I think this bit was reserved for future use and that it would/will require a userspace program (or use of an API by programs like 'mc' and other file managers) to actually browse and recover "deleted" files.

I think the current feeling in the development community is to implement a new filesystem or some new extensions to ext2 that would allow full versioning support. However, I don't know the real skinny on it.

How to Install Linux on an RS6000?

From ESPEJEL GOMEZ ERIKA PAOLA on Thu, 26 Nov 1998

My question is How install linux in a workstation (RS6000)? Thank you for your help.

Newer RS/6000's are built around PowerPC CPU's. I've heard of some people running LinuxPPC and MkLinux on some RS/6000 systems, but I'm not sure that there's enough support (device drivers, etc) to make this more than a curiosity.

The place to start looking for answers to these questions would be at the LinuxPPC and MkLinux web sites:

LinuxPPC: Linux for PowerPC Systems

http://www.linuxppc.org

MkLinux: Mach Microkernel with a Linux Server/Personality

http://www.mklinux.apple.com

... There's recently been alot more activity on the Linux-PPC mailing lists so I know that active development is going on. In fact they have recently released BootX which is a package for MacOS that allows one to boot LinuxPPC without adjusting the OpenFirmware settings on your system. This is akin to LOADLIN.EXE for MS-DOS, but more important since Apple and the MacOS clone manufacturers didn't quite "get it" when it comes to implementing OpenFirmware/OpenBoot support. (Many models of PowerMac and their clones don't support manual console operation of the OF command prompt and many options don't seem to be supported or documented).

When I talked to a couple of IBM researchers at ONE ISPCon a few months ago one of them expressed some interest in porting mkLinux or LinuxPPC in house, and having some of his team contribute some drivers to it. So, this may get some support "from the source" at some point.

However, for now, it would be a hacker's project. It's not suitable for immediate production deployment from what I've heard.

Advanced Printer Support: 800x600 dpi + 11x17" Paper

From Karl Raffelsieper on Thu, 26 Nov 1998

>I am running Caldera 1.3 on my small networked P75 with 40MB Ram and
>Several SCSI drives and Scanner, attached to the Parallel port is my
>Xerox 4520 PostScript printer. I wish to have the P75 act as a print
>server to the other PCs (running S.u.S.E. 5.1) This all works find, Here's
>the problem.

Is this a real PostScript printer, with a PostScript interpreter and a full CPU built into it?

Is your print server passing the raw print jobs to the printer or is it passing them through it's own 'gs' (ghostscript), aps, nenscript, or other filters?

Yes this is a genuine Adobe Level 2 PostScript 20 Megs of RAM built in -- RISC processor, 24 page/min screamer of a network printer, (less the network card) and you can drop the raw PS data to it without ghostscript or other filters. (This is Xerox's answer to the HP 5si)

This is were I am having my trouble. The driver installed is a generic Post Script driver, and it does not seem to make all the printer capabilities available. Even locally on the server. How can I make configuration modifications to all workstations so when Star Office 5.0 (as an example) is aware of the printers paper sizes. My limited understanding of the Post Script language is all the page definition, font info, formatting, etc. is actually written into the document. Thus so long as the data is sent raw to the server and it will send it raw to the PS printer the Adobe chips in the printer will do the rest. But I suspect I must report the printer capabilities to the OS some place. I started at /etc/printcap but it didn't seem obvious to me where to make the changes.

What applications are you running? (In other words, what applications are generating the PostScript).

If they only use a subset of the PostScript supported by your printer then they have to be updated to generate more advanced PostScript. If you are dropping/sending raw PostScript to your printer then Linux isn't involved at all. It's between your applications and your printer.

If you have Something like apsfilter (ASCII/text to PostScript) or nenscript (New "enscripting") listed in your /etc/printcap entry to transform text into PostScript that that's where you'd need to make the changes (though that should affect pages produced through Applixware, StarOffice, xfig, TeX/LaTeX/LyX etc since those are producing their own PostScript or their own .dvi or raw printer files).

In the cases where TeX/LaTeX and/or LyX are involved the applications generate a .dvi file. This can be converted to PostScript using the 'dvips' command, or they can be used directly by any of the printer specific dvi drivers (called "dviware" by TeXnophiles).

That's why I suggested calling Xerox to ask if they have or know of dviware for your printer.

TAG suggestions

From john on Thu, 26 Nov 1998

I think that the way you are laying out TAG right now makes it a little hard to navigate. It would almost be better if you ran them all together on one big page, a la $.02 tips. The one word descriptions of other solutions at the bottom of each page are also pretty tough to figure out. How about an onMouseOver window.status() description for each, or something to the same effect? Great job, by the way!
--
John

Heather (my wife) does all of the markup.

She's spent many hours, for the last several months refining a script that does the bulk of the conversion from e-mail (adjusted for the quirks of how I format my responses) to HTML.

However, one of the things that we both refuse to do is to rely about non-standard, browser dependent, and particularly upon JavaScript, features.

[ Actually, this is not specifically because I have anything against javascript, though the abuse of certain features on the open web does annoy me considerably; nor because I don't write usable javascript code, for there's certainly a world of tested scripts at http://www.developer.com/ to go with the old Gamelon archives of Java applets; but rather, because I have no interest in making the folks with "modern" browsers lose more memory to a feature that they probably won't use.

and the very idea of shipping someone 90+ full titles of messages, every time they read one of them, is insane. Don't even go there. I'm getting off this soapbox before I scorch it. -- Heather ]

Originally all I wanted was for the URL's that I embed in my text to be wrapped with anchors. However, Heather and Marjorie (my editors) like to have the TAG messages split and like to over some navigation between them. Heather doesn't like sites that only offer "up, next, previous" options in their page footers, so she's implemented the scheme that you're describing.

[ Also, at least one querent begged to be able to go to seperate messages without having to go back up to the index. Others thanked us for switching to an indexed format, as it was much easier to read the index alone and decide what messages they wanted to read.

As for the "tough little words"... I thought it would be nicer than numbers, which is what my script actually generates. The good thing is that they can be figured out at all. They are short so that I can format the table at the bottom so it doesn't look lame and cost more space than the message bodies. As it is, there's so many this time, they're staying numbers. They'll probably go back to words next month, but I won't say for sure. -- Heather ]

One problem I used encounter when TAG was "all one big page" was with search engines. I'd get a new question that correlated a couple of different concepts (IMAP plus Netscape Navigator/Communicator) and I'd get all sorts of spurious hits pointing to my own previous TAG articles.

So I'm glad that we don't still smash all my articles into one page.

[ However, masochists are encouraged to read 'The Whole Damn Thing'... the streamed version of the Linux Gazette. And if I see more than this one request, I may link 'The Whole Damn Answer Guy' (that is, the version I turn in to our Overseer for inclusion to TWDT) as an option off the Answer Guy index. But we're certainly not going back to the old format. Too many people like it, and I've put too much effort into the scripts I use to convert it, to go back. -- Heather ]

However, Heather and Marjorie will see this message (along with other LG readers). I leave the details of formatting for publication entire up to them. Indeed when I first started answer these questions I didn't even know that they'd be published. (I just offered to take on technical questions that were misdirected to the editors). So, I'll focus on providing technical answers and commentary.

[ I make a sincere effort to keep the resulting message looking as close as HTML allows to what the email looks like. When you only see it on the web, it could be hard to recall that it was a plain slice of mail. I feel it's important to keep that feeling. Real people use this software, real people have ordinary problems with it, and real people give a shot at answering them.

Which is the last tack in the coffin of using browser-specific features... real people aren't going to change browsers just to read a webazine, and they're not gonna be happy if it crashes their browser because someone went a bit overboard on the HTML.

So, I've kept changes minimal. I did all the graphics you see here, but except for color, and the split messages, I feel it's still pretty close to the original effort. (The astute reader, or especially the reader without color support, will note that I use EM and STRONG to support color usage, so the color is gratuitous, but does make for more comfortable reading if you have it and there's a lot of quoting.) You can look at the older Gazettes if you'd like to see what they used to look like... I think they look a lot better, but I'm biased Still, if Jim keeps getting messages about the formatting that I'm really responsible for, I'm gonna have to draw my own speak bubble. I still have the blank bubble so it'll be easy. Gimp is cool, when it doesn't crash. Maybe some month when the load isn't too high I'll write an article about the script and how I did the gifs. -- Heather ]

(Personally when I'm browsing through a series of related pages I prefer to bounce back up to the upper/dispatch page and then down to the next. This keeps my current "depth" a bit shorter when I want to back out of my browser completely. (Since I get interrupted and sidetracked frequently while browsing I like to make sure that I'm "done" with each page that's still on the "stack" by backing completely out to the "first document").

CGI Driven Password Changes

From Terry Singleton on Sat, 05 Dec 1998

Hi there,

We recently installed a LINUX box that runs sendmail 8.9.1, we need someway for a user to be able to change their own password, most ISP's have a html form that allows them to do this.

I know this can be done with CGI and Perl, question is does anyone have anything or know of anywhere I can find something that will do the trick..

I just bought a perl/cgi so I am working in that direction, we need something asap though. I would even pay for something.

Regards,
Terry Singleton
Network Analyst

I once wrote a prototype for such a CGI script. It wasn't fancy but it used the following basic method:

The form has the following fields:

userid (login name):
current/old password:
(repeated):
new password:
(repeasted):

... and the script does the following:

• Check the consistency between the current password and the repeat (and issue a retry screen if that fails).
• start an expect (or Perl comm.pl) script that:
  • telnet to localhost
  • waits for a "login:" prompt
  • sends the userid
  • waits for a "password:" prompt
  • send the current password
  • waits for one of:
    • a shell prompt (sends passwd command)
    • the passwd prompt (if the user shell is set to /usr/bin/passwd).
    • a "login incorrect" message (aborts and returns HTML error form).
• if the process gets to .../bin/passwd's prompt:
  • send the old password
  • wait for new password prompt
  • send the new password
  • wait for repeat prompt
  • sent the new password again
  • wait for O.K. message
  • returns HTML success page.

So mostly it's a matter of writing the expect or comm.pl script.

Unfortunately I don't have the real script handy. It looked something like:

#!/usr/bin/expect -f
## by Jim Dennis (jimd@starshine.org)
## This should check a username/password
## pair by opening a telnet to localhost
## and trying to use that to login
## -- you might have to adjust the last
## expect block to account for your
## system shell prompts, and error messsages

## It returns 0 on success and various non-zero
## values for various modes of failure

set timeout 5
log_user 0

gets stdin name
gets stdin pw

spawn "/usr/bin/telnet" "localhost"

expect {

-- "ogin: $"    { send -- "$name\r" }

timeout         { send -- "\r\r" }

eof             { exit 253  }
}


expect {

"ssword: $"     { send -- "$pw\r" }
}

expect {

"ast login: "    { exit 0   }
"(\\\$|%)"       { exit 0   }
"ogin incorrect" { exit 1   }
timeout          { exit 254 }
eof              { exit 253 }
}

... so you'd replace the "exit 0" clauses with something like the following to have it change the password instead of merely checking the password as the example above does.

set password [lindex $argv 1]
send "/bin/passwd\r"
expect "password:"
send "$password\r"
expect "password:"
send "$password\r"

... this assumes that you got to a shell prompt. If you use the old trick of setting the users' login shell to /bin/passwd then you'd add another expect close to the original script to respond to the prompt for "Old password" --- which you'd get in lieue of a shell prompt.

Obviously in that case you wouldn't be "send"-ing the /bin/passwd command to the shell prompt as I've done in the second line of this second code example.

There's a package that purports to do this at:

Linux Admin CGI Package Docu (English)

http://www.daemon.de/doc_en.html

... so you can try that.

You can also look at the Linux-admin mailing list archives where I'm sure I've seen Glynn Clements point people to some utility he wrote (I think I've seen this about a dozen times).

A quick trip to the Linux-Admin FAQ (http://www.kalug.lug.net/linux-admin-FAQ) led me to a list of list archives, which lead me to one with search features. Searching on "web password change" got me to a message that refers to:

ftp://win.co.nz/web-pwd

... I'm sure there are others out there.

ifconfig reports TX errors on v2.1.x kernels

From Peter Bruley on Tue, 15 Dec 1998

Answer Guy:

I have tried various 2.1x kernels every - once and a while to see how the new version is coming along. What I have noticed is errors being reported by "ifconfig" on the TX only (both ppp & eth). Do you know why ?

TX Error

That's a good question. On the ethernet, I'd expect that most of them would be due to frame collisions. Basically they'd happen whenever any two cards on your segment tried to send dataframes at close to the same time. On the PPP link I'd expect them to be due to line noise.

However, I'm not sure and I don't know why you wouldn't see any RX errors. Are you saying that you only see these under the 2.1.xxx kernels? I can assure you that some errors are perfectly normal (under any kernel). Too many may indicate a flaky card (yours, or any other on your network segment), bad cabling (thinnet/coax is particularly bad --- also using cat 3 UTP and/or running any sort of cable too close to flourescent light ballasts and other sorts of transformers and "noisy" RF generating equipment).

On one of my systems (a 486 router, two 3c509 ISA ethernet cards, each on relatively short quiet cat 5 UTP segments, running 2.0.36) I have 0 errors in both the TX and RX segments out of about 200,000 packets routed. This is over an uptime of about 20 days. I picked that systems uptime and stats more or less at random (I'm using it's console as a telnet/terminal to get to my 'screen' session as I type this).

On another system (a 386DX33 with on 3c509 adapter, running 2.0.30) I see six million packets received and 26 thousand RX errors (no TX errors out of about 3 million packets transmitted). That's been up for 71 days.

I supposed we could commission a study to see if different ethernet cards, kernels and other factors produce wildly different statistics. But that sounds too much like a graduate project.

'ifconfig': TX errors

From Peter Bruley on Fri, 25 Dec 1998

Hi: Jim

Thanks for your reply, sorry I'm slow getting back.

Here is a print out of my "ifconfig" after about 5 min. on the ppp connection to my ISP:

 lo    Link encap:Local Loopback
       inet addr:127.0.0.1  Bcast:0.0.0.0  Mask:255.0.0.0
       UP LOOPBACK RUNNING  MTU:3924  Metric:1
       RX packets:166 errors:0 dropped:0 overruns:0 frame:0
       TX packets:0 errors:24679 dropped:166 overruns:0 carrier:0 coll:0

 eth0  Link encap:Ethernet  HWaddr 00:40:05:60:71:DD
       inet addr:10.40.150.1  Bcast:10.40.150.255  Mask:255.255.255.0
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:288 errors:0 dropped:0 overruns:0 frame:0
       TX packets:86 errors:74789 dropped:507 overruns:0 carrier:0 coll:0
       Interrupt:10 Base address:0x7000

 ppp0  Link encap:Point-to-Point Protocol
       inet addr:226.186.100.56  P-t-P:226.186.100.249 Mask:255.255.255.255
       UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:576  Metric:1
       RX packets:156 errors:0 dropped:0 overruns:0 frame:0
       TX packets:0 errors:14836 dropped:135 overruns:0 carrier:0 coll:0

Here is are some of my software versions:

Kernel is 2.1.128
libc.so.5 => libc.so.5.4.44
depmod (Linux modutils) 2.1.121
ppp-2.3.5
net-tools 1.432

Things seem to work properly. (all network services) except for some utilities that report modem activity ie/ xmodemlights (http://www.netpci.com/~dwtharp/xmodemlights)

Note that my ethernet card is also reporting errors.

Now assuming that these are real errors; how come when I boot up into a v2.0.34 kernel all the errors go away (on both ethnet & ppp) and my xmodemlights utility works flawlessly ?

I have tried the v2.1.(85-131) kernel on apx 3-4 different boxes and I have observed the same problems.

I'm alone on this issue or do you know of others reporting the same problems ?

Peter

I don't know if there's any problem here. However, I would check the kernel mailing archives and possibly (after downloading, installing and testing the 2.1.132 or later kernel) post a message to the kernel developers list to inquire about it.

I might be that the old 2.0.x driver wasn't reporting errors for your cards. They may have been buggy. It's also possible that they may have been driving your hardware slower, causing fewer errors, or fewer detections of errors. Of course it could be bugs in the latest drivers which we'd like fixed before we go to 2.2.

So, check with the kernel developers and possibly get onto the comp.os.linux.* newsgroups (networking or hardware) with this question to poll other users for their results.

[ In the "late breaking news" department, the kernels are starting to be called 2.2.pre so now is the time to start trying them out if you've been interested but afraid to go for a beta kernel. -- Heather ]

Support for Trident Video/Television Adapter

From Daniel Robidoux on Mon, 14 Dec 1998

Looking for a manual for a trident 9685 with tv. I'm trying to get output to my tv but nothing works. Can you offer any suggestions.

Call Trident?

I answered a question about the Providia 9685 chipset back in issue 31 --- but that had no mention of a TV tuner.

There is a "video4linux" project that supports at least the BTTV (Hauppage et al) chipsets. I've never used it but you can feel free to hit Yahoo! and browse through the 2200 hits that you'll get with a search string like:

"video4linux 9685"

... see what that nets you.

Plug and Pray Problems

From Tony Grant on Mon, 14 Dec 1998

Hi,

Problem: USR Sportster ISDN TA will not work on AMD K-6/II machine.

Solution: Force D-Link Ethernet card to use IRQ 5 and ioports in the 0300 - 031f range so as not to interfere with the ioports needed by the Sportster.

Question: How do I force the Ethernet card to behave? On bootup my kernel (2.0.36) tells me that IRQ / io etc are being set by BIOS. I want to set them myself.

TIA for pointers to the correct doc.

Cheers
Tony Grant

My first guess would be that you're encountering a problem with some "ISA Plug and Play" adapters. The first option would be to see if there's a setting to disable "plug and pray" on one or both of these boards, and manually set them (possibly using an MS-DOS or Windows) utility).

Failing that you can look for a Linux package called 'isapnptools' --- I've never used it --- but it seems to have helped a few people out there.

I've read many messages from people who've resorted to booting DOS, running the configuration utilities from there and then loading their Linux kernel via LOADLIN.EXE.

This is more of a workaround than a real solution --- but it seems to be effective for most and I don't know of any downside for normal operation (just that mild distaste that running MS-DOS to configure you hardware every time you boot might leave in your mouth). Console yourself with the fact that you rarely have to reboot Linux.

Plug and Pray Problems

From Tony Grant on Mon, 14 Dec 1998

Jim Dennis wrote:

..snip

This is more of a workaround than a real solution --- but it seems to be effective for most and I don't know of any downside for normal operation (just that mild distaste that running MS-DOS to configure you hardware every time you boot might leave in your mouth). Console yourself with the fact that you rarely have to reboot Linux.

Jim,

Thanks for your prompt reply if only M$ offered such aftersales support

Loadlin looks like a last resort solution that I will have to turn to. I really didn't want to install W$ or DOS on this machine (it is a headless server) so booting is no problem, the machine is up all of the time, only SW upgrades will imply rebooting.

Cheers and thanks again

Tony Grant

Sharing/Exporting Linux Directories to Windows '9x/NT

From markr on Mon, 14 Dec 1998

I have a 5 system LAN at home with 2 linux, 2 win98, and 1 NT machine. From any of the 98/NT machines, I can see the linux boxes in Network Neighborhood. However, I am unable to connect to shares on the linux boxes. I have logged out of windows and back in as both 'root' and 'mark', both valid users on the linux systems, but when I try to access a share I'm prompted for a password which, although correct, is promptly rejected. I can go from Linux to win, and Linux to Linux, but I need to be able to go the other way as well....

Any advice?

thanks,
Mark Rolen

Have you read through the Samba man pages (smbd(8), nmbd(8), smb.conf(5), samba(7), smbstatus(1), etc), and the Samba FAQ and web site (http://www.samba.org)?

Start there and make sure that you have 'smbd' and 'nmbd' running in the correct order, and that you have a valid 'smb.conf.'

The best place to ask this sort of question is the comp.protocols.smb newsgroup. This is where the most avid Samba users exchange notes and commiserate over the latest MS CIFS machinations.

When you ask them a question, be sure to include the simplest version of your smb.conf that you've tried and representative samples of any relevant syslog messages from /var/log/messages. Read their FAQ thoroughly for more details about the sorts of information to include in your support queries.

[ Actually, your conf files are probably fine, since you see the share announced, and actually get a dialog back... except that you're missing one. Win98 and NT use encrypted passwords (or Win95 since one of the OSR packs) which a new enough version of SaMBa can answer, but it needs to be fed the passwords your win boxes will be using. Go into the FAQ and search for 'smbpasswd' and you should find the rest of the details. -- Heather ]

Mail processing

From Juan Cuervo on Mon, 14 Dec 1998

Hello Answerguy, My name is Juan Cuervo and I was wondering if you could help me with this:

I need all the incoming mail of my mail server users to be send to their mailboxes (as usual), but also to be processed by an external program (I mean , not a MTA). So, I need so send a copy of the mail to this external program if the mail user has a file in their home directory (called, lets say, ~/.myprog ) wich indicates that the mail messages for that user should be parsed by this external program too.

Thank you for your help.
Juan Cuervo

You can create an '/etc/procmailrc' and define 'procmail' as your local delivery agent. This is the most straightforward way to do this. However, it is pretty dangerous (the called program will be called as 'root') and it might result in unacceptable levels of overhead (depending on your number of users and their mail volumes).

In any event the contents of /etc/procmailrc would look something like:

:0c
| /root/bin/mailfilter/.myprog

.... to send a copy of each mail item through a program as you described.

Personally, I don't recommend this, as it sounds like several disasters just begging to happen. However, you're welcome to experiment with this on a test system for a little bit to learn how it works.

Many Linux distributions include 'sendmail' configured to use 'procmail' as their LDA by default. Look for a group of lines in your /etc/sendmail.cf that looks like:

Mlocal,         P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
		A=procmail -Y -a $h -d $u

... to see if this is the case. If not, either replace the Mlocal clause that's in your /etc/sendmail.cf (yuck!), or add an entry like:

		MAILER(`procmail')dnl

... to your ".mc" (M4 configuration file) and regenerate your .cf file with the appropriate m4 command like:

		m4 < foo.mc > /etc/sendmail.cf

Note that sendmail involves quite a bit more than this --- so you may want to get more detailed advice before trying this on a production mail server. There's a 900 page book from O'Reilly that's probably the best reference to 'sendmail' available. Arguments that we should also switch to 'qmail' or Wietse Venema's 'PostFix' (formerly known as 'Vmailer') may not help in your case.

Extra Formfeed from Windows '95

From Jerry W Youngblood on Mon, 14 Dec 1998

Is there a way to supress the extra formfeed when I print on my Linux HP540 printer from Windows95 on the network. Everything prints great, however there is an extra page that always comes out after the print job. How do I supress this?

I think there is a Win '9x control panel setting that can be tweaked to prevent this. However, I do as little with Win '9x as I can, so I don't know precisely where in that morass of dialogs and menus you might find this setting.

(I suppose another option would be to set a special printcap entry for your Win '95 system to use, and have that use one of the settings for supressing formfeeds or use a special filter or something).

I should warn that I also do as little printing as I can get away with.

Can't Login in as Root

From David Stebbins on Mon, 14 Dec 1998

Hey Jim, After reading the letters to you and your responses I feel kind of silly writting to you with my little problem, but here it is. I am a very, very new linux 5.2 redhat (Macmillan) user and after installing the OS and establishing a user account for myself I have not been able to login as the root user. I type the same exact password that I used when I set the system up (as the root uesr), but cannot get back in (...very frustrating). perhaps you have a solution for me? I was logging in as "root" (w/o the " marks) and then just entering my password. What am I doing wrong? Thanks David

Is this at the console?

If not, it's probably just securetty (read the man page in section 5).

Can you login as a normal user and then use the 'su' command to attain 'root' status?

If not then you probably have lost or forgotten the password or corrupted your /etc/passwd file. In those cases you can boot from a floppy diskette or boot and issue the 'init=/bin/sh' LILO option (as I described last month) to get into the system in single user mode without requiring any password (requires console access, obviously).

Keep in mind that the passwords are case sensitive. You must remember which letters you typed in [Shift]-ed mode and in lower case. Also, if you look at you /etc/passwd file you shouldn't seen any blank lines, any comments, and any "junk" characters (control characters, etc). Read the passwd(5) on any working system to get the details of proper 'passwd' file formatting --- or just copy one from your boot floppy and recreate the accounts as necessary.

Note, if you create a new passwd file you may create "orphan" files in this process, as your new account names might have mismatches to the old numeric UID's and GID's under which these files were created. The easiest way to fix that on a small system is to look at the numeric UID's of the files (any "orphan" file will show up with a numeric owner during an 'ls -l' and you can use the command 'find / -nouser -ls' to list all of them) --- then using your personal knowlege of who these files belong to, set their /etc/passwd account to match those numerics.

Unfortunately the full details of all of this are far to complicated to describe in detail at this hour (it's 3:00am my time, I just got back from Boston, Massachusetts from the USENIX/SAGE LISA Conference).

Once you get your system straightened out, make a backup copy of your /etc/passwd and /etc/group files --- just mount a floppy and copy them to it. That will make restores much easier in the future (even if you you have a full backup system in place it's often handy to restore these files before trying the rest of your restore --- some versions of 'tar' and 'cpio' for example don't restore files under numeric UID's and GID's -- they'll "quash" the ownership to root.root for all of them!

If you really get stuck, call my number (800) 938-4078 to leave voice mail. It would make more sense to walk you through the recover than to type up every possible recovery technique in this message.

Alternative Method for Recovering from Root Password Loss

From David C. Winters on Mon, 14 Dec 1998

Just discovered the LG, and your column, today. I sent you a message a few minutes ago asking a question; here's a submission.

You finish up your "No Echo During Password Entry" answer in your Issue #35 column with a method for recovering from losing root's password. I've used another method, using LILO.

During boot, when the "LILO boot:" prompt appears, hitting the <TAB> key will give you a list of all of the kernels (by label) that LILO knows about. On my system, I'd see

> LILO boot:
> 2.0.30		2.0.30-orig
> boot:

("2.0.30-orig" is the default Red Hat 2.0.30-3 kernel on 4.2; "2.0.30" is the label for the kernel I compiled.)

If I append " single" to a kernel label, eg, "2.0.30 single", it'll boot using that kernel but come up in single-user mode. Just calling passwd() will let you change root's password. You then want to use exit() to continue bringing yourself back up to your normal runlevel (3 on my machine).

I'm well aware of this technique. However, using 'init=/bin/sh' will work in cases where 'single' won't.

Some systems have their 'single user' mode entries in /etc/inittab set to call an 'sulogin' command --- which requires a root password. Ooops!

I glossed over the details due to my own time constraints.

Useful, but a large security hole. Unless you secure it, anyone sitting down on console can reboot the machine and come up as root. To close this hole off, chmod() /etc/lilo.conf to 600 (or 660 if it's owned root:root) and add the "restricted" and "password=<some_password>" lines, like the following example /etc/lilo.conf file:

Quite right.

 boot=/dev/sda
 map=/boot/map
 install=/boot/boot.b
 prompt
 timeout=50
 restricted
 password=AnswerGuy
 image=/boot/vmlinuz
         label=2.0.30
         root=/dev/sda2
         initrd=/boot/initrd
         read-only
 image=/boot/vmlinuz-2.0.30-orig
         label=orig
         root=/dev/sda2
         initrd=/boot/initrd
         read-only

Run lilo(), then reboot. Entering "2.0.30 single" will get you to a password prompt. When you enter "AnswerGuy", the LILO password won't be echod to the screen as per normal for entering passwords, and LILO will bring you up as root.

This obviously requires remembering yet another password, but it's something to look into because, by default, LILO isn't password-protected on the Debian or Red Hat distributions I've used.

Also quite right.

The principle problem with this is that it doesn't prevent the user from booting from a floppy (such as a Tom's Root/Boot (http://www.toms.net/rb) or even just an MS-DOS diskette with a disk/hex editor).

Some PC's have the ability to "lock out" the floppy drive and protect the CMOS with a password. That helps. However, it isn't much help. Many (possibly most) BIOS/CMOS sets have "backdoors" such that their support technicians can help customers "get back into" their systems. This is a bad idea --- but seems to be pretty common. In addition it's possible to open the system case and temporarily remove or short (with a resistor) the battery on the motherboard, or remove the clock chip (where the CMOS data, including the password, is stored).

So, to achieve any semblence of console security you must at least do the following:

• Lock the PC in a cabinet, closet or case (or install one or more locking bolts in the case.)
• Verify that the BIOS has no back door (how?) or replace the BIOS with a custom one or one that has been audited and verified by some trusted party as having no back doors.
• Disable floppy and CD-ROM boot.
• Enable CMOS password protection to prevent changes to the boot and other CMOS settings.

Debian: Whatever version was current two years ago; we switched to RH. Red Hat: 4.2

D.

Thanks for the prompting.

I personally like the design of the Corel Netwinder (StrongARM/RISC based "thin clients" or "network computers" with embedded Red Hat Linux and KDE), and the Igel "Etherterm/Ethermulation" (PC based X Terminal, thin client, and character mode ethernet terminals, with custom embedded Linux --- and Java, Netscape and other optional tools on solid state disks).

Corel Computing, a division of Corel Software, Inc:

http://www.corelcomputer.com

Igel USA:

http://www.igelusa.com

These systems are specifically designed with no support for removable media. This makes this much better suited to deployment in hostile user environments (such as libraries, kiosks, Internet cafes, public access and college computing labs).

It is unfortunate that these systems are currently a bit more expensive than similarly powered PC's. Since they are currently produced in somewhat volumes and they are currently niche markets, they command a higher margin and don't benefit from the full economies of scale.

However, that's the main reason I don't own any of these.

(Another advantage to these systems, over and above security, is that they offer much less power draw and much quieter operation than standard PC's with that incessant fan and disk noise).

SCOldies Bragging Rights

From David C. Winters on Mon, 14 Dec 1998

In your response to Anthony's second message (re: a coworker teasing him about SCO's capabilities), you say:

I figured. About the only things the SCOldies can hold over us right now are "journal file support" and "Tarantella."

Abject curiosity makes me ask: What are these two capabilities?

D.

"Journaling Filesystems" and "Logging Filesystems" are those which store and utilize transaction logs (journals) of file operations until those changes are "committed" (synchronized).

Thus a set of small data structures on your filesystems are automatically synchronized (like in a "write-through cache") while the rest of the fs benefits from normal write caching.

The net effect is that filesystems can be quickly checked and repaired after a castastrophic shutdown. In other words, you don't have to wait for hours for 'fsck' to finish fixing your filesystems after someone kicks the plug on your server (or the power supply fails, etc).

This is likely to be added to Linux by version 2.4 or 3.x. Some preliminary work as already been done.

Many versions of Unix (such as SCO, Novell/SCO Unixware, and AIX) have their own implementations of these features. In addition there is a company called Veritas * (http://www.veritas.com/corporate/index.htm).

You can get some similar effect from Linux, at considerable performance cost, by selectively mounting your important filesystems with the 'sync' option (mount -o sync ....).

"Tarantella" is a unique feature of SCO's. It provides Java/Web based access to your Linux desktop. The closest match is the VNC package (virtual network computer) from the Olivetti/Oracle (Joint) Research Laboratory * (http://www.orl.co.uk/vnc/index.html).

VNC is a network windowing system (like X Windows, but more "lightweight") which allows you to connect to your systems remotely via an MS Windows (Win '95/'98/NT), MacOS, or Java client. VNC also allows you to remotely connect to Win '9x/NT system from it's X Windows (or other Win/MacOS/Java) clients.

Actually VNC might be close enough in features that SCO couldn't get much mileage out of touting it over Linux with VNC. VNC is under the GPL.

Application Direct Access to Remote Tape Drive

From Yves Larochelle on Mon, 14 Dec 1998

Hello,

I have a simple problem. I run a FORTRAN program that makes calls to a C library to read data from a DLT SCSI tape drive. Everything is fine when I run from a drive on my host machine.

Oddly enough I was just writing in my book about how the tape drives under Unix (and Linux) are available for general purpose spooling of applications data sets (like the old mainframe spooling and job control model) but are rarely used in this fashion. It's amusing to see that someone is doing this.

But I haven't been able to open/read the tape drive on a remote host. I have read your previous answers on remote tape access:

but it doesn't solve my problem.

I want to use local memory and CPU, so "rsh" is not an option. In my C library I have tried to change:

>		fd =  open ("/dev/st0", flag, 0);
> ... to:
>		fd =  open ("remotehost:/dev/st0", flag, 0);
> or even:
>		fd =  open ("operator@remotehost:/dev/st0", flag, 0);

without success:

Open failed on tape No such file or directory

Yep. That's right. Inspection of the code for 'tar' and 'cpio' would reveal that these do use an implicity 'rsh' to the remote host, and pipe their data streams over TCP connections thereto.

This ability to access devices remotely is not built into the C libraries, it is built by your program through the native network mechanisms (or at least via judicious use of the 'system()' library call).

I do have setup /etc/hosts.equiv (and /$HOME/.rhosts) so I can access my account on the remote host without password

I have been told to use "rmt", but how to do it within the C library ??

I don't know much about 'rmt' but you can pick up the 'dump' package in which it is included and read the man page therefrom. I'd pick up the sources to that package so you can read some sample source code to understand how 'dump' uses it.

(Obviously if you want to actually cut and paste the source code for use in your project, you'll want to read and comply with the license --- probably GPL. This may be of no consequence if you won't be redistributing your program --- and should be know problem if you're willing to release your sources under a compatible license. It should also be no problem if you read these sources to gain and understanding of the API's and code your own functions. However, read the license for yourself).

Can you help me with this one ???

Since I'm not a programmer --- not much directly. However, as I've said, you can study examples of this sort of code in the 'tar', 'cpio', and 'dump' sources.

If at all possible,

... (e-mail ellided)

I always respond via e-mail whenever I respond at all. The mark-up to HTML is done at the end of each month by my lovely assistant (and wife), Heather.

Mounting multiple CD's

From ali on Mon, 14 Dec 1998

HI

I've just recently purchased a copy of Red Hat Linux 5.0 and a new CD drive(ie. I now have 2 CD drives) and I need to know how to mount them.

The 2 drives are connected to the IDE on my soundblaster AWE-64 sound card and I need to know how to mount the drives from there. (I previously had one drive and mounted it using /dev/cdrom but now what do I use?)

