Configuring X Window

Each distribution seems to have it's own thing for configuring X:

xf86config

Standard X Window configuration tool

system-config-display

Red Hat/Fedora X-window configuration tool

redhat-config-xfree86/Xconfigurator

Older Red Hat and Fedora versions

sax

Suse Linux

CD recording stuff

Detecting the CD recorder

cdrecord -scanbus

To burn a CD

cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject speed=2 archive.iso
Omit the -multi if it's a single session CD.

To burn a multisession CD

First burn:
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session1.iso
For subsequent burn:
First create the ISO
Place the CD in the drive. Execute
cdrecord dev=0,1,0 -msinfo
0,27139
mkisofs -o session2.iso -Jr -V Session2 -C 0,27139 -M 0,0,0 /path/to/files/

Alternately:
mkisofs -o session2.iso -Jr -V Session2 -C $(cdrecord dev=0,1,0 -msinfo) -M 0,0,0 /path/2/files/

Now burn (dropping the -multi for the last burn):
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session2.iso

Simplify the cdrecord command line

To keep the cdrecord command line simple, put common options in /etc/default/cdrecord:
#/etc/default/cdrecord
CDR_DEVICE=0,0,0
CDR_SPEED=2

Now the command line can be greatly simplified to:
cdrecord archive.iso


To erase a CD-RW

cdrecord -v dev=0,0,0 blank=all
where

-v

verbose

dev

cdrom device (detected using cdrecord -scanbus)

blank=all

blanks the entire disk.

Creating a hybrid ISO

mkisofs -a -J -r -v -V vol_label -L -o img1.iso ~/cds/cd0/
where:

-a

Include all files on the ISO9660 file system. Files that contain '~' or '#' will be included.

-r

Use rockridge naming conventions

-J

Generate Joliet directory records in addition to iso9660.

-L

Allow file names to begin with a period.

-o outputfilename

output file name.

Test the created ISO by mounting it with mount -o loop.

Changing role in SELinux enabled FC4

To run a command with a different role, first use newrole to change the role. For example, to switch to the sysadm_r role:
newrole -r sysadm_r

Enabling public_html for Apache in FC4

To enable per-user web directories on SELinux enabled FC3+, edit /etc/httpd/conf/httpd.conf:

• Comment out the line UserDir disable
• Add UserDir public_html.
• Save the file and run service httpd reload

Each user who needs web directories must do the following:

• Create ~/public_html, and populate it.
• Change perms with chmod
• Change the security context of the folder recursively:
  chcon -R -t httpd_user_content_t ~/public_html/


At this point, it should work. If it does not, check to see that the Boolean that enables user home directories is enabled:

• Run system-config-securitylevel
• Under the SELinux tab within the Modify SELinux Policy area: enable Allow HTTPD to read home directories.
• Alternatively, execute
  setsebool httpd_enable_homedirs true

Preventing console message flooding

To prevent kernel messages flooding the console:
dmesg -n 1


SE Linux essentials (FC3)

Bare minimal SElinux:

• SELinux in FC3 uses a targeted policy by default. One could opt for a strict policy too, which was default with FC2. The policy files needed are in these RPMs
  selinux-policy-strict-.rpm and selinux-policy-strict-sources-.rpm
  • selinux-policy-targeted-.rpm and selinux-policy-targeted-sources-.rpm
  The policy source resides in /etc/selinux/policyname/src/policy, when it is installed, and the binary policy file is in /etc/selinux/policyname/policy.
• Use system-config-securitylevel to change SELinux based settings.
• The ls command's -Z option will display the security context of a file
• The id command's -Z option will display the security context of a user
• The ps command's -Z option will display the security context of a process.
• Don't take policy switching lightly. Unless of course, it's for learning :)
• To change the policy - easy way - run system-config-securitylevel, change the policy and reboot.
• To change the policy manually -
  1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
  2. Set the mode to permissive. SELINUX=permissive.
  3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
  4. Reboot the system.
  5. Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
  6. When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
• Ordinary backups will not backup the security context which are stored as extended attributes. Use star to backup files on an SElinux protected system. In particular, use the -xattr and -H=exustar options. Eg:
  star -xattr -H=exustar -c -f ../test.star ./*

