July 2008 (#152):

• Mailbag
• Talkback
• 2-Cent Tips
• News Bytes, by Deividson Luiz Okopnik and Howard Dyckoff
• Review of the Plat'Home OpenBlockS, by Ben Okopnik
• Apertium: Open source machine translation, by Jimmy O'Regan
• Joey's Notes: Access Control Lists, by Joey Prestia
• Wireless Configuration for Desktops, by Muthaiah Ramanathan
• A Slightly Advanced Introduction to Vim, by Pranesh Srinivasan
• HelpDex, by Shane Collinge
• Ecol, by Javier Malonda
• XKCD, by Randall Munroe

Mailbag

This month's answers created by:

[ Sayantini Ghosh, Amit Kumar Saha, Ben Okopnik, Joey Prestia, Kapil Hari Paranjape, René Pfeiffer, Neil Youngman, Paul Sephton, Rick Moen, Thomas Adam, Thomas Bonham ]
...and you, our readers!

---

Gazette Matters

---

LG server is down...

Ben Okopnik [ben at linuxmafia.com]

Sun, 1 Jun 2008 11:33:22 -0700

...and it's quite the story. Not because of us specifically, but because theplanet is such a huge data center - i.e., it's causing a huge outage all over the place.

To quote Doug Erwin of theplanet (issued at 10:46 PM, May 31 2008):

   This evening at 4:55pm CDT in our H1 data center, electrical gear
   shorted, creating an explosion and fire that knocked down three walls
   surrounding our electrical equipment room. Thankfully, no one was
   injured. In addition, no customer servers were damaged or lost.
   
   We have just been allowed into the building to physically inspect the
   damage. Early indications are that the short was in a high-volume wire
   conduit. We were not allowed to activate our backup generator plan based
   on instructions from the fire department.
   
   This is a significant outage, impacting approximately 9,000 servers and
   7,500 customers. All members of our support team are in, and all vendors
   who supply us with data center equipment are on site. Our initial
   assessment, although early, points to being able to have some service
   restored by mid-afternoon on Sunday. Rest assured we are working around
   the clock.

Our publication process is rolling on regardless of this, of course. In principle, we should be back up pretty much as soon as theplanet is. For the moment, if anyone needs to contact me, I'll be monitoring this linuxmafia.com address.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://linuxgazette.net *

[ Thread continues here (6 messages/4.61kB) ]

---

small request for the editor

Ben Okopnik [ben at linuxgazette.net]

Tue, 10 Jun 2008 22:44:31 -0400

Hi, Nicola -

On Mon, Jun 09, 2008 at 09:28:54PM +0200, nicola giacobbe wrote:

> Hello,
> I have just discovered your webzine (it is that the name?), it is fresh  
> and full of nice goodies and I am eager to get all past issues. Of course  
> they are available but just downloading it without a thanks or a hug  
> seemed rather rude.

Actually, we make them available for exactly that purpose; we even have a repository with all the issues compressed into tarballs for downloading.

http://linuxgazette.net/ftpfiles/

> Are you willing to sell them on DVD for a nominal sum (let's say $10+S&H)?  

Nope - it's all free!

> Or is there any other way to even your good job?
> Just let me know...

Nicola, you've just "paid". Thank you for your considerate question, and you're more than welcome. I hope you enjoy reading LG!

Best regards,

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

---

Our Mailbag

---

U.S. sanctions-compliant Linux

Simon Lascelles [simon.lascelles at rems.com]

Thu, 26 Jun 2008 17:38:51 +0100

We are looking for a version of Linux we can use legally in Syria. Do you know of a list of all Linux variants and their country of origin or do you know of a variant that is export compliant?

-- 
Simon Lascelles 
Managing Director
REMS International
 
Email:  <blocked::mailto:simon.lascelles@rems.com> simon.lascelles@rems.com
Web Site:  <http://www.rems.com/> http://www.rems.com/
Mobile: 07956 676112
Telephone: 01727 848800

Yahoo: rems25x8@yahoo.com

Mobile communications are changing the face of business, and organisations that deploy mobile solutions will reap the greatest competitive advantage

_________________________________________________

[ Thread continues here (10 messages/35.63kB) ]

---

Spam Prevention by Enforcing Standards

Rick Moen [rick at linuxmafia.com]

Wed, 11 Jun 2008 20:51:25 -0700

Recently received Chez Moen, and I replied back saying it's indeed an astute and elegant idea, which I might very well adopt for my own domains. (In the absence of an MX = mail exchanger record in the DNS for a mail-receiving machine on the Internet, RFC 2821 specifies that the sending host should fallback on the "A" = forward lookup record, instead. This was also true with the original SMTP-defining RFC, RFC 821.)

And, in case anyone is wondering, Gokhan Gucukoglu's name is Turkish. He seems to be based in the UK, and is one of those protean characters active broadly across free / open source software, just to make the rest of us look bad by comparison. ;->

----- Forwarded message from Sabahattin Gucukoglu <mail@sabahattin-gucukoglu.com> -----

Date: Wed, 11 Jun 2008 09:48:55 +0100
From: Sabahattin Gucukoglu <mail@sabahattin-gucukoglu.com>
To: rick@linuxmafia.com
Subject: Spam Prevention by Enforcing Standards

Hi,

I notice that linuxmafia.com has just one MX, linuxmafia.com. See RFC 2821 section 5: remove your MX record; there is an implicit MX rule. Good MTAs know it, most spammers, their spamware, their agents, etc, etc, still don't. It's a great little trick and is doing me bloody wonders. (It may on very, very rare occasions break mailers which insist that there be an MX record when you issue MAIL FROM linuxmafia.com; such mailers are broken and you really don't want to talk to them anyway .)

(If you wonder why I noticed at all, it's your multiline greeting.)

Cheers, Sabahattin

-- 
Sabahattin Gucukoglu <mail<at>sabahattin<dash>gucukoglu<dot>com>
Address harvesters, snag this: feedme@yamta.org
Phone: +44 20 88008915
Mobile: +44 7986 053399
http://sabahattin-gucukoglu.com/

[ Thread continues here (13 messages/28.27kB) ]

---

Cron Sandbox

dar ksyte [dksyte at googlemail.com]

Tue, 17 Jun 2008 10:09:21 +0100

Google brought me to you. You might be interested in this new resource for experimenting with crontab commands.

For most of us, setting up a new cron job is not something we do every day. So we can easily forget the details.

Cron Sandbox at HxPI offers an opportunity to play with the crontab scheduling commands in safety.

Type in the 'm h D M Dw' parameters and see a calendar of job execution times/dates.

http://www.hxpi.com/cron_sandbox.php

Regards

Dar Ksyte

[ Thread continues here (9 messages/8.87kB) ]

---

For users of RMAIL in Emacs, how do you deal with spam messages?...

don warner saklad [don.saklad at gmail.com]

Fri, 30 May 2008 08:51:32 -0400

For users of RMAIL in Emacs, how do you deal with spam messages?...

Not all messages appear with SpamAssassin headers.

[ Thread continues here (6 messages/5.86kB) ]

---

Followup: Using Ubuntu 8.04 on Notebook?

