Copyright © 2001-2007 BLFS Development Team
All rights reserved.
Descriptive text is licensed under a Creative Commons License.
Computer instructions are licensed under the Academic Free License v. 2.1.
Linux® is a registered trademark of Linus Torvalds.
2007-02-14
| Revision History | | |
|---|---|---|
| Revision 6.2.0 | 2007-02-14 | Sixth release |
| Revision 6.1 | 2005-08-14 | Fifth release |
| Revision 6.0 | 2005-04-02 | Fourth release |
| Revision 5.1 | 2004-06-05 | Third release |
| Revision 5.0 | 2003-11-06 | Second release |
| Revision 1.0 | 2003-04-25 | First release |
Abstract
This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.
Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS was the LFS hints (http://www.linuxfromscratch.org/hints). Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS - hence BLFS.
BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.
Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!
Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs at irc.linuxfromscratch.org. You can find more details about all of these in the Introduction section of the book.
Enjoy using BLFS.
Mark Hymers
markh <at> linuxfromscratch.org
BLFS Editor (July 2001–March 2003)
I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do, I waited for someone else to do it. It wasn't too long before I was looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.
We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.
Larry Lawrence
larry <at> linuxfromscratch.org
BLFS Editor (March 2003–June 2004)
The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan "Your distro, your rules."
Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.
Bruce Dubbs
bdubbs <at> linuxfromscratch.org
BLFS Editor (June 2004–December 2006)
My introduction to the [B]LFS project was actually by accident. I was trying to build a GNOME environment using some how-tos and other information I found on the web. A couple of times I ran into some build issues and Googling pulled up some old BLFS mailing list messages. Out of curiosity, I visited the Linux From Scratch web site and shortly thereafter was hooked. I've not used any other Linux distribution for personal use since.
I can't promise anyone will feel the sense of satisfaction I felt after building my first few systems using [B]LFS instructions, but I sincerely hope that your BLFS experience is as rewarding for you as it has been for me.
The BLFS project has grown significantly the last couple of years. There are more package instructions and related dependencies than ever before. The project requires your input for continued success. If you discover that you enjoy building BLFS, please consider helping out in any way you can. BLFS requires hundreds of hours of maintenance to keep it even semi-current. If you feel confident enough in your editing skills, please consider joining the BLFS team. Simply contributing to the mailing list discussions with sound advice and/or providing patches to the book's XML will probably result in you receiving an invitation to join the team.
Randy McMurchy
randy <at> linuxfromscratch.org
BLFS Editor (December 2006–Present)
Version 6.2.0 is the complement to the LFS 6.2 book. More time has elapsed between the release of the previous version (6.1) and this one than in any other release cycle. Much of this is due to the fact that LFS 6.2 took much longer to be released than was originally anticipated. Many new packages have been introduced in the 6.2.0 version, as well as many updates, refinements and additions to the existing packages.
The BLFS book now provides build and configuration instructions for almost 400 packages. Some of the new packages introduced in this version are: autotooled XOrg, HAL, D-BUS, GStreamer (now broken out into separate plugin packages), usbutils, libquicktime, GraphViz, K3b, dvd+rw-tools, NSS, Libidn, GAIM, Poppler, SeaMonkey, XChat, Audacious, cairo and unixODBC. Major updates include GNOME-2.14.3 (with several new GNOME packages such as Totem, gnome-mount and gnome-volume-manager), KDE-3.5.6, Firefox-1.5.x, Thunderbird-1.5.x, and most of the mainline server packages. As always, the list of packages that have been upgraded or added as well as configuration and build command changes are annotated in the Change Log.
Unfortunately, BLFS activity was semi-stagnant for several months after (and shortly before) the LFS 6.2 release. Therefore, many of the packages are somewhat dated (compared to previous BLFS versions). This brings us to why the versioning scheme has changed. This release is 6.2.0 as we fully anticipate releasing another version (6.2.1) just as soon as possible. The 6.2.1 release will also be based on the LFS-6.2 book, but will include updated packages, and fixes for any errors which may be discovered in 6.2.0.
As always, the main thrust of BLFS development will be to support the changes in the current LFS development book, but any changes or updates to the BLFS development book (that are compatible with LFS 6.2) will also be merged into the BLFS 6.2 branch. This way, a 6.2.1 version of BLFS should be released fairly soon, and should provide a very current and stable Linux platform.
Enjoy!
Randy McMurchy
January 31, 2007
This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, but for one reason or another want to manually build software and are in need of some assistance. Note that the material contained in this book, in particular the dependency listings, is based upon the assumption that you are using a base LFS system with every package listed in the LFS book already installed and configured. BLFS can be used to create a range of diverse systems and so the target audience is probably nearly as wide as that of the LFS book. If you found LFS useful, you should also like this!
Since Release 5.0, the BLFS book version matches the LFS book version. This book may be incompatible with a previous or later release of the LFS book.
This book is divided into the following parts.
This part contains information which is essential to the rest of the book.
Here we introduce basic configuration and security issues. We also discuss a range of editors, file systems, and shells which aren't covered in the main LFS book.
In this section we cover libraries which are often needed by the rest of the book as well as system utilities. Information on Programming (including recompiling GCC to support its full range of languages) concludes this part.
Here we cover how to connect to a network when you aren't using the simple static IP setup given in the main LFS book.
Networking libraries and command-line networking tools make up the bulk of this part.
Here we deal with setting up mail and other servers (such as SSH, Apache, etc.).
This part explains how to set up a basic X Window System installation along with some generic X libraries and Window managers.
For those who want to use the K Desktop Environment or some parts of it, this part covers it.
GNOME is the main alternative to KDE in the Desktop Environment arena and we cover both GNOME-1.4 and GNOME-2.14 here.
Office programs and graphical web browsers are important to most people. They, along with some generic X software can be found in this part of the book.
Here we cover setting up multimedia libraries and drivers along with some audio, video and CD-writing programs.
The PST part of the book covers document handling, from applications like Ghostscript, CUPS and DocBook to installing teTeX.
The Appendices cover information which doesn't belong in the main book; they are mainly there as a reference.
The software used to create BLFS applications is constantly being updated and enhanced. Security warnings and bug fixes may become available after the BLFS book has been released. To check whether the package versions or instructions in this release of BLFS need any modifications to accommodate security vulnerabilities or other bug fixes, please visit http://www.linuxfromscratch.org/blfs/errata/6.2.0/ before proceeding with your build. You should note any changes shown and apply them to the relevant section of the book as you progress with building the applications in BLFS.
The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.
Please read most of this part of the book carefully as it explains quite a few of the conventions used throughout the book.
We would like to thank the following people and organizations for their contributions toward the BLFS and LFS projects:
All those people listed on the Credits page for submitting patches, instructions and corrections to the book. The former editor would especially like to thank Bruce, Larry and Billy for their enormous inputs to the project.
Jeff Bauman (former co-editor of the book) for his assistance with getting BLFS off the ground.
Gerard Beekmans <gerard <at> linuxfromscratch.org> for starting and writing the vast majority of the LFS project.
Robert Briggs for donating the linuxfromscratch.org and linuxfromscratch.com domain names.
DREAMWVR.COM for their ongoing sponsorship by donating various resources to the LFS and related sub projects.
Bruce Dubbs for donating the anduin package server and his substantial contribution to the purchase of the new quantum server.
Garrett LeSage <garrett <at> linux.com> for creating the LFS banner.
Frank Skettino <bkenoah <at> oswd.org> at OSWD for coming up with the initial design of the LFS and BLFS websites.
Mark Stone <mstone <at> linux.com> for donating the original linuxfromscratch.org servers.
