< index >
	Hands-on Guide to the Debian GNU Operating System

Hands-on Guide to the Debian GNU Operating System Davor Ocelic <docelic/@/linux.hr> Revision History Revision 2.4 30 March 2002 Revised by: docelic This is the initial release. Revision 2.5 02 May 2002 Revised by: docelic Spelling & grammar corrections, Spanish translation (all by Walter Echarri) Revision 2.6 03 June 2002 Revised by: docelic Content improvements, Walter's grammar corrections. Revision 2.7 24 July 2002 Revised by: docelic The lyx->sgml variant just didn't work, output documents were so bad-looking. I've re-written it manually in docbook sgml, with newbiedoc stylesheets. Revision 2.8 12 September 2002 Revised by: docelic Thanks to Gürkan Sengün (gurkan/@/linuks.mine.nu) for various good tips, suggestions and links (and hosting the guide!) Revision 2.9 15 September 2002 Revised by: docelic Improvements; links to external resources. Revision 3.0 16 September 2002 Revised by: docelic Improvements; looks fine now. Revision 3.1 6 January 2003 Revised by: docelic Spelling and style corrections by Walter Echarri. Revision 3.2 9 Feb 2003 Revised by: docelic Added the 'Debian GNU kernels' chapter. Revision 3.3 8 Mar 2003 Revised by: docelic Refactoring, more small updates Revision 3.4 18 Mar 2003 Revised by: docelic Added details, corrected sgml source bits Table of Contents 1. Table of Contents 2. Introduction 2.1. Official "Hands-on Guide" download sites 2.2. Acknowledgements 3. Conventions 4. Basic theory 4.1. Unix 4.2. Free Software, GNU and Linux 4.3. GNU kernel - The Hurd 4.4. The Debian GNU system, its design goals and basic ingredients 5. Basic system management 5.1. Package management 5.2. Getting familiar with system messages 5.3. The X Window System, basic principles and Debian setup 5.4. Virtual consoles 5.5. Shutting down the system 5.6. General notes for hardware support 5.7. Enabling the mouse in text consoles 5.8. Hard disk throughput 5.9. Monitoring non-free software on your machine 5.10. Firewalls 5.11. Setting up IP Masquerading/NAT 5.12. System login procedure, the shell startup and config files 5.13. Regular user accounts 5.14. Switching to root account without a password 5.15. Account login regulation 5.16. Tcp wrappers 5.17. Manually unpacking .deb files 5.18. Checking the MD5 sums of installed Debian packages 5.19. Shared sessions 5.20. Runlevels and system services 5.21. The Debian 'alternatives' system 5.22. Periodically checking for the available disk space 5.23. Creating and extracting file archives 5.24. Copying, mirroring and re-downloading Debian packages 5.25. Package recompilation 5.26. Linking to your local Internet Service Provider 5.27. The package popularity contest 5.28. Accessing data on MS Windows partitions 6. Linux processes 6.1. Introduction 6.2. Basic process-related commands 6.3. Two distinct types of executable files 6.4. How to start a process 6.5. How to terminate a process 6.6. How to put a process to sleep? 6.7. Process priorities 6.8. Processes and their input/output functions 6.9. Leaving processes running while you're away 7. Using Debian GNU 7.1. Common keystrokes 7.2. Terminal settings 7.3. Learning and using the vim editor 7.4. The readline key and function bindings 7.5. User configuration files 7.6. Command aliases 7.7. Advanced command line features 7.8. Customizing the X session 7.9. Reporting bugs 8. Debian GNU kernels 8.1. Basic kernel information 8.2. Kernel recompilation 8.3. Kernel image installation 8.4. System bootloader 9. Try to do it yourself first 9.1. A generic tasklist 9.2. getting help on IRC 9.3. How not to ask questions on IRC 9.4. Frequently used terms 1. Table of Contents 2. Introduction The Guide is available under the terms of the GNU GPL license, and you should probably read it after you successfully install the Debian GNU system on your computer (with or without the help of the Debian installation guide). This is a step-by-step document with many examples, which should relatively quickly answer most of your questions and help you build the correct mindset to solve further problems on your own; I am known for repeating that the idea and logic count, not the exact implementation or usage details (I am all for the "give man a fish and he can eat today, teach a man to fish and can eat forever" principle here). I tried to make it a balanced mix bewteen the administrator's and the user's guide; it is probably too broad for those who belong to either of the two extreme categories. The approach I used should fit home users best - people who do have a Debian installation and a root access at hand, and want to learn and experiment. We will properly define basic terms, explain the system design goals, cover the most important end-user issues and show many command line examples. Since this is a Debian guide, we will not hesitate to use Debian-specific features and commands, but note that most of it (ideologically, at least) applies to other Linux or Unix systems as well. Finally, by saying this is a beginner's guide, we definitely don't restrict ourselves to system basics, I believe the guide is hiding many beautiful details that even experienced users might find useful or amusing. Please note that all the fine information presented here can also be found in respective packages' documentation and is more detailed and comprehensive there. Therefore, it is implicitly suggested to read official software and system documentation in combination with this guide (the dpkg(8) and apt(8) manual pages are perfect to show there's much more of it than we mention here). Generally, www.tldp.org (former linuxdoc), www.debian.org and www.debian.org/doc, /usr/{doc, share/doc, local/share/doc} directories, and the man and info pages on your system are the right information sources. After you finish reading this guide, you'll probably want to read other on-topic manuals available from the Debian documentation directory. 2.1. Official "Hands-on Guide" download sites http://debguide.sarovar.org/ or http://sarovar.org/projects/debguide/ http://www.debian.org/doc/manuals/hands-on/ http://colt.projectgamma.com/debguide/ http://www.linuks.mine.nu/~docelic/debguide/ 2.2. Acknowledgements Walter Echarri <wecharri/@/infovia.com.ar>: the Spanish translation, extensive proof-reading, numerous grammar/style corrections, and motivation. Thanks Wally ;) Adam Garside <asg/@/gimp.shacknet.nu>: proof-reading and grammar/style corrections. Gürkan Sengün (gurkan/@/linuks.mine.nu) for various good tips, suggestions and links (and hosting the guide!). Thanks to all who sent their comments, suggestions or updates. 3. Conventions All system commands are emphasized (free, top, ps) and optionally given in single quotes ('rm'). In case we are referring to the program manual pages, the names also include the section of the manual, as you see from the dpkg(8) and apt(8) examples. All package, file and directory names are emphasized and start with / (slash) or ~ (tilde): /etc/init.d/, ~/.bash_profile Symbols like [PID] indicate you should replace [PID] with the real value of "PID"; for example, kill -9 [PID] Inside chapters, text between "[" and "]" angle brackets provides short explanations, [like the example here] In code and command-line examples, all user input is prefixed with $ (for user commands) or # (for commands which require root permissions). Program output is edited for brevity and has no prefix. While this might prevent you from directly copy-pasting the instructions to your shell, it is always a good thing to use your brain and ponder while re-typing. Unix, GNU, Debian and Linux are words that can sometimes, depending on the context, be used interchangeably. Throughout the guide, I tried to be consistent in always using the word with the broadest scope for which a given note applies. For instance, we would talk about the Unix command line, GNU tools, Debian-way of doing things and Linux process management. 4. Basic theory Let's use this chapter to identify some common misinterpretations and properly define the terms we will use everywhere in this document. We'll start with general terms, such as Unix, GNU or Free Software, and then say something about the Debian Project itself. A little glossary of the various terms that you'll be encountering is provided in the appendix. Let's start. 4.1. Unix In earlier versions of this document, I used to say that Unix was a common name for a group of superior operating systems which shared most of the key design ideas. While there was nothing wrong with that statement, I went to search the Internet for some more formal explanations: Short introduction on the UGU site says: Unix - /yoo'niks/ Plural "Unices". An interactive time-sharing operating system invented in 1969 by Ken Thompson after Bell Labs left the Multics project, originally so he could play games on his scavenged PDP-7. Dennis Ritchie, the inventor of C, is considered a co-author of the system. Similar and more detailed description from searchSolaris: Unix is an operating system that originated at Bell Labs in 1969 as an interactive time-sharing system. Ken Thompson and Dennis Ritchie are considered the inventors of Unix. The name (pronounced YEW-nihks) was a pun based on an earlier system, Multics. In 1974, Unix became the first operating system written in the C language. Unix has evolved as a kind of large freeware product, with many extensions and new ideas provided in a variety of versions of Unix by different companies, universities, and individuals. Partly because it was not a proprietary operating system owned by any one of the leading computer companies and partly because it is written in a standard language and embraced many popular ideas, Unix became the first open or standard operating system that could be improved or enhanced by anyone. A composite of the C language and shell (user command) interfaces from different versions of Unix were standardized under the auspices of the IEEE as the Portable Operating System Interface (POSIX ). In turn, the POSIX interfaces were specified in the X/Open Programming Guide 4.2 (also known as the "Single Unix Specification" and "Unix 95"). Version 2 of the Single Unix Specification is also known as Unix 98. The "official" trademarked Unix is now owned by the The Open Group, an industry standards organization, which certifies and brands Unix implementations.   