Amit k. Saha [amitsaha.in at gmail.com]

Fri, 30 May 2008 08:47:27 +0530

On Mon, May 19, 2008 at 9:54 PM, Amit k. Saha <amitsaha.in@gmail.com> wrote:

> Hi Ben,
>
> On Sun, May 18, 2008 at 9:56 PM, Ben Okopnik <ben@linuxgazette.net> wrote:
>> On Sun, May 18, 2008 at 02:51:36PM +0530, Amit k. Saha wrote:
>>> Hello all,
>>>
>>> I have installed Ubuntu 8.04 (32-bit) beta on my 32-bit notebook and
>>> the Ubuntu 8.04(64-bit) on a friend's 64-bit laptop. I am using Acer
>>> laptops.
>>>
>>> In both cases, using the touchpad to click (single/double-click) is
>>> pretty troublesome and needs a rather "hard" hit on the pad. I have
>>> tried setting the mouse preferences similar to the one on Ubuntu 7.04
>>> (which I use), but to no avail.

I upgraded to the final release of Ubuntu 8.04 and things are fine now!

-Amit

-- 
Amit Kumar Saha
http://amitksaha.blogspot.com

---

Query on linux source code

Tue, 17 Jun 2008 17:37:55 +0930

Hi Guys,

I was finally able to do the compilation process. Thanks for the help.

Another question:

1. I am using a tcpdump network sniffer to capture packets of the tcp header. I wanted to analyze a specific variable like smoothed rtt (srtt). I already changed the header file to include this new srtt variable into the option side of the tcp.h header file and also change the tcp_input.c source code to incorporate the said variable into the options side. I am confused whether tcp_input.c is the correct code to change since tcp_output.c and tcp.c is also in the linux kernel code. I am also confused how to output this new srtt variable into the tcp header so as to be captured by the tcpdump and be seen in the tracefiles.

Is there a specific function in the code to be manipulated to do the task? Any help would be appreciated.

Thank you very much in advance.

Cheers,

Dom

[ Thread continues here (2 messages/2.96kB) ]

---

C++'s cout and hexadecimal output

René Pfeiffer [lynx at luchs.at]

Thu, 26 Jun 2008 01:16:04 +0200

Hello, Gang!

I am trying to compute a SHA1 hash inside a C++ program without linking to additional libraries. There are some SHA1 code snippets around and they seem to work. So far so good. In order to compare SHA1 sums it's nice to have them in hexadecimal representation. The SHA1 code I used holds the sum in a byte array which is basically an array of unsigned chars. Creating hexadecimal output can be done as follows:

// Filename:  hex_output.cc - cout test firing range
 
#include <iomanip>
#include <ios>
#include <iostream>
 
#include <stdlib.h>
 
using namespace std;
 
int main(int argc, char **argv) {
    unsigned char array[10];
    unsigned short i;
 
    // An array with a French accent (sorry, SCNR)
    array[0] =3D 'A';
    array[1] =3D 'L';
    array[2] =3D 'L';
    array[3] =3D 'o';
    array[4] =3D ' ';
    array[5] =3D 'O';
    array[6] =3D 'r';
    array[7] =3D 'l';
    array[8] =3D 'd';
    array[9] =3D '!';
    for( i=3D0; i<10; i++) {
        cout << hex << setfill('0') << setw(2) << nouppercase << array[i];
    }
    cout << endl << endl;
    return(0);
}

Unfortunately this outputs: 0A0L0L0o0 0O0r0l0d0!

As soon as I change the cout line to

cout << hex << setfill('0') << setw(2) << nouppercase << (unsigned short)array[i];

it works and produces: 414c4c6f204f726c6421

It's late and I still lack my good night coffee, but why is that? I didn't expect this behaviour.

Best, René.

[ Thread continues here (4 messages/5.91kB) ]

---

kernel header modification

Wed, 11 Jun 2008 15:23:44 +0930

Good day!

I am adding new variables to the tcp header(tcp.h) of the linux kernel and reflect this changes to the source code .Kindly shed light to my confusions below:

1. Do I have to recompile the whole kernel to reflect the changes in the header files and source code(i.e., tcp.c, tcp_input.c, etc)?

2. If so, what are the necessary steps involved( i.e., re-compile process) to reflect the new variables I added to the header file and the source codes?

3. Thank you very much in advance for the support.

Cheers,

Dom

[ Thread continues here (6 messages/7.81kB) ]

---

BLOCKSIZE unset by default

Mahesh Aravind [ra_mahesh at yahoo.com]

Sat, 21 Jun 2008 08:25:02 -0700 (PDT)

Dear TAG,

I was playing around the command line (learning), and I came across df(1) reporting block size in "1k-blocks". But my dumpe2fs(8) says the block size is 4096 (4K). Shouldn't it be doing thus by default?

It seems this is filed as a Bug under Ubuntu (Bug #180415).

One suggestion is for the install program to calculate the blocksize at install time, and put it somewhere safe (immutable). Like 'export BLOCKSIZE=<whatever>' in /etc/profile.

I also saw that adding ' (apostrophe) before the block size will yield you a digit separator -- cool, eh?

I did:

BLOCKSIZE="'4096" ls -l
           ^ <- see this?

and it gave me size figures separated by commas!

My $LANG is en_IN.UTF-8

YMMV

Regards,

Mahesh Aravind

[ Thread continues here (8 messages/8.55kB) ]

---

Spammy Job Offer

Ben Okopnik [ben at linuxgazette.net]

Wed, 28 May 2008 19:15:41 -0400

[[[ This had some other Subject line when the spammer sent it out. I chose to replace it with something more accurate. -- Kat ]]]

On Tue, May 27, 2008 at 03:03:29PM -0600, XXXX XXXXXX wrote:

> 
> Hello,
> 
> My customer located in West Austin is searching for a recent graduate
> that has significant academic / internship experience with embedded
> software development.  They seek someone with C programming experience
> in a Linux / QNX environment.
> 
> If you or someone you know qualified, please call me or have them call me directly.
> 
> My number is XXX-XXX-XXXX

Thanks for letting us know... that you're a spammer. I will not, for the moment, report you to the Federal Trade Commission's "spam@uce.gov", the FBI's Internet Fraud Complaint Center, or your state's attorney - but that's only because this is the first time you've done this here. For now, I'll grant you the courtesy of believing you to be completely clueless and ignorant rather than assuming that you knowingly violated Texas law (http://www.spamlaws.com/state/tx.shtml) as well as your network provider's Acceptable Use Policy.

I have, however, blocked you from this mailing list. Have a pleasant day.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

[ Thread continues here (18 messages/30.46kB) ]

---

You have 6 messages, 1 add friend request

Terence Timburwa [invitation at ASPAMMERNETWORK.invalid]

Wed, 4 Jun 2008 10:12:08 +0100

Terence Timburwa has added you as a friend on [a spammer network]

[[[ Rest of the message with all the spammy splendor of bogus claims of "you have 6 messages" and "click here to remove" "click here for this" "click here for that" removed. -- Kat ]]]

[ Thread continues here (4 messages/2.72kB) ]

---

How to refine a spam delete technique for beginners, emphasis on beginner.

don warner saklad [don.saklad at gmail.com]

Thu, 12 Jun 2008 00:07:32 -0400

What other hints, tips or pointers are there with RMAIL in Emacs?... about how to refine a spam delete technique for beginners, emphasis on beginner.

For example...

. by using
     C-c C-s C-s
     C-c C-s C-L
 
. by using
     Esc C-s rolex
     Esc C-s viag
     Esc C-s pharm
     and so forth
  and referring to charts at
  http://www.barracudacentral.com/index.cgi?p=spam
             online pharmacies
             replica products
             other spam
             illegal advertising
             casino and gaming
             software sales
             spam insurance
             credit and debt relief
             bank phishing
             job offers
 
. or ...?
     ...?

For beginners with dotfile and programming skills below minimal, if at all !

---

Terence Timburwa added you as a friend on $$$$...