Jesse Tie-Ten-Quee <higho <at> linuxfromscratch.org> for answering many questions on IRC, having a great deal of patience and for not killing the former editor for the joke in the original BLFS announcement!
Countless other people on the various LFS and BLFS mailing lists who are making this book possible by giving their suggestions, testing the book and submitting bug reports.
Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project. If you are in the list and wish to have your email address included, again please drop us a line to randy AT linuxfromscratch D0T org and we'll be happy to add it. We don't include email addresses by default so if you want it included, please state so when you contact us.
Editor: Randy McMurchy <randy AT linuxfromscratch D0T org>
Co-Editors: Bruce Dubbs, Larry Lawrence, Igor Zivkovic, DJ Lucas, Tushar Teredesai, David Jensen, Archaic, Manuel Canales Esparcia, Dan Nicholson, Andy Benton and Alexander E. Patrakov.
Chapter 01: Based on the LFS introductory text by Gerard Beekmans, modified by Mark Hymers for BLFS.
Chapter 02: The /usr versus /usr/local debate: Andrew McMurry.
Chapter 02: Going beyond BLFS: Tushar Teredesai.
Chapter 02: Package Management: Tushar Teredesai.
Chapter 02: Automated Building Procedures: Randy McMurchy.
Chapter 02: Locale Related Issues: Alexander Patrakov and Randy McMurchy.
Chapter 03: /etc/inputrc: Chris Lynn.
Chapter 03: Customizing your logon & vimrc: Mark Hymers.
Chapter 03: /etc/shells: Igor Zivkovic.
Chapter 03: Random number script: Larry Lawrence.
Chapter 03: Creating a Custom Boot Device: Bruce Dubbs.
Chapter 03: The Bash Shell Startup Files: James Robertson, revised by Bruce Dubbs.
Chapter 03: Compressed docs: Olivier Peres.
Chapter 04: Firewalling: Henning Rohde with thanks to Jeff Bauman. Revised by Bruce Dubbs.
Chapter 11: Which: Mark Hymers, with many thanks to Seth Klein and Jesse Tie-Ten-Quee.
Chapter 25: X Window System Environment: Bruce Dubbs.
Chapter 27: Intro to Window Managers: Bruce Dubbs.
Chapters 28 and 29: KDE: Bruce Dubbs.
Chapters 30, 31, and 32: GNOME: Larry Lawrence.
traceroute: Jeff Bauman
ProFTPD and rsync: Daniel Baumann
joe, nano, nmap, slang, w3m and whois: Timothy Bauscher
Fetchmail and WvDial: Paul Campbell
CDParanoia, mpg123, SDL and XMMS: Jeroen Coumans
UDFtools, Perl modules (initial version) and Bluefish: Richard Downing
sudo, wireless_tools: Bruce Dubbs
tripwire: Manfred Glombowski
alsa, cvs, dhcpcd, gpm, hdparm, libjpeg, libmng, libpng, libtiff, giflib, links, lynx, openssl, tcsh, which and zsh: Mark Hymers
ALSA Firmware, ALSA OSS, inetutils, GLib, GTK+, libxml and vim: James Iwanek
db and lcms: Jeremy Jones and Mark Hymers
aalib, Alsa, ffmpeg, MPlayer, transcode, xvid and xsane: Alex Kloss
ntp: Eric Konopka
AbiWord, at-spi, ATK, audiofile, avifile, bc, bonobo-activation, bug-buddy, cdrdao, cdrtools, cpio, curl, dhcp, eog, esound, fcron, fluxbox, gail, galeon, gconf-editor, gdbm, gedit, gimp, GLib2, gmp, gnet, gnome-applets, gnome-desktop, gnome-games, gnome-icon-theme, gnome-libs, gnome-media, gnome-mime-data, gnome-panel, gnome-session, gnome-system-monitor, gnome-terminal, gnome-themes, gnome-utils, gnome-vfs, gnome-user-docs, gnumeric, GTK+2, gtk-doc, gtk-engines, eel, imlib, intltool, lame, libao, libart_lgpl, libbonobo, libbonoboui, libgail-gnome, libglade2, libgnome, libgnomecanvas, libgnomeprint, libgnomeprintui, libgnomeui, libgsf, libgtkhtml, libgtop, libIDL, libogg, librep, librsvg, libvorbis, libwnck, libxml2, libxslt, LPRng, Linux-PAM, metacity, MIT Kerberos 5, MPlayer, mutt, nautilus, oaf, OpenJade, OpenSP, OpenSSH, ORBit, ORBit2, pan, Pango, pcre, pkgconfig, postfix, procmail, Python, QT, rep-gtk, ruby, sawfish, scrollkeeper, sgml-common, sgml-dtd, shadow, startup-notification, unzip, vorbis-tools, vte, wget, XFce, xine, xml-dtd, yelp and zip: Larry Lawrence
Archive::Zip, cracklib, JDK-5, libdrm, libpcap, Mesa, ncpfs, netfs, OpenOffice-2, pppd (update), RP-PPPoE, Samba-3, Subversion, Xorg-7 and xterm: DJ Lucas
ALSA Tools, Apache Ant, cairo, Cyrus-SASL, D-BUS, DejaGnu, desktop-file-utils, DocBook DSSSL Stylesheets, DocBook-utils, dvd+rw-tools, Ethereal, Evince, Evolution Data Server, Exim (many additions), Expect, FOP, FreeTTS, FriBidi, GC, GCC (rewrite), GMime, gnome-audio, gnome-backgrounds, gnome-menus, gnome-mount, gnome-screensaver, gnome-volume-manager, GNOME Doc Utils, GNOME Keyring Manager, GnuCash (many additions), GOffice, Graphviz, GStreamer Base Plug-ins, GStreamer Good Plug-ins, GStreamer Ugly Plug-ins, HAL, Heimdal, HTML Tidy, ISO Codes, JadeTeX, Java Access Bridge, K3b, LessTif (rewrite), libexif, libgail-gnome, libgnomecups, Libidn, libmpeg2, libmusicbrainz, libquicktime, MIT Kerberos V5 (many updates and enhancements), MPlayer (extensive overhaul), NSS, Other Programming Tools, PDL, Perl Modules, pilot-link, Poppler, PyXML, Samba 3 (many additions), SANE (original instructions by Alex Kloss), Shadow (rewrite), SLIB, Sound Juicer, Stunnel, Sysstat, system-tools-backends, Totem, unixODBC and usbutils: Randy McMurchy
aspell, balsa, bind, bonobo, bonobo-conf, cvs server, emacs, evolution, exim, expat, gnome-print, GnuCash, gtkhtml, guppi, guile, g-wrap, leafnode, lesstif, libcapplet, libesmtp, libghttp, libglade, pine, portmap, PostgreSQL, qpopper, reiserfs, Samba, sendmail, slrn, soup, teTeX, tcp-wrappers, and xinetd: Billy O'Connor
Gimp-Print, libusb and TIN: Alexander E. Patrakov
Screen: Andreas Pedersen
nfs-utils: Reinhard
ESP Ghostscript: Matt Rogers
iptables: Henning Rohde
fontconfig, gcc, jdk, mozilla, nas, openoffice, ispell, mailx, ImageMagick, hd2u, tcl, tk and bind-utils: Tushar Teredesai
MySQL: Jesse Tie-Ten-Quee
PHP: Jeremy Utley
Ekiga, Epiphany, FLAC, File Roller, GNOME Magnifier, GNOME Netstatus, GNOME Speech, GOK, Gnopernicus, Imlib2, LZO, MC, NASM, Nautilus CD Burner, Speex, XScreenSaver, Zenity, compface, freeglut, gcalctool, gucharmap, id3lib, kde-i18n, kdeaccessibility, kdebindings, kdesdk, kdevelop, kdewebdev, libFAME, liba52, libdv, libdvdcss, libdvdread, libmad, libmikmod and libmpeg3: Igor Zivkovic
Fernando Arbeiza for doing great quality assurance on Shadow utilizing PAM. The machine access he saved may have been yours.
