full docu-mentation at cervisia.sourceforge.net/documentation/index.html. Installing cervisiacervisia is installed with KDE if you chose to includethe KDE Software Development package when youfirst installed Linux. If cervisia isnt installed and you want to add it, useyour distributions installer to install the KDE Soft-ware Development package (sometimes known askdesdk).Putting files in your sandboxTo start cervisia, click the Start Here icon on yourdesktop to open Konqueror. Navigate to your workdirectory (your sandbox), and click the brick wallicon at the far right of your toolbar. Or, to create a new sandbox with cervisia, followthese steps:1. Open the Konqueror browser and navigate toyour work directory.2. Choose RepositoryCheckout from the menu bar.The CVS Checkout dialog opens, as shown inFigure 52-2. Figure 52-2: The cervisia CVS Checkout dialog.63_571737c52.qxd 7/2/04 9:31 PM Page 395Technique 52: Archiving Changes with CVS3961. Enter the file location in the Location line ofyour browser.2. Right-click the file you want to add, and fromthe pop-up menu that appears, choose Add toRepository. cervisias View menu contains an option toHide Non-CVS Files. If you cant see a file thatyou know is there, make sure that you donthave that option checked.3. When the CVS Add dialog opens, verify that thefile youve selected is listed and then click OK.At this point, the file youve chosen has been ear-marked for inclusion, but it isnt actually in therepository.4. Commit your addition by right-clicking the file-name and choosing Commit.5. Enter a log message (the more meaningful, thebetter) and click OK.Your file is added to the repository.Go work on the file in your sandbox!Committing your changesWhen youve finished editing a file, follow thesesteps to commit your changes to the CVS repository:1. Right-click the filename and choose Commit.A CVS Commit dialog opens (see Figure 52-3). Itshows the name of the file (or files) youre com-mitting and supplies a field in which you canenter a log message.2. Enter a log message and click OK.cervisia checks in your changes.3. In the Repository field, enter the location ofyour repository (/cvs if youve been followingalong from the beginning of this technique).4. Enter a . (dot) in the Module field.5. Enter the pathname of your working directoryin the Working Directory field.6. Click OK.cervisia checks out the contents of your CVSrepository into your work directory. This is either a bug or an undocumented fea-ture, but we need to exit cervisia and restartit before the files show up in the browser win-dow. These things happen.The contents of your sandbox are displayed in yourbrowser window and organized in the followingcolumns: File Name Status Revision Number Tag/Date TimestampTo edit a file, double-click it, and the file opens inyour favorite editor, ready to edit.See Technique 3 to set up the MIME map-pings for your editor. Between cervisia andMIME, you can edit and update your files inno time!Adding more files to your repositoryOften, you have to add files to your CVS repository especially if youre using it for tracking your systemconfiguration files. To add a new file to your reposi-tory, follow these steps:63_571737c52.qxd 7/2/04 9:31 PM Page 396Simplifying CVS with cervisia 397 Figure 52-3: The cervisia CVS Commit dialog.The next time you (or another user) check out thefile, you get a fresh copy that includes your mostrecent updates.Diplomacy 101 resolving conflictsAt some point in time, despite the best efforts of sys-tem administrators, two users will edit the same file,and a conflict will arise. If Freddie and Georgetteboth check out a file, both change it, and then bothcheck it in, CVS will catch the problem and try toresolve it.If Freddie and Georgette changed different parts ofthe same file, CVS graciously merges the changes. If they both change the same part of the file, humanintervention is called for.If Freddie checks in his changes and then Georgettetries to check in hers, Georgette sees an error mes-sage stating that her copy of the file is not current. If Georgette then updates her files, the files status ischanged to Conflict (assuming that CVS could notresolve the differences by itself).cervisia has a handy problem solver built-in: theCVS Resolve feature. If a file is highlighted in red andthe status is listed as Conflict, right-click the file-name and choose Resolve from the pop-up menu.The CVS Resolve dialog opens (see Figure 52-4). Figure 52-4: The CVS Resolve dialog.The merged version in the lower half of the screenpresents four possible merge options (A, B, A+B, andB+A) and the option to edit the merged results. Clickthe >> button to highlight the next conflict, and thenclick the button for the merge option that is the bestsolution to the conflict. If the combinations offeredarent correct, click the Edit button to edit the text.Browsing your log filescervisia includes a nice log file display tool thatshows graphical representations of all the changesin a development tree. The browser enables you toquickly determine where your project is and hasbeen recently.To use the log browser, right-click the filename, and choose Browse Log. The CVS Log dialog opens(see Figure 52-5).63_571737c52.qxd 7/2/04 9:31 PM Page 397Technique 52: Archiving Changes with CVS398The Diff view can be your best friend in timesof trouble. If things get really off course, youcan use Diff to help you quickly find the pointin the revisions that took you off course.The Annotate button shows you a line-by-line view ofthe changes made to reach revision A (we call theAnnotate tool the blame button because you can seewho made a given modification). Hovering over thescreen entries shows revision information about thatline, as shown in Figure 52-7. Figure 52-7: The cervisia CVS Annotate dialog.Marking milestones with tagsThe typical CVS repository holds many (sometimesthousands) of files. Its unlikely that youll modifyevery file in the repository whenever you changeone file in the repository. Instead, troublesome filesare modified frequently, and stable files tend toremain unchanged. That means that at any point intime, youll have some files at revision number 1.5,some files at revision 1.200, and a few at revision 4.2.At certain points, youll want to tag all the files in therepository so that you can get back to that point intime without having to look up all the revision num-bers yourself. A tag marks a point in time. The tag(usually) includes all the files in the repository as ofa given date and time.Its a good idea to tag the repository whenever youreach a point where the collective revisions make upa release or a working version of whatever it is thatyoure tracking.Simple tagging is quick and easy with cervisia. Totag a version, follow these steps: Figure 52-5: The cervisia CVS Log dialog.Choose a revision from the tree, and the informationis transferred to the bottom half of the screen andshown in Revision A.Now, if you middle-mouse click another revision, theinformation is transferred into Revision B. (Left-clickselects a revision into the Revision A fields; middle-click selects a revision into the Revision B field.)If you dont have a middle mouse button,move to the List view, and use the arrow keysand Ctrl-A and Ctrl-B to select your revisions.From the CVS Log dialog, you can use the Diff buttonto display the differences between revisions, asshown in Figure 52-6. Figure 52-6: The cervisia CVS Diff dialog.63_571737c52.qxd 7/2/04 9:31 PM Page 398Simplifying CVS with cervisia 3991. Highlight the top level directory (your sandboxpathname) and choose AdvancedTag/Branch.2. Enter a tag name and click the OK button.That was fast, eh?Here are a few points to keep in mind when choosingtag names: A common naming convention is the projectname followed by a version number. Tag names cant include blanks or punctuationmarks. Tags are most helpful when youve chosen mean-ingful names. Names like WorkingConfiguration orJustPriorToMessingUpMyConfigurationFilesarent a bad idea. They can make it easy foryou to find a place to revert to.To revert to a tagged revision of your project,choose AdvancedUpdate to Tag/Date. You have theoption to change your sandbox copy to a branch, atag, or a previous date.Didnt tag, but need to revert? No problem;just select the Update to Date option button,enter your date, and click OK. Youll have anew old sandbox in no time. Branching off with cervisiaWhen your project branches, it usually means thatone part of your project maintains the current devel-opment path, while another part heads in a new direc-tion. Software developers create branches all thetime. While one release is maintained and stable,another branch is growing with radical changes. Ifthe changes dont work out along the way, the origi-nal, stable branch is still there and available for users,or you can revert to it if needed. By branching off,your project can remain on one development linewhile evolving into another.Use a branch or a tag at any point in develop-ment where your project will take a radicalturn. That way, you have a safe place to goback to!Branching with cervisia is similar to tagging:1. Highlight the top level directory in your sand-box and choose AdvancedTag/Branch.The Tag/Branch dialog appears.2. Enter the branch name, check the CreateBranch with This Tag box, and click OK.Youve branched out!Create your branches in your sandbox, andcommit them just like any other change. 63_571737c52.qxd 7/2/04 9:31 PM Page 39963_571737c52.qxd 7/2/04 9:31 PM Page 400Part XProgramming Tricks64_571737p10.qxd 7/2/04 9:32 PM Page 40164_571737p10.qxd 7/2/04 9:32 PM Page 40253 Using Open-SourceAPIs to Save TimeIf youre a programmer, you know that the best way to save develop-ment time is to build programs using components developed by others.In fact, every time you build a program that runs on a Linux computer,youre using open-source components. The C runtime library, the Linuxruntime library, and even the kernel functions are open-source APIs (APIstands for application program interface). Imagine how difficult your jobwould be if every time you wrote a new program, you had to write a diskdriver, a windowing system, or even a complete operating system. Using open-source APIs saves development time and debugging time. Ifyou start with trusted, well-written components, you can concentrate yourdebugging efforts on the code that youre writing (and, because youreusing prebuilt components, thats a lot less code).Open-source libraries can also make your programs compatible withstandards and protocols used by other applications. In fact, in this tech-nique, we show you how to write simple Web-enabled programs by usingtwo open-source APIs.In this technique, we also show you the power behind curl, which is acommand line program that can upload and download files from FTP andHTTP servers. By adding the curl library (libcurl) to your programs,you can easily interact with FTP, secure FTP, HTTP, secure HTTP, GOPHER,telnet, dict, and LDAP servers. Your programs can handle cookies, usenetwork proxies, and even resume interrupted transfers with just a fewlines of code. Imagine how long it would take to write all that code byhand.We also show you a fun library named Ming. Ming creates Flash movies(Ming, Flash Gordon, get it?). Flash movies are typically played in a Webbrowser, but you can also download a stand-alone player. If youre notfamiliar with Flash, surf to the Macromedia Web site (www.macromedia.com)and watch a few of its Flash showcases. You can use Ming to produce static(unchanging) movies that show bar graphs and pie charts (or just aboutany other type of graph). You can also create interactive movies that youcan control with a mouse and your keyboard. TechniqueSave Time By Using the libcurl libraryto Web-enable your programs Creating Flash movieswith Ming65_571737c53.qxd 7/2/04 9:32 PM Page 403Technique 53: Using Open-Source APIs to Save Time404The multi API is built with functions defined by theeasy API. That means that you can mix functionsfrom both interfaces. Everything that you know about the easyinterface is applicable when you build a moresophisticated program based on the multiinterface. Uploading a File with a SimpleProgram Using libcurlEvery libcurl program starts with a call to an initial-ization function (typically curl_easy_init()) andends with a call to a cleanup function (typicallycurl_easy_cleanup()). In between these calls, youuse the curl_easy_setopt() and curl_easy_perform()functions to create and execute transfer jobs. Listing53-1 shows a simple program (named curlupload)that uses libcurls easy API to upload a file.When you run curlupload (we show you how tocompile it in a moment), include two command lineparameters: The name of the file you want to upload The upload destination, specified in the form of a URLFor example, to upload a file named photo.jpg to anFTP server, use this command:$ curlupload ./photo.jpg ftp://ftp.example.com/pub/upload/When you use this example in your own code,be sure to add some error checking. Checkthe command line arguments and be sure thefiles are valid files. See the libcurl documen-tation to find out how errors are reported toyour program.The following sections take a closer look at somelines in the curlupload program.Using the libcurl Library (C Programming)curl is a command line tool that can upload anddownload files from HTTP and FTP