Rick Moen [rick at linuxmafia.com]

Wed, 11 Jun 2008 19:38:12 -0700

Quoting Terence Timburwa (first_reminder@THATANNOYINGSPAMMERNETWORK.INVALID):

> Dear tag, 
> Terence Timburwa

[[[ There was more to this, but I've stripped it out. -- Kat ]]]

That's funny: I'd already permanently consigned to the outer darkness the domain that sent us this rubbish last month, but neglected to do likewise with two other variants. I'm attending to that oversight, now.

---

Apache -- Redirect if found this "Regex"

Smile Maker [britto_can at yahoo.com]

Thu, 19 Jun 2008 04:05:20 -0700 (PDT)

Folks:

I have recently upgraded all of my jsp's to php's and pointed my rr to the new server. But for the backward compatibility How do i say to apache "if it finds request for any "jsp " go to this php page"

-- 
Britto

[ Thread continues here (8 messages/5.55kB) ]

---

tcp.c and tcp_input inquiry

Fri, 30 May 2008 12:13:58 +0930

Hi guys,

Good day!

I am currently doing my phd in telecommunications working on tcp. I found the document tcp_input.c and tc.c source code document at a website but browsing through my kernel, I cannot find the source codes mentioned. Thus, this inquiry.

It would be appreciated if you can kindly help me on my questions since I am new to tcp.

1. I am using fedora core6 linux and I cannot find the file tcp_input.c and tcp.c in the kernel. Where can I find this code in the kernel since I need to do some modification on the tcp header as part of my thesis?

2. What are the steps in inserting an estimated value into a kernel variable?

I have already visited the linux kernel faq and I cannot find the answer to my questions ( or maybe I need to browse more). I hope you can shed light on the above queries. Thank you very much in advance.

Cheers,

Dom Ignacio

[ Thread continues here (11 messages/13.96kB) ]

---

Searching for multiple strings/patterns with 'grep'

Amit k. Saha [amitsaha.in at gmail.com]

Mon, 23 Jun 2008 11:52:44 +0530

Hello TAG,

I have a text file from which I want to list only those lines which contain either pattern1 or patern2 or both.

How to do this with 'gre'p?

Assume, file is 'patch', and 'string1' and 'string2' are the two patterns.

The strings for me are: 'ha_example' and 'handler'- so I cannot possibly write a regex for that.

Thanks, Amit

-- 
Amit Kumar Saha
http://blogs.sun.com/amitsaha/
http://amitksaha.blogspot.com

[ Thread continues here (3 messages/2.70kB) ]

---

Talkback: Discuss this article with The Answer Gang

Talkback

Talkback:123/smith.html

[ In reference to "A Short Tutorial on XMLHttpRequest()" in LG#123 ]

Jimmy O'Regan [joregan at gmail.com]

Mon, 2 Jun 2008 23:11:51 +0100

I was trying to remember how to use XMLHttpRequest, and just wanted to pop a note to say thanks for a useful article!

One thing: if you're trying to test something offline, Firefox will disallow any open() requests (to try to prevent XSS). http://www.captain.at/howto-ajax-permission-denied-xmlhttprequest.php has some details about it.

Or, better yet, here's the test page I was using (the rest of 'base' is 'webservice/ws.php' - I don't think Apertium's server is quite up to widespread use of the webservice yet):

<html>
<head>
<title>Translate as you type</title>
 
<script language=javascript type="text/javascript">
<!--
var base = "http://xixona.dlsi.ua.es/"
 
var http_request;
function GetTranslation(dir, data) {
 
	// For offline testing:
	// (see: http://www.captain.at/howto-ajax-permission-denied-xmlhttprequest.php)
	//try {
	//	netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
	//} catch (e) {
	//	alert("Permission UniversalBrowserRead denied.");
	//}
 
	if (window.XMLHttpRequest) {
		http_request = new XMLHttpRequest();
	} else if (window.ActiveXObject) {
		http_request = new ActiveXObject ("Microsoft.XMLHTTP");
	}
 
	if (!http_request) {
		alert ("Cannot create XMLHttpRequest instance");
		return false;
	} else {
		var url = base + "?mode=" + dir + "&text=" + escape(data);
		//alert(url);
		http_request.abort();
		http_request.onreadystatechange = GetAsync;
		http_request.open("GET", url, true);
		http_request.send(null);
	}
}
 
function GetAsync() {
	if (http_request.readyState != 4 || http_request.status != 200) {
		return;
	}
 
	document.getElementById("translation").innerHTML=
		http_request.responseText;
	//alert(http_request.responseText);
	setTimeout("GetAsync()", 100);
	return;
}
// -->
</script>
</head>
 
<body>
<!-- direction hardcoded -->
<textarea id="input" onkeyup='GetTranslation("en-es",
document.getElementById("input").value)'>
</textarea>
 
<p id="translation"></p>
 
</body>
</html>

---

Talkback:151/lg.tips.html

[ In reference to "/lg.tips.html" in LG#151 ]

Thomas Bonham [thomasbonham at bonhamlinux.org]

Thu, 29 May 2008 05:02:49 -0700

Ben Okopnik wrote:

> On Tue, May 27, 2008 at 03:41:01PM -0700, Thomas Bonham wrote:
>   
>> Hi All,
>>
>> Here is a 2 cent tip which is a  little Perl script for looping through 
>> directory's.
>>     
>
> Why not just use 'File::Find'? It's included in the default Perl
> install, and is both powerful and flexible.
>
> ```
> use File::Find;
>
> find(sub { do_whatever_you_want_here }, @directories_to_search);
> '''
>
> For more info, see 'perldoc File::Find'.

Perl File::Find didn't have everything that I want to be able to do this function. I was not just trying to find files with this but also was try to find items that was in different directory's.

When looking around on the internet for that I want to do everything thing that I was able to find said not to use file::find because it wasn't powerful enough for that I was doing so I just create that function to do some different things along the way.

Thomas

[ Thread continues here (21 messages/26.84kB) ]

---

Talkback:151/melinte.html

[ In reference to "Monitoring Function Calls" in LG#151 ]

Francesco Russo [francescor82 at email.it]

Wed, 04 Jun 2008 19:26:00 +0200

About the article http://linuxgazette.net/151/melinte.html, there's a typo: the architecture name is x86_64, not x86_86.

-- 
Francesco Russo
The White Rabbit put on his spectacles. 'Where shall I begin, please
your Majesty?' he asked.
'Begin at the beginning,' the King said gravely, 'and go on till you
come to the end: then stop.'
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

[ Thread continues here (2 messages/1.38kB) ]

---

Talkback:151/weiner.html (2)

[ In reference to "USB thumb drive RAID" in LG#151 ]

s. keeling [keeling at nucleus.com]

Sun, 15 Jun 2008 16:14:39 -0600

This was just too cool not to try it. It works great. I now have a 7 Gb RAID 5 on three 4 Gb pendrives.

Caveats:

   -  make sure the hub you buy leaves enough room between slots to
      insert your keys.  Some can be pretty tight.  Keys are all
      shapes and sizes, and some are pretty fat.  That tiny, elegant
      little hub may be cute, but is it usable?  I got the skinny Sony
      4 Gb MicroVaults, but still their button controlling the
      retractable connector gets in the way.  Staples generic Relay
      keys are too wide to use with this hub.
 
   -  The price range on this stuff is all over the map too, so best
      to shop around.  I bought a Targus hub for ca. $40, then found
      an Illum for $17.  Nowhere on the Targus does it mention USB
      2.0.  Is it?  Dunno.  It's going back.
 
   -  Just to be different (yet again), Debian Etch/Stable barfed on
      your mdadm syntax.  It insists on "-l 5" instead of "-l=5",
      ditto "-n 3" instead of "-n=3".
 