Miguel Bazdresch for many suggestions and contributions to the Other Programming Tools section.
Gerard Beekmans for generally putting up with us and for running the whole LFS project.
Oliver Brakmann for developing the dhcpcd patch for FHS compliance.
Ian Chilton for writing the nfs hint.
Nathan Coulson for writing the new network bootscripts.
Nathan Coulson, DJ Lucas and Zack Winkles for reworking the bootscripts used throughout the book.
Jim Harris for writing the dig-nslookup-host.txt hint on which the bind-utils instructions are based.
Lee Harris for writing the gpm.txt hint on which our gpm instructions are based.
Marc Heerdink for creating patches for tcp_wrappers and portmap and for writing the gpm2.txt hint on which our gpm instructions are based.
Mark Hymers for initiating the BLFS project and writing many of the initial chapters of the book.
J_Man for submitting a gpm-1.19.3.diff file on which our gpm instructions are based.
Jeremy Jones (otherwise known as mca) for hacking Makefiles and general assistance.
Steffen Knollmann for revising the JadeTeX instructions to work with teTeX-3.0.
Eric Konopka for writing the ntp.txt hint on which the ntp section is based.
Scot McPherson for writing the gnome-1.4.txt hint, from which useful information was gathered, and for warning us that GNOME Version 2.0 may not be ready to put in the book.
Alexander E. Patrakov for patches and suggestions to improve the book content, assistance with alsa dev.d helpers, and increasing the l10n awareness.
Ted Riley for writing the Linux-PAM + CrackLib + Shadow hint on which reinstalling Shadow to use PAM is based.
Jeremy Byron and David Ciecierski for assisting with, modifying, and testing various OpenOffice-2.0-pre builds and patches.
Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. This is because LFS provides instructions on how to create a base system which is capable of turning into anything from a web server to a multimedia desktop system. BLFS is where we try to guide you in the process of going from the base system to your intended destination. Choice is very much involved.
Everyone who reads the book will want to read certain sections. The Introduction part, which you are currently reading, contains generic information. Especially take note of the information in Chapter 2, Important Information, as this contains comments about how to unpack software, issues related to using different locales and various other aspects which apply throughout the book.
The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals with not just configuration but also Security (Chapter 4, Security), File Systems (Chapter 5, File Systems), Editors (Chapter 6, Editors) and Shells (Chapter 7, Shells). Indeed, you may wish to reference certain parts of this chapter (especially the sections on Editors and File Systems) while building your LFS system.
Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This part contains information on many items which are prerequisites for other sections of the book as well as some items (such as Chapter 12, Programming) which are useful in their own right. Note that you don't have to install all of these libraries and packages found in this part to start with as each BLFS installation procedure tells you which packages it depends upon so you can choose the program you want to install and see what it needs.
Likewise, most people will probably want to look at the Connecting to a Network and Basic Networking parts. The first of these deals with connecting to the Internet or your LAN using a variety of methods such as DHCP (Chapter 14, DHCP Clients) and Dial-Up Connections (Chapter 13, Dial-up Networking). The second of these parts deals with items such as Networking Libraries (Chapter 16, Networking Libraries) and various basic networking programs and utilities.
Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that this section also contains information on various database packages.
The next parts of the book principally deal with desktop systems. This portion of the book starts with a part talking about X and Window Managers. This part also deals with some generic X-based libraries (Chapter 26, X Libraries). After this, KDE and GNOME are given their own parts which are followed by one on X Software.
The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA-1.0.13 instructions from this chapter quite near the start of their BLFS journey; they are placed here simply because it is the most logical place for them.
The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems and even those who are creating mainly server systems will find it useful.
We hope you enjoy using BLFS and find it useful.
To make things easy to follow, there are a number of conventions used throughout the book. Following are some examples:
./configure --prefix=/usr
This form of text is designed to be typed exactly as seen unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.
install-info: unknown option `--dir-file=/mnt/lfs/usr/info/dir'
This form of text (fixed-width text) shows screen output, probably the result of issuing a command. It is also used to show filenames such as /boot/grub/grub.conf.
Emphasis
This form of text is used for several purposes in the book but mainly to emphasize important points or to give examples as to what to type.
http://www.linuxfromscratch.org/
This form of text is used for hypertext links external to the book such as HowTos, download locations, websites, etc.
This form of text is used for links internal to the book such as another section describing a different package.
cat > $LFS/etc/group << "EOF"
root:x:0:
bin:x:1:
......
EOF
This type of section is used mainly when creating configuration files. The first command (in bold) tells the system to create the file $LFS/etc/group from whatever is typed on the following lines until the sequence EOF is encountered. Therefore, this whole section is generally typed as seen.
<REPLACED TEXT>
This form of text is used to encapsulate text that should be modified and is not to be typed as seen, or copied and pasted. Note that the brackets are not part of the text, but should be substituted for as well.
root
This form of text is used to show a specific system user or group reference in the instructions.
This is BLFS-BOOK version 6.2.0 dated February 14th, 2007. This version is intended as the complement to the LFS 6.2 book.
The BLFS project has a number of mirrors set up world-wide to make it easier and more convenient for you to access the website. Please visit the http://www.linuxfromscratch.org/mirrors.html website for the list of current mirrors.
Within the BLFS instructions, each package has two references for finding the source files for the package—an HTTP link and an FTP link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.
To overcome this problem, the BLFS Team, with the assistance of Server Beach, has made an HTTP/FTP site available at anduin.linuxfromscratch.org. This site has all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need, get it there.
We would like to ask a favor, however. Although this is a public resource for you to use, we do not want to abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.
Please note that the Change Log only lists which editor was responsible for putting the changes into SVN; please read the Credits page in Chapter 1 for details on who wrote what.
Current release: 6.2.0 – February 14th, 2007
Changelog Entries:
February 14th, 2007
[randy] - Released BLFS Version 6.2.0.
[randy] - Added an FTP download URL in the Links instructions as the HTML URL is currently unavailable.
[dnicholson] - Added a patch from Ag Hatzimanikas to fix issues with UTF-8 in Vorbis Tools.
[randy] - Added an additional parameter to the Expect configure command to fix a build problem in certain situations; also added a note to run the test suite.
[dnicholson] - Fixed three package link labels to match their titles. Thanks to Chuck Rohde.
[randy] - Minor modifications to the MesaLib instructions, both text explanations and commands.
February 13th, 2007
[dnicholson] - Textual fixes from Chuck Rohde.
[dnicholson] - Added text to be more explicit that luit is not a required dependency of xterm.
[dnicholson] - Added a reminder to set the necessary variables when building packages for Xorg-7.
[dnicholson] - Reverted two changes in MC and ReiserFS specific to LFS-SVN.
February 11th, 2007
[dnicholson] - Add information for running the Vim testsuite. Patch from Ag Hatzimanikas.
February 10th, 2007
[dnicholson] - Moved the Linux-PAM dependency in Xorg-7 from the Libraries to the Applications.
[dnicholson] - Converted UTF-8 man pages in the Xorg-7 drivers. Thanks to Alexander Patrakov for supplying the fixes.
February 7th, 2007
[randy] - Released BLFS 6.2.0-rc2.