/dev/cdrom is normally a symbolic link (sometimes a hard link) to some other device node such as /dev/hdc (first device on the second IDE channel) or /dev/scd0 (first CD device on the first SCSI channel).

The two drives are:
1) Samsung SCR-2030
2) HP CD-Writer Plus 8100

These (and the fact that you refer to your Sound card) sound like SCSI devices. You'd simply find out which of these your /dev/cdrom is linked to (by mounting it as normal or inspecting the 'ls -il' output of your /dev/ directory).

[ And, you could tell which one it was since its light will flash when you mount the disc. -- Heather ]

For the other you'd use a command like:

mount -t iso9660 -o ro /dev/scd1 /mnt/cdrom1

... where the -t specifies the filesystem type (ISO 9660 is the standard for normal CD's), -o is a set of options (read-only in this case) and the next two parameters are a device name (second SCSI CD drive), and an arbitrary mount point (usually an empty directory under the /mnt tree --- or an empty directory in any other convenient location).

You could name that mountpoint anything that your filesystem will allow (just about anything). I use /mnt/cd* or /mnt/cdrom* as prefixes to these names for obvious reasons.

If this new drive is on an IDE interface its likely that you'd use something like /dev/hdc or /dev/hdd for the device name.

Any help will be appreciated.

Thanks Ali

More on Multi-Feed Netnews (leafnode)

Some additional comments by one of the authors/maintainers of leafnode(?).

From The Answer Guy on Mon, 14 Dec 1998

Jim,
I have a question in the "Answer Guy's" inbox regarding multi-feed leaf netnews. I don't remember which package my querent was using (leafnode, suck?, ???) but his question regarded whether it's possible using any of these packages to download news from multiple sites and upload/ feed them back selectively).

It is possible with suck/INN, of course. (Everything is possible with this combination, I suppose .

It is also possible with leafnode, starting from 1.7.

The config file should look like this:

server = news.a.org
supplement = news.b.com
expire = 14			# expire messages after that many days
create_all_links = no		# optional, saves disk space

Leafnode should be able to figure out everything else on its own.

If you need usernames and passwords for servers, it becomes a bit more complicated, but leafnode can handle this as well:

server = news.a.org
username = user_at_a
password = password_at_a
supplement = news.b.com
username = user_at_b
password = password_at_b
expire = 14
create_all_links = no

HTH, - --Cornelius.

/* Cornelius Krasel, U Wuerzburg, Dept. of Pharmacology, Versbacher Str. 9 */

"The Linux Gazette...making Linux just a little more fun!"

Getting 'rsh' to work

From Anthony Howe on Mon, 14 Dec 1998

Oh hum. I'm having trouble with getting rsh to work between two machines for a specific task. I've read the rsh, tcpd, and hosts.allow man pages and I still can't get it to work.

1. the same user "joe" with the same password exists on both "client" and "server" machines.
2. server's hosts.deny:
   ALL:ALL
3. server's hosts.allow:
   in.rshd:1.2.3.4
4. server's inetd.conf:
   "shell" line uncommented
5. I have an A record for:
   client     A     1.2.3.4
6. and I have a PTR record for:
   4.3.2.1.in-addr.arpa     PTR     client

joe@client$ rsh server '/bin/ls /home/joe'

I get "Permission denied". The logs on neither client nor server provide no reason for the "Permission denied".

Maybe I just over-tired, but I can't figure out what I'm overlooking. Can anyone please tell me what I'm missing?

What is the precise line in your /etc/inetd.conf?

Some versions of in.rshd and in.rlogind have options which force the daemon to ignore .rhosts files (-l) allow 'superuser' access (-h), syslog all access attempts (-L), and perform "double reverse lookups" (-a).

It looks like your forward and reverse records are alright (assuming that the client's /etc/resolv.conf is pointing at a name server that recognized the authority for the zones you're using).

Note: If you are going through IP Masquerading at some point (some sort of proxy/firewall package) then there's also the remote chance that your source port is being remapped to some unprivileged (>1024) port as the packets are re-written by your masquerading/NAT router.

I did complain to the Linux/GNU maintainers of the rshd/rlogind package about the fact that their syslog messages don't provide more detailed errors on denial. However, I'm not enough of a coder to supply patches.

To test this without TCP Wrappers at all try commenting out the line that looks something like:

shell	stream	tcp	nowait	root	/usr/sbin/tcpd		in.rshd -a

... and replacing it with something like:

shell	stream	tcp	nowait	root	/usr/sbin/in.rshd	in.rshd -L

(note: we just changed the tcpd to refer to rshd).

Linux as a Netware Client

From Jedd on Sat, 05 Dec 1998

Howdi,

In the December issue of LG, you answered someone's query regarding accessing their netware servers from Linux, by pointing him at Caldera or the ncpfs package.

The caldera system is quite fine, albeit based on Redhat, and between the two companies they seem to have not only ignored the old FSSTND, but positively danced on its grave. <hug Debian> Trying to get the Caldera Netware client working under Debian, btw, was a right pain (I've still not done it), so it may not be feasible. Looking at their archives, it appears that even getting it to work under pure Redhat is a bit, uhm, 'challenging'.

However, for your info, the ncpfs package does support NDS (Netware 4 & 5) connections - and has done for the last two minor releases. I'm still experiencing some problems with this feature - when trying to concurrently authenticate to two servers in the same tree - but I hope/ suspect that's me doing something funny.

Cheers,
Jedd.

Some more feedback that I'll just present on its own merits.

LILO Default

From Steven W.Cline on Mon, 07 Dec 1998

Answerguy,

I've been searching for this but can't find it. I would like to change the default OS that lilo loads. Right now it is Linux. How can I change the default to DOS?

This is because I am the only one using Linux and the rest of the family uses DOS.

Steven W.Cline
San Bruno, Ca.

The default is the first "stanza" (boot image) listed in the /etc/lilo.conf.

So, just edit that file and move the block for your Windows stanza to place it after any global directives and before any other OSes that you have listed.

Alternatively you can just use the default= directive to specify the label of the image that you want to use.

(Hint: searching the lilo.conf(5) man page on the term "default" leads us to the answer within a few shots.

[ I should only comment on layout stuff, but here, I just gotta.

Once upon a time when antares was a multi-boot machine, I had it set up so that CTRL-ALT-DEL would always reboot you into "the other OS". For a while it was so handy, I'd even forgotten how we did it... so I wasn't able to tell Jim! But here's a trick that should work:

Add a line to /etc/inittab that reads:

ms::boot:/sbin/lilo -R dos

(assuming you've named your stanzas linux and dos). The 'ms' is a gratuitous identifier; it could really be anything, as long as the other inittab lines have a different first value. The '-R' stores a LILO command choice for only one session, so on the next reboot (from DOS, which isn't saying anything special to LILO) you'll go back to the other OS... unless sometime during your linux session, you run another lilo -R command that mentions a different command line to default to. However, you leave the lilo default to linux this way. I suppose you could use this to run /sbin/lilo -R linux so that reboots from Linux will tend to stay in Linux, with the default set as Jim described to dos so that power-on, and reboots in DOS, will tend to stay in DOS.

I don't know if there's a LILO control program for DOS these days, but with LOADLIN and a copy of the kernel stored in DOS-accessible space, you could even create a script that would let you add "Linux" to your DOS or Windows menu system. If you prefer to go that way, you could even uninstall LILO and put back a plain DOS master boot record, so it would never ask anymore. Or, you can set LILO to delay forever, so you can always choose which OS ... though this loses the benefit of being able to ignore the system while it boots. -- Heather ]

Uninstalling Linux

From Tom Monaghan on Fri, 18 Dec 1998

i cannot find any info on the best way to uninstall Red Hat Linux 5.2.

I must reinstall DOS as linux does not support my video driver (yet). Any help would be appreciated. Thanks.

When you installed Linux, you probably created a set of partitions on one of your hard disks. You can just go into the Linux 'fdisk' (using your installation diskette or CD) and delete all of your Linux parititions (including swap and "native" (ext2)).

Once you done that then DOS/Windows should be "willing" to create new partitions in the unallocated portions of disk space that you've created by deleting your Linux partitions.

If the whole disk was devoted to Linux and you want to trick MSDOS into believing that this whole drive is "fresh from the factory" you can use the following trick:

WARNING! THIS WILL WIPE OUT ALL DATA ON YOUR DISK!

Boot into Linux (on a rescue diskette or into the working copy that you have installed)

Login as root.

Issue a command like the following:

dd if=/dev/zero count=1 of=/dev/hda

... NOTE: The "of" parameter should point at the device node for your disk. If are doing this to the first or only IDE drive on your system (the most likely case) you'd use /dev/hda as I've shown. If you're doing this to the first SCSI drive it would be /dev/sda, if you were doing it to a second IDE or SCSI drive that would be /dev/hdb or /dev/sdb respectively, and so on.

To get some idea of which drives and partitions you have Linux installed on you could use the command:

fdisk -l | less

... to look at the partitions on all drives that Linux can see. Note that you'll see partitions like /dev/hda1 and /dev/hda5, etc. These are partitions on the first IDE drive (/dev/hda).

When we zero out the first sector of the drive, operating systems will consider the whole drive to be blank and will install just as you would on a brand new hard drive. (Technically under MS-DOS you could just wipe out the two bytes at the end of the first sector --- which is a signature value that MS-DOS FDISK.COM (or FDISK.EXE) uses to detect a partiton table or MBR. Naturally you could also delete the partitions (as described earlier) and then boot from a DOS floppy and issue the command:

FDISK /MBR

... this will work on MS-DOS 5.0 and later. Otherwise use the 'dd' method from Linux.

Incidentally I rather doubt that Linux doesn't support your video card.

It is probably more formally correct to say that XFree86 doesn't support your video card. You don't need to run a GUI to use most of Linux (I rarely go into X Windows).

[ They just released XFree86 3.3.3 recently, so maybe you should check again with a fresh X package from http://www.xfree86.org/ and see if it has your card in it now. -- Heather ]

As I point out in other messages there are a couple of alternatives to XFree86 including some freely distributed binary X servers (source code unavailable) which can be found at the Red Hat contrib site and other mirrors and software archives, and there are a couple of commercial X Windows System packages for Linux (from Xi Graphics: http://www.xig.com, and MetroLink: http://www.metrolink.com).

Uninstalling Linux

From Tom Monaghan on Fri, 18 Dec 1998

Thanks. Since I was in a hurry, I just ran the install and deleted all my linux partitions via Disk Druid (coincidentally the same tack you suggest) and booted out of the install. So now I am back to DOS :(

I have RH 5.2 at home, so deleting linux here at work does not end my experimentation with this OS. The thing I am stuck on at home is getting my modem to connect to my ISP. This is so freaking frustrating I had to step away for a day or so...Will continue to bang on linux until I get it right. It's funny, I have a decent amount of UNIX experience under my belt (I am ashamedly a Software Developer), but when it comes to configging stuff I am a moron!

Super L/User

Making a Kernel Requires 'make'

From Mohd. Faizal Nordin on Fri, 18 Dec 1998

Hai everybody....

I am having problem to compile my kernel in order to set my ppp and diald. The problem is when I want to compile kernel for RedHat 5.1 I got error msg: " make : bash command not found ".

Can someone pls help me on this problem.

Cheers...
fiber...

It sounds like you need to install 'make' (the package that interprets "makefiles" and traverses the sources resolving dependencies by compiling, linking and otherwise manipulating the sources, object files, etc). (Either you need to install the package or make sure that it and your other development tools are properly on your PATH).

You also need gcc (the GNU C compiler) and the 'binutils' package (which contains 'ar' 'ld' and the assemblers and other tools that are needed to build most C programs).

It seems odd that you need to recompile your kernel for PPP support. Most distributions ship with that built in or with a modular kernel and a selection of pre-compiled modules.

Using only 64Mb out of 128Mb Available

From Terry Singleton on Thu, 17 Dec 1998

When I run the admin tool "top" it appears as if my system is only using 64MB of memory.

 11:00am  up 4 days, 23:39,  2 users,  load average: 0.07, 0.03, 0.00
 40 processes: 39 sleeping, 1 running, 0 zombie, 0 stopped
 CPU states:  0.3% user,  0.1% system,  0.0% nice, 99.6% idle
 Mem:   64168K av,  57420K used,   6748K free,  19820K shrd,  19816K buff
 Swap: 104384K av,     24K used, 104360K free                 23932K cached

The results show 64168K av which indicates 64168K of available memory yet our system has 128MB RAM? I have the same results on 2 other Linux servers with more than 64MB RAM.

I am running RedHat 5.1, is there anything special I have to do to tell the system I have more than 64MB, recompile the kernel..?

This is a classic FAQ. The BIOS standards for memory query (Int 12h?) don't support the return of more than 64Mb of RAM. There are a number of different mechanisms for doing this on different chipsets, and some were "dangerous" (in the sense that they might hang some systems with a different API/BIOS). So, Linux didn't support automatic detection of more than 64Mb on most systems until very recently (2.0.36?).

You've always been able to over-ride this with a kernel parameter. As you may know from my earlier articles or from the LILO man pages you can pass parameters to the Linux kernel using an append= directive in your /etc/lilo.conf file (and subsequently runing /sbin/lilo, of course) or by manually appending the parameters on the command line at the LILO prompt (or on the LOADLIN.EXE command line).

To do this with lilo.conf you add lines of the form:

append="mem=128M"

... to each of the Linux stanzas to which you want this to apply. (I'd leave one of them without it for the first try so you have a working configuration into which you can boot in case there's a problem with your system. I've heard of some cases where users had to reduce their memory configuration by 1Mb for odd reasons).

With the newer 2.0.36 and 2.1.x kernels you shouldn't need to do this (they have new autodetection code that should handle all of the common chipsets).

One trick for programmers --- if you want to ensure that your code or distribution will run in limited memory constraints you can do a quick test using a smaller mem= parameter to force the kernel to run in less space than it normally would.

WARNING: If you forget the trailing 'M' the kernel load will fail when it tries to allocate the specified amount of RAM in bytes. (Don't do that!).

In any event you might want to check out some of the FAQ's on Linux since I'm sure this is in a couple of them.

Using only 64Mb out of 128Mb Available

From Terry Singleton on Fri, 18 Dec 1998

Thanks Jim.I added the line as you suggested, however it did not seem to take am I supposed to be it under the boot image section itself? Memory is still 64000av.

Sorry, I should have been more detailed. You need to add this append= directive to each of the stanzas to which it applies. (You could have a couple of stanzas that referred to reduced memory configuration if you were a software developer, tester or reviewer so that you could test a package's behaviour under varying memory constraints).

This is what I have:

 boot=/dev/sda
 map=/boot/map
 install=/boot/boot.b
 prompt
 timeout=50
 append="mem=128M"
 image=/boot/vmlinuz-2.0.34-0.6
         label=linux
         root=/dev/sda1
         initrd=/boot/initrd-2.0.34-0.6.img
         read-only

should it be:

 boot=/dev/sda
 map=/boot/map
 install=/boot/boot.b
 prompt
 timeout=50
 image=/boot/vmlinuz-2.0.34-0.6
         label=linux
         root=/dev/sda1
         initrd=/boot/initrd-2.0.34-0.6.img
         read-only
 	  append="mem=128M"

Yes.

(Also remember to re-run /sbin/lilo to read this config file and build the new boot blocks and maps therefrom).

Incidentally it would have been quicker and reasonably safe (in this case) to just try the experiement. It should have worked and you'd have gotten your answer much quicker.

I can understand a degree of hesitation about experimenting with the boot blocks and partition tables (a data structure that's stored in the the same block as the MBR first stage boot block). Obviously a mistake means that you can't boot at all.

However, it's wise to have a backup and a working rescue floppy and to practice using them before you make any changes to your /etc/lilo.conf.

Manipulating Clusters on a Floppy ...

From Padma Kumar on Thu, 17 Dec 1998

Sir,

I'am basically want to write an application which needs to mark a particular predefined cluster as bad, and also need to change dynamically the value contained in the specific cluster. Is there any way by which we can write some data into a cluster, mark that cluster as bad, again i need to mark that bad cluster as usable and update the data in the cluster and then mark it as bad again.

I would be greatful if you could help me out with this task or tell me where i can find some information regarding this.

Thanking you for your consideration.
With Regards
Padma Kumar

This is a rather dubious request.

You'd have to write you're own custom programs to do this (for each filesystem type that you wanted to support --- since different filesystems have different mechanisms for marking clusters as bad).

I've heard of MS-DOS virus writers, and some copy protection schemes, that used similar techniques to covertly write keying information on people's systems back when software copy-protection seemed feasible. The demise of this technique has two major dimensions:

There were chronic technical problems caused to legitimate users (thus decreasing customer satisfaction while increasing support costs). (Problems resulting from restoration of user programs and data after a hardware failure or upgrade are one example). A moderately skilled cracker could easily reverse engineer and bypass these measures (often by "NOP-ing" out the portions of code that performed the objectional hackery).

Many users/customer simply rejected the whole adversarial stance of software companies employing these techniques. We still see tacit acceptance of "dongles" (hardware keys, typically attached to parallel or serial ports which are queried by a program to enable its operation, typically with some sort of challenge response protocol). However, those are only used for a small number of high end packages.

To write your own code, just look at the examples in the programs: badblocks, mke2fs, and e2fsck. These all manipulate the badblocks lists on Linux' ext2 filesystems.

Naturally you can look at the sources for similar programs for each other fs which you intend to support. Note that most of these programs are under the GPL. While studying them and writing your own code is probably a fair use, if you intend to "cut and paste" code from them you must read and respect their licenses (which would be in conflict with any copy-protection applications which you might have in mind).

I realize I'm reading a lot into your question. I don't know of any other rational uses for bogus "bad blocks."

Manipulating clusters on a floppy ...

From Padma Kumar on Sun, 20 Dec 1998

Sir,

Thanks for spending time for answering my question ...

Basically i'm trying to write the code in Delphi (Assembly code in Delphi) for Windows 95 stand-alone PC.

I hope this clarifies ur doubt in short.

It clarifies things just fine. This is the Linux Gazette. I answer questions that relate to Linux.

If you have programming questions that related to Win '95 and/or Delphi --- please go to Yahoo! and look for a Win '95 or Delphi "Answer Guy" (or other support forum).

You paid money for that commercial software --- with the stated or implied benefit of technical support. It's really a pity that the companies that sold you these packages aren't delivering on that promise.

As I said, you can look at the Linux sources for many examples of manipulating many types of filesystems (including MS-DOS/Win '95) -- those examples are mostly in C.

Thanking you once more for ur consideration
Expecting a reply soon

Have you ever read any of my other answers? How did you find my address without getting any indication of the focus of my work? Is it just that using all that vendorware has left you desparately seeking support from anyone you can find?

Setting up ircd

From paul maney on Thu, 17 Dec 1998

hi there i cant set up ircd on redhat Linux i haveing big pog what can i do to get it to work a.s.p pls from paul marney

you can get me on [phone omitted] or [email omitted]

I'm afraid this question is below the literacy threshold.

I think this translates to:

I can't set up 'ircd' on my Red Hat Linux system. I'm having "big problems" (with it). What can I do to get it to work? Please reply ASAP.

First, I've never set up an IRC server. I've only used IRC as a client on a few occasions (less than ten in the last ten years). I presume that I could set on up if I tried (and I know some of the people who created Undernet -- one of the larger IRC networks, so I'm sure I could get help if I needed it).

However, your question shows a remarkable lack of motivation. You don't provide any information about what version of Red Hat you are using, where you got the your IRC (Internet Relay Chat) daemon package (I've never seen one included with Red Hat Linux CD's --- though admittedly I wasn't looking for it). More importantly you don't give any indication of what you've tried or what sort of problems you've encountered.

Based on your message it doesn't appear that you've even read whatever man pages, README files, and other documentation came with your ircd package.

Glancing around I found an ircd21002.tgz in the Slackware contrib directory on ftp.cdrom.com (Walnut Creek, manufacturers of many fine collections of free software --- including the Slackware Linux distribution and FreeBSD).

Grabbing that I find a set of documents and an example ircd.conf file that give some hints as to how you'd use this particular version of IRC. It turns out that this one is the "UnderNet" version of ircd (I'd heard that they'd written their own, but coming across here it was just by chance).

You could look at the UnderNet web site (http://www.undernet.org) but that doesn't seem to lead to any technical documentation of the sort that you'd need to set up your own server or join one of the relay networks. You'd have to know to look at http://www.undernet.org/documents (since there don't seem to be any links from the index page down to this page). However that doesn't include anything that you need either.

My next stop would be Yahoo!:

Computers and Internet:Internet:Chat:IRC:Networks

http://dir.yahoo.com/Computers_and_Internet/Internet/Chat/IRC/

... and I'll leave it to you to search through those links.

Naturally you could also hunt through the IRC channels and ask the regulars in those that are appropriate. I suspect that some of the people who install, configure and maintain these servers are also IRC users. I think there's also a couple of news groups that are appropriate (search your local lists of newsgroups for the string "irc").

If you ask for help from any other parties, I'd suggest putting some careful thought into crafting your questions --- most people won't spend nearly the time that I just have on answer a question that's presented as badly as this.

Sendmail on private net with UUCP link to Internet

From rkblum on Tue, 15 Dec 1998

Hello Answer Guy!

Thanks for all of your excellent advice. I really enjoy your columns. In your December issue, you had an answer for RoLillack for using Sendmail on a local private network. You mentioned that your network is connected to the Internet via a UUCP hub for mail purposes. I would like to follow-up on that comment.

I do volunteer work at a local K-6 school and we were looking for a similar mail solution. Your answer got the wheels rolling and we think we have a good, inexpensive e-mail solution for the school. The only piece that we are missing is the sendmail.cf file for the UUCP hub. We have not been able to find a good example of how to configure the hub to route all outbound mail to the ISP UUCP host, as well as not do DNS lookups for our clients running Eudora. Unfortunately, we have not been able to find the SendMail book in our local bookstores. We would appreciate any help you could give us in this direction.

I don't know how you'd convince Eudora and other mail user agents not to do DNS queries for MX records. I use a trick with sendmail (specifying an IP address of the form '[192.168.1.x]' --- note the square brackets --- in my nullclient.mc file).

In my case I have an "all Linux" network. The rare occasions when I try to run some MS or Apple based OS around generally don't involve setting them up with access to the Internet and certainly don't involve my trying to read my mail on them.

You might be able to do the same, or you might have to create a DNS server that "claims" to be authoritative for the root domain (then one called ".").

I've heard of people setting up these sorts of disconnected DNS zone but I don't have an example handy. I'd suggest grabbing the DNS HOWTO and searching through the archives of the Linux-admin list for some suggestions on that.

Incidentally I hear there are some pretty good Linux Users' Groups in Indiana. Sadly I note that there is no SAGE (SysAdmin's Guild) chapter for your area. USENIX/SAGE is hoping to greatly expand the number of SAGE local chapters around the world and across the country in the near future. All it takes are a few professional system administrators to get together (SAGE is OS neutral, though the membership shows a decided preference for Unix-like systems).

As for my particular setup, here's the M4 config file from one of my clients:

divert(0)dnl
VERSIONID(`@(#)clientproto.mc	8.7 (Berkeley) 3/23/96')

OSTYPE(linux)
FEATURE(nullclient, `[192.168.1.3]')

... that's all you need. You can then use m4 to generate a /etc/sendmail.cf file from this (as I've described in past columns. Newer versions of sendmail provide a 'makefile' to make this generation step even easier.

The effect of this .mc file is to forward all mail to my mail hub (which is the mail store for my LAN and is the gateway to the rest of the world).

On my client workstations I retrieve mail using 'fetchmail' (via POP-3). Thus if I mail 'star' (my wife) the mail gets sent to 'antares' (the hub) even though she has an account on the local host. This means that she, my father, and others with accounts on my workstation, don't need to maintain .forward files on 'canopus' or any of the other workstations around the house. All of their mail (and mine for that matter) gets sent to antares.

My mail gateway's .mc file looks like:

divert(-1)
divert(0)dnl
include(`../m4/cf.m4')dnl
VERSIONID(`$Id: issue36.html,v 1.3 2003/02/03 21:50:25 lg Exp $ by James T. Dennis, Starshine.org $Date: 2003/02/03 21:50:25 $')
OSTYPE(`linux')

FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`nodns')dnl
FEATURE(`nocanonify')dnl
FEATURE(`local_procmail')dnl
FEATURE(`uucpdomain')dnl

MAILER(`smtp')dnl
MAILER(`uucp')dnl
MAILER(`procmail')dnl
MAILER(`uucp')dnl

MASQUERADE_AS(`starshine.org')dnl

undefine(`BITNET_RELAY')dnl
define(`confDEF_USER_ID',"8:12")dnl
define(`SMART_HOST', `uucp-dom:XXXX')dnl

On this last line I have the name of my UUCP provider listed in place of those X's. By defining a mailer and host pair for my SMART_HOST I force 'sendmail' to deliver all of my non-local mail to my UUCP provider through the "uucp-dom" mailer. "uucp-dom" is a mailer that delivers mail via uucp even though it uses "domain style" (DNS) address syntax.

This last file is probably a bit more elaborate than you actually need --- and it's simplified a bit for this example.

(I actually use the "mailertable" FEATURE to trick the system into deliver mail that appears to be to one of my LAN hosts into delivering it to a virtual hosted mail server that's really maintained by my ISP).

Thanks again for all of your great answers!

Rich Blum
Trader's Point Christian Schools
Indianapolis, Indiana

I'm glad I could help. You are right, UUCP is still a good way to get e-mail and netnews without getting a full Internet connection and without having the connection used by web browsing or other protocols which you might prefer not to run into your site. (Conversely it's also a great way to preserve your PPP bandwidth to interactive uses while your mail and/or news gets spooled quietly away for other times).

Re(2): Sendmail on private net with UUCP link to Internet

From rkblum on Wed, 16 Dec 1998

Jim -

Thanks for your quick response and acurate answers! The sendmail.cf sample you sent was exactly what we needed. I think that I unneccessarilty muddied the waters with my Eudora question. It turned out that it was not a DNS problem with Eudora, it was my mistake of not having the IP addresses in the ip_allow. The Eudora clients work fine now. I have asked our local bookstore to order the SendMail book for me - I think I need it!

Thanks again for your help - keep up the good work!

Rich Blum

Complaint Department:

From T Elliot on Sun, 20 Dec 1998

Having worked with Unix (1983-1989) and (gasp) MS-DOS (from DOS 2.11) and Windows (from Win 3.0 to NT Server 4.0 - I once installed the NT5 beta, but decided it was too risky) and occasionally been tempted into trashing my spare PC to install Linux, one of the biggest problems I find with Linux is the lack of coherent tools and user interfaces.

If I install a package under Windows, I get a shortcut to the program(s) via a menu or window (program group).

So don't use it.

Do the same under Linux and then I have to write down the main program name or remember it (after examining the files to be installed so I can figure out what the actual command is) - sure it will probably be installed in the path, but I'm getting old and the memory is failing.

Yep. I know. Tough isn't it?

My spare PC is currently running RedHat 5.2 and this afternoon I downloaded Code Crusader et al and therein lies the tale... NOT ccrusader, NOT codecrusader or variations thereof, but "jcc" - no additions to the "start menu" if using Fvwm2 or any other window manager, in fact, no indication that the system had new software except that the disk free space had decreased.

Until this type of thing is resolved, then Linux will only gain the support of the lab-coats or the enthusiast.

... and professionally administered sites where a sysadmin or delegate evaluates packages before installing them --- figures out what is going where and deploys them according to their needs.

This is a rather boring message. I'm not the Linux complaint department. You can send your suggestions to Red Hat Inc., S.u.S.E., Caldera, and many others.

Incidentally, S.u.S.E. does have some scripts that maintain your system default window manager menus when you install new packages.

As for the implied suggestion --- I know that some people at Red Hat are working on something like this. However, since there is no central authority over Linux development and there are no "code and interface police" to enforce your notion of "how things should be done" --- there are practical limits to what can be accomplished.

For those that care, the usual technique I use when installing RPM's is to list and/or browse the contents of the package before I install it. You can list them with a command like:

rpm -qpl <package.file.name>

... and you can narrow that do just the docs using:

rpm -qpd <package.file.name>

You can browse through an RPM file interactive using Midnight Commander ('mc'). Just highlight the file using mc's "Norton Commander inspired" interface and hit [Enter]. This will traverse down into the RPM file as though it were a directory tree --- and you can browse through and view the file contents to your heart's content.

When you use mc's [F3] key to view a file, it can interpret several types of files. Thus you can view the man pages from inside of an RPM file without installing anything.

Since many of the most useful programs available under Linux and other forms of Unix are designed as filters, or intended to be run as services (possibly as dynamically launched 'inetd' based daemons) or cron jobs --- or are otherwise non-interactive --- it often doesn't make sense to add menu options for them.

However, I've suggestion to Red Hat and S.u.S.E that RPM maintainers and builders be encouraged to add entries for programs that constitute "user interfaces" (for character mode and/or X Windows --- and for any other interfaces that might arise in the future --- such as Berlin). One of Red Hat's senior people disagreed with the whole notion, though that may be more a deficiency in my presentation than anything.

PS. My main PC runs NT server 4.0 sp4 with sql server, iis, etc, etc. I use it for software development using DevStudio (c++) and even though I have to reboot the &^^% thing every time I touch something in its config, I'd rather that than guessing at what I've installed and what the comand line is.

Great. More power to you. So, do a Yahoo! search to see if you can find the "complaintguy" somewhere. Let me know if you find him (or her) and I'll bounce mail like this to the appropriate venue.

The problem here is that you seem to have confused me with some Linux advocate. I use Linux and I prefer it to other systems that I've used (although FreeBSD is a very close second).

I've espoused the opinion, on several occasions in this column, that the selection of any tools (software or otherwise) should be done through a process of requirements analysis. Some requirements can be met with a number of solutions. So, after we've found a basic list of possible solutions that meet the requirements we can narrow down that list by measuring them against our constraints and make final selections (if choices still remain) based on preferences.

The time is rapidly approaching when you can run a complete KDE or GNOME system and never see a command line. Developers of KDE, GNOME, and eventually GNUStep applications will be free to integrate their interfaces in the ways that are appropriate to each of those systems.

The KDE developers have already shown an amazing predilection for generating KDE interfaces to existing programs. Once nice thing about Linux and Unix is that it's relatively easy to design an application in a client/server model --- and to provide multiple front ends (clients) which each provide unique forms of access to the same application functions. This is just good programming design.

Another nice thing is that we can concurrently run programs from many GUI's under the same desktop. Thus I can run a GNOME application under KDE and vice versa. Indeed using VNC and XNest I can run whole X sessions within a window under one of my X sessions.

Of course, people who just stick with the front ends will be constrained from access many of those powerful filters and tools that I described earlier. It's unlikely that front ends will be built for all of them.

However, most people only use a few applications, anyway.

PPS. The main gripe is - USER TOOLS and EASE OF CONFIGURATION.

So find someone to gripe to. I'm here to answer questions.

(P.S. the various "advocacy" newsgroups are perfect for this sort of message).

More on "Complaint Department"

From T Elliot on Fri, 25 Dec 1998

Thank you for your comments and suggestions. I appreciate that I have probably wasted your time, but you have answered most of my questions (including to whom to gripe).

If I was worried about "wasting my time" I wouldn't have signed up for this.

However, one of the few rights I reserve for myself in this column is the right to be a curmudgeon.

eql Not Working

From Brett on Thu, 24 Dec 1998

I have had absolutely no luck with eql getting my two USR 56k modems working in sync. I can get both of them connected, but only one uses bandwidth... and if I disconnect #1 then #2 takes over the bandwidth job... I am just wondering if I can get this working and somewhere that you could point me to get it working... any reply would be much appreciated...

If you read the eql docs carefully I'm pretty sure it points out that you must establish both connections to a server/router/terminal server that supports this mode of operation. Essentially you must be connected to two modems on a single other system running something that is like and compatible with eql.

If ISP isn't specifically working with you on this --- then you won't be able to get it working. So call your ISP and explain your needs to them. According to the README.eql file Linux eql driver is compatible with the load balancing (round robin routing) on some Livingston (CommOS?) router/terminal servers.

I suggest a careful re-reading of /usr/src/linux/drivers/net/README.eql

... and perhaps a follow up of that FTP link to see if there are any updates are additional notes available on that site. There are a couple of e-mail reports from users appended to this file --- perhaps one of them can help more. I've never used the eql drivers since speed was never my problem with online access --- it's just the latency and dial time delays that used to drive me crazy.

Upgrade Kills Name Server

From Anonymous on Fri, 25 Dec 1998

I just upgraded"= to Red Hat 5.2 and set up everything as I had it before and now I get the following:

fetchmail: POP3 connection to mail.nashville.com failed: temporary name server error

Netscape can't recognize mail.nashville.com either. I am having to send this from Windows email.

My etc/hosts file looks the same as it did before. What other files do I need to check and/or post?

Thanks!!

I'm just going to guess that the upgrade renamed some of your files (probably your DNS zone files, possible even your /etc/resolve.conf) to add the 'rpmorig' extension.

So, search for rpmorig files and look for the files that were put in place of them. You'll have to manually resolve the differences. (Use the 'diff' program).

I've complained to them before about their penchant for moving your files out of the way when they to a upgrades. Their concern is that the old configuration files may be incompatible with the new ones. I've said that the disruption caused by users doing an upgrade when they never realized or tracked which files there changed and "configured" tends to outweigh the chances that a new package upgrade will completely fail when presented with an older format of its own configuration file.

One problem to consider is that you old version of Linux may have been running BIND 4.9.x or earlier (I'm guessing that your system is providing it's own DNS services). The new version (5.2) might be installing BIND 8.1.2. These do have incompatible file formats for the base configuration file --- however the name has chagned too. The old one used named.boot. The new version uses /etc/named.conf. There is a utility with the package to convert a named.boot file to named.conf format. Actually the new format is much easier to set up.

Anyway it is almost certain that you need to configure your 'named' (BIND).

Unix mail doesn't normally refer to your /etc/hosts file since that can't convey information about MX records and preferences. SMTP mail routing is done via MX records --- not by host address (A) records. So it doesn't matter what your /etc/hosts file look like for this.

MS Applications Support For Linux

From Marty Bluestein on Fri, 25 Dec 1998

Is there a mechanism that enables MS apps to run under Linux? Is anyone working on an autoloader for Linux?