servers. Actually,thats a gross oversimplification; curl knows how todeal with HTTP, FTP, secure HTTP and FTP servers,gopher servers, telnet servers, local files, and manymore protocols.Downloading a file with curl is easy. For example, to download a file named news.html from the example.com Web site (and save it to a file namedmylocalfile), execute the following command:$ curl -o mylocalfile http://example.com/news.htmlcurl is very similar to the more familiar wget, exceptthat wget can only download data; curl can movedata in both directions.You can harness the power of curl in your own Cprograms by making calls to the libcurl API. Thelibcurl library comes in two flavors that you canmix and match. The easy API defines only six func-tions (and you can write useful, network-enabledprograms using only four of those functions). Themulti interface is more complex. When you call afunction in the easy API, your program pauses untilthe function completes. The multi interface, on theother hand, performs transfers in the background,returning control to your program as soon as you ini-tiate a transfer. In other words, the easy API is syn-chronous, and the multi interface is asynchronous. You can find the curl (and libcurl) Web siteat curl.haxx.se. Youll find complete (andeasy-to-follow) documentation about both theeasy and the multi interface.The Fedora, SuSE, and Mandrake distributions allinclude the curl command line program in an RPMpackage named curl. To write libcurl-enabled pro-grams, install the curl package and the curl-develpackage.65_571737c53.qxd 7/2/04 9:32 PM Page 404Uploading a File with a Simple Program Using libcurl 405Line 7: Defining functions and data typesThe libcurl C functions and data types are definedin the curl/curl.h header file, so libcurl-enabledprograms should #include that file (see line 7).Line 14: Calling the initialization functionLine 14 shows the call to the libcurl initializationfunction, curl_easy_init(). curl_easy_init(). Thiscall returns a handle.A handle is a small piece of data that a library usesto keep track of the state of something. In the case oflibcurl, the handle holds the state of a transfer job.In libcurl programs, a handle takes the form of aCURL pointer (see line 11). So what does a CURL pointer point to? Who knows?Thats the whole point of a handle the APIs authorputs anything that he needs into the structure behindthe handle, but the author of a client application(thats you) cant see the data. The API creates thehandle, and the client application just gives it backto the API whenever its needed. Lines 18 21: Defining the transferTo create a transfer job, use curl_easy_setopt()to define the characteristics of the transfer. Eachtime you call curl_easy_setopt(), you pass threeparameters: LISTING 53-1: CURLUPLOAD.C1 /* File: curlupload.c2 ** usage: curlupload 3 */45 #include 6 #include 7 #include 89 int main( int argc, char * argv[] )10 {11 CURL * curl;12 FILE * srcFile = fopen( argv[1], rb );1314 if(( curl = curl_easy_init()) != NULL )15 {16 char errorMsg[CURL_ERROR_SIZE];1718 curl_easy_setopt( curl, CURLOPT_ERRORBUFFER, errorMsg );19 curl_easy_setopt( curl, CURLOPT_UPLOAD, TRUE );20 curl_easy_setopt( curl, CURLOPT_URL, argv[2] );21 curl_easy_setopt( curl, CURLOPT_READDATA, srcFile );2223 if( curl_easy_perform( curl ) != 0 )24 fprintf( stderr, %s\n, errorMsg );2526 curl_easy_cleanup( curl );27 }2829 return( EXIT_SUCCESS );30 }65_571737c53.qxd 7/2/04 9:32 PM Page 405Technique 53: Using Open-Source APIs to Save Time406specified in the form of a URL, and curlupload sim-ply passes along the second command line argument(argv[2]). CURLOPT_URL is arguably the most impor-tant and most powerful transfer option. libcurl supports full URL syntax, so you can includea host name, user name, password, directory, andfile name when you run curlupload. Here are a fewexamples: ftp://example.comA simple URL specifies a protocol (ftp) and ahost name (example.com). libcurl can uploaddata by using http or ftp. You cant upload to aURL this simple because you have to specify atarget filename (but you can download from asimple URL). ftp://freddie@example.comIf you dont specify a user name, libcurl assumesthat you want to log in to an FTP server as useranonymous. If you want to connect using a differ-ent user name, just insert the user name, followedby @ in front of the host name. ftp://freddie:password@example.comYou can also include a password in a URL byinserting a colon (:) and the password followingthe user name. ftp://example.com/pub/A URL that ends with a / specifies a directoryname. You cant upload to a URL that ends with/, but you can download from such a URL. ftp://example.com/pub/drinks.txtBecause this URL does not end in a /, libcurlassumes that drinks.txt is the name of the destination file.Line 21: Telling libcurl where the data residesThe last option (line 21) tells libcurl where to findthe data that you want to upload. You can give uploaddata to libcurl two ways: The CURL handle returned by curl_easy_init() The symbolic name of the option you want tochange The new value for the optionTo upload a file, you must set four transfer options,as shown on Lines 1821.Line 18: Routing libcurl error messagesLine 18 sets the CURLOPT_ERRORBUFFER option. Thisoption tells libcurl where to store any error mes-sages in case something whacks out. When you setthe CURLOPT_ERRORBUFFER option, the third argumentspecifies the buffer where libcurl will store the errormessages. The documentation tells you that the errormessage buffer should be at least CURL_ERROR_SIZEbytes long (see line 16).Speaking of documentation, when you installthe curl RPM package, the documentationfor libcurl is installed as well. See infocurl_easy_setopt (or man curl_easy_setopt if you prefer) for a complete list oftransfer options and values.Line 19: Telling libcurl you want to upload a fileAt line 19, you define the CURLOPT_UPLOAD option tolet libcurl know that you want to upload a file (bydefault, libcurl assumes that you want to down-load data).You may have noticed that the data type for thethird argument to curl_easy_setopt() varies. Insome cases, the third argument is a char *; in others,its a numeric value; and a few options expect aBoolean value. Unfortunately, you have to infer theproper data type from the online documentation.Line 20: Telling libcurl where to send data To tell libcurl where you want the data sent, set the CURLOPT_URL option (line 20). The destination is65_571737c53.qxd 7/2/04 9:32 PM Page 406Installing the Ming Library 407 If the data resides in a file, just fopen() the file(see line 12) and give the resulting FILE pointerto libcurl by using the CURLOPT_READDATAoption. If the data does not reside in a file (maybe yourecomputing the data on the fly), you can write acustom function that libcurl calls whenever it needs more data. See the description of theCURLOPT_READFUNCTION option in man curl_easy_setopt for more information.Line 23: Starting the transferAfter youve primed the CURL handle with all theoptions that you need, start the transfer with thecurl_easy_perform() function (see line 23). curl_easy_perform() carries out the transfer operationthat you defined with the series of calls to curl_easy_setopt(). In fact, you can use the same CURLhandle in a whole series of transfer operations justby changing the options in between each transfer.(Typically, youll change the CURLOPT_URL and CURLOPT_READDATA before you start the next transfer.)If the transfer succeeds, curl_easy_perform() returns0. If an error occurs, curl_easy_perform() stores anerror message in errorMsg[ ], and curlupload dis-plays the text of the message at line 24.Line 26: Finishing the uploadWhen youre finished with the CURL handle, youshould call the curl_easy_cleanup() function (seeline 26). This function discards all the data struc-tures hidden behind the handle and frees anyresources that might still be in use.Installing the Ming LibraryIf youve crawled around on the Web, youve seenFlash-based Web pages. Flash is an interactive movietechnology created by Macromedia (www.macromedia.com). Flash movies typically play within a Webbrowser, and you can often interact with the moviesby using the mouse and keyboard. Most Flash moviesare created with the help of expensive graphical edi-tors, but you can also produce movies from a simpleC program. Ming is a small software library that lets you createFlash movies from several programming languages(C, C++, Perl, Python, and Java). When you run aMing program, you arent viewing the movie; youreonly creating it. You still need a Flash player (or aFlash play plug-in for your Web browser) to watchthe movies that you create. Ming is easy to install, but it doesnt follow the typi-cal download, configure, make tango. Ming comes insource form, so you have to compile it after down-loading. Before you build Ming, make sure you havethe libpng and libungif packages installed on yourcomputer (these two libraries should be included inyour distribution media). Use the command:$ rpm -q libpng libungif If rpm complains that either package is not currentlyinstalled, be sure to install it before you continue(see Technique 17 for help installing RPM packages).Follow these steps to install and compile Ming:1. You can find the latest version of Ming atming.sourceforge.net. Just download the ver-sion you want and unpack it.The Ming Web site currently hosts gzip, bzip2,and zip versions.2. Move into the directory created when youunpacked the tarball and type make to start thecompile process (note, you may see a few warn-ings but its safe to ignore them).3. When the compile step finishes, give yourselfsuperuser privileges and type make install.Thats it the Ming shared library is copied to/usr/lib/libming.so, and the Ming header fileis copied to /usr/include/ming.h.65_571737c53.qxd 7/2/04 9:32 PM Page 407Technique 53: Using Open-Source APIs to Save Time408Line 6: Defining the functions and data typesEvery Ming program must include the ming.h headerfile (line 6). ming.h defines the data types and func-tion prototype for the Ming library. Line 19: Creating an empty movieTo create a new Flash movie, start with a call to thenewSWFMovie() function (see line 19). newSWFMovie()creates a new, empty movie and returns a handle thatyou can use later when you call other Ming functions.Building a Simple Flash Movie with MingListing 53-2 shows a simple Ming program thatslowly rotates the colors in a given photo.Examining the programThe following sections take a closer look at the colors program, shown in Listing 53-2.LISTING 53-2: COLORS.C1 /* File: colors.c2 **3 ** Rotate colors within a photo4 */56 #include 7 #include 8 #include 910 static SWFDisplayItem load_photo( SWFMovie movie, const char * name );1112 int main( int argc, char * argv[] )13 {14 SWFMovie movie;15 SWFDisplayItem item;16 int frames = 40;17 float count;1819 movie = newSWFMovie();20 item = load_photo( movie, argv[1] );2122 for( count = 0; count < frames; ++count )23 {24 SWFDisplayItem_multColor( item, 1.0, 1.0, 1.0 - count/frames, 1.0 );25 SWFDisplayItem_addColor( item, 255 * count/frames, 0, 0, 1.0 );2627 SWFMovie_nextFrame( movie );28 }2930 for( count = frames; count > 0; --count )31 {32 SWFDisplayItem_multColor( item, 1.0, 1.0, 1.0 - count/frames, 1.0 );33 SWFDisplayItem_addColor( item, 255 * count/frames, 0, 0, 1.0 );3435 SWFMovie_nextFrame( movie );36 }65_571737c53.qxd 7/2/04 9:32 PM Page 408Building a Simple Flash Movie with Ming 409Line 20: Adding a photo to the movieAt line 20, you see a call to the load_photo() function.load_photo() is not a Ming function (we show it toyou in a moment in the section, Line 43: TellingMing how to read the photo file). load_photo()returns a handle to a bitmap thats been added tothe new movie. Lines 2228 and 3036: Making the photo move through framesLines 2228 create a number of frames (a movie ismade up of one or more frames), each with a slightlymodified version of the photo.Line 24 adjusts each pixel in the photo. In a Flashmovie, every pixel has four values: a red value, agreen value, a blue value, and an opaqueness value.The color values range from zero (no color) to 255(full color). The opaqueness value (also known asthe alpha value) determines how much of the back-ground shows through. An opaqueness value of zeromeans the pixel is invisible, and a value of 255 meansthe pixel is completely opaque (none of the back-ground shows through).Each time through the loop (lines 2228),SWDisplayItem_multColor() multiplies each colorvalue in each pixel. The first argument identifies the3738 SWFMovie_save( movie, colors.swf, -1 );3940 exit( EXIT_SUCCESS );41 }4243 static SWFDisplayItem load_photo( SWFMovie movie, const char * name )44 {45 SWFBitmap bitmap;46 SWFInput photo_file;47 FILE * photo;48 int height;49 int width;5051 if(( photo = fopen( name, rb )) == NULL )52 {53 fprintf( stderr, cant open photo\n );54 exit( EXIT_FAILURE );55 }56 else57 {58 photo_file = newSWFInput_file( photo );59 }6061 bitmap = newSWFBitmap_fromInput( photo_file );6263 width = SWFBitmap_getWidth( bitmap );64 height = SWFBitmap_getHeight( bitmap );6566 SWFMovie_setDimension( movie, width, height );6768 return( SWFMovie_add( movie, (SWFBlock) bitmap ));6970 }65_571737c53.qxd 7/2/04 9:32 PM Page 409Technique 53: Using Open-Source APIs to Save Time410Line 61 and 6366: Showing Ming how to work with the photoLine 61 reads the photo bits and