4.2. Free Software, GNU and Linux Some time later, Richard Stallman, a MIT hacker, started an initiative to create a completely free operating system (free as in freedom). Among other things, his decision was based on frustrations and problems he saw in non-disclosure agreements. They once prevented his colleague from giving him the source code for a laser printer driver (Stallman wanted to include automatic paper-jam notification features). Highly motivated to do The Right Thing (tm), he later quit the job at MIT (so they couldn't possibly claim copyright on his work) and, in 1984, started the GNU ("Gnu's Not Unix") project, whose goal was to protect freedom and supply users with full-featured free software packages for their computers. GNU is a wonderful philosophy that could surely affect non computer-related areas as well. You can see the original Stallman's announcement from Sep 27, 1983 / 10:35:59 PST in the excellent Google Groups archive! GNU developers have re-written all the necessary Unix system tools and utilities, released them as Free Software (under the GNU GPL licence), and they only needed a kernel to accomplish the initial goal. Independently, in 1991, Linus Torvalds (from the Helsinki University) announced his first public release of the kernel he was working on - Linux. He was a student back then, and wanted to create a cheap alternative to high-priced Unix systems, which would run on PC (i386) compatible machines. Combining the Linux kernel and the GNU tools, the free GNU/Linux system became a reality. Linus wrote the kernel from scratch ("from zero") and it was one of the first free Unix-like variants which, supported by the great GNU community and their software, got the Free Software movement really going (from the general-public perspective, not technically, of course). All the way back in 1994, Peter van der Linden wrote the following in his excellent book, titled “Expert C Programming; Deep C Secrets” (ISBN 0-13-177429-8): The Free Software Foundation is a unique organization founded by ace MIT hacker Richard Stallman. By the way, we use “hacker” in the old benevolent sense of “gifted programmer”; the term has been debased by the media, so outsiders use it to mean “evil genius”. Like the adjective bad, “hacker” how has two opposing meanings, and you have to figure it our from the context. Stallman's Free Software foundation was founded on the philosophy that software should be free and freely available to all. FSF's charter is “to eliminate restrictions on copying, redistribution, understanding and modification of computer programs” and their ambition is to create a public-domain implementation of Unix called GNU (it stands for “GNU's Not Unix”. Yes, really). Many computer science graduate students and others agree with the GNU philosophy, and have worked on software products that FSF packages and distributes for free. This pool of skilled labor donating their talent has resulted in some good software. One of the FSF's best products is the GNU C compiler family. gcc is a robust, agressive optimizing compiler, available for many hardware platforms and sometimes better than the manufacturer's compiler. However, there were other efforts, such as those by the BSD people who still had problems with the licensing issues and copyrights, but they have rewritten all the parts in question and released free BSD variants: FreeBSD, NetBSD and OpenBSD. Please Note:   Linux (and other free operating systems today) have picked up the best from the Unix world and additionally, they have many end-user advantages over the orthodox Unix machines (primarily in aspects of "user friendlyness" and GUI environments). 4.2.1. Open Source Open Source is a somewhat newer term which was generally accepted to help promote Free Software in commercial environments. It relies only on practical benefits of open source code (quality, reliability, cost of maintenance) and has no greater philosophy behind it. More information can be found at the Open Source Initiative (OSI) website. It is therefore important to know the disctinction between the two. Important!   Read more about the Free Software, Open Source and the correct interpretation of the word free on the Debian's What Does Free Mean? page. 4.3. GNU kernel - The Hurd It is interesting to mention that Linux is a monolithic kernel and shares many ideas with its Unix counterparts. However, the GNU people have a different vision of how kernels should look like and they are working on The Hurd microkernel. Debian GNU/Hurd port is in progress, and you can see the current status or download the software from the Debian GNU/Hurd port page. Monolithic and microkernels are fundamentally different, and there's been much of debate if microkernels would ever prove useful in real-life application. Linus Torvalds, for example, is constantly bashing microkernel operating systems ("just say NO to drugs, and maybe you won't end up like The Hurd people"). Alan Cox, the maintainer of the production tree of the Linux kernel, who has more sympathies for The Hurd, once said that The Hurd was more about Richard Stallman's idea about how a system should work to promote community than about high perfomance OS design. Technically, The Hurd and microkernels in general do offer many advantages over the traditional Unix kernels; those interested in getting more information should see hurd-paper.html and hurd-talk.html (for The Hurd), or the QNX website (for the proprietary, mature, microkernel-based Unix). 4.4. The Debian GNU system, its design goals and basic ingredients Let's quote something from the official About Debian page: Debian was begun in August 1993 by Ian Murdock, as a new distribution which would be made openly, in the spirit of Linux and GNU. Debian was meant to be carefully and conscientiously put together, and to be maintained and supported with similar care. It started as a small, tightly-knit group of Free Software hackers, and gradually grew to become a large, well-organized community of developers and users. Since many people have asked, Debian is pronounced 'deb ee n'. It comes from the names of the creator of Debian, Ian Murdock, and his wife, Debra. Debian is produced by nearly one thousand developers spread around the world who volunteer in their spare time. Few of the developers have actually met in person. Communication is done primarily through e-mail (mailing lists at lists.debian.org) and IRC (#debian channel at irc.debian.org). The Debian Project is an association of individuals who have made common cause to create a free operating system. This operating system that we have created is called Debian GNU/Linux, or simply Debian for short. An operating system is the set of basic programs and utilities that make your computer run. At the core of an operating system is the kernel. The kernel is the most fundamental program on the computer and does all the basic housekeeping and lets you start other programs. Debian systems currently use the Linux kernel. Linux is a completely free piece of software started by Linus Torvalds and supported by thousands of programmers worldwide. However, work is in progress to provide Debian for other kernels, primarily for the Hurd. The Hurd is a collection of servers that run on top of a microkernel (such as Mach) to implement different features. The Hurd is free software produced by the GNU project. A large part of the basic tools that fill out the operating system come from the GNU project; hence the names: GNU/Linux and GNU/Hurd. These tools are also free. Of course, the thing that people want is application software: programs to help them get what they want to do done, from editing documents to running a business to playing games to writing more software. Debian comes with over 8710 packages (precompiled software that is bundled up in a nice format for easy installation on your machine) -- all of it free. It's a bit like a tower. At the base is the kernel. On top of that are all the basic tools. Next is all the software that you run on the computer. At the top of the tower is Debian -- carefully organizing and fitting everything so it all works together. You may be wondering: why would people spend hours of their own time to write software, carefully package it, and then give it all away? The answers are as varied as the people who contribute. Some people like to help others. Many write programs to learn more about computers. More and more people are looking for ways to avoid the inflated price of software. A growing crowd contribute as a thank you for all the great free software they've received from others. Many in academia create free software to help get the results of their research into wider use. Businesses help maintain free software so they can have a say in how it develops -- there's no quicker way to get a new feature than to implement it yourself! Of course, a lot of us just find it great fun. Debian is so committed to free software that we thought it would be useful if that commitment was formalized in a written document. Thus, our Social Contract was born. 5. Basic system management As we've just covered a bit of the theory, we'll now move on to the basic system administration issues. We will start with basic topics (with software installation, for example), then cover the hardware configuration principles (including the graphical X Window System), suggest generally good things to do with fresh Debian installations and provide help and examples for common software packages. 