There are a few projects. The most prominent is WINE (http://www.winehq.com). The goal of WINE is a complete re-implementation of the Windows API's to achieve full binary compatibility under any x86 Unix with X Windows (Linux is the predominant platform but any other modern x86 Unix should be a reasonable platform for WINE).

Another is Bochs (which has recently moved it's web pages to http://www.bochs.com). Bochs is a package which emulates an x86 CPU and PC chipset (similar to Connectix' "Virtual PC"). It runs on any platform that can compile its C sources. I've heard that it works reasonably well but is to slow for production use (for running Win 95 or 98 on a PC). Considering that you're using a PC to emulate a full PC CPU and chipset this is not a surprising limitation.

For older MS Windows applications (3.1 and earlier) you might try WABI --- a commercial Windows Applications Binary Interface which is available for Linux from Caldera (http://www.caldera.com). This is not be updated and is unlikely to ever support Windows '95 or later applications.

For DOS (non-Windows) you can run a copy of MS-DOS, DR-DOS FreeDOS or just about any other "real mode" x86 OS under the Linux 'dosemu'. (Just search for it in Yahoo! using "+linux +dosemu").

[ Its home page is hosted by SuSE ... http://www.suse.com/dosemu/ ... I use it to run dBase stuff and it works pretty well at this point. -- Heather ]

The DOS support is pretty good these days, though I don't use any MS-DOS applications any more so I don't have much first hand experience with it. The WABI support was pretty fast (it felt faster running typical Windows 3.x programs under Linux than it did under native MS-DOS on similar hardware --- probably do to Linux more efficient filesystem and memory management).

When thinking about the limitations of Linux support Win '9x and NT applications support (Win 32S) it is helpful to keep in mind that these limitations are almost certainly a key design goal at Microsoft. Although Linux was not on thier "radar" during the design of Windows '95 and NT --- OS/2 certainly was.

Enmeshing the interfaces at various levels to make applications difficult or impossible to support under competing operating systems is one of the key strategies that Microsoft employs. The current DoJ case against them is only a tip of the backlash that consumers are now directing to this monopoly. The fact that Linux installation tripled in the last year --- and that many organizations are now considering Linux for their desktop applications platform is ample evidence of that.

* (personally I think it's still a bit premature to be touting Linux as typical workers desktop system --- though the introduction of Corel's WordPerfect for Linux, and the release of an updated Wingz Professional for the platform do certainly bode well for the coming year. I've heard that Applixware 4.4.1 is also greatly improved and the next version of StarOffice 5.x should stabilize and mature that suite. Meanwhile GNOME, KDE, LyX, and GNUStep are plodding along towards "prime time" availability).

So that fact that there is only limited support for MS apps under Linux is a testimony to the skills of Microsoft's programmers. We can surmise that preventing these applications from running on non-Microsoft operating systems was given higher priority than robustness, security, stability, integrity, or performance.

Probably the only features that were given priority over "trap the user" were those that would enable magazine writers, and corporate purchasing agents to "review" the products and feel that they had evaluated them with about 15 minutes to an hour of actual work time exposure. This forces the application programmer to put all sorts of "features" onto menus, button bars, toolbars, icon ribbons, and otherwise clutter the screens and windows. This is an endemic problem in commercial software --- it's written to get reviews and make sales, not to satisfy long term users.

Of course an alternative to direct MS Applications support is support for their document formats. However this is another of those key "customer trapping" opportunities. They do everything short of strong (non-exportable) encryption to lock your data into .DOC, .XLS, and .PPT formats. The latest Linux applications suites and word processors are making some headway in this --- and I can often extract contents from Word '97 files without too much fuss. Earlier versions of Word are pretty well supported at this point.

You can bet that the next version of Office will egregiously break format compatability. MS can't allow its customers any freedom of choice or portability of documents to "other" platforms. That's much too dangerous to their upgrade revenue scheme.

I've talked about MS Windows support and the evils of proprietary document formats before. I personally think that the only rational remedy for Microsoft's monopolistic practices would be for the DoJ to impose a rule that MS produce freely available (open source) "reference implementations" of standards C source code to peform a reasonable suite of conversions and manipulations on all "documents" produces by their applications (including .EXE and .DLL "documents" produced by their programming "applications"). Under this plan any upgrade to any MS product that failed compatibility test suites with there freely available reference implementation (converters, tools and filters) would result in an immediate injunction on distribution until the reference implementation as updated and vetted as compatible.

(Note that I didn't say that MS has to release any of the sources to any of their products. Only that they must release some reference implementation that is compatible with the file formats, and freely usable in competing products --- free and commercial. Their contention is that their products enjoy superior market share as a result of superior interface and integration with one another --- this would give them a unique opportunity to prove that).

I have no idea what you mean by an "autoloader for Linux."

Thanks.
Marty Bluestein

Automount/autoloader

From Marty Bluestein on Fri, 25 Dec 1998

OK. Guess I should have fully read your message before I responded. By the term "autoloader" I mean a self installing function - you stick in the CD and Linux (or some other OS) sets itself up. I wasn't aware that MS was already loading their user's work (.DOC,. XLS, etc.) with gotchas. I wonder if the DoJ is aware of and pursuing this?

Marty

There are several packages that will automatically mount CD's (and floppies, NFS directories etc) for Linux. This is referred to generically (under Unix) as "volume management" or "automounting" (the latter term is more often used with regards to network file systems while the former is exclusively used for local media).

Under Solaris there is a daemon called 'vold' that manages CD's.

Under Linux you can use the 'amd' (automount daemon) or an old program called "Supermount" (Stephen Tweedie, if I recall correctly). Under newer Linux kernels you can look for a module called "autofs".

I haven't played with these much so I can't give real advice on using them. However, you now have some key words to search on. If you get one of them working in a way that seems like it would meet a typical requirements scenario --- write it up as a mini-HOWTO and solicit people to contribute sample configurations and descripts for other common usage scenarios (or at least write up an "unmaintained" mini-HOWTO and encourage the readers to adopt and maintain it.

More on: MS Apps Support

From Marty Bluestein on Fri, 25 Dec 1998

Although my ire against Gates, et al would like to see a good platform running his apps that will probably be a moving target. Better, I think, to develop a good set of apps that can work on the docs that MS apps produce. MSs response would have to be to encumber a user's work with junk to make it incompatible with any other apps. The result of that could very well be disaster for MS. Could you imagine having your work suddenly become incomprehensible because of the cute little things your app put in it?

Marty

I don't have to imagine this scenario. I've seen it happen many times.

MS Applications Support For Linux

From Marty Bluestein on Fri, 25 Dec 1998

You are right on. My appreciation of MS coincides with yours. I wish I had the time and the money to pursue that emulation of 95 and NT. Even better would be a good, competitive set of apps. Corel's latest release for Linux may indicate some movement in that direction. TNX for your response. Happy Xmas.
Marty Bluestein

More on: MS Apps Support

From Marty Bluestein on Sat, 26 Dec 1998

I've just installed Redhat. It is "auto loading". I now have a problem which Redhat and I must resolve. I'll write it up and post it when it's corrected. To whit.. WIN95 now crawls along as if it had a bigger bag of sand on it's back. Re MS: I'd rather see MS broken up into two separate companies. One doing APPS and the other doing OS. TNX for responses. HAPPY XMAS, MERRY CHANUKAH, SWINGING KWANZA and JOYFUL RAMADAN.

I can't help with the Win '95 problem. It's probably confused about WINS (Windows Naming System) or some other networking issue.

Re: Breaking up MS. Historically this has done NO GOOD with other monopolies. Go read a decent historical account and business analysis on JP Morgan (and wash that down with some Noam Chomsky). I'd recommend a book for you --- but I'd have to refer to my father to find one. My knowlege is definitely second-hand on this --- but I've discussed it with a couple people whose background in the fields of finance and history I respect.

Breaking them up is a fundamentally flawed approach. The controlling interests -- the OWNERS will still be the same. The resulting companies would clearly have mutual interests, complementary product lines, and interlocking boards of directors.

Unfortunately this approach would "appease" the masses and actually work in Bill G's favor (as it did with JP Morgan). It will allow the DoJ to appear competent and be touted as a "tough on (corporate) crime" victory. So, it's the most likely outcome.

It's also just about the worst way to deal with the problem. (It's even worse than sitting back and doing nothing) since it sets another bad precedent.

Linux as a Home Internet Gateway and Server

From Nilesh M. on Thu, 24 Dec 1998

Hi,

I just have some questions about setting up linux to run as a server for my home computer and to share an internet connection and also to setup as a server for the internet.

O.K. That is three different roles:

1. Network Server (which services)
2. Internet Gateway (proxy and/or masquerading)
3. Internet Host/Server (which services)

It is possible for Linux to concurrently handle all three roles --- though having all of your "eggs in one basket" may be not be a good idea with regards to security and risk assessment.

Traditionally your concerns would also have encompassed the capacity planning --- but a typical modern PC with 200+ Pentium processor, 32Mb to 256Mb of RAM and 4Gb to 12Gb if disk space has quite a bit of capacity compared to the Unix hosts of even 5 to 10 years ago.

Do you know if I can setup a linux box with one 10mbs ethernet for a modem and a 100mbs ethernet for a network in my house? Where do I start and how would I do it.

I presume you're referring to a 10Mbps ethernet for a cable modem, ISDN router (like the Trancell/WebRamp, or the Ascend Pipeline series), or a DSL router. These usually provide 10Mbps interfaces and act as routers to the cable, ISDN or xDSL services to which you're subscribed.

It's certainly possible for you to install two or three ethernet cards into a Linux system. Any decent modern 100Mbps ethernet card will also automatically handle 10Mbps if you plug them into such a LAN. So you'd just put two of these cards into your system, plug one into your router and the other into your highspeed hub.

You often have to add the following line to your /etc/lilo.conf to get kernel to recognize the second ethernet card:

append="ether=0,0,eth1"

... the 0,0, is a hint to autoprobe for the IRQ and I/O base address for this driver. Alternatively you might have to specify the particulars for your cards with a line like:

append="ether=10,0x300,eth0 ether=11,0x280,eth1"

... instead. This line must be present in each of the Linux "stanzas" (groups of lines which refer to different Linux kernels with their corresponding root filesystem pointers and other settings).

Of course you must run the /sbin/lilo command to read any changes in your /etc/lilo.conf file and "compile" them into a new set of boot blocks and maps.

If you have a normal modem connected to the system --- it's possible to use that as well. You can use PPP (the pppd program) to establish Internet connection over normal phone lines. There are also internal ISDN, T1 "FRADs" (frame relay access devices) and CSU/DSU (or Codecs --- coder decoder units) that can be installed into your PC and controlled by Linux drivers.

I've seen references to the ipppd to control some sorts of internal ISDN cards. I think most of the others have drivers that make them 'look like' a modem or ethernet driver to Linux.

I just want to buy two 100mbs ethernet cards to hook up to each other... so I don't think I'd need a hub do I? I only want two computers hooked up to this makeshift network.

You either need a hub, or you need a "crossover" ethernet patch cord. A normal cat 5 ethernet patch cord isn't wired correctly to directly connect two ethernet cards.

Any help would be appreciated, especially something like a link to a document which would give me a step by step setup.

I don't have such a link. As you may have realized there are a couple of hundred HOWTO documents on Linux and many of them relate to configuring various services.

Let's go back to our list of different roles:

Network Server (which services) Internet Gateway (proxy and/or masquerading) Internet Host/Server (which services)

Starting at the top. You have a small network that is not normally connected to the Internet (there isn't a permanent dedicated Internet connection). So, you probably want to use "private net" addresses for your own systems. These are IP addresses that are reserved --- they'll never be issued to any host on the Internet (so you won't create any localized routing ambiguities by using them on your systems).

There are three sets of these number:

192.168.*.* 255 Class C nets 172.16.*.* through 172.31.*.* 15 Class B nets 10.*.*.* 1 Class A net

... I use 192.168.42.* for my systems at home.

... These addresses can also be used behind firewalls and Internet gateways. The classic difference between a router and a gateways is that a router just routes package between networks (operating at the "transport" layer of the ISO OSI reference model) while a gateway does translation between protocols (operating at the applications or other upper layers of the reference model).

In the case of Linux we can configure our one Linux system to act as local server and as an Internet gateway. Our gateway can operate through "proxying" (using SOCKS or other applications layer utilities to relay connections between our private network and the rest of the world), or through IP masquerading (using network address translation code built into the kernel to rewrite packets as they are forwarded --- sort of a network layer transparent proxying method).

However, we're getting ahead of ourselves.

First we need to setup our Linux LAN server. So we install Linux and configure its internal ethernet card with an IP address like 192.168.5.1. This should have a route that points to our internal network, something like:

route add -net 192.168.5.0 eth0

... to tell the kernel that all of the 192.168.5.* hosts will be on the eth0 segment.

Now, what services do you want to make accessible to your other systems.

By default a Linux installation makes a common set of services (telnet, NFS, FTP, rsh, rlogin, sendmail/SMTP, web, samba/SMB, POP and IMAP etc) available to any system which can reach you. Most of these are accessible via the "internet service dispatcher" called 'inetd'. The list of these services is in the /etc/inetd.conf file. Some other services, such as mail transport and relaying (sendmail), and web (Apache httpd) are started in "standalone" mode -- that is they are started by /etc/rc.d/*/S* scripts. NFS is a special service which involves several different daemons --- the portmapper and mountd in particular. That's because NFS is an "RPC" based service.

The fact that any system that can route packets to you can request any service your system offers, and the fact that most Unix and Linux systems offer a full suite of services "right out of the box" has classically been a major security problem. Any bug in any service's daemon could result in a full system compromise which could be exploited from anywhere in the world. This is what led to the creation of TCP Wrappers (which is installed in all major Linux distribution by default --- but is configured to be completely permissive by default). It is also why we have "firewalls" and "packet filters."

It's tempting to think that you'll be too obscure for anyone to break into. However, these days there are many crackers and 'script kiddies' who spend an inordinate amount of time "portscanning" --- looking for systems that are vulnerable --- taking them over and using them for further portscanning sniffing, password cracking, spamming, warez distribution and other activities.

I recently had a DSL line installed. So, I'm now connected to the Internet full time. I've had it in for less than a month and there are no DNS records that point to my IP addresses yet. I've already had at least three scans for a common set IMAP bugs and one for a 'mountd' bug. So, I can guarantee you that you aren't too obscure to worry about.

You are also at risk when you use dial-up PPP over ISDN or POTS (plain old telephone service) lines. The probabilities are still reasonably on your side when you do this. However, it's worth configuring your system to prevent these problems.

So, you'll want to edit two files as follows:

		/etc/hosts.allow
		ALL:LOCAL

		/etc/hosts.deny
		ALL:ALL

... that's the absolute minimum you should consider. This configuration means that the tcpd program (TCP Wrappers) will allow access to "local" systems (those with no "dots" in their host names, relative to your domain), and will deny access to all services by all other parties.

For this to work properly you'll have to make sure that all of your local hosts are given proper entries in your /etc/hosts file and/or that you've properly set up your own DNS servers with forward and reverse zones. You'll also want to make sure that your /etc/host.conf (libc5) and/or /etc/nsswitch.conf (glibc2, aka libc6) are configured to give precedence to your hosts files.

My host.conf file looks like:

		# /etc/host.conf
		order hosts bind
		multi on

and my /etc/nsswitch.conf looks like:

		passwd: db files nis
		shadow: db files nis
		group:  db files nis

		hosts:		files dns
		networks:       files dns

		services:       db files
		protocols:      db files
		rpc:		db files
		ethers:		db files
		netmasks:       files
		netgroup:       files
		bootparams:     files

		automount:      files
		aliases:        files

glibc2 has hooks to allow extensible lookup for each of these features through modular service libraries. Thus we'll soon be seeing options to put 'LDAP' in this services switch file --- so that hosts, user and group info, etc could be served by an nss_ldap module which would talk to some LDAP server. We could see some user and group information served by "Hesiod" records (over DNS or secure DNS protocols) using some sort of nss_hesiod module. We might even see NDS (Novell/Netware directory services) served via an nss_nds module.

But I'm straying from the point.

Once you've done this, you should be able to provide normal services to your LAN. Precisely how you set up your client system depends on what OS they run and which services you want to access.

For example. If you want to share files over NFS with your Linux or other Unix clients, you'd edit the /etc/exports file on your Linux server to specify which directory trees should be accessible to which client systems.

Here's an exports file from one of my systems:

# /       *.starshine.org(ro,insecure,no_root_squash)
# /       192.168.5.*(ro,insecure,no_root_squash)
/etc/   (noaccess)
/root/  (noaccess)
/mnt/cdrom 192.168.5.*(insecure,ro,no_root_squash)

... note I've marked two directories as "noaccess" which I use when I'm exporting my root directory to my LAN. I do this to prevent any system in the rest of my network from being able to read my configuration and passwd/shadow files. I only export my root directory in read-only mode, and I only do that occasionally and temporarily (which is why these or commented out at the moment). My CDROM I leave available since I'm just not worried about anyone in the house reading data off of any CD's I have around.

Keep in mind that NFS stands for "no flippin' security" --- anyone in control of any system on your network can pose as any non root user and access any NFS share "as" that user (so far as all filesystem security permissions are concerned. NFS was designed for a time when sites only had a few host systems and all of those were connected and tightly controlled in locked rooms. NFS was never intended for use in modern environments where people can carry a Linux, FreeBSD, or even Solaris x86 system into your office under one arm (installed on a laptop) and connect it to the nearest ethernet jack (now scattered throughout every corner of modern offices --- I've seen them in the reception areas of some sites).

To do filesharing for your Windows boxes you'd configure Samba by editing /etc/smb.conf. To act as a fileserver for your MacOS systems you'd install and configure 'netatalk'. To emulate a Netware fileserver you'd install Mars_nwe, and/or buy a copy of the Netware Server for Linux from Caldera (http://www.caldera.com).

There are ways to configure your system as a printer server for any of these constituencies as well.

Beyond file and print services we move to the "commodity internet services" like FTP, telnet, and HTTP (WWW). There's generally no special configuration necessary for these (if you've installed any of the general purpose Linux distributions).

If you create an FTP account in your /etc/passwd file then anonymous FTP will be allowed to access a limited subdirectory of files. If you rename this account to "noftp" or to "ftpx" or to anything other than "ftp" and/or if you remove the account entirely than you system will not allow anonymous FTP at all. If you allow anonymous FTP you can simply put any file that you want made public into the ~ftp/pub directory --- and make sure that they are readable. By default the FTP services are run through tcpd so they will respect your hosts.allow/hosts.deny settings.

If you're going to set up a "real" FTP site for public mirroring or professional "extranet" applications you'd want to use ncftpd, proftpd, or beroftpd instead of the now aging WU-ftpd or the old BSD FTP daemon (in.ftpd). These alternative FTP daemons have their own configuration files and can support virtual hosting and other features. In some of them you can create "virtual users --- accounts that are only valid for FTP access to specific FTP subtrees and/or virtually hosted services --- accounts that can be used to access any other service on the system.

Web services are controlled with their own configuration files. There are a couple of whole books just on the configuration of Apache servers. By default they let anyone view any web pages that you put into the 'magic' directories (/home/httpd/docs or something like that).

It's possible to limit access to specific directories according the the IP addresses (or reverse DNS names) of the clients. As with TCP Wrappers this should not be considered to be a form "authentication" --- but it can be used to distinguish between "local" and "non-local" systems IF YOU HAVE ANTI-SPOOFING PACKET FILTERS in place (a part of any good firewall).

telnet, rlogin, rsh, and other forms of interactive shell access are generally pretty easy to setup. Like many Unix/Linux services it is harder to disable or to limit access to these services than it is to allow it.

Under Red Hat Linux access to these and other "authenticating" services can be controlled by editing PAM configuration files under /etc/pam.d/

So, the short answer to the question "How do I set up Linux as a server?" is you install it, setup its address and routing, then you install and configure the services that you want to provide.

Now, when we we want to use Linux as a gateway to the Internet (or any other network --- to connect you home network to your office or to a friend's network) you first resolve the addressing and routing issues (set up your second interface and add the appropriate routes). Then you use IP masquerading or proxy services (SOCKS) to allow your systems (using the non-routable "private net" addresses) to access services on the Internet.

To use IP masquerading with the old ipfwadm code (as present in the standard 2.0.x kernels you just issue a command like:

ipfwadm -F -a accept -m -D 0.0.0.0/0 -S 192.168.5.0/24

... which adds (-a) a rule to the forwarding (-F) table to "accept" for "masquerading" (-m) any packets that are "destined for" (-D) anywhere (0.0.0.0/0) and are from source IP addresses (-S) that match the pattern 192.168.5.0/24 (an address mask that specifies the first 24 bits, or three octets as the "network portion" of the address --- and therefore covers that whole class C network).

You should definitely use a modular kernel and almost certainly should have 'kerneld' loaded when you use this masquerading technique. That's because there are several common protocols (especially FTP) which require special handling for masquerading (in the case of FTP there's a data connection that comes back from the server to the client, while the data connection when in the usual direction from the client to the server.

For this reason I actually prefer applications proxying. To use that you go to the "contrib" directory at any Red Hat site and download the SOCKS server and client packages. You install the server on your Linux gateway then you install the clients on any of your Linux clients.

On the SOCKS gateway you create a file: /etc/socks5.conf with something like this for its contents:

		route   192.168.5.     -       eth0
		permit  -       -       -       -       -       -

... there are many options that you can use to limit access to the socks gateway --- but this is the simplest working example.

On the Linux clients you create a file named /etc/libsocks5.conf with an entry in it that looks something like:

	socks5 	   -	-	-	-	192.168.5.2
	noproxy	   -	192.168.5.	-

... where the ".2" address is the one on which I was running this SOCKS server.

For the non Linux clients you have various different configuration methods. Most Windows TCP/IP utility suites (other than Microsoft's) support SOCKS proxies. There are replacement WINSOCK.DLL's that support this proxying protocol transparently for most/all other Windows services. The MacOS applications also seem to support SOCKS pretty widely.

There are a few alternatives to NEC's SOCKS servers. I've found "DeleGate" to be a pretty good one (search for it on Freshmeat). DeleGate as the advantage that you can use it as a "manually traversed" proxy as well as a "SOCKS" compatible one. The SOCKS proxying protocol allows the client software to communicate with the proxy server to relay information about the request to it, so that it can, in turn, relay that to a process that runs on the external servers. This is called "traversal."

Non-SOCKS proxies have to have some other traversal mechanism. Many of them are "manually traversed" --- I telnet or ftp to the TIS FWTK proxies (for example) and I log in as "myname@myrealtarget.org." --- in other words I encode additional account and destination information into the prompts where I'd normally just put my account name.

DeleGate allows you do use this manual traversal mechanism when you are stuck with a non-SOCKSified client.

I've also seen reference to another SOCKS server package called "Dante" --- that's also listed at Freshmeat (http://www.freshmeat.net).

There are also a few other types of proxies for special services. For example the Apache web server, and the CERN web server and a few others can be used as "caching web proxies." Squid can proxy and cache for web and FTP.

Some services, such as mail and DNS are inherently "proxy" capable by design. I can't adequately cover DNS or e-mail services in this message. There are full-sized books on each of these.

So that's the very basics of using Linux as a gateway between a private LAN and the Internet. If you get a set of "real" IP addresses, and you insist on using these to allow "DRIP" (directly routed IP) into your LAN you don't have to do any of this IP masquerading or proxying --- but you should do some packet filtering to protect your client systems and servers.

Good packet filtering is difficult. I alluded to one of the problem when I pointed out that FTP involves two different connections --- an outgoing control connection and an incoming data connection. There's also a "PASV" or "passive" mode which can help with that --- but it still involves two connections. This wreaks havoc with simple packet filtering plans since we can't just blindly deny "incoming" connection requests (based on the states of the "SYN" and "ACK" flags in the TCP packet headers. One of the "advantages" (or complications) of "stateful inspection" is that it tracks these constituent connections (and the TCP sequencing of all connections) to ensure consistency.

A decent set of packet filters will involve much more code than the set of proxying and masquerading examples I've shown here. I personally don't like DRIP configurations. I think they represent too much risk for typical home and small business networks. However, here's a sample

# Flush the packet filtering tables
/root/bin/flushfw

# Set default policy to deny

/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -O -p deny


# Some anti-martian rules -- and log them
	## eth1 is outside interface

/sbin/ipfwadm -I -o -W eth1 -a deny -S 192.168.0.0/16
/sbin/ipfwadm -I -o -W eth1 -a deny -S 172.16.0.0/12
/sbin/ipfwadm -I -o -W eth1 -a deny -S 10.0.0.0/8
/sbin/ipfwadm -I -o -W eth1 -a deny -S 127.0.0.0/8

# Some anti-leakage rules -- with logging
	## eth1 is outside interface

/sbin/ipfwadm -O -o -W eth1 -a deny -S 192.168.0.0/16
/sbin/ipfwadm -O -o -W eth1 -a deny -S 172.16.0.0/12
/sbin/ipfwadm -O -o -W eth1 -a deny -S 10.0.0.0/8
/sbin/ipfwadm -O -o -W eth1 -a deny -S 127.0.0.0/8

	## these are taken from RFC1918 --- plus
	## the 127.* which is reserved for loopback interfaces


# An anti-spoofing rule -- with logging
/sbin/ipfwadm -I -o -W eth1 -a deny -S 222.250.185.16/28

# No talking to our fw machine directly
	## (all packets are destined for forwarding to elsewhere)

/sbin/ipfwadm -I -o -a deny -D 222.250.185.14/32
/sbin/ipfwadm -I -o -a deny -D 222.250.185.30/32


# An anti-broadcast Rules
	## (block broadcasts)
/sbin/ipfwadm -F -o -a deny -D 222.250.185.15/32
/sbin/ipfwadm -F -o -a deny -D 222.250.185.31/32

# Allow DNS
	## only from the servers listed in my caching server's
	## /etc/resolv.conf

/sbin/ipfwadm -F -a acc -D 222.250.185.18/32 -P udp  -S 192.155.183.72/32
/sbin/ipfwadm -F -a acc -D 222.250.185.18/32 -P udp  -S 192.174.82.4/32
/sbin/ipfwadm -F -a acc -D 222.250.185.18/32 -P udp  -S 192.174.82.12/32

# anti-reserved ports rules
	##  block incoming access to all services
/sbin/ipfwadm -F -o -a deny -D 222.250.185.16/28 1:1026 -P tcp
/sbin/ipfwadm -F -o -a deny -D 222.250.185.16/28 1:1026 -P udp


# Diode
	## (block incoming SYN/-ACK connection requests)
	## breaks FTP
/sbin/ipfwadm -F -o -a deny -D 222.250.185.16/28 -y

## /sbin/ipfwadm -F -o -i acc \
##	-S 0.0.0.0/0 20 -D 222.250.185.16/28 1026:65535 -y
##	simplistic FTP allow grr!


# Allow client side access:
	## (allow packets that are part of existing connections)
/sbin/ipfwadm -F -o -a acc -D 222.250.185.16/28 -k

There are bugs in that filter set. Reading the comments you'll see where I know of a rule that handles most FTP --- but opens risks any services that run on ports above 1024 --- like X windows (6000+) etc. This would simply require the attacker to have control of their system (be root on their own Linux or other Unix system --- not too tough) and for them to create package that appeared to come from their TCP port 20 (the ftp data port). That's also trivial for anyone with a copy of 'spak' (send packet).

So, I have this rule commented out and I don't show a set of rules to allow localhost systems to connect to a proxy FTP system.

Note that these addresses are bogus. They don't point to anything that I know of.

The only parts of this set of filters that I feel confident about are the parts where I deny access for incoming spoofed packets (the ones that claim to be from my own addresses or from non-routable or "martian" addresses like localhost). I also have rules to prevent my system from "leaking" any stray private net and/or martian packets out into the Internet. This is a courtesy --- and it has the practical benefit that I'm much less likely to "leak" any confidential data that I'm sharing between "private net" system on my LAN --- even if I screw up my routing tables and try to send them out.

I've read a bit about ipfil (Darren Reed's IP Filtering package --- which is the de facto standard on FreeBSD and other BSD systems and which can be compiled and run on Linux. This seems to offer some "stateful" features that might allow one to more safely allow non-passive FTP. However, I don't know the details.

The 2.2 kernels will include revamped kernel packet filtering which will be controlled by the 'ipchains' command. This is also available as a set of unofficial patches to the 2.0 series of kernels. This doesn't seem to offer any "stateful inspection" features but it does have a number of enhancents over the existing ifpwadm controlled tables.

Your last question was about configuring Linux as an Internet server (presumably for public web pages, FTP or other common Internet services.

As you might have gathered by now; that is the same as providing these service to your own LAN. Under Linux (and other forms of Unix) any service default to world-wide availability (which is why we have firewalls).

I've spent some time describing how Linux and other Unix systems need to be specially configured in order to limit access to services to specific networks. Otherwise someone in Brazil can as easily print document on your printer as you.

To be an Internet server all you have to do is have a static IP address (or regularly update your address record at http://www.ml.org). Once people know how to route requests to your server --- assuming you haven't taken steps to block those requests --- Linux will serve them.

Most of the challenges in setting up networks relate to addressing, routing, naming and security. Most of us still use "static" routing for our own networks --- just manually assigning IP addresses when we first deploy our new systems. Most of us with dial-in PPP get dynamic IP addresses from our ISP's. Some sites now use DHCP to provide dynamic addresses to desktop systems (servers still need consistent addresses --- and using DHCP for those just introduced additional opportunities for failure).

For routing, subnetting, and LAN segmentation issues --- read my posting on routing from last month (I think Heather is publishing it this month). That's about 30 pages long!

(The one thing I glossed over in that was "proxyarp" on ethernet. It's covered in another message this month so glance at it if you'd like to learn more.)

I hope I've imparted some hint on the importance of considering your systems security. Even if you have nothing of value on your systems --- if the thought of some cracker vandalizing your files for kicks is of no concern to you --- it is irresponsible to connect a poorly secured system to the Internet (since your compromised system may be used to harass other networks).

I would like to write a faq about this after I'm done... hopefully I can help other after a bit of exprimenting myself.

While the offer is appreciated --- it would be more of a book than an FAQ. However, I would like to see some "Case Studies" --- descriptions of typical SOHO (small office, home office), departmental, and enterprise Linux (and heterogenous) installations.

These would include network maps, "sanitized" examples of the addresses, routing tables and configuration files for all services that are deployed in the network, on all of the clients and servers present. Company, domain and other names, and IP addresses would be "anonymized" to discourage any abuse and minimize any risk represented by exposure. (E-mail addresses of the contributors could be "blind" aliased through my domain or hotmail, or whatever).

The important thing here is to define the precise mixture of services that you intend to provide and the list of users and groups to which you intend to provide them. This is a process that I've harped on before -- requirements analysis.

You need to know who you are serving and what services they need.

Thanks
Nilesh.

Persistent Boot Sector

From Hummingbird Designs on Thu, 24 Dec 1998

Hi,

I installed Linux on my PC at work and had everything working with System commander, I have to use NT for some apps we use at work.

anyway, I was trying to get the nic card working so I tried using the setup tool to install the kernel from the Cdrom that is used to install linux off a network. Now everytime I turn on the machine it gives me the screen as if I had installed a bootdsk like when you first install Linux. I have done EVERYTHING I know of to get that out of there . . .I used a zerofill utility that goes over each and every sector of every track and fills it with 0's including the MBR. and that damn message still comes up everytime I boot. . . I was thinking of removing my Hard drive and seeing if it flashed my BIOS or something cause according to Quantum9its a quantum drive) their utility is almost like a low level format.

"the setup tool..." (what setup tool?) "the screen as if I had installed a bootdsk[sic]" (what screen?) "EVERYTHING" (what is "everything?"). "zerofill utility" (what utility?) "that damn message" (what damn message?).

You do seem to be a bit sketchy on the specifics so I'll have to guess.

You had (some distribution of) Linux installed on your system in a dual boot configuration with NT. You were using System Commander as your primary boot manager. Presumably you installed LILO (the Linux loader) into the "logical boot record" (the "superblock") of one of your Linux filesystems (presumably the root fs). While trying to configure or troubleshoot some problem with a network card (NIC) you used some sort of "setup" utility which somehow configured your system to bypass System Commander's boot record (presumably by overwriting it with a copy of LILO). You've tried some ways to restore your System Commander installation, and/or to build a new MBR, and those have been unsuccessful.

O.K. Given that guess work I have a hypothesis. You may have run something like 'FDISK /MBR' from your NT boot disk. This may have enabled the active partition in your MBR. The DOS MBR code would load the logical boot record of the active partition. If your Linux partition (with its copy of LILO in the superblock" ) just happened to be the active partition at the time --- you might see that copy of LILO (one of two that had been installed on your disk, one on the MBR and the other in the LBR/superblock) as the first screen on boot up.

(I'm not sure this scenario accounts for all of your symptoms since this is all based on guesswork).

I have no idea what your "zero fill" utility is doing --- but it almost certainly is not zero'ing out track zero of your hard drive (including the MBR). That would render the system unbootable and would destroy the primary copy of your partition table (the last 50 bytes or so of the MBR). The Linux/Unix command to do this is very simple:

dd if=/dev/zero of=/dev/hda bs=512 count=63

... where /dev/hda is the first IDE drive, 512 is the bytes per sector and count is the number of sectors in a typical track. DON'T DO THIS! (If you insist on doing this, first double check which device you want to use, the first IDE is /dev/hda and the first SCSI is /dev/sda, then check the number of sectors per track --- which should be listed in your CMOS setup for an IDE drive and would be listed in your vendor documentation and possibly by your SCSI adapter diagnostics firmware).

You could save a copy of your MBR and partition table using dd with a command like:

dd if=/dev/hda bs=512 count=1 of=/root/mbr.bin

... which you can use in scripts to compare and replace your MBR in future mishaps.

It's possible that System Commander's boot loader is still in the MBR --- but that it's been configured to skip it's opening menu/selection prompting and boot directly off of your Linux partition.

Of course it's also possible that Linux as completely taken over your system; that's it's run amok and overwritten every partition and drive on the system. In my experience that would only happen if you (or someone) told it do do this. I've never seen Linux touch any part of a hard drive unless it was "told" to do so. (Unlike MS-DOS, OS/2, and Windows which periodically trash the MBR when they hang --- apparently scribbling register or random memory contents over track zero, sector zero when those zero's just happen to be in the the register during the dying spasms of those systems).