[randy] - Updated to iptables-1.3.6, thanks to Andy Beverley for helping solve some build issues.
February 6th, 2007
[dnicholson] - Populated the contents for the Xorg-7 Xbitmaps, Applications, Data, Fonts, Server, and Drivers sections.
[dnicholson] - Fixed the grammar on the Xorg-7 Utilities and Libraries pages to use full sentences to describe the package contents.
February 5th, 2007
[randy] - Clarified the text in the Mutt and FCron instructions that an MTA should install the sendmail command.
February 4th, 2007
[dnicholson] - Populated the package contents for the Xorg-7 Protocol Headers, Utilities, and Libraries sections.
[dnicholson] - Added an optional libcap dependency to vsftpd.
[dnicholson] - Added instructions for installing the Xorg-7 man pages to $XORG_PREFIX/share/man and configuring Man-DB to use that location. Fixes ticket #2229.
February 3rd, 2007
[randy] - Released Version 6.2.0-rc1.
February 2nd, 2007
[alexander] - Added CUPS and LPRng as recommended dependencies of a2ps.
[alexander] - Added some caution boxes for packages that are not going to work in multibyte locales.
[bdubbs] - Updated to Koffice-1.6.1.
[bdubbs] - Updated to KDE-3.5.6. Added runtime dependencies to kdelibs and kdebase thanks to Chris Staub. Added a change to kdebindings to reduce build time by a factor of five thanks to Dan Nicholson.
February 1st, 2007
[randy] - Changed the references of polypaudio to the new project name of PulseAudio, also updated the URL.
[randy] - Fixed broken URL for the "Why LD_LIBRARY_PATH is bad" site in the Beyond BLFS page.
[randy] - Fixed broken download URLs in the ISO Codes instructions.
[randy] - Enabled the D-BUS FTP download URL.
[randy] - Fixed broken download URL for a known working version of Pyrex in the D-Bus instructions.
[randy] - Fixed broken download URLs in the HTML Tidy instructions.
January 31st, 2007
[randy] - Broke out the separate sections of the Preface into separate XML files and added 6.2.0 release information to the Preface.
[alexander] - Upgraded GC to version 6.8 in order to fix the build failure with GCC-4.1.1.
January 30th, 2007
[randy] - Added a note to the D-Bus instructions to identify a known working version of Pyrex, thanks to DJ Lucas for the report.
[randy] - Updated several Perl Modules versions: Business-ISBN-Data-1.13, Business-ISBN-1.84, Devel-Symdump-2.07, HTML-Element-Extended-1.17, HTML-Tree-3.23, Module-Corelist-2.09, PAR-Dist-0.21, Pod-Coverage-0.18, Test-Pod-Coverage-1.08 and Test-Prereq-1.032.
January 29th, 2007
[dnicholson] - Updated the desktop-file-utils page to more closely reflect the XDG Base Directory Specification and corrected the information on the gnome-menus page. Fixes ticket #2172. Thanks to Luca Piol for the report.
[dnicholson] - Set the sysconfdir for libxfce4util, fixing ticket #2227.
January 28th, 2007
[randy] - Updated the default MPlayer codecs and skin versions.
[randy] - Fixed broken download URLs in the NAS, libmikmod, OpenOffice, SANE Backends, ESP Ghostscript, CUPS, GPM, Transcode, FOP and teTeX instructions.
[dj] - Removed modification of JAI source file in FOP instructions.
[dj] - Updated to JDK-1.5.0_10 and modified the jdk.sh profile.d script.
January 27th, 2007
[randy] - Fixed broken download URLs in the Tin, RSync, PostgreSQL, MySQL and Apache HTTPD server instructions.
January 26th, 2007
[dj] - Modified Linux-PAM configuration in the Shadow instructions.
[dj] - Updated to vsftpd-2.0.5.
[randy] - Updated to ISO Codes-0.58-1.
[randy] - Fixed Starlink download URLs in the PDL instructions, fixed broken Shadow, Python, PPP, WVDial and NTP download URLs.
January 24th, 2007
[randy] - Fixed the Zip, Unzip and FTP GCC download URLs.
[dnicholson] - Reverted the xsetpointer upgrade as it is broken with the inputproto in Xorg-7.1.
[dnicholson] - Actually apply the xorg-server and luit version upgrades.
January 23rd, 2007
[dnicholson] - Patchlevel upgrades to the Xorg-7 packages. Removed unneeded patches encompassed in these updates. See #2225 for more details.
[dnicholson] - Changed the download location for the Xorg-7 wget lists and md5sums file.
January 22nd, 2007
[alexander] - Added some options to Lynx for better locale support. Fixes ticket #1961.
[randy] - Updated to ZSH-4.2.6 and added a warning for users with multibyte locales.
January 21st, 2007
[dnicholson] - Added an example local session configuration file for D-Bus showing how to add new service directories. Changed the Epiphany instructions to reference this instead of symlinking its service file to the standard location.
[dnicholson] - Added optional configuration to HAL to prevent methods on fixed disk drives.
[dnicholson] - Fixed the X Input Devices User Notes link to point to a more appropriate place on the Wiki. Closes #2190.
[dnicholson] - Remove unneeded sed command from the Luit instructions. Fixes #2123.
[dnicholson] - Added text to the Locale Related Issues page suggesting the User Notes on the BLFS Wiki for the most recent information. Closes ticket #1993.
[alexander] - Removed obsolete statements about problems with MC and Nano from the Locale Related Issues page.
[dnicholson] - Updated to Thunderbird-1.5.0.9 with enigmail-0.94.2.
[dnicholson] - Updated to Firefox-1.5.0.9.
January 20th, 2007
[randy] - Modified the Spiffy, Test::Base and YAML Perl Module instructions so that UTF-8 encoded manual pages are not installed.
[randy] - Modified the XScreenSaver instructions so that a UTF-8 encoded manual page is not installed.
[randy] - Added a shell script and additional information about UTF-8 manual pages to the Locale Related Issues page.
[randy] - Moved the CM-Super type1ec.sty file from the texmf-local directory structure to the texmf structure.
[bdubbs] - Updated to seamonkey-1.1.
January 19th, 2007
[alexander] - Added Debian patch and bash-3.2 compatibility patch to MC. Fixes #2189.
January 18th, 2007
[dnicholson] - Added ftp:// links for the Xorg-7.1 packages.
[dnicholson] - Updated security patches for Xorg-6.9.0 and xorg-server-1.1.0.
[dnicholson] - Changed the i18n.sh profile text to reference the LFS locale discussion and moved the GLib specific settings to that package's page. Fixes #2012.
[randy] - Added text to the 'Locale Related Issues' page which discusses improperly encoded manual pages.
[randy] - Added sed commands to the ImageMagick and Xorg evdev packages to remove UTF-8 encoded manual pages.
January 17th, 2007
[dnicholson] - Updated the ALSA Library, Plugins, Utilities, Tools and Firmware to version 1.0.13. Updated ALSA OSS to 1.0.12. Fixes tickets #2112 and #2201. Notes have been added for untested packages.
[dnicholson] - Fixed the ALSA udev rules to work properly with the Udev and rules in stable LFS. Closes ticket #2125.
[dnicholson] - Added an http:// link for the gpm package.
[dnicholson] - Fixed the GLib-2 ftp:// link. Thanks to Guy Dalziel for spotting the error.
[alexander] - Removed the dead link to the old LiveCD hint.
[dnicholson] - Updated to HAL-0.5.7.1.
January 15th, 2007
[randy] - Modified all the Sourceforge download links to use the new standard Sourceforge has implemented.
[randy] - Added a comment to the XFCE instructions saying that hicolor-icon-theme is a run-time dependency.