5.1. Package management The first thing we will take a closer look at is the Debian package management system. We'll take a tour of dpkg(8), apt(8) and other package management related tools. What we're referring to when we say package management is the set of tools we use for browsing, installation, configuration and removal of software packages. Please Note:   All the package management backends and frontends (dpkg, apt-get, synaptic, aptitute, dselect, ...) use the same package database. This means that the changes made by one are seen by other tools as well, and you can therefore combine them all. If you're not specifically interested in all the details and command line switches at the moment (that is, if this is just your easy late night reading ;-), then just briefly remember the command names and their purpose, and skip down to the Getting familiar with system messages subchapter. 5.1.1. dpkg dpkg is a medium-level package manager for Debian. Unless you run into problems with apt-get, you will generally not have to use it directly. Most notably, dpkg does not have the automatic package retrieval methods, and does not resolve dependencies on its own. -i vim_6.0.093-1.deb install package vim, version 6.0.093, Debian revision 1. Two things to note here: You need to know where the .deb file is located, and provide the path to it. dpkg does not check for dependencies so vim could be unpacked, but its configuration would be delayed until you install all the required packages (which is a boring and generally stupid job to do manually; see apt-get below). -r vim Remove package vim if there are no installed programs that depend on vim; leave configuration files on the system. --purge vim Remove package vim and all its configuration files. --configure vim Configure package vim. --configure --pending Configure all pending packages. --get-selections Retrieve current package states from the dpkg database. --set-selections Set package states. Accepts output generated from the option above. Of course, it can also be used on a per-package basis; echo “vim hold” | dpkg --set-selections would set package vim 'on hold'. Once you load this list with --get-selections, use apt-get dselect-upgrade to actually make the packages [de]install on the system. --force-depends Option which could be used everywhere with dpkg, but it almost always leads to dpkg database corruption (specifically, version mismatches) and total dependency chaos. If you later plan to use apt-get, never use this option as it instantly breaks apt (you can, however, use apt-get -f install and apt will do its best to clean up the mess). -l produce package list (keep an eye on the desired and status (first two) columns) -S /path/to/file find out which package does file belong to -L vim show all files installed by package vim --status vim Status information for the package vim, similar to apt-cache show 5.1.2. dpkg-reconfigure dpkg-reconfigure is a tool you use to reconfigure debconf-enabled packages (those which use debconf to ask questions and get answers about the local configuration). dpkg-reconfigure gpm reconfigure package gpm. Only applicable if the package (gpm in this case) relies on debconf. dpkg-reconfigure debconf reconfigure debconf itself. You can choose between few types of interactive or non-interactive package configuration modes. Non-interactive mode is very useful if you are performing mass or automated installations. Tip   Sometimes (due to a bug in a specific package's debconf interface), you won't be able to successfuly configure the package; this is very likely to happen from time to time if you use the Debian unstable tree. Common examples would be the 'Accept' buttons which don't actually accept the input or text fields which are always considered empty. A possible hack solution for this kind of problem is to reconfigure debconf to non-interactive, then configure the problematic package and finally reconfigure back to some sort of interactive mode. Tip   You will most probably be using this command to reconfigure the X Window System every now and then, so just remember this command, which is the elegant Debian-specific way to deal with the configuration: dpkg-reconfigure xserver-xfree86 5.1.3. apt The apt package provides a few command-line tools you will need to successfully use apt-get(8), the tool for high-level package management. 5.1.3.1. apt-setup apt-setup (beware, from the base-config package) opens up a ncurses-based apt configuration tool. Basically, it asks a series of questions and then updates the package files (you can do the same manually by editing /etc/apt/sources.list and running apt-get update). Also check the netselect package, which should select the fastest mirror servers for you automatically. It can sometimes come handy to do telnet linuks.mine.nu | tail -n 5 > /etc/apt/sources.list to retrieve the apt sources for the Debian unstable branch. For more exotic apt sources, check www.apt-get.org. 5.1.3.2. apt-cdrom If you have the packages on your cdroms, you will use the apt-cdrom utility to index them. # apt-cdrom add 5.1.3.3. apt-get apt-get is an apt package handling utility. It is probably the most convenient way to install or remove packages, as it automatically calculates dependencies and adjusts package lists. While dpkg allows you to install any .deb file (provided you have the appropriate .deb file saved locally), apt-get does not. It uses the /etc/apt/sources.list file as its list of 'package sources'; it parses them and creates a big list of all available packages. So whatever you do, you're restricted to packages known to apt. This is both powerful and elegant way to deal with package management, and some of the complicated tasks (such as the package or whole distribution release upgrades) become so easy with Debian GNU that you will hardly believe it! Other, rpm-based distributions are trying to catch up with apt, either by reimplementing the logic in their own programs or porting apt to their systems, but of course, Debian always knows better so stay with the winning team. update Retrieve and update the package lists. Call this every time you change the /etc/apt/sources.list file, or on a daily basis if you use the remote apt sources (those that might update their contents). install vim Install package vim. apt uses its internal database to find out where is the package located (it could be on some of your CDs, the Internet or local apt mirror). apt-get install vim=6.0.093-1 The same as above but installs version 6.0.093-1 specifically (use apt-cache to see available versions for a package). --reinstall install vim Self-explanatory now. remove vim Remove package vim (and other packages which strictly depend on it). --purge remove vim Completely remove package vim and other packages which strictly depend on it. This also removes config files, which normally stay on the system. upgrade Upgrade packages on the system. Whether there are any candidates for upgrade depends on the apt mirror and your local database (for example, if you set a package on Hold, it will be skipped). You can use the -s switch to just check out which packages would actually get upgraded. Some time ago, I read about RedHat's tool which allowed Internet updates, but required you to first send a list of all packages you have on your system (so that RedHat server could compare it to the database and then report new packages available). Apt doesn't work that way - it anonymously grabs whole lists and then locally decides which packages you are interested in. You would think that's the only reasonable way to do an update, but then you see people from RedHat ... Tip   To upgrade specific packages only, either re-run apt-get install [package names], or run debfoster -u [package]. -f install fix Debian installation; perform necessary steps to get internal database back in order. Handy when you previously mess it up with dpkg --force-depends (although it usually means package downgrades or mass deinstalls). 5.1.3.4. apt-cache apt-cache can be used to query the dpkg package database. show vim show internal information on package vim (version, sizes, dependencies, conflicts, suggests, description ...) search vim search the database for package names or descriptions that contain vim. --names-only only search package's Name field (otherwise it looks in all fields). 