linux magazine uk 27


Transcript of linux magazine uk 27


3 www.linux-magazine.com February 2003

COMMENT Welcome

Dear Linux Magazine Reader,

Ticking Boxes

While waiting for a new distribution to install over Christmas, I passed the time reading a recent survey. Exciting stuff about the Total Cost of Ownership of different servers. Why am I sharing this nugget of information with you when you have enough spam mail and post to read yourself?

Well, the survey is about Linux servers and was completed by a reputable company called IDC. The report compares differing types of servers from small webservers to file and print servers over a five year period.

The conclusion was that Microsoft Windows 2000 was cheaper in every case except web serving, where the cost was marginal. The reason for the expensive Linux option was the support costs, where Linux engineers are more expensive. The survey was based on 104 large US companies and was conducted by telephone interviews.

A very clever survey only spoiled by the fact that it was sponsored by Microsoft. No matter how you dress up the figures, the licensing cost for Microsoft is an ongoing charge. A Sun manager came out almost straight away saying that the figures for training under Linux were not quite what the survey proposed.

Either way, I started to think about Linux training and certification. Linux is getting more press each day, more companies are turning to it. This in turn is leading to more jobs that require Linux skills. The problem is how do you, as an employer, sort out the wheat from the chaff? How, as an employee, do you ensure your skills are recognized?

LPI and RHCE certification may be the answer as both require some knowledge, but I am sure sometime this year we will suddenly see an influx of support engineers adding Linux to the usual list of qualifications. Courses are important as they do help you gain knowledge and I would always recommend one if you can possibly do it. Anything in the quest for knowledge.

My heart tells me that Linux is more than just another qualification to list. The desire to learn, play and explore Linux is not easily quantifiable. The time we have been using Linux does not matter as many of those new to Linux are just as knowledgeable and practical skills are gained through exploration. The distribution used does not count as eventually all the distributions start to merge and become similar. The differences standing out in your mind like smiles on friends’ faces.

I am left with the feeling that Linux will become just another thing to tick on a CV for most and only the real enthusiasts will care. It will become easy to bluff during an interview where the employer does not have the time to do all the background study.

Who do you give the job to? Someone with a string of qualifications who lists five years Debian experience or the self-proclaimed newbie who has been through ten distros in the last six months, but prefers the command line?

On a recent mailing list, a system admin asked a lot of simple questions. This caused the group to split into those who thought that asking questions was a good thing and those who thought anyone advertising themselves as an admin should have thought about the problem before firing off mail questions to more than one list. We should be encouraging the questions, but we also must prompt them to read around the subject as well.

Long live the quest for knowledge…

Happy Hacking,

John Southern
Editor

We pride ourselves on the origins of our publication, which come from the early days of the Linux revolution. Our sister publication in Germany, founded in 1994, was the first Linux magazine in Europe. Since then, our network and expertise has grown and expanded with the Linux community around the world. As a reader of Linux Magazine, you are joining an information network that is dedicated to distributing knowledge and technical expertise. We’re not simply reporting on the Linux and Open Source movement, we’re part of it.

World News

This month we have added a new section to the magazine: The World News pages are aimed at showing just how much Linux has become a global phenomenon. The news items will show how Linux is solving problems from many different perspectives.

We may find that what occurs in one distant country has great relevance to us and either the encouragement or techniques used could help us to find our own solution to IT problems.


44 SuSE Openexchange Server
It’s “Seconds out and round four” for the SuSE E-Mail Server. The SuSE Openexchange Server will surely get admins thinking about whether they can completely replace Microsoft’s Groupware solution. It is based on the new UnitedLinux and provides for a quick and simple YaST based setup controlling Comfire.

52 fstab
The file system table (fstab) contains information on the partitions and volumes that need to be inserted into the directory tree on starting up the system. The table allows the administrator to configure and enhance the security of a multi-user system by applying various options.


NEWS
6 Software
9 Business
12 World
   Get that international feeling with Linux World News.
14 Insecurity
16 Kernel
   Zack’s news roundup from the kernel developers.
18 Letters

COVER STORY
19 Security Intro
   Is your data valuable? Is it worth protecting?
20 SE Linux
28 Systrace
   Protect your system by placing it in a tightly locked jail of legitimate system calls.
32 VServer
   Multiple servers coexisting on a single computer.
36 RSBAC
   Rule Set Based Access Control security offers protection.

REVIEWS
42 Graphical Games
   The latest in graphical games for your entertainment.
44 SuSE Openexchange Server
46 Caché 5
   Object-oriented database review.

KNOW HOW
48 Initialization
   What are the processes running as your system boots?
52 fstab
55 XEmacs
   Why launch an extra mail program? XEmacs can cope.

20 SE Linux
Sophisticated access controls are fundamental to a secure Linux environment. SE Linux, developed by the National Security Agency and released under the GPL, is a complex system that allows admins granular control over privileges. We look at the basics and practical applications.


70 Driving Data
When we start writing a piece of software, we usually use data that’s been hard-coded into the system. In this article we look at how to move away from primitive, hard-coded data and learn how to resource and handle external assets. We make the code data-driven.

88 WaveTools
MP3 files are all the rage, so why bother with wav files? The fact is, every MP3 boils down to a wave descriptor of some kind and waves are universal. This article shows you the kind of antics that you can get up to with wav files and the WaveTools utility.

61 Diskless Clients
Linux-based diskless clients offer the same potential as fully-fledged traditional workstations, but with far lower hardware expense, less noise, and less administrative effort involved. We provide the know-how and introduce the programs you need to run Linux Diskless Clients.


SYSADMIN
60 Charly’s column
   Real System Admin tips and tricks to help you.
61 Diskless Clients
68 User tools
   Command line control for adding, deleting and modifying user accounts under Linux.

PROGRAMMING
70 Driving Data
76 Automated tools
   Peer review remains the best method of ensuring quality code. Automated tools can also be employed. In this article we look at such a tool, and show how it can be used to improve your code.

LINUX USER
82 KTools: Controlling users
   KDE system tools to help you get to grips with user administration, runlevels and hard disk storage.
84 DeskTOPia: Snow and Fire
   Bring some of the seasonal flair to your desktop.
86 Out of the Box: Watching the watcher
   Every Linux system writes logfiles, but who really looks at them on a regular basis? Keep track of critical events.
88 WaveTools

COMMUNITY
91 Linux Bangalore 2002
   A report from the recent Indian conference.
92 Brave GNU World
   Giving a new perspective on the GNU world.
94 The User Group Pages

SERVICE
96 Events / Advertiser Index / Call for Papers
97 Subscription CD
98 Next Month / Contact Info


Software News


■ KDE 3.1 release delayed – showstopper bug found

If you are a keen KDE user and have been following the predicted timelines set, then many of you would have been expecting to have had the chance to play with what should have been the latest release of the KDE desktop environment.

It was hoped that the latest KDE release would have been launched mid-December 2002. Initially, a single incident of a bug was reported, but this proved to be more widespread, with similar incidents of this problem appearing throughout the code.

The call to halt the version release came just days before it was due to be distributed, when it became apparent that the bug had worked its way into many other parts of the code and, unfortunately, became a showstopper.

While the code could have been combed through in about a week, this would have put the launch much too close to the holiday season so the development team reached the pragmatic view to hold off until 8th January.

If you are still a keen KDE user, then the excitement can start all over again, because the new release date for version 3.1 should be just a few days after you read this. Fingers crossed.

http://www.kde.org/info/3.1.html

■ EiffelStudio for Business development software

Eiffel may not be the most common programming language in use today, but the continued development of EiffelStudio, which has just hit version 5.2, means people must be using it. Efficiency in use is Eiffel’s claim to fame and for some it is now the language of choice when developing business-oriented applications for the small to medium size company. This efficiency is made more apparent when you have consideration for the development of multiple platforms, which are also business critical.

This latest release leaves the Linux developer with a faster compiler. The GUI, having been redesigned, now reflects Eiffel’s cross-platform nature and aids developers in the creation of applications that will work in an identical fashion even though they are running on different platforms, be it a Unix, Windows or embedded system. Continued tweaking has made improvements to the debugging system and now the developer has the opportunity to call upon external tools from within EiffelStudio.

Those that have yet to try Eiffel are invited to download a Free Edition of this IDE from the web site.

http://www.eiffel.com/

■ Box of delights for Java developers

Java developers are, on one hand, lucky to have so many development tools and resources at their disposal. The other hand weighs heavy though, with the need to install and configure all of these packages to figure out which one is most capable of handling the task you require. If only someone could package them all up into one development distribution to take this misery away.

Yes, you’ve guessed it, that is exactly what EJB solutions has done with their Out-of-the-Box product, which will automatically install over 50 Open Source packages, sensibly configured so they are ready to run in a matter of minutes. You also get QuickStart project guides and samples of Java applications, complete with source code. This would also make for a useful system on which to learn more about programming with projects like JBoss, Tomcat or MySQL.

While EJB does offer a free to download community edition just for Linux users, the keener or more professionally based of you will probably want to take one of the chargeable packages, which start from just US $19.95 (£12.75 or Euro 19.75 approx.)

http://www.ejbsolutions.com/

■ RealNetworks community initiative

Helix is a community of independent developers who are being given a huge helping hand from RealNetworks, makers of RealPlayer, which comes with most boxed sets of Linux. This community is looking to develop an open platform for the delivery of digital media, such as the streaming of audio and video.

RealNetworks has handed over more code, this time for their ‘DNA Producer’ package, to the community to further help in this goal. Back in October 2002, they released the ‘DNA Client’ software.

This initial release has made a real impact on the community project. Now, more than 5,000 developers have registered with the Helix project. Many hands make light work.

http://www.helixcommunity.org
http://www.realnetworks.com/


■ ISO-compliant database management

ThinkSQL is a relational database management system designed for modern hardware and an equally modern OS, like Linux.

The developer’s aim is to make ThinkSQL as fully compliant to the ISO SQL standard as practically possible, and their most recent beta version release, which is free to download from the link below, takes us all one step closer to this ideal situation.

The current features for version 0.4.09, which is still a beta, include Native APIs for Open Standards, ODBC protocols, as you would expect, but also have built in support for Borland’s Delphi and Kylix.

The multi-threaded server has support for server-side cursors with hold and return options.

http://www.thinksql.co.uk/

■ Desktop Linux advances

December saw the release of updated versions of ShaoLin Aptus, a simplified Linux workstation deployment and management solution, which comes in three flavors.

ShaoLin Aptus 2.0 Small Business is designed for the small to medium sized enterprise where ease of Linux deployment is paramount.

A remote bootup system means that client systems can be configured and managed with just a few mouse clicks from a central control.

The Professional version builds on the Small Business version and now includes the necessary scalability required of an enterprise system.

The Schools version adds to this yet again, incorporating a Workstation Booking system. It is this which will allow a school to maximize the use of their machines by allowing control of the amount of time a particular user has access to a machine. Where machines are scarce, the last thing anyone needs is someone hogging resources.

This functionality is applied to the user’s Linux distribution of choice. ShaoLin Aptus has full support and integration with versions of Linux from Red Hat, Mandrake, SuSE and UnitedLinux systems.

http://www.shaolinmicro.com/

■ FOSDEM meeting in February

While it is so very important for vendors to meet customers at such events like the LinuxWorld Expo to be held in New York this month, the value of bringing developers together is more so. FOSDEM, the Free Open Source Developers European Meeting, is one of the most successful events to do just this, with its 3rd meeting being held in Brussels over a busy weekend of February 8–9 2003.

Though it is described as a European meeting, many developers from the world over will make the effort to attend. Last year, just to pick two names out at random, David Wheeler came from North America to tell packed halls about secure Linux programming, while Miguel de Icaza came from South America to tell us more about Ximian and development tools and libraries like Bonobo and Mono.

Speakers are still being confirmed, so full details are not yet available as we write, but we can say, for those that have a passion for databases and database design, Ann Harrison will be along to give details of the Firebird project and David Axmark will talk about MySQL.

So much needs to be crammed into the two days that many of the lectures run simultaneously, so subject themes have had to be set up to try and maximize what people can get to.

This year’s FOSDEM lecture themes will concentrate on the development of Open Source software for the Desktop, Education, Multimedia and Toolkit Software, as well as the previously-mentioned database development.

In previous years the nature of the event has been pretty much a lecture-style event; it looks as if the organizers are keen to add to this for this year, and include a stream of practical tutorial events following on from last year’s GnomeMeeting demonstration.

If this has sparked some interest, do not forget to contact your local Linux User Group; many of these will be arranging group bookings, so considerable savings could be made on both the travel and accommodation.

http://www.fosdem.org/

■ The Linux Test Project

Everybody wants stable, reliable and robust Linux distributions. They also want similar featured packages to go with them.

With so much development going ahead in the world of Linux, proving just this has become a headache. Where there is a hole, you can expect some Open Source project to fill it, and so it is with the Linux Test Project.

In joint partnership with SGI, IBM and the Open Standards Development Labs, this project is developing test suites to put the Linux kernel and closely tied applications under close scrutiny, to show that those main tenets hold true.

The goal is to automate as much of this testing process as possible. In doing so, it is hoped to speed the process up and to minimize errors.

Being Open Source, obviously there is an encouraging welcome to the Linux community to run these tests for themselves and to look at, and possibly improve upon, the testing suite.

Recent additions to the suite of tests take a closer look at sigset() and sigaction() interactions and bring improvements to the scheduling tests.

http://ltp.sourceforge.net/


Business News

■ LinuxWorld Conference & Expo 2003

January 21st 2003 will see the opening of the 5th LinuxWorld Conference & Expo, to be held in the USA. The location is New York City.

One of the main advantages of bringing together hardware and software vendors with their customer and user base is that it allows for that all-important exchange of ideas that helps drive the industry onwards.

The opening featured keynote speech is due from Hector Ruiz, president and CEO of AMD, a company that sees much virtue in competition:

“Together, AMD and the Open Source community are helping to offer new possibilities in 64-bit computing that give businesses and governments alike technology choices they have never had,” he said at a recent press announcement, highlighting the closeness that the open source community can bring, thanks in part to gatherings such as this.

In addition, Steven A Mills, the Senior Vice President of IBM, and Randy Mott, senior VP and CIO of Dell Computers, will also give keynote speeches to highlight how vendors see Linux developments both now and in the future.

LinuxWorld also aims to show how vendors see these important developments and progressions affecting their IT industry world and how the real world will be affected by that in turn. Linux still has strong growth, especially when compared to other IT sectors, and the continuing strength of shows like this serves to illustrate this both to those in the industry as well as those outside.

Having an event with such a concentrated and exclusively-focused view on Linux and Open Source gives rise to a synergy where business decision makers will be able to gain more than just information and development of resources and contacts; they will also get to feel that they will be involved in changing future events and not just reacting to them.

http://events.linuxworldexpo.com/

■ Open Standards encourage data sharing

Recent research by Borland, partly in preparation for its European conference, has highlighted the growth of companies who are now beginning to understand the value to others and themselves for sharing company data, and doing so by using simple and convenient Open Standards for the exchange. It also became apparent that many of these companies were also keen to exchange various types of data through quite specific Web Services.

More than half of the companies that took part are actively developing Web Services based on Java Enterprise Edition platforms reinforced by the valuable use of Open Standards, which only goes to make the lives of everyone more straightforward.

The growing use of Open Standards allows easier communication between companies, and because of the development of this infrastructure, it will follow on that the maximum use of a much untapped source of business potential can be realized, so that where information needs to be shared, it can be.

http://www.borland.com

■ StarOffice Bundle of Sony joy

In a pan-European deal which includes Germany, France and the United Kingdom, Sony Information Technology Europe has signed a deal with Sun Microsystems regarding the StarOffice 6.0 office productivity package.

This puts Sun Microsystems in a very interesting position with their efforts to reach out to the IT sector with their affordable Open Standards productivity suite, because Sony has an ever growing worldwide PC market of desktop Vaio systems, with some industry reports suggesting that they are as high as 8th position on the market leader board.

This pan-European initiative fits well with its global position, for StarOffice 6.0 is also available in New Zealand and Australia with Hyundai machines and is available as part of a bundle with various Linux distributions like Lindows, TurboLinux, SuSE and Mandrake for the rest of the world.

The deal will help reduce the dominance that Microsoft has gained.

http://www.sun.com/staroffice/
http://www.sel.sony.com/sel/


■ Java-based retail solutions with UnitedLinux

Benefit Retail Solutions has released its ECS retail package. This solution has been specifically designed to provide precise inventory control in businesses that are split over many sites, most commonly retail chain stores.

Once again, the factors of stability and reliability are expressed as leading reasons for choosing a Linux-based solution, and the chance to lower the total cost of ownership for any software system a business is looking to install.

Tight stock control allows businesses to work with tighter margins and reduce unnecessary expense of surplus warehousing, which, in turn, has a positive effect on purchase order and stock processing.

Something that is usually considered a triple win for businesses that can get it right. Even though the ECS software is platform independent, Benefit Retail Solutions has worked closely with SCO, developing their product for SCO Linux version 4.0. This now ties nicely in with the new line of UnitedLinux distributions as well.

“We have been evaluating the move to Linux for a while now and the recent launch and industry momentum of UnitedLinux has made it an even more attractive proposition for our customers,” says Stuart Kay, the Business Development Manager of Benefit Retail Solutions.

“Having looked at the different solutions available, we found that the quality, performance and support offered by SCO Linux was unsurpassed, making it the obvious choice for us to work with.”

http://www.sco.com/
http://www.unitedlinux.com/

■ Carrier Grade communications for Red Hat

Red Hat has set down plans to incorporate the needs of carrier grade telecommunication applications into its Linux Advanced Server product, aiming for a release date around mid-2003.

Working with the Open Source Development Labs Carrier Grade Linux Working Group support, Red Hat is aware of what additional features need to be included to make the product viable. This includes improvements to the portability and performance features as well as POSIX threading and a further effort for additional high availability clustering capabilities.

The Red Hat Linux Advanced Server already has stability under its belt, which is one of the main criteria when catering for services which supply voice, data and wireless needs in today’s ever demanding technology-driven world.

It is Linux’s continued ability to reduce the total cost of ownership that makes it such an interesting and viable proposition for service providers, especially for those that are using Intel hardware for their main telecommunications infrastructure.

The demands put upon a system are quite unique for this type of technology. Signalling servers, which form part of the telecommunications infrastructure, have very high demands, with requirements to deal with sub-millisecond real time events in very large numbers, maybe 10,000 or more.

http://www.redhat.com/
http://www.osdl.org/

[Figure: Carrier Grade Linux Architecture, showing the scope of the Carrier Grade Linux Working Group. Layers from top to bottom: Applications; Middleware Components (Java, CORBA, Databases, and solution-specific components to be defined by vendors); HA Application Interfaces and High Availability Components; Linux OS with Carrier Grade Enhancements (Standard Interfaces such as LSB and POSIX, High Availability Interfaces, Service Interfaces, Hardened Device Drivers, Co-Processor Interfaces, HW Configuration & Management Interfaces); HA Platform Interfaces; High Availability Hardware Platforms.]

■ Remember to backup

The value of making your backups regularly and securely cannot be highlighted enough. Up until now, there has not been a concerted effort, for an enterprise level infrastructure, to offer information about the hardware issues involved in producing tape backup.

The TOLIS Group has taken it upon themselves to produce the Linux Tape Device Certification program where they have taken a broad range of tape backup devices from a range of manufacturers like HP, Seagate and Tandberg Data, and tested them for compatibility and compliance.

The TOLIS Group develops their own data backup and recovery software, but they are making this information more generally available to the Linux community, setting up a site just for this purpose.

http://www.linuxtapecert.org/

■ Red Hat Technical Workstation

It has been discussed for some time now, but this could be the first concerted effort for Red Hat to stake their claim on Linux desktop use.

This offering, which is due to be with us in the first quarter 2003, will see the deployment of a Technical Workstation, aimed squarely at the technical and experienced user.

It could be seen as a new option for those companies who seek an alternative to a Microsoft-dominated environment and reduce the total cost of ownership after changes in licensing models.

This Technical Workstation is designed for development and graphical applications, and so will help to provide enterprise development platforms which will be naturally at home with any Advanced Server products.

While it is recognized that this is a very tightly controlled area, the lessons learned from this closed environment will surely filter down and make way for more general desktop products, gradually being designed for a wider desktop audience.

As yet, no price structure has been announced for the product.

http://www.redhat.com


World News


linux.conf.au, formerly the Conferenceof Australian Linux Users (CALU),Australia’s annual Linux technical

conference, is coming to Perth, WesternAustralia in January 2003.

Big names have been billed includingAlan Cox, Telsa Gwynne, Hemos (from

■ Dutch Open Source Lobbywins in The Hague

In the Netherlands, the Lower House ofthe Dutch Parliament has recentlyaccepted a motion by the Groenlinksparty to use Open Source software andOpen Standards in government andstate-financed institutions.

In this, Groenlinks claims that thecurrent situation of having just a fewsoftware vendors “violates democraticprinciples of accessibility and trans-parency”. A first step in the rightdirection would be to make the use ofOpen Standards mandatory. Followingthat, the party insists on Open Sourcesoftware and copyleft as a means tomake the workings of the Dutchgovernment “more transparent, morecontrollable, and therefore more stableand more secure”.

The motion, aptly called “Softwareopen u” or “Open software”, a Dutchpun on “Open sesame”, is available onthe Groenlinks website. ■

http://www.groenlinks.nl/partij/2dekamer/publikaties/SoftwareOpenU!.htmhttp://www.groenlinks.nl/partij/2dekamer/publikaties/Softwarenota191102.pdf

■ Penguin help for Norwegian schools

By the end of 2004, 50 percent of allschools in the Middle Norwegian countySør-Trøndelag will use Linux. At leastthis is the aim of the recently foundedproject SPIST, a loose association ofLinux-in-school protagonists from theregional center Trondheim (which LinuxCounter ranks 2nd place in the list ofcities with more than 100 000 inhabi-tants) and the county’s 25 municipalities.

Key to the project is the (still beta) Skolelinux distribution (see LinuxMagazine No. 25, p. 90) for whichseveral local companies already provideprofessional support. One of the firsttasks is to find advisors for studentprojects helping schools with thedeployment process. ■

http://www.spist.no/http://www.skolelinux.no/

■ Indic language solutions

Over the past year, the attempt to find Indian-language computing solutions on the GNU/Linux front has made some impressive strides. Following campaigning by young sparks like Tapan Parikh, G Karunakar and team, the chance of getting “Indic language” solutions seems to have brightened. One problem is the lack of links between Indian initiatives and the international volunteer software efforts.

From font designers to GNOME developers, collaborators in distant parts of the globe have been voicing their interest in helping find solutions to India’s special challenges. These include multiple scripts, characters which often join each other, and a bewildering variety in the numbers and letters. ■

https://lists.sourceforge.net/lists/listinfo/indic-computing-users

■ Project guidance for Indian students

Techies from Mumbai, the commercial capital of India formerly called Bombay, are working to find new ways to promote Free Software projects among their students and thus increase the Indian contribution to Free and Open Source Software projects.

“We have plans to set up a groupware system that will enable the respective students to choose a project and be guided by any of the senior LUG members online,” says Trevor Warren, who fathered the idea of the new Project Resource Center together with Dr. Nagarjuna G (a prominent Mumbai-based advocate of Free Software) and the local Linux User Group.

The focus is not so much on bringing entirely new software projects into being, but on filling in the missing gaps in various projects such as those available on Freshmeat.net, Sourceforge.net, or in the GNU Hurd kernel. Those interested are invited to join the Free Software Projects mailing list. ■

http://mail.sarai.net/mailman/listinfo/prc

■ Linux Australia gets together

Slashdot) and Andrew Tridgell (who claims to have been present when Linus Torvalds got bitten by a penguin).

Over four days, from the 22nd to 25th January, the entire Linux spectrum will be covered, from GNOME to filesystems to teaching with Open Source, as well as the Linux kernel itself. In addition there will be “Birds of a Feather” meetings, tutorials, and ARQuake; all located at the beautiful University of Western Australia, on the edge of the Swan River.

This year’s linux.conf.au will also play host to the Debian mini-conf for the two days before the main conference, as well as numerous other mini-confs on subjects such as IPv6, education and Linux gaming. ■

http://www.linux.conf.au/


■ Conference on software patents in Belgium

Last November, the Green Party Group at the European Parliament organized a conference on software patents at the Parliament’s facilities in Brussels. Among the speakers were Richard Stallman, Brian Kahin of the University of Maryland, and Francois Pellegrini of the University of Bordeaux.

The conference was attended by a very large number of people and addressed the patent issue from different perspectives (legal, economic), followed by case studies and discussion.

Hope remains that some of the attending politicians gained an understanding of why software patents should not be allowed in Europe. The software patent workgroup of the “Foundation for a Free Information Infrastructure” (FFII) has more information. ■

http://swpat.ffii.org/
http://swpat.ffii.org/events/2002/europarl11/index.en.html#medi021126

■ Stallman and Gates in India

It happened quite by coincidence: In mid-November last year, Microsoft’s Bill Gates was visiting India around the same time as Free Software Foundation founder Richard M. Stallman. Gates poured money into India – with promises of a few hundred million dollars more.

It was the guru of free code, Stallman, who turned quite a few heads with his arguments. On the national TV channels, the media was interviewing both Gates and Stallman within hours of each other. The differences in their approach could not be more stark.

From talking to academics in Bangalore, to meeting businessmen and engineering college students in coastal Goa, to releasing his book and meeting with officials in Delhi, Stallman carried on determinedly, even if his visit was marked by limited funding and initially markedly less media interest. Coming after Stallman, Gates faced a number of tough and potentially embarrassing questions over his sudden emphasis on philanthropy in India, including funding for AIDS.

For a country squeezed by the high prices of proprietary software, and a limited ability to make its own software skills benefit the common man, Stallman’s message was clear.

Free software could encourage local businessmen rather than paying “huge sums to a few rich (global) businesses” for their products, he told industrialists and politicians.

Not surprisingly, segments of the Indian business press were also open to such perspectives. Stallman suggested that businesses and governments using GNU/Linux as a “bargaining chip” to get better deals from proprietary firms were “missing the point” about the critical freedom debate. ■

http://www.gnu.org/
http://www.microsoft.com/


Insecurity News


Security Posture of Major Distributions

Debian
  Info: www.debian.org/security/
  List: debian-security-announce
  Reference: DSA-… 1)
  Comment: Debian have integrated current security advisories on their web site. The advisories take the form of HTML pages with links to patches. The security page also contains a note on the mailing list.

Mandrake
  Info: www.mandrakesecure.net
  List: security-announce
  Reference: MDKSA-… 1)
  Comment: MandrakeSoft run a web site dedicated to security topics. Amongst other things the site contains security advisories and references to mailing lists. The advisories are HTML pages, but there are no links to the patches.

Red Hat
  Info: www.redhat.com/errata/
  List: www.redhat.com/mailing-lists/ (linux-security and redhat-announce-list)
  Reference: RHSA-… 1)
  Comment: Red Hat categorizes security advisories as Errata: under the Errata headline any and all issues for individual Red Hat Linux versions are grouped and discussed. The security advisories take the form of HTML pages with links to patches.

SCO
  Info: www.sco.com/support/security/
  List: www.sco.com/support/forums/announce.html
  Reference: CSSA-… 1)
  Comment: You can access the SCO security page via the support area. The advisories are provided in clear text format.

Slackware
  List: www.slackware.com/lists/ (slackware-security)
  Reference: slackware-security … 1)
  Comment: Slackware do not have their own security page, but do offer an archive of the Security mailing list.

SuSE
  Info: www.suse.de/uk/private/support/security/
  Patches: www.suse.de/uk/private/download/updates/
  List: suse-security-announce
  Reference: suse-security-announce … 1)
  Comment: There is a link to the security page on the homepage. The security page contains information on the mailing list and advisories in text format. Security patches for individual SuSE Linux versions are marked red on the general update page and comprise a short description of the patched vulnerability.

1) Security mails are available from all the above-mentioned distributions via the reference provided.


■ im

Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely.

The impwagent program creates a temporary directory in an insecure manner in /tmp, using predictable directory names without checking the return code of mkdir, so it is possible for a local user to seize the permissions of another user’s temporary directory.

The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user.

These problems have been fixed in version 141-18.1 for the current stable distribution (woody), in version 133-2.2 of the old stable distribution (potato) and in version 141-20 for the unstable distribution (sid). ■

Debian reference DSA-202-1 im
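The hardened counterpart of both bugs, as an added example that is not code from IM or the advisory (function names are assumptions): an unpredictable name chosen by the C library, atomic creation, and the return value actually checked.

```c
/* Added example, not code from the IM package or the Debian advisory.
 * Hardened counterpart of the two bugs described above:
 *   impwagent: predictable directory name in /tmp, mkdir() result unchecked
 *   immknmz:   predictable file name in /tmp, opened without O_EXCL
 * The fix is to let the C library pick an unpredictable name, create the
 * object atomically (mkdtemp/mkstemp, POSIX.1-2008) and check the result.
 * All function names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Build "<dir>/<prefix>-XXXXXX" into buf; -1 if it does not fit. */
static int tmp_template(char *buf, size_t len, const char *dir, const char *prefix)
{
    int n = snprintf(buf, len, "%s/%s-XXXXXX", dir, prefix);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create a private temporary directory below $TMPDIR (default /tmp).
 * mkdtemp() picks a random name, creates it with mode 0700 and fails if
 * the name already exists, so a pre-planted directory or symlink cannot
 * be taken over. The return value is checked, the step impwagent skipped. */
int make_private_tmpdir(char *path, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (tmp_template(path, len, base, "im") < 0)
        return -1;
    if (mkdtemp(path) == NULL) {      /* EEXIST after retries, EACCES, ... */
        path[0] = '\0';
        return -1;
    }
    return 0;
}

/* Defence in depth: confirm a temp directory really is ours before use.
 * lstat() rather than stat(), so a symlink planted at the path is caught. */
int verify_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))         /* symlink, regular file, fifo ... */
        return -1;
    if (st.st_uid != geteuid())       /* created by somebody else */
        return -1;
    if ((st.st_mode & 077) != 0)      /* group or others can reach inside */
        return -1;
    return 0;
}

/* Create a private temporary file inside dir. mkstemp() opens it with
 * O_CREAT|O_EXCL|O_RDWR and mode 0600, so an existing file or symlink at
 * the chosen name makes it fail instead of being followed and overwritten
 * (immknmz's problem). Returns the open descriptor or -1. */
int make_private_tmpfile(const char *dir, char *path, size_t len)
{
    if (tmp_template(path, len, dir, "file") < 0)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        path[0] = '\0';
    return fd;
}

/* Exercise the helpers end to end: 0 on success, a negative step number on
 * failure. Everything created is removed again. */
int private_tmp_demo(void)
{
    char dir[PATH_MAX], file[PATH_MAX];
    static const char msg[] = "constructed sample content\n";
    if (make_private_tmpdir(dir, sizeof dir) < 0)
        return -1;
    if (verify_private_dir(dir) < 0) {
        rmdir(dir);
        return -2;
    }
    int fd = make_private_tmpfile(dir, file, sizeof file);
    if (fd < 0) {
        rmdir(dir);
        return -3;
    }
    int rc = write(fd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1) ? 0 : -4;
    close(fd);
    unlink(file);
    rmdir(dir);
    return rc;
}
```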

■ smb2www

Robert Luberda found a security problem in smb2www, a Windows Network client that is accessible through a web browser. This could lead a remote attacker to execute arbitrary programs under the user id www-data on the host where smb2www is running.

This problem has been fixed in version 980804-16.1 for the current stable distribution (woody), in version 980804-8.1 of the old stable distribution (potato) and in version 980804-17 for the unstable distribution (sid). ■

Debian reference DSA-203-1 smb2www

■ kdelibs

The KDE team has discovered a vulnerability in the support for various network protocols via the KIO. The implementation of the rlogin and telnet protocols allows a carefully crafted URL in an HTML page, HTML email or other KIO-enabled application to execute arbitrary commands on the system using the victim’s account on the vulnerable computer system.

This problem has been fixed by disabling rlogin and telnet in version 2.2.2-13.woody.5 for the current stable distribution (woody). The old stable distribution (potato) is not affected since it doesn’t contain KDE. A correction for the package in the unstable distribution (sid) is not yet available. ■

Debian reference DSA-204-1 kdelibs

■ freeswan

Bindview discovered a problem in several IPSEC implementations that do not properly handle certain very short packets. IPSEC is a set of security extensions to IP which provide authentication and encryption. Free/SWan in Debian is affected by this and is said to cause a kernel panic.

This problem has been fixed in version 1.96-1.4 for the current stable distribution (woody) and in version 1.99-1 for the unstable distribution (sid). The old stable distribution (potato) does not contain Free/SWan packages. ■

Debian reference DSA-201-1 freeswan

■ kernel

The kernel in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 is vulnerable to a local denial of service attack. Updated packages are available which address this vulnerability, as well as bugs in several drivers.

The Linux kernel handles the basic functions of the operating system. A vulnerability in the Linux kernel has been discovered in which a non-root user can cause the machine to freeze. This kernel update addresses the vulnerability.

Note: This bug is specific to the x86 architecture kernels only, and does not affect ia64 or other architectures.

In addition, a bug in the maestro3 soundcard driver has been fixed as well as a bug in the xircom pcmcia network driver and the tg3 network driver for Broadcom gigabit ethernet chips. All users of Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 should upgrade to the errata packages.

Thanks go to Christopher Devine for reporting the vulnerability on bugtraq, and Petr Vandrovec for being the first to supply a fix to the community. ■

Red Hat reference RHSA-2002:262-07


■ samba

A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers.

A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. This attack would have to be crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.

This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem. ■

Mandrake reference MDKSA-2002:081

■ xinetd

Xinetd contains a denial-of-service (DoS) vulnerability. UPDATE 2002-12-02: Updated packages are available to fix issues encountered with the previous errata packages.

Xinetd is a secure replacement for inetd, the Internet services daemon.

Versions of Xinetd prior to 2.3.7 leak file descriptors for the signal pipe to services that are launched by xinetd. This could allow an attacker to execute a DoS attack via the pipe. The Common Vulnerabilities and Exposures project has assigned the name CAN-2002-0871 to this issue. Red Hat Linux 7.3 shipped with xinetd version 2.3.4 and is therefore vulnerable to this issue.

Thanks to Solar Designer for discovering this issue. ■

Red Hat reference RHSA-2002:196-19
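The descriptor leak and its close-on-exec fix, as an added example that is not xinetd’s code (function names are assumptions): a super-server’s private signal pipe is created with and without FD_CLOEXEC, and a spawned child is asked whether it can still write to it.

```c
/* Added example, not xinetd's code. A daemon's signal handler writes a byte
 * into an internal "signal pipe" so its select() loop notices the signal;
 * that pipe is private to the daemon. Without FD_CLOEXEC it survives
 * fork()+exec() into every service the daemon launches, which is the leak
 * the advisory describes for xinetd before 2.3.7. Function names are
 * hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create the signal pipe; with close_on_exec set, both ends get FD_CLOEXEC. */
int make_signal_pipe(int fds[2], int close_on_exec)
{
    if (pipe(fds) != 0)
        return -1;
    if (!close_on_exec)
        return 0;                      /* the leaky variant */
    for (int i = 0; i < 2; i++) {
        int flags = fcntl(fds[i], F_GETFD);
        if (flags < 0 || fcntl(fds[i], F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
    }
    return 0;
}

/* Spawn a child the way a super-server launches a service (fork + exec of
 * an unrelated program) and report whether that program can still write to
 * descriptor fd. Returns 1 (inherited), 0 (closed on exec), -1 (error). */
int fd_inherited_by_child(int fd)
{
    char cmd[64];
    /* stderr is silenced first so a "bad file descriptor" message stays quiet;
     * the redirection to fd fails, and the command exits non-zero, if it is closed */
    snprintf(cmd, sizeof cmd, "echo probe 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Build the pipe with or without the fix and check what an exec'd child sees.
 * The parent keeps the read end open meanwhile, so the child's write cannot
 * raise SIGPIPE. */
int signal_pipe_leak_demo(int close_on_exec)
{
    int fds[2];
    if (make_signal_pipe(fds, close_on_exec) < 0)
        return -1;
    int inherited = fd_inherited_by_child(fds[1]);
    close(fds[0]);
    close(fds[1]);
    return inherited;
}

int main(void)
{
    printf("without FD_CLOEXEC: child %s the pipe\n",
           signal_pipe_leak_demo(0) == 1 ? "inherits" : "cannot see");
    printf("with FD_CLOEXEC:    child %s the pipe\n",
           signal_pipe_leak_demo(1) == 1 ? "inherits" : "cannot see");
    return 0;
}
```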

■ kerberos

A remotely exploitable stack buffer overflow has been found in the Kerberos v4 compatibility administration daemon.

Kerberos is a network authentication system. A stack buffer overflow has been found in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4), which is part of the MIT krb5 distribution.

This vulnerability is present in version 1.2.6 and earlier of the MIT krb5 distribution and can be exploited to gain unauthorized root access to a KDC host.

The attacker does not need to authenticate to the daemon to successfully perform this attack. kadmind4 is included in the Kerberos packages in Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0, but by default is not enabled or used.

All users of Kerberos are advised to upgrade to the errata packages which contain a backported patch. ■

Red Hat reference RHSA-2002:242-06

■ OpenLDAP

The SuSE Security Team reviewed critical parts of the OpenLDAP package. SuSE found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various locally exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, we strongly recommend an update. Please download the update package for your distribution and install it, using the command “rpm -Fhv file.rpm”.

The packages are being offered to install from the SuSE maintenance web. To be sure the update takes effect you have to restart the LDAP server by executing the following command as the root user:

/etc/rc.d/ldap restart

SuSE reference SuSE-SA:2002:047

■ WindowMaker

Al Viro discovered a vulnerability in the WindowMaker window manager. A function used to load images, for example when configuring a new background image or previewing themes, contains a buffer overflow.

The function calculates the amount of memory necessary to load the image by doing some multiplication but does not check the results of this multiplication, which may not fit into the destination variable, resulting in a buffer overflow when the image is loaded. ■

Mandrake reference MDKSA-2002:085
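The unchecked multiplication beside an overflow-checked version, as an added example that is not WindowMaker’s own code (function names and the size cap are assumptions): the checked path refuses a header whose width × height × bytes-per-pixel cannot be represented, instead of allocating a wrapped-around, far too small buffer.

```c
/* Added example, not WindowMaker's code. An image loader computes
 * width * height * bytes_per_pixel and mallocs that much; if the product
 * wraps in a fixed-width variable the buffer is far too small and the
 * image data written into it overflows it. Function names hypothetical. */
#include <stdint.h>
#include <stdlib.h>

/* The advisory's pattern: the product is trusted without checking wrap-around. */
size_t unchecked_image_size(size_t width, size_t height, size_t bpp)
{
    return width * height * bpp;       /* silently wraps modulo SIZE_MAX + 1 */
}

/* Multiply two size_t values and report overflow instead of wrapping:
 * a * b fits if and only if b == 0 or a <= SIZE_MAX / b. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Returns 0 and the byte count, or -1 when the size cannot be represented
 * (or any dimension is zero, which no loadable image has). */
int checked_image_size(size_t width, size_t height, size_t bpp, size_t *out)
{
    size_t pixels;
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (mul_size(width, height, &pixels) < 0)
        return -1;
    return mul_size(pixels, bpp, out);
}

/* Allocate the pixel buffer only for a representable size, and also cap it
 * so a hostile header cannot request gigabytes. NULL means rejected. */
void *alloc_image_buffer(size_t width, size_t height, size_t bpp, size_t max_bytes)
{
    size_t bytes;
    if (checked_image_size(width, height, bpp, &bytes) < 0 || bytes > max_bytes)
        return NULL;
    return malloc(bytes);
}

/* Decide whether a header's dimensions may be loaded: 1 if a buffer was
 * obtainable (it is freed again here), 0 if the header was rejected. */
int image_header_accepted(size_t width, size_t height, size_t bpp, size_t max_bytes)
{
    void *buf = alloc_image_buffer(width, height, bpp, max_bytes);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}
```

With width set to SIZE_MAX / 2 + 1 and height 2, the unchecked product is exactly 0 on any word size, which is the kind of "too small" buffer the advisory describes; the checked version reports the overflow.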


Zack’s Kernel News


INFO

The Kernel Mailing List comprises the core of Linux development activities. Traffic volumes are immense and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls that take on this impossible task is Zack Brown. Our regular monthly column keeps you up to date on the latest discussions and decisions, selected and summarized by Zack. Zack has been publishing a weekly digest, the Kernel Traffic Mailing List, for several years now; reading just the digest is a time consuming task. Linux Magazine now provides you with the quintessence of Linux Kernel activities straight from the horse’s mouth.

■ Subversive

The BitKeeper version control system continues to make inroads into kernel development. The NUMA scheduler developers recently decided to adopt BitKeeper, as a way to more closely track kernel developments, and provide timely patches against the latest versions.

BitKeeper, a commercial product of the BitMover corporation, was adopted by Linus Torvalds for kernel development after a long struggle by the program’s author, Larry McVoy, to provide all the features needed by Linus.

None of the kernel developers are happy about relying on a commercial, closed source product for kernel development, but the absence of a free alternative that satisfies all needs makes it difficult to be too critical.

In the wake of Linus’ decision to use BitKeeper, a number of free version control systems have begun to receive massive support from the developer community. One of these, Subversion, seems to be the most promising, though it is still far from overtaking BitKeeper’s formidable feature set.

Subversion at the moment aims to be a replacement for CVS, the ubiquitous Concurrent Versioning System. Subversion already solves many of the problems that plagued CVS users, such as the inability to delete directories once they have been created, and the difficulty of renaming files.

One of the main advantages of the BitKeeper program over the Subversion project is the ability to merge two distinct repositories.

In Subversion, there is typically a single repository that acts as a server. Developers pull the directory from the server, make changes, and then push those changes back onto the server for other developers to see.

In BitKeeper, each developer has their own fully-fledged repository, which they can use without reference to a central server. When two developers on a single project wish to share their work, they simply merge their two monolithic repositories together. BitKeeper makes this a very easy proposition, but it will remain out of reach of the Subversion project for quite some time.

Folks who are interested in the ongoing development and in contributing to the Subversion project should go to the http://subversion.tigris.org/ website for more information. ■

■ Retro-computing

Linux development sometimes takes some wild twists and turns. In the not-too-distant past (2.5 was in full swing at the time), Linus Torvalds offered to let someone maintain the old 0.1 kernel tree, when that person found a bug with that version.

Now, at the moment of 2.5 feature-freeze, Carl-Daniel Hailfinger pointed out that somewhere along the way, the ancient XiaFS filesystem had been allowed to drop out of the kernel.

Would Linus accept patches to forward-port it into 2.5? Linus called this “an ironic form of retrocomputing,” that “gets high points on my ‘surreality meter’”. He said sure he’d take patches, and he’d even accept them after the feature freeze.

It turned out that Andries Brouwer managed to dig up a floppy disk with an XiaFS filesystem on it, which he imaged and sent over to Carl. ■

■ Hunting bugs

A Bugzilla bug-tracking system has been set up for the kernel. The primary goal is to help pave the way for a timely 2.6 (or 3.0) stable series. Such a system can potentially be quite useful for all stages of development. These sorts of auxiliary tools seem to be cropping up more and more in recent months.

Traditionally, Linus Torvalds has been reluctant to use anything more than a mailing list and an FTP site for patches, but in the past year we have seen the adoption of BitKeeper; a host of documents describing lists of maintainers, bug reports, status of features; and now at last, an actual bug tracking system.

The problem with any bug-tracking system, however, is that they require constant supervision, or else they become more trouble than they’re worth. The ability to track bugs is useful because it promises to keep records of the progress of debugging efforts, while preventing excessive duplication of bug reports. Duplicate reports can overrun the system unless constantly sifted and organized, and frivolous reports can likewise take up so much time that the value of the bug database is lost.

David S. Miller was one of the first to volunteer to maintain a portion of the bugzilla database, and turned out to be one of its most vocal critics. After a day or so of dealing with the system, he had found so many frivolous reports that he felt his time was being entirely wasted.

In typical free software fashion, various developers then proceeded to discuss different ways of improving the system, solving the various problems that had occurred, and ensuring that the database would remain usable and useful. By the end of the first wave of discussion, even David felt there was reason to be hopeful. ■


■ Changing time

The devfs filesystem has always been controversial. Richard Gooch, its author, maintained it for a long time before its inclusion in the official kernel tree. The intention of devfs was to replace the nightmarish /dev directory, which contained endless unused device files, with a saner interface containing only files corresponding to devices actually installed on the system.

The implementation has proved troubling for many developers. Behavior that had been standard for years was altered under devfs in ways that seemed arbitrary.

Even after its inclusion in the official sources, the quality of the devfs code has been harshly criticized. Alexander Viro in particular has complained of race conditions and other qualities that might make devfs dangerous to rely on. Shortly after the feature freeze, he examined the devfs code quite closely, and proposed a number of changes to its exported API, among other things.

The problem with altering an established API is that it breaks backward compatibility for existing programs that rely on those interfaces. Richard pointed this out, saying that any change in the devfs API, especially such far reaching changes as Alexander had proposed, would break compatibility between 2.4 and 2.5 kernels.

Other folks have been quick to point out that this compatibility has already been compromised in other ways, and so this further breakage might seem acceptable as well, in light of that. Richard did promise to examine Alexander’s suggestions. ■

■ Hard decisions

EVMS, the Enterprise Volume Management System, radically changed direction in November, after the feature freeze. When it became clear that Linus Torvalds would not accept their patch in time for 2.6 (or 3.0), the EVMS team decided to rethink their ability to maintain their patch.

EVMS consisted of a kernel module portion and a user-space portion. The module portion controlled devices, and allowed disks to be set up in seamless arrays, while the user-space portion controlled the arrays thus created.

For a long time there was controversy surrounding EVMS, because other kernel modules like the md driver offered much of the same functionality, while EVMS had a reputation for being particularly invasive, taking over functionality that many developers felt would be best left in other areas.

After much soul-searching, the EVMS team decided to ditch their own kernel module portion of development, and rework the user-space portion to interface with other existing kernel modules like the md driver. It was a difficult decision to make, because it involved not only extensive modifications to existing code, but also the complete abandonment of their kernel-based work.

Alan Cox, Alexander Viro, and others expressed their admiration at the EVMS team’s ability to make such a painful decision, that ultimately, they felt, would be the right thing. The team expects to have a good portion of functionality back by early 2003, with some of the more difficult features taking somewhat longer. ■

■ Crushing

A new compressed filesystem has hit the scene. Phillip Lougher announced the first public release of SquashFS.

SquashFS uses the zlib library to provide a high degree of compression in a read-only filesystem. It is not the only compressed filesystem out there. Cramfs and zisofs both provide read-only compression, and in fact, Phillip found his initial inspiration for SquashFS in the cramfs model.

Why a new filesystem, when there are others boasting similar features? Essentially, Phillip wanted to overcome various drawbacks in the other systems. In fact, SquashFS gives better compression than cramfs, can handle larger files and filesystems, and provides more inode information. Zisofs has more overhead than SquashFS, taking between 5% and 61% more space, depending on the directory structure being compressed.

It might have been possible for Phillip to pick one of those projects, and simply contribute his code and ideas to it, but one of the benefits of free software is that you do not have to stick with what has gone before.

Almost as soon as Phillip made his initial announcement, there were requests for a version of SquashFS that would also allow writing data back into the filesystem. Phillip was not averse to the idea, though he was quick to point out that there would be trade-offs involved. Uncompressing and recompressing the entire filesystem for each change would be prohibitively slow, while simply compressing modifications separately would achieve a lower compression rate. ■

■ Change of heart

One feature that Linus Torvalds has steadfastly resisted for years has been the inclusion of a kernel-based debugger.

While such a thing would allow developers to interrupt and step through running systems, examining state information and values of variables in memory, Linus has always felt that the proper way to debug kernel code was at the source level. His insistence that the source code itself be the primary place from which to analyze kernel behavior has irked many developers, who assert that an in-kernel debugger would in no way diminish the ability of anyone to examine the sources directly.

Linus has defended his position by an appeal to Darwinism: he wishes to breed out developers who are unable to do good work using only the sources and a decent testing environment. However, in November he showed signs that his position on this matter may have changed. He told developers that he would consider including a kernel-based debugger in his tree, if it would allow debugging a running system across a standard network, using standard networking hardware.

A number of top developers immediately began laying plans for the proper design to use. The upcoming stable series is unlikely to begin life with a kernel-based debugger, but I wouldn’t be surprised to see an incarnation going into the next developer series. ■


Write Access

Letters to the editor

■ AutoMake your files

Dear Linux Magazine,

I’ve been reading your Magazine for some time now, and while I agree with most of the articles and think they offer excellent value for the readers, there is one thing I want to point out in issue 25.

Pages 62–65 cover the use and creation of Makefiles. These are indeed a valuable and powerful tool when writing software in the hands of an experienced, or better, the ‘conscientious’ programmer.

Writing the Makefiles manually is feasible for small projects but for larger projects this becomes a serious effort to maintain these files manually. Furthermore, you’ll quickly find out that developers see this as a drain and do not maintain them properly.

In my experience, it pays much better to teach programmers the GNU autotools. If you are aware of these tools, you’ll know that these have the advantage of figuring out dependencies (build), checking the build environment, generating configuration headers, etc. These tools are based on M4 (cf. p40–43) and perl.

When these tools are used, you’ll be assured that all the typical make targets are created (esp. uninstall) and I have yet to come across the first software package from which it was not possible to create a deb (or rpm) package.

The largest problem seems to be that programmers are not aware of these tools and when inspecting software, they start looking at the (generated) Makefile, which obviously results in errors and frustration. As a result, I think it is important to make the users of Makefiles aware of a ‘better’ and more complete system that can be used, that requires much less effort to use and enables configuring your software at compile time in a straightforward way.

If you are interested, the introduction slides of the session we are using in our research group can be found on http://lesbos.esat.kuleuven.ac.be/~mleeman/downloads/athens-opensource-0.4.pdf (as well as on the subscriber CD). ■

Marc Leeman, Email

Figure 1: Marc Leeman’s introduction into AutoMake and other GNU tools

■ It’s time to grow up

Confidence in technology’s ability to deliver real value to the business is at an all-time low and if the IT industry is to regain credibility in the eyes of businesses then it has to start delivering on its promises.

While new technology will always be an alluring but immature child, the lessons of the last three years have taught us that it can no longer afford to act like an adolescent. There are thousands of medium-sized firms in the UK who have paid the highest price for the IT industry’s immature attitude to business needs.

They also form the backbone of our economy and represent the UK’s commercial influence in highly competitive global markets.

It is therefore critical to stop the rot and begin supporting them with technologies and services appropriate to their particular business needs to allow them to grow and meet the challenges of global commerce.

Vendors should concentrate on selling direct to enterprise customers and leave the resellers to interpret their technologies for medium-sized firms.

Users should see the channel as an invisible extension of their businesses. In turn, the channel must not abuse the trust of IT directors by paying lip service to their business needs while secretly targeting them as juicy prey. The channel needs to earn the trust and respect of IT Directors. Once earned, IT directors will benefit from freeing up valuable resources to concentrate on strategies to grow the business.

We must focus on the business, not the technology. If we can achieve this then the IT industry will have truly come of age. But if we fail, vendors will continue to underperform, the channel will shrink as customers hold back from all but the most essential of IT purchases, and the IT director’s job will cease to exist.

Most importantly, we will never win back the credibility of the investment community on which the future growth of the UK IT industry depends. ■

Yours sincerely,
Mark Simmonds
General Manager
Anix Group


Protecting Linux Against Attacks

Hardening!

Today’s computers are exposed to ingenious but vicious attacks, some of which are launched by local users. If protected by the appropriate patches and security tools, penguins can be a lot harder than the malevolent hacker might expect, and more importantly, they are survivors! BY ACHIM LEITNER

Many roads lead to Linux security, and thus the term “hardening” has a multitude of meanings. The aim remains clear – preventing intrusions and, if the worst should happen, at least mitigating the effects. This is a crucial part of the system administrator’s job. The security conscious administrator will ensure that any software installed is absolutely necessary, choose secure alternatives, be prudent with access rights, modify configurations, enable exhaustive logging and auditing, apply security updates quickly, and enforce policies for strong passwords. Bastille Linux is a big help when performing these tasks, and uses a GUI to step the administrator through all the tasks involved.

Preventing Exploits

Kernel patches that generically prevent exploits can provide protection from previously unknown security holes. The classic Openwall http://www.openwall.com/ product ensures that the processor will ignore any executable stack code, thus dooming many buffer overflow exploits to failure. Skillful crackers may still be able to cause damage, but at least the hurdles will be a lot higher. An Openwall port to the 2.4 kernel gave birth to GR Security. It uses the Pax patch and comprises an ACL system (Access Control List). In addition to kernel patches, special C compilers also provide protection from buffer overflows. Stack Guard http://immunix.org, a modified GCC, is one product that has managed to make a name for itself.

If you are unable to prevent an attack, at least you should be able to mitigate the effects. A chroot jail will lock processes in their own fenced off file system tree, but it provides little protection against a root exploit.

Compartments can help in this case: It takes the capabilities away from processes and thus prevents them from breaking out of their jail. VServer (see page 32) allows you to put whole, or multiple, Linux distributions in a jail, and run them simultaneously on a single machine. Systrace (page 28) does not need a virtual environment to be able to restrict the capabilities of individual applications to a minimum.

Access Control

Mandatory Access Control (MAC) allows the system administrator to specify permitted access from a central point. What the rule definitions contain will be defined by the on-site security model. SE Linux (page 20) implements the Flask architecture, and RSBAC (page 36) even provides a variety of models. We have previously looked at LIDS in Linux Magazine. Despite its name, the Linux Intrusion Detection System is basically a MAC system. Medusa DS9, and the new, but promising, Linsec are alternatives.

If you do not feel up to integrating these techniques yourself, you might like to use a hardened distribution. Owl is an offshoot of the Openwall project http://www.openwall.com/Owl/. Wirex develops and distributes Immunix System 7: This Red Hat derivative was compiled using StackGuard protection. Castle http://castle.altlinux.ru combines Mandrake Linux with RSBAC and the Openwall patches. And LIDS provides protection for Engarde Secure Linux http://www.engardelinux.org. The OSD group has developed a hardened distribution based on Red Hat and SE Linux http://www.securityenhancedlinux.com.

Kaladix http://www.kaladix.org is a project going through some changes and has altered its base platform from LFS (Linux from Scratch) to Gentoo. Kaladix is RSBAC hardened, contains buffer overflow protection, and implements a variety of security strategies. It promises to make a high level of security available to anyone interested in employing it. ■

Cover Story

SE Linux ....................................... 20
A secure Linux environment with granular admin control over privileges

Systrace ....................................... 28
Protect your system by placing it in a jail of legitimate system calls.

VServer ........................................ 32
Multiple servers coexisting peacefully on a single computer.

RSBAC .......................................... 36
Rule Set Based Access Control protection.

Page 18: linux magazine uk 27

SE Linux COVER STORY

Practical Applications for Security Enhanced Linux

Security Rules

Sophisticated access controls are fundamental to a secure Linux environment. SE Linux, which was developed by the National Security Agency (NSA) and released under GPL, is a complex system that allows the administrator granular control over privileges. This article looks into the background, basics, installation and practical applications.

BY CARSTEN GROHMANN, KONSTANTIN AGOUROS AND ACHIM LEITNER

Rumors about mathematicians who can break any conceivable code abound in various urban legends. But is IT security itself merely a myth? The National Security Agency (NSA) begs to differ on this issue, and has become actively involved in enhancing Linux security. One of the more notable results is Security Enhanced Linux (SE Linux), which started life as an experimental prototype [1].

SE Linux provides additional access control features for Linux. It uses policies to decide what parts of the system users will have access to – that is, what files a process running with the privileges of a specific account can access, or what network connections the process can open.

Non-privileged users cannot influence the policy, which is applied as a mandatory control by the admin user. SE Linux thus implements MAC (Mandatory Access Control, see insert “Important Terms”). However, granular security does impact the complexity of SE Linux.

To run a program securely on SE Linux, the admin user needs to know every file the process opens and every subroutine it calls. But the level of security the admin user can achieve makes it well worth the effort.

Practical Concepts – not only for Linux

The SE Linux security model was not originally designed for Linux. The NSA originally developed the architectural prototypes for the Mach kernel [13] in co-operation with Secure Computing [12] (of TIS Firewall Toolkit fame): DTMach (Distributed Trusted Mach) and DTOS (Distributed Trusted Operating System). The Linux port was first introduced when continued development led to the release of Flask (the Flux Advanced Security Kernel).

The Flask system’s task is to ensure data integrity and trustworthiness – in other words, it provides access controls. Where a normal Linux kernel might tend to allow root to do everything and non-privileged users to do nothing, Flask provides more granular security levels that apply both to file access privileges and to inter process communication and a whole range of additional features.

As is the case with other packages, SE Linux has only limited potential for compensating the weaknesses in protocols or applications, but it does help to mitigate their effect. The security server is the central element in the Flask architectural model and responsible for any security based decisions. The name is derived from the original Mach implementations where it used to be a userspace process, but on Linux the server runs as a kernel subsystem.

Object managers are the second Flask component. They manage security attributes, ensure appropriate bindings for the objects (files, processes, sockets ...) and enforce the decisions made by the security server. Object managers are well-known kernel subsystems, such as process managers, file systems, or sockets whose functionality has been enhanced.

Security decisions are reached by reference to so-called security contexts, which are basically a container for a group of security attributes. A context comprises the user ID, the user’s role, a type and an optional MLS (Multi Level Security) level. Only legal combinations that the security server recognizes are permitted.

Practical Abstraction

The individual components of a security context originate from the abstraction levels introduced by SE Linux. These levels simplify the task of coping with the complex reality of all possible types of access. Access control must specify the conditions under which each program is granted access to specific objects.

The first abstraction layer concerns users. The fact that SE Linux user administration is not based on the Linux user ID has several advantages, for example, the SE Linux user ID cannot

Photo: Peter Doeberl, visipix.com

be changed after logging on. To change their privileges users have to change either their role (an additional security attribute), or their type (the third attribute class).

To help the admin user keep track, despite the sheer bulk and complexity of the rules involved, multiple Linux users can be combined to form a single non-privileged user. The generic SE Linux user, “user_u”, is an example of this feature. In fact, the policy only needs to be customized for users who require more than the default privileges assigned to “user_u”.

On SE Linux the term “user” is normally applied to actual people with interactive access to the system, with “system_u” being the exception.

However, there is no need to add pseudo-users for specific processes, as the privileges assigned to these processes are defined by the individual type. Having said this, some programs still need to be run as their own user accounts – in fact, file system privileges, for which SE Linux does not provide an abstraction, require this. Separate user management means that both of these independent components must allow an action for it to succeed.

Freely definable roles provide the next layer of abstraction (RBAC, Role-Based Access Control). It is possible to run multiple processes and applications within the context of a single role. Roles are modelled on the tasks performed by a process or file. The sample configuration detailed in the following sections uses three roles: “system_r”, “sysadm_r”, and “user_r”. System processes run in the context of the “system_r” role, normal users are assigned “user_r”, and the “sysadm_r” role is provided for administrative users.

Forceful Types

Types provide an additional abstraction layer (TE, Type Enforcement); in fact whether access is allowed or denied will finally be decided by reference to the type. The rules define what types can access what other types. You may also discover references to domains, but the difference between domains and types is purely linguistic. Types that are bound to processes are referred to as domains, although no internal distinction is made.

SE Linux defines the type by reference to the role, and not by investigating the user ID or filename. And privileges are ascertained by the types assigned to a role. A user working in the context of the “user_r” role will not be able to load a kernel module, not even if she is root, but she will be allowed to load a kernel module when working in the context of the “sysadm_r” role, provided she is permitted to assume this role.

After issuing the “newrole” command to change your role and after completing authentication, a new process is launched for the new role. Of course this assumes that role changes are permissible on the current machine, and that the user is allowed to occupy both roles. As changing a domain is merely a specific way of changing a type, again a new process is required to change from one domain to another. The following conventions are recommended to help keep track of users, types, roles and domains:

• user: “_u”
• role: “_r”
• type or domain: “_t”

The “_u” suffix is not used for users of Linux systems, to help distinguish between the two models.

Enforcing Decisions

To allow practical applications, security attributes are combined to form a security context. The security context of a subject (a process) or an object (a file, socket, IPC object ...) comprises a

Important Terms

DAC: Discretionary Access Control (the typical Linux procedure) allows users to modify access privileges to their own objects at their own discretion. DAC commonly refers to user ID based access control. Whether or not an action is permitted is decided by evaluating the user ID of the subject and the object owner. There are only two types of users: normal users and superusers.

Domain: Security attribute of a process within the TE (Type Enforcement) model. SE Linux TE does not differentiate between types and domains. However, types that refer to subjects (that is, processes) are commonly referred to as domains.

Label: Symbolic descriptor for subjects and objects that allows SE Linux to reach a decision on whether to allow or deny access. A label contains the security attributes which are applied by a central policy. In the case of SE Linux the label resides within the security context.

MAC: Mandatory Access Control refers to a policy administrator defining access privileges centrally. Users and their processes are not allowed to edit the policy, which governs all access. Many definitions assume a special form of MLS for MAC, and thus refer to generic MAC as non-discretionary access control.

MLS: Multi Level Security assigns a security level to subjects and objects, in line with layers of security for important documents: confidential, secret, top secret. Only users with sufficient security clearance are allowed access to objects.

Object: Refers to any component accessed, such as files, directories or network sockets.

Permissions: Depend on the object type. For files they could be read, write, create, rename, or execute, for example – for processes possibly fork, ptrace, or signal.

PSID: The persistent SID is the permanent version of a security ID. A PSID is considered persistent when it survives after rebooting. It represents the binding between an object and its security context, as in the case of files, for example.

Policy: This set of rules defines who can access what, where and with what privileges.

RBAC: Role Based Access Control describes access control by means of roles. In SE Linux permissions derive from the types and domains associated with a role.

Role: Roles simplify user management. Users are assigned roles depending on the tasks they need to perform. Permissions are assigned to users via their roles; users can be assigned to roles independently.

Security Context: A combination of user ID, role and type. To retain compatibility with other security models, the security context is a text string whose content is parsed by the security server.

SID: The security ID is a number that points to a tangible security context. This binding is applied by the SE Linux security server at runtime.

Subject: Active component in a system, that is a process.

TE: Type enforcement defines access by domains (subject classes) to types (classes of objects), or other domains, by reference to an access matrix. SE Linux simplifies this model and also describes domains as types. The matrix defines permitted interactions between types.

Type: Security attribute of an object within the TE (type enforcement) model.

User: SE Linux user management is independent of the Linux user ID.

three-part colon-separated text string. Attributes are the user, the user’s role, and the type, for example “system_u:object_r:inetd_exec_t”.

The security server assigns a security context to each process. The security context comprises a set of rules, the parent process, and the user ID for the process. The rules must define what processes can spawn what child processes. This technique would stop a compromised sendmail process launching “/bin/tcsh”, for example.

In order to specify the security context, the rules assign a label to each object. The permissions are far more granular than the privileges usually assigned by Linux. In the case of files, for example, SE Linux distinguishes between read, write, create, rename, and execute permissions. Process permissions can allow or deny fork, ptrace, or signalling.

At runtime SE Linux does not always use an extensive string representation, instead assigning numbers (so-called SIDs, Security Identifiers) to represent the strings. These integers are only valid locally and temporarily; however, persistent SIDs (PSIDs) can be assigned to file system objects. Their security context binding is stored in the file system. One interesting idea that the developers of SE Linux are looking into [11] is the concept of binding SIDs to IPSEC security associations, thus allowing networked applications running on various SE Linux hosts to be run at the same security layer.

Before access occurs, the object manager sends the security contexts of both the subject and the object to the security server, which will make a rule-based decision. If a process attempts to access a file, the object manager registers the “open()” call and asks the security server to legitimize the attempt (see Figure 1). In contrast to normal Linux kernels, the manager will issue the same request for each write or read access. A normal kernel will only make this decision once on initial access. If the rights of the open file are changed, the process can continue reading – SE Linux would prevent this from happening.

The Access Vector Cache (AVC) is designed to prevent system performance from suffering under the load generated by requests of this type. The security server’s responses are stored in the cache, allowing faster processing of known requests. And this means that total performance is not noticeably affected by continual clearance requests. If the permissions defined in the SE Linux policy change, the security server marks any modified entries in the AVC as invalid. Figure 2 clarifies this type of access.

Each process is run in a protected context of its own. User ID “0” has no influence on this, unless the rules contain explicit instructions to the contrary. This allows you to confine processes and enable or disable system calls. You can also precisely define any files that the process will be allowed to read, write, or create. You can even remove any privileges that might be harmful to the system from processes that require more extensive privileges (in order to bind ports below 1024, for example). Even if an attacker attains root access, she will still be confined to the jail.

The SE Linux sources are covered by the GPL and can be downloaded from the NSA [1] and Sourceforge [3] websites. In our lab environment we installed the complete package [2] on a minimal SuSE 7.3 system. As SE Linux is based on Red Hat, some minimal changes are required before installing. Note that SE Linux currently supports the Ext 2, Ext 3, and ReiserFS file systems.

Installing SE Linux

Root privileges are required to install SE Linux. Expanding the archive will create the “lsm-2.4” subdirectory with the revised kernel, and “selinux” with the required programs and rules. The kernel comprises the LSM (Linux Security Modules) [4] patches, which add the hooks the kernel requires to implement SE Linux as a kernel module. The SuSE kernel does not support SE Linux, as the extensive modifications it contains prevent the admin user from installing the LSM and SE Linux patches. Unless otherwise designated, the new “selinux” subdirectory is used as the starting point for any subsequent steps. If you are in a hurry, you can place the whole installation in the capable hands of a makefile: “make quickinstall”. However, the more roundabout approach also has its points of interest. You will need a few tools for the installation; the “SuSE Packages for SE Linux” box gives details.

SuSE Packages for SE Linux

A number of tools are required to compile SE Linux. The tools are included in the following RPM packages for SuSE Linux 7.3:

• “d” series: bison, gettext, flex, pam_devel, openssl_devel, patch, slang (for scurses.h) and yacc
• “a” series: diffutils, ncurses (for libcurses), texinfo (for makeinfo), and util-linux (for more)
• “ap” series: sharutils

You may require additional packages depending on your own configuration.

Figure 1: When a subject attempts to access an object the object manager intervenes by consulting the security server and asking for confirmation that the access request is legitimate. [Diagram: Subject (process) – Access to object – Object Manager – Query privileges/permissions – Security Server (Security Policy: Decide) – Enforce policy – Object (file, socket)]

Figure 2: The security server’s decision to permit or deny access is cached as an access vector to accelerate the handling of this request in the future. [Diagram: Object Manager – Query privileges/permissions – Access Vector Cache (stores decision): answer from cache if answer in cache, otherwise pass on query – Security Server (Security Policy: Answer) – Enforce policy]

A few modifications to the LSM kernel are also required for SE Linux. The appropriate patches are located in the “selinux/module” subdirectory. Simply issue the “make insert” command here.

To write the kernel to “/boot” automatically you will need to uncomment the line containing “export INSTALL_PATH=/boot” – but again you can leave this step to a patch file.

An additional patch changes the kernel image filename to “/boot/vmlinuz-selinux”, thus retaining the original kernel, which is particularly useful while performing tests and for troubleshooting later. The last two patches referred to are available from [6]:

    cd ../lsm-2.4
    patch -p0 < ../kernel_install_path.diff
    patch -p0 < ../kernel_vmlinuz-selinux.diff

The new kernel still needs to be configured for the local machine, although you can use an existing “.config” as a reference point. SE Linux requires “Network Packet Filtering” from “Networking Options” and one or two “Security Options” (Figure 3). The “NSA SELinux Development Support” module is a big help when defining your own sets of rules. It launches SE Linux in permissive mode, instead of enforcing mode, which means that any actions that break the rules will not be prevented, but merely logged. The kernel is then generated with the following:

    make dep && make bzImage && make modules \
      && make modules_install && make bzlilo && make clean

The next step is to make the boot loader aware of the new kernel and its features. SE Linux automatically boots to permissive mode with development support, but you can set the boot option “enforcing=1” to change this.

It is usually a good idea to add two boot configurations to the existing configuration: the first entry should boot SE Linux with “enforcing=1” set. No additional parameters should be defined for the second entry, which should boot SE Linux in permissive mode. Enforcing mode should be the default to prevent security measures being disabled on rebooting.

Enabling or Disabling GUI Login

Before starting the installation procedure, you might like to check whether your machine boots to runlevel 3 (without GUI login). The display managers have not been adapted to reflect the new login pattern and will not work. Instead of editing your “/etc/inittab” you can simply add “append=3” to the SE Linux entries in “/etc/lilo.conf”, and then launch “lilo” to enable the newly modified configuration.

If you really need a GUI login, you can use a modified GDM for Red Hat, which is available from [3], or the KDM patch from [8]. You can easily launch X11 by typing “startx” to run KDE or Gnome on SE Linux, but unfortunately there are no rules for the desktop environments.

The SE Linux package has a number of modified userspace programs. Most of them are installed in the directory below “/usr/local/selinux”, exceptions being OpenSSH, login, the cron daemon, and such like.

Follow the normal make procedure, “make && make install”, in “selinux/module” and “selinux/libsecure”. Other tools will require two patches available from [6]:

    patch -p0 < utils_makefile_uselargefile.diff
    patch -p0 < utils_libncurses.diff

You cannot compile the sources on SuSE Linux without applying these patches. The “selinux/utils/Makefile” contains “./configure” commands for most tools, and you can also configure the options here. “make && make install” in the “utils” subdirectory will create and install these packages; this also applies to the setfiles tool in the “selinux/setfiles” subdirectory.

A Soft Landing Without Hard Links

You will need to remove one further obstacle before configuring SE Linux. “/etc/localtime” is a hard link (see also the “SE Linux Tips” insert), and this is something SE Linux cannot handle, as it means two different security entries pointing to the same inode.

    cd /etc
    cp localtime localtime.hl
    rm localtime
    mv localtime.hl localtime

To prevent “SuSEconfig” from redefining this hard link, you will need to set the “TIMEZONE="timezone"” entry in “/etc/rc.config” to “YAST_ASK”. SuSE 8.0 or newer stores this entry in “/etc/sysconfig/clock”. If the system uses other hard links, SE Linux will issue a warning when defining security contexts.

As almost all the files that influence SE Linux behavior are stored below

Figure 3: When defining a configuration with “make xconfig”, a few optional security modules need to be added to the kernel: “Capabilities Support” and “NSA SELinux Support” are mandatory and “Development Support” is useful.

    /home/[^/]*          -d  system_u:object_r:user_home_dir_t
    /var/run(/.*)            system_u:object_r:var_run_t
    /var/run/.*\.*pid        <<none>>

Listing 1: File Contexts

user will not be able to access the “/root” directory.

In practical applications, roles are used to permit or deny access to various programs. One example of this is the “insmod” program. The members of the “sysadm_r” role and the system itself are allowed to use the program, as both roles comprise the “insmod_t” domain (that is, type). In contrast, normal users with the “user_r” role assignment will not have permission. This prevents users with the “user_r” role assignment from loading kernel modules. Even if a user escalates her privileges to root (user ID 0), she will not be able to load any modules, unless she additionally has access to the “sysadm_r” role.

Security Contexts for Files and Processes

The files below “file_contexts” assign security contexts to file system entries. “types.fc” contains non-specific, program independent assignments, and application specific assignments are located below “program”. Taking a look at these files should help to shed some light on how SE Linux works (see Listing 1). Each line starts with a file system entry, which can easily be characterized by a regular expression. The “^” and “$” anchors at the start and end of the lines can be omitted as SE Linux will add these controlling characters automatically.

The file entry may be followed by a file type, which is supplied as a parameter with a minus sign prepended. “-d” represents a directory entry, and the rule will thus apply to directories only. Enter “--” instead, if the rule is meant for normal files only.

The security context is shown at the end of the line. It always includes the user, “system_u”, the role, “object_r”, and a corresponding type. Files created at SE Linux runtime are automatically assigned the user, role and type defined for the process that created them. To avoid creating a security context, you can also specify “<<none>>” at this point.

If a file matches multiple rules, SE Linux will apply the last line the file matches. The second line in Listing 1 matches all the file system entries below “/var/run” and assigns the “system_u:object_r:var_run_t” security context to them. The next line removes this assignment for any of the entries ending in “.pid”.

This just goes to show how important the order is: mixing up lines 2 and 3 would assign the security context to the PID files. Thus, entries must be arranged in ascending order of specificity. The wrong order will often produce unexpected results.
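The matching rules just described (automatic “^”/“$” anchors, the optional “-d”/“--” file type flag, “<<none>>” and last-match-wins) can be checked on the three lines of Listing 1 with this added example; it is not code from the article or from the SE Linux project, and the paths it looks up and the swapped-listing check are constructed for the demonstration.

```python
"""Added example (not from the article or SE Linux itself): apply
file_contexts rules the way the article describes them. Each line is a
regular expression (SE Linux adds the ^ and $ anchors itself), an optional
file-type flag (-d = directories only, -- = regular files only) and a
security context or <<none>>; the LAST matching line wins."""
import re
from typing import List, NamedTuple, Optional

# The three rules of Listing 1, exactly as printed in the article.
LISTING_1 = (
    r"/home/[^/]*          -d  system_u:object_r:user_home_dir_t" "\n"
    r"/var/run(/.*)            system_u:object_r:var_run_t" "\n"
    r"/var/run/.*\.*pid        <<none>>" "\n"
)


class Rule(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]    # None = any entry, "d" = directory, "-" = file
    context: Optional[str]  # None stands for <<none>>


def parse_file_contexts(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # hash sign starts a comment
            continue
        fields = line.split()
        path_re, rest = fields[0], fields[1:]
        ftype = None
        if rest and rest[0].startswith("-"):   # optional -d / -- flag
            ftype = rest.pop(0)[1]
        if len(rest) != 1:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        context = None if rest[0] == "<<none>>" else rest[0]
        # SE Linux anchors the expression at both ends automatically.
        rules.append(Rule(re.compile("^" + path_re + "$"), ftype, context))
    return rules


def lookup(rules: List[Rule], path: str, is_dir: bool = False):
    """Context of the last rule matching path (None for <<none>>), or the
    string 'unlabelled' when no rule matches the entry at all."""
    result = "unlabelled"
    for rule in rules:
        if rule.ftype == "d" and not is_dir:
            continue
        if rule.ftype == "-" and is_dir:
            continue
        if rule.regex.match(path):
            result = rule.context   # later lines override earlier ones
    return result


def swapped_listing() -> str:
    """Listing 1 with lines 2 and 3 mixed up, the mistake the text warns of."""
    lines = LISTING_1.splitlines()
    lines[1], lines[2] = lines[2], lines[1]
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_file_contexts(LISTING_1)
    for path, is_dir in [("/home/alice", True), ("/home/alice", False),
                         ("/var/run/sshd.pid", False), ("/var/run/utmp", False)]:
        print(path, "dir" if is_dir else "file", "->", lookup(rules, path, is_dir))
    # With the order wrong the PID file is labelled var_run_t after all.
    print("swapped:", lookup(parse_file_contexts(swapped_listing()),
                             "/var/run/sshd.pid"))
```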

“selinux/policy”, this directory will be the starting point for the next few steps. Comments in the configuration files are indicated by hash signs, “#”, as you would expect. The content of these files is interpreted by the “m4” macro preprocessor; many admins will be familiar with this tool from configuring sendmail. The macros help simplify more complex configurations; however, the initial steps and normal use will not mean you need to brush up on your “m4” skills.

Configuring SE Linux

The “users” file assigns a usable role to every user, and the system policy will only apply to user accounts listed in the file. The first thing you should do is delete the sample users “jdoe” and “jadmin”. The entries follow the “user username roles role;” pattern or, if multiple roles are permitted, “user username roles { role1 role2 };”.

There are three additional pre-defined users: “system_u”, the system user, “root”, and “user_u”. Any users not explicitly named are automatically assigned to the default user “user_u” and assume the “user_r” role. Thus, you do not need to add every single Linux user to this file. The following line contains a sample entry for a non-privileged user:

    user foo roles { user_r bar_r };

To assign additional permissions to a user, you can allow the user access to the “sysadm_r” role. If the entry for a user specifies multiple roles, the user can change roles at any time. The “sysadm_r” role will assign root equivalent SE Linux permissions to the user; however, this does not imply root privileges on the underlying Linux system, as SE Linux access control works on top of the standard Linux access control. Thus, the

    Jul 5 17:36:36 max kernel: avc: denied { read } for pid=616 exe=/sbin/mingetty path=/2/fd/10 dev=00:03 ino=163850 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:init_t tclass=lnk_file
    Jul 5 17:36:36 max kernel:
    Jul 5 17:36:36 max kernel: avc: denied { read } for pid=616 exe=/sbin/mingetty path=/450/maps dev=00:03 ino=29491213 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file
    Jul 5 17:36:36 max kernel:
    Jul 5 17:36:36 max kernel: avc: denied { getattr } for pid=616 exe=/sbin/mingetty path=/450/maps dev=00:03 ino=29491213 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file

Listing 2: Mingetty Error Messages

    #
    # add SE Linux utilities and man pages to path and manpath
    #
    uname -r | grep --silent selinux
    if [ "$?" = "0" ] ; then
        PATH=/usr/local/selinux/bin:/usr/local/selinux/sbin:$PATH
        MANPATH=/usr/local/selinux/man:$MANPATH
        export PATH MANPATH
    fi

Listing 3: Extending Paths

The different terms used for type enforcement – that is “type” for files and “domain” for processes – are reflected in the names of the configuration files. The “selinux/policy/domains/program” directory contains files which end in “.te” (type enforcement), which are used to define permissible access types (that is, what domain is allowed what kind of access to what type). Only the type definitions are significant in “*.te” files, but not file names, user IDs or roles.

To allow permissions to be assigned as foreseen, you will need to assign security contexts to your processes. Files ending in “.fc” (file context) in the “selinux/policy/file_contexts/program” subdirectory are responsible for this task. The security context of a process is derived from the security context of the program file, which is defined by an “*.fc” file.

Customized Settings

SE Linux will only perform as designed if you tailor it to reflect your current distribution. As the defaults are Red Hat specific, you will need to modify them to correspond to a SuSE system. This particularly applies to the file system entries in the left column of the “*.fc” files, as these two distributions use different paths for various programs.

To avoid the time-consuming process of modifying these files manually, you might like to check out the additional SuSE rules located at [7]. To simplify the process of applying modified SE Linux rules in the future, the specific rules have been organized in the “suse.fc” and “suse.te” files. You will need to copy “suse.fc” to the “selinux/policy/file_contexts/program” directory, and “suse.te” needs to be copied to “selinux/policy/domains/program”.

“selinux/utils/appconfig” contains a few files used to configure the programs modified for SE Linux. All of these files should be copied to “/etc/security” first. The “default_contexts” file defines what roles and what type are assigned by default to local logins, logins via SSH, and cron jobs. The entries in “default_type” assign a default type to each role. The format of these entries is “role:domain”. You will need to modify this file if you define additional roles.

The other files do not need modifying. The only line in “initrc_context” defines the security context for any init scripts run by calling “run_init”. “passwd_context” and “shadow_context” define the security context for “/etc/passwd” and “/etc/shadow”. This allows various wrapper programs, such as “spasswd”, to restore the context after “passwd” and other programs have added to these files.

The “policy/rbac” file is used for configuring the RBAC mechanism (Role Based Access Control) and should not be modified, unless a new role necessitates this step. The existing rules do not require any role changes; an unpremeditated role change could endanger the security of the whole system. The file is line based and adheres to the following syntax:

    allow old_role new_role;

In contrast to type changes, which are defined by rule sets of their own, every line in this file explicitly permits clearly defined role changes.
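How the “users” entries from the Configuring SE Linux section and the “allow old_role new_role;” lines of “policy/rbac” combine to decide whether a role change may succeed is shown by this added example; it is not code from the article or from SE Linux, and the users and rbac fragments it parses are constructed samples in the syntax the text shows.

```python
"""Added example (not from the article or SE Linux): parse 'users' file
entries and policy/rbac 'allow' lines and answer the question newrole has
to answer before authentication: may this user switch from one role to
another?  The user must hold both roles AND the rbac file must permit the
transition; users not listed in the file are treated as user_u."""
import re

# Constructed sample fragments in the syntax the article describes.
USERS_FILE = """\
# SE Linux users and the roles they may assume
user system_u roles system_r;
user user_u roles { user_r };
user root roles { user_r sysadm_r };
user foo roles { user_r bar_r };
"""

RBAC_FILE = """\
# every line explicitly permits one role change
allow user_r sysadm_r;
allow sysadm_r user_r;
"""

# "user NAME roles ROLE;"  or  "user NAME roles { ROLE1 ROLE2 };"
USER_RE = re.compile(
    r"^user\s+(\S+)\s+roles\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*;$")


def _config_lines(text):
    """Yield stripped, non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_users(text):
    """Map SE Linux user name -> set of roles the user may occupy."""
    users = {}
    for line in _config_lines(text):
        m = USER_RE.match(line)
        if not m:
            raise ValueError(f"bad users line: {line!r}")
        users[m.group(1)] = set((m.group(2) or m.group(3)).split())
    return users


def parse_rbac(text):
    """Set of (old_role, new_role) pairs the rbac file permits."""
    allowed = set()
    for line in _config_lines(text):
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"bad rbac line: {line!r}")
        allowed.add((m.group(1), m.group(2)))
    return allowed


def roles_of(users, name):
    """Roles of a user; anyone not listed falls back to the generic user_u."""
    return users.get(name, users["user_u"])


def may_change_role(users, rbac, name, old_role, new_role):
    """True only if the user holds both roles and the transition is listed
    in the rbac file.  Password checking by newrole is outside this check."""
    roles = roles_of(users, name)
    return (old_role in roles and new_role in roles
            and (old_role, new_role) in rbac)


if __name__ == "__main__":
    users, rbac = parse_users(USERS_FILE), parse_rbac(RBAC_FILE)
    for who, old, new in [("root", "user_r", "sysadm_r"),
                          ("foo", "user_r", "sysadm_r"),   # lacks sysadm_r
                          ("foo", "user_r", "bar_r"),      # no allow line
                          ("alice", "user_r", "sysadm_r")]:  # unlisted user
        print(f"{who}: {old} -> {new}:", may_change_role(users, rbac, who, old, new))
```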

Mingetty with Maxi Privileges

If you use SuSE’s mingetty, you should be prepared for a barrage of messages about missing permissions (Listing 2). This mingetty variant needs to parse the PID directories below “/proc”. As these directories are assigned to the security context of the process that owns them, mingetty would require read permissions for too many different types, and thus defeat the aim of SE Linux.
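Spotting a domain like this from the log, rather than by reading policy, is a matter of parsing the “avc: denied” lines of Listing 2 and counting how many distinct target types each source domain was refused. This added example does that; it is not code from the article or SE Linux, and apart from the three Listing 2 lines the log sample (the crond line) and the threshold are constructed.

```python
"""Added example (not from the article or SE Linux): parse kernel 'avc:
denied' messages of the form shown in Listing 2 and summarise, per source
domain, the target types and permissions that were refused.  A domain denied
access to many different target types, as mingetty is for the per-process
/proc directories, needs a different program design rather than allow rules."""
import re
from collections import defaultdict

# Lines 1-3 are from Listing 2; the last line is a constructed sample.
SAMPLE_LOG = """\
Jul 5 17:36:36 max kernel: avc: denied { read } for pid=616 exe=/sbin/mingetty path=/2/fd/10 dev=00:03 ino=163850 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:init_t tclass=lnk_file
Jul 5 17:36:36 max kernel:
Jul 5 17:36:36 max kernel: avc: denied { read } for pid=616 exe=/sbin/mingetty path=/450/maps dev=00:03 ino=29491213 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file
Jul 5 17:36:36 max kernel: avc: denied { getattr } for pid=616 exe=/sbin/mingetty path=/450/maps dev=00:03 ino=29491213 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:postfix_master_t tclass=file
Jul 5 17:40:02 max kernel: avc: denied { write } for pid=702 exe=/usr/sbin/crond path=/etc/shadow dev=03:01 ino=12345 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = value
    # scontext / tcontext are user:role:type strings; keep the type handy.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarise(log_text):
    """Map source domain -> {target type -> set of 'class:permission'}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["scontext_type"] is None:
            continue
        for perm in rec["perms"]:
            summary[rec["scontext_type"]][rec["tcontext_type"]].add(
                f"{rec['tclass']}:{perm}")
    return summary


def overreaching_domains(summary, max_targets=1):
    """Domains denied access to more than max_targets distinct target types
    (threshold chosen for the sample; tune it to your own logs)."""
    return sorted(domain for domain, targets in summary.items()
                  if len(targets) > max_targets)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for domain, targets in summary.items():
        for target, perms in targets.items():
            print(f"{domain} -> {target}: {sorted(perms)}")
    print("domains touching many types:", overreaching_domains(summary))
```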

One possible solution is to use the Red Hat mingetty package [9]. The binary RPM can be created from the source RPM by issuing “rpm --rebuild mingetty-1.00-1.src.rpm” and installed by issuing “rpm -ihv --force mingetty-1.00-1.rpm”. This action will overwrite the SuSE counterpart. The exact path to the newly created mingetty package will depend on your distribution, but normally defaults to “/usr/src/packages/RPMS/i386”.

After completing these customization steps, you can create your policy in “selinux/policy” by following the “make && make install” pattern. The policy is applied after rebooting your system. However, “make load” is available during SE Linux runtime to load the new policy immediately.

A Question of Policy

The next step uses “make reset” to bind security contexts to file system entries, and places a “...security” directory in the root directories of any file systems mounted and supported.

25www.linux-magazine.com February 2003

COVER STORYSE Linux

PID SID CONTEXT COMMAND
1 7 system_u:system_r:init_t init [
2 7 system_u:system_r:init_t [keventd]
3 7 system_u:system_r:init_t [kapmd]
4 1 system_u:system_r:kernel_t [ksoftirqd_CPU0]
5 1 system_u:system_r:kernel_t [kswapd]
6 1 system_u:system_r:kernel_t [bdflush]
7 1 system_u:system_r:kernel_t [kupdated]
8 7 system_u:system_r:init_t [kreiserfsd]
214 169 system_u:system_r:syslogd_t /sbin/syslogd
217 166 system_u:system_r:klogd_t /sbin/klogd -c 1
279 172 system_u:system_r:atd_t /usr/sbin/atd
489 176 system_u:system_r:inetd_t /usr/sbin/xinetd -reuse
550 180 system_u:system_r:crond_t /usr/sbin/crond
574 182 system_u:system_r:getty_t /sbin/mingetty --noclear t
575 186 system_u:system_r:local_login_t login -- root
576 182 system_u:system_r:getty_t /sbin/mingetty tty3
577 182 system_u:system_r:getty_t /sbin/mingetty tty4
578 182 system_u:system_r:getty_t /sbin/mingetty tty5
579 182 system_u:system_r:getty_t /sbin/mingetty tty6
603 187 root:sysadm_r:sysadm_t -bash
622 187 root:sysadm_r:sysadm_t ps ax --context

Listing 4: Processes


the “sysadm_r” role – of course this is also true of other modes. If SE Linux boots without any errors, issuing “ps ax --context” will produce similar output to that shown in Listing 4 – that is, it will show the processes within their appropriate security contexts. The third column in this output lists the security context in the “user:role:type” format mentioned previously.

Any processes belonging to a user will be run with the user’s ID and role. Both attributes are inherited by any child processes. The security context for system processes is not user-definable, as they will always run with the permissions of the “system_u” user, and within the context of the “system_r” role. Only the domain (that is, the type) will depend on the actual process. If every process runs within the context of the same domain, the files below “selinux/policy/file_contexts” may not have been correctly customized.

The fact that child processes inherit domains can mean that some processes will still reside in the “initrc_t” domain after booting. However, this domain is used exclusively for launching the scripts below “/etc/init.d/”. The admin can either stop the RC scripts launching these programs, or define a domain for the programs that are launched.
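The checks the last two paragraphs describe, as an added Python example rather than code from the article: it parses “ps ax --context” output and reports processes left in “initrc_t”, processes whose user and role do not match the system_u/system_r pairing the text describes for system processes, and the warning sign that every process shares one domain. The output it parses is a constructed sample shaped like Listing 4; the daemons on pids 710 and 711 are invented to trigger the findings.

```python
"""Added example (not from the article): a check over "ps ax --context" output
after an SE Linux boot, looking for the symptoms the text describes: processes
left in the initrc_t domain, and every process sharing one domain (a sign that
file_contexts was not customized). Also flags a system_u/system_r mismatch."""

# Constructed sample in the shape of Listing 4; pids 710/711 model daemons that
# inherited initrc_t from their init script, and 711 additionally runs as root
# within system_r, which the text says system processes never do.
SAMPLE_PS = """\
PID SID CONTEXT COMMAND
1 7 system_u:system_r:init_t init [3]
4 1 system_u:system_r:kernel_t [ksoftirqd_CPU0]
214 169 system_u:system_r:syslogd_t /sbin/syslogd
550 180 system_u:system_r:crond_t /usr/sbin/crond
574 182 system_u:system_r:getty_t /sbin/mingetty tty1
603 187 root:sysadm_r:sysadm_t -bash
710 190 system_u:system_r:initrc_t /usr/local/sbin/mydaemon
711 191 root:system_r:initrc_t /usr/local/sbin/otherd
"""


def parse_ps_context(output):
    """Parse the four columns of 'ps ax --context' into dicts; the CONTEXT
    column is split into user, role and type (domain)."""
    rows = []
    for line in output.splitlines()[1:]:        # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, sid, ctx, cmd = parts
        user, role, domain = ctx.split(":", 2)
        rows.append({"pid": int(pid), "sid": int(sid), "user": user,
                     "role": role, "domain": domain, "cmd": cmd})
    return rows


def audit_contexts(rows):
    """Return the findings a sysadmin would act on after booting SE Linux."""
    findings = {"initrc_t": [], "user_role_mismatch": [], "single_domain": None}
    for r in rows:
        if r["domain"] == "initrc_t":           # inherited from an /etc/init.d script
            findings["initrc_t"].append((r["pid"], r["cmd"]))
        # system processes run as system_u within system_r; anything else is odd
        if (r["role"] == "system_r") != (r["user"] == "system_u"):
            findings["user_role_mismatch"].append(r["pid"])
    domains = {r["domain"] for r in rows}
    if len(domains) == 1:                       # file_contexts probably not customized
        findings["single_domain"] = domains.pop()
    return findings


if __name__ == "__main__":
    for key, value in audit_contexts(parse_ps_context(SAMPLE_PS)).items():
        print(f"{key}: {value}")
```

Run against real output by piping “ps ax --context” into parse_ps_context; a non-empty “initrc_t” list is the cue to either stop the RC script launching that program or to define a domain for it, as the paragraph above suggests.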

The “ls / --context” command lists security contexts for files (Listing 5). The output has some resemblance to “ps”. If new files are created on shutting down or booting the system, they will not have a label or a security context, even if they are covered by a policy rule. You can

The “...security” directory contains a database with the PSIDs (Persistent Security Identifiers), which map the inodes of the individual files and directories to the appropriate security context. Changes are applied on rebooting the system, but you can enable them in the current SE Linux session by typing “make relabel”. This command is also required if a non SE Linux kernel was running. Floppy and CD drives are assigned a security context dynamically when mounted.

When adding new rules to a system, you should update the policy first before changing the security context files. Failing to do so could mean that the system does not recognize a new type that you have applied to files and directories. In this case, SE Linux would prevent potentially critical access.

Before booting SE Linux for the first time, you might like to extend the paths to include the paths for the manpages and programs. The easiest way to do this is to refer to Listing 3, which can be run as “/etc/profile.local”.

Booting and Logging On

Booting to permissive mode is recommended to avoid losing control when incomplete or erroneous rules are applied. In this case you can change to


drwxr-xr-x root root system_u:object_r:root_t ./
drwxr-xr-x root root system_u:object_r:root_t ../
drwx------ root root system_u:object_r:file_labels_t ...security/
drwxr-xr-x root root system_u:object_r:bin_t bin/
drwxr-xr-x root root system_u:object_r:boot_t boot/
lrwxrwxrwx root root system_u:object_r:root_t cdrom
lrwxrwxrwx root root system_u:object_r:root_t cdrw
drwxr-xr-x root root system_u:object_r:device_t dev/
drwxr-xr-x root root system_u:object_r:etc_t etc/
lrwxrwxrwx root root system_u:object_r:root_t floppy
drwxr-xr-x root root system_u:object_r:user_home_t home/
drwxr-xr-x root root system_u:object_r:lib_t lib/
drwxr-xr-x root root system_u:object_r:lost_found_t lost+found/
drwxr-xr-x root root system_u:object_r:root_t media/
drwxr-xr-x root root system_u:object_r:root_t mnt/
drwxr-xr-x root root system_u:object_r:root_t opt/
dr-xr-xr-x root root system_u:object_r:proc_t proc/
drwx------ root root system_u:object_r:sysadm_home_t root/
drwxr-xr-x root root system_u:object_r:sbin_t sbin/
drwxrwxrwt root root system_u:object_r:tmp_t tmp/
drwxr-xr-x root root system_u:object_r:usr_t usr/
drwxr-xr-x root root system_u:object_r:var_t var/

Listing 5: File System

Tips for SE Linux

Avoid hard links: A file referred to by different names via a common inode is not allowed to have different privileges. The security context refers to the inode and thus both names are placed in the same context, although the file context configuration might attempt to assign two different contexts.

Do not convert Ext 2 to Ext 3: If you do use an Ext 3 file system, it should not be a converted Ext 2 file system. The “.journal” file created by this process can cause trouble, as there is no file type defined for it.

No RAM disk: You should launch SE Linux without initializing a RAM disk.

Mixing SE Linux and standard Linux: If you boot a non SE Linux kernel, you should delete all the “...selinux” directories and regenerate the security context for the files before rebooting SE Linux.

Mailing list archive: The archive for the SE Linux mailing list is only updated infrequently on the home page [1]. You may prefer to use a different archive [5].

Backing up the configuration: You can copy the “selinux/policy” directory to “/etc/selinux/policy” in order to simplify backing up the configuration files.

Faster setfiles: Running “setfiles” can take quite a while if you have a lot of files to process. As an alternative, consider running “setfiles” manually and only processing file systems that have been modified. The working directory must be “selinux/policy”. You will need to issue the “setfiles file_contexts/file_contexts partition_root” command. If the file “file_contexts/file_contexts” does not exist, or is too old, you can instead use the “make filecontext/filecontext” syntax. It is simpler to use “chcon” rather than “setfiles” for less critical changes.

X server: If you intend to use an X server, you should follow the steps described in point 4 of the “selinux/README” section in the installation manual, and then run “startx”. Our experiments with KDE 2 produced only a few error messages, and a set of rules for KDE should remedy the situation.

Root login: The current rule set does not allow “sshd” access to “/root”, root’s home directory. SSH based root login should therefore be avoided. You can and should switch IDs and roles later using “su -” and “newrole”.

Boot messages: Looking at the boot messages provides further insight into SE Linux. You can ascertain the current SE Linux mode, for example.


then issue “make relabel” in the policy directory to add the missing labels. You should then watch your machine in permissive mode for a while, just in case you need to modify the rules.

Command Line Tools

SE Linux also comprises a few userspace tools. The “avc_enforcing” program displays the current SE Linux mode, that is “enforcing” or “permissive”. The “avc_toggle” tool allows you to toggle between modes and does not require any additional parameters.

Just like the standard Linux “su” command, “newrole” launches a new shell with a different role.

The “newrole -r sysadm_r” command prompts the user for a password before changing to the “sysadm_r” role. The password prompt ensures that only users, and not shell scripts, can change roles. The following conditions must be fulfilled before a user can change role:
• The user must be a member of both roles in “users”.
• The role change must be permitted by the “rbac” file.

The “newrules.pl” script is important. It is located in the “selinux/scripts/” directory and allows you to create new rules from kernel messages.
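An added Python example (not code from the article or from the SE Linux package) that applies the two “newrole” conditions above, together with the “allow old_role new_role;” syntax of the “rbac” file described earlier, to decide whether a role change from a given security context would be permitted. The “users” line format it parses (“user NAME roles { R1 R2 };”) is an assumption, and the sample “users” and “rbac” contents are constructed for the demonstration.

```python
"""Added example (not from the article or the SE Linux project): check whether a
role change such as "newrole -r sysadm_r" satisfies the two conditions the text
names, using a `users` file and an `rbac` file. The `users` line format assumed
here is "user NAME roles { R1 R2 };"; the `rbac` format is the article's own."""
import re

# Constructed sample configuration for the demonstration (not a real policy).
USERS_FILE = """
user system_u roles system_r;
user user_u roles { user_r };
user root roles { user_r sysadm_r };
user staff roles { user_r staff_r sysadm_r };
"""

RBAC_FILE = """
# every line here widens what the listed users may do, so keep it short
allow user_r sysadm_r;
allow sysadm_r user_r;
"""

USER_RE = re.compile(r"user\s+(\S+)\s+roles\s+(\{[^}]*\}|[^\s;]+)\s*;")
RBAC_RE = re.compile(r"allow\s+(\S+)\s+([^\s;]+)\s*;")


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_users(text):
    """Map each user name to the set of roles it may assume."""
    return {name: set(roles.strip("{} \t").split())
            for name, roles in USER_RE.findall(_strip_comments(text))}


def parse_rbac(text):
    """Set of (old_role, new_role) pairs the rbac file explicitly allows."""
    return set(RBAC_RE.findall(_strip_comments(text)))


def parse_context(ctx):
    """Split a 'user:role:type' security context into its three parts."""
    user, role, type_ = ctx.split(":", 2)
    return user, role, type_


def can_change_role(context, new_role, users, rbac):
    """Return (allowed, reason) for 'newrole -r NEW_ROLE' issued from CONTEXT."""
    user, old_role, _ = parse_context(context)
    roles = users.get(user, set())
    # condition 1: the user must hold both the current and the requested role
    if not {old_role, new_role} <= roles:
        return False, f"{user} is not a member of both {old_role} and {new_role} in users"
    # condition 2: the rbac file must list exactly this transition
    if (old_role, new_role) not in rbac:
        return False, f"rbac has no 'allow {old_role} {new_role};' line"
    return True, "allowed"


if __name__ == "__main__":
    users, rbac = parse_users(USERS_FILE), parse_rbac(RBAC_FILE)
    for ctx, target in [("root:user_r:user_t", "sysadm_r"),
                        ("user_u:user_r:user_t", "sysadm_r"),
                        ("staff:staff_r:staff_t", "sysadm_r")]:
        print(ctx, "->", target, can_change_role(ctx, target, users, rbac))
```

The “staff” user shows why both checks are needed: the user holds “sysadm_r”, but no “allow staff_r sysadm_r;” line exists, so the change is refused by the rbac check alone, and the password prompt of “newrole” is never even reached.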

Calling “newrules.pl --help” will display the syntax. The “-v” option is particularly interesting: it adds a comment comprising information on the offending process to the rule. “run_init” is used to launch init scripts. After prompting for a password, the program changes to the “/etc/security/initrc_context” security context and runs the init script.

Modified Progs for SE Linux

To use the additional SE Linux features, the package contains a number of modified programs, such as “ps”, “ls”, “find”, “id”, and “mkdir”. The modified “tar” tool also backs up the security context of the files.

“runas” launches a program in a different environment, with a different role or in a different context, for example.

“chcon” changes the security context of files and directories; however, these changes are reverted when you run “make relabel”.

“setfiles” is used to define a security context for a file system, and “load_policy” loads a new policy. “list_sids” displays the security identifiers (SIDs), and “sid_to_context” displays the security context for a SID.

Linux typically allows root to change other users’ passwords without knowing their current passwords. This privilege is hard-coded into tools such as “passwd”, “chfn”, and “chsh”. All three tools need write privileges for the password files, so a simple policy is inappropriate in this case. Wrappers provide a solution: “spasswd”, “schfn”, and “schsh” ensure that users can only change their own data, unless they have special permission. Permission does not depend on the user ID, but on the domain.

Critical modifications also apply to “login”, “sshd”, and “crond”. As cron fulfills a large number of system specific tasks, it is difficult to define an appropriate rule. The recommended procedure is to comment out any tasks you do not require cron to perform, and define a set of rules for a cron domain for any remaining tasks. The SuSE crond is called “cron”, whereas the SE Linux enhanced version is called “crond”. The “/etc/init.d/cron” init script will need some modifications (the “CRON_BIN” variable defines the name of the binary).

There are also no rules for YaST. The program requires quite extensive permissions. As defining a complete set of rules may be extremely time-consuming, you can either do without YaST or run the tool in permissive mode.

Conclusions

SE Linux provides the admin user with extremely granular control over a system. However, this potential advantage can turn out to be troublesome: the more rules you implement, and the more complicated they become, the more difficult it will be to check and troubleshoot them. In other words, potential for error will increase. However, you can mitigate the danger by defining groups of rules, such as original, unchanged SE Linux rules, operating specific rules used to customize SE Linux for your distribution, and system specific rules that reflect local conditions. This allows you to introduce and maintain new rules more easily.

Alternatively, you might consider reducing the range of tasks a program performs, instead of defining a large number of new rules. Your goals will define your approach: It is easier to remove a few cronjobs (such as updating the locate database via “updatedb”) than defining a few additional crond specific rules. Many tasks, however, are indispensable and you will not be able to avoid defining appropriate rules. ■


INFO

[1] SE Linux home page at NSA: http://www.nsa.gov/selinux/
[2] SE Linux package (36 MB): http://www.nsa.gov/selinux/download2.html
[3] SE Linux project home page at Sourceforge: http://sourceforge.net/projects/selinux/
[4] LSM-Kernel: http://lsm.immunix.org
[5] Alternative mailing list archive: http://marc.theaimsgroup.com/?l=selinux
[6] Patches for SE Linux: ftp://ftp.linux-magazin.de/pub/listings/magazin/2003/01/SELinux/installpatches_20020930.tar.gz
[7] Additional rules for SuSE: ftp://ftp.linux-magazin.de/pub/listings/magazin/2003/01/SELinux/suse_rules_20021105.tar.gz
[8] SE Linux patch for KDM: http://www.coker.com.au/selinux/kdm/
[9] Mingetty package “mingetty-1.00-1.src.rpm”: http://www.rpmfind.net
[10] Stephen Smalley, “Configuring the SELinux Policy”: http://www.nsa.gov/selinux/policy2-abs.html
[11] Peter Loscocco and Stephen Smalley, “Integrating Flexible Support for Security Policies into the Linux Operating System”: http://www.nsa.gov/selinux/freenix01-abs.html
[12] Secure Computing Corporation: http://www.securecomputing.com
[13] Mach-Kernel: http://www-2.cs.cmu.edu/afs/cs.cmu.edu/project/mach/public/www/mach.html

THE AUTHORS

Carsten Grohmann has been interested in computers ever since the KC87 was invented, and started working with Linux in 1997. He has been working as a system administrator since 2000.

Konstantin Agouros started investigating Unix and the Internet in 1989, and has been interested in Linux since 1994. He is responsible for the Competence Center Security at Netage.


decide to either permit or deny the action. Systrace comprises a kernel patch, a command line program, and a gtk GUI (BSD license). All three components are available from [1].

Userspace applications use system calls to access the kernel. System calls provide services in areas where security is critical, such as file handling, network connections, or the heap. Table 1 provides an overview of common syscalls. More than 200 calls are available on most UNIX type operating systems, and they provide the only way to invoke persistent changes to a system. Without them a process could not perform any useful tasks, although admittedly an attacker would not be able to get up to any mischief either.

No Attacks without System Calls

A typical attack might succeed due to a buffer overflow in a web server that allows an intruder access to a shell. The malevolent hacker would then inject exploit code that runs with the privileges of the web server process. The code will need to execute a few system calls, such as “fork()” and “execve()” for example, to launch the shell. Thus, the real damage is not caused by the security hole itself, but by a syscall it allows. As security holes are more or less inevitable, admins often monitor system calls in order to provide an extra layer of system protection.

Normally an application will have access to any system calls it requires. Nothing would prevent the web server from launching a shell and serving it up to any user connecting to the web server. This action is undesirable and the server was not programmed to perform it, but a software bug allows the attacker to trick the application into behaving in a way the authors did not envisage.

Each application needs access to a subset of the syscall interface functionality. A simple web server listens on TCP port 80, responds to HTTP requests, and serves up files from a standard directory structure. The web server is not required to provide any other services, and it particularly does not need to launch an interactive shell or read “/etc/passwd”. The system calls a program uses thus describe its legitimate functions. Systrace makes use of this fact: it monitors the system calls and develops a policy based on these calls. Any application that is controlled by the systrace program can only work within the bounds of the policy.

Policies

A systrace policy comprises a set of rules. Each rule controls a syscall and its parameters, specifying whether or not the call is allowed. The simple rules outlined in the following example allow for the “fchdir()” and “fstat()” system calls:

linux-fchdir: permit
linux-fstat: permit

A rule containing the “deny” keyword instead of “permit” would prevent these

Gatekeeper

Systrace Enforces Rules for Permitted System Calls

Vulnerabilities in web servers, browsers, IRC clients or audio players may allow programs to perform all kinds of malevolent tricks. Systrace protects your system from unpleasant consequences by placing it in a tightly locked jail of legitimate system calls.

BY MARIUS AAMODT ERIKSEN AND NIELS PROVOS

Systrace, the kernel gatekeeper, forces processes to respect a policy for system calls, thus restricting access to a host. Of course this will not remove any existing vulnerabilities, but it will mitigate the consequences. If a program is not required to launch any other processes, the systrace policy will disable the syscall normally used for this purpose. An intruder will be unable to open a shell, even if she has gained complete control over an active process.

To enforce the policy, systrace intercepts system calls at kernel level and launches only those functions intended by the legitimate user. If an application attempts to step outside the bounds set by systrace, a GUI popup warns the user and prompts them to


Syscall   Function
fork      Creates a new process
execve    Executes a file
open      Opens a file
read      Reads from a file descriptor
write     Writes to a file descriptor
connect   Uses a socket to open a connection to a remote host
bind      Binds a socket to a name
unlink    Deletes a directory entry

Table 1: Common System Calls


system calls. Rules can also apply to a specific parameter of a syscall:

linux-fsread: filename eq "/tmp/foo" then permit
linux-fsread: filename match "/etc/*" then deny[enoent]

Based on these rules, the program is allowed to read the file “/tmp/foo”, but files that match the “/etc/*” pattern will lead to an “ENOENT” error. Instead of running the syscall, systrace informs the application that the file does not exist.

Policy Grammar

The policy grammar is identical for all system calls. Each rule begins with the name of an emulation and the syscall, e.g. “linux-fsread”. This is followed by a list of conditions, and an action (“deny” or “permit”) to be taken by systrace. As Linux does not support syscall emulation, each rule starts with the “linux” string. Systrace also supports OpenBSD and NetBSD and both these systems can emulate various syscall variants.

An optional error code can be appended to the action (this defaults to “EPERM”, operation not permitted). The user can optionally choose to have systrace log specific activities by adding the “log” keyword at the end of the rule. The BNF specification (Backus Naur Form) of the policy syntax is shown in Listing 1.

A few predicates are available to restrict the validity of rules. They define additional conditions for the actions and currently apply to users or groups on the system. Predicates are appended to the rule following a comma, for example:

linux-fsread: filename eq "/etc" then deny[eperm], if group != wheel

This rule only restricts users who are not members of the “wheel” group.

Arguments are defined for the majority of system calls. For example, “open” expects to be passed the name of the file to be opened. Systrace translates these parameters into a human readable format, displaying them as strings and comparing them with the rules. Systrace offers a range of operators for this comparison (see Table 2).

Implementation: Setting Up a Base Camp

When implementing systrace functionality, you first need to find an appropriate place to insert control mechanisms. Looking at the path of a syscall reveals several potential candidates. Applications initiate system calls by writing to specific registers and invoking soft interrupts (the “int” instruction on i386 processors). The standard C library (libc) is typically responsible for setting up and initiating syscalls. A large proportion of the C library functionality derives from system calls, for example “open()”, “read()” and “write()”. The system call path is shown in Figure 1.

Syscalls can be intercepted and modified in each of these layers. Intercepting system calls in the library layer (libc) would be trivial: You could use the “LD_PRELOAD” environment variable to preload a library on top of libc. The new library would provide all of libc’s system call functionality.

Unfortunately, an attacker would easily be able to sidestep this mechanism by making an application invoke the system call itself, instead of using libc. And the method would not work for statically linked programs. Additionally, there are a few systrace functions that cannot be run in userspace.

Gatekeeper – Syscall Gateway

So it would seem that the kernel layer is the natural place to intercept system calls. This is the only place where you can be sure to catch every syscall, no matter where or how it was initiated. Every system call enters the kernel via the syscall gateway, which acts as an interrupt handler for the soft interrupt used by system calls.

The gateway reads a register (“eax” for i386 processors) to ascertain the system call number, which is simply an index into the system call table containing function pointers to individual kernel functions. The gateway parses the value of the syscall number and then initiates the correct function which performs the task specified by the system call. In order to reject a system call, systrace must intercept it before it is executed. Systrace hooks into the call gateway to do so.

Most of systrace’s functionality is implemented in a userspace program. The kernel hook is provided by a device: “/dev/systrace”. The userspace section of systrace reads kernel messages via the device and invokes “ioctl” calls for the device in order to return messages.

Systrace Takes the Helm

An application must be launched by the “systrace” userspace utility to initialize


Operator  Function
match     Is true if the syscall argument matches the glob pattern following the operator, as in “fnmatch(3)”
eq        Is true if the syscall argument exactly matches the string following the operator
neq       Logical negation of “eq”
sub       Looks for matches in a substring of the system call argument
nsub      Is the logical negation of “sub”
inpath    Is true if the syscall argument is a subpath of the string following the operator
re        Looks for matches for a regular expression in the syscall argument

Table 2: String Matching with Systrace

filter = expression "then" action errorcode logcode
expression = symbol | "not" expression | "(" expression ")" |
             expression "and" expression | expression "or" expression
symbol = string typeoff "match" cmdstring |
         string typeoff "eq" cmdstring | string typeoff "neq" cmdstring |
         string typeoff "sub" cmdstring | string typeoff "nsub" cmdstring |
         string typeoff "inpath" cmdstring | "true"
typeoff = /* empty */ | "[" number "]"
action = "permit" | "deny"
errorcode = /* empty */ | "[" string "]"
logcode = /* empty */ | "log"

Listing 1: Systrace Policy Syntax
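An added Python example (not the systrace project's code) that implements the grammar in Listing 1 and the operators in Table 2 far enough to evaluate a policy against a syscall, its arguments and the calling user's group; it also covers the default “EPERM” error code, the “log” keyword and the “, if group !=  wheel” predicate described above. Assumptions: rules are tried in order and the first match wins; “inpath” is read as “the argument lies inside that directory”; predicates are limited to “if user|group = NAME” or “!= NAME”; parentheses must be separated by spaces; and the sample policy is assembled from the article's own rule examples plus one constructed “inpath ... and not ... sub” rule.

```python
"""Added example (not the systrace project's code): evaluate systrace-style
rules per Listing 1 / Table 2. Assumed: first matching rule wins, "inpath" means
inside that directory, predicates are "if KEY =|!= VAL", spaces around parens."""
import fnmatch
import re
import shlex

# Table 2 operators; "re" uses Python's regular expressions here.
OPERATORS = {
    "match": lambda arg, pat: fnmatch.fnmatchcase(arg, pat),
    "eq": lambda arg, s: arg == s,
    "neq": lambda arg, s: arg != s,
    "sub": lambda arg, s: s in arg,
    "nsub": lambda arg, s: s not in arg,
    "inpath": lambda arg, d: arg == d or arg.startswith(d.rstrip("/") + "/"),
    "re": lambda arg, pat: re.search(pat, arg) is not None,
}

# Constructed sample policy assembled from the article's rule examples.
SAMPLE_POLICY = """
linux-fchdir: permit
linux-fsread: filename eq "/tmp/foo" then permit
linux-fsread: filename match "/etc/*" then deny[enoent]
linux-fsread: filename eq "/etc" then deny[eperm], if group != wheel
linux-fsread: filename eq "/" then deny[eacces] log
linux-fsread: filename inpath "/home/marius/.xmms" and not filename sub "secret" then permit
"""

def _parse_chain(tok, i, word, sub):    # left-associative "and" / "or" chain
    left, i = sub(tok, i)
    while i < len(tok) and tok[i] == word:
        right, i = sub(tok, i + 1)
        left = (word, left, right)
    return left, i

def _parse_not(tok, i):                 # "not" expr | "(" expr ")" | symbol
    if tok[i] == "not":
        inner, i = _parse_not(tok, i + 1)
        return ("not", inner), i
    if tok[i] == "(":
        inner, i = _parse_or(tok, i + 1)
        assert i < len(tok) and tok[i] == ")", "missing ')'"
        return inner, i + 1
    if tok[i] == "true":
        return ("true",), i + 1
    name, op, value = tok[i:i + 3]      # e.g. filename eq "/tmp/foo"
    return ("test", name, op, value), i + 3

_parse_and = lambda tok, i: _parse_chain(tok, i, "and", _parse_not)
_parse_or = lambda tok, i: _parse_chain(tok, i, "or", _parse_and)

def parse_rule(line):
    """Parse 'emul-syscall: expr then action[errno] [log], if predicate'."""
    syscall, rest = (part.strip() for part in line.split(":", 1))
    predicate = None
    if ", if " in rest:
        rest, pred = rest.split(", if ", 1)
        key, op, value = pred.split()
        predicate = (key, op.startswith("!"), value)   # (key, negated, value)
    if " then " in rest:
        expr_text, action_text = rest.split(" then ", 1)
        expr, _ = _parse_or(shlex.split(expr_text), 0)
    else:                               # "linux-fchdir: permit": no expression
        expr, action_text = ("true",), rest
    m = re.fullmatch(r"(permit|deny)(?:\[(\w+)\])?(\s+log)?", action_text.strip())
    if not m:
        raise ValueError(f"bad action {action_text!r}")
    return {"syscall": syscall, "expr": expr, "predicate": predicate,
            "action": m.group(1), "errno": (m.group(2) or "eperm").upper(),
            "log": m.group(3) is not None}

def load_policy(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def is_simple(rule):
    # No expression, no predicate: the kind the kernel-side policy cache answers alone.
    return rule["expr"] == ("true",) and rule["predicate"] is None

def _eval(node, args):
    kind = node[0]
    if kind == "true":
        return True
    if kind == "not":
        return not _eval(node[1], args)
    if kind in ("and", "or"):
        a, b = _eval(node[1], args), _eval(node[2], args)
        return (a and b) if kind == "and" else (a or b)
    _, name, op, value = node
    return name in args and OPERATORS[op](args[name], value)

def decide(policy, syscall, args, subject=None):
    """(action, errno, log); 'ask' = no rule matched: interactive systrace prompts, enforcement denies and logs."""
    for rule in (r for r in policy if r["syscall"] == syscall):
        if rule["predicate"] is not None:
            key, negated, value = rule["predicate"]
            if ((subject or {}).get(key) == value) == negated:
                continue                # predicate excludes this subject
        if _eval(rule["expr"], args):
            return rule["action"], rule["errno"] if rule["action"] == "deny" else None, rule["log"]
    return "ask", None, False
```

decide() returns “ask” when no rule matches, which is the point at which interactive systrace would prompt and enforcement mode would deny and log; is_simple() picks out the expression-free rules that the text later describes the kernel side answering from its policy cache without consulting userspace.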


To do so, the kernel component queues a message which is then forwarded to the userspace systrace component via the “/dev/systrace” device. The message contains the number and any parameters for the system call. The userspace component looks up matches for the syscall and parameters in the policy for the current application and tells the kernel what action to perform if a match is found. If it cannot find an appropriate rule, systrace will interactively prompt the user for a decision. In enforcement mode any actions not defined in the policy will be prevented and logged.

Decisive Users

Systrace uses either the console or a GUI to prompt the user for a decision, displaying the syscall and any parameters in both cases. The user can decide to permit or deny the action, or create a new rule. If the user chooses to “deny”, the error message defined in the “deny” request is returned (this defaults to “EPERM”). Systrace will allow the system call to be dispatched if the user chooses “permit”.

As an additional security measure, the kernel kills any processes currently being monitored by systrace if the monitoring process (that is “systrace”) terminates in an unexpected fashion.

In some cases the userspace systrace component wants to know the return value of the system call, and the kernel component indicates the value after the call has been processed. This is particularly useful for “execve()” calls. In the case of successful system calls, systrace will use the policy assigned to the new program in future.

First Training – then Production

To use Systrace on a process, it has to be started with the “systrace” utility, for example, to run netscape under systrace:

% systrace netscape

systrace. The command opens a session to the kernel portion of systrace by opening the “/dev/systrace” device. It forks a new process, uses an “ioctl” command to tag the process, and uses “execve()” to run the application it needs to monitor.

The modified call gateway checks each system call to discover whether or not the process has been tagged. If so, control is passed to the systrace hook. Systrace looks up the system call number in its policy cache to ascertain whether or not a simple rule exists for the call (that is “permit” or “deny” without any additional arguments).

If systrace discovers a simple rule, it performs the action described by the rule. If there is no cached action, systrace turns to its userspace counterpart to ask for a decision.


Figure 1: Userspace processes use libc to initiate system calls. “/bin/cp” calls the “write()” library function, which selects the appropriate syscall via the “eax” register

(Figure 1 diagram labels: Userspace, /bin/cp, /usr/lib/libc.a, write(), “eax = 4; int 0x80”, Kernel)

Figure 2: In interactive mode systrace warns the user when a program contravenes policy rules. In our example, XMMS has attempted to read the root directory “/”

Systrace and Monkey.org

Monkey.org is an example of systrace in a production environment. The private UNIX shell provider runs the processes of its approximately 200 users on systrace. The admins have defined policies for every program installed at monkey.org for this purpose. Every user’s login shell is set to “stsh” (systrace shell). “stsh” spawns the user’s real shell as a systraced process allowing every process a user starts to be monitored. Systrace runs in enforcement mode and thus denies any syscall not envisaged by a policy, and logs any contraventions. The administrators can parse their logs and change their policies accordingly, if required.

linux-fsread: filename eq "/etc/ld.so.preload" then permit
linux-fsread: filename eq "/etc/ld.so.cache" then permit
linux-fsread: filename eq "/lib/libpthread.so.0" then permit
linux-fsread: filename eq "/usr/X11R6/lib/libSM.so.6" then permit
linux-fsread: filename eq "/usr/X11R6/lib/libICE.so.6" then permit
linux-fsread: filename eq "/usr/lib/libxmms.so.1" then permit
[...]
linux-fswrite: filename eq "/dev/dsp" then permit
linux-fsread: filename eq "/home/marius/.xmms/menurc" then permit
linux-fsread: filename eq "/dev/mixer" then permit
linux-fsread: filename eq "/home/marius/.xmms/xmms.m3u" then permit
linux-fsread: filename eq "/home/marius" then permit
[...]
linux-pipe: permit
linux-clone: permit
linux-rt_sigsuspend: permit
linux-poll: permit
linux-getppid: permit
linux-kill: pidname eq "/usr/bin/xmms" and signame eq "<unknown>: 32" then permit

Listing 2: Sample lines from the XMMS policy


This will cause the tool to launch a Netscape process which it tags for monitoring. If a policy already exists for the application, it will simply be applied; if not, systrace will create a new policy. Systrace notifies the user whenever it encounters a system call that does not match an entry in the policy.

Systrace also provides a training mode launched by the “-A” flag. In this mode the behavior displayed by the application is defined as normal. Systrace monitors the system calls initiated by the application and generates an appropriate policy from them. Let us look at XMMS:

% systrace -A xmms

In training mode you should launch everything that is considered normal for the program, such as playing a few songs in the case of XMMS.

Taming XMMS

After quitting the XMMS application systrace will store the new rules in “$HOME/.systrace/usr_bin_xmms”.

Listing 2 provides a few examples. The policy comprises about 100 entries that mainly refer to file system access for libraries and plug-ins; additionally the sound device is opened and used. It makes sense to check the generated policy for any unusual parts – just in case you were attacked while going through the training stage. Systrace would classify the attacker’s activities as normal and allow them in future.

Using the policy, systrace can now monitor the application: “systrace xmms”. This should allow XMMS to run normally, unless the user tries something not envisaged by the policy. A user might attempt to access the root directory “/” by selecting it from the file selection dialog box in XMMS. This would provoke a systrace error as can be seen in Figure 2. The following policy entry would then prevent this kind of access permanently:

filename eq "/" then deny[eacces]

The entry also specifies that the syscall should return an “EACCES” message when denying access, informing XMMS that it does not have the required permissions. XMMS then informs the user that it cannot read the directory (see Figure 3). If XMMS contains a bug that allows an attacker to access a user’s private files, systrace would notice this abnormal behavior and warn the user. XMMS does not normally need access to these files, and the policy has no rules on them.

Once policies have been defined systrace can be run in enforcement mode. In this mode, systrace will not prompt the user if it notices abnormal behavior, instead denying the syscall and writing a message to the syslog.

Conclusion

Systrace places applications in a policy jail, thereby restricting the damage a security hole can cause (see Figure 4). Effectively the policy describes an application’s intended usage of system calls. When systrace is running, it informs the user about system call activity not covered by the policy. The user can then decide whether systrace should permit or deny the call. ■


Figure 4: Systrace catches the configure script in a trojaned version of fragroute: The source package has been manipulated by malevolent hackers and attempts to open a TCP connection to port 6667 on IP 216.80.99.202

Figure 3: A systrace policy denies access to “/” and returns an “EACCES” error message. The file dialog in XMMS reacts by displaying the message “Directory unreadable: Permission denied”

INFO

[1] Systrace home page: http://www.citi.umich.edu/u/provos/systrace/

THE AUTHORS

Marius Aamodt Eriksen is an open source developer and a computer engineering undergraduate student at the University of Michigan in Ann Arbor, Michigan. He also ported systrace to Linux.

Niels Provos has developed numerous Open Source Programs, systrace being one of them. He is currently working on his doctorate at the University of Michigan in Ann Arbor, Michigan. His research topics are computer and network security. He is also interested in steganography.


variant of this category is the user mode kernel [2]. The additional kernel runs as a virtual machine and acts like an application from the real kernel’s viewpoint. Processes running on a user mode kernel cannot access the underlying Linux system. VMware [3], or the LGPL licensed Plex86 [4], take this concept another step further by emulating the PC’s peripheral devices, including the hard disk, NIC and video adapter.

Emulators as an Alternative

Emulators allow you to replicate the same environment on different hardware types, like SCSI on IDE and vice versa. You can install almost any operating system or application on the virtual PC.

As emulators require their own memory area and a virtual hard disk provided by special files on the host system, it is more or less impossible to break out of the virtual system. Even if an attacker manages to escalate her privileges to root, the underlying system is still inaccessible to her. She can only disrupt normal operations by overloading the CPU or hard disks, or generating excessive network traffic.

Systems such as Bochs [5] (LGPL license) that emulate not only the peripheral devices, but also the processor allow a Macintosh computer to emulate a PC with an Athlon CPU. However, emulations place a heavy load on the CPU, and virtual execution speeds are normally in the region of a few MHz. This approach thus hardly lends itself to practical applications.

Im addition, user mode Linux and the emulators we have discussed so far requires enormous amounts of RAM,as every virtual machine needs its ownkernel, including buffers, cache, andsome unused memory. The machinescannot share these resources, and alsorequire separate hard disk resources for acomplete Linux system.

Peers of the RealmVirtual server contexts are an elegantcompromise. Fundamentally, a virtualserver context is a change root jail withimportant enhancements.

The 2.2 kernel version and later allow root processes to drop some oftheir capabilities, such as the right tobind a port, to change the time, or kill anarbitrary process, for example (Table 1contains additional examples). Withoutthese capabilities, a process is notallowed to perform any of these tasks.The “include/linux/capability.h” file inthe kernel sources provides for anyadditional information.

The combination of reduced capa-bilities and a change root environmentprovides a fairly secure subsystem,where an attacker with (reduced) rootprivileges cannot do too much harm.However, the attacker will still be able tosee all the processes on the machine,including processes running outside ofher own environment. VServer resolvesthis issue by introducing a kernel patchthat defines so-called contexts. Each

Sandbox security, a concept madepopular by Java, also works forServer processes on Linux. Admins

like to keep their customers sites apart,particularly when hosting multiple sites with active content (server-sidescripting). An encapsulated environmentprotects normal servers so well that evena successful attack tends merely to affectpart of the system.

Virtual server contexts (VServer, [1])offer exactly this kind of protection, by running programs in a sandboxedenvironment to protect them from theeffects of a successful attack. The idea is as old as UNIX itself. The simplestvariant is to set up a user account for each service. UNIX access privilegesprevent an intruder from manipulatingdata belonging to other users, or evenfrom gaining read access. Change root (“chroot”) environments take thisconcept a step further by defining a rootmapped directory for a process. Theprocess is thus jailed in the directory treeand cannot see any files outside the jail.

Both of these variants ensure that an attacker cannot see the processesbelonging to another user. If the attackermanages to compromise root, she canbreak out of the “chroot” jail,manipulate arbitrary files, and causearbitrary damage.

Problems of this kind can be avoidedby using an emulator. The simplest

Multiple Linux Systems coexisting

peacefully on a single computer:

virtual server contexts permit this

kind of segregation, thus providing

security without the overheads

emulators cause. And even root is

confined to his own little realm.

BY KURT HUWIG

Virtual Server Contexts in Practical Applications

Divide and Conquer

32 February 2003 www.linux-magazine.com

VServerCOVER STORY

Hannes Keller,visipix.com

Page 31: linux magazine uk 27

context encapsulates its own processes, thus preventing an attacker from interfering with other processes on the host system. Despite this, all these contexts use the same kernel, the same RAM, the same cache, and the same hard disk.

The overheads involved with this technique are quite small, allowing a computer to run far more virtual servers than it could run virtual machines without a considerable hardware upgrade.

For users particularly low on resources there is even a script that compares individual contexts and replaces identical files (with the exception of configuration files) with hardlinks. No matter how many contexts are running, identical files will always occupy the same amount of space.

A Small Patch for One Server…

As the VServer concept utilizes the underlying functionality of a host system, the kernel patch has an extremely small footprint [6], weighing in at a mere 82 Kbytes without compression. Add a few administrative tools, available either as RPMs or as a source archive (“.tar.gz”).

After patching the kernel and rebooting, the admin user can get on with the job in hand. The admin user needs to create a subdirectory below “/vservers” for each server context and to install a Linux distribution (see “Minimizing Distributions”). The quickest way to do this is to copy a pre-installed Linux system to the subdirectory.

Each server context requires its own “/etc/vservers/Servername.conf” configuration file (“/usr/lib/vserver/sample.conf” provides an example), where the admin user will at least need to add the IP address for the virtual server. Listing 2 shows an example.

Table 2 provides an overview of the available options. “vserver servername start” will launch the virtual server context. As the SSH daemon is not running in our example, “vserver servername enter” will provide access to the context (see Figure 1). You can type “exit” to quit the context, just like any shell.

Within the context none of the host machine's processes are visible. You do not need to enter the virtual server context to invoke a single command, however; instead you can issue “vserver servername exec command”. “vserver servername stop” will stop the context, as the name implies. “vserver-stat” provides information on the context, see Figure 2.

Running a number of similar installations on a single host system can save a lot of hard disk space. Hardlinks are used to replace multiple instances of files with a single copy. However, this file cannot be written to by any of the server contexts, as any changes would apply equally to all contexts. To overcome this problem the “immutable” flag is set for any hardlinks.

Immutable?

The immutable bit prevents users – and even root in the case of contexts – from modifying a file. However, it also prevents you from deleting the file, which makes updating impossible. To resolve this issue VServer introduces the immutable linkage invert bit. If this bit is set together with the immutable flag, you can delete the file (the hardlink), although you still cannot modify it. Luckily, this is the way package managers work, that is, they will delete a file first before installing a new version.

Hardlinks should be used for binaries and libraries, not for configuration files. VServer provides a tool that can distinguish between the two and takes care of the binaries: “vunify”. It queries the package manager (only RPM at present, although work is in progress on Debian “dpkg”) for any appropriate files, and automatically replaces any duplicates with hardlinks. One context is used as a reference installation, and the copies in all other contexts are replaced by hardlinks:

/usr/lib/vserver/vunify refserver Server1 Server2 -- ALL

The parameter “ALL” tells the tool to check all the RPMs, but alternatively you can supply a list of RPM names. The results are amazing – a Red Hat installation shrank from 2 Gbytes to a mere 38 Mbytes. “vrpm” can be used to install new packages on multiple servers:
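What the hardlink unification described above amounts to, as an added C example that is not VServer's own “vunify”: it walks a reference context, replaces byte-identical files in a second context with hardlinks to the reference copy, and never touches anything under etc/. The function names, the etc/ rule and the temp-directory fixture are my assumptions; setting the immutable and linkage-invert flags on the shared files is left to the VServer tools.

```c
/* Added example, not VServer's own vunify: replace files in a second server
 * context that are byte-identical to the reference context with hardlinks and
 * leave everything under etc/ private. Assumes both trees are on one file system. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define PLEN 4096

/* 1 if both regular files hold identical bytes, else 0. */
static int same_contents(const char *a, const char *b)
{
    FILE *fa = fopen(a, "rb"), *fb = fopen(b, "rb");
    int same = (fa != NULL && fb != NULL);
    while (same) {
        unsigned char ba[4096], bb[4096];
        size_t na = fread(ba, 1, sizeof ba, fa), nb = fread(bb, 1, sizeof bb, fb);
        if (na != nb || memcmp(ba, bb, na) != 0) same = 0;
        else if (na == 0) break;                           /* both at EOF */
    }
    if (fa) fclose(fa);
    if (fb) fclose(fb);
    return same;
}

/* Configuration must stay writable per context, so etc/ is never shared. */
static int is_config(const char *rel)
{
    return strcmp(rel, "etc") == 0 || strncmp(rel, "etc/", 4) == 0;
}

/* Walk 'rel' below both roots. A regular file in 'other' matching the reference
 * copy is replaced by a hardlink to it: link under a temporary name, then rename
 * over the original, so the file never vanishes. Returns files replaced or -1. */
int unify_tree(const char *ref, const char *other, const char *rel)
{
    char rdir[PLEN], sub[PLEN], rp[PLEN], op[PLEN], tmp[PLEN];
    struct stat rs, os; struct dirent *e; int replaced = 0;
    snprintf(rdir, sizeof rdir, "%s/%s", ref, rel);
    DIR *d = opendir(rdir);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(sub, sizeof sub, "%s%s%s", rel, *rel ? "/" : "", e->d_name);
        snprintf(rp, sizeof rp, "%s/%s", ref, sub);
        snprintf(op, sizeof op, "%s/%s", other, sub);
        if (lstat(rp, &rs) != 0) continue;
        if (S_ISDIR(rs.st_mode)) {                         /* recurse */
            int n = unify_tree(ref, other, sub);
            if (n > 0) replaced += n;
            continue;
        }
        if (!S_ISREG(rs.st_mode) || is_config(sub)) continue;
        if (lstat(op, &os) != 0 || !S_ISREG(os.st_mode)) continue;
        if (os.st_dev == rs.st_dev && os.st_ino == rs.st_ino) continue;  /* shared already */
        if (os.st_size != rs.st_size || !same_contents(rp, op)) continue;
        snprintf(tmp, sizeof tmp, "%s.unify", op);
        if (link(rp, tmp) != 0 || rename(tmp, op) != 0) { closedir(d); return -1; }
        replaced++;
    }
    closedir(d);
    return replaced;
}

/* Constructed fixture: two tiny contexts under a temp directory, then unify.
 * Returns how many files became hardlinks (2: ls and libc.so; etc/passwd is
 * configuration and vi differs between the contexts), or -1 on any failure. */
int unify_demo(void)
{
    static const char *dirs[] = { "usr", "usr/bin", "usr/lib", "etc" };
    static const char *files[] = { "usr/bin/ls", "usr/lib/libc.so", "etc/passwd", "usr/bin/vi" };
    static const char *data[2][4] = { { "ls-binary", "libc-bytes", "root:x:0:0", "vi-version-A" },
                                      { "ls-binary", "libc-bytes", "root:x:0:0", "vi-version-B" } };
    char base[] = "/tmp/unifyXXXXXX", root[2][PLEN], p[PLEN];
    struct stat st; FILE *f;
    if (!mkdtemp(base)) return -1;
    snprintf(root[0], PLEN, "%s/refserver", base); snprintf(root[1], PLEN, "%s/server1", base);
    for (int c = 0; c < 2; c++) {
        if (mkdir(root[c], 0755) != 0) return -1;
        for (int i = 0; i < 4; i++) {
            snprintf(p, sizeof p, "%s/%s", root[c], dirs[i]);
            if (mkdir(p, 0755) != 0) return -1;
        }
        for (int i = 0; i < 4; i++) {
            snprintf(p, sizeof p, "%s/%s", root[c], files[i]);
            if (!(f = fopen(p, "w")) || fputs(data[c][i], f) < 0 || fclose(f) != 0) return -1;
        }
    }
    int n = unify_tree(root[0], root[1], "");
    /* shared binary: link count 2 (one inode in both contexts); config file: still 1 */
    snprintf(p, sizeof p, "%s/usr/bin/ls", root[1]);
    if (stat(p, &st) != 0 || st.st_nlink != 2) return -1;
    snprintf(p, sizeof p, "%s/etc/passwd", root[1]);
    return (stat(p, &st) == 0 && st.st_nlink == 1) ? n : -1;
}
```

The fixture is left under /tmp so the link counts can be inspected with “ls -li” afterwards.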

vrpm Server1 Server2 -- -hiv package.rpm

The server name “ALL” ensures that the package is installed on all your servers:

vrpm ALL -- -hiv package.rpm

Table 1: Capabilities

Capability            Description
CAP_NET_RAW           Create arbitrary IP packets, as used by “ping” for example
CAP_SYS_TIME          Set the time (“date”, “netdate”, “xntpd”)
CAP_NET_BROADCAST     Send broadcast packets (e.g. Samba)
CAP_NET_BIND_SERVICE  Bind ports below 1024
CAP_CHOWN             Change the owner of a file
CAP_KILL              Send signals (such as SIGHUP or SIGKILL) to arbitrary processes
CAP_SYS_CHROOT        Initiate a change root jail
CAP_SYS_BOOT          Reboot the system

Figure 1: The admin user can issue the “vserver myserver enter” command to enter the server context. Once there, only the processes belonging to the current context are visible

Figure 2: The “vserver-stat” command provides an overview of the status of all the VServers running on a host machine. The rightmost column gives the VServer name

Page 32: linux magazine uk 27

Listing 1: Installing Packages

#!/bin/bash
# Install a minimal SuSE into a VServer directory from the installation DVD
TARGETDIR=/vserver/suse
TMPDIR=/tmp/rpmdir
PKGLIST=/tmp/paketliste      # package names, one per line
SRCDIR=/media/dvd
ARCH=i586

rm -rf "$TMPDIR"
mkdir -p "$TMPDIR"
cd "$TMPDIR" || exit 1
# collect one symlink per package so that rpm sees them all at once
for pkg in $(cat "$PKGLIST") ; do
    for rpm in "$SRCDIR"/suse/"${ARCH}"/"${pkg}"-[0-9]*.rpm ; do
        test -f "${rpm}" && ln -s "${rpm}" .
    done
    for rpm in "$SRCDIR"/suse/noarch/"${pkg}"-[0-9]*.rpm ; do
        test -f "${rpm}" && ln -s "${rpm}" .
    done
done
test -d "$TARGETDIR" || mkdir -p "$TARGETDIR"
mkdir -p "$TARGETDIR"/etc
mkdir -p "$TARGETDIR"/var/lib/rpm
# take the host's account files into the new context
cp /etc/passwd /etc/shadow /etc/group* "$TARGETDIR"/etc
rpm --root="$TARGETDIR" --initdb
# install all collected packages in one sweep so that rpm resolves the dependencies
rpm --root="$TARGETDIR" -hiv *.rpm

Minimizing Distributions

A VServer context normally does not require a full Linux distribution with all the gimmicks that implies. A minimal installation is normally perfectly okay for use as a server. Your best option is to install a minimal version of your favorite distribution in order to provide an environment you are familiar with.

Debian: Straight to the Target with “debootstrap”

The “debootstrap” [7] program is required to install Debian in a directory. The program is available as Debian and RPM packages. Those of you who don't mind downloading a 22 Mbyte file can install the program directly via the internet by invoking “debootstrap woody /vserver/servername http://ftp.de.debian.org/debian”. If you have the CDs, the command syntax is: “debootstrap woody /vserver/servername file:///cdrom/debian”.

Red Hat and Mandrake

The VServer package provides scripts for Red Hat 7.2, 7.3, and 8.0, and for Mandrake Linux 8.2. Mount the CD-ROM (“/mnt/cdrom”) to get started. The “/usr/lib/vserver/install-rh8.0 servername” command will install Red Hat 8.0, for example.

Manual Labor Required for SuSE

The late YaST 1 used to be able to install SuSE Linux in an arbitrary directory. Unfortunately, YaST 2 is no longer capable of doing this, so you will have to install the packages manually. The “suse/setup/descr/Minimal.sel” file on the first installation CD is the place to start. The file contains a list of the RPM packages required for a minimal installation. You need the RPMs between the “+Ins:” and “-Ins:” tags in this list, and also “yast2-trans-en_US” for English language support.

The next step is to run a script (see Listing 1) to install the packages. The script reads the “$PKGLIST” file, creates a list of symlinks to the RPMs, and then installs all the packages in a single sweep. This is essential to automatically resolve the RPM dependencies between the packages. If you want to go to all that trouble, you can sort the packages in the right order, and then use a “for” loop to install them.

It makes sense to re-launch “vunify” at this point to remove any duplicate packages installed in your server contexts.

The processes running in the individual server contexts cannot see each other. Although this is exactly what the doctor ordered, it does have the disadvantage that the admin user cannot see every active process on the host machine. Context 1 has a special significance here, as it can see the processes of every other context. You can use this context to display a list of all the processes running in all the contexts on your host machine.

To simplify administrative tasks the “vtop”, “vps”, “vpstree”, and “vkill” programs are available for the same tasks as their non-v relatives perform, provided they are running in context 1. “vps” additionally displays the name of a context, where “MAIN” represents the host context, 0, and “ALL_PROCS” refers to context 1.

The VServer patch adds three system calls used for context management to the kernel. The “vserver” command initiates these syscalls to create a new context, to assign an IP address to the context, and to restrict its capabilities. Additionally, the tool calls “chroot” in the server directory, and launches “init”. You can also issue these commands individually: “chcontext” creates a new context, or changes to an existing context, “chbind” binds a process to specified IP addresses, and “reducecap” restricts root privileges. Normal users can only add new contexts with “chcontext”, but root is allowed to change to an existing context.

It is easy to demonstrate that processes running in different contexts cannot see each other using “/usr/sbin/chcontext bash”. “ps aux” in the new shell lists only three processes: “init”, “bash”, and “ps”. New processes, such as “xterm”, are only visible in this context, and can only be killed from within the context. Despite this segregation of processes, root still has far-reaching privileges. “reducecap --secure bash” removes root's global privileges, and “reducecap --show” shows the privileges that still exist.

Traps

A server context may look like a real server, but there are a few peculiarities you should be aware of. All the server contexts run on the same kernel and thus on the same TCP/IP stack. Thus, each context can bind only to the IP address assigned to it, and definitely not to localhost. Attempts to access 127.0.0.1 will fail. But most programs are quite happy to accept the IP address of the server context as the “localhost” entry in “/etc/hosts”.

If you run multiple server contexts on a single-homed host, a dial up computer for example, the guest systems will not be able to connect to the internet

Page 33: linux magazine uk 27

directly, as NAT (Network Address Translation) does not work locally. Outgoing packets will contain the IP address of the server context (which is invalid outside of the host system), meaning that replies will not reach the context. To avoid this, the host system must provide proxies (Squid, Bind…) and each context must use them.

VServer cannot use file system quotas, although each context has its own “/etc/passwd”, which it uses to manage its own range of user IDs. However, the file system sees the IDs of all the contexts on your host machine when calculating quotas. If duplicate IDs occur, the file system will regard the files in each context as belonging to the same user ID. If a user in one context exceeds the quota, any other users with the same ID in every other context will be affected. VServer's author is looking into a patch that re-maps user IDs on the fly for every context to provide globally unique IDs.

Virtual server contexts provide new methods of server management. Web servers with root access are one obvious application. If customers want to install their own scripts, databases, services, or similar, they can do so within their own contexts. Misconfigurations or successful compromises will be restricted to a single context and will not endanger the other servers.

VServer Provides Enhanced Security

It is easier to discover hostile activity within a server context. If an attacker installed a rootkit on a normal server, it might be difficult to discover, as the system tools required to discover the rootkit would presumably have been replaced by tools that conceal the presence of the kit.

Virtual server contexts make it easy to discover rootkits, provided the host system has not been compromised. The contexts are stored in subdirectories of the host system and can be inspected from there; you could use Tripwire to scan for modified files and notify you of any changes.

VServer also simplifies backing up multiple servers; instead of backing up multiple hosts, the backup program simply backs up the “/vserver” directories. If a client forgets their root password, the host system admin can easily reset it by editing the “passwd” file in the subdirectory belonging to the client's server context.

In a restricted context, VServers are also useful for server consolidation. You can replace multiple stand-alone servers with a single server, provided of course they all run on Linux.

The distribution is unimportant in this case; in fact it is quite simple to run Debian, Red Hat, and SuSE simultaneously on a single host. But the inverse case also applies; should circumstances dictate this course of action, you can export virtual server contexts to stand-alone machines.

Conclusion

VServer allows a host machine to assume the role of a virtual server farm. You can run multiple parallel Linux installations on a single machine without the overheads involved with emulators such as VMware. If you want to separate your mail, web and ftp servers to prevent a malevolent hacker compromising all your services with a single exploit, this tool can help you avoid investing in additional hardware. And VServers are extremely practical with respect to administrative tasks, allowing you to install new software on the machines in next to no time. ■

Listing 2: Sample Configuration

# /etc/vserver/myserver.conf
IPROOT=192.168.0.1
IPROOTDEV=eth0
S_HOSTNAME=myserver.domain.co.uk
S_FLAGS="lock nproc"
ULIMIT="-H -u 1000"
S_CAPS="CAP_NET_RAW"

Table 2: Options

Option        Description
IPROOT        IP address of the virtual server. Use a space character to separate multiple addresses. The name of the network adapter can optionally be supplied, colon-separated.
IPROOTDEV     The network adapter that should use the IP.
IPROOTMASK    Network mask for the IP address. This defaults to the network mask of the network adapter.
IPROOTBCAST   Broadcast address for the IP address. This defaults to the broadcast address of the network adapter.
ONBOOT        Specifies whether the init script should launch the server automatically on booting. “yes” and “no” are valid options.
S_CAPS        The capabilities that should be assigned to the context.
S_CONTEXT     Context number. This defaults to a new number.
S_DOMAINNAME  NIS domain name.
S_HOSTNAME    Host name.
S_NICE        Minimum nice level for all processes in this context.
S_FLAGS       Miscellaneous flags, separated by space characters. “lock” prevents the context from creating a new context. “sched” causes the scheduler to treat all the processes in this context as a single process and thus avoids overloading the CPU with too many processes. “nproc” applies the ulimit value for the number of user processes globally to this context. “private” prevents other contexts from changing to this context – including the host context. “fakeinit” spoofs process ID 1 for the command, allowing “/sbin/init” to be called.
ULIMIT        The ulimit parameters for the context. The “S_FLAGS” entry “nproc” applies the process limit to the whole context.

INFO

[1] VServer: http://www.solucorp.qc.ca/miscprj/s_context.hc
[2] User Mode Linux: http://user-mode-linux.sourceforge.net/
[3] VMware: http://www.vmware.com
[4] Plex86: http://savannah.nongnu.org/projects/plex86
[5] Bochs: http://bochs.sourceforge.net/
[6] VServer sources: ftp://ftp.solucorp.qc.ca/pub/vserver
[7] Debian bootstrap: http://people.debian.org/~blade/install/debootstrap/

THE AUTHOR

Kurt Huwig is the Chairman of the iKu Systemhaus AG in Saarbrücken, Germany, and has been installing Linux servers since 1996. Kurt spends his free time authoring for the Open Antivirus Project, a GPL licensed virus scanner.

Page 34: linux magazine uk 27

Architecture of Rule Set Based Access Control (RSBAC)

Security Architecture

Integrating multiple security models simultaneously in the kernel and detailed logs of any access: the free Rule Set Based Access Control (RSBAC) security system offers customized protection for a wide range of requirements.

BY AMON OTT

THE AUTHOR

Amon Ott is a self-employed computer scientist and the author of the RSBAC system. His mainstay is bespoke development and Linux firewalls, preferably with RSBAC. He is also working on his doctorate, which he hopes to complete shortly.

Linux security holes typically occur in server programs and S bit tools. The best approach would be to avoid mistakes and update programs immediately if a bug occurs. This is not always possible; the next best thing is to restrict potential damage, and this is where access control systems such as RSBAC come into play [1].

If an attacker exploits the security holes in servers or S bit tools, access to the system should be restricted to a minimum. In this case, even a successful compromise will cause only limited damage, and protective mechanisms can be implemented directly in the operating system kernel.

The standard Linux kernel prevents access to various resources such as files, directories or system configurations, but unfortunately the standard mechanisms are fraught with weaknesses:

• Poor granularity
• Discretionary access control
• An all-powerful root user

Linux access controls only offer the standard privileges read, write and execute; additionally they only allow distinct privileges to be defined for the owner of a file, the members of a group and all others. Restrictions typically do not apply to the root user. The granularity of these privileges is thus insufficient for many tasks.

Linux Privileges – not enough

The owner of a file can do what she pleases with that file; this is commonly referred to as DAC, or discretionary access control. If an attacker has compromised a process, the attacker's activities assume the privileges of the account used to run that process. Thus, an attacker, if fortunate, can manipulate any files belonging to the compromised account with the gained access privileges.

The all-powerful system administrator, root, is the most dangerous of the issues mentioned so far. Many activities are restricted to the root user, from administrative tasks to simple actions. Thus most services are originally launched with root privileges and have superuser access to the whole system, without ever actually needing these extensive privileges.

What is worse is the fact that many services need to be run with root privileges (or to be able to assume root privileges at any time) to allow them to change to any user account. The POSIX capabilities introduced to the Linux kernel a while back allow a program launched by root to drop some privileges, but this is left up to the program itself.

Architectural Requirements

The main aim for the developers of RSBAC was to produce a flexible and effective access control system as an add-on for existing Linux mechanisms. To achieve this goal, the system must fulfill a number of requirements:

It must provide the underlying platform to allow the developer to program access control models quickly and simply. This permits a clear distinction between components that make decisions, and components that enforce them.

The enforcement components act independently of the components that

Page 35: linux magazine uk 27

make decisions. New decision models can use the underlying infrastructure.

A large number of tried and trusted security models exist for various tasks, and combinations of these models sometimes make sense, depending on the situation. The underlying framework should thus support multiple security models simultaneously and independently, allowing the administrator to choose the most suitable model for the current assignment. No matter what model is in use, activities and any decisions taken need to be logged, and the logs must be protected from attempted manipulation.

The original RSBAC system design fulfills nearly all these criteria. Over the course of the last five years the range of functions and monitored objects has increased dramatically, allowing RSBAC to monitor networks. The main elements of the original have been tested during this time and the developers see no reason to revise them.

Inner Values

We need to explain a few terms in order to describe the internal architecture, so bear with us. From the access control perspective a subject attempts to invoke a specific type of access to an object. On a Linux system, the following occurs: a process (the subject) attempts to read (access type) a file (object).

The various object types are categorized by target type on an RSBAC system (see Table 1 for an overview). RSBAC also distinguishes a large number of access types (request types) that are applied to the object types.

Table 2 lists a selection of access types, some of which are used in our practical example later. The entire list is available in the documentation from [1]. The basic building blocks of the RSBAC system are shown in Figure 1. The enforcement component, or Access Control Enforcement Facility, AEF, mainly comprises enhancements of existing system functions.

These enhancements require the decision making element, or Access Control Decision Facility, ADF, to reach a decision before any access (and thus any possible compromise) is permitted.

If the ADF refuses access, the AEF will return an “access denied” error to the subject. The decision facility and the data structures used are mostly independent of the kernel version. Only the AEF requires one or two changes to existing kernel functions. This component was produced by enhancing existing syscalls.

Components co-operating

Access control involves a number of steps. The subject (the process) calls a system function to request access to an object (1). An extension of this function (the AEF) reads some system values, such as the process ID, the type, and ID of the target object (2), before calling the decision facility, ADF, and handing on the information it has collected and the type of access (3). The request is originally addressed to the central decision facility of the ADF. This function requests individual decisions from all active decision modules. The modules read attributes from data structures (4) and reach a decision: permitted, not defined, or denied.

The central function collates the individual decisions, and returns a collective decision (5). The ADF is restrictive in this respect; if a single module returns a negative reply, the ADF will deny access. Actions are only permitted if all the modules agree that they should be permitted.

In the case of a negative decision, the system call is halted and returns an access error to the process (6). In the case of positive decisions, the AEF continues with the system call itself. If the call is successful, the AEF sends a message to this effect to the ADF (7).

The central messaging function of the ADF is responsible for passing the message to the appropriate module functions. The module functions retrieve the current attributes from the data structures (8), update them (9) and confirm that the call has been completed correctly (10).

If a new object was created by the system call, the message from the AEF to the ADF will contain the type and ID for the new object. The decision modules then create the attributes of the object. After confirming, the system function passes the requested

Figure 1: A subject's access to an object is monitored by the Access Enforcement Facility (AEF). The Access Decision Facility (ADF) decides whether to permit or deny access

[Figure 1 shows, inside the Linux kernel: the subject, the AEF, the ADF with its modules RC, AUTH and ACL, the data structures, the system values and the object. Numbered steps: 1 access request; 2 read system values; 3 request decision; 4 and 8 access to data structures; 5 answer: granted or not granted; 6 if access is denied: error message (and cancel); 7 notify; 9 update; 10 confirm; 11 access]

Table 1: Target Types

Name      Description
FILE      Also includes special device and UNIX network files if they are handled as files
DIR       Directory
FIFO      Pipe with name entry in file system
SYMLINK   Symbolic link
IPC       Inter Process Communication object on System V basis
SCD       System Control Data – global system settings and objects such as host names or time
USER      User object, mainly serving the purpose of managing attribute assignments
PROCESS   Process object for receiving signals or reading process statuses
NETDEV    Network device
NETTEMP   Network template
NETOBJ    Network object – normally sockets

Page 36: linux magazine uk 27

a “CREATE” request for the target directory, creates the file and informs the decision facility of the new object. Otherwise a “TRUNCATE” request is issued for the file, the open function truncates the file to zero, and reports the success of the operation.

After this preparatory work, the syscall generates a “READ_WRITE_OPEN” request and opens the file. The ADF learns that the file has been opened and updates the file's attributes. This provides the process with a descriptor so that the process can go on running.

Data Storage Structures

As already mentioned, so-called attributes, which are assigned to every user, process, and object, are the basis for each access decision. Attribute management is the task of the general data storage facilities. Additional model specific data, such as groups or access matrices that cannot be organized within generic structures, also exist. Model specific structures provide storage facilities in this case.

The data storage component takes care of the thankless task of list management, thus reducing the load on the decision facilities; this involves disk storage, SMP locking (for multi-processor systems), and similar tasks. It stores the majority of this data in a generic list system that allows any number of generic one or two-tiered lists (lists of sublists), with indices and data fields of any size, to be easily registered.

The decision facilities register their lists on RSBAC initialization or when binding a file system. Only a few of the lists are implemented differently due to specific conditions.

Persistent Data

If necessary, generic lists can provide persistent data storage, that is, the data stored in the lists will survive a reboot or deregistration. To achieve this, the

data (11) and control back to the invoking process.

A Practical Example

A practical example is useful to our understanding of the theoretical path. When a process wants to open a file for read and write access, it uses “sys_open()” with appropriate parameters. The parameters might specify that “sys_open()” should create the file if it does not already exist, or possibly truncate the file to zero length if the file exists.

If the ADF rejects one of the following decisive questions, the system call terminates and issues an “access denied” message. The first thing “sys_open()” needs to do is to resolve the filename to discover the inode.

An auxiliary function, whose RSBAC extension sends a “SEARCH” request to the ADF for every folder touched, takes care of this. If the file does not exist, the extension of the open function generates

Table 2: Request Types

Name             Object Types                                                        Description
BIND             NETDEV, NETOBJ                                                      Bind network addresses
CLOSE            FILE, DIR, FIFO, DEV, IPC, NETOBJ                                   Close a file descriptor
CONNECT          NETOBJ                                                              Open connection to remote node
CREATE           DIR (where), IPC, NETTEMP, NETOBJ                                   Create object
DELETE           FILE, DIR, FIFO, IPC, NETTEMP                                       Delete object
EXECUTE          FILE                                                                Execute file
NET_SHUTDOWN     NETOBJ                                                              Close connection channel
READ             DIR, SYMLINK, IPC, NETTEMP (optionally FILE, FIFO, DEV, NETOBJ)     Read from object
READ_WRITE_OPEN  FILE, FIFO, DEV, IPC                                                Open for reading and writing
RECEIVE          NETOBJ                                                              Receive data from remote node
SEARCH           DIR, SYMLINK                                                        Name resolution
SEND             NETOBJ                                                              Send data to remote node
TRUNCATE         FILE                                                                Change length of file

Figure 2: Admins can use network templates to assign access privileges to network address and port ranges. In our example, the ports on all the hosts in the IP network 192.168.200.0/24 have been selected

Figure 3: The main administration menu provides the RSBAC user with a straightforward configuration interface, with simple control over all of the Decision Module functions

Figure 4: RSBAC needs to be enabled in the Linux kernel. A configuration menu is available for basic settings

Page 37: linux magazine uk 27

“rsbacd” kernel daemon periodicallysaves any lists tagged as changed inspecial protected directories on the harddisk, where they are read by the datastorage facility on re-registering the list.A registration parameter specifies whatpartition these files can be stored on toallow targeted binding of any of the filesystem objects.

Modules can optionally supply adefault value when registering a list. If a list element goes missing at a laterdate, the data storage facility will alsosupply this value. For optimizationpurposes, any persistent elements con-taining default values are deleted.

If a value changes, the data storagefacility reinstates the element. In thecase of two-tiered lists, sublists aregenerated or deleted as required. Thisprocedure keeps the length of the lists toa minimum and thus reduces the accesstimes needed.

Every list element is assigned a time limit when it is created or updated, and is removed once this period expires. This characteristic is used by some decision facilities to generate temporary entries or privileges. Persistent values are marked with a value of “0”. Generic lists are implemented as double linked, sorted lists that allow you to register both descriptive and comparative functions for optimized access.

If a function of this type has not been registered, simple “memcmp()” based memory comparison is used. [2] provides a more detailed description of the list management interfaces and parameters.
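The three list rules described above (a registration-time default value whose persistent elements are not stored, an element that is reinstated when its value changes, and a time limit where “0” means persistent) are easy to get wrong in combination, so here is a small model of them. This is an added illustration written for this article, not RSBAC's own generic list code: it keeps elements in a dictionary rather than a double linked sorted list, and the “FakeClock” is a constructed stand-in for kernel time so that expiry can be exercised offline.

```python
import time

PERSISTENT = 0  # a time limit of "0" marks a persistent element


class FakeClock:
    """Constructed clock so the example can advance time deterministically."""

    def __init__(self, start=1000.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class GenericList:
    """Model (not RSBAC code) of a generic list with default value and TTLs.

    _items maps key -> (value, expiry), where expiry is an absolute time
    or PERSISTENT.  Elements whose value equals the registered default are
    not stored at all; a lookup of a missing element returns the default.
    """

    def __init__(self, name, default=None, clock=time.time):
        self.name = name
        self.default = default
        self.clock = clock
        self._items = {}

    def _purge_expired(self):
        """Remove every element whose time limit has passed."""
        now = self.clock()
        expired = [k for k, (_, exp) in self._items.items()
                   if exp != PERSISTENT and exp <= now]
        for k in expired:
            del self._items[k]

    def set(self, key, value, ttl=PERSISTENT):
        """Create or update an element; ttl in seconds, 0 = persistent."""
        self._purge_expired()
        expiry = PERSISTENT if ttl == PERSISTENT else self.clock() + ttl
        if (expiry == PERSISTENT and self.default is not None
                and value == self.default):
            # A persistent element that only restates the default carries
            # no information: drop it (or never store it) to keep the list short.
            self._items.pop(key, None)
            return
        # A value that differs from the default (or is temporary) is
        # stored, reinstating the element if it had been dropped before.
        self._items[key] = (value, expiry)

    def get(self, key):
        """Return the stored value, or the default for missing/expired keys."""
        self._purge_expired()
        if key in self._items:
            return self._items[key][0]
        return self.default

    def stored_count(self):
        """Number of elements actually held in memory (after purging)."""
        self._purge_expired()
        return len(self._items)


def demo():
    """Walk through default handling and a temporary privilege entry."""
    clk = FakeClock()
    privs = GenericList("demo_privs", default="none", clock=clk.now)
    privs.set(1001, "none")            # equals default: not stored
    privs.set(1002, "admin", ttl=60)   # temporary privilege, expires in 60 s
    before = (privs.get(1001), privs.get(1002), privs.stored_count())
    clk.advance(61)
    after = (privs.get(1001), privs.get(1002), privs.stored_count())
    privs.set(1001, "rw")              # value changed: element reinstated
    return before, after, privs.get(1001), privs.stored_count()


if __name__ == "__main__":
    print(demo())
```

The purge runs lazily on every access, which is the simplest way to model “removed once this period expires”; a kernel implementation would of course not scan the whole list on each lookup.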

Rule Templates

Network connections are fairly ephemeral in most cases; data packets are often transmitted individually and independently. That makes it particularly difficult to assign attributes to them, as administrative overheads would be punitive. RSBAC provides network templates for this task. They describe multiple network end nodes based on various criteria, such as the protocol family, connection type, network protocol or port number. Figure 2 shows an example of how they are defined.

RSBAC will not store the attributes separately for each network end node, or for each connection, but collectively in a template. The end nodes of the network (that is the source or target of data transmission) inherit their values from the most suitable template (that is the template with the lowest descriptor). This allows the ADF to reach a decision for “CONNECT” type access by reference to the template attributes of the source or target address by simply looking up the template.
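The template lookup just described, as an added example written for this article rather than RSBAC's own code: each template carries a descriptor number, an address range, a port range and a protocol, and an end node takes its attributes from the matching template with the lowest descriptor. The sample templates (the 192.168.200.0/24 network from Figure 2, a proxy port and a catch-all) and the “connect_users” attribute are constructed for the illustration; how RSBAC actually encodes template attributes is not shown on the page.

```python
import ipaddress


class NetTemplate:
    """One network template (constructed model, not RSBAC's data layout)."""

    def __init__(self, descriptor, network, ports, protocol, attrs):
        self.descriptor = descriptor          # lower number = more suitable
        self.network = ipaddress.ip_network(network)
        self.ports = ports                    # inclusive (low, high) tuple
        self.protocol = protocol              # e.g. "tcp" or "udp"
        self.attrs = attrs                    # attributes shared by all end nodes

    def matches(self, addr, port, protocol):
        low, high = self.ports
        return (protocol == self.protocol
                and ipaddress.ip_address(addr) in self.network
                and low <= port <= high)


# Constructed sample templates (the 192.168.200.0/24 range is from Figure 2;
# descriptors, the proxy port 3128 and user names are assumptions).
TEMPLATES = [
    NetTemplate(10, "192.168.200.0/24", (1, 65535), "tcp",
                {"connect_users": {"alice", "bob"}}),
    NetTemplate(20, "0.0.0.0/0", (3128, 3128), "tcp",
                {"connect_users": {"browser"}}),
    NetTemplate(99, "0.0.0.0/0", (1, 65535), "tcp",
                {"connect_users": set()}),
]


def best_template(templates, addr, port, protocol):
    """Return the matching template with the lowest descriptor, or None."""
    candidates = [t for t in templates if t.matches(addr, port, protocol)]
    if not candidates:
        return None
    return min(candidates, key=lambda t: t.descriptor)


def adf_connect(templates, user, dst_addr, dst_port, protocol="tcp"):
    """Decide a CONNECT request purely from the target's template attributes.

    No matching template is treated as NOT_GRANTED (an assumption of this
    model; RSBAC's handling of uncovered addresses is not described here).
    """
    tpl = best_template(templates, dst_addr, dst_port, protocol)
    if tpl is None:
        return "NOT_GRANTED"
    allowed = tpl.attrs.get("connect_users", set())
    return "GRANTED" if user in allowed else "NOT_GRANTED"


if __name__ == "__main__":
    for user, addr, port in [("alice", "192.168.200.5", 22),
                             ("alice", "10.0.0.1", 22),
                             ("browser", "10.0.0.1", 3128)]:
        print(user, addr, port, adf_connect(TEMPLATES, user, addr, port))
```

Note the ordering effect the text points out: a connection to 192.168.200.5:3128 matches both the local network template (descriptor 10) and the proxy template (descriptor 20), and descriptor 10 wins, so the admin has to number templates from most specific to least specific for the intended rule to apply.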

Administration

Templates allow you to specify that a specific user should only be allowed access to the local network via the Internet Protocol TCP, or that a browser can only access the HTTP proxy port on your firewall. There is no need to configure each individual connection.

As RSBAC stores all of these settings in the kernel or in protected files, administrative tasks mean initiating system calls or accessing the “/proc” file system. This allows the kernel to

COVER STORY: RSBAC

configuration of most modules, but is a normal user like everyone else, apart from that.

A support module called “AUTH” was introduced to help out with user ID management, which is a critical issue. “AUTH” allows you to define the user IDs that specific programs and processes can assume. A process can only assume an ID that “AUTH” allows it to assume; any others are prohibited.

A number of RSBAC administration tools are available. They facilitate many administrative tasks and provide user interfaces for the RSBAC system calls. Menus provide for easier use – see Figure 3 for an example of the main “rsbac_menu” menu. RSBAC is probably the oldest and – judged by its codebase – most extensive free access control system for the Linux kernel. Its clear and modular structure ensures that the authors could keep track of development activities. RSBAC has become quite popular in Europe, where the system is in widespread use. Conservative estimates suggest that RSBAC is in use on several hundred production systems. ■

designate users who are permitted to change specific settings. And this is RSBAC’s solution to the major issue of the all-powerful root user: if the configuration files were stored in normal files, users with write access to these files would then automatically have administrative privileges. RSBAC allows multiple administrators to have different privileges.

Self-Control

With only a few exceptions, each decision module is responsible for its own attributes. Models with scientific backgrounds, such as RC and ACL (see insert “Decision Modules in RSBAC”) in particular, support the delegation of administrative tasks to multiple users. Root still has special rights in the default


Installation

Before you can install RSBAC, you first need to download the sources from the homepage. They comprise three parts: a tar archive contains modules that are independent of the kernel version. A version dependent kernel patch is additionally required. There is also a tar archive with administration tools. The RSBAC patch mainly comprises the initialization calls and adds system calls for AEF tasks. As an alternative, you can also download pre-compiled kernel sources as a bzip2 tar archive.

The kernels supplied by most distributions have mostly been through wide ranging modifications, and this often leads to issues. In this case, you may have to resort to the original kernel, available from ftp://ftp.kernel.org/pub/linux/kernels or a mirror site. After expanding the tar archive in the main directory for your kernel sources, and applying the patches, follow normal procedure to configure, compile and install the kernel. The additional “Rule Set Based Access Control” menu shown in Figure 4 comprises a number of submenus with a wide range of options, with help texts for each option. Default values are OK for most applications.

When you reboot, the “rsbac_auth_enable_login” kernel parameter allows the login program to switch to any user ID in order to permit users to log on. The “rsbac_softmode” parameter is useful for initial tests, as it merely logs decisions without enforcing them.

After successfully launching the system, you can go on to expand the support tools and follow the usual steps, “./configure && make && make install”, to compile and install them. If the RSBAC kernel sources are not available in “/usr/src/linux”, you might like to try the configure parameter “--with-kerneldir”.

INFO

[1] RSBAC home page: http://www.rsbac.org
[2] Interface to the generic list system: http://www.rsbac.org/lists.htm

Decision Modules in RSBAC

The current, stable RSBAC version 1.2.1 comprises the following decision modules and rules, some of which are used to implement more complex security models.

MAC – Mandatory Access Control, Bell-La Padula.

FC – Functional Control: This simple role model allows access to security information for security officers only and allows only administrators to access system information.

SIM – Security Information Modification: Only security officers are allowed to modify data tagged as security information.

PM – Privacy Model: A data protection model devised by Simone Fischer-Hübner to implement European data protection guidelines.

MS – Malware Scan: Checks files for malevolent software during read and execute access. Version 1.2.1 contains only a scanner prototype; the pre-release version 1.2.2-pre1 uses a professional virus protection software by F-Prot. Support for additional scanners is planned.

FF – File Flags: Global attributes apply to files and directories, “execute_only”, “no_execute”, “read_only”, “append_only”, for example.

RC – Role Compatibility: This powerful role model was designed specifically with Linux servers in mind. It defines roles for users and programs, and types for all kinds of objects. Access privileges for each type can be specified for every role. The model also allows a schema for a strict delegation of administrative tasks to multiple roles, and defines time limits for access and administrative privileges.

AUTH – Authentication Enforcement: This module governs “CHANGE_OWNER” requests for processes and thus any “setuid()” calls. Processes and programs can only access user IDs specifically allowed to them.

ACL – Access Control Lists: An access control list is assigned for each object, to define the permissible access types for various subjects. Subjects are defined as user IDs, RC roles, and ACL groups. If an object does not have an entry for a specific subject, it will inherit the rights assigned to a superordinate object, for example a directory. An inherited rights mask is available to filter inheritance, allowing any rights assigned to be filtered out for all subjects. The ACL model also defines superordinate default ACLs, individual group management for every user, and time limits for any rights and group memberships assigned.

CAP – Linux Capabilities: Allows you to assign minimum and maximum Linux capabilities (delegated root privileges) to any user and program. Thus server programs can run as normal user accounts, or root programs can be executed with restricted privileges.

JAIL – Process Jails: This module introduces a new system call “rsbac_jail()”, which is fundamentally an extension of the FreeBSD jail. Programs launched within the jail are captured in a chroot environment with restricted administrative and network privileges.
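The ACL inheritance rule in the insert (own entry if present, otherwise the superordinate object's rights filtered through the inherited rights mask, with a default ACL above the top-level object) is worth seeing as code, because the mask applies at every level on the way down. The following is an added illustration written for this article, not RSBAC's ACL implementation: request names are taken from Table 2, the directory tree, subjects and entries are constructed, time limits on rights are left out, and the assumption that a process with several subjects (user ID, RC role, ACL group) gets the union of their rights is a simplification of this example, not something the article states.

```python
# Request types from Table 2 that make sense for file system objects.
ALL_RIGHTS = frozenset({"READ", "READ_WRITE_OPEN", "EXECUTE", "SEARCH",
                        "TRUNCATE", "DELETE", "CREATE", "CLOSE"})

# Superordinate default ACL consulted when the top-level object has no entry
# for the subject (constructed sample).
DEFAULT_ACL = {"group:staff": frozenset({"READ", "SEARCH"})}


class AclObject:
    """A file or directory with its own ACL and inherited rights mask (model)."""

    def __init__(self, name, parent=None, acl=None, mask=ALL_RIGHTS):
        self.name = name
        self.parent = parent
        self.acl = {s: frozenset(r) for s, r in (acl or {}).items()}
        self.mask = frozenset(mask)   # filters what may be inherited from parent


def effective_rights(obj, subject):
    """Rights of one subject on obj, following the inheritance rule."""
    if subject in obj.acl:
        return obj.acl[subject]                   # explicit entry wins
    if obj.parent is None:
        return DEFAULT_ACL.get(subject, frozenset())
    # No entry: inherit from the superordinate object, filtered by this
    # object's inherited rights mask (applied for every subject alike).
    return effective_rights(obj.parent, subject) & obj.mask


def adf_decide(obj, subjects, request):
    """GRANTED if any of the process's subjects holds the request (assumption)."""
    for subject in subjects:
        if request in effective_rights(obj, subject):
            return "GRANTED"
    return "NOT_GRANTED"


def build_sample_tree():
    """Constructed tree: /srv -> www -> index.html / secret.txt."""
    srv = AclObject("/srv", acl={
        "user:alice": {"READ", "READ_WRITE_OPEN", "SEARCH", "CREATE", "DELETE"},
        "role:webadmin": {"READ", "SEARCH", "EXECUTE"},
    })
    # www lets only read and name resolution be inherited from /srv
    www = AclObject("www", parent=srv, mask={"READ", "SEARCH"})
    index = AclObject("index.html", parent=www)          # no entries at all
    secret = AclObject("secret.txt", parent=www,
                       acl={"user:alice": set()})        # explicit deny-all
    return {"srv": srv, "www": www, "index": index, "secret": secret}


if __name__ == "__main__":
    t = build_sample_tree()
    for obj in ("srv", "www", "index", "secret"):
        print(t[obj].name, sorted(effective_rights(t[obj], "user:alice")))
```

The example shows two things a practitioner checks when auditing such a configuration: a restrictive mask on a directory silently trims rights for every file below it, and an explicit empty entry on an object stops inheritance outright, which is the way to carve a single exception out of an otherwise inherited grant.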


familiarise yourself with the controls, almost all of which can be done from the mouse or trackball. During the play of the game there are three modes and possibly a fourth, should you just be starting the game or are playing a shot from a foul. This fourth mode allows you to place the cue ball where you see fit, within the rules of the game, by using the cursor keys. Once the cue ball is fixed in its position, you then have the chance to study how the balls lie.

The function keys F1 – F8 will take you to pre-defined views of the table. Pressing either one of the mouse buttons while moving the mouse will allow you to rotate your view of the table or control the angle of elevation relative to the table, while the cursor keys move your point of view relative to the plane of the table.

Yes, I agree, it sounds horrendously complex, and, to be honest, for the first few minutes it really is, but suddenly something clicks.

Hitting the middle button now takes you to your ‘aim’ view, and the control of the view now becomes relative to the cue ball. Pressing and holding the middle button then adds power to the strength of the shot and when the button is released, the shot is played.

The game designers have included a tutorial section to help you walk through these initial stages.

What is impressive is the rendering of the table and the balls in real time as

Maybe you are looking to immerse yourself in a different reality; your computer can be the very tool to help you achieve that goal.

BillardGL

One very absorbing, and totally frivolous use of time is BillardGL [1], a Free Software pool simulator. Now this might just be some frivolous fun for you, but it is actually being developed as part of the course work for the guys who are taking Computer Graphics at the University of Freiburg in Germany. And the results of that coursework are most spectacular.

The game’s web site has .RPMs and .deb files for download – and if you are very lucky, you may even find them on this month’s subscription CD – as well as binaries for Windows and Mac OS X platforms. The binaries are not very demanding on external libraries, so they should work with almost every distribution, so long as you have OpenGL loaded.

This program needs to be able to make the most of your 3D graphics card, and, unfortunately, if you don’t have 3D graphics on your machine, you won’t be playing this game. While the demands on the libraries are minimal, the demands made on the hardware are not so.

As a minimum, you will need to have a Celeron 300 processor and 64MB of RAM available, with a graphics card comparable to an nVidia TNT card. To get the most out of the game you will need a Pentium III and 128MB RAM to go with your GeForce, or comparable, graphics card.

Once installed, either by using your favourite graphical package manager or the command line

rpm -i BillardGL-1.75-6.i386.rpm

all you need to do is start to play, either from a menu, if you can figure out where it’s been hidden, or from the command line by name,

BillardGL

From its default starting point you will get the opportunity to enter into a tutorial mode, which is very handy, because you will need the chance to

It is important to, occasionally, take some time for yourself, to relax, to enjoy other pursuits. It is those very pursuits that we are going to explore, because, now that you have all you need to know about making your networks safe and secure from prying eyes, all that’s left to do is play a few games.

BY COLIN MURPHY

Color overload

Playing around

REVIEWS: Graphical Games

Figure 1: Once the shot has been played you then get to see how the balls lie

you shoot them across about, even occasionally sinking one. Attention has been paid to the rules of the games you can play, which, at the moment, are only 8 and 9 ball pool, so, for example, at the initial break four balls need to hit cushions or a foul is awarded.

The game is glorious to look at and most playable, even though it is in an unfinished form. There is no automated opponent and there is no sound, even though their web site gives a good impression of the lengths they have gone to capture some audio for later inclusion in the game. I am sure there will also be a demand for other types of games to be added, Billiards for instance.

So a nice, gentle stroll around a pool table might not be everyone’s idea for a fun time, and I am sure that those of you that have blisteringly fast 3D graphics cards will all be familiar with the first person perspective shoot’em up type games, like Unreal Tournament 2003, though wonderfully eye catching it is.

Pachi

Instead, we will settle back for some 2D fun and Pachi el Marciano [2]. If you are familiar with games like Manic Miner, then you have Pachi, but with the addition of 20 years of graphics art skills. The charms here are the characters, which, before they make it to screen, are hand drawn, scanned in and then colorized to give the unique and unusual graphic effect.

Available for download in binary form, for Windows and Linux, especially for those who just want to get on and play, and as source code as well, for those who want to help, and people do.

Due to inexperience, the author was unable to produce a generic Makefile that people could use to compile with the usual ./configure, make, make install incantation that we are all familiar with, until someone offered to help out.

Trackballs

Trackballs [3] is another one of those SDL based games. This gets its history from the arcade classic “Marble Madness”. In the game you control a small blue marble which you have to guide around a maze in a limited time. Just imagine the gravity of the situation!

Each maze also has a collection of obstacles ranging from sharp pencils to pools of acid. You can make the marble jump ramps if you follow the correct course and build up enough momentum. Hitting the obstacles, running out of time or falling off the maze onto the tiled floor end each turn. The game still remains under development, but the binaries worked flawlessly.

A simple editor (Guile 1.6.0) allows you to create your own levels if the three supplied levels are not enough. What is obvious is the effort these games developers are putting into providing all of the other effects that make games so absorbing, and this includes background music. The Pachi developers have friends who were in a band and persuaded them to allow the distribution of their music with the game. Music for Trackballs comes from one of the three supplied Ogg Vorbis encoded tracks, but special effects rely on .wav encoded sounds.

Spheres of Chaos

This shareware game (£5, US $8 for the full version) is based on Asteroids but rather than the usual vector graphics uses very fast SDL based colorful images. The small download demo at 254K [4] goes to show just what is possible with an eye for colour and simple modular graphics. The game is smooth in control as you would expect but the colorful explosions and the way the asteroids change shape and size when you shoot them makes the game a cut above the rest. The game gets quicker and alien spaceships materialize to chase and shoot at you.

After the first level things start to get much more difficult with space-mines and more modular asteroids that once hit appear to break into smaller spaceships and hunt you down.

The overall graphical effect is one of psychedelic mayhem and a good afternoon was happily spent shooting everything that moved. Because the game is written under the SDL system it is already available under Windows, Linux and RISC-OS. ■


Figure 2: Pachi the Martian begins another adventure

Figure 4: Spheres of Chaos – shoot everything that moves

INFO

[1] Billard GL: http://www.billardgl.de
[2] Pachi: http://dragontech.sourceforge.net
[3] Trackballs: http://www.lysator.liu.se/~mbrx/trackballs
[4] Spheres of Chaos: http://www.chaotica.u-net.com/chaos.htm

Figure 3: Trackballs showing a flying ball (which missed the platform ledge)

additionally provides a web-based tool for configuring both a DHCP server and a name server for multiple zones, which is certainly a welcome addition for the small business user.

The pre-configured spam filter, Spamassassin, is also new, with initial tests producing useful results. Both the spam filter and the SIEVE based mail filter [2] are configurable via the web based frontend.

Of course, users will hardly notice these new features, in contrast to the new web interface, which not only impressed on account of its color scheme, but due to the fact that it definitely seems to be far more tightly integrated with the new Comfire groupware and mail frontend than any of its predecessors.

Admin’s Little Helper

The Groupware component includes typical components such as a web-based calendar and address book, but also a to-do list, a project management tool, a knowledge base, document management facilities, a clipboard and a forum.

This allows you to define associations between objects, such as assigning a task to a file in the document management component. This feature looks extremely polished, although a trouble ticket tool would round things off nicely.

Admins in heterogeneous network environments will be more interested in another feature. In contrast to the previous SuSE E-Mail Server product, data synchronization for the ubiquitous Microsoft Outlook product is not only available via net-based Palm-Sync, but directly via an Outlook plug-in.

The current plug-in version not only allows you to synchronize Outlook address data with the LDAP based address book, but also to synch calendar data and define appointments. A group appointment feature is due for release at the beginning of 2003.

As regards user management, the web frontend simplifies the admin user’s task by allowing easy access to user data, and

Of course it is fun to make disparaging remarks about Microsoft’s Exchange Server, but the underlying concept of this groupware solution has become so popular with so many enterprises that market opportunities for alternatives seem realistic.

This prompted SuSE to introduce a new product, the SuSE Openexchange Server, at the Systems 2002 show in Munich, Germany. The server is based on an equally new United Linux distribution and provides a quick and simple YaST based setup.

Just like its predecessor, which went under the name of SuSE E-Mail Server, the new challenger to Microsoft’s dominance uses a combination of Postfix, Cyrus IMAPD, LDAP, and PostgreSQL. The new name is mainly down to the fact that Comfire [1], which itself uses Apache and Tomcat, has assumed the role of the webmail and groupware component. This central component (Figure 1) is a closed source product, which makes the Open component in the product’s new name somewhat debatable.

SuSE supplies two exhaustive manuals designed to provide the admin or user with additional information. Besides describing the installation procedure, the admin manual specifically covers using the administrative web front-ends and the configuration of mail clients in a networked environment. The user manual discusses the remaining functionality of the web frontend.

In addition to the email server functionality, SuSE also provides Samba with LDAP support. The web frontend allows you to configure the system as a Primary Domain Controller (PDC). SuSE

It’s “Seconds out and round four” for the SuSE E-Mail Server – and the new name, SuSE Openexchange Server, shows where SuSE are heading. This will surely get admins thinking about whether they can completely replace Microsoft’s Groupware solution. BY NICO LUMMA

SuSE Linux Openexchange Server

Open Exchange

REVIEWS: SuSE Openexchange Server

SuSE Openexchange Server

Basic configuration: approx. £800 +VAT (license for ten groupware clients, an unlimited number of external POP3/IMAP e-mail clients, 30 days installation support, 12 months system support and update service)
Five additional groupware licenses: approx. £100 +VAT
Additional information: http://www.suse.de/uk/business/products/suse_business/openexchange/


not only when creating new users. You can define access restrictions for the groupware product to hide specific components from individual users.

The “Groups and Folders” area allows you to assign individual users to multiple groups, and create a folder for Cyrus. Also, the web frontend allows you to change the Postfix and Cyrus IMAPD configuration, or to add an SSL configuration, and is capable of updating any appropriate files in a single step.

The administrative frontend is rounded off by an LDAP browser. Openexchange supports system administration by providing a web-based mail queue viewer. The “rrdtool” [3], which creates graphs to help visualize the system load or mail traffic volumes (Figure 2), is particularly useful. LDAP still remains the central component of SuSE’s Openexchange Server, thus providing admins with a uniform basis for user data. If the admin user decides to set up the Samba PDC, to allow the users to authenticate directly to the network, users can type the same password for email and Windows.

Admin Chicanery

Unfortunately, the installation procedures dictated by SuSE proved to be fairly hostile. Why do SuSE insist on you installing a new system, in stark contrast to their declared goal of simple updates? Sites running SuSE E-Mail Server 3.1 have no alternative but to back up and restore their user data. The scripts provided by SuSE took the pain out of the backup and restore operations.

It is also hard to understand why the server automatically boots to runlevel 5 and serves up the KDE desktop. The initial applause for the server-side spam filter is also somewhat muted by the fact that Spamassassin does not run as a daemon and thus produces unnecessary overheads on larger scale systems.

As SuSE offer seamless Samba integration, the fact that the current version offers a server-side virus scanner in the form of AMaViS, and the Samba “vscan” package (which scans Samba based file servers for viruses) is, however, a noticeable improvement compared to previous versions.

All in all, the Openexchange Server offers a range of functions that will fulfill the requirements of many enterprises, and that makes Openexchange a genuine alternative to Microsoft Exchange. ■


Kerio Mailserver 5

Figure 1: The new Comfire groupware product provides enhanced value

Figure 2: Mail traffic volume at a glance

INFO

[1] Comfire: http://www.comfire.de/englisch/produkt/produkt.htm
[2] SIEVE: http://www.cyrusoft.com/sieve/
[3] “rrdtool”: http://www.rrdtool.org/

THE AUTHOR

Nico Lumma is the Head of IT at Orangemedia.de GmbH and looks back on years of experience with the practical application of Linux in enterprise environments.

The trend towards integrated web frontend based email solutions for small to medium-sized businesses has prompted Kerio to offer a 30 day trial license for the Kerio Mailserver (Version 5) product (you can download a version from http://www.kerio.com/us/kms_home.html). The server supports IMAP, Web-Mail, WAP, and POP3 connections with optional SSL encryption. In addition to the standard version, which supports the Grisoft AVG, NOD32, F-Secure, and eTrust InoculateIT virus scanners, the product is also available with integrated support for McAfee Anti-Virus. We had no trouble installing both RPM packages with the server and the separate admin console (approx. 6 Mbyte in total) in our lab environment.

The admin frontend for Windows and Linux based systems was immediately available and provided direct access to critical settings. Kerio’s Web-Mail component is somewhat spartan and restricted to writing and reading email, although this may be sufficient for normal use. A license for a maximum of 20 clients is available for US $370, with 20 additional user licenses costing a further US $70. The version with an integrated McAfee virus scanner costs somewhere in the region of US $680 for 20 licenses, with 20 additional user licenses costing a further US $230.


An object oriented database like Caché prevents the so-called paradigm break between the database layer and the object oriented application. Unfortunately, the new Caché 5 version seems to have developed a nasty list towards Windows. BY BERNHARD RÖHRIG

Version 5 of Caché, the postrelational Database

Access to Objects

Prajuab Manklang, visipix.com

Intersystems from Cambridge, USA, has released a major update of the postrelational database Caché 5.

Today, fast and error-free application development is more or less unthinkable without object oriented workflows. However, in many cases this contrasts with the management of the underlying data in the form of SQL tables.

This so-called paradigm break requires all kinds of contortions to be handled by the developer.

One of the systems that prevents this break, or at least mitigates its effect, is the database management software, Caché, which recently went to version 5.

Linux Magazine was given an exclusive opportunity to test a pre-release version.

Caché does not manage databases as flat, relational tables, but rather as objects. A proprietary Unified Data Architecture that allows both object oriented and SQL access provides the underlying framework (see Figure 1). This allows almost arbitrary frontends to access the datastores, in order to retrieve and analyze data.

This in turn allows developers to use tools with which they are familiar, and so prevents a dependence on a specific operating system, allowing for different server- and client-side operating systems to be used. Caché Server Pages (CSP) are a particularly interesting feature, as they generate data and event based HTML or XML code, which is then rendered by the user’s own browser, on the fly.

The Linux operating systems Red Hat 7.2 and SuSE 7.3 are both supported, but earlier or later versions of these distributions should also work with only slight modifications provided they use the 2.4 version of the kernel.

Removing Obstacles to Installation

As regards the installation, very little has changed in comparison to previous versions. The fact that the documentation can now be accessed directly on the CD makes life somewhat easier for new users. This is quite important as most Linux distributions do not provide enough shared memory for the voracious database server, which unfortunately needs to be fired up during the installation procedure to install the system database. So if you have not heeded all the warnings that can be found in the documentation, your first installation attempt is most probably doomed to failure.

To remedy this situation check the maximum shared memory size and increase it, if required:

# cat /proc/sys/kernel/shmmax
33554432
# echo "200000000" > /proc/sys/kernel/shmmax

If your system has 256 Mbytes or less memory, you can use a slightly lower value. The “echo” command should be added to a start-up script, such as “/etc/init.d/boot.local”.

REVIEWS: Caché 5

Figure 1: Caché provides various access approaches for datastores (diagram layers, top to bottom: Java, EJB, ActiveX, .NET, C++, CSP, SOAP, ODBC, JDBC; Objects, XML, SQL; Basic, Caché Object Script, Class Library; SQL Gateway, ActiveX Gateway; Multidimensional Caché Data Engine; Caché Server)

THE AUTHOR

Bernhard Röhrig is an IT consultant and has written several books on Linux/Unix and databases. You can reach him on the Internet at: http://www.roehrig.com.

INFO

[1] Free evaluation copy: http://www.intersystems.de/downloads/
[2] Kirsten, Ihringer, Schulte, Rudd: “Object-oriented Application Development: Using the Cache Postrelational Database”, Springer Verlag, ISBN 3-540-67319-9

Innovations at a Glance

• Improved Performance
• Complete support for XML (class definitions, objects as XML documents)
• Not for Linux: IDE with editors, wizards and debugger (Caché Studio)
• Class Inspector for effective class definition management
• Basic and Java for Caché methods
• More effective compiling of classes
• Enhanced SQL engine and manager
• ODBC driver for Linux
• Enhanced Java support including J2EE and EJB
• SOAP access
• New Active X gateway
• Enhanced CSP technology

Intersystems Caché 5

A free single-user license of Caché 5 for Linux is available for download at http://www.intersystems.com/downloads/index.html. The download comes with an online documentation set as well as a “Building Applications with Caché” tutorial.

Apart from this, administrators can normally rely on the installation script to do what it is supposed to do. The bugs which were evident in previous versions of the system seem to have been removed, and this allows you to install even the web server connection with very little administrator intervention.

You can skip the license key input and install the database in a single-user mode [1]; the license can be extended at any time later.

After completing the installation steps you can immediately start using the database server. You might like to enter http://localhost/csp/samples/menu.csp in your browser to gain a first impression of the server’s versatility.

The documentation is far more exhaustive, more consistent, and easier to use than that of previous versions, and fully integrated in the Linux variant. To access the documentation on Linux, type http://localhost:1972/docbook/DocBook.UI.Page.cls in your browser. Incidentally, the documentation itself is a Caché XML application.

Of course progress has not only been made with respect to the documentation; there are many additions and enhancements of the server proper. Some of them are described in the “Innovations at a Glance” insert. In line with current trends, the program makes more use of standards such as XML, but the Basic language also plays a more prominent role than previously.

The new Caché Studio workbench replaces both the Object Architect and the Studio of previous versions and offers a uniform workbench for the development of class definitions, method code and CSP pages.

Macromedia Dreamweaver, which provides its own interface, still provides a useful alternative for developing CSP pages.

The debugger is new to the Studio workbench; it should help reduce some development effort, and allow the developer to tackle more complex projects. The Studio and the user-friendly management tools, where some details are definitely improved, obviously require a GUI, and this is the bad news for Linux users: the new Caché version does not provide an X window implementation.

Mandatory Windows Development Platform

In other words, if you want to run everything on a single server, you have no alternative but to purchase VMware and additional Windows licenses. Of course, all the tools are available for remote use via TCP/IP.

For the command-line inclined, you can still use telnet to send instructions directly to the database server. The commands required for this are outlined in the Caché Object Script Reference section of the online documentation. Some of the most important commands are also detailed under [2].

Conclusion

Caché 5.0 is a noteworthy alternative database and application server for Linux. Improvements in comparison with previous versions mean that updating is recommended, and newcomers would do well to look into Caché. However, since the developer environment is reserved exclusively for Windows, Caché is definitely not an option for the Linux purists. ■


concerned with the hardware. In this phase more exotic peripheral components are initialized. Additionally, certain maintenance tasks are performed; for example the system checks the hard disk briefly for errors, or tidies up areas used for storing temporary files.

Finally, various daemons and servicesare started to allow the Unix system toget on with the job in hand. The order inwhich all this occurs is precisely definedand carefully pre-meditated.

Kernelspace and UserspaceBefore we take a detailed look at theindividual steps, it is important to makea distinction between where and howindividual functions are executed. Thisalso decides if and how easily we canmanipulate these functions.

The first few steps after switching onthe system have nothing to do withLinux. The BIOS is something that meremortals normally have nothing to dowith, although you might need to installan update from time to time. And thefirst program that the BIOS loads fromthe boot sector is not really part of theoperating system proper. The so-calledboot loader merely has the task oflaunching the operating sys-tem. Besides theWindows NT

boot loader, thereare one or twomajor contenders inthe world of Linux, suchas LILO and GRUB. Whatthey all have in common isthe fact that the load andlaunch the operating system ker-nel at start-up.

For every kind of activity that fol-lows this step, Unix type operatingsystems provide two fundamental

options: Functions can run in the kernelor user space. Typical kernel functionsare tasks such as initializing major hard-ware drivers during the boot process. Toinfluence what happens within thekernel you need to modify the Linuxsource code and re-compile – this is the domain of alpha nerds!

Userspace refers to everything that canbe controlled by “normal” programs orscripts. Of course, there is interactionbetween the two. If a userspace programwants to access the hard disk, it will calla corresponding kernel function. And inthe case of Linux, kernel modules makethings particularly complex. Modules aredefinitely kernel functions, however,they are loaded and controlled byuserspace programs.

HardwareThe first few messages that appear onscreen are thus generated by the kernel,and we will not be investigating themany further in this article; after all,you cannot influencethem without

There is something fascinatingabout the boot procedure. It allstarts with a small amount of

silicon and a tiny program in the BIOS that is only loading an equally tiny program on the hard disk.

Then something happens, and at the end of whatever it may be, yourworkstation is up and running, andcompletely in control of its horde of complex hardware features andperipheral devices, with a networkconnection and a bunch of daemonsenabled – in other words, you have areal, live Linux system.

The boot procedure’s main task iseasily summarized – to initialize thehardware and software.

The data structure of theoperating kernel is pre-pared first; this isfollowed by a rudi-mentary check ofthe available hardware, after which theappropriate drivers are loaded. Thisallows the system to create the pre-conditions required to load the operatingsystem proper. After the BIOS and theboot sector have completed their tasks,the details they have ascertained aboutthe hard disk are temporarily lost.

Linux then goes on to load normalprograms, although they too are initially

When you switch a computer on it

will display a number of cryptic

messages before indicating that it

is ready for use by showing the

login window. This article shows

you the background processes going

on while your system is booting.

BY MARC ANDRÉ SELIG

From init to eternity

Ready – Steady – Go!

48 February 2003 www.linux-magazine.com

InitializationKNOW HOW

Page 46: linux magazine uk 27

considerable background knowledge.But after ten or twenty seconds the kernel has finished its preparatorywork, and launches the first userspaceprogram.

For most of today’s Linux distributions this will tend to be a short script called linuxrc, which is stored along with a few modules on a RAM disk created by the boot sector program. linuxrc is designed to load drivers and functions required to continue the boot process which have not been incorporated as kernel components. Drivers for SCSI hard disks, encrypted hard disks or important network drivers are some examples.

The functionality provided by linuxrc is optional – if all the drivers required by the system have been compiled into the kernel, meaning that no additional modules need to be loaded, you can do without linuxrc and the accompanying RAM disk.

However, it is unlikely that you will need to edit this script yourself, as this task is normally performed by your distribution’s installation routine, to ensure that the script will include the commands required for your computer and to guarantee that the RAM disk is available. If you modify your kernel at a later stage, you can save a lot of effort by compiling any features you need into the kernel proper instead of using modules.

An important goal must be reached by the end of this step: the remainder of the operating system must be available on the hard disk, that is, at least the root partition with the directories /bin, /sbin, /lib, /etc, /dev, and /tmp must be accessible. Full access will normally not be provided at this stage; that is, write access is normally prohibited. But at least the kernel can access the pre-defined sections of the partition.

init: The Mother of All Processes

After preparing the hardware, the kernel will then launch the boot process as the user sees it. No matter what you may change at a later stage, the first program to be launched will always be /sbin/init. Everything that happens on a Unix system originates in init as it launches every other program and script.

Unfortunately, this is where things start getting complicated again. Although it is clearly defined that init must be the first process to be launched, it is far less clear what init should do.

There are two common approaches for Linux. The first approach is called simpleinit and basically runs a simple script. The second approach is called SysVinit and is used by well-known distributions such as Red Hat, SuSE, or Mandrake. The name SysVinit is derived from Unix System V – so you will find a similar init functionality on other Unix distributions, such as Solaris, for example. The configuration of SysVinit is twofold; the configuration file proper is called /etc/inittab. It contains a table that assigns programs to specific events and starts a program when an event occurs.

An “event” would be the “boot process”, “transition to a networked environment”, or “shutdown computer”. The second part of the init configuration comprises so-called init scripts, which we will be looking into in more detail shortly.

Runlevel

Runlevels are an important concept of SysVinit. A runlevel describes an operating state of a Unix system. Table “Typical Runlevels on a Unix System” contains an overview of each status as they are typically defined.

Typical Runlevels on a Unix System

Runlevel  Status Description
0         The system is being shut down.
1         Maintenance mode (a single user mode, where only the administrator can work).
2         Restricted system functionality, for example, network services or GUI support may not be available.
3         The system is fully operational.
4         This runlevel is available for your own settings. However, most administrators will tend to modify an existing runlevel rather than defining a new runlevel 4.
5         The system is fully operational. Depending on your distribution either runlevel 3 or 5 may be used for this status.
6         The system is being prepared for rebooting.

/etc/inittab

The inittab file controls the behavior of init and contains comments (introduced by a hash sign #) and instructions in a table. Listing “Critical /etc/inittab entries” shows a short excerpt containing some critical entries.

Critical /etc/inittab entries

# Default runlevel after boot
id:3:initdefault:

# Initialization
si::sysinit:/etc/rc.d/rc.sysinit

# Individual runlevels
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# What happens on Ctrl-Alt-Del?
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# Text Mode Login
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3

# GUI Mode Login
x:5:respawn:/usr/X11R6/bin/xdm -nodaemon

Each line in the table comprises four colon-separated entries. The line starts with one or two letters or figures as a mnemonic abbreviation for the corresponding entry. The following entry contains one or multiple digits and specifies the runlevels where the entry is valid. For example, mingetty in Listing “Critical /etc/inittab entries” is only launched in runlevels 2 through 5; the line with shutdown immediately preceding it is not restricted to specific runlevels, and is thus available for actioning in all cases.

The third entry can contain a keyword for additional conditions. This normally defaults to respawn, that is, the corresponding program is restarted if it terminates. For example, mingetty generates a login prompt. If a user terminates a session, mingetty is relaunched and is thus available for the next user.

once is an alternative option, that is, the program is run once only when the system enters the current runlevel. This operating mode is useful for daemons and other programs that retire into the background immediately after being launched. If init attempted to relaunch these programs immediately, a large number of instances would be created within an extremely short period of time, and this would inevitably cause a crash of the computer.

The disadvantage is that init will not react if one of these programs is prematurely terminated.

The listing also contains a number of keywords: initdefault specifies the runlevel that the system defaults to on booting; sysinit describes a program that is only run on booting. Lines including the wait keyword contain scripts that are executed on entering the corresponding runlevel. They stop inappropriate programs, for example, a web server running on the machine should be terminated before rebooting. On the other hand, wait scripts also launch new programs required for the various operating statuses.

Finally, the fourth column in the inittab entry describes the program and any parameters, which will be called providing any applicable conditions have been fulfilled.

init Activities

In a typical configuration as shown here, init will perform three tasks after booting:
• First, basic settings are applied by running the rc.sysinit script.
• Second, init will switch to the runlevel specified in initdefault, thus starting various daemons and server programs.
• Third, a software that generates login prompts is launched. Depending on the peripheral devices attached, this can mean a normal character based or GUI login, or it may involve initializing a modem or an ISDN adapter. Network logins will be the domain of various daemons, however.

The basic configuration tasks performed by rc.sysinit normally comprise the following tasks for most distributions: the operating system clock is synchronized with the hardware clock; the hard disks are scanned for errors, and then mounted. The swap partition is activated, and a keyboard driver may be loaded to allow the administrator to interact with the system in case a hard disk error is detected. The network subsystem is prepared, for example, by setting the host name. Additionally various janitorial tasks are also performed.

These activities will depend on your distribution – early Linux systems were normally restricted to clock synch, host name setting, and hard disk checks.

Defining Runlevels

As we learned previously, a program called init controls the programs run during the boot process. We have also looked into the configuration file, /etc/inittab, which defines the default runlevel that the system will assume on booting. But how does the computer know what the runlevel comprises?

Each runlevel from 0 through 6 (see Table “Typical Runlevels on a Unix System”) has its own directory that contains a detailed description of the runlevel. On a “normal” Linux system the directory for runlevel 5 would be /etc/rc.d/rc5.d, for example, but names may vary depending on your distribution – /etc/rc5.d or even /etc/init.d/rc5.d are common alternatives.

Figure 1: Summary of the boot process (flow chart: Switch on, Self Check → BIOS loads the boot sector of the hard disk → Bootloader: Selection of the operating system and kernels → Loading Linux... Kernel and initialisation → RAM Disk available? yes: linuxrc loads driver modules; no: continue → Start Init → rc.sysinit: Network and filesystems preparation → Change to the matching runlevel)

GLOSSARY

BIOS: The BIOS (Basic Input/Output System) is normally stored on a programmable memory device (modern computers use EEPROMs) on your computer’s motherboard. In addition to the setup program that provides some hardware setup functionality, it normally contains some routines that control your computer’s boot logics. It tells the computer to read the boot sector on the hard disk, that is a few kilobytes of data, and run the program located there – and nothing else. The software in the boot sector is responsible for everything else. Theoretically, the BIOS can include device drivers for DOS based operating systems, but these are not used by Linux under normal circumstances.

Boot sector: The boot sector occupies the first track on the hard disk, and may contain a program responsible for loading the operating system. There is only one main boot sector on each hard disk, the so-called Master Boot Record (MBR), and an additional boot sector for each individual partition. The MBR is normally used to select an operating system when several OSes are installed on the same computer, or to load the boot sector on a hard disk partition, which in turn launches the operating system itself.

These directories contain the so-called init scripts, each of which controls one of your computer’s subsystems, such as the clock, the mail server, the web server or even the print spooler. The syntax for init scripts is uniform: when an init script is called, it is passed exactly one argument, either start or stop, depending on whether the service in question needs to be initialized or stopped. Many scripts can handle additional arguments for other tasks, but each init script will be aware of start and stop. Thus, init is capable of controlling each subsystem automatically.

When a system enters a different runlevel (see Figure 2), init will call all the init scripts in the corresponding runlevel directory. Changing to runlevel 2 will launch the scripts in /etc/rc.d/rc2.d, for example. Let’s take a look at the directory:

$ ls /etc/rc.d/rc2.d
K09sshd      S16apmd      S75keytable
K75netfs     S20random    S90xfs
K89portmap   S30syslogd   S99local
S08ipchains  S40crond
S10network   S60lpd

The name of each script comprises three sections:
• The letter “K” or “S” specifies whether to Kill or Start a subsystem.
• A two digit number between 00 and 99 specifies the order in which the scripts are called.
• An abbreviation describes the subsystem to make life easier for admins.

The runlevel directory shown in our example will thus kill the sshd, netfs, and portmap services. It then goes on to re-initialize a number of subsystems, in order to correct network settings or load a keyboard driver, for example. Current distributions tend to avoid calling subsystems that are already running, thus avoiding duplicate daemons.

A neat Unix system administrative style involves init scripts in the runlevel directories using links to other directories. The scripts themselves will thus be stored in /etc/init.d or /etc/rc.d/init.d. To activate a subsystem, you simply create a new link:

# cd /etc/rc.d/rc5.d
# ln ../init.d/mysql S97mysql
# cd ../rc0.d
# ln ../init.d/mysql K02mysql
# cd ../rc1.d
# ln ../init.d/mysql K02mysql
# cd ../rc6.d
# ln ../init.d/mysql K02mysql

The advantage: changes to the init script immediately apply to all copies, thus avoiding version conflicts. The example shows another important technique; when you create a new start link, you should immediately create appropriate stop links for runlevels 0, 1, and 6.
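The mechanics just described, modelled in a short script added here (this is not code from the article or from SysVinit): it parses an inittab excerpt, selects the entries init acts on for a runlevel, orders the K/S links of an rcN.d directory the way /etc/rc.d/rc calls them, and audits the start-link/stop-link convention. The inittab text and directory listings are constructed inline from the article's own listings, so it runs offline.

```python
"""Model of the SysVinit runlevel switch described above (added example, not
code from the article).  It parses an /etc/inittab excerpt, picks out the
entries init acts on for a target runlevel, and orders the K*/S* links of an
rcN.d directory the way /etc/rc.d/rc calls them: kill scripts (stop) first,
then start scripts, each group in ascending numeric order.  The inittab text
and directory listings are constructed inline from the article's listings,
so nothing here touches the real /etc."""
import re
from collections import namedtuple

InittabEntry = namedtuple("InittabEntry", "ident runlevels action process")

# Constructed sample: the "Critical /etc/inittab entries" listing.
INITTAB = """\
# Default runlevel after boot
id:3:initdefault:
# Initialization
si::sysinit:/etc/rc.d/rc.sysinit
# Individual runlevels
l0:0:wait:/etc/rc.d/rc 0
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
# What happens on Ctrl-Alt-Del?
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# Text Mode Login
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
# GUI Mode Login
x:5:respawn:/usr/X11R6/bin/xdm -nodaemon
"""

# Constructed sample: the `ls /etc/rc.d/rc2.d` output from the text.
RC2_D = ("K09sshd S16apmd S75keytable K75netfs S20random S90xfs K89portmap "
         "S30syslogd S99local S08ipchains S40crond S10network S60lpd").split()

LINK_RE = re.compile(r"^([KS])(\d{2})(.+)$")


def parse_inittab(text):
    """Return the entries of an inittab; comments and blank lines are skipped.
    Every entry has exactly four colon-separated fields (id, runlevels,
    action, process); a malformed line is rejected rather than guessed at."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) != 4:
            raise ValueError("inittab line %d: expected 4 fields: %r" % (lineno, raw))
        entries.append(InittabEntry(*fields))
    return entries


def default_runlevel(entries):
    """Runlevel named by the initdefault entry, or None if there is none."""
    for e in entries:
        if e.action == "initdefault":
            return e.runlevels
    return None


def entries_for_runlevel(entries, level):
    """Entries that apply when entering `level`: those whose runlevel field
    contains the digit, plus those with an empty field, which init treats as
    valid in every runlevel (sysinit is nonetheless run only once, at boot)."""
    level = str(level)
    return [e for e in entries
            if e.action != "initdefault" and (e.runlevels == "" or level in e.runlevels)]


def rc_order(names):
    """Order rcN.d link names as /etc/rc.d/rc runs them: K links ascending
    (each called with 'stop'), then S links ascending (called with 'start').
    Names that do not match K/S + two digits + subsystem are ignored.
    Returns a list of (argument, subsystem) pairs."""
    kill, start = [], []
    for name in names:
        m = LINK_RE.match(name)
        if m:
            kind, num, subsystem = m.groups()
            (kill if kind == "K" else start).append((int(num), subsystem))
    return ([("stop", s) for _, s in sorted(kill)] +
            [("start", s) for _, s in sorted(start)])


def missing_stop_links(rc_dirs, start_level, stop_levels=(0, 1, 6)):
    """Audit the convention from the text: every subsystem with an S link in
    `start_level` should have a K link in runlevels 0, 1 and 6, so that it is
    shut down cleanly on halt, single-user mode and reboot.  rc_dirs maps a
    runlevel to its list of link names; returns the (subsystem, runlevel)
    pairs for which the K link is missing."""
    started = {s for arg, s in rc_order(rc_dirs.get(start_level, [])) if arg == "start"}
    missing = []
    for level in stop_levels:
        stopped = {s for arg, s in rc_order(rc_dirs.get(level, [])) if arg == "stop"}
        missing.extend((s, level) for s in sorted(started - stopped))
    return missing


if __name__ == "__main__":
    entries = parse_inittab(INITTAB)
    print("initdefault runlevel:", default_runlevel(entries))
    for e in entries_for_runlevel(entries, 2):
        print("runlevel 2: %-8s %s" % (e.action, e.process))
    for arg, subsystem in rc_order(RC2_D):
        print("rc 2: %s %s" % (subsystem, arg))
```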

Prospective

If you have an hour or so to spare, take a look at the init scripts for the major runlevels on your system. You can learn a lot about your system by doing so – and at the same time brush up on your shell programming skills. A word of warning at this point: do not fool around with init. A single mistake in the boot configuration can tie your computer up completely – and you might not even notice until you reboot next morning. ■


THE AUTHOR

Marc André Selig spends half of his time working as a scientific assistant at the University of Trier and as a medical doctor in the Schramberg hospital. If he happens to find time for it, his current preoccupation is programming web based databases on various Unix platforms.


GLOSSARY

Links: Links are a vital concept for Unix style operating systems. Instead of creating a new file, you create a directory entry that points at the original file. When a program accesses this new entry, it will see the content of the linked original file. Hard links cannot be distinguished from the original file, whereas symbolic links are in fact only pointers.

Figure 2: Procedures on changing runlevel (flow chart: root gives command: telinit 2 → signal at init → look up in /etc/inittab: anything new for runlevel 2? → call /etc/rc.d/rc 2 → scripts from /etc/rc2.d (or the like): stop scripts K09sshd, K75netfs, K89portmap; start scripts S08ipchains, S10network, S16apmd, S20random, S30syslogd, S40crond, S60lpd, S75keytable, S90xfs, S99local)

File Systems

Fstab in the dark

The file system table (fstab) contains information on the partitions and volumes that need to be inserted into the directory tree on starting up the system. The table allows the administrator to enhance the security of a multi-user system by applying various options. BY ANDREAS KNEIB

During the boot process the /etc/fstab file is read by the mount command in an init script and implemented line by line. It includes entries for device files, CD-ROM drives and hard disk partitions which are available for immediate access after the system initialization.

The administrator can use the configuration in this file to assign mount points to drives and partitions, to specify the file system or to regulate access via access bits. Let us take a closer look at the entries in Listing 1.

Listing 1: fstab example

# The following lines are designed to explain and implement assignments
# (fs_spec) (fs_file) (fs_vfstype) (fs_mntops) (fs_freq) (fs_passno)
# [1]       [2]       [3]          [4]         [5]       [6]
/dev/hda1   /boot     ext2         defaults    1         2
/dev/hda2   /         ext2         defaults    1         1
proc        /proc     proc         defaults    0         0

The fact that the entries are divided into six columns is immediately apparent. The first column, (fs_spec), contains the device file name belonging to the partition. The second column, (fs_file), contains the mount point, that is the position where the medium is inserted into the directory tree.

The third column, (fs_vfstype), is used to define the file system type. Table 1 contains a list of some of the available system types.

The entries in the fourth column, (fs_mntops), define access to the volume. As you can see in Listing 1, this column can contain multiple, comma separated options. These statements are also available in the command line, if you supply them as mount command line options.

The manpages for this command also provide detailed information on the various parameters. You can refer to Table 2 for an initial overview of the mount options.

The dump program that creates a backup of the data on an Ext2 file system refers to the entry in column five, (fs_freq), for its configuration data. Refer to the dump manpages for additional details on the functionality provided by this backup tool.

Like its predecessor, the last column is also read by a program. In this case it tells the fsck command how to check the consistency of the file system. The root directory is tagged with a 1, any other file systems with a 2. A value of 0 is assigned for file systems such as CD-ROMs that do not need to be checked by fsck.

Now let’s add a few examples to the rudimentary /etc/fstab in Listing 1.

CD-ROM and DVD

After taking a quick look at the contents of our two tables, it should be no problem to define an entry that allows us to mount the CD-ROM drive – at least for home users with stand-alone computers, as we will see:

/dev/cdrom /cdrom auto ro,noauto,user,exec 0 0

Let’s look at the syntax of the line. The /dev/cdrom entry specifies the device name of the drive. In this case, /dev/cdrom is a symbolic link that points to the proper device file (for example /dev/hdc). The /cdrom field indicates the mount point in the directory tree.

In this case the drive is mounted directly below the root directory in /cdrom. Some distributions collate mount points for removable media below /mnt or /media.

You could choose the file system type iso9660 instead of auto if you are experiencing difficulty mounting DVDs. The ro option permits read only access to the mounted medium.

The noauto entry does not bind the drive on starting the system, but waits for an explicit mount /cdrom command in the shell. The user option allows any user to issue the mount command. The same applies to users executing programs on the CD, as stipulated by the exec keyword; if noexec is stipulated, it is impossible to start programs, although the x attributes normally required to do so are present. Whether or not you decide to use these options depends on your approach to secure administration.

You can create a similar entry for a floppy drive:

/dev/fd0 /floppy auto noauto,user 0 0

In this case the ro has been omitted, to allow write access to the floppy. But the exec option has been removed to prevent users from starting programs stored on floppy disks.

From Process Administration to USB

The system stores various internal kernel administration data in files. This principle applies both to the proc file system and USB devices (usbdevfs). devpts is now the base for pseudo terminal operations.

All of these files provide interfaces used by emulators, such as xterm. To allow devices and processes to run smoothly after booting the system, three virtual file systems must be added to the configuration, as shown in Listing 2.

Taming Windows

The following section looks into the security of DOS and Windows partitions. We will be mounting a Windows 98 partition first. Read and write access to this section of the directory tree should be available to every user. Additionally, the file system will be activated by a mount /win98 command, issued by root:

/dev/hda3 /win98 vfat noauto,umask=0 0 0

The umask option in this entry has not been discussed previously. As Table 2 shows, the option sets inverse file privileges. What does that mean? Just like the chmod command, umask works with octal numbers. The access bits are calculated by subtracting the desired file privileges from seven, and assigning the result as the umask.

The access privileges for the modes read, write and execute (octal 7) are thus assigned by entering 0, r-x (octal 5) by entering 2, and rw- (octal 6) by typing a 1. As Windows 98 does not support access privileges for files, we can use Linux access bits to impose an extra level of security.

In this case we are applying fairly lax security privileges, since umask=0 will allow any user to read, write and execute any file. You can type man -P "less +'/^[ ]*umask'" bash for additional information on using masked file privileges.

The quiet, iocharset=, and uni_xlate options are interesting in this context. They specify error handling and character set management. As these aspects are beyond the scope of this article, refer to the mount manpages for further details.

Let us now move on to the next candidate, Windows XP, where we will be applying a more stringent level of file system security.

/dev/hda4 /winxp ntfs ro,uid=999,gid=555,user 0 0

As Windows XP, NT, and 2000 use the NTFS file system, only read-only access (ro) is currently available (the driver is also capable of write access, but this is currently experimental and disabled in the standard kernel). The uid= and gid= options are used here. These abbreviations are short for User Identification (UID) and Group Identification (GID).

Explanation: the /etc/passwd file contains a list of all users, which includes details on the number assigned to a user and the user’s group memberships. You can also ascertain these values by typing id or id username:

[andreas]~ > id
uid=500(andreas) gid=100(users) Groups=100(users),[...],42(trusted)

The UID/GID options allow you to assign a user and group ID to each Windows XP file. Now, all you need to do is launch umask and create an appropriate group, to allow for a more granular access control of Windows.
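The six-column format, the umask rule and the access options discussed above, turned into a small checker added here (this is not code from the article): it parses fstab text, converts a umask value to rwx bits the way the text describes, and flags entries whose options widen access. The sample table is constructed from the article's own entries (including the smbfs entry with a stored password, which is covered later in the article) and is embedded inline, so nothing reads the real /etc/fstab.

```python
"""Added example (not code from the article): a parser for the six-column
/etc/fstab format explained above, the umask rule from the text turned into
a function, and an audit that flags the access-widening options the article
discusses.  The sample table is constructed inline from the article's own
entries, so the script runs offline and never reads the real /etc/fstab."""
from collections import namedtuple

FstabEntry = namedtuple("FstabEntry",
                        "fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno")

# Constructed sample: entries collected from the text.
SAMPLE_FSTAB = """\
# (fs_spec)  (fs_file) (fs_vfstype) (fs_mntops)                              (fs_freq) (fs_passno)
/dev/hda1    /boot     ext2         defaults                                 1 2
/dev/hda2    /         ext2         defaults                                 1 1
proc         /proc     proc         defaults                                 0 0
/dev/cdrom   /cdrom    auto         ro,noauto,user,exec                      0 0
/dev/fd0     /floppy   auto         noauto,user                              0 0
/dev/hda3    /win98    vfat         noauto,umask=0                           0 0
/dev/hda4    /winxp    ntfs         ro,uid=999,gid=555,user                  0 0
//win/C      /winc     smbfs        user,noauto,username="tux",password="pw" 0 0
"""


def parse_fstab(text):
    """Split every non-comment line into the six fstab columns; fs_freq and
    fs_passno default to 0 when a line omits them, as mount itself allows."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if not 4 <= len(fields) <= 6:
            raise ValueError("fstab line %d: expected 4 to 6 columns" % lineno)
        fields += ["0"] * (6 - len(fields))
        entries.append(FstabEntry(*fields[:4], int(fields[4]), int(fields[5])))
    return entries


def mount_options(entry):
    """fs_mntops as a dict: bare flags map to True, key=value to the value."""
    opts = {}
    for opt in entry.fs_mntops.split(","):
        key, _, value = opt.partition("=")
        opts[key] = value if value else True
    return opts


def umask_to_mode(umask):
    """The text's rule, digit by digit: subtract each octal umask digit from
    7 to get the rwx bits for owner, group and others.  mount reads the value
    as one octal number, so '0' means 000 (rwxrwxrwx) and '2' means 002
    (rwxrwxr-x); write 222 to get r-xr-xr-x for all three classes."""
    mode = ""
    for digit in umask.zfill(3)[-3:]:
        bits = 7 - int(digit, 8)
        mode += "".join(ch if bits & bit else "-"
                        for ch, bit in (("r", 4), ("w", 2), ("x", 1)))
    return mode


def audit(entries):
    """Flag entries whose options widen access in the ways the text warns
    about.  Returns (mount point, finding) pairs in fstab order."""
    findings = []
    for e in entries:
        o = mount_options(e)
        if "user" in o and "exec" in o:
            findings.append((e.fs_file, "user-mountable with exec: anyone can run programs from the medium"))
        if isinstance(o.get("umask"), str) and umask_to_mode(o["umask"]) == "rwxrwxrwx":
            findings.append((e.fs_file, "umask=%s lets every user read, write and execute" % o["umask"]))
        if e.fs_vfstype in ("vfat", "msdos", "ntfs") and not ("uid" in o or "gid" in o):
            findings.append((e.fs_file, "no uid=/gid=: files take the IDs of the mounting process"))
        if "password" in o:
            findings.append((e.fs_file, "password stored in fstab, which every user can read"))
    return findings


if __name__ == "__main__":
    for mount_point, finding in audit(parse_fstab(SAMPLE_FSTAB)):
        print("%-8s %s" % (mount_point, finding))
```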

Listing 2: Virtual file systems

devpts   /dev/pts      devpts   defaults 0 0
usbdevfs /proc/bus/usb usbdevfs defaults 0 0
proc     /proc         proc     defaults 0 0

Table 1: Common filesystem types

auto      Assign file system automatically
ext2      ext2 file system
ext3      ext3 file system
reiserfs  Reiser file system
jfs       IBM Journaling file system
minix     Minix file system
vfat      Windows 95, Windows 98 or DOS file system
ntfs      Windows NT/2000/XP file system
msdos     MS-DOS Floppy/Partitions
umsdos    MS-DOS with Unix add-ons
hpfs      OS/2 file system
xiafs     Xia file system
swap      Swap files/partitions
usbdevfs  USB device administration
devpts    Pseudo terminals
proc      Process administration
iso9660   DVDs/CD-ROMs
udf       Universal Disk Format (DVDs)
nfs       Network File System
smbfs     Server Message Block Protocol
ignore    (ignore partition)

Samba and NFS

Let us stick with Windows for the time being and investigate Microsoft’s own variant of a network directory. The counterpart to the Network File System (NFS) commonly found on Unix is the Server Message Block or SMB. A Windows server can use this protocol to provide access to its data. You will need to install Samba to access external Windows computers via Linux. The smbclient tool provides access to shared Windows directories. But it is a lot easier to mount the directory in the local directory tree:

//win/C /winc smbfs user,noauto 0 0

This entry allows the C directory on the win computer to be accessed by any user in the /winc directory on Linux.

However, the user will be prompted for a password after issuing the mount command. Although users can supply a username parameter when issuing the mount command (-o username=tux,password=pw), you might like to simplify this task:

//win/C /winc smbfs user,noauto,username="tux",password="pw" 0 0

You might be a little confused at this point, because you have not been able to find the username and password commands in man mount. The program actually runs smbmount at this point, and the smbmount manpages are where you should be looking for further details on this topic.

The configuration required to mount a directory via the Network File System (NFS) is similar and can be seen if we use the following:

linux1:/out /nfs nfs user,noauto 0 0

This mounts the /out directory exported by the computer linux1. The directory must be entered in the /etc/exports file on linux1; however, we will not be looking into NFS at this stage.

Users in Command

Files in MP3 format are a good idea. You can listen to them, list, manage and collect them. And above all else, you can waste a lot of space on the file system with them. What options are available to the administrator to prevent individual user collections from getting out of control? The answer is, use quotas [1].

Quotas allow the system administrator to restrict the amount of storage capacity available to groups and individual users. You can define the quotas with either dynamic or hard limits.

Quotas use separate configuration files to manage partitions, and are simple to apply. The original HOWTO is available on the Web at [2]. However, quota support must be compiled into the kernel, if you intend to use quotas.

As a full description of configuring this program is beyond the scope of this article, we will be focusing on the entries in /etc/fstab. The usrquota option is provided to restrict the amount of space available to users. The option is entered immediately after the defaults entry and affects the /home partition:

/dev/hda5 /home ext2 defaults,usrquota 1 1

You can replace usrquota by grpquota to apply quotas to groups:

/dev/hda6 /usr ext2 defaults,grpquota 1 1

If required, you can apply both settings to a single partition:

/dev/hda6 /var ext2 defaults,usrquota,grpquota 1 1

A separation of system and user data can be achieved by defining appropriate partitions for your Linux installation. This allows for ease of administrative intervention. Also, a well-planned fstab structure will save an administrator headaches – especially when under time pressure with things going wrong. ■


Figure 1: Mounting the subscription CD in the directory tree

Figure 2: Refusing access

Table 2: Overview of mount options

defaults  rw, suid, dev, exec, auto, nouser and async
exec      allows binary and script execution
noexec    prevents binary and script execution
user      allows a user to mount the file system
noauto    must be mounted by the mount command
ro        mounts the file system in read-only mode
rw        mounts the file system in read-write mode
umask=    inverse bitmask of the access privileges (e.g. for FAT file systems)
uid=      User ID of the data
gid=      Group ID of the data
sync      Synchronous I/O Operations

INFO

[1] Quotas: http://www.sourceforge.net/projects/linuxquota
[2] Quota Howto: http://www.tldp.org/HOWTO/mini/Quota.html


news. You will need to assign a list to the variable including the news accessmethod in the first field (nnspool –“netnews spool” in this case). Thesecond (empty) field is not significant inour case.

The advantage of nnspool is that thismethod is extremely quick. However,this is not much consolation if there are no news groups stored in your spooldirectory. You will need a program thatfetches news, such as aptly namedfetchnews tool, which is installed withthe leafnode news server, in order topopulate your spool directory.

Gnus can use the NNTP protocol totalk to the server. This second accessmethod is referred to as nntp and has theadvantage that you are not restricted to asingle news spool, but can ask a serverto request and manage news frommultiple external sources. The

(setq gnus-select-method U

'(nntp "localhost"))

entry in ~/.gnus tells Gnus that youwant to use a news server that you haveinstalled locally (localhost). To use anexternal news server instead of a localone, simply replace localhost with theInternet address of the remote server.

If the remote server requires you tosupply some kind of authentication (thatis a username and password) in order tofetch or send news, you can store yourauthentication data in the ~/.authinfofile, which you will probably need tocreate at this point:

machine news.server.co.uk loginUusername password secret

Replace news.server.co.uk with the nameof the server, username with your ownusername secret with your password onthe news server. You can then add thefollowing line

(setq nntp-authinfo-file U

"~/.authinfo")

to your ~/.gnus file to tell Gnus whereto find your access information.

You have mail (or maybe not)Gnus differs from other mail and news programs in one particular aspect; from the user’s viewpoint it does notdistinguish between mail and news. Thisallows you to assign both file types tospecific groups or delete them after awhile. And there is little to distinguish theprocedures for accessing mail or news.

Whether you need to edit a text,source code, or a web site, thetext editor probably comes

top of the “most frequently usedprogram” charts. However, if, to send anemail you are supposed to launch an external mail client which in turn will launch a text editor. “You must bejoking!”, is the cry that you’ll hear frommost Emacs users as both XEmacs andEmacs provide an add-on that allows youto extend their functionality to includemail and News: Gnus [1].

Typing the Emacs command M-x gnus, or xemacs -f gnus & in a shell, provides access to the mail and news client. However, do not expect too much at this point, because you will still need to tell Gnus where to access your mail and newsgroup resources.

Beg, steal or borrow?

Gnus can read netnews from a special directory (the so-called spool), from a local news server (for example, leafnode, sn or INN) or access an external server. To read news from the spool, add the following line to the .gnus file in your home directory (this is where Gnus will expect to find all the configuration information):

(setq gnus-select-method '(nnspool ""))

The gnus-select-method variable specifies how Gnus will access your

Communicating by email is mainly a question of actually writing something – so why bother launching an extra mail program if your (X)Emacs text editor is already running?

BY OLIVER MUCH

Email and Newsgroups with (X)Emacs and Gnus

GNU Tools for news


Your first task will be to tell Gnus where to access mail. The various backends that are available for this purpose are distinguished by the way they store mail: should each message be stored in a file of its own, or do you want to store all your electronic correspondence in a single file?

In the first case, you will need the “Mail Spool” backend, which stores each incoming message as a file in the ~/Mail directory. The following entry in ~/.gnus specifies the method

(setq gnus-secondary-select-methods '((nnml "")))

Of course this requires tons of inodes, which is a bad idea for computers running low on resources.

The good news is that the mail spool allows Gnus extremely fast read access to your mail, so your decision should be based on a compromise between these two factors. This assumes that your mail is already in your local inbox. You might like to use fetchmail to move your mail from your provider’s POP3 server to your inbox, although Gnus can actually fetch mail without any help from external programs. The following settings allow Gnus to do so

(setq mail-sources
      '((file :path "/var/spool/mail/username")
        (pop :server "pop3.mail.co.uk"
             :user "username"
             :port "pop3"
             :password "secret")))

The mail-sources variable is used to store the sources from which you will be receiving mail.

In our example, Gnus retrieves mail messages for the user username from the file /var/spool/mail/username and also from an external mail server, pop3.mail.co.uk. The user account on this system is username and the password for the account is secret. The pop3 protocol is used for communicating with the server. Of course Gnus needs online access to retrieve mail from this location. Bear in mind that this stores the password in clear text in ~/.gnus, so keep that file readable only by your own user.

Who am I?

To provide details on yourself in your mail and news posting headers, you can add the following entries to ~/.gnus:

(setq message-from-style 'angles
      user-mail-address "[email protected]"
      mail-host-address "my.computer.name"
      message-syntax-checks '((sender . disabled)))

Replace [email protected] with your valid email address and type your host name for my.computer.name. You can set the message-from-style variable to 'angles to tell the program to place your address in angle brackets. You will not want Gnus to check your address, as it may not correspond with the address assigned by your provider (message-syntax-checks '((sender . disabled))).

Mail Chaos

Gnus will normally store your mail in a single directory called nnml:mail.misc. However, if you subscribe to multiple mailing lists, you might like to tell Gnus to sort your incoming mail on the basis of customized criteria to prevent important messages drowning in a flood of spam. The program reads the nnmail-split-methods variable to decide what messages to store where.

As Listing 1 shows, the variable expects a list of entries, each comprising two elements, where the first element specifies the name of the folder where you want Gnus to store the incoming messages, and the second contains a regular expression (“regexp”). The expression should allow Gnus to recognize the messages to be placed in a particular folder. In our example, the first entry stores messages for your private email address (represented by [email protected]) in the private folder, no matter whether the strings To:, Cc:, CC: or Resent: occur in the header.

The next two entries are designed to tidy up your mailing list subscriptions. Gnus will recognize mail from the Linux mailing list by the fact that the [Linux] string occurs in the subject line. The Emacs list cannot use this method, instead relying on the source [email protected] to identify appropriate messages. The last entry places any mail that does not match a previously defined category in other, and this is why the record does not contain a regular expression.
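The first-match logic of Listing 1, as an added Python emulation (this is not Gnus code): the Emacs regexps are translated to Python syntax, the addresses are constructed placeholders, and a second rule set shows why a literal address should be escaped, since an unescaped “.” matches any character.

```python
import re

# Constructed placeholders for the addresses the original listing uses.
MY_ADDRESS = "me@example.com"           # your private address
EMACS_LIST = "emacs-list@example.org"   # the Emacs mailing list

# Listing 1 translated from Emacs regexp syntax (\\( \\| \\)) to Python's ( | ).
# Rules are tried in order: the first match wins, and the empty regexp of the
# "other" rule matches anything, so it must come last.
SPLIT_METHODS = [
    ("private", r"^(To:|Cc:|CC:|Resent:).*" + MY_ADDRESS),
    ("Linux",   r"^Subject:.*\[Linux\]"),
    ("Emacs",   r"^(To:|Cc:|CC:|Resent:).*" + EMACS_LIST),
    ("other",   ""),
]


def address_rule(folder, address):
    """Same To/Cc/Resent rule, but with the address escaped as a literal."""
    return (folder, r"^(To:|Cc:|CC:|Resent:).*" + re.escape(address))


# Hardened variant: "." in the address no longer matches arbitrary characters.
SPLIT_METHODS_STRICT = [
    address_rule("private", MY_ADDRESS),
    ("Linux", r"^Subject:.*\[Linux\]"),
    address_rule("Emacs", EMACS_LIST),
    ("other", ""),
]


def split_folder(headers, methods=SPLIT_METHODS):
    """Return the folder for a message, given its raw header block.

    As with nnmail-split-methods, each regexp is searched for in the header
    lines in order; ^ anchors to the start of a line (re.MULTILINE).
    """
    for folder, pattern in methods:
        if pattern == "" or re.search(pattern, headers, re.MULTILINE):
            return folder
    raise ValueError('no catch-all rule: add ("other" "") as the last entry')


# Constructed sample header blocks.
PRIVATE_MSG = "From: a@example.net\nTo: me@example.com\nSubject: lunch?\n"
LINUX_MSG = "From: b@example.net\nTo: linux@example.net\nSubject: [Linux] kernel\n"
EMACS_MSG = "From: c@example.net\nCc: emacs-list@example.org\nSubject: Re: gnus\n"
OTHER_MSG = "From: d@example.net\nTo: someone@example.com\nSubject: hi\n"
# On the Emacs list *and* tagged [Linux]: the earlier "Linux" rule wins.
BOTH_MSG = "From: e@example.net\nCc: emacs-list@example.org\nSubject: [Linux] q\n"
# Look-alike address: the unescaped "." in the listing's regexp matches the "x".
LOOKALIKE_MSG = "From: f@example.net\nTo: me@examplexcom\nSubject: hi\n"

if __name__ == "__main__":
    for name, msg in [("private", PRIVATE_MSG), ("linux", LINUX_MSG),
                      ("emacs", EMACS_MSG), ("other", OTHER_MSG),
                      ("both", BOTH_MSG), ("lookalike", LOOKALIKE_MSG)]:
        print(f"{name:10s} -> {split_folder(msg):8s} "
              f"(strict: {split_folder(msg, SPLIT_METHODS_STRICT)})")
```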

Up and Running!

After completing this preparatory work, it is time to launch Gnus. The program will first attempt to retrieve your mail, before moving on to the newsgroups you subscribe to – although you do not actually subscribe to any newsgroups at this point. Gnus is quite helpful at this point and attempts to load a few

GLOSSARY

News: Short for “Usenet News”, this originally entailed using the NNTP protocol to access computer-network-independent newsgroups, and is more commonly known as an Internet service today.

NNTP: The “Netnews Transport Protocol” is the language that news servers and clients (such as Gnus) use to talk to each other.

M-x: Press the [Meta] key (this will normally be the [Alt] or [Esc] key on a PC keyboard) and then [x], to let Emacs know that you are ready to type a command – the Emacs gnus command in our example.

Spool: Designates a directory used by a news or mail server to store usenet articles or email.

Inode: Contains file information for a single file, such as the type, the owner, or who has access privileges. The number of inodes is defined when creating the file system and thus inodes are a finite resource.

Header: The header of a posting or mail contains administrative details on the sender, the subject, the creation date and the path from the sender to the recipient. You can view the header using t in the *Article* buffer.

Listing 1: Mail Splitting in ~/.gnus

(setq nnmail-split-methods
      '(("private" "^\\(To:\\|Cc:\\|CC:\\|Resent:\\).*[email protected]")
        ("Linux" "^Subject:.*\\[Linux\\]")
        ("Emacs" "^\\(To:\\|Cc:\\|CC:\\|Resent:\\).*[email protected]")
        ("other" "")))


new items. To stop receiving postings from a group, type S t in the *Group* buffer to unsubscribe. To have Gnus completely remove the group, press S k (“kill”) for the group you want to remove. To remove multiple newsgroups, press C-Space on the first group, select additional groups with the arrow keys, and remove them by pressing S w or C-w. Incidentally, don’t worry if you make a mistake here, as A k will reinstate the deleted groups.

Keeping Things Tidy

If you like to keep things tidy, despite subscribing to hundreds of groups, you can simply ask Gnus to organize your groups by topic in the *Group* buffer. You will need to define a few topics (T n) before doing so. Gnus displays the mini-buffer, where you can enter a user-definable name for each topic. If you notice a typo or find a more suitable name for the topic, you can type T r later, and rename the container.

T m will move, and T c will copy a newsgroup to a topic container – in the latter case, the newsgroup will appear in multiple topic containers.

T TAB allows you to indent the selected topic to make it a subtopic of a previous container (Figure 1 shows you how neat that can look). If you mistakenly indent a topic you can press M-TAB to go back.

Reading News Postings

Neatly organized news containers make reading news postings twice as enjoyable. To do so, navigate to a group that you want to read and press the SPACE key. Gnus will read the group and display two buffers after doing so. The top, *Summary*, buffer contains a list of any postings you have not yet read, and the lower, *Article*, buffer (Figure 3) displays the content of the first article. You can type C-x o or h to toggle between the two buffers.

If you select a group name and press RET, Gnus will display only the *Summary* buffer (Figure 2). The gnus-summary-line-format variable is used to influence the appearance of the summary buffer in ~/.gnus; the C-h v gnus-summary-line-format RET command will provide more details. You can also change the appearance of the summary mode line via the gnus-summary-mode-line-format variable.

To select the next unread article at the current cursor position in the *Summary* buffer, simply press the SPACE key; pressing RET will open the current article – whether you have read it or not. N (or G N) moves to the next, and P (or G P) to the previous article. Of course, you can also use the cursor keys to move through the list of postings. To move between postings with the same subject, type G C-n for the next, or G C-p for the previous occurrence.

You may want to read only a selection of the articles in a group; to do so press / s to restrict the display to a specific subject; / a will restrict the display to the postings by a specific author. Note that this only restricts how the postings in a newsgroup are displayed, but will not delete articles with different subjects or authors.

If a posting that you want to display is longer than the buffer permits, you can use SPACE to scroll the file page by

beginners’ groups, which are defined in the gnus-default-subscribed-newsgroups variable for you.

The fastest way to subscribe to a newsgroup is to press S s (or alternatively Shift-u). In this case Gnus displays the Group: prompt in the mini-buffer, allowing you to type the name of the required group and press RET to confirm. Simply type part of the group name and then press the [Tab] key to automatically complete the group name (the auto-completion function is reliable in nearly all cases).

If you are not yet sure about the groups you might be interested in, you can type A A instead of S s. The *Group* buffer will then display a list containing all the groups on the news server you stipulated. This may take a while, depending on the server, so Gnus also allows you to press A a and display only groups that match a regular expression. The mini-buffer prompts you with Gnus apropos (regexp):. If you are only interested in the alt groups stored in the tree structure, that is alt.*, you can type ^alt.* at this point, and press RET to confirm.

If the group name is insufficient as a search criterion, you can search for keywords in the group description. If you type A d, Gnus will again display the mini-buffer and expect you to enter a regular search expression.

When you launch the program, only newsgroups containing unread articles are displayed by default. If you want to research a newsgroup whose articles you have already read, press A u (or L) in the *Group* buffer to have Gnus display groups without any unread items. You can type A s or l to hide groups with no

Figure 1: The *Group* buffer in topic mode

Figure 2: A *Summary* buffer


page. Press SPACE again at the end of the article to move to the next unread article in the group. If there are no more articles in the current group, you are automatically moved to the first article in the next group.

DEL does the opposite, that is, it scrolls back page by page. To read line by line you can press RET instead; M-RET goes back one line. < returns to the top, and > goes to the end of the article. Pressing h once more will switch from the *Article* buffer to the *Summary* buffer, which you can quit by pressing q to return to the *Group* buffer.

Have I got news for you!

If, after reading a posting, you suddenly feel the urge to communicate with the outside world, you can compose a new article by pressing the a key in the *Summary* buffer for a group. Gnus is quite helpful at this point and automatically designates the group name as the target for the new article.

If you press a in the *Group* buffer, however, you must additionally supply the group name after the Newsgroups: keyword. The [Tab] key again helps simplify your task. Supply a comma-separated list of group names to crosspost in multiple groups. Do not forget to add a Followup-To: header by typing C-c C-f C-f and defining a single (!) target group, to allow any answers to your posting to be routed correctly.

Type F to reply to a posting. This will cause Gnus to create a new buffer containing the original text; “>” characters are prepended to the original lines, allowing readers to recognize them as a quote. You can press S o p to forward an article from one group to another.

After editing your contribution to the discussion, you can press C-c C-s to send it on its way. If you run out of time before completing your text, you can save it by pressing C-x C-s. Gnus provides a new pseudo group called nndrafts:drafts for this purpose. To finish off an article, select it using the arrow keys, edit it using M-x gnus-draft-edit-message, and post it using M-x gnus-draft-send-message.

Mail Follows Suit

Of course, what we just discussed in the context of news equally applies to mail – no matter whether you have pressed m to compose a new message, or R to reply to a message in one of your mail or news groups. If you want to reply to all the recipients of a message, you can press S W to do so. The commands S o m and C-c C-f are available for the forwarding of messages.

Of course Gnus can attach files (Figure 4). To attach a file, press C-c C-a (mml-attach-file) and select the file. Your cursor should be at a position below the following line to do so

--text follows this line--

If the file type suggested by Gnus is inappropriate, you can again press the [Tab] key to automagically display a list of possible file types (such as text/html for an HTML attachment, for example), and select an appropriate type yourself. Finally, Gnus will prompt you to type a short description in order to let the recipient know what the attached file actually contains.

Receiving mail attachments is a slightly more relaxed procedure: Gnus simply displays the attachment at the end of the message (Figure 5). K o will allow you to store the attachments individually in a directory that you specify yourself.

Best Reads

Time is short, so you probably won’t want to wade through newsgroups and mailing lists with hundreds of new entries a day.

Many mail clients or newsreaders use so-called killfiles to filter the deluge of new messages, preventing messages from

GLOSSARY

Tree structure: Newsgroup names are comprised of abbreviations for languages and topics, separated by periods, where the expression to the right of a period is subordinate to the expression on the left. This provides for ease of navigation in a hierarchical structure of keywords and allows you to select groups that deal with topics you are interested in. Groups starting with it. are in Italian, for example; it.comp. will lead to Italian computer groups, where the it.comp. groups (such as it.comp.linux) will be dedicated to operating systems.

Crossposting: This describes the act of publishing articles with identical content in multiple groups. Crossposting is a technique that you should use sparingly, and never use to post a question in round robin fashion in any groups that might be applicable. If you decide that crossposting is appropriate, you should at least ensure that any answers will be posted in a single group, to prevent the threads of the discussion from fraying, and to allow any interested readers to participate.

Figure 3: The *Article* buffer

Figure 4: Composing Mail …


• i refers to the message ID, that is the unique identifier for the message.

• f applies the score to the author, just like a but additionally specifies that the rule should be applied to any “follow ups” to this author’s postings.

Gnus will then prompt you to decide how future messages with content similar to the selected header should be processed:

Increase header 'subject' with match type (sefr?):

You can specify the following:

• e an exact match,

• s only a substring of the specified search string need occur,

• f Gnus should remove any whitespace, punctuation etc. before comparing,

• r will use a regular expression for comparison. The regexp still needs to be defined on the basis of the current string.

If the header you are using as a reference point (such as the message ID) contains numbers, you can also perform a numeric comparison: is the compared value smaller than (<), equal to (=), or larger than (>) the value defined in the header for the current message?

You can then go on to specify whether the scores defined by the new rule should be applied temporarily (t), permanently (p), or i (“immediately”).

If you choose the first of these options, Gnus will drop the rule after a certain period, which you can specify in the gnus-score-expiry-days variable – this defaults to seven days.

This option is particularly useful for subject lines, as discussions on a specific subject do not normally last for more than a few days. In contrast, Gnus will never drop a permanent scoring rule. Gnus follows the “out of sight, out of mind” principle for rules with the i flag, applying them without saving them to a file first.

To assign a positive score to Peter Miller, you would first type I after finding a particularly good posting by him, and then answer the Gnus prompts by typing a e p. After pressing p the mini-buffer appears, as Gnus needs to know what you want to compare: in our case it happens to be the content of the From: line, which contains his name.

To save yourself from reading Peter’s meanderings on the subject of floppy drives ancient and modern, now find an appropriate thread and type L s s p floppy RET. This means that any messages containing the word “floppy” in the subject line will be permanently assigned a negative score.

You can now press V S to discover the score assigned to the current message. In contrast, V t will show you the rules that led to the score. V R tells Gnus to reapply your scoring rules to the current *Summary* buffer.
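The scoring procedure described above (default score, match types e/s/f/r, the Peter Miller and “floppy” rules, and the expiry of temporary rules), as an added Python emulation that is not Gnus’s own code; the score values, thresholds, dates and the address in the From line are constructed assumptions.

```python
import re
from datetime import date, timedelta

# Assumed values: Gnus asks for (or defaults) a score when you press I or L.
RAISE = 500       # what we gave Peter's postings (assumption)
LOWER = -1000     # what we gave the "floppy" subject rule (assumption)
EXPIRY_DAYS = 7   # the gnus-score-expiry-days default mentioned in the text


def fuzzy(text):
    """Match type f: drop whitespace and punctuation, ignore case."""
    return re.sub(r"[\W_]+", "", text).lower()


def rule_matches(rule, headers):
    """rule keys: header, type (e/s/f/r), value; headers: dict of header -> text."""
    actual = headers.get(rule["header"], "")
    value = rule["value"]
    if rule["type"] == "e":      # exact: the whole header must be identical
        return actual == value
    if rule["type"] == "s":      # substring anywhere in the header
        return value in actual
    if rule["type"] == "f":      # fuzzy: compare after normalising both sides
        return fuzzy(value) in fuzzy(actual)
    if rule["type"] == "r":      # regular expression
        return re.search(value, actual) is not None
    raise ValueError(f"unknown match type {rule['type']!r}")


def score_message(headers, rules, default=0):
    """Start from gnus-summary-default-score and add every matching rule."""
    return default + sum(r["score"] for r in rules if rule_matches(r, headers))


def disposition(score, default=0):
    """Assumed thresholds: below the default score the message is marked read
    (hidden next time), above it the message is highlighted."""
    if score < default:
        return "read"
    if score > default:
        return "highlight"
    return "normal"


def prune_expired(rules, today):
    """today is an ISO date string. Temporary (t) rules older than EXPIRY_DAYS
    are dropped; permanent (p) rules are kept forever."""
    now = date.fromisoformat(today)
    return [r for r in rules
            if r["kind"] != "t"
            or now - date.fromisoformat(r["date"]) <= timedelta(days=EXPIRY_DAYS)]


def rules_to_save(rules):
    """i ("immediately") rules are applied but never written to the score file."""
    return [r for r in rules if r["kind"] != "i"]


# Constructed rules mirroring the text: "I a e p" on a Peter Miller posting
# (exact match on the full From header) and "L s s p floppy RET".
PETER = "Peter Miller <peter@example.net>"
RULES = [
    {"header": "From", "type": "e", "value": PETER, "score": RAISE,
     "kind": "p", "date": "2003-01-15"},
    {"header": "Subject", "type": "s", "value": "floppy", "score": LOWER,
     "kind": "p", "date": "2003-01-15"},
    # a temporary rule that expires a week after it was created
    {"header": "Subject", "type": "s", "value": "Gnus topics", "score": RAISE,
     "kind": "t", "date": "2003-01-15"},
]

# Constructed sample headers.
MESSAGES = {
    "good":         {"From": PETER, "Subject": "Re: scoring in Gnus"},
    "floppy":       {"From": PETER, "Subject": "Ancient floppy drives"},
    "other_floppy": {"From": "Jane Doe <jane@example.org>", "Subject": "floppy images"},
    "plain":        {"From": "Jane Doe <jane@example.org>", "Subject": "Hello"},
}

if __name__ == "__main__":
    for name, hdr in MESSAGES.items():
        s = score_message(hdr, RULES)
        print(f"{name:13s} score={s:6d} -> {disposition(s)}")
    print("rules left after 2003-01-30:", len(prune_expired(RULES, "2003-01-30")))
```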

And that’s not all, folks!

As a true descendant of Emacs, of course, Gnus will never be short on functionality: it can repair damaged postings, display HTML files, automatically adjust scoring rules to match your reading habits, and more.

It is worth spending some time reading the info file included with the tool. The Gnus homepage [1] and MyGnus [2] are also recommended as good sources of information.

If you still need more help, you might like to turn to the experts in the gnu.emacs.gnus newsgroup. And if this is all getting to be too much for you, you can still console yourself with the thought that pressing q will terminate Gnus. ■

authors you are not interested in from even reaching you.

But Gnus provides a far more useful mechanism, allowing you to grade messages according to various criteria (for example, author, keyword in subject line). Gnus will then use the grade to decide what to do with each message – delete it, mark it as read (which will hide the message next time you open the group), or in the case of particularly interesting messages highlight the message and move it up in the ranks of the *Summary* buffer.

To get things going, every mail or news message is assigned the value defined in the gnus-summary-default-score variable (normally ‘0’). If you particularly enjoy Peter Miller’s postings in a specific news group, you can increase Peter’s score, in order to highlight anything he posts in future and place any messages from Peter near the top of the *Summary* buffer.

Unfortunately, Peter has a regrettable tendency to get involved in discussions on old floppy drives, a topic that does not exactly fire your imagination.

The good news is that you can downgrade messages on this subject by searching for a specific word in their subject lines. You can assign messages that contain the keyword a negative score that outweighs the positive score you assigned to Peter. This will allow Gnus to mark Peter’s messages as read.

In practical terms this means selecting a message and pressing I (“increase”) or L (“lower”) to change the score. Gnus will display the mini-buffer and ask you to specify the header entry that you want to grade in this way:

Increase header (asbhirxeldft?):

The options for your answer are defined as follows:

• a applies to the author’s name.

• s means that you want to grade the subject line in the current message.

• x means you are grading the Xref header which contains all the groups this message was posted to.

• If you select r, Gnus will evaluate the References header which contains the message IDs for the messages that the current message refers to.

• l applies to the number of lines.

Figure 5: … and reading it

INFO

[1] Gnus homepage: http://www.gnus.org/

[2] MyGnus: http://my.gnus.org/


The DHCP server’s configuration file designates address pools from which your clients are assigned IP addresses. In the case of the popular ISC DHCP Server the file looks like this:

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.50 10.0.0.99;
  option routers 10.0.0.254;
}

This means that addresses 10.0.0.50 through 10.0.0.99 will be assigned. If all 49 of these addresses are already in use and user number 50 powers up her computer, she is in trouble – and you will be too, shortly, as soon as she gets on the phone to you. How can you avoid upsets of this kind?

The first place to look is the “dhcpd.leases” file, which contains an entry like the following example for each user:

lease 10.0.0.96 {
  starts 1 2002/10/07 10:42:44;
  ends 1 2002/10/07 12:42:44;
  binding state active;
  next binding state free;
  hardware ethernet 00:04:76:9f:b0:02;
  uid "\001\000\004v\237\260\002";
  client-hostname "funghi";
}

The “binding state active” status tells me that this lease is currently in use, in other words the IP address 10.0.0.96 is unavailable at present.

In larger networks, manually parsing the “dhcpd.leases” file is far too time-consuming. This is where a reporting tool like Reportdhcp [1] can make itself useful.
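The parsing that Reportdhcp automates, as an added Python example (not the Reportdhcp script itself): it reads the range from a constructed dhcpd.conf and the current binding state of each address from a constructed dhcpd.leases in the format shown above, and reports how full each pool is. One caveat it handles: dhcpd appends a new record whenever a lease changes, so the last record for an address is the current one.

```python
import ipaddress
import re

# Constructed dhcpd.conf excerpt, modelled on the column's example.
DHCPD_CONF = """\
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.50 10.0.0.99;
  option routers 10.0.0.254;
}
"""

# Constructed dhcpd.leases. 10.0.0.96 appears twice: the later record shows
# the lease went back to "free", so it must not be counted as active.
DHCPD_LEASES = """\
lease 10.0.0.96 {
  starts 1 2002/10/07 10:42:44;
  ends 1 2002/10/07 12:42:44;
  binding state active;
  next binding state free;
  hardware ethernet 00:04:76:9f:b0:02;
  client-hostname "funghi";
}
lease 10.0.0.51 {
  starts 1 2002/10/07 11:00:00;
  ends 1 2002/10/07 13:00:00;
  binding state active;
  hardware ethernet 00:04:76:aa:bb:cc;
  client-hostname "porcini";
}
lease 10.0.0.96 {
  starts 1 2002/10/07 10:42:44;
  ends 1 2002/10/07 12:42:44;
  binding state free;
  hardware ethernet 00:04:76:9f:b0:02;
}
"""

RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
LEASE_RE = re.compile(r"\blease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
# "^\s*binding state" deliberately does not match "next binding state".
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.MULTILINE)


def parse_ranges(conf):
    """Return (first, last) IPv4Address pairs, one per range statement."""
    return [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
            for a, b in RANGE_RE.findall(conf)]


def parse_lease_states(leases):
    """Map each address to its current binding state: the last record wins."""
    states = {}
    for ip, body in LEASE_RE.findall(leases):
        m = STATE_RE.search(body)
        # Assumption: records without a binding-state line are counted as active.
        states[ipaddress.IPv4Address(ip)] = m.group(1) if m else "active"
    return states


def lease_state(leases, ip):
    """Current binding state of one address, or 'unknown' if never leased."""
    return parse_lease_states(leases).get(ipaddress.IPv4Address(ip), "unknown")


def pool_report(conf, leases):
    """One dict per range: size, active, free and utilisation (0..1)."""
    states = parse_lease_states(leases)
    report = []
    for first, last in parse_ranges(conf):
        size = int(last) - int(first) + 1
        active = sum(1 for ip, st in states.items()
                     if first <= ip <= last and st == "active")
        report.append({"range": f"{first}-{last}", "size": size,
                       "active": active, "free": size - active,
                       "utilisation": active / size})
    return report


def exhaustion_warnings(report, threshold=0.9):
    """Ranges whose utilisation has reached the threshold (pool about to run dry)."""
    return [r["range"] for r in report if r["utilisation"] >= threshold]


if __name__ == "__main__":
    for r in pool_report(DHCPD_CONF, DHCPD_LEASES):
        print(f"{r['range']}: {r['active']}/{r['size']} active, "
              f"{r['free']} free ({r['utilisation']:.0%})")
```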

Reportdhcp Helps

The small perl script is fundamentally ready to run – you simply need to modify the paths in “reportdhcp.pl”:

my $dhcpfile = "/var/dhcp/dhcpd.leases";
my $dhcpdconf = "/etc/dhcpd.conf";
my $CGI = "/cgi-bin";

After customizing the “reportdhcp.pl” script, you simply move it to the “cgi-bin” directory on your web server – ideally this will be the machine that your DHCP server is running on. If not, you can always use “scp” or rsync-over-ssh to transfer “dhcpd.conf” and “dhcpd.leases” to your web server. As the report reveals the hostname and MAC address of every client, restrict access to the script rather than leaving it open to everyone who can reach the web server.

After installation, reportdhcp will parse these files and report its findings in HTML format. Now you can tell at a glance how many leases are available in each network, and how many of these are currently “active” (see Figure 1). Additionally, the tool can sort the leases it finds by IP address, age or hostname (Figure 2), and even provides a basic search tool.

You can now tell at a glance that the water level in the (address) pool is quite high enough, thank you. So it’s off home for the pool attendant. ■

DHCP is a clever invention. You assign a pool of addresses to the DHCP server which uses them to serve your clients. How can the admin user find out how many and which addresses have already been assigned? It doesn’t bear thinking about what might happen if the pool ran dry. BY CHARLY KÜHNAST

The Sysadmin’s Daily Grind: DHCP-Server watch

A full tank

THE AUTHOR

Charly Kühnast is a Unix System Manager at a public datacenter in Moers, near Germany’s famous River Rhine. His tasks include ensuring firewall security and availability and taking care of the DMZ (demilitarized zone).

INFO

[1] Reportdhcp: http://www.omar.org/opensource/reportdhcp/


Figure 1: Reportdhcp indicates the total number of leases and how many of them are “active”

Figure 2: Reportdhcp additionally sorts the leases it discovers by IP address, age, or name


IT environments that do not tie up too many of your IT staff, or take too large a proportion out of your IT budget, are understandably becoming more and more popular.

Thin clients provide a useful approach towards standardization and automation. This kind of computer can help you cut costs by using minimal hardware.

Using the Linux operating system also provides these platforms with a solid and flexible software basis at extremely low costs. Clients of this type do not depend on specialized hardware, but can be implemented using traditional PC hardware. Depending on the application, the requirements may be so minimal that you might even be able to put your old Pentium class computers back to work. The pre-condition for high-performance operations with diskless clients – that is, a high-performance Ethernet installation – can normally be assumed.

This article provides the know-how and introduces the programs you need to run Linux Diskless Clients (LDC). Some basic information is available from [6], which provides information, examples, and additional material. The mathematics faculty of the University of Göttingen, and the Remigianum Highschool in Borken, Germany, provide examples of practical implementations of the material in this article, including a seminar room, desktops for the teaching staff and a pool of student desktops.

Protocols and Technologies

Diskless Clients normally boot from a ROM. There are two advantages in this. For one thing, major hardware component failures are extremely unlikely, and for another thing, administrative tasks are performed exclusively on the server. The boot ROM implementation Etherboot [4] is also a great example of a GPL tool.

Network hardware manufacturers use the Pre-Execution Environment (PXE), one of Intel’s Wired for Management (WfM) components, to harmonize LAN based boot software. Both use the Dynamic Host Configuration Protocol (DHCP) to provide a basic IP configuration that controls the way the

Linux based diskless clients offer the same potential as fully-fledged traditional workstations, but with far lower hardware expense, less noise, and less administrative effort involved. Standard PC components make things even cheaper. BY DIRK VON SUCHODOLETZ

Linux Based Diskless Clients – A Step by Step Guide

Jump Starting the Network


configuration in order to boot. Etherboot provides a so-called kernel tagging tool. PXE uses Etherboot’s capabilities or cooperates with the Syslinux bootloader to provide an alternative strategy (see the “Syslinux and PXE” section).

The Client Boot Software

When selecting boot software, the idea is to avoid configurations that require specialized hardware. The software should be available immediately after switching on a machine without any user interaction. Special features, such as a boot menu that allows the user to boot from a floppy disk if required, are also conceivable.

Chaining is also possible. If the workstation is unable to boot from the network, the boot software will search other devices for boot blocks. All of these approaches should behave in a uniform manner, from the server’s viewpoint, to restrict customization to a minimum. This applies equally to various older kernels for Etherboot, PXE/Syslinux (discussed below), and commercial boot ROMs.

Etherboot – the Free Boot ROM Package

The Etherboot package [4] provides drivers for nearly every popular network adapter, including gigabit and wireless LAN adapters. It can interact with other boot loaders, dual boot configurations and boot menus. Since Etherboot is available under the GPL license, you can implement any number of installations without incurring any costs.

Boot images from the Etherboot package are so compact that they can easily be embedded in standard EPROMs and flash ROMs for NICs. However, you should be aware that any additional functionality, such as using NFS as the kernel transfer protocol, will increase the size and possibly overflow the capacity of older EPROMs, especially in ISA network adapters.

As an alternative, the code can be implemented as a BIOS extension on the motherboard. (DOS) programs, such as “cbrom.exe” for Phoenix/Award and “amibcp.exe” for AMI BIOSes, perform the modification (see the “Special BIOS Tools” insert). The boot images occupy between 8 and 64 Kbytes. The code includes NIC drivers and the protocols DHCP and TFTP, or NFS.

Thanks to open sources, the prospects of being able to customize to reflect specialized network environments are good. The fact that Etherboot supports alternatively booting clients from hard disk, floppy or CD-ROM drives is an interesting feature that provides a backup solution in case the boot server fails.

Grub (the Grand Unified Bootloader, which provides an alternative to Lilo) also has an Etherboot module. The fact that Etherboot can both create executable DOS files and write directly to the boot sector is useful for testing and debugging.

Etherboot Configuration Options

Etherboot stores its options in the self-documenting “Config” file in the source directory. The exhaustive documentation contains further details; however, you

Linux based client boots. The Trivial File Transfer Protocol (TFTP) is typically used to transport the operating system kernel, although Etherboot can alternatively use the Network File System (NFS). DHCP, TFTP, and NFS are all based on UDP.

In addition to the network file system, diskless clients need a writable file system that can store data dynamically. TEMPFS was chosen for this task, as it dynamically changes its size to reflect the amount of data it is required to store. The ancient RAM disk might provide an alternative. A transparent file system such as the Sun OS 4.x Translucent File System (TFS) would be ideal, but unfortunately this is not available for Linux, although Bernhard M. Wiedermann [8] is working on a promising Translucent FS for Linux. This would greatly simplify the file system structure for the configuration files.

The boot kernel, which is transferred across the network, requires a special


Figure 1: Boot sequence for a Linux diskless client showing the Etherboot and PXE approaches (diagram; the stages below are recovered from the figure text)

Thin client: the PC BIOS searches for components (with or without a bootloader); Etherboot or PXE issues a DHCP request for the base IP configuration; the boot kernel is tagged and fetched via TFTP or NFS; the kernel boots and mounts the RAM disk; the init scripts initialize the network card; dhclient-script mounts the root FS and writes the configuration files; pivot_root swaps the RAM disk with the root FS (after /mnt is mounted); the classical init process starts from the generated/mounted root FS.

Server: DHCPD supplies the IP address and further configuration; TFTPD and NFSD deliver the boot kernel; NFSD exports /nfsroot/dxs, /tmp/dxs, /opt, /usr (/var/cache/fonts), (/var/lib/texmf) ...


will need to download it separately from the development site [4]. The type and quantity of options you choose will affect the size of the ROM image created. EPROMs have a capacity of between 128 and 512 Kbits; BIOS Flash ROMs need enough free space.

The administrator also uses the configuration file to specify how to load the kernel image. The current Etherboot implementation can use NFS instead of TFTP, and NFS is needed later for the clients’ root file systems. Additionally, a server side service can increase system security. On the other hand, NFS support will add a few Kbytes to the size of the ROM code.

If you want to change the boot menu (boot from network or local device), you can edit “etherboot.h” to do so. The file is stored in the same directory as the configuration file. If you want Etherboot to issue a different vendor code identifier string than the default, “Etherboot”, to the DHCP server, you will need to edit “main.c”. Both options need to be enabled in the central configuration file.

Compiling the ROM Code
To create a “*.rom” image, you simply invoke “make” in the source directory. The images are placed in the “bin32” subdirectory. It makes sense to test the boot images first by booting from a floppy. Invoking “make bin32/name_of_network_adapter.fd0” will create a ROM image with an additional floppy boot header for “/dev/fd0”.

Attentive readers may already have noticed that the “make” rules for these floppy targets simply use “cat” to write the ROM image to the floppy. You can copy this method to avoid the more roundabout “make” syntax. A similar method is used to create PXE images, which the client boot software will load later.

Mknbi Builds Boot Images
The “mknbi-linux” perl script will create boot images for other operating systems – DOS for example – in addition to



Figure 2: Etherboot starts from a diskette image

Special Tools for BIOS

Special tools are used to add the Etherboot code as an extension ROM to the motherboard’s BIOS. These (DOS) tools are actually intended for mainboard manufacturers, who need to add firmware for IDE or SCSI controllers, anti-virus solutions, and so on to the standard BIOS. The Etherboot extension also falls into this category. However, you should exercise caution, as incorrect BIOS contents will cause a total failure of your motherboard. Care and a spare flash chip containing the original BIOS will help you avoid these pitfalls. The tools described below access the flash chip directly, and this is why you need to store an image of the BIOS in a file – normal flash programs can be used both to create and to restore an image.

Award and Phoenix BIOS
Type “cbrom.exe” without any parameters to display the available options. “cbrom bios.bin /d” displays the free space in the ROM file – that is, the space available for your own programs. The BIOS in the Flash ROM is typically compressed, and this is why cbrom compresses its own code. Etherboot needs between 8 and 20 Kbytes of free storage space. If this is not available, “cbrom bios.bin /[pci|ncr|logo|isa] release” will remove any BIOS components that are not absolutely necessary, such as manufacturers’ logos or the Symbios/NCR SCSI code, which a diskless system will have no use for. The “cbrom bios.bin /[pci|isa] bootimg.rom [D000:0]” command adds the compiled Etherboot code to the BIOS. “bootimg.rom” is the code that you would normally burn on an EPROM. The “[pci|isa]” option depends on the NIC. Cbrom supplies a memory address for ISA adapters to allow the code to be copied to this address during the boot sequence.

AMI BIOS
In contrast to “cbrom.exe”, the AMI tool “amibcp.exe” is menu driven. You launch it without any command line parameters and load the BIOS file by running the first menu item, “Load BIOS from Disk File”. “Edit BIOS Modules” is used to edit the BIOS modules. The free space available for extensions is shown at the bottom of your screen. You can press the [Ins] key to add extension modules, preferably using the “compressed” option. [Esc] quits the editing area, and “Save BIOS File to Disk” writes the modified BIOS to a file.

Figure 3: Cbrom analyses the BIOS of an ABIT BP6 motherboard


Linux. Type “man mknbi” for further details. Kernel tagging is enabled by typing “mknbi -o Bootimage -d /nfsroot/dxs -ip rom kernelimage [ramdiskimage]”, for example.

The options specified in this syntax are the kernel file, the output file (the network bootable kernel), and the NFS root. The last option tells the kernel to retrieve its IP configuration from the boot ROM’s DHCP/BOOTP request. The project discussed in this article does not need this option, however, as the DHCP request is initiated in the INITTAR environment [9].

Syslinux and PXE
PXE is another mechanism that allows you to boot diskless machines from the network. Some NICs and compact motherboards may already have PXE implementations. PXE Linux by Peter Anvin is distributed with the Syslinux package [7]. Syslinux provides a kind of enhanced “loadlin” (a second stage boot loader), which cooperates with PXE and uses TFTP to load a Linux kernel with options and a RAM disk. It would be equally feasible to use boot sector images for other operating systems, thus providing a network controlled multi-boot environment.

PXE Linux retrieves kernel boot information from a file in the “pxelinux.cfg/” subdirectory on the server, where the filename is the hexadecimal representation of the client’s IP address. If this file does not exist, PXE Linux truncates the name character by character, and compares the name again. If this also fails, a default configuration file is used.

PXE can also cooperate with Etherboot. This leads to a staggered boot sequence: PXE wakes up first and loads a customized Etherboot configuration, which proceeds with the boot sequence. This combination is particularly useful if PXE is available and you want to avoid having both invasive hardware and software configurations.

A kernel customized to support Etherboot is all you need to avoid having to provide boot kernels, although this does assume a carefully configured DHCP server that will supply the right data for the PXE request and the subsequent Etherboot request. You might like to refer to the howto at [2].

DHCP – the Central Configuration Tool
The Dynamic Host Configuration Protocol (DHCP) is the network protocol used in our case to supply both client system configurations, including hostnames, IP addresses, netmasks and the gateway address, and server IPs (time, swap, NIS, and print server). The menu and motd options also allow the DHCP server to supply parameters for the Etherboot boot ROM software.

The administrator should take care to define a meaningful structure for the configuration file that the DHCP daemon uses, “/etc/dhcpd.conf”. In addition to a “subnet” statement, the “group” option and categorizing by subnet can help organize configuration blocks with the same parameters. Listing 2 shows an example of a typical configuration.

DHCP allows you to supply so-called vendor (that is, additional) options. The code area 128 through 255 is reserved for options of this kind. Listing 3 makes heavy use of this potential. The following variable types are available: “string”, “integer”, “boolean”, “text”, “ip-number”, and all of these types can be combined to build arrays.

Admins who suspect that they may need a large number of configuration files might want to increase the packet size of the BOOTP reply packet from the default (572 bytes) to 1024 bytes: “dhcp-max-message-size 1024”. These options are set at the top of the server daemon
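The configuration file lookup that PXE Linux performs, as described in the Syslinux section above, is easy to get wrong when you lay out a “pxelinux.cfg/” directory by hand. The following is an added example, not code from the article or from the Syslinux project: it reproduces the search order the text gives (hexadecimal IP address, then the name shortened one character at a time, then “default”) and adds a helper that tells you which network a shortened name actually covers, since every hex digit stands for four address bits. It uses only the Python standard library.

```python
# Added example (not from the article or Syslinux): the search order PXE Linux
# uses for its configuration file, as described in the text. The client IP is
# written as eight upper-case hex digits, then shortened one character at a
# time, and "default" is tried last. The first existing name wins, so a file
# whose name is a prefix of many addresses serves all of them at once.
import ipaddress


def pxelinux_ip_name(ip: str) -> str:
    """Hexadecimal form of a dotted-quad IPv4 address, e.g. 134.76.60.64 -> 864C3C40."""
    return "%08X" % int(ipaddress.IPv4Address(ip))


def pxelinux_candidates(ip: str) -> list:
    """Names tried, in order, under pxelinux.cfg/ for the given client IP."""
    name = pxelinux_ip_name(ip)
    names = [name[:n] for n in range(len(name), 0, -1)]
    names.append("default")
    return names


def pxelinux_resolve(ip: str, existing) -> str:
    """Return the first candidate present in `existing` (a set of file names,
    for example os.listdir("pxelinux.cfg")), or None if not even 'default' exists."""
    for name in pxelinux_candidates(ip):
        if name in existing:
            return name
    return None


def pxelinux_prefix_network(name: str) -> ipaddress.IPv4Network:
    """The address range a shortened (prefix) file name applies to: each hex
    digit fixes four bits, so "864C3C" means 134.76.60.0/24 and "864C3"
    means 134.76.48.0/20. Useful for auditing which hosts a file really serves."""
    bits = 4 * len(name)
    base = int(name.ljust(8, "0"), 16)
    return ipaddress.IPv4Network((base, bits))


if __name__ == "__main__":
    # Constructed directory listing: one per-subnet file plus the fallback.
    listing = {"864C3C", "default"}
    print(pxelinux_candidates("134.76.60.64"))
    print(pxelinux_resolve("134.76.60.64", listing))
    print(pxelinux_prefix_network("864C3C"))
```

When a client picks up an unexpected profile, comparing the candidate list against the directory usually explains it: a short name such as “864C3C” covers every host in 134.76.60.0/24 and is reached before “default” for all of them.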



# For prompting ...
CFLAGS32+= -DMOTD -DIMAGE_MENU
# [...]
# Change download protocol to NFS, default is TFTP
CFLAGS32+= -DDOWNLOAD_PROTO_NFS
# For prompting and default on timeout
CFLAGS32+= -DASK_BOOT=3 -DANS_DEFAULT=ANS_NETWORK
# [...]
# Enabling this makes the boot ROM require a Vendor Class
# Identifier of "Etherboot" in the Vendor Encapsulated Options
CFLAGS32+= -DREQUIRE_VCI_ETHERBOOT

Listing 1: Excerpt from “Config.h”

option domain-name "math.uni-goettingen.de goe.net gwdg.de";
filename "/nfsroot/bootimg";
use-host-decl-names on;
default-lease-time 72000;
max-lease-time 144000;
subnet 134.76.60.0 netmask 255.255.252.0 {
  option domain-name-servers 134.76.60.21, 134.76.60.100;
  option ntp-servers ntps1.gwdg.de, ntps2.gwdg.de;
  option font-servers dionysos.stud.uni-goettingen.de;
  option x-display-manager s4, s5, s6, s9, s10, s11, s12;
  option routers 134.76.63.254;
  option broadcast-address 134.76.63.255;
  class "PXEClient:" {
    match if substring (option vendor-class-identifier, \
      0, 10) = "PXEClient:";
    filename "/nfsroot/dxs/boot/3c905c-tpo.pxe"; }
  group {
    option lpr-servers 134.76.60.2;
    host dxs02 {
      hardware ethernet 00:00:1C:D2:87:DF;
      fixed-address 134.76.60.64;
      #...

Listing 2: “dhcpd.conf”


and client (“dhclient”) configuration files. Listing 3 is intended as an example but by no means comprises a complete list of options.

The option “128” defines a magic packet which enables menu option evaluation for Etherboot. Option “160” specifies default values for the menu options, that is, the field to select after a timeout. “192” and following define the appearance of the menu that Etherboot displays after talking to the DHCP server. Options “223” and following (these are arbitrary numbers that are not in use) define various variables for diskless client configuration.

Our example shows how to specify whether or not a service should be started. This provides flexibility to distinguish between clients in heterogeneous environments.

Vendor code identifiers are defined as fixed DHCP options: “vendor-class-identifier” allows the server to identify a client, and “vendor-encapsulated-options” allows clients to identify the server. This allows the server to differentiate between clients and return different values for a single option.

In fact, this is essential if you have a boot sequence that uses both PXE and Etherboot, as PXE will receive an identical IP configuration but must load the Etherboot PXE image instead of the kernel image. The “class” statement shown in our example makes this distinction possible. If the code recognizes a PXE implementation on a special 3COM adapter, it will modify the content of the DHCP “file” field.

Client Side Configuration Options
The “dhclient” command is used for client side configuration tasks, that is, the dynamic assignment of an IP address with Linux. Obviously, the client configuration will need to match your DHCP server configuration. “dhclient-script” is used to enter, or apply, the appropriate settings.

The excerpts from “dhclient-script” (Listing 5) indicate how the clients work with DHCP. Variables are interpreted and used for configuration tasks, or other files are written. You could compare this with the boot scripts for System V init.

Of course, Listing 5 is a bash script, but you could just as easily use another script language. The important thing is to reflect the flow direction of the information path: DHCP server -> DHCP client -> script -> configuration file/service. Any additions you make, or options you add or remove, need to keep to this path.
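Since the text leaves the scripting language open, here is the same information path (DHCP server -> dhclient -> script -> configuration file) worked through in Python as an added example; it is not the article’s “dhclient-script” and not part of the Göttingen project. It assumes what Listing 5 relies on, namely that dhclient exports each received option to the script as an environment variable named “new_<option>” (so the “start-x” option from Listing 3 arrives as “new_start_x”), and it uses a constructed “rc.config.default” excerpt. The difference from the sed pipeline in Listing 5 is that every value received from the network is matched against an allow-list before it is written, because a DHCP reply is untrusted input as far as the client is concerned; the “RC_KEYS” and “ALLOWED” tables are this example’s own.

```python
# Added example, not from the article's dhclient-script: DHCP-supplied variables
# are validated against an allow-list and then rendered into rc.config.
# dhclient passes received options to the script as environment variables named
# new_<option> (the names below follow Listings 3 and 5); everything else here
# is constructed for the example.
import re

# Which dhclient variable feeds which rc.config key.
RC_KEYS = {
    "new_start_x": "START_X",
    "new_start_snmp": "START_SNMPD",
    "new_start_sshd": "START_SSHD",
    "new_start_xdmcp": "DISPLAYMANAGER",
    "new_start_cron": "CRON",
}

# Allowed values per key (constructed). Anything else is refused, so a value
# carrying quotes, newlines or shell syntax never reaches the config file.
YES_NO = re.compile(r"(yes|no)")
ALLOWED = {
    "START_X": YES_NO,
    "START_SNMPD": YES_NO,
    "START_SSHD": YES_NO,
    "DISPLAYMANAGER": re.compile(r"(kdm|xdm|gdm|)"),
    "CRON": YES_NO,
}

# Constructed excerpt standing in for /etc/rc.config.default.
RC_TEMPLATE = """\
# /etc/rc.config.default (constructed excerpt)
START_X="no"
START_SNMPD=no
START_SSHD="no"
DISPLAYMANAGER=""
CRON="yes"
KEYTABLE="de"
"""


class BadDhcpValue(ValueError):
    """Raised when a DHCP-supplied value is outside the allow-list."""


def settings_from_env(env: dict) -> dict:
    """Pick the DHCP-supplied variables out of the script environment and
    validate them. Variables the server did not send keep the template default."""
    result = {}
    for var, key in RC_KEYS.items():
        if var not in env:
            continue
        value = env[var]
        if not ALLOWED[key].fullmatch(value):
            raise BadDhcpValue("%s: refusing value %r from DHCP" % (key, value))
        result[key] = value
    return result


def render_rc_config(template: str, settings: dict) -> str:
    """Replace KEY=value lines of the template with the validated settings and
    drop comment and blank lines, as the original script did with grep -v."""
    out = []
    for line in template.splitlines():
        if line.lstrip().startswith("#") or not line.strip():
            continue
        key, sep, _ = line.partition("=")
        if sep and key in settings:
            line = '%s="%s"' % (key, settings[key])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed environment as dhclient would hand it to the script.
    env = {"new_start_x": "yes", "new_start_sshd": "yes", "new_start_xdmcp": "kdm"}
    print(render_rc_config(RC_TEMPLATE, settings_from_env(env)))
```

In a real hook the rendered text would be written to “/etc/rc.config” on the RAM disk; refusing the whole reply on a bad value, rather than silently dropping one field, keeps the failure visible on the server side, which is where the text says troubleshooting has to happen anyway.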

Organization and File Systems
Installing a client file system that has to do without a storage device of its own is obviously going to be different from a normal hard disk installation, particularly if it is the root file system. A single, uniform directory is used to serve a large number of machines with different functions and components. This has a positive effect on the server’s caching behavior.

If the server machine uses the same operating system on the same processor architecture, you can use some areas of the file system for your clients. This may even allow you to centralize software management on the server. However, if you do use licensed software, you will need to ensure that the licenses reflect the number of thin clients that access the software. The server does not allow client access to those parts of its file system that are reserved for configuration files, or temporary directories with sockets for XFree86, MySQL and others. This also applies to areas where security restrictions apply.

The file system hierarchy standards for free Unix operating systems organize the file system tree along the lines of the criteria shown in Table 1. This allows the NFS export options to be depicted in a matrix, like the one shown in Table 2. The client stores dynamic data, such as configuration files, logfiles, and sockets, in its memory (TEMPFS, RAMFS or a RAM disk).

Some Things Don’t Belong On the RAM Disk
As you cannot simply move everything onto the RAM disk, some fine tuning in the form of individual shares and symlinks is required. The standard application directories, “/opt” and “/usr”, can normally be shared for read-only access without any difficulty.

The special “/dev” need not be exported if you use a device file system daemon. Otherwise you would need to



# -- lot of information to be transferred --
dhcp-max-message-size 1024;
# -- user defined options --
option o128 code 128 = string;
option o129 code 129 = string;
option menudflts code 160 = string;
option motdline1 code 184 = string;
option menuline1 code 192 = string;
option menuline2 code 193 = string;
option menuline3 code 194 = string;
option start-x code 223 = string;
option start-snmp code 224 = string;
option start-sshd code 225 = string;
option start-xdmcp code 226 = string;
option start-cron code 227 = string;

Listing 3: DHCP-Vendor-Options

# /etc/dhclient.conf
send dhcp-max-message-size 1024;
send dhcp-lease-time 3600;
request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name;
require subnet-mask, domain-name-servers;
timeout 40;
retry 40;
reboot 10;
select-timeout 5;
initial-interval 2;
script "/sbin/dhclient-script";

Listing 4: “dhclient.conf”

               static         dynamic
local          /etc, /boot    /tmp, /var/run, /var/log
distributable  /opt, /usr     /var/cache/texmf, /var/spool

Table 1: Assignment Criteria


export it to the client’s RAM disk, just like “/etc” and “/var”. In this scenario the directories exported by NFS are as shown in Listing 6.

Setting Up the File System
Assuming the same processor architecture and a similar software base for both client and server, the next step is to extract the root file system for the clients, preferably using a shell script. The script first creates the complete directory tree before copying parts of the server file system to it, or mounting them during the initialization phase.

Additionally, the script either copies or links any programs and libraries in the “/lib”, “/bin”, and “/sbin” directories that the clients need to access. If the client root file system is stored on a separate server partition, the files are copied; in all other cases hard links are created (soft links cannot be used transparently via NFS). Hard links also provoke desirable behavior by ensuring that changes made to the server file system will immediately be reflected on the clients. However, be careful when using hard links, as updates may affect inode data.

In most cases you will need to ensure that special machine specific directories, such as “/lib/modules”, are not simply copied, but populated with the data your thin clients require. This also applies to some files in “/var” and “/etc”: machine and IP specific files, such as “hosts”, “resolv.conf”, “HOSTNAME”, “fstab”, and so on, should be placed on the RAM disk. But it would be preferable for the clients to use NFS to bind other areas that are the same for every client, such as “/etc/opt” with its copious data, and the root file system.

Of course, your decision as to how files and directories are best accessed must be based on individual requirements. Reducing RAM disk usage will mean more administrative tasks when allocating storage.

In our example the “/etc” configuration directory has been split into a static section, “/etc.s”, and a RAM disk section, “/RAM/etc”. The former is exported by the server for read-only access. The remainder is already incorporated in INITTAR and is mirrored on “/etc” by a link. It contains links to “/etc.s” for all the static elements. A translucent file system would reduce the effort involved in creating crosslinks [8].

INITTAR
The Init-RD (Initial RAM Disk) is not only impractical and inflexible, but has also been unnecessary since TEMPFS was introduced. This is how it works:
• Mount an empty TEMPFS as the root file system.
• Expand a tar.gz image that is passed to the kernel just like Init-RD.
• Launch the replacement “init” script.
INITTAR is not restricted to a fixed size, and does not need to be formatted with a file system; it is quite sufficient to create a gzipped tar file. You will, however, need to patch and recompile the kernel for TEMPFS. [9]

Two-Step Boot Sequence
The Linux diskless client described in this article is initialized along the lines of more modern Linux distributions. The minimal RAM disk environment described previously is launched before mounting the root file system. It performs configuration tasks, such as loading the kernel modules for the file system or a RAID array.

The two-step boot sequence also simplifies troubleshooting the kernel. Only those elements required to start the system are linked into the kernel; everything else is loaded when required.

Additionally, instead of running “init”, the shell script previously used to find and load the NIC kernel module is launched. “dhclient” retrieves the IP and other configuration files. “dhclient-script” takes care of the IP configuration, mounts the file system and writes the configuration files, before passing control back to “init”, which mounts the RAM disk file system as “/RAM”, and reinstates the mounted root file system as the root directory, “/”.
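The warning about hard links and inode data in the file system section above is worth seeing in action. The following is an added example, not part of the article or the project’s setup script: it builds a server directory and a client root in a temporary directory, hard-links a file from one into the other the way the setup script does, and then applies an “update” in the two ways that matter. Rewriting the file in place keeps the shared inode, so the client sees the change; writing a new file and renaming it over the old name (what package tools typically do) creates a new inode and silently detaches the client’s link. Directory names and file contents are constructed for the example.

```python
# Added example, not part of the article: why hard links into the client root
# behave as the text describes, and where they bite. Editing a file in place
# changes the inode both names share; replacing the file (new file renamed over
# the old name, as package updates commonly do) creates a new inode and the
# client's link keeps the old content.
import os
import tempfile


def server_and_client_content(update_in_place: bool) -> tuple:
    """Simulate server/foo hard-linked as client/foo, apply an update on the
    server side, and return (server content, client content, same inode?)."""
    with tempfile.TemporaryDirectory() as root:
        server = os.path.join(root, "server")  # stands in for the server's /bin
        client = os.path.join(root, "client")  # stands in for /nfsroot/dxs/bin
        os.makedirs(server)
        os.makedirs(client)
        src = os.path.join(server, "foo")
        dst = os.path.join(client, "foo")
        with open(src, "w") as f:
            f.write("version 1\n")
        os.link(src, dst)  # the hard link the setup script creates

        if update_in_place:
            # Same inode: truncate and rewrite the existing file.
            with open(src, "w") as f:
                f.write("version 2\n")
        else:
            # New inode: write a temporary file and rename it over the old name.
            tmp = src + ".new"
            with open(tmp, "w") as f:
                f.write("version 2\n")
            os.replace(tmp, src)

        with open(src) as f:
            server_sees = f.read()
        with open(dst) as f:
            client_sees = f.read()
        same_inode = os.stat(src).st_ino == os.stat(dst).st_ino
        return server_sees, client_sees, same_inode


def stale_links(server_dir: str, client_dir: str) -> list:
    """Audit helper for a real setup: names present in both directories that no
    longer share an inode, i.e. client links that an update has detached."""
    stale = []
    for name in sorted(os.listdir(client_dir)):
        s = os.path.join(server_dir, name)
        c = os.path.join(client_dir, name)
        if os.path.isfile(s) and os.path.isfile(c):
            if os.stat(s).st_ino != os.stat(c).st_ino:
                stale.append(name)
    return stale


if __name__ == "__main__":
    print("in-place update:", server_and_client_content(True))
    print("rename update:  ", server_and_client_content(False))
```

Running “stale_links” against the server tree and the client root after an update is a quick way to find exactly the detached binaries and libraries the text warns about, before a client boots an old copy.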



# dhclient-script
#...
# set up snmpd configuration
test -n "$new_start_snmp" && \
  sed -e "s,NETADDR/MASK,$netaddr/$new_subnet_mask,g" \
  /etc/ucdsnmpd.conf.default >/etc/ucdsnmpd.conf
#...
sed -e "s,KEYTABLE=.*,KEYTABLE=\"$LANG\",i" \
  -e "s,START_GPM=.*,START_GPM=$start_gpm,i" \
  -e "s,GPM_.*,GPM_PARAM=\"-t $MP -m $MD\",i" \
  -e "s,START_X=.*,START_X=\"$new_start_x\",i" \
  -e "s,START_SNMP.*,START_SNMPD=$new_start_snmp,i" \
  -e "s,START_SSHD.*,START_SSHD=$new_start_sshd,i" \
  -e "s,DISPLAYM.*,DISPLAYMANAGER=$new_start_xdmcp,i" \
  -e "s,DEFAULT_WM.*,DEFAULT_WM=\"$defaultwm\",i" \
  -e "s,CRON.*,CRON=\"$new_start_cron\",i" \
  -e "s,START_RWHOD.*,START_RWHOD=$new_start_rwhod,i" \
  -e "s,START_LPD.*,START_LPD=\"$start_lpd\",i" \
  -e "s,START_CUPS.*,START_CUPS=\"$start_cups\",i" \
  -e "s,START_YPBIND.*,START_YPBIND=\"$start_nis\",i" \
  -e "s,START_XNTPD.*,START_XNTPD=\"$start_xntp\",i" \
  -e "s,XNTPD_I.*,XNTPD_INITIAL_NTPDATE=\"$initntp\",i" \
  -e "s,VMWARE.*,VMWARE=\"$new_start_vmkernel\",i" \
  /etc/rc.config.default | grep -v "#" >/etc/rc.config;
#...

Listing 5: “dhclient-script”

Directories   Complete  Part  None
/opt          *
/usr          *
/clientroot   *
/etc                    *
/tmp                    *
/var                    *
/dev                          *

Table 2: Possible NFS Exports


Finally, the traditional “init” is launched from the root file system to complete the initialization phase. And this is the point where the traditional boot sequence, with its runlevel system (Sys-V-Init below the “/etc/init.d” directory), kicks in.

Inittab and Client Operating Mode
Dynamically configuring “/etc/inittab” allows you to select the operating mode for the client in GUI mode. This approach is more flexible than using the display manager on the desktop. DHCP data can be used to select and configure a window manager. A shell script then launches additional programs.

Traditional GUI logins with a host chooser use “init” and “/etc/inittab” to launch the X server. In the case of kiosk operations it would be preferable to start the machine directly without the display manager, using an “init” controlled “xinit” command.

Setting Up the Hardware
It is important for the project to support various client hardware configurations. Two approaches are possible to avoid having to create a customized root file system for every individual machine. One of them involves defining DHCP options to specify the graphics adapter, the screen resolution, the mouse, and any kernel modules that need to be loaded. The other approach uses the automatic hardware detection facilities provided by Linux distributions, such as “hwinfo” in the case of SuSE.

Both of these approaches can be scripted. Host and device specific files should be avoided, if at all possible. They tend to get forgotten when changes are made or updates applied, and are a constant source of errors.

Tricky Troubleshooting
On a diskless system, the network configuration must work before you can actually start logging anything on the client, and that makes troubleshooting more tricky than usual. The server logfile should contain a few hints. Some troubleshooting tasks can be performed remotely – particularly in the case of XFree86 configurations – if the secure shell daemon “sshd” is running on the client machine.

To debug the initial boot steps, your initialization and configuration scripts should be able to issue debugging messages that indicate the cause of any failures, and offer possible remedies. A logfile that traces the boot sequence, and the hardware and software setup, can provide additional information.

Conclusion
Diskless clients require more initial setting up work than traditional workstations, but even a smaller number of identical clients will more than compensate. The solution presented in this article scales particularly well.

The delay for loading the client configurations and typical client response times are typically shorter than comparable figures for stand-alone workstations – although this will depend to some extent on your server performance and network bandwidth.

The open software architecture is based entirely on established standard protocols and applications, which are available for a variety of platforms, and well-documented programming languages, such as bash and perl. This allows the project to interface with other platforms. For example, you can use a Citrix Metaframe client to access a Windows server and provide seamless desktop integration. There are several Java runtime environments for Linux, and this provides access to a number of platform independent programs such as SAP-R/3 frontends. If required, the desktop provided by the architecture discussed in this article can be run entirely in the background.

This results in a cheap, license-free, and scalable solution for commercial platforms such as kiosk, or point-of-sale products. And IT security profits from diskless clients. Large sections of the file system are mounted with read-only access, which makes manipulating programs and libraries extremely difficult. Also, it is harder for malevolent users to hide their own programs and scripts. The focus of securing and configuring clients moves from the client to the server, a terrain which is far easier for the admin to monitor. ■



# Base directory (root file system for client)
/nfsroot/dxs 10.10.156.0/255.255.252.0(ro,no_root_squash)
# Extension of /tmp for specific users (lots of space!)
/tmp/dxs 10.10.156.0/255.255.252.0(rw,no_root_squash)
# Application directories
/usr 10.10.156.0/255.255.252.0(ro)
/opt 10.10.156.0/255.255.252.0(ro)
# Additional areas for LaTeX users
/var/lib/texmf 10.10.156.0/255.255.252.0(ro)
/var/cache/fonts 10.10.156.0/255.255.252.0(rw)

Listing 6: Possible NFS Export Configuration
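The export matrix in Table 2 and the conclusion’s point that read-only mounts are what protect the clients’ programs and libraries suggest a simple check to run whenever “/etc/exports” changes. The following is an added example, not code from the article or the project: a parser for export lines in the form Listing 6 uses, and an audit that flags an export open to every host, a writable export combined with “no_root_squash” (the client’s root then writes as the server’s root), and a writable export of an area the article shares read-only. The sample input is constructed; it mirrors Listing 6 plus one deliberately sloppy line.

```python
# Added example, not from the article: parse /etc/exports lines as written in
# Listing 6 and flag the combinations that undo what read-only exports buy you.
import re
from collections import namedtuple

Export = namedtuple("Export", "path client options")

# Constructed sample: Listing 6 plus one deliberately over-permissive line.
EXPORTS_SAMPLE = """\
# Base directory (root file system for client)
/nfsroot/dxs 10.10.156.0/255.255.252.0(ro,no_root_squash)
# Extension of /tmp for specific users (lots of space!)
/tmp/dxs 10.10.156.0/255.255.252.0(rw,no_root_squash)
/usr 10.10.156.0/255.255.252.0(ro)
/opt 10.10.156.0/255.255.252.0(ro)
/var/lib/texmf 10.10.156.0/255.255.252.0(ro)
/var/cache/fonts 10.10.156.0/255.255.252.0(rw)
/home *(rw)
"""

# One client specification: host/network, optionally followed by (options).
CLIENT_RE = re.compile(r"^(?P<client>[^(\s]+)(?:\((?P<opts>[^)]*)\))?$")

# Areas the article exports read-only (Table 2 and the file system section).
READ_ONLY_EXPECTED = ("/usr", "/opt", "/nfsroot")


def parse_exports(text: str) -> list:
    """Return one Export per (path, client) pair; comments and blanks are skipped."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError("cannot parse client spec %r" % spec)
            opts = frozenset(o for o in (m.group("opts") or "").split(",") if o)
            exports.append(Export(path, m.group("client"), opts))
    return exports


def audit_exports(exports: list) -> list:
    """Return (path, finding) pairs for the risky combinations described above."""
    findings = []
    for e in exports:
        writable = "rw" in e.options
        if e.client == "*":
            findings.append((e.path, "exported to every host; restrict to the client subnet"))
        if writable and "no_root_squash" in e.options:
            findings.append((e.path, "rw with no_root_squash: client root writes as server root"))
        if writable and e.path.rstrip("/").startswith(READ_ONLY_EXPECTED):
            findings.append((e.path, "application or root area exported rw; the article shares it ro"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_exports(parse_exports(EXPORTS_SAMPLE)):
        print("%-18s %s" % (path, finding))
```

Listing 6 itself trips only the second check, on “/tmp/dxs”; whether that is acceptable depends on who is allowed to become root on a client, which is exactly the question the conclusion says moves from the client to the server.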

INFO

[1] Droms, Ralph; Lemon, Ted: “The DHCP Handbook”; New Riders Publishing, 1999

[2] How to setup a PXE 2.x server on Linux: http://clic.mandrakesoft.com/documentation/pxe/

[3] Rom-o-matic.net: http://www.rom-o-matic.net

[4] Etherboot project: http://etherboot.sourceforge.net and http://www.etherboot.org

[5] Linux Terminal Server Project: http://www.ltsp.org

[6] Göttinger Project Linux Diskless Clients: http://ldc.goe.net

[7] Syslinux: http://syslinux.zytor.com

[8] Concept of Translucency: http://www.informatik.hu-berlin.de/~wiedeman/development/translucency-statement.txt

[9] INITTAR: http://www.escape.de/users/outback/linux/index_en.html

THE AUTHOR

Dirk von Suchodoletz has been working with Linux since late 1993, but did not realize the potential Linux offered until years later. :-) Working with the X11 graphic interface and the Linux kernel at the University of Goettingen, the author designed several Linux Diskless Client (LDC) solutions.



SYSADMIN: User tools

useradd, usermod, userdel

Super User

Many paths will lead you to the new user account on your Linux computer – you can either head for all those configuration files manually or use a graphical tool provided by your distribution. BY HEIKE JURZIK

In this issue of User Tools we will be taking a walk on the admin side of life with Linux and providing background information, tricks and tools for command line user administration.

Back to the roots…
You will need root privileges for all the commands covered in this issue. Before we investigate individual user management programs, let us first take a look at the various configuration files and discuss their syntax. Fundamentally, the following steps will lead to the creation of a new account:
• specify the username, UID, and group membership
• enter the data in the appropriate files below /etc
• set the password for the new account
• create a home directory for the user
• optional: copy configuration files from /etc/skel to the new home directory
• use chown and chgrp to assign privileges for the new /home directory

To create a new user manually, you first need to edit /etc/passwd, the central file for user management on UNIX; you can use any editor to do so. Older systems tended to store individual user passwords in this file; today they will normally be placed in /etc/shadow. The individual lines in this text file comprise various “fields” which are separated by colons:

username:password:UID:GID:additionalInfo:home:shell

In more simple terms this means:
• username: the name with which the user will log on.
• password: formerly the encrypted password was stored here; but now the user will merely find an x – that is, indicating that the password has been stored in another file (/etc/shadow).
• UID: a unique “User IDentification number” is assigned for each user; root is always assigned 0, any other numbers can be assigned freely, however, 1 through 99 are typically reserved for system accounts.
• GID: this is the “Group IDentification number” that defines group membership; each user must be a member of at least one group (see also /etc/group).
• additionalInfo: more specific details on the user; this field can contain several words (although it is normally used for the user’s first name and surname).
• home: the user’s home directory, which normally defaults to /home/username.
• shell: the program which will be launched as the user’s command line interpreter when the user logs on; this normally defaults to /bin/bash or something similar.

Before you enter a new user, you should think about the user ID you intend to assign them, and about the group that the user will belong to. The UID must be unique for every user, and the GID must correspond to a group defined in /etc/group.

In most cases the number corresponding to the users group will be assigned (although you can define a new group in /etc/group):

asteroid:~# less /etc/group
[...]
users:x:100:

Now, let us assume that you want to create a new user called petronella, and make her a member of users; the corresponding entry would need to be typed as follows:

petronella:x:501:100:Testhuhn:/home/petronella/:/bin/bash

To add the new user to other groups, you would have to enter her name in the member list of the desired groups in /etc/group, for example:

audio:x:29:huhn,easter,petronella

Most systems use shadow passwords, and this means that you will need an additional entry in the /etc/shadow file. The colon-separated format is still retained here:

username:password:age:min_age:max_age:warning:buffer:invalid:other

The fields can be interpreted as follows:
• username: the username, refer to /etc/passwd.
• password: the encrypted password; if you see an asterisk * at this point, a valid password that the user could log on with has not been assigned; this is often the case for “administrative users”, such as daemon, bin or lp.
• age: the age of the password counted in days after 1st January 1970 (UNIX’s birthday) up to the point of the last modification.
• min_age: the number of days which must elapse before you can change the password.
• max_age: the number of days until the password needs to be changed.

Page 66: linux magazine uk 27



• warning: the number of days notice needed to warn the user that her password is about to expire.
• buffer: the number of days until the account really becomes invalid (as a kind of buffer).
• invalid: the number of days (counted from 1st January 1970) until the password becomes invalid.

• other: the final field is reserved.

The first two entries are mandatory, while the others are optional. The new entry for the user “petronella” in /etc/shadow thus appears as follows:

petronella:!:::::::

The second field, which currently contains a placeholder, !, (this field should never be left empty for security reasons) should normally contain an encrypted password. Make sure that you are logged on as root, and run the following passwd command:

asteroid:~# passwd petronella
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Now proceed to assign a home directory to the new user and optionally copy some initialization files to this directory:

asteroid:~# mkdir /home/petronella
asteroid:~# cp -v /etc/skel/.* /home/petronella
/etc/skel/.alias -> /home/petronella/.alias
/etc/skel/.bash_logout -> /home/petronella/.bash_logout
/etc/skel/.bash_profile -> /home/petronella/.bash_profile
/etc/skel/.bashrc -> /home/petronella/.bashrc
/etc/skel/.cshrc -> /home/petronella/.cshrc

To provide the new user with access, you will now need to modify the privileges for this directory:

asteroid:~# chown petronella /home/petronella/.*
asteroid:~# chgrp users /home/petronella/.*
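Hand-editing /etc/passwd, /etc/shadow and /etc/group, as walked through above, invites exactly the mistakes the text warns about: a reused UID, a GID that no group defines, a user without a shadow entry, or an empty password field. The following checker is an added example, not code from the article: it parses constructed copies of the three files in the formats given above (the field names match the two templates in the text) and reports those inconsistencies. The sample content includes the petronella entries from the article plus deliberately broken lines; run it against the real files only as a read-only audit.

```python
# Added example, not part of the article: a consistency check for hand-edited
# /etc/passwd, /etc/shadow and /etc/group, using the field layouts given above.
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid info home shell")
ShadowEntry = namedtuple(
    "ShadowEntry", "name password age min_age max_age warning buffer invalid other")

# Constructed sample files: the article's petronella entries plus one broken
# line of each kind (duplicate UID, undefined GID, missing/empty shadow entry).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
huhn:x:500:100:Huhn:/home/huhn:/bin/bash
petronella:x:501:100:Testhuhn:/home/petronella/:/bin/bash
easter:x:501:100:Easter:/home/easter:/bin/bash
ghost:x:502:999:No such group:/home/ghost:/bin/bash
"""

SHADOW = """\
root:$1$constructedhash:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
huhn:$1$constructedhash:12000:0:99999:7:::
petronella:!:::::::
easter::12000:0:99999:7:::
"""

GROUP = """\
root:x:0:
daemon:x:1:
users:x:100:
audio:x:29:huhn,easter,petronella
"""


def parse_colon_file(text: str, record, fields: int) -> dict:
    """Split a colon-separated file into records keyed by the first field,
    rejecting lines that do not have exactly `fields` fields."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != fields:
            raise ValueError("line %d: expected %d fields, got %d" % (lineno, fields, len(parts)))
        entries[parts[0]] = record(*parts)
    return entries


def audit_accounts(passwd_text: str, shadow_text: str, group_text: str) -> list:
    """Return (name, finding) pairs for the inconsistencies described above."""
    passwd = parse_colon_file(passwd_text, PasswdEntry, 7)
    shadow = parse_colon_file(shadow_text, ShadowEntry, 9)
    groups = {}  # gid -> (group name, member list)
    for line in group_text.splitlines():
        if line.strip():
            name, _, gid, members = line.split(":")
            groups[gid] = (name, members.split(",") if members else [])

    findings = []
    seen_uid = {}
    for user, e in passwd.items():
        if e.uid in seen_uid:
            findings.append((user, "UID %s already used by %s" % (e.uid, seen_uid[e.uid])))
        else:
            seen_uid[e.uid] = user
        if e.gid not in groups:
            findings.append((user, "GID %s not defined in /etc/group" % e.gid))
        if e.password == "x" and user not in shadow:
            findings.append((user, "no /etc/shadow entry"))
    for user, s in shadow.items():
        if s.password == "":
            findings.append((user, "empty password field in /etc/shadow"))
    for gid, (gname, members) in groups.items():
        for member in members:
            if member not in passwd:
                findings.append((member, "listed in group %s but has no account" % gname))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(PASSWD, SHADOW, GROUP):
        print("%-12s %s" % (name, finding))
```

The petronella lines pass: the UID 501 clash is reported against the later duplicate, and the “!” placeholder is accepted because the point the text makes is that the field must not be empty, not that it must already hold a hash.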

Fully automatic
The useradd, userdel, and usermod commands are practical command line tools to take the headache out of all that editing work. The useradd program is used to create user accounts, as the name would suggest. Running the command without any additional flags will display an overview of the most important parameters:

asteroid:~# useradd
usage: useradd [-u uid [-o]] [-g group] [-G group,...]
               [-d home] [-s shell] [-c comment] [-m [-k template]]
               [-f inactive] [-e expire ] [-p passwd] name
       useradd -D [-g group] [-b base] [-s shell]
               [-f inactive] [-e expire ]

There are two different approaches to using this program: you can either supply the new UID, GID, the new home directory, etc. as command line options, or you can use the -D parameter to define defaults, which the command will then process.

Let’s take a look at the individual parameters first. -u specifies the UID. If you attempt to use a number that has already been assigned, the program will end and display an error message: useradd: uid 100 is not unique.

You can use the -g flag to assign a primary GID for the user; additional groups are assigned by means of a comma-separated list, such as -G GID2,GID3…. To define the user’s home directory, add -d /home/username, and to assign a default shell, for example -s /bin/bash. To ensure that the home directory is actually created, you will also need to set the -m flag.

By default, the files in /etc/skel are copied to the new /home directory. The -c parameter can be used to define the user’s full name (which is stored in the additionalInfo field in /etc/passwd). Quotes are needed to write multiple words. If an encrypted password already exists for the user, you can set this password with the option -p crypt_pw. The full syntax is therefore as follows:

asteroid:~# useradd -u 501 -g 100 -d /home/petronella -m -s /bin/bash -c "Test-User petronella"

Now let’s take a look at the configuration files to see whether everything turned out OK. The entry for the password in /etc/shadow still reads !. This means running passwd once more.

useradd is a lot quicker if you use the default settings. You can specify the -D option to view the default settings:

asteroid:~# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

To apply these defaults, you can simply type useradd petronella; but do not forget to set the -m flag, to ensure that the home directory is really created. Of course, you can modify the default configuration; useradd -D -g GID will change the standard group, useradd -D -b the default home directory, and useradd -D -s the standard shell. If, after creating a new user, you discover that one or more settings are incorrect, and thus you need to modify an existing account, you might like to investigate usermod. This tool provides the same options (and the same functionality) as useradd.

The third program in this group iscalled userdel, and is responsible fordeleting user accounts. You cannotdelete a logged on user; similarly, anyprocesses belonging to the user must bekilled before launching userdel. Thecommand only has one parameter, -r,which will delete the user’s homedirectory and any files it contains inaddition to the account.

Debian systems provide a Perl script called adduser. You can run thescript interactively when creating newusers. The script prompts you to enterdata for the new user step-by-step and adds corresponding entries to theconfiguration files. The current version,3.47, is still included with DebianWoody. The source code is availablefrom http://ftp.debian.org/debian/pool/main/a/adduser/adduser_3.47.tar.gz;Debian users can type apt-get installadduser to install the tool. ■


Importing Assets

Data Driven By You

Whenever we start writing a piece of software, we usually use data that’s been hard-coded into the program. Nearly every 3D demo features a spinning cube. With the possible exception of the 16 bit demo scene, nothing ever uses a spinning cube. We want rockets, tanks, people – anything, in fact, except spinning cubes!

BY STEVEN GOODWIN

In this article we look at how to move away from primitive, hard-coded data, and learn how to source and handle external assets – to use the geek vernacular, the program becomes data-driven. As an example, we’ll be developing a 3D mesh viewer (using 3DS files – see Box 1) from first principles, starting with a look at the file format, and step by step learning how to bring it into memory and manipulate it effectively and efficiently.

I Owe You Nothing

Before we can load a file we need to understand it. Whilst it is usually desirable to use a pre-written library, it would make for a very short article! We are therefore only re-inventing the wheel for the purpose of education.

However, I usually find that writing a file loader helps me not only understand the format better, but also make better use of the data I have to process. For all data-driven work, I recommend having good documentation and samples to hand – even if you have to pay money for it!

The documentation we shall be using to describe the format can be found at http://www.whisqu.se/per/docs/graphics56.htm. This is a simplified version of the (now released) specification from http://sparks.discreet.com/downloads/downloadshome.cfm?f=2&wf_id=45. You do not need to rush for Konqueror just yet however, as I shall be describing the pertinent parts here.

Tall Trees In Georgia

Every 3DS file is split into chunks, and each chunk is part of a hierarchy. This means that each chunk (a block describing an individual piece of data – an object’s colour, for instance) can have one or more child blocks ‘inside’ it, in much the same way as XML or HTML embeds tags.

Unlike XML, it is a binary format. The parent-child relationship of chunks is conceptually no different from that of the Linux file-system. You can sneak a peek at the hierarchy of a sample 3DS file in Figure 1 (p72) to see how this will look for our program.

Chunked formats allow the vendor (along with standards bodies, other developers, and end users) to add custom chunks to the format without breaking other applications; it becomes both forward and backward compatible. Because it is a hierarchy, an application may omit or include entire sub-trees of data depending on how relevant they are to the file, or program, in question.

The application reading the file can then ignore chunks (in their entirety) if it doesn’t recognise (or need) them, and continue with those that it can, or wants to, read. This also makes it easier to write a parser (which in turn ensures


a greater penetration for the format) since you only need to handle the elements you’re interested in.

This predictable structure encompassing unpredictable data is what makes self-describing formats like this and XML loved – and others, like that of Microsoft Word, hated!

Head Music

A 3DS file chunk begins with a small header describing the data: an ID, and its size in bytes. This is then followed by the data itself (see Table 1). It really is that simple! Every step of the process involves the same set of operations:
• Read two bytes to discover the chunk ID
• Read four bytes to discover the size
• If we understand what to do with the chunk, process it!
• If we don’t, skip over that chunk
• Repeat from 1, until there’s no file left

Processing a chunk is also very simple – it’s either data (so we load it into memory accordingly), or it’s more chunks (in which case we repeat the steps above). This is known as ‘parsing’ the file; we use the known file structure to perform an analysis, giving meaning to the data.

High and Dry

Since we now have a basic grasp of the format we should get a 3DS file and process it by hand. This is known as ‘dry running’. To do this we need a file to use as our proverbial guinea pig. Naturally, we want to be impressed by our work, so we start looking for a T-Rex from Jurassic Park, or Princess Fiona from Shrek, perhaps.

Alas, this is misplaced optimism – start small. Very small. Ideally, you should start with a model of a cube (sorry)! At this size, it can be examined by hand with a tool named ‘hexdump’. Each point, line and parameter can then be compared with your source model as an integrity check. Then, if you are happy with your understanding of that section of the format, you can add features (incrementally) to the model: if you only change one thing at a time, there’s only one thing to go wrong!

Since I am not an artist, I shall use a 9K rocket model from the Internet (see Box 2: 3DS Models). Its validity has been independently verified by running it through several different rendering packages and other model viewers to check for errors.

Keep on Running

Having now got a 3DS file and an understanding of the format, the next step is to take a hexdump of the 3DS file and print it out. I’ll wait while you do that. No really. Print it out! You may be surprised how much easier it is to work through with a hard copy of the file (see Listing 1).

Let us now perform a ‘dry-run’! The first chunk we can see is 4d4d, and is ae220000 bytes long. This translates to a ‘main block’ chunk (see Table 2: Chunk IDs for a partial list) that is 8878 bytes in size (since it’s in hex, and we must read all numbers backwards – we’ll see why later). We are only 6 bytes into this chunk, so we can conclude there’s another 8872 bytes of this chunk to go, and so we process it. Which, by the file specification and definition, means we must read the next header!

This one has an id of 0002 (reading backwards, remember!) and is 10 bytes long. We don’t know what the 0002 chunk is, so we skip over the remaining 4 bytes and read another chunk! 3D3D is


Start location (*)  End location (*)  Size (bytes)  Name
0                   1                 2             Chunk ID
2                   5                 4             Next chunk
6                   ??                ??            Data in chunk
(*) An offset in bytes from the beginning of the chunk

Table 1: 3DS Chunk

3D Studio was a DOS-only package from Autodesk, and was, for many years, the industry standard for 3D computer game modelling. Although Discreet (or its parent company, Autodesk) no longer supports the 3DS format, many packages still do. This is for a good reason.

It can hold data for a number of different models, as well as storing keyframe (animation) data and dummy nodes (indicating a position on the model for attaching other objects). There are also several open source viewers and tools available, such as view3ds and lib3ds.

Box 1: 3DS?

As a programmer with little-to-no artistic ability I have to download my own personal artist from the Internet! There are several web sites that will provide you with free 3DS models for personal use. Google will return you the following:
http://www.fantasticarts.com/3dmodels/
http://www.egypt3d.com/3D_Models/3d_models.html

Box 2: 3DS models

Name                Parent              ID (hex)
Main Block          -                   4d4d
Mesh Data           Main Block          3d3d
Keyframes           Main Block          b000
Object Description  Mesh Data           4000
Polygon Data        Object Description  4100
Light               Object Description  4600
Camera              Object Description  4700
Vertex List         Polygon Data        4110
Face List           Polygon Data        4120
A more comprehensive list can be downloaded from: http://sparks.discreet.com/downloads

Table 2: Chunk IDs

$ hexdump -C rocket.3ds | head
00000000  4d 4d ae 22 00 00 02 00  0a 00 00 00 03 00 00 00  |MM."............|
00000010  3d 3d b2 21 00 00 01 00  0a 00 00 00 01 00 00 00  |==.!............|
00000020  ff af 67 00 00 00 00 a0  16 00 00 00 52 6f 63 6b  |..g.........Rock|
00000030  65 74 73 68 69 70 20 62  6c 75 65 00 10 a0 0f 00  |etship blue.....|
00000040  00 00 11 00 09 00 00 00  00 00 ef 20 a0 0f 00 00  |........... ....|
00000050  00 11 00 09 00 00 00 00  00 ef 30 a0 0f 00 00 00  |..........0.....|
00000060  11 00 09 00 00 00 00 00  00 40 a0 10 00 00 00 31  |.........@.....1|
00000070  00 0a 00 00 00 00 00 00  00 00 a1 08 00 00 00 01  |................|
00000080  00 81 a0 06 00 00 00 00  40 3b 21 00 00 52 6f 63  |........@;!..Roc|
00000090  6b 65 74 73 68 00 00 41  2c 21 00 00 10 41 80 0c  |ketsh..A,!..A...|

Listing 1: 3DS file header in hex


next and easily recognised as a model chunk… and so on. This is one reason for using small files – it’s a much easier process.

Having done this, we can understand what the program should be doing, which makes it possible to check that it’s working properly. We can now move on to implementing it!

Doin’ the Do

Looking at the algorithm referenced above, it seems logical to write the ReadChunkHeader function first. However, the code to do it is not as obvious as perhaps you’d think.

fread(&id, sizeof(short), 1, file_ptr);
fread(&size, sizeof(long), 1, file_ptr);

There are three basic errors shown here, which are common to a lot of asset-handling routines.
• The size of the ‘short’ variable might not always be two bytes.
• No errors are handled.
• This might not be compiled on an x86 machine.

The first can be fixed simply by creating two custom types in a common header file, say mv_types.h.

typedef unsigned short tWORD;
typedef unsigned int tLONG;   /* the 4-byte chunk size; plain long is 8 bytes on 64-bit Linux */

The second problem is a question of discipline: all possible circumstances must be catered for, so the return values from ‘fread’ must be checked. See Box 3: Stability, for more information.

Most of the examples presented here are without full error checking, allowing us to focus on the more pertinent parts of the code. However, the full source is available on the Subscriber CD.

The third situation is subtler. It is the issue of endian-ness (see LM, issue 23, p69). Basically, this is where the order of the individual bytes within a word varies between processors. This is why we had to read the chunk size backwards earlier. The x86 family is considered little endian and would work fine with the above code. The Motorola 68000 architecture would not, however.

When handling external file formats you should note carefully the endian-ness of the format itself – this is another good reason for printing out the hex dump of a sample file, as this makes it easy to see. You should not, however, be concerned with the endian format of the target machine, since it is always possible to create endian-independent code:

BOOL mv_ReadWord(FILE *file_ptr, tWORD *pWord)
{
    int c;

    if ((c = fgetc(file_ptr)) == EOF)
        return FALSE;
    *pWord = (tWORD)c;

    if ((c = fgetc(file_ptr)) == EOF)
        return FALSE;
    *pWord |= (tWORD)c << 8;

    return TRUE;
}

This can be extended to an equivalent mv_ReadLong function, or combined with it to make an all-encompassing mv_ReadChunk routine. My reasoning for this particular implementation is that by passing the address of a variable into the function, we can effectively pass two values out – the bytes read in from the disc, and an error condition (see Listing 2). If you think it’s paranoia – you’re right – now go and read Box 3 again!

Your program will be working with odd files, of odd dimensions and odd sizes. You can no longer make assumptions about its contents, or limits. If the file supports 65536 options, then make sure your program can cope with 65536 – even if the only software generating those files is limited to 100! Every return value (especially from file and memory functions, like fread and malloc) must be checked. It is possible the file will be corrupt, broken, or maliciously hacked and so cannot be trusted!

Not only that, but once each section of a file has been found (e.g. model data), we should initialise its contents to sensible values:

pMesh->iNumFaces = 0;
pMesh->iNumVertices = 0;

This way, if a file lacks any particular component, the program will not come across uninitialised data and try to use it. C++ classes support constructors that are automatically called when an object is created, making it an ideal language for these tasks.

If you’re not currently in the habit of being this paranoid – start now! Robust, stable code like this is no bad thing. You wouldn’t trust a stranger typing in your root shell, so why should you allow their data through your program without checks?

Box 3: Stability

Figure 1: Sample Rocket Mesh – Hierarchy of Chunks

Building Steam with a Grain of Salt

From these little acorns, great oaks of code shall grow. Referring back to the file format, we can write a parsing function quite simply – as shown in Listing 3.

This function is fairly typical of the type we’ll need to write for this parser. It consists of a prototype that includes the file pointer (telling us where to get the data from), the size of the data to read, and an object pointer telling us where to put the data, once it’s been read.

The main loop (lines 18 to 31) consists of each of steps 1 to 5, outlined above. The functionality of each step should be self-explanatory.

Lines 8 & 9 make a note of when we have to stop reading. The method I’ve adopted here is to pass the total block size into each function, and let it self-terminate (line 31) at the appropriate time. This isn’t the nicest code in the world, but it accurately does the job! If you’re designing a chunked format of your own I’d recommend adding a chunk with an ID (say 0xffff) that means ‘all done, return to your parent’, to make termination easier to handle.

Because we’re entering a new branch of the tree, and this branch has some interesting data associated with it, we create a structure (line 11) for this data to fit into. Lines 15 and 16 prepare some default mesh data in case nothing else does. This way the render code can check the data before blindly using pointers (or data) that may be invalid. Another case of writing robust code.

This code can be used as a template for parsing other chunks, say for the


BOOL mv_ReadChunk(FILE *file_ptr, tWORD *pID, tLONG *pSize)
{
    if (mv_ReadWord(file_ptr, pID) == FALSE)
        return FALSE;
    if (mv_ReadLong(file_ptr, pSize) == FALSE)
        return FALSE;
    return TRUE;
}

Listing 2: Passing values out

01 MV_MODEL *mv_ParseMeshData(FILE *file_ptr, tLONG mesh_size, MV_OBJECT *pObj)
02 {
03     tWORD id;
04     tLONG size;
05     tLONG end_of_block;
06     MV_MODEL *pMesh;
07
08     end_of_block = ftell(file_ptr) + mesh_size;   /* where the block should end... */
09     end_of_block -= sizeof(tWORD)+sizeof(tLONG);  /* ...ignoring the header */
10
11     pMesh = (MV_MODEL *)malloc(sizeof(MV_MODEL));
12     if (!pMesh)
13         return (MV_MODEL *)0;
14
15     pMesh->iNumFaces = 0;
16     pMesh->iNumVertices = 0;
17
18     do
19     {
20         mv_ReadChunk(file_ptr, &id, &size);
21
22         switch(id)
23         {
24         case SMV_OBJECTDESCRIPTION:
25             mv_ParseObjectBlock(file_ptr, size, pObj, pMesh);
26             break;
27         default:
28             mv_SkipChunk(file_ptr, size);
29         }
30     }
31     while(ftell(file_ptr) < end_of_block);
32
33     return pMesh;
34 }

Listing 3: Parsing function
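The five-step loop from Head Music, the byte-by-byte readers of the Doin’ the Do section and the checks Box 3 calls for, brought together in one runnable program. This is an added example, not the article’s code or the Subscriber CD source: the names read_word, read_long, walk_block and count_chunks are my own, the two chunk IDs are the Main Block and Mesh Data entries from Table 2, and the two 32-byte sample files are constructed by hand. Where Listing 3 trusts the size in each header, this walker refuses a chunk whose size is smaller than its own header or larger than the room left in its parent, which is exactly the corrupt or hostile input Box 3 warns about.

```c
/* Added example, not the article's code: endian-independent readers plus
 * a chunk walker that refuses malformed sizes.  Function names and the
 * sample bytes are my own; 0x4d4d and 0x3d3d are the Table 2 IDs. */
#include <stdio.h>
#include <stdint.h>

typedef uint16_t tWORD;      /* exactly 2 bytes, whatever 'short' is on the target */
typedef uint32_t tLONG;      /* exactly 4 bytes; plain 'long' is 8 on 64-bit Linux */

#define HEADER_SIZE    6     /* 2-byte ID + 4-byte size, see Table 1 */
#define CHUNK_MAIN     0x4d4d
#define CHUNK_MESHDATA 0x3d3d
#define MAX_DEPTH      16    /* real files are a few levels deep; more is hostile */

/* Little-endian readers: the value is assembled a byte at a time, so the
 * host's own byte order never enters into it. */
static int read_word(FILE *fp, tWORD *out)
{
    int lo = fgetc(fp), hi;
    if (lo == EOF) return 0;
    hi = fgetc(fp);
    if (hi == EOF) return 0;
    *out = (tWORD)(lo | (hi << 8));
    return 1;
}

static int read_long(FILE *fp, tLONG *out)
{
    tWORD lo, hi;
    if (!read_word(fp, &lo) || !read_word(fp, &hi)) return 0;
    *out = (tLONG)lo | ((tLONG)hi << 16);
    return 1;
}

/* Walk every chunk between the current position and end_of_block.
 * Returns the number of chunks seen, or -1 if any header lies: a size
 * smaller than the header itself (the loop would never advance) or a
 * chunk that runs past its parent or past the end of the file. */
static int walk_block(FILE *fp, long end_of_block, int depth)
{
    int count = 0;
    if (depth > MAX_DEPTH) return -1;
    for (;;) {
        tWORD id;
        tLONG size;
        long pos = ftell(fp);
        if (pos < 0) return -1;
        if (pos >= end_of_block) break;                   /* parent fully consumed */
        if (end_of_block - pos < HEADER_SIZE) return -1;  /* trailing bytes, no room for a header */
        if (!read_word(fp, &id) || !read_long(fp, &size)) return -1;
        if (size < HEADER_SIZE || size > (tLONG)(end_of_block - pos)) return -1;
        count++;
        if (id == CHUNK_MAIN || id == CHUNK_MESHDATA) {   /* containers: recurse */
            int sub = walk_block(fp, pos + (long)size, depth + 1);
            if (sub < 0) return -1;
            count += sub;
        } else if (fseek(fp, pos + (long)size, SEEK_SET) != 0) {
            return -1;                                    /* unknown chunk: skip it */
        }
    }
    return count;
}

/* Push a constructed in-memory file through a real FILE* and walk it. */
int count_chunks(const unsigned char *bytes, size_t len)
{
    FILE *fp = tmpfile();
    int n = -1;
    if (!fp) return -1;
    if (fwrite(bytes, 1, len, fp) == len) {
        rewind(fp);
        n = walk_block(fp, (long)len, 0);
    }
    fclose(fp);
    return n;
}

/* Constructed 32-byte file: MAIN(4d4d, 32 bytes) holding an unknown 0002
 * chunk (10 bytes) and a MESHDATA(3d3d, 16 bytes) block with one 4000
 * chunk (10 bytes).  All multi-byte values are little-endian. */
const unsigned char GOOD_FILE[32] = {
    0x4d,0x4d, 0x20,0x00,0x00,0x00,
      0x02,0x00, 0x0a,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
      0x3d,0x3d, 0x10,0x00,0x00,0x00,
        0x00,0x40, 0x0a,0x00,0x00,0x00, 0x52,0x6f,0x63,0x00
};
/* Same file, but the 4000 chunk claims 0x1000 bytes it does not have. */
const unsigned char BAD_FILE[32] = {
    0x4d,0x4d, 0x20,0x00,0x00,0x00,
      0x02,0x00, 0x0a,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
      0x3d,0x3d, 0x10,0x00,0x00,0x00,
        0x00,0x40, 0x00,0x10,0x00,0x00, 0x52,0x6f,0x63,0x00
};

int main(void)
{
    printf("good file: %d chunks\n", count_chunks(GOOD_FILE, sizeof GOOD_FILE));
    printf("oversized child: %d\n", count_chunks(BAD_FILE, sizeof BAD_FILE));
    printf("truncated file: %d\n", count_chunks(GOOD_FILE, 20));
    return 0;
}
```

The oversized child and the truncated file both come back as -1 instead of an fseek beyond the end of the data, and the depth cap turns absurdly deep nesting into an error rather than unbounded recursion; a loader built on this walker can then reject the file before allocating anything for it.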


mesh data, polygon data, or vertex list (see Table 2: Chunk IDs). The Main Block will read data, and only respond to Mesh Data, at which point it calls a similar function (called mv_ParseMeshData) which in turn looks for Object Descriptions. This then looks for Polygon Data, Lights or Cameras.

It is best to separate these into functions because it improves readability, re-emphasises the hierarchical nature of the file, and allows you to take special cases into account.

For example, the Object Description starts with a NUL-terminated ASCII string before reading the chunks. We can implement that easily and cleanly with a separate function – an example is shown in Listing 4. Having now got some code to read our data, we need to handle it in an efficient way.

Pictures Of Matchstick Men

Every 3D mesh is composed of faces. Lots of them. Each face is a triangle with three points; each point being called a vertex. So storing a mesh is simply a case of storing every vertex – of every triangle. This is normally done with two lists: a vertex list, and a face list (see Boxes 4 and 5).

A list of triangle vertices is rarely used because in most meshes, each face normally joins at least one other face along an edge, meaning they will share two vertices. By referencing the points in a list (as opposed to labelling them explicitly) we can save a lot of memory.

For example, the rocket has 266 vertices, and 250 faces. At 12 bytes per vertex, and 6 bytes per face, the mesh requires 6,312 bytes. Whereas, if each face was stored with its vertices explicitly listed, it would take 18,720 bytes (as each face is now 36 bytes). The savings become more pronounced as meshes become larger and more complex.

So how does this help us? It tells us that the format is optimised for size, not usage. We must take this format and store it internally in a manner that helps our program. Music formats such as MP3 and MIDI are intended to be played in a linear fashion, so their formats lend themselves instead to streaming (you may notice the slight pause when jumping into the middle of an MP3).

To start with we should test our parser by creating a simple OpenGL framework, using the data in whatever format we happen to have. As a bonus to those committed Linux Magazine readers, issue 8 (p72) includes a piece of Glut framework code that opens a window, accepts input from the keyboard and mouse and draws a teapot on screen! A quick copy and paste and it’s in our project, with the glutSolidTeapot call replaced with our own draw code, which looks as shown in Listing 5.

Best That You Can Do

There are two issues when it comes to choosing the best internal format. The first is for handling the object’s properties (say, position and orientation) and the second is for the rendering. So is this a trade-off?

No. They should be held in different structures! The properties could be held in an MV_OBJECT structure (for instance) that details where the object’s position is and what it is called. And a separate structure (MV_MODEL, for example) should describe how to draw it.

They are, after all, different entities, especially since the position will change more often than the mesh data will. By separating them in this way, the internal format can change several times, and only the rendering function needs to be updated. What’s more, the MV_MODEL can describe which format of data it’s using, allowing us to use different formats within the same program… for the same type of object!


BOOL mv_ParseObjectBlock(FILE *file_ptr, tLONG block_size, MV_OBJECT *pObj, MV_MODEL *pMesh)
{
    tWORD id;
    tLONG size;
    tLONG end_of_block;

    end_of_block = ftell(file_ptr) + block_size;   /* where the block should end... */
    end_of_block -= sizeof(tWORD)+sizeof(tLONG);   /* ...ignoring the header */

    mv_ReadString(file_ptr, pObj->szName, sizeof(pObj->szName));

    do
    {
        if (mv_ReadChunk(file_ptr, &id, &size) == FALSE)
            return FALSE;
        switch(id)
        {
        case SMV_POLYGONDATA:
            mv_ParsePolygonData(file_ptr, size, pMesh);
            break;
        case SMV_MESHLIGHT:
            mv_SkipChunk(file_ptr, size);
            break;
        case SMV_MESHCAMERA:
            mv_SkipChunk(file_ptr, size);
            break;
        default:
            mv_SkipChunk(file_ptr, size);
        }
    }
    while(ftell(file_ptr) < end_of_block);
    return TRUE;
}

Listing 4: Reading in chunks


typedef struct {
    char szName[256];
    MVERTEX pos;
    float xangle, yangle, zangle;
    MV_MODEL *pMesh;
} MV_OBJECT;

This object should have its own set of functions to manipulate it, keeping it modular and distinct from the file parsing code. Again, this distance allows features to be added and changed without a major code overhaul (see Listing 6).

And a set of manipulation functions would not go amiss, as in our example:

void Obj_SetPosition(MV_OBJECT *pObj, float x, float y, float z)
{
    pObj->pos.x = x;
    pObj->pos.y = y;
    pObj->pos.z = z;
}

Improving the format can be done (in OpenGL) using ‘array elements’ or ‘display lists’. These should be computed on load and stored in place of the mesh data we loaded above. The internal methods, or structure, are not important unless you’re an OpenGL programmer (it’s the same data, but in a different format).

What is important, however, is that such a format exists and may have no relation to the 3DS file we started with! You should arrange program data in a format suitable for the program – not the disc. We are fairly lucky in so much as a good OpenGL format can be created quite easily by expanding the face vertices with fairly minimal work on our part.

Listing 7 shows alternative render code using ‘array elements’, made possible because we load the vertices from the 3DS file in the correct manner initially.

We could also use our MV_MODEL structure to store the colour (or graphic image) for each mesh face, or add the face normal (the direction it’s facing) to perform hidden face removal, or produce better lighting.

This is information that could either be present within the file format, or computed from existing data. We simply put the data at the fingertips of the render code, where it deserves to be. Whatever format results, we could (nay, should!) save the data out as a raw block that can be loaded in (much quicker) next time. These resultant files are platform dependent and target ready: meaning we load them in, set up our pointers and *wham!* away we go! An example is shown in Listing 8.

In a larger project, these files may be packaged with others (in much the same manner as a ‘tar’ file) to speed up loading, and ease distribution.

As we’ve seen, there can be a lot of work in parsing a file format and storing it efficiently in memory. When it’s done, your programs take on an extra edge of professionalism and the next step towards the big time. ■


for(i=0;i<iNumFaces;i++)
{
    glBegin(GL_LINE_LOOP);
    glVertex3d(pVList[pFList[i].v1].x, pVList[pFList[i].v1].y, pVList[pFList[i].v1].z);
    glVertex3d(pVList[pFList[i].v2].x, pVList[pFList[i].v2].y, pVList[pFList[i].v2].z);
    glVertex3d(pVList[pFList[i].v3].x, pVList[pFList[i].v3].y, pVList[pFList[i].v3].z);
    glEnd();
}

Listing 5: Copy and Paste

MV_OBJECT *Obj_CreateObject(void)
{
    MV_OBJECT *pObj;

    pObj = (MV_OBJECT *)malloc(sizeof(MV_OBJECT));
    if (pObj == 0)
        return (MV_OBJECT *)0;

    pObj->pos.x = pObj->pos.y = pObj->pos.z = 0;
    pObj->xangle = pObj->yangle = pObj->zangle = 0;
    pObj->pMesh = 0;
    return pObj;
}

Listing 6: More modules

glEnableClientState(GL_VERTEX_ARRAY);
glVertexPointer(3, GL_FLOAT, 0, (void *)pCurrMesh->pVertexList);
for(i=0;i<pCurrMesh->iNumFaces;i++)
{
    glBegin(GL_LINE_LOOP);
    glArrayElement(pFList[i].v1);
    glArrayElement(pFList[i].v2);
    glArrayElement(pFList[i].v3);
    glEnd();
}

Listing 7: Render

fwrite(&iNumVertices, sizeof(iNumVertices), 1, file_ptr);
fwrite(pVertexList, sizeof(MVERTEX), iNumVertices, file_ptr);

fwrite(&iNumFaces, sizeof(iNumFaces), 1, file_ptr);
fwrite(pFaceList, sizeof(MFACE), iNumFaces, file_ptr);

Listing 8: Wham

-21.000000 0.000000 100.000000
-34.000000 5.000000 73.000000
-31.000000 8.000000 73.000000
… etc …

Box 4: Vertex List

18 1 0
2 1 0
3 2 0
… etc …

Box 5: Face List


Quality Code

Walking Upright

Whilst peer review is the best method of ensuring quality code, automated tools can also be employed. In this article we look at such a tool, and show how it can be used to improve your code.

BY STEVEN GOODWIN & DEAN WILSON

Program errors annoy users and hinder development. Software that takes a month to write will often take just as long again to debug and fix before the end product is deployed. Compiler warnings, although useful, do not go far enough to prevent a number of bugs that should be trapped at a much earlier stage.

Splint (formerly called lclint) is a semantic checker which reads and understands your code. It can look at what you have said – and determine if that’s what you meant.

In contrast, the compiler will point out show-stopping syntax errors (such as undefined variables), which prevent an executable from being built. Many semantic errors can be caught by turning on all compiler warnings, but this is still not enough in most instances (see Box 1: Swear and curse).

I’m a lumberjack…

Splint is available as a binary or source package which can be downloaded from www.splint.org, with the current version (3.0.1.6) weighing in at around 1.5 MB.

The source is built using the standard GNU tool chain and should compile under any modern Unix. To build Splint from its source tarball, where <version> is a string such as 3.0.1.6:

$ tar -zxvf splint-<version>.tgz
$ cd splint-<version>

start the actual build

$ make

this stage requires root privileges

$ make install

If you have any difficulties or problems building from the source, there is a binary package available that runs straight out of the box with no external dependencies, and is available for Linux, FreeBSD, Windows and Solaris from the Splint homepage.

I’ve got two legs

Splint has to be able to read and parse the code in the same manner as a compiler would. So, if you have particular include directories that need to be used, you can either add a command line switch (as you would with gcc), or use the environment variable LARCH_PATH, mimicking how a Makefile would handle it.

For example, to add an include directory for a single run:

$ splint -I /usr/src/myproject/include sptest.c

Or, to make that directory available on each run of splint in this terminal session (if using ‘bash’), we use:

$ export LARCH_PATH=/usr/src/myproject/include

To make this persistent across sessions, add the line to your .bashrc or .bash_profile file, depending on your setup. Header files in the same directory as your source files do not need to be explicitly referenced as they are included by default.

You can test the install by typing:

$ splint --help version

A pleasant splint banner indicates that you now have a fully working install of the package. Now let us look at what it can do for us by running it with a simple sample program.

You’re the doctor of my dreams

We have, below, the complete source code that we are going to use as our test bed for splint. Please note this code is not production quality, and deliberately contains bugs. It does, however, compile 100% cleanly with the strict gcc settings of -Wall, -ansi and -pedantic.

Splint can be a very exacting program. As an example of this, please note the following code sample:

#include <stdio.h>
int main(int argc, char **argv) {
    int a=0;
    if (a = 4);
    return 0;
}

This code has no warnings when compiled with ‘gcc test.c’, but succeeds in detecting one warning when all compiler warnings are enabled with -Wall. Splint, in contrast, will pick up a grand total of 5 errors (or possible errors) in the same piece of code. Imagine the potential minefields present in a larger project!

Box 1: Swear and curse

Steven Goodwin is a Lead Programmer who has just finished his fifth computer game. He has had more bugs than you’ve had hot dinners… but he claims they all belong to Dean Wilson.

Dean Wilson works in Perl, C and shell scripts at WebPerform Group Ltd in the City. His bug count currently exceeds the GNP of Japan… but he claims they all belong to Steven Goodwin.

The Authors


$ gcc -Wall -ansi -pedantic test.c

Although these settings may appear overly conservative, in a real-world scenario where code is critical, or ported across multiple systems, these settings would be the norm (see Listing 1).

The program uses Numerology to calculate a mystical number which is derived from a person’s name. This number can be used to tell your fortune, describe your personality, or demonstrate your character traits (like health, wealth, and gullibility). Allegedly!

So there’s our code. 46 lines of code. 0 warnings. Can there be anything wrong? For starters it doesn’t terminate – it appears to spin. So we need some extra help tracking down the error. Let us run splint and look for further clues… (see Listing 2).

All things dull and ugly

Wow! 14 warnings for a ‘perfect’ piece of code. Let’s break these errors down to see where they come from, and why. The experienced reader may care to notice the different categories of problem that splint produces.

One of the first things to spot are the two ‘Parameter … not used’ errors on line 28, one with argc as the unused parameter, and one with argv. Both variables are present in our main() function, but neither is used. There is a good reason for this (in our case); our program doesn’t use them.

Does this mean we can ignore this error? Only in this specific case. In virtually every other situation an unused parameter means there is some important data being orphaned inside the function. This should, invariably, be corrected. In this instance we should amend our source code to tell maintenance programmers that we are not using these parameters intentionally. For example:

argc = argc;
argv = argv;

Splint will no longer report this warning for argc and argv, although it will be reported for other unused parameters in the program. If you wish to ignore this type of error wholesale (i.e. in every problematic occurrence of the code) you can ask splint to ignore this type of error with the command:

$ splint --paramuse test.c

After running this command on the original source you will notice there are now only 12 warnings present, with both of those in the ‘unused parameter’ category having been removed.

Most of splint’s warnings are grouped into such categories that can be ignored with a command line switch like ‘--paramuse’. This allows you to ignore specific types of error if you either don’t agree with them, or they are not applicable to the product you are working on. Working through the error list above you should be able to pick out a number of such switches.

There are over one hundred different flags available, and so it would be impractical to list them all here. You can review the categories available by using the command:

$ splint --help flags

The individual categories (memory, pointers and parameters, for example) can be shown with the equally simple:

$ splint --help memory

It’s fun to charter an accountant…

Once the simpler errors have been removed, it is a good idea to progress through the list, solving each error in turn. After a problem area has been detected, briefly read the remaining problems to see if your fix could adversely affect other areas of the code.

When you are happy with your change, re-run splint to check that the error has gone, and no other warnings were produced as a result of your new code change.

Looking at our output, we see there’s a problem with line 10.

t.c:10:19: Function parameter array declared as manifest array (size constant is meaningless)

1 #include <stdio.h>
2
3 int mapping[] = {
4 1, 1, 4, 2, 4, 4, 2, 1,
5 5, 4, 4, 2, 1, 5, 2, 5,
6 5, 5, 4, 3, 3, 3, 3, 2,
7 5, 5,
8 };
9
10 int num_calc(char array[11])
11 {
12 int i;
13 int total=0;
14 char c;
15
16 for(i=0;i<sizeof(array)/sizeof(array[0]);i++)
17 {
18 c = array[i];
19 if (c >= 'A' && c <='Z')
20 total +=mapping[(int)c-'A'];
21 else if (c >= 'a' && c <= 'z')
22 total +=mapping[(int)c-'a'];
23 }
24
25 return total;
26 }
27
28 int main(int argc, char**argv) {
29 char message[11] = {"Mystic Meg"};
30 unsigned int num;
31
32 if ((num = num_calc(message)))
33 {
34 /* reduce until its negative */
35 do
36 num -= 10;
37 while(num>=0);
38
39 /* Since we've overshot, add the last ten back*/
40 num += 10;
41
42 printf("The magic number for %s is %d\n", message, num);
43 }
44
45 return 0;
46 }

Listing 1: Sample code

Page 75: linux magazine uk 27

This tells us we are implying, by including the square brackets, that the function takes an array as an argument. It doesn’t. ‘C’ cannot pass arrays; only pointers to the start of arrays. We should therefore correct the code thus:

int num_calc(char *array)

Although not a problem as far as the compiler is concerned (both versions produce the same code), a maintenance programmer might imagine that this is actually trying to pass an array, and could be liable to introduce errors based on this incorrect assumption, as we will see later.

Gifts for all the family

Upon re-running splint we notice that we’re down to 10 errors. Great, you might think. We’ve only made one (benign) change, but it has produced an unexpected side effect – it hides a potential error. This is another good reason why you should make changes incrementally to the code (as you would when the compiler produces errors) and not in bulk.

The error we lost concerned the sizeof operator in line 16. By referring to the sizeof a pointer, we are only considering (on a 32 bit machine) 4 bytes. By naming the pointer as if it were an array, the coder implied it would be 11 bytes long (the array size). This flaw can be fixed by re-writing the code correctly with the strlen function.

for(i=0;i<strlen(array);i++)

Our next error involves a type mismatch. Instead of blindly replacing the type we must make sure there are no complications. In this example, the ‘strlen’ function returns a value of type ‘size_t’.

This is a system-defined type (from malloc.h) which has enough capacity to store any possible memory location that the system could address. It is sometimes referred to as the type returned by the ‘sizeof’ operator.

It is more ‘correct’ to use size_t because the loop is intended to reference an arbitrary array which could, in theory, extend across the whole memory.

Changing the type here does not cause us any problems, especially since under our (32 bit x86) machines it is only a change in sign (from signed to unsigned), but it is only true in this case. Changing signs arbitrarily is a dangerous comfort with which to surround yourself. You will see the proof of this point shortly.

Our next problem is one of types, which occurs twice (once at line 20, and once on 22): we use a char to reference an integer array element. Since ‘C’


$ splint t.c

Splint 3.0.1.6 --- 23 June 1912

t.c:10:19: Function parameter array declared as manifest array (size constant is meaningless)
  A formal parameter is declared as an array with size. The size of the array is ignored in this context, since the array formal parameter is treated as a pointer. (Use -fixedformalarray to inhibit warning)

t.c: (in function num_calc)
t.c:16:18: Parameter to sizeof is an array-type function parameter: sizeof((array))
  Operand of a sizeof operator is a function parameter declared as an array. The value of sizeof will be the size of a pointer to the element type, not the number of elements in the array. (Use -sizeofformalarray to inhibit warning)

t.c:16:10: Operands of < have incompatible types (int, arbitrary unsigned integral type): i < sizeof((array)) / sizeof((array[0]))

  To ignore signs in type comparisons use +ignoresigns

t.c:20:21: Incompatible types for - (int, char): (int)c - 'A'
  A character constant is used as an int. Use +charintliteral to allow character constants to be used as ints. (This is safe since the actual type of a char constant is int.)

t.c:22:21: Incompatible types for - (int, char): (int)c - 'a'

t.c: (in function main)
t.c:29:20: Initializer block for message has 1 element, but declared as char [11]: "Mystic Meg"
  Initializer does not define all elements of a declared array. (Use -initallelements to inhibit warning)

t.c:32:6: Assignment of int to unsigned int: num = num_calc(message)

t.c:32:5: Test expression for if not boolean, type unsigned int: (num = num_calc(message))
  Test expression type is not boolean or int. (Use -predboolint to inhibit warning)

t.c:37:8: Comparison of unsigned value involving zero: num >= 0
  An unsigned value is used in a comparison with zero in a way that is either a bug or confusing. (Use -unsignedcompare to inhibit warning)

t.c:42:53: Format argument 2 to printf (%d) expects int gets unsigned int: num
t.c:42:38: Corresponding format code

t.c:28:14: Parameter argc not used
  A function parameter is not used in the body of the function. If the argument is needed for type compatibility or future plans, use /*@unused@*/ in the argument declaration. (Use -paramuse to inhibit warning)

t.c:28:27: Parameter argv not used
t.c:3:5: Variable exported but not used outside t: mapping
  A declaration is exported, but not used outside this module. Declaration can use static qualifier. (Use -exportlocal to inhibit warning)

t.c:10:5: Function exported but not used outside t: num_calc

t.c:26:1: Definition of num_calc

Finished checking --- 14 code warnings

Listing 2: First output from splint

Page 76: linux magazine uk 27

error is what appears to be a simple type mismatch. However, remembering what we said earlier about changing types arbitrarily, we take a closer look at how this variable is deployed.

First off, the num_calc function returns an integer, and tries to assign it to an unsigned integer. So which should be changed, the function or the assignment? Since the function may return an error code as a negative number in the future it’s not unreasonable to assume it should be a signed int.

The next problematic line (37) shows us the real crux of the problem: an unsigned value cannot be negative by definition. This means the loop’s exit condition (the value dropping below zero) can never be true, which is the cause of our program hanging.

Doh! Why didn’t the programmer spot this? More to the point, perhaps: why doesn’t gcc? An analysis of the algorithm shows us that the number needs to become negative in order for the loop to terminate (lines 35-37), and so we conclude that a signed integer is the way to go. Checking the third of these errors we notice that the printf format specifier is also wrong, confirming our suspicions.

Finland has it all

The last two errors are also connected. They both reference exported identifiers: one variable, one function. In ‘C’, it is possible to reference variables from one file in another by extern’ing them.

extern int mapping[];

While this is not necessarily a bad thing, it allows another file to corrupt the mapping data (or call our num_calc) without our permission. Generally, if the function is private to that file – make it private with the keyword ‘static’. This, again, explains to the compiler what we mean, and not what we say.

Although it’s a simple change, and may appear to some as inconsequential, it is very important and should not be ignored and allowed to fester.

…buttered scones for tea

And there you have it. A completely debugged and lint-free program. It has not taken a particularly long time to do it, but has provided a much more stable base from which to work, and exorcised many bad style demons that could confuse maintenance programmers in the future. This newly found confidence in the code will encourage further features to be added, and old ones enhanced.

As you can see, splint enables programmers to detect bugs before they become problems. It should find its way into the development cycle, along with -Wall as part of the build process, to shorten the bug-fix cycle, and so enabling developers to spend more time on new features. ■
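For reference, here is the program as it stands once every change discussed in the article has been applied (pointer parameter, strlen with a size_t index, explicit casts, signed int, assignment outside the test, static identifiers, matching %d). It is an added example, not the magazine’s listing: the helper name reduce_to_digit (the reduction loop lifted out of main) and the const on mapping are our own choices, written to the same -Wall -ansi -pedantic settings.

```c
#include <stdio.h>
#include <string.h>

/* static: no longer exported, so another file cannot corrupt it.
 * const is our addition; the article only asks for static. */
static const int mapping[] = {
    1, 1, 4, 2, 4, 4, 2, 1,
    5, 4, 4, 2, 1, 5, 2, 5,
    5, 5, 4, 3, 3, 3, 3, 2,
    5, 5,
};

/* The parameter is declared as the pointer it really is (line 10 fix),
 * the loop bound comes from strlen() with a size_t index (line 16 fix),
 * and the char arithmetic is cast explicitly so splint does not need
 * +charintliteral (lines 20 and 22). */
static int num_calc(const char *array)
{
    size_t i;
    size_t len = strlen(array);
    int total = 0;

    for (i = 0; i < len; i++) {
        char c = array[i];
        if (c >= 'A' && c <= 'Z')
            total += mapping[(int)c - (int)'A'];
        else if (c >= 'a' && c <= 'z')
            total += mapping[(int)c - (int)'a'];
    }
    return total;
}

/* Signed int: the loop relies on the value going negative, which an
 * unsigned int can never do; that was the cause of the original hang.
 * The result is the last digit of num (e.g. 29 -> 9, 10 -> 0). */
static int reduce_to_digit(int num)
{
    /* reduce until it is negative */
    do
        num -= 10;
    while (num >= 0);

    /* since we have overshot, add the last ten back */
    num += 10;
    return num;
}

int main(void)
{
    const char message[] = "Mystic Meg";   /* no extraneous braces */
    int num;

    num = num_calc(message);               /* assignment outside the test */
    if (num > 0) {
        printf("The magic number for %s is %d\n",
               message, reduce_to_digit(num));
    }
    return 0;
}
```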

allows chars to do this (using the rules of promotion), there is not really a big problem with the code.

Instead of passing an extra switch to the splint program, we shall formally fix the code with type casts. This, in addition to giving us a nice safe piece of code, allows the program to run under splint without warnings, even if someone else runs it without the command line switches.

Finland. Finland. Finland.

The next three issues are very simple so we shall cover them together (although in practice we actually stepped through each one in turn). We have (in order), an initializer with extraneous braces (29), an assignment inside a conditional (34) and (on the same line) the test expression itself which resolves to a non-boolean answer.

The braces problem does not show up under the compiler because strings in ‘C’ are simply arrays of characters, so an array of strings is just a bigger array (with NUL terminators at the end of each string). If the array were used more extensively, however, problems would soon arise.

The conditional assignment does not show up as a warning under gcc because there are two brackets around the expression. This trick, to stop compiler warnings under gcc, doesn’t work under splint. And, because it should be lint-free we shall amend the code accordingly, thus we can use:

num = num_calc(message);
if (num > 0)
{
    ... etc ...

The ‘> 0’ not only provides a boolean result, but emphasizes the correct result we seek. Although the function does not currently return values less than zero, if it did (for error conditions, say), these would be picked up correctly too. (Remember that ‘C’ refers to all non-zero numbers as ‘true’).

Another quick run of splint and we’re down to 5 warnings.

Some things in life are bad…

The next problem actually causes three issues. Sequentially speaking, the first


Whilst splint can highlight many of the semantic mistakes that gcc cannot, it is by no means a stand-alone or infallible program. Because it doesn’t have to generate program code for the source, it can make (occasionally incorrect) assumptions about other parts of the code. For example, it can miss situations where functions are used without forward declarations. This can be fatal in situations where the return type of the function is a floating point number, and the implicit declaration will be deduced as an integer: which is incorrect. Fortunately, the compiler will spot this particular instance – so you must not be lulled into a false sense of security by running with lax compiler options. Sometimes, the humanistic element of coding can also cause problems Splint is unable to detect; consider the source fragment below. Not only is Splint unable to find the errors, but usually a human being will also fail to notice them.

int a = 10l;
int b = 020;
int c;
c = a/b;

Here, the result of c is not 101, but 0! This is because the value ‘101’ is actually ‘10l’, with a lower case ‘L’ at the end. The visual difference between ‘1’ and ‘l’ is small, and very difficult to ascertain. This should be handled by enforcing coding standards that require the use of an upper case ‘L’, and commenting when such numbers are used, to ease the readability. The same is true for numbers which are prefixed with zero; this will cause the ‘C’ compiler to treat them as octal numbers. This gives us, essentially:

int a = 10;
int b = 16;

So naturally, the integral result of 10/16 will be zero, causing a fairly severe bug.

Box 2: Never be rude

Page 77: linux magazine uk 27

show you two pages; the first page contains the current users on your system (Figure 1 left), the second shows the current groups.

You can use the buttons in the toolbar, or menu items, to add, delete, or edit users and groups, and this allows you to avoid console commands such as useradd and their ilk.

As we prefer a hands-on approach even in administrative areas we simply create a new user called Beelzebub. To do so, click on the User / Add menu item, or the Add icon, and type the user name Beelzebub in the text box that appears. Then click on OK to confirm. The window that then appears allows you to enter details for the new user (Figure 1 right). What shell do you want the user to work with when she logs on? What’s the user’s real name? Should the user have a home directory of her own, or not?

Additionally, you can use the Password Management tab – surprise, surprise – to manage Beelzebub’s password. This is also the place where you can specify when Beelzebub’s account will expire, or when the password will need to be changed.

The Group tab allows you to specify the groups where Beelzebub will be a member (Figure 2).

Normally users will be members of only one UNIX group, but there are cases where you want to assign specific rights to several users, and therefore decide to add them to groups which carry the appropriate privileges.

The Group tab in KUser provides access to a menu containing all the available groups. If you want to add Beelzebub to one of these groups, simply select the required group and check it. KUser will add Beelzebub to the group immediately, and if you uncheck the group, the user will be immediately removed from the group.

Getting to Grips with Boot Scripts

Just like KUser, the KSysV program is reserved for system administrators, and

Anyone who has worked with Linux for a while will appreciate that Linux is a genuine multi-user system. However, the advantages that Linux offers do imply taking care of a few administrative tasks that you might not be familiar with, if you’ve only dealt with Windows so far.

No need to panic – KUser provides you with a GUI tool that should make your tasks a lot easier, as do all the programs that we will be discussing in this article. KUser is part of the kdeadmin package, and so your Linux distribution should have it on board.

As user administration is one of the system administrator’s tasks, the kdesu tool will first prompt you to enter the root password, if you attempt to launch KUser as an underprivileged user via the kdesu kuser command or the start menu (in the case of SuSE, for example, System / Configuration / KUser). KUser will then

It’s time to get administrative. Just a handful of KDE system tools will help you get to grips with user administration, runlevels and hard disk storage.

BY STEFANIE TEUFEL

KUser, KSysV, KdiskFree, KwikDisk

Controlling users


In this column we present tools, month by month, which have proven to be especially useful when working under KDE, solve a problem which otherwise is deliberately ignored, or are just some of the nicer things in life, which – once discovered – you wouldn’t want to do without.

KTOOLS


Figure 1: Account data for Beelzebub

Figure 2: Birds of a feather

Page 78: linux magazine uk 27

that’s a good idea because KSysV is used to manage symbolic links from the /etc/rc.d/rc0.d through rc6.d directories to the script directory, /etc/rc.d/init.d, which – amongst other tasks – defines what services are launched on booting the system (older distributions may possibly use different paths).

This does not prevent you from launching the program via the KMenu (System / Configuration / SysV Init Editor on SuSE), or entering the ksysv & command in a terminal emulation as a normal user – to view the boot configuration. If you additionally supply the root password (in the command line you can ensure that you are prompted by typing kdesu ksysv), you will be able to specify the services launched when you start your machine, depending on the current runlevel.

If you launch KSysV with root privileges, the program will default to English, unless the country and language settings for root have been modified. If you need to modify the settings, you can run kdesu kcontrol to launch a control center with root privileges from an underprivileged user’s desktop.

If the init scripts on your machine are stored in a different place, you will need to edit the path settings in Configure / SysV Init Editor setup / paths. Newer KDE 3 versions even provide a wizard that appears when you launch the program for the first time.

The KSysV program window (see Figure 3) displays links to any services with init scripts in the init.d directory. There is also a list of services launched for each runlevel.

If you do not want to initialize a service in a specific runlevel (because you do not need the HTTP server, for example), all you need to do is drag the entry from the column in which it resides to the trashcan at the bottom left of Available System Services. Clicking with the left mouse button on a service displays additional information, which may be somewhat sparse (Figure 3, small window).

To add a new service to a runlevel, drag the entry from the column containing the available system services and drop it in the Start column for the desired runlevel. KSysV will create an appropriate symbolic link in the file system.

Make sure you know what you are doing as incorrect settings at this point can prevent your Linux system from booting. And this is why you need to explicitly save your changes by selecting File / Save configuration.

Hard disk storage is a finite resource, no matter how large your hard disk may be, so it makes sense to launch KDiskFree (Figure 4) from time to time, just to check the status of your hard disk resources.

To launch the hard disk manager simply navigate the K Menu down to the System / File system / KDiskFree entry, or simply type kdf & in your favorite shell. You can also allow the KDE control center to launch the tool for you and display the results in the Information section below Block Oriented Devices.

Incidentally, KDiskFree has a partner: Look for KwikDisk below System / File system in the K Menu. This twin tool can dock onto the control bar and show you all the mounted disks and drives, including the amount of free space on each, when you click on the building block icon. So there are no more excuses for not noticing that you were running out of space (Figure 5).

KDiskFree also has its stronger points. Besides the disk size, the free space, and the load, the tool will also supply details on the file system, and mount points for your disks and devices. Talking about mount points, KDiskFree allows you to mount and unmount disks by point and click – just like the CD-ROM and floppy icons on the KDE desktop. ■


Runlevel: an operating status of a Linux system. Runlevels 2 through 5 can be individually configured for various tasks, for example, automatically launching all the servers you require on booting, from HTTP to Samba. You could define another runlevel as your workstation mode and boot to a GUI login manager, such as xdm or kdm. The machine will boot to the default runlevel as specified in the /etc/inittab file.

GLOSSARY

Figure 3: Runlevels at a glance

Figure 4: Enough space? KDiskFree and above “kcmshell partitions”

Figure 5: KwikDisk for a quick overview

Page 79: linux magazine uk 27

Like a snowstorm? All you need to do is increase the number of snowflakes from the default value of 100 to a maximum of 1000 (using the -snowflakes parameter) and additionally specify -unsmooth to add a little action. You might like to use the -nowind option to prevent the wind from blowing every 30 seconds, or even use the -windtimer and a value in seconds to define a longer interval between storms.

If all that snow on your windows and at the bottom of your desktop is getting on your nerves, you can change the setting using the -nokeepsnow and -nokeepsnowonwindows or -nokeepsnowonscreen options. Alternatively, you can heap up genuine snow hills, by redefining the default snow depth for your windows with -wsnowdepth, or for your desktop with -ssnowdepth.

Those of you inclined to do so can even remove Rudolph the reindeer’s red nose with the -norudolf option. If you finally do not want to be reminded of Christmas, simply send Santa Claus on a well-earned holiday by additionally supplying the -nosanta parameter.

The manpage for xsnow includes a few nice sample command lines and provides details on additional options, but you can produce some quite pleasant effects by experimenting. There is no need to worry about doing something wrong, as the program will automatically use the maximum permissible values if you overstep any thresholds.

Special requests for the party mood

Just like in real life, there is no catering for everybody’s taste in desktop backgrounds – and in this case there are one or two quirks to look out for when running the program on KDE.

If you want to launch xsnow in version 3 of this popular desktop environment, you will have to enable the option Support Programs in Desktop Window in Look & Feel / Desktop. Use the Background option to select a background color, as the xsnow -bg option, normally used to set a background color

The party season has just finished, and with Christmas and the New Year finally over we can try to extend the happy feelings for a little longer. So why not dress up your Linux computer to match your party spirit throughout the remaining winter months. Two programs, xsnow [1], and xfireworks [2], will help you find the right costume, that is desktop background for the occasion. After performing the installation steps described in the Box “Installation”, the celebrations can continue.

Silent Night

When you initially launch xsnow without supplying any parameters, your desktop is magically transformed into a winter wonderland. Santa Claus with his reindeer and his sleigh jingle homeward after Christmas through the forest, while snowflakes slowly collect on the sills of your desktop windows (Figure 1).

If Santa Claus is too big for your liking, you might like to try:

xsnow -santa 1 &

You can modify almost all the other details in a similar way using combinations of parameters.

For example, typing -sc and -tc plus the name of a color will change the color of the snowflakes and/or trees (you can use the xcolorsel program to show you what colors are available).

The department store shelves are full of after Christmas sales, and street lights brighten the winter nights, and that means it’s time for deskTOPia to keep things in the party spirit, and to bring some seasonal flair to your desktop.

BY ANDREA MÜLLER

xsnow and xfireworks

Keeping the fun going


Only you can decide how your desktop looks. With deskTOPia we regularly take you with us on a journey into the land of window managers and desktop environments, presenting the useful and the colorful viewers and pretty toys.

DESKTOPIA


Root window: this is the mother of all desktop windows. The root window, from which all other windows are derived, does not have a frame, but instead forms the desktop background.

GLOSSARY

Page 80: linux magazine uk 27

causes display problems on KDE. You can then launch the program as described, although you will have to live with snowflakes destroying your desktop icons. A short spell of “virtual snow clearing” with the window will soon have your desktop back to normal.

Bright Lights

As the name would suggest, xfireworks produces a firework display on your desktop background. The programmer, Hiroaki Sakai, actually produced this tool with “Hanabi Taikai”, a popular event celebrated in summer on various Japanese rivers, in mind. I am sure Hiroaki would not mind us using the program for other events.

Just like xsnow, xfireworks offers various parameters with which you can configure the program, although it is still quite impressive if you do not use any of these options.

Fireworks are best on a black background. If you have selected a different background color, you can tell xfireworks to switch to black by typing:

xfireworks -bg black &

Unfortunately, this does not apply to KDE users, as your favorite desktop environment refuses to cooperate with pyromaniacs. Although the program has sensible defaults, you might like to try some fine tuning. As some settings can place a heavy load on your CPU and graphics adapter, the options that you modify will probably be defined by your computer equipment.

Provided you have a suitably quick computer, the following line:

xfireworks -probability 200 -fine 200 -after-image 125 -color-length 150 &

should produce some presentable results. You can set the -probability flag to raise the number of rockets. Raising the value for -fine will create realistic and smooth explosions; -after-image specifies the length of the afterglow effect, and -color-length increases the period before the sparks are finally extinguished in the sky.

Users of older computers might prefer to reduce the values for -after-image and -fine. 65–80 will still produce quite useful effects, but below this value the whole scene is more likely to remind you of confetti than fireworks.

If running the program leads to display problems, you might like to try the -no-direct-draw option. In this case, xfireworks will not draw directly in the root window, but instead store the current image in a file, which it will use for a background slideshow.

If you modified the makefile as described in Box 1, you will find descriptions of the individual fireworks in /usr/local/etc/xfireworks.conf. You can use these as templates for designing your own fireworks. Type:

xfireworks -f myfireworks.conf &

to tell xfireworks to use the descriptions in myfireworks.conf, or you can use fireworks from the author’s website [3], or from the subscription CD. ■


Figure 1: xsnow without any parameters

Figure 2: Corrupting icons

It’s easy for Debian users – all they need to do is install the precompiled binary packages. Unless your package manager refuses to install the xsnow Red Hat RPM file on the subscription CD, you will only need to fire up your compiler if you want fireworks on your machine. The XFree development packages for your distribution must be preinstalled.

xsnow

Type the following command to unzip the source code archive

tar -xzf xsnow-1_42.tar.gz

…, change to the new directory, xsnow-1.42, and type xmkmf. If you do not want to install the software in /usr/X11R6, instead preferring to use the standard directory for compiled software, /usr/local, you will need to edit the makefile. To do so, change the lines

MANPATH=/usr/X11R6/man
BINDIR=/usr/X11R6/bin

to

MANPATH=/usr/local/man
BINDIR=/usr/local/bin

After storing the file, type the following:

make depend
make
su
(type the root password)
make install
make install.man

xfireworks

Just like xsnow, xfireworks is supplied without a configure script, but at least it includes a makefile. You might also like to modify this file in order to install the program in /usr/local. Unpack the tar archive first, then change to the new xfireworks-1.3 directory, open the makefile with your favorite editor, and change the lines

PREFIX =/usr/X11R6

to

PREFIX=/usr/local

Now you can compile the program with

make
su
(type the root password)
make install

and install it in /usr/local/bin.

Installation

[1] http://www.euronet.nl/~rja/Xsnow/
[2] http://web.ffn.ne.jp/~hsakai/myfreesoft/#11
[3] http://web.ffn.ne.jp/~hsakai/myfreesoft/xfireworks.html

INFO

Page 81: linux magazine uk 27

modify the group membership of the logfiles to match (chgrp adm). You will also need to set root-tail’s privileges so that the program is always launched with the adm group ID (chmod 2711).

Just look who’s logging now!

Now you can display the /var/log/messages file in the root window:

root-tail /var/log/messages

If nothing happens, you can always use the logger tool to provoke some output:

logger "This is a test"

The message should appear in the logfile a short while later, where it will be picked up by root-tail and displayed on your desktop. Unfortunately, KDE users still have an issue to deal with, as your favorite desktop environment has the unfriendly habit of covering the root window with its own background images. Any other desktop environment or window manager should get along just fine with root-tail. You can quit the test by pressing [Ctrl-c].

Instead of monitoring just one file, root-tail can monitor multiple files simultaneously. To distinguish between logfiles more easily, the program allows you to define a color for each logfile – colors are entered for each filename as a comma-separated list. The following command

root-tail /var/log/messages,white /var/log/kern.log,green

will display the latest entries in the messages and kern.log files in white or green. root-tail will prepend the filename in square brackets each time it outputs a block of text.

The following syntax tells root-tail to monitor three files and provide output in three different colors. To do so, a shadow is added to the font aspect (-shade) and the color and position of the text output in the root window are defined (-g 80x25+0-52).

In addition, the program runs as a daemon in the background, thanks to the -f option:

root-tail -f -g 80x25+0-52 -fn 6x10 -shade /var/log/messages,white /var/log/daemon.log,yellow /var/log/kern.log,green

Figure 1 shows the logfiles for the packet filter as output by root-tail, shortly after terminating the PPP connection.

Beep show

Do you prefer an audible warning signal? tailbeep will allow your Linux system to produce a beep with a user-definable frequency and length when specific character strings occur in a logfile.

A tool of this type is particularly useful for headless machines, for example, computers without a display or keyboard that normally hang around in office corners, such as dedicated routers.

You can download the sources for the program at http://soomka.com/, or as usual, simply access the subscription

Not reading the logfiles of an Internet machine is just like hiding your head in the sand, and letting the malevolent hackers and script kids out there on the Web have their wicked way. Hopefully – cross your heart and hope to die – this is not a problem, but who really enjoys reading all the logfiles?

There is a lot less effort involved in running a tool on top of your X Window system to provide an overview of the current log entries. The tool’s name, root-tail, is derived from the fact that the tool behaves like the UNIX tail command, and displays its output transparently on top of the root window, allowing the current background (if any) to remain visible.

You can download the sources at http://www.goof.com/pcg/marc/root-tail.html or from the subscription CD. The sources are not the obsolete originals, but debugged versions maintained by Marc Lehmann.

The installation steps depend on the distribution you use (Listing 1). In this case, we have focused on making logfiles, such as /var/log/messages, visible to root-tail without having to launch the program with root privileges. If you do not already have an adm group, you will need to create it and

Every Linux system writes logfiles, but who really looks at them on a regular basis? root-tail and tailbeep can help you keep track of critical events.

BY CHRISTIAN PERLE

Out of the box

Watching the watcher


There are thousands of tools and utilities for Linux. “Out of the box” takes a pick of the bunch and each month suggests a little program, which we feel is either absolutely indispensable or unduly ignored.

OUT OF THE BOX


Page 82: linux magazine uk 27

CD. Installing the tool is a lot less complicated than in the case of root-tail, as tailbeep does not need to bridge the gap between root privileges and the X display:

tar xzf tailbeep-0.44.tar.gz
cd tailbeep-0.44
make
strip tailbeep
su (enter root password)
cp tailbeep /usr/local/bin
exit

To test the installation, ensure that you have root privileges and then type the following:

tailbeep -f /var/log/messages -s "test 123" -t /dev/tty12

tailbeep will now wait for the test 123 string to occur in the /var/log/messages file. You can use /dev/tty12 as the terminal for the beep. Now use the logger, which we already mentioned, to write the target string to the log:

logger "test 123"

tailbeep should respond immediately. If you do not like the default frequency and length of the beep, you can use the -F frequency (in Hertz) and -M length (in milliseconds) options to change these settings. If your test worked, you can press [Ctrl-c] to terminate the program.

It makes sense to run tailbeep as a background daemon rather than stipulate a command to launch the tool. You might like to write a short init script for this task (see article on page 48).

The tailbeep script on the subscription CD reads the /etc/tailbeep.conf file, supplies defaults for any missing parameters, and sends tailbeep into the background (option -d).

Now type grep -w initdefault /etc/inittab to discover the default runlevel. If id:2:initdefault: is returned (the default for Debian), runlevel 2 will be assumed as the default on booting, so you will need to create a symlink in /etc/rc2.d:

cd /etc/rc2.d
ln -s ../init.d/tailbeep S80tailbeep

SuSE, Red Hat, and Mandrake use runlevel 3 or 5 by default. Additionally, the name of the directory with the init scripts is /etc/rc.d/init.d or /etc/rc.d/rc5.d on these systems.

Now create the configuration file for the tailbeep service. Listing 2 shows an example. The most important line in the sample file, PAT="SRC=", defines the string SRC= as a search pattern, which means that tailbeep will respond to log entries for the iptables packet filter. Assuming logging has been enabled for your packet filter, you will actually be able to hear port scans.

Other search patterns are possible, such as Accepted password for in the /var/log/auth.log file. In this case, the system will respond to valid logins via ssh. Additionally, the -x program_name option allows you to launch a program when the search pattern is discovered. Be careful when choosing this option – do not forget that the program is launched with root privileges. ■
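To make the monitoring loop concrete, here is a small tailbeep-style watcher in Python. It is an added example, not code from tailbeep or from the script on the subscription CD: it parses a configuration in the format of Listing 2 (supplying defaults for missing keys, as the CD script does), reports lines that contain PAT and, in place of the -x option, starts an external program without involving a shell; the default values and the sample log lines are constructed for this example.

```python
import os
import subprocess
import time
from typing import Callable, Dict, Iterable, Iterator, List

# Fallback values for keys missing from the configuration file. These are
# assumptions made for this example; tailbeep's own defaults may differ.
DEFAULTS: Dict[str, str] = {
    "FILE": "/var/log/messages",
    "PAT": "SRC=",
    "FREQ": "1000",
    "DUR": "100",
}


def parse_tailbeep_conf(text: str) -> Dict[str, str]:
    """Parse KEY="value" lines in the style of /etc/tailbeep.conf (Listing 2).

    Lines starting with '#' are comments; missing keys fall back to DEFAULTS.
    The text is parsed rather than sourced, so nothing in a configuration
    file is ever executed as shell code by the (root) monitoring process.
    """
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.isidentifier() and key.isupper():
            conf[key] = value.strip().strip('"')
    return conf


def matching_lines(lines: Iterable[str], pattern: str) -> List[str]:
    """Return the lines containing pattern as a plain substring, which is
    what tailbeep does with its -s / PAT search string."""
    return [line for line in lines if pattern in line]


def follow(path: str, poll_seconds: float = 0.5) -> Iterator[str]:
    """Yield lines appended to path after this call, like tail -f.

    The file is opened once and polled; it is not re-opened after log
    rotation, so a long-running daemon would also have to watch the inode.
    """
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll_seconds)


def run_external(program: str, line: str) -> int:
    """Counterpart of tailbeep's -x option: start program once per hit.

    The log line is handed over as a single argv element and no shell is
    involved, so text that a remote host manages to get written into the
    log cannot turn into a command in a process that may run as root.
    """
    return subprocess.run([program, line], check=False).returncode


def watch(conf: Dict[str, str], handler: Callable[[str], None]) -> None:
    """Follow conf["FILE"] and call handler for each line containing conf["PAT"]."""
    for line in follow(conf["FILE"]):
        if conf["PAT"] in line:
            handler(line)


# Constructed sample input: a configuration in the shape of Listing 2 and
# three syslog-style lines (two packet-filter entries and one ssh login).
SAMPLE_CONF = '''
# tailbeep configuration file
FILE="/var/log/messages"
# Beep whenever iptables logs something:
PAT="SRC="
FREQ="5000"
'''

SAMPLE_LOG = [
    "Jan 20 10:15:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=45012 DPT=22 SYN",
    "Jan 20 10:15:02 gw sshd[812]: Accepted password for alice from 192.0.2.50 "
    "port 40112 ssh2",
    "Jan 20 10:15:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=45013 DPT=23 SYN",
]

if __name__ == "__main__":
    conf = parse_tailbeep_conf(SAMPLE_CONF)
    print(conf)  # DUR is missing from SAMPLE_CONF and falls back to the default
    for hit in matching_lines(SAMPLE_LOG, conf["PAT"]):
        print("beep:", hit)
    # Against a live log (as root) the loop above becomes:
    # watch(conf, lambda line: print("beep:", line))
```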


GLOSSARY

tail: Shows the end of a file. In a special follow-up mode (option -f), it notices additions to a file and updates the display accordingly.

Root window: This window is displayed first when you fire up an X server, and provides the background for the X desktop.

Daemon: “Disk and execution monitor”, a server that runs without interactive input.

Packet filter: A firewall type that is implemented in the Linux kernel, inspects incoming and outgoing network data packets, and decides whether to process or reject them on the basis of pre-defined rules.

PPP: “Point to Point Protocol”, a protocol that sends IP packets across serial lines, such as modems or null modem connectors. PPP is also used for DSL connections with PPP on Ethernet (PPPoE).

Symlink: A special file whose contents are a path (the target pointed to). If you read or write the content of a “symbolic link” created by the ln -s command, the system will in fact access the target the link points to.

Portscan: Automatically rattling on the doors and windows (ports) of a machine connected to the net, to discover the network services listening there. When performed by external users, a port scan is normally the first step in the process of discovering the machine’s security vulnerabilities.

Listing 1: Installing root-tail

tar xzf root-tail-0.2.tar.gz
cd root-tail-0.2
xmkmf
make
strip root-tail
su (type root password)
cp root-tail /usr/local/bin
cp root-tail.man /usr/local/man/man1/root-tail.1

Only for Mandrake, Red Hat, and SuSE:

groupadd adm
chgrp adm /var/log/messages
chmod 640 /var/log/messages

For all distributions:

chgrp adm /usr/local/bin/root-tail
chmod 2711 /usr/local/bin/root-tail
exit

Figure 1: root-tail displaying logfiles in the root window

Listing 2: /etc/tailbeep.conf

# tailbeep configuration file
#
# File to monitor?
FILE="/var/log/messages"
# Beep whenever iptables logs something:
PAT="SRC="
# 5 kHz frequency
FREQ="5000"
# but only a short beep, to avoid waking up the admin:
DUR="25"

INFO

Root Tail: http://www.goof.com/pcg/marc/root-tail.html
Tailbeep: http://soomka.com/


links to ensure that the WaveTools programs will be in your search path:

for i in wcat wcut wfct wflt winf wplot wview; do
    ln -s /usr/local/wavetools/wavetools-1.0-bin/$i /usr/local/bin/
done

The list in Table 1 provides an initial overview of the features offered by the WaveTools suite.

In the beginning there was the wave

Before we start discussing wav files, let us create a few for a start. To do so, let us try to remember the theoretical structure of a wav file. It digitally represents the air pressure modulations that our ears interpret as an acoustic sensation, where increased pressure is represented by positive values, and decreased pressure as negative values.

The sampling rate tells you how many times per second the value is determined, and the resolution describes the accuracy with which the sampled values are represented (8 bit, 16 bit…). The wfct command is required to produce a wav file. The command offers a variety of options that influence the type of wav file created. In addition to the -o parameter (where the name of the output file is directly appended as in -ofile.wav) the wave form can have the following options:
• -r for rectangular wave,
• -t for triangular wave,
• -w for a saw-tooth wave,
• -n for noise,
• -i for rectangular pulses and
• without any options for a sinus wave.
Of course the wave needs to know its length and frequency. These values are also supplied as parameters with Hz for hertz and s for seconds.

All the programs in the WaveTools suite are additionally capable of recognizing and applying the letters:

The WaveTools are currently at version 1.0. One of the changes in comparison to the previous version (0.9) is the fact that DOS support is no longer available, a fact that actually made me quite fond of WaveTools.

Installation from the sources is extremely simple. Ensure that you are root of course, and create a new directory by typing:

mkdir /usr/local/wavetools

Change into the new directory, mount the subscription CD and expand the archive there:

tar xzf /cdrom/LinuxMagazine/wave/wavetools-1.0-bin.tgz

Then go on to create a few symbolic

MP3 is all the rage so why bother with wav files? The fact is every MP3 boils down to a wave descriptor of some kind, and waves are universal. This shows you the kind of antics you can get up to with wav files and WaveTools.

BY VOLKER SCHMITT

WaveTools

Sound advice


Table 1: Wave Tools

winf    Displays information for a wav file
wcat    Can concatenate wav files and convert their sampling characteristics
wcut    Cuts areas out of a wav file
wflt    Filters wav files
wfct    Creates wav files
wmix    Links wav files
wview   Displays wav files interactively
wplot   Creates a PostScript file with a time/amplitude graph

GLOSSARY

Sampling rate: also referred to as a sampling frequency. The sampling rate of a music CD is 44.1 Hz, for example.

Resolution: also referred to as the quantization. A music CD has a 16 bit resolution and thus provides 65536 different amplitude values. In contrast, an 8 bit recording will provide only 256 values.


• m (for milli),
• c (for centi),
• d (for deci),
• k (for kilo), and
• K (for a factor of 1024)
as qualifiers for units. Thus WaveTools programs will correctly identify 10ms as meaning 10 milliseconds. Therefore a sinus wave that produces an A at standard pitch for two seconds will be produced by

wfct -osinus.wav 440Hz 2s

Additional options are available to define the quality (that is the sampling rate) and the resolution (see Table 2).

Taking a Look

After you have created a wav file to your own specifications you can use any popular player, such as play or wavp, to play the file via the command line.

To visualize the sinus wave stored in the wav in our example, you might like to launch the graphical WaveTools program, wplot.

As the output produced by a two second sinus wave is slightly difficult to interpret, let’s just plot the first ten milliseconds instead. The wplot options -sstarttime and -lduration are available for this job. The command

wplot -s0s -l10ms -osinus.ps sinus.wav

will create a PostScript file that you can easily display by typing display sinus.ps.

The modular structure of the WaveTools programs allows you to use them in command line pipes, and they also lend themselves to scripting. In this case you would leave out the -o flag and use the | character to pipe standard output to a different command (see Figure 1).

The wplot program has a few additional parameters which are self-explanatory, with the possible exception of -t, which merely adds the offset set by the -s flag to the legend (see Figure 1 and also Table 3).

Waves: Peaks and Valleys

You can mix multiple input files using the wmix program. Mixing in this case means adding (by default) or multiplying the amplitude values (by specifying the -m flag).

Before you start, you should be aware of the fact that the WaveTools represent amplitude values in the range [-1,1). Thus, if the addition creates values outside of this range (overmodulation), they would normally be cut off, but wmix is clever enough to reduce the amplitude values to allow the maximum amplitude to be represented.

Overmodulation can be prevented by specifying the -s option, which, assuming n input files, will multiply by 1/n. If you are multiplying anyway, you can omit this step, as values within the range [-1,1) will still be within this range when multiplied. In this case multiplication will tend to flatten the amplitude values, which in itself could be an issue. Again a solution is close at hand in the form of the parameter -n, which normalizes the wav output by raising all the amplitude values so that they reach a maximum peak of 1. Table 4 contains an overview of the options for wmix.

Time for a test run: let us take three sinus waves, a high frequency wave at 1000 Hz, a standard pitch (440 Hz) and a low frequency wave at 200 Hz. These waves are added by wmix and displayed directly using wplot and display (Figure 2):

(wfct 200Hz 10ms; wfct 440Hz 10ms; wfct 1000Hz 10ms) | wmix - - - | wplot | display
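The following Python, added here as an illustration and not part of WaveTools, reproduces the test run above: it synthesises the three sine waves with wfct’s default rate and 8 bit resolution (Table 2), adds them, and shows what plain addition, wmix -s and wmix -n do to the peak amplitude; the -m path and a writer for a playable mono WAV file are included as well.

```python
import math
import wave
from typing import List, Sequence

RATE = 11025  # wfct's default sampling rate (Table 2)


def sine(freq_hz: float, dur_s: float, rate: int = RATE, ampl: float = 1.0) -> List[float]:
    """Samples of a sine wave, as wfct produces without a waveform option;
    amplitude 1 is full scale, the top of the [-1, 1) range."""
    count = int(round(dur_s * rate))
    return [ampl * math.sin(2.0 * math.pi * freq_hz * i / rate) for i in range(count)]


def peak(samples: Sequence[float]) -> float:
    """Largest absolute amplitude in the signal."""
    return max(abs(v) for v in samples) if samples else 0.0


def mix(waves: Sequence[Sequence[float]], multiply: bool = False,
        scale: bool = False, normalize: bool = False) -> List[float]:
    """Combine waves sample by sample the way wmix does.

    multiply  -> -m: multiply amplitudes instead of adding them
    scale     -> -s: divide the sum by the number of inputs (1/n)
    normalize -> -n: rescale so that the largest peak is exactly 1
    The shortest input determines the output length.
    """
    count = min(len(w) for w in waves)
    out = []
    for i in range(count):
        value = 1.0 if multiply else 0.0
        for w in waves:
            value = value * w[i] if multiply else value + w[i]
        out.append(value)
    if scale and not multiply:
        out = [v / len(waves) for v in out]
    top = peak(out)
    if normalize and top > 0:
        out = [v / top for v in out]
    return out


def clipped_count(samples: Sequence[float]) -> int:
    """Number of samples outside [-1, 1): these would be cut off when written
    to a file, which is the overmodulation the article warns about."""
    return sum(1 for v in samples if v >= 1.0 or v < -1.0)


def quantize8(samples: Sequence[float]) -> bytes:
    """8 bit unsigned WAV encoding (wfct's default resolution): -1 -> 0,
    0 -> 128, just below 1 -> 255. Out-of-range values are clipped."""
    data = bytearray()
    for v in samples:
        v = max(-1.0, min(v, 1.0))
        data.append(min(255, int(math.floor((v + 1.0) * 128))))
    return bytes(data)


def write_wav(path: str, samples: Sequence[float], rate: int = RATE) -> None:
    """Write mono 8 bit PCM, playable with the players mentioned in the article."""
    with wave.open(path, "wb") as out:
        out.setnchannels(1)
        out.setsampwidth(1)
        out.setframerate(rate)
        out.writeframes(quantize8(samples))


if __name__ == "__main__":
    # The article's test run: 200 Hz, 440 Hz and 1000 Hz sine waves, 10 ms each.
    waves = [sine(200, 0.01), sine(440, 0.01), sine(1000, 0.01)]
    plain = mix(waves)
    print("plain sum: peak %.2f, %d clipped samples" % (peak(plain), clipped_count(plain)))
    print("with -s:   peak %.2f" % peak(mix(waves, scale=True)))
    print("with -n:   peak %.2f" % peak(mix(waves, normalize=True)))
    write_wav("wavemix.wav", mix(waves, normalize=True))
```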

Hey Mr. DJ!

The filter program wflt is the star of the WaveTools suite. It provides a variety of features, such as linear transformation of amplitude values, that is y = y*amplification + bias. The parameters are supplied as -gamplification and -abias. Again you can use the -n flag to normalize the output.

Also, three acoustic filters are available: low-, high- and band-pass. The names of these filters indicate their uses, that is for filtering low and high frequencies, and in the case of the band-pass filter removing a particular (mainly mid-) frequency range from the input (or


Table 2: wfct Options

-srate    Sampling rate (default 11025 Hz)
-bquant   Quantization (default 8 bit)
-aampl    Amplitude (default 1 = 100%)
-pphase   Phase shift (default 0 rad/deg/%)
-r        Rectangular wave
-t        Triangular wave
-w        Saw-tooth wave
-n        Noise
-iwidth   Rectangular pulse
-ofile    Output file in wav format
-h        Help
-v        Verbose mode

Figure 1: wfct 440Hz 1s | wplot -s10ms -l10ms -t | display

Figure 2: (wfct 200Hz 10ms; wfct 440Hz 10ms; wfct 1000Hz 10ms) | wmix - - - | wplot | display

Table 3: wplot Options

-sstarttime   Start offset
-eendtime     End offset
-lduration    Duration
-t            Real time axis
-wwidth       Width of graph (default 10 cm)
-fsize        Font size (default 10 pt)
-ofile        Output file
-h            Help
-v            Verbose

Table 4: wmix Options

-n       Normalizes to a maximum value of 1
-s       Multiplies input by 1/n
-m       Multiplies input instead of adding it
-ofile   Output file
-h       Help
-v       Verbose


Optical Analysis

Now that we have got to know various filters, let’s get back to our original experiment with wmix; it involved three sinus waves that we superimposed.

It would be interesting to find out whether the filters are capable of separating the three original waveforms again. To find out, I have programmed a short script called frequencysplit.sh (you will find it on the subscription CD).

The script expects the frequencies (without units, i.e. Hz) and the duration (without units, i.e. ms). You can optionally supply a fifth parameter, -t, -r, or -w, to define a different waveform (compare to wfct). Calling

frequencysplit.sh 200 440 1000 10

will create wav and ps files for 10 millisecond sinus waves at 200 Hz, 440 Hz, and 1000 Hz. The script then goes on to add and normalize these files, before splitting them again via high-, low- and band-pass filters.

The results are again stored in wav and ps files (the files are stored as waveXY.wav and waveXY.ps). You can then view the wave files (see Figure 3) by launching the disp_freq.sh script.

Experiment with different frequencies when you run frequencysplit.sh, or change the range in the script (you may find that large values will tend to flatten the results).

If you want to run disp_freq.sh in order to investigate the wave files more closely, you should choose a low value for the duration, such as 10. If you prefer to listen to the wav files, you will of course need a longer value for the duration, for example 3000 for 3 seconds.

Tip: You might like to use a program such as XMMS, if you want to view the frequency while also listening to the output. Figure 4 clearly shows the three peaks of the original low, mid-range, and high frequency waves in the wavemix.wav file, which were superimposed in this wav file.

We will be looking at cosinus waves, additional WaveTools programs and a few interesting applications for them in future issues. ■

to be more precise lowering and raising amplitudes in this range).

Filters of this kind are also used for practical applications as in the case of two- or three-way speakers, where they are used as diplexers. This allows the tweeters to mainly play higher frequencies and leave the bass to the woofers. As you might have guessed, specific frequencies are assigned as reference points for the frequencies allowed to pass through the filter. And it is precisely these values that wflt expects as a parameter for each filter (see Table 5).

Thus, if you want wflt to amplify the frequency range below a specific frequency, 300 Hz for example, and reduce any higher frequencies, you need the following syntax for wflt:

wflt -l300Hz -ofile input

A similar syntax is used to set the high-pass filter (option -f) and the band-pass filter (option -b). The band-pass filter, which merely raises the values in the frequency range by a specified value, also allows you to define its scope using the option -w. Experiment with different values; in fact you can control wav files in a similar way to twiddling the dials on your equalizer at home.


Table 5: wflt Options

-mrange          Midrange filter
-lfrequency      Low-pass filter
-ffrequency      High-pass filter
-bfrequency      Band-pass filter
-wscope          Scope of band-pass
-gamplification  Amplification
-abias           Offset to zero
-c               Center file
-n               Normalize file
-r               Play file backwards
-i               Invert file
-ofile           Output file
-h               Help
-v               Verbose

Figure 4: Playing wavemix.wav with XMMS

Figure 3: frequencysplit.sh 200 440 1000 10; disp_freq.sh

INFO

[1] WaveTools http://tph.tuwien.ac.at/~oemer/wavetools.html

THE AUTHOR

Volker Schmitt is a mathematician and works for a large insurance company. His previous experience with waves was mainly in the form of Fourier transformations in the context of analytical numeric theory, and as produced by the PA system down at the local disco.


Held in early December for the second year, this event is shaping up into India’s most ambitious Open Source event. In terms of numbers, nothing comes close to challenging it.

Still, for a sub-continent sized country of India’s dimensions, a lot more could perhaps be done to rope in the real diversity of GNU/Linux.

“We have more talks per minute than many international conferences. It’s a big thing … This year we tried our level best to keep the audiences out, and we failed again. We were about two times over-subscribed in terms of (seating) capacity,” said Atul Chitnis, a key mover and decision-maker behind the event hosted by Bangalore’s LUG.

LB/2002’s some 70-plus talks were drawing attention globally too. The website http://linux-bangalore.org/2002/ had drawn some 100,000 hits, most from outside the country.

Like last year, the meet drew in the numbers. Long queues were visible on Day One, a little shorter than last year’s perhaps because the three-day event was priced at Rs 300 (£4, Euros 6) unlike the free entry of the past.

It continued to get high-level corporate support. HP and IBM were the top corporate sponsors. “What really tickles me pink is that the Government of India (a sponsor this year) is saying, ‘Hey guys, you are doing a good thing.’” added Chitnis.

Even Microsoft went there

One surprise speaker was Microsoft, speaking about their “shared source” alternatives. Organisers stressed that those representing the company were technical people, and hence questions about license issues would not be taken.

Programmers from local software firms and students were in the majority. Most were duly impressed by the quality of speakers, and the information imparted in parallel sessions that sometimes went on in five halls simultaneously.

Tracks were available in development, sysadmins, users and the business sector, emerging issues, government and education, and kernel-related trends.

Sponsors also gave keynotes, ranging from the inspiring (for example Brij Sethi of HP’s “preaching to achieve personal excellence” in an Open Source world) to the somewhat boring. Delhi-based 24-year-old Naba Kumar, who spoke on C programming under Linux, didn’t fail to impress the youngsters in the crowd by what is possible at his age. Naba is a GNOME developer, and founder of the Anjuta project, an integrated development environment.

Other talks dealt with Qt programming, super-computing clusters, embedded Linux, e-governance, Linux in robotics, and much else. There were discussions on Indian language computing.

There was even a rock show at the end of the three-day meet, in a city where the younger generation is fast moving into the globalised culture of pizzas and pubs.

Local users predominated

In some ways, much more could have been done. Talks were largely by volunteers, meaning that a number of potential quality inputs went un-invited and overlooked. Despite its goals of being a national meet, some LUGs across India might not have learnt of it in time.

Besides, this is marketed strictly as an Open Source event, keeping proponents of the parallel Free Software movement – already incorporated as a company, and mainly active around the neighbouring state of Kerala – largely outside its activities.

“They could have at least shown the two potential paths (of Open Source and Free Software). Here, it was made out to be as if there is just one path available,” said Mitul Limbani, the CTO of Enterux Solutions. Based in India’s commercial capital of Mumbai, Enterux are consultants and solution providers for Free and Open Source-based systems.

“It’s very well organised, except that on the first day there was too much pressure (long queues) for food. This event is better organised than many back home,” said Israeli software expert in embedded solutions, Roi Hadar.

Anil Bajaj of Anil Electricals, from Bangalore’s plush Mahatma Gandhi Road area, felt that the Bangalore user group was “not talking about giving free support”. Anil, who works in hardware, said: “We should create a community where support is available easily (at low cost or for free). Unless we have a revolution by our youth, things will not improve drastically”. ■

Take some 2000 Linux enthusiasts, place them in the region known as the Silicon Valley of South Asia, pepper it up with significant funding support – what you have is Linux Bangalore 2002.

Linux Bangalore 2002

On the Linux move


Figure 2: Affordable prices of GNU/Linux software are a reason for its popularity in a region like India

Figure 1: Indic computing solutions on the GNU/Linux front seem closer than ever


The program is written in Perl and Bash, massively employing XML, and it works in four steps. First, logfiles are normalized into a “Distilled Log Format” (DLF) in preparation for the second step, where they are analyzed by generic tools which can be used across services. The output format of those tools is XML, which in the fourth step can then be translated into one of the final formats.

Currently, Lire has input filters for 29 different services, and counting. A new service can simply be added by writing a converter into the DLF format.

A special advantage of Lire is that it allows you to compare different implementations of the same service, like the MTAs exim and postfix.

The project has already proven itself to perform well in companies with logfiles of several gigabytes for tasks like performance measuring, system maintenance, problem solution and marketing, so with this in mind it can be considered stable.

According to Josh Koenig, who filled out the Brave GNU World questionnaire, the biggest weakness is currently the API, which is not easily understood or well documented. Besides a user-friendly GUI, this is a major concern of further development.

Help in these areas as well as filters for new services are very welcome. Also the group seeks help making Lire popular, especially in medium to large size companies.

The hard core of the LogReport development team consists of Joost van Baal, Francis Lacoste, Egon Willighagen, Josh Koenig and Wessel Dankers, although many developers from different countries around the world have contributed. The project is being maintained by the LogReport Foundation, a charitable association in the Netherlands.

Besides being technically useful, this project also offers a very nice example of one of the most important economic advantages of Free Software, the prevention of repetition of work.

GNU Source Highlight

GNU Source Highlight [2] by Lorenzo Bettini takes source code and creates syntax-highlighted output in HTML or XHTML. It has evolved out of the tools java2html and cpp2html, which were introduced in issue #21 of the Brave GNU World and have dissolved into GNU Source Highlight.

Currently input filters exist for Java, C/C++, Prolog, Perl, PHP3, Python, Flex and ChangeLog. Filters for other languages can be added, however.

The project itself was written in C++ and is stable according to Lorenzo Bettini. He is now working on a new

Since coping with administration is certainly among the most common Linux needs, the following feature has been moved to the top.

Lire

It is tradition on Unix systems that all proceedings and activities in the system of services like web server, mail server, name server, databases and many more are written into logfiles. This protocol of activities allows system administrators to monitor their systems closely.

The logfiles can quickly become fairly large, which makes handling them hard. Although they are usually in ASCII format, a file size of several megabytes cannot really be completely grasped by a human being.

On top of this, data only becomes information when approached with a certain question. A significant part of the data will be irrelevant to the question, so in practice this means that information is usually buried under irrelevant data and therefore almost inaccessible.

This problem has occurred in many places for several years now and has triggered the development of programs to aid people in the analysis of logfiles.

So on April 6th, 2000, several computer scientists from Dutch companies got together to discuss the tedious task of log analysis. It became apparent that each of their companies created solutions that were merely duplicating efforts already completed in other companies.

In order to end this multiplication of work, the LogReport team began writing a program as Free Software under the GNU General Public License (GPL), which should accomplish these tasks reliably in a professional environment. Two years later, Lire [1] was published.

Like Douglas Adams’ “Electric Monks”, which free humans from the boring task of believing, it is the goal of Lire to free people from the tedious task of logfile reading. Hence the name, because the French word “lire” means “reading.”

Welcome to another issue of the Brave GNU World. This time with an eye on tools to help make your day easier. BY GEORG C. F. GREVE

The monthly GNU column

Brave GNU World


Lire architecture


output format (LaTeX) and would like to write a better description language for programming languages in order to replace Flex, which is currently used for this purpose.

Most of the support he received for this project was in terms of filters for different programming languages written by other developers. John Millaway for instance wrote the filters for Flex and ChangeLog, Christian W. Zuckschwedt and Josh Hiloni contributed the XHTML output and Martin Gebert wrote the Python filter. Alain Barbet wrote the filters for PHP3 and Perl.

The major weakness of the project at the moment is that references of functions can currently not be mapped to their definitions, as only lexical analysis is being performed. Fixing this and writing more filters would therefore be good ways of supporting the project.

Naturally, developers using GNU Source Highlight as a command line tool or interactive CGI on the web are the classical user group of the project, but there are also users who just appreciate a good graphical user interface.

Ksrc2html

Ksrc2html [3] by Martin Gebert is a graphical user interface for GNU Source Highlight; it is also available under the GNU General Public License (GPL), which makes it Free Software. As the name suggests, Ksrc2html is based upon C++, Qt and KDE 2; an update to KDE 3 is planned.

Ksrc2html allows a formatting preview in order to allow better control over the parameters. Also settings for colors and font types can be made interactively and saved for later usage.

Thanks to Xavier Outhier, who took care of the French translation.

Martin considers the project to be stable, although he does plan to expand the dialog for colors and font types in a way that will allow adjustment for different programming languages.

He would like it to be known that help with the KDE 3 port would be welcome.

Free Software in Asia

As our Asian readers will probably be happy to read, on July 10th, 2002, the “Free Software Initiative Japan” (FSIJ) [4] was founded. It seeks to further Free Software in Japan and create the basis for a future FSF Japan or FSF Asia.

Chairman of the FSIJ is Prof. Masayuki Ida, who was acting as the “Vice President Japan” of the Free Software Foundation North America for a long time and with whom the members of the Free Software Foundation Europe led intensive discussions during his trip through Europe last year.

In order to provide an impulse for Free Software in Japan, the FSIJ organized the “Free Software Symposium 2002” in Tokyo on October 22nd and 23rd. Being the first event of its kind in Asia, speakers from China, Thailand, Japan, Singapore, Germany, Italy and the USA were invited to provide an interesting conference programme.

Besides the more technically oriented presentations about Debian, the HURD project or RedFlag Linux, the Chinese GNU/Linux distribution, there were also speeches about the larger issues of Free Software and the situations in both Asia and Europe.

The round table on the evening of October 22nd discussed the issues of better international co-operation for internationalization of programs and documentation as well as the possibility of a solution oriented database for Free Software. Even though these issues would certainly not be solved in two hours, some practical ideas were found that are now being pursued by mail.

All in all this was an important step forward for Free Software in Asia, which also intensified the dialog between the Asian countries. Building upon it, it is being considered to hold a follow-up event sometime around February or March 2003 in Thailand.

Maybe it will be possible to establish these events as a permanent institution wandering from country to country in Asia. It is very good to see that Free Software is also on the rise in Asia.

Asian readers of the Brave GNU World who would like to get involved should probably get in touch with the FSIJ or GNU China [5].

Until the next time

Enough Brave GNU World for this month. Although the repetition might cause some to skip over it, as every month I am asking for questions, ideas, comments and mails about interesting GNU projects.

Despite the danger of being buried under more mail, I’d like to ask you a concrete question. In reference to Douglas Adams, I’d like to hear what is the most important question to you that Free Software provides the answer to. Like everything else, please send your questions to the usual address [6].


INFO

[1] Lire home page http://www.logreport.org
[2] Source Highlight home page http://www.gnu.org/software/src-highlite/
[3] Ksrc2html home page http://murphy.netsolution-net.de/Ksrc2.html
[4] Free Software Initiative of Japan http://www.fsij.org
[5] GNU China http://www.gnuchina.org
[6] Home page of Georg’s Brave GNU World http://brave-gnu-world.org

Send ideas, comments and questions to Brave GNU World [email protected]

FSIJ

Ksrc2html main window


We are always looking for article submissions and new authors for the magazine. Although we will consider articles covering any Linux topic, the following themes are of special interest:
• System Administration
• Useful hints, tips and tricks
• Security, both news and techniques
• Product Reviews, especially from real world experience
• Community news and projects

If you have an idea for an article, please send a proposal to [email protected]. The proposal should contain an outline of the article idea, an estimate of the article length, a brief description of your background, and your complete contact information.

Articles are usually about 800 words per page, although code listings and images often reduce this amount. The technical level of the article should be consistent with our typical content. Remember that Linux Magazine is read in many countries, and your article may be translated for use in our sister publications. Therefore, it is best to avoid using slang and idioms that might not be understood by all readers.

Be careful when referring to particular dates or events in the future. Many weeks will pass between the submission of your manuscript and the final copy in the reader’s hands.

When submitting proposals or manuscripts, please use a subject text that helps us to quickly identify your email as an article proposal for a particular topic. Screenshots and other supporting materials are always welcome. Don’t worry about the file format of the text and materials, we can work with almost anything.

Please send all correspondence regarding articles to [email protected]. ■

Call for Papers


Advertiser Index

Advertiser                    Web Site                       Page
1 & 1                         oneandone.co.uk                11
Cyclades                      www.cyclades.co.uk             Outside Back Cover
Dedicated Servers             www.dedicated-servers.co.uk    7
Digital Networks              www.dnuk.com                   39
FOSDEM 2003                   www.fosdem.org                 41
GeCAD Software                www.ravantivirus.com           15
Hewlett Packard               www.hplinuxworld.com           Inside Front Cover
LinuxPark CeBIT               www.cebit-info.de              Inside Back Cover
Linux Magazine Back Issues    www.linux-magazine.com         77
Linux Magazine Subscription   www.linux-magazine.com         Bind-in 66–67
Red Hat Europe                www.europe.redhat.com          13

Linux Events

Event                           Date               Location                   Web Site
Spam Conference                 Jan 17 2003        Cambridge, MA – USA        www.spamconference.org
LinuxWorld Conference & Expo    Jan 21–24 2003     New York, NY – USA         www.linuxworldexpo.com
Linux.conf.au                   Jan 22–25 2003     Perth, WA – Australia      conf.linux.org.au
SAINT-2003                      Jan 27–31 2003     Orlando, Florida – USA     www.saint2003.org
FOSDEM 2003                     Feb 8–9 2003       Brussels – Belgium         www.fosdem.org
NordU/USENIX 2003               Feb 10–14 2003     Västerås – Sweden          www.nordu.org
Desktop Linux Summit            Feb 20–21 2003     San Diego, CA – USA        www.desktoplinux.com/summit
LinuxPark CeBIT 2003            Mar 12–19 2003     Hannover – Germany         www.cebit.de
PyCon DC 2003                   Mar 26–28 2003     Washington, DC – USA       www.python.org/pycon
Ruby Con                        Mar 28–30 2003     Dearborn, MI – USA         www.rubi-con.org


Once identified, the mail can then be optionally tagged as spam for later filtering using the user’s own mail user-agent application.

SpamAssassin typically differentiates successfully between spam and non-spam in between 95% and 99% of cases, depending on what kind of mail you get.

WaveToolsWaveTools is a softwarelibrary consisting of eightprograms for manipulatingmono WAV Files. It waswritten as a toolbox forgenerating and preprocessingsmall test samples. If youwant to write your own effectfilters or sound analysis tools

and don't want to messaround with format

conversions orstandard inputfilters, or if youjust want toarrange some WAVs for your voicemodem, you will find this useful.

RAV AntiVirusThe evaluation version is fully functional

for a period of 30 days. In the evaluationperiod the user has the opportunity to

test and learn about all the product’s capa-bilities, with no restriction in this respect. RAV

provides both an intuitive Graphical User Interfaceand a command line for expert users.

GamesOur games selection gives you the opportunity to relaxand play one of these four fine 3D games:• BillardGL: This one requires an nVidia or OpenGL

equivalent graphic card as it relies heavily onhardware acceleration.

• Trackballs: It requires the SDL libraries. In this game you guide a marble around mazes avoiding theobstacles in a given time.

• Spheres of Chaos: This game is based on Asteroidsbut is much more colorful.

• Pachi el Marciano: The last game in the series is aplatform game where you have to collect all theobjects on each level. ■

The CD ROM with your subscription issue contains all thesoftware listed below, saving you hours of searching anddownloading time. On this month’s subscription CD ROM

we start with the latest development software to hit the servers.Included, alongside KDevelop, we have all the files that wemention in the magazine, in the most convenient formats.

KDevelopKDevelop is an integrated Linux development environmentaimed at producing Linux applications in the easiest possibleway. It features:• Project Management: The project file keeps all information

for your project files like file properties (include or excludefrom distribution), and projects can be created and changedindividually. The generated projects are autoconf/automake-compatible.

• Dialog Editor: KDevelop provides you with an easy way to create GUI interfaces with the built-in dialog editor. Youcan let KDevelop generate the dialog sourcecode and get fullcontrol of the dialog functionality.

• Classparser / Classtools: The classview currently featuresthe parsing of almost any C++ and C statement,nested classes, structures within classes andoperators as well as namespaces. It is alsopossible to add methods and attributesusing the classtools dialogs.

• Integrated Debugger: WithKDevelop 1.1 you are providedwith a complete integrateddebugger which lets you use KDevelop’s classviewereven more efficiently. Whendebugging you can easilyaccess the sourcecode to setbreakpoints and watch variablesof your application.

• Graphical Class Viewer: Thegraphical class viewer offers you thepossibility to get an overview of yourproject and all of your classes.

• Application Wizard: The KAppWizard offers the generationof different application frameworks to create new programs.Available as a standard KDE application with menubar, tool-bar and statusbar, a mini-KDE-application with an emptyMainwindow, a complete GNOME application, a Qt-onlybased application also with menubar, toolbar and statusbarand finally a C/C++ Terminal application type.

SpamAssassinSpamAssassin is a mail filter which attempts to identify spam using text analysis and several internet-based realtimeblacklists. Using its rule base, it uses a wide range of heuristictests on mail headers and body text to identify "spam", alsoknown as unsolicited commercial email.

97www.linux-magazine.com February 2003

Subscription CD

LINUX MAGAZINESubscription CD

Subscribe & Save

Save yourself hours of download time in the future with the Linux Magazine subscription CD! Each subscription copy of the magazine includes a CD like the one described here free of charge.

In addition, a subscription will save you over 16% compared to the cover price, and it ensures that you’ll get advanced Linux Know-How delivered to your door every month.

Subscribe to Linux Magazine today!

Order Online: www.linux-magazine.com/Subs

Or use the order form between p66 and p67 in this magazine.


Next month highlights

March 2003: Issue 28
On Sale: 8 February

Samba control

Practical help and tutorials on using Samba to connect Windows clients. Windows users can access file and print services without knowing that those services are being offered by a Unix host.

Samba is an open source CIFS implementation. We cover everything you have ever wanted to know about domains and authentication.

Privileged Information

Read, write, and execute file privileges are explained in nearly every Unix or Linux manual. There is more hiding in the system, however: the notorious SUID bit, for example, and the special privilege referred to as the “sticky bit”, which really does make directories sticky.

The files stored there can only be deleted by their owners, even if other users have write privileges for the directory. We show you how to control this useful feature.

IceWM

The Ice Window Manager has now been around long enough to be considered stable and feature-full. IceWM is a small but powerful window manager for the X11 Window System whose main goals are being comfortable to use, being simple and fast, and not getting in the way. IceWM delivers full GNOME compliance and partial KDE compliance.

Bochs

Bochs is a highly-portable Open Source PC emulator written in C++. It includes emulation of the Intel x86 CPU, common I/O devices, and a custom BIOS.

Currently, Bochs is capable of running most Operating Systems inside the emulation including Linux, Windows 95, DOS, and more recently Windows NT 4. Typically this allows you to run OSs and software within the emulator on your workstation, almost as if you had a machine inside of a machine.

Practical Networking

Networking plays an important role in today’s IT world. So important that we will give step by step guides to setting up networks with your distribution. The hands-on workshop will explain quickly and simply what you need to do.

We cover a broad spectrum of techniques from printing over a network to using web-based administration tools. The software is explained from the basics so you can be up and running quickly.

Imprint

Editor: John Southern, [email protected]

Assistant Editor: Colin Murphy, [email protected]

International Editors: Patricia Jung, [email protected]; Heike Jurzik, [email protected]; Ulrich Wolf, [email protected]

International News Editors: Leon Brooks, Stephanie Cooke, Armijn Hemel, Patricia Jung, Davyd Madeley, Philip Paeps

Contributors: Konstantin Agouros, Zack Brown, Marius Aamodt Eriksen, Steven Goodwin, Georg C. F. Greve, Carsten Grohmann, Peer Heinlein, Kurt Huwig, Heike Jurzik, Andreas Kneib, Charly Kühnast, Achim Leitner, Nico Lumma, Oliver Much, Colin Murphy, Andrea Müller, Amon Ott, Christian Perle, Niels Provos, Bernhard Röhrig, Volker Schmitt, Marc André Selig, Dirk von Suchodoletz, Stefanie Teufel, Dean Wilson

Production Coordinator: Hans-Jörg Ehren, [email protected]

Layout: Judith Erb, Elgin Grabe, Klaus Rehfeld

Cover Design: Pinball Werbeagentur

Advertising Sales: www.linux-magazine.com/Advertise
All countries (except Germany, Austria, Switz.): Brian Osborn, [email protected], phone +49 651 99 36 216, fax +49 651 99 36 217
Germany, Austria: Osmund Schmidt, [email protected], phone +49 6335 9110, fax +49 6335 7779

Management (Vorstand): Hermann Plank, [email protected]; Rosie Schuster, [email protected]

Project Management: Hans-Jörg Ehren, [email protected]

Subscription: www.linux-magazine.com/Subs
Subscription rate (12 issues including monthly CD):
United Kingdom: £ 39.90
Other Europe: Euro 64.90
Outside Europe – SAL: Euro 74.90 (combined air / surface mail transport)
Outside Europe – Airmail: Euro 84.90
phone +49 89 9934 1167, fax +49 89 9934 1199, [email protected]

Linux Magazine, Stefan-George-Ring 24, 81929 Munich, [email protected], phone +49 89 9934 1167, fax +49 89 9934 1199

www.linux-magazine.com – Worldwide
www.linuxmagazine.com.au – Australia
www.linux-magazine.ca – Canada
www.linux-magazine.co.uk – United Kingdom

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the CD provided with the magazine or any material provided on it is at your own risk. The CD is thoroughly checked for any viruses or errors before reproduction.

Copyright and Trademarks © 2002 Linux New Media Ltd. No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, e-mails, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media unless otherwise stated in writing.

Linux is a trademark of Linus Torvalds.

ISSN 14715678. Printed in Germany.

Linux Magazine is published monthly by Linux New Media AG, Munich, Germany, and Linux New Media Ltd, Manchester, England. Company registered in England.

Distributed by COMAG Specialist, Tavistock Road, West Drayton, Middlesex, UB7 7QE, United Kingdom