Linux Gazette... making Linux just a little more fun! Copyright © 1996-98 Specialized Systems Consultants, Inc. _________________________________________________________________ Welcome to Linux Gazette! (tm) _________________________________________________________________ Published by: Linux Journal _________________________________________________________________ Sponsored by: InfoMagic S.u.S.E. Red Hat LinuxMall Linux Resources cyclades stalker LinuxToday Our sponsors make financial contributions toward the costs of publishing Linux Gazette. If you would like to become a sponsor of LG, e-mail us at sponsor@ssc.com. Linux Gazette is a non-commercial, freely available publication and will remain that way. Show your support by using the products of our sponsors and publisher. _________________________________________________________________ Table of Contents January 1999 Issue #36 _________________________________________________________________ * The Front Page * The MailBag + Help Wanted--Article Ideas + General Mail * More 2 Cent Tips * News Bytes + News in General + Software Announcements * The Answer Guy, by James T. Dennis * Booting Linux with the NT Loader, by Gustavo Larriera * Defining a Linux-based Production System, by Jurgen Defurne * EMACSulation, by Eric Marsden * Evaluating postgreSQL for a Production Environment, by Jurgen Defurne * Introducing Samba, by John Blair * Linux Installation Primer, Part 5, by Ron Jenkins * Linux on a Shoestring, by Vivek Haldar * The Linux User, by Bryan Patrick Coleman * New Release Reviews, by Larry Ayers + Kernel 2.2's Frame-buffer Option * Running Your Own Domain Over a Part Time Dialup, by Joe Merlino * Setting Up a PPP/POP Dial-in Server USING Red Hat Linux 5.1, by Hassan Ali * Touchpad Cures Inflammation, by Bill Bennet * Through the Looking Glass: Finding Evidence of Your Cracker, by Chris Kuethe * USENIX LISA Vendor Exhibit Trip Report, by Paul L. Lussier * X Windows versus Windows 95/98/NT: No Contest, by Paul Gregory Cooper * Announcements by Sun and Troll Tech by Marjorie Richardson * The Back Page + About This Month's Authors + Not Linux The Answer Guy The Graphics Muse will return next month. _________________________________________________________________ TWDT 1 (text) TWDT 2 (HTML) are files containing the entire issue: one in text format, one in HTML. They are provided strictly as a way to save the contents as one file for later printing in the format of your choice; there is no guarantee of working links in the HTML version. _________________________________________________________________ Got any great ideas for improvements? Send your comments, criticisms, suggestions and ideas. _________________________________________________________________ This page written and maintained by the Editor of Linux Gazette, gazette@ssc.com _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ The Mailbag! Write the Gazette at gazette@ssc.com Contents: * Help Wanted -- Article Ideas * General Mail _________________________________________________________________ Help Wanted -- Article Ideas _________________________________________________________________ Date: Wed, 30 Dec 1998 05:04:56 -0800 From: "Fields, Aubrey", Aubrey.Fields@PSS.Boeing.com Subject: I have two ideas for articles. I am a new user to the Linux community. I have two ideas for articles that I would read, print, and distribute to the other Linux newbees that I know. 1. PPP using minicom. I have read several articles on using PPP, pppd, minicom and other dialup and networking issues. Being a new, however, I would find it very valuable to read "the definitive new users guide to configuring PPP on Linux". I've gotten a lot of pointers and some advanced tips, but what I'd like to see is how to setup a stand alone Linux 2.0.x machine (Red Hat v4 in my case) for dialing up via PPP using minicom with dhcp and dns provided by an ISP. 2. basic xfree86 / fvwm95 config tricks. For example, how to change the word "start" on the menu button at the bottom of fvwm95 to ANYTHING else! I kick Bill Gate off my PC for a reason! I don't find it cute, funny, nor reassuring to see the "I want to be windows95 'Start'" button on my Linux machine. also, how to use icons, get rid of the "virtual" desktop so that I can see my entire window without scrolling. Thank you very much, the Linux Gazette has proven to be a valuable resource! -- Aubrey _________________________________________________________________ Date: Wed, 02 Dec 1998 13:33:11 PST From: David Camara, cpdj2@hotmail.com Subject: connecting to novell 3.12 servers... Hi, I'm trying to connect to netware 3.12 servers. I am using the IPX module and ncpfs 2.2.0.7-1 (for Debian 2.0). Now, I don't use the auto_primary and auto_interface since a number of old posts recommend adding the ipx interface manually. I use: ipx_interface add -p eth0 802.3 xxxxxxxx When I cat /proc/net/ipx_interface: Network Node_Address Primary Device Frame_Type xxxxxxxx yyyyyyyyyyyy Yes eth0 802.3 When I try to slist, I get: slist: No server found in ncp_open When I try to mount a Novell volume using: ncpmount -S server_name -U user_name -V sys /mnt/ncp I get: ncpmount: No server found when trying to find server_name All this as su root... Any ideas? Thanks! -- David _________________________________________________________________ Date: Tue, 8 Dec 1998 12:16:20 -0500 From: Blazek, Daniel, blazek@globalserve.net Subject: Ethernet Which Ethernet cards are compatible with Linux with minimum ease of installation, also does the make/model of the hub matter? -- Dan _________________________________________________________________ Date: Tue, 15 Dec 1998 12:29:37 +0000 From: Tomos Llewelyn, tml@aber.ac.uk Subject: "Unable to open console..." Why? Can anyone tell me why I'm getting this message? Trying to boot a 2.0.36 kernel on a PII350 with an ATI Xpert@Play 8Mb AGP card. Should I be tweaking the video mode? -- Tom Llewelyn _________________________________________________________________ Date: Mon, 14 Dec 1998 12:46:57 -0500 From: Michael Bright mabright@us.ibm.com Subject: Token Ring Errors with SuSE 5.3 Hi, I would seriously appreciate any help you can give. I had the evaluation copy of SuSE 5.3 running fine on this machine. I loaded the full version of SuSE 5.3 and the Token ring went south. During install everything went fine, including loading the token ring module. I have replaced the ibmtr.o module file from a working machine with _no_ change in the error. I also checked the /etc/conf.modules file to make sure the alias is defined right ( alias tr0 ibmtr.o ) and the options line is right ( options ibmtr io=0xa20 ). At this point I see two options, reload the machine with the eval copy and do an upgrade or recompile the kernel and hope for the best. initialising tr0 general protection: 0000 CPU: 0 EIP: 0010:[] EFLAGS: 00010212 eax: 00000003 ebx: 0009e658 ecx: fffffff7 edx: 00000000 esi: f000f84d edi: 00000003 ebp: 00000000 esp: 019b7e0c ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018 Process insmod (pid: 66, process nr: 16, stackpage=019b7000) Stack: 0009e658 00000000 00000003 019b7e4c 00000008 0010ca1c 00000003 00000000 019b7e4c 019b7e4c 00000003 00000000 0009e658 0010bae1 00000003 019b7e4c 001f9b7c fffffff7 00108e00 00000003 00000000 0009e658 ffffff50 00000018 Call Trace: [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] Code: 0f b6 56 2f 83 fa 01 0f 84 9e 07 00 00 83 fa 02 0f 85 a9 07 Aiee, killing interrupt handler OS: SuSE 5.3 Hardware: IBM ISA Auto 16/4 Tokenring adapter. Thanks, -- Michael _________________________________________________________________ Date: Wed, 16 Dec 1998 14:33:55 -0600 From: David Caliguire, djc@sgi.com Subject: Driver for Netflex III card on Linux I noticed a question posed to the Gazette about drivers for Netflex 3 cards on Compaq on Linux. I have a Compaq with this card and would like to know where I could get a driver for this card for Linux....... Thanks -- Dave _________________________________________________________________ Date: Wed, 16 Dec 1998 16:06:42 -0300 From: Saltiel, Hernan Claudio, hsaltiel@infovia.com.ar Subject: Help Wanted!!! I have a Linux box, with S.u.S.E., and a Lotus Notes server. I want to e-mail the status of my workstation to another user that belongs to the Notes Network. Does anybody know how to do that, or just the concepts to do this? -- Hern´n Claudio Saltiel _________________________________________________________________ Date: Sun, 13 Dec 1998 14:35:20 -0500 From: John, john@maxom.com Subject: Accounting I am looking for some inexpensive Accounting w/Inventory Software that will run on Linux . If you could point me in the right direction I would be greatly thankful Thank You -- John Nelson _________________________________________________________________ Date: Thu, 24 Dec 1998 14:47:09 +0200 From: "tdk001", tdk001@mweb.co.za Subject: Linux and UNIX I am a 2nd year computer science student. I have looked everywhere for the answer and found only basic answers. My question is what exactly is the difference between Linux and UNIX, excluding size and speed. I would appreciate it if you could just send me a few of the differences. Thank you -- Frans _________________________________________________________________ Date: Tue, 22 Dec 1998 12:33:42 -0000 From: "James Jackson", james.jackson@3f.co.uk Subject: Intellimouse Does anybody know how to enable the wheel on an Intellimouse under Linux? (Red Hat 5.2) -- James _________________________________________________________________ Date: Sat, 19 Dec 1998 13:53:33 PST From: "Thomas Smith", highminded015@hotmail.com Subject: Upgrading Red Hat I just installed Red Hat 5.0 and I hear about the newer versions out there and I want to upgrade but I don't want to buy a brand new CD or download everything and then re-install. I have been to a couple of sites and I have found no real help for this at any of them, so could you please help me out. Thank you. -- Thomas _________________________________________________________________ Date: Fri, 18 Dec 1998 23:20:12 -0800 From: Taro Fukunaga, tarozax@earthlink.net Subject: How to get CPU info I am writing a Tcl/Tk program that prints info about the CPU, memory usage, processes, and disk usage of a Linux computer. On problem I have is in getting info about the CPU. Because the contents (ie field names) of /proc/cpuinfo may vary from one machine (perhaps kernel build is the right answer) to the next, I decided to use the program uname. However, this also doesn't work well, and simply lists my processor as "unknown". I looked at the source code, and "unknown" is the default value for the CPU! So my question is, is there any way to write a program that can get the type of CPU on any Linux computer? Thank you, anyone. -- Taro _________________________________________________________________ Date: Thu, 31 Dec 1998 21:19:48 -0600 From: dcramer@midusa.net Subject: Does Linux have multimedia support? I just finished reading Marjorie Richardson's comments about Linux in the January '99 issue of Computer Shopper, and I was wondering if Linux now has, or will support any of the multimedia formats supported by Windows, such as AVI, JPG, WAV, MOV, etc? I have looked into some of the basics of the OS, but I have not tried to install it. Thank you. -- Don Cramer _________________________________________________________________ Date: Wed, 30 Dec 1998 14:03:42 -0500 From: Soraia Paz, spaz@rens.com Subject: LILO Problems I originally had Windows NT on my PC with some room left for Linux. I installed Linux and I set up LILO to boot both operating systems. I got into Linux fine but when I tried to get into NT it kept on crashing. I tried using DOS's fdisk to get rid of Linux but LILO is still there. How can I get rid of it? -- Soraia _________________________________________________________________ Date: Wed, 30 Dec 1998 09:42:23 -0600 From: Bill McConnaughey, mcconnau@biochem.wustl.edu Subject: DB9 serial port I degraded my floppy disk drive, apparently by doing fdformat with inappropriate parameters and/or media. In order to back up my work, I want to use minicom or seyon to transfer files over the DB-9 serial port. I can get the computers to type to each other, but file transfer protocols (xmodem and ymodem) don't work. There is no Kermit in my installation and I don't know where to get it. What is the correct wiring for a direct connection of the DB-9 com ports on two pc's? How can I transfer files? -- Bill _________________________________________________________________ Date: Tue, 29 Dec 1998 10:40:15 -0500 (EST) From: ive.db@usa.com Subject: HELP I have a jamicon 36X cd player. It doesn't work under Linux. I tried to install Linux but I failed. Could you please help me with this. I also need to say that you can set my cd-player master,slave and CSEL with a jumper. _________________________________________________________________ Date: Mon, 28 Dec 1998 03:49:21 -0500 From: "david marcelle", marcelle@avana.net Subject: Audio-Only CDRs Do you have for sale or do you know where I can purchase audio-only blank CDRs (for my phillips CD recorder) for $4.00 each or less? Thanks -- David _________________________________________________________________ Date: Mon, 28 Dec 1998 02:15:26 -0500 From: "Clayton J. Ramseyer", cyberzard@earthlink.net Subject: IP Masquerading and related I am writing this message to you, because I am new to Linux. (I love it by the way) Anyway, I have a small LAN setup at home and would like to provide access to the Internet for my other machine. The HOWTO is a bit confusing when it comes to setting this up. If someone could write me with a possible offer for help, I'd surely appreciate it. The commands I have are probably correct. Yet the HOWTOs don't mention which machine these commands are entered on. I assume it would be the machine connected to the net. By the way, I connect with a USR 56K v.90 compatible modem. My service provider is earthlink. I look forward to your responses. Thanks, -- CJ _________________________________________________________________ Date: Sat, 2 Jan 1999 23:05:13 +0530 From: "L.V.Gandhi", lvgandhi@vsnl.com Subject: Netscape help I have installed NC4.5 for Linux. I could edit preferences both as root and an user. Once closed and then restarted I am unable to do that. I am not sure from when it happened. It may be due improper shutdown due to power outage or hanging of nc after many windows are open. I have system PII with 780MB partition for Linux with 64 MB swap space, 32 MB ram. Is there any easy way to remove an installed software and reinstall it in Linux? -- L.V.Gandhi _________________________________________________________________ Date: Sat, 2 Jan 1999 23:03:35 +0530 From: "L.V.Gandhi", lvgandhi@vsnl.com Subject: help for microsoft intellimouse I have installed RH5.0 and upgraded to 5.1. I have Microsoft intellimouse and logitech super mouse. when I configure mi, the same is not recognized by Linux and xserver. The same is recognized in win98. But logi mouse is recognized in both. Any solutions welcome. -- L.V.Gandhi _________________________________________________________________ General Mail _________________________________________________________________ Date: Tue, 1 Dec 1998 13:39:58 -0500 From: Brad Gerrard, bradgerrard@x-stream.co.uk Subject: The Future Of Artificial Intelligence and Linux Can you imagine, 'eureka' you've done it, you're going to make millions neigh billions, you've created a programme that gives a computer the seeming ability to think. There it is flashing away 'walking the walk', bezazz it thinks. Hold on a moment the operating system, no the skeleton of this thinking machine has crashed. What say you, shall we change the operating system? Not arf we will. How about something a little more stable, how about an operating system that will go for at least a year. Is that to much to ask? One might well wonder were we not acquainted with the genie in the bottle, yes 'Linux'. Linux is gaining in popularity, that makes it commercial, that means money, and money means more thinkers are turning their attention towards it as a viable alternative to some of it's less exciting competition. Linux is a stable operating system, freely available, an operating system for Man All Born Equal as written in the American constitution, yes could this operating system level out the playing field. Artificial Intelligence requires a very stable platform, and I believe that given the limitations of present day hardware, AI requires an operating system with a small foot print in order to possibly tackle the problem of achieving any potential of new thought, which could possibly be termed artificial intelligence in it's true sense. Linux is a Unix operating system, it can be and usually is networked, this is a plus when it comes to composing an AI operating programme. The very makeup and variable structure lends it's self to AI. Yes I believe that Linux is an operating system with a bright future. -- Brad _________________________________________________________________ Date: Tue, 1 Dec 1998 13:39:58 -0500 From: "Serge E. Hallyn", hallyn@CS.WM.EDU Subject: happy hacking keyboard wow. $140 for a keyboard because it has fewer keys? I simply don't think the arguments in favor make sense - namely that you don't have to reach for any keys, because you should never need to with other normal keyboards either. Let's see: * control not being next to A should never be a problem for anyone who'd dare call him/herself a hacker, happy or otherwise - if you can't figure out how to remap caps lock,... * escape should not be a problem, since any self-respecting vi user uses ctrl-[ anyway * backspace: ctrl-h (well, OK, emacs users are out of luck :) * tab, if it's a really weird keyboard, ctrl-i, though i seldom do that $140. ridiculous. -- serge _________________________________________________________________ Date: Tue, 01 Dec 1998 12:28:06 -0600 From: Tim Kelley, tpkelley@winkinc.com Subject: Jeremy Dinsel's review of keyboard ... He did not mention something which many people would be very interested in knowing - is it a clicking, spring action style keyboard or a membrane (mushy) style keyboard? At that price (~$150), I can't believe it's one of those cheap membrane things, but one can never be sure. Actually, at that price, I can't believe anyone would buy it, but whatever. -- Tim _________________________________________________________________ Date: Wed, 2 Dec 1998 01:32:06 +1000 (GMT) From: Norman Widders winspace@paladincorp.com.au Subject: Linux Gazette I just read David Jao's article in Linux Gazette #35 and enjoyed it. He had one fact wrong though, he mentioned: Currently, a limitation of the UW IMAP server is that a folder cannot contain both messages and subfolders. This is not a limitation of the UOW server. It is a limitation of the default UNIX mail files... There are other available mailbox types available on the UNIX platform that will allow UOW to create subfolders... see the release notes with UOW for more info :) -- Norman _________________________________________________________________ Date: Tue, 1 Dec 1998 08:24:43 -0500 (EST) From: Walt Taninatz, waldo@voicenet.com Subject: Re: Linux Gazette #35 Thank you for the reminders and for making such a great magazine. The content is always useful, interesting and well written. Best Regards, -- Walter _________________________________________________________________ Date: Thu, 03 Dec 1998 13:52:14 -0800 From: Jauder Ho, jauderho@transmeta.com Subject: Re: IMAP on Linux: A Practical Guide I have some comments on the article written by David Jao. There are some inaccuracies that I need to correct. We use IMAP here and it is indeed excellent technology. * NS 4.08 is out. NS 4.5 is actually pretty stable when it comes to IMAP based mail, we have no problems using it. * By default, imapd uses UNIX spool. This is horrendously inefficient. So I am not surprised by it crashing over 1000 messages. HOWEVER, if you change the mailbox format to something like mbx (Modify the Makefile, change unixproto to mbxproto), it can easily handle much more messages and allow concurrent access. I have users with 8000 messages in their in box with not problem. * Netscape is now beta testing Linux versions of their Messaging and Directory servers. * There is one more way to do IMAP securely and that is to use stunnel under IMAP. More information about what we do site specific can be found at http://www.carumba.com/imap/ -- Jauder _________________________________________________________________ Date: Wed, 02 Dec 1998 08:46:18 +0100 From: "Thomas Diehl", th.diehl@dtp-service.com Subject: Editor's Choice Awards: Most Desired Port? This is on your "Editor's Choice Awards", esp. the following from your article "Most Desired Port--QuarkXPress": For layout, we must have an MS Windows 95 machine in order to run QuarkXPress... We are more than ready to be rid of this albatross and have a total Linux shop. Next, like everyone else, we'd like Adobe to port all its products to Linux. I'm a professional DTPer and a Linux user myself. So I would certainly like to see the whole Acrobat suite for Linux as well as good font and printing solutions from Adobe. And, of course, I don't have anything against porting PM, Frame, PShop, Illustrator, or XPress to the penguin platform. No doubt about it. I find it problematic, however, that hardly anybody in the DTP area seems to do justice to the fact that there is a complete suite for our kind of work coming up just NOW: Corel promised repeatedly to port _all_ their DTP programs to Linux: Ventura, Draw, PhotoPaint as well as a lot of helpful apps like WordPerfect and their whole Office suite. (See eg www.zdnet.co.uk/news/1998/45/ns-6073.html) This would be an incredible step forward for Linux -- but somehow nobody in DTP seems to care. I wonder why? Of course, I'm fully aware of the bad reputation Corel software has among DTPers (and also how much of this they deserved). But I can assure you and everybody from daily, first hand experience that the situation has incredibly improved over the last years. Today the Corel DTP apps brings a wealth of functionality to the users that, as a whole, is unmatched by anything I know in this area. I'm also aware that this will not be enough to make XPress users really consider a switch and that they have perfectly good reasons for this attitude. But, nevertheless, I would appreciate it VERY much if the Corel announcements would at least be taken into account when talking about this area. If Corel keep their promise there will be a complete publishing suite for Linux very soon. And I would ask everybody to spread the good news, esp. those who may be held "opinion leaders" by many people out there. I'm sure it would be a real loss for everybody if Corel would get second thoughts about their plans because of apparent "lack of demand" among professional DTPers. Just in case you are prepared to look a little more at this I'm attaching some more material on the aptness of Corel DTP software. Kind regards, -- Thomas We use many of Corel's products including Ventura (for book layout). Editor's choice is after all my opinion only, but I do know that many magazines besides Linux Journal use QuarkXPress for layout. --Editor _________________________________________________________________ Date: Tue, 8 Dec 1998 16:30:53 -0500 From: "Adams, Ranald", Ranald.Adams@ctny.com Subject: Compaq There's a lot of this sort of thing on Compaq's forum. Please publish to interested parties so that they can become subject to the appropriate level of ridicule (in a caring, motivationally productive kind of way). Topic: Servers - Banyan-Unix Subject: Linux and Compaq Servers From: COMPAQ - Robert G 05/11/98 09:10:13 Compaq now or in the future will not be providing Linux drivers. This is because the Linux operating system is a public domain OS. There is not a single source of ownership to go to when trying to resolve OS issues like there is for SCO Unix and other versions of Unix on the market. Because there is no single source for the compiled binary code required to install and run the OS there is no way to guarantee driver compatibility with all the flavors of Linux. Compaq Engineering has decided that they will not provide or release hardware drivers unless they can be fully certified and supported. Since Linux does not have a single source manufacture, this is not possible with Linux. But you can by all means make a formal request in writing to Compaq Engineering concerning your need for Linux drivers. The address is: Compaq Computer Corp. Attn. Engineering Dept. MS. 050702 20555 State Hwy. 249 Houston, TX 77070 b4 _________________________________________________________________ Date: Sat, 5 Dec 1998 10:53:00 -0800 From: Mike Wiley, npg@integrityonline.com Subject: Corel Ventura would be best DTP port I agree that Linux needs a DTP program, but the one which should be desired is Corel Ventura Publisher, not Quark. CVP version 8 is at least one generation ahead of Quark and include many features which we use regularly =97 features which are completely absent from Quark. It is more powerful and easier to use. From my perspective, Quark shows all the signs of product arrogance which arises from having a monopoly, or near monopoly, in a field. Another point: Corel Corp has made a commitment to Linux. Adobe and Quark, to my knowledge have not. Why not support those who support you, especially when those who support you have the best product? Just a couple of thoughts... Sincerely, -- Mike We support Corel in every way we can, but Quark is more suited for our purposes in printing the magazine than is Ventura. Corel's NetWinder will be featured on the April Linux Journal cover. --Editor _________________________________________________________________ Date: Fri, 11 Dec 1998 14:19:43 -0500 From: "Nils Lohner", lohner@debian.org Subject: Debian Powers 512 Node Cluster into Book of Records Over 512 computers were assembled for the CLOWN (CLuster Of Working Nodes) system that ran on the night of December 5-6. This cluster used a modified version of the Debian GNU/Linux distribution (reduced in size to a mere 16 MB, and boot script modifications) to run a combination of PVM (Parallel Virtual Machine) and several application programs. These programs included povray (a ray tracing program used to calculate frames for a film), Cactus, a program that solves the Einstein Equations, which are ten non-linear joint hyperbolic-elliptical partial differential equations. These are used to describe Black Holes, Neutron Stars, etc. and are among the most complex in the field of mathematical Physics. For more information, please visit the following sites (mostly in German): http://www.ccnacht.de/ http://www.linux-magazin.de/cluster/ http://www.heise.de/ix/artikel/1999/01/010/ http://europium.oc2.uni-duesseldorf.de/cluster/tech.html -- Nils _________________________________________________________________ Date: Fri, 11 Dec 1998 02:31:14 -0500 From: Paul Iadonisi, iadonisi@colltech.com Subject: Re: USENIX LISA Vendor Exhibit trip report There were a lot of what I call "Want-Ad" booths to. Collective Technologies (formerly Pencom System Administration), Sprint Paranet, Fidelity, and several other companies there for sole reason of trying to recruit people. Hmmm. I take exception to this. We (Collective Technologies) have many reasons for being at LISA. Like any business, we work to get name recognition. We want people to know who we are. But we also seek to educate our members (look in the rear of the Attendee List for the list by company and you will see how many of us went -- I think we have the largest number of attendees) and give back to the System Administration community at large. Take a look at the Technical Talks and BoFs and you will find four events each sponsored by a Collective Technologies member. Five of our members also wrote summaries for SANS in the August issue of ;login:. I hope no one sees this as a marketing message and my intention is not to try to sell my company on a Linux mailing list. The point is that we do all of this without tootin' our own horn that much. I think reducing our booth to a "Want-Ad" type booth is a little unfair. I normally wouldn't post a message like this on this list, but couldn't let the '...there for sole reason of trying to recruit people...' comment pass, especially since we were the first company listed. No ill will, I just wanted to clear that up. -- Paul Iadonisi You must be clairvoyant! :-) That article is just being posted in this issue. Of course, it's on Paul's web site, but to know to send a copy of your letter to me. Wow! --Editor _________________________________________________________________ Date: Fri, 11 Dec 1998 20:09:57 -0500 From: Kevin Forge, forgeltd@usa.net Subject: Quark Most Desired Port--QuarkXPress Hate to say it but "BUY A MAC". Mind you I don't like the Mac. I don't use a Mac. I don't even like the few occasions when I must attempt to repair a Mac ( often it's cheaper to ditch it than buy parts ). All this considered even Microsoft uses Quark on a Mac to do it's manuals and stuff. As far as I know a Mac used in this post may never crash. Sure Mac OS isn't Linux quality in terms of stability but it beets NT. In the mean time whine for a port ... It may never happen though since even the windows port is 1/2 harted, unstable and not quite what the printers want ( they all use Macs. ) -- Kevin We started out with a Mac but at that time it wasn't as easy to network a Mac with Linux as it now is with Netatalk. So the decision was made to go with Windows. It happens. --Editor _________________________________________________________________ Date: Tue, 22 Dec 1998 21:13:56 -0600 From: Sam, myoldkh@earthlink.net Subject: Sponsorship gts global >>myoldkh<< 12-22-98 09:15:32 PM: You will be very pleased to know that yesterday I made a credit card order on the Web for a copy of the Linux OS from one of your sponsors - Red Hat Software. I support quality web sites and their sponsors! (I am also sick and tired of MS Windows crashing my computer all of the time - I think that Microsoft writes software about the same way that GM builds cars - I know cause I drive a Pontiac lemon!) -- Sam _________________________________________________________________ Date: Thu, 17 Dec 1998 19:46:04 -0600 (EST) From: "Michael J. Hammel", mjhammel@graphics-muse.org Subject: Logo From LG Editor: I get at least one letter a month asking that we change the quote in the logo to be attributed directly to Gandhi rather than a movie actor, as well as ones requesting that the graphic be made smaller. What do you think? Is it time to make either of these changes? I'll look at making the image smaller, but it may not be till next month. I'm still getting things back together at home. As to the quote, I'll stick to the attribution until someone provides a definitive resource that attributes it to Gandhi. I'm fairly certain he would have said it, but I don't want to give him the attribution unless I can find some other resource to back it up. After all, I only know about it because of a movie. I have no objection to changing it - I just need some other definitive attribution to do so. -- Michael _________________________________________________________________ Date: Mon, 28 Dec 1998 16:46:13 -0800 From: Randy Herrick, HERRICK@PACBELL.NET Subject: graphics on title page Great site, just one thing, I think Tux needs to look like, well, the real Tux, in real Tux colors. In the beginning there were several kinds of birds from seagulls to penguins, but I think nowadays most everyone has adopted the standard Tux penguin that is siting down (looking happy from eating herring-as Linus Torvald's put it )in the black and white and yellow colors. We need to have a standard logo for Linux, don't you think? Thanks for your time. :) -- Randy As far as graphics go, I trust Michael's judgment in all things--even the way Tux is drawn. --Editor _________________________________________________________________ Date: Sun, 27 Dec 1998 13:38:52 -0600 From: Lyno Sullivan, lls@freedomain.org Subject: MPDN - Minnesota Public Digital Network I would appreciate your support of the following initiative. Specifically, I will need the help of the free software community during discussions of item 4 and the excerpt listed below: December 27, 1998 The full MPDN announcement may be viewed at: http://www.freedomain.org/^lls/free-mn/19981222-mpdn.html This post constitutes an invitation to join discussions concerning the MPDN. Beginning in January, 1999, I will present each goal of the MPDN for discussion within the MN-NETGOV listserv. If you are a stake holder to these goals, please join the listserv. Anyone can join that listserv by sending an email to mailto:mn-netgov-subscribe@egroups.com Members may view past messages, calendars, and other group features at: http://www.egroups.com/list/mn-netgov/ ABSTRACT In preparation for my requesting Legislative hearings in 1999, this article explains my vision of the Minnesota Public Digital Network (MPDN), which is: 1) to provide every Minnesota citizen with a secure and authenticated email address within the mn.us hierarchy, 2) to assure that every citizen can use email to dialogue with the elected and the appointed offices of government, 3) to assure that every local community has a high speed digital network and a repository for the creative works and letters of the Minnesota people, and 4) to collect the free software tools necessary to attain these goals, within the Government Information Freedom Toolbox (the GIFT), which will be created as a byproduct of Minnesota State government's conversion to free software. EXCERPT GOAL 1) Effective immediately, freeze (at current levels or lower) all spending for non-free, closed source, software. Establish a Legislative audit to determine the Total Cost of Operation (TCO) costs of non-free server and desktop software. Establish a cost reduction plan that will result in the elimination of spending on non-free software. Collect all those monies, identified by the TCO analysis, together into a revolving Software Freedom Fund, to be administered by the Office of Technology. Require that all further purchases and upgrades of non-free, closed source server and desktop software must be approved by the Minnesota Office of Technology's, Information Policy Council (IPC). The IPC will be charged to develop a statewide model of the MPDN. The IPC will be charged to connect every public sector worker in Minnesota to the MPDN. Savings within the Software Freedom Fund may be spent on writing free software. Revenues of the Software Freedom Fund must be spent, to endow the creation of free software and free content, all of which, must be licensed under the GNU General Public License (GPL) or a suitable copyleft license. -- Lyno Sullivan _________________________________________________________________ Published in Linux Gazette Issue 36, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Next This page written and maintained by the Editor of Linux Gazette, gazette@ssc.com Copyright © 1999 Specialized Systems Consultants, Inc. _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ More 2¢ Tips! Send Linux Tips and Tricks to gazette@ssc.com _________________________________________________________________ Contents: * Forcing fsck on Red Hat 5.1 * Personal Listserver * Re: Back Ups * ANSWER: Your Supra Internal Modem Problems * ANSWER: Single Floppy Linux * ANSWER: Re: scsi + ide; boot ide * ANSWER: Numlock at startup * ANSWER: Re: graphics for disabled * ANSWER: BTS: GNU wget for updating web site * ANSWER: Linux Boot-Root * Replies to My Questions in Nov. 98 Linux Gazette _________________________________________________________________ Forcing fsck on Red Hat 5.1 Date: Tue, 08 Dec 1998 18:20:28 -0500 From: James Dahlgren, jdahlgren@netreach.net I don't know if this is a 2 cent tip or what, and since it's distribution specific, it's applicability is limited, but I still thought it was worth sharing. The shutdown command accepts a -F switch to force a fsck when the system is rebooted. This switch just writes a flag file /forcefsck, it is up to the initialization scripts do do something about it. In Red Hat 5.1 ( I don't know about 5.2 ) the rc.sysinit script uses a different method to force a fsck. It checks for the existence of /fsckoptions and if it exists uses it's contents as a switch when calling fsck. The command "echo -n '-f' > /fsckoptions" will create a file, /fsckoptions, with "-f" in it and will force a fsck the next time the system is booted. The rc.sysinit script removes the /fsckoptions file after remounting the drive read-write, so that the fsck won't be forced every time the system is booted. If you want the -F switch from the shutdown command to work, a little editing of the /etc/rc.d/rc.sysinit file will do it. near the beginning of the rc.sysinit file is the following: if [ -f /fsckoptions ]; then fsckoptions=`cat /fsckoptions` else fsckoptions='' fi This is where it checks for the /fsckoptions file and reads its contents into a variable for later use. We add an elif to check for the /forcefsck file and set the variable accordingly: if [ -f /fsckoptions ]; then fsckoptions=`cat /fsckoptions` elif [ -f /forcefsck ]; then fsckoptions='-f' else fsckoptions='' fi Now the /forcefsck flag file created by using the -F switch with shutdown will force a fsck on reboot. Now we need to get rid of the /forcefsck file, or it will force the check every time the system is started. Further down in the rc.sysinit file, after the disk is remounted read-write, is the following line which removes any existing /fsckoptions file: rm -f /etc/mtab~ /fastboot /fsckoptions We just add /forcefsck to the list of files to delete: rm -f /etc/mtab~ /fastboot /fsckoptions /forcefsck Now we have two ways to force the fsck, we can use the -F switch when running shutdown, or we can put specific flags in a /fsckoptions file. CAUTION! The rc.sysinit file is critical to system startup. A silly typo in it can make the system hang when it boots. ( I've been there! ) Make a backup before you edit it. Edit it carefully. If you do blotch it, you can recover by rebooting and using the -b switch after the image name on the lilo command line. This brings you up in maintenance mode without running the rc.sysininit script. The disk is in read-only mode. mount -n -o remount,rw / will get you to read-write mode so you can fix the problem. mount -n -o remount,ro / after fixing the problem to prepare the system for continuing startup. exit or ctl-d to exit the maintenance shell and continue on to the default runlevel. Hope this is of some use to someone. -- Jim _________________________________________________________________ Personal Listserver Date: Mon, 07 Dec 1998 01:59:48 +0100 From: "Soenke J. Peters", peters@simprovement.com An often unused feature of "sendmail" is it's "plussed user feature" which makes mails to "user+testlist@localhost" match "user@localhost". I will show you how to use this to implement personal mailing lists. First, you have to set up "procmail" to act as a filter on your incoming mails. This could be done inside sendmail by setting it up as your local mailer, or simply via your "~/.forward" file. Now, you should get a mailing list program. I prefer BeroList, because it's easy to configure. Compile it (don't forget to adjust the paths!) and install it somewhere in your home directory. Done that, you have to tell procmail what mails are to be passed to the mailing list program. This is done inside "~/.procmailrc" and should contain something like the following for every list (in this example, the list is called "testlist", the mailname of the user is "username"): :0 * ^To:.*username\+testlist | path/to/the/listprogram testlist The last step is to prepare the configuration files for the mailing list. As this is specific to the program you use, I can't tell you here. For a german description see: http://www.simprovement.com/linux/listserver.html -- Soenke Jan Peters _________________________________________________________________ Re: Back Ups Date: Tue, 1 Dec 1998 10:07:46 -0500 (EST) From: Jim Buchanan, c22jrb@koptsv01.delcoelect.com From: Anthony Baldwin: Disk space is relatively cheap, so why not buy a small drive say 500Meg which is used for holding just the root /lib /bin /sbin directories. Then setup a job to automatically back this up to another drive using "cp -ax" (and possibly pipe it through gzip and tar). This way when the unthinkable happens and you loose something vital, all you have to do is boot from floppy mount the 2 drives and do a copy. This has just saved my bacon while installing gnu-libc2 A good idea as far as it goes, but there is one gotcha. If lightning or some other power surge takes out one drive, it might take out the on-line backup as well. I use a very similar method where each night, on each machine, I have a cron job back up vital information to another HD in another machine on my home network. In addition to the nightly back-ups, I do a weekly backup to removable media, which I keep in a separate building (my workshop at the back of my lot). That way if lightning takes out everything on the network, I have lost a weeks or less work. The separate building part might be paranoia, but I really recommend at least weekly off-line back ups. -- Jim Buchanan _________________________________________________________________ Tips in the following section are answers to questions printed in the Mail Bag column of previous issues. _________________________________________________________________ ANSWER: Your Supra Internal Modem Problems Date: Tue, 1 Dec 1998 09:48:10 -0500 From: "Brower, William" wbrower@indiana.edu Richard wrote: I have a PII (350MHz) running with an AGP ATI 3DRage graphics card (which works fine) and a Sound Blaster 16 PnP (which also works fine). But, I can't get my internal SupraExpress 56k modem to work. Your modem sounded familiar from a past search I had done, so I went to Red Hat's www site (http://www.redhat.com/) and followed the support | hardware link. You will find this reference in the modem category: Modems that require software drivers for compression, error correction, high-speed operation, etc. PCI Memory Mapped Modems (these do not act like serial ports) Internal SupraExpress 56k & also the Internal SupraSonic 56k It appears that your modem is inherently not compatible with Linux. I use an inexpensive clone modem called the E-Tech Bullet, pc336rvp model - paid $28 for it and it operates with no problems at all. Good luck in finding a compatible modem! -- Bill _________________________________________________________________ ANSWER: Single Floppy Linux Date: Tue, 01 Dec 1998 22:05:59 -0800 From: Ken Leyba, kleyba@pacbell.net To: roberto.urban@uk.symbol.com There are a few choices for a single floppy Linux (O.K. some are more than one floppy). I haven't tried them, but I will be doing a Unix presentation next month and plan to demo and handout a single or double floppy sets for hands-on. muLinux (micro linux): http://www4.pisoft.it/~andreoli/mulinux.html tomsrtbt: http://www.toms.net/rb/ Linux Router Project: http://www.linuxrouter.org/ Trinux: http://www.trinux.org/ Good Luck, -- Ken _________________________________________________________________ ANSWER: Re: scsi + ide; boot ide Date: Sun, 29 Nov 1998 07:42:29 -0800 (PST) From: Phil Hughes, fyl@ssc.com The amazing Al Goldstein wrote: I have only linux on a scsi disk. I want to add an ide disk and want to continue to boot from the scsi which has scsi id=0. Redhat installation says this is possible. Is that true? If so how is it done? First, you should be able to tell your BIOS where to boot from. Just set it to SCSI first and all should be ok. If that isn't an option, just configure LILO (/etc/lilo.conf) so that it resides on the MBR of the IDE disk (probably /dev/hda) but boots Linux from where it lives on the SCSI disk. -- Phil _________________________________________________________________ ANSWER: Numlock at startup Date: Thu, 03 Dec 1998 21:51:08 -0800 From: "D. Cooper Stevenson", coopers@proaxis.com To: bmtrapp@acsu.buffalo.edu Here's a bit of code I found while searching the documentation for "numlock" It turns numlock on for all terminals at startup! The bolded code is the added code in the /etc/rc.d/rc file of my Redhat 5.1 Linux: Is there an rc directory for this new runlevel? if [ -d /etc/rc.d/rc$runlevel.d ]; then # First, run the KILL scripts. for i in /etc/rc.d/rc$runlevel.d/K*; do # Check if the script is there. [ ! -f $i ] && continue # Check if the subsystem is already up. subsys=${i#/etc/rc.d/rc$runlevel.d/K??} [ ! -f /var/lock/subsys/$subsys ] && \ [ ! -f /var/lock/subsys/${subsys}.init ] && continue # Bring the subsystem down. $i stop done # Now run the START scripts. for i in /etc/rc.d/rc$runlevel.d/S*; do # Check if the script is there. [ ! -f $i ] && continue # Check if the subsystem is already up. subsys=${i#/etc/rc.d/rc$runlevel.d/S??} [ -f /var/lock/subsys/$subsys ] || \ [ -f /var/lock/subsys/${subsys}.init ] && continue # Bring the subsystem up. $i start done # Turn the NumLock key on at startup INITTY=/dev/tty[1-8] for tty in $INITTY; do setleds -D +num < $tty done fi _________________________________________________________________ ANSWER: Re: graphics for disabled Date: Wed, 16 Dec 1998 00:13:19 GMT From: Enrique I.R., esoft@arrakis.es In a previous message, Pierre LAURIER says: - control of the pointer device with the keyboard You can do it with any windowmanager. It's a XFree86 feature (v3.2, don't know of older versions). You only have to use the XKB extension. You enable it hiting the Control+Shift+NumLock. You should hear a beep here. Now you use the numerical keypad to: Numbers (cursors) -> Move pointer. /,*,- -> l,r&m buttons. 5 -> Click selected button. + -> Doubleclick selected button. 0(ins) -> Click&Hold selected button. .(del) -> Release holded button. Read the XFree86 docs to get details. -- Enrique I.R. _________________________________________________________________ ANSWER: BTS: GNU wget for updating web site Date: Thu, 24 Dec 1998 03:15:16 -0500 From: "J. Milgram", milgram@cgpp.com Re. the question "Updating Web Site" in the Jan 1999 Linux Journal, p. 61 ... Haven't tried the mirror package - might be good, but you can also use GNU wget (prep.ai.mit.edu). Below is the script I use to keep the University of Maryland LUG's Slackware mirror up-to-date. "Crude but effective". #!/bin/bash # # Update slackware # # JM 7/1998 # usage: slackware.wget [anything] # any argument at all skips mirroring, moves right to cleanup. site=ftp://sunsite.unc.edu sitedir=pub/Linux/distributions/slackware-3.6; cutdirs=3 localdir=`basename $sitedir` log=slackware.log excludes="" for exclude in bootdsks.12 source slaktest live kernels; do [ "$excludes" ] && excludes="${excludes}," excludes="${excludes}${sitedir}/${exclude}" done # Do the mirroring: if [ ! "$*" ]; then echo -n "Mirroring from $site (see $log) ... " wget -w 5 --mirror $site/$sitedir -o $log -nH --cut-dirs=$cutdirs -X"$excludes " echo "done." fi # Remove old stuff # (important, but wipes out extra stuff you might have added) echo "Removing old stuff ..." for d in `find $localdir -depth -type d`; do pushd $d > /dev/null for f in *; do grep -q "$f" .listing || { rm -rf "$f" && echo $d/$f; } done popd > /dev/null done echo "Done." -- Judah _________________________________________________________________ ANSWER: Linux Boot-Root Date: Mon, 7 Dec 1998 12:57:34 +0100 From: Ian Carr-de Avelon, ian@emit.pl This is an answer to one of the letters in the December '98 issue. Date: Wed, 04 Nov 1998 19:01:02 +0000 From: Roberto Urban, roberto.urban@uk.symbol.com Subject: Help Wanted - Installation On Single Floppy My problem seems to be very simple yet I am struggling to solve it. I am trying to have a very basic installation of Linux on a single 1.44MB floppy disk and I cannot find any documents on how to do that. My goal is to have just one floppy with the kernel, TCP/IP, network driver for 3COM PCMCIA card, Telnet daemon, so I could demonstrate our RF products (which have a wireless Ethernet interface - 802.11 in case you are interested) with just a laptop PC and this floppy. I have found several suggestions on how to create a compressed image on a diskette but the problem is how to create and install a _working_ system on the same diskette, either through a RAM disk or an unused partition. The distribution I am currently using is Slackware 3.5. Making a "boot-root" disk is not too difficult and there is information and and examples available: http://metalab.unc.edu/LDP/HOWTO/Bootdisk-HOWTO.html http://www.linuxrouter.org/ Maybe the new LDP site should have a link from every page of Linux Gazett: http://metalab.unc.edu/LDP/ I build boot-root disks quite regularly and they have lots of uses Eg: 1. change an old PC into a dial on demand router for a net. 2. Give clients and emergency disk which will ring in to us so we can log in and fix things. (Even if the main OS on the machine is not Linux) 3. Turn any Windows PC on the net into a terminal, or testbed for network hardware. 4. Clients often bring laptops for installations with no easy way of connecting them to the net. A bootroot disk and a PLIP cable gives me a simple way to get the laptop to let me telnet to it and ftp files across. Basicly it is just a matter of reducing what you are trying to something which will fit on the floppy and following the HOWTO. If you are short of space you can usually gain a little by using older versions. Having said that you are putting yourself up against some additional problems here. Laptops are notorious for being only PC compatable with drivers which are only available for Windows. Even here there is some support: http://www.cs.utexas.edu/users/kharker/linux-laptop/ but you should realise that not all PCMCIA chip sets are supported and that is before you get onto support for the card itself. Obvioulsy if the card is your own product you have some advantages as far as getting access to technical information :-) but in general if the laptop and card manufacturers are unwilling to give information you can end up wasting a lot of time on reverse engineering and sometimes still fail. -- Ian _________________________________________________________________ Replies to My Questions in Nov. 98 Linux Gazette Date: Tue, 15 Dec 1998 20:23:48 -0800 From: Sergio Martinez, sergiomart@csi.com Last month, Ms. Richardson published a short letter I wrote that asked some questions about the differences among the terminology of GUIs, window managers, desktops, interfaces, and a bit about the differences among GNOME, KDE, and Windows. These matters came to mind as I switched from Windows 95 to Linux, with its multiple choices of window managers. Several people were kind enough to send long replies. I'm forwarding them to you in case you would like to consider using one as an article, or editing them into one. I suppose the title could be something like "A Vocabulary Primer to GUI's, Window Managers, Desktops, Interfaces, and All That". I'm leaving all this to your judgment. It would be an article for newbies, but I found most of the replies very informative for this migrant from Windows 95. -- Sergio E. Martinez -------------------------------------------------------------- Date: Tue, 1 Dec 1998 13:44:20 -0500 From: Moore, Tim, Tim.Moore@ThomsonConsulting.com I don't have time to write a full article, but I can answer your questions. Unfortunately, I'm using MS Outlook to do so (I'm at work and I have to )-: ) so sorry if this comes out formatted funny in your mailer. Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows? In the X world, things tend to be split up into multiple components, whereas in other systems, everything is just part of the "OS". Here are some definitions: Interface is a general term which really just means a connection between two somewhat independent components -- a bridge. It is often used to mean "user interface" which is just the component of a computer system which interacts with the user. GUI is another general term, and stands for graphical user interface. It's pretty much just what it sounds like; a user interface that is primarily graphical in nature. Mac OS and Windows are both GUIs. In fact, pretty much everything intended for desktop machines is these days. On Mac OS and Windows, capabilities for building a graphical interface are built into the OS, and you just use those. It's pretty simple that way, but not very flexible. Unix and Unix-like OSes don't have these built in capabilities -- to use a GUI, you have to have a "windowing system." X is one of them -- the only one that sees much use these days. All X provides is a way to make boxes on the screen (windows) and draw stuff in them. It doesn't provide a) ways to move windows around, resize them, or close them, b) standard controls like buttons and menus, c) standards or guidelines for designing user interfaces for programs, or for interoperating between programs (e.g., via drag and drop or a standard help system). A window manager is a program which lets you move windows around and resize them. It also usually provides a way to shrink a window into an icon or a taskbar, and often has some kind of a program launcher. The user can use any window manager that he or she wants -- any X application is supposed to work with any window manager, but you can only run one at a time. That is, you can switch between window managers as much as you want, but at most one can be running at a time, and all programs on screen are managed by whichever one is running (if any). A widget set is a library of routines that programmers can use to make standard controls like buttons and menus (which are called widgets by X programmers). The widget set that an application uses is chosen by the *programmer* (not the user). Most people have multiple widget sets installed, and can run multiple programs using different widget sets at the same time. Finally, there's the desktop environment. This is the newest and most nebulous X term. It basically means "the things that the Mac OS and Windows GUIs have that X doesn't but should" which generally consists a set of interacting applications with a common look and feel, and libraries and guidelines for creating new applications that "fit in" with the rest of the environment. For example, all KDE applications use the same widget set (Qt) and help program, and you can drag and drop between them. You can have multiple desktop environments installed at the same time, and you can run programs written for a different environment than the one you're running without having to switch, as long as you have it installed. That is, if you use GNOME, but like the KDE word processor KLyX, you can run KLyX without running any other KDE programs, but it won't necessarily interoperate well with your GNOME programs. You can even run the GNOME core programs and the KDE core programs at the same time, thought it doesn't really make much sense to, as you would just end up with two file managers, two panels, etc. Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows? Yes, though GNOME and KDE aren't window managers (they're desktop environments). KDE comes with a windowmanager (called KWM). GNOME doesn't come with a window manager -- you can use whichever one you want, though some have been specifically written to interoperate well with GNOME programs (Enlightenment being the furthest along). But yes, they all require X to be running. What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it? It just means that it was written using the GNOME or KDE libraries. This means a few things: 1) programs will probably *not* be both GNOME *and* KDE aware, 2) you have to have the GNOME libraries installed to run GNOME-aware applications, 3) you can run GNOME applications and KDE applications side-by-side, and to answer your question, 4) you can always run non-aware applications if you use either environment. What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do? GTK+ and Qt (which is the name of the product by Troll Tech that KDE uses) are both widget sets. That is, they provide buttons, menus, scrollbars, and that sort of thing to application developers. Note that applications can use GTK+ or Qt without being GNOME or KDE aware, but *all* GNOME apps use GTK+ and *all* KDE apps use Qt. How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use? This is a much more complicated question. In essence, Windows provides a built in windowing system, window manager, widget set, and desktop environment, so everybody uses those instead of being able to chose the one they like. What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source? Yes. Also, it costs a lot of money. You can get it from Red Hat, though. -- Tim -------------------------------------------------------------- Date: Wed, 2 Dec 1998 00:34:46 +0100 (AMT) From: Hans Nieuwenhuis, niha@ing.hj.se I read your mail today in the Linux Gazette and decided to answer (or try to) your questions. Here it goes: X-Windows is designed as a client-server system. Advantage is that you can run the server on another machine then the machine your monitor is connected to. Then you need a client. This can be a program or a window manager. A window manager communicates with the server by asking it to create a window. When the server fullfilled the requests the windowmanager ads a nice titlebar to it and lets the application create its interface. Basicly the window manager stand between the server and the application, but that is not necessary. It is possible to run an application on a X server without a window manager but the only thing you are able to do is run that specific application, close it and kill the X server. A GUI is a Graphical User Interface, which means all of the information presented on the screen is done by windows, menus, buttons etc... Just like Windows. Also all the interaction, the interface is based upon those windows and buttons. The main goal of a GUI is to provide a uniform system of presenting windows and gathering information. A good example in MS Windows is the Alt+F4 keystroke, with this keystroke you can close any window on your screen. A window manager can be part of this system. This is what happens with KDE and CDE. They both feature their own window manager and then you are able to bring this same uniformity to your desktop. Basicly what I see as a desktop is the set of applications which are availeble on a certain system. A uniform GUI can bring also features like drag and drop and "point and shoot", associate applications to a certain filetype. One question you ask about the awareness for GNOME or KDE, this means, that a program that is designed for those environment is (or should be) able to communicate with other programs that are designed for those environments. This brings you for example drag and drop. Some programs can indeed not run without the desktop environment for which they are designed, but some can. For example I use KDE programs, but I do not like their window manager so I use Window Maker, which is not designed for use in the KDE environment, therefore I have to lack some features. The libraries: GTK+ and Qt (Troll, as you mentioned it) are toolkits. What they basicly do is draw windows, buttons and menus. These are tour Legos with which you build your interface. And yes, if you want to run applications designed for a specif environment, say GNOME, you need atleast the GNOME libaries, like GTK+ and a few others. As I mentioned before, the client-server design of X-Windows gives the user the flexibility to choose a window manager they like, but basicly they do the same as the win95/98 system. Win95/98 limits you to one look and feel (yeah you can change the color of your background, but that is about it), but manages also windows. But it does not give the user the freedom to experiment with other looks and feels. Most modern window managers permits you to define other keybindings and such. And if you don't like GNOME you can use KDE and vice versa (there are a few others btw). All I know about CDE is that it is based on the Motif toolkit (compare GTK+ and Qt) and this toolkit is not free (better say GPLed software) like GTK+. I think that is the main reason why it is not used very much on Linux. But if it is a resource hog I do not know. Personally the main reason why I will not use it is because it looks ugly :-) Well that is about it, I hope this information is a bit usefull. If you have questions, do not hesitate... -- Hans Nieuwenhuis -------------------------------------------------------------- Date: Sat, 05 Dec 1998 00:29:34 -0500 From: sottek, sottek@quiknet.com I thought I would take the time to send you some information about the questions you have posted on Linux Gazette. From your question I can tell that even though you are new to Linux you have seen some of the fundamental differences in the interface workings. I currently work for Intel where I administrate Unix Cad tools, and am having to explain these differences to management everyday... I think you will understand far better than they do :) 1.Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows? X windows is a method by which things get drawn on your screen. All x windows clients (the part drawing in front of you) have to know how to respond to certain commands, like 'draw a green box', 'Draw a pixel' allocate memory for client images... This in itself is NOT what you think of as "Windows". All applications send these commands to your client. This is done through tcp/ip, even if your application and your client are both on the machine in front of you. This is VERY VERY important. The #1 design flaw in MS Windows is the lack of this network layer in the windows system. Every X application (any window... xterm netscape xclock) looks at your "DISPLAY" environment variable to find out who it should tell to draw itself. IF your DISPLAY is set to computer1:0.0 and you are on computer2 and you type 'xterm' it will pop up on computer1's screen (Provided you have permission) This is why on my computer at work I have windows open from HP's RS6000's Sun's... Linux(when I'm sneeky) and they all work just fine together. 2.Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows? Well, yes. Given the above you should now know that X is the thing that draws. Anything that needs to draw has to run "on" X. BUT, we need to get a better understanding of the window manager because I didn't tel you about that yet. In MS Windows when a program hangs it sits on your screen until you can kill it. There is usually no way to move it, or minimize it. This is design flaw #2 in windows. Every MS Windows program has to have some code for the title bar, close, maximize, and minimize buttons. This code is in shared libs so you don't have to write it yourself but never the less it IS there. In X windows the program knows nothing about its titlebar, or the buttons on it. The program just keeps telling X to draw whatever it needs. Another program, the window manager does those things (It 'Manages windows') The window manager draws the title bars and the buttons. The window manager also 'hides' a window from you when it is minimized and replaces it with an icon. The program has NO say so in the matter. This means that even is a program is totally locked up it can be moved, minimized, and killed. (Sometimes not killed unless you window manager is set to send a kill -9) That being said here is the bad news. KDE and gnome and NOT window managers. They do not draw title bars, allow you to resize windows and stuff like that. They are just a program that does things like provide a button bar (which some window managers do too) and the stuff like telling programs how they should look. 3.What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it? gnome aware applications do what I was just about to mention. They pay attention to gnome when it tells them how to look and act. If gnome says 'you should have a red background' they do it. Also there will be some advanced things like an app can ask gnome if it can have a spell checker and gnome can supply it with one (See CORBA stuff) KDE is the same way minus the CORBA (I think) 4.What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do? This is a hidden layer called widgets. It allows you do say 'draw a button' rather than 'draw a box, draw an edge on that box so it looks 3d, put some text in that box, make sure this box looks for mouse clicks, if a click happens remove that 3d stuff and put it back pretty quick'. It would not be a good idea to try to program complex things without a widget set. 5.How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use? I think you can get this from the other answers. really the limit are... 1. You have to run the program on the same machine where you want to see it. 2. You can't choose another window manager if you don't like the way windows works. 3. No matter how configurable windows is, if there is just 1 thing you need that it doesn't have built in , there is no way to get it. With X you just use a different wm,desktop,widget set, whatever. 6.What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source? CDE what a thing driven by big Unix verdors for their own needs. Things that start that way get re-invented to suit everyones needs, hence Gnome and KDE. Well, when I get going I can sure waste some time. I hope I haven't taken up too much of you time with this. I'll leave you with just 1 thing. I know hundreds of world class programmers, and administrators who are gods on BOTH NT and Unix. I know not a single one who prefers NT. Keep learning until you agree, I know you will. -- SOTTEK -------------------------------------------------------------- Date: Sat, 5 Dec 1998 09:48:43 -0600 From: Dustin Puryear, dpuryear@usa.net desktop, and an interface. How do they differ from X windows? X windows is what sits behind it all. More or less, it controls the access to your hardware and provides the basic functionality that is needed by the wm. The wm controls windows, and how the user interacts with them. A desktop, such as KDE or GNOME, provides more services than a wm. For instance, drag 'n drop is a feature of a desktop, not a wm. Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows? Yes. What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it? They use the functions provided by GNOME or KDE, not just X. What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do? GTK+ and Qt (KDE) provide the basic foundation for the desktops. For instance, Qt provides the code to actually create a ListBox (a list of items a user can choose). KDE just uses this code to do it's thing. Note that Qt can be used for console apps just as well as for X apps. I'm not familiar with GTK+, so I can't comment. What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source? Well, Red Hat used CDE for a while (I think). However, they could not actually fix anything with it since it's was closed source. They have since moved to GNOME. However, there are some CDE clones out there. -- Dustin -------------------------------------------------------------- Date: Sat, 05 Dec 1998 19:45:34 +0000 From: "Richard J. Moore", moorer@cs.man.ac.uk Hope this helps: 1.Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows? A GUI (Graphical User Interface) is a general term that refers to the basic idea of using a graphical representation to communicate with the user (as opposed to a text based interface such as the command line). A window manager is an idea that is really specific to X windows. In X windows the policy for how windows are arranged and controlled is separated from the core system, the window manager is a special program that does this. This allows people to choose a window manager that has a policy that is good for them, and allows new window managers to be created that have different policies. The window manager draws window borders, minimise/maximise buttons etc. You can mix and match window managers, but most GUI toolkits for UNIX will provide one as standard. A desktop is a metaphor used by many GUIs it is basically an attempt to make computers fit in with the way people would work in an office. The hope is that this will make it easy for people to operate the system. The term is also used more generally to refer to a combination of window manager, toolkit (the box of parts used by the programmers of the system), and other 'standard' applications. If a set of tools is referred to as a desktop, it generally means that it will provide all of these things, and that they will be designed to work together in an integrated fashion. An example would be KDE (http://www.kde.org/). An 'interface' is just an abbreviation for a user interface. This is the view that a program presents to the user, and (for a graphical user interface) is usually composed of widgets such as menus, checkboxes, push buttons etc. Finally X windows is a toolkit for actually getting all of the widgets etc. onto your screen. It provides routines for drawing lines, circles etc. and these are used to draw everything you see. X windows is a lot more complicated and powerful than this really, but it would take a book to explain why. If you want this level of detail then look at the O'Reilly X windows programming series. 2.Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows? Yes, though neither Gnome nor KDE is a window manager. Both of these are complete desktops and though they provide window managers, there is much more to them than just that. The window manager in KDE is called kwm. 3.What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it? It means the app will talk to the window manager to get support for special features of that environment, and that it will use the standard look and feel of the desktop. If the app is not compliant then it should still work fine, but the special features will be unavailable. The other situation is using a compliant app with a nonstandard window manager, in this case too the app should work fine (but some feature may be unavailable). It is possible for window managers other than the standard ones to be compliant, for example there is now a KDE-Compliant version of the BlackBox WM. 4.What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do? They provide tools such as edit widgets, menus etc. in a form that makes them easy to reuse. The library used by KDE (called Qt, see http://www.troll.no/qt) is written in a language called C++ and also provides tools for programmers such as routines for platform independent access to files and directories etc. GTK+ is similar though it has narrower scope and is written in C. 5.How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? Badly :-( How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use? They restrict the system to a single view which may not be the best one for the job. Allowing people the choice means people can choose the best for them, even if it is nonstandard. The downside of this is that if everyone uses a different window manager then supporting and managing the system becomes difficult. In between these two options is the choice made by most UNIX toolkits - have a standard window window manager, but allow people to use another if they want. 6.What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source? CDE is based on Motif which is an old C toolkit that is (IMHO) looking rather dated. Motif is very slow, and as you say is very resource hungry. In the past linux versions have often been buggy, though this situation may have improved. I found CDE itself to be quite poor, it works fine if you spend all your time in a single application (such as emacs), but using the drag and drop, and some of the built in tools was generally problematic. IMHO It is unlikely to take off on linux because it it pricey and of lower quality than the free alternatives. -- Rich _________________________________________________________________ Published in Linux Gazette Issue 36, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ This page maintained by the Editor of Linux Gazette, gazette@ssc.com Copyright © 1999 Specialized Systems Consultants, Inc. _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ News Bytes Contents: * News in General * Software Announcements _________________________________________________________________ News in General _________________________________________________________________ February 1999 Linux Journal The February issue of Linux Journal will be hitting the newsstands January 11. This issue focuses on Cutting Edge Linux with an article on wearable computers by Dr. Steve Mann. Also, featured are articles on COAS, Csound, VNC, KDE and GNOME. Check out the Table of Contents at http://www.linuxjournal.com/issue58/index.html. To subscribe to Linux Journal, go to http://www.linuxjournal.com/ljsubsorder.html. _________________________________________________________________ Open Source Petition Date: Sat, 05 Dec 1998 15:20:19 -0500 A petition has recently been launched asking the General Services Administration of the US Government to evaluate Open Source software (OSS) alongside commercial software whenever it buys or upgrades computers. The goal of the petition, written by Prof. Clay Shirky and sponsored by the Open Source Iniative and O'Reilly and Associates, and hosted on www.e-thepeople.com, is to point out that OSS has reached a level of quality, reliability and support that makes it competitive with existing commercial products. The ultimate hope is to get vendors of Open Source software included in contract bids for Federal Government work. If you are interested in this petition, there are three things you can do: * Sign it: http://www.ethepeople.com/etp/affiliates/national/fullview.cfm?ETP ID=0&PETID=74386&ETPDIR=affiliates/national/ * Post the press release URL on sites or in other forums whose members might be interested in such a thing: http://www.shirky.com/opensource/petition.html * Pass this message on. For more information: Clay Shirky, clay@shirky.com _________________________________________________________________ LinuxWorld Conference & Expo - March 1999 IDG World Expo, the world's leading producer of IT-focused conferences and expositions, will produce LinuxWorld Conference & Expo, the first international exposition addressing the business and technology issues of the Linux operating environment. Addressing the needs of both the Linux business and development communities, LinuxWorld Conference and Expo, headed by Charles Greco, President of IDG World Expo, features a high-level, technical conference program led by industry luminaries offering advice and solutions on the industry's fastest growing operating systems technology. An exhibit floor highlighting leading service providers, solutions integrators, and development organizations -- Pacific HiTech, Enchanced Software, Linux Journal, Knock Software, and Oracle among others -- will also include customized event areas such as Start-up City, Developer Central and Developer Greenhouse, which will spotlight the latest developments and emerging companies in the Linux arena. The first LinuxWorld Conference and Expo will be held March 1-4, 1999 in San Jose, California at the San Jose Convention Center. The target audience includes Linux developers, Fortune 1000 business leaders, enterprise managers, CIOs, service providers, system administrators, software solution providers, computer consultants, and solutions integrators. Dr. Michael Cowpland, President and CEO, Corel Corporation, Mark Jarvis, Senior Vice President of World Wide Marketing, Oracle and Linus Torvalds, Creator of Linux, the open source operating system, will be the featured keynote speakers on Tuesday, March 2. Keynotes are open to all registered attendees. For more information: http://www.linuxworldexpo.com/ _________________________________________________________________ Debian Project Adopts a Constitution December 14, 1998 The Debian Project adopted a constitution which can be viewed at http://www.debian.org/devel/constitution/. The highlights of the constitution include the creation of the Technical Committee, the Project Leader postion, the Project Secretary position, Leader Delegate positions and a voting proceedure. The constitution was proposed in September 1998, and after a discussion period the vote took place in December 1998. It was virtually unanimously in favor with 86 valid votes. The discussion about the constitution began in early 1998 and was carried out on the Debian mailing lists. Most of the discussion can be found in the archives of the debian-devel mailing list at http://www.debian.org/Lists-Ar chives/. Details of the vote can be found at http://www.debian.org/vote/19 99/vote_0000. The constitution describes the organisational structure for formal decisionmaking within the Debian Project. As Debian continues to grow, this will be a valuable document to ensure that Debian continues to evolve and grow with the input and contributions from its membership. For more information: http://www.debian.org/ _________________________________________________________________ Linux Links Linux is the cover story of December Network Magazine: http://www.networkmagazine.com/ Perl Web site at The Mining Co.: http://perl.miningco.com/ LinuxCAD review: http://pw2.netcom.com/~rwuest/linuxcadreview.html Comdex and the Linux pavilion: http://marc.merlins.org/linux/comdex98/ Tea Party: http://marc.merlins.org/linux/teaparty/ The Internet an International Public Treasure: A Proposal: http://firstmonday.dk/issues/issue3_10/hauben/index.html Linux and Apple: http://www.techweb.com/wire/story/TWB19981215S0011 "The money's too good": http://www.salonmagazine.com/21st/rose/1998/10/23straight.html _________________________________________________________________ Software Announcements _________________________________________________________________ Applix Adds Applixware for Linux On Compaq Alpha Date: Fri, 4 Dec 1998 18:28:28 -0500 WESTBORO, Mass.--Dec. 1, 1998--Applix, Inc. announced today the release of Applixware 4.4.1 for Linux running on COMPAQ's Alpha processor. Applixware includes Applix Words, Spreadsheets, Graphics, Presents, HTML Author and Applix Data which provides database connectivity to Oracle, Informix, Sybase and other Linux databases. Applix Builder, a graphical, object oriented development tool with CORBA connectivity is also included in the suite. Microsoft Office 97 document interchange is provided through an Applix developed set of filters for Word, Excel and PowerPoint. For more information: Applix, Inc., Richard Manly, rmanly@applix.com http://linux.applixware.com/ _________________________________________________________________ NetBeans Announces Support for the Java Development Kit 1.2 New York, Java Business Expo, December 8, 1998 - NetBeans today announced that its Java(tm) IDE, NetBeans DeveloperX2, supports and runs on Sun Microsystems, Inc.'s Java Development Kit (JDK version 1.2). This latest release of the JDK provides a rich feature set of new class libraries and tools, making it easier than ever for developers to create portable, distributed, enterprise-class applications. Sun's announcement of the availability of the next version of the JDK was made today during the Java Business Expo in New York. NetBeans Developer X2 2.1 (beta) supports JDK 1.2 and uses it internally. It is available to NetBeans' Early Access Program participants. In addition to overall performance improvements, Sun's new version of the JDK enhances the NetBeans IDE by offering features such as drag 'n drop, Beans enhancements, collections, JDBC 2.0, and Swing 1.1. Among other new features, NetBeans DeveloperX2 will utilize the new APIs for grouping and manipulating objects of different types and for extending server functionality. JDK 1.2 will also strengthen NetBeans users' ability to design more user-friendly interfaces, process images, address multilingual requirements, use stylized text, and print. The final release of NetBeans DeveloperX2 2.1 will be available in January, 1999. NetBeans Developer will also be available in a concurrent version, which will continue to support JDK 1.1.x. NetBeans Enterprise, a multi-user edition of the IDE due in Beta version in January, 1999, will support JDK 1.2. The full release of this edition of the IDE is due in Spring, '99. For more information: http://www.netbeans.com/ Helena Stolka, helena.stolka@netbeans.com _________________________________________________________________ Zope Goes Open Source Date: Sat, 5 Dec 1998 06:19:32 -0500 (EST) Just in case you missed this in LWN, http://www.zope.org/ just went online. It's a really nice product for developing web sites. The company that created it gave a talk at the DCLUG meeting a few months back. They dropped are strong Linux supporters. It's there principal platform in house. For more information: http://www.zope.org/ _________________________________________________________________ KDE on Corel's Netwinder Ottawa, Canada--November 25, 1998-- Corel Computer and the KDE project today announced a technology relationship that will bring the K Desktop Environment (KDE), a sophisticated graphical user environment for Linux and UNIX, to future desktop versions of the NetWinder family of Linux-based thin-clients and thin-servers. A graphical user interface is a necessary element for Corel Computer to create a family of highly reliable, easy-to-use, easy-to-manage desktop computers. The alliance between Corel Computer and KDE, a non-commercial association of Open Source programmers, provides NetWinder users a sophisticated front-end to Linux, a stable and robust Unix-like operating system. Corel Computer has shipped a number of NetWinder DM, or development machines, to KDE developers who are helping to port the desktop environment. Additionally, NetWinder.Org developers, Raffaele Saena and John Olson, were responsible for championing development of KDE on the NetWinder. Corel Computer plans to announce the availability of desktop versions of the NetWinder running KDE beginning in early 1999. Early demonstrations of the port, such as the one shown at the Open Systems fair in Wiesbaden, Germany, in September, have been enthusiastically received by potential customers. Based on the Open Source model, Corel Computer is devoting internal development resources to the improvement of the KDE project including rigorous testing of the environment on the NetWinder. As a developing partner, Corel Computer will release its work back to the KDE development community. For more information: http://www.corelcomputer.com/ htt://www.kde.org/ _________________________________________________________________ New Perl Module Enables Application Developers to Use XML Date: Wed, 25 Nov 1998 06:36:08 -0800 (PST) Sebastopol, CA--Perl is the language operating behind the scenes of most dynamic Web sites. XML (Extensible Markup Language) is emerging as a core standard for Web development. Now a new Perl module (or extension) known as XML::Parser allows Perl programmers building applications to use XML, and provides an efficient, easy way to parse (break down and process) XML document parts. Perl is renowned for its superior text processing capabilities; XML is text that contains markup tags and structures. Thus Perl's support for XML offers a natural expansion of the capabilities of both. XML::Parser is built upon a C library, expat, that is very fast and robust. Perl, expat and XML::Parser are all Unicode-aware; that is, they read encoding declarations and perform necessary conversions into Unicode, a system for "the interchange, processing, and display of the written texts of the diverse languages of the modern world" (http://www.unicode.org/). Thus a single XML document written in Perl can now contain Greek, Hebrew, Chinese and Russian in their proper scripts. Expat was authored by James Clark, a highly respected leader in the SGML/XML community. For more information: http://www.perl.com/ http://www.oreilly.com/ http://perl.oreilly.com/ _________________________________________________________________ QLM for IT Reduces Cost & Guarantees Certainty of Application Development Newton, Mass., December 9, 1998 - Kalman Saffran Associates, Inc. (KSA), a leading developer of state-of-the-art products and complex IT systems for data communications, telecommunications, financial, and interactive/CATV industries, today announced the availability of its new Quantum Leap Methodology (QLM(tm) ) for IT. QLM for IT is an innovative process for information technology organizations looking to decrease expense and speed application development. Using QLM for IT, KSA increases productivity and certainty by pre-empting the mistakes that have historically created barriers to IT project success. Successful application of QLM for IT allows upper management to refocus on strategic planning and IT objectives, and away from budget and schedule overruns. At the same time the methodology sharpens an organization's focus on assessment, implementation, verification, customization and quantification. This approach allows KSA to guarantee speedy results and high quality. The QLM for IT offering is available starting at $20,000. Companies interested in QLM for IT analysis and recommendations or learning more about KSA's comprehensive training program should call 1.888.597.9284 For more information: kalsaf@email.msn.com _________________________________________________________________ Spectra Logic Announces Alex 4.50, Has Linux Support BOULDER, Colo., Dec. 15, 1998 - Spectra Logic Corp. today announced the availability of Version 4.50 of its award winning Alexandria Backup and Archival Librarian software. Alexandria 4.50 adds a number of significant new features to provide users with greater functionality, reliability, and ease-of-use for backup and recovery of large distributed databases and data center applications. Alexandria 4.50 has been ported to Red Hat and Slackware Linux OSes, and additional ports are being developed for Linux OSes from SuSE, Caldera, and TurboLinux. Alexandria Linux support is available on the Red Hat distribution CD or from Spectra Logic's website at www.spectralogic.com/linux/index.htm http://www.spectralogic.com/linux/index.htm. For more information: http://www.spectralogic.com/ _________________________________________________________________ WebMaker Date: Thu, 10 Dec 1998 21:22:25 GMT WebMaker, an HTML Editor for UNIX, version 0.6 is out now. (Copyright - GPL) Main features: * nice GUI interface; * menus, toolbar and dialogs for tag editing - like HomeSite and asWedit; * HTML 4.0 support; * preview for tag (see screenshot); * color selectors for bgcolor and other color attributes; * color syntax highlighting; * preview with external browser (Netscape); * ability to filter editor content through any external program that support stdin/stdout interface; * KDE integration. For more information: http://www.services.ru/linux/webmaker/ _________________________________________________________________ Published in Linux Gazette Issue 36, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ This page written and maintained by the Editor of Linux Gazette, gazette@ssc.com Copyright © 1999 Specialized Systems Consultants, Inc. "The Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ (?) The Answer Guy (!) By James T. Dennis, answerguy@ssc.com Starshine Technical Services, http://www.starshine.org/ _________________________________________________________________ Contents: (!)Greetings From Jim Dennis (?)Routing and Subnetting 101 (?)No STREAMS Error while Installing Netware for Linux (?)More than 8 loopfs Mounts? (?)eql dual line ppp --or-- EQL Serial Line "Load Balancing" (?)who to report gcc bug to? --or-- Where to Report Bugs and Send Patches (?)RedHat Linux (5.1) and Brand X --or-- How to "get into" an Linux system from a Microsoft client (?)Linux File System recommendations --or-- Where to Put New and Supplemental Packages (?)Your book --or-- Book: Linux Systems Administration (?)FTP Site... --or-- 'ls' Doesn't work for FTP Site (?)very general process question --or-- An Anthropologist Asks About the Linux "Process" (?)Locating AV Research --or-- Looking for a Hardware Vendor: In all the Wrong Places (?)question for answerguy --or-- Letting Those Transfers Run Unattended (?)where can i find information about LOFS, TFS --or-- Translucent, Overlay, Loop, and Union Filesystems (?)Modem dial out (?)Linux Gazette --or-- Mea Culpea (?)PAM & chroot (fwd) --or-- 'chroot()' Jails or Cardboard Boxes (?)The Linux Swap File --or-- Swap file on a RAM Disk (?)RedHat Linux (5.1) and Brand X --or-- How to "get into" an Linux system from a Microsoft client (?)Dynamic IP Address Publishing Hack (?)Why 40-second delay in sending mail to SMTP server? (?)how to install two ethernet cards for proxy server for red hat linux --or-- Linux as Router and Proxy Server: HOWTO? (?)ey answer guy! answer this! --or-- PostScript to GIF (?)troubleshooting (?)More on: "Remote Login as root" (?)Thank You --or-- Kudos (?)Question --or-- Linux Support for Intel Pentium II Xeon CPU's and Chipsets (?)isp --or-- Linux Friendly ISP's: SF Bay Area (?)Hello I need some help --or-- Eight Character login Name Limit (?)Locked Out of His Mailserver (?)Changing the color depth for your x-server? --or-- Changing the X Server's Default Color Depth (?)Num Lock and X apps --or-- NumLock and X Problems (?)NE2000 "clones" --- not "cloney" enough! --or-- Expansion on NE-2000 Cards: Some PCI models "okay" (?)MySql --or-- Finding info on MySqL? (?)read please very important --or-- Spying: (AOL Instant Messenger or ICQ): No Joy! (?)Tuning monitors for use with X --or-- Fraser Valley LUG's Monitor DB (?)chattr =u and then what? --or-- ext2fs "Undeletable" Attribute (?)How to Install Linux on an RS6000? (?)Real PS Printing --or-- Advanced Printer Support: 800x600 dpi + 11x17" Paper (?)TAG suggestions (?)password change --or-- CGI Driven Password Changes (?)ifconfig reports TX errors on v2.1.x kernels (?)Trident 9685 tv --or-- Support for Trident Video/Television Adapter (?)Looking for info on BIOS setup --or-- Plug and Pray Problems (?)Mount linux drives from win9x/nt? password encryption seems to be a problem... --or-- Sharing/Exporting Linux Directories to Windows '9x/NT (?)Mail processing (?)Printing question --or-- Extra Formfeed from Windows '95 (?)Root password --or-- Can't Login in as Root (?)Alternate root-password recovery option --or-- Alternative Method for Recovering from Root Password Loss (?)Journal File Support and Tarantella? --or-- SCOldies Bragging Rights (?)Remote tape access, using local CPU --or-- Application Direct Access to Remote Tape Drive (?)Mounting CD Drives from SoundCard --or-- Mounting multiple CD's (?)Re: leafnode-1.7 -- news server for small sites --or-- More on Multi-Feed Netnews (leafnode) (?)rsh config --or-- Getting 'rsh' to work (?)update on your answer - netware clients --or-- Linux as a Netware Client (?)LILO Default (?)uninstall help --or-- Uninstalling Linux (?)Compiling kernel --or-- Making a Kernel Requires 'make' (?)memory usage --or-- Using only 64Mb out of 128Mb Available (?)Manipulating Clusters on a Floppy ... (?)Setting up ircd (?)Sendmail on private net with UUCP link to Internet (?)Linux in general --or-- Complaint Department: (?)A Dual Modem configuration... how do I get it to work? --or-- eql Not Working (?)HELP: fetchmail dies after RH 5.2 upgrade --or-- Upgrade Kills Name Server (?)Question (what else?) --or-- MS Applications Support For Linux (?)Linux as a Home Internet Gateway and Server (?)lilo --or-- Persistent Boot Sector (?)preference=20 --or-- Secondary MX Records: How and Why (?)LPD forks and hangs/Linux --or-- 'lpd' Bug: "restricted service" option; Hangs Printer Daemon (?)Dual booting NT or Win9x with Linux (Red Hat 5.2) --or-- Dual Boot Configurations (?)Can you give me a Suggestion?/ --or-- Microtek Scanner Support: Alejandro's Tale (?)Offer to make available Winmodem interface spec --or-- Modem HOWTO Author Gets Offer RE: WinModems (?)I do know i am boring (ma windows fa veramente cagare) --or-- Condolences to Another Victim of the "LoseModem" Conspiracy (?)Kai Makisara: Re: audio-DAT on SCSI streamer? --or-- More on: Reading Audio Tapes using HP-DAT Drive (?)Just a sugestion... --or-- Best of Answer Guy: A Volunteer? (?)more on keybindings --or-- termcap/terminfo Oddities to Remotely Run SCO App (?)Arabic? --or-- Arabic BiDi Support for Linux (?)Updates: Risks and rewards --or-- Automated Updates (?)Liam Greenwood: Your XDM question (?)rsh on 2.0.34 --or-- 'rsh' as 'root' Denied ____________________________________________________ (!) Greetings from Jim Dennis Happy New Year everybody. I would say more, but I think I've said enough for this month... ____________________________________________________ (?) Routing and Subnetting 101 From pashah on Wed, 18 Nov 1998 on the L.U.S.T List Hullo list, what is the way to devide a net into subnets according to bits bourder? (!) This is a very large subject --- and your question isn't sufficiently detailed to offer much of a clue as to how much background you really need. However, I'm writing a book on Linux Systems Administration, and I have to put some discussion of this somewhere in around chapter 12, so I might as well try here. "subnetting" is a means of dividing a block of IP addresses into separately routable groups. If you are assigned a class C address block (255 addresses) it often makes sense to subnet those in some way that's appropriate to your LAN layout. (!) [Paul Anderson] Also known as a /24, IIRC. TTYL! Paul Anderson - Self-employed Megalomaniac Member of the Sarnia Linux User's Group http://www.sar-net.com/slug For example you might split the block (lets say it's 192.168.200.*) into two subnets of 126 hosts each. We might assign half of them to an "external" or "perimeter" segment (an ethernet segment that contains all of our Internet visible hosts) while we assign the other addresses to our "internal" LAN. (Actually there are better ways to do that --- where we use "private net" (RFC1918) addresses on all of our internal LAN's --- and masquerading and/or proxying for all Internet access and internetwork routing. However, we'll ignore those methods for now). To do this we use a "netmask" option on the 'ifconfig' commands for each of the interfaces on our network. We'll have to put a router between our two segments. Conventionally primary routers are assigned the first available address on their subnets. So we'd assume that we're using a Linux system with two ethernet cards as our router. This would use the following commands to configure those two addresses: ifconfig eth0 192.168.200.1 \ netmask 255.255.255.128 \ broadcast 192.168.200.127 ifconfig eth1 192.168.200.129 \ netmask 255.255.255.128 \ broadcast 192.168.200.255 ... note that the 129 address in our original block becomes the first address in our upper subnet. We have subnetted into two blocks. (None of this makes sense unless you look at these numbers in binary). For this to work we'll also have to configure corresponding routes. In the 2.0 kernels and earlier it is/was necessary to do this as a separate operation. In the 2.1 kernel a route is automatically added for each 'ifconfig' command. For our example the routes would look like: route add -net 192.168.200.0 eth0 route add -net 192.168.200.120 eth1 ... I'm assuming, in this case, that we also have an ISP that has assigned this address block. Actually my examples are using addresses from RFC1918, these are reserved for "private" or "non-Internet" use --- and would never actually be issued by an ISP. However, they'll serve for our purposes. Let's assume that you had a simple PPP link to your ISP (or to some external ISDN, xDSL, CSU/DSU or other ISP provided device which is your connection point to them). They might have assigned one of their addresses to your border router, or they might expect that you'll assign your .1 address to it. Somewhere on their end they'll have a route that looks something like: route add -net 192.168.200.0 gw 192.168.200.1 This says that your router (.1) is the gateway (gw) for that network (192.168.200.*). Note that their netmask for you is 255.255.255.0 --- their's differs from your idea of your netmask. That's because your router will handle the routing internal to your LAN. It might be the case that you have to assign your .1 address to your ppp0 interface, and perhaps your .2 address to eth0. That won't affect any of what I've said so far (other than the one digit in one of our 'ifconfig' commands). All of our routes are the same. In any event we'll want a default route to be active on our router anytime our connection to the Internet is up. The hosts on either of our subnets can all declare our router as their default route. Thus all of the hosts on the 192.168.200 subnet (2 through 126) can use a command like: route add default gw 102.168.200.1 ... while all of the hosts on our upper subnet (192.168.200.128 --- 129 through 254) would use: route add default gw 102.168.200.1 Note that we can't use hosts numbered ...127 and ...255 in this example. For each subnet we create we "lose" two IP addresses. One is for the "network number" (offset zero from our subnet) and the other is for the broadcast address (the last offset from our network number for our subnet). We can have routes to gateways other than our "default." For example if I had a more complicated internetwork with a set of machines with addresses of the form 172.16.*.* (another RFC1918 reserved block) I could use a command like: route add -net 172.16.0.0 gw 192.168.200.5 ... to declare my local system (....5) as the gateway to that whole block of Class B addresses. Locally I don't care how the 172.16.*.* addresses are subnetted on their end. I just send all of their packets to their routers and those routers figure out the details. Of course if our .1/.129 router (from our earlier examples) has this route, than all of our other client systems on both 192.168.200 subnets could just use their default route. This might result in an extra hope for the systems on the 192.168.200.0 lower network (one to the .1 router, and another from there to the .5 router). However, it does centralize the administration of our locate routing tables. All of the routing that I've been describing is "static" (I've using the 'route' command to establish all of the routes). Another option for larger and more complicated networks is to use a dynamic routing protocol, such as RIP. To do that, we have to run the 'routed' or (better) the 'gated' command on each of our routers. In a typical leaf site (a LAN with only one router, therefore only one route in or out) we only run 'routed' or 'gated' on the router. All nonlocal traffic has to go to that one router anyway. In many cases we want our routers to be "quiet" (to listen to our routes, but not advertise any of their own). There are options to the 'routed' and 'gated' commands to do this. As you get into the intricacies of routing in larger environments, and of dynamically maintaining routes (like ISP's must do for their customers) you enter into some pretty specialized and rarefied territory (and will fly past my level of expertise). Routing on the Internet is currently managed through the BGP4 protocols, as implemented in 'gated' and various dedicated router products like Cisco's IOS. More about ' gated 'can be found at the Merit site: http://www.gated.merit.edu/~gated In order to participate in routing on the Internet (to be a first tier ISP like UUNet, PSInet, etc) or to be a truly "multi-homed" site (to optimally use feeds from multiple ISP's concurrently) you'd have get an AS (autonomous systems) number and "peer" with your ISP's. Because any mistake on your part can propaget bogus routes to your peers --- which can cause considerable disruption across the net --- this is all way beyond the typical network administrator. * (I'm told that the routing infrastructure has been tightened up quite a bit in the last of years. Some of the great Internet "blackouts" from '96 and '97 were caused by erroneous route propations across the backbone peers. So now most of these sites have configured their routers to only accept appropriate routes from each peer.) The subnet I've been describing is a "1-bit" subnet. That is that we're only masking off one extra bit from the default for our addressing class. In other words, the default mask for a Class C network block is 255.255.255.0 --- which is a decimal representation of a 32-bit field where the first 24 bits are set to "1" our subnet mask, represented in binary, would have the first 25 bits set. The next legal subnet would have the first 26 bits set (which divides a Class C into four subnets of 62 hosts each). Beyond that we can subnet to 27 bits (eight subnets of 30 hosts each), 28 bits (16 subnets of 14 hosts each), 29 bits (32 subnets of 6 each) and even 30 bits (64 subnets of 2 each). So far as I know a 31 bit mask is useless. A 32 bit mask defines a point-to-point route. Ultimately all these masks and subnets are used for all routing decisions. In a typical host with only one interface the subnet mask is used only to distinguish between "local" and "non-local" addresses. For any destination IP address the host "masks off" the trailing bits, and then compares the result to the "masked off" versions of each local interface address. If the the masks match then the address is local, and the kernel (or other routing code) looks for a MAC (media access control) or lower level (framing) address. If one isn't found an ARP (address resolution protocol) transaction is performed where the host broadcasts a message to the local LAN to ask where it should set a locally destined packet. If you have a bad subnet set on a host one of two things can happen. It might be unable to communicate with the hosts on any other subnets (it thinks those are local addresses and tries to do ARP's to find them --- then it figures they must be down since there's now response to the ARP requests). It might also send locally destined packets to the router (which should bounce them back to the local net --- if the router is properly configured). Of course that might only work if the bad subnet mask doesn't interfere with the host's ability to get packets to it's gateway/router. Obviously it's better to have your subnet masks properly defined throughout. If the address isn't local to any interface than the routing code searches through its list of routes to look for the "most specific" or "best" match. If there is a default route (pointing to a gateway) then anything with no other match will get sent to that. Obviously one of the constraints posed by this classic routing and subnetting model is that you can only subnet to a few even sized blocks. We can't define one block of 14 or 30 addresses (for our perimeter net) have all of the rest routed to our larger internal LAN segment. Actually it is possible, with some equipment, to do this. That's called "variable length subnetting" or VLSN sometimes called VLSM's for VLS "masks"). RIP and the other old routing protocols (EGP, IGRP, etc) don't support VLSN (from what I've read in the Cisco FAQ). However, the modern OSPF, BGP4, and EIGRP protocols do. Each routing table entry has it's own independent mask or "prefix" number. It appears that Linux can handle VLSN by simply over-riding the netmask for a given network when defining static routes. Presumably packages like 'gated' can also provide the appropriate arguments when updating the kernel's routing table, so long as the route exchange protocol can provide it with the requisite extra information. Thus, going back to our example, you might configure your 192.168.200 network into a block of 30 addresses for the perimeter network (one eth0 in our example) and put the rest unto the interior net (using eth0). I'm just guesing here --- since I haven't actually done this, but I guess that you'd define the netmasks in the ifconfig command to be "255.255.255.0" (24 bit), while over-riding it in the routes with commands like: route add -net 192.168.200.0 \ netmask 255.255.255.224 eth0 route add -net 192.168.200.0 \ netmask 255.255.255.0 eth1 At a glance this would appear to be ambiguous. There would seem to be two possible routes for some addresses. However, the routing rules handle it just find. One of the masks is longer than the other --- and the "most specific" (longest mask) wins. That's why we can have a host route (one without the "-net" option) that over-rides any of our network routes. (It's mask is 32 bits long). Note: although I've shown these in order, most specific towards least so --- it shouldn't matter what order you add the routes in. It's also possible for us to have these two subnets separated from one another by intervening networks. I should be able to define a gateway to a subnet with a command like: route add -net 192.168.200.0 \ netmask 255.255.255.0 gw 172.17.2.1 ... where 172.17.2.1 is some host, somewhere, to which I do have a valid route. In any event I did hit Yahoo! to try and confirm that Linux supports VLSN's. I found a message from a frustrated network manager who had prototyped a whole network, testing it with Linux and depending on VLSN support --- and then finding that Solaris 2.5 didn't support them. (That was in early '97 --- allegedly 2.6 has added this support and presumably the new Solaris 7 also supports them). I also know that the route commands will actually add entries to your routing table (I created some bogus routes on another VC while I was writing this). However, I don't have time to set up a proper experiment to prove the point. It appears that Linux has supported VLSN's for some time. Throughout this message I've talked about "classes" of addresses. These were classic categories into which IPv4 addresses are cast which define the default netmasks and addressing blocks for them. For example 10.*.*.* is a Class A network. (In fact it is the one Class A address block that is reserved for private network use in RFC1918 et al). 56.*.*.* is the Class A network assigned to the United States Postal Service, and 17.*.*.* is reserved for Apple Computing Inc. However, these classes are being phased out of the Internet routing infrastructure through a process called "supernetting" or CIDR (classless Internet domain routing). Support for VLSN is a requirement for CIDR. (That's a matter for your ISP or your ISP's NAP -- network access point --- to worry about). In the old days if you got a block of addresses and you changed ISP's you'd take your addresses with you. You new ISP would add your block of addresses to his routing tables and propagate this route to his peers and so on through the Internet routing chain. The problem was that this isn't scaleable. The routing tables were getting so big that the first tier routers couldn't handle them. So we started using CIDR. CIDR block is a large chunk of addresses (32 Class C's minimum). These are given to NAP's and ISP's, and a single route, for the whole block, is added to the top level routers. The ISP then subnets those and handles the routing locally. Although addresses are now routed in a "classless" manner --- we still talk about the addressing classes in networking discussions. It's convenient, though sometimes not technically precise. The main implication of this for most of us is that you don't get "take your addresses with you" if you change ISP's. You can keep your domain name, of course. That's completely independent of the routing. (Theoretically it's always been possible to have a block of addresses with no associated DNS at all. I don't know anyone that does that --- but there isn't any rule against it). I said earlier that the "better" solution to your internal network addressing is to use private network addresses (per RFC1918) and use IP masquerading, NAT (network address translation) or applications level proxies at your borders for all of your client Internet access. In this model you only assign "real" IP addresses to your publicly accessible servers. This is "better" for several reasons. First, you conserve addresses. You can have thousands of hosts on your network and they can all access the Internet using only one or a few "real" IP addresses. This is particularly handy these days since ISP's (feeling a bit of an addressing crunch themselves) often charge premium rates for larger subnets. In the "old days" you got a Class C or larger address block for any dedicated Internet connection that you established. Now you usually get a subnet. For the xDSL line I just got into my office/home I got a subnet of 30 addresses (255.255.255.224, or 27 bits for the netmask). So, you can use 192.168.x.* addresses for all/most of your clients and reserve your "real" IP's for your router, and your mail, web, FTP, DNS, proxy and other servers (including any old-fashioned virtual web hosting; newer HTTP 1.1 style web hosting doesn't require an extra IP address and IP aliasing but "virtual hosting" for most other protocols and services does). If you're really ambitous you could probably configure a server with 'ipportfw' and/or 'ipautofw' (or 'ipmasqadm') to redirect each service on this list through a masquerade to its own dedicated server(s). I've heard that there's even a "load balancing" patch to one of these port forwarders. That would conserve more addresses by making one system appear to be running many services --- while allowing you to isolate those services on their own systems for security or load management reasons. Another advantage of this model is that you can change ISP's more readily. For any network of more than about five IP hosts, address renumbering is difficult and expensive. You want to avoid it. Of course you can use DHCP to make that easier --- but then you have to carry around your DHCP infrasture, and you can only imagine the disruption that this might still cause for your internal servers. I've known companies that were very unhappy with their ISP but not quite mad enough to shutdown their network for a week to renumber (large novice userbase, small IS staff, mostly Windows clients --- it's a real concern). Yet another advantage relates to your network security. It is easier to enforce your network policies and protect your internal systems if you prevent direct routing into your internal LAN. It is much easier to ensure that a few machines (your routers, proxy servers, and publicly accessible hosts) are secure from known attacks (source routing, "ping of death" and various things like nestea, boink, land/latierra, etc) than to apply those patches to every host on your network. (Indeed in many cases it is not possible to apply necessary patches to some of those hosts because they are running proprietary, or "closed source" operating systems --- and you have to wait for your vendor to make correct patches or "service packs" available). It is folly to think that no new attacks of this sort will be discovered. It is also usually futile to have an unenforced policy that no insecure services be allowed on internal systems. So you should use IP masquerading and/or applications proxying for most hosts on most networks. Of course you can use "real" IP addresses and still "hide" them behind a firewall (any combination of packet filters, and proxying can be called a 'firewall'). However, there's no reason (at that point) to do so. It should be noted that use of masquerading and/or proxying will not inherently improve your security overall security. These are not a panacea. If an attacker can gain sufficient access to any of the hosts that do have a valid route into your internal LAN (such as the interior routers and/or proxy hosts) or trick any such system into routing packets for them (with source routing, for example) or embed hostile code into any of the data streams that will be executed by any of your systems ... if they can do any of that then the firewall will just be a minor nuisance to their other mischief. Indeed using masquerading and proxying is a bit of a nuisance. It's an extra step in configuring your systems, and you'll probably still occasionally bump into some new or obscure protocol that can't be easily proxied or masqueraded. Luckily, as the number of sites that must use firewalls increases (the percentage of "directly routable clients" decreases) the programmers and groups that design these protocols and tools becomes more aware of the problem and less likely to implement them in problematic ways. One aspect of this that is a bit confusing is that you can put multiple subnets and IP address blocks on a single ethernet segment. For example, a few years ago I was the admin of a large site which had established permanent connections to three ISP's. They had not yet applied for an AS number and were not "peering" with those ISP's. So they were assigning addresses to different groups of computers from all three ISP's (about eight different Class C addresses). However, they used a VLAN architecture internally. (That --- and the fact that they were using direct routing to clients --- was counter to my recommendations; but I was just a lowly "junior" netadmin, so they didn't listen, until much later --- after I'd left). So they had a flat internal topology and some routing problems (their senior netadmin didn't know how to trick the Ciscos into this using static routes and we didn't use IP RIP or anything like internally). I used IP aliases on a Linux box and defined the static routes there. Under current versions of Linux you can use IP aliases in your route commands: ifconfig eth0 192.168.200.1 \ netmask 255.255.255.0 ifconfig eth0:1 192.168.100.1 \ netmask 255.255.255.0 route add -net 192.168.200.0 eth0 route add -net 192.168.100.0 eth0:1 ... here I've route the 200 net to eth0, the 100 net to eth0:1 (a "sub-interface" or IP alias), and added routes to each. Under the newer (2.1.x) kernels this works a little differently --- you just use the device name without the aliasing suffix in the route command. In other words the ifconfig commands would the be same, the first route command would be unecessary (its added automatically) and the second route command would just refer to eth0 --- not eth0:1. This may look a bit odd. (It certainly did to me at the time). You clients on the 100 network are sending their 200-net destined packets to this host which is then resending them over the same LAN segments back to destinations on the 200 net and vice versa. I still think its a stupid way to do it --- but it worked. I personally think that VLAN's are a bad idea --- and they seem to have been a kludge to deal with overgrown clusters of NetBIOS/NetBEUI (MS Windows) boxes that were too braindead to talk IP. One thing I haven't covered in this (extremely long) discussion is "proxyarp." This is a technique to allow one system to accept IP packets for other systems without changing the subnet masks and/or routes for the rest of the segment. It's most often used with PPP or SLIP dial-up lines --- though I've seen examples posted to newsgroups that were done between ethernet segments. Basically, the proxyarp host will respond to ARP requests IP addresses that are not assigned to any of it's interfaces, and. The proxyarp host needs a valid route to the proxied IP address --- but other systems will consider it to be a "local" address (local to their LAN segment). Obviously the address to be proxied must be valid for one of the subnet masks on the "local side." I'm sure this is all very confusing. So I'll give a simple example: I might have a host on 192.168.200 net with its own address of 192.168.200.13 (eth0). I might also have a system connected to that system's ppp0 port --- and that might be configured to use 192.168.200.44. When any of the systems on my LAN (eth0) have packets for 192.168.200.44 (which is local to them according to their subnet masks and routing tables) they perform an ARP (or search their ARP cache, of cours). My system (listening on 192.168.200.13) responds with its ethernet MAC address. So the localhost hosts and routers send those packets to me. (So far as they are concerned that's just another IP alias of mine). When I (.13) get this packet I find that it is NOT an alias of mine, but I have a valid route to it (over my ppp0 interface) so I forward it. The .44 system presumably has it's ppp0 interface configured as the default route and certainly has 192.168.200.0 routed to it's ppp0 --- so any packets to my (.13's) ethernet LAN get routed, too. Note that I (the .13 host) don't have to publish routes to .44. The routers and other hosts on the 200 LAN don't know or care whether I really am .44 --- just that IP packets for .44 can be encapsulated in data frames addressed to my ethernet card, where I'll deal with them as though it were my address (so far as they know). I realize it's a bit confusing. I've probably over-simplified in a few areas and probably gotten some of this completely wrong (corrections gratefully accepted). However, that's the basics of routing and subnetting. One of these days I really should read Comer's "Internetworking With Tcp/Ip : Principles, Protocols, and Architecture Vol 1" which I've heard is essentially the TCP/IP bible. However, I've had Christian Huitema's "Routing in the Internet" (a 300 page text book on routing) sitting next to my desk for about a year --- and Comer's book is much larger and not to hand. So, in answer to your original question: You divide a group of systems into subnets by assigning them addresses that lie within valid groupings of your address blocks, and creating routes to those blocks. Most of this is done with the 'ifconfig' command's "netmask" option and with appropriate 'route' commands (if you're using static routes). (Any other readers want to tell me how 'routed' and 'gated' get their routes? I guess that you still add static routes for your local nets and the local daemon picks them up and publishes/propagates them via broadcasts and their own router discovery mechanisms). ____________________________ (?) Subnetting and Routing 101 (continued) Some examples and tables From Pavel Plankov on Fri, 20 Nov 1998 L.U.S.T List (?) Thank you, that was very informative, but could you be more specific about "masking off" For example I have a 62.200.34 net, how can I subnet it? ...the only thing I am sure about is that 62.200.34.0/24 - is the C subnet. the quote at the bottom sounds rather vague %) (!) The subnet I've been describing is a "1-bit" subnet. That is that we're only masking off one extra bit from the default for our addressing class. In other words, the default mask for a Class C network block is 255.255.255.0 --- which is a decimal representation of a 32-bit field where the first 24 bits are set to "1" our subnet mask, represented in binary, would have the first 25 bits set. The next legal subnet would have the first 26 bits set (which divides a Class C into four subnets of 62 hosts each). Beyond that we can subnet to 27 bits (eight subnets of 30 hosts each), 28 bits (16 subnets of 14 hosts each), 29 bits (32 subnets of 6 each) and even 30 bits (64 subnets of 2 each). Any Class C (or 8 bit network) can be subnet into the following combinations: 1 subnetwork of 254 hosts (255.255.255.0)/24 2 subnetworks of 126 hosts each (255.255.255.128)/25 4 subnetworks of 62 hosts each (255.255.255.192)/26 8 subnetworks of 30 hosts each (255.255.255.224)/27 16 subnetworks of 14 hosts each (255.255.255.240)/28 32 subnetworks of 6 hosts each (255.255.255.248)/29 64 subnetworks of 2 hosts each (255.255.255.252)/30 ... or (from what I gather) it can be treated as a set of 254 separate point-to-point links. A subnet consisting of a network number and a broadcast address is absurd -- so we don't have "128 nets of 0 hosts each" with a mask ending it 254). Notice that I've specified the netmask and the number of network bits in the last column of this table. So. Let's say I didn't have this table. (I didn't when I started this message). So I want to find all of the valid netmasks on an eight bit network. I start the 'bc' command (big calculator --- it's a multi-precision "calculations shell" and scripting language that's included with most versions of Unix and Linux). I issue the following commands: ibase=2 10000000 11000000 11100000 11110000 11111000 11111100 This sets the input base to 2 (binary), leaving the output base at the default (decimal). Then, entering each of these binary numbers (note that this is every combination of 8 bits with anywhere from one to six leading one's and a corresponding number of trailing zeros. All (modern) legal netmasks have this property. As each of these numbers is entered, 'bc' spits out the decimal equivalent: 128 192 224 240 248 252 ... which matches my table -- these are the valid ways to subnet on 8 bits. (Actually I memorized those along time ago --- but hopefully this makes it clear where they came from). For "classic" subnetting, you pick any one of these entries. You then divide your network that number of segments (2, 4, 8, etc) with up to the corresponding hosts per segment (126, 62, 30, etc), and you use the corresponding netmask in the 'ifconfig' commands for all hosts on that network. 'route add -net' commands will default to following the chosen netmask. VSLN (variable length subnetting) is a little more confusing, so we won't cover it at this point. Given that we've chosen a subnetting paradigm (one line from this table) we now have to figure out what the valid network number, broadcast addresses, and range of host IP addresses are within each subnet. We could have a table for each of these. This would take too much space (actually it's about 128 lines long plus headers, etc). So, I'll give an example of the .224 netmask used to created 8 subnets. For all of these the netmask would be 255.255.255.224 (as listed in our previous table). The three prefix octets would be same in all cases (62.200.34 in your example). Here's our networks: 8 subnetworks of 30 hosts each (255.255.255.224) net# broadcast Hosts: low high 0 31 1 30 32 63 33 62 64 95 65 94 96 127 97 126 128 159 129 158 160 191 161 190 192 223 193 222 224 255 225 254 ... I think I got all those right (I just made up that table). It should be fairly obvious that the networks begin every 32 IP's between 0 and 256. The rest of the table is constructed by adding or subtracting one from the current or next network number or the by subtracting one from the broacast address. The lowest permitted host number in every subnet is that network's number plus one. The broadcast address for any subnet is the network number of the NEXT network minus one. The highest allowed host address on a subnet is the broadcast number minus one. So, your fourth subnet on this table would be 62.200.34.96/27. You're netmask would be 255.255.255.224 (as I said before), and the broadcast for this subnet would be 62.200.34.127. In other words, all of the hosts from 62.200.34.97 through 62.200.34.126 would use the 62.200.34.127 address for ARP requests and other broadcasts. Those from ...161 to ...190 would use the .191 address for their broadcasts. They'd be on the ...160 subnet. I'll do another one for comparison: 16 subnetworks of 14 hosts each (255.255.255.240)/28 net# broadcast Hosts: low high 0 15 1 14 16 31 17 30 32 47 33 46 48 63 49 62 64 79 65 78 80 95 81 94 96 111 97 110 112 127 113 126 128 143 129 142 144 159 145 158 160 175 161 174 176 191 177 190 192 207 193 206 208 223 209 222 224 239 225 238 240 255 241 254 ... That table is twice as long (obviously) and the number is it "look weird" However, it should be obvious where these number came from. Start with zero can keep adding 16 until we get to 256 to get the first column. Those are the network numbers. 256 can't be a network number. To get the second column we add fifteen to the network number (or we subtract one from the next network's number -- which is the network number on the next line). To get the third column we add one to the network number. To get the last column we subtract one from the broadcast number (the second column). I'll include one last table because it's shorter than the others: 4 subnetworks of 62 hosts each (255.255.255.192)/26 net# broadcast Hosts: low high 0 63 1 62 64 127 65 126 128 191 129 190 192 255 193 254 ... I really hope this one comes as no surprise. From here I would hope that you'd be able to generate the larger tables of 32 and 64 subnets if you were insane enough to use those. (The only organizations I know of that subnet that way are ISP's). I could write a perl script to generate subnet tables like these in far less time than this message took to write. Now, if you wanted to use VLSN, to create one small subnet and one larger one, I guess you'd pick a block of addresses, suitable for any of these subnets --- reserving the whole block (from the network# through the broadcast) and only assigning those in the range (from the low to high numbers). Those would be a subnet. You'd construct your route for that subnet, and put one of those addresses (the low or the high usually) unto one of your interfaces, and point your route (with its netmask override) to that interface. You'd put the rest of your network unto another interface with a broader route (one with fewer network bits in the netmask) to that. Example: Let's put a 14 host subnet on our perimeter and hide the rest of our hosts behind our router (with packet filters): We'll arbitrarily choose the first available 14 host subnet (from our table above). This should make it easier to remember which hosts are "outside" and which ones are available for assignment "inside" So we assign eth1 an address of 14 (the highest available address in this block --- I'm assuming that .1 is already in use by another router on that subnet, and we give eth0 (the interface to our internal network) an address of .17 (the first available address that's after our subnet). Then we set that up like so: ifconfig eth1 62.200.34.14 \ netmask 255.255.255.240 broadcast 62.200.34.15 route add -net 62.200.34.0 \ netmask 255.255.255.240 eth1 ifconfig eth0 62.200.34.17 \ netmask 255.255.255.0 broadcast 62.200.34.255 route add -net 62.200.34.0 \ netmask 255.255.255.0 eth0 I haven't actually done VLSN. However I think this would work. One important consideration about this would be that every internal system would have to know about this first route (the one with the .240 netmask). They could have this as a static route, or it could be propagated to them via some routing protocol (I'm not sure if RIP can handle that --- I think there was a RIPv2 that could --- while RIP would have to propagate this as a list of 14 host routes rather than a subnet route --- or some silly thing like that). The other thing that we'd have to be sure of is that we didn't use any of these subnet addresses inside of our domain. That includes the network number and the broadcast address. By choosing the first subnet for my example I cheated. You'd never try to assign the .0 address anyway. However, if you'd picked a subnet from somewhere in the middle of your address range --- everything should work. It would just be more confusing. Notice that I also skipped .16 (which would be the "next" network number if we were to use two of these subnets --- while leaving the rest on one segment. This should be unnecessary. However, I'd avoid assigning it an address just in case I need to add the additional small subnet later. Actually if you wanted to use a sophisticated address allocation strategy, to minimize the disruption that would be caused by most future subnetting strategies you could limit yourself to assigning addresses from the following groups: 1-14, 17-30, 33-46, 49-62, 65-78, 81-94, 97-110, 113-126, 129-142, 145-158, 161-174, 177-190, 193-206, 209-222, 225-238, 241-254 ... or better yet: 2-13, 18-29, 34-45, 50-61, 66-77, 82-93, 98-109, etc ... so that you're not issuing the possible network numbers, broadcast numbers, and first or last addresses in each of your possible subnets. Using this strategy you could start with a flat topology and later break it into anywhere from two to sixteen classic subnets or split off VLSN's (and add/propagate appropriate routes to them). As I've said, this sort of obtuse allocation strategy isn't necessary for most of us these days because we can use private net (RFC1918) addresses for our internal networks. However, if you're going to use direct routable addresses in your domain --- following this allocation schedule might actually help (and can't really hurt if you simply prepare the list ahead of time). It's possible to define some netmasks that aren't on even octet boundaries. For example the RFC1918 group of Class B addresses is 172.16.*.* through 172.31.*.*. That can be described with the address/mask 172.16.0.0/12 (which you could then then subnet into various ways). Most sane people reduce that ugliness to a "known" problem for which we've already described a solution. They treat these as a large group of Class C addresses and do all their network design based on those. The RFC1918 addresses: 192.168.x.* (for x from 0 to 255) is usually described as 255 contiguous class C address blocks. However, there is nothing prevent us from using this as a single 16-bit network (192.168.0.0/16). The only case where I've used these notations is when I'm writing a set of packet filters. I customary add the following four address masks to the source deny lists on perimeter routers: 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 These are denied in both directions. The outbound denials are "anti-leakage." We shouldn't be sending any packets onto the Internet which claim to be from these IP addresses. They are "non-routable" on the open Internet. So, any that "try" to get out are either a mistake (they were supposed to go through masquerading or network address translations --- NAT), or they are hostile actions possibly by users on our networks or by some subverted services or hosts (something's been "tricked" into it). The inbound denials are part of an anti-spoofing screen. No legal packet should get to us from any of these addresses (there should be no legal route back to any such host over the Internet). The 127.* filtering is also interesting. If I actually allowed packets through my router that claimed to be from "localhost" I might find that some services on some hosts could be exploited using it. I've heard of such packets being referred to as "martians." However, I'm not sure if the term is supposed to apply just to packets that claim a 127.* source address or to any of these "bad boys." To complete our anti-spoofing we also want to deny any inbound packets that claim to be from any of our real IP addresses. Thus you'd want to add a rule to deny 62.200.34.0/24. All of the hosts which are legitimately assigned any of those IP addresses should already be inside your network perimeter --- none should be traversing the inbound interface on any of your border routers. I might add a rule to block: 214.185.47.32/27 if I was given the second 30 host subnet on the 214.185.47.0 network (for example). Anti-spoofing gives us considerable protection from a variety of exploits. It really doesn't leave us "secure" --- IP ADDRESSES AND DNS HOSTNAMES ARE NOT AUTHENTICATION CREDENTIALS! However it limits the exploits that can be mounted from outside of our network. That's why you should ideal have sets of anti-spoofing packet filters at your border (between the Internet and your perimeter network) and at your interior router (between your internal and your permimeter networks). In some organizations you may also want to have anti-spoofing between your internal client networks and your "sanctum" of servers. In addition to the anti-spoofing rules it's a good idea to add a couple of rules to limit some known-to-be-bogus destinations (Thus far we've only been discussing packet filtering policies based on source addresses). I suggest that any of your local "real" IP addresses that translate into network or broadcast numbers for your network topology should be forbidden as destinations. These extra rules may seem unnecessary --- but there have been "denial of service" exploits that used these sorts of addresses to create packet storms and disrupt your networks. (A few broadcast packets that get in can cause reponses from all or most of your active hosts). So you should at least add: $YOURNET.0 and $YOURNET.255 to your denied destinations list (where these are the network number and broadcast for your block of assigned addresses. No one outside your domain has any business addressing packets to your whole network. If you are subnetted in other ways --- you'd face the possibility that some attacker might try sending to $YOURSUBNET.31, etc. However, this is probably just not such a big problem. If you use IP masquerading and/or proxying for all or most of your client hosts (as I recommended in my last post) you won't see any of that anyway. Meanwhile, how much do you need to subnet your banks of servers (in most cases, not much). (?) Thanx in advance. Pavel Piankov (!) Gosh I hope that helps. I also hope I haven't bored the rest of the list too much with this. I simply don't know of a way to describe subnetting and routing more concisely than this. If you really understand what I've written in these two messages --- you can probably get a job as a junior netadmin. ____________________________________________________ (?) No STREAMS Error while Installing Netware for Linux From Sean McMurray on Tue, 17 Nov 1998 I'm trying to install Caldera Netware for Linux on Redhat 5.1. Following the instructions from ftp://ftp.caldea.com/pub/netware/INSTALL.redhat, I get to Step 5 under "Downloading the Files." (!) Well, I haven't played with this yet, since I don't have any Netware client systems around here. (Maybe one of these days I'll fire up one of my old XT's to use for clients). (?) When I type in rpm -i kernel-2_0_35-1nw_i386.rpm, I get the following error: ln: boot/vmlinuz-2.0.35-1nw-streams: No such file or directory Can you tell me why? More importantly, can you tell me how to fix it? (!) Well, the Netware for Linux requires a kernel with STREAMS and IPX patches built into it. STREAMS is an alternative to BSD sockets. It's a programming model for communications within a Unix or other kernel --- between the applications interfaces and the devices. The Linux kernel core team has soundly reject suggestions that Linux adopt a STREAMS networking model for its native internal interfaces and we won't go into their reasoning here. (I'm inclined to agree with them on this issue in any event.) So, this error suggests that the 'ln' command (creates hard and symbolic links) can't find the '/boot/vmlinuz...' files to which it refers. One trick to try is to view the contents of the rpm file using 'mc' (Midnight Commander). Just bring up 'mc', select the RPM file with your cursor keys and highlight bar, and hit [Enter]. That will treat the RPM file as a "virtual directory" and allow you to view and manually extract the contents. Look in RPM:/boot for the kernel file --- also look for the README files. I've occasionally manually extracted the files from an RPM and just put them in place myself. Then I read through any scripts that and docs contained therein to see what should have been done by the rpm system. (Usually this sort of dodge is only necessary when doing piecemeal upgrades to the rpm package itself). There are other times when I have to resort to 'rpm -i --force --nodeps ...' to get things to work. Note that this kernel may not support you hardware configuration (that's one reason why many Linux users build custom kernels). So you may have to find and install the kernel source patches and build your own --- or at least build a set of modules that match that version. Probably your best bet would be to subscribe to the caldera-netware mailing list. Look to Liszt to help find specific mailing lists and newsgroups: Liszt: caldera-netware http://www.liszt.com/cgi-bin\ /start.lcgi?list=caldera-netware&server=majordomo@rim.caldera.com ____________________________ (?) No STREAMS Error while Installing Netware for Linux From Sean McMurray on Wed, 18 Nov 1998 Jim Dennis wrote: >When I type in rpm -i kernel-2_0_35-1nw_i386.rpm, I get the >following error: >ln: boot/vmlinuz-2.0.35-1nw-streams: No such file or directory >Can you tell me why? More importantly, can you tell me how to fix it? Well, the Netware for Linux requires a kernel with STREAMS and IPX patches built into it. Shouldn't it be included in Caldera's RPMs then. It seems that the first they their install does is try to build a new kernel.Also, does the fact that ncpfs is built in indicate that the STREAMS and IPX patches already exist - the IPX patches, anyway? (!) It is. That's what that kernel is saying. However it seems that the /boot directory isn't there (my to 'mkdir' that) and, for some reason, your 'rpm' command isn't or can't make it. (If you do have a /boot directory --- maybe you've used 'chattr +i' to make it immutable. Maybe you have a file named /boot so that a directory can't be made by that name. Who knows?). (?) Midnight Commander won't open the RPMs on my system, but I executed rpm -qpl kernel-2_0_35-1nw_i386.rpm > dump.txt to get a listing. The /boot files are: /boot/WHATSIN-2.0.35-1nw /boot/vmlinuz-2.0.35-1nw The only files with the word stream in the title is /lib/modules/2.0.35-1nw/misc/streams.o (!) ... that would be the STREAMS loadable kernel module. The other support and IPX patches are compiled into that kernel, and the FAQ tells you how to build a kernel to match the shipping one (close enough to load the requisite modules and route/utilize the IPX protocols anyway). (?) There are other times when I have to resort to 'rpm -i --force --nodeps ...' to get things to work. I tried to rpm -e kernel-2_0_35-1nw_i386.rpm, but rpm says that it isn't installed. (!) That tries to "erase" (uninstall) that package --- except that you have to use the package's name not the package *file's* name. kernel-2.0.35-1nw is probably the package name. The filename is independent of that, though it is conventionally similar. You can use the 'rpm -qpi' command to extract information about the RPM file including the package name. In general the -i and -p options to 'rpm' refer to file while others refer to "packages." If you issued the command 'rpm -ql foo-1.2.3-bang' RPM would list all of the files that are "owned by" the foo-1.2.3-bang package. If you issue the command 'rpm -qpl foo-1.2.3-bang.i386.rpm' then the command would list all of the file in that package file. If (by some chance) you had a different implementation of the same package these two lists might differ. (That's a minor problem with the RPM system --- there's no central naming authority on package naming and versioning so you can have differences between, for example, the S.u.S.E. and Red Hat packages, with some differences in dependencies --- etc. Actually it's a rather major pain in the patootie when you're a S.u.S.E. user and you keep getting packages that are contributed to the Red Hat site. However, it's still usually easier than building them from tarballs and the "right" answer for me is probably for me to learn enough about building my own RPM's that I can grap the source RPM packages and modify them to fit. The "right" answer for Red Hat and S.u.S.E. and Caldera is to make their packages as compatable with one another as possible --- particularly with regards to dependences and provision identification). (?) So I tried to rpm -e kernel-2_0_35-1nw_i386.rpm again, but rpm says it's already installed (!) That sounds wrong. Are you sure you typed exactly that? (?) I don't know rpm (or Linux) well enough to trust not hosing my kernel. I guess it's not that big of deal. I can just re-install RH5.1 from scratch. (!) After awhile building and installing new kernels will seem as routine and editing an old DOS CONFIG.SYS file (though you probably won't do anywhere near as often. (?) Probably your best bet would be to subscribe to the caldera-netware mailing list. I'm subscribed, but impatient. Thank you for your help. (!) I'd manually extract the kernel file from that RPM file, put it in the /boot/ directory, edit your /etc/lilo.conf file, run the /sbin/lilo command and try to reboot. Search through the old back issues of LG to read many messages about how LILO works -- or just read the HOWTO at: http://www.ssc.com/linux/LDP/HOWTO/mini/LILO.html (... and other LDP mirrors all over). Naturally you'll want to leave an entry for your existing (working) kernel so that you can reboot into that if this Caldera supplied kernel is inappropriate for your system. You'll also want to prepare a boot/root (rescue) diskette. Although one (image) comes with each Red Hat distribution I personally prefer Tom Oehser's "rtbt" (a full mini distribution on a single floppy --- with a suite of Unix tools sufficient to do most networking and rescue operations). You can find that at: http://www.toms.net/rb ____________________________________________________ (?) More than 8 loopfs Mounts? From Philippe Thibault on Fri, 20 Nov 1998 I've setup an image easily enough and mounted it with the iso9660 file system and asigned it to one of my loop devices. It works fine. What I was wondering was, can I add more than the eight loops devices in my dev directory and how so. What I'm trying to do is share these CD images through SMB services to a group of Win 95 machines. Is what I'm trying to do feasable or possible. (!) Good question. You probably need to patch the kernel in addition to making the additional block device nodes. So my first stab is, look in: /usr/src/linux/drivers/block/loop.c There I find a #define around line 50 that looks like: #define MAX_LOOP 8 .... (lucky guess, with filename completion to help). So, the obvious first experiment is to bump that up, recompile, make some additional loop* nodes under the /dev/ directory and try to use them. To make the additional nodes just use: for i in 8 9 10 11 12 13 14 15; do mknod /dev/loop$i b 7 $i; done I don't know if there are any interdependencies between the MAX_LOOP limit and any other kernel structures or variables. However, it's fairly unlikely (Ted T'so, the author of 'loop.c' hopefully would have commented on such a thing). It's easier to do the experiment than to fuss over the possibility. In any event I doubt you'd want to push that value much beyond 16 or 32 (I don't know what the 'mount' maximums are --- and I don't feel like digging those up too). However, doing a test with that set to 60 or 100 is still a pretty low-risk and inexpensive affair (on a non-production server, or over a weekend when you're sure you have a good backup and plenty of time). So, try that and let us know how it goes. (Ain't open source (tm) great!) Of course you might find that a couple of SCSI controllers and about 15 or 30 SCSI CD-ROM drives (mostly in external SCSI cases) could be built for about what you'd be spending in the 16 Gig of diskspace that you're devoting to this. (Especially if you can find a cachet of old 2X CD drives for sale somewhere). ____________________________________________________ (?) EQL Serial Line "Load Balancing" From Jim Kjorlaug on Mon, 30 Nov 1998 (?) I live in an area where ISDN services have been promised but no delivered. I had read a howto for EQL but can no longer find the documention on this method of ganging two modems together. Can you please let me know where I can find the source for this and the howto. Thanks for any help you can offer. Jim Kjorlaug (!) The README.eql (EQL Driver: Serial IP Load Balancing HOWTO) by Simon "Guru Aleph-Null" Janes (simon@ncm.com) doesn't seem to be in the LDP HOWTO Index. However it is included with the Linux kernel sources under .../drivers/net/README.eql ... so that's probably your best bet. Naturally the sources to the driver are also included therein. This README doesn't appear to have been updated since 1995. Note that this requires support from your ISP. In other words, to use EQL to effectively double you bandwidth, you need support for the same version of EQL load balancing at each end of the connection. Most ISP's are likely to be somewhat averse to this prospect (or to charge extra) since you'll be taking up two of their modems while connected over EQL. Another thing to consider is the difference between latency and bandwidth. Bandwidth refers to the amount of data that can be transmitted over a communications channel in a given amount of time. Latency refers to the propagation delay --- the amount of time before the first bits get to one end or the other of the channel. EQL can provide more bandwidth. However modem latency is pretty high and nothing can improve that within the constraints of the current standards. ____________________________________________________ (?) Where to Report Bugs and Send Patches From Elwood C. Downey on Mon, 30 Nov 1998 (?) Hello, I have found (and believe fixed) a bug in gcc libc, version 2.7.2.3 related to handling of daylight savings time and timezones. I would like to know exactly to whom I should send the report so it gets into the correct hands asap. Part of my confusion is gcc vs the new egcs (or whatever the new one is). I happen to be running Red Hat 5.1 if that matters. Thanks, Elwood Downey President/Chief Programmer Clear Sky Institute, Inc. (!) One of the "dirty little secrets" of FSF/GNU documentation is that "they" have an official bias against 'man' pages. If you look at the 'gcc' man pages you'll find that they refer you to the "Info" (or "Texinfo" pages) and list the man pages as non-authoritative, deprecated, unmaintained etc. 