There is virtually no chance that Linux touched your flash BIOS --- so this is not a bug in your firmware. I'd say that this "zerofill" utility is highly suspect. Obviously Linux users just use the 'dd' command for this sort of thing.

As for how to fix you problem. You could try re-installing System Commander. I've never used it --- but it seems that it can find most types of partitions during installation --- so it should be able to find your NT and Linux filesystems and install a new copy of it's boot loader code to start either of these systems. I've never used System Commander --- but it is commercial software --- so it SHOULD come with some technical support. Perhaps they can walk you through the re-installation.

Keep in mind that LILO can still be installed on your MBR, your superblock, or both, so it might still show up after you have System Commander or NT's boot manager installed. It should then only come up after you've selected an option from your primary boot loader. This can be a bit confusing --- so you can reconfigure lilo to bypass any prompts or delays when you're calling it in this fashion.

Keep in mind that you can also find, download, and install LOADLIN.EXE into a DOS directory somewhere on your system. You can use that instead of LILO (it's a DOS program that loads linux kernels). I've heard a rumor that there is an NT native console application (an NT .EXE that you'd run under a CMD.EXE shell) to load Linux. I've never seen it.

If you end up having to re-install Linux and NT (probably unnecessary --- but it might be the easiest way) you can configure Linux to boot from floppy and never touch the boot records on your hard disk. It's also possible to configure Linux to use some other hard disk on your system --- and not have it touch your primary drive at all.

Read through back issues of this column and go through the various multi-boot HOWTO's and mini-HOWTO's at the LDP site (http://metalab.unc.edu/LDP) and it's mirrors. There are many options.

C's from home and a nic card I know to install linux over the network and see if that gets rif of it.

I don't get this at all. How would you expect installing Linux (over a network or otherwise) to get rid of a Linux boot loader.

any help would be appreciated
Brian Korsund

Secondary MX Records: How and Why

From Craig Capodilupo on Thu, 24 Dec 1998

Some domains have multiple MX records. Sometimes the MX record of lower preference, say 20, is an off-site domain. Does this off-site server have to be configured to hold mail until the primary exchanger is back online?

I am going to use my UNIX server as a secondary mail exchanger but I am not sure if it has to be configured.

In the good old days there was no special tricks to providing secondary MX for your friends. They would just add you mail server to their DNS records, listing you as a "less preferred" mail exchanger (an MX record with a higher value than any of yours). Mail would be relayed automatically.

This was in the days of "promiscuous mail relaying" --- it was easier to just let anyone relay mail though anyone else. However, just as venereal disease contributed to the demise of the "free love" promiscuity of the '60's --- the blight of spam as spelled the end of open e-mail relaying in our decade.

The problem was that spammers would dump their e-mail on any open relay --- one piece of mail that might be addressed to thousands of happless recipients (and with the return addresses forged on top of that).

When you install 'sendmail' version 8.9.x and later the open relay to which early versions defaulted are now closed. You'll have to create a relay map (default location in /etc/mail/relay-domains) to enable relaying for your sites).

There are some questions that relate to this in the 'sendmail' FAQ at:

http://www.sendmail.org/faq/section3.html#3.27

... although you could disable this feature and allow promiscuous relaying --- I'd not suggest this.

You'd eventually get hit by a spammer and then you'll probably end up on Paul Vixie's "Real-time blackhole list" (the RPL) or on "DorkSlayer's" ORBS (open relay blocking system). There are many sites these days that subscribe to these free DNS lookup services in their "check_relay" macros --- and deny any mail access whatsoever from any site listed on one or either of these.

However, that should be all there is to it. Normally your mail would just get tossed into the queue at your MX secondary's site where it will languish until your site is back up (or less busy, or whatever). In other words whatever connectivity problem the original sender's site had in getting to your primary MX host will probably go away within a few hours --- and your secondary MX will relay your mail during its normal queue runs. The orginal sender will get delay notifications (4 hours, 4 days, etc) according to the settings in your secondary's configuration files.

Some people use these features in their firewall configuration --- they place a higher MX host outside their main network (on the exposed network segment) --- and all outside mail has to hit it first (since they can never connect to the preferred hosts inside due to the packet filters). The packet filters then allow that exposed host (and only that exposed host) to transfer files into the domain. Thus the potential attacker can't attempt to directly exploit bugs in the internal SMTP daemon (especially if the "exposed" host is behind an anti-spoofing screen, and has "source routing" disabled, which all Linux systems default to).

A more elegant approach is to use "split DNS" --- so that the external/exposed MX host appears (to the outside world) to be the preferred mail destination while the real preferred system (to your internal systems, and to your exposed host itself) is sequestered on your internal network using non-routable "private net" addresses. The advantage to this is that your potential attackers don't have any information about your internal structure --- and they can't route packets to your internal hosts at all (those don't have "real" IP addresses). Thus the outside attacker has to resort to high wizardry to get packets to your hosts, before any exploits can even be attempted.

(I should note that any attacks that can be carried through the mail contents will still get delivered to you. The bugs this protects you from are those in the TCP connection handling of the daemons --- not in the parsing of headers and message contents).

I've heard of some sites that maintain separate queues for their relay neighbors. I don't know exactly how that works --- but its similar to the way that ISP's maintain queues for their SMTP customers. Basically they create a rule (probably an entry in their mailertable) that calls the relay mailer with an extra parameter. Thus all the queue items end up in special, separate directories. Then the SMTP ETRN command can be used (by customers) to force a queue delivery (something like: 'sendmail -q -O QueueDirectory=/var/spool/mqueue.customerX') when the customer's connection comes up.

Then there are sites that deliver all mail to a given site into a single mail spool (mbox) file. Hopefully they are adding the "X-envelope-To:" headers as they do this. Then their clients use 'fetchmail' to grab these messages, split them back out and dispatch them according to the delivery policies at the disconnected site.

Personally I still prefer UUCP for handling mail to disconnected sites. However, it is getting increasingly difficult for new users to find people who understand UUCP. (Oddly one study showed that the use of UUCP hasn't decreased at all -- it's grown at a slow, steady couple of percent all along. However, compared to the explosive growth of the Internet it as seemed, by comparison to completely disappeared. I think UUCP is still a very good option for emerging countries and for anyone that isn't maintaining dedicated connections to the Internet --- though I'd say that a bit of work should be done on simple configuration tools and examples. It's easy enough to use UUCP as a transport for DNS/Internet "domain" style addresses. So we don't need to ever return to the bad old days of "bang paths").

TIA,
Craig

'lpd' Bug: "restricted service" option; Hangs Printer Daemon

From Michael Martinez on Thu, 24 Dec 1998

The lpd that RedHat linux supplies has a problem. If you send it a print job across the network, and you do not have an account on the print serve, lpd forks a child, creates an entry for you in the queue, then hangs because it can't find your user id. Do you know a remedy for this?

Michael Martinez
System Administrator, C.S. Dept, New Mexico Tech

I think I read about this in the security mailing lists recently. It seems to be related to the "restricted service" (rs) option in your /etc/printcap.

One option would be to remove the rs option from the printcap and use packet filtering and hosts_access (TCP_Wrappers) to restrict access to your print server(s).

Then look for updates to the packqage itself.

The first thing to do is to report this to Red Hat Inc. after checking their web site and for any updates to this package. First find the package name using rpm -q /usr/sbin/lpd. This will tell you which RPM package included the lpd command.

Then connect to ftp://updates.redhat.com (or one of its mirror sites). I don't see one there yet. If you aren't already using the most current Red Hat version (5.2 at this point) then check for that package in the RPMS directory for the latest. Red Hat Inc normally embeds the version in the package and file names.

My S.u.S.E. system (which uses RPM format but uses a different suite of RPM files) reports lprold-3.0.1-14 as the package name that owns '/bin/sbin/lpd' --- so I'd look for a S.u.S.E. RPM that was later than that.

Failing that look for a Debian package (an update) and try using "alien" to convert that into an RPM. Look up the Debian maintainer for that package at the http://www.debian.org web site.

If that doesn't work, look for a canonical "home" site for the package (lpr/lpd is a classic BSD subsystem --- so looking at the FreeBSD NetBSD and/or OpenBSD sites for a later version of the "tarball" (sources in .tar format) might work. Look in the man pages and run 'strings' on the lpd binary --- and look through other docs (use rpm -ql <packagename> for a list of all files in that package) to see if an author or maintainer for the base package is listed. Then you can look at that maintainer's web site or FTP server, and/or possibly e-mail them.

(The BSD sites are http://www.freebsd.org, http://www.netbsd.org, http://www.openbsd.org, in case you needed them.)

If you have a competent programmer on hand (I'm am not a competent programmer) you could have them look through the sources and apply a fix. Then you'd e-mail the diffs to your patches to the maintainer of the package (possibly copying Red Hat Inc as well). If you also looked at the Debian site for an update you can copy their maintainer on your fix as well.

They may not accept your patches --- but they will certainly appreciate the effort and it may help them focus on the right part of the code.

This is how Linux got where it is today. (I've sent patches in on 'sendmail', 'md5sum' and 'tripwire' in the past --- and I'm not a programmer. So anyone who does feel competent in the art should not be intimidated by the notion, and won't have to spend nearly as long poring over the sources as I did for my pathetic little suggestions).

I'd like to suggest one modest "New Year's Resolution" to every Linux user:

Find one bug or typo. Fix it.

... hunt through the man pages, docs, sources, etc of a few of your favorite packages. Find one thing that's wrong or missing, correct it (or find someone to do it with you) and submit the patch to the appropriate parties.

Last year was the first year Linux was taken "seriously." Let's make this the year that we prove that the "open source" (TM) process is maintainable and yields truly superior and mature results.

LPD forks and hangs/Linux

From Michael Martinez on Sat, 26 Dec 1998

Thanks a bunch for your great, documented help. Just so you know, RH 5.2 ships with this problem. So, I'll check out the other resources you gave me. I've considered writing a patch for it - I might just do it!

Merry Christmas,

Michael Martinez
System Administrator, C.S. Dept, New Mexico Tech

Dual Boot Configurations

From Justin Jenkins on Thu, 24 Dec 1998

I'm ashamed to ask this but I don't know how! i got a copy at work, and installed it on an old 166 I would like to install it on my 450 can you help me?? -thanks Justin

Have you tried the HOWTO?

http://metalab.unc.edu/LDP/HOWTO/mini/Linux+DOS+Win95+OS2.html

Microtek Scanner Support: Alejandro's Tale

From AmericanPride88 on Sat, 26 Dec 1998

Hello Alejandro, I'm pretty annoyed that when I went to download the file at Microtek Ibelieve it was this?/ epp 264 exe.

They didn't have it available , They should at least include some info about their hardware on a CD so that my Hardware Wizard can setup the right driver for the Damn Scanner, someone suggested. I try a HP scanner. I believe I will

Return the C3 tomorrow. It was my Christmas present it's been nothing but a Dissapointment to me. Thank you...

If you can suggest a compatible Driver or anything else please do. Thanks again!1

Sincerely, Rebecca

Who is Alejandro?

Rebecca, it looks like you have sent this message astray. First I'm not Alejandro, I'm Jim Dennis. You sent this to "linux-questions-only@ssc.com" which is the access point to the Linux Gazette "Answer Guy" column --- providing free technical support (and a bit of spleen venting and curmudgeonly commentary) for users of Linux.

Your message doesn't relate to Linux as far as I can see. We don't often use ".exe" files and Linux doesn't need a "Hardware Wizard" to find and use any of its devices (except for the guy at the keyboard, perhaps).

The primary resource for supporting scanners under Linux would be SANE (Scanner Access is Now Easy) at: http://www.mostang.com/sane

Modem HOWTO Author Gets Offer RE: WinModems

From bf347 on Sat, 26 Dec 1998

I'm the author of the new Modem-HOWTO. Someone sent me email saying that he could put me in touch with someone who might release the info needed to write a driver for Lucent LT Winmodems. Is anyone interested? Is the first line of this message truncated? It is on my dumb terminal. I'm writing this from a BBS that allows no editing of this message.

Dave Lawyer
bf347@lafn.org

Ironically I was just answering another correspondent who got burned by one of these things.

As I said there, I'll never purchase any internal modem.

However, I'll post this message to my editor (it should appear in the February LG if at all). Maybe someone else will be interested.

[ February when you got it in December? I sometimes defer by one month, but not short messages like this one. Get more coffee. BTW the other querent has a Lucent WinModem, so I'm sure there's at least one interested reader. Contrary to usual, I've left his address available in case any readers want to make contact to take on the task. -- Heather ]

You could also send a message to the SVLUG (Silicon Valley Linux Users Group) list --- since you appear to be in Los Angeles. I realize that L.A. doesn't have as large and active a LUG as the SF Bay and Silicon Valley areas --- thought I've heard that you're working on it.

Look at http://www.svlug.org and http://www.balug.org for a couple of Linux users groups up in Northern Cal that might have some interested programmers. Also be sure to shop it around at your local UG's and in the newsgroups and mailing lists. I'm sure that someone will pick off the job --- if the people at Lucent, or wherever, aren't too onerous.

The message came through fine.

Condolences to Another Victim of the "LoseModem" Conspiracy

From simone on Sat, 26 Dec 1998

I think I allready know th answer...

Well I have a Lucent modem 56K (it has been a mistake i didn't know winmodems existance I was so happy with my old 14400)

It doesn't work with linux or solaris (so sad)

Do you have any suggestions?

Return the modem. Complain bitterly to the retailer and get their assurances that they will stop ripping off their customers with these pieces of garbage posing as computer peripherals.

Then get an external modem. So far I've never heard of an external "winmodem" --- and I've heard that it's not feasible to design one. Sticking with external modems has always been a good idea. They are more expensive but they've always been better products. Generally they are more reliable (probably less power fluctuation and electronic crosstalk from the other components inside the PC). It's also safer and better for the rest of the PC (less crosstalk with the internal modem, less heat in the case, virtually no chance that a modem that gets zapped by a phone line power surge will destroy your CPU or memory chips in the computer, etc). Finally it's much more convenient for most users (you have status lights; you can move the modem to other systems easily and replace it with an old "test" modem easily).

I personally will not ever buy an internal modem. Not ever!

thanks for reading
sorry for bad English
waitig for an answer

No problem. I still have some other messages in Spanish, Portugese, and maybe some in Italian that I haven't answered yet. I haven't had the time to cut and paste them into Babelfish for the "rough" translation.

Un cordiale saluto Montanari

Reading Audio Tapes using HP-DAT Drive

From Thomas Kruse on Fri, 25 Dec 1998

Hi! I wonder, if you can help me with the following issue: I bought a brand new SCSI HP-DAT streamer. In the manual it is described to treat audio-dat tapes as if they were read-only. I tried to fetch the data from the tape, but I get always i/o erorrs. (I tried "cat /dev/st0" "dd if=/dev/st0...") Do I need special software or is it impossible to "read" audio tapes with Linux? (I heard rumors, that this is possible with special Win95 software)

Regards, Thomas

That's an excellent question. I have absolutely no idea. I guess you could look at the Linux st driver sources and see if they need to be changed. I guess you might even write to the author or maintainer of the st driver to ask for advice.

Looking under /usr/src/linux I find, in .../drivers/scsi/st.c that the 2.0.36 sources list Kai Makisara as the author. I've blind copied his addresses on this response.

Kai, thanks for the work on the 'st' driver. What would prevent one from reading audio tapes using /dev/stX under Linux?

I'm sorry if you're getting two copies of this I wasn't sure which address from the st.c file to use.

(Note: this message is in response to a Linux Gazette "Answer Guy" question. I'll be happy to post any response --- which may end up prevent future questions on this topic. If this is buried in an FAQ, HOWTO, or man page somewhere, please point us at it and forgive us for not finding it).

More on: Reading Audio Tapes using HP-DAT Drive

From Kai Makisara on Sat, 26 Dec 1998

There are (at least) two issues when using audio DAT tapes in a computer DAT drive:

1. You may or may not be successful in using audio media to record digital data. The tape cartridge does not contain the MRS (Media Recognition System) identification data that most of the digital tapes nowadays have. The drive uses this data to determine the tape length, etc. By default, the HP drives I have seen treat any non-MRS tapes read-only. You can change this with a switch. I assume this is what the HP manual means but not what you are interested in.
2. You may be able to read audio data using a computer DAT. This depends on the firmware of the DAT driver. As far as I know, most computer DAT drives are unable to read audio data. There have been some drives from Silicon Graphics that were able to read audio data. As far as I know, they were ordinary Archive DATs with special firmware. You needed special SCSI commands to read audio data (I don't know the commands).

   The Linux SCSI tape driver does not currently have any support for reading audio data.

   Kai

   Thanks Kai.

   I presume this is a result of the music industry's lobbying. The big record companies (Sony, Columbia, et al) have been interferring with the digital electronics industry for years in a misguided effort to discourage bootlegging.

   Oh well. We're already at the stage where some people are providing free writing --- the beginnings of an "open content" movement. This will probably encompassing music and literature much as the "open source (TM)" movement has made an impact on software.

   I don't object to spending money on a good book or a decent CD. I'd just like to see more of it go to the artist and I'd like some assurance that corporate politics and big business aren't exerting undue control over the contents. However, I'll leave it at that before this becomes overly political (and overtly subversive).

   ---

   Best of Answer Guy: A Volunteer?

   From EvilEd on Fri, 25 Dec 1998

   Hi,

   I've been reading "Answer Guy" for a while now. I have to say, it's really informative and cool. Would'nt it be great to have an archive or a separate page for "Best of Answer Guy 1998"?

   Thanks and more power, EVILed

   Wow! That sounds like a great News Year's project. Would you like to do it? Would anywhere like to do it?

   If y'all put together your favorite 50 or 100 questions, answers and rants from me --- I'll annotate them with updated links and comments. So you'll get a retrospective on how things have changed since I wrote some of those messages. (In many cases I've learned more after that fact --- often from reader comments and corrections. In other cases things have just changed since I wrote my responses).

   However, I can't do this myself. I wrote all that stuff and the thought of reading back through all of it is mind numbing. So, if someone wants to volunteer on this --- let me know.

   ---

   termcap/terminfo Oddities to Remotely Run SCO App

   From Eric Freden on Fri, 25 Dec 1998

   Dear Answer Guy,

   I managed to solve my keybinding problem without your help (thanks anyway). Here is a synopsis: I needed to run proprietary software (in Cobol, no less) on a PPro running SCO Unixware via telnet from a PII running RedHat 5.0. The SCO box had a limited termcap file, none of which matched type linux (Linux console) or xterm (for Linux X). Changing TERM in Linux does not alter function key bindings! The only way I could change keybindings was to mess with /usr/lib/kbd/keytables which changes bindings at boot or /usr/X11/lib/X11/xkb which alters bindings upon startx. Both of these methods are global in nature and will "break" existing applications like emacs. I read the man pages on xterm where there is an option to change to Sun style function keys bindings (which was not SCO compatible either).

   Then I noticed that xterm and nxterm (i.e. color xterm) bind F1--F4 differently!?!?! By sheer luck, SCO has a termcap entry called coxterm that is compatible with nxterm keybindings. There is no termcap or terminfo entry for nxterm in Linux. Why not? For that matter, I see no effect in function keymappings after changing existing termcap entries, compiling with tic, and rebooting . Why not?

   Eric Freden

   Last I heard Eric S. Raymond was still maintaining the termcap file. He's also listed in the author's section in the 'terminfo' man page. So perhaps he'd be the best person to address these issues?

   (I've copied him on this. Hi Eric! Missed you at LISA. Hope to see you at LinuxWorld Expo next March).

   ---

   Arabic BiDi Support for Linux

   From Anas Nashif on Fri, 25 Dec 1998

   Hi, I was wondering if its possible in one way or another to use arabic on linux.. Is there anything being done in this field? and how difficult it is to implement it?

   thanks,
   anas

   Anas Nashif       Universitaet Mannheim

   Sorry it took me so long to answer this question. I finally did get around to doing a Yahoo! search on "+Linux +Arabic" and found this reference:

   Linux in Turkey

   http://www.slashdot.org/articles/98/09/05/1624256.shtml

   ... the references to Arabic ensued from the thread discussion after the main article. So far as I know there is no direct BiDi (bidirectional text) support for Linux yet. Some applications such as emacs/xemacs with MULE (multi language extensions) do provide some support for this. However I don't know much about the details.

   Happy Ramadan, and good luck.

   ---

   Automated Updates

   From Josh on Fri, 25 Dec 1998

   A quick suggestion for the updates question.

   A student at georgia tech has written two excellent scripts, autorpm and logwatch. Autorpm will automatically keep your system up to date with the current redhat updates. Autorpm can be found at ftp.kaybee.org. It saves a lot of work on the system admins part.

   He was going to add them to the LSM, but I'm not sure if he has yet.

   Josh

   There's also an 'autoup.sh' script for Debian systems.

   I'd suggest that these systems be used with considerable trepidation (if at all). However, they do make sense for some cases. For example I'm pretty sure you can configure these to watch some internal server.

   So, as the sysadmin for a medium to large installation you could manually grab and test updates --- or set up a "sacrificial" system to automatically grab them. Then, when you've vetted the updates you can post the RPM or .deb files to your internal server where you're client systems would pick it up.

   There's also a package called 'cfengine' by Mark Burgess which can help with various configuration details that might need to be tuned after any sort of automated update or software/configuration file distribution. (The old fashioned Unix way to automate updates to client systems is to use 'rdist' --- preferably over 'ssh' for better security).

   'cfengine' is the "awk of configuration management." Basically a 'cfengine' script is a series of class descriptions, assertions and corrective actions. So you can express policies like: All Red Hat Linux systems running 2.0.30 kernel in this DNS subdomain and in this NIS netgroup, on any Tuesday (a series of class specifications) should have less than 100Mb of log files under /var/log (an assertion) and should have more that 40Mb of free space thereunder (another assertion) OR we should rotate the logs, removing the really old ones and compressing the other non-current ones (a corrective action).

   'cfengine' is an interesting project I'd like to see the security features beefed up considerably and I'd like to see it undergo a comprehensive security audit (by the OpenBSD and/or Linux SecAudit teams).

   Naturally 'cfengine' is one of those tools with which you can shoot off your foot, at about the HIP! So you should be very careful when you first start playing with it.

   More info on that package can be found at its canonical home page: http://www.iu.hioslo.no/cfengine

   Kirk Bauer (autorpm's author) doesn't seem to maintain a web page touting it's features. So you'll have to grab the file via FTP.

   There's also a package called 'rpmwatch' which is listed at: http://www.iaehv.nl/users/grimaldo/info/scripts

   More info on autoup.sh can be found in the Debian FAQ:

   http://www.debian.org/doc/FAQ/debian-faq-10.html

   ... or directly at these sites:

   http://www.taz.net.au/autoup http://csanders.vicnet.net.au/autoup

   ---

   Liam Greenwood: Your XDM question

   From Liam Greenwood on Fri, 25 Dec 1998

   Here's a suggestion that I'll just pass along.

   To run XDM and not run have XDM start an Xserver on your local host:

   
   telinit 3  # go to runlevel 3 (no xdm)
   

   edit the file /etc/X11/xdm/Xservers and comment out the line which looks like this:

   
   :0 local /usr/X11R6/bin/X
   

   ...by putting a # at the start.

   
   telinit 5   # go to runlevel 5 to start xdm
   

   (on a Red hat system... others may have the config file in another place).

   Cheers, Liam

   ---

   Don't tell my Mother I'm a programmer... ...she thinks I'm a piano player in a brothel.

   ---

   'rsh' as 'root' Denied

   From Walt Smith on Thu, 24 Dec 1998

   hi,

   I can run a program using rsh as 'user' on the same pc. i.e. rsh pcname ls (or thereabouts) It won't run as 'root'.

   There is one file that is supposed to be used as a config if running as root. It makes no difference. Do I need to recompile rsh wil a particular option?

   You probably won't need to recompile it.

   The most common version of 'in.rshd' that's included with Linux will allow you to invoke it with the -h option (added to the appropriate line in the target system's /etc/inetd.conf file) to over-ride this restriction. If you're using Red Hat with PAM then you'll have to consider reconfiguring the appropriate file under /etc/pam.d/ to remove the option that prevent root access therein (I don't have that configuration file handy since I'm not using PAM on any of my boxes at home, at this point).

   All of this is in the man pages (in.rshd for the daemon).

   I'll go on record to recommand that you ban 'rsh' and 'rlogin' from your networks completely --- using 'ssh' instead. Later, when we have ubiquitous deployment of IPSec (transport layer security for TCP/IP) and Secure DNS (the ability to digitally sign and authenticate hostname/IP records) it may be acceptable to re-introduce these protocols.... maybe.

   regards,

   Walt...in Baltimore respond to XXXXXXX@bcplXXXXXX

   Did you ever program in BCPL?

   ---

   Copyright © 1999, James T. Dennis
   Published in The Linux Gazette Issue 36 January 1999

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Booting Linux with the NT Loader

   By Gustavo Larriera

   ---

   On these days technical professionals like you and me often must deal with the following scenario: To make Linux and NT peacefully coexist on the same machine. Many HOW-TOs have been written -and it's a good advice to give them a look- about how to configure LILO (The Linux Loader) to do the task. Unfortunately, classic documentation have little references about the NT Loader. Yes, I know for some people there's some kind of religious war between Linux and NT out there :-) But from the point of view of a IT professional, the main objective is to have the job well done.

   In many real-life situations we must tackle with a installation where it is not desirable to alter the NT boot process. May be it is your machine's boss and he/she prefers to keep on booting the same way for ever ;-) In this article I will focus on how to configure the NT Loader so as to boot Linux (and continue booting NT also!).

   I hope these tips will help Linux users to successfully boot Linux through the NT Loader the easiest way. The procedure I will explain works for NT Server 4 and NT Workstation 4 running on Intel-compatible PC.

   The Scenario

   After long conversation you have convinced your boss to put Linux on her computer machine. She is a happy NT user, she loves Word and Excel and such. She also is a clever person and has decided to give Linux a try. So she wants to have Linux installed. Just a moment: She prefers to keep booting with her familiar loading menu, from where she can choose to boot NT or DOS. Her wishes are your wishes, so you decide not to use LILO to dual-boot her computer.

   The MBR considered useful

   The most important thing you must always remember is that many software products sit on your unique precious hard disk's Master Boot Record (MBR). So does NT without asking and so optionally does LILO if you want to. The machine's BIOS executes code stored on the active partition to initiate your preferred OS.

   When NT is installed, the MBR is modified to load a program called NTLDR from the active partition's root directory. The original MBR is saved on a small file called BOOTSECT.DOS. After a NT installation, be careful never overwrite the MBR, because the NT will no longer boot. To fix this problem, a NT user needs the NT's Emergency Repair Disk (ERD).

   With those things in mind, take note you must be careful to configure LILO *not* to install on MBR. Instead you will need to configure LILO on the root partition of Linux. That's safe for NT and Linux can live without the MBR.

   NT loading process

   Once the NTLDR program launchs the NT user watch the "OS Loader V4.xx" message. Then NTLDR shifts the processor to 386 mode and starts a very simple file system. After that, it reads the file BOOT.INI to find out if there are other operating systems and prompts the user with a menu. A typical BOOT.INI looks like this:

   [boot loader]
   timeout=30
   default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
   
   [operating systems]
   multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 is here"
   multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 VGAMODE" /basevideo /sos
   C:\="DOS is here"
   

   The BOOT.INI file has two sections. The "boot loader section" specifies how long in seconds will be the menu on screen and the default menu choice. The "opearating systems section" specifies the different OSs the user can choose. We can read the machine boots NT (either in normal mode or in VGA diagnosing mode) and also can boot DOS. We can deduce from this example that DOS boots from the partition C: (first partition on first disk) and NT boots from the second partition. Typical installations have a C: partition formatted with DOS's FAT file system and NT on another partition formatted with its NTFS (NT File System).

   If the user chooses to load NT, another program NTDETECT.COM runs to check the existent hardware. If everything was okay, the NT kernel is loaded and that's all we need to know.

   Let's examine what happens if the user decide to choose other OS rather than NT. In this situation, NTLDR needs to know which is the boot sector required to load the non-NT OS. The appropiate boot sector image must exists on a small 512-byte file. For instance, to load DOS, NTLDR searches for a boot sector image file called BOOTSECT.DOS. This image was created by the NT installation.

   So, what if I want to load Linux? It's quite simple, all we need is a boot sector image file, let's name it BOOTSECT.LIN (later we'll see how to obtain this file). You must put BOOTSECT.LIN on C: and edit BOOT.INI, the "operating systems section" now looking something like this:

   [operating systems]
   multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 is here"
   multi(0)disk(0)rdisk(0)partition(2)\WINNT="NT V4 VGAMODE" /basevideo /sos
   C:\="DOS is here"
   C:\BOOTSECT.LIN="Now Linux is here" 
   

   The BOOT.INI can be edited with any plain ASCII text editor. Normally this file has system-hidden-readonly attributes, so you must change them using the 'attrib' DOS command or within NT, from the file's property dialogbox.

   The Linux side of the story

   Now let's concentrate on the Linux shore. We need to install Linux, configure LILO and create the BOOTSECT.LIN file.

   The first step is to have Linux installed. We all know how to do that: Choose appropiate partitions for Linux system, swap and user's stuff, run installation program, etc. Easy cake, first step is completed okay in less than 45 minutes.

   Then we must configure LILO. We also know how to do that, but be careful *not* to install LILO on the MBR (unless you hate NT too much :-)) When configuring LILO, choose to install it on your Linux root partition. If you don't know how to configure LILO, spend some minutes reading the HOW-TOs or use some of the useful setup programs most modern Linux distributions have. My installation is S.u.S.E., so I use the 'yast' (Yet Another Setup Tool).

   Once LILO is configured (let's asume the Linux root partition is /dev/hda3) we must use 'dd' to create the boot record image. Login as root and do the following:

   # dd if=/dev/hda3 bs=512 count=1 of=/dosc/bootsect.lin 
   

   Prior you have mounted the FAT C: partition as /dosc. Just in case you cannot access to this partition, for instance if it's formatted with NTFS, just write BOOTSECT.LIN to a DOS-formatted diskette or some partition where NT can read from. If you put BOOTSECT.LIN in a place othet than C:\ remember to modify the BOOT.INI file accordingly.

   Now your boss can choose Linux from her NT Loader's menu. The NTLDR will load the BOOTSECT.INI and she'll see the LILO prompt. Then she'll plunge into her new Linux box. Finally, if you configured LILO to load Linux and also the DOS on C: when LILO prompts, your boss will reload from the active C: partition, again into NT Loader. The procedure described may be repeated if you wish to boot several Linuxes, you must just create appropiated boot sector image files for each of your Linuxes.

   ---

   Copyright © 1999, Gustavo Larriera
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Defining a Linux-based Production System

   By Jurgen Defurne

   ---

   Introduction

   In a previous article ("Thoughts About Linux", LG, October) I browsed upon several topics to use Linux in business, not only for networking and communication, but also for real production systems. There are several conditions which need to be fulfilled, but it should be possible to define a basic database system, which is rapidly deployed and has everything that is needed in such a system.
   The past two months I have been increasing my knowledge about Linux and available tools on Linux. There are several points which need further elaboration, but I have a fairly good idea of what is needed.

   Goal

   The goal is to have a look at the parts which are needed to implement a reliable production database system, together with the tools needed to provide for (rapid) (inhouse) development, but for a fairly lower cost than is needed with traditional platforms. It must be reliable, in the sense that all necessary procedures for a minimum downtime are available, with the emphasis that a little downtime can be tolerated.
   I do need to place a remark here. I worked on several projects, where people tried to save time by asking for rapid development, or trying to save money by reusing parts which lay around, or by converting systems. What happened in all cases was that both money and time were lost, the main reason being not understanding all aspects of the problems.
   This is a mistake I don't want to make. I think that I now have enough experience to show a way to achieve the above defined goal, describing a Linux-based production platform which has lower deployment and exploitation costs.

   Basic recommendations

   These are general guidelines. The first part in creating and exploiting a successful production system is in constraining the amount of tools that are needed on the platform. This leads to the second part of success, understanding and knowing your tools. Experience is still the most valuable tool, but depending on the amount and complexity of tools, much time can be wasted trying to get to know the tools that are at hand. Good handbooks with clear examples and thorough cross-references are a great help, as are courses on the subjects that matter.

   Hardware

   At the moment I won't go very deep into hardware. The base platform should be a standard PC with an IDE harddrive on a PCI controller which is fast back-to-back capable. I tested the basic data rate of a Compaq Despro system (166 MHz, Triton II chipset) and got a raw data-speed (unbuffered, using write()) of 2.5 MB (megabytes)/s. I suppose that for a small entry platform this is fairly reasonable. Further tests should be developed to test the loading of the machine under production circumstances.
   The most important part , however, is that all machines running Linux with production data, should be equipped with a UPS. This is because the e2fs file system (as most Un*x filesystems) is very vulnerable in the case of an unexpected system shutdown. For this reason, a tape drive is also indispensable, with good backup and restore procedures which must be run from day 0.

   Production tools

   Our main engine is the database management system. For production purposes, the following features must be available :
   • Fast query capability
   • Batch job entry
   • Printing
   • Telecommunication
   • Transaction monitoring
   • Journaling
   • User interfacing

   Fast query capability

   This feature is especially necessary for interactive applications. Your clients shouldn't wait half a minute before the requested operation is fulfilled. This capability can be enhanced by buffering, faster CPU's, faster disk-drives, faster bus-systems and RAID.

   Batch job entry

   This is a very valuable production tool. There are much jobs which depend on the daily production changes, but which need much processing time afterwards. These are mostly run at night, always on the same points of time, daily, weekly, monthly or yearly.

   Printing

   Printing is a very important action in every production system and should be looked after from the design phase. This is because many companies have several documents that are official. Not only printing on laser- or inkjet printers should be supported, but also printing with heavy duty printing equipment for invoices, multi-sheet paper, etc.