[randy] - Added commands to the teTeX instructions to install the cm-super type1ec.sty font file.
[alexander] - Added reiserfsprogs build fix for LFS SVN.
[randy] - Updated to Lynx-2.8.6.
January 14th, 2007
[randy] - Added Alexander to the list of BLFS Editors.
[randy] - Fixed a broken download URL in the SLIB instructions, thanks to Leo Peschier for pointing it out.
[bdubbs] - Added security patch to unzip.
[bdubbs] - Updated patch in ed to correct an error. Thanks to Tyler Berry.
[randy] - Updated the md5sums and build data for the GNOME accessibility packages to be compatible with GNOME-2.14.3. This completes the GNOME-2.14.3 update.
[bdubbs] - Updated to Python-2.4.4.
[bdubbs] - Updated to dhcp-3.0.5.
[randy] - Updated the md5sums and build data for the GNOME add-on utilities to be compatible with GNOME-2.14.3.
[alexander] - Removed the commands that remove vim tutorials.
[alexander] - Updated to xfsprogs-2.8.18, added notes about the lack of testsuites to xfsprogs and reiserfsprogs.
January 13th, 2007
[bdubbs] - Updated to vim-7.0.
[bdubbs] - Updated to bind-9.3.3.
[bdubbs] - Updated to openssh-4.5p1.
[bdubbs] - Updated to openssl-0.9.8d.
January 11th, 2007
[randy] - Updated to MIT Kerberos V5-1.6. Also overhauled the instructions to fit the updated version and included enhancements to the instructions.
December 22nd, 2006
[randy] - Updated to Evolution-2.6.3.
[randy] - Updated GtkHTML, gtksourceview and Evolution Data Server to versions used with GNOME-2.14.3.
[randy] - Updated to GNOME-2.14.3. The “Core” packages are completely finished, the “Additional” packages still require updates to the MD5sums and build sizes/times.
December 20th, 2006
[dnicholson] - Updated to xterm-223.
[dnicholson] - Ensured that the terminfo files from xterm are installed in the system terminfo database.
[dnicholson] - Removed the --datadir setting for Xorg-7. Some packages had broken configurations that caused files to be installed to the wrong location. Forcing ${datadir} to match ${libdir} worked around these problems, but they have now been resolved properly upstream.
December 15th, 2006
[tushar] - Remove autoreconf command from popt. The tarball that matches the md5sum has the generated files.
December 11th, 2006
[randy] - Updated to GStreamer-0.10.11, GST Plugins Base-0.10.11, GST Plugins Good-0.10.4 and GST Plugins Ugly-0.10.4.
December 10th, 2006
[randy] - Updated to GSview-4.8 and fixed an issue with GSview using recent versions of ESP Ghostscript.
December 9th, 2006
[dnicholson] - Updated to Nano-2.0.1.
December 8th, 2006
[randy] - Added Sharutils (for the uudecode program) to the FreeTTS required dependencies, thanks to Chris Staub for the report.
[randy] - Updated to Samba-3.0.23d.
December 7th, 2006
[randy] - Updated to CUPS-1.2.7.
December 6th, 2006
[randy] - Added a note to the GNOME Panel instructions saying that the libxml2 Python module must be available.
December 4th, 2006
[randy] - Updated to Whois-4.7.20.
October 28th, 2006
[dnicholson] - Changed the structure of the Locale Related Issues page to describe general classes of problems. The package specific workarounds have been moved to their respective pages. Thanks to Alexander Patrakov for providing the rewrite, which better supports these situations.
October 27th, 2006
[bdubbs] - Updated to qt-3.3.7.
[dnicholson] - Fixed Screen description to reflect that UTF-8 is now available. Thanks to Alexander Patrakov for the suggestion.
[dnicholson] - Updated to libmusicbrainz-2.1.4, fixing security vulnerability CVE-2006-4197. Closes ticket #2181.
October 26th, 2006
[dnicholson] - Updated to Screen-4.0.3, fixing a security vulnerability. Closes ticket #2197.
October 25th, 2006
[dnicholson] - Fixed the hdparm instructions to work correctly when installing to an alternate prefix. Thanks to Miguel Bazdresch for reporting the problem. Fixes ticket #2196.
[bdubbs] - Updated to zip 2.32.
October 23rd, 2006
[randy] - Updated the Exim instructions documentation links.
October 22nd, 2006
[randy] - Added a note to the GTK+2 instructions about the test suite requiring an X Window session.
[randy] - Removed references to the shared library from the UnZip instructions. Thanks to Gabriel Batir for the report.
[randy] - Added a sed command to the Graphviz instructions so that the Java bindings will build correctly if you have the JDK installed.
October 19th, 2006
[dnicholson] - Added needed macro to use Cyrus-SASL in Postfix.
[dnicholson] - Updated to OpenLDAP-2.3.27.
October 15th, 2006
[djensen] - Updated to Ruby-1.8.5. Fixes #2127.
[djensen] - Updated Seamonkey to Enigmail-0.94.1. Fixes #2170.
October 14th, 2006
[dnicholson] - Added information about creating the /dev/dvd symlink for Mplayer with links pointing back to the relevant section of the LFS book. Fixes #1995.
[dnicholson] - Removed the note about installing UUID from the XFS page as the only libuuid comes from E2fsprogs. It is assumed that E2fsprogs is installed from LFS. Closes #2176.
[dnicholson] - Added PAM configuration to the host.def example in Xorg-6.9.0 and XFree86-4.6.0. It is commented out by default.
[dnicholson] - Updated to Postfix-2.3.3. Added configuration to automatically install HTML and README docs.
October 12th, 2006
[dnicholson] - Fixed broken ASH download link and added text about lack of test suite. Fixes ticket #2130.
[dnicholson] - Fixed broken Rsync download link. Thanks to Miguel Bazdresch for the fix.
[dnicholson] - Fixed GNOME Doc Utils so that the pkg-config files are always installed. Closes #2126.
[dnicholson] - Patched Emacs to ensure that the AltGr key is recognized. Added information about lack of test suite.
October 11th, 2006
[dnicholson] - Applied security patches to Xorg-6.9.0 and libXfont-1.1.0.
[randy] - Updated to NSS-3.11.3.
October 8th, 2006
[dnicholson] - Updated to Firefox-1.5.0.7. Fixes #2150.
[dnicholson] - Updated to Thunderbird-1.5.0.7 and Enigmail-0.94.1. Fixes #2151 and #2171.
[dnicholson] - Updated to Links-2.1pre23. Installed some user documentation from the tarball. Closes #2042.
October 5th, 2006
[randy] - Changed the TCP ports used by tunneled SWAT in the Samba instructions from 901 and 902 to 904 and 905 so that there is no conflict with the IANA database.
[randy] - Updated to cairo-1.2.4.
October 1st, 2006
[dnicholson] - Fixed an issue with rendering of OpenGL applications with MesaLib by adding an appropriate compiler flag. Thanks to Alexander Patrakov for the report and the fix. Closes ticket #2103.
[dnicholson] - Fixed an error with output redirection in MesaLib when /bin/sh is not Bash. Fixes ticket #2118.
September 30th, 2006
[djensen] - Updated to Balsa-2.3.13.
September 25th, 2006
[djensen] - Added 2 seds to LPRng-3.8.28, fixing a gcc-4.1 bug and a syntax error for newer makes.
[dnicholson] - Updated to dhcpcd-2.0.8. Changed the build to execute the dhcpcd.exe configuration file.
September 24th, 2006
[djensen] - Updated to SeaMonkey-1.0.5. Added the optional pango patch.