   -  I notice my copy of Sidux LiveCD does not contain mdadm, drat.
      Haven't looked at Knoppix yet.
 
   -  echo "(3 * 39.94) + 17" | bc -l == 136.82.  I just bought an
      Acomdata USB external 320 Gb 7200 rpm hard drive for 139.85.
      320 for $140, vs. 7 for $137, doesn't really make much sense,
      but it's still fun.

Thanks for helping me make a fun toy, and for a nicely written and enjoyable article.

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)
- -

---

Talkback:151/weiner.html

[ In reference to "USB thumb drive RAID" in LG#151 ]

Mohammad Farooq [farooqym at gmail.com]

Tue, 3 Jun 2008 10:51:54 +0400

This PCI card is an alternative to USB. It can support up to 4 CF cards. http://news.cnet.com/8301-13580_3-9803084-39.html

[ Thread continues here (2 messages/0.96kB) ]

---

Talkback:151/lg_mail.html

[ In reference to "Mailbag" in LG#151 ]

Benno Schulenberg [bensberg at justemail.net]

Fri, 13 Jun 2008 15:06:33 +0200

[[[ In re: 'lang="utf-8" makes Firefox use an ugly font' from LG#151 -- Kat ]]]

Hmm, not very nice of you to not CC me on the continued discussion.

Benno Schulenberg wrote:

> However, I'd still like to suggest you replace "utf-8" in the
> 'lang' attributes with "en", because utf-8 is not a language, and
> the language the Linux Gazette pages are written in is English.

As Kapil Hari Paranjape said, my main point was that "utf-8" is not a language name. But unlike Kapil says, lang is a _language code; it has nothing to do with the encoding.

  http://www.w3.org/TR/REC-html40/struct/dirlang.html
 
  lang = language-code [CI]
      This attribute specifies the base_language of an element's
      attribute values and text content.
 
  Language information specified via the lang attribute may be used
  by a user agent to control rendering in a variety of ways.

The base language of the Linux Gazette looks to be English. So use "en". If you want to be perfect, mark any snippets in other languages with the appropriate lang attribute.

http://www.w3.org/TR/xhtml2/mod-i18n.html

Benno

[ Thread continues here (3 messages/5.68kB) ]

---

Talkback:136/pfeiffer.html

Yannis Broustis [broustis at gmail.com]

Tue, 3 Jun 2008 17:07:44 +0300

Hello,

I ran the tcpsnoop on two machines, and, similarly as in Pfeiffer's example, the contention window does not get larger than 2, as time progresses.

Any ideas why?

Thanks, Y.

[ Thread continues here (2 messages/1.15kB) ]

---

Talkback: Discuss this article with The Answer Gang

2-Cent Tips

2-cent tip: Checking HTTP servers

Thomas Bonham [thomasbonham at bonhamlinux.org]

Sat, 14 Jun 2008 20:20:42 -0700

Hi All,

I will share the socket code that I wrote for checking to see if your http server is running. This will need to be run from a remote computer.

There will be something that you may need to change some things around for your needs and at this time it will not work with https it is only for http.

Here is the code I have put a few notes in where you may need to change for your needs.

#!/usr/bin/perl
use Socket;
$host = $ARGV[0];
$port = $ARGV[1];
$iaddr = inet_aton($host) || die "Unable to determine address for $host";
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) ||
    return "Unable to create a new socket: $!";
connect(SOCKET, $paddr) || die "Connection refused by $host: $!";
select(SOCKET);
$| = 1;
select(stdout);
print SOCKET "GET / HTTP/1.1\n";
print SOCKET "Host: $host\n";
print SOCKET "Connection: close\n";
print SOCKET "\n";
my $i = 0;
while (<SOCKET>) {
    if($i < 1) {
        # May need to change to match what header you would like back
        if($_ !~/^HTTP\/1.1 200 OK/) {
            # Do something here
        }
        break;
    }
    $i++;
}

Thomas

---

2-cent tip: Speeding up Knoppix

Ben Okopnik [ben at linuxgazette.net]

Sat, 28 Jun 2008 20:24:33 -0400

----- Forwarded message from Oscar Laycock <oscar_laycock@yahoo.co.uk> -----
 
   I run a Knoppix CD on an old PC with only 128 meg of RAM. To speed things
   up, to reduce the swapping, I cut down on the memory set aside for my
   work:
 
   mount -t tmpfs /ramdisk /ramdisk -o remount,rw,size=15m,mode=755
 
   Maybe you can do something similar on other live CD's?
    
----- End forwarded message -----

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

---

2-cent tip: Removing the comments out of a configuration file

Thomas Bonham [thomasbonham at bonhamlinux.org]

Fri, 06 Jun 2008 07:51:55 -0700

Hi All,

I thought I would sure this little perl script that will remove the comments out of a configuration file.

#!/usr/bin/perl -w
# Thomas Bonham
# 06/06/08
 
if($#ARGV !=0) {
    print "usage: path to the configuration\n";
    exit;
}
$fileName=$ARGV[0];
open(O,"<$fileName") || die($!);
open(N,">$fileName.free") || die($!);
while(<O>) {
    next if($_  =~/^#.*/) ;
    print N $_
}

Thomas

[ Thread continues here (16 messages/15.65kB) ]

---

Talkback: Discuss this article with The Answer Gang

News Bytes

By Deividson Luiz Okopnik and Howard Dyckoff

Contents: News in General Conferences and Events Distro News Software and Product News

Selected and Edited by the LG NewsBytes team.

Please submit your News Bytes items in plain text; other formats may be rejected without reading. [You have been warned!] A one- or two-paragraph summary plus a URL has a much higher chance of being published than an entire press release. Submit items to bytes@linuxgazette.net.

---

---

Talkback: Discuss this article with The Answer Gang

---

Deividson was born in União da Vitória, PR, Brazil, on 14/04/1984. He became interested in computing when he was still a kid, and started to code when he was 12 years old. He is a graduate in Information Systems and is finishing his specialization in Networks and Web Development. He codes in several languages, including C/C++/C#, PHP, Visual Basic, Object Pascal and others.

Deividson works in Porto União's Town Hall as a Computer Technician, and specializes in Web and Desktop system development, and Database/Network Maintenance.

---

Howard Dyckoff is a long term IT professional with primary experience at Fortune 100 and 200 firms. Before his IT career, he worked for Aviation Week and Space Technology magazine and before that used to edit SkyCom, a newsletter for astronomers and rocketeers. He hails from the Republic of Brooklyn [and Polytechnic Institute] and now, after several trips to Himalayan mountain tops, resides in the SF Bay Area with a large book collection and several pet rocks.

Howard maintains the Technology-Events blog at blogspot.com from which he contributes the Events listing for Linux Gazette. Visit the blog to preview some of the next month's NewsBytes Events.

Review of the Plat'Home OpenBlockS

By Ben Okopnik

The Setup

Some months ago, Plat'Home sent us a press release detailing their new product, the Plat'Home Open Micro Server [1]. The writeup seemed promising - lots of keywords designed to ping a geek's heart, warm his kidneys, and titillate his imagination:

>    Hi Ben,
>    Wanted to introduce you to Plat'Home [www.plathome.com], the company
>    that introduced the fledgling Linux operating system to Japan in 1993 and
>    is now offering its flagship product, the OpenMicroServer, in the U.S.
>     Their current customer list is quite impressive * NTT, Japan's largest
>    company, KDDI, Sony, Fujitsu, and Toshiba, among others.
>    Plat'Home designed the customizable SSD/Linux operating system for the
>    OpenMicroServer. OpenMicroServers can be fully administered over the
>    network, and do not require a connection to display or I/O devices such as
>    a monitor, keyboard or mouse.
>    The neat thing about the OpenMicroServer is that it fits in the palm of
>    your hand, so it's quite portable. And thanks to integrated Power over
>    Ethernet (PoE) functionality, it can even work without a separate power
>    supply cable. This means no mangy cables and no need to be next to a
>    power outlet. Additionally, it does not contain a cooling fan, so it's
>    quiet, and has the ability to operate in super hot* 104+
>    degree* conditions.