'Info' is a hypertext documentation system which is nothing like HTML. The easiest way to access them for this case would be to issue the command: info gcc There we'll find a node/link labeled "Bugs::" and following that will provide us with some guidelines for reporting problems. I'll refer you to those pages so that you'll get the full details rather than just an @ddress. Since 2.8.1 is the current version from the Free Software Foundation (http://www.gnu.org) you might encounter some resistance to accepting patches for 2.7.x at this point. Their maintainers may refer you to the more recent version. You might want to try the Debian package, which might include patches that update the GNU version. According to the Debian site (http://www.debian.org) the maintainer for the Debian GCC package is Galen Hazelwood. You can use 'alien' to to convert among RPM (Red Hat et al), Debian, SLP (Stampede Linux Packages) and Slackage package formats. Note that egcs is a spinoff of the GCC development. ____________________________________________________ (?) How to "get into" an Linux system from a Microsoft client From WRB on Mon, 30 Nov 1998 (?) I know you don't like questions concerning Brand X (w95 and nt40), however, I am a NEWBEEEEE to RedHat Linux (5.1) and I don't know where to go for this answer. Over my internal network, when I try to get into the RedHat (5.1) machine using Brand X (nt40 SP4), I get the message "\\computer4 is not accessible" "the account is not authorized to log in from this station" I don't have a problem with the other Brand X product (W95 OSR2.1), it goes right in. I have no problems with FTP or TELNET with either of the Brand X machines. Without getting tooooo condescending, is this a Brand X problem or is it a RedHat (5.1) issue? Thanks for your help Ron Botzen (!) The big problem here is with the phrase "get into." By this you seem to mean "share files on my Red Hat (Linux) system from on of my MS Windows clients" or "make my Linux system a file server to my MS Windows clients." My clue that this is your intent is from the syntax "\\computer4" is an SMB UNC (so-called "universal naming convention") designation which is used for file and print services over the SMB protocols (server message block). Samba is the Unix/Linux package that provides SMB services to your MS Windows, OS/2, and similar clients. Also Linux supports an 'smbfs' module and 'smbmount' command to allow it to act as a client in an SMB network. So, install the Samba package from your RH CD set, and read the docs therefrom. For the latest information on Samba go to: http://samba.anu.edu.au/samba/samba.html (or one of its mirrors). ____________________________________________________ (?) Where to Put New and Supplemental Packages From Lew Pitcher on Tue, 01 Dec 1998 (?) Hello from the Great White North. A few months ago, I installed the Slackware 3.3 distribution on a second-hand 486 system, and upgraded the kernel to the (then current) 2.0.35 level. I've been slowly accumulating packages (like Smail and iBCS) that I'd like to put up on this machine, and have a question about the placement of package installs. Given that I've acquired a system-level package with source code, where in the file system should I install it? From inspection, it looks like I've got several alternatives... /usr/src looks like the obvious place to start, but /usr/local also looks good. Do the Linux FileSystem Standards specify a place to put packages? If not, do you have a recommendation in this regard? (!) The Linux FHS (File Hierarchy Standard --- the descendent of the FSSTND --- filesystem standard) does have guidelines for system administrators and distribution developers and maintainers. I would say that the latter groups (those who produce and maintain general purpose distributions and packages) should be strongly encouraged (nigh on required) to follow these conventions. Sysadmins should be encouraged to follow them to the degree that makes sense for their site. Home users can do whatever the heck they like. I suggest '/usr/local/' for normal freeware packages that I install from tarball and compile myself. For commercial packages that are distributed as binaries I recommend '/opt' (which is, in my case, a link to '/usr/local/opt'). One of my continuing gripes about Red Hat and Debian is that there is no easy way for me to "partition" my packages such that all packages installed or updated after the initial OS/program load (IPL) default to installation on '/usr/local'. This, and the fact that I sometimes have a perfectly legitimate reason for concurrently maintaining two or more versions of a given package are my main gripes about those package management tools. The canonical home of the FHS seems to be: Filesystem Hierarchy Standard http://www.pathname.com/fhs (?) Thanks in advance for the advice. (!) You're welcome. (?) Lew Pitcher Joat-in-training If everyone has an angle, why are most of them so obtuse? (!) Shouldn't that be JOAT (jack of all trades)? ____________________________________________________ (?) Book: Linux Systems Administration From Jim Buchanan on Tue, 01 Dec 1998 (?) I hope to finish my book real soon now. Let us know when it's done. I'll surely order a copy. (!) I'll do my best to promote it without getting crass. (?) Aeleen Frisch's Essential System Administration Unix System Administrator's Handbook by Evi Nemeth et al Some real competition. I certainly wish you well, such a book would be a valuable addition to the many other Linux books available. (!) I'm focusing a bit more on "soft skills" like requirements analysis, recovery and capacity planning, the view that security considerations permeate all aspects of professional systems administration, and the design of whole networks rather than isolated hosts. These are elements that seem to be missing from the existing literature. (?) Macmillan Computer Publishing: The Macmillan folks are really nice people. They host our local LUG, INLUC (Indiana Linux Users Consortium, http://inluc.tctc.com) (!) My editor mentioned something along those lines. (?) If you ever make a trip to the Indiana Macmillan offices, maybe we can arrange the date so that you can come to one of our meetings, which are usually held on the third Wednesday of the month. Jim Buchanan (!) If I can afford it I'll do a full tour. Thanks for your supportive comments. Now all I have to do is get the thing done! ____________________________________________________ (?) 'ls' Doesn't work for FTP Site From Reuel Q. Salamatin on Tue, 01 Dec 1998 (?) Mr. James T. Dennis, I am so happy to have known that you are available to anwer Linux questions. I have tried emailing persons I found from how-to files and documentations about ftp, but as of yet, got no answers. Here's my problem. Our ftp site doesn't seem to support the ls command. Usually, upon log-in, or with a browser it should display directory listings. Now it worked just like that before. But now, it doesn't. I don't actually remember how it came about to be like that. I have followed instructions listed on the ftpd man page, about making a copy of the ls command on the bin directory of ftp home. I did just that but still no directory listing output. I was wondering what else could have gone wrong. Thank you even now in anticipation of your response. Sincerely yours, Mr. Roland Reuel Q. Salamatin (!) Assuming that you're using one of the traditional FTP servers (daemons) such as the BSD derived one, or WU-FTPD (which has been the default on most Linux distributions for several years), this probably relates to one of three problems. All have to do with the 'chroot' jail in which anonymous FTP (and the "guestgroups" from WU-FTP) operate. The idea here is that we've tried to minimize the risks to your system that are associated with having untrusted parties (anonymous and guest FTP users) accessing your directories. So we set up a psuedo "root" directory and issue the 'chroot()' system call to "lock the process into a directory." On problem with this approach is that most Unix/Linux programs need access to files like '/etc/passwd' and '/etc/group' (to map the numeric ownership codes that are stored in the inodes of file and directories to the associated names and groups. Also most modern programs (dynamically linked ELF binaries) require access to '/dev/zero' (a psuedo-device) for fairly obtuse reasons that amount to "because that's the way they work." So we need to build a skeletal copy/shadow of the system's directory structure to support this. That must contain at least the following files: * 'ls' binary in the [chroot]/usr/bin * Fake 'passwd' and 'group' files for [chroot]/etc * A copy of (or hard link to) /dev/zero and /dev/null under [chroot]/dev/ * (Possibly) copies of any shared libraries to which your copy of 'ls' is linked. (You can compile a statically linked 'ls' or you can use the 'ldd' command to get a list of the required shared libraries). Another option is to replace the BSD or WU ftp daemon with Mike Gleason's 'ncftpd', or with ProFTPD which both have built-in static 'ls' support. 'ncftpd' is not free. It is shareware and can be registered for about $200 for a high volume server (more than 50 concurrent users) or ~$40 for a smaller server. Mike Gleason continues to support and release the best FTP client for free. There is also a free "personal use" option (upto 3 concurrent users). You can find out more: http://www.ncftp.com Of the FTP daemons that I've tried, 'ncftpd' was the easiest to set up and definitely the easiest to configure. It also supports "virtual FTP hosting" (where one host appears to be several different FTP servers, each with different directory structures and separate user lists). My only complaint was that this server doesn't seem to like being dynamically loaded from 'inetd' (unlike the normal ftp daemons --- but more like 'sendmail' and most web servers). ProFTPD is under the GPL. I know know the author's name and it may be a whole team that's worked on it. http://www.proftpd.org I have yet to try this one. However it looks very ambitious --- and might appeal to Apache webmasters in particular. The configuration files and directives are intentionally set to match or resemble Apache configuration options wherever possible. From what I've read the original author started working on a security audit and patch set to WU-FTPD and gave up. He then wrote the whole thing from scratch. So, I hope that helps. Naturally you could just fuss with the existing ftp daemon and "get it to work." Alternatively either of these replacements might be much better for your needs --- and considerably easier, as well. If not then there are a few other choices: BeroFTPD: ftp://ftp.aachen.linux.de/pub/BeroFTPD This is a WU-FTPD derivative. Troll Tech FTP Daemon: http://www.troll.no/freebies/ftpd.html Troll Tech is the publisher of the Qt libraries on which KDE is built. anonftpd ftp://koobera.math.uic.edu/www/anonftpd.html by D.J Bernstein (author of qmail) --- very lightweight FTP daemon, purely for read-only anonymous access. (Doesn't support normal user or "guest" accounts). Main focus is on security and low memory footprint. ... and I'm sure we could find many others. ____________________________________________________ (?) An Anthropologist Asks About the Linux "Process" From donald.braman on Mon, 23 Nov 1998 (?) I don't know if you cover non-technical questions, but here goes... (!) Then you haven't read enough of the back issues. I babble about all sorts of things and have even been know to respond to questions that have NOTHING to do with Linux. (Usually those responses are less than cordial --- but hey, you can have answers that are good, courteous, quick, and/or free (pick any three)). (?) I'm interested in finding a summary of the process by which LINUX is maintained and updated. Where is Linus in the LINUX community and loose organizational structure, and how does he decide what to do with all of the stuff he get? (I always see "Linus just released kernel 2.xxx" messages.) (!) Linus "owns" the kernel. He primarily focuses his work on the developmental kernels (2.1.x right now --- will probably be 2.3.x within a month or so). The stable kernels (2.0 currently) are largely maintained by Alan Cox, though they are still sent to Linus for final approval and official release. When Linus decides that the work is complete on the 2.1 series he'll declare it to be "2.2" --- then he'll start a 2.3 series (and there will be a quick flood of patches posted to that, since we've been in "feature freeze" for a couple of months and there are people who have been privately working on some new features in anticipation of the next development cycle. I've heard that Linus plans to turn the maintenance of 2.2 immediately over to Alan and Stephen Tweedie. That will allow him to focus on the next version exclusively. Although there has been some effort to minimize the number of bugs that will be in the 2.2 release --- it is almost certain that we'll have at least a few 2.2.x releases within the first few months. Many of these will account for bugs that only affect a small subset of the available hardware configurations (one user in 10,000 or less). For the 1.0 series we had about nine releases to the stable kernel set. For the 1.2 series we had about 13 or so. In 2.0 we have had 36 (the versioning skipped from 1.3 to 2.x due major structural changes in the kernel). Don't just graph that to project an estimate --- unless you also scale the graph over the time frames involved. Even than you'd find some anomalies --- the differences between 1.2 and 2.0 are as great as the versions numbers suggest. As for how Linus decides what to incorporate and what to ignore or kick back ... that's one of the mysteries to which mere acolytes and initiates such as myself are not privvy. Linus is swamped. He gets direct e-mailed patches from countless programmers and programming students around the world. (The Savvy ones actually read the FAQ at http://www.tux.org/lkml before trying to contribute to the Linux kernel). See below for more on that. (?) What if, no offense intended, Linus died tomorrow? (!) This class of events has been discussed (usually in less morbid terms --- using the term "retiring" rather than references to "expiriing"). This would be a great loss to the Linux community. However, the sources are out there under a license that ensure that they will remain freely available and "alive" (able and likely to be upgraded, ported to new platforms, and generally improved upon). The great advantage that Linux has had over FreeBSD, (and it's brethren) has been Linus. He focuses on the kernel, and on code and quality, and almost completely eschews politics. He let's others deal with "user space" issues (libraries, compilers, and all of the suites of utilities and applications that go into any Linux distribution). We've benefitted immensely from our "benign dictactor" model --- we accepted Linus as "the Linux kernel God" (we hold none before him and we're monotheistic in this regard). When Linus eventually retires, moves on to other conquests, or whatever (may it happen long after my own demise), then the hope among the Linux kernel developers is that we'll be able to adopt, appoint, agree upon a successor --- a new benign dictator. That might be someone like Alan Cox, or Stephen Tweedie, or it might be just about anyone who's name appears regularly enough on the Linux-kernel mailing list (I don't know enough to say). Linus as jokingly referred to his daughters and Linus 2.0 and 3.0 (we could make it a heriditary oligarchy, if they take the interest and aquire the proficiency). Check back in with us in about 15 years on that. (?) Further, I'd like to find a place where (tentative) plans for future releases are discussed, and even a vague timeline is given. In short, is there a project management site/organization that contains a summary of (debates about) where LINUX is going and how it's going to get there? (!) Here's the real fun question. Anyone who's seriously involved in Linux kernel development is subscribed to the Linux-kernel mailing list hosted by Rutgers University (Read the FAQ listed above for exact instructions on how to subscribe, where to find archives and how to search through them). linux-kernel is a very busy mailing list. I've received well over nine thousand pieces of e-mail on that list in just the last few months. It gets close to a hundred items per day. (The only Internet mailing list that I've been on that seemed busier was the old cypherpunks list when it was hosted at Toad Hall --- and maybe the Firewalls list that was started by Brent Chapman at Great Circle Associates). With that volume of traffic, you can be sure that many busy developers (such as Linus) don't get to read everything. (Linus has a family life and a full-time job --- mostly in addition to his kernel work; although Transmeta apparently does provide him with some work time to devote to Linux --- as per his contract with them). Of course, the best way for you to learn about the social dynamics of the Linux kernel developers is to immerse yourself in it for awhile. Start with some research (read the FAQ, and a month or two's worth of the archives), then subscribe to the list and lurk (read and don't post) for a month. If you're doing research on us --- please let us know where we can read any papers that you put together. We have one participant (esr, or Eric S. Raymond who has referred to himself as the Linux community's "anthropologist" but it might be interested to have an alternative set of opinions from a more "objective" source). (Eric has been a hacker since before Linux was developed. He helped to compile and publish the "New Hacker's Dictionary" --- which is also a pretty good source of background if you want to understand the Linux community as a subculture. Take it with a grain of salt, of course --- but read it anyway). (?) Donald Braman Yale Anthropology ____________________________________________________ (?) Looking for a Hardware Vendor: In all the Wrong Places From Scott Tubbesing on Thu, 03 Dec 1998 (?) Mr. Dennis, My name is Scott Tubbesing and I am just starting to support Linux on my new job. I read "The Answer Guy" in The Linux Gazette for the first time. My employer is in the process of purchasing a Linux server. You mentioned AV Research as a possible and recommended vendor. I couldn't find a WEB page on this company and wonder how to contact them. Appreciate your article and your assistance. Have a good day. Communication is the secret to success...Pass it on. Scott Tubbesing (!) That's VA Research (initials VAR, as in value-added reseller). They're at http://www.varesearch.com You can find a whole list of other Linux friendly hardware vendors at Linux International: http://www.linux.org/hardware Hope that helps. ____________________________________________________ (?) Letting Those Transfers Run Unattended From Terry Singleton on Wed, 02 Dec 1998 (?) While at home, dialed into work with my 56Kb modem, I sometimes run across very large interesting looking applications. I often wish that there were a way for me to telnet to my Linux box at work and start the download. When I got to work the next day the download would have hopefully completed. Question: Is there a way for me to start my download remotely, disconnect from the Linux server and have the server continue to download the file(s)?? (!) Yes. The most obvious is to use 'screen' - this will let you start interactive processes over a dialup or telnet connect (or within an xterm, on a VC), then you can "multiplex" multiple interactive programs and you can "detach" the whole session from your terminal/connection. Later, when you reconnect you can re-attach to your 'screen' session using the command: screen -r ... assuming that you only have one of them going. If you've started multiple 'screen' sessions you can select the one to which you want to re-attach using additional command switches (read the man page for that). I routinely use 'screen' (I'm using from a virtual console right now). If I leave this session like this and connect from my terminal in the living from (to watch a little CNN or "Law & Order" as I work) I just use the command: screen -r -d ... to simultaneously detach and reattach my screen session --- to effectively "yank it over to my terminal." Another advantage of using 'screen' is that my session is preserved if I get disconnected. (There's an "auto-detach" feature). So, you can leave the same session saving state in up to ten programs for weeks, even months at a time. (I have three copies of xemacs, a copy of lynx and a couple of shell prompts to the local and some of the other hosts on my net open as I type this). I do try to force myself to drop out of my screen session at least once a month. If you're using FTP to get these files you can also use the 'ncftp' command line features, including a "re-dial" which will keep trying to get to that busy FTP site until it gets your files. There's also a program called 'lftp' that is a "command line driven, script friendly" FTP client. Another approach would be to use 'expect' and/or Kermit scripts which you start at the remote and run "asynchronously" (in the background by slapping an '&' ampersand on the end of the command or by hitting [Ctrl]+[Z] to "suspend" the job and issuing the 'bg' command to restart it as though you'd put the '&' on it to begin with. Note that this "job control" feature (the [Ctrl]+[Z] and 'bg' stuff) only works with non-interactive programs. Interactive programs are likely to stop with a "waiting on terminal input" message. 'screen' and any properly written 'expect' script will cope with those because they set up a Unix domain socket as a sort of "virtual" terminal to control the interactive software. (?) Regards, Terry Singleton Canadore College, Network Analyst ____________________________ (?) Letting Those Transfers Run Unattended From Terry Singleton on Fri, 25 Dec 1998 (?) Where do I find screen I searched my system and www.freshmeat.net but could not find the app you mentioned. I am running RedHat 5.1 and I believe installed almost everything. thanks. (!) That's odd. When I use freshmeat's "Quickfinder" it's the first entry that shows up. (Maybe the older version wasn't listed. A new version was just released recently --- after you sent me this message I think). Here's the Freshmeat "AppIndex" URL: ( freshmeat ) - ( details of "screen" ) http://appindex.freshmeat.net/view/913939067 ... and here's the main web page: screen - GNU Project - Free Software Foundation (FSF) http://www.gnu.org/software/screen It's also easy to find at the Filewatcher site (http://filewatcher.org formerly lfw.linuxhq.com) and at the Linux Archive Search (http://las.ml.org). However, Freshmeat returned the most recent version and the canonical web site, while the others showed dozens of links to older versions and other packages (with the string 'screen' in their names) and no information about the package. So Freshmeat's my first choice at this point. ____________________________________________________ (?) Translucent, Overlay, Loop, and Union Filesystems From c17h21no4 on Wed, 02 Dec 1998 (?) Where can i find information/documentation about the loopback filesystem and the translucent file sytstem under linux. From what i see on the mail lists there is support but the links are old or outdated (Ben's link) and i seem to not be finding any info on it. (!) According to an old version of the CD-ROM Howto: Once upon a time there was an IFS (inheriting filesystem). This was written by Werner Almesberger for Linux version 0.99p11 was similar in principle to the "translucent fs" from Sun. This was a "copy-on-write" system, sometimes referred to as an "overlay" or "union" fs. All of these are different terms for the same concept, you mount two (or possibly more) filesystems on the same point. Accessing files under these mount points is presents files from one of the underlying filesystems. The most common case would be to lay a CD-ROM fs over a normal (ext2, minix, xiafs) filesystem. Any files on the "normal" (read-write) fs take precedence over any file with a colliding name on the CD-ROM. Any write attempt of a file results in a copy (or possibly a "diff" on a log-structured fs). Later access to such files will refer to the copy rather than the original. An early version of the Yggdrasil Plug-n-Play Linux (*) distribution supported this (IFS) as an installation method, if I recall correctly. * (the first CD-ROM distribution ever released as far as I know) As far as I know Werner's IFS hasn't been updated in years and there isn't any support for any of these union/translucent etc fs variants in the standard kernel. I did find on pretty obscure set of patches that appear to provide "overlay" filesystem support for 2.0.31 kernels at: LOFS Patches for Linux: http://www.kvack.org/~blah/lofs ... this has no README files or other documentation so my guess about their intent is purely from reading the patches. I think "Blah" in this URL refers to Mr. Benjamin LaHaise who apparently wrote the following to the Linux-Kernel mailing list in May of 1997: > Now is a very good time to tell me if > someone else has already got a working lofs :-) I wrote one quite some time ago, and finally made patches against 2.0.30 last week. They're at ftp://dot.superaje.com/pub/linux/lofs-2.0.30.diff It's not perfect, but it works. (I do have a fancier 2.1.x version, but it'll be a while before i get anymore work done on it.) This was in response to a Mr. Jon Peatfield's query. (The ftp link therein does not work). He mentioned some additional work on his 'lofs' as late as August of '97 --- quoted in a response by Linus regarding some VFS semantics. I presume this is the "Ben" to which you are referring. I've blind copied his last known @ddresses. (Sorry if you get three copies of this). There's a similar concept called a "cachefs" and there's a couple somewhat different concepts called "loop" filesystems. A Linux "loop" or "loopback" filesystem allows one to mount a regular file as a filesystem. This only works if the file is an image of a supported filesystem. Thus, if you have a boot diskette image you can mount it on /dev/loop0, 'cd' into the mount point and view the contents. I've leard of another interpretation of the phrase "loop back filesystem" that involves remounting the same filesystem with different option at different mount points. Thus you might mount one at /usr with "read-only" options and somewhere else with read-write and no-exec" However, I don't know which versions of Unix use this and it doesn't seem to match the Linux implemtation at all. It is possible to enable encryption on your loop devices using the 'losetup' command (see the man page in section 8). However, this is more of a proof of concept than a real utility. See my column last month for pointers to some real cryptography packages, or look at the "privacy protected disk driver" (ppdd) which is one I forgot to mention last month. 'cachefs' and 'tmpfs' are filesystems that are supported by Solaris. The CODA project at http://coda.cs.cmu.edu also has some interesting replication and caching features. Obviously when we start talking about specialized filesystems we see myriad terminology collisions and ambiguities. For now I'd say that Linux LOFS/Translucent filesystems are not "ready for prime time." However, if you're interested in working on the code --- go for it! ____________________________________________________ (?) Modem dial out From Infinite Loop on Wed, 02 Dec 1998 Hi Jim, How are you? I'm want to write a program that enables my Linux system to dial a page to my beeper, this function to be activated upon certain events. I am learning C. I came across a system call ioctl that is supposed to let me control the devices, but I cannot find further information on it's usage. Or is there other programs/functions that you can advise me to work on to achieve the result? Thanks. (!) You might want to try the Linux Gazette "Search" feature. I wrote a fairly extensive piece on this back in May. Using the search phrase "pager software" at http://www.linuxgazette.com the following was the fourth hit: The Answer Guy 28: Email Alpha-Paging software http://www.ssc.com/lg/issue28/tag_paging.html Granted I wasn't able to find it so easily using Yahoo! and Alta Vista. When I elaborated on the phrase to include: pager software linux source code ... I got a surprise: Debian Package - hylafax-doc 4.0.2-5 http://cgi.debian.org/www-master/debian.org/Packages/stable/comm/hylaf ax-client.html HylaFAX support [sic] the sending and receiving of facsimiles, the polled retrieval of facsimiles and the send [sic] of alphanumeric pages. ^^^^^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~ (emphasis mine). (?) Regards, Joseph Ang (!) I'd get those packages and read through their sources a bit. ____________________________ (?) Promptness: It's Just a Lucky Shot From Infinite Loop on Fri, 04 Dec 1998 (?) Hi Jim, Thanks for your prompt reply! I'm very surprised to receive your reply in just a day! Really, really appreciate that :) Best regards, Joseph Ang (!) You were just lucky. The question was easy and appealed to me. Unfortunately there are many questions that I just don't "get to." Especially since I'm getting about five times more TAG traffic this month then last. ____________________________________________________ (?) 'chroot()' Jails or Cardboard Boxes From Clifton Flynt sometime before Wed, 02 Dec 1998 Hi, You recently stated: You can set up inetd.conf to call simple chroot call to a jail before launching ftpd -- which will automatically use the /etc/passwd that's relative to the chroot directory. The You can even use shadow passwords in the chroot. It does take a bit of tweaking -- but it can be done. Could you point me to a FAQ or HowTo for this? I'm upgrading a 4.2 based firewall system to 5.1, and already tried the obvious tricks of copying the /lib/security and /etc/pam.d directories to the playground/jail directory. Thanks, Clif (!) I don't know of an FAQ or HOWTO on this. I haven't had time to write one myself. One trick is to use the 'ldd' command extensively to identify shared libraries that must be copied into the 'chroot()' jail. Another is to use 'strace' to capture system call traces of each program (particularly those that fail to run properly in the jail) and compare the calls to 'open()' between the version run in the jail and the one that works normally within your normal environment. The brute force method is to simply install a whole distribution unto another filesystem. Mount that as the jail and trim out everything you don't need. It should be noted that 'chroot()' jails are not "root safe" under normal implementations of Unix and Linux. If an attacker does successfully gain 'root' privileges with the jail it is a simple matter to "break out." 'securelevel' is a set of features in BSD (Free|Net|Open and BSDI/OS) to minimize the persistence of such compromise. These try to prevent root from exercising various privileges while the system is in "server" or "production" or "secure" mode. There were some patches for 'securelevel' that were under development for Linux. However, Linus rejected them and has accepted an alternative that may offer more flexibility, finer grained control and still allow for relatively easy "securelevel emulation." These features (what POSIX.1e refers to as "capabilities lists" but which are better described as "VMS like privileges") are built in the 2.1.x kernels and will almost certainly be part of 2.2. In addition to the possibility that these will allow us to "emulate 'securelevel'" these may also prevent many forms of process subversion that lead to 'root' compromise. Normal 'securelevel' does nothing to prevent the attacker from gaining root. It doesn't very little to limit what the attacker can do with that privilege during the session in which it is obtained. In other words the successful attacker still has control of the system. 'securelevel' primarily prevents persistent changes to the filesystems (no changing immutable flags to mutable and "append-only" files to random access read/write, no remounting read-only filesystems in read/write mode, etc). Some other securelevel features prevent loading of kernel modules and access to /dev/kmem (/proc/kmem for Linux users). This doesn't address the mechanism by which the attacker gained 'root' and only places relatively minor limitations on what 'root' can do to the state of the system. Those limitations mostly prevent sniffing on other processes, hiding the attacker tracks, and leaving 'rootkits' laying around. With the "privs" features the Linux kernel add more fine-grained delegation and limitation semantics. One can provide a process (and its descendents) with the ability to open a "privileged" TCP port (below the conventional Unix 1024 watermark) and/or with just read-only access to all files, without allowing that process to write to, change the ownership or permissions/mode or filesystem dependent attributes/flags on them, etc). Basically these "privileges" split the implications of "SUID root" into separately maskable and delegateable items. Instead of one "god flag" we have a whole pantheon of them, each with its own sphere of influence. The kernel support for this is just the tip of the iceberg. Consequently we probably won't see effective use of this for several month after Linux ships and it will be much longer until we have "full" support for this security model. Currently the only way to use these features with 2.1 kernels would be to write wrapper programs that set/mask the privilege sets (there are "allowed, effective, and inheritable" sets; the "inheritable" set is a mask which strips these privs from children). These wrapper/launchers could then start processes with small lists of required privileges and some (small?) assurance that these processes couldn't perform some forms of mischief directly. To emulate 'securelevel' you'd write wrappers that started 'init' and/or 'inetd' and various daemons like 'sendmail' and your web server with a set of privileges masked off. These processes and their children would be unable to exercise certain sorts of system calls (possibly including the equivalent of 'chroot(..)' to chdir/chroot out of a jail) and file operations. They would not be able to inherit these privileges even from an SUID 'root' program --- such programs would only be able to exercise the subset of privileges that were inherited and allowed. (*) * (The attack vector would then have to be via subversion of some running process that retained its privileges i.e. via some form of interprocess communication rather than by direct execution. If 'init' was stripped of its "chatter +i" priv then no process on the system could make immutable files mutable. Naturally you'd construct the wrapper or patches to 'init' such that these features would be enabled at specific runlevels or disabled with certain boot-time parameters). Later it will be possible to store these privilege sets as attributes of executable files. Thus the 'rsh' and 'rlogin' commands would have their "bind to privileged IP port" bit set, and all others would be unset. (Note we're not masking off the other privs, we're merely not granting them). Thus the reason why these two command are "SUID 'root'" is accounted for, without giving these programs a host of other system privileges that are not required for their proper operation. The filesystem support for these features will presumably be added in the 2.3 kernel series. It looks like Linux 2.3 will mostly be about filesystems, "large" file support, ACL's, logging/journaling, b-tree directory structuring, and other features of that sort. It's not clear whether these will be rolled into ext2 or whether they will be incorporated into a new ext3. If this whole "privs" security model seems complex and difficult to administer and audit, then you're reading me loud and clear. Determining the precise set of requisite flags for each program and process will be a monumental pain. It is unclear how effective these efforts will eventually be. VMS has had these sorts of features since its inception, and they are similar to features in MLS/CMW (multi-level security for compartmented mode workstations) versions of Unix (usually billed/sold as the B2 Security Package, Option, or Version --- and generally only used by the U.S. military or similar organizations). Personally I would like to see a "true capabilities" subsystem implemented. This is a completely different security model that is so much unlike Unix, NT, and other identity/ACL based systems that you may have to spend a year or two unlearning what you know about operating systems design before you "get it." (It took me about two --- but I'm unusually stubborn). I've talked about this security model in this column before. Do a keyword search on EROS (extremely reliable OS) and/or KeyKOS to find some links about it. Ironically I've never used a system that incorporated "capabilities." However, I've grudgingly come to the conclusion that they represent a better security model than the ones we use in all major software today. The catch is that programs would have to be significantly retooled to work under such a system. There's also been almost no interest in this from the programmers that I've talked to. (That would suggest that I'm just a ranting crackpot --- since I'm not a programmer myself). In any event, hopefully these "privileges" will make your system somewhat more secure and make a chroot() jail more than just a cardboard box. If security is not your primary concern -- if all you want is to provide virtual FTP hosting, just look at ncftpd and or ProFTPD. ____________________________________________________ "The Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ (?) The Answer Guy (!) By James T. Dennis, answerguy@ssc.com Starshine Technical Services, http://www.starshine.org/ _________________________________________________________________ (?) Swap file on a RAM Disk From Mathieu Bouchard on Wed, 02 Dec 1998 (?) Hi, Some have even reported that using 100 or 200K RAM disk with a swap file on it will dramatically improve the performance over using all of your memory as straight RAM. Do you have any rational explication to this? I'm not a kernel expert, but it makes no sense -- especially because AFAIK, Linux RAM disks are swappable (and lazily-allocated), and mutual containment (in this context) makes no sense; (!) No. I don't have a rational explication or explanation for this. (?) but in the event that a RAM disk wouldn't be swappable, then, swapping from RAM to RAM isn't anything more than a CPU hog and unnecessary complexity -- it's a kind of Alice in Wonderland to me. It would make sense if some compression was done while swapping, which would look like a Macintosh RAMdoubler. But Linux has no such feature -- six months ago I asked the Linux guys and they said that they didn't like the idea. Is it possible that such a report would be gibberish? in which case I would like you to get the precise facts and publish them. I think that even though it is a detail, the Linux community doesn't deserve to have anything done wrong. I'm not [bf]laming, I just want to correct a situation. matju (!) However, I can make a guess. Many of the memory management code paths may have to special case the situation where no swap/paging space is available. The routines invoked to handle this special case may result in a slow down when no swap is available. You're welcome to search the Linux-Kernel mailing list archives yourself. You can also just try it (run some tests with no swap space "mounted" and then run them again with just a small swap file located on a small RAM disk. I haven't actually tried this experiment, so I made an effort to identify my statement as hearsay. If you'd like to so some research on it --- you could publish your results (probably in LG --- perhaps as a 2-cent tip or as a full article). ____________________________________________________ (?) How to "get into" an Linux system from a Microsoft client From WRB on Wed, 02 Dec 1998 (?) Jim, thanks for the samba reference, I'm going to spend some time there. By the way, it appears I did not give you enough information the first time around. When I mentioned "get into" I meant from the NT40 explorer window, network neighborhood. I can see the Linux machine (computer4) shown there, but when I try to "click" on it and log in (YYYYYYYY4 with password XXXXXXX), that's when I get the message. This happens with NT40 only. (!) That is what I'd guessed. You're trying to share files that are on the Linux system. Those must be exported/published to you via Samba. By the way, I've blotted out the computer name and password that you included in your text. Please don't include any password or other private information in posting to any stranger on the net. Particularly one like me, that publishes such messages in a widely read monthly webazine. (?) When I do the same thing with W95 explorer window, network neighborhood (click on computer4), I go right to the directory I assigned to the W95 computer (/home/computer1). I set up a link from there (/home/computer1) to / and now I can browse all over the Linux machine - using W95. I just can't find the right "trick" to do the same thing with NT40. (!) You'll want to read the Samba FAQ. This is one of the situations they cover therein. Basically there is a difference between the way that your Win '9x and NT 4.0 clients are attempting to authenticate to the Linux system. Samba FAQ http://us1.samba.org/samba/docs/FAQ Search on the string "nt4" to jump to the first relevant paragraph. However, I'd suggest reading the whole FAQ. Then you'll know more about Samba then I currently do. (I hardly ever use it). (?) Thanks again for your time Ron Botzen ____________________________________________________ (?) Dynamic IP Address Publishing Hack From Ronald Kuetemeier on Sat, 05 Dec 1998 (?) Here is an expect script that you might find useful for your article. It keeps a connection to the internet up and running with a dynamically assigned ip address. It updates html file(s) with the assigned ip address and ftps it to a well known server on the internet. Ronald > ===================================================================== #!/usr/bin/expect -f #expect script to keep a www server connected to the internet over #dynamically assigned ip address #Ronald Kuetemeier 11/1/1998 dket@mail.saber.net #Replace all xxxx with your values #initial ppp server address to see if we are already up #change this to your ftp server ip addr. set server xxx.xxx.xxx.xxx #use of ppp script to make sure ppp is down and can be restarted #change this to your local ppp up/down script proc logon {} { system xxxx stop close wait sleep 10 system xxxx start close wait sleep 35 ping 1 } #get ip's from ifconfig proc getip {} { spawn ifconfig expect -re "P-t-P:\[0-9\]+.\[0-9\]+.\[0-9\]+.\[0-9]+" close wait setip $expect_out(buffer) } } #find local ip and remote server ip address from ifconfig proc setip {out} { global server set ips [string range $out [string first "Point-to-Point" $out] [string length $out]] regexp P-t-P:\[0-9\]+.\[0-9\]+.\[0-9\]+.\[0-9]+ $ips server_1 regexp addr:\[0-9\]+.\[0-9\]+.\[0-9\]+.\[0-9]+ $ips client_1 regexp \[0-9\]+.\[0-9\]+.\[0-9\]+.\[0-9\]+ $server_1 server regexp \[0-9\]+.\[0-9\]+.\[0-9\]+.\[0-9\]+ $client_1 client changeaddr $client } #ping to see if connection is still up proc ping {i} { global server while {1} { if {$i == 6} { logon getip set $i 0 } spawn ping -c 1 -n $server expect { "bytes from" break "100% packet loss" close ret=-1 close } wait incr i puts $i sleep 3 } close wait } #change to your local userid and passwd and file transfer proc ftp {} { #change to your ftp server spawn ftp xxx.xxx.xxx expect "Name*:" send "xxxx\r" expect "Password:" send "xxxx\r" expect "ftp>" #change to your ftp server directory,i.e public_html send "cd xxxxx\r" expect { #change file to transfer [file] "2*ftp>" [send "put xxxx.xxxx\r"] "550*ftp>" ftp_error } expect { #change or delete file 2 transfer [file 2] "2*ftp>" [send "put xxxx.xxxx\r"] "No such file" ftp_error } close wait } proc ftp_error {} { puts "FTP ERROR\n" close wait } # use sed to replace unique name with ip addr in a file proc changeaddr {client} { #change file names and local dns name # [DNS] [in.file] [out file] system sed 's/xxxx.xxxxxxx.xxx/$client/' xxx.xxxx > xxxx.xxxx close wait #change file names and local dns name or delete this # [DNS] [in.file] [out file] system sed 's/xxxx.xxxxxx.xxxx/$client/' xxxx.xxxx > xxxx.xxxx close wait ftp } ping 6 while {1} { puts "Main loop\n" ping 1 sleep 9 } (!) I'll just leave this as is. However, I'd suggest that the 'pppup' script documented in the 'pppd' man pages would provide some of the IP addresses that you are laboriously extracting from spawn command outputs using regexes. Also It would make a lot of sense to write up an article around this script and publish that in LG yourself. ____________________________________________________ (?) Why 40-second delay in sending mail to SMTP server? From Steve Snyder on Sat, 05 Dec 1998 (?) On my LAN, when my (Win95- and OS/2-based) mail clients retrieve mail from my (RedHat v4.2) Linux server, it is all but instant. When sending mail to the server, there is a 40 - 45 second delay before the sent mail is accepted. Mail retrieval by the clients are done via POP3; mail is sent via SMTP. (!) Sounds like attempts at reverse DNS and/or 'ident' (?) These are the relevant lines from my /var/log/maillog. These lines are the result of sending mail from mercury.snyder.net (client running OS/2) to solar.snyder.net (server running Linux). Note that the second line contains the text "delay=00:00:40". Hmm. > Dec 2 09:12:05 solar sendmail[21694]: JAA21694:\ > from=, size=403, class=0, pri=30403,\ > nrcpts=1, msgid=<199812021411.JAA21694@solar.snyder.net>,\ > proto=SMTP, relay=mercury [192.168.0.2] > Dec 2 09:12:05 solar sendmail[21724]: JAA21694:\ > to=, ctladdr=\ > (500/500), delay=00:00:40, xdelay=00:00:00, > mailer=local, stat=Sent I should also note that I don't use DNS on my LAN. Name resolution is done via a hosts file on each machine. I haven't done any tweaking of (version 8.8.5) sendmail. It is pretty much as-is from the RedHat installation. In case it isn't already obvious, I'm a newbie at mail configuration issues. Any advice on how to eliminate this delay in sending mail from my client machines? Thank you. *** Steve Snyder *** (!) Newer versions of 'sendmail' have features that are intended to minimize abuse by spammers and miscreants. Some of these involve doing doubled reverse DNS lookups to check that the forward and reverse names are consistent. Sendmail normally will not use the /etc/hosts file to map host names to IP addresses. This is because the standards call for it to look up DNS MX records in preference to other types of address records. In other issues I've described how I get around that on my private LAN (which also doesn't use DNS for mail routing or internal host resolution). [ Jim has at several points in the past revealed fragments of our main control file, sendmail.cf, so the Linux Gazette search box should be able to reveal it pretty easily if you use that filename as a keyword. -- Heather ] ____________________________________________________ (?) Linux as Router and Proxy Server: HOWTO? From kdeshpande on Sat, 05 Dec 1998 (?) we want to setup linux server as a proxy server with two ethernet cards. kindly guide me for installtion process. i am ms win 95 user and does not know any thing about unix / linus pl. reply on [another mail address]. (!) You'll want to start with the "Linux Installation and Getting Started." That's an LDP guide that's often included with Linux distributions in the /usr/doc directory and is available on-line at any mirror of the LDP. That covers the basics of Linux (although it is getting a bit long in the tooth). Configuring a proxy server and router is a fairly advanced process and will involve a considerable understanding of Unix and of TCP/IP concepts. It sounds like your skills in English may make some of my explanation inaccessible to you. Hopefully the guide to routing that I've also written for this month's LG article (should appear for the January 1999 issue) will help. There are a couple of other HOW-TO documents written on using Linux as a "Firewall" (proxies are often a component in a firewall). Many of these have been translated into various languages. You'll want to see if there's one in your native language. Personally I'd suggest that you get a consultant to come in and configure it for you. That is likely to be far easier and less of a hassle than trying to do it yourself. Now, with all of those disclaimers out of the way here's a simple configuration: _________ 192.168.1.x -------| proxy |------ the Internet ^^^^^^^^^ In order to have a proxy system, you have to have a "multi-homed host" (a system with two interfaces in it). In this case you've specified that you want to have two ethernet cards. So, first you install those. Be sure to set their IRQ's and I/O base address settings to non-conflicting values. The exact process varies greatly from one card to another. With the 3c5x9 and 3c900 cards you use a program to set them (3C5X9CFG.EXE under MS-DOS, or the appropriate utility that was written for Linux --- I found a copy at the VAResearch ftp site: ftp.varesearch.com under a relatively obvious name). Let's say that you have one of them set to IRQ 10, I/O 300 and the other set to IRQ 11, I/O 330 (make sure that these don't conflict with any SCSI, sound or other cards that you have installed). Typically you'll also want to disable any "Plug & Play" support on your motherboard since these features may change the settings on your ethernet card while you boot, causing you no end of consternation later. You'll also have to make sure that the appropriate driver is linked into your kernel, or that you've built the appropriate modules. It is also common for the Linux kernel to require that you provide it with a hint that there are multiple ethernet cards to initialize. You just provide the kernel with a boot parameter (read the 'bootparam(7)' man page and/or the "Boot Parameter HOWTO" for details). The HOWTO has an example at: http://metalab.unc.edu/LDP/HOWTO/BootPrompt-HOWTO-7.html#ss7.1 ... showing the command case using: ether=0,0,ether1 ... (no spaces --- and don't change the case of any letters). This option is passed to the kernel by typing it in at the LILO boot prompt, or adding an append directive to your /etc/lilo.conf like: append="ether=0,0,ether1" ...(the double quotes are required). This option forces the kernel to look for a second ethernet adapter (the first ethernet adapter is labelled as 'ether0' and will normally be detected automatically). The 0,0 forces it to search for the IRQ and I/O base addresses automatically. If that's not successful, or you want to be conservative, you can just provide the information manually. This is extensively documented in the "Ethernet HOWTO" at: http://metalab.unc.edu/LDP/HOWTO/Ethernet-HOWTO-10.html#ss10.1 You should see boot time message indicated that the ethernet cards have been found. You can use the 'dmesg' command to review those after the system is finished booting and you've logged in. The last step in the hardware/driver layer is to issue 'ifconfig' command for each of these interfaces. Let's say your ISP router (cable modem, ISDN or DSL gizmo, whatever) is using address 172.17.100.1 on your ethernet (that's a private net address from RFC1918 --- but let's pretend is was your real address). Let's fill in our diagram a bit more: _________ __________ 192.168.1.x -------| proxy |------| router | -- Internet ^^^^^^^^^ ^^^^^^^^^^ eth0 eth1 ^-------- 172.17.100.1 192.168.1.1 172.17.100.2 Here we see a private network (all of 192.168.1.*), our proxy servier with two ethernet interfaces, with eth0 on our "inside LAN" (taking up the conventional .1 address for a router --- it is the router to the outside/perimeter segment. eth1 is the proxy host's interface on the "perimeter" or "exposed" segment (outside of our LAN). There is a small perimeter segment in this case. In many organizations it will be populated with web servers, DNS and mail servers and other systems that are intended to be publicly visible. Obviously each of the systems that are shown on this segment (the proxy and the router) need their own IP address. I've assigned 172...2 to the proxy since I said that 172...1 was the border router's inside address. The border router would also have some sort of link (usually a point-to-point (PPP) link over a modem, ISDN, frame relay FRAD, CSU/DSU codec, DSL ATM or other device --- the telephony is not my specialty they hand me a "black box" and I plug the wires into the little tabs where they fit). For our example we don't care what the IP addresses over the PPP link are. all we care about is that our ISP gets packets to and from the 172...* network or subnet. They have to have routes to us. This example will work with any subnet mask --- we'll assume that we have a whole class C range, from 172.17.100.1 through 172.17.100.254 for simplicity's sake (read all about subnetting and proxyarp for gory details on those scenarios). So, on our Linux proxy server we use the following commands to configure our interfaces: ifconfig eth0 192.168.1.1 netmask 255.255.255.0 ifconfig eth1 172.17.100.2 netmask 255.255.255.0 ... we could leave the netmask option off the first command since it will default to this mask due to the address class. With most modern ISP's we'll have to use some other netmask for the second case --- unless we're paying for a whole Class C block. We might need to anyway (our ISP might have a Class B address block and be subnetting it into Class C chunks). We'll just assume that we need it on both of them. We can optionally specify the broadcast addresses for these --- however it shouldn't be necessary if we're following normal conventions. It will default to the last valid number in the address range (192.168.1.255 for the first case and 172.17.100.255 in the other). * (If we'd had a netmask of 255.255.255.240 in the first case then our broadcast address would be 172.17.100.15, if our addresses had been 172...33 and 172...34 with that netmask our broadcast would have been 172...47 --- again these are just examples; the explanation is a bit involved.) So we have IP addresses on each interface. Now we need routes. In the newer 2.1.x kernels (and presumably in the 2.2 kernels and later) the 'ifconfig' operation automatically results in an addition to the routing table. This is more like the way Solaris works. Under earlier kernels you have to add routes with commands like: route add -net 192.168.1.0 eth0 route add -net 172.17.100.0 eth1 ... this defines routes to the two local segments (one on the inside, and one on the outside). Again, newer kernels may not require this entry. Now, for our proxy to reach the Internet we'll have to set a "default route" like: route add default gw 172.17.100.1 If we have other networks that must be accessed through our LAN (something like a 10.*.*.* network in the back office or for our server room) we may also want to add other "static" routes to this list. Let's say that 192.168.1.17 was a router between our desktop LAN and our 10-net server segment. We'd add a command like: route add 10.0.0.0 gw 192.168.1.17 Notice that we are not forwarding packets between our interior LAN and the outside world. If we did the routers on the Internet will not have any valid routes back to us (that's what these 192.168.*.* and 10.*.*.* addresses are all about. Read RFC 1918 for details on that). 172.16.*.* through 172.31.*.* addresses (16 Class B blocks) are also reserved for this use --- but we're "pretending" that 172.17.100.* is a "real address" for these examples. So now we need to enable our interior systems to access the outside world. We can use IP Masquerading and/or proxying to accomplish this. Masquerading is a bit easier than proxying under Linux since the support is compiled into most kernels. Masquerading is a process by which we make a group of systems (our internal clients) look like one very busy system (our proxy). We do this by re-writing the "source" addresses on each package as we route it --- and by patching the TCP port numbers. TCP "port" numbers allow a host to determine which process on a system is to receive a given packet. This is why two users on one system can telnet to another system without there being ambiguity. Using masquerading all of the connections that are being handled at any given modem essentially look like "processes" or "sockets" on the proxy server. Thus IP masquerading is "network layer proxying." Do do this under Linux 2.0.x and earlier (back to the 1.3.x series) we could simply use a command like: ipfwadm -F -m -a accept -S 192.168.0.0/16 -D 0.0.0.0/0 ... which adds (-a) a masquerading (-m) rule to accept packets from any source address matching 192.168.*.* (16 bits of the address are the "network part" --- that's equivalent to a netmask of 255.255.0.0) and whose destination is "anywhere." This rule must be added to the "forwarding" (-F) set of packet filters. The Linux 2.0.x IP packet filtering subsystem (kernel features) maintain four sets of rules (tables): Accounting, Input, Forwarding, Output ... we only care about the "forwarding" rule in this case. With all recent Linux kernels we also have to issue a command like: echo 1 > /proc/sys/net/ipv4/ip_forward ... to enable the kernel's forwarding code. These kernels default to ignoring packets that aren't destined to them for security reasons (this and a TCP/IP "option" called "source routing" have been used to trick systems into providing inappropriate access to systems --- so it is better for systems to leave these features disabled by default). Older versions of Unix and Linux were more "promiscuous" -- they would forward any packet that "landed on them" so long as the could find a valid route. Lastly we'd just configure our client systems with IP addresses in the range 192.168.1.2 through 192...254 and cofigure them to treat 192.168.1 as their default route. Packets will get to the proxy from any of these, be re-written to look like they came from some socket on the 172...2 interface and forwarded out to the Internet. Returning packets will come in on the socket which will provide the kernel with an index into a table that stores the 192.168.*.* owner of this connection, and the return packet will be re-written and forwarded accordingly (back into the internal network). That's how masquerading works. Applications layer proxying is actually a bit easier than this. You install packages like SOCKS, Delegate, the FWTK (firewall toolkit), and a Squid or Apache caching web server unto the proxy system. These listen for connections on the inside interface (192.168.1.1). Proxy aware software (or users) on the internal system direct their connections to the proxy server (on port 1080 for SOCKS and Delegate) and then relay the real destination address and service to the proxy server. The proxy server, in turn, opens up its own connection to the intended server, makes the requests (according to the type of service requested, and relays the information back to the client). In addition to the basically relaying a good proxy server can provide caching (some multiple requests for the same static resource are handled locally --- saving time and conserving bandwidthy), additional logging (so big brother can tell who's been bad), and can enforce various access control policies (no FTP to popular mirror sites in the middle of the day, all users must be Kerberos authenticated in order to access the Internet, whatever). The main disadvantage to applications layer proxying is that the proxy clients must be "socksified" or proxy aware. Either that, or with some of them (FWTK and optionally DeleGate) the user of a normal client (such as FTP) can manually connect to the proxy server and use some special command (login sequence) to provide the proxy with the information about the real destination and user/account info. (Almost needless to say that a compromised proxy host is a great place to put password grabbing trojan horses!) However, one of the major advantages of the proxy system is that it can support strange protocols --- like "active FTP" which involves two co-ordinated IP connections, one outbound control connection and one inbound data channel. There are other protocols that connection pass information "in band" and make masquerading more difficult and sometimes unreliable. It's possible to use both, even concurrently with just one host acting in both roles. So far my favorite applications proxy package is "DeleGate" by Yutaka Sato, of the Electrotechnical Laboratory (ETL) in Japan. You can find it at: http://wall.etl.go.jp/delegate ... it's easy to compile and configure and it's available under a very liberal license (very BSD'ish but less wordy). DeleGate can be used as a SOCKS compatible server (i.e. SOCKSified client software will work with DeleGate); and it can be "manually operated" as well. My only complaint about DeleGate is that the English documentation can be a bit sparse (and my paltry studies of Japanese are nowhere near the task of reading the native docs). The easiest way to install SOCKS clients on your Linux systems is to just grab the RPM's from any Red Hat "contrib" mirror. That's also the easiest way to install a SOCKS server. To configure the clients for use with the SOCKS5 libraries you have to create a file, /etc/libsocks5.conf, to contain something like: socks5 - - - - 192.168.1.1 noproxy - 192.168.1. - ... note that the "noproxy" line ends with a "." to specify that this apples to the whole 192.168.1.* address range. configuring the socks server you need to create a file, /etc/socks5.conf and put it at least something like: route 192.168.1. - eth1 permit - - - - - - ... and you might have to change that inferface for our example (I don't remember but I think it's "destination addresses and target interface). Naturally the docs on these are abysmal. However, I did eventually get this setup working when I last tried it. ____________________________________________________ (?) PostScript to GIF From Jamie Orzechowski on Fri, 05 Jun 1998 (?) Hi There .. I am trying to convert a .PS to .GIF .... no luck so far ... I got the progrma ppmtogif but it WILL NOT compile ... can;t get it working at all ... I was wondering if you had the binary to ppmtogif (linux redhat) or know where I can get a source distribution that will compile ... or any other program that will convert ps to gif ... thanks! (!) You could use the pstogif perl script by Nikos Drakos of Leeds University. It apparently accompanies the LaTeX2HTML package. I discovered that by simply switching to a shell prompt and typing "ps{TAB}{TAB}" and looking that the list of utilities that bash' command completion offered me. Then I look for a man page and then just looked that the file itself. Running the 'rpm -qf' command to see which package included this 'pstogif' file I found that it came with "l2h-96.1.h-5.rpm" on the 'Canopus' and with "xemacs-19.15p2-2.rpm" on 'Antares' (A couple of my machines here). There are a dizzying array of pbm, ppm, and pgm conversion filters. The three formats seem to be very similar (for "portable bitmap," "portable pixmap," and "portable graymap" respectively). So, like you, my first thought would have been to use one of them. In all honesty I avoid graphics files as much as possible so I don't have an easy answer to this. (Incidentally this is an old message. I'm trying to clear out my old drafts folder by the end of the year). ____________________________________________________ (?) troubleshooting From Matthew Easton on Wed, 06 May 1998 (?) One thing I notice as I try to learn more about Linux, is that much of the information I come across is very specific to a particular situation or a particular piece of software. I'd like to get away from the 'step by step instructions for software x' and construct a "bag of tricks" that will allow me to solve problems myself. To explain: In my job I troubleshoot Macintosh hardware and software. If you had a problem with a Mac I could tell you some things to check and several procedures to try-- and even if I was unfamiliar with the particular application that was failing you, chances are pretty good that things would be functioning in the end. (!) That is why we have professional technical support, system administration, help desk, repair technicians etc. The issue is similar for a number of trades and professions. Even the Mac for all its vaunted "easy of use" and consistency really requires a significant acculturation to a large number of assumptions. I know this from very recent first hand experience since I gave my mother her very first computer earlier this year --- it was a Mac Performa. (?) Granted the user interface is greatly simplified under Macintosh compared to Linux, but are there any general principles or things to look for, or standard procedures for troubleshooting software under Linux, or tools? (!) The simplicity of Macs and Windows can largely be summed up as: If you don't see a menu option, button or dialog for it --- you probably can't do it. (I realize this is a bit of an over simplication --- there are whole books of Mac and Windows "tricks" that are slowly gleaned over time). These system make a reasonable subset of their functionality available on their face (through full-screen menu driven user interfaces). That whole issue of "icons" and "GUI's" is completely a red herring since they really are just menus under all the hype. I have a friend who said that the easiest system she'd ever worked on was an AS/400 (running OS/400 naturally enough). She described (even showed me, once) the interface and it did sound pretty handy. Unix is usually described as a "toolbox." The analogy is reasonable. If I handed you a real box full of hammers, screwdrivers, nail guns, pliers, drills, saws, wrenches sockets, and similar physical tools it wouldn't help you build or rewire your house, fix your car or anything --- until you learned the appropriate construction and mechanical trades that use these tools. Similarly we find that some programmers under Unix can be just as confused and incapacitated when faced with system or technical administrative issues as an auto mechanic might be when faced with a plumbing problem. Naturally a plumber or mechanic is more likely to successfully take on other "handyperson" repairs than someone with no related experience. Another way of thinking about these OS' is in terms of culture and language. Natural language (including idiom) is entwined with many cultural assumptions. Unix/Linux conventions can be seen as a "language" for expressing demands of your computer (via the shell, through myriad configuration files, even in the Motif, KDE, OpenLook and other GUI's that we encounter). The advantage of this "linguistic" point of view is that it approaches the level of complexity of a Unix system. When I was an electrician I doubt I encountered more than two hundred different tools, and probably less than two thousand different components (connectors, fittings, brackets, etc). (Thousands of sizes and minor differences --- but not different in terms of usage semantics). On this Linux box if I switch to a bash shell prompt and double tap on the "Tab" key on a blank line (forcing it to try command completion) it warns me that I have over 2300 commands available to me. Many of these are full programming languages or environments like awk, perl, and emacs (elisp). Similarly I once determined that my copy of emacs (or was it xemacs) had about 1500 interactively accessible functions built into it. (If I installed the emacs 'calc' (a large mathematics package) that would probably double. So there's quite a bit of depth and breadth available. (?) For example: How do I deal with a segmentation fault? Or, if an application installs broken and reinstalling the RPM package still does not work, is there a way to get Linux to tell me what is missing or corrupted? And what can I do about a program that (under X windows) briefly appears and then dies without error messages? (!) In many cases these can be tracked down using 'strace' (the system call tracer). Any segmentation fault is a bug in the program (or corruption in its binaries or libraries). Robust programs should handle bad data, corrupted configuration files, etc, gracefully. Packages that fail to operate as expected might be buggy, or they migh have inadequate documentation. I personally like to see programs that have some sort of "diagnostics" or "check option" to help me track down problems with them. ('sendmail' and 'named' are notable culprits in this case). (?) Thanks for any clarification on these or any other mysteries. . . Matt Easton (!) That will take an entire book. (Incidentally I found this message languishing in an old drafts folder and decided to finish it up and send it off. I really wanted to say much more on this topic --- but I decided to write a book instead. ____________________________________________________ (?) More on: "Remote Login as root" From Eric Freden on Fri, 04 Dec 1998 (?) Here is a legitimate use for remote login as root: My kid plays some svga game on my console and locks the keyboard (for instance). I want to telnet in and /sbin/shutdown -r now (!) Actually you can often recover from this without a shutdown. But its a trick. Eventually we might have something like KGI/GGI to provide more robust SVGAlib support. (The trick is to start X from your telnet/terminal session. This usually does a complete video system reset as a side effect. WARNING!: This might hang the system --- so close any running text mode apps, save any accessible documents and issue a few calls to 'sync' before trying it). (?) For RedHat 5.0 (and all other RedHat versions I've used) only root can do this. Changing to su and executing shutdown won't reboot! Perhaps you could find a workaraound for this scenario? Eric Freden (!) If that's your experience then something is wrong with your 'su' command! Did you issue 'su -' (the dash is pretty important --- as it forces the 'su' command to run your .login/.profile scripts and initialize root environment (and shell variables, etc). Another approach is to tweak the permissions on 'shutdown' Here's the recommended method: Create a group such as "shutdown" or use the "wheel" group. Add your regular user account (and mom's?) to that group. Issue a command like: chown root.