[randy] - Added a patch to the Heimdal instructions to fix a security vulnerability identified in MIT advisories CVE-2006-3083 and CVE-2006-3084.
September 19th, 2006
[djensen] - Updated to Mpg123-0.60.
September 16th, 2006
[djensen] - Removed a possible spurious doc dir installation in EsounD.
[bdubbs] - Updated to openssl-0.9.8c.
September 14th, 2006
[randy] - Fixed broken Linux-PAM documentation download URL.
September 12th, 2006
[dj] - Updated to JDK-1.0.5_08.
September 10th, 2006
[bdubbs] - Updated to nfs-utils-1.0.10.
[bdubbs] - Updated bootscripts to properly handle non-TERM stop signals.
[bdubbs] - Added creation of bin user to portmap.
[bdubbs] - Updated to pcre-6.7.
September 5th, 2006
[dnicholson] - Updated to Thunderbird-1.5.0.5. Reordered the patches so that they can apply cleanly.
September 4th, 2006
[dnicholson] - Updated to Firefox-1.5.0.6. Changed the order of the patches so that they can apply cleanly.
[dnicholson] - Fixed the text describing the default PKG_CONFIG_PATH to include /usr/share/pkgconfig. Fixes #2117. Thanks to Joe Ciccone.
[dnicholson] - Removed the ispell package as it has problems in UTF-8 locales and the aspell package is superior. Fixes ticket #2101.
[dnicholson] - Updated to xterm-218. Fixes tickets #2096 and #2100.
[bdubbs] - Fixed wording in php describing ini file. Thanks to Pippin for pointing this out.
[dnicholson] - Moved xterm, rman, MesaLib and libdrm packages out of the Xorg-7 chapter as they are now developed externally. Added notes to their pages to indicate that they should only be built when using Xorg-7. Fixes ticket #2120.
[dnicholson] - Added a missing program description to the Luit page.
August 30th, 2006
[djensen] - Updated to JOE-3.5.
August 29th, 2006
[dnicholson] - Fixed the download link for the Linux-PAM docs. Thanks to Tor Olav Slava.
[dnicholson] - Removed the reference to the vimrc question in the FAQ since it no longer exists. Thanks to Peter Ennis.
[dnicholson] - Minor text update on the bootdisk page. Thanks to Peter Ennis.
August 9th, 2006
[dnicholson] - Added patch to fix a security vulnerability in Mutt-1.5.11. Fixes ticket #2072.
[dnicholson] - Added patches to fix security vulnerabilities in Xorg-7.1. Closes ticket #2100.
[dnicholson] - Added configuration for HAL and gnome-volume-manager for use without the pam_console module.
[dnicholson] - Fixed a broken iptables link and a typo on the About Devices page. Thanks to Gabriel Batir.
August 7th, 2006
[dnicholson] - Added a patch to fix security vulnerabilities in Xorg-6.9.0. See ticket #2100. Removed fix for Glibc sys/kd.h as it is now in LFS stable.
August 6th, 2006
[randy] - Noted in the Evince instructions that shared-mime-info is a run-time requirement.
[randy] - Updated to libsoup-2.2.96.
[randy] - Added XMLRPC-EPI as an optional dependency of PHP.
August 5th, 2006
[randy] - Updated to libwnck-2.14.3.
[randy] - Updated to libglade-2.6.0.
[randy] - Updated to GTK+-2.8.20.
[dnicholson] - Removed /etc/profile.d/tinker-term.sh since it is no longer needed with the Ncurses in stable LFS-6.2.
August 4th, 2006
[randy] - Updated to libpng-1.2.12.
[randy] - Updated to libIDL-0.8.7.
[randy] - Added libxslt as a required dependency of the GNOME Doc Utils package.
[randy] - Updated to libxslt-1.1.17.
[randy] - Updated to libxml2-2.6.26.
August 3rd, 2006
[randy] - Added four upstream patches to the Berkeley-DB instructions.
August 2nd, 2006
[randy] - Updated the book to point at LFS 'stable' and use LFS stable package versions of Coreutils and Flex.
[randy] - Removed an obsolete ldconfig command from the OAF instructions.
July 25th, 2006
[randy] - Updated to GIMP-2.2.12.
July 24th, 2006
[randy] - Updated to libquicktime-0.9.9.
July 22nd, 2006
[randy] - Updated to Avifile-0.7.45.
July 15th, 2006
[randy] - Fixed the creation of the symbolic link in the Gnumeric instructions to fix access to the help documentation if GNOME is installed in a prefix other than /usr, thanks to Alessandro Alocci for spotting the error and contributing the fix.
July 13th, 2006
[dnicholson] - Fixed patch XML tags for Firefox and Thunderbird. Closes ticket #2069. Thanks to Joe Ciccone.
July 11th, 2006
[randy] - Updated to K3b-0.12.16 and clarified the dependencies to fix Ticket #2015.
[randy] - Added DAO to the Glossary.
[randy] - Updated to CVS-1.11.22.
July 9th, 2006
[randy] - Added a note about some additional optional dependencies in the Cdrdao instructions.
[dj] - Clarified instructions concerning alternate X Window System installation prefix.
[dj] - Corrected permission of installed files in OpenOffice instructions.
July 8th, 2006
[dj] - Added instructions to QT installation to account for alternate installation prefix in X Window System.
July 7th, 2006
[randy] - Updated the Apache Ant instructions to specify the version of Junit you should use.
[randy] - Added new package - gnome-screensaver-2.14.2.
[andy] - Updated ppp to 2.4.4.
July 6th, 2006
[dnicholson] - Fixed typo in libusb udev rule creation. Thanks to Johannes Lächele.
July 4th, 2006
[dnicholson] - Updated Firefox and Thunderbird to version 1.5.0.4. Added a patch to fix the builds with --enable-pango.
[randy] - Added a command to the Linux-PAM instructions to alter the unix_chkpwd password helper setuid, thanks to Jürg Billeter for pointing this out.
July 3rd, 2006
[randy] - Updated the Zenity and GNOME Keyring Manager package instructions to be compatible with the GNOME-2.14.2 update.
[dj] - Clarified text surrounding additional downloads section of OpenOffice instructions.
July 2nd, 2006
[randy] - Updated to GNOME System Monitor-2.14.4.
[randy] - Updated the GConf Editor, gedit, bug-buddy, EOG and File Roller package instructions to be compatible with the GNOME-2.14.2 update.
[dj] - Updated to OpenOffice-2.0.3.
[andy] - Updated SDL to SDL-1.2.11.
July 1st, 2006
[randy] - Removed unnecessary --sysconfdir and --localstatedir parameters from the GStreamer (and plugins) instructions. Updated the 'Good' Plugins with a --sysconfdir parameter that will force the GConf configuration files into the correct location.
[randy] - Updated the GNOME Utilities and GNOME Games package instructions to be compatible with the GNOME-2.14.2 update.
June 30th, 2006
[randy] - Updated the GNOME Accessibility packages' instructions to be compatible with the GNOME-2.14.2 update.
June 29th, 2006
[dnicholson] - Changed the installation instructions and explanations in XFS to be more consistent with the rest of the book. Thanks to Chris Staub for prompting the change.
[dnicholson] - Fixed sed command in WvStreams to not alter a non-existent file. Thanks to Angel Tsankov.
June 28th, 2006
[randy] - Renamed the GnomeMeeting package to Ekiga and updated the instructions to be compatible with the GNOME-2.14.2 update.
[randy] - Updated the dependencies and build commands in the gnome-volume-manager instructions to conform with GNOME-2.14.2. There is still some additional information that needs to be added to this page after the additions are finalized via BLFS-Dev discussion.