creates a new struc-ture called an SWFBitmap by calling newSWFBitmap_fromInput().Lines 63 and 64 interrogate the bitmap to find thewidth and height (in pixels), and line 66 changes thesize of the movie to match the bitmap. Finally, load_photo() adds the bitmap to the current frame of themovie and returns a handle to the caller.Compiling the programBefore you can run colors, you have to compile it,and the following steps show you how to do thatusing make:1. Open your favorite editor and enter the follow-ing text:LDFLAGS += -lming -lz LDFLAGS += -lungif -lpng12 -lmcolors: colors.c2. Save your changes in a file named Makefileand close the editor.3. Type make and press Enter.The compiler starts running.If everything goes well, you have a new program inyour current directory named colors. If you see anyerror messages, go back and correct the errorsbefore proceeding.Running the programTo run colors, find a photo (JPEGs work well) thatyou like and then run the following command:$ ./colors /path-to-photoSubstitute the name of your photo for path-to-photo.When colors is finished, youll have a new Flashmovie in your current directory named colors.swf.display item you want to adjust. The second itemspecifies a multiplier for the red value of each pixel (multiplying by 1.0 means the red value isunchanged). The third, fourth, and fifth argumentsspecify the multipliers applied to the green, blue,and opaqueness values for each pixel.Line 24 decreases the blue value by a fraction eachtime through the loop but leaves the other valuesunchanged. The net effect is that the blueness of yourphoto slowly fades away with each frame. Line 25adds a dash of red to each pixel in the frame (again,leaving the other color components unchanged). Lines 3036 do essentially the same thing as lines2228, but rotate through colors in the oppositedirection subtracting some red and adding backthe blue in each frame.Line 38: Saving the completed movieAfter the movie is complete, call SWFMovie_save()to write it to disk (in this case, to a file named colors.swf).Line 43: Telling Ming how to read the photo fileNow take a look at the load_photo() function (start-ing at line 43). load_photo() starts by opening thefile whose name was passed as the second argument.The Ming library cant really do much with a FILEhandle. To read the content of the photo, you have to con-vert the FILE handle into an SWFInput. Whenever theMing library needs to read information from somesource, it uses an SWFInput handle. Ming can createSWFInput handles from a number of different sourcetypes. For example, the newSWFInput_buffer() func-tion will create an SWFInput that can read data froman area of memory. Because you already have a FILEhandle, you can use newSWFInput_file() to convertit into an SWFInput (see line 58).65_571737c53.qxd 7/2/04 9:32 PM Page 410Building Interactive Movies with Ming 411You can watch the movie with any Flash player. If youhave a Flash plug-in installed in your Web browser,simply open the colors.swf file in the browser, andthe movie appears. Youll see most of the blue fadeout of the photo that you chose and then slowly fadeback in. With the right photo, the effect is stunning.Building Interactive Movies with MingYou can also build interactive Flash movies with Ming.When you view an interactive movie, you can manipu-late on-screen objects with the mouse and keyboard.Listing 53-3 shows a short Ming program that pro-duces a movie that contains ActionScript. The moviedraws a small blue circle that you can drag aroundwith the mouse.Examining the programThe following sections take a closer look at thedragme program.Lines 418: Defining the scriptLines 418 define a string of Flash ActionScript. Inthis case, youre defining three anonymous functionsrelated to an object named circle (you create circlein just a moment): The first function is fired when you click themouse while the cursor is over the circle. It sim-ply calls the circles startDrag() method. The second and third functions fire when yourelease the mouse button (after youve started adrag operation). Both functions call the circlesstopDrag() method.You can include almost any ActionScript verb orfunction that Macromedia defines (see the Ming Website ming.sourceforge.net for restrictions).Line 20: Declaring local variablesNow look through the main() function. Unlike thefirst Ming program in this technique, dragme pro-duces a movie that can be viewed only by a Flashplayer newer than version 5 (ActionScript is a recentaddition to Flash).LISTING 53-3: DRAGME.C1 #include 2 #include 34 const char * action_script =5 circle.onPress = function()6 {7 this.startDrag();8 };910 circle.onRelease = function()11 {12 stopDrag();13 };1415 circle.onReleaseOutside = function()16 {17 stopDrag();18 };;(continued)65_571737c53.qxd 7/2/04 9:32 PM Page 411Technique 53: Using Open-Source APIs to Save Time412Lines 3945: Adding movementAt line 39, you create a sprite a sprite is somethingthat can move around on the screen. Line 40 addsthe shape (the circle created at line 34) to thesprite with SWFMovieClip_add(). Line 41 creates anew frame for the sprite. Line 43 adds the sprite tothe movie by calling SWFMovie_add(), which returnsa handle to the sprite display item.Look back at the ActionScript that starts at line 4 each function refers to an object named circle. LineLine 28 and 3035: Creating the new movieUse the Ming_useSWFVersion() function to tell Mingthat you want to create a Flash version 6 movie (seeline 28).At lines 3033, dragme creates a new movie, definesthe width and height of the movie, and sets the back-ground color to a light gray.Next, dragme creates a circle of radius 40 (line 34)and fills it with an opaque shade of blue (line 35).LISTING 53-3 (continued)1920 int main( int argc, char * argv[] )21 {22 SWFMovie movie;23 SWFShape circle;24 SWFFill fill;25 SWFMovieClip sprite;26 SWFDisplayItem f1;2728 Ming_useSWFVersion( 6 );2930 movie = newSWFMovie();31 SWFMovie_setDimension( movie, 550, 400 );32 SWFMovie_setBackground(movie, 200, 200, 200 );3334 circle = newSWFShape();35 fill = SWFShape_addSolidFill( circle, 0, 0, 128, 255 );36 SWFShape_setRightFill( circle, fill );37 SWFShape_drawCircle( circle, 40 );3839 sprite = newSWFMovieClip();40 SWFMovieClip_add( sprite, (SWFBlock)circle );41 SWFMovieClip_nextFrame( sprite );4243 f1 = SWFMovie_add( movie, (SWFBlock)sprite );44 SWFDisplayItem_setName( f1, circle );45 SWFDisplayItem_moveTo( f1, 100, 100 );4647 SWFMovie_add( movie, (SWFBlock)compileSWFActionCode( action_script ));48 SWFMovie_save( movie, dragme.swf, -1 );4950 exit( EXIT_SUCCESS );51 }65_571737c53.qxd 7/2/04 9:32 PM Page 412Building Interactive Movies with Ming 41344 assigns a name (circle) to the display item addedat line 43; after youve assigned a name to an object,you can manipulate that object in ActionScript code.Lines 4748: Compiling and saving the codeLine 47 compiles the action_script code (definedstarting at line 4) into a more compact (and effi-cient) form and adds the result to the movie. Finally,the movie is saved to a file named dragme.swf (seeline 48).Compiling the programTo compile the dragme program, follow these steps:1. If youve already created a Makefile (as wedescribed earlier in the section titled Compilingthe program), open the Makefile in yourfavorite editor, and add the following line tothe end:dragme: dragme.cIf youre creating a Makefile from scratch, theresult should look like this:LDFLAGS += -lming -lz LDFLAGS += -lungif -lpng12 -lmcolors: colors.cdragme: dragme.c2. Save your work and close the editor.3. Type make and press Enter.The compiler starts running.If you see any error messages, correct the problemsbefore proceeding.Running the programAfter youve compiled the program, run ./dragmeto produce a movie file named dragme.swf. You canopen the dragme.swf movie in any Flash player thatsupports Flash version 6.0 or later. When the movieappears, click the blue circle and drag it around withyour mouse. You can find more information about the Flashmovie format on the Web (just do a Googlesearch for SWF). You can also find a numberof books that cover Flash and ActionScript we recommend Flash ActionScript ForDummies by Doug Sahlin (published byWiley).65_571737c53.qxd 7/2/04 9:32 PM Page 41354Save Time By Using curl with PHP toretrieve data from theInternet Using XML data in PHPprograms Using the XML parser tomanage XML data Generating e-mail withPHP when somethinggoes wrongTechniqueTimesaving PHP TricksWhen you write a program in PHP, chances are the program willrun within a Web server (most often, Apache). Although PHP is a powerful, general-purpose programming language, mostpeople use PHP to generate dynamic HTML Web pages. In this technique, we show you how to leverage the power of PHP inter-faces to reach from one Web server to another. Using PHPs curl inter-face, your PHP programs can retrieve information from remote servers(Web servers, FTP servers, and so on). After you have the informationyou need, you can reformat it, pick out only the pieces that youre inter-ested in, and combine it with information from other sources for displayon your own Web site. We also show you how to use PHPs XML parser to find your way throughan XML data stream. If you havent run into XML before, think of it as self-identifying data. For example, the different pieces of a weather report(dew point, wind speed, and humidity) might be represented by the following XML snippet:...72FFrom the West at 23 mph98%...You can see that each element is surrounded by a pair of tags thatdescribes the data within. XML data can get pretty complex, but PHPsXML parser makes it easy to deal with. We show you how to combine PHP, curl, and XML to quickly incorporateweather reports (or just about any other type of dynamic data) in yourown Web pages. You also find out how to save a ton of development anddebugging time by making your PHP programs send you an e-mail whensomething goes wrong. Imagine a program that notifies you whenever itruns into something its not prepared to deal with. Thats a whole lot easier (and faster) than wading through debug logs. Youll never have to ask your users for a complete error message again. 66_571737c54.qxd 7/2/04 9:33 PM Page 414Doing the curl E-shuffle with PHP 415Doing the curl E-shuffle with PHPIf you read Technique 53, you already know quite a bit about curl. curl is a command line tool thatmakes it quick and easy to upload and downloaddata from other computers. curl can interact withWeb or FTP servers, secure servers, and even direc-tory servers. The curl project developers have cre-ated an easy-to-use library, named libcurl, that youcan use to build your own curl-enabled programs.libcurl programs can be written in a number of lan-guages. In the previous technique, you find out howto use libcurl from a C program; in this technique,we show you how to use libcurl from a PHP script.Combining PHP with curl and XML: An overviewPHP scripts usually run within a Web server (notwithin a Web browser). It might seem a bit strangefor a Web server to connect to another server toretrieve information, but thats actually a very usefulthing to do. You may want to relay information (likenews headlines) from a remote server to the Webbrowser. Or, you may want to translate informationyou obtain from another server into a more friendlyand useful format. Using libcurl from a PHP scriptmakes it easy to retrieve remote information.Thousands of Web sites publish information in XMLformat (eXtensible Markup Language). We mentionearlier that XML data is somewhat self-identifying;each piece of data is surrounded by a pair of tags thatdescribe the data contained within. For example, sup-pose you see the following text inside an XML stream:Sunny You could reasonably assume that Sunny is a forecast(probably part of a weather forecast). XML wasdesigned to make it easier for programs to makesense of a piece of data. PHP knows how to parsethrough an XML data stream and pick out the piecesthat youre interested in.In this section, we show you how to use PHP, curl,and XML to display weather conditions on your Web site. Checking out the XML fileThe Web site www.ejse.com publishes XML weatherconditions for your zip code. A typical weatherreport from EJSE might look like Listing 54-1.LISTING 54-1: WEATHER REPORT FOR MICROSOFTRedmond, WA2647F44FCloudyUnlimited 29.43 inches and rising40F0 Minimal77%From the Northwest at 6 mphRenton, WAThursday, February 26, 2004, at 9:53 AM Pacific Standard Time (Thursday, 12:53 PM EST).66_571737c54.qxd 7/2/04 9:33 PM Page 415Technique 54: Timesaving PHP Tricks416Downloading and displaying the XML file with a PHP script (and curl)Listing 54-2 shows a reasonably short PHP scriptthat downloads the current weather conditions for agiven zip code (currently hard-coded to 98052) andparses through the XML.(Thats not a typo; the XML stream misspells temperature.) Notice that each piece of data is surrounded by apair of tags that describes the data within. For exam-ple, the forecast (Cloudy) is surrounded by the tags and thats the essence of XML. LISTING 54-2: FINDING WEATHER CONDITIONS WITH PHP1 Doing the curl E-shuffle with PHP 41740 $tag = $tagName;41 }4243 function endTag( $parser, $tagName )44 {45 global $tag;4647 $tag = ;48 }4950 function dataHandler( $parser, $data )51 {52 global $weather, $tag;5354 $weather[ $tag ] = $data;55 }5657 function displayWeather( $weather )58 {59 echo( \n );60 echo( \n );61 echo( );62 echo( Current Conditions At . $weather[LOCATION] . \n );63 echo( \n );6465 echo( \n );66 echo( \n );67 echo( Current Weather for: . $weather[LOCATION] . );68 echo( \n );6970 echo( );71 echo( Forecast . $weather[FORECAST] . );72 echo( Temperature . $weather[TEMPRATURE] . );73 echo( Wind . $weather[WIND] . );74 echo( Wind Chill . $weather[FEELSLIKE] . );75 echo( Dewpoint . $weather[DEWPOINT] . );76 echo( Pressure . $weather[PRESSURE] . );77 echo( UV Index . $weather[UVINDEX] . );78 echo( );79 echo( \n );80 echo( \n );81 }8283 ?