5.1.3.5. apt-rdepends apt-rdepends performs recursive dependency listings similar to apt-cache. It searches through the APT cache to find package dependencies, and it knows how to emulate the result of calling apt-cache with both depends and dotty options. By default, it shows a complete dependencies listing. 5.1.3.6. Graphically representing package dependencies apt-cache dotty takes a list of packages on the command line and generates output suitable for use by dotty from the GraphVis package. The result will be a set of nodes and edges representing the relationships between the packages. By default the given packages will trace out all dependent packages which can produce a very large graph. This can be turned off by setting the APT::Cache::GivenOnly option (man apt_preferences). The resulting nodes will have several shapes, normal packages are boxes, pure provides are triangles, mixed provides are diamonds, hexagons are missing packages. Orange boxes mean recursion was stopped [leaf packages], blue lines are pre-depends, green lines are conflicts. # apt-cache dotty vim | dot -Tps > Caution   dotty cannot graph larger sets of packages. 5.1.4. grep-dctrl The grep-dctrl utility greps Debian control files. The grep-dctrl program can answer such questions as What is the Debian package foo? Which version of the Debian package bar is now current? Which Debian packages does John Doe maintain? Which Debian packages are somehow related to the Scheme programming language? and with some help, Who maintains the essential packages of a Debian system? It is a specialised grep program that is meant for processing any file which has the general format of a Debian package control file, as described in the Debian Packaging Manual. These include the dpkg available file, the dpkg status file, and the Packages files on a distribution medium (such as a Debian CD-ROM or an FTP site carrying Debian). For instance, too see all the packages for a maintainer, do: $ grep-dctrl --show Package --field Maintainer 'Maintainer Name' /var/lib/apt/lists/* For a lot more usage examples, see the grep-dctrl(1) man page. 5.1.5. debfoster and deborphan Tools to weed out unnecessary Debian packages. Their use is trivial. For example, to remove all unnecessary packages, you could do: # apt-get --purge remove `deborphan` 5.1.6. dpkg-repack dpkg-repack package provides us with a tool to bundle installed packages back into the .deb format. If any changes have been made to the package while it was unpacked (ie, files in /etc modified), the new package would inherit the changes. This utility can make it easy to copy packages from one computer to another, or to recreate packages that are installed on your system, but no longer available elsewhere. # dpkg-repack vim 5.1.7. dpkg-divert dpkg-divert overrides a package's version of a file. File diversions are a way of forcing dpkg not to install a file into its location, but to a different location. Diversions can be used through the Debian package scripts to move a file away when it causes a conflict. System administrators can also use it to override some package's configuration file, or whenever some files (which aren't marked as 'conffiles') need to be preserved by dpkg, when installing a newer version of a package which contains those files. I used it in our ttysnoop+ssh setup (see below): # dpkg-divert --divert /bin/login.real --add /bin/login 5.1.8. dpkg-statoverride stat overrides are the way to tell dpkg to use a different owner or mode for a file when a package is installed. This can be used to force programs that are normaly setuid to be installed without a setuid flag, or only executable by a certain group. See the dpkg-statoverride(8) man page for details. 5.2. Getting familiar with system messages It is very important to learn how does the system communicate with its users (or administrators). One can always find the exact source of the problem and take appropriate actions (simple, proven-to-be-useful tasks help in almost any situation), so this is why the chapter had priority in the final document layout. 5.2.1. Boot messages During the boot, the system kernel prints out a lot of interesting information (unless the quiet option was passed to it). The copy of the messages is saved in the /var/log/dmesg file (which does not grow with time). The dmesg command, however, will show you the last 4 KB of recent kernel messages. 5.2.2. System logging daemon Unix machines have a standardized way for programs, applications and daemons to send messages to the global system logger (syslog). There are many syslog implementations available; with Debian, you can choose betweeen the default traditional BSD sysklogd, syslog-ng and metalog. Each message has an indication of the facility (message source) and severity (importance level). The date, time, host and process information is automatically generated by syslog, and should not be a part of the message itself. The syslog daemon distributes messages to files, pipes, remote destinations or users, using the schema specified in the /etc/syslog.conf file (for the traditional BSD sysklogd). All the logs from a vanilla ("out of the box") Debian system are written to files in the /var/log/ directory. Please Note:   Nothing prevents you from specifying multiple destinations for the same message. To collect all system messages (for strictly educational purposes :) in a single file, add a line like this in /etc/syslog.conf: *.* TAB /var/log/allmessages [TAB is there to warn you that you really have to press the TAB key, spaces don't do it right]. Then create an empty /var/log/allmessages file (choose your favorite, both variants here do the same): # touch /var/log/allmessages > And just reload the sysklogd daemon configuration: # /etc/init.d/sysklogd reload Now go to some idle virtual console, and type (see the tail(1) man page): $ tail -f /var/log/allmessages Do something to your system (for example, logout, login or use 'su' on another console, and watch messages appear!). This is an excellent way to learn more about the system and how it works. Also, you can detect any anomalies and error reports that would otherwise go unnoticed. If you are writing shell scripts, or modifying your ~/.bash_profile, you can use the 'logger' command to log your messages via syslog. Please Note:   I prefer echoing all messages to /dev/tty12 which makes them easy to check just by switching to the virtual console 12 (Alt+F12). If you are using the X graphical interface most of the time, check out the root-tail package which monitors log files and prints messages to your root window (the background). You can also log messages to pipes and then read them with a GUI application, or use some of the standard tools which simply look at the files in /var/log. 5.2.3. Logging ppp messages It is nice to have all ppp logs go to /var/log/ppp.log; the 'plog' command will then work as expected. The following will add a line to /etc/syslog.conf and restart the syslog daemon (we used the traditional BSD sysklogd in the example): # echo -e "local2.*\t/var/log/ppp.log" >> /etc/syslog.conf > 5.3. The X Window System, basic principles and Debian setup 5.3.1. The XFree86 Project, an open-source X Window System implementation From www.XFree86.org: The XFree86 Project, Inc is the organization which produces XFree86, a freely redistributable open-source implementation of the X Window System which runs on Unix(R) and Unix-like operating systems such as Linux, all of the BSD variants, Sun Solaris x86, Mac OS X (via Darwin), as well as other platforms like OS/2 and Cygwin. XFree86, the product, provides a client/server interface between display hardware (the mouse, keyboard, and video displays) and the desktop environment while also providing both the windowing infrastructure and a standardized application interface (API). XFree86 is platform-independent, network-transparent and extensible. With XFree86 a user cannot only choose the desktop environment they prefer, but because we are an open-source project, users can also modify and update their systems as they see best. As XFree86 has always been an unabashed supporter of freedom of the user desktop, so we encourage users to customise and personalise their desktops with the application of their choice, whether it be KDE, GNOME, Enlightenment, Blackbox, AfterStep, fvwm or twm. Our goal at XFree86 is to have X run on every platform available, including those we do not currently support, as the best windowing system available on that platform. 5.3.2. The X Strike Force: XFree86/X Window System support for Debian Visit the X Strike Force homepage. 5.3.3. XFree86 Installation Debian potato (2.2) is shipped with XFree86 version 3.6.6, while Debian woody (3.0) has XFree86 version 4. See current status at the X Strike Force homepage. X4 brings a lot of improvements and is now standard in Debian. There's not much difference from administration perspective, but notes will be put where appropriate. You can install basic X support, the icewm window manager and the wdm display manager with: # apt-get install xserver-xfree86 xbase-clients xfonts-base icewm icewm-themes wdm Please Note:   If you're using X3, do apt-cache search xserver- and install the appropriate one instead of xserver-xfree86. wdm is a better-looking equivalent to xdm, the X Display Manager (it opens up graphical login prompts). It is nice to have it, especially if you want to install more window managers, and then select which one to use from the wdm's menu. If you are using Gnome or KDE consider using their native gdm or kdm programs. 