Since it sounded like a flexible and interesting gadget, I volunteered to review it (despite already having way too much to do, on the principle that one more task in the huge flood wouldn't be noticeable. :)

The Synopsis

When I received it, my first reaction was "Whoa, that's a lot bigger than I expected!" Then I realized that I'd been misled by the hype. I quote, again:

The neat thing about the OpenMicroServer is that it fits in the palm of your hand, so it's quite portable.

Perhaps I'd misinterpreted the above statement, and "fits in the palm of your hand" actually means "in the palm of King Kong's hand" - although it's arguable whether this unit is smaller than Fay Wray's waist. I'd bet on Fay, myself. In reality, it's about half the size of an average laptop, although a bit lighter. Add in the cables and the power adapter (which, despite the claims about Power Over Ethernet (PoE), was indeed required - I, at least, could not get PoE to work), and the weight/size of the unit is something they should have buried in the documentation instead of boasting about it. On the other hand, I may be looking for restraint where only over-enthusiasm abounds...

(Doing a bit more digging on the Net turned up a reference in which they had indeed buried the size data, coyly mentioning a "1U rack mount size". This turns out to be 17.3" x 7.3" x 1.8" inches, a.k.a. 440x184x44mm overall! That same reference uses the term "tiny" in addition to "palm of your hand".)

Next, like a good lad, I attempted to read the documentation. Frankly, I felt like just plugging it in and having a go - this would be a certain sort of test of its own, since a stand-alone computer should work intuitively in many ways - but I was already getting a certain feeling about this, and decided to treat it with maximum latitude and circumspection.

A large number of the initial pages of the printed (actually, photocopied) manual were consumed in warnings. In fact, in a long life of reading equipment manuals for a variety of things - power tools, welding equipment, sailing gear, scuba gear, large power systems, computers, etc. - I've never seen anything like it; there were warnings about leaking capacitors as well as warnings about placing the unit on top of things (I was fascinated and read the details - it seems that it could actually fall and hurt someone. Who would have thought it???) Most people, after reading this part, would be too terrified to ever come near it again... but after many repetitions of a calming mantra, I was able to go on with the process - only to scratch myself on a badly-finished corner of the case. It seems that it's easier to write warnings than to make a metal case that won't attack the user.

Once past that initial hurdle, I started delving into the meat of the docs - which were written in Japanese. Actually, the words used were English, and so was the grammar - but the structure and the phrasing were pure 日本語 (Nihongo). The spelling was excellent, too - and yet, it was nearly incomprehensible; many of the paragraphs were repeated, and the structure was indefinite and vague (there was no hierarchy of any sort.)

However, I had a secret weapon: my wife happens to be of Japanese extraction, and so I had a ready-made translator and partner in exploration of this deep, dark cave. Take that, you manual-manglers! :) She read the Japanese version of the manual, translated it into English, and we went merrily rolling along - except in the many cases where the Japanese didn't make any sense either. Some of which could then be resolved by reading the English version. Woo-hoo, linguistic adventures Indiana Jones style!

To be completely fair about this, it really wasn't about the language - although that by itself would be a "do not pass 'GO', do not collect $200" factor. The problem was that the organization of the manual was so poor that no amount of translation would have made it work. E.g., if you wanted the password for logging in via the serial interface, you had to figure out that you should go forward a few chapters into the Ethernet section and use their web password to do so. On the other hand, if you had the facility for remembering every single fact in a manual, I suppose you could read the entire thing and somehow cross-reference everything in your mind. I will admit that I am explicitly not a paragon of such virtues; if I can't find it in the relevant section pointed to by the index, I tend to take 'strace' (or perhaps 'ldd', or sometimes an axe) to the thing. In this case, Plat'Home had supplied me with a 4" or so Ethernet cable, so I decided to try that route first.

Armed with the minimal amount of information that the two of us were able to glean, I went poking and prodding at the 'soft' end of this box. 'nmap' showed that the appropriate listeners (plus a few others - none of which were documented) were indeed running on it; however, plain old port 80 was not available - theoretically because you'd want to leave it available for standard HTTP service to the world from this box - and 880 was handling web administration logins. A technically odd choice, that, since 880 is still a low (i.e., privileged) port and requires root permissions to access; this is the common reason for using port 8080, or other ports above 1024, for similar situations. By the same token, the pre-allocated IP addresses for this box were a little unusual: "192.168.252.254" constrains you to either have your own address in the xxx.xxx.252.xxx IP range or to use an odd netmask - neither of which is normally necessary or desirable, and is certainly not common practice.

ben@Tyr:~$ nmap 192.168.252.254
Starting Nmap 4.20 ( http://insecure.org ) at 2008-04-14 14:02 EDT
Interesting ports on 192.168.252.254:
Not shown: 1692 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
23/tcp  open  telnet
37/tcp  open  time
111/tcp open  rpcbind
880/tcp open  unknown

Surfing over to http://192.168.252.254:880, I found a very crude, early-days-of-the-Web page - <FONT SIZE="-1"> tags and all, with no styling or anything resembling an attempt to make it pleasant or professional-looking - redirecting me to the Web interface. Which was just as crude looking, and - crowning touch - with all the link text written in Japanese. The effect was somewhat spoiled by the fact that I could roll over the links and see the names of the links ('password.html', etc.), but except for that, it was a complete and perfect mystery. Doubly so, since I thought I was reviewing a computer. Perhaps I was mistaken, and it was a new puzzle game?

Since the web username was 'root' (at least somewhat startling, in the context of a box the services of which you're supposed to expose to the world), I decided to immediately change the password, and went to the 'パスワード' ('password') link... which contained nothing beyond the page title and a copyright bar. Looking at 'View source' revealed the reason - the page consisted of only the following HTML:

<h1>password</h1>
<!--password-->
<hr><B>&copy; 2001-2005 Plat'Home CO., LTD., Heart Internet
Service</B><BR><FONT SIZE="-1">OpenMicroServer Auto Configuration,
Version: 4.00, Last Build: Sun Dec 18 15:47:39 JST 2005</FONT><BR>
</body></html>

In other words, the page did exactly nothing useful - there wasn't even any form input HTML that would accept a new password.

Somewhat discouraged by now, I checked out the remaining links, guessing - and sometimes being wrong about - their functions. The configuration options for the servers, the DNS config, etc. were mostly either crude, incomplete, ineffective, or all three. Just for comparison, a typical Linksys router interface is slick, intuitive, and rather complete in its functionality; if Plat'Home had simply ripped it off used it as an inspiration, they would have been much, much better off - even before they made any changes or improvements. Given the many excellent examples of router UI out there today, there's literally no reason for anything this poor.

Just for kicks, I decided to see if the console interface was any better... and couldn't get in, even armed with the root password, and despite the fact that I'd just exchanged some email with their technical contact person.

ben@Tyr:~$ telnet 192.168.252.254
Trying 192.168.252.254...
Connected to 192.168.252.254.
Escape character is '^]'.