>66_571737c54.qxd 7/2/04 9:33 PM Page 417Technique 54: Timesaving PHP Tricks418Line 26: You see a call to the xml_parser_create()function. xml_parser_create() creates a new XMLparser and returns a handle. An XML parser doesntdo much by itself; it just identifies the various piecesof an XML stream. To make use of an XML parser,you have to provide callback functions. When anXML parser recognizes a chunk of data that youreinterested in, it calls the callback function that youprovide.Line 28: The call to xml_set_element_handler() tellsthe parser that youre interested in elements (or, aswe call them, tags). When the parser finds the begin-ning of an element, it calls the startTag function.When the parser finds the end of an element, it callsendTag (you see startTag and endTag in a moment).Heres a typical XML element:Redmond, WAWhen the parser sees , it calls startTag();when it sees , it calls endTag(). The stuffin between the tags is called character data we cantrap that, too (see the call to xml_set_character_data_handler() at line 29).Line 31: parseWeather() starts the XML parser witha call to xml_parse(), passing the raw XML data thatyou want to parse.Line 32: When xml_parse() completes, the call toxml_parser_free() shuts down the parser and freesup any lingering resources.Lines 3642: startTag() and endTag() are simple.When the parser calls startTag(), it sends along thetag name, which you store in a global variable named$tag. The tagAttributes parameter contains XMLelement attributes (if there are any); the weatherinformation that youre looking at wont containattributes, so you can safely ignore this argument.This script is very simple:Line 5: The script calls loadWeather() to retrieve thecurrent conditions and store them in $xmlData.Line 6: parseWeather() parses the XML stream andstores the result in $weather.Line 7: displayWeather() picks apart the $weatherarray and creates an HTML table thats sent to theWeb browser.Line 9: The loadWeather() function (starting at line9) downloads an XML stream from the URL shownon line 11. (Change the zip code at the end of theURL to match the location that youre interested in.) Line 12: Before you can start a transfer usinglibcurl, you initialize the library and save a copy ofthe handle returned by curl_init().Lines 14 and 15: Next, you see two calls tocurl_setopt(). The first call (line 14) gives the URLto libcurl, and the second call (line 15) tells libcurlthat you want to download data and store it in a vari-able (as opposed to storing the data in a file).Line 17: curl_exec() starts the download, waits forit to complete, and stores the result in $xmlData.When curl_exec() finishes, $xmlData contains thecurrent weather conditions, in XML form, as shownin Listing 54-1.Line 1921: Finally, loadWeather() closes its connec-tion to libcurl (see line 19) and returns the XMLdata to the caller (line 21).Line 24: parseWeather() (lines 2434) expects twoparameters: the destination array ($weather) and theraw XML data ($data). parseWeather() doesnt doany of the hard work itself; instead, it calls on PHPsXML library to pick apart the XML data.66_571737c54.qxd 7/2/04 9:33 PM Page 418Doing the curl E-shuffle with PHP 419Lines 4348: The endTag() function (lines 4348) iscalled whenever the parser sees an end tag. In thisfunction, you simply set the global variable $tag toan empty string. Lines 5056: In between calls to startTag() andendTag(), the XML parser calls dataHandler() tohandle the data within the tags. dataHandler() sim-ply stores the data that its given (a string containedbetween a pair of tags) in the $weather associativearray.The process is clear when you follow a typical ele-ment through the parser. Say that the parser runsinto the following text:Redmond, WAWhen the parser sees the start tag, it callsstartTag(). startTag() stores the tag name(Location) in the $tag global variable. (Actually, theparser converts all tag names to uppercase, so $tagis set to LOCATION.) Next, the parser callsdataHandler() with the chunk of text (Redmond, WA)between the start tag and the end tag. dataHandler()stores the data in an element of the $weather arrayusing the tag name as in index into the array. Inother words: $weather[LOCATION] = Redmond,WA. Finally, endTag() wipes out the global $tag name(thats not strictly necessary, but it makes your codea bit more obvious).When the parser finishes its work, $weather lookslike this:$weather[LOCATION] = Redmond, WA$weather[ICONINDEX] = 26$weather[TEMPRATURE] = 47F$weather[FEELSLIKE] = 44F$weather[FORECAST] = Cloudy$weather[VISIBILITY] = Unlimited... ...Lines 5781: The displayWeather() function buildsan HTML page that it sends to the Web browser. Theresult looks similar to Listing 54-3.LISTING 54-3: WEATHER CONDITIONS IN HTMLCurrent Conditions At Redmond, WACurrent Weather for: Redmond, WAForecast CloudyTemperature 48FWind From the South at 6 mphWind Chill 45FDewpoint 42FPressure 30.22 inches and risingUV Index 0 Minimal66_571737c54.qxd 7/2/04 9:33 PM Page 419Technique 54: Timesaving PHP Tricks420my_err_handler() doesnt do anything without a little help. To enable my_err_handler(), call PHPsset_error_handler() function, giving it the name ofthe function that you want to run whenever an error(or warning) occurs, like this:set_error_handler( my_err_handler );All PHP error handler functions are called with thesame five arguments: The first argument indicates the severity of theproblem encountered. $severity will be one ofthe following values: E_USER_ERROR E_USER_WARNING E_USER_NOTICE E_WARNING E_NOTICE The second argument ($errmsg) contains thetext of the error message. The third and fourth arguments ($filename and$lineno) indicate the point at which the erroroccurred. The last argument is an array that contains thevariable values and variable names in the func-tion in which the error occurred. You can often resolve a problem given only the argu-ment values provided to the error handler function,but on occasion, you need more details. Themy_err_handler() function in Listing 54-4 e-mailsyou the error message, filename, and line number,but Listing 54-5 shows a new version of my_err_handler() that gives much more detail. Use the newversion while youre debugging your PHP code andthe original version when things seem to be hum-ming along tickety boo (thats a technical term).Sending E-Mail from PHP When Problems OccurThe PHP script described in the previous sectionworks well when conditions are perfect. We omittederror-checking code that you would normally includein a real-world application. Quite a few things can gowrong while checking for weather conditions: Theserver (ejse.com) could be down, the zip code youveentered may be incorrect, or the XML stream maycontain invalid data. Checking for errors is impor-tant if you want your Web site to be robust and well-behaved. If you dont do anything special to intercept errormessages, they are displayed in the Web browser.Thats not a very nice way to treat your usersbecause PHP error messages are often detailed, a bit abrasive, and of little use to the user.Given that PHP programs usually run within a Webserver, you dont have too many options when some-thing goes wrong. Youre not sitting in front of a PHPdebugger, so you cant step through the program,checking return codes and variables as the scriptruns. The most obvious way to find out whats gonewrong is to send error messages to the browser, butthats not very friendly (and the chances of a Webuser writing down all the details that you need areslim). You could write messages to a debug log, butthen youd have to remember to look through thoselogs occasionally to check for problems.What you really want is a PHP program thatactively notifies you by e-mail when some-thing goes wrong. Listing 54-4 shows a short PHP function that willintercept errors, warnings, and informational mes-sages and send an e-mail describing the problem tothe recipient of your choice.66_571737c54.qxd 7/2/04 9:33 PM Page 420Sending E-Mail from PHP When Problems Occur 421LISTING 54-5: MAILING DETAILED ERROR MESSAGES FROM PHPfunction my_err_handler( $severity, $errmsg, $filename, $lineno, $context ){$err_text = At . date(Y-m-d H:I:s (T));$err_text .= an error occurred at line . $lineno;$err_text .= of file . $filename . \n\n;$err_text .= The text of the error message is:\n;$err_text .= $errmsg . \n;ob_start(); // Redirect output to the temporary bufferprint_r( debug_backtrace()); // Generate (and format) a stack trace$err_text .= Stack Trace follows:\n;$err_text .= ob_get_contents(); // Add the stack trace to the body of the e-mail messageob_end_clean(); // And clean out the temporary buffermail( my-email@example.com, PHP Script Error, $err_txt );}LISTING 54-4: MAILING ERROR MESSAGES FROM PHPfunction my_err_handler( $severity, $errmsg, $filename, $lineno, $context ){$err_text = At . date(Y-m-d H:I:s (T));$err_text .= an error occurred at line . $lineno;$err_text .= of file . $filename . \n\n;$err_text .= The text of the error message is:\n;$err_text .= $errmsg . \n;mail( my-email@example.com, PHP Script Error, $err_txt );66_571737c54.qxd 7/2/04 9:33 PM Page 42155Save Time By Using DDD to debug Perlprograms Using the data window totrack variable values Watching your code withbreakpoints Using the Backtrace dia-log to view the contentsof your stackTechniqueUsing the DDDGraphical Debuggerwith PerlPerl is often referred to as the duct tape of the Internet. If you needto write a utility or script, Perl is a standard that you can count on.How can you save time when you use Perl? With a good debugger!Unless your code works perfectly the first time through, youll be spend-ing some time behind the window of a debugger, working the kinks out ofyour script.Linux offers a great open-source debugger called DDD (data displaydebugger). DDD is a graphical front end for several different commandline debuggers and saves you time by clarifying and simplifying theprocess of debugging programs. DDD can debug not only Perl code, butalso C, C++, Java, and other programming languages.You can use the source window in DDD to review your source code at aglance; you can even define and delete breakpoints and see cute littlestop signs where your program will stop. DDD also provides an easy but-ton interface to step through your program, stepping into subroutines toview the complete code or bypassing subroutines.With DDD, you can create a graphical display of the variables in your pro-gram and watch their values change as you step through the program.DDD dialogs help you in your debugging tasks by providing easy-to-readinformation about the status of your program. An easy-to-access helpmenu makes certain you have not only technical information, but alsoadvice about debugging your program (in case you get stuck).A lot of good books about the Perl programming language are available.The best timesaver we could think of was a quick introduction to anopen-source debugger that will save you time and make your life a loteasier. In this technique, we introduce you to DDD, which is a hugeimprovement over the command line debuggers of the past.67_571737c55.qxd 7/2/04 9:33 PM Page 422Debugging Perl Code with DDD 423Debugging Perl Code with DDDIf youve written many Perl programs, youre proba-bly familiar with Perls source-level debugger. To runa program under the control of the Perl debugger,use the -d option, like this:$ perl -d program.plAfter a bit of clicking and whirring, the debuggerappears, waiting for commands. If you type h andpress Enter, youre greeted with a helpful page ofintimidation, as shown in Listing 55-1.Dont panic; theres an easier way to debug Perl.Even if youre a hardened Perl veteran (and you havethe mental scars to prove it), youll love DDD, thedata display debugger. DDD is a graphical front endfor a number of different debuggers (GDB, DBX, thePerl debugger, and even the Python debugger).Installing and starting DDDDDD is included on most distribution media, so get-ting it up and running is simple. To install and startthe DDD debugger, follow these steps:1. Open a terminal window and give yourselfsuperuser privileges with the su - command.2. Insert and mount the distribution media. 