   Telecommunication

   Telecommunication is not only about the Internet. There are still many systems out there that work with direct lines between them. The main reason is that this gives the people who are responsible for the services, a much greater degree of control over access and implementation. In addition to TCP/IP; e-mail and fax, support for X.25 should also be an option in this area.
   People should also have control over the messages and/or faxes they send. A queue of messages should be available, where everybody can see all messages globally (dest, time, etc) and where they have access to their own messages.

   Transaction monitoring

   With transaction monitoring, I mean the ability to rollback pending updates on database tables. This feature is especially needed when one modification concerns several tables. These modifications must all be committed at the same time, or be rolled back into the previous state.

   Journaling

   This capability is needed to repair files and filesystems which got corrupted due to a system failure. After restarting the system, a special program is used to undo all changes which couldn't be committed. In this sense, journaling stands very close to transaction monitoring.

   User interfacing

   This is a tricky part, because it is part development and part production. On the production side, the interface system should give users rapid access to their applications and also partition all applications between departments. Most production systems I have seen do this with menu's. There are several reasons. The main reason is that most production systems still work with character-based applications. There are many GUI's out there, but production systems will still be solely character based (except for graphics and printing, but I consider these niche markets), even on a GUI. The second reson is that a production system usually has lots and lots of large and little program's. You just can't iconify them all and put them in maps. Then you would only have a graphical menu, with all icons adding more to confusion than clarity.

   What's available ?

   Note : When I name or specify products, I will only specify those with which I am already familiar. I presume that any one of you will have his/her own choices. They serve as basic examples, and do not imply any preferences on my side.

   The only database system on Linux I personally know for the moment, is PostgreSQL. It supports SQL and transaction monitoring. Is it fast ? I don't know. One should have a backup of a complete production database, which can then be used to test against the real production machine, with interactive, background and batch jobs running like they do in the real world.

   For batch jobs, crond should always be started. In addition to this, the at and batch commands can be used to have a more structured implementation of business processes.

   For printing, I know (and use) the standard Linux tools lpd, Ghostscript and TeTeX. There might be a catch however. In some places you need to merge documents with data. The main reason for this is that a wordprocessing package offers more control over the format and contents of the document, instead of printing the document with a simple reporting application. On my current workplace, a migration to HP is busy. The solution there is WordPerfect. In the past, I have used this solution under DOS, to automatically start WP and produce a merged document. Is this possible too with StarOffice ?
   Are there other print solutions which offer more interactive control over the printing process than lpd ? Users should have more easy access to their printjobs and the printing process.

   Telecommunication is a real strong point of Linux. I won't enumerate them all. Even if it doesn't support X.25, it is still possible to use direct dial-up lines using SLIP or PPP.

   Journaling is the weakest point of Linux. I have worked with the following filesystems : FAT, HPFS, NTFS, e2fs, the Novell filesystem and the filesystem of the WANG VS minicomputer system. With all these systems, I have had power-failures or crashes, but the only file-system that gives trouble after this is e2fs. In all other cases, a filesystem check repairs all damage and the computer continues. On WANG VS, index-sequential files are available. When a crash occurs, the physical integrity of an indexed file can be compromised. To defend against this, there are two solutions. The first is reorganizing the file. This is copying the file on a record-by-record basis. This rebuilds the complete file and its indices, and inserts or deletes which were not committed are rejected. The second option is using the built in transaction system. A file can flagged as belonging to a database. Every modification to these files is logged until the transaction is completely committed. After a failure has occurred, the files can be restored in their original states using the existing journals. This is a matter of minutes.
   I think that the only filesystem on PC which offers comparable functionality is that of Novell.
   The e2fs file system check works, but it does offer not enough explanation. When there is a really bad crash, the filesystem is just a mess.

   Development tools

   I will describe here the kind of tools that I needed when I was maintaining a production database in a previous job. The main theme here is that programmers in a production environment should be productive. This means that they should be offered a complete package, with all tools and documentation necessary to start immediately (or in a relatively short time). This means that for every package there should be a short, practical tutorial available.
   I will divide this section into two parts, the first being necessary tools, the second being optional tools. Also necessary for development is a methodology. This methodology should be equal through all delivered tools. The easiest way to do this is through an integrated development environment.

   Compulsory development tools

   Which tools are the minimum needed to start coding without much hassle ? I found these tools to be invaluable on several platforms :
   • An integrated development environment
   • A powerful editor
   • An interactive screen development package
   • A data dictionary
   • A high-level language with DBMS preprocessor support
   • A scripting language

   Integrated development environment

   Your IDE should give access to all your tools in an easy and consistent manner. It should be highly customisable, but be delivered with in a configuration which gives direct access to all installed tools.

   Editor

   If you have a real good editor, it can act as an integrated development environment. Features which enhance productivity are powerful search-and-replace capabilities and macro features (even a simple record-only macro feature is better than no macro features). Syntax colouring is nice, but one can live easy without it. Syntax completion can be nice, but you have to learn to live with it. Besides, the editor cannot know which parts of statement you don't need, so ultimately you will have more clutter in your source, or you waste your time erasing unnecessary source code.

   Screen development

   This is an area where big savings can be done. For powerful screen development you need the following parts in the development package :
   1. Standard screens which are drawn upon information in the data dictionary
   2. Easy passing of variables between screens and applications
   3. A standard way of activating a screen in an application
   The savings are on several places. If you create a new screen, then you should immediately get a default screen with all fields from the requested table. After this, only some repositioning and formatting to local business standards needs to be done. I worked with two such systems, FoxPro and WANG PACE, and the savings are tremendous in all parts of the software cycle (prototyping, implementation and maintenance).

   Data dictionary

   A data dictionary is a powerful tool, from which much information can be extracted for all parts of the development process. The screen builder and the HL preprocessor should be able to extract their information from the data dictionary. The ability to define field- and record-checking functions in the data dictionary instead of the application program, eliminates the need to propagate changes in this code through all applications. With the proper reports, one should also be able to look at different angles into the structure of the database.

   High level language with DBMS preprocessor support

   You can't do complete development without a high-level language. There are always functions needed which can't be implemented through the database system. To make development easier, it should be possible to embed database control statements in the source program. The compiler should be invoked automatically.

   Scripting language

   A scripting language is very useful in several aspects. Preparing batch jobs is part of it. I also found out that a business system consists of several reusable pieces, which can be easily strung together using a scripting language. Also, the overall steering and maintenance of the system can be greatly simplified.

   Optional development tools

   These are tools that were avalailable on several platforms, which can come in handy, but aren't necessarily usable to deliver production environment applications. I found out that these are little used.
   • Interactive query system
   • Report editor

   Interactive query system

   This is often designed to be used by people which are not programmers. Experience has thaught me however that people who are not programmers in a business, don't have the time to learn these tools. It is a useful tool for a programmer to test queries and views, but it isn't really useful as a production tool. Only in some cases, for real quick and dirty work, is it worth using.

   Report editor

   This is even a more overestimated tool. I shared thoughts about this with other programmers, and our conclusion was : bosses always ask reports which are much more complicated than a simple report editor can handle. It would be far better to use a programming language specifically designed for reporting (any one know of such a thing ? Any experiences with Perl for extraction and reporting ?).

   What's available ?

   Note : I will direct my attention only at the compulsory development tools. The rest of the environment will be centered around the features of PostgreSQL.

   As an integrated development environment, EMACS is probably the first which comes to mind. It integrates even with my second subject, a powerful editor. Is it even at all possible to draw a line between the two ? Is EMACS a powerful editor which serves as a development environment, or is it a development environment which is tightly integrated with its editor?

   The data dictionary, the screen development package and the DBMS preprocessor are more thightly bound than other parts of the package. The screen editor and the DBMS preprocessor should get their information from the data dictionary, and the DBMS HL statements should also provide for interaction with screens. It should be both possible to develop screens for X-windows, as well for character-based terminals.
   In the field of high level languages, there are several options, but a business oriented language is still missing. Yes, I am talking COBOL here, although an xBase dialect is also great for such applications. I have programmed for eight years in several languages, only the last two year in COBOL, and it IS better for expressing business programs than C/C++. If anyone would ask me now to write business programs in C/C++, I think the first thing I would do was write a preprocessor so that I could express my programs with COBOL-like syntax.
   I don't know how ADA goes for business programs, but a combination of GNAT, with a provision to copy embedded SQL statements to the translated C-source and then through the SQL preprocessor would maybe work.
   I only had a small look at Perl, and from Tcl and Python I know absolutely nothing, but while interactive languages are fine for interactive programs, you should also bear in mind that some programs must process much data, and that therefore access to a native code compiler is essential.
   There is another point in which only COBOL is good. This is in financial mathematics. This is due to the use of packed decimal numbers up to 18 digits long where the decimal point can be in any place. You should have compiler support for that too. On the x86 platform this capability exists in the numerical processor, which is capable of loading and storing 18 digit packed decimal numbers. Computations are carried out in the internal 80-bit floating point format of the co-processor.

   When you have a Linux system, the first scripting language you run into is probably that of the bash shell. This should be sufficient for most purposes, although my experiences with scripting languages is that they benefit greatly from statements for simple interaction (prompting and simple field entry).

   What should be delivered ?

   As I said before, this list doesn't present any endorsement from me towards any of these products or programs. This list should be expanded with all products which fit in either one of these categories, so all hints all wellcome.
   Another weak point in some areas of Linux is documentation. For a production environment, the Linux documentation project is probably a must, preprinted from the Postscript sources. For the commercial products, good documentation is also not a problem. For other parts of Linux tools, the books from O'Reilly & Associates are very valuable. HOWTO's are NOT suited for a production environment, but since they are more about implementation, they are suitable for the people who put the system together. The catch is this : when a system is delivered, all necessary documentation should be prepared and delivered too. I worked with several on-line documentation systems, but when in a production environment, nothing beats printed documentation.
    

   Production system
   DBMS - Fast query/update - Transaction processing - Journaling	postgreSQL mySQL mSQL Adabas c-tree Plus/Faircom Server ...
   Communication	ppp slip efax ...
   Batch job entry	crond at batch
   Printing	lpd
   User interfacing	?
   Development system
   IDE	EMACS
   Editor	EMACS vi
   Screen development	Depends on DBMS
   Data dictionary	Depends on DBMS
   Application language	C C++ Cobol ? Perl Tcl(/Tk) Python Java
   Scripting language	bash

   Summary

   I am still trying to drag Linux into business. If you want to do business using Linux, you should be able to deliver a complete system to the customer. In this article I outlined the components of such a system and some weaknesses which should be overcome. As a result, I created a table enumerating the needed components for such a system.
   This table is absolutely not finished. I welcome all references to programs and products to update this table. It should be possible to publish an update once a month. What I also should do, is extend the table with references to available documentation.
   Another part which needs more attention is developing tests to assess the power of the database system, ie. what can be expected in terms of throughput and response under several load scenarios.
    

   ---

   Copyright © 1999, Jurgen Defurne
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   EMACSulation

   By Eric Marsden

   ---

   This column is devoted to getting more out of Emacs, text editor extraordinaire. Each issue I plan to present an Emacs extension which can improve your productivity, make the sun shine more brightly and the grass greener.

   ---

   Why is the word abbreviate so long?

   Time saving

   You've probably noticed that Emacs goes to a fair bit of trouble to save you typing. The minibuffer offers a history mechanism which allows you to recall and edit previous commands, and many minibuffer entry prompts try to complete whatever you're typing when you hit TAB. This behaviour was the inspiration for the readline and history libraries, which are used in several shells and commandline interpreters.

   This column is dedicated to another of these keystroke-saving features in Emacs: the abbreviation facility. Do you get sick of typing in repetitive phrases such as your company's name, or your phone number? Abbreviations are here to save your fingers. For example, you could ask Emacs to expand LAAS to Laboratoire d'Analyse et d'Architecture des Systèmes. The expansion happens once you type a non word-constituent character after the abbreviation (a space, for instance, though the exact definition of a word separation depends on the mode you are using).

   This is the Emacs abbrev mechanism. You can either use a minor mode called abbrev-mode, which will cause abbrevs to expand automatically (you enable the minor-mode by saying M-x abbrev-mode), or you can expand them on demand by saying C-x a e with the cursor positioned after the abbreviation. Your abbreviations can be saved to a file when you quit Emacs and reloaded automatically when you launch it:

   ;; if there is an abbrev file, read it in (if (file-exists-p abbrev-file-name) (read-abbrev-file))

   Defining an abbrev

   To create an abbrev definition, type the abbreviation (LAAS in the example above) in a buffer, say C-x a i g, then enter the text you would like it to expand to in the minibuffer. This slightly arcane sequence creates a global abbrev, which will apply in all modes. Try it out by entering the abbreviation and saying C-x a e (e for expand). Emacs also allows you to create abbreviations which will be active only in a specific mode by saying C-x a i l instead (in a buffer which is already in the appropriate mode). M-x list-abbrevs displays a list of all currently defined abbrevs.

   Mail abbrevs

   Since the dawn of time, Unix mail programs have used the ~/.mailrc file to allow users to create their own email aliases. The mail-abbrevs mechanism reads in the contents of this file and defines abbreviations which will be expanded in the To: and Cc: fields of any email you compose in Emacs. Here is an example of the ~/.mailrc alias syntax:

       alias dsssl        dssslist@mulberrytech.com
       alias cohorts      rabah jarboui almeida behnia
       alias bond         "James Bond <bond@guerilla.net>"
   

   There are other more sophisticated addressbook systems around, such as Jamie Zawinski's BBDB, but they won't allow you to share aliases with other mailers. You can have mail-abbrev minor mode activated whenever you compose an email in Emacs using the following line in your ~/.emacs:

   ;; unnecessary if you use XEmacs (add-hook 'message-setup-hook 'mail-abbrevs-setup)

   Dynamic abbrevs

   The standard abbreviation facility requires you explicitly to register your abbrevs, which is fine for things you type every week, but is a hassle for expressions which only occur in one document. Emacs also supports dynamic abbrevs, which try to guess the word you are currently typing from the surrounding text. This is very useful for programming in languages which encourage VeryLongVariableNames: you only need type the variable name once, after which it suffices to type the first few letters followed by M-/, and Emacs will try to complete the variable name.

   To be very precise, dabbrev searches for the least distant word of which the word under the cursor is a prefix, starting by examining words in the current buffer before the cursor position, then words after the cursor, and finally in all the other buffers in your Emacs. If there are several possible expansions (ie the text you have typed isn't a unique prefix), pressing M-/ cycles though the successive possibilities. Saying SPC M-/ lets you complete phrases which contain several words.

   Diehard vi users might be interested to read the tribulations of a user who tried to implement a limited version of dabbrevs in vi.

   Completion

   The Completion package, by Jim Salem, is similar in function to dynamic abbrevs, but uses a different keybinding (M-RET) and a subtly different algorithm. Rather than searching for a completion which is close in the buffer, it starts by searching through words which you have typed in recently (falling back to searching open buffers if this fails). The history of recently used words is saved automatically when you quit Emacs. To enable completion (you can use it instead of, or as well as, dabbrevs), put the following in your ~/.emacs:

   (require 'completion) (initialize-completions)

   Hippie Expand

   Filename completion in the minibuffer is a truly wonderful keystroke saver, and you might find yourself wishing you could use it when entering a filename in a regular buffer. Wish no longer: this is one of the features offered by the fabulous hippie-expand package.

   Hippie-expand, by Anders Holst, is a singing and dancing abbrev mechanism, which is capable of many different types of dynamic abbrevs. It can expand according to:

   • file name: if you type /usr/X then hit the expansion key, it will expand to /usr/X11R6/;
   • exact line match: searches for a line in the buffer which has the current line as a prefix;
   • the contents of the current buffer, and other buffers on failure, just like dabbrev;
   • the contents of the kill-ring (which is where Emacs stores text that you have killed, or ``cut'' in MacOS terminology, in a circular buffer). Rather than typing M-y to cycle through positions in the kill-ring, you can hippie-expand on the first word in the killed text.

   Hippie-expand is not active by default, so you need to bind it to a key. Here's what I use:

   (define-key global-map (read-kbd-macro "M-RET") 'hippie-expand)

   Go forth and save keystrokes.

   Feedback

   Glenn Barry sent me a comment on the EMACSulation on gnuclient/gnuserv:

   Just read and enjoyed your article on gnuserv/gnuclient in the Linux Gazette. But you forgot the use of gnuserv/gnuclient that makes it incredibly useful; one can access their full running emacs session by logging-in via a tty remotely (rlogin/telnet) and running "gnuclient -nw" ... makes working from home a breeze (even over low speed (28.8) links). Note you do have to rlogin to the system running the emacs w/gnuserv, as the gnuclient -nw does not work over the net (at least that's what the man page says). It took me awhile to figure this out so it would be nice to make sure folks know about this great capability.

   The -nw switch asks Emacs to start up in console mode, which makes it much more useable over a slow connection than using a remote display with X11. Note that XEmacs is able to use ANSI colors on the console or in an xterm, while GNU Emacs currently can't do color but does offer a text-mode menubar.

   Glenn also gave an illustration of the power of ffap: he has customized it to recognize Sun bug numbers under the cursor and dispatch a dynamically generated URL to a web front end for their bug tracking system.

   Next time ...

   Next month I'll look at skeleton insertion and templating mechanisms in Emacs. Don't hesitate to contact me at <emarsden@mail.dotcom.fr> with comments, corrections or suggestions (what's your favorite couldn't-do-without Emacs extension package?). C-u 1000 M-x hail-emacs !

   PS: Emacs isn't in any way limited to Linux, since implementations exist for many other operating systems (and some systems which only halfway operate). However, as one of the leading bits of free software, one of the most powerful, complex and customizable, I feel it has its place in the Linux Gazette.

   ---

   EMACSulation #1, February 1998
   EMACSulation #2, March 1998
   EMACSulation #3, April 1998
   EMACSulation #4, June 1998
   EMACSulation #5, August 1998

   ---

   Copyright © 1999, Eric Marsden
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Evaluating postgreSQL for a Production Environment

   By Jurgen Defurne

   ---

   Introduction

   With the advent of relatively powerful, free and/or cheap software, I wanted to see if I was able to create a production environment around Linux and a DBMS. In the past I have worked with several DBMS products in several environments. My goal was to evaluate the Linux/postgreSQL against the several environments I am familiar with. Out of these environments I will pick the aspects which I think are important in a production environment.

   Past production environments

   I have worked in three stages of production environment. These were the unconnected PC environment, the connected PC environment (file/print server networking), and multi-user/multi-tasking environment (minicomputer). I will introduce the several tools in order of this complexity.

   Some terms will need to be explicitly defined, because the xBase terminology is sometimes confusing. The term 'database' here means the collection of several related tables which are needed to store organised data. The term 'table' is used to define one collection of identical data, a set. This is because in the original xBase languages, 'database' was used as to mean 'table'.

   FoxBase

   Effectively being a much faster clone of dBase III, FoxBase contained the minimum necessary to define the tables of a database and a programming language which contained all necessary to write applications very quickly.

   A database consisted of several tables and their indexes. The association of tables and their indexes must explicitly be done using commands.

   The programming language used is completely procedural. It contains statements to create menu's, open and close tables, filter tables (querying), insert, update and delete records, view records through screens and a browse statement. Defining all these things in a program is quite straightforward. Records are manipulated as program variables. All data is stored in ASCII format.

   One special feature which originated in dBase, are 'macro's'. These macro's are text strings, which could be compiled and interpreted at run-time. This was a necessary feature, because most statements took string arguments without quotes, e.g. OPEN MY_TABLE. If you wanted to define a statement with a parameter, you could not directly refer to a variable. Trying to execute OPEN ARG_TABLE, the program would search for the file 'ARG_TABL'. To circumvent this problem you need to code the following :

       ARG_TABLE = "MY_TABLE"
       OPEN &ARG_TABLE

   Clipper

   Clipper originated as a dBase compiler, but added soon after powerful extensions to the language. I have also worked with the Summer '87 and the 5.0 version. At the database level, nothing changed very much from FoxBase, but at the user interface level and the programming level, several advanced features offered faster development turn-around times and advanced user interfacing. The macro feature was still available, but Clipper expanded it through code blocks. In the original implementation, a macro needed to be evaluated every time it was used. In cases where macro's where used to filter data, this amounted to waste of computing time. The introduction of the code block made it possible to compile a macro just once and then use the compiled version.

   Other features where the introduction of some object-oriented classes for user interfacing, a powerful multi-dimensional array type, declarations for static and local variables and a plethora of functions to manipulate arrays and tables. The flipside of all this was that learning to effectively use the language took some more time. I have two books about Clipper 5.0 and they are quite large.

   FoxPro 2.0

   FoxPro was the successor of FoxBase. It added GUI-features to the text-interface, making it possible to work with overlapping windows. FoxPro 2.0 also added embedded SQL statements. It was only a subset with SELECT, INSERT, UPDATE and DELETE, but this offered already a substantial advantage over the standard query statements. It also offered a better integration between tables and their indexes, and one of the most powerful query optimizers ever developed. They also provided some development tools, of which the most important where the screen development and the source documentation tools.

   Clipper and FoxPro made it also possible to program for networks and thus enable multi-user database systems.

   WANG PACE

   WANG PACE is a fully integrated DBMS development system which runs on the WANG VS minicomputers. It offers an extended data dictionary with field- and record-level validation, HL-language triggers and view-definitions. All defined objects contain a version count. When an object is modified and subsequent programs are not, then a runtime error is generated when compiled versions don't match DD versions. It also offers a powerful screen editor, a report editor and a query-by-example system. Access through COBOL, COBOL85 or RPGII is available with a pre-processor which compiles embedded statements into API-calls.

   Summary of important features

   If I look in retrospect to these systems, what were the important features which made programming more productive ? This reference must be made against postgreSQL and the available libraries for interfacing to the back-end. It must also be made from the point of the production programmer, who must be able to write applications without being bothered by irrelevant details.
   • Field names translate to native variable names
   
   Defining a field name for a table makes it available under the same name to the program which can then use it as an ordinary, native variable.
    
   • Uniform memory allocation system
   
   The xBase systems have a dynamic memory allocation scheme, which is completely handled by the runtime library. COBOL is fully statically allocated. In none of these languages the programmer needs to be concerned with tracking allocated memory.
    
   • Direct update through the current record
   
   The manipulated record is available to update the table through one or another UPDATE statement.
    
   • Database statements have the same format as the application language
   
   When programming in xBase, the statements to extract and manipulate data from the database tables formed an integral part of the procedure language.
   In COBOL, the statements where embedded and processed by a preprocessor. The syntax of the available statements was made to resemble COBOL syntax, with its strong and weak points.
    
   • Simple definition and usage of screens
   
   In xBase, there are simple yet powerful statements available for defining screens. Screens are called through only one or two statements.
   In WANG PACE, screens can only be defined through the screen editor. There are three statements available : one to use menu's, one to process one record in a cursor and an iterative version to process all records in a cursor. Most screen processing is handled through the run-time libraries.

   Features available when installing postgreSQL

   The four first features can be installed using the ecpg preprocessor. This makes it possible to use native program variables, you don't have to worry about memory allocation, because the run-time library takes care of it, and updates can also take place using the selected program-variables.

   What is missing, is a special form of include statement. Now you need to know which fields are in a table if you want to use a 'exec sql declare' statement. It would be better if there was something like 'exec sql copy fields from <tablename>'. If the tabledefinition then changes, recompiling the program will adjust to the new definitions.

   Using the pgaccess program (under X-windows) provides access to the data dictionary in a more elegant manner.

   Summary

   I started out to write a critique on postgreSQL because of the summary documentation which is delivered in the package. This made it rather hard to find and use all the components which provide additional functions.

   I started describing my experiences on other platforms to get an insight in what a production environment should deliver to the programmer. Then I started to look closely at the delivered documentation and to my surprise all components that I needed where in fact in the package.

   The following critique still remains however. The documentation of the package is too much fragmented, and most parts of the documentation are centered around technical aspects which do not bother the production programmer. This is understandable however. The documentation is written by the same people that implement them. I know of my own experience that writing a user manual is very hard and it is easy to get lost in the technical details of the implementation that you know about.

   The following parts of postgreSQL are important for the production programmer, and their documentation should be better integrated.

   • The psql processor

   
   This is a nice tool to define all necessary objects in a database, to get acquainted with SQL and to test ideas and verify joins and queries.

   • The ecpg preprocessor

   
   This is the main production tool to write applications which use database manipulation statements. This capacity should probably be extended to other languages too. Since all bindings from the selected cursor are made to program variables, records can be processed without the hassle of converting them from and to ASCII, and updates can be made through the 'exec sql update' statement.

   • The pgaccess package

   
   The pgaccess package provides access to all parts of the database and offers the ability to design screens and reports. It is still in a development phase. I hope it will be extended in the future, because the basic idea is excellent and the first implementations are worthwile.

   The libpq library is of no real value to a production programmer. It should be mainly a tool to be used in implementing integrated environments and database access languages. It could e.g. be used to create an xBase like environment (for those who wish to use this).

   Further research

   In the following weeks (months) I hope to setup a complete database system over a network, with one server and several types of clients (workstation, terminal, remote computer) through several interfaces (Ethernet, serial connections). I will investigate the several platforms for application development. I intend to have a closer look at the provided tools in the postgreSQL package (developing a simple database for my strip book collection), but I will also look at the possibilities that Java offers a development platform with JDBC, screen design and application programming.

   One last note : for the moment I concentrate on using tools that I don't need to pay for, because I need the money for my hardware platforms and for my house. This does not mean that I am a die-hard 'software should be gratis' advocate. A production environment favors to pay for software, because then it knows that it has a complete tool with support and warranty (horror stories about bad support not withstanding).

   ---

   Copyright © 1999, Jurgen Defurne
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   A Linux Journal Review: This article appeared first in the July 1998 issue of Linux Journal.

   ---

   Introducing Samba

   By John Blair

   ---

   The whole point of networking is to allow computers to easily share information. Sharing information with other Linux boxes, or any UNIX host, is easy--tools such as FTP and NFS are readily available and frequently set up easily ``out of the box''. Unfortunately, even the most die-hard Linux fanatic has to admit the operating system most of the PCs in the world are running is one of the various types of Windows. Unless you use your Linux box in a particularly isolated environment, you will almost certainly need to exchange information with machines running Windows. Assuming you're not planning on moving all of your files using floppy disks, the tool you need is Samba.

   Samba is a suite of programs that gives your Linux box the ability to speak SMB (Server Message Block). SMB is the protocol used to implement file sharing and printer services between computers running OS/2, Windows NT, Windows 95 and Windows for Workgroups. The protocol is analogous to a combination of NFS (Network File System), lpd (the standard UNIX printer server) and a distributed authentication framework such as NIS or Kerberos. If you are familiar with Netatalk, Samba does for Windows what Netatalk does for the Macintosh. While running the Samba server programs, your Linux box appears in the ``Network Neighborhood'' as if it were just another Windows machine. Users of Windows machines can ``log into'' your Linux server and, depending on the rights they are granted, copy files to and from parts of the UNIX file system, submit print jobs and even send you WinPopup messages. If you use your Linux box in an environment that consists almost completely of Windows NT and Windows 95 machines, Samba is an invaluable tool.

   

   Figure 1. The Network Neighborhood, Showing the Samba Server

   Samba also has the ability to do things that normally require the Windows NT Server to act as a WINS server and process ``network logons'' from Windows 95 machines. A PAM module derived from Samba code allows you to authenticate UNIX logins using a Windows NT Server. A current Samba project seeks to reverse engineer the proprietary Windows NT domain-controller protocol and re-implement it as a component of Samba. This code, while still very experimental, can already successfully process a logon request from a Windows NT Workstation computer. It shouldn't be long before it will act as a full-fledged Primary Domain Controller (PDC), storing user account information and establishing trust relationships with other NT domains. Best of all, Samba is freely available under the GNU public license, just as Linux is. In many environments the Windows NT Server is required only to provide file services, printer spools and access control to a collection of Windows 95 machines. The combination of Linux and Samba provides a powerful low-cost alternative to the typical Microsoft solution.

   Windows Networking

   Understanding how Samba does its job is easier if you know a little about how Windows networking works. Windows clients use file and printer resources on a server by transmitting ``Server Message Block'' over a NetBIOS session. NetBIOS was originally developed by IBM to define a networking interface for software running on MS-DOS or PC-DOS. It defines a set of networking services and the software interface for accessing those services, but does not specify the actual protocol used to move bits on the network.

   Three major flavors of NetBIOS have emerged since it was first implemented, each differing in the transport protocol used. The original implementation was referred to as NetBEUI (NetBIOS Extended User Interface), which is a low-overhead transport protocol designed for single segment networks. NetBIOS over IPX, the protocol used by Novell, is also popular. Samba uses NetBIOS over TCP/IP, which has multiple advantages.

   TCP/IP is already implemented on every operating system worth its salt, so it has been relatively easy to port Samba to virtually every flavor of UNIX, as well as OS/2, VMS, AmigaOS, Apple's Rhapsody (which is really NextSTEP) and (amazingly) mainframe operating systems like CMS. Samba is also used in embedded systems, such as stand-alone printer servers and Whistle's InterJet Internet appliance. Using TCP/IP also means that Samba fits in nicely on large TCP/IP networks, such as the Internet. Recognizing these advantages, Microsoft has renamed the combination of SMB and NetBIOS over TCP/IP the Common Internet Filesystem (CIFS). Microsoft is currently working to have CIFS accepted as an Internet standard for file transfer.

   

   Figure 2. SMB's Network View compared to OSI Networking Reference Model

   Samba's Components

   A Samba server actually consists of two server programs: smbd and nmbd. smbd is the core of Samba. It establishes sessions, authenticates clients and provides access to the file system and printers. nmbd implements the ``network browser''. Its role is to advertise the services that the Samba server has to offer. nmbd causes the Samba server to appear in the ``Network Neighborhood'' of Windows NT and Windows 95 machines and allows users to browse the list of available resources. It would be possible to run a Samba server without nmbd, but users would need to know ahead of time the NetBIOS name of the server and the resource on it they wish to access. nmbd implements the Microsoft network browser protocol, which means it participates in browser elections (sometimes called ``browser wars''), and can act as a master or back-up browser. nmbd can also function as a WINS (Windows Internet Name Service) server, which is necessary if your network spans more than one TCP/IP subnet.

   Samba also includes a collection of other tools. smbclient is an SMB client with a shell-based user interface, similar to FTP, that allows you to copy files to and from other SMB servers, as well as allowing you to access SMB printer resources and send WinPopup messages. For users of Linux, there is also an SMB file system that allows you to attach a directory shared from a Windows machine into your Linux file system. smbtar is a shell script that uses smbclient to store a remote Windows file share to, or restore a Windows file share from a standard UNIX tar file.

   The testparm command, which parses and describes the contents of your smb.conf file, is particularly useful since it provides an easy way to detect configuration mistakes. Other commands are used to administer Samba's encrypted password file, configure alternate character sets for international use and diagnose problems.

   Configuring Samba

   As usual, the best way to explain what a program can do is to show some examples. For two reasons, these examples assume that you already have Samba installed. First, explaining how to build and install Samba would be enough material for an article of its own. Second, since Samba is available as Red Hat and Debian packages shortly after each new stable release is announced, installation under Linux is a snap. Further, most ``base'' installations of popular distributions already automatically install Samba.

   Before Samba version 1.9.18 it was necessary to compile Samba yourself if you wished to use encrypted password authentication. This was true because Samba used a DES library to implement encryption, making it technically classified as a munition by the U.S. government. Binary versions of Samba with encrypted password support could not be legally exported from the United States, which led mirror sites to avoid distributing pre-compiled copies of Samba with encryption enabled. Starting with version 1.9.18, Samba uses a modified DES algorithm not subject to export restrictions. Now the only reason to build Samba yourself is if you like to test the latest alpha releases or you wish to build Samba with non-standard features.

   Since SMB is a large and complex protocol, configuring Samba can be daunting. Over 170 different configuration options can appear in the smb.conf file, Samba's configuration file. In spite of this, have no fear. Like nearly all aspects of UNIX, it is pretty easy to get a simple configuration up and running. You can then refine this configuration over time as you learn the function of each parameter. Last, the latest version of Samba, when this article was written in late January, was 1.9.18p1. It is possible that the behavior of some of these options will have changed by the time this is printed. As usual, the documentation included with the Samba distribution (especially the README file) is the definitive source of information.

   The smb.conf file is stored by the Red Hat and Debian distributions in the /etc directory. If you have built Samba yourself and haven't modified any of the installation paths, it is probably stored in /usr/local/samba/lib/smb.conf. All of the programs in the Samba suite read this one file, which is structured like a Windows *.INI file, for configuration information. Each section in the file begins with a name surrounded by square brackets and either the name of a service or one of the special sections: [global], [homes] or [printers].

   Each configuration parameter is either a global parameter, which means it controls something that affects the entire server, or a service parameter, which means it controls something specific to each service. The [global] section is used to set all the global configuration options, as well as the default service settings. The [homes] section is a special service section dynamically mapped to each user's home directory. The [printers] section provides an easy way to share every printer defined in the system's printcap file.

   A Simple Configuration

   The following smb.conf file describes a simple and useful Samba configuration that makes every user's home directory on my Linux box available over the network.

   [global]
   	netbios name = FRODO
   	workgroup = UAB-TUCC
   	server string = John Blair's Linux Box
   	security = user
   	printing = lprng
   
   [homes]
   	comment = Home Directory
   	browseable = no
   	read only = no
   

   The settings in the [global] section set the name of the host, the workgroup of the host and the string that appears next to the host in the browse list. The security parameter tells Samba to use ``user level'' security. SMB has two modes of security: share, which associates passwords with specific resources, and user, which assigns access rights to specific users. There isn't enough space here to describe the subtleties of the two modes, but in nearly every case you will want to use user-level security.

   The printing command describes the local printing system type, which tells Samba exactly how to submit print jobs, display the print queue, delete print jobs and other operations. If your printing system is one that Samba doesn't already know how to use, you can specify the commands to invoke for each print operation.

   Since no encryption mode is specified, Samba will default to using plaintext password authentication to verify every connection using the standard UNIX password utilities. Remember, if your Linux distributions uses PAM, the PAM configuration must be modified to allow Samba to authenticate against the password database. The Red Hat package handles this automatically. Obviously, in many situations, using plaintext authentication is foolish. Configuring Samba to support encrypted passwords is outside the scope of this article, but is not difficult. See the file ENCRYPTION.txt in the /docs directory of the Samba distribution for details.