5.3.4. XFree86 Server Configuration When you install the packages, the configuration process will start automatically. If you don't get it right the first time, you can always re-run configuration with: # dpkg-reconfigure xserver-common > The interface is very clean and should help you create working XFree configs in no time. In case of problems, inspect the config file (/etc/X11/XF86Config-4 or /etc/X11/XF86Config) manually to make sure you have the right Driver option, and that UseFBDev option is set to false (these are the most common errors). Tip   If you see no UseFBDev option in the config file, you need to manually add it and set it to false. The proper location to do it is the Section "Device" part of the config file, and it needs to look more or look like this: Section "Device" Driver "ati" Option "UseFBDev" "false" BusID "PCI:1:0:0" EndSection 5.3.5. Tuning the resolution in X When you start X, it picks the default color depth, loads in the list of available resolutions for the given depth, and displays the highest one. You can then cycle over other pre-defined resolutions with Ctrl+Alt+'+' and '-'. All this is set up in /etc/X11/XF86Config-4. Here's an excerpt from the configuration for 16bit colors with default resolution 1024x768: ... Section "Screen" ... DefaultDepth 16 SubSection "Display" Depth 1 Modes "1152x864" "1024x768" "800x600" "640x480" EndSubSection ... SubSection "Display" Depth 16 Modes "1024x768" "800x600" "640x480" EndSubSection ... EndSection ... To explicitly start X with 16bit colors (if there's no DefaultDepth option or it is different), use: startx -- -bpp 16 If you want to further experiment with refresh rates and resolutions, either manually tune VertRefresh, HorizSync and Modeline (in X3 only) definitions in X config file, or see OpenBSD's X tuning guidelines. 5.3.6. Device autodetection To take advantage of some kind of device autodetection, see the following three programs: read-edid, hardware information-gathering tool for VESA PnP monitors mdetect, mouse device autodetection tool discover, hardware identification system 5.3.7. The client-server model Since X is a client-server based model (as are most other things in Unix), it means you have a whole new domain of features at your disposal. We'll discuss them now. Typical local-user/local-machine session When you start X (with startx, xinit or X), it opens the first free virtual console (that is console 7 in most Linux distributions), and starts X server on it (X server uses the DISPLAY environment variable to detect the target display, and in this case it is “localhost:0”; just “:0” or undefined DISPLAY variable have the same effect). The X server then starts the window manager of your preference and the desktop screen shows up. All the files needed are found on your local disk. You can switch back to your console screens with Ctrl+Alt+F1, F2 etc... To get back to your X display, use Alt+F7. To close your X session, either find some form of a Logout button in your window manager, or simply use Ctrl+Alt+Backspace. Just as you can have more virtual text consoles, you can have more completely separate X displays on a single display device (of course, even under different usernames): To see it in practice, start X (with startx& command), then switch back to text console with Ctrl+Alt+F1, and run 'startx -- :1&'. Bravo! You have two X sessions running now! Switch between them with Ctrl+Alt+F7 and Ctrl+Alt+F8. Remote displays on your machine Let's say you have two machines, Monarch and Denali. You are sitting at Denali, and would like to start some X program on Monarch, but have the display locally on Denali's monitor (Note that this isn't a common file sharing: in our case, the program is really executed on Monarch, only the display is sent to Denali). We will use one very convenient approach (there are other ways, of course) - we will use slogin program (an alias for ssh actually) to log in to monarch. The slogin command will set up the .Xauthority magic cookie file and the DISPLAY variable automatically, so all we need to do is to start our application. Try xeyes. Here's an example for convenience: denali:~$ slogin monarch Enter password: xxxxx monarch:~$ echo $DISPLAY denali:0 monarch:~$ xeyes& Please Note:   Note however that you must have the following options enabled for the example above to work: X11Forwarding in /etc/ssh/sshd_config and ForwardX11 in /etc/ssh/ssh_config. To restart the ssh daemon, use /etc/init.d/ssh restart 5.3.8. The Direct Rendering Infrastructure (DRI) Here's a little introduction from the Documentation/Configure.help file (the kernel-doc-* packages): AGP (the Accelerated Graphics Port) is a bus system mainly used to connect graphic cards to the rest of the system. If you have an AGP system, it will be possible to use the AGP features of your 3D rendering video card. Note that this is the only way to have XFree4/GLX use write-combining with MTRR support on the AGP bus. Without it, OpenGL direct rendering will be a lot slower but still faster than PIO. Kernel-level support for the Direct Rendering Infrastructure (DRI) was introduced in XFree86 4.0 (which you do have, if you use Debian Woody (3.0) or newer releases). 5.3.9. XFree86 Notes X3 has fewer drivers and you must install specific drivers for specific groups of graphic cards (for example, xserver-rage128, mach32, mach64, i128, 3dlabs, agx, 8514, s3v etc...). In X4, we solve this by only installing xserver-xfree86, which is modular and loads the appropriate modules at runtime. Also, the config file is /etc/X11/XF86Config-4 for X4, and just /etc/X11/XF86Config for old X3. Generally, only use X3 on old machines where you want to save some memory. 5.3.10. Troubleshooting Check the /var/log/XFree86.log and ~/.xsession-errors files for hints. Edit /etc/X11/XF86Config-4 and search for the line Option "UseFBDev" "true" and turn 'true' to 'false'. If it still doesn't work, edit Driver= config parameter. After you make sure the driver option is ok, but it still doesn't work, try tweaking HorizSync and VertRefresh values. Try with this: HorizSync 30-80 VertRefresh 40-90 Make sure you do have some version of a window manager installed, apt-get install icewm should do. dpkg-reconfigure xserver-xfree86 should open up an interactive configurator, try with it. 5.3.11. Window managers Now you have X window system running. Let's make this clear: You need the X server because it knows how to communicate with your hardware and actually display graphics. But that's all it does. How your interface really looks like depends purely on the 'window manager'. If you listened to me, you are probably running icewm now, but there are others (when you install them, they become the default or show up in wdm's login menu). Try wmaker, blackbox, afterstep, xfce or enlightenment. Also try twm and fvwm at least for historical reasons, to understand the Unix folklore ;) If you install GUI environments like Gnome or KDE, you won't have to worry about window managers as they will aready be taken care of. Don't be disappointed by the look of wdm or icewm (tastes difer), you have plenty of other variants to choose; Definitely check out the Window Managers for X website. To get a program which shows you graphical login (so you don't have to log in the console and type startx every time), install package wdm (or any of its relatives; xdm, kdm or gdm). Also, you will be able to select which window manager to use from the wdm's menu. You can also run X without the window manager (usually for testing purposes). Try starting xinit. 