Copyright © 2001-2013 The BLFS Development Team
All rights reserved.
This book is licensed under a Creative Commons License.
Computer instructions may be extracted from the book under the MIT License.
Linux® is a registered trademark of Linus Torvalds.
2013-09-13
Revision History

Revision | Date | Description
---|---|---
7.4 | 2013-09-13 | Eighth Release
6.3 | 2008-08-24 | Seventh release
6.2.0 | 2007-02-14 | Sixth release
6.1 | 2005-08-14 | Fifth release
6.0 | 2005-04-02 | Fourth release
5.1 | 2004-06-05 | Third release
5.0 | 2003-11-06 | Second release
1.0 | 2003-04-25 | First release
Abstract
This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.
After five years, The BLFS Team is happy to present version 7.4 of Beyond Linux From Scratch. This version includes approximately 750 packages beyond the base Linux From Scratch Version 7.4 book.
Keeping up to date with released packages that are useful to users is a challenge. On average, three new packages are released every day, seven days a week. As of this writing, BLFS is current. The vast majority of packages in the book have been verified to work in an LFS-7.4 environment, however a few (26) packages have only been built and not tested primarily due to hardware constraints.
This release would not have been possible without the help of a lot of people over the years. Specific thanks for the many hours spent making BLFS what it is goes to the following:
Andy Benton
Wayne Blaszczyk
Guy Dalziel
Ag Hatzimanikas
DJ Lucas
Randy McMurchy
Ken Moffat
Fernando de Oliveria
Chris Staub
Ragnar Thomsen
Thomas Trepl
Igor Zivkovic
Bruce Dubbs
September 13, 2013
Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS were the LFS hints (http://www.linuxfromscratch.org/hints). Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS - hence BLFS.
BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.
Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!
Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs at irc.linuxfromscratch.org. You can find more details about all of these in the Introduction section of the book.
Enjoy using BLFS.
Mark Hymers
markh <at> linuxfromscratch.org
BLFS Editor (July 2001–March 2003)
I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do, I waited for someone else to do it. It wasn't too long before I was looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.
We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.
Larry Lawrence
larry <at> linuxfromscratch.org
BLFS Editor (March 2003–June 2004)
The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan "Your distro, your rules."
Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.
Bruce Dubbs
bdubbs <at> linuxfromscratch.org
BLFS Editor (June 2004–December 2006)
My introduction to the [B]LFS project was actually by accident. I was trying to build a GNOME environment using some how-tos and other information I found on the web. A couple of times I ran into some build issues and Googling pulled up some old BLFS mailing list messages. Out of curiosity, I visited the Linux From Scratch web site and shortly thereafter was hooked. I've not used any other Linux distribution for personal use since.
I can't promise anyone will feel the sense of satisfaction I felt after building my first few systems using [B]LFS instructions, but I sincerely hope that your BLFS experience is as rewarding for you as it has been for me.
The BLFS project has grown significantly the last couple of years. There are more package instructions and related dependencies than ever before. The project requires your input for continued success. If you discover that you enjoy building BLFS, please consider helping out in any way you can. BLFS requires hundreds of hours of maintenance to keep it even semi-current. If you feel confident enough in your editing skills, please consider joining the BLFS team. Simply contributing to the mailing list discussions with sound advice and/or providing patches to the book's XML will probably result in you receiving an invitation to join the team.
Randy McMurchy
randy <at> linuxfromscratch.org
BLFS Editor (December 2006–January 2011)
This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, but for one reason or another want to manually build software and are in need of some assistance. Note that the material contained in this book, in particular the dependency listings, is based upon the assumption that you are using a base LFS system with every package listed in the LFS book already installed and configured. BLFS can be used to create a range of diverse systems and so the target audience is probably nearly as wide as that of the LFS book. If you found LFS useful, you should also like this!
Last updated on 2012-08-22 06:45:43 -0700
This book is divided into the following parts.
This part contains information which is essential to the rest of the book.
Here we introduce basic configuration and security issues. We also discuss a range of editors, file systems, and shells which aren't covered in the main LFS book.
In this section we cover libraries which are often needed by the rest of the book as well as system utilities. Information on Programming (including recompiling GCC to support its full range of languages) concludes this part.
Here we cover how to connect to a network when you aren't using the simple static IP setup given in the main LFS book. Networking libraries and command-line networking tools are also covered here.
Here we deal with setting up mail and other servers (such as SSH, Apache, etc.).
This part explains how to set up a basic X Window System installation along with some generic X libraries and Window managers.
For those who want to use the K Desktop Environment or some parts of it, this part covers it.
GNOME is the main alternative to KDE in the Desktop Environment arena.
Xfce is a lightweight alternative to GNOME and KDE.
Office programs and graphical web browsers are important to most people. They, along with some generic X software can be found in this part of the book.
Here we cover setting up multimedia libraries and drivers along with some audio, video and CD-writing programs.
The PST part of the book covers document handling, from applications like Ghostscript, CUPS and DocBook through to installing texlive.
The Appendices cover information which doesn't belong in the main book; they are mainly there as a reference.
Last updated on 2013-08-20 10:31:41 -0700
The software used to create BLFS applications is constantly being updated and enhanced. Security warnings and bug fixes may become available after the BLFS book has been released. To check whether the package versions or instructions in this release of BLFS need any modifications to accommodate security vulnerabilities or other bug fixes, please visit http://www.linuxfromscratch.org/blfs/errata/7.4/ before proceeding with your build. You should note any changes shown and apply them to the relevant section of the book as you progress with building the applications in BLFS.
If you do run into a problem, a good place to look for solutions is the development version of the book. This is where additions of new packages, updates of package versions, and corrections are made on a daily basis.
Last updated on 2013-09-13 12:50:39 -0700
The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.
Please read most of this part of the book carefully as it explains quite a few of the conventions used throughout the book.
Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. This is because LFS provides instructions on how to create a base system which is capable of turning into anything from a web server to a multimedia desktop system. BLFS attempts to guide you in the process of going from the base system to your intended destination. Choice is very much involved.
Everyone who reads the book will want to read certain sections. The Introduction part, which you are currently reading, contains generic information. Especially take note of the information in Chapter 2, Important Information, as this contains comments about how to unpack software, issues related to using different locales and various other aspects which apply throughout the book.
The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals with not just configuration but also Security (Chapter 4, Security), File Systems (Chapter 5, File Systems and Disk Management), Editors (Chapter 6, Editors) and Shells (Chapter 7, Shells). Indeed, you may wish to reference certain parts of this chapter (especially the sections on Editors and File Systems) while building your LFS system.
Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This part contains information on many items which are prerequisites for other sections of the book as well as some items (such as Chapter 13, Programming) which are useful in their own right. Note that you don't have to install all of these libraries and packages found in this part to start with as each BLFS installation procedure tells you which packages it depends upon so you can choose the program you want to install and see what it needs.
Likewise, most people will probably want to look at the Networking part. It deals with connecting to the Internet or your LAN (Chapter 14, Connecting to a Network) using a variety of methods such as DHCP and PPP, and with items such as Networking Libraries (Chapter 17, Networking Libraries) and various basic networking programs and utilities.
Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that this section also contains information on various database packages.
The next parts of the book principally deal with desktop systems. This portion of the book starts with a part talking about X and Window Managers. This part also deals with some generic X-based libraries (Chapter 25, X Libraries). After this, KDE and GNOME are given their own parts which are followed by one on X Software.
The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA-1.0.27 instructions from this chapter quite near the start of their BLFS journey; they are placed here simply because it is the most logical place for them.
The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems and even those who are creating mainly server systems will find it useful.
We hope you enjoy using BLFS and find it useful.
Last updated on 2012-12-19 11:57:20 -0800
To make things easy to follow, there are a number of conventions used throughout the book. Following are some examples:
```
./configure --prefix=/usr
```
This form of text is designed to be typed exactly as seen unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.
```
install-info: unknown option
`--dir-file=/mnt/lfs/usr/info/dir'
```
This form of text (fixed width text) is showing screen output, probably a result from issuing a command. It is also used to show filenames such as
/boot/grub/grub.conf
Emphasis
This form of text is used for several purposes in the book but mainly to emphasize important points or to give examples as to what to type.
http://www.linuxfromscratch.org/
This form of text is used for hypertext links external to the book such as HowTos, download locations, websites, etc.
This form of text is used for links internal to the book such as another section describing a different package.
```
cat > $LFS/etc/group << "EOF"
root:x:0:
bin:x:1:
......
EOF
```
This type of section is used mainly when creating configuration files. The first command (in bold) tells the system to create the file
$LFS/etc/group
from whatever is typed on the following lines until the sequence EOF is encountered. Therefore, this whole section is generally typed as seen.
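The following script is an added example, not part of the BLFS book. It shows what the `cat > FILE << "EOF"` convention above actually does, and why the quotes around `EOF` matter: with the delimiter quoted, the body is written exactly as typed, whereas an unquoted delimiter lets the shell expand `$variables` before the file is written. A throw-away temporary directory stands in for the real `$LFS`, and the `demo` group line and `$HOME_DIR` variable are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the BLFS book): demonstrates the quoted-heredoc
# convention used throughout the book. Writes only under a temp directory.
set -eu

# Stand-in for the book's $LFS; a fresh temp dir so nothing real is touched.
LFS=$(mktemp -d)
mkdir -p "$LFS/etc"

# Exactly what the book shows: with "EOF" quoted, the shell does no
# parameter expansion or command substitution on the body, so the file
# contains the lines as typed, up to (not including) the EOF line.
write_group_file() {
    cat > "$LFS/etc/group" << "EOF"
root:x:0:
bin:x:1:
EOF
}

# Contrast: an unquoted delimiter. $HOME_DIR is expanded before cat sees
# the text, so the written file differs from what appears in the script.
write_expanded() {
    HOME_DIR=/home/demo
    cat > "$LFS/etc/group-expanded" << EOF
demo:x:1000:$HOME_DIR
EOF
}

# Same body with the quoted delimiter: the literal '$HOME_DIR' is kept.
write_literal() {
    HOME_DIR=/home/demo
    cat > "$LFS/etc/group-literal" << "EOF"
demo:x:1000:$HOME_DIR
EOF
}

# Small helpers returning values a caller can check.
line_count() { wc -l < "$1" | tr -d ' '; }
first_line() { head -n 1 "$1"; }

# Usage when run directly:
write_group_file
write_expanded
write_literal
printf 'group has %s lines; first line: %s\n' \
    "$(line_count "$LFS/etc/group")" "$(first_line "$LFS/etc/group")"
printf 'unquoted EOF wrote: %s\n' "$(first_line "$LFS/etc/group-expanded")"
printf 'quoted EOF wrote:   %s\n' "$(first_line "$LFS/etc/group-literal")"
```

The practical consequence for BLFS configuration files is that any `$` in a pasted body (for example in a shell profile fragment) survives untouched only because the book quotes the delimiter.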
<REPLACED TEXT>
This form of text is used to encapsulate text that should be modified and is not to be typed as seen, or copied and pasted. Note that the angle brackets are not part of the text, but should be substituted for as well.
root
This form of text is used to show a specific system user or group reference in the instructions.
Last updated on 2007-04-04 12:42:53 -0700
This is BLFS-BOOK version 7.4 dated September 13th, 2013. This is the development branch of the BLFS book, currently targeting the LFS development book. If this version (7.4) is older than a month, it's likely that your mirror hasn't been synchronized recently and a newer version is probably available for download or viewing. Check one of the mirror sites at http://www.linuxfromscratch.org/mirrors.html for an updated version.
Last updated on 2008-05-10 18:20:50 -0700
The BLFS project has a number of mirrors set up world-wide to make it easier and more convenient for you to access the website. Please visit the http://www.linuxfromscratch.org/mirrors.html website for the list of current mirrors.
Last updated on 2007-04-04 12:42:53 -0700
Within the BLFS instructions, each package has two references for finding the source files for the package—an HTTP link and an FTP link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.
To overcome this problem, the BLFS Team, with the assistance of Server Beach, has made an HTTP/FTP site available at anduin.linuxfromscratch.org. This site has all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need, get it there.
We would like to ask a favor, however. Although this is a public resource for you to use, please do not abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.
Last updated on 2012-12-19 11:57:20 -0800
Current release: 7.4 – September 13th, 2013
Changelog Entries:
September 13th, 2013
September 12th, 2013
September 11th, 2013
[bdubbs] - Update to ImageMagick-6.8.6-9.
[bdubbs] - Update to wireshark-1.10.2. Fixes #4050.
[igor] - Update to xterm-297. Fixes #4051.
[bdubbs] - Update to seahorse-3.9.91 and gcr-3.9.91. Tag seahorse for LFS 7.4 completing tagging all packages.
[fernando] - Update to OJDK to add procedures to check/update Certificate Authority Certificates. Fixes #3997.
September 10th, 2013
[ken] - Update to gnumeric-1.12.7. Fixes #4048.
[ken] - Update to mdadm-3.3. Fixes #4023.
[bdubbs] - Update to gnome-desktop-3.8.4. Fixes #4033.
[bdubbs] - Update to xf86-video-vesa-2.3.3. Fixes #4047.
[ken] - Add grilo-0.2.6, required by totem.
[rthomsen] - KDE 4.11.1. Fixes #4025.
[igor] - Xorg updates. Fixes #4046.
September 9th, 2013
[bdubbs] - Update to p11-kit-0.20.1. Fixes #4043.
[bdubbs] - Update to at-3.1.14. Fixes #4045.
[bdubbs] - Update to talloc-2.1.0. Fixes #4044.
[bdubbs] - Update to postfix-2.10.2. Fixes #4037.
[bdubbs] - Update to gnome-themes-standard-3.8.4. Fixes #4042.
[bdubbs] - Update to dbus-1.6.14. Fixes #4035.
[ken] - Update to gnumeric-1.12.6. Fixes #4007.
[bdubbs] - Update to audacious-3.4.1. Fixes #4026.
[bdubbs] - Update to ghostscript-9.10. Fixes #4027.
[bdubbs] - Update to graphviz-2.34.0. Fixes #4038.
[ken] - Update to goffice-0.10.7. Fixes #4041.
[bdubbs] - Update to Qt-5.1.1. Fixes #4010.
[ken] - Reinstate seahorse, link to it from epiphany.
September 8th, 2013
September 7th, 2013
[ken] - remove perl modules no longer referenced after gnucash was moved to the archive - Crypt::SSLeay, Date::Manip, Finance::Quote, HTML::TableExtract.
September 6th, 2013
September 5th, 2013
September 4th, 2013
September 3rd, 2013
[igor] - Update to iso-codes-3.46. Fixes #4021.
September 2nd, 2013
[ken] - Update to cups-filters-1.0.37. Fixes #4009.
[bdubbs] - Update to libsecret-0.16. Fixes #4003.
[fernando] - Update to LibreOffice-4.1.1. Instructions to optionally build in /opt are restored. Fixes #4016.
[igor] - Update to giflib-5.0.5. Fixes #4020.
[igor] - Update to subversion-1.8.3. Fixes #4015.
September 1st, 2013
[bdubbs] - Update to gtk+-3.8.4. Fixes #4018.
[bdubbs] - Update to gdb-7.6.1. Fixes #4017.
[bdubbs] - Update to gnutls-3.2.4. Fixes #4019.
[bdubbs] - Update to gstreamer-1.0.10. Fixes #4008.
[igor] - Update to desktop-file-utils-0.22. Fixes #4014.
[igor] - Update to harfbuzz-0.9.20. Fixes #4013.
[igor] - Update to cairo-1.12.16. Fixes #4002.
August 31st, 2013
[bdubbs] - Update to poppler-0.24.1. Fixes #4000.
[igor] - Update to keyutils-1.5.6.
August 29th, 2013
August 28th, 2013
[igor] - MesaLib-9.2.0 (thanks to Armin's patch).
[ken] - note audacious dependencies for CD playing.
August 27th, 2013
August 26th, 2013
August 25th, 2013
[bdubbs] - Added grantlee-0.3.0. It is now a required dependency of kdepim.
[bdubbs] - Update to php-5.5.2. Fixes #3983.
[fernando] - Fix WebKitGTK+-1.10.2 to build with Bison 3.0; more lfs7.4 tags.
August 24th, 2013
August 23rd, 2013
[fernando] - freetype: comment broken ftp link; compressdoc: note to alternatively use editor; cacerts: change wget to recommended and cut-and-pasting to copy-and-pasting.
[krejzi] - libmng 2.0.2.
August 22nd, 2013
[bdubbs] - Update to gnupg-2.0.21. Fixes #3985.
[ken] - libjpeg-turbo can be built with either NASM or yasm (now tested with yasm on i686).
[krejzi] - Colord 1.0.3.
[krejzi] - CUPS Filters 1.0.36.
[krejzi] - FFmpeg 1.2.1.
[krejzi] - File Roller 3.8.4.
[krejzi] - Gnumeric 1.12.5.
[krejzi] - GOffice 0.10.5.
[krejzi] - libgtop 2.28.5.
[krejzi] - libwnck 3.4.7.
[krejzi] - OpenLDAP 2.4.36.
[krejzi] - Serf 1.3.1.
[krejzi] - UDisks 2.1.1.
[krejzi] - Xorg Intel Driver 2.21.15.
August 20th, 2013
[bdubbs] - Update to qemu-1.6.0. Fixes #3979.
[ken] - Note that yasm can build libjpeg-turbo on x86_64.
[krejzi] - Added libva 1.2.1.
[krejzi] - Added libvdpau 0.7.
[krejzi] - Midori 0.5.5.
August 19th, 2013
[fernando] - Xulrunner: tweaks, note for memory used for building.
[ken] - Add sed to postfix to compile with current BerkeleyDB.
August 18th, 2013
[fernando] - Update to Firefox-23.0.1/Xulrunner-23.0.1.
[fernando] - Libreoffice: Fix build with system neon.
[rthomsen] - Amarok 2.8.0. Fixes #3981.
August 17th, 2013
August 16th, 2013
[fernando] - LibreOffice: fixes to build dictionaries, help and languages support. Thanks to David B.
August 14th, 2013
[igor] - Xorg ATI Driver-7.2.0.
August 12th, 2013
[bdubbs] - Update to openbox-3.5.2.
[bdubbs] - Update to curl-7.32.0.
August 11th, 2013
[bdubbs] - Update to glib-2.36.4.
[bdubbs] - Update to samba-4.0.8.
[bdubbs] - Update to vim-7.4.
[krejzi] - Added Qt 5.1.0.
[krejzi] - Added qtchooser 31.
[krejzi] - Transmission 2.82.
August 9th, 2013
[bdubbs] - Update to gmime-2.6.17.
[bdubbs] - Update to xprop-1.2.2, xset-1.2.3, and xwd-1.0.6 in Xorg Apps.
August 8th, 2013
[bdubbs] - Update to pixman-0.30.2.
[bdubbs] - Update to {libburn,libisoburn,libisofs}-1.3.2.
[krejzi] - Split Python Modules and Xorg Drivers into several XML files. Thanks to Denis Mugnier for the patches.
[fernando] - Update to thunderbird-17.0.8.
[bdubbs] - Update to seamonkey-2.20.
[fernando] - Update to firefox-23.0 and xulrunner-23.0
August 7th, 2013
[bdubbs] - Update to libwnck-3.4.6.
[bdubbs] - Update to iptables-1.4.20.
August 6th, 2013
[bdubbs] - Refine Xorg environment instructions.
August 4th, 2013
[bdubbs] - Update to unrar-5.0.10.
[fernando] - Tag xsane for lfs73_checked, add xscanimage.desktop, add a note for xscanimage GIMP plugin
[krejzi] - giflib 5.0.4.
[krejzi] - Xorg Intel Driver 2.21.14.
[krejzi] - KDE 4.10.5.
[krejzi] - Akonadi 1.10.2.
[krejzi] - Attica 0.4.2.
[krejzi] - Shared Desktop Ontologies 0.11.0.
[krejzi] - mtdev 1.1.4.
August 3rd, 2013
[bdubbs] - Update to mc-4.8.10.
[bdubbs] - Update to dhcpcd-6.0.5.
August 2nd, 2013
[fernando] - Fix download URLs for sane-frontends.
[bdubbs] - Update to LVM2-2.02.99.
[bdubbs] - Update to iso-codes-3.45.
[bdubbs] - Added sections on stripping and removing .la files to Notes on Building Software in the Introduction. Fixes #3764.
[bdubbs] - Update to libdiscid-0.5.2.
[bdubbs] - Update to graphviz-2.32.0.
[bdubbs] - Update to libgsf-1.14.28.
[igor] - Mercurial-2.7.
[krejzi] - MesaLib 9.1.6.
August 1st, 2013
[bdubbs] - Update to seamonkey-2.19.
[bdubbs] - Update to cups-filters-1.0.35.
[bdubbs] - Update to balsa-2.5.1.
[bdubbs] - Update to icedtea-web-1.4.
July 31st, 2013
[bdubbs] - Move gnucash and deprecated gnome packages to the archive.
[bdubbs] - Update to gnome-icon-theme-symbolic-3.8.3.
[krejzi] - neon 0.30.0.
[krejzi] - Parole 0.5.2.
[krejzi] - Transmission 2.81.
[krejzi] - MySQL 5.6.13.
[krejzi] - GOffice 0.10.4.
[krejzi] - Gnumeric 1.12.4.
[bdubbs] - Update to dhcpcd-6.0.4.
[krejzi] - Updated GNOME Applications to latest ones.
[bdubbs] - Update to cups-1.6.3.
[bdubbs] - Updated to texlive-20130530.
[krejzi] - Added SCons 2.3.0.
[krejzi] - Serf 1.3.0.
[krejzi] - Clutter Gst 2.0.6.
[krejzi] - Gimp 2.8.6.
[krejzi] - GStreamer 1.0.9.
[krejzi] - GStreamer Base Plugins 1.0.9.
[krejzi] - GStreamer Good Plugins 1.0.9.
[krejzi] - GStreamer Bad Plugins 1.0.9.
[krejzi] - GStreamer Ugly Plugins 1.0.9.
[krejzi] - GStreamer Libav 1.0.9.
July 30th, 2013
[krejzi] - LibreOffice 4.1.0.
[bdubbs] - Update to ghostscript-9.07.
[bdubbs] - Update to docbook-xsl-1.78.1.
[ken] - xf86-video-intel-2.21.13.
[bdubbs] - Update to audacious{,-plugins}-3.4.
[bdubbs] - Update to gnutls-3.2.3.
[bdubbs] - Update to xine-lib-1.2.3.
[bdubbs] - Update to libdiscid-0.5.1.
[krejzi] - Updated Xorg components to latest ones.
[krejzi] - Xorg Wacom Driver 0.22.1.
[bdubbs] - Update to poppler-0.24.0.
[bdubbs] - Update to nmap-6.40.
[bdubbs] - Update to lynx2.8.8dev.16.
[igor] - Xorg Nouveau Driver-1.0.9.
[krejzi] - VLC 2.0.8.
July 29th, 2013
[bdubbs] - Update to bind-9.9.3-P2 and bind-utils.
[bdubbs] - Update to wireshark-1.10.1.
[bdubbs] - Update to upower-0.9.21.
[bdubbs] - Update to ibus-1.5.3.
July 28th, 2013
[bdubbs] - Update to libgcrypt-1.5.3.
[bdubbs] - Update to qemu-1.5.2.
[bdubbs] - Update to gnupg-1.4.14.
[bdubbs] - Update to cifs-utils-6.1.
[bdubbs] - Update to samba-4.0.7.
[krejzi] - Updated GNOME Core packages to latest ones.
[krejzi] - Mozilla JS 17.0.0.
[krejzi] - WebKitGTK+ 2.0.4.
[krejzi] - AccountsService 0.6.34.
[igor] - FAAD2: prevent installation of mp4ff library and header files.
July 27th, 2013
[bdubbs] - Update to nfs-utils-1.2.8.
July 25th, 2013
[bdubbs] - Update to virtuoso-2.1.7.
[bdubbs] - Update to soprano-2.9.3.
[bdubbs] - Update to sendmail.8.14.7.
[bdubbs] - Update to postfix-2.10.1.
[bdubbs] - Update to proftpd-1.3.4d.
[bdubbs] - Update to bind-9.9.3-P1.
[bdubbs] - Update to apache-2.4.6.
[igor] - Qt-4.8.5.
July 24th, 2013
[bdubbs] - Update to NASM-2.10.09.
[bdubbs] - Update to git-1.8.3.4.
[bdubbs] - Update to xscreensaver-5.22.
[bdubbs] - Update to libpng-1.6.3.
[bdubbs] - Update to openobex-1.7.1.
[bdubbs] - Update to p11-kit-0.18.5.
[bdubbs] - Update to NetworkManager-0.9.8.2.
[igor] - Restored libgee-0.6.8 from archive as it is needed by LXDE.
[bdubbs] - Update to fetchmail-6.3.26.
[bdubbs] - Update to re-alpine-2.03.
[igor] - Subversion-1.8.1.
[bdubbs] - Update to libnice-0.1.4.
[bdubbs] - Update to dhcpcd-6.0.3.
July 23rd, 2013
[bdubbs] - Update to wireshark-1.10.0.
[bdubbs] - Update to gsl-1.16.
[igor] - Harfbuzz-0.9.19.
[igor] - ALSA Utilities-1.0.27.2.
July 22nd, 2013
[bdubbs] - Update to ruby-2.0.0-p247.
[bdubbs] - Update to php-5.5.0.
[bdubbs] - Update to librep-0.92.3.
[igor] - xterm-296.
[igor] - Xorg Evdev Driver-2.8.1.
[bdubbs] - Update to gcc-4.8.1 to bring in sync with LFS.
[igor] - MesaLib-9.1.5.
July 21st, 2013
[bdubbs] - Updated to current perl modules: Date::Manip-6.40, HTML::Parser-3.71, LWP-6.05, and Net::DNS-0.72.
[bdubbs] - Updated to cmake-2.8.11.2.
[igor] - Added Unbound-1.4.20.
[igor] - Added ldns-1.6.16.
[igor] - Whois-5.0.26.
[igor] - Fix giflib build if xmlto is not installed (thanks Nathan Coulson).
July 20th, 2013
[bdubbs] - Touch up OpenJDK-1.7.0.40/IcedTea-2.4.1 instructions and data.
July 18th, 2013
[igor] - Mercurial-2.6.3.
July 17th, 2013
[bdubbs] - Update to OpenJDK-1.7.0.40/IcedTea-2.4.1.
[bdubbs] - Update to JUnit-4.11.
[igor] - Downgraded Lua to 5.1.5
[bdubbs] - Update to apache-ant-1.9.2.
[igor] - Bazaar-2.5.1.
July 16th, 2013
[bdubbs] - Reorganized the Programming chapter to put all Java related packages together in a sub-section. Moved Apache-ant to this sub-section.
[igor] - Git-1.8.3.3.
July 15th, 2013
[bdubbs] - Update to unrar-5.0.8.
[bdubbs] - Update to sysstat-10.1.6.
[bdubbs] - Update to sg3_utils-1.36.
[bdubbs] - Update to mc-4.8.9.
[bdubbs] - Update to lm_sensors-3.3.4.
[bdubbs] - Update to colord-1.0.2.
[igor] - Berkeley DB-6.0.20.
[krejzi] - MySQL 5.6.12.
[krejzi] - PulseAudio 4.0.
July 14th, 2013
[bdubbs] - Update to ImageMagick-6.8.6-5.
[bdubbs] - Update to gtk-doc-1.19.
[krejzi] - Added PyXDG 0.25, a Python Module.
[krejzi] - D-Bus Python 1.2.0.
[krejzi] - GStreamer 1.0.8.
[krejzi] - GStreamer Base Plugins 1.0.8.
[krejzi] - GStreamer Good Plugins 1.0.8.
[krejzi] - GStreamer Bad Plugins 1.0.8.
[krejzi] - GStreamer Ugly Plugins 1.0.8.
[krejzi] - GStreamer Libav 1.0.8.
[bdubbs] - Update to qpdf-5.0.0.
[bdubbs] - Update to libwebp-0.3.1.
[bdubbs] - Update to giflib-4.2.1.
[krejzi] - Cogl 1.14.0.
[krejzi] - Clutter 1.14.4.
[krejzi] - Clutter Gst 2.0.4.
[krejzi] - Clutter Gtk 1.4.4.
[bdubbs] - Update to slib-3b4.
[krejzi] - Added PyCairo 1.10.0, a Python 3 module.
[krejzi] - PyGObject 3.8.3.
[krejzi] - PyAtSpi2 2.8.0.
[igor] - VLC: fix compilation with FLAC-1.3.0.
[igor] - GnuTLS-3.2.2.
[igor] - mpg123-1.15.4.
[ken] - Fixed SoundTouch for recent Automake.
[igor] - lcms2-2.5.
[igor] - Fixed SDL for compilation with libX11-1.6.0.
July 13th, 2013
[bdubbs] - Update to libidn-1.28.
[bdubbs] - Update to libgsf-1.14.26.
[bdubbs] - Update to iso-codes-3.44.
[bdubbs] - Update to gmime-2.6.16.
[bdubbs] - Update to exempi-2.2.1.
[bdubbs] - Update to boost-1.54.0.
July 12th, 2013
[bdubbs] - Update to zsh-5.0.2.
[bdubbs] - Update to emacs-24.3.
[bdubbs] - Update to ed-1.9.
[bdubbs] - Update to xfsprogs-3.1.11.
[bdubbs] - Update to gptfdisk-0.8.7.
[bdubbs] - Update to fuse-2.9.3.
[bdubbs] - Update to stunnel-4.56.
[bdubbs] - Update to p11-kit-0.18.4.
[bdubbs] - Update to nettle-2.7.1.
[bdubbs] - Update to MIT Kerberos V5-1.11.3.
[bdubbs] - Update to iptables-1.4.19.1.
[igor] - Thunderbird-17.0.7.
July 11th, 2013
[bdubbs] - Updated to cracklib-2.9.0.
July 10th, 2013
[igor] - Added acpid-2.0.19.
[igor] - Added pm-utils-1.4.1.
July 8th, 2013
[igor] - NSS-3.15.1.
[igor] - GTK+-2.4.20.
[igor] - alsa-lib-1.0.27.2 and alsa-utils-1.0.27.1.
[igor] - xterm-295.
July 7th, 2013
[igor] - libxcb: Automake fix and XKB extension.
[ken] - fixes for firefox built on xulrunner.
July 6th, 2013
[ken] - firefox- and xulrunner-22.0.
July 5th, 2013
[krejzi] - GLib Networking 2.36.2.
[krejzi] - GSettings Desktop Schemas 3.8.2.
[krejzi] - librsvg 2.37.0.
[krejzi] - libsoup 2.42.2.
[krejzi] - Vala 0.20.1.
[krejzi] - WebKitGTK+ 2.0.3.
[igor] - libidn-1.27.
July 4th, 2013
[igor] - libmad: x86_64 and optimization fixes (thanks Mykyta Iziumtsev).
July 3rd, 2013
[ken] - libXv-1.0.9 and libXi-1.7.2.
July 2nd, 2013
[krejzi] - Added Serf 1.2.1.
[krejzi] - libdrm 2.4.46.
[krejzi] - MesaLib 9.1.4.
[krejzi] - Xorg Server 1.14.2.
[krejzi] - Xorg Intel Driver 2.21.11.
June 30th, 2013
[bdubbs] - Updated to subversion-1.8.0.
[bdubbs] - Updated to qemu-1.5.1.
[bdubbs] - Updated to poppler-0.22.5.
[bdubbs] - Updated to libusb-compat-0.1.5.
[bdubbs] - Updated to usbutils-007.
[bdubbs] - Updated to nss-3.15.
[bdubbs] - Updated to nspr-4.10.
[bdubbs] - Updated to libgpg-error-1.12.
[bdubbs] - Updated to libassuan-2.1.1.
[bdubbs] - Updated to iso-codes-3.43.
[bdubbs] - Reverted gst-plugins-{base,good,bad,ugly} to stable versions.
[bdubbs] - Reverted gstreamer to stable version.
June 29th, 2013
[bdubbs] - Updated to gst-plugins-{base,good,bad,ugly}-1.1.1.
[bdubbs] - Updated to gstreamer-1.1.1.
[bdubbs] - Updated to gpgme-1.4.2.
[bdubbs] - Updated to gtkmm-3.8.1.
[bdubbs] - Updated to gtkmm-2.24.4.
[bdubbs] - Updated to pangomm-2.34.0.
[bdubbs] - Updated to gtk+-3.8.2.
June 28th, 2013
[bdubbs] - Updated to pango-1.34.1.
[bdubbs] - Updated to gobject-introspection-1.36.0.
[bdubbs] - Updated to gtk+-2.24.19.
[krejzi] - Fontconfig 2.10.93.
[krejzi] - LLVM 3.3.
June 27th, 2013
[bdubbs] - Updated to gdk-pixbuf-2.28.2.
[bdubbs] - Updated to freetype-2.5.0.1.
[bdubbs] - Updated to gnutls-3.2.1.
[bdubbs] - Updated to dbus-1.6.12.
[bdubbs] - Updated to curl-7.31.0.
[bdubbs] - Updated to Berkeley db-6.0.19.
[igor] - Transmission-2.80.
[bdubbs] - Updated to glibmm-2.36.2.
[bdubbs] - Updated to atkmm-2.22.7.
June 26th, 2013
[bdubbs] - Updated to at-spi2-atk-2.8.1.
[bdubbs] - Updated to at-spi2-core-2.8.0.
[bdubbs] - Updated to atk-2.8.0.
[bdubbs] - Updated to glib-2.36.3.
[bdubbs] - Updated to acl-2.2.52.
[bdubbs] - Updated to apr-1.4.8.
[bdubbs] - Updated to sudo-1.8.7.
June 25th, 2013
[bdubbs] - Updated to qemu-1.5.0. Fixes #3862
June 19th, 2013
[igor] - Added Lua-5.2.2.
June 18th, 2013
[ken] - patch openssl-1.0.1e and wget-1.14 for perl-5.18.
June 16th, 2013
[krejzi] - Added xcb-util-keysyms and xcb-util-wm.
June 14th, 2013
[ken] - xf86-video-intel-2.21.9.
[ken] - libXrender-0.9.8 and libXvMC-1.0.8.
June 6th, 2013
[krejzi] - Added libwebp 0.3.0.
[krejzi] - WebKitGTK+ 2.0.2.
June 5th, 2013
[igor] - attr-2.4.47.
[igor] - Nmap-6.25.
June 2nd, 2013
[igor] - OpenSSH-6.2p2.
[igor] - Sudo-1.8.6p8.
[igor] - mercurial-2.6.2.
[igor] - Subversion-1.7.10.
[igor] - Ruby-2.0.0.
June 1st, 2013
[igor] - Git-1.8.3.
[igor] - Harfbuzz-0.9.18.
[igor] - ICU-51.2.
[igor] - libjpeg-turbo-1.3.0.
[igor] - SQLite-3.7.17.
[igor] - FLAC-1.3.0.
[igor] - BIND-9.9.3.
[igor] - PCRE-8.33.
[igor] - libogg-1.3.1.
[krejzi] - Removed GNOME from the book.
May 30th, 2013
[ken] - rxvt-unicode-9.18.
May 24th, 2013
[igor] - Updated libxml2 and Screen instructions to reflect changes in newer LFS versions.
May 22nd, 2013
[krejzi] - Updated Kernel Configuration for Xorg Drivers. Thanks to Igor Živković for the patch.
[krejzi] - MesaLib 9.1.3.
[krejzi] - Xorg Intel Driver 2.21.7.
May 21st, 2013
[ken] - ImageMagick 6.8.5-6.
May 19th, 2013
[krejzi] - Doxygen 1.8.4.
[krejzi] - GPGME 1.4.1.
[krejzi] - ISO Codes 3.42.
[krejzi] - libburn 1.3.0.
[krejzi] - libidn 1.26.
[krejzi] - libisoburn 1.3.0.
[krejzi] - libisofs 1.3.0.
[krejzi] - libnl 3.2.22.
[krejzi] - Midori 0.5.2.
[krejzi] - OpenOBEX 1.7.
[krejzi] - p11-kit 0.18.2.
[krejzi] - Pinentry 0.8.3.
[krejzi] - Polkit 0.111.
[krejzi] - Poppler 0.22.4.
[krejzi] - Qpdf 4.1.0.
May 17th, 2013
[krejzi] - Amarok 2.7.1.
[krejzi] - CMake 2.8.11.
[krejzi] - Colord 1.0.0.
[krejzi] - Firefox/Xulrunner 21.0.
[krejzi] - JSON-C 0.11.
[krejzi] - libdrm 2.4.45.
[krejzi] - libical 1.0.
[krejzi] - Midori 0.5.1.
[krejzi] - Python 3.3.2.
[krejzi] - Ruby 1.9.3-p429.
[krejzi] - Thunderbird 17.0.6.
[krejzi] - Xorg Synaptics Driver 1.7.1.
May 12th, 2013
[krejzi] - Cyrus SASL 2.1.26.
[krejzi] - FFmpeg 1.2.1.
[krejzi] - Fluxbox 1.3.5. Thanks to Igor Živković for the patch.
[krejzi] - Git 1.8.2.3.
[krejzi] - GnuPG 2.0.20.
[krejzi] - GnuTLS 3.1.11.
[krejzi] - libpcap 1.4.0.
[krejzi] - MPlayer 1.1.1.
[krejzi] - Python 2.7.5.
[krejzi] - SBC 1.1.
[krejzi] - Soprano 2.9.2.
[krejzi] - Whois 5.0.25.
May 9th, 2013
[krejzi] - FreeType 2.4.12.
[krejzi] - LibreOffice 4.0.3.
[krejzi] - Pixman 0.30.0.
[krejzi] - Xfce4 Notifyd 0.2.4.
May 8th, 2013
[rthomsen] - KDE 4.10.3.
[rthomsen] - Akonadi 1.9.2.
May 7th, 2013
[krejzi] - Updated Xfce4 components to latest available ones.
May 5th, 2013
[krejzi] - Colord 0.1.34.
[krejzi] - GParted 0.16.1.
[krejzi] - MesaLib 9.1.2.
[krejzi] - Soprano 2.9.1.
[krejzi] - Telepathy Mission Control 5.14.1.
[krejzi] - Updated Xorg Applications to latest available ones. Fixed Luit and XModMap build.
April 27th, 2013
[rthomsen] - Added sed to allow Akonadi to use MySQL 5.6.
[krejzi] - AccountsService 0.6.31.
[krejzi] - Apache HTTPD 2.4.4.
[krejzi] - Apr Util 1.5.1.
[krejzi] - Check 0.9.10.
[krejzi] - Colord 0.1.33.
[krejzi] - D-Bus 1.6.10.
[krejzi] - Farstream 0.2.3.
[krejzi] - GDB 7.6.
[krejzi] - Git 1.8.2.2.
[krejzi] - Gnumeric 1.12.2.
[krejzi] - GOffice 0.10.2.
[krejzi] - GParted 0.16.0.
[krejzi] - GStreamer 1.0.7.
[krejzi] - GStreamer Base Plugins 1.0.7.
[krejzi] - GStreamer Good Plugins 1.0.7.
[krejzi] - GStreamer Bad Plugins 1.0.7.
[krejzi] - GStreamer Ugly Plugins 1.0.7.
[krejzi] - GStreamer Libav 1.0.7.
[krejzi] - Guile 2.0.9.
[krejzi] - Harfbuzz 0.9.16.
[krejzi] - IBus 1.5.2.
[krejzi] - JSON GLib 0.16.0.
[krejzi] - libdrm 2.4.44.
[krejzi] - libgcrypt 1.5.2.
[krejzi] - liboauth 1.0.1.
[krejzi] - libpng 1.6.2.
[krejzi] - libtasn1 3.3.
[krejzi] - libxml2 2.9.1.
[krejzi] - MySQL 5.6.11.
[krejzi] - Nano 2.3.2.
[krejzi] - Nettle 2.7.
[krejzi] - PCI Utils 3.2.0.
[krejzi] - Sharutils 4.13.5.
April 24th, 2013
[krejzi] - Added Xorg Cirrus Driver, used by Qemu virtual GPU.
[rthomsen] - Added QJson 0.8.1.
April 21st, 2013
[ken] - rxvt-unicode-9.16.
[ken] - NFS-utils-1.2.7.
[ken] - patch xine-ui-0.99.7 so that opening files from the menu works.
[ken] - Openssh-6.2p1.
April 17th, 2013
[krejzi] - Freeglut 2.8.1.
[krejzi] - Xorg Server 1.14.1.
[krejzi] - Xorg VMWare Driver 13.0.1.
April 14th, 2013
[krejzi] - ALSA 1.0.27.
[krejzi] - CUPS Filters 1.0.34.
[krejzi] - cURL 7.30.0.
[krejzi] - Firefox/Xulrunner 20.0.1.
[krejzi] - libdiscid 0.5.0.
[krejzi] - MIT Kerberos V5 1.11.2.
[krejzi] - p11-kit 0.18.
[krejzi] - Poppler 0.22.3.
[krejzi] - SQLite 3.7.16.2.
April 8th, 2013
[krejzi] - CUPS Filters 1.0.33.
[krejzi] - Git 1.8.2.1.
[krejzi] - Harfbuzz 0.9.15.
[krejzi] - VLC 2.0.6.
April 7th, 2013
[krejzi] - Mpg123 1.15.3.
[krejzi] - Python 2.7.4.
[krejzi] - Python 3.3.1.
[krejzi] - Telepathy GLib 2.20.2.
[krejzi] - Xorg Intel Driver 2.21.6.
[krejzi] - Xorg Synaptics Driver 1.7.0.
April 5th, 2013
[krejzi] - Firefox/Xulrunner 20.0.
[krejzi] - libpng 1.6.1.
[krejzi] - LibreOffice 4.0.2.
[krejzi] - OpenLDAP 2.4.35.
[krejzi] - Thunderbird 17.0.5.
[rthomsen] - KDE 4.10.2.
[ken] - Postgresql-9.2.4. Fixes #3796.
March 31st, 2013
[rthomsen] - Mercurial 2.5.2. Fixes #3797.
[krejzi] - ISC Bind 9.9.2-P2.
[krejzi] - ISC DHCP 4.2.5-P1.
[krejzi] - libdrm 2.4.43.
[krejzi] - SQLite 3.7.16.1.
[krejzi] - Xorg Evdev Driver 2.8.0.
[krejzi] - Xorg Nouveau Driver 1.0.7.
[krejzi] - Xorg OpenChrome Driver 0.3.2.
March 26th, 2013
[bdubbs] - Update to bind-9.9.2-P1. Fixes #3697.
March 25th, 2013
[krejzi] - libffi 3.0.13.
March 24th, 2013
[krejzi] - GnuTLS 3.1.10.
[krejzi] - NSPR 4.9.6.
March 23rd, 2013
[krejzi] - AudioFile 0.3.6.
[krejzi] - Colord 0.1.31.
[krejzi] - Colord GTK 0.1.25.
[krejzi] - CUPS 1.6.2.
[krejzi] - CUPS Filters 1.0.31.
[krejzi] - GStreamer 1.0.6.
[krejzi] - GStreamer Base Plugins 1.0.6.
[krejzi] - GStreamer Good Plugins 1.0.6.
[krejzi] - GStreamer Bad Plugins 1.0.6.
[krejzi] - GStreamer Ugly Plugins 1.0.6.
[krejzi] - GStreamer Libav 1.0.6.
[krejzi] - GTK+ 2.24.17.
[krejzi] - Harfbuzz 0.9.14.
[krejzi] - ICU 51.1.
[krejzi] - libburn 1.2.8.
[krejzi] - libgcrypt 1.5.1.
[krejzi] - libisoburn 1.2.8.
[krejzi] - libisofs 1.2.8.
[krejzi] - MesaLib 9.1.1.
[krejzi] - Poppler 0.22.2.
[krejzi] - SQLite 3.7.16.
[krejzi] - UDisks 2.1.0.
[krejzi] - UPower 0.9.20.
[krejzi] - Xorg Intel Driver 2.21.5.
March 18th, 2013
[thomas] - fcron 3.1.2.
March 16th, 2013
[bdubbs] - Changed from qemu-kvm to qemu-1.4.0 which now includes kvm options.
[krejzi] - Added Glamor EGL 0.5.0.
[krejzi] - Added GtkSourceView 2.10.5.
[krejzi] - Added libgusb 0.1.6.
[krejzi] - Added libunique 1.1.6.
[krejzi] - Added Mousepad 0.3.0.
[krejzi] - Added Ristretto 0.6.3.
[krejzi] - Added Xfce4 Mixer 4.10.0.
[krejzi] - AbiWord 2.9.4.
[krejzi] - Colord 0.1.30.
[krejzi] - CUPS Filters 1.0.30.
[krejzi] - D-Bus GLib Bindings 0.100.2.
[krejzi] - DejaGnu 1.5.1.
[krejzi] - Evolution 3.6.4.
[krejzi] - Exo 0.10.2.
[krejzi] - FFmpeg 1.2.
[krejzi] - Git 1.8.2.
[krejzi] - Gnumeric 1.12.1.
[krejzi] - GOffice 0.10.1.
[krejzi] - GPGME 1.4.0.
[krejzi] - GTK Xfce Engine 3.0.1.
[krejzi] - Harfbuzz 0.9.13.
[krejzi] - Iptables 1.4.18.
[krejzi] - libassuan 2.1.0.
[krejzi] - libdvdcss 1.2.13.
[krejzi] - Midori 0.4.9.
[krejzi] - OpenLDAP 2.4.34.
[krejzi] - Parole 0.5.0.
[krejzi] - Telepathy Logger 0.8.0.
[krejzi] - Thunar 1.6.2.
[krejzi] - Thunderbird 17.0.4.
[krejzi] - Tumbler 0.1.27.
[krejzi] - Xfce4 Terminal 0.6.1.
[krejzi] - Xfdesktop 4.10.2.
[krejzi] - Xorg Intel Driver 2.21.4.
[krejzi] - Enabled support for Radeon "South Islands" GPUs in MesaLib and Xorg ATI Driver by default.
March 15th, 2013
[bdubbs] - Add a fix to udev-extras keymap Makefile issue exposed by LFS-7.3.
March 13th, 2013
[bdubbs] - Update to php-5.4.11. Fixes #3694.
March 10th, 2013
[bdubbs] - Added patch to bridge-utils caused by linux-3.8 include file change.
[bdubbs] - Update to gptfdisk-0.8.6.
[rthomsen] - Phonon-backend-vlc 0.6.2. Fixes #3784.
[rthomsen] - Akonadi 1.9.1.
[rthomsen] - KDE 4.10.1.
[krejzi] - Firefox/Xulrunner 19.0.2.
[krejzi] - LibreOffice 4.0.1.
[krejzi] - Xorg Server 1.14.0.
[krejzi] - Xorg Nouveau Driver 1.0.6.
[krejzi] - Xorg Synaptics Driver 1.6.3.
[krejzi] - Xorg Wacom Driver 0.20.0.
March 9th, 2013
[bdubbs] - Update to Lynx-2.8.8dev.15. Fixes #3655.
March 8th, 2013
March 7th, 2013
[bdubbs] - Fix link to Chinese fonts. Fixes #3821.
[bdubbs] - Update wording of DRI detection in Xorg configuration.
March 6th, 2013
[bdubbs] - Update to xterm-291. Fixes #3728.
March 5th, 2013
[bdubbs] - Remove gperf dependency from xcb-util because it is no longer used.
[bdubbs] - Remove optional generation of text documents from gperf because it breaks the install without TeXLive.
March 4th, 2013
[bdubbs] - Updated to traceroute-2.0.19. Add a note about the differences between this package and the version installed in the LFS package inetutils. Fixes #3730.
March 3rd, 2013
[krejzi] - Added a patch to fix segfault in cURL.
[krejzi] - AudioFile 0.3.5.
[krejzi] - Clutter Gst 2.0.2.
[krejzi] - Ekiga 4.0.1.
[krejzi] - FFmpeg 1.1.3.
[krejzi] - GMime 2.6.15.
[krejzi] - Graphviz 2.30.1.
[krejzi] - Gtk VNC 0.5.2.
[krejzi] - libarchive 3.1.2.
[krejzi] - libdiscid 0.3.2.
[krejzi] - libffi 3.0.12.
[krejzi] - libgpg-error 1.11.
[krejzi] - libpwquality 1.2.1.
[krejzi] - Mpg123 1.15.1.
[krejzi] - MySQL 5.5.30.
[krejzi] - NetworkManager 0.9.8.0.
[krejzi] - Opal 3.10.10.
[krejzi] - pkg-config 0.28.
[krejzi] - Postfix 2.10.0.
[krejzi] - Ptlib 2.10.10.
[krejzi] - Raptor 2.0.9.
[krejzi] - sg3_utils 1.35.
[krejzi] - Shared Mime Info 1.1.
[krejzi] - Updated to latest GNOME packages.
March 2nd, 2013
[krejzi] - Bluefish 2.2.4.
[krejzi] - LibreOffice 4.0.0.
[krejzi] - Pidgin 2.10.7.
[krejzi] - Thunderbird 17.0.3.
[krejzi] - Transmission 2.77.
March 1st, 2013
[krejzi] - Boost 1.53.0.
[krejzi] - Cairo 1.12.14.
[krejzi] - cURL 7.29.0.
[krejzi] - Gimp 2.8.4.
[krejzi] - Git 1.8.1.5.
[krejzi] - Gnumeric 1.12.0.
[krejzi] - GnuTLS 3.1.9.1.
[krejzi] - GOffice 0.10.0.
[krejzi] - GTK+ 2.24.16.
[krejzi] - libdrm 2.4.42.
[krejzi] - libgsf 1.14.26.
[krejzi] - libnl 3.2.21.
[krejzi] - libpng 1.5.14.
[krejzi] - libtirpc 0.2.3.
[krejzi] - MesaLib 9.1.
[krejzi] - MIT Kerberos V5 1.11.1.
[krejzi] - NSPR 4.9.5.
[krejzi] - NSS 3.14.3.
[krejzi] - Ntfs-3g 2013.1.13.
[krejzi] - OpenSSL 1.0.1e.
[krejzi] - p11-kit 0.15.2.
[krejzi] - Poppler 0.22.1.
[krejzi] - Ruby 1.9.3-p392.
[krejzi] - XKeyboard Config 2.8.
[krejzi] - Xorg ATI Driver 7.1.0.
[krejzi] - Xorg Intel Driver 2.21.3.
[krejzi] - XScreenSaver 5.21.
February 27th, 2013
[ken] - Update message about NIS and RPC headers in libtirpc.
February 21st, 2013
[wblaszcz] - Fixed JSON-C missing headers issue. Fixes #3808.
February 20th, 2013
[randy] - Updated GnuPG to 1.4.13.
February 18th, 2013
[randy] - Minor fixes and dependency updates.
February 13th, 2013
[randy] - Added instructions to libiodbc and Virtuoso so they play nice with unixODBC.
February 11th, 2013
[randy] - Updated Perl Module Date::Manip to 6.38.
[randy] - Updated FFmpeg to 1.1.2.
[krejzi] - Added wpa service configuration to wpa_supplicant instructions.
February 10th, 2013
[randy] - Updated ImageMagick to 6.8.2-8.
[krejzi] - Updated GCC instructions to install Ada and Go compilers. Thanks to Pierre Labastie for the patch.
February 9th, 2013
[rthomsen] - KDE 4.10.0.
[rthomsen] - Added xcb-util-image 0.3.9 and xcb-util-renderutil 0.3.8.
February 7th, 2013
[randy] - Minor modifications and added dependencies to the SANE instructions.
[rthomsen] - Cairo 1.12.12.
[rthomsen] - Strigi 0.7.8.
[rthomsen] - Phonon-backend-gstreamer 4.6.3.
February 4th, 2013
[randy] - Updated Enscript to 1.6.6.
February 3rd, 2013
[thomas] - Samba 3.6.12.
February 2nd, 2013
[rthomsen] - Dhcpcd 5.6.7.
[randy] - Modified the build commands and dependencies in the VLC instructions.
January 29th, 2013
[randy] - Modified the dependencies for the XML::Simple Perl Module instructions.
January 26th, 2013
[randy] - Added a dependency and modified the libical instructions.
[thomas] - PostgreSQL 9.2.2
January 25th, 2013
[krejzi] - Clutter Gst 2.0.0.
[krejzi] - Colord 0.1.28.
[krejzi] - CrackLib 2.8.22.
[krejzi] - DHCP 4.2.5.
[krejzi] - Doxygen 1.8.3.1.
[krejzi] - Ed 1.7.
[krejzi] - Evolution 3.6.3.
[krejzi] - JSON C 0.10.
[krejzi] - MesaLib 9.0.2.
[krejzi] - Postfix 2.9.5.
[krejzi] - Rasqal 0.9.30.
[krejzi] - Sharutils 4.13.3.
[krejzi] - Soprano 2.9.0.
[krejzi] - Transmission 2.76.
[krejzi] - Xorg Server 1.13.2.
[krejzi] - Updated some GNOME Core packages to latest available upstream.
January 24th, 2013
[krejzi] - MySQL 5.5.29.
[randy] - Updated Audacious/Audacious-Plugins to 3.3.3
January 23rd, 2013
[randy] - Added a patch to the gst-plugins-ugly instructions to fix building against the new libcdio API.
January 21st, 2013
[randy] - Modified dependencies and general cleanup of the Gimp instructions.
January 20th, 2013
[randy] - Added a patch to the GeoClue instructions so it will build against GPSD.
[krejzi] - Firefox/Xulrunner 18.0.1.
[krejzi] - Thunderbird 17.0.2.
[krejzi] - Xorg Intel Driver 2.20.19.
[thomas] - fcron 3.1.1.
January 19th, 2013
[krejzi] - Replaced libjpeg 8d with libjpeg-turbo 1.2.1.
[krejzi] - Amarok 2.7.0.
[krejzi] - Cairo 1.12.10.
[krejzi] - CMake 2.8.10.2.
[krejzi] - ICU 50.1.2.
[krejzi] - libdrm 2.4.41.
[krejzi] - libnl 3.2.19.
[krejzi] - Nettle 2.6.
[krejzi] - Polkit 0.110.
[krejzi] - Qpdf 4.0.1.
[krejzi] - Taglib 1.8.
[krejzi] - WPA Supplicant 2.0.
[krejzi] - Xorg Intel Driver 2.20.18.
[krejzi] - Xorg VMMouse Driver 13.0.0.
[krejzi] - Xorg VMware Driver 13.0.0.
January 18th, 2013
[krejzi] - Graphviz 2.30.0.
[krejzi] - libsoup 2.40.3.
[krejzi] - Ruby 1.9.3-p374.
[krejzi] - Tcl 8.6.0.
[krejzi] - Tk 8.6.0.
[krejzi] - Removed Tcl extension build instructions from SQLite page as it is now part of Tcl 8.6.0.
[krejzi] - Fixed Python 2 bsddb module build against newer Berkeley DB.
[krejzi] - Updated GNOME 3.6 packages to latest available ones.
[randy] - Added DESTDIR instructions to packages that update '/usr/share/glib-2.0/schemas'.
[randy] - Updated the xincludes files.
[randy] - Updated package URLs.
January 15th, 2013
[randy] - Remove an unneeded parameter from the libmpeg2 instructions.
[randy] - Corrected the API documentation installation instructions in the xine-lib instructions.
[randy] - Tweaked the MPlayer instructions and updated the default skin tarball.
January 13th, 2013
[randy] - Added a parameter to the CUPS-Filters instructions.
January 12th, 2013
[krejzi] - Colord 0.1.27.
[krejzi] - GStreamer 1.0.5.
[krejzi] - GStreamer Base Plugins 1.0.5.
[krejzi] - GStreamer Good Plugins 1.0.5.
[krejzi] - GStreamer Bad Plugins 1.0.5.
[krejzi] - GStreamer Ugly Plugins 1.0.5.
[krejzi] - GStreamer Libav 1.0.5.
[krejzi] - GTK+ 3.6.4.
[krejzi] - libburn 1.2.6.
[krejzi] - libisoburn 1.2.6.
[krejzi] - libisofs 1.2.6.
[krejzi] - SQLite 3.7.15.2.
[krejzi] - UPower 0.9.19.
January 11th, 2013
[Randy] - Added commands to the Fribidi instructions so that it will link against the GLib-2 library.
[Randy] - Added dependencies to the yasm instructions.
January 10th, 2013
[krejzi] - CUPS Filters 1.0.29.
[Randy] - Updated to Samba-3.6.10.
[Randy] - Added dependencies to the Guile and GnuTLS instructions.
January 5th, 2013
[krejzi] - Added SBC 1.0.
[krejzi] - Re-added Transcode 1.1.7.
[krejzi] - AccountsService 0.6.30.
[krejzi] - Akonadi 1.9.0.
[krejzi] - Cogl 1.12.2.
[krejzi] - Farstream 0.2.2.
[krejzi] - GnuTLS 3.1.6.
[krejzi] - GTK+ 3.6.3.
[krejzi] - Iptables 1.4.17.
[krejzi] - KDE 4.9.5.
[krejzi] - libdiscid 0.3.0.
[krejzi] - lm_sensors 3.3.3.
[krejzi] - MIT Kerberos V5 1.11.
[krejzi] - PulseAudio 3.0.
[krejzi] - Qpdf 4.0.0.
[krejzi] - Redland 1.0.16.
[krejzi] - SoundTouch 1.7.1.
[krejzi] - Talloc 2.0.8.
[krejzi] - UDisks 2.0.1.
[krejzi] - Xorg Wacom Driver 0.19.0.
January 2nd, 2013
[krejzi] - IBus 1.5.1.
[krejzi] - Nasm 2.10.07.
[krejzi] - Ruby 1.9.3-p362.
January 1st, 2013
[krejzi] - Removed Cairo expose_snapshot patch since it causes more problems than it solves.
[bdubbs] - Add gptfdisk-0.8.5. Moved parted to disk management chapter.
[bdubbs] - Archive 2012 changelog.
Last updated on 2013-09-13 12:50:39 -0700
The linuxfromscratch.org server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.
For more information regarding which lists are available, how to subscribe to them, archive locations, etc., visit http://www.linuxfromscratch.org/mail.html.
Last updated on 2007-04-04 12:42:53 -0700
The BLFS Project has created a Wiki for users to comment on pages and instructions at http://wiki.linuxfromscratch.org/blfs/wiki. Comments are welcome from all users.
The following are the rules for posting:
Users must register and log in to edit a page.
Suggestions to change the book should be made by creating a new ticket, not by making comments in the Wiki.
Questions with your specific installation problems should be made by subscribing and mailing to the BLFS Support Mailing List at mailto:blfs-support AT linuxfromscratch D0T org.
Discussions of build instructions should be made by subscribing and mailing to the BLFS Development List at mailto:blfs-dev AT linuxfromscratch D0T org.
Inappropriate material will be removed.
Last updated on 2007-04-04 12:42:53 -0700
If you encounter a problem while using this book, and your problem is not listed in the FAQ (http://www.linuxfromscratch.org/faq), you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.
Before asking for help, you should review the following items:
Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modprobe.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the sys.log file or run modprobe <driver> to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.
Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -G audio <user> may be all that's necessary for that user to have access to the sound system. Any question that starts out with “It works as root, but not as ...” requires a thorough review of permissions prior to asking.
BLFS liberally uses /opt/<package>. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called “Going Beyond BLFS” is available to help you check.
Apart from a brief explanation of the problem you're having, the essential things to include in your request are:
the version of the book you are using (being 7.4),
the package or section giving you problems,
the exact error message or symptom you are receiving,
whether you have deviated from the book or LFS at all,
if you are installing a BLFS package on a non-LFS system.
(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)
Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research was done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.
An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at http://www.catb.org/~esr/faqs/smart-questions.html. Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.
Last updated on 2009-09-24 22:43:37 -0700
Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project.
Fernando de Oliveira
Bruce Dubbs
Ken Moffat
Ragnar Thomsen
Igor Zivkovic
The list of contributors is far too large to provide detailed information about the contributions for each contributor. Over the years, the following individuals have provided significant inputs to the book:
Timothy Bauscher
Daniel Bauman
Jeff Bauman
Andy Benton
Wayne Blaszczyk
Paul Campbell
Nathan Coulson
Jeroen Coumans
Guy Dalziel
Robert Daniels
Richard Downing
Manuel Canales Esparcia
Jim Gifford
Manfred Glombowski
Ag Hatzimanikas
Mark Hymers
James Iwanek
Armin Krejzi
David Jensen
Jeremy Jones
Seth Klein
Alex Kloss
Eric Konopka
Larry Lawrence
DJ Lucas
Chris Lynn
Randy McMurchy
Andrew McMurry
Billy O'Connor
Alexander Patrakov
Olivier Peres
Andreas Pedersen
Henning Rohde
Matt Rogers
James Robertson
Chris Staub
Jesse Tie-Ten-Quee
Thomas Trepl
Tushar Teredesai
Jeremy Utley
Zack Winkles
Christian Wurst
Fernando Arbeiza
Miguel Bazdresch
Gerard Beekmans
Oliver Brakmann
Jeremy Byron
Ian Chilton
David Ciecierski
Jim Harris
Lee Harris
Marc Heerdink
Steffen Knollmann
Eric Konopka
Scot McPherson
Ted Riley
Last updated on 2013-09-08 08:20:07 -0700
Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.
Last updated on 2012-02-05 21:15:51 -0800
This chapter is used to explain some of the policies used throughout the book, to introduce important concepts and to explain some issues you may see with some of the included packages.
Those people who have built an LFS system may be aware of the general principles of downloading and unpacking software. Some of that information is repeated here for those new to building their own software.
Each set of installation instructions contains a URL from which you can download the package. The patches, however, are stored on the LFS servers and are available via HTTP. These are referenced as needed in the installation instructions.
While you can keep the source files anywhere you like, we assume that you have unpacked the package and changed into the directory created by the unpacking process (the 'build' directory). We also assume you have uncompressed any required patches and they are in the directory immediately above the 'build' directory.
We can not emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error during configuration or compilation, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.
The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.
If a file is in .tar format and compressed, it is unpacked by running one of the following commands:
tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2
You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.
You can also use a slightly different method:
bzcat filename.tar.bz2 | tar -xv
Finally, you sometimes need to be able to unpack patches which are generally not in .tar format. The best way to do this is to copy the patch file to the parent of the 'build' directory and then run one of the following commands depending on whether the file is a .gz or .bz2 file:
gunzip -v patchname.gz
bunzip2 -v patchname.bz2
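The clean-tree rule and the unpacking commands above can be combined into one small helper. The following function is an added example and is not part of the BLFS book; the function name fresh_unpack and the guard on the top-level directory name are this example's own choices. It relies on tar detecting the compression format itself, which is what the tar -xvf commands above rely on as well.

```shell
#!/bin/sh
# Added example, not BLFS code: unpack a source tarball into a clean
# build directory, throwing away whatever an earlier attempt left behind.

# fresh_unpack TARBALL
# Prints the name of the build directory on success. Relies on tar
# detecting the compression itself (gz, bz2, Z), as the commands above do.
fresh_unpack() {
    _tarball=$1
    if [ ! -f "$_tarball" ]; then
        echo "fresh_unpack: $_tarball: no such file" >&2
        return 1
    fi
    # The build directory is the first path component of the first member.
    _dir=$(tar -tf "$_tarball" | head -n 1 | cut -d/ -f1)
    # Refuse anything that would not be a plain subdirectory of $PWD:
    # empty (member path began with "/"), "." or "..".
    case "$_dir" in
        ''|.|..)
            echo "fresh_unpack: refusing $_tarball: top-level member '$_dir'" >&2
            return 1 ;;
    esac
    rm -rf "$_dir"              # the clean-tree rule: never reuse a failed tree
    tar -xf "$_tarball" || return 1
    [ -d "$_dir" ] || return 1
    printf '%s\n' "$_dir"
}

# Usage:  builddir=$(fresh_unpack foo-1.2.3.tar.bz2) && cd "$builddir"
```

The rm -rf step is what makes a re-run after a failed configure or make honest: stale config.status files, half-built objects and edited Makefiles are gone before the next attempt. The case guard exists because the directory name is taken from the archive itself, so an archive whose members start with "/" or ".." must not be able to turn that rm into something destructive.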
Generally, to verify that the downloaded file is genuine and complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:
md5sum -c file.md5sum
If there are any errors, they will be reported. Note that the BLFS book includes md5sums for all the source files also. To use the BLFS supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternately, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.
md5sum <name_of_downloaded_file>
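The "create a file.md5sum and run md5sum -c" step above is easy to script. The function below is an added example, not BLFS code; the names verify_sum and verify_md5 are this example's own. It goes slightly beyond the text in taking the checksum program as a parameter, because sha256sum -c reads exactly the same "<hash>  <name>" checklist format as md5sum -c.

```shell
#!/bin/sh
# Added example, not BLFS code: check a downloaded file against the
# checksum printed in the book, using the "<hash>  <name>" checklist
# format that md5sum -c (and sha256sum -c) read.

# verify_sum TOOL EXPECTED FILE
#   TOOL is md5sum (as in the book) or another coreutils *sum program.
#   Returns 0 if FILE exists and its checksum matches EXPECTED,
#   1 otherwise; the reason is printed on stderr.
verify_sum() {
    _tool=$1; _expected=$2; _file=$3
    if [ ! -f "$_file" ]; then
        echo "verify_sum: $_file: no such file" >&2
        return 1
    fi
    _list=$(mktemp) || return 1
    # Two spaces between hash and name: the layout the *sum tools write.
    printf '%s  %s\n' "$_expected" "$_file" > "$_list"
    if "$_tool" -c "$_list" >/dev/null 2>&1; then
        rm -f "$_list"
        return 0
    fi
    rm -f "$_list"
    echo "verify_sum: $_tool mismatch for $_file; download it again" >&2
    return 1
}

# verify_md5 EXPECTED FILE: the book's case.
verify_md5() {
    verify_sum md5sum "$1" "$2"
}

# Usage:  verify_md5 d41d8cd98f00b204e9800998ecf8427e foo-1.2.3.tar.bz2 || exit 1
```

A matching checksum shows the download is complete and unaltered relative to the published value; it is only as trustworthy as the place the value came from, which is why the text above suggests fetching the file and its checksum from different locations.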
For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace <command> with the command you intend to execute.
( <command> 2>&1 | tee compile.log && exit $PIPESTATUS )
2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the <command> is returned as the result and not the result of the tee command.
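To see why the exit $PIPESTATUS part matters, the following added example (not from the BLFS book) wraps the logging command in a function and places it next to a plain pipe into tee. The function names naive_run and logged_run are this example's own. PIPESTATUS is a Bash feature, so the function falls back to passing the status out of the pipeline through a temporary file when run under another shell.

```shell
#!/bin/sh
# Added example, not BLFS code: log a build step while keeping the
# step's own exit status, so a failed configure/make stops a script.

# naive_run LOGFILE COMMAND [ARGS...]
# Plain pipe into tee: the status the caller sees is tee's (0), so a
# failing COMMAND goes unnoticed. Kept here only to show the problem.
naive_run() {
    _log=$1; shift
    "$@" 2>&1 | tee "$_log"
}

# logged_run LOGFILE COMMAND [ARGS...]
# Same logging, but returns COMMAND's status. Under bash this is the
# book's construct; other shells have no PIPESTATUS, so the status is
# written to a temporary file from inside the pipeline instead.
logged_run() {
    _log=$1; shift
    if [ -n "$BASH_VERSION" ]; then
        ( "$@" 2>&1 | tee "$_log" && exit $PIPESTATUS )
    else
        _st=$(mktemp) || return 1
        # set +e: COMMAND failing must be recorded, not abort the subshell
        ( set +e; "$@" 2>&1; echo $? > "$_st" ) | tee "$_log"
        _rc=$(cat "$_st")
        rm -f "$_st"
        return "$_rc"
    fi
}

# Usage:  logged_run configure.log ./configure --prefix=/usr &&
#         logged_run make.log make
```

With naive_run a build script chained with && carries on after a failed make because tee reported success; with logged_run the same script stops at the failing step, and the log still holds the error for inspection.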
There are times when automating the building of a package can come in handy. Everyone has their own reasons for wanting to automate building, and everyone goes about it in their own way. Creating Makefiles, Bash scripts, Perl scripts or simply a list of commands used to cut and paste are just some of the methods you can use to automate building BLFS packages. Detailing how and providing examples of the many ways you can automate the building of packages is beyond the scope of this section. This section will expose you to using file redirection and the yes command to help provide ideas on how to automate your builds.
You will find times throughout your BLFS journey when you will come across a package that has a command prompting you for information. This information might be configuration details, a directory path, or a response to a license agreement. This can present a challenge to automate the building of that package. Occasionally, you will be prompted for different information in a series of questions. One method to automate this type of scenario requires putting the desired responses in a file and using redirection so that the program uses the data in the file as the answers to the questions.
Building the CUPS package is a good example of how redirecting a file as input to prompts can help you automate the build. If you run the test suite, you are asked to respond to a series of questions regarding the type of test to run and if you have any auxiliary programs the test can use. You can create a file with your responses, one response per line, and use a command similar to the one shown below to automate running the test suite:
make check < ../cups-1.1.23-testsuite_parms
This effectively makes the test suite use the responses in the file as the input to the questions. Occasionally you may end up doing a bit of trial and error determining the exact format of your input file for some things, but once figured out and documented you can use this to automate building the package.
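The responses-file technique can be tried without CUPS. The following added example is not from the BLFS book: it writes a small stand-in for a package's prompting script (three questions, one answer per line of standard input), then runs it with a redirected answers file exactly as make check < ../cups-1.1.23-testsuite_parms does. The stand-in script, the questions it asks and the function names make_prompting_script and run_with_answers are all constructed for this example.

```shell
#!/bin/sh
# Added example, not BLFS code: answer an interactive build step from a
# file, the way "make check < ../cups-1.1.23-testsuite_parms" does.
# The prompting program is a constructed stand-in for a package script.

# make_prompting_script PATH
# Writes a small script that asks three questions, one per line of
# standard input. Each "read" fails at end of input, so running out of
# answers makes the script stop with status 2 instead of hanging.
make_prompting_script() {
    cat > "$1" << "EOF"
#!/bin/sh
printf 'Test type (quick/full): ';    read TEST_TYPE || exit 2
printf 'Path to helper program: ';    read HELPER    || exit 2
printf 'Accept the license? (y/n): '; read ACCEPT    || exit 2
if [ "$ACCEPT" != y ]; then
    echo 'license declined'
    exit 1
fi
echo "running $TEST_TYPE tests with helper $HELPER"
EOF
}

# run_with_answers SCRIPT ANSWERS LOGFILE
# Runs SCRIPT with standard input redirected from ANSWERS and all of its
# output captured in LOGFILE; returns the script's exit status.
run_with_answers() {
    sh "$1" < "$2" > "$3" 2>&1
}

# Usage:
#   make_prompting_script prompted-configure
#   printf 'full\n/usr/bin/true\ny\n' > answers
#   run_with_answers prompted-configure answers build.log
```

Because the prompts come from a file rather than a terminal, nothing echoes the answers, so the log shows the three prompts run together on one line followed by the script's result. The short-answers case is the one to watch for in real builds: a program that reads standard input in a loop may spin forever on end of input, whereas one that checks the result of read fails fast, which is why the stand-in does so.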
Sometimes you will only need to provide one response, or provide the same response to many prompts. For these instances, the yes command works really well. The yes command can be used to provide a response (the same one) to one or more instances of questions. It can be used to simulate pressing just the Enter key, entering the Y key or entering a string of text. Perhaps the easiest way to show its use is in an example.
First, create a short Bash script by entering the following commands:
cat > blfs-yes-test1 << "EOF"
#!/bin/bash
echo -n -e "\n\nPlease type something (or nothing) and press Enter ---> "
read A_STRING
if test "$A_STRING" = ""; then A_STRING="Just the Enter key was pressed"
else A_STRING="You entered '$A_STRING'"
fi
echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test1
Now run the script by issuing ./blfs-yes-test1 from the command line. It will wait for a response, which can be anything (or nothing) followed by the Enter key. After entering something, the result will be echoed to the screen. Now use the yes command to automate the entering of a response:
yes | ./blfs-yes-test1
Notice that piping yes by itself to the script results in y being passed to the script. Now try it with a string of text:
yes 'This is some text' | ./blfs-yes-test1
The exact string was used as the response to the script. Finally, try it using an empty (null) string:
yes '' | ./blfs-yes-test1
Notice this results in passing just the press of the Enter key to the script. This is useful for times when the default answer to the prompt is sufficient. This syntax is used in the Net-tools instructions to accept all the defaults to the many prompts during the configuration step. You may now remove the test script, if desired.
Automating the building of some packages, especially those that require you to read a license agreement one page at a time, requires a method that avoids having to press a key to display each page. Redirecting the output to a file can be used in these instances to assist with the automation. The previous section on this page touched on creating log files of the build output. The redirection method shown there used the tee command to redirect output to a file while also displaying the output to the screen. Here, the output will only be sent to a file.
Again, the easiest way to demonstrate the technique is to show an example. First, issue the command:
ls -l /usr/bin | more
Of course, you'll be required to view the output one page at a time because the more filter was used. Now try the same command, but this time redirect the output to a file. The special file /dev/null can be used instead of the filename shown, but you will have no log file to examine:
ls -l /usr/bin | more > redirect_test.log 2>&1
Notice that this time the command immediately returned to the shell prompt without having to page through the output. You may now remove the log file.
The last example will use the yes command in combination with output redirection to bypass having to page through the output and then provide a y to a prompt. This technique could be used in instances when otherwise you would have to page through the output of a file (such as a license agreement) and then answer the question of “do you accept the above?”. For this example, another short Bash script is required:
cat > blfs-yes-test2 << "EOF"
#!/bin/bash
ls -l /usr/bin | more
echo -n -e "\n\nDid you enjoy reading this? (y,n) "
read A_STRING
if test "$A_STRING" = "y"; then A_STRING="You entered the 'y' key"
else A_STRING="You did NOT enter the 'y' key"
fi
echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test2
This script can be used to simulate a program that requires you to read a license agreement, then respond appropriately to accept the agreement before the program will install anything. First, run the script without any automation techniques by issuing ./blfs-yes-test2.
Now issue the following command which uses two automation techniques, making it suitable for use in an automated build script:
yes | ./blfs-yes-test2 > blfs-yes-test2.log 2>&1
If desired, issue tail blfs-yes-test2.log to see the end of the paged output, and confirmation that y was passed through to the script. Once satisfied that it works as it should, you may remove the script and log file.
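Both techniques can be wrapped in reusable shell functions, together with the one check the examples above leave out: that a failure inside the automated step is still reported to the script that drove it. The following is an added example, not code from the BLFS book. fake_step is a constructed stand-in for an installer that dumps a long license text and then asks for y (it plays the part of blfs-yes-test2); run_quiet and run_tee are names chosen here.

```bash
#!/bin/bash
# Added example (not from the BLFS book): run an interactive build step
# unattended, keep a log, and still get the step's own exit status back.

# fake_step EXIT: constructed stand-in for a configure/install step that
# prints a long text, asks a yes/no question on stdin and exits with EXIT
# once the answer is "y".
fake_step() {
    local answer
    printf 'LICENSE TEXT line %s\n' $(seq 1 200)
    printf '\n\nDo you accept the above? (y,n) '
    read -r answer
    if [ "$answer" != "y" ]; then
        echo "declined" >&2
        return 2
    fi
    echo "installing..."
    return "${1:-0}"
}

# run_quiet STEP EXIT LOG: answer every prompt with y, send everything to
# LOG (a pager whose output is not a terminal does not wait for a key) and
# return STEP's status: a pipeline's status is that of its last command.
run_quiet() {
    yes | "$1" "$2" > "$3" 2>&1
}

# run_tee STEP EXIT LOG: same, but also show the output on the terminal, as
# the tee-based logging earlier on this page does.  Now tee is the last
# command, so its status (0) would hide a failed STEP.  set -o pipefail is
# not the right fix when yes(1) is in the pipeline: yes is killed by SIGPIPE
# (status 141) as soon as STEP stops reading, and pipefail would report that
# as a failure even when STEP succeeded.  So STEP's status is recorded
# explicitly from inside the pipeline instead.
run_tee() {
    local log=$3 status
    { yes | "$1" "$2" 2>&1; echo "$?" > "$log.status"; } | tee "$log"
    read -r status < "$log.status"
    rm -f "$log.status"
    return "$status"
}
```

run_quiet is the yes | ./blfs-yes-test2 > blfs-yes-test2.log 2>&1 command above, made into a function whose return value a build script can test. run_tee is the variant to use when you also want to watch the build; the status file is the portable way to get a non-final pipeline member's exit code, and it avoids the yes/pipefail interaction described in the comment.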
Finally, keep in mind that there are many ways to automate and/or script the build commands. There is not a single “correct” way to do it. Your imagination is the only limit.
For each package described, BLFS lists the known dependencies. These are listed under several headings, whose meaning is as follows:
Required means that the target package cannot be correctly built without the dependency having first been installed.
Recommended means that BLFS strongly suggests this package is installed first for a clean and trouble-free build, that won't have issues either during the build process, or at run-time.
Optional means that this package might be installed for added functionality. Often BLFS will describe the dependency to explain the added functionality that will result.
On occasion you may run into a situation in the book when a package will not build or work properly. Though the Editors attempt to ensure that every package in the book builds and works properly, sometimes a package has been overlooked or was not tested with this particular version of BLFS.
If you discover that a package will not build or work properly, you should see if there is a more current version of the package. Typically this means you go to the maintainer's web site and download the most current tarball and attempt to build the package. If you cannot determine the maintainer's web site by looking at the download URLs, use Google and query the package's name. For example, in the Google search bar type: 'package_name download' (omit the quotes) or something similar. Sometimes typing: 'package_name home page' will result in you finding the maintainer's web site.
In LFS, stripping of debugging symbols was discussed a couple of times. When building BLFS packages, there are generally no special instructions that discuss stripping again. It is probably not a good idea to strip an executable or a library while it is in use, so exiting any windowing environment is a good idea. Then you can do:
find /{,usr/}{bin,lib,sbin} -type f -exec strip --strip-unneeded {} \;
If you install programs in other directories such as /opt or /usr/local, you may want to strip the files there too.
For more information on stripping, see http://www.technovelty.org/linux/stripping-shared-libraries.html.
One of the side effects of packages that use Autotools, including libtool, is that they create many files with an .la extension. These files are not needed in an LFS environment. If there are conflicts with pkgconfig entries, they can actually prevent successful builds. You may want to consider removing these files periodically:
find /lib /usr/lib -not -path "*Image*" -a -name \*.la -delete
The above command removes all .la files with the exception of those that have "Image" (ImageMagick) as a part of the path. The .la files in the ImageMagick modules subdirectory are used by the program itself. There may be other exceptions for packages not in BLFS.
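A narrower alternative to the blanket deletion is to find the .la files that are already broken, since those are the ones that stop builds. This is an added example, not from the BLFS book; la_deps and la_stale are names chosen here, and the .la files it is exercised on are constructed.

```bash
#!/bin/bash
# Added example (not from the BLFS book): rather than deleting every .la
# file, find the ones that are already broken.  A libtool archive lists, on
# its dependency_libs= line, the other .la files it was linked against; once
# one of those has gone (a package upgrade, or the find command above), every
# later link that goes through the surviving .la fails with a libtool error.

# la_deps FILE: print the .la paths named on FILE's dependency_libs= line,
# one per line; -L and -l entries are skipped.  Paths containing whitespace
# are not handled.
la_deps() {
    local libs dep
    libs=$(sed -n "s/^dependency_libs='\(.*\)'$/\1/p" "$1")
    for dep in $libs; do
        case $dep in
            *.la) printf '%s\n' "$dep" ;;
        esac
    done
}

# la_stale DIR...: report "<file>: missing <dependency>" for every .la file
# below the given directories whose dependency no longer exists, skipping
# ImageMagick's modules as the find command above does.  Returns 0 when
# nothing is stale, 1 otherwise.
la_stale() {
    local report
    report=$(find "$@" -not -path '*Image*' -type f -name '*.la' |
        while IFS= read -r f; do
            la_deps "$f" | while IFS= read -r dep; do
                [ -e "$dep" ] || printf '%s: missing %s\n' "$f" "$dep"
            done
        done)
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}
```

Run la_stale /lib /usr/lib when a build fails inside libtool: removing only the reported files, and repeating until nothing is reported, leaves the .la files that are still consistent in place. The same check is worth running after the find command above, because any .la you excluded from the deletion may now point at files that are gone.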
Last updated on 2013-08-02 20:44:50 -0700
Should I install XXX in /usr or /usr/local?
This is a question without an obvious answer for an LFS based system.
In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.
With Linux distributions like Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.
LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.
On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.
On a network of several computers all running an identical LFS system, /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.
Even on a single computer, /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.
Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.
Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?
There is nothing stopping you; many sites do make their own trees. However, it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file it is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.
What is the BLFS position on this?
All of the BLFS instructions install programs in /usr, with optional instructions to install into /opt for some specific packages.
Last updated on 2007-04-04 12:42:53 -0700
As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that fall in one of the following criteria:
Fixes a compilation problem.
Fixes a security problem.
Fixes a broken functionality.
In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.
Last updated on 2007-04-04 12:42:53 -0700
The BLFS Bootscripts package contains the init scripts that are used throughout the book. It is assumed that you will be using the BLFS Bootscripts package in conjunction with a compatible LFS-Bootscripts package. Refer to ../../../../lfs/view/7.4/chapter07/bootscripts.html for more information on the LFS-Bootscripts package.
Package Information
The BLFS Bootscripts package will be used throughout the BLFS book for startup scripts. Unlike LFS, each init script has a separate install target in the BLFS Bootscripts package. It is recommended you keep the package source directory around until completion of your BLFS system. When a script is requested from BLFS Bootscripts, simply change to the directory and, as the root user, execute the given make install-<init-script> command. This command installs the init script to its proper location (along with any auxiliary configuration scripts) and also creates the appropriate symlinks to start and stop the service at the appropriate run-level.
It is advisable to peruse each bootscript before installation to ascertain that it satisfies your need. Also verify that the start and stop symlinks it creates match your preferences.
Last updated on 2007-04-04 12:42:53 -0700
The original libraries were simply an archive of routines from which the required routines were extracted and linked into the executable program. These are described as static libraries (libfoo.a). On some old operating systems they are the only type available.
On almost all Linux platforms there are also shared libraries (libfoo.so) - one copy of the library is loaded into virtual memory, and shared by all the programs which call any of its functions. This is space efficient.
In the past, essential programs such as a shell were often linked statically so that some form of minimal recovery system would exist even if shared libraries, such as libc.so, became damaged (e.g. moved to lost+found after fsck following an unclean shutdown). Nowadays, most people use an alternative system install or a Live CD if they have to recover. Journaling filesystems also reduce the likelihood of this sort of problem.
Developers, at least while they are developing, often prefer to use static versions of the libraries which their code links to.
Within the book, there are various places where configure switches such as --disable-static are employed, and other places where the possibility of using system versions of libraries instead of the versions included within another package is discussed. The main reason for this is to simplify updates of libraries.
If a package is linked to a dynamic library, updating to a newer library version is automatic once the newer library is installed and the program is (re)started (provided the library major version is unchanged, e.g. going from libfoo.so.2.0 to libfoo.so.2.1. Going to libfoo.so.3 will require recompilation - ldd can be used to find which programs use the old version). If a program is linked to a static library, the program always has to be recompiled. If you know which programs are linked to a particular static library, this is merely an annoyance. But usually you will not know which programs to recompile.
Most libraries are shared, but if you do something unusual, such as moving a shared library to /lib, accidentally breaking the .so symlink in /usr/lib while keeping the static library in /lib, the static library will be silently linked into the programs which need it.
One way to identify when a static library is used is to deal with it at the end of the installation of every package. Write a script to find all the static libraries in /usr/lib or wherever you are installing to, and either move them to another directory so that they are no longer found by the linker, or rename them so that libfoo.a becomes e.g. libfoo.a.hidden. The static library can then be temporarily restored if it is ever needed, and the package needing it can be identified. You may choose to exclude some of the static libraries from glibc (and libsupc++.a from GCC) if you do this (libc_nonshared.a, libg.a, libieee.a, libm.a, libpthread_nonshared.a, librpcsvc.a, libsupc++.a) to simplify compilation.
If you use this approach, you may discover that more packages than you were expecting use a static library. That was the case with nettle-2.4 in its default static-only configuration: It was required by GnuTLS-3.0.19, but also linked into package(s) which used GnuTLS, such as glib-networking-2.32.3.
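The approach just described, as an added example that is not from the BLFS book: hide_static, unhide_static, is_kept and DRY_RUN are names chosen here, and the keep list is the one given in the paragraph above.

```bash
#!/bin/bash
# Added example (not from the BLFS book): the "hide the static libraries"
# approach described above, as two functions.  libfoo.a becomes
# libfoo.a.hidden so the linker no longer finds it; a package that then fails
# to link has identified itself as a static-library user, and the archive can
# be put back while that package is dealt with.

# Archives the text above suggests leaving in place, because hiding them
# breaks ordinary compilation.
KEEP_STATIC="libc_nonshared.a libg.a libieee.a libm.a libpthread_nonshared.a
librpcsvc.a libsupc++.a"

# is_kept NAME: true if NAME is on the keep list.
is_kept() {
    local k
    for k in $KEEP_STATIC; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# hide_static DIR...: rename every regular *.a file below the given
# directories (symlinks and the keep list are skipped) to *.a.hidden and
# print what was renamed.  Set DRY_RUN=1 to only print.
hide_static() {
    find "$@" -type f -name '*.a' | while IFS= read -r f; do
        is_kept "${f##*/}" && continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would hide %s\n' "$f"
        else
            mv -- "$f" "$f.hidden" && printf 'hidden %s\n' "$f"
        fi
    done
}

# unhide_static FILE.a.hidden...: restore archives for a rebuild, after
# which hide_static can be run again.
unhide_static() {
    local f
    for f in "$@"; do
        case $f in
            *.a.hidden) mv -- "$f" "${f%.hidden}" ;;
            *) printf 'not a hidden archive: %s\n' "$f" >&2; return 1 ;;
        esac
    done
}
```

Run DRY_RUN=1 hide_static /usr/lib first to see what would be touched; then hide_static /usr/lib after each package install, and unhide_static only the archive a failing build asks for, so the package that needed it is the one you find, not one you guessed.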
Many packages put some of their common functions into a static library which is only used by the programs within the package and, crucially, the library is not installed as a standalone library. These internal libraries are not a problem - if the package has to be rebuilt to fix a bug or vulnerability, nothing else is linked to them.
When BLFS mentions system libraries, it means shared versions of libraries. Some packages such as Firefox-23.0.1 and ghostscript-9.10 include many other libraries. When they link to them, they link statically so this also makes the programs bigger. The version they ship is often older than the version used in the system, so it may contain bugs - sometimes developers go to the trouble of fixing bugs in their included libraries, other times they do not.
Sometimes, deciding to use system libraries is an easy decision. Other times it may require you to alter the system version (e.g. for libpng-1.6.4 if used for Firefox-23.0.1). Occasionally, a package ships an old library and can no longer link to the current version, but can link to an older version. In this case, BLFS will usually just use the shipped version. Sometimes the included library is no longer developed separately, or its upstream is now the same as the package's upstream and you have no other packages which will use it. In those cases, you might decide to use the included static library even if you usually prefer to use system libraries.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/libraries
Last updated on 2013-02-11 10:51:17 -0800
This page contains information about locale related problems and issues. In the following paragraphs you'll find a generic overview of things that can come up when configuring your system for various locales. Many (but not all) existing locale related problems can be classified and fall under one of the headings below. The severity ratings below use the following criteria:
Critical: The program doesn't perform its main function. The fix would be very intrusive, it's better to search for a replacement.
High: Part of the functionality that the program provides is not usable. If that functionality is required, it's better to search for a replacement.
Low: The program works in all typical use cases, but lacks some functionality normally provided by its equivalents.
If there is a known workaround for a specific package, it will appear on that package's page. For the most recent information about locale related issues for individual packages, check the User Notes in the BLFS Wiki.
Severity: Critical
Some programs require the user to specify the character encoding for their input or output data and present only a limited choice of encodings. This is the case for the -X option in a2ps-4.14 and Enscript-1.6.6, the -input-charset option in unpatched Cdrtools, and the character sets offered for display in the menu of Links-2.7. If the required encoding is not in the list, the program usually becomes completely unusable. For non-interactive programs, it may be possible to work around this by converting the document to a supported input character set before submitting to the program.
A solution to this type of problem is to implement the necessary support for the missing encoding as a patch to the original program or to find a replacement.
Severity: High for non-text documents, low for text documents
Some programs, nano-2.3.2 or JOE-3.7 for example, assume that documents are always in the encoding implied by the current locale. While this assumption may be valid for the user-created documents, it is not safe for external ones. When this assumption fails, non-ASCII characters are displayed incorrectly, and the document may become unreadable.
If the external document is entirely text based, it can be converted to the current locale encoding using the iconv program.
For documents that are not text-based, this is not possible. In fact, the assumption made in the program may be completely invalid for documents where the Microsoft Windows operating system has set de facto standards. An example of this problem is ID3v1 tags in MP3 files (see the BLFS Wiki ID3v1Coding page for more details). For these cases, the only solution is to find a replacement program that doesn't have the issue (e.g., one that will allow you to specify the assumed document encoding).
Among BLFS packages, this problem applies to nano-2.3.2, JOE-3.7, and all media players except Audacious-3.4.1.
Another problem in this category is when someone cannot read the documents you've sent them because their operating system is set up to handle character encodings differently. This can happen often when the other person is using Microsoft Windows, which only provides one character encoding for a given country. For example, this causes problems with UTF-8 encoded TeX documents created in Linux. On Windows, most applications will assume that these documents have been created using the default Windows 8-bit encoding.
In extreme cases, Windows encoding compatibility issues may be solved only by running Windows programs under Wine.
Severity: Critical
The POSIX standard mandates that the filename encoding is the encoding implied by the current LC_CTYPE locale category. This information is well-hidden on the page which specifies the behavior of the Tar and Cpio programs. Some programs get it wrong by default (or simply don't have enough information to get it right). The result is that they create filenames which are not subsequently shown correctly by ls, or they refuse to accept filenames that ls shows properly. For the GLib-2.36.4 library, the problem can be corrected by setting the G_FILENAME_ENCODING environment variable to the special "@locale" value. Glib2 based programs that don't respect that environment variable are buggy.
Zip-3.0 and UnZip-6.0 have this problem because they hard-code the expected filename encoding. UnZip contains a hard-coded conversion table between the CP850 (DOS) and ISO-8859-1 (UNIX) encodings and uses this table when extracting archives created under DOS or Microsoft Windows. However, this assumption only works for those in the US and not for anyone using a UTF-8 locale. Non-ASCII characters will be mangled in the extracted filenames.
The general rule for avoiding this class of problems is to avoid installing broken programs. If this is impossible, the convmv command-line tool can be used to fix filenames created by these broken programs, or intentionally mangle the existing filenames to meet the broken expectations of such programs.
In other cases, a similar problem is caused by importing filenames from a system using a different locale with a tool that is not locale-aware (e.g., OpenSSH-6.3p1). In order to avoid mangling non-ASCII characters when transferring files to a system with a different locale, any of the following methods can be used:
Transfer anyway, fix the damage with convmv.
On the sending side, create a tar archive with the --format=posix switch passed to tar (this will be the default in a future version of tar).
Mail the files as attachments. Mail clients specify the encoding of attached filenames.
Write the files to a removable disk formatted with a FAT or FAT32 filesystem.
Transfer the files using Samba.
Transfer the files via FTP using an RFC2640-aware server (this currently means only wu-ftpd, which has a bad security history) and client (e.g., lftp).
The last four methods work because the filenames are automatically converted from the sender's locale to UNICODE and stored or sent in this form. They are then transparently converted from UNICODE to the recipient's locale encoding.
Severity: High or critical
Many programs were written in an older era where multibyte locales were not common. Such programs assume that C "char" data type, which is one byte, can be used to store single characters. Further, they assume that any sequence of characters is a valid string and that every character occupies a single character cell. Such assumptions completely break in UTF-8 locales. The visible manifestation is that the program truncates strings prematurely (i.e., at 80 bytes instead of 80 characters). Terminal-based programs don't place the cursor correctly on the screen, don't react to the "Backspace" key by erasing one character, and leave junk characters around when updating the screen, usually turning the screen into a complete mess.
Fixing this kind of problem is a tedious task from a programmer's point of view, like all other cases of retrofitting new concepts into an old, flawed design. In this case, one has to redesign all data structures to accommodate the fact that a complete character may span a variable number of "char"s (or switch to wchar_t and convert as needed). Also, for every call to "strlen" and similar functions, find out whether a number of bytes, a number of characters, or the width of the string was really meant. Sometimes it is faster to write a program with the same functionality from scratch.
Among BLFS packages, this problem applies to xine-ui-0.99.7 and all the shells.
Severity: Low
LFS expects that manual pages are in the language-specific (usually 8-bit) encoding, as specified on the LFS Man DB page. However, some packages install translated manual pages in UTF-8 encoding (e.g., Shadow, already dealt with), or manual pages in languages not in the table. Not all BLFS packages have been audited for conformance with the requirements put in LFS (the large majority have been checked, and fixes placed in the book for packages known to install non-conforming manual pages). If you find a manual page installed by any of the BLFS packages that is obviously in the wrong encoding, please remove or convert it as needed, and report this to the BLFS team as a bug.
You can easily check your system for any non-conforming manual pages by copying the following short shell script to some accessible location,
#!/bin/sh
# Begin checkman.sh
# Usage: find /usr/share/man -type f -print0 | xargs -0 checkman.sh
for a in "$@"
do
    # echo "Checking $a..."
    # Compressed pages are decompressed first; -f lets gzip pass plain files
    # through unchanged. Pages compressed with bzip2 or xz need the matching
    # decompressor here, otherwise they are never really checked.
    # Pure-ASCII manual page (possibly except comments) is OK
    gzip -cdf "$a" | grep -v '.\\"' | iconv -f US-ASCII -t US-ASCII >/dev/null 2>&1 \
        && continue
    # Non-UTF-8 manual page is OK
    gzip -cdf "$a" | iconv -f UTF-8 -t UTF-8 >/dev/null 2>&1 || continue
    # Found a UTF-8 manual page, bad.
    echo "UTF-8 manual page: $a" >&2
done
# End checkman.sh
and then issuing the following command (modify the command below if the checkman.sh script is not in your PATH environment variable; the null-separated form keeps file names containing spaces intact):
find /usr/share/man -type f -print0 | xargs -0 checkman.sh
Note that if you have manual pages installed in any location other than /usr/share/man (e.g., /usr/local/share/man), you must modify the above command to include this additional location.
Last updated on 2013-02-11 10:51:17 -0800
The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.
When you want to install a package to a location other than / or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.
Expand the PATH to include $PREFIX/bin.
Expand the PATH for root to include $PREFIX/sbin.
Add $PREFIX/lib to /etc/ld.so.conf or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out http://xahlee.org/UnixResource_dir/_/ldpath.html. If you modify /etc/ld.so.conf, remember to update /etc/ld.so.cache by executing ldconfig as the root user.
Add $PREFIX/man to /etc/man_db.conf or expand MANPATH.
Add $PREFIX/info to INFOPATH.
Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH. Some packages are now installing .pc files in $PREFIX/share/pkgconfig, so you may have to include this directory also.
Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.
Add $PREFIX/lib to LDFLAGS when compiling packages that depend on a library installed by the package.
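The settings above can be applied from one shell function, with two checks worth having when the prefix is outside the system directories: a directory is never added twice, and a directory that every user can write to is refused, because a world-writable entry on PATH or LD_LIBRARY_PATH lets any local user plant a program or library that you, or root, will end up running. This is an added example, not from the BLFS book; path_add, flag_add, ldso_dropin and prefix_env are names chosen here. The ld.so.conf.d directory is passed as a parameter so that the function can be tried on a scratch directory; on a real system it is /etc/ld.so.conf.d, followed by ldconfig as root. MANPATH and INFOPATH are not handled and follow the /etc/man_db.conf and INFOPATH entries in the list above.

```bash
#!/bin/bash
# Added example (not from the BLFS book): make a package installed under
# $PREFIX visible to the shell, pkg-config, the compiler and the dynamic
# loader, without duplicate entries, missing directories, or world-writable
# directories on a search path.

# path_add VAR DIR: prepend DIR to the colon-separated list held in VAR.
# Returns 1 (VAR unchanged) if DIR is missing, already listed, or writable
# by everyone.
path_add() {
    local var=$1 dir=$2 cur=${!1}
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -perm -002)" ] && return 1
    case ":$cur:" in *":$dir:"*) return 1 ;; esac
    printf -v "$var" '%s' "$dir${cur:+:$cur}"
}

# flag_add VAR FLAG: add a compiler or linker flag once, e.g. -I$PREFIX/include.
flag_add() {
    local var=$1 flag=$2 cur=${!1}
    case " $cur " in *" $flag "*) return 1 ;; esac
    printf -v "$var" '%s' "$flag${cur:+ $cur}"
}

# ldso_dropin PREFIX CONFDIR: write CONFDIR/<prefix name>.conf listing the
# library directories under PREFIX for ld.so, and print its path.  On a real
# system CONFDIR is /etc/ld.so.conf.d and ldconfig must be run afterwards as
# root.  This is preferable to LD_LIBRARY_PATH, which redirects library
# lookup for every program the user runs.
ldso_dropin() {
    local prefix=$1 confdir=$2 out d
    out=$confdir/${prefix##*/}.conf
    : > "$out" || return 1
    for d in "$prefix/lib" "$prefix/lib64"; do
        [ -d "$d" ] && echo "$d" >> "$out"
    done
    echo "$out"
}

# prefix_env PREFIX: apply the settings from the list above for a package
# installed under PREFIX.  $PREFIX/sbin is only added for root.
prefix_env() {
    local p=$1
    path_add PATH "$p/bin" || :
    [ "$(id -u)" -eq 0 ] && { path_add PATH "$p/sbin" || :; }
    path_add PKG_CONFIG_PATH "$p/lib/pkgconfig" || :
    path_add PKG_CONFIG_PATH "$p/share/pkgconfig" || :   # newer packages use this
    flag_add CPPFLAGS "-I$p/include" || :
    flag_add LDFLAGS "-L$p/lib" || :
    export PATH PKG_CONFIG_PATH CPPFLAGS LDFLAGS
}
```

Source a file containing these functions and call prefix_env /opt/package from your shell startup files, or from the build script of each package that depends on it; the exports only affect that shell, which is why the loader path goes through ld.so.conf.d rather than LD_LIBRARY_PATH.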
If you are in search of a package that is not in the book, the following are different ways you can search for the desired package.
If you know the name of the package, then search Freecode for it at http://freecode.com/. Also search Google at http://google.com/. Sometimes a search for the rpm at http://rpmfind.net/ or the deb at http://www.debian.org/distrib/packages#search_packages can also lead to a link to the package.
If you know the name of the executable, but not the package that the executable belongs to, first try a Google search with the name of the executable. If the results are overwhelming, try searching for the given executable in the Debian repository at http://www.debian.org/distrib/packages#search_contents.
Some general hints on handling new packages:
Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.
Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.
If you are having a problem compiling the package, try searching the LFS archives at http://www.linuxfromscratch.org/search.html for the error or if that fails, try searching Google. Often, a distribution will have already solved the problem (many of them use development versions of packages, so they see the changes sooner than those of us who normally use stable released versions). But be cautious - all builders tend to carry patches which are no longer necessary, and to have fixes which are only required because of their particular choices in how they build a package. You may have to search deeply to find a fix for the package version you are trying to use, or even to find the package (names are sometimes not what you might expect, e.g. ghostscript often has a prefix or a suffix in its name), but the following notes might help:
Arch http://www.archlinux.org/packages/ - enter the package name in the 'Keywords' box, select the package name, select one of the 'SVN Entries' fields, then select the PKGBUILD to see how they build this package, or look at any patches.
Debian ftp://ftp.uk.debian.org/debian/pool (use your country's version if there is one) - the source will be in .tar.gz tarballs (either the original upstream .orig source, or else a dfsg containing those parts which comply with debian's free software guidelines) accompanied by versioned .diff.gz or .tar.gz additions. These additions often show how the package is built, and may contain patches. In the .diff.gz versions, any patches create files in debian/patches.
Fedora http://pkgs.fedoraproject.org/cgit/ - this site is still occasionally overloaded, but it is an easy way of looking at .spec files and patches. If you know their name for the package (e.g. mesa.git) you can append that to the URI to get to it. If not, use the search box. If the site is unavailable, try looking for a local mirror of ftp.fedora.com (the primary site is usually unavailable if fedora cgit is not responding) and download a source rpm to see what they do.
Gentoo - the mirrors for ebuilds and patches seem to be well-hidden, and they change frequently. Also, if you have found a mirror, you need to know which directory the application has been assigned to. The ebuilds themselves can be found at http://packages.gentoo.org/ - use the search field. If there are any patches, a mirror will have them in the files/ directory. Depending on your browser, or the mirror, you might need to download the ebuild to be able to read it. Treat the ebuild as a sort of pseudo-code / shell combination - look in particular for sed commands and patches, or hazard a guess at the meanings of the functions such as dodoc.
openSUSE http://download.opensuse.org/factory/repo/src-oss/suse/src/ - source only seems to be available in source rpms.
Slackware - the official package browser is currently broken. The site at http://slackbuilds.org/ has current and previous versions in their unofficial repository with links to homepages, downloads, and some individual files, particularly the .SlackBuild files.
Ubuntu ftp://ftp.ubuntu.com/ubuntu/pool/ - see the debian notes above.
If everything else fails, try the blfs-support mailing-list.
If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz, that are available at http://downloads.linuxfromscratch.org/deb2targz.tar.bz2 and http://downloads.linuxfromscratch.org/rpm2targz.tar.bz2 to convert the archives into a simple tar.gz format.
You may also find an rpm2cpio script useful. The Perl version in the linux kernel archives at http://lkml.indiana.edu/hypermail/linux/kernel/0210.2/att-0093/01-rpm2cpio works for most source rpms. The rpm2targz script will use an rpm2cpio script or binary if one is on your path. Note that rpm2cpio will unpack a source rpm in the current directory, giving a tarball, a spec file, and perhaps patches or other files.
Last updated on 2013-08-26 08:43:33 -0700
The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.
Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.
The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Then the system is configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.
The remaining topics, Customizing your Logon with /etc/issue, The /etc/shells File, Random number generation, Compressing man and info pages, Autofs-5.0.7, and Configuring for Network Filesystems are then addressed, in that order. They don't have much interaction with the other topics in this chapter.
This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevents it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.
In a modern system, there are many devices that can be used as a rescue device: floppy, cdrom, usb drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, a rescue device was thought to be a floppy disk. Today, many systems do not even have a floppy drive.
Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.
The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at http://www.toms.net/rb/. This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.
There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Mandrake, and SuSE. One very popular option is Knoppix.
Also, the LFS Community has developed its own LiveCD available at http://www.linuxfromscratch.org/livecd/. This LiveCD is no longer capable of building an entire LFS/BLFS system, but is still a good rescue CD-ROM. If you download the ISO image, use xorriso to copy the image to a CD-ROM.
The instructions for using GRUB2 to make a custom rescue CD-ROM are also available in LFS Chapter 8.
A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/CreatingaCustomBootDevice
Last updated on 2013-02-11 10:51:17 -0800
Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.
The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.
The useradd program uses a collection of default values kept in /etc/default/useradd. This file is created in a base LFS installation by the Shadow package. If it has been removed or renamed, the useradd program uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.
To change these values, simply modify the /etc/default/useradd file as the root user. An alternative to directly modifying the file is to run useradd as the root user while supplying the desired modifications on the command line. Information on how to do this can be found in the useradd man page.
To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.
The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".
You can also put other files in /etc/skel and different permissions may be needed for them.
Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.
The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.
You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just send the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.
When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):
useradd -m <newuser>
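The permission rules above (directory writable only by its owner, skeleton files unreadable by group and other) are easy to get wrong when files are copied in later. The following script is an added example and not part of the BLFS book: it creates a skeleton directory the way this section asks for, adds files at mode 0600, and audits the tree for anything group- or world-accessible. The directory is a parameter so it can be exercised on a scratch directory rather than /etc/skel; the chown to root is only attempted when running as root, and GNU coreutils (stat -c) is assumed.

```bash
#!/bin/bash
# Added example, not from the BLFS book: build a skeleton directory with the
# permissions this section asks for, then audit it. The directory is a
# parameter so the functions can be exercised on a scratch directory instead
# of /etc/skel; the chown to root only happens when run as root. Assumes GNU
# coreutils (stat -c).

# Create the skeleton directory, writable only by its owner.
make_skel() {
    local skel=$1
    mkdir -p "$skel" || return 1
    chmod 0755 "$skel" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$skel" || return 1
    fi
}

# Add an (initially empty) dotfile with the mode this section prescribes:
# owner read/write only. Group and other get nothing, because the user's
# copy will later hold whatever they put in their own shell settings.
add_skel_file() {
    local skel=$1 name=$2
    : > "$skel/$name" && chmod 0600 "$skel/$name"
}

# List regular files under the skeleton that grant any access to group or
# other. Prints "<mode> <path>" per offender; prints nothing when clean.
audit_skel() {
    local f mode
    find "$1" -type f | while IFS= read -r f; do
        mode=$(stat -L -c '%a' "$f")
        case $mode in
            0|*00) ;;                      # no group or other bits set
            *) printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Constructed walk-through on a temporary directory: two files created the
# prescribed way and one deliberately left at 0644, the kind of mistake a
# plain "cp" into /etc/skel produces. Echoes the number of offenders the
# audit finds (expected: 1).
skel_demo() {
    local d n
    d=$(mktemp -d) || return 1
    make_skel "$d"
    add_skel_file "$d" .bash_profile
    add_skel_file "$d" .bashrc
    : > "$d/.inputrc" && chmod 0644 "$d/.inputrc"
    n=$(audit_skel "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$n"
}
```

Run audit_skel /etc/skel after populating the directory; an empty result means every file matches the rule given above, and each printed line is a file whose copy in a new home directory would start out readable by other users.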
Last updated on 2007-10-16 06:49:09 -0700
Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.
Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 1000. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.
Additionally, the Linux Standard Base recommends that system uid and gid values should be below 100.
Below is a table of suggested uid/gid values used in BLFS beyond those defined in a base LFS installation. These can be changed as desired, but provide a suggested set of consistent values.
Table 3.1. UID/GID Suggested Values
Name | uid | gid |
---|---|---|
bin | 1 | |
lp | 9 | |
adm | 16 | |
atd | 17 | 17 |
messagebus | 18 | 18 |
lpadmin | 19 | |
named | 20 | 20 |
gdm | 21 | 21 |
fcron | 22 | 22 |
systemd-journal | 23 | |
apache | 25 | 25 |
smmsp | 26 | 26 |
polkitd | 27 | 27 |
exim | 31 | 31 |
postfix | 32 | 32 |
postdrop | 33 | |
sendmail | 34 | 34 |
vmailman | 35 | 35 |
news | 36 | 36 |
kdm | 37 | 37 |
mysql | 40 | 40 |
postgres | 41 | 41 |
ftp | 45 | 45 |
proftpd | 46 | 46 |
vsftpd | 47 | 47 |
rsyncd | 48 | 48 |
sshd | 50 | 50 |
stunnel | 51 | 51 |
svn | 56 | 56 |
svntest | 57 | |
pulse | 58 | 58 |
pulse-access | 59 | |
games | 60 | 60 |
kvm | 61 | |
wireshark | 62 | |
scanner | 70 | |
colord | 71 | 71 |
ldap | 83 | 83 |
avahi | 84 | 84 |
avahi-autoipd | 85 | 85 |
netdev | 86 | |
ntp | 87 | 87 |
unbound | 88 | 88 |
anonymous | 98 | |
nobody | 99 | |
nogroup | | 99 |
One value that is missing is 65534. This value is customarily assigned to the user nobody and group nogroup and is unnecessary.
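Once a number of packages from the table above have added their accounts, it is worth checking the result against the UID_MIN cutoff described in this section. The script below is an added example, not part of the BLFS book: it reads UID_MIN from a login.defs file, classifies every passwd entry as a system or regular account, and reports two things that should never appear on a freshly built system, a uid shared by two accounts and any account other than root with uid 0 (such an account has full root privileges regardless of its name). Both files are parameters; the demo runs on constructed input, and on a real system you would pass /etc/passwd and /etc/login.defs.

```bash
#!/bin/bash
# Added example, not from the BLFS book: classify the accounts in a passwd file
# against the UID_MIN cutoff from login.defs, and flag a uid shared by two
# accounts and any account besides root that has uid 0. Both files are
# parameters so the sample below runs on constructed input; on a real system
# pass /etc/passwd and /etc/login.defs.

# UID_MIN from login.defs, or the default of 1000 if the file does not set it.
uid_min() {
    local v
    v=$(awk '$1 == "UID_MIN" { print $2 }' "$1")
    printf '%s\n' "${v:-1000}"
}

# One line per finding:
#   EXTRA_UID0 <name>      a second uid-0 account
#   DUP_UID <uid> <name>   uid already used by an earlier entry
#   SYSTEM <name> <uid>    uid below UID_MIN (daemon/service account)
#   REGULAR <name> <uid>   uid at or above UID_MIN (ordinary user)
check_passwd() {
    local passwd=$1 min
    min=$(uid_min "$2")
    awk -F: -v min="$min" '
        /^[[:space:]]*$/ { next }
        {
            name = $1; uid = $3 + 0
            if (uid == 0 && name != "root") print "EXTRA_UID0", name
            if (uid in seen)               print "DUP_UID", uid, name
            seen[uid] = name
            if (uid < min) print "SYSTEM", name, uid
            else           print "REGULAR", name, uid
        }' "$passwd"
}

# Constructed sample (not a real system): root, a few of the system accounts
# from the table above, one ordinary user, and a second uid-0 account that
# the check must report.
passwd_demo() {
    local p l
    p=$(mktemp) && l=$(mktemp) || return 1
    cat > "$p" << 'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
messagebus:x:18:18:D-Bus Message Daemon User:/var/run/dbus:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
EOF
    printf 'UID_MIN 1000\nGID_MIN 1000\n' > "$l"
    check_passwd "$p" "$l"
    rm -f "$p" "$l"
}
```

The SYSTEM and REGULAR lines are informational; EXTRA_UID0 and DUP_UID lines always deserve a look, since useradd will not create them by accident when the cutoff values in /etc/login.defs are left alone.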
Last updated on 2013-07-21 16:16:47 -0700
Although most devices needed by packages in BLFS and beyond are set up properly by udev using the default rules installed by LFS in /etc/udev/rules.d, there are cases where the rules must be modified or augmented.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/aboutdevices
If there are multiple sound cards in a system, the "default" sound card becomes random. The method to establish sound card order depends on whether the drivers are modules or not. If the sound card drivers are compiled into the kernel, control is via kernel command line parameters in /boot/grub/grub.cfg. For example, if a system has both an FM801 card and a SoundBlaster PCI card, the following can be appended to the command line:
snd-fm801.index=0 snd-ens1371.index=1
If the sound card drivers are built as modules, the order can be established in the /etc/modprobe.conf file with:
options snd-fm801 index=0
options snd-ens1371 index=1
USB devices usually have two kinds of device nodes associated with them.
The first kind is created by device-specific drivers (e.g., usb_storage/sd_mod or usblp) in the kernel. For example, a USB mass storage device would be /dev/sdb, and a USB printer would be /dev/usb/lp0. These device nodes exist only when the device-specific driver is loaded.
The second kind of device nodes (/dev/bus/usb/BBB/DDD, where BBB is the bus number and DDD is the device number) are created even if the device doesn't have a kernel driver. By using these "raw" USB device nodes, an application can exchange arbitrary USB packets with the device, i.e., bypass the possibly-existing kernel driver.
Access to raw USB device nodes is needed when a userspace program is acting as a device driver. However, for the program to open the device successfully, the permissions have to be set correctly. By default, due to security concerns, all raw USB devices are owned by user root and group usb, and have 0664 permissions (the read access is needed, e.g., for lsusb to work and for programs to access USB hubs). Packages (such as SANE and libgphoto2) containing userspace USB device drivers also ship udev rules that change the permissions of the controlled raw USB devices. That is, rules installed by SANE change permissions for known scanners, but not printers. If a package maintainer forgot to write a rule for your device, report a bug to both BLFS (if the package is there) and upstream, and you will need to write your own rule.
There is one situation when such fine-grained access control with pre-generated udev rules doesn't work. Namely, PC emulators such as KVM, QEMU and VirtualBox use raw USB device nodes to present arbitrary USB devices to the guest operating system (note: patches are needed in order to get this to work without the obsolete /proc/bus/usb mount point described below). Obviously, maintainers of these packages cannot know which USB devices are going to be connected to the guest operating system. You can either write separate udev rules for all needed USB devices yourself, or use the default catch-all "usb" group, members of which can send arbitrary commands to all USB devices.
Before Linux-2.6.15, raw USB device access was performed not with /dev/bus/usb/BBB/DDD device nodes, but with /proc/bus/usb/BBB/DDD pseudofiles. Some applications (e.g., VMware Workstation) still use only this deprecated technique and can't use the new device nodes. For them to work, use the "usb" group, but remember that members will have unrestricted access to all USB devices. To create the fstab entry for the obsolete usbfs filesystem:
usbfs /proc/bus/usb usbfs devgid=14,devmode=0660 0 0
Adding users to the "usb" group is inherently insecure, as they can bypass access restrictions imposed through the driver-specific USB device nodes. For instance, they can read sensitive data from USB hard drives without being in the "disk" group. Avoid adding users to this group, if you can.
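Two checks follow from the access model described above. The first looks through udev rule files for rules that grant every user write access to USB devices (a MODE whose "other" digit has the write bit), which undoes the per-device rules packages such as SANE install. The second lists raw device nodes whose mode is wider than the root:usb 0664 default given in the text, that is, anything world-writable. This is an added example and not code from the BLFS book or from udev; both functions take a directory parameter so the demo runs on a constructed tree, and on a real system you would pass /etc/udev/rules.d (or /lib/udev/rules.d) and /dev/bus/usb. GNU grep and coreutils are assumed.

```bash
#!/bin/bash
# Added example, not from the BLFS book: two checks for the USB access model
# this section describes. Directories are parameters so the demo runs on a
# constructed tree; use /etc/udev/rules.d and /dev/bus/usb on a real system.
# Assumes GNU grep and coreutils (stat -c).

# Rules that match the usb subsystem and assign a MODE whose last octal digit
# has the write bit (2, 3, 6 or 7). Output: "<file>:<line>:<rule>".
audit_usb_rules() {
    grep -n 'SUBSYSTEMS\{0,1\}=="usb' "$1"/*.rules 2>/dev/null |
        grep -E 'MODE:?="0?[0-7]{2}[2367]"' || true
}

# Nodes (character devices, or regular files standing in for them in the
# demo) that are writable by "other". Output: "<mode> <owner>:<group> <path>".
audit_usb_nodes() {
    local f mode
    find "$1" \( -type c -o -type f \) | while IFS= read -r f; do
        mode=$(stat -L -c '%a' "$f")
        case ${mode#${mode%?}} in
            [2367]) printf '%s %s %s\n' "$mode" "$(stat -L -c '%U:%G' "$f")" "$f" ;;
        esac
    done
}

# Constructed demo: a rule file with the scanner rule from this page next to a
# catch-all that opens every USB device, and two stand-in nodes, one at the
# default 0664 and one at 0666. Echoes "<bad rules> <bad nodes>" (expected 1 1).
usb_audit_demo() {
    local d rules nodes
    d=$(mktemp -d) || return 1
    mkdir -p "$d/rules.d" "$d/bus/001"
    cat > "$d/rules.d/99-local.rules" << 'EOF'
SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8", SYSFS{idProduct}=="4002", GROUP:="scanner", MODE:="0660"
SUBSYSTEM=="usb", MODE:="0666"
EOF
    : > "$d/bus/001/001" && chmod 0664 "$d/bus/001/001"
    : > "$d/bus/001/002" && chmod 0666 "$d/bus/001/002"
    rules=$(audit_usb_rules "$d/rules.d" | wc -l | tr -d ' ')
    nodes=$(audit_usb_nodes "$d/bus" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$rules $nodes"
}
```

A rule reported by audit_usb_rules is the udev equivalent of putting everyone in the "usb" group; replace it with a rule that names the vendor and product, as in the scanner rule shown below, and a GROUP for the users who actually need the device.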
Fine-tuning of device attributes such as group name and permissions is possible by creating extra udev rules, matching on something like this. The vendor and product can be found by searching the /sys/devices directory entries or using udevadm info after the device has been attached. See the documentation in the current udev directory of /usr/share/doc for details.
SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8", SYSFS{idProduct}=="4002", \
GROUP:="scanner", MODE:="0660"
The above line is used for descriptive purposes only. The scanner udev rules are put into place when installing SANE-1.0.23.
In some cases, it makes sense to disable udev completely and create static devices. Servers are one example of this situation. Does a server need the capability of handling dynamic devices? Only the system administrator can answer that question, but in many cases the answer will be no.
If dynamic devices are not desired, then static devices must be created on the system. In the default configuration, the /etc/rc.d/rcS.d/S10udev boot script mounts a tmpfs partition over the /dev directory. This problem can be overcome by mounting the root partition temporarily:
If the instructions below are not followed carefully, your system could become unbootable.
mount --bind / /mnt
cp -a /dev/* /mnt/dev
rm /etc/rc.d/rcS.d/{S10udev,S50udev_retry}
umount /mnt
At this point, the system will use static devices upon the next reboot. Create any desired additional devices using mknod.
If you want to restore the dynamic devices, recreate the /etc/rc.d/rcS.d/{S10udev,S50udev_retry} symbolic links and reboot again. Static devices do not need to be removed (console and null are always needed) because they are covered by the tmpfs partition. Disk usage for devices is negligible (about 20–30 bytes per entry.)
Last updated on 2012-03-13 11:19:34 -0700
The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.
An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile upon startup.
An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$ /bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.
A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.
The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.
Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.
For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.
Most of the instructions below are used to create files located in the /etc directory structure which requires you to execute the commands as the root user. If you elect to create the files in user's home directories instead, you should run the commands as an unprivileged user.
Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.
For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.
cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# modifications by Dagmar d'Surreal <rivyqntzne@pbzpnfg.arg>
# System wide environment variables and startup programs.
# System wide aliases and functions should go in /etc/bashrc. Personal
# environment variables and startup programs should go into
# ~/.bash_profile. Personal aliases and functions should go into
# ~/.bashrc.
# Functions to help us manage paths. Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
    local IFS=':'
    local NEWPATH
    local DIR
    local PATHVARIABLE=${2:-PATH}
    for DIR in ${!PATHVARIABLE} ; do
        if [ "$DIR" != "$1" ] ; then
            NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
        fi
    done
    export $PATHVARIABLE="$NEWPATH"
}
pathprepend () {
    pathremove $1 $2
    local PATHVARIABLE=${2:-PATH}
    export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}
pathappend () {
    pathremove $1 $2
    local PATHVARIABLE=${2:-PATH}
    export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}
# Set the initial path
export PATH=/bin:/usr/bin
if [ $EUID -eq 0 ] ; then
    pathappend /sbin:/usr/sbin
    unset HISTFILE
fi
# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"
# Setup a red prompt for root and a green one for users.
NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
    PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
    PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi
for script in /etc/profile.d/*.sh ; do
    if [ -r $script ] ; then
        . $script
    fi
done
# Now to clean up
unset pathremove pathprepend pathappend
# End /etc/profile
EOF
Now create the /etc/profile.d directory, where the individual initialization scripts are placed:
install --directory --mode=0755 --owner=root --group=root /etc/profile.d
This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.
cat > /etc/profile.d/dircolors.sh << "EOF"
# Setup for /bin/ls to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
    eval $(dircolors -b /etc/dircolors)
    if [ -f "$HOME/.dircolors" ] ; then
        eval $(dircolors -b $HOME/.dircolors)
    fi
fi
alias ls='ls --color=auto'
EOF
This script adds several useful paths to the PATH and PKG_CONFIG_PATH environment variables. If you want, you can uncomment the last section to put a dot at the end of your path. This will allow executables in the current working directory to be executed without specifying a ./, however you are warned that this is generally considered a security hazard.
cat > /etc/profile.d/extrapaths.sh << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
    pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
    pathprepend /usr/local/bin
fi
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
    pathprepend /usr/local/sbin
fi
if [ -d ~/bin ]; then
    pathprepend ~/bin
fi
#if [ $EUID -gt 99 ]; then
#    pathappend .
#fi
EOF
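The hazard mentioned above is not limited to an explicit dot: an empty element in PATH ("::", or a leading or trailing ":") also means the current directory, and a world-writable directory on the path lets any local user plant a program that is found before the real one. The script below is an added example, not part of the BLFS book or of the /etc/profile shown above: path_check reports each such element in a PATH value, and path_strip_cwd returns the hardened value with the offending elements dropped. Run it on a live value with path_check "$PATH"; GNU coreutils (stat -c) is assumed.

```bash
#!/bin/bash
# Added example, not from the BLFS book: check a PATH value for the hazard the
# text warns about ("." or an empty element, a relative directory, or a
# directory other users can write to), and produce a cleaned value.
# Assumes GNU coreutils (stat -c).

# One finding per line, nothing when the value is clean:
#   CWD <n>             element n is "." or empty (the current directory)
#   RELATIVE <n> <dir>  element n is not an absolute path
#   WRITABLE <n> <dir>  existing directory that other users can write to
path_check() {
    local rest="$1:" dir n=0 other
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        n=$((n + 1))
        case $dir in
            ''|.)  printf 'CWD %s\n' "$n" ;;
            /*)
                if [ -d "$dir" ]; then
                    other=$(stat -L -c '%a' "$dir"); other=${other#${other%?}}
                    case $other in
                        [2367]) printf 'WRITABLE %s %s\n' "$n" "$dir" ;;
                    esac
                fi ;;
            *)     printf 'RELATIVE %s %s\n' "$n" "$dir" ;;
        esac
    done
}

# The hardened value: the same path with every current-directory and relative
# element dropped, in the original order. Use as PATH=$(path_strip_cwd "$PATH").
path_strip_cwd() {
    local rest="$1:" dir out=
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case $dir in
            /*) out=${out:+$out:}$dir ;;
        esac
    done
    printf '%s\n' "$out"
}
```

A world-writable directory is reported even when it carries the sticky bit (/tmp, for instance): the sticky bit stops users from deleting each other's files, not from adding new ones, so such a directory still has no place on a search path.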
This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.
cat > /etc/profile.d/readline.sh << "EOF"
# Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
    INPUTRC=/etc/inputrc
fi
export INPUTRC
EOF
Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.
cat > /etc/profile.d/umask.sh << "EOF"
# By default, the umask should be set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
    umask 002
else
    umask 022
fi
EOF
This script sets an environment variable necessary for native language support. A full discussion on determining this variable can be found on the LFS Bash Shell Startup Files page.
cat > /etc/profile.d/i18n.sh << "EOF"
# Set up i18n variables
export LANG=<ll>_<CC>.<charmap><@modifiers>
EOF
Here is a base /etc/bashrc. Comments in the file should explain everything you need.
cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>
# System wide aliases and functions.
# System wide environment variables and startup programs should go into
# /etc/profile. Personal environment variables and startup programs
# should go into ~/.bash_profile. Personal aliases and functions should
# go into ~/.bashrc
# Provides a colored /bin/ls command. Used in conjunction with code in
# /etc/profile.
alias ls='ls --color=auto'
# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]
NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
    PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
    PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi
# End /etc/bashrc
EOF
Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.
cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>
# Personal environment variables and startup programs.
# Personal aliases and functions should go in ~/.bashrc. System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.
append () {
    # First remove the directory
    local IFS=':'
    local NEWPATH
    for DIR in $PATH; do
        if [ "$DIR" != "$1" ]; then
            NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
        fi
    done
    # Then append the directory
    export PATH=$NEWPATH:$1
}
if [ -f "$HOME/.bashrc" ] ; then
    source $HOME/.bashrc
fi
if [ -d "$HOME/bin" ] ; then
    append $HOME/bin
fi
unset append
# End ~/.bash_profile
EOF
Here is a base ~/.bashrc. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.
cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# Personal aliases and functions.
# Personal environment variables and startup programs should go in
# ~/.bash_profile. System wide environment variables and startup
# programs are in /etc/profile. System wide aliases and functions are
# in /etc/bashrc.
if [ -f "/etc/bashrc" ] ; then
    source /etc/bashrc
fi
# End ~/.bashrc
EOF
This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.
cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# Personal items to perform on logout.
# End ~/.bash_logout
EOF
If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above also can be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and assure the permissions, owner, and group are correct on the files created and/or copied.
dircolors -p > /etc/dircolors
If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.
Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at http://www.caliban.org/bash/index.shtml.
Last updated on 2012-12-19 11:57:20 -0800
The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!
The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads the global configuration file (/etc/vimrc) as well as a user-specific file (~/.vimrc). Either or both can be tailored to suit the needs of your particular system.
Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.
" Begin .vimrc
set columns=80
set wrapmargin=8
set ruler
" End .vimrc
Note that the comment tags are " instead of the more usual # or //. This is correct, the syntax for vimrc is slightly unusual.
Below you'll find a quick explanation of what each of the options in this example file means:
set columns=80: This simply sets the number of columns used on the screen.
set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.
set ruler: This makes vim show the current row and column at the bottom right of the screen.
More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.
Last updated on 2007-10-16 06:02:24 -0700
When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.
The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file issue.net which can be used when logging on remotely. ssh, however, will only use it if you set the option in the configuration file and will not interpret the escape sequences shown below.
One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.
Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC [ 2 J erases the screen. For more information on terminal escape sequences see http://rtfm.etla.org/xterm/ctlseq.html
The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.
The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).
b Insert the baudrate of the current line.
d Insert the current date.
s Insert the system name, the name of the operating system.
l Insert the name of the current tty line.
m Insert the architecture identifier of the machine, e.g., i686.
n Insert the nodename of the machine, also known as the hostname.
o Insert the domainname of the machine.
r Insert the release number of the kernel, e.g., 2.6.11.12.
t Insert the current time.
u Insert the number of current users logged in.
U Insert the string "1 user" or "<n> users" where <n> is the number of current users logged in.
v Insert the version of the OS, e.g., the build-date etc.
Last updated on 2007-04-04 12:42:53 -0700
The shells file contains a list of login shells on the system. Applications use this file to determine whether a shell is valid. For each shell a single line should be present, consisting of the shell's path, relative to the root of the directory structure (/).
For example, this file is consulted by chsh to determine whether an unprivileged user may change the login shell for her own account. If the command name is not listed, the user will be denied the change.
It is a requirement for applications such as GDM, which does not populate the face browser if it can't find /etc/shells, or FTP daemons, which traditionally disallow access to users with shells not included in this file.
cat > /etc/shells << "EOF"
# Begin /etc/shells
/bin/sh
/bin/bash
# End /etc/shells
EOF
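Because chsh lets an unprivileged user pick any entry from this file, its contents deserve the same care as the file's existence. The script below is an added example, not part of the BLFS book: check_shells validates a shells file (each entry absolute, existing, executable, listed once, and not writable by anyone but its owner), and shell_listed performs the lookup chsh and the FTP daemons mentioned above rely on. The file is a parameter so the demo runs on a constructed copy; pass /etc/shells for a real check. GNU coreutils (stat -c) is assumed.

```bash
#!/bin/bash
# Added example, not from the BLFS book: validate a shells file, and look a
# shell up in it the way chsh does. The file is a parameter so the demo can
# run on a constructed copy; pass /etc/shells for a real check.
# Assumes GNU coreutils (stat -c).

# One finding per line, nothing when the file is clean:
#   DUPLICATE <entry>
#   RELATIVE <entry>          not an absolute path
#   MISSING <entry>           does not exist or is not executable
#   WRITABLE <mode> <entry>   group- or world-writable
check_shells() {
    local entry mode seen=:
    # Comment and blank lines are skipped by the readers of this file.
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r entry; do
        case $seen in
            *:"$entry":*) printf 'DUPLICATE %s\n' "$entry"; continue ;;
        esac
        seen=$seen$entry:
        case $entry in
            /*) ;;
            *)  printf 'RELATIVE %s\n' "$entry"; continue ;;
        esac
        if [ ! -x "$entry" ]; then
            printf 'MISSING %s\n' "$entry"; continue
        fi
        mode=$(stat -L -c '%a' "$entry")
        case ${mode#${mode%??}} in
            [2367]?|?[2367]) printf 'WRITABLE %s %s\n' "$mode" "$entry" ;;
        esac
    done
}

# What chsh does before accepting a new login shell: exit 0 if it is listed.
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qxF -- "$1"
}

# Constructed file: the book's two entries plus a duplicate, a relative name,
# a shell that does not exist, and a world-writable file posing as a shell.
shells_demo() {
    local d
    d=$(mktemp -d) || return 1
    : > "$d/wshell" && chmod 0777 "$d/wshell"
    cat > "$d/shells" << EOF
# Begin /etc/shells
/bin/sh
/bin/bash
/bin/sh
bash
/nonexistent/zsh
$d/wshell
# End /etc/shells
EOF
    check_shells "$d/shells"
    rm -rf "$d"
}
```

A WRITABLE entry is the one to act on first: any user who can modify a listed shell can change what every account using it runs at login.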
Last updated on 2007-04-04 12:42:53 -0700
The Linux kernel supplies a random number generator which is accessed through /dev/random and /dev/urandom. Programs that utilize the random and urandom devices, such as OpenSSH, will benefit from these instructions.
When a Linux system starts up without much operator interaction, the entropy pool (data used to compute a random number) may be in a fairly predictable state. This creates the real possibility that the number generated at startup may always be the same. In order to counteract this effect, you should carry the entropy pool information across your shut-downs and start-ups.
Install the /etc/rc.d/init.d/random init script included with the blfs-bootscripts-20130908 package.
make install-random
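The two halves of carrying the entropy pool across a reboot, as an added example that is not the blfs-bootscripts random script installed by the command above: at shutdown a seed is read from /dev/urandom into a file only root can read, and at boot that file is written back into the pool and immediately replaced, so one seed is never fed twice. The seed path is a parameter (the bootscripts keep their own location), and the pool device is one too so that restore_seed can be exercised against a scratch file; GNU coreutils (dd, stat -c) is assumed.

```bash
#!/bin/bash
# Added example, not the blfs-bootscripts random script: save and restore an
# entropy seed across reboots. Seed path and pool device are parameters so the
# functions can be exercised on scratch files. Assumes GNU coreutils.

SEED_BYTES=512

# Write a fresh seed to $1. The file is created under umask 077 and renamed
# into place, so a crash cannot leave a truncated or world-readable seed.
save_seed() {
    local seed=$1
    ( umask 077 && dd if=/dev/urandom of="$seed.tmp" bs=$SEED_BYTES count=1 2>/dev/null ) || return 1
    mv -f "$seed.tmp" "$seed"
}

# Feed the saved seed in $1 into the pool ($2, default /dev/urandom), then
# overwrite the file with a new seed so a reboot without a clean shutdown
# does not reuse it. Writing to the device mixes the data into the pool
# without crediting entropy; that is the behaviour the kernel provides.
restore_seed() {
    local seed=$1 pool=${2:-/dev/urandom}
    [ -f "$seed" ] || return 1
    cat "$seed" > "$pool" || return 1
    save_seed "$seed"
}

# What to verify after a shutdown: the seed has the full size and only the
# owner can read it. Exit status only.
seed_ok() {
    local seed=$1
    [ "$(stat -L -c '%s' "$seed")" -eq "$SEED_BYTES" ] &&
        [ "$(stat -L -c '%a' "$seed")" = 600 ]
}
```

The seed file must be treated as secret for as long as it exists: a copy of it, combined with a reboot before the pool has collected anything else, is exactly the predictable state this section sets out to avoid, which is why restore_seed replaces the file as soon as it has been used.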
Last updated on 2007-04-04 12:42:53 -0700
Man and info reader programs can transparently process files compressed with gzip or bzip2, a feature you can use to free some disk space while keeping your documentation available. However, things are not that simple; man directories tend to contain links—hard and symbolic—which defeat simple ideas like recursively calling gzip on them. A better way to go is to use the script below. If you would prefer to download the file instead of creating it by typing or copy-and-pasting, you can find it at http://anduin.linuxfromscratch.org/files/BLFS/svn/compressdoc (the file should be installed in the /usr/sbin directory).
cat > /usr/sbin/compressdoc << "EOF"
#!/bin/bash
# VERSION: 20080421.1623
#
# Compress (with bzip2 or gzip) all man pages in a hierarchy and
# update symlinks - By Marc Heerdink <marc @ koelkast.net>
#
# Modified to be able to gzip or bzip2 files as an option and to deal
# with all symlinks properly by Mark Hymers <markh @ linuxfromscratch.org>
#
# Modified 20030930 by Yann E. Morin <yann.morin.1998 @ anciens.enib.fr>
# to accept compression/decompression, to correctly handle hard-links,
# to allow for changing hard-links into soft- ones, to specify the
# compression level, to parse the man.conf for all occurrences of MANPATH,
# to allow for a backup, to allow to keep the newest version of a page.
#
# Modified 20040330 by Tushar Teredesai to replace $0 by the name of the
# script.
# (Note: It is assumed that the script is in the user's PATH)
#
# Modified 20050112 by Randy McMurchy to shorten line lengths and
# correct grammar errors.
#
# Modified 20060128 by Alexander E. Patrakov for compatibility with Man-DB.
#
# Modified 20060311 by Archaic to use Man-DB manpath utility which is a
# replacement for man --path from Man.
#
# Modified 20080421 by Dan Nicholson to properly execute the correct
# compressdoc when working recursively. This means the same compressdoc
# will be used whether a full path was given or it was resolved from PATH.
#
# Modified 20080421 by Dan Nicholson to be more robust with directories
# that don't exist or don't have sufficient permissions.
#
# Modified 20080421 by Lars Bamberger to (sort of) automatically choose
# a compression method based on the size of the manpage. A couple bug
# fixes were added by Dan Nicholson.
#
# Modified 20080421 by Dan Nicholson to suppress warnings from manpath
# since these are emitted when $MANPATH is set. Removed the TODO for
# using the $MANPATH variable since manpath(1) handles this already.
#
# TODO:
# - choose a default compress method to be based on the available
# tool : gzip or bzip2;
# - offer an option to restore a previous backup;
# - add other compression engines (compress, zip, etc?). Needed?
# Funny enough, this function prints some help.
function help ()
{
if [ -n "$1" ]; then
echo "Unknown option : $1"
fi
( echo "Usage: $MY_NAME <comp_method> [options] [dirs]" && \
cat << EOT
Where comp_method is one of :
--gzip, --gz, -g
--bzip2, --bz2, -b
Compress using gzip or bzip2.
--automatic
Compress using either gzip or bzip2, depending on the
size of the file to be compressed. Files larger than 5
kB are bzipped, files larger than 1 kB are gzipped and
files smaller than 1 kB are not compressed.
--decompress, -d
Decompress the man pages.
--backup Specify a .tar backup shall be done for all directories.
In case a backup already exists, it is saved as .tar.old
prior to making the new backup. If a .tar.old backup
exists, it is removed prior to saving the backup.
In backup mode, no other action is performed.
And where options are :
-1 to -9, --fast, --best
The compression level, as accepted by gzip and bzip2.
When not specified, uses the default compression level
for the given method (-6 for gzip, and -9 for bzip2).
Not used when in backup or decompress modes.
--force, -F Force (re-)compression, even if the previous one was
the same method. Useful when changing the compression
ratio. By default, a page will not be re-compressed if
it ends with the same suffix as the method adds
(.bz2 for bzip2, .gz for gzip).
--soft, -S Change hard-links into soft-links. Use with _caution_
as the first encountered file will be used as a
reference. Not used when in backup mode.
--hard, -H Change soft-links into hard-links. Not used when in
backup mode.
--conf=dir, --conf dir
Specify the location of man_db.conf. Defaults to /etc.
--verbose, -v Verbose mode, print the name of the directory being
processed. Double the flag to turn it even more verbose,
and to print the name of the file being processed.
--fake, -f Fakes it. Print the actual parameters compressdoc will use.
dirs A list of space-separated _absolute_ pathnames to the
man directories. When empty, and only then, use manpath
to parse ${MAN_CONF}/man_db.conf for all valid occurrences
of MANDATORY_MANPATH.
Note about compression:
There has been a discussion on blfs-support about compression ratios of
both gzip and bzip2 on man pages, taking into account the hosting fs,
the architecture, etc... On the overall, the conclusion was that gzip
was much more efficient on 'small' files, and bzip2 on 'big' files,
small and big being very dependent on the content of the files.
See the original post from Mickael A. Peters, titled
"Bootable Utility CD", dated 20030409.1816(+0200), and subsequent posts:
http://linuxfromscratch.org/pipermail/blfs-support/2003-April/038817.html
On my system (x86, ext3), man pages were 35564KB before compression.
gzip -9 compressed them down to 20372KB (57.28%), bzip2 -9 got down to
19812KB (55.71%). That is a 1.57% gain in space. YMMV.
What was not taken into consideration was the decompression speed. But
does it make sense to? You gain fast access with uncompressed man
pages, or you gain space at the expense of a slight overhead in time.
Well, my P4-2.5GHz does not even let me notice this... :-)
EOT
) | less
}
# This function checks that the man page is unique amongst bzip2'd,
# gzip'd and uncompressed versions.
# $1 the directory in which the file resides
# $2 the file name for the man page
# Returns 0 (true) if the file is the latest and must be taken care of,
# and 1 (false) if the file is not the latest (and has therefore been
# deleted).
function check_unique ()
{
# NB. When there are hard-links to this file, these are
# _not_ deleted. In fact, if there are hard-links, they
# all have the same date/time, thus making them ready
# for deletion later on.
# Build the list of all man pages with the same name
DIR=$1
BASENAME=`basename "${2}" .bz2`
BASENAME=`basename "${BASENAME}" .gz`
GZ_FILE="$BASENAME".gz
BZ_FILE="$BASENAME".bz2
# Look for, and keep, the most recent one
LATEST=`(cd "$DIR"; ls -1rt "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}" \
2>/dev/null | tail -n 1)`
for i in "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}"; do
[ "$LATEST" != "$i" ] && rm -f "$DIR"/"$i"
done
# In case the specified file was the latest, return 0
[ "$LATEST" = "$2" ] && return 0
# If the file was not the latest, return 1
return 1
}
# Name of the script
MY_NAME=`basename $0`
# OK, parse the command-line for arguments, and initialize to some
# sensible state, that is: don't change links state, parse
# /etc/man_db.conf, be most silent, search man_db.conf in /etc, and don't
# force (re-)compression.
COMP_METHOD=
COMP_SUF=
COMP_LVL=
FORCE_OPT=
LN_OPT=
MAN_DIR=
VERBOSE_LVL=0
BACKUP=no
FAKE=no
MAN_CONF=/etc
while [ -n "$1" ]; do
case $1 in
--gzip|--gz|-g)
COMP_SUF=.gz
COMP_METHOD=$1
shift
;;
--bzip2|--bz2|-b)
COMP_SUF=.bz2
COMP_METHOD=$1
shift
;;
--automatic)
COMP_SUF=TBD
COMP_METHOD=$1
shift
;;
--decompress|-d)
COMP_SUF=
COMP_LVL=
COMP_METHOD=$1
shift
;;
-[1-9]|--fast|--best)
COMP_LVL=$1
shift
;;
--force|-F)
FORCE_OPT=-F
shift
;;
--soft|-S)
LN_OPT=-S
shift
;;
--hard|-H)
LN_OPT=-H
shift
;;
--conf=*)
MAN_CONF=`echo $1 | cut -d '=' -f2-`
shift
;;
--conf)
MAN_CONF="$2"
shift 2
;;
--verbose|-v)
let VERBOSE_LVL++
shift
;;
--backup)
BACKUP=yes
shift
;;
--fake|-f)
FAKE=yes
shift
;;
--help|-h)
help
exit 0
;;
/*)
MAN_DIR="${MAN_DIR} ${1}"
shift
;;
-*)
help $1
exit 1
;;
*)
echo "\"$1\" is not an absolute path name"
exit 1
;;
esac
done
# Redirections
case $VERBOSE_LVL in
0)
# O, be silent
DEST_FD0=/dev/null
DEST_FD1=/dev/null
VERBOSE_OPT=
;;
1)
# 1, be a bit verbose
DEST_FD0=/dev/stdout
DEST_FD1=/dev/null
VERBOSE_OPT=-v
;;
*)
# 2 and above, be most verbose
DEST_FD0=/dev/stdout
DEST_FD1=/dev/stdout
VERBOSE_OPT="-v -v"
;;
esac
# Note: on my machine, 'man --path' gives /usr/share/man twice, once
# with a trailing '/', once without.
if [ -z "$MAN_DIR" ]; then
MAN_DIR=`manpath -q -C "$MAN_CONF"/man_db.conf \
| sed 's/:/\\n/g' \
| while read foo; do dirname "$foo"/.; done \
| sort -u \
| while read bar; do echo -n "$bar "; done`
fi
# If no MANDATORY_MANPATH in ${MAN_CONF}/man_db.conf, abort as well
if [ -z "$MAN_DIR" ]; then
echo "No directory specified, and no directory found with \`manpath'"
exit 1
fi
# Check that the specified directories actually exist and are readable
for DIR in $MAN_DIR; do
if [ ! -d "$DIR" -o ! -r "$DIR" ]; then
echo "Directory '$DIR' does not exist or is not readable"
exit 1
fi
done
# Fake?
if [ "$FAKE" != "no" ]; then
echo "Actual parameters used:"
echo -n "Compression.......: "
case $COMP_METHOD in
--bzip2|--bz2|-b) echo -n "bzip2";;
--gzip|--gz|-g) echo -n "gzip";;
--automatic) echo -n "compressing";;
--decompress|-d) echo -n "decompressing";;
*) echo -n "unknown";;
esac
echo " ($COMP_METHOD)"
echo "Compression level.: $COMP_LVL"
echo "Compression suffix: $COMP_SUF"
echo -n "Force compression.: "
[ "foo$FORCE_OPT" = "foo-F" ] && echo "yes" || echo "no"
echo "man_db.conf is....: ${MAN_CONF}/man_db.conf"
echo -n "Hard-links........: "
[ "foo$LN_OPT" = "foo-S" ] &&
echo "convert to soft-links" || echo "leave as is"
echo -n "Soft-links........: "
[ "foo$LN_OPT" = "foo-H" ] &&
echo "convert to hard-links" || echo "leave as is"
echo "Backup............: $BACKUP"
echo "Faking (yes!).....: $FAKE"
echo "Directories.......: $MAN_DIR"
echo "Verbosity level...: $VERBOSE_LVL"
exit 0
fi
# If no method was specified, print help
if [ -z "${COMP_METHOD}" -a "${BACKUP}" = "no" ]; then
help
exit 1
fi
# In backup mode, do the backup solely
if [ "$BACKUP" = "yes" ]; then
for DIR in $MAN_DIR; do
cd "${DIR}/.."
if [ ! -w "`pwd`" ]; then
echo "Directory '`pwd`' is not writable"
exit 1
fi
DIR_NAME=`basename "${DIR}"`
echo "Backing up $DIR..." > $DEST_FD0
[ -f "${DIR_NAME}.tar.old" ] && rm -f "${DIR_NAME}.tar.old"
[ -f "${DIR_NAME}.tar" ] &&
mv "${DIR_NAME}.tar" "${DIR_NAME}.tar.old"
tar -cvf "${DIR_NAME}.tar" "${DIR_NAME}" > $DEST_FD1
done
exit 0
fi
# I know MAN_DIR has only absolute path names
# I need to take into account the localized man, so I'm going recursive
for DIR in $MAN_DIR; do
MEM_DIR=`pwd`
if [ ! -w "$DIR" ]; then
echo "Directory '$DIR' is not writable"
exit 1
fi
cd "$DIR"
for FILE in *; do
# Fixes the case were the directory is empty
if [ "foo$FILE" = "foo*" ]; then continue; fi
# Fixes the case when hard-links see their compression scheme change
# (from not compressed to compressed, or from bz2 to gz, or from gz
# to bz2)
# Also fixes the case when multiple version of the page are present,
# which are either compressed or not.
if [ ! -L "$FILE" -a ! -e "$FILE" ]; then continue; fi
# Do not compress whatis files
if [ "$FILE" = "whatis" ]; then continue; fi
if [ -d "$FILE" ]; then
# We are going recursive to that directory
echo "-> Entering ${DIR}/${FILE}..." > $DEST_FD0
# I need not pass --conf, as I specify the directory to work on
# But I need exit in case of error. We must change back to the
# original directory so $0 is resolved correctly.
(cd "$MEM_DIR" && eval "$0" ${COMP_METHOD} ${COMP_LVL} ${LN_OPT} \
${VERBOSE_OPT} ${FORCE_OPT} "${DIR}/${FILE}") || exit $?
echo "<- Leaving ${DIR}/${FILE}." > $DEST_FD1
else # !dir
if ! check_unique "$DIR" "$FILE"; then continue; fi
# With automatic compression, get the uncompressed file size of
# the file (dereferencing symlinks), and choose an appropriate
# compression method.
if [ "$COMP_METHOD" = "--automatic" ]; then
declare -i SIZE
case "$FILE" in
*.bz2)
SIZE=$(bzcat "$FILE" | wc -c) ;;
*.gz)
SIZE=$(zcat "$FILE" | wc -c) ;;
*)
SIZE=$(wc -c < "$FILE") ;;
esac
if (( $SIZE >= (5 * 2**10) )); then
COMP_SUF=.bz2
elif (( $SIZE >= (1 * 2**10) )); then
COMP_SUF=.gz
else
COMP_SUF=
fi
fi
# Check if the file is already compressed with the specified method
BASE_FILE=`basename "$FILE" .gz`
BASE_FILE=`basename "$BASE_FILE" .bz2`
if [ "${FILE}" = "${BASE_FILE}${COMP_SUF}" \
-a "foo${FORCE_OPT}" = "foo" ]; then continue; fi
# If we have a symlink
if [ -h "$FILE" ]; then
case "$FILE" in
*.bz2)
EXT=bz2 ;;
*.gz)
EXT=gz ;;
*)
EXT=none ;;
esac
if [ ! "$EXT" = "none" ]; then
LINK=`ls -l "$FILE" | cut -d ">" -f2 \
| tr -d " " | sed s/\.$EXT$//`
NEWNAME=`echo "$FILE" | sed s/\.$EXT$//`
mv "$FILE" "$NEWNAME"
FILE="$NEWNAME"
else
LINK=`ls -l "$FILE" | cut -d ">" -f2 | tr -d " "`
fi
if [ "$LN_OPT" = "-H" ]; then
# Change this soft-link into a hard- one
rm -f "$FILE" && ln "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
chmod --reference "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
else
# Keep this soft-link a soft- one.
rm -f "$FILE" && ln -s "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
fi
echo "Relinked $FILE" > $DEST_FD1
# else if we have a plain file
elif [ -f "$FILE" ]; then
# Take care of hard-links: build the list of files hard-linked
# to the one we are {de,}compressing.
# NB. This is not optimum has the file will eventually be
# compressed as many times it has hard-links. But for now,
# that's the safe way.
inode=`ls -li "$FILE" | awk '{print $1}'`
HLINKS=`find . \! -name "$FILE" -inum $inode`
if [ -n "$HLINKS" ]; then
# We have hard-links! Remove them now.
for i in $HLINKS; do rm -f "$i"; done
fi
# Now take care of the file that has no hard-link
# We do decompress first to re-compress with the selected
# compression ratio later on...
case "$FILE" in
*.bz2)
bunzip2 $FILE
FILE=`basename "$FILE" .bz2`
;;
*.gz)
gunzip $FILE
FILE=`basename "$FILE" .gz`
;;
esac
# Compress the file with the given compression ratio, if needed
case $COMP_SUF in
*bz2)
bzip2 ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
echo "Compressed $FILE" > $DEST_FD1
;;
*gz)
gzip ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
echo "Compressed $FILE" > $DEST_FD1
;;
*)
echo "Uncompressed $FILE" > $DEST_FD1
;;
esac
# If the file had hard-links, recreate those (either hard or soft)
if [ -n "$HLINKS" ]; then
for i in $HLINKS; do
NEWFILE=`echo "$i" | sed s/\.gz$// | sed s/\.bz2$//`
if [ "$LN_OPT" = "-S" ]; then
# Make this hard-link a soft- one
ln -s "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
else
# Keep the hard-link a hard- one
ln "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
fi
# Really work only for hard-links. Harmless for soft-links
chmod 644 "${NEWFILE}$COMP_SUF"
done
fi
else
# There is a problem when we get neither a symlink nor a plain
# file. Obviously, we shall never ever come here... :-(
echo -n "Whaooo... \"${DIR}/${FILE}\" is neither a symlink "
echo "nor a plain file. Please check:"
ls -l "${DIR}/${FILE}"
exit 1
fi
fi
done # for FILE
done # for DIR
EOF
Doing a very large copy/paste directly to a terminal may result in a corrupted file. Copying to an editor may overcome this issue.
As root, make compressdoc executable for all users:
chmod -v 755 /usr/sbin/compressdoc
Now, as root, you can issue the command compressdoc --bz2 to compress all your system man pages. You can also run compressdoc --help to get comprehensive help about what the script is able to do.
Don't forget that a few programs, like the X Window System and XEmacs, also install their documentation in non-standard places (such as /usr/X11R6/man, etc.). Be sure to add these locations to the file /etc/man_db.conf, as MANDATORY_MANPATH </path> lines.
Example:
...
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/X11R6/man
MANDATORY_MANPATH /usr/local/man
MANDATORY_MANPATH /opt/qt/doc/man
...
Generally, package installation systems do not compress man/info pages, which means you will need to run the script again if you want to keep the size of your documentation as small as possible. Also, note that running the script after upgrading a package is safe; when you have several versions of a page (for example, one compressed and one uncompressed), the most recent one is kept and the others are deleted.
Last updated on 2013-08-23 04:37:46 -0700
The lsb_release script gives information about the Linux Standards Base (LSB) status of the distribution.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://sourceforge.net/projects/lsb/files/lsb_release/1.4/lsb-release-1.4.tar.gz
Download MD5 sum: 30537ef5a01e0ca94b7b8eb6a36bb1e4
Download size: 12 KB
Estimated disk space required: 80 KB
Estimated build time: less than 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/lsb_release
Install lsb_release by running the following commands:
./help2man -N --include ./lsb_release.examples \
           --alt_version_key=program_version ./lsb_release > lsb_release.1
Now, as the root user:
install -v -m 644 lsb_release.1 /usr/share/man/man1/lsb_release.1 &&
install -v -m 755 lsb_release /usr/bin/lsb_release
Last updated on 2013-08-17 13:38:01 -0700
Security takes many forms in a computing environment. After some initial discussion, this chapter gives examples of three different types of security: access, prevention and detection.
Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. The Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries can be installed and shared among the many applications requiring them. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.
Prevention of breaches, like a trojan, is assisted by applications like GnuPG, specifically its ability to verify signed packages, which detects modifications made to the tarball after the packager created it.
Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator) and then regenerates those "signatures" and compares for files that have been changed.
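The paragraph above describes catching a tarball that was modified after the packager created it. Every package page in this book also lists a "Download MD5 sum", and the check below compares a downloaded file against such a listed sum. It is an added example, not code from the BLFS book: the file name and sum in EXPECTED_MD5 are constructed placeholders, and demo() builds a temporary download directory with one intact and one tampered file. Keep in mind that MD5 collisions are practical (the CA certificate section later in this chapter even blacklists an MD5 collision proof-of-concept CA), and that the listed sum reaches you over the same channel as the book, so it catches corruption and casual substitution; an upstream GnuPG signature is the stronger check.

```python
import hashlib
import os
import tempfile

# Constructed sample: the sums a BLFS package page lists next to each
# "Download (HTTP)" entry, keyed by tarball name. Placeholder values only.
EXPECTED_MD5 = {
    "example-1.0.tar.gz": "5d41402abc4b2a76b9719d911017c592",  # md5("hello")
}


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 digest of a file, read in chunks so a large tarball does
    not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected):
    """Compare a downloaded file against the sum listed in the book.
    Returns (ok, actual_hex). A mismatch means the file is not the one the
    editors described: corrupted, truncated, or replaced."""
    actual = md5_of_file(path)
    return actual.lower() == expected.lower(), actual


def check_all(directory, expected=EXPECTED_MD5):
    """Verify every tarball in `expected` that exists in `directory`.
    Returns a dict name -> "ok", "MISMATCH" or "missing"."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
            continue
        ok, _ = verify_download(path, digest)
        results[name] = "ok" if ok else "MISMATCH"
    return results


def demo():
    """Build a temporary download directory (constructed for the example),
    check it once intact and once after the tarball has been altered."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "example-1.0.tar.gz")
        with open(tarball, "wb") as fh:
            fh.write(b"hello")
        good = check_all(d)
        # Simulate a modified tarball: one extra byte changes the digest.
        with open(tarball, "ab") as fh:
            fh.write(b"!")
        bad = check_all(d)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

To use it on a real download directory, fill EXPECTED_MD5 from the package pages and call check_all() on the directory; any entry reported as MISMATCH should be re-downloaded rather than unpacked.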
All software has bugs. Sometimes, a bug can be exploited, for example to allow users to gain enhanced privileges (perhaps gaining a root shell, or simply accessing or deleting other users' files), or to allow a remote site to crash an application (denial of service), or for theft of data. These bugs are labelled as vulnerabilities.
The main place where vulnerabilities get logged is cve.mitre.org. Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled as "reserved" when distributions start issuing fixes. Also, some vulnerabilities apply to particular combinations of configure options, or only apply to old versions of packages which have long since been updated in BLFS.
BLFS differs from distributions - there is no BLFS security team, and the editors only become aware of vulnerabilities after they are public knowledge. Sometimes, a package with a vulnerability will not be updated in the book for a long time. Issues can be logged in the Trac system, which might speed up resolution.
The normal way for BLFS to fix a vulnerability is, ideally, to update the book to a new fixed release of the package. Sometimes that happens even before the vulnerability is public knowledge, so there is no guarantee that it will be shown as a vulnerability fix in the Changelog. Alternatively, a sed command, or a patch taken from a distribution, may be appropriate.
The bottom line is that you are responsible for your own security, and for assessing the potential impact of any problems.
To keep track of what is being discovered, you may wish to follow the security announcements of one or more distributions. For example, Debian has Debian security, Fedora's links on security are at the Fedora wiki, details of Gentoo Linux security announcements are discussed at Gentoo security, and the Slackware archives of security announcements are at Slackware security.
The most general English source is perhaps the Full Disclosure Mailing List, but please read the comment on that page. If you use other languages you may prefer other sites such as heise.de (http://www.heise.de/security, German) or cert.hr (Croatian). These are not Linux-specific. There is also a daily update at lwn.net for subscribers (free access to the data after 2 weeks, but their vulnerabilities database at lwn.net/Vulnerabilities is unrestricted).
For some packages, subscribing to their 'announce' lists will provide prompt news of newer versions.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/vulnerabilities
Last updated on 2012-10-25 23:15:09 -0700
The acl package contains utilities to administer Access Control Lists, which are used to define more fine-grained discretionary access rights for files and directories.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://download.savannah.gnu.org/releases/acl/acl-2.2.52.src.tar.gz
Download MD5 sum: a61415312426e9c2212bd7dc7929abda
Download size: 384 KB
Estimated disk space required: 9.1 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/acl
Install acl by running the following commands:
sed -i -e 's|/@pkg_name@|&-@pkg_version@|' \
    include/builddefs.in &&
INSTALL_USER=root  \
INSTALL_GROUP=root \
./configure --prefix=/usr --libexecdir=/usr/lib --disable-static &&
make
For meaningful results, the tests need to be carried out on a file system that supports extended attributes. It is also required that Coreutils is re-installed after acl is installed so that the extra acl bit displays correctly on a ls command.
Now, as the root user:
make install install-dev install-lib &&
chmod -v 755 /usr/lib/libacl.so &&
mv -v /usr/lib/libacl.so.* /lib &&
ln -sfv ../../lib/libacl.so.1 /usr/lib/libacl.so &&
install -v -m644 doc/*.txt /usr/share/doc/acl-2.2.52
You should now re-install Coreutils and proceed to run the test suite.
There are three sets of tests that come with this package. The local partition where the tests are run must be mounted with acl configured as described below. Additionally, the users bin and daemon must be created or modified to have a proper shell and home directory, and the group daemon must be a member of the bin group. The kernel must also be configured with the appropriate ACL options (there are nine different options).
To run the standard tests, run make tests. As the root user, run make root-tests.
The third set of tests are Network File System (NFS) specific. See the contents of the test files in the test/nfs/ directory for the setup requirements.
sed -i ... include/builddefs.in: This command modifies the documentation directory so that it is a versioned directory.
--disable-static: This switch prevents installation of static versions of the libraries.
There is no configuration to acl itself, but to get any use out of acl, a filesystem needs to support access control lists.
One way to achieve this is to add the acl option to an ext3 filesystem in the /etc/fstab file as shown below:
# file system  mount-point  type  options                  dump  fsck
#                                                                order
/dev/sda1      /            ext3  defaults,acl,user_xattr  0     2
Last updated on 2013-08-22 13:45:41 -0700
The attr package contains utilities to administer the extended attributes on filesystem objects.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://download.savannah.gnu.org/releases/attr/attr-2.4.47.src.tar.gz
Download MD5 sum: 84f58dec00b60f2dc8fd1c9709291cc7
Download size: 336 KB
Estimated disk space required: 3.5 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/attr
Install attr by running the following commands:
sed -i -e 's|/@pkg_name@|&-@pkg_version@|' include/builddefs.in &&
INSTALL_USER=root  \
INSTALL_GROUP=root \
./configure --prefix=/usr --disable-static &&
make
There are three sets of tests that come with this package. Issue the following to execute all three: make tests root-tests ext-tests. For meaningful results, the tests need to be carried out on a file system that supports extended attributes.
Now, as the root user:
make install install-dev install-lib &&
chmod -v 755 /usr/lib/libattr.so &&
mv -v /usr/lib/libattr.so.* /lib &&
ln -sfv ../../lib/libattr.so.1 /usr/lib/libattr.so
sed ... include/builddefs.in: This command modifies the documentation directory so that it is a versioned directory.
--disable-static: This switch prevents installation of static versions of the libraries.
There is no configuration to attr itself, but to get any use out of attr, a filesystem needs to support extended attributes.
One way to achieve this is to add the user_xattr option to an ext3 filesystem in the /etc/fstab file as shown below:
# file system  mount-point  type  options                  dump  fsck
#                                                                order
/dev/sda1      /            ext3  defaults,acl,user_xattr  0     2
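Both the acl section above and this one end with the same /etc/fstab note: the tools do nothing useful until the filesystem is mounted with acl and user_xattr. The check below, an added example that is not part of the BLFS book, parses fstab text and reports which of those options a given mount point still lacks. The two fstab snippets are constructed for the example: WEAK_FSTAB is a root filesystem with only defaults, FIXED_FSTAB is the corrected line from the book plus a second filesystem that has user_xattr but not acl.

```python
# Constructed /etc/fstab contents for the example. The first lacks the
# options these two sections add; the second is the corrected form.
WEAK_FSTAB = """\
# file system  mount-point  type  options   dump  fsck order
/dev/sda1      /            ext3  defaults  0     2
"""

FIXED_FSTAB = """\
# file system  mount-point  type  options                  dump  fsck order
/dev/sda1      /            ext3  defaults,acl,user_xattr  0     2
/dev/sda2      /home        ext3  defaults,user_xattr      0     2
"""


def parse_fstab(text):
    """Parse fstab text into a dict mount-point -> set of mount options.
    Comment and blank lines are skipped; the options field is the fourth
    whitespace-separated column (device, mount point, type, options)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: fewer than the four required columns
        mount_point, options = fields[1], fields[3]
        table[mount_point] = set(options.split(","))
    return table


def missing_options(text, mount_point, required=("acl", "user_xattr")):
    """Return the required options the mount point does not carry, in the
    order given. An empty list means acl and attr will work there."""
    table = parse_fstab(text)
    if mount_point not in table:
        # Not listed at all: nothing in fstab enables the options for it.
        return list(required)
    return [opt for opt in required if opt not in table[mount_point]]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_FSTAB), ("fixed", FIXED_FSTAB)):
        print(label, "/", missing_options(text, "/"))
```

Because the first four columns of /proc/mounts have the same layout (device, mount point, type, options), the same parser can be pointed at that file to check what is actually mounted now rather than what fstab promises for the next boot.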
Last updated on 2013-08-22 13:45:41 -0700
The Public Key Infrastructure is used for many security purposes in a Linux system. In order for a certificate to be trusted, it must be signed by a trusted agent called a Certificate Authority (CA). The certificates loaded by this section are taken from the list in the Mozilla version control system and formatted into a form used by OpenSSL-1.0.1e. The certificates can also be used by other applications, either directly or indirectly through openssl.
This package is known to build and work properly using an LFS-7.4 platform.
CA Certificate Download: http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
CA Bundle size: 1.2 MB
Estimated disk space required: 1.2 MB
Estimated build time: less than 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cacerts
First create a script to reformat a certificate into a form needed by openssl. As the root user:
cat > /bin/make-cert.pl << "EOF"
#!/usr/bin/perl -w
# Used to generate PEM encoded files from Mozilla certdata.txt.
# Run as ./mkcrt.pl > certificate.crt
#
# Parts of this script courtesy of RedHat (mkcabundle.pl)
#
# This script modified for use with single file data (tempfile.cer) extracted
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
my $certdata = './tempfile.cer';
open( IN, "cat $certdata|" )
|| die "could not open $certdata";
my $incert = 0;
while ( <IN> )
{
if ( /^CKA_VALUE MULTILINE_OCTAL/ )
{
$incert = 1;
open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
|| die "could not pipe to openssl x509";
}
elsif ( /^END/ && $incert )
{
close( OUT );
$incert = 0;
print "\n\n";
}
elsif ($incert)
{
my @bs = split( /\\/ );
foreach my $b (@bs)
{
chomp $b;
printf( OUT "%c", oct($b) ) unless $b eq '';
}
}
}
EOF
chmod +x /bin/make-cert.pl
The following script creates the certificates and a bundle of all the certificates. It creates a ./certs directory and ./BLFS-ca-bundle-${VERSION}.crt. Again create this script as the root user:
cat > /bin/make-ca.sh << "EOF"
#!/bin/bash
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
certdata="certdata.txt"
if [ ! -r $certdata ]; then
echo "$certdata must be in the local directory"
exit 1
fi
REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
if [ -z "${REVISION}" ]; then
echo "$certdata has no 'Revision' in CVS_ID"
exit 1
fi
VERSION=$(echo $REVISION | cut -f2 -d" ")
TEMPDIR=$(mktemp -d)
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
CONVERTSCRIPT="/bin/make-cert.pl"
SSLDIR="/etc/ssl"
mkdir "${TEMPDIR}/certs"
# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
# Get a list of ending lines for each cert
CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
# Start a loop
for certbegin in ${CERTBEGINLIST}; do
for certend in ${CERTENDLIST}; do
if test "${certend}" -gt "${certbegin}"; then
break
fi
done
# Dump to a temp file with the name of the file as the beginning line number
sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done
unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
mkdir -p certs
rm certs/* # Make sure the directory is clean
for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Make sure that the cert is trusted...
grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
if test "${?}" = "0"; then
# Throw a meaningful error and remove the file
cp "${tempfile}" tempfile.cer
perl ${CONVERTSCRIPT} > tempfile.crt
keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
echo "Certificate ${keyhash} is not trusted! Removing..."
rm -f tempfile.cer tempfile.crt "${tempfile}"
continue
fi
# If execution made it to here in the loop, the temp cert is trusted
# Find the cert data and generate a cert file for it
cp "${tempfile}" tempfile.cer
perl ${CONVERTSCRIPT} > tempfile.crt
keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
mv tempfile.crt "certs/${keyhash}.pem"
rm -f tempfile.cer "${tempfile}"
echo "Created ${keyhash}.pem"
done
# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
echo "Certificate 8f111d69 is not trusted! Removing..."
rm -f certs/8f111d69.pem
fi
# Finally, generate the bundle and clean up.
cat certs/*.pem > ${BUNDLE}
rm -r "${TEMPDIR}"
EOF
chmod +x /bin/make-ca.sh
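make-ca.sh cuts certdata.txt into one block per CA (from its "# Certificate" line to its CKA_TRUST_STEP_UP_APPROVED line), drops any block whose CKA_TRUST_SERVER_AUTH value is TRUST_UNKNOWN or NOT_TRUSTED, and hands the rest to make-cert.pl, which turns the CKA_VALUE MULTILINE_OCTAL lines into DER bytes. The following is an added example, not code from the BLFS book, that performs those same three steps in Python so the filter can be inspected before anything is written to /etc/ssl. SAMPLE_CERTDATA is constructed in the layout of certdata.txt with two CAs, one trusted and one marked NOT_TRUSTED; its octal bytes encode a tiny made-up DER SEQUENCE, not a real certificate, so the output is only meant to show the parsing and the trust decision.

```python
import re

# Constructed sample in the layout of Mozilla's certdata.txt: a certificate
# object followed by its trust object, twice. The octal values are a made-up
# five-byte DER SEQUENCE, not a real certificate.
SAMPLE_CERTDATA = r"""#
# Certificate "Example Trusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003
\002\001\001
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

#
# Certificate "Example Distrusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""


def split_entries(text):
    """Yield each CA entry from its '# Certificate' line up to and including
    its CKA_TRUST_STEP_UP_APPROVED line: the same delimiting rule make-ca.sh
    applies with grep -n and sed -n."""
    lines = text.splitlines()
    start = None
    for i, line in enumerate(lines):
        if line.startswith("# Certificate"):
            start = i
        elif line.startswith("CKA_TRUST_STEP_UP_APPROVED") and start is not None:
            yield "\n".join(lines[start:i + 1])
            start = None


def octal_block_to_der(entry):
    """Decode the CKA_VALUE MULTILINE_OCTAL block into DER bytes: every
    '\\NNN' token is one octal byte, as make-cert.pl does with oct()."""
    out = bytearray()
    in_value = False
    for line in entry.splitlines():
        if line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            in_value = True
        elif line.startswith("END") and in_value:
            break
        elif in_value:
            for tok in line.split("\\"):
                tok = tok.strip()
                if tok:
                    out.append(int(tok, 8))
    return bytes(out)


def server_auth_trusted(entry):
    """The filter make-ca.sh applies: a CA whose CKA_TRUST_SERVER_AUTH value
    contains TRUST_UNKNOWN or NOT_TRUSTED must not land in the bundle."""
    m = re.search(r"^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+(\S+)", entry, re.M)
    if not m:
        return False  # no trust record at all: treat as untrusted
    return not bool(re.search(r"TRUST_UNKNOWN|NOT_TRUSTED", m.group(1)))


def label_of(entry):
    """The CKA_LABEL of the certificate object (first label in the entry)."""
    m = re.search(r'^CKA_LABEL UTF8 "([^"]*)"', entry, re.M)
    return m.group(1) if m else "<unlabelled>"


def trusted_cas(text):
    """Return [(label, der_bytes)] for the CAs that pass the trust filter."""
    return [(label_of(e), octal_block_to_der(e))
            for e in split_entries(text) if server_auth_trusted(e)]


if __name__ == "__main__":
    for label, der in trusted_cas(SAMPLE_CERTDATA):
        print(label, der.hex())
```

On a real certdata.txt the DER bytes returned for each trusted entry are what make-cert.pl pipes into openssl x509 -inform DER; the entries this filter drops are exactly the ones make-ca.sh reports as "not trusted! Removing...".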
Add a short script to remove expired certificates from a directory. Again create this script as the root user:
cat > /bin/remove-expired-certs.sh << "EOF"
#!/bin/bash
# Begin /bin/remove-expired-certs.sh
#
# Version 20120211
# Make sure the date is parsed correctly on all systems
function mydate()
{
local y=$( echo $1 | cut -d" " -f4 )
local M=$( echo $1 | cut -d" " -f1 )
local d=$( echo $1 | cut -d" " -f2 )
local m
if [ ${d} -lt 10 ]; then d="0${d}"; fi
case $M in
Jan) m="01";;
Feb) m="02";;
Mar) m="03";;
Apr) m="04";;
May) m="05";;
Jun) m="06";;
Jul) m="07";;
Aug) m="08";;
Sep) m="09";;
Oct) m="10";;
Nov) m="11";;
Dec) m="12";;
esac
certdate="${y}${m}${d}"
}
OPENSSL=/usr/bin/openssl
DIR=/etc/ssl/certs
if [ $# -gt 0 ]; then
DIR="$1"
fi
certs=$( find ${DIR} -type f \( -name "*.pem" -o -name "*.crt" \) )
today=$( date +%Y%m%d )
for cert in $certs; do
notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
date=$( echo ${notafter} | sed 's/^notAfter=//' )
mydate "$date"
if [ ${certdate} -lt ${today} ]; then
echo "${cert} expired on ${certdate}! Removing..."
rm -f "${cert}"
fi
done
EOF
chmod +x /bin/remove-expired-certs.sh
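remove-expired-certs.sh takes the notAfter= line printed by openssl x509 -enddate, rebuilds it as YYYYMMDD in mydate(), and deletes the file when that value is below today's date. The following added example, not part of the BLFS book, makes the same decision in Python and returns the list of expired files instead of removing them, which is the form you want for a dry run. The notAfter lines in SAMPLE_ENDDATES and the "today" used in the demo are constructed; note the double space before a single-digit day in the first entry, which is the whitespace quirk mydate() absorbs by word-splitting.

```python
from datetime import date, datetime

# Constructed sample: "notAfter=" lines as printed by
# `openssl x509 -enddate -noout`, keyed by certificate file name.
SAMPLE_ENDDATES = {
    "certs/aaaaaaaa.pem": "notAfter=Jan  1 00:00:00 2010 GMT",  # expired
    "certs/bbbbbbbb.pem": "notAfter=Dec 31 23:59:59 2037 GMT",  # still valid
    "certs/cccccccc.pem": "notAfter=Sep 12 12:00:00 2013 GMT",  # expired the day before the demo's "today"
}


def parse_not_after(line):
    """Turn an openssl 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into a date.
    strptime treats any run of whitespace in the input as one separator, so
    the padded single-digit day parses without special handling."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").date()


def expired_certs(enddates, today):
    """Names whose notAfter date is strictly before `today`: the same
    certdate < today comparison remove-expired-certs.sh makes."""
    return sorted(name for name, line in enddates.items()
                  if parse_not_after(line) < today)


if __name__ == "__main__":
    # Constructed "today" for the demo; use date.today() on a real run.
    for name in expired_certs(SAMPLE_ENDDATES, date(2013, 9, 13)):
        print(name, "has expired")
```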
The following commands will fetch the certificates and convert them to the correct format. If desired, a web browser may be used instead of wget, but the file will need to be saved with the name certdata.txt. These commands can be repeated as necessary to update the CA Certificates.
certhost='http://mxr.mozilla.org' &&
certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
url="$certhost$certdir/certdata.txt?raw=1" &&
wget --output-document certdata.txt $url &&
unset certhost certdir url &&
make-ca.sh &&
remove-expired-certs.sh certs
Now, as the root user:
SSLDIR=/etc/ssl &&
install -d ${SSLDIR}/certs &&
cp -v certs/*.pem ${SSLDIR}/certs &&
c_rehash &&
install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
ln -sv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
unset SSLDIR
Finally, clean up the current directory:
rm -r certs BLFS-ca-bundle*
After installing or updating certificates, if OpenJDK is installed, update the certificates for Java using the procedures at the section called “Install or update the JRE Certificate Authority Certificates (cacerts) file”.
make-ca.sh is a bash script that reformats the certdata.txt file into individual PEM certificates in ./certs and the bundle ./BLFS-ca-bundle-${VERSION}.crt.
make-cert.pl is a utility perl script that converts a single binary certificate (.der format) into .pem format.
remove-expired-certs.sh is a utility bash script that removes expired certificates from a directory. The default directory is /etc/ssl/certs.
Last updated on 2013-09-11 10:21:08 -0700
The ConsoleKit package is a framework for keeping track of the various users, sessions, and seats present on a system. It provides a mechanism for software to react to changes of any of these items or of any of the metadata associated with them.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://anduin.linuxfromscratch.org/sources/BLFS/svn/c/ConsoleKit-0.4.6.tar.xz
Download MD5 sum: 6aaadf5627d2f7587aa116727e2fc1da
Download size: 356 KB
Estimated disk space required: 8.0 MB
Estimated build time: 0.3 SBU
acl-2.2.52, dbus-glib-0.100.2 and Xorg Libraries
Linux-PAM-1.1.7 and Polkit-0.111
If you intend NOT to install polkit, you will need to manually edit the ConsoleKit.conf file to lock down the service. Failure to do so may be a huge SECURITY HOLE.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/consolekit
Install ConsoleKit by running the following commands:
./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --enable-udev-acl    \
            --enable-pam-module  \
            --libexecdir=/usr/lib/ConsoleKit &&
make
This package does not come with a test suite.
Now, as the root user:
make install
--enable-udev-acl: This switch enables building of the udev-acl tool, which is used to allow normal users to access device nodes normally only accessible to root.
--enable-pam-module: This switch enables building of the ConsoleKit PAM module, which is needed for ConsoleKit to work correctly with PAM. Remove it if Linux PAM is NOT installed.
--enable-docbook-docs: Use this switch if xmlto is installed and you wish to build the API documentation.
If you use Linux PAM you need to configure Linux PAM to activate ConsoleKit upon user login. This can be achieved by editing the /etc/pam.d/system-session file as the root user:
cat >> /etc/pam.d/system-session << "EOF"
# Begin ConsoleKit addition

session optional pam_loginuid.so
session optional pam_ck_connector.so nox11

# End ConsoleKit addition
EOF
You will also need a helper script that creates a file in /var/run/console named as the currently logged in user and that contains the D-Bus address of the session. You can create the script by running the following commands as the root user:
cat > /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck << "EOF"
#!/bin/sh
TAGDIR=/var/run/console

[ -n "$CK_SESSION_USER_UID" ] || exit 1
[ "$CK_SESSION_IS_LOCAL" = "true" ] || exit 0

TAGFILE="$TAGDIR/`getent passwd $CK_SESSION_USER_UID | cut -f 1 -d:`"

if [ "$1" = "session_added" ]; then
    mkdir -p "$TAGDIR"
    echo "$CK_SESSION_ID" >> "$TAGFILE"
fi

if [ "$1" = "session_removed" ] && [ -e "$TAGFILE" ]; then
    sed -i "\%^$CK_SESSION_ID\$%d" "$TAGFILE"
    [ -s "$TAGFILE" ] || rm -f "$TAGFILE"
fi
EOF
chmod -v 755 /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck
See /usr/share/doc/ConsoleKit/spec/ConsoleKit.html for more configuration.
Last updated on 2013-08-22 15:40:33 -0700
The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://downloads.sourceforge.net/cracklib/cracklib-2.9.0.tar.gz
Download MD5 sum: e0f94ac2138fd33c7e77b19c1e9a9390
Download size: 616 KB
Estimated disk space required: 30 MB
Estimated build time: less than 0.1 SBU
Recommended word list for English-speaking countries (size: 4.5 MB; md5sum: 7fa6ba0cd50e7f9ccaf4707c810b14f1): http://downloads.sourceforge.net/cracklib/cracklib-words-20080507.gz
There are additional word lists available for download, e.g., from http://www.cotse.com/tools/wordlists.htm. CrackLib can utilize as many, or as few, word lists as you choose to install.
Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.
The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.
Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of “word-based keystroke combinations” that make bad passwords.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cracklib
Install CrackLib by running the following commands:
./configure --prefix=/usr \
            --with-default-dict=/lib/cracklib/pw_dict \
            --disable-static &&
make
Now, as the root user:
make install &&
mv -v /usr/lib/libcrack.so.2* /lib &&
ln -v -sf ../../lib/libcrack.so.2.9.0 /usr/lib/libcrack.so
Issue the following commands as the root user to install the recommended word list and create the CrackLib dictionary. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict and adding them to the create-cracklib-dict command.
install -v -m644 -D ../cracklib-words-20080507.gz \
    /usr/share/dict/cracklib-words.gz &&
gunzip -v /usr/share/dict/cracklib-words.gz &&
ln -v -s cracklib-words /usr/share/dict/words &&
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &&
install -v -m755 -d /lib/cracklib &&
create-cracklib-dict /usr/share/dict/cracklib-words \
    /usr/share/dict/cracklib-extra-words
If desired, check the proper operation of the library as an unprivileged user by issuing the following command:
make test
If you are installing CrackLib after your LFS system has been completed and you have the Shadow package installed, you must reinstall Shadow-4.1.5.1 if you wish to provide strong password support on your system. If you are now going to install the Linux-PAM-1.1.7 package, you may disregard this note as Shadow will be reinstalled after the Linux-PAM installation.
--with-default-dict=/lib/cracklib/pw_dict: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.
--disable-static: This switch prevents installation of static versions of the libraries.
mv -v /usr/lib/libcrack.so.2* /lib and ln -v -sf ../../lib/libcrack.so.2.9.0 ...: These two commands move the libcrack.so.2.9.0 library and associated symlink from /usr/lib to /lib, then recreate the /usr/lib/libcrack.so symlink pointing to the relocated file.
install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.
ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words because, historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.
echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site specific list which includes easy to guess passwords such as company or department names, user's names, product names, computer names, domain names, etc.
create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.
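The "word-based keystroke combinations" idea above, and the role of the site-specific cracklib-extra-words list, as an added illustration (this is not CrackLib's own code or dictionary format; CrackLib uses the packed pw_dict built by create-cracklib-dict and a larger set of mangling rules). The word lists, the candidate passwords and the check_password/candidate_forms helpers are constructed for this example:

```shell
#!/bin/sh
# Added illustration (not CrackLib's own code): emulate the "word-based
# keystroke combination" checks the text describes by normalising a candidate
# password in a few common ways and looking each form up in plain-text word
# lists.  CrackLib itself uses the packed dictionary built by
# create-cracklib-dict and more mangling rules; this is a simplified stand-in.

# Constructed word lists standing in for /usr/share/dict/cracklib-words and
# the site-specific /usr/share/dict/cracklib-extra-words.
WORDS=$(mktemp)
EXTRA=$(mktemp)
trap 'rm -f "$WORDS" "$EXTRA"' EXIT
printf '%s\n' apple banana dragon password welcome > "$WORDS"
printf '%s\n' acme myhost > "$EXTRA"   # company name, $(hostname), ...

# Print the forms in which a password is compared against the word lists:
# lower-cased; with leading/trailing digits and punctuation stripped; with
# common "leet" substitutions undone (0->o 1->l 3->e 4->a @->a $->s); and the
# reverse of each of those (users also type dictionary words backwards).
candidate_forms() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    stripped=$(printf '%s' "$lower" | sed 's/^[0-9[:punct:]]*//; s/[0-9[:punct:]]*$//')
    unleet=$(printf '%s' "$stripped" | tr '0134@$' 'oleaas')
    printf '%s\n' "$lower" "$stripped" "$unleet" |
        awk '{ print; r = ""; for (i = length($0); i > 0; i--) r = r substr($0, i, 1); print r }'
}

# check_password PASSWORD WORDLIST... prints "OK" when no form of PASSWORD
# matches a whole line of any word list, otherwise a "REJECT: ..." reason.
# It always exits 0 so the verdict can be captured with $(...).
check_password() {
    pw=$1
    shift
    if [ "${#pw}" -lt 6 ]; then
        echo 'REJECT: too short'
        return 0
    fi
    verdict=$(candidate_forms "$pw" | while IFS= read -r form; do
        [ -n "$form" ] || continue
        hit=$(cat -- "$@" | grep -Fx -- "$form" | head -n 1)
        if [ -n "$hit" ]; then
            echo "REJECT: based on dictionary word '$hit'"
            break
        fi
    done)
    echo "${verdict:-OK}"
}

# Sample run over constructed candidates.
for candidate in 'P@ssw0rd' 'Dragon123' 'MyHost2013' 'correct horse battery'; do
    printf '%-24s %s\n' "$candidate" "$(check_password "$candidate" "$WORDS" "$EXTRA")"
done
```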
Last updated on 2013-08-22 15:40:33 -0700
The Cyrus SASL package contains a Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.
This package is known to build and work properly using an LFS-7.4 platform.
Download (FTP): ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz
Download MD5 sum: a7f4e5e559a0e37b3ffc438c9456e425
Download size: 5.0 MB
Estimated disk space required: 30 MB
Estimated build time: 0.5 SBU
Linux-PAM-1.1.7, MIT Kerberos V5-1.11.3, MySQL-5.6.13, OpenJDK-1.7.0.40/IcedTea-2.4.1, OpenLDAP-2.4.36, PostgreSQL-9.3.0, SQLite-3.8.0.2, krb4 and Dmalloc
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cyrus-sasl
Install Cyrus SASL by running the following commands:
patch -Np1 -i ../cyrus-sasl-2.1.26-fixes-1.patch &&
autoreconf -fi &&
pushd saslauthd
autoreconf -fi &&
popd
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --enable-auth-sasldb \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-saslauthd=/var/run/saslauthd \
            CFLAGS=-fPIC
make
This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, it is recommended to test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt.
Now, as the root user:
make install &&
install -v -dm755 /usr/share/doc/cyrus-sasl-2.1.26 &&
install -v -m644 doc/{*.{html,txt,fig},ONEWS,TODO} \
    saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.26 &&
install -v -dm700 /var/lib/sasl
--with-dbpath=/var/lib/sasl/sasldb2: This switch forces the sasldb database to be created in /var/lib/sasl instead of /etc.
--with-saslauthd=/var/run/saslauthd: This switch forces saslauthd to use the FHS compliant directory /var/run/saslauthd for variable run-time data.
--enable-auth-sasldb: This switch enables the SASLDB authentication backend.
--with-dblib=gdbm: This switch forces GDBM to be used instead of Berkeley DB.
--with-ldap: This switch enables the OpenLDAP support.
--enable-ldapdb: This switch enables the LDAPDB authentication backend. There is a circular dependency with this parameter. See http://wiki.linuxfromscratch.org/blfs/wiki/cyrus-sasl for a solution to this problem.
--enable-java: This switch enables compiling of the Java support libraries.
--enable-login: This option enables unsupported LOGIN authentication.
--enable-ntlm: This option enables unsupported NTLM authentication.
install -v -m644 ...: These commands install documentation which is not installed by the make install command.
install -v -dm700 /var/lib/sasl: This directory must exist when starting saslauthd or using the sasldb plugin. If you're not going to be running the daemon or using the plugins, you may omit the creation of this directory.
/etc/saslauthd.conf (for saslauthd LDAP configuration) and /etc/sasl2/Appname.conf (where "Appname" is the application defined name of the application)
See file:///usr/share/doc/cyrus-sasl-2.1.26/sysadmin.html for information on what to include in the application configuration files.
See file:///usr/share/doc/cyrus-sasl-2.1.26/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.
See file:///usr/share/doc/cyrus-sasl-2.1.26/gssapi.html for configuring saslauthd with Kerberos.
If you need to run the saslauthd daemon at system startup, install the /etc/rc.d/init.d/saslauthd init script included in the blfs-bootscripts-20130908 package using the following command:
make install-saslauthd
You'll need to modify /etc/sysconfig/saslauthd and replace the AUTHMECH parameter with your desired authentication mechanism.
is used to list loadable SASL plugins and their properties.
is the SASL authentication server.
is used to list the users in the SASL password database.
is used to set and delete a user's SASL password and mechanism specific secrets in the SASL password database.
is a test utility for the SASL authentication server.
is a general purpose authentication library for server and client applications.
Last updated on 2013-08-22 15:40:33 -0700
The GnuPG package contains a public/private key encryptor. This is useful for signing files or emails as proof of identity and preventing tampering with the contents of the file or email. For a more enhanced version of GnuPG which supports S/MIME, see the GnuPG-2.0.21 package.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://anduin.linuxfromscratch.org/sources/BLFS/svn/g/gnupg-1.4.14.tar.bz2
Download (FTP): ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.14.tar.bz2
Download MD5 sum: 99dede468204cb6ee22de7e3e3772ab1
Download size: 3.5 MB
Estimated disk space required: 45 MB
Estimated build time: 0.6 SBU
OpenLDAP-2.4.36, libusb-compat-0.1.5, cURL-7.32.0, an MTA, and docbook-to-man
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnupg
Install GnuPG by running the following commands:
./configure --prefix=/usr --libexecdir=/usr/lib && make
If you have texlive-20130530 installed and you wish to create documentation in alternate formats, issue the following command:
make -C doc pdf html
To test the results, issue: make check.
Note that if you have already installed GnuPG 2, the instructions below will overwrite /usr/share/man/man1/gpg-zip.1. Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/gnupg-1.4.14 &&
cp -v /usr/share/gnupg/FAQ \
    /usr/share/doc/gnupg-1.4.14 &&
install -v -m644 doc/{highlights-1.4.txt,OpenPGP,samplekeys.asc,DETAILS} \
    /usr/share/doc/gnupg-1.4.14
If you created alternate formats of the documentation, install them using the following command as the root user:
cp -v -R doc/gnupg1.{html,pdf} /usr/share/doc/gnupg-1.4.14
--libexecdir=/usr/lib: This switch creates a gnupg directory in /usr/lib instead of /usr/libexec.
Last updated on 2013-08-22 15:40:33 -0700
The GnuPG 2 package is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as described by several RFCs. GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and S/MIME. It does not conflict with an installed GnuPG-1.4.14 OpenPGP-only version.
This package is known to build and work properly using an LFS-7.4 platform.
Download (FTP): ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.21.tar.bz2
Download MD5 sum: 48c05f5dfe97cf21ae0ced811aaad750
Download size: 4.1 MB
Estimated disk space required: 65 MB
Estimated build time: 1.2 SBU
Pth-2.0.7, Libassuan-2.1.1, libgcrypt-1.5.3, and Libksba-1.3.0
PIN-Entry-0.8.3 (Run-time requirement for most of the package's functionality)
OpenLDAP-2.4.36, libusb-compat-0.1.5, cURL-7.32.0, GNU adns, and an MTA
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnupg2
Install GnuPG 2 by running the following commands:
./configure --prefix=/usr \
            --libexecdir=/usr/lib/gnupg2 \
            --docdir=/usr/share/doc/gnupg-2.0.21 &&
make &&
makeinfo --html --no-split -o doc/gnupg_nochunks.html doc/gnupg.texi &&
makeinfo --plaintext -o doc/gnupg.txt doc/gnupg.texi
If you have texlive-20130530 installed and you wish to create documentation in alternate formats, issue the following commands:
make -C doc pdf ps html
To test the results, issue: make check.
Note that if you have already installed GnuPG, the instructions below will overwrite /usr/share/man/man1/gpg-zip.1. Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/gnupg-2.0.21/html &&
install -v -m644 doc/gnupg_nochunks.html \
    /usr/share/doc/gnupg-2.0.21/gnupg.html &&
install -v -m644 doc/*.texi doc/gnupg.txt \
    /usr/share/doc/gnupg-2.0.21
If you created alternate formats of the documentation, install them using the following command as the root user:
install -v -m644 doc/gnupg.html/* \
    /usr/share/doc/gnupg-2.0.21/html &&
install -v -m644 doc/gnupg.{pdf,dvi,ps} \
    /usr/share/doc/gnupg-2.0.21
--libexecdir=/usr/lib/gnupg2: This switch creates a gnupg directory in /usr/lib instead of /usr/libexec.
--docdir=/usr/share/doc/gnupg-2.0.21: This switch changes the default docdir to /usr/share/doc/gnupg-2.0.21.
--enable-symcryptrun: This switch enables building the symcryptrun program.
is used to create and populate user's
is a wrapper script used to run gpgconf with the
is a daemon used to manage secret (private) keys independently from any protocol. It is used as a backend for gpg and gpgsm as well as for a couple of other utilities.
is a utility used to communicate with a running gpg-agent.
is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool used to provide digital encryption and signing services using the OpenPGP standard.
is a utility used to automatically and reasonably safely query and modify configuration files in the
is a utility currently only useful for debugging. Run it with
is a tool similar to gpg used to provide digital encryption and signing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing.
is a simple tool used to interactively generate a certificate request which will be printed to stdout.
is a verify only version of gpg2.
is used to list, export and import Keybox data.
is a daemon used to manage smartcards. It is usually invoked by gpg-agent and in general not used directly.
is a simple symmetric encryption tool.
is used to listen to a Unix Domain socket created by any of the GnuPG tools.
Last updated on 2013-09-05 10:04:34 -0700
The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards by the IETF's TLS working group. Quoting from the TLS protocol specification:
“The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.”
GnuTLS provides support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols, TLS extensions, including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension and X.509 and OpenPGP certificate handling.
This package is known to build and work properly using an LFS-7.4 platform.
Download (FTP): ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.4.tar.xz
Download MD5 sum: 79ef8538d65128b7ed47046649b98c27
Download size: 4.7 MB
Estimated disk space required: 104 MB
Estimated build time: 1.2 SBU (additional 1.2 SBU if running the testsuite)
Certificate Authority Certificates and libtasn1-3.3
GTK-Doc-1.19, Guile-2.0.9, libidn-1.28, p11-kit-0.20.1, Unbound-1.4.20 (to build the DANE library), and Valgrind (used during the test suite)
Note that if you do not install libtasn1-3.3, an older version shipped in the GnuTLS tarball will be used instead.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnutls
Install GnuTLS by running the following commands:
./configure --prefix=/usr \
            --disable-static \
            --with-default-trust-store-file=/etc/ssl/ca-bundle.crt &&
make
To test the results, issue: make check.
Now, as the root user:
make install
If you did not pass the --enable-gtk-doc parameter to the configure script, you can install the API documentation to the /usr/share/gtk-doc/html/gnutls directory using the following command as the root user:
make -C doc/reference install-data-local
--with-default-trust-store-file=/etc/ssl/ca-bundle.crt: This switch tells configure where to find the CA Certificates.
--disable-static: This switch prevents installation of static versions of the libraries.
--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.
is used to generate X.509 certificates, certificate requests, and private keys.
is a simple wrapper that waits for TLS/SSL connections, and proxies them to an unencrypted location.
is a tool used to generate and check DNS resource records for the DANE protocol.
is a simple client program to set up a TLS connection to some other computer.
is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results.
is a simple server program that listens to incoming TLS connections.
is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses.
is a program that allows handling data from PKCS #11 smart cards and security modules.
is a simple program that generates random keys for use with TLS-PSK.
is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS.
contains the core API functions and X.509 certificate API functions.
Last updated on 2013-09-01 09:34:27 -0700
The GPGME package is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines like GnuPG or GpgSM easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management.
This package is known to build and work properly using an LFS-7.4 platform.
Download (FTP): ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.3.tar.bz2
Download MD5 sum: 334e524cffa8af4e2f43ae8afe585672
Download size: 956 KB
Estimated disk space required: 23 MB
Estimated build time: 0.4 SBU
GnuPG-1.4.14 or GnuPG-2.0.21 (used during the testsuite)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gpgme
Install GPGME by running the following commands:
./configure --prefix=/usr --disable-fd-passing && make
To test the results, issue: make check.
Now, as the root user:
make install
--disable-fd-passing: This option disables a problem causing a hang for some operations on some systems.
Last updated on 2013-08-23 03:32:24 -0700
The next part of this chapter deals with firewalls. The principal firewall tool for Linux is Iptables. You will need to install Iptables if you intend on using any form of a firewall.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://www.netfilter.org/projects/iptables/files/iptables-1.4.20.tar.bz2
Download (FTP): ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.20.tar.bz2
Download MD5 sum: 387b92d3efcf4f07fe31c3bf0f1d18f5
Download size: 540 KB
Estimated disk space required: 23 MB
Estimated build time: 0.2 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables
A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is Iptables. To use it, the appropriate kernel configuration parameters are found in Networking Support ⇒ Networking Options ⇒ Network Packet Filtering Framework.
The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile Iptables and that the BLFS team has not tested using the raw kernel headers.
For some non-x86 architectures, the raw kernel headers may be required. In that case, modify the KERNEL_DIR= parameter to point at the Linux source code.
Install Iptables by running the following commands:
./configure --prefix=/usr \
            --exec-prefix= \
            --bindir=/usr/bin \
            --with-xtlibdir=/lib/xtables \
            --with-pkgconfigdir=/usr/lib/pkgconfig \
            --enable-libipq \
            --enable-devel &&
make
This package does not come with a test suite.
Now, as the root user:
make install &&
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml &&
for file in libip4tc libip6tc libipq libiptc libxtables
do
  ln -sfv ../../lib/`readlink /lib/${file}.so` /usr/lib/${file}.so &&
  rm -v /lib/${file}.so &&
  mv -v /lib/${file}.la /usr/lib &&
  sed -i "s@libdir='@&/usr@g" /usr/lib/${file}.la
done
--exec-prefix=: Ensure all binaries and libraries end up in the / directory tree.
--with-xtlibdir=/lib/xtables: Ensure all Iptables modules are installed in the /lib/xtables directory.
--with-pkgconfigdir=/usr/lib/pkgconfig: Ensure all the pkgconfig files are in the standard location.
--enable-libipq: This switch enables building of libipq.so which can be used by some packages outside of BLFS.
--enable-devel: This switch enables installation of Iptables development headers that can be used by some packages outside of BLFS.
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml: Ensure the symbolic link for iptables-xml is relative.
Introductory instructions for configuring your firewall are presented in the next section: Firewalling
To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-20130908 package.
make install-iptables
is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.
is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
is used to convert the output of iptables-save to an XML format. Using the
are a set of commands for IPV6 that parallel the iptables commands above.
Last updated on 2013-08-20 13:22:42 -0700
Before you read this part of the chapter, you should have already installed iptables as described in the previous section.
The general purpose of a firewall is to protect a computer or a network against malicious access.
In a perfect world, every daemon or service on every machine is perfectly configured and immune to flaws such as buffer overflows or other problems regarding its security. Furthermore, you trust every user accessing your services. In this world, you do not need to have a firewall.
In the real world however, daemons may be misconfigured and exploits against essential services are freely available. You may wish to choose which services are accessible by certain machines or you may wish to limit which machines or applications are allowed external access. Alternatively, you may simply not trust some of your applications or users. You are probably connected to the Internet. In this world, a firewall is essential.
Don't assume however, that having a firewall makes careful configuration redundant, or that it makes any negligent misconfiguration harmless. It doesn't prevent anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system properly configured and up to date. A firewall is not a cure all, but should be an essential part of your overall security strategy.
The word firewall can have several different meanings.
This is a hardware device or software program commercially sold (or offered via freeware) by companies such as Symantec which claims that it secures a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.
This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.
This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but offering non-firewall services such as a web-cache or mail. This may be used for home networks, but is not to be considered as secure as a firewall only machine because the combination of server and router/firewall on one machine raises the complexity of the setup.
This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IPs and a physically separated structure, is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.
This introduction on how to setup a firewall is not a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The scripts quoted here are simply intended to give examples of how a firewall works. They are not intended to fit into any particular configuration and may not provide complete protection from an attack.
Customization of these scripts for your specific situation will be necessary for an optimal configuration, but you should make a serious study of the iptables documentation and creating firewalls in general before hacking away. Have a look at the list of links for further reading at the end of this section for more details. There you will find a list of URLs that contain quite comprehensive information about building your own firewall.
The firewall configuration script installed in the iptables section differs from the standard configuration script. It only has two of the standard targets: start and status. The other targets are clear and lock. For instance if you issue:
/etc/rc.d/init.d/iptables start
the firewall will be restarted just as it is upon system startup. The status target will present a list of all currently implemented rules. The clear target turns off all firewall rules and the lock target will block all packets in and out of the computer with the exception of the loopback interface.
The main startup firewall is located in the file /etc/rc.d/rc.iptables
. The sections below
provide three different approaches that can be used for a
system.
You should always run your firewall rules from a script. This ensures consistency and a record of what was done. It also allows retention of comments that are essential for understanding the rules long after they were written.
A Personal Firewall is designed to let you access all the services offered on the Internet, but keep your box secure and your data private.
Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 2.6 kernels.
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh
# Begin rc.iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables
This script is quite simple: it drops all traffic coming into your computer that wasn't initiated from your computer, but as long as you are simply surfing the Internet you are unlikely to exceed its limits.
If you frequently encounter delays when accessing FTP servers, take a look at BusyBox example number 4.
Even if you have daemons or services running on your system, these will be inaccessible from anywhere but your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at BusyBox.
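The personal firewall above ends with a LOG rule, so every packet it drops leaves a kernel log line with the "FIREWALL:INPUT " prefix. Here is an added example (not part of the BLFS book) of turning those lines into something a reviewer can act on: the summarize_firewall_log and noisy_sources functions are constructed for this example, and the log lines are made up, following the IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= key=value layout the kernel LOG target writes:

```shell
#!/bin/sh
# Added example (not from the BLFS book): summarise what the personal
# firewall's final rule, iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT ",
# wrote to the kernel log.  Each logged packet becomes one line carrying the
# prefix followed by key=value fields such as IN= OUT= SRC= DST= PROTO= SPT= DPT=.
# The log lines below are constructed for this example.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" << "EOF"
Sep 13 10:00:01 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 13 10:00:02 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 13 10:00:03 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58
Sep 13 10:00:04 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 13 10:00:05 lfs kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci
EOF

# summarize_firewall_log LOGFILE PREFIX
# Prints one line per (source address, protocol, destination port) seen in
# lines carrying PREFIX, as "SRC PROTO DPT COUNT", most frequent first.
summarize_firewall_log() {
    awk -v prefix="$2" '
        index($0, prefix) == 0 { next }        # not one of our LOG lines
        {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort -k4,4nr -k1,1
}

# noisy_sources LOGFILE PREFIX MIN
# Prints "SRC COUNT" for every source address that hit the LOG rule at least
# MIN times: a cheap way to notice one host touching several closed ports.
noisy_sources() {
    awk -v prefix="$2" -v min="$3" '
        index($0, prefix) == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
        END { for (s in n) if (n[s] >= min) print s, n[s] }
    ' "$1" | sort -k2,2nr
}

echo '== dropped packets by source/protocol/port =='
summarize_firewall_log "$LOG" 'FIREWALL:INPUT '
echo '== sources with 3 or more logged packets =='
noisy_sources "$LOG" 'FIREWALL:INPUT ' 3
```

On a running system the same functions can be pointed at the file your syslog daemon writes kernel messages to, with the prefix you chose in the LOG rule.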
A true Firewall has two interfaces, one connected to an intranet, in this example eth0, and one connected to the Internet, here ppp0. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that makes a daemon on your system crash, or even worse, that implements a worm via a buffer-overflow).
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh
# Begin rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
# (conf/all covers existing interfaces, conf/default those created later)
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if the connection was initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod 700 /etc/rc.d/rc.iptables
With this script your intranet should be reasonably secure against external attacks. No one should be able to set up a new connection to any internal service and, if the intranet is masqueraded, it is invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running on it that an attacker could reach.
If the interface you're connecting to the Internet with doesn't connect via PPP, you will need to change ppp+ to the name of the interface (e.g., eth1) which you are using.
This scenario isn't too different from the Masquerading Router, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.
Outlining a true concept of how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references at the end of this section for more information.
Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Masquerading Router for some more details.
If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.
iptables -A INPUT ! -i ppp+ -j ACCEPT
iptables -A OUTPUT ! -o ppp+ -j ACCEPT
If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans that would like to "call home", and you lose a safety net in case you have (mis-)configured a service so that it broadcasts its existence to the world.
To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.
Have a Look at the Following Examples:
Squid is caching the web:
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
-j ACCEPT
Your caching name server (e.g., named) does its lookups via UDP:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
You want to be able to ping your computer to ensure it's still alive:
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
If you are frequently accessing FTP servers or enjoy chatting, you might notice certain delays because some implementations of these daemons have the feature of querying an identd on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.
To avoid these delays you could reject the requests with a 'tcp-reset':
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans) insert these rules at the top of the chain. Rule numbers start at 1, and the LOG rule has to end up before the DROP rule or nothing will be logged:
iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \
         -j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP
Anything coming from the outside should not carry a private source address; packets that do are forged, a common attack technique called IP spoofing:
iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
There are other source addresses that you may also want to drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link Local Networks), and 192.0.2.0/24 (IANA defined test network).
If your firewall is a DHCP client, you need to allow the server's replies on the interface that obtains the lease. A PPP link does not use DHCP, so this will be an Ethernet interface such as eth1. The reply is sent from the server's own address, either to the broadcast address or directly to the address being offered, so match only the ports:
iptables -A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT
To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.
Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:
iptables -A INPUT -j REJECT
These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.
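A practical way to find those ports is to read the FIREWALL: lines that the LOG rules write to the kernel log. The following shell functions are an added example and not part of the BLFS book: they tally what was logged by prefix, protocol and destination port, and list the source addresses behind one prefix, so that a run of dropped connections to one port from one network stands out from a scan touching many ports. They read the kernel messages as syslog writes them (the path /var/log/kern.log in the comment is an assumption; use whatever your syslog configuration produces) and depend only on awk and sort.

```sh
#!/bin/sh
# Added example, not from the BLFS book: summarise netfilter LOG output.
# Input is a syslog file containing kernel lines such as
#   ... kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 ... PROTO=TCP SPT=44321 DPT=22 ...
# where the FIREWALL:... token is the --log-prefix used in rc.iptables.

# fw_log_summary FILE
# Prints "count prefix proto dport" for every distinct combination, most
# frequent first. Packets without a destination port (ICMP) show "-" as dport.
fw_log_summary() {
    awk '
        /FIREWALL:/ {
            prefix = ""; proto = ""; dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FIREWALL:/)   prefix = $i
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            if (prefix != "" && proto != "")
                count[prefix " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# fw_log_sources FILE PREFIX
# Distinct source addresses logged under exactly PREFIX (e.g. FIREWALL:INVALID),
# one per line, ready for a block list or an abuse report.
fw_log_sources() {
    awk -v p="$2" '
        {
            hit = 0; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == p) hit = 1
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (hit && src != "") print src
        }
    ' "$1" | sort -u
}

# Typical use (path is an assumption; adjust to your syslog setup):
#   fw_log_summary /var/log/kern.log | head
#   fw_log_sources /var/log/kern.log FIREWALL:INVALID
```

Read the summary from the top: a high count for one protocol and port that you recognise (22 for ssh, 53 for a name server) is a candidate for an ACCEPT rule; a long tail of single hits across many ports from one address is a scan and needs no rule at all.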
Finally, there is one fact you must not forget: The effort spent attacking a system corresponds to the value the cracker expects to gain from it. If you are responsible for valuable information, you need to spend the time to protect it properly.
www.netfilter.org - Homepage of the netfilter/iptables project
Netfilter related FAQ
Netfilter related HOWTO's
en.tldp.org/LDP/nag2/x-087-2-firewall.html
en.tldp.org/HOWTO/Security-HOWTO.html
en.tldp.org/HOWTO/Firewall-HOWTO.html
www.linuxsecurity.com/docs/
www.little-idiot.de/firewall (German & outdated, but very comprehensive)
linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html
staff.washington.edu/dittrich/misc/ddos
www.e-infomax.com/ipmasq
www.circlemud.org/~jelson/writings/security/index.htm
www.securityfocus.com
www.cert.org - tech_tips
security.ittoolbox.com
www.insecure.org/reading.html
Last updated on 2012-10-16 10:13:00 -0700
The libcap2 package implements the user-space interfaces to the POSIX 1003.1e capabilities available in Linux kernels. These capabilities are a partitioning of the all powerful root privilege into a set of distinct privileges.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://ftp.de.debian.org/debian/pool/main/libc/libcap2/libcap2_2.22.orig.tar.gz
Download (FTP): ftp://ftp.de.debian.org/debian/pool/main/libc/libcap2/libcap2_2.22.orig.tar.gz
Download MD5 sum: b4896816b626bea445f0b3849bdd4077
Download size: 72 KB
Estimated disk space required: 1.3 MB
Estimated build time: less than 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/libcap2
Install libcap2 by running the following commands:
make
This package does not come with a test suite.
If you want to disable installing the static library, use this sed:
sed -i '/install.*STALIBNAME/ s/^/#/' libcap/Makefile
Now, as the root user:
make RAISE_SETFCAP=no install
RAISE_SETFCAP=no: This parameter skips trying to use setcap on itself. This avoids an installation error if the kernel or file system does not support extended capabilities.
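Because capabilities are exactly the pieces of root privilege that a process keeps, the first question when reviewing a daemon is which ones it actually holds. The kernel reports them as hexadecimal bitmasks in /proc/PID/status (CapEff is the effective set), and libcap2's getpcaps prints them by name. The shell functions below are an added example, not taken from libcap2 or the book: they show the decoding itself, so it can be done on a rescue system or on a saved copy of a status file. The bit numbers are those of the kernel's include/uapi/linux/capability.h as of the 3.x kernels; any higher bit a newer kernel defines is printed as cap_N.

```sh
#!/bin/sh
# Added example, not part of libcap2: decode Linux capability bitmasks.

# Capability names indexed by bit number (0 .. 37), from the kernel's capability.h.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read"

# decode_caps HEXMASK
# Print the name of every capability set in HEXMASK (as found after CapEff:),
# one per line, lowest bit first. Bits beyond the known names print as cap_N.
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            printf '%s\n' "$name"
        fi
        i=$(( i + 1 ))
    done
    # Bits 38..62: defined by newer kernels than this table knows about.
    while [ "$i" -lt 63 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            printf 'cap_%d\n' "$i"
        fi
        i=$(( i + 1 ))
    done
}

# proc_caps [PID]
# Effective capabilities of a running process (default: this shell).
# An unprivileged process prints nothing; a root shell prints the whole table.
proc_caps() {
    pid=${1:-$$}
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")
    decode_caps "$mask"
}
```

A daemon that was started as root and dropped to an ordinary user should show an empty effective set, and a web server that only needs to bind port 80 should show cap_net_bind_service alone; anything with cap_sys_admin or cap_dac_override in its set is root in all but name.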
Last updated on 2013-08-20 15:41:29 -0700
The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.
This package is known to build using an LFS 7.4 platform but has not been tested.
Download (HTTP): http://linux-pam.org/library/Linux-PAM-1.1.7.tar.bz2
Download MD5 sum: 9f90888cd22212a6b5af2920f4eaaf1b
Download size: 1.1 MB
Estimated disk space required: 36 MB
Estimated build time: 0.3 SBU
Optional Documentation
Download (HTTP): http://linux-pam.org/documentation/Linux-PAM-1.1.7-docs.tar.bz2
Download MD5 sum: 808054213e884e69e3f7045d80700da1
Download size 152 KB
Optional: Berkeley DB-6.0.20, CrackLib-2.9.0, libtirpc-0.2.3 and Prelude
Optional (to rebuild the documentation): docbook-xml-4.5, docbook-xsl-1.78.1, fop-1.1, libxslt-1.1.28 and w3m-0.5.3
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/linux-pam
If you downloaded the documentation, unpack the tarball by issuing the following command.
tar -xf ../Linux-PAM-1.1.7-docs.tar.bz2 --strip-components=1
Install Linux PAM by running the following commands:
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --docdir=/usr/share/doc/Linux-PAM-1.1.7 \
            --disable-nis &&
make
To test the results, a configuration file must be created. This file will be removed after the tests have completed. Ensure there are no errors produced by the tests before continuing the installation. First create the configuration file by issuing the following commands as the root user:
install -v -m755 -d /etc/pam.d &&
cat > /etc/pam.d/other << "EOF"
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF
Now run the tests by issuing make check.
Remove the configuration file created earlier by issuing the following command as the root user:
rm -rfv /etc/pam.d
Now, as the root user:
make install &&
chmod -v 4755 /sbin/unix_chkpwd
--disable-nis: This switch disables building of the Network Information Service/Yellow Pages support in the pam_unix and pam_access modules. Remove it if you have installed libtirpc-0.2.3.
chmod -v 4755 /sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid root so that non-root processes can check passwords against the shadow file.
Configuration information is placed in /etc/pam.d/. Below is an example file:
# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
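PAM evaluates a service file line by line, and for any module type the file does not mention it falls back to the entries in /etc/pam.d/other, so a misspelt type or control flag or a stray nullok can weaken authentication without producing any error. The check below is an added example and not part of Linux-PAM or the book: given one service file it reports malformed lines, unknown module types or control flags (including the unterminated bracketed [value=action] form), pam_permit.so in the auth stack, the nullok option (which lets accounts with an empty password field log in; the example file above uses it deliberately for convenience) and module types that fall through to other. It needs only awk.

```sh
#!/bin/sh
# Added example, not part of Linux-PAM: a syntax and policy check for one
# /etc/pam.d service file.

# pam_lint FILE
# Prints one finding per line as FILE:LINE: message; returns 1 if anything was found.
pam_lint() {
    awk '
        function warn(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
        BEGIN {
            split("auth account password session", t, " ")
            for (i in t) types[t[i]] = 1
            split("required requisite sufficient optional include substack", c, " ")
            for (i in c) controls[c[i]] = 1
            bad = 0
        }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)          # a leading "-" only silences missing-module errors
            n = split(line, f, /[ \t]+/)
            if (n < 3) { warn("expected: type control module [arguments]"); next }
            if (!(f[1] in types)) warn("unknown module type \"" f[1] "\"")
            m = 3                               # index of the module field
            if (f[2] ~ /^\[/) {                 # [value=action ...] control syntax
                j = 2
                while (j <= n && f[j] !~ /\]$/) j++
                if (j > n) { warn("unterminated [ ... ] control field"); next }
                m = j + 1
            } else if (!(f[2] in controls)) {
                warn("unknown control flag \"" f[2] "\"")
            }
            if (m > n) { warn("missing module name"); next }
            if (f[1] == "auth" && f[m] == "pam_permit.so")
                warn("pam_permit.so in the auth stack grants access without a credential")
            for (i = m + 1; i <= n; i++)
                if (f[i] == "nullok")
                    warn("nullok accepts accounts with an empty password")
            seen[f[1]] = 1
        }
        END {
            for (ty in types)
                if (!(ty in seen)) {
                    printf "%s: no %s rules; PAM falls back to /etc/pam.d/other for this type\n", FILENAME, ty
                    bad = 1
                }
            exit bad
        }
    ' "$1"
}

# Typical use: for f in /etc/pam.d/*; do pam_lint "$f"; done
```

Run it over every file in /etc/pam.d after installing a package that ships its own PAM configuration; a clean run means only that the files are well formed and free of the listed weak spots, not that the policy is right for your system.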
The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.
Refer to http://debian.securedservers.com/kernel/pub/linux/libs/pam/modules.html for a list of various third-party modules available.
You should now reinstall the Shadow-4.1.5.1 package.
mkhomedir_helper is a helper binary that creates home directories.
pam_tally is used to interrogate and manipulate the login counter file.
pam_tally2 is used to interrogate and manipulate the login counter file, but does not have some of the limitations that pam_tally does.
pam_timestamp_check is used to check if the default timestamp is valid.
unix_chkpwd is a helper binary that verifies the password of the current user.
unix_update is a helper binary that updates the password of a given user.
libpam.so provides the interfaces between applications and the PAM modules.
Last updated on 2013-09-12 20:08:10 -0700
MIT Kerberos V5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos allowing single logins and encrypted communication over internal networks or the Internet.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://web.mit.edu/kerberos/www/dist/krb5/1.11/krb5-1.11.3-signed.tar
Download MD5 sum: 56f0ae274b285320b8a597cb89442449
Download size: 11 MB
Estimated disk space required: 178 MB (Additional 20 MB if running the testsuite)
Estimated build time: 1.0 SBU (additional 3.0 SBU if running the testsuite)
Optional: DejaGnu-1.5.1 (required to run the testsuite), keyutils-1.5.6, OpenLDAP-2.4.36, Python-2.7.5 (used during the testsuite) and rpcbind-0.2.1 (used during the testsuite)
Some sort of time synchronization facility on your system (like ntp-4.2.6p5) is required since Kerberos won't authenticate if there is a time difference between a kerberized client and the KDC server.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/mitkrb
MIT Kerberos V5 is distributed in a TAR file containing a compressed TAR package and a detached PGP ASC file. You'll need to unpack the distribution tar file, then unpack the compressed tar file before starting the build.
After unpacking the distribution tarball and if you have GnuPG-1.4.14 installed, you can authenticate the package. First, check the signature file krb5-1.11.3.tar.gz.asc against the tarball:
gpg --verify krb5-1.11.3.tar.gz.asc krb5-1.11.3.tar.gz
You will probably see output similar to:
gpg: Signature made Wed Aug 8 22:29:58 2012 GMT using RSA key ID F376813D
gpg: Can't check signature: public key not found
You can import the public key with:
gpg --keyserver pgp.mit.edu --recv-keys 0xF376813D
Now re-verify the package with the first command above. You should get an indication of a good signature, but the key will still not be certified with a trusted signature. Trusting the downloaded key is a separate operation, and it is up to you to determine the level of trust. Keep in mind that a 32-bit key ID such as F376813D is not unique: anyone can generate a key with the same short ID and upload it to a keyserver, so compare the key's full fingerprint (gpg --fingerprint 0xF376813D) with one published by MIT through a channel other than the keyserver before you rely on the result.
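To turn that advice into a check that a look-alike key cannot satisfy, verify against the full fingerprint rather than the short ID. The shell functions below are an added example, not from MIT or the book: gpg's machine-readable --status-fd output contains a VALIDSIG line carrying the 40-hex-digit fingerprint of the key that made a good signature, and the wrapper reports success only when that fingerprint equals the one you pinned. The fingerprint shown in the usage comment is a placeholder, not MIT's key; obtain the real one from MIT's web site or a previously verified release.

```sh
#!/bin/sh
# Added example, not part of MIT Kerberos or the BLFS book: verify a detached
# signature and accept it only if the signing key has a known fingerprint.

# validsig_fingerprint STATUS_TEXT
# Extract the signing key's fingerprint from gpg --status-fd output.
# Prints nothing unless gpg reported VALIDSIG (a cryptographically good signature).
validsig_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# fingerprints_match FPR1 FPR2
# Compare two fingerprints case-insensitively, ignoring the grouping spaces that
# gpg --fingerprint prints. Succeeds only for two identical 40-digit fingerprints.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# verify_pinned TARBALL SIGNATURE EXPECTED_FPR
# Succeeds only when the signature is good AND was made by the key with
# EXPECTED_FPR. A good signature from any other key, for example one that was
# fetched from a keyserver by short ID, is rejected.
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fingerprints_match "$(validsig_fingerprint "$status")" "$3"
}

# Usage (the fingerprint is a placeholder, not MIT's real key):
#   verify_pinned krb5-1.11.3.tar.gz krb5-1.11.3.tar.gz.asc \
#       "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" && echo "signature pinned OK"
```

The status-fd protocol is what front ends such as mail clients rely on, so it is stable across GnuPG versions; the human-readable text on stderr is not, which is why the wrapper ignores it.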
Build MIT Kerberos V5 by running the following commands:
cd src &&
sed -e "s@python2.5/Python.h@& python2.7/Python.h@g" \
    -e "s@-lpython2.5]@&,\n  AC_CHECK_LIB(python2.7,main,[PYTHON_LIB=-lpython2.7])@g" \
    -i configure.in &&
sed -e "s@interp->result@Tcl_GetStringResult(interp)@g" \
    -i kadmin/testing/util/tcl_kadm5.c &&
autoconf &&
./configure CPPFLAGS="-I/usr/include/et -I/usr/include/ss" \
            --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var/lib \
            --with-system-et \
            --with-system-ss \
            --enable-dns-for-realm &&
make
The regression test suite is designed to be run after the installation has been completed.
Now, as the root user:
make install &&
for LIBRARY in gssapi_krb5 gssrpc k5crypto kadm5clnt_mit kadm5srv_mit \
               kdb5 kdb_ldap krb5 krb5support verto ; do
    [ -e /usr/lib/lib$LIBRARY.so.*.* ] && chmod -v 755 /usr/lib/lib$LIBRARY.so.*.*
done &&
mv -v /usr/lib/libkrb5.so.3* /lib &&
mv -v /usr/lib/libk5crypto.so.3* /lib &&
mv -v /usr/lib/libkrb5support.so.0* /lib &&
ln -v -sf ../../lib/libkrb5.so.3.3 /usr/lib/libkrb5.so &&
ln -v -sf ../../lib/libk5crypto.so.3.1 /usr/lib/libk5crypto.so &&
ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &&
mv -v /usr/bin/ksu /bin &&
chmod -v 755 /bin/ksu &&
install -v -dm755 /usr/share/doc/krb5-1.11.3 &&
cp -vfr ../doc/* /usr/share/doc/krb5-1.11.3 &&
unset LIBRARY
To test the installation, you must have DejaGnu-1.5.1 installed and issue: make check.
sed -e ...: The first sed fixes Python detection and the second one fixes the build with Tcl 8.6.
--enable-dns-for-realm: This switch allows realms to be resolved using the DNS server.
--with-system-et: This switch causes the build to use the system-installed versions of the error-table support software.
--with-system-ss: This switch causes the build to use the system-installed versions of the subsystem command-line interface software.
--localstatedir=/var/lib: This parameter is used so that the Kerberos variable run-time data is located in /var/lib instead of /usr/var.
mv -v /usr/bin/ksu /bin: Moves the ksu program to the /bin directory so that it is available when the /usr filesystem is not mounted.
--with-ldap: Use this switch if you want to compile the OpenLDAP database backend module.
You should consider installing some sort of password checking dictionary so that you can configure the installation to only accept strong passwords. A suitable dictionary to use is shown in the CrackLib-2.9.0 instructions. Note that only one file can be used, but you can concatenate many files into one. The configuration file shown below assumes you have installed a dictionary to /usr/share/dict/words.
Create the Kerberos configuration file with the following commands issued by the root user:
cat > /etc/krb5.conf << "EOF"
# Begin /etc/krb5.conf

[libdefaults]
    default_realm = <LFS.ORG>
    encrypt = true

[realms]
    <LFS.ORG> = {
        kdc = <belgarath.lfs.org>
        admin_server = <belgarath.lfs.org>
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .<lfs.org> = <LFS.ORG>

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH
    default = SYSLOG:INFO:DAEMON

# End /etc/krb5.conf
EOF
You will need to substitute your domain and proper hostname for the occurrences of the <belgarath> and <lfs.org> names.
default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT recommend it.
encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.
The [realms] parameters tell the client programs where to look for the KDC authentication services.
The [domain_realm] section maps a domain to a realm.
The [logging] entries use the form SYSLOG:severity:facility. The square brackets shown in the krb5.conf man page only mark the severity and facility as optional; they are not part of the syntax, and an entry written with them is parsed as a bare SYSLOG with the default severity.
Create the KDC database:
kdb5_util create -r <LFS.ORG> -s
Now you should populate the database with principals (users). For now, just use your regular login name or root.
kadmin.local
kadmin: add_policy dict-only
kadmin: addprinc -policy dict-only <loginname>
The KDC server and any machine running kerberized server daemons must have a host key installed:
kadmin: addprinc -randkey host/<belgarath.lfs.org>
After choosing the defaults when prompted, you will have to export the data to a keytab file:
kadmin: ktadd host/<belgarath.lfs.org>
This should have created a file in /etc named krb5.keytab (Kerberos 5). This file should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.
Exit the kadmin program (use quit or exit) and return back to the shell prompt. Start the KDC daemon manually, just to test out the installation:
/usr/sbin/krb5kdc
Attempt to get a ticket with the following command:
kinit <loginname>
You will be prompted for the password you created. After you get your ticket, you can list it with the following command:
klist
Information about the ticket should be displayed on the screen.
To test the functionality of the keytab file, issue the following command:
ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
This should dump a list of the host principal, along with the encryption methods used to access the principal.
At this point, if everything has been successful so far, you can feel fairly confident in the installation and configuration of the package.
For additional information consult Documentation for krb5-1.11.3 on which the above instructions are based.
If you want to start Kerberos services at boot, install the /etc/rc.d/init.d/krb5 init script included in the blfs-bootscripts-20130908 package using the following command:
make install-krb5
k5srvutil is a host keytable manipulation utility.
kadmin is a utility used to make modifications to the Kerberos database.
kadmind is a server for administrative access to a Kerberos database.
kdb5_util is the KDC database utility.
kdestroy removes the current set of tickets.
kinit is used to authenticate to the Kerberos server as a principal and acquire a 
ticket granting ticket that can later be used to obtain tickets for other services.
klist reads and displays the current tickets in the credential cache.
kpasswd is a program for changing Kerberos 5 passwords.
kprop takes a principal database in a specified format and converts it into a stream of database records.
kpropd receives a database sent by kprop and writes it as a local database.
krb5-config gives information on how to link programs against libraries.
krb5kdc is the Kerberos 5 server.
ksu is the super user program using the Kerberos protocol. Requires a properly configured /etc/krb5.conf.
kswitch makes the specified credential cache the primary cache for the collection, if a cache collection is available.
ktutil is a program for managing Kerberos keytabs.
kvno prints keyversion numbers of Kerberos principals.
sclient is used to contact a sample server and authenticate to it using Kerberos 5 tickets, then display the server's response.
sserver is the sample Kerberos 5 server.
libgssapi_krb5.so contains the Generic Security Service Application Programming Interface (GSSAPI) functions, which provide security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.
libkadm5clnt.so contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.
libkadm5srv.so contains the administrative authentication and password checking functions required by Kerberos 5 servers.
libkdb5.so is a Kerberos 5 authentication/authorization database access library.
libkrb5.so is an all-purpose Kerberos 5 library.
Last updated on 2013-08-23 03:32:24 -0700
The Nettle package contains the low-level cryptographic library that is designed to fit easily in many contexts.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
Download (FTP): ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
Download MD5 sum: 003d5147911317931dd453520eb234a5
Download size: 1.5 MB
Estimated disk space required: 94 MB
Estimated build time: 0.6 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/nettle
Install Nettle by running the following commands:
./configure --prefix=/usr && make
To test the results, issue: make check.
If you want to disable installing the static library, use this sed:
sed -i '/^install-here/ s/install-static//' Makefile
Now, as the root user:
make install &&
chmod -v 755 /usr/lib/libhogweed.so.2.5 /usr/lib/libnettle.so.4.7 &&
install -v -m755 -d /usr/share/doc/nettle-2.7.1 &&
install -v -m644 nettle.html /usr/share/doc/nettle-2.7.1
nettle-hash calculates a hash value using a specified algorithm.
nettle-lfib-stream outputs a sequence of pseudorandom (non-cryptographic) bytes, using Knuth's lagged Fibonacci generator. The stream is useful for testing, but should not be used to generate cryptographic keys or anything else that needs real randomness.
pkcs1-conv converts private and public RSA keys from PKCS #1 format to sexp format.
sexp-conv converts an s-expression to a different encoding.
Last updated on 2013-09-01 13:59:10 -0700
The Network Security Services (NSS) package is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This is useful for implementing SSL and S/MIME or other Internet security standards into an application.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/nss-3.15.1.tar.gz
Download (FTP): ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/nss-3.15.1.tar.gz
Download MD5 sum: fb68f4d210ac9397dd0d3c39c4f938eb
Download size: 6.0 MB
Estimated disk space required: 74 MB
Estimated build time: 1.2 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/nss
This package does not support parallel build.
Install NSS by running the following commands:
patch -Np1 -i ../nss-3.15.1-standalone-2.patch &&
cd nss &&
make BUILD_OPT=1 \
  NSPR_INCLUDE_DIR=/usr/include/nspr \
  USE_SYSTEM_ZLIB=1 \
  ZLIB_LIBS=-lz \
  $([ $(uname -m) = x86_64 ] && echo USE_64=1) \
  $([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1)
This package does not come with a test suite.
Now, as the root user:
cd ../dist &&
install -v -m755 Linux*/lib/*.so /usr/lib &&
install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &&
install -v -m755 -d /usr/include/nss &&
cp -v -RL {public,private}/nss/* /usr/include/nss &&
chmod 644 /usr/include/nss/* &&
install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &&
install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig
BUILD_OPT=1: This option is passed to make so that the build is performed with no debugging symbols built into the binaries and the default compiler optimizations are used.
NSPR_INCLUDE_DIR=/usr/include/nspr: This option sets the location of the nspr headers.
USE_SYSTEM_ZLIB=1: This option is passed to make to ensure that the libssl3.so library is linked to the system installed zlib instead of the in-tree version.
ZLIB_LIBS=-lz: This option provides the linker flags needed to link to the system zlib.
$([ $(uname -m) = x86_64 ] && echo USE_64=1): The USE_64=1 option is required on x86_64, otherwise make will try (and fail) to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it has no effect on a 32 bit system.
$([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1): This tests if sqlite is installed and if so it echos the option NSS_USE_SYSTEM_SQLITE=1 to make so that libsoftokn3.so will link against the system version of sqlite.
certutil is the Mozilla Certificate Database Tool. It is a command-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can also list, generate, modify, or delete certificates within the cert8.db file and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.
nss-config is used to determine the NSS library settings of the installed NSS libraries.
pk12util is a tool for importing certificates and keys from PKCS #12 files into NSS or exporting them. It can also list certificates and keys in such files.
Last updated on 2013-08-20 13:51:02 -0700
The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementions of telnet and rcp respectively.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.3p1.tar.gz
Download (FTP): ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.3p1.tar.gz
Download MD5 sum: 225e75c9856f76011966013163784038
Download size: 1.2 MB
Estimated disk space required: 35 MB (additional 10 MB if running the tests)
Estimated build time: 0.4 SBU (running the tests takes at least 10 minutes, irrespective of processor speed)
Optional: Linux-PAM-1.1.7, X Window System, MIT Kerberos V5-1.11.3, libedit, OpenSC, and libsectok
Optional Runtime (used only to gather entropy): OpenJDK-1.7.0.40/IcedTea-2.4.1, Net-tools-CVS_20101030, and Sysstat-10.1.7
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH
OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:
install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
Install OpenSSH by running the following commands:
./configure --prefix=/usr \
            --libexecdir=/usr/lib/openssh \
            --sysconfdir=/etc/ssh \
            --datadir=/usr/share/sshd \
            --with-md5-passwords \
            --with-privsep-path=/var/lib/sshd &&
make
The testsuite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first.
To test the results, issue: make tests.
Now, as the root user:
make install &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-6.3p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-6.3p1
--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.
--datadir=/usr/share/sshd: This switch puts the Ssh.bin file (used for SmartCard authentication) in /usr/share/sshd.
--with-md5-passwords: This enables the use of MD5 passwords.
--with-pam: This parameter enables Linux-PAM support in the build.
--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.
--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.
--with-libedit: This option enables line editing and history features for sftp.
~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config
There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
Note that sshd uses the first value it reads for a keyword, so appending a setting only has an effect if the keyword is not already set earlier in the file; check with grep before appending, and run sshd -t afterwards to have sshd parse the file and report any error.
If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_HOSTNAME to the hostname of the remote computer and you'll also need to enter your password for the ssh command to succeed. The remote ~/.ssh directory must already exist; the ssh-copy-id script installed above creates it with the right permissions and appends the key in one step, so prefer it where it is available:
ssh-keygen &&
public_key="$(cat ~/.ssh/id_rsa.pub)" &&
ssh REMOTE_HOSTNAME "echo ${public_key} >> ~/.ssh/authorized_keys" &&
unset public_key
Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user:
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
If you added LinuxPAM support and you want ssh to use it, then you will need to add a configuration file for sshd and enable use of LinuxPAM. Note that ssh only uses PAM to check passwords; if you've disabled password logins these commands are not needed. If you want to use PAM, issue the following commands as the root user:
sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config
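The echo commands in this section all append to sshd_config. Because sshd keeps the first value it reads for a keyword, an appended line is ignored whenever the keyword already appears earlier in the file, and if the file ends with a Match block the appended line becomes part of that block instead of a global setting. The shell functions below are an added example, not part of OpenSSH or the book, that set a directive idempotently: sshd_get shows the effective global value, and sshd_set removes earlier definitions and commented-out defaults of the keyword and writes the new line just before the first Match block (or at the end of the file). They assume the usual "Keyword value" spelling rather than the Keyword=value form, and they do not touch lines inside Match blocks, which override the global value for the connections they match. Run sshd -t after editing to let sshd check the result.

```sh
#!/bin/sh
# Added example, not part of OpenSSH or the BLFS book: idempotent sshd_config edits.

# sshd_get FILE KEYWORD
# Print the global value of KEYWORD: the first non-comment setting before any
# Match block, which is the one sshd uses. Prints nothing if the built-in default applies.
sshd_get() {
    awk -v key="$2" '
        BEGIN { k = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE
# Make "KEYWORD VALUE" the effective global setting: every earlier definition or
# commented-out default of KEYWORD before the first Match block is removed and the
# new line is written just before that block (or at the end of the file), so it can
# neither be shadowed by an earlier line nor swallowed into a Match block.
sshd_set() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        BEGIN { k = tolower(key); done = 0 }
        {
            text = $0
            sub(/^[ \t]+/, "", text)
            is_comment = (text ~ /^#/)
            sub(/^#[ \t]*/, "", text)          # look at the keyword behind a "#" as well
            split(text, f, /[ \t]+/)
            w = tolower(f[1])
            if (!done && !is_comment && w == "match") { print key " " val; done = 1 }
            else if (!done && w == k) next     # drop an old setting or commented default
            print
        }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage, as root (then: sshd -t && /etc/rc.d/init.d/sshd reload):
#   sshd_set /etc/ssh/sshd_config PermitRootLogin no
#   sshd_set /etc/ssh/sshd_config PasswordAuthentication no
#   sshd_get /etc/ssh/sshd_config PermitRootLogin
```

Writing the result back with cat rather than mv keeps the file's owner, mode and inode, which matters for a file that root owns in /etc/ssh.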
Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.
To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20130908 package.
make install-sshd
scp | is a file copy program that acts like rcp except it uses an encrypted protocol. |
sftp | is an FTP-like program that works over the SSH1 and SSH2 protocols. |
sftp-server | is an SFTP server subsystem. This program is not normally called directly by the user. |
slogin | is a symlink to ssh. |
ssh | is an rlogin/rsh-like client program except it uses an encrypted protocol. |
sshd | is a daemon that listens for ssh login requests. |
ssh-add | is a tool which adds keys to the ssh-agent. |
ssh-agent | is an authentication agent that can store private keys. |
ssh-copy-id | is a script that enables logins on a remote machine using local keys. |
ssh-keygen | is a key generation tool. |
ssh-keyscan | is a utility for gathering public host keys from a number of hosts. |
ssh-keysign | is used by ssh to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. This program is not normally called directly by the user. |
ssh-pkcs11-helper | is an ssh-agent helper program for PKCS#11 support. |
Last updated on 2013-09-13 12:50:39 -0700
The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, such as OpenSSH, email applications and web browsers (for accessing HTTPS sites).
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://www.openssl.org/source/openssl-1.0.1e.tar.gz
Download (FTP): ftp://ftp.openssl.org/source/openssl-1.0.1e.tar.gz
Download MD5 sum: 66bf6f10f060d561929de96f9dfe5b8c
Download size: 4.3 MB
Estimated disk space required: 55 MB
Estimated build time: 1.5 SBU
bc-1.06.95 (required for full coverage by the test suite during the build) and MIT Kerberos V5-1.11.3
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSL
Install OpenSSL with the following commands:
patch -Np1 -i ../openssl-1.0.1e-fix_parallel_build-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-fix_pod_syntax-1.patch &&
./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         shared                \
         zlib-dynamic &&
make
To test the results, issue: make test.
If you want to disable installing the static libraries, use this sed:
sed -i 's# libcrypto.a##;s# libssl.a##' Makefile
Now, as the root user:
make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
install -dv -m755 /usr/share/doc/openssl-1.0.1e &&
cp -vfr doc/* /usr/share/doc/openssl-1.0.1e
shared: This parameter forces the creation of shared libraries along with the static libraries.
zlib-dynamic: This parameter adds compression/decompression functionality using the libz library.
no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.
make MANDIR=/usr/share/man MANSUFFIX=ssl install: This command installs OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man and appends the "ssl" suffix to the manual page names to avoid conflicts with manual pages installed by other packages.
Most users will want to install Certificate Authority Certificates for validation of downloaded certificates. For example, these certificates can be used by git-1.8.4, cURL-7.32.0 or Wget-1.14 when accessing secure (https protocol) sites. To do this, follow the instructions from the Certificate Authority Certificates page.
Users who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers do not need to worry about additional configuration. This is an advanced topic and so those who do need it would normally be expected to either know how to properly update /etc/ssl/openssl.cnf or be able to find out how to do it.
c_rehash | is a Perl script that scans all files in a directory and adds symbolic links to their hash values. |
openssl | is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for various functions which are documented in man 1 openssl. |
libcrypto.so | implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement OpenSSH, OpenPGP, and other cryptographic standards. |
libssl.so | implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API, documentation on which can be found by running man 3 ssl. |
Last updated on 2013-08-17 13:38:01 -0700
The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://p11-glue.freedesktop.org/releases/p11-kit-0.20.1.tar.gz
Download MD5 sum: 88c651137f76a167336639371eafd8cc
Download size: 1.1 MB
Estimated disk space required: 74 MB
Estimated build time: 0.4 SBU
Certificate Authority Certificates, libtasn1-3.3, and libffi-3.0.13
NSS-3.15.1, GTK-Doc-1.19 and libxslt-1.1.28
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit
Install p11-kit by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc && make
To test the results, issue: make check.
Now, as the root user:
make install
--with-hash-impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.
--enable-doc: Use this switch if you have installed GTK-Doc-1.19 and libxslt-1.1.28 and wish to rebuild the documentation and generate manual pages.
Last updated on 2013-09-09 15:17:21 -0700
Polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to communicate with privileged processes.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://www.freedesktop.org/software/polkit/releases/polkit-0.111.tar.gz
Download MD5 sum: 81b116edf986d8e13502929a171f4e0d
Download size: 1.4 MB
Estimated disk space required: 17 MB
Estimated build time: 0.5 SBU
GLib-2.36.4, Intltool-0.50.2 and JS-17.0.0
docbook-xml-4.5, docbook-xsl-1.78.1, GTK-Doc-1.19, libxslt-1.1.28 and Linux-PAM-1.1.7
If libxslt-1.1.28 is installed, then docbook-xml-4.5 and docbook-xsl-1.78.1 are required. If you have installed libxslt-1.1.28, but you do not want to install any of the DocBook packages mentioned, you will need to use --disable-man-pages in the instructions below.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/polkit
There should be a dedicated user and group to take control of the polkitd daemon after it is started. Issue the following commands as the root user:
groupadd -fg 27 polkitd &&
useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
        -g polkitd -s /bin/false polkitd
Install Polkit by running the following commands:
./configure --prefix=/usr                    \
            --sysconfdir=/etc                \
            --localstatedir=/var             \
            --with-authfw=shadow             \
            --disable-static                 \
            --libexecdir=/usr/lib/polkit-1 &&
make
To test the results, issue: make check. Note that the system D-Bus daemon must be running for the test suite to complete. There is also a warning about the ConsoleKit database not being present, but that one can be safely ignored.
Now, as the root user:
make install
--with-authfw=shadow: This parameter configures the package to use the Shadow rather than the Linux PAM authentication framework. Remove it if you would like to use Linux PAM.
--disable-static: This switch prevents installation of static versions of the libraries.
--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.
If you did not build Polkit with Linux PAM support, you can skip this section. If you have built Polkit with Linux PAM support, you need to replace the PAM configuration file that the package installs by default to get Polkit to work correctly with BLFS. Issue the following commands as the root user to create the configuration file for Linux PAM:
cat > /etc/pam.d/polkit-1 << "EOF"
# Begin /etc/pam.d/polkit-1
auth include system-auth
account include system-account
password include system-password
session include system-session
# End /etc/pam.d/polkit-1
EOF
pkaction | is used to obtain information about registered PolicyKit actions. |
pkcheck | is used to check whether a process is authorized for an action. |
pkexec | allows an authorized user to execute a command as another user. |
pkttyagent | is used to start a textual authentication agent for the subject. |
polkitd | provides the org.freedesktop.PolicyKit1 D-Bus service on the system message bus. |
libpolkit-agent-1.so | contains the Polkit authentication agent API functions. |
libpolkit-gobject-1.so | contains the Polkit authorization API functions. |
Last updated on 2013-09-12 04:52:21 -0700
Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.1.tar.bz2
Download MD5 sum: a00449aa439c69287b6d472191dc2247
Download size: 2.1 MB
Estimated disk space required: 38 MB
Estimated build time: 0.3 SBU
Linux-PAM-1.1.7 or CrackLib-2.9.0
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/shadow
The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation. If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below and also issue the following command:
sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs
Reinstall Shadow by running the following commands:
sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &&
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &&
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&
sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' \
       -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs &&
./configure --prefix=/usr --sysconfdir=/etc &&
make
This package does not come with a test suite.
Now, as the root user:
make install && mv -v /usr/bin/passwd /bin
sed -i 's/groups$(EXEEXT) //' src/Makefile.in: This sed is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.
find man -name Makefile.in -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.
sed -i -e '...' -e '...' man/Makefile.in: This command disables the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly.
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' etc/login.defs: Instead of using the default 'DES' method, this command modifies the installation to use the more secure 'SHA512' method of hashing passwords, which also allows passwords longer than eight characters. It also changes the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location.
sed -i -e 's@PATH=/sbin:/bin:/usr/sbin:/usr/bin@&:/usr/local/sbin:/usr/local/bin@' -e 's@PATH=/bin:/usr/bin@&:/usr/local/bin@' etc/login.defs: This sed expands PATH to /usr/local/bin for normal and root users and to /usr/local/sbin for the root user only.
mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted, so it is moved into the root partition.
Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd will make the group ownership of this file the mail group with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user:
sed -i 's/yes/no/' /etc/default/useradd
The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.
Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-1.1.7 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following link:
The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY FAILLOG_ENAB   \
                LASTLOG_ENAB              \
                MAIL_CHECK_ENAB           \
                OBSCURE_CHECKS_ENAB       \
                PORTTIME_CHECKS_ENAB      \
                QUOTAS_ENAB               \
                CONSOLE MOTD_FILE         \
                FTMP_FILE NOLOGINS_FILE   \
                ENV_HZ PASS_MIN_LEN       \
                SU_WHEEL_ONLY             \
                CRACKLIB_DICTPATH         \
                PASS_CHANGE_TRIES         \
                PASS_ALWAYS_WARN          \
                CHFN_AUTH ENCRYPT_METHOD  \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
done
As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.
As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands:
cat > /etc/pam.d/system-account << "EOF"
# Begin /etc/pam.d/system-account
account required pam_unix.so
# End /etc/pam.d/system-account
EOF
cat > /etc/pam.d/system-auth << "EOF"
# Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth
EOF
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# check new passwords for strength (man pam_cracklib)
password required pam_cracklib.so type=Linux retry=3 difok=5 \
difignore=23 minlen=9 dcredit=1 \
ucredit=1 lcredit=1 ocredit=1 \
dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password required pam_unix.so sha512 shadow use_authtok
# End /etc/pam.d/system-password
EOF
In its default configuration, owing to credits, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system.
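The reason credits shorten the effective minimum is that pam_cracklib scores a password rather than measuring it: each character counts one point and each character class with a positive credit can add up to that many bonus points, so a mixed password needs fewer actual characters to reach minlen. The following is an added example, not part of the BLFS book, that reproduces that arithmetic for the values in the system-password file above so the effect of a proposed minlen and credit set can be checked before deploying it. The scoring rule is an assumption modelled on pam_cracklib's length check, and the 6-character floor is cracklib's own hard limit; the function names are the example's.

```shell
#!/bin/sh
# Added example, not from the BLFS book: reproduce pam_cracklib's credit
# arithmetic so the minlen/dcredit/ucredit/lcredit/ocredit values in
# system-password can be checked before they are deployed.
# Assumed rule (modelled on pam_cracklib's length check): every character
# scores 1; for each class with a non-negative credit N, up to N characters of
# that class add one bonus point each; a negative credit -N gives no bonus and
# instead REQUIRES at least N characters of that class.  The password passes
# when score >= minlen.  cracklib itself still rejects anything shorter than
# 6 characters, which is why credits cannot push the floor below that.

# count_class STRING CLASS: number of characters of STRING in tr(1) CLASS
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# bonus COUNT CREDIT: print the bonus points a class earns, or REQ when a
# negative credit's requirement is not met
bonus() {
    count=$1 credit=$2
    if [ "$credit" -ge 0 ]; then
        [ "$count" -gt "$credit" ] && count=$credit
        echo "$count"
    elif [ "$count" -lt $((-credit)) ]; then
        echo REQ
    else
        echo 0
    fi
}

# cracklib_score PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# prints the score; exit status 0 = accepted, 1 = too short, 2 = a required
# character class is missing
cracklib_score() {
    pw=$1 minlen=$2
    len=${#pw}
    digits=$(count_class "$pw" '[:digit:]')
    uppers=$(count_class "$pw" '[:upper:]')
    lowers=$(count_class "$pw" '[:lower:]')
    others=$((len - digits - uppers - lowers))   # anything not alphanumeric
    score=$len
    for pair in "$digits $3" "$uppers $4" "$lowers $5" "$others $6"; do
        b=$(bonus $pair)        # unquoted on purpose: splits into COUNT CREDIT
        if [ "$b" = REQ ]; then echo "$score"; return 2; fi
        score=$((score + b))
    done
    echo "$score"
    [ "$len" -ge 6 ] && [ "$score" -ge "$minlen" ]
}
```

With the file's values (minlen=9, all four credits 1), eight lowercase letters score 9 and are accepted, while a five-character password mixing all four classes also scores 9 but is still refused by the 6-character floor. Setting a credit negative, for example lcredit=-2, turns the bonus into a requirement for two lowercase characters.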
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password required pam_unix.so sha512 shadow try_first_pass
# End /etc/pam.d/system-password
EOF
cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session
session required pam_unix.so
# End /etc/pam.d/system-session
EOF
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
# Set failure delay before next prompt to 3 seconds
auth optional pam_faildelay.so delay=3000000
# Check to make sure that the user is allowed to login
auth requisite pam_nologin.so
# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth required pam_securetty.so
# Additional group memberships - disabled by default
#auth optional pam_group.so
# include the default auth settings
auth include system-auth
# check access for the user
account required pam_access.so
# include the default account settings
account include system-account
# Set default environment variables for the user
session required pam_env.so
# Set resource limits for the user
session required pam_limits.so
# Display date of last login - Disabled by default
#session optional pam_lastlog.so
# Display the message of the day - Disabled by default
#session optional pam_motd.so
# Check user's mail - Disabled by default
#session optional pam_mail.so standard quiet
# include the default session and password settings
session include system-session
password include system-password
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password include system-password
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
# always allow root
auth sufficient pam_rootok.so
auth include system-auth
# include the default account settings
account include system-account
# Set default environment variables for the service user
session required pam_env.so
# include system session defaults
session include system-session
# End /etc/pam.d/su
EOF
cat > /etc/pam.d/chage << "EOF"
#Begin /etc/pam.d/chage
# always allow root
auth sufficient pam_rootok.so
# include system defaults for auth account and session
auth include system-auth
account include system-account
session include system-session
# Always permit for authentication updates
password required pam_permit.so
# End /etc/pam.d/chage
EOF
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done
At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
# End /etc/pam.d/other
EOF
Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:
[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/7.4/chapter06/shadow.html#contents-shadow.
Last updated on 2013-08-23 03:32:24 -0700
The stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://mirrors.zerg.biz/stunnel/stunnel-4.56.tar.gz
Download (FTP): ftp://ftp.stunnel.org/stunnel/stunnel-4.56.tar.gz
Download MD5 sum: ac4c4a30bd7a55b6687cbd62d864054c
Download size: 532 KB
Estimated disk space required: 6.0 MB
Estimated build time: 0.2 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel
The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user:
groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel
A signed SSL Certificate and a Private Key are necessary to run the stunnel daemon. If you own, or have already created, a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access); otherwise you will be prompted to create one during the installation process. The .pem file must be formatted as shown below:
-----BEGIN PRIVATE KEY-----
<many encrypted lines of private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<encrypted lines of dh parms>
-----END DH PARAMETERS-----
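A file that has the wrong block order, a missing DH PARAMETERS block or an unmatched BEGIN/END pair is a common reason for stunnel to refuse to start. The following is an added example, not part of the BLFS book, that checks a .pem file for exactly the layout shown above before the "cert =" line is pointed at it. It assumes that an "RSA PRIVATE KEY" block is acceptable in place of the "PRIVATE KEY" form, and the sample file it writes contains constructed placeholder lines, not real key material.

```shell
#!/bin/sh
# Added example, not from the BLFS book: check that a stunnel.pem file has the
# layout shown above (private key, then certificate, then DH parameters, each
# BEGIN line paired with its END line) before "cert =" is pointed at it.
# Assumption: a "-----BEGIN RSA PRIVATE KEY-----" block is accepted in place
# of the PKCS#8 "-----BEGIN PRIVATE KEY-----" form.

# pem_layout_ok FILE: exit 0 when the three blocks are complete and in order,
# otherwise print a one-line reason and exit 1
pem_layout_ok() {
    awk '
        function fail(msg) { print msg; bad = 1; exit 1 }
        BEGIN {
            want[1] = "PRIVATE KEY"; want[2] = "CERTIFICATE"; want[3] = "DH PARAMETERS"
            expect = 1; open = ""
        }
        /^-----BEGIN / {
            sub(/^-----BEGIN /, ""); sub(/-----$/, ""); sub(/^RSA /, "")
            if (open != "") fail("nested block inside " open)
            if (expect > 3 || $0 != want[expect]) fail("unexpected block: " $0)
            open = $0; next
        }
        /^-----END / {
            sub(/^-----END /, ""); sub(/-----$/, ""); sub(/^RSA /, "")
            if ($0 != open) fail("END " $0 " does not match BEGIN " open)
            open = ""; expect++; next
        }
        END {
            if (bad) exit 1                       # a rule already reported the problem
            if (open != "") fail("unterminated block: " open)
            if (expect != 4) fail("expected 3 blocks, found " (expect - 1))
        }
    ' "$1"
}

# Constructed sample (placeholder lines only, no real key or certificate data)
write_sample_pem() {
    cat > "$1" << "EOF"
-----BEGIN PRIVATE KEY-----
constructedPlaceholderKeyLine1
constructedPlaceholderKeyLine2
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
constructedPlaceholderCertLine1
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
constructedPlaceholderDhLine1
-----END DH PARAMETERS-----
EOF
}
```

The check only inspects the block markers; whether the key actually matches the certificate is a separate question that openssl can answer, and the file's ownership and mode (root only, as the text above requires) should be verified alongside it.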
Install stunnel by running the following commands:
./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --disable-libwrap &&
make
This package does not come with a test suite.
Now, as the root user:
make docdir=/usr/share/doc/stunnel-4.56 install
--sysconfdir=/etc: This parameter forces the configuration directory to /etc instead of /usr/etc.
--localstatedir=/var: This parameter sets the installation to use /var/lib/stunnel instead of creating and using /usr/var/stunnel.
--disable-libwrap: This parameter is required if you don't have tcpwrappers installed. Remove the parameter if tcpwrappers is installed.
make docdir=... install: This command installs the package, changes the documentation installation directory to standard naming conventions and, if you did not copy an stunnel.pem file to the /etc/stunnel directory, prompts you for the necessary information to create one. Ensure you reply to the
Common Name (FQDN of your server) [localhost]:
prompt with the name or IP address you will be using to access the service(s).
As the root user, create the directory used for the .pid file that is created when the stunnel daemon starts:
install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run
Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user:
cat >/etc/stunnel/stunnel.conf << "EOF" &&
; File: /etc/stunnel/stunnel.conf
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem
EOF
chmod -v 644 /etc/stunnel/stunnel.conf
Finally, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:
[<service>]
accept = <hostname:portnumber>
connect = <hostname:portnumber>
If you use stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.
For a full explanation of the commands and syntax used in the configuration file, run man stunnel. To see a BLFS example of an actual setup of an stunnel encrypted service, read the section called “Configuring SWAT” in the Samba instructions.
To automatically start the stunnel daemon when the system is rebooted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-20130908 package.
make install-stunnel
Last updated on 2013-08-22 15:40:33 -0700
The Sudo package allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://www.sudo.ws/sudo/dist/sudo-1.8.7.tar.gz
Download (FTP): ftp://ftp.twaren.net/Unix/Security/Sudo/sudo-1.8.7.tar.gz
Download MD5 sum: a02367090e1dac8d0c1747de1127b6bf
Download size: 1.9 MB
Estimated disk space required: 31 MB
Estimated build time: 0.3 SBU
AFS, FWTK, Linux-PAM-1.1.7, MIT Kerberos V5-1.11.3, an MTA (that provides a sendmail command), OpenLDAP-2.4.36, Opie and SecurID
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/sudo
Install Sudo by running the following commands:
./configure --prefix=/usr                      \
            --libexecdir=/usr/lib/sudo         \
            --docdir=/usr/share/doc/sudo-1.8.7 \
            --with-timedir=/var/lib/sudo       \
            --with-all-insults                 \
            --with-env-editor &&
make
This package does not come with a test suite.
Now, as the root user:
make install
--with-timedir=/var/lib/sudo: This switch places the variable time stamp files in a FHS compatible location.
--with-all-insults: This switch includes all the sudo insult sets.
--with-env-editor: This switch enables use of the environment variable EDITOR for visudo.
There are many options to sudo's configure command. Check the configure --help output for a complete list.
The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.
One example usage is to allow the system administrator to execute any program without typing a password each time root privileges are needed. This can be configured as:
# User alias specification
User_Alias ADMIN = YourLoginId

# Allow people in group ADMIN to run all commands without a password
ADMIN ALL = NOPASSWD: ALL
For details, see man sudoers.
The Sudo developers highly recommend using the visudo program to edit the sudoers file. This will provide basic sanity checking like syntax parsing and file permission to avoid some possible mistakes that could lead to a vulnerable configuration.
If you've built Sudo with PAM support, issue the following command as the root user to create the PAM configuration file:
cat > /etc/pam.d/sudo << "EOF"
# Begin /etc/pam.d/sudo
# include the default auth settings
auth include system-auth
# include the default account settings
account include system-account
# Set default environment variables for the service user
session required pam_env.so
# include system session defaults
session include system-session
# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo
sudo | executes a command as another user as permitted by the |
sudoedit | is a hard link to sudo that implies the |
visudo | allows for safer editing of the |
sudoreplay | is used to play back or list the output logs created by sudo. |
Last updated on 2013-08-17 13:38:01 -0700
The Tripwire package contains programs used to verify the integrity of the files on a given system.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://downloads.sourceforge.net/tripwire/tripwire-2.4.2.2-src.tar.bz2
Download MD5 sum: 2462ea16fb0b5ae810471011ad2f2dd6
Download size: 704 KB
Estimated disk space required: 31 MB
Estimated build time: 1.3 SBU (includes interactive time during install)
An MTA
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tripwire
Compile Tripwire by running the following commands:
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg &&
sed -i -e 's/!Equal/!this->Equal/' src/cryptlib/algebra.h &&
sed -i -e '/stdtwadmin.h/i#include <unistd.h>' src/twadmin/twadmincl.cpp &&
./configure --prefix=/usr --sysconfdir=/etc/tripwire &&
make
The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install/install.cfg to use an SMTP server instead. Otherwise the install will fail.
This package does not come with a test suite.
Now, as the root user:
make install && cp -v policy/*.txt /usr/doc/tripwire
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire.
sed ... src/cryptlib/algebra.h: Fix a compilation issue with gcc-4.7.
sed ... src/twadmin/twadmincl.cpp: Fix a compilation issue with gcc-4.7.
make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key, which are stored in /etc/tripwire/.
cp -v policy/*.txt /usr/doc/tripwire: This command installs the tripwire sample policy files with the other tripwire documentation.
Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default installation and will need to be updated for your system. Policy files should be tailored to each individual distribution and/or installation. Some example policy files can be found in /usr/doc/tripwire/ (Note that /usr/doc/ is a symbolic link on LFS systems to /usr/share/doc/).
If desired, copy the policy file you'd like to try into /etc/tripwire/ instead of using the default policy file, twpol.txt. It is, however, recommended that you edit your policy file. Get ideas from the examples above and read /usr/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for learning about Tripwire as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.
After your policy file has been edited to your satisfaction you may begin the configuration steps (perform as the root user):
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
        /etc/tripwire/twpol.txt &&
tripwire --init
Depending on your system and the contents of the policy file, the initialization phase above can take a relatively long time.
Tripwire will identify file changes in the critical system files specified in the policy file. Using Tripwire while making frequent changes to these directories will flag all these changes. It is most useful after a system has reached a configuration that the user considers stable.
To use Tripwire after creating a policy file to run a report, use the following command:
tripwire --check > /etc/tripwire/report.txt
View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.
Reports are stored in binary and, if desired, encrypted.
View reports, as the root user, with:
twprint --print-report -r /var/lib/tripwire/report/<report-name.twr>
After you run an integrity check, you should examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with your system name as presented by the command uname -n and ends in .twr. These files were created during report creation and the most current one is needed to update the Tripwire database of your system. As the root user, type in the following command making the appropriate report name:
tripwire --update --twrfile /var/lib/tripwire/report/<report-name.twr>
You will be placed into Vim with a copy of the report in front of you. If all the changes were good, then just type :wq and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :wq.
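Picking the newest <hostname>*.twr file by hand is easy to get wrong once several days of reports (or reports from other hosts sharing the directory) have accumulated. The helper below is an added example, not part of the BLFS book or of Tripwire: it selects the newest report for the current host and hands it to tripwire --update. The report directory is a parameter so the selection can be exercised on a constructed copy; the sample file names and the host name core2-blfs are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the BLFS book): automate the "ls -l the report
# directory and note the newest <hostname>*.twr" step that precedes
# "tripwire --update". Assumes the layout described above
# (/var/lib/tripwire/report/<hostname>-<date>.twr).

# latest_twr DIR [HOSTNAME]
# Prints the newest DIR/HOSTNAME*.twr (HOSTNAME defaults to `uname -n`).
# Returns 1 when no report for that host exists, so a caller can never
# hand an empty --twrfile to tripwire by accident.
latest_twr() {
    dir=$1
    host=${2:-$(uname -n)}
    newest=
    for f in "$dir/$host"*.twr; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# update_from_latest [DIR]
# Runs the book's update step against the newest report for this host.
# Not executed below; run it as root on a real system.
update_from_latest() {
    report=$(latest_twr "${1:-/var/lib/tripwire/report}") || {
        echo "no Tripwire report found for $(uname -n)" >&2
        return 1
    }
    tripwire --update --twrfile "$report"
}

# Constructed sample: two reports for host "core2-blfs" with different
# modification times, plus one for another host that must be ignored.
sample=$(mktemp -d)
touch -t 201309010102 "$sample/core2-blfs-20130901-010203.twr"
touch -t 201309050102 "$sample/core2-blfs-20130905-010203.twr"
touch -t 201309090102 "$sample/other-host-20130909-010203.twr"

latest_twr "$sample" core2-blfs   # prints .../core2-blfs-20130905-010203.twr
rm -rf "$sample"
```

Because the selection is by modification time rather than by sorting names, it also works when report names do not sort chronologically, and the non-zero return on "no report" is what lets a cron job fail loudly instead of silently updating nothing.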
A good summary of tripwire operations can be found at http://va-holladays.no-ip.info:2200/tools/security-docs/tripwire-v1.0.pdf.
siggen is a signature gathering utility that displays the hash function values for the specified files.
tripwire is the main file integrity checking program.
twadmin is an administrative and utility tool used to perform certain administrative functions related to Tripwire files and configuration options.
twprint prints Tripwire database and report files in clear text format.
Last updated on 2013-08-23 03:32:24 -0700
Journaling file systems reduce the time needed to recover a file system that was not unmounted properly. While this can be extremely important in reducing downtime for servers, it has also become popular for desktop environments. This chapter contains other journaling file systems you can use instead of the default LFS extended file system (ext2/3/4). It also provides introductory material on managing disk arrays.
The only purpose of an initramfs is to mount the root filesystem. The initramfs is a complete set of directories that you would find on a normal root filesystem. It is bundled into a single cpio archive and compressed with one of several compression algorithms.
At boot time, the boot loader loads the kernel and the initramfs image into memory and starts the kernel. The kernel checks for the presence of the initramfs and, if found, mounts it as / and runs /init. The init program is typically a shell script. Note that the boot process takes longer, possibly significantly longer, if an initramfs is used.
For most distributions, kernel modules are the biggest reason to have an initramfs. In a general distribution, there are many unknowns such as file system types and disk layouts. In a way, this is the opposite of LFS where the system capabilities and layout are known and a custom kernel is normally built. In this situation, an initramfs is rarely needed.
There are only four primary reasons to have an initramfs in the LFS environment: loading the rootfs from a network, loading it from an LVM logical volume, having an encrypted rootfs where a password is required, or for the convenience of specifying the rootfs as a LABEL or UUID. Anything else usually means that the kernel was not configured properly.
If you do decide to build an initramfs, the following scripts will provide a basis to do it. The scripts will allow specifying a rootfs via partition UUID or partition LABEL or a rootfs on an LVM logical volume. They do not support an encrypted root file system or mounting the rootfs over a network card. For a more complete capability see the LFS Hints or dracut.
To install these scripts, run the following commands as the root user:
cat > /sbin/mkinitramfs << "EOF"
#!/bin/bash
# This file is based in part on the mkinitramfs script for the LFS LiveCD
# written by Alexander E. Patrakov and Jeremy Huntwork.

copy()
{
  local file

  if [ "$2" == "lib" ]; then
    file=$(PATH=/lib:/usr/lib type -p $1)
  else
    file=$(type -p $1)
  fi

  # $file must be quoted: with an empty, unquoted value "[ -n ]" succeeds
  # and the missing-file error below would never be reached.
  if [ -n "$file" ] ; then
    cp $file $WDIR/$2
  else
    echo "Missing required file: $1 for directory $2"
    rm -rf $WDIR
    exit 1
  fi
}

if [ -z "$1" ] ; then
  INITRAMFS_FILE=initrd.img-no-kmods
else
  KERNEL_VERSION=$1
  INITRAMFS_FILE=initrd.img-$KERNEL_VERSION
fi

if [ -n "$KERNEL_VERSION" ] && [ ! -d "/lib/modules/$1" ] ; then
  echo "No modules directory named $1"
  exit 1
fi

printf "Creating $INITRAMFS_FILE... "

binfiles="sh cat cp dd killall ls mkdir mknod mount "
binfiles="$binfiles umount sed sleep ln rm uname"

sbinfiles="udevadm modprobe blkid switch_root"

#Optional files and locations
for f in mdadm udevd; do
  if [ -x /sbin/$f ] ; then sbinfiles="$sbinfiles $f"; fi
done

unsorted=$(mktemp /tmp/unsorted.XXXXXXXXXX)

DATADIR=/usr/share/mkinitramfs
INITIN=init.in

# Create a temporary working directory
WDIR=$(mktemp -d /tmp/initrd-work.XXXXXXXXXX)

# Create base directory structure
mkdir -p $WDIR/{bin,dev,lib/firmware,run,sbin,sys,proc}
mkdir -p $WDIR/etc/{modprobe.d,udev/rules.d}
touch $WDIR/etc/modprobe.d/modprobe.conf
ln -s lib $WDIR/lib64

# Create necessary device nodes
mknod -m 640 $WDIR/dev/console c 5 1
mknod -m 664 $WDIR/dev/null    c 1 3

# Install the udev configuration files
cp /etc/udev/udev.conf $WDIR/etc/udev/udev.conf

for file in $(find /etc/udev/rules.d/ -type f) ; do
  cp $file $WDIR/etc/udev/rules.d
done

# Install any firmware present
cp -a /lib/firmware $WDIR/lib

# Copy the RAID configuration file if present
if [ -f /etc/mdadm.conf ] ; then
  cp /etc/mdadm.conf $WDIR/etc
fi

# Install the init file
install -m0755 $DATADIR/$INITIN $WDIR/init

if [ -n "$KERNEL_VERSION" ] ; then
  if [ -x /bin/kmod ] ; then
    binfiles="$binfiles kmod"
  else
    binfiles="$binfiles lsmod"
    sbinfiles="$sbinfiles insmod"
  fi
fi

# Install basic binaries (and record the shared libraries each one needs)
for f in $binfiles ; do
  ldd /bin/$f | sed "s/\t//" | cut -d " " -f1 >> $unsorted
  copy $f bin
done

# Add lvm if present
if [ -x /sbin/lvm ] ; then sbinfiles="$sbinfiles lvm"; fi

for f in $sbinfiles ; do
  ldd /sbin/$f | sed "s/\t//" | cut -d " " -f1 >> $unsorted
  copy $f sbin
done

# Add udevd libraries if not in /sbin
if [ -x /lib/udev/udevd ] ; then
  ldd /lib/udev/udevd | sed "s/\t//" | cut -d " " -f1 >> $unsorted
fi

# Add module symlinks if appropriate
if [ -n "$KERNEL_VERSION" ] && [ -x /bin/kmod ] ; then
  ln -s kmod $WDIR/bin/lsmod
  ln -s kmod $WDIR/bin/insmod
fi

# Add lvm symlinks if appropriate
if [ -x /sbin/lvm ] ; then
  ln -s lvm $WDIR/sbin/lvchange
  ln -s lvm $WDIR/sbin/lvrename
  ln -s lvm $WDIR/sbin/lvextend
  ln -s lvm $WDIR/sbin/lvcreate
  ln -s lvm $WDIR/sbin/lvdisplay
  ln -s lvm $WDIR/sbin/lvscan

  ln -s lvm $WDIR/sbin/pvchange
  ln -s lvm $WDIR/sbin/pvck
  ln -s lvm $WDIR/sbin/pvcreate
  ln -s lvm $WDIR/sbin/pvdisplay
  ln -s lvm $WDIR/sbin/pvscan

  ln -s lvm $WDIR/sbin/vgchange
  ln -s lvm $WDIR/sbin/vgcreate
  ln -s lvm $WDIR/sbin/vgscan
  ln -s lvm $WDIR/sbin/vgrename
  ln -s lvm $WDIR/sbin/vgck
fi

# Install libraries (the vdso/gate entries reported by ldd are kernel-provided,
# not files, so they are skipped)
sort $unsorted | uniq | while read library ; do
  if [ "$library" == "linux-vdso.so.1" ] ||
     [ "$library" == "linux-gate.so.1" ]; then
    continue
  fi

  copy $library lib
done

cp -a /lib/udev $WDIR/lib

# Install the kernel modules if requested
if [ -n "$KERNEL_VERSION" ]; then
  find \
     /lib/modules/$KERNEL_VERSION/kernel/{crypto,fs,lib} \
     /lib/modules/$KERNEL_VERSION/kernel/drivers/{block,ata,md,firewire} \
     /lib/modules/$KERNEL_VERSION/kernel/drivers/{scsi,message,pcmcia,virtio} \
     /lib/modules/$KERNEL_VERSION/kernel/drivers/usb/{host,storage} \
     -type f 2> /dev/null | cpio --make-directories -p --quiet $WDIR

  cp /lib/modules/$KERNEL_VERSION/modules.{builtin,order} \
            $WDIR/lib/modules/$KERNEL_VERSION

  depmod -b $WDIR $KERNEL_VERSION
fi

( cd $WDIR ; find . | cpio -o -H newc --quiet | gzip -9 ) > $INITRAMFS_FILE

# Remove the temporary directory and file
rm -rf $WDIR $unsorted
printf "done.\n"

EOF

chmod 0755 /sbin/mkinitramfs
mkdir -p /usr/share/mkinitramfs &&
cat > /usr/share/mkinitramfs/init.in << "EOF"
#!/bin/sh

PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH

problem()
{
   printf "Encountered a problem!\n\nDropping you to a shell.\n\n"
   sh
}

no_device()
{
   printf "The device %s, which is supposed to contain the\n" $1
   printf "root file system, does not exist.\n"
   printf "Please fix this problem and exit this shell.\n\n"
}

no_mount()
{
   printf "Could not mount device %s\n" $1
   printf "Sleeping forever. Please reboot and fix the kernel command line.\n\n"
   printf "Maybe the device is formatted with an unsupported file system?\n\n"
   printf "Or maybe filesystem type autodetection went wrong, in which case\n"
   printf "you should add the rootfstype=... parameter to the kernel command line.\n\n"
   printf "Available partitions:\n"
}

do_mount_root()
{
   mkdir /.root
   [ -n "$rootflags" ] && rootflags="$rootflags,"
   rootflags="$rootflags$ro"

   # root=UUID=... or root=LABEL=... from the kernel command line is
   # evaluated as a shell assignment to set $UUID or $LABEL
   case "$root" in
      /dev/* ) device=$root ;;
      UUID=* ) eval $root; device="/dev/disk/by-uuid/$UUID" ;;
      LABEL=*) eval $root; device="/dev/disk/by-label/$LABEL" ;;
      ""     ) echo "No root device specified." ; problem ;;
   esac

   while [ ! -b "$device" ] ; do
       no_device $device
       problem
   done

   if ! mount -n -t "$rootfstype" -o "$rootflags" "$device" /.root ; then
       no_mount $device
       cat /proc/partitions
       while true ; do sleep 10000 ; done
   else
       echo "Successfully mounted device $root"
   fi
}

init=/sbin/init
root=
rootdelay=
rootfstype=auto
ro="ro"
rootflags=
device=

mount -n -t devtmpfs devtmpfs /dev
mount -n -t proc     proc     /proc
mount -n -t sysfs    sysfs    /sys
mount -n -t tmpfs    tmpfs    /run

read -r cmdline < /proc/cmdline

for param in $cmdline ; do
  case $param in
    init=*      ) init=${param#init=}             ;;
    root=*      ) root=${param#root=}             ;;
    rootdelay=* ) rootdelay=${param#rootdelay=}   ;;
    rootfstype=*) rootfstype=${param#rootfstype=} ;;
    rootflags=* ) rootflags=${param#rootflags=}   ;;
    ro          ) ro="ro"                         ;;
    rw          ) ro="rw"                         ;;
  esac
done

# udevd location depends on version
if [ -x /sbin/udevd ]; then
  UDEV_PATH=/sbin
else
  UDEV_PATH=/lib/udev
fi

${UDEV_PATH}/udevd --daemon --resolve-names=never
udevadm trigger
udevadm settle

if [ -f /etc/mdadm.conf ] ; then mdadm -As                       ; fi
if [ -x /sbin/vgchange  ] ; then /sbin/vgchange --noudevsync -a y > /dev/null ; fi
if [ -n "$rootdelay"    ] ; then sleep "$rootdelay"              ; fi

do_mount_root

killall -w ${UDEV_PATH}/udevd

exec switch_root /.root "$init" "$@"

EOF
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/initramfs
To build an initramfs, run the following as the root user:
mkinitramfs [KERNEL VERSION]
The optional argument is the directory where the appropriate kernel modules are located. This must be a subdirectory of /lib/modules. If no modules are specified, then the initramfs is named initrd.img-no-kmods. If a kernel version is specified, the initrd is named initrd.img-$KERNEL_VERSION and is only appropriate for the specific kernel specified. The output file will be placed in the current directory.
After generating the initrd, copy it to the /boot directory.
Now edit /boot/grub/grub.cfg and add a new menuentry. Below are several examples.
# Generic initramfs and root fs identified by UUID
menuentry "LFS Dev (LFS-7.0-Feb14) initrd, Linux 3.0.4"
{
  linux  /vmlinuz-3.0.4-lfs-20120214 root=UUID=54b934a9-302d-415e-ac11-4988408eb0a8 ro
  initrd /initrd.img-no-kmods
}

# Generic initramfs and root fs on LVM partition
menuentry "LFS Dev (LFS-7.0-Feb18) initrd lvm, Linux 3.0.4"
{
  linux  /vmlinuz-3.0.4-lfs-20120218 root=/dev/mapper/myroot ro
  initrd /initrd.img-no-kmods
}

# Specific initramfs and root fs identified by LABEL
menuentry "LFS Dev (LFS-7.1-Feb20) initrd label, Linux 3.2.6"
{
  linux  /vmlinuz-3.2.6-lfs71-120220 root=LABEL=lfs71 ro
  initrd /initrd.img-3.2.6-lfs71-120220
}
Finally, reboot the system and select the desired system.
Last updated on 2013-02-11 10:51:17 -0800
FUSE (Filesystem in Userspace) is a simple interface for userspace programs to export a virtual filesystem to the Linux kernel. Fuse also aims to provide a secure method for non-privileged users to create and mount their own filesystem implementations.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://downloads.sourceforge.net/fuse/fuse-2.9.3.tar.gz
Download MD5 sum: 33cae22ca50311446400daf8a6255c6a
Download size: 564 KB
Estimated disk space required: 9.5 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/fuse
Enable the following options in the kernel configuration and recompile the kernel if necessary:
File systems --->
[*] FUSE (Filesystem in Userspace) support
After the configure script has finished you will see a warning shown below. You can safely disregard this warning.
configure: WARNING:
******************************************************************
* Please install util-linux version 2.18 or later which supports *
* --fake and --no-canonicalize options in mount and umount *
******************************************************************
Install Fuse by running the following commands:
./configure --prefix=/usr --disable-static INIT_D_PATH=/tmp/init.d && make
If you have Doxygen-1.8.5 installed and wish to build the API documentation, issue doxygen doc/Doxyfile.
This package does not come with a test suite.
Now, as the root user:
make install &&
mv -v /usr/lib/libfuse.so.* /lib &&
ln -sfv ../../lib/libfuse.so.2.9.3 /usr/lib/libfuse.so &&
rm -rf /tmp/init.d &&
install -v -m755 -d /usr/share/doc/fuse-2.9.3 &&
install -v -m644 doc/{how-fuse-works,kernel.txt} \
    /usr/share/doc/fuse-2.9.3
If you built the API documentation, install it as the root user by issuing the following commands:
install -v -m755 -d /usr/share/doc/fuse-2.9.3/api &&
install -v -m644 doc/html/* \
    /usr/share/doc/fuse-2.9.3/api
--disable-static: This switch prevents installation of static versions of the libraries.
INIT_D_PATH=/tmp/init.d: This parameter installs the bootscript into /tmp/init.d as a bootscript is not required.
mv -v /usr/lib/libfuse.so.* /lib: This moves the FUSE library to the root filesystem so that it is available early in the boot process in case /usr is mounted on a separate partition and ntfs-3g-2013.1.13 is built with a system-installed version of FUSE.
rm -rf /tmp/init.d: This removes the unneeded bootscript.
Some options regarding mount policy can be set in the file /etc/fuse.conf. To install the file run the following command as the root user:
cat > /etc/fuse.conf << "EOF"
# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#
#mount_max = 1000

# Allow non-root users to specify the 'allow_other' or 'allow_root'
# mount options.
#
#user_allow_other
EOF
Additional information about the meaning of the configuration options is found in the man page.
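Both options in that file ship commented out, so the restrictive defaults apply until someone uncomments a line. The check below is an added example, not part of the BLFS book or of the FUSE project: it reports the mount policy a given fuse.conf actually grants to non-root users, reading only the two options documented above (mount_max, with the documented default of 1000, and user_allow_other) and ignoring comments, so a commented-out #user_allow_other is not mistaken for an enabled one. It is a simplified reading of the file for auditing, not libfuse's own parser; the two sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the BLFS book or libfuse): audit /etc/fuse.conf.

# fuse_conf_policy FILE
# Prints "mount_max=<n> user_allow_other=<yes|no>" for FILE. Comments
# ('#' to end of line) and surrounding whitespace are ignored; a missing
# mount_max means the documented default of 1000.
fuse_conf_policy() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^mount_max[ \t]*=/ { sub(/^mount_max[ \t]*=[ \t]*/, ""); max = $0; next }
        $0 == "user_allow_other" { uao = "yes" }
        END {
            if (max == "") max = 1000
            if (uao == "") uao = "no"
            print "mount_max=" max " user_allow_other=" uao
        }
    ' "$1"
}

# fuse_conf_warn FILE
# Returns 0 when FILE keeps the default (user_allow_other off) and 1,
# with a message on stderr, when non-root users may make their FUSE
# mounts visible to other users via allow_other/allow_root.
fuse_conf_warn() {
    case $(fuse_conf_policy "$1") in
        *user_allow_other=yes*)
            echo "$1: non-root users may use allow_other/allow_root" >&2
            return 1 ;;
    esac
    return 0
}

# Constructed samples: the book's default file (everything commented out)
# and a permissive variant with an inline comment and a lower mount cap.
tmp=$(mktemp -d)
cat > "$tmp/default.conf" << "EOF"
# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#
#mount_max = 1000

# Allow non-root users to specify the 'allow_other' or 'allow_root'
# mount options.
#
#user_allow_other
EOF
cat > "$tmp/permissive.conf" << "EOF"
  mount_max = 50   # fewer mounts per user
user_allow_other
EOF

fuse_conf_policy "$tmp/default.conf"      # mount_max=1000 user_allow_other=no
fuse_conf_policy "$tmp/permissive.conf"   # mount_max=50 user_allow_other=yes
rm -rf "$tmp"
```

Run fuse_conf_warn /etc/fuse.conf from a periodic host check; the non-zero exit status is what a cron wrapper or configuration-drift monitor can act on.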
Last updated on 2013-08-22 04:10:10 -0700
The jfsutils package contains administration and debugging tools for the jfs file system.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://jfs.sourceforge.net/project/pub/jfsutils-1.1.15.tar.gz
Download MD5 sum: 8809465cd48a202895bc2a12e1923b5d
Download size: 532 KB
Estimated disk space required: 8.9 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/jfs
Enable the following option in the kernel configuration and recompile the kernel:
File Systems:
JFS filesystem support: M or Y
Install jfsutils by running the following commands:
sed "s@<unistd.h>@&\n#include <sys/types.h>@g" -i fscklog/extract.c && ./configure && make
This package does not come with a test suite.
Now, as the root user:
make install
sed "s@<unistd.h>@&\n#include <sys/types.h>@g" -i fscklog/extract.c: Fixes building with Glibc 2.17.
fsck.jfs is used to replay the JFS transaction log, check a JFS formatted device for errors, and fix any errors found.
jfs_fsck is a hard link to fsck.jfs.
mkfs.jfs constructs a JFS file system.
jfs_mkfs is a hard link to mkfs.jfs.
jfs_debugfs is a program which can be used to perform various low-level actions on a JFS formatted device.
jfs_fscklog extracts a JFS fsck service log into a file and/or formats and displays the extracted file.
jfs_logdump dumps the contents of the journal log from the specified JFS formatted device into output file ./jfslog.dmp.
jfs_tune adjusts tunable file system parameters on JFS file systems.
Last updated on 2013-08-23 03:32:24 -0700
The LVM2 package is a package that manages logical partitions. It allows spanning of file systems across multiple physical disks and disk partitions and provides for dynamic growing or shrinking of logical partitions.
This package is known to build and work properly using an LFS-7.4 platform.
Download (FTP): ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.100.tgz
Download MD5 sum: 9629cf5728544d7e637cafde1f73d777
Download size: 1.3 MB
Estimated disk space required: 22 MB
Estimated build time: 0.3 SBU
mdadm-3.3 (for checks) and xfsprogs-3.1.11 (for checks)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/lvm2
Enable the following option in the kernel configuration and recompile the kernel:
There are several other Device Mapper options in the kernel beyond those listed below. In order to get reasonable results if running the regression tests, all must be enabled either internally or as a module.
Device Drivers --->
Multiple devices driver support (RAID and LVM): Y
Device mapper support: Y or M
Crypt target support: (optional)
Snapshot target: (optional)
Mirror target: (optional)
Install LVM2 by running the following commands:
./configure --prefix=/usr       \
            --exec-prefix=      \
            --with-confdir=/etc \
            --enable-applib     \
            --enable-cmdlib     \
            --enable-pkgconfig  \
            --enable-udev_sync &&
make
The check command must be run as the root user. Also the tests are known to hang if at least one partition on a hard drive is not set up as a Linux LVM partition (type 8e00). To test the results, issue: make check as the root user.
Now, as the root user:
make install
--enable-applib: This switch enables building of the shared application library.
--enable-cmdlib: This switch enables building of the shared command library. It is required when building the event daemon.
--enable-pkgconfig: This switch enables installation of pkg-config support files.
--enable-udev_sync: This switch enables synchronisation with Udev processing.
--enable-dmeventd: This switch enables building of the Device Mapper event daemon.
dmsetup is a low level logical volume management tool.
fsadm is a utility used to resize or check a filesystem on a device.
lvm provides the command-line tools for LVM2. Commands are implemented via symbolic links to this program to manage physical devices (pv*), volume groups (vg*) and logical volumes (lv*).
lvmconf is a script that modifies the locking configuration in the LVM2 configuration file.
lvmdump is a tool used to dump various information concerning LVM2.
vgimportclone is used to import a duplicated VG (e.g. hardware snapshot).
libdevmapper.so contains the Device Mapper API functions.
Last updated on 2013-08-27 10:06:41 -0700
The storage technology known as RAID (Redundant Array of Independent Disks) combines multiple physical disks into a logical unit. The drives can generally be combined to provide data redundancy or to extend the size of logical units beyond the capability of the physical disks or both. The technology also allows for providing hardware maintenance without powering down the system.
The types of RAID organization are described in the RAID Wiki.
Note that while RAID provides protection against disk failures, it is not a substitute for backups. A file deleted is still deleted on all the disks of a RAID array. Modern backups are generally done via rsync-3.0.9.
There are three major types of RAID implementation: Hardware RAID, BIOS-based RAID, and Software RAID.
Hardware based RAID provides capability through proprietary hardware and data layouts. The control and configuration is generally done via firmware in conjunction with executable programs made available by the device manufacturer. The capabilities are generally supplied via a PCI card, although there are some instances of RAID components integrated into the motherboard. Hardware RAID may also be available in a stand-alone enclosure.
One advantage of hardware-based RAID is that the drives are offered to the operating system as a logical drive and no operating system dependent configuration is needed.
Disadvantages include difficulties in transferring drives from one system to another, updating firmware, or replacing failed RAID hardware.
Some computers offer a hardware-like RAID implementation in the system BIOS. Sometimes this is referred to as 'fake' RAID as the capabilities are generally incorporated into firmware without any hardware acceleration.
The advantages and disadvantages of BIOS-based RAID are generally the same as hardware RAID with the additional disadvantage that there is no hardware acceleration.
In some cases, BIOS-based RAID firmware is enabled by default (e.g. some DELL systems). If software RAID is desired, this option must be explicitly disabled in the BIOS.
Software based RAID is the most flexible form of RAID. It is easy to install and update and provides full capability on all or part of any drives available to the system. In BLFS, the RAID software is found in mdadm-3.3.
Configuring a RAID device is straight forward using mdadm. Generally devices are created in the /dev directory as /dev/mdx where x is an integer.
The first step in creating a RAID array is to use partitioning software such as fdisk or parted-3.1 to define the partitions needed for the array. Usually, there will be one partition on each drive participating in the RAID array, but that is not strictly necessary. For this example, there will be four disk drives: /dev/sda, /dev/sdb, /dev/sdc, and /dev/sdd. They will be partitioned as follows:
Partition  Size    Type                Use
sda1:      100 MB  fd Linux raid auto  /boot     (RAID 1) /dev/md0
sda2:      10 GB   fd Linux raid auto  /         (RAID 1) /dev/md1
sda3:      2 GB    83 Linux swap       swap
sda4:      300 GB  fd Linux raid auto  /home     (RAID 5) /dev/md2

sdb1:      100 MB  fd Linux raid auto  /boot     (RAID 1) /dev/md0
sdb2:      10 GB   fd Linux raid auto  /         (RAID 1) /dev/md1
sdb3:      2 GB    83 Linux swap       swap
sdb4:      300 GB  fd Linux raid auto  /home     (RAID 5) /dev/md2

sdc1:      12 GB   fd Linux raid auto  /usr/src  (RAID 0) /dev/md3
sdc2:      300 GB  fd Linux raid auto  /home     (RAID 5) /dev/md2

sdd1:      12 GB   fd Linux raid auto  /usr/src  (RAID 0) /dev/md3
sdd2:      300 GB  fd Linux raid auto  /home     (RAID 5) /dev/md2
In this arrangement, a separate boot partition is created as the first small RAID array and a root filesystem as the second RAID array, both mirrored. The third partition is a large (about 1TB) array for the /home directory. This provides an ability to stripe data across multiple devices, improving speed for both reading and writing large files. Finally, a fourth array is created that concatenates two partitions into a larger device.
All mdadm commands must be run as the root user.
To create these RAID arrays the commands are:
/sbin/mdadm -Cv /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
/sbin/mdadm -Cv /dev/md1 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
/sbin/mdadm -Cv /dev/md3 --level=0 --raid-devices=2 /dev/sdc1 /dev/sdd1
/sbin/mdadm -Cv /dev/md2 --level=5 --raid-devices=4 \
    /dev/sda4 /dev/sdb4 /dev/sdc2 /dev/sdd2
The devices created can be examined by device. For example, to see the details of /dev/md1, use /sbin/mdadm --detail /dev/md1:
Version : 1.2
Creation Time : Tue Feb 7 17:08:45 2012
Raid Level : raid1
Array Size : 10484664 (10.00 GiB 10.74 GB)
Used Dev Size : 10484664 (10.00 GiB 10.74 GB)
Raid Devices : 2
Total Devices : 2
Persistence : Superblock is persistent
Update Time : Tue Feb 7 23:11:53 2012
State : clean
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0
Name : core2-blfs:0 (local to host core2-blfs)
UUID : fcb944a4:9054aeb2:d987d8fe:a89121f8
Events : 17
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1
From this point, the partitions can be formatted with the filesystem of choice (e.g. ext3, ext4, xfsprogs-3.1.11, reiserfsprogs-3.6.24, etc). The formatted partitions can then be mounted. The /etc/fstab file can use the devices created for mounting at boot time and the linux command line in /boot/grub/grub.cfg can specify root=/dev/md1.
The swap devices should be specified in the /etc/fstab file as normal. The kernel normally stripes swap data across multiple swap files, so swap should not be made part of a RAID array.
For further options and management details of RAID devices, refer to man mdadm.
Additional details for monitoring RAID arrays and dealing with problems can be found at the Linux RAID Wiki.
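A mirrored root that has silently lost one member gives no warning at all until the second member fails, so some periodic check of array health is part of running software RAID. The script below is an added example, not part of the BLFS book or of mdadm: it reads the kernel's /proc/mdstat summary and reports every array whose member-status field (for example [U_]) shows a missing or failed member. The array names and member layout in the sample are constructed to match the layout described in this section; the text format is the real /proc/mdstat format.

```shell
#!/bin/sh
# Added example (not from the BLFS book or mdadm): software RAID health check
# over /proc/mdstat, suitable for cron alongside "mdadm --detail".

# mdstat_summary
# Reads /proc/mdstat text on stdin and prints one line per array:
#   <name> <active/total> <ok|DEGRADED>
# A '_' in the member-status field (e.g. [U_]) marks a missing/failed member.
mdstat_summary() {
    awk '
        /^md[0-9]+ *: / { name = $1; next }
        name != "" && /\[[0-9]+\/[0-9]+\] \[[U_]+\]$/ {
            counts = substr($(NF-1), 2, length($(NF-1)) - 2)   # "[2/1]" -> "2/1"
            state  = (index($NF, "_") > 0) ? "DEGRADED" : "ok"
            print name, counts, state
            name = ""
        }
    '
}

# degraded_arrays
# Prints only the names of arrays missing members; exit status 1 when at
# least one is degraded, so a cron job or monitoring wrapper can alert.
degraded_arrays() {
    found=$(mdstat_summary | awk '$3 == "DEGRADED" { print $1 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: md2 and md0 healthy, md1 (the mirrored root from the
# example above) running on one of its two members.
SAMPLE_MDSTAT='Personalities : [raid0] [raid1] [raid6] [raid5] [raid4]
md2 : active raid5 sdd2[3] sdc2[2] sdb4[1] sda4[0]
      943720448 blocks super 1.2 level 5, 512k chunk, algorithm 2 [4/4] [UUUU]

md1 : active raid1 sdb2[1] sda2[0]
      10484664 blocks super 1.2 [2/1] [U_]

md0 : active raid1 sdb1[1] sda1[0]
      102336 blocks super 1.2 [2/2] [UU]

unused devices: <none>'

printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_summary
# md2 4/4 ok
# md1 2/1 DEGRADED
# md0 2/2 ok

# On a live system, from cron:
#   degraded_arrays < /proc/mdstat || mail -s "RAID degraded on $(uname -n)" root
```

The status field is parsed rather than the "[2/1]" counts alone because a resync in progress also shows an underscore: treating it as degraded is the safe default, and the summary line tells the operator which array to inspect with mdadm --detail.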
Last updated on 2013-02-11 10:51:17 -0800
The mdadm package contains administration tools for software RAID.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://www.kernel.org/pub/linux/utils/raid/mdadm/mdadm-3.3.tar.xz
Download MD5 sum: abb19b309281b93cf79d29fb2dfb2e85
Download size: 390 KB
Estimated disk space required: 8.3 MB
Estimated build time: less than 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/mdadm
Enable the following options in the kernel configuration and recompile the kernel, if necessary. Only the RAID types desired are required.
File Systems:
Device Drivers:
Multiple devices driver support (RAID and LVM): Y
RAID support: Y or M
Autodetect RAID arrays during kernel boot: Y
Linear (append) mode: Y or M
RAID-0 (striping) mode : Y or M
RAID-1 (mirroring) mode : Y or M
RAID-10 (mirrored striping) mode: Y or M
RAID-4/RAID-5/RAID-6 mode : Y or M
Install mdadm by running the following commands:
make
If you wish to run the tests, ensure that your kernel supports RAID and that a version of mdadm is not already running, and issue: make test and then, as the root user: ./test
Now, as the root user:
make install
make everything: This target creates extra programs, particularly a statically-linked version of mdadm and also versions of mdassemble. These all need to be manually installed.
Last updated on 2013-09-10 16:12:35 -0700
The Ntfs-3g package contains an open source driver for the Windows NTFS file system. This can mount Windows partitions so that they are writeable and allows you to edit or delete Windows files from Linux.
This package is known to build and work properly using an LFS-7.4 platform.
Download (HTTP): http://tuxera.com/opensource/ntfs-3g_ntfsprogs-2013.1.13.tgz
Download MD5 sum: 2d6fb47ddf62b51733227126fe9227fe
Download size: 1.2 MB
Estimated disk space required: 24 MB
Estimated build time: 0.4 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/ntfs-3g
Enable the following options in the kernel configuration and recompile the kernel if necessary:
File systems --->
[*] FUSE (Filesystem in Userspace) support
Install Ntfs-3g by running the following commands:
./configure --prefix=/usr --disable-static && make
This package does not come with a test suite.
Now, as the root user:
make install &&
ln -sv ../bin/ntfs-3g /sbin/mount.ntfs &&
ln -sv /usr/share/man/man8/{ntfs-3g,mount.ntfs}.8
If you want ordinary users to be able to mount NTFS partitions you'll need to set mount.ntfs with the root user ID. Note: it is probably unsafe to do this on a computer that needs to be secure (like a server). As the root user:
chmod -v 4755 /sbin/mount.ntfs
--disable-static: This switch prevents installation of static versions of the libraries.
--with-fuse=external: Ntfs-3g comes with a version of Fuse which it statically compiles into lowntfs-3g and ntfs-3g. If you have installed Fuse-2.9.3 use this --with-fuse=external option to dynamically link lowntfs-3g and ntfs-3g to libfuse.
ln -sv ../bin/ntfs-3g /sbin/mount.ntfs: Creating /sbin/mount.ntfs makes mount default to using Ntfs-3g to mount NTFS partitions.
chmod -v 4755 /sbin/mount.ntfs: Making mount.ntfs setuid root allows non root users to mount NTFS partitions.
To mount a Windows partition at boot time, put a line like this in /etc/fstab:
/dev/sda1 /mnt/windows auto defaults 0 0
To allow users to mount a usb stick with an NTFS filesystem on it, put a line similar to this (change sdc1 to whatever a usb stick would be on your system) in /etc/fstab:
/dev/sdc1 /mnt/usb auto user,noauto,umask=0,utf8 0 0
For a user to be able to mount the usb stick they will need to be able to write to /mnt/usb, so as the root user:
chmod -v 777 /mnt/usb