   The settings in the [homes] section control the behavior of each user's home directory share. The comment parameter sets the string that appears next to the resource in the browse list. The browseable parameter controls whether or not a service will appear in the browse list. Something non-intuitive about the [homes] section is that setting browseable = no still means that a user's home directory will appear as a directory with its name set to the authenticated user's username. For example, with browseable = no, when I browse this Samba server I will see a share called jdblair. If browseable = yes, both a share called homes and jdblair would appear in the browse list. Setting read only = no means that users should be able to write to their home directory if they are properly authenticated. They would not, however, be able to write to their home directory if the UNIX access rights on their home directory prevented them from doing so. Setting read only = yes would mean that the user would not be able to write to their home directory regardless of the actual UNIX permissions.

   The following configuration section would grant access to every printer that appears in the printcap file to any user that can log into the Samba server. Note that the guest ok = yes normally doesn't grant access to every user when the server is using user-level security. Every print service must define printable = yes.

   [printers]
   	browseable = no
   	guest ok = yes
   	printable = yes
   

   This last configuration snippet adds a server share called public that grants read-only access to the anonymous ftp directory. You will have to set up the printer driver on the client machine. You can use the printer name and printer driver commands to automate the process of setting up the printer client on Windows 95 and Windows NT clients.

   [public]
   	comment = Public FTP Directory
   	path = /home/ftp/pub
   	browseable = yes
   	read only = yes
   	guest ok = yes
   

   

   Figure 3. Appearance of Samba Configuration in Windows Explorer

   Be aware that this description doesn't explain some subtle issues, such as the difference between user and share level security and other authentication issues. It also barely scratches the surface of what Samba can do. On the other hand, it's a good example of how easy it can be to create a simple but working smb.conf file.

   Conclusions

   Samba is the tool of choice for bridging the gap between UNIX and Windows systems. This article discussed using Samba on Linux in particular, but it is also an excellent tool for providing access to more traditional UNIX systems like Sun and RS/6000 servers. Further, Samba exemplifies the best features of free software, especially when compared to commercial offerings. Samba is powerful, well supported and under continuous active improvement by the Samba Team.

   Resources

   The Samba home page, at http://samba.anu.edu.au/samba/, is the definitive source for news and information about Samba. The documentation distributed with Samba is relatively unorganized, but covers every aspect of server configuration. If you have questions about Samba, first consult the FAQ, then try the Samba Mailing List. The location of both can be found on the Samba home page.

   The book Samba: Integrating UNIX and Windows, by John Blair and published by SSC, covers all aspects of installation, configuration and maintenance of a Samba server.

   ---

   Copyright © 1999, John Blair
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Linux Installation Primer, Part 5

   By Ron Jenkins

   ---

   Copyright Ó 1998 by Ron Jenkins. This work is provided on an "as is" basis. The author provides no warranty whatsoever, either express or implied, regarding the work, including warranties with respect to its merchantability or fitness for any particular purpose.
   The author welcomes corrections and suggestions. He can be reached by electronic mail at rjenkins@qni.com, or at his personal homepage: http://www.qni.com/~rjenkins/.

   Corrections, as well as updated versions of all of the author's works may be found at the URL listed above.

   NOTE: As you can see, I am moving to a new ISP. Please bear with me as I get everything in working order. The e-mail address is functional; the web site will be operational hopefully around mid December or early January.

   SPECIAL NOTE: Due to the quantity of correspondence I receive, if you are submitting a question or request for problem resolution, please see my homepage listed above for suggestions on information to provide.

   I only test my columns on the operating systems specified. I don't have access to a MAC, I don't use Windows 95, and have no plans to use Windows 98. If someone would care to provide equivalent instructions for any of the above operating systems, I will be happy to include them in my documents.

   ADDENDUM TO LAST MONTH'S COLUMN:

   I neglected to mention that you should consider purchasing some cable ties, coaxial clips, or other devices to dress your cabling properly.

   These should be available at your local computer store, or a large selection can be found on page # 163 of the Radio Shack 1999 Catalog. (Space limitations preclude listing them all.)

   This will allow you to bundle the cable or cables neatly together, attach them firmly to the baseboard or whatever area in which you are installing them, and make troubleshooting and maintenance of cabling problems much easier.

   Finally, consider marking each end of your cables in some way so you know which ends go together. There are a variety of ways to do this, including simply writing on the cable itself with a sharpie or white pen, noting the location or machine it is intended for, or my favorite, using color coded tape wrapped at each end.

   Also, each connection on a 10BASE2 coaxial bus network will require a BNC "tee" connector. This should be included with your network card. If not go to Radio Shack and get some (PN# 278-112.) They are cheaper than buying them at a computer store. Finally, don't forget the termination devices. You will need two. These are available either at your local computer store, or at Radio Shack (PN# 278-270.)

   Part Five: Deploying a home network

   This month we will utilize the home networking plan we prepared last month, and bring it to fruition.

   This is going to involve several steps, and I will present them in the order I recommend, but ultimately it will be up to you to choose your deployment method.

   Additionally, I will offer step by step instructions on the configuration of the networking components and protocols. This will give you the basic functionality upon which you will add to as this series continues.

   The goal of this installment will be to get the networking hardware and software installed, provide basic connectivity, and simple name resolution and file sharing services.

   The more advanced services, such as sendmail, DNS, routing, ftp, web, print services, and gateway service will be covered in the next installment.

   As with each installment of this series, there will be some operations required by each distribution that may or may not be different in another. I will diverge from the generalized information when necessary, as always.

   In this installment, I will cover the following topics:

   • Pre-installation planning.
   • Preparing the cabling.
   • Preparing the file server.
   • Preparing the workstations.
   • Installing the cabling.
   • Installing the hardware.
   • Installing the software.
   • Configuration of the file server.
   • Configuration of the work stations.
   • Testing the installation.
   • Troubleshooting the installation.
   • References.
   • Resources for further information.
   • Preview of next month’s installment.
   • About the Author.

   Assumptions that apply to the following installation instructions:

   To keep this installment to a manageable size, as well maintaining an acceptable level of simplicity, the following things will be assumed.

   We will be installing a three node network, consisting of a file server, one Windows NT client, and one Linux client. Physically, all three machines are on a single table. The Linux client is at the extreme left, the Linux fileserver is in the center, and the NT client is at the extreme right.

   In the 10BASE2 (coaxial or bus configuration,) the cabling will be run along the rear edge of the table and fastened by clips available for this purpose either from a computer store or at Radio Shack as previously mentioned.

   In the 10BASET or star configuration, the hub will be placed alongside the file server, and the cabling will emanate from the hub to the various machines, The three cables will be bundled together with cable ties, forming one larger diameter group of cables that can be treated as a single cable. This will be attached to the back of the table using clips as described above.

   The NIC’s I will use are NE2000 ISA bus combo cards, with both a BNC and a RJ-45 interface. The cards will be Plug and Play cards which require you to use a utility diskette under DOS, provided with the card, to configure it. This utility diskette also contains the NT drivers for the card.

   I use FREE DOS, available at http://sunsite.unc.edu to create the DOS boot disk. You may or may not have to create your own DOS boot disk, depending on what kind of NIC you have.

   Two of our NE2000 NICs will be set to the following:

   IO = 0x320 (320), IRQ = 10

   The third one will be configured by NT.

   These are by far the most common cards people usually start out with. If you are using something different, the instructions should be similar. Just make sure you can turn off the Plug and Play feature (bug?) for the Linux machines, if necessary. This usually only applies to ISA NICs, as kernels => 2.0.34 usually do a pretty good job of snagging PCI NICs.

   This should provide the information required for most any size network, the steps will just need to be duplicated for the extra clients and/or servers.

   I will use the terms UNIX and Linux somewhat interchangeably, except where I am explicitly referring to something unique to a particular flavor of UNIX, in which case I will note the difference.

   If you will be integrating Novell or MAC clients, you're on your own. I have not touched Novell since 3.1, and I don't have access to a MAC machine. The AppleTalk and IPX HOW-TOs may be of some assistance to you.

   Further, it will be assumed you are using "reserved" IP addresses for your home network. We will use the Class C reserved network 192.168.1.0. The netmask for our network, thus will be 255.255.255.0. We will give the file server the IP 192.168.1.2, and the hostname fileserver01. The Linux client's IP will be 192.168.1.3, with the hostname linux01. Finally, the NT client's IP will be 192.168.1.4, with a hostname of nt01. I am keeping the 192.168.1.1 address and the hostname gateway01 for the gateway machine we will build next month.

   The domain name of this network will be home.net.

   The NT domain (not to be confused with the actual domain) name will be HOME.

   The NT client will access the file services using SAMBA, and the Linux client will access file services using the native Network File System (NFS.)

   Name resolution will be accomplished using common hosts and resolv.conf files, and a little trick for the NT box.

   When finished you should be able to ping all machines both by IP address, and hostname.

   Additionally, you should be able to access the disk storage on the file server from either client, with both read and write access.

   Pre-installation planning:

   Review of the network plan: Look over the network plan ONE LAST TIME. Make sure you have acquired all the necessary hardware, software, and cabling, as well as a hub or termination devices, if required.

   Preparing the common files: Since we will not be using DNS for name resolution at this point, we will rely on primarily three files for the UNIX machines, and one file for the NT box.

   Unique to the UNIX machines will be:

   /etc/hosts.conf

   /etc/resolv.conf

   These two files will be propagated throughout the Linux portion of the network, along with the hosts file described below.

   The first file, hosts.conf, simply tells the Linux box what means to use to resolve IP addresses to hostnames, and the order in which it should use them.

   There are basically two methods utilized for name resolution. The hosts file (see below for more information,) which we will use in this installation, and a DNS server, usually another UNIX box running a program called the Berkeley Internet Name Daemon (BIND.)

   First, cd to etc/, then open the hosts.conf file, or create it if necessary, and edit it to contain the line:

   order hosts,bind

   Then close the file. This simply tells the Linux box to first check it’s hosts file to find another machine on the network before trying anything else.

   Next, open the resolv.conf file, or create it if necessary, and edit it to contain the lines:

   domain home.net

   search home.net

   After you are finished, close the file. This tells the Linux box it's domain name, and to search this domain first before implementing any external name resolution.

   The purpose of this is to keep your local network name resolution on the local network. This will become important later when we hook these machines up to the Internet through a gateway machine.

   Common to both the NT and UNIX machines will be:

   A hosts file, which is simply a listing of all the machines on a local area network, which translates IP addresses to hostnames.

   Open the hosts file with your favorite editor, again creating it if necessary, and create entries for the loopback adapter, also known as the localhost, and each machine on your network. This file will be copied to each machine, thus allowing both the UNIX boxes and the NT machine to find each other by hostname.

   Entries in the hosts file are created using the following syntax:

   IP address Fully Qualified Domain Name (FQDN) hostname

   For example, for the machine bear.foobar.net, with an IP of 206.113.102.193, the proper entry would be:

   206.113.102.193 bear.foobar.net bear

   A SHORT NOTE ON THE LOOPBACK ADAPTER: this interface, also known as the localhost, MUST be the first entry in any hosts file.

   So, to create the hosts file we will be using across our entire network, edit it to contain the following lines:

   127.0.0.1 localhost

   192.168.1.1 gateway01.home.net gateway01

   192.168.1.2 fileserver01.home.net fileserver01

   192.168.1.3 linux01.home.net linux01

   192.168.1.4 nt01.home.net nt01

   On the UNIX machines, this file also lives in the /etc directory, while on the NT machine it will live in /winnt/system32/drivers/etc directory.

   Now that we have prepared our common files, we can move to actual deployment preparations.

   Logistics and downtime: While this is not as great a concern on a home network as it is on a commercial LAN, it is still important to consider the impact the network installation will have on your machines, as well as what if any interruption of productivity might occur.

   You have two major, and one minor option in this regard:

   • The blitz method: This method entails setting aside a period of time when all machines may be downed, cabling, hardware and software installed and configured all in one contiguous session. Best for very small networks, and non commercial networks.
   • The phased method: This method involves a more conservative, cautious approach. Individual machines or sections of the network are downed one at a time, configured, tested, and brought back up before moving to the next section. This minimizes the interruption of productivity, and loss of computer services. Best for larger networks or most any commercial network.
   • A combination of the two: In any installation other than an extremely small network such as our example here, some combination of the two methods is usually the most practical approach. For instance, you may choose to blitz all the server machines, so that file services and other services will be immediately available to the client machines. After the blitz of the servers, you may then choose to slowly integrate the client machines by department, by priority of use, or most commonly, the suits first, then everyone else. As an aside, if you are deploying a network in a commercial environment, never underestimate the effect of office politics in your planning. While the executives may not technically need to be on the network as soon as your programmers or designers, remember to keep the man with the checkbook happy, and you will find your next upgrade much easier to justify.

   Preparing the cabling:

   10BASE2: Double check that you have sufficient coaxial cable, in the proper lengths, to interconnect all the machines on your bus. Remember, the cable strings from machine to machine, so I recommend physically laying out the cable between each machine to make sure you have enough, and the proper lengths. Finally, be sure you have the proper clips and ties to dress the cables neatly.

   10BASET: Depending on whether you bought the cables already made up, or made them yourself, the same general rules stated above will also apply here. Placement and layout of the cabling will be largely determined by your placement of the hub. Try to place the hub in such a way as to assure the shortest average length from the hub to each machine. As mentioned above, make sure you have sufficient materials to neatly run, anchor, and wrap your cabling.

   Preparing the file server:

   Memory issues: A good rule of thumb for any computer, and especially servers, is the more RAM the better. Since this is a home network, this is not as big an issue, but still important.

   Disk storage issues: If you can afford it, get SCSI drives. They work better and last longer. If you are on a budget, EIDE or UDMA drives will do in a pinch, but be aware they will not stand up as well under heavy, constant use.

   Backup device issues: I use a SCSI DAT drive, and have always had good results with it. Whatever you choose, MAKE SURE IT IS SUPPORTED BY Linux BEFORE YOU BUY IT! And backup up anything on any of the machines you will be working on that you cannot afford to lose!

   Power interruption and loss of data: You should consider at least protecting your fileserver with an Uninterruptable Power Supply (UPS.) I can recommend APC and Tripp-Lite products here. Why? Because they put they're money where they're mouth is on the warranty provided. Try to get one with two protected outlets, and jacks for your phone line. This will come in handy later when we do the gateway. Surges don't just come over the power lines. Ideally all your machines should have one, but try to make sure you get one for the file server.

   Preparing the client workstations:

   Linux box: not really much to do here, as most everything you need should already be installed. All your networking software should already be there. The only possible exception to this is if you have a RedHat machine, and you chose dialup workstation during installation. In this case, you may or may not have to install additional packages. Check your documentation.

   NT box: Here you will need to have your CD-ROM handy, as the networking software is probably not on your machine unless you explicitly requested it during the installation process. The software I am talking about here is separate and distinct from what is required for Dial Up Networking (DUN.)

   Surge protectors: If you cannot afford a UPS for each machine, at least put a quality surge protector on the two clients. Avoid the temptation to buy a bargain one. APC and Tripp-Lite are ones I can recommend for the same reasons as stated above. If either of these machines has any peripherals connected to it such printers, modems, scanners, etc. make sure these are protected as well.

   Installing the cabling:

   10BASE2: This is a fairly straightforward process. Simply lay the cable along the back on the table (or whatever your machines are on,) where you plan to install them. Do not anchor the cables at this time.

   10BASET: Once you have determined where your hub will be located, lay out the cable from the hub to each machine. Do not bundle or anchor the cables at this time.

   Installing the hardware:

   Network Interface Cards: This is fairly straightforward. Power off your machine. Remove the case cover and find an empty expansion slot appropriate for your type of card. Make sure it is firmly seated, and that you replace the screw that holds it in place.

   If the card is an ISA card, and is going into one of the Linux boxes, be sure to disable the Plug and Play feature and make note of the IO address and IRQ the card is using. There is usually some of setup program to help you with this. Write these values down as you will need them later.

   A QUICK NOTE ON IO ADDRESSES AND IRQ's: Some cards may require you to manually set the IO and IRQ values using jumpers on the card. Use care here. If you choose an IO address or IRQ already in use by another device, all sorts of nasty things can happen. Here are some good ones to try that generally work:

   IO Address:

   0x300 (300)

   0x310 (310)

   0x320 (320)

   IRQ:

   10, 11, or 12.

   If the card is a PCI card, have a go at auto detection first, then failing that, use the DOS setup program if required. Here at most, you may have to specify the IO address, which usually looks something similar 0x6xxx.

   In any case, once the card is set, be sure to write the pertinent information down. You will need it later on the Linux boxes, and you may or may not need it on the NT box.

   10BASE2:

   • Connectors and termination: Connect the tee to the NIC. On the Linux client and the NT client, place a termination device one side of the tee. Then using the cables you laid out earlier, connect the machines together.

   10BASET:

   • Installing the hub: This should consist of nothing more than setting it down on the table and plugging it in. In other situations, you may or may not find it advantageous to mount it on the wall, or even under the table.
   • Connecting to the hub: Using the cables you laid out before, connect one end of each cable to the appropriate NIC. Now you may bundle, but not anchor the cabling, starting at the each client on either end, and working toward the fileserver in the middle.

   Installing the software:

   Required software:

   Common:

   The /etc/hosts file: as specified above.

   The /etc/hosts.conf file: as specified above.

   The /etc/resolv.conf file: as specified above.

   Specific to the file server:

   If necessary, copy the above common files to the appropriate directories.

   SAMBA: This may or may not already be present on your system. If not, use pkgtool on a Slackware box to install it, and glint or the command RPM:ivh <name of samba.rpm> to install it on a RedHat box. Once you have verified it is installed, configure it as follows:

   • In the /etc directory, there should be an smb.conf-sample file. You may copy this to a new file called smb.conf, or create your own from scratch. I recommend using the sample one at first.
   • Edit the line workgroup = WORKGROUP and change it to workgroup = home.net
   • Next, look for a line similar to the following: hosts allow = xxx.xxx.x. Where xxx.xxx.x. represent the first three octets of your network address, 192.168.1. in the example. Additionally, be sure to allow the loopback interface. So the correct entry would be : hosts allow = 192.168.1. 127. 
   • Finally, look for the line: remote announce = xxx.xx.x.xxx and change it to 192.168.1.255 for our example network.

   NFS services: This should already be installed on your Linux boxes.

   A possible exception is RedHat, again if the NFS server and client options were not selected during installation. If necessary, install them. Once you have verified the software is installed on your system, configure as follows:

   The /etc/exports file: This is fairly simple. There is much more to NFS than what I will present here, but briefly, and entry in the exports file uses the following syntax:

   /name/of/directory/to/export (type of access) who.can.access

   So as an example, to export the home directory with read and write permissions, to anyone in the home.net, the correct entry would be:

   /home (rw,no_root_squash) *.home.net

   Specific to the NT client: Copy the hosts file ONLY to the specified location. Insert your NT CD-ROM and choose start/settings/controlpanel/network. Depending on whether you have been using this machine for DUN, you may or may not have some of the software already installed. If not just follow the prompts, with the following objectives:

   Install ONLY the TCP/IP protocol.

   When the time comes to install your Network Adapter (NIC), you can try to let it auto-detect first, then failing that, choose Have Disk and use the diskette supplied with your NIC.

   You can safely accept the defaults at this point. If prompted for information such as hostname, IP address, or netmask, refer to the stated configuration above.

   You may be prompted to reboot several times. Do so.

   Specific to the Linux client: Copy the common files to the appropriate directories.

   The only exception would be if you desired to make directories on the Linux client available to the NT client. If this is the case, simply repeat the SAMBA instructions for the file server above on the Linux client as well.

   Configuration of the file server:

   Basic Networking – the first step on the UNIX boxes is to get the NIC recognized. On a Slackware machine, this is done by editing /etc/rc.d/rc.modules and uncommenting the line that will load the kernel module necessary for your particular NIC, and possibly passing the IO address and/or the IRQ to help Linux find the card. Scroll down to the Network Device Support section, and look for the line:

   #/sbin/modprobe/ ne io=0x320 #NE2000 at 0x320

   Uncomment the line by deleting the pound sign. Depending on what release of Slackware you are using, you may or may not have to specify the IRQ as well. This should not be necessary if you are using release 3.5 or higher.

   Next, you will want to configure your networking software. Use the netconfig utility for this. Follow the prompts, with the following in mind:

   When asked if you will be using only loopback, answer no.

   Leave the default gateway blank.

   Leave the nameserver stuff blank.

   In RedHat, you can use the linuxconf utility in either text mode or under X. I have had a few bad experiences with the X version, so I recommend using the text mode version.

   At the command prompt, type linuxconf <RETURN>

   You will be presented with a dialog box.

   Choose Config/Networking/Client tasks/Basic host information.

   First, set your hostname to fileserver01.home.net, then tab to quit to return to the previous screen. Choose Adaptor 1, use the spacebar to select the following parameters:

   • Enabled
   • Config mode Manual

   Next enter the proper hostname, domain, IP, netmask, device number, kernel module, IO, and IRQ for machine. In our case, the proper data is:

   fileserver01.home.net

   fileserver01

   192.168.1.2

   255.255.255.0

   eth0

   ne

   0x320

   10

   If at any point, you are prompted for a default gateway, leave it blank for now.

   After you have entered this information, choose quit, accept, quit, quit, quit, until you are asked to activate your changes.

   If you want, you can use linuxconf to add your user accounts now, or do it manually later.

   Reboot.

   Configuration of the workstations:

   Configuration of the NT client – Choose start/settings/controlpanel/network.

   Select the Identification tab. Make sure your Workgroup is set to HOME.

   Select the Protocols tab. Highlight TCP/IP. Click on Properties.

   Select the IP Address tab, and make sure Specify an IP address is selected, and that the IP and netmask are correct. Additionally, make sure the Default Gateway is blank.

   Select the DNS tab. Enter your hostname (nt01) and domain (home.net) in the appropriate boxes.

   Select the WINS Address tab. Make sure the WINS server boxes are blank, and uncheck the Enable DNS for Windows Resolution and Enable LMHOSTS Lookup boxes if necessary.

   Select OK. When prompted that one of the adapters has an empty WINS something or other, select yes to continue. Select close. You will be prompted to reboot.

   Configuration of the Linux client – The network configuration will be the same as the fileserver instructions.

   Testing the installation:

   If any of these testing procedures fail, go to the troubleshooting section for suggestions on how to correct the problem.

   Testing for physical connectivity – To test physical connectivity, ping one of the other hosts on the network. You should see some return information and statistics. Depress Ctrl+C to exit.

   Testing the loopback adapter – To test the loopback adapter, simply ping 127.0.0.1.

   Testing the NIC – To test the NIC, simply ping the IP address of the NIC.

   Using ifconfig and ipconfig -

   In Linux and NT, there are utilities provided to assist you in assessing the condition of your networking setup and hardware. They are called ifconfig and ipconfig, respectively.

   On a Linux box, at the command prompt: ifconfig <RETURN> should yield two entries – one for the Loopback Adapter called lo, and one for your NIC, called eth0.

   On an NT box the command ipconfig should yield one entry, describing your Ethernet adapter.

   Testing name resolution – To test name resolution simply ping by hostname, such as fileserver01, nt01, linux01, etc.

   Testing file services –

   • Linux NFS – To test the NFS services, CD to /mnt, and create a directory called test. Then try to mount the remote directory to it. For instance, in our example above, we are exporting /home on the fileserver machine, so let’s mount it under test: mount –t nfs fileserver01:/home /mnt/test <RETURN>. If all went well, you should now be able to access the remote directory from the Linux client.
   • NT SAMBA – double-click on Network Neighborhood. Under Home, you should see both your NT client and the Linux machine, fileserver01. Double click on the entry for fileserver01. If your user account has been created on the Linux box, you should be able to enter your username and password when prompted, and be taken directly to your home directory on the Linux box.

   Troubleshooting the installation:

   Troubleshooting physical connectivity problems –

   • ping 127.0.0.1. If this fails, you have an improper networking configuration. Go back and recheck all your settings and required files. If this works, try to ping the IP address of the NIC installed in the machine. If this does not work, make sure the card is being recognized by Linux. If the NIC has more than one interface e.g. RJ-45 (10BASET) and a BNC (10BASE2,) make sure you have the correct one activated. If all goes well up until this point, try to ping another machine on the network by IP address. If this fails, see the next section on cable integrity.

   Cable integrity –

   • If you cannot ping any other machine on the network, and you have tried all of the above, here are some tips for isolating cabling problems.
   • 10BASE2 – move the termination of the bus to the next machine in line. Try to ping it. If this fails, try another cable. Repeat the ping test. If it still fails, suspect a termination problem. See below.
   • 10BASET – check that the RJ-45 connector is firmly seated in the NIC and the hub. If the cable is good, there should be an LED lit up above the port on the hub into which the cable is inserted. If the LED is not lit, try another cable.

   Termination integrity –

   • This only applies to 10BASE2 or bus networks. Terminators are usually a pass or fail type of deal. Either they work or they don't. First try another cable, and check to see if you are getting link lights on the NIC. Finally, double check combo cards to make sure the BNC interface is active.

   Troubleshooting name resolution problems:

   • First, try to ping by IP address. If this fails, check cabling, termination, and NIC recognition at boot time. On the UNIX boxes, ifconfig <RETURN> should show the loopback interface and eth0. If the NIC is not recognized, make sure Plug and Play is turned off, and you have passed the correct IO and IRQ parameters to the kernel. On an NT box, ipconfig <RETURN> should yield similar results. If not, check your network configuration. /start/programs/administrative tools/nt diagnostics may be of some help here.
   • If the ping by IP is successful, try to ping by hostname. If this fails, check your hosts file and make sure it matches the one above. If this is a UNIX box, check your hosts.conf and resolv.conf files and make sure they match the examples. If this is a NT box, make sure you placed the hosts file in the proper directory as specified above.

   Troubleshooting NFS problems –

   • If you cannot mount a remote drive, check the /etc/exports file on the machine that physically contains the directory you are trying to mount. Make sure the desired directory is being exported correctly.
   • If you can mount the remote directory, but can read and/or write, go back to the exports file and check the permissions.

   Troubleshooting SAMBA problems –

   • If the Linux box does not show up in the Network Neighborhood, make sure that both the NT box and the /etc/smb.conf files are using the HOME workgroup.
   • If the Linux box shows up, but you cannot access the shares, see if you are running Service Pack 3. If so, read the SAMBA docs for the required registry change that will need to be made to the NT machine.
   • Finally, make sure the username/password combination you are trying to use exists on the UNIX box as well as the NT box.

   References:

   Previous columns:

   Linux Installation Primer parts three and four

   Other:

   Ethernet HOW-TO

   Net-3 HOW-TO

   Network Administrator’s Guide

   Mastering Windows NT Server 4 (3^rd Edition)

   Resources for further information:

   The Linux Documentation Project

   http://www.patoche.org/LTT/

   http://www.ugu.com/

   http://www.stokely.com/unix.sysadm.resources/

   alt.unix.wizards

   comp.security.unix

   comp.unix.admin

   alt.os.linux.slackware

   comp.os.linux.networking

   comp.os.linux.hardware

   linux.redhat.misc

   Coming in Part Six: the long awaited Internet Gateway!

   ---

   Previous ``Linux Installation Primer'' Columns

   Linux Installation Primer #1, September 1998
   Linux Installation Primer #2, October 1998
   Linux Installation Primer #3, November 1998
   Linux Installation Primer #4, December 1998
   

   ---

   Copyright © 1999, Ron Jenkins
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Linux on a Shoestring

   By Vivek Haldar

   ---

   This article first appeared in the September 1998 issue of PC Quest, India's leading infotech magazine.

   ---

   Table of Contents

   • INTRODUCTION
   • SAVE RAM!
     • RECOMPILE THE KERNEL
     • STOP SOME SERVICES!
     • HOW TO REMOVE SERVICES FROM A RUNLEVEL
     • WHICH SERVICES TO KEEP, AND WHICH TO REMOVE
     • SERVICES YOU MIGHT WANT TO KEEP
   • SAVE DISK SPACE
     • HOW TO REMOVE A PACKAGE
     • WHICH PACKAGES DO I REMOVE?
   • WINDING UP

   ---

   INTRODUCTION

   With every operating system out there screaming "Give me more!" - more disk space, more RAM, more Mhz - it's comforting to know that there is one savior out there for those of us not endowed with the sizzlingly latest hardware. Yes, I am talking about Linux.

   Though Linux shines as a network operating system, and is often projected as one, the fact is that it makes a great single user OS as well - something that one could use on a non-networked home PC.

   And in that case, there are a number of ways in which you could tweak your system to get more punch out of it - even on machines as antiquated as 486s, and with as little RAM as 8MB.

   Now please remember that you need to be logged in as root to do all the following things. Our attack will be two pronged - to minimize usage of RAM, and to save disk space.

   SAVE RAM!

   RECOMPILE THE KERNEL

   The kernel that is installed out of the box does the job, but its a catch-all kernel, with almost everything compiled into it. Which means that its bigger than it has to be for you. If you compile your own kernel from the kernel sources, it could be upto 100kb smaller than the default vmlinuz kernel. Besides, its very helpful to know how to compile the kernel. It's quite simple actually. You first configure it, that is, you say what all you want in your kernel. And then you compile it.

   Linux has reached that advanced stage in its evolution where even the kernel configuration can be done graphically. The kernel sources usually reside in /usr/src/linux. To get the graphical configuration running, do "make menuconfig"(for text based menus), or "make xconfig"(for graphical setup in X). You'll be presented with a long list of configurable options, and before deciding, it is advisable to see the sagely help note which goes along with each. The notes always give sound advice, and you should follow it. By doing so, you'll land up with exactly the things that you need compiled into your kernel, and nothing else. I would also suggest reading the README file in the source directory. Once you've configured everything, quit X if you're running it. This is so that you can do the compilation in text mode, without a heavy X running, and with more available RAM.

   Do "make dep; make zImage", go have coffee, and come back after some time. Once that is done, the README explains in no uncertain terms what to do with your new kernel, and I would only be reproducing it if I told you.

   STOP SOME SERVICES!

   When a normal Linux system is running, there are a number of background jobs constantly running on it, each for a specific purpose - these are called daemons. For example, sendmail, the mail daemon, is the process which takes care of all the sending and routing of mail. A number of such daemons are started at bootup. And to group together sets of daemons that you might want to start for specific purposes, you have runlevels, which are simply groupings of services to start and stop. For example, on a normal Linux system runlevel 1, which is single user mode, will obviously need a lot fewer services to be running than runlevel 3, the full fledged multi user mode.

   Linux, by default, boots into runlevel 3. Now it turns out that of the myriad services started in that runlevel, some of them a simple non networked home PC could do without. For example, you obviously wouldn't want to waste precious RAM by running sendmail on such a machine. Yeah, it can be fun to send mail back and forth between root@localhost, and someuser@localhost, but that wears off pretty fast.

   HOW TO REMOVE SERVICES FROM A RUNLEVEL

   With RedHat, it's all very simple. Administration is definitely one of the areas in which RedHat scores over other distributions. After logging in as root, start X, and from an xterm, start "tksysv". This is the graphical runlevel editor.

   You'll see six columns, one for each runlevel. Now we'll only be fiddling with runlevel 3, the one which Linux normally boots into. Each column will have two halves, the top one for services to start at bootup, and the botton one for services to stop at shutdown. All you have to do to remove a particular service is to select it, and press Del. Thats it. Just remember to save your changes before quitting.

   WHICH SERVICES TO KEEP, AND WHICH TO REMOVE

   Actually, it's much simpler to tell you which ones to keep. Remember, all this tweaking is only in runlevel 3. Now the bare essentials are :

   • kerneld - nothing will work without this!
   • syslog - must have around for kernel to log messages. The logs are helpful for seeing what was going on with your system in case something goes wrong(actually, nothing ever goes wrong with Linux!).
   • keytable - you need this if want to be able to use your keyboard!
   • rc.local - this is where some trivial nitty gritties happen, after all the other services have been started.

   You simply need to have the above four services. Without them, as some say, "not everything will work."

   SERVICES YOU MIGHT WANT TO KEEP

   Then there are the fence sitters - non critical services which you might want to keep, if you need them, or if you fancy them.

   • crond - this runs a number of trivial jobs periodically, the most important of which is to make sure that your log files don't get too large. you can run it if you're paranoid.
   • atd - this deamon is required if you want to run "at" jobs, i.e., jobs which begin execution at a time specified by you. people working on large, multi-user systems which are up 24 hours, everyday, use this to run heavy computational jobs at night, when loads on the system are lighter. but on a simple home machine, i don't see much use for it. after all, you're the only one using it!
   • gpm - this allows you to use the mouse in text mode. useful sometimes only if you work in text mode, and a complete waste if you work in x.

   SAVE DISK SPACE

   Actually, there's nothing much you can do here, except removing unwanted packages. Redhat linux has a superb, easy to use, and comprehensive package management system which can keep track of almost every non user file on your disk. Everything installed on your system is part of some package, and packeges can be uninstalled.

   HOW TO REMOVE A PACKAGE

   Just run "glint", the graphical interface to the redhat package management system, from a command line while in x, and you will get a graphical interface to all the packages installed on your system. The packages are classified, and show up in a directory browser like window. To remove a package, just select it and click on the "uninstall" button on the right side.

   WHICH PACKAGES DO I REMOVE?

   Beware though, there are some critical packages which shouldn't be uninstalled. In glint, it's generally advisable to not touch the "base" and "library" packages unless you know exactly what you are doing.

   For others, see their description(click the "query" button). If you haven't used that package in a long time, or don't foresee using it, it's generally safe to remove it. In case removing a package affects any other package, glint will tell you. It's all quite safe. If you do end up needing the package, you can always reinstall it from the CD.

   WINDING UP

   These were only a few suggestions that you could try out. The more comfortable you get with Linux, and the more you explore, the more ideas you'll get to tweak your system to get the most out of it.

   Linux is an OS which is more forgiving to experimentation than most others. So think, and try it out!

   ---

   Copyright © 1999, Vivek Haldar
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   The Linux User

   By Bryan Patrick Coleman

   ---

   Who uses Linux? This question has changed as Linux evolves. Originally none but the ultra hacker or the core developers of the OS were the ones to use it. As different functionality got added, more and more less technically oriented people began to use Linux.