[dj] - Updated JDK, source and bin, to jdk-1.5.0 update 7.
June 27th, 2006
[randy] - Added new package GStreamer Ugly Plugins-0.10.3.
[randy] - Updated the Nautilus CD Burner, GNOME Media and Sound Juicer instructions to conform with the GNOME 2.14.2 update.
[randy] - Completed the gnome-mount instructions.
June 26th, 2006
[randy] - Replaced many instances of repetitive similar text with xinclude files in various package instructions.
June 25th, 2006
[randy] - Minor fixes and clean-up to the core GNOME-2 package instructions including standardizing the text in the 'Command Explanations' section by using xinclude files and changing the creation of symbolic links to using PYTHONPATH so Python can find modules installed in non-standard locations.
[randy] - Added some new xinclude files to replace the repetitive similar text in many package instructions.
June 24th, 2006
[randy] - Created a new BLFS BootScript tarball to reflect the updated HAL script.
[randy] - Updated to GDM-2.14.9.
[randy] - Updated to Totem-1.4.2.
[randy] - Updated to gcalctool-5.8.16.
June 23rd, 2006
[randy] - Added new package GStreamer Good Plug-ins-0.10.3.
[randy] - Created a new BLFS BootScript tarball to reflect the updated GDM script.
[randy] - Updated the Evince, Poppler and GNOME Netstatus instructions to conform with the GNOME-2.14.2 update.
June 21st, 2006
[randy] - Updated the Epiphany and gucharmap instructions to conform with the GNOME-2.14.2 update.
[randy] - Updated the GNOME2 additional libraries instructions to conform with the GNOME-2.14.2 update. This leaves the GNOME2 Accessibility and Additional Utility packages to update.
[randy] - Updated to Evolution-2.6.2.
[randy] - Added new package gnome-mount-0.4 (not fully complete, but added now to fix a validation issue).
[randy] - Updated to GNOME-2.14.2. All version entities have been updated with the core package updates being complete. The 'Additional' packages will be updated in upcoming commits.
[randy] - Changed references to GNOME2 User Docs to the renamed package of GNOME User Docs.
June 20th, 2006
[randy] - Removed all instances of the old GStreamer Plug-ins package and replaced them with the new GStreamer Base Plug-ins.
[randy] - Updated to GStreamer-0.10.8.
[randy] - Updated to Metacity-2.14.5.
[randy] - Updated to libsoup-2.2.94.
[randy] - Updated to libwnck-2.14.2.
[randy] - Updated to libxklavier-2.2.
[randy] - Updated to HAL-0.5.7.
[randy] - Updated to D-BUS-0.62.
[dnicholson] - Updated to TIN-1.8.2.
[randy] - Added new package GStreamer Base Plug-ins-0.10.8.
[randy] - Replaced the obsolete Howl dependency in the xinetd and Gaim instructions with an Avahi dependency.
[randy] - Fixed broken download URL in the Pilot-Link instructions.
[randy] - Removed cairo as a recommended dependency of Pango.
[bdubbs] - Fixed typo in NAS instructions.
June 19th, 2006
[randy] - Updated to ISO Codes-0.51-1.1.
[randy] - Updated to GMime-2.2.2.
June 13th, 2006
[randy] - Removed Fontconfig as an optional dependency of Pango as it is required in one way or another, thanks to Chris Staub for pointing this out.
[tushar] - Removed incorrect dependencies from gtk+.
June 11th, 2006
[randy] - Updated to ImageMagick-6.2.8-0.
June 6th, 2006
[randy] - Added a sed command to the Crypt::SSLeay Perl module instructions to fix a bug exposed by newer versions of OpenSSL.
[randy] - Modified the existing, and added new dependencies to the Module::Build Perl module instructions.
[randy] - Added the dependencies for the YAML Perl module.
[randy] - Added new Perl modules: Pod::Readme-0.081, Spiffy-0.30, Test::Base-0.50 and Test::Portability::Files-0.05.
[randy] - Updated several Perl modules: Archive::Tar-1.29, Business::ISBN::Data-1.11, Digest::SHA-5.41, ExtUtils::CBuilder-0.18, HTML::Parser-3.54, Module::Build-0.2801, Module::Signature-0.54, PAR::Dist-0.09, Pod::Simple-3.04, Test::Pod-1.24, Test::Prereq-1.031, version-0.63 and YAML-0.58.
June 5th, 2006
[andy] - Updated the Cdrtools ascii patch so that it applies properly.
May 31st, 2006
[dj] - Updated xorg-server and xterm dependencies.
May 29th, 2006
[dnicholson] - Fixes for the X Window System Components page. Add information for setting up DRI correctly. Thanks to Peter Steiger for the alert. Clarified the relationship between the Xft font system and Fontconfig. Thanks to Archaic for reviewing the previous contents.
[dnicholson] - Simplified mv command and fixed the explanation of the --enable-xine option in GStreamer Plug-ins. Thanks to Chris Staub for the patch.
[dnicholson] - Changed the text explaining the need for the mkisofs and cdrecord patches in Cdrtools. Thanks to Alexander Patrakov for the clarification.
[dnicholson] - Added optional dependencies for rebuilding the Mutt documentation. Thanks to Ag Hatzimanikas for the information.
May 27th, 2006
[randy] - Updated to librsvg-2.14.4.
[randy] - Added intltool as an optional dependency of libgnomecups.
[randy] - Updated to libgsf-1.14.1.
[randy] - Updated to Gtk+-2.8.18.
[randy] - Updated to Pango-1.12.3.
[randy] - Updated to GLib-2.10.3.
May 26th, 2006
[manuel] - Made all dependencies on a mail server actual cross-references.
May 25th, 2006
[randy] - Updated to desktop-file-utils-0.11.
[dj] - Updated Xorg Modular to 7.1 release.
[dj] - Updated to xterm-213.
[dj] - Updated to Mesa-6.5.
May 24th, 2006
[randy] - Updated the ALSA Plugins dependencies and installed plugin module list; also added documentation installation commands to the ALSA Plugins instructions.
[randy] - Several fixes to the MPlayer instructions: added a sed command to fix the getline function name issue, added a patch to fix the round function issue, fixed the creation of the font symlink to point to /usr/share/fonts, commented out the command and text that created a /dev/dvd device file as this is now done in LFS.
[randy] - Modified the way the GLUT library dependency is described in the LibTIFF instructions.
[randy] - Modified the configure script in the libfame instructions using a sed so that the -fstrict-aliasing flag is properly passed along to the Makefiles.
May 23rd, 2006
[randy] - Clarified the XvMC Wrapper dependency in the MPlayer and xine libraries instructions.
[randy] - Added libid3tag as an optional dependency of imlib2.
May 21st, 2006
[randy] - Updated to libdvdread-0.9.6.
[randy] - Updated codecs to the 20060501 versions in the MPlayer instructions.
[randy] - Added a note to the D-BUS instructions that you must have Qt installed if you are planning on using HAL with KDE.
[randy] - Added a note to the lm_sensors dependency in the kdebase instructions that the Sysfs Utilities package is also required.
[tushar] - Added note that proxymngr requires lbxproxy.
May 20th, 2006
[randy] - Added a patch to the kdelibs instructions so it will build if you have CUPS-1.2.x installed. The patch does not affect the build with lesser versions of CUPS. Thanks to Matthew Carson for chasing down the problem and sending in the patch.
[dnicholson] - Added -ifv arguments to the autoreconf command in libdrm so that libtoolize will be run. The shared library is created without the .so suffix without it.
[randy] - Added new package usbutils-0.72.