Linux 2.6.12 (LinuxServer) (ttyp0)

LinuxServer login: root
Password: 
Login incorrect
<Ctrl-C>
ben@Tyr:~$ ftp 192.168.252.254
Connected to 192.168.252.254.
220 ssd-linux FTP server (tnftpd 20040810) ready.
530 User anonymous unknown.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> user root
331 Password required for root.
Password: 
530 User root may not use FTP.
Login failed.

Contacting Plat'Home's technical experts didn't produce any good results - except, perhaps, a confirmation that I wasn't crazy and the interface was this bad (their attitude seemed to be "That's not a problem, sir - that's a feature!") They were quite nice, and very polite, but an excuse like "you can't log into FTP or telnet via Ethernet, only via the serial interface - that's a security feature!" indicates either a completely wrong-headed idea about what is necessary for a web server, or a stuck excuse mechanism. Again, there's no justifiable reason for either of these in a company in the computer field today.

As a last, vain hope, I tried connecting to the box via a serial interface. Due to my fairly extensive experience with serial/cellphone connections in my early days of mobile Linux connections, I consider myself quite knowledgeable about it... but this box defeated me; I could never get it to talk to me either via 'minicom', 'kermit', or any of my other serial configuration tools. (For the doubting Thomases among us - yes, the port was configured and enabled. Yes, I have serial support compiled in the kernel. Yes, "serial.o" was loaded.) I gave up, and shipped it back to Plat'Home.

The Denouement

In conclusion, I have to say that the Plat'Home OpenBlockS appears to be a prototype that's about 3/4 of the way through development rather than a market-ready product. I'd have enjoyed playing with it if it had been the nifty toy represented by their PR department... but I saw nothing that justified the hype. For the moment, my impression of this product is anything but positive.

---

[1] While I was waiting for the unit, Plat'Home contacted me to say that the Open Micro Server that they were originally going to ship had been superceded by the OpenBlockS and that they were sending me the newer unit; hence, the change from the original PR to the actual unit. The claims, however, didn't change much - except, perhaps, to become even more hyperbolic than the original.

Talkback: Discuss this article with The Answer Gang

---

Ben is the Editor-in-Chief for Linux Gazette and a member of The Answer Gang.

Ben was born in Moscow, Russia in 1962. He became interested in electricity at the tender age of six, promptly demonstrated it by sticking a fork into a socket and starting a fire, and has been falling down technological mineshafts ever since. He has been working with computers since the Elder Days, when they had to be built by soldering parts onto printed circuit boards and programs had to fit into 4k of memory. He would gladly pay good money to any psychologist who can cure him of the recurrent nightmares.

His subsequent experiences include creating software in nearly a dozen languages, network and database maintenance during the approach of a hurricane, and writing articles for publications ranging from sailing magazines to technological journals. After a seven-year Atlantic/Caribbean cruise under sail and passages up and down the East coast of the US, he is currently anchored in St. Augustine, Florida. He works as a technical instructor for Sun Microsystems and a private Open Source consultant/Web developer. His current set of hobbies includes flying, yoga, martial arts, motorcycles, writing, and Roman history; his Palm Pilot is crammed full of alarms, many of which contain exclamation points.

He has been working with Linux since 1997, and credits it with his complete loss of interest in waging nuclear warfare on parts of the Pacific Northwest.

Apertium: Open source machine translation

By Jimmy O'Regan

About Apertium

Apertium is an open source shallow-transfer machine translation (MT) system. In addition to the translation engine, it also provides tools for manipulating linguistic data, and translators designed to run using the engine. At the time of writing, there are stable bilingual translators available for English-Catalan, English-Spanish, Catalan-Spanish, Catalan-French, Spanish-Portuguese, Spanish-Galician, and French-Spanish; as well as monolingual translators that translate from Esperanto to Catalan and to Spanish, and from Romanian to Spanish. There are also a number of unstable translators in various stages of development. (A list of language pairs, updated daily, is available on the Apertium wiki).

In other words, Apertium is the open-source Systran (the engine that powers Babelfish).

Apertium version 1 was based on existing translators that had been designed by the Transducens group at the Universitat d'Alacant, and funded by the OpenTrad consortium. Subsequent development has been funded by the university, as well as by Prompsit Language Engineering. While Apertium 1 was designed with the Romance languages of Spain in mind, Apertium 2 added support for less-related languages (Catalan-English); Apertium 3 added Unicode support.

Apertium is designed according to the Unix philosophy: translation is performed in stages by a set of tools that operate on a simple text stream. Other tools can be added to the pipeline as required, and the text stream can be modified using standard tools. There is also a wrapper script (called simply apertium) that takes care of most of the details.

$ echo 'Esta es Gloria, mi amiga argentina'|apertium es-en
This is Gloria, my Argentinian friend

(That example was picked at random from 'Teach Yourself Spanish Grammar' - translation quality is not always that high, though).

Apertium packages are available for Debian and Ubuntu (apt-get install apertium); packages are not yet available for other distributions, though it has been used successfully on several distributions. The mildly curious may prefer to try the Surf and Translate demo on the Apertium Web site.

I intend to follow this article with articles of a more tutorial nature; the rest of this article is intended to give an explanation of the most common terms in machine translation.

Types of Machine Translation

Machine translation systems differ in sophistication, and there are several basic approaches to translation. At the basic level, any translation system has to include dictionary lookup; however, this can also use a stemmer to find the basic form of a word (instead of looking up 'beers' in the dictionary, it looks up 'beer'), or a morphological analyser (which operates much like a stemmer, but also includes grammatical information - Apertium's analyser would return beer<n><pl> from the word 'beers', to tell the rest of the system that the word is a noun, and plural).

Rule-based systems were the first 'real' kind of machine translation system. Rather than simply translating word to word, rules are developed that allow for words to be placed in different places, to have different meaning depending on context, etc. The Georgetown-IBM experiment in 1954 was one of the first rule-based machine translation systems; Systran and Apertium are RBMT systems.

Example Based Machine Translation (EBMT) systems translate using the results of previous translations. Translation Memory systems are the most basic example of EBMT; more complicated TM systems (such as OmegaT), which use techniques such as fuzzy matching to suggest similar translations, are closer to the original idea behind EBMT.

Statistical Machine Translation (SMT) is, at its most basic, a more complicated form of word translation, where statistical weights are used to decide the most likely translation of a word. Modern SMT systems are phrase-based rather than word-based, and assemble translations using the overlap in phrases. Google Translate is based on SMT; there is also an open-source system for SMT called Moses.

Interlingua systems are an extension of rule-based systems that use an intermediate language instead of direct translation. Systems based on Interlingua can then more readily translate between various combinations of languages. OpenLogos is an open-source Interlingua-based machine translator, based on the Logos system; a competitor of Systran.

Transfer-based systems are another approach to rule-based machine transfer, influenced by the Interlingua idea. Instead of using a whole language, an intermediate representation of equivalent pieces is used. This still uses language-pair-specific translation, but the amount of language-specific rules are reduced to a minimum. There are two kinds of transfer-based translation: shallow transfer (syntactic), where words are translated based on combinations of word types; and deep transfer (semantic), which uses a representation of the meaning of each word as a basis for how it should be translated.

Most current machine translation systems are hybrid systems: Moses is primarily SMT, but can use morphological analysers to add extra confidence in translation options; Apertium uses statistical methods for word sense disambiguation.

SMT is the current focus of most serious research in MT, but rule-based systems still have a number of advantages. First and foremost, SMT systems require the availability of a large amount of text in both languages¹, which for most language pairs is not available. Secondly, the generated dictionaries contain all likely word combinations for both languages, which both consume a lot of memory and take much more processing time than do the kind of dictionaries used in rule-based systems (which also have the advantage of being useful as human-readable dictionaries - TinyLex is a Java ME program for bilingual dictionaries that uses Apertium data).

