Answers 88

From LXF Wiki

<title>Secure CDs</title>

<question>With Windows, there are commands in Nero and other software that enable you to put copy protection on to the CD-ROMs that you make. Is there such a command with Linux? Also, I could not get Rute to work from your latest magazine [Coverdisc, LXF86]. </question>

<answer>If by "copy protection" you mean the sort of thing that commercial CDs have, the answer appears to be no. The idea of restricting copying is anathema to free software. However, if you want to encrypt your data to protect it from prying eyes, such as when backing up personal files, the answer is yes. You might have come across an application called Cdrecord, which is the CD-writing back-end used by most CD programs. There is a patch for this available to add encryption of the data as it is written to disc. Most distros do not include the patched version of Cdrecord (which is contained in a package called cdrtools), but you can tell if your copy includes encryption with

cdrecord --version

If this does not state that encryption is included you will have to patch and build it yourself. This is a fairly simple process: download the Cdrtools source from ftp://ftp.berlios.de/pub/cdrecord and the matching patch from http://burbon04.gmxhome.de/linux/CDREncryption.html, then execute the following commands as root:

tar xjf cdrtools-VERSION.tar.bz2
zcat cdrtools-VERSION-encrypt-1.0.diff.gz | patch -p0
cd cdrtools-VERSION
make
make install

You will need the GCC compiler and associated tools to do this; installing the gcc package should pull in everything you need. Now you can create an encrypted CD by adding -encrypt -encpass=ahardtoguesspassword to the cdrecord command. If you are using a GUI CD-burning program, such as K3b, you can add arguments to Cdrecord in the program's preferences. Store the password in a file and use -encpassfile instead of -encpass if you prefer. Keeping the password file on a USB key would improve security. Reading the encrypted CD requires that you have dm-crypt support in your kernel (you almost certainly will have) and the cryptsetup package installed. Mounting the disc is a two-stage process:

cryptsetup -r -c aes -s 256 -h sha256 create ecdrom /dev/cdrom
mount /dev/mapper/ecdrom /mnt/cdrom

You could put these commands in a script to save typing them every time. If you have your password in a file, add --key-file /path/to/key to the cryptsetup command to save typing in the password. Unmounting follows a similar process:

umount /mnt/cdrom
cryptsetup remove ecdrom

As for your second question, Rute is standard HTML, so you should be able to read it by loading Help/RUTE/rute/index.html into any web browser. If this fails, let us know the exact error message it gives. </answer>

<title>Stealth Linux</title>

<question>I belong to a computer club that is 98% Windows-oriented and I'd like to install Mepis 6.0 on the club's laptop to demonstrate Linux and perhaps persuade some members to try it. Installing Grub on the MBR [master boot record] is not a good idea as the laptop is also used by our members to take home and they wouldn't like the idea of choosing Linux or Windows XP at boot (some are not interested in Linux). How do you create a boot CD to boot Grub and then choose Windows or Linux? Creating a boot floppy is not an option as the laptop has no floppy drive, and using a USB floppy is a problem. </question>

<answer>Jozien, I commend you on your mission to show your fellow club members the joys of Linux through SimplyMepis. Now to your problem. There are two possible solutions to this. The first is to use Smart Boot Manager. This is a bootloader disk that also works from a CD. You'll find an ISO image in the Essentials/SBM directory of the cover DVD. To use this, you must install the bootloader for Mepis into the root partition rather than the MBR; this option is offered during the installation process. When you boot normally, the original Windows bootloader for the MBR will be used and the computer will boot straight into Windows. When you boot from the CD, a menu will appear, from which you can choose the partition to boot – select the Linux root partition here and it should boot. If the Linux partitions do not appear in the menu, press Ctrl+H to rescan the hard disk – I've needed this with some hardware. The Smart Boot Manager CD is only used to run the bootloader. You can remove it as soon as the Smart Boot Manager menu appears, which means you can also use SBM to boot recalcitrant DVDs and CDs.

Another option is to stick with a bootloader on the MBR but hide its menu. To do this with Grub, install Mepis as normal, with the bootloader on the MBR; then boot into it and edit /boot/grub/menu.lst as root. Change the timeout to something short, say 5 (seconds), then add these lines after the timeout:

 hiddenmenu
 default 1

Grub counts from zero so default 1 makes the second menu entry the default. Now when you boot, users will see a message like 'Press Esc to enter the menu' and a countdown from 5 before Windows boots. Unless they press the Esc key, they will not see any reference to Linux. Let us know how you get on! </answer>

<title>Proxy pest</title>

<question>I'm getting entries like the following in my Apache server log: 'GET http://cn.yahoo.com/ HTTP/1.1" 200 291'. Note the request for a completely different domain to mine and the protocol prepended to it, which would normally be stripped off. What concerns me is that the server is returning a code of 200. Should I be concerned? </question>

<answer>Yes, you should be concerned. It appears that someone is attempting to use your server as a web proxy. If you have the mod_proxy module loaded and a ProxyRequests directive in one of your configuration files, Apache's proxy server will be activated. Even if proxying is not activated, you could see a log entry like this; if you are using virtual hosting Apache will normally return the homepage for your default virtual host. You should be able to tell from the IP addresses and frequency of these log entries whether this is a single, misconfigured computer or scripted attempts to find suitable servers to exploit. If the size of the returned page is always the same, irrespective of the URL requested, Apache is returning a local page – probably an error message from the small size. In this case, you are not acting as a proxy for nefarious activities and the only harm done is the extra load on your server and bandwidth to service these requests. You can disable proxying altogether by using the --disable-proxy option when building Apache, or by ensuring that the -D PROXY option is not used when starting Apache. If you are receiving a large number of these requests from robot scripts, you could look at blocking or dropping these addresses with iptables, which would save the server having to reply to them, even with an error. </answer>
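
The triage described in this answer, as an added example that is not part of the original column: the script picks proxy-style requests out of an Apache access log, counts them per client address and applies the same-size test to the successful replies. The sample log lines, the www.example.com server name and the verdict labels are constructed for illustration, and treating CONNECT requests as proxy attempts goes beyond the single GET shown in the question.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Apache common log format (documentation addresses only).
SAMPLE = [
    '192.0.2.10 - - [23/Oct/2006:17:29:01 +0100] "GET http://cn.yahoo.com/ HTTP/1.1" 200 291',
    '192.0.2.10 - - [23/Oct/2006:17:29:02 +0100] "GET http://example.org/index.html HTTP/1.1" 200 291',
    '192.0.2.10 - - [23/Oct/2006:17:29:03 +0100] "CONNECT example.net:25 HTTP/1.0" 405 310',
    '198.51.100.7 - - [23/Oct/2006:17:30:00 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Oct/2006:17:30:05 +0100] "GET http://www.example.com/about.html HTTP/1.1" 200 2048',
]

# host ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)


def foreign_host(method, target, own_hosts):
    """Return the host a proxy-style request names, or None for normal requests."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    elif ABSOLUTE_URI.match(target):
        try:
            host = urlsplit(target).hostname or "?"
        except ValueError:          # malformed URL: still a proxy-style request
            host = "?"
    else:
        return None                 # origin-form request such as "GET /index.html"
    host = host.lower()
    # An absolute URL naming our own server is legal HTTP/1.1, not a proxy attempt.
    return None if host in own_hosts else host


def triage(lines, own_hosts=()):
    """Count proxy-style requests per client and judge how the server answered."""
    own = {h.lower() for h in own_hosts}
    per_client = Counter()
    ok_sizes, ok_targets = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or foreign_host(m["method"], m["target"], own) is None:
            continue
        per_client[m["host"]] += 1
        if m["status"].startswith("2"):
            ok_sizes.add(m["size"])
            ok_targets.add(m["target"])

    if not per_client:
        verdict = "no-proxy-requests"
    elif not ok_targets:
        verdict = "refused"             # every attempt got an error status
    elif len(ok_sizes) > 1:
        verdict = "possible-proxying"   # reply size follows the URL: check mod_proxy
    elif len(ok_targets) > 1:
        verdict = "local-page"          # same size whatever the URL: a local page
    else:
        verdict = "inconclusive"        # one URL only, nothing to compare
    return {
        "verdict": verdict,
        "per_client": dict(per_client),
        "sizes": sorted(ok_sizes),
    }


if __name__ == "__main__":
    result = triage(SAMPLE, own_hosts=["www.example.com"])
    print(result["verdict"], result["per_client"], result["sizes"])
```

The per-client counts show whether one address or many are probing, which is the input needed before deciding on an iptables rule.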

<title>Dual box</title>

<question>I currently have Windows XP on my computer but am looking to change over to Linux. Can I load Ubuntu without disrupting my XP? The reason being I have broadband and my ISP doesn't support Linux. If I do load Ubuntu will the partitions it puts disrupt my XP? I have an 80GB drive with at least 40GB available for Ubuntu. </question>

<answer>What you are asking for is called dual booting – almost all Linux installers support this. This used to be regarded as a somewhat hazardous process (although I have never had a problem in many, many installations) but the current Linux installers are much better and safer. The Ubuntu installer will offer to resize your Windows partition to create space on your hard disk for Ubuntu. All you need to do is tell it how much space to give to each OS. Fragmentation of the Windows partition affects how well the installer can resize it, so you should defragment the disk from Windows before installing Ubuntu. Simply right-click on the drive in My Computer and select Properties, go to the Tools tab and hit Defragment Now. The installer will also add a new bootloader with a menu that offers you the choice of Linux or Windows each time you boot. I should warn you that resizing a filesystem is potentially dangerous; for example, a power failure during the process could trash your data. The chances of a problem are minimal, but the consequences could be serious. If you value your data, back it up first. As far as your broadband connection is concerned, actually it will most likely work on Linux, depending on the type of broadband (cable or ADSL) and the hardware you use to connect. Lack of Linux support from most ISPs is just that: they don't provide support. This does not mean that you cannot use their service with Linux. Provided you have a modem with an Ethernet connection, either for ADSL or cable, you should have no problem getting online with Linux. In most cases you'll find that it is simply a case of configuring your Ethernet connection to set up its address automatically, which is generally the default anyway. </answer>

<title>Pretty printing</title>

<question>I have a very useful utility on Windows called FinePrint, which buffers print requests and enables me to preview them, reorder them, delete pages from them, save them, print them 2-up, 4-up, double-sided, booklet... and so on. I would be lost without it. Is there anything remotely similar available for Linux, which batches print requests and allows them to be manipulated before they are sent to the printer? </question>

<answer>Not only is there something like this available for Linux, but you may already have it installed! KDE's print program KPrinter offers much of what you describe. When you print from a KDE program, click on the Properties button in the printer dialog and you'll see options to do things like printing two or four pages per sheet. KPrinter can be used with non-KDE applications – most programs have an option to set the print command, which usually defaults to lp or lpr. Change this to kprinter and all print requests will go through the KDE print system. If you want some of the other features you mention, you will have to use the command line: the possibilities you mention are all there, and then some, but without a controlling GUI. The best program I have found for this is a2ps, the Any To PostScript filter. This is provided with most distros and may already be installed on your system. As the name implies, a2ps takes data in (almost) any format and outputs it as PostScript, ready for sending to your printer. The filter part of the description is the interesting part, because a2ps does more than translate one file format to another, it also lays it out according to your specification. Running

a2ps -4 myfile -d

will print myfile four pages to a sheet and send the results to the default printer. As a filter, a2ps is ideal for inclusion in a pipeline, taking its input from one program and sending it to another. If you use this as the print command for a program

a2ps -=booklet | kghostview -

it will process the program's output according to the user option booklet and send it to KGhostView. You can then preview the layout before pressing the Print button in KGhostView. User options are a powerful feature of a2ps. Set in the user's config file at ~/.a2ps/a2psrc, they enable you to group a number of settings as a single option, a sort of option macro. You will find full details of this in the a2ps info page – run info a2ps in a terminal or type info:/a2ps into Konqueror's location bar. </answer>

<title>Clearing the queue</title>

<question>My server is running Qmail and I have a lot of failure notice emails in the mail queue. How do I clear the mail queue on my mail server? </question>

<answer>To solve this problem you'll need a tool called QmHandle. It can easily be downloaded from http://hurricane.hinasu.net/scripts/qmHandle. This is a modified version of the tool with some extra functionality added. Using QmHandle you can then delete messages based on sender and also on recipient. Run ./qmHandle to get more information; here's a run-down of the parameters available (taken from the man page):

 -a: try to send queued messages now (Qmail must be running).
 -l: list message queues.
 -L: list local message queue.
 -R: list remote message queue.
 -s: show some statistics.
 -mN: display message number N.
 -dN: delete message number N.
 -Stext: delete all messages that have/contain text as Subject.
 -Ftext: delete all messages that have/contain text as Sender.
 -Ttext: delete all messages that have/contain text as Recipient.
 -D: delete all messages in the queue (local and remote).
 -V: print program version.

Additional (optional) parameters:

 -c: display colored output.
 -N: list message numbers only (to be used either with -l, -L or -R).

You can view or delete multiple messages at once, i.e. -d123 -v456 -d567. So to answer your question, you would need to run the QmHandle command like this:

 ./qmHandle -S'failure'

</answer>

<title>Which printer, which SUSE?</title>

<question>I print photographs as an amateur and for that purpose purchased a Canon i865 printer. I've had it a year and until now it was more than satisfactory for my needs (as a Windows user). Three months ago I moved my home computer to Kubuntu, which is very user friendly. Now I feel I can try other distros. However, I cannot get my printer to work from Linux. There seem to be no drivers available for this (and many other Canon printers). All my printing is done through my dual-booted Windows. To make the move to Linux complete I need to be able to print. I have tried various methods to print, setting up a generic printer, various Canon drivers that are available etc. Nothing works. I did get two pieces of 'advice' from a forum I tried:

1 Changing my printer.
2 Buying a driver from a firm called TurboPrint.

Are these the only solutions? Secondly, in LXF82 you included a desktop version 10.1 of SUSE. Now in LXF84 you include the SLED 10 version which, if I understand correctly, is mainly for server use. In the accompanying article it is also highly recommended for desktop users. Could you explain to a novice like me how to make a decision as to which of these distros to use if I'm thinking of trying to use SUSE? </question>

<answer>Canon printers are notoriously poorly supported in Linux (unlike Canon scanners and cameras – I wouldn't part with either of mine) but there is a driver that is reported to give excellent results with this printer and the good news is that you probably have it installed already. When configuring your printer, select Canon BJC-8200 as the printer type – the BJC-8200 driver works with the Canon i865 up to the printer's maximum resolution. There are actually two drivers for the BJC-8200: one included with CUPS (the standard print system) and the other in the gimp-print package. If you have Gimp-Print (or Gutenprint, as the latest versions are called) installed you will be given a choice of the two drivers; you should try each of them to see which works best for your needs. Installing the printer can be done from your distro's configuration programs, such as Yast in SUSE, or through a web browser. Point your browser to http://localhost:631, click on the Add Printer button and answer the questions. Once you have set up the printer with one of the drivers, you can click on the Printers tab and click on 'Modify Printer' when you wish to try the other driver.

TurboPrint is a commercial set of printer drivers that supports more printers than CUPS or Gutenprint (the company is Zedonet GmbH). Being commercial means it can buy developer kits from the printer manufacturers. The quality is excellent and you can download a demo version from www.turboprint.de/english.html. The demo adds a small TurboPrint logo to prints made at the highest quality, but this doesn't stop you from gauging the quality yourself to decide whether it is worth spending €30 on the full version.

On to your question about the different SUSE flavours. SLED is the SUSE Linux Enterprise Desktop – it is a desktop system aimed at business use. There is a server version, called SLES. Then SUSE 10.1 is the latest release of OpenSUSE, the open source, community-supported version of SUSE. Either of these will work for you, although there have been some problems with the updates system in SUSE 10.1. Despite the 'Enterprise' designation, SLED contains a lot of software that is equally useful to home users. It is impossible to say which of the two will suit you the best, or whether you'd prefer to stay with Kubuntu (but note that SLED uses Gnome whereas OpenSUSE has the KDE desktop as used by Kubuntu), so the only sensible advice is to try them yourself. </answer>

<title>Mounting Mepis</title>

<question>I bought your magazine today [Get Started With Mepis Linux Special] in order to try out Mepis Linux on a Dell Dimension PC, which already has Windows XP and Red Hat Enterprise Server (version 3) installed on it. The Microsoft product is what one would (sadly) expect but Red Hat proves very difficult when it comes to installing anything. The instructions I have often don't work so I thought I would try Mepis. The system has a CD drive but not a DVD drive so I bought the CD version, but I just can't get it to install. Every option on the menu (as given on image one on page 12 of your magazine) eventually leads to a line on screen which reads:

  `Mounting MEPIS filesystem... mount:
   Mounting dev/loop0/ on /linux
   failed: Invalid argument
   done.
   Can't start up filesystem
   Halting...'

I've tried the Ctrl+Alt+F7 and Ctrl+Alt+F8 but these don't do anything. </question>

<answer>It is possible you have a faulty or damaged disc, but before you return it for a replacement, there are a couple of things you can try – it may be an incompatibility with your hardware. There are a number of options you can pass to Mepis when booting; press F1 at the menu screen and select Boot Options from the bottom of the list to see the choices. You type these options at the main menu screen (as shown in the first picture). The two most likely to have success here are

acpi=off
failsafe

Try these in turn, then investigate some others. If the same error comes up every time, it is most likely that your drive is having trouble reading the disc. If possible, try the disc in another computer; booting from the disc only runs it as a Live CD; it does not start the installation, so you don't have to worry about affecting any computer you try it on. If it still fails, you should contact us at the address or phone number given on the back of the disc sleeves. If the disc works in other computers, it is likely that your CD drive is either dirty or failing. As drives get older the laser loses some power and the laser lens gets dirty (especially if people smoke near the computer). A lens cleaner may help. </answer>

<title>Dirty mail</title>

<question>I run a mail server. Can you tell me how I can monitor mailboxes for corruption? </question>

<answer>Have a look for this error in the mail log (/var/log/maillog): 'File isn't in mbox format - Couldn't open INBOX'. If you find it, the mailbox is definitely corrupted. To avoid checking mailboxes manually, here's a script you can use:

#!/usr/bin/env python3
# Report mailboxes whose first line is not an mbox "From " separator line.
import os
import re

mailpath = '/var/mail'
# Mailboxes are read as bytes so that odd encodings cannot crash the check.
re_valid = re.compile(rb'From\s+[^\s]', re.I)

for m in sorted(os.listdir(mailpath)):
    fn = os.path.join(mailpath, m)
    if not os.path.isdir(fn):
        with open(fn, 'rb') as f:
            l = f.readline()
        # An empty mailbox is fine; only a bad first line is reported.
        if l and not re_valid.match(l):
            print("Invalid: %s" % m)

Name the script verifymailboxes.bin and run it with python3 verifymailboxes.bin </answer>

<title>Certified users</title>

<question>I am building a website (LAMP-based) that will provide sensitive information and store sensitive customer data in the database. The site will be restricted to specific IP addresses but I would like to add certificate based authentication so that every user that is allowed to use the site should have a personal certificate in their browser that would be used in conjunction with their username and password. That way, if someone tried to enter the site from an accepted IP address but did not have the correct username-password-browser certificate combination, they would be rejected. Can you tell if it is possible to do that? </question>

<answer>This is certainly possible. Apache can use SSL to authenticate clients with certificates, as well as to authenticate the server to the client. You will want the latter too, as it is important for your users to know they have connected to the correct server before sending sensitive information. The first step is to put your certificate and its keyfile in Apache's configuration directory, preferably in an ssl subdirectory, and then to add these lines to httpd.conf to activate SSL and give their location:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/myserver.crt
SSLCertificateKeyFile conf/ssl/myserver.key

Configure Apache to listen on port 443 (or create a virtual host for this and add the above lines to the virtual host's definition), and Apache will now authenticate the server to clients using your certificate. To authenticate each client with the server, add these lines to httpd.conf (or within a <Directory> container in your virtual host's definition):

 SSLVerifyClient require
 SSLVerifyDepth 1
 SSLCACertificateFile conf/ssl/myserver.crt

This will block access to any client that does not have a certificate signed by the server, so you need to create one for each user by running these commands on the server:

openssl genrsa -des3 -out username.key 1024
openssl req -new -key username.key -out username.csr
openssl x509 -req -in username.csr -out username.crt -sha1 -CA myserver.crt -CAkey myserver.key -CAcreateserial -days 365
openssl pkcs12 -export -in username.crt -inkey username.key -name "$USER Cert" -out username.p12
openssl pkcs12 -in username.p12 -clcerts -nokeys -info

The export stage will prompt for an 'export password'. This is needed, along with the username.p12 file, to install the certificate in the user's browser. The last line simply displays the certificate so you can check that all is well. For maximum security, install the certificate yourself, then the user will not be able to copy it to another machine as they will not know the password. </answer>

<title>Video on SUSE</title>

<question>When I try to install w32codec on SUSE 10.1, I get messages like

`Transaction failed: Package transaction failed:
 Can not find resolvable  w32codec-all 20060611-0.pm.0'

or

 `2006-06-03 08:55:00 w32codec-all-
 20060501-0.pm.0.i586.rpm install failed
  rpm
  output: error: unpacking of archive failed
  on file /usr/lib/codecs: cpio: rename
  failed - Is a directory'

What should I do so I can see video files? </question>

<answer>You don't say where you obtained the w32codec package – it could be that the file you downloaded was corrupt, or that it is not compatible with SUSE 10.1. The safest way to install the Win32 codecs, and any other software, is through Yast. The default Yast setup only includes the installation discs and maybe an update repository, so the first step is to add extra software sources. Run Yast and select Installation Source in the Software section; click on Add and pick HTTP from the menu that pops up. Now type

packman.unixheads.com/suse/10.1 

in the Server Name, press OK and click on Finish. This adds the Packman repository, which contains such goodies as the Win32 codec files. You can also add the main SUSE repositories for both free and non-free packages (the latter are excluded from OpenSUSE discs) with mirrors.kernel.org/opensuse/distribution/SL-10.1/inst-source and mirrors.kernel.org/opensuse/distribution/SL-10.1/non-oss-inst-source. Now you can go into the installation section of Yast and install w32codec-all. This will enable you to play various video file formats, but you will still be unable to watch copy-protected DVDs – the Xine libraries provided with SUSE OSS (OpenSUSE) do not have support for libdvdcss, needed to decrypt protected DVDs. As you have added the Packman repository to Yast, an update should take care of this, but you also need to install libdvdcss, so open a terminal as root and type

 yast --install http://download.videolan.org/pub/libdvdcss/1.2.9/rpm/libdvdcss2-1.2.9-1.i386.rpm

For more information on extending SUSE OSS 10.1 by adding the missing, but useful, non-free parts, see the Jem Report at www.thejemreport.com/mambo/content/view/254. </answer>

<title>Unwritable cards</title>

<question>My Evesham Voyager (running XP Pro and Ubuntu 64) will read but not write SD cards whether the slider is locked or unlocked. The card works fine in my brother's Toshiba. I have contacted Evesham and reloaded USB drivers but to no avail. I thought it might be helpful if I told them I'm dual boot and that the same happens in Linux. They now refuse to help, saying they can't support a dual-boot PC, and that I must reformat the hard drive! I only recently reinstalled everything so don't want to do that, and I want to continue with Ubuntu. XP lists generic USB drives CFC, MMC, MSC, but there's no SDC even though the slot is supposed to be 4-in-1. In Ubuntu the Read, Write and Execute permission buttons are all ticked. I thought I'd try HardInfo after reading the article in your October issue [HotPicks, LXF84], but loading fails because glibc is too old. I'm told 'you need at least the following symbols in glibc:GLIBC_2.0' yet I've installed all auto updates. It tells me that upgrading glibc is highly dangerous, that whoever built the package did not build correctly, and that I should report this to the provider and ask them to rebuild using apbuild. Can you help? </question>

<answer>Right. If this happens in both Windows and Linux, your card reader is almost certainly at fault and you will need to get Evesham to fix it, something that the company should do whichever operating system is installed because this is a hardware fault. If Evesham insists on your removing Linux, you could use Partition Image (www.partimage.org) to back up your Linux partition(s). But if this error only happens in Linux, it is most likely a permissions problem. Even though the directory at which the device is mounted is writable by you, the underlying device may not be. Can you write to the card as root? You don't need to log into the desktop as root to do this; assuming the card is mounted at /media/sd, open a terminal and type

 sudo touch /media/sd/tmp

If you can write as root, it would appear that the device node for the card is not writable by your normal user. Run mount to see the device name – you'll see something like

 /dev/sda1 on /media/sd type vfat (rw,noexec,nosuid,nodev,noatime,uid=1000,utf8,shortname=lower)

at the end of mount's output, showing that the device, in this example, is /dev/sda1. Inspect the permissions on the device node with

 ls -l /dev/sda1

You will see something like

 brw-rw---- 1 root plugdev 8, 1 Oct 23 17:29 /dev/sda1

This shows that the device is owned by the root user and the plugdev group. The rw-rw---- shows that the user and group can read and write and that others cannot, so you need to ensure that you are a member of the plugdev group. Run id from the terminal to see which groups you belong to and use the following commands to add yourself to plugdev:

 sudo gpasswd -a $USER plugdev
 newgrp plugdev

The first command adds you to the plugdev group; the second makes that your current group, otherwise you would have to log out and back in again for the change to take effect. The HardInfo error is odd, because Ubuntu Dapper comes with version 2.3.6 of glibc. This could be an error in the Autopackage build. An older version of HardInfo is in the Ubuntu Universe repository – the latest version, 0.4.1, is in the Ubuntu Edgy repository. Add

deb http://archive.ubuntu.com/ubuntu edgy main universe

to /etc/apt/sources.list and you will be able to install it from Synaptic. We have also included a Deb package of HardInfo on the DVD. </answer>