5.3.12. Fonts for X Fonts you might want are found in xfonts-* packages. Type this command to search for them: # apt-cache search xfonts- If you are interested in using the Microsoft ttf fonts, there are font servers which can handle them, and I'd recommend you try xfstt. No fonts come with it since they all have non-free licenses. That means you have to get the ttf fonts yourself, copy them to /usr/share/fonts/truetype/, add FontPath “unix/:7101” to /etc/X11/XF86Config, execute /etc/init.d/xfstt restart and then restart X. To browse installed fonts, see the xfontsel and gfontview programs. Also, check out the http://www.linuks.mine.nu/fonts/readme file. Actually, X4 can deal with TrueType fonts directly, you don't need the ttf-enable font server; simply add the ttf FontPath in the X config file. TODO: find the fontpaths for all xfonts- packages and list them here 5.3.13. Gpm (the console mouse driver) and the XFree86 You will most probably have problems with gpm and XFree86 running at the same time. The solution would be to set repeat type to 'raw' in gpm's config and mouse device to /dev/gpmdata in X config file, but that doesn't always give usable results. I prefer to shut down gpm. 5.4. Virtual consoles 5.4.1. Virtual consoles setup in /etc/inittab Almost all GNU/Linux distributions ship with predefined 'virtual terminals' - completely separate text screens or consoles which are available with left Alt + F1-F6 keystrokes (only 6 consoles are enabled by default). You can also use the command-line method to switch between them (see the chvt command), and you can open them automatically with the open command. To add more virtual consoles, edit the file/etc/inittab (as the superuser, of course) and add more lines like those: 5:23:respawn:/sbin/getty 38400 tty5 6:23:respawn:/sbin/getty 38400 tty6 [You can see which fields have to be incremented]. For changes in that file to take effect, exit the text editor and type init q. If you create more than 12 consoles, you won't be able to access them with left Alt (since the last F key you have is 12), so use right Alt key to reach consoles 13 - 24. You can also use Alt + left_arrow or right_arrow to cycle through open consoles. Alt+print_screen key switches between two last used virtual consoles. If you are switching from X to the console, you need to use Ctrl+Alt, instead of just Alt. The deallocvt command frees memory still associated with virtual terminals which are no longer in use [by applications, not you of course]. This is not so important anymore, since you probably have plenty of ram and few kilobytes mean nothing to you. 5.4.2. VGA fonts sizes in the console If you don't like such big letters in the console, execute this: # lilo -R 'linux vga=ask' ; reboot This would set up LILO parameters on the next boot (linux vga=ask), and reboot the machine (since vga mode can only be set at boot, unless you mess with 'svgatextmode' package - but don't do that). When you find a nice vga mode, you should edit /etc/lilo.conf and make it permanent there: image=/vmlinuz label=Linux read-only append="vga=X" [X is replaced with the actual value you like, try '6' for example]. Then, run 'lilo' to apply changes. If you see the penguin in the upper left corner of your screen, you are using a framebuffer (VESA mode). In that case, there are more screen modes available to you, see the table on the Framebuffer HOWTO page. 5.4.3. Font types for the console Install the fonter package and you will be able to edit/create your own fonts, or use some of the standard ones you get: $ consolechars -f /usr/share/fonter/crakrjak.fnt $ consolechars -f /usr/share/fonter/elite.fnt $ consolechars -f iso01.f16 5.4.4. The console keymaps To see current keyboard mappings, you would simply do: $ dumpkeys > keymap After you tune the 'keymap' file to your needs, load it back with the loadkeys command. To see just how advanced the idea of the Linux console is, run the loadkeys program, and type the following in its prompt: string F1 = "Hello, World!" [Ctrl+d] Then just press the F1 key to see the consequences. 5.5. Shutting down the system Some of the commands you can use: # shutdown -h now > To reboot: # shutdown -r now > Sometimes the shutdown -c (shutdown cancelation command) comes handy. You can also use Ctrl+Alt+Del (in the console) to reboot, and this behavior is controlled from /etc/inittab. 5.6. General notes for hardware support Getting a piece of hardware to work is a fairly easy task (although it wasn't so in the past, so always show the due respect for the developer community). Basically, you have to be able to categorize the hardware and know how the specific devices are usually configured under Debian GNU or Linux. Hard disks and CD Roms are supported by the kernel. Sound and network cards are supported by the kernel. Audio settings are saved in a mixer program's config (aumix, for example), and the setup information for the network is in the /etc/network/interfaces file; see interfaces(5) manual. Graphic adapters can use the kernel support (mainly for AGP utilization and true hardware acceleration) but the drivers are usually the XFree server modules. You configure them by invoking dpkg-reconfigure xserver-xfree86. Mice are supported in user space, by the console gpm package, or the graphical X server. The kernel, however, needs to support the port the mouse is connected to (serial, PS/2, USB ...). Use gpmconfig or dpkg-reconfigure xserver-xfree86. Modems (standard hardware modems, not winmodems nor their recent HCF and HSF camouflages) require no special drivers, they are supported by the kernel serial driver which is almost certainly already active on your machine. If you have a winmodem (or those new HSF or HCF things), just forget it (supporting things which are "bad by design" doesn't make much sense in the Debian world). Configure the dial-up account with the pppconfig utility. Scanners, digital cameras and USB devices use either kernel or userspace "drivers" (depending on the model and driver design), but the kernel needs to have basic support for them included. Debian GNU sports a nice tool for kernel module configuration - the modconf utility. However, the whole story with kernel modules is trivial. You have three basic commands (modprobe, rmmod, lsmod) and a bunch of modules in the /lib/modules/`uname -r` directory to choose from. For instance, to load the driver for a 3Com network card and an onboard AMD VIA audio chip, you would do (so, without modconf): # modprobe 3c59x > And to make the modules load at each boot, you'd add them to the /etc/modules file. If you want to use it this way, you must know the module names. Until you get some experience, use modconf. Please Note:   If you are planing to compile your own kernel, definitely use the kernel-package helper (specifically, the make-kpkg command), which will save you a lot of trouble. Kernel compilation procedure now has its own chapter inside this guide, we'll come to it. 5.7. Enabling the mouse in text consoles It is nice to have a mouse working in text consoles; you can copy just by selecting the text, and you can paste with buttons 2 or 3. Install the gpm package and it will automatically ask you for configuration. If you want to delay it, or you don't get it right the first time, you can always re-run the config tool later (it's called gpmconfig). Here's an example for you: for my wheel mouse, I answered this to gpmconfig questions: Where is your mouse? /dev/psaux (that's PS2 port, use /dev/ttyS0 or /dev/ttyS1 for serial ports 1 and 2). What type is your mouse? imps2 (most mice work with imps2 or ps2. Try 'ms' or 'bare' for serial mice) responsiveness? *leave empty* repeat protocol? use 'none' additional arguments? *leave empty* Test the config and enjoy. 5.8. Hard disk throughput To see how good can it be, use the hdparm utility, switch to 'single' mode and test it: # apt-get install hdparm > On ~1 Ghz PC machines, you should see cache reads of about 180 MB/sec (although this number has virtually no limit, on newer machines you get 500 MB/sec in a blink), and unbuffered disk I/O of about 30MB/sec on IDE disks (unless you're lucky enough to have those new and shiny 70MB/s IBMs). Things vary, though. If you see poor performance (it can get as low as 2MB/sec), recompile the kernel and test it after that; you'll most probably see enormous improvements. Another great speed improvement comes from enabling DMA, say: # hdparm -d1 /dev/hda You can add the above command near the end of the /etc/init.d/bootmisc.sh and it will be re-activated on every machine boot (which is what you want). To sum up, unbuffered transfers of 25 MB/sec or more are okay for the traditional PC IDE disks. If you feel lucky, use hdparm and try to fine-tune the hard disk parameters even further; see if it does any good for you. Once you're fine with the performance, remember to adjust the line in /etc/init.d/bootmisc.sh. 5.9. Monitoring non-free software on your machine # apt-get install vrms 5.10. Firewalls 5.10.1. What is a firewall That question would wave made little sense a few years ago (before 1997) but it seems to be a must today, when most computer-related things are just dumbed down and hidden behind graphical interfaces, and children waste their time practicing skills they have no or little use for in the real world. Anyway, on to the subject. Running an Unix machine involves a great deal of responsibility, especially today when people have high-speed Internet connections at their homes; Unix systems don't basically make a difference between physically local and remote users. Anyone who gains access to your machine (especially to privileged accounts) can use it to compromise you and other hosts on your network or attack other Internet sites and cover his tracks. Depending on the type and success of the attack, sometimes the only solace you have is the physical access to the machine and the ability to reinstall it (let alone the backups you didn't make). Therefore, we will now introduce you to firewall software: A firewall is a set of related programs, located at a network gateway server or the user's machine, which protect the private resources from unauthorized [ab]use. Basically, a firewall examines each network packet to determine whether to forward it toward its destination. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources. This means we will use a firewall to control access to our machine, keeping in mind that we distinguish connections initiated by us, and those initiated by the remote ends. Caution   Installing and (mis)configuring a firewall is by no means enough to enforce the site usage policy or provide a satisfying level of security, but it does make a big difference compared to a vanilla ('out of the box') system (having a car doesn't make you a driver, but it solves a mandatory pre-requisite). 