Welcome
COMMENT
The brighter side

Dear Linux Magazine Reader,

The year started with bad news. Disney won the Eldred case, which meant that anything made after 1920 in the USA will never go out of copyright. This was a bitter blow to free press publications, who had hoped to be able to print many works on the internet. Free publishing would have allowed some books to be read in differing formats, such as the braille or moon systems for the blind; due to low demand, these would not be produced by the current publishers. Poorer nations will also not get the chance to self-publish. The same day MandrakeSoft filed for the equivalent of Chapter 11 bankruptcy protection. Apple announced that its new Safari browser was built around the Konqueror engine rather than the one from Mozilla, much to the anger of some Mozilla supporters. SCO was rumoured to be considering charging all Linux users $90 in royalty payments for the use of its intellectual property.

Fortunately the gloom started to lift, with SCO disputing the claim. Mandrake 9.1 Beta started to hit the mirrors, and Konqueror supporters pointed out that Apple chose on quality, not history. Just to show that not all court cases go the wrong way for Free Software, Jon Johansen was acquitted over the DeCSS DVD region cracking code by the Norwegian Supreme Court.

Competition is a good thing for Free Software. When you are involved in a project and a rival launches a new version, you get a small sinking feeling that they are doing things better and all your efforts are wasted. They have a shiny new toy with different colors and features. Everyone is talking about it and yours is forgotten. Fortunately, sanity then takes back its hold on your mind and you realize that they may have a good feature that you should possibly include, but they are doing everything wrong. This spurs you into a coding frenzy with the rest of the team. Finally, you release your next version, causing the rivals to go through the same process. Slowly both projects improve until they are unrecognizable to any user who has not updated frequently. New versions cause offshoot projects. More programs to satisfy every niche. Over time the software evolves.

A user of the Linux desktop just a couple of years ago would be amazed at the current modern versions. Will this continue? So far the trend has shown no sign of levelling out. In fact the rate of improvement is increasing. KDE and Gnome both still continue to battle for the desktop, causing each to be more inventive. The major distributions throw us new versions, each with more features and easier-to-use options. A whole host of new ‘design yourself a Linux distribution’ projects have sprung up, and the number of novel software projects announced each month keeps increasing. This could be due to the winter weather keeping everyone inside with nothing to do but code, or it could be that coders are becoming more inventive and the thought of turning what would have been a personal exercise into a free and open project is more appealing. Or, to quote Linus’ Law from Eric Raymond: “Given enough eyeballs, all bugs are shallow.”

Happy Hacking,
John Southern, Editor

Get connected!
This month we focus on the network. Whether you are running a Small Office / Home Office of your own or connecting into a large multi-site work domain, the ability to cope with a network will affect us all. Even on a single machine we can network between host and guest operating systems. In our world, we continually come up against other operating systems. Connecting to these may be necessary or just a convenience. To help you in this chore we have expanded the network feature to include Samba.

We pride ourselves on the origins of our publication, which come from the early days of the Linux revolution. Our sister publication in Germany, founded in 1994, was the first Linux magazine in Europe. Since then, our network and expertise have grown and expanded with the Linux community around the world. As a reader of Linux Magazine, you are joining an information network that is dedicated to distributing knowledge and technical expertise. We’re not simply reporting on the Linux and Open Source movement, we’re part of it.
www.linux-magazine.com
March 2003
LINUX MAGAZINE
NEWS
Software ... 6
Business ... 8
World ... 12
Insecurity ... 14
Kernel ... 16
Letters ... 18

COVER STORY
Networking Intro ... 19
Networking Basics ... 20
No matter if you are simply connecting to a network or use a laptop at home and at the office to log on to different networks every day, the mystery of connecting up to a network remains the same. Fortunately, there is no black magic involved – it is just a question of understanding the basic procedures. With just a few clicks in the right menus you will be happily connected to a new network.
Red Hat Network Configuration ... 24
Discover the tools for setting up small local networks.
SuSE Network Configuration ... 28
Let SuSE’s YaST lend a hand in network configuration.
SMB Clients ... 31
Provide convenient access to genuine Windows shares.
Samba Share Configuration ... 34
Who is allowed to access, to view which directories?
Samba Domains ... 38
Integrating NT4 domains with Samba.
Samba Authentication ... 41
Explore the important aspects of Windows user access.

REVIEWS
Check Point SecurePlatform ... 44
Check Point’s SecurePlatform provides a hardened Red Hat Linux with Check Point’s own Firewall-1 NG and allows you to install an extremely well-secured firewall and a minimal Linux distribution yourself within just a few minutes – without any of the usual assistance from system integrators or consultants. The system can be set up for either a business or a small office.
Crossover Office ... 48
Get Microsoft Office Suite running on Linux.
Bochs PC Emulator ... 50
A free portable x86 emulator.

KNOW HOW
LaTeX Workshop: Part II ... 54
Putting some structure into your LaTeX documents.
SMB Protocol ... 58
The Server Message Block (SMB) protocol specifies how Windows computers communicate on a network. SMB provides access to files, printers, serial lines and communication channels such as named pipes and mailslots. Samba is a free SMB implementation. We explain the history and the basics of the protocol to enable you to use SMB-capable computers as both clients and servers for peer-to-peer networking, sharing that all important data.

SYSADMIN
Charly’s column ... 61
Real System Admin tips and tricks to help you.
Cryptography ... 62
If an attacker gains direct access to a computer, any data stored there is up for grabs, even if they have to physically remove the hard disk. The only safeguard is to encrypt. Rather than spend time encrypting on a file by file basis, you should opt for an encrypted file system. It is not necessary to set up another partition, as you can use the loopback device to mount files as block devices.
rsync ... 66
Synchronize local and remote files and directories by checking for differences first.

PROGRAMMING
Stadrin ... 68
Secure dynamic authentication mechanisms with the Stadrin system.
Coin 3D ... 72
Qt and Coin, the Open Inventor clone, make programming 3D worlds easier than with OpenGL.
LinuxBIOS ... 76
If you have not come across the LinuxBIOS project yet, you may be amazed at what it sets out to do. The project releases yet another part of your PC to Open Source software. By changing the software on the BIOS chip itself, you can boot the Linux kernel within seconds of turning the machine on.

LINUX USER
KTools: KNewsticker ... 82
Get the latest world headlines delivered to your desk.
DeskTOPia: IceWM ... 84
There is no need to throw away your old hardware. It may not be able to cope with KDE and Gnome, but IceWM is small and neat. With a little planning you will be able to still use last year’s make of computer with a modern GUI environment. Even with such a small footprint, this window manager has all the essential features that you require.
Out of the Box: Highlight ... 86
Syntax highlighting improves code readability.
Creating CD images: mkisofs & dd ... 88
Make an image, then test mount before burning to CD.
Dr. Linux: Help for Woody ... 90
We take you through the initial obstacles of Debian GNU/Linux 3.0.

COMMUNITY
Brave GNU World ... 93
The User Group Pages ... 94

SERVICE
Events / Advertiser Index / Call for Papers ... 96
Subscription CD ... 97
Next Month / Contact Info ... 98
NEWS
Software

Software News

■ KDevelop
The KDevelop team has announced the third and final alpha release of KDevelop 3.0. Sources can be downloaded and binary packages will be available soon. Since the previous alpha release almost all known crashes have been eliminated, many bugs have been fixed and an integrated valgrind part has been added. All users of earlier versions of Gideon are encouraged to upgrade, and KDevelop 2.1 users are also encouraged to try Gideon out.
■ http://www.kdevelop.org

■ Free Light backup
Arkeia Corporation has released Arkeia Light, a fully enabled free version of the company’s Arkeia V5 enterprise software for open source environments. Arkeia Light is designed to provide Linux-based PCs and small networks with enterprise-calibre backup capability at no cost for personal or commercial use. Arkeia is the most widely used professional backup solution in the Linux environment, with more than 90,000 networks world-wide protected by either the Light or the full version. This new version of Arkeia Light features the Arkeia V5 user interface, including a calendar interface for periodic backup and exception management. Arkeia Light adds support for OpenBSD and NetBSD clients and many new Linux distributions, including the recently announced UnitedLinux. Arkeia Light is a complete version of the Arkeia solution (without any time limit) for one Linux backup server attached to a SCSI single-tape tape drive and two desktop-class client machines (i.e. Linux, FreeBSD, BSD/OS, OpenBSD, NetBSD and/or a Microsoft Windows workstation – Apple MacOS X support is scheduled for quarters 1–2 of 2003).
■ http://www.arkeia.com/arkeialight.html

■ Multi-rooted Nautilus
Wolfgang Pichler has been working on a new multi-rooted tree view for Nautilus. He has released the code to try out.
■ http://www.dialog-online.at/pichler/media.tgz

■ Celestia released
Celestia is a free real-time space simulation that lets you experience our universe in three dimensions. It lets you travel not only around the surface of the Earth but throughout the solar system, to any of over 100,000 stars, or even beyond the galaxy. Celestia features seamless travel with an exponential zoom feature which lets you explore space across a huge range of scales, from galaxy clusters down to spacecraft only a few meters across. It has a ‘point-and-goto’ interface which makes it simple to navigate through the universe to the object you want to visit, and a scripting interface.
■ http://www.shatters.net/celestia/

■ Anjuta 1.0.0
Heard of Anjuta? It’s the IDE for the GNOME 1.x platform, initiated by Naba Kumar and named after his girlfriend. Recently, he announced the latest stable version – nicknamed Diwali, after the popular Indian festival of lights.
■ http://www.anjuta.org/

■ Scriptable apps
Trolltech has released the beta version of Qt Script for Applications (QSA). QSA is Trolltech’s new multiplatform scripting toolkit for Qt-based application developers. Qt Script for Applications lets developers and end-users extend and customize Qt applications through an ECMA standard scripting environment. As the scripting libraries are integrated, most Qt applications are inherently scriptable. Applications do not need to be re-written to implement this functionality. QSA features the QSA library, Qt Script and Qt Scripter. Qt Script is based on ECMAScript, which is also the foundation of JavaScript. Qt Scripter is an Integrated Development Environment (IDE) that can be deployed on a royalty-free basis with QSA-enabled Qt applications. End users and VARs (Value Added Resellers) can use Qt Scripter to visually design custom forms, and to write, run and debug forms and Qt Script code in script-enabled applications. C++ developers can create a script-enabled Qt application by specifying which features should be scriptable. The script-enabled application may then be distributed, including the QSA libraries and the Qt Scripter. The system utilizes the same ‘Signals and Slots’ mechanism as Qt. QSA has not had its pricing set yet. QSA will be released under a commercial license for Linux/Unix (X11), Windows and Mac platforms. QSA will be released under the GPL for free software development on the Linux/Unix (X11) platforms.
■ http://www.trolltech.com

■ Better graphics
nVidia Corporation has announced a series of new corporate initiatives that will extend the company’s position in the Linux market. As part of their commitment to the Linux community, they revealed details of a technical support program for end users and professional customers: a new software driver package that includes performance enhancements and new features for nVidia’s advanced graphics features, including nVidia’s CineFX architecture delivered by nVidia’s Unified Driver Architecture (UDA), and support for the latest PC technologies, including AGP 8X and OpenGL 1.4. All nVidia products, including the GeForce, GeForce Go, and NVIDIA Quadro family of graphics solutions, as well as the nVidia nForce platform processors, have been fully optimised for the Linux operating system for all major PC platforms, including those based on the Intel Pentium, Intel Itanium, and AMD Athlon CPUs. The software release also marks the first time a graphics manufacturer has publicly released Linux drivers for AMD’s upcoming Hammer platform, providing developers and OEMs an early ability to take advantage of AMD’s Athlon 64 processors before they are officially released to the market. With nVidia’s latest software release, users of nVidia Quadro-based graphics solutions can look forward to performance improvements of up to 30% compared to previous driver versions. Additionally, professional users will appreciate the performance parity on Linux versus traditional operating systems, support for multi-monitor configurations and certifications for Maya and Softimage|XSI, Shake, oil industry visual interpretive technologies and other applications used in today’s post production, special effects houses and other professional markets.
■ http://www.nvidia.co.uk

■ ACME 2.0 released
ACME is a small GNOME tool to make use of the multimedia buttons present on most laptops and internet keyboards: Volume, Brightness, Power, Eject, My Home, Search, E-Mail, Sleep, Screensaver, Finance, WWW, Calculator, Record, Close Window, Shade Window, Play, Stop, Pause, Previous, Next, Groups, Media, Refresh and Help buttons. ACME works on all the platforms GNOME supports (laptops and PCs). It uses either OSS or ALSA for volume control. Adding other sound backends is pretty easy, but for those who are not so sure, an invitation to contact the author has been sent out to anyone in difficulty, especially if you have access to other hardware/platforms where ACME doesn’t work.
■ http://www.hadess.net/misc-code.php3
NEWS
Business

Business News

■ SGI Linux Supercluster
SGI released the SGI Altix 3000 family of servers and superclusters. SGI Altix 3000 systems combine SGI’s supercomputing architecture with Intel Itanium 2 processors and the Linux operating system. For users in physical and life sciences, manufacturing, oil and gas, government and defence markets, SGI Altix 3000 superclusters offer scalability and performance increases over traditional Linux-based clusters and UNIX OS-based servers. Each node runs a single Linux operating system image with up to 64 Itanium 2 processors and 512GB of memory. With multiple nodes using the SGI built-in cluster interconnect, data is transmitted up to 200 times faster than with conventional clustering methods, enabling SGI Altix 3000 to scale to hundreds and eventually thousands of processors. Supercomputers typically require massive amounts of global shared memory to tackle complicated models, like global climate prediction or wind tunnel simulations for aircraft design, which cannot be easily solved in smaller pieces. The marriage of global shared memory and the Linux operating system creates opportunities for technical users on a standards-based platform that is built like a cluster yet works like a supercomputer. The foundation of this system is the balanced system architecture provided by the SGI NUMAlink system interconnect fabric. Common to both the SGI Origin 3000 server and the new SGI Altix 3000 family, NUMAlink delivers memory and communication information between cluster nodes up to 200 times faster than standard clustering switches. Data crosses over an SGI NUMAlink switch, round-trip, in as little as 50 nanoseconds – less time than it takes a beam of light to travel 50 feet – enabling balanced, sustained application performance on supercomputing workloads. The ultra-fast NUMAlink connection’s low latency and high bandwidth provide the basis for global shared memory. The SGI Altix 3000 family of servers and superclusters is available in both desk-side entry-level and scalable supercluster models. The entry-level server is available in the first quarter of 2003 and starts at US $70,176 (U.S. list) at four processors with up to 32GB of memory and scales to 12 processors and 96GB of memory. The supercluster model, also available this quarter, scales to hundreds of processors and over 1TB of memory, with future scalability to 2,048 processors and 16TB of global shared memory. A 64-processor SGI Altix 3000 system starts at US $1,129,262 (U.S. list), roughly one-third the price of a 64-processor IBM eServer pSeries 690-based system and less than half the HP Superdome.
■ http://www.sgi.com

■ LinuxVille
The German city of Schwäbisch Hall (population 36,000) will build its IT infrastructure entirely on SuSE Linux – replacing a more costly Windows installation. The town will deploy SuSE Linux on IBM Intel-based servers as well as up to 400 PCs – saving the city an estimated amount of more than Euro 100,000 over the Windows installation. “My decision for Linux is based on three factors,” said Hermann-Josef Pelgrim, Mayor of Schwäbisch Hall, Baden-Württemberg, Germany. “First, I expect a considerable reduction of our IT expenses due to lower software license fees. This will contribute to the consolidation of our municipal budget. Second, based on Linux’s excellent grades from the experts on security, our IT structure will become more secure. Third, the choice of open standards ensures interoperability among different technical offerings.” “Schwäbisch Hall’s decision reflects the strongly growing acceptance of Linux in enterprises and governments around the world,” said Boris Nalbach, CTO of SuSE Linux AG. “With the lower software licensing fees, as well as the lower administrative costs associated with Linux, the town will be able to provide the most cost effective civil services to its citizens.” Initially, the project includes the migration from Windows and Microsoft Office to the SuSE Linux Enterprise Client and OpenOffice.org for 120 client PCs, which will increase up to 400 client PCs in the final stage. On the server side, SuSE Linux Enterprise Server will be deployed on IBM’s eServer xSeries systems. The overall project is accompanied by an innovative financing package that enables the Municipality to accommodate customized extensions.
■ http://www.suse.de/uk/company/press/

■ Embedded market grows
MontaVista Software Inc. has released MontaVista Linux Consumer Electronics Edition 3.0 (CEE) – a Linux operating system and cross-development environment specifically designed for consumer electronics applications such as mobile phones, digital televisions, set-top boxes and automotive telematics. Recently, several global consumer electronics companies, including Sony, Panasonic (Matsushita), Toshiba America and Yamaha, have taken equity positions in MontaVista. CEE targets consumer device-specific processors and will initially support the TI OMAP 1510/5910 (and the associated Innovator Development Kit) and the IBM PowerPC 405LP (and the associated Arctic II Reference Board). Other processing platforms will be supported in the future. CEE forms the foundation of solution stacks from software partners in key mobile, home and automotive vertical markets. It includes the fully preemptive MontaVista Linux kernel and real-time scheduling, small footprint targets and flash-based journaling file systems. Consumer Electronics Edition 3.0 also incorporates dynamic power management features, file system enhancements and new tools to measure performance, system timing and memory size. It features support for XIP (eXecute In Place) of the kernel and applications, as well as streaming media optimizations. CEE integrates with consumer market middleware such as the J2ME compatible WebSphere Micro Environment from IBM, and graphics packages such as QT/E and MontaVista Graphics. Companies like Holland-based Zintec Holding and Araneo in Israel have also chosen MontaVista Linux for their digital television market products. Linux is becoming essential for many mobile and wireless applications because of its flexibility and ease of use. Texas Instruments’ wireless customers will benefit from the power management, file system and new tools. Consumer Electronics Edition 3.0 will be available in the first quarter of 2003.
■ http://www.mvista.com

■ Red Hat for governments
Red Hat, Inc. announced the appointment of Tom Rabon as executive vice president of Corporate Affairs. Rabon brings more than 25 years of experience working in the government and the private sector. Tom Rabon worked extensively with governments around the world to create market opportunities in emerging markets such as China and South America. Rabon will lead Red Hat’s government affairs and public policy initiatives. Rabon most recently served as vice president of Global Government Affairs at Lucent for six years. He led a team of government professionals in the U.S. and other countries who were responsible for representation of Lucent with all local, state, federal and international governments. Prior to that Rabon spent 13 years as a state vice president of Law and Government Affairs at AT&T. Before working in the private sector, Rabon was a member of the North Carolina State Legislature. Rabon received a BA in political science from the University of North Carolina. As many governments deploy open source technologies so their nations can participate in the global knowledge-based economy, Red Hat has the international presence, and with its skills and ambition hopes to lead this trend.
■ http://www.redhat.com/about/

■ Easier clusters
Platform Computing Inc. has said that it will offer a £75-per-CPU, entry-level version of Platform Clusterware for small-scale Linux compute clusters. The Clusterware can be deployed in a matter of minutes on smaller clusters of up to 64 CPUs running Linux on 32-bit hardware. Small workgroups, startup businesses or departments can roll out low-cost industry standards-based clusters faster and so reduce operational costs. Platform also supports Clusterware Pro, which supports both Linux and Unix environments with more than 64 CPUs. This product is an entry-level integrated software package for the use and administration of clusters, providing a range of commercially-supported, easy to implement cluster management solutions. Incorporating workload management, system monitoring and administration through an easy to use browser-based interface, Clusterware supports multiple scheduling policy centers. Clusterware provides a standards-based architecture and is easy to extend with SOAP/XML interfaces for web services and open APIs, and runs on a variety of Linux distributions including Red Hat, Debian and SuSE Linux. Platform technical support is available via email and through the Platform website.
■ http://www.platform.com/clusterware
NEWS
World
World News ■ Norwegians free to use DeCSS It was back in January, 2000 when the Motion Pictures Association of America, and the DVD Copy Control Association Inc. contacted Økokrim, Norway’s police department to deal with economical and environmental crime. In turn, a 16 year old from Lardal south of Norway’s capital Oslo, was accused to have acted illegally when he released the DVD decryption program DeCSS (developed by him using decryption code by others) on the internet. This, claimed the prosecutors, could enable pirate copying of DVDs. Although the original DeCSS was a Windows program, Jon Lech Johansen’s defense strategy mainly used the argument that he intended to watch his legally bought DVDs under Linux. As no licensed player for Linux had been available at this time, his defense lawyer came up with the following argument:
“If one holds a letter against a light in order to glance at the content, this means irregular access. But as it’s my own letter, it’s not criminal.” 7th January, 2003, the unique law suit at Oslo court finally found a happy end: Jon Lech Johansen won on all counts when judge Irene Sogn declared accessing legally bought DVDs using means not intended by the DVD producers was legal, and thus made it clear that unlicensed DVD-players are legal in Norway. Økokrim failed to prove evidence for pirate mass copying of DVDs using DeCSS in Norway, and the court ruled that “DVD Jon” couldn’t be punished if others used his program to illegally watch DVD movies as long as the software had a legal right to exist. Økokrim considers filing an appeal. ■ http://www.aftenposten.no/english/ local/article.jhtml?articleID=466519
■ India discusses Open Source business model
■ Knoppix distribution goes Taiwanese
In a cash-strapped economy, earning from Free/Libre and Open Source software (FLOSS) can still be a major concern. Dr. Tarique Sani (tarique@ sanisoft.com) has published the SANIsoft Open Source Business Model on his company’s site to enforce discussion. If you think: “What’s the fuzz?”, Raj Mathur (raju@linux-delhi.org) of Delhi’s arguments may help Westerners to see the problems: “India is a very human-resource-rich country, so perception of product value tends to be much higher than service value. I personally believe that Linux and FLOSS are the means to switch an IT economy from product-based to servicebased. However, that’s not going to happen in India until the person who can get a haircut for 20 cents and a livein maid for $30 per month starts appreciating the value of time, expertise and experience.” ■ http://www.sanisoft.com/openmodel.php
Many Taiwanese Linux users have been amazed by the power of the Knoppix distribution that allows a more flexible use of Linux. Consequentially, a Taiwanese version named “bv0103” using Chinese Big5 characters recently came into being. The latest version adds the iocharset= big5 mount option to the /etc/fstab so that windows files on FAT16, FAT32, and NTFS partitions automatically show up with Chinese Big5 filenames, and resolves problems with spaces in file or directory names. Further changes include an update of the knx-hdinstall program that installs Knoppix on a hard disk to version 0.37 and a newer kernel 2.4.20. Contrary to the original Knoppix, bv0103 can be restarted from USB (not only from floppy) disk. It detects LCD monitors and PS/2 mice, and shuts down monitor power automatically. ■ ftp://cle.linux.org.tw/pub2/KNOPPIX/ bv1al/KNOPPIX-bv-20030108.iso
12
March 2003
www.linux-magazine.com
■ Linus is a hero 365 heros on one poster – this is how the (nominally) catholic Dutch radiostation KRO (“Katholieke Radio Omroep”) bid farewell to old year 2002. Most of the choosen men and women are Dutch, the
rest internationally known politicians, artists, activists, athletes, scientists, celebritites and heros of a day like Kofi Annan, Marlene Dietrich, Jane Godall, The Dalai Lama, Rigoberta Menchú and New Yorks firebrigade. Plus two single computer people: Tim Berners-Lee of WWW-fame and Linus Torvalds. ■ http://www.kro.nl/gevoeldelen/helden/ view.php
■ Israeli army to deploy Linux Briefly after the Israel Defence Forces (IDF) signed a three years contract with Microsoft, the new commander of the IDF’s central computer facility “Mamram”, Avi Kochba, admitted that the deployment of Linux and Open Source software is being considered by the armed forces – mainly as a means of cutting cost. In an interview with Israelian daily “Ha’aretz” he said: “We will, for example, be the first in Israel to operate Linux based on the IBM mainframe computer” but added that Microsoft won’t be on the way out of the army in the near future. ■ http://www.haaretzdaily.com/hasen/ objects/pages/PrintArticleEn. jhtml?itemNo=246791
World
NEWS
■ GNOME in Kannada
For a region struggling to get Linux solutions working in languages spoken by tens of millions, some interesting developments are being reported of late. Whilst Arun Sharma back in September 2002 showed off KDE desktop components in Kannada on the Kannada mailing list, it was recently Pramod R’s turn to proudly present some screenshots of GNOME applications in this South Indian language, spoken by some 47 million people. Meanwhile, Gurupkar Waraich (waraich@linuxmail.org) is about to start a new team for Punjabi localization. Says he: “Volunteers please get in touch so that we can start working.” Punjabi is spoken by some 96 million, not just in India but also across the border in Pakistan. ■
http://kannada.sourceforge.net/gnome-screens/screenshots.html
http://www.sharma-home.net/mailman/listinfo/kannada
http://punjabi-linux.sourceforge.net/

■ GNUnifying festival
Symbiosis Institute of Computer Studies and Research (SICSR) is a college in the central Indian city of Pune with over 16,000 students from more than 32 countries. Each year SICSR organizes a fest called “Unify”, which is composed of various cultural and academic events and contests. This year, the institution is adding on “GNUnify – The All India Free Software Festival” in order to contribute to and encourage the Free Software movement in India by “awarding the best and motivating the rest”. Events scheduled on February 15–16, 2003 will include open-for-all code presentations in the fields of application and embedded Linux development, network programming, kernel and device driver development. There will also be paper presentations for students, hands-on workshops, a Linux and GNU/Hurd install fest and more. If possible, this might coincide with Richard Stallman’s visit to India. ■ http://www.sicsr.ac.in/gnunify/

■ Video Whale from Pakistan
Computers in Pakistani schools and colleges? The only cost-effective legal solution is low-cost PCs running Linux and other Open Source software. To provide educational institutions with quickly set up video walls for use in the classrooms, Umer Anwar Sheikh from the Peshawar-based company “North West Research” initiated and funded a video wall implementation using GStreamer and Xinerama. Developed by Zeeshan Ali Khattak, the Video Whale Project came into being. ■ http://www.gstreamer.net/apps/vw/
■ Open standards for The Netherlands The Dutch government puts its money where its mouth is. In response to a study by the Ministries of Economics and of the Interior showing that open standards and Open Source software can help to economize public finances, a program to push both of them has been launched. The “Programma voor Open Standaarden en Open Source” is intended to inform about open standards and Open Source, and to advise on and simplify their deployment during a three-year period. It will be implemented by the ICTU (the Dutch organisation for information and communication technology and government), and has a budget of 3 million Euros. To avoid reinventing the wheel, the program aims at cooperation with several national and European initiatives and organisations, amongst them the recently established OASE (“Open Aanbod Software Expertise”, aanbod = offer) project. With the latter, Syntens, a Dutch organisation promoting the usage of and investment in information and communication technology in companies, wants to point small and medium businesses to the existence and benefits of Open Source. Whilst discussing the finances of the ICTU program, it was suggested to migrate all software used by governmental institutions to open standards and Open Source by 2006. But this has not been decided yet … ■ http://www.ez.nl/upload/docs/Nieuwsbijlage/PDF-Documenten/Programmavoorstel_OSOSS.pdf (Dutch)
■ UK Health & Safety The UK’s Health and Safety Executive has completed a preliminary assessment of Linux for safety related systems. The report (RR 011) considers the availability and quality of evidence for the safety integrity of Linux, defining three criteria for suitability in safety related applications:
• the operating system must be sufficiently well understood,
• it must be suitable for the characteristics of the safety related application,
• and it must be sufficiently reliable.
Linux is assessed against these, and a framework for the hazard analysis of the interaction between applications and operating system is given. The report concludes that Linux would be suitable for use in many safety related applications with Safety Integrity Level (SIL) 1 and SIL 2 integrity requirements, and that certification to SIL 3 would be possible. It states that Linux is not likely to be either suitable or certifiable for SIL 4 applications. ■ http://hse.gov.uk/research/
www.linux-magazine.com
March 2003
13
Insecurity News ■ micq Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash. For the current stable distribution (woody) this problem has been fixed in version 0.4.9-0woody3. For the old stable distribution (potato) this problem has been fixed in version 0.4.3-4.1. For the unstable distribution (sid) this problem has been fixed in version 0.4.9.4-1. ■ Debian reference DSA-211-1 micq
■ perl A security hole has been discovered in Safe.pm which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which Perl code can be evaluated in a new namespace, and the code evaluated in the compartment cannot refer to variables outside this namespace. However, when a Safe compartment has already been used, there’s no guarantee that it is safe any longer, because there is a way for code executed within the Safe compartment to alter its operation mask. Thus, programs that use a Safe compartment only once are not affected by this bug. This problem has been fixed in version 5.6.1-8.2 for the current stable distribution (woody), in versions 5.004.05-6.2 and 5.005.03-7.2 for the old stable distribution (potato) and in version 5.8.0-14 for the unstable distribution (sid). ■ Debian reference DSA-208-1 perl
■ tetex-bin The SuSE security team discovered a vulnerability in the kpathsea library (libkpathsea), which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files. If dvips is used in a print filter, this allows a local or remote attacker with print permission to execute arbitrary code as the printer user (usually lp). This problem has been fixed in version 1.0.7+20011202-7.1 for the current stable distribution (woody), in version 1.0.6-7.3 for the old stable distribution (potato) and in version 1.0.7+20021025-4 for the unstable distribution (sid). xdvik-ja and dvipsk-ja are vulnerable as well, but link to the kpathsea library dynamically and will automatically be fixed after a new libkpathsea is installed. ■ Debian reference DSA-207-1 tetex-bin

Security Posture of Major Distributions

Debian
Security Sources: Info: www.debian.org/security/, List: debian-security-announce, Reference: DSA-… 1)
Comment: Debian have integrated current security advisories on their web site. The advisories take the form of HTML pages with links to patches. The security page also contains a note on the mailing list.

Mandrake
Security Sources: Info: www.mandrakesecure.net, List: security-announce, Reference: MDKSA-… 1)
Comment: MandrakeSoft run a web site dedicated to security topics. Amongst other things the site contains security advisories and references to mailing lists. The advisories are HTML pages, but there are no links to the patches.

Red Hat
Security Sources: Info: www.redhat.com/errata/, List: www.redhat.com/mailing-lists/ (linux-security and redhat-announce-list), Reference: RHSA-… 1)
Comment: Red Hat categorizes security advisories as Errata: under the Errata headline any and all issues for individual Red Hat Linux versions are grouped and discussed. The security advisories take the form of HTML pages with links to patches.

SCO
Security Sources: Info: www.sco.com/support/security/, List: www.sco.com/support/forums/announce.html, Reference: CSSA-… 1)
Comment: You can access the SCO security page via the support area. The advisories are provided in clear text format.

Slackware
Security Sources: List: www.slackware.com/lists/ (slackware-security), Reference: slackware-security … 1)
Comment: Slackware do not have their own security page, but do offer an archive of the security mailing list.

SuSE
Security Sources: Info: www.suse.de/uk/private/support/security/, Patches: www.suse.de/uk/private/download/updates/, List: suse-security-announce, Reference: suse-security-announce … 1)
Comment: There is a link to the security page on the homepage. The security page contains information on the mailing list and advisories in text format. Security patches for individual SuSE Linux versions are marked red on the general update page and comprise a short description of the patched vulnerability.

1) Security mails are available from all the above-mentioned distributions via the reference provided.
■ dhcpcd Simon Kelly discovered a vulnerability in dhcpcd, an RFC2131 and RFC1541 compliant DHCP client daemon that runs with root privileges on client machines. A malicious administrator of the regular DHCP server, or of an untrusted one, may execute any command with root privileges on the DHCP client machine by sending the command enclosed in shell metacharacters in one of the options provided by the DHCP server. This problem has been fixed in version 1.3.17pl2-8.1 for the old stable distribution (potato) and in version 1.3.22pl2-2 for the testing (sarge) and unstable (sid) distributions. The current stable distribution (woody) does not contain a dhcpcd package. ■ Debian reference DSA-219-1 dhcpcd
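The defensive side of the dhcpcd advisory, as an added example that is not dhcpcd’s own code: values received from a DHCP server are untrusted input, so a client should check them against a strict allowlist and hand them to any hook script as a separate argv element rather than as text inside a shell command line. The function names and the hook path /path/to/hook.sh are placeholders chosen for this illustration.

```c
/* Added example (not dhcpcd's own code): treat values received from a DHCP
 * server as untrusted input.  The hostname option is checked against a strict
 * allowlist and then passed to a hook script via execv() as its own argv
 * element, so no shell ever parses it.  /path/to/hook.sh is a placeholder. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOSTNAME 255

/* Return 1 if s consists only of letters, digits, '-' and '.', does not start
 * with '-', and is 1..255 bytes long; 0 otherwise.  Every character a shell
 * would interpret (';', '`', '$', '|', quotes, whitespace) is therefore
 * rejected before the value can reach any command. */
int dhcp_hostname_is_safe(const char *s)
{
    size_t len, i;
    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_HOSTNAME || s[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Run the hook without a shell: the value travels as argv[1], never as part
 * of a command string.  Returns the child's exit status, or -1 if the value
 * was rejected or the child could not be waited for. */
int run_hostname_hook(const char *script, const char *hostname)
{
    pid_t pid;
    int status;
    if (!dhcp_hostname_is_safe(hostname))
        return -1;                      /* refuse before doing anything */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)hostname, NULL };
        execv(script, argv);            /* no /bin/sh involved */
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample option values: one benign, two carrying shell syntax. */
    const char *samples[] = { "workstation-07.example.net", "host;echo", "host$(id)" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-28s -> %s\n", samples[i],
               dhcp_hostname_is_safe(samples[i]) ? "accepted" : "rejected");
    /* The hostile value is refused without a process ever being started. */
    printf("hook result: %d\n", run_hostname_hook("/path/to/hook.sh", samples[1]));
    return 0;
}
```

Because the allowlist check happens before fork(), a rejected value costs nothing and leaves no trace in the process table; a valid hostname with a missing script yields exit status 127 from the child, which is how the caller can distinguish "refused" (-1) from "hook failed".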
■ Samba A remotely exploitable stack buffer overflow exists in the Samba server daemon. Versions 2.2.2 through 2.2.6 of Samba contain a remotely exploitable stack buffer overflow. The Samba Team describes the vulnerability as follows: There was a bug in the length checking for encrypted password change requests from clients. A client could send an encrypted password, which, when decrypted with the old hashed password, could be used as a buffer overrun attack on the stack of smbd. The attack would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. A remote attacker can execute arbitrary code with superuser privileges or can cause smbd to crash. ■ CERT reference VU#958321
■ cups iDefense reported several security problems in CUPS that can lead to local and remote root compromise. An integer overflow in the HTTP interface can be used to gain remote access with CUPS privilege. A local file race condition can be used to gain root privilege, although the previous bug must be exploited first. An attacker can remotely add printers to the vulnerable system. A remote DoS attack can be accomplished due to a negative length in a memcpy() call. An integer overflow in image handling code can be used to gain higher privilege. An attacker can gain local root privilege due to a buffer overflow of the ‘options’ buffer. A design problem can be exploited to gain local root access, however this needs an added printer (which can also be done, as per a previously noted bug). Wrong handling of zero-width images can be abused to gain higher privilege. Finally, there is a file descriptor leak and a DoS due to missing checks of the return values of file and socket operations. ■ Mandrake reference MDKSA-2003:001: cups
■ wget A vulnerability in all versions of wget prior to and including 1.8.2 was discovered by Steven M. Christey. The bug permits a malicious FTP server to create or overwrite files anywhere on the local file system by sending filenames beginning with “/” or containing “/../”. This can be used to make vulnerable FTP clients write files that can later be used for attack against the client machine. ■ Mandrake reference MDKSA-2002:086: wget
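A client-side check for the wget problem, as an added example that is not wget’s own code: before using a filename that an FTP server supplied, confirm that it cannot leave the download directory. The check rejects the two forms the advisory names (a leading “/” and an embedded “/../”) and, going slightly beyond the text, any “..” path component at all, which also covers names such as “../x” and “x/..”. The function name is an assumption made for this illustration.

```c
/* Added example (not wget's own code): decide whether a filename received from
 * an FTP server may be used relative to the download directory.  Absolute
 * names and any ".." component are rejected; this covers the "/" prefix and
 * "/../" cases from the advisory as well as "../x" and "x/.." forms. */
#include <stdio.h>
#include <string.h>

/* Return 1 if name is a relative path with no ".." component, 0 otherwise. */
int ftp_name_is_safe(const char *name)
{
    const char *p = name;
    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/')                   /* absolute: escapes the download dir */
        return 0;
    /* Walk the name one '/'-separated component at a time. */
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." climbs out of the directory */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names as a hostile server might send them. */
    const char *samples[] = {
        "index.html", "pub/docs/readme.txt", "/etc/motd",
        "pub/../../outside.txt", "../outside.txt", "x/..", "...hidden"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               ftp_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The component walk is deliberately not a simple substring search: "...hidden" and "a..b" contain two dots but are ordinary names, while "x/.." has no "/../" substring yet still climbs out, so only a per-component comparison gets both right.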
■ krb5 A stack buffer overflow in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4) in the krb5 package can be exploited to gain unauthorized root access to a KDC host. Authentication to the daemon is not required to successfully perform the attack and according to MIT at least one exploit is known to exist. kadmind4 is used only by sites that require compatibility with legacy administrative clients, and sites that do not have these needs are not likely to be using kadmind4 and are not affected. ■ Mandrake reference MDKSA-2002:073-1: krb5
■ MySQL Two vulnerabilities were discovered in all versions of MySQL prior to 3.23.53a and 4.0.5a by Stefan Esser. The first can be used by any valid MySQL user to crash the MySQL server, the other allows anyone to bypass the MySQL password check or execute arbitrary code with the privilege of the user running mysqld. Another two vulnerabilities were found, one an arbitrary size heap overflow in the mysql client library and another that allows one to write. ■ Mandrake reference MDKSA-2002:087: MySQL
■ Fetchmail Updated Fetchmail packages are available for Red Hat Linux versions 6.2, 7, 7.1, 7.2, 7.3, and 8.0 which close a remotely exploitable vulnerability in unaltered versions of Fetchmail prior to 6.2.0. A bug in the header parsing code allows a remote attacker to crash Fetchmail and potentially execute arbitrary code by sending a carefully crafted email which is then parsed by Fetchmail. All users of Fetchmail are advised to upgrade to the errata packages containing a backported fix which corrects this issue. ■ Red Hat reference RHSA-2002:293-09
■ Canna The Canna server, used for Japanese character input, has two security vulnerabilities including an exploitable buffer overrun allowing a local user to gain ‘bin’ user privileges. Canna is a kana-kanji conversion server which is necessary for Japanese language character input. A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user ‘bin’ which could lead to further exploits. Updated packages for Red Hat Linux are available. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) Red Hat Linux 7.1, 7.2, 7.3, and 8.0 ship with a Canna package vulnerable to these issues; however, the package is normally only installed when Japanese language support is selected during installation. All users of Canna are advised to upgrade to these errata packages which contain a back-ported security fix and are not vulnerable to these issues. Red Hat would like to thank hsj and AIDA Shinra for the responsible disclosure of these issues. ■ Red Hat reference RHSA-2002:246-18
■ cyrus imapd The cyrus imapd contains a buffer overflow which could be exploited by remote attackers prior to logging in. Attackers could generate oversized error messages and overflow buffers inside imapd. In addition to this fix, an overflow in the SASL library (as used by the cyrus imapd) has been fixed. This bug only affects SuSE Linux 8.1, the SuSE Linux Enterprise Server 8 and the SuSE Linux Openexchange Server. Since there is no workaround possible except shutting down the IMAP server, SuSE strongly recommends an update. Please download the update package for your distribution and verify its integrity. The SuSE website will have more details on how best to do this. Once done, install the package using the command “rpm -Fhv file.rpm” to apply the update. The packages are being offered to install from the maintenance web. To be sure the update takes effect you have to restart the IMAP server by executing the following commands as root:
/etc/rc.d/cyrus restart
and (if using saslauthd)
/etc/rc.d/saslauthd restart
■ SuSE reference SuSE-SA:2002:048
Zack’s Kernel News ■ Bug Hunter The effort to track kernel bugs via a semi-automated system continues to pose thorny problems for developers. Martin J. Bligh and others continue to maintain the Bugzilla server, and many developers continue to claim bugs and work on them. Over the course of December 2002, it became clear that not all developers were happy with the new system. John Bradford, in particular, decided to write an entirely new bug tracking system on his own. His idea is to create a system that is specific to the Linux kernel, rather than being a generic bug database. By the end of 2002 he had already completed an initial version of his system, and had put it up at http://grabjohn.com/kernelbugdatabase/ (note that to log in as a guest, you need to use the username “guest” and the password “guest”). The basic theory is to automate the system as much as possible, so that developers can focus on their particular areas of the kernel very quickly, and not waste a lot of time navigating the system by hand. The early stages of the program still have restrictions, such as having to email John directly for a personal account. There is also some controversy over the whole idea of writing a new program, rather than simply modifying existing systems such as Bugzilla itself. John’s answer to this has been that it’s easier to start from scratch than to wade through so much existing code that would have to be changed. From the initial stirrings of his project (which still appears to have no official name), it seems clear that Bugzilla has a good head-start, so John’s replacement will probably have to show a big improvement if it is ever going to take its place completely. ■
■ User Limits Linux continues to be good fodder for school projects. Over the years, many programmers have chosen to implement new algorithms or rewrite whole subsystems, to satisfy their college requirements. Martin Waitz is one of these. Due in January 2003, his project involved creating a resource container that would allow sysadmins to control access to various resources, not just on a per-user basis, but according to any set of policies they could devise. The subject came up on the linux-kernel mailing list when Frederik Dannemare asked if there was any way to limit the amount of CPU a given user could use at a given time. Martin offered his project as one method of doing this, but apparently he is not the only one interested in this sort of thing, and various patches to try to solve this problem have been floating around for a long time. A patch from Conectiva against 2.4 had been forward ported to 2.5, and Karol Golab had a small patch to provide a similar service. Within a day of his initial question, Frederik was drowning in patches to limit CPU usage. Even Martin offered to send his unfinished school project to anyone who was interested. The hunt for a good per-user (or per-anything) resource control system is very important. Without it, there are fairly trivial ways for any user to bring a Linux system to its knees. As far back as July 2000, Marcelo Tosatti predicted that decent per-user resource limits would make it into the 2.6 kernel, and then be back-ported into the 2.4 kernel; at that time there was almost no code to support this prediction, though several projects were underway. By January 2003, with the feature freeze in full swing, it seems that the resource limits were still not part of the 2.5 kernel tree. ■
INFO The Kernel Mailing List comprises the core of Linux development activities. Traffic volumes are immense and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls that take on this impossible task is Zack Brown. Our regular monthly column keeps you up to date on the latest discussions and decisions, selected and summarized by Zack. Zack has been publishing a weekly digest, the Kernel Traffic mailing list, for several years now; reading just the digest is a time-consuming task. Linux Magazine now provides you with the quintessence of Linux kernel activities straight from the horse’s mouth.
■ Change PCI It seems that /proc/pci is out of favor with Linus, and may one day be replaced by a user-space utility, lspci. This may not take place in the 2.6 time frame, but apparently Linus has been convinced that there is little reason to keep /proc/pci around, if lspci could be made to display the proper information. Historically, the /proc/pci interface has fallen in and out of favor. The dilemma rests in the fact that /proc/pci is not absolutely essential, because the information it presents can be accessed in other ways by user-space tools; while at the same time, it is likely that those user-space tools would not be available to a system that was in the predicament of actually needing them, such as during the initial installation of the Linux system itself. These are tricky ideas to grapple with, because it’s hard to pin-point exactly when something will be needed, and whether it will be available at that time. Someone might say that Linux installers already handle PCI autodetection; while someone else might counter with the idea that embedded systems must be installed using non-standard tools. Whatever the arguments on either side, it seems that for the moment, /proc/pci is once again deprecated, and slated to be removed in favor of lspci and other fully-user-space tools. ■
■ Framebuffer woes The Framebuffer code has still been causing problems. James Simmons and others have been working hard to straighten things out, but progress sometimes seems slow. Even Linus Torvalds is having trouble getting things to work with the Framebuffer patches as they arrive, so getting them into the main 2.5 tree has been proving to be a problem. More fixes continue to come forward, and more drivers continue to be ported. Part of the problem appears to be the design of the Framebuffer interfaces. Apparently, the Framebuffer code makes certain assumptions that some video cards just don’t conform to. On the other hand, it’s very difficult to simply change those interfaces, because of all the user-space code that has come to rely on them over the years. The 2.5 kernel introduces a new Framebuffer API, but it seems to be targeted at solving other problems, and will not address the deeper design issues. ■
■ Success with IDE Andre Hedrick’s IDE work appears to be going into the 2.4 tree. Such a large change to a kernel in the stable series is generally rejected, and this will be the second time in the 2.4 series that a completely new subsystem is dropped in to replace the old. The first was the adoption of Andrea Arcangeli’s Virtual Memory subsystem in the early days of 2.4. Linus took a lot of flak for that change, and shortly thereafter turned 2.4 maintenance over to Marcelo Tosatti. Now it is Marcelo’s turn to make the risky choice, but it seems that Andre’s new IDE code will be met with more jubilation than Andrea’s VM was. Apparently the IDE subsystem has been such a nightmare mish-mash of horrifying hacks for so long that Andre’s cleanup just has to go in. Without this change it is feared that the subsystem will soon prove to be unmanageable. Some of you may remember that in the summer of 2002, Marcin Dalecki had been given maintainership over the 2.5 kernel IDE tree, and made a valiant attempt to rip out all the broken code and bring the subsystem to a simpler, more reasonable state. Unfortunately the politics of long-term IDE breakage proved too much for him, and he abandoned maintainership when various other developers, notably Bartlomiej Zolnierkiewicz, started their own IDE trees instead of helping Marcin fix the main version. At the time, Linus felt that Andre was still too difficult to work with, so Alan Cox volunteered to be the official IDE maintainer, with Andre leading the development effort itself. Andre in turn has been trying to get his temper under control, and taking advice from folks like Al Viro about how best to organize his patches so that they will be acceptable to Linus and others. In December 2002, it seems, these efforts had started to bear tangible fruit and a sensible solution is near. ■
Letters to the editor
Write Access
■ Comic Review I purchased your magazine for the first time in December. As a designer of Windows NT/2K systems, who operates both NT and Linux systems at home, I was intrigued by your cover, promising to inform me about inter-connecting Windows and Linux based systems and also a review of Windows XP, from the point of view of a Linux user. I have to say, though, that I was extremely disappointed with your review of XP; it seems to me that it was printed merely as an excuse to deride a system of which the reviewers clearly had little or no knowledge, or any desire for this knowledge. Much of the core functionality of XP wasn’t even hinted at, such as the encrypted file system or offline file replication. The reviewers were patronising towards the reader (‘Closed source is a curious software system that denies the end user the confidence that the code has been subjected to public scrutiny.’) and talked down support for the system, stating that when installing device drivers onto XP, you would need to ‘reboot back into Linux and see if the device drivers are available on the Internet.’ It obviously didn’t occur to your reviewers to mention that the vast majority of modern hardware would have drivers on the XP CD-ROM, never mind the fact that you will be able to connect to the internet via XP. The reviewers then proceeded to imply that the only way you would be able to get any useful software onto the XP system would be to install Cygwin, again failing to mention that there is more free software (or shareware) available for Windows based OSes than any other OS in existence. Why did your reviewers feel the need to portray this staggeringly unprofessional image? Do you think that this will advance the open source community by convincing companies and enthusiasts to leave their current, usually Windows based, OSes in favour of Linux systems?
I will continue to purchase your magazine, as I found most of the rest of the articles both interesting and informative, but please bear in mind that just because something isn’t Linux, doesn’t mean it is automatically worthy of derision. Fraser MacIntosh, by e-mail
LM Yes, it is hands-up time, we’re afraid; the most obvious error in the article was the absence of the smiley at the end. For this, and for any confusion it may have caused, we are sorry. The XP review was meant as a light-hearted piece. As Linux is often judged from a Windows-biased point of view, we just did the opposite and “tested” Windows from a Linux-biased point of view. Yes, it was very biased, but then, this is a Linux magazine. We are glad to hear that you found other articles interesting and informative. We are aiming to present our readers with the best technical content of all Linux magazines. Still, we thought it might be a good idea to present our readers with something more light and entertaining for the Xmas holidays – like the XP review. Maybe others will follow, so be on your toes. ■
■ Networking from scratch While I do enjoy most of my Linux Magazine, I sometimes find myself disheartened at the lack of basic information. I feel that I am much more likely to ‘play’ with subjects like networking than I ever was with a Windows system, cost being a major influence. I often feel that I am trying to clear the hurdle of ‘prior art’ when it comes to fundamentals, presumably learnt in the Windows world. I hope that I am not on my own with this opinion, so this is a plea from the less knowledgeably well off to remind you that some of us need the occasional priming. Sally Leah, by e-mail
Please send your comments and suggestions to letters@linux-magazine.com
LM The situation is well appreciated; after all, we have all had to climb that learning curve at some point. Our magazine is unashamedly aimed at readers who have already made some ascent on this curve, but we do also hope that some of our articles each month make for an approachable challenge to those with less experience. We are not passing on the responsibility, but we think it might be useful to remind people of some of the other sources of information available. One of the boasts made about Linux is the amount of documentation available for it. While this is true, the documentation is sometimes not as helpful as one might have hoped for. The solutions for many problems lie in one of the many HOWTOs available, which leads to a further problem of understanding the HOWTO itself. Many are now quite old and really are from a different era. We fear that many new users might be put off by being directed to HOWTOs as a first port of call. Luckily, there are more and more sources of information becoming available, like the http://www.mandrakeuser.org/ site, an excellent resource for Mandrake users, as well as other distributions. Things will improve too: as the user base increases, so too will the amount of documentation about Linux, at all levels. For those of you that feel the same way as Sally, you are in luck this month with our Networking Basics article. ■
COVER STORY
Networking made easy
Get connected!
In today’s high-tech world we all have to deal with computers. Whether it is part of a multinational’s work group or just a Small Office/Home Office, the chances are we need at some point to connect to a network. Here Linux rules above all others. BY JOHN SOUTHERN

Networking with a Linux computer is one of the strong points always listed when trying to convince someone that it is the one true operating system. Although this may be true, it does not mean that connecting your computer system to a network is a trivial matter. With just a few pointers in the right direction, however, you will soon be joining systems and making the most of their resources with ease. We first present an article on network basics. No matter if you are new to networking or just need to ensure you understand it all, we will explain. This is followed by a step-by-step guide to act as a recipe for two of the most popular distributions. Following these walkthroughs will soon get you connected and enable you to browse and use email whenever and wherever you choose. We then continue by looking at how you can make your data available to others. One of the advantages of being connected is the ability to share information and cooperate on tasks. Allowing others to share specific data directories lessens some of the burden for communication.

Dancing with Samba We then continue with our exploration of networking but follow the Samba route. In all our daily lives it is often hard to avoid contact with Windows machines. Samba allows both the control and flexibility for our Linux computers to live and co-operate in a multi-operating system environment. We first consider sharing data and how permissions of access are handled. By emulating the response of a Windows server to an incoming client we can often gain all the functionality needed. With the withdrawal of support for NT4, Samba can provide a free alternative to users as well as administrators. Find out how Linux Samba servers can be added to your existing domains and how to set them up as the Primary Domain Controllers on your network. We take you through the configuration files to make the task simple and explore adding NT machines back. Our final article concerns user management and authentication for Samba. By offering a highly granular access control system, administrators tend to be spoilt in the choice of options. We discuss the really important aspects of Windows user access and account management. We start by looking at user level security and show the pitfalls that are more common with Samba password management. ■

Cover Story
Networking Basics ..............20 It is just a question of understanding the basic procedures.
Red Hat Configuration ......24 Discover the tools for setting up small local networks.
SuSE Configuration .............28 Let SuSE’s YaST lend a hand in network configuration.
SMB Clients................................31 Provide convenient access to genuine Windows shares.
Samba Shares ..........................34 Who is allowed to access and view which directories?
Samba Domains ....................38 Integrating NT4 domains with Samba.
Samba Authentication ......41 Explore the important aspects of Windows user access.
www.linux-magazine.com
March 2003
19
COVER STORY
Networking Basics
Linux in LANs
Safely Sharing Data It does not matter whether you are simply connecting a host to a network or whether you use a laptop at both home and at the office to log on to different networks every day; the mystery of connecting up to a network can remain the same. BY MARC ANDRÉ SELIG
Nearly all of us will, at some time in our careers, have cast jealous glances at experts connecting their Linux laptops up to the networks at the office, at home, or even at conferences and immediately getting on to the Internet, as if nothing had happened in the meantime – this is especially true if the two or three machines in our SOHO network have been giving us a hard time. Fortunately, there is no black magic involved – it is just a question of understanding the basic procedures. Thanks to the sophisticated setup tools that are supplied with most modern Linux distributions, we often require very little user intervention to connect to a local network. Even if things do not work straight away, a few clicks in the appropriate menus will normally see the laptop happily connected to a new network. A fully automated network configuration supplied by DHCP [1], for example, will allow your machine to retrieve any necessary information automatically. Even if automation fails there is no need to panic. In this article we will be taking a look at the configuration steps those GUI tools perform inside to ensure that the connection to your LAN, and from there to the Internet, works. Anything those tools can do can of course be done manually.
GLOSSARY
LAN: The expression “Local Area Network” describes a network of neighboring computers typically connected by simple network media (although they may connect to a wireless LAN, such as WaveLAN [2]). The most important difference between a LAN and other types of networks is the fact that a LAN does not use leased lines, such as serial, ISDN or DSL lines. The WAN or “Wide Area Network” is the opposite of a LAN.
PCMCIA: The “Personal Computer Memory Card International Association” published a PC card standard of the same name (amongst other things). The standard permits uniform hardware extensions for laptops and similar devices. The adapters are typically referred to as PCMCIA adapters, a name that immediately identifies the device type, in contrast to a “PC Card” which could be anything. CardBus is a successor of the PCMCIA standard and was designed for faster data transfer rates.
USB: The “Universal Serial Bus” is a convenient way of attaching peripheral hardware to a computer. Even primitive USB devices like mice or keyboards need a lot of embedded intelligence, although this normally provides for fully automatic configuration. The USB standard specifies that the driver installation should not require user intervention! That does not always work on Linux, but that’s no big deal, as it doesn’t work on other systems either…
Hardware
At the lowest level, a machine requires a network device with appropriate cabling to connect to a network (refer to [2] for more information on wireless LANs). The network device can be embedded in the machine, reside on an adapter card or – as is the case for most modern laptops – be integrated on the motherboard. Of course you might also have a PCMCIA adapter or an external USB device. A driver is required to allow Linux to communicate with the adapter. In the “Plug & Pray” age the driver should hopefully be loaded automatically. You can use one of the most important network configuration commands to ensure that this step has actually worked: ifconfig. The command without any parameters displays the current configuration information for the network interface (Listing 1). If you are not currently working as root, ifconfig will probably not be in your path. In this case, you should supply the path explicitly: /sbin/ifconfig.
Listing 1: A configured network adapter
mas@swan:~$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:C0:77:D8:F5
          inet addr:172.16.45.12  Bcast:172.16.45.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10723 errors:21 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:596219 (582.2 Kb)  TX bytes:3753306 (3.5 Mb)
          Interrupt:9 Base address:0x2000
[...]
Every Linux system displays at least one interface, the local “loopback” device lo. But LAN jockeys will only be interested in interfaces that start with the magic letters eth for “Ethernet”. The output in Listing 1 shows the most important data for each network connection:
• The hardware address (HWaddr) identifies the network adapter in the so-called Data Link layer, that is at a purely hardware based level. The six colon-separated bytes are also referred to as the MAC address, which is a globally unique address – unless a malevolent hacker has been messing around with it, that is. Well-managed networks tend to integrate the MAC address in the configuration; that is why you should avoid replacing your office desktop with your laptop without any preparatory steps.
• The IP address (inet addr) identifies your computer on the network. This is the address that the programs on your computer use. But although the name might suggest otherwise, the IP address is not necessarily accessible via the Internet. The address shown in our example, 172.16.45.12, is part of a standardized pool of private IP addresses used for private networks.
• The broadcast address (Bcast) and the netmask (“network mask”, Mask) provide a more accurate description of the network the computer attaches to. In simple terms, part of the enormous IP address space is specified as the network neighborhood. It used to be possible to derive these parameters from the IP address, but this is no longer possible today. Fortunately, these parameters are not that important for a stand-alone system such as a laptop. If you do happen to know the correct values, ensure that you set them correctly – anything else often leads to a disaster.
These values are followed by a whole bunch of statistics about the interface. The received (RX) and transmitted (TX) packet counters are particularly interesting. A word of warning: our example does not indicate that 10723 errors have occurred, but merely errors:21. The Linux ifconfig display is rounded off by information on the interrupt used and other hardware data for the network interface card. If your network card was recognized and configured without any trouble, but still does not work, you should look at these figures first!
There are two possible reasons for ifconfig failing to display an eth0. The less likely, but less troublesome variant would be that your distribution has not accessed the network adapter yet, and is waiting for you to wake it up. How do you wake up a sleeping NIC? A kiss is not going to help, so let’s try ifconfig instead:
mas@swan:~$ su
Password: [secret_root_password]
root@swan:~mas# /sbin/ifconfig eth0 up 172.16.45.12 netmask 255.255.255.0
If your kernel recognizes the network card, you are done. If the other possibility now rears its ugly head, you will see error messages such as the following:
eth0: unknown interface: No such device
SIOCSIFADDR: No such device
This indicates that the kernel module that contains the driver for the network card is missing, or was not loaded correctly. The system may require more details on the hardware. In this case, you should try searching with Google or reading appropriate newsgroups such as comp.os.linux.hardware or comp.os.linux.networking.
On the Net! Armed with just the basic equipment discussed so far, your Linux machine should be able to exchange packets with its neighbors. If you know the IP address of a computer in the same LAN, you can test your system using the steps shown in Listing 2. The ping command transmits test packets to the specified target. If the packets reach their target, the target machine will send “pong” packets back. This makes ping a perfect network diagnostic tool. You will need to type [Ctrl-C] to quit the continual pinging, when you finally get bored.
Listing 2: Is anybody out there?
mas@swan:~$ ping 172.16.45.1
PING 172.16.45.1 (172.16.45.1) from 172.16.45.12 : 56(84) bytes of data.
64 bytes from 172.16.45.1: icmp_seq=0 ttl=62 time=210 usec
[...]
Linux is still incapable of talking to the outside world, that is to other networks – unless of course your distribution offers a tool that automagically takes care of this behind your back… Linux can deliver packets within its local network directly (within the address block covered by the network configuration, to be more precise). Of course there are a lot of sophisticated things going on in the background, but you typically do not need to pay attention to them. Linux needs help to deliver packets to external networks. Instead of delivering the packets itself, Linux will send them to another computer that will take care of the job. This other computer is referred to as a gateway or default router. This may be a WAN access point at your office, or an ISDN adapter or modem at home. The so-called routing table describes what packets are sent where. You can use the route command (or /sbin/route, if you are not working as root) to list the table. If you really want to perform a manual configuration, add the -n flag as shown in Listing 3 to prevent delays caused by translating IP addresses to symbolic names.
Listing 3: The Route
mas@swan:~$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.45.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.16.45.1     0.0.0.0         UG    0      0        0 eth0
Each line contains a routing table entry. Take a look at the first and last columns for a quick overview. The first column with the Destination shows the data packets the entry refers to (experts will quickly notice that the third column, Genmask, is also significant; the rest of us will just have to rely on intuition to do the right thing). Thus, the first line in Listing 3 shows what happens to packets sent to IP addresses that start with 172.16.45. The last column shows what Iface – “interface” – will be used to transmit the packets, in this case eth0 as discussed previously. The second line follows the same pattern and defines that packets for IP addresses starting with 127 will be sent to the lo interface. As previously mentioned, this is the “loopback” device, which a machine can use to talk to itself. The third line is a kind of joker. Any target addresses not previously covered follow the rule defined in this line. And this is where the gateway, or default router, appears. Any packets whose target address does not start with 172.16.45 or 127 are passed on by Linux to a machine with IP 172.16.45.1. This is also the machine that will take care of everything else. Practical, isn’t it? Your computer only knows two networks, and one of those is its own backyard, but it can still talk to the whole world. The bad news is that users working with laptops can expect to run into trouble with default routes sooner or later. After all, you cannot just log on to the office network, your SOHO network, use a mobile phone, or a modem in your hotel room, and simply hope that your laptop does not make any mistakes! Many distributions really start to panic when faced with promiscuous traffic of this form. The most common symptom of promiscuity is a broken default route. The network connection still works okay, but the default route is missing or points to a black hole. Listing 4 shows an example.
Listing 4: Somewhat Confused
mas@swan:~$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
195.71.150.164  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.16.45.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.16.45.1     0.0.0.0         UG    0      0        0 eth0
This machine’s LAN connection (eth0) is correctly configured and works fine. As it happens, it is not connected to the LAN at present, but has just dialed up the network via a mobile phone (ppp0). Unfortunately, the default route for the LAN is still set, and Linux will now attempt to send any packets destined for the Internet via the LAN adapter and not via the mobile phone. Of course, that is not going to work. Help is at hand in the form of the route command, which can be used to manipulate the routing table (Listing 5). root first invokes route del (as in “delete”) to remove the default route and adds the new route by typing route add. This applies for -net (that is the network and not only a single address), default (that is for any unspecified IP addresses) and points to the gw (“Gateway”) 195.71.150.164. It is a good idea to copy this IP address from the route table viewed previously.
Listing 5: A new default route
root@swan:~mas# /sbin/route del default
root@swan:~mas# /sbin/route add -net default gw 195.71.150.164
Now, what was your name?
So far we have only referred to computers and networks in terms of IP addresses, but IP addresses are no use whatsoever under real life conditions. After all, who wants to type 208.62.23.150 if they can reach the target far more easily by typing www.zpid.com? Name resolution is provided by a service called DNS, “Domain Name Service” [3]. To be more precise, it is the so-called resolver that is responsible for translating symbolic names into IP addresses, and vice versa. In contrast to many other UNIX services the resolver is not a daemon but part of a standard UNIX library. However, the resolver does not know all of the myriad computer names on the internet itself; instead it asks a DNS server on the Web. So, if you want to work with symbolic host names (and you should!), you will need to tell Linux where to find a DNS server. The bad news is that you need a different DNS server for each access type – office, mobile, home etc. The current configuration file for the resolver is called /etc/resolv.conf, and the only relevant entry in the file is the nameserver. You can either adopt a cautious approach and leave all the other entries in this file untouched, or “boldly throw” them out. The resulting resolv.conf should then look as follows:
nameserver 208.62.23.150
Short and sweet. Who do you ask for details on the name server? In a real LAN situation you would simply ask your friendly network administrator. At home you are your own admin and you need to simply enter your server’s IP. Things are a little more complicated for those with dialup connections, but fortunately you can normally rely on your distribution to take care of this automagically. Usually the distribution will query the dialup server for the authorized DNS server and update your /etc/resolv.conf using the new data. Mad idea? Well, it does come from Microsoft.
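To make the Destination/Genmask/Iface logic of Listings 3 to 5 concrete, here is an added example that is not code from the article: a small Python lookup over the two route tables above that shows why the confused machine of Listing 4 sends Internet traffic out of eth0, and what the two commands of Listing 5 change. The target address 198.51.100.7 is a constructed example address.

```python
"""Routing table lookup for the `route -n` listings in this article.

Added example, not code from the article: it parses the Kernel IP routing
table exactly as `route -n` prints it, applies the kernel's matching rule
(an entry covers a destination when destination AND Genmask equals
Destination; the most specific Genmask wins; 0.0.0.0/0.0.0.0 is the default
'joker'), and replays the Listing 5 repair as table operations.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    dest: int       # Destination column, as an integer
    mask: int       # Genmask column, as an integer
    gateway: str    # Gateway column; "0.0.0.0" means deliver directly
    flags: str      # Flags column: U up, G via gateway, H host route
    iface: str      # Iface column


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n` output; the prompt, title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts[:8]
        routes.append(Route(_addr(dest), _addr(mask), gw, flags, iface))
    return routes


def lookup(routes: List[Route], target: str) -> Optional[Route]:
    """Most specific entry covering target (longest Genmask), or None."""
    t = _addr(target)
    matches = [r for r in routes if (t & r.mask) == r.dest]
    return max(matches, key=lambda r: r.mask) if matches else None


def next_hop(routes: List[Route], target: str) -> Optional[Tuple[str, Optional[str]]]:
    """(interface, gateway) a packet for target leaves through; the gateway is
    None when the target sits on a directly connected network."""
    r = lookup(routes, target)
    if r is None:
        return None
    return (r.iface, None if r.gateway == "0.0.0.0" else r.gateway)


def del_default(routes: List[Route]) -> List[Route]:
    """`route del default`: drop the 0.0.0.0/0.0.0.0 entry."""
    return [r for r in routes if r.mask != 0]


def add_default(routes: List[Route], gw: str) -> List[Route]:
    """`route add -net default gw GW`. Like the kernel, refuse a gateway that is
    not directly reachable (the real command reports SIOCADDRT: Network is
    unreachable), which is why the article says to copy the address from the
    table you looked at before."""
    via = lookup(routes, gw)
    if via is None or via.gateway != "0.0.0.0":
        raise ValueError("SIOCADDRT: Network is unreachable")
    return routes + [Route(0, 0, gw, "UG", via.iface)]


# Sample tables transcribed from Listings 3 and 4 of the article.
LISTING_3 = """\
mas@swan:~$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.45.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.16.45.1     0.0.0.0         UG    0      0        0 eth0
"""

LISTING_4 = """\
mas@swan:~$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
195.71.150.164  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.16.45.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.16.45.1     0.0.0.0         UG    0      0        0 eth0
"""

if __name__ == "__main__":
    confused = parse_route_table(LISTING_4)
    # 198.51.100.7 is a constructed Internet address (TEST-NET-2).
    print("before:", next_hop(confused, "198.51.100.7"))   # ('eth0', '172.16.45.1')
    fixed = add_default(del_default(confused), "195.71.150.164")
    print("after: ", next_hop(fixed, "198.51.100.7"))      # ('ppp0', '195.71.150.164')
```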
Name Resolution for Experts Experts and purchasers of modern distributions should know that resolver configuration involves more than the steps just discussed. Firstly, some distributions use so-called caching name servers. That means every computer runs a DNS server, even your laptop. This name server talks to the local software and relays its queries to the internet. In a scenario of this type, you are well advised to steer clear of /etc/resolv.conf – as the file will only refer to the local host in this case. However, you can manipulate the local DNS server configuration instead, although this is often unnecessary as the DNS cache often does not depend on the Internet provider’s DNS server.
Secondly, packet filters (often referred to as firewalls) have been introduced to the major distributions. Of course, they need to be informed of any name server address changes and updated accordingly. Fortunately, this is another step that is typically performed automatically.
Web and Mail When moving from one LAN to another, one or two things that are relevant to application software may change. This is not typically a problem, but you may need to look into two areas: Web proxies and email. A proxy will save a copy of a website transferred to it. If another computer requests the same page, the proxy will first look in its local cache before it searches the internet – this saves both time, since the local cache is faster than downloading over your connection, and money, since less traffic over the shared link means everyone else gets through quicker and pays less. Dynamic WWW pages have seen the gradual demise of proxies, as you need the current dynamically generated information and not the old cached copy. If you do use a proxy, you will probably need to update your configuration if you change your Internet access point. When sending email, it is uncommon to transfer messages directly to the receiver’s mail server nowadays. Many professional mail providers explicitly prohibit this variant for security reasons. That means that both your mail program (e.g. kmail or Mozilla) and your local mail server (e.g. sendmail, qmail or postfix) need a relay that will receive and forward email messages. The relay works along the same lines as a mail box. Your computer puts your outgoing mail in the box and someone comes along and takes care of delivering or forwarding your messages to the recipient. The relay or mail box is known as a smart host. Your environment and your personal preferences will define who plays the role of the smart host. In principle, both your email provider and your Internet provider can act as a smart host. I personally prefer the former. If you opt to transmit mail via your Internet provider, moving from one network to another will involve changing your smart host. So do not forget to update your mail configuration!
Prospects This short tour allowed you a quick glance at the most important nuts and bolts that you will need to loosen and retighten when moving your computer from one (or no) network to another. The manpages for ifconfig and route contain a lot more detail and are specifically recommended. Both of these tools provide critical functionality in networked environments, but you can experiment on stand-alone systems. Rebooting normally resolves any problems that have occurred, and while you are experimenting, why not take a detour to the hidden depths of /proc/net and /proc/sys/net? If you are interested in more functionality and magic, you should check out DHCP. Nearly all the issues and challenges discussed in this article can be resolved by a fully automatic network configuration. Of course, it won’t always work, but it is surprisingly good. And being in the know as regards the background operations cannot be a bad thing … ■
INFO
[1] Bruce Richardson, Linux Magazine, Issue 23, p44
[2] Cover story, Linux Magazine, Issue 25
[3] Marc André Selig, Linux Magazine, Issue 26, p86
THE AUTHOR
Marc André Selig spends half of his time working as a scientific assistant at the University of Trier and the other half as a medical doctor in the Schramberg hospital. If he happens to find time for it, his current preoccupation is programming web based databases on various Unix platforms.
Red Hat Networks
Network Configuration Under Red Hat Linux 8.0
Easy Network Access Setting up small local networks is a task that today’s users are faced with daily. This article discusses the tools that Red Hat Linux 8.0 has to offer for this job. BY THOMAS DRILLING
The purchasing price of network equipment is negligible, and configuring a network should not be more difficult for home users than attaching a printer, for example. In contrast to SuSE or Mandrake, Red Hat does not have a history of providing a centralized configuration tool. This is in line with the US market leader’s product philosophy. For one thing the entry version of Red Hat Linux is still available as a free FTP download – and this goes a long way towards justifying Red Hat’s lack of commitment to proprietary development; for another, Red Hat argues that you should be able to configure a good Linux distribution with standard tools, so there should be no need to customize them just for Red Hat. Red Hat relies on easy-to-use GTK tools for basic network configuration tasks, although the current 8.0 version has seen the demise of the Red Hat Control Center, which was available in version 7.3.
Control Center and Personal Desktop The desktop icon Start Here provides a useful substitute for the former Control Center. Red Hat uses the icon to provide access to a series of tried and trusted configuration tools for critical system and network based tasks. In contrast to Red Hat version 7.3 they mainly comprise familiar tools that simply appear fresher and newer after re-working with Red Hat’s new BlueCurve technology.
Some familiar tools have simply been given new names in the Start menu and, while we are on the subject, Red Hat’s BlueCurve desktop unifies the appearance of KDE and Gnome applications. BlueCurve is more than just window dressing: Red Hat have introduced individual design elements to this desktop. No matter whether you choose a KDE or Gnome desktop, you will find the same entries at the same positions in the Start menu. This prompted us to refer to the menu generically as the Red Hat menu instead of specifying whether the version sports a KDE or Gnome logo on its Red Hat. Assigning common names to various favorite tools may confuse some old Red Hat hands. Although many of the tools discussed in this article are still available via the Red Hat menu, some are missing. And as many tools have been renamed to fit the redhat-xxx-config template, even experts may struggle to find some of their favorite programs. At least the Start Here icon is a worthy substitute for the former Control Center. Double clicking on the icon launches the Nautilus file manager with a hierarchical configuration window that contains four symbols: Server Configuration, System Configuration, Preferences and Programs. Clicking on Server Configuration provides access to the same configuration tools (and more) that are available in the Red Hat menu. The same principle applies to System Configuration and Preferences.
A Network Device As regards network configuration, you should start by setting up the network devices (such as network interface and ISDN cards), that is, if you did not already complete this step during the basic Red Hat Linux installation. The configuration tool, neat (Network Administration Tool for Red Hat Linux), is to be found under System Configuration/Network in the Red Hat menu. Red Hat’s neat can be used to set up all kinds of network devices (Ethernet and ISDN cards, modems, wireless and DSL devices). You need root privileges to configure the network settings. neat is well organized. Network profiles are a new feature compared to previous Red Hat versions. The upper panel provides a number of buttons that allow you to create new profiles, and the lower panel contains four configuration tabs. Let’s look at a simple Ethernet connection first. We’ll assume that the network interface card has been inserted correctly. Click on Add in the Device tab, choose Ethernet Connection in the list of device types and then click Forward. You can configure the network adapter in the tab that appears.
Figure 1: The “Start Here” desktop icon replaces the former Control Center. All of Red Hat’s Linux critical configuration tools are pooled in a single Nautilus window
You can either choose automatic IP address assignment via DHCP in the upper part of the tab, or assign a valid static IP address in the lower part. In this case you can optionally enter a default gateway address if you use another Ethernet interface to route your Internet traffic to another host. After clicking on the Forward button, you can click on Close to finish configuring the network connection.
If required: Additional Network Devices You can follow the same steps to add an ippp device for an ISDN connection. In the main menu, simply choose ISDN Connection as the connection type and select a service provider from the provider database in the next window. Call-by-Call providers are available in a tree structure below UK/National. When you return to the main tab in neat, Common, it shows you an overview of the network connections you have configured. You can click the Edit button here to edit a connection at a later stage. The only difference between the Edit dialog and Add is the fact that two additional checkboxes are available. You can use them to specify that the device should be activated at boot time, or that all users should be permitted to enable or disable the device – this would make sense for Internet access via a DSL device, for example.
GLOSSARY
FQDN hostname: A “Fully Qualified Domain Name” is an Internet hostname of the www.linux-magazine.com format. Resolving the name to an IP address requires either a Domain Name Server or a host table entry in /etc/resolv.conf.
Hosts or DNS? Besides the Device tab three additional tabs are available for configuring your network hardware, managing your hosts lists, and configuring DNS. The Hosts tab allows you to add individual hosts to the /etc/hosts configuration file to provide static name resolution (without DNS). If you do not want to configure DNS, or do not have a DNS server on your network, you can add the host addresses of all the hosts in your local subnet here and thus allow your users to work with FQDN hostnames instead of IP addresses. Red Hat Linux parses /etc/hosts first before sending a request to a DNS server, although you can change this behavior by modifying /etc/resolv.conf. You can use the Hardware tab to check whether all your network devices have been correctly recognized. If not, you can click on Add to manually insert additional or unrecognized devices from a long list before configuring them in the Device tab. This is also the place to configure specific hardware parameters, such as IRQ levels or memory I/O addresses (for old ISA cards, for example). The DNS tab allows you to modify the client DNS configuration by entering the addresses of up to three DNS servers. Additionally, the names and order for the search path can be entered in the Search Domain box. Domain names are added automatically if, for example, you want to access a machine via its hostname only, such as server. BlueCurve fans will also find an Internet Configuration Druid under System Tools in the Red Hat menu, but the druid simply points you to the neat tool.
Figure 2: Neat is an extremely convenient network device configuration tool. If you use a second Ethernet adapter to communicate with a DSL modem, ensure that you use neat to create the card and assign a static IP address before commencing xDSL configuration
Figure 3: The device type druid is extremely powerful and can be used for all kinds of network devices
Network Services After ensuring that all your basic network devices are up and running, you can now start configuring individual network services. Red Hat also provides a bunch of tools in the new BlueCurve outfit for this purpose – they are hidden under Server Settings in the menu. As already discussed, the same tools are available in Start Here/Server Configuration. The available services will obviously depend on the Red Hat version you are using. You can use System Settings/Packages to launch the Red Hat Package Manager and check the network and server tools and packages that are available to you, or have already been installed. The new look Package Management tool fires up with an attractive menu selection, Add or Remove Packages, and package grouping is clear cut. There are main groups, such as Desktop, Applications, Server etc. and each main group comprises a few subgroups – in the Server area, these are Web Server, Mail Server, DNS Server etc. You can simply check the checkboxes to install the packages. The Server Configuration Tools subgroup is interesting for networked environments. A click on the Details hyperlink reveals the individual packages that this group comprises. Besides the network configuration tools we already discussed, such as neat in the redhat-config-network package, you will discover additional tools like the NFS server configuration tool or redhat-config-services, a convenient xinetd configuration script.
Figure 4: Network device control allows convenient activation and deactivation of network devices. This also applies to ISDN dial-up, for example
NFS The NFS configuration tool is interesting. Click on Server Settings in the Red Hat menu. If you are running more than one Linux machine on your local network, you can use NFS to share directories. The GTK tool NFS Server Configuration in its new BlueCurve outfit is easy to use. Click on Add to add a new share, and type the full path of the server directory you want to share in Directory. You can use the Browse button to point and click to a directory. The Hosts text box allows you to specify the hosts allowed to share the directory. The list follows the typical pattern, that is 192.168.0.34, 192.168.0.45, but you can use hostnames instead of IP addresses if name resolution has been configured correctly. You can assign basic permissions, such as Read Only or Read/Write, here by clicking on the radio buttons. More complex parameters, such as no_root_squash for example, need to be entered manually in the /etc/exports file. (You can use this parameter to allow the local administrator, root, of a client machine to access a share with root permissions; this is not permitted by default.) The no_root_squash parameter is critical to security. The entry in the /etc/exports configuration file might appear as follows:
/mnt/Data/ *(rw,no_root_squash) 192.168.0.102(rw,no_root_squash)
The Apply button re-parses the exports file and exports the newly defined share via NFS – of course this assumes that the NFS server is running, although this is default behavior for Red Hat Linux. Instead of the kernel based NFS server you might also install a userspace NFS server, although this is seldom seen nowadays.
Figure 5: The NFS Server Configuration Tool allows you to set up NFS shares quickly, provided you keep to basic parameters
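As an added example, not code from the article or from Red Hat's NFS Server Configuration tool, the following Python audit reads exports(5)-style lines like the /etc/exports entry above and reports the settings the article calls critical to security: no_root_squash (a client's root becomes root on the share) and a "*" client that hands the share to every host. It also catches the exports(5) pitfall of a space before the option list ("host (ro)"), which silently exports the directory to everyone. The sample lines other than the article's own entry are constructed.

```python
"""Audit of /etc/exports entries, as an added example for the NFS section above.

Not code from the article or from Red Hat's NFS Server Configuration tool. It
parses exports(5)-style lines into (path, client, options) records and reports:
  no_root_squash  - root on the client acts as root on the export
  wildcard-rw     - a writable export to a '*' or '?' wildcard client
  implicit-world  - options given as a bare "(opts)" token after a space,
                    which exports(5) applies to every host, not to the
                    preceding host (a classic typo with real consequences)
"""
import re
from typing import List, NamedTuple, Tuple

# "client(opt,opt)" or a bare "client"; a bare "(opt,opt)" has an empty client.
_TOKEN_RE = re.compile(r"([^()]*)(?:\((.*)\))?$")


class Export(NamedTuple):
    path: str
    client: str               # host, wildcard, network or netgroup; "*" = every host
    options: Tuple[str, ...]  # exports(5) options; empty means the defaults (ro)
    implicit_world: bool      # client came from a bare "(opts)" token


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            m = _TOKEN_RE.match(tok)
            if m is None:
                raise ValueError(f"malformed export entry: {tok!r}")
            client, opts = m.group(1), m.group(2)
            options = tuple(o for o in (opts or "").split(",") if o)
            exports.append(Export(path, client or "*", options, client == ""))
    return exports


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) triples for the risky settings listed above."""
    findings = []
    for e in parse_exports(text):
        wildcard = any(ch in e.client for ch in "*?")
        if e.implicit_world:
            findings.append((e.path, e.client, "implicit-world"))
        if wildcard and "rw" in e.options:
            findings.append((e.path, e.client, "wildcard-rw"))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client, "no_root_squash"))
    return findings


# Constructed sample: the first line is the article's /etc/exports entry,
# the others are made up to show a safe entry and the space-before-paren slip.
SAMPLE_EXPORTS = """\
/mnt/Data/ *(rw,no_root_squash) 192.168.0.102(rw,no_root_squash)
/home/projects 192.168.0.0/24(rw,sync,root_squash)
/pub 192.168.0.34 (ro)   # the space before (ro) exports /pub read-only to everyone
"""

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE_EXPORTS):
        print(f"{path:16} {client:16} {issue}")
```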
Firewall Clicking on Start Here/SystemConfiguration/Security Level launches the Security Level Configuration tool. The Security Level pull-down at the top of the tool allows you to select a generic security level: High, Medium or No Firewall. However, the Customize check box is more interesting, as it allows you to define the services that will be available on a network interface, and the valid TCP ports for the interface. This provides a simple means of permitting external access to common services on your local network, such as a Web server, for example, despite running a firewall.
Figure 6: The Security Level Configuration tool allows basic firewall configuration
Miscellaneous Clicking on Start Here/ServerConfiguration/Services provides access to a useful service and runlevel configuration tool. This GUI tool allows you to specify the services you want to activate at boot up. Start, Stop and Restart buttons are available for the services in the list. The list additionally shows the current runlevel to which your modifications will be applied. You can use Edit Runlevel to change the settings for another runlevel. The Windows file and print server, Samba, is not launched automatically, for example. So to run a Red Hat based Samba server you will need to locate the SMB service, check the service, and then click the Start button to ensure that the SMB daemon is launched automatically (refer to the Samba articles in this issue for more details on Samba). Clicking on Start Here/SystemConfiguration provides access to additional settings for network operations, such as tools for configuring Security Levels, User Management and the Printing tool, that allows you to set up a network printer.
Network Printing The printer configuration tool Start Here/SystemConfiguration/Printing (Red Hat Printer Config) is used to provide access to a network based printer attached to a Windows or Linux machine on your local network. Clicking on New launches the first step in the Printer Wizard, Add a New Print Queue. This tool is an old friend from Red Hat 7.3. The following backends are available for network printing: Unix Printer (only for LPD), Windows Printer (via Samba/SMB), Novell Printer (via NCP) and HP Jetdirect. Unfortunately, the tool does not support CUPS/IPP printing. The SMB protocol does provide browsing capabilities, so it should be possible to search for Windows printers in the domain or workgroup; however, the Red Hat Printer Wizard does not support this functionality. You should seriously consider using Red Hat CUPS instead. You need to know the IP address and printer name of Unix network printers that you intend to access using LPD.
Figure 7: Red Hat’s Printer Wizard provides quick configuration of network printers attached to Windows computers on the network. Unfortunately, CUPS or IPP printing is not supported
Conclusion Most Red Hat 8.0 tools are old friends from earlier versions, although some of them have been put into a new BlueCurve outfit, or renamed – which is not particularly useful in some cases. The basic network configuration tool, neat, boasts enhanced functionality, but most critical aspects of the network configuration are possible without having to modify configuration files. ■
COVER STORY
SuSE Network Configuration
The SuSE Distribution Network Configuration
Networking with YaST With an ifconfig here, and a route there – the network configuration commands are anything but intuitive. Most people are only too happy to let distribution specific tools such as SuSE’s YaST lend a helping hand. BY NICO LUMMA AND PATRICIA JUNG
You have probably been through this before; of course it is fantastic to have a new network card, but after putting it into your machine you step back and wonder where to go from there. SuSE users can relax and leave the hard work to YaST (“Yet another Setup Tool”), a comprehensive tool provided by the distributor that allows you to configure more or less everything, and luckily, that also includes the network environment. There are various ways of launching the program, for example by typing the following command in an X terminal:
kdesu /sbin/yast2 &
After launching the program, you need to provide the root password. You should then see that the “Network” configuration area is divided into two sections, Network/Basic and Network/Advanced (see Figure 1).
GLOSSARY DHCP: A server can use the “Dynamic Host Configuration Protocol” to assign important network configuration data, such as the IP address, the gateway address, and the name server, to client computers.
The view is slightly different if you launch the KDE Control Center to load the required YaST module. To do so, select YaST2 Modules in the Index tab.
What to configure
Setting up a network adapter is certainly a basic network configuration task, so let’s go for Network/Basic. This selection opens the way to a collection of items that allow the admin user to choose whether she wants to set up a network adapter, configure a modem or ISDN adapter for Internet access, or set up a Mail Transfer Agent. You can also specify the network services to be launched on starting up your machine (Start/stop services). To attach a machine to the local network, Network card configuration is the place to start. When you click the icon, YaST automatically shows the Ethernet cards in your computer. You can normally rely on the network card being recognized correctly, unless you are using exotic or ancient hardware. If your computer has multiple network cards, YaST will display all of them. You can now click on a card to select it and then click Configure…. If the device has already been configured, you can select Edit… to change the configuration (this may be called Modify… in some distributions) (see Figure 2). This will take you to an overview window (Figure 3) where you can select the device whose settings you want to modify. Normally (that is, for a machine with only one network card), the list will only contain the device eth0. Now click the Edit button to enter details for the network card. If a DHCP server is available to supply the machine with a suitable IP address for your network, you will want to select Automatic address setup (via DHCP). If not, you should select Static address configuration and enter the IP address and Subnet mask yourself (Figure 4). The latter is simply another word for Network mask.
Figure 1: Setting up network adapters is just one of many basic network configuration options
Figure 2: You can select “Edit…” to change the configuration for a pre-installed card
Figure 4: Specifying the IP address and network mask manually rather than the DHCP option
Figure 3: Overview of network cards
Naming Your Computer and Name Services
You need to supply a few more details under Host name and name server (Figure 5). Type a name for the local machine in Host name and add the Domain name, followed by up to three name servers and a domain search list. If you do not have a domain of your own, you can use one of the reserved domains, example.com, example.net, or example.org, for your local network. You should steer clear of any domain names that might really exist on the Web! Your provider or network administrator will be able to supply details of the name server – if you happen to be the administrator for this LAN, it is your responsibility to decide whether you need a DNS server of your own for the local network, or if you will be using an /etc/hosts file on each machine to provide name resolution. Use the Domain search or Domain search list boxes to specify the domains in which to search for hosts by name only, i.e. without specifying a domain. If you type example.org here, you will be able to access the host comp1.example.org simply by referring to it as comp1. If you intend to access the Internet from this machine, do not forget to click the Routing button shown in Figure 4. This is where you specify the gateway through which your machine will access the global Internet (Figure 6). You can now finish configuring the network card and return to the tab overview page that now shows the configured options. Check the upper panel to see if there are any other unconfigured cards that need your attention. If you now click on Finish, the SuSEconfig tool is launched and writes the new data to the appropriate configuration files below the /etc/sysconfig/network directory.
To tidy up your network configuration you might now like to select Start/stop services in YaST’s Network/Basic panel (Figure 1), in order to specify the services provided by the “super server” inetd. On normal home computers you should disable inetd, since every network service you start without really knowing why is a potential security hazard. Of course this is no substitute for a firewall configuration.
Figure 5: Host name, name server and co
Figure 6: The route to the Internet is via the gateway. Here you need to enter the IP address that gives you access
Figure 7: If you are not offering Internet services, you should seriously consider disabling inetd
Figure 8: You can use the old YaST1 tool just as well as YaST2 for all of your network configuration tasks
Figure 9: Configuring a networking device
Ye Olde YaST
Users of older SuSE versions can use the older YaST1 instead of the colorful YaST2 we have discussed so far. This text based tool was ditched in SuSE 8.0 – a fact that provoked severe criticism from some users, as there is no real text based substitute for this tool. Also, many users still prefer YaST1 to its successor.
Figure 10: Configuring a static IP address for a machine
Select the System Administration menu item, then Integrate hardware into system and finally Configure networking device (Figure 8). At the Network type prompt (Figure 9) enter the type of network card you are configuring. This will normally be eth0. Networking device type allows YaST1 users to specify a kernel module to load, that is a driver. If the exact device type is unknown, you might like to take a look at the card itself; the type is normally printed on a chip somewhere. Now you need to set your networking numbers. Use the Networking configuration menu item and select Network base configuration to do so. YaST1 distinguishes between Auto IP and IP address, where the former item means you will be using a DHCP server to provide networking information and the latter is used for manual configuration (Figure 10). After completing the base configuration, you can additionally change the host name and specify the name server. Finally, you might like to take a look at the network services before jumping in at the deep end of your network. ■
SMB Clients
COVER STORY
Using Windows Shares
Share With Me! Linux computers are flexible – apart from running Samba to serve files up to Windows computers, they can also provide convenient access to genuine Windows shares. We explore using the Samba client to make the most of any Windows shares rather than needing a full Samba server. BY NICO LUMMA
When Windows users set up shares to provide other users access to their data, Linux users do not need to resort to rebooting a dual-boot system to gain access. All they need to know is that Samba (http://www.samba.org/) is not only a software package that provides a file server for Windows after installation, but also comprises programs that allow Linux to access Windows (or Samba) shares. Now it is slightly over the top to install a Samba server on your desktop just to access the data on a Windows computer, and for this reason most distributions divide the Samba goodies up into a number of packages. The task we have in hand merely necessitates installing the Samba client package (and paying attention to any dependencies); you do not need the Samba server.
Windows Files in the Command Line Admittedly, the Samba project initially provides command line only access via the smbclient program; if you prefer a GUI approach and rely on your mouse, you will need to call on something different.
The smbclient is not as bad as it sounds; you can think of the program as a kind of FTP client for Windows servers. The following command:
smbclient -L computername
allows you to locate Windows shares on a specific computer. Just ignore the password prompts for the time being and keep hitting the [Enter] key. If this does not work, you will need to authenticate yourself to the target machine by providing a user name and a password:
smbclient -L computername -U username
In the example in Listing 1 the target machine turnip (the name is not case sensitive) turns out to be a Samba server with a number of shares, such as nico, which contains the home directory for the user nico. nico can use the following syntax to access the share:
smbclient //TURNIP/nico -U nico
This syntax reminds one of Windows, although it uses normal slashes instead of the Windows backslash (“\”) to specify the server and the share. The smbclient uses the smb: \> prompt to show that it has logged on to the Windows server and can now upload or download files, in other words, it can access the share. There are some similarities to FTP here, reflected in commands such as dir (directory listing), put and get (upload or download files), mkdir (make directory) and cd (change directory). The commands in Listing 2 create a new directory, Test, on the Windows share, change to that directory, and copy a file called hello.pl from a local working directory on the Linux machine to the directory. The final command downloads the same file from the Windows share across the network to the local machine – of course this would not make much sense in a production environment, unless the file had been modified in the meantime (by the user of the machine providing the share, for example). To log off, simply type the smbclient quit command.
Backup Solution
The smbclient can do a lot more. Listing 3 shows the user nico using smbclient to log on to a file server, where he creates a tarball with the Test directory (smbclient option -T – the -c option comes from “create”). The interesting thing is that the archive file, test.tar, is created on the local machine and not on the Windows share. Returning to the Linux shell, let’s just ensure that the tarball really has been created: ls shows that test.tar really was stored locally; and typing tar -tfv to list the contents shows all the data available in the Test directory on the Windows share. So, if you have been looking for a quick and convenient way to back up Windows files on your Linux machine, this is it. Of course, you can just as easily expand the data in a local tarball on a remote Windows share. To do so, you need the smbclient option -x for “extract” in addition to -T:
smbclient //turnip/nico -U nico -Tx test.tar Test
Message in a Bottle
Incidentally, you can misuse smbclient as a primitive communications system. If you send a message to a Windows computer, as shown in Listing 4, the Windows machine pops up a window displaying the message contents. The -M is followed by the Windows target; if the target allows you to deliver a message, you simply type the text and then press [Ctrl-D] to send it. You should not expect to reach a Samba server admin using this technique. If you require a similar functionality in the Linux world, you might like to take a look at LinPopup (http://www.littleigloo.org/downloads_002.php3).
THE AUTHOR
Nico Lumma is the Head of IT at Orangemedia.de GmbH and looks back on years of experience with the practical application of Linux in enterprise environments.
Listing 1: What shares are available on turnip?
linux:~ # smbclient -L TURNIP -U nico
added interface ip=192.168.1.247 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.2 ( 192.168.1.2 )
Password:
Domain=[ORANGEMEDIA] OS=[Unix] Server=[Samba 2.2.7-SuSE]

        Sharename      Type      Comment
        ---------      ----      -------
        print$         Disk      Printer Drivers
        docs           Disk      Documentation
        IPC$           IPC       IPC Service (Samba 2.2.7-SuSE)
        ADMIN$         Disk      IPC Service (Samba 2.2.7-SuSE)
        nico           Disk      Home Directories

        Server               Comment
        ---------            -------
        TURNIP               Samba 2.2.7-SuSE

        Workgroup            Master
        ---------            -------
        ORANGEMEDIA          TURNIP
Listing 2: Data manipulation on the share
smb: \> mkdir Test
smb: \> cd Test
smb: \Test\> put hello.pl
putting file hello.pl as \Test\hello.pl (3.3 kb/s) (average 3.3 kb/s)
smb: \Test\> dir
  .                                   D        0  Tue Dec 17 08:21:55 2002
  ..                                  D        0  Tue Dec 17 08:19:55 2002
  hello.pl                                   262  Tue Dec 17 08:21:55 2002

                39265 blocks of size 1048576. 15507 blocks available
smb: \Test\> get hello.pl
getting file \Test\hello.pl of size 262 as hello.pl (8.3 kb/s) (average 8.3 kb/s)
smb: \Test\> quit
Listing 3: Compressing files on the Windows host locally
nico@linux:~> smbclient //turnip/nico -U nico -Tc test.tar Test
added interface ip=192.168.1.247 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.2 ( 192.168.1.2 )
Password:
Domain=[ORANGEMEDIA] OS=[Unix] Server=[Samba 2.2.7-SuSE]
directory \Test\
              262 (    262000.0 kb/s) \Test\hello.pl
tar: dumped 2 files and directories
Total bytes written: 512
nico@linux:~> ls -al test.tar
-rw-r--r--    1 nico     users        2560 2002-12-17 08:27 test.tar
nico@linux:~> tar -tfv test.tar
tar: Record size = 5 blocks
drwxr-xr-x 0/0               0 2002-12-17 08:21:55 ./Test/
-rw-r--r-- 0/0             262 2002-12-17 08:21:55 ./Test/hello.pl
Figure 1: LISa needs to be installed to allow Konqueror to be able to access the SMB shares. Simple setup is in the KDE control center
Figure 3: The Konqueror LAN browser is hidden in a tab that appears after clicking on the lower yellow asterisk (“KDE Services”)
Konqueror for Share Access
If smbclient in the command line is a bit too cumbersome for your taste, you can use everybody’s favorite browser and file manager, Konqueror, to access your Windows shares. To do so, you will need to install a few packages, the names of which differ from distribution to distribution. The current SuSE 8.1 version requires the RPM packages samba-client (since smbclient will be working in the background in this case), kdenetwork3-lisa, kdenetwork3-lan and kdebase3-samba. The ominous abbreviation, LISa, refers to the “LAN Information Server” for KDE, a daemon that scans the network for services in the background. kdebase3-lisa and kdenetwork3-lan provide plug-ins for Konqueror to allow convenient access to Windows shares.
Before you can tell LISa to retire to the background, you will need to perform a variety of configuration steps in the KDE control center (Figure 1). The easiest way to do this is by clicking on the “Guided LISa setup…” button of the LISa Daemon tab in Network / LAN Browsing (Figure 2). No need to worry when you are prompted for all those numbers! You only need to know your own machine’s IP and the netmask for your network, and the wizard will normally supply correct values. If it comes to the worst, you can always ask your admin – or simply type the /sbin/ifconfig command to find out for yourself. After completing the configuration, LISa needs to be relaunched by root; if you do not have administrative privileges for your Linux machine, you should ask for help before clicking Apply in the control center (please note that some KDE installations require root privileges to configure LISa). If everything works out okay, the network neighborhood will appear in your Konqueror browser and allow you to access Windows shares directly. You can use the Address line to enter a URL with the following format:
smb://computer/share
Figure 3 shows an example of this working in Konqueror. ■
Listing 4: Message for a Windows Box
nico@linux:~> smbclient -M WINBOX
added interface ip=192.168.1.247 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.23 ( 192.168.1.23 )
Connected. Type your message, ending it with a Control-D
Can you get me a coffee? :)
[Ctrl-D]
sent 26 bytes
nico@linux:~>
Figure 2: The LISa Configuration Wizard needs just a few simple facts to solve your connection needs
COVER STORY
Samba Share Configuration
Looking through Windows The view a Windows user has of Samba is defined by various parameters for shares, file permissions and locking. And this is exactly what we will be investigating in this article: who is allowed to access what directories, who can view or modify what? BY THOMAS DRILLING AND MICHAEL MIELEWCZIK
Linux and Windows use completely different filesystems and fundamentally diverse approaches to permission management. This makes mapping directories and files belonging to one filesystem on the other a complicated task, governed by a multitude of parameters. You will not always need Samba to reflect SMB based functionality in all respects. Often it is simply a case of emulating the response of a Windows server to an incoming SMB client request without really doing anything spectacular on the Linux side of the equation. Locking is a particularly delicate issue that affects access to shared files and directories and involves Samba mapping typical Windows behavior to the technical facets of the Linux filesystem. File and directory names, and how they are encrypted for transmission, is another equally complex topic that includes the major difference between the operating systems with respect to case sensitivity and the length of filenames.
Parameters and Shares
The ubiquitous Samba configuration file, “/etc/smb.conf”, is also used for setting up shares. The names of any shares that Samba needs to manage are reflected by entries here. The “[homes]” and “[printers]” sections of “/etc/smb.conf” are particularly significant when creating new shares. They must occur at a position between the pre-configured “[global]” section and any other sections in “smb.conf”. “[homes]” is a special Samba share that allows users to access their own home directories. Any further sections used to define shares start with the share name surrounded by square brackets.
Basic Access Control
The most important parameters are “path” and/or “directory” as they specify the directory to be shared by Samba:
[executive_photos]
path = /home/samba/boss/images
The following parameter is used to display shares in the client’s network neighborhood:
comment = pictures of the boss
This comment appears next to the share name. You can use the following parameter to display the name of a specific directory, but prevent access to it:
dont descend = /too_embarrassing
“veto files” defines a list of files and directories that clients will not be able to view or modify. The entries can contain wildcards such as “*” or “?”. Multiple entries are separated by the “/” character:
veto files = /*.tmp/*.conf/
Further attention is required to define directories as veto files. The “browseable = yes” parameter makes the share visible in the browse list requested by the client. The command line tool, “net view”, or the network neighborhood can be used to view shares. The “browseable = no” setting removes the share from the browse list, but it will not prevent access to shares whose names are known. DOS/Windows and Unix are completely different in their handling of access permissions and file attributes. Samba has to act as a proxy here to allow any access whatsoever. This does not mean that Samba introduces its own access mechanisms; instead it relies on the access control features provided by the Unix system: that is, DOS attributes need to be mapped to Unix file permissions.
Figure 1: Access privileges for a share are the logical product of the “create mask”, “directory mask” and “force directory mask” entries
Figure 2: Webmin also allows you to define most locking parameters. In this case, the Webmin fieldnames actually correspond to the parameter names
Three statements are used for this purpose: “map”, “create mask” (or “create mode”) and “force create mode”. “map” uses the executable bit “x” for Linux files, which does not have a counterpart under DOS/Windows, to store three DOS file attributes that are not available on Linux. For example, the following entries:
map archive = yes
map system = yes
map hidden = yes
allow Samba to assign the DOS archive bit to the owner’s executable bit, the DOS system bit to the group executable bit, and the DOS hidden bit to the world executable bit. The “create mask” argument is a bit pattern of the type used by the Unix “chmod” command. The default value is “0744”, which means that group members and all other users have read-only access to the owner’s files. The following statement:
create mask = 0740
would prevent universal readability. However, the parameter only specifies the maximum privileges that a file can have; if the user or the Windows program specify reduced privileges, this request will be honored. The “force create mode” can be used to enforce mandatory attributes. The following statement:
force create mode = 020
stipulates “rw-rw----”, for example, if the above mentioned example originally stipulated “rw-r-----”. These parameters apply to simple files; “create directory” and “force directory” with corresponding parameters are used for directories. The default value for directories is “755”, as access is impossible without the executable bit.
“read only = yes” will make complete shares read only. The “guest ok” parameter (or alternatively “public”) allows guests to access this share via their clients. The permissions granted to the guest account are defined by the “guest account” parameter. The “ftp” user is often used to assign guest privileges for client PCs. The entry in the share section must appear as follows:
guest account = ftp
The default setting for guest access is the user “nobody”.
Logon and Permissions
If the share configuration entry specifies:
allow trusted domains = yes
the share can only be accessed by clients belonging to the same domain. If the share configuration entry specifies:
available = no
no client is permitted to access the share. The administrator can use this option to specify who will have access to the share. The “deny hosts” option allows you to specify hosts that will be denied access to the share. This assumes that the host is not additionally listed in “hosts allow”, as this entry has priority:
deny hosts = nutcase, spy
An IP address, a netgroup or a network address/netmask can also be specified as parameters. Group names must be preceded by a “@” character. The following entry:
deny hosts = @interns
would deny share access to any hosts in the NIS “interns” group.
deny hosts = 192.168.1.0/255.255.255.0
would deny access to any clients with IP addresses in the range 192.168.1.0 through 192.168.1.255. The parameters for “allow hosts” follow the same pattern. However, user based access control makes more sense than a host based equivalent. “valid users” is the best option for admins that only need to provide access to a few users. The following statement:
valid users = bigboss, pr, mom
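The arithmetic behind “map archive/system/hidden”, “create mask” and “force create mode” described above is easy to get wrong when reviewing a share, so here is an added Python model of it (an illustration written for this page, not Samba’s own code): the DOS attributes land in the three executable bits, the result is ANDed with the mask and ORed with the force mode. It reproduces the article’s numbers (0744, 0740 and 020) and also shows the widest mode a share can ever hand out, which is what tells you whether world-readable files remain possible.

```python
"""Model of how a Samba share turns a DOS/Windows file attribute set into a
Unix mode via "map archive/system/hidden", "create mask" and "force create mode".

Added illustration, not Samba's code: the executable bits store the three DOS
attributes, the result is ANDed with "create mask" and ORed with "force create mode".
"""
import stat

# DOS attribute bits as carried in SMB (standard values).
DOS_READONLY = 0x01
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04
DOS_ARCHIVE = 0x20


def unix_mode_for_new_file(dos_attrs, create_mask=0o744, force_create_mode=0o000,
                           map_archive=True, map_system=False, map_hidden=False):
    """Unix mode a file gets when a Windows client creates it on the share.

    Defaults are Samba's: create mask 0744, force create mode 000,
    map archive yes, map system/hidden no.
    """
    mode = 0o666                       # rw for everyone before the share rules apply
    if dos_attrs & DOS_READONLY:
        mode &= ~0o222                 # DOS read-only clears all write bits
    # The three x bits carry the DOS attributes the Unix mode cannot store.
    if map_archive and dos_attrs & DOS_ARCHIVE:
        mode |= stat.S_IXUSR
    if map_system and dos_attrs & DOS_SYSTEM:
        mode |= stat.S_IXGRP
    if map_hidden and dos_attrs & DOS_HIDDEN:
        mode |= stat.S_IXOTH
    mode &= create_mask                # mask: the most a file may get
    mode |= force_create_mode          # force: bits every file gets regardless
    return mode


def dos_attrs_from_unix_mode(mode, map_archive=True, map_system=False, map_hidden=False):
    """Reverse direction: which DOS attributes a Windows client sees for a Unix file."""
    attrs = 0
    if not mode & 0o200:               # owner cannot write -> read-only
        attrs |= DOS_READONLY
    if map_archive and mode & stat.S_IXUSR:
        attrs |= DOS_ARCHIVE
    if map_system and mode & stat.S_IXGRP:
        attrs |= DOS_SYSTEM
    if map_hidden and mode & stat.S_IXOTH:
        attrs |= DOS_HIDDEN
    return attrs


def widest_possible_mode(create_mask, force_create_mode=0):
    """The most permissive mode any file on the share can end up with.

    If this still has the 'other' read bit set, nothing in the share
    configuration stops world-readable files from appearing.
    """
    return (0o777 & create_mask) | force_create_mode


def rwx(mode):
    """Render a mode the way ls does, e.g. 0o640 -> 'rw-r-----'."""
    bits = "rwxrwxrwx"
    return "".join(b if mode & (1 << (8 - i)) else "-" for i, b in enumerate(bits))


if __name__ == "__main__":
    # The article's numbers: default mask, then 0740, then force create mode 020.
    for mask, force in ((0o744, 0), (0o740, 0), (0o740, 0o020)):
        m = unix_mode_for_new_file(0, create_mask=mask, force_create_mode=force)
        print(f"create mask {mask:04o} force {force:03o} -> {rwx(m)}")
    # A hidden file only keeps its hidden bit if the mask leaves world-x open.
    print(rwx(unix_mode_for_new_file(DOS_HIDDEN, map_hidden=True)))
    print(rwx(unix_mode_for_new_file(DOS_HIDDEN, create_mask=0o745, map_hidden=True)))
```

Note the last two calls: with the default mask a mapped hidden bit is silently dropped, so “map hidden = yes” only does anything if the mask also keeps the world executable bit.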
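The host-based rules above (“deny hosts”/“allow hosts”, with an allow match taking priority) are worth checking before relying on them, so here is an added Python model of that decision for one connecting client; it is an illustration for this page, not Samba’s code, and the `netgroups` dictionary is a constructed stand-in for the NIS lookup. It covers the three entry forms the article shows: a host name, an @netgroup, and an address/netmask.

```python
"""Model of Samba's "hosts allow"/"hosts deny" decision for one connecting client.

Added illustration, not Samba's code. It reproduces the precedence the article
states (a match in "hosts allow" wins over "hosts deny") and the three entry
forms shown there: a host name, a NIS netgroup written @name, and a network
written address/netmask. "deny hosts"/"allow hosts" are the same parameters.
"""
import ipaddress


def _entries(value):
    """Split a smb.conf list value; commas and spaces both separate entries."""
    return [e for e in value.replace(",", " ").split() if e]


def _matches(entry, client_name, client_ip, netgroups):
    if entry.startswith("@"):
        # NIS netgroup; `netgroups` stands in for the NIS lookup (assumption).
        return client_name in netgroups.get(entry[1:], ())
    if "/" in entry:
        # 192.168.1.0/255.255.255.0 or 192.168.1.0/24, both accepted by ipaddress.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    try:
        return ipaddress.ip_address(entry) == ipaddress.ip_address(client_ip)
    except ValueError:
        return entry.lower() == client_name.lower()   # plain host name


def host_allowed(hosts_allow, hosts_deny, client_name, client_ip, netgroups=None):
    """True if a client may connect to a share with these two parameters set.

    Decision order: no lists -> allow; only an allow list -> only its members;
    only a deny list -> everyone except its members; both -> allow wins, then
    deny, then allow by default.
    """
    netgroups = netgroups or {}
    allow = _entries(hosts_allow)
    deny = _entries(hosts_deny)
    in_allow = any(_matches(e, client_name, client_ip, netgroups) for e in allow)
    in_deny = any(_matches(e, client_name, client_ip, netgroups) for e in deny)
    if not allow and not deny:
        return True
    if not deny:
        return in_allow
    if not allow:
        return not in_deny
    if in_allow:
        return True
    return not in_deny


if __name__ == "__main__":
    # Constructed netgroup table standing in for NIS.
    groups = {"interns": {"pc7", "pc8"}}
    allow_list = "192.168.1.77"
    deny_list = "192.168.1.0/255.255.255.0, @interns, spy"
    clients = (("pc7", "10.0.0.9"), ("spy", "10.0.0.5"), ("desk1", "192.168.1.20"),
               ("desk2", "192.168.1.77"), ("other", "172.16.0.4"))
    for name, ip in clients:
        verdict = host_allowed(allow_list, deny_list, name, ip, groups)
        print(f"{name:<6} {ip:<14} -> {'allowed' if verdict else 'denied'}")
```

The last client in the sample run is the case to remember: once both lists are set, a host that matches neither is still admitted.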
would restrict access to the directory with the boss’s pictures to the named users. Again, you can specify group access by prepending an “@” character. In a similar way, “invalid users” will deny users. The “read list” allows you to define a list of clients that will receive read-only access to a Samba share which is writable by default:
read list = @marketing, michael
A share which is read-only by default can be made writable for users by adding them to the “write list”. Possible insecurities in the Samba configuration can be removed by stipulating “follow symlinks = no”. Samba will follow symbolic links by default, even if they point to sources outside the share. You can alternatively stipulate “wide links = no” in combination with “follow symlinks = yes”. This will prevent Samba from following links outside the share.
Locking Parameters
The handling of concurrent access to a file is one of the most difficult tasks for any network operating system. The “blocking locks” is a critical, albeit very specific, option that allows you to influence the Samba daemon’s behavior. The status of the option becomes apparent when a client stipulates “byte range locking” on requesting an open file from a shared directory and when a time limit has additionally been set. If “blocking locks” is enabled (default) the requested lock is queued and the request automatically repeated until it is successful or a timeout occurs. If the option is disabled, the request is denied if the lock range cannot be released:
blocking locks = false
The “true” option would enable blocking locks for a share. The “oplocks” option enhances the Samba server’s performance and is enabled by default. If you are experiencing difficulty in your network environment, you might like to disable this option by specifying:
oplocks = false
The performance boost is achieved by client side caching of data and commands. Clients that do not respond to an “oplock break” request are a special case for the Samba server. You can set the “oplock break wait time” to tell Samba to wait for a number of milliseconds before sending an “oplock break” request to a client for this share. The corresponding entry would appear as follows:
oplock break wait time = 10
If there is a danger of too many oplock requests occurring for a specific file on a Samba share in close succession, you can use the “oplock contention limit” option to set a limit for the number of requests that will receive a positive response. The “level2 oplocks” option became available in Samba version 2.2.1, and has been part of Samba ever since. This option allows an NT client that possesses a read-write oplock for a file to demote itself to a “read-only oplock” status, when a second user requests access to the file. This can improve performance for some file access operations as it avoids reissuing an oplock request. The following statement is used to enable Level 2 oplocks for a share:
level2 oplocks = true
Level 2 oplocks assume that “oplocks” are enabled and kernel oplocks disabled. The “strict locking” option allows you to influence the file locking behavior of a Samba server for a Samba share. If the option is enabled, the “file locking” status is checked whenever read or write access is requested. If locks are in place, the request is denied automatically. If the option is disabled, the client must explicitly request a file locking status check:
strict locking = yes
enables the option. If the general oplock functionality for a share is enabled, you can use “veto oplock files” to mark any files to be excluded from oplocking:
veto oplock files = /*.conf/
Figure 3: The Samba “smbclient” command can be used to quickly view existing shares
Running Command Line Tools
The “exec” option allows you to run a command on the server before opening a connection between the client and a share. The following “/etc/smb.conf” entry provides an example of a typical configuration:
preexec = echo "Connecting %u to %S by %m" >> /tmp/log
This example would display a message on the client to the effect that the client was connecting. The “exec” and “preexec” configuration options are synonymous. The “postexec” option can be used to run a command shortly before closing a Samba connection. This allows you to display a short message, for example:
postexec = echo "Closing Samba Connection"
The “root postexec” option allows you to run a command with root privileges shortly before closing the connection. The basic configuration is the same as the “postexec” option. The “root preexec” option can be used in a similar way to “root postexec” to run a command with root privileges before opening a connection between a client and a specific share.
Connection Configuration Parameters
The “max connections” option specifies the number of connections the server permits. This option is useful if your Samba server’s performance drops due to a large number of simultaneous sessions. The following setting allows an unlimited number of simultaneous connections:
max connections = 0
The “volume” option simply defines the volume name for a Samba share. This may not sound important, but some programs that are launched from CDs need a specific volume name if they are to run. The following statement sets the name of the Samba share volume to “Install”, for example:
volume = Install
Granular Access Permissions Samba relies on Unix/Linux access control for file permissions, thus allowing consistent mapping of permitted access between the worlds of Unix and Windows. Whereas Unix offers a clearcut file mode with nine access bits, Windows relies on detailed Access Control Lists. An ACL can stipulate different
COVER STORY
Windows clients to view and modify rights for arbitrary groups and users, ACLs – provided you have compiled thus allowing combinations that the Samba “--with-acl-support”. Windows Unix mechanism cannot reflect. NT/2000 ACLs are far more complex that The Posix ACLs provide an ACL system those provided by Posix, however, so for Linux, although it is not compatible to Samba again needs to act as a proxy, the NT ACL system. The ACL support although this should not cause any probprovided by the operating system lems in most practical applications. ■ depends on the kernel version and distribution. Posix ACLs provide both the familiar file mode bits and an arbitrary number of entries for additional users and groups. Users or groups explicitly listed here are assigned individual access permissions (read, write, and execute). The permissions that can be assigned by the ACL are defined in the ACL mask. The ACL can be manipulated by the “setfacl” commando on the Linux side; “getfacl” shows the assigned permissions. Figure 4: The “testparm” command provides a quick list of Samba 2.2 and later allows default “global” parameters, and of the share parameters
Samba Domains
Integrating NT4 Domains with Samba
The Boss Microsoft will soon be withdrawing its support for Windows NT4, but Samba for Linux offers a free alternative that provides both users and administrators with a familiar environment. Samba servers are also easily added to existing domains. BY BERNHARD RÖHRIG
Central user management always becomes an issue when users need to access multiple servers on a network. If your network mainly comprises Windows clients, an NT4 type domain is a good choice, as it allows your Windows clients to cooperate both with Samba and with Windows servers. There are four major administrative tasks involved:
• Adding Samba servers to existing NT domains
• Setting up Samba as a Primary Domain Controller (PDC), and possibly as a Backup Domain Controller (BDC)
• Adding Samba servers to the Samba domain
• Adding NT servers and workstations to the Samba domain.
It is quite simple to integrate a Samba host as a member server of an NT domain. The Samba host needs an account in the domain, a machine account (in Microsoft terms a machine trust account, as it establishes a trust relationship between the host and the domain). You can use the normal Microsoft tools, such as Server Manager on the PDC, to create it. The computer name refers to the NetBIOS name of your Samba server, which is set by the

netbios name =

entry in smb.conf. If the entry is missing or blank, Samba uses the server's DNS hostname, which can be discovered by typing the following command on the server:

# hostname -s
Three entries in the configuration file need to be added or modified on the member server:

security = DOMAIN
workgroup = DWARFKINGDOM
password server = ALBERT

DWARFKINGDOM is the name of the NT domain the server will be joining, ALBERT the NetBIOS name of the Primary Domain Controller. If the domain comprises Backup Domain Controllers, you can add them after the PDC entry. The names in the list are separated by spaces. A single command allows the Samba server to join the domain:

# smbpasswd -j DWARFKINGDOM -r ALBERT

Before issuing the command, you will need to stop the smbd and nmbd processes on the Samba server. The processes need to be restarted after the server has joined the domain. Scripts are available for both steps.

Listing 1: Samba as a Primary Domain Controller

[global]
workgroup = DWARFKINGDOM
security = USER
encrypt passwords = yes
os level = 65
local master = yes
preferred master = true
domain master = true
wins support = yes
domain logons = yes

[netlogon]
comment = Domain-Controller
path = /home/samba/netlogon
public = no
read only = yes
browseable = no

March 2003
www.linux-magazine.com
Making Samba the Boss

Of course Samba is a useful supplier of hard disk capacity and printing services, but it can also assume the role of the PDC in an NT domain. In this role, the Samba server will manage both the user accounts and the browsing lists for the domain, which include the IP addresses of the Windows and Samba PCs in the various subnets in a router based infrastructure. The Samba server provides the following features:
• User level security (the server will not request authentication credentials from any other server)
• Encrypted passwords
• Domain Master Browser (i.e. the server will collate the subnet lists)
• WINS Server (the server will map IP addresses to NetBIOS names)
• the ability to respond to domain logon requests
• a special directory for the domain logon service.
The smb.conf entries required for these features are shown in Listing 1. Otherwise, the Samba server configuration follows the typical pattern. The server can provide shared directories, print queues, and allow network access to mounted CD ROMs, as required. The size of your network and your security requirements will define whether you assign a dedicated machine to handle authentication requests or simply use an existing Samba machine for this task. Using a Samba server as a Backup Domain Controller is slightly more tricky. As Microsoft has still not published the interface required for this task, it should not work at all; getting it to work despite this fact is complex, and the results may not be completely stable, as the Samba documentation implies [1].
Creating Trust

To allow NT type machines, including any other Samba servers, to talk to a new PDC, you need to set up a machine account for each of these machines on the Samba host. From the viewpoint of the Linux system, a machine account is just a normal user account. However, the task in hand requires a special setup and management. The most obvious giveaway is the user name we will be using, as it comprises the NetBIOS name of the member server and a terminating $ character. You might like to assign UIDs from a special pool to prevent confusion with normal system users. Setting up a machine account for a computer called winnie requires three steps:

# useradd -u 1001 -d /dev/null -s /bin/false winnie$
# passwd -l winnie$
# smbpasswd -am winnie$

The -u flag of the useradd command assigns a UID from a special pool to the machine account. There are no restrictions on where you place the pool, but you will need to avoid duplicate UID assignments. Now let's set up a triple barrier to prevent Linux users from logging on with the machine account:
• no home directory on the filesystem (-d flag)
• no login shell (-s switch)
• account disabled (-l flag in passwd).
The -m option tells the smbpasswd program that the account is a machine account. This ensures that an initial password is created automatically (derived from the machine name, as NT does it) and stored in encrypted form without any intervention by the admin user; the member machine replaces it when it joins. To allow Windows 2000/XP clients to perform a domain logon on the Samba server, the system administrator root must be added to the Samba password file:

# smbpasswd -a root

For security reasons root should be assigned different passwords for Linux and Samba. The password is required when an XP/2000 client joins the domain, and plays no other role on the network apart from this.

Come together

The other Samba servers on the network can now become member servers of the domain. The [global] section of their configuration files contains the following entries:

workgroup = DWARFKINGDOM
security = DOMAIN
encrypt passwords = yes
password server = PINOCCHIO

The PDC just set up on Linux/Samba will be called pinocchio and is in charge of the DWARFKINGDOM domain. The commands required to add the member server to the domain after completing the configuration steps are shown in Listing 2; the example is based on SuSE Linux. The smbpasswd command is identical no matter what Linux system you are using. After the re-launch, the member server will request authentication information from the domain controller pinocchio. All that remains to do now is to ensure that the users of the client systems log on to the DWARFKINGDOM domain, and not to local systems or stand-alone servers. This will allow them to access the resources provided by the member servers within the constraints of their user accounts without needing to re-authenticate. If the workstations involved are NT/2000/XP type machines, you will need to repeat the steps described above to create machine accounts for them on
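The three-step machine account procedure from the Creating Trust section above, as an added example that is not part of the original article: a POSIX shell script that picks the next free UID from a dedicated pool, derives the account name from the NetBIOS name (lower-cased, as in the article's examples, with the trailing $), applies the triple barrier and registers the Samba machine account. The pool bounds, the DRY_RUN switch and the sample passwd file it builds are this example's own conventions; useradd, passwd -l and smbpasswd -a -m are the commands the article uses, and they need root to run for real.

```shell
#!/bin/sh
# Added example (not from the article): create an NT machine account on a Samba
# PDC the way the text describes, with the UID taken from a dedicated pool so
# that machine accounts cannot be confused with ordinary users.
# Assumptions (this script's own): the pool bounds, the DRY_RUN switch and the
# constructed passwd file below; the real commands are the article's
# useradd / passwd -l / smbpasswd -a -m and need root to actually run.

# next_free_uid PASSWD_FILE LOW HIGH: lowest UID in [LOW, HIGH] not used in PASSWD_FILE.
next_free_uid() {
    passwd_file=$1; low=$2; high=$3
    uid=$low
    while [ "$uid" -le "$high" ]; do
        if ! cut -d: -f3 "$passwd_file" | grep -qx "$uid"; then
            echo "$uid"; return 0
        fi
        uid=$((uid + 1))
    done
    echo "no free UID between $low and $high in $passwd_file" >&2
    return 1
}

# machine_account_name NETBIOS_NAME: lower-cased name plus the trailing '$'
# that marks a machine account. NetBIOS names are at most 15 characters;
# the character set accepted here is deliberately narrow.
machine_account_name() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        ''|*[!a-z0-9-]*) echo "invalid NetBIOS name: $1" >&2; return 1 ;;
    esac
    if [ ${#name} -gt 15 ]; then
        echo "NetBIOS name longer than 15 characters: $1" >&2; return 1
    fi
    echo "${name}\$"
}

# run CMD...: execute, or only print the command line when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# create_machine_account NETBIOS_NAME [PASSWD_FILE] [LOW] [HIGH]
# The triple barrier from the article: no home directory, no login shell,
# locked Linux password; then the Samba machine account, whose initial
# password smbpasswd -m derives from the machine name (the member changes it
# when it joins the domain).
create_machine_account() {
    netbios=$1; passwd_file=${2:-/etc/passwd}; low=${3:-1001}; high=${4:-1999}
    acct=$(machine_account_name "$netbios") || return 1
    if cut -d: -f1 "$passwd_file" | grep -qxF "$acct"; then
        echo "$acct already exists in $passwd_file" >&2; return 1
    fi
    uid=$(next_free_uid "$passwd_file" "$low" "$high") || return 1
    run useradd -u "$uid" -d /dev/null -s /bin/false "$acct" &&
    run passwd -l "$acct" &&
    run smbpasswd -a -m "$acct"
}

# write_sample_passwd FILE: constructed passwd file (not from any real system);
# UIDs 1001 and 1002 of the pool are already taken by two machine accounts.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sleepy:x:1000:100:Sleepy:/home/sleepy:/bin/bash
albert$:x:1001:100:NT PDC:/dev/null:/bin/false
pluto$:x:1002:100:member server:/dev/null:/bin/false
EOF
}

# Demonstration: dry run against the sample file prints the three commands
# that would be executed for a new member called WINNIE (UID 1003).
demo() {
    tmp=$(mktemp)
    write_sample_passwd "$tmp"
    ( DRY_RUN=1; create_machine_account WINNIE "$tmp" 1001 1999 )
    rm -f "$tmp"
}
demo
```

Run it without DRY_RUN as root on the PDC, or source it and call create_machine_account for each member; the duplicate check refuses to touch an account that already exists, and the account name check catches names that are not valid NetBIOS names before useradd is reached.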
the Samba PDC. Windows 9x/Me clients do not need a machine account. A client running Windows XP Professional requires an additional setting, Domain member: Digitally encrypt or sign secure channel data (always) = Disabled, in Control Panel / Administrative Tools / Local Security Policy / Local Policies / Security Options. This relaxes the protection of the netlogon channel between client and PDC and is only needed because Samba 2.2 does not implement the secure channel; revert it once your PDC runs a version that does (Samba 3 and later). A member server will normally attempt to change its machine account password on the PDC at regular intervals. The default period for a Samba server is one week, or 604800 seconds, just like for an NT machine. You can use the following smb.conf entry:

machine password timeout = 86400

to shorten the interval to one day.
Welcome Friends

The final task is adding existing NT servers to your Samba domain. After creating machine accounts for these computers on the Samba PDC, the required steps are performed on the individual NT servers. Right click on the Network Neighborhood icon on the Windows desktop to open the applet. The Identification tab shows the NetBIOS name of the server and the name of the workgroup or domain the server currently belongs to. Click on the Change button to open the Identification Changes dialog box. Now select the Domain radio button and type DWARFKINGDOM in the domain text box (see Figure 1). Do not check the Create Computer Account checkbox, as a machine account for the server has already been set up on the Samba PDC. Click on OK to confirm and after a short wait a message will appear to welcome the new member server to the domain. You will now need to restart your Windows NT server to apply the changes permanently.

Listing 2: Joining a Samba Domain

# /etc/init.d/smb stop
Shutting down SAMBA nmbd                done
Shutting down SAMBA smbd                done
# smbpasswd -j dwarfkingdom -r pinocchio
2002/12/31 16:48 : change:trust_account_password: Changed password for domain DWARFKINGDOM.
Joined domain DWARFKINGDOM.
# /etc/init.d/smb start
Starting SAMBA nmbd                     done
Starting SAMBA smbd                     done
#

Windows Pages

The procedure for adding Windows 2000 and XP workstations that share their hard disk and printers on the network to the domain follows a similar pattern, the main difference being that you access the configuration options via the My Computer icon on the desktop (instead of the Network Neighborhood). Right click the icon and select Properties in the drop-down menu to open the System Properties dialog box. The Identification tab displays two buttons. The lower button, Properties, opens the Identification Changes dialog box, which additionally provides the More button. You can click on this button to open the DNS Suffix and NetBIOS Computer Name dialog box. The Change primary DNS suffix when domain membership changes checkbox is checked by default. As Samba environments currently do not use Active Directory, you will need to remove the checkmark. When you close the dialog box, ensure that you toggle from workgroup to domain mode in the lower part of the Identification Changes dialog box. Enter the DWARFKINGDOM domain just like on your NT servers. Click on OK to access the Samba PDC, which will prompt you for authentication credentials. Type root as the username, supply the Samba password, and again click on OK to add the machine to the domain. Again, you will need to restart the Windows machine.

Enhanced Service

Using a Samba server as your PDC allows you to use scripts to simplify the logon procedure for your users. In this case the scripts are a sequence of DOS or Windows commands that are stored centrally, but run locally on the individual desktops when the client logs on. They are useful for tasks such as synchronizing the clock with the Windows time server, assigning local drive letters to shares on the Samba servers, and the like. As these scripts are parsed by Microsoft systems, you must ensure that they contain the correct end-of-line characters (CR/LF), so pay attention when using Unix editors. To use a script, add an entry such as

logon script = %U.bat

to the smb.conf on the PDC to run a logon script for each individual user (macro %U). You can stipulate %m to run machine specific scripts. The admin user will need to opt for one of these approaches. Samba expects the scripts to be located in the netlogon share, which is set by the path statement in the [netlogon] section of the configuration file. Because every client executes these scripts at logon, the netlogon directory must remain writable by root only; Listing 1 exports it read-only for this reason. User profiles are another useful feature. They comprise a mass of information that defines the appearance and behavior of the individual user environments, such as the desktop scheme and the contents of the Start menu.

Managing Roaming Profiles
Windows NT and its successors create a profile for each user, and profiles can optionally be defined for Windows 9x/Me systems. In contrast to local profiles, which are stored on the individual workstations, server-based (roaming) profiles are stored and managed independently of any workstation. From the user's viewpoint this means logging on to a familiar environment no matter where. Profile information is automatically copied back and forth, more or less transparently for the user. The Samba configuration file requires a statement in the [global] section and a special [profile] share for this purpose. Listing 3 shows the additional entries.

Listing 3: Centrally Managed User Profiles

[global]
logon path = \\pinocchio\profile\%U

[profile]
path = /home/samba/profiles
read only = no
browseable = no
create mode = 0600
directory mode = 0700

Figure 1: Connecting an MS Windows NT server to a Samba domain is easy

Do not make the mistake of confusing the logon path with the path in the [netlogon] share. The latter is used for logon processes, is owned by root, and contains logon scripts for all users. In contrast, the directories below /home/samba/profiles are owned by individual users, can only be read and written to by these users, and are used for storing profile information. An overview such as this article cannot do a product such as Samba true justice, so let us conclude by mentioning a few additional configuration options.
Reduce Administrative Effort

The different approaches to user management on Windows NT and Linux have always proved challenging. The winbindd server process introduced in Samba 2.2.2, and the associated statements in smb.conf (Winbind options section in Swat's Advanced View), provide more or less painless integration of these two realms. The domain admin group and domain guest group options in smb.conf also help. Manually creating Linux user accounts on all your servers can cause headaches, but the winbind daemon can prove useful in this situation. The configuration statements required are add user script and delete user script. The (default) allow trusted domains = yes entry allows trust relationships between domains. Samba version 3.0 sees the introduction of the net tool, which can perform one particularly neat trick (amongst other things): typing net rpc vampire migrates an entire NT security database to a Samba PDC. ■
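The ownership rule from the Managing Roaming Profiles section above (profile directories belong to the users they are named after, the netlogon directory to root) as an added example, not code from the article: a POSIX shell check that walks both trees and reports deviations. It assumes the layout of Listing 3 (one directory per user directly below the profile path, as produced by logon path = \\pinocchio\profile\%U), an expected profile mode of 0700, that ls -ld prints the mode string in column 1 and the owner in column 3, and names without whitespace. The sample tree it builds under mktemp is constructed for the demonstration; because the current user rather than root owns that tree, the netlogon check takes the expected owner as an optional second argument.

```shell
#!/bin/sh
# Added example (not from the article): audit the two directory trees behind a
# Samba PDC. Profile directories (logon path = \\pinocchio\profile\%U) must be
# owned by the user they are named after and closed to everyone else; the
# netlogon share must be owned by root and not be writable by anyone else,
# because every client executes the scripts it finds there at logon.
# Assumptions (this script's own): 0700 is the expected profile mode, ls -ld
# prints the mode in column 1 and the owner in column 3, names have no blanks.

# mode_and_owner PATH: print "<mode> <owner>"; an ACL/SELinux marker (+ or .)
# appended to the mode string is dropped.
mode_and_owner() {
    ls -ld "$1" | awk '{ sub(/[+.]$/, "", $1); print $1, $3 }'
}

# check_profile_dirs DIR: one line per problem found in the directories below DIR.
check_profile_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}; name=${d##*/}
        set -- $(mode_and_owner "$d"); mode=$1; owner=$2
        [ "$owner" = "$name" ] || echo "$name: owned by $owner, not by $name"
        case "$mode" in
            d???------*) ;;                       # rwx for the owner only: fine
            *) echo "$name: mode $mode lets group or others in" ;;
        esac
    done
}

# check_netlogon DIR [OWNER]: report anything under DIR that is not owned by
# OWNER (default root) or that group or others may write to.
check_netlogon() {
    dir=$1; want=${2:-root}
    find "$dir" -print | sort | while read -r f; do
        set -- $(mode_and_owner "$f"); mode=$1; owner=$2
        rel=${f#"$dir"}; rel=${rel#/}; [ -n "$rel" ] || rel=.
        [ "$owner" = "$want" ] || echo "$rel: owned by $owner, not by $want"
        case "$mode" in
            ?????w????*|????????w?*)              # group (pos. 6) or other (pos. 9) write bit
                echo "$rel: mode $mode is writable by group or others" ;;
        esac
    done
}

# build_sample_tree BASE: constructed sample (not a real server): one correct
# profile directory named after the current user, one wrong one, and a netlogon
# directory holding a world-writable logon script next to a sane one.
# Prints the owner name ls uses for the current user.
build_sample_tree() {
    base=$1
    me=$(mode_and_owner "$base" | awk '{ print $2 }')
    mkdir -p "$base/profiles/$me" "$base/profiles/snowy" "$base/netlogon"
    chmod 700 "$base/profiles/$me"; chmod 755 "$base/profiles/snowy"
    : > "$base/netlogon/snowy.bat"; chmod 666 "$base/netlogon/snowy.bat"
    : > "$base/netlogon/ok.bat";    chmod 644 "$base/netlogon/ok.bat"
    chmod 755 "$base/netlogon"
    echo "$me"
}

demo() {
    base=$(mktemp -d)
    me=$(build_sample_tree "$base")
    echo "profiles:"; check_profile_dirs "$base/profiles"
    echo "netlogon:"; check_netlogon "$base/netlogon" "$me"
    rm -rf "$base"
}
demo
```

On a real PDC, check_profile_dirs /home/samba/profiles and check_netlogon /home/samba/netlogon (with root as the implied owner) are the two calls; any line of output is a directory a user could read another user's profile from, or a script that someone other than root could turn into code run on every client at logon.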
INFO
[1] "How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain", Samba documentation ("Samba-BDC-HOWTO.html")
Samba Authentication
User Management and Authentication for Samba
Access Control Samba offers a highly granular access control system. In this month’s Linux Magazine we will be discussing the really important aspects of Windows user access and account management. BY BERNHARD RÖHRIG
Nobody likes to show their cards before playing them. Applying this to data management on a server means that every user should only be allowed to read and modify the information belonging to them, and that this information should not be available for other users to read or access. The Samba server provides a whole range of features for this purpose, and the /etc/smb.conf file is where these options are set. The central configuration directive is:

security = securitylevel

This option sets the security level, which is the basic method for securing resources on the server and the type of authentication required from users wanting to access these resources. Box 1: Security Levels provides an overview of the four security levels implemented to date.
Share or User Level Security

The following setting is the simplest way to share resources to users:

security = SHARE

This level provides minimal protection against unauthorized read and write access to shared directories and is simple to set up. On the other hand, every user who knows the password for a share has at least read access to it. This is why this security level can only be recommended for access to CD ROM or print servers, or in absolutely friendly environments, particularly when used in combination with guest access, which is set by the smb.conf directives guest account, guest ok and guest only. To provide a more sophisticated kind of user management, you might like to try:

security = USER
This level requires the users to identify themselves only once, by means of a formal username and password based login. You can specify encrypted passwords for this level. After logging on to a server, users can access any shares available to their user account within the bounds of the read and write permissions defined by their Linux user privileges. It often makes sense to utilize the usernames and passwords defined in the Linux system's /etc/passwd and /etc/shadow for Samba. Authenticating with these credentials means sending the password in the clear to the server, which then uses the crypt() function to compare it with the hash in /etc/shadow. Samba's challenge response mechanism cannot be used in this case: in a challenge response exchange the password itself never crosses the wire, so the server can only verify the response if it holds a Windows-style hash of the password, which /etc/shadow does not contain.
Password Encryption

In addition to the "security = user" directive, two additional configuration options must be set to use encrypted passwords:

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

You do not necessarily need to supply the password file if you are using the default path and name as specified when compiling the Samba server. Ensure that only root has read and write access to the file, as it contains the two Windows password hashes, the LanManager hash used by Windows 9x and the NT hash used by NT and later. Neither hash is salted, and either one is sufficient to authenticate as the user without knowing the password, so a copy of this file is as good as the passwords themselves. The file also contains the user ID of the UNIX account whose access privileges the Samba user gains after successfully logging on. You can run the smbpasswd command to manage the password file. The following syntax:

# smbpasswd -a dwarf

creates a Samba account for the user "dwarf", provided a Linux account with this name already exists. For security reasons, you should not use the same password as for the Linux account, that is, if the user is even allowed to log on interactively. Otherwise, you can type the following command:

# passwd -l dwarf

to disable the Linux account. The admin user can type the following command to change the Samba password:

# smbpasswd dwarf

The user "dwarf" only needs to type:

> smbpasswd

The following command deletes the account:

# smbpasswd -x dwarf
Figure 1: Swat interface
If you cannot get used to the smbpasswd command, you can maintain the smbpasswd file via the Web based Swat interface (Figure 1). To allow your users to change their own passwords via the Swat interface, you must ensure that the Linux account has not previously been disabled (passwd -l). You can still prevent interactive logins by assigning /bin/false as the login shell in /etc/passwd. The alternative is to use /usr/bin/smbpasswd as the login shell and to let users change their passwords with Windows Telnet or PuTTY. PuTTY offers the advantage of sending the password through an SSH tunnel, whereas Telnet transmits it in the clear across the wire, and transmitting clear text passwords should be avoided at all costs. If the passwords for the Samba and Linux accounts are identical, both accounts can be compromised with a single password, and this can have far reaching consequences for the security of your server. In environments where many, or even the majority of users, require an interactive login in addition to file access, it might still be preferable to use the same password for both accounts. When changing passwords, a task most users perform themselves, it then makes sense to change the Linux password at the same time, without requiring additional user interaction. The following smb.conf directives automate this:

unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *new*password* %n\n *changed*
The first line is self-explanatory. The second line contains the complete path to the Linux password management program ("%u" is the parameter for the username). The dialog between the administrator and the program, the password chat, must be emulated by the SMB daemon to allow password management. Our example was created for SuSE Linux 8.1 and will need some attention on other Linux installations. "%n" is the parameter for the new user password (provided by smbd at runtime), "\n" represents the terminating [Enter] when entering the password, and the asterisks act as wildcards for any string. Make sure that you retain the correct case, as in "new". Whenever a user launches smbpasswd to change their password, the Linux password is changed first. Because this step runs with root privileges, the old password is never required; if anything goes wrong along the way, the Samba password is simply left unchanged.
Password Management

Password synchronization is tricky. On many Linux systems it will work for an individual user but not when the system administrator runs smbpasswd interactively. Additionally, password modifications often fail due to the strict rules that many Linux systems impose on new passwords; many users will be unaware of these restrictions, and the non-descriptive error message that smbpasswd issues in this case is not much help. If you have more than three Samba servers on your network, managing user accounts individually on each machine can be troublesome at the best of times. The following smb.conf syntax provides a useful alternative:

security = SERVER

User authorization is no longer checked by the individual Linux machine; instead the credentials are passed to a central server that either okays or refuses access to shared resources on the requesting machine. The advantage is that Samba accounts can be managed centrally, reducing the workload on the admin. Two caveats apply to this mode: smbd keeps a connection to the password server open for the lifetime of each client session, so a lost connection means that further authentications from that client fail, and the Samba server has no strong means of verifying that the host answering is really the one named in the password server directive. Where a domain controller is available, the DOMAIN mode described below is preferable.
If a Windows NT Domain Controller with the required user accounts is available on the network, the admin can simply add the following configuration file entry to the "security" setting we just discussed:

password server = DWARFKINGDOM

This assumes that the NetBIOS name of the domain controller is "DWARFKINGDOM". This line can also contain multiple entries, separated by space characters. To access the resources on the Samba servers users will still need Linux accounts on the individual Linux machines, but accounts of this type do not require permission to log on interactively, and can even be disabled by an invalid password field (passwd -l). Solutions such as the following:

add user script = scriptlaunch %u
delete user script = scriptlaunch %u

and the additional "winbindd" daemon (man smb.conf, man winbindd) allow the system administrator to completely neglect account management for this account type. Instead of a Windows Domain Controller you can also use any Samba server for password management, provided the server has a user database ("security = user" in smb.conf, and its own smbpasswd). The server does not need to be a PDC. Centralized user management is useful even without a domain structure. If you want to stick to Windows conventions, you can stipulate the following smb.conf setting for your Samba servers:

security = DOMAIN

with the possible exception of one server that will assume the role of the Primary Domain Controller.

Box 1: Security Levels in Samba 2

SHARE refers to share management introduced with Windows for Workgroups 3.11 (where a share is a common directory or print queue on a server). Linux users who access Samba resources receive this type of access provided they are included in the user list for the resource and know the correct password.
USER is the default setting as of Samba 2.0. The user authenticates once only on connecting and can access all the shares on the SMB server within the bounds of her Linux permissions.
SERVER is the same as USER with respect to access to resources. However, identities are not verified against /etc/passwd on the Samba server itself but against a dedicated password server, which can be (but does not have to be) an NT Domain Controller. The main advantage is centralized administration of the user database.
DOMAIN has a similar effect to SERVER, with the exception that a Primary or Backup Domain Controller in the Windows NT domain is used as the password server. Samba version 2.2.3 or later can provide this functionality. After successfully logging on, users have access to any resources within the domain for which their accounts have been assigned permissions.
Protecting and Sharing

The resources of the machine running the Samba server are made available to authenticated users by means of a highly granular system of permissions. At the lowest level this means access privileges to those files and directories for which users are authorized due to their ID or group memberships. Samba provides additional options that can be applied by means of directives in the configuration file. Access permissions of this type are assigned per share and are thus located in a "[share]" section of smb.conf, where "share" represents the share name of a directory made available to Windows clients. For example: the administrator has created a directory of sharable programs in /home/samba/shared_progs and now wants to publish the directory as "programs" on the Windows network. The Listing "User Access Control" shows one possible approach to configuring this scenario in smb.conf. The "writeable = no" entry makes the directory read-only, which is the default setting. The write list specifies the users and groups who will be assigned write privileges, in our example the users "snowy" and "sleepy". Similarly, the read list comprises users who will receive read-only access to the share, and this setting still applies if the directory is set to "writeable = yes". The argument in our example is a group name, as the prepended @ character indicates. Note that the write list directive takes priority, which means that the user "sleepy" will have read and write access to the protected directory although he is a member of the "dwarves" group. Samba cannot grant more than the filesystem allows, so a user on the write list still needs write permission on the files themselves. "admin users" are a different matter and a potential security hazard. If a Samba user logs on with one of these IDs ("prince" in our example), the user has unrestricted root access to all the files and directories in the share regardless of their Linux permissions. Although you can add a share definition to smb.conf manually, Swat provides a far more convenient approach. You might like to enable the Advanced View, which shows and allows you to edit all the Security Options you will require. Box 2: Additional smb.conf Access Control Directives lists other directives that may be crucial to your daily administrative tasks.
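Added here as a worked example, not code from the article: an audit of smb.conf for the settings this article warns about, both the security levels of Box 1 and the per-share directives above. It flags share-level security and clear-text passwords in [global], "admin users" in any share, and guest-accessible shares that are writable. The sample configuration embedded in it is constructed for the example and mirrors the "User Access Control" listing plus a deliberately sloppy [public] share; the message format and the set of directives checked are the script's own choices. Samba treats parameter names case-insensitively and ignores blanks in them, which the parser reproduces by normalizing keys.

```shell
#!/bin/sh
# Added example (not from the article): audit smb.conf for the settings this
# article warns about. Checked: security = share and clear-text passwords in
# [global]; "admin users" in any share; guest-accessible shares that are
# writable. Assumptions (this script's own): one finding per line as
# "<section>: <message>"; only the directives named here are examined.

# audit_smbconf FILE: parse FILE section by section and print findings.
# Samba ignores case and blanks in parameter names ("Encrypt Passwords" is
# "encryptpasswords" here), so keys are normalized before lookup.
audit_smbconf() {
    awk '
    function trim(s)    { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function normkey(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
    function isyes(v)   { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    # writeable, writable and write ok are synonyms; read only is the inverse
    # and defaults to yes, so an unmarked share is read-only.
    function writable() {
        if ("writeable" in kv) return isyes(kv["writeable"])
        if ("writable"  in kv) return isyes(kv["writable"])
        if ("writeok"   in kv) return isyes(kv["writeok"])
        if ("readonly"  in kv) return !isyes(kv["readonly"])
        return 0
    }
    function report() {
        if (sec == "global") {
            if (("security" in kv) && tolower(kv["security"]) == "share")
                print sec ": security = share (share-level security, minimal protection)"
            if (!("encryptpasswords" in kv) || !isyes(kv["encryptpasswords"]))
                print sec ": encrypt passwords is not yes (clear-text password authentication)"
            return
        }
        if ("adminusers" in kv)
            print sec ": admin users = " kv["adminusers"] " gives root-equivalent access to the whole share"
        if (("guestok" in kv) && isyes(kv["guestok"]) && writable())
            print sec ": guest ok on a writable share (anonymous write access to " kv["path"] ")"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                 # "[section]" header
        if (sec != "") report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
        split("", kv)
        next
    }
    index($0, "=") {                              # "name = value"
        i = index($0, "=")
        kv[normkey(substr($0, 1, i - 1))] = trim(substr($0, i + 1))
        next
    }
    END { if (sec != "") report() }
    ' "$1"
}

# write_sample_smbconf FILE: constructed sample configuration (not a real
# server's): the "User Access Control" listing plus a sloppy guest share.
write_sample_smbconf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = DWARFKINGDOM
   security = USER
   encrypt passwords = yes

[programs]
   path = /home/samba/shared_progs
   comment = shared program directory
   writeable = no
   write list = snowy, sleepy
   read list = @dwarves
   admin users = prince

[public]
   path = /home/samba/public
   guest ok = yes
   writeable = yes
EOF
}

# Demonstration: two findings are expected, one for [programs] (admin users)
# and one for [public] (anonymous write access).
demo() {
    tmp=$(mktemp)
    write_sample_smbconf "$tmp"
    audit_smbconf "$tmp"
    rm -f "$tmp"
}
demo
```

Run audit_smbconf /etc/samba/smb.conf on a real server. Empty output means none of the checked directives is present in a risky form, not that the configuration is sound; testparm remains the authoritative parser, and this script does not evaluate include files or per-share overrides of global defaults.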
What Else?

The techniques discussed so far cover most of the daily user management tasks a Samba admin may need to perform. Let's close with a look at one or two less common features and new developments. Passwords can be verified not only against a local smbpasswd file or a central password server, but (due to a recent development) also by reference to PAM (Pluggable Authentication Modules) or optionally LDAP (the Lightweight Directory Access Protocol). These two approaches to reducing administrative overheads are covered by two howtos in the Samba documentation [1], [2]. The following directive is used to map Windows usernames to Linux user accounts via the smbusers file:

username map = /etc/samba/smbusers

This approach is commonly adopted to provide the user "Administrator" or "Admin" with superuser privileges. The entry in /etc/samba/smbusers is:

root = administrator admin

Bear in mind that the mapped names authenticate against root's Samba password, so that password deserves the same care as the Unix root password. Similar mappings are also common for guest access as provided by the "guest" user on Windows. ■
Box 2: Additional smb.conf Access Control Directives

guest ok: No password is required to access this share. The privileges assigned to the guest account are used for access.
guest account: A Samba user who accesses a share where guest ok has been stipulated without supplying a password does so with the permissions granted to the Linux user specified by this directive. "nobody" or "ftp" are typically used.
guest only: Only guest access is available to this share (guest ok must also be stipulated).
valid users: A list of users and/or groups allowed to access this share (the read list and write list provide a more granular approach). The "%S" parameter expands to the name of the current share; valid users = %S in the [homes] section is the usual way to restrict each home share to its owner.
force user: After logging on with their Samba account, users are assigned the ID and group memberships of this Linux user. This provides for shared access by mapping multiple Samba accounts to a single Linux account. Samba 2.0.5 and later additionally adopt the group memberships of the forced user; a bug in earlier versions left group memberships unchanged.
force group: Similar to force user; the group stipulated here overrides the primary group assigned by force user.
hosts allow, hosts deny: These additional security features restrict or deny share access by reference to hostnames and IP addresses, and follow a similar approach to TCP wrappers (the hosts_access manpage provides more details).
Listing: User Access Control

[programs]
path = /home/samba/shared_progs
comment = shared program directory
writeable = no
write list = snowy, sleepy
read list = @dwarves
admin users = prince

INFO
[1] "Configuring PAM for distributed but centrally managed authentication", part of the Samba documentation ("PAMAuthentication-And-Samba.html")
[2] "Storing Samba's User/Machine Account information in an LDAP Directory", part of the Samba documentation ("SambaLDAP-HOWTO.html")
REVIEWS
Check Point SecurePlatform
Check Point SecurePlatform with Firewall-1
Quick Hardening Check Point’s SecurePlatform provides a hardened Red Hat Linux with Check Point’s own Firewall-1 NG and allows you to install a firewall yourself within a few minutes – without any assistance from system integrators or consultants. BY JÖRG FRITSCH
SecurePlatform

Manufacturer: Check Point [2]
Content: Minimal and hardened Red Hat Linux, combined with Check Point's Firewall-1, Floodgate-1, Policy Server, User Authority Server and Smartview Monitor. All of these products as NG (Next Generation) version, Feature Pack 3 (FP3).
License: Euro 3,240 for 25 IP addresses; for details see the "Licensing" box. Parts of the SecurePlatform are released under the GPL or BSD license.
Hardware: Intel platform, multiple network interface cards. For details see the "Hardware Requirements" box.
Check Point's SecurePlatform [1] provides a combination of the recent Check Point Firewall-1 NG FP3 (Next Generation, Feature Pack 3) with a hardened, minimal Linux distribution on a single CD. The CD is bootable on Intel systems, and installs a customized Red Hat distribution and the Check Point software within a few minutes. The installation creates an extremely well secured system. An in-depth knowledge of Linux, which the admin user would normally need to harden the system and perform meaningful partitioning, is not required for this product. The admin merely requires basic knowledge of the Firewall-1 structure and licensing to provide the right answers to the questions posed during installation. This makes it easier for end users to set up Firewall-1 themselves and avoid integration fees, with the exception of licenses (see the "Licensing" box) and media. Simply put, Check Point works the market on the basis of the Coca-Cola principle. The soft drinks manufacturer supplies its products to franchising partners who bottle it and sell it to distributors, who in turn sell it to retailers, who finally sell to real customers. Firewall-1 follows a similar pattern. Check Point sells its products to European distributors, who in turn sell to integrators, who in turn sell the customer both the product and the consulting services the customer may require. The SecurePlatform interrupts this supply chain as it is pre-integrated. Although customers should be pleased, the product has caused a shake up on the European market. Integrators are not prepared to sell licenses off the shelf and then act as firefighters if customer installations fail to scale.

Installation

The installation of the SecurePlatform is similar to that of a minimal Linux distribution. The system boots a character based installer from CD, asks a few questions (keyboard, 2 tier or 3 tier system) and installs a working Firewall-1 in about 4 minutes. Non-recoverable errors can only occur at two stages: the installer prompts the user to choose between an Enterprise or Small Office system (Figure 1). The second hurdle is the Products Configuration: this detailed configuration option is only available for the Enterprise system. The selection of a Small Office or Enterprise system affects the choice of products in the subsequent dialog (Figure 2) and on the installed system. Small Office systems are configurable by HTTPS and web server only ("admin_httpd", "cp_httpd"); SSH access is not available. This option is thus suited to small networks with fewer than 25 clients. Larger networks may experience scalability issues, and this will mean twice the amount of work for the admin user. The system created when you select the Enterprise option is a completely different matter. This installs 94 RPM archives with a total of 210 Mbytes of software, without a web server, but including OpenSSH. There is no way to influence the choice of packages, the partitioning or the hostname during installation. Table 1 shows how the finished system is partitioned; the Check Point software is stored below the "/opt" directory.

THE AUTHOR

Jörg Fritsch majored in Chemistry at university, has been working with Unix/Linux since 1994, and got into the IT business via programming jobs. He is currently working for Tesion as an Internet service/hosting system specialist.
Check Point SecurePlatform
REVIEWS
Figure 1: The SecurePlatform installation allows you to choose between an Enterprise Version and a Small Office Version. The latter is fairly inflexible as it only provides a Web-based administration interface

Figure 2: The admin user can install various other Check Point products in addition to Firewall-1. The available options depend on the version being installed – Enterprise or Small Office
Many packages are available under the GPL or BSD license, but the Check Point software itself is proprietary. The package names all end with “cp” (for example, “bash-2.05-8cp”). Check Point is obliged to disclose any changes made to GPL sources. As we were particularly interested in bash, we requested the sources and actually received them within 24 hours. The bash source is identical to the GNU original, despite the “cp” extension. The only difference is the size of the archive, but this is due to compression (Gzip, Bzip2).
Hardening and Operations
The installed system is extremely impressive. After installing the system you will not find any setUID files on the hard disk, and inetd does not launch any services; the system accepts only robust passwords (due to the cracklib installation). Remote access is only available by SSH, and direct root logins are not permitted. There are no manpages for the GNU packages or the proprietary software. Manpages for various Unix derivatives (such as Solaris, FreeBSD and Red Hat) have provided a favorite attack path for rootkits in the past. Most of these security problems were caused by the Catman system, which is responsible for caching and displaying formatted texts. Catman is a setGID (“man” group) or even setUID tool (the user “man” even needs a valid login shell). To close regularly occurring security holes, you can let the man viewer rebuild pages when they are requested, instead of serving up prebuilt pages.

The interesting aspects of this distribution are below the surface. Only the root and Admin user entries in “/etc/passwd” (both of which are UID 0) are active users. Only the Admin user is allowed to log on remotely via SSH. The proprietary CP shell (whose sources are not available) is assigned as this user’s login shell. The shell is more like Cisco IOS than a traditional Unix shell. You can type a question mark to display a list of available commands. The CP shell (at least in the Enterprise installation) includes a series of integrated commands, most of which refer to the Check Point software. These commands are all you need to manage the Firewall-1. Configuration commands for the SecureXL API (Check Point Performance Pack for increased throughput) and ClusterXL commands are also available.
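Two of the hardening properties the review singles out (no setuid/setgid binaries on disk, nothing launched from inetd) can be re-checked on any Linux host with a few lines of shell. The functions below are an added example written for this review and are not part of the article or of Check Point’s product; the directory and inetd.conf paths are passed in as arguments, and the sample data the functions are exercised with is constructed.

```shell
#!/bin/sh
# Added example (not from the article): re-check two of the hardening
# properties the review reports for a freshly installed SecurePlatform.

# List regular files below a directory tree that carry the setuid or
# setgid bit. A clean system, as the review describes, prints nothing.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Number of setuid/setgid files, for a pass/fail check in a script.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Print the service names of every active (non-comment, non-blank) line
# in an inetd.conf-style file. An inetd that launches nothing, as on the
# SecurePlatform, yields an empty result.
active_inetd_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null | awk '{print $1}'
}

# Stand-alone usage: "sh audit.sh --audit" checks the running host.
if [ "${1:-}" = "--audit" ]; then
    echo "setuid/setgid files under /: $(count_setid_files /)"
    echo "active inetd services:"
    active_inetd_services /etc/inetd.conf
fi
```

Run with `--audit` on a host, any non-empty listing is a deviation from the state the review describes and worth explaining before the system goes into production.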
Expert Included The “expert” command is one of the built in commands and is available in both installation versions. The command works in a similar way to the “su” command and launches bash as a subshell for the root user (Figure 4). This provides root with several additional GNU system management commands, allowing the root user to create additional directories, mount filesystems (such as CD ROMs) or write shell scripts.
Hardware Requirements
Hardware requirements depend on the throughput the finished firewall (or cluster) will need to handle. The installation procedure allows you to specify various environments for the product – from Small Office and Firewall-1 XL to VSX. VSX is a virtual system mainly used for commercial security service providers.

Simple hardware is often enough
Simple hardware and a few network interface cards (a trusted and an untrusted interface, for example) are sufficient to provide fairly good throughput, claims the manufacturer. An Intel based computer with a 32 MHz PCI bus and two interfaces attained speeds of 200 Mbps without encryption. Under practical conditions this value will tend to be lower, but these values reflect two factors: you do not need specialist hardware for a 2 Mbit Internet connection, and it is unlikely that the CPU will prove to be too slow. Without the SecureXL Performance Pack you would normally expect the system bus to be a bottleneck.
Figure 3: After logging on initially, the CP shell forces the admin user to supply a password. Cracklib prevents passwords that are too short or not sufficiently robust
Figure 4: The admin can use SSH to launch the SecurePlatform CP shell. The “expert” command allows bash access, and thus access to standard Linux functions (diagram: “ssh admin@IP-Address” – SecurePlatform CP shell, administration for Check Point FW-1; “expert” – GNU bash, administration for Linux systems)
Admin also needs to launch expert mode to install additional packages. The SecurePlatform can also be clustered with Rainwall [3] – this assumes that the GNU C++ library supplied with Rainwall has been installed. Although some manual intervention is required, you do get a cluster without superfluous ballast for your effort. The platform envisages only the two users we discussed previously, both of which are UID “0” (Root/Expert and Admin). You cannot log on as root either remotely or locally. Although the GNU “useradd” and “passwd” commands do exist, we were unable to create a new user. Manual editing of the “/etc/passwd” and “/etc/shadow” files was equally unsuccessful.
The problem is that the “passwd” command seemingly changes the admin user’s login password, no matter what user launches the program or what user you need to edit. The sources for this command are unchanged. This behavior may be caused by PAM modules, but we could not find anything unusual there either. And asking the manufacturer, Check Point, did not get us any further.
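A system that is supposed to have exactly two active accounts, both UID 0, is easy to audit for drift: list the UID-0 entries, list the accounts that still have a login shell, and flag any UID-0 name outside the expected set. The shell functions below are an added example, not code from the article or from Check Point; the passwd sample they are exercised with is constructed, and the CP shell path in it is made up.

```shell
#!/bin/sh
# Added example (not from the article): account checks for a host that,
# like the SecurePlatform, is meant to have only two active accounts,
# both UID 0, with a dedicated restricted shell on the admin account.

# Names of all accounts with UID 0 in a passwd-format file ($1).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose login shell is not a nologin-style shell, i.e. accounts
# that can log on interactively somewhere.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# UID-0 accounts in $1 that are not named in the space-separated list $2.
# Any output is a finding: an extra all-powerful account.
unexpected_uid0() {
    expected=" $2 "
    uid0_accounts "$1" | while read -r name; do
        case "$expected" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Constructed passwd sample (not a real SecurePlatform file; the CP shell
# path is made up). "extra" stands for an account that should not exist.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/bin/cpshell
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
extra:x:0:0:unexpected:/:/bin/sh
EOF
}
```

On a live host, `unexpected_uid0 /etc/passwd "root admin"` should print nothing; a cron job that runs it and mails any output is a cheap tripwire for the very change the review could not make by hand.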
A Direct Route
The network adapters in the system or VLAN (Virtual LAN) tagging can be configured in the CP shell; the “sysconfig” command takes care of this. Strangely enough there is no submenu to change the speed or operating mode (full duplex FDX, half duplex HDX) of the network adapters. It looks like the admin user is forced to rely on the autosensing function of the network adapters, and that often leads to problems in production environments. A firewall should negotiate as few dynamic parameters as possible.

The sysconfig “Products Configuration” menu item is interesting. You can opt for a simple or distributed (that is 2-tier or 3-tier) installation. A 2-tier installation (Figure 5) involves two machines: the admin workstation with a GUI for configuring a set of rules and the machine running the firewall itself. A 3-tier installation (Figure 6) involves three computers. The firewall is then distributed across a machine that manages the ruleset and receives logfiles, and a machine with the filter and routing function proper (the firewall module). 3-tier installations provide better performance, but licensing is complicated. This installation type is best suited to clusters and to large environments with lots of firewall modules at various positions.

After completing all the items in the sysconfig menu, you should be able to connect to the firewall with the GUI to exchange certificates and set up an initial ruleset (see Figure 7). If this does not work, because the rules do not allow a GUI workplace, it’s back to the console: the “fw unload all.all” command sets the firewall to permissive mode.

The numerous features and APIs that Firewall-1 now provides mean that services will be listening on about 30 TCP ports immediately after installation. With the exception of SSH and the RPC ports 32770 through 32774, all of these open ports belong to Firewall-1 services, for GUI based remote administration, user authentication or logging, for example. To be more precise, not all of these ports are actually reachable, as the ruleset denies these services by default. An implicit cleanup rule makes sure of this: “any any any deny”.

We used a 2-tier installation in our lab environment. After running the CP shell to configure the system, all you need is the Check Point GUI, which is used for creating and managing the ruleset and runs on a Microsoft Windows machine. This was the most time-consuming and confusing item of the whole installation. An experienced Firewall-1 NG user would tend to look for a package called “Management Clients” in the Windows Installer, but unfortunately this was dropped in FP3. The Management GUIs previously comprised three applications: Policy Editor, Log Viewer and Status Viewer. In FP3 all of them have been renamed to SMART Clients (SMART Dashboard, SMART Status and SMART View Tracker).

Figure 5: In a 2-tier installation, the GUI stores the ruleset on the firewall machine. A compiler translates the rules that control the firewall modules to binary format (diagram: GUI – Rule basis and objects – Compiler – Firewall Module – Rules in binary format)

Figure 6: A 3-tier installation uses separate firewall and configuration server machines. This allows a centralized configuration to control multiple firewall modules, a particularly useful architecture for distributed installations (diagram: GUI – Rule basis and objects – Compiler – Firewall Module – Rules in binary format)

Figure 7: Typical Check Point GUIs allow SecurePlatform administration on a Windows machine

Licensing
In Check Point’s case the licensing requirements depend on the number of IP addresses to be protected, and additionally whether you perform a distributed installation (see Figures 5 and 6). The configuration procedure defines one interface (in the simplest case the untrusted interface) as an external interface. The firewall software then counts the IP addresses assigned to all the other interfaces. As the software gets confused by NAT, strictly speaking all the addresses in your LAN should be licensed, whether the firewall actually sees them or not. Check Point licenses are available in various sizes: for 25, 50, 100, 250, or an unlimited number of IP addresses. In the case of a 2-tier installation (non-distributed) prices range from Euro 3,240 to 20,520. In the case of a distributed (3-tier) installation, the filter modules (without management function) are a lot cheaper (Euro 2,160 to 7,560). Encryption will increase the price by approximately Euro 500 to 1,000. Features such as encryption or the Visual Policy Editor (see Figure 7) require additional licensing.

INFO
[1] Check Point SecurePlatform: http://www.checkpoint.com/products/protect/secureplatform.html
[2] Check Point: http://www.checkpoint.com/
[3] Rainwall: http://www.rainfinity.com/products/rainwall.html
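Thirty listening TCP ports on a firewall host is a lot to keep track of, and the sensible way to handle it is to record the listener set right after installation and diff later snapshots against it. The functions below do that over “netstat -tln”-style output; they are an added example for this review, not code from the article or from Check Point, and the two snapshots they are exercised with are constructed (only the SSH and RPC ports named in the text appear; port 8080 is a made-up intruder).

```shell
#!/bin/sh
# Added example (not from the article): record the set of listening TCP
# ports on a freshly installed firewall host as a baseline, and report
# any port that later shows up in a new "netstat -tln" snapshot.

# Sorted, unique local port numbers of LISTEN sockets in netstat-style
# output read from the file named by $1. Handles "0.0.0.0:22" and ":::22".
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

# Ports listening in the current snapshot ($2) but not in the baseline ($1).
# Empty output means the listener set has not changed.
new_listeners() {
    base_tmp=$(mktemp); cur_tmp=$(mktemp)
    listening_ports "$1" > "$base_tmp"
    listening_ports "$2" > "$cur_tmp"
    comm -13 "$base_tmp" "$cur_tmp"
    rm -f "$base_tmp" "$cur_tmp"
}

# Constructed sample snapshots (not captured from a real SecurePlatform):
# the baseline shows SSH plus two of the RPC ports the review mentions.
sample_baseline() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32770           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
EOF
}

# The later snapshot has one extra listener (port 8080, a made-up value).
sample_current() {
    sample_baseline
    echo 'tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN'
}

# Live usage: save "netstat -tln > baseline.txt" after installation, later
# run "netstat -tln > now.txt" and call: new_listeners baseline.txt now.txt
```

Because the comparison works on port numbers only, a service that moves to a new port also shows up, which is usually what you want on a box whose listener set is meant to be frozen after installation.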
Conclusion Thanks to the CP shell the configuration and administration of the SecurePlatform is more like an appliance than a normal Linux machine with Check Point Software installed. The SecurePlatform offers two advantages over a typical appliance: First, most appliances provide browser based administration, and that means running a web server on them. If you disable the web server, you might find that administration is not particularly convenient. The SecurePlatform offers text based administration via SSH and the CP shell without needing an additional web server. Additionally, there is a bottom-line advantage, as only normal hardware is required provided it complies with the system requirements. One possible disadvantage is the fact that hardware and software will normally be from different sources in contrast to a genuine appliance. So, if something goes wrong you might expect both parties to disclaim responsibility, although to be fair, this is extremely uncommon in normal circumstances. ■
Table 1: Partitioning layout
Device        Filesystem      Type       Options
/dev/hda2     /               ext3       rw
none          /proc           proc       rw
usbdevfs      /proc/bus/usb   usbdevfs   rw
/dev/hda1     /boot           ext3       rw
none          /dev/pts        devpts     rw,gid=5,mode=620
/dev/hda5     /opt            ext3       rw
none          /dev/shm        tmpfs      rw
/dev/hda3     /sysimg         ext3       rw
/dev/hda7     /var            ext3       rw
Crossover Office 1.3
MS Office under Linux
Codeweavers, the makers of Crossover Office – with more than a little help from Wine – promise to get the Microsoft Office Suite and a few other Windows programs running on Linux without any hassle. BY RÜDIGER BERLICH

The major distributors are gunning for the last bastion of proprietary operating systems, the desktop, with Office packages such as Star Office 6.0 and Open Office 1.0. At the same time, many users still rely on Microsoft Office – although this may purely be a question of habit. On the up side some Microsoft groupware components of MS Outlook/Exchange still provide functionality that free Linux programs cannot offer. The history of the Linux desktop is fraught with this conservative lateral trend: Fvwm95 was an attempt to emulate the look & feel of Windows 95, albeit without any attempt at achieving comparable functionality. And both KDE and Gnome have been seen casting occasional glances in the direction of Redmond from time to time. The commercial Crossover Office package by Codeweavers discussed in this article is capable of running a native MS Office on Linux with some help from Wine. Additionally, it allows the user to access a whole range of commercial Windows software. Version 1.0 of the product showed some promising aspects despite a few serious flaws. The fact that Crossover Office has now reached version 1.3.1 gave us reason enough to test the package in depth.

Installation: Easy
The installation has hardly changed in comparison to version 1.0. After logging on as a normal user, one simply launches a shell script and a few questions and answers later, the “~/cxoffice” directory containing the Crossover libraries – which are based on the free Wine package – is automatically created. Many Linux users may be able to omit this step in the near future, as the desktop Linux manufacturers, Xandros, have now integrated Crossover Office in their product. The Lindows and SuSE desktop Linux initiatives promise similarly integrated products in the near future. The installation was entirely error free in our lab environment, which included SuSE Linux 7.3, SuSE 8.1, and Mandrake 9.0. Crossover Office can install other Windows programs on Wine. But unfortunately, it is still impossible to integrate programs that exist on a Windows partition without the original install media, although Codeweavers have stated that this feature will be available in Crossover Office 2.0. Lindows has already taken this hurdle, although Jeremy White, the company’s CEO, warns that integrating programs from a Windows partition is far more difficult than a new install, as the original status of the program is impossible to ascertain.

Figure 1: An embedded table within an MS Word document
Operations: Mostly Fair
Crossover purchasers will have to get used to the fact that only the 2000 and 97 versions of what is probably the most important program package, MS Office, will install. Codeweavers chief, White, states that they have Office XP running on Crossover Office in their labs, although there were (still) some issues with product activation. Version 1.0 showed that MS Outlook and Internet Explorer from Office 2000 above all refused to co-operate with Crossover Office. This has all changed since the introduction of version 1.3.1. On initially launching Outlook you may still see the ominous, but harmless “Unknown error” message that disappears when you restart the program. However, it seems that the entire functionality of Outlook is available. Internet Explorer 5.0 seems to run without any hitches at first glance, but an attempt to run a Java based Internet banking application led to disaster. The applet initially launched and even produced sound output, but any attempts to access the account data were doomed to failure.

Quick scrolling in MS Word was a lot less nerve wracking than in earlier versions, as previous display bugs have been ironed out – and any temporary glitches do not have any long term effect. We did note two buggy areas: in one case the mouse focus was lost under KDE and this prevented us from clicking the icons in the MS Word title bar. This phenomenon (which we could not reproduce) was easily remedied by pressing [Alt]+[Tab] twice to move another window to the foreground before returning to Word. In another case, the application repeatedly crashes if a highlighted excerpt in a document is copied by pressing [Ctrl]+[C] and inserted at the same position by pressing [Ctrl]+[V]. In contrast to version 1.0, [F1] (which launches the Word help application) no longer crashes the application. The Office assistant, Clippit, is not a pretty sight, due to a faulty color display, and additionally fails to fulfill its allocated task.

Neat: You can now select a text passage in a “doc” file you are editing in Abiword, copy it to the Clipboard by pressing [Ctrl]+[C] and then paste it into your MS Word document by pressing [Ctrl]+[V]. Konqueror URLs can be pasted to Internet Explorer in a similar fashion. In addition to Office 97 and 2000, Crossover Office also supports a whole bunch of Windows applications, such as Lotus Notes R5. A list of supported applications can be found at [1]. Codeweavers envisages installing some Windows programs online. The “~/cxoffice/bin/officesetup” program tries to update to Internet Explorer 5.5 instead of Version 5.0, which accompanies Office 2000. Our test showed that this neither worked for version 5.5 nor for IE 6.0, which is not officially supported to date.

Licenses
Linux users deciding to install Microsoft products cross over the border to the realms of commercial/proprietary software. And this can prove extremely dangerous to Linux hackers or the owners of computers with pre-installed Linux software. You should read the licensing agreements of these products extremely carefully and make sure that you understand your own legal position. Installing Internet Explorer 5.5 off the Internet legally stipulates that you own a valid Windows family operating system license, for example.

Conclusion
The message of our last test was that a combination of MS Office 2000/Crossover Office 1.0 was unsuited for use in a production environment. The current 1.3.1 version certainly has made some inroads on the number and seriousness of the issues. With a certain degree of optimism one can now view this combination as a genuine alternative to the established Office products for Linux. The integration of existing Windows partitions and support for Office XP planned for the next version should see Crossover Office doing justice to the hopes placed on it. And if you are used to working with Microsoft Office, you should definitely take a look at Crossover, provided you possess an Office license. The current Wine vintage shows Codeweavers holding their own with Microsoft Office and Windows developments. We can only hope that they can continue to keep up with this pace. And although you may miss some functionality or features, real Linux programs are still a genuine alternative. ■

Pressure off
The existence of emulators like Crossover gives rise to fears that the development of equivalent Linux products may slow down; after all the pressure is off. These fears are not unfounded: Corel’s WordPerfect for Linux prefers the Wine environment rather than a Linux library, and the Linux gaming company Loki Entertainment (who are now bankrupt) also used Wine to port their games to Linux. The most recent example is Borland’s developer environment, Kylix. Additionally, a large proportion of the functionality provided by Windows programs running under Crossover Office is already offered by Linux products, whereas Borland’s Kylix and the Microsoft Outlook/Exchange combination offer functionality in areas that Linux products do not currently cover.

Crossover Office 1.3
Type: Windows Emulator for MS Office
Manufacturer: Codeweavers, http://www.codeweavers.com
Availability: Distributors are listed at http://www.codeweavers.com/about/partners.php; alternatively you can purchase online by credit card
Single License Price: approx. US $55; you may prefer to wait for SuSE’s Desktop Linux, which will be available for Euro 129 and should include the Acronis OS Selector partitioning tool for NTFS partitions.

Figure 2: When upgrading MS Internet Explorer, you should ensure you have a license to call your own

INFO
[1] Codeweavers Homepage: http://www.codeweavers.com
The Bochs PC Emulator
Soft Hardware
Although the Open Source community has developed free alternatives to complex Office suites, PC emulators have proved challenging so far. Despite poor performance, the Bochs project is at least interesting for test purposes. BY BERNHARD BABLOK

The Bochs (say “box”) project has been around since 1994. Its aim is to provide a portable x86 emulator [1]. In this case portable means not restricted to Linux or to the Intel platform. The code has been implemented entirely in C++ for this purpose, so Bochs runs on various platforms, from Linux via Windows to the Macintosh. Bochs even ran on the Linux/zSeries – as is evidenced by Sourceforge bug reports, strangely enough. Platform independence is the main difference to the commercial alternative, VMware. x86 instructions are emulated in software and are thus available on other architectures, whereas virtualization, which allows the guest’s instructions to run at almost hardware speed, is restricted to x86-only products. Having said that, Bochs is a lot slower than VMware. If you have been keeping track of Bochs developments over the course of the last few releases, you will have noticed the considerable progress that has been achieved with each new release, both with respect to the supported instruction sets and peripherals, and to speed. The project is extremely active and downloading the latest version is definitely worthwhile.
Hardware
Bochs provides a simple PC with the following specs:
• 286 through Pentium Pro instruction set (depending on the configuration)
• VGA graphics chip
• two floppy drives (1.44 Mbytes or 2.88 Mbytes)
• four ATA channels with up to eight devices
• mouse and keyboard support
• SoundBlaster emulation
• NE2000 support
• simulation of up to 15 processors is now possible.
The VGA emulation only supports low resolutions, and network support is limited to an emulation of an NE2000 network card, no matter which card is installed on the host system. The hardware specs are definitely not state of the art, but more than sufficient to install and use a guest operating system. Bochs does not place any restrictions on the host operating system, but the more powerful your hardware the better: an emulator program, implemented in C++ and running entirely in userspace, simply can’t get enough. Before you can use Bochs, the powers that be dictate that you must first download and configure the program.
Download and Installation
The source package and pre-compiled binaries, including RPM format packages, are available on the Bochs homepage at [1]; they contain a disk image of a simple Linux system (“dlx”, with a 1.3 kernel). This article discusses the 2.0.0-pre2 version, although 2.0.0 should be available by the time this issue of Linux Magazine hits the shops. With respect to functionality, there is no real reason to download and compile the sources as of version 1.4.1, although previously it did make sense for users requiring non-US keyboard support. However, the sources comprise a series of patches that have not, or not yet, found their way into the official codebase. So, if you want to do some experimenting of your own, or simply intend to try out the latest features, you might like to compile your own version of Bochs. This is in fact quite trivial, as Bochs supports the typical “./configure options; make; make install” sequence. Selecting the “configure” options will typically take longer than actually compiling the sources. If you do not have a quick and permanent Internet connection, you might like to edit the makefile before running “make install”, as the command will otherwise attempt to download an entire Linux disk image.

There were two useful “configure” options missing in the Linux binary package, although they no longer work in the 2.0.0-pre2 version. First, there is the “--enable-slowdown” option that allows you to synchronize the Bochs clock with the host system’s internal clock. Without this option, the system tends to apply its own notion of time. The second useful option is “--enable-idle-hack”, which reduces the CPU load caused by the emulator when idling – you have to live with permanent full load otherwise. “make install” installs the program below “/usr/local/bochs/latest/”, a link to the current version. This allows you to install multiple parallel versions. The 1.4.1 version is supplied with the current SuSE Linux 8.1; however, this version installs outdated documentation and does not provide adequate non-US keyboard support, so you can look forward to some manual tweaking.
Setting Up Bochs From the user’s viewpoint, Bochs comprises of the actual emulator, “/usr/ local/bin/bochs”, and a configuration file that specifies the hardware and error handling. The program searches for the configuration file at the following locations and in the following order: • “./.bochsrc” • “./bochsrc” • “./bochsrc.txt” • “~/.bochsrc” • “/etc/bochsrc” (as of 2.0). SuSE have patched the source code to search in “/etc/bochsrc” first, a debatable modification, as this prevents multiple users from working with multiple parallel configurations in separate directories. The configuration file itself has a simple format and is exhaustively commented to boot. Listing 1 shows the most important configuration items. As most parameters are self-explanatory, let’s
take a closer look at lines 20 (“com1”) and 27 (“ips”): “com1” can either be a genuine serial line, or alternatively an X terminal (“>pty”). To allow this, you need to launch two XTerms: one for Bochs and the other for your “com1” output. The second terminal uses the “tty” command to query “pty” output. After launching Bochs, the entire serial output will be passed to the XTerm.
Benchmarking The “ips” configuration option means instructions per second and refers to the number of instructions emulated per second. This figure affects the emulator’s behavior with respect to the “vga_update_interval” or the various keyboard delay rates. The figure actually
REVIEWS
controls the timing of the emulator, as is made evident by the system clock of the emulated systems – if there is nothing to do, the clock just races ahead. Unfortunately, the value of “ips” is not constant, but depends on the complexity of the emulated instructions. Experiments with Linux as a guest operating system have shown that there is very little deviation with constant loads, although varying loads can cause deviations of between 1 and 2 powers of ten. To discover an exact value for “ips”, you need to compile the source code yourself and enable an option in the “config.h” file created by “configure” to output the value periodically. If you do not want to take the trouble of discovering the value this way, you will have
Listing 1: “bochsrc” 01: romimage: file=/usr/local/bochs/latest/BIOS-bochs-latest, address=0xf0000 02: megs: 64 03: vgaromimage: /usr/local/bochs/latest/VGABIOS-elpin-2.40 04: floppya: 1_44=/dev/fd0, status=inserted 05: floppyb: 1_44=/var/bochs/floppy_b.img, status=ejected 06: ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14 07: ata1: enabled=1, ioaddr1=0x170, ioaddr2=0x370, irq=15 08: ata2: enabled=0, ioaddr1=0x1e8, ioaddr2=0x3e8, irq=11 09: ata3: enabled=0, ioaddr1=0x168, ioaddr2=0x368, irq=9 10: ata0-master: type=disk, path=/data/bochs/hda.10M, cylinders=306, heads=4, spt=17 11: ata0-slave: type=cdrom, path=/dev/cdrom, status=ejected 12: ata1-master: type=disk, path=/data/bochs/hdb.10M, cylinders=306, heads=4, spt=17 13: boot: disk 14: floppy_bootsig_check: disabled=0 15: log: /var/log/bochs.log 16: panic: action=report 17: error: action=report 18: info: action=report 19: debug: action=ignore 20: com1: dev=/dev/pts/1 21: parport1: enable=1, file="/var/bochs/parport.out" 22: sb16: midimode=1, midi=/dev/midi00, wavemode=1, wave=/dev/dsp, loglevel=2, log=sb16.log, dmatimer=600000 23: vga_update_interval: 300000 24: keyboard_serial_delay: 250 25: keyboard_paste_delay: 100000 26: floppy_command_delay: 500 27: ips: 2000000 28: private_colormap: enabled=0 29: ne2k: ioaddr=0x280, irq=9, mac=b0:c4:20:00:00:00, ethmod=linux, ethdev=eth0 30: keyboard_mapping: enabled=1, map=/usr/local/bochs/latest/keymaps/x11-pc-de.map
www.linux-magazine.com
March 2003
51
REVIEWS
Bochs PC Emulator
to make do with the comments in the sample “bochsrc” file. On a Duron 700 system, Bochs is capable of emulating approximately five million instructions per second (this was measured when loading and initializing a Linux 2.0 kernel). On starting up, Linux indicates a value of 4.96 bogomips, whereas the Linux host system is capable of 1400 bogomips. Bochs 1.4.1 only managed two million IPS, so the new Bochs release is obviously a lot quicker.

Floppies and CDs
Bochs uses the physical floppy drive (which is configured in line 4 of Listing 1), or a floppy image (line 5 includes sample instructions for a second drive). Images of this type are quite easy to create:

dd if=/dev/zero of=floppy.img bs=1k count=1440
mkdosfs floppy.img

Of course, you can use similar steps to create a floppy with an Ext-2 or Minix filesystem. Floppy images also offer the advantage of being a lot quicker than the physical drive. CDs can also be physical drives or ISO images. As modern CD ROM drives are typically quite fast, there is very little difference compared with a CD image. Bochs version 1.4 or later supports booting CD ROMs, as the BIOS includes El Torito support. This is an enormous gain, as you can now launch the installation CDs of a Linux distribution directly without needing to create boot disks.

Hard Disk Images
Hard disks are emulated by image files just like floppies or CDs; although you may also be able to use a raw partition, this approach is not recommended. The values for the “bs” and “count” parameters of the “dd” command are included in the old documentation below “docshtml/install.html”. However, you might prefer to use the new “bximage” tool that prompts you for the size and name of the image file, creates the file and generates an appropriate entry for the “bochsrc” configuration file (Figure 1). Hard disk images can be partitioned using a minimal floppy based Linux system within Bochs. Alternatively, you can launch “fdisk” with the image file as an argument. In this case, you will need to open the expert menu of fdisk before partitioning the file, in order to supply the cylinder, sector and head values manually. The Bochs homepage offers complete images of pre-installed free systems from Minix, through FreeDOS to Debian. The current Debian image weighs in at 77 Mbytes. ATA channels and hard disks are configured as shown in Listing 1 (lines 6 through 12). Again, this is an enormous gain in comparison to the old “diskc” and “diskd” syntax in version 1.4.1. Although this fact is little known, you can use hard disks without partitions like enormous floppies. The following command

mke2fs -F hdb.img

creates a filesystem on the image. This is particularly useful for a second hard disk, as an image created this way can also be mounted via the loop device of the host system to support data transfers between the host and guest systems. In version 2.0 you can now access the host system via the tuntab interface. Mounting image partitions via the loop device is somewhat more complex. The loop device will need the correct offset in the image file, and there is some danger of data loss if you miscalculate.

Figure 1: Hard disk configuration
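The offset calculation the previous paragraph warns about, as an added example that is not part of the article or of Bochs: the geometry is read from a bochsrc line in the Listing 1 syntax, the MBR partition table fdisk writes into the image is parsed, and the byte offset for losetup is returned only after checking that the partition actually fits inside the image. The function names and the sample image are this example's own.

```python
"""Loop-device offsets for partitions inside a raw Bochs disk image.

Added example (not from the article or from Bochs): parses the DOS/MBR
partition table that fdisk writes into an image such as the "hda.10M" of
Listing 1, and returns the byte offset that `losetup -o` (or
`mount -o loop,offset=`) needs.  The image built below is constructed here.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE            # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def parse_bochsrc_disk(line: str) -> dict:
    """Parse a bochsrc disk line in the Listing 1 syntax, e.g.
    'ata0-master: type=disk, path=/data/bochs/hda.10M, cylinders=306, heads=4, spt=17',
    and add the byte size an image of that geometry must have."""
    key, _, rest = line.partition(":")
    opts = dict(item.strip().split("=", 1) for item in rest.split(","))
    for k in ("cylinders", "heads", "spt"):
        opts[k] = int(opts[k])
    opts["device"] = key.strip()
    opts["size"] = opts["cylinders"] * opts["heads"] * opts["spt"] * SECTOR
    return opts


def parse_mbr(mbr: bytes) -> list:
    """Return (slot, type, lba_start, sector_count) for every used table entry."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: image is not MBR-partitioned")
    parts = []
    for slot in range(4):
        raw = mbr[TABLE_OFFSET + 16 * slot: TABLE_OFFSET + 16 * (slot + 1)]
        _status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, raw)
        if ptype != 0 and count != 0:       # type 0 marks an empty slot
            parts.append((slot + 1, ptype, lba, count))
    return parts


def loop_offset(image: bytes, partition: int) -> int:
    """Byte offset of partition 1-4.  Refuses an entry that runs past the end
    of the image: mounting with a wrong offset is exactly the miscalculation
    the article warns can cost you data."""
    for slot, _ptype, lba, count in parse_mbr(image[:512]):
        if slot != partition:
            continue
        start, end = lba * SECTOR, (lba + count) * SECTOR
        if end > len(image):
            raise ValueError(f"partition {slot} ends at byte {end}, "
                             f"but the image is only {len(image)} bytes")
        return start
    raise ValueError(f"partition {partition} is not in the table")


def losetup_command(image_path: str, offset: int, loopdev: str = "/dev/loop0") -> str:
    """The host-side command that attaches the partition at the computed offset."""
    return f"losetup -o {offset} {loopdev} {image_path}"


def build_sample_image(geometry: dict) -> bytes:
    """Constructed sample: one bootable Linux partition (type 0x83) that starts on
    the second track (sector number = spt) and uses the rest of the disk."""
    total = geometry["cylinders"] * geometry["heads"] * geometry["spt"]
    first = geometry["spt"]
    mbr = bytearray(512)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        ENTRY_FMT, 0x80, b"\0\0\0", 0x83, b"\0\0\0", first, total - first)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + b"\0" * ((total - 1) * SECTOR)


if __name__ == "__main__":
    geom = parse_bochsrc_disk(
        "ata1-master: type=disk, path=/data/bochs/hdb.10M, cylinders=306, heads=4, spt=17")
    img = build_sample_image(geom)
    print(losetup_command(geom["path"], loop_offset(img, 1)))
```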
Launching the Emulation After using the configuration file to define the hardware and creating any floppy, CD and hard disk images you might need, you can simply type the “bochs” command to launch the emulator. The configured device will now attempt to load an operating system. Figure 2 shows Bochs launching the current Debian installation CD. You can clearly see the configured hardware (the 10 Mbyte hard disk and an ATAPI CD ROM, for example). The available devices are shown top left in the emulator, however, the icons at the top right do not work, with the exception of
The History of Bochs
Kevin Lawton started working on Bochs as a commercial product in 1994 (!). Early in 2000 MandrakeSoft bought the code and placed it under the LGPL. At this time, Kevin Lawton started working for Mandrake on the Plex86 project (the new homepage is located at [2]) which is intended to provide an emulator with similar features to VMware. In March 2001 Bochs became a Sourceforge project with numerous developers involved – the developer mailing list has over 300 members. Anyone who has kept in touch with the bugfixes and patches released since then will be aware that there is a lot going on here. When the New Economy bubble burst, Mandrake was forced to tread more carefully, and dismissed a number of employees, including Kevin Lawton. This effectively put the Plex86 project on ice. Today, the project has moved back to its old homepage www.plex86.org [2], a Sourceforge clone. The news section suggests that work is continuing on the project, but this is contradicted by a lack of new code in the CVS repository. Unfortunately, the last code release is also broken – Linux has made considerable progress in the last few years, and Kevin Lawton is no longer registered as a Plex86 developer, although he has taken up work on Bochs. There would seem to be some close contact between Bochs and Plex86. Ideally, Plex86 should look to virtualizing the simulated x86 instructions provided by Bochs and moving them from userspace to kernel mode, which would certainly ensure an enormous performance boost.
the power switch and the configuration icon. You can temporarily overwrite configuration options by stipulating command line parameters. The format is the same as the configuration file. As the options contain shell metacharacters, you will need to enclose them in quotes. This is a bit annoying as it prevents you from using features such as filename completion.
Scripted or Interactive Configuration
A shell script provides an easy solution to this, allowing you to pass parameters to the program in typical Unix fashion. A script is included in the “patches” directory of the source distribution. The script additionally defines the size and geometry of floppy and hard disks. Depending on your configure options, Bochs may also include an interactive configuration program, although the tool is unfortunately not exactly intuitive. The tool is either launched on starting the emulator or via the config icon at the top right of the emulator. A note for KDE users, although Gnome probably has the same issue: you may have difficulty switching consoles in the Linux guest system, as KDE will tend to grab keyboard shortcuts, such as [Alt]+[F1]; [Alt]+[F2] launches a minimal command line for example. Some re-mapping is required, for example [Alt]+[Shift]+[F2] instead of [Alt]+[F2] for the command line. Unfortunately, any communication between the guest and the host system will need to be indirect in the 2.0.0-pre2 version. You can exchange data via floppies, CDs or hard disks (as described above). The hard disk method allows you to exchange larger amounts of data, but will require you to terminate and re-launch the emulator. The new tuntab interface now takes care of talking to the host system. If your network adapter is supported, the guest system will also be able to communicate with other systems on the network, of course (see Figure 3). The network emulation uses the physical network adapter. To exchange data on the network you will need a second machine running NFS or Samba with mounts both on the host and on the guest system.

Figure 3: Network connections on a local area network
Conclusion
The configuration, launch, and operations of the Bochs PC emulator are no longer an issue, and the rapid progress the project has made indicates that the Open Source community is still working on a useable emulator. However, the fact that Bochs does without kernel modules has a serious impact on the emulator’s performance (an old 486 that I still possess was 20 times quicker than an emulated PC on a Duron 700). Still, it would be wrong to condemn Bochs as a waste of time. Of course, it is incapable of emulating Windows in order to run a special program that is not available on Linux. This has not stopped me from using Bochs regularly and productively for several projects. These projects are typically CD installation and restore procedures – or creating CD images to test whether they are bootable, and sometimes destructive operations, such as restoring data to hard disks. In these cases pure performance never has been an issue. And Bochs even offers some advantages over VMware as the environment can be controlled via the command line, and thus lends itself to automated test scripts. It remains to be seen whether the Plex86 project (see Insert “The History of Bochs”) will see the current performance problems being resolved in time. Till then, users for whom Bochs’ performance is out of the question will need to turn to one of the commercial alternatives. ■
INFO
[1] Bochs homepage: http://bochs.sourceforge.net/
[2] New Plex86 homepage: http://savannah.nongnu.org/projects/plex86
THE AUTHOR
Figure 2: Debian under Bochs
Bernhard Bablok works as a Group-Leader of the Datawarehouse Group for Allianz Versicherungs AG based at Munich, Germany. His PC-career started with OS/2 version 1.0. After IBM turned down OS/2, he switched to Linux in 1996. Since then, none of his PCs had to suffer anymore under an operating system from Redmond.
KNOW HOW
LaTeX Workshop: Part II
Tidying up Documents
Part 2 of our LaTeX series focuses on putting some structure into your LaTeX documents – we will be looking into dividing documents into sections and chapters, creating tables of contents, using various list formats and tables, and working with cross-references and footnotes. BY HEIKE JURZIK
Intuitive commands are available for dividing LaTeX documents into sections and chapters. Before doing so, you will need to define multi-tiered headings that automatically enumerate your document and use different fonts. The following structure elements are available for the various LaTeX document classes (article, book, report, [1]):
• \section{…}
• \subsection{…}
• \subsubsection{…}
• \paragraph{…}
The text for the heading is enclosed in curly brackets. Note that these commands will need to occur in the correct order: the first \section is section number 1, the following \subsections are numbered 1.1, 1.2 etc. and the following \subsubsections are numbered 1.1.1, 1.1.2 etc. (see Figure 1). The \paragraph structure element is used to define the words to be highlighted at the start of a paragraph. The document classes book and report additionally provide the \chapter element. This kind of structure normally lends itself to a table of contents. You can use the LaTeX \tableofcontents to create one and place it at an appropriate position in your document (see Figure 2).
List Formats
LaTeX provides a collection of list formats, such as numbered and unnumbered formats. The latter type – also referred to as bullet lists – are available in the itemize environment; that is, you first type an opening command \begin{itemize}, then the individual points, each prefaced by the \item keyword, and close the environment by typing \end{itemize}. Lists of this type can be nested; an itemize environment can contain up to four additional levels. Nested levels are indicated by different bullets and indents. Indenting source code is also recommended, to provide for better readability (see Figure 3). Numbered list formats are available in the enumerate environment; they are indicated by consecutive numbers that normally start at 1. Again four levels of nesting are permitted:

\begin{enumerate}
  \item number 1
  \item number 2
  \begin{enumerate}
    \item number 2.1
    ...
  \end{enumerate}
\end{enumerate}

Figure 1: Structuring LaTeX Documents
The top level of the enumerate environment starts with the number 1, small letters are used for the second level, Roman numbers for the third, and capital letters for the fourth. If you need to change the symbols for these levels, you can either apply your changes globally to the document, or locally for a list item. To change only a single \item command, simply append the new symbol in square brackets, e.g. \item[+]. To change the document, you will need to modify the preamble for the current layout in the .tex file. To do so, redefine the required label command with \renewcommand:

\renewcommand{\labelitemi}{+}
\renewcommand{\labelenumi}{+}

The levels available in the itemize environment are called \labelitemi, \labelitemii, \labelitemiii, and \labelitemiv. The enumerate environment refers to them as \labelenumi, \labelenumii, \labelenumiii, and \labelenumiv. The description environment provides so-called definition lists for use with glossaries and the like. The entries each comprise the expression to be defined and the corresponding description:

\begin{description}
  \item[Linux Magazine] The magazine for advanced Linux know-how
  \item[Linux-Magazin] German sister publication of Linux Magazine
\end{description}

Figure 2: Creating a Table of Contents with LaTeX
Figure 3: Nested Bullet Lists
All of the list formats described so far can be nested in a mix and match fashion, but do make sure that you include an opening and closing command for each list format (see Figure 4).
Tabulators and Tables LaTeX ignores spaces and tabs in the source code when you launch latex. So, you will again need some special LaTeX commands if you want to insert a tab stop.
Figure 4: Mixed Lists
The so-called tabbing environment allows you to:
• set a tab stop by typing \=
• jump to a tab stop by typing \>
Lines are separated by typing \\:

\begin{tabbing}
This is \=a tab and \= this is another one\\
\end{tabbing}

You can then type \> in the following line to jump to the tab presets (Figure 5). As the example shows, tabbing is not exactly a practical way of creating tables. Fortunately, LaTeX provides an additional environment for tables, known as the tabular environment. The format is as follows:

\begin{tabular}[position]{columntype}
...
\end{tabular}

The parameter indicating the position can either be a [t] (justifies the top line of the table with the current environment) or a [b] (justifies the bottom line of the table with the current environment). If you leave out the parameter the vertical center of the table is justified. The second option indicates the number of columns and their justification; the {columntype} parameter can include the following definitions:
• l – left-justified column
• r – right-justified column
• c – centered column
• | – vertical line separates columns
At the same time, the number of columns is enclosed in square brackets. Thus, you can use the following syntax to define three left-justified columns and use a single separating line:

\begin{tabular}[t]{|l|l|l|}
...

The following are available inside a table environment:
• & – separates the columns
• \\ – indicates a line end
• \hline – a horizontal line the width of the table
The column width is defined by the length of the content; advanced LaTeX users can, of course, use individual parameters and other formatting syntax to modify any defaults. Let’s just look at one last feature: creating multicolumn headers. The \multicolumn{numberofcols}{justification}{text} command allows you to define the number of columns, the justification, and the text for a heading. Thus, a few simple instructions allow you to create easily readable tables (see Figure 6).
Figure 5: Setting Tab Stops
Figure 6: Simple Tables in LaTeX

Cross-References
LaTeX documents can include cross-references to other positions in the document wherever you need them. Thus, you can refer to other chapters or to pages in the document. Cross-references of this type comprise two elements – a label and the reference itself. You can use the \label{name} command to insert the former. Two commands are available for referencing labels:
• \ref{name} – uses the chapter number
• \pageref{name} – uses the page number
Label names must be unique, and they are also case-sensitive:

...
\section{Cross-References}
LaTeX documents can include cross-references to other positions in the document wherever you need them. Thus, you can refer to other chapters
...
See also the section \ref{example}, which you will find on p. \pageref{example}.
\subsection{How to use labels \label{example}}
...

The information pertaining to these cross-references is stored in an .aux file. The file is created when you run latex, and updated on successive runs. In order to position labels and references correctly, LaTeX needs to re-run and evaluate the commands; this is made evident by the output provided by the first latex run:

huhn@asteroid:~$ latex test.tex
...
LaTeX Warning: Reference `example' on page 1 undefined on input line 22.
...
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.

Your cross-references are tidied up after re-running (see Figure 7). It is just as convenient and easy to use footnotes in LaTeX documents. A single command, \footnote{footertext}, is all it takes to define and enumerate a footnote and automatically place it in small type at the end of a page in the article document class. The first line of each footnote is indented; the first footnote is separated from the body text by a short horizontal line. If you use the book or report style, instead of article, enumeration will respect chapter numbers, that is the first footnote in a new \chapter will be number “1”. You can change the typeface or font in the footer text itself, or even use mathematical formulae (see Figure 8). ■

Figure 8: Footnotes – convenient and simple
INFO
[1] Heike Jurzik: “Making up with LaTeX” – LaTeX-Workshop: Part 1, Linux Magazine, Issue 26, p46
[2] Helmut Kopka, Patrick Daly: “A guide to LaTeX”, Addison-Wesley, ISBN 020142777X.
Figure 7: LaTeX setting cross-references
SMB Protocol
Blocks and Messages The SMB (Server Message Block) protocol specifies how Windows computers communicate on a network. SMB provides access to files, printers, serial lines, and communication channels, such as named pipes and mailslots. Samba is a free SMB implementation. BY ANDREAS ROESCHIES
SMB is a client/server protocol based on the request/response principle. The client transmits a request to a server, which in turn transmits a reply to the client. The server will not contact the client without a prior request, with the exception of a few specific cases. In the world of SMB, clients are defined as systems that access shares, which are provided by servers. Most SMB capable computers can be used both as clients and as servers (peer-to-peer networking). Microsoft has referred to the SMB as CIFS (Common Internet File System) for quite a while now, after all, it does sound more modern. However, the documentation provided by Microsoft is scanty and incomplete – an official standard does not exist. The developers of Samba were thus forced to analyze network dialogs and draw their own conclusions. SMB messages have a simple format. An SMB message (sometimes known as an SMB packet) comprises a header and the actual data content. The header always begins with a protocol ID, followed by a single byte of command code. The additional header fields are the error class, the error code, the tree identifier (TID), and the individual ID of the calling process, a user ID and a multiplex identifier.
Simple Message Format
Some of these fields are interspersed with blank fields, which are reserved for future use. The content of an SMB message comprises a command or the reply to a command. The length of the command or the reply is variable. Each command has a series of parameters and data that are transmitted at the same time. The first field of the command is 1 byte long and indicates the length of the command. It is followed by the parameter words, a value for the number of parameters, and finally the parameters themselves. To gain a more complete understanding of the protocol it will be helpful to examine a simple network dialog. When a user accesses a shared directory or printer, the session layer is provided by the NetBIOS software interface, which is thus the only dialog partner available to applications. The client transmits a session request packet containing the NetBIOS name of the server and the client to the server. The server replies with session granted to set up the session.
Initiating a Session
The client and server can then begin to negotiate the protocol variant. To do so, the client sends another command, SMBnegprot, to the server. This packet contains a list of all SMB protocol variants that the client supports. The server replies with a pointer to the protocol variant it prefers, where 0 will point to the first protocol dialect in the list sent by the client. A reply of 0xFF indicates that the server does not speak a compatible protocol and prevents any further communication. In the next step, the client sends a username and the appropriate password, the name of the workgroup and the maximum transferable file size to the server, adding a value for the maximum size of the client queue. The client uses the same messages to send the next command, that is the connect request (tree connect). The server now sends a tree identifier (TID) back to the client, allowing the client to open, read, write and close files. The server additionally sends the service identifier, A, to the client to indicate a shared directory. The other possible service IDs are PT1 for a print queue, COMM for a serial line and IPCQ for a named pipe.
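The header fields and the SMBnegprot exchange described above, as an added example that is not code from the article or from Samba: a parser for the fixed SMB header and the WordCount/ByteCount body, a decoder for the dialect list a client offers, and the server-side choice of the reply index. The layout follows the SMB/CIFS specification; the negotiate request and all function names are this example's own constructions.

```python
"""Parse the SMB message header and an SMBnegprot (negotiate) request.

Added example, not code from the article or from Samba.  The 32-byte
header and the NEGOTIATE body layout follow the SMB/CIFS specification;
the request built below is constructed here.
"""
import struct

SMB_MAGIC = b"\xffSMB"          # protocol ID that opens every SMB message
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF             # 16-bit DialectIndex with every bit set: nothing acceptable
# protocol, command, error class, reserved, error code, flags, flags2,
# PID high, security features, reserved, TID, PID low, UID, MID
HEADER_FMT = "<4sBBBHBHHQHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)       # 32


def parse_header(msg: bytes) -> dict:
    """Split the fixed header into the fields the article names."""
    if len(msg) < HEADER_LEN or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message: protocol ID 0xFF 'SMB' missing")
    (_proto, cmd, err_class, _r1, err_code, flags, _flags2, pid_hi,
     _sec, _r2, tid, pid_lo, uid, mid) = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    return {"command": cmd, "error_class": err_class, "error_code": err_code,
            "tid": tid, "pid": (pid_hi << 16) | pid_lo, "uid": uid, "mid": mid,
            "is_response": bool(flags & 0x80)}


def parse_body(msg: bytes):
    """Body = WordCount (1 byte), that many 16-bit parameter words,
    ByteCount (2 bytes), then the data bytes."""
    body = msg[HEADER_LEN:]
    if not body:
        raise ValueError("truncated SMB message: no WordCount")
    wc = body[0]
    words_end = 1 + 2 * wc
    if len(body) < words_end + 2:
        raise ValueError("truncated SMB message: parameter words cut off")
    words = struct.unpack("<%dH" % wc, body[1:words_end]) if wc else ()
    bc = struct.unpack_from("<H", body, words_end)[0]
    data = body[words_end + 2: words_end + 2 + bc]
    if len(data) != bc:
        raise ValueError("truncated SMB message: ByteCount larger than data present")
    return words, data


def negotiate_dialects(data: bytes) -> list:
    """SMBnegprot data: a run of 0x02-prefixed, NUL-terminated dialect names."""
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("dialect entry must begin with buffer-format byte 0x02")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def choose_dialect(client_dialects: list, server_preference: list) -> int:
    """Server side of the exchange: reply with the index into the *client's*
    list of the dialect the server likes best (server_preference is ordered
    oldest to newest), or NO_DIALECT, after which the conversation ends."""
    best, best_rank = NO_DIALECT, -1
    for idx, name in enumerate(client_dialects):
        if name in server_preference and server_preference.index(name) > best_rank:
            best, best_rank = idx, server_preference.index(name)
    return best


def build_negotiate_request(dialects: list, pid: int = 0x1234, mid: int = 1) -> bytes:
    """Constructed client request: empty parameter block, dialect list as data."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0, 0,
                         0x18, 0x0001, pid >> 16, 0, 0, 0, pid & 0xFFFF, 0, mid)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + bytes([0]) + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    offer = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]
    req = build_negotiate_request(offer)
    hdr = parse_header(req)
    _words, data = parse_body(req)
    print(hdr, negotiate_dialects(data), choose_dialect(negotiate_dialects(data), offer))
```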
Name Resolution under NetBIOS
As is the case for other networks, each node must be uniquely identifiable. 16 byte NetBIOS names are used for this purpose. As the 16th byte is used as a service identifier (with a similar function to TCP/IP ports), only the first 15 characters are visible and usable. In contrast to DNS, SMB/CIFS is not hierarchical, that is, NetBIOS provides a flat namespace where each host can possess multiple names, provided they are unique on the network. The Name Management Protocol, which is similar to the Appletalk Binding Protocol, handles name management on the network. New nodes repeatedly broadcast a name request. If no other computer replies that it is already using the name, the requesting computer will add the name to its local table. Broadcasts are also used to assign NetBIOS names to network addresses. When setting up a connection, the client will send a packet with a specific name request to the local network, and the machine with the specified name will reply. The Name Management Protocol (NMP) is responsible for name and address negotiation.
Samba Components
smbd: This daemon provides file and print services on the network. The configuration file is called smb.conf.
nmbd: This daemon provides NetBIOS name resolution and browsing services. It is also configurable in smb.conf.
smbsh: This program allows a user to access a directory on another SMB server as if it were local. SMB drives are available below /smb by default.
smbclient: This program is a simple SMB client which is similar in functionality to an FTP client. It additionally provides a number of diagnostic routines.
smbstatus: Shows active connections. The first section of output shows the share accessed by users. The second section lists any files currently locked by Samba and the third section lists the memory usage of each share.
smbtar: A shell script that calls smbclient and performs tar operations.
nmblookup: The NetBIOS equivalent to nslookup for TCP/IP, allows the user to resolve NetBIOS names to IP addresses.
smbpasswd: Allows users to change their own passwords, and administrators to define passwords for arbitrary users.
testparm: This program checks the syntax and consistency of the central smb.conf configuration file.
testprns: This tool checks whether the specified printer is defined in the printcap printer configuration file.
Browse Services
Browsing lists allow clients to locate servers and shares quickly, in fact, the browsing list is what the Windows user sees in the network neighborhood. The browse service compiles browsing lists and distributes them on the network. The Local Master Browser (LMB), which permanently provides a more or less current browsing list for its own subnet, is one of the most important components on the network.
In principle, any SMB server can assume the role of the LMB; various criteria such as the uptime or operating system version are applied to decide which server will be the master browser. When an SMB server that is configured as an LMB candidate starts up, it can initiate an election to decide the LMB in the local subnet. The Local Master Browser can promote one or multiple LMB candidates to backup LMBs by transferring a copy of its own browsing list to them. If an LMB goes down, its role is assumed by a backup LMB. Clients can continue to browse the network without needing to reconstruct their browsing lists. A Microsoft SMB server decides the number of backup LMBs by reference to the number of NetBIOS nodes on the subnet. Additionally, the administrator can assign hosts to be Domain Master Browsers (DMB). DMBs manage the browsing lists of entire domains, which can comprise multiple subnets. List management on a network will tend to be slow, and this means that SMB servers take a few moments to appear in the lists, and that downed servers appear as ghosts in the browsing lists for almost an hour after being shut down.
SMB’s Ancient History
The roots of SMB go back to NetBIOS, which was programmed for IBM by Sytec in 1983. NetBIOS was a software interface comprising an Application Programming Interface (API) and a matching transport protocol. Although the transport protocol is more or less unused today (and is no longer included in NetBIOS), the API has survived. Servers and clients communicated by exchanging messages, so-called Server Message Blocks (SMB). The transport protocol that NetBIOS comprises is referred to as IBM NetBIOS Frame Protocol (NBF) by IBM. You will often hear references to the NetBIOS protocol, although, strictly speaking, this is a misnomer. The protocol was used exclusively in proprietary IBM PC networks, and was capable of addressing a maximum of 80 nodes. As the IBM PC network proved inadequate over the years IBM developed Token Ring, which can address up to 260 nodes, and also supports subnetting (rings can be attached by means of bridges). In 1985 IBM wrote an emulation which allows the use of the NetBIOS interface in Token Ring networks to allow applications to be ported to this environment. NBF was replaced by the NetBIOS Extended User Interface Protocol (NetBEUI). It was at this point that NetBIOS became a pure API. The NetBEUI transport protocol, which was developed for Token Ring, also works in Ethernet networks and is a good choice for small Windows networks without Internet access as it does not require any configuration. The naming scheme, where each node possesses one or more NetBIOS names, was retained for NetBEUI.
Working with Friends
Things start to get complicated when other transport protocols are used. In this case NetBIOS names need to be mapped to network addresses. Additionally, in routable networks an address includes, besides the host address, a network address that neither NetBIOS nor NetBEUI can understand. The only protocol that plays a significant role in the communication between Linux and Windows computers is TCP/IP. Not until later, when techniques were developed to encapsulate SMB data in other transport protocols, was it possible to access shares in routed networks. The encapsulation in TCP/IP is often referred to as NetBIOS over TCP/IP (or NBT/NetBT for short) by Microsoft. This technique is specified in RFCs 1001 (Protocol Standard for a NetBIOS Service on a TCP/UDP Transport; Concepts and Methods) and 1002 (Protocol Standard for a NetBIOS Service on a TCP/UDP Transport; Detailed Specifications). The approaches detailed in these RFCs are designed to allow existing NetBIOS services to run under open standards. The central issue of integration is resolving NetBIOS names to IP addresses. As broadcasts, which are used for name resolution in NetBEUI networks, cannot cross router boundaries, another method of name resolution needed to be found. The technique involves a name server for NetBIOS, or NBNS (NetBIOS Name Server), although Microsoft refers to NBNS as WINS (Windows Internet Name Service).
All that Glitters is not DNS NetBIOS name servers work in a similar way to DNS servers, but for the SMB protocol instead of TCP/IP. One major advantage of WINS over DNS is the fact that clients can register independently with the server, thus avoiding admin intervention. Manual assignments are unnecessary, but possible. SMB servers that do not report to a name server will not appear in the browsing list, but are still accessible on the network. You need to know their names to access them. If there are multiple NBNSs on the network, they can exchange data to ensure that they stay synchronized. Clients can request the nearest NBNS if they need to resolve a name to an address. This reduces network traffic and the load on the routers.
Babylonian Node Configurations
A TCP/IP environment provides various configuration options for clients and servers. An SMB computer configured as a B (for broadcast) node will use broadcasts both to register its own name and for name resolution. Normally, routers will refuse to relay broadcasts, which means that B nodes will only see servers on the local network. B nodes on Microsoft Windows first inspect their local NetBIOS name cache when performing name resolution, and only broadcast if they do not come up with a result. If the broadcast is equally unsuccessful they then inspect their local lmhosts files (similar to hosts for TCP/IP). P (for point-to-point) nodes only communicate with NetBIOS name servers, whether they need to register their own names or discover another machine’s NetBIOS name. This assumes that they know the IP of at least one NBNS, of course. The admin user can supply this information manually, or use the DHCP (Dynamic Host Configuration Protocol) option 044. The disadvantage of the P node configuration is that SMB communication will collapse if the NBNS goes down, something that will even affect the local subnet. M (for mixed) mode provides a solution to this issue; the node will first attempt to broadcast before resorting to point-to-point communication with an NBNS if this fails. This theoretically increases the performance in local networks. If the NBNS is not available, the machine can still access SMB servers in its own subnet. H (for hybrid) nodes do exactly the opposite, that is, they resort to broadcasts only when the NBNS is unavailable. Additionally, an H node will attempt to contact the NBNS at regular intervals to reinstate point-to-point operations as soon as the NBNS becomes available. As work on the Samba project started a long time after SMB was introduced, the developer team did not bother to look into the NetBIOS Frame Protocol, instead opting to author a TCP/IP implementation. To retain compatibility with other implementations, Samba still needs to respect some quirks under TCP/IP such as special name resolution techniques.
More Flexible Than the Original The smb.conf provides a series of configuration parameters that influence the behavior of the server software. Samba provides far more configuration options than Windows itself. These include useful features such as the simultaneous use of multiple SMB names. This is particularly useful if you want to use a single Linux system to replace multiple Windows servers. And Samba also provides more enhanced security features than the original, such as IP address based access control. ■
GLOSSARY
Backup Browser: An SMB server that provides backup browsing services. The server regularly receives a copy of the current browsing list from the Local Master Browser and replaces the LMB if it goes down.
Browser Election: When an SMB server that is a potential browser candidate starts up, it can force a browser election. This procedure decides which server will be the Local Master Browser.
CIFS (Common Internet Filesystem): Another name for the Server Message Blocks (SMB) protocol.
Domain Master Browser: An SMB server that manages browsing lists over multiple subnets. The Domain Master Browser receives the browsing lists compiled by Local Master Browsers.
Local Master Browser: The Local Master Browser has the authoritative browsing list for its own subnet.
Master Browser: A short form of Local Master Browser.
NBF (NetBIOS Frame Protocol): The transport protocol of the first NetBIOS implementation, replaced by NetBEUI in 1985, sometimes referred to as the NetBIOS protocol, which is, strictly speaking, a misnomer.
NBNS (NetBIOS Name Server): A server that manages a table containing NetBIOS name to IP address mappings. An NBNS is only required in routed SMB networks where TCP/IP is used as the transport protocol.
NetBEUI (NetBIOS Extended User Interface): A simple, self-configuring, non-routable protocol that works both in Ethernet and in Token Ring networks.
NetBIOS (Network Basic Input Output System): An Application Programming Interface for network applications. Formerly included the NBF transport protocol.
NetBT (NetBIOS over TCP/IP): Also known as NBT.
Browser candidate: An SMB server capable of maintaining a browsing list.
SMB (Server Message Block): A protocol for file, printer and serial line access. Also known as CIFS.
WINS (Windows Internet Name Server): The Microsoft implementation of a NetBIOS name server.
Charly’s column
SYSADMIN
The Sysadmin’s Daily Grind: MySQL Backup
No Rest For the Wicked
Admins often tend to use mysqldump, a component of the MySQL package, when they need to back up MySQL data. But a more convenient method is never amiss – enter MySQL Backup. BY CHARLY KÜHNAST
Although backing up MySQL databases only takes a few manual steps, I would not be a proper admin if I did not try to automate the process. Laziness may be an acquired habit, but it takes time and attention to make it a way of life, so a tool like MySQL Backup [1] is just what the doctor ordered. MySQL Backup is written in Perl and uses typical Linux tools: “mysqldump”, “nice”, “gzip” and “tar”. The source code is well commented and the program requires only a modicum of basic settings. The first thing to do is to decide where to put your backups. MySQL Backup wants to store them in my home directory, but I can opt to mail them, or FTP them to a remote server. To do so, the “Mime::Lite” or “Net::FTP” modules must be available. It is always a good idea to move backups to another, preferably remote, server. If your datacenter happens to catch fire, and both your production data and your backups are destroyed at the same time, you might find out that your boss is somewhat less than amused.
“$site_name” stores the name of the server where the database(s) reside(s), and “$subject” is used for storing a description, such as “Backup of $site_name is done!”.
Storing the password
You can store the MySQL user name and password in the “$user” and “$password” variables in your script. Alternatively, MySQL Backup can read these credentials from a text file whose path is specified in “$cnf_file”. Depending on your approach, you will need to set the “$password_location” variable to “cnf” or “this_file”. I opted for the approach that uses a separate configuration file and protected the file from uninvited attention by typing “chmod 700 mysql_backup.cnf”. To be notified on successfully completing a backup, you need to supply your email address in the “$admin_email_to” variable, and add a source address, for example “mysql-backup@Domainname.tld”, as “$admin_email_from”.
This completes the basic MySQL Backup setup. The tool uses mysqldump to export the content to text files, which it then compresses using tar and gzip. As the dump files tend to be rather large, MySQL Backup can delete them after successfully completing a backup – this is the default setting. To prevent this from happening, set “$delete_text_files” to “no” in your script. The last step is a short cron table entry:

0 5 * * * /home/charly/perlscripts/mysql_backup

And that takes care of both my data and my peace of mind. ■

Backup Script Variables

#!/usr/bin/perl
# ...
$ftp_backup        = 'no';
$email_backup      = 'no';
$cnf_file          = '/myhomedir/.my.cnf';
$user              = '';
$password          = '';
$password_location = 'cnf';
$mailprog          = '/usr/sbin/sendmail -t -oi';
$admin_email_to    = "youremail\@yourhost.com";
$admin_email_from  = "webmaster\@yourhost.com";
$site_name         = 'My Site Name';
$subject           = "MySQL Backup Done for $site_name";
$mysql_backup_dir  = '/yourhomedir.NOT.webdir/mysql_backup';
$delete_text_files = 'yes';
# ...

THE AUTHOR
Charly Kühnast is a Unix System Manager at a public datacenter in Moers, near Germany’s famous River Rhine. His tasks include ensuring firewall security and availability and taking care of the DMZ (demilitarized zone).

INFO
[1] MySQL Backup: http://worldcommunity.com/opensource/utilities/mysql_backup.html
SYSADMIN
Cryptography
Information Security on Linux
Paranoia for Beginners
No matter how well your firewall is configured, the only way to protect yourself is to use encrypting software, and that is what we will be discussing in this article. If an attacker gains direct access to a computer, any data stored there is up for grabs, even if it means physically removing the hard disk. BY BJÖRN GANSLANDT

Encryption
If you have a large number of files to encrypt, it does not make sense to do so on a file by file basis; instead you should opt for an encrypting file system. Fortunately, this does not require a new partition, because you can use the loopback device to mount normal files as block devices (such as hard disk partitions) and encrypt them on the fly during the process. Unfortunately, the standard loop driver only supports an XOR algorithm due to export restrictions on cryptography that apply in some countries. This may protect your data from over inquisitive siblings, but it will not stand up to a serious attack. So you will need to apply a patch to add additional encryption algorithms to the driver. The International Kernel Patch, alias CryptoAPI [1], which adds a variety of algorithms to the kernel, thus allowing encrypting file systems to be used, has traditionally provided the best solution. However, development of CryptoAPI has made very slow progress since the release of Linux 2.4, and the installation is comparatively complicated. The gap caused by this lack of progress was quickly filled by Loop-AES [2] – as the name would suggest, this tool is restricted to AES encryption. AES (Advanced Encryption Standard) was originally known as Rijndael and was chosen as the successor to DES after months of testing by the National Institute of Standards and Technology (NIST) and many other cryptanalysts, so it is safe to assume that the algorithm is robust. Before installing Loop-AES you need to expand, configure and compile the kernel source code below /usr/src/linux, as Loop-AES requires access to the unpatched version of loop.c and several kernel settings. When configuring the kernel, ensure that the Kernel Module Loader is enabled, and that Loopback device support under Block Devices is disabled. After installing the new kernel and its modules, Loop-AES can be extracted to a directory and compiled by typing make. This step will not affect the current kernel source code, as Loop-AES simply patches a local copy of loop.c (or accesses a previously patched version) and then installs this as a module. AES support for the kernel is insufficient in itself, as the mount, losetup and swapon programs also need modifying, although the latter is only needed if you intend to use an encrypting swap partition. All of these programs are components of Util Linux, which is available from [3]. The version of the archive you download must match the Loop-AES patch to compile without errors. If the patches are in a different directory, you will additionally need to modify the path:

patch -p1 < ../util-linux-2.11y.diff
export CFLAGS=-O2
./configure
make SUBDIRS="lib mount"
These steps should place the required tools in the mount subdirectory. You should avoid installing the programs in /bin or /sbin, which would overwrite the original versions, as this may cause conflicts with other system components. It is safer to use an alternative name when installing the programs:

install -m 4755 -o root mount /bin/aes-mount
install -m 4755 -o root umount /bin/aes-umount
install -m 755 losetup /sbin/aes-losetup
This approach also offers the advantage of not overwriting the programs each time you upgrade your system. The only disadvantage is the fact that the test routine make tests in the Loop-AES directory does not know about the alternative names, and thus issues an error message. Now it is finally time to create the encrypting file system. To do so, first create a new file that will contain the encrypting file system. You can alternatively use a hard disk partition – leave out the following step in this case. As you cannot increase the file size later, ensure that the file you create is large enough:

dd if=/dev/urandom of=./secret bs=1024k count=20
This command redirects random data from /dev/urandom to the file ./secret; the file size is the product of bs and count – that is 20 MB in our example. /dev/urandom uses various internal system events to generate random data exactly like /dev/random. Where /dev/random will freeze if insufficient seed data is available, a pseudo-random number generator will continue to produce output for /dev/urandom, and this is perfectly okay for the task in hand. The next step involves setting up the loopback device /dev/loop1. If you want to encrypt a partition, supply the device name (e.g. /dev/hdb7) instead of a file name in this step. Of course, this will destroy any data stored on the partition:

aes-losetup -e AES128 -T /dev/loop1 ./secret
aes-losetup should now prompt you for a passphrase with at least 20 characters. If you use the 192 or 256 variants instead of AES128, the minimum length of the passphrase will be 32 or 43 characters. After the system has accepted your passphrase, you can create a file system on the device you have created and then disable the device:

mkfs -t ext2 /dev/loop1
aes-losetup -d /dev/loop1
Of course, you can opt for other file systems, but ext2 is your best bet in this case. Finally, you will need to add an entry to /etc/fstab to simplify mounting the device in future – of course, there are no restrictions on the mountpoint:
/directory/secret /mountpoint ext2 defaults,noauto,loop=/dev/loop1,encryption=AES128 0 0
Provided you have the passphrase, you should now be able to access the file system via aes-mount /mountpoint.
Wipe Out
Before you move your confidential data to the encrypting file system, you might like to consider how your non-encrypted data can be effectively wiped. It is by no means sufficient to delete this data, as deleted files are simply cleared for overwriting. Although the data no longer shows up in the file system, it is still on your hard disk and can be restored with little effort. Data that has been overwritten is slightly trickier, but high resolution microscopes should be able to reveal data despite multiple overwrites, as the read heads only provide a certain degree of accuracy and traces of previous data survive at the edges of the current magnetically coded bits. Erasing data beyond the means of any recovery procedure involves overwriting the data with random noise and specific patterns tailored to reflect various data encoding techniques. Wipe [4] and Secure Delete [5] are specifically recommended for this purpose; note that this refers to the Wipe version by Berke Durak and not to the identically named program by Tom Vier [6]. srm, the Secure Delete equivalent to rm, overwrites each file 38 times by default, whereas Wipe makes do with a mere 34 times; of course it is debatable whether the four additional operations make a big difference. Both programs additionally rename the file in order to destroy the file name and are capable of processing directories recursively. A quick (but unsafe) mode is available for both programs; use the -q parameter for Wipe and -f for srm. The tools that Secure Delete provides in addition to srm are the major difference between the two packages. For example, sfill can be used to safely erase the free space on a partition, and sswap will delete the swap content, which could otherwise reveal data swapped out of main memory. Extremely paranoid users can additionally launch smem to overwrite the contents of the main memory.
GLOSSARY
Encryption: An algorithm that typically uses a key is applied to the clear text to transform it into an encrypted message.
XOR: XOR (exclusive or, ⊕) is an operation that returns 0 when both bits it is applied to are identical. The result is 1 for different values. XOR encoding simply adds the clear text and the key bitwise. The same procedure is repeated to decrypt the message, as the key cancels itself out (K ⊕ S ⊕ S = K). This type of encryption is only safe if the key is not repeated; that is, where the key is the same length as the message itself (see One time pad).
Patch/Kernel patch: A patch file contains instructions on modifications to one or multiple files. This saves download time, as you only need to apply the patch file for the new program version to the existing source code, instead of having to download the new source code.
PRNG: A Pseudo Random Number Generator is an algorithm that outputs extremely long, seemingly random data sequences. If the PRNG is used in a cryptographic context, predictable output must be avoided as the entire cryptographic infrastructure is otherwise vulnerable. Open source algorithms avoid this by using a random seed that needs to be kept secret, just like a cryptographic key, and often comprises user dependent events.
Mountpoint: A mountpoint is the point where a file system is inserted. After mounting, the content of the file system is displayed as part of the directory chosen as the mount point, hiding any data in this directory.
Discrete Cosine Transformation: Discrete Cosine Transformation (DCT), which is closely related to Fourier transformation, is applied to an image block measuring 8x8 pixels during JPEG encoding and transforms the three dimensional topology (the third dimension is derived from the pixel values) of the block to a discrete frequency amplitude assignment. The frequency of the individual frequency coefficients is used as the scale for modifications to the image; thus a uniform surface will be represented by a low frequency, whereas high-resolution details will be represented by higher frequencies.
History/.bash_history: The Bash (and most other shells) store the commands typed during a session in a history file (which defaults to ~/.bash_history). You can use the unset HISTFILE syntax to delete the environment variable that points to the history file and thus make it impossible to store any commands.
One time pad: One time pad involves encrypting a message with an absolutely random key of the same length as the original clear text. Traditionally, a modulo 26 addition (that is, the remainder after dividing the sum by 26) was performed for each letter of the message and the key. Today, most people tend to XOR binary messages and keys. Provided that the key really is random, and is only used once, there is no way to break this algorithm. The disadvantage is that you need a large amount of random data, and that the key is just as long (and thus in many cases equally as difficult to keep secret) as the message itself.
Keyboard logger: A keyboard logger is a program or device that grabs keyboard input, thus revealing passwords and other confidential data.
PGP/GPG Mantra: A mantra is a password used by PGP and GPG to encrypt the private key and protect it from undesired access.

Hideaway
Although cryptographic tools are quite capable of protecting the contents of a message from inquisitive third parties, an encrypted file or email message will tend to stand out in a mass of clear text messages – and this in itself might attract the attention of an intruder. Steganography (the art of hidden writing) provides a solution to this issue by hiding information in a harmless host medium such as an image without any recognizable manipulation. JPEGs and other image formats are typical hosts as they are inconspicuous and large enough to transport confidential data. The simplest, and for this reason probably the most common, technique to embed data in uncompressed image formats, such as BMP, is to alter the least significant bits of the RGB values (see Box 1) – after all, this does provide three bits of storage per pixel. Only the least significant bits are manipulated, as they have the least impact on color values, and the effect on the image is thus restricted to more or less invisible color nuances. JPEG images are a more complicated issue, as the image is not simply stored pixel-wise, but translated into frequency coefficients by so-called discrete cosine transformation. The coefficients are subsequently quantised, which means that high-frequency coefficients (details that the eye can hardly detect) are rounded to zero. Some image information is lost during this process, and this is why JPEG is referred to as a lossy compression method. As the image is then additionally compressed (without any further loss) it is more difficult to manipulate the actual bytes than it would be with a BMP, for example. Instead, the least significant bits of the individual coefficients are overwritten before the loss-free compression of the image begins. In both cryptography and steganography there is constant competition between new algorithms and analytical processes. Thus, the above mentioned method can be broken both by visual attacks and by a statistical method that relies on recognizing atypical hue value distribution patterns in manipulated images. A program called OutGuess [7] provides one possible solution to this issue, as it avoids changing the typical frequency coefficient distribution patterns and is thus resistant to analytical methods. In practical terms, this means that for every frequency coefficient manipulated within an image, a matching coefficient is manipulated in exactly the opposite direction. So, if a value of 2 is replaced by a 3 at one position, OutGuess will convert a 3 to a 2 at another position. The Java tool F5 [8] also resists statistical attacks by decrementing the coefficient values instead of simply overwriting individual bits; the JPHS tool [9], which we will not be looking into in this article, is equally resistant. Although they use different mathematical methods, all of these programs are used in a similar way. You need a host image, the file with the data to be hidden, and a password that is used to additionally encipher the data. The additional cipher is required to prevent the hidden file from being revealed simply by launching the program, depending on the strength of the algorithm. You should additionally be aware of the fact that an image cannot be used more than once, and that the original should not be available on the Internet or from any other public source, as the steganographic message could be extracted by simply comparing the image with the original. After selecting a suitable image, you can use the following commands to embed the hidden information:

outguess -k "Bigger is Better" -d crypto.txt my.jpg my2.jpg

You need a Java Runtime Environment to run the F5 tool. The syntax is as follows:

java -mx40M -classpath $CLASSPATH:/usr/local/f5 Embed -e crypto.txt -p "Bigger is Better" my.jpg my2.jpg

The $CLASSPATH environment variable contains the path to the classes of the Java Runtime Environment and /usr/local/f5 is the directory where the F5 tool resides. If you use JRE 1.4 by Sun or Blackdown, the command should work without the $CLASSPATH: syntax. The secret message is extracted using the reverse syntax:

outguess -k "Bigger is Better" -r my2.jpg crypto2.txt

Or with the F5 tool:

java -mx40M -classpath $CLASSPATH:/usr/local/f5 Extract -e crypto2.txt -p "Bigger is Better" my2.jpg

Figure 1: F5 also offers a GUI frontend

Unfortunately, new mathematical methods have been developed to break the algorithms used by F5, OutGuess and JPHS. The program authors will of course respond to the challenge – but it is safe to assume that the capacity for hiding information will drop again in the next generation of software. So it makes sense to use an MP3 file as a host medium. Even if the embedding capacity drops to less than one percent, an MP3 should still offer plenty of space. A program called MP3Stego leverages this potential and embeds messages while encoding MP3 files [10]. The following commands are used to hide or extract messages – note that the WAV file must be in 16 bit format:

encode_ix86 -E crypto.txt my.wav my.mp3
decode_ix86 -X my.mp3 my2.wav crypto2.txt

MP3Stego insists on playing the WAV file (or what’s left of it) in addition to outputting the hidden message, but you can prevent this “feature” by specifying /dev/null instead of my2.wav. One particularly convincing feature that MP3Stego offers is the fact that you are not required to supply a passphrase when launching the program. Instead, you are prompted for the passphrase after launching the tool.
Unfortunately, all the other tools do not offer this feature – so the passphrase ends up in your shell history. If you want to keep your password a secret, you might like to disable your (Bash) history by typing unset HISTFILE for the remainder of the current session.

Advanced Paranoia
When dealing with encryption, you should be aware that neither AES, nor any other cryptographic algorithm (with the exception of the extremely impractical one time pad) can be mathematically proven to be secure, although they have proved resistant to attacks launched by the international cryptanalysis community. Additionally, it is by no means sufficient to regard the algorithm in isolation – often, a completely different area of the system will prove to be the weakest link. Thus, a keyboard logger or a cleverly hidden camera can reveal any data entered by a user, including their PGP/GPG mantra, and circumvent any security measures. Electromagnetic emission is another weak point of typical computer systems, and almost any PC component (especially the display) will produce it. A program called Tempest for Eliza [11] shows how easy it is to receive emissions, even using the most simple means, by creating special patterns on screen that can be picked up by radio receivers. Of course, it is possible to insulate your computer room, but signals are transmitted by any cables to which the computer attaches and this makes insulation extremely difficult. Your best bet is to use a laptop in an insulated room, and if possible, to run Tinfoil Hat Linux [12] on it. This distribution fits on a single floppy and comprises both GPG and (Tom Vier’s) Wipe. gpggrid provides protection against keyboard loggers by allowing you to choose a mantra letter by letter from a randomly generated matrix. Additionally, the “Paran0id” option in the Tinfoil menu activates an extremely low contrast color mode that should make eavesdroppers’ lives difficult (or your optician happy, as the case may be). With this option GPG continually encrypts files in the background, to distract from your own GPG instance. Another tool that is useful in situations where you cannot trust your own screen is morseblink, which can be used to send messages by morse code via the keyboard LEDs. In “Paran0id” mode morseblink is used to transmit random morse code and thus overlay any emissions the keyboard might produce. In standard mode you can use the following command to morse code a file:

cat text | morseblink

Finally, the Tinfoil Hat README [13] recommends wearing a hat made of aluminium foil to protect your own thoughts from both external influences and reading – although one might be tempted to question the seriousness of this recommendation. ■

Box 1: Least significant bits
Many steganographic algorithms manipulate only the least significant bit. To understand how this works, you must be aware of how numbers are represented in a binary context. Let’s use a pixel in a 24 bit BMP file as an example: the hue values for this pixel are defined by the ratios of red, green, and blue (RGB). Our BMP file uses one byte (8 bits) for each hue value, that is 24 bits per pixel. BMP files store hue values in inverse order. The binary representation is thus as follows:

          Blue      Green     Red
Decimal   198       113       47
Binary    11000110  01110001  00101111

If the bits 101 are now embedded, the least significant bits in the three color bytes are modified as follows:

          Blue      Green     Red
Decimal   199       112       47
Binary    11000111  01110000  00101111

Expressed as a decimal, modifying these bits means a maximum deviation of 2^0, that is +/-1. Thus the least significant bit has the smallest possible effect on the numerical value, and on the hue; in fact, the human eye should not be able to detect any difference from the original.

Figure 2: gpggrid provides – admittedly roundabout – protection from keyboard loggers

INFO
[1] http://www.kerneli.org/
[2] http://loop-aes.sourceforge.net/
[3] http://www.kernel.org/pub/linux/utils/util-linux/
[4] http://gsu.linux.org.tr/wipe/
[5] http://freshmeat.net/projects/securedelete/
[6] http://wipe.sourceforge.net/
[7] http://www.outguess.org/
[8] http://wwwrn.inf.tu-dresden.de/~westfeld/f5.html
[9] http://linux01.gwdg.de/~alatham/stego.html
[10] http://www.mirrors.wiretapped.net/security/steganography/mp3stego/
[11] http://www.erikyyy.de/tempest/
[12] http://tinfoilhat.shmoo.com/
[13] http://www.zapatopi.net/afdb.html
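The Box 1 manipulation carried through on a whole pixel buffer, as an added example written for this page (not code from the article or from any of the tools it mentions). It treats a raw 24-bit BMP pixel area as a byte string in the blue, green, red order the box describes; the host pixels, the 4-byte length header and the payload are all constructed here.

```python
"""LSB steganography on raw 24-bit BMP pixel data (added example)."""


def bits_from_bytes(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bits of a BGR pixel buffer.

    Each hue byte carries one bit, so every 24-bit pixel carries three bits,
    as Box 1 describes. A 4-byte big-endian length header goes in first so
    the extractor knows where the message ends (the header is this example's
    own convention, not part of any tool discussed in the article).
    """
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(pixels):
        raise ValueError("host image too small for this payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits_from_bytes(message)):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the bit
    return bytes(out)


def _read_lsb_bytes(pixels: bytes, offset: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at hue byte offset."""
    result = bytearray()
    for b in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def lsb_extract(pixels: bytes) -> bytes:
    """Recover a payload embedded by lsb_embed."""
    length = int.from_bytes(_read_lsb_bytes(pixels, 0, 4), "big")
    return _read_lsb_bytes(pixels, 32, length)


def max_deviation(original: bytes, modified: bytes) -> int:
    """Largest change to any hue value: LSB embedding never exceeds 2^0 = 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


def box1_example() -> bytes:
    """Box 1 pixel (blue, green, red = 198, 113, 47) with the bits 101 embedded."""
    pixel = bytearray([198, 113, 47])
    for i, bit in enumerate((1, 0, 1)):
        pixel[i] = (pixel[i] & 0xFE) | bit
    return bytes(pixel)                     # 199, 112, 47 as in Box 1


# Constructed host: 200 pixels (600 hue bytes) of a synthetic gradient, not a real image.
HOST = bytes((i * 37 + 11) % 256 for i in range(600))
SECRET = b"Bigger is Better"

if __name__ == "__main__":
    stego = lsb_embed(HOST, SECRET)
    print("recovered:", lsb_extract(stego))
    print("max hue change:", max_deviation(HOST, stego))
    print("Box 1 pixel after embedding 101:", list(box1_example()))
```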
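The XOR and one time pad glossary entries above in working form, as an added example that is not part of the original article: the byte-wise XOR pad with its cancellation K ⊕ S ⊕ S = K, the traditional letter-wise modulo 26 variant, and a function showing exactly what is lost when a pad is used twice (the reason the glossary insists the key must never be repeated). The messages and the 26-letter example key are constructed here.

```python
"""XOR one-time pad, the modulo 26 letter form, and the key-reuse failure (added example)."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings, the K ⊕ S of the glossary."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad from the kernel's random source; a pad is used once only."""
    return os.urandom(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # Decryption is the same operation: (K ⊕ S) ⊕ S = K, the pad cancels out.
    return xor_bytes(ciphertext, pad)


def otp_mod26(text: str, key: str, decrypt: bool = False) -> str:
    """The traditional letter form: (m + k) mod 26 to encrypt, (c - k) mod 26 to decrypt."""
    if len(text) != len(key) or not (text.isalpha() and key.isalpha()):
        raise ValueError("text and key must be letters only and the same length")
    out = []
    for t, k in zip(text.upper(), key.upper()):
        m, kk = ord(t) - ord("A"), ord(k) - ord("A")
        v = (m - kk) % 26 if decrypt else (m + kk) % 26
        out.append(chr(v + ord("A")))
    return "".join(out)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute when one pad protected two messages:
    c1 ⊕ c2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2. The pad drops out, so the two
    clear texts are tied to each other without any key material at all,
    which is why a pad that is used twice is no longer a one time pad."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad = new_pad(12)                                   # constructed, single-use
    c = otp_encrypt(b"meet at noon", pad)
    print(otp_decrypt(c, pad))                          # b'meet at noon'
    print(otp_mod26("HELLO", "XMCKL"))                  # EQNVZ
    c2 = otp_encrypt(b"stay at home", pad)              # the mistake: same pad again
    print(key_reuse_leak(c, c2) == xor_bytes(b"meet at noon", b"stay at home"))
```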
SYSADMIN
rsync
Keeping in sync
The rsync [1] program allows you to synchronize local or remote files and directories using the “rsync remote-update protocol”, which first checks for differences between the source and target before data transfer commences, thus minimizing the transfer volume. BY HEIKE JURZIK
The rsync program helps you to copy files from local or remote systems, ensuring that file properties (e.g. permissions or owners) and complete directory structures are kept. Launching the program is similar to launching rcp or scp: rsync file(s) target. To save the dir1 directory recursively to the backup directory of your local system, type:

huhn@asteroid:~$ rsync -r dir1 backup
The -r (--recursive) option ensures that every scrap of information in any subdirectories will be transferred, although this does not include symbolic links.
The skipping non-regular file dir2/link message indicates that the link file in the dir2 subdirectory is a symlink and will not be copied. To keep symbolic links to other files as links when copying, additionally specify the -l (--links) parameter, as in rsync -rl dir1 backup. To “resolve” symbolic links instead, use -L (--copy-links) – the former links are then stored as normal files in the backup directory. You can set the -p (--perms) flag to preserve file permissions, and -t (--times) to keep the timestamps. Only root can use the option to keep the file owner (-o or --owner), as normal users are just not allowed to give away their files in this way. As the manpage indicates, you can combine all of these flags (-rlptg and the owner option) into a single option: -a (--archive) copies recursively and retains file properties. Again, this requires root privileges.

Figure 1: rsync makes the first copy of all the files...
Patterns
The --exclude=searchpattern parameter excludes any files and directories that match the searchpattern from the copy operation. If you want to exclude files ending in .backup from the backup operation, the syntax is as follows:

huhn@asteroid:~$ rsync --exclude=*.backup source target

You can supply as many --exclude options as you need to exclude specific files. The --exclude-from=file parameter works in a similar way – but uses a file to supply the search patterns (one pattern per line) that describe the files to be excluded. Of course, this also works in reverse: the parameters --include=searchpattern and --include-from=file allow you to specify search patterns for files to be transferred.

Encryption Please
For reasons of security, rsync is best combined with ssh. The “Secure Shell” (with the ssh login command and scp for secure file transfer) ensures that your data does not cross the wire in the clear, but is encrypted first. The scp tool soon shows its limitations when transferring files. If an upload or download crashes, the program does not “remember” the files it has copied, and this can be annoying, especially if you are copying directories recursively (scp -r) or transferring high volumes of data. This scenario also fails to provide for version control, that is, new files simply overwrite existing files with the same name. The parameter that causes rsync to use ssh is -e ssh or --rsh=ssh (defines a substitute command for rsh, as indicated by the equals sign). If you want the ssh command to use a parameter of its own, such as -1 (to select protocol version 1), you will need to place that section in quotes:

huhn@asteroid:~$ rsync -e "ssh -1" file target

otherwise rsync will attempt to parse the option as its own parameter. You can make encrypted rsync the default by setting an environment variable:

huhn@asteroid:~$ export RSYNC_RSH=ssh

After setting this variable, you can omit the -e ssh option. Incidentally, rsync can be combined with the --partial option to transfer larger files:

huhn@asteroid:~$ rsync --partial file.avi pluto:films/
Password:

You can then type ls -l to list the partial file on the other machine:

huhn@pluto:~$ ls -l .file*
-rw------- 1 huhn users 3899392 Jan 6 20:31 .file.avi.yeahkG

If the copy operation crashes, the partial file that has already been transferred is kept. When you re-launch the transfer operation, rsync will first check to see how much of the file has already made the jump and re-start at that point. ■

Figure 2: ...and next time the same command only copies the changes.

INFO
[1] http://rsync.samba.org/

GLOSSARY
Symbolic links: A file reference that an application program will handle exactly as if it were referencing the file. If the file the symlink points to is deleted, the link will point to empty space. Symlinks are created using the “ln -s sourcefile targetfile” syntax.
File permissions: Besides an owner and a group, files also have specific permissions: the “r” indicates “read” permission, with “w” meaning “write”, and “x” “executable”. The first triplet refers to the file’s owner, the second triplet to the group and the last triplet to any other users on the machine. The combination of letters that appears indicates the permissions, read, write, and execute, for the file.
Timestamps: The Linux filesystem stores a variety of file information, for example the time elapsed since the last access (atime), status change (ctime), or content change (mtime).
Search pattern: Normally comprising two elements: the characters to search for, and a count for the number of times these characters are allowed to occur. When used in combination with rsync, this provides you with a variety of complex character sequences, which are covered by several sections of the manpages. Typical wildcards can be used to perform most tasks.
Wildcards: Metacharacters that allow substrings to remain unspecified. A question mark “?” in a string means that a single character at the position marked by the question mark is undefined (e.g. h?llo => hallo, hGllo, h7llo, …); in contrast to this, an asterisk “*” can represent any number of different characters (e.g. m*ss => mass, morass, or even mss).
Environment variable: The shell provides the user with memory space for storing specific information and for allowing access to application programs. These environment variables comprise a name and the assigned value. The standard Linux shell, bash, uses the export command to set variables, whereas csh uses the setenv command.
PROGRAMMING
Stadrin
Protecting Access
Every day we face the problem of securing access to services on our servers. In our personal life we can recognise the other party by their face or some form of ID document. When it comes to electronic access, recognition is harder, as the identification presented may be genuine or stolen. BY MILAN GIGEL
68
March 2003
Static passwords are normally based on an account name and a matching password. These days this is not ideal, so we will look at an alternative authentication mechanism, Stadrin. For establishing the identity of a user we usually rely on static passwords. The main problem is the way in which most users try to keep their passwords secret. As the password is the only factor used to check authentication, it is important to ensure that nobody except the user knows the password, or even the account/password combination. As passwords are usually chosen by the users themselves, they are often weak, based on the names of children or pets, dates of birth and so on, so they are easy to guess and to misuse. Sometimes the situation is a little better and users select their passwords from a combination of words with numeric suffixes or prefixes. Unfortunately it is still possible to recover such a password by brute force supported by large dictionaries. Static passwords are only secure if no copy is kept, either digitally or on paper, and in some cases the copy is a Post-it note stuck to the monitor. Even if we have a strong password and it is securely stored, security may still be compromised by other factors. We can easily imagine a Trojan capturing keystrokes and sending them to an attacker, or someone sniffing the Ethernet traffic to collect the passwords transported over it, whether in clear text or in an encrypted but replayable form. Sometimes it is sufficient to look over someone's shoulder and remember what they type as a password. The situation is similar if we use magnetic stripe cards, smart cards or even biometric devices, because the credential is still a static value while it travels through the communication channel to the server: whoever captures it can present it again. Is it possible to solve this problem?
Sure it is, so let us have a look at how this can be done simply. Whenever we need to increase security we can use a One Time Password (OTP). We typically find this in banking and other financial sectors where the data has a defined monetary value. Even if a password is stolen, security is not compromised, as a new OTP is generated for each use and a used one is not accepted again. There are several ways of issuing OTPs, including pre-printed OTP sheets, specialised software components and hardware authentication calculators, which are now the most popular method.
Additional Securing of OTPs
To increase the level of OTP security it is possible to extend the authentication process with additional factors. We usually use PINs and "challenges" for this. To ensure that the OTP received really comes from the trusted party, the server, after receiving the account name, sends the user a "challenge" which then takes part in the OTP calculation. The challenge is normally transported over the same communication channel, but to raise the safety level it is possible to use another means of transport, such as a GSM Short Message Service (SMS) message.
Figure 1: Stadrin architecture
www.linux-magazine.com
Possible Compromise
As a second level of access and authentication, a compromise method may be used. The most common system is based on a set of predefined passwords (different for each user account) organised in a matrix. This is usually called a Grid Card: each cell is addressed by a row and a column and contains a Quasi One Time Password (QOTP). After receiving the account name the server sends a challenge, for example the field C4, and the QOTP the user reads from that cell acts as a dynamic password for authentication. Note that a grid card is only "quasi" one-time: the set of cells is fixed, so a card that has been copied or photographed gives away every future response, which is why it ranks below a real token.
Available Mechanisms
Rekonix has recently introduced the Stadrin mechanism (http://www.stadrin.com) on the Linux platform, using the Pluggable Authentication Module (PAM) architecture. This helps in implementing OTPs on existing systems without any need to modify applications and services.
PAM was chosen because of its wide usage. The system is based on the Stadrin PAM module and Vasco end-user tokens.
Token Cards
For calculating OTPs, the Stadrin module uses a wide range of Vasco tokens. These act as authentication calculators responsible for the whole authentication process on the client side. Vasco tokens have been around for many years, and experience has shown that they are resistant to everyday damage and have a long service life. The purpose of the token is to hold the user-specific authentication data and to act as a calculation engine. The calculation uses the current time, unique secret data stored in the token, data entered manually on the keypad and the 3DES algorithm, and the resulting OTP is shown on an integrated LCD. The token itself is protected against unauthorised use by a user-changeable PIN. A wide range of models is available; we chose to test the DigiPass 300.
The Server Side
The server implements the Stadrin PAM module, which uses a MySQL backend for storing user- and token-specific data. The information programmed into each token is held in the relational database. The administrator's job is to relate accounts and services to the token data. It is possible to assign the same token to several different accounts, and so to several different services. The system can be forced to use one of three supported authentication schemes.
Scheme 1
On a running system providing services and resources, there is the possibility of SPWD (static password) authentication. This is the standard authentication scheme used in PAM. For the first steps of the implementation it is possible to authenticate just a selected group of users with tokens, while all others keep using the previous mechanism. This is very handy for designing mixed authentication schemes and so lowering implementation costs. Extending the token requirement to all users is then simply a matter of changing the authentication policy of the remaining users.
Scheme 2
Response Only mode (RO): The first of the offered schemes that uses the token hardware is Response Only mode. The user activates the token with the PIN and lets it calculate an OTP. The calculation starts with token-specific information, unique seed values, a timestamp and initialisation vectors, which are processed by 3DES. The variability of the OTPs comes directly from the timestamp, and a generated OTP is valid for 38 seconds after the calculation. This means that the server must keep correct time, for which NTP is the usual mechanism: if the server clock drifts by more than the validity window, every token will be rejected. The user turns the token on by pressing a button, enters the PIN and presses the "1" button to select the RO application; the OTP is immediately displayed on the LCD. The tokens are pre-programmed with the Stadrin default of 8 hexadecimal characters.
Scheme 3
Challenge Response mode (CR): This is the second authentication method using the token. It builds on the previous one, increasing the security level and the variability of the OTPs. The enhancement is that the server-side PAM module issues a challenge, delivered to the user over the same communication channel as the authentication itself. Besides the variable timestamp, seed values and 3DES initialisation vectors used in the RO scheme, the challenge is also one of the inputs to the 3DES calculation. The input parameters, including the challenge, are passed to a calculation function with a 3DES backend to produce the OTP, which again is valid for just 38 seconds. From the user's point of view the authentication process is: enter the account name, receive the challenge issued by the server, activate the token with the PIN, key the challenge into the token, and type the generated OTP back into the authentication system.
Figure 2: Response Only Authentication scheme
Scheme 4
Message Authentication Code (MAC): Apart from the authentication schemes described above, the Vasco tokens support one more scheme, an authorisation scheme, which we describe here. In this case authentication is directly combined with authorisation of the transferred data, so both are done in a single pass: the system checks the identity of the account in use and at the same time validates the integrity of the transaction data. As in Challenge Response mode, the challenge is generated on the server side by the PAM module, and the user keys in, together with the challenge, up to 8 numeric user fields on the token keypad. The token therefore generates something similar to a digital signature over the transaction, covering the user's account authentication, the validation data and up to eight system-definable fields. This is useful in a financial environment: a response computed over the amount and destination account cannot be reused to authorise a different transfer.
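To make the three token schemes concrete, here is a small model of them in Python. It is an added example and not Stadrin or Vasco code: the real tokens compute the OTP with 3DES over token-specific seed data, a timestamp and initialisation vectors, none of which is published here, so the model uses HMAC-SHA256 over the same kinds of input instead. The 38-second validity and the 8-hex-digit OTP length are taken from the article; the seed value, the one-step clock-skew tolerance, the replay check, the four-digit challenge format and the lockout after max_bad failures are assumptions, and the account name and timestamp are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Added example modelling the RO, CR and MAC schemes; not Stadrin/Vasco code.
OTP_HEX_DIGITS = 8        # Stadrin default OTP length from the article
STEP_SECONDS = 38         # validity window quoted for RO and CR mode
ALLOWED_SKEW_STEPS = 1    # assumed server tolerance for clock drift
MAX_BAD = 5               # mirrors max_bad in stadrin.conf


def current_step(now=None):
    """Time step that the token and the server both derive from the clock."""
    if now is None:
        now = time.time()
    return int(now // STEP_SECONDS)


def derive_otp(seed, step, challenge="", fields=()):
    """OTP for one time step (stand-in for the token's 3DES calculation).

    RO : challenge == "" and no fields
    CR : challenge is the server-issued value keyed into the token
    MAC: challenge plus up to eight numeric transaction fields
    """
    if len(fields) > 8:
        raise ValueError("MAC mode accepts at most eight fields")
    msg = step.to_bytes(8, "big") + challenge.encode() + "|".join(fields).encode()
    digest = hmac.new(seed, msg, hashlib.sha256).hexdigest()
    return digest[:OTP_HEX_DIGITS].upper()


def issue_challenge():
    """Four-digit challenge like the 0495 shown in the login session."""
    return "%04d" % secrets.randbelow(10000)


class Verifier:
    """Server side: holds each token's seed, accepts the OTP of the current
    step or a neighbouring one, refuses any OTP it has already accepted and
    locks the account after MAX_BAD consecutive failures."""

    def __init__(self, seeds):
        self.seeds = dict(seeds)   # account name -> token seed
        self.used = {}             # account name -> set of (step, otp)
        self.bad = {}              # account name -> consecutive failures

    def verify(self, account, response, now=None, challenge="", fields=()):
        if self.bad.get(account, 0) >= MAX_BAD:
            return False                      # account locked
        seed = self.seeds.get(account)
        if seed is None:
            self._fail(account)
            return False
        step = current_step(now)
        for cand in range(step - ALLOWED_SKEW_STEPS, step + ALLOWED_SKEW_STEPS + 1):
            expected = derive_otp(seed, cand, challenge, fields)
            if not hmac.compare_digest(expected, response.upper()):
                continue
            if (cand, expected) in self.used.setdefault(account, set()):
                break                         # replay of an accepted OTP
            self.used[account].add((cand, expected))
            self.bad[account] = 0
            return True
        self._fail(account)
        return False

    def _fail(self, account):
        self.bad[account] = self.bad.get(account, 0) + 1


if __name__ == "__main__":
    # Constructed demonstration data: the seed and the account are invented.
    seed = b"constructed-seed-for-pandoruser"
    server = Verifier({"pandoruser": seed})
    t0 = 1046649600.0                         # constructed timestamp (2003-03-03)
    otp = derive_otp(seed, current_step(t0))
    print("RO login:", server.verify("pandoruser", otp, now=t0))
    print("RO replay:", server.verify("pandoruser", otp, now=t0))
    chal = issue_challenge()
    cr = derive_otp(seed, current_step(t0), chal)
    print("CR login with challenge", chal + ":",
          server.verify("pandoruser", cr, now=t0, challenge=chal))
```

The point of the model is the server-side checks that the article leaves implicit: a response is only accepted for a step near the server's own clock, which is why NTP matters; an accepted response is remembered and refused a second time within its window, which is what makes the password "one time" rather than merely short-lived; a CR or MAC response is bound to the challenge and the transaction fields, so it cannot be replayed against a different challenge or transfer.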
Implementing Stadrin
The installation of the Stadrin authentication system is quite easy, as the package is distributed in .rpm format. The package requires a Linux kernel newer than 2.2 and glibc 2.2 or better. Of course the MySQL database is also required; it can reside on the same server or on a remote one, thanks to the remote database connection supported by the Stadrin backend. The current version of Stadrin is 1.1, distributed on a CD-ROM for the system and a floppy diskette containing the licence information. So, let us have a look at how the installation proceeds. The first step is to mount the CD-ROM and invoke the installation with the rpm package manager:
# mount -t iso9660 /dev/cdrom /mnt/cdrom
# rpm -ivh /mnt/cdrom/stadrin-1.1.rpm
The installation script is automatically invoked to start the configuration of Stadrin and the system files that go with it:
Preparing... ########### [100%]
1:stadrin ########### [100%]
Creating symbolic link for Vasco shared library
Done.
Install complete.
Configuring database.
The first step in the configuration is to specify the database backend. Currently only the MySQL backend is supported, which, as said, can be on the same system or on any other server, in which case it can provide a central account database. We have to specify the location and the administrator credentials first (see Listing 1). The MySQL root password is used by the initialisation script to create the Stadrin database and a separate database user for Stadrin; as the script warns, the password is echoed to the terminal, so do not run this step where the screen can be observed. Now that we have entered the basic data, the next configuration section creates the database storage backend (see Listing 2). As we have provided the root user information, the rest of the creation process can be run automatically by the prepared initialisation script. After these steps the system is almost ready to run; what remains is to provide the licence information and to set up the accounts and the PAM system. If all goes well, the init script finishes with the following message:
Listing 1: Specifying location and user data
Enter the location of MySQL database (localhost): localhost
Enter name of MySQL administrator (q to quit) [root] : root
MySQL administrator is root
Is it correct? (yes/no/q/quit) [no] : yes
Enter password of MySQL administrator root
!!! WARNING : password will be visible !!! : opensesame
Is it correct? (yes/no/q/quit) [no] : yes
Creating Stadrin database user
Stadrin user created successfully
Congratulation! Set-up is done.
Use stadrin utility to set-up users and tokens.
For instructions see stadrin documentation.
The user licence is distributed on a floppy diskette and has to be copied to the default configuration directory, /etc/stadrin:
mount /dev/fd0 /mnt/floppy -t vfat
cp /mnt/floppy/stadrin.lic /etc/stadrin
chmod 600 /etc/stadrin/stadrin.lic
The whole configuration is in a single file, /etc/stadrin/stadrin.conf. As we can see, the database access password is stored here in clear text, so it is necessary to make sure that this file is not readable by other users of the system (root-owned with mode 600, as for the licence file); it is also worth granting the MySQL user stadrin rights on the stadrin database only, so that a leaked password exposes no more than that database:
database    mysql
dbname      stadrin
user        stadrin
password    opensesame
The second half of the configuration file consists of default properties for account data, synchronisation parameters and parameters concerning the root account, so it will be necessary to customise these settings for a specific server:
active_user           yes
active_token          yes
method                RO/CR/SPWD
max_bad               5
root_at_login_swpd    yes
Listing 2: Creating the database
Enter name of database for stadrin [stadrin] : stadrin
Database name is stadrin
Creating stadrin database with name stadrin
Database created successfully.
Tables created successfully.
Enter name of user for stadrin database [stadrin] : stadrin
Stadrin database user is stadrin
Enter password of stadrin user stadrin : opensesame
Stadrin user will have password opensesame.
The PAM configuration of each service that should use tokens is changed in its file under /etc/pam.d (for example /etc/pam.d/login). The default authentication scheme:
auth required /lib/security/pam_stack.so service=system-auth
can be changed to Response Only mode:
auth required /lib/security/pam_stadrin.so
#auth required /lib/security/pam_stack.so service=system-auth
or to Challenge Response mode with:
auth required /lib/security/pam_stadrin.so CR
#auth required /lib/security/pam_stack.so service=system-auth
Figure 3: Challenge Response Authentication scheme
This is the right place to notice that all the common services natively support the SPWD and RO authentication schemes, while the CR scheme is only supported by the login service; a service that cannot relay the challenge to the user simply cannot use it. Before logging out of the session in which you edit these files, verify the new configuration from a second session, otherwise a mistake locks you out of the machine.
User Token Definitions
After activating the authentication schemes we have to define the user accounts and the tokens. The simplest way is to import users from /etc/passwd using the command:
stadrin -sync
Alternatively, we can use our own import script. The original listing uses awk to emit one stadrin -au (add user) and one stadrin -m (set method) command per account and pipes them into a shell:
awk -F: '{print "stadrin -au " $1; print "stadrin -m " $1 " SPWD"}' /etc/passwd | bash
Piping generated commands into a shell is only safe as long as the account names contain no shell metacharacters (useradd does not allow them, but a hand-edited /etc/passwd might); if the user list comes from anywhere less trustworthy, call stadrin directly with each name as an argument instead.
Figure 4: Message Authentication Code Authentication scheme
Now we have finished the user definitions. The next step is importing the token definitions and assigning them to specific users. The tokens come with digitally signed and encrypted data files containing the token-specific information; for each token there is a unique definition file and an activation key. The tokens are typically imported in a single pass with an immediate assignment to the selected user, as shown in Listing 3. It is also possible to assign an existing token definition to a further user account with:
stadrin -st useraccount tokendefinition
Finally, we have to change the authentication scheme of the users with assigned tokens from the default SPWD scheme to Response Only or Challenge Response mode:
stadrin -m pandoruser RO
or
stadrin -m pandoruser CR
Listing 3: Importing token data
stadrin -a pandoruser ./pandortoken.dpx
Enter your ini-key, please: 111111111111111111111111111111110097123456
0097123456
Added APPL 1
Added APPL 2
Added APPL 3
After finishing the assignments, to make sure the authentication scheme is complete, we have to test it on an available service such as login. Challenge Response mode with the login service looks like this:
killer login: pandoruser
Challenge is 0495
Enter your response:
Last login.....
killer$
Conclusion
From an enterprise point of view, Stadrin is an effective tool for raising the security level of existing systems, especially where static password authentication is no longer sufficient. Authentication schemes of this type are most commonly used by banks and insurance companies for securing access to electronic funds. As Stadrin becomes more widespread, we will meet OTP authentication systems more often and in more diverse places, certainly in system and application environments. Although systems like this have mainly been used in very secure environments in the past, this is bound to change. With its low cost (Stadrin starts in the range of EUR 100 to 156 for a single user, including the token) it is possible to bring this higher level of security to more ordinary computing environments, so preventing unauthorised access. A special discount of 25 per cent is available to all Linux Magazine readers for a period of one month. Since a large share of unauthorised system access comes from inside the company, dynamic passwords are the best way to protect services against local as well as Internet access. For this reason you should consider changing before you find out the hard way that your static passwords are no longer secure. ■
PROGRAMMING
Coin 3D
Interactive 3D Worlds with Coin and Qt
Virtual World
Qt and Coin, an Open Inventor clone, make the programming of interactive 3D worlds a lot easier than OpenGL ever has. Speed of image rendering is not always the critical requirement; quick and easy-to-follow programming may produce better results. BY STEPHAN SIEMEN
For most people OpenGL immediately springs to mind when it comes to programming 3D worlds. Often Open Inventor by SGI or the compatible Coin (see "Open Inventor and Coin") are a better choice: OpenGL may render graphics quickly, but it involves complex and time-consuming programming. OpenGL's structure and commands are closely oriented on the graphics hardware; compared to Open Inventor, OpenGL is on the level of assembler. The object-oriented Open Inventor toolkit was developed in 1991 by the same SGI programmers that produced OpenGL. Open Inventor maps the functionality of OpenGL to objects, and the design particularly simplifies programming in C++. Open Inventor itself uses OpenGL to render graphics and thus inherits its quality and speed. The toolkit is far more than just a library that provides classes for creating 3D graphics. Open Inventor allows you to describe and store 3D scenes in so-called scene graphs, for example. The file format developed for this purpose was used as a template for VRML (Virtual Reality Modelling Language) in 1994. Open Inventor also allows interaction with the scene: the scene graph can be used to identify the objects and thus define appropriate reactions. Unfortunately, Coin and SoQt are not included with every Linux distribution (see the "Installation" insert). Both packages contain exhaustive documentation.
Coin
Manufacturer: Systems in Motion
License: LGPL (GPL for Version 2.0 planned)
Stable Version: Coin 1.0.3, SoQt 1.0.1
Coin Professional: Commercial license (per developer and year 2000 US dollars), suitable for proprietary projects
Multi platform support: Coin runs on Linux, other Unix type systems and Windows; you need a C++ compiler and an OpenGL library
GUI Bindings: Currently supports Qt, Gtk+, Motif and Windows; Coin can be used without these bindings
3D Graphics with a GUI
The biggest difference between programming with Open Inventor and Coin is the GUI integration. The following examples use SoQt to interface with the Qt library; Motif variants are available from [7]. With the exception of the SoQt components, all of these examples also run on SGI's Open Source variant of Open Inventor; thus the names Coin and Open Inventor are interchangeable in the following sections. As befits a programming tutorial, our first example is a Hello World program. It initializes a viewer and displays a three-dimensional text which the user can view from any position. The code is shown in Listing 1 and can be downloaded from [7]. The following command compiles the program:
g++ HelloSoQt.cpp -o HelloSoQt -lCoin -lSoQt -I$QTDIR/include
The command links the Coin and SoQt libraries and uses the "-I$QTDIR/include" option to specify the location of the Qt header files. The result is shown in Figure 2.
Discovering and Exploring Virtual Worlds
The "SoQtExaminerViewer" class (created near the end of Listing 1) provides a variety of functions that allow you to view various sections of the scene. The graphic follows mouse movements if you hold down the left mouse button. The viewer provides alternative views of the scene via the wheels and buttons on the window borders. The three wheels are particularly interesting: two of them are in the bottom left corner, and another is located on the lower right. The right wheel, or dolly, influences the distance between the user and the scene (zoom effect). The two wheels on the left rotate the scene about its x or y axis.
Discovery Tools
A total of seven buttons are located above the dolly wheel on the right window margin:
• Arrow: Edit mode
• Hand: Interactive mode
• House: Reset camera position to default
• Blue House: Set a camera position (viewer angle) as the new default position
• Eye: View the whole scene
• Lamp: Set the focus for the zoomer (dolly)
• Box: Toggles various transformations.
All of these interactions move the camera and not the scene itself. Interactive mode is automatically enabled on launching the viewer and allows the user to modify the camera position and angle as required using the GUI wheels and the mouse. Additional settings are available in the pop-up menu (right click).
Figure 1: The Coin library mediates between the application and OpenGL. SoQt is used to bind the Qt GUI toolkit, while SoXt is the alternative for Motif. (Diagram layers, top to bottom: Application; SoQt or SoXt; Coin or Open Inventor; Qt-GL and Qt; OpenGL; Operating System; Hardware.)
Figure 2: The sample Hello SoQt program is shown in the viewer. The user can alter the viewing position.
The Scene Graph: Managing 3D Objects
Open Inventor uses scene graphs for the efficient management of 3D scenes (3D worlds). The scene graph has a tree structure whose root allows access to the objects in a scene. The elements of the scene graph are nodes, which contain various functions. Each node describes part of the scene. When calculating and rendering a scene, Open Inventor works its way methodically from the root to the leaves (the lowest nodes) of the scene graph, left to right and top down. Special nodes are used to permit additional modifications, such as transformations and rotation. These modifications affect any subordinate nodes. At this point a similarity to the OpenGL state machine becomes apparent. A property, for example the color of a 3D object (class "SoBaseColor"), remains active until a new value is assigned to the property. The programmer can organize the objects in the scene graph to manipulate the appearance and behavior of the generated scene. The order of the effects is important: swapping a rotation and a translation leads to different results. Open Inventor offers a variety of node types that can define surfaces, describe materials or adjust the camera and lighting. Other nodes provide interfaces for interactive operations or describe various transformations.
Listing 1: "HelloSoQt.cpp"
// SoQt header files
#include <Inventor/Qt/SoQt.h>
#include <Inventor/Qt/viewers/SoQtExaminerViewer.h>
// Coin header files
#include <Inventor/nodes/SoBaseColor.h>
#include <Inventor/nodes/SoText3.h>
#include <Inventor/nodes/SoSeparator.h>

int main(int argc, char **argv)
{
  // Initialize SoQt library.
  // The return value points to a Qt window
  QWidget *window = SoQt::init("test");

  // Create a "scene graph"
  SoSeparator *root = new SoSeparator;
  root->ref();

  // Set the RGB color. Yellow in this case
  SoBaseColor *color = new SoBaseColor;
  color->rgb = SbColor(1, 1, 0);
  root->addChild(color);

  // Create a text
  SoText3 *text3D = new SoText3();
  text3D->string.setValue("Hello SoQt");
  root->addChild(text3D);

  // Create a viewer
  SoQtExaminerViewer *b = new SoQtExaminerViewer(window);
  b->setSceneGraph(root);
  b->show();

  // Start the window
  SoQt::show(window);
  // Loop until exit.
  SoQt::mainLoop();

  // Delete viewer and reference for scene
  delete b;
  root->unref();

  return 0;
}
Figure 3 (diagram): the chair scene graph. Under the root "chair" Separator are "seat" (seat color, seat surface), "front legs" and "back legs" (each with a left and a right leg, built from a displacement followed by the shared leg geometry and leg color) and "back" (back color, rotation, displacement, post and post 2). The legend distinguishes Separator, Appearance/Design, Transformation and Geometry nodes.
Nodes: Shapes, Colors, Materials and Light
Each node is described by a class. The name of a node class starts with "So", as in "SoMaterial" or "SoCone". The "So" prefix is omitted when describing a scene in a file; node names are then VRML-like. Each class comprises fields that characterize the properties of the node. The SGI documentation details the fields available in each node type: the "Open Inventor Nodes Quick Reference" and the "Open Inventor C++ Reference" are available as PDF documents under [3] (enter the document name you require in the search box). In the case of Coin and its extensions (such as SoQt) the documentation is included in the source code; you can use Doxygen to generate an HTML overview.
Table 1: Shape Classes
Node name   | Meaning   | Fields        | Standard values
SoCone      | Cone      | parts         | ALL (SIDES, BOTTOM)
            |           | bottomRadius  | 1
            |           | height        | 2
SoCube      | Cube      | width         | 1
            |           | height        | 1
            |           | depth         | 1
SoCylinder  | Cylinder  | parts         | ALL (SIDES, TOP, BOTTOM)
            |           | radius        | 1
            |           | height        | 2
SoSphere    | Sphere    | radius        | 1
SoText2     | 2D text   | string        | Empty string
            |           | spacing       | 1
            |           | justification | LEFT (RIGHT, CENTER)
SoText3     | 3D text   | string        | Empty string
            |           | spacing       | 1
            |           | justification | LEFT (RIGHT, CENTER)
            |           | parts         | FRONT (SIDES, ALL, BACK)
Inserting a New Node
The following example inserts a new node into a scene graph:
SoCone *cone = new SoCone;
cone->height.setValue(4);
cone->parts.setValue("SIDES");
root->addChild(cone);
This creates an object of the desired class ("SoCone" in this case) and defines values for some of its fields. In our example the height is set to "4" and only the sides are visible. Finally, the node is added to the graph (called root in this case). Table 1 lists the most important shape classes with their fields. We will be discussing how to create your own nodes in a subsequent article. These elements can be combined to create complex structures, to display a chair for example. To create a graph for this purpose the scene has to be divided into individual components. The more components used to describe a scene, the more realistic the results.
Figure 3: The scene graph divides the chair into its components: seat, front and hind legs as well as the back. The left and right legs differ only by their position.
Before starting to write a program, you should take care to plan the scene graph, as repeated use of duplicate objects saves memory. If multiple instances of subgraphs (for example, the legs in our chair example) can be used, you will not only save memory but also keep the scene graph and the source code clear. This may not seem important in the context of our example, but in larger projects such as games or CAD programs the number of objects is a vital criterion.
Open Inventor and Coin
In 1996 SGI handed over the development of Open Inventor as of version 2.1 to TGS [2]. This company develops and distributes the latest version (currently 3.1) commercially. In August 2000 SGI decided to publish its own Open Source Open Inventor version (2.1) for Linux [1]. The Norwegians at Systems in Motion [4] offer an implementation of their own, called Coin [5], for Windows, Linux and other Unix systems. Coin is currently available under the LGPL license (version 1.x), although version 2.0 is due to be released under the GPL.
More Dynamism with Coin
Coin was chosen for this article because its development promises more dynamism than the SGI variant. Coin attempts to implement the new Open Inventor 3.x features, whereas SGI has merely ported Open Inventor 2.1 to Linux. The various extensions provided by SIM are another good reason for choosing Coin. In addition to the standard Motif binding, it also supports Qt, Gtk and Java. These bindings are important since Open Inventor merely describes the 3D scene; the programmer must provide the window frame and the binding to the window manager. OpenGL provides the GLUT extension for this purpose, whereas Open Inventor settled on Motif to simplify this task. However, alternatives such as Gtk and Qt are simpler and more commonly available for Linux than Motif. Qt matches Coin perfectly, as both are implemented in C++.
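The traversal rules described under "The Scene Graph" (root to leaves, left to right; a property such as SoBaseColor stays in effect until it is reassigned) and the instancing advice just above can be tried out without Coin installed. The following Python script is an added example, not Coin or Open Inventor code; its node classes are deliberate miniatures of SoSeparator, SoBaseColor, SoTranslation and the shape nodes. A Separator here restores the traversal state it found on entry once its children are done, which is SoSeparator's behaviour in Open Inventor, and Translation accumulates like SoTranslation. The chair geometry, colours and offsets are constructed for the demonstration.

```python
# Added example: a miniature of Open Inventor scene-graph traversal.
# Not Coin code; the classes imitate SoSeparator, SoBaseColor,
# SoTranslation and the shape nodes only as far as traversal order and
# state inheritance are concerned.


class Node:
    """Group node: children are traversed in the order they were added."""

    def __init__(self, name="Group"):
        self.name = name
        self.children = []

    def add_child(self, child):
        self.children.append(child)
        return self                       # allows chained building


class Separator(Node):
    """Like SoSeparator: state changes made below it do not leak to
    the nodes traversed after it."""


class BaseColor(Node):
    """Like SoBaseColor: sets the colour for everything traversed later."""

    def __init__(self, rgb):
        super().__init__("BaseColor")
        self.rgb = rgb


class Translation(Node):
    """Like SoTranslation: offsets accumulate along the path."""

    def __init__(self, offset):
        super().__init__("Translation")
        self.offset = offset


class Shape(Node):
    """Stands in for SoCube, SoCylinder and friends."""

    def __init__(self, kind):
        super().__init__(kind)
        self.kind = kind


def render(root):
    """Walk the graph depth first, left to right, and return what a
    renderer would draw: (kind, colour, position) per shape."""
    drawn = []

    def walk(node, state):
        if isinstance(node, Separator):
            saved = dict(state)
            for child in node.children:
                walk(child, state)
            state.clear()
            state.update(saved)           # restore on leaving the separator
        elif isinstance(node, BaseColor):
            state["color"] = node.rgb
        elif isinstance(node, Translation):
            x, y, z = state["pos"]
            dx, dy, dz = node.offset
            state["pos"] = (x + dx, y + dy, z + dz)
        elif isinstance(node, Shape):
            drawn.append((node.kind, state["color"], state["pos"]))
        else:
            for child in node.children:
                walk(child, state)

    walk(root, {"color": (1, 1, 1), "pos": (0, 0, 0)})
    return drawn


def build_chair(scoped=True):
    """Seat, four legs and a back. One Shape object serves as all four legs,
    instanced behind different Translation nodes. With scoped=False the seat
    is a plain group instead of a Separator, so its colour leaks to the back."""
    leg = Shape("Cylinder")                    # defined once, used four times
    legs = Separator("legs").add_child(BaseColor((0.4, 0.2, 0.0)))
    for dx, dz in ((-0.4, -0.4), (0.4, -0.4), (-0.4, 0.4), (0.4, 0.4)):
        legs.add_child(Separator("leg").add_child(Translation((dx, -0.5, dz))).add_child(leg))
    seat = Separator("seat") if scoped else Node("seat")
    seat.add_child(BaseColor((0.8, 0.6, 0.2))).add_child(Shape("Cube"))
    back = Separator("back").add_child(Translation((0, 0.6, -0.45))).add_child(Shape("Cube"))
    return Separator("chair").add_child(seat).add_child(legs).add_child(back)


if __name__ == "__main__":
    for item in render(build_chair()):
        print(item)
    print("back colour without a seat Separator:", render(build_chair(scoped=False))[5][1])
```

Running it shows six drawn shapes: the leg appears four times at four positions although only one leg object exists, each leg's Translation is undone by the Separator around it so the offsets do not pile up, and the back is drawn in the default colour because the seat's BaseColor was confined to the seat's Separator; remove that Separator and the back inherits the seat colour, which is the state-machine behaviour the text compares to OpenGL.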
A Simple Chair as an Example of a Scene Graph
A chair is fairly simple to construct; it comprises a seat, a back and four legs. The legs are the same apart from their position. Figure 3 shows the scene graph for this construction; every property and the accompanying geometry is described by an individual object. The object-oriented approach means that only one definition is required for duplicate objects, as multiple instances can be added to the scene graph. In our chair example, the front and rear legs are each described only once and (following the required transformations) added to the scene graph as and when they are needed. This also applies to the color of the chair legs. The source code for our example is available to download from [7]; Figure 4 shows the result of running the program.
Figure 4: The chair described in the scene graph already looks quite realistic, although only a few nodes describe it.
Conclusion and Prospects
Coin and SoQt provide for fairly simple interactive programming of three-dimensional graphics, without needing to leave the (L)GPL world. The effort involved is often trivial, particularly in contrast to programming with OpenGL, but the results are convincing. After all, Open Inventor does use OpenGL for rendering operations. The features described in this article only scratch the surface of Open Inventor's capabilities. Our next article discusses how programmers can provide additional interaction via menus or with the mouse. ■
Documentation
If you are interested in Open Inventor and cannot wait until the next article appears, you might like to check out some online sources. SGI supplies the most complete documentation [3]. The "Inventor Mentor" is the Bible for Open Inventor programmers. It describes features such as setting light and camera positions, creating complex geometries, animating scenes and programming interactions. In addition to the Inventor Mentor, you can also download the "Open Inventor C++ Reference Manual" from SGI. The manual describes the classes that the SGI version of Open Inventor comprises, unfortunately without the Coin extensions. If you want to learn even more about Coin, take a look at the HTML documentation included with the tool.
Installation
Coin requires you to install OpenGL and GLUT first. The rendering speed of Open Inventor mainly depends on OpenGL. The Mesa OpenGL library relies on software for 3D calculations, but optimized OpenGL drivers are available for some 3D graphics adapters. The author used a GeForce 2 MX and nVidia's drivers for XFree86 4.x. You should enable hardware acceleration if possible, as Open Inventor needs a lot of power, especially for interaction. The Coin source code [6] is easy to compile and install. Simply follow the familiar steps after expanding the archive:
./configure
make
make install
Most Linux distributions include Qt, although you will often find that the Qt libraries have been installed without the header files required for programming. You also have to compile the library with OpenGL support. For SuSE 8.1 you will need to install all the Qt 3.0.5 packages, set the "$QTDIR" variable to "/usr/lib/qt-3.0.5" and add "$QTDIR/bin" to your "$PATH" variable.
The SoQt sources are also available for download at [6]; follow the compilation steps as described for Coin. After installing Coin and SoQt, root can invoke the "/sbin/ldconfig" command to make both libraries available throughout the system.
INFO
[1] Open Source Variant of Open Inventor: http://oss.sgi.com/projects/inventor/
[2] TGS: http://www.tgs.com
[3] Technical documentation by SGI: http://techpubs.sgi.com/library
[4] Systems in Motion: http://www.sim.no/
[5] Coin: http://www.coin3d.org
[6] Sourcecode for Coin and SoQt: ftp://ftp.coin3d.org/pub/coin/src/
[7] Files for this article: ftp://ftp.linux-magazin.de/pub/listings/magazin/2003/02/3d/
THE AUTHOR
Dr. Stephan Siemen works as a scientist at the University of Essex (UK), where he is involved with creating software for the 3D representation of weather systems and teaches computer graphics and programming. Additional information on this subject is available from his website at http://prswww.essex.ac.uk/stephan/3D/.
PROGRAMMING
LinuxBIOS
The LinuxBIOS project
Putting Linux on your motherboard
If you haven't come across the LinuxBIOS project [1] yet, you may be amazed at what it sets out to do. BY ANTONY STONE
LinuxBIOS releases yet another part of your PC to Open Source software, in this case the BIOS chip itself. BIOS stands for Basic Input Output System. The BIOS chip is installed on the motherboard by the manufacturer, and most users, whatever operating system they run, hardly ever think about it. They only see the BIOS screen when the machine is first booting up, and it is usually taken for granted as simply another piece of the hardware which hardly anyone considers changing. The code inside the BIOS chip (which is simply a non-volatile memory device, so that the software is available the moment the computer is powered on) is responsible for starting up the machine, checking for the presence of hardware such as memory and disk drives, and then initialising them so that the real operating system can start booting. Without the BIOS, your computer would do absolutely nothing when turned on, because the BIOS contains the very first instructions the CPU executes to get everything working. The LinuxBIOS project replaces the normal BIOS code on your motherboard with the Linux kernel itself, so that your machine boots straight into Linux within seconds of being turned on. LinuxBIOS has more advantages than very fast boot times, however. It has mainly been developed for cluster systems, because it allows far greater remote management and configuration than a standard BIOS chip does. If you have lots of servers configured in a cluster and need to change a (normal) BIOS setting, going round connecting a screen and keyboard to each machine, rebooting and making a manual change can be tedious and inconvenient, to say the least. LinuxBIOS also provides a good amount of boot-up diagnostic information on the system's serial port, and allows control of the boot process from a serial terminal as well. This can make debugging of hardware problems, or reconfiguration of a system, much easier than the usual vendor-specific keyboard-and-screen method. This article shows you how to swap your BIOS chip for LinuxBIOS, and explains the detailed steps necessary to compile the kernel and program the code into a LinuxBIOS chip. Note that since LinuxBIOS is still very much a work in progress, some details might have changed since this article was written.
Hardware
The first thing to check if you’re planning to create a LinuxBIOS system of your own is whether your motherboard is compatible and supported. A very wide range of motherboards, from an impressive list of manufacturers, are supported by the LinuxBIOS project, and your first step should be to check on the LinuxBIOS website to find out which models are likely to work. The most important requirement for a motherboard to run LinuxBIOS is that it has a BIOS chip which is removable from its socket, since this is how you change the physical chip containing the old BIOS code for a larger capacity memory chip containing the LinuxBIOS code. This article describes the PC-Chips’ M810LMR motherboard, which is a fairly cheap but nicely integrated board, containing on-board VGA, ethernet and sound. However, the steps needed for installing LinuxBIOS on any other supported motherboard are very similar to those shown here.
The other main item of hardware required in order to create a working LinuxBIOS system is the Disk-on-Chip memory device, which will be plugged into the BIOS socket on the motherboard, and which has the capacity to contain the Linux kernel and the small amount of bootstrap code which LinuxBIOS generates to initialize the motherboard hardware. Disk-on-Chip devices are memory chips which can be “formatted” to appear like a hard disk device, and which can contain a standard Linux filing system. The LinuxBIOS project uses the Disk-on-Chip (DoC) to hold the bootup code, and also optionally a root filing system (so it is in fact possible to create a completely standalone diskless machine). The specific DoC device used in this project is the M-Systems’ MD-2800-D08 (part number MD-2802-D08 is a suitable alternative as well). This device is an 8 megabyte flash-programmable device which fits into the standard 32-pin socket used by the 2 megabit BIOS chip. Note the slightly confusing contrast between the DoC devices, which are measured in bytes, and the standard Flash ROM BIOS chips, which are measured in bits. The DoC has a capacity 32 times that of the BIOS chip it is replacing; the simple reason for this being that it is not possible to fit the Linux kernel into 2 megabits. Finally, it is highly recommended that you obtain a 32-pin Zero Insertion Force (ZIF) socket in order to make removal and insertion of the BIOS and DoC devices simple and safe. Part of the process for programming the code into the DoC device involves removing the standard BIOS chip and replacing it with the DoC device – while the power is on and the motherboard is running. Attempting this without the use of a ZIF socket is definitely not recommended.
Getting started
The first thing you should do is read the LinuxBIOS FAQ, available from the website [1], and also the LinuxBIOS documentation for your chosen motherboard, which in the case of the M810LMR being used here, is based around the SiS630 chipset. The FAQ gives you a good idea of the overall process, and the steps involved.
Note that, although it is possible to use a “development system” for creating the LinuxBIOS code, programming this into the DoC, and then placing this into a separate “target system” which will actually run the code, it is in fact just as simple, and more convenient, to use a single machine as both development and target systems at the same time. It is assumed that you are already familiar with performing a basic Linux installation on a machine, and that you are comfortable with compiling a kernel and installing it. The steps involved in creating a LinuxBIOS machine are:
• Install Linux on your target machine, including support for the flash DoC devices (which most kernels will not have as standard)
• Get the LinuxBIOS source code
• Get the correct Linux kernel source, patch it and build it
• Configure and build the LinuxBIOS boot code for your motherboard
• Get the Memory Technology Devices (MTD) utilities and build the “erase” utility
• Remove the BIOS chip from its socket (with the power on!) and put a Disk-on-Chip in its place
• Burn the LinuxBIOS image containing the boot code and the kernel into the Disk-on-Chip
• Hit reset to start the new LinuxBIOS system.
It is a good idea to plug the ZIF socket into the motherboard, and then place the original BIOS chip into the ZIF socket in order to start the system up (Figure 1). Firstly, note the orientation of the BIOS chip in its socket (there is a notch at one end, or a dot in one corner, of the chip), remove the chip, and plug the ZIF socket into the motherboard socket. Place the lever of the ZIF socket at the same end of the socket as the notch or dot was on the BIOS chip. You may need to bend the pins of connectors nearby to get the ZIF socket to fit – on the M810LMR there is an unused 3-pin fan connector in the way. Make sure you plug the ZIF socket cleanly into all 32 holes on the socket on the motherboard – it’s easy to miss a couple of pins at one end and get the whole thing moved along one place.
You will probably want to do this with the motherboard not installed in a case, so you can look underneath the ZIF socket as you are inserting it. Once the ZIF socket is in place, lift the lever, insert the original BIOS chip (placing the notch or dot at the lever end of the socket) and lower the lever to secure the chip in place. Then reassemble the motherboard into the case and power up the system to make sure you get the usual BIOS startup screen, confirming that the ZIF socket and BIOS chip are correctly installed.
Figure 1: The ZIF socket plugged into the motherboard, with the original BIOS chip inserted
If you don’t already have Linux installed on the machine, install a basic Linux system; note that you will require the usual development tools (compilers etc.) for building your own kernel, and you will also need to install Python, as this is used to create the configuration files used for LinuxBIOS. The first thing you should do after installing the basic system is compile the kernel which will be used to create the LinuxBIOS system, so that it contains support for MTD (Memory Technology Devices), which is unlikely to be included in a standard kernel. It is important that you have support for loadable modules on the development machine, since for programming the DoC device in the BIOS socket of the motherboard, it is necessary to run a command before loading the DoC support modules, and therefore you cannot compile this support directly into the kernel. If you use make menuconfig to configure your kernel, the additional options you need to select (accurate for a 2.4.19 kernel) in order to build LinuxBIOS into a DoC device are given in Listing 1.
There is an important change needed in one of the kernel source files in order to get MTD support working properly. If you do not make this change, you will get errors later on when you try to erase or program the device, such as:
/dev/mtd0: No such device
/dev/mtd0: Bad file descriptor
The change required is in the kernel source file /usr/src/linux/drivers/mtd/devices/docprobe.c. Change the line which reads:
#define DOC_SINGLE_DRIVER
so that it becomes:
#undef DOC_SINGLE_DRIVER
Next, get the LinuxBIOS source by CVS from sourceforge:
export CVS_RSH=ssh
cvs -d:pserver:anonymous@cvs.freebios.sourceforge.net:/cvsroot/freebios login
Press [Return] at the password prompt and ignore errors about failed to open ./cvspass for reading, and even login aborted: fatal error: exiting. Carry on with:
cvs -z3 -d:pserver:anonymous@cvs.freebios.sourceforge.net:/cvsroot/freebios co freebios
Note that the LinuxBIOS project has grown from an earlier project named FreeBIOS, and therefore this directory name will appear throughout the files used in compiling the LinuxBIOS system. Before unpacking a fresh kernel source to patch with LinuxBIOS, check the LinuxBIOS kernel patches to see which kernel version is supported for your motherboard / chipset.
Listing 1: Kernel options required
Loadable module support
[*] Enable loadable module support
[ ] Set version information on all module symbols
[*] Kernel module loader
Memory Technology Devices (MTD)
<M> Memory Technology Device (MTD) support
[ ] Debugging
< > MTD partitioning support
< > MTD concatenating support
--- User Modules and Translation Layers
<M> Direct char device access to MTD devices
< > Caching block device access to MTD devices
< > Readonly block device access to MTD devices
< > FTL (Flash Translation Layer) support
< > NFTL (NAND Flash Translation Layer) support
RAM/ROM/Flash chip drivers --->
Mapping drivers for chip access --->
Self-contained MTD device drivers --->
< > Ramix PMC551 PCI Mezzanine RAM card support
< > Uncached system RAM
< > Test driver using RAM
< > MTD emulation using block device
--- Disk-On-Chip Device Drivers
< > M-Systems Disk-On-Chip 1000
< > M-Systems Disk-On-Chip 2000 and Millennium
<M> M-Systems Disk-On-Chip Millennium-only alternative driver
[*] Advanced detection options for DiskOnChip
(0) Physical address of DiskOnChip
[*] Probe high addresses
[ ] Probe for 0x55 0xAA BIOS Extension Signature
NAND Flash Device Drivers --->
You may be able to apply the patches to a different kernel, but at this stage in the game it’s probably better to build an old kernel strictly by the instructions, and make sure you can get LinuxBIOS working at all. Then afterwards you can try to bring the kernel up to the version you’d like it to be. This article discusses kernel version 2.4.19, because this was the most recent kernel patch file available for the M810LMR motherboard. In this case the patch file is called linux-2.4.19-sis.patch and is found in the FreeBIOS source tree under freebios/src/kernel-patches. This directory contains both the patches for the kernels, and also sample config files for building the new kernel (note that not all of these are guaranteed to work in all situations – you may need to look at other config files and make some manual adjustments to get your particular setup working). It is important to recognize that the kernel patches and config files are for the kernel you will eventually program into the DoC device and boot your LinuxBIOS machine from. They may not be the best choice for the kernel which you use to build LinuxBIOS and burn the DoC before rebooting it. When you build the kernel, simply use make bzImage and then leave the compiled kernel where it is. LinuxBIOS will later look for the file /usr/src/linux/vmlinux as the image to be included in the DoC device.
Building LinuxBIOS
It is recommended that you create your own config file based on one of the examples, and make the build images for programming into the DoC device, in a different directory outside the FreeBIOS source tree. This will ensure that they are not deleted when you update your copy of the source code from the CVS repository. Because of the way the directory names are arranged, it is recommended that you create a new directory called linuxbios side by side with freebios, and build the DoC images in there:
mkdir linuxbios
cd linuxbios
cp ../freebios/util/config/NLBConfig.py .
cp ../freebios/util/config/pcchips.config .
The first cp command copies the Python program which is used to process the configuration file, so that it is in a convenient place for use later on, and the second copies the standard pcchips.config file (which is the one appropriate to the motherboard used in this article) into the newly-created linuxbios directory, where we shall be carrying out the work. Having copied the pcchips.config file into the working directory, edit the new file and make the following changes:
• Remove single from the end of the kernel commandline, so that the LinuxBIOS machine boots into standard multiuser mode
• Add cpu k7 if you are using an Athlon processor
• Add option ENABLE_MII=1 to get the onboard ethernet working
• Change option HAVE_FRAMEBUFFER to option HAVE_FRAMEBUFFER=1 (this is simply to eliminate a warning message later on).
There may also be some editing of files needed in the LinuxBIOS source tree – for example, in the version of LinuxBIOS being used here, a change is needed in order to get the keyboard working on this particular motherboard. In the file freebios/src/arch/i386/lib/hardwaremain.c, uncomment the function call keyboard_on() around line 344. If you don’t do this, then when you finally boot your LinuxBIOS machine, you will get several hundred error messages pc_keyb: controller jammed (0xFF), and your keyboard will not work. It will not stop your LinuxBIOS system from working, however – you will still be able to log in on the serial port, or ssh across the network. After making these changes, run the Python program to create the build files:
python NLBConfig.py pcchips.config ~/freebios
This creates a subdirectory within the linuxbios directory called pcchips, and creates the following files in it:
LinuxBIOSDoc.config
Makefile
Makefile.settings
crt0_includes.h
nsuperio.c
Once you have these files, and you have compiled your target kernel (which is left sitting in /usr/src/linux/vmlinux), you can run the makefile to build your LinuxBIOS image:
cd pcchips
make clean
make
Next copy the burn_mtd utility into the newly-created pcchips directory, because by default burn_mtd looks in the current directory for the source files to burn into the DoC device, so there’s a lot less typing involved if the utility is in the same place.
cp ../../freebios/util/mtd/burn_mtd .
The burn_mtd utility doesn’t quite match the filenames generated by the Makefile, so it is useful to edit burn_mtd (which is simply a shell script), in order to use the correct names: change the first two occurrences of vmlinux (one in the comment on line 3, the other in linux=vmlinux.bin.gz on line 16) to linux (so that line 16 now reads linux=linux.bin.gz). The next step is to get the MTD utilities from [2] and build the “erase” utility – simply download the current version of the kernel tools under the ChangeLog section, and then make erase in the util subdirectory of the download. The final utility needed for programming the DoC devices is flash_on from the freebios/util/sis directory. This utility allows you to use the BIOS socket on your motherboard as a flash programmer (thus saving the need for an expensive separate piece of equipment specially for this job):
cd ~/freebios/util/sis
make flash_on
Copy the “erase” and “flash_on” utilities which you just built into your search path (for example /usr/local/sbin). Now comes the interesting part of programming LinuxBIOS – removing the BIOS chip from a live, running motherboard, and replacing it with the Disk-on-Chip. This is the point where you are grateful you got yourself a 32-pin ZIF socket and plugged it into your motherboard.
Programming the chip
With the power on and your system running, release the lever on the ZIF socket, remove the original BIOS chip and replace it with a Disk-on-Chip. Be very careful to get the orientation correct (the notch in the end of the chip goes at the lever end of the socket) and make sure the pins are lined up properly – remember that the socket has power on it. Secure the DoC in place with the lever on the ZIF socket. Run the command:
./burn_mtd
and it should program a LinuxBIOS chip, ready to run on your motherboard. The output of burn_mtd should look something like:
# ./burn_mtd
rmmod: module docprobe is not loaded
rmmod: module doc2001 is not loaded
rmmod: module docecc is not loaded
11+1 records in
12+0 records out
0+1 records in
1+0 records out
Erase Total 1024 Units
Performing Flash Erase of length 8192 at offset 0x7fe000 done
1+0 records in
1+0 records out
1+0 records in
1+0 records out
126+0 records in
126+0 records out
1536+0 records in
1536+0 records out
#
If at this stage, you get the following instead:
# ./burn_mtd
rmmod: module docprobe is not loaded
rmmod: module doc2001 is not loaded
rmmod: module docecc is not loaded
11+1 records in
12+0 records out
0+1 records in
1+0 records out
File open error
dd: opening '/dev/mtd0': No such device
dd: opening '/dev/mtd0': No such device
dd: opening '/dev/mtd0': No such device
dd: opening '/dev/mtd0': No such device
#
then you should check the kernel running on your machine: ensure that you edited the file /usr/src/linux/drivers/mtd/devices/docprobe.c to undefine DOC_SINGLE_DRIVER before building the kernel, that you selected the MTD options listed earlier, and that you rebooted the machine after building the kernel so that it is now actually running.
If the burn_mtd output looks good, reboot your machine to test the code programmed into the DoC. If your system reboots and you see a penguin in the top corner of your screen instead of an AMI or Award BIOS startup message, then you have succeeded in creating a LinuxBIOS system, booting the Linux kernel directly from the DoC instead of the hard disk boot sector as usual. Do not worry if bits of the system do not seem to get started properly (e.g. hard disk, ethernet, keyboard, root filing system etc.). They can easily get sorted out later. The important thing at the moment is to have a running kernel at all.
If you do not get a penguin on your screen followed by the normal kernel startup messages, and in fact get nothing at all, then the best way to discover what is happening with LinuxBIOS is to plug a serial cable into the first RS232 port, connect another system running a serial terminal emulator such as minicom (set to 115200 baud, 8 bits, no parity), and press reset. You should get some debugging information and startup messages displayed on the terminal, which will help to indicate how far through the startup process the system is getting. If absolutely nothing happens, then it’s possible that you haven’t got a suitable image burned into the DoC, so power off the motherboard, remove the DoC and put the original BIOS back in again, power the system back up, and see what you have missed from the above instructions.
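Before releasing the ZIF lever on a live board it is worth scripting the checks listed in the troubleshooting paragraph above together with the burn_mtd edit from the build steps. This shell script is an added example, not part of the article or the FreeBIOS tree; it assumes the 2.4 CONFIG_ symbol names behind the Listing 1 menu entries and that the built tree’s include/linux/version.h defines UTS_RELEASE.

```shell
#!/bin/sh
# Pre-flight checks to run before ./burn_mtd touches the live BIOS socket.
# Added example, not part of the article or the FreeBIOS/LinuxBIOS tree.
# Each check maps to a failure mode the article describes:
#   1. docprobe.c must #undef DOC_SINGLE_DRIVER, otherwise /dev/mtd0 gives
#      "No such device" / "Bad file descriptor" when erasing or programming
#   2. the kernel .config must carry the Listing 1 MTD options as modules
#      (ASSUMPTION: the CONFIG_ symbol names below are the 2.4 names behind
#      the menuconfig entries shown in Listing 1)
#   3. the kernel you built must be the one that is actually running
#      (ASSUMPTION: include/linux/version.h carries #define UTS_RELEASE)
#   4. burn_mtd must have been edited so that line 16 reads linux=linux.bin.gz
#   5. the target kernel image must sit where the LinuxBIOS Makefile expects it
# Usage: linuxbios_preflight <kernel-src-dir> <path-to-burn_mtd> [running-version]

check_docprobe() {
    # the article's fix: the #define line replaced by an #undef line
    grep -Eq '^#undef[[:space:]]+DOC_SINGLE_DRIVER' \
        "$1/drivers/mtd/devices/docprobe.c" 2>/dev/null
}

check_config() {
    # loadable modules, MTD core, char device access, the Millennium-only
    # driver, and the high-address probe that finds the DoC in the BIOS window
    cfg="$1/.config"
    for want in CONFIG_MODULES=y CONFIG_MTD=m CONFIG_MTD_CHAR=m \
                CONFIG_MTD_DOC2001=m CONFIG_MTD_DOCPROBE_HIGH=y; do
        grep -qx "$want" "$cfg" 2>/dev/null || {
            echo "preflight: $want missing from $cfg" >&2
            return 1
        }
    done
}

check_running_kernel() {
    # compare the UTS_RELEASE of the built tree with the running kernel;
    # the second argument overrides uname -r (used by the tests)
    built=$(sed -n 's/^#define UTS_RELEASE "\(.*\)"/\1/p' \
        "$1/include/linux/version.h" 2>/dev/null)
    running=${2:-$(uname -r)}
    [ -n "$built" ] && [ "$built" = "$running" ]
}

check_burn_mtd() {
    # burn_mtd must look for the file the Makefile actually produces
    grep -qx 'linux=linux.bin.gz' "$1" 2>/dev/null
}

check_target_image() {
    # make bzImage leaves vmlinux at the top of the tree; LinuxBIOS reads it there
    [ -f "$1/vmlinux" ]
}

linuxbios_preflight() {
    src=$1 burn=$2 running=$3 rc=0
    check_docprobe "$src" ||
        { echo "preflight: DOC_SINGLE_DRIVER still defined in docprobe.c" >&2; rc=1; }
    check_config "$src" || rc=1
    check_running_kernel "$src" "$running" ||
        { echo "preflight: running kernel is not the one built in $src" >&2; rc=1; }
    check_burn_mtd "$burn" ||
        { echo "preflight: $burn not edited to linux=linux.bin.gz" >&2; rc=1; }
    check_target_image "$src" ||
        { echo "preflight: $src/vmlinux missing, run make bzImage" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight: all checks passed, safe to run ./burn_mtd"
    return "$rc"
}

# stand-alone use: ./preflight.sh /usr/src/linux ~/linuxbios/pcchips/burn_mtd
if [ "$#" -ge 2 ]; then
    linuxbios_preflight "$@"
fi
```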
Silicon disk
The last thing you may want to do once your system successfully boots the Linux kernel directly from the Disk-on-Chip, is to create a root file system in the remainder of the 8 megabyte capacity of the DoC, so that you can dispense with the hard disk drive inside your machine altogether. You will need a few more MTD kernel options turned on in your development system (to format and write the root fs) and this time also in the kernel running in the target (so that it can read from the MTD-based file system). The options you should enable during make menuconfig for the kernels are shown in listing 2. Once you have recompiled the kernels (remember to install the kernel to the development system, and reboot, then leave the kernel image generated by make bzImage in /usr/src/linux/vmlinux), you should be able to create and format a partition in the remaining capacity of the Disk-on-Chip device:
nftl_format /dev/mtd0 0x100000
Listing 2: Kernel options for MTD support
Memory Technology Devices (MTD)
<M> Memory Technology Device (MTD) support
[ ] Debugging
< > MTD partitioning support
< > MTD concatenating support
--- User Modules and Translation Layers
<M> Direct char device access to MTD devices
< > Caching block device access to MTD devices
< > Readonly block device access to MTD devices
<M> FTL (Flash Translation Layer) support
<M> NFTL (NAND Flash Translation Layer) support
[*] Write support for NFTL (BETA)
RAM/ROM/Flash chip drivers --->
Mapping drivers for chip access --->
Self-contained MTD device drivers --->
NAND Flash Device Drivers --->
<M> NAND Device Support
[*] Enable ECC correction algorithm
[ ] Verify NAND page writes
nftl_format is in the linuxbios/mtd/util directory. You can then use fdisk /dev/nftla to create a single primary partition, occupying the entire available device (about 7 megabytes), and then format this with mke2fs /dev/nftla1 in the usual way. You can change the device where the LinuxBIOS kernel expects to mount the root file system by modifying the compiled kernel image (before burning it into the DoC):
rdev /usr/src/linux/vmlinux /dev/nftla1
For suggestions on what to place into such a small root fs and still have a working Linux system, consult one of the tiny distributions such as Tom’s Root Boot [3].
Conclusion
I found the LinuxBIOS project absolutely fascinating, and it is an incredible way to boot your machine directly into Linux quickly, easily, and at very little expense. I hope that you have as much fun with the system as I have.
INFO
[1] LinuxBIOS website: http://www.linuxbios.org/
[2] Memory Technology Device (MTD) Subsystem for Linux: http://www.linux-mtd.infradead.org/
[3] Tom’s Root Boot: http://www.toms.net/rb/
THE AUTHOR
Antony Stone has a degree in Medical Electronics, and has been working with Linux since 1994. He is Technical Director of Rockstone Ltd, a UK company producing Linux-based Firewalls, and is a contractor to Hewlett-Packard Laboratories, working on secure operating systems design. He is a part-time lecturer on the Information Security MSc at the University of London.
LINUX USER
KTools
KNewsticker
The Messenger
Hooked on news? The KNewsticker delivers the latest news hot off the press. By connecting to your favorite news feeds you can have the latest headlines scrolling across your desktop. BY STEFANIE TEUFEL
Keeping an eye on the headlines is an online activity that most Internet surfers indulge in. But not everybody has the time or the inclination to search the BBC or CNN News websites every day. Wouldn’t it be nice to have the headlines delivered to your desktop free of charge? KDE users can rely on the KNewsticker to supply them with the latest news fresh off the Web. As the program is part of the kdenetwork package, most users can skip the boring installation procedures and they can jump straight to the program configuration step.
Ticker Tape
Appropriately for a good newsticker – and following in the footsteps of CNN, Bloomsbury and many others – the KNewsticker is displayed as a ticker tape embedded in your desktop’s task bar. If you have room to spare, the program will attach itself directly to the bar, but you can improve the newsticker’s readability by allowing it to use a bar of its own. To do so, right click on the task bar and navigate to the Add / Extension / Child Panel item in the drop-down menu. The developer claims that a new panel should now appear below the KDE control bar by default, but this was not the case on some of our test candidates with the bar appearing on the left, or (in the case of older KDE versions) above the control bar. In the first case you can use the mouse or the menu item Configure Panel to move the new bar to a different screen position. And now it is finally time to launch the news ticker: to do so right click on the new control bar, and select Add / Applet / KNewsTicker (or Newsticker for KDE 2) in the drop-down menu. If you have a leased line, or if you happen to be online when you launch the program, the ticker tape will immediately start to fill up with news, as shown in Figure 1. If you are particularly interested in a headline, simply click on the bar, and KNewsticker will use Konqueror to open the source or page with the full message. Users with wheel mice can profit from a particularly neat feature: move over the ticker tape and use the wheel to scroll through the headlines. Users with conventional mice will need to left-click on the ticker, hold down the mouse button, and drag the mouse to scroll the ticker backward or forward to a position where they can click on the required message.
Figure 1: World News
KTools
In this column we present tools, month by month, which have proven to be especially useful when working under KDE, solve a problem which otherwise is deliberately ignored, or are just some of the nicer things in life, which – once discovered – you would not want to do without.
GLOSSARY
RSS: “Rich Site Summary” is an XML and RDF based Internet standard for news tickers (news feeds) that allows you to retrieve current information from content providers and display it on your own website along with a title, an abstract and a link to the full text.
RDF: The “Resource Description Framework” provides an infrastructure for the encoding, exchange, and re-use of metadata on the Internet. This unified and extensible metadata format was introduced by the World Wide Web Consortium (W3C), and is based on XML, just like the RSS format.
Feeding the Ticker
In order to access news, the news ticker needs websites that provide information and news in RDF or RSS format. These files contain both headlines and links to the full articles. Fortunately, KNewsticker is provided with a whole bunch of news sources for a variety of topics. If you need more, you can use the configuration dialog to supply new sources, remove older or uninteresting sources, or rename existing sources. To do so, right-click the ticker and select Preferences… in the drop-down menu to access the KNewsticker command center. The News Sources register (Figure 2) provides a variety of options. You can check the news sources whose headlines you want to display in your ticker – KDE 2 shows a list of active news feeds. There are several ways of adding a source. If you know the exact address of
Figure 2: Tapping In to the Source
the RSS or RDF file, simply click on the Add… button, and use the dialog box that then appears (Figure 3) to enter the name, source and category. KDE 3 simplifies this procedure. If you are familiar with the URL of a news feed (BBC World service news has a public beta site available on http://www.bbc.co.uk/syndication/feeds/news/ukfs_news/world/rss091.xml) for example, simply enter this as your Source file: and click on the Suggest button. The fields, with the exception of the category, fill automatically. Now click on OK to access the new source. The http://www.newsisfree.com/ or http://www.webreference.com/services/news/ sites provide a good overview of news feeds all around the globe.
Adding New Tickers On the Fly
KDE 3 users that happen to stumble across an interesting source while surfing the Web (often recognizable by an XML or RSS button on the page), can simply drag the source to the ticker. KNewsticker asks you to confirm (Figure 4) that you really want to add the feed, and adds it to your database if you click on Yes. This method does have a drawback as the new source will default to Unknown, and you will need to go through the configuration procedure shown in Figure 3 to provide a name. To do so, select the source by clicking on it, and then click on the Edit button.
Figure 3: Use this window to add new sources under KDE 3
Figure 4: Using drag & drop to extend the database
In addition to news feed management, the configuration menu provides a variety of additional options. Does the ticker scroll too fast or too slow for your liking? Or are you unhappy with the font or background color for the ticker? If so, take a look at the Scroller Preferences tab (Figure 5) where you can adjust these settings to your personal taste. Incidentally, this tab is called General on KDE 2. Simply click the Apply button to apply your changes on-the-fly. You do not need to re-launch the KNewsticker.
Figure 5: Applying finishing touches to KNewsticker’s make up
LINUX USER
deskTOPia
Icewm
The Icy Fountain of Youth
There are so many howtos about using older machines on networks that another one might seem entirely superfluous. What about using an older machine as a graphical desktop with the Ice Window Manager? BY ANDREA MÜLLER
Almost everyone will have some ancient hardware at home, and in most cases will be using it as a router. Putting older machines to work as desktops does not sound like a reasonable option, with modern desktop environments such as KDE being so demanding with respect to video and main memory, and hard disk capacity. If you are not afraid of alternative solutions and a bit of planning, you may still be able to run a GUI environment on your old hardware.
More RAM!
There is one minimum requirement for your hardware: If you can expand your main memory, do so. An X Window system is not really much fun, unless you have at least 32 MB RAM. Less memory will mean frequent swapping and this will bring your system to a standstill (especially if your hard disks are slow). Additionally, you should use XFree version 3.3.6, even if your video adapter supports XFree 4.x. The more recent X server requires far more memory than the older version. Finally, you should consider restricting your applications to a single GUI toolkit. The main contenders here are GTK or Tk thanks to the large selection of software based on them.
DESKTOPIA
Only you can decide how your desktop looks. With deskTOPia we regularly take you with us on a journey into the land of window managers and desktop environments, presenting the useful and the colorful viewers and pretty toys.
Spoilt for Choice
Besides the X server you will definitely need a small footprint window manager. icewm [1] is a good choice as it includes critical properties of a desktop environment, such as a taskbar with a clock and a start menu. Table 1 shows a selection of equally suitable window managers. As many of them do not provide a taskbar, the table also suggests some likely candidates.
Almost every major distribution includes icewm, so the installation should not be any trouble. You will probably find a package called icewm-lite or icewm-light on your distribution CDs, and it should contain a version of icewm compiled with minimal options. Depending on your distribution, the taskbar or even configuration features may be missing in this version. Depending on your machine’s equipment, you can opt for a more comfortable or less glitzy version, or even compile a version of icewm to suit your own needs. Invoking ./configure --help in the source code directory will display the available options. The --enable-lite configure parameter generates a slim version of the program. If you additionally drop the imlib library the program will again lose weight, but this does impact the window manager’s ability to add pretty graphics.
To launch icewm, you simply add a line such as:
exec /usr/X11R6/bin/icewm
to your ~/.xinitrc or ~/.xsession (depending on whether you use a console or GUI login). This setting is independent of your distribution; you might like to create a backup of your original file before adding the required line. If your distribution includes the package, your distributor will probably save you the trouble of this step and automatically launch icewm when you start up your X Window system.
A neat desktop should appear the first time you launch the program (Figure 1), and desktop operations should be self-explanatory. The left button in the taskbar conceals the start menu – your distributor may well have placed a number of items in the menu. This is where you launch programs, change the window manager’s appearance, log off, or switch from the current desktop scheme to one of the three others (available by default). The latter task can be performed more easily by clicking on one of the taskbar buttons, labelled 1 through 4. The task list also allows you to access a list of windows, and you can click on the display icon to open an X terminal. The right hand area of the icewm taskbar includes a clock, symbols for your mailbox status and the CPU load. The symbols can be configured to open the matching application when you click them. In Debian’s case this means launching the top system monitor when you click the CPU load display. The unused, central part of the taskbar is designed to accommodate icons for the applications you need to launch.
Figure 1: Default icewm configuration on Debian
Window Management
Windows converts will be pleased to hear that the Click to Raise model is the default window handling procedure. The last application to be launched is automatically placed in the foreground (“raised”) and thus capable of accepting input. Clicking on another window shifts the focus to this window and moves it in turn to the foreground. In contrast to Click to Focus, it does not matter whether you click on the title bar or on the middle of the window.
No matter what theme you choose, there will be at least three buttons that close, minimize and maximize your windows. There may also be an additional button that opens the window menu, which you can also access by right clicking the title bar. If you drag the mouse over the edge or one of the bottom corners of a window, the mouse pointer changes, allowing you to hold down the left mouse button and change the window size.

A button appears in the taskbar for every window displayed on the desktop. You can use the button to restore minimized or hidden windows to the foreground. To access windows on other desktops, click on the window icon to the right of the start button (Figure 2).

Figure 2: Access to windows on other desktops via a menu

A Matter of Taste
If you are unhappy with the default settings, you can create an .icewm directory in your home directory and copy the sample configuration to it. If you are compiling the window manager yourself, the sample directory is located in /usr/local/lib/X11/icewm. rpm based distributions place the sample settings in /usr/X11R6/lib/X11/icewm, and Debian users should look in /etc/X11/icewm.

You can customize your ~/.icewm copy to your heart’s desire; also note that the comments in the sample files and the icewm help, which is accessible via the start menu in newer versions of the window manager, provide valuable tips. If your computer cannot display higher than 800x600, you can make room on the desktop with the taskbar’s autohide function. Edit the following line:

#TaskBarAutoHide=0 # 0/1

in the preferences file containing the basic icewm configuration to:

TaskBarAutoHide=1 # 0/1

The string 0/1 that follows the second comment sign, #, shows the possible values, where 0 denotes “false” and 1 denotes “true”. The line TaskBarDoubleHeight=1 adds a second floor to the taskbar, adding a quicklaunch window where you can type the name of the application you want to launch and press [Enter]. For console based applications, such as top, simply terminate the entry with [Ctrl-Enter] instead. The following entries:

OpaqueMove=0
OpaqueResize=0

which are responsible for drawing window content while moving and resizing windows, allow more economical use of your machine’s resources. The icepref [2] tool provides menus for a large number of configuration options, and iceme [3] allows you to configure the manager’s menus. ■
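The two file edits described in this article, appending the exec line to the X start file and switching preference keys such as TaskBarAutoHide from their commented-out form, collected into a small POSIX shell helper. This is an added example, not code from the article or the icewm project; it assumes icewm lives at /usr/X11R6/bin/icewm as stated above and takes the file paths as arguments, so you can try it on copies in a temporary directory before touching your real ~/.xinitrc or ~/.icewm/preferences. The demo at the end works on constructed files.

```shell
#!/bin/sh
# Added example (not from the article or the icewm project): apply the two
# edits described above to files whose paths are passed in.

ICEWM_BIN=/usr/X11R6/bin/icewm   # path used by the article; adjust if needed

# add_exec_line FILE: back FILE up to FILE.orig, then append
# "exec /usr/X11R6/bin/icewm" unless an icewm exec line is already there.
# Creates FILE if it does not exist. Prints "added" or "present".
add_exec_line() {
    file=$1
    [ -f "$file" ] && cp "$file" "$file.orig"
    if grep -q "^exec .*icewm" "$file" 2>/dev/null; then
        echo present
    else
        printf 'exec %s\n' "$ICEWM_BIN" >> "$file"
        echo added
    fi
}

# set_pref FILE KEY VALUE: set KEY=VALUE in an icewm preferences file.
# A commented-out "#KEY=0 # 0/1" line is uncommented and updated, an active
# "KEY=..." line is updated in place, and an absent key is appended. The
# trailing "# 0/1" hint documenting the allowed values is kept. sed leaves
# a FILE.bak copy behind.
set_pref() {
    file=$1; key=$2; val=$3
    if grep -q "^#\{0,1\}$key=" "$file"; then
        sed -i.bak \
            -e "s|^#\{0,1\}$key=[^#]*\(#.*\)\{0,1\}$|$key=$val \1|" \
            -e "/^$key=/s/ *$//" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# get_pref FILE KEY: print the active value of KEY (commented lines ignored).
get_pref() {
    sed -n "s|^$2=\([^# ]*\).*|\1|p" "$1" | head -n 1
}

# Demo on constructed files in a temporary directory (removed afterwards).
demo_dir=$(mktemp -d)
printf '# constructed preferences fragment\n#TaskBarAutoHide=0 # 0/1\nOpaqueMove=1 # 0/1\n' \
    > "$demo_dir/preferences"
set_pref "$demo_dir/preferences" TaskBarAutoHide 1
set_pref "$demo_dir/preferences" OpaqueMove 0
set_pref "$demo_dir/preferences" OpaqueResize 0
echo "TaskBarAutoHide is now $(get_pref "$demo_dir/preferences" TaskBarAutoHide)"
echo "xinitrc: $(add_exec_line "$demo_dir/xinitrc")"
rm -rf "$demo_dir"
```

Run it against a copy of your own preferences file first and diff the result against the .bak copy; the substitution only touches lines that begin with the key you name, so the rest of the file, comments included, is left alone.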
LINUX USER

Table 1: Alternative Window Managers and Taskbars

Window Managers
blackbox: small footprint, quick with neat graphics; http://sourceforge.net/projects/blackboxwm
fluxbox: blackbox code based with some enhancements; http://fluxbox.sourceforge.net/
aewm: small footprint and plain Window Manager; http://www.red-bean.com/~decklin/aewm
pwm: saves your resources, interesting window concept [4]; http://modeemi.cs.tut.fi/~tuomov/pwm
larswm: minimalist for keyboard fans; http://www-personal.umich.edu/~larsb/larswm

Panels
fbpanel: panel with clock and application launcher; http://fbpanel.sourceforge.net/
hpanel: simple panel with desktop switcher; http://www.phrat.de/hpanel-0.2.tar.gz
fspanel: miniature (less than 10 Kb footprint) panel with switcher; http://www.chatjunkies.org/fspanel/

GLOSSARY
GUI toolkit: Program library that provides functions for programming graphical user interfaces, which are used for creating menus and dialog boxes. The “Gimp Toolkit”, GTK, and Qt are popular GUI toolkits.
autohide: hides the taskbar if not in use. The taskbar re-appears when you drag the mouse over the bottom of the screen.

INFO
[1] Icewm: http://www.icewm.org/
[2] Icepref: http://packages.debian.org/stable/x11/icepref.html
[3] Iceme: http://iceme.sourceforge.net/
March 2003
85
Out of the Box
Highlight
Color Codes When you are integrating your own source code into a webpage or document, syntax highlighting can provide improved readability. Highlight takes care of this task for you. BY CHRISTIAN PERLE
Although there are dozens of editors capable of syntax highlighting, only a few allow you to store formatted and highlighted document formats. Highlight, a purpose built tool by André Simon, fills this gap, and is available at http://www.andre-simon.de/. The source code archive, highlight1.3.tar.gz, is also available on this month’s subscription CD. As there is more to the installation than the standard rule of three, ./configure; make; make install, we have also included a shell script called insthighlight.sh. Copy both of these files to a single directory and then type the following command to launch the script:

sh insthighlight.sh
During the course of the installation, you will be prompted to supply the root password as the script requires write access to the /usr/local branch of the filesystem – to /usr/local/bin and /usr/local/share/ highlight to be more precise.
Let there be light
To launch the program for the first time, simply use the following syntax:

highlight -I inputfilename > outputfilename.html
Highlight uses the file extension to recognize the input file type. Three output formats are available: HTML with Cascading Style Sheets (CSS), Rich Text Format (RTF) and TeX. The -I option includes the style sheet definition in the HTML output file – omitting the option will create a separate file, called highlight.css, in the current working directory. You can use any browser with CSS capabilities to view the output. Figure 1 shows a POV-Ray scene description as viewed in the Mozilla browser.

OUT OF THE BOX
There are thousands of tools and utilities for Linux. “Out of the box” takes a pick of the bunch and each month suggests a little program, which we feel is either absolutely indispensable or unduly ignored.
Colors and Shapes
It is quite simple to try out a different color style if the default style is not to your liking. To do so, set the -s flag and supply the style name. My favorites are blue and darkness. The following command provides an overview of the available styles:

ls /usr/local/share/highlight/*.style

You can use the following command to discover the source file types supported by Highlight:

ls /usr/local/share/highlight/*.lang

Attentive readers may have noticed that the language definition file for POV-Ray files used in Figure 1, pov.lang, is not listed. The good news is that the file is on the subscription CD – simply copy pov.lang to /usr/local/share/highlight! If your input file does not have an extension, you can use the -S option, followed by the name of the syntax definition, to identify the file type, and redirect the input file from standard input using the < character. As an example, Highlight will not automatically recognize your personal start script, ~/.bashrc, as a shell script as the .sh extension is missing. But the following syntax will do the trick:

highlight -I -S sh < ~/.bashrc > bashrc.html

To integrate neatly formatted code into an Office document, you will need to set the -R flag to specify RTF instead of HTML as the output format:

highlight -R inputfilename > outputfilename.rtf

You can then use the OpenOffice or StarOffice RTF import filter to import the output file into an existing document. The example in Figure 2 shows the installation script embedded in a StarOffice document. Users of the TeX layout system will be pleased to hear that Highlight can produce output in TeX format. The syntax is as follows:

highlight -T inputfilename > outputfilename.tex

You can create a PostScript document from the .tex file, and then display the file with gv (Figure 3) or print it using lpr, by passing the file through the TeX interpreter and the dvips conversion tool:

tex outputfile.tex
dvips outputfile.dvi

The -L option is used to produce LaTeX output, although there was a slight glitch: a curly bracket was missing in the second to last line of the file we created.

Extending the Language Base
If Highlight is unfamiliar with the syntax of your favorite programming language, you have the option of defining a new language definition. You do not need to recompile or rewrite the program to do so; instead simply add the keywords to a language file with the .lang extension and store the file in the /usr/local/share/highlight directory. The file format is simple:
• Lines starting with a hash sign # are comments and will be ignored.
• The KEYWORDS= section contains all the keywords supported by the language, separated by space characters. The list must be typed in a single line.
• TYPESMODS= is followed by a list of types supported by the language. As is the case in the keyword section, newline characters are not permitted in the list.
• STRINGDELIMITERS= is followed by a list of characters used to introduce or terminate strings.
• SINGLELINECOMMENT= is followed by the character (or string) used to designate a single-line comment.
• MULTILINECOMMENT= designates the character (or string) used for multiple line comments.
• ISCASESENSITIVE= specifies whether Highlight should (true) or should not (false) distinguish upper and lower case for keywords.
• DIRECTIVE= specifies the character used by the language to designate compiler directives.
• ESCCHAR= specifies the character used to escape non-standard characters in the language.
If the language in question does not support one of the categories in this list, you can simply omit the category. The bash shell does not support multiple line comments, for example, so sh.lang does not include a MULTILINECOMMENT= entry. Highlight’s author would be pleased to receive new language definitions. So, if you are feeling bored, why not create a .lang file for an undefined language? ■

Figure 1: HTML syntax highlighting in Mozilla
Figure 2: Neatly formatted and imported as RTF
Figure 3: Producing PostScript documents means a small detour via the TeX format

GLOSSARY
Syntax highlighting: Typically the use of color-coding to emphasize specific elements in a source code or configuration file.
Shell script: A file with shell commands that are parsed automatically. Shell scripts are typically used to automate recurring tasks.
Cascading Style Sheets: An HTML extension that abstracts concrete formatting characters from the logical structure of the document.
TeX/LaTeX: A professional text layout system that is particularly useful for scientific documents.
POV-Ray: A free Raytracing (3D graphics) program that runs on numerous operating systems – such as Linux. The homepage is at http://www.povray.org/.
Compiler Directive: A keyword used to control the source code translation process, to omit specific code segments.

THE AUTHOR
Christian Perle currently works as a developer at secunet Security Networks AG. Christian discovered Linux in 1996, after playing around with the Sinclair ZX 81, Atari ST and finally IBM PC. When not hacking Linux stuff he can often be found playing guitar and “Magic: The Gathering”.
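A small POSIX shell checker for the .lang format described in the language section above, added here as an example; it is not part of the article and not code from Highlight. It reads a category’s value, counts the keywords, and flags the mistakes the format rules forbid: a KEYWORDS= or TYPESMODS= list wrapped onto a second line, a category given twice, and an ISCASESENSITIVE= value other than true or false. The definition it writes is constructed for the example and is not Highlight’s own sh.lang.

```shell
#!/bin/sh
# Added example (not from the article or Highlight): sanity-check a .lang
# language definition against the rules given in the text.

# The eight categories the article describes.
LANG_KEYS="KEYWORDS TYPESMODS STRINGDELIMITERS SINGLELINECOMMENT MULTILINECOMMENT ISCASESENSITIVE DIRECTIVE ESCCHAR"

# write_sample_lang FILE: constructed shell-like definition for the demo.
# MULTILINECOMMENT= is omitted on purpose, as the article says sh.lang does.
write_sample_lang() {
    cat > "$1" <<'EOF'
# constructed example in the .lang format (not Highlight's own sh.lang)
KEYWORDS=if then else elif fi case esac for while until do done function
TYPESMODS=local export readonly
STRINGDELIMITERS="'`
SINGLELINECOMMENT=#
ISCASESENSITIVE=true
ESCCHAR=\
EOF
}

# lang_get FILE KEY: value after "KEY=" (empty if the category is omitted).
lang_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# lang_keyword_count FILE: number of entries in the KEYWORDS= list.
lang_keyword_count() {
    lang_get "$1" KEYWORDS | wc -w | tr -d ' '
}

# lang_check FILE: print one line per problem; return 1 if any was found.
lang_check() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            *=*) ;;
            *) echo "line $n: no '=' (a list wrapped onto a second line?): $line"
               rc=1; continue ;;
        esac
        key=${line%%=*}
        case " $LANG_KEYS " in
            *" $key "*) ;;
            *) echo "line $n: unknown category '$key'"; rc=1 ;;
        esac
    done < "$file"
    for k in $LANG_KEYS; do
        c=$(grep -c "^$k=" "$file" || true)
        [ "$c" -le 1 ] || { echo "$k appears $c times"; rc=1; }
    done
    case $(lang_get "$file" ISCASESENSITIVE) in
        ''|true|false) ;;
        *) echo "ISCASESENSITIVE must be true or false"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed file in a temporary directory (removed afterwards).
demo_dir=$(mktemp -d)
write_sample_lang "$demo_dir/example.lang"
echo "keywords: $(lang_keyword_count "$demo_dir/example.lang")"
echo "single-line comment marker: $(lang_get "$demo_dir/example.lang" SINGLELINECOMMENT)"
lang_check "$demo_dir/example.lang" && echo "example.lang: no problems found"
rm -rf "$demo_dir"
```

Run lang_check on a new definition before copying it to /usr/local/share/highlight; a wrapped keyword list is the most common slip, and it shows up as a line without an equals sign.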
Creating CD Images: mkisofs & dd
Imag(in)e your hard disk The commands mkisofs and dd can be used to create images from files on your hard disk, or from a CD, which you can test mount before copying to a new CD. BY HEIKE JURZIK
An image maps a file system to a single file. Data on CD-ROMs are organized in a special file system that differs from the file system used by a hard disk, so you cannot simply copy individual files to the CD.
Extracting a CD Image
The abbreviation dd actually stands for “convert and copy” – but cc had already been assigned to the C compiler. The tool transfers data between various storage media, performing conversion operations when required. dd does not simply copy individual files, but can access devices directly. This allows you to copy complete hard disks, partitions and, of course, CD-ROMs. Options are entered without a minus sign. You can specify the block size for the input and output files, and the number of blocks to copy. You can issue the following command to save the boot sector on your first hard disk, for example:

asteroid:~# dd if=/dev/hda of=bootsector bs=512 count=1
The if (“infile”) option specifies the input file (this defaults to standard input); of (“outfile”) specifies the target file. The bs (“blocksize”) parameter allows you to supply the block size; count specifies the number of blocks to copy. So the above command translates to “copy from the first IDE disk (/dev/hda) to a file called bootsector the first block (count=1), which comprises 512 bytes (bs=512).” Another typical area of application is creating a boot floppy, for example, by copying the kernel (vmlinuz) to a floppy disk:

asteroid:~# dd if=/vmlinuz of=/dev/fd0
The floppy disk created by this process would allow you to boot your Linux system, despite a Windows installation having overwritten the boot sector. The simplest way to copy a data CD is to use the following:

asteroid:~# dd if=/dev/cdrom of=bla.iso
1349272+0 records in
1349272+0 records out
You do not need to mount the CD to do so – dd works independently of the type of data on the CD, the exception being audio CDs – but you can always use another utility, such as cdda2wav [2], for this purpose.
Imagine!
If you want to collect data before writing it to a CD, you will need to create an ISO image, and this is where the mkisofs (“make ISO9660 filesystem” [3]) command comes in useful. The program creates a file based on the ISO9660 guidelines. The following command copies files from a directory to an image:

mkisofs [parameter] -o file.iso /tmp/data
The -o option specifies the output file where the image will be stored (in this case file.iso); the source is /tmp/data. The most common parameters are -r and -J – Rockridge and Joliet extensions – expect to use them often. This ensures that your CD can be read by a Windows operating system. Instead of -r you can also specify -R here. This parameter uses Rockridge, but retains the privileges and file ownerships – this is the option to go for when creating a backup of the /home directory on your own workstation.
Bootable CDs
The -b option is also useful, as it allows you to create a bootable CD. The file specified by -b must be 1.2 MB, 1.44 MB or 2.88 MB in size and must contain the image of a bootable floppy – of course the boot sector must be stored in the first 512 bytes. You might additionally like to specify the -c option, which indicates the path to a boot catalog file to be created relative to the root directory of the CD, for example, mkisofs -c images/boot.cat. You can use the -V option to set the Volume ID, that is, the “name” of the CD, e.g. -V "Backup for December 1 2002". Typical Linux Magazine subscription CD-ROM images are created by using the following command:

mkisofs -V "LU01-2003" -J -r -P "Linux New Media" -b Boot/cdrom.img -c Boot/boot.cat -o lu-2003-01.iso lu01/
Isolinux
The usefulness of a 1.44 MB or 2.88 MB boot image is obviously somewhat restricted – if you want to store both the kernel and some modules in the image, you will soon run out of space. The Isolinux system, an extension of the SysLinux floppy boot loader [1], provides a useful alternative. You can use a configuration file to activate an arbitrary kernel stored in the CD file system. It is also possible to load RAM disks required at Linux startup directly from the CD. The Isolinux boot menu is configurable via the isolinux/isolinux.cfg file, which contains sections similar to the following (like the LILO configuration file):

label linux
  kernel vmlinuz
  append initrd=disk.rdz ramdisk_size=32000 root=/dev/ram3 vga=788 automatic=method:cdrom

Figure 1: mkisofs keeps you informed
Both the kernel vmlinuz and the RAM disk disk.rdz are stored in the /isolinux directory on the CD-ROM; subdirectories below /isolinux can also be used. The following mkisofs syntax creates a CD image with an Isolinux boot loader:
mkisofs -J -r -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o output.iso directory/
On the Safe Side
Before you use your favorite CD creator (such as cdrecord or X-CD-Roast) to burn the new image on a CD, you might like to ensure that the image is error free. The mount command not only allows you to mount storage media such as hard disks or CDs into your Linux filesystem, but also to mount ISO images just like any other device. The admin user root can type the following command to mount an image of this type:

asteroid:~# mount -o loop foo.iso /mnt/tmp/
GLOSSARY
Block size: A block is a contiguous collection of bytes on a storage medium. Some devices (appropriately known as “block devices”) organize their data in blocks, in contrast to “character devices”, which perform character oriented operations and read or write individual bytes.
ISO: Linux supports various types of filesystem. These include both native filesystems, such as ext2, ext3 or reiserfs, and the vfat and ntfs filesystems used by Windows. ISO 9660, to quote the full name, is the standard for file management on CD ROMs. Although only short file names were originally supported, the Rockridge and Joliet extensions removed this restriction.
Rockridge: The Rockridge Extensions extend the ISO CD filesystem to support typical UNIX file information for the owner and group, access privileges (read, write, execute) and symbolic links. This allows data to be copied from a UNIX filesystem to a CD without any loss of information. Rockridge additionally supports longer file names.
Joliet: An alternative extension of the ISO9660 filesystem by Microsoft and named Joliet. Joliet also supports long file names.
The command may need some help recognizing the filesystem; in this case, simply supply an additional parameter, -t iso9660. The image can be unmounted by typing umount /mnt/tmp on the command line. ■
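The image-then-verify routine that this section and the dd section earlier imply, written out as an added POSIX shell example that is not part of the article. Because no CD drive is available where this runs, the “device” is a constructed file laid out like an ISO 9660 volume (the primary volume descriptor sits in sector 16 and begins with the bytes 01 “CD001” 01); the dd, cmp and sha256sum calls are the real thing. Checking for the CD001 identifier is a cheap test to run before mounting an image with -o loop or burning it: it does not replace mounting, but it catches an image that was truncated or read from the wrong device, and the recorded digest lets you prove later that the file you burned is the one you verified.

```shell
#!/bin/sh
# Added example (not from the article): image a "device" with dd, verify the
# copy, and check for an ISO 9660 signature before mounting or burning it.

SECTOR=2048   # ISO 9660 logical sector size

# make_fake_device FILE: constructed stand-in for /dev/cdrom. Layout follows
# ISO 9660: 16 system-area sectors, then the primary volume descriptor
# (type 1, identifier "CD001", version 1) padded to a sector, then four
# sectors of dummy data. Total: 21 sectors = 43008 bytes.
make_fake_device() {
    dd if=/dev/zero of="$1" bs=$SECTOR count=16 2>/dev/null
    printf '\001CD001\001' >> "$1"
    dd if=/dev/zero bs=1 count=2041 2>/dev/null >> "$1"
    dd if=/dev/zero bs=$SECTOR count=4 2>/dev/null >> "$1"
}

# file_size FILE: byte count (wc -c pads its output on some systems).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# image_device DEV IMG: the article's "dd if=/dev/cdrom of=bla.iso", with the
# CD sector size as block size so that dd's "N+0 records" count is in
# sectors. Prints the number of whole records written (from dd's report).
image_device() {
    dd if="$1" of="$2" bs=$SECTOR 2>"$2.ddlog"
    sed -n 's/^\([0-9]*\)+[0-9]* records out.*/\1/p' "$2.ddlog"
}

# verify_image DEV IMG: same size, identical bytes, then print the SHA-256
# digest to keep next to the image. Returns 1 on a size mismatch and 2 on a
# content mismatch.
verify_image() {
    [ "$(file_size "$1")" -eq "$(file_size "$2")" ] || return 1
    cmp -s "$1" "$2" || return 2
    sha256sum "$2" | cut -d' ' -f1
}

# is_iso9660 IMG: true if sector 16 carries the "CD001" standard identifier
# (bytes 1..5 of the descriptor, i.e. offset 32769). A truncated image, or
# one taken from the wrong device, fails here.
is_iso9660() {
    [ "$(file_size "$1")" -ge 32774 ] || return 1
    [ "$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)" = CD001 ]
}

# Demo on constructed files in a temporary directory (removed afterwards).
demo_dir=$(mktemp -d)
make_fake_device "$demo_dir/cdrom"
echo "sectors copied: $(image_device "$demo_dir/cdrom" "$demo_dir/image.iso")"
echo "sha256: $(verify_image "$demo_dir/cdrom" "$demo_dir/image.iso")"
is_iso9660 "$demo_dir/image.iso" && echo "ISO 9660 signature present in sector 16"
rm -rf "$demo_dir"
```

With a real drive you would call image_device /dev/cdrom bla.iso and then verify_image /dev/cdrom bla.iso; a size mismatch there usually means dd stopped early on a read error, which is exactly the image you do not want to burn.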
INFO
[1] http://syslinux.zytor.com/iso.php
[2] http://www.cdda2wav.de/
[3] http://www.tldp.org/HOWTO/Filesystems-HOWTO-8.html
Dr. Linux
Help Is On for Woody
Ever since Woody, aka Debian GNU/Linux 3.0, hit the scene, users have started turning to the flagship amongst the free distributions. Dr. Linux helps you get over some initial obstacles. BY MARIANNE WACHHOLZ

Complicated organisms, which is just what Linux systems are, have some little complaints all of their own. Dr. Linux observes the patients in the Linux newsgroups, issues prescriptions here for the latest problems and proposes alternative healing methods.

During a Woody installation I only specified my CD as a package source. How can I tell APT to additionally use sources on the Internet? I also answered “no” when prompted to specify if I wanted automatic security updates, and I suspect that might not have been such a good idea. Is there any way of selecting that option now?

Dr. Linux: Of course you can! Debian experts simply edit the /etc/apt/sources.list file to do so. You will need superuser privileges. Newcomers to Debian might like to try the apt-setup tool first, instead of tackling the file syntax (Box 1). You can then issue the apt-get update command to ensure that the descriptions of the Debian packages in the local package source are written to a local database and can be accessed offline. If your data sources include directories on servers that you access on the Web, you will need to be online to synchronize your data. The format for the data sources in /etc/apt/sources.list is as follows:

Type URI Distribution [Category1] [Category2] [...]

• Type specifies the package type: If this column contains the deb keyword, the source contains pre-compiled Debian packages. deb-src refers to source code packages.
• The URI (“Uniform Resource Identifier”) identifies the actual data source, where the packages can be retrieved. This section will include entries such as ftp://ftp.uk.debian.org/debian/ or http://non-us.debian.org/. The manpage for sources.list shows additional options. Although it might be simple enough to edit the entries for Internet servers manually, you might prefer to use the apt-cdrom tool (or apt-setup) when adding CD ROM sources.
• The Distribution entry allows you to specify the Debian version you want to install: stable is the keyword for the current stable version, and unstable will install the current developer version. testing allows you to install a large proportion of the packages in the developer version, but omits anything that is really unstable. If you prefer to do so, you can alternatively type the name of the Debian issue, such as woody for the stable version 3.0, sarge for the current testing version or sid for the developer version.
• Each line ends with the package Category from which you want to add software to your database. The categories include main, contrib, non-free and non-US. Multiple entries can be separated by space characters.

A complete source file description could appear as follows:

deb ftp://ftp.uk.debian.org/debian/ stable main

When editing these resources manually, avoid new lines within entries and space characters at the beginning of new lines, otherwise APT will reject the file and display an error message. If you negated the prompt for automatic updates from http://security.debian.org/ stable/updates main during the installation, the corresponding entry is commented out of /etc/apt/sources.list. Remove the comment character # at the beginning of the line and possibly add additional software categories (such as contrib and non-free) if you additionally require security updates for these categories. Incidentally, the apt-get update command (Listing 1) is not only useful after changing your installation sources, but can be used to update your local package version list. It makes sense to perform this task regularly, if you have added Internet based servers to your sources.list. Be careful not to confuse this command with apt-get upgrade! This command is used to update your Debian installation and will download security updates and updated packages before installing them on top of the version you have already installed. Of course, this requires an up-to-date package database.

Listing 1: Updating the local package database
woody:/# apt-get update
Get:1 http://security.debian.org stable/updates/main Packages [55.1kB]
Get:2 http://security.debian.org stable/updates/main Release [110B]
Fetched 9203B in 1s (4620B/s)
Reading Package Lists... Done
Building Dependency Tree... Done

Figure 1: Selecting a server in apt-setup
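An added POSIX shell example, not from Debian or the column, that applies the rules just given to a sources.list: every active line must read Type URI Distribution Category..., with Type one of deb or deb-src, no leading whitespace and no wrapped entries, and the security.debian.org line that the installer commented out can be switched on again. It works on the file path you pass, so try it on a copy rather than on /etc/apt/sources.list; the file it writes for the demo is constructed. Entries with a cdrom: URI are skipped by the checker, because apt-cdrom writes a bracketed label containing spaces that simple word splitting would misread.

```shell
#!/bin/sh
# Added example (not from Debian or the article): check a sources.list
# against the format described above and enable the security update source.

# write_sample_sources FILE: constructed sources.list for the demo.
write_sample_sources() {
    cat > "$1" <<'EOF'
# constructed sources.list for the example (not copied from a real system)
deb cdrom:[Debian GNU/Linux 3.0 _Woody_ - Official i386 Binary-1]/ woody main
deb ftp://ftp.uk.debian.org/debian/ stable main
deb-src ftp://ftp.uk.debian.org/debian/ stable main contrib
# deb http://security.debian.org/ stable/updates main
EOF
}

# sources_check FILE: print one line per problem; return 0 if there is none.
sources_check() {
    file=$1; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                                  # blank or comment
            [[:space:]]*) echo "line $n: leading whitespace (APT rejects the file)"
                          rc=1; continue ;;
        esac
        set -- $line
        case $1 in
            deb|deb-src) ;;
            *) echo "line $n: unknown type '$1' (expected deb or deb-src)"; rc=1; continue ;;
        esac
        case $2 in
            cdrom:*) continue ;;          # written by apt-cdrom; label contains spaces
            http://*|ftp://*|file:*) ;;
            *) echo "line $n: unrecognized URI '$2'"; rc=1; continue ;;
        esac
        [ $# -ge 4 ] || { echo "line $n: missing distribution or category"; rc=1; continue; }
        shift 3
        for c in "$@"; do
            case $c in
                main|contrib|non-free|non-US) ;;
                *) echo "line $n: unknown category '$c'"; rc=1 ;;
            esac
        done
    done < "$file"
    return $rc
}

# enable_security_updates FILE: uncomment the security.debian.org line the
# installer disabled. Prints "enabled", "already" or "absent"; sed keeps a
# FILE.bak copy.
enable_security_updates() {
    file=$1
    if grep -q '^deb http://security.debian.org' "$file"; then
        echo already
    elif grep -q '^#[[:space:]]*deb http://security.debian.org' "$file"; then
        sed -i.bak 's|^#[[:space:]]*\(deb http://security.debian.org\)|\1|' "$file"
        echo enabled
    else
        echo absent
    fi
}

# Demo on a constructed file in a temporary directory (removed afterwards).
demo_dir=$(mktemp -d)
write_sample_sources "$demo_dir/sources.list"
sources_check "$demo_dir/sources.list" && echo "sources.list: format OK"
echo "security updates: $(enable_security_updates "$demo_dir/sources.list")"
grep security.debian.org "$demo_dir/sources.list"
rm -rf "$demo_dir"
```

After enabling the entry, run apt-get update as described above so that the security packages appear in the local database; sources_check run again on the edited file confirms that the uncommented line still parses.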
Local Flavor
The error message shown in Listing 2 has been driving me mad! Can you tell me the right way to set these variables?

Dr. Linux: The locales package is the source of this issue. It contains files and tools that support non-US language environments. If this has not yet been installed, ensure that you are root and simply issue the following command:

apt-get install locales

If the package has already been installed on your system, it might simply have “forgotten” your settings during the installation or an upgrade, i.e. the Locale Variables may not have been set. Fortunately, the dpkg-reconfigure tool allows you to reconfigure your packages. Simply pass the name of the package as a parameter:

dpkg-reconfigure locales

First, select the languages and character sets you require on your system (Figure 2). The seemingly cryptic abbreviations (such as en_IE@euro ISO-8859-15) are in fact quite easy to decipher. Of course it helps if you know that the language comes first (such as en for “English”), followed by the regional variant (IE for “Ireland”), and finally the character set (ISO-8859-15). @euro indicates the “Euro character”, as this symbol is not part of traditional character sets. The system administrator can then define a default language for the system (Figure 3). You will want to keep the default setting C: this will ensure that your system speaks English and avoid weird side-effects when running scripts. Of course, a multiuser system such as Linux can provide non-English speakers with individual language settings in the command line, if required. After responding to the dpkg-reconfigure prompts, the tool will switch back to the command line and tell you that it is generating the “locales” you specified:

Generating locales...
fr_BE.ISO-8859-15@euro... done
fr_BE.ISO-8859-1... done
Generation complete.

Listing 2: Trouble with locales
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "fr_BE@euro"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

Figure 2: What language do you want your system to speak?
GLOSSARY
APT: The “Advanced Package Tool” is a collection of package management tools for Debian [1]. The package management system allows you to install and remove software packages for Debian – either online or offline, depending on the configuration. You can also perform an upgrade to a different version of the distribution.
main: All the packages in this category are available for free distribution; the source code is available. As the name would suggest, main comprises the bulk of the Debian distribution.
contrib: This category comprises packages that are free themselves, but require libraries or other programs that are subject to licensing restrictions at runtime.
non-free: Conditions may apply to the use of non-free packages; some authors restrict the distribution of their work by CD or require some kind of payment.
non-US: This category does not refer to the language base of the package, but to export restrictions for US software. If non-US use of a package is either prohibited or restricted (normally due to it using strong encryption, such as SSH or PGP), the package will be made available on a separate (normally European) server.
Comment out: Scripts and many configuration files allow you to skip lines when parsing a file by prepending the # character at the start of the line. Thus, any lines marked in this way can be used to add comments to a file without affecting its functionality. This additional information is human-readable, but will be ignored on parsing. Adding a comment character to a file is referred to as “commenting out”.
Figure 3: Selecting the default locale for the whole system
To find out exactly what locales you generated, you might like to take a look at the /etc/locale.gen file. Incidentally, you can complete the whole procedure manually without using dpkg-reconfigure. To do so edit /etc/locale.gen before running the locale-gen command.
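Reading the Listing 2 warning against /etc/locale.gen, as an added POSIX shell example that is not part of the column or of Debian’s locales package: parse_locale splits a name such as fr_BE.ISO-8859-15@euro into the language, region, character set and modifier parts explained above, and locale_enabled reports whether the value in LANG is covered by an uncommented locale.gen entry (LANG may leave out the character set, as "fr_BE@euro" in Listing 2 does, so only the parts it names are compared). The locale.gen it writes is a constructed fragment for the demo, not a real system’s file.

```shell
#!/bin/sh
# Added example (not from the column or Debian): decode locale names and
# check whether a LANG value is covered by the locales listed in locale.gen.

# parse_locale NAME: print "language region charset modifier", with "-" for
# a missing part. Names have the form language[_REGION][.CHARSET][@modifier].
parse_locale() {
    loc=$1
    modifier=${loc##*@}; [ "$modifier" != "$loc" ] || modifier=""
    loc=${loc%@*}
    charset=${loc##*.};  [ "$charset" != "$loc" ] || charset=""
    loc=${loc%.*}
    region=${loc##*_};   [ "$region" != "$loc" ] || region=""
    language=${loc%_*}
    printf '%s %s %s %s\n' "$language" "${region:--}" "${charset:--}" "${modifier:--}"
}

# write_sample_locale_gen FILE: constructed locale.gen fragment. Each active
# line is "NAME CHARSET"; a leading # means that locale is not generated.
write_sample_locale_gen() {
    cat > "$1" <<'EOF'
# constructed /etc/locale.gen fragment for the example (not a real system's)
# fr_BE.ISO-8859-1 ISO-8859-1
fr_BE.ISO-8859-15@euro ISO-8859-15
en_IE@euro ISO-8859-15
EOF
}

# locale_enabled GENFILE VALUE: true if an uncommented entry matches VALUE.
# Language, region and modifier must agree; the charset is compared only
# when VALUE names one, against either the entry's name or its charset column.
locale_enabled() {
    genfile=$1
    set -- $(parse_locale "$2")
    want_lang=$1; want_region=$2; want_cs=$3; want_mod=$4
    while read -r name cs_column rest; do
        case $name in ''|'#'*) continue ;; esac
        set -- $(parse_locale "$name")
        [ "$1" = "$want_lang" ] && [ "$2" = "$want_region" ] && [ "$4" = "$want_mod" ] || continue
        [ "$want_cs" = "-" ] || [ "$3" = "$want_cs" ] || [ "$cs_column" = "$want_cs" ] || continue
        return 0
    done < "$genfile"
    return 1
}

# diagnose GENFILE VALUE: one-line verdict for a LANG or LC_ALL value, in the
# spirit of the perl warning in Listing 2. Returns 1 if the locale is missing.
diagnose() {
    if locale_enabled "$1" "$2"; then
        echo "$2: generated (listed in $1)"
    else
        echo "$2: not generated; enable it in $1 and run locale-gen (or dpkg-reconfigure locales)"
        return 1
    fi
}

# Demo on a constructed file in a temporary directory (removed afterwards).
demo_dir=$(mktemp -d)
write_sample_locale_gen "$demo_dir/locale.gen"
echo "parts of fr_BE.ISO-8859-15@euro: $(parse_locale fr_BE.ISO-8859-15@euro)"
diagnose "$demo_dir/locale.gen" fr_BE@euro || true
diagnose "$demo_dir/locale.gen" fr_BE || true
rm -rf "$demo_dir"
```

On a real system you would call diagnose /etc/locale.gen "$LANG" (and the same for LC_ALL if it is set); a “not generated” verdict is exactly the situation the perl warning in Listing 2 describes.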
Foreign Language Support My last Linux distribution displayed non-English screen output. Can I get Woody to do this? Dr. Linux: Provided the superuser has installed the language-env package, users can invoke the set-language-env command to specify support for their own language environment (Figure 4). The tool prompts the user for a few settings and uses the responses to define a series of personal configuration files. The user will need to log off and back on to apply the changes. set-language-env additionally supports the system and provides a few hints on the packages that root should additionally install to support non-English language users:
Figure 4: set-language-env prompts the user to specify an output language

You should additionally install the following packages:
xfonts-base-transcoded, xfonts-100dpi-transcoded, xfonts-75dpi-transcoded
Press [Enter] to quit the program.

Without the packages suggested in this example, desktops or programs will not have fonts to support the characters displayed by the ISO 8859-15 character set – this will lead to weird replacements for the Euro character, for example. Figure 5 shows the options you have after installing these fonts in the KDE control center.

Figure 5: KDE Control Center language selection

Box 1: apt-setup
The superuser command apt-setup (Figure 2) provides a pseudo-graphical interface for configuring /etc/apt/sources.list. Five menu items are available: cdrom allows you to specify any new CD sets you may have acquired as an installation source. If sufficient bandwidth is available, you might instead or additionally prefer to specify web (http) or FTP (ftp) servers on the Internet. Use the Filesystem option to add update sources in your own file system (such as CD images). Finally, the menu item Edit Source List Manually allows you to manipulate the contents of sources.list by hand using a text editor (this defaults to vi). If you decide to access an FTP server for the update, apt-setup will prompt you to specify if you are interested in packages from the non-free and contrib categories. The first time you select the ftp menu item, you also need to select the country where you will be accessing the machine. If possible, try to select the nearest possible server, for example United Kingdom. Then decide what mirror will be default within this country (Figure 2); you can then specify additional FTP servers. If you have not yet used the automatic security updates provided by http://security.debian.org/, you can start doing so by confirming when prompted at the end of the apt-setup procedure.
Talk to me, KDE!
After installing Woody I discovered that KDE refused to talk to me in my own language, which happens to be French. I just don’t believe it!

Dr. Linux: The KDE control center needs the appropriate language package in order to support a specific language. If the package was not installed automatically, or selected manually, during the initial installation procedure, you will need to install it now. The Debian packages are called kde-i18n-xy, where xy refers to the language (fr for “French” and so on). So, if I want KDE to talk French to me, I need to log on as root and install the kde-i18n-fr package. As the saying goes, “We have ways of making the control center talk” (Figure 5). ■
GLOSSARY Locale Variables: These variables specify regional settings that program output should adhere to.They define the language used for system messages, the character set used by the display, the time, date, numeric, and currency formats. Programs must be capable of reacting to these settings if they are to support multiple countries and regions.
INFO [1] Martin Loschwitz:“Packman”, Linux Magazine, Issue 23, p49
Brave GNU World
COMMUNITY
The monthly GNU column
Welcome to another issue of the Brave GNU World. This issue we will introduce a few new GNU projects. From classical games to helping install on old hardware. BY GEORG C.F. GREVE

First off, this Brave GNU World will open with one of those little projects which are always in danger of remaining unknown.

Ninvaders
Ninvaders [1] by Dettus – his “real” name is Thomas Dettbarn, but he asked me to use Dettus – is a clone of the console classic “Space Invaders.” In order to also be playable via ssh and on the console, Ninvaders is based upon the ncurses [2] library, which gives the game a sort of retro-charm that will certainly be appreciated by many people. The original version of Ninvaders was written during a sleepless night, using C as the programming language. Thanks to the help of Mike Saarna, not long after that the aliens began to move. Since Dettus currently does not have the time to keep developing the game and the project is still hosted by means of Dynamic DNS without additional safety precautions, help is surely very welcome; especially since it appears that a hard disk crash has already impacted upon the project. Being under the GNU General Public License (GPL), Ninvaders naturally qualifies as Free Software, so it will hopefully have a long life.

GNOME-Annotate
Another program of the category “small but smart” and still in constant danger of remaining unknown is GNOME-Annotate [3] by Andreas Persenius. GNOME-Annotate is available as Free Software under the GNU General Public License (GPL) and lets you take notes while working with the web browser or another program, by marking text segments and saving them into a file with a single mouse-click. That way a user creates a simple text file in which important text blocks, URLs and other notes are saved. The idea for this tool came from Olaf Grüttner, but since he could not program, Andreas Persenius implemented it in Python. On Andreas’ site you will also find some other useful little programs. Among them is a program working its way through a list of web pages in order to automatically notify the user whether any of them have changed since it was last run, and a small popup for quick Google search. So, paying a short visit to the software page [3] of Andreas Persenius is to be encouraged.
RULE Because hardware is cheap in many countries and most people can afford new computers, it is often forgotten that this is not the case everywhere. In fact we have to expect that many people will, for a long time yet, have to depend on computers that are already considered outdated by our standards. To allow these people access to recent and up-to-date software, the RULE (“Run Up2Date Linux Everywhere”) project [4] was started. Its goal is not to create another GNU/Linux distribution. Instead, the project bases its work on an existing general purpose distribution, selecting those packages that offer the best functionality while having the least demanding hardware requirements. The large integrated graphical user environments have also been left out on purpose, since X11 with KDE or GNOME often requires massive resources; instead the project uses TinyX. The project team, purely out of personal preference, has decided to build upon Red Hat, and they also seek to modify the Red Hat installer so that it will run with less than 32MB RAM, or to create a replacement if necessary. The RULE project co-ordinator is Marco Fioretti, who is concentrating mostly on documentation, the web page, lobbying, PR and some scripts, with most of the code so far being written by Michael Fratoni. The mailing list for the project has about 100 subscribers. Marco Fioretti also sought to emphasize that the decision to base work on Red Hat was due to the coincidental preference of the project founders. Work done within the RULE project itself is also Free Software under the GPL. Even though the team lacks the resources to pursue all these directions, such initiatives are clearly needed. The same is true for possible support of non-x86 platforms. Help is wanted in the form of developers, the identification of suitable applications, providing intelligent (automatic) configuration or a logo, and of course through testing the distribution. Should the project be successful, Marco also sees potential “collateral use” for other small platforms like coming generations of PDAs and mobile telephones. Like everything else, please send your comments and questions to the usual address [5]. ■
INFO
[1] Ninvaders: http://dettus.dyndns.org/ninvaders/
[2] NCurses home page: http://www.gnu.org/directory/libs/ncurses.html
[3] GNOME-Annotate: http://home.swipnet.se/darshiva/software.html
[4] RULE home page: http://www.rule-project.org
[5] Home page of Georg’s Brave GNU World: http://brave-gnu-world.org
www.linux-magazine.com
March 2003
93
Events / Advertiser Index / Call for Papers
LINUX MAGAZINE

Linux Events
FOSDEM 2003, Brussels–Belgium, Feb 8–9 2003, www.fosdem.org
NordU/USENIX 2003, Västerås–Sweden, Feb 10–14 2003, www.nordu.org
Desktop Linux Summit, San Diego, CA–USA, Feb 20–21 2003, www.desktoplinux.com/summit
CodeCon 2.0, San Francisco, CA–USA, Feb 22–24 2003, www.codecon.info
LinuxPark CeBIT 2003, Hannover–Germany, Mar 12–19 2003, www.linux-events.de/LinuxPark/cebit
Open Source Conference CeBIT, Hannover–Germany, Mar 17 2003, www.exchangeworld.net/osc.html
PyCon DC 2003, Washington, DC–USA, Mar 26–28 2003, www.python.org/pycon
Ruby Con, Dearborn, MI–USA, Mar 28–30 2003, www.rubi-con.org
MySQL Conference & Expo 2003, San Jose, CA–USA, Apr 10–12 2003, www.mysql.com/events/uc2003

Call for Papers
We are always looking for article submissions and new authors for the magazine. Although we will consider articles covering any Linux topic, the following themes are of special interest:
• System Administration
• Useful hints, tips and tricks
• Security, both news and techniques
• Product Reviews, especially from real world experience
• Community news and projects
If you have an idea for an article, please send a proposal to edit@linux-magazine.com. The proposal should contain an outline of the article idea, an estimate of the article length, a brief description of your background, and your complete contact information. Articles are usually about 800 words per page, although code listings and images often reduce this amount. The technical level of the article should be consistent with our typical content. Remember that Linux Magazine is read in many countries, and your article may be translated for use in our sister publications. Therefore, it is best to avoid using slang and idioms that might not be understood by all readers. Be careful when referring to particular dates or events in the future. Many weeks will pass between the submission of your manuscript and the final copy in the reader’s hands. When submitting proposals or manuscripts, please use a subject text that helps us to quickly identify your email as an article proposal for a particular topic. Screenshots and other supporting materials are always welcome. Don’t worry about the file format of the text and materials, we can work with almost anything. Please send all correspondence regarding articles to edit@linux-magazine.com. ■

Advertiser Index
Advertiser  Web Site  Page
Cyclades  www.cyclades.co.uk  Outside Back Cover
Dedicated Servers  www.dedicated-servers.co.uk  9
Digital Networks  www.dnuk.com  37
GeCAD Software  www.ravantivirus.com  47
Hewlett-Packard  www.hp.com/uk/linuxwhitepaper  Inside Front Cover
LinuxPark CeBIT  www.linux-events.de/LinuxPark/cebit  57
Linux Magazine Back Issues  www.linux-magazine.com  67
Linux Magazine Subscription  www.linux-magazine.com  Bind-in 66–67
Open Source Conference CeBIT  www.exchangeworld.net/osc.html  11
O’Reilly  www.oreilly.co.uk  Inside Back Cover
Red Hat Europe  www.europe.redhat.com  17
SuSE Linux Ltd.  www.suse.co.uk  7
Subscription CD
The CD ROM with your subscription issue contains all the software listed below, saving you hours of searching and downloading time. On this month’s subscription CD ROM we start with the latest groupware software to hit the servers. Included, alongside the Kolab server, we have all the files that we mention in the magazine, in the most convenient formats.
Kolab server The companies Erfrakon, Intevation and Klarälvdalens Datakonsult have been contracted by the German Federal Agency for IT Security (BSI) to provide a Free Software groupware solution accessible from Windows clients running Outlook and GNU/Linux clients running KDE. These companies carry out the development, as far as possible, in an open manner. Kroupware is the name for the activities done by this group under the contract. The server component is called Kolab and is based on already mature Free Software components such as Postfix and Cyrus IMAPD. You can make Outlook talk to the Kolab server with a plug-in called InsightConnector from http://bynari.com. This is proprietary software and you will need to acquire a license; demo versions are available. As the proprietary plug-in already exists and can be used right away, the development group is not expecting to develop a Free Software plug-in for Outlook. On the cost side it is expected that operating a Kolab server will save significantly more than the cost of the proprietary plug-in licenses. Kervin L. Pierre has recently announced that he is working on a Free Software plug-in; the development work can be found at sourceforge.net/projects/otlkcon. The Kolab server is designed with maximal scalability in mind, targeting possible installations with many thousands and maybe up to millions of users. In order to achieve this they have tried very hard to avoid introducing too much complexity. Scalability techniques employed are:
• make it possible to distribute the Kolab components across multiple servers, e.g. separate the MTA and the IMAPD
• make it possible to cluster functionality in order to gain high performance and high availability, e.g. use several Postfix MTAs and MX records for HA and HP
• don’t put unnecessary processing on the Kolab server but use the clients instead
• optimize the architecture for I/O
• allow for distributed clustering
• use latency hiding techniques
Amaya Amaya is a browser/authoring tool that allows you to publish documents on the Web. It is used to demonstrate and test many of the new developments in Web protocols and formats. Given the very fast moving nature of Web technology, Amaya has a central role to play. It is versatile and extensible. Amaya is a complete web browsing and authoring environment and comes equipped with a “WYSIWYG style” of interface, similar to that of the most popular commercial browsers. With such an interface, users can easily generate HTML and XHTML pages, as well as CSS style sheets, MathML expressions, and SVG drawings (full support of SVG is not yet available, though). Amaya includes a collaborative annotation application based on Resource Description Framework (RDF), XLink, and XPointer.
Subscribe & Save Save yourself hours of download time in the future with the Linux Magazine subscription CD! Each subscription copy of the magazine includes a CD like the one described here free of charge. In addition, a subscription will save you over 16% compared to the cover price, and it ensures that you’ll get advanced Linux Know-How delivered to your door every month. Subscribe to Linux Magazine today! Order Online: www.linux-magazine.com/Subs Or use the order form between p66 and p67 in this magazine.
Red Hat 8.0 Updates This month we have included a directory containing all the update files necessary to make your Red Hat 8.0 system more secure with the latest security fixes. It also includes package updates and bug fixes to give your applications the latest features. Before applying them, check each package’s GPG signature against the Red Hat key; a security update copied from a CD is only as trustworthy as its signature, and a package that merely passes its MD5 digest check has proved its integrity, not its origin.
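The following POSIX shell filter is an added example, not code from the magazine, the CD or Red Hat: it reads the one-line-per-package report that rpm --checksig prints and passes on only the packages whose GPG (or PGP) signature verified, so that a digest-only “md5 OK” or any “NOT OK” result never reaches rpm -Fvh. The sample report lines are constructed to show the shapes of rpm 4.1 output, the package names in them are invented, and the key file path and the CD directory in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the magazine or the CD): gate installation of
# update RPMs on a verified GPG signature.
# Assumptions: the Red Hat key was imported beforehand, e.g.
#   rpm --import /usr/share/rhn/RPM-GPG-KEY      (path is an assumption)
# and "rpm --checksig" prints one line per package of the general shape
#   name.rpm: (sha1) dsa sha1 md5 gpg OK
# The sample below is constructed to match that shape; it is not captured
# output and the package names are invented.

# rpm_sig_ok LINE -> exit 0 only if LINE reports a good GPG/PGP signature
rpm_sig_ok() {
    line=$1
    # Any "NOT OK" means a failed check: bad digest, bad key or missing key.
    case $line in
        *"NOT OK"*) return 1 ;;
    esac
    # A digest-only "md5 OK" proves integrity, not origin: require gpg/pgp.
    case $line in
        *" gpg OK"*|*" pgp OK"*|*" GPG OK"*|*" PGP OK"*) return 0 ;;
    esac
    return 1
}

# select_signed_rpms: read "rpm --checksig" output on stdin and print the
# filenames (the part before the first colon) that may be installed.
select_signed_rpms() {
    while IFS= read -r line; do
        if rpm_sig_ok "$line"; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Constructed sample report (invented package names, not files from the CD):
sample_checksig='
openssl-0.9.6b-29.i386.rpm: (sha1) dsa sha1 md5 gpg OK
kernel-2.4.18-19.8.0.i686.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK
localbuild-1.0-1.i386.rpm: md5 OK
vendor-tool-2.1-3.i386.rpm: (sha1) dsa sha1 md5 gpg NOT OK (MISSING KEYS: GPG#db42a60e)
glibc-2.3.2-4.80.i686.rpm: (sha1) dsa sha1 md5 gpg OK
'

# Stand-alone run on the constructed sample.
# Against the real CD (directory name is an assumption) the pipeline would be:
#   rpm --checksig /mnt/cdrom/updates/*.rpm | select_signed_rpms | xargs rpm -Fvh
printf '%s\n' "$sample_checksig" | select_signed_rpms
```

Two of the five sample packages pass; the unsigned local build, the package with a bad signature and the package signed with a key that was never imported are all dropped, and the last case is the one to watch for, since rpm still reports a good digest for it.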
Games For our games selection we have included Vega Strike. This is a 3D OpenGL action RPG space simulator that gives you the option to trade and bounty hunt in a vast universe. You start out the game in a small ship but can trade and work your way to owning a whole fleet. The graphics are stunning and the playing universe is huge. Vega Strike is a fully functional, commercial quality space simulator under the GPL. You can edit your own missions and code the AI. To explore the region of space around you would take many playing hours, so you can use the autopilot feature and F9 and F10 to compress time. Can you face the dangers and decisions that await... ■
Next month
April 2003: Issue 29
Next month highlights

Groupware
Groupware is based around business e-mail systems with the addition of collaboration software. They rely on a single mailbox as your point of contact, but allow you to access it in many ways. Groupware is designed to help you work in groups; whether this is for solving problems or communicating, it is usually based around email and newsgroups. We examine different systems and compare the best of class for Linux.

Lindows
LindowsOS is a new operating system that aims to deliver the power and stability of Linux with the ease of a Windows environment. It is designed to be easy to use because of its friendly graphical interface and support for popular Microsoft Windows file types. We take an exhaustive look inside this new version to see if it can match up to all the hype. Find out whether this is the answer to an operating system for your desktop and just how much software it is capable of running.

Mail User Agents
Mail clients play a very important role in our ever increasing reliance on electronic communications. A poorly designed agent can make life unbearable while a well designed product can make you more productive and happier. We investigate a range of MUAs, both standalone and integrated, to find out what makes a winning design.

Bootable CDs
Boot disks are now considered relics of a forgotten time, yet in an emergency they have been necessary and occasionally save your system. Unfortunately the latest range of modern PCs do not come with the drives included. With the use of a CD burner, Linux and a boot script you can follow our instructions and make your own multi-booting system. With more options available, the stack of diskettes can be reduced to just one CD ROM.

Multi distributions
There are times when you just want to try another Linux distribution for a short amount of time. It may be because you are curious or because it has specific features that you need. Rather than lose your current system, you can load many distributions onto one machine. All are available whenever you reboot. We give a practical guide to setting up a system with the minimum of effort.

On Sale: 7 March

Editor: John Southern, jsouthern@linux-magazine.com
Assistant Editor: Colin Murphy, cmurphy@linux-magazine.com
International Editors: Patricia Jung, pjung@linux-magazine.com; Heike Jurzik, hjurzik@linux-magazine.com; Ulrich Wolf, uwolf@linux-magazine.com
International News Editors: Armijn Hemel, Patricia Jung
Contributors: Bernhard Bablok, Rüdiger Berlich, Zack Brown, Thomas Drilling, Jörg Fritsch, Björn Ganslandt, Milan Gigel, Georg C. F. Greve, Charly Kühnast, Nico Lumma, Michael Mielewczik, Andrea Müller, Christian Perle, Andreas Roeschies, Bernhard Röhrig, Marc André Selig, Stephan Siemen, Anthony Stone, Stefanie Teufel, Marianne Wachholz
Production Coordinator: Hans-Jörg Ehren, hjehren@linux-magazine.com
Layout: Judith Erb, Elgin Grabe, Klaus Rehfeld
Cover Design: Pinball Werbeagentur
Advertising: www.linux-magazine.com/Advertise
Sales, all countries (except Germany, Austria, Switzerland): Brian Osborn, ads@linux-magazine.com, phone +49 651 99 36 216, fax +49 651 99 36 217
Sales, Germany, Austria, Switzerland: Osmund Schmidt, anzeigen@linux-magazine.com, phone +49 6335 9110, fax +49 6335 7779
Management (Vorstand): Hermann Plank, hplank@linux-magazine.com; Rosie Schuster, rschuster@linux-magazine.com
Project Management: Hans-Jörg Ehren, hjehren@linux-magazine.com
Subscription: www.linux-magazine.com/Subs
Subscription rate (12 issues including monthly CD): United Kingdom £ 39.90; Other Europe Euro 64.90; Outside Europe – SAL (combined air / surface mail transport) Euro 74.90; Outside Europe – Airmail Euro 84.90
phone +49 89 9934 1167, fax +49 89 9934 1199, subs@linux-magazine.com
Linux Magazine, Stefan-George-Ring 24, 81929 Munich, Germany, info@linux-magazine.com, phone +49 89 9934 1167, fax +49 89 9934 1199
www.linux-magazine.com – Worldwide; www.linuxmagazine.com.au – Australia; www.linux-magazine.ca – Canada; www.linux-magazine.co.uk – United Kingdom
While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the CD provided with the magazine or any material provided on it is at your own risk. The CD is thoroughly checked for any viruses or errors before reproduction.
Copyright and Trademarks: © 2002 Linux New Media Ltd. No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, e-mails, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media unless otherwise stated in writing. Linux is a trademark of Linus Torvalds. ISSN 1471-5678. Printed in Germany. Linux Magazine is published monthly by Linux New Media AG, Munich, Germany, and Linux New Media Ltd, Manchester, England. Company registered in England. Distributed by COMAG Specialist, Tavistock Road, West Drayton, Middlesex, UB7 7QE, United Kingdom