Copyright © 2001-2005 BLFS Development Team
All rights reserved.
Descriptive text is licensed under a Creative Commons License.
Computer instructions are licensed under the Academic Free License v. 2.1.
Linux® is a registered trademark of Linus Torvalds.
2005-08-14
Revision History

Revision | Date | Release |
---|---|---|
Revision 6.1 | 2005-08-14 | Fifth release |
Revision 6.0 | 2005-04-02 | Fourth release |
Revision 5.1 | 2004-06-05 | Third release |
Revision 5.0 | 2003-11-06 | Second release |
Revision 1.0 | 2003-04-25 | First release |
Abstract
This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.
Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS were the LFS hints (http://www.linuxfromscratch.org/hints). Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS - hence BLFS.
BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.
Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!
Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs at irc.linuxfromscratch.org. You can find more details about all of these in the Introduction section of the book.
Enjoy using BLFS.
Mark Hymers
markh <at> linuxfromscratch.org
BLFS Editor (July 2001–March 2003)
I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do: I waited for someone else to do it. It wasn't too long before I was looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.
We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.
Larry Lawrence
larry <at> linuxfromscratch.org
BLFS Editor (March 2003–June 2004)
The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan "Your distro, your rules."
Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.
Bruce Dubbs
bdubbs <at> linuxfromscratch.org
BLFS Editor (June 2004–Present)
Version 6.0 is a major milestone in the evolution of BLFS. This version provides installation instructions for 357 packages and an additional 21 sections covering configuration and customization of different aspects of your system.
Changes and upgrades to the individual packages are detailed in the Change Log. There you will see literally hundreds of changes made since the last edition. In this change log, one name that you will see over and over is Randy McMurchy. Without his efforts this release would not have been possible. I want to take this opportunity to thank him for the hundreds of hours he has worked to produce this release. I also want to thank the other editors, both past and present, whose insight and effort have made this current version possible. Last, but certainly not least, I want to thank our resident XSL wizard, Manuel Canales Esparcia, whose ability to format a complicated document such as BLFS is truly amazing.
There are two other areas of change that are worthy of note. First, the license that BLFS is released under has changed significantly. In fact, it is now released under two licenses. The first license, the Creative Commons License, covers the descriptive text in the book. The second, the Academic Free License v. 2.1, covers the instructions actually used to build and install the packages. These licenses, along with the book itself, represent our ongoing commitment to open and free software.
The final area of change is the addition of an Index. This section of the book is still incomplete, but as the book continues to be developed, will become an excellent resource for finding programs, libraries, configuration files, and references to kernel configuration requirements. I hope you find it useful.
Bruce Dubbs
March 17, 2005
Version 6.1 is an incremental update of BLFS. This version continues the tradition of providing an extensive set of instructions for extending a basic Linux From Scratch system. The instructions in this version of BLFS are based on the LFS 6.1 Book. As usual, the list of packages that have been upgraded or added is in the Change Log.
One major accomplishment in this version of the book is the completion of the Index. This section is now a relatively complete (but not perfect) reference for the components of the various packages in the book.
In any task as large and complex as this book, there are bound to be errors. The editors of the book are dedicated to keeping the book up to date. We appreciate any feedback in helping us to make the book as accurate as possible. The best place to provide comments is via the mailing list at blfs-dev@linuxfromscratch.org.
Enjoy!
Bruce Dubbs
August 1, 2005
This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, but for one reason or another want to manually build software and are in need of some assistance. BLFS can be used to create a range of diverse systems and so the target audience is probably nearly as wide as that of the LFS book. If you found LFS useful, you should also like this!
Since Release 5.0, the BLFS book version matches the LFS book version. This book may be incompatible with a previous or later release of the LFS book.
This book is divided into the following parts.
This part contains information which is essential to the rest of the book.
Here we introduce basic configuration and security issues. We also discuss a range of editors, file systems, and shells which aren't covered in the main LFS book.
In this section we cover libraries which are often needed by the rest of the book as well as system utilities. Information on Programming (including recompiling GCC to support its full range of languages) concludes this part.
Here we cover how to connect to a network when you aren't using the simple static IP setup given in the main LFS book.
Networking libraries and command-line networking tools make up the bulk of this part.
Here we deal with setting up mail and other servers (such as SSH, Apache, etc.).
This part explains how to set up a basic X Window System installation along with some generic X libraries and Window managers.
For those who want to use the K Desktop Environment or some parts of it, this part covers it.
GNOME is the main alternative to KDE in the Desktop Environment arena and we cover both GNOME-1.4 and GNOME-2.10 here.
Office programs and graphical web browsers are important to most people. They, along with some generic X software can be found in this part of the book.
Here we cover setting up multimedia libraries and drivers along with some audio, video and CD-writing programs.
The PST part of the book covers document handling, from applications like Ghostscript, CUPS and DocBook to installing TeX.
The Appendices cover information which doesn't belong in the main book; they are mainly there as a reference.
The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.
Please read most of this part of the book carefully as it explains quite a few of the conventions we use throughout the book.
We would like to thank the following people and organizations for their contributions toward the BLFS and LFS projects:
All those people listed on the Credits page for submitting patches, instructions and corrections to the book. The former editor would especially like to thank Bruce, Larry and Billy for their enormous inputs to the project.
Mark Stone <mstone <at> linux.com> for donating the linuxfromscratch.org servers.
Gerard Beekmans <gerard <at> linuxfromscratch.org> for starting and writing the vast majority of the LFS project.
Jesse Tie-Ten-Quee <higho <at> linuxfromscratch.org> for answering many questions on IRC, having a great deal of patience and for not killing the former editor for the joke in the original BLFS announcement!
DREAMWVR.COM for their ongoing sponsorship by donating various resources to the LFS and related sub projects.
Robert Briggs for donating the linuxfromscratch.org and linuxfromscratch.com domain names.
Frank Skettino <bkenoah <at> oswd.org> at OSWD for coming up with the initial design of the LFS and BLFS websites.
Garrett LeSage <garrett <at> linux.com> for creating the LFS banner.
Jeff Bauman (former co-editor of the book) for his assistance with getting BLFS off the ground.
Countless other people on the various LFS and BLFS mailing lists who are making this book happen by giving their suggestions, testing the book and submitting bug reports.
Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project. If you are in the list and wish to have your email address included, again please drop us a line at bdubbs@linuxfromscratch.org and we'll be happy to add it. We don't include email addresses by default so if you want it included, please state so when you contact us.
Editor: Bruce Dubbs <bdubbs@linuxfromscratch.org>
Co-Editors: Randy McMurchy, Larry Lawrence, Igor Zivkovic, DJ Lucas, Tushar Teredesai, David Jensen, Manuel Canales Esparcia, and Richard Downing.
Chapter 01: Based on the LFS introductory text by Gerard Beekmans, modified by Mark Hymers for BLFS.
Chapter 02: The /usr versus /usr/local debate: Andrew McMurry.
Chapter 02: Going beyond BLFS: Tushar Teredesai.
Chapter 02: Package Management: Tushar Teredesai.
Chapter 03: /etc/inputrc: Chris Lynn.
Chapter 03: Customizing your logon & vimrc: Mark Hymers.
Chapter 03: /etc/shells: Igor Zivkovic.
Chapter 03: Random number script: Larry Lawrence.
Chapter 03: Creating a Custom Boot Device: Bruce Dubbs.
Chapter 03: The Bash Shell Startup Files: James Robertson, revised by Bruce Dubbs.
Chapter 03: Compressed docs: Olivier Peres.
Chapter 04: Firewalling: Henning Rohde with thanks to Jeff Bauman. Revised by Bruce Dubbs.
Chapter 11: Which: Mark Hymers with many thanks to Seth Klein and Jesse Tie-Ten-Quee.
Chapter 25: X Window System Environment: Bruce Dubbs.
Chapter 27: Intro to Window Managers: Bruce Dubbs.
Chapters 28 and 29: KDE: Bruce Dubbs.
Chapters 30, 31, and 32: GNOME: Larry Lawrence.
aalib, Alsa, ffmpeg, gocr, MPlayer, opendivx, transcode, xvid and xsane: Alex Kloss
AbiWord, at-spi, ATK, audiofile, avifile, bc, bonobo-activation, bug-buddy, cdrdao, cdrtools, cpio, curl, dhcp, enlightenment, eog, esound, fcron, fluxbox, FNLIB, gail, galeon, gconf-editor, gdbm, gedit, gimp, GLib2, gmp, gnet, gnome-applets, gnome-desktop, gnome-games, gnome-icon-theme, gnome-libs, gnome-media, gnome-mime-data, gnome-panel, gnome-session, gnome-system-monitor, gnome-terminal, gnome-themes, gnome-utils, gnome-vfs, gnome2-user-docs, gnumeric, GTK+2, gtk-doc, gtk-engines, gtk-thinice-engine, eel, imlib, intltool, lame, libao, libart_lgpl, libbonobo, libbonoboui, libgail-gnome, libglade2, libgnome, libgnomecanvas, libgnomeprint, libgnomeprintui, libgnomeui, libgsf, libgtkhtml, libgtop, libIDL, libogg, librep, librsvg, libvorbis, libwnck, libxml2, libxslt, linc, LPRng, Linux_PAM, metacity, MIT Kerberos 5, MPlayer, mutt, nautilus, nautilus-media, oaf, OpenJade, OpenSP, OpenSSH, ORBit, ORBit2, pan, Pango, pccts, pcre, pkgconfig, postfix, procmail, Python, QT, rep-gtk, ruby, sawfish, scrollkeeper, sgml-common, sgml-dtd, shadow, startup-notification, unzip, vorbis-tools, vte, wget, XFce, xine, xml-dtd, yelp and zip: Larry Lawrence
CDParanoia, mpg123, SDL and XMMS: Jeroen Coumans
alsa, cvs, dhcpcd, gpm, hdparm, libjpeg, libmng, libpng, libtiff, libungif, giflib, links, lynx, openssl, tcsh, which, zsh, zlib: Mark Hymers
traceroute: Jeff Bauman
db and lcms: Jeremy Jones and Mark Hymers
aspell, balsa, bind, bonobo, bonobo-conf, cvs server, db-3.3.11, db-3.1.17, emacs, evolution, exim, expat, gal, gnome-print, GnuCash, gtkhtml, guppi, guile, g-wrap, leafnode, lesstif, libcapplet, libesmtp, libfam, libghttp, libglade, pine, portmap, PostgreSQL, pspell, qpopper, readline, reiserfs, Samba, sendmail, slrn, soup, tex, tcp-wrappers, and xinetd: Billy O'Connor
ProFTPD and rsync: Daniel Baumann
ESP Ghostscript: Matt Rogers
ALSA Tools, Apache Ant, Cyrus-SASL, DejaGnu, desktop-file-utils, DocBook DSSSL Stylesheets, DocBook-utils, Ethereal, Evolution Data Server, Exim (many additions), Expect, FOP, FreeTTS, FriBidi, gnome-audio, gnome-backgrounds, gnome-menus, GNOME Doc Utils, GnuCash (many additions), Heimdal, HTML Tidy, JadeTeX, Java Access Bridge, LessTif (rewrite), libexif, libgail-gnome, libgnomecups, MPlayer (extensive overhaul), Other Programming Tools, PDL, Perl Modules, pilot-link, Samba 3 (many additions), Shadow (rewrite), SANE (original instructions by Alex Kloss), SLIB, Stunnel, Sysstat and system-tools-backends: Randy McMurchy
Screen: Andreas Pedersen
PHP: Jeremy Utley
Gimp-Print and libusb: Alexander E. Patrakov
Fetchmail and WvDial: Paul Campbell
UDFtools, Perl modules (initial version) and Bluefish: Richard Downing
Epiphany, FLAC, File Roller, GNOME Magnifier, GNOME Netstatus, GNOME Speech, GOK, GPdf, GnomeMeeting, Gnopernicus, Imlib2, LZO, MC, NASM, Nautilus CD Burner, OpenQuicktime, Speex, XScreenSaver, Zenity, compface, freeglut, gcalctool, gucharmap, id3lib, kde-i18n, kdeaccessibility, kdebindings, kdesdk, kdevelop, kdewebdev, libFAME, liba52, libdv, libdvdcss, libdvdread, libmad, libmikmod and libmpeg3: Igor Zivkovic
tripwire: Manfred Glombowski
ALSA Firmware, ALSA OSS, inetutils, gdk, GLib, GTK+, libxml and vim: James Iwanek
iptables: Henning Rohde
joe, nano, nmap, slang, w3m and whois: Timothy Bauscher
MySQL: Jesse Tie-Ten-Quee
fontconfig, gcc, gcc2, jdk, mozilla, nas, openoffice, ispell, nail, ImageMagick, hd2u, STLport, tcl, tk and bind-utils: Tushar Teredesai
cracklib, libpcap, ncpfs, netfs, ppp(update), RP-PPPoE, Samba-3 and Subversion: DJ Lucas
ntp: Eric Konopka
nfs-utils: Reinhard
Fernando Arbeiza for doing great quality assurance on Shadow utilizing PAM. The machine access he saved may have been yours.
Archaic for troubleshooting the mozilla section by performing multiple builds and for providing a description of the various mozilla extensions.
Gerard Beekmans for generally putting up with us and for running the whole LFS project.
Oliver Brakmann for developing the dhcpcd patch for FHS compliance.
Ian Chilton for writing the nfs hint.
Nathan Coulson for writing the new network bootscripts.
Nathan Coulson, DJ Lucas and Zack Winkles for reworking the bootscripts used throughout the book.
Jim Harris for writing the dig-nslookup-host.txt hint on which the bind-utils instructions are based.
Lee Harris for writing the gpm.txt hint on which our gpm instructions are based.
Marc Heerdink for creating patches for tcp_wrappers and portmap and for writing the gpm2.txt hint on which our gpm instructions are based.
Mark Hymers for initiating the BLFS project and writing many of the initial chapters of the book.
J_Man for submitting a gpm-1.19.3.diff file on which our gpm instructions are based.
Jeremy Jones (otherwise known as mca) for hacking Makefiles and general assistance.
Steffen Knollmann for revising the JadeTeX instructions to work with Tex-3.0.
Eric Konopka for writing the ntp.txt hint on which the ntp section is based.
Scot McPherson for writing the gnome-1.4.txt hint from which useful information was gathered and for warning us that GNOME Version 2.0 may not be ready to put in the book.
Alexander E. Patrakov for patches and suggestions to improve the book content, assistance with alsa dev.d helpers, and increasing the l10n awareness.
Ted Riley for writing the Linux-PAM + CrackLib + Shadow hint on which reinstalling Shadow to use PAM is based.
Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. This is because LFS provides instructions on how to create a base system which is capable of turning into anything from a web server to a multimedia desktop system. BLFS is where we try to guide you in the process of going from the base system to your intended destination. Choice is very much involved.
Everyone who reads the book will want to read certain sections. The Introduction part–which you are currently reading–contains generic information. Especially take note of the information in Important Information (Chapter 2, Important Information), as this contains comments about how to unpack software and various other aspects which apply throughout the book.
The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals with not just configuration but also Security (Chapter 4, Security), File Systems (Chapter 5, File Systems), Editors (Chapter 6, Editors) and Shells (Chapter 7, Shells). Indeed, you may wish to reference certain parts of this chapter (especially the sections on Editors and File Systems) while building your LFS system.
Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This part contains information on many items which are prerequisites for other sections of the book as well as some items (such as Programming (Chapter 12, Programming)) which are useful in their own right. Note that you don't have to install all of the libraries and packages found in this part to start with; each BLFS install procedure tells you which packages it depends upon, so you can choose the program you want to install and see what it needs.
Likewise, most people will probably want to look at the Connecting to a Network and Basic Networking parts. The first of these deals with connecting to the Internet or your LAN using a variety of methods such as DHCP (Chapter 14, DHCP Clients) and Dial-Up Connections (Chapter 13, Dial-up Networking). The second of these parts deals with items such as Networking Libraries (Chapter 16, Networking Libraries) and various basic networking programs and utilities.
Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that Servers also contains information on various database packages.
The next parts of the book principally deal with desktop systems. This portion of the book starts with a part talking about X and Window Managers. This part also deals with some generic X-based libraries (Chapter 26, X Libraries). After this, KDE and GNOME are given their own parts which are followed by one on X Software.
The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA-1.0.9 instructions from this chapter quite near the start of their BLFS journey; they are placed here simply because it is the most logical place for them.
The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems and even those who are creating mainly server systems will find it useful.
We hope you enjoy using BLFS and find it useful.
To make things easy to follow, there are a number of conventions used throughout the book. Following are some examples:
./configure --prefix=/usr
This form of text is designed to be typed exactly as seen unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.
install-info: unknown option `--dir-file=/mnt/lfs/usr/info/dir'
This form of text (fixed width text) shows screen output, probably as the result of commands issued, and is also used to show filenames such as /boot/grub/grub.conf.
Emphasis
This form of text is used for several purposes in the book but mainly to emphasize important points or to give examples as to what to type.
http://www.linuxfromscratch.org/
This form of text is used for hypertext links external to the book such as HowTo's, download locations, websites, etc.
This form of text is used for links internal to the book such as another section describing a different package.
cat > $LFS/etc/group << "EOF"
root:x:0:
bin:x:1:
......
EOF
This type of section is used mainly when creating configuration files. The first command (in bold) tells the system to create the file $LFS/etc/group from whatever is typed on the following lines until the sequence EOF is encountered. Therefore, this whole section is generally typed as seen.
[REPLACED TEXT]
This form of text is used to encapsulate text that should be modified and is not to be typed as seen, or copy and pasted. Note that the square brackets are not part of the text, but should be substituted for as well.
root
This form of text is used to show a specific system user reference in the instructions.
This is BLFS-BOOK version 6.1 dated August 14th, 2005. If this version is older than a month, a newer version is probably already available for download. Check one of the mirror sites below for updated versions.
The BLFS project has a number of mirrors set up worldwide to make it easier and more convenient for you to access the website. Please visit the http://www.linuxfromscratch.org/mirrors.html website for the list of current mirrors.
Within the BLFS instructions, each package has two references for finding the source files for the package—an http link and an ftp link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.
To overcome this problem, the BLFS Team, with the assistance of Server Beach, has made an http/ftp site available at anduin.linuxfromscratch.org. This site has all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need, get it there.
We would like to ask a favor, however. Although this is a public resource for you to use, we do not want to abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.
Please note that the Change Log only lists which editor was responsible for putting the changes into SVN; please read the Credits page in Chapter 1 for details on who wrote what.
6.1 – August 14th, 2005
August 19th, 2005 [dj]: Updated dev.d scripts and surrounding text in alsa-utils.
August 12th, 2005 [randy]: Added a command to the PostgreSQL instructions to fix broken ownership of installed files.
August 11th, 2005 [randy]: Applied a patch contributed by stirling to fix many broken download URLs.
August 11th, 2005 [randy]: Added a new section "Other Programming Tools" to Chapter 12 - Programming.
August 9th, 2005 [bdubbs]: BLFS-6.1-pre2 release.
August 9th, 2005 [dj]: Added default PATH for pam_env and a note about the lack of ENV_SUPATH.
August 8th, 2005 [randy]: Added instructions to install patches to Ruby and NASM that fix security vulnerabilities discovered in both packages, thanks to Ken Moffat for the suggestions.
August 8th, 2005 [randy]: Modified documentation installation in the Fontconfig instructions.
August 8th, 2005 [randy]: Modified the Shadow instructions so that builders will not receive configuration errors during the testing recommended by the warning note.
August 7th, 2005 [randy]: Removed building the MPFR library from the GMP instructions.
July 31st, 2005 [randy]: Updated to libpcap-0.9.3 and moved the instructions from Chapter 8 "General Libraries" to Chapter 16 "Networking libraries"; updated to HTML Tidy-050722 and Ethereal-0.10.12.
July 31st, 2005 [dj]: Updated bootscripts tarball, added ALSA dev.d helper scripts, corrected SSL instructions for postfix, and updated postfix to 2.2.5.
July 31st, 2005 [richard]: Updated to firefox-1.0.6.
July 30th, 2005 [bdubbs]: Updated to fetchmail-6.2.5.2.
July 30th, 2005 [bdubbs]: Updated to mc-4.6.1.
July 30th, 2005 [richard]: Updated to thunderbird-1.0.6 with enigmail-0.92.0 and ipc-1.1.3.
July 30th, 2005 [tushar]: Added boot-time consistency check for ext3 partitions.
July 29th, 2005 [bdubbs]: Updated to exim-5.52.
July 29th, 2005 [bdubbs]: Updated to iptables-1.3.3.
July 29th, 2005 [richard]: Revised wording about LFS newsserver.
July 29th, 2005 [richard]: Updated to fcron-2.9.7 changing dependency wording for the required text editor.
July 28th, 2005 [richard]: Updated to curl-7.14.0.
July 28th, 2005 [richard]: Updated to LZO-2.01.
July 28th, 2005 [richard]: Updated to libvorbis-1.1.1 and vorbis-tools-1.1.1.
July 28th, 2005 [dj]: Added security patch for OpenOffice and removed broken optimization patch for JDK.
July 27th, 2005 [bdubbs]: Updated escape sequence explanation in the /etc/issue discussion in Chapter 3.
July 27th, 2005 [tushar]: Updated to aspell-0.60.3.
July 27th, 2005 [tushar]: Updated to libxml2-2.6.20.
July 27th, 2005 [tushar]: Updated to pkg-config-0.19.
July 27th, 2005 [tushar]: Updated to speex-1.0.5.
July 27th, 2005 [bdubbs]: Updated to KDE-3.4.1.
July 27th, 2005 [djensen]: Updated to Bluefish-1.0.2.
July 27th, 2005 [djensen]: Updated to ImageMagick-6.2.3-5.
July 25th, 2005 [djensen]: Updated to ALSA-1.0.9.
July 25th, 2005 [tushar]: Fix symlink related bug in cpio. See Bug # 1464.
July 25th, 2005 [randy]: Updated to Heimdal-0.7.
July 25th, 2005 [djensen]: Updated to Imlib2-1.2.1.
July 25th, 2005 [djensen]: Updated to freeglut-2.4.0.
July 25th, 2005 [tushar]: Added optional defines to xorg to allow installation into standard directories.
July 24th, 2005 [dj]: Updated to Linux-PAM-0.80 and corrected sed for /etc/login.defs in Shadow instructions.
July 24th, 2005 [randy]: Updated to CrackLib-2.8.3.
July 23rd, 2005 [djensen]: Added security patch to Mpg123.
July 23rd, 2005 [randy]: Updated to Shadow-4.0.9 via a patch from DJ Lucas.
July 22nd, 2005 [randy]: Added textual updates to the "After LFS Configuration" chapter.
July 21st, 2005 [randy]: Added additional text to the "Conventions" and "Unpacking" sections; numerous typo, grammar and tagging fixes to the "Introduction" chapter.
July 20th, 2005 [tushar]: Added testsuite to pango.
July 20th, 2005 [larry]: Removed document instructions from mysql, no longer in package.
July 20th, 2005 [randy]: Updated to Stunnel-4.11.
July 19th, 2005 [randy]: Updated to Doxygen-1.4.3.
July 18th, 2005 [randy]: Updated to Nail-11.24 and Cyrus-SASL-2.1.21.
July 17th, 2005 [randy]: Updated to GnuCash-1.8.11.
July 17th, 2005 [tushar]: Updated Notes on Building Software.
July 14th, 2005 [randy]: Added Finance::QuoteHist module and dependencies to Perl Modules instructions.
July 14th, 2005 [djensen]: Updated to Tcl-8.4.11 and Tk-8.4.11.
July 14th, 2005 [djensen]: Updated to Gst-plugins-0.8.10.
July 14th, 2005 [bdubbs]: Updated to koffice-1.4.0b.
July 13th, 2005 [randy]: Major overhaul to the Perl Modules instructions including adding new modules, removing obsolete modules, adding additional dependencies, complete text rewrite and new page layout.
July 12th, 2005 [djensen]: Updated to Nmap-3.81.
July 11th, 2005 [tushar]: Install static library and header in PCI Utilities.
July 11th, 2005 [djensen]: Remove inappropriate patch from OpenSSL-0.9.7g.
July 10th, 2005 [djensen]: Added recommendation to skip the Berkeley DB test-suite.
July 9th, 2005 [djensen]: Updated to Libpcap-0.9.1.
July 9th, 2005 [djensen]: Updated to Libtiff-3.7.3.
July 9th, 2005 [tushar]: For fcron, replace switch --with-answer-all=no with --with-boot-install=no.
July 9th, 2005 [tushar]: Added make check to intltool.
July 9th, 2005 [dj]: Updated blfs-bootscripts and added RTC instructions to MPlayer.
July 8th, 2005 [tushar]: Added document installation to fontconfig.
July 7th, 2005 [djensen]: Added document installation to NTP-4.2.0.
July 3rd, 2005 [tushar]: Added note on installation of ispell and spell wrappers in aspell.
July 3rd, 2005 [tushar]: Added note that gmp testsuite is highly recommended.
July 3rd, 2005 [djensen]: Updated to ImageMagick-6.2.3-3.
July 3rd, 2005 [djensen]: Updated to GIMP-2.2.8.
July 1st, 2005 [djensen]: Updated to Berkeley DB-4.3.28.
Jun 30th, 2005 [djensen]: Updated to Pkgconfig-0.18.
Jun 29th, 2005 [djensen]: Updated to MySQL-4.1.12.
Jun 28th, 2005 [djensen]: Updated to Hdparm-6.1.
Jun 28th, 2005 [djensen]: Updated to Nano-1.2.5.
Jun 28th, 2005 [djensen]: Updated to Libgsf-1.12.0.
Jun 28th, 2005 [djensen]: Updated to PCRE-6.1.
Jun 28th, 2005 [randy]: Updated Perl Modules: HTML::Parser-3.45, HTML::TableExtract-2.02, DateManip-5.44, Module-CoreList-2.02 and Compress::Zlib-1.34; added dependencies to Finance::Quote Perl Module.
Jun 26th, 2005 [dj]: Added optimization patch to JDK instructions.
Jun 25th, 2005 [randy]: Updated G-Wrap dependencies; updated to Perl Module Module::Info-0.28.
Jun 23rd, 2005 [djensen]: Updated to Cdrdao-1.2.0.
Jun 21st, 2005 [djensen]: Updated to OpenSSL-0.9.7g.
Jun 21st, 2005 [djensen]: Corrected http download url in Transcode.
Jun 21st, 2005 [djensen]: Updated to XFce-4.2.2.
Jun 21st, 2005 [djensen]: Updated to Dillo-0.8.5.
Jun 21th, 2005 [djensen]: Updated to GSview-4.7.
Jun 20th, 2005 [djensen]: Updated to Freetype-2.1.10.
Jun 20th, 2005 [djensen]: Updated to Fontconfig-2.3.2.
Jun 20th, 2005 [djensen]: Moved Libwnck from gnome/core to x/libs.
Jun 20th, 2005 [djensen]: Separated the DB-4.3.27 test from the build, they are not compatible.
Jun 20th, 2005 [dj]: Added missing required patch to dhcp instructions.
June 19th, 2005 [djensen]: Changed links to t1lib-5.1.0 and mcrypt link to mcrypt.sourceforge.net/
Jun 18th, 2005 [dj]: Added dhcp-3.0.2-gcc_3.4.3-2.patch, updated dhclient instructions to print settings obtained in bootscript, and added libmawt.so symlink to JDK instructions.
June 18th, 2005 [djensen]: Updated to Fluxbox-0.9.13
June 18th, 2005 [djensen]: Updated to Ghostscript-8.51. Separated root/user.
June 18th, 2005 [igor]: Updated to Postfix-2.2.3.
June 17th, 2005 [igor]: Updated to Apache-2.0.54.
June 17th, 2005 [djensen]: Updated to NcFTP-3.1.9. Separated root/user.
June 17th, 2005 [djensen]: Updated to Pine-4.63. Separated root/user.
June 16th, 2005 [djensen]: Updated to Gnet-2.0.7. Added alternate gtk-doc/html doc install directory.
June 16th, 2005 [djensen]: Added document installation to W3m, separated user/root commands in W3m, Pan, Balsa, Compface, Fetchmail, Mutt, Slrn, Net-tools, NTP and Enscript.
June 15th, 2005 [djensen]: Updated to Hd2u-1.0.0. Separated user and root commands.
June 15th, 2005 [djensen]: Separated user/root instructions and/or updated Installed Directories for Libao, Libmpeg123, Libmad, OpenQuicktime, libFAME, Speex, Libdvdread, FLAC, Gst-plugins, Libcroco, Libesmtp, Libungif, MC, GSview, AAlib and Rep-gtk
June 15th, 2005 [djensen]: Updated to Avifile-0.7-0.7.43. removed pc sed.
June 15th, 2005 [djensen]: Removed --mandir configure switch from Dhcpcd.
June 15th, 2005 [archaic]: Updated to vsftpd-2.0.3.
June 14th, 2005 [djensen]: Added 8 plugin links and a python version sed to Abiword.
June 14th, 2005 [bdubbs]: Updated to autofs-4.1.4.
June 13th, 2005 [djensen]: Updated to PostgreSQL-8.0.3. Added testsuite command.
June 13th, 2005 [randy]: Modified installation path of GNOME-1.4 libraries to /opt/gnome-1.4.
June 13th, 2005 [djensen]: Added a2ps instructions to install the downloaded fonts. Added possible testsuite.
June 12th, 2005 [bdubbs]: Corrected startup scripts. Removed xterm-title and substituted extra-prompt.sh.
June 12th, 2005 [bdubbs]: Changed location of ispell dictionaries to /usr/share/ispell.
June 12th, 2005 [djensen]: Simplified the PSUtils build instructions. Separated user and root instructions.
June 12th, 2005 [bdubbs]: Updated to thunderbird-1.0.2 and fixed problem in the installation of thunderbird's defaults directory.
June 12th, 2005 [bdubbs]: Added instruction to make rc.iptables executable in firewalling section.
June 12th, 2005 [bdubbs]: Updated cpio instructions to ensure LSB testsuites pass internationalization tests.
June 12th, 2005 [djensen]: Updated to Links-2.1pre17. Added SDL to optional dependencies. Separated user and root instructions.
June 12th, 2005 [randy]: Added new package FriBidi-0.10.5.
June 11th, 2005 [djensen]: Updated to AbiWord-2.2.8, build instructions altered to build and install plugins.
June 10th, 2005 [djensen]: Fixed md5sum joe-3.3. Completed XFree86 update to 4.5.0
June 10th, 2005 [randy]: Added additional optional dependencies to the Bluefish instructions.
June 10th, 2005 [djensen]: Updated to joe-3.3.
June 8th, 2005 [randy]: Updated to PCRE-6.0 using a patch submitted by David Jensen; added documentation installation to the Imlib instructions.
June 6th, 2005 [randy]: Added a note to the Samba instructions about unprivileged users mounting SMB shares; updated JDK binary version to 1.5.0_03; updated to ZSH-4.2.5; added installation of documentation to the PCRE instructions, suggested by David Jensen.
June 6th, 2005 [bdubbs]: Updated bind and bind-utils sections to version 9.3.1.
June 5th, 2005 [randy]: Removed "which" as a dependency of DocBook-utils and created a note saying it must be installed; clarified why 'yes' is piped to 'make config' in the introduction of the installation section of Net-Tools (fixes bug #1259).
June 5th, 2005 [randy]: Created Samba client instruction page, suggested by Alexander Patrakov; added additional configuration text to the Samba server instructions, submitted by Alexander Patrakov; added SWAT (without Stunnel) configuration instructions to the Samba server instructions, suggested by Jim Gifford; removed Stunnel and added XFS as dependencies of the Samba package; added instructions to create a nobody user in the Samba server bootscript installation section, suggested by Frank Olschewski.
June 5th, 2005 [bdubbs]: Integrated system uid and gid values into individual packages.
June 5th, 2005 [bdubbs]: Added bluefish-1.0.1 from patch provided by theOldFellow.
June 4th, 2005 [randy]: Standardized the creation of the nobody user (without a valid login shell) in the NFS Utilities and Postfix instructions.
June 3rd, 2005 [randy]: Updated Samba configuration information as suggested by Alexander Patrakov (fixes bug #1386); Updated to rsync-2.6.5 and OpenSSH-4.1p1.
June 3rd, 2005 [igor]: Updated to ImageMagick-6.2.3-0.
June 1st, 2005 [randy]: Updated to Galeon-1.3.21, Sysstat-6.0.0, HTML Tidy-050531, Whois-4.7.5 and Tcsh-6.14.00; moved installation of tcsh to /bin instead of /usr/bin and updated /etc/shells during the Tcsh installation.
May 31st, 2005 [bdubbs]: Added section explaining system user and group numerical assignments.
May 31st, 2005 [randy]: Removed the explicit path from the GDM bootscript commands and updated the GDM instructions to include a note to update the script if $GNOME_PREFIX is non-standard; updated bootscripts to version 20050531.
May 30th, 2005 [randy]: Updated to GDM-2.6.0.9, GNOME Speech-0.3.7, Gnopernicus-0.10.9 and GOK-1.0.4; added new package libexif-0.6.12; moved libexif to a required dependency of Nautilus.
May 29th, 2005 [bdubbs]: Updated to Firefox-1.0.4.
May 29th, 2005 [bdubbs]: Updated to Mozilla-1.7.8.
May 29th, 2005 [randy]: Updated to Gnumeric-1.4.3 and changed the installation path to /usr (thanks to Bruce Dubbs, David Jensen and Jody Goldberg for their input); added popt to the libgnomeprint dependencies, suggested by David Jensen; updated to GNOME Magnifier-0.12.1.
May 28th, 2005 [randy]: Updated to Ethereal-0.10.11, reported by Matthias Berndt.
May 27th, 2005 [igor]: Updated to GIMP-2.2.7.
May 25th, 2005 [randy]: Updated installation commands in the FreeTTS instructions.
May 23rd, 2005 [randy]: Updated to libgail-gnome-1.1.1 and Java Access Bridge-1.4.5.
May 22nd, 2005 [randy]: Added new package FreeTTS-1.2.1.
May 22nd, 2005 [manuel]: Finished the book sources retagging and indentation to match current template.xml.
May 19th, 2005 [randy]: Updated to GnomeMeeting-1.2.1.
May 18th, 2005 [archaic]: GPM: Moved the LDFLAGS option from the configure command to the make command as libm wasn't being properly pulled into the environment.
May 18th, 2005 [randy]: Fixed documentation installation command in the EsounD instructions, suggested by David Jensen; fixed skin file MD5sum in the MPlayer instructions, suggested by Zibeli Aton.
May 18th, 2005 [randy]: Updated to GConf Editor-2.10.0, GNOME Netstatus-2.10.0, gcalctool-5.5.42, GPdf-2.10.0 and Zenity-2.10.0; commented out the Nautilus Media package from inclusion in the book.
May 17th, 2005 [randy]: Updated to GNOME System Monitor-2.10.1, bug-buddy-2.10.0, EOG-2.10.0, AT SPI-1.6.4, gtksourceview-1.2.0, gedit-2.10.2, GGV-2.8.4 and File Roller-2.10.3.
May 16th, 2005 [randy]: Added new package gnome-audio-2.0.0; updated to GNOME Utils-2.10.1 and GNOME Games-2.10.1.
May 15th, 2005 [randy]: Updated to Evolution-2.2.2, Epiphany-1.6.2, Nautilus CD Burner-2.10.1 and GNOME Media-2.10.2.
May 12th, 2005 [randy]: Updated to GAL-2.4.2 and GtkHTML-3.6.2.
May 11th, 2005 [manuel]: Fixed a typo in JDK, reported by William Harrington.
May 11th, 2005 [randy]: Updated to libgnomecups-0.2.0, libgnomeprint-2.10.3, libgnomeprintui-2.10.2, Evolution Data Server-1.2.2 and gucharmap-1.4.3.
May 11th, 2005 [randy]: Updated all the GNOME-2 core package instructions to the GNOME 2.10.1 release (ORBit-2.12.2, libbonobo-2.8.1, GConf-2.10.0, GNOME VFS-2.10.1, libgnome-2.10.0, libgnomecanvas-2.10.0, libbonoboui-2.8.1, GNOME Icon Theme-2.10.1, gnome-keyring-0.4.2, libgnomeui-2.10.0, GTK Engines-2.6.3, GNOME Themes-2.10.1, GNOME Desktop-2.10.1, libwnck-2.10.0, GNOME Panel-2.10.1, GNOME Session-2.10.0, VTE-0.11.13, GNOME Terminal-2.10.0, LibGTop-2.10.1, GAIL-1.8.3, GNOME Applets-2.10.1, EEL-2.10.1, Nautilus-2.10.1, GNOME Doc Utils-0.2.0, libgtkhtml-2.6.3, Yelp-2.6.5 and Control Center-2.10.1). Many of the add-on packages build with existing instructions, however, all of them will be updated ASAP.
May 11th, 2005 [randy]: Added three new GNOME-2 packages: gnome-menus-2.10.1, gnome-backgrounds-2.10.1 and system-tools-backends-1.2.0.
May 10th, 2005 [randy]: Increment BLFS Bootscripts version to 20050509.
May 9th, 2005 [igor]: Updated to MySQL-4.1.11.
May 8th, 2005 [randy]: Updated to Metacity-2.10.1; updated XScreenSaver dependencies and build instructions.
May 6th, 2005 [randy]: Updated to GIMP-2.2.6 and gst-plugins-0.8.8; removed the --disable-docs-build switch from the GStreamer instructions, suggested by Matthew Burgess.
May 5th, 2005 [manuel]: Shortened the Tidy documentation generation commands.
May 5th, 2005 [dj]: Removed bad MANPATH variable from JDK instructions and fixed CLASSPATH for spaces in filenames.
May 4th, 2005 [igor]: Updated to Fcron-2.9.6.
May 4th, 2005 [randy]: Updated to GStreamer-0.8.10.
May 3rd, 2005 [randy]: Updated to CVS-1.11.20 and HTML Tidy-050502; added MPlayer to the list of FFmpeg's dependencies as it can utilize the shared post-processing library.
May 2nd, 2005 [randy]: Updated to xine Libraries-1.0.1.
May 1st, 2005 [randy]: Updated to MPlayer-1.0pre7; added a sed command to the FFmpeg instructions to fix an issue on MMX capable machines.
April 29th, 2005 [bdubbs]: Update to aRts 1.4, kde 3.4, and kdevelop 3.2.
April 28th, 2005 [dj]: Added doublefree patch to OOo instructions, corrected gcc patch and libmawt symlink. Added a description for javaws to JDK instructions.
April 28th, 2005 [randy]: Added documentation installation to the id3lib instructions.
April 27th, 2005 [randy]: Updated to FLAC-1.1.2, libdv-0.104 and XviD-1.0.3; added Doxygen dependency and documentation installation to the libdvdcss instructions; added documentation installation to the liba52 instructions.
April 26th, 2005 [randy]: Updated to GStreamer-0.8.9 and libao-0.8.6; added a download URL to the PassiveTeX dependency in the libvorbis instructions; added installation of HTML documentation to the SDL and libmikmod instructions.
April 24th, 2005 [dj]: Updated to JDK-1.5.0, added gcc-3.4.2+ and jdk-1.5.0 patches to OpenOffice, and added jdk-1.5.0 patch for fop.
April 24th, 2005 [randy]: Fixed incorrect path pointing to the documentation in the Cyrus-SASL configuration section and incorrect library versions in the chmod commands in the OpenLDAP instructions, both pointed out by syaodzir; added documentation installation to the startup-notification instructions.
April 23rd, 2005 [bdubbs]: Updated to nfs-utils-1.0.7. Added comments about user nobody and pointed to section on netfs.
April 23rd, 2005 [randy]: Updated to librsvg-2.9.5.
April 22nd, 2005 [randy]: Updated to Firefox-1.0.3, libgsf-1.11.1, libglade-2.5.1 and Mozilla-1.7.7; added instructions to Firefox and Mozilla to utilize the JDK Java plugin.
April 21st, 2005 [bdubbs]: Upgraded to xscreensaver-4.21.
April 21st, 2005 [bdubbs]: Added patch to libmikmod.
April 20th, 2005 [bdubbs]: Updated qt instructions to eliminate an unnecessary copy procedure and fixed qmake.conf adjustment.
April 20th, 2005 [randy]: Updated to Doxygen-1.4.2.
April 19th, 2005 [randy]: Updated to NAS-1.7.
April 19th, 2005 [bdubbs]: Updated to qt-3.3.4; fixed some configuration problems with build method 1.
April 18th, 2005 [randy]: Updated to shared-mime-info-0.16, hicolor-icon-theme-0.8 and GnuPG-1.4.1.
April 17th, 2005 [randy]: Updated to LessTif-0.94.4, intltool-0.33 and Module-Info-0.27 (Perl module); added an "Other Window Managers" section to Chapter 27.
April 17th, 2005 [manuel]: Updated the stylesheets to use DocBook-XSL 1.68.1.
April 15th, 2005 [randy]: Updated to libsoup-2.2.3, Samba-3.0.14a and libmng-1.0.9; added documentation installation commands to the LZO instructions; added a patch to fix a build issue and documentation installation commands to the lcms instructions.
April 14th, 2005 [randy]: Updated to libxklavier-2.0 and pkgconfig-0.17.2.
April 13th, 2005 [randy]: Updated to Glib-2.6.4, GTK+-2.6.7, Whois-4.7.2, Imlib2-1.2.0 and libart_lgpl-2.3.17; added documentation installation commands to the giflib and libungif instructions.
April 12th, 2005 [randy]: Updated to Samba-3.0.13 and pkgconfig-0.17.1.
April 12th, 2005 [bdubbs]: Finish server reorganization. Moved php to Programming and NFS to Major Servers.
April 12th, 2005 [bdubbs]: Major reorganization of server sections. Consolidated 'Server Networking' and 'Content Serving'.
April 11th, 2005 [dj]: Added 'Additional X Windows Configuration' page.
April 11th, 2005 [randy]: Updated to Nail-11.22, Guile-1.6.7 and Subversion-1.1.4; moved Guile instructions from 'Chapter 8 - General Libraries' to 'Chapter 12 - Programming'.
April 10th, 2005 [randy]: Updated to NASM-0.98.39 and Sendmail-8.13.4.
April 10th, 2005 [igor]: Updated to libIDL-0.8.5 and Firefox-1.0.2.
April 9th, 2005 [randy]: Updated to PHP-5.0.4.
April 8th, 2005 [randy]: Updated to PostgreSQL-8.0.1 and Aspell-0.60.2.
April 7th, 2005 [randy]: Updated the JadeTex instructions to work with Tex-3.0, contributed by Steffen Knollmann.
April 6th, 2005 [igor]: Updated to ATK-1.9.1.
April 6th, 2005 [randy]: Updated to MySQL-4.1.10a and TeX-3.0.
April 5th, 2005 [randy]: Added a note to the GCC-3.4.3 instructions to install a missing interface header file.
April 4th, 2005 [randy]: Updated to OpenLDAP-2.2.24, Stunnel-4.09, GTK-Doc-1.3 and OpenSSH-4.0p1; added a command to the cURL instructions to fix a broken test script.
April 4th, 2005 [igor]: Updated to OpenSSL-0.9.7f contributed by Anderson Lizardo.
April 3rd, 2005 [manuel]: Updated the XML sources to use DocBook XML DTD-4.4.
April 3rd, 2005 [randy]: Updated to libxslt-1.1.14.
April 2nd, 2005 [randy]: Added which as a required dependency of DocBook-utils, reported by Andrew Benton; updated to libxml2-2.6.19.
April 1st, 2005 [randy]: Updated to DocBook XML DTD-4.4 and DocBook XSL Stylesheets-1.68.1.
March 31st, 2005 [bdubbs]: Updated the install instructions for xinetd to use /etc/xinetd.d/ directory structure. Patch by John Gnew.
March 31st, 2005 [randy]: Updated to libxml2-2.6.18 and libxslt-1.1.13.
March 30th, 2005 [randy]: Updated to libusb-0.1.10a and Python-2.4.1.
March 29th, 2005 [randy]: Updated to DocBook DSSSL Stylesheets-1.79 (with rewrite of instructions); fixed deprecated tar option in Vim instructions; added a note to the Fontconfig instructions to have the SGMLSpm Perl module installed if DocBook-utils is installed.
March 28th, 2005 [randy]: Updated to DocBook-SGML-DTD-4.4; added manpage installation to OpenJade instructions, suggested by Andrew Benton.
March 27th, 2005 [randy]: Updated to libtiff-3.7.2, pkgconfig-0.16.0 and ALSA-1.0.8.
March 26th, 2005 [randy]: Updated to HTML Tidy-050324 and UnZip-5.52.
March 25th, 2005 [randy]: Updated to GCC-3.4.3.
March 24th, 2005 [randy]: Updated to Sysstat-5.1.5, Fontconfig-2.3.1 and Expect-5.43.0; added a note to the Tk instructions about running the test suite.
March 23rd, 2005 [randy]: Updated to Shadow-4.0.7; added security patch to Vim instructions; added daemon fixes patch to Inetutils instructions.
March 22nd, 2005 [randy]: Added the installation of documentation to the Linux-PAM instructions.
March 21st, 2005 [larry]: Updated to emacs-21.4a.
March 18th, 2005 [randy]: Added a sed command to the Zip instructions to fix an installation problem, suggested by Matthew Burgess.
March 17th, 2005 [bdubbs]: Released Version 6.0-pre1.
The linuxfromscratch.org server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.
For more information regarding which lists are available, how to subscribe to them, archive locations, etc. visit http://www.linuxfromscratch.org/mail.html.
All the mailing lists hosted at linuxfromscratch.org are also accessible via the NNTP server. All messages posted to a mailing list will be copied to its corresponding newsgroup. Note, however, that as this is written, it is not possible to write to the mailing lists via the NNTP service.
The news server can be reached at news.linuxfromscratch.org.
If you encounter a problem while using this book, and your problem is not listed in the FAQ (http://www.linuxfromscratch.org/faq), you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.
Before asking for help, you should review the following items:
Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modules.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the syslog.log or run modprobe [driver] to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.
Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -G audio [user] may be all that's necessary for that user to have access to the sound system. Any question that starts out with “It works as root, but not as ...” requires a thorough review of permissions prior to asking.
BLFS liberally uses /opt/[package]. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called “Going Beyond BLFS” is available to help you check.
Apart from a brief explanation of the problem you're having, the essential things to include in your request are:
the version of the book you are using (which is 6.1),
the package or section giving you problems,
the exact error message or symptom you are receiving,
whether you have deviated from the book or LFS at all.
(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)
Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research had been done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.
An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at http://www.catb.org/~esr/faqs/smart-questions.html. Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.
Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.
The current BLFS maintainer is Bruce Dubbs. If you need to reach Bruce, send an email to bdubbs@linuxfromscratch.org.
Package Management is an often requested addition to the LFS Book. A Package Manager allows tracking the installation of files making it easy to remove and upgrade packages. And before you begin to wonder, NO—this section does not talk about any particular package manager, nor does it recommend one. What it provides is a roundup of the more popular techniques and how they work. The perfect package manager for you may be among these techniques or may be a combination of two or more of these techniques. This section briefly mentions issues that may arise when upgrading packages.
Some reasons why no package manager is mentioned in LFS or BLFS:
Dealing with package management takes the focus away from the goals of these books—teaching how a Linux system is built.
There are multiple solutions for package management, each having its strengths and drawbacks. Including one that satisfies all audiences is difficult.
There are some hints written on the topic of package management. Visit the Hints subproject to find if one of them fits your need.
A Package Manager makes it easy to upgrade to newer versions when they are released. Generally the instructions in the LFS and BLFS Book can be used to upgrade to the newer versions. Here are some points that you should be aware of when upgrading packages, especially on a running system.
If one of the toolchain packages (Glibc, GCC or Binutils) needs to be upgraded to a newer minor version, it is safer to rebuild LFS. Though you may be able to get by rebuilding all the packages in their dependency order, we do not recommend it. For example, if glibc-2.2.x needs to be updated to glibc-2.3.x, it is safer to rebuild. For micro version updates, a simple reinstallation usually works, but is not guaranteed. For example, upgrading from glibc-2.3.4 to glibc-2.3.5 will not usually cause any problems.
If a package containing a shared library is updated, and if the name of the library changes, then all the packages dynamically linked to the library need to be recompiled to link against the newer library. (Note that there is no correlation between the package version and the name of the library.) For example, consider a package foo-1.2.3 that installs a shared library with name libfoo.so.1. Say you upgrade the package to a newer version foo-1.2.4 that installs a shared library with name libfoo.so.2. In this case, all packages that are dynamically linked to libfoo.so.1 need to be recompiled to link against libfoo.so.2. Note that you should not remove the previous libraries until the dependent packages are recompiled.
If you are upgrading a running system, be on the lookout for packages that use cp instead of install to install files. The latter command is usually safer if the executable or library is already loaded in memory.
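The difference between cp and install described above, shown as an added example that is not part of the BLFS book. It assumes GNU coreutils, where install removes an existing destination before writing the new file while cp overwrites it in place; the file names are constructed, and a hard link named in-use stands in for a process that still has the old file loaded.

```shell
#!/bin/sh
# Constructed demonstration: replacing a file that is still in use.
# A second hard link to the old file plays the role of a running process
# that still holds the old executable or library.

# Usage: upgrade_with cp|install
# Prints "changed" if the data seen through the old link was overwritten,
# or "kept" if the old link still shows the original contents.
upgrade_with() {
    method=$1
    dir=$(mktemp -d) || return 1
    printf 'version 1\n' > "$dir/libfoo.so.1"       # currently installed file
    printf 'version 2\n' > "$dir/libfoo.so.1.new"   # freshly built replacement
    ln "$dir/libfoo.so.1" "$dir/in-use"             # stand-in for a loaded copy

    case $method in
        cp)      cp "$dir/libfoo.so.1.new" "$dir/libfoo.so.1" ;;
        install) install -m 644 "$dir/libfoo.so.1.new" "$dir/libfoo.so.1" ;;
        *)       rm -rf "$dir"; return 2 ;;
    esac

    if [ "$(cat "$dir/in-use")" = "version 1" ]; then
        result=kept
    else
        result=changed
    fi
    new=$(cat "$dir/libfoo.so.1")
    rm -rf "$dir"

    # Either way the installed path must now carry the new version.
    [ "$new" = "version 2" ] || return 1
    echo "$result"
}

echo "cp:      contents seen by the old user were $(upgrade_with cp)"
echo "install: contents seen by the old user were $(upgrade_with install)"
```

With cp the old inode is rewritten underneath whatever still uses it; with install the old inode is left intact and only the directory entry points at the new file.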
The following are some common package management techniques. Before making a decision on a package manager, do some research on the various techniques, particularly the drawbacks of the particular scheme.
Yes, this is a package management technique. Some folks do not find the need for a package manager because they know the packages intimately and know what files are installed by each package. Some users also do not need any package management because they plan on rebuilding the entire system when a package is changed.
This is a simplistic package management that does not need any extra package to manage the installations. Each package is installed in a separate directory. For example, package foo-1.1 is installed in /usr/pkg/foo-1.1 and a symlink is made from /usr/pkg/foo to /usr/pkg/foo-1.1. When installing a new version foo-1.2, it is installed in /usr/pkg/foo-1.2 and the previous symlink is replaced by a symlink to the new version.
The environment variables such as those mentioned in the section called “Going Beyond BLFS” need to be expanded to include /usr/pkg/foo. For more than a few packages, this scheme becomes unmanageable.
This is a variation of the previous package management technique. Each package is installed similar to the previous scheme. But instead of making the symlink, each file is symlinked into the /usr hierarchy. This removes the need to expand the environment variables. Although the user can create the symlinks by hand, many package managers have been written to automate their creation using this approach. A few of the popular ones are Stow, Epkg, Graft, and Depot.
The installation needs to be faked, so that the package thinks that it is installed in /usr though in reality it is installed in the /usr/pkg hierarchy. Installing in this manner is not usually a trivial task. For example, consider that you are installing a package libfoo-1.1. The following instructions may not install the package properly:
./configure --prefix=/usr/pkg/libfoo/1.1
make
make install
The installation will work, but the dependent packages may not link to libfoo as you would expect. If you compile a package that links against libfoo, you may notice that it is linked to /usr/pkg/libfoo/1.1/lib/libfoo.so.1 instead of /usr/lib/libfoo.so.1 as you would expect. The correct approach is to use the DESTDIR strategy to fake installation of the package. This approach works as follows:
./configure --prefix=/usr
make
make DESTDIR=/usr/pkg/libfoo/1.1 install
Most of the packages do support this approach, but there are some which do not. For the non-compliant packages, you may either need to manually install the package, or you may find that it is easier to install some problematic packages into /opt.
In this technique, a file is timestamped before the installation of the package. After the installation, a simple use of the find command with the appropriate options can generate a log of all the files installed after the timestamp file was created. A package manager written with this approach is install-log.
Though this scheme has the advantage of being simple, it has two drawbacks. If during installation, the files are installed with any timestamp other than the current time, those files will not be tracked by the package manager. Also, this scheme can only be used when one package is installed at a time. The logs are not reliable if two packages are being installed on two different consoles.
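The timestamp technique and its first drawback, as an added example that is not taken from install-log or from the BLFS book. The function names, the temporary directory layout and the stand-in for "make install" are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration of timestamp-based install tracking.

# Stand-in for a package's "make install". One file is written with the
# current time; the other keeps an old modification time, as happens when
# an installer preserves timestamps.
fake_make_install() {
    dest=$1
    mkdir -p "$dest/bin" "$dest/share/doc" || return 1
    printf '#!/bin/sh\necho foo\n' > "$dest/bin/foo"
    printf 'README\n' > "$dest/share/doc/README"
    touch -t 200501010000 "$dest/share/doc/README"
}

# Usage: log_install ROOT LOGFILE command [args...]
# Creates a timestamp file, runs the command, then records every
# non-directory under ROOT that is newer than the timestamp file.
log_install() {
    root=$1
    log=$2
    shift 2
    stamp=$(mktemp) || return 1
    sleep 1     # keep the stamp strictly older on coarse-grained filesystems
    "$@" || { rm -f "$stamp"; return 1; }
    find "$root" -newer "$stamp" ! -type d | sort > "$log"
    rm -f "$stamp"
}

# Usage: untracked_files ROOT LOGFILE
# Lists files that exist under ROOT but are missing from the log.
untracked_files() {
    root=$1
    log=$2
    find "$root" ! -type d | sort | comm -23 - "$log"
}

demo=$(mktemp -d)
log_install "$demo/root" "$demo/install.log" fake_make_install "$demo/root"
echo "logged:";   cat "$demo/install.log"
echo "missed:";   untracked_files "$demo/root" "$demo/install.log"
rm -rf "$demo"
```

The README is installed but never reaches the log, so removing the package from this log would leave it behind.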
In this approach, a library is preloaded before installation. During installation, this library tracks the packages that are being installed by attaching itself to various executables such as cp, install, mv and tracking the system calls that modify the filesystem. For this approach to work, all the executables need to be dynamically linked without the suid or sgid bit. Preloading the library may cause some unwanted side-effects during installation. Therefore, do perform some tests to ensure that the package manager does not break anything and logs all the appropriate files.
In this scheme, the package installation is faked into a separate tree as described in the Symlink style package management. After the installation, a package archive is created using the installed files. This archive is then used to install the package either on the local machine or can even be used to install the package on other machines.
This approach is used by most of the package managers found in the commercial distributions. Examples of package managers that follow this approach are RPM, pkg-utils, Debian's apt, and Gentoo's Portage system.
This scheme, unique to LFS, was devised by Matthias Benkmann, and is available from the Hints Project. In this scheme, each package is installed as a separate user into the standard locations. Files belonging to a package are easily identified by checking the user ID. The features and shortcomings of this approach are too complex to describe in this section. For the details please see the hint at http://www.linuxfromscratch.org/hints/downloads/files/more_control_and_pkg_man.txt.
Those people who have built an LFS system will be aware of the general principles of downloading and unpacking software. We will however repeat some of that information here for those new to building their own software.
Each set of installation instructions contains a URL from which you can download the package. We do however keep a selection of patches available via HTTP. These are referenced as needed in the installation instructions.
While you can keep the source files anywhere you like, we assume that you have unpacked them and unzipped any required patches into /usr/src.
We cannot emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.
The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.
If a file is in .tar format and compressed, it is unpacked by running one of the following commands:
tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2
You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.
You can also use a slightly different method:
bzcat filename.tar.bz2 | tar -xv
Finally, you sometimes need to be able to unpack patches which are generally not in .tar format. The best way to do this is to copy the patch file to /usr/src and then run one of the following commands depending on whether the file is a .gz or .bz2 file:
gunzip -v patchname.gz
bunzip2 -v patchname.bz2
Generally, to verify that the downloaded file is genuine and complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:
md5sum -c file.md5sum
If there are any errors, they will be reported. Note that the BLFS book includes md5sums for all the source files also. To use the BLFS supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternatively, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.
md5sum [name_of_downloaded_file]
For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace [command] with the command you intend to execute.
( [command] 2>&1 | tee compile.log && exit $PIPESTATUS )
2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the [command] is returned as the result and not the result of the tee command.
Should I install XXX in /usr or /usr/local?
This is a question without an obvious answer for an LFS based system.
In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.
With Linux distributions such as Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.
LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.
On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.
On a network of several computers all running an identical LFS system /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.
Even on a single computer /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.
Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.
Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?
There is nothing stopping you, and many sites do make their own trees. However, it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file an installer is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.
What is the BLFS position on this?
All of the BLFS instructions install programs in /usr with optional instructions to install into /opt for some specific packages.
As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that meet one of the following criteria:
Fixes a compilation problem.
Fixes a security problem.
Fixes a broken functionality.
In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.
The BLFS Bootscripts package contains the init scripts that are used throughout the book. It is assumed that you will be using the BLFS Bootscripts package in conjunction with a compatible LFS-Bootscripts package. Refer to ../../../../lfs/view/stable/chapter07/bootscripts.html for more information on the LFS-Bootscripts package.
Package Information
The BLFS Bootscripts package will be used throughout the BLFS book for startup scripts. Unlike LFS, each init script has a separate install target in the BLFS Bootscripts package. It is recommended you keep the package source directory around until completion of your BLFS system. When a script is requested from BLFS Bootscripts, simply change to the directory and as the root user, execute the given make install-[init-script] command. This command installs the init script to its proper location (along with any auxiliary configuration scripts) and also creates the appropriate symlinks to start and stop the service at the appropriate run-level.
It is advisable to peruse each bootscript before installation to ascertain that it satisfies your need. Also verify that the start and stop symlinks it creates match your preferences.
The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.
When you want to install a package to a location other than /, or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.
Expand the PATH to include $PREFIX/bin.
Expand the PATH for root to include $PREFIX/sbin.
Add $PREFIX/lib to /etc/ld.so.conf or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out http://www.visi.com/~barr/ldpath.html. If you modify /etc/ld.so.conf, remember to update /etc/ld.so.cache by executing ldconfig as the root user.
Add $PREFIX/man to /etc/man.conf or expand MANPATH.
Add $PREFIX/info to INFOPATH.
Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH.
Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.
If you are in search of a package that is not in the book, the following are different ways you can search for the concerned package.
If you know the name of the package, then search FreshMeat for it at http://freshmeat.net/. Also search Google at http://google.com/. Sometimes a search for the rpm at http://rpmfind.net/ or the deb at http://www.debian.org/distrib/packages#search_packages can also lead to a link to the package.
If you know the name of the executable, but not the package that the executable belongs to, first try a Google search with the name of the executable. If the results are overwhelming, try searching for the given executable in the Debian repository at http://www.debian.org/distrib/packages#search_contents.
Some general hints on handling new packages:
Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.
Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.
If you are having a problem compiling the package, try searching the LFS archives at http://search.linuxfromscratch.org/ for the error or, if that fails, try searching Google. If everything else fails, try the blfs-support mailing-list/news-group.
If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz that are available at http://downloads.linuxfromscratch.org/deb2targz.tar.bz2 and http://downloads.linuxfromscratch.org/rpm2targz.tar.bz2 to convert the archives into a simple tar.gz format.
The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.
Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.
The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Then the system is configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.
The remaining topics, Customizing your Logon with /etc/issue, The /etc/shells File, Random number generation, Compressing man and info pages, autofs-4.1.4, and Configuring for Network Filesystems are then addressed, in that order. They don't have much interaction with the other topics in this chapter.
This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevents it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.
In a modern system, there are many devices that can be used as a rescue device: floppy, CD-ROM, USB drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, we usually thought of a rescue device as a floppy disk. Today, many systems do not even have a floppy drive.
Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.
The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at http://www.toms.net/rb/. This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.
There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Mandrake, and SuSE. One very popular option is Knoppix.
In addition, the LFS Community has developed its own Boot CD-ROM available at ftp://anduin.linuxfromscratch.org/isos/. A copy of this CD-ROM is available with the printed version of the Linux From Scratch book. If you download the ISO image, use cdrecord to copy the image to a CD-ROM.
In the future, the build instructions for this CD-ROM will be presented, but they are not available at the time of this writing.
A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.
Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.
The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.
The useradd program uses a collection of default values kept in /etc/default/useradd, if it exists. If this file does not exist, then it uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.
To change these values to something new, create a base /etc/default/useradd file as the root user with the same values as the output of /usr/sbin/useradd -D. Here is a sample:
```
# Begin /etc/default/useradd

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=
SKEL=/etc/skel

# End /etc/default/useradd
```
The only thing missing from the file is a default shell. Add that by running the following command as the root user:
/usr/sbin/useradd -D -s/bin/bash
This will set the SHELL= line to SHELL=/bin/bash.
useradd has many parameters that can be set in the /etc/default/useradd file. For more information see man useradd.
To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.
The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".
You can also put other files in /etc/skel and different permissions may be needed for them.
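The permission rules above can be checked mechanically. The following is an added example, not part of the book: the function names skel_audit and skel_harden and the optional OWNER argument are assumptions made for illustration, and findings for files you deliberately gave other permissions are yours to judge.

```shell
#!/bin/sh
# Added example (not from the book): audit a skeleton directory such as
# /etc/skel against the rules stated above.

# skel_report DIR OWNER -> one line per finding, nothing if the tree is clean.
skel_report() {
    # Everything must belong to the administrator (root unless overridden).
    find "$1" ! -user "$2" -print | sed 's/^/WRONG-OWNER /'
    # Directories must not be writable by group or other.
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/DIR-WRITABLE /'
    # Files must carry no group or other permission bits at all.
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/FILE-OPEN /'
}

# skel_audit DIR [OWNER] -> prints the findings, returns 1 if there are any.
skel_audit() {
    findings=$(skel_report "$1" "${2:-root}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# skel_harden DIR -> remove the permission bits the audit complains about.
skel_harden() {
    find "$1" -type d -exec chmod go-w {} +
    find "$1" -type f -exec chmod go-rwx {} +
}

# Constructed sample tree standing in for /etc/skel, owned by the caller.
demo=$(mktemp -d)
touch "$demo/.bashrc" "$demo/.bash_profile"
chmod 0644 "$demo/.bashrc"        # readable by group and other: flagged
chmod 0600 "$demo/.bash_profile"  # owner only: accepted
chmod 0755 "$demo"
skel_audit "$demo" "$(id -u)" || echo "audit failed, hardening"
skel_harden "$demo"
skel_audit "$demo" "$(id -u)" && echo "skeleton is clean"
rm -rf "$demo"
```

On a real system, run skel_audit /etc/skel as root before adding users with useradd -m, since every new home directory inherits these modes.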
Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.
The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.
You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just send the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.
When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):
useradd -m [newuser]
Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.
Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 100. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.
Additionally, the Linux Standards Base recommends that system uid and gid values should be below 100.
Below is a table of suggested uid/gid values used in BLFS. These can be changed as desired, but provide a suggested set of consistent values.
Table 3.1. UID/GID Suggested Values
Name | uid | gid |
---|---|---|
bin | 1 | 1 |
lp | 9 | |
usb | 14 | |
named | 20 | 20 |
gdm | 21 | 21 |
fcron | 22 | 22 |
apache | 25 | 25 |
smmsp | 26 | 26 |
exim | 31 | 31 |
postfix | 32 | 32 |
postdrop | 33 | |
sendmail | 34 | |
34 | ||
vmailman | 35 | 35 |
news | 36 | 36 |
mysql | 40 | 40 |
postgres | 41 | |
ftp | 45 | 45 |
proftpd | 46 | 46 |
vsftpd | 47 | 47 |
rsyncd | 48 | 48 |
sshd | 50 | 50 |
stunnel | 51 | 51 |
svn | 56 | 56 |
svntest | 57 | |
games | 60 | 60 |
anonymous | 98 | |
nobody | 99 | |
nogroup | 99 |
One value that is missing is 65534. This value is customarily assigned to the user nobody and group nogroup and is unnecessary. The issue is explained in more detail in the first note in the NFS Utilities Installation section.
The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.
An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile upon startup.
An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$/bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.
A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.
The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.
Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.
For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.
Most of the instructions below are used to create files located in the /etc directory structure, which requires you to execute the commands as the root user. If you elect to create the files in users' home directories instead, you should run the commands as an unprivileged user.
Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.
For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.
```
cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# modifications by Dagmar d'Surreal <rivyqntzne@pbzpnfg.arg>

# System wide environment variables and startup programs.

# System wide aliases and functions should go in /etc/bashrc. Personal
# environment variables and startup programs should go into
# ~/.bash_profile. Personal aliases and functions should go into
# ~/.bashrc.

# Functions to help us manage paths. Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
                fi
        done
        export $PATHVARIABLE="$NEWPATH"
}

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}

# Set the initial path
export PATH=/bin:/usr/bin

if [ $EUID -eq 0 ] ; then
        pathappend /sbin:/usr/sbin
        unset HISTFILE
fi

# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"
#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '

for script in /etc/profile.d/*.sh ; do
        if [ -r $script ] ; then
                . $script
        fi
done

# Now to clean up
unset pathremove pathprepend pathappend

# End /etc/profile
EOF
```
Now create the /etc/profile.d directory, where the individual initialization scripts are placed:
install --directory --mode=0755 --owner=root --group=root /etc/profile.d
This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.
```
cat > /etc/profile.d/dircolors.sh << "EOF"
# Setup for /bin/ls to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
        eval $(dircolors -b /etc/dircolors)

        if [ -f "$HOME/.dircolors" ] ; then
                eval $(dircolors -b $HOME/.dircolors)
        fi
fi
alias ls='ls --color=auto'
EOF
```
This script adds several useful paths to the PATH and PKG_CONFIG_PATH environment variables. If you want, you can uncomment the last section to put a dot at the end of your path. This will allow executables in the current working directory to be executed without specifying a ./, however you are warned that this is generally considered a security hazard.
```
cat > /etc/profile.d/extrapaths.sh << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
        pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
        pathprepend /usr/local/bin
fi
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
        pathprepend /usr/local/sbin
fi
for directory in $(find /opt/*/lib/pkgconfig -type d 2>/dev/null); do
        pathappend $directory PKG_CONFIG_PATH
done
for directory in $(find /opt/*/bin -type d 2>/dev/null); do
        pathappend $directory
done
if [ -d ~/bin ]; then
        pathprepend ~/bin
fi
#if [ $EUID -gt 99 ]; then
#        pathappend .
#fi
EOF
```
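To see whether a finished PATH contains the hazard described above, the following added example (not part of the book; the function name path_hazards is an assumption) reports every entry that makes command lookup depend on the current directory. It goes slightly beyond the dot case: an empty element, produced by a leading, trailing or doubled colon, is searched as the current directory too, and any other relative entry behaves the same way.

```shell
#!/bin/sh
# Added example (not from the book): find PATH entries that resolve
# relative to the current working directory.

# path_hazards PATHSTRING -> prints one line per hazard, returns 1 if any.
# The body is a subshell so the IFS and globbing changes do not leak.
path_hazards() (
    p=$1
    status=0
    # An empty element is searched as the current directory, exactly like
    # an explicit ".".
    case $p in
        :*|*:|*::*) echo "EMPTY-ELEMENT"; status=1 ;;
    esac
    IFS=:
    set -f                  # no filename expansion while splitting
    for dir in $p; do
        case $dir in
            '') ;;          # already reported above
            /*) ;;          # absolute path: lookup does not depend on cwd
            *)  echo "RELATIVE $dir"; status=1 ;;
        esac
    done
    exit "$status"
)

# Constructed inputs: the paths extrapaths.sh produces with the last
# section commented out and with it enabled.
path_hazards "/usr/local/bin:/bin:/usr/bin" && echo "default path: clean"
path_hazards "/usr/local/bin:/bin:/usr/bin:." || echo "dot enabled: flagged"
# The path of the shell running this script.
path_hazards "$PATH" || echo "current PATH has the entries listed above"
```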
This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.
```
cat > /etc/profile.d/readline.sh << "EOF"
# Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
        INPUTRC=/etc/inputrc
fi
export INPUTRC
EOF
```
Some applications need a specific TERM setting to support color.
```
cat > /etc/profile.d/tinker-term.sh << "EOF"
# This will tinker with the value of TERM in order to convince certain
# apps that we can, indeed, display color in their window.

if [ -n "$COLORTERM" ]; then
  export TERM=xterm-color
fi

if [ "$TERM" = "xterm" ]; then
  export TERM=xterm-color
fi
EOF
```
Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.
```
cat > /etc/profile.d/umask.sh << "EOF"
# By default we want the umask to get set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 022
fi
EOF
```
If X is installed, the PATH and PKG_CONFIG_PATH variables are also updated.
```
cat > /etc/profile.d/X.sh << "EOF"
if [ -x /usr/X11R6/bin/X ]; then
        pathappend /usr/X11R6/bin
fi
if [ -d /usr/X11R6/lib/pkgconfig ] ; then
        pathappend /usr/X11R6/lib/pkgconfig PKG_CONFIG_PATH
fi
EOF
```
This script shows an example of a different way of setting the prompt. The normal variable, PS1, is supplemented by PROMPT_COMMAND. If set, the value of PROMPT_COMMAND is executed as a command prior to issuing each primary prompt. The sequence \e is an ESC character. \a is a BEL character. For a reference on xterm escape sequences, see http://rtfm.etla.org/xterm/ctlseq.html.
```
cat > /etc/profile.d/extra-prompt.sh << "EOF"
PROMPT_COMMAND="echo -ne '\e[1m${USER}@${HOSTNAME} : ${PWD}\e[0m\a'"
export PROMPT_COMMAND
EOF
```
The escape sequences above are BOLD, NORMAL, and BEL.
This script shows how to set some environment variables necessary for native language support. Setting these variables properly gives you:
the output of programs translated into your native language
correct classification of characters into letters, digits and other classes – this is necessary for Bash to accept keystrokes properly in non-English locales
the alphabetical sorting order correct for your country
proper default paper size
correct formatting of monetary, time and date values
Replace [ll] with the two-letter code for your language (e.g., “en”) and [CC] with the two-letter code for your country (e.g., “GB”). Also you may need to specify (and this is actually the preferred form) your character encoding (e.g., “iso8859-1”) after a dot (so that the result is “en_GB.iso8859-1”). Issue the following command for more information:
man 3 setlocale
The list of all locales supported by Glibc can be obtained by running the following command:
locale -a
After you are sure about your locale settings, create the /etc/profile.d/i18n.sh file:
```
cat > /etc/profile.d/i18n.sh << "EOF"
# Set up i18n variables
export LC_ALL=[ll]_[CC]
export LANG=[ll]_[CC]
export G_FILENAME_ENCODING=@locale
EOF
```
The LC_ALL variable sets the same value for all locale categories. For better control, you may prefer to set values individually for all categories listed in the output of the locale command.
The G_FILENAME_ENCODING variable tells applications such as Glib and GTK+ that filenames are in the default locale encoding and not in UTF-8 as assumed by default.
Here is a base /etc/bashrc. Comments in the file should explain everything you need.
```
cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>

# Make sure that the terminal is set up properly for each shell

if [ -f /etc/profile.d/tinker-term.sh ]; then
  source /etc/profile.d/tinker-term.sh
fi

# System wide aliases and functions.

# System wide environment variables and startup programs should go into
# /etc/profile. Personal environment variables and startup programs
# should go into ~/.bash_profile. Personal aliases and functions should
# go into ~/.bashrc

# Provides a colored /bin/ls command. Used in conjunction with code in
# /etc/profile.

alias ls='ls --color=auto'

# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]

#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '

# End /etc/bashrc
EOF
```
Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.
```
cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>

# Personal environment variables and startup programs.

# Personal aliases and functions should go in ~/.bashrc. System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.

append () {
  # First remove the directory
  local IFS=':'
  local NEWPATH
  for DIR in $PATH; do
     if [ "$DIR" != "$1" ]; then
       NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
     fi
  done

  # Then append the directory
  export PATH=$NEWPATH:$1
}

if [ -f "$HOME/.bashrc" ] ; then
        source $HOME/.bashrc
fi

if [ -d "$HOME/bin" ] ; then
        append $HOME/bin
fi

unset append

# End ~/.bash_profile
EOF
```
Here is a base ~/.bashrc. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.
```
cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>

# Personal aliases and functions.

# Personal environment variables and startup programs should go in
# ~/.bash_profile. System wide environment variables and startup
# programs are in /etc/profile. System wide aliases and functions are
# in /etc/bashrc.

if [ -f "/etc/bashrc" ] ; then
        source /etc/bashrc
fi

# End ~/.bashrc
EOF
```
This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.
```
cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>

# Personal items to perform on logout.

# End ~/.bash_logout
EOF
```
If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above also can be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and assure the permissions, owner, and group are correct on the files created and/or copied.
dircolors -p > /etc/dircolors
If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.
Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at http://www.caliban.org/bash/index.shtml.
The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!
The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads /etc/vimrc and ~/.vimrc (i.e., the global vimrc and the user-specific one). Note that this is only true if you compiled vim using LFS-3.1 onwards. Prior to this, the global vimrc was /usr/share/vim/vimrc.
Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.
```
" Begin .vimrc

set columns=80
set wrapmargin=8
set ruler

" End .vimrc
```
A FAQ on the LFS mailing lists regards the comment tags in vimrc. Note that they are " instead of the more usual # or //. This is correct; the syntax for vimrc is slightly unusual.
Below you'll find a quick explanation of what each of the options in this example file means:
set columns=80: This simply sets the number of columns used on the screen.
set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.
set ruler: This makes vim show the current row and column at the bottom right of the screen.
More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.
When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.
The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file issue.net which can be used when logging on remotely. ssh however, will only use it if you set the option in the configuration file and will not interpret the escape sequences shown below.
One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.
Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC [ 2 J erases the screen. For more information on terminal escape sequences see http://rtfm.etla.org/xterm/ctlseq.html
The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.
The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).
b   Insert the baudrate of the current line.
d   Insert the current date.
s   Insert the system name, the name of the operating system.
l   Insert the name of the current tty line.
m   Insert the architecture identifier of the machine, e.g., i686.
n   Insert the nodename of the machine, also known as the hostname.
o   Insert the domainname of the machine.
r   Insert the release number of the kernel, e.g., 2.6.11.12.
t   Insert the current time.
u   Insert the number of current users logged in.
U   Insert the string "1 user" or "<n> users" where <n> is the number of current users logged in.
v   Insert the version of the OS, e.g., the build-date etc.
The shells file contains a list of login shells on the system. Applications use this file to determine whether a shell is valid. For each shell a single line should be present, consisting of the shell's path, relative to the root of the directory structure (/).
For example, this file is consulted by chsh to determine whether an unprivileged user may change the login shell for her own account. If the command name is not listed, the user will be denied the change.
It is a requirement for applications such as GDM, which does not populate the face browser if it can't find /etc/shells, and FTP daemons, which traditionally disallow access to users with shells not included in this file.
cat > /etc/shells << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF
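The following is an added example, not part of the BLFS instructions: a shell function that reports every account whose login shell is missing from the shells file, which are the accounts that chsh and FTP daemons will restrict as described above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the BLFS book). Function names are hypothetical.

# audit_shells PASSWD_FILE SHELLS_FILE
# Print "user:shell" for every account whose login shell is not listed in
# SHELLS_FILE. Comments and blank lines in SHELLS_FILE are ignored; an
# empty shell field in PASSWD_FILE means /bin/sh, as documented in passwd(5).
# If SHELLS_FILE cannot be read, every account is reported.
audit_shells() {
    awk -F: -v shells="$2" '
        BEGIN {
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") ok[line] = 1
            }
            close(shells)
        }
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        {
            sh = ($7 == "") ? "/bin/sh" : $7
            if (!(sh in ok)) print $1 ":" sh
        }
    ' "$1"
}

# make_sample DIR
# Write constructed sample files (not real accounts) into DIR.
make_sample() {
    cat > "$1/shells" << 'EOF'
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF
    cat > "$1/passwd" << 'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/sh
ftp:x:45:45:FTP:/home/ftp:/bin/false
carol:x:1001:1001::/home/carol:/bin/zsh
dave:x:1002:1002::/home/dave:
EOF
}

# Audit the live files only when explicitly asked to.
if [ "${1:-}" = "--system" ]; then
    audit_shells /etc/passwd /etc/shells
fi
```

Accounts that are deliberately given a shell such as /bin/false will appear in the output; the list is meant to be reviewed, not emptied.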
The Linux kernel supplies a random number generator which is accessed through /dev/random and /dev/urandom. Programs that utilize the random and urandom devices, such as OpenSSH, will benefit from these instructions.
When a Linux system starts up without much operator interaction, the entropy pool (data used to compute a random number) may be in a fairly predictable state. This creates the real possibility that the number generated at startup may always be the same. In order to counteract this effect, you should carry the entropy pool information across your shut-downs and start-ups.
Install the /etc/rc.d/init.d/random init script included with the blfs-bootscripts-6.1 package.
make install-random
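To make the mechanism concrete, here is an added example of the save-and-restore logic such a boot script performs. It is not the script shipped in blfs-bootscripts; the seed file location and the function names are assumptions, and every path can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not the blfs-bootscripts random script).
# Hypothetical defaults; override them through the environment.
SEED_FILE=${SEED_FILE:-/var/tmp/random-seed}
POOL_DEV=${POOL_DEV:-/dev/urandom}
POOLSIZE_FILE=${POOLSIZE_FILE:-/proc/sys/kernel/random/poolsize}

# seed_bytes
# Print the seed size in bytes. 2.6 kernels report the pool size in bits;
# fall back to 4096 bits when the file cannot be read.
seed_bytes() {
    bits=4096
    if [ -r "$POOLSIZE_FILE" ]; then
        bits=$(cat "$POOLSIZE_FILE")
    fi
    echo $(( bits / 8 ))
}

# save_seed
# Shutdown half: store fresh random data for the next boot. The file is
# created with mode 600 (anyone who can read it learns part of the next
# boot's pool input) and renamed into place so that an interrupted write
# never leaves a truncated seed behind.
save_seed() {
    ( umask 077
      tmp="$SEED_FILE.$$"
      dd if="$POOL_DEV" of="$tmp" bs="$(seed_bytes)" count=1 2>/dev/null &&
      mv -f "$tmp" "$SEED_FILE" )
}

# load_seed
# Boot half: mix the stored seed into the pool, then replace it at once.
# Replacing it immediately means a crash before the next clean shutdown
# cannot cause the same seed to be loaded twice. Writing to the device
# mixes the data in but does not raise the kernel's entropy estimate.
load_seed() {
    [ -f "$SEED_FILE" ] || return 1
    cat "$SEED_FILE" > "$POOL_DEV" || return 1
    save_seed
}

# Init-script style entry points.
case "${1:-}" in
    start) load_seed || save_seed ;;
    stop)  save_seed ;;
esac
```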
Man and info reader programs can transparently process files compressed with gzip or bzip2, a feature you can use to free some disk space while keeping your documentation available. However, things are not that simple; man directories tend to contain links—hard and symbolic—which defeat simple ideas like recursively calling gzip on them. A better way to go is to use the script below.
cat > /usr/sbin/compressdoc << "EOF"
#!/bin/bash
# VERSION: 20050112.0027
#
# Compress (with bzip2 or gzip) all man pages in a hierarchy and
# update symlinks - By Marc Heerdink <marc @ koelkast.net>
#
# Modified to be able to gzip or bzip2 files as an option and to deal
# with all symlinks properly by Mark Hymers <markh @ linuxfromscratch.org>
#
# Modified 20030930 by Yann E. Morin <yann.morin.1998 @ anciens.enib.fr>
# to accept compression/decompression, to correctly handle hard-links,
# to allow for changing hard-links into soft- ones, to specify the
# compression level, to parse the man.conf for all occurrences of MANPATH,
# to allow for a backup, to allow to keep the newest version of a page.
#
# Modified 20040330 by Tushar Teredesai to replace $0 by the name of the
# script.
#   (Note: It is assumed that the script is in the user's PATH)
#
# Modified 20050112 by Randy McMurchy to shorten line lengths and
# correct grammar errors.
#
# TODO:
#     - choose a default compress method to be based on the available
#       tool : gzip or bzip2;
#     - offer an option to automagically choose the best compression
#       method on a per page basis (eg. check which of
#       gzip/bzip2/whatever is the most effective, page per page);
#     - when a MANPATH env var exists, use this instead of /etc/man.conf
#       (useful for users to (de)compress their man pages;
#     - offer an option to restore a previous backup;
#     - add other compression engines (compress, zip, etc?). Needed?

# Funny enough, this function prints some help.
function help ()
{
  if [ -n "$1" ]; then
    echo "Unknown option : $1"
  fi
  ( echo "Usage: $MY_NAME <comp_method> [options] [dirs]" && \
  cat << EOT
Where comp_method is one of :
  --gzip, --gz, -g
  --bzip2, --bz2, -b
                Compress using gzip or bzip2.

  --decompress, -d
                Decompress the man pages.

  --backup      Specify a .tar backup shall be done for all directories.
                In case a backup already exists, it is saved as .tar.old
                prior to making the new backup. If a .tar.old backup
                exists, it is removed prior to saving the backup.
                In backup mode, no other action is performed.

And where options are :
  -1 to -9, --fast, --best
                The compression level, as accepted by gzip and bzip2.
                When not specified, uses the default compression level
                for the given method (-6 for gzip, and -9 for bzip2).
                Not used when in backup or decompress modes.

  --force, -F   Force (re-)compression, even if the previous one was
                the same method. Useful when changing the compression
                ratio. By default, a page will not be re-compressed if
                it ends with the same suffix as the method adds
                (.bz2 for bzip2, .gz for gzip).

  --soft, -S    Change hard-links into soft-links. Use with _caution_
                as the first encountered file will be used as a
                reference. Not used when in backup mode.

  --hard, -H    Change soft-links into hard-links. Not used when in
                backup mode.

  --conf=dir, --conf dir
                Specify the location of man.conf. Defaults to /etc.

  --verbose, -v Verbose mode, print the name of the directory being
                processed. Double the flag to turn it even more verbose,
                and to print the name of the file being processed.

  --fake, -f    Fakes it. Print the actual parameters compman will use.

  dirs          A list of space-separated _absolute_ pathnames to the
                man directories. When empty, and only then, parse
                ${MAN_CONF}/man.conf for all occurrences of MANPATH.

Note about compression:
  There has been a discussion on blfs-support about compression ratios of
  both gzip and bzip2 on man pages, taking into account the hosting fs,
  the architecture, etc... On the overall, the conclusion was that gzip
  was much more efficient on 'small' files, and bzip2 on 'big' files,
  small and big being very dependent on the content of the files.

  See the original post from Mickael A. Peters, titled
  "Bootable Utility CD", dated 20030409.1816(+0200), and subsequent posts:
  http://linuxfromscratch.org/pipermail/blfs-support/2003-April/038817.html

  On my system (x86, ext3), man pages were 35564KB before compression.
  gzip -9 compressed them down to 20372KB (57.28%), bzip2 -9 got down to
  19812KB (55.71%). That is a 1.57% gain in space. YMMV.

  What was not taken into consideration was the decompression speed. But
  does it make sense to? You gain fast access with uncompressed man
  pages, or you gain space at the expense of a slight overhead in time.
  Well, my P4-2.5GHz does not even let me notice this... :-)

EOT
) | less
}

# This function checks that the man page is unique amongst bzip2'd,
# gzip'd and uncompressed versions.
#  $1 the directory in which the file resides
#  $2 the file name for the man page
# Returns 0 (true) if the file is the latest and must be taken care of,
# and 1 (false) if the file is not the latest (and has therefore been
# deleted).
function check_unique ()
{
  # NB. When there are hard-links to this file, these are
  # _not_ deleted. In fact, if there are hard-links, they
  # all have the same date/time, thus making them ready
  # for deletion later on.

  # Build the list of all man pages with the same name
  DIR=$1
  BASENAME=`basename "${2}" .bz2`
  BASENAME=`basename "${BASENAME}" .gz`
  GZ_FILE="$BASENAME".gz
  BZ_FILE="$BASENAME".bz2

  # Look for, and keep, the most recent one
  LATEST=`(cd "$DIR"; ls -1rt "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}" \
         2>/dev/null | tail -n 1)`
  for i in "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}"; do
    [ "$LATEST" != "$i" ] && rm -f "$DIR"/"$i"
  done

  # In case the specified file was the latest, return 0
  [ "$LATEST" = "$2" ] && return 0
  # If the file was not the latest, return 1
  return 1
}

# Name of the script
MY_NAME=`basename "$0"`

# OK, parse the command-line for arguments, and initialize to some
# sensible state, that is: don't change links state, parse
# /etc/man.conf, be most silent, search man.conf in /etc, and don't
# force (re-)compression.
COMP_METHOD=
COMP_SUF=
COMP_LVL=
FORCE_OPT=
LN_OPT=
MAN_DIR=
VERBOSE_LVL=0
BACKUP=no
FAKE=no
MAN_CONF=/etc
while [ -n "$1" ]; do
  case $1 in
    --gzip|--gz|-g)
      COMP_SUF=.gz
      COMP_METHOD=$1
      shift
      ;;
    --bzip2|--bz2|-b)
      COMP_SUF=.bz2
      COMP_METHOD=$1
      shift
      ;;
    --decompress|-d)
      COMP_SUF=
      COMP_LVL=
      COMP_METHOD=$1
      shift
      ;;
    -[1-9]|--fast|--best)
      COMP_LVL=$1
      shift
      ;;
    --force|-F)
      FORCE_OPT=-F
      shift
      ;;
    --soft|-S)
      LN_OPT=-S
      shift
      ;;
    --hard|-H)
      LN_OPT=-H
      shift
      ;;
    --conf=*)
      MAN_CONF=`echo $1 | cut -d '=' -f2-`
      shift
      ;;
    --conf)
      MAN_CONF="$2"
      shift 2
      ;;
    --verbose|-v)
      let VERBOSE_LVL++
      shift
      ;;
    --backup)
      BACKUP=yes
      shift
      ;;
    --fake|-f)
      FAKE=yes
      shift
      ;;
    --help|-h)
      help
      exit 0
      ;;
    /*)
      MAN_DIR="${MAN_DIR} ${1}"
      shift
      ;;
    -*)
      help $1
      exit 1
      ;;
    *)
      echo "\"$1\" is not an absolute path name"
      exit 1
      ;;
  esac
done

# Redirections
case $VERBOSE_LVL in
  0)
     # 0, be silent
     DEST_FD0=/dev/null
     DEST_FD1=/dev/null
     VERBOSE_OPT=
     ;;
  1)
     # 1, be a bit verbose
     DEST_FD0=/dev/stdout
     DEST_FD1=/dev/null
     VERBOSE_OPT=-v
     ;;
  *)
     # 2 and above, be most verbose
     DEST_FD0=/dev/stdout
     DEST_FD1=/dev/stdout
     VERBOSE_OPT="-v -v"
     ;;
esac

# Note: on my machine, 'man --path' gives /usr/share/man twice, once
# with a trailing '/', once without.
if [ -z "$MAN_DIR" ]; then
  MAN_DIR=`man --path -C "$MAN_CONF"/man.conf \
            | sed 's/:/\\n/g' \
            | while read foo; do dirname "$foo"/.; done \
            | sort -u \
            | while read bar; do echo -n "$bar "; done`
fi

# If no MANPATH in ${MAN_CONF}/man.conf, abort as well
if [ -z "$MAN_DIR" ]; then
  echo "No directory specified, and no directory found with \`man --path'"
  exit 1
fi

# Fake?
if [ "$FAKE" != "no" ]; then
  echo "Actual parameters used:"
  echo -n "Compression.......: "
  case $COMP_METHOD in
    --bzip2|--bz2|-b) echo -n "bzip2";;
    --gzip|--gz|-g) echo -n "gzip";;
    --decompress|-d) echo -n "decompressing";;
    *) echo -n "unknown";;
  esac
  echo " ($COMP_METHOD)"
  echo "Compression level.: $COMP_LVL"
  echo "Compression suffix: $COMP_SUF"
  echo -n "Force compression.: "
  [ "foo$FORCE_OPT" = "foo-F" ] && echo "yes" || echo "no"
  echo "man.conf is.......: ${MAN_CONF}/man.conf"
  echo -n "Hard-links........: "
  [ "foo$LN_OPT" = "foo-S" ] &&
  echo "convert to soft-links" || echo "leave as is"
  echo -n "Soft-links........: "
  [ "foo$LN_OPT" = "foo-H" ] &&
  echo "convert to hard-links" || echo "leave as is"
  echo "Backup............: $BACKUP"
  echo "Faking (yes!).....: $FAKE"
  echo "Directories.......: $MAN_DIR"
  echo "Verbosity level...: $VERBOSE_LVL"
  exit 0
fi

# If no method was specified, print help
if [ -z "${COMP_METHOD}" -a "${BACKUP}" = "no" ]; then
  help
  exit 1
fi

# In backup mode, do the backup solely
if [ "$BACKUP" = "yes" ]; then
  for DIR in $MAN_DIR; do
    cd "${DIR}/.."
    DIR_NAME=`basename "${DIR}"`
    echo "Backing up $DIR..." > $DEST_FD0
    [ -f "${DIR_NAME}.tar.old" ] && rm -f "${DIR_NAME}.tar.old"
    [ -f "${DIR_NAME}.tar" ] &&
    mv "${DIR_NAME}.tar" "${DIR_NAME}.tar.old"
    tar -cvf "${DIR_NAME}.tar" "${DIR_NAME}" > $DEST_FD1
  done
  exit 0
fi

# I know MAN_DIR has only absolute path names
# I need to take into account the localized man, so I'm going recursive
for DIR in $MAN_DIR; do
  MEM_DIR=`pwd`
  cd "$DIR"
  for FILE in *; do
    # Fixes the case where the directory is empty
    if [ "foo$FILE" = "foo*" ]; then continue; fi

    # Fixes the case when hard-links see their compression scheme change
    # (from not compressed to compressed, or from bz2 to gz, or from gz
    # to bz2)
    # Also fixes the case when multiple version of the page are present,
    # which are either compressed or not.
    if [ ! -L "$FILE" -a ! -e "$FILE" ]; then continue; fi

    # Do not compress whatis files
    if [ "$FILE" = "whatis" ]; then continue; fi

    if [ -d "$FILE" ]; then
      cd "${MEM_DIR}"  # Go back to where we ran "$0",
                       # in case "$0"=="./compressdoc" ...
      # We are going recursive to that directory
      echo "-> Entering ${DIR}/${FILE}..." > $DEST_FD0
      # I need not pass --conf, as I specify the directory to work on
      # But I need exit in case of error
      "$MY_NAME" ${COMP_METHOD} ${COMP_LVL} ${LN_OPT} ${VERBOSE_OPT} \
      ${FORCE_OPT} "${DIR}/${FILE}" || exit 1
      echo "<- Leaving ${DIR}/${FILE}." > $DEST_FD1
      cd "$DIR"  # Needed for the next iteration of the loop

    else # !dir
      if ! check_unique "$DIR" "$FILE"; then continue; fi

      # Check if the file is already compressed with the specified method
      BASE_FILE=`basename "$FILE" .gz`
      BASE_FILE=`basename "$BASE_FILE" .bz2`
      if [ "${FILE}" = "${BASE_FILE}${COMP_SUF}" \
         -a "foo${FORCE_OPT}" = "foo" ]; then continue; fi

      # If we have a symlink
      if [ -h "$FILE" ]; then
        case "$FILE" in
          *.bz2)
            EXT=bz2 ;;
          *.gz)
            EXT=gz ;;
          *)
            EXT=none ;;
        esac

        if [ ! "$EXT" = "none" ]; then
          LINK=`ls -l "$FILE" | cut -d ">" -f2 \
               | tr -d " " | sed s/\.$EXT$//`
          NEWNAME=`echo "$FILE" | sed s/\.$EXT$//`
          mv "$FILE" "$NEWNAME"
          FILE="$NEWNAME"
        else
          LINK=`ls -l "$FILE" | cut -d ">" -f2 | tr -d " "`
        fi

        if [ "$LN_OPT" = "-H" ]; then
          # Change this soft-link into a hard- one
          rm -f "$FILE" && ln "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
          chmod --reference "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
        else
          # Keep this soft-link a soft- one.
          rm -f "$FILE" && ln -s "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
        fi
        echo "Relinked $FILE" > $DEST_FD1

      # else if we have a plain file
      elif [ -f "$FILE" ]; then
        # Take care of hard-links: build the list of files hard-linked
        # to the one we are {de,}compressing.
        # NB. This is not optimum as the file will eventually be
        # compressed as many times it has hard-links. But for now,
        # that's the safe way.
        inode=`ls -li "$FILE" | awk '{print $1}'`
        HLINKS=`find . \! -name "$FILE" -inum $inode`

        if [ -n "$HLINKS" ]; then
          # We have hard-links! Remove them now.
          for i in $HLINKS; do rm -f "$i"; done
        fi

        # Now take care of the file that has no hard-link
        # We do decompress first to re-compress with the selected
        # compression ratio later on...
        case "$FILE" in
          *.bz2)
            bunzip2 "$FILE"
            FILE=`basename "$FILE" .bz2`
          ;;
          *.gz)
            gunzip "$FILE"
            FILE=`basename "$FILE" .gz`
          ;;
        esac

        # Compress the file with the given compression ratio, if needed
        case $COMP_SUF in
          *bz2)
            bzip2 ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
            echo "Compressed $FILE" > $DEST_FD1
            ;;
          *gz)
            gzip ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
            echo "Compressed $FILE" > $DEST_FD1
            ;;
          *)
            echo "Uncompressed $FILE" > $DEST_FD1
            ;;
        esac

        # If the file had hard-links, recreate those (either hard or soft)
        if [ -n "$HLINKS" ]; then
          for i in $HLINKS; do
            NEWFILE=`echo "$i" | sed s/\.gz$// | sed s/\.bz2$//`
            if [ "$LN_OPT" = "-S" ]; then
              # Make this hard-link a soft- one
              ln -s "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
            else
              # Keep the hard-link a hard- one
              ln "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
            fi
            # Really work only for hard-links. Harmless for soft-links
            chmod 644 "${NEWFILE}$COMP_SUF"
          done
        fi

      else
        # There is a problem when we get neither a symlink nor a plain
        # file. Obviously, we shall never ever come here... :-(
        echo -n "Whaooo... \"${DIR}/${FILE}\" is neither a symlink "
        echo "nor a plain file. Please check:"
        ls -l "${DIR}/${FILE}"
        exit 1
      fi
    fi
  done # for FILE
done # for DIR

EOF
chmod 755 /usr/sbin/compressdoc
Now, as root, you can issue the command compressdoc --bz2 to compress all your system man pages. You can also run compressdoc --help to get comprehensive help about what the script is able to do.
Don't forget that a few programs, like the X Window System and XEmacs also install their documentation in non-standard places (such as /usr/X11R6/man, etc.). Be sure to add these locations to the file /etc/man.conf, as MANPATH [/path] lines.
Example:
...
MANPATH /usr/share/man
MANPATH /usr/local/man
MANPATH /usr/X11R6/man
MANPATH /opt/qt/doc/man
...
Generally, package installation systems do not compress man/info pages, which means you will need to run the script again if you want to keep the size of your documentation as small as possible. Also, note that running the script after upgrading a package is safe; when you have several versions of a page (for example, one compressed and one uncompressed), the most recent one is kept and the others are deleted.
The autofs package contains userspace tools that work with the kernel to mount and un-mount removable file systems. This is useful for allowing users to mount floppies, cdroms and other removable storage devices without requiring the system administrator to mount the devices. This may not be ideal for all installations, so be aware of the risks before implementing this feature.
Download (HTTP): http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4.tar.bz2
Download (FTP): ftp://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4.tar.bz2
Download MD5 sum: 7e3949114c00665b4636f0c318179657
Download size: 168 KB
Estimated disk space required: 2.3 MB
Estimated build time: less than 0.1 SBU
Recommended Patch: http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4-misc-fixes.patch
Recommended Patch: http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4-multi-parse-fix.patch
Recommended Patch: http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4-non-replicated-ping.patch
Verify that kernel support has been compiled in or built as modules in the following areas:
File systems
  Kernel automounter version 4 support      Y or M
  Network File Systems
    NFS file system support                 Y or M
    SMB file system support                 Y or M
Recompile and install the new kernel, if necessary.
Install autofs by running the following commands:
patch -Np1 -i ../autofs-4.1.4-misc-fixes.patch &&
patch -Np1 -i ../autofs-4.1.4-multi-parse-fix.patch &&
patch -Np1 -i ../autofs-4.1.4-non-replicated-ping.patch &&
./configure --prefix=/ --mandir=/usr/share/man &&
make
Now, as the root user:
make install &&
rm /etc/rc.d/init.d/autofs
rm /etc/rc.d/init.d/autofs: This command removes the installed script which only works on specific distributions.
The installation process creates auto.master, auto.misc and auto.net. You will replace the auto.master with the following commands:
mv /etc/auto.master /etc/auto.master.bak &&
cat > /etc/auto.master << "EOF"
# Begin /etc/auto.master

/media  /etc/auto.misc

# End /etc/auto.master
EOF
This file mounts a new media directory over the one created by LFS and will therefore hide any mounts made by the fstab file into that directory.
While this package could be used to mount NFS shares and SMB shares, that feature is not configured in these instructions. NFS shares are covered on the next page.
The auto.misc file must be configured for your working hardware. The installed configuration file should mount your cdrom if /dev/cdrom is active; otherwise, edit it to match your device setup. Examples for floppies are available in the file and are easily activated. Documentation for this file is available using the man 5 autofs command.
Install the /etc/rc.d/init.d/autofs mount script and /etc/sysconfig/autofs.conf support file included with the blfs-bootscripts-6.1 package.
make install-autofs
The time-out variable is set in /etc/sysconfig/autofs.conf. The installed file sets a default of 60 seconds of inactivity before unmounting the device. A much shorter time may be necessary to protect buffer writing to a floppy if users tend to remove the media prior to the timeout setting.
While LFS is capable of mounting network file systems such as NFS, these are not mounted by the mountfs init script. Network file systems must be mounted after the networking is activated and unmounted before the network goes down. The netfs bootscript was written to handle both boot-time mounting of network filesystems, if the entry in /etc/fstab contains the _netdev option, and unmounting of all network filesystems before the network is brought down.
As the root user, install the /etc/rc.d/init.d/netfs bootscript included with the blfs-bootscripts-6.1 package.
make install-netfs
Security takes many forms in a computing environment. This chapter gives examples of three different types of security: access, prevention and detection.
Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.
Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically its ability to verify signed packages, which detects modifications made to the tarball after the packager created it.
Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator) and then regenerates those "signatures" and compares for files that have been changed.
The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH, email applications and web browsers (for accessing HTTPS sites).
Download (HTTP): http://www.openssl.org/source/openssl-0.9.7g.tar.gz
Download (FTP): ftp://ftp.openssl.org/source/openssl-0.9.7g.tar.gz
Download MD5 sum: 991615f73338a571b6a1be7d74906934
Download size: 3.0 MB
Estimated disk space required: 35 MB
Estimated build time: 0.9 SBU
bc-1.06 (recommended if you run the test suite during the build)
Install OpenSSL by running the following commands:
patch -Np1 -i ../openssl-0.9.7g-fix_manpages-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man
To test the results, issue: make test.
Now, as the root user:
make MANDIR=/usr/share/man install &&
cp -v -r certs /etc/ssl
no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.
make MANDIR=/usr/share/man; make MANDIR=/usr/share/man install: These commands install OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man.
cp -v -r certs /etc/ssl: The certificates must be copied manually since the install script skips this step.
Most people who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers won't need to worry about configuring OpenSSL. Configuring OpenSSL is an advanced topic and so those who do would normally be expected to either know how to do it or to be able to find out how to do it.
The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.
Download (HTTP): http://prdownloads.sourceforge.net/cracklib/cracklib-2.8.3.tar.gz
Download MD5 sum: 13f82f75b892cbd0ba7cb9069e307006
Download size: 480 KB
Estimated disk space required: 27.6 MB
Estimated build time: 0.1 SBU
Recommended word list for English-speaking countries (size: 4.4 MB; md5sum: d18e670e5df560a8745e1b4dede8f84f): http://prdownloads.sourceforge.net/cracklib/cracklib-words.gz
Required patch to create a library used with the Heimdal Kerberos 5 package: http://www.linuxfromscratch.org/blfs/downloads/6.1/cracklib-2.8.3-heimdal-1.patch
There are additional word lists available for download, e.g., from http://www.cotse.com/tools/wordlists.htm. CrackLib can utilize as many, or as few, word lists as you choose to install.
Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.
The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.
Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of “word-based keystroke combinations” that make bad passwords.
If desired, apply the Heimdal patch (note that with this patch the original library is not affected; this patch only creates an additional library used by the Heimdal password-checking routines):
patch -Np1 -i ../cracklib-2.8.3-heimdal-1.patch
Install CrackLib by running the following commands:
./configure --prefix=/usr --datadir=/lib && make
Now, as the root user:
make install &&
mv -v /usr/lib/libcrack.so.2* /lib &&
ln -v -sf ../../lib/libcrack.so.2.8.0 /usr/lib/libcrack.so
The following commands can be used to install the recommended word list. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict.
install -v -m644 -D ../cracklib-words.gz \
    /usr/share/dict/cracklib-words.gz &&
gunzip -v /usr/share/dict/cracklib-words.gz &&
ln -v -s cracklib-words /usr/share/dict/words &&
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &&
create-cracklib-dict /usr/share/dict/cracklib-words \
    /usr/share/dict/cracklib-extra-words
If desired, check the proper operation of the library as an unprivileged user using the tests included with the package:
make test
--datadir=/lib: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.
mv -v /usr/lib/libcrack.so.2* /lib and ln -v -sf ../../lib/libcrack.so.2.8.0 ...: These two commands move the libcrack.so.2.8.0 library and associated symlink from /usr/lib to /lib, then recreate the /usr/lib/libcrack.so symlink pointing to the relocated file.
install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.
ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words as historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.
echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site specific list which includes easy to guess passwords such as company or department names, user's names, product names, computer names, domain names, etc.
create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.
The Linux-PAM package contains Pluggable Authentication Modules. This is useful to enable the local system administrator to choose how applications authenticate users.
Download (HTTP): http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.80.tar.bz2
Download (FTP): ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.80.tar.bz2
Download MD5 sum: ccff87fe639efdfc22b1ba4a0f08ec57
Download size: 376 KB
Estimated disk space required: 8.6 MB
Estimated build time: 0.2 SBU
Documentation
Optional documentation: http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.80-docs.tar.bz2
sgmltools-lite and Berkeley DB-4.3.28 (for pam_userdb module)
Install Linux-PAM by running the following commands:
sed -i 's|DICT_DIR_CANDIDATES="|&/lib /lib/cracklib |' \
    configure &&
./configure --enable-static-libpam --with-mailspool=/var/mail \
    --enable-read-both-confs --sysconfdir=/etc \
    --mandir=/usr/share/man &&
make
If you downloaded the documentation and wish to install it, unpack the tarball into the doc directory:
tar -jxf ../Linux-PAM-0.80-docs.tar.bz2 -C doc
Now, as the root user:
make install &&
mv -v /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib &&
rm -v /lib/libpam{,c,_misc}.so &&
ln -v -sf ../../lib/libpam.so.0.80 /usr/lib/libpam.so &&
ln -v -sf ../../lib/libpam_misc.so.0.80 /usr/lib/libpam_misc.so &&
ln -v -sf ../../lib/libpamc.so.0.80 /usr/lib/libpamc.so
Install the documentation using the following commands:
install -v -d -m755 /usr/share/doc/Linux-PAM-0.80 &&
for DOCTYPE in html ps specs txts
do
    cp -v -R doc/$DOCTYPE /usr/share/doc/Linux-PAM-0.80
done
sed -i 's|DICT_DIR_CANDIDATES="|&/lib /lib/cracklib |' configure: This command changes where configure looks to find the CrackLib dictionary.
--enable-static-libpam: This switch builds static PAM libraries as well as the dynamic libraries.
--with-mailspool=/var/mail: This switch makes the mailspool directory FHS compliant.
--enable-read-both-confs: This switch lets the local administrator choose which configuration file setup to use.
mv -v /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib: This command moves the static libraries to /usr/lib to comply with FHS guidelines.
rm -v /lib/libpam{,c,_misc}.so; ln -v -sf ... /usr/lib/...: These commands move the .so symlinks from /lib to /usr/lib.
Configuration information is placed in /etc/pam.d/ or /etc/pam.conf depending on user preference. Below are example files of each type:
# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

# Begin /etc/pam.conf

other           auth            required        pam_unix.so     nullok
other           account         required        pam_unix.so
other           session         required        pam_unix.so
other           password        required        pam_unix.so     nullok

# End /etc/pam.conf
The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM guide for system administrators is recommended for further reading.
Refer to http://www.kernel.org/pub/linux/libs/pam/modules.html for a list of various modules available.
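The two layouts above differ only in the leading service field. As an added example (not part of the BLFS book), the functions below print the contents of a pam.d-style directory in /etc/pam.conf form, joining backslash-continued lines, and list the entries that pass nullok to pam_unix.so, the option that lets accounts with a blank password through. Function names are hypothetical and the sample directory is constructed from entries shown on this page.

```shell
#!/bin/sh
# Added example (not from the BLFS book). Function names are hypothetical.

# pamd_to_conf DIR
# Print every entry found in the files of DIR in /etc/pam.conf form: the
# file name becomes the leading service field. Lines continued with a
# trailing backslash are joined; comments and blank lines are dropped.
pamd_to_conf() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$(basename "$f")" '
            { line = buf $0; buf = "" }
            line ~ /\\$/ { sub(/\\$/, " ", line); buf = line; next }
            {
                sub(/#.*/, "", line)
                gsub(/[ \t]+/, " ", line)
                gsub(/^ | $/, "", line)
                if (line != "") print svc " " line
            }
        ' "$f"
    done
}

# nullok_entries DIR
# Print "service type" for each pam_unix.so entry that carries nullok.
nullok_entries() {
    pamd_to_conf "$1" | awk '
        $4 ~ /pam_unix\.so$/ {
            for (i = 5; i <= NF; i++)
                if ($i == "nullok") print $1, $2
        }'
}

# make_sample_pamd DIR
# Write a constructed pam.d directory into DIR.
make_sample_pamd() {
    cat > "$1/other" << 'EOF'
# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other
EOF
    cat > "$1/passwd" << 'EOF'
# Begin /etc/pam.d/passwd

password    required    pam_cracklib.so  retry=3  difok=8  minlen=5 \
                                         dcredit=3  ocredit=3 \
                                         ucredit=2  lcredit=2
password    required    pam_unix.so      md5 shadow use_authtok

# End /etc/pam.d/passwd
EOF
}

# Inspect the live configuration only when explicitly asked to.
if [ "${1:-}" = "--system" ]; then
    pamd_to_conf /etc/pam.d
    echo "Entries with nullok:"
    nullok_entries /etc/pam.d
fi
```

Because other is the fallback used by any service without its own file, a nullok entry there applies more widely than one in a single service file.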
You should now reinstall the Shadow-4.0.9 package.
Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed Linux-PAM. If you did, this will allow programs like login and su to utilize PAM.
Download (FTP): ftp://ftp.pld.org.pl/software/shadow/old/shadow-4.0.9.tar.bz2
Download MD5 sum: 66e3a3a60ea6b021a7babff311b07607
Download size: 1.1 MB
Estimated disk space required: 13 MB
Estimated build time: 0.3 SBU
Patch to fix several invalid warning messages when used with Linux_PAM: http://www.linuxfromscratch.org/blfs/downloads/6.1/shadow-4.0.9-Linux_PAM_fixes-1.patch
Reinstall Shadow by running the following commands:
patch -Np1 -i ../shadow-4.0.9-Linux_PAM_fixes-1.patch &&
./configure --libdir=/lib --enable-shared \
    --with-libpam --without-libcrack &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
sed -i '/groups/d' man/Makefile &&
make
Now, as the root user:
make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
--without-libcrack: This switch tells Shadow not to use libcrack. This is desired as Linux-PAM already contains libcrack.
sed -i ...: These commands are used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.
The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents):
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
                PORTTIME_CHECKS_ENAB CONSOLE \
                MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                SU_WHEEL_ONLY MD5_CRYPT_ENAB \
                CONSOLE_GROUPS ENVIRON_FILE \
                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
                CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done
If you have CrackLib installed, also comment out four more lines using the following command:
for FUNCTION in OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
                PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
    sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
done
Add the following Linux-PAM configuration files to /etc/pam.d/ (or add them to /etc/pam.conf with the additional field for the program).
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_env.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so      dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so
password    required       pam_unix.so      md5 shadow
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
                                            dcredit=3 ocredit=3 \
                                            ucredit=2 lcredit=2
password    required       pam_unix.so      md5 shadow use_authtok
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password    required       pam_unix.so      md5 shadow
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
auth        sufficient     pam_rootok.so
auth        required       pam_unix.so
account     required       pam_unix.so
session     optional       pam_mail.so      dir=/var/mail standard
session     required       pam_env.so
session     required       pam_unix.so
# End /etc/pam.d/su
EOF
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage
auth        sufficient     pam_rootok.so
auth        required       pam_unix.so
account     required       pam_unix.so
session     required       pam_unix.so
password    required       pam_permit.so
# End /etc/pam.d/chage
EOF
for PROGRAM in chpasswd newusers groupadd groupdel \
               groupmod useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
    sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done
At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth        required       pam_deny.so
auth        required       pam_warn.so
account     required       pam_deny.so
session     required       pam_deny.so
password    required       pam_deny.so
password    required       pam_warn.so
# End /etc/pam.d/other
EOF
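A quick way to confirm that the restrictive fallback is really in place, as an added example rather than part of the BLFS instructions: the script checks that every module type in an other file is denied and flags nullok. The function names are hypothetical, the two sample files are constructed from the listings on this page, and one rule per line (no backslash continuation) is assumed.

```shell
#!/bin/sh
# Added example: audit a PAM "other" fallback file in /etc/pam.d format.
# audit_pam_other and write_samples are hypothetical helper names.

# Prints one finding per line. Returns 0 only when auth, account, session
# and password each have a required (or requisite) pam_deny.so entry and
# nothing except pam_deny.so or pam_warn.so is configured.
audit_pam_other() {
    awk '
        /^[ \t]*#/ { next }               # comment line
        NF == 0    { next }               # blank line
        {
            type = $1; control = $2; module = $3
            sub(/^.*\//, "", module)      # tolerate absolute module paths
            strict = (control == "required" || control == "requisite")
            if (module == "pam_deny.so" && strict) {
                denied[type] = 1
            } else if (module != "pam_warn.so") {
                printf "FAIL line %d: %s %s %s is not a required pam_deny.so\n", NR, type, control, module
                bad = 1
            }
            for (i = 4; i <= NF; i++) {
                if ($i == "nullok") {
                    printf "FAIL line %d: nullok accepts empty passwords\n", NR
                    bad = 1
                }
            }
        }
        END {
            n = split("auth account session password", types, " ")
            for (i = 1; i <= n; i++) {
                if (!(types[i] in denied)) {
                    printf "FAIL: no required pam_deny.so for %s\n", types[i]
                    bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed samples: the permissive and the restrictive "other" file
# from this page, written into the directory given as $1.
write_samples() {
    cat > "$1/other.permissive" << "EOF"
auth        required       pam_unix.so     nullok
account     required       pam_unix.so
session     required       pam_unix.so
password    required       pam_unix.so     nullok
EOF
    cat > "$1/other.restrictive" << "EOF"
auth        required       pam_deny.so
auth        required       pam_warn.so
account     required       pam_deny.so
session     required       pam_deny.so
password    required       pam_deny.so
password    required       pam_warn.so
EOF
}

# Demonstration on the constructed samples. On a real system, run
# audit_pam_other /etc/pam.d/other instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/other.*; do
    if audit_pam_other "$f"; then
        echo "$f: restrictive"
    else
        echo "$f: NOT restrictive"
    fi
done
rm -rf "$demo_dir"
```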
Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:
if [ -f /etc/login.access ]; then
    mv -v /etc/login.access /etc/login.access.NOUSE
fi
Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:
if [ -f /etc/limits ]; then
    mv -v /etc/limits /etc/limits.NOUSE
fi
During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands:
ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH DEFAULT='`echo "${ENV_PATH}"`' OVERRIDE=${PATH}' \
>> /etc/security/pam_env.conf &&
unset ENV_PATH
ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super user.
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/stable/chapter06/shadow.html#contents-shadow.
The next part of this chapter deals with firewalls. The principal firewall tool for Linux, as of the 2.4 kernel series, is iptables. It replaces ipchains from the 2.2 series and ipfwadm from the 2.0 series. You will need to install iptables if you intend to use any form of firewall.
Download (HTTP): http://www.iptables.org/files/iptables-1.3.3.tar.bz2
Download (FTP): ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.3.tar.bz2
Download MD5 sum: 86d88455520cfdc56fd7ae27897a80a4
Download size: 176 KB
Estimated disk space required: 4.8 MB
Estimated build time: 0.2 SBU
A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is iptables. To use it, the appropriate kernel configuration parameters are found in Device Drivers -> Networking Support -> Networking Options -> Network Packet Filtering -> IP: Netfilter Configuration.
Installation of iptables will fail if raw kernel headers are found in /usr/src/linux either as actual files or a symlink. As of the Linux 2.6 kernel series, this directory should no longer exist because appropriate headers were installed from the Linux-Libc-Headers package during the base LFS installation.
For some non-x86 architectures, the raw kernel headers may be required. In that case, add the environment variable KERNEL_DIR=/usr/src/linux to the make commands below.
Install iptables by running the following commands:
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin
Now, as the root user:
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install
PREFIX=/usr LIBDIR=/lib BINDIR=/sbin: Compiles and installs iptables libraries into /lib, binaries into /sbin and the remainder into the /usr hierarchy instead of /usr/local. Firewalls are generally activated during the boot process and /usr may not be mounted at that time.
Introductory instructions for configuring your firewall are presented in the next section: Firewalling
To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-6.1 package.
make install-iptables
Before you read this part of the chapter, you should have already installed iptables as described in the previous section.
The general purpose of a firewall is to protect a computer or a network against malicious access.
In a perfect world, every daemon or service on every machine is perfectly configured and immune to flaws such as buffer overflows or other problems regarding its security. Furthermore, you trust every user accessing your services. In this world, you do not need to have a firewall.
In the real world however, daemons may be misconfigured and exploits against essential services are freely available. You may wish to choose which services are accessible by certain machines or you may wish to limit which machines or applications are allowed external access. Alternatively, you may simply not trust some of your applications or users. You are probably connected to the Internet. In this world, a firewall is essential.
Don't assume however, that having a firewall makes careful configuration redundant, or that it makes any negligent misconfiguration harmless. It doesn't prevent anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system properly configured and up to date. A firewall is not a cure all, but should be an essential part of your overall security strategy.
The word firewall can have several different meanings.
This is a hardware device or software program commercially sold (or offered via freeware) by companies such as Symantec which claims that it secures a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.
This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.
This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but offering non-firewall services such as a web-cache or mail. This may be used for home networks, but is not to be considered as secure as a firewall only machine because the combination of server and router/firewall on one machine raises the complexity of the setup.
This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IPs and a physically separated structure, is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.
This introduction on how to set up a firewall is not a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The scripts quoted here are simply intended to give examples of how a firewall works. They are not intended to fit into any particular configuration and may not provide complete protection from an attack.
Customization of these scripts for your specific situation will be necessary for an optimal configuration, but you should make a serious study of the iptables documentation and creating firewalls in general before hacking away. Have a look at the list of links for further reading at the end of this section for more details. There you will find a list of URLs that contain quite comprehensive information about building your own firewall.
The firewall configuration script installed in the iptables section differs from the standard configuration script. It only has two of the standard targets: start and status. The other targets are clear and lock. For instance if you issue:
/etc/rc.d/init.d/iptables start
the firewall will be restarted just as it is upon system startup. The status target will present a list of all currently implemented rules. The clear target turns off all firewall rules and the lock target will block all packets in and out of the computer with the exception of the loopback interface.
The main startup firewall is located in the file /etc/rc.d/rc.iptables. The sections below provide three different approaches that can be used for a system.
You should always run your firewall rules from a script. This ensures consistency and a record of what was done. It also allows retention of comments that are essential for understanding the rules long after they were written.
A Personal Firewall is designed to let you access all the services offered on the Internet, but keep your box secure and your data private.
Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 2.6 kernels.
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables
This script is quite simple: it drops all traffic coming into your computer that wasn't initiated from your computer. As long as you are simply surfing the Internet, you are unlikely to exceed its limits.
If you frequently encounter delays when accessing FTP servers, take a look at BusyBox example number 4.
Even if you have daemons or services running on your system, these will be inaccessible everywhere but from your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at BusyBox.
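To confirm that the kernel settings written by the rc.iptables script above are still in effect, a check like the following can be run after boot or from cron. It is an added example, not part of the BLFS bootscripts; the function names are hypothetical and the demonstration runs against a constructed directory tree instead of the live /proc/sys.

```shell
#!/bin/sh
# Added example: compare kernel network settings with the values that the
# rc.iptables script on this page writes. Helper names are hypothetical.

# path=value pairs, relative to /proc/sys, taken from the echo lines of
# the script. ip_dynaddr and tcp_ecn are left out because they are
# convenience settings rather than protections.
EXPECTED_SETTINGS="
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/tcp_syncookies=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
"

# check_kernel_hardening [ROOT]
# Prints one line per missing or differing entry and returns non-zero if
# there is at least one. ROOT defaults to /proc/sys.
check_kernel_hardening() {
    root=${1:-/proc/sys}
    failures=0
    for entry in $EXPECTED_SETTINGS; do
        key=${entry%=*}
        want=${entry#*=}
        if [ ! -r "$root/$key" ]; then
            echo "MISSING  $key (expected $want)"
            failures=$((failures + 1))
            continue
        fi
        have=$(cat "$root/$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key is $have, expected $want"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# make_sample_tree DIR good|drifted
# Builds a constructed stand-in for /proc/sys. The "drifted" variant has
# ICMP redirects re-enabled and the log_martians entry removed.
make_sample_tree() {
    for entry in $EXPECTED_SETTINGS; do
        mkdir -p "$1/$(dirname "${entry%=*}")"
        echo "${entry#*=}" > "$1/${entry%=*}"
    done
    if [ "$2" = drifted ]; then
        echo 1 > "$1/net/ipv4/conf/all/accept_redirects"
        rm "$1/net/ipv4/conf/all/log_martians"
    fi
}

# Demonstration on constructed data. On a live system call
# check_kernel_hardening with no argument.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root" drifted
check_kernel_hardening "$demo_root" || echo "kernel settings differ from rc.iptables"
rm -rf "$demo_root"
```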
A true Firewall has two interfaces, one connected to an intranet, in this example eth0, and one connected to the Internet, here ppp0. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that makes a daemon on your system crash, or even worse, that implements a worm via a buffer-overflow).
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin $rc_base/rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod 700 /etc/rc.d/rc.iptables
With this script your intranet should be reasonably secure against external attacks. No one should be able to set up a new connection to any internal service and, if the intranet is masqueraded, it is invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running that a cracker could attack.
If the interface you're connecting to the Internet doesn't connect via PPP, you will need to change ppp+ to the name of the interface (e.g., eth1) which you are using.
This scenario isn't too different from the Masquerading Router, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.
Outlining a true concept of how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references at the end of this section for more information.
Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Masquerading Router for some more details.
If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.
iptables -A INPUT  -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT
If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans that would like to "call home", and a bit of redundancy in case you've (mis-)configured a service so that it broadcasts its existence to the world.
To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.
Have a Look at the Following Examples:
Squid is caching the web:
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED \
    -j ACCEPT
Your caching name server (e.g., named) does its lookups via UDP:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
You want to be able to ping your computer to ensure it's still alive:
iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
If you are frequently accessing FTP servers or enjoy chatting, you might notice certain delays because some implementations of these daemons have the feature of querying an identd on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.
To avoid these delays you could reject the requests with a 'tcp-reset':
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans):
iptables -I INPUT 1 -p tcp -m state --state INVALID \
    -j LOG --log-prefix "FIREWALL:INVALID"
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP
Anything coming from the outside should not have a private address. Packets that do are a sign of a common attack called IP-spoofing:
iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
There are other addresses that you may also want to drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link Local Networks), and 192.0.2.0/24 (IANA defined test network).
If your firewall is a DHCP client, you need to allow those packets:
iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
    -d 255.255.255.255 --dport 68 -j ACCEPT
To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.
Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:
iptables -A INPUT -j REJECT
These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.
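For the log review mentioned above, the following added example (not part of the BLFS scripts) groups the packets logged by the FIREWALL: rules by rule, protocol and destination port, which shows at a glance what is being refused. The function names are hypothetical and the log lines are constructed; note that the FIREWALL:FORWARD and FIREWALL:INVALID prefixes on this page have no trailing space, so the kernel writes them directly against the IN= field and the parser has to allow for that.

```shell
#!/bin/sh
# Added example: summarise packets logged by the "FIREWALL:" LOG rules.
# summarize_firewall_log and sample_log are hypothetical helper names.

# Reads syslog lines from the named files (or stdin) and prints
#   <count> <rule> <proto>/<destination port or ICMP type> sources=<n>
# with the busiest entry first.
summarize_firewall_log() {
    awk '
    {
        p = index($0, "FIREWALL:")
        if (p == 0) next                   # not written by these LOG rules
        rest = substr($0, p + 9)           # text after "FIREWALL:"
        # The kernel prints the prefix and then "IN=" with nothing in
        # between, so a prefix without a trailing space runs into it.
        q = index(rest, "IN=")
        if (q == 0) next
        rule = substr(rest, 1, q - 1)
        sub(/ +$/, "", rule)

        proto = ""; port = ""; src = ""
        n = split(substr(rest, q), tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq == 0) continue          # flags such as DF or SYN
            k = substr(tok[i], 1, eq - 1)
            v = substr(tok[i], eq + 1)
            # The first occurrence wins; later ones can belong to a
            # packet quoted inside an ICMP error.
            if (k == "SRC" && src == "") src = v
            else if (k == "PROTO" && proto == "") proto = v
            else if (k == "DPT" && port == "") port = v
            else if (k == "TYPE" && port == "") port = "type" v
        }
        key = rule SUBSEP proto SUBSEP (port == "" ? "-" : port)
        count[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; sources[key]++ }
    }
    END {
        for (key in count) {
            split(key, part, SUBSEP)
            printf "%d %s %s/%s sources=%d\n", count[key], part[1], part[2], part[3], sources[key]
        }
    }' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the format of the kernel LOG target, using the
# log prefixes from this page and documentation-range addresses.
sample_log() {
    cat << "EOF"
Aug 14 10:00:01 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 10:00:04 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=811 DF PROTO=TCP SPT=51200 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 10:00:09 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 10:01:00 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1025 DPT=123 LEN=56
Aug 14 10:01:30 gw kernel: FIREWALL:FORWARDIN=eth0 OUT=ppp0 SRC=192.168.0.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=977 DF PROTO=TCP SPT=3345 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 10:02:00 gw kernel: FIREWALL:INVALIDIN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=120 PROTO=TCP SPT=80 DPT=33012 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug 14 10:02:10 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Aug 14 10:03:00 gw sshd[411]: a line from another daemon, ignored by the parser
EOF
}

# Demonstration on the constructed sample. On a real system pass the
# file your syslog daemon writes kernel messages to.
sample_log | summarize_firewall_log
```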
Finally, there is one fact you must not forget: The effort spent attacking a system corresponds to the value the cracker expects to gain from it. If you are responsible for valuable information, you need to spend the time to protect it properly.
www.netfilter.org - Homepage of the netfilter/iptables project
Netfilter related FAQ
Netfilter related HOWTO's
en.tldp.org/LDP/nag2/x-087-2-firewall.html
en.tldp.org/HOWTO/Security-HOWTO.html
en.tldp.org/HOWTO/Firewall-HOWTO.html
www.ibm.com/developerworks/security/library/s-fire.html
www.ibm.com/developerworks/security/library/s-fire2.html
www.interhack.net/pubs/fw-faq/
www.linuxsecurity.com/docs/
www.little-idiot.de/firewall (German & outdated, but very comprehensive)
www.linuxgazette.com/issue65/stumpel.html
linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html
staff.washington.edu/dittrich/misc/ddos
www.e-infomax.com/ipmasq
www.circlemud.org/~jelson/writings/security/index.htm
www.securityfocus.com
www.cert.org - tech_tips
security.ittoolbox.com
www.linux-firewall-tools.com/linux/
logi.cc/linux/athome-firewall.php3
www.insecure.org/reading.html
www.robertgraham.com/pubs/firewall-seen.html
The GnuPG package contains a public/private key encryptor. This is becoming useful for signing files or emails as proof of identity and preventing tampering with the contents of the file or email.
Download (HTTP): http://public.ftp.planetmirror.com/pub/gnupg/gnupg-1.4.1.tar.bz2
Download (FTP): ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.1.tar.bz2
Download MD5 sum: fdfc5553d0904cd65011e47a42a9532c
Download size: 2.8 MB
Estimated disk space required: 32 MB
Estimated build time: 0.42 SBU
OpenLDAP-2.2.24, libusb-0.1.10a, cURL-7.14.0, MTA, DocBook-utils-0.6.14 and docbook-to-man
Install GnuPG by running the following commands:
./configure --prefix=/usr --libexecdir=/usr/lib && make
Now, as the root user:
make install && chmod -v 4755 /usr/bin/gpg
--libexecdir=/usr/lib: This command creates a gnupg directory in /usr/lib instead of /usr/libexec.
chmod -v 4755 /usr/bin/gpg: gpg is installed setuid root to avoid swapping out sensitive data.
The Tripwire package contains programs used to verify the integrity of the files on a given system.
Download (HTTP): http://www.frenchfries.net/paul/tripwire/tripwire-portable-0.9.tar.gz
Download MD5 sum: 02610d0593fe04d35d809ff6c5becc02
Download size: 869 KB
Estimated disk space required: 22 MB
Estimated build time: 2.96 SBU
MTA (See Chapter 22, Mail Server Software)
Compile Tripwire by running the following commands:
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg && ./configure --prefix=/usr --sysconfdir=/etc/tripwire && make
Now, as the root user:
make install && cp -v policy/*.txt /usr/share/doc/tripwire
The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install.cfg to use an SMTP server instead.
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire.
make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key which are stored in /etc/tripwire/.
cp -v policy/*.txt /usr/share/doc/tripwire: This command installs the documentation.
Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default Redhat installation and will need to be updated for your system.
Policy files should be tailored to each individual distribution and/or installation. Some custom policy files can be found below:
http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt
Checks integrity of all files
http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt
Custom policy file for Base LFS 3.0 system
http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt
Custom policy file for SuSE 7.2 system
Download the custom policy file you'd like to try, copy it into /etc/tripwire/, and use it instead of twpol.txt. It is, however, recommended that you make your own policy file. Get ideas from the examples above and read /usr/share/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for beginners as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.
After your policy file has been transferred to /etc/tripwire/ you may begin the configuration steps (perform as the root):
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt &&
tripwire --init
To use Tripwire after creating a policy file to run a report, use the following command:
tripwire --check > /etc/tripwire/report.txt
View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.
Please note that after you run an integrity check, you must examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with linux- and ends in .twr. This encrypted file was created during the last report creation and is needed to update the Tripwire database of your system. Then, as the root user, type in the following command making the appropriate substitutions for [?]:
tripwire --update --twrfile \
    /var/lib/tripwire/report/linux-[???????]-[??????].twr
You will be placed into vim with a copy of the report in front of you. If all the changes were good, then just type :x and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :x.
Heimdal is a free implementation of Kerberos 5 that aims to be compatible with MIT krb5 and is backward compatible with krb4. Kerberos is a network authentication protocol. Basically it preserves the integrity of passwords in any untrusted network (like the Internet). Kerberized applications work hand-in-hand with sites that support Kerberos to ensure that passwords cannot be stolen or compromised. A Kerberos installation will make changes to the authentication mechanisms on your network and will overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper and Shadow packages.
Download (HTTP): http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-0.7.tar.gz
Download (FTP): ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.tar.gz
Download MD5 sum: 0a8097a8772d5d2de8c5539d3182b82a
Download size: 4.5 MB
Estimated disk space required: 91 MB
Estimated build time: 2.4 SBU
Required Patch: http://www.linuxfromscratch.org/blfs/downloads/6.1/heimdal-0.7-fhs_compliance-1.patch
Required patch for CrackLib support: http://www.linuxfromscratch.org/blfs/downloads/6.1/heimdal-0.7-cracklib-1.patch
OpenSSL-0.9.7g and Berkeley DB-4.3.28
Linux-PAM-0.80, OpenLDAP-2.2.24, X (X.org-6.8.2 or XFree86-4.5.0), CrackLib-2.8.3 (compiled with the heimdal patch) and krb4
Some sort of time synchronization facility on your system (like NTP-4.2.0) is required since Kerberos won't authenticate if the time differential between a kerberized client and the KDC server is more than 5 minutes.
Before installing the package, you may want to preserve the ftp program from the Inetutils package. This is because using the Heimdal ftp program to connect to non-kerberized ftp servers may not work properly. It will allow you to connect (letting you know that transmission of the password is clear text) but will have problems doing puts and gets. Issue the following command as the root user.
mv -v /usr/bin/ftp /usr/bin/ftpn
If you wish the Heimdal package to link against the CrackLib library (requires CrackLib-2.8.3 installed with the heimdal patch), you must apply a patch:
patch -Np1 -i ../heimdal-0.7-cracklib-1.patch
Install Heimdal by running the following commands:
patch -Np1 -i ../heimdal-0.7-fhs_compliance-1.patch &&
./configure --prefix=/usr \
            --sysconfdir=/etc/heimdal \
            --libexecdir=/usr/sbin \
            --datadir=/var/lib/heimdal \
            --localstatedir=/var/lib/heimdal \
            --enable-shared \
            --with-readline=/usr &&
make
To test the results, issue: make check.
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/heimdal-0.7/standardisation &&
install -v -m644 doc/{init-creds,layman.asc} \
    /usr/share/doc/heimdal-0.7 &&
install -v -m644 doc/standardisation/* \
    /usr/share/doc/heimdal-0.7/standardisation &&
mv -v /bin/login /bin/login.shadow &&
mv -v /bin/su /bin/su.shadow &&
mv -v /usr/bin/{login,su} /bin &&
ln -v -sf ../../bin/login /usr/bin &&
mv -v /usr/lib/lib{otp,kafs,krb5,asn1,roken,crypto}.so.* \
    /usr/lib/libdb-4.3.so /lib &&
ln -v -sf ../../lib/libdb-4.3.so /usr/lib/libdb.so &&
ln -v -sf ../../lib/libdb-4.3.so /usr/lib/libdb-4.so &&
for SYMLINK in otp.so.0.1.3 kafs.so.0.4.1 krb5.so.17.4.0 \
               asn1.so.6.1.0 roken.so.16.1.0 crypto.so.0.9.7
do
    ln -v -sf ../../lib/lib$SYMLINK \
        /usr/lib/lib`echo $SYMLINK | cut -d. -f1`.so
done
ldconfig
--libexecdir=/usr/sbin: This switch puts the daemon programs into /usr/sbin.
If you want to preserve all your existing Inetutils package daemons, install the Heimdal daemons into /usr/sbin/heimdal (or wherever you want). Since these programs will be called from (x)inetd or rc scripts, it really doesn't matter where they are installed, as long as they are correctly specified in the /etc/(x)inetd.conf file and rc scripts. If you choose something other than /usr/sbin, you may want to move some of the user programs (such as kadmin) to /usr/sbin manually so they'll be in the privileged user's default PATH.
mv ... .shadow; mv ... /bin; ln -v -sf ../../bin...: The login and su programs installed by Heimdal belong in the /bin directory. The login program is symlinked because Heimdal is expecting to find it in /usr/bin. The old executables are preserved before the move to keep things sane should breaks occur.
mv ... /lib; ln -v -sf ../../lib/lib... /usr/lib...: The login and su programs installed by Heimdal link against Heimdal libraries as well as libraries provided by the OpenSSL and Berkeley DB packages. These libraries are moved to /lib to be FHS compliant and also in case /usr is located on a separate partition which may not always be mounted.
All the configuration steps shown below must be accomplished by the root user unless otherwise noted.
Create the Kerberos configuration file with the following commands:
install -v -m755 -d /etc/heimdal &&
cat > /etc/heimdal/krb5.conf << "EOF"
# Begin /etc/heimdal/krb5.conf

[libdefaults]
    default_realm = [EXAMPLE.COM]
    encrypt = true

[realms]
    [EXAMPLE.COM] = {
        kdc = [hostname.example.com]
        admin_server = [hostname.example.com]
        kpasswd_server = [hostname.example.com]
    }

[domain_realm]
    .[example.com] = [EXAMPLE.COM]

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
EOF
chmod -v 644 /etc/heimdal/krb5.conf
You will need to substitute your domain and proper hostname for the occurrences of the [hostname] and [EXAMPLE.COM] names.
default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT krb5 recommend it.
encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.
The [realms] parameters tell the client programs where to look for the KDC authentication services.
The [domain_realm] section maps a domain to a realm.
Store the master password in a key file using the following commands:
install -v -m755 -d /var/lib/heimdal && kstash
Create the KDC database:
kadmin -l
The commands below will prompt you for information about the principals. Choose the defaults for now unless you know what you are doing and need to specify different values. You can go in later and change the defaults, should you feel the need. You may use the up and down arrow keys to use the history feature of kadmin in a similar manner as the bash history feature.
At the kadmin> prompt, issue the following statement:
init [EXAMPLE.COM]
The database must now be populated with at least one principal (user). For now, just use your regular login name or root. You may create as few or as many principals as you wish using the following statement:
add [loginname]
The KDC server and any machine running kerberized server daemons must have a host key installed:
add --random-key host/[hostname.example.com]
After choosing the defaults when prompted, you will have to export the data to a keytab file:
ext host/[hostname.example.com]
This should have created two files in /etc/heimdal: krb5.keytab (Kerberos 5) and srvtab (Kerberos 4). Both files should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.
Eventually, you'll want to add server daemon principals to the database and extract them to the keytab file. You do this in the same way you created the host principals. Below is an example:
add --random-key ftp/[hostname.example.com]
(choose the defaults)
ext ftp/[hostname.example.com]
Exit the kadmin program (use quit or exit) and return back to the shell prompt. Start the KDC daemon manually, just to test out the installation:
/usr/sbin/kdc &
Attempt to get a TGT (ticket granting ticket) with the following command:
kinit [loginname]
You will be prompted for the password you created. After you get your ticket, you should list it with the following command:
klist
Information about the ticket should be displayed on the screen.
To test the functionality of the keytab file, issue the following command:
ktutil list
This should dump a list of the host principals, along with the encryption methods used to access the principals.
At this point, if everything has been successful so far, you can feel fairly confident in the installation, setup and configuration of your new Heimdal Kerberos 5 installation.
Install the /etc/rc.d/init.d/heimdal init script included in the blfs-bootscripts-6.1 package:
make install-heimdal
To use the kerberized client programs (telnet, ftp, rsh, rxterm, rxtelnet, rcp, xnlock), you first must get a TGT. Use the kinit program to get the ticket. After you've acquired the ticket, you can use the kerberized programs to connect to any kerberized server on the network. You will not be prompted for authentication until your ticket expires (default is one day), unless you specify a different user as a command line argument to the program.
The kerberized programs will connect to non-kerberized daemons, warning you that authentication is not encrypted. As mentioned earlier, only the ftp program gives any trouble connecting to non-kerberized daemons.
In order to use the Heimdal X programs, you'll need to add a service port entry to the /etc/services file for the kxd server. There is no 'standardized port number' for the 'kx' service in the IANA database, so you'll have to pick an unused port number. Add an entry to the services file similar to the entry below (substitute your chosen port number for [49150]):
kx              [49150]/tcp   # Heimdal kerberos X
kx              [49150]/udp   # Heimdal kerberos X
For additional information consult the Heimdal hint on which the above instructions are based.
MIT krb5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos allowing single logins and encrypted communication over internal networks or the Internet.
Download (HTTP): http://web.mit.edu/kerberos/www/dist/krb5/1.4/krb5-1.4.1-signed.tar
Download MD5 sum: 617e0071fa5b74ab4116f064678af551
Download size: 6.4 MB
Estimated disk space required: TBD MB
Estimated build time: TBD SBU
The instructions for MIT Krb5 have not yet been validated by the BLFS Editors. Until this section is updated, the Editors recommend using Heimdal-0.7 to implement the functionality of this package.
The Cyrus SASL package contains a Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.
Download (HTTP): http://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
Download (FTP): ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
Download MD5 sum: dde02db234dea892bee298390890502e
Download size: 1.6 MB
Estimated disk space required: 16 MB
Estimated build time: 0.3 SBU
Linux-PAM-0.80, OpenLDAP-2.2.24, Heimdal-0.7 or MIT krb5-1.4.1, JDK-1.5.0, MySQL-4.1.12, PostgreSQL-8.0.3, Berkeley DB-4.3.28, GDBM-1.8.3, krb4, SQLite and Dmalloc
Install Cyrus SASL by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-saslauthd=/var/run &&
make
This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, it is recommended to test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt.
Now, as the root user:
make install &&
install -v -m644 saslauthd/saslauthd.8 /usr/share/man/man8 &&
install -v -m755 -d /usr/share/doc/cyrus-sasl-2.1.21 &&
install -v -m644 doc/{*.{html,txt,fig},ONEWS,TODO} \
    saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.21 &&
install -v -m700 -d /var/lib/sasl
--with-dbpath=/var/lib/sasl/sasldb2: This parameter forces the saslauthd database to be created in /var/lib/sasl instead of /etc.
--with-saslauthd=/var/run: This parameter forces saslauthd to use the FHS compliant directory /var/run for variable run-time data.
--with-ldap: This parameter enables use with OpenLDAP.
--enable-ldapdb: This parameter enables the LDAPDB authentication backend. There is a circular dependency with this parameter which requires you to build the Cyrus SASL package, then the OpenLDAP package (with SASL support), then finally building the Cyrus SASL package again with this parameter.
install -v -m644 ...: These commands install documentation which is not installed by the make install command.
install -v -m700 -d /var/lib/sasl: This directory must exist when starting saslauthd. If you're not going to be running the daemon, you may omit the creation of this directory.
/etc/saslauthd.conf (for LDAP configuration) and /usr/lib/sasl2/Appname.conf (where "Appname" is the application defined name of the application)
See file:///usr/share/doc/cyrus-sasl-2.1.21/sysadmin.html for information on what to include in the application configuration files. See file:///usr/share/doc/cyrus-sasl-2.1.21/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.
If you need to run the saslauthd daemon at system startup, install the /etc/rc.d/init.d/cyrus-sasl init script included in the blfs-bootscripts-6.1 package.
make install-cyrus-sasl
You'll need to modify the init script and replace the [authmech] parameter to the -a switch with your desired authentication mechanism.
The Stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. Stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.
Download (HTTP): http://www.stunnel.org/download/stunnel/src/stunnel-4.11.tar.gz
Download (FTP): ftp://stunnel.mirt.net/stunnel/stunnel-4.11.tar.gz
Download MD5 sum: 253c50435d4d81cba6f19ca34266e6dc
Download size: 484 KB
Estimated disk space required: 4.0 MB
Estimated build time: 0.1 SBU
The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user, group and chroot home directory structure using the following commands as the root user:
groupadd -g 51 stunnel &&
useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel &&
install -v -m700 -o stunnel -g stunnel -d /var/lib/stunnel/run
A signed SSL Certificate and a Private Key are necessary to run the stunnel daemon. If you own, or have already created, a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access); otherwise you will be prompted to create one during the installation process. The .pem file must be formatted as shown below:
-----BEGIN RSA PRIVATE KEY-----
[many encrypted lines of unencrypted key]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[many encrypted lines of certificate]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
[multiple encrypted lines of DH parameters]
-----END DH PARAMETERS-----
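A pre-flight check for the two requirements stated above, and for the 600 permissions required of the keytab files in the Heimdal section, as an added example (not part of the BLFS instructions or of Stunnel): it verifies that a secret file is a regular file with mode 600 owned by the expected user, and that stunnel.pem holds the three PEM blocks in the order shown. The function names are hypothetical, and the file written by make_sample_pem is constructed placeholder text, not key material.

```shell
#!/bin/sh
# Added example. Function names are this example's own.

# Succeeds only if $1 is a regular file (not a symlink), mode 600,
# owned by numeric uid $2 (default 0, i.e. root).
check_secret_mode() {
    path=$1
    want_uid=${2:-0}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: missing or not a regular file" >&2
        return 1
    fi
    # "ls -ln" prints e.g. "-rw------- 1 0 0 ...". Keep the ten mode
    # characters (dropping any trailing ACL/SELinux marker) and the uid.
    info=$(ls -ln -- "$path" | awk '{ print substr($1, 1, 10), $3 }')
    mode=${info% *}
    uid=${info#* }
    if [ "$mode" != "-rw-------" ]; then
        echo "$path: mode is $mode, expected -rw------- (600)" >&2
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$path: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    return 0
}

# Prints the labels of the PEM blocks in $1 in file order, comma separated,
# or MALFORMED if a BEGIN line has no matching END line.
pem_layout() {
    awk '
        /^-----BEGIN [A-Z ]+-----$/ {
            if (cur != "") bad = 1
            cur = substr($0, 12, length($0) - 16)
            next
        }
        /^-----END [A-Z ]+-----$/ {
            label = substr($0, 10, length($0) - 14)
            if (label != cur) bad = 1
            seq = seq (seq == "" ? "" : ",") label
            cur = ""
            next
        }
        END {
            if (bad || cur != "") print "MALFORMED"
            else print seq
        }
    ' "$1"
}

# Block order required by the format shown on this page.
STUNNEL_PEM_ORDER="RSA PRIVATE KEY,CERTIFICATE,DH PARAMETERS"

# Combined check for stunnel.pem: permissions first, then layout.
check_stunnel_pem() {
    check_secret_mode "$1" "${2:-0}" || return 1
    got=$(pem_layout "$1")
    if [ "$got" != "$STUNNEL_PEM_ORDER" ]; then
        echo "$1: PEM blocks are '$got', expected '$STUNNEL_PEM_ORDER'" >&2
        return 1
    fi
}

# Writes a constructed sample in the required layout to $1 (placeholder
# bodies only) so the checks can be tried without a real key.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
(constructed placeholder)
-----END DH PARAMETERS-----
EOF
    chmod 600 "$1"
}

# As root, after the steps on this page:
#   check_secret_mode /etc/heimdal/krb5.keytab
#   check_secret_mode /etc/heimdal/srvtab
#   check_stunnel_pem /etc/stunnel/stunnel.pem
```

The layout check looks only at the BEGIN/END markers; it does not validate the key, certificate or DH parameters themselves.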
Install Stunnel by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc \
            --localstatedir=/var/lib &&
make
This package does not come with a test suite.
Now, as the root user:
make install
--sysconfdir=/etc: This parameter forces the configuration directory to /etc instead of /usr/etc.
--localstatedir=/var/lib: This parameter causes the installation process to create /var/lib/stunnel instead of /usr/var/stunnel.
make install: This command installs the package and, if you did not copy an stunnel.pem file to the /etc/stunnel directory, prompts you for the necessary information to create one. Ensure you reply to the
Common Name (FQDN of your server) [localhost]:
prompt with the name or IP address you will be using to access the service(s).
Create a basic /etc/stunnel/stunnel.conf configuration file using the following commands:
cat >/etc/stunnel/stunnel.conf << "EOF"
# File: /etc/stunnel/stunnel.conf

pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel

EOF
Next, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:
[[service]]
accept = [hostname:portnumber]
connect = [hostname:portnumber]
If you use Stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding [service]_stunnel service. You may have to add an appropriate entry in /etc/services as well.
For a full explanation of the commands and syntax used in the configuration file, run man stunnel. To see a BLFS example of an actual setup of an stunnel encrypted service, read the section called “Configuring SWAT” in the Samba instructions.
To automatically start the stunnel daemon when the system is rebooted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-6.1 package.
make install-stunnel
Journaling file systems reduce the time needed to recover a file system that was not unmounted properly. While this can be extremely important in reducing downtime for servers, it has also become popular for desktop environments. This chapter contains a variety of journaling file systems.
Ext3 is a journaling file system that is an extension to the ext2 file system. It is backward compatible with ext2 and the conversion from ext2 to ext3 is trivial.
You don't need to install anything to use ext3; all the required packages are available with a bare LFS system.
When building the kernel, ensure that you have compiled in ext3 support. If you want your root partition to be ext3, then compile the ext3 support in the kernel, else you may compile it as a module. Recompile the kernel if needed.
Edit your /etc/fstab. For each partition that you want to convert into ext3, edit the entry so that it looks similar to the following line.
/dev/hd[XX] /mnt_point ext3 defaults 1 1
In the above line, replace /dev/hd[XX] by the partition (e.g., /dev/hda2), /mnt_point by the mount point (e.g., /home). The 1 in the last field ensures that the partition will be checked for consistency during the boot process by the checkfs script as recommended by the maintainer. You may replace the ext3 fs type in the above by auto if you want to ensure that the partition is mounted even if you accidentally disable ext3 support in the kernel.
For each partition that you have converted to ext3 in /etc/fstab, enable the journal for the partition by running the following command.
tune2fs -j /dev/hd[XX]
Remount the concerned partitions, or simply reboot if you have recompiled the kernel to enable ext3 support.
More information is available at http://www.zip.com.au/~akpm/linux/ext3/ext3-usage.html. This information is still relevant to the 2.6 kernels.
The ReiserFS package contains various utilities for use with the Reiser file system.
Download (HTTP): http://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-3.6.19.tar.gz
Download (FTP): ftp://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-3.6.19.tar.gz
Download MD5 sum: b42cf15f6651c3ceff5cb84996c0d539
Download size: 400 KB
Estimated disk space required: 7.9 MB
Estimated build time: 0.16 SBU
Install ReiserFS by running the following commands:
./configure --prefix=/usr --sbindir=/sbin && make
Now, as the root user:
make install && ln -sf reiserfsck /sbin/fsck.reiserfs && ln -sf mkreiserfs /sbin/mkfs.reiserfs
--prefix=/usr: This ensures that the manual pages are installed in the correct location while still installing the programs in /sbin as they should be.
--sbindir=/sbin: This ensures that the ReiserFS utilities are installed in /sbin as they should be.
The XFS package contains administration and debugging tools for the XFS file system.
Download (HTTP): http://mirrors.sunsite.dk/xfs/download/cmd_tars/xfsprogs-2.6.25.src.tar.gz
Download (FTP): ftp://oss.sgi.com/projects/xfs/download/cmd_tars/xfsprogs-2.6.25.src.tar.gz
Download MD5 sum: 65fbf692f348b57f21edd4813733d9ae
Download size: 833 KB
Estimated disk space required: 25.2 MB
Estimated build time: 0.59 SBU
Install XFS by running the following commands:
sed -i 's/autoconf//' Makefile && make
Now, as the root user:
make install
sed -i 's/autoconf//' Makefile: This command disables running autoconf because it is unnecessary.
This chapter is referenced in the LFS book for those wishing to use other editors on their LFS system. You're also shown how some LFS installed programs benefit from being recompiled after GUI libraries have been installed.
The Vim package, which is an abbreviation for VI IMproved, contains a vi clone with extra features as compared to the original vi.
The default LFS instructions install vim as a part of the base system. If you would prefer to link vim against X, you should recompile vim to enable GUI mode. There is no need for special instructions since X support is automatically detected.
Download (HTTP): http://ftp.at.vim.org/pub/vim/unix/vim-6.3.tar.bz2
Download (FTP): ftp://ftp.vim.org/pub/vim/unix/vim-6.3.tar.bz2
Download MD5 sum: 821fda8f14d674346b87e3ef9cb96389
Download size: 3.7 MB
Estimated disk space required: 48 MB
Estimated build time: 0.59 SBU
Required patch: http://www.linuxfromscratch.org/blfs/downloads/6.1/vim-6.3-security_fix-1.patch
Translated Vim messages: http://ftp.at.vim.org/pub/vim/extra/vim-6.3-lang.tar.gz
X (XFree86-4.5.0 or X.org-6.8.2)
GTK+-2.6.7, LessTif-0.94.4, Python-2.4.1, Tcl-8.4.11, Ruby-1.8.2 and GPM-1.20.1
If you recompile Vim to link against X, and your X libraries are not on the root partition, you will no longer have an editor for use in emergencies. You may choose to install an additional editor, not link Vim against X, or move the current vim executable to the /bin directory under a different name such as vi.
If desired, unpack the translated messages archive:
tar -zxf ../vim-6.3-lang.tar.gz --strip-components=1
Install Vim by running the following commands:
echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h &&
echo '#define SYS_GVIMRC_FILE "/etc/gvimrc"' >> src/feature.h &&
patch -Np1 -i ../vim-6.3-security_fix-1.patch &&
./configure --prefix=/usr --with-features=huge &&
make
Now, as the root user:
make install
--with-features=huge: This switch enables all the additional features available in Vim.
--enable-gui=no: If you prefer not to link Vim against X, use this switch.
A list of the reinstalled files, along with their short descriptions can be found at ../../../../lfs/view/stable/chapter06/vim.html#contents-vim.
The Emacs package contains an extensible, customizable, self-documenting real-time display editor.
Download (HTTP): http://ftp.gnu.org/pub/gnu/emacs/emacs-21.4a.tar.gz
Download (FTP): ftp://ftp.gnu.org/pub/gnu/emacs/emacs-21.4a.tar.gz
Download MD5 sum: 5ec2c01f7604cf207628de0e82181647
Download size: 20 MB
Estimated disk space required: 96.8 MB
Estimated build time: 4.20 SBU
X (XFree86-4.5.0 or X.org-6.8.2), libjpeg-6b, libpng-1.2.8, libtiff-3.7.3, and libungif-4.1.3 or giflib-4.1.3
Install Emacs by running the following commands:
./configure --prefix=/usr --libexecdir=/usr/sbin && make bootstrap
Now, as the root user:
make install
The nano package contains a small, simple text editor which aims to replace Pico, the default editor in the Pine package.
Download (HTTP): http://www.nano-editor.org/dist/v1.2/nano-1.2.5.tar.gz
Download (FTP): ftp://ftp.uni-koeln.de/editor/nano-1.2.5.tar.gz
Download MD5 sum: f2b3efbf1cf356d736740d531b6b22c4
Download size: 891 KB
Estimated disk space required: 5.1 MB
Estimated build time: 0.1 SBU
Install nano by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc/nano \
            --enable-color --enable-multibuffer --enable-nanorc &&
make
This package does not come with a test suite.
Now, as the root user:
make install &&
install -v -m644 -D nanorc.sample /etc/nano/nanorc.sample &&
install -v -m755 -d /usr/share/doc/nano-1.2.5 &&
install -v -m644 *.html /usr/share/doc/nano-1.2.5
Example configuration (create as a system-wide /etc/nano/nanorc or a personal ~/.nanorc file)
set autoindent
set const
set fill 72
set historylog
set multibuffer
set nohelp
set regexp
set smooth
set suspend
Another example is the nanorc.sample file in the /etc/nano directory. It includes color configurations and has some documentation included in the comments.
JOE (Joe's own editor) is a small text editor capable of emulating WordStar, Pico, and Emacs.
Download (HTTP): http://prdownloads.sourceforge.net/joe-editor/joe-3.3.tar.gz
Download MD5 sum: 02221716679c039c5da00c275d61dbf4
Download size: 468 KB
Estimated disk space required: 6.4 MB
Estimated build time: 0.15 SBU
Install JOE by running the following commands:
./configure --sysconfdir=/etc --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
Ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, both interactively and via shell scripts. Ed isn't something which many people use. It's described here because it can be used by the patch program if you encounter an ed-based patch file. This happens rarely because diff-based patches are preferred these days.
Download (HTTP): http://ftp.gnu.org/pub/gnu/ed/ed-0.2.tar.gz
Download (FTP): ftp://ftp.gnu.org/pub/gnu/ed/ed-0.2.tar.gz
Download MD5 sum: ddd57463774cae9b50e70cd51221281b
Download size: 182 KB
Estimated disk space required: 2.9 MB
Estimated build time: 0.02 SBU
Ed normally uses the mktemp function to create temporary files in /tmp, but this function contains a vulnerability (see the section on Temporary Files at http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html). Apply the following patch to make Ed use mkstemp instead, a secure way to create temporary files:
patch -Np1 -i ../ed-0.2-mkstemp-1.patch
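The difference the patch makes, sketched in shell as an added example (not Ed's code and not the contents of the patch): mktemp(3) only returns a name that the program opens later, whereas mkstemp(3) creates and opens the file in one exclusive step. Here the shell's noclobber option (set -C) stands in for that exclusive create; the function names and the sandbox file names are this example's own, and the sandbox contents are constructed.

```shell
#!/bin/sh
# Added example. Function names and file names are this example's own.

# Like mktemp(3) followed by a plain open: the name is opened with whatever
# exists there by then, and a symlink at that name is followed.
write_by_name() {
    printf '%s\n' "$2" > "$1"
}

# Like mkstemp(3): create and open in one step, failing if the name already
# exists. With noclobber set, ">" refuses an existing name; bash and dash
# open an absent name with O_CREAT|O_EXCL, so a dangling symlink is refused
# as well.
write_exclusive() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# What a script should use for scratch files: mktemp(1) creates the file
# itself, with an unpredictable suffix and mode 600, and prints its name.
# $1 is the directory to create it in (default: $TMPDIR or /tmp).
new_scratch() {
    mktemp "${1:-${TMPDIR:-/tmp}}/ed.XXXXXX"
}

# Runs one writer ("by-name" or "exclusive") in a throwaway sandbox and
# prints what the unrelated file "important" contains afterwards.
race_outcome() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/important"
    # Constructed stand-in for an entry that appeared at the predicted
    # temporary name between choosing the name and opening it.
    ln -s "$box/important" "$box/ed.tmp"
    case $1 in
        by-name)   write_by_name "$box/ed.tmp" "scratch data" ;;
        # Refusal is the expected result here, so ignore the status.
        exclusive) write_exclusive "$box/ed.tmp" "scratch data" || true ;;
    esac
    cat "$box/important"
    rm -rf "$box"
}

# race_outcome by-name    prints "scratch data" (the other file was overwritten)
# race_outcome exclusive  prints "original"     (the write was refused)
```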
Install Ed by running the following commands:
./configure --prefix=/usr --exec-prefix="" && make
Now, as the root user:
make install
--exec-prefix="": This forces the programs to be installed into the /bin directory. Having the programs available there is useful in the event of the /usr partition being unavailable.
The Bluefish package contains a powerful X Window System editor designed for web designers, but also suitable as a programmer's editor. Bluefish supports many programming and markup languages, and as such is ideal for editing XML and HTML files.
Download (HTTP): http://pkedu.fbt.eitn.wau.nl/~olivier/downloads/bluefish-1.0.2.tar.bz2
Download (FTP): ftp://ftp.ratisbona.com/pub/bluefish/downloads/bluefish-1.0.2.tar.bz2
Download MD5 sum: 281d72f5c45c913671c36bc6b7b45445
Download size: 1.4 MB
Estimated disk space required: 23.0 MB
Estimated build time: 0.3 SBU
GTK+-2.6.7 and PCRE-6.1
GNOME Virtual File System-2.10.1 (for remote files), Aspell-0.60.3 (for spellchecking), libgnomeui-2.10.0, GNOME MIME Data-2.4.2, desktop-file-utils-0.10 and shared-mime-info-0.16
Install Bluefish by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
We are all familiar with the Bourne Again SHell, but there are two other user interfaces that are considered useful modern shells -- the Berkeley Unix C shell and the Korn shell. This chapter installs packages compatible with these additional shell types.
ash is a shell that is the most compliant with the Bourne Shell (not to be confused with Bourne Again SHell i.e., Bash installed in LFS) without any additional features. Bourne Shell is available on most commercial UNIX systems. Hence ash is useful for testing scripts to be sh-compliant. It also has small memory and space requirements compared to the other sh-compliant shells.
Download (FTP): ftp://distro.ibiblio.org/pub/linux/distributions/slackware/slackware_source/ap/ash/ash-0.4.0.tar.gz
Download MD5 sum: 1c59f5b62a081cb0cb3b053c01d79529
Download size: 118 KB
Estimated disk space required: 2.2 MB
Estimated build time: 0.06 SBU
Install ASH by running the following commands:
patch -Np1 -i ../ash-0.4.0-cumulative_fixes-1.patch && make
Now, as the root user:
install -v -m 755 sh /bin/ash && install -v -m 644 sh.1 /usr/share/man/man1/ash.1
If you would like to make ash the default sh shell, make a symlink.
ln -v -sf ash /bin/sh
The Tcsh package contains “an enhanced but completely compatible version of the Berkeley Unix C shell (csh)”. This is useful as an alternative shell for those who prefer C syntax to that of the bash shell, and also because some programs require the C shell in order to perform installation tasks.
Download (HTTP): http://gd.tuwien.ac.at/utils/shells/tcsh/tcsh-6.14.00.tar.gz
Download (FTP): ftp://ftp.funet.fi/pub/unix/shells/tcsh/tcsh-6.14.00.tar.gz
Download MD5 sum: 353d1bb7d2741bf8de602c7b6f0efd79
Download size: 859 KB
Estimated disk space required: 9 MB
Estimated build time: 0.2 SBU
Install Tcsh by running the following commands:
./configure --prefix=/usr --bindir=/bin && make && sh ./tcsh.man2html
This package does not come with a test suite.
Now, as the root user:
make install &&
make install.man &&
ln -v -sf tcsh /bin/csh &&
ln -v -sf tcsh.1 /usr/man/man1/csh.1 &&
install -v -m755 -d /usr/share/doc/tcsh-6.14.00/html &&
install -v -m644 tcsh.html/* /usr/share/doc/tcsh-6.14.00/html &&
install -v -m644 FAQ /usr/share/doc/tcsh-6.14.00
--bindir=/bin: This installs the tcsh program in /bin instead of /usr/bin.
sh ./tcsh.man2html: This creates HTML documentation from the formatted man page.
ln -v -sf tcsh /bin/csh: The FHS states that if there is a C shell installed, there should be a symlink from /bin/csh to it. This creates that symlink.
There are numerous configuration files for the C shell. Examples of these are /etc/csh.cshrc, /etc/csh.login, /etc/csh.logout, ~/.tcshrc, ~/.cshrc, ~/.history, ~/.cshdirs, ~/.login, and ~/.logout. More information on these files can be found in the tcsh(1) man page.
The ZSH package contains a command interpreter (shell) usable as an interactive login shell and as a shell script command processor. Of the standard shells, ZSH most closely resembles KSH but includes many enhancements.
Download (HTTP): http://prdownloads.sourceforge.net/zsh/zsh-4.2.5.tar.bz2
Download MD5 sum: e2060f743dcdf3b383e80e862a6548fe
Download size: 2.0 MB
Estimated disk space required: 24 MB
Estimated build time: 0.5 SBU
Install ZSH by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install && make install.info
There are a whole host of configuration files for ZSH including /etc/zshenv, /etc/zprofile, /etc/zshrc, /etc/zlogin, and /etc/zlogout. You can find more information on these in the zsh(1) and related man pages.
Libraries contain code which is often required by more than one program. This has the advantage that each program doesn't need to duplicate code (and risk introducing bugs), it just has to call functions from the libraries installed on the system. The most obvious example of a set of libraries is Glibc which is installed during the LFS book. This contains all of the C library functions which programs use.
There are two types of libraries: static and shared. Shared libraries (usually libXXX.so) are loaded into memory from the shared copy at runtime (hence the name). Static libraries (libXXX.a ) are actually linked into the program executable file itself, thus making the program file larger. Quite often, you will find both static and shared copies of the same library on your system.
Generally, you only need to install libraries when you are installing software that needs the functionality they supply. In the BLFS book, each package is presented with a list of (known) dependencies. Thus, you can figure out which libraries you need to have before installing that program. If you are installing something without using BLFS instructions, usually the README or INSTALL file will contain details of the program's requirements.
There are certain libraries which nearly everyone will need at some point. In this chapter we list these and some others and explain why you may want to install them.
The PCRE package contains Perl Compatible Regular Expression libraries. These are useful for implementing regular expression pattern matching using the same syntax and semantics as Perl 5.
Download (FTP): ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-6.1.tar.bz2
Download MD5 sum: 069a8c34df7ec4bd0dad8f26c64c9dd3
Download size: 543 KB
Estimated disk space required: 11.4 MB
Estimated build time: 0.3 SBU
Install PCRE by running the following commands:
./configure --prefix=/usr --enable-utf8 && make
To test the results, issue: make runtest.
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/pcre-6.1/html &&
install -v -m644 doc/html/* /usr/share/doc/pcre-6.1/html &&
install -v -m644 doc/{Tech.Notes,*.txt} /usr/share/doc/pcre-6.1
If you reinstall Grep after installing PCRE, Grep will get linked against PCRE and may cause problems if /usr is a separate mount point. To avoid this, either pass the option --disable-perl-regexp when executing ./configure for Grep or move libpcre to /lib as follows.
mv -v /usr/lib/libpcre.so.* /lib/ && ln -v -sf ../../lib/libpcre.so.0 /usr/lib/libpcre.so
--enable-utf8: This switch includes the code for handling UTF-8 character strings in the library.
The popt package contains the popt libraries which are used by some programs to parse command-line options.
Download (HTTP): http://ftp.debian.org/debian/pool/main/p/popt/popt_1.7.orig.tar.gz
Download (FTP): ftp://ftp.debian.org/debian/pool/main/p/popt/popt_1.7.orig.tar.gz
Download MD5 sum: 5988e7aeb0ae4dac8d83561265984cc9
Download size: 562 KB
Estimated disk space required: 5.5 MB
Estimated build time: 0.17 SBU
Patch level upgrade: http://ftp.debian.org/debian/pool/main/p/popt/popt_1.7-5.diff.gz
Install popt by running the following commands:
patch -Np1 -i ../popt_1.7-5.diff && ./configure --prefix=/usr && cp configure.in configure.ac && touch configure.in configure.ac && make
To test the results, issue: make check.
Now, as the root user:
make install
cp configure.in configure.ac: Because configure.in is updated with the patch, this file is needed for make to work properly.
touch configure.in configure.ac: Ensure file timestamps are the same.
The slang package contains the slang library, which provides facilities such as display/screen management, keyboard input, and keymaps.
Download (HTTP): http://gd.tuwien.ac.at/editors/davis/slang/v1.4/slang-1.4.9.tar.bz2
Download (FTP): ftp://space.mit.edu/pub/davis/slang/v1.4/slang-1.4.9.tar.bz2
Download MD5 sum: 4fbb1a7f1257e065ca830deefe13d350
Download size: 624 KB
Estimated disk space required: 10.7 MB
Estimated build time: 0.2 SBU
Install slang by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
Now, as the unprivileged user:
make elf
And finally, as the root user:
make install-elf && chmod 755 /usr/lib/libslang.so.1.4.9
make elf and make install-elf: These commands create and install the dynamic shared library version of slang.
As with most libraries, there is no configuration to do, save that the library directory i.e., /opt/lib or /usr/local/lib should appear in /etc/ld.so.conf so that ldd can find the shared libraries. After checking that this is the case, /sbin/ldconfig should be run while logged in as root.
The FAM package contains a File Alteration Monitor which is useful for notifying applications of changes to the file system.
Download (HTTP): http://gd.tuwien.ac.at/opsys/linux/gentoo/distfiles/fam-2.7.0.tar.gz
Download (FTP): ftp://oss.sgi.com/projects/fam/download/stable/fam-2.7.0.tar.gz
Download MD5 sum: 1bf3ae6c0c58d3201afc97c6a4834e39
Download size: 301 KB
Estimated disk space required: 7.7 MB
Estimated build time: 0.26 SBU
Dnotify patch (Recommended): http://www.linuxfromscratch.org/blfs/downloads/6.1/fam-2.7.0-dnotify-1.patch
Install FAM by running the following commands:
patch -Np1 -i ../fam-2.7.0-dnotify-1.patch && chmod -v 755 configure && autoreconf -f -i && ./configure --prefix=/usr --sysconfdir=/etc && make
Now, as the root user:
make install
patch -Np1 -i ../fam-2.7.0-dnotify-1.patch: This patch enables FAM to use the Linux kernel dnotify mechanism to inform the calling process of file modifications, rather than polling the file system for modifications.
chmod -v 755 configure: configure is set to read-only and autoreconf will fail if the permissions aren't changed.
autoreconf -f -i: The autotools need rebuilding because the dnotify patch affects configure.ac and Makefile.am.
Configuring the File Alteration Monitor. Perform the following instructions as the root user.
If you use inetd, add the FAM entry to /etc/inetd.conf with the following command:
echo "sgi_fam/1-2 stream rpc/tcp wait root /usr/sbin/famd fam" \
    >> /etc/inetd.conf
If you use xinetd, the following command will create the FAM file as /etc/xinetd.d/sgi_fam (be sure the nogroup group exists):
cat >> /etc/xinetd.d/sgi_fam << "EOF"
# Begin /etc/xinetd.d/sgi_fam
# description: FAM - file alteration monitor
service sgi_fam
{
    type         = RPC UNLISTED
    socket_type  = stream
    user         = root
    group        = nogroup
    server       = /usr/sbin/famd
    wait         = yes
    protocol     = tcp
    rpc_version  = 2
    rpc_number   = 391002
}
# End /etc/xinetd.d/sgi_fam
EOF
If you do not have an inetd daemon installed and have no wish to install one, you can also start famd during system startup by installing the /etc/rc.d/init.d/fam init script included in the blfs-bootscripts-6.1 package.
make install-fam
The libxml package contains the libxml libraries. These are useful for parsing XML files.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/libxml/1.8/libxml-1.8.17.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/GNOME/sources/libxml/1.8/libxml-1.8.17.tar.bz2
Download MD5 sum: c7d1b9b1cbfcfbbc56c92f424c37d32c
Download size: 743 KB
Estimated disk space required: 14 MB
Estimated build time: 0.3 SBU
Install libxml by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install
The libxml2 package contains XML libraries. These are useful for parsing XML files.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.20.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.20.tar.bz2
Download MD5 sum: 342f722d1770071be19253f229fef677
Download size: 3.0 MB
Estimated disk space required: 79.3 MB
Estimated build time: 0.50 SBU (additional 0.65 SBU to run the testsuite)
Install libxml2 by running the following commands:
./configure --prefix=/usr --with-history && make
To test the results, issue: make check.
Now, as the root user:
make install
The libxslt package contains XSLT libraries. These are useful for extending libxml2 libraries to support XSLT files.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/libxslt/1.1/libxslt-1.1.14.tar.gz
Download (FTP): ftp://xmlsoft.org/libxslt-1.1.14.tar.gz
Download MD5 sum: db71660bb7d01ccd4e6be990af8d813b
Download size: 2.6 MB
Estimated disk space required: 36 MB
Estimated build time: 0.32 SBU
Install libxslt by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install
The GMP package contains math libraries. These have useful functions for arbitrary precision arithmetic.
Download (HTTP): http://ftp.gnu.org/gnu/gmp/gmp-4.1.4.tar.bz2
Download (FTP): ftp://ftp.gnu.org/gnu/gmp/gmp-4.1.4.tar.bz2
Download MD5 sum: 0aa7d3b3f5b5ec5951e7dddd6f65e891
Download size: 1.6 MB
Estimated disk space required: 60.8 MB
Estimated build time: 0.88 SBU (additional 0.81 SBU to run the testsuite)
Install GMP by running the following commands:
./configure --prefix=/usr --enable-cxx --enable-mpbsd && make
To test the results, issue: make check. Owing to various reports of mis-compilations, the maintainer strongly recommends running the test suite and reporting any failures. The libraries should not be used in a production environment if there are problems running make check.
Now, as the root user:
make install
--enable-cxx: This parameter enables C++ support by building the libgmpxx libraries.
--enable-mpbsd: This parameter enables building the Berkeley MP compatibility (libmp) libraries.
The GDBM package contains the GNU Database Manager. This is a disk file format database which stores key/data-pairs in single files. The actual data of any record being stored is indexed by a unique key, which can be retrieved in less time than if it was stored in a text file.
Download (HTTP): http://ftp.gnu.org/gnu/gdbm/gdbm-1.8.3.tar.gz
Download (FTP): ftp://ftp.gnu.org/gnu/gdbm/gdbm-1.8.3.tar.gz
Download MD5 sum: 1d1b1d5c0245b1c00aff92da751e9aa1
Download size: 223 KB
Estimated disk space required: 2.75 MB
Estimated build time: 0.08 SBU
Install GDBM by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make BINOWN=root BINGRP=root install
In addition, you may need to install the DBM and NDBM compatibility headers and library since some applications look for these older dbm routines.
make BINOWN=root BINGRP=root install-compat
make BINOWN=root BINGRP=root install: This command overrides the BINOWN and BINGRP variables in the Makefile changing ownership of the installed files to root instead of the bin user.
The glib package contains a low-level core library. This is useful for providing data structure handling for C, portability wrappers and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system.
Download (HTTP): http://gd.tuwien.ac.at/graphics/gimp/gtk/v1.2/glib-1.2.10.tar.gz
Download (FTP): ftp://ftp.gtk.org/pub/gtk/v1.2/glib-1.2.10.tar.gz
Download MD5 sum: 6fe30dad87c77b91b632def29dd69ef9
Download size: 412 KB
Estimated disk space required: 6.4 MB
Estimated build time: 0.19 SBU
Install glib by running the following commands:
patch -Np1 -i ../glib-1.2.10-gcc34-1.patch && ./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install && chmod -v 755 /usr/lib/libgmodule-1.2.so.0.0.10
The glib package contains a low-level core library. This is useful for providing data structure handling for C, portability wrappers and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system.
Download (HTTP): http://gd.tuwien.ac.at/graphics/gimp/gtk/v2.6/glib-2.6.4.tar.bz2
Download (FTP): ftp://ftp.gtk.org/pub/gtk/v2.6/glib-2.6.4.tar.bz2
Download MD5 sum: af7eeb8aae764ff763418471ed6eb93d
Download size: 2.3 MB
Estimated disk space required: 40.9 MB
Estimated build time: 2.82 SBU (includes rebuilding documentation)
Install glib by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install
--enable-gtk-doc: This switch will rebuild the API documentation during the make command.
The libIDL package contains libraries for Interface Definition Language files. This is a specification for defining portable interfaces.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/libIDL/0.8/libIDL-0.8.5.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/GNOME/sources/libIDL/0.8/libIDL-0.8.5.tar.bz2
Download MD5 sum: c63f6513dc7789d0575bea02d62d58d7
Download size: 332 KB
Estimated disk space required: 4.9 MB
Estimated build time: 0.13 SBU
Install libIDL by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
The libcroco package contains libcroco libraries. This is useful for providing a CSS API.
Download (HTTP): http://ftp.gnome.org/pub/gnome/sources/libcroco/0.6/libcroco-0.6.0.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/gnome/sources/libcroco/0.6/libcroco-0.6.0.tar.bz2
Download MD5 sum: 78fb2bf78d469df83b1fc94ce196c1c4
Download size: 360 KB
Estimated disk space required: 8.7 MB
Estimated build time: 0.22 SBU
Install libcroco by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
The libgsf package contains libgsf libraries. These are useful for providing an extensible input/output abstraction layer for structured file formats.
Download (HTTP): http://ftp.gnome.org/pub/gnome/sources/libgsf/1.12/libgsf-1.12.0.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/gnome/sources/libgsf/1.12/libgsf-1.12.0.tar.bz2
Download MD5 sum: 34c4672edd2e4e814fb82d7b94d71ffd
Download size: 428 KB
Estimated disk space required: 10.1 MB
Estimated build time: 0.3 SBU
GNOME Virtual File System-2.10.1 (required for GNOME-2 support) and GTK-Doc-1.3
Install libgsf by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
The libglade package contains libglade libraries. These are useful for loading Glade interface files in a program at runtime.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/libglade/2.5/libglade-2.5.1.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/GNOME/sources/libglade/2.5/libglade-2.5.1.tar.bz2
Download MD5 sum: e4734a59f1f2308d7714dc0ebf8163f1
Download size: 317 KB
Estimated disk space required: 5.1 MB
Estimated build time: 0.15 SBU
Install libglade by running the following commands:
./configure --prefix=/usr && make
Now, as the root user:
make install
The expat package contains a stream oriented C library for parsing XML.
Download (HTTP): http://prdownloads.sourceforge.net/expat/expat-1.95.8.tar.gz
Download MD5 sum: aff487543845a82fe262e6e2922b4c8e
Download size: 314 KB
Estimated disk space required: 4.2 MB
Estimated build time: 0.08 SBU
Check (for running the test suite)
Install expat by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install
The libesmtp package contains the libesmtp libraries which are used by some programs to manage email submission to a mail transport layer.
Download (HTTP): http://www.stafford.uklinux.net/libesmtp/libesmtp-1.0.3r1.tar.bz2
Download MD5 sum: c07aa79293aa36298626fe5e68d6bfba
Download size: 270 KB
Estimated disk space required: 6.9 MB
Estimated build time: 0.16 SBU
Install libesmtp by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
The Aspell package contains an interactive spell checking program and the Aspell libraries. Aspell can either be used as a library or as an independent spell checker.
Download (HTTP): http://ftp.gnu.org/gnu/aspell/aspell-0.60.3.tar.gz
Download (FTP): ftp://ftp.gnu.org/gnu/aspell/aspell-0.60.3.tar.gz
Download MD5 sum: ca44ac2fcfdc7213e03d3b5610ce141a
Download size: 1.6 MB
Estimated disk space required: 26.0 MB (Additional 8 MB for en dict)
Estimated build time: 0.62 SBU
You'll need to download at least one dictionary. The link below will take you to a page containing links to dictionaries in many languages.
Aspell dictionaries: ftp://ftp.gnu.org/gnu/aspell/dict
Install Aspell by running the following commands:
./configure --prefix=/usr && make
Now, as the root user:
make install
If you do not plan to install Ispell, then copy the wrapper script ispell:
install -v -m 755 scripts/ispell /usr/bin/
If you do not plan to install Spell, then copy the wrapper script spell:
install -v -m 755 scripts/spell /usr/bin/
The ispell package contains a spell checker that can handle international languages.
Download (HTTP): http://membled.com/work/patches/ispell/ispell-3.2.06.epa7.tar.bz2
Download MD5 sum: d5d867e62776524f60b3b5dcc3d8014f
Download size: 1.2 MB
Estimated disk space required: 11 MB
Estimated build time: less than 0.1 SBU
The first step is to create local.h.
sed -e "s:/usr/local:/usr:g" -e "s:/lib:/share/ispell:" \
    local.h.linux > local.h
By default, ispell only installs an American English dictionary. To set up other languages, check out the config.X file for the #define entry to append to local.h.
Build ispell using the following commands:
make
To test the build, issue: make test.
Now, as the root user:
make install
sed -e "s:/usr/local:/usr:g" -e "s:/lib:/share/ispell:" local.h.linux > local.h: This command corrects the installation directories of the package.
The SLIB package is a portable library for the programming language Scheme. It provides a platform independent framework for using “packages” of Scheme procedures and syntax. SLIB contains useful packages for all Scheme implementations, including Guile. Its catalog can be transparently extended to accommodate packages specific to a site, implementation, user or directory.
Download (HTTP): http://swiss.csail.mit.edu/ftpdir/scm/OLD/slib3a1.tar.gz
Download MD5 sum: dc1aa0ffb9e2414223ceefc315f6baf9
Download size: 705 KB
Estimated disk space required: 8.6 MB
Estimated build time: 0.01 SBU
Install SLIB by issuing the following commands:
patch -Np1 -i ../slib-3a1-automate_install-1.patch && make
Now, as the root user:
make prefix=/usr/ install && make prefix=/usr/ catalogs && make prefix=/usr/ installinfo
make prefix=/usr/ catalogs: This command builds the SLIB Scheme implementation catalog.
make prefix=/usr/ installinfo: This command installs the info documentation.
The G-Wrap package contains tools for exporting C libraries into Scheme interpreters.
Download (HTTP): http://www.gnucash.org/pub/g-wrap/source/g-wrap-1.3.4.tar.gz
Download MD5 sum: bf29b8b563cc27d9f7fd90a6243653aa
Download size: 403 KB
Estimated disk space required: 3.1 MB
Estimated build time: 0.1 SBU
Install G-Wrap by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install
LZO is a data compression library which is suitable for data decompression and compression in real-time. This means it favors speed over compression ratio.
Download (HTTP): http://www.oberhumer.com/opensource/lzo/download/lzo-2.01.tar.gz
Download (FTP): ftp://ftp.uni-koeln.de/util/arc/lzo-2.01.tar.gz
Download MD5 sum: 0068c3f5a6325323dcdad3a4c52ed51e
Download size: 591 KB
Estimated disk space required: 8.7 MB
Estimated build time: 0.28 SBU
NASM-0.98.39 and Dmalloc
Install LZO by running the following commands:
./configure --prefix=/usr --enable-shared && make
Now, as the root user:
make install && install -v -m755 -d /usr/share/doc/lzo-2.01 && install -v -m644 doc/* /usr/share/doc/lzo-2.01
The libusb package contains a library used by some applications for USB device access.
Download (HTTP): http://prdownloads.sourceforge.net/libusb/libusb-0.1.10a.tar.gz
Download MD5 sum: c6062b29acd2cef414bcc34e0decbdd1
Download size: 375 KB
Estimated disk space required: 7.4 MB (additional 1.3 MB to install documentation)
Estimated build time: 0.1 SBU
OpenJade-1.3.2 and DocBOOK SGML DTD-4.2
Install libusb by running the following commands:
./configure --prefix=/usr --disable-build-docs && make
If you wish to build the API documentation, issue the following command:
make apidox
Now, as the root user:
make install
If you built the HTML user manual, install it using the following commands as the root user:
install -v -d -m755 /usr/share/doc/libusb-0.1.10a/html && install -v -m644 doc/html/* /usr/share/doc/libusb-0.1.10a/html
If you built the API documentation, install it using the following commands as the root user:
install -v -d -m755 /usr/share/doc/libusb-0.1.10a/apidocs &&
install -v -m644 apidocs/html/* \
    /usr/share/doc/libusb-0.1.10a/apidocs
--disable-build-docs: This switch avoids building the HTML user manual. If you wish to build the user manual, you may need to remove the OpenSP catalog definitions from the system SGML catalogs. Use the following command before building the package to accomplish this:
sed -i.orig \
    -e "/CATALOG \/etc\/sgml\/OpenSP-1.5.1.cat/d" \
    /etc/sgml/catalog \
    /etc/sgml/sgml-docbook.cat
libusb requires the usbfs kernel filesystem to be mounted on /proc/bus/usb. Applications require the files in this directory to be accessible to the user, sometimes for both reading and writing. To restrict access to USB devices, ensure the usb group exists on your system. If necessary, create the usb group using the following command:
groupadd -g 14 usb
Ensure that you have compiled the “USB device filesystem” directly into the kernel or compiled it as a module (listing the resulting “usbcore” module in the /etc/sysconfig/modules file). You should also have an entry similar to the line below in your /etc/fstab file:
usbfs /proc/bus/usb usbfs devgid=14,devmode=0660 0 0
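A check for the settings described above, as an added example that is not part of the BLFS instructions: it reads an fstab-format file and a group file and confirms that the usbfs entry assigns the device files to the usb group without granting access to other users. The function names, return codes and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the BLFS book. The sample files below are constructed.
# check_usbfs FSTAB GROUPFILE returns:
#   0  usbfs entry found, devgid is the gid of group "usb", devmode denies "other"
#   1  no usbfs entry mounted on /proc/bus/usb
#   2  devgid missing or not the gid of the usb group
#   3  devmode missing, malformed, or granting access to "other"

# Print the value of KEY ($2) from a comma-separated mount option list ($1).
get_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

check_usbfs() {
    fstab=$1
    groupfile=$2

    # Options field of the first non-comment usbfs line for /proc/bus/usb.
    opts=$(awk '$1 !~ /^#/ && $2 == "/proc/bus/usb" && $3 == "usbfs" {
                    print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 1

    devgid=$(get_opt "$opts" devgid)
    devmode=$(get_opt "$opts" devmode)

    # gid of the group named "usb" in the group database.
    usb_gid=$(awk -F: '$1 == "usb" { print $3; exit }' "$groupfile")
    [ -n "$devgid" ] && [ "$devgid" = "$usb_gid" ] || return 2

    # devmode must be an octal string; its last digit is the "other" class.
    case $devmode in
        ''|*[!0-7]*) return 3 ;;
    esac
    other=${devmode#"${devmode%?}"}
    [ "$other" = 0 ] || return 3

    return 0
}

# Constructed sample inputs: the entry shown on this page plus three variants.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

printf 'usb:x:14:\n' > "$tmp/group"
printf 'usbfs /proc/bus/usb usbfs devgid=14,devmode=0660 0 0\n'  > "$tmp/fstab.page"
printf 'usbfs /proc/bus/usb usbfs devgid=14,devmode=0666 0 0\n'  > "$tmp/fstab.open"
printf 'usbfs /proc/bus/usb usbfs devgid=100,devmode=0660 0 0\n' > "$tmp/fstab.gid"
printf 'proc /proc proc defaults 0 0\n'                          > "$tmp/fstab.none"

for f in page open gid none; do
    rc=0
    check_usbfs "$tmp/fstab.$f" "$tmp/group" || rc=$?
    echo "fstab.$f -> $rc"
done
```

On an installed system the same function can be pointed at the real files with check_usbfs /etc/fstab /etc/group.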
Depending on what your system will be used for, you may or may not require the graphics and font libraries. Most desktop machines will want them for use with graphical applications. Most servers, on the other hand, will not require them.
The libjpeg package contains libraries that allow compression of image files based on the Joint Photographic Experts Group standard. It is a "lossy" compression algorithm.
Download (HTTP): http://www.photopost.com/jpegsrc.v6b.tar.gz
Download (FTP): ftp://ftp.uu.net/graphics/jpeg/jpegsrc.v6b.tar.gz
Download MD5 sum: dbd5f3b47ed13132f04c685d608a7547
Download size: 599 KB
Estimated disk space required: 4.6 MB
Estimated build time: 0.15 SBU
Install libjpeg by running the following commands:
./configure --prefix=/usr --enable-static --enable-shared && make
To test the results, issue: make test.
Now, as the root user:
make install
--enable-static --enable-shared: These switches tell libjpeg to build both shared and static libraries.
As with most libraries, there is no configuration to do, save that the library directory i.e., /opt/lib or /usr/local/lib should appear in /etc/ld.so.conf so that ldd can find the shared libraries. After checking that this is the case, /sbin/ldconfig should be run while logged in as root.
The libpng package contains libraries used by other programs for reading and writing PNG files.
Download (HTTP): http://prdownloads.sourceforge.net/libpng/libpng-1.2.8.tar.bz2
Download MD5 sum: 00cea4539bea4bd34cbf8b82ff9589cd
Download size: 376 KB
Estimated disk space required: 5.75 MB
Estimated build time: 0.13 SBU
Required Patch to explicitly link libpng against system libraries: http://www.linuxfromscratch.org/blfs/downloads/6.1/libpng-1.2.8-link_to_proper_libs-1.patch
Install libpng by running the following commands:
patch -Np1 -i ../libpng-1.2.8-link_to_proper_libs-1.patch &&
make prefix=/usr ZLIBINC= \
    ZLIBLIB= -f scripts/makefile.linux
To test the results, issue: make -f scripts/makefile.linux test.
Now, as the root user:
make prefix=/usr install -f scripts/makefile.linux
ZLIBINC=; ZLIBLIB=: This forces libpng to look for the Zlib includes and libraries in the default locations (/usr/include and /usr/lib respectively).
-f scripts/makefile.linux: This points make at the Linux version of the Makefile as libpng doesn't use an Autoconf routine. Instead, it has various Makefiles for different platforms.
As with most libraries, there is no configuration to do, save that the library directory i.e., /opt/lib or /usr/local/lib should appear in /etc/ld.so.conf so that ldd can find the shared libraries. After checking that this is the case, /sbin/ldconfig should be run while logged in as root.
The libtiff package contains the TIFF libraries and associated utilities. The libraries are used by many programs for reading and writing TIFF files and the utilities are useful for general work with TIFF files.
Download (FTP): ftp://ftp.remotesensing.org/libtiff/tiff-3.7.3.tar.gz
Download MD5 sum: 8a4511793f4b20b91ddee0e53bc08dea
Download size: 1.3 MB
Estimated disk space required: 17.7 MB
Estimated build time: 0.5 SBU
libjpeg-6b, X (XFree86-4.5.0 or X.org-6.8.2) and freeglut-2.4.0
Install libtiff by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install
The libungif package contains libraries for reading all GIFs and writing non-compressed ones as well as programs for converting and working with GIF files. The libraries are useful for any graphics program wishing to deal with GIF files while the programs are useful for conversion purposes as well as cleaning up images.
libungif only writes non-compressed GIFs because of a legal issue with LZW compression (on which Unisys claimed a patent). Reading GIFs is not a problem as the decompression routines do not seem to be limited in this way. Note that this has in the past been disputed. The best way to avoid this whole mess is to simply use libungif for looking at GIF images on the web, while in any pages which you design, use the open source PNG format instead (which uses, not surprisingly, the libpng library), which has no patent issues at all.
Download (HTTP): http://prdownloads.sourceforge.net/libungif/libungif-4.1.3.tar.bz2
Download MD5 sum: 8c198831cc0495596c78134b8849e9ad
Download size: 430 KB
Estimated disk space required: 6.2 MB
Estimated build time: 0.16 SBU
X (XFree86-4.5.0 or X.org-6.8.2)
Install libungif by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/libungif-4.1.3/html &&
install -v -m644 doc/*.{png,html} \
    /usr/share/doc/libungif-4.1.3/html &&
install -v -m644 doc/*.txt \
    /usr/share/doc/libungif-4.1.3
The giflib package contains libraries for reading and writing GIFs as well as programs for converting and working with GIF files. The libraries are useful for any graphics program wishing to deal with GIF files while the programs are useful for conversion purposes as well as cleaning up images.
Download (HTTP): http://prdownloads.sourceforge.net/libungif/giflib-4.1.3.tar.bz2
Download MD5 sum: 22efc9599ccf91d288374dcf0679abf1
Download size: 440 KB
Estimated disk space required: 6.2 MB
Estimated build time: 0.16 SBU
X (XFree86-4.5.0 or X.org-6.8.2)
Install giflib by running the following commands:
./configure --prefix=/usr && make
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/giflib-4.1.3/html &&
install -v -m644 doc/*.{png,html} \
    /usr/share/doc/giflib-4.1.3/html &&
install -v -m644 doc/*.txt \
    /usr/share/doc/giflib-4.1.3
The lcms library is used by other programs to provide color management facilities.
Download (HTTP): http://www.littlecms.com/lcms-1.14.tar.gz
Download MD5 sum: 5a803460aeb10e762d97e11a37462a69
Download size: 654 KB
Estimated disk space required: 18.4 MB
Estimated build time: 0.34 SBU (includes building the Python module)
Required patch (if building the Python module): http://www.linuxfromscratch.org/blfs/downloads/6.1/lcms-1.14-gcc343-1.patch
libtiff-3.7.3, libjpeg-6b and Python-2.4.1 (with SWIG)
Install lcms by running the following commands:
patch -Np1 -i ../lcms-1.14-gcc343-1.patch && ./configure --prefix=/usr && make
To test the results, issue: make check.
Now, as the root user:
make install && install -v -m755 -d /usr/share/doc/lcms-1.14 && install -v -m644 doc/* /usr/share/doc/lcms-1.14
The libmng libraries are used by programs wanting to read and write Multiple-image Network Graphics (MNG) files which are the animation equivalents to PNG files.
Download (HTTP): http://prdownloads.sourceforge.net/libmng/libmng-1.0.9.tar.gz
Download MD5 sum: ff1205ef70855a75c098ea09690413c6
Download size: 554 KB
Estimated disk space required: 7.1 MB
Estimated build time: 0.11 SBU
libjpeg-6b and lcms-1.14
Install libmng by running the following commands:
cp makefiles/makefile.linux Makefile && make
Now, as the root user:
make prefix=/usr install && install -v -m644 doc/man/*.3 /usr/share/man/man3 && install -v -m644 doc/man/*.5 /usr/share/man/man5 && install -v -m755 -d /usr/share/doc/libmng-1.0.9 && install -v -m644 doc/*.{png,txt} /usr/share/doc/libmng-1.0.9
cp makefiles/makefile.linux Makefile: There are no autotools shipped with this package. The Linux Makefile is copied to the root of the source tree, facilitating the installation.
install ...: The documentation files are not installed by the installation procedure, so they are copied manually.
The FreeType2 package contains a library to allow applications to properly render TrueType fonts.
Download (HTTP): http://prdownloads.sourceforge.net/freetype/freetype-2.1.10.tar.bz2
Download MD5 sum: a4012e7d1f6400df44a16743b11b8423
Download size: 1.0 MB
Estimated disk space required: 19.1 MB
Estimated build time: 0.3 SBU
Install FreeType2 by running the following commands:
sed -i -r 's:.*(#.*BYTE.*) .*:\1:' \
    include/freetype/config/ftoption.h &&
./configure --prefix=/usr &&
make
This package does not come with a test suite.
Now, as the root user:
make install
sed -i -r 's:.*(#.*BYTE.*) .*:\1:' include/freetype/config/ftoption.h: Uncomments configuration options.
The Fontconfig package is a library for configuring and customizing font access.
Download (HTTP): http://fontconfig.org/release/fontconfig-2.3.2.tar.gz
Download MD5 sum: 7354f9f125ea78a8f2851cb9c31d4866
Download size: 942 KB
Estimated disk space required: 13.0 MB
Estimated build time: 0.2 SBU
The numbering system of Fontconfig is unusual. The beta versions of the package are numbered with a 9x in the last portion of the release number. This means that 2.3.90 is a beta release and the most current release is of the form 2.3.2.
FreeType-2.1.10 and expat-1.95.8
If you have DocBook-utils installed and you remove the --disable-docs parameter from the configure command below, you must have SGMLSpm and JadeTeX-3.13 installed also, or the Fontconfig build will fail.
Install Fontconfig by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc --disable-docs && make
To test the results, issue: make check.
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/fontconfig/fontconfig-devel &&
install -v -m644 doc/*.3 /usr/share/man/man3 &&
install -v -m644 doc/*.5 /usr/share/man/man5 &&
install -v -m644 doc/*.{html,pdf,txt} /usr/share/doc/fontconfig &&
install -v -m644 doc/fontconfig-devel/* \
    /usr/share/doc/fontconfig/fontconfig-devel
--disable-docs: This switch avoids building the documentation (the release tarball includes pre-generated documentation).
The configuration file for Fontconfig is /etc/fonts/fonts.conf. Generally you do not want to edit this file. To put a new font directory in the configuration, create (or update) the /etc/fonts/local.conf file with your local information. The default location of fonts in Fontconfig is:
/usr/share/fonts
~/.fonts
X also includes an internal (and older) version of Fontconfig and unless it is explicitly disabled when building Xorg or XFree86, the internal version is created leaving two slightly incompatible libraries on your system. It is recommended that you only install one version.
The libart_lgpl package contains the libart libraries. These are useful for high-performance 2D graphics.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/libart_lgpl/2.3/libart_lgpl-2.3.17.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/GNOME/sources/libart_lgpl/2.3/libart_lgpl-2.3.17.tar.bz2
Download MD5 sum: dfca42529393c8a8f59dc4dc10675a46
Download size: 289 KB
Estimated disk space required: 4.7 MB
Estimated build time: 0.14 SBU
Install libart_lgpl by running the following commands:
./configure --prefix=/usr && make
This package does not come with a test suite.
Now, as the root user:
make install
The librsvg package contains librsvg libraries and tools used to manipulate, convert and view Scalable Vector Graphic (SVG) images.
Download (HTTP): http://ftp.gnome.org/pub/GNOME/sources/librsvg/2.9/librsvg-2.9.5.tar.bz2
Download (FTP): ftp://ftp.gnome.org/pub/GNOME/sources/librsvg/2.9/librsvg-2.9.5.tar.bz2
Download MD5 sum: 44799d75e940eb4150acdae4f63cbe2a
Download size: 392 KB
Estimated disk space required: 9.8 MB
Estimated build time: 0.3 SBU
GTK+-2.6.7, libxml2-2.6.20, libart_lgpl-2.3.17 and popt-1.7-5
libcroco-0.6.0, libgsf-1.12.0, GNOME Virtual File System-2.10.1, libgnomeprintui-2.10.2, Mozilla-1.7.8, GTK-Doc-1.3 and DocBook-utils-0.6.14
Install librsvg by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc \
    --disable-gtk-doc &&
make
Now, as the root user:
make install
--disable-gtk-doc: This option prevents the rebuilding of documentation during the make command.