5.10.2. Firewall setup in Debian GNU/Linux Free software firewalls have evolved. The old Linux 2.0 kernel series used ipfwadm, 2.2 had ipchains and the current stable 2.4 branch sports the shiny netfilter, sympathized even by those who always preferred BSD systems for that part of the job. The user-space part (for netfilter) is covered by the iptables package, which is a rather low-level interface to the firewall functions so some people (yes, we too) tend to use frontends; I found ferm to be The Frontend. ferm is a 'firewall rule parser for linux designed to maintain and setup complicated firewall rules'. Fair enough. # apt-get install ferm We will now see what a generic home-firewall setup looks like. The policy we will follow is: drop everything, permit only port 113, manually specified IPs and traffic initiated by our side. You should read ferm man page and the examples in /usr/share/doc/ferm/examples/, but here's my suggestion to get us going: # /etc/security/ferm.rules option automod option iptables option clearall option createchains chain input policy drop; chain output policy drop; chain forward policy drop; chain output accept; chain input proto icmp accept; chain input if ( eth0 lo ) { saddr 192.168.7.110/24 accept; saddr 127.0.0.1 accept; drop log; } chain input if ppp0 { saddr 129.70.28.189 ACCEPT; saddr 161.53.41.91 ACCEPT; proto tcp dport 113 ACCEPT; state (established,related) ACCEPT; drop log; } The example assumes your machine has the local IP address 192.168.7.110 and netmask 255.255.255.0. Adjust the host IP (netmask is probably okay). The example assumes your Internet link is a dial-up connection ppp0. Adjust according to your setup. Tip   If you use dport or sport options in your rules, you must also include the proto tcp or udp specification. To make the rules active: # ferm /etc/security/ferm.rules You could also add this command to the /etc/ppp/ip-up script, to have it start automatically, whenever the dialup link goes up. 5.10.3. More protection Unless you are playing games under Wine or WineX, you could be interested in applying the grsecurity patches to your kernel (see apt-cache search grsec). You could also install the Prelude Hybrid IDS (Intrusion Detection System) on your machines. 5.11. Setting up IP Masquerading/NAT Multiple computers can all share the single connection (to the Internet usually) installed on the gateway machine. The procedure to set it up is trivial: On the 'server' machine # apt-get install ipmasq On client machines # route add default gw [server.ip] To make client side changes permanent, add 'gateway' option to the /etc/network/interfaces file. Also, make sure the /etc/resolv.conf files on client machines are valid (copy from the main machine would do if you substitute references to 127.0.0.1 with the server's IP as it is seen from the local network). Please Note:   If it doesn't work for you (you get 'Operation not permitted' errors even on the server machine), try '/etc/init.d/iptables stop'). For laptops, or computers which often change their network environment, see the divine package. 5.12. System login procedure, the shell startup and config files 5.12.1. The system getty We've mentioned the /etc/inittab file before. During the system boot, the init process (it always has the PID 1, it's the first process the kernel runs) reads that file and (among other things) initializes the virtual consoles, usually by starting the getty program on them. The system getty opens up a login prompt on the specified consoles and waits for users. When you enter an username and password, your authentication request reaches the PAM layer (Pluggable Authentication Modules), where it gets checked for validity (using the /etc/pam.d/login rules); the check usually includes reading the /etc/passwd, /etc/group and /etc/shadow files and verifying the user's password and expiration dates. Please note that we are talking about the defaults here, the PAM system has endless configuration options, and it wouldn't be hard to make it use the retina scan instead of passwords to authenticate users. The PAM was originally developed at Sun Microsystems, but the Linux people maintain a fairly compatible Linux-PAM tree. For the complete Linux-PAM user, administration and developer manuals, see the PAM documentation at kernel.org FTP site (the documentation is not on www.tldp.org). The hint:   The getty does wait for your login, but if you do not authenticate successfully the first time, the next login prompt you would see would not be served by getty, but by the /bin/login program itself. They look almost the same, but I thought you'd appreciate this detail. You would see the original getty again either when you finish your work and log out, or you reach the maximum login retry limit, in which case the /bin/login would terminate and the init process would spawn another getty on that console. If you press Enter on the empty console login prompt and it immediately serves you a new one, you know you're talking to the system getty. The /bin/login program would wait for a timeout instead, then tell you the login is incorrect. 5.12.2. The login shell If the PAM layer gives you a green light, the login program spawns a shell for you (exactly which shell is specified in the last field of your /etc/passwd record). The shell then: Executes /etc/profile and checks some other files (/etc/environment for example) Executes the ~/.bash_profile dotfile, or ~/.profile if the former doesn't exist Finally, gives you the shell prompt Please Note:   The root user does NOT read the /etc/profile and it's dotfile is /root/.profile. It's just a convention, the root's dotfile name is not exactly enforced by the system, ~/.bash_profile would have priority if present. Also, the ~/.bash_profile is parsed only if you use the bash shell (check out the last field in 'getent passwd $USER'). If your shell is /bin/sh or something else, only the ~/.profile file will be read (if it exists at all). 5.13. Regular user accounts If you are logged in as root, create a new regular user account with the 'adduser' command and reopen this guide in it. To illustrate why using root account for user tasks is strongly discouraged, I will quote a good summary by Debian users on IRC channel #debian@OPN: It has been said that root is the administrative account - only use it when root power is needed. So no reading mail, compiling programs, or running applications as root. And don't even think about irc'ing as root, it increases the danger from exploits and trojans (such as bliss). If you visit #debian on irc.openprojects.net, and people see you are logged in as root, they will most definitely harass you about it. You should always be logged in as a regular user, and change current user ID (to root) only when necessary, using the 'su' command (or install advanced control mechanisms, such as 'sudo'). 5.14. Switching to root account without a password However, the problem is that you always have to type in the root password when you want to 'su' to root. To avoid this (that is, to enable 'su'ing to root without a password), edit the /etc/group file, and insert this line (anywhere): wheel:x:28:username1,username2 and in /etc/pam.d/su, uncomment this line (remove the # char at the beginning, or copy this line there if you don't have it): auth sufficient pam_wheel.so trust That will allow users named 'username1' and 'username2' to type 'su' and become root without a password. Also, it will allow them to start processes as root on command-by-command basis with su -c '/command/to/execute with arguments'. Tip   To test it for the first time, completely log out and then log back in to reinitialize user groups information. Caution   Note that once you do it, the system security depends on username1 and username2 account passwords. 5.15. Account login regulation Since most of the accounts on your machine will be used locally by you, you don't want people logging in remotely, do you? (they first need an account password for that, but they might get it easier than you think). Edit file /etc/security/access.conf, read short info there and add something like this to the file: -:username1 username2:ALL EXCEPT LOCAL This denies login to username1 and username2 accounts from all locations except your own machine. Tip   To make sshd obey the same restrictions, you need to put "UseLogin yes" directive in the /etc/ssh/sshd_config file and restart sshd (/etc/init.d/ssh restart). Actually, you deserve the whole story here: to minimize security risks, the portable version of OpenSSH uses the "privilege separation" mechanism which is enabled by default. Privilege separation, on the other hand, breaks PAM (if you ever wondered why /etc/pam.d/ssh doesn't work as you expected). So by saying "UseLogin yes" here, we put /etc/pam.d/login in effect (inconsistent and dirty, but it works for the moment). 