3. Move to the directory containing the RPM pack-ages and enter the following command:# rpm -Uhv ddd-version.rpm4. To run a Perl program under the control of theDDD debugger, use this command:$ ddd --perl /usr/bin/xql.plDDD opens, displaying a Tip of the Day and aninformation window in front of the main window.If the DDD RPM package isnt included onyour distribution media, you can download acopy of the RPM package from www.gnu.org/software/ddd.Examining the main windowDDD divides the main window into three panes,stacked vertically, as shown in Figure 55-1: The top pane, named the data window, displaysvariable values. (The data window is empty atfirst, but we show you how to put stuff there in amoment.) The middle pane, named the source window,shows the code that youre executing. A biggreen arrow points to the line of code thatsabout to execute. The bottom pane, the Perl console, is where youtype in debugger commands. Figure 55-1: The DDD main window.Data windowPerl consoleSource window67_571737c55.qxd 7/2/04 9:33 PM Page 423Technique 55: Using the DDD Graphical Debugger with Perl424 Figure 55-2: bbc.pl, as viewed from DDD.Reviewing and stepping through source codeIf displaying your code was all that DDD could do, itwould be marginally useful, but not much of a time-saver. But find a Perl program that you want todance through, and well show a few of DDDs moreuseful features.In the following example, we use a script that comeswith the kdeaddons RPM package, but you can useDDD to debug any Perl program.First, fire up the debugger:$ cd /usr/share/apps/knewsticker/scripts$ ddd --perl bbc.plThe DDD debugger window opens, displaying bbc.pl(see Figure 55-2).LISTING 55-1: PERL DEBUGGER COMMANDSList/search source lines: Control script execution:l [ln|sub] List source code T Stack trace- or . List previous/current line s [expr] Single step [in expr]v [line] View around line n [expr] Next, steps over subsf filename View source in file Repeat last n or s/pattern/ ?patt? Search forw/backw r Return from subroutineM Show module versions c [ln|sub] Continue until positionDebugger controls: L List break/watch/actionso [...] Set debugger options t [expr] Toggle trace [trace expr]] [cmd] Do pre/post-prompt b [ln|event|sub] [cnd] Set breakpoint! [N|pat] Redo a previous command B ln|* Delete a/all breakpointsH [-num] Display last num commands a [ln] cmd Do cmd before line= [a val] Define/list an alias A ln|* Delete a/all actionsh [db_cmd] Get help on command w expr Add a watch expressionh h Complete help page W expr|* Delete a/all watch exprs|[|]db_cmd Send output to pager ![!] syscmd Run cmd in a subprocessq or ^D Quit R Attempt a restartData Examination: expr Execute perl code, also see: s,n,t exprx|m expr Evals expr in list context, dumps the result or lists methods.p expr Print expression (uses scripts current package).S [[!]pat] List subroutine names [not] matching patternV [Pk [Vars]] List Variables in Package. Vars can be ~pattern or !pattern.X [Vars] Same as V current_package [Vars].y [n [Vars]] List lexicals in higher scope . Vars same as V.For more help, type h cmd_letter, or run man perldebug for all docs.67_571737c55.qxd 7/2/04 9:33 PM Page 424Making Stop Signs: Using Breakpoints to Watch Code 425The source window shows you the source code forbbc.pl, and a big green arrow points to the first executable line of code in the program. The greenarrow always points to the line of code thats aboutto execute.To step through the source code one line at a time,press F5 (or click the Step button on the pop-upmenu). DDD then executes a single line of code inyour Perl program and moves the green arrow to thenext executable line of code. Making Stop Signs: UsingBreakpoints to Watch CodeWhen you debug your program, you can use break-points to stop the execution of the code at a givenmoment during the programs execution for a closerexamination of the state of the program. This is, ofcourse, assuming your program executes for longenough to reach the breakpoint.Setting a breakpointIn the source window, find some code that you wantto watch and right-click in the blank area to the leftof the code (in other words, right-click in the leftmargin). A pop-up menu appears showing the follow-ing options: Set Breakpoint: Sets a permanent breakpoint atthat line. The debugger will stop when your pro-gram reaches that statement. Set Temporary Breakpoint: Sets a temporarybreakpoint at that line. The debugger will stopwhen your program reaches that statement andthen will delete the breakpoint. Continue Until Here: Sets a temporary break-point and then immediately continues the program. Set Execution Position: Moves the point of exe-cution (that is, the big green arrow) to the lineyoure pointing at.That last option (Set Execution Position) doesntwork with Perl programs sorry.When you set a breakpoint, a little red stop signappears to the left of the code. Modifying a breakpointIn the process of debugging your program, you mayfind you want to temporarily disable or completelyremove a breakpoint. To modify a breakpoint, right-click on a stop sign and choose Properties. TheProperties: Breakpoint dialog opens (see Figure 55-3). Figure 55-3: The Properties: Breakpoint dialog.From the Properties: Breakpoint dialog, you canenable, disable, or delete the breakpoint by clickingthe appropriate button. You can also assign a condi-tion to the breakpoint or associate commands withthe breakpoint, as described next.Assigning a condition to a breakpointYou can assign a condition to the breakpoint tostreamline its functionality. For example, if you wantto break only when $headline is undefined, type thefollowing command into the Condition field and thenclick Apply:!defined( $headline )67_571737c55.qxd 7/2/04 9:33 PM Page 425Technique 55: Using the DDD Graphical Debugger with Perl426MCPAN takes a few moments to download andinstall the stock.pl prerequisites.To start the DDD debugger and step through thestock.pl script, enter the following command:# ddd --perl ./stock.plThe DDD debugger opens, displaying the sourcecode for stock.pl, as shown in Figure 55-4. Figure 55-4: DDD displaying the stock.pl script.Opening the data windowTo open the data window, choose ViewData Window. The data window opens at the top of the display.The data window makes quick work of keep-ing an eye on the value of variables as youstep through a Perl script. Adding a variable to the data windowTo add a variable to the data window, right-click onthe variable and choose Display Variable from thepop-up menu. The variable is added to the data win-dow, with the current value displayed beneath theheader. You can build complex breakpoint conditions withthe usual Perl and, or, and not operators. Associating debugger commands with a breakpointYou can associate debugger commands with a break-point to display variable values or display a stack-trace. Click the Edit button and then enter a list ofcommands for DDD to execute each time the break-point fires. When you assign a command to a break-point, you have to use commands supported by thePerl debugger (refer to Listing 55-1) and surroundthem with double quotes. For example, to print thevalue of the $headline variable when a breakpoint ishit, click Edit and type the following command intothe box provided:x $headlineThen click Apply or Close when youre finished.Tracking Variable Values in the Data WindowThe next example shows the functionality and time-saving values in DDD. This example takes a couple ofsteps to set up, but its worth the time. The Perl script ./stock.pl is a stock value tracker.You need to install a few extra Perl programs beforeyou can run stock.pl, but the MCPAN shell can han-dle that for you easily:1. Open a terminal window and give yourselfsuperuser privileges with the su - command.Enter the following command:#perl -MCPAN -e installFinance::Quote2. When the installation program asks if youwould like it to satisfy the program dependen-cies, press Enter to answer yes.67_571737c55.qxd 7/2/04 9:33 PM Page 426Tracking Variable Values in the Data Window 427You can also add variable displays to the datawindow by entering commands in the Perlconsole. To add the fields to the data windowas shown in Figure 55-5, use the followingthree commands:graph display @tickersgraph display %quotesgraph display $quote->{TIMEOUT} Figure 55-5: Variables and their values in the datawindow.As you step through the code, the values of the vari-ables change in the data window (see Figure 55-6).Use the Step button to step into functions andsubroutines. The Next button steps over thefunction (executing the function) but doesntdisplay the activities within the function line-by-line.When the code executes, the TIMEOUT variable isassigned a value, as shown in Figure 55-7. Figure 55-6: Timeout is currently undefined. Figure 55-7: Timeout now has a value of 10.Changing the display to a tableIf the data displayed is hard to read in a row format,you can change the display to a table. Right-click onthe header for the data display and choose Rotatefrom the pop-up menu to change the orientation ofthe data display.67_571737c55.qxd 7/2/04 9:33 PM Page 427Technique 55: Using the DDD Graphical Debugger with Perl428Using the Help menuClick the Help button in the upper-right corner toopen a drop-down menu of help options. One note-worthy option on the Help menu is What Now. Clickthe What Now option to open a handy dialog withsuggestions of how you might want to proceed, asshown in Figure 55-9. Figure 55-9: What Now?The DDD Reference menu choice on the Help menuopens the DDD documentation. This is a quick wayto get up to speed on using the DDD debugger withPerl.Using the Backtrace featureThe Backtrace feature makes it easy to find the cur-rent point of execution when debugging nested sub-routines. Choose StatusBacktrace to open theBacktrace dialog, shown in Figure 55-8. Figure 55-8: The Backtrace dialog.With a quick glance of the Backtrace dialog, you cansee the contents of your current call stack.67_571737c55.qxd 7/2/04 9:33 PM Page 428Part XIThe Scary (Or Fun!) Stuff68_571737p11.qxd 7/2/04 9:34 PM Page 42968_571737p11.qxd 7/2/04 9:34 PM Page 43056 Burning CD-Rswithout GettingBurnedThis technique is all about writing CDs and DVDs. Burning your ownCDs is a quick and easy way to keep the information you use overand over again at your fingertips. Keep backups of your public/private key pairs, downloaded RPM packages, and data files on CD tosave time and money. CDs are small, inexpensive, portable, and easy tocreate, and with a little care, they last practically forever.Burning a DVD is just like burning a CD, except that DVDs hold a lot moredata and you need a DVD burner to do it. In this technique, if you see areference to burning a CD, you can safely assume that the technique alsoworks for a DVD.As we mention throughout this book, one timesaving set of CDs youllwant to make is a copy of your distribution discs. In this technique, wewalk you through making a set of Fedora distribution media from down-loaded disc images by using cdrecord at the command line. The sametechnique applies to any version of Linux distributed with ISO images just burn each ISO image to a separate CD.You can find a ton of open-source software on the Web, free for down-loading. If you find a package you like, keep an installable copy of theRPM package on CD because open-source projects are known to comeand go. Even if worldwide enthusiasm for the software you like disap-pears, youll still have a copy on CD. You can save time by writing backup files to CD without making an ISOdisc image first, but if you want to write CDs to save RPMs for later use,saving them in ISO image format is much more convenient. You canmount an ISO-formatted disc and explore the contents without using cus-tom software. The ISO file system is an industry standard, so if you wantto share programs with a friend, save them on an ISO-formatted disc,which your friends machine will have a better chance of understanding.In this technique, we show you how to create discs with or without ISOformatting.TechniqueSave Time By Making your own distribution CDs Writing CDs or DVDswithout creating ISOimages first Creating ISO-formattedimages when you need to69_571737c56.qxd 7/2/04 9:35 PM Page 431Technique 56: Burning CD-Rs without Getting Burned432 Figure 56-1: The Question dialog.5. Click the Save As button. 6. When the Save As window opens, as shown inFigure 56-2, click the Save button. Figure 56-2: The Save As window.The download begins. Even with a fast connec-tion, the download takes a while.7. When the download for the first disc com-pletes, repeat the download process for disc 2,and disc 3, collecting the three ISO images.yarrow-i386-disc2.isoyarrow-i386-disc3.isoAfter youve downloaded the three ISO images, youneed to verify the checksums to make sure you havea clean download. The next section explains how todo this.Making Fedora Distribution CDsSure you can download RPM packages off the Webwhenever you need them, but its a whole lot easier(and quicker) to have your own set of distributionCDs, handy and ready for use. You no longer have tosearch Web sites for the packages (hundreds of themexist) that are included with your distribution justpop in the CD and unpack.In this example, we walk you through down-loading and burning a set of distributionmedia for Fedora Linux. The process is thesame for SuSE or Mandrake just downloadand substitute the ISO images from the distri-bution of your choice.Downloading the ISO imagesTo download the ISO images to make your own set ofFedora discs, follow these steps:1. Open your browser window and browse tofedora.redhat.com/download/2. Click the Download the Files You Need link.3. Click the link to the ISO images.An ISO image is like a snapshot of the data ona disc. The image contains not only the files onthe disc, but the structure of the file system aswell. On the download page, you see links for SRPMSdisc images (source RPMs) and i386 disc images.The ready-to-run RPM packages are on the i386disc images.4. Click the link to download yarrow-i386-disc1.iso A pop-up window appears asking if you want toopen the file or save it to disk (see Figure 56-1).69_571737c56.qxd 7/2/04 9:35 PM Page 432Burning an ISO File to Disc at the Command Line 433Verifying the checksumsVerifying a files checksum is like comparing finger-prints. If the fingerprints match, its likely that thedownload was successful. To verify the checksumsof the ISO images youve downloaded, follow thesesteps:1. Click the Back button on your browser toreturn to the first Fedora download page.Below the link to the ISO images, look for thenames of the discs youve downloaded. Each name is followed by an md5 checksum:yarrow-i386-disc1.iso (md5sum:76ef22495d186580e47efd8d7a65fe6b)2. Write down the three checksums; youll needthem to compare to your computed results.3. Open a terminal window and cd to the direc-tory containing the downloaded ISO images. 