Another aspect of SMT that may or may not be a drawback, depending on your perspective, is that they use monolingual models as a way of determining how to combine the phrases they translate. The upside is that, unless they encounter words that don't exist in their dictionaries, the output will be of better quality than with rule-based translation. The downside is that this translation may bear very little relation to the source sentence. With a rule-based system, a bad translation will look like garbage.

Why Open Source Translation?

The best translations depend on the closeness of the languages involved: all other things being equal, a Spanish - Portuguese translator will give a better translation than a Spanish - English translator. Another factor is the domain: words that could be ambiguous in general use may only have one meaning in a specific context. This is well known, and for this reason, most commercial translation systems provide the ability to choose specific domains, and to specify meanings in a user-defined dictionary that can override the system dictionary.

What they don't provide, however, is a way to specify custom rules.

In the majority of machine translation uses, documents are translated in bulk, and later edited. Human translators are expensive, and machine translation is used to reduce this cost, or even to remove it entirely. In the majority of cases, the human editor will be expected to follow an in-house style guide; even if the translation is accurate and clear, it would most likely still require editing to conform to this style guide. Even if the translator can't give better accuracy, it can still reduce expense by reducing the amount of editing a document requires.

The usual solution to this is to combine translation memory with automatic translation. A better solution would be to combine translation memory with a fully customisable machine translator - an open source machine translator.

SMT is starting to be used by companies who seek to provide 'bespoke' machine translators with example-based features, which can adapt as corrections are made to the translation. However, as the selection of a phrase is based on the amount of occurrences, the same correction has to be made a number of times - potentially hundreds or even thousands of times.

Consider this example:

Wolę piekło chaosu od piekła porządku.²

In Polish, the preposition 'od' means 'from', with a few exceptions. The above sentence is one example of such an exception:

I prefer the hell of chaos to the hell of order.

Writing a rule in Apertium to say that the preposition 'od' is 'to' following the verb 'woleć' is quite simple, and takes a lot less time than does writing enough examples for an SMT-based translator to infer the same, and doesn't carry the risk of harming cases that were previously handled correctly.

A Glimpse of the Future

I hope I've made some of you more interested in Apertium: my next article will be a tutorial covering the creation of morphological analysers in Apertium. Anyone too impatient for that can find more information on the Apertium wiki, and there are usually a number of people available on #apertium on irc.freenode.org available to answer questions.

1 In a paper from Google Research, they describe a method of overcoming this problem by using the statistical translation probabilities of multiple languages (which they have used recently, in their newest language additions); essentially, cross-referencing multiple bilingual dictionaries to create new ones. The tool that does this in Apertium is called apertium-crossdics. (The paper also suggests that "One solution is to create such parallel data by automatic translation and then retaining reliable translations by using confidence metrics", which is a bit like saying that infinite monkeys can at least translate the works of Shakespeare).

2 Wisława Szymborska, Możliwości (English)

Talkback: Discuss this article with The Answer Gang

---

Jimmy is a single father of one, who enjoys long walks... Oh, right.

Jimmy has been using computers from the tender age of seven, when his father inherited an Amstrad PCW8256. After a few brief flirtations with an Atari ST and numerous versions of DOS and Windows, Jimmy was introduced to Linux in 1998 and hasn't looked back.

In his spare time, Jimmy likes to play guitar and read: not at the same time, but the picks make handy bookmarks.

Joey's Notes: Access Control Lists

By Joey Prestia

Linux has the ability to use access control lists at the file level. This allows file owners and system administrators to define who has access and what level of access they have beyond the level of fliesystem permissions.

Assume that a company has a team of employees working on a project. Each employee, depending on their role and level of responsibility, needs a different set of permissions; this can be implemented via access control lists (another, and perhaps better term is discretionary access control lists.) In the event that the material is classified to some but not to all, these ACLs make things easy for the company in that security can be handled without the need to involve more people other than those directly concerned.

ACLs are available with the ext3 file system. By default, Red Hat Enterprise Linux 5 sets the capability for ACLs on all the ext3 partitions at install time. What this means is that if you create a new partition that was not in existence at install time and try to use access control lists on it, you can't: you will have to add the mount option ACL in the /etc/fstab file to make that feature available.

Most relevant commands support ACL lists, but some don't; if you're in doubt, you should check the man pages to make sure. "tar", for example, does not support access control lists.

Setting up a partition for ACLs

Let's walk through setting up and using ACLs to get the feel of the fine grained-level of control that is available by using access control lists. Since I have unpartitioned space on this drive, I will run through the process of setting up ACLs on the new partition:

[root@localhost ~]# fdisk /dev/hda
[root@localhost ~]# partprobe
[root@localhost ~]# mkfs.ext3 -L /srv/data /dev/hda10

Next, I need to edit the /etc/fstab file and add the new partition and the mount options for access control lists.

[root@localhost ~]# vi /etc/fstab


LABEL=/            /                       ext3    defaults        1 1
LABEL=/boot    	   /boot                   ext2    defaults        1 2
devpts             /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs              /dev/shm                tmpfs   defaults        0 0
LABEL=/home        /home              	   ext3  usrquota,grpquota 1 2
proc               /proc                   proc    defaults        0 0
sysfs              /sys                    sysfs   defaults        0 0
LABEL=/tmp         /tmp                    ext3    defaults        1 2
LABEL=/usr         /usr                    ext3    defaults        1 2
LABEL=/var         /var                    ext3    defaults        1 2
LABEL=SWAP-hda3    swap                    swap    defaults        0 0
LABEL=/srv/data    /srv/data               ext3    defaults,acl    1 1

After that, I'll make a directory and mount our new partition.

[root@localhost ~]# mkdir /srv/data
[root@localhost ~]# mount -a

Now, I'll add a group called "programming", and create several users belonging to that group: "teamleader", "prog1", "prog2", and "tech". I'll also need to change the ownership and permissions on this directory to those appropriate for our new group. As a result, files created in this directory will belong to group "programming".

[root@localhost ~]# groupadd programming
[root@localhost ~]# chown .programming /srv/data
[root@localhost ~]# chmod 2770 /srv/data
[root@localhost ~]# useradd teamleader -G programming 
[root@localhost ~]# passwd teamleader
[root@localhost ~]# useradd prog1 -G programming
[root@localhost ~]# passwd prog1
[root@localhost ~]# useradd prog2 -G programming
[root@localhost ~]# passwd prog2
[root@localhost ~]# useradd tech -G programming
[root@localhost ~]# passwd tech
[root@localhost ~]# cd /srv/data
[root@localhost data]# ls
lost+found
[root@localhost data]# su teamleader
[teamleader@localhost data]$ 
[teamleader@localhost data]$ touch project
[teamleader@localhost data]$ chmod 700 project 

At this point the teamleader has created a project and restricted access to it via the filesystem.