$GROUP $(which shutdown) ... to set the file group association appropriately. You could also use 'chown' then 'chgrp' seperately, of course. Make it SUID with a command like: chgrp 4550 $(which shutdown) N.B. I set the execute bit for owner and group but not for "other/world" This allows people in the associated group to issue the 'shutdown' command. That command will run with root' privileges. The 0 permissions for "other" prevent "others" from executing this command at all. (Other users have no valid reason to issue a shutdown command). Setting binaries to be SUID always has implications for system security. However, it is one of the primary forms of authority delegation available in Unix/Linux. In this case we minimize the risk by limiting the number of accounts that can access the command. This technique is generally useful and should be considered for all Unix/Linux SUID commands. ____________________________________________________ (?) Kudos From Gray, Robert C on Fri, 04 Dec 1998 (?) Answer Guy I have been reading your column in the Linux Gazette for four months (I've also gone to the archives and read several past articles). I am very new to Linux, I installed Redhat 5.0 in July '98' and built a new Kernel on 2.0.34 after that. In any one column that you have written I find more information than I can possibly absorb. Though I can't give a specific example the information you provide has helped me through some small problems and increased my knowledge of how Linux works by an unbelievable amount. Despite the fact I generally suffer from information overload before I finish your column or the Gazette THANK YOU and the Gazette for that information and please keep it up. Robert Gray Novice Linux user. "The word bipartisan usually means some larger-than-usual deception is being carried out" George Carlin (!) Thanks for the kudos and encouragement. I like the .sig quote. ____________________________________________________ (?) Linux Support for Intel Pentium II Xeon CPU's and Chipsets From mpasadas on Fri, 04 Dec 1998 (?) Hello! I have a little technical question, because revising the information about the subject it is not clear at all if the several versions of Linux disponible at this moment can run without problems on the very new Pentium II Xeon microprocessor of Intel. If you have the answer to this question, please send it to me via e-mail, at the following address [snipped for privacy] (!) VA Research (http://www.varesearch.com), a fairly well-known Linux friendly hardware vendor, offers Xeon based systems with Linux pre-installed. PenguinComputing (http://www.penguincomputing.com) also offers quad and dual Xeon based Linux systems and I'm sure other HW vendors do as well. (Disclaimer, the principles of VA Research and PenguinComputing are friends of mine --- though I get no compensation for mentioning them. Darn!). If I recall correctly VA Research demonstrated a 4-way SMP Xeon system "The Future of Linux" meeting that was jointly sponsored and organized by SVLUG (http://www.svlug.org) and Taos Mountain (http://www.taos.com) last summer. That event was reviewed in LG: http://www.linuxgazette.com/issue31/roelofs.html So, I don't know of any problem with this, and a quick Yahoo!/AltaVista search didn't reveal any problems either. ____________________________________________________ (?) Linux Friendly ISP's: SF Bay Area From Cdoutri on Fri, 04 Dec 1998 (?) Hi, I'm looking for some Internet Service Providers in San Francisco that would have a connection software working under Linux, can you help me with that ? Many thanks, C. (!) Many ISP's are "Linux" and "Unix" friendly. I personally have accounts with a2i (http://www.rahul.net) and Idiom (http://www.idiom.com run by David Muir Sharnoff). I also know people at Best (http://www.best.com). a2i uses Solaris, the other two use FreeBSD. However, all are friendly to Linux users. This is one nice thing about the Silicon Valley and SF Bay areas --- they are such strongholds of Unix that most of the local businesses and techies speak the same language. I hear that life it somewhat harder in other parts of the country. Many ISP's that run Unix or Linux on their own servers (over 70% run some form of Unix on most of their customer server systems) will refuse to support its use by the customers. The only reasonable response to that is "vote with your feet." There are plenty of ISP's out there, pick one that meets your needs rather than dictates your software choices. The whole point to standardized protocols (particularly networking protocols) is to allow customers and users choice (FREEDOM) in selecting their clients and their servers. That's what the client/server paradigm is all about! The best resource I ever found for comparison shopping of ISP's is at: http://thelist.iworld.com ... (which I guess used to be run by Boardwatch Magazine, which is now owned by Mecklermedia). Oddly enough a2i Communications (operated by Rahul Dhesi) is not on this list. Hope that helps. ____________________________________________________ (?) Eight Character login Name Limit From CHOSICA on Fri, 04 Dec 1998 (?) My name is Felix. I am new using linux. I just saw your web pages after making a search on altavista. I have set up my mail server on Linux 2.0.29 and I am only able to create accounts with a maximun of 8 character. I was trying to create an account call webmaster@myname.com and it does not make it . The server only creates accounts with 8 character or less than 8 characters. Do you know a way to increase the characters, so I can create account with 9 or 10 characters. There should be a way I do not know how? If you can help me I would really appreciate. Thanks in advance. Felix (!) This is a common limitation in many versions of Unix. It is determined by the libraries (primarily 'libc' the set of libraries that are compiled into virtually all Unix programs). Using glibc 2.x (a.k.a. Linux libc 6) it is possible to create longer login names (up to 31 characters). So, you could just install a newer copy of Red Hat, Mandrake, Debian or any other glibc based Linux distribution. However, you should consider the issue carefully before using this feature. You'll want to ensure that all of your binaries are able to cope with the longer login names. Also if there's any chance that you'll want or have to share account information across multiple versions of Unix it's a bad idea to take this chance. (I think that newer versions of Solaris and HP-UX support longer login names as well. I don't know about AIX, SCO ODT, or any others). I'd suggest using the name: 'webman' or 'www' for your "webmaster" or "web manager" account. You can easily configure your mail system to route mail addressed to "webmaster" to 'webman' (just us an aliase) and you can even configure your 'sendmail' to re-write outgoing mail from 'webman' such that it appears to come from "webmaster" (that would be in the generics, virtuser, or userdb FEATURES() in your sendmail .mc file). So, if the only reason you want the long name is for e-mail addressing --- just use a short name and let the MTA (mail transport agent) do the work. ____________________________________________________ (?) Locked Out of His Mailserver From Henry A. Lee on Fri, 04 Dec 1998 (?) I am having trouble logging into my Linux mailserver, as any of my users or as ROOT. All passwords are incorrect. I had to bring all my users up on WinNT / Exchange box yesterday to get the email rolling again. Do you know of ANY way to hack the box? I have about 15 hours of mail that I need to get off the box, and without being able to login, I can't forward it to the new server. I can't login at the server itself, can't telnet into it, but I can FTP SOME files from it and can maybe get some files back to it. Looking at the PASSWD and PASSWD- files in a text editor, seem fine. Any suggestions would be immensely appreciated. Thanks for your time, Henry (!) I don't know what's caused your inability to log in. It sounds like your /etc/passwd file might have been converted to shadow format ('pwconv' or similar utility) while your authenticating utilities and services aren't shadow capable. However that is only one of several possibilities (the passwd file could be corrupt, it's permissions could be wrong, you might have missing or corrupt PAM modules, etc). [ I've seen corrupted shadow-passwd files prevent logins before; in both cases, there was the wrong number of colons (:) on a line, and everyone after that couldn't get in. If you managed to break the first line, that would prevent root getting in. -- Heather ] As for fixing the problem or "hacking the box" as you put it. If you have physical access to the system it is trivial to "hack into" it. Normally this can be done by using the [Ctrl]+[Alt]+[Del] (PC "nerve pinch" or "three finger salute"), to reboot the system (most Linux systems have an entry in their /etc/inittab that looks something like: # what to do when CTRL-ALT-DEL is pressed ca::ctrlaltdel:/sbin/shutdown -r -t 4 now ... which allows the 'init' process (the grandfather of all processes) to respond to this console event. Failing that you can wait for a bit while there is minimal disk activity and reset or power cycle the system. As you reboot you wait until the LILO boot load prompt is display and type in a command like: linux init=/bin/sh ... (assuming that you have a boot stanza named "linux" --- hit the [Tab] key at that prompt for a list of those). This passes a parameter to the kernel which forces it to use an alternative to the 'init' program (a copy of the shell in this case). From there you might need to mount the /usr filesystem (assuming that the system follows professional conventions rather than common Linux installation defaults). Then you can issue the '/usr/bin/passwd' command to set a new root password. If that doesn't solve the problem you can edit the passwd file. if necessary remove everything but the entry for root --- don't put any comments or blank lines in this file! (Obviously you should save a copy if you're going to try that). If that still doesn't work, and if there are no clues in your logs (look at /var/log/messages for hints), then you have some other troubleshooting to do. At that point it might be best to just call a consultant for some voice support. You don't provide enough information for me to explain the next troubleshooting without writing a whole book (and I'm already working on one). I can do phone support or you can look for anyone in the Consultants HOWTO. (Considering that you have data on this system that you don't want to lose, and that it sounds like you don't have any backups, I wouldn't suggest too much experimentation and learning curve climbing while trying to recover from this situation). If you have another Linux or Unix system anywhere else on your network --- one with 'sendmail' properly installed (assuming that the affected system was also running 'sendmail') it's possible to copy all of the files from /var/spool/mqueue to some arbitrary directory on the working system (from the ailing one, obviously). Then you can run a command like: /usr/lib/sendmail -v -q -O QueueDirectory=/tmp/q ... to tell sendmail to verbosely (-v) make a processing pass through the queue (-q) with the option (-O) to over-ride the QueueDirectory set to some place like /tmp/q (or where ever you ftp'd those df and qf files to). As for the user mail that's already been delivered to "mbox" files under /var/spool/mail, you can copy those to another system and append them to file under the /var/spool/mail on the new system. To avoid possible corruption you'd want to disable the sendmail and popd (etc) processing on the new system before trying this. The easiest way to do that is to shut the system down to single user mode after you've copied (ftp'd) all of the mbox files (inbox folders) to the system. Naturally you'll need to create user accounts that correspond to each of these users from the old system, and you'll need to ensure that the ownership and permissions of each mbox file are set properly. There are other ways to do this. However they depend on the situation and/or involve some more complicated command lines then I'd want you to try without a thorough understanding of how they work. In the 'procmail' man pages there is an example of a script to "postprocess" an mbox. It would be possible to use something like that to "break apart" each mbox file and resend it to the original recipient. If your users were using MH, 'elm' or 'pine' (or most any Unix/Linux mail reading package) they could copy an mbox file to any convenient place and either treat it as a folder ('elm -f') or "incorporate" it into their MH folders using the 'inc' command. These users should either know how to do that, or read the man pages for their favorite mail user agent for details. If you do hire a consultant, look for one that will provide you with some good tutorial/mentorship on Linux and consider having him or her help you prepare a comprehensive "Recovery Plan and Disaster Procedures" package. This will be vital to your company's IS/IT regardless of what OS or platform you choose for your future needs. My phone number can be found on my web pages: Starshine Technical Services http://www.starshine.org ... I normally don't advertise my consulting services in this column, and I don't plan to do so often. However, there are situations where the most prudent advice I can give is: "Call someone to walk you through this." As I say, you are encouraged to find a Linux consultant that is local to you. Look in the Consultant's HOWTO at: http://metalab.unc.edu/LDP/HOWTO/Consultants-HOWTO.html ... You can also find a wealth of help at any Linux Users Group (LUG) and there are a couple of "Lists of LUG's" that I've listed in previous columns. There's even a Users Group HOWTO at: http://metalab.unc.edu/LDP/HOWTO/User-Group-HOWTO.html ... which includes links to the three biggest lists of LUG's. I wish I could say: "Look for the union label" when considering entrusting your system's integrity to a consultant or volunteer. However, there is no widely recognized certification for sysadmin's yet. There isn't even a "better business bureau" of sysadmins and/or consultants. As a member of SAGE (the SysAdmin's Guild) I'm involved in an ongoing effort to provide some such process. However it's a contentious issues, and Unix sysadmins are a contentious lot(*). I'll be continuing this work while I'm in Boston next week at the annual LISA conference. * (Certainly your chances of getting a competent and experienced sysadmin are better if you find someone who went to the effort to join SAGE, or at least has cogent reasons for not doing so; and they are drastically diminished if you're talking about someone who's never heard of USENIX or SAGE). Good luck. ____________________________________________________ (?) Changing the X Server's Default Color Depth From Peter Waltman on Wed, 02 Dec 1998 (?) I'm using redhat v.5.1 and have just installed it, so I have not made too many modifications yet. The default window manager rh 5.1 uses is fvwm2. I have been trying to figure out how to configure these window managers (fvwm and fvwm2) for some time now, when I realized I guess that rh 5.1 is using FvwmM4 to parse the rc files. I've looked through those, as well as the FvwmM4 man page to figure out how to change the color depth. I think it has to do with the Color PANEL setting or the RGB_PIXELS setting, but I'm not sure where or how to set it. In the XF86Config file? One of the of the fvwm2rc.* files provided by rh?. The FvwmM4 man page says that you can define these settings, but have I tried to do this without much success. Any help or links to info on how to modify rh window manager would be GREATLY appreciated. (!) Window Managers have nothing to do with setting your X server's color depth. A window manager is an X client --- it talks to the server. By the time any clients are being loaded and issuing X protocol requests of the server (to draw windows on your display, or recieve mouse and keyboard events, for example) it is too late to change the color depth. You are correct regarding M4. Some window managers use 'cpp' or 'm4' (macro preprocessor utilitiies) to expand your configuration files into their internal configuration language. I pointed out in my other response that you can change this setting in your XF86Config file. In my discussion of modifying the xdm Xservers file I forgot to mention that any error can cause your system to appear hung. (You might have to log in via telnet or a serial terminal to kill the X server if you make a syntactical mistake in that file). As for broader advice on X Windows configuration, read the XFree86 FAQ (as I listed in my other response) and browse through some resources that are devoted to X. Some very extensive link lists are at: Kenton Lee's: Technical X Window System and Motif WWW Sites http://www.rahul.net/kenton/xsites.html ... and one of my favorites listed there is: Brandon Harris': X: End of Story http://www.gaijin.com/X ____________________________ (?) Changing color depth for xdm? From Peter Waltman on Wed, 02 Dec 1998 (?) I just checked out the 2 cent tips, which have a page describing how to change and set up multiple x servers for differing color depths. the only thing is that this describes how to change the startx script, whereas I am using xdm when I boot up. I don't think modifying the strartx script would have any effect for xdm. Am I wrong in this? If not, how/what would I modify to change the color depth for xdm? (!) Add the following entry to the active "Screen" section of your XF86Config file: DefaultColorDepth XX ... where XX is the desired depth (8, 16, 24, or 32). Another way to do this is to edit the '/usr/X11R6/lib/X11/xdm/Xservers' file and add the -bpp parameter to the :0 (and possibly any :1 and other similar lines) therein. xdm reads the 'Xservers' file to find the command line with which it can invoke an X server. There should a a line something like: :0 local /usr/X11R6/bin/X :0 vt07 -quiet ... in there. You can change that to something like: :0 local /usr/X11R6/bin/X :0 vt07 -quiet -bpp 16 (?) again, thank you very much Peter Waltman (!) That should do the trick. Oddly enough this is not in the FAQ at http://www.XFree86.org, though I've copied the maintainer of that document since I've seen the question several times. Hopefully he'll add it. Meanwhile, remember to check in the XFree86 FAQ for questions about that package. ____________________________________________________ (?) NumLock and X Problems From Alan Shutko on Thu, 26 Nov 1998 More Expansions and Corrections: (?) Re Victor J. McCoy message on 11 Oct 1998, here's a possible explanation. It seems that Victor is using an X button to start up PPP. And the button (and lots of other things) don't work when the numlock key is on. That's because somewhere along the line (X11R6 I think), the handling of numlock changed from a server-handled thing to acting as a modifier. Many programs which don't handle this new modifier will fail to display menus, let buttons work, etc, when numlock is on. Certain key bindings won't work. The solution is to turn off numlock. If that doesn't work, it's a different problem. Alan Shutko (!) I'll let this speak for itself. Maybe the new XFree86 3.3.3 fixes this. ____________________________________________________ (?) Expansion on NE-2000 Cards: Some PCI models "okay" From Kenneth.Scharf on Thu, 26 Nov 1998 (?) In general your answer is correct. There are however a breed of PCI ne-2000 cards based on the Real-Tek chip that do work fine under Linux. I bought two of these cards for less that $15. They came with drivers for Windows (3.1, 95), os2, even sco unix. I tried to get these cards to work under windows 95 and failed! Both and early version on win95, and osr2B failed to work with these cards. The Linux ne2k driver (both the old isa driver and the new pci specific driver) work very well with these cards and required no special parameters. They autodetected just fine. I did have to re-set the bios in my computer to perform a fresh pnp cycle in order to get the interrupts correct, but after a single re-boot all was well forever. My computer is a K6-233 on an Intel TX (triton2) chipset based motherboard (made by AZZA). I agree that there are much better ethernet cards than these Real-Tek ne2000 el-cheapos, but they work fine in my home lan with one linux machine and two windows machines. (the windows machines have 3c509 isa cards in them). The network is thin-net coax, and is used to share the internet connection with the modem on the linux machine. It will also provide shared printer service and file backup. (!) It sounds like damning with faint praise here. I wish the DEC Tulip chipset was staying in production --- since the $29(US) Netgear cards using those are rock solid 10/100Mbps PCI adapters. They are my favorite and I only have a couple left unopened. The newer Netgear cards (same model) seem to be "okay" as well (actually much better than these Real-Teks that you're talking bout). [ What I miss about those marvelous DEC Tulip chips is that the drivers just plain work - both in Linux, and in Windows... because there is only one MS Windows driver for them! With some other "plug and play" cards there are several drivers available, and if you pick the wrong one, your net is flaky or worse. But, enough said about Brand X for now. -- Heather ] ____________________________________________________ (?) Finding info on MySqL? From Minh La on Thu, 26 Nov 1998 (?) Where can I get more info on MySqL? Thanks. (!) I guess the publisher is from Sweden: MySQL by T.c.X. DataKonsultAB http://www.tcx.se ____________________________________________________ (?) Spying: (AOL Instant Messenger or ICQ): No Joy! From ONeillDD on Thu, 26 Nov 1998 (?) hey I really need to know if you could tell me how I could go about reading instant messages from and by other people. If you know what I mean some people call it spying. This is very important so if you please contact me A.S.A.P. THANK YOU (!) I presume this question was about AOL or ICQ messaging. I know nothing about these protocols though I suspect that a straight network sniffer strategic place on some multiple access medium (ethernet) between the person on whom you are trying to spy would do the trick. Sorry to take so long on the response. I've been pretty busy so Turkey Day has been my first chance to really clean out my inbox in a few months. ____________________________________________________ (?) Fraser Valley LUG's Monitor DB From Ruth Milne on Thu, 26 Nov 1998 This is more of a "2-cent Tips" entry but here's a reader comment: (?) The Fraser Valley LUG at http://www.netmaster.ca/LUG have a monitor database that accepts a monitor make and model and spits out a working descriptor text for X setup. Dave Stevens ____________________________________________________ (?) ext2fs "Undeletable" Attribute From J.S. Moore on Wed, 26 Aug 1998 (An old AG that I never answered) (?) Hello. The manpages indicate that a file with the u option set is undeleteable, but it doesn't say how. Any ideas? J.S. Moore (!) I think this bit was reserved for future use and that it would/will require a userspace program (or use of an API by programs like 'mc' and other file managers) to actually browse and recover "deleted" files. I think the current feeling in the development community is to implement a new filesystem or some new extensions to ext2 that would allow full versioning support. However, I don't know the real skinny on it. ____________________________________________________ (?) How to Install Linux on an RS6000? From ESPEJEL GOMEZ ERIKA PAOLA on Thu, 26 Nov 1998 (?) My question is How install linux in a workstation (RS6000)? Thank you for your help. (!) Newer RS/6000's are built around PowerPC CPU's. I've heard of some people running LinuxPPC and MkLinux on some RS/6000 systems, but I'm not sure that there's enough support (device drivers, etc) to make this more than a curiosity. The place to start looking for answers to these questions would be at the LinuxPPC and MkLinux web sites: LinuxPPC: Linux for PowerPC Systems http://www.linuxppc.org MkLinux: Mach Microkernel with a Linux Server/Personality http://www.mklinux.apple.com ... There's recently been alot more activity on the Linux-PPC mailing lists so I know that active development is going on. In fact they have recently released BootX which is a package for MacOS that allows one to boot LinuxPPC without adjusting the OpenFirmware settings on your system. This is akin to LOADLIN.EXE for MS-DOS, but more important since Apple and the MacOS clone manufacturers didn't quite "get it" when it comes to implementing OpenFirmware/OpenBoot support. (Many models of PowerMac and their clones don't support manual console operation of the OF command prompt and many options don't seem to be supported or documented). When I talked to a couple of IBM researchers at ONE ISPCon a few months ago one of them expressed some interest in porting mkLinux or LinuxPPC in house, and having some of his team contribute some drivers to it. So, this may get some support "from the source" at some point. However, for now, it would be a hacker's project. It's not suitable for immediate production deployment from what I've heard. ____________________________________________________ (?) Advanced Printer Support: 800x600 dpi + 11x17" Paper From Karl Raffelsieper on Thu, 26 Nov 1998 >I am running Caldera 1.3 on my small networked P75 with 40MB Ram and >Several SCSI drives and Scanner, attached to the Parallel port is my >Xerox 4520 PostScript printer. I wish to have the P75 act as a print >server to the other PCs (running S.u.S.E. 5.1) This all works find, Here's >the problem. Is this a real PostScript printer, with a PostScript interpreter and a full CPU built into it? Is your print server passing the raw print jobs to the printer or is it passing them through it's own 'gs' (ghostscript), aps, nenscript, or other filters? _______ Yes this is a genuine Adobe Level 2 PostScript 20 Megs of RAM built in -- RISC processor, 24 page/min screamer of a network printer, (less the network card) and you can drop the raw PS data to it without ghostscript or other filters. (This is Xerox's answer to the HP 5si) This is were I am having my trouble. The driver installed is a generic Post Script driver, and it does not seem to make all the printer capabilities available. Even locally on the server. How can I make configuration modifications to all workstations so when Star Office 5.0 (as an example) is aware of the printers paper sizes. My limited understanding of the Post Script language is all the page definition, font info, formatting, etc. is actually written into the document. Thus so long as the data is sent raw to the server and it will send it raw to the PS printer the Adobe chips in the printer will do the rest. But I suspect I must report the printer capabilities to the OS some place. I started at /etc/printcap but it didn't seem obvious to me where to make the changes. (!) What applications are you running? (In other words, what applications are generating the PostScript). If they only use a subset of the PostScript supported by your printer then they have to be updated to generate more advanced PostScript. If you are dropping/sending raw PostScript to your printer then Linux isn't involved at all. It's between your applications and your printer. If you have Something like apsfilter (ASCII/text to PostScript) or nenscript (New "enscripting") listed in your /etc/printcap entry to transform text into PostScript that that's where you'd need to make the changes (though that should affect pages produced through Applixware, StarOffice, xfig, TeX/LaTeX/LyX etc since those are producing their own PostScript or their own .dvi or raw printer files). In the cases where TeX/LaTeX and/or LyX are involved the applications generate a .dvi file. This can be converted to PostScript using the 'dvips' command, or they can be used directly by any of the printer specific dvi drivers (called "dviware" by TeXnophiles). That's why I suggested calling Xerox to ask if they have or know of dviware for your printer. ____________________________________________________ (?) TAG suggestions From john on Thu, 26 Nov 1998 (?) I think that the way you are laying out TAG right now makes it a little hard to navigate. It would almost be better if you ran them all together on one big page, a la $.02 tips. The one word descriptions of other solutions at the bottom of each page are also pretty tough to figure out. How about an onMouseOver window.status() description for each, or something to the same effect? Great job, by the way! -- John (!) Heather (my wife) does all of the markup. She's spent many hours, for the last several months refining a script that does the bulk of the conversion from e-mail (adjusted for the quirks of how I format my responses) to HTML. However, one of the things that we both refuse to do is to rely about non-standard, browser dependent, and particularly upon JavaScript, features. [ Actually, this is not specifically because I have anything against javascript, though the abuse of certain features on the open web does annoy me considerably; nor because I don't write usable javascript code, for there's certainly a world of tested scripts at http://www.developer.com/ to go with the old Gamelon archives of Java applets; but rather, because I have no interest in making the folks with "modern" browsers lose more memory to a feature that they probably won't use. and the very idea of shipping someone 90+ full titles of messages, every time they read one of them, is insane. Don't even go there. I'm getting off this soapbox before I scorch it. -- Heather ] Originally all I wanted was for the URL's that I embed in my text to be wrapped with anchors. However, Heather and Marjorie (my editors) like to have the TAG messages split and like to over some navigation between them. Heather doesn't like sites that only offer "up, next, previous" options in their page footers, so she's implemented the scheme that you're describing. [ Also, at least one querent begged to be able to go to seperate messages without having to go back up to the index. Others thanked us for switching to an indexed format, as it was much easier to read the index alone and decide what messages they wanted to read. As for the "tough little words"... I thought it would be nicer than numbers, which is what my script actually generates. The good thing is that they can be figured out at all. They are short so that I can format the table at the bottom so it doesn't look lame and cost more space than the message bodies. As it is, there's so many this time, they're staying numbers. They'll probably go back to words next month, but I won't say for sure. -- Heather ] One problem I used encounter when TAG was "all one big page" was with search engines. I'd get a new question that correlated a couple of different concepts (IMAP plus Netscape Navigator/Communicator) and I'd get all sorts of spurious hits pointing to my own previous TAG articles. So I'm glad that we don't still smash all my articles into one page. [ However, masochists are encouraged to read 'The Whole Damn Thing'... the streamed version of the Linux Gazette. And if I see more than this one request, I may link 'The Whole Damn Answer Guy' (that is, the version I turn in to our Overseer for inclusion to TWDT) as an option off the Answer Guy index. But we're certainly not going back to the old format. Too many people like it, and I've put too much effort into the scripts I use to convert it, to go back. -- Heather ] However, Heather and Marjorie will see this message (along with other LG readers). I leave the details of formatting for publication entire up to them. Indeed when I first started answer these questions I didn't even know that they'd be published. (I just offered to take on technical questions that were misdirected to the editors). So, I'll focus on providing technical answers and commentary. [ I make a sincere effort to keep the resulting message looking as close as HTML allows to what the email looks like. When you only see it on the web, it could be hard to recall that it was a plain slice of mail. I feel it's important to keep that feeling. Real people use this software, real people have ordinary problems with it, and real people give a shot at answering them. Which is the last tack in the coffin of using browser-specific features... real people aren't going to change browsers just to read a webazine, and they're not gonna be happy if it crashes their browser because someone went a bit overboard on the HTML. So, I've kept changes minimal. I did all the graphics you see here, but except for color, and the split messages, I feel it's still pretty close to the original effort. (The astute reader, or especially the reader without color support, will note that I use EM and STRONG to support color usage, so the color is gratuitous, but does make for more comfortable reading if you have it and there's a lot of quoting.) You can look at the older Gazettes if you'd like to see what they used to look like... I think they look a lot better, but I'm biased ;) Still, if Jim keeps getting messages about the formatting that I'm really responsible for, I'm gonna have to draw my own speak bubble. I still have the blank bubble so it'll be easy. Gimp is cool, when it doesn't crash. Maybe some month when the load isn't too high I'll write an article about the script and how I did the gifs. -- Heather ] (Personally when I'm browsing through a series of related pages I prefer to bounce back up to the upper/dispatch page and then down to the next. This keeps my current "depth" a bit shorter when I want to back out of my browser completely. (Since I get interrupted and sidetracked frequently while browsing I like to make sure that I'm "done" with each page that's still on the "stack" by backing completely out to the "first document"). ____________________________________________________ (?) CGI Driven Password Changes From Terry Singleton on Sat, 05 Dec 1998 (?) Hi there, We recently installed a LINUX box that runs sendmail 8.9.1, we need someway for a user to be able to change their own password, most ISP's have a html form that allows them to do this. I know this can be done with CGI and Perl, question is does anyone have anything or know of anywhere I can find something that will do the trick.. I just bought a perl/cgi so I am working in that direction, we need something asap though. I would even pay for something. Regards, Terry Singleton Network Analyst (!) I once wrote a prototype for such a CGI script. It wasn't fancy but it used the following basic method: The form has the following fields: userid (login name): current/old password: (repeated): new password: (repeasted): ... and the script does the following: * Check the consistency between the current password and the repeat (and issue a retry screen if that fails). * start an expect (or Perl comm.pl) script that: + telnet to localhost + waits for a "login:" prompt + sends the userid + waits for a "password:" prompt + send the current password + waits for one of: o a shell prompt (sends passwd command) o the passwd prompt (if the user shell is set to /usr/bin/passwd). o a "login incorrect" message (aborts and returns HTML error form). * if the process gets to .../bin/passwd's prompt: + send the old password + wait for new password prompt + send the new password + wait for repeat prompt + sent the new password again + wait for O.K. message + returns HTML success page. So mostly it's a matter of writing the expect or comm.pl script. Unfortunately I don't have the real script handy. It looked something like: #!/usr/bin/expect -f ## by Jim Dennis (jimd@starshine.org) ## This should check a username/password ## pair by opening a telnet to localhost ## and trying to use that to login ## -- you might have to adjust the last ## expect block to account for your ## system shell prompts, and error messsages ## It returns 0 on success and various non-zero ## values for various modes of failure set timeout 5 log_user 0 gets stdin name gets stdin pw spawn "/usr/bin/telnet" "localhost" expect { -- "ogin: $" { send -- "$name\r" } timeout { send -- "\r\r" } eof { exit 253 } } expect { "ssword: $" { send -- "$pw\r" } } expect { "ast login: " { exit 0 } "(\\\$|%)" { exit 0 } "ogin incorrect" { exit 1 } timeout { exit 254 } eof { exit 253 } } ... so you'd replace the "exit 0" clauses with something like the following to have it change the password instead of merely checking the password as the example above does. set password [lindex $argv 1] send "/bin/passwd\r" expect "password:" send "$password\r" expect "password:" send "$password\r" ... this assumes that you got to a shell prompt. If you use the old trick of setting the users' login shell to /bin/passwd then you'd add another expect close to the original script to respond to the prompt for "Old password" --- which you'd get in lieue of a shell prompt. Obviously in that case you wouldn't be "send"-ing the /bin/passwd command to the shell prompt as I've done in the second line of this second code example. There's a package that purports to do this at: Linux Admin CGI Package Docu (English) http://www.daemon.de/doc_en.html ... so you can try that. You can also look at the Linux-admin mailing list archives where I'm sure I've seen Glynn Clements point people to some utility he wrote (I think I've seen this about a dozen times). A quick trip to the Linux-Admin FAQ (http://www.kalug.lug.net/linux-admin-FAQ) led me to a list of list archives, which lead me to one with search features. Searching on "web password change" got me to a message that refers to: ftp://win.co.nz/web-pwd ... I'm sure there are others out there. ____________________________________________________ (?) ifconfig reports TX errors on v2.1.x kernels From Peter Bruley on Tue, 15 Dec 1998 (?) Answer Guy: I have tried various 2.1x kernels every - once and a while to see how the new version is coming along. What I have noticed is errors being reported by "ifconfig" on the TX only (both ppp & eth). Do you know why ? TX Error (!) That's a good question. On the ethernet, I'd expect that most of them would be due to frame collisions. Basically they'd happen whenever any two cards on your segment tried to send dataframes at close to the same time. On the PPP link I'd expect them to be due to line noise. However, I'm not sure and I don't know why you wouldn't see any RX errors. Are you saying that you only see these under the 2.1.xxx kernels? I can assure you that some errors are perfectly normal (under any kernel). Too many may indicate a flaky card (yours, or any other on your network segment), bad cabling (thinnet/coax is particularly bad --- also using cat 3 UTP and/or running any sort of cable too close to flourescent light ballasts and other sorts of transformers and "noisy" RF generating equipment). On one of my systems (a 486 router, two 3c509 ISA ethernet cards, each on relatively short quiet cat 5 UTP segments, running 2.0.36) I have 0 errors in both the TX and RX segments out of about 200,000 packets routed. This is over an uptime of about 20 days. I picked that systems uptime and stats more or less at random (I'm using it's console as a telnet/terminal to get to my 'screen' session as I type this). On another system (a 386DX33 with on 3c509 adapter, running 2.0.30) I see six million packets received and 26 thousand RX errors (no TX errors out of about 3 million packets transmitted). That's been up for 71 days. I supposed we could commission a study to see if different ethernet cards, kernels and other factors produce wildly different statistics. But that sounds too much like a graduate project. ____________________________ (?) 'ifconfig': TX errors From Peter Bruley on Fri, 25 Dec 1998 (?) Hi: Jim Thanks for your reply, sorry I'm slow getting back. Here is a print out of my "ifconfig" after about 5 min. on the ppp connection to my ISP: lo Link encap:Local Loopback inet addr:127.0.0.1 Bcast:0.0.0.0 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:3924 Metric:1 RX packets:166 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:24679 dropped:166 overruns:0 carrier:0 coll:0 eth0 Link encap:Ethernet HWaddr 00:40:05:60:71:DD inet addr:10.40.150.1 Bcast:10.40.150.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:288 errors:0 dropped:0 overruns:0 frame:0 TX packets:86 errors:74789 dropped:507 overruns:0 carrier:0 coll:0 Interrupt:10 Base address:0x7000 ppp0 Link encap:Point-to-Point Protocol inet addr:226.186.100.56 P-t-P:226.186.100.249 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:576 Metric:1 RX packets:156 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:14836 dropped:135 overruns:0 carrier:0 coll:0 Here is are some of my software versions: Kernel is 2.1.128 libc.so.5 => libc.so.5.4.44 depmod (Linux modutils) 2.1.121 ppp-2.3.5 net-tools 1.432 Things seem to work properly. (all network services) except for some utilities that report modem activity ie/ xmodemlights (http://www.netpci.com/~dwtharp/xmodemlights) Note that my ethernet card is also reporting errors. Now assuming that these are real errors; how come when I boot up into a v2.0.34 kernel all the errors go away (on both ethnet & ppp) and my xmodemlights utility works flawlessly ? I have tried the v2.1.(85-131) kernel on apx 3-4 different boxes and I have observed the same problems. I'm alone on this issue or do you know of others reporting the same problems ? Peter (!) I don't know if there's any problem here. However, I would check the kernel mailing archives and possibly (after downloading, installing and testing the 2.1.132 or later kernel) post a message to the kernel developers list to inquire about it. I might be that the old 2.0.x driver wasn't reporting errors for your cards. They may have been buggy. It's also possible that they may have been driving your hardware slower, causing fewer errors, or fewer detections of errors. Of course it could be bugs in the latest drivers which we'd like fixed before we go to 2.2. So, check with the kernel developers and possibly get onto the comp.os.linux.* newsgroups (networking or hardware) with this question to poll other users for their results. [ In the "late breaking news" department, the kernels are starting to be called 2.2.pre so now is the time to start trying them out if you've been interested but afraid to go for a beta kernel. -- Heather ] ____________________________________________________ (?) Support for Trident Video/Television Adapter From Daniel Robidoux on Mon, 14 Dec 1998 (?) Looking for a manual for a trident 9685 with tv. I'm trying to get output to my tv but nothing works. Can you offer any suggestions. (!) Call Trident? I answered a question about the Providia 9685 chipset back in issue 31 --- but that had no mention of a TV tuner. There is a "video4linux" project that supports at least the BTTV (Hauppage et al) chipsets. I've never used it but you can feel free to hit Yahoo! and browse through the 2200 hits that you'll get with a search string like: "video4linux 9685" ... see what that nets you. ____________________________________________________ (?) Plug and Pray Problems From Tony Grant on Mon, 14 Dec 1998 (?) Hi, Problem: USR Sportster ISDN TA will not work on AMD K-6/II machine. Solution: Force D-Link Ethernet card to use IRQ 5 and ioports in the 0300 - 031f range so as not to interfere with the ioports needed by the Sportster. Question: How do I force the Ethernet card to behave? On bootup my kernel (2.0.36) tells me that IRQ / io etc are being set by BIOS. I want to set them myself. TIA for pointers to the correct doc. Cheers Tony Grant (!) My first guess would be that you're encountering a problem with some "ISA Plug and Play" adapters. The first option would be to see if there's a setting to disable "plug and pray" on one or both of these boards, and manually set them (possibly using an MS-DOS or Windows) utility). Failing that you can look for a Linux package called 'isapnptools' --- I've never used it --- but it seems to have helped a few people out there. I've read many messages from people who've resorted to booting DOS, running the configuration utilities from there and then loading their Linux kernel via LOADLIN.EXE. This is more of a workaround than a real solution --- but it seems to be effective for most and I don't know of any downside for normal operation (just that mild distaste that running MS-DOS to configure you hardware every time you boot might leave in your mouth). Console yourself with the fact that you rarely have to reboot Linux. ____________________________ (?) Plug and Pray Problems From Tony Grant on Mon, 14 Dec 1998 Jim Dennis wrote: ..snip This is more of a workaround than a real solution --- but it seems to be effective for most and I don't know of any downside for normal operation (just that mild distaste that running MS-DOS to configure you hardware every time you boot might leave in your mouth). Console yourself with the fact that you rarely have to reboot Linux. (!) Jim, Thanks for your prompt reply if only M$ offered such aftersales support =;-) Loadlin looks like a last resort solution that I will have to turn to. I really didn't want to install W$ or DOS on this machine (it is a headless server) so booting is no problem, the machine is up all of the time, only SW upgrades will imply rebooting. Cheers and thanks again Tony Grant ____________________________________________________ (?) Sharing/Exporting Linux Directories to Windows '9x/NT From markr on Mon, 14 Dec 1998 (?) I have a 5 system LAN at home with 2 linux, 2 win98, and 1 NT machine. From any of the 98/NT machines, I can see the linux boxes in Network Neighborhood. However, I am unable to connect to shares on the linux boxes. I have logged out of windows and back in as both 'root' and 'mark', both valid users on the linux systems, but when I try to access a share I'm prompted for a password which, although correct, is promptly rejected. I can go from Linux to win, and Linux to Linux, but I need to be able to go the other way as well.... Any advice? thanks, Mark Rolen (!) Have you read through the Samba man pages (smbd(8), nmbd(8), smb.conf(5), samba(7), smbstatus(1), etc), and the Samba FAQ and web site (http://www.samba.org)? Start there and make sure that you have 'smbd' and 'nmbd' running in the correct order, and that you have a valid 'smb.conf.' The best place to ask this sort of question is the comp.protocols.smb newsgroup. This is where the most avid Samba users exchange notes and commiserate over the latest MS CIFS machinations. When you ask them a question, be sure to include the simplest version of your smb.conf that you've tried and representative samples of any relevant syslog messages from /var/log/messages. Read their FAQ thoroughly for more details about the sorts of information to include in your support queries. [ Actually, your conf files are probably fine, since you see the share announced, and actually get a dialog back... except that you're missing one. Win98 and NT use encrypted passwords (or Win95 since one of the OSR packs) which a new enough version of SaMBa can answer, but it needs to be fed the passwords your win boxes will be using. Go into the FAQ and search for 'smbpasswd' and you should find the rest of the details. -- Heather ] ____________________________________________________ (?) Mail processing From Juan Cuervo on Mon, 14 Dec 1998 (?) Hello Answerguy, My name is Juan Cuervo and I was wondering if you could help me with this: I need all the incoming mail of my mail server users to be send to their mailboxes (as usual), but also to be processed by an external program (I mean , not a MTA). So, I need so send a copy of the mail to this external program if the mail user has a file in their home directory (called, lets say, ~/.myprog ) wich indicates that the mail messages for that user should be parsed by this external program too. Thank you for your help. Juan Cuervo (!) You can create an '/etc/procmailrc' and define 'procmail' as your local delivery agent. This is the most straightforward way to do this. However, it is pretty dangerous (the called program will be called as 'root') and it might result in unacceptable levels of overhead (depending on your number of users and their mail volumes). In any event the contents of /etc/procmailrc would look something like: :0c | /root/bin/mailfilter/.myprog .... to send a copy of each mail item through a program as you described. Personally, I don't recommend this, as it sounds like several disasters just begging to happen. However, you're welcome to experiment with this on a test system for a little bit to learn how it works. Many Linux distributions include 'sendmail' configured to use 'procmail' as their LDA by default. Look for a group of lines in your /etc/sendmail.cf that looks like: Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=procmail -Y -a $h -d $u ... to see if this is the case. If not, either replace the Mlocal clause that's in your /etc/sendmail.cf (yuck!), or add an entry like: MAILER(`procmail')dnl ... to your ".mc" (M4 configuration file) and regenerate your .cf file with the appropriate m4 command like: m4 < foo.mc > /etc/sendmail.cf Note that sendmail involves quite a bit more than this --- so you may want to get more detailed advice before trying this on a production mail server. There's a 900 page book from O'Reilly that's probably the best reference to 'sendmail' available. Arguments that we should also switch to 'qmail' or Wietse Venema's 'PostFix' (formerly known as 'Vmailer') may not help in your case. ____________________________________________________ (?) Extra Formfeed from Windows '95 From Jerry W Youngblood on Mon, 14 Dec 1998 (?) Is there a way to supress the extra formfeed when I print on my Linux HP540 printer from Windows95 on the network. Everything prints great, however there is an extra page that always comes out after the print job. How do I supress this? (!) I think there is a Win '9x control panel setting that can be tweaked to prevent this. However, I do as little with Win '9x as I can, so I don't know precisely where in that morass of dialogs and menus you might find this setting. (I suppose another option would be to set a special printcap entry for your Win '95 system to use, and have that use one of the settings for supressing formfeeds or use a special filter or something). I should warn that I also do as little printing as I can get away with. ____________________________________________________ (?) Can't Login in as Root From David Stebbins on Mon, 14 Dec 1998 (?) Hey Jim, After reading the letters to you and your responses I feel kind of silly writting to you with my little problem, but here it is. I am a very, very new linux 5.2 redhat (Macmillan) user and after installing the OS and establishing a user account for myself I have not been able to login as the root user. I type the same exact password that I used when I set the system up (as the root uesr), but cannot get back in (...very frustrating). perhaps you have a solution for me? I was logging in as "root" (w/o the " marks) and then just entering my password. What am I doing wrong? Thanks David (!) Is this at the console? If not, it's probably just securetty (read the man page in section 5). Can you login as a normal user and then use the 'su' command to attain 'root' status? If not then you probably have lost or forgotten the password or corrupted your /etc/passwd file. In those cases you can boot from a floppy diskette or boot and issue the 'init=/bin/sh' LILO option (as I described last month) to get into the system in single user mode without requiring any password (requires console access, obviously). Keep in mind that the passwords are case sensitive. You must remember which letters you typed in [Shift]-ed mode and in lower case. Also, if you look at you /etc/passwd file you shouldn't seen any blank lines, any comments, and any "junk" characters (control characters, etc). Read the passwd(5) on any working system to get the details of proper 'passwd' file formatting --- or just copy one from your boot floppy and recreate the accounts as necessary. Note, if you create a new passwd file you may create "orphan" files in this process, as your new account names might have mismatches to the old numeric UID's and GID's under which these files were created. The easiest way to fix that on a small system is to look at the numeric UID's of the files (any "orphan" file will show up with a numeric owner during an 'ls -l' and you can use the command 'find / -nouser -ls' to list all of them) --- then using your personal knowlege of who these files belong to, set their /etc/passwd account to match those numerics. Unfortunately the full details of all of this are far to complicated to describe in detail at this hour (it's 3:00am my time, I just got back from Boston, Massachusetts from the USENIX/SAGE LISA Conference). Once you get your system straightened out, make a backup copy of your /etc/passwd and /etc/group files --- just mount a floppy and copy them to it. That will make restores much easier in the future (even if you you have a full backup system in place it's often handy to restore these files before trying the rest of your restore --- some versions of 'tar' and 'cpio' for example don't restore files under numeric UID's and GID's -- they'll "quash" the ownership to root.root for all of them! If you really get stuck, call my number (800) 938-4078 to leave voice mail. It would make more sense to walk you through the recover than to type up every possible recovery technique in this message. ____________________________________________________ (?) Alternative Method for Recovering from Root Password Loss From David C. Winters on Mon, 14 Dec 1998 (?) Just discovered the LG, and your column, today. I sent you a message a few minutes ago asking a question; here's a submission. You finish up your "No Echo During Password Entry" answer in your Issue #35 column with a method for recovering from losing root's password. I've used another method, using LILO. During boot, when the "LILO boot:" prompt appears, hitting the key will give you a list of all of the kernels (by label) that LILO knows about. On my system, I'd see > LILO boot: > 2.0.30 2.0.30-orig > boot: ("2.0.30-orig" is the default Red Hat 2.0.30-3 kernel on 4.2; "2.0.30" is the label for the kernel I compiled.) If I append " single" to a kernel label, eg, "2.0.30 single", it'll boot using that kernel but come up in single-user mode. Just calling passwd() will let you change root's password. You then want to use exit() to continue bringing yourself back up to your normal runlevel (3 on my machine). (!) I'm well aware of this technique. However, using 'init=/bin/sh' will work in cases where 'single' won't. Some systems have their 'single user' mode entries in /etc/inittab set to call an 'sulogin' command --- which requires a root password. Ooops! I glossed over the details due to my own time constraints. (?) Useful, but a large security hole. Unless you secure it, anyone sitting down on console can reboot the machine and come up as root. To close this hole off, chmod() /etc/lilo.conf to 600 (or 660 if it's owned root:root) and add the "restricted" and "password=" lines, like the following example /etc/lilo.conf file: (!) Quite right. (?) boot=/dev/sda map=/boot/map install=/boot/boot.b prompt timeout=50 restricted password=AnswerGuy image=/boot/vmlinuz label=2.0.30 root=/dev/sda2 initrd=/boot/initrd read-only image=/boot/vmlinuz-2.0.30-orig label=orig root=/dev/sda2 initrd=/boot/initrd read-only Run lilo(), then reboot. Entering "2.0.30 single" will get you to a password prompt. When you enter "AnswerGuy", the LILO password won't be echod to the screen as per normal for entering passwords, and LILO will bring you up as root. This obviously requires remembering yet another password, but it's something to look into because, by default, LILO isn't password-protected on the Debian or Red Hat distributions I've used. (!) Also quite right. The principle problem with this is that it doesn't prevent the user from booting from a floppy (such as a Tom's Root/Boot (http://www.toms.net/rb) or even just an MS-DOS diskette with a disk/hex editor). Some PC's have the ability to "lock out" the floppy drive and protect the CMOS with a password. That helps. However, it isn't much help. Many (possibly most) BIOS/CMOS sets have "backdoors" such that their support technicians can help customers "get back into" their systems. This is a bad idea --- but seems to be pretty common. In addition it's possible to open the system case and temporarily remove or short (with a resistor) the battery on the motherboard, or remove the clock chip (where the CMOS data, including the password, is stored). So, to achieve any semblence of console security you must at least do the following: * Lock the PC in a cabinet, closet or case (or install one or more locking bolts in the case.) * Verify that the BIOS has no back door (how?) or replace the BIOS with a custom one or one that has been audited and verified by some trusted party as having no back doors. * Disable floppy and CD-ROM boot. * Enable CMOS password protection to prevent changes to the boot and other CMOS settings. (?) Debian: Whatever version was current two years ago; we switched to RH. Red Hat: 4.2 D. (!) Thanks for the prompting. I personally like the design of the Corel Netwinder (StrongARM/RISC based "thin clients" or "network computers" with embedded Red Hat Linux and KDE), and the Igel "Etherterm/Ethermulation" (PC based X Terminal, thin client, and character mode ethernet terminals, with custom embedded Linux --- and Java, Netscape and other optional tools on solid state disks). Corel Computing, a division of Corel Software, Inc: http://www.corelcomputer.com Igel USA: http://www.igelusa.com These systems are specifically designed with no support for removable media. This makes this much better suited to deployment in hostile user environments (such as libraries, kiosks, Internet cafes, public access and college computing labs). It is unfortunate that these systems are currently a bit more expensive than similarly powered PC's. Since they are currently produced in somewhat volumes and they are currently niche markets, they command a higher margin and don't benefit from the full economies of scale. However, that's the main reason I don't own any of these. (Another advantage to these systems, over and above security, is that they offer much less power draw and much quieter operation than standard PC's with that incessant fan and disk noise). ____________________________________________________ (?) SCOldies Bragging Rights From David C. Winters on Mon, 14 Dec 1998 (?) In your response to Anthony's second message (re: a coworker teasing him about SCO's capabilities), you say: I figured. About the only things the SCOldies can hold over us right now are "journal file support" and "Tarantella." Abject curiosity makes me ask: What are these two capabilities? D. (!) "Journaling Filesystems" and "Logging Filesystems" are those which store and utilize transaction logs (journals) of file operations until those changes are "committed" (synchronized). Thus a set of small data structures on your filesystems are automatically synchronized (like in a "write-through cache") while the rest of the fs benefits from normal write caching. The net effect is that filesystems can be quickly checked and repaired after a castastrophic shutdown. In other words, you don't have to wait for hours for 'fsck' to finish fixing your filesystems after someone kicks the plug on your server (or the power supply fails, etc). This is likely to be added to Linux by version 2.4 or 3.x. Some preliminary work as already been done. Many versions of Unix (such as SCO, Novell/SCO Unixware, and AIX) have their own implementations of these features. In addition there is a company called Veritas * (http://www.veritas.com/corporate/index.htm). You can get some similar effect from Linux, at considerable performance cost, by selectively mounting your important filesystems with the 'sync' option (mount -o sync ....). "Tarantella" is a unique feature of SCO's. It provides Java/Web based access to your Linux desktop. The closest match is the VNC package (virtual network computer) from the Olivetti/Oracle (Joint) Research Laboratory * (http://www.orl.co.uk/vnc/index.html). VNC is a network windowing system (like X Windows, but more "lightweight") which allows you to connect to your systems remotely via an MS Windows (Win '95/'98/NT), MacOS, or Java client. VNC also allows you to remotely connect to Win '9x/NT system from it's X Windows (or other Win/MacOS/Java) clients. Actually VNC might be close enough in features that SCO couldn't get much mileage out of touting it over Linux with VNC. VNC is under the GPL. ____________________________________________________ (?) Application Direct Access to Remote Tape Drive From Yves Larochelle on Mon, 14 Dec 1998 (?) Hello, I have a simple problem. I run a FORTRAN program that makes calls to a C library to read data from a DLT SCSI tape drive. Everything is fine when I run from a drive on my host machine. (!) Oddly enough I was just writing in my book about how the tape drives under Unix (and Linux) are available for general purpose spooling of applications data sets (like the old mainframe spooling and job control model) but are rarely used in this fashion. It's amusing to see that someone is doing this. (?) But I haven't been able to open/read the tape drive on a remote host. I have read your previous answers on remote tape access: http://www.ssc.com/lg/issue31/tag_backup.html and http://www.ssc.com/lg/issue29/tag_betterbak.html but it doesn't solve my problem. I want to use local memory and CPU, so "rsh" is not an option. In my C library I have tried to change: > fd = open ("/dev/st0", flag, 0); > ... to: > fd = open ("remotehost:/dev/st0", flag, 0); > or even: > fd = open ("operator@remotehost:/dev/st0", flag, 0); without success: Open failed on tape No such file or directory (!) Yep. That's right. Inspection of the code for 'tar' and 'cpio' would reveal that these do use an implicity 'rsh' to the remote host, and pipe their data streams over TCP connections thereto. This ability to access devices remotely is not built into the C libraries, it is built by your program through the native network mechanisms (or at least via judicious use of the 'system()' library call). (?) I do have setup /etc/hosts.equiv (and /$HOME/.rhosts) so I can access my account on the remote host without password I have been told to use "rmt", but how to do it within the C library ?? (!) I don't know much about 'rmt' but you can pick up the 'dump' package in which it is included and read the man page therefrom. I'd pick up the sources to that package so you can read some sample source code to understand how 'dump' uses it. (Obviously if you want to actually cut and paste the source code for use in your project, you'll want to read and comply with the license --- probably GPL. This may be of no consequence if you won't be redistributing your program --- and should be know problem if you're willing to release your sources under a compatible license. It should also be no problem if you read these sources to gain and understanding of the API's and code your own functions. However, read the license for yourself). (?) Can you help me with this one ??? (!) Since I'm not a programmer --- not much directly. However, as I've said, you can study examples of this sort of code in the 'tar', 'cpio', and 'dump' sources. (?) If at all possible, (!) ... (e-mail ellided) I always respond via e-mail whenever I respond at all. The mark-up to HTML is done at the end of each month by my lovely assistant (and wife), Heather. ____________________________________________________ (?) Mounting multiple CD's From ali on Mon, 14 Dec 1998 (?) HI I've just recently purchased a copy of Red Hat Linux 5.0 and a new CD drive(ie. I now have 2 CD drives) and I need to know how to mount them. The 2 drives are connected to the IDE on my soundblaster AWE-64 sound card and I need to know how to mount the drives from there. (I previously had one drive and mounted it using /dev/cdrom but now what do I use?) (!) /dev/cdrom is normally a symbolic link (sometimes a hard link) to some other device node such as /dev/hdc (first device on the second IDE channel) or /dev/scd0 (first CD device on the first SCSI channel). (?) The two drives are: 1) Samsung SCR-2030 2) HP CD-Writer Plus 8100 (!) These (and the fact that you refer to your Sound card) sound like SCSI devices. You'd simply find out which of these your /dev/cdrom is linked to (by mounting it as normal or inspecting the 'ls -il' output of your /dev/ directory). [ And, you could tell which one it was since its light will flash when you mount the disc. -- Heather ] For the other you'd use a command like: mount -t iso9660 -o ro /dev/scd1 /mnt/cdrom1 ... where the -t specifies the filesystem type (ISO 9660 is the standard for normal CD's), -o is a set of options (read-only in this case) and the next two parameters are a device name (second SCSI CD drive), and an arbitrary mount point (usually an empty directory under the /mnt tree --- or an empty directory in any other convenient location). You could name that mountpoint anything that your filesystem will allow (just about anything). I use /mnt/cd* or /mnt/cdrom* as prefixes to these names for obvious reasons. If this new drive is on an IDE interface its likely that you'd use something like /dev/hdc or /dev/hdd for the device name. (?) Any help will be appreciated. Thanks Ali ____________________________________________________ (?) More on Multi-Feed Netnews (leafnode) Some additional comments by one of the authors/maintainers of leafnode(?). From The Answer Guy on Mon, 14 Dec 1998 (?) Jim, I have a question in the "Answer Guy's" inbox regarding multi-feed leaf netnews. I don't remember which package my querent was using (leafnode, suck?, ???) but his question regarded whether it's possible using any of these packages to download news from multiple sites and upload/ feed them back selectively). (!) It is possible with suck/INN, of course. (Everything is possible with this combination, I suppose :-) . It is also possible with leafnode, starting from 1.7. The config file should look like this: server = news.a.org supplement = news.b.com expire = 14 # expire messages after that many days create_all_links = no # optional, saves disk space Leafnode should be able to figure out everything else on its own. If you need usernames and passwords for servers, it becomes a bit more complicated, but leafnode can handle this as well: server = news.a.org username = user_at_a password = password_at_a supplement = news.b.com username = user_at_b password = password_at_b expire = 14 create_all_links = no HTH, - --Cornelius. /* Cornelius Krasel, U Wuerzburg, Dept. of Pharmacology, Versbacher Str. 9 */ ____________________________________________________ "The Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ (?) The Answer Guy (!) By James T. Dennis, answerguy@ssc.com Starshine Technical Services, http://www.starshine.org/ _________________________________________________________________ (?) Getting 'rsh' to work From Anthony Howe on Mon, 14 Dec 1998 (?) Oh hum. I'm having trouble with getting rsh to work between two machines for a specific task. I've read the rsh, tcpd, and hosts.allow man pages and I still can't get it to work. 1. the same user "joe" with the same password exists on both "client" and "server" machines. 