4. Use the following command to calculate thechecksum for the first disc image:$ md5sum yarrow-i386-disc1.iso5. Compare the result to the checksum from theFedora Web site. The checksums should match. If they dont,download the file again.6. Repeat the process for the other disc files. When you have three ISO files with good check-sums, youre ready to burn the Fedora CDs! See the next section for details.Burning an ISO File to Disc at the Command LineIf you have access to a graphical environment, youllfind easy-to-use tools that help you make CDs orDVDs with a few clicks of the mouse. But the easiestway to burn an ISO image onto a disc is to hit thecommand line.Before you burn an ISO image, you need to find theidentity of your CD or DVD drive and then run a testburn. When those steps are complete, youre readyto burn the discs.The cdrecord package is included in the stan-dard Fedora distribution. It is part of the Soundand Video package and included in mostinstallations by default.Finding the identity of your driveBefore you can burn the ISO file to disc, you need tofind the identity of your CD drive:1. Open a terminal window and enter the follow-ing command:$ cdrecord --scanbusThe results look something like this:scsibus1:1,0,0 100) TEAC DW-224E F.0ACDR1,1,0 101) *1,2,0 102) *1,3,0 103) *1,4,0 104) *1,5,0 105) *1,6,0 106) *1,7,0 107) *2. Find your drive in the list. If you see more thanone device in the list, choose your drive by itsmodel name. The first three comma-separatednumbers make up the drive identifier. Writedown the drive ID because youll need it in amoment.Running a test burnA test burn does everything but turn the laser on. Ittests the system speed and determines whether theimage will fit on a disc. Basically, it prevents youfrom making a shiny coaster.69_571737c56.qxd 7/2/04 9:35 PM Page 433Technique 56: Burning CD-Rs without Getting Burned434Creating an ISO Image at the Command LineYou can put data on a CD or DVD two ways: You canjust burn the bytes that make up the data straightonto the disc, or you can create a file system to holdthe data and then burn the file system onto the disc. Heres an example to clarify what you get with eachoption. Say you want to store your e-mail inbox onCD. Typically, a mailbox is made up of two files: Themail messages are stored in one file (inbox.mbox),and the index is stored in a separate file (inbox.idx).You could simply stream both files onto the CD, oneright after the other, but youll find this method hasa few disadvantages down the road: Youll lose useful information. First, you wouldlose the filenames the filename is part of thefile system, not part of the file content. In fact,you would lose the boundary between the twofiles. If you stream two files to a CD, you cant tellwhere one file ends and the other begins. Youwould also lose the creation and modificationdates for the file, the owner and group IDs, andthe file permissions that information is storedin the file system, not in the file. You cant mount a raw data disc later on. Youllhave to stream the data back off the disc insteadand re-create the two data files yourself. You cant really tell whats on the disc if youforget to label it properly. This is one of thebiggest disadvantages to writing raw data. By creating an ISO image so that the file sys-tem travels with the data, youll reap all sortsof timesaving benefits. The alternative is tocreate a minifile system that holds the twofiles and then burn the file system to disc. Thefilenames are preserved, the owner and groupIDs are preserved, the permissions are pre-served, and the boundary between the twofiles is managed by the file system. You canmount a CD that contains a file system.To run a test burn, move to the directory contain-ing the ISO disc images and enter the following command:$ cdrecord --dummy dev=1,0,0 yarrow-i386-disc1.isoUse the device identifier that you discovered in theprevious section to identify the drive in the com-mand. The test results print to screen, displayingstatistics and errors about the burn.The most common error youre likely to encounter isa buffer underrun. A buffer underrun means yourcomputer wasnt able to feed data to the burnerquickly enough to keep up with the drive. Your com-puter may be too busy or too slow to burn a CD atthe maximum rate supported by your recorder. Ifyou get a buffer underrun error, run another testrecord, but set the speed to half of the speed listedin the statistics of the test burn:$ cdrecord --dummy dev=1,0,0 speed=8yarrow-i386-disc1.isoIf you still have buffer underrun errors, halvethe speed and try again. Dont forget to stopany unnecessary programs running on yoursystem. Burning the distribution discsWhen you get a successful result set from the testburn, take --dummy out of the command line and letthe burning begin:$ cdrecord -eject dev=1,0,0 yarrow-i386-disc1.isoAdd the -eject flag to eject the disc whenthe write is complete.cdrecord displays a nine-second countdown beforeturning on the laser. When the drive is finished writ-ing, the disc ejects. Repeat the steps to make discs 2and 3 of the Fedora distribution, and your set iscomplete!69_571737c56.qxd 7/2/04 9:35 PM Page 434Burning CDs without Making an ISO First 435There are still a few legitimate reasons to create araw-data CD (in fact, we show you how to do that inthe next section), but in most cases, you should create a file system first.Although you can write just about any type of filesystem to a CD (ext2, resierfs, xfs), most computersexpect to find an ISO 9660 (or ISO for short) file system when you put a CD in the drive.To make an ISO file system that holds the two mail-box files, open a terminal window and enter the following command:$ mkisofs -o mailbox.iso inbox.mboxinbox.idxThe -o mailbox.iso option tells mkisofs to write theresulting file system to a file named mailbox.iso.(You typically create the ISO image on your harddrive and then transfer it to a CD.)Use the isovfy command to verify that the ISO file is in good shape: $ isovfy imagename.iso.To write the ISO file to disc, use cdrecord just like wedescribe in the section, Burning an ISO File to Discat the Command Line, earlier in this technique. Forour example, we added the inbox ISO files to thecommand: # cdrecord -eject dev=1,0,0 mailbox.isoOf course, you have to use the device ID that youfound in the section, Finding the identity of yourdrive, earlier in this technique. If you havent tested your recorders burn per-formance, be sure to do a --dummy burn firstto find the correct write speed. You can alsofind details on speed in Running a test burn,earlier in this technique.You can also mount an ISO file system without firstburning it to disc. When you mount an ISO image(using Linuxs loopback adapter), youre sort oftreating the file system like an archive: Its a collec-tion of files and directories just like a tar archive.Any program can look inside a mounted file systemand get to the files inside; you cant do that with atar archive.To directly mount an ISO image, follow these steps:1. Give yourself superuser privileges.2. Create a mount point:# mkdir /mnt/myiso3. Mount the image to the mount point:# mount -o loop ./mailbox.iso/mnt/myiso4. Check out a listing of the ISO image with the lscommand:# ls /mnt/myisoThe mounted ISO image acts just like a drive. Lookinside it and be sure its just right before you write itto disc.Burning CDs without Making an ISO FirstIf an ISO 9660 file system is so great, why would youever want to burn a disc without one? To save time,of course (and disc space, too).Sometimes, burning a raw data disc is the bestway to save time and space. If youre creatinga backup CD or DVD, the archive tool thatyoure using already builds a wrapper aroundall the files in the archive. Why wrap a file sys-tem around an archive when the archivealready contains all the information that youneed (filenames, permissions, owner IDs, andsuch)? Also, it takes time to create an ISOimage. An ISO image takes up space on yourhard drive until youve burned it to disc. If allyou need is the data an ISO has to offer, thendont waste time creating the ISO.69_571737c56.qxd 7/2/04 9:35 PM Page 435Technique 56: Burning CD-Rs without Getting Burned436cdrecord doesnt know how to split the datastream if the stream contains more data thanthe disc can hold. Use the cdbackup programthat we cover in Technique 50 to split thestream across multiple discs.You cant mount a CD or DVD thats been createdthis way because it doesnt have a file system.Instead, you have to use a program that understandsthe raw data. To read a CD that youve created withraw tar data, use tar:# tar -xzvf /dev/cdromThis isnt too difficult, and youve skipped all theintermediate disc image files, too.Dont forget that you can use the Nautilusbrowser with the burn:// protocol to makeCDs. Check out Technique 1 for all the details!You can pipe the output of a command directly intothe standard input of cdrecord without creating anISO image. For this to work, the recorder must sup-port RAW-mode writing. Not all recorders supportRAW mode. If you have a drive that doesnt, you getan error message when you try to burn a CD. To burn a CD (or DVD) with a backup of the /etcdirectory (the /etc directory is full of your configfiles a good thing to back up), enter the followingcommand:# tar -czvf - /etc | cdrecord -ejectdev=1,0,0 -The -f - in the -czvf portion of the command tellstar to write the archive that it creates to its stan-dard output stream. The | directs the output fromthe tar command to the cdrecord command. The -at the end of the cdrecord command tells cdrecordto read a data stream from its standard input(cdrecord burns whatever data you send to its stan-dard input stream when you include a- at the end ofthe command line).69_571737c56.qxd 7/2/04 9:35 PM Page 43657 Search and Destroy setuid and setgidProgramsThere are valid reasons for having setuid and setgid programs onyour system. Programs that allow other users to log in to your sys-tem are often setuid or setgid programs, and they have the powerto grant elevated privileges to otherwise unprivileged users. Hackers are always looking for security loopholes that allow them toexploit even the slightest of vulnerabilities. Fortunately, popular programslike ssh are pretty tight, but other programs might not be so trustworthy.Security is sshs business simple user applications that allow access toyour system through a server might not be so careful to prevent programbreakouts through a shell escape.Keeping a vigilant eye on programs with setuid and setgid privileges isthe quickest way to protect yourself from an intruder posing as aninnocuous user. Closing the back door to hackers that would exploit thatsecurity lapse can save you a lot of time repairing damage to the systemcaused by an intruder. In this technique, we introduce you to setuid andsetgid, and show you how to add another line of security to your systemthat will stop intruders in their tracks. Exploring How setuid and setgid Can Be DangerousEvery user in a Linux system has a unique numeric user ID (called a UID).Every group has a unique numeric group ID (called a GID). If you log intwice (from two different workstations or from a remote computer), youstill have the same UID. The UID is associated with the user, not with thelogin session.TechniqueSave Time By Understanding the truepowers of a users identity Using kfind to identifythe setuid programs onyour system Carefully choosing whichsetuid bits to disable70_571737c57.qxd 7/2/04 9:35 PM Page 437Technique 57: Search and Destroy setuid and setgid Programs438setuid program (owned by, say, user franklin), theeffective UID of the process is changed from freddieto franklin (the real user ID remains freddie). Justby running a setuid program, freddie gains the privi-leges and permissions assigned to user franklin.That isnt a problem if franklin has limited privileges,but what if freddie runs a setuid program owned byroot? The system would be at freddies mercy if hecould start a terminal window from the program hesrunning.Anyone who runs a setuid program owned by root is automatically granted superuserprivileges. Remember, the superuser can Kill off any process Override file privileges Grant program privileges Lock users out Change file ownershipsYou can see from the list of privileges why you wouldwant to limit the number of setuid and setgid pro-grams on your system!When you turn on the setuid and/or setgid bits for aprogram, the files owner and group IDs are veryimportant. Thats