   Now the question is how far will Linux go toward being an OS for the end user. The response that is the healthiest for continued growth would be as far as one can go. What you say would you turn Linux into a next generation Windows. No, but there is more to it than that. nifty To effectively become an end user product and keep the hackable quality of Linux should be the new focus. That means when developing open source software you are developing for everyone from the ultimate power user / hacker to the less than average user that may have never used a computer before. Yes some people have never used computers before still in this day and age.

   What does this mean for development? First and foremost make everything you possible can configurable. Not just different makes for different needs but truly extendable interfaces using guile or python for example. But also there need to be defaults. So after your application is installed a user can simply start your program and it look polished. As long as your source code is available the hard core hacker is happy. But for hacker wouldi-be's it is very important that source code is internally documented.

   But wait we can go a step beyond simply creating fully configurable applications that are extendable and come with default settings. How about "smart" applications. Maybe you have installed application A on your system and application B comes along from the same people that brought you A. Wow you would love to have it so you install it and low and behold all of the little tweaks that you have made to A are already configured for application B. Since A and B are smart applications they have communicated and B now knows what you like. Of course not everyone likes there applications deciding what they like so all smart applications should be lobotomyzable.

   Now for the real fire. How about all this plus the application is ready for immediately distributed computing, not only distributed but PVM aware so if you connect to a Beowulf cluster your application is ready to do some super computing. Groups can be formed across the web i.e. ready made intranet. Security is of course built in so you company or organization can just set up there own key and away they go.

   Why stop at just X or the console or even Linux. I your application is completely system aware no matter where you are or what computer your using a person just has to start up there application and it does the rest going so far as trying to figure out which way you like your application and if your going to be doing distributed work.

   In short the new wave of computing will be all things for all people. This new approach needs a new name I think. I prefer liquid or fluid UI or interfacing framework. Some might think of Java. Java however is slow, slow and in the end it is only one library. What I have in mind would be more of a set of wrapper classes one for each library used. And one wrapper that would handle all of the calls to the widget sets and do all of the AI work. This double wrapper approach would cut a lot of the time and effort of emulating multiple classes.

   ---

   Copyright © 1999, Bryan Patrick Coleman
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Kernel 2.2's Frame-buffer Option

   By Larry Ayers

   ---

   Introduction

   The long-awaited new stable version 2.2 of the Linux kernel is on the verge of release as the new year begins; a great variety of new features and drivers will be included. One of the new features is the option to use a new device type for the virtual consoles, the frame buffer device (/dev/fb[0-7].) This new device type isn't really essential for the many Linux users running Intel machines, but those people using Alpha, Sparc, PPC, or any of the other platforms supported by Linux should benefit, as the idea behind the frame buffer console is to provide a hardware-independent console device.

   Geert Uytterhoeven, a Belgian programmer and one of the primary frame buffer developers, wrote a succinct introduction to one of the frame buffer documents included with the kernel source:
   

   The frame buffer device provides an abstraction for the graphics hardware. It represents the frame buffer of some video hardware and allows application software to access the graphics hardware through a well-defined interface, so the software doesn't need to know anything about the low-level (hardware register) stuff.

   Users of Intel machines already have methods available to vary the size of the text console screen, such as the video=ask Lilo parameter and the SVGATextMode utility. I've used SVGATextMode for quite some time to set the console text to a 116x34 resolution. It works fine, but while configuring recent 2.2 beta kernels with menuconfig I couldn't help but be intrigued by the choices offered in the Console Drivers sub-screen. My video card these days is a Matrox Mystique, and when I saw a new frame buffer driver for Matrox cards and another option for Mystique support I just had to give it a try.

   Installation Tips

   The first time I tried a kernel with Matrox frame buffer support I could see that the card was detected (as the boot messages scrolled by) and the penguin logo's appearance at the upper right corner of the screen seemed to indicate that at least part of this compiled-in feature was working, but the console was the same old 80x25 default. Back to the documentation, where I learned that a utility called fbset would be helpful. This small program (written by Geert Uytterhoeven and Roman Zippel) is used to change or query the current frame buffer mode. Even more important, the installation of fbset creates the special device files /dev/fb[0-7] which are needed for frame buffer functionality. The fbset archive can be found at this FTP site.

   Another document found in the fb subdirectory of the kernel source's Documentation directory is called matroxfb.txt. Written by Petr Vandrovec, the Czech developer responsible for the Matrox frame buffer drivers, this document is a great help in setting up workable frame buffer modes. Another, more generic document called vesafb.txt can be consulted when setting up modes for other VESA-2.0 compliant video cards.

   There are two ways to tell the kernel which frame buffer mode to use. While experimenting, setting the mode specification at the Lilo prompt is a quick way to try a mode out. Let's say that your main dependable kernel is the first one in the /etc/lilo.conf file, and the frame buffer kernel is the second and is named bzImage-2.2. Your computer boots, the LILO prompt appears, and you press the shift key. Here is an example of a mode being set:
   

   LILO bzImage-2.2 video=matrox:vesa:0x188

   If the mode is acceptable, the console screen will switch to the new mode (in this case, 960x720) soon after the boot messages begin to scroll by. The relevant boot messages will look something like this:
   

   
   matroxfb: Matrox Mystique (PCI) detected 
   matroxfb: 960x720x8bpp (virtual: 960x4364) 
   matroxfb: framebuffer at 0xE0000000, mapped to 0xc4807000, size 4194304 
   Console: switching to colour frame buffer device 120x45 
   fb0: MATROX VGA frame buffer device 
   

   If you like the mode, a variation of the above Lilo command can be inserted directly into the /etc/lilo.conf file; the line should look something like this:
   

   append="video=matrox:vesa:392"

   The quotes are essential, and notice that the hex number 0x188 has been converted to its decimal equivalent 392, since Lilo can't understand hex numbers in the lilo.conf file.

   Once the frame buffer kernel is booted the fbset utility can be used to switch to other modes. Mode specifications can be derived from X modes, but not wanting to spend hours fooling around with this I took the easy way out. Before I edited the lilo.conf file so that the mode would be set automatically when booting, I tried several different hex numbers at the Lilo prompt. After booting each one I ran fbset without any arguments. When run this way fbset outputs to the screen the current mode specs in a format usable in the (initially nonexistent) config file /etc/fb.modes. Here's a sample of the output:
   

   
   kbdmode "name"
       # D: 56.542 MHz, H: 45.598 kHz, V: 59.998 Hz
       geometry 960 720 960 4364 8
       timings 17686 144 24 28 8 112 4
   endmode
   

   Several of these mode specs can be pasted into a new /etc/fb.modes file, substituting different mnemonic names for the "name" in the pasted output. One useful mode to include is a basic, non-color text mode, either by trying one of the text modes described in the documentation or simply by running fbset -depth 0. SVGAlib console graphics programs won't run properly in frame buffer consoles with higher color-depths. Once a fb.modes file has been created the frame buffer mode can be changed by running the command fbset name, where "name" is one of the mode names in the file.

   Frame Buffers and X

   Naturally, the big question many readers will have is "Will X Windows run when started from a frame buffer console?". The answer is "It depends.". Some combinations of X servers and video cards are known to have problems, especially when switching back and forth from X to a virtual console. This can be a problem with SVGATextMode as well. The XFree86 3.3.3 SVGA server I've been using with my Matrox card has worked well with the frame-buffer consoles. Your mileage may vary.

   There is a special server available in source form; it's called XF68_FBDev and it's included in the XFree86 3.2 (and later) sources. Binaries aren't available, and the server is unaccelerated and would mainly be of interest to those running Linux on non-standard hardware such as PPC.

   Conclusion

   The majority of Linux users probably won't be using the frame buffer kernel options any time soon. It has advantages with some hardware, but it takes time to figure out and use effectively, and the benefits are nice for console users but won't be of much use to those who spend most of their time in X Windows. I think that the reason it will be a part of the next stable kernel release is that frame buffer devices aren't Intel-specific, as is much of the current console code. It's likely that the much-anticipated release of XFree86 4.0 (possibly this year) will include more frame buffer compatibility in its server modules, such as seems to exist now in the SVGA server.

   ---

   Last modified: Sun 3 Jan 1999

   ---

   Copyright © 1999, Larry Ayers
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Running Your Own Domain Over a Part Time Dialup

   By Joe Merlino

   ---

   You love your linux box. You love the power. You love the flexability. You love the freedom. You really love the utter non-microsoftness of it. But deep down inside, you know there's something missing. A deep longing sits within you, crying out to be assuaged.

   Your friends with full-time ethernet connections have it. Your really rich friend with a T-1 to the house has it. They can log into their linux boxen any time they want. They have their own domain names. You probably even have an account on one of their machines. But look what you're stuck with. Sure your modem's pretty fast, but it only dials up when you tell it to, and you can't tell it when you're not logged in. Even if you set it up to run as a cron job, you wouldn't know where to telnet to because your ISP gives you a different IP number every time you dial in.

   How do you get remote access?

   Fear not. There Is A Way. For the price of a dialup PPP account, you can have that precious remote access. And if you're willing to pay the freight to InterNIC (you can scrape up seventy bucks, can't you?) you can even have your own domain. Here's how:

   ---

   STEP 1 - SETTING UP PPP

   The general setup of PPP connections on Linux is well documented elsewhere, so I won't go into it, except to say that you need to have PPP set up to run non-interactively from a command line. Graphical programs to activate PPP such as EZPPP or Red Hat's netcfg won't work. This is because you're going to create a script to be run as a cron job, and that script needs to be able to call your PPP-connecting script.

   For the purposes of this article, my PPP-connecting script is called /etc/ppp/ppp-on, and the script that ends the PPP connection is called /etc/ppp/ppp-off. You should be able to find examples of these sorts of scrips on the web.

   ---

   STEP 2 - DYNAMIC DNS SERVICE

   You probably have Domain Name Service (DNS) through your ISP, but your ISP doesn't keep track of your particular connection because it changes every time you dial in. Your ISP does this because it has more users than it does IP numbers. This makes sense when you consider that most of the people who use the service only connect for a short time - a couple of hours at most. You can probably get a full-time connection and a static IP number from your ISP, but such things are typically pretty expensive.

   The thing is, you don't really need a static IP number to have a constant domain name. As long as the Domain Name Server where your domain name lives knows what your IP number is *at any given time*, you can get to your machine. And the DNS server where you domain name lives doesn't have to be the same one that belongs to your ISP.

   I use a service provided by a company called Dyndns (www.dyndns.com) Dyndns will, for a fee, maintain your domain name in its database. The domain name you get can either be a subdomain of theirs (i.e. yourdomain.dyndns.com), which is cheaper, or your can have your own unique domain name (i.e. yourdomain.com), which is somewhat more expensive. If you want a unique domain name, irst, you have to register your domain name with InterNIC (www.internic.net). Dyndns will do this for you, for a fee, but it's so easy to do, you might as well save yourself the money and do it yourself. When you register with InterNIC, you have to supply the IP numbers of a primary and secondary DNS server. These numbers are available on Dyndns's web page. Once all of this goes through (read: is paid for), you're good to go.

   The next thing you do is download a client program from Dyndns's website. They have a couple of different clients you can choose from (one in C, and one in Perl), and it might take some experimenting to figure out which one is better for you (even then, I had to have a friend of mine hack the Perl client a little to make it work).

   When you are logged into your ISP, you run the client program. The client program gets your current IP number from the output of the 'ifconfig' command, and reports it to Dyndns's DNS server. Your domain name is now pointed at your machine.

   [Note: Nothing I've said in this section should be considered an endorsement of or advertisement for Dyndns. I've used their service as an example because it's the service I use, and it's what I'm familiar with.]

   ---

   STEP 3 - AUTOMATING THE CONNECTION

   You've got the domain name, you've got the DNS service, amd you've got the client program working. Now you need a way to make the computer log itself onto your ISP without your actually being there to do it. Ah, the wonders of Linux! This is taken care of with a simple shell script. Here's what I use:

   #!/bin/bash
   
   #  This is a script that attempts to log into a remote dialup and
   #  establish a PPP connection. If it is sucessful, it runs 'ntpdate'
   #  (network clock set), NamedControl.pl (a perl script to update
   #  the dynamic DNS), and fetchmail for all accounts. If it fails, it
   #  makes two more attempts, and then exits.
   
   #  This script is released under the GNU General Public Licence. No
   #  warrenty whatsoever is expressed or implied.
   
   #  Original version was written by Joe Merlino <joe@negia.net>, November,
   #  1997.
   
   #  If you have an idea for an improvement to this script, please let me
   #  know. 
   
   #  set iteration counter at 1
   i=1
   while [ $i -le 3 ]
     do
   
       #  This part tests for the availability of the modem. If the modem
       #  is available, it runs /etc/ppp/ppp-on. If not, it reports and
       #  exits.
   
       (
       if (test -e /var/lock/LCK..modem)
         then 
           echo modem not available  # for some reason this didn't work. 
           exit 0
         else
           /etc/ppp/ppp-on
           sleep 45
        fi
       )
   
       #  This part tests for the modem lock file, and if it exists, runs
       #  the various programs needed to update the system from the network.
       #  if the lock file is not found, it reports and exits.
   
       (
       #!/bin/bash
       if (test -e /var/lock/LCK..modem)
         then  
           /etc/ppp/netpack  #invoke 'netpack' script
           echo done
         else
          echo no connection
       fi
       )
       sleep 60
   
         #  This part again tests for the lock file, and if it finds it, sets
         #  the iteration counter to 4 (so the script will exit). If the lock
         #  file is not found, it incriments the counter by one.
   
         if (test -e /var/lock/LCK..modem)
           then
             i=3
         fi
         i=`expr $i + 1`
         echo $i
     done
   

   You'll notice that this script calls another script, 'netpack'. I've done that because I have a set of things I like to do when my machine logs itself in. At the very least, 'netpack' should include your dynamic DNS client script. I would also recommend that it include whatever you use to download your email (e.g. 'fetchmail' or 'popclient' or whatever). It would also be possible to replace the line that calls 'netpack' with a series of lines that call the various programs, but I like the modular design because I can edit 'netpack' on it's own.

   I put both this script (which I named 'auto-up'), and 'netpack' in /etc/ppp/.

   Once you've got all that set up, try running it manually to make sure it works. (Don't forget to give yourself execute permission.) Once you've established that it works, set it up as a cron job (using the 'crontab -e' command) to run whenever you want to have remote access to your linux box. Also, set up /etc/ppp/ppp-off to run when you want your access to end.

   [Note: Some ISPs have a limit on the amount of time you can be connected without doing anything. This is to keep people from logging in and simply leaving their computers connected indefinitely. You should be aware of your ISP's policy with regard to this.]

   And there it is. You now have remote access to your machine at specified times. Now you can start pining for a full-time connection.

   Addendum: Between the time I wrote this article, and the time that this issue of Linux Gazette was posted, DynDNS added a web-based update system to its already existing methods. This means that you can update DynDNS manually, with your browser.

   It also gives us the opportunity to write another Perl client. This one can be much more compact, and should work "out of the box" with only one small hack required for your account information.

   If you want to use it, simply copy the text between the ---CUT--- lines to a file, give yourself execute permission, and use it in place of the other client program.
   
   
   

   
   ---------------CUT------------------
   
   #!/usr/bin/perl
   
   #
   # Client script for HTTP update of DynDNS's Dynamic Domain service.
   # Written by Joe Merlino  12/31/98
   # Licence: GNU GPL
   #
   
   use IO::Socket;
   
   # Replace the values below with your information as indicated
   
   $host = "master.dyndns.com";
   $myhost = "myhost";		#replace with your hostname
   $myname = "postmaster";		
   $mypass = "mypass";		#replace with your password
   
   
   # This part opens a connection to DynDNS's web server.
   $remote = IO::Socket::INET->new(
   	Proto => "tcp",
   	PeerAddr => "$host",
   	PeerPort => "http(80)"
   	) 
   	or die "couldn't open $host";
   
   # This part sends an HTTP request containing your information.
   print $remote "GET /dyndns/cgi/DynDNSWeb.cgi?name=$myname&passwd=$mypass&domain=$myhost&IP=AUTO HTTP/1.0\n\n";
   
   
   #This part extracts and prints DynDNS's response.
   while ($hrm = <$remote>) {
   
   	if ($hrm =~ /UPDATE/) {
   		$message = $hrm
   	}
   
   	if ($line =~ /THERE/) {
   		$message = $hrm
   	}
   }
   
   print "DynDNS: $message";
   
   -close $remote;
   ---------------CUT------------------
   

   ---

   Copyright © 1999, Joe Merlino
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Setting Up a PPP/POP Dial-in Server USING Red Hat Linux 5.1

   By Hassan Ali

   ---

   DISCLAIMER:

   This worked for me. Your mileage may vary!

   OBJECTIVES:
   To install PPP and POP/IMAP services on a Red Hat Linux 5.1 server for dial-in users.

   TOOLS:
   Red Hat Linux 5.1 CDs

   ASSUMPTIONS:
   You have a PC with basic installation of Red Hat Linux 5.1 with a Linux kernel that supports IP forwarding.

   ---

   STEP 1: Install "mgetty" (if not yet installed) from Red Hat 5.1 CD #1
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   1. Login as "root", insert Red Hat 5.1 CD #1 in the CD-ROM drive and mount it using the command:

           # mount -t iso9660 /dev/hdb /mnt/cdrom
      

      (It is assumed that your CD-ROM drive is device /dev/hdb, if not change it accordingly)
   2. Get to the RPMS directory:

           # cd /mnt/cdrom/RedHat/RPMS
      

   3. Install "mgetty" rpm files:

           # rpm -Uvh mgetty*
      

      This will install mgetty and all its cousins, but who cares!! If you hate extended family, have your way and replace "mgetty*" with "mgetty-1.1.14-2.i386.rpm".
   4. At the end of /etc/mgetty+sendfax/mgetty.config file, add the following set of three lines for each serial port connected to a modem for dial-in users. Here is an example for /dev/ttyS1 and /dev/ttyC15:

           # For US Robotics Sportster 28.8 with speaker off
           port ttyS1
           init-chat "" ATZ OK AT&F1M0E1Q0S0=0 OK
           answer-chat "" ATA CONNECT \c \r
      
           # For Practical Peripheral 14.4 with fax disabled and prolonged
           # carrier wait time (90 sec)
           port ttyC15
           init-chat "" ATZ OK AT&F1M0E1Q0S0=0S7=90+FCLASS=0 OK
           answer-chat "" ATA CONNECT \c \r
      

      Notes:
      1. AT&F1 sets hardware flow-control mode on many modems. For other modems use appropriate initializations in the init-chat line.
      2. Just in case you wonder why I took as an example a ttyC15 port; well, you may have such a port if you have a multiport serial card. If you need one, I recommend Cyclades cards.
   5. In /etc/mgetty+sendfax/login.config file, search for the line that starts with /AutoPPP/. Make sure that it is not commented (i.e. there is no "#" at the beginning of the line), and edit it to be:

           /AutoPPP/	-	a_ppp  	/etc/ppp/ppplogin
      

      If you wish to have users' login names (rather than "a_ppp") to appear in the /var/run/utmp and /var/log/wtmp log files, then the above line should be:

           /AutoPPP/	-	-	/etc/ppp/ppplogin
      

   6. In /etc/inittab file, search for the section that runs "getty" processes and add at the end of that section one line of the following form for each modem port. Example here is given for ttyS1 and ttyC15.

           7:2345:respawn:/sbin/mgetty -x 3 ttyS1
           8:2345:respawn:/sbin/mgetty -x 3 ttyC15
      

      [the first number (7,8) is arbitrary (in fact I have seen in some cases "s1", "s2", etc, used instead). Just give a different number for each port. And why not you go by the order!!? Me wonders!]
   7. Connect the modems to the serial ports, switch them ON and then initialize "mgetty" with the command:

           # init q
      

      NOTE: If you spawn "mgetty" on a serial port with no modem connected to it, or the modem is not switched ON, you'll get lots of error messages in "/var/log/messages" or/and in the other mgetty ("/var/log/log_mg.ttyXX") log files. In fact those error messages may continuosly pop up on your screen. Quite annoying, eh? To avoid this annoyance, each serial port that has no modem connected to it should have its corresponding lines commented out in /etc/inittab and in /etc/mgetty+sendfax/mgetty.config files.

   ---

   STEP 2: Install PPP (if not installed) from Red Hat 5.1 CD #1
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   1. If the Red Hat CD #1 is properly mounted (see STEP 1.1), to install PPP type the following command:

       # rpm -Uvh /mnt/cdrom/RedHat/RPMS/ppp*
      

   2. Edit /etc/ppp/options files to read as follows:

           -detach
           crtscts
           netmask 255.255.255.0
           asyncmap 0
           modem
           proxyarp
      

      NOTES:
      1. Use appropriate netmask for your network. It doesn't have to be 255.255.255.0, in fact in my case it was 255.255.255.224
      2. Read man pages for "pppd" to understand those options.
   3. Edit /etc/ppp/ppplogin file (create it if it doesn't exist) to read as follows:

           mesg n
           tty -echo
           /usr/sbin/pppd silent auth -chap +pap login
      

      Make the file executable using command:

           # chmod +x /etc/ppp/ppplogin
      

      NOTE: We're going to use PAP authentication BUT using the ordinary /etc/passwd password file. That's what "+pap login" means.
   4. For each serial port connected to a modem, create a corresponding /etc/ppp/options.ttyXX file, where "XX" is "S1" for ttyS1 port, "S2" for ttyS2 port, "C15" for ttyC15, etc. In one such file put the following line:

           myhost:ppp01
      

      where "myhost" is the hostname of the PPP server - change it accordingly to the actual hostname of your Linux box. If you're more forgetful than you can REMEMBER to admit, remind yourself of the hostname of your server using the "hostname" command.

           # hostname
      

      The word "ppp01" used above is just an arbitrarily chosen name for the virtual host associated with one of the PPP dial-in lines and its corresponding IP address as defined in /etc/hosts file (to be discussed later). In another /etc/ppp/options.ttyXX file, you may wish to type in the following line:

           myhost:ppp02
      

      That is, here you define a different PPP hostname, "ppp02". Use a different hostname for each serial port. You can choose any names that your lil' old heart desires! They don't have to be ppp01, ppp02, ppp03, etc. They can be "junkie", "newbie", "noname", whatever!
   5. Edit /etc/ppp/pap-secrets file and add one line as shown below for each IP address that is to be dynamically assigned to PPP dial-in users. This, of course, assumes that you have a pool of IP addresses that you can assign to your dial-in clients:

           # Secrets for authentication using PAP
           # client	server		secret		IP addresses
           *		*		""		10.0.0.3
           *		*		""		10.0.0.4
      

      This says: no PAP secrets (passwords) set for any client from anywhere in the world with the shown IP address. We don't need to use PAP secrets if we will be using /etc/passwd instead. If you are REALLY not paranoid, you can have just one following line that will serve all the IP addresses (yours and your neighbour's!):

           # Secrets for authentication using PAP
           # client	server		secret		IP addresses
           *		*		""		*	
      

   6. Make /usr/sbin/pppd program setuid "root" by using command:

           # chmod u+s /usr/sbin/pppd
      

   7. Edit /etc/hosts file to assign IP addresses to all PPP hostnames you used in STEP 2.4. Use the pool of IP addresses used in STEP 2.5:

           10.0.0.3	ppp01	ppp01.mydomain.com
           10.0.0.4	ppp02	ppp02.mydomain.com
      

      NOTE: Replace "mydomain.com" with the actual domain name of your PPP server. Just in case you're confused, I assume your PPP server is "myhost.mydomain.com".

   ---

   STEP 3: Install POP/IMAP servers (if not installed) from Red Hat 5.1 CD #1
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   1. With the Red Hat CD #1 properly mounted, issue the following command to install POP and IMAP:

           # rpm -Uvh /mnt/cdrom/RedHat/RPMS/imap*
      

   2. Check /etc/inetd.conf file to see if "pop-2", "pop-3", and "imap" service lines are all uncommented. If not, uncomment them (i.e remove the leading "#"). If you only want to support POP3 clients, just uncomment the "pop-3" line. If POP2 and POP3 files are not in the "imap*" RPM file, try to see if you have "ipop*" RPM file and use it instead.
   3. Activate the new services by using command:

           # kill -HUP `cat /var/run/inetd.pid`
      

   ---

   STEP 4: Enable IP fowarding
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~

   1. If you use the already compiled Linux kernel that comes with Red Hat 5.1, it does normally have support for IP forwarding. If you compile your own Linux kernel, you have to enable "IP: forwarding/gatewaying" networking option during compilation. For RFC compliance, the default bootup process does not enable IP forwarding. Enable IP forwarding by setting it to "yes" in /etc/sysconfig/network file, like so:

           FORWARD_IPV4=yes
      

   2. Activate IP forwarding by using command:

           # echo "1" > /proc/net/ip_forward
      

      or by rebooting the system.