2. server's hosts.deny: ALL:ALL 3. server's hosts.allow: in.rshd:1.2.3.4 4. server's inetd.conf: "shell" line uncommented 5. I have an A record for: client A 1.2.3.4 6. and I have a PTR record for: 4.3.2.1.in-addr.arpa PTR client Now every time I try and do something as simple as: joe@client$ rsh server '/bin/ls /home/joe' I get "Permission denied". The logs on neither client nor server provide no reason for the "Permission denied". Maybe I just over-tired, but I can't figure out what I'm overlooking. Can anyone please tell me what I'm missing? (!) What is the precise line in your /etc/inetd.conf? Some versions of in.rshd and in.rlogind have options which force the daemon to ignore .rhosts files (-l) allow 'superuser' access (-h), syslog all access attempts (-L), and perform "double reverse lookups" (-a). It looks like your forward and reverse records are alright (assuming that the client's /etc/resolv.conf is pointing at a name server that recognized the authority for the zones you're using). Note: If you are going through IP Masquerading at some point (some sort of proxy/firewall package) then there's also the remote chance that your source port is being remapped to some unprivileged (>1024) port as the packets are re-written by your masquerading/NAT router. I did complain to the Linux/GNU maintainers of the rshd/rlogind package about the fact that their syslog messages don't provide more detailed errors on denial. However, I'm not enough of a coder to supply patches. To test this without TCP Wrappers at all try commenting out the line that looks something like: shell stream tcp nowait root /usr/sbin/tcpd in.rshd -a ... and replacing it with something like: shell stream tcp nowait root /usr/sbin/in.rshd in.rshd -L (note: we just changed the tcpd to refer to rshd). ____________________________________________________ (!) Linux as a Netware Client From Jedd on Sat, 05 Dec 1998 (?) Howdi, In the December issue of LG, you answered someone's query regarding accessing their netware servers from Linux, by pointing him at Caldera or the ncpfs package. The caldera system is quite fine, albeit based on Redhat, and between the two companies they seem to have not only ignored the old FSSTND, but positively danced on its grave. Trying to get the Caldera Netware client working under Debian, btw, was a right pain (I've still not done it), so it may not be feasible. Looking at their archives, it appears that even getting it to work under pure Redhat is a bit, uhm, 'challenging'. However, for your info, the ncpfs package does support NDS (Netware 4 & 5) connections - and has done for the last two minor releases. I'm still experiencing some problems with this feature - when trying to concurrently authenticate to two servers in the same tree - but I hope/ suspect that's me doing something funny. Cheers, Jedd. (!) Some more feedback that I'll just present on its own merits. ____________________________________________________ (?) LILO Default From Steven W.Cline on Mon, 07 Dec 1998 (?) Answerguy, I've been searching for this but can't find it. I would like to change the default OS that lilo loads. Right now it is Linux. How can I change the default to DOS? This is because I am the only one using Linux and the rest of the family uses DOS. Steven W.Cline San Bruno, Ca. (!) The default is the first "stanza" (boot image) listed in the /etc/lilo.conf. So, just edit that file and move the block for your Windows stanza to place it after any global directives and before any other OSes that you have listed. Alternatively you can just use the default= directive to specify the label of the image that you want to use. (Hint: searching the lilo.conf(5) man page on the term "default" leads us to the answer within a few shots. [ I should only comment on layout stuff, but here, I just gotta. Once upon a time when antares was a multi-boot machine, I had it set up so that CTRL-ALT-DEL would always reboot you into "the other OS". For a while it was so handy, I'd even forgotten how we did it... so I wasn't able to tell Jim! But here's a trick that should work: Add a line to /etc/inittab that reads: ms::boot:/sbin/lilo -R dos (assuming you've named your stanzas linux and dos). The 'ms' is a gratuitous identifier; it could really be anything, as long as the other inittab lines have a different first value. The '-R' stores a LILO command choice for only one session, so on the next reboot (from DOS, which isn't saying anything special to LILO) you'll go back to the other OS... unless sometime during your linux session, you run another lilo -R command that mentions a different command line to default to. However, you leave the lilo default to linux this way. I suppose you could use this to run /sbin/lilo -R linux so that reboots from Linux will tend to stay in Linux, with the default set as Jim described to dos so that power-on, and reboots in DOS, will tend to stay in DOS. I don't know if there's a LILO control program for DOS these days, but with LOADLIN and a copy of the kernel stored in DOS-accessible space, you could even create a script that would let you add "Linux" to your DOS or Windows menu system. If you prefer to go that way, you could even uninstall LILO and put back a plain DOS master boot record, so it would never ask anymore. Or, you can set LILO to delay forever, so you can always choose which OS ... though this loses the benefit of being able to ignore the system while it boots. -- Heather ] ____________________________________________________ (?) Uninstalling Linux From Tom Monaghan on Fri, 18 Dec 1998 (?) i cannot find any info on the best way to uninstall Red Hat Linux 5.2. I must reinstall DOS as linux does not support my video driver (yet). Any help would be appreciated. Thanks. (!) When you installed Linux, you probably created a set of partitions on one of your hard disks. You can just go into the Linux 'fdisk' (using your installation diskette or CD) and delete all of your Linux parititions (including swap and "native" (ext2)). Once you done that then DOS/Windows should be "willing" to create new partitions in the unallocated portions of disk space that you've created by deleting your Linux partitions. If the whole disk was devoted to Linux and you want to trick MSDOS into believing that this whole drive is "fresh from the factory" you can use the following trick: WARNING! THIS WILL WIPE OUT ALL DATA ON YOUR DISK! Boot into Linux (on a rescue diskette or into the working copy that you have installed) Login as root. Issue a command like the following: dd if=/dev/zero count=1 of=/dev/hda ... NOTE: The "of" parameter should point at the device node for your disk. If are doing this to the first or only IDE drive on your system (the most likely case) you'd use /dev/hda as I've shown. If you're doing this to the first SCSI drive it would be /dev/sda, if you were doing it to a second IDE or SCSI drive that would be /dev/hdb or /dev/sdb respectively, and so on. To get some idea of which drives and partitions you have Linux installed on you could use the command: fdisk -l | less ... to look at the partitions on all drives that Linux can see. Note that you'll see partitions like /dev/hda1 and /dev/hda5, etc. These are partitions on the first IDE drive (/dev/hda). When we zero out the first sector of the drive, operating systems will consider the whole drive to be blank and will install just as you would on a brand new hard drive. (Technically under MS-DOS you could just wipe out the two bytes at the end of the first sector --- which is a signature value that MS-DOS FDISK.COM (or FDISK.EXE) uses to detect a partiton table or MBR. Naturally you could also delete the partitions (as described earlier) and then boot from a DOS floppy and issue the command: FDISK /MBR ... this will work on MS-DOS 5.0 and later. Otherwise use the 'dd' method from Linux. Incidentally I rather doubt that Linux doesn't support your video card. It is probably more formally correct to say that XFree86 doesn't support your video card. You don't need to run a GUI to use most of Linux (I rarely go into X Windows). [ They just released XFree86 3.3.3 recently, so maybe you should check again with a fresh X package from http://www.xfree86.org/ and see if it has your card in it now. -- Heather ] As I point out in other messages there are a couple of alternatives to XFree86 including some freely distributed binary X servers (source code unavailable) which can be found at the Red Hat contrib site and other mirrors and software archives, and there are a couple of commercial X Windows System packages for Linux (from Xi Graphics: http://www.xig.com, and MetroLink: http://www.metrolink.com). ____________________________ (?) Uninstalling Linux From Tom Monaghan on Fri, 18 Dec 1998 Thanks. Since I was in a hurry, I just ran the install and deleted all my linux partitions via Disk Druid (coincidentally the same tack you suggest) and booted out of the install. So now I am back to DOS :( I have RH 5.2 at home, so deleting linux here at work does not end my experimentation with this OS. The thing I am stuck on at home is getting my modem to connect to my ISP. This is so freaking frustrating I had to step away for a day or so...Will continue to bang on linux until I get it right. It's funny, I have a decent amount of UNIX experience under my belt (I am ashamedly a Software Developer), but when it comes to configging stuff I am a moron! Super L/User ____________________________________________________ (?) Making a Kernel Requires 'make' From Mohd. Faizal Nordin on Fri, 18 Dec 1998 (?) Hai everybody.... I am having problem to compile my kernel in order to set my ppp and diald. The problem is when I want to compile kernel for RedHat 5.1 I got error msg: " make : bash command not found ". Can someone pls help me on this problem. Cheers... fiber... (!) It sounds like you need to install 'make' (the package that interprets "makefiles" and traverses the sources resolving dependencies by compiling, linking and otherwise manipulating the sources, object files, etc). (Either you need to install the package or make sure that it and your other development tools are properly on your PATH). You also need gcc (the GNU C compiler) and the 'binutils' package (which contains 'ar' 'ld' and the assemblers and other tools that are needed to build most C programs). It seems odd that you need to recompile your kernel for PPP support. Most distributions ship with that built in or with a modular kernel and a selection of pre-compiled modules. ____________________________________________________ (?) Using only 64Mb out of 128Mb Available From Terry Singleton on Thu, 17 Dec 1998 (?) When I run the admin tool "top" it appears as if my system is only using 64MB of memory. 11:00am up 4 days, 23:39, 2 users, load average: 0.07, 0.03, 0.00 40 processes: 39 sleeping, 1 running, 0 zombie, 0 stopped CPU states: 0.3% user, 0.1% system, 0.0% nice, 99.6% idle Mem: 64168K av, 57420K used, 6748K free, 19820K shrd, 19816K buff Swap: 104384K av, 24K used, 104360K free 23932K cached The results show 64168K av which indicates 64168K of available memory yet our system has 128MB RAM? I have the same results on 2 other Linux servers with more than 64MB RAM. I am running RedHat 5.1, is there anything special I have to do to tell the system I have more than 64MB, recompile the kernel..? (!) This is a classic FAQ. The BIOS standards for memory query (Int 12h?) don't support the return of more than 64Mb of RAM. There are a number of different mechanisms for doing this on different chipsets, and some were "dangerous" (in the sense that they might hang some systems with a different API/BIOS). So, Linux didn't support automatic detection of more than 64Mb on most systems until very recently (2.0.36?). You've always been able to over-ride this with a kernel parameter. As you may know from my earlier articles or from the LILO man pages you can pass parameters to the Linux kernel using an append= directive in your /etc/lilo.conf file (and subsequently runing /sbin/lilo, of course) or by manually appending the parameters on the command line at the LILO prompt (or on the LOADLIN.EXE command line). To do this with lilo.conf you add lines of the form: append="mem=128M" ... to each of the Linux stanzas to which you want this to apply. (I'd leave one of them without it for the first try so you have a working configuration into which you can boot in case there's a problem with your system. I've heard of some cases where users had to reduce their memory configuration by 1Mb for odd reasons). With the newer 2.0.36 and 2.1.x kernels you shouldn't need to do this (they have new autodetection code that should handle all of the common chipsets). One trick for programmers --- if you want to ensure that your code or distribution will run in limited memory constraints you can do a quick test using a smaller mem= parameter to force the kernel to run in less space than it normally would. WARNING: If you forget the trailing 'M' the kernel load will fail when it tries to allocate the specified amount of RAM in bytes. (Don't do that!). In any event you might want to check out some of the FAQ's on Linux since I'm sure this is in a couple of them. ____________________________ (?) Using only 64Mb out of 128Mb Available From Terry Singleton on Fri, 18 Dec 1998 (?) Thanks Jim.I added the line as you suggested, however it did not seem to take am I supposed to be it under the boot image section itself? Memory is still 64000av. (!) Sorry, I should have been more detailed. You need to add this append= directive to each of the stanzas to which it applies. (You could have a couple of stanzas that referred to reduced memory configuration if you were a software developer, tester or reviewer so that you could test a package's behaviour under varying memory constraints). (?) This is what I have: boot=/dev/sda map=/boot/map install=/boot/boot.b prompt timeout=50 append="mem=128M" image=/boot/vmlinuz-2.0.34-0.6 label=linux root=/dev/sda1 initrd=/boot/initrd-2.0.34-0.6.img read-only should it be: boot=/dev/sda map=/boot/map install=/boot/boot.b prompt timeout=50 image=/boot/vmlinuz-2.0.34-0.6 label=linux root=/dev/sda1 initrd=/boot/initrd-2.0.34-0.6.img read-only append="mem=128M" (!) Yes. (Also remember to re-run /sbin/lilo to read this config file and build the new boot blocks and maps therefrom). Incidentally it would have been quicker and reasonably safe (in this case) to just try the experiement. It should have worked and you'd have gotten your answer much quicker. I can understand a degree of hesitation about experimenting with the boot blocks and partition tables (a data structure that's stored in the the same block as the MBR first stage boot block). Obviously a mistake means that you can't boot at all. However, it's wise to have a backup and a working rescue floppy and to practice using them before you make any changes to your /etc/lilo.conf. ____________________________________________________ (?) Manipulating Clusters on a Floppy ... From Padma Kumar on Thu, 17 Dec 1998 Sir, I'am basically want to write an application which needs to mark a particular predefined cluster as bad, and also need to change dynamically the value contained in the specific cluster. Is there any way by which we can write some data into a cluster, mark that cluster as bad, again i need to mark that bad cluster as usable and update the data in the cluster and then mark it as bad again. I would be greatful if you could help me out with this task or tell me where i can find some information regarding this. Thanking you for your consideration. With Regards Padma Kumar (!) This is a rather dubious request. You'd have to write you're own custom programs to do this (for each filesystem type that you wanted to support --- since different filesystems have different mechanisms for marking clusters as bad). I've heard of MS-DOS virus writers, and some copy protection schemes, that used similar techniques to covertly write keying information on people's systems back when software copy-protection seemed feasible. The demise of this technique has two major dimensions: There were chronic technical problems caused to legitimate users (thus decreasing customer satisfaction while increasing support costs). (Problems resulting from restoration of user programs and data after a hardware failure or upgrade are one example). A moderately skilled cracker could easily reverse engineer and bypass these measures (often by "NOP-ing" out the portions of code that performed the objectional hackery). Many users/customer simply rejected the whole adversarial stance of software companies employing these techniques. We still see tacit acceptance of "dongles" (hardware keys, typically attached to parallel or serial ports which are queried by a program to enable its operation, typically with some sort of challenge response protocol). However, those are only used for a small number of high end packages. To write your own code, just look at the examples in the programs: badblocks, mke2fs, and e2fsck. These all manipulate the badblocks lists on Linux' ext2 filesystems. Naturally you can look at the sources for similar programs for each other fs which you intend to support. Note that most of these programs are under the GPL. While studying them and writing your own code is probably a fair use, if you intend to "cut and paste" code from them you must read and respect their licenses (which would be in conflict with any copy-protection applications which you might have in mind). I realize I'm reading a lot into your question. I don't know of any other rational uses for bogus "bad blocks." ____________________________ (?) Manipulating clusters on a floppy ... From Padma Kumar on Sun, 20 Dec 1998 (?) Sir, Thanks for spending time for answering my question ... Basically i'm trying to write the code in Delphi (Assembly code in Delphi) for Windows 95 stand-alone PC. I hope this clarifies ur doubt in short. (!) It clarifies things just fine. This is the Linux Gazette. I answer questions that relate to Linux. If you have programming questions that related to Win '95 and/or Delphi --- please go to Yahoo! and look for a Win '95 or Delphi "Answer Guy" (or other support forum). You paid money for that commercial software --- with the stated or implied benefit of technical support. It's really a pity that the companies that sold you these packages aren't delivering on that promise. As I said, you can look at the Linux sources for many examples of manipulating many types of filesystems (including MS-DOS/Win '95) -- those examples are mostly in C. (?) Thanking you once more for ur consideration Expecting a reply soon (!) Have you ever read any of my other answers? How did you find my address without getting any indication of the focus of my work? Is it just that using all that vendorware has left you desparately seeking support from anyone you can find? ____________________________________________________ (?) Setting up ircd From paul maney on Thu, 17 Dec 1998 (?) hi there i cant set up ircd on redhat Linux i haveing big pog what can i do to get it to work a.s.p pls from paul marney you can get me on [phone omitted] or [email omitted] (!) I'm afraid this question is below the literacy threshold. I think this translates to: I can't set up 'ircd' on my Red Hat Linux system. I'm having "big problems" (with it). What can I do to get it to work? Please reply ASAP. First, I've never set up an IRC server. I've only used IRC as a client on a few occasions (less than ten in the last ten years). I presume that I could set on up if I tried (and I know some of the people who created Undernet -- one of the larger IRC networks, so I'm sure I could get help if I needed it). However, your question shows a remarkable lack of motivation. You don't provide any information about what version of Red Hat you are using, where you got the your IRC (Internet Relay Chat) daemon package (I've never seen one included with Red Hat Linux CD's --- though admittedly I wasn't looking for it). More importantly you don't give any indication of what you've tried or what sort of problems you've encountered. Based on your message it doesn't appear that you've even read whatever man pages, README files, and other documentation came with your ircd package. Glancing around I found an ircd21002.tgz in the Slackware contrib directory on ftp.cdrom.com (Walnut Creek, manufacturers of many fine collections of free software --- including the Slackware Linux distribution and FreeBSD). Grabbing that I find a set of documents and an example ircd.conf file that give some hints as to how you'd use this particular version of IRC. It turns out that this one is the "UnderNet" version of ircd (I'd heard that they'd written their own, but coming across here it was just by chance). You could look at the UnderNet web site (http://www.undernet.org) but that doesn't seem to lead to any technical documentation of the sort that you'd need to set up your own server or join one of the relay networks. You'd have to know to look at http://www.undernet.org/documents (since there don't seem to be any links from the index page down to this page). However that doesn't include anything that you need either. My next stop would be Yahoo!: Computers and Internet:Internet:Chat:IRC:Networks http://dir.yahoo.com/Computers_and_Internet/Internet/Chat/IRC/ ... and I'll leave it to you to search through those links. Naturally you could also hunt through the IRC channels and ask the regulars in those that are appropriate. I suspect that some of the people who install, configure and maintain these servers are also IRC users. I think there's also a couple of news groups that are appropriate (search your local lists of newsgroups for the string "irc"). If you ask for help from any other parties, I'd suggest putting some careful thought into crafting your questions --- most people won't spend nearly the time that I just have on answer a question that's presented as badly as this. ____________________________________________________ (?) Sendmail on private net with UUCP link to Internet From rkblum on Tue, 15 Dec 1998 Hello Answer Guy! Thanks for all of your excellent advice. I really enjoy your columns. In your December issue, you had an answer for RoLillack for using Sendmail on a local private network. You mentioned that your network is connected to the Internet via a UUCP hub for mail purposes. I would like to follow-up on that comment. I do volunteer work at a local K-6 school and we were looking for a similar mail solution. Your answer got the wheels rolling and we think we have a good, inexpensive e-mail solution for the school. The only piece that we are missing is the sendmail.cf file for the UUCP hub. We have not been able to find a good example of how to configure the hub to route all outbound mail to the ISP UUCP host, as well as not do DNS lookups for our clients running Eudora. Unfortunately, we have not been able to find the SendMail book in our local bookstores. We would appreciate any help you could give us in this direction. (!) I don't know how you'd convince Eudora and other mail user agents not to do DNS queries for MX records. I use a trick with sendmail (specifying an IP address of the form '[192.168.1.x]' --- note the square brackets --- in my nullclient.mc file). In my case I have an "all Linux" network. The rare occasions when I try to run some MS or Apple based OS around generally don't involve setting them up with access to the Internet and certainly don't involve my trying to read my mail on them. You might be able to do the same, or you might have to create a DNS server that "claims" to be authoritative for the root domain (then one called "."). I've heard of people setting up these sorts of disconnected DNS zone but I don't have an example handy. I'd suggest grabbing the DNS HOWTO and searching through the archives of the Linux-admin list for some suggestions on that. Incidentally I hear there are some pretty good Linux Users' Groups in Indiana. Sadly I note that there is no SAGE (SysAdmin's Guild) chapter for your area. USENIX/SAGE is hoping to greatly expand the number of SAGE local chapters around the world and across the country in the near future. All it takes are a few professional system administrators to get together (SAGE is OS neutral, though the membership shows a decided preference for Unix-like systems). As for my particular setup, here's the M4 config file from one of my clients: divert(0)dnl VERSIONID(`@(#)clientproto.mc 8.7 (Berkeley) 3/23/96') OSTYPE(linux) FEATURE(nullclient, `[192.168.1.3]') ... that's all you need. You can then use m4 to generate a /etc/sendmail.cf file from this (as I've described in past columns. Newer versions of sendmail provide a 'makefile' to make this generation step even easier. The effect of this .mc file is to forward all mail to my mail hub (which is the mail store for my LAN and is the gateway to the rest of the world). On my client workstations I retrieve mail using 'fetchmail' (via POP-3). Thus if I mail 'star' (my wife) the mail gets sent to 'antares' (the hub) even though she has an account on the local host. This means that she, my father, and others with accounts on my workstation, don't need to maintain .forward files on 'canopus' or any of the other workstations around the house. All of their mail (and mine for that matter) gets sent to antares. My mail gateway's .mc file looks like: divert(-1) divert(0)dnl include(`../m4/cf.m4')dnl VERSIONID(`$Id: antares.mc,v 1.3 1998/03/17 02:22:55 root Exp root $ by James T . Dennis, Starshine.org $Date: 1998/03/17 02:22:55 $') OSTYPE(`linux') FEATURE(`allmasquerade')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`always_add_domain')dnl FEATURE(`nodns')dnl FEATURE(`nocanonify')dnl FEATURE(`local_procmail')dnl FEATURE(`uucpdomain')dnl MAILER(`smtp')dnl MAILER(`uucp')dnl MAILER(`procmail')dnl MAILER(`uucp')dnl MASQUERADE_AS(`starshine.org')dnl undefine(`BITNET_RELAY')dnl define(`confDEF_USER_ID',"8:12")dnl define(`SMART_HOST', `uucp-dom:XXXX')dnl On this last line I have the name of my UUCP provider listed in place of those X's. By defining a mailer and host pair for my SMART_HOST I force 'sendmail' to deliver all of my non-local mail to my UUCP provider through the "uucp-dom" mailer. "uucp-dom" is a mailer that delivers mail via uucp even though it uses "domain style" (DNS) address syntax. This last file is probably a bit more elaborate than you actually need --- and it's simplified a bit for this example. (I actually use the "mailertable" FEATURE to trick the system into deliver mail that appears to be to one of my LAN hosts into delivering it to a virtual hosted mail server that's really maintained by my ISP). (?) Thanks again for all of your great answers! Rich Blum Trader's Point Christian Schools Indianapolis, Indiana (!) I'm glad I could help. You are right, UUCP is still a good way to get e-mail and netnews without getting a full Internet connection and without having the connection used by web browsing or other protocols which you might prefer not to run into your site. (Conversely it's also a great way to preserve your PPP bandwidth to interactive uses while your mail and/or news gets spooled quietly away for other times). ____________________________ (?) Re(2): Sendmail on private net with UUCP link to Internet From rkblum on Wed, 16 Dec 1998 Jim - Thanks for your quick response and acurate answers! The sendmail.cf sample you sent was exactly what we needed. I think that I unneccessarilty muddied the waters with my Eudora question. It turned out that it was not a DNS problem with Eudora, it was my mistake of not having the IP addresses in the ip_allow. The Eudora clients work fine now. I have asked our local bookstore to order the SendMail book for me - I think I need it! Thanks again for your help - keep up the good work! Rich Blum ____________________________________________________ (?) Complaint Department: From T Elliot on Sun, 20 Dec 1998 (?) Having worked with Unix (1983-1989) and (gasp) MS-DOS (from DOS 2.11) and Windows (from Win 3.0 to NT Server 4.0 - I once installed the NT5 beta, but decided it was too risky) and occasionally been tempted into trashing my spare PC to install Linux, one of the biggest problems I find with Linux is the lack of coherent tools and user interfaces. If I install a package under Windows, I get a shortcut to the program(s) via a menu or window (program group). (!) So don't use it. (?) Do the same under Linux and then I have to write down the main program name or remember it (after examining the files to be installed so I can figure out what the actual command is) - sure it will probably be installed in the path, but I'm getting old and the memory is failing. (!) Yep. I know. Tough isn't it? (?) My spare PC is currently running RedHat 5.2 and this afternoon I downloaded Code Crusader et al and therein lies the tale... NOT ccrusader, NOT codecrusader or variations thereof, but "jcc" - no additions to the "start menu" if using Fvwm2 or any other window manager, in fact, no indication that the system had new software except that the disk free space had decreased. Until this type of thing is resolved, then Linux will only gain the support of the lab-coats or the enthusiast. (!) ... and professionally administered sites where a sysadmin or delegate evaluates packages before installing them --- figures out what is going where and deploys them according to their needs. This is a rather boring message. I'm not the Linux complaint department. You can send your suggestions to Red Hat Inc., S.u.S.E., Caldera, and many others. Incidentally, S.u.S.E. does have some scripts that maintain your system default window manager menus when you install new packages. As for the implied suggestion --- I know that some people at Red Hat are working on something like this. However, since there is no central authority over Linux development and there are no "code and interface police" to enforce your notion of "how things should be done" --- there are practical limits to what can be accomplished. For those that care, the usual technique I use when installing RPM's is to list and/or browse the contents of the package before I install it. You can list them with a command like: rpm -qpl ... and you can narrow that do just the docs using: rpm -qpd You can browse through an RPM file interactive using Midnight Commander ('mc'). Just highlight the file using mc's "Norton Commander inspired" interface and hit [Enter]. This will traverse down into the RPM file as though it were a directory tree --- and you can browse through and view the file contents to your heart's content. When you use mc's [F3] key to view a file, it can interpret several types of files. Thus you can view the man pages from inside of an RPM file without installing anything. Since many of the most useful programs available under Linux and other forms of Unix are designed as filters, or intended to be run as services (possibly as dynamically launched 'inetd' based daemons) or cron jobs --- or are otherwise non-interactive --- it often doesn't make sense to add menu options for them. However, I've suggestion to Red Hat and S.u.S.E that RPM maintainers and builders be encouraged to add entries for programs that constitute "user interfaces" (for character mode and/or X Windows --- and for any other interfaces that might arise in the future --- such as Berlin). One of Red Hat's senior people disagreed with the whole notion, though that may be more a deficiency in my presentation than anything. (?) PS. My main PC runs NT server 4.0 sp4 with sql server, iis, etc, etc. I use it for software development using DevStudio (c++) and even though I have to reboot the &^^% thing every time I touch something in its config, I'd rather that than guessing at what I've installed and what the comand line is. (!) Great. More power to you. So, do a Yahoo! search to see if you can find the "complaintguy" somewhere. Let me know if you find him (or her) and I'll bounce mail like this to the appropriate venue. The problem here is that you seem to have confused me with some Linux advocate. I use Linux and I prefer it to other systems that I've used (although FreeBSD is a very close second). I've espoused the opinion, on several occasions in this column, that the selection of any tools (software or otherwise) should be done through a process of requirements analysis. Some requirements can be met with a number of solutions. So, after we've found a basic list of possible solutions that meet the requirements we can narrow down that list by measuring them against our constraints and make final selections (if choices still remain) based on preferences. The time is rapidly approaching when you can run a complete KDE or GNOME system and never see a command line. Developers of KDE, GNOME, and eventually GNUStep applications will be free to integrate their interfaces in the ways that are appropriate to each of those systems. The KDE developers have already shown an amazing predilection for generating KDE interfaces to existing programs. Once nice thing about Linux and Unix is that it's relatively easy to design an application in a client/server model --- and to provide multiple front ends (clients) which each provide unique forms of access to the same application functions. This is just good programming design. Another nice thing is that we can concurrently run programs from many GUI's under the same desktop. Thus I can run a GNOME application under KDE and vice versa. Indeed using VNC and XNest I can run whole X sessions within a window under one of my X sessions. Of course, people who just stick with the front ends will be constrained from access many of those powerful filters and tools that I described earlier. It's unlikely that front ends will be built for all of them. However, most people only use a few applications, anyway. (?) PPS. The main gripe is - USER TOOLS and EASE OF CONFIGURATION. (!) So find someone to gripe to. I'm here to answer questions. (P.S. the various "advocacy" newsgroups are perfect for this sort of message). ____________________________ (?) More on "Complaint Department" From T Elliot on Fri, 25 Dec 1998 (?) Thank you for your comments and suggestions. I appreciate that I have probably wasted your time, but you have answered most of my questions (including to whom to gripe). (!) If I was worried about "wasting my time" I wouldn't have signed up for this. However, one of the few rights I reserve for myself in this column is the right to be a curmudgeon. ____________________________________________________ (?) eql Not Working From Brett on Thu, 24 Dec 1998 (?) I have had absolutely no luck with eql getting my two USR 56k modems working in sync. I can get both of them connected, but only one uses bandwidth... and if I disconnect #1 then #2 takes over the bandwidth job... I am just wondering if I can get this working and somewhere that you could point me to get it working... any reply would be much appreciated... (!) If you read the eql docs carefully I'm pretty sure it points out that you must establish both connections to a server/router/terminal server that supports this mode of operation. Essentially you must be connected to two modems on a single other system running something that is like and compatible with eql. If ISP isn't specifically working with you on this --- then you won't be able to get it working. So call your ISP and explain your needs to them. According to the README.eql file Linux eql driver is compatible with the load balancing (round robin routing) on some Livingston (CommOS?) router/terminal servers. I suggest a careful re-reading of /usr/src/linux/drivers/net/README.eql ... and perhaps a follow up of that FTP link to see if there are any updates are additional notes available on that site. There are a couple of e-mail reports from users appended to this file --- perhaps one of them can help more. I've never used the eql drivers since speed was never my problem with online access --- it's just the latency and dial time delays that used to drive me crazy. ____________________________________________________ (?) Upgrade Kills Name Server From Anonymous on Fri, 25 Dec 1998 (?) I just upgraded"= to Red Hat 5.2 and set up everything as I had it before and now I get the following: fetchmail: POP3 connection to mail.nashville.com failed: temporary name server error Netscape can't recognize mail.nashville.com either. I am having to send this from Windows email. My etc/hosts file looks the same as it did before. What other files do I need to check and/or post? Thanks!! (!) I'm just going to guess that the upgrade renamed some of your files (probably your DNS zone files, possible even your /etc/resolve.conf) to add the 'rpmorig' extension. So, search for rpmorig files and look for the files that were put in place of them. You'll have to manually resolve the differences. (Use the 'diff' program). I've complained to them before about their penchant for moving your files out of the way when they to a upgrades. Their concern is that the old configuration files may be incompatible with the new ones. I've said that the disruption caused by users doing an upgrade when they never realized or tracked which files there changed and "configured" tends to outweigh the chances that a new package upgrade will completely fail when presented with an older format of its own configuration file. One problem to consider is that you old version of Linux may have been running BIND 4.9.x or earlier (I'm guessing that your system is providing it's own DNS services). The new version (5.2) might be installing BIND 8.1.2. These do have incompatible file formats for the base configuration file --- however the name has chagned too. The old one used named.boot. The new version uses /etc/named.conf. There is a utility with the package to convert a named.boot file to named.conf format. Actually the new format is much easier to set up. Anyway it is almost certain that you need to configure your 'named' (BIND). Unix mail doesn't normally refer to your /etc/hosts file since that can't convey information about MX records and preferences. SMTP mail routing is done via MX records --- not by host address (A) records. So it doesn't matter what your /etc/hosts file look like for this. ____________________________________________________ (?) MS Applications Support For Linux From Marty Bluestein on Fri, 25 Dec 1998 (?) Is there a mechanism that enables MS apps to run under Linux? Is anyone working on an autoloader for Linux? (!) There are a few projects. The most prominent is WINE (http://www.winehq.com). The goal of WINE is a complete re-implementation of the Windows API's to achieve full binary compatibility under any x86 Unix with X Windows (Linux is the predominant platform but any other modern x86 Unix should be a reasonable platform for WINE). Another is Bochs (which has recently moved it's web pages to http://www.bochs.com). Bochs is a package which emulates an x86 CPU and PC chipset (similar to Connectix' "Virtual PC"). It runs on any platform that can compile its C sources. I've heard that it works reasonably well but is to slow for production use (for running Win 95 or 98 on a PC). Considering that you're using a PC to emulate a full PC CPU and chipset this is not a surprising limitation. For older MS Windows applications (3.1 and earlier) you might try WABI --- a commercial Windows Applications Binary Interface which is available for Linux from Caldera (http://www.caldera.com). This is not be updated and is unlikely to ever support Windows '95 or later applications. For DOS (non-Windows) you can run a copy of MS-DOS, DR-DOS FreeDOS or just about any other "real mode" x86 OS under the Linux 'dosemu'. (Just search for it in Yahoo! using "+linux +dosemu"). [ Its home page is hosted by SuSE ... http://www.suse.com/dosemu/ ... I use it to run dBase stuff and it works pretty well at this point. -- Heather ] The DOS support is pretty good these days, though I don't use any MS-DOS applications any more so I don't have much first hand experience with it. The WABI support was pretty fast (it felt faster running typical Windows 3.x programs under Linux than it did under native MS-DOS on similar hardware --- probably do to Linux more efficient filesystem and memory management). When thinking about the limitations of Linux support Win '9x and NT applications support (Win 32S) it is helpful to keep in mind that these limitations are almost certainly a key design goal at Microsoft. Although Linux was not on thier "radar" during the design of Windows '95 and NT --- OS/2 certainly was. Enmeshing the interfaces at various levels to make applications difficult or impossible to support under competing operating systems is one of the key strategies that Microsoft employs. The current DoJ case against them is only a tip of the backlash that consumers are now directing to this monopoly. The fact that Linux installation tripled in the last year --- and that many organizations are now considering Linux for their desktop applications platform is ample evidence of that. * (personally I think it's still a bit premature to be touting Linux as typical workers desktop system --- though the introduction of Corel's WordPerfect for Linux, and the release of an updated Wingz Professional for the platform do certainly bode well for the coming year. I've heard that Applixware 4.4.1 is also greatly improved and the next version of StarOffice 5.x should stabilize and mature that suite. Meanwhile GNOME, KDE, LyX, and GNUStep are plodding along towards "prime time" availability). So that fact that there is only limited support for MS apps under Linux is a testimony to the skills of Microsoft's programmers. We can surmise that preventing these applications from running on non-Microsoft operating systems was given higher priority than robustness, security, stability, integrity, or performance. Probably the only features that were given priority over "trap the user" were those that would enable magazine writers, and corporate purchasing agents to "review" the products and feel that they had evaluated them with about 15 minutes to an hour of actual work time exposure. This forces the application programmer to put all sorts of "features" onto menus, button bars, toolbars, icon ribbons, and otherwise clutter the screens and windows. This is an endemic problem in commercial software --- it's written to get reviews and make sales, not to satisfy long term users. Of course an alternative to direct MS Applications support is support for their document formats. However this is another of those key "customer trapping" opportunities. They do everything short of strong (non-exportable) encryption to lock your data into .DOC, .XLS, and .PPT formats. The latest Linux applications suites and word processors are making some headway in this --- and I can often extract contents from Word '97 files without too much fuss. Earlier versions of Word are pretty well supported at this point. You can bet that the next version of Office will egregiously break format compatability. MS can't allow its customers any freedom of choice or portability of documents to "other" platforms. That's much too dangerous to their upgrade revenue scheme. I've talked about MS Windows support and the evils of proprietary document formats before. I personally think that the only rational remedy for Microsoft's monopolistic practices would be for the DoJ to impose a rule that MS produce freely available (open source) "reference implementations" of standards C source code to peform a reasonable suite of conversions and manipulations on all "documents" produces by their applications (including .EXE and .DLL "documents" produced by their programming "applications"). Under this plan any upgrade to any MS product that failed compatibility test suites with there freely available reference implementation (converters, tools and filters) would result in an immediate injunction on distribution until the reference implementation as updated and vetted as compatible. (Note that I didn't say that MS has to release any of the sources to any of their products. Only that they must release some reference implementation that is compatible with the file formats, and freely usable in competing products --- free and commercial. Their contention is that their products enjoy superior market share as a result of superior interface and integration with one another --- this would give them a unique opportunity to prove that). I have no idea what you mean by an "autoloader for Linux." (?) Thanks. Marty Bluestein ____________________________ (?) Automount/autoloader From Marty Bluestein on Fri, 25 Dec 1998 (?) OK. Guess I should have fully read your message before I responded. By the term "autoloader" I mean a self installing function - you stick in the CD and Linux (or some other OS) sets itself up. I wasn't aware that MS was already loading their user's work (.DOC,. XLS, etc.) with gotchas. I wonder if the DoJ is aware of and pursuing this? Marty (!) There are several packages that will automatically mount CD's (and floppies, NFS directories etc) for Linux. This is referred to generically (under Unix) as "volume management" or "automounting" (the latter term is more often used with regards to network file systems while the former is exclusively used for local media). Under Solaris there is a daemon called 'vold' that manages CD's. Under Linux you can use the 'amd' (automount daemon) or an old program called "Supermount" (Stephen Tweedie, if I recall correctly). Under newer Linux kernels you can look for a module called "autofs". I haven't played with these much so I can't give real advice on using them. However, you now have some key words to search on. If you get one of them working in a way that seems like it would meet a typical requirements scenario --- write it up as a mini-HOWTO and solicit people to contribute sample configurations and descripts for other common usage scenarios (or at least write up an "unmaintained" mini-HOWTO and encourage the readers to adopt and maintain it. ____________________________ (?) More on: MS Apps Support From Marty Bluestein on Fri, 25 Dec 1998 (?) Although my ire against Gates, et al would like to see a good platform running his apps that will probably be a moving target. Better, I think, to develop a good set of apps that can work on the docs that MS apps produce. MSs response would have to be to encumber a user's work with junk to make it incompatible with any other apps. The result of that could very well be disaster for MS. Could you imagine having your work suddenly become incomprehensible because of the cute little things your app put in it? Marty (!) I don't have to imagine this scenario. I've seen it happen many times. ____________________________ (?) MS Applications Support For Linux From Marty Bluestein on Fri, 25 Dec 1998 You are right on. My appreciation of MS coincides with yours. I wish I had the time and the money to pursue that emulation of 95 and NT. Even better would be a good, competitive set of apps. Corel's latest release for Linux may indicate some movement in that direction. TNX for your response. Happy Xmas. Marty Bluestein ____________________________ (?) More on: MS Apps Support From Marty Bluestein on Sat, 26 Dec 1998 (?) I've just installed Redhat. It is "auto loading". I now have a problem which Redhat and I must resolve. I'll write it up and post it when it's corrected. To whit.. WIN95 now crawls along as if it had a bigger bag of sand on it's back. Re MS: I'd rather see MS broken up into two separate companies. One doing APPS and the other doing OS. TNX for responses. HAPPY XMAS, MERRY CHANUKAH, SWINGING KWANZA and JOYFUL RAMADAN. (!) I can't help with the Win '95 problem. It's probably confused about WINS (Windows Naming System) or some other networking issue. Re: Breaking up MS. Historically this has done NO GOOD with other monopolies. Go read a decent historical account and business analysis on JP Morgan (and wash that down with some Noam Chomsky). I'd recommend a book for you --- but I'd have to refer to my father to find one. My knowlege is definitely second-hand on this --- but I've discussed it with a couple people whose background in the fields of finance and history I respect. Breaking them up is a fundamentally flawed approach. The controlling interests -- the OWNERS will still be the same. The resulting companies would clearly have mutual interests, complementary product lines, and interlocking boards of directors. Unfortunately this approach would "appease" the masses and actually work in Bill G's favor (as it did with JP Morgan). It will allow the DoJ to appear competent and be touted as a "tough on (corporate) crime" victory. So, it's the most likely outcome. It's also just about the worst way to deal with the problem. (It's even worse than sitting back and doing nothing) since it sets another bad precedent. ____________________________________________________ (?) Linux as a Home Internet Gateway and Server From Nilesh M. on Thu, 24 Dec 1998 (?) Hi, I just have some questions about setting up linux to run as a server for my home computer and to share an internet connection and also to setup as a server for the internet. (!) O.K. That is three different roles: 1. Network Server (which services) 2. Internet Gateway (proxy and/or masquerading) 3. Internet Host/Server (which services) It is possible for Linux to concurrently handle all three roles --- though having all of your "eggs in one basket" may be not be a good idea with regards to security and risk assessment. Traditionally your concerns would also have encompassed the capacity planning --- but a typical modern PC with 200+ Pentium processor, 32Mb to 256Mb of RAM and 4Gb to 12Gb if disk space has quite a bit of capacity compared to the Unix hosts of even 5 to 10 years ago. (?) Do you know if I can setup a linux box with one 10mbs ethernet for a modem and a 100mbs ethernet for a network in my house? Where do I start and how would I do it. (!) I presume you're referring to a 10Mbps ethernet for a cable modem, ISDN router (like the Trancell/WebRamp, or the Ascend Pipeline series), or a DSL router. These usually provide 10Mbps interfaces and act as routers to the cable, ISDN or xDSL services to which you're subscribed. It's certainly possible for you to install two or three ethernet cards into a Linux system. Any decent modern 100Mbps ethernet card will also automatically handle 10Mbps if you plug them into such a LAN. So you'd just put two of these cards into your system, plug one into your router and the other into your highspeed hub. You often have to add the following line to your /etc/lilo.conf to get kernel to recognize the second ethernet card: append="ether=0,0,eth1" ... the 0,0, is a hint to autoprobe for the IRQ and I/O base address for this driver. Alternatively you might have to specify the particulars for your cards with a line like: append="ether=10,0x300,eth0 ether=11,0x280,eth1" ... instead. This line must be present in each of the Linux "stanzas" (groups of lines which refer to different Linux kernels with their corresponding root filesystem pointers and other settings). Of course you must run the /sbin/lilo command to read any changes in your /etc/lilo.conf file and "compile" them into a new set of boot blocks and maps. If you have a normal modem connected to the system --- it's possible to use that as well. You can use PPP (the pppd program) to establish Internet connection over normal phone lines. There are also internal ISDN, T1 "FRADs" (frame relay access devices) and CSU/DSU (or Codecs --- coder decoder units) that can be installed into your PC and controlled by Linux drivers. I've seen references to the ipppd to control some sorts of internal ISDN cards. I think most of the others have drivers that make them 'look like' a modem or ethernet driver to Linux. (?) I just want to buy two 100mbs ethernet cards to hook up to each other... so I don't think I'd need a hub do I? I only want two computers hooked up to this makeshift network. (!) You either need a hub, or you need a "crossover" ethernet patch cord. A normal cat 5 ethernet patch cord isn't wired correctly to directly connect two ethernet cards. (?) Any help would be appreciated, especially something like a link to a document which would give me a step by step setup. (!) I don't have such a link. As you may have realized there are a couple of hundred HOWTO documents on Linux and many of them relate to configuring various services. Let's go back to our list of different roles: Network Server (which services) Internet Gateway (proxy and/or masquerading) Internet Host/Server (which services) Starting at the top. You have a small network that is not normally connected to the Internet (there isn't a permanent dedicated Internet connection). So, you probably want to use "private net" addresses for your own systems. These are IP addresses that are reserved --- they'll never be issued to any host on the Internet (so you won't create any localized routing ambiguities by using them on your systems). There are three sets of these number: 192.168.*.* 255 Class C nets 172.16.*.* through 172.31.*.* 15 Class B nets 10.*.*.* 1 Class A net ... I use 192.168.42.* for my systems at home. ... These addresses can also be used behind firewalls and Internet gateways. The classic difference between a router and a gateways is that a router just routes package between networks (operating at the "transport" layer of the ISO OSI reference model) while a gateway does translation between protocols (operating at the applications or other upper layers of the reference model). In the case of Linux we can configure our one Linux system to act as local server and as an Internet gateway. Our gateway can operate through "proxying" (using SOCKS or other applications layer utilities to relay connections between our private network and the rest of the world), or through IP masquerading (using network address translation code built into the kernel to rewrite packets as they are forwarded --- sort of a network layer transparent proxying method). However, we're getting ahead of ourselves. First we need to setup our Linux LAN server. So we install Linux and configure its internal ethernet card with an IP address like 192.168.5.1. This should have a route that points to our internal network, something like: route add -net 192.168.5.0 eth0 ... to tell the kernel that all of the 192.168.5.* hosts will be on the eth0 segment. Now, what services do you want to make accessible to your other systems. By default a Linux installation makes a common set of services (telnet, NFS, FTP, rsh, rlogin, sendmail/SMTP, web, samba/SMB, POP and IMAP etc) available to any system which can reach you. Most of these are accessible via the "internet service dispatcher" called 'inetd'. The list of these services is in the /etc/inetd.conf file. Some other services, such as mail transport and relaying (sendmail), and web (Apache httpd) are started in "standalone" mode -- that is they are started by /etc/rc.d/*/S* scripts. NFS is a special service which involves several different daemons --- the portmapper and mountd in particular. That's because NFS is an "RPC" based service. The fact that any system that can route packets to you can request any service your system offers, and the fact that most Unix and Linux systems offer a full suite of services "right out of the box" has classically been a major security problem. Any bug in any service's daemon could result in a full system compromise which could be exploited from anywhere in the world. This is what led to the creation of TCP Wrappers (which is installed in all major Linux distribution by default --- but is configured to be completely permissive by default). It is also why we have "firewalls" and "packet filters." It's tempting to think that you'll be too obscure for anyone to break into. However, these days there are many crackers and 'script kiddies' who spend an inordinate amount of time "portscanning" --- looking for systems that are vulnerable --- taking them over and using them for further portscanning sniffing, password cracking, spamming, warez distribution and other activities. I recently had a DSL line installed. So, I'm now connected to the Internet full time. I've had it in for less than a month and there are no DNS records that point to my IP addresses yet. I've already had at least three scans for a common set IMAP bugs and one for a 'mountd' bug. So, I can guarantee you that you aren't too obscure to worry about. You are also at risk when you use dial-up PPP over ISDN or POTS (plain old telephone service) lines. The probabilities are still reasonably on your side when you do this. However, it's worth configuring your system to prevent these problems. So, you'll want to edit two files as follows: /etc/hosts.allow ALL:LOCAL /etc/hosts.deny ALL:ALL ... that's the absolute minimum you should consider. This configuration means that the tcpd program (TCP Wrappers) will allow access to "local" systems (those with no "dots" in their host names, relative to your domain), and will deny access to all services by all other parties. For this to work properly you'll have to make sure that all of your local hosts are given proper entries in your /etc/hosts file and/or that you've properly set up your own DNS servers with forward and reverse zones. You'll also want to make sure that your /etc/host.conf (libc5) and/or /etc/nsswitch.conf (glibc2, aka libc6) are configured to give precedence to your hosts files. My host.conf file looks like: # /etc/host.conf order hosts bind multi on and my /etc/nsswitch.conf looks like: passwd: db files nis shadow: db files nis group: db files nis hosts: files dns networks: files dns services: db files protocols: db files rpc: db files ethers: db files netmasks: files netgroup: files bootparams: files automount: files aliases: files glibc2 has hooks to allow extensible lookup for each of these features through modular service libraries. Thus we'll soon be seeing options to put 'LDAP' in this services switch file --- so that hosts, user and group info, etc could be served by an nss_ldap module which would talk to some LDAP server. We could see some user and group information served by "Hesiod" records (over DNS or secure DNS protocols) using some sort of nss_hesiod module. We might even see NDS (Novell/Netware directory services) served via an nss_nds module. But I'm straying from the point. Once you've done this, you should be able to provide normal services to your LAN. Precisely how you set up your client system depends on what OS they run and which services you want to access. For example. If you want to share files over NFS with your Linux or other Unix clients, you'd edit the /etc/exports file on your Linux server to specify which directory trees should be accessible to which client systems. Here's an exports file from one of my systems: # / *.starshine.org(ro,insecure,no_root_squash) # / 192.168.5.*(ro,insecure,no_root_squash) /etc/ (noaccess) /root/ (noaccess) /mnt/cdrom 192.168.5.*(insecure,ro,no_root_squash) ... note I've marked two directories as "noaccess" which I use when I'm exporting my root directory to my LAN. I do this to prevent any system in the rest of my network from being able to read my configuration and passwd/shadow files. I only export my root directory in read-only mode, and I only do that occasionally and temporarily (which is why these or commented out at the moment). My CDROM I leave available since I'm just not worried about anyone in the house reading data off of any CD's I have around. Keep in mind that NFS stands for "no flippin' security" --- anyone in control of any system on your network can pose as any non root user and access any NFS share "as" that user (so far as all filesystem security permissions are concerned. NFS was designed for a time when sites only had a few host systems and all of those were connected and tightly controlled in locked rooms. NFS was never intended for use in modern environments where people can carry a Linux, FreeBSD, or even Solaris x86 system into your office under one arm (installed on a laptop) and connect it to the nearest ethernet jack (now scattered throughout every corner of modern offices --- I've seen them in the reception areas of some sites). To do filesharing for your Windows boxes you'd configure Samba by editing /etc/smb.conf. To act as a fileserver for your MacOS systems you'd install and configure 'netatalk'. To emulate a Netware fileserver you'd install Mars_nwe, and/or buy a copy of the Netware Server for Linux from Caldera (http://www.caldera.com). There are ways to configure your system as a printer server for any of these constituencies as well. Beyond file and print services we move to the "commodity internet services" like FTP, telnet, and HTTP (WWW). There's generally no special configuration necessary for these (if you've installed any of the general purpose Linux distributions). If you create an FTP account in your /etc/passwd file then anonymous FTP will be allowed to access a limited subdirectory of files. If you rename this account to "noftp" or to "ftpx" or to anything other than "ftp" and/or if you remove the account entirely than you system will not allow anonymous FTP at all. If you allow anonymous FTP you can simply put any file that you want made public into the ~ftp/pub directory --- and make sure that they are readable. By default the FTP services are run through tcpd so they will respect your hosts.allow/hosts.deny settings. If you're going to set up a "real" FTP site for public mirroring or professional "extranet" applications you'd want to use ncftpd, proftpd, or beroftpd instead of the now aging WU-ftpd or the old BSD FTP daemon (in.ftpd). These alternative FTP daemons have their own configuration files and can support virtual hosting and other features. In some of them you can create "virtual users --- accounts that are only valid for FTP access to specific FTP subtrees and/or virtually hosted services --- accounts that can be used to access any other service on the system. Web services are controlled with their own configuration files. There are a couple of whole books just on the configuration of Apache servers. By default they let anyone view any web pages that you put into the 'magic' directories (/home/httpd/docs or something like that). It's possible to limit access to specific directories according the the IP addresses (or reverse DNS names) of the clients. As with TCP Wrappers this should not be considered to be a form "authentication" --- but it can be used to distinguish between "local" and "non-local" systems IF YOU HAVE ANTI-SPOOFING PACKET FILTERS in place (a part of any good firewall). telnet, rlogin, rsh, and other forms of interactive shell access are generally pretty easy to setup. Like many Unix/Linux services it is harder to disable or to limit access to these services than it is to allow it. Under Red Hat Linux access to these and other "authenticating" services can be controlled by editing PAM configuration files under /etc/pam.d/ So, the short answer to the question "How do I set up Linux as a server?" is you install it, setup its address and routing, then you install and configure the services that you want to provide. Now, when we we want to use Linux as a gateway to the Internet (or any other network --- to connect you home network to your office or to a friend's network) you first resolve the addressing and routing issues (set up your second interface and add the appropriate routes). Then you use IP masquerading or proxy services (SOCKS) to allow your systems (using the non-routable "private net" addresses) to access services on the Internet. To use IP masquerading with the old ipfwadm code (as present in the standard 2.0.x kernels you just issue a command like: ipfwadm -F -a accept -m -D 0.0.0.0/0 -S 192.168.5.0/24 ... which adds (-a) a rule to the forwarding (-F) table to "accept" for "masquerading" (-m) any packets that are "destined for" (-D) anywhere (0.0.0.0/0) and are from source IP addresses (-S) that match the pattern 192.168.5.0/24 (an address mask that specifies the first 24 bits, or three octets as the "network portion" of the address --- and therefore covers that whole class C network). You should definitely use a modular kernel and almost certainly should have 'kerneld' loaded when you use this masquerading technique. That's because there are several common protocols (especially FTP) which require special handling for masquerading (in the case of FTP there's a data connection that comes back from the server to the client, while the data connection when in the usual direction from the client to the server. For this reason I actually prefer applications proxying. To use that you go to the "contrib" directory at any Red Hat site and download the SOCKS server and client packages. You install the server on your Linux gateway then you install the clients on any of your Linux clients. On the SOCKS gateway you create a file: /etc/socks5.conf with something like this for its contents: route 192.168.5. - eth0 permit - - - - - - ... there are many options that you can use to limit access to the socks gateway --- but this is the simplest working example. On the Linux clients you create a file named /etc/libsocks5.conf with an entry in it that looks something like: socks5 - - - - 192.168.5.2 noproxy - 192.168.5. - ... where the ".2" address is the one on which I was running this SOCKS server. For the non Linux clients you have various different configuration methods. Most Windows TCP/IP utility suites (other than Microsoft's) support SOCKS proxies. There are replacement WINSOCK.DLL's that support this proxying protocol transparently for most/all other Windows services. The MacOS applications also seem to support SOCKS pretty widely. There are a few alternatives to NEC's SOCKS servers. I've found "DeleGate" to be a pretty good one (search for it on Freshmeat). DeleGate as the advantage that you can use it as a "manually traversed" proxy as well as a "SOCKS" compatible one. The SOCKS proxying protocol allows the client software to communicate with the proxy server to relay information about the request to it, so that it can, in turn, relay that to a process that runs on the external servers. This is called "traversal." Non-SOCKS proxies have to have some other traversal mechanism. Many of them are "manually traversed" --- I telnet or ftp to the TIS FWTK proxies (for example) and I log in as "myname@myrealtarget.org." --- in other words I encode additional account and destination information into the prompts where I'd normally just put my account name. DeleGate allows you do use this manual traversal mechanism when you are stuck with a non-SOCKSified client. I've also seen reference to another SOCKS server package called "Dante" --- that's also listed at Freshmeat (http://www.freshmeat.net). There are also a few other types of proxies for special services. For example the Apache web server, and the CERN web server and a few others can be used as "caching web proxies." Squid can proxy and cache for web and FTP. Some services, such as mail and DNS are inherently "proxy" capable by design. I can't adequately cover DNS or e-mail services in this message. There are full-sized books on each of these. So that's the very basics of using Linux as a gateway between a private LAN and the Internet. If you get a set of "real" IP addresses, and you insist on using these to allow "DRIP" (directly routed IP) into your LAN you don't have to do any of this IP masquerading or proxying --- but you should do some packet filtering to protect your client systems and servers. Good packet filtering is difficult. I alluded to one of the problem when I pointed out that FTP involves two different connections --- an outgoing control connection and an incoming data connection. There's also a "PASV" or "passive" mode which can help with that --- but it still involves two connections. This wreaks havoc with simple packet filtering plans since we can't just blindly deny "incoming" connection requests (based on the states of the "SYN" and "ACK" flags in the TCP packet headers. One of the "advantages" (or complications) of "stateful inspection" is that it tracks these constituent connections (and the TCP sequencing of all connections) to ensure consistency. A decent set of packet filters will involve much more code than the set of proxying and masquerading examples I've shown here. I personally don't like DRIP configurations. I think they represent too much risk for typical home and small business networks. However, here's a sample # Flush the packet filtering tables /root/bin/flushfw # Set default policy to deny /sbin/ipfwadm -I -p deny /sbin/ipfwadm -F -p deny /sbin/ipfwadm -O -p deny # Some anti-martian rules -- and log them ## eth1 is outside interface /sbin/ipfwadm -I -o -W eth1 -a deny -S 192.168.0.0/16 /sbin/ipfwadm -I -o -W eth1 -a deny -S 172.16.0.0/12 /sbin/ipfwadm -I -o -W eth1 -a deny -S 10.0.0.0/8 /sbin/ipfwadm -I -o -W eth1 -a deny -S 127.0.0.0/8 # Some anti-leakage rules -- with logging ## eth1 is outside interface /sbin/ipfwadm -O -o -W eth1 -a deny -S 192.168.0.0/16 /sbin/ipfwadm -O -o -W eth1 -a deny -S 172.16.0.0/12 /sbin/ipfwadm -O -o -W eth1 -a deny -S 10.0.0.0/8 /sbin/ipfwadm -O -o -W eth1 -a deny -S 127.0.0.0/8 ## these are taken from RFC1918 --- plus ## the 127.