• The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive. Similarly, ooting the kernel with enforcing=1 is the same as SELINUX=enforcing
• As a safer alternative to booting with selinux=0, use SELINUX=disabled in /etc/selinux/config.
• To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
• To turn off selinux at bootup, add selinux=0 to your kernel command line. Note that if you boot with selinux=0, any files you create while SELinux is disabled will NOT have SELinux context information. If booting with selinux=1 fails, relabel the files with a touch /.autorelabel and reboot into single user mode.
• /usr/sbin/sestatus -v displays status info about SELinux
• To relabel a directory, use restorecon -v -R /path.
• If you have file systems shared by both SELinux enabled and non-SELinux machines - eg a dual-boot Suse and FC4 sharing the same /home, it sort of spells trouble when booting into SElinux as it may require relabelling.
• Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having a context of nfs_t. To override the default context to say, system_u:object_r:tmp_t to SELinux:
mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
• To change and load the security policy:
cd /etc/selinux/targeted/src/policy
make clean
make load


Upgrading CentOS 4.0 to CentOS 4.1

CentOS 4 is basically Red Hat Enterprise Linux 4. I just upgraded it to CentOS 4.1 using the rpms using these steps:

• Download the rpms from CentOS/4.1/os on any mirror.
• Download the updates from CentOS/4.1/updates on any mirror.
• Download any extra modules that depend on the kernel version. In my case, I had to download linux-ntfs rpms for the 2.6.11ELhugemem kernel.
• Disable selinux using
  setenforce 0.
  (Failing to do this made the rpm postinstall fail for some rpm files. Off the cuff, I recall the rpms for bzip2-libs, and krb5-* failing.)
• From the directory containing the 4.1 rpms, run
  rpm -Fvh *.rpm
  You do need a lot of free disk space for this to work. Alternately, freshen a few rpms at a time :)
• Now enable selinux with setenforce 1.
  
• Reboot in run level 1 so that no services start up
• Run
  /sbin/fixfiles relabel
  Alternately, to speeden things up, you can also use
  /sbin/restorecon -R pathname
  to recursively restore security context on the specified path - in my case /lib and /usr/lib were definitely affected. I opted for the fixfiles approach rather than weed out directories individually.
• Change to the normal runlevel

That's all there is to it :-)

Adorning links in HTML with images

Not really linux - more HTML+CSS stuff :-) I always wondered if it would be too painful to get images next to links like the way they have in some wikis. Seems for every HTML problem, there's a CSS solution lurking, just waiting to jump out :-) You need to do something like this:
<style>
.whatever {
background-color: transparent;
background-image: url(imgfilename);
background-attachment: scroll;
background-repeat: no-repeat;
/* Change following to 'right' instead of 'left' if you need it right aligned. */
background-position: left;
/* Change following to 'right' instead of 'left' if you need it right aligned. */
padding-left: 18px;
}
</style>
<body>
... Testing <a class="whatever" href="...">links</a>
</body>

I'll probably separate out the HTML stuff from this blog if there are too many of these HTML tips.

Installing grub on removable media

Grub is a really nifty boot loader. I especially love two things about it:

• A command-line interface
• No reinstallation for kernel changes

Even if the OS boot loader gets knackered, you can probably restore it if you have a grub floppy.

Installing grub on a floppy
Here's how to get grub on a floppy:

• Kiss the prior contents of the floppy goodbye ;-)
• Change to the directory /usr/share/grub/i386-redhat (on fedora) or /usr/lib/grub (on Suse) or /usr/share/grub/i386-pc if you built and installed grub yourself
  
• Execute the commands:
dd if=stage1 of=/dev/fd0 bs=512 count=1
dd if=stage2 of=/dev/fd0 bs=512 seek=1


You ought to be able to get a grub prompt on booting with this disk.

Here's another way to do the same thing - not so destructively

• Mount a ext2-formatted floppy to say /mnt/floppy
• Copy the contents of the /usr/share/grub/i386*/{stage1,stage2,e2fs_stage1_5} to /mnt/floppy/boot/
• Optionally create a /mnt/floppy/boot/menu.lst
• Execute grub-install --root-directory=/mnt/floppy fd0
• Umount the floppy

If you dont have grub-install, or are paranoid about using it, there's yet another way - boot into a grub prompt either using a floppy created using the destructive way outlined above, or on some machine with grub installed on the hard disk. Drop to a grub prompt. Then place the ext2 floppy in the drive and execute:
root (fd0)
setup (fd0)
You ought to have a grub-bootable on your hands now. I think the grub-install part ought to work with USB drives as well tho' I haven't really tried it.

