Beyond Linux® From Scratch

Version 6.1

BLFS Development Team

Copyright © 2001-2005, BLFS Development Team

All rights reserved.

Descriptive text is licensed under a Creative Commons License.

Computer instructions are licensed under the Academic Free License v. 2.1.

Linux® is a registered trademark of Linus Torvalds.

2005-08-14

Revision History

Revision 6.1, 2005-08-14: Fifth release
Revision 6.0, 2005-04-02: Fourth release
Revision 5.1, 2004-06-05: Third release
Revision 5.0, 2003-11-06: Second release
Revision 1.0, 2003-04-25: First release

Abstract

This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.


Dedication

This book is dedicated to the LFS community

Preface

Foreword

Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS were the LFS hints (http://www.linuxfromscratch.org/hints). Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS - hence BLFS.

BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.

Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!

Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs at irc.linuxfromscratch.org. You can find more details about all of these in the Introduction section of the book.

Enjoy using BLFS.

Mark Hymers
markh <at> linuxfromscratch.org
BLFS Editor (July 2001–March 2003)

I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do, I waited for someone else to do it. It wasn't too long before I was looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.

We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.

Larry Lawrence
larry <at> linuxfromscratch.org
BLFS Editor (March 2003–June 2004)

The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan "Your distro, your rules."

Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.

Bruce Dubbs
bdubbs <at> linuxfromscratch.org
BLFS Editor (June 2004–Present)

Preface to Version 6.0

Version 6.0 is a major milestone in the evolution of BLFS. This version provides installation instructions for 357 packages and an additional 21 sections covering configuration and customization of different aspects of your system.

Changes and upgrades to the individual packages are detailed in the Change Log. There you will see literally hundreds of changes made since the last edition. In this change log, one name that you will see over and over is Randy McMurchy. Without his efforts this release would not have been possible. I want to take this opportunity to thank him for the hundreds of hours he has worked to produce this release. I also want to thank the other editors, both past and present, whose insight and effort have made this current version possible. Last, but certainly not least, I want to thank our resident XSL wizard, Manuel Canales Esparcia, whose ability to format a complicated document such as BLFS is truly amazing.

There are two other areas of change that are worthy of note. First, the license that BLFS is released under has changed significantly. In fact, it is now released under two licenses. The first license, the Creative Commons License, covers the descriptive text in the book. The second, the Academic Free License v. 2.1, covers the instructions actually used to build and install the packages. These licenses, along with the book itself, represent our ongoing commitment to open and free software.

The final area of change is the addition of an Index. This section of the book is still incomplete, but as the book continues to be developed, will become an excellent resource for finding programs, libraries, configuration files, and references to kernel configuration requirements. I hope you find it useful.

Bruce Dubbs
March 17, 2005

Preface to Version 6.1

Version 6.1 is an incremental update of BLFS. This version continues the tradition of providing an extensive set of instructions for extending a basic Linux From Scratch system. The instructions in this version of BLFS are based on the LFS 6.1 Book. As usual, the list of packages that have been upgraded or added are in the Change Log.

One major accomplishment in this version of the book is the completion of the Index. This section is now a relatively complete (but not perfect) reference for the components of the various packages in the book.

In any task as large and complex as this book, there are bound to be errors. The editors of the book are dedicated to keeping the book up to date. We appreciate any feedback in helping us to make the book as accurate as possible. The best place to provide comments is via the mailing list at mailto:blfs-dev@linuxfromscratch.org.

Enjoy!

Bruce Dubbs
August 1, 2005

Who Would Want to Read this Book

This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, but for one reason or another want to manually build software and are in need of some assistance. BLFS can be used to create a range of diverse systems and so the target audience is probably nearly as wide as that of the LFS book. If you found LFS useful, you should also like this!

Since Release 5.0, the BLFS book version matches the LFS book version. This book may be incompatible with a previous or later release of the LFS book.

Organization

This book is divided into the following parts.

Part I - Introduction

This part contains information which is essential to the rest of the book.

Part II - Post LFS Configuration and Extra Software

Here we introduce basic configuration and security issues. We also discuss a range of editors, file systems, and shells which aren't covered in the main LFS book.

Part III - General Libraries and Utilities

In this section we cover libraries which are often needed by the rest of the book as well as system utilities. Information on Programming (including recompiling GCC to support its full range of languages) concludes this part.

Part IV - Connecting to a Network

Here we cover how to connect to a network when you aren't using the simple static IP setup given in the main LFS book.

Part V - Basic Networking

Networking libraries and command-line networking tools make up the bulk of this part.

Part VI - Major Servers

Here we deal with setting up mail and other servers (such as SSH, Apache, etc.).

Part VII - X + Window Managers

This part explains how to set up a basic X Window System installation along with some generic X libraries and Window managers.

Part VIII - KDE

For those who want to use the K Desktop Environment or some parts of it, this part covers it.

Part IX - GNOME

GNOME is the main alternative to KDE in the Desktop Environment arena and we cover both GNOME-1.4 and GNOME-2.10 here.

Part X - X Software

Office programs and graphical web browsers are important to most people. They, along with some generic X software can be found in this part of the book.

Part XI - Multimedia

Here we cover setting up multimedia libraries and drivers along with some audio, video and CD-writing programs.

Part XII - Printing, Scanning and Typesetting (PST)

The PST part of the book covers document handling, from applications like Ghostscript, CUPS and DocBook to installing TeX.

Appendices

The Appendices cover information which doesn't belong in the main book; they are mainly there as a reference.

Introduction

Chapter 1. Welcome to BLFS

The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.

Please read most of this part of the book carefully as it explains quite a few of the conventions we use throughout the book.

Acknowledgments

We would like to thank the following people and organizations for their contributions toward the BLFS and LFS projects:

  • All those people listed on the Credits page for submitting patches, instructions and corrections to the book. The former editor would especially like to thank Bruce, Larry and Billy for their enormous inputs to the project.

  • Mark Stone <mstone <at> linux.com> for donating the linuxfromscratch.org servers.

  • Gerard Beekmans <gerard <at> linuxfromscratch.org> for starting and writing the vast majority of the LFS project.

  • Jesse Tie-Ten-Quee <higho <at> linuxfromscratch.org> for answering many questions on IRC, having a great deal of patience and for not killing the former editor for the joke in the original BLFS announcement!

  • DREAMWVR.COM for their ongoing sponsorship by donating various resources to the LFS and related sub projects.

  • Robert Briggs for donating the linuxfromscratch.org and linuxfromscratch.com domain names.

  • Frank Skettino <bkenoah <at> oswd.org> at OSWD for coming up with the initial design of the LFS and BLFS websites.

  • Garrett LeSage <garrett <at> linux.com> for creating the LFS banner.

  • Jeff Bauman (former co-editor of the book) for his assistance with getting BLFS off the ground.

  • Countless other people on the various LFS and BLFS mailing lists who are making this book happen by giving their suggestions, testing the book and submitting bug reports.

Credits

Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project. If you are in the list and wish to have your email address included, again please drop us a line at bdubbs@linuxfromscratch.org and we'll be happy to add it. We don't include email addresses by default so if you want it included, please state so when you contact us.

Editors

  • Editor: Bruce Dubbs <bdubbs@linuxfromscratch.org>

  • Co-Editors: Randy McMurchy, Larry Lawrence, Igor Zivkovic, DJ Lucas, Tushar Teredesai, David Jensen, Manuel Canales Esparcia, and Richard Downing.

Text Authors

  • Chapter 01. Based on the LFS introductory text by Gerard Beekmans, modified by Mark Hymers for BLFS.

  • Chapter 02: The /usr versus /usr/local debate: Andrew McMurry.

  • Chapter 02: Going beyond BLFS: Tushar Teredesai.

  • Chapter 02: Package Management: Tushar Teredesai.

  • Chapter 03: /etc/inputrc: Chris Lynn.

  • Chapter 03: Customizing your logon & vimrc: Mark Hymers.

  • Chapter 03: /etc/shells: Igor Zivkovic.

  • Chapter 03: Random number script: Larry Lawrence.

  • Chapter 03: Creating a Custom Boot Device: Bruce Dubbs.

  • Chapter 03: The Bash Shell Startup Files: James Robertson, revised by Bruce Dubbs.

  • Chapter 03: Compressed docs: Olivier Peres.

  • Chapter 04: Firewalling: Henning Rohde with thanks to Jeff Bauman. Revised by Bruce Dubbs.

  • Chapter 11: Which: Mark Hymers with many thanks to Seth Klein and Jesse Tie-Ten-Quee.

  • Chapter 25: X Window System Environment: Bruce Dubbs.

  • Chapter 27: Intro to Window Managers: Bruce Dubbs.

  • Chapters 28 and 29: KDE: Bruce Dubbs.

  • Chapters 30, 31, and 32: GNOME: Larry Lawrence.

Installation Instruction Authors

  • aalib, Alsa, ffmpeg, gocr, MPlayer, opendivx, transcode, xvid and xsane: Alex Kloss

  • AbiWord, at-spi, ATK, audiofile, avifile, bc, bonobo-activation, bug-buddy, cdrdao, cdrtools, cpio, curl, dhcp, enlightenment, eog, esound, fcron, fluxbox, FNLIB, gail, galeon, gconf-editor, gdbm, gedit, gimp, GLib2, gmp, gnet, gnome-applets, gnome-desktop, gnome-games, gnome-icon-theme, gnome-libs, gnome-media, gnome-mime-data, gnome-panel, gnome-session, gnome-system-monitor, gnome-terminal, gnome-themes, gnome-utils, gnome-vfs, gnome2-user-docs, gnumeric, GTK+2, gtk-doc, gtk-engines, gtk-thinice-engine, eel, imlib, intltool, lame, libao, libart_lgpl, libbonobo, libbonoboui, libgail-gnome, libglade2, libgnome, libgnomecanvas, libgnomeprint, libgnomeprintui, libgnomeui, libgsf, libgtkhtml, libgtop, libIDL, libogg, librep, librsvg, libvorbis, libwnck, libxml2, libxslt, linc, LPRng, Linux_PAM, metacity, MIT Kerberos 5, MPlayer, mutt, nautilus, nautilus-media, oaf, OpenJade, OpenSP, OpenSSH, ORBit, ORBit2, pan, Pango, pccts, pcre, pkgconfig, postfix, procmail, Python, QT, rep-gtk, ruby, sawfish, scrollkeeper, sgml-common, sgml-dtd, shadow, startup-notification, unzip, vorbis-tools, vte, wget, XFce, xine, xml-dtd, yelp and zip: Larry Lawrence

  • CDParanoia, mpg123, SDL and XMMS: Jeroen Coumans

  • alsa, cvs, dhcpcd, gpm, hdparm, libjpeg, libmng, libpng, libtiff, libungif, giflib, links, lynx, openssl, tcsh, which, zsh, zlib: Mark Hymers

  • traceroute: Jeff Bauman

  • db and lcms: Jeremy Jones and Mark Hymers

  • aspell, balsa, bind, bonobo, bonobo-conf, cvs server, db-3.3.11, db-3.1.17, emacs, evolution, exim, expat, gal, gnome-print, GnuCash, gtkhtml, guppi, guile, guppi, g-wrap, leafnode, lesstif, libcapplet, libesmtp, libfam, libghttp, libglade, pine, portmap, PostgreSQL, pspell, qpopper, readline, reiserfs, Samba, sendmail, slrn, soup, tex, tcp-wrappers, and xinetd: Billy O'Connor

  • ProFTPD and rsync: Daniel Baumann

  • ESP Ghostscript: Matt Rogers

  • ALSA Tools, Apache Ant, Cyrus-SASL, DejaGnu, desktop-file-utils, DocBook DSSSL Stylesheets, DocBook-utils, Ethereal, Evolution Data Server, Exim (many additions), Expect, FOP, FreeTTS, FriBidi, gnome-audio, gnome-backgrounds, gnome-menus, GNOME Doc Utils, GnuCash (many additions), Heimdal, HTML Tidy, JadeTeX, Java Access Bridge, LessTif (rewrite), libexif, libgail-gnome, libgnomecups, MPlayer (extensive overhaul), Other Programming Tools, PDL, Perl Modules, pilot-link, Samba 3 (many additions), Shadow (rewrite), SANE (original instructions by Alex Kloss), SLIB, Stunnel, Sysstat and system-tools-backends: Randy McMurchy

  • Screen: Andreas Pedersen

  • PHP: Jeremy Utley

  • Gimp-Print and libusb: Alexander E. Patrakov

  • Fetchmail and WvDial: Paul Campbell

  • UDFtools, Perl modules (initial version) and Bluefish: Richard Downing

  • Epiphany, FLAC, File Roller, GNOME Magnifier, GNOME Netstatus, GNOME Speech, GOK, GPdf, GnomeMeeting, Gnopernicus, Imlib2, LZO, MC, NASM, Nautilus CD Burner, OpenQuicktime, Speex, XScreenSaver, Zenity, compface, freeglut, gcalctool, gucharmap, id3lib, kde-i18n, kdeaccessibility, kdebindings, kdesdk, kdevelop, kdewebdev, libFAME, liba52, libdv, libdvdcss, libdvdread, libmad, libmikmod and libmpeg3: Igor Zivkovic

  • tripwire: Manfred Glombowski

  • ALSA Firmware, ALSA OSS, inetutils, gdk, GLib, GTK+, libxml and vim: James Iwanek

  • iptables: Henning Rohde

  • joe, nano, nmap, slang, w3m and whois: Timothy Bauscher

  • MySQL: Jesse Tie-Ten-Quee

  • fontconfig, gcc, gcc2, jdk, mozilla, nas, openoffice, ispell, nail, ImageMagick, hd2u, STLport, tcl, tk and bind-utils: Tushar Teredesai

  • cracklib, libpcap, ncpfs, netfs, ppp(update), RP-PPPoE, Samba-3 and Subversion: DJ Lucas

  • ntp: Eric Konopka

  • nfs-utils: Reinhard

General Acknowledgments

  • Fernando Arbeiza for doing great quality assurance on Shadow utilizing PAM. The machine access he saved may have been yours.

  • Archaic for troubleshooting the mozilla section by performing multiple builds and for providing a description of the various mozilla extensions.

  • Gerard Beekmans for generally putting up with us and for running the whole LFS project.

  • Oliver Brakmann for developing the dhcpcd patch for FHS compliance.

  • Ian Chilton for writing the nfs hint.

  • Nathan Coulson for writing the new network bootscripts.

  • Nathan Coulson, DJ Lucas and Zack Winkles for reworking the bootscripts used throughout the book.

  • Jim Harris for writing the dig-nslookup-host.txt hint on which the bind-utils instructions are based.

  • Lee Harris for writing the gpm.txt hint on which our gpm instructions are based.

  • Marc Heerdink for creating patches for tcp_wrappers and portmap and for writing the gpm2.txt hint on which our gpm instructions are based.

  • Mark Hymers for initiating the BLFS project and writing many of the initial chapters of the book.

  • J_Man for submitting a gpm-1.19.3.diff file on which our gpm instructions are based.

  • Jeremy Jones (otherwise known as mca) for hacking Makefiles and general assistance.

  • Steffen Knollmann for revising the JadeTeX instructions to work with Tex-3.0.

  • Eric Konopka for writing the ntp.txt hint on which the ntp section is based.

  • Scot McPherson for writing the gnome-1.4.txt hint, from which useful information was gathered, and for warning us that GNOME Version 2.0 may not be ready to put in the book.

  • Alexander E. Patrakov for patches and suggestions to improve the book content, assistance with alsa dev.d helpers, and increasing the l10n awareness.

  • Ted Riley for writing the Linux-PAM + CrackLib + Shadow hint on which reinstalling Shadow to use PAM is based.

Which Sections of the Book Do I Want?

Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. This is because LFS provides instructions on how to create a base system which is capable of turning into anything from a web server to a multimedia desktop system. BLFS is where we try to guide you in the process of going from the base system to your intended destination. Choice is very much involved.

Everyone who reads the book will want to read certain sections. The Introduction part–which you are currently reading–contains generic information. Especially take note of the information in Important Information (Chapter 2, Important Information), as this contains comments about how to unpack software and various other aspects which apply throughout the book.

The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals with not just configuration but also Security (Chapter 4, Security), File Systems (Chapter 5, File Systems), Editors (Chapter 6, Editors) and Shells (Chapter 7, Shells). Indeed, you may wish to reference certain parts of this chapter (especially the sections on Editors and File Systems) while building your LFS system.

Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This part contains information on many items which are prerequisites for other sections of the book as well as some items (such as Programming (Chapter 12, Programming)) which are useful in their own right. Note that you don't have to install all of the libraries and packages found in this part to start with; each BLFS install procedure tells you which packages it depends upon so you can choose the program you want to install and see what it needs.

Likewise, most people will probably want to look at the Connecting to a Network and Basic Networking parts. The first of these deals with connecting to the Internet or your LAN using a variety of methods such as DHCP (Chapter 14, DHCP Clients) and Dial-Up Connections (Chapter 13, Dial-up Networking). The second of these parts deals with items such as Networking Libraries (Chapter 16, Networking Libraries) and various basic networking programs and utilities.

Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that Servers also contains information on various database packages.

The next parts of the book principally deal with desktop systems. This portion of the book starts with a part talking about X and Window Managers. This part also deals with some generic X-based libraries (Chapter 26, X Libraries). After this, KDE and GNOME are given their own parts which are followed by one on X Software.

The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA-1.0.9 instructions from this chapter quite near the start of their BLFS journey; they are placed here simply because it is the most logical place for them.

The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems and even those who are creating mainly server systems will find it useful.

We hope you enjoy using BLFS and find it useful.

Conventions Used in this Book

To make things easy to follow, there are a number of conventions used throughout the book. Following are some examples:

./configure --prefix=/usr

This form of text is designed to be typed exactly as seen unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.

install-info: unknown option
`--dir-file=/mnt/lfs/usr/info/dir'

This form of text (fixed width text) shows screen output, probably as the result of commands issued, and is also used to show filenames such as /boot/grub/grub.conf.

Emphasis

This form of text is used for several purposes in the book but mainly to emphasize important points or to give examples as to what to type.

http://www.linuxfromscratch.org/

This form of text is used for hypertext links external to the book such as HowTo's, download locations, websites, etc.

Mozilla-1.7.8

This form of text is used for links internal to the book such as another section describing a different package.

cat > $LFS/etc/group << "EOF"
root:x:0:
bin:x:1:
......
EOF

This type of section is used mainly when creating configuration files. The first command (in bold) tells the system to create the file $LFS/etc/group from whatever is typed on the following lines until the sequence EOF is encountered. Therefore, this whole section is generally typed as seen.

[REPLACED TEXT]

This form of text is used to encapsulate text that should be modified and is not to be typed as seen, or copy and pasted. Note that the square brackets are not part of the text, but should be substituted for as well.

root

This form of text is used to show a specific system user reference in the instructions.

Book Version

This is BLFS-BOOK version 6.1 dated August 14th, 2005. If this version is older than a month, a newer version is probably already available for download. Check one of the mirror sites below for updated versions.

Mirror Sites

The BLFS project has a number of mirrors set up world-wide to make it easier and more convenient for you to access the website. Please visit the http://www.linuxfromscratch.org/mirrors.html website for the list of current mirrors.

Getting the Source Packages

Within the BLFS instructions, each package has two references for finding the source files for the package—an http link and an ftp link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.

To overcome this problem, the BLFS Team, with the assistance of Server Beach, has made an http/ftp site available at anduin.linuxfromscratch.org. This site has all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need, get it there.

We would like to ask a favor, however. Although this is a public resource for you to use, we do not want to abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.

Change Log

Please note that the Change Log only lists which editor was responsible for putting the changes into SVN; please read the Credits page in Chapter 1 for details on who wrote what.

6.1 – August 14th, 2005

  • August 19th, 2005 [dj]: Updated dev.d scripts and surrounding text in alsa-utils.

  • August 12th, 2005 [randy]: Added a command to the PostgreSQL instructions to fix broken ownership of installed files.

  • August 11th, 2005 [randy]: Applied a patch contributed by stirling to fix many broken download URLs.

  • August 11th, 2005 [randy]: Added a new section "Other Programming Tools" to Chapter 12 - Programming.

  • August 9th, 2005 [bdubbs]: BLFS-6.1-pre2 release.

  • August 9th, 2005 [dj]: Added default PATH for pam_env and a note about the lack of ENV_SUPATH.

  • August 8th, 2005 [randy]: Added instructions to install patches to Ruby and NASM that fix security vulnerabilities discovered in both packages, thanks to Ken Moffat for the suggestions.

  • August 8th, 2005 [randy]: Modified documentation installation in the Fontconfig instructions.

  • August 8th, 2005 [randy]: Modified the Shadow instructions so that builders will not receive configuration errors during the testing recommended by the warning note.

  • August 7th, 2005 [randy]: Removed building the MPFR library from the GMP instructions.

  • July 31st, 2005 [randy]: Updated to libpcap-0.9.3 and moved the instructions from Chapter 8 "General Libraries" to Chapter 16 "Networking libraries"; updated to HTML Tidy-050722 and Ethereal-0.10.12.

  • July 31st, 2005 [dj]: Updated bootscripts tarball, added ALSA dev.d helper scripts, corrected SSL instructions for postfix, and updated postfix to 2.2.5.

  • July 31st, 2005 [richard]: Updated to firefox-1.0.6.

  • July 30th, 2005 [bdubbs]: Updated to fetchmail-6.2.5.2.

  • July 30th, 2005 [bdubbs]: Updated to mc-4.6.1.

  • July 30th, 2005 [richard]: Updated to thunderbird-1.0.6 with enigmail-0.92.0 and ipc-1.1.3.

  • July 30th, 2005 [tushar]: Added boot-time consistency check for ext3 partitions.

  • July 29th, 2005 [bdubbs]: Updated to exim-5.52.

  • July 29th, 2005 [bdubbs]: Updated to iptables-1.3.3.

  • July 29th, 2005 [richard]: Revised wording about LFS newsserver.

  • July 29th, 2005 [richard]: Updated to fcron-2.9.7 changing dependency wording for the required text editor.

  • July 28th, 2005 [richard]: Updated to curl-7.14.0.

  • July 28th, 2005 [richard]: Updated to LZO-2.01.

  • July 28th, 2005 [richard]: Updated to libvorbis-1.1.1 and vorbis-tools-1.1.1.

  • July 28th, 2005 [dj]: Added security patch for OpenOffice and removed broken optimization patch for JDK.

  • July 27th, 2005 [bdubbs]: Updated escape sequence explanation in the /etc/issue discussion in Chapter 3.

  • July 27th, 2005 [tushar]: Updated to aspell-0.60.3.

  • July 27th, 2005 [tushar]: Updated to libxml2-2.6.20.

  • July 27th, 2005 [tushar]: Updated to pkg-config-0.19.

  • July 27th, 2005 [tushar]: Updated to speex-1.0.5.

  • July 27th, 2005 [bdubbs]: Updated to KDE-3.4.1.

  • July 27th, 2005 [djensen]: Updated to Bluefish-1.0.2.

  • July 27th, 2005 [djensen]: Updated to ImageMagick-6.2.3-5.

  • July 25th, 2005 [djensen]: Updated to ALSA-1.0.9.

  • July 25th, 2005 [tushar]: Fix symlink related bug in cpio. See Bug # 1464.

  • July 25th, 2005 [randy]: Updated to Heimdal-0.7.

  • July 25th, 2005 [djensen]: Updated to Imlib2-1.2.1.

  • July 25th, 2005 [djensen]: Updated to freeglut-2.4.0.

  • July 25th, 2005 [tushar]: Added optional defines to xorg to allow installation into standard directories.

  • July 24th, 2005 [dj]: Updated to Linux-PAM-0.80 and corrected sed for /etc/login.defs in Shadow instructions.

  • July 24th, 2005 [randy]: Updated to CrackLib-2.8.3.

  • July 23rd, 2005 [djensen]: Added security patch to Mpg123.

  • July 23rd, 2005 [randy]: Updated to Shadow-4.0.9 via a patch from DJ Lucas.

  • July 22nd, 2005 [randy]: Added textual updates to the "After LFS Configuration" chapter.

  • July 21st, 2005 [randy]: Added additional text to the "Conventions" and "Unpacking" sections; numerous typo, grammar and tagging fixes to the "Introduction" chapter.

  • July 20th, 2005 [tushar]: Added testsuite to pango.

  • July 20th, 2005 [larry]: Removed document instructions from mysql, no longer in package.

  • July 20th, 2005 [randy]: Updated to Stunnel-4.11.

  • July 19th, 2005 [randy]: Updated to Doxygen-1.4.3.

  • July 18th, 2005 [randy]: Updated to Nail-11.24 and Cyrus-SASL-2.1.21.

  • July 17th, 2005 [randy]: Updated to GnuCash-1.8.11.

  • July 17th, 2005 [tushar]: Updated Notes on Building Software.

  • July 14th, 2005 [randy]: Added Finance::QuoteHist module and dependencies to Perl Modules instructions.

  • July 14th, 2005 [djensen]: Updated to Tcl-8.4.11 and Tk-8.4.11.

  • July 14th, 2005 [djensen]: Updated to Gst-plugins-0.8.10.

  • July 14th, 2005 [bdubbs]: Updated to koffice-1.4.0b.

  • July 13th, 2005 [randy]: Major overhaul to the Perl Modules instructions including adding new modules, removing obsolete modules, adding additional dependencies, complete text rewrite and new page layout.

  • July 12th, 2005 [djensen]: Updated to Nmap-3.81.

  • July 11th, 2005 [tushar]: Install static library and header in PCI Utilities.

  • July 11th, 2005 [djensen]: Remove inappropriate patch from OpenSSL-0.9.7g.

  • July 10th, 2005 [djensen]: Added recommendation to skip the Berkeley DB test-suite.

  • July 9th, 2005 [djensen]: Updated to Libpcap-0.9.1.

  • July 9th, 2005 [djensen]: Updated to Libtiff-3.7.3.

  • July 9th, 2005 [tushar]: For fcron, replace switch --with-answer-all=no with --with-boot-install=no.

  • July 9th, 2005 [tushar]: Added make check to intltool.

  • July 9th, 2005 [dj]: Updated blfs-bootscripts and added RTC instructions to MPlayer.

  • July 8th, 2005 [tushar]: Added document installation to fontconfig.

  • July 7th, 2005 [djensen]: Added document installation to NTP-4.2.0.

  • July 3rd, 2005 [tushar]: Added note on installation of ispell and spell wrappers in aspell.

  • July 3rd, 2005 [tushar]: Added note that gmp testsuite is highly recommended.

  • July 3rd, 2005 [djensen]: Updated to ImageMagick-6.2.3-3.

  • July 3rd, 2005 [djensen]: Updated to GIMP-2.2.8.

  • July 1st, 2005 [djensen]: Updated to Berkeley DB-4.3.28.

  • Jun 30th, 2005 [djensen]: Updated to Pkgconfig-0.18.

  • Jun 29th, 2005 [djensen]: Updated to MySQL-4.1.12.

  • Jun 28th, 2005 [djensen]: Updated to Hdparm-6.1.

  • Jun 28th, 2005 [djensen]: Updated to Nano-1.2.5.

  • Jun 28th, 2005 [djensen]: Updated to Libgsf-1.12.0.

  • Jun 28th, 2005 [djensen]: Updated to PCRE-6.1.

  • Jun 28th, 2005 [randy]: Updated Perl Modules: HTML::Parser-3.45, HTML::TableExtract-2.02, DateManip-5.44, Module-CoreList-2.02 and Compress::Zlib-1.34; added dependencies to Finance::Quote Perl Module.

  • Jun 26th, 2005 [dj]: Added optimization patch to JDK instructions.

  • Jun 25th, 2005 [randy]: Updated G-Wrap dependencies; updated to Perl Module Module::Info-0.28.

  • Jun 23rd, 2005 [djensen]: Updated to Cdrdao-1.2.0.

  • Jun 21st, 2005 [djensen]: Updated to OpenSSL-0.9.7g.

  • Jun 21st, 2005 [djensen]: Corrected http download url in Transcode.

  • Jun 21st, 2005 [djensen]: Updated to XFce-4.2.2.

  • Jun 21st, 2005 [djensen]: Updated to Dillo-0.8.5.

  • Jun 21st, 2005 [djensen]: Updated to GSview-4.7.

  • Jun 20th, 2005 [djensen]: Updated to Freetype-2.1.10.

  • Jun 20th, 2005 [djensen]: Updated to Fontconfig-2.3.2.

  • Jun 20th, 2005 [djensen]: Moved Libwnck from gnome/core to x/libs.

  • Jun 20th, 2005 [djensen]: Separated the DB-4.3.27 test from the build, they are not compatible.

  • Jun 20th, 2005 [dj]: Added missing required patch to dhcp instructions.

  • June 19th, 2005 [djensen]: Changed links to t1lib-5.1.0 and mcrypt link to mcrypt.sourceforge.net/

  • Jun 18th, 2005 [dj]: Added dhcp-3.0.2-gcc_3.4.3-2.patch, updated dhclient instructions to print settings obtained in bootscript, and added libmawt.so symlink to JDK instructions.

  • June 18th, 2005 [djensen]: Updated to Fluxbox-0.9.13

  • June 18th, 2005 [djensen]: Updated to Ghostscript-8.51. Separated root/user.

  • June 18th, 2005 [igor]: Updated to Postfix-2.2.3.

  • June 17th, 2005 [igor]: Updated to Apache-2.0.54.

  • June 17th, 2005 [djensen]: Updated to NcFTP-3.1.9. Separated root/user.

  • June 17th, 2005 [djensen]: Updated to Pine-4.63. Separated root/user.

  • June 16th, 2005 [djensen]: Updated to Gnet-2.0.7. Added alternate gtk-doc/html doc install directory.

  • June 16th, 2005 [djensen]: Added document installation to W3m, separated user/root commands in W3m, Pan, Balsa, Compface, Fetchmail, Mutt, Slrn, Net-tools, NTP and Enscript.

  • June 15th, 2005 [djensen]: Updated to Hd2u-1.0.0. Separated user and root commands.

  • June 15th, 2005 [djensen]: Separated user/root instructions and/or updated Installed Directories for Libao, Libmpeg123, Libmad, OpenQuicktime, libFAME, Speex, Libdvdread, FLAC, Gst-plugins, Libcroco, Libesmtp, Libungif, MC, GSview, AAlib and Rep-gtk

  • June 15th, 2005 [djensen]: Updated to Avifile-0.7-0.7.43. removed pc sed.

  • June 15th, 2005 [djensen]: Removed --mandir configure switch from Dhcpcd.

  • June 15th, 2005 [archaic]: Updated to vsftpd-2.0.3.

  • June 14th, 2005 [djensen]: Added 8 plugin links and a python version sed to Abiword.

  • June 14th, 2005 [bdubbs]: Updated to autofs-4.1.4.

  • June 13th, 2005 [djensen]: Updated to PostgreSQL-8.0.3. Added testsuite command.

  • June 13th, 2005 [randy]: Modified installation path of GNOME-1.4 libraries to /opt/gnome-1.4.

  • June 13th, 2005 [djensen]: Added a2ps instructions to install the downloaded fonts. Added possible testsuite.

  • June 12th, 2005 [bdubbs]: Corrected startup scripts. Removed xterm-title and substituted extra-prompt.sh.

  • June 12th, 2005 [bdubbs]: Changed location of ispell dictionaries to /usr/share/ispell.

  • June 12th, 2005 [djensen]: Simplified the PSUtils build instructions. Separated user and root instructions.

  • June 12th, 2005 [bdubbs]: Updated to thunderbird-1.0.2 and fixed problem in the installation of thunderbird's defaults directory.

  • June 12th, 2005 [bdubbs]: Added instruction to make rc.iptables executable in firewalling section.

  • June 12th, 2005 [bdubbs]: Updated cpio instructions to ensure LSB testsuites pass internationalization tests.

  • June 12th, 2005 [djensen]: Updated to Links-2.1pre17. Added SDL to optional dependencies. Separated user and root instructions.

  • June 12th, 2005 [randy]: Added new package FriBidi-0.10.5.

  • June 11th, 2005 [djensen]: Updated to AbiWord-2.2.8, build instructions altered to build and install plugins.

  • June 10th, 2005 [djensen]: Fixed md5sum joe-3.3. Completed XFree86 update to 4.5.0

  • June 10th, 2005 [randy]: Added additional optional dependencies to the Bluefish instructions.

  • June 10th, 2005 [djensen]: Updated to joe-3.3.

  • June 8th, 2005 [randy]: Updated to PCRE-6.0 using a patch submitted by David Jensen; added documentation installation to the Imlib instructions.

  • June 6th, 2005 [randy]: Added a note to the Samba instructions about unprivileged users mounting SMB shares; updated JDK binary version to 1.5.0_03; updated to ZSH-4.2.5; added installation of documentation to the PCRE instructions, suggested by David Jensen.

  • June 6th, 2005 [bdubbs]: Updated bind and bind-utils sections to version 9.3.1.

  • June 5th, 2005 [randy]: Removed "which" as a dependency of DocBook-utils and created a note saying it must be installed; clarified why 'yes' is piped to 'make config' in the introduction of the installation section of Net-Tools (fixes bug #1259).

  • June 5th, 2005 [randy]: Created Samba client instruction page, suggested by Alexander Patrakov; added additional configuration text to the Samba server instructions, submitted by Alexander Patrakov; added SWAT (without Stunnel) configuration instructions to the Samba server instructions, suggested by Jim Gifford; removed Stunnel and added XFS as dependencies of the Samba package; added instructions to create a nobody user in the Samba server bootscript installation section, suggested by Frank Olschewski.

  • June 5th, 2005 [bdubbs]: Integrated system uid and gid values into individual packages.

  • June 5th, 2005 [bdubbs]: Added bluefish-1.0.1 from patch provided by theOldFellow.

  • June 4th, 2005 [randy]: Standardized the creation of the nobody user (without a valid login shell) in the NFS Utilities and Postfix instructions.

  • June 3rd, 2005 [randy]: Updated Samba configuration information as suggested by Alexander Patrakov (fixes bug #1386); Updated to rsync-2.6.5 and OpenSSH-4.1p1.

  • June 3rd, 2005 [igor]: Updated to ImageMagick-6.2.3-0.

  • June 1st, 2005 [randy]: Updated to Galeon-1.3.21, Sysstat-6.0.0, HTML Tidy-050531, Whois-4.7.5 and Tcsh-6.14.00; moved installation of tcsh to /bin instead of /usr/bin and updated /etc/shells during the Tcsh installation.

  • May 31st, 2005 [bdubbs]: Added section explaining system user and group numerical assignments.

  • May 31st, 2005 [randy]: Removed the explicit path from the GDM bootscript commands and updated the GDM instructions to include a note to update the script if $GNOME_PREFIX is non-standard; updated bootscripts to version 20050531.

  • May 30th, 2005 [randy]: Updated to GDM-2.6.0.9, GNOME Speech-0.3.7, Gnopernicus-0.10.9 and GOK-1.0.4; added new package libexif-0.6.12; moved libexif to a required dependency of Nautilus.

  • May 29th, 2005 [bdubbs]: Updated to Firefox-1.0.4.

  • May 29th, 2005 [bdubbs]: Updated to Mozilla-1.7.8.

  • May 29th, 2005 [randy]: Updated to Gnumeric-1.4.3 and changed the installation path to /usr (thanks to Bruce Dubbs, David Jensen and Jody Goldberg for their input); added popt to the libgnomeprint dependencies, suggested by David Jensen; updated to GNOME Magnifier-0.12.1.

  • May 28th, 2005 [randy]: Updated to Ethereal-0.10.11, reported by Matthias Berndt.

  • May 27th, 2005 [igor]: Updated to GIMP-2.2.7.

  • May 25th, 2005 [randy]: Updated installation commands in the FreeTTS instructions.

  • May 23rd, 2005 [randy]: Updated to libgail-gnome-1.1.1 and Java Access Bridge-1.4.5.

  • May 22nd, 2005 [randy]: Added new package FreeTTS-1.2.1.

  • May 22nd, 2005 [manuel]: Finished the book sources retagging and indentation to match current template.xml.

  • May 19th, 2005 [randy]: Updated to GnomeMeeting-1.2.1.

  • May 18th, 2005 [archaic]: GPM: Moved the LDFLAGS option from the configure command to the make command as libm wasn't being properly pulled into the environment.

  • May 18th, 2005 [randy]: Fixed documentation installation command in the EsounD instructions, suggested by David Jensen; fixed skin file MD5sum in the MPlayer instructions, suggested by Zibeli Aton.

  • May 18th, 2005 [randy]: Updated to GConf Editor-2.10.0, GNOME Netstatus-2.10.0, gcalctool-5.5.42, GPdf-2.10.0 and Zenity-2.10.0; commented out the Nautilus Media package from inclusion in the book.

  • May 17th, 2005 [randy]: Updated to GNOME System Monitor-2.10.1, bug-buddy-2.10.0, EOG-2.10.0, AT SPI-1.6.4, gtksourceview-1.2.0, gedit-2.10.2, GGV-2.8.4 and File Roller-2.10.3.

  • May 16th, 2005 [randy]: Added new package gnome-audio-2.0.0; updated to GNOME Utils-2.10.1 and GNOME Games-2.10.1.

  • May 15th, 2005 [randy]: Updated to Evolution-2.2.2, Epiphany-1.6.2, Nautilus CD Burner-2.10.1 and GNOME Media-2.10.2.

  • May 12th, 2005 [randy]: Updated to GAL-2.4.2 and GtkHTML-3.6.2.

  • May 11th, 2005 [manuel]: Fixed a typo in JDK, reported by William Harrington.

  • May 11th, 2005 [randy]: Updated to libgnomecups-0.2.0, libgnomeprint-2.10.3, libgnomeprintui-2.10.2, Evolution Data Server-1.2.2 and gucharmap-1.4.3.

  • May 11th, 2005 [randy]: Updated all the GNOME-2 core package instructions to the GNOME 2.10.1 release (ORBit-2.12.2, libbonobo-2.8.1, GConf-2.10.0, GNOME VFS-2.10.1, libgnome-2.10.0, libgnomecanvas-2.10.0, libbonoboui-2.8.1, GNOME Icon Theme-2.10.1, gnome-keyring-0.4.2, libgnomeui-2.10.0, GTK Engines-2.6.3, GNOME Themes-2.10.1, GNOME Desktop-2.10.1, libwnck-2.10.0, GNOME Panel-2.10.1, GNOME Session-2.10.0, VTE-0.11.13, GNOME Terminal-2.10.0, LibGTop-2.10.1, GAIL-1.8.3, GNOME Applets-2.10.1, EEL-2.10.1, Nautilus-2.10.1, GNOME Doc Utils-0.2.0, libgtkhtml-2.6.3, Yelp-2.6.5 and Control Center-2.10.1). Many of the add-on packages build with existing instructions, however, all of them will be updated ASAP.

  • May 11th, 2005 [randy]: Added three new GNOME-2 packages: gnome-menus-2.10.1, gnome-backgrounds-2.10.1 and system-tools-backends-1.2.0.

  • May 10th, 2005 [randy]: Increment BLFS Bootscripts version to 20050509.

  • May 9th, 2005 [igor]: Updated to MySQL-4.1.11.

  • May 8th, 2005 [randy]: Updated to Metacity-2.10.1; updated XScreenSaver dependencies and build instructions.

  • May 6th, 2005 [randy]: Updated to GIMP-2.2.6 and gst-plugins-0.8.8; removed the --disable-docs-build switch from the GStreamer instructions, suggested by Matthew Burgess.

  • May 5th, 2005 [manuel]: Shortened the Tidy documentation generation commands.

  • May 5th, 2005 [dj]: Removed bad MANPATH variable from JDK instructions and fixed CLASSPATH for spaces in filenames.

  • May 4th, 2005 [igor]: Updated to Fcron-2.9.6.

  • May 4th, 2005 [randy]: Updated to GStreamer-0.8.10.

  • May 3rd, 2005 [randy]: Updated to CVS-1.11.20 and HTML Tidy-050502; added MPlayer to the list of FFmpeg's dependencies as it can utilize the shared post-processing library.

  • May 2nd, 2005 [randy]: Updated to xine Libraries-1.0.1.

  • May 1st, 2005 [randy]: Updated to MPlayer-1.0pre7; added a sed command to the FFmpeg instructions to fix an issue on MMX capable machines.

  • April 29th, 2005 [bdubbs]: Update to aRts 1.4, kde 3.4, and kdevelop 3.2.

  • April 28th, 2005 [dj]: Added doublefree patch to OOo instructions, corrected gcc patch and libmawt symlink. Added a description for javaws to JDK instructions.

  • April 28th, 2005 [randy]: Added documentation installation to the id3lib instructions.

  • April 27th, 2005 [randy]: Updated to FLAC-1.1.2, libdv-0.104 and XviD-1.0.3; added Doxygen dependency and documentation installation to the libdvdcss instructions; added documentation installation to the liba52 instructions.

  • April 26th, 2005 [randy]: Updated to GStreamer-0.8.9 and libao-0.8.6; added a download URL to the PassiveTeX dependency in the libvorbis instructions; added installation of HTML documentation to the SDL and libmikmod instructions.

  • April 24th, 2005 [dj]: Updated to JDK-1.5.0, added gcc-3.4.2+ and jdk-1.5.0 patches to OpenOffice, and added jdk-1.5.0 patch for fop.

  • April 24th, 2005 [randy]: Fixed incorrect path pointing to the documentation in the Cyrus-SASL configuration section and incorrect library versions in the chmod commands in the OpenLDAP instructions, both pointed out by syaodzir; added documentation installation to the startup-notification instructions.

  • April 23rd, 2005 [bdubbs]: Updated to nfs-utils-1.0.7. Added comments about user nobody and pointed to section on netfs.

  • April 23rd, 2005 [randy]: Updated to librsvg-2.9.5.

  • April 22nd, 2005 [randy]: Updated to Firefox-1.0.3, libgsf-1.11.1, libglade-2.5.1 and Mozilla-1.7.7; added instructions to Firefox and Mozilla to utilize the JDK Java plugin.

  • April 21st, 2005 [bdubbs]: Upgraded to xscreensaver-4.21.

  • April 21st, 2005 [bdubbs]: Added patch to libmikmod.

  • April 20th, 2005 [bdubbs]: Updated qt instructions to eliminate an unnecessary copy procedure and fixed qmake.conf adjustment.

  • April 20th, 2005 [randy]: Updated to Doxygen-1.4.2.

  • April 19th, 2005 [randy]: Updated to NAS-1.7.

  • April 19th, 2005 [bdubbs]: Updated to qt-3.3.4; fixed some configuration problems with build method 1.

  • April 18th, 2005 [randy]: Updated to shared-mime-info-0.16, hicolor-icon-theme-0.8 and GnuPG-1.4.1.

  • April 17th, 2005 [randy]: Updated to LessTif-0.94.4, intltool-0.33 and Module-Info-0.27 (Perl module); added an "Other Window Managers" section to Chapter 27.

  • April 17th, 2005 [manuel]: Updated the stylesheets to use DocBook-XSL 1.68.1.

  • April 15th, 2005 [randy]: Updated to libsoup-2.2.3, Samba-3.0.14a and libmng-1.0.9; added documentation installation commands to the LZO instructions; added a patch to fix a build issue and documentation installation commands to the lcms instructions.

  • April 14th, 2005 [randy]: Updated to libxklavier-2.0 and pkgconfig-0.17.2.

  • April 13th, 2005 [randy]: Updated to Glib-2.6.4, GTK+-2.6.7, Whois-4.7.2, Imlib2-1.2.0 and libart_lgpl-2.3.17; added documentation installation commands to the giflib and libungif instructions.

  • April 12th, 2005 [randy]: Updated to Samba-3.0.13 and pkgconfig-0.17.1.

  • April 12th, 2005 [bdubbs]: Finish server reorganization. Moved php to Programming and NFS to Major Servers.

  • April 12th, 2005 [bdubbs]: Major reorganization of server sections. Consolidated 'Server Networking' and 'Content Serving'.

  • April 11th, 2005 [dj]: Added 'Additional X Windows Configuration' page.

  • April 11th, 2005 [randy]: Updated to Nail-11.22, Guile-1.6.7 and Subversion-1.1.4; moved Guile instructions from 'Chapter 8 - General Libraries' to 'Chapter 12 - Programming'.

  • April 10th, 2005 [randy]: Updated to NASM-0.98.39 and Sendmail-8.13.4.

  • April 10th, 2005 [igor]: Updated to libIDL-0.8.5 and Firefox-1.0.2.

  • April 9th, 2005 [randy]: Updated to PHP-5.0.4.

  • April 8th, 2005 [randy]: Updated to PostgreSQL-8.0.1 and Aspell-0.60.2.

  • April 7th, 2005 [randy]: Updated the JadeTex instructions to work with Tex-3.0, contributed by Steffen Knollmann.

  • April 6th, 2005 [igor]: Updated to ATK-1.9.1.

  • April 6th, 2005 [randy]: Updated to MySQL-4.1.10a and TeX-3.0.

  • April 5th, 2005 [randy]: Added a note to the GCC-3.4.3 instructions to install a missing interface header file.

  • April 4th, 2005 [randy]: Updated to OpenLDAP-2.2.24, Stunnel-4.09, GTK-Doc-1.3 and OpenSSH-4.0p1; added a command to the cURL instructions to fix a broken test script.

  • April 4th, 2005 [igor]: Updated to OpenSSL-0.9.7f contributed by Anderson Lizardo.

  • April 3rd, 2005 [manuel]: Updated the XML sources to use DocBook XML DTD-4.4.

  • April 3rd, 2005 [randy]: Updated to libxslt-1.1.14.

  • April 2nd, 2005 [randy]: Added which as a required dependency of DocBook-utils, reported by Andrew Benton; updated to libxml2-2.6.19.

  • April 1st, 2005 [randy]: Updated to DocBook XML DTD-4.4 and DocBook XSL Stylesheets-1.68.1.

  • March 31st, 2005 [bdubbs]: Updated the install instructions for xinetd to use /etc/xinetd.d/ directory structure. Patch by John Gnew.

  • March 31st, 2005 [randy]: Updated to libxml2-2.6.18 and libxslt-1.1.13.

  • March 30th, 2005 [randy]: Updated to libusb-0.1.10a and Python-2.4.1.

  • March 29th, 2005 [randy]: Updated to DocBook DSSSL Stylesheets-1.79 (with rewrite of instructions); fixed deprecated tar option in Vim instructions; added a note to the Fontconfig instructions to have the SGMLSpm Perl module installed if DocBook-utils is installed.

  • March 28th, 2005 [randy]: Updated to DocBook-SGML-DTD-4.4; added manpage installation to OpenJade instructions, suggested by Andrew Benton.

  • March 27th, 2005 [randy]: Updated to libtiff-3.7.2, pkgconfig-0.16.0 and ALSA-1.0.8.

  • March 26th, 2005 [randy]: Updated to HTML Tidy-050324 and UnZip-5.52.

  • March 25th, 2005 [randy]: Updated to GCC-3.4.3.

  • March 24th, 2005 [randy]: Updated to Sysstat-5.1.5, Fontconfig-2.3.1 and Expect-5.43.0; added a note to the Tk instructions about running the test suite.

  • March 23rd, 2005 [randy]: Updated to Shadow-4.0.7; added security patch to Vim instructions; added daemon fixes patch to Inetutils instructions.

  • March 22nd, 2005 [randy]: Added the installation of documentation to the Linux-PAM instructions.

  • March 21st, 2005 [larry]: Updated to emacs-21.4a.

  • March 18th, 2005 [randy]: Added a sed command to the Zip instructions to fix an installation problem, suggested by Matthew Burgess.

  • March 17th, 2005 [bdubbs]: Released Version 6.0-pre1.

Mailing Lists

The linuxfromscratch.org server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.

For more information regarding which lists are available, how to subscribe to them, archive locations, etc. visit http://www.linuxfromscratch.org/mail.html.

News Server

All the mailing lists hosted at linuxfromscratch.org are also accessible via the NNTP server. All messages posted to a mailing list will be copied to its correspondent newsgroup. Note, however, that as this is written, it is not possible to write to the mailing lists via the NNTP service.

The news server can be reached at news.linuxfromscratch.org.

Asking for Help and the FAQ

If you encounter a problem while using this book, and your problem is not listed in the FAQ (http://www.linuxfromscratch.org/faq), you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.

Things to Check Prior to Asking

Before asking for help, you should review the following items:

  • Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modules.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the syslog.log or run modprobe [driver] to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.

  • Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -G audio [user] may be all that's necessary for that user to have access to the sound system (note that -G sets the user's complete list of supplementary groups, so include any groups the user already belongs to). Any question that starts out with “It works as root, but not as ...” requires a thorough review of permissions prior to asking.

  • BLFS liberally uses /opt/[package]. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called “Going Beyond BLFS” is available to help you check.

Things to Mention

Apart from a brief explanation of the problem you're having, the essential things to include in your request are:

  • the version of the book you are using (being 6.1),

  • the package or section giving you problems,

  • the exact error message or symptom you are receiving,

  • whether you have deviated from the book or LFS at all.

(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)

Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research was done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.

An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at http://www.catb.org/~esr/faqs/smart-questions.html. Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.

Contact Information

Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.

The current BLFS maintainer is Bruce Dubbs. If you need to reach Bruce, send an email to bdubbs@linuxfromscratch.org.

Chapter 2. Important Information

Package Management

Package Management is an often requested addition to the LFS Book. A Package Manager allows tracking the installation of files making it easy to remove and upgrade packages. And before you begin to wonder, NO—this section does not talk about any particular package manager, nor does it recommend one. What it provides is a roundup of the more popular techniques and how they work. The perfect package manager for you may be among these techniques or may be a combination of two or more of these techniques. This section briefly mentions issues that may arise when upgrading packages.

Some reasons why no package manager is mentioned in LFS or BLFS:

  • Dealing with package management takes the focus away from the goals of these books—teaching how a Linux system is built.

  • There are multiple solutions for package management, each having its strengths and drawbacks. Including one that satisfies all audiences is difficult.

There are some hints written on the topic of package management. Visit the Hints subproject to find if one of them fits your need.

Upgrade Issues

A Package Manager makes it easy to upgrade to newer versions when they are released. Generally the instructions in the LFS and BLFS Book can be used to upgrade to the newer versions. Here are some points that you should be aware of when upgrading packages, especially on a running system.

  • If one of the toolchain packages (Glibc, GCC or Binutils) needs to be upgraded to a newer minor version, it is safer to rebuild LFS. Though you may be able to get by rebuilding all the packages in their dependency order, we do not recommend it. For example, if glibc-2.2.x needs to be updated to glibc-2.3.x, it is safer to rebuild. For micro version updates, a simple reinstallation usually works, but is not guaranteed. For example, upgrading from glibc-2.3.4 to glibc-2.3.5 will not usually cause any problems.

  • If a package containing a shared library is updated, and if the name of the library changes, then all the packages dynamically linked to the library need to be recompiled to link against the newer library. (Note that there is no correlation between the package version and the name of the library.) For example, consider a package foo-1.2.3 that installs a shared library with name libfoo.so.1. Say you upgrade the package to a newer version foo-1.2.4 that installs a shared library with name libfoo.so.2. In this case, all packages that are dynamically linked to libfoo.so.1 need to be recompiled to link against libfoo.so.2. Note that you should not remove the previous libraries until the dependent packages are recompiled.

  • If you are upgrading a running system, be on the lookout for packages that use cp instead of install to install files. The latter command is usually safer if the executable or library is already loaded in memory.

Package Management Techniques

The following are some common package management techniques. Before making a decision on a package manager, do some research on the various techniques, particularly the drawbacks of the particular scheme.

It is All in My Head!

Yes, this is a package management technique. Some folks do not find the need for a package manager because they know the packages intimately and know what files are installed by each package. Some users also do not need any package management because they plan on rebuilding the entire system when a package is changed.

Install in Separate Directories

This is a simplistic package management technique that does not need any extra package to manage the installations. Each package is installed in a separate directory. For example, package foo-1.1 is installed in /usr/pkg/foo-1.1 and a symlink is made from /usr/pkg/foo to /usr/pkg/foo-1.1. When installing a new version foo-1.2, it is installed in /usr/pkg/foo-1.2 and the previous symlink is replaced by a symlink to the new version.

The environment variables such as those mentioned in the section called “Going Beyond BLFS” need to be expanded to include /usr/pkg/foo. For more than a few packages, this scheme becomes unmanageable.

Symlink Style Package Management

This is a variation of the previous package management technique. Each package is installed as in the previous scheme. But instead of making the symlink, each file is symlinked into the /usr hierarchy. This removes the need to expand the environment variables. Though the symlinks can be created by the user, many package managers have been written to automate their creation using this approach. A few of the popular ones are Stow, Epkg, Graft, and Depot.

The installation needs to be faked, so that the package thinks that it is installed in /usr though in reality it is installed in the /usr/pkg hierarchy. Installing in this manner is not usually a trivial task. For example, consider that you are installing a package libfoo-1.1. The following instructions may not install the package properly:

./configure --prefix=/usr/pkg/libfoo/1.1
make
make install

The installation will work, but the dependent packages may not link to libfoo as you would expect. If you compile a package that links against libfoo, you may notice that it is linked to /usr/pkg/libfoo/1.1/lib/libfoo.so.1 instead of /usr/lib/libfoo.so.1 as you would expect. The correct approach is to use the DESTDIR strategy to fake installation of the package. This approach works as follows:

./configure --prefix=/usr
make
make DESTDIR=/usr/pkg/libfoo/1.1 install

Most of the packages do support this approach, but there are some which do not. For the non-compliant packages, you may either need to manually install the package, or you may find that it is easier to install some problematic packages into /opt.

Timestamp Based

In this technique, a file is timestamped before the installation of the package. After the installation, a simple use of the find command with the appropriate options can generate a log of all the files installed after the timestamp file was created. A package manager written with this approach is install-log.

Though this scheme has the advantage of being simple, it has two drawbacks. If during installation, the files are installed with any timestamp other than the current time, those files will not be tracked by the package manager. Also, this scheme can only be used when one package is installed at a time. The logs are not reliable if two packages are being installed on two different consoles.
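
The timestamp technique and its first drawback can be reproduced in a scratch directory. The script below is an added example, not part of the BLFS book or of install-log; the directory layout, the file names and the helper functions list_installed and build_demo_tree are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the BLFS book): timestamp-based install logging.
# Every path and file name below is constructed for the demonstration.

# list_installed STAMP ROOT
# Print, relative to ROOT, every regular file modified after STAMP.
list_installed() {
    ( cd "$2" && find . -type f -newer "$1" | sort )
}

# build_demo_tree
# Create a scratch "system root", fake an installation into it, and print
# the scratch directory so the caller can inspect and remove it.
build_demo_tree() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/root/bin" "$work/root/share" "$work/src"

    # A file that was on the system before the package was installed.
    echo "old" > "$work/root/bin/existing"
    touch -t 200501010000 "$work/root/bin/existing"

    # Unpacked source tree: tar restores the upstream mtime on foo.dat.
    echo "#!/bin/sh" > "$work/src/foo"
    echo "data" > "$work/src/foo.dat"
    touch -t 200501010000 "$work/src/foo.dat"

    # Step 1: create the timestamp file, then wait so that later writes
    # are strictly newer even on filesystems with one-second timestamps.
    touch "$work/stamp"
    sleep 1

    # Step 2: the "installation". The first copy gets the current time;
    # the second preserves the 2005 mtime, as cp -p or install -p would.
    cp "$work/src/foo" "$work/root/bin/foo"
    cp -p "$work/src/foo.dat" "$work/root/share/foo.dat"

    echo "$work"
}

demo=$(build_demo_tree) || exit 1
echo "Files logged for the package:"
list_installed "$demo/stamp" "$demo/root"
echo "Files actually installed:"
( cd "$demo/root" && find . -type f ! -name existing | sort )
rm -rf "$demo"
```

The log contains only ./bin/foo, although ./share/foo.dat was installed as well. Removing or auditing the package from such a log would leave that file behind unnoticed.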

LD_PRELOAD Based

In this approach, a library is preloaded before installation. During installation, this library tracks the packages that are being installed by attaching itself to various executables such as cp, install, mv and tracking the system calls that modify the filesystem. For this approach to work, all the executables need to be dynamically linked without the suid or sgid bit. Preloading the library may cause some unwanted side-effects during installation. Therefore, do perform some tests to ensure that the package manager does not break anything and logs all the appropriate files.

Creating Package Archives

In this scheme, the package installation is faked into a separate tree as described in the Symlink style package management. After the installation, a package archive is created using the installed files. This archive is then used to install the package on the local machine, and it can also be used to install the package on other machines.

This approach is used by most of the package managers found in the commercial distributions. Examples of package managers that follow this approach are RPM, pkg-utils, Debian's apt, and Gentoo's Portage system.

User Based Management

This scheme, unique to LFS, was devised by Matthias Benkmann, and is available from the Hints Project. In this scheme, each package is installed as a separate user into the standard locations. Files belonging to a package are easily identified by checking the user ID. The features and shortcomings of this approach are too complex to describe in this section. For the details please see the hint at http://www.linuxfromscratch.org/hints/downloads/files/more_control_and_pkg_man.txt.

Notes on Building Software

Those people who have built an LFS system will be aware of the general principles of downloading and unpacking software. We will however repeat some of that information here for those new to building their own software.

Each set of installation instructions contains a URL from which you can download the package. We do however keep a selection of patches available via HTTP. These are referenced as needed in the installation instructions.

While you can keep the source files anywhere you like, we assume that you have unpacked them and unzipped any required patches into /usr/src.

We cannot emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.

Building Software as an Unprivileged (non-root) User

The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.

Unpacking the Software

If a file is in .tar format and compressed, it is unpacked by running one of the following commands:

tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2

Note

You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.

You can also use a slightly different method:

bzcat filename.tar.bz2 | tar -xv

Finally, you sometimes need to be able to unpack patches which are generally not in .tar format. The best way to do this is to copy the patch file to /usr/src and then run one of the following commands depending on whether the file is a .gz or .bz2 file:

gunzip -v patchname.gz
bunzip2 -v patchname.bz2

Verifying File Integrity Using 'md5sum'

Generally, to verify that the downloaded file is genuine and complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:

md5sum -c file.md5sum

If there are any errors, they will be reported. Note that the BLFS book also includes md5sums for all the source files. To use the BLFS-supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternatively, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.

md5sum [name_of_downloaded_file]

Creating Log Files During Installation

For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace [command] with the command you intend to execute.

( [command] 2>&1 | tee compile.log && exit $PIPESTATUS )

2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the [command] is returned as the result and not the result of the tee command.
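The following sketch is an added example, not part of the BLFS book. It runs a constructed failing command through the logging wrapper with and without exit $PIPESTATUS to show which exit status the caller receives. The function names run_logged and run_logged_naive are hypothetical, and the wrapper is started through bash explicitly because PIPESTATUS is a bash feature.

```shell
#!/bin/sh
# Added example (not from the BLFS book).

# run_logged LOGFILE COMMAND [ARGS...]
# The wrapper described above: output is shown and logged, and the exit
# status of COMMAND (not of tee) is returned to the caller.
run_logged() {
    bash -c 'log=$1; shift
             ( "$@" 2>&1 | tee "$log" && exit $PIPESTATUS )' run_logged "$@"
}

# run_logged_naive LOGFILE COMMAND [ARGS...]
# The same pipeline without "exit $PIPESTATUS": the status returned is
# that of tee, so a failed COMMAND looks like a success.
run_logged_naive() {
    bash -c 'log=$1; shift
             ( "$@" 2>&1 | tee "$log" )' run_logged_naive "$@"
}

# Constructed stand-in for a build step that writes to stdout and stderr
# and then fails with status 2.
FAKE_BUILD='echo "compiling foo.c"; echo "foo.c:1: error: constructed failure" >&2; exit 2'

demo_log=$(mktemp)
run_logged "$demo_log" sh -c "$FAKE_BUILD" >/dev/null
echo "with exit \$PIPESTATUS:    status $?"
run_logged_naive "$demo_log" sh -c "$FAKE_BUILD" >/dev/null
echo "without exit \$PIPESTATUS: status $?"
echo "log contents:"
cat "$demo_log"
rm -f "$demo_log"
```

A script that chains the build and install steps with && only stops at a failed build when the wrapper passes the real status through.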

The /usr Versus /usr/local Debate

Should I install XXX in /usr or /usr/local?

This is a question without an obvious answer for an LFS based system.

In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.

With Linux distributions such as Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.

LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.

  • On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.

  • On a network of several computers all running an identical LFS system /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.

  • Even on a single computer /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.

  • Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.

Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?

There is nothing stopping you, and many sites do make their own trees; however, it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file an installer is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.

What is the BLFS position on this?

All of the BLFS instructions install programs in /usr with optional instructions to install into /opt for some specific packages.

Optional Patches

As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that meet one of the following criteria:

  • Fixes a compilation problem.

  • Fixes a security problem.

  • Fixes broken functionality.

In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.

BLFS Boot Scripts

The BLFS Bootscripts package contains the init scripts that are used throughout the book. It is assumed that you will be using the BLFS Bootscripts package in conjunction with a compatible LFS-Bootscripts package. Refer to ../../../../lfs/view/stable/chapter07/bootscripts.html for more information on the LFS-Bootscripts package.

The BLFS Bootscripts package will be used throughout the BLFS book for startup scripts. Unlike LFS, each init script has a separate install target in the BLFS Bootscripts package. It is recommended you keep the package source directory around until completion of your BLFS system. When a script is requested from BLFS Bootscripts, simply change to the directory and as the root user, execute the given make install-[init-script] command. This command installs the init script to its proper location (along with any auxiliary configuration scripts) and also creates the appropriate symlinks to start and stop the service at the appropriate run-level.

Note

It is advisable to peruse each bootscript before installation to ascertain that it satisfies your need. Also verify that the start and stop symlinks it creates match your preferences.

Going Beyond BLFS

The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.

When you want to install a package to a location other than /, or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.

  • Expand the PATH to include $PREFIX/bin.

  • Expand the PATH for root to include $PREFIX/sbin.

  • Add $PREFIX/lib to /etc/ld.so.conf or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out http://www.visi.com/~barr/ldpath.html. If you modify /etc/ld.so.conf, remember to update /etc/ld.so.cache by executing ldconfig as the root user.

  • Add $PREFIX/man to /etc/man.conf or expand MANPATH.

  • Add $PREFIX/info to INFOPATH.

  • Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH.

  • Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.

If you are in search of a package that is not in the book, the following are different ways you can search for the concerned package.

Some general hints on handling new packages:

  • Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.

  • Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.

  • If you are having a problem compiling the package, try searching the lfs archives at http://search.linuxfromscratch.org/ for the error or if that fails try searching Google. If everything else fails, try the blfs-support mailing-list/news-group.

Tip

If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz that are available at http://downloads.linuxfromscratch.org/deb2targz.tar.bz2 and http://downloads.linuxfromscratch.org/rpm2targz.tar.bz2 to convert the archives into a simple tar.gz format.

Post LFS Configuration and Extra Software

Chapter 3. After LFS Configuration Issues

The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.

Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.

The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Then the system is configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.

The remaining topics, Customizing your Logon with /etc/issue, The /etc/shells File, Random number generation, Compressing man and info pages, autofs-4.1.4, and Configuring for Network Filesystems are then addressed, in that order. They don't have much interaction with the other topics in this chapter.

Creating a Custom Boot Device

Decent Rescue Boot Device Needs

This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevents it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.

In a modern system, there are many devices that can be used as a rescue device: floppy, cdrom, usb drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, we usually thought of a rescue device as a floppy disk. Today, many systems do not even have a floppy drive.

Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.

Creating a Rescue Floppy

The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at http://www.toms.net/rb/. This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.

Creating a Bootable CD-ROM

There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Mandrake, and SuSE. One very popular option is Knoppix.

In addition, the LFS Community has developed its own Boot CD-ROM available at ftp://anduin.linuxfromscratch.org/isos/. A copy of this CD-ROM is available with the printed version of the Linux From Scratch book. If you download the ISO image, use cdrecord to copy the image to a CD-ROM.

In the future, the build instructions for this CD-ROM will be presented, but they are not available at the time of this writing.

Creating a Bootable USB Drive

A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.

Configuring for Adding Users

Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.

The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.

Useradd

The useradd program uses a collection of default values kept in /etc/default/useradd, if it exists. If this file does not exist, then it uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.

To change these values to something new, create a base /etc/default/useradd file as the root user with the same values as the output of /usr/sbin/useradd -D. Here is a sample:

# Begin /etc/default/useradd

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=
SKEL=/etc/skel

# End /etc/default/useradd

The only thing missing from the file is a default shell. Add that by running the following command as the root user:

/usr/sbin/useradd -D -s/bin/bash

This will set the SHELL= line to SHELL=/bin/bash.

useradd has many parameters that can be set in the /etc/default/useradd file. For more information see man useradd.

/etc/skel

To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.

The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".

You can also put other files in /etc/skel and different permissions may be needed for them.
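The permission rules above can be checked mechanically. The following audit function is an added example, not part of the BLFS book; the name skel_audit and its finding labels are hypothetical, and the expected owner is passed as a numeric uid (default 0, root) so that the check can also be tried on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit a skeleton directory
# against the permission rules described above.

# skel_audit DIR [OWNER_UID]
# OWNER_UID defaults to 0 (root). Prints one finding per line and returns
# 1 if there is any finding, 0 if the tree is clean, 2 if DIR is missing.
skel_audit() {
    skel_dir=$1
    skel_owner=${2:-0}
    [ -d "$skel_dir" ] || { echo "not a directory: $skel_dir" >&2; return 2; }

    skel_findings=$(
        # Directory owned by someone other than the administrator.
        find "$skel_dir" -prune ! -user "$skel_owner" -print |
            sed 's/^/wrong-owner: /'
        # Directory writable by group (020) or other (002).
        find "$skel_dir" -prune \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/dir-writable: /'
        # Files writable by group or other.
        find "$skel_dir" -type f \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/file-writable: /'
        # Files readable by group (040) or other (004).
        find "$skel_dir" -type f \( -perm -040 -o -perm -004 \) -print |
            sed 's/^/file-readable: /'
    )

    [ -z "$skel_findings" ] && return 0
    printf '%s\n' "$skel_findings"
    return 1
}

# Constructed sample tree: one file with mode 600, one left at mode 644.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
: > "$demo_dir/.bashrc"; chmod 600 "$demo_dir/.bashrc"
: > "$demo_dir/.vimrc";  chmod 644 "$demo_dir/.vimrc"
skel_audit "$demo_dir" "$(id -u)"
echo "skel_audit returned $?"
rm -rf "$demo_dir"
```

On a real system, run skel_audit /etc/skel as root; a file-readable or file-writable finding is cleared with chmod go-rw on the named file.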

Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.

The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.

You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just send the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.

When Adding a User

When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):

useradd -m [newuser]

About System Users and Groups

Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.

Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 100. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.

Additionally, the Linux Standards Base recommends that system uid and gid values should be below 100.

Below is a table of suggested uid/gid values used in BLFS. These can be changed as desired, but provide a suggested set of consistent values.

Table 3.1. UID/GID Suggested Values

Name uid gid
bin 1 1
lp 9
usb 14
named 20 20
gdm 21 21
fcron 22 22
apache 25 25
smmsp 26 26
exim 31 31
postfix 32 32
postdrop 33
sendmail 34
mail 34
vmailman 35 35
news 36 36
mysql 40 40
postgres 41
ftp 45 45
proftpd 46 46
vsftpd 47 47
rsyncd 48 48
sshd 50 50
stunnel 51 51
svn 56 56
svntest 57
games 60 60
anonymous 98
nobody 99
nogroup 99

One value that is missing is 65534. This value is customarily assigned to the user nobody and group nogroup and is unnecessary. The issue is explained in more detail in the first note in the NFS Utilities Installation section.

The Bash Shell Startup Files

The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.

An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile upon startup.

An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$/bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.

A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.

The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.

Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.

For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.

Note

Most of the instructions below are used to create files located in the /etc directory structure, which requires you to execute the commands as the root user. If you elect to create the files in users' home directories instead, you should run the commands as an unprivileged user.

/etc/profile

Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.

For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.

cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# modifications by Dagmar d'Surreal <rivyqntzne@pbzpnfg.arg>

# System wide environment variables and startup programs.

# System wide aliases and functions should go in /etc/bashrc.  Personal
# environment variables and startup programs should go into
# ~/.bash_profile.  Personal aliases and functions should go into
# ~/.bashrc.

# Functions to help us manage paths.  Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
                fi
        done
        export $PATHVARIABLE="$NEWPATH"
}

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}


# Set the initial path
export PATH=/bin:/usr/bin

if [ $EUID -eq 0 ] ; then
        pathappend /sbin:/usr/sbin
        unset HISTFILE
fi

# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"
#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '

for script in /etc/profile.d/*.sh ; do
        if [ -r "$script" ] ; then
                . "$script"
        fi
done

# Now to clean up
unset pathremove pathprepend pathappend

# End /etc/profile
EOF

The /etc/profile.d Directory

Now create the /etc/profile.d directory, where the individual initialization scripts are placed:

install --directory --mode=0755 --owner=root --group=root /etc/profile.d

/etc/profile.d/dircolors.sh

This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.

cat > /etc/profile.d/dircolors.sh << "EOF"
# Setup for /bin/ls to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
        eval $(dircolors -b /etc/dircolors)

        if [ -f "$HOME/.dircolors" ] ; then
                eval $(dircolors -b $HOME/.dircolors)
        fi
fi
alias ls='ls --color=auto'
EOF

/etc/profile.d/extrapaths.sh

This script adds several useful paths to the PATH and PKG_CONFIG_PATH environment variables. If you want, you can uncomment the last section to put a dot at the end of your path. This will allow executables in the current working directory to be executed without specifying a ./ prefix; however, you are warned that this is generally considered a security hazard.

cat > /etc/profile.d/extrapaths.sh << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
        pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
        pathprepend /usr/local/bin
fi
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
        pathprepend /usr/local/sbin
fi
for directory in $(find /opt/*/lib/pkgconfig -type d 2>/dev/null); do
        pathappend $directory PKG_CONFIG_PATH
done
for directory in $(find /opt/*/bin -type d 2>/dev/null); do
        pathappend $directory
done
if [ -d ~/bin ]; then
        pathprepend ~/bin
fi
#if [ $EUID -gt 99 ]; then
#        pathappend .
#fi
EOF
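A dot is not the only way the current working directory ends up in a search path: bash also treats an empty entry (a leading or trailing colon, or two adjacent colons) as the current directory, and any entry that does not start with / is resolved relative to it. The following check is an added example, not part of the BLFS book; the function names path_cwd_entries and path_without_cwd are hypothetical and the sample path strings are constructed.

```shell
#!/bin/sh
# Added example (not from the BLFS book).

# path_cwd_entries PATHSTRING
# Prints every entry of a colon-separated search path that is resolved
# against the current working directory: ".", any other relative name,
# and empty entries (printed as "(empty)"). An empty PATHSTRING counts as
# one empty entry. Returns 1 if at least one such entry exists, else 0.
path_cwd_entries() {
    pce_rest="$1:"      # sentinel colon so a trailing empty entry is seen
    pce_found=0
    while [ -n "$pce_rest" ]; do
        pce_entry=${pce_rest%%:*}
        pce_rest=${pce_rest#*:}
        case $pce_entry in
            '') echo '(empty)'; pce_found=1 ;;
            /*) ;;
            *)  echo "$pce_entry"; pce_found=1 ;;
        esac
    done
    return "$pce_found"
}

# path_without_cwd PATHSTRING
# Prints PATHSTRING with those entries removed, keeping the order of the
# remaining absolute directories.
path_without_cwd() {
    pwc_rest="$1:"
    pwc_out=
    while [ -n "$pwc_rest" ]; do
        pwc_entry=${pwc_rest%%:*}
        pwc_rest=${pwc_rest#*:}
        case $pwc_entry in
            /*) pwc_out=${pwc_out:+$pwc_out:}$pwc_entry ;;
        esac
    done
    printf '%s\n' "$pwc_out"
}

# Constructed sample values, including the forms that are easy to miss.
for sample in '/bin:/usr/bin' '/bin:/usr/bin:.' ':/home/u/bin' \
              '/bin::/usr/bin' 'bin:/usr/bin'; do
    if found=$(path_cwd_entries "$sample"); then
        printf '%-16s clean\n' "$sample"
    else
        printf '%-16s cwd entries: %s; cleaned: %s\n' "$sample" \
            "$(printf '%s' "$found" | tr '\n' ' ')" \
            "$(path_without_cwd "$sample")"
    fi
done
```

Running path_cwd_entries "$PATH" after login shows whether any startup script has introduced such an entry.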

/etc/profile.d/readline.sh

This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.

cat > /etc/profile.d/readline.sh << "EOF"
# Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
        INPUTRC=/etc/inputrc
fi
export INPUTRC
EOF

/etc/profile.d/tinker-term.sh

Some applications need a specific TERM setting to support color.

cat > /etc/profile.d/tinker-term.sh << "EOF"
# This will tinker with the value of TERM in order to convince certain
# apps that we can, indeed, display color in their window.

if [ -n "$COLORTERM" ]; then
  export TERM=xterm-color
fi

if [ "$TERM" = "xterm" ]; then
  export TERM=xterm-color
fi
EOF

/etc/profile.d/umask.sh

Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.

cat > /etc/profile.d/umask.sh << "EOF"
# By default we want the umask to get set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 022
fi
EOF

/etc/profile.d/X.sh

If X is installed, the PATH and PKG_CONFIG_PATH variables are also updated.

cat > /etc/profile.d/X.sh << "EOF"
if [ -x /usr/X11R6/bin/X ]; then
        pathappend /usr/X11R6/bin
fi
if [ -d /usr/X11R6/lib/pkgconfig ] ; then
        pathappend /usr/X11R6/lib/pkgconfig PKG_CONFIG_PATH
fi
EOF

/etc/profile.d/extra-prompt.sh

This script shows an example of a different way of setting the prompt. The normal variable, PS1, is supplemented by PROMPT_COMMAND. If set, the value of PROMPT_COMMAND is executed as a command prior to issuing each primary prompt. The sequence \e is an ESC character. \a is a BEL character. For a reference on xterm escape sequences, see http://rtfm.etla.org/xterm/ctlseq.html.

cat > /etc/profile.d/extra-prompt.sh << "EOF"
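# Single quotes defer expansion, so ${PWD} is evaluated at each prompt
# rather than once when this file is sourced.
PROMPT_COMMAND='echo -ne "\e[1m${USER}@${HOSTNAME} : ${PWD}\e[0m\a"'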
export PROMPT_COMMAND
EOF

The escape sequences above are BOLD, NORMAL, and BEL.

/etc/profile.d/i18n.sh

This script shows how to set some environment variables necessary for native language support. Setting these variables properly gives you:

  • the output of programs translated into your native language

  • correct classification of characters into letters, digits and other classes – this is necessary for Bash to accept keystrokes properly in non-English locales

  • the alphabetical sorting order correct for your country

  • proper default paper size

  • correct formatting of monetary, time and date values

Replace [ll] with the two-letter code for your language (e.g., “en”) and [CC] with the two-letter code for your country (e.g., “GB”). Also you may need to specify (and this is actually the preferred form) your character encoding (e.g., “iso8859-1”) after a dot (so that the result is “en_GB.iso8859-1”). Issue the following command for more information:

man 3 setlocale

The list of all locales supported by Glibc can be obtained by running the following command:

locale -a

After you are sure about your locale settings, create the /etc/profile.d/i18n.sh file:

cat > /etc/profile.d/i18n.sh << "EOF"
# Set up i18n variables
export LC_ALL=[ll]_[CC]
export LANG=[ll]_[CC]
export G_FILENAME_ENCODING=@locale
EOF

The LC_ALL variable sets the same value for all locale categories. For better control, you may prefer to set values individually for all categories listed in the output of the locale command.

The G_FILENAME_ENCODING variable tells applications such as Glib and GTK+ that filenames are in the default locale encoding and not in UTF-8 as assumed by default.

Other Initialization Values

Other initialization can easily be added to the profile by adding additional scripts to the /etc/profile.d directory.

/etc/bashrc

Here is a base /etc/bashrc. Comments in the file should explain everything you need.

cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>

# Make sure that the terminal is set up properly for each shell

if [ -f /etc/profile.d/tinker-term.sh ]; then
  source /etc/profile.d/tinker-term.sh
fi

# System wide aliases and functions.

# System wide environment variables and startup programs should go into
# /etc/profile.  Personal environment variables and startup programs
# should go into ~/.bash_profile.  Personal aliases and functions should
# go into ~/.bashrc

# Provides a colored /bin/ls command.  Used in conjunction with code in
# /etc/profile.

alias ls='ls --color=auto'

# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]

#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '

# End /etc/bashrc
EOF

~/.bash_profile

Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.

cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>

# Personal environment variables and startup programs.

# Personal aliases and functions should go in ~/.bashrc.  System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.

append () {
  # First remove the directory
  local IFS=':'
  local NEWPATH
  for DIR in $PATH; do
     if [ "$DIR" != "$1" ]; then
       NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
     fi
  done

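  # Then append the directory (no leading colon if PATH was empty, since
  # an empty PATH entry means the current directory)
  export PATH="${NEWPATH:+$NEWPATH:}$1"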
}

if [ -f "$HOME/.bashrc" ] ; then
        source $HOME/.bashrc
fi

if [ -d "$HOME/bin" ] ; then
  append $HOME/bin
fi

unset append

# End ~/.bash_profile
EOF

~/.bashrc

Here is a base ~/.bashrc. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.

cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>

# Personal aliases and functions.

# Personal environment variables and startup programs should go in
# ~/.bash_profile.  System wide environment variables and startup
# programs are in /etc/profile.  System wide aliases and functions are
# in /etc/bashrc.

if [ -f "/etc/bashrc" ] ; then
        source /etc/bashrc
fi

# End ~/.bashrc
EOF

~/.bash_logout

This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.

cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>

# Personal items to perform on logout.

# End ~/.bash_logout
EOF

/etc/dircolors

If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above can also be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and ensure the permissions, owner, and group are correct on the files created and/or copied.

dircolors -p > /etc/dircolors

If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.

Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at http://www.caliban.org/bash/index.shtml.

The /etc/vimrc and ~/.vimrc Files

The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially Usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!

The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads /etc/vimrc and ~/.vimrc (i.e., the global vimrc and the user-specific one). Note that this is only true if you compiled vim using LFS-3.1 onwards. Prior to this, the global vimrc was /usr/share/vim/vimrc.

Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.

" Begin .vimrc

set columns=80
set wrapmargin=8
set ruler

" End .vimrc

A FAQ on the LFS mailing lists regards the comment tags in vimrc. Note that they are " instead of the more usual # or //. This is correct; the syntax for vimrc is slightly unusual.

Below you'll find a quick explanation of what each of the options in this example file means:

  • set columns=80: This simply sets the number of columns used on the screen.

  • set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.

  • set ruler: This makes vim show the current row and column at the bottom right of the screen.

More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.

Customizing your Logon with /etc/issue

When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people, however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.

The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file issue.net which can be used when logging on remotely. ssh, however, will only use it if you set the option in the configuration file, and it will not interpret the escape sequences shown below.

One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.

Note

Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC [ 2 J erases the screen. For more information on terminal escape sequences see http://rtfm.etla.org/xterm/ctlseq.html

The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.

The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).

b   Insert the baudrate of the current line.
d   Insert the current date.
s   Insert the system name, the name of the operating system.
l   Insert the name of the current tty line.
m   Insert the architecture identifier of the machine, e.g., i686.
n   Insert the nodename of the machine, also known as the hostname.
o   Insert the domainname of the machine.
r   Insert the release number of the kernel, e.g., 2.6.11.12.
t   Insert the current time.
u   Insert the number of current users logged in.
U   Insert the string "1 user" or "<n> users" where <n> is the
    number of current users logged in.
v   Insert the version of the OS, e.g., the build-date etc.

The /etc/shells File

The shells file contains a list of login shells on the system. Applications use this file to determine whether a shell is valid. For each shell a single line should be present, consisting of the shell's path, relative to the root of the directory structure (/).

For example, this file is consulted by chsh to determine whether an unprivileged user may change the login shell for her own account. If the command name is not listed, the user will be denied the change.

It is a requirement for applications such as GDM, which does not populate the face browser if it can't find /etc/shells, and for FTP daemons, which traditionally disallow access to users with shells not included in this file.

cat > /etc/shells << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF
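Because chsh and FTP daemons decide on the basis of this list, it is useful to see which existing accounts have a shell that is not in it. The following is an added example, not part of BLFS; the function names and the sample accounts are constructed for illustration. Accounts given /bin/false on purpose will appear in the output, which is the intended way to keep them out of FTP.

```shell
#!/bin/sh
# Added illustration: report accounts whose login shell is not listed in
# the shells file.  Function names and sample data are assumptions.

# invalid_login_shells PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for each account whose shell is not listed.
invalid_login_shells() {
    awk -F: -v shells="$2" '
        FILENAME == shells {              # first file: the list of shells
            sub(/#.*/, "")                # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "")   # trim surrounding blanks
            if ($0 != "") listed[$0] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }           # skip blank and comment lines
        {
            # An empty shell field in passwd means /bin/sh
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in listed)) print $1 ":" shell
        }
    ' "$2" "$1"
}

# Run the check over constructed sample files.
demo_shells_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF
    cat > "$dir/passwd" << "EOF"
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/zsh
bob:x:1001:1001::/home/bob:
ftp:x:45:45::/home/ftp:/bin/false
EOF
    invalid_login_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo_shells_audit
```

On a live system, call invalid_login_shells /etc/passwd /etc/shells.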

Random Number Generation

The Linux kernel supplies a random number generator which is accessed through /dev/random and /dev/urandom. Programs that utilize the random and urandom devices, such as OpenSSH, will benefit from these instructions.

When a Linux system starts up without much operator interaction, the entropy pool (data used to compute a random number) may be in a fairly predictable state. This creates the real possibility that the number generated at startup may always be the same. In order to counteract this effect, you should carry the entropy pool information across your shut-downs and start-ups.

Install the /etc/rc.d/init.d/random init script included with the blfs-bootscripts-6.1 package.

make install-random
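The init script itself is not reproduced on this page. As an added illustration (not the blfs-bootscripts script), the following shows one way to carry a seed across a shutdown and start-up; SEED_FILE, POOL_DEV, SEED_BYTES and the function names are assumptions.

```shell
#!/bin/sh
# Added illustration (not the blfs-bootscripts script): save and restore a
# random seed so the pool does not start every boot in the same state.
# SEED_FILE, POOL_DEV and SEED_BYTES are assumed names and values.

SEED_FILE=${SEED_FILE:-/var/lib/random-seed}  # keep it in a root-only directory
POOL_DEV=${POOL_DEV:-/dev/urandom}            # data written here is mixed into the pool
SEED_BYTES=${SEED_BYTES:-512}

# save_seed: store SEED_BYTES of kernel output in SEED_FILE, readable by
# its owner only, replacing any old seed with a single rename.
save_seed() {
    (
        umask 077
        tmp="${SEED_FILE}.new"
        rm -f "$tmp"
        head -c "$SEED_BYTES" /dev/urandom > "$tmp" &&
        mv -f "$tmp" "$SEED_FILE"
    )
}

# load_seed: feed the stored seed to the pool, then overwrite it at once so
# a crash before the next clean shutdown cannot replay the same seed.
# A symbolic link in place of the seed file is ignored.
load_seed() {
    if [ -f "$SEED_FILE" ] && [ ! -L "$SEED_FILE" ]; then
        cat "$SEED_FILE" > "$POOL_DEV" || return 1
    fi
    save_seed
}

# Init-script style entry point: "start" at boot, "stop" at shutdown.
case "${1:-}" in
    start) load_seed ;;
    stop)  save_seed ;;
esac
```

Writing the seed to the device mixes it into the pool but does not raise the kernel's entropy estimate, so the seed file must stay unreadable to ordinary users to be of any value.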

Compressing Man and Info Pages

Man and info reader programs can transparently process files compressed with gzip or bzip2, a feature you can use to free some disk space while keeping your documentation available. However, things are not that simple; man directories tend to contain links—hard and symbolic—which defeat simple ideas like recursively calling gzip on them. A better way to go is to use the script below.

cat > /usr/sbin/compressdoc << "EOF"
#!/bin/bash
# VERSION: 20050112.0027
#
# Compress (with bzip2 or gzip) all man pages in a hierarchy and
# update symlinks - By Marc Heerdink <marc @ koelkast.net>
#
# Modified to be able to gzip or bzip2 files as an option and to deal
# with all symlinks properly by Mark Hymers <markh @ linuxfromscratch.org>
#
# Modified 20030930 by Yann E. Morin <yann.morin.1998 @ anciens.enib.fr>
# to accept compression/decompression, to correctly handle hard-links,
# to allow for changing hard-links into soft- ones, to specify the
# compression level, to parse the man.conf for all occurrences of MANPATH,
# to allow for a backup, to allow to keep the newest version of a page.
#
# Modified 20040330 by Tushar Teredesai to replace $0 by the name of the
# script.
#   (Note: It is assumed that the script is in the user's PATH)
#
# Modified 20050112 by Randy McMurchy to shorten line lengths and
# correct grammar errors.
#
# TODO:
#     - choose a default compress method to be based on the available
#       tool : gzip or bzip2;
#     - offer an option to automagically choose the best compression
#       method on a per page basis (eg. check which of
#       gzip/bzip2/whatever is the most effective, page per page);
#     - when a MANPATH env var exists, use this instead of /etc/man.conf
#       (useful for users to (de)compress their man pages);
#     - offer an option to restore a previous backup;
#     - add other compression engines (compress, zip, etc?). Needed?

# Funny enough, this function prints some help.
function help ()
{
  if [ -n "$1" ]; then
    echo "Unknown option : $1"
  fi
  ( echo "Usage: $MY_NAME <comp_method> [options] [dirs]" && \
  cat << EOT
Where comp_method is one of :
  --gzip, --gz, -g
  --bzip2, --bz2, -b
                Compress using gzip or bzip2.

  --decompress, -d
                Decompress the man pages.

  --backup      Specify a .tar backup shall be done for all directories.
                In case a backup already exists, it is saved as .tar.old
                prior to making the new backup. If a .tar.old backup
                exists, it is removed prior to saving the backup.
                In backup mode, no other action is performed.

And where options are :
  -1 to -9, --fast, --best
                The compression level, as accepted by gzip and bzip2.
                When not specified, uses the default compression level
                for the given method (-6 for gzip, and -9 for bzip2).
                Not used when in backup or decompress modes.

  --force, -F   Force (re-)compression, even if the previous one was
                the same method. Useful when changing the compression
                ratio. By default, a page will not be re-compressed if
                it ends with the same suffix as the method adds
                (.bz2 for bzip2, .gz for gzip).

  --soft, -S    Change hard-links into soft-links. Use with _caution_
                as the first encountered file will be used as a
                reference. Not used when in backup mode.

  --hard, -H    Change soft-links into hard-links. Not used when in
                backup mode.

  --conf=dir, --conf dir
                Specify the location of man.conf. Defaults to /etc.

  --verbose, -v Verbose mode, print the name of the directory being
                processed. Double the flag to turn it even more verbose,
                and to print the name of the file being processed.

  --fake, -f    Fakes it. Print the actual parameters compman will use.

  dirs          A list of space-separated _absolute_ pathnames to the
                man directories. When empty, and only then, parse
                ${MAN_CONF}/man.conf for all occurrences of MANPATH.

Note about compression:
  There has been a discussion on blfs-support about compression ratios of
  both gzip and bzip2 on man pages, taking into account the hosting fs,
  the architecture, etc... On the overall, the conclusion was that gzip
  was much more efficient on 'small' files, and bzip2 on 'big' files,
  small and big being very dependent on the content of the files.

  See the original post from Mickael A. Peters, titled
  "Bootable Utility CD", dated 20030409.1816(+0200), and subsequent posts:
  http://linuxfromscratch.org/pipermail/blfs-support/2003-April/038817.html

  On my system (x86, ext3), man pages were 35564KB before compression.
  gzip -9 compressed them down to 20372KB (57.28%), bzip2 -9 got down to
  19812KB (55.71%). That is a 1.57% gain in space. YMMV.

  What was not taken into consideration was the decompression speed. But
  does it make sense to? You gain fast access with uncompressed man
  pages, or you gain space at the expense of a slight overhead in time.
  Well, my P4-2.5GHz does not even let me notice this... :-)

EOT
) | less
}

# This function checks that the man page is unique amongst bzip2'd,
# gzip'd and uncompressed versions.
#  $1 the directory in which the file resides
#  $2 the file name for the man page
# Returns 0 (true) if the file is the latest and must be taken care of,
# and 1 (false) if the file is not the latest (and has therefore been
# deleted).
function check_unique ()
{
  # NB. When there are hard-links to this file, these are
  # _not_ deleted. In fact, if there are hard-links, they
  # all have the same date/time, thus making them ready
  # for deletion later on.

  # Build the list of all man pages with the same name
  DIR=$1
  BASENAME=`basename "${2}" .bz2`
  BASENAME=`basename "${BASENAME}" .gz`
  GZ_FILE="$BASENAME".gz
  BZ_FILE="$BASENAME".bz2

  # Look for, and keep, the most recent one
  LATEST=`(cd "$DIR"; ls -1rt "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}" \
         2>/dev/null | tail -n 1)`
  for i in "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}"; do
    [ "$LATEST" != "$i" ] && rm -f "$DIR"/"$i"
  done

  # In case the specified file was the latest, return 0
  [ "$LATEST" = "$2" ] && return 0
  # If the file was not the latest, return 1
  return 1
}

# Name of the script
MY_NAME=`basename "$0"`

# OK, parse the command-line for arguments, and initialize to some
# sensible state, that is: don't change links state, parse
# /etc/man.conf, be most silent, search man.conf in /etc, and don't
# force (re-)compression.
COMP_METHOD=
COMP_SUF=
COMP_LVL=
FORCE_OPT=
LN_OPT=
MAN_DIR=
VERBOSE_LVL=0
BACKUP=no
FAKE=no
MAN_CONF=/etc
while [ -n "$1" ]; do
  case $1 in
    --gzip|--gz|-g)
      COMP_SUF=.gz
      COMP_METHOD=$1
      shift
      ;;
    --bzip2|--bz2|-b)
      COMP_SUF=.bz2
      COMP_METHOD=$1
      shift
      ;;
    --decompress|-d)
      COMP_SUF=
      COMP_LVL=
      COMP_METHOD=$1
      shift
      ;;
    -[1-9]|--fast|--best)
      COMP_LVL=$1
      shift
      ;;
    --force|-F)
      FORCE_OPT=-F
      shift
      ;;
    --soft|-S)
      LN_OPT=-S
      shift
      ;;
    --hard|-H)
      LN_OPT=-H
      shift
      ;;
    --conf=*)
      MAN_CONF=`echo $1 | cut -d '=' -f2-`
      shift
      ;;
    --conf)
      MAN_CONF="$2"
      shift 2
      ;;
    --verbose|-v)
      let VERBOSE_LVL++
      shift
      ;;
    --backup)
      BACKUP=yes
      shift
      ;;
    --fake|-f)
      FAKE=yes
      shift
      ;;
    --help|-h)
      help
      exit 0
      ;;
    /*)
      MAN_DIR="${MAN_DIR} ${1}"
      shift
      ;;
    -*)
      help $1
      exit 1
      ;;
    *)
      echo "\"$1\" is not an absolute path name"
      exit 1
      ;;
  esac
done

# Redirections
case $VERBOSE_LVL in
  0)
     # 0, be silent
     DEST_FD0=/dev/null
     DEST_FD1=/dev/null
     VERBOSE_OPT=
     ;;
  1)
     # 1, be a bit verbose
     DEST_FD0=/dev/stdout
     DEST_FD1=/dev/null
     VERBOSE_OPT=-v
     ;;
  *)
     # 2 and above, be most verbose
     DEST_FD0=/dev/stdout
     DEST_FD1=/dev/stdout
     VERBOSE_OPT="-v -v"
     ;;
esac

# Note: on my machine, 'man --path' gives /usr/share/man twice, once
# with a trailing '/', once without.
if [ -z "$MAN_DIR" ]; then
  MAN_DIR=`man --path -C "$MAN_CONF"/man.conf \
            | sed 's/:/\\n/g' \
            | while read foo; do dirname "$foo"/.; done \
            | sort -u \
            | while read bar; do echo -n "$bar "; done`
fi

# If no MANPATH in ${MAN_CONF}/man.conf, abort as well
if [ -z "$MAN_DIR" ]; then
  echo "No directory specified, and no directory found with \`man --path'"
  exit 1
fi

# Fake?
if [ "$FAKE" != "no" ]; then
  echo "Actual parameters used:"
  echo -n "Compression.......: "
  case $COMP_METHOD in
    --bzip2|--bz2|-b) echo -n "bzip2";;
    --gzip|--gz|-g) echo -n "gzip";;
    --decompress|-d) echo -n "decompressing";;
    *) echo -n "unknown";;
  esac
  echo " ($COMP_METHOD)"
  echo "Compression level.: $COMP_LVL"
  echo "Compression suffix: $COMP_SUF"
  echo -n "Force compression.: "
  [ "foo$FORCE_OPT" = "foo-F" ] && echo "yes" || echo "no"
  echo "man.conf is.......: ${MAN_CONF}/man.conf"
  echo -n "Hard-links........: "
  [ "foo$LN_OPT" = "foo-S" ] &&
  echo "convert to soft-links" || echo "leave as is"
  echo -n "Soft-links........: "
  [ "foo$LN_OPT" = "foo-H" ] &&
  echo "convert to hard-links" || echo "leave as is"
  echo "Backup............: $BACKUP"
  echo "Faking (yes!).....: $FAKE"
  echo "Directories.......: $MAN_DIR"
  echo "Verbosity level...: $VERBOSE_LVL"
  exit 0
fi

# If no method was specified, print help
if [ -z "${COMP_METHOD}" -a "${BACKUP}" = "no" ]; then
  help
  exit 1
fi

# In backup mode, do the backup solely
if [ "$BACKUP" = "yes" ]; then
  for DIR in $MAN_DIR; do
    cd "${DIR}/.."
    DIR_NAME=`basename "${DIR}"`
    echo "Backing up $DIR..." > $DEST_FD0
    [ -f "${DIR_NAME}.tar.old" ] && rm -f "${DIR_NAME}.tar.old"
    [ -f "${DIR_NAME}.tar" ] &&
    mv "${DIR_NAME}.tar" "${DIR_NAME}.tar.old"
    tar -cvf "${DIR_NAME}.tar" "${DIR_NAME}" > $DEST_FD1
  done
  exit 0
fi

# I know MAN_DIR has only absolute path names
# I need to take into account the localized man, so I'm going recursive
for DIR in $MAN_DIR; do
  MEM_DIR=`pwd`
  cd "$DIR"
  for FILE in *; do
    # Fixes the case where the directory is empty
    if [ "foo$FILE" = "foo*" ]; then continue; fi

    # Fixes the case when hard-links see their compression scheme change
    # (from not compressed to compressed, or from bz2 to gz, or from gz
    # to bz2)
    # Also fixes the case when multiple version of the page are present,
    # which are either compressed or not.
    if [ ! -L "$FILE" -a ! -e "$FILE" ]; then continue; fi

    # Do not compress whatis files
    if [ "$FILE" = "whatis" ]; then continue; fi

    if [ -d "$FILE" ]; then
      cd "${MEM_DIR}"  # Go back to where we ran "$0",
                       # in case "$0"=="./compressdoc" ...
      # We are going recursive to that directory
      echo "-> Entering ${DIR}/${FILE}..." > $DEST_FD0
      # I need not pass --conf, as I specify the directory to work on
      # But I need exit in case of error
      "$MY_NAME" ${COMP_METHOD} ${COMP_LVL} ${LN_OPT} ${VERBOSE_OPT} \
      ${FORCE_OPT} "${DIR}/${FILE}" || exit 1
      echo "<- Leaving ${DIR}/${FILE}." > $DEST_FD1
      cd "$DIR"  # Needed for the next iteration of the loop

    else # !dir
      if ! check_unique "$DIR" "$FILE"; then continue; fi

      # Check if the file is already compressed with the specified method
      BASE_FILE=`basename "$FILE" .gz`
      BASE_FILE=`basename "$BASE_FILE" .bz2`
      if [ "${FILE}" = "${BASE_FILE}${COMP_SUF}" \
         -a "foo${FORCE_OPT}" = "foo" ]; then continue; fi

      # If we have a symlink
      if [ -h "$FILE" ]; then
        case "$FILE" in
          *.bz2)
            EXT=bz2 ;;
          *.gz)
            EXT=gz ;;
          *)
            EXT=none ;;
        esac

        if [ ! "$EXT" = "none" ]; then
          LINK=`ls -l "$FILE" | cut -d ">" -f2 \
               | tr -d " " | sed s/\.$EXT$//`
          NEWNAME=`echo "$FILE" | sed s/\.$EXT$//`
          mv "$FILE" "$NEWNAME"
          FILE="$NEWNAME"
        else
          LINK=`ls -l "$FILE" | cut -d ">" -f2 | tr -d " "`
        fi

        if [ "$LN_OPT" = "-H" ]; then
          # Change this soft-link into a hard- one
          rm -f "$FILE" && ln "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
          chmod --reference "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
        else
          # Keep this soft-link a soft- one.
          rm -f "$FILE" && ln -s "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
        fi
        echo "Relinked $FILE" > $DEST_FD1

      # else if we have a plain file
      elif [ -f "$FILE" ]; then
        # Take care of hard-links: build the list of files hard-linked
        # to the one we are {de,}compressing.
        # NB. This is not optimum as the file will eventually be
        # compressed as many times it has hard-links. But for now,
        # that's the safe way.
        inode=`ls -li "$FILE" | awk '{print $1}'`
        HLINKS=`find . \! -name "$FILE" -inum $inode`

        if [ -n "$HLINKS" ]; then
          # We have hard-links! Remove them now.
          for i in $HLINKS; do rm -f "$i"; done
        fi

        # Now take care of the file that has no hard-link
        # We do decompress first to re-compress with the selected
        # compression ratio later on...
        case "$FILE" in
          *.bz2)
            bunzip2 "$FILE"
            FILE=`basename "$FILE" .bz2`
          ;;
          *.gz)
            gunzip "$FILE"
            FILE=`basename "$FILE" .gz`
          ;;
        esac

        # Compress the file with the given compression ratio, if needed
        case $COMP_SUF in
          *bz2)
            bzip2 ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
            echo "Compressed $FILE" > $DEST_FD1
            ;;
          *gz)
            gzip ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
            echo "Compressed $FILE" > $DEST_FD1
            ;;
          *)
            echo "Uncompressed $FILE" > $DEST_FD1
            ;;
        esac

        # If the file had hard-links, recreate those (either hard or soft)
        if [ -n "$HLINKS" ]; then
          for i in $HLINKS; do
            NEWFILE=`echo "$i" | sed s/\.gz$// | sed s/\.bz2$//`
            if [ "$LN_OPT" = "-S" ]; then
              # Make this hard-link a soft- one
              ln -s "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
            else
              # Keep the hard-link a hard- one
              ln "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
            fi
            # Really work only for hard-links. Harmless for soft-links
            chmod 644 "${NEWFILE}$COMP_SUF"
          done
        fi

      else
        # There is a problem when we get neither a symlink nor a plain
        # file. Obviously, we shall never ever come here... :-(
        echo -n "Whaooo... \"${DIR}/${FILE}\" is neither a symlink "
        echo "nor a plain file. Please check:"
        ls -l "${DIR}/${FILE}"
        exit 1
      fi
    fi
  done # for FILE
done # for DIR

EOF
chmod 755 /usr/sbin/compressdoc

Now, as root, you can issue the command compressdoc --bz2 to compress all your system man pages. You can also run compressdoc --help to get comprehensive help about what the script is able to do.

Don't forget that a few programs, like the X Window System and XEmacs also install their documentation in non-standard places (such as /usr/X11R6/man, etc.). Be sure to add these locations to the file /etc/man.conf, as MANPATH [/path] lines.

Example:

    ...
    MANPATH /usr/share/man
    MANPATH /usr/local/man
    MANPATH /usr/X11R6/man
    MANPATH /opt/qt/doc/man
    ...

Generally, package installation systems do not compress man/info pages, which means you will need to run the script again if you want to keep the size of your documentation as small as possible. Also, note that running the script after upgrading a package is safe; when you have several versions of a page (for example, one compressed and one uncompressed), the most recent one is kept and the others are deleted.

Automate Mounting of File Systems

Introduction to Autofs

The autofs package contains userspace tools that work with the kernel to mount and un-mount removable file systems. This is useful for allowing users to mount floppies, cdroms and other removable storage devices without requiring the system administrator to mount the devices. This may not be ideal for all installations, so be aware of the risks before implementing this feature.

Package Information

Additional Downloads

Kernel Configuration

Verify that kernel support has been compiled in or built as modules in the following areas:

File systems
    Kernel automounter version 4 support        Y or M
Network File Systems
    NFS file system support                     Y or M
    SMB file system support                     Y or M

Recompile and install the new kernel, if necessary.

Installation of Autofs

Install autofs by running the following commands:

patch -Np1 -i ../autofs-4.1.4-misc-fixes.patch &&
patch -Np1 -i ../autofs-4.1.4-multi-parse-fix.patch &&
patch -Np1 -i ../autofs-4.1.4-non-replicated-ping.patch &&
./configure --prefix=/ --mandir=/usr/share/man &&
make

Now, as the root user:

make install &&
rm /etc/rc.d/init.d/autofs

Command Explanations

rm /etc/rc.d/init.d/autofs: This command removes the installed script which only works on specific distributions.

Configuring Autofs

Config Files

/etc/sysconfig/autofs.conf, /etc/auto.master, /etc/auto.misc, and /etc/auto.net

Configuration Information

The installation process creates auto.master, auto.misc and auto.net. Replace the installed auto.master using the following commands:

mv /etc/auto.master /etc/auto.master.bak &&
cat > /etc/auto.master << "EOF"
# Begin /etc/auto.master

/media  /etc/auto.misc

# End /etc/auto.master
EOF

Note

This file mounts a new media directory over the one created by LFS and will therefore hide any mounts made by the fstab file into that directory.

While this package could be used to mount NFS shares and SMB shares, that feature is not configured in these instructions. NFS shares are covered on the next page.

The auto.misc file must be configured to match your working hardware. The installed configuration file should mount your cdrom if /dev/cdrom is active, or it can be edited to match your device setup. Examples for floppies are available in the file and are easily activated. Documentation for this file is available using the man 5 autofs command.
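Since entries in this map let unprivileged users trigger mounts of removable media, it is worth checking that each entry carries the nosuid and nodev mount options. The following check is an added example, not part of autofs or BLFS; the function names and the sample map are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: flag automount map entries that would mount media
# without nosuid and nodev.  Function names and sample data are assumptions.

# check_automount_map MAP_FILE
# Prints "<key>: missing <options>" for each entry lacking nosuid or nodev.
# Continuation lines and "+" included maps are not followed.
check_automount_map() {
    awk '
        /^[ \t]*(#|$)/ { next }           # skip blank and comment lines
        $1 ~ /^\+/     { next }           # skip included maps
        {
            # The options field is optional and starts with "-"
            opts = ($2 ~ /^-/) ? substr($2, 2) : ""
            n = split(opts, o, ",")
            suid = dev = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "nosuid") suid = 1
                if (o[i] == "nodev")  dev = 1
            }
            miss = ""
            if (!suid) miss = miss " nosuid"
            if (!dev)  miss = miss " nodev"
            if (miss != "") print $1 ": missing" miss
        }
    ' "$1"
}

# Run the check over a constructed sample map.
demo_automount_check() {
    map=$(mktemp) || return 1
    cat > "$map" << "EOF"
# constructed sample map
cd      -fstype=iso9660,ro,nosuid,nodev  :/dev/cdrom
floppy  -fstype=auto                     :/dev/fd0
usb     -fstype=vfat,nosuid              :/dev/sda1
EOF
    check_automount_map "$map"
    rm -f "$map"
}

demo_automount_check
```

On a live system, call check_automount_map /etc/auto.misc after editing the map.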

Boot Script

Install the /etc/rc.d/init.d/autofs mount script and /etc/sysconfig/autofs.conf support file included with the blfs-bootscripts-6.1 package.

make install-autofs

The time-out variable is set in /etc/sysconfig/autofs.conf. The installed file sets a default of 60 seconds of inactivity before unmounting the device. A much shorter time may be necessary to protect buffer writing to a floppy if users tend to remove the media prior to the timeout setting.

Contents

Installed Program: automount
Installed Libraries: autofs modules
Installed Directories: /lib/autofs and /var/run/autofs

Short Descriptions

automount

is the daemon that performs the mounting when a request is made for the device.

Configuring for Network Filesystems

While LFS is capable of mounting network file systems such as NFS, these are not mounted by the mountfs init script. Network file systems must be mounted after the networking is activated and unmounted before the network goes down. The netfs bootscript was written to handle both boot-time mounting of network filesystems, if the entry in /etc/fstab contains the _netdev option, and unmounting of all network filesystems before the network is brought down.

As the root user, install the /etc/rc.d/init.d/netfs bootscript included with the blfs-bootscripts-6.1 package.

make install-netfs

Chapter 4. Security

Security takes many forms in a computing environment. This chapter gives examples of three different types of security: access, prevention and detection.

Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.

Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically its ability to verify signed packages, which detects modifications made to the tarball after the packager created it.

Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator), then regenerates those "signatures" and compares them to find files that have been changed.

OpenSSL-0.9.7g

Introduction to OpenSSL

The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH, email applications and web browsers (for accessing HTTPS sites).

Package Information

Additional Downloads

OpenSSL Dependencies

Optional

bc-1.06 (recommended if you run the test suite during the build)

Installation of OpenSSL

Install OpenSSL by running the following commands:

patch -Np1 -i ../openssl-0.9.7g-fix_manpages-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man

To test the results, issue: make test.

Now, as the root user:

make MANDIR=/usr/share/man install &&
cp -v -r certs /etc/ssl

Command Explanations

no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.

make MANDIR=/usr/share/man; make MANDIR=/usr/share/man install: These commands install OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man.

cp -v -r certs /etc/ssl: The certificates must be copied manually since the install script skips this step.

Configuring OpenSSL

Config Files

/etc/ssl/openssl.cnf

Configuration Information

Most people who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers won't need to worry about configuring OpenSSL. Configuring OpenSSL is an advanced topic and so those who do would normally be expected to either know how to do it or to be able to find out how to do it.

Contents

Installed Programs: c_rehash, openssl, and openssl_fips_fingerprint
Installed Libraries: libcrypto.[so,a] and libssl.[so,a]
Installed Directories: /etc/ssl and /usr/include/ssl

Short Descriptions

c_rehash

is a Perl script that scans all files in a directory and adds symbolic links to their hash values.

openssl

is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for various functions which are documented in man 1 openssl.

libcrypto.[so,a]

implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement OpenSSH, OpenPGP, and other cryptographic standards.

libssl.[so,a]

implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API, documentation on which can be found by running man 3 ssl.

CrackLib-2.8.3

Introduction to CrackLib

The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.

Package Information

Additional Downloads

There are additional word lists available for download, e.g., from http://www.cotse.com/tools/wordlists.htm. CrackLib can utilize as many or as few word lists as you choose to install.

Important

Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.

The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.

Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of “word-based keystroke combinations” that make bad passwords.

Installation of CrackLib

If desired, apply the Heimdal patch (note that with this patch the original library is not affected; this patch only creates an additional library used by the Heimdal password-checking routines):

patch -Np1 -i ../cracklib-2.8.3-heimdal-1.patch

Install CrackLib by running the following commands:

./configure --prefix=/usr --datadir=/lib &&
make

Now, as the root user:

make install &&
mv -v /usr/lib/libcrack.so.2* /lib &&
ln -v -sf ../../lib/libcrack.so.2.8.0 /usr/lib/libcrack.so

The following commands can be used to install the recommended word list. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict.

install -v -m644 -D ../cracklib-words.gz \
    /usr/share/dict/cracklib-words.gz &&
gunzip -v /usr/share/dict/cracklib-words.gz &&
ln -v -s cracklib-words /usr/share/dict/words &&
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &&
create-cracklib-dict /usr/share/dict/cracklib-words \
                     /usr/share/dict/cracklib-extra-words

If desired, check the proper operation of the library as an unprivileged user using the tests included with the package:

make test

Command Explanations

--datadir=/lib: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.

mv -v /usr/lib/libcrack.so.2* /lib and ln -v -sf ../../lib/libcrack.so.2.8.0 ...: These two commands move the libcrack.so.2.8.0 library and associated symlink from /usr/lib to /lib, then recreate the /usr/lib/libcrack.so symlink pointing to the relocated file.

install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.

ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words as historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.

echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site specific list which includes easy to guess passwords such as company or department names, user's names, product names, computer names, domain names, etc.

create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.
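
One way to seed the site-specific list with more than the host name, as an added example (not part of the BLFS book): it collects login names, the words of each account's full name, and the labels of the host's domain name. The function name site_words, the three-character minimum and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the BLFS book.
# Usage on a real system (assumption: hostname -f gives the full name):
#   site_words "$(hostname -f)" < /etc/passwd \
#       >> /usr/share/dict/cracklib-extra-words
# then rerun the create-cracklib-dict command shown above.

# site_words FQDN
# Read passwd-format lines on stdin and print one candidate word per
# line: login names, the words of the full-name part of the GECOS
# field, the host name and each of its labels. Output is lower-cased,
# de-duplicated, and words shorter than 3 characters are dropped.
site_words() {
    {
        awk -F: '
            $1 ~ /^#/ { next }
            {
                print $1                        # login name
                split($5, gecos, ",")           # full name comes first
                n = split(gecos[1], w, /[^A-Za-z0-9]+/)
                for (i = 1; i <= n; i++) print w[i]
            }'
        printf '%s\n' "$1"                      # full host name
        printf '%s\n' "$1" | tr '.' '\n'        # each label
    } | tr '[:upper:]' '[:lower:]' |
        awk 'length($0) >= 3' |
        LC_ALL=C sort -u
}

# Constructed sample input standing in for /etc/passwd.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:50:50::/var/lib/sshd:/bin/false
alice:x:1000:1000:Alice Example,Room 1,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Builder:/home/bob:/bin/bash
EOF
}

sample_passwd | site_words build01.example.org
```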

Contents

Installed Programs: cracklib-check, cracklib-format, cracklib-packer, cracklib-unpacker and create-cracklib-dict
Installed Libraries: libcrack.[so,a] and optionally, libcrack_heimdal.[so,a]
Installed Directories: /lib/cracklib and /usr/share/dict

Short Descriptions

create-cracklib-dict

is used to create the CrackLib dictionary from the given word list(s).

libcrack.[so,a]

provides a fast dictionary lookup method for strong password enforcement.

Linux-PAM-0.80

Introduction to Linux-PAM

The Linux-PAM package contains Pluggable Authentication Modules. This is useful to enable the local system administrator to choose how applications authenticate users.

Package Information

Additional Downloads

Linux-PAM Dependencies

Recommended

CrackLib-2.8.3

Optional

sgmltools-lite and Berkeley DB-4.3.28 (for pam_userdb module)

Installation of Linux-PAM

Install Linux-PAM by running the following commands:

sed -i 's|DICT_DIR_CANDIDATES="|&/lib /lib/cracklib |' \
    configure &&
./configure --enable-static-libpam --with-mailspool=/var/mail \
    --enable-read-both-confs --sysconfdir=/etc \
    --mandir=/usr/share/man &&
make

If you downloaded the documentation and wish to install it, unpack the tarball into the doc directory:

tar -jxf ../Linux-PAM-0.80-docs.tar.bz2 -C doc

Now, as the root user:

make install &&
mv -v /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib &&
rm -v /lib/libpam{,c,_misc}.so &&
ln -v -sf ../../lib/libpam.so.0.80 /usr/lib/libpam.so &&
ln -v -sf ../../lib/libpam_misc.so.0.80 /usr/lib/libpam_misc.so &&
ln -v -sf ../../lib/libpamc.so.0.80 /usr/lib/libpamc.so

Install the documentation using the following commands:

install -v -d -m755 /usr/share/doc/Linux-PAM-0.80 &&
for DOCTYPE in html ps specs txts
do
    cp -v -R doc/$DOCTYPE /usr/share/doc/Linux-PAM-0.80
done

Command Explanations

sed -i 's|DICT_DIR_CANDIDATES="|&/lib /lib/cracklib |' configure: This command changes where configure looks to find the CrackLib dictionary.

--enable-static-libpam: This switch builds static PAM libraries as well as the dynamic libraries.

--with-mailspool=/var/mail: This switch makes the mailspool directory FHS compliant.

--enable-read-both-confs: This switch lets the local administrator choose which configuration file setup to use.

mv -v /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib: This command moves the static libraries to /usr/lib to comply with FHS guidelines.

rm -v /lib/libpam{,c,_misc}.so; ln -v -sf ... /usr/lib/...: These commands move the .so symlinks from /lib to /usr/lib.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/* or /etc/pam.conf

Configuration Information

Configuration information is placed in /etc/pam.d/ or /etc/pam.conf depending on user preference. Below are example files of each type:

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

# Begin /etc/pam.conf

other           auth            required        pam_unix.so     nullok
other           account         required        pam_unix.so
other           session         required        pam_unix.so
other           password        required        pam_unix.so     nullok

# End /etc/pam.conf

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM guide for system administrators is recommended for further reading.

Refer to http://www.kernel.org/pub/linux/libs/pam/modules.html for a list of various modules available.

Note

You should now reinstall the Shadow-4.0.9 package.

Contents

Installed Programs: unix_chkpwd and pam_tally
Installed Libraries: libpam.[so,a], libpamc.[so,a], and libpam_misc.[so,a]
Installed Directories: /etc/pam.d, /etc/security, /lib/security, and /usr/include/security

Short Descriptions

unix_chkpwd

checks user passwords that are stored in read protected databases.

pam_tally

is used to view or manipulate the faillog file.

libpam.[so,a]

provides the interfaces between applications and the PAM modules.

Shadow-4.0.9

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, reinstalling Shadow will allow programs like login and su to utilize PAM.

Package Information

Additional Downloads

Shadow Dependencies

Required

Linux-PAM-0.80

Installation of Shadow

Reinstall Shadow by running the following commands:

patch -Np1 -i ../shadow-4.0.9-Linux_PAM_fixes-1.patch &&
./configure --libdir=/lib --enable-shared \
    --with-libpam --without-libcrack &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make

Now, as the root user:

make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so

Command Explanations

--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.

sed -i ...: These commands are used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

Configuring Linux-PAM to Work with Shadow

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents):

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE \
                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done

If you have CrackLib installed, also comment out four more lines using the following command:

for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done

Configuring the /etc/pam.d/ Files

Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).

'login' (with CrackLib)

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_env.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/login
EOF

'login' (without CrackLib)

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/login
EOF

'passwd' (with CrackLib)

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3  ocredit=3 \
                                            ucredit=2  lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd
EOF

'passwd' (without CrackLib)

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password    required       pam_unix.so      md5 shadow

# End /etc/pam.d/passwd
EOF

'su'

cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     optional        pam_mail.so     dir=/var/mail standard
session     required        pam_env.so
session     required        pam_unix.so

# End /etc/pam.d/su
EOF

'chage'

cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
EOF

'chpasswd', 'newusers', 'groupadd', 'groupdel', 'groupmod', 'useradd', 'userdel', and 'usermod'

for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done

Warning

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

Other

Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
EOF
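
A pre-flight check for the step above, as an added example (not part of the BLFS book): once other denies everything, any program from this section without its own file in /etc/pam.d is locked out, so the check lists those first. The function names, the directory argument and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the BLFS book: run before (and after)
# installing the deny-all /etc/pam.d/other.

# Programs this section writes PAM files for.
SHADOW_PAM_PROGRAMS="login passwd su chage chpasswd newusers groupadd groupdel groupmod useradd userdel usermod"

# pam_missing_configs DIR
# Print each listed program that has no usable file in DIR. A file is
# usable only if it is readable and holds at least one rule line, so
# an empty or comment-only file is reported as missing too.
pam_missing_configs() {
    for prog in $SHADOW_PAM_PROGRAMS; do
        if [ ! -r "$1/$prog" ] ||
           ! grep -Eq '^[[:space:]]*(auth|account|session|password)[[:space:]]' "$1/$prog"
        then
            printf '%s\n' "$prog"
        fi
    done
}

# pam_other_is_restrictive DIR
# Succeed only if DIR/other has rules and every one of them calls
# pam_deny.so or pam_warn.so, as in the restrictive file above.
pam_other_is_restrictive() {
    [ -r "$1/other" ] || return 1
    rules=$(grep -Ev '^[[:space:]]*(#|$)' "$1/other") || return 1
    if printf '%s\n' "$rules" | grep -Evq 'pam_(deny|warn)\.so'; then
        return 1
    fi
    return 0
}

# Constructed sample directory standing in for /etc/pam.d: five
# programs configured, chpasswd holding only a comment, and the
# permissive other file still in place.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    for f in login passwd su chage useradd; do
        printf 'auth\trequired\tpam_unix.so\n' > "$d/$f"
    done
    printf '# Begin /etc/pam.d/chpasswd\n' > "$d/chpasswd"
    printf 'auth required pam_unix.so nullok\n' > "$d/other"
    printf '%s\n' "$d"
}

sample=$(make_sample_pam_dir)
echo "no PAM file for: $(pam_missing_configs "$sample" | xargs)"
pam_other_is_restrictive "$sample" || echo "other is still permissive"
rm -rf "$sample"
```

On a real system, run pam_missing_configs /etc/pam.d and install the restrictive other file only when it prints nothing.
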

Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi

Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi

Configuring Default Environment

During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands:

ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
    awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH        DEFAULT='`echo "${ENV_PATH}"`'        OVERRIDE=${PATH}' \
    >> /etc/security/pam_env.conf &&
unset ENV_PATH

Note

ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super user.

Contents

A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/stable/chapter06/shadow.html#contents-shadow.

Iptables-1.3.3

Introduction to Iptables

The next part of this chapter deals with firewalls. The principal firewall tool for Linux, as of the 2.4 kernel series, is iptables. It replaces ipchains from the 2.2 series and ipfwadm from the 2.0 series. You will need to install iptables if you intend on using any form of a firewall.

Package Information

Kernel Configuration

A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is iptables. To use it, the appropriate kernel configuration parameters are found in Device Drivers -> Networking Support -> Networking Options -> Network Packet Filtering -> IP: Netfilter Configuration.

Installation of Iptables

Note

Installation of iptables will fail if raw kernel headers are found in /usr/src/linux either as actual files or a symlink. As of the Linux 2.6 kernel series, this directory should no longer exist because appropriate headers were installed from the Linux-Libc-Headers package during the base LFS installation.

For some non-x86 architectures, the raw kernel headers may be required. In that case, add the environment variable KERNEL_DIR=/usr/src/linux to the make commands below.

Install iptables by running the following commands:

make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin

Now, as the root user:

make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install

Command Explanations

PREFIX=/usr LIBDIR=/lib BINDIR=/sbin: Compiles and installs iptables libraries into /lib, binaries into /sbin and the remainder into the /usr hierarchy instead of /usr/local. Firewalls are generally activated during the boot process and /usr may not be mounted at that time.

Configuring Iptables

Introductory instructions for configuring your firewall are presented in the next section: Firewalling

Boot Script

To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-6.1 package.

make install-iptables

Contents

Installed Programs: iptables, iptables-restore, iptables-save and ip6tables
Installed Libraries: libip6t_*.so and libipt_*.so
Installed Directory: /lib/iptables

Short Descriptions

iptables

is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

iptables-restore

is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.

iptables-save

is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.

ip6tables

is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

libip*.so

library modules are various modules (implemented as dynamic libraries) which extend the core functionality of iptables.

Setting Up a Network Firewall

Before you read this part of the chapter, you should have already installed iptables as described in the previous section.

Introduction to Firewall Creation

The general purpose of a firewall is to protect a computer or a network against malicious access.

In a perfect world, every daemon or service on every machine is perfectly configured and immune to flaws such as buffer overflows or other problems regarding its security. Furthermore, you trust every user accessing your services. In this world, you do not need to have a firewall.

In the real world however, daemons may be misconfigured and exploits against essential services are freely available. You may wish to choose which services are accessible by certain machines or you may wish to limit which machines or applications are allowed external access. Alternatively, you may simply not trust some of your applications or users. You are probably connected to the Internet. In this world, a firewall is essential.

Don't assume however, that having a firewall makes careful configuration redundant, or that it makes any negligent misconfiguration harmless. It doesn't prevent anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system properly configured and up to date. A firewall is not a cure all, but should be an essential part of your overall security strategy.

Meaning of the Word "Firewall"

The word firewall can have several different meanings.

Personal Firewall

This is a hardware device or software program commercially sold (or offered via freeware) by companies such as Symantec which claims that it secures a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.

Masquerading Router

This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.

BusyBox

This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but offering non-firewall services such as a web-cache or mail. This may be used for home networks, but is not to be considered as secure as a firewall only machine because the combination of server and router/firewall on one machine raises the complexity of the setup.

Firewall with a Demilitarized Zone [Not Further Described Here]

This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IPs and a physically separated structure, is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.

Packetfilter

This type of firewall does routing or masquerading, but does not maintain a state table of ongoing communication streams. It is fast, but quite limited in its ability to block undesired packets without blocking desired packets.

Now You Can Start to Build your Firewall

Caution

This introduction on how to setup a firewall is not a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The scripts quoted here are simply intended to give examples of how a firewall works. They are not intended to fit into any particular configuration and may not provide complete protection from an attack.

Customization of these scripts for your specific situation will be necessary for an optimal configuration, but you should make a serious study of the iptables documentation and creating firewalls in general before hacking away. Have a look at the list of links for further reading at the end of this section for more details. There you will find a list of URLs that contain quite comprehensive information about building your own firewall.

The firewall configuration script installed in the iptables section differs from the standard configuration script. It only has two of the standard targets: start and status. The other targets are clear and lock. For instance if you issue:

/etc/rc.d/init.d/iptables start

the firewall will be restarted just as it is upon system startup. The status target will present a list of all currently implemented rules. The clear target turns off all firewall rules and the lock target will block all packets in and out of the computer with the exception of the loopback interface.

The main startup firewall is located in the file /etc/rc.d/rc.iptables. The sections below provide three different approaches that can be used for a system.

Note

You should always run your firewall rules from a script. This ensures consistency and a record of what was done. It also allows retention of comments that are essential for understanding the rules long after they were written.

Personal Firewall

A Personal Firewall is designed to let you access all the services offered on the Internet, but keep your box secure and your data private.

Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 2.6 kernels.

cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables

This script is quite simple: it drops all traffic coming into your computer that wasn't initiated from your computer, but as long as you are simply surfing the Internet you are unlikely to exceed its limits.

If you frequently encounter certain delays in accessing FTP servers, take a look at BusyBox example number 4.

Even if you have daemons or services running on your system, these will be inaccessible everywhere but from your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at BusyBox.

Masquerading Router

A true Firewall has two interfaces, one connected to an intranet, in this example eth0, and one connected to the Internet, here ppp0. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that make a daemon on your system crash, or even worse, that implement a worm via a buffer-overflow).

cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin $rc_base/rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD  -i ! ppp+ -m state --state NEW      -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod 700 /etc/rc.d/rc.iptables

With this script your intranet should be reasonably secure against external attacks. No one should be able to set up a new connection to any internal service and, if it's masqueraded, your intranet is invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running that a cracker could attack.

Note

If the interface you're connecting to the Internet doesn't connect via PPP, you will need to change ppp+ to the name of the interface (e.g., eth1) which you are using.

BusyBox

This scenario isn't too different from the Masquerading Router, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.

Note

Outlining a true concept of how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references at the end of this section for more information.

Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Masquerading Router for some more details.

If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.

iptables -A INPUT  -i ! ppp+  -j ACCEPT
iptables -A OUTPUT -o ! ppp+  -j ACCEPT

If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans that would like to "call home", and a bit of redundancy in case you've (mis-)configured a service so that it broadcasts its existence to the world.

To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.

Have a Look at the Following Examples:

  • Squid is caching the web:

    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED \
      -j ACCEPT
    
  • Your caching name server (e.g., named) does its lookups via UDP:

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    
  • You want to be able to ping your computer to ensure it's still alive:

    iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
    
  • If you are frequently accessing FTP servers or enjoy chatting, you might notice certain delays because some implementations of these daemons have the feature of querying an identd on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.

    To avoid these delays you could reject the requests with a 'tcp-reset':

    iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    
  • To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans):

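    # -I without a rule number inserts at the top of the chain, so explicit
    # positions are needed to keep the LOG rule ahead of the DROP rule.
    iptables -I INPUT 1 -p tcp -m state --state INVALID \
      -j LOG --log-prefix "FIREWALL:INVALID"
    iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP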
    
  • Anything coming from the outside should not have a private address; this is a common attack called IP-spoofing:

    iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
    iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
    iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
    

    There are other addresses that you may also want to drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link Local Networks), and 192.0.2.0/24 (IANA defined test network).

  • If your firewall is a DHCP client, you need to allow those packets:

    iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
       -d 255.255.255.255 --dport 68 -j ACCEPT
    
  • To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.

    Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:

    iptables -A INPUT -j REJECT
    

These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.
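One way to find candidate ports in the log, as the text suggests: the script below is an added example (not part of the BLFS book) that tallies netfilter LOG lines by chain, direction, protocol and destination port. The FIREWALL:INPUT and FIREWALL:OUTPUT prefixes, the host name and all addresses in the sample are constructed; only FIREWALL:INVALID appears in the rules above.

```shell
#!/bin/sh
# Added example: tally netfilter LOG lines written by rules whose
# --log-prefix starts with "FIREWALL:".

# sample_fw_log: constructed syslog lines (documentation addresses only).
sample_fw_log() {
    cat << 'EOF'
Aug 14 10:02:11 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.10 LEN=60 TTL=64 ID=1001 DF PROTO=TCP SPT=33010 DPT=443 SYN URGP=0
Aug 14 10:02:14 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.11 LEN=60 TTL=64 ID=1002 DF PROTO=TCP SPT=33012 DPT=443 SYN URGP=0
Aug 14 10:02:15 fw pppd[312]: rcvd [LCP EchoReq id=0x4]
Aug 14 10:03:40 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.20 LEN=76 TTL=64 ID=1003 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 14 10:05:02 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.2 LEN=60 TTL=52 ID=4321 DF PROTO=TCP SPT=40112 DPT=22 SYN URGP=0
Aug 14 10:05:09 fw kernel: FIREWALL:INVALIDIN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=33010 RST URGP=0
Aug 14 10:06:30 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.2 LEN=84 TTL=52 ID=4400 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
EOF
}

# summarize_fw_log [FILE...]: print "COUNT CHAIN DIRECTION PROTO DPT",
# most frequent first. Reads stdin when no file is given.
summarize_fw_log() {
    awk '
    match($0, /FIREWALL:[A-Z]+/) {
        tag = substr($0, RSTART + 9, RLENGTH - 9)    # text after "FIREWALL:"
        # A prefix without a trailing space (as in the INVALID rule) is
        # logged glued to the first field: "FIREWALL:INVALIDIN=ppp0".
        if (substr($0, RSTART + RLENGTH, 1) == "=")
            tag = substr(tag, 1, length(tag) - 2)
        rest = substr($0, RSTART + 9 + length(tag))

        split("", kv)                                # portable array reset
        n = split(rest, f, " ")
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            if (eq < 2) continue
            key = substr(f[i], 1, eq - 1)
            # Keep the first occurrence: later repeats (ICMP ID, or the
            # quoted inner packet of an ICMP error) must not override it.
            if (!(key in kv)) kv[key] = substr(f[i], eq + 1)
        }

        if (kv["IN"] != "" && kv["OUT"] != "")
            dir = "fwd:" kv["IN"] ">" kv["OUT"]
        else if (kv["IN"] != "")
            dir = "in:" kv["IN"]
        else
            dir = "out:" kv["OUT"]
        port = (kv["DPT"] != "") ? kv["DPT"] : "-"   # ICMP has no port
        count[tag " " dir " " kv["PROTO"] " " port]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# outbound_candidates [FILE...]: proto/port pairs the firewall itself was
# blocked from reaching; these are the entries to review before adding an
# OUTPUT rule for a service that needs them.
outbound_candidates() {
    summarize_fw_log "$@" |
        awk '$3 ~ /^out:/ && $5 != "-" { print tolower($4) "/" $5 }'
}

# Stand-alone use: sh fwsummary.sh /var/log/your-kernel-log
if [ "$#" -gt 0 ]; then
    summarize_fw_log "$@"
fi
```

Inbound entries in the summary are mostly background noise; the outbound ones are the failed accesses the text refers to, and each port still has to be matched against /etc/services before a rule is added for it.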

Conclusion

Finally, there is one fact you must not forget: The effort spent attacking a system corresponds to the value the cracker expects to gain from it. If you are responsible for valuable information, you need to spend the time to protect it properly.

GnuPG-1.4.1

Introduction to GnuPG

The GnuPG package contains a public/private key encryptor. This is becoming useful for signing files or emails as proof of identity and preventing tampering with the contents of the file or email.

Package Information

GnuPG Dependencies

Optional

OpenLDAP-2.2.24, libusb-0.1.10a, cURL-7.14.0, MTA, DocBook-utils-0.6.14 and docbook-to-man

Installation of GnuPG

Install GnuPG by running the following commands:

./configure --prefix=/usr --libexecdir=/usr/lib &&
make

Now, as the root user:

make install &&
chmod -v 4755 /usr/bin/gpg

Command Explanations

--libexecdir=/usr/lib: This switch creates a gnupg directory in /usr/lib instead of /usr/libexec.

chmod -v 4755 /usr/bin/gpg: gpg is installed setuid root to avoid swapping out sensitive data.

Contents

Installed Programs: gpg, gpgsplit, and gpgv
Installed Libraries: None
Installed Directories: /usr/lib/gnupg and /usr/share/gnupg

Short Descriptions

gpg

is the backend (command-line interface) for this OpenPGP implementation.

gpgsplit

separates key rings.

gpgv

is a verify only version of gpg.

Tripwire-portable-0.9

Introduction to Tripwire

The Tripwire package contains programs used to verify the integrity of the files on a given system.

Package Information

Tripwire Dependencies

Optional

MTA (See Chapter 22, Mail Server Software)

Installation of Tripwire

Compile Tripwire by running the following commands:

sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg &&
./configure --prefix=/usr --sysconfdir=/etc/tripwire &&
make

Now, as the root user:

make install &&
cp -v policy/*.txt /usr/share/doc/tripwire

The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install.cfg to use an SMTP server instead.

Command Explanations

sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire.

make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key which are stored in /etc/tripwire/.

cp -v policy/*.txt /usr/share/doc/tripwire: This command installs the documentation.

Configuring Tripwire

Config Files

/etc/tripwire/*

Configuration Information

Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default Red Hat installation and will need to be updated for your system.

Policy files should be tailored to each individual distribution and/or installation. Some custom policy files can be found below:

http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt
Checks integrity of all files
http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt
Custom policy file for Base LFS 3.0 system
http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt
Custom policy file for SuSE 7.2 system

Download the custom policy file you'd like to try, copy it into /etc/tripwire/, and use it instead of twpol.txt. It is, however, recommended that you make your own policy file. Get ideas from the examples above and read /usr/share/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for beginners as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.

After your policy file has been transferred to /etc/tripwire/ you may begin the configuration steps (perform as the root user):

twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt &&
tripwire --init

Usage Information

To run a report with Tripwire after creating a policy file, use the following command:

tripwire --check > /etc/tripwire/report.txt

View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.

Please note that after you run an integrity check, you must examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with linux- and ends in .twr. This encrypted file was created during the last report creation and is needed to update the Tripwire database of your system. Then, as the root user, type in the following command making the appropriate substitutions for [?]:

tripwire --update --twrfile \
    /var/lib/tripwire/report/linux-[???????]-[??????].twr

You will be placed into vim with a copy of the report in front of you. If all the changes were good, then just type :x and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :x.

Changing the Policy File

If you are unhappy with your policy file and would like to modify it or use a new one, modify the policy file and then execute the following commands as the root user:

twadmin --create-polfile /etc/tripwire/twpol.txt &&
tripwire --init

Contents

Installed Programs: siggen, tripwire, twadmin, and twprint.
Installed Libraries: None
Installed Directories: /etc/tripwire, /usr/share/doc/tripwire, and /var/lib/tripwire

Short Descriptions

siggen

is a signature gathering utility that displays the hash function values for the specified files.

tripwire

is the main file integrity checking program.

twadmin

is an administrative and utility tool used to perform certain administrative functions related to Tripwire files and configuration options.

twprint

prints Tripwire database and report files in clear text format.

Heimdal-0.7

Introduction to Heimdal

Heimdal is a free implementation of Kerberos 5 that aims to be compatible with MIT krb5 and is backward compatible with krb4. Kerberos is a network authentication protocol. Basically it preserves the integrity of passwords in any untrusted network (like the Internet). Kerberized applications work hand-in-hand with sites that support Kerberos to ensure that passwords cannot be stolen or compromised. A Kerberos installation will make changes to the authentication mechanisms on your network and will overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper and Shadow packages.

Package Information

Additional Downloads

Heimdal Dependencies

Required

OpenSSL-0.9.7g and Berkeley DB-4.3.28

Optional

Linux-PAM-0.80, OpenLDAP-2.2.24, X (X.org-6.8.2 or XFree86-4.5.0), CrackLib-2.8.3 (compiled with the heimdal patch) and krb4

Note

Some sort of time synchronization facility on your system (like NTP-4.2.0) is required since Kerberos won't authenticate if the time differential between a kerberized client and the KDC server is more than 5 minutes.

Installation of Heimdal

Before installing the package, you may want to preserve the ftp program from the Inetutils package. This is because using the Heimdal ftp program to connect to non-kerberized ftp servers may not work properly. It will allow you to connect (letting you know that transmission of the password is clear text) but will have problems doing puts and gets. Issue the following command as the root user.

mv -v /usr/bin/ftp /usr/bin/ftpn

If you wish the Heimdal package to link against the CrackLib library (requires CrackLib-2.8.3 installed with the heimdal patch), you must apply a patch:

patch -Np1 -i ../heimdal-0.7-cracklib-1.patch

Install Heimdal by running the following commands:

patch -Np1 -i ../heimdal-0.7-fhs_compliance-1.patch &&
./configure --prefix=/usr \
            --sysconfdir=/etc/heimdal \
            --libexecdir=/usr/sbin \
            --datadir=/var/lib/heimdal \
            --localstatedir=/var/lib/heimdal \
            --enable-shared \
            --with-readline=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/heimdal-0.7/standardisation &&
install -v -m644 doc/{init-creds,layman.asc} \
    /usr/share/doc/heimdal-0.7 &&
install -v -m644 doc/standardisation/* \
    /usr/share/doc/heimdal-0.7/standardisation &&
mv -v /bin/login /bin/login.shadow &&
mv -v /bin/su /bin/su.shadow &&
mv -v /usr/bin/{login,su} /bin &&
ln -v -sf ../../bin/login /usr/bin &&
mv -v /usr/lib/lib{otp,kafs,krb5,asn1,roken,crypto}.so.* \
      /usr/lib/libdb-4.3.so /lib &&
ln -v -sf ../../lib/libdb-4.3.so /usr/lib/libdb.so &&
ln -v -sf ../../lib/libdb-4.3.so /usr/lib/libdb-4.so &&
for SYMLINK in otp.so.0.1.3  kafs.so.0.4.1   krb5.so.17.4.0 \
               asn1.so.6.1.0 roken.so.16.1.0 crypto.so.0.9.7
do
    ln -v -sf ../../lib/lib$SYMLINK \
        /usr/lib/lib`echo $SYMLINK | cut -d. -f1`.so
done
ldconfig

Command Explanations

--libexecdir=/usr/sbin: This switch puts the daemon programs into /usr/sbin.

Tip

If you want to preserve all your existing Inetutils package daemons, install the Heimdal daemons into /usr/sbin/heimdal (or wherever you want). Since these programs will be called from (x)inetd or rc scripts, it really doesn't matter where they are installed, as long as they are correctly specified in the /etc/(x)inetd.conf file and rc scripts. If you choose something other than /usr/sbin, you may want to move some of the user programs (such as kadmin) to /usr/sbin manually so they'll be in the privileged user's default PATH.

mv ... .shadow; mv ... /bin; ln -v -sf ../../bin...: The login and su programs installed by Heimdal belong in the /bin directory. The login program is symlinked because Heimdal is expecting to find it in /usr/bin. The old executables are preserved before the move to keep things sane should breaks occur.

mv ... /lib; ln -v -sf ../../lib/lib... /usr/lib...: The login and su programs installed by Heimdal link against Heimdal libraries as well as libraries provided by the OpenSSL and Berkeley DB packages. These libraries are moved to /lib to be FHS compliant and also in case /usr is located on a separate partition which may not always be mounted.

Configuring Heimdal

Config Files

/etc/heimdal/*

Configuration Information

Note

All the configuration steps shown below must be accomplished by the root user unless otherwise noted.

Master KDC Server Configuration

Create the Kerberos configuration file with the following commands:

install -v -m755 -d /etc/heimdal &&
cat > /etc/heimdal/krb5.conf << "EOF"
# Begin /etc/heimdal/krb5.conf

[libdefaults]
    default_realm = [EXAMPLE.COM]
    encrypt = true

[realms]
    [EXAMPLE.COM] = {
        kdc = [hostname.example.com]
        admin_server = [hostname.example.com]
        kpasswd_server = [hostname.example.com]
    }

[domain_realm]
    .[example.com] = [EXAMPLE.COM]

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
EOF
chmod -v 644 /etc/heimdal/krb5.conf

You will need to substitute your domain and proper hostname for the occurrences of the [hostname] and [EXAMPLE.COM] names.

default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT krb5 recommend it.

encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.

The [realms] parameters tell the client programs where to look for the KDC authentication services.

The [domain_realm] section maps a domain to a realm.

Store the master password in a key file using the following commands:

install -v -m755 -d /var/lib/heimdal &&
kstash

Create the KDC database:

kadmin -l

The commands below will prompt you for information about the principals. Choose the defaults for now unless you know what you are doing and need to specify different values. You can go in later and change the defaults, should you feel the need. You may use the up and down arrow keys to use the history feature of kadmin in a similar manner as the bash history feature.

At the kadmin> prompt, issue the following statement:

init [EXAMPLE.COM]

The database must now be populated with at least one principal (user). For now, just use your regular login name or root. You may create as few, or as many principals as you wish using the following statement:

add [loginname]

The KDC server and any machine running kerberized server daemons must have a host key installed:

add --random-key host/[hostname.example.com]

After choosing the defaults when prompted, you will have to export the data to a keytab file:

ext host/[hostname.example.com]

This should have created two files in /etc/heimdal: krb5.keytab (Kerberos 5) and srvtab (Kerberos 4). Both files should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.

Eventually, you'll want to add server daemon principals to the database and extract them to the keytab file. You do this in the same way you created the host principals. Below is an example:

add --random-key ftp/[hostname.example.com]

(choose the defaults)

ext ftp/[hostname.example.com]

Exit the kadmin program (use quit or exit) and return back to the shell prompt. Start the KDC daemon manually, just to test out the installation:

/usr/sbin/kdc &

Attempt to get a TGT (ticket granting ticket) with the following command:

kinit [loginname]

You will be prompted for the password you created. After you get your ticket, you should list it with the following command:

klist

Information about the ticket should be displayed on the screen.

To test the functionality of the keytab file, issue the following command:

ktutil list

This should dump a list of the host principals, along with the encryption methods used to access the principals.

At this point, if everything has been successful so far, you can feel fairly confident in the installation, setup and configuration of your new Heimdal Kerberos 5 installation.

Install the /etc/rc.d/init.d/heimdal init script included in the blfs-bootscripts-6.1 package:

make install-heimdal

Using Kerberized Client Programs

To use the kerberized client programs (telnet, ftp, rsh, rxterm, rxtelnet, rcp, xnlock), you first must get a TGT. Use the kinit program to get the ticket. After you've acquired the ticket, you can use the kerberized programs to connect to any kerberized server on the network. You will not be prompted for authentication until your ticket expires (default is one day), unless you specify a different user as a command line argument to the program.

The kerberized programs will connect to non-kerberized daemons, warning you that authentication is not encrypted. As mentioned earlier, only the ftp program gives any trouble connecting to non-kerberized daemons.

In order to use the Heimdal X programs, you'll need to add a service port entry to the /etc/services file for the kxd server. There is no 'standardized port number' for the 'kx' service in the IANA database, so you'll have to pick an unused port number. Add an entry to the services file similar to the entry below (substitute your chosen port number for [49150]):

kx              [49150]/tcp   # Heimdal kerberos X
kx              [49150]/udp   # Heimdal kerberos X

For additional information consult the Heimdal hint on which the above instructions are based.

Contents

Installed Programs: afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, ipropd-slave, kadmin, kadmind, kauth, kcm, kdc, kdestroy, kf, kfd, kgetcred, kinit, klist, kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd, login, mk_cmds, otp, otpprint, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, rxtelnet, rxterm, string2key, su, telnet, telnetd, tenletxr, truncate-log, verify_krb5_conf and xnlock
Installed Libraries: libasn1.[so,a], libeditline.[so,a], libgssapi.[so,a], libhdb.[so,a], libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a], libotp.[so,a], libroken.[so,a], libsl.[so,a] and libss.[so,a]
Installed Directories: /etc/heimdal, /usr/include/kadm5, /usr/share/doc/heimdal-0.7 and /var/lib/heimdal

Short Descriptions

afslog

obtains AFS tokens for a number of cells.

ftp

is a kerberized FTP client.

ftpd

is a kerberized FTP daemon.

hprop

takes a principal database in a specified format and converts it into a stream of Heimdal database records.

hpropd

is a server that receives a database sent by hprop and writes it as a local database.

ipropd-master

is a daemon which runs on the master KDC server which incrementally propagates changes to the KDC database to the slave KDC servers.

ipropd-slave

is a daemon which runs on the slave KDC servers which incrementally propagates changes to the KDC database from the master KDC server.

kadmin

is a utility used to make modifications to the Kerberos database.

kadmind

is a server for administrative access to the Kerberos database.

kauth

is a symbolic link to the kinit program.

kcm

is a process based credential cache for Kerberos tickets.

kdc

is a Kerberos 5 server.

kdestroy

removes a principal's current set of tickets.

kf

is a program which forwards tickets to a remote host through an authenticated and encrypted stream.

kfd

is a server used to receive forwarded tickets.

kgetcred

obtains a ticket for a service.

kinit

is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services.

klist

reads and displays the current tickets in the credential cache.

kpasswd

is a program for changing Kerberos 5 passwords.

kpasswdd

is a Kerberos 5 password changing server.

krb5-config

gives information on how to link programs against Heimdal libraries.

kstash

stores the KDC master password in a file.

ktutil

is a program for managing Kerberos keytabs.

kx

is a program which securely forwards X connections.

kxd

is the daemon for kx.

login

is a kerberized login program.

otp

manages one-time passwords.

otpprint

prints lists of one-time passwords.

pfrom

is a script that runs push --from.

popper

is a kerberized POP-3 server.

push

is a kerberized POP mail retrieval client.

rcp

is a kerberized rcp client program.

rsh

is a kerberized rsh client program.

rshd

is a kerberized rsh server.

rxtelnet

starts a secure xterm window with a telnet to a given host and forwards X connections.

rxterm

starts a secure remote xterm.

string2key

maps a password into a key.

su

is a kerberized su client program.

telnet

is a kerberized telnet client program.

telnetd

is a kerberized telnet server.

tenletxr

forwards X connections backwards.

verify_krb5_conf

checks krb5.conf file for obvious errors.

xnlock

is a program that acts as a secure screen saver for workstations running X.

libasn1.[so,a]

provides the ASN.1 and DER functions to encode and decode the Kerberos TGTs.

libeditline.a

is a command-line editing library with history.

libgssapi.[so,a]

contains the Generic Security Service Application Programming Interface (GSSAPI) functions which provide security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.

libhdb.[so,a]

is a Heimdal Kerberos 5 authentication/authorization database access library.

libkadm5clnt.[so,a]

contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.

libkadm5srv.[so,a]

contains the administrative authentication and password checking functions required by Kerberos 5 servers.

libkafs.[so,a]

contains the functions required to authenticate to AFS.

libkrb5.[so,a]

is an all-purpose Kerberos 5 library.

libotp.[so,a]

contains the functions required to handle authenticating one time passwords.

libroken.[so,a]

is a library containing Kerberos 5 compatibility functions.

MIT Krb5-1.4.1

Introduction to MIT Krb5

MIT krb5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos allowing single logins and encrypted communication over internal networks or the Internet.

Package Information

Installation of MIT Krb5

Note

The instructions for MIT Krb5 have not yet been validated by the BLFS Editors. Until this section is updated, the Editors recommend using Heimdal-0.7 to implement the functionality of this package.

Command Explanations

Configuring MIT Krb5

Contents

Cyrus SASL-2.1.21

Introduction to Cyrus SASL

The Cyrus SASL package contains a Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.

Package Information

Cyrus SASL Dependencies

Required

OpenSSL-0.9.7g

Optional

Linux-PAM-0.80, OpenLDAP-2.2.24, Heimdal-0.7 or MIT krb5-1.4.1, JDK-1.5.0, MySQL-4.1.12, PostgreSQL-8.0.3, Berkeley DB-4.3.28, GDBM-1.8.3, krb4, SQLite and Dmalloc

Installation of Cyrus SASL

Install Cyrus SASL by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-saslauthd=/var/run &&
make

This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, it is recommended to test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt.

Now, as the root user:

make install &&
install -v -m644 saslauthd/saslauthd.8 /usr/share/man/man8 &&
install -v -m755 -d /usr/share/doc/cyrus-sasl-2.1.21 &&
install -v -m644 doc/{*.{html,txt,fig},ONEWS,TODO} \
    saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.21 &&
install -v -m700 -d /var/lib/sasl

Command Explanations

--with-dbpath=/var/lib/sasl/sasldb2: This parameter forces the saslauthd database to be created in /var/lib/sasl instead of /etc.

--with-saslauthd=/var/run: This parameter forces saslauthd to use the FHS compliant directory /var/run for variable run-time data.

--with-ldap: This parameter enables use with OpenLDAP.

--enable-ldapdb: This parameter enables the LDAPDB authentication backend. There is a circular dependency with this parameter which requires you to build the Cyrus SASL package, then the OpenLDAP package (with SASL support), then finally building the Cyrus SASL package again with this parameter.

install -v -m644 ...: These commands install documentation which is not installed by the make install command.

install -v -m700 -d /var/lib/sasl: This directory must exist when starting saslauthd. If you're not going to be running the daemon, you may omit the creation of this directory.

Configuring Cyrus SASL

Config Files

/etc/saslauthd.conf (for LDAP configuration) and /usr/lib/sasl2/Appname.conf (where "Appname" is the application defined name of the application)

Configuration Information

See file:///usr/share/doc/cyrus-sasl-2.1.21/sysadmin.html for information on what to include in the application configuration files. See file:///usr/share/doc/cyrus-sasl-2.1.21/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.

Init Script

If you need to run the saslauthd daemon at system startup, install the /etc/rc.d/init.d/cyrus-sasl init script included in the blfs-bootscripts-6.1 package.

make install-cyrus-sasl

Note

You'll need to modify the init script and replace the [authmech] parameter to the -a switch with your desired authentication mechanism.

Contents

Installed Programs: saslauthd, sasldblistusers2, and saslpasswd2
Installed Libraries: libjavasasl.so, libsasl2.so, and numerous SASL plugins and Java classes
Installed Directories: /usr/include/sasl, /usr/lib/java/classes/sasl, /usr/lib/sasl2, /usr/share/doc/cyrus-sasl-2.1.21, and /var/lib/sasl

Short Descriptions

saslauthd

is the SASL authentication server.

sasldblistusers2

is used to list the users in the SASL password database.

saslpasswd2

is used to set and delete a user's SASL password and mechanism specific secrets in the SASL password database.

libsasl2.so

is a general purpose authentication library for server and client applications.

Stunnel-4.11

Introduction to Stunnel

The Stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. Stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.

Package Information

Stunnel Dependencies

Required

OpenSSL-0.9.7g

Optional

tcpwrappers-7.6

Installation of Stunnel

The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user, group and chroot home directory structure using the following commands as the root user:

groupadd -g 51 stunnel &&
useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel &&
install -v -m700 -o stunnel -g stunnel -d /var/lib/stunnel/run

Note

A signed SSL Certificate and a Private Key are necessary to run the stunnel daemon. If you own, or have already created, a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access); otherwise you will be prompted to create one during the installation process. The .pem file must be formatted as shown below:

-----BEGIN RSA PRIVATE KEY-----
[many encoded lines of unencrypted key]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[many encoded lines of certificate]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
[multiple encoded lines of DH parameters]
-----END DH PARAMETERS-----
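
A pre-flight check for the file described in the Note above, added here as an example (it is not part of the Stunnel package or the BLFS book): it verifies the section order, balanced BEGIN/END markers, that the key is not passphrase-protected, and that only the owner can access the file. The function names and the optional owner-UID argument are assumptions of this example; it does not verify that the key matches the certificate.

```shell
#!/bin/sh
# Added example: check a stunnel.pem against the layout required above.
EXPECTED_SECTIONS="RSA PRIVATE KEY,CERTIFICATE,DH PARAMETERS"

# write_sample_pem FILE: constructed file with placeholder bodies (no real
# key material), laid out in the required order, mode 600.
write_sample_pem() {
    cat > "$1" << 'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
Q09OU1RSVUNURUQ=
-----END DH PARAMETERS-----
EOF
    chmod 600 "$1"
}

# pem_layout FILE: print the BEGIN labels in file order, comma-separated.
# Fails if a BEGIN has no matching END or sections are nested.
pem_layout() {
    awk '
    /^-----BEGIN .*-----$/ {
        if (cur != "") { bad = 1; exit }
        cur = substr($0, 12, length($0) - 16)
        labels = labels (labels == "" ? "" : ",") cur
        next
    }
    /^-----END .*-----$/ {
        if (substr($0, 10, length($0) - 14) != cur) { bad = 1; exit }
        cur = ""
    }
    END {
        if (bad || cur != "") exit 1
        print labels
    }' "$1"
}

# check_stunnel_pem FILE [OWNER_UID]: print one line per problem found;
# return 0 only if the file is clean. OWNER_UID defaults to 0 (root).
check_stunnel_pem() {
    pem=$1
    want_uid=${2:-0}
    rc=0
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }

    if ! layout=$(pem_layout "$pem"); then
        echo "unbalanced BEGIN/END markers"; rc=1
    elif [ "$layout" != "$EXPECTED_SECTIONS" ]; then
        echo "sections are '$layout', expected '$EXPECTED_SECTIONS'"; rc=1
    fi

    # The layout calls for an unencrypted key; OpenSSL marks a
    # passphrase-protected traditional-format key with this header.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is passphrase-protected"; rc=1
    fi

    # ls -ln: field 1 is the mode string, field 3 the numeric owner.
    listing=$(ls -ln "$pem")
    mode=$(printf '%s\n' "$listing" | awk '{ print $1 }')
    uid=$(printf '%s\n' "$listing" | awk '{ print $3 }')
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid"; rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        "------") ;;
        *) echo "group/other can access the file (mode $mode)"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use, as root: sh checkpem.sh /etc/stunnel/stunnel.pem
if [ "$#" -gt 0 ]; then
    check_stunnel_pem "$@"
fi
```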

Install Stunnel by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc \
    --localstatedir=/var/lib &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

--sysconfdir=/etc: This parameter forces the configuration directory to /etc instead of /usr/etc.

--localstatedir=/var/lib: This parameter causes the installation process to create /var/lib/stunnel instead of /usr/var/stunnel.

make install: This command installs the package and, if you did not copy an stunnel.pem file to the /etc/stunnel directory, prompts you for the necessary information to create one. Ensure you reply to the

Common Name (FQDN of your server) [localhost]:

prompt with the name or IP address you will be using to access the service(s).

Configuring Stunnel

Config Files

/etc/stunnel/stunnel.conf

Configuration Information

Create a basic /etc/stunnel/stunnel.conf configuration file using the following commands:

cat >/etc/stunnel/stunnel.conf << "EOF"
# File: /etc/stunnel/stunnel.conf

pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel

EOF

Next, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:

[[service]]
accept  = [hostname:portnumber]
connect = [hostname:portnumber]

If you use Stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding [service]_stunnel service. You may have to add an appropriate entry in /etc/services as well.

For a full explanation of the commands and syntax used in the configuration file, run man stunnel. To see a BLFS example of an actual setup of an stunnel encrypted service, read the section called “Configuring SWAT” in the Samba instructions.

Boot Script

To automatically start the stunnel daemon when the system is rebooted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-6.1 package.

make install-stunnel

Contents

Installed Programs: stunnel and stunnel3
Installed Library: libstunnel.so
Installed Directories: /etc/stunnel, /var/lib/stunnel, and /usr/share/doc/stunnel

Short Descriptions

stunnel

is a program designed to work as an SSL encryption wrapper between remote clients and local ([x]inetd-startable) or remote servers.

stunnel3

is a Perl wrapper script to use stunnel 3.x syntax with stunnel >=4.05.

libstunnel.so

contains the API functions required by Stunnel.

Chapter 5. File Systems

Journaling file systems reduce the time needed to recover a file system that was not unmounted properly. While this can be extremely important in reducing downtime for servers, it has also become popular for desktop environments. This chapter contains a variety of journaling file systems.

Ext3

Ext3 is a journaling file system that is an extension to the ext2 file system. It is backward compatible with ext2 and the conversion from ext2 to ext3 is trivial.

You don't need to install anything to use ext3; all the required packages are available with a bare LFS system.

When building the kernel, ensure that you have compiled in ext3 support. If you want your root partition to be ext3, then compile the ext3 support in the kernel, else you may compile it as a module. Recompile the kernel if needed.

Edit your /etc/fstab. For each partition that you want to convert into ext3, edit the entry so that it looks similar to the following line.

/dev/hd[XX] /mnt_point ext3 defaults 1 1

In the above line, replace /dev/hd[XX] by the partition (e.g., /dev/hda2), /mnt_point by the mount point (e.g., /home). The 1 in the last field ensures that the partition will be checked for consistency during the boot process by the checkfs script as recommended by the maintainer. You may replace the ext3 fs type in the above by auto if you want to ensure that the partition is mounted even if you accidentally disable ext3 support in the kernel.

For each partition that you have converted to ext3 in /etc/fstab, enable the journal for the partition by running the following command.

tune2fs -j /dev/hd[XX]

Remount the concerned partitions, or simply reboot if you have recompiled the kernel to enable ext3 support.

More information is available at http://www.zip.com.au/~akpm/linux/ext3/ext3-usage.html. This information is still relevant to the 2.6 kernels.

ReiserFS-3.6.19

Introduction to ReiserFS

The ReiserFS package contains various utilities for use with the Reiser file system.

Package Information

Installation of ReiserFS

Install ReiserFS by running the following commands:

./configure --prefix=/usr --sbindir=/sbin &&
make

Now, as the root user:

make install &&
ln -sf reiserfsck /sbin/fsck.reiserfs &&
ln -sf mkreiserfs /sbin/mkfs.reiserfs

Command Explanations

--prefix=/usr: This ensures that the manual pages are installed in the correct location while still installing the programs in /sbin as they should be.

--sbindir=/sbin: This ensures that the ReiserFS utilities are installed in /sbin as they should be.

Contents

Installed Programs: debugreiserfs, mkreiserfs, reiserfsck, reiserfstune, and resize_reiserfs
Installed Libraries: None
Installed Directories: None

Short Descriptions

debugreiserfs

can sometimes help to solve problems with ReiserFS file systems. If it is called without options, it prints the super block of any ReiserFS file system found on the device.

mkreiserfs

creates a ReiserFS file system.

reiserfsck

is used to check or repair a ReiserFS file system.

reiserfstune

is used for tuning the ReiserFS journal. WARNING: Don't use this utility without first reading the man page thoroughly.

resize_reiserfs

is used to resize an unmounted ReiserFS file system.

XFS-2.6.25

Introduction to XFS

The XFS package contains administration and debugging tools for the XFS file system.

Package Information

Installation of XFS

Note

If you did not install the E2fsprogs package in LFS, you must install it, or UUID, before proceeding with the installation of XFS.

Install XFS by running the following commands:

sed -i 's/autoconf//' Makefile &&
make

Now, as the root user:

make install

Command Explanations

sed -i 's/autoconf//' Makefile: This command disables running autoconf because it is unnecessary.

Contents

Installed Programs: fsck.xfs, mkfs.xfs, xfs_admin, xfs_bmap, xfs_check, xfs_copy, xfs_db, xfs_freeze, xfs_growfs, xfs_info, xfs_io, xfs_logprint, xfs_mkfile, xfs_ncheck, xfs_repair, and xfs_rtcp
Installed Library: libhandle.so
Installed Directory: /usr/share/doc/xfsprogs

Short Descriptions

fsck.xfs

simply exits with a zero status, since XFS partitions are checked at mount time.

mkfs.xfs

constructs an XFS file system.

xfs_admin

changes the parameters of an XFS file system.

xfs_bmap

prints block mapping for an XFS file.

xfs_check

checks XFS file system consistency.

xfs_copy

copies the contents of an XFS file system to one or more targets in parallel.

xfs_db

is used to debug an XFS file system.

xfs_freeze

suspends access to an XFS file system.

xfs_growfs

expands an XFS file system.

xfs_info

is equivalent to invoking xfs_growfs, but specifying that no change to the file system is to be made.

xfs_io

is a debugging tool like xfs_db, but is aimed at examining the regular file I/O path rather than the raw XFS volume itself.

xfs_logprint

prints the log of an XFS file system.

xfs_mkfile

creates an XFS file, padded with zeroes by default.

xfs_ncheck

generates pathnames from inode numbers for an XFS file system.

xfs_repair

repairs corrupt or damaged XFS file systems.

xfs_rtcp

copies a file to the real-time partition on an XFS file system.

libhandle.so

contains functions to map filesystem handles to a corresponding open file descriptor for that filesystem.

Chapter 6. Editors

This chapter is referenced in the LFS book for those wishing to use other editors on their LFS system. You're also shown how some LFS installed programs benefit from being recompiled after GUI libraries have been installed.

Vim-6.3

Introduction to Vim

The Vim package, which is an abbreviation for VI IMproved, contains a vi clone with extra features as compared to the original vi.

The default LFS instructions install vim as a part of the base system. If you would prefer to link vim against X, you should recompile vim to enable GUI mode. There is no need for special instructions since X support is automatically detected.

Package Information

Additional Downloads

Vim Dependencies

Recommended

X (XFree86-4.5.0 or X.org-6.8.2)

Optional

GTK+-2.6.7, LessTif-0.94.4, Python-2.4.1, Tcl-8.4.11, Ruby-1.8.2 and GPM-1.20.1

Installation of Vim

Note

If you recompile Vim to link against X, and your X libraries are not on the root partition, you will no longer have an editor for use in emergencies. You may choose to install an additional editor, not link Vim against X, or move the current vim executable to the /bin directory under a different name such as vi.

If desired, unpack the translated messages archive:

tar -zxf ../vim-6.3-lang.tar.gz --strip-components=1

Install Vim by running the following commands:

echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h &&
echo '#define SYS_GVIMRC_FILE "/etc/gvimrc"' >> src/feature.h &&
patch -Np1 -i ../vim-6.3-security_fix-1.patch &&
./configure --prefix=/usr --with-features=huge &&
make

Now, as the root user:

make install

Command Explanations

--with-features=huge: This switch enables all the additional features available in Vim.

--enable-gui=no: If you prefer not to link Vim against X, use this switch.

Contents

A list of the reinstalled files, along with their short descriptions can be found at ../../../../lfs/view/stable/chapter06/vim.html#contents-vim.

Installed Programs: gview, gvim, gvimdiff, rgview, and rgvim
Installed Libraries: None
Installed Directory: /usr/share/vim

Short Descriptions

gview

starts gvim in read-only mode.

gvim

is the editor that runs under X and includes a GUI.

gvimdiff

edits two or three versions of a file with gvim and shows the differences.

rgview

is a restricted version of gview.

rgvim

is a restricted version of gvim.

Emacs-21.4a

Introduction to Emacs

The Emacs package contains an extensible, customizable, self-documenting real-time display editor.

Package Information

Emacs Dependencies

Optional

X (XFree86-4.5.0 or X.org-6.8.2), libjpeg-6b, libpng-1.2.8, libtiff-3.7.3, and libungif-4.1.3 or giflib-4.1.3

Installation of Emacs

Install Emacs by running the following commands:

./configure --prefix=/usr --libexecdir=/usr/sbin &&
make bootstrap

Now, as the root user:

make install

Contents

Installed Programs: b2m, ctags, ebrowse, emacs, emacsclient, etags, grep-changelog, and rcs-checkin
Installed Libraries: None
Installed Directories: /usr/sbin/emacs and /usr/share/emacs

Short Descriptions

b2m

is a program to convert mail files from RMAIL format to Unix “mbox” format.

ctags

creates cross-reference tagfile database files for source code.

ebrowse

permits browsing of C++ class hierarchies from within emacs.

emacs

is an editor.

emacsclient

attaches an emacs session to an already running emacsserver instance.

etags

is another program to generate source code cross-reference tagfiles.

grep-changelog

prints entries in Change Logs matching various criteria.

rcs-checkin

is a shell script used to check files into RCS.

Nano-1.2.5

Introduction to Nano

The nano package contains a small, simple text editor which aims to replace Pico, the default editor in the Pine package.

Package Information

Nano Dependencies

Optional

slang-1.4.9

Installation of Nano

Install nano by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc/nano \
    --enable-color --enable-multibuffer --enable-nanorc &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
install -v -m644 -D nanorc.sample /etc/nano/nanorc.sample &&
install -v -m755 -d /usr/share/doc/nano-1.2.5 &&
install -v -m644 *.html /usr/share/doc/nano-1.2.5

Configuring nano

Config Files

/etc/nano/nanorc and ~/.nanorc

Configuration Information

Example configuration (create as a system-wide /etc/nano/nanorc or a personal ~/.nanorc file)

set autoindent
set const
set fill 72
set historylog
set multibuffer
set nohelp
set regexp
set smooth
set suspend

Another example is the nanorc.sample file in the /etc/nano directory. It includes color configurations and has some documentation included in the comments.

Contents

Installed Programs: nano
Installed Libraries: None
Installed Directory: /usr/share/doc/nano

Short Descriptions

nano

is a small, simple text editor which aims to replace Pico, the default editor in the Pine package.

JOE-3.3

Introduction to JOE

JOE (Joe's own editor) is a small text editor capable of emulating WordStar, Pico, and Emacs.

Package Information

Installation of JOE

Install JOE by running the following commands:

./configure --sysconfdir=/etc --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Configuring JOE

Config Files

/etc/joe/jmacsrc, /etc/joe/joerc, /etc/joe/jpicorc, /etc/joe/jstarrc, /etc/joe/rjoerc, and ~/.joerc

Contents

Installed Programs: jmacs, joe, jpico, jstar, rjoe, and termidx
Installed Libraries: None
Installed Directory: /etc/joe

Short Descriptions

jmacs

is a symbolic link to joe used to launch Emacs emulation mode.

joe

is a small text editor capable of emulating WordStar, Pico, and Emacs.

jpico

is a symbolic link to joe used to launch Pico emulation mode.

jstar

is a symbolic link to joe used to launch WordStar emulation mode.

rjoe

is a symbolic link to joe that restricts JOE to editing only files which are specified on the command-line.

termidx

is a program used by joe to generate the termcap index file.

Ed-0.2

Introduction to Ed

Ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, both interactively and via shell scripts. Ed isn't something which many people use. It's described here because it can be used by the patch program if you encounter an ed-based patch file. This happens rarely because diff-based patches are preferred these days.

Package Information

Additional Downloads

Installation of Ed

Ed normally uses the mktemp function to create temporary files in /tmp, but this function contains a vulnerability (see the section on Temporary Files at http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html). Apply the following patch to make Ed use mkstemp instead, a secure way to create temporary files:

patch -Np1 -i ../ed-0.2-mkstemp-1.patch
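The following is an added example, not part of the BLFS book or of the Ed patch: a shell-level illustration of the difference the patch makes, comparing "choose a name, open it later" (the mktemp pattern) with "create the file in the same step and refuse an existing name" (the mkstemp pattern). All function and file names are constructed, and everything runs inside a private sandbox directory.

```shell
#!/bin/sh
# Added example: name-then-open versus create-and-refuse-existing.
# All paths live in a private sandbox; the file names are constructed.

# setup_sandbox: print the path of a fresh sandbox that holds a file which
# must stay untouched and a symlink to it sitting at the temporary name the
# program picked earlier.
setup_sandbox() {
    sb=$(mktemp -d) || return 1
    echo "original" > "$sb/precious"
    ln -s "$sb/precious" "$sb/ed.12345"
    echo "$sb"
}

# open_by_name NAME DATA: mktemp(3) pattern. The name is opened with a plain
# create-or-truncate redirection, which follows a symlink found at NAME.
open_by_name() {
    printf '%s\n' "$2" > "$1"
}

# open_exclusive NAME DATA: with noclobber (set -C) the redirection fails if
# NAME already leads to an existing file, so nothing is written through it.
open_exclusive() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# open_fresh DIR DATA: mkstemp(3) pattern. mktemp(1) chooses the name and
# creates the file in one step, mode 0600; prints the new path.
open_fresh() {
    f=$(mktemp "$1/ed.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    echo "$f"
}

# tmpfile_demo: run the three variants and show what happened to "precious".
tmpfile_demo() {
    sb=$(setup_sandbox) || return 1
    if open_exclusive "$sb/ed.12345" scratch; then r=written; else r=refused; fi
    echo "exclusive create: $r, precious = $(cat "$sb/precious")"
    open_by_name "$sb/ed.12345" scratch
    echo "open by name:     precious = $(cat "$sb/precious")"
    f=$(open_fresh "$sb" scratch) &&
        echo "mktemp(1):        $(ls -ld "$f" | cut -c1-10) ${f##*/}"
    rm -rf "$sb"
}

tmpfile_demo
```

On current Linux kernels the fs.protected_symlinks sysctl restricts following such links in sticky world-writable directories like /tmp, which is why the sandbox here is a private directory. That setting is a backstop and does not replace creating the file atomically.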

Install Ed by running the following commands:

./configure --prefix=/usr --exec-prefix="" &&
make

Now, as the root user:

make install

Command Explanations

--exec-prefix="": This forces the programs to be installed into the /bin directory. Having the programs available there is useful in the event of the /usr partition being unavailable.

Contents

Installed Programs: ed and red
Installed Libraries: None
Installed Directories: None

Short Descriptions

ed

is a line-oriented text editor.

red

is a restricted ed—it can only edit files in the current directory and cannot execute shell commands.

Bluefish-1.0.2

Introduction to Bluefish

The Bluefish package contains a powerful X Window System editor designed for web designers, but also suitable as a programmer's editor. Bluefish supports many programming and markup languages, and as such is ideal for editing XML and HTML files.

Package Information

Bluefish Dependencies

Required

GTK+-2.6.7 and PCRE-6.1

Optional

GNOME Virtual File System-2.10.1 (for remote files), Aspell-0.60.3 (for spellchecking), libgnomeui-2.10.0, GNOME MIME Data-2.4.2, desktop-file-utils-0.10 and shared-mime-info-0.16

Installation of Bluefish

Install Bluefish by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Configuring Bluefish

Config Files

~/.bluefish/*

Configuration Information

The directory ~/.bluefish is created by the program when it is first run, and the configuration files are maintained by the program automatically to preserve settings from run to run.

Contents

Installed Program: bluefish
Installed Libraries: None
Installed Directory: /usr/share/bluefish

Short Descriptions

bluefish

is an X Window System editor for markup and programming.

Other Editors

pico is a text editor installed as a part of Pine-4.63.

mcedit is a text editor installed as part of MC-4.6.1.

Chapter 7. Shells

We are all familiar with the Bourne Again SHell, but there are two other user interfaces that are considered useful modern shells -- the Berkeley Unix C shell and the Korn shell. This chapter installs packages compatible with these additional shell types.

ASH-0.4.0

Introduction to ASH

ash is the shell most compliant with the Bourne Shell (not to be confused with the Bourne Again SHell, i.e., Bash, installed in LFS), without any additional features. The Bourne Shell is available on most commercial UNIX systems, so ash is useful for testing scripts for sh compliance. It also has small memory and space requirements compared to the other sh-compliant shells.

Package Information

Additional Downloads

Installation of ASH

Install ASH by running the following commands:

patch -Np1 -i ../ash-0.4.0-cumulative_fixes-1.patch &&
make

Now, as the root user:

install -v -m 755 sh /bin/ash &&
install -v -m 644 sh.1 /usr/share/man/man1/ash.1

If you would like to make ash the default sh shell, make a symlink.

ln -v -sf ash /bin/sh

Configuring ASH

Config Files

ASH sources /etc/profile and $HOME/.profile

Contents

Installed Program: ash
Installed Libraries: None
Installed Directories: None

Short Description

ash

is a sh-compliant shell.

Tcsh-6.14.00

Introduction to Tcsh

The Tcsh package contains “an enhanced but completely compatible version of the Berkeley Unix C shell (csh)”. This is useful as an alternative shell for those who prefer C syntax to that of the bash shell, and also because some programs require the C shell in order to perform installation tasks.

Package Information

Installation of Tcsh

Install Tcsh by running the following commands:

./configure --prefix=/usr --bindir=/bin &&
make &&
sh ./tcsh.man2html

This package does not come with a test suite.

Now, as the root user:

make install &&
make install.man &&
ln -v -sf tcsh /bin/csh &&
ln -v -sf tcsh.1 /usr/man/man1/csh.1 &&
install -v -m755 -d /usr/share/doc/tcsh-6.14.00/html &&
install -v -m644 tcsh.html/* /usr/share/doc/tcsh-6.14.00/html &&
install -v -m644 FAQ /usr/share/doc/tcsh-6.14.00

Command Explanations

--bindir=/bin: This installs the tcsh program in /bin instead of /usr/bin.

sh ./tcsh.man2html: This creates HTML documentation from the formatted man page.

ln -v -sf tcsh /bin/csh: The FHS states that if there is a C shell installed, there should be a symlink from /bin/csh to it. This creates that symlink.

Configuring Tcsh

Config Files

There are numerous configuration files for the C shell. Examples of these are /etc/csh.cshrc, /etc/csh.login, /etc/csh.logout, ~/.tcshrc, ~/.cshrc, ~/.history, ~/.cshdirs, ~/.login, and ~/.logout. More information on these files can be found in the tcsh(1) man page.

Configuration Information

Update /etc/shells to include the C shell program names (as the root user):

cat >> /etc/shells << "EOF"
/bin/tcsh
/bin/csh
EOF

Contents

Installed Program: tcsh
Installed Libraries: None
Installed Directory: /usr/share/doc/tcsh-6.14.00

Short Descriptions

tcsh

is an enhanced but completely compatible version of the Berkeley Unix C shell, csh. It is usable as both an interactive shell and a script processor.

ZSH-4.2.5

Introduction to ZSH

The ZSH package contains a command interpreter (shell) usable as an interactive login shell and as a shell script command processor. Of the standard shells, ZSH most closely resembles KSH but includes many enhancements.

Package Information

ZSH Dependencies

Optional

PCRE-6.1

Installation of ZSH

Install ZSH by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
make install.info

Configuring ZSH

Config Files

There are a whole host of configuration files for ZSH including /etc/zshenv, /etc/zprofile, /etc/zshrc, /etc/zlogin, and /etc/zlogout. You can find more information on these in the zsh(1) and related man pages.

Configuration Information

Update /etc/shells to include the ZSH shell program names (as the root user):

cat >> /etc/shells << "EOF"
/usr/bin/zsh
/usr/bin/zsh-4.2.5
EOF

Contents

Installed Programs: zsh and zsh-4.2.5
Installed Libraries: None
Installed Directories: /usr/lib/zsh and /usr/share/zsh

Short Description

zsh

is a shell which has command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and a host of other features.

General Libraries and Utilities

Chapter 8. General Libraries

Libraries contain code which is often required by more than one program. This has the advantage that each program doesn't need to duplicate code (and risk introducing bugs); it just has to call functions from the libraries installed on the system. The most obvious example of a set of libraries is Glibc, which is installed during the LFS book. This contains all of the C library functions which programs use.

There are two types of libraries: static and shared. Shared libraries (usually libXXX.so) are loaded into memory from the shared copy at runtime (hence the name). Static libraries (libXXX.a) are actually linked into the program executable file itself, thus making the program file larger. Quite often, you will find both static and shared copies of the same library on your system.

Generally, you only need to install libraries when you are installing software that needs the functionality they supply. In the BLFS book, each package is presented with a list of (known) dependencies. Thus, you can figure out which libraries you need to have before installing that program. If you are installing something without using BLFS instructions, usually the README or INSTALL file will contain details of the program's requirements.

There are certain libraries which nearly everyone will need at some point. In this chapter we list these and some others and explain why you may want to install them.

PCRE-6.1

Introduction to PCRE

The PCRE package contains Perl Compatible Regular Expression libraries. These are useful for implementing regular expression pattern matching using the same syntax and semantics as Perl 5.

Package Information

Installation of PCRE

Install PCRE by running the following commands:

./configure --prefix=/usr --enable-utf8 &&
make

To test the results, issue: make runtest.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/pcre-6.1/html &&
install -v -m644 doc/html/* /usr/share/doc/pcre-6.1/html &&
install -v -m644 doc/{Tech.Notes,*.txt} /usr/share/doc/pcre-6.1

If you reinstall Grep after installing PCRE, Grep will get linked against PCRE and may cause problems if /usr is a separate mount point. To avoid this, either pass the option --disable-perl-regexp when executing ./configure for Grep or move libpcre to /lib as follows.

mv -v /usr/lib/libpcre.so.* /lib/ &&
ln -v -sf ../../lib/libpcre.so.0 /usr/lib/libpcre.so

Command Explanations

--enable-utf8: This switch includes the code for handling UTF-8 character strings in the library.

Contents

Installed Programs: pcregrep, pcretest, and pcre-config
Installed Libraries: libpcre.[so,a], libpcrecpp.[so,a] and libpcreposix.[so,a]
Installed Directory: /usr/share/doc/pcre-6.1

Short Descriptions

pcregrep

is a grep that understands Perl compatible regular expressions.

pcretest

can test a Perl compatible regular expression.

pcre-config

is used during the compile process of programs linking to the PCRE libraries.

Popt-1.7-5

Introduction to Popt

The popt package contains the popt libraries which are used by some programs to parse command-line options.

Package Information

Additional Downloads

Installation of Popt

Install popt by running the following commands:

patch -Np1 -i ../popt_1.7-5.diff &&
./configure --prefix=/usr &&
cp configure.in configure.ac &&
touch configure.in configure.ac &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

cp configure.in configure.ac: Because configure.in is updated with the patch, this file is needed for make to work properly.

touch configure.in configure.ac: Ensure file timestamps are the same.

Contents

Installed Programs: None
Installed Library: libpopt.[so,a]
Installed Directories: None

Short Descriptions

libpopt.[so,a]

is used to parse command-line options.

Slang-1.4.9

Introduction to Slang

The slang package contains the slang library, which provides facilities such as display/screen management, keyboard input, and keymaps.

Package Information

Installation of Slang

Install slang by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Now, as the unprivileged user:

make elf

And finally, as the root user:

make install-elf &&
chmod 755 /usr/lib/libslang.so.1.4.9

Command Explanations

make elf and make install-elf: These commands create and install the dynamic shared library version of slang.

Configuring Slang

Configuration Information

As with most libraries, there is no configuration to do, save that the library directory (i.e., /opt/lib or /usr/local/lib) should appear in /etc/ld.so.conf so that ldd can find the shared libraries. After checking that this is the case, /sbin/ldconfig should be run while logged in as root.

Contents

Installed Programs: None
Installed Library: libslang.[so,a]
Installed Directory: /usr/share/doc/slang

FAM-2.7.0

Introduction to FAM

The FAM package contains a File Alteration Monitor which is useful for notifying applications of changes to the file system.

Package Information

Additional Downloads

FAM Dependencies

Required

portmap-5beta

Installation of FAM

Install FAM by running the following commands:

patch -Np1 -i ../fam-2.7.0-dnotify-1.patch &&
chmod -v 755 configure &&
autoreconf -f -i &&
./configure --prefix=/usr --sysconfdir=/etc &&
make

Now, as the root user:

make install

Command Explanations

patch -Np1 -i ../fam-2.7.0-dnotify-1.patch: This patch enables FAM to use the Linux kernel dnotify mechanism to inform the calling process of file modifications, rather than polling the file system for modifications.

chmod -v 755 configure: configure is set to read-only and autoreconf will fail if the permissions aren't changed.

autoreconf -f -i: The autotools need rebuilding because the dnotify patch affects configure.ac and Makefile.am.

Configuring FAM

Config Files

/etc/rpc, /etc/fam.conf, /etc/inetd.conf or /etc/xinetd.conf or /etc/xinetd.d/fam

Configuration Information

Configuring the File Alteration Monitor. Perform the following instructions as the root user.

If you use inetd, add the FAM entry to /etc/inetd.conf with the following command:

echo "sgi_fam/1-2 stream  rpc/tcp wait root /usr/sbin/famd fam" \
    >> /etc/inetd.conf

If you use xinetd, the following command will create the FAM file as /etc/xinetd.d/sgi_fam (be sure the nogroup group exists):

cat >> /etc/xinetd.d/sgi_fam << "EOF"
# Begin /etc/xinetd.d/sgi_fam

# description: FAM - file alteration monitor
    service sgi_fam
    {
        type            = RPC UNLISTED
        socket_type     = stream
        user            = root
        group           = nogroup
        server          = /usr/sbin/famd
        wait            = yes
        protocol        = tcp
        rpc_version     = 2
        rpc_number      = 391002
    }

# End /etc/xinetd.d/sgi_fam
EOF

If you do not have an inetd daemon installed and have no wish to install one, you can also start famd during system startup by installing the /etc/rc.d/init.d/fam init script included in the blfs-bootscripts-6.1 package.

make install-fam

Contents

Installed Program: famd
Installed Library: libfam.[so,a]
Installed Directories: None

Short Descriptions

famd

is the file alteration monitor daemon.

libfam.[so,a]

contains functions that support the file alteration monitor.

Libxml-1.8.17

Introduction to Libxml

The libxml package contains the libxml libraries. These are useful for parsing XML files.

Package Information

Installation of Libxml

Install libxml by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Program: xml-config
Installed Library: libxml.[so,a]
Installed Directories: /usr/include/gnome-xml and /usr/share/gnome-xml

Short Descriptions

libxml.[so,a]

provides the functions for programs to parse files that use the XML format.

Libxml2-2.6.20

Introduction to Libxml2

The libxml2 package contains XML libraries. These are useful for parsing XML files.

Package Information

Libxml2 Dependencies

Optional

Python-2.4.1

Installation of Libxml2

Install libxml2 by running the following commands:

./configure --prefix=/usr --with-history &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--with-history: Enables readline support.

Contents

Installed Programs: xml2-config, xmlcatalog, and xmllint
Installed Libraries: libxml2.[so,a] and optionally, the libxml2mod.[so,a] Python module
Installed Directories: /usr/include/libxml2, /usr/share/doc/libxml2-2.6.20, and /usr/share/doc/libxml2-python-2.6.20

Short Descriptions

xml2-config

determines the compile and linker flags that should be used to compile and link programs that use libxml2.

xmlcatalog

is used to monitor and manipulate XML and SGML catalogs.

xmllint

parses XML files and outputs reports (based upon options) to detect errors in XML coding.

libxml2.[so,a]

libraries provide the functions for programs to parse files that use the XML format.

Libxslt-1.1.14

Introduction to Libxslt

The libxslt package contains XSLT libraries. These are useful for extending libxml2 libraries to support XSLT files.

Package Information

Libxslt Dependencies

Required

libxml2-2.6.20

Optional

Python-2.4.1 and libgcrypt

Installation of Libxslt

Install libxslt by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Programs: xslt-config and xsltproc
Installed Libraries: libexslt.[so,a], libxslt.[so,a] and optionally, libxsltmod.[so,a] Python modules
Installed Directories: /usr/include/libxslt, /usr/share/doc/libxslt-1.1.14, and /usr/share/doc/libxslt-python-1.1.14

Short Descriptions

xslt-config

is used to find out the pre-processor, linking and compiling flags necessary to use the libxslt libraries in 3rd-party programs.

xsltproc

is used to apply XSLT stylesheets to XML documents.

libxslt.[so,a]

provides extensions to the libxml2 libraries to parse files that use the XSLT format.

libexslt.[so,a]

is used to provide extensions to XSLT functions.

GMP-4.1.4

Introduction to GMP

The GMP package contains math libraries. These have useful functions for arbitrary precision arithmetic.

Package Information

Installation of GMP

Install GMP by running the following commands:

./configure --prefix=/usr --enable-cxx --enable-mpbsd &&
make

To test the results, issue: make check. Owing to various reports of mis-compilations, the maintainer strongly recommends running the test suite and reporting any failures. The libraries should not be used in a production environment if there are problems running make check.

Now, as the root user:

make install

Command Explanations

--enable-cxx: This parameter enables C++ support by building the libgmpxx libraries.

--enable-mpbsd: This parameter enables building the Berkeley MP compatibility (libmp) libraries.

Contents

Installed Programs: None
Installed Libraries: libgmp.[so,a], libgmpxx.[so,a] and libmp.[so,a]
Installed Directories: None

Short Descriptions

libgmp.[so,a]

contains functions to operate on signed integers, rational numbers, and floating point numbers.

GDBM-1.8.3

Introduction to GDBM

The GDBM package contains the GNU Database Manager. This is a disk file format database which stores key/data-pairs in single files. The actual data of any record being stored is indexed by a unique key, which can be retrieved in less time than if it was stored in a text file.

Package Information

Installation of GDBM

Install GDBM by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make BINOWN=root BINGRP=root install

In addition, you may need to install the DBM and NDBM compatibility headers and library since some applications look for these older dbm routines.

make BINOWN=root BINGRP=root install-compat

Command Explanations

make BINOWN=root BINGRP=root install: This command overrides the BINOWN and BINGRP variables in the Makefile changing ownership of the installed files to root instead of the bin user.

Contents

Installed Programs: None
Installed Libraries: libgdbm.[so,a] and libgdbm_compat.[so,a]
Installed Directories: None

Short Descriptions

libgdbm.[so,a]

contains functions to manipulate a hashed database.

GLib-1.2.10

Introduction to GLib

The glib package contains a low-level core library. This is useful for providing data structure handling for C, portability wrappers and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system.

Package Information

Additional Downloads

Installation of GLib

Install glib by running the following commands:

patch -Np1 -i ../glib-1.2.10-gcc34-1.patch &&
./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
chmod -v 755 /usr/lib/libgmodule-1.2.so.0.0.10

Contents

Installed Programs: glib-config
Installed Libraries: libglib.[so,a], libgmodule.[so,a] and libgthread.[so,a]
Installed Directories: /usr/include/glib-1.2 and /usr/lib/glib

Short Descriptions

glib-config

is a tool that is used by configure scripts to determine the compiler and linker flags that should be used to compile and link programs that use GLib.

libglib.[so,a]

libraries contain a low-level core library for the GIMP Toolkit.

GLib-2.6.4

Introduction to GLib

The glib package contains a low-level core library. This is useful for providing data structure handling for C, portability wrappers and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system.

Package Information

Glib Dependencies

Required

pkg-config-0.19

Optional

GTK-Doc-1.3

Installation of GLib

Install glib by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--enable-gtk-doc: This switch will rebuild the API documentation during the make command.

Contents

Installed Programs: glib-genmarshal, glib-gettextize, glib-mkenums, and gobject-query
Installed Libraries: libglib-2.0.so, libgobject-2.0.so, libgmodule-2.0.so, and libgthread-2.0.so
Installed Directories: /usr/include/glib-2.0, /usr/lib/glib-2.0, /usr/share/glib-2.0, /usr/share/gtk-doc/html/glib, and /usr/share/gtk-doc/html/gobject

Short Descriptions

glib-genmarshal

is a C code marshaller generation utility for GLib closures.

glib-gettextize

is a variant of the gettext internationalization utility.

glib-mkenums

is a C language enum description generation utility.

gobject-query

is a small utility that draws a tree of types.

GLib libraries

contain a low-level core library for the GIMP Toolkit.

LibIDL-0.8.5

Introduction to LibIDL

The libIDL package contains libraries for Interface Definition Language files. This is a specification for defining portable interfaces.

Package Information

LibIDL Dependencies

Required

GLib-2.6.4

Installation of LibIDL

Install libIDL by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Program: libIDL-config-2
Installed Library: libIDL-2.[so,a]
Installed Directory: /usr/include/libIDL-2.0/libIDL

Short Descriptions

libIDL-config-2

determines the compile and linker flags that should be used to compile and link programs that use libIDL-2.

libIDL-2.[so,a]

libraries provide the functions to create and maintain trees of CORBA Interface Definition Language (IDL) files.

Libcroco-0.6.0

Introduction to Libcroco

The libcroco package contains libcroco libraries. This is useful for providing a CSS API.

Package Information

Libcroco Dependencies

Required

GLib-2.6.4 and libxml2-2.6.20

Installation of Libcroco

Install libcroco by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Program: csslint-0.6
Installed Library: libcroco.[so,a]
Installed Directory: /usr/include/libcroco-0.6.0

Libgsf-1.12.0

Introduction to Libgsf

The libgsf package contains libgsf libraries. These are useful for providing an extensible input/output abstraction layer for structured file formats.

Package Information

Libgsf Dependencies

Required

GLib-2.6.4 and libxml2-2.6.20

Optional

GNOME Virtual File System-2.10.1 (required for GNOME-2 support) and GTK-Doc-1.3

Installation of Libgsf

Install libgsf by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Programs: None
Installed Libraries: libgsf-1.[so,a] and optionally, libgsf-gnome-1.[so,a]
Installed Directories: /usr/include/libgsf-1 and /usr/share/gtk-doc/html/gsf

Libglade-2.5.1

Introduction to Libglade

The libglade package contains libglade libraries. These are useful for loading Glade interface files in a program at runtime.

Package Information

Libglade Dependencies

Required

libxml2-2.6.20 and GTK+-2.6.7

Optional

Python-2.4.1 and GTK-Doc-1.3

Installation of Libglade

Install libglade by running the following commands:

./configure --prefix=/usr &&
make

Now, as the root user:

make install

Command Explanations

--enable-gtk-doc: This switch can be added to rebuild the HTML documentation.

Contents

Installed Program: libglade-convert (requires python and pyexpat.so)
Installed Library: libglade-2.0.[so,a]
Installed Directories: /usr/include/libglade-2.0, /usr/share/xml/libglade, and /usr/share/gtk-doc/html/libglade

Short Descriptions

libglade-convert

is used to convert old Glade interface files to Glade-2.0 standards.

libglade-2.0.[so,a]

contain the functions necessary to load Glade interface files.

Expat-1.95.8

Introduction to Expat

The expat package contains a stream oriented C library for parsing XML.

Package Information

Expat Dependencies

Optional

Check (for running the test suite)

Installation of Expat

Install expat by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Program: xmlwf
Installed Library: libexpat.[so,a]
Installed Directories: None

Short Descriptions

xmlwf

is a non-validating utility to check whether or not XML documents are well formed.

libexpat.[so,a]

contains API functions for parsing XML.

Libesmtp-1.0.3r1

Introduction to Libesmtp

The libesmtp package contains the libesmtp libraries which are used by some programs to manage email submission to a mail transport layer.

Package Information

Libesmtp Dependencies

Optional

OpenSSL-0.9.7g

Installation of Libesmtp

Install libesmtp by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Program: libesmtp-config
Installed Libraries: libesmtp.[so,a] and libesmtp SASL plugins
Installed Directory: /usr/lib/esmtp-plugins

Short Descriptions

libesmtp-config

displays version information and the options used to compile libesmtp.

libesmtp.[so,a]

is used to manage submission of electronic mail to a Mail Transport Agent.

libesmtp SASL plugins

are used to integrate libesmtp with SASL authentication.

Aspell-0.60.3

Introduction to Aspell

The Aspell package contains an interactive spell checking program and the Aspell libraries. Aspell can either be used as a library or as an independent spell checker.

Package Information

Additional Downloads

You'll need to download at least one dictionary. The link below will take you to a page containing links to dictionaries in many languages.

Aspell Dependencies

Required

which-2.16

Installation of Aspell

Install Aspell by running the following commands:

./configure --prefix=/usr &&
make

Now, as the root user:

make install

If you do not plan to install Ispell, then copy the wrapper script ispell:

install -v -m 755 scripts/ispell /usr/bin/

If you do not plan to install Spell, then copy the wrapper script spell:

install -v -m 755 scripts/spell /usr/bin/

Configuring Aspell

Configuration Information

After Aspell is installed, you must set up at least one dictionary. Install one or more dictionaries by running the following commands:

./configure &&
make

Now, as the root user:

make install

Contents

Installed Programs: aspell, aspell-import, precat, preunzip, prezip, prezip-bin, pspell-config, run-with-aspell, word-list-compress and optionally, ispell and spell
Installed Libraries: libaspell.so and libpspell.so
Installed Directories: /usr/include/pspell and /usr/lib/aspell-0.60

Short Descriptions

aspell

is a utility that can function as an ispell -a replacement, as an independent spell checker, as a test utility to test out Aspell features, and as a utility for managing dictionaries.

ispell

is a wrapper around aspell to invoke it in ispell compatible mode.

spell

is a wrapper around aspell to invoke it in spell compatible mode.

aspell-import

imports old personal dictionaries into Aspell.

precat

decompresses a prezipped file to stdout.

preunzip

decompresses a prezipped file.

prezip

is a prefix delta compressor, used to compress sorted word lists or other similar text files.

prezip-bin

is called by the various wrapper scripts to perform the actual compressing and decompressing.

pspell-config

displays information about the libpspell installation, mostly for use in build scripts.

run-with-aspell

is a script to help use Aspell as an ispell replacement.

word-list-compress

compresses or decompresses sorted word lists for use with the Aspell spell checker.

libaspell.so

contains spell checking API functions.

libpspell.so

is an interface to the libaspell library. All the spell checking functionality is now in libaspell but this library is included for backward compatibility.

Ispell-3.2.06.epa7

Introduction to Ispell

The ispell package contains a spell checker that can handle international languages.

Package Information

Installation of Ispell

The first step is to create local.h.

sed -e "s:/usr/local:/usr:g" -e "s:/lib:/share/ispell:" \
    local.h.linux > local.h

By default, ispell only installs an American English dictionary. To set up other languages, check out the config.X file for the #define entry to append to local.h.

Build ispell using the following commands:

make

To test the build, issue: make test.

Now, as the root user:

make install

Command Explanations

sed -e "s:/usr/local:/usr:g" -e "s:/lib:/share/ispell:" local.h.linux > local.h: This command corrects the installation directories of the package.

Contents

Installed Program: ispell
Installed Libraries: None
Installed Directory: /usr/share/ispell

Short Descriptions

ispell

is used for spell checking.

SLIB-3a1

Introduction to SLIB

The SLIB package is a portable library for the programming language Scheme. It provides a platform independent framework for using “packages” of Scheme procedures and syntax. SLIB contains useful packages for all Scheme implementations, including Guile. Its catalog can be transparently extended to accommodate packages specific to a site, implementation, user or directory.

Package Information

Additional Downloads

SLIB Dependencies

Required

Guile-1.6.7

Installation of SLIB

Install SLIB by issuing the following commands:

patch -Np1 -i ../slib-3a1-automate_install-1.patch &&
make

Now, as the root user:

make prefix=/usr/ install &&
make prefix=/usr/ catalogs &&
make prefix=/usr/ installinfo

Command Explanations

make prefix=/usr/ catalogs: This command builds the SLIB Scheme implementation catalog.

make prefix=/usr/ installinfo: This command installs the info documentation.

Contents

Installed Program: slib
Installed Libraries: a Scheme library system.
Installed Directory: /usr/share/guile/slib

Short Descriptions

slib

is a shell script used to initialize SLIB in a named Scheme implementation. It can also be used to initialize an SLIB session using a given executable.

G-Wrap-1.3.4

Introduction to G-Wrap

The G-Wrap package contains tools for exporting C libraries into Scheme interpreters.

Package Information

G-Wrap Dependencies

Required

Guile-1.6.7

Optional

GLib-1.2.10, GTK+-1.2.10 and guile-gtk

Installation of G-Wrap

Install G-Wrap by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Program: g-wrap-config
Installed Libraries: /usr/lib/libgw-*.[so,a] and /usr/lib/libgwrap-*.[so,a]
Installed Directories: /usr/include/g-wrap and /usr/share/guile/g-wrap

Short Descriptions

g-wrap-config

is a tool to generate CFLAGS for linking C code to the Scheme runtime libraries.

LZO-2.01

Introduction to LZO

LZO is a data compression library which is suitable for data decompression and compression in real-time. This means it favors speed over compression ratio.

Package Information

LZO Dependencies

Optional

NASM-0.98.39 and Dmalloc

Installation of LZO

Install LZO by running the following commands:

./configure --prefix=/usr --enable-shared &&
make

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/lzo-2.01 &&
install -v -m644 doc/* /usr/share/doc/lzo-2.01

Contents

Installed Programs: None
Installed Library: liblzo2.[so,a]
Installed Directory: /usr/share/doc/lzo-2.01

Short Descriptions

liblzo2.[so,a]

is a data compression and decompression library.

Libusb-0.1.10a

Introduction to Libusb

The libusb package contains a library used by some applications for USB device access.

Package Information

Libusb Dependencies

Optional (Required to Build the HTML User Manual)

OpenJade-1.3.2 and DocBook SGML DTD-4.2

Optional (Required to Build the API Documentation)

Doxygen-1.4.3 and GraphViz

Installation of Libusb

Install libusb by running the following commands:

./configure --prefix=/usr --disable-build-docs &&
make

If you wish to build the API documentation, issue the following command:

make apidox

Now, as the root user:

make install

If you built the HTML user manual, install it using the following commands as the root user:

install -v -d -m755 /usr/share/doc/libusb-0.1.10a/html &&
install -v -m644 doc/html/* /usr/share/doc/libusb-0.1.10a/html

If you built the API documentation, install it using the following commands as the root user:

install -v -d -m755 /usr/share/doc/libusb-0.1.10a/apidocs &&
install -v -m644 apidocs/html/* \
    /usr/share/doc/libusb-0.1.10a/apidocs

Command Explanations

--disable-build-docs: This switch avoids building the HTML user manual. If you wish to build the user manual, you may need to remove the OpenSP catalog definitions from the system SGML catalogs. Use the following command before building the package to accomplish this:

sed -i.orig \
    -e "/CATALOG \/etc\/sgml\/OpenSP-1.5.1.cat/d" \
    /etc/sgml/catalog \
    /etc/sgml/sgml-docbook.cat

Configuring Libusb

libusb requires the usbfs kernel filesystem to be mounted on /proc/bus/usb. Applications require the files in this directory to be accessible to the user, sometimes for both reading and writing. To restrict access to USB devices, ensure the usb group exists on your system. If necessary, create the usb group using the following command:

groupadd -g 14 usb

Ensure that you have compiled the “USB device filesystem” directly into the kernel or compiled it as a module (listing the resulting “usbcore” module in the /etc/sysconfig/modules file). You should also have an entry similar to the line below in your /etc/fstab file:

usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0
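
The access restriction above depends on two things: devgid must name a group that exists, and devmode must grant nothing to other users. The following is an added example, not part of the BLFS book, that checks both; the function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit the usbfs access controls.
# File paths are parameters, so the check can be pointed at /etc/fstab and
# /etc/group or at copies of them. The function names are hypothetical.

# usbfs_opt FSTAB KEY: print the value of KEY in the usbfs entry's option field.
usbfs_opt() {
    awk -v key="$2" '
        $1 !~ /^#/ && $3 == "usbfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                split(opts[i], kv, "=")
                if (kv[1] == key) { print kv[2]; exit }
            }
        }' "$1"
}

# group_for_gid GROUPFILE GID: print the name of the group that owns GID.
group_for_gid() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# audit_usbfs FSTAB GROUPFILE: report each finding; return 0 only when the
# entry names an existing group and grants nothing to "other".
audit_usbfs() {
    au_rc=0
    au_gid=$(usbfs_opt "$1" devgid)
    au_mode=$(usbfs_opt "$1" devmode)
    au_group=""
    if [ -n "$au_gid" ]; then
        au_group=$(group_for_gid "$2" "$au_gid")
    fi

    if [ -z "$au_gid" ]; then
        echo "FAIL: usbfs entry has no devgid= option"; au_rc=1
    elif [ -z "$au_group" ]; then
        echo "FAIL: devgid=$au_gid matches no group in $2"; au_rc=1
    else
        echo "ok: devgid=$au_gid is group '$au_group'"
    fi

    case $au_mode in
        "")       echo "FAIL: usbfs entry has no devmode= option"; au_rc=1 ;;
        *[!0-7]*) echo "FAIL: devmode=$au_mode is not an octal mode"; au_rc=1 ;;
        *)
            # The leading 0 makes the shell read the mode as octal.
            if [ $(( 0$au_mode & 07 )) -ne 0 ]; then
                echo "FAIL: devmode=$au_mode grants access outside the group"
                au_rc=1
            else
                echo "ok: devmode=$au_mode grants nothing to other users"
            fi ;;
    esac
    return "$au_rc"
}

# Constructed sample files: the fstab line from the text, a weakened variant
# of it, and two minimal group files (with and without the usb group).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0\n' \
    > "$SAMPLE_DIR/fstab.book"
printf 'usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0666  0  0\n' \
    > "$SAMPLE_DIR/fstab.weak"
printf 'root:x:0:\nusb:x:14:\n' > "$SAMPLE_DIR/group"
printf 'root:x:0:\n'            > "$SAMPLE_DIR/group.nousb"

for f in fstab.book fstab.weak; do
    echo "== $f"
    audit_usbfs "$SAMPLE_DIR/$f" "$SAMPLE_DIR/group" || echo "=> $f needs fixing"
done
echo "== fstab.book on a system without the usb group"
audit_usbfs "$SAMPLE_DIR/fstab.book" "$SAMPLE_DIR/group.nousb" \
    || echo "=> create the usb group first"
```

On a live system, call audit_usbfs /etc/fstab /etc/group after editing either file.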

Contents

Installed Program: usb-config
Installed Libraries: libusb.[so,a] and libusbpp.[so,a]
Installed Directory: /usr/share/doc/libusb-0.1.10a

Short Descriptions

usb-config

is a script that provides the right compiler and linker flags for programs using libusb.

libusb.[so,a]

libraries contain C functions for accessing USB hardware.

Chapter 9. Graphics and Font Libraries

Depending on what your system will be used for, you may or may not require the graphics and font libraries. Most desktop machines will want them for use with graphical applications. Most servers on the other hand, will not require them.

Libjpeg-6b

Introduction to Libjpeg

The libjpeg package contains libraries that allow compression of image files based on the Joint Photographic Experts Group standard. It is a "lossy" compression algorithm.

Package Information

Installation of Libjpeg

Install libjpeg by running the following commands:

./configure --prefix=/usr --enable-static --enable-shared &&
make

To test the results, issue: make test.

Now, as the root user:

make install

Command Explanations

--enable-static --enable-shared: These switches tell libjpeg to build both shared and static libraries.

Configuring Libjpeg

Configuration Information

As with most libraries, there is no configuration to do, save that the library directory (e.g., /opt/lib or /usr/local/lib) should appear in /etc/ld.so.conf so that ldd can find the shared libraries. After checking that this is the case, /sbin/ldconfig should be run while logged in as root.

Contents

Installed Programs: cjpeg, djpeg, jpegtran, rdjpgcom, and wrjpgcom
Installed Library: libjpeg.[so,a]
Installed Directories: None

Short Descriptions

cjpeg

compresses image files to produce a JPEG/JFIF file on the standard output. Currently supported input file formats are: PPM (PBMPLUS color format), PGM (PBMPLUS gray-scale format), BMP, and Targa.

djpeg

decompresses image files from JPEG/JFIF format to either PPM (PBMPLUS color format), PGM (PBMPLUS gray-scale format), BMP, or Targa format.

jpegtran

is used for lossless transformation of JPEG files.

rdjpgcom

displays text comments from within a JPEG file.

wrjpgcom

inserts text comments into a JPEG file.

libjpeg.[so,a]

library is used by many programs for reading and writing JPEG format files.

Libpng-1.2.8

Introduction to Libpng

The libpng package contains libraries used by other programs for reading and writing PNG files.

Package Information

Additional Downloads

Installation of Libpng

Install libpng by running the following commands:

patch -Np1 -i ../libpng-1.2.8-link_to_proper_libs-1.patch &&
make prefix=/usr ZLIBINC= \
    ZLIBLIB= -f scripts/makefile.linux

To test the results, issue: make -f scripts/makefile.linux test.

Now, as the root user:

make prefix=/usr install -f scripts/makefile.linux

Command Explanations

ZLIBINC=; ZLIBLIB=: This forces libpng to look for the Zlib includes and libraries in the default locations (/usr/include and /usr/lib respectively).

-f scripts/makefile.linux: This points make at the Linux version of the Makefile as libpng doesn't use an Autoconf routine. Instead, it has various Makefiles for different platforms.

Configuring Libpng

Configuration Information

As with most libraries, there is no configuration to do, save that the library directory (e.g., /opt/lib or /usr/local/lib) should appear in /etc/ld.so.conf so that ldd can find the shared libraries. After checking that this is the case, /sbin/ldconfig should be run while logged in as root.

Contents

Installed Programs: libpng-config and libpng12-config
Installed Libraries: libpng.[so,a] and libpng12.[so,a]
Installed Directory: /usr/include/libpng12

Short Descriptions

libpng-config

is a symlink to libpng12-config.

libpng12-config

provides configuration information for libpng.

libpng.[so,a] and libpng12.[so,a]

are a collection of routines used to create and manipulate PNG format graphics files. The PNG format was designed as a replacement for GIF and, to a lesser extent, TIFF, with many improvements and extensions and lack of patent problems.

Libtiff-3.7.3

Introduction to Libtiff

The libtiff package contains the TIFF libraries and associated utilities. The libraries are used by many programs for reading and writing TIFF files and the utilities are useful for general work with TIFF files.

Package Information

Libtiff Dependencies

Optional

libjpeg-6b, X (XFree86-4.5.0 or X.org-6.8.2) and freeglut-2.4.0

Installation of Libtiff

Install libtiff by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Programs: bmp2tiff, fax2ps, fax2tiff, gif2tiff, pal2rgb, ppm2tiff, ras2tiff, raw2tiff, rgb2ycbcr, thumbnail, tiff2bw, tiff2pdf, tiff2ps, tiff2rgba, tiffcmp, tiffcp, tiffdither, tiffdump, tiffgt, tiffinfo, tiffmedian, tiffset, and tiffsplit
Installed Libraries: libtiff.[so,a] and libtiffxx.[so,a]
Installed Directory: /usr/share/doc/tiff-3.7.3

Short Descriptions

bmp2tiff

converts a Microsoft Windows Device Independent Bitmap image file to a TIFF image.

fax2ps

converts a TIFF facsimile to a compressed PostScript file.

fax2tiff

creates a TIFF Class F fax file from raw fax data.

gif2tiff

creates a TIFF file from a GIF87 format image file.

pal2rgb

converts a palette color TIFF image to a full color image.

ppm2tiff

creates a TIFF file from a PPM image file.

ras2tiff

creates a TIFF file from a Sun rasterfile.

raw2tiff

converts a raw byte sequence into TIFF.

rgb2ycbcr

converts non-YCbCr TIFF images to YCbCr TIFF images.

thumbnail

creates a TIFF file with thumbnail images.

tiff2bw

converts a color TIFF image to grayscale.

tiff2pdf

converts a TIFF image to a PDF document.

tiff2ps

converts a TIFF image to a PostScript file.

tiff2rgba

converts a wide variety of TIFF images into an RGBA TIFF image.

tiffcmp

compares two TIFF files.

tiffcp

copies (and possibly converts) a TIFF file.

tiffdither

converts a grayscale image to bilevel using dithering.

tiffdump

prints verbatim information about TIFF files.

tiffgt

displays an image stored in a TIFF file in an X window.

tiffinfo

prints information about TIFF files.

tiffmedian

applies the median cut algorithm to data in a TIFF file.

tiffset

sets the value of a TIFF header to a specified value.

tiffsplit

splits a multi-image TIFF into single-image TIFF files.

libtiff.[so,a]

contains the API functions used by the libtiff programs as well as other programs to read and write TIFF files.

libtiffxx.[so,a]

contains the C++ API functions used by programs to read and write TIFF files.

Libungif-4.1.3

Introduction to Libungif

The libungif package contains libraries for reading all GIFs and writing non-compressed ones as well as programs for converting and working with GIF files. The libraries are useful for any graphics program wishing to deal with GIF files while the programs are useful for conversion purposes as well as cleaning up images.

libungif only writes non-compressed GIFs because of a legal issue with LZW compression (which Unisys claimed a patent on). Reading GIFs is not a problem as the decompression routines do not seem to be limited in this way. Note that this has in the past been disputed. The best way to avoid this whole mess is to simply use libungif for looking at GIF images on the web, while in any pages which you design, use the open source PNG format instead (which uses, not surprisingly, the libpng library) which has no patent issues at all.

Package Information

Libungif Dependencies

Optional

X (XFree86-4.5.0 or X.org-6.8.2)

Installation of Libungif

Install libungif by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/libungif-4.1.3/html &&
install -v -m644 doc/*.{png,html} \
    /usr/share/doc/libungif-4.1.3/html &&
install -v -m644 doc/*.txt \
    /usr/share/doc/libungif-4.1.3

Contents

Installed Programs: gif2epsn, gif2ps, gif2rgb, gif2x11, gifasm, gifbg, gifburst, gifclip, gifclrmp, gifcolor, gifcomb, gifcompose, giffiltr, giffix, gifflip, gifhisto, gifinfo, gifinter, gifinto, gifovly, gifpos, gifrotat, gifrsize, gifspnge, giftext, gifwedge, icon2gif, raw2gif, rgb2gif, and text2gif
Installed Library: libungif.[so,a]
Installed Directory: /usr/share/doc/libungif-4.1.3

Short Descriptions

gif2epsn

dumps images saved as GIF files on Epson type printers.

gif2ps

prints GIF files on laser printers supporting PostScript.

gif2rgb

converts images saved as GIF to 24-bit RGB image(s).

gif2x11

displays images saved as GIF files under X Window System.

gifasm

assembles multiple GIFs into one, or bursts a multiple-image GIF.

gifbg

generates a single-color test pattern GIF.

gifburst

bursts a GIF image into subrectangles.

gifclip

clips or crops a GIF image.

gifclrmp

modifies GIF image colormaps.

gifcolor

generates color test patterns.

gifcomb

combines 2 GIF images of exactly the same size into one.

gifcompose

uses (un)giflib tools to compose images.

giffiltr

is template code for filtering a GIF sequentially.

giffix

clumsily attempts to fix truncated GIF images.

gifflip

flips a GIF image along the X or Y axis or rotates it by 90 degrees.

gifhisto

generates a color-frequency histogram from a GIF.

gifinfo

gives information on a GIF file.

gifinter

converts between interlaced and non-interlaced images.

gifinto

is an end-of-pipe fitting for GIF-processing pipelines.

gifovly

generates one composite GIF from a multiple-image GIF.

gifpos

changes a GIF's screen size or reconditions it.

gifrotat

rotates a GIF through any desired angle.

gifrsize

resizes a GIF by deletion or duplication of bits.

gifspnge

is template code for filtering a GIF with in-core operations.

giftext

prints (text only) general information about a GIF.

gifwedge

creates a test GIF image resembling a color monitor test pattern.

icon2gif

is a converter/deconverter to/from an editable text format.

raw2gif

converts raw 8-bit image data into GIF files.

rgb2gif

converts 24 bit images to a GIF image using color quantization.

text2gif

generates GIF images out of regular text in 8x8 font.

Giflib-4.1.3

Introduction to Giflib

The giflib package contains libraries for reading and writing GIFs as well as programs for converting and working with GIF files. The libraries are useful for any graphics program wishing to deal with GIF files while the programs are useful for conversion purposes as well as cleaning up images.

Package Information

Giflib Dependencies

Optional

X (XFree86-4.5.0 or X.org-6.8.2)

Installation of Giflib

Install giflib by running the following commands:

./configure --prefix=/usr &&
make

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/giflib-4.1.3/html &&
install -v -m644 doc/*.{png,html} \
    /usr/share/doc/giflib-4.1.3/html &&
install -v -m644 doc/*.txt \
    /usr/share/doc/giflib-4.1.3

Contents

Installed Programs: gif2epsn, gif2ps, gif2rgb, gif2x11, gifasm, gifbg, gifburst, gifclip, gifclrmp, gifcolor, gifcomb, gifcompose, giffiltr, giffix, gifflip, gifhisto, gifinfo, gifinter, gifinto, gifovly, gifpos, gifrotat, gifrsize, gifspnge, giftext, gifwedge, icon2gif, raw2gif, rgb2gif, and text2gif
Installed Library: libgif.[so,a]
Installed Directory: /usr/share/doc/giflib-4.1.3

Short Descriptions

gif2epsn

dumps images saved as GIF files on Epson type printers.

gif2ps

prints GIF files on laser printers supporting PostScript.

gif2rgb

converts images saved as GIF to 24-bit RGB images.

gif2x11

displays images saved as GIF files under X Window System.

gifasm

assembles multiple GIFs into one, or bursts a multiple-image GIF.

gifbg

generates a single-color test pattern GIF.

gifburst

bursts a GIF image into subrectangles.

gifclip

clips or crops a GIF image.

gifclrmp

modifies GIF image colormaps.

gifcolor

generates color test patterns.

gifcomb

combines two GIF images of exactly the same size into one.

gifcompose

uses giflib tools to compose images.

giffiltr

is a template for filtering a GIF sequentially.

giffix

clumsily attempts to fix truncated GIF images.

gifflip

flips a GIF image along the X or Y axis or rotates an image by 90 degrees.

gifhisto

generates a color-frequency histogram from a GIF.

gifinfo

gives information about a GIF file.

gifinter

converts between interlaced and non-interlaced images.

gifinto

is an end-of-pipe fitting for GIF-processing pipelines.

gifovly

generates one composite GIF from a multiple-image GIF.

gifpos

changes a GIF's screen size or reconditions it.

gifrotat

rotates a GIF through any desired angle.

gifrsize

resizes a GIF by deletion or duplication of bits.

gifspnge

is a template for filtering a GIF with in-core operations.

giftext

prints (text only) general information about a GIF file.

gifwedge

creates a test GIF image resembling a color monitor test pattern.

icon2gif

is a converter/deconverter to/from an editable text format.

raw2gif

converts raw 8-bit image data into GIF files.

rgb2gif

converts 24 bit images to a GIF image using color quantization.

text2gif

generates GIF images out of regular text in 8x8 font.

libgif.[so,a]

contains API functions required by the giflib programs and any other programs needing library functionality to read, write and manipulate GIF images.

Lcms-1.14

Introduction to Lcms

The lcms library is used by other programs to provide color management facilities.

Package Information

  • Download (HTTP): http://www.littlecms.com/lcms-1.14.tar.gz

  • Download (FTP):

  • Download MD5 sum: 5a803460aeb10e762d97e11a37462a69

  • Download size: 654 KB

  • Estimated disk space required: 18.4 MB

  • Estimated build time: 0.34 SBU (includes building the Python module)

Additional Downloads

Lcms Dependencies

Optional

libtiff-3.7.3, libjpeg-6b and Python-2.4.1 (with SWIG)

Installation of Lcms

Install lcms by running the following commands:

patch -Np1 -i ../lcms-1.14-gcc343-1.patch &&
./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/lcms-1.14 &&
install -v -m644 doc/* /usr/share/doc/lcms-1.14

Contents

Installed Programs: icc2ps, icclink, icctrans, wtpt and optionally, tifficc and jpegicc
Installed Libraries: liblcms.[so,a] and the optional _lcms.so Python module
Installed Directory: /usr/share/doc/lcms-1.14

Short Descriptions

icc2ps

generates PostScript CRD or CSA from ICC profiles.

icclink

links two or more profiles into a single device link profile.

icctrans

is a color space conversion calculator.

wtpt

shows media white of profiles, identifying black body locus.

tifficc

is an ICC profile applier for TIFF files.

jpegicc

is an ICC profile applier for JPEG files.

liblcms.[so,a]

is used by the lcms programs as well as other programs to provide color management facilities.

Libmng-1.0.9

Introduction to Libmng

The libmng libraries are used by programs wanting to read and write Multiple-image Network Graphics (MNG) files which are the animation equivalents to PNG files.

Package Information

Libmng Dependencies

Required

libjpeg-6b and lcms-1.14

Installation of Libmng

Install libmng by running the following commands:

cp makefiles/makefile.linux Makefile &&
make

Now, as the root user:

make prefix=/usr install &&
install -v -m644 doc/man/*.3 /usr/share/man/man3 &&
install -v -m644 doc/man/*.5 /usr/share/man/man5 &&
install -v -m755 -d /usr/share/doc/libmng-1.0.9 &&
install -v -m644 doc/*.{png,txt} /usr/share/doc/libmng-1.0.9

Command Explanations

cp makefiles/makefile.linux Makefile: There are no autotools shipped with this package. The Linux Makefile is copied to the root of the source tree, facilitating the installation.

install ...: The documentation files are not installed by the installation procedure, so they are copied manually.

Contents

Installed Programs: None
Installed Library: libmng.[so,a]
Installed Directory: /usr/share/doc/libmng-1.0.9

Short Descriptions

libmng.[so,a]

provides functions for programs wishing to read and write MNG files which are animation files without the patent problems associated with certain other formats.

FreeType-2.1.10

Introduction to FreeType2

The FreeType2 package contains a library to allow applications to properly render TrueType fonts.

Package Information

Installation of FreeType2

Install FreeType2 by running the following commands:

sed -i -r 's:.*(#.*BYTE.*) .*:\1:' \
     include/freetype/config/ftoption.h &&
./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

sed -i -r 's:.*(#.*BYTE.*) .*:\1:' include/freetype/config/ftoption.h: Uncomments configuration options.

Contents

Installed Program: freetype-config
Installed Library: libfreetype.[so,a]
Installed Directory: /usr/include/freetype2

Short Descriptions

freetype-config

is used to get FreeType compilation and linking information.

libfreetype.[so,a]

contains functions to add TrueType font capabilities to the X Window system.

Fontconfig-2.3.2

Introduction to Fontconfig

The Fontconfig package is a library for configuring and customizing font access.

Package Information

Note

The numbering system of Fontconfig is unusual. The beta versions of the package are numbered with a 9x in the last portion of the release number. This means that 2.3.90 is a beta release, and the most current release is of the form 2.3.2.

Fontconfig Dependencies

Required

FreeType-2.1.10 and expat-1.95.8

Optional

DocBook-utils-0.6.14

Note

If you have DocBook-utils installed and you remove the --disable-docs parameter from the configure command below, you must have SGMLSpm and JadeTeX-3.13 installed also, or the Fontconfig build will fail.

Installation of Fontconfig

Install Fontconfig by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc --disable-docs &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/fontconfig/fontconfig-devel &&
install -v -m644 doc/*.3 /usr/share/man/man3 &&
install -v -m644 doc/*.5 /usr/share/man/man5 &&
install -v -m644 doc/*.{html,pdf,txt} /usr/share/doc/fontconfig &&
install -v -m644 doc/fontconfig-devel/* \
    /usr/share/doc/fontconfig/fontconfig-devel

Command Explanations

--disable-docs: This switch avoids building the documentation (the release tarball includes pre-generated documentation).

Configuring Fontconfig

Config Files

/etc/fonts/* and /etc/fonts/conf.d/*

Configuration Information

The configuration file for Fontconfig is /etc/fonts/fonts.conf. Generally you do not want to edit this file. To put a new font directory in the configuration, create (or update) the /etc/fonts/local.conf file with your local information. The default locations of fonts in Fontconfig are:

  • /usr/share/fonts

  • ~/.fonts
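One way to produce a local.conf that adds font directories is sketched below. This is an added example, not part of the BLFS instructions; the function names and the two sample directories are assumptions chosen for illustration.

```shell
#!/bin/sh
# Generate a Fontconfig local.conf with one <dir> element per font directory.
# The directories used at the bottom are sample values, not BLFS defaults.

# Escape the characters that are special in XML text.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print a local.conf on standard output. Only absolute paths are accepted,
# so the resulting file is unambiguous; anything else returns status 1.
make_local_conf() {
    for d in "$@"; do
        case $d in
            /*) ;;
            *)  echo "not an absolute path: $d" >&2; return 1 ;;
        esac
    done
    echo '<?xml version="1.0"?>'
    echo '<!DOCTYPE fontconfig SYSTEM "fonts.dtd">'
    echo '<fontconfig>'
    for d in "$@"; do
        printf '  <dir>%s</dir>\n' "$(xml_escape "$d")"
    done
    echo '</fontconfig>'
}

# Review the output, then, as the root user, save it as
# /etc/fonts/local.conf and run fc-cache to rebuild the font caches.
make_local_conf /usr/local/share/fonts "/opt/fonts/R&D"
```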

Note

X also includes an internal (and older) version of Fontconfig. Unless it is explicitly disabled when building Xorg or XFree86, the internal version is also created, leaving two slightly incompatible libraries on your system. It is recommended that you install only one version.

Contents

Installed Programs: fc-cache, fc-list, and fc-match
Installed Library: libfontconfig.[so,a]
Installed Directories: /etc/fonts and /usr/include/fontconfig

Short Descriptions

fc-cache

is used to create font information caches.

fc-list

is used to create font lists.

fc-match

is used to match available fonts, or find fonts that match a given pattern.

libfontconfig.[so,a]

contains functions used by the Fontconfig programs and also by other programs to configure or customize font access.

Libart_lgpl-2.3.17

Introduction to Libart_lgpl

The libart_lgpl package contains the libart libraries. These are useful for high-performance 2D graphics.

Package Information

Installation of Libart_lgpl

Install libart_lgpl by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Program: libart2-config
Installed Library: libart_lgpl_2.[so,a]
Installed Directory: /usr/include/libart-2.0

Short Descriptions

libart_lgpl_2.[so,a]

is used as the anti-aliased render engine for libgnomecanvas and as a graphics support library for many other packages.

Librsvg-2.9.5

Introduction to Librsvg

The librsvg package contains librsvg libraries and tools used to manipulate, convert and view Scalable Vector Graphic (SVG) images.

Package Information

Librsvg Dependencies

Required

GTK+-2.6.7, libxml2-2.6.20, libart_lgpl-2.3.17 and popt-1.7-5

Optional

libcroco-0.6.0, libgsf-1.12.0, GNOME Virtual File System-2.10.1, libgnomeprintui-2.10.2, Mozilla-1.7.8, GTK-Doc-1.3 and DocBook-utils-0.6.14

Installation of Librsvg

Install librsvg by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc \
    --disable-gtk-doc &&
make

Now, as the root user:

make install

Command Explanations

--disable-gtk-doc: This option prevents the rebuilding of documentation during the make command.

Contents

Installed Programs: rsvg and rsvg-view
Installed Libraries: librsvg-2.[so,a], GTK+ modules and Mozilla plugins
Installed Directories: /usr/include/librsvg-2 and /usr/share/gtk-doc/html/rsvg