* which is reserved for loopback interfaces # An anti-spoofing rule -- with logging /sbin/ipfwadm -I -o -W eth1 -a deny -S 222.250.185.16/28 # No talking to our fw machine directly ## (all packets are destined for forwarding to elsewhere) /sbin/ipfwadm -I -o -a deny -D 222.250.185.14/32 /sbin/ipfwadm -I -o -a deny -D 222.250.185.30/32 # An anti-broadcast Rules ## (block broadcasts) /sbin/ipfwadm -F -o -a deny -D 222.250.185.15/32 /sbin/ipfwadm -F -o -a deny -D 222.250.185.31/32 # Allow DNS ## only from the servers listed in my caching server's ## /etc/resolv.conf /sbin/ipfwadm -F -a acc -D 222.250.185.18/32 -P udp -S 192.155.183.72/32 /sbin/ipfwadm -F -a acc -D 222.250.185.18/32 -P udp -S 192.174.82.4/32 /sbin/ipfwadm -F -a acc -D 222.250.185.18/32 -P udp -S 192.174.82.12/32 # anti-reserved ports rules ## block incoming access to all services /sbin/ipfwadm -F -o -a deny -D 222.250.185.16/28 1:1026 -P tcp /sbin/ipfwadm -F -o -a deny -D 222.250.185.16/28 1:1026 -P udp # Diode ## (block incoming SYN/-ACK connection requests) ## breaks FTP /sbin/ipfwadm -F -o -a deny -D 222.250.185.16/28 -y ## /sbin/ipfwadm -F -o -i acc \ ## -S 0.0.0.0/0 20 -D 222.250.185.16/28 1026:65535 -y ## simplistic FTP allow grr! # Allow client side access: ## (allow packets that are part of existing connections) /sbin/ipfwadm -F -o -a acc -D 222.250.185.16/28 -k There are bugs in that filter set. Reading the comments you'll see where I know of a rule that handles most FTP --- but opens risks any services that run on ports above 1024 --- like X windows (6000+) etc. This would simply require the attacker to have control of their system (be root on their own Linux or other Unix system --- not too tough) and for them to create package that appeared to come from their TCP port 20 (the ftp data port). That's also trivial for anyone with a copy of 'spak' (send packet). So, I have this rule commented out and I don't show a set of rules to allow localhost systems to connect to a proxy FTP system. Note that these addresses are bogus. They don't point to anything that I know of. The only parts of this set of filters that I feel confident about are the parts where I deny access for incoming spoofed packets (the ones that claim to be from my own addresses or from non-routable or "martian" addresses like localhost). I also have rules to prevent my system from "leaking" any stray private net and/or martian packets out into the Internet. This is a courtesy --- and it has the practical benefit that I'm much less likely to "leak" any confidential data that I'm sharing between "private net" system on my LAN --- even if I screw up my routing tables and try to send them out. I've read a bit about ipfil (Darren Reed's IP Filtering package --- which is the de facto standard on FreeBSD and other BSD systems and which can be compiled and run on Linux. This seems to offer some "stateful" features that might allow one to more safely allow non-passive FTP. However, I don't know the details. The 2.2 kernels will include revamped kernel packet filtering which will be controlled by the 'ipchains' command. This is also available as a set of unofficial patches to the 2.0 series of kernels. This doesn't seem to offer any "stateful inspection" features but it does have a number of enhancents over the existing ifpwadm controlled tables. Your last question was about configuring Linux as an Internet server (presumably for public web pages, FTP or other common Internet services. As you might have gathered by now; that is the same as providing these service to your own LAN. Under Linux (and other forms of Unix) any service default to world-wide availability (which is why we have firewalls). I've spent some time describing how Linux and other Unix systems need to be specially configured in order to limit access to services to specific networks. Otherwise someone in Brazil can as easily print document on your printer as you. To be an Internet server all you have to do is have a static IP address (or regularly update your address record at http://www.ml.org). Once people know how to route requests to your server --- assuming you haven't taken steps to block those requests --- Linux will serve them. Most of the challenges in setting up networks relate to addressing, routing, naming and security. Most of us still use "static" routing for our own networks --- just manually assigning IP addresses when we first deploy our new systems. Most of us with dial-in PPP get dynamic IP addresses from our ISP's. Some sites now use DHCP to provide dynamic addresses to desktop systems (servers still need consistent addresses --- and using DHCP for those just introduced additional opportunities for failure). For routing, subnetting, and LAN segmentation issues --- read my posting on routing from last month (I think Heather is publishing it this month). That's about 30 pages long! (The one thing I glossed over in that was "proxyarp" on ethernet. It's covered in another message this month so glance at it if you'd like to learn more.) I hope I've imparted some hint on the importance of considering your systems security. Even if you have nothing of value on your systems --- if the thought of some cracker vandalizing your files for kicks is of no concern to you --- it is irresponsible to connect a poorly secured system to the Internet (since your compromised system may be used to harass other networks). (?) I would like to write a faq about this after I'm done... hopefully I can help other after a bit of exprimenting myself. (!) While the offer is appreciated --- it would be more of a book than an FAQ. However, I would like to see some "Case Studies" --- descriptions of typical SOHO (small office, home office), departmental, and enterprise Linux (and heterogenous) installations. These would include network maps, "sanitized" examples of the addresses, routing tables and configuration files for all services that are deployed in the network, on all of the clients and servers present. Company, domain and other names, and IP addresses would be "anonymized" to discourage any abuse and minimize any risk represented by exposure. (E-mail addresses of the contributors could be "blind" aliased through my domain or hotmail, or whatever). The important thing here is to define the precise mixture of services that you intend to provide and the list of users and groups to which you intend to provide them. This is a process that I've harped on before -- requirements analysis. You need to know who you are serving and what services they need. (?) Thanks Nilesh. ____________________________________________________ (?) Persistent Boot Sector From Hummingbird Designs on Thu, 24 Dec 1998 (?) Hi, I installed Linux on my PC at work and had everything working with System commander, I have to use NT for some apps we use at work. anyway, I was trying to get the nic card working so I tried using the setup tool to install the kernel from the Cdrom that is used to install linux off a network. Now everytime I turn on the machine it gives me the screen as if I had installed a bootdsk like when you first install Linux. I have done EVERYTHING I know of to get that out of there . . .I used a zerofill utility that goes over each and every sector of every track and fills it with 0's including the MBR. and that damn message still comes up everytime I boot. . . I was thinking of removing my Hard drive and seeing if it flashed my BIOS or something cause according to Quantum9its a quantum drive) their utility is almost like a low level format. (!) "the setup tool..." (what setup tool?) "the screen as if I had installed a bootdsk[sic]" (what screen?) "EVERYTHING" (what is "everything?"). "zerofill utility" (what utility?) "that damn message" (what damn message?). You do seem to be a bit sketchy on the specifics so I'll have to guess. You had (some distribution of) Linux installed on your system in a dual boot configuration with NT. You were using System Commander as your primary boot manager. Presumably you installed LILO (the Linux loader) into the "logical boot record" (the "superblock") of one of your Linux filesystems (presumably the root fs). While trying to configure or troubleshoot some problem with a network card (NIC) you used some sort of "setup" utility which somehow configured your system to bypass System Commander's boot record (presumably by overwriting it with a copy of LILO). You've tried some ways to restore your System Commander installation, and/or to build a new MBR, and those have been unsuccessful. O.K. Given that guess work I have a hypothesis. You may have run something like 'FDISK /MBR' from your NT boot disk. This may have enabled the active partition in your MBR. The DOS MBR code would load the logical boot record of the active partition. If your Linux partition (with its copy of LILO in the superblock" ) just happened to be the active partition at the time --- you might see that copy of LILO (one of two that had been installed on your disk, one on the MBR and the other in the LBR/superblock) as the first screen on boot up. (I'm not sure this scenario accounts for all of your symptoms since this is all based on guesswork). I have no idea what your "zero fill" utility is doing --- but it almost certainly is not zero'ing out track zero of your hard drive (including the MBR). That would render the system unbootable and would destroy the primary copy of your partition table (the last 50 bytes or so of the MBR). The Linux/Unix command to do this is very simple: dd if=/dev/zero of=/dev/hda bs=512 count=63 ... where /dev/hda is the first IDE drive, 512 is the bytes per sector and count is the number of sectors in a typical track. DON'T DO THIS! (If you insist on doing this, first double check which device you want to use, the first IDE is /dev/hda and the first SCSI is /dev/sda, then check the number of sectors per track --- which should be listed in your CMOS setup for an IDE drive and would be listed in your vendor documentation and possibly by your SCSI adapter diagnostics firmware). You could save a copy of your MBR and partition table using dd with a command like: dd if=/dev/hda bs=512 count=1 of=/root/mbr.bin ... which you can use in scripts to compare and replace your MBR in future mishaps. It's possible that System Commander's boot loader is still in the MBR --- but that it's been configured to skip it's opening menu/selection prompting and boot directly off of your Linux partition. Of course it's also possible that Linux as completely taken over your system; that's it's run amok and overwritten every partition and drive on the system. In my experience that would only happen if you (or someone) told it do do this. I've never seen Linux touch any part of a hard drive unless it was "told" to do so. (Unlike MS-DOS, OS/2, and Windows which periodically trash the MBR when they hang --- apparently scribbling register or random memory contents over track zero, sector zero when those zero's just happen to be in the the register during the dying spasms of those systems). There is virtually no chance that Linux touched your flash BIOS --- so this is not a bug in your firmware. I'd say that this "zerofill" utility is highly suspect. Obviously Linux users just use the 'dd' command for this sort of thing. As for how to fix you problem. You could try re-installing System Commander. I've never used it --- but it seems that it can find most types of partitions during installation --- so it should be able to find your NT and Linux filesystems and install a new copy of it's boot loader code to start either of these systems. I've never used System Commander --- but it is commercial software --- so it SHOULD come with some technical support. Perhaps they can walk you through the re-installation. Keep in mind that LILO can still be installed on your MBR, your superblock, or both, so it might still show up after you have System Commander or NT's boot manager installed. It should then only come up after you've selected an option from your primary boot loader. This can be a bit confusing --- so you can reconfigure lilo to bypass any prompts or delays when you're calling it in this fashion. Keep in mind that you can also find, download, and install LOADLIN.EXE into a DOS directory somewhere on your system. You can use that instead of LILO (it's a DOS program that loads linux kernels). I've heard a rumor that there is an NT native console application (an NT .EXE that you'd run under a CMD.EXE shell) to load Linux. I've never seen it. If you end up having to re-install Linux and NT (probably unnecessary --- but it might be the easiest way) you can configure Linux to boot from floppy and never touch the boot records on your hard disk. It's also possible to configure Linux to use some other hard disk on your system --- and not have it touch your primary drive at all. Read through back issues of this column and go through the various multi-boot HOWTO's and mini-HOWTO's at the LDP site (http://metalab.unc.edu/LDP) and it's mirrors. There are many options. (?) C's from home and a nic card I know to install linux over the network and see if that gets rif of it. (!) I don't get this at all. How would you expect installing Linux (over a network or otherwise) to get rid of a Linux boot loader. (?) any help would be appreciated Brian Korsund ____________________________________________________ (?) Secondary MX Records: How and Why From Craig Capodilupo on Thu, 24 Dec 1998 (?) Some domains have multiple MX records. Sometimes the MX record of lower preference, say 20, is an off-site domain. Does this off-site server have to be configured to hold mail until the primary exchanger is back online? I am going to use my UNIX server as a secondary mail exchanger but I am not sure if it has to be configured. (!) In the good old days there was no special tricks to providing secondary MX for your friends. They would just add you mail server to their DNS records, listing you as a "less preferred" mail exchanger (an MX record with a higher value than any of yours). Mail would be relayed automatically. This was in the days of "promiscuous mail relaying" --- it was easier to just let anyone relay mail though anyone else. However, just as venereal disease contributed to the demise of the "free love" promiscuity of the '60's --- the blight of spam as spelled the end of open e-mail relaying in our decade. The problem was that spammers would dump their e-mail on any open relay --- one piece of mail that might be addressed to thousands of happless recipients (and with the return addresses forged on top of that). When you install 'sendmail' version 8.9.x and later the open relay to which early versions defaulted are now closed. You'll have to create a relay map (default location in /etc/mail/relay-domains) to enable relaying for your sites). There are some questions that relate to this in the 'sendmail' FAQ at: http://www.sendmail.org/faq/section3.html#3.27 ... although you could disable this feature and allow promiscuous relaying --- I'd not suggest this. You'd eventually get hit by a spammer and then you'll probably end up on Paul Vixie's "Real-time blackhole list" (the RPL) or on "DorkSlayer's" ORBS (open relay blocking system). There are many sites these days that subscribe to these free DNS lookup services in their "check_relay" macros --- and deny any mail access whatsoever from any site listed on one or either of these. However, that should be all there is to it. Normally your mail would just get tossed into the queue at your MX secondary's site where it will languish until your site is back up (or less busy, or whatever). In other words whatever connectivity problem the original sender's site had in getting to your primary MX host will probably go away within a few hours --- and your secondary MX will relay your mail during its normal queue runs. The orginal sender will get delay notifications (4 hours, 4 days, etc) according to the settings in your secondary's configuration files. Some people use these features in their firewall configuration --- they place a higher MX host outside their main network (on the exposed network segment) --- and all outside mail has to hit it first (since they can never connect to the preferred hosts inside due to the packet filters). The packet filters then allow that exposed host (and only that exposed host) to transfer files into the domain. Thus the potential attacker can't attempt to directly exploit bugs in the internal SMTP daemon (especially if the "exposed" host is behind an anti-spoofing screen, and has "source routing" disabled, which all Linux systems default to). A more elegant approach is to use "split DNS" --- so that the external/exposed MX host appears (to the outside world) to be the preferred mail destination while the real preferred system (to your internal systems, and to your exposed host itself) is sequestered on your internal network using non-routable "private net" addresses. The advantage to this is that your potential attackers don't have any information about your internal structure --- and they can't route packets to your internal hosts at all (those don't have "real" IP addresses). Thus the outside attacker has to resort to high wizardry to get packets to your hosts, before any exploits can even be attempted. (I should note that any attacks that can be carried through the mail contents will still get delivered to you. The bugs this protects you from are those in the TCP connection handling of the daemons --- not in the parsing of headers and message contents). I've heard of some sites that maintain separate queues for their relay neighbors. I don't know exactly how that works --- but its similar to the way that ISP's maintain queues for their SMTP customers. Basically they create a rule (probably an entry in their mailertable) that calls the relay mailer with an extra parameter. Thus all the queue items end up in special, separate directories. Then the SMTP ETRN command can be used (by customers) to force a queue delivery (something like: 'sendmail -q -O QueueDirectory=/var/spool/mqueue.customerX') when the customer's connection comes up. Then there are sites that deliver all mail to a given site into a single mail spool (mbox) file. Hopefully they are adding the "X-envelope-To:" headers as they do this. Then their clients use 'fetchmail' to grab these messages, split them back out and dispatch them according to the delivery policies at the disconnected site. Personally I still prefer UUCP for handling mail to disconnected sites. However, it is getting increasingly difficult for new users to find people who understand UUCP. (Oddly one study showed that the use of UUCP hasn't decreased at all -- it's grown at a slow, steady couple of percent all along. However, compared to the explosive growth of the Internet it as seemed, by comparison to completely disappeared. I think UUCP is still a very good option for emerging countries and for anyone that isn't maintaining dedicated connections to the Internet --- though I'd say that a bit of work should be done on simple configuration tools and examples. It's easy enough to use UUCP as a transport for DNS/Internet "domain" style addresses. So we don't need to ever return to the bad old days of "bang paths"). (?) TIA, Craig ____________________________________________________ (?) 'lpd' Bug: "restricted service" option; Hangs Printer Daemon From Michael Martinez on Thu, 24 Dec 1998 (?) The lpd that RedHat linux supplies has a problem. If you send it a print job across the network, and you do not have an account on the print serve, lpd forks a child, creates an entry for you in the queue, then hangs because it can't find your user id. Do you know a remedy for this? Michael Martinez System Administrator, C.S. Dept, New Mexico Tech (!) I think I read about this in the security mailing lists recently. It seems to be related to the "restricted service" (rs) option in your /etc/printcap. One option would be to remove the rs option from the printcap and use packet filtering and hosts_access (TCP_Wrappers) to restrict access to your print server(s). Then look for updates to the packqage itself. The first thing to do is to report this to Red Hat Inc. after checking their web site and for any updates to this package. First find the package name using rpm -q /usr/sbin/lpd. This will tell you which RPM package included the lpd command. Then connect to ftp://updates.redhat.com (or one of its mirror sites). I don't see one there yet. If you aren't already using the most current Red Hat version (5.2 at this point) then check for that package in the RPMS directory for the latest. Red Hat Inc normally embeds the version in the package and file names. My S.u.S.E. system (which uses RPM format but uses a different suite of RPM files) reports lprold-3.0.1-14 as the package name that owns '/bin/sbin/lpd' --- so I'd look for a S.u.S.E. RPM that was later than that. Failing that look for a Debian package (an update) and try using "alien" to convert that into an RPM. Look up the Debian maintainer for that package at the http://www.debian.org web site. If that doesn't work, look for a canonical "home" site for the package (lpr/lpd is a classic BSD subsystem --- so looking at the FreeBSD NetBSD and/or OpenBSD sites for a later version of the "tarball" (sources in .tar format) might work. Look in the man pages and run 'strings' on the lpd binary --- and look through other docs (use rpm -ql for a list of all files in that package) to see if an author or maintainer for the base package is listed. Then you can look at that maintainer's web site or FTP server, and/or possibly e-mail them. (The BSD sites are http://www.freebsd.org, http://www.netbsd.org, http://www.openbsd.org, in case you needed them.) If you have a competent programmer on hand (I'm am not a competent programmer) you could have them look through the sources and apply a fix. Then you'd e-mail the diffs to your patches to the maintainer of the package (possibly copying Red Hat Inc as well). If you also looked at the Debian site for an update you can copy their maintainer on your fix as well. They may not accept your patches --- but they will certainly appreciate the effort and it may help them focus on the right part of the code. This is how Linux got where it is today. (I've sent patches in on 'sendmail', 'md5sum' and 'tripwire' in the past --- and I'm not a programmer. So anyone who does feel competent in the art should not be intimidated by the notion, and won't have to spend nearly as long poring over the sources as I did for my pathetic little suggestions). I'd like to suggest one modest "New Year's Resolution" to every Linux user: Find one bug or typo. Fix it. ... hunt through the man pages, docs, sources, etc of a few of your favorite packages. Find one thing that's wrong or missing, correct it (or find someone to do it with you) and submit the patch to the appropriate parties. Last year was the first year Linux was taken "seriously." Let's make this the year that we prove that the "open source" (TM) process is maintainable and yields truly superior and mature results. ____________________________ (?) LPD forks and hangs/Linux From Michael Martinez on Sat, 26 Dec 1998 Thanks a bunch for your great, documented help. Just so you know, RH 5.2 ships with this problem. So, I'll check out the other resources you gave me. I've considered writing a patch for it - I might just do it! Merry Christmas, Michael Martinez System Administrator, C.S. Dept, New Mexico Tech ____________________________________________________ (?) Dual Boot Configurations From Justin Jenkins on Thu, 24 Dec 1998 (?) I'm ashamed to ask this but I don't know how! i got a copy at work, and installed it on an old 166 I would like to install it on my 450 can you help me?? -thanks Justin (!) Have you tried the HOWTO? http://metalab.unc.edu/LDP/HOWTO/mini/Linux+DOS+Win95+OS2.html ____________________________________________________ (?) Microtek Scanner Support: Alejandro's Tale From AmericanPride88 on Sat, 26 Dec 1998 (?) Hello Alejandro, I'm pretty annoyed that when I went to download the file at Microtek Ibelieve it was this?/ epp 264 exe. They didn't have it available , They should at least include some info about their hardware on a CD so that my Hardware Wizard can setup the right driver for the Damn Scanner, someone suggested. I try a HP scanner. I believe I will Return the C3 tomorrow. It was my Christmas present it's been nothing but a Dissapointment to me. Thank you... If you can suggest a compatible Driver or anything else please do. Thanks again!1 Sincerely, Rebecca (!) Who is Alejandro? Rebecca, it looks like you have sent this message astray. First I'm not Alejandro, I'm Jim Dennis. You sent this to "answerguy@ssc.com" which is the access point to the Linux Gazette "Answer Guy" column --- providing free technical support (and a bit of spleen venting and curmudgeonly commentary) for users of Linux. Your message doesn't relate to Linux as far as I can see. We don't often use ".exe" files and Linux doesn't need a "Hardware Wizard" to find and use any of its devices (except for the guy at the keyboard, perhaps). The primary resource for supporting scanners under Linux would be SANE (Scanner Access is Now Easy) at: http://www.mostang.com/sane ____________________________________________________ (?) Modem HOWTO Author Gets Offer RE: WinModems From bf347 on Sat, 26 Dec 1998 (?) I'm the author of the new Modem-HOWTO. Someone sent me email saying that he could put me in touch with someone who might release the info needed to write a driver for Lucent LT Winmodems. Is anyone interested? Is the first line of this message truncated? It is on my dumb terminal. I'm writing this from a BBS that allows no editing of this message. Dave Lawyer bf347@lafn.org (!) Ironically I was just answering another correspondent who got burned by one of these things. As I said there, I'll never purchase any internal modem. However, I'll post this message to my editor (it should appear in the February LG if at all). Maybe someone else will be interested. [ February when you got it in December? I sometimes defer by one month, but not short messages like this one. Get more coffee. BTW the other querent has a Lucent WinModem, so I'm sure there's at least one interested reader. Contrary to usual, I've left his address available in case any readers want to make contact to take on the task. -- Heather ] You could also send a message to the SVLUG (Silicon Valley Linux Users Group) list --- since you appear to be in Los Angeles. I realize that L.A. doesn't have as large and active a LUG as the SF Bay and Silicon Valley areas --- thought I've heard that you're working on it. Look at http://www.svlug.org and http://www.balug.org for a couple of Linux users groups up in Northern Cal that might have some interested programmers. Also be sure to shop it around at your local UG's and in the newsgroups and mailing lists. I'm sure that someone will pick off the job --- if the people at Lucent, or wherever, aren't too onerous. The message came through fine. ____________________________________________________ (?) Condolences to Another Victim of the "LoseModem" Conspiracy From simone on Sat, 26 Dec 1998 (?) I think I allready know th answer... Well I have a Lucent modem 56K (it has been a mistake i didn't know winmodems existance I was so happy with my old 14400) It doesn't work with linux or solaris (so sad) Do you have any suggestions? (!) Return the modem. Complain bitterly to the retailer and get their assurances that they will stop ripping off their customers with these pieces of garbage posing as computer peripherals. Then get an external modem. So far I've never heard of an external "winmodem" --- and I've heard that it's not feasible to design one. Sticking with external modems has always been a good idea. They are more expensive but they've always been better products. Generally they are more reliable (probably less power fluctuation and electronic crosstalk from the other components inside the PC). It's also safer and better for the rest of the PC (less crosstalk with the internal modem, less heat in the case, virtually no chance that a modem that gets zapped by a phone line power surge will destroy your CPU or memory chips in the computer, etc). Finally it's much more convenient for most users (you have status lights; you can move the modem to other systems easily and replace it with an old "test" modem easily). I personally will not ever buy an internal modem. Not ever! (?) thanks for reading sorry for bad English waitig for an answer (!) No problem. I still have some other messages in Spanish, Portugese, and maybe some in Italian that I haven't answered yet. I haven't had the time to cut and paste them into Babelfish for the "rough" translation. (?) Un cordiale saluto Montanari ____________________________________________________ (?) Reading Audio Tapes using HP-DAT Drive From Thomas Kruse on Fri, 25 Dec 1998 (?) Hi! I wonder, if you can help me with the following issue: I bought a brand new SCSI HP-DAT streamer. In the manual it is described to treat audio-dat tapes as if they were read-only. I tried to fetch the data from the tape, but I get always i/o erorrs. (I tried "cat /dev/st0" "dd if=/dev/st0...") Do I need special software or is it impossible to "read" audio tapes with Linux? (I heard rumors, that this is possible with special Win95 software) Regards, Thomas (!) That's an excellent question. I have absolutely no idea. I guess you could look at the Linux st driver sources and see if they need to be changed. I guess you might even write to the author or maintainer of the st driver to ask for advice. Looking under /usr/src/linux I find, in .../drivers/scsi/st.c that the 2.0.36 sources list Kai Makisara as the author. I've blind copied his addresses on this response. Kai, thanks for the work on the 'st' driver. What would prevent one from reading audio tapes using /dev/stX under Linux? I'm sorry if you're getting two copies of this I wasn't sure which address from the st.c file to use. (Note: this message is in response to a Linux Gazette "Answer Guy" question. I'll be happy to post any response --- which may end up prevent future questions on this topic. If this is buried in an FAQ, HOWTO, or man page somewhere, please point us at it and forgive us for not finding it). ____________________________ (?) More on: Reading Audio Tapes using HP-DAT Drive From Kai Makisara on Sat, 26 Dec 1998 (?) There are (at least) two issues when using audio DAT tapes in a computer DAT drive: 1. You may or may not be successful in using audio media to record digital data. The tape cartridge does not contain the MRS (Media Recognition System) identification data that most of the digital tapes nowadays have. The drive uses this data to determine the tape length, etc. By default, the HP drives I have seen treat any non-MRS tapes read-only. You can change this with a switch. I assume this is what the HP manual means but not what you are interested in. 2. You may be able to read audio data using a computer DAT. This depends on the firmware of the DAT driver. As far as I know, most computer DAT drives are unable to read audio data. There have been some drives from Silicon Graphics that were able to read audio data. As far as I know, they were ordinary Archive DATs with special firmware. You needed special SCSI commands to read audio data (I don't know the commands). The Linux SCSI tape driver does not currently have any support for reading audio data. Kai (!) Thanks Kai. I presume this is a result of the music industry's lobbying. The big record companies (Sony, Columbia, et al) have been interferring with the digital electronics industry for years in a misguided effort to discourage bootlegging. Oh well. We're already at the stage where some people are providing free writing --- the beginnings of an "open content" movement. This will probably encompassing music and literature much as the "open source (TM)" movement has made an impact on software. I don't object to spending money on a good book or a decent CD. I'd just like to see more of it go to the artist and I'd like some assurance that corporate politics and big business aren't exerting undue control over the contents. However, I'll leave it at that before this becomes overly political (and overtly subversive). ____________________________________________________ (?) Best of Answer Guy: A Volunteer? From EvilEd on Fri, 25 Dec 1998 (?) Hi, I've been reading "Answer Guy" for a while now. I have to say, it's really informative and cool. Would'nt it be great to have an archive or a separate page for "Best of Answer Guy 1998"? Thanks and more power, EVILed (!) Wow! That sounds like a great News Year's project. Would you like to do it? Would anywhere like to do it? If y'all put together your favorite 50 or 100 questions, answers and rants from me --- I'll annotate them with updated links and comments. So you'll get a retrospective on how things have changed since I wrote some of those messages. (In many cases I've learned more after that fact --- often from reader comments and corrections. In other cases things have just changed since I wrote my responses). However, I can't do this myself. I wrote all that stuff and the thought of reading back through all of it is mind numbing. So, if someone wants to volunteer on this --- let me know. ____________________________________________________ (?) termcap/terminfo Oddities to Remotely Run SCO App From Eric Freden on Fri, 25 Dec 1998 (?) Dear Answer Guy, I managed to solve my keybinding problem without your help (thanks anyway). Here is a synopsis: I needed to run proprietary software (in Cobol, no less) on a PPro running SCO Unixware via telnet from a PII running RedHat 5.0. The SCO box had a limited termcap file, none of which matched type linux (Linux console) or xterm (for Linux X). Changing TERM in Linux does not alter function key bindings! The only way I could change keybindings was to mess with /usr/lib/kbd/keytables which changes bindings at boot or /usr/X11/lib/X11/xkb which alters bindings upon startx. Both of these methods are global in nature and will "break" existing applications like emacs. I read the man pages on xterm where there is an option to change to Sun style function keys bindings (which was not SCO compatible either). Then I noticed that xterm and nxterm (i.e. color xterm) bind F1--F4 differently!?!?! By sheer luck, SCO has a termcap entry called coxterm that is compatible with nxterm keybindings. There is no termcap or terminfo entry for nxterm in Linux. Why not? For that matter, I see no effect in function keymappings after changing existing termcap entries, compiling with tic, and rebooting . Why not? Eric Freden (!) Last I heard Eric S. Raymond was still maintaining the termcap file. He's also listed in the author's section in the 'terminfo' man page. So perhaps he'd be the best person to address these issues? (I've copied him on this. Hi Eric! Missed you at LISA. Hope to see you at LinuxWorld Expo next March). ____________________________________________________ (?) Arabic BiDi Support for Linux From Anas Nashif on Fri, 25 Dec 1998 (?) Hi, I was wondering if its possible in one way or another to use arabic on linux.. Is there anything being done in this field? and how difficult it is to implement it? thanks, anas Anas Nashif Universitaet Mannheim (!) Sorry it took me so long to answer this question. I finally did get around to doing a Yahoo! search on "+Linux +Arabic" and found this reference: Linux in Turkey http://www.slashdot.org/articles/98/09/05/1624256.shtml ... the references to Arabic ensued from the thread discussion after the main article. So far as I know there is no direct BiDi (bidirectional text) support for Linux yet. Some applications such as emacs/xemacs with MULE (multi language extensions) do provide some support for this. However I don't know much about the details. Happy Ramadan, and good luck. ____________________________________________________ (?) Automated Updates From Josh on Fri, 25 Dec 1998 (?) A quick suggestion for the updates question. A student at georgia tech has written two excellent scripts, autorpm and logwatch. Autorpm will automatically keep your system up to date with the current redhat updates. Autorpm can be found at ftp.kaybee.org. It saves a lot of work on the system admins part. He was going to add them to the LSM, but I'm not sure if he has yet. Josh (!) There's also an 'autoup.sh' script for Debian systems. I'd suggest that these systems be used with considerable trepidation (if at all). However, they do make sense for some cases. For example I'm pretty sure you can configure these to watch some internal server. So, as the sysadmin for a medium to large installation you could manually grab and test updates --- or set up a "sacrificial" system to automatically grab them. Then, when you've vetted the updates you can post the RPM or .deb files to your internal server where you're client systems would pick it up. There's also a package called 'cfengine' by Mark Burgess which can help with various configuration details that might need to be tuned after any sort of automated update or software/configuration file distribution. (The old fashioned Unix way to automate updates to client systems is to use 'rdist' --- preferably over 'ssh' for better security). 'cfengine' is the "awk of configuration management." Basically a 'cfengine' script is a series of class descriptions, assertions and corrective actions. So you can express policies like: All Red Hat Linux systems running 2.0.30 kernel in this DNS subdomain and in this NIS netgroup, on any Tuesday (a series of class specifications) should have less than 100Mb of log files under /var/log (an assertion) and should have more that 40Mb of free space thereunder (another assertion) OR we should rotate the logs, removing the really old ones and compressing the other non-current ones (a corrective action). 'cfengine' is an interesting project I'd like to see the security features beefed up considerably and I'd like to see it undergo a comprehensive security audit (by the OpenBSD and/or Linux SecAudit teams). Naturally 'cfengine' is one of those tools with which you can shoot off your foot, at about the HIP! So you should be very careful when you first start playing with it. More info on that package can be found at its canonical home page: http://www.iu.hioslo.no/cfengine Kirk Bauer (autorpm's author) doesn't seem to maintain a web page touting it's features. So you'll have to grab the file via FTP. There's also a package called 'rpmwatch' which is listed at: http://www.iaehv.nl/users/grimaldo/info/scripts More info on autoup.sh can be found in the Debian FAQ: http://www.debian.org/doc/FAQ/debian-faq-10.html ... or directly at these sites: http://www.taz.net.au/autoup http://csanders.vicnet.net.au/autoup ____________________________________________________ (!) Liam Greenwood: Your XDM question From Liam Greenwood on Fri, 25 Dec 1998 Here's a suggestion that I'll just pass along. (!) To run XDM and not run have XDM start an Xserver on your local host: telinit 3 # go to runlevel 3 (no xdm) edit the file /etc/X11/xdm/Xservers and comment out the line which looks like this: :0 local /usr/X11R6/bin/X ...by putting a # at the start. telinit 5 # go to runlevel 5 to start xdm (on a Red hat system... others may have the config file in another place). Cheers, Liam _______ Don't tell my Mother I'm a programmer... ...she thinks I'm a piano player in a brothel. ____________________________________________________ (?) 'rsh' as 'root' Denied From Walt Smith on Thu, 24 Dec 1998 (?) hi, I can run a program using rsh as 'user' on the same pc. i.e. rsh pcname ls (or thereabouts) It won't run as 'root'. There is one file that is supposed to be used as a config if running as root. It makes no difference. Do I need to recompile rsh wil a particular option? (!) You probably won't need to recompile it. The most common version of 'in.rshd' that's included with Linux will allow you to invoke it with the -h option (added to the appropriate line in the target system's /etc/inetd.conf file) to over-ride this restriction. If you're using Red Hat with PAM then you'll have to consider reconfiguring the appropriate file under /etc/pam.d/ to remove the option that prevent root access therein (I don't have that configuration file handy since I'm not using PAM on any of my boxes at home, at this point). All of this is in the man pages (in.rshd for the daemon). I'll go on record to recommand that you ban 'rsh' and 'rlogin' from your networks completely --- using 'ssh' instead. Later, when we have ubiquitous deployment of IPSec (transport layer security for TCP/IP) and Secure DNS (the ability to digitally sign and authenticate hostname/IP records) it may be acceptable to re-introduce these protocols.... maybe. (?) regards, Walt...in Baltimore respond to XXXXXXX@bcplXXXXXX (!) Did you ever program in BCPL? _________________________________________________________________ Copyright © 1999, James T. Dennis Published in The Linux Gazette Issue 36 January 1999 _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Booting Linux with the NT Loader By Gustavo Larriera _________________________________________________________________ On these days technical professionals like you and me often must deal with the following scenario: To make Linux and NT peacefully coexist on the same machine. Many HOW-TOs have been written -and it's a good advice to give them a look- about how to configure LILO (The Linux Loader) to do the task. Unfortunately, classic documentation have little references about the NT Loader. Yes, I know for some people there's some kind of religious war between Linux and NT out there :-) But from the point of view of a IT professional, the main objective is to have the job well done. In many real-life situations we must tackle with a installation where it is not desirable to alter the NT boot process. May be it is your machine's boss and he/she prefers to keep on booting the same way for ever ;-) In this article I will focus on how to configure the NT Loader so as to boot Linux (and continue booting NT also!). I hope these tips will help Linux users to successfully boot Linux through the NT Loader the easiest way. The procedure I will explain works for NT Server 4 and NT Workstation 4 running on Intel-compatible PC. The Scenario After long conversation you have convinced your boss to put Linux on her computer machine. She is a happy NT user, she loves Word and Excel and such. She also is a clever person and has decided to give Linux a try. So she wants to have Linux installed. Just a moment: She prefers to keep booting with her familiar loading menu, from where she can choose to boot NT or DOS. Her wishes are your wishes, so you decide not to use LILO to dual-boot her computer. The MBR considered useful The most important thing you must always remember is that many software products sit on your unique precious hard disk's Master Boot Record (MBR). So does NT without asking and so optionally does LILO if you want to. The machine's BIOS executes code stored on the active partition to initiate your preferred OS. When NT is installed, the MBR is modified to load a program called NTLDR from the active partition's root directory. The original MBR is saved on a small file called BOOTSECT.DOS. After a NT installation, be careful never overwrite the MBR, because the NT will no longer boot. To fix this problem, a NT user needs the NT's Emergency Repair Disk (ERD). With those things in mind, take note you must be careful to configure LILO *not* to install on MBR. Instead you will need to configure LILO on the root partition of Linux. That's safe for NT and Linux can live without the MBR. NT loading process Once the NTLDR program launchs the NT user watch the "OS Loader V4.xx" message. Then NTLDR shifts the processor to 386 mode and starts a very simple file system. After that, it reads the file BOOT.INI to find out if there are other operating systems and prompts the user with a menu. A typical BOOT.INI looks like this: [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(2)\WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 is here" multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 VGAMODE" /basevideo /sos C:\="DOS is here" The BOOT.INI file has two sections. The "boot loader section" specifies how long in seconds will be the menu on screen and the default menu choice. The "opearating systems section" specifies the different OSs the user can choose. We can read the machine boots NT (either in normal mode or in VGA diagnosing mode) and also can boot DOS. We can deduce from this example that DOS boots from the partition C: (first partition on first disk) and NT boots from the second partition. Typical installations have a C: partition formatted with DOS's FAT file system and NT on another partition formatted with its NTFS (NT File System). If the user chooses to load NT, another program NTDETECT.COM runs to check the existent hardware. If everything was okay, the NT kernel is loaded and that's all we need to know. Let's examine what happens if the user decide to choose other OS rather than NT. In this situation, NTLDR needs to know which is the boot sector required to load the non-NT OS. The appropiate boot sector image must exists on a small 512-byte file. For instance, to load DOS, NTLDR searches for a boot sector image file called BOOTSECT.DOS. This image was created by the NT installation. So, what if I want to load Linux? It's quite simple, all we need is a boot sector image file, let's name it BOOTSECT.LIN (later we'll see how to obtain this file). You must put BOOTSECT.LIN on C: and edit BOOT.INI, the "operating systems section" now looking something like this: [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 is here" multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 VGAMODE" /basevideo /sos C:\="DOS is here" C:\BOOTSECT.LIN="Now Linux is here" The BOOT.INI can be edited with any plain ASCII text editor. Normally this file has system-hidden-readonly attributes, so you must change them using the 'attrib' DOS command or within NT, from the file's property dialogbox. The Linux side of the story Now let's concentrate on the Linux shore. We need to install Linux, configure LILO and create the BOOTSECT.LIN file. The first step is to have Linux installed. We all know how to do that: Choose appropiate partitions for Linux system, swap and user's stuff, run installation program, etc. Easy cake, first step is completed okay in less than 45 minutes. Then we must configure LILO. We also know how to do that, but be careful *not* to install LILO on the MBR (unless you hate NT too much :-)) When configuring LILO, choose to install it on your Linux root partition. If you don't know how to configure LILO, spend some minutes reading the HOW-TOs or use some of the useful setup programs most modern Linux distributions have. My installation is S.u.S.E., so I use the 'yast' (Yet Another Setup Tool). Once LILO is configured (let's asume the Linux root partition is /dev/hda3) we must use 'dd' to create the boot record image. Login as root and do the following: # dd if=/dev/hda3 bs=512 count=1 of=/dosc/bootsect.lin Prior you have mounted the FAT C: partition as /dosc. Just in case you cannot access to this partition, for instance if it's formatted with NTFS, just write BOOTSECT.LIN to a DOS-formatted diskette or some partition where NT can read from. If you put BOOTSECT.LIN in a place othet than C:\ remember to modify the BOOT.INI file accordingly. Now your boss can choose Linux from her NT Loader's menu. The NTLDR will load the BOOTSECT.INI and she'll see the LILO prompt. Then she'll plunge into her new Linux box. Finally, if you configured LILO to load Linux and also the DOS on C: when LILO prompts, your boss will reload from the active C: partition, again into NT Loader. The procedure described may be repeated if you wish to boot several Linuxes, you must just create appropiated boot sector image files for each of your Linuxes. _________________________________________________________________ Copyright © 1999, Gustavo Larriera Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Defining a Linux-based Production System By Jurgen Defurne _________________________________________________________________ Introduction In a previous article ("Thoughts About Linux", LG, October) I browsed upon several topics to use Linux in business, not only for networking and communication, but also for real production systems. There are several conditions which need to be fulfilled, but it should be possible to define a basic database system, which is rapidly deployed and has everything that is needed in such a system. The past two months I have been increasing my knowledge about Linux and available tools on Linux. There are several points which need further elaboration, but I have a fairly good idea of what is needed. Goal The goal is to have a look at the parts which are needed to implement a reliable production database system, together with the tools needed to provide for (rapid) (inhouse) development, but for a fairly lower cost than is needed with traditional platforms. It must be reliable, in the sense that all necessary procedures for a minimum downtime are available, with the emphasis that a little downtime can be tolerated. I do need to place a remark here. I worked on several projects, where people tried to save time by asking for rapid development, or trying to save money by reusing parts which lay around, or by converting systems. What happened in all cases was that both money and time were lost, the main reason being not understanding all aspects of the problems. This is a mistake I don't want to make. I think that I now have enough experience to show a way to achieve the above defined goal, describing a Linux-based production platform which has lower deployment and exploitation costs. Basic recommendations These are general guidelines. The first part in creating and exploiting a successful production system is in constraining the amount of tools that are needed on the platform. This leads to the second part of success, understanding and knowing your tools. Experience is still the most valuable tool, but depending on the amount and complexity of tools, much time can be wasted trying to get to know the tools that are at hand. Good handbooks with clear examples and thorough cross-references are a great help, as are courses on the subjects that matter. Hardware At the moment I won't go very deep into hardware. The base platform should be a standard PC with an IDE harddrive on a PCI controller which is fast back-to-back capable. I tested the basic data rate of a Compaq Despro system (166 MHz, Triton II chipset) and got a raw data-speed (unbuffered, using write()) of 2.5 MB (megabytes)/s. I suppose that for a small entry platform this is fairly reasonable. Further tests should be developed to test the loading of the machine under production circumstances. The most important part , however, is that all machines running Linux with production data, should be equipped with a UPS. This is because the e2fs file system (as most Un*x filesystems) is very vulnerable in the case of an unexpected system shutdown. For this reason, a tape drive is also indispensable, with good backup and restore procedures which must be run from day 0. Production tools Our main engine is the database management system. For production purposes, the following features must be available : * Fast query capability * Batch job entry * Printing * Telecommunication * Transaction monitoring * Journaling * User interfacing Fast query capability This feature is especially necessary for interactive applications. Your clients shouldn't wait half a minute before the requested operation is fulfilled. This capability can be enhanced by buffering, faster CPU's, faster disk-drives, faster bus-systems and RAID. Batch job entry This is a very valuable production tool. There are much jobs which depend on the daily production changes, but which need much processing time afterwards. These are mostly run at night, always on the same points of time, daily, weekly, monthly or yearly. Printing Printing is a very important action in every production system and should be looked after from the design phase. This is because many companies have several documents that are official. Not only printing on laser- or inkjet printers should be supported, but also printing with heavy duty printing equipment for invoices, multi-sheet paper, etc. Telecommunication Telecommunication is not only about the Internet. There are still many systems out there that work with direct lines between them. The main reason is that this gives the people who are responsible for the services, a much greater degree of control over access and implementation. In addition to TCP/IP; e-mail and fax, support for X.25 should also be an option in this area. People should also have control over the messages and/or faxes they send. A queue of messages should be available, where everybody can see all messages globally (dest, time, etc) and where they have access to their own messages. Transaction monitoring With transaction monitoring, I mean the ability to rollback pending updates on database tables. This feature is especially needed when one modification concerns several tables. These modifications must all be committed at the same time, or be rolled back into the previous state. Journaling This capability is needed to repair files and filesystems which got corrupted due to a system failure. After restarting the system, a special program is used to undo all changes which couldn't be committed. In this sense, journaling stands very close to transaction monitoring. User interfacing This is a tricky part, because it is part development and part production. On the production side, the interface system should give users rapid access to their applications and also partition all applications between departments. Most production systems I have seen do this with menu's. There are several reasons. The main reason is that most production systems still work with character-based applications. There are many GUI's out there, but production systems will still be solely character based (except for graphics and printing, but I consider these niche markets), even on a GUI. The second reson is that a production system usually has lots and lots of large and little program's. You just can't iconify them all and put them in maps. Then you would only have a graphical menu, with all icons adding more to confusion than clarity. What's available ? Note : When I name or specify products, I will only specify those with which I am already familiar. I presume that any one of you will have his/her own choices. They serve as basic examples, and do not imply any preferences on my side. The only database system on Linux I personally know for the moment, is PostgreSQL. It supports SQL and transaction monitoring. Is it fast ? I don't know. One should have a backup of a complete production database, which can then be used to test against the real production machine, with interactive, background and batch jobs running like they do in the real world. For batch jobs, crond should always be started. In addition to this, the at and batch commands can be used to have a more structured implementation of business processes. For printing, I know (and use) the standard Linux tools lpd, Ghostscript and TeTeX. There might be a catch however. In some places you need to merge documents with data. The main reason for this is that a wordprocessing package offers more control over the format and contents of the document, instead of printing the document with a simple reporting application. On my current workplace, a migration to HP is busy. The solution there is WordPerfect. In the past, I have used this solution under DOS, to automatically start WP and produce a merged document. Is this possible too with StarOffice ? Are there other print solutions which offer more interactive control over the printing process than lpd ? Users should have more easy access to their printjobs and the printing process. Telecommunication is a real strong point of Linux. I won't enumerate them all. Even if it doesn't support X.25, it is still possible to use direct dial-up lines using SLIP or PPP. Journaling is the weakest point of Linux. I have worked with the following filesystems : FAT, HPFS, NTFS, e2fs, the Novell filesystem and the filesystem of the WANG VS minicomputer system. With all these systems, I have had power-failures or crashes, but the only file-system that gives trouble after this is e2fs. In all other cases, a filesystem check repairs all damage and the computer continues. On WANG VS, index-sequential files are available. When a crash occurs, the physical integrity of an indexed file can be compromised. To defend against this, there are two solutions. The first is reorganizing the file. This is copying the file on a record-by-record basis. This rebuilds the complete file and its indices, and inserts or deletes which were not committed are rejected. The second option is using the built in transaction system. A file can flagged as belonging to a database. Every modification to these files is logged until the transaction is completely committed. After a failure has occurred, the files can be restored in their original states using the existing journals. This is a matter of minutes. I think that the only filesystem on PC which offers comparable functionality is that of Novell. The e2fs file system check works, but it does offer not enough explanation. When there is a really bad crash, the filesystem is just a mess. Development tools I will describe here the kind of tools that I needed when I was maintaining a production database in a previous job. The main theme here is that programmers in a production environment should be productive. This means that they should be offered a complete package, with all tools and documentation necessary to start immediately (or in a relatively short time). This means that for every package there should be a short, practical tutorial available. I will divide this section into two parts, the first being necessary tools, the second being optional tools. Also necessary for development is a methodology. This methodology should be equal through all delivered tools. The easiest way to do this is through an integrated development environment. Compulsory development tools Which tools are the minimum needed to start coding without much hassle ? I found these tools to be invaluable on several platforms : * An integrated development environment * A powerful editor * An interactive screen development package * A data dictionary * A high-level language with DBMS preprocessor support * A scripting language Integrated development environment Your IDE should give access to all your tools in an easy and consistent manner. It should be highly customisable, but be delivered with in a configuration which gives direct access to all installed tools. Editor If you have a real good editor, it can act as an integrated development environment. Features which enhance productivity are powerful search-and-replace capabilities and macro features (even a simple record-only macro feature is better than no macro features). Syntax colouring is nice, but one can live easy without it. Syntax completion can be nice, but you have to learn to live with it. Besides, the editor cannot know which parts of statement you don't need, so ultimately you will have more clutter in your source, or you waste your time erasing unnecessary source code. Screen development This is an area where big savings can be done. For powerful screen development you need the following parts in the development package : 1. Standard screens which are drawn upon information in the data dictionary 2. Easy passing of variables between screens and applications 3. A standard way of activating a screen in an application The savings are on several places. If you create a new screen, then you should immediately get a default screen with all fields from the requested table. After this, only some repositioning and formatting to local business standards needs to be done. I worked with two such systems, FoxPro and WANG PACE, and the savings are tremendous in all parts of the software cycle (prototyping, implementation and maintenance). Data dictionary A data dictionary is a powerful tool, from which much information can be extracted for all parts of the development process. The screen builder and the HL preprocessor should be able to extract their information from the data dictionary. The ability to define field- and record-checking functions in the data dictionary instead of the application program, eliminates the need to propagate changes in this code through all applications. With the proper reports, one should also be able to look at different angles into the structure of the database. High level language with DBMS preprocessor support You can't do complete development without a high-level language. There are always functions needed which can't be implemented through the database system. To make development easier, it should be possible to embed database control statements in the source program. The compiler should be invoked automatically. Scripting language A scripting language is very useful in several aspects. Preparing batch jobs is part of it. I also found out that a business system consists of several reusable pieces, which can be easily strung together using a scripting language. Also, the overall steering and maintenance of the system can be greatly simplified. Optional development tools These are tools that were avalailable on several platforms, which can come in handy, but aren't necessarily usable to deliver production environment applications. I found out that these are little used. * Interactive query system * Report editor Interactive query system This is often designed to be used by people which are not programmers. Experience has thaught me however that people who are not programmers in a business, don't have the time to learn these tools. It is a useful tool for a programmer to test queries and views, but it isn't really useful as a production tool. Only in some cases, for real quick and dirty work, is it worth using. Report editor This is even a more overestimated tool. I shared thoughts about this with other programmers, and our conclusion was : bosses always ask reports which are much more complicated than a simple report editor can handle. It would be far better to use a programming language specifically designed for reporting (any one know of such a thing ? Any experiences with Perl for extraction and reporting ?). What's available ? Note : I will direct my attention only at the compulsory development tools. The rest of the environment will be centered around the features of PostgreSQL. As an integrated development environment, EMACS is probably the first which comes to mind. It integrates even with my second subject, a powerful editor. Is it even at all possible to draw a line between the two ? Is EMACS a powerful editor which serves as a development environment, or is it a development environment which is tightly integrated with its editor? The data dictionary, the screen development package and the DBMS preprocessor are more thightly bound than other parts of the package. The screen editor and the DBMS preprocessor should get their information from the data dictionary, and the DBMS HL statements should also provide for interaction with screens. It should be both possible to develop screens for X-windows, as well for character-based terminals. In the field of high level languages, there are several options, but a business oriented language is still missing. Yes, I am talking COBOL here, although an xBase dialect is also great for such applications. I have programmed for eight years in several languages, only the last two year in COBOL, and it IS better for expressing business programs than C/C++. If anyone would ask me now to write business programs in C/C++, I think the first thing I would do was write a preprocessor so that I could express my programs with COBOL-like syntax. I don't know how ADA goes for business programs, but a combination of GNAT, with a provision to copy embedded SQL statements to the translated C-source and then through the SQL preprocessor would maybe work. I only had a small look at Perl, and from Tcl and Python I know absolutely nothing, but while interactive languages are fine for interactive programs, you should also bear in mind that some programs must process much data, and that therefore access to a native code compiler is essential. There is another point in which only COBOL is good. This is in financial mathematics. This is due to the use of packed decimal numbers up to 18 digits long where the decimal point can be in any place. You should have compiler support for that too. On the x86 platform this capability exists in the numerical processor, which is capable of loading and storing 18 digit packed decimal numbers. Computations are carried out in the internal 80-bit floating point format of the co-processor. When you have a Linux system, the first scripting language you run into is probably that of the bash shell. This should be sufficient for most purposes, although my experiences with scripting languages is that they benefit greatly from statements for simple interaction (prompting and simple field entry). What should be delivered ? As I said before, this list doesn't present any endorsement from me towards any of these products or programs. This list should be expanded with all products which fit in either one of these categories, so all hints all wellcome. Another weak point in some areas of Linux is documentation. For a production environment, the Linux documentation project is probably a must, preprinted from the Postscript sources. For the commercial products, good documentation is also not a problem. For other parts of Linux tools, the books from O'Reilly & Associates are very valuable. HOWTO's are NOT suited for a production environment, but since they are more about implementation, they are suitable for the people who put the system together. The catch is this : when a system is delivered, all necessary documentation should be prepared and delivered too. I worked with several on-line documentation systems, but when in a production environment, nothing beats printed documentation. Production system DBMS - Fast query/update - Transaction processing - Journaling postgreSQL mySQL mSQL Adabas c-tree Plus/Faircom Server ... Communication ppp slip efax ... Batch job entry crond at batch Printing lpd User interfacing ? Development system IDE EMACS Editor EMACS vi Screen development Depends on DBMS Data dictionary Depends on DBMS Application language C C++ Cobol ? Perl Tcl(/Tk) Python Java Scripting language bash Summary I am still trying to drag Linux into business. If you want to do business using Linux, you should be able to deliver a complete system to the customer. In this article I outlined the components of such a system and some weaknesses which should be overcome. As a result, I created a table enumerating the needed components for such a system. This table is absolutely not finished. I welcome all references to programs and products to update this table. It should be possible to publish an update once a month. What I also should do, is extend the table with references to available documentation. Another part which needs more attention is developing tests to assess the power of the database system, ie. what can be expected in terms of throughput and response under several load scenarios. _________________________________________________________________ Copyright © 1999, Jurgen Defurne Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ EMACSulation By Eric Marsden _________________________________________________________________ This column is devoted to getting more out of Emacs, text editor extraordinaire. Each issue I plan to present an Emacs extension which can improve your productivity, make the sun shine more brightly and the grass greener. _________________________________________________________________ Why is the word abbreviate so long? Time saving You've probably noticed that Emacs goes to a fair bit of trouble to save you typing. The minibuffer offers a history mechanism which allows you to recall and edit previous commands, and many minibuffer entry prompts try to complete whatever you're typing when you hit TAB. This behaviour was the inspiration for the readline and history libraries, which are used in several shells and commandline interpreters. This column is dedicated to another of these keystroke-saving features in Emacs: the abbreviation facility. Do you get sick of typing in repetitive phrases such as your company's name, or your phone number? Abbreviations are here to save your fingers. For example, you could ask Emacs to expand LAAS to Laboratoire d'Analyse et d'Architecture des Systèmes. The expansion happens once you type a non word-constituent character after the abbreviation (a space, for instance, though the exact definition of a word separation depends on the mode you are using). This is the Emacs abbrev mechanism. You can either use a minor mode called abbrev-mode, which will cause abbrevs to expand automatically (you enable the minor-mode by saying M-x abbrev-mode), or you can expand them on demand by saying C-x a e with the cursor positioned after the abbreviation. Your abbreviations can be saved to a file when you quit Emacs and reloaded automatically when you launch it: ;; if there is an abbrev file, read it in (if (file-exists-p abbrev-file-name) (read-abbrev-file)) Defining an abbrev To create an abbrev definition, type the abbreviation (LAAS in the example above) in a buffer, say C-x a i g, then enter the text you would like it to expand to in the minibuffer. This slightly arcane sequence creates a global abbrev, which will apply in all modes. Try it out by entering the abbreviation and saying C-x a e (e for expand). Emacs also allows you to create abbreviations which will be active only in a specific mode by saying C-x a i l instead (in a buffer which is already in the appropriate mode). M-x list-abbrevs displays a list of all currently defined abbrevs. Mail abbrevs Since the dawn of time, Unix mail programs have used the ~/.mailrc file to allow users to create their own email aliases. The mail-abbrevs mechanism reads in the contents of this file and defines abbreviations which will be expanded in the To: and Cc: fields of any email you compose in Emacs. Here is an example of the ~/.mailrc alias syntax: alias dsssl dssslist@mulberrytech.com alias cohorts rabah jarboui almeida behnia alias bond "James Bond " There are other more sophisticated addressbook systems around, such as Jamie Zawinski's BBDB, but they won't allow you to share aliases with other mailers. You can have mail-abbrev minor mode activated whenever you compose an email in Emacs using the following line in your ~/.emacs: ;; unnecessary if you use XEmacs (add-hook 'message-setup-hook 'mail-abbrevs-setup) Dynamic abbrevs The standard abbreviation facility requires you explicitly to register your abbrevs, which is fine for things you type every week, but is a hassle for expressions which only occur in one document. Emacs also supports dynamic abbrevs, which try to guess the word you are currently typing from the surrounding text. This is very useful for programming in languages which encourage VeryLongVariableNames: you only need type the variable name once, after which it suffices to type the first few letters followed by M-/, and Emacs will try to complete the variable name. To be very precise, dabbrev searches for the least distant word of which the word under the cursor is a prefix, starting by examining words in the current buffer before the cursor position, then words after the cursor, and finally in all the other buffers in your Emacs. If there are several possible expansions (ie the text you have typed isn't a unique prefix), pressing M-/ cycles though the successive possibilities. Saying SPC M-/ lets you complete phrases which contain several words. Diehard vi users might be interested to read the tribulations of a user who tried to implement a limited version of dabbrevs in vi. Completion The Completion package, by Jim Salem, is similar in function to dynamic abbrevs, but uses a different keybinding (M-RET) and a subtly different algorithm. Rather than searching for a completion which is close in the buffer, it starts by searching through words which you have typed in recently (falling back to searching open buffers if this fails). The history of recently used words is saved automatically when you quit Emacs. To enable completion (you can use it instead of, or as well as, dabbrevs), put the following in your ~/.emacs: (require 'completion) (initialize-completions) Hippie Expand Filename completion in the minibuffer is a truly wonderful keystroke saver, and you might find yourself wishing you could use it when entering a filename in a regular buffer. Wish no longer: this is one of the features offered by the fabulous hippie-expand package. Hippie-expand, by Anders Holst, is a singing and dancing abbrev mechanism, which is capable of many different types of dynamic abbrevs. It can expand according to: * file name: if you type /usr/X then hit the expansion key, it will expand to /usr/X11R6/; * exact line match: searches for a line in the buffer which has the current line as a prefix; * the contents of the current buffer, and other buffers on failure, just like dabbrev; * the contents of the kill-ring (which is where Emacs stores text that you have killed, or ``cut'' in MacOS terminology, in a circular buffer). Rather than typing M-y to cycle through positions in the kill-ring, you can hippie-expand on the first word in the killed text. Hippie-expand is not active by default, so you need to bind it to a key. Here's what I use: (define-key global-map (read-kbd-macro "M-RET") 'hippie-expand) Go forth and save keystrokes. Feedback Glenn Barry sent me a comment on the EMACSulation on gnuclient/gnuserv: Just read and enjoyed your article on gnuserv/gnuclient in the Linux Gazette. But you forgot the use of gnuserv/gnuclient that makes it incredibly useful; one can access their full running emacs session by logging-in via a tty remotely (rlogin/telnet) and running "gnuclient -nw" ... makes working from home a breeze (even over low speed (28.8) links). Note you do have to rlogin to the system running the emacs w/gnuserv, as the gnuclient -nw does not work over the net (at least that's what the man page says). It took me awhile to figure this out so it would be nice to make sure folks know about this great capability. The -nw switch asks Emacs to start up in console mode, which makes it much more useable over a slow connection than using a remote display with X11. Note that XEmacs is able to use ANSI colors on the console or in an xterm, while GNU Emacs currently can't do color but does offer a text-mode menubar. Glenn also gave an illustration of the power of ffap: he has customized it to recognize Sun bug numbers under the cursor and dispatch a dynamically generated URL to a web front end for their bug tracking system. Next time ... Next month I'll look at skeleton insertion and templating mechanisms in Emacs. Don't hesitate to contact me at with comments, corrections or suggestions (what's your favorite couldn't-do-without Emacs extension package?). C-u 1000 M-x hail-emacs ! PS: Emacs isn't in any way limited to Linux, since implementations exist for many other operating systems (and some systems which only halfway operate). However, as one of the leading bits of free software, one of the most powerful, complex and customizable, I feel it has its place in the Linux Gazette. _________________________________________________________________ EMACSulation #1, February 1998 EMACSulation #2, March 1998 EMACSulation #3, April 1998 EMACSulation #4, June 1998 EMACSulation #5, August 1998 _________________________________________________________________ Copyright © 1999, Eric Marsden Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Evaluating postgreSQL for a Production Environment By Jurgen Defurne _________________________________________________________________ Introduction With the advent of relatively powerful, free and/or cheap software, I wanted to see if I was able to create a production environment around Linux and a DBMS. In the past I have worked with several DBMS products in several environments. My goal was to evaluate the Linux/postgreSQL against the several environments I am familiar with. Out of these environments I will pick the aspects which I think are important in a production environment. Past production environments I have worked in three stages of production environment. These were the unconnected PC environment, the connected PC environment (file/print server networking), and multi-user/multi-tasking environment (minicomputer). I will introduce the several tools in order of this complexity. Some terms will need to be explicitly defined, because the xBase terminology is sometimes confusing. The term 'database' here means the collection of several related tables which are needed to store organised data. The term 'table' is used to define one collection of identical data, a set. This is because in the original xBase languages, 'database' was used as to mean 'table'. FoxBase Effectively being a much faster clone of dBase III, FoxBase contained the minimum necessary to define the tables of a database and a programming language which contained all necessary to write applications very quickly. A database consisted of several tables and their indexes. The association of tables and their indexes must explicitly be done using commands. The programming language used is completely procedural. It contains statements to create menu's, open and close tables, filter tables (querying), insert, update and delete records, view records through screens and a browse statement. Defining all these things in a program is quite straightforward. Records are manipulated as program variables. All data is stored in ASCII format. One special feature which originated in dBase, are 'macro's'. These macro's are text strings, which could be compiled and interpreted at run-time. This was a necessary feature, because most statements took string arguments without