Installing grub on a CD

• mkdir -p iso/boot/grub
• cp /usr/share/grub/i386-*/stage2_eltorito iso/boot/grub
• Optionally create a iso/boot/grub/menu.lst.
• Create an iso image:
  mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot \
  -boot-load-size 4 -boot-info-table -o grub.iso iso
• Burn the grub.iso image to cd.

Hopefully if all goes right, you have a bootable grub CD. Of course, try this with rewriteable CDs if you *really* need to be sure :)

Unzipping large files in Linux

Infozip's Unzip program has certain file size limits. It may not support files whose unzipped size is larger than 4GB and instead produce this error:
skipping: yeas3/yeas3.TRC need PK compat. v4.5 (can do v2.1)
Support for unzipping large files will come with Unzip 6.x - the current version is 5.52.
So what if you want to unzip a large file on unix *now*? You could either unzip on Windows with any number of utilities (7-zip/PowerArchiver/Izarc) and somehow get the file over to Linux/Unix - or locate the unix version of 7-zip's command line utility (7za) called p7zip. All you need to do is build the executable from source:
make
make install
Then run:
7za x file.zip [filename ...]
Till unzip 6.0 arrives, this one is going to be one fixture on my machine.

NSD - Name Server Daemon

Ack! Now here's a good replacement for BIND if your requirements aren't too heavy. It's a high-performance authoritative name server. Being authoritative is good I guess since it

• separates cached & authoritative data
• simplifies the software
• avoids BIND bugs and security flaws

It caters to the security conscious with DNSSEC. I've yet to try it - looks promising, tho'.

Newsforge's 10 commandments of system administration

Newsforge has a nice collection of articles for system administration titled
The Ten Commandments of System Administration

In short:

1. Thou shalt make regular and complete backups
   Use whatever floats your boat for this one - amanda, rsync, tar, etc.
2. Thou shalt establish absolute trust in thy servers
   using file integrity tools like tripwire, aide, and afick.
3. Thou shalt be the first to know when something goes down
   using tools like Nagios, Big Sister and Zabbix
4. Thou shalt keep server logs on everything
5. Thou shalt document complete and effective policies and procedures
6. Thou shalt know what cable goes where
7. Thou shalt use encryption for insecure services
8. Thou shalt not lose system logs when a server dies
9. Thou shalt know the openings into your servers
   using the well-established nmap program.
10. Thou shalt not waste time doing repetitive and mundane tasks

TrueType and Mozilla

Downloaded and installed that latest version of Mozilla? You may need to tweak some settings - if you create a new profile, these steps would have to be repeated

1. In the location bar, type about:config
2. In the filter bar that appears, type font
3. Locate the line "font.FreeType2.enable". If the value here is false, change it to true
4. Edit the /default/firefox.js or /default/unix.js and add a line for each directory with TrueType/OpenType fonts like this:
   pref("font.directory.truetype.1", "/usr/local/share/fonts/TrueType");
pref("font.directory.truetype.2", "/usr/share/fonts/TrueType");


Now hopefully mozilla will render fonts better. If not, check this page for anything I may have missed out.

Changing display managers

To use kdm as the default display manager instead of gdm in Fedora/Redhat/Mandrake distributions, edit /etc/sysconfig/desktop and add DISPLAYMANAGER="kdm" (or just edit the DISPLAYMANAGER line if it already exists.) Mandrake has two versions of KDE display manager - the normal version is kdm, and Mandrake's tweaked version can be referred to with DISPLAYMANAGER="KDE".

For Suse Linux, you need to play with /etc/sysconfig/displaymanager and edit the DISPLAYMANAGER line either using a text editor or the /etc/sysconfig/Editor in YaST.

xargs and maverick tars

Ever had a tar file which didn't have a directory as it's top level entry? I really hate these maverick tarballs - I really like the idea of tarballs storing a directory and it's contents rather than merely a directory. Why? So that when untarred, it doesn't spew files in the current directory and mess things up. Sybase's ASE tarballs come to mind on this one. Anyways, if you have to clean the mess, it's not a big deal. I use
tar tf filename.tar | xargs rm
Of course, use jtf for filename.tar.bz2 and ztf for filename.tar.gz. :)

grep is good, grep is fun, grep is good for every1

I love the GNU grep over the normal U*x grep. It has a few cool extensions over the POSIX grep. One of them is the -R option that lets you recurse through directories to search for a pattern. That's one of the reasons I've always compiled the GNU grep on U*x machines as well. If there's no option but to use the standard grep, all isn't lost - xargs and find along with grepdo the same job. i.e.
find -type f -print| xargs grep -li "pattern"

It's no fun having three processes to do something instead of merely one, but that's the only option when in a bind.