5.16. Tcp wrappers Tcp wrappers are a standard part of Debian, and allow you to simply control access to system services (mostly to those started from the inetd meta daemon). If you want to deny all services to remote addresses, make sure the file /etc/hosts.allow is empty, and put this in /etc/hosts.deny: ALL: ALL EXCEPT LOCAL 127.0.0.1: DENY For more information (including on how to trigger system commands upon incomming requests) read hosts_access(5) and hosts_options(5) man pages. Please Note:   Tcp wrappers and a firewall have very little in common; the level at which the allow/deny decision takes place is fundamentally different. With a firewall, it happens on a lowest, packet level: the packet targeted at say, an ftp port, could be dropped by the firewall as soon as it gets received by the network hardware and processed by the operating system's network layer (it wouldn't even reach the ftp daemon). With tcp wrappers, the packet does reach its destination (or the inetd, at least). The request validity check is usually performed before the server forks a new child process to service the incoming request. 5.17. Manually unpacking .deb files From time to time you wish to unpack a .deb file to see its contents (or to recover some system files). Fortunately, Debian's .deb files need no special tools to be unpacked, they are simple 'ar' archives containing two files: data.tar.gz and control.tar.gz. Here are some examples: Using dpkg to unpack the contents of a .deb file to an arbitrary directory: $ dpkg -x package.deb /tmp/package Using 'ar' to unpack the data tarball: $ ar x package.deb data.tar.gz Using 'ar' to unpack the control tarball: $ ar x package.deb control.tar.gz Please Note:   If you're not careful when upgrading/downgrading the gnu libc package on your system, you'll most probably loose the /sbin/ldconfig command, and most of the things you try to do will fail for that reason. If that's why you are reading this, then one solution is to unpack the libc6 package manually and copy the ldconfig command back in place; the other thing you can do is to create an empty ldconfig, which would simply return success: # echo "#!/bin/sh" > /sbin/ldconfig > 5.18. Checking the MD5 sums of installed Debian packages It is often useful to verify the files on your system, either to detect unauthorized modifications or just to find out which files you once modifed and then forgot about them. # apt-get install debsums > 5.19. Shared sessions Terminal sessions shared by more than one concurrent user can be very useful. On a few occasions, I was asked to remotely tune machines (such as sound card drivers or XFree86 support), and the other party wanted to keep a complete track of my actions (for educational and controlling purposes). It is possible to achieve that effect by using either screen or ttysnoop. 5.19.1. screen Using screen to make shared sessions is very easy, but it requires both parties to cooperate (so you must trust the other end) and involves shared account passwords (which is a bad thing if it becomes your habbit). All one must do is to login as say, 'username1' (ssh -l username1 localhost) and run 'screen', then wait for the other party to log on to the system (under the same username, of course) and run 'screen -x'. (This tip was provided by electr0n@OPN). 5.19.2. ttysnoop ttysnoop is a trivial but very convenient tool that can be used to share, monitor or control user terminals. Enabling ttysnoop on your machine is dangerous; it could violate your security policy or leave the system in an unusable state if not done properly. The ttysnoop itself doesn't need any special setup (except the /etc/snooptab file maybe) if both parties cooperate (one starts the ttysnoops server, and the other starts the ttysnoop client). However, installing it so that the ttysnoops gets started during the login does require a few changes in the system configuration files. We will show here how to replace the system's login binary with ttysnoops and how to enable it for ssh connections. The procedure is delicate, as we said already, so we will comment each line you are about to execute in your shell. Caution   The /bin/login file, an important part of every Unix system, will get modified. This means that all applications which use /bin/login will be affected; in other words, it would become possible for users who posess the root password to completely monitor and control those character data streams (with the root password they could do it anyway, but not *so* easily). You shouldn't notice any visual changes, but please understand that the ttysnoop server will hook itself between the login program and the user (/dev/ttyp*). If you want specific services not to use the snooped /bin/login, instruct them to use /bin/login.real as the login program (that's exactly what we will do with the system getty). # dpkg-divert --divert /bin/login.real --add /bin/login # mv /bin/login /bin/login.real # echo "* socket login /bin/login.real" > /etc/snooptab # cp /etc/inittab /etc/inittab.valid # perl -p -i,orig -e 's#getty#getty -l /bin/login.real#g' /etc/inittab # ln -sf /usr/sbin/ttysnoops /bin/login # init q # echo "UseLogin yes" >> /etc/ssh/sshd_config # /etc/init.d/ssh restart We already described the dpkg-divert command above. It "diverts" the file /bin/login to /bin/login.real, meaning that new packages which contain /bin/login file will unpack it to a different location, /bin/login.real. To undo this step, use dpkg-divert --remove /bin/login. Move /bin/login to /bin/login.real. The system login will be corrupted till step 6, when we re-create the /bin/login file. To undo this step, use mv /bin/login.real /bin/login. Create the /etc/snooptab file, which contains a single rule "* socket login /bin/login.real". See man ttysnoop(8) for details. Create a copy of the /etc/inittab file in /etc/inittab.valid. This is important; if anything bad happens to /etc/inittab you could end up with an unusable system, so having a valid copy lying around is encouraged (also leave one shell opened, so that you can put the valid file back in place even if you break system login). Using Perl, edit the file /etc/inittab in-place, and replace every occurence of 'getty' with 'getty -l /bin/login.real'. The copy of the original file is saved in /etc/inittab,orig. *Never* run this command twice before putting the ,orig file back first (or you'll end up with something like 'getty -l /bin/login.real -l /bin/login.real'). In case of trouble, copy the .valid file from the previous step onto /etc/inittab. Also, note that we use 'getty -l' (where -l is smallcaps -L, not the number -1). We re-create the /bin/login, making it a symbolic link to /usr/sbin/ttysnoops, the ttysnoop server. Reload the init process, which re-reads the /etc/inittab file. If you made a mistake in some of the previous steps, your local consoles probably won't work anymore; that's why we suggested to leave one shell open and have a copy of the original /etc/inittab. If you decide to put the old inittab back, don't forget to move the login.real file back too and remove the divert. We append 'UseLogin yes' to the end of the sshd configuration file. We restart the sshd daemon. Warning   Enabling ttysnoop on your machine is dangerous; it could violate your security policy or leave the system in an unusable state if not done properly. For example, if you loose the ability to start X as a regular system user, chances are you did not make getty use the original login program so either fix that, or run dpkg-reconfigure xserver-common and allow anyone to run X server (a bad thing to do). You can test the setup locally (but the same idea applies to remote logins, of course): ssh to your localhost (execute: ssh 127.0.0.1 or ssh 0, which works on Linux only) switch to another virtual console (or X terminal) and login as root. Find out the correct tty device (ttyp*) for our snoop target: # w | grep ttyp myuser ttyp0 - 4:20am 3.00s 0.05s 0.02s -bash invoke the ttysnoop to hook to /dev/ttyp0: $ /usr/sbin/ttysnoop ttyp0 type in root password (to authenticate with ttysnoops) and enjoy your shared view ;p When letting people log in remotely to your machine, ssh is strongly-preferred way to connect. Do not even bother with telnet (which is an unencrypted and insecure service). If you have special needs or demand telnet anyway, check out working configurations from the sample /etc/snooptab files. 5.20. Runlevels and system services 5.20.1. System boot and the init process This is a very interesting and important part of every Unix system. In most common scenarios, you have LILO installed as the bootloader. LILO (the LInux LOader) accepts parameters on the command line, but Debian has been configured (in default configuration) not to show the LILO boot prompt. To make it appear, hold the Alt key at the 'LILO' message (during boot, just before you see the 'Loading linux ....' message) and you'll be able to pass arbitrary parameters to kernel. You can type anything there, and it will later be visible in the /proc/cmdline file. After the kernel gets loaded, it starts 'init' as the first system process. Init executes the tasks defined in the /etc/rcS.d directory. Init then enters default runlevel 2 (other Linux distributions mostly use runlevel 3 as the default) and executes the tasks defined in the /etc/rc2.d/ directory. Init directories consist of symbolic links to files in /etc/init.d/; here's an example: $ ls -la /etc/rc2.d/ | cut -b 57- ... S20net-acct -> ../init.d/net-acct S20openldapd -> ../init.d/openldapd S20postgresql -> ../init.d/postgresql ... The 'S' prefix starts a service, while 'K' stops it (for the given runlevel). The numbers determine the order in which the scripts are run