quotes, e.g. OPEN MY_TABLE. If you wanted to define a statement with a parameter, you could not directly refer to a variable. Trying to execute OPEN ARG_TABLE, the program would search for the file 'ARG_TABL'. To circumvent this problem you need to code the following : ARG_TABLE = "MY_TABLE" OPEN &ARG_TABLE Clipper Clipper originated as a dBase compiler, but added soon after powerful extensions to the language. I have also worked with the Summer '87 and the 5.0 version. At the database level, nothing changed very much from FoxBase, but at the user interface level and the programming level, several advanced features offered faster development turn-around times and advanced user interfacing. The macro feature was still available, but Clipper expanded it through code blocks. In the original implementation, a macro needed to be evaluated every time it was used. In cases where macro's where used to filter data, this amounted to waste of computing time. The introduction of the code block made it possible to compile a macro just once and then use the compiled version. Other features where the introduction of some object-oriented classes for user interfacing, a powerful multi-dimensional array type, declarations for static and local variables and a plethora of functions to manipulate arrays and tables. The flipside of all this was that learning to effectively use the language took some more time. I have two books about Clipper 5.0 and they are quite large. FoxPro 2.0 FoxPro was the successor of FoxBase. It added GUI-features to the text-interface, making it possible to work with overlapping windows. FoxPro 2.0 also added embedded SQL statements. It was only a subset with SELECT, INSERT, UPDATE and DELETE, but this offered already a substantial advantage over the standard query statements. It also offered a better integration between tables and their indexes, and one of the most powerful query optimizers ever developed. They also provided some development tools, of which the most important where the screen development and the source documentation tools. Clipper and FoxPro made it also possible to program for networks and thus enable multi-user database systems. WANG PACE WANG PACE is a fully integrated DBMS development system which runs on the WANG VS minicomputers. It offers an extended data dictionary with field- and record-level validation, HL-language triggers and view-definitions. All defined objects contain a version count. When an object is modified and subsequent programs are not, then a runtime error is generated when compiled versions don't match DD versions. It also offers a powerful screen editor, a report editor and a query-by-example system. Access through COBOL, COBOL85 or RPGII is available with a pre-processor which compiles embedded statements into API-calls. Summary of important features If I look in retrospect to these systems, what were the important features which made programming more productive ? This reference must be made against postgreSQL and the available libraries for interfacing to the back-end. It must also be made from the point of the production programmer, who must be able to write applications without being bothered by irrelevant details. * Field names translate to native variable names Defining a field name for a table makes it available under the same name to the program which can then use it as an ordinary, native variable. * Uniform memory allocation system The xBase systems have a dynamic memory allocation scheme, which is completely handled by the runtime library. COBOL is fully statically allocated. In none of these languages the programmer needs to be concerned with tracking allocated memory. * Direct update through the current record The manipulated record is available to update the table through one or another UPDATE statement. * Database statements have the same format as the application language When programming in xBase, the statements to extract and manipulate data from the database tables formed an integral part of the procedure language. In COBOL, the statements where embedded and processed by a preprocessor. The syntax of the available statements was made to resemble COBOL syntax, with its strong and weak points. * Simple definition and usage of screens In xBase, there are simple yet powerful statements available for defining screens. Screens are called through only one or two statements. In WANG PACE, screens can only be defined through the screen editor. There are three statements available : one to use menu's, one to process one record in a cursor and an iterative version to process all records in a cursor. Most screen processing is handled through the run-time libraries. Features available when installing postgreSQL The four first features can be installed using the ecpg preprocessor. This makes it possible to use native program variables, you don't have to worry about memory allocation, because the run-time library takes care of it, and updates can also take place using the selected program-variables. What is missing, is a special form of include statement. Now you need to know which fields are in a table if you want to use a 'exec sql declare' statement. It would be better if there was something like 'exec sql copy fields from '. If the tabledefinition then changes, recompiling the program will adjust to the new definitions. Using the pgaccess program (under X-windows) provides access to the data dictionary in a more elegant manner. Summary I started out to write a critique on postgreSQL because of the summary documentation which is delivered in the package. This made it rather hard to find and use all the components which provide additional functions. I started describing my experiences on other platforms to get an insight in what a production environment should deliver to the programmer. Then I started to look closely at the delivered documentation and to my surprise all components that I needed where in fact in the package. The following critique still remains however. The documentation of the package is too much fragmented, and most parts of the documentation are centered around technical aspects which do not bother the production programmer. This is understandable however. The documentation is written by the same people that implement them. I know of my own experience that writing a user manual is very hard and it is easy to get lost in the technical details of the implementation that you know about. The following parts of postgreSQL are important for the production programmer, and their documentation should be better integrated. * The psql processor This is a nice tool to define all necessary objects in a database, to get acquainted with SQL and to test ideas and verify joins and queries. * The ecpg preprocessor This is the main production tool to write applications which use database manipulation statements. This capacity should probably be extended to other languages too. Since all bindings from the selected cursor are made to program variables, records can be processed without the hassle of converting them from and to ASCII, and updates can be made through the 'exec sql update' statement. * The pgaccess package The pgaccess package provides access to all parts of the database and offers the ability to design screens and reports. It is still in a development phase. I hope it will be extended in the future, because the basic idea is excellent and the first implementations are worthwile. The libpq library is of no real value to a production programmer. It should be mainly a tool to be used in implementing integrated environments and database access languages. It could e.g. be used to create an xBase like environment (for those who wish to use this). Further research In the following weeks (months) I hope to setup a complete database system over a network, with one server and several types of clients (workstation, terminal, remote computer) through several interfaces (Ethernet, serial connections). I will investigate the several platforms for application development. I intend to have a closer look at the provided tools in the postgreSQL package (developing a simple database for my strip book collection), but I will also look at the possibilities that Java offers a development platform with JDBC, screen design and application programming. One last note : for the moment I concentrate on using tools that I don't need to pay for, because I need the money for my hardware platforms and for my house. This does not mean that I am a die-hard 'software should be gratis' advocate. A production environment favors to pay for software, because then it knows that it has a complete tool with support and warranty (horror stories about bad support not withstanding). _________________________________________________________________ Copyright © 1999, Jurgen Defurne Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ A Linux Journal Review: This article appeared first in the July 1998 issue of Linux Journal. _________________________________________________________________ Introducing Samba By John Blair _________________________________________________________________ The whole point of networking is to allow computers to easily share information. Sharing information with other Linux boxes, or any UNIX host, is easy--tools such as FTP and NFS are readily available and frequently set up easily ``out of the box''. Unfortunately, even the most die-hard Linux fanatic has to admit the operating system most of the PCs in the world are running is one of the various types of Windows. Unless you use your Linux box in a particularly isolated environment, you will almost certainly need to exchange information with machines running Windows. Assuming you're not planning on moving all of your files using floppy disks, the tool you need is Samba. Samba is a suite of programs that gives your Linux box the ability to speak SMB (Server Message Block). SMB is the protocol used to implement file sharing and printer services between computers running OS/2, Windows NT, Windows 95 and Windows for Workgroups. The protocol is analogous to a combination of NFS (Network File System), lpd (the standard UNIX printer server) and a distributed authentication framework such as NIS or Kerberos. If you are familiar with Netatalk, Samba does for Windows what Netatalk does for the Macintosh. While running the Samba server programs, your Linux box appears in the ``Network Neighborhood'' as if it were just another Windows machine. Users of Windows machines can ``log into'' your Linux server and, depending on the rights they are granted, copy files to and from parts of the UNIX file system, submit print jobs and even send you WinPopup messages. If you use your Linux box in an environment that consists almost completely of Windows NT and Windows 95 machines, Samba is an invaluable tool. [INLINE] Figure 1. The Network Neighborhood, Showing the Samba Server Samba also has the ability to do things that normally require the Windows NT Server to act as a WINS server and process ``network logons'' from Windows 95 machines. A PAM module derived from Samba code allows you to authenticate UNIX logins using a Windows NT Server. A current Samba project seeks to reverse engineer the proprietary Windows NT domain-controller protocol and re-implement it as a component of Samba. This code, while still very experimental, can already successfully process a logon request from a Windows NT Workstation computer. It shouldn't be long before it will act as a full-fledged Primary Domain Controller (PDC), storing user account information and establishing trust relationships with other NT domains. Best of all, Samba is freely available under the GNU public license, just as Linux is. In many environments the Windows NT Server is required only to provide file services, printer spools and access control to a collection of Windows 95 machines. The combination of Linux and Samba provides a powerful low-cost alternative to the typical Microsoft solution. Windows Networking Understanding how Samba does its job is easier if you know a little about how Windows networking works. Windows clients use file and printer resources on a server by transmitting ``Server Message Block'' over a NetBIOS session. NetBIOS was originally developed by IBM to define a networking interface for software running on MS-DOS or PC-DOS. It defines a set of networking services and the software interface for accessing those services, but does not specify the actual protocol used to move bits on the network. Three major flavors of NetBIOS have emerged since it was first implemented, each differing in the transport protocol used. The original implementation was referred to as NetBEUI (NetBIOS Extended User Interface), which is a low-overhead transport protocol designed for single segment networks. NetBIOS over IPX, the protocol used by Novell, is also popular. Samba uses NetBIOS over TCP/IP, which has multiple advantages. TCP/IP is already implemented on every operating system worth its salt, so it has been relatively easy to port Samba to virtually every flavor of UNIX, as well as OS/2, VMS, AmigaOS, Apple's Rhapsody (which is really NextSTEP) and (amazingly) mainframe operating systems like CMS. Samba is also used in embedded systems, such as stand-alone printer servers and Whistle's InterJet Internet appliance. Using TCP/IP also means that Samba fits in nicely on large TCP/IP networks, such as the Internet. Recognizing these advantages, Microsoft has renamed the combination of SMB and NetBIOS over TCP/IP the Common Internet Filesystem (CIFS). Microsoft is currently working to have CIFS accepted as an Internet standard for file transfer. [INLINE] Figure 2. SMB's Network View compared to OSI Networking Reference Model Samba's Components A Samba server actually consists of two server programs: smbd and nmbd. smbd is the core of Samba. It establishes sessions, authenticates clients and provides access to the file system and printers. nmbd implements the ``network browser''. Its role is to advertise the services that the Samba server has to offer. nmbd causes the Samba server to appear in the ``Network Neighborhood'' of Windows NT and Windows 95 machines and allows users to browse the list of available resources. It would be possible to run a Samba server without nmbd, but users would need to know ahead of time the NetBIOS name of the server and the resource on it they wish to access. nmbd implements the Microsoft network browser protocol, which means it participates in browser elections (sometimes called ``browser wars''), and can act as a master or back-up browser. nmbd can also function as a WINS (Windows Internet Name Service) server, which is necessary if your network spans more than one TCP/IP subnet. Samba also includes a collection of other tools. smbclient is an SMB client with a shell-based user interface, similar to FTP, that allows you to copy files to and from other SMB servers, as well as allowing you to access SMB printer resources and send WinPopup messages. For users of Linux, there is also an SMB file system that allows you to attach a directory shared from a Windows machine into your Linux file system. smbtar is a shell script that uses smbclient to store a remote Windows file share to, or restore a Windows file share from a standard UNIX tar file. The testparm command, which parses and describes the contents of your smb.conf file, is particularly useful since it provides an easy way to detect configuration mistakes. Other commands are used to administer Samba's encrypted password file, configure alternate character sets for international use and diagnose problems. Configuring Samba As usual, the best way to explain what a program can do is to show some examples. For two reasons, these examples assume that you already have Samba installed. First, explaining how to build and install Samba would be enough material for an article of its own. Second, since Samba is available as Red Hat and Debian packages shortly after each new stable release is announced, installation under Linux is a snap. Further, most ``base'' installations of popular distributions already automatically install Samba. Before Samba version 1.9.18 it was necessary to compile Samba yourself if you wished to use encrypted password authentication. This was true because Samba used a DES library to implement encryption, making it technically classified as a munition by the U.S. government. Binary versions of Samba with encrypted password support could not be legally exported from the United States, which led mirror sites to avoid distributing pre-compiled copies of Samba with encryption enabled. Starting with version 1.9.18, Samba uses a modified DES algorithm not subject to export restrictions. Now the only reason to build Samba yourself is if you like to test the latest alpha releases or you wish to build Samba with non-standard features. Since SMB is a large and complex protocol, configuring Samba can be daunting. Over 170 different configuration options can appear in the smb.conf file, Samba's configuration file. In spite of this, have no fear. Like nearly all aspects of UNIX, it is pretty easy to get a simple configuration up and running. You can then refine this configuration over time as you learn the function of each parameter. Last, the latest version of Samba, when this article was written in late January, was 1.9.18p1. It is possible that the behavior of some of these options will have changed by the time this is printed. As usual, the documentation included with the Samba distribution (especially the README file) is the definitive source of information. The smb.conf file is stored by the Red Hat and Debian distributions in the /etc directory. If you have built Samba yourself and haven't modified any of the installation paths, it is probably stored in /usr/local/samba/lib/smb.conf. All of the programs in the Samba suite read this one file, which is structured like a Windows *.INI file, for configuration information. Each section in the file begins with a name surrounded by square brackets and either the name of a service or one of the special sections: [global], [homes] or [printers]. Each configuration parameter is either a global parameter, which means it controls something that affects the entire server, or a service parameter, which means it controls something specific to each service. The [global] section is used to set all the global configuration options, as well as the default service settings. The [homes] section is a special service section dynamically mapped to each user's home directory. The [printers] section provides an easy way to share every printer defined in the system's printcap file. A Simple Configuration The following smb.conf file describes a simple and useful Samba configuration that makes every user's home directory on my Linux box available over the network. [global] netbios name = FRODO workgroup = UAB-TUCC server string = John Blair's Linux Box security = user printing = lprng [homes] comment = Home Directory browseable = no read only = no The settings in the [global] section set the name of the host, the workgroup of the host and the string that appears next to the host in the browse list. The security parameter tells Samba to use ``user level'' security. SMB has two modes of security: share, which associates passwords with specific resources, and user, which assigns access rights to specific users. There isn't enough space here to describe the subtleties of the two modes, but in nearly every case you will want to use user-level security. The printing command describes the local printing system type, which tells Samba exactly how to submit print jobs, display the print queue, delete print jobs and other operations. If your printing system is one that Samba doesn't already know how to use, you can specify the commands to invoke for each print operation. Since no encryption mode is specified, Samba will default to using plaintext password authentication to verify every connection using the standard UNIX password utilities. Remember, if your Linux distributions uses PAM, the PAM configuration must be modified to allow Samba to authenticate against the password database. The Red Hat package handles this automatically. Obviously, in many situations, using plaintext authentication is foolish. Configuring Samba to support encrypted passwords is outside the scope of this article, but is not difficult. See the file ENCRYPTION.txt in the /docs directory of the Samba distribution for details. The settings in the [homes] section control the behavior of each user's home directory share. The comment parameter sets the string that appears next to the resource in the browse list. The browseable parameter controls whether or not a service will appear in the browse list. Something non-intuitive about the [homes] section is that setting browseable = no still means that a user's home directory will appear as a directory with its name set to the authenticated user's username. For example, with browseable = no, when I browse this Samba server I will see a share called jdblair. If browseable = yes, both a share called homes and jdblair would appear in the browse list. Setting read only = no means that users should be able to write to their home directory if they are properly authenticated. They would not, however, be able to write to their home directory if the UNIX access rights on their home directory prevented them from doing so. Setting read only = yes would mean that the user would not be able to write to their home directory regardless of the actual UNIX permissions. The following configuration section would grant access to every printer that appears in the printcap file to any user that can log into the Samba server. Note that the guest ok = yes normally doesn't grant access to every user when the server is using user-level security. Every print service must define printable = yes. [printers] browseable = no guest ok = yes printable = yes This last configuration snippet adds a server share called public that grants read-only access to the anonymous ftp directory. You will have to set up the printer driver on the client machine. You can use the printer name and printer driver commands to automate the process of setting up the printer client on Windows 95 and Windows NT clients. [public] comment = Public FTP Directory path = /home/ftp/pub browseable = yes read only = yes guest ok = yes [INLINE] Figure 3. Appearance of Samba Configuration in Windows Explorer Be aware that this description doesn't explain some subtle issues, such as the difference between user and share level security and other authentication issues. It also barely scratches the surface of what Samba can do. On the other hand, it's a good example of how easy it can be to create a simple but working smb.conf file. Conclusions Samba is the tool of choice for bridging the gap between UNIX and Windows systems. This article discussed using Samba on Linux in particular, but it is also an excellent tool for providing access to more traditional UNIX systems like Sun and RS/6000 servers. Further, Samba exemplifies the best features of free software, especially when compared to commercial offerings. Samba is powerful, well supported and under continuous active improvement by the Samba Team. Resources The Samba home page, at http://samba.anu.edu.au/samba/, is the definitive source for news and information about Samba. The documentation distributed with Samba is relatively unorganized, but covers every aspect of server configuration. If you have questions about Samba, first consult the FAQ, then try the Samba Mailing List. The location of both can be found on the Samba home page. The book Samba: Integrating UNIX and Windows, by John Blair and published by SSC, covers all aspects of installation, configuration and maintenance of a Samba server. _________________________________________________________________ Copyright © 1999, John Blair Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Linux Installation Primer, Part 5 By Ron Jenkins _________________________________________________________________ Copyright Ó 1998 by Ron Jenkins. This work is provided on an "as is" basis. The author provides no warranty whatsoever, either express or implied, regarding the work, including warranties with respect to its merchantability or fitness for any particular purpose. The author welcomes corrections and suggestions. He can be reached by electronic mail at rjenkins@qni.com, or at his personal homepage: http://www.qni.com/~rjenkins/. Corrections, as well as updated versions of all of the author's works may be found at the URL listed above. NOTE: As you can see, I am moving to a new ISP. Please bear with me as I get everything in working order. The e-mail address is functional; the web site will be operational hopefully around mid December or early January. SPECIAL NOTE: Due to the quantity of correspondence I receive, if you are submitting a question or request for problem resolution, please see my homepage listed above for suggestions on information to provide. I only test my columns on the operating systems specified. I don't have access to a MAC, I don't use Windows 95, and have no plans to use Windows 98. If someone would care to provide equivalent instructions for any of the above operating systems, I will be happy to include them in my documents. ADDENDUM TO LAST MONTH'S COLUMN: I neglected to mention that you should consider purchasing some cable ties, coaxial clips, or other devices to dress your cabling properly. These should be available at your local computer store, or a large selection can be found on page # 163 of the Radio Shack 1999 Catalog. (Space limitations preclude listing them all.) This will allow you to bundle the cable or cables neatly together, attach them firmly to the baseboard or whatever area in which you are installing them, and make troubleshooting and maintenance of cabling problems much easier. Finally, consider marking each end of your cables in some way so you know which ends go together. There are a variety of ways to do this, including simply writing on the cable itself with a sharpie or white pen, noting the location or machine it is intended for, or my favorite, using color coded tape wrapped at each end. Also, each connection on a 10BASE2 coaxial bus network will require a BNC "tee" connector. This should be included with your network card. If not go to Radio Shack and get some (PN# 278-112.) They are cheaper than buying them at a computer store. Finally, don't forget the termination devices. You will need two. These are available either at your local computer store, or at Radio Shack (PN# 278-270.) Part Five: Deploying a home network This month we will utilize the home networking plan we prepared last month, and bring it to fruition. This is going to involve several steps, and I will present them in the order I recommend, but ultimately it will be up to you to choose your deployment method. Additionally, I will offer step by step instructions on the configuration of the networking components and protocols. This will give you the basic functionality upon which you will add to as this series continues. The goal of this installment will be to get the networking hardware and software installed, provide basic connectivity, and simple name resolution and file sharing services. The more advanced services, such as sendmail, DNS, routing, ftp, web, print services, and gateway service will be covered in the next installment. As with each installment of this series, there will be some operations required by each distribution that may or may not be different in another. I will diverge from the generalized information when necessary, as always. In this installment, I will cover the following topics: * Pre-installation planning. * Preparing the cabling. * Preparing the file server. * Preparing the workstations. * Installing the cabling. * Installing the hardware. * Installing the software. * Configuration of the file server. * Configuration of the work stations. * Testing the installation. * Troubleshooting the installation. * References. * Resources for further information. * Preview of next months installment. * About the Author. Assumptions that apply to the following installation instructions: To keep this installment to a manageable size, as well maintaining an acceptable level of simplicity, the following things will be assumed. We will be installing a three node network, consisting of a file server, one Windows NT client, and one Linux client. Physically, all three machines are on a single table. The Linux client is at the extreme left, the Linux fileserver is in the center, and the NT client is at the extreme right. In the 10BASE2 (coaxial or bus configuration,) the cabling will be run along the rear edge of the table and fastened by clips available for this purpose either from a computer store or at Radio Shack as previously mentioned. In the 10BASET or star configuration, the hub will be placed alongside the file server, and the cabling will emanate from the hub to the various machines, The three cables will be bundled together with cable ties, forming one larger diameter group of cables that can be treated as a single cable. This will be attached to the back of the table using clips as described above. The NICs I will use are NE2000 ISA bus combo cards, with both a BNC and a RJ-45 interface. The cards will be Plug and Play cards which require you to use a utility diskette under DOS, provided with the card, to configure it. This utility diskette also contains the NT drivers for the card. I use FREE DOS, available at http://sunsite.unc.edu to create the DOS boot disk. You may or may not have to create your own DOS boot disk, depending on what kind of NIC you have. Two of our NE2000 NICs will be set to the following: IO = 0x320 (320), IRQ = 10 The third one will be configured by NT. These are by far the most common cards people usually start out with. If you are using something different, the instructions should be similar. Just make sure you can turn off the Plug and Play feature (bug?) for the Linux machines, if necessary. This usually only applies to ISA NICs, as kernels => 2.0.34 usually do a pretty good job of snagging PCI NICs. This should provide the information required for most any size network, the steps will just need to be duplicated for the extra clients and/or servers. I will use the terms UNIX and Linux somewhat interchangeably, except where I am explicitly referring to something unique to a particular flavor of UNIX, in which case I will note the difference. If you will be integrating Novell or MAC clients, you're on your own. I have not touched Novell since 3.1, and I don't have access to a MAC machine. The AppleTalk and IPX HOW-TOs may be of some assistance to you. Further, it will be assumed you are using "reserved" IP addresses for your home network. We will use the Class C reserved network 192.168.1.0. The netmask for our network, thus will be 255.255.255.0. We will give the file server the IP 192.168.1.2, and the hostname fileserver01. The Linux client's IP will be 192.168.1.3, with the hostname linux01. Finally, the NT client's IP will be 192.168.1.4, with a hostname of nt01. I am keeping the 192.168.1.1 address and the hostname gateway01 for the gateway machine we will build next month. The domain name of this network will be home.net. The NT domain (not to be confused with the actual domain) name will be HOME. The NT client will access the file services using SAMBA, and the Linux client will access file services using the native Network File System (NFS.) Name resolution will be accomplished using common hosts and resolv.conf files, and a little trick for the NT box. When finished you should be able to ping all machines both by IP address, and hostname. Additionally, you should be able to access the disk storage on the file server from either client, with both read and write access. Pre-installation planning: Review of the network plan: Look over the network plan ONE LAST TIME. Make sure you have acquired all the necessary hardware, software, and cabling, as well as a hub or termination devices, if required. Preparing the common files: Since we will not be using DNS for name resolution at this point, we will rely on primarily three files for the UNIX machines, and one file for the NT box. Unique to the UNIX machines will be: /etc/hosts.conf /etc/resolv.conf These two files will be propagated throughout the Linux portion of the network, along with the hosts file described below. The first file, hosts.conf, simply tells the Linux box what means to use to resolve IP addresses to hostnames, and the order in which it should use them. There are basically two methods utilized for name resolution. The hosts file (see below for more information,) which we will use in this installation, and a DNS server, usually another UNIX box running a program called the Berkeley Internet Name Daemon (BIND.) First, cd to etc/, then open the hosts.conf file, or create it if necessary, and edit it to contain the line: order hosts,bind Then close the file. This simply tells the Linux box to first check its hosts file to find another machine on the network before trying anything else. Next, open the resolv.conf file, or create it if necessary, and edit it to contain the lines: domain home.net search home.net After you are finished, close the file. This tells the Linux box it's domain name, and to search this domain first before implementing any external name resolution. The purpose of this is to keep your local network name resolution on the local network. This will become important later when we hook these machines up to the Internet through a gateway machine. Common to both the NT and UNIX machines will be: A hosts file, which is simply a listing of all the machines on a local area network, which translates IP addresses to hostnames. Open the hosts file with your favorite editor, again creating it if necessary, and create entries for the loopback adapter, also known as the localhost, and each machine on your network. This file will be copied to each machine, thus allowing both the UNIX boxes and the NT machine to find each other by hostname. Entries in the hosts file are created using the following syntax: IP address Fully Qualified Domain Name (FQDN) hostname For example, for the machine bear.foobar.net, with an IP of 206.113.102.193, the proper entry would be: 206.113.102.193 bear.foobar.net bear A SHORT NOTE ON THE LOOPBACK ADAPTER: this interface, also known as the localhost, MUST be the first entry in any hosts file. So, to create the hosts file we will be using across our entire network, edit it to contain the following lines: 127.0.0.1 localhost 192.168.1.1 gateway01.home.net gateway01 192.168.1.2 fileserver01.home.net fileserver01 192.168.1.3 linux01.home.net linux01 192.168.1.4 nt01.home.net nt01 On the UNIX machines, this file also lives in the /etc directory, while on the NT machine it will live in /winnt/system32/drivers/etc directory. Now that we have prepared our common files, we can move to actual deployment preparations. Logistics and downtime: While this is not as great a concern on a home network as it is on a commercial LAN, it is still important to consider the impact the network installation will have on your machines, as well as what if any interruption of productivity might occur. You have two major, and one minor option in this regard: * The blitz method: This method entails setting aside a period of time when all machines may be downed, cabling, hardware and software installed and configured all in one contiguous session. Best for very small networks, and non commercial networks. * The phased method: This method involves a more conservative, cautious approach. Individual machines or sections of the network are downed one at a time, configured, tested, and brought back up before moving to the next section. This minimizes the interruption of productivity, and loss of computer services. Best for larger networks or most any commercial network. * A combination of the two: In any installation other than an extremely small network such as our example here, some combination of the two methods is usually the most practical approach. For instance, you may choose to blitz all the server machines, so that file services and other services will be immediately available to the client machines. After the blitz of the servers, you may then choose to slowly integrate the client machines by department, by priority of use, or most commonly, the suits first, then everyone else. As an aside, if you are deploying a network in a commercial environment, never underestimate the effect of office politics in your planning. While the executives may not technically need to be on the network as soon as your programmers or designers, remember to keep the man with the checkbook happy, and you will find your next upgrade much easier to justify. Preparing the cabling: 10BASE2: Double check that you have sufficient coaxial cable, in the proper lengths, to interconnect all the machines on your bus. Remember, the cable strings from machine to machine, so I recommend physically laying out the cable between each machine to make sure you have enough, and the proper lengths. Finally, be sure you have the proper clips and ties to dress the cables neatly. 10BASET: Depending on whether you bought the cables already made up, or made them yourself, the same general rules stated above will also apply here. Placement and layout of the cabling will be largely determined by your placement of the hub. Try to place the hub in such a way as to assure the shortest average length from the hub to each machine. As mentioned above, make sure you have sufficient materials to neatly run, anchor, and wrap your cabling. Preparing the file server: Memory issues: A good rule of thumb for any computer, and especially servers, is the more RAM the better. Since this is a home network, this is not as big an issue, but still important. Disk storage issues: If you can afford it, get SCSI drives. They work better and last longer. If you are on a budget, EIDE or UDMA drives will do in a pinch, but be aware they will not stand up as well under heavy, constant use. Backup device issues: I use a SCSI DAT drive, and have always had good results with it. Whatever you choose, MAKE SURE IT IS SUPPORTED BY Linux BEFORE YOU BUY IT! And backup up anything on any of the machines you will be working on that you cannot afford to lose! Power interruption and loss of data: You should consider at least protecting your fileserver with an Uninterruptable Power Supply (UPS.) I can recommend APC and Tripp-Lite products here. Why? Because they put they're money where they're mouth is on the warranty provided. Try to get one with two protected outlets, and jacks for your phone line. This will come in handy later when we do the gateway. Surges don't just come over the power lines. Ideally all your machines should have one, but try to make sure you get one for the file server. Preparing the client workstations: Linux box: not really much to do here, as most everything you need should already be installed. All your networking software should already be there. The only possible exception to this is if you have a RedHat machine, and you chose dialup workstation during installation. In this case, you may or may not have to install additional packages. Check your documentation. NT box: Here you will need to have your CD-ROM handy, as the networking software is probably not on your machine unless you explicitly requested it during the installation process. The software I am talking about here is separate and distinct from what is required for Dial Up Networking (DUN.) Surge protectors: If you cannot afford a UPS for each machine, at least put a quality surge protector on the two clients. Avoid the temptation to buy a bargain one. APC and Tripp-Lite are ones I can recommend for the same reasons as stated above. If either of these machines has any peripherals connected to it such printers, modems, scanners, etc. make sure these are protected as well. Installing the cabling: 10BASE2: This is a fairly straightforward process. Simply lay the cable along the back on the table (or whatever your machines are on,) where you plan to install them. Do not anchor the cables at this time. 10BASET: Once you have determined where your hub will be located, lay out the cable from the hub to each machine. Do not bundle or anchor the cables at this time. Installing the hardware: Network Interface Cards: This is fairly straightforward. Power off your machine. Remove the case cover and find an empty expansion slot appropriate for your type of card. Make sure it is firmly seated, and that you replace the screw that holds it in place. If the card is an ISA card, and is going into one of the Linux boxes, be sure to disable the Plug and Play feature and make note of the IO address and IRQ the card is using. There is usually some of setup program to help you with this. Write these values down as you will need them later. A QUICK NOTE ON IO ADDRESSES AND IRQ's: Some cards may require you to manually set the IO and IRQ values using jumpers on the card. Use care here. If you choose an IO address or IRQ already in use by another device, all sorts of nasty things can happen. Here are some good ones to try that generally work: IO Address: 0x300 (300) 0x310 (310) 0x320 (320) IRQ: 10, 11, or 12. If the card is a PCI card, have a go at auto detection first, then failing that, use the DOS setup program if required. Here at most, you may have to specify the IO address, which usually looks something similar 0x6xxx. In any case, once the card is set, be sure to write the pertinent information down. You will need it later on the Linux boxes, and you may or may not need it on the NT box. 10BASE2: * Connectors and termination: Connect the tee to the NIC. On the Linux client and the NT client, place a termination device one side of the tee. Then using the cables you laid out earlier, connect the machines together. 10BASET: * Installing the hub: This should consist of nothing more than setting it down on the table and plugging it in. In other situations, you may or may not find it advantageous to mount it on the wall, or even under the table. * Connecting to the hub: Using the cables you laid out before, connect one end of each cable to the appropriate NIC. Now you may bundle, but not anchor the cabling, starting at the each client on either end, and working toward the fileserver in the middle. Installing the software: Required software: Common: The /etc/hosts file: as specified above. The /etc/hosts.conf file: as specified above. The /etc/resolv.conf file: as specified above. Specific to the file server: If necessary, copy the above common files to the appropriate directories. SAMBA: This may or may not already be present on your system. If not, use pkgtool on a Slackware box to install it, and glint or the command RPM:ivh to install it on a RedHat box. Once you have verified it is installed, configure it as follows: * In the /etc directory, there should be an smb.conf-sample file. You may copy this to a new file called smb.conf, or create your own from scratch. I recommend using the sample one at first. * Edit the line workgroup = WORKGROUP and change it to workgroup = home.net * Next, look for a line similar to the following: hosts allow = xxx.xxx.x. Where xxx.xxx.x. represent the first three octets of your network address, 192.168.1. in the example. Additionally, be sure to allow the loopback interface. So the correct entry would be : hosts allow = 192.168.1. 127. * Finally, look for the line: remote announce = xxx.xx.x.xxx and change it to 192.168.1.255 for our example network. NFS services: This should already be installed on your Linux boxes. A possible exception is RedHat, again if the NFS server and client options were not selected during installation. If necessary, install them. Once you have verified the software is installed on your system, configure as follows: The /etc/exports file: This is fairly simple. There is much more to NFS than what I will present here, but briefly, and entry in the exports file uses the following syntax: /name/of/directory/to/export (type of access) who.can.access So as an example, to export the home directory with read and write permissions, to anyone in the home.net, the correct entry would be: /home (rw,no_root_squash) *.home.net Specific to the NT client: Copy the hosts file ONLY to the specified location. Insert your NT CD-ROM and choose start/settings/controlpanel/network. Depending on whether you have been using this machine for DUN, you may or may not have some of the software already installed. If not just follow the prompts, with the following objectives: Install ONLY the TCP/IP protocol. When the time comes to install your Network Adapter (NIC), you can try to let it auto-detect first, then failing that, choose Have Disk and use the diskette supplied with your NIC. You can safely accept the defaults at this point. If prompted for information such as hostname, IP address, or netmask, refer to the stated configuration above. You may be prompted to reboot several times. Do so. Specific to the Linux client: Copy the common files to the appropriate directories. The only exception would be if you desired to make directories on the Linux client available to the NT client. If this is the case, simply repeat the SAMBA instructions for the file server above on the Linux client as well. Configuration of the file server: Basic Networking the first step on the UNIX boxes is to get the NIC recognized. On a Slackware machine, this is done by editing /etc/rc.d/rc.modules and uncommenting the line that will load the kernel module necessary for your particular NIC, and possibly passing the IO address and/or the IRQ to help Linux find the card. Scroll down to the Network Device Support section, and look for the line: #/sbin/modprobe/ ne io=0x320 #NE2000 at 0x320 Uncomment the line by deleting the pound sign. Depending on what release of Slackware you are using, you may or may not have to specify the IRQ as well. This should not be necessary if you are using release 3.5 or higher. Next, you will want to configure your networking software. Use the netconfig utility for this. Follow the prompts, with the following in mind: When asked if you will be using only loopback, answer no. Leave the default gateway blank. Leave the nameserver stuff blank. In RedHat, you can use the linuxconf utility in either text mode or under X. I have had a few bad experiences with the X version, so I recommend using the text mode version. At the command prompt, type linuxconf You will be presented with a dialog box. Choose Config/Networking/Client tasks/Basic host information. First, set your hostname to fileserver01.home.net, then tab to quit to return to the previous screen. Choose Adaptor 1, use the spacebar to select the following parameters: * Enabled * Config mode Manual Next enter the proper hostname, domain, IP, netmask, device number, kernel module, IO, and IRQ for machine. In our case, the proper data is: fileserver01.home.net fileserver01 192.168.1.2 255.255.255.0 eth0 ne 0x320 10 If at any point, you are prompted for a default gateway, leave it blank for now. After you have entered this information, choose quit, accept, quit, quit, quit, until you are asked to activate your changes. If you want, you can use linuxconf to add your user accounts now, or do it manually later. Reboot. Configuration of the workstations: Configuration of the NT client Choose start/settings/controlpanel/network. Select the Identification tab. Make sure your Workgroup is set to HOME. Select the Protocols tab. Highlight TCP/IP. Click on Properties. Select the IP Address tab, and make sure Specify an IP address is selected, and that the IP and netmask are correct. Additionally, make sure the Default Gateway is blank. Select the DNS tab. Enter your hostname (nt01) and domain (home.net) in the appropriate boxes. Select the WINS Address tab. Make sure the WINS server boxes are blank, and uncheck the Enable DNS for Windows Resolution and Enable LMHOSTS Lookup boxes if necessary. Select OK. When prompted that one of the adapters has an empty WINS something or other, select yes to continue. Select close. You will be prompted to reboot. Configuration of the Linux client The network configuration will be the same as the fileserver instructions. Testing the installation: If any of these testing procedures fail, go to the troubleshooting section for suggestions on how to correct the problem. Testing for physical connectivity To test physical connectivity, ping one of the other hosts on the network. You should see some return information and statistics. Depress Ctrl+C to exit. Testing the loopback adapter To test the loopback adapter, simply ping 127.0.0.1. Testing the NIC To test the NIC, simply ping the IP address of the NIC. Using ifconfig and ipconfig - In Linux and NT, there are utilities provided to assist you in assessing the condition of your networking setup and hardware. They are called ifconfig and ipconfig, respectively. On a Linux box, at the command prompt: ifconfig should yield two entries one for the Loopback Adapter called lo, and one for your NIC, called eth0. On an NT box the command ipconfig should yield one entry, describing your Ethernet adapter. Testing name resolution To test name resolution simply ping by hostname, such as fileserver01, nt01, linux01, etc. Testing file services * Linux NFS To test the NFS services, CD to /mnt, and create a directory called test. Then try to mount the remote directory to it. For instance, in our example above, we are exporting /home on the fileserver machine, so lets mount it under test: mount t nfs fileserver01:/home /mnt/test . If all went well, you should now be able to access the remote directory from the Linux client. * NT SAMBA double-click on Network Neighborhood. Under Home, you should see both your NT client and the Linux machine, fileserver01. Double click on the entry for fileserver01. If your user account has been created on the Linux box, you should be able to enter your username and password when prompted, and be taken directly to your home directory on the Linux box. Troubleshooting the installation: Troubleshooting physical connectivity problems * ping 127.0.0.1. If this fails, you have an improper networking configuration. Go back and recheck all your settings and required files. If this works, try to ping the IP address of the NIC installed in the machine. If this does not work, make sure the card is being recognized by Linux. If the NIC has more than one interface e.g. RJ-45 (10BASET) and a BNC (10BASE2,) make sure you have the correct one activated. If all goes well up until this point, try to ping another machine on the network by IP address. If this fails, see the next section on cable integrity. Cable integrity * If you cannot ping any other machine on the network, and you have tried all of the above, here are some tips for isolating cabling problems. * 10BASE2 move the termination of the bus to the next machine in line. Try to ping it. If this fails, try another cable. Repeat the ping test. If it still fails, suspect a termination problem. See below. * 10BASET check that the RJ-45 connector is firmly seated in the NIC and the hub. If the cable is good, there should be an LED lit up above the port on the hub into which the cable is inserted. If the LED is not lit, try another cable. Termination integrity * This only applies to 10BASE2 or bus networks. Terminators are usually a pass or fail type of deal. Either they work or they don't. First try another cable, and check to see if you are getting link lights on the NIC. Finally, double check combo cards to make sure the BNC interface is active. Troubleshooting name resolution problems: * First, try to ping by IP address. If this fails, check cabling, termination, and NIC recognition at boot time. On the UNIX boxes, ifconfig should show the loopback interface and eth0. If the NIC is not recognized, make sure Plug and Play is turned off, and you have passed the correct IO and IRQ parameters to the kernel. On an NT box, ipconfig should yield similar results. If not, check your network configuration. /start/programs/administrative tools/nt diagnostics may be of some help here. * If the ping by IP is successful, try to ping by hostname. If this fails, check your hosts file and make sure it matches the one above. If this is a UNIX box, check your hosts.conf and resolv.conf files and make sure they match the examples. If this is a NT box, make sure you placed the hosts file in the proper directory as specified above. Troubleshooting NFS problems * If you cannot mount a remote drive, check the /etc/exports file on the machine that physically contains the directory you are trying to mount. Make sure the desired directory is being exported correctly. * If you can mount the remote directory, but can read and/or write, go back to the exports file and check the permissions. Troubleshooting SAMBA problems * If the Linux box does not show up in the Network Neighborhood, make sure that both the NT box and the /etc/smb.conf files are using the HOME workgroup. * If the Linux box shows up, but you cannot access the shares, see if you are running Service Pack 3. If so, read the SAMBA docs for the required registry change that will need to be made to the NT machine. * Finally, make sure the username/password combination you are trying to use exists on the UNIX box as well as the NT box. References: Previous columns: Linux Installation Primer parts three and four Other: Ethernet HOW-TO Net-3 HOW-TO Network Administrators Guide Mastering Windows NT Server 4 (3rd Edition) Resources for further information: The Linux Documentation Project http://www.patoche.org/LTT/ http://www.ugu.com/ http://www.stokely.com/unix.sysadm.resources/ alt.unix.wizards comp.security.unix comp.unix.admin alt.os.linux.slackware comp.os.linux.networking comp.os.linux.hardware linux.redhat.misc Coming in Part Six: the long awaited Internet Gateway! _________________________________________________________________ Previous ``Linux Installation Primer'' Columns Linux Installation Primer #1, September 1998 Linux Installation Primer #2, October 1998 Linux Installation Primer #3, November 1998 Linux Installation Primer #4, December 1998 _________________________________________________________________ Copyright © 1999, Ron Jenkins Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Linux on a Shoestring By Vivek Haldar _________________________________________________________________ This article first appeared in the September 1998 issue of PC Quest, India's leading infotech magazine. _________________________________________________________________ Table of Contents * INTRODUCTION * SAVE RAM! + RECOMPILE THE KERNEL + STOP SOME SERVICES! + HOW TO REMOVE SERVICES FROM A RUNLEVEL + WHICH SERVICES TO KEEP, AND WHICH TO REMOVE + SERVICES YOU MIGHT WANT TO KEEP * SAVE DISK SPACE + HOW TO REMOVE A PACKAGE + WHICH PACKAGES DO I REMOVE? * WINDING UP _________________________________________________________________ INTRODUCTION With every operating system out there screaming "Give me more!" - more disk space, more RAM, more Mhz - it's comforting to know that there is one savior out there for those of us not endowed with the sizzlingly latest hardware. Yes, I am talking about Linux. Though Linux shines as a network operating system, and is often projected as one, the fact is that it makes a great single user OS as well - something that one could use on a non-networked home PC. And in that case, there are a number of ways in which you could tweak your system to get more punch out of it - even on machines as antiquated as 486s, and with as little RAM as 8MB. Now please remember that you need to be logged in as root to do all the following things. Our attack will be two pronged - to minimize usage of RAM, and to save disk space. SAVE RAM! RECOMPILE THE KERNEL The kernel that is installed out of the box does the job, but its a catch-all kernel, with almost everything compiled into it. Which means that its bigger than it has to be for you. If you compile your own kernel from the kernel sources, it could be upto 100kb smaller than the default vmlinuz kernel. Besides, its very helpful to know how to compile the kernel. It's quite simple actually. You first configure it, that is, you say what all you want in your kernel. And then you compile it. Linux has reached that advanced stage in its evolution where even the kernel configuration can be done graphically. The kernel sources usually reside in /usr/src/linux. To get the graphical configuration running, do "make menuconfig"(for text based menus), or "make xconfig"(for graphical setup in X). You'll be presented with a long list of configurable options, and before deciding, it is advisable to see the sagely help note which goes along with each. The notes always give sound advice, and you should follow it. By doing so, you'll land up with exactly the things that you need compiled into your kernel, and nothing else. I would also suggest reading the README file in the source directory. Once you've configured everything, quit X if you're running it. This is so that you can do the compilation in text mode, without a heavy X running, and with more available RAM. Do "make dep; make zImage", go have coffee, and come back after some time. Once that is done, the README explains in no uncertain terms what to do with your new kernel, and I would only be reproducing it if I told you. STOP SOME SERVICES! When a normal Linux system is running, there are a number of background jobs constantly running on it, each for a specific purpose - these are called daemons. For example, sendmail, the mail daemon, is the process which takes care of all the sending and routing of mail. A number of such daemons are started at bootup. And to group together sets of daemons that you might want to start for specific purposes, you have runlevels, which are simply groupings of services to start and stop. For example, on a normal Linux system runlevel 1, which is single user mode, will obviously need a lot fewer services to be running than runlevel 3, the full fledged multi user mode. Linux, by default, boots into runlevel 3. Now it turns out that of the myriad services started in that runlevel, some of them a simple non networked home PC could do without. For example, you obviously wouldn't want to waste precious RAM by running sendmail on such a machine. Yeah, it can be fun to send mail back and forth between root@localhost, and someuser@localhost, but that wears off pretty fast. HOW TO REMOVE SERVICES FROM A RUNLEVEL With RedHat, it's all very simple. Administration is definitely one of the areas in which RedHat scores over other distributions. After logging in as root, start X, and from an xterm, start "tksysv". This is the graphical runlevel editor. You'll see six columns, one for each runlevel. Now we'll only be fiddling with runlevel 3, the one which Linux normally boots into. Each column will have two halves, the top one for services to start at bootup, and the botton one for services to stop at shutdown. All you have to do to remove a particular service is to select it, and press Del. Thats it. Just remember to save your changes before quitting. WHICH SERVICES TO KEEP, AND WHICH TO REMOVE Actually, it's much simpler to tell you which ones to keep. Remember, all this tweaking is only in runlevel 3. Now the bare essentials are : * kerneld - nothing will work without this! * syslog - must have around for kernel to log messages. The logs are helpful for seeing what was going on with your system in case something goes wrong(actually, nothing ever goes wrong with Linux!). * keytable - you need this if want to be able to use your keyboard! * rc.local - this is where some trivial nitty gritties happen, after all the other services have been started. You simply need to have the above four services. Without them, as some say, "not everything will work." SERVICES YOU MIGHT WANT TO KEEP Then there are the fence sitters - non critical services which you might want to keep, if you need them, or if you fancy them. * crond - this runs a number of trivial jobs periodically, the most important of which is to make sure that your log files don't get too large. you can run it if you're paranoid. * atd - this deamon is required if you want to run "at" jobs, i.e., jobs which begin execution at a time specified by you. people working on large, multi-user systems which are up 24 hours, everyday, use this to run heavy computational jobs at night, when loads on the system are lighter. but on a simple home machine, i don't see much use for it. after all, you're the only one using it! * gpm - this allows you to use the mouse in text mode. useful sometimes only if you work in text mode, and a complete waste if you work in x. SAVE DISK SPACE Actually, there's nothing much you can do here, except removing unwanted packages. Redhat linux has a superb, easy to use, and comprehensive package management system which can keep track of almost every non user file on your disk. Everything installed on your system is part of some package, and packeges can be uninstalled. HOW TO REMOVE A PACKAGE Just run "glint", the graphical interface to the redhat package management system, from a command line while in x, and you will get a graphical interface to all the packages installed on your system. The packages are classified, and show up in a directory browser like window. To remove a package, just select it and click on the "uninstall" button on the right side. WHICH PACKAGES DO I REMOVE? Beware though, there are some critical packages which shouldn't be uninstalled. In glint, it's generally advisable to not touch the "base" and "library" packages unless you know exactly what you are doing. For others, see their description(click the "query" button). If you haven't used that package in a long time, or don't foresee using it, it's generally safe to remove it. In case removing a package affects any other package, glint will tell you. It's all quite safe. If you do end up needing the package, you can always reinstall it from the CD. WINDING UP These were only a few suggestions that you could try out. The more comfortable you get with Linux, and the more you explore, the more ideas you'll get to tweak your system to get the most out of it. Linux is an OS which is more forgiving to experimentation than most others. So think, and try it out! _________________________________________________________________ Copyright © 1999, Vivek Haldar Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ The Linux User By Bryan Patrick Coleman _________________________________________________________________ Who uses Linux? This question has changed as Linux evolves. Originally none but the ultra hacker or the core developers of the OS were the ones to use it. As different functionality got added, more and more less technically oriented people began to use Linux. Now the question is how far will Linux go toward being an OS for the end user. The response that is the healthiest for continued growth would be as far as one can go. What you say would you turn Linux into a next generation Windows. No, but there is more to it than that. nifty To effectively become an end user product and keep the hackable quality of Linux should be the new focus. That means when developing open source software you are developing for everyone from the ultimate power user / hacker to the less than average user that may have never used a computer before. Yes some people have never used computers before still in this day and age. What does this mean for development? First and foremost make everything you possible can configurable. Not just different makes for different needs but truly extendable interfaces using guile or python for example. But also there need to be defaults. So after your application is installed a user can simply start your program and it look polished. As long as your source code is available the hard core hacker is happy. But for hacker wouldi-be's it is very important that source code is internally documented. But wait we can go a step beyond simply creating fully configurable applications that are extendable and come with default settings. How about "smart" applications. Maybe you have installed application A on your system and application B comes along from the same people that brought you A. Wow you would love to have it so you install it and low and behold all of the little tweaks that you have made to A are already configured for application B. Since A and B are smart applications they have communicated and B now knows what you like. Of course not everyone likes there applications deciding what they like so all smart applications should be lobotomyzable. Now for the real fire. How about all this plus the application is ready for immediately distributed computing, not only distributed but PVM aware so if you connect to a Beowulf cluster your application is ready to do some super computing. Groups can be formed across the web i.e. ready made intranet. Security is of course built in so you company or organization can just set up there own key and away they go. Why stop at just X or the console or even Linux. I your application is completely system aware no matter where you are or what computer your using a person just has to start up there application and it does the rest going so far as trying to figure out which way you like your application and if your going to be doing distributed work. In short the new wave of computing will be all things for all people. This new approach needs a new name I think. I prefer liquid or fluid UI or interfacing framework. Some might think of Java. Java however is slow, slow and in the end it is only one library. What I have in mind would be more of a set of wrapper classes one for each library used. And one wrapper that would handle all of the calls to the widget sets and do all of the AI work. This double wrapper approach would cut a lot of the time and effort of emulating multiple classes. _________________________________________________________________ Copyright © 1999, Bryan Patrick Coleman Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Kernel 2.2's Frame-buffer Option By Larry Ayers _________________________________________________________________ Introduction The long-awaited new stable version 2.2 of the Linux kernel is on the verge of release as the new year begins; a great variety of new features and drivers will be included. One of the new features is the option to use a new device type for the virtual consoles, the frame buffer device (/dev/fb[0-7].) This new device type isn't really essential for the many Linux users running Intel machines, but those people using Alpha, Sparc, PPC, or any of the other platforms supported by Linux should benefit, as the idea behind the frame buffer console is to provide a hardware-independent console device. Geert Uytterhoeven, a Belgian programmer and one of the primary frame buffer developers, wrote a succinct introduction to one of the frame buffer documents included with the kernel source: The frame buffer device provides an abstraction for the graphics hardware. It represents the frame buffer of some video hardware and allows application software to access the graphics hardware through a well-defined interface, so the software doesn't need to know anything about the low-level (hardware register) stuff. Users of Intel machines already have methods available to vary the size of the text console screen, such as the video=ask Lilo parameter and the SVGATextMode utility. I've used SVGATextMode for quite some time to set the console text to a 116x34 resolution. It works fine, but while configuring recent 2.2 beta kernels with menuconfig I couldn't help but be intrigued by the choices offered in the Console Drivers sub-screen. My video card these days is a Matrox Mystique, and when I saw a new frame buffer driver for Matrox cards and another option for Mystique support I just had to give it a try. Installation Tips The first time I tried a kernel with Matrox frame buffer support I could see that the card was detected (as the boot messages scrolled by) and the penguin logo's appearance at the upper right corner of the screen seemed to indicate that at least part of this compiled-in feature was working, but the console was the same old 80x25 default. Back to the documentation, where I learned that a utility called fbset would be helpful. This small program (written by Geert Uytterhoeven and Roman Zippel) is used to change or query the current frame buffer mode. Even more important, the installation of fbset creates the special device files /dev/fb[0-7] which are needed for frame buffer functionality. The fbset archive can be found at this FTP site. Another document found in the fb subdirectory of the kernel source's Documentation directory is called matroxfb.txt. Written by Petr Vandrovec, the Czech developer responsible for the Matrox frame buffer drivers, this document is a great help in setting up workable frame buffer modes. Another, more generic document called vesafb.txt can be consulted when setting up modes for other VESA-2.0 compliant video cards. There are two ways to tell the kernel which frame buffer mode to use. While experimenting, setting the mode specification at the Lilo prompt is a quick way to try a mode out. Let's say that your main dependable kernel is the first one in the /etc/lilo.conf file, and the frame buffer kernel is the second and is named bzImage-2.2. Your computer boots, the LILO prompt appears, and you press the shift key. Here is an example of a mode being set: LILO bzImage-2.2 video=matrox:vesa:0x188 If the mode is acceptable, the console screen will switch to the new mode (in this case, 960x720) soon after the boot messages begin to scroll by. The relevant boot messages will look something like this: matroxfb: Matrox Mystique (PCI) detected matroxfb: 960x720x8bpp (virtual: 960x4364) matroxfb: framebuffer at 0xE0000000, mapped to 0xc4807000, size 4194304 Console: switching to colour frame buffer device 120x45 fb0: MATROX VGA frame buffer device If you like the mode, a variation of the above Lilo command can be inserted directly into the /etc/lilo.conf file; the line should look something like this: append="video=matrox:vesa:392" The quotes are essential, and notice that the hex number 0x188 has been converted to its decimal equivalent 392, since Lilo can't understand hex numbers in the lilo.conf file. Once the frame buffer kernel is booted the fbset utility can be used to switch to other modes. Mode specifications can be derived from X modes, but not wanting to spend hours fooling around with this I took the easy way out. Before I edited the lilo.conf file so that the mode would be set automatically when booting, I tried several different hex numbers at the Lilo prompt. After booting each one I ran fbset without any arguments. When run this way fbset outputs to the screen the current mode specs in a format usable in the (initially nonexistent) config file /etc/fb.modes. Here's a sample of the output: kbdmode "name" # D: 56.542 MHz, H: 45.598 kHz, V: 59.998 Hz geometry 960 720 960 4364 8 timings 17686 144 24 28 8 112 4 endmode Several of these mode specs can be pasted into a new /etc/fb.modes file, substituting different mnemonic names for the "name" in the pasted output. One useful mode to include is a basic, non-color text mode, either by trying one of the text modes described in the documentation or simply by running fbset -depth 0. SVGAlib console graphics programs won't run properly in frame buffer consoles with higher color-depths. Once a fb.modes file has been created the frame buffer mode can be changed by running the command fbset name, where "name" is one of the mode names in the file. Frame Buffers and X Naturally, the big question many readers will have is "Will X Windows run when started from a frame buffer console?". The answer is "It depends.". Some combinations of X servers and video cards are known to have problems, especially when switching back and forth from X to a virtual console. This can be a problem with SVGATextMode as well. The XFree86 3.3.3 SVGA server I've been using with my Matrox card has worked well with the frame-buffer consoles. Your mileage may vary. There is a special server available in source form; it's called XF68_FBDev and it's included in the XFree86 3.2 (and later) sources. Binaries aren't available, and the server is unaccelerated and would mainly be of interest to those running Linux on non-standard hardware such as PPC. Conclusion The majority of Linux users probably won't be using the frame buffer kernel options any time soon. It has advantages with some hardware, but it takes time to figure out and use effectively, and the benefits are nice for console users but won't be of much use to those who spend most of their time in X Windows. I think that the reason it will be a part of the next stable kernel release is that frame buffer devices aren't Intel-specific, as is much of the current console code. It's likely that the much-anticipated release of XFree86 4.0 (possibly this year) will include more frame buffer compatibility in its server modules, such as seems to exist now in the SVGA server. _________________________________________________________________ Last modified: Sun 3 Jan 1999 _________________________________________________________________ Copyright © 1999, Larry Ayers Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Running Your Own Domain Over a Part Time Dialup By Joe Merlino _________________________________________________________________ You love your linux box. You love the power. You love the flexability. You love the freedom. You really love the utter non-microsoftness of it. But deep down inside, you know there's something missing. A deep longing sits within you, crying out to be assuaged. Your friends with full-time ethernet connections have it. Your really rich friend with a T-1 to the house has it. They can log into their linux boxen any time they want. They have their own domain names. You probably even have an account on one of their machines. But look what you're stuck with. Sure your modem's pretty fast, but it only dials up when you tell it to, and you can't tell it when you're not logged in. Even if you set it up to run as a cron job, you wouldn't know where to telnet to because your ISP gives you a different IP number every time you dial in. How do you get remote access? Fear not. There Is A Way. For the price of a dialup PPP account, you can have that precious remote access. And if you're willing to pay the freight to InterNIC (you can scrape up seventy bucks, can't you?) you can even have your own domain. Here's how: _________________________________________________________________ STEP 1 - SETTING UP PPP The general setup of PPP connections on Linux is well documented elsewhere, so I won't go into it, except to say that you need to have PPP set up to run non-interactively from a command line. Graphical programs to activate PPP such as EZPPP or Red Hat's netcfg won't work. This is because you're going to create a script to be run as a cron job, and that script needs to be able to call your PPP-connecting script. For the purposes of this article, my PPP-connecting script is called /etc/ppp/ppp-on, and the script that ends the PPP connection is called /etc/ppp/ppp-off. You should be able to find examples of these sorts of scrips on the web. _________________________________________________________________ STEP 2 - DYNAMIC DNS SERVICE You probably have Domain Name Service (DNS) through your ISP, but your ISP doesn't keep track of your particular connection because it changes every time you dial in. Your ISP does this because it has more users than it does IP numbers. This makes sense when you consider that most of the people who use the service only connect for a short time - a couple of hours at most. You can probably get a full-time connection and a static IP number from your ISP, but such things are typically pretty expensive. The thing is, you don't really need a static IP number to have a constant domain name. As long as the Domain Name Server where your domain name lives knows what your IP number is *at any given time*, you can get to your machine. And the DNS server where you domain name lives doesn't have to be the same one that belongs to your ISP. I use a service provided by a company called Dyndns (www.dyndns.com) Dyndns will, for a fee, maintain your domain name in its database. The domain name you get can either be a subdomain of theirs (i.e. yourdomain.dyndns.com), which is cheaper, or your can have your own unique domain name (i.e. yourdomain.com), which is somewhat more expensive. If you want a unique domain name, irst, you have to register your domain name with InterNIC (www.internic.net). Dyndns will do this for you, for a fee, but it's so easy to do, you might as well save yourself the money and do it yourself. When you register with InterNIC, you have to supply the IP numbers of a primary and secondary DNS server. These numbers are available on Dyndns's web page. Once all of this goes through (read: is paid for), you're good to go. The next thing you do is download a client program from Dyndns's website. They have a couple of different clients you can choose from (one in C, and one in Perl), and it might take some experimenting to figure out which one is better for you (even then, I had to have a friend of mine hack the Perl client a little to make it work). When you are logged into your ISP, you run the client program. The client program gets your current IP number from the output of the 'ifconfig' command, and reports it to Dyndns's DNS server. Your domain name is now pointed at your machine. [Note: Nothing I've said in this section should be considered an endorsement of or advertisement for Dyndns. I've used their service as an example because it's the service I use, and it's what I'm familiar with.] _________________________________________________________________ STEP 3 - AUTOMATING THE CONNECTION You've got the domain name, you've got the DNS service, amd you've got the client program working. Now you need a way to make the computer log itself onto your ISP without your actually being there to do it. Ah, the wonders of Linux! This is taken care of with a simple shell script. Here's what I use: #!