Using getfacl

The command "getfacl" shows the ACL/permission information for a specified file or directory:

[teamleader@localhost data]$ getfacl project
# file: project
# owner: teamleader
# group: programming
user::rwx
group::---
other::---

Using setfacl

This command sets access controls. There are three fields on the command line that you need to be aware of:

identifier:user/group:permissions

The identifier can be expressed as:

 u - will affect the access rights of the specified user 	
 g - will affect the access rights of the specified group
 o - will affect the access rights of all others
 m - will affect the effective rights mask 

user/group is the intended username or groupname, which can also be expressed as a UID or GID.

permissions are:

 r or 6 - read access
 w or 4 - write access
 x or 1 - execute permission 
 - or 0 - no permissions

Of course permissions may be combined such as r-x or 5 depending on what you want. Using the command in its simplest form looks like this:

setfacl [options] identifier:user/group: permissions filename

Creating ACLs

	
[teamleader@localhost data]$ setfacl -m u:prog1:rwx project 
[teamleader@localhost data]$ setfacl -m u:prog2:rw- project 
[teamleader@localhost data]$ getfacl project
# file: project
# owner: teamleader
# group: programming
user::rwx
user:prog1:rwx
user:prog2:rw-
group::---
mask::rwx
other::---

At this point we promoted our programmers permissions: "prog1" can now read, write, and execute; and "prog2" has read and write access. Notice also that the output from "getfacl" now has a "mask" field at the bottom: the mask is a maximum rights level and can be used to immediately restrict the permissions on this file. In addition, if you do an "ls -l", the listing will show a "+" at the end of the permissions for each filename that has ACLs enabled:

[teamleader@localhost data]$ ls -l
total 13
drwx------  2 root       programming 12288 Mar 19 21:59 lost+found
-rwxrw----+ 1 teamleader programming     0 Mar 22 20:30 project
[teamleader@localhost data]$ 

The "programming" group needs at least read permissions on this file, since other programmers will need to see what is in the document. If we do not specify the group explicitly when we execute the "setfacl" command, it is assumed as you can see below:

[teamleader@localhost data]$ setfacl -m g::r project 
[teamleader@localhost data]$ getfacl project 
# file: project
# owner: teamleader
# group: programming
user::rwx
user:prog1:rwx
user:prog2:rw-
group::r--
mask::rwx
other::---

Restricting effective rights

By changing the mask, I can change the current effective permissions to the most restrictive level as defined by the mask and have those become the effective permissions. Even if a user or group has permissions in excess of what the effective mask is set to, the mask will restrict their effective rights.

[teamleader@localhost data]$ setfacl -m mask::r project 
[teamleader@localhost data]$ getfacl project 
# file: project
# owner: teamleader
# group: programming
user::rwx
user:prog1:rwx                  #effective:r--
user:prog2:rw-                  #effective:r--
group::r--
mask::r--
other::---

Removing a user from an ACL

If we want to remove one of our programmers - e.g., "prog1" - from the ACL for this project and revert his permissions back to what the group has, this would be done as follows:

[teamleader@localhost data]$ setfacl -x u:prog1: project
[teamleader@localhost data]$ getfacl project
# file: project
# owner: teamleader
# group: programming
user::rwx
user:prog2:rw-
group::r--
mask::rw-
other::---

The "-x" switch removes the associated user, group, or other, from the associated access control list - so "prog1" now only has group level access (and probably a pay cut to go with it).

Transfer of ACL attributes from a specification file

What if we were to store our ACL attributes in a file containing the line "u:prog1:rwx"? We could use the "-M" switch to pass the attributes on to a new file.

[teamleader@localhost data]$ touch file
[teamleader@localhost data]$ echo "u:prog1:rwx" > acl 
[teamleader@localhost data]$ setfacl -M acl file
[teamleader@localhost data]$ getfacl file
# file: file
# owner: teamleader
# group: programming
user::rw-
user:prog1:rwx
group::rw-
mask::rwx
other::r--

We have successfully transferred the ACL attributes in the file "acl" to the empty file "file". Did you notice how the effective rights mask jumped up from "rw-" to "rwx"? If you did not want the effective rights mask to change when you modify permissions you could use the "-n" option alongside your other options to prevent it.

Copying the ACLs from one file to another

To copy a file's ACL to another file you would execute "getfacl filewith.acl | setfacl -b -n -M - fileneeding.acl" as I will show below. The last "-" is important; it tells "setfacl" to read the data from standard input, which is being supplied by the preceding pipe.

[teamleader@localhost data]$ getfacl filewith.acl 
# file: filewith.acl
# owner: teamleader
# group: programming
user::rw-
user:prog1:rwx
group::rw-
mask::rwx
other::r--

[teamleader@localhost data]$ touch fileneeding.acl
[teamleader@localhost data]$ getfacl filewith.acl | setfacl -b -n -M - fileneeding.acl 
[teamleader@localhost data]$ getfacl fileneeding.acl
# file: fileneeding.acl
# owner: teamleader
# group: programming
user::rw-
user:prog1:rwx
group::rw-
mask::rwx
other::r--

Inheriting a directory's ACL from the parent

Directories can have a default ACL, which defines the access permissions that files under the directory inherit when they are created. A default ACL affects subdirectories as well as files. First, let's set up a directory with a set of default permissions. Access defaults are created by using the "-d" switch when modifying a directory.

[teamleader@localhost data]$ mkdir work
[teamleader@localhost data]$ setfacl -d -m g::r-x work/
[teamleader@localhost data]$ getfacl work/
# file: work
# owner: teamleader
# group: programming
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

Observe as I create a child directory below, "work/week1". Notice that "week1" will inherit the default ACL permissions of the parent directory "work":

[teamleader@localhost data]$ mkdir work/week1
[teamleader@localhost data]$ getfacl work/week1/
# file: work/week1
# owner: teamleader
# group: programming
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

Inheriting a file's default ACLs from the parent

Last of all, let's see how these defaults propagate to a simple file created in the "work/week1" directory. I'll show the parent's ACL first, then create the file:

[teamleader@localhost data]$ getfacl work/week1/
# file: work/week1
# owner: teamleader
# group: programming
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

[teamleader@localhost data]$ touch work/week1/day1
[teamleader@localhost data]$ getfacl work/week1/day1 
# file: work/week1/day1
# owner: teamleader
# group: programming
user::rw-
group::r--
other::r--

[teamleader@localhost data]$ umask 
0002

Note that the file was created with an active umask of 0002. This means that the file should have had permissions of 664; instead it was created with default permissions of 644 because of the default ACL on the directory and the inheriting of the ACL from the parent directory.

This is not an exhaustive list of all the possibilities; however, just these basics should be enough to get you started using access control lists. ACLs can be used to regulate permissions for special situations where regular Linux permissions will not quite handle the job; they can also lighten the administrative overhead when project-level managers learn to use them correctly and effectively. In addition, ACLs can be a valuable tool in any administrator's toolbox to help regulate security.

Resources

• POSIX Access Control Lists on Linux
• SUSE Linux Administration Guide
• Michael Jang's book "Red Hat Certified Engineer Linux Study Guide", 5th Edition
• Mark G. Sobell's book "A Practical Guide to Red Hat Linux", 3rd Edition

Talkback: Discuss this article with The Answer Gang

---

Joey was born in Phoenix and started programming at the age fourteen on a Timex Sinclair 1000. He was driven by hopes he might be able to do something with this early model computer. He soon became proficient in the BASIC and Assembly programming languages. Joey became a programmer in 1990 and added COBOL, Fortran, and Pascal to his repertoire of programming languages. Since then has become obsessed with just about every aspect of computer science. He became enlightened and discovered RedHat Linux in 2002 when someone gave him RedHat version six. This started off a new passion centered around Linux. Currently Joey is completing his degree in Linux Networking and working on campus for the college's RedHat Academy in Arizona. He is also on the staff of the Linux Gazette as the Mirror Coordinator.

Wireless Configuration for Desktops

By Muthaiah Ramanathan

"Anyone who has never made a mistake has never tried anything new."
 -- Albert Einstein 

Introduction

Let me start with pointers to the two most valuable (in my personal view) resources that I constantly referred to prior to deciding which PCI wireless card would be the best fit for my home system running Fedora Core 5.

URL A: Madwifi Compatible Cards from Netgear
URL B: Comprehensive List of cards from