because the privileges assigned tothe owner (or group) are now assigned to anyonewho runs the program. If you run a setuid programthats owned by user root, you become the super-user while that program is running. Any processesspawned by the program run with superuser privi-leges, too. Imagine what would happen if you turnedon the setuid bit for the bash shell (which is typicallyowned by user root) anyone who ran the shellwould suddenly become a superuser. Nasty business. Each time you run a program, Linux creates a newprocess for the program to run within. If you run two Solitaire games at the same time, you have twoprocesses (but only one program). Each process hasfour attributes that determine what that process isallowed to do: a real UID, an effective UID (EUID), areal GID, and an effective GID (EGID). When Linux creates a process on your behalf, theeffective and real UIDs are set to your user ID. Theeffective and real GIDs are set to your primary groupID (you can belong to many groups, but at any onetime, you have a single primary group ID).The effective UID and effective GID are used to deter-mine whether the process can access a given file.When you try to access a file, Linux classifies youreffective user ID (and group) into one of three categories: File Owner: If the effective user ID of the processmatches the numeric UID of the file, youre thefiles owner. Group Member: If the effective GID of the processmatches the numeric GID of the file, youre a mem-ber of the files group. Other: Your process is classified as an other ifthe effective UID doesnt match and the effectiveGID doesnt match.After your identity has been classified, Linux checksthe file permissions assigned to your category to besure you have the privileges required to access thatfile. When you run a program that has the setuid bitturned on, the effective user ID of the process ischanged from your UID to the files UID. In otherwords, if youre logged in as user freddie and yourun a normal (non-setuid) program, the effective andreal UID of the process is freddie. If freddie runs a70_571737c57.qxd 7/2/04 9:35 PM Page 438Identifying the Potential Troublemakers Fast 439Just turning on the setuid or setgid bit for aprogram isnt enough to let intruders sneakinto your system. They still need to have exe-cute privileges, either from their own logins orsomeone elses.Identifying the PotentialTroublemakers FastSearch your system with the find command, andyoull be surprised at how many setuid and setgidprograms you have. Most of these programs arebenign, but a real troublemaker needs only one goodopportunity to get in. Changing the setuid or setgidbit can close a door before a hacker finds it open.The first step in checking your system for backdoors through setuid and setgid is to figure outwhich programs have setuid and setgid turned on.You have two ways of doing this: By using an easy-to-use program called kfind or by working from thecommand line. The following sections have all thedetails.Finding setuid quickly and easily with kfindThe KDE Desktop includes a great tool calledkfind that can help you find the setuid pro-grams on your system in no time. kfind has afriendly graphical interface that leads you tothe setuid programs on your system with justa few mouse clicks.To use the kfind File Finder to locate the setuid pro-grams on your system, follow these steps:1. Open the Main Menu and choose RunCommand. 2. Enter kfind in the Command field and thenclick Run. The kfind Find Files dialog opens, as shown inFigure 57-1.kfind can find all sorts of files for you. Its ahandy tool worth getting to know. If youre running KDE, you can also startkfind by opening the Main Menu and click-ing Find Files. Figure 57-1: The kfind Find Files dialog.3. On the Name/Location tab, use the * defaultentry in the Named field. This suits our purposes well we want to findall the files that have the setuid bit set. 4. Enter the directory you want to search in theLook In field.For a thorough system search, start with asearch of the root directory. Just enter a / inthe Look In field.5. Choose the Contents tab and choose SUIDExecutable Files from the File Type drop-downlist. 70_571737c57.qxd 7/2/04 9:35 PM Page 439Technique 57: Search and Destroy setuid and setgid Programs440Finding setuid and setgid programs at the command lineIf you dont have a desktop environment or needmore information about a questionable program youfound with the KDE File Finder, the command linecan give you a more complete rundown on the own-ership and privileges of a setuid or setgid program.To use the command line to generate a complete listof the setuid programs on your system, open the terminal window, give yourself superuser privilegeswith the su command, and enter the following command:# find / -perm +u+s -type f -lsThe results look something like Figure 57-3. Figure 57-3: The programs in the root directory with thesetuid bit turned on.To locate setgid programs on your system, you use aslight variation on the find command:# find / -perm +g+s -type f -lsTo use the find command to locate all the setuidand setgid programs on your system, use the follow-ing command:find / -perm +ug+s -type f -ls6. Click the Find button in the upper-right cornerof the screen. The search begins. Depending on how much ofyour system youre searching, the process cantake a while. Nows a good time to go get a cup of coffee.When the search is complete, a list of the fileswith the setuid bits turned on displays in theresults frame, as shown in Figure 57-2. Figure 57-2: Search results for setuid programs.7. Cruising through the list of names in the resultset, you should recognize most of the programsas commands you use. If a program is unfamil-iar, check it out (see Deciding to Turn Offsetuid or setgid later in this technique fordetails).The File Finder searches only for setuid programs.For a list of the setgid programs on your system, youuse the command line. The next section has all thedetails.Searching out setuid and setgid programs atthe command line can also save you time byshowing you a complete list of ownership andprivileges at the same time. Use the File Finderfor a quick glance, but review any question-able programs in a terminal window. 70_571737c57.qxd 7/2/04 9:35 PM Page 440Changing the setuid or setgid Bit 441Deciding to Turn Offsetuid or setgidThe big secret to creating a more secure system is tofigure out what programs dont need the setuid bitturned on and then turn the bit off for those pro-grams. If you see a setuid or setgid program that youdont recognize, Google for it on the Web. If in doubt,turn off the setuid or setgid bit (see the next sectionfor details) and see if anything breaks.Turning off the wrong setuid bit or setgid bitcan lock you out of your system. Know yourprograms and permissions, and keep a termi-nal window open with superuser privilegesuntil youve tested the program with your regular login.Use sudo to distribute extra privileges to theusers that need them. Its a lot safer thanhanding out unlimited access to everyone. SeeTechnique 31 for some great ideas about usingsudo.Changing the setuidor setgid BitYou may want to disable the setuid or setgid bits onsome of the programs that arent used often or any-thing that you cant really identify.Try to find out what a program is before youdisable its setuid or setgid bit. If the programlooks questionable and leaves a door open, itmay be a security risk. You can tell that a program has the setuid (or setgid)bit turned on by looking at the output from an ls -lcommand. If you see an s in the fourth (from the left)permission column, youre looking at a setuid pro-gram. If you see an s in the seventh permission column, youre looking at a setgid program.If you look at a normal Linux program (that is, a program that is not setuid or setgid), you wont seeany s:-rwxrwxr-- 1 fred fred 1001Dec 13 18:50 myprogramTo turn on the setuid bit, use the following command:$ chmod u+s myprogramls -l then shows this:-rwsrwxr-- 1 fred fred 1001 Dec13 18:50 myprogramYou have to be the files owner (or have super-user privileges) to change the setuid or setgidbits.To turn on the setgid bit, use the following command:$ chmod g+s myprogramls -l then shows this:-rwsrwsr-- 1 fred fred 1001 Dec13 18:50 myprogramA program that has the setgid bit turned onassigns the files group ID to the process. To turn the bits back off again, use these commands:$ chmod u-s myprogram $ chmod g-s myprogram70_571737c57.qxd 7/2/04 9:35 PM Page 441Technique 57: Search and Destroy setuid and setgid Programs442A directory with setuid or setgid privilegesturned on forces all the files and subdirectorieswithin them to be owned by the directoryowner or group instead of the user creatingthe file. A setuid (or setgid) directory is not asecurity risk in the same way that a setuid/setgid program is. You dont have to disablesetuid/setgid directories to make your systemmore secure.If you see an uppercase S instead of a lower-case s, the setuid (or setgid) bit is turned on,but the execute bit is turned off. Thats usuallya nonsensical combination.70_571737c57.qxd 7/2/04 9:35 PM Page 44258 QuarantiningSuspicious Programswith UMLYou can put the most secure server behind a firewall, allow onlysecured logins, and limit administrative access, but somebodysgonna find a way to break in. You can only do so much to keep peo-ple out of your server and still keep it functional. The only truly securesystem is one thats completely isolated from the outside world, whichmakes it pretty hard to offer network services (like e-mail and Web pages).Instead of taking your servers completely offline, create a sacrificial serverthat you can afford to lose if someone does manage to break in. Of course,most of us cant afford to throw out a compromised system and replace itwith new hardware. Instead, you can use UML (User Mode Linux) to cre-ate a virtual server.Running a server from within a UML virtual machine isolates the serverfrom the rest of your system. As far as your server knows, the rest ofyour Linux machine doesnt exist, so to the eyes of an invading hacker,your real computer doesnt exist either.The open-source software movement has a lot to offer, but even high-quality programs sometimes harbor unintentional vulnerabilities. Even ifyou get your software from long-established and trusted sources, soft-ware often contains back doors and Trojan horses. Confining those pro-grams can protect the rest of your system from any viruses, Trojanhorses, or other security breaches that they might include.In Technique 15, we show you how to install User Mode Linux; be sure to review that technique before you go much further. In this technique,we show you how to use UML to create a defensive boundary of protec-tion between vulnerable software and your system. UML can save youfrom having to repair damage to your system, whether accidental orintentional.If youve searched around on the Web for information about creatingjails, youve probably seen references to chroot jails. chroot jails arenotoriously difficult to create and offer limited protection. In this tech-nique, we show you how to build a whole penitentiary with UML instead.UML jails are easier to build and manage, and provide a stronger line ofdefense than chroot jails.TechniqueSave Time By Using UML and LIDS tokeep potentially vulnera-ble programs in a safeplace Keeping hazardous pro-grams from touching your configuration files Resolving LIDS conflictsso servers can reach outfrom inside a jail71_571737c58.qxd 7/2/04 9:36 PM Page 443Technique 58: Quarantining Suspicious Programs with UML444In the sections that follow, we explain how to set upa UML jail and install a simple Apache server in thejail. Its a great way to use a UML jail, and you canhave a secure server up and running in no time.Using UML to Jail ProgramsUML is a jail in and of itself an isolated environ-ment where you can run programs without the pro-grams having easy access to the rest of your systemfiles. ADIOS installs four different UML configura-tions in your KDE menu: LIDS Off, LIDS On, SELinuxPermissive, and SELinux Enforcing. LIDS and SELinuxare hardening tools that further clamp down on vulnerabilities in a Linux system (in this case, a UML VM). Check out Technique 15 for quick installationinstructions for UML.We tell you more about LIDS in Technique 61, but fornow, heres a quick summary: LIDS takes away thesuperhuman powers of the superuser. When yourerunning in LIDS On mode, LIDS doles out superuserprivileges to specific programs (hopefully programsthat you trust) rather than give every possible privi-lege to someone who knows (or absconds with) yourroot password. The big advantage to LIDS is that itprotects your system (or your jail) against a hackerwho somehow manages to impersonate user root.With a few easy steps, you can isolate your host sys-tem, protecting it from adventurous hackers, whilestill offering network services to the outside world. Ifanyone does manage to compromise your server,that person has access only to the files and programsthat youve installed in the jail. If you keep a trustedbackup of your UML jail, recovering from an intrusionis trivial.To create a UML jail, follow these steps:Who Belongs in Jail?In the real world, troublemakers belong in jail. In theworld of computer software, potentially bad or vul-nerable programs belong in jail. The programs anddata youre trying to protect remain outside the jail,beyond the reach of intruders. A UML jail acts as asecurity barrier protecting the sensitive data andprograms on your system from hackers, Trojanhorses, and viruses that might come in by way of aback door through servers or through softwarethat might be a bit suspicious. Good candidates for confinement in a UML jailinclude the following: All kinds of servers, including mail, data, FTP,and Web servers Downloaded but potentially vulnerable softwareTechnique 18 shows you how to check the signature key on downloaded software withrpm -V. Checking the signature ensures thatthe software came from a reliable source (or atleast from the same person who claims tohave built the software). Check it out protecting your system is worth the time.The files that belong outside the jail are the files thatneed protecting: Password files Configuration files Data files Anything really importantBy putting these files outside the jail, you protectthem from the jailed programs and from anyone whomight break into the programs in the jail. With a UMLjail, you create a defensive barrier to protect thefiles outside the jail from both the programs in thejail, and the users with access to those programs.71_571737c58.qxd 7/2/04 9:36 PM Page 444Using UML to Jail Programs 4451. Open the main KDE menu and choose UserMode LinuxLIDS On. 2. When the happy penguin appears, log in as user root (the password is 12qwaszx) (see Figure 58-1). Figure 58-1: The UML login screen.When youre inside a UML VM, you have com-plete access to the host file system through thedirectory /mnt/host. If you peek at /mnt/host,youll see subdirectories like /mnt/host/bin,/mnt/host/etc, /mnt/host/usr, and /mnt/host/home. Those directories correspond to the /bin,/etc, /usr, and /home directories on the hostcomputer.Thats not a good arrangement when youre trying to block off access to those files. 