/bin/bash # This is a script that attempts to log into a remote dialup and # establish a PPP connection. If it is sucessful, it runs 'ntpdate' # (network clock set), NamedControl.pl (a perl script to update # the dynamic DNS), and fetchmail for all accounts. If it fails, it # makes two more attempts, and then exits. # This script is released under the GNU General Public Licence. No # warrenty whatsoever is expressed or implied. # Original version was written by Joe Merlino , November, # 1997. # If you have an idea for an improvement to this script, please let me # know. # set iteration counter at 1 i=1 while [ $i -le 3 ] do # This part tests for the availability of the modem. If the modem # is available, it runs /etc/ppp/ppp-on. If not, it reports and # exits. ( if (test -e /var/lock/LCK..modem) then echo modem not available # for some reason this didn't work. exit 0 else /etc/ppp/ppp-on sleep 45 fi ) # This part tests for the modem lock file, and if it exists, runs # the various programs needed to update the system from the network. # if the lock file is not found, it reports and exits. ( #!/bin/bash if (test -e /var/lock/LCK..modem) then /etc/ppp/netpack #invoke 'netpack' script echo done else echo no connection fi ) sleep 60 # This part again tests for the lock file, and if it finds it, sets # the iteration counter to 4 (so the script will exit). If the lock # file is not found, it incriments the counter by one. if (test -e /var/lock/LCK..modem) then i=3 fi i=`expr $i + 1` echo $i done You'll notice that this script calls another script, 'netpack'. I've done that because I have a set of things I like to do when my machine logs itself in. At the very least, 'netpack' should include your dynamic DNS client script. I would also recommend that it include whatever you use to download your email (e.g. 'fetchmail' or 'popclient' or whatever). It would also be possible to replace the line that calls 'netpack' with a series of lines that call the various programs, but I like the modular design because I can edit 'netpack' on it's own. I put both this script (which I named 'auto-up'), and 'netpack' in /etc/ppp/. Once you've got all that set up, try running it manually to make sure it works. (Don't forget to give yourself execute permission.) Once you've established that it works, set it up as a cron job (using the 'crontab -e' command) to run whenever you want to have remote access to your linux box. Also, set up /etc/ppp/ppp-off to run when you want your access to end. [Note: Some ISPs have a limit on the amount of time you can be connected without doing anything. This is to keep people from logging in and simply leaving their computers connected indefinitely. You should be aware of your ISP's policy with regard to this.] And there it is. You now have remote access to your machine at specified times. Now you can start pining for a full-time connection. Addendum: Between the time I wrote this article, and the time that this issue of Linux Gazette was posted, DynDNS added a web-based update system to its already existing methods. This means that you can update DynDNS manually, with your browser. It also gives us the opportunity to write another Perl client. This one can be much more compact, and should work "out of the box" with only one small hack required for your account information. If you want to use it, simply copy the text between the ---CUT--- lines to a file, give yourself execute permission, and use it in place of the other client program. ---------------CUT------------------ #!/usr/bin/perl # # Client script for HTTP update of DynDNS's Dynamic Domain service. # Written by Joe Merlino 12/31/98 # Licence: GNU GPL # use IO::Socket; # Replace the values below with your information as indicated $host = "master.dyndns.com"; $myhost = "myhost"; #replace with your hostname $myname = "postmaster"; $mypass = "mypass"; #replace with your password # This part opens a connection to DynDNS's web server. $remote = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "http(80)" ) or die "couldn't open $host"; # This part sends an HTTP request containing your information. print $remote "GET /dyndns/cgi/DynDNSWeb.cgi?name=$myname&passwd=$mypass&domain =$myhost&IP=AUTO HTTP/1.0\n\n"; #This part extracts and prints DynDNS's response. while ($hrm = ) { if ($hrm =~ /UPDATE/) { $message = $hrm } if ($line =~ /THERE/) { $message = $hrm } } print "DynDNS: $message"; -close $remote; ---------------CUT------------------ _________________________________________________________________ Copyright © 1999, Joe Merlino Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Setting Up a PPP/POP Dial-in Server USING Red Hat Linux 5.1 By Hassan Ali _________________________________________________________________ DISCLAIMER: This worked for me. Your mileage may vary! OBJECTIVES: To install PPP and POP/IMAP services on a Red Hat Linux 5.1 server for dial-in users. TOOLS: Red Hat Linux 5.1 CDs ASSUMPTIONS: You have a PC with basic installation of Red Hat Linux 5.1 with a Linux kernel that supports IP forwarding. _________________________________________________________________ STEP 1: Install "mgetty" (if not yet installed) from Red Hat 5.1 CD #1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Login as "root", insert Red Hat 5.1 CD #1 in the CD-ROM drive and mount it using the command: # mount -t iso9660 /dev/hdb /mnt/cdrom (It is assumed that your CD-ROM drive is device /dev/hdb, if not change it accordingly) 2. Get to the RPMS directory: # cd /mnt/cdrom/RedHat/RPMS 3. Install "mgetty" rpm files: # rpm -Uvh mgetty* This will install mgetty and all its cousins, but who cares!! If you hate extended family, have your way and replace "mgetty*" with "mgetty-1.1.14-2.i386.rpm". 4. At the end of /etc/mgetty+sendfax/mgetty.config file, add the following set of three lines for each serial port connected to a modem for dial-in users. Here is an example for /dev/ttyS1 and /dev/ttyC15: # For US Robotics Sportster 28.8 with speaker off port ttyS1 init-chat "" ATZ OK AT&F1M0E1Q0S0=0 OK answer-chat "" ATA CONNECT \c \r # For Practical Peripheral 14.4 with fax disabled and prolonged # carrier wait time (90 sec) port ttyC15 init-chat "" ATZ OK AT&F1M0E1Q0S0=0S7=90+FCLASS=0 OK answer-chat "" ATA CONNECT \c \r Notes: 1. AT&F1 sets hardware flow-control mode on many modems. For other modems use appropriate initializations in the init-chat line. 2. Just in case you wonder why I took as an example a ttyC15 port; well, you may have such a port if you have a multiport serial card. If you need one, I recommend Cyclades cards. 5. In /etc/mgetty+sendfax/login.config file, search for the line that starts with /AutoPPP/. Make sure that it is not commented (i.e. there is no "#" at the beginning of the line), and edit it to be: /AutoPPP/ - a_ppp /etc/ppp/ppplogin If you wish to have users' login names (rather than "a_ppp") to appear in the /var/run/utmp and /var/log/wtmp log files, then the above line should be: /AutoPPP/ - - /etc/ppp/ppplogin 6. In /etc/inittab file, search for the section that runs "getty" processes and add at the end of that section one line of the following form for each modem port. Example here is given for ttyS1 and ttyC15. 7:2345:respawn:/sbin/mgetty -x 3 ttyS1 8:2345:respawn:/sbin/mgetty -x 3 ttyC15 [the first number (7,8) is arbitrary (in fact I have seen in some cases "s1", "s2", etc, used instead). Just give a different number for each port. And why not you go by the order!!? Me wonders!] 7. Connect the modems to the serial ports, switch them ON and then initialize "mgetty" with the command: # init q NOTE: If you spawn "mgetty" on a serial port with no modem connected to it, or the modem is not switched ON, you'll get lots of error messages in "/var/log/messages" or/and in the other mgetty ("/var/log/log_mg.ttyXX") log files. In fact those error messages may continuosly pop up on your screen. Quite annoying, eh? To avoid this annoyance, each serial port that has no modem connected to it should have its corresponding lines commented out in /etc/inittab and in /etc/mgetty+sendfax/mgetty.config files. _________________________________________________________________ STEP 2: Install PPP (if not installed) from Red Hat 5.1 CD #1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. If the Red Hat CD #1 is properly mounted (see STEP 1.1), to install PPP type the following command: # rpm -Uvh /mnt/cdrom/RedHat/RPMS/ppp* 2. Edit /etc/ppp/options files to read as follows: -detach crtscts netmask 255.255.255.0 asyncmap 0 modem proxyarp NOTES: 1. Use appropriate netmask for your network. It doesn't have to be 255.255.255.0, in fact in my case it was 255.255.255.224 2. Read man pages for "pppd" to understand those options. 3. Edit /etc/ppp/ppplogin file (create it if it doesn't exist) to read as follows: mesg n tty -echo /usr/sbin/pppd silent auth -chap +pap login Make the file executable using command: # chmod +x /etc/ppp/ppplogin NOTE: We're going to use PAP authentication BUT using the ordinary /etc/passwd password file. That's what "+pap login" means. 4. For each serial port connected to a modem, create a corresponding /etc/ppp/options.ttyXX file, where "XX" is "S1" for ttyS1 port, "S2" for ttyS2 port, "C15" for ttyC15, etc. In one such file put the following line: myhost:ppp01 where "myhost" is the hostname of the PPP server - change it accordingly to the actual hostname of your Linux box. If you're more forgetful than you can REMEMBER to admit, remind yourself of the hostname of your server using the "hostname" command. # hostname The word "ppp01" used above is just an arbitrarily chosen name for the virtual host associated with one of the PPP dial-in lines and its corresponding IP address as defined in /etc/hosts file (to be discussed later). In another /etc/ppp/options.ttyXX file, you may wish to type in the following line: myhost:ppp02 That is, here you define a different PPP hostname, "ppp02". Use a different hostname for each serial port. You can choose any names that your lil' old heart desires! They don't have to be ppp01, ppp02, ppp03, etc. They can be "junkie", "newbie", "noname", whatever! 5. Edit /etc/ppp/pap-secrets file and add one line as shown below for each IP address that is to be dynamically assigned to PPP dial-in users. This, of course, assumes that you have a pool of IP addresses that you can assign to your dial-in clients: # Secrets for authentication using PAP # client server secret IP addresses * * "" 10.0.0.3 * * "" 10.0.0.4 This says: no PAP secrets (passwords) set for any client from anywhere in the world with the shown IP address. We don't need to use PAP secrets if we will be using /etc/passwd instead. If you are REALLY not paranoid, you can have just one following line that will serve all the IP addresses (yours and your neighbour's!): # Secrets for authentication using PAP # client server secret IP addresses * * "" * 6. Make /usr/sbin/pppd program setuid "root" by using command: # chmod u+s /usr/sbin/pppd 7. Edit /etc/hosts file to assign IP addresses to all PPP hostnames you used in STEP 2.4. Use the pool of IP addresses used in STEP 2.5: 10.0.0.3 ppp01 ppp01.mydomain.com 10.0.0.4 ppp02 ppp02.mydomain.com NOTE: Replace "mydomain.com" with the actual domain name of your PPP server. Just in case you're confused, I assume your PPP server is "myhost.mydomain.com". _________________________________________________________________ STEP 3: Install POP/IMAP servers (if not installed) from Red Hat 5.1 CD #1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~ 1. With the Red Hat CD #1 properly mounted, issue the following command to install POP and IMAP: # rpm -Uvh /mnt/cdrom/RedHat/RPMS/imap* 2. Check /etc/inetd.conf file to see if "pop-2", "pop-3", and "imap" service lines are all uncommented. If not, uncomment them (i.e remove the leading "#"). If you only want to support POP3 clients, just uncomment the "pop-3" line. If POP2 and POP3 files are not in the "imap*" RPM file, try to see if you have "ipop*" RPM file and use it instead. 3. Activate the new services by using command: # kill -HUP `cat /var/run/inetd.pid` _________________________________________________________________ STEP 4: Enable IP fowarding ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. If you use the already compiled Linux kernel that comes with Red Hat 5.1, it does normally have support for IP forwarding. If you compile your own Linux kernel, you have to enable "IP: forwarding/gatewaying" networking option during compilation. For RFC compliance, the default bootup process does not enable IP forwarding. Enable IP forwarding by setting it to "yes" in /etc/sysconfig/network file, like so: FORWARD_IPV4=yes 2. Activate IP forwarding by using command: # echo "1" > /proc/net/ip_forward or by rebooting the system. _________________________________________________________________ STEP 5: Test the server ~~~~~~~~~~~~~~~~~~~~~~~ 1. First create users (if not ready). You can give them "/home/username" home directory and "/bin/bash" login shell if you want them to have both "PPP" and shell access. Give them "/home/username" home directory and "/etc/ppp/ppplogin" login program if you want them to have PPP access but not shell access. It's better to use "usercfg" tool to set-up new users. Typical /etc/passwd file entries may be as follows: jodoe:tdgsHjBn/hkg.:509:509:John Doe:/home/jodoe:/bin/bash jadoe:t8j/MonJd9kxy:510:510:Jane Doe:/home/jadoe:/etc/ppp/ppplogin In this example, John Doe will have both PPP and shell access, while Jane Doe will only have PPP access. If you have just started to wonder how John Doe may have PPP access, the answer lies with the /AutoPPP/ configuration in "mgetty" - it does the magic. Any user that will dial in and talk PPP, mgetty will give him/her the /etc/ppp/ppplogin program. So, if John Doe dials-in using Windows 95 dial-up adaptor which is set up to make a PPP connection, mgetty will give John Doe PPP access. If he dials in with any other communication software e.g HyperTerminal, (with no PPP negotiation) he will be given the normal login shell. This will never happen for Jane Doe. She will always be welcome by the "/etc/ppp/ppplogin" program. In fact "mgetty" allows you to use the same modem lines for various protocols. For example, your UUCP clients (if you have any) may use the same modem lines as your PPP clients! Of course, you have to give your UUCP clients "/var/spool/uucppublic" home directory and "/usr/sbin/uucico" login program. 2. Assuming you have a web server (Apache) already setup (it's a piece-a-cake to setup Apache), use a web browser, and a POP e-mail client (e.g Eudora) on a remote PC connected to a modem and a phone line. If it is a Windows 95/98 PC, setup the Dial-up Adaptor appropriately by specifying the IP address of the PPP server as the Gateway, use correct DNS IP address, and specify that the server will assign an IP address automatically. In the POP client (e.g Eudora), set SMTP and POP host as the IP address of the PPP/POP server. Now dial-up the server and wait for connection. Test out web browsing, and POP mail sending and receiving. If it doesn't work... something is wrong somewhere ;-) _________________________________________________________________ REFERENCES: 1. PPP-HOWTO 2. NET-3-HOWTO 3. "Using Linux", Bill Ball, published by Que (around US$30 - highly recommended) 4. mgetty documentation _________________________________________________________________ Copyright © 1999, Hassan O. Ali Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Touchpad Cures Inflammation By Bill Bennet _________________________________________________________________ Here are some reasons to go to a little touchpad for Linux: 1. It will exercise your whole hand digit by digit. 2. When you take the pressure off of your "clicker finger" your chronic carpal tunnel and joint soreness will go away in a few days. 3. When you work without soreness, you will enjoy your Linux box even more than you do now. 4. You can really truly do magic hand gestures to make your machine go. 5. It works better in Linux than in the monopoly system! So, what make and model are we talking about? It is the Elite 800 dpi EZ-Pointe serial touchpad by PC Concepts. I got mine at Computer Avenue (www.computeravenue.com). Developed for the Windows-Intel monopoly system, it comes with a diskette that holds the "drivers" for Microsoft's DOS and their 16-bit and 32-bit window managers. The DOS setup of the pad is simply a matter of putting the diskette in the floppy drive and copying the "drivers" over to your machine. You get the usual triple set of instructions: one for DOS, one for 16-bit gui DOS and one very "clickety" set of instructions for 32-bit gui DOS 7.0. After about twenty minutes of fiddling and adjusting, you are back to square one: you have installed a serial pointing device. Yes, you can enter in some key bindings coupled with clicks of the primary and secondary switches. You can set up hotspots accessible from a set of keys and clicks of switches. When the play-time is done (about twenty minutes or so - depends how playful you feel), you have to reboot your machine to record the settings. Ok, no problem. Now you can use the pad. You will find that all of the fiddling and customizing was a waste of time, since you will just be doing same-old, same-old with a new pointing device. When it comes to RSI, you can get yourself a better mouse or you can get yourself a totally new pointing device. The time comes when you want to see this thing work in Linux. Then you realize that your DOS fiddlings with "drivers" will be impossible in Linux because all of the "drivers" are written for the Widows-Intel monopoly system. It makes me think. Where does the typical hardware problem start? Right! It starts with standard manufacturing procedure: you follow the market. So the typical hardware problem in Linux is about hardware that will work only when a set of mystical registers is set up; those settings which can only be set with DOS software. We all know that the majority of PC owners are forced to get DOS software when they buy their machine. All we need is hardware that works on its own interface (like your BIOS and CMOS at startup) and hardware that will accept signals from any software, as long as the signals are correct. The non-standard hardware that uses non-standard settings is often (too often) kept from us by manufacturers who force the signing of a NDA (non-disclosure agreement) in order to protect their secrets. Ask yourself: is it a secret because it is simple and elegant? My answer is that these companies are afraid of a certain big, bad wolf company that steals innovation; this same thief claims to be the leading innovator! It is no wonder, then, that certain hardware is not yet open to Open Source. We also need for the manufacturers to hear that Linuxians will purchase from "Linux friendly" companies first. First and foremost, the consumer can really influence the computer industry by supporting the protocols that are open and free for all users. So do not buy from a company that seeks to own the protocols and do buy from companies that adhere to the protocols as they have been established. Enter the serial port protocol for the serial mouse. A mouse is a mouse. Evidence for the DOJ: a "regular" mouse is a Microsoft mouse. If any of you folks think that there is no need to curb monopolies and their anti-competitive, locked in, exclusive contracts, remember this: a "regular" mouse used to be an Apple mouse. Apple had the home computer mouse first and they played fair. It is my contention that Apple needed to play a bit more hard-nosed. Just look at who "owns" (influences) them now. The defacto standard for a "regular" serial mouse is based on its ubiquitous placement as an accessory for the monopoly system PC. Besides, we users like pointing devices. For the sake of clarity, you even call a "regular" mouse or the touchpad a Microsoft mouse when you install Linux. Well, it is time to leave the pad plugged in and reboot the machine to Linux. Good. Let us see if it works without all of these DOS driver fiddlings. You wait. You hope. You curse the monopoly. Then it happens. Gpm -t ms is running. You brush a digit across the pad. It's alive! Now for startx. The pad will work as a regular mouse in Linux without any of those annoying "drivers" because the Linux mouse config is ready for any serial mouse. No drivers. No fiddling. And the left and right buttons work just fine. In fact, it seems to me that the motion is smoother. Give me a bit of skin anyday The standard procedure for operating a mouse is odd to watch if you look at it like a non-computer-familiar person. The operator holds the hand in readiness on top of the mouse. Whether you are a "micro-wrist-twitch" artist or a "full-shoulder-pusher" or a "swing-punch-twister" it all looks the same: your finger rests on the clicker and moves in one axis, making a tiny movement over and over. The term "clickfest" was coined as a derisive remark by some person with an aching "mouse wrist" and and a sore "clicker finger", I'll bet. Enter the pad, man. Brush a finger, any finger across the smooth touch pad. Your cursor will follow. Skin is in. Try a knuckle. Any skin covered body part will do. Now do a little light tap on a menu button. It responds. Do a light double tap. This light double tap is now your new "clickety-click". You do have switches, and they make drag and drop a little easier. I prefer to do the light stroke thing at this time; it just is way too cool and human, if you know what I mean. Then you try some fine pointer movement, such as in xpainting or GIMP-ing. Wow! The finest single pixel motion is waiting for you with a touchpad. It is done with a "fingerprint rollover" of a fingertip; just like you get when they throw you in a holding cell at your local ticket giving outlet. You get good traction and positive one-to-one feedback from the pointer with none of that annoying mouse-ball slippage. The finishing touch is the drag and drop, where you can move to your target, take your digit away from the pad surface (the cursor stays put), move it to one edge of the pad, touch down and tap twice to light up the target, and drag your targeted item to its destination. It is just a pleasure to work with a touchpad. So that is it. No HOWTO is needed for this seriously fun way to point and click on your screen. Best of all, there is no fiddling with no damn "drivers". When your carpal tunnel soreness goes away you may once again be carefree and easy-going at your monitor. Do you suppose that flame wars are due to pain from mousing in addition to the pain in the usual place? Adios from this desktop. _________________________________________________________________ gpm note The gpm for a two button mouse is gpm -t bare. It also works on gpm -t ms if you want or need three-button emulation. _________________________________________________________________ 3 button emulation note As a three-button mouse emulator, the pad is very nice because the middle pair of left/right switches are about 1 millimeter apart and can easily be pressed together with one finger. The point is that you do not have to make any adjustments from your "regular" mouse setup, which is in /etc/X11/XF86Config in the pointer section. Just plug it in and make it go. _________________________________________________________________ rodent protocol To see the various rodent protocols, type "man mouse" to see the fine documentation. _________________________________________________________________ I was set up! XF86Setup is the graphical setter upper for your mouse and X Windows. Xconfigurator is the console/xterm setter upper for this same job. xf86config is the text based setter upper.-- pick a binary, any binary _________________________________________________________________ Reference reading: XFree86 HOWTO -- required reading for Linuxians -- see secret video timings 3-Button-Mouse HOWTO -- you might have fun with this -- prep for surgery Loadlin+Win95 mini-HOWTO -- to beat the "DOS only" hardware trick "Loadlin.exe Installer", Linux Gazette issue #34, November, 1998 -- step by step _________________________________________________________________ made with Emacs 20.2.1 on an i486 with GNU/Linux 2.0.32 The word damn is used to emphasize an adamant position and is in no way meant as an affront to sincere readers. _________________________________________________________________ Copyright © 1999, Bill Bennet Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ Through the Looking Glass: Finding Evidence of Your Cracker By Chris Kuethe _________________________________________________________________ You've subscribed to Bugtraq and The Happy Hacker list, bought yourself a copy of The Happy Hacker, and read The Cuckoo's Egg a few times. It's been a very merry Christmas, with the arrival of a cable modem and a load of cash for you, so you run out and go shopping to start your own hacker lab. A week later, you notice that one of your machines is being an especially slow slug and you've got no disk space. Guess what - you got cracked, and now it's time to clean up the mess. The only way to be sure you get it right is to restore from a clean backup - usually install media and canonical source - but let's see what the "h4x0r" left for us to study. In late October of this year, we experienced a rash of attacks on some workstations here at the University of Alberta's Department of Mathematical Sciences. Many of our faculty machines run RedHat 5.1 (there's a good platform to learn how to try to secure...) since it's cheap and easy to install. Workstations are often dual-boot with Windows 95, but we'll be phasing that out as we get Citrix WinFrame installed. This paper is an analysis of the compromise of one professor's machine. One fine day I was informed that we'd just had another break-in, and it was time for me to show my bosses some magic. But like a skilled cardshark who's forced to use an unmarked deck, my advantage of being at the console had been tainted. Our cracker had used a decent rootkit and almost covered her tracks. In general, a rootkit is a collection of utilities a cracker will install in order to keep her root access. Things like versions of ps, ls, passwd, sh, and other fairly essential utilities will be replaced with versions containing back doors. In this way, the cracker can control how much evidence she leaves behind. Ls gets replaced so that the cracker's files don't show up, and ps is done so that her processes are not displayed either. Commonly a cracker will leave a sniffer and a backdoor hidden somwhere on your machine. Packet sniffers - programs that record network traffic which can be configured to filter for login names and passwords - are not part of a rootkit per se, but they are nearly as loved by hackers as a buggered copy of ls. What wouldn't want to try intercept other legitimate user passwords? In nearly all cases, you can trust the copy of ls on the cracked box to lie like a rug. Don't bet on finding any suspicious files with it, and don't trust the filesizes or dates it reports; there's a reason why a rootkit binary is generally bigger than the real one, but we'll get there in a moment. In order to find anything interesting, you'll have to use find. Find is a clever version of 'ls -RalF | grep | grep | ... | grep '. It has a powerful matching syntax to allow precise specification of where to look and what to look for. I wasn't being picky - anything whose name began with a dot was worth looking at. The command: find / -name ".*" -ls Sandwiched in the middle of a ton of useless temporary files and the usual '.thingrc' files (settings like MS-DOS's .ini) we found '/etc/rc.d/init.d/...'. Yes, with 3 dots. One dot by itself isn't suspicious, nor are two. Play around with DOS for about two seconds and you'll see why: '.' means "this directory" and '..' means "one directory up." They exist in every directory and are necessary for the proper operation of the file system. But '...' ? That has no special reason to exist. Well, it was getting late, and I was fried after a day of class and my contacts were drying up, so I listed /etc/rc.d/init.d/ to check for this object. Nada. Just the usual SysV / RH5.1 init files. To see who was lying, changed my directory into /tmp/foo, the echoed the current date into a file called '...' and tried ls on it. '...' was not found. I'd found the first rootkit binary: a copy of ls written to not show the name '...' . I will admit that find is another target to be compromised; in this case it was still clean and gave me some useful information. Now that we knew that '...' was not part of a canonical distribution, I moved into to it and had a look. There were only two files; linsniffer and tcp.log. I viewed tcp.log with more and made a list of the staff who would get some unhappy news. Ps didn't show the sniffer running, but ps should not be trusted in this case, so I had to check another way. We were running in tcsh, an enhanced C-syntax shell which supports asychronous (background) job execution. I typed './linsniffer &' which told tcsh to run the program called linsniffer in this directory, and background it. Tcsh said that was job #1, with process ID 2640. Time for another ps - and no linsniffer. Well, that wasn't too shocking. Either ps was hacked or linsniffer changed its name to something else. The kicker: 'ps 2640' reported that there were no processes available. Good enough. Ps got cracked. This was the second rootkit binary. Kill the currently running sniffer. Now we check the obvious: /etc/passwd. There were no strange entries and all the logins worked. That is, the passwords were unchanged. In fact the only wierd thing was that the file had been modified earlier in the day. An invocation of last showed us that 'bomb' had logged in for a short time around 235am. That time would prove to be significant. Ain't nobody here but us chickens, and none of us is called bomb... I went and got my crack-detection disk - a locked floppy with binaries I trust - and mounted the RedHat CD. I used my clean ls and found that the real ls was about 28K, while the rootkit one was over 130K! Would anyone like to explain to me what all those extra bytes are supposed to be? The 'file' program has our answer: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked, not stripped. Aha! So when she compiled it, our scriptkiddie forgot to strip the file. That means that gcc left all its debugging info in the file. Indeed, stripping the program brings it down to 36K, which is about reasonable for the extra functionality (hiding certain files) that was added. Remember how I mentioned that the increased filesize is important? This is where we find out why. First, new "features" have been added. Second, the binaries have verbose symbol tables, to aid debugging without having to include full debug code. And third, many scriptkiddies like to compile things with debugging enabled, thinking that it'll give them more debug-mode backdoors. Certainly our 'kiddie was naive enough to think so. Her copy of ls had a full symbol table, and source and was compiled from /home/users/c/chlorine/fileutils- 3.13/ls.c - which is useful info. We can fetch canonical distributions and compare those against what's installed to get another clue into what she may have damaged. I naively headed for the log files, which were, of course, nearly as pure as the driven snow. In fact the only evidence of a crack they held was a four day gap. Still, I did find out something useful: this box seemed to have TCP wrappers installed. OK, those must have failed somehow since she got in to our system. On RH51, the TCP wrappers live in /usr/sbin/in.* so what's this in.sockd doing in /sbin? Being Naughty, that's what. I munged in.sockd through strings, and found some very interesting strings indeed. I quote: You are being logged , FUCK OFF , /bin/sh , Password: , backon . I doubt that this is part of an official RedHat release. I quickly checked the other TCP wrappers, and found that RedHat's in.rshd is 11K, and the one on the HD was 200K. OK, 2 bogus wrappers. It seems that, looking at the file dates, this cracked wrapper came out the day after RH51 was released. Spooky, huh? I noticed that these binaries, though dynamicically linked, used libc5, not libc6 which we have. Sure, libc5 exists, but nothing, and I mean nothing at all uses it. Pure background compatiblity code. After checking the other suspect binaries, they too used libc5. Thats where strings and grep (or a pager) gets used. Now I'm getting bored of looking by hand, so lets narrow our search a little using find. Try everything in October of this year... I doubt our cracker was the patient sort - look at her mistakes so far - so she probably didn't get on before the beginning of the month. I don't claim to be a master of the find syntax, so I did this: find / -xdev -ls | grep "Oct" | grep -v "19[89][0-7]" > octfiles.txt In english: start from the root, and don't check on other drives, print out all the file names. Pass this through a grep which filters everything except for "Oct" and then another grep to filter out years that I don't care about. Sure, the 80's produced some good music (Depeche Mode) and good code (UN*X / BSD) but this is not the time to study history. One of the files reported by the find was /sbin/in.sockd. Interestingly enough, ps said that there was one unnamed process with a low (76) process id owned by uid=0, gid=26904. That group is unknown on campus here - whose is it? And how did this file get run so early so as to get that low a PID? In.sockd has that uid/gid pair... funky. It has to get called from the init scripts since this process appears on startup, with a consistently low PID. Grepping the rc.sysinit file for in.sockd, the last 2 lines of the file are this: #Start Socket Deamon exec in.sockd Yeah, sure... That's not part of the normal install. And Deamon is spelled wrong. Should a spellchecker be included as an crack- detector? Well, RedHat isn't famous for poor docs and tons of typos, but it is possible to add words to a dictionary. So our cracker tried to install a backdoor and tried to disguise it by stuffing it in with some related programs. This adds credibility to my theory that our cracker has so far confined her skills to net searches for premade exploits. The second daemon that was contaminated was rshd. About 10 times as big as the standard copy, it can't be up to anything but trouble. What does rsh mean here? RemoteSHell or RootShell? Your guess is as good as mine. So far what we've found are compromised versions of ls, ps, rshd, in.sockd, and the party's just beginning. I suggest that once you're finished reading this, you do a web search for rootkit and see how many you can scrounge up and defeat. You have to know what to look for in order to be able to remove it. While the log files had been all but wiped clean, the console still had some errors printed on it, quite a few after 0235h. One of these was a refusal to serve root access to / via nfs at 0246h. That coincided perfectly with the last access time to the NFS manpage. So our scriptkiddie found something neat, and she tried to mount this computer via NFS, but she didn't set it up properly. All crackers, I'd say, make mistakes. If they did everything perfectly we'd never notice them and there would be no problems. But it's the problems that arise from their flaws that cause us any amount of grief. So read your manuals. The more thorougly you know your system, the more likely you are to notice abnormalities. One of the useful things (for stopping a cracker) about NFS is that if the server goes down, all the NFS clients with directories still mounted will hang. You'll have to 120-cycle the machine to get it back. Hmmm. This presents an interesting tool opportunity: write a script to detect an NFS hack, and if a remote machine gets in, ifconfig that interface off. Granted, that presents a possible denial-of-service if authorized users get cut off. But it's useful if you don't want your workstation getting compromised. At this point I gave up. I learned what I'd set out to do - how to find the crap left behind by a cracker. Since the owner of this system had all her files on (removed) removable media there was no danger of them being in any way compromised. The ~janedoe directory was mounted off a Jaz disk which she took home at night, so I just dropped the CD into her drive and reinstalled. This is why you always keep user files on a separate partition, why you always keep backups and why it's a good plan to write down where to get the sources for things you downloaded, if you can't keep the original archives. Now that we've accumulated enough evidence and we're merely spirited sluggers pulverizing an equine cadaver, it's time to consider the appropriate response. Similar to Meinel's you-can-get-punched and you-can-go-to-jail warnings in The Happy Hacker, I would suggest that a vicious retaliatory hack is not appropriate. In Canada, the RCMP does actually have their collective head out of the sand. I am not a lawyer, so don't do anything based on these words except find a lawyer of your own. With that out of the way, suffice it to say that we're big on property protection here. Aside from finding a lawyer of your own, my advice here is for you to call the national police, whoever they are. People like the RCMP, FBI, BKA, MI-5 and KGB probably don't mind a friendly phone call, especially if you're calling to see how you can become a better law-abiding citizen. Chances are, you'll get some really good tips, or at least some handy references. And of course you'll know someone who'll help you prosecute. My communication with RCMP's Commercial Crimes unit (that includes theft of computing and/or network services) can be summarized as follows: E-mail has no expectation of privacy. You wish email was a secret, but wake up and realize that it's riskier than a postcard. As systems administrator, you can do anything you want with your computer - since it's your responsibility either because you own it or because you are its appointed custodian - so long as you warn the users first. So I can monitor each and every byte all of my users send or receive, since they've been warned verbally, electronically and in writing, of my intent to do so. My browse of the FBI's website shows similar things. But that was only browsing. Don't run afoul of provincial or state laws regulating the interception of electronic communication either. NOTE: While I have attempted to make this reconstruction of events as accurate as possible, there's always a chance I might have misread a log entry, or have misinterpreted something. Further, this article is solely my opinion, and should not be read as the official position of my employer. Appendix A: Programs you want in a crack-detection kit * find, ps, ls, cp, rm, mv * gdb, nm, strings, file, strip * (GNU)tar, gzip, grep * less / more * vi / pico * tcsh / bash / csh / sh * mount For security reasons these should all be statically linked. Appendix B: References WinFrame: http://www.citrix.com/ RedHat 5.1: http://www.redhat.com/ http://www.rootshell.com/ http://www.netspace.org/lsv-archive/bugtraq.html About the filesystem: McKusik, M.K., Joy, W.N., Leffler, S.J., Fabry, R.S., "A Fast File System for UNIX" Unix System Manager's Manual, Computer Systems Reseach Group, Berkeley. SMM-14 April 1986 LEA and Computer Crime: http://www.rcmp-grc.gc.ca/html/cpu-cri.htm http://www.fbi.gov/programs/compcrim.htm _________________________________________________________________ Copyright © 1999, Chris Kuethe Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ USENIX LISA Vendor Exhibit Trip Report By Paul L. Lussier _________________________________________________________________ Thu, 10 Dec 1998 I went into Boston yesterday, 09 December, for the Vendor Exhibit at the LISA conference. My most immediate and overwhelming feeling was one of major disappointment in myself for not having pushed on my management to send me to this conference :( It looks like it's a really great conference. Alas, I'm trying to be positive and look at it from the point of view of "Why waste a trip to your own backyard that might be better spent traveling elsewhere :)" Anyway, the vendor exhibit was fantastic, though my guess is it's only really good for those of us who do hard-core sysadmin'ing for a living. The average Linux enthusiast might have been bored, since it really is nothing more than a lot of vendors hawking their wares (Though *everyone* would have enjoyed all the free stuff :) Ironically, the one major vendor who was conspicuously absent was Sun. All the other vendors were there, Network Appliance, Auspex, Compaq (never did see maddog though), IBM, SGI (at least I saw a booth with an INDY in it). There were a lot of what I call "Want-Ad" booths to. Collective Technologies (formerly Pencom System Administration), Sprint Paranet, Fidelity, and several other companies there for sole reason of trying to recruit people. The Open Source contingent was there in full force with booths for RedHat OpenBSD, The Free Software Foundation, etc. There were several booths from various software companies, most of whom I've heard of, and even several I haven't. I spent a lot of time talking to various companies for things directly related to my needs here at work, and got in some personal geek talk re: Linux as well. I stopped by the RedHat booth, and was kind of disappointed. They just didn't seem excited to be there. Maybe it was because I keep to much up-to-date on them and they had *absolutely nothing* new to tell me that I didn't already know. I got the distinct impression they were tired of being there. It very well could have been that they wanted to be talking to those who aren't yet converted to Linux yet, but instead kept getting inundated with the RH fan club :) I don't think they've adjusted to be on top of the world yet. I heard someone come by and say, "Hey, we're planning on another 10 RH Linux servers in then month of so!" The RH response, was an un-enthusiastic "Oh, that's cool." As if they had heard the same thing all day long, and really didn't want to hear it anymore. I don't think they knew how to deal with their success. It could also have been that this particular guy was one of the RH developers, not a PR/Marketing person. I spoke with a guy at the OpenBSD booth, I think it was Theo de Radt himself. I mentioned I tried to get the latest release from amazon.com last week, which, according to the OpenBSD site, is selling it. Yet amazon doesn't have any mention of 2.4, only 2.3. He basically got really upset at that, mentioning that *they* sent him an e-mail the same day of the 2.4 release announcement stating they had already gotten 170 requests for it. His only response was "Well then fix your web page. You just lost $1700US. They all bought it off the OpenBSD site!" So, needless to say, I'll be getting 2.4 directly from them :) There were 3 sw booths I stopped at that really got me intrigued. First there was Aurora Software from Pelham, NH (I think). Their product is called SARCheck. It's for Solaris, and it's a front end reporting mechanism for ps and SAR. Supposedly it assists in performance monitoring and tuning by taking the output of ps and sar, translating it into English, and then making recommendations on what to change, why, and how. I think the sw is $150 per system, not per CPU (this means that I can use it on my 14 processor Sun E4500, and only pay $150). This sounds really good, and I'm hoping to be able play with it real soon. The next company was Shpink Software (yes, really!:) . Their product is the Network Shell (nsh). This looks *really, really, really cool*. In short, it's a client/server system where you can 'cd' to a UNC path on another machine. This differs greatly from NFS in that nsh has the ability to *execute commands* on the remote system. For example, say I have 3 systems, a Linux box, an NT box, and a Solaris box. From my Linux system I can: linux> tar cvf //solaris/foo.tar //nt/users or: linux> cd //solaris/etc linux> vi passwd Basically, nsh removes the need for rlogin/telnet sessions to a system and provides for heavily encrypted sessions, user/machine ACLs, and many other niceties. The price is incredibly reasonable at $150 per seat. The advised way of using nsh is to set up a limited number of machines as "administration" hosts, and run the server daemon where ever else you need to. Nsh comes with Perl modules to allow access from perl programs, and works on all major versions of Unix/Linux, with the nsh daemon available for W95/NT. Now, for the last, but one of the neatest! Spiderplant. This is an environmental monitoring gizmo that can connect to the serial port of any system. In short, you can designate any system as an environment monitoring station and connect this little black box to your serial port. It costs $100 for "The little black box" and 1 probe, $15 extra for each additional probe. The software is Open Source so you can hack it to your heart's content :) Here are the vital stats: Temperature Range: -55/+125 C in 0.1 C. Accuracy: 0.5 C. Sensors: 15 (or more) per device, 16 devices per serial line. Data Connection: RS-232, 1200 baud, 8,N,1. DB9 or DB25 connector to computer. Size: Main unit measures 3.5" x 2.25" x 1". Comes with 14-foot serial cable, 10-foot probe cable. Certification: Complies with FCC rules part 15 (Class B, for home or office use, US and Canada). Here are the URLs for the products mentioned: http://www.openbsd.org/ http://www.sarcheck.com/ http://www.shpink.com/ http://www.spiderplant.com/ http://www.shpink.com/ Hopefully someone will provide a trip report of the rest of the LISA conference for those of us unfortunate enough to have missed it. -- Paul _________________________________________________________________ Copyright © 1999, Paul Lussier Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ "Linux Gazette...making Linux just a little more fun!" _________________________________________________________________ X Windows versus Windows 95/98/NT: No contest By Paul Gregory Cooper _________________________________________________________________ In the December Issue of the Linux Journal Sergio Martinez wrote in asking for a (quick) article about the differences between X and Windows 95/98/NT (w95) -- see below. This is my attempt to answer his questions - I remember asking similar things when I started using UNIX 4 years ago. [More answers can be found in the 2 Cent Tips Column. --Editor] I've tried to aim this article at the 'Linux newbie' and as I am not an X hacker, and never been a w95 hacker, there may well be inaccuracies, but I have tried to capture the ideas and spirit of X (and w95, such as it has any). I would be pleased to hear from Xperts and newbies alike. Sergio has asked questions relating to GNOME and KDE and for the most part I treat them as equivalent (in the same way I'm treating all window managers as equivalent). I should state now that I prefer using GNOME over KDE, irrespective of the ongoing KDE / Open Source debate, hence I have more experience in GNOME than in KDE. This too may lead to inaccuracies. Mail criticisms to pgc@maths.warwick.ac.uk. _________________________________________________________________ This is Sergios mail; I'm just writing in with an idea for a quick article. I've been using the GNOME desktop. I'm a relative Linux newbie though, and I think that many of your less experienced readers could probably benefit from a short article about window managers. These are some things I currently don't quite understand: 1.Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows? 2.Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows? 3.What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it? 4.What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do? 5.How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use? 6.What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source? These are some questions that might make an enlightening, short article. Thank you for your consideration. -- Sergio E. Martinez _________________________________________________________________ Before I try to answer each point I'll try to give a quick intro into X-windows. Think of X as just another program. When you type startx what happens is that X starts (shock!), in the background, and runs the .xinitrc file. The .xinitrc tells X what programs to start once X itself has started - more on this later. (Some systems use the .Xclients file instead of .xinitrc - I'll just use .xinintrc). So X is just another program but what does it do? Roughly speaking X takes control of the screen from the command line and provides the system with the ability to create windows and communicate with them. Basically that's ALL it does - decorating, moving, resizing, focus, etc, (i.e. managing the windows X provides) is left to the window manager. What's clever about X is uses a client/server model and is network transparent. This is a bunch of jargon - what does it mean? When you type startx you are starting the X-server, when you run an 'X-application', e.g. netscape, this is a client to which the X-server gives a window. Similarly xterm is an X-app which puts the command line in a window. Network transparency doesn't mean much if you're not networked so let's suppose the computer you started X on is called fourier and is networked. Now a program on any computer on the network can ask the X-server on fourier to start a window for it (on fourier), for instance from fourier you could telnet to cauchy (another computer on your network) and run netscape and have the netscape window appear on your screen (connected to fourier). In fact it works the other way round too - an X-server can have many screens (or, as it calls them, displays) connected to it at once - all different - and those screens can be at the other end of a network. This goes back to (one of) the original design purpose(s) of X which was for X-terminals, i.e. things that looked like a computer but were no more than a screen, some memory, a bios, and a network card connected to one (or many) UNIX mainframe(s). See this page for details of how to turn old 386/486's into xterminals. 1.Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows? Ok, so we have more jargon - I hope I get this right ;-). An interface is the way in which a piece of software interacts with the user. Unix commands use a command line interface (CLI) whereas X-applications use a graphical user interface (GUI). However different applications tend to use different approaches to the GUI, for instance when you select a menu does one click bring the menu up (e.g. netscape) or do you have to hold the mouse button down (e.g. ghostview). What GNOME, KDE, and w95 try to provide a consistent GUI amongst all applications, or at least amongst the common parts of applications, e.g. menus, file selection, window controls, scrollbars, etc. See the GUI hall of fame/shame for examples of good/bad GUI design (in windows environment). As was mentioned above a window manager takes over where X leaves of - that is, controlling the windows X gives it. Window managers usually give you alot more that the just the ability to move, resize, or iconify windows. Many also provide virtual desktops, taskbars, themes, app managers, etc. See Window managers for X for a list of most, if not all, wm's. Desktop has (as far as I can tell) two usages. We use 'the desktop' to refer to the background part of the screen. GNOME, KDE, W95, and MacOS all 'provide a desktop' meaning the background is more that just a canvas for a nice picture - it acts like any directory in the system. Technically all this means is that you can place files onto it. However these may be data (like a letter to gran) or programs, (e.g. netscape, emacs, etc). Usually this 'background as directory' philosophy is coupled with a graphical file manager, so that when you (double) click on a file either it runs (if it's a program) or a suitable program is started to read the data in the file. In this context 'desktop' can also include a GUI, so that when people say that all Linux/UNIX is missing is a 'desktop' what they mean is a consistent design of common parts of programs, a graphical file manager, and the ability to leave files littered on the desktop ;-) 2.Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows? I like to think of the window manager, fvwm95, window maker, etc, and the desktop, GNOME or KDE, as running in conjunction with X - but this is just semantics. The window manager and/or desktop is started (in the .xinitrc file) after X has started. The traditional (i.e. pre KDE/GNOME) setup of .xinitrc (after some environment settings) is to have some xterms and a window manager, so the last lines of the .xinitrc might look like; xterm & xterm & fvwm95 The window manager is the last thing started by .xinitrc and when the wm exits, .xinitrc finishes and then X terminates. If you were using GNOME the last few lines of the .xinitrc would now be; fvwm95 & gnome-session And for KDE it would be; startkde As before GNOME (KDE) are the last things started by .xinitrc and so when you logout of GNOME (KDE) the gnome-session (startkde) termintes, .xinitrc finishes, and then X terminates. In both these examples the xterms are left out as GNOME and KDE provide sessions management, which means any application left running when the session ends get started when you startup the next time. Windows has some session management too. See the next answer as to why the window manager is started for GNOME but not for KDE. 3.What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it? AFAIK an application is a GNOME (KDE) application of it conforms to the GNOME (KDE) GUI guidelines/specifications and uses the Gtk+ (qt) libraries. All this means is that GNOME apps use Gtk+ to build menu's, buttons, scroll bars, file selectors, etc and they do so in a consistent way (as defined by the GNOME team), e.g. all menus are left justified, all apps have a FILE menu as the left-most menu, etc. Same for KDE except they use the qt library by Troll Tech (and possibly a different set of design guidelines). Any GNOME app will run provided you have Gtk+ (and the other GNOME libraries) installed and similarly any KDE app will run so long as you have qt (and other KDE libraries) installed - you do not have to be running GNOME/KDE to use a GNOME/KDE application. The only other additional thing GNOME/KDE apps may have is drag and drop awareness, e.g. in GNOME you can drag a JPG from a GMC (file manger) window into an ElectricEyes (graphics viewer) window and ElecticEyes will display this file. You can do similar things in KDE. GNOME and KDE have different attitudes to window managers. KDE prefers to work with its own window manager Kvm, and GNOME is 'window manager agnostic' - well those are the 'party lines'. You can get other wm's to work with KDE (so I'm told) and GNOME should work with any wm but prefers to work with a window manager that is ICCCM compliant and 'GNOME aware'. I'm not sure what this means but I know the only totally compliant wm is Enlightenment DR0.15 (which is only available through CVS at the moment) followed by icewm, and with blackbox and windowmaker a little way behind. I think that the KDE team are working towards making KDE less dependent on Kvm and defining what a KDE wm should be. 4.What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do? Whoops - I think I answered this above. Gtk+ and qt are toolkits for building menu's, buttons, scrollbars, dialog boxes, and loads more. 5.How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use? I'm not sure I understand this question let alone know how to answer it, so instead I'll answer what I think you might be asking which is; What's the difference between UNIX + X and W95/98/NT. The first thing to point out is the component nature of the UNIX approach to a GUI/Desktop. First we have the OS itself, in our case Linux, on top of that we have the window system, X, and in conjunction with that we have the window manager, fvwm (for example), and in conjunction with these two we have the desktop/gui, either GNOME or KDE. This follows the general philosophy of UNIX which is to build small tools that interact which each other in well defined ways. It may seem shambolic but it is a strength. It means that one or other of the pieces can be interchanged, which gives the user lots of choice (perhaps too much), and also allows for technological improvements. For instance X is just one windowing system and may not last forever (gasp!) There are others, e.g. the hungry programmers Y. This also gives the user the choice of which window manager or desktop to use, or in fact whether to use windows and desktops at all - it may seem strange but some people prefer the command line, and others use X and a window manager but don't like GNOME or KDE. Windows95/98/NT on the other hand is a different kettle of fish. Here the OS, GUI, WM, and desktop aren't clearly separated (as in UNIX) but are all rolled into one. Thus you have whatever choice Microsoft happen to give you, i.e. windows themes. For Microsoft this is an advantage - it stops people butting in and rewriting parts of their OS which could potentially lose them money. For instance they realized that with the old windows 2/3.1 you could simply replace MS DOS with another compatible DOS such as DR DOS from Caldera. In an ongoing court case Caldera allege that MS added code to windows to make it seem like there was a bug in DR DOS. With 9*/NT being all rolled in one there is no need to resort to such tactics. IMO the W95 desktop is inferior because the user is limited to one design whereas on a linux system there is a wm + desktop to suit just about everybody (including those that don't want either a wm or a desktop). 6.What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source? It's not widely adopted because it is commercial, not open source, a resourse hog, has security problems (RedHat stopped selling it for this reason), and is IMHO outdated. _________________________________________________________________ Copyright © 1999, Paul Gregory Cooper Published in Issue 36 of Linux Gazette, January 1999 _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back Next _________________________________________________________________ Linux Gazette Back Page Copyright © 1999 Specialized Systems Consultants, Inc. For information regarding copying and distribution of this material see the Copying License. _________________________________________________________________ Contents: * About This Month's Authors * Not Linux _________________________________________________________________ About This Month's Authors _________________________________________________________________ Hassan Ali Hassan is a Ph.D. degree holder in numerical techniques applied to electromagnetics from the University of Ottawa, Canada. He is presently working with NORTEL NETWORKS in Ottawa, Canada, as a specialist in software tools used to predict signal integrity, and electromagnetic compatibility (EMC) on printed circuit boards. Having been introduced to Linux by a friend about 2 years ago, he has never stopped having fun with it. Hassan loves to write about whatever little he knows about for others to learn or to correct him. Larry Ayers Larry lives on a small farm in northern Missouri, where he is currently engaged in building a timber-frame house for his family. He operates a portable band-saw mill, does general woodworking, plays the fiddle and searches for rare prairie plants, as well as growing shiitake mushrooms. He is also struggling with configuring a Usenet news server for his local ISP. Bill Bennet Bill, the ComputerHelperGuy, lives in Selkirk, Manitoba, Canada; the "Catfish Capitol of North America" if not the world. He is on the Internet at www.chguy.net. He tells us "I have been a PC user since 1983 when I got my start as a Radio Shack manager. After five years in the trenches, I went into business for myself. Now happily divorced from reality, I live next to my Linux box and sell and support GPL distributions of all major Linux flavours. I was a beta tester for the PC version of Playmaker Football and I play `pentium-required' games on the i486. I want to help Linux become a great success in the gaming world, since that will be how Linux will take over the desktop from DOS." It is hard to believe that his five years of university was only good for fostering creative writing skills. John Blair John currently works as a software engineer at Cobalt Microserver. When he's not hacking Cobalt's cute blue Qube, he's hanging out with his wife Rachel and newborn son Ethan. John is also the author of Samba: Integrating UNIX and Windows, published by SSC. Bryan Patrick Coleman Bryan attends the University of North Carolina at Greensboro where he is persuing a B.S. in both Computer Science and Anthropology. He has been involved with Linux since 1994 kernel?, and helped found the Triad Linux Users Group located in central North Carolina. His future plans are for a PhD in computer science and a career where he can use Linux. Paul Cooper Paul is a Ph.D. student at the Mathematics Institute Warwick university. To help finance his studies he also works in the dept. computer support team, mostly writing documentation. His main interest outside of Maths and Linux, is American Football, in particular playing for the university team, the Warwick Wolves. Jurgen Defurne Jurgen is an Analyst/programmer in financial company (Y2K and Euro). He became interested in microprocessors 18 years ago, when my eyes saw the TRS-80 in the Tandy (Radio Shack) catalog. I read all I could find about microprocessors, which was then mostly confined to 8080/8088/Z80. The only thing he could do back then was write programs in assembler without even having a computer. When he was 18, he gathered enough money to buy his first computer, the Sinclair ZX Spectrum. He studied electronics and learned programming mostly on his own. He worked with several languages (C, C++, xBase/Clipper, Cobol, FORTH) and several different systems in different areas: programming of test equipment, single- and multi-user databases in quality control and customer support, and PLCs in an aluminium foundry/milling factory. Jim Dennis Jim is the proprietor of Starshine Technical Services. His professional experience includes work in the technical support, quality assurance, and information services (MIS) departments of software companies like Quarterdeck, Symantec/ Peter Norton Group, and McAfee Associates -- as well as positions (field service rep) with smaller VAR's. He's been using Linux since version 0.99p10 and is an active participant on an ever-changing list of mailing lists and newsgroups. He's just started collaborating on the 2nd Edition for a book on Unix systems administration. Jim is an avid science fiction fan -- and was married at the World Science Fiction Convention in Anaheim. Vivek Haldar Vivek is a third year BTech student at the Indian Institute of Technology, and has been using Linux for the past two years, both at home and college. Ron Jenkins Ron has over 20 years experience in RF design, satellite systems, and UNIX/NT administration. He currently resides in Central Missouri where he will be spending the next 6 to 8 months recovering from knee surgery and looking for some telecommuting work. Ron is married and has two stepchildren. Gustavo Larriera Gustavo teachs database courses at Universitario Autonomo del Sur (Montevideo, Uruguay). He is also the webmaster of the only official mirror site of Linux Gazette in his country [http://www.silab.ei.edu.uy/lg/]. He is a Linux average user and also a Microsoft Certified Professional in NT. He hopes that is not considered a great disadvantage :-) Joe Merlino Joe Merlino is a library assistant at Georgia Tech. He lives with his wife in Athens, Georgia. Consequently, he spends a lot of time in the car, where he thinks up projects to try on his linux box. _________________________________________________________________ Not Linux _________________________________________________________________ Thanks to all our authors, not just the ones above, but also those who wrote giving us their tips and tricks and making suggestions. Thanks also to our new mirror sites. With the Holidays, I took a week vacation to go back to Houston and visit family and friends. I had a wonderful time. My grandchildren are smarter and more beautiful each time I see them. I have a new picture of Sarah and Rebecca on my home page. My best friend, Benegene, had arranged for a get together with three friends from our university (Baylor) days. We had a lot of fun catching up and talking about old times. It was amazing how different the memories were that stood out in each of our minds. Only goes to prove that what one person finds remarkable may be quite "ho hum" to the next. Ah well, it was a good evening and one I hope will be repeated. Have fun! _________________________________________________________________ Marjorie L. Richardson Editor, Linux Gazette, gazette@ssc.com _________________________________________________________________ [ TABLE OF CONTENTS ] [ FRONT PAGE ] Back _________________________________________________________________ Linux Gazette Issue 36, January 1999, http://www.linuxgazette.com This page written and maintained by the Editor of Linux Gazette, gazette@ssc.com