   ---

   STEP 5: Test the server
   ~~~~~~~~~~~~~~~~~~~~~~~

   1. First create users (if not ready). You can give them "/home/username" home directory and "/bin/bash" login shell if you want them to have both "PPP" and shell access. Give them "/home/username" home directory and "/etc/ppp/ppplogin" login program if you want them to have PPP access but not shell access. It's better to use "usercfg" tool to set-up new users. Typical /etc/passwd file entries may be as follows:

           jodoe:tdgsHjBn/hkg.:509:509:John Doe:/home/jodoe:/bin/bash
           jadoe:t8j/MonJd9kxy:510:510:Jane Doe:/home/jadoe:/etc/ppp/ppplogin
      

      In this example, John Doe will have both PPP and shell access, while Jane Doe will only have PPP access. If you have just started to wonder how John Doe may have PPP access, the answer lies with the /AutoPPP/ configuration in "mgetty" - it does the magic. Any user that will dial in and talk PPP, mgetty will give him/her the /etc/ppp/ppplogin program.

      So, if John Doe dials-in using Windows 95 dial-up adaptor which is set up to make a PPP connection, mgetty will give John Doe PPP access. If he dials in with any other communication software e.g HyperTerminal, (with no PPP negotiation) he will be given the normal login shell. This will never happen for Jane Doe. She will always be welcome by the "/etc/ppp/ppplogin" program.

      In fact "mgetty" allows you to use the same modem lines for various protocols. For example, your UUCP clients (if you have any) may use the same modem lines as your PPP clients! Of course, you have to give your UUCP clients "/var/spool/uucppublic" home directory and "/usr/sbin/uucico" login program.

   2. Assuming you have a web server (Apache) already setup (it's a piece-a-cake to setup Apache), use a web browser, and a POP e-mail client (e.g Eudora) on a remote PC connected to a modem and a phone line. If it is a Windows 95/98 PC, setup the Dial-up Adaptor appropriately by specifying the IP address of the PPP server as the Gateway, use correct DNS IP address, and specify that the server will assign an IP address automatically. In the POP client (e.g Eudora), set SMTP and POP host as the IP address of the PPP/POP server.

      Now dial-up the server and wait for connection. Test out web browsing, and POP mail sending and receiving. If it doesn't work... something is wrong somewhere ;-)

   ---

   REFERENCES:

   1. PPP-HOWTO 2. NET-3-HOWTO 3. "Using Linux", Bill Ball, published by Que (around US$30 - highly recommended) 4. mgetty documentation

   ---

   Copyright © 1999, Hassan O. Ali
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Touchpad Cures Inflammation

   By Bill Bennet

   ---

   Here are some reasons to go to a little touchpad for Linux:

   1. It will exercise your whole hand digit by digit.
   2. When you take the pressure off of your "clicker finger" your chronic carpal tunnel and joint soreness will go away in a few days.
   3. When you work without soreness, you will enjoy your Linux box even more than you do now.
   4. You can really truly do magic hand gestures to make your machine go.
   5. It works better in Linux than in the monopoly system!

            So, what make and model are we talking about? It is the Elite 800 dpi EZ-Pointe serial touchpad by PC Concepts. I got mine at Computer Avenue (www.computeravenue.com). Developed for the Windows-Intel monopoly system, it comes with a diskette that holds the "drivers" for Microsoft's DOS and their 16-bit and 32-bit window managers.

             The DOS setup of the pad is simply a matter of putting the diskette in the floppy drive and copying the "drivers" over to your machine. You get the usual triple set of instructions: one for DOS, one for 16-bit gui DOS and one very "clickety" set of instructions for 32-bit gui DOS 7.0.

             After about twenty minutes of fiddling and adjusting, you are back to square one: you have installed a serial pointing device. Yes, you can enter in some key bindings coupled with clicks of the primary and secondary switches. You can set up hotspots accessible from a set of keys and clicks of switches. When the play-time is done (about twenty minutes or so - depends how playful you feel), you have to reboot your machine to record the settings. Ok, no problem.

             Now you can use the pad. You will find that all of the fiddling and customizing was a waste of time, since you will just be doing same-old, same-old with a new pointing device. When it comes to RSI, you can get yourself a better mouse or you can get yourself a totally new pointing device.

             The time comes when you want to see this thing work in Linux. Then you realize that your DOS fiddlings with "drivers" will be impossible in Linux because all of the "drivers" are written for the Widows-Intel monopoly system. It makes me think.

             Where does the typical hardware problem start? Right! It starts with standard manufacturing procedure: you follow the market. So the typical hardware problem in Linux is about hardware that will work only when a set of mystical registers is set up; those settings which can only be set with DOS software. We all know that the majority of PC owners are forced to get DOS software when they buy their machine. All we need is hardware that works on its own interface (like your BIOS and CMOS at startup) and hardware that will accept signals from any software, as long as the signals are correct.

             The non-standard hardware that uses non-standard settings is often (too often) kept from us by manufacturers who force the signing of a NDA (non-disclosure agreement) in order to protect their secrets. Ask yourself: is it a secret because it is simple and elegant? My answer is that these companies are afraid of a certain big, bad wolf company that steals innovation; this same thief claims to be the leading innovator! It is no wonder, then, that certain hardware is not yet open to Open Source.

             We also need for the manufacturers to hear that Linuxians will purchase from "Linux friendly" companies first. First and foremost, the consumer can really influence the computer industry by supporting the protocols that are open and free for all users. So do not buy from a company that seeks to own the protocols and do buy from companies that adhere to the protocols as they have been established.

             Enter the serial port protocol for the serial mouse. A mouse is a mouse. Evidence for the DOJ: a "regular" mouse is a Microsoft mouse. If any of you folks think that there is no need to curb monopolies and their anti-competitive, locked in, exclusive contracts, remember this: a "regular" mouse used to be an Apple mouse. Apple had the home computer mouse first and they played fair. It is my contention that Apple needed to play a bit more hard-nosed. Just look at who "owns" (influences) them now.

             The defacto standard for a "regular" serial mouse is based on its ubiquitous placement as an accessory for the monopoly system PC. Besides, we users like pointing devices. For the sake of clarity, you even call a "regular" mouse or the touchpad a Microsoft mouse when you install Linux.

             Well, it is time to leave the pad plugged in and reboot the machine to Linux. Good. Let us see if it works without all of these DOS driver fiddlings. You wait. You hope. You curse the monopoly. Then it happens.

             Gpm -t ms is running. You brush a digit across the pad. It's alive! Now for startx.

             The pad will work as a regular mouse in Linux without any of those annoying "drivers" because the Linux mouse config is ready for any serial mouse. No drivers. No fiddling. And the left and right buttons work just fine. In fact, it seems to me that the motion is smoother.

   Give me a bit of skin anyday

             The standard procedure for operating a mouse is odd to watch if you look at it like a non-computer-familiar person. The operator holds the hand in readiness on top of the mouse. Whether you are a "micro-wrist-twitch" artist or a "full-shoulder-pusher" or a "swing-punch-twister" it all looks the same: your finger rests on the clicker and moves in one axis, making a tiny movement over and over. The term "clickfest" was coined as a derisive remark by some person with an aching "mouse wrist" and and a sore "clicker finger", I'll bet.

             Enter the pad, man. Brush a finger, any finger across the smooth touch pad. Your cursor will follow. Skin is in. Try a knuckle. Any skin covered body part will do. Now do a little light tap on a menu button. It responds. Do a light double tap. This light double tap is now your new "clickety-click". You do have switches, and they make drag and drop a little easier. I prefer to do the light stroke thing at this time; it just is way too cool and human, if you know what I mean.

             Then you try some fine pointer movement, such as in xpainting or GIMP-ing. Wow! The finest single pixel motion is waiting for you with a touchpad. It is done with a "fingerprint rollover" of a fingertip; just like you get when they throw you in a holding cell at your local ticket giving outlet. You get good traction and positive one-to-one feedback from the pointer with none of that annoying mouse-ball slippage. The finishing touch is the drag and drop, where you can move to your target, take your digit away from the pad surface (the cursor stays put), move it to one edge of the pad, touch down and tap twice to light up the target, and drag your targeted item to its destination. It is just a pleasure to work with a touchpad.

             So that is it. No HOWTO is needed for this seriously fun way to point and click on your screen. Best of all, there is no fiddling with no damn "drivers".

             When your carpal tunnel soreness goes away you may once again be carefree and easy-going at your monitor. Do you suppose that flame wars are due to pain from mousing in addition to the pain in the usual place? Adios from this desktop.

   ---

   gpm note

             The gpm for a two button mouse is gpm -t bare. It also works on gpm -t ms if you want or need three-button emulation.

   ---

   3 button emulation note

             As a three-button mouse emulator, the pad is very nice because the middle pair of left/right switches are about 1 millimeter apart and can easily be pressed together with one finger. The point is that you do not have to make any adjustments from your "regular" mouse setup, which is in /etc/X11/XF86Config in the pointer section. Just plug it in and make it go.

   ---

   rodent protocol

   To see the various rodent protocols, type "man mouse" to see the fine documentation.

   ---

   I was set up!

   XF86Setup is the graphical setter upper for your mouse and X Windows.

   Xconfigurator is the console/xterm setter upper for this same job.

   xf86config is the text based setter upper.-- pick a binary, any binary

   ---

   Reference reading:

   XFree86 HOWTO -- required reading for Linuxians -- see secret video timings

   3-Button-Mouse HOWTO -- you might have fun with this -- prep for surgery

   Loadlin+Win95 mini-HOWTO -- to beat the "DOS only" hardware trick

   "Loadlin.exe Installer", Linux Gazette issue #34, November, 1998 -- step by step

   ---

   
   
   made with Emacs 20.2.1 on an i486 with GNU/Linux 2.0.32

   The word damn is used to emphasize an adamant position and is in no way meant as an affront to sincere readers.

   ---

   Copyright © 1999, Bill Bennet
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   Through the Looking Glass: Finding Evidence of Your Cracker

   By Chris Kuethe

   ---

   You've subscribed to Bugtraq and The Happy Hacker list, bought yourself a copy of The Happy Hacker, and read The Cuckoo's Egg a few times. It's been a very merry Christmas, with the arrival of a cable modem and a load of cash for you, so you run out and go shopping to start your own hacker lab. A week later, you notice that one of your machines is being an especially slow slug and you've got no disk space. Guess what - you got cracked, and now it's time to clean up the mess. The only way to be sure you get it right is to restore from a clean backup - usually install media and canonical source - but let's see what the "h4x0r" left for us to study.

   In late October of this year, we experienced a rash of attacks on some workstations here at the University of Alberta's Department of Mathematical Sciences. Many of our faculty machines run RedHat 5.1 (there's a good platform to learn how to try to secure...) since it's cheap and easy to install. Workstations are often dual-boot with Windows 95, but we'll be phasing that out as we get Citrix WinFrame installed. This paper is an analysis of the compromise of one professor's machine.

   One fine day I was informed that we'd just had another break-in, and it was time for me to show my bosses some magic. But like a skilled cardshark who's forced to use an unmarked deck, my advantage of being at the console had been tainted. Our cracker had used a decent rootkit and almost covered her tracks.

   In general, a rootkit is a collection of utilities a cracker will install in order to keep her root access. Things like versions of ps, ls, passwd, sh, and other fairly essential utilities will be replaced with versions containing back doors. In this way, the cracker can control how much evidence she leaves behind. Ls gets replaced so that the cracker's files don't show up, and ps is done so that her processes are not displayed either. Commonly a cracker will leave a sniffer and a backdoor hidden somwhere on your machine. Packet sniffers - programs that record network traffic which can be configured to filter for login names and passwords - are not part of a rootkit per se, but they are nearly as loved by hackers as a buggered copy of ls. What wouldn't want to try intercept other legitimate user passwords?

   In nearly all cases, you can trust the copy of ls on the cracked box to lie like a rug. Don't bet on finding any suspicious files with it, and don't trust the filesizes or dates it reports; there's a reason why a rootkit binary is generally bigger than the real one, but we'll get there in a moment. In order to find anything interesting, you'll have to use find. Find is a clever version of 'ls -RalF | grep | grep | ... | grep '. It has a powerful matching syntax to allow precise specification of where to look and what to look for. I wasn't being picky - anything whose name began with a dot was worth looking at. The command: find / -name ".*" -ls

   Sandwiched in the middle of a ton of useless temporary files and the usual '.thingrc' files (settings like MS-DOS's .ini) we found '/etc/rc.d/init.d/...'. Yes, with 3 dots. One dot by itself isn't suspicious, nor are two. Play around with DOS for about two seconds and you'll see why: '.' means "this directory" and '..' means "one directory up." They exist in every directory and are necessary for the proper operation of the file system. But '...' ? That has no special reason to exist.

   Well, it was getting late, and I was fried after a day of class and my contacts were drying up, so I listed /etc/rc.d/init.d/ to check for this object. Nada. Just the usual SysV / RH5.1 init files. To see who was lying, changed my directory into /tmp/foo, the echoed the current date into a file called '...' and tried ls on it. '...' was not found. I'd found the first rootkit binary: a copy of ls written to not show the name '...' . I will admit that find is another target to be compromised; in this case it was still clean and gave me some useful information.

   Now that we knew that '...' was not part of a canonical distribution, I moved into to it and had a look. There were only two files; linsniffer and tcp.log. I viewed tcp.log with more and made a list of the staff who would get some unhappy news. Ps didn't show the sniffer running, but ps should not be trusted in this case, so I had to check another way.

   We were running in tcsh, an enhanced C-syntax shell which supports asychronous (background) job execution. I typed './linsniffer &' which told tcsh to run the program called linsniffer in this directory, and background it. Tcsh said that was job #1, with process ID 2640. Time for another ps - and no linsniffer. Well, that wasn't too shocking. Either ps was hacked or linsniffer changed its name to something else. The kicker: 'ps 2640' reported that there were no processes available. Good enough. Ps got cracked. This was the second rootkit binary. Kill the currently running sniffer.

   Now we check the obvious: /etc/passwd. There were no strange entries and all the logins worked. That is, the passwords were unchanged. In fact the only wierd thing was that the file had been modified earlier in the day. An invocation of last showed us that 'bomb' had logged in for a short time around 235am. That time would prove to be significant. Ain't nobody here but us chickens, and none of us is called bomb...

   I went and got my crack-detection disk - a locked floppy with binaries I trust - and mounted the RedHat CD. I used my clean ls and found that the real ls was about 28K, while the rootkit one was over 130K! Would anyone like to explain to me what all those extra bytes are supposed to be? The 'file' program has our answer: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked, not stripped. Aha! So when she compiled it, our scriptkiddie forgot to strip the file. That means that gcc left all its debugging info in the file. Indeed, stripping the program brings it down to 36K, which is about reasonable for the extra functionality (hiding certain files) that was added.

   Remember how I mentioned that the increased filesize is important? This is where we find out why. First, new "features" have been added. Second, the binaries have verbose symbol tables, to aid debugging without having to include full debug code. And third, many scriptkiddies like to compile things with debugging enabled, thinking that it'll give them more debug-mode backdoors. Certainly our 'kiddie was naive enough to think so. Her copy of ls had a full symbol table, and source and was compiled from /home/users/c/chlorine/fileutils- 3.13/ls.c - which is useful info. We can fetch canonical distributions and compare those against what's installed to get another clue into what she may have damaged.

   I naively headed for the log files, which were, of course, nearly as pure as the driven snow. In fact the only evidence of a crack they held was a four day gap. Still, I did find out something useful: this box seemed to have TCP wrappers installed. OK, those must have failed somehow since she got in to our system. On RH51, the TCP wrappers live in /usr/sbin/in.* so what's this in.sockd doing in /sbin? Being Naughty, that's what. I munged in.sockd through strings, and found some very interesting strings indeed. I quote: You are being logged , FUCK OFF , /bin/sh , Password: , backon . I doubt that this is part of an official RedHat release.

   I quickly checked the other TCP wrappers, and found that RedHat's in.rshd is 11K, and the one on the HD was 200K. OK, 2 bogus wrappers. It seems that, looking at the file dates, this cracked wrapper came out the day after RH51 was released. Spooky, huh?

   I noticed that these binaries, though dynamicically linked, used libc5, not libc6 which we have. Sure, libc5 exists, but nothing, and I mean nothing at all uses it. Pure background compatiblity code. After checking the other suspect binaries, they too used libc5. Thats where strings and grep (or a pager) gets used.

   Now I'm getting bored of looking by hand, so lets narrow our search a little using find. Try everything in October of this year... I doubt our cracker was the patient sort - look at her mistakes so far - so she probably didn't get on before the beginning of the month. I don't claim to be a master of the find syntax, so I did this:

   find / -xdev -ls | grep "Oct" | grep -v "19[89][0-7]" > octfiles.txt
   

   In english: start from the root, and don't check on other drives, print out all the file names. Pass this through a grep which filters everything except for "Oct" and then another grep to filter out years that I don't care about. Sure, the 80's produced some good music (Depeche Mode) and good code (UN*X / BSD) but this is not the time to study history.

   One of the files reported by the find was /sbin/in.sockd. Interestingly enough, ps said that there was one unnamed process with a low (76) process id owned by uid=0, gid=26904. That group is unknown on campus here - whose is it? And how did this file get run so early so as to get that low a PID? In.sockd has that uid/gid pair... funky. It has to get called from the init scripts since this process appears on startup, with a consistently low PID. Grepping the rc.sysinit file for in.sockd, the last 2 lines of the file are this:

   #Start Socket Deamon
   exec in.sockd
   

   Yeah, sure... That's not part of the normal install. And Deamon is spelled wrong. Should a spellchecker be included as an crack- detector? Well, RedHat isn't famous for poor docs and tons of typos, but it is possible to add words to a dictionary. So our cracker tried to install a backdoor and tried to disguise it by stuffing it in with some related programs. This adds credibility to my theory that our cracker has so far confined her skills to net searches for premade exploits.

   The second daemon that was contaminated was rshd. About 10 times as big as the standard copy, it can't be up to anything but trouble. What does rsh mean here? RemoteSHell or RootShell? Your guess is as good as mine.

   So far what we've found are compromised versions of ls, ps, rshd, in.sockd, and the party's just beginning. I suggest that once you're finished reading this, you do a web search for rootkit and see how many you can scrounge up and defeat. You have to know what to look for in order to be able to remove it.

   While the log files had been all but wiped clean, the console still had some errors printed on it, quite a few after 0235h. One of these was a refusal to serve root access to / via nfs at 0246h. That coincided perfectly with the last access time to the NFS manpage. So our scriptkiddie found something neat, and she tried to mount this computer via NFS, but she didn't set it up properly. All crackers, I'd say, make mistakes. If they did everything perfectly we'd never notice them and there would be no problems. But it's the problems that arise from their flaws that cause us any amount of grief. So read your manuals. The more thorougly you know your system, the more likely you are to notice abnormalities.

   One of the useful things (for stopping a cracker) about NFS is that if the server goes down, all the NFS clients with directories still mounted will hang. You'll have to 120-cycle the machine to get it back. Hmmm. This presents an interesting tool opportunity: write a script to detect an NFS hack, and if a remote machine gets in, ifconfig that interface off. Granted, that presents a possible denial-of-service if authorized users get cut off. But it's useful if you don't want your workstation getting compromised.

   At this point I gave up. I learned what I'd set out to do - how to find the crap left behind by a cracker. Since the owner of this system had all her files on (removed) removable media there was no danger of them being in any way compromised. The ~janedoe directory was mounted off a Jaz disk which she took home at night, so I just dropped the CD into her drive and reinstalled. This is why you always keep user files on a separate partition, why you always keep backups and why it's a good plan to write down where to get the sources for things you downloaded, if you can't keep the original archives.

   Now that we've accumulated enough evidence and we're merely spirited sluggers pulverizing an equine cadaver, it's time to consider the appropriate response. Similar to Meinel's you-can-get-punched and you-can-go-to-jail warnings in The Happy Hacker, I would suggest that a vicious retaliatory hack is not appropriate. In Canada, the RCMP does actually have their collective head out of the sand. I am not a lawyer, so don't do anything based on these words except find a lawyer of your own. With that out of the way, suffice it to say that we're big on property protection here. Aside from finding a lawyer of your own, my advice here is for you to call the national police, whoever they are. People like the RCMP, FBI, BKA, MI-5 and KGB probably don't mind a friendly phone call, especially if you're calling to see how you can become a better law-abiding citizen. Chances are, you'll get some really good tips, or at least some handy references. And of course you'll know someone who'll help you prosecute.

   My communication with RCMP's Commercial Crimes unit (that includes theft of computing and/or network services) can be summarized as follows: E-mail has no expectation of privacy. You wish email was a secret, but wake up and realize that it's riskier than a postcard. As systems administrator, you can do anything you want with your computer - since it's your responsibility either because you own it or because you are its appointed custodian - so long as you warn the users first. So I can monitor each and every byte all of my users send or receive, since they've been warned verbally, electronically and in writing, of my intent to do so. My browse of the FBI's website shows similar things. But that was only browsing. Don't run afoul of provincial or state laws regulating the interception of electronic communication either.

   NOTE: While I have attempted to make this reconstruction of events as accurate as possible, there's always a chance I might have misread a log entry, or have misinterpreted something. Further, this article is solely my opinion, and should not be read as the official position of my employer.

   Appendix A: Programs you want in a crack-detection kit

   • find, ps, ls, cp, rm, mv
   • gdb, nm, strings, file, strip
   • (GNU)tar, gzip, grep
   • less / more
   • vi / pico
   • tcsh / bash / csh / sh
   • mount
   For security reasons these should all be statically linked.

   Appendix B: References WinFrame:
   http://www.citrix.com/

   RedHat 5.1:
   http://www.redhat.com/
   http://www.rootshell.com/ http://www.netspace.org/lsv-archive/bugtraq.html

   About the filesystem:
   McKusik, M.K., Joy, W.N., Leffler, S.J., Fabry, R.S., "A Fast File System for UNIX" Unix System Manager's Manual, Computer Systems Reseach Group, Berkeley. SMM-14 April 1986

   LEA and Computer Crime:
   http://www.rcmp-grc.gc.ca/html/cpu-cri.htm
   http://www.fbi.gov/programs/compcrim.htm
   

   ---

   Copyright © 1999, Chris Kuethe
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   USENIX LISA Vendor Exhibit Trip Report

   By Paul L. Lussier

   ---

   Thu, 10 Dec 1998
   I went into Boston yesterday, 09 December, for the Vendor Exhibit at the LISA conference. My most immediate and overwhelming feeling was one of major disappointment in myself for not having pushed on my management to send me to this conference :( It looks like it's a really great conference. Alas, I'm trying to be positive and look at it from the point of view of "Why waste a trip to your own backyard that might be better spent traveling elsewhere :)"

   Anyway, the vendor exhibit was fantastic, though my guess is it's only really good for those of us who do hard-core sysadmin'ing for a living. The average Linux enthusiast might have been bored, since it really is nothing more than a lot of vendors hawking their wares (Though *everyone* would have enjoyed all the free stuff :)

   Ironically, the one major vendor who was conspicuously absent was Sun. All the other vendors were there, Network Appliance, Auspex, Compaq (never did see maddog though), IBM, SGI (at least I saw a booth with an INDY in it).

   There were a lot of what I call "Want-Ad" booths to. Collective Technologies (formerly Pencom System Administration), Sprint Paranet, Fidelity, and several other companies there for sole reason of trying to recruit people.

   The Open Source contingent was there in full force with booths for RedHat OpenBSD, The Free Software Foundation, etc. There were several booths from various software companies, most of whom I've heard of, and even several I haven't.

   I spent a lot of time talking to various companies for things directly related to my needs here at work, and got in some personal geek talk re: Linux as well.

   I stopped by the RedHat booth, and was kind of disappointed. They just didn't seem excited to be there. Maybe it was because I keep to much up-to-date on them and they had *absolutely nothing* new to tell me that I didn't already know. I got the distinct impression they were tired of being there. It very well could have been that they wanted to be talking to those who aren't yet converted to Linux yet, but instead kept getting inundated with the RH fan club :) I don't think they've adjusted to be on top of the world yet. I heard someone come by and say, "Hey, we're planning on another 10 RH Linux servers in then month of so!" The RH response, was an un-enthusiastic "Oh, that's cool." As if they had heard the same thing all day long, and really didn't want to hear it anymore. I don't think they knew how to deal with their success. It could also have been that this particular guy was one of the RH developers, not a PR/Marketing person.

   I spoke with a guy at the OpenBSD booth, I think it was Theo de Radt himself. I mentioned I tried to get the latest release from amazon.com last week, which, according to the OpenBSD site, is selling it. Yet amazon doesn't have any mention of 2.4, only 2.3. He basically got really upset at that, mentioning that *they* sent him an e-mail the same day of the 2.4 release announcement stating they had already gotten 170 requests for it. His only response was "Well then fix your web page. You just lost $1700US. They all bought it off the OpenBSD site!" So, needless to say, I'll be getting 2.4 directly from them :)

   There were 3 sw booths I stopped at that really got me intrigued. First there was Aurora Software from Pelham, NH (I think). Their product is called SARCheck. It's for Solaris, and it's a front end reporting mechanism for ps and SAR. Supposedly it assists in performance monitoring and tuning by taking the output of ps and sar, translating it into English, and then making recommendations on what to change, why, and how. I think the sw is $150 per system, not per CPU (this means that I can use it on my 14 processor Sun E4500, and only pay $150). This sounds really good, and I'm hoping to be able play with it real soon.

   The next company was Shpink Software (yes, really!:) . Their product is the Network Shell (nsh). This looks *really, really, really cool*. In short, it's a client/server system where you can 'cd' to a UNC path on another machine. This differs greatly from NFS in that nsh has the ability to *execute commands* on the remote system. For example, say I have 3 systems, a Linux box, an NT box, and a Solaris box. From my Linux system I can:

   	linux> tar cvf //solaris/foo.tar //nt/users
   

   or:

   	linux> cd //solaris/etc
   	linux> vi passwd
   

   Basically, nsh removes the need for rlogin/telnet sessions to a system and provides for heavily encrypted sessions, user/machine ACLs, and many other niceties. The price is incredibly reasonable at $150 per seat. The advised way of using nsh is to set up a limited number of machines as "administration" hosts, and run the server daemon where ever else you need to. Nsh comes with Perl modules to allow access from perl programs, and works on all major versions of Unix/Linux, with the nsh daemon available for W95/NT.

   Now, for the last, but one of the neatest! Spiderplant. This is an environmental monitoring gizmo that can connect to the serial port of any system. In short, you can designate any system as an environment monitoring station and connect this little black box to your serial port. It costs $100 for "The little black box" and 1 probe, $15 extra for each additional probe. The software is Open Source so you can hack it to your heart's content :) Here are the vital stats:

   	      Temperature Range: 
   	            -55/+125 C in 0.1 C. 
   	      Accuracy: 
   	            0.5 C. 
   	      Sensors: 
   	            15 (or more) per device, 16 devices per serial line. 
   	      Data Connection: 
   	            RS-232, 1200 baud, 8,N,1. 
   	            DB9 or DB25 connector to computer. 
   	      Size: 
   	            Main unit measures 3.5" x 2.25" x 1". 
   	            Comes with 14-foot serial cable, 10-foot probe cable. 
   	      Certification: 
   	            Complies with FCC rules part 15
   		    (Class B, for home or office use, US and Canada).
   

   Here are the URLs for the products mentioned:

   	http://www.openbsd.org/
   	http://www.sarcheck.com/
   	http://www.shpink.com/
   	http://www.spiderplant.com/
   	http://www.shpink.com/
   

   Hopefully someone will provide a trip report of the rest of the LISA conference for those of us unfortunate enough to have missed it.

   --
   Paul

   ---

   Copyright © 1999, Paul Lussier
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   "Linux Gazette...making Linux just a little more fun!"

   ---

   X Windows versus Windows 95/98/NT: No contest

   By Paul Gregory Cooper

   ---

   In the December Issue of the Linux Journal Sergio Martinez wrote in asking for a (quick) article about the differences between X and Windows 95/98/NT (w95) -- see below. This is my attempt to answer his questions - I remember asking similar things when I started using UNIX 4 years ago. [More answers can be found in the 2 Cent Tips Column. --Editor] I've tried to aim this article at the 'Linux newbie' and as I am not an X hacker, and never been a w95 hacker, there may well be inaccuracies, but I have tried to capture the ideas and spirit of X (and w95, such as it has any). I would be pleased to hear from Xperts and newbies alike.

   Sergio has asked questions relating to GNOME and KDE and for the most part I treat them as equivalent (in the same way I'm treating all window managers as equivalent). I should state now that I prefer using GNOME over KDE, irrespective of the ongoing KDE / Open Source debate, hence I have more experience in GNOME than in KDE. This too may lead to inaccuracies.

   Mail criticisms to pgc@maths.warwick.ac.uk.

   ---

   This is Sergios mail;

   I'm just writing in with an idea for a quick article. I've been using the GNOME desktop. I'm a relative Linux newbie though, and I think that many of your less experienced readers could probably benefit from a short article about window managers. These are some things I currently don't quite understand:

   1.Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows?

   2.Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows?

   3.What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it?

   4.What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do?

   5.How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use?

   6.What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source?

   These are some questions that might make an enlightening, short article. Thank you for your consideration.

   -- Sergio E. Martinez

   ---

   Before I try to answer each point I'll try to give a quick intro into X-windows.

   Think of X as just another program. When you type startx what happens is that X starts (shock!), in the background, and runs the .xinitrc file. The .xinitrc tells X what programs to start once X itself has started - more on this later. (Some systems use the .Xclients file instead of .xinitrc - I'll just use .xinintrc).

   So X is just another program but what does it do? Roughly speaking X takes control of the screen from the command line and provides the system with the ability to create windows and communicate with them. Basically that's ALL it does - decorating, moving, resizing, focus, etc, (i.e. managing the windows X provides) is left to the window manager.

   What's clever about X is uses a client/server model and is network transparent. This is a bunch of jargon - what does it mean?

   When you type startx you are starting the X-server, when you run an 'X-application', e.g. netscape, this is a client to which the X-server gives a window. Similarly xterm is an X-app which puts the command line in a window.

   Network transparency doesn't mean much if you're not networked so let's suppose the computer you started X on is called fourier and is networked. Now a program on any computer on the network can ask the X-server on fourier to start a window for it (on fourier), for instance from fourier you could telnet to cauchy (another computer on your network) and run netscape and have the netscape window appear on your screen (connected to fourier).

   In fact it works the other way round too - an X-server can have many screens (or, as it calls them, displays) connected to it at once - all different - and those screens can be at the other end of a network. This goes back to (one of) the original design purpose(s) of X which was for X-terminals, i.e. things that looked like a computer but were no more than a screen, some memory, a bios, and a network card connected to one (or many) UNIX mainframe(s). See this page for details of how to turn old 386/486's into xterminals.

   1.Terminology: The differences (if any) among a GUI, a window manager, a desktop, and an interface. How do they differ from X windows?

   Ok, so we have more jargon - I hope I get this right ;-). An interface is the way in which a piece of software interacts with the user. Unix commands use a command line interface (CLI) whereas X-applications use a graphical user interface (GUI). However different applications tend to use different approaches to the GUI, for instance when you select a menu does one click bring the menu up (e.g. netscape) or do you have to hold the mouse button down (e.g. ghostview). What GNOME, KDE, and w95 try to provide a consistent GUI amongst all applications, or at least amongst the common parts of applications, e.g. menus, file selection, window controls, scrollbars, etc. See the GUI hall of fame/shame for examples of good/bad GUI design (in windows environment).

   As was mentioned above a window manager takes over where X leaves of - that is, controlling the windows X gives it. Window managers usually give you alot more that the just the ability to move, resize, or iconify windows. Many also provide virtual desktops, taskbars, themes, app managers, etc. See Window managers for X for a list of most, if not all, wm's.

   Desktop has (as far as I can tell) two usages. We use 'the desktop' to refer to the background part of the screen. GNOME, KDE, W95, and MacOS all 'provide a desktop' meaning the background is more that just a canvas for a nice picture - it acts like any directory in the system. Technically all this means is that you can place files onto it. However these may be data (like a letter to gran) or programs, (e.g. netscape, emacs, etc). Usually this 'background as directory' philosophy is coupled with a graphical file manager, so that when you (double) click on a file either it runs (if it's a program) or a suitable program is started to read the data in the file. In this context 'desktop' can also include a GUI, so that when people say that all Linux/UNIX is missing is a 'desktop' what they mean is a consistent design of common parts of programs, a graphical file manager, and the ability to leave files littered on the desktop ;-)

   2.Do all window managers (like GNOME or KDE or FVWM95) run on top of X windows?

   I like to think of the window manager, fvwm95, window maker, etc, and the desktop, GNOME or KDE, as running in conjunction with X - but this is just semantics. The window manager and/or desktop is started (in the .xinitrc file) after X has started.

   The traditional (i.e. pre KDE/GNOME) setup of .xinitrc (after some environment settings) is to have some xterms and a window manager, so the last lines of the .xinitrc might look like;

   xterm &
   xterm &
   fvwm95
   

   The window manager is the last thing started by .xinitrc and when the wm exits, .xinitrc finishes and then X terminates.

   If you were using GNOME the last few lines of the .xinitrc would now be;

   fvwm95 &
   gnome-session
   

   And for KDE it would be;

   startkde
   

   As before GNOME (KDE) are the last things started by .xinitrc and so when you logout of GNOME (KDE) the gnome-session (startkde) termintes, .xinitrc finishes, and then X terminates.

   In both these examples the xterms are left out as GNOME and KDE provide sessions management, which means any application left running when the session ends get started when you startup the next time. Windows has some session management too.

   See the next answer as to why the window manager is started for GNOME but not for KDE.

   3.What exactly does it mean for an application to be GNOME or KDE aware? What happens if it's not? Can you still run it?

   AFAIK an application is a GNOME (KDE) application of it conforms to the GNOME (KDE) GUI guidelines/specifications and uses the Gtk+ (qt) libraries. All this means is that GNOME apps use Gtk+ to build menu's, buttons, scroll bars, file selectors, etc and they do so in a consistent way (as defined by the GNOME team), e.g. all menus are left justified, all apps have a FILE menu as the left-most menu, etc. Same for KDE except they use the qt library by Troll Tech (and possibly a different set of design guidelines).

   Any GNOME app will run provided you have Gtk+ (and the other GNOME libraries) installed and similarly any KDE app will run so long as you have qt (and other KDE libraries) installed - you do not have to be running GNOME/KDE to use a GNOME/KDE application. The only other additional thing GNOME/KDE apps may have is drag and drop awareness, e.g. in GNOME you can drag a JPG from a GMC (file manger) window into an ElectricEyes (graphics viewer) window and ElecticEyes will display this file. You can do similar things in KDE.

   GNOME and KDE have different attitudes to window managers. KDE prefers to work with its own window manager Kvm, and GNOME is 'window manager agnostic' - well those are the 'party lines'. You can get other wm's to work with KDE (so I'm told) and GNOME should work with any wm but prefers to work with a window manager that is ICCCM compliant and 'GNOME aware'. I'm not sure what this means but I know the only totally compliant wm is Enlightenment DR0.15 (which is only available through CVS at the moment) followed by icewm, and with blackbox and windowmaker a little way behind. I think that the KDE team are working towards making KDE less dependent on Kvm and defining what a KDE wm should be.

   4.What exactly do the GTK+ (for GNOME) or Troll (for KDE) libraries do?

   Whoops - I think I answered this above. Gtk+ and qt are toolkits for building menu's, buttons, scrollbars, dialog boxes, and loads more.

   5.How does the history of Linux (or UNIX) window managers compare to that of say, the desktop given to Win98/95 users? How, specifically, does Microsoft limit consumer's choices by giving them just one kind of desktop, supposedly one designed for ease of use?

   I'm not sure I understand this question let alone know how to answer it, so instead I'll answer what I think you might be asking which is; What's the difference between UNIX + X and W95/98/NT.

   The first thing to point out is the component nature of the UNIX approach to a GUI/Desktop. First we have the OS itself, in our case Linux, on top of that we have the window system, X, and in conjunction with that we have the window manager, fvwm (for example), and in conjunction with these two we have the desktop/gui, either GNOME or KDE. This follows the general philosophy of UNIX which is to build small tools that interact which each other in well defined ways. It may seem shambolic but it is a strength. It means that one or other of the pieces can be interchanged, which gives the user lots of choice (perhaps too much), and also allows for technological improvements. For instance X is just one windowing system and may not last forever (gasp!) There are others, e.g. the hungry programmers Y.

   This also gives the user the choice of which window manager or desktop to use, or in fact whether to use windows and desktops at all - it may seem strange but some people prefer the command line, and others use X and a window manager but don't like GNOME or KDE.

   Windows95/98/NT on the other hand is a different kettle of fish. Here the OS, GUI, WM, and desktop aren't clearly separated (as in UNIX) but are all rolled into one. Thus you have whatever choice Microsoft happen to give you, i.e. windows themes.

   For Microsoft this is an advantage - it stops people butting in and rewriting parts of their OS which could potentially lose them money. For instance they realized that with the old windows 2/3.1 you could simply replace MS DOS with another compatible DOS such as DR DOS from Caldera. In an ongoing court case Caldera allege that MS added code to windows to make it seem like there was a bug in DR DOS. With 9*/NT being all rolled in one there is no need to resort to such tactics.

   IMO the W95 desktop is inferior because the user is limited to one design whereas on a linux system there is a wm + desktop to suit just about everybody (including those that don't want either a wm or a desktop).

   6.What's happening with Common Desktop Environment? Is it correct that it's not widely adopted among Linux users because it's a resource hog, or not open source?

   It's not widely adopted because it is commercial, not open source, a resourse hog, has security problems (RedHat stopped selling it for this reason), and is IMHO outdated.

   ---

   Copyright © 1999, Paul Gregory Cooper
   Published in Issue 36 of Linux Gazette, January 1999

   ---

   

   ---

   

   Copyright © 1999 Specialized Systems Consultants, Inc.
   For information regarding copying and distribution of this material see the Copying License.

   ---

   Contents:

   • About This Month's Authors
   • Not Linux

   ---

   About This Month's Authors

   ---

   Hassan Ali

   Hassan is a Ph.D. degree holder in numerical techniques applied to electromagnetics from the University of Ottawa, Canada. He is presently working with NORTEL NETWORKS in Ottawa, Canada, as a specialist in software tools used to predict signal integrity, and electromagnetic compatibility (EMC) on printed circuit boards. Having been introduced to Linux by a friend about 2 years ago, he has never stopped having fun with it. Hassan loves to write about whatever little he knows about for others to learn or to correct him.

   Larry Ayers

   Larry lives on a small farm in northern Missouri, where he is currently engaged in building a timber-frame house for his family. He operates a portable band-saw mill, does general woodworking, plays the fiddle and searches for rare prairie plants, as well as growing shiitake mushrooms. He is also struggling with configuring a Usenet news server for his local ISP.

   Bill Bennet

   Bill, the ComputerHelperGuy, lives in Selkirk, Manitoba, Canada; the "Catfish Capitol of North America" if not the world. He is on the Internet at www.chguy.net. He tells us "I have been a PC user since 1983 when I got my start as a Radio Shack manager. After five years in the trenches, I went into business for myself. Now happily divorced from reality, I live next to my Linux box and sell and support GPL distributions of all major Linux flavours. I was a beta tester for the PC version of Playmaker Football and I play `pentium-required' games on the i486. I want to help Linux become a great success in the gaming world, since that will be how Linux will take over the desktop from DOS." It is hard to believe that his five years of university was only good for fostering creative writing skills.

   John Blair

   John currently works as a software engineer at Cobalt Microserver. When he's not hacking Cobalt's cute blue Qube, he's hanging out with his wife Rachel and newborn son Ethan. John is also the author of Samba: Integrating UNIX and Windows, published by SSC.

   Bryan Patrick Coleman

   Bryan attends the University of North Carolina at Greensboro where he is persuing a B.S. in both Computer Science and Anthropology. He has been involved with Linux since 1994 kernel?, and helped found the Triad Linux Users Group located in central North Carolina. His future plans are for a PhD in computer science and a career where he can use Linux.

   Paul Cooper

   Paul is a Ph.D. student at the Mathematics Institute Warwick university. To help finance his studies he also works in the dept. computer support team, mostly writing documentation. His main interest outside of Maths and Linux, is American Football, in particular playing for the university team, the Warwick Wolves.

   Jurgen Defurne

   Jurgen is an Analyst/programmer in financial company (Y2K and Euro). He became interested in microprocessors 18 years ago, when my eyes saw the TRS-80 in the Tandy (Radio Shack) catalog. I read all I could find about microprocessors, which was then mostly confined to 8080/8088/Z80. The only thing he could do back then was write programs in assembler without even having a computer. When he was 18, he gathered enough money to buy his first computer, the Sinclair ZX Spectrum. He studied electronics and learned programming mostly on his own. He worked with several languages (C, C++, xBase/Clipper, Cobol, FORTH) and several different systems in different areas: programming of test equipment, single- and multi-user databases in quality control and customer support, and PLCs in an aluminium foundry/milling factory.

   Jim Dennis

   Jim is the proprietor of Starshine Technical Services. His professional experience includes work in the technical support, quality assurance, and information services (MIS) departments of software companies like Quarterdeck, Symantec/ Peter Norton Group, and McAfee Associates -- as well as positions (field service rep) with smaller VAR's. He's been using Linux since version 0.99p10 and is an active participant on an ever-changing list of mailing lists and newsgroups. He's just started collaborating on the 2nd Edition for a book on Unix systems administration. Jim is an avid science fiction fan -- and was married at the World Science Fiction Convention in Anaheim.

   Vivek Haldar

   Vivek is a third year BTech student at the Indian Institute of Technology, and has been using Linux for the past two years, both at home and college.

   Ron Jenkins

   Ron has over 20 years experience in RF design, satellite systems, and UNIX/NT administration. He currently resides in Central Missouri where he will be spending the next 6 to 8 months recovering from knee surgery and looking for some telecommuting work. Ron is married and has two stepchildren.

   Chris Kuethe

   Chris is a system administrator at the University of Alberta's Mathematics Department. A little on the paranoid side, his main interests are in security and cryptography. Still a student, his plans include graduate work in Computing Science and moving to warmer lands.

   Gustavo Larriera

   Gustavo teachs database courses at Universitario Autonomo del Sur (Montevideo, Uruguay). He is also the webmaster of the only official mirror site of Linux Gazette in his country [http://www.silab.ei.edu.uy/lg/]. He is a Linux average user and also a Microsoft Certified Professional in NT. He hopes that is not considered a great disadvantage :-)

   Joe Merlino

   Joe Merlino is a library assistant at Georgia Tech. He lives with his wife in Athens, Georgia. Consequently, he spends a lot of time in the car, where he thinks up projects to try on his linux box.

   ---

   Not Linux

   ---

   Thanks to all our authors, not just the ones above, but also those who wrote giving us their tips and tricks and making suggestions. Thanks also to our new mirror sites.

   With the Holidays, I took a week vacation to go back to Houston and visit family and friends. I had a wonderful time. My grandchildren are smarter and more beautiful each time I see them. I have a new picture of Sarah and Rebecca on my home page.

   My best friend, Benegene, had arranged for a get together with three friends from our university (Baylor) days. We had a lot of fun catching up and talking about old times. It was amazing how different the memories were that stood out in each of our minds. Only goes to prove that what one person finds remarkable may be quite "ho hum" to the next. Ah well, it was a good evening and one I hope will be repeated.

   Have fun!

   ---

   Marjorie L. Richardson
   Editor, Linux Gazette, gazette@ssc.com

   ---

   

   ---

   Linux Gazette Issue 36, January 1999, http://www.linuxgazette.com
   This page written and maintained by the Editor of Linux Gazette, gazette@ssc.com