Which ports in use? Who opened them?

Two questions I get frequently asked is:

• How do I figure which ports are in use?
• How do I figure which program is holding this port open?

Q. How do I figure which ports are in use?
A. Every OS with TCP/IP as a network stack includes a command called netstat. Use
netstat -na
to display all open port numbers.

The -a and -n are probably the most portable command options to netstat. You can fine-tune the output - say for example you want to see only TCP ports and not UDP, IPv4 only and not IPv6, etc. Those are pretty OS specific options tho'. For example, Linux's netstat has the option -l to list only listening ports. The netstat version supplied with Windows 2000 or Solaris does not have an equivalent option! It's best to check up the help text (man pages on U*x) to determine the supported options

Q. How do I figure which program is holding port open?
A. Use lsof. In particular, use
lsof | grep "nn"
to figure the process holding the port open. Of course you can also use
lsof| grep -i "progname"
to figure the ports the program progname has open.

It may not be present on all U*x machines, but no big deal - download the sources off ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/lsof and compile. At least you get prebuilt binaries for Linux and Solaris. Other than these platforms, lsof works fine with AIX 5, Apple Darwin 7.7.0, *BSD, HP-UX and Tru64 UNIX 5.1. Sorry, lsof doesn't do Windows. Use Sysinternal's Process Explorer to determine open ports for Windows machines.

Screen captures in Unix/Linux

There are several tools around for screen caps in Unix/Linux.

First option:
GNOME users: Use the built-in tool to take a screen shot. You don't need to go as far to launch it. A PrintScreen to take a screenshot of the desktop is enough. Want only a window? Get the window into focus and hit Alt+PrintScreen.

KDE users: ksnapshot is pretty impressive. It too can take images of the desktop or window.

Second option (in order of preference):
gimp: GIMP can take screenshots - gimp1 seems to dither on Solaris 8 tho'. At least on the installation I worked with it didn't work too well. It still worked a lot better than Solaris's own sdtimage.

xv: A fast image viewer - it can also take screenshots. :) The reason it is second in preference is it is shareware - it may not readily be available on the machine.

stdimage: This tool is available on Solaris only. Not too impressive - kept crashing in Solaris 8 :(

Last option: Use the command line. My favorite in order of preference:
import: Part of ImageMagick's impressive suite.

xwd and convert: xwd can capture X-Window dumps but the format is not understood by most image viewers. ImageMagick's convert however can convert these files into a gif/jpeg/whatever else.

There probably are other means too, but I'm not really aware of any other than the tools mentioned above.

Installing truetype fonts in Suse Linux

Damn! There's no ttmkfdir in Suse 9.1 - I looked, but I couldn't find it. Maybe I'm missing something. :( In any case, the help for installing new fonts is in the Administration Guide, Chapter 4, section 2.

Simply install the fonts in some directory which is a subdirectory of the directories listed in /etc/fonts/fonts.conf. For example, /usr/X11R6/lib/X11/fonts/truetype Alternately, use KDE's font installer from the Kontrol center. Either way the result is the same.

If the fonts are already present in some other partition - for example, the /fonts/ directory on the Windows partition, create symlinks to those fonts using SuSEconfig --module fonts

This is applicable for all font types - bitmap fonts, TrueType and OpenType fonts, and Type1 (PostScript) fonts. It isn't applicable to CID fonts. CID-keyed fonts must be installed in /usr/share/ghostscript/Resource/CIDFont.

In any case, given that ~/.fonts is mentioned in /etc/fons/fonts.conf in both Red Hat/Fedora and Suse, one of the simplest ways to install fonts - one common to both flavors of Linux would be to drop the fonts in ~/.fonts.

Displaying multipage fax documents

A received fax is usually a TIFF file - but if it's multi-page, the usual image viewing proggies like gimp, xv, et al do not show more than one page. That's when KFax comes to the rescue - navigation with KFax thru a multi-page document is as simple as using PgUp and PgDn.