Sometimes you'd like to configure an application so that it starts for any user who uses 'startx' (or logs in through xdm?). For example, I have a policy on my systems that all users should be running xautolock (a program that invokes an xscreensaver or xlock module after a period of mouse/keyboard inactivity).
On a Debian Woody/Sid (2.2 or later) system this can be done by copying or linking a file into /etc/X11/Xsession.d/. This would be a script similar to one you'd add to /etc/init.d/. For example I added a file called 60xautolock consisting of the single line:
/usr/bin/X11/xautolock -time 2 -corners 00-+ -cornerdelay 2 &
I suspect it should be marked as executable; I just set the perms on mine to match the others therein.
(BTW: this xautolock enables a "blank now" hot spot in the lower right corner of the screen, and a "never blank" hot spot in the lower right; so a user can blank the screen with a 2 second delay by shoving their mouse pointer far into the corner; it also sets the automatic blanking to occur in 2 minutes: the default of 10 min. is way too long!)
Here's another Debian tip:
Debian normally configures xdm to invoke the X server with the -auth argument. This allows one to configure their X session to allow remote clients, or local clients under other user IDs to connect to the X server (to run in your X session).
This is useful even if you've accepted the recommendation to configure XFree86 4.x with the "-nolisten tcp" option (to disable remote clients from direct X protocol access). It allows you to run X under your own user ID while allowing root to open programs on your display (particularly handy if you want to run ethereal, which will refuse to run SUID/root but which needs access to X and root permission to sniff on your network interfaces).
The problem is that Debian doesn't normally invoke X with the -auth option when you use the startx script. Of course you could use xhost +localhost; but this allows any local user to access your X session; rather than allowing you to control it in a more fine-grained fashion.
The solution is to edit the /etc/X11/xinit/xserverrc file, inserting one command and adding an option to another:
#!/bin/sh
# md5sum prints "<digest>  -"; cut keeps only the hex digest for the cookie
/usr/bin/X11/xauth add :0 . $(dd if=/dev/urandom count=2 2> /dev/null | md5sum | cut -d' ' -f1)
exec /usr/bin/X11/X -dpi 100 -nolisten tcp -auth $HOME/.Xauthority
## . . . . . . . . . . . . . . . . . . . . ^^^^^^^^^^^^^^^^^^^^^^^
... last comment line (starting with ##) underscores the addition to that command. The xauth command is being used to create the ~/.Xauthority file.
For root to gain access to this session you'd issue a command like:
xauth -f ~$YOU/.Xauthority extract - `hostname`/unix:0 | xauth merge -
... from a root shell (perhaps by opening an xterm and using the su or sudo commands). (Hint: obviously anyone who can read your .Xauthority file can use it to gain access to your X sessions; so maintaining these on NFS home directories is BAD; yet another reason why NFS stands for "no freakin' security").
That's the easiest and most secure means available for supporting remote X clients; if you call the OpenSSH client with the -X (enable/request X11 forwarding) and if the remote ssh daemon allows it; and if you have your DISPLAY variable set (which is always the case when you start an xterm under X; since it's how the X libraries linked into xterm "found" your X server) then the remote daemon will spawn off a proxy --- an instance of the daemon that will "pretend" to be an X server on display number 10, 11, or higher. That daemon will automatically relay X protocol events to your client which will relay them through the local Unix domain socket to your server. This is all automatic with most versions of ssh (except for the newer OpenSSH client which defaults to disabling X11 forwarding and thus requires the -X switch).
Please make sure you use capital X, as -x in lowercase tells it to disable this feature, even if the local sysadmin has chosen to okay a tunneled X connection by default. -- Heather
This allows you to run X with ports 6000 (and up) closed; (preventing remote systems from even seeing that you're running it; much less giving them the opportunity to attack your X server) and still allows you to easily support remote X clients.
SSH X11 forwarding also works through NAT/IP masquerading and any firewall that allows other ssh traffic.
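The exposures this tip names (a cookie file that other users can read or that lives on NFS, and an X server still listening on TCP port 6000 and up) can be checked with a short script. This is an added example, not part of the original tip; the function names, the 6000-6063 port range and the sample `ss -ltn` lines are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original tip. Assumes GNU stat and `ss -ltn` columns.

# check_cookie_file FILE: report who besides the owner can reach the X cookie.
# Returns 0 when clean, 1 on findings, 2 when the file is missing.
check_cookie_file() {
    f=$1; bad=0
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    mode=$(stat -c '%a' "$f")
    case $mode in
        [0-7]00) ;;   # owner-only access
        *) echo "PERMS $f mode=$mode (want 600)"; bad=1 ;;
    esac
    fstype=$(stat -f -c '%T' "$f")
    case $fstype in
        nfs*) echo "NFS $f is on $fstype"; bad=1 ;;
    esac
    return $bad
}

# classify_x_listeners: read `ss -ltn` style lines on stdin and report
# listeners on the X11 TCP ports (6000 + display; 0-63 is this example's choice).
classify_x_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":"); port = part[n] + 0
        if (port < 6000 || port > 6063) next
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        d = port - 6000
        if (addr == "127.0.0.1" || addr == "[::1]")
            print "LOOPBACK display :" d " on " addr
        else
            print "EXPOSED display :" d " on " addr
    }'
}

# Constructed sample: an X server started without -nolisten tcp, plus an
# ssh -X proxy on display 10.
sample_ss_lines() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6000          [::]:*
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
EOF
}

sample_ss_lines | classify_x_listeners
check_cookie_file "${XAUTHORITY:-$HOME/.Xauthority}" || true
```

On a live system, pipe the real `ss -ltn` output into classify_x_listeners; an EXPOSED line for display :0 means the server was started without -nolisten tcp.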
This matter has come up many times before, and will surely come up many times in the future. I hope by putting Yan-Fa's crisp description and our extra notes in Tips, that more people who need it, will find it easily. -- Heather
There's a simpler way to put a new root password on a linux system if you've forgotten it and have physical access. Which I have to assume this person has since they're messing with partitions.
If you have lilo installed, interrupt the boot up process at the lilo prompt and type:
kernelImageName single
(one example would be linux as your kernelImageName.)
-- Heather
This will boot you up in single user mode and allow you to change the password. This has the added advantage of running all the standard run level 1 processes, including mounting of partitions.
Yan-Fa Li
Things to look out for, however:
If you like to get your hands dirty you can also edit the /etc/sysconfig/desktop file (or create it if it doesn't exist) and put in the line: DESKTOP=KDE
This has the added advantage of changing the XDM to KDM instead of GDM.
Y
Hi,
From the Department of Scripting Newbieville, here's a tiny function I've added to my .bashrc and ended up using quite often:
addy () {
  if [ $# -eq 1 ]
  then
    grep -i "$1" "$HOME/.mail_aliases" | mawk '{ print($3) }'
  else
    echo "Usage: addy <searchstring>"
  fi
}
Given a search string (part of a name, nickname or address) as input, it'll output any matching email addresses it finds in an email aliases file (~/.mail_aliases, in this case). The alias file contains lines in the format used by mutt - for example:
alias nickname whoever@wherever (Real Name)
If you use WindowMaker and have xmessage, you can add something similar to a menu by adding the following, as a single line, to the menu config file of your choice:
"Find email address..." SHEXEC "xmessage -nearmouse `grep -i \'%a(Email address finder,Enter search string:)\' .mail_aliases | mawk '{ print($3) }'`"
Thanks to everyone involved with Linux Gazette - you're great!
Tim
Hmm, Answer Gang recommended djbdns without mentioning that it's proprietary software? Ouch. Bad gang, no biscuit.
I said "some" and I didn't mention how many people are currently signed onto TAG. It's more than two. Maybe next time I'll gather the whole flaming thread from across its 3 mailing lists.
However I've cc'd the Gang at large so a few more people can take a bushwhack at me
I ragged on his philosophy a tiny bit and noted that I won't use it. Even, a technical rather than religious/copyright reason not to.
But I was also slaving over hot perl scripts and HTML mashed taters trying to get the mailbag and tips sections cooked. If you smell smoke coming out of my ears that's surely my melted brain
-- Heather
Thanks Rick! Everyone else, I hope you find this particular 2c tip especially handy. I'd enjoy it if some folks would tell us how useful or annoying they find these things.
I see no signs that they want any money from me. Can you point me to a URL that wants payment?
Sure.
Here's the subscription policy page, clarifying that their stuff is subscription-only now, and why:
http://www.mail-abuse.org/subscription.html
Here's the Fee Structure page that it points to:
http://www.mail-abuse.org/feestructure.html
(note, you really want tables support to read that)
... so it merely depends on who you are.
Which tool must I now use to set up a printer? It used to be printtool on older systems (RedHat/Mandrake)
Please!
Danie Robberts
The Answer Gang replied with a few distro specific notes:
Not really sure how to get this where it needs to go.
This is the right place. It will be published in next month's 2-Cent Tips, unless Heather has too much other material. -- Mike
I have recently had the same problem with random seg faults that you addressed in August TAG.
I bought a new computer, pieced it together, and put 384M in it. When I initially installed linux, it was dog slow, and running top, I noticed that I only had 64M visible (I think, incredibly less than 384 to be sure). I did a little checking and learned that the motherboard has a known problem of not seeing all the memory. So I entered the line "mem=384M". I then started getting random seg faults. I couldn't figure it out for a long time.
Even though I had a graphics card with on-board memory, my bios still allotted 64M to the AGP device on the motherboard. I reduced this (couldn't get rid of it, or set to 0), and allowed for the use in my lilo.conf entry, and all is wonderful now.
Sorry about the verbosity.
-Tom
Hi,
I have done some reading and searching but the solution to our problem still eludes me.
I volunteer for a non-profit freenet ccil.org and would like to set up smtp authentication so that CCIL users who buy connectivity from other ISPs will continue to use our stable and reliable mail services. The system our mail runs on is a Debian potato box running the default smtp server exim.
Can you point me to a HOWTO?
Thanks,
Chuck
Are you asking how to allow users of your systems to access mail on your system even though they are not in your domain? If so, you want a program called pop-before-smtp (here's one URL I found over on google: http://rpmfind.net/linux/RPM/PLDtest/i686/pop-before-smtp-1.21-3.noarch.html ).
It's easy to set up and allows your users to access their email from anywhere in the world.
-- Sincerely, Faber Fedor
Has anybody tried Subversion? According to the web page (http://subversion.tigris.org), it's at Milestone 2 alpha development, and aims to have all CVS features plus:
It was recommended by someone on the Cheetah (http://www.cheetahtemplate.org) mailing list.
At print time, it reached its Milestone 3, is now self hosted (they use their own code and not CVS anymore), and they hope to be feature complete in early October.
Compare also Bitkeeper, (www.bitmover.com), a project by Larry McVoy and others aimed toward successful source control of big, complicated projects. -- Heather
Hi,
Can you use the same source for compiling a kernel on both an Intel based machine as well as a Sun?
I would like to know before I break my Sun
thanx
Danie
It should automatically detect the architecture it's compiling on and produce the right kernel.
However, whenever you install a new kernel, you always want to have a plan of escape in case the new kernel doesn't boot. That means making sure your old kernel is still ready to go and you know how to switch back to it. Popular ways to do this are to put the new kernel on a boot floppy, leaving the hard-disk setup alone, or arranging for LILO to boot one or the other from its menu. I'm not sure if Sun computers have LILO (Alphas use a multi-OS program called MILO instead), but they should have something equivalent. -- Mike
I can answer that. They use SILO, which works a little differently from LILO, but in a way, it makes it much easier to have multiple kernels.
Booting a Sparc takes more code than a PC does, but the disk partitioning utilities available to linux are not real clear on that concept. So SILO installs a tiny first stage loader whose only job in the whole world is to find the second stage. The second stage has more room than LILO does, so it is also smart enough to read its own config file. Thus SILO doesn't need to be re-invoked all the time when you make configuration changes.
But I wouldn't change what you let the bootprom memorize, until you are dead certain the new one works.
I'll add that the Sparc Debian disc might make an acceptable rescue disc if you get really screwed up, but it's still better to be careful. -- Heather
What combination of open source software should be used to create a portal site? How could a beginner build and test such a site?
The Gang replies:
Thank you for the reply. It is very helpful. Gives me a lot of new places to look.
peace