3. To close that security hole, find a directory thatyou do want to expose to the jail (or better yet,just create an empty directory) and grant theVM access to that directory instead. For example, create a staging area like this:# mkdir /tmp/uml/jailRun that command in the host, not in the UML VM.Be sure that the /tmp/uml/jail directorycontains no symbolic links to the rest of thehost system. Use the ls -l command to listthe directory contents; if any of the permis-sions begin with an l, theyre symbolic linksand should be deleted.Any files that you put into /tmp/uml/jail willappear inside the VM in the directory /mnt/host. After you create the jail and add files to it, adjust thescript that boots your VM:1. Open the file /usr/bin/uml with your favoriteeditor.2. Find the line (near the top of the file) that saysLIDS_KERNEL=uml_linux_lids3. Change the line to readLIDS_KERNEL=uml_linux_lidshostfs=/tmp/uml/jailDont forget the quotes, or your UML VMwont boot.4. Find the line that saysSELINUX_KERNEL=uml_linux_selinuxThis line should be just below the line in Step 2.5. Change the line to readSELINUX_KERNEL=uml_linux_selinuxhostfs=/tmp/uml/jail6. Save your work and close the editor.Now you can easily copy files between the host andthe VM to populate your UML jail. You can copyfiles into (or out of) /tmp/uml/jail from your hostsystem. Inside the VM, copy files into (or out of)/mnt/host. It doesnt get any quicker or easier than that. 71_571737c58.qxd 7/2/04 9:36 PM Page 445Technique 58: Quarantining Suspicious Programs with UML4466. Start UML again with LIDS on. Open the mainKDE menu and choose User Mode LinuxLIDS On. Thats all there is to it. To change the root password, log in to theUML VM as root, and use the passwd com-mand, just like you normally would.Installing New Software andResolving ConflictsAfter you set up the jail and change the default password, your new UML jail is ready for software.Remember, any software you need to run (and man-age) inside your new jail must be installed in the jail.You cant reach into the outside world to borrowutilities anymore.One thing you might want to install into your UMLjail is Apache (or, more precisely, the Apache httpdWeb server). The Apache RPM package is includedin most Linux distributions. The following steps explain how to install the ApacheRPM in the UML jail, but you can modify these stepsfor any program:1. From your host machine, copy the RPM pack-age from the distribution CD to the UML VM:# cp httpd-2.0.47-10.i386.rpm/tmp/uml/jail2. Move into the UML jail and make your session aLIDS off session with the following command:# lidsadm -S -- -LIDSThis loosens restrictions on the superuseraccount while you do system maintenance.Actually, it does get a bit quicker. Open a ter-minal window and grant yourself superuserprivileges. Start two Konqueror (or Nautilus)sessions by typing in konqueror (or nautilus)at the command line. With one browser win-dow open to /tmp/uml/jail, and the otherbrowsing for the programs or files you want to add, you can populate your UML jail in notime!When you need to add software to your new UMLjail, you can copy program files in at the commandline, or use your browser. Either way, youll find it asnap to populate the Apache server you set up laterin this technique.Changing the DefaultPassword to the JailThe UML VM comes with a simple and easy-to-remember default password that works as both theroot login and the LIDS password. That might behandy at first, but you should change it quick: Itseasy for everyone to remember, even the bad guys.To change the LIDS password, follow these steps:1. Open the main KDE menu and choose UserMode LinuxLIDS Off. 2. Log in using the default password.The default password is 12qwaszx.3. Enter the following command:# lidsconf -P4. When prompted, enter a new password andthen reenter the new password. 5. Stop the UML VM with the halt command. 71_571737c58.qxd 7/2/04 9:36 PM Page 446Installing New Software and Resolving Conflicts 4473. Move to the directory containing the RPM package:# cd /mnt/host4. Install the RPM package with the followingcommand:# rpm -Uvh httpd-2.0.47-10.i386.rpm5. Start the httpd daemon by entering thiscommand:# service httpd startWhen you start the httpd daemon, you mayget a series of LIDS violation reports. Youneed to resolve any conflicts with the LIDSsecurity issues before your server can run. You are likely to encounter the following errors:Violated CAP_NET_BIND_SERVICETrying to bind port 443Attempt to unlink /etc/httpd/logsTo resolve these errors, follow these steps:1. Give yourself a LIDS off session with the follow-ing command:# lidsadm -S -- -LIDS2. Resolve the first two error messages with thesecommands: # lidsconf -A -s /usr/sbin/httpd -oCAP_NET_BIND_SERVICE 80-80 -j GRANT # lidsconf -A -s /usr/sbin/httpd -oCAP_NET_BIND_SERVICE 443-443 -j GRANT Youve just granted httpd the right to serviceports 80 and 443.3. Resolve the third error message with the following command:# lidsconf -A -s /usr/sbin/httpd -o/etc/httpd/logs -j WRITEYouve just given Apache the right to modify itsown logs.4. Reload the LIDS configuration database:# lidsadm -S -- +RELOAD_CONF5. Restart the Web server daemon:# service httpd startWhen httpd starts, it tells you the IP address ofthe Apache session. Make a note of this IPaddress because youll need it in a moment.6. Return to a LIDS on session with the followingcommand:# lidsadm -S -- +LIDS7. Enter the LIDS password, and youre runningthe Apache server in a secure environment. 8. To verify that Apache is running, open abrowser on the host machine and enter the IPaddress of the service in the Location field:http://192.168.202.1The Apache test screen opens, confirming the server is running. The service isnt config-ured yet you find out how to do that inTechnique 42. The service is secure though.Use the same technique to install other RPMpackages. You may have different LIDS con-flicts to resolve see Technique 61 for moreinformation about LIDS.To make a quick backup of your UML VM,just back up the cow file in /tmp/uml. SeeTechnique 15 for more information about cowfiles.71_571737c58.qxd 7/2/04 9:36 PM Page 44759Save Time By Using lsof to find openfiles Using strace to trackdown trouble spots Watching your programswith ltrace Recording memory usageerrors with valgrindTechniqueTroubleshootingPersnicketyProgramsLinux is a fairly mature operating system. In the early days of Linuxdevelopment, users found problems everywhere they turned. Thatsnot to say that Linux is any different from other operating systems;it takes time to iron out the wrinkles in any program. In fact, the super-buggy stage of Linux development was remarkably short, and you cannow run a Linux system for months at a time without encountering a bug.Often, the problems that you run into arent really bugs theyre config-uration problems. Tracking down the cause of a problem in a program (whether its a bug ora configuration issue) can be tricky, but Linux has a number of tools thatcan help.The lsof command shows you information about open files, opendevices, and open network connections. Ever tried to unmount a CD andfound that some process has a file open on the CD drive? lsof is theanswer. Need to create a clean backup of a complex database? Use lsofto make sure that your database is not in use.We also introduce you to two related tools: strace reaches inside a program and shows you a complete list of allthe system calls (calls into the Linux kernel) made by that program.You can browse through the log produced by strace to find which filesare opened by the program causing problems. Configuration problemsoften appear because a file is missing or protected too strongly. If youhave a program thats reading configuration information from a myste-rious location, use strace to find the hidden files. ltrace is similar to strace. While strace logs all system calls, ltracedisplays calls made to shared libraries. To a programmer, Linux is morethan just a kernel. Its also a huge collection of code libraries, writtenby others, but designed to share among many different programs.Shared libraries take care of operations like memory allocation,encryption, compression, GUI interaction just about everything thatdoesnt happen in the kernel. Watching the library calls made by a pro-gram can help pin down a configuration error whether the problemtrips up the kernel (strace) or a shared library (ltrace).72_571737c59.qxd 7/2/04 9:36 PM Page 448Using lsof to Find Out Which Files Are Open 449Finally, we show you a tool that can help somebodyelse track down a bug. valgrind watches runningprograms for memory usage errors and produces a report that can show a developer exactly where a program gets whacked. If youre a developer, valgrind makes it easy to track down intermittentproblems. If not, run valgrind and send the report to the developer of the program that youre trying to use.In this technique, we introduce you to a few diagnos-tic tools that you should keep in your troubleshootingtoolbox. Each tool exposes different information, soeach one is useful in tracking down a particular typeof problem. Using these tools together, you can makequick work of troubleshooting difficult programs.Using lsof to Find OutWhich Files Are OpenLinux is pretty forgiving when it comes to file shar-ing. In most cases, two (or more) users can work onthe same file at the same time (dont try that with atext editor though). You can share devices, too. Forexample, mount a CD, and anyone with the properprivileges can access the content, even if youreusing the CD at the same time. Sometimes, however,a device (or a file) cant be shared. Say that youre in the middle of burning a multises-sion CD using a program like k3b. Youve just finishedburning the first track, youve selected the files youwant to burn to the second session, you click theBurn button, and youre rewarded with the followingerror messages:Could not retrieve multisession information from diskThe disk is either empty or not appendableNow, you know that the CD is not empty, and yourepretty sure that you selected Start Multisessionwhen you burned the first track. Just to make surethe disc really has something already on it, you tryto mount the CD at the command line:# mount /dev/cdrom /mnt/cdrommount: /dev/cdrom already mounted That looks pretty fishy Linux thinks that someonehas already mounted the CD. Try to unmount the CD:# umount /dev/cdromumount: /mnt/cdrom: device is busyThat explains the original error message (well, sortof thats not a very helpful error message). Howdo you find the culprit? Use the lsof command. lsofprovides information about open files. The lsofcommand operates in three modes: If you run lsof without any arguments, youregreeted with a (very long) list of all the openfiles, devices, and network connections on yoursystem. Give lsof the name of a file, directory, or device,and you see a list of all the processes currentlyusing that file. Finally, if you give lsof a process ID, it showsyou all the files being used by that process. Use the second form to find out whos using your CD drive:# /usr/sbin/lsof /dev/cdromCOMMAND PID USER FD NAMEbash 1406 freddie cwd /mnt/cdromAha! freddie has managed to mount the CD just after you finished burning the first session. The cwd(in the column labeled FD) tells you that the currentworking directory of freddies bash session is /mnt/cdrom. Check out Technique 36 for the complete lowdown on lsof.Now that you know whos using your CD drive, youcan ask him