May 19th, 2006
[randy] - Changed the GNAT installation in the GCC instructions to use the existing Makefile, which eliminates the need to install Tcsh, thanks to Jim Gifford for the tip.
May 18th, 2006
[randy] - Moved the ScrollKeeper instructions from Chapter 31 - GNOME Core Packages to Chapter 10 - General Utilities as the package installation prefix is /usr and other-than-GNOME packages can utilize it.
[randy] - Added libacl as an optional dependency of Samba.
[randy] - Added additional commands to the LessTif instructions to accommodate an X Window System installation in /usr.
[dj] - Corrected NAS bootscript after installation.
[dj] - Standardized Xorg7 PREFIX commands using XORG_PREFIX.
[dj] - Re-added sed to fix incorrect path in luit.
May 17th, 2006
[bdubbs] - Changed home directory of named to /srv/named.
[bdubbs] - Added "About Devices" page.
[dnicholson] - Added two patches to Cdrtools improving its use in locales with non-ISO-8859-1 character sets. Fixes ticket #1837. Thanks to Alexander Patrakov for explaining the situation and supplying the patches.
[randy] - Added jbig2dec as an optional dependency of ESP GhostScript.
[dj] - Moved libdrm, mesa, xterm, and rman to xorg7 section.
[dj] - Added test suite notes to each xorg7 page.
May 16th, 2006
[bdubbs] - Added UTF-8 patch to Pine.
[randy] - Added documentation installation commands to the popt instructions.
[bdubbs] - Added paps-0.6.6 for UTF-8 printing.
[randy] - Updated to PHP-5.1.4.
[dj] - Added rman-3.2.
May 15th, 2006
[randy] - Added librsvg as an optional dependency of ImageMagick.
[bdubbs] - Update to postfix-2.2.9.
May 14th, 2006
[randy] - Updated to Apache HTTPD-2.2.2.
[randy] - Added a note to the MySQL instructions about TCP Wrapper and MySQL's test suite.
[randy] - Added a note to the cURL instructions about TCP Wrapper and cURL's test suite.
[dj] - Updated OpenOffice patch for system Firefox and added OpenOffice to list of packages that will utilize system nss in Mozilla product pages.
May 13th, 2006
[bdubbs] - Remove malloc switch from kdelibs.
[tushar] - Add GTK1 dependency for vim.
[bdubbs] - Added XChat-2.6.2.
[randy] - Updated the GCC (gcj) dependency in the Libidn instructions to include the gjdoc package also.
[randy] - Updated to GTK-Doc-1.6.
May 12th, 2006
[dnicholson] - Updated to GIMP-2.2.11 and gimp-help-2-0.10.
[randy] - Updated to libxslt-1.1.16.
[bdubbs] - Created a consolidated autofs patch to combine nine small patches and updated autofs to reflect the combined patch file.
[bdubbs] - Updated to imlib2-1.2.2.
[bdubbs] - Updated to intltool-0.34.2.
May 11th, 2006
[randy] - Added commands to the JDK instructions to run a demo program with the newly created java binary to provide a basic test of the build.
[randy] - Added commands to the cpio instructions to create alternate forms of the documentation.
[dj] - Added note to not build MesaLib with X11R6 and removed Xfree and xorg-6.9 from required deps.
[andy] - Updated to XFree86-4.6.0.
May 10th, 2006
[randy] - Added resmgr as an optional dependency of ALSA Library.
[randy] - Renamed the TeX package to its proper name - teTeX.
[dj] - Added sed for additional xorg-6.9.0 security vulnerability.
[dj] - Updated dependencies for Xorg-7.0.0 section and corrected text.
May 9th, 2006
[randy] - Updated to PCI Utilities-2.2.3.
[randy] - Modified the Expect build commands to work with the new Tcl build method.
[randy] - Added an additional command to the Sysstat installation so that a configuration file containing the history variable is installed.
[randy] - Added a note to the Shadow instructions about running the Linux-PAM test suite.
[randy] - Updated to Linux-PAM-0.99.4.0.
May 8th, 2006
[bdubbs] - Updated to ImageMagick-6.2.7-5.
[bdubbs] - Updated to libgtkhtml-2.11.0.
[bdubbs] - Updated to rsync-2.6.8.
May 7th, 2006
[randy] - Removed the ext3 file system page from the book as this file system is now the LFS default.
[randy] - Modified the Tcl and Tk instructions to install the library interface headers using the maintainer's recommended method and removed all the hacks from previous installation methods.
May 6th, 2006
[bdubbs] - Updated to alsa-1.0.11.
[bdubbs] - Updated to dhcp-3.0.4.
[dnicholson] - Fixed EsounD installation to note that the documentation can only be installed with DocBook-utils. Thanks to Chris Staub for the patch.
[tushar] - Updated to Popt-1.10.4.
[dnicholson] - Updated to Bluefish-1.0.5.
[dnicholson] - Updated to Firefox-1.5.0.3.
May 5th, 2006
[bdubbs] - Updated to nmap-4.03.
[bdubbs] - Updated to Leafnode-1.11.5.
[bdubbs] - Updated to AFPL Ghostscript-8.53.
[bdubbs] - Updated to libxml2-2.6.24.
[bdubbs] - Updated to proftpd-1.3.0.
[bdubbs] - Updated to mysql-5.0.21.
[bdubbs] - Updated to ntp-4.2.0a.
[dj] - Reorganized X Window System chapter.
[dj] - Split Xorg-7 instructions into several pages.
[dj] - Corrected links in Mesa and xterm instructions for new xorg7 pages.
May 4th, 2006
[bdubbs] - Updated to ESP Ghostscript-8.15.2.
[bdubbs] - Updated to openssl-0.9.8b.
[bdubbs] - Simplified mysql compilation flags. Thanks to Archaic.
May 3rd, 2006
[bdubbs] - Updated sed for openssh to link crypto libraries statically.
[bdubbs] - Updated location of kernel options in iptables. Thanks to Allard Welter who pointed this out.
May 1st, 2006
[randy] - Updated to XScreenSaver-4.24.
[randy] - Updated to Gtk+-2.8.17.
[randy] - Updated to ATK-1.11.4.
[randy] - Updated to Pango-1.12.2.
[randy] - Updated to Ethereal-0.99.0.
April 30th, 2006
[bdubbs] - Removed the gid for bin and usb as they are defined in LFS. Added comment in the section about users and groups that base entries are in LFS.
[randy] - Updated to K3b-0.12.15.
[randy] - Updated to NFS Utilities-1.0.8.
[andy] - Updated Pine to 4.64 and Abiword-2.4.4.
April 29th, 2006
[bdubbs] - Updated to exim-4.61.
[bdubbs] - Updated to Links-2.1pre21.
[randy] - Updated to Galeon-2.0.1.
[randy] - Added a new category 'Integrated Development Environments' to the 'Other Programming Tools' page and added additional components to the page.
[randy] - Updated Tcl and Tk to 8.4.13. Also modified the build commands to not use any user-created environment variables.
[bdubbs] - Changed openssh libexecdir to /usr/lib/openssh.
[bdubbs] - Added instruction to optionally enable ssl support to dillo.
April 28th, 2006
[randy] - Added new package libquicktime-0.9.8 and removed the Openquicktime package.
[bdubbs] - Updated to seamonkey-1.0.1.
[bdubbs] - Updated to rp-pppoe-3.8.
[bdubbs] - Updated bootscripts Makefile to install autofs after cleanfs.
[randy] - Updated to Berkeley DB-4.4.20.
April 27th, 2006
[bdubbs] - Updated to gc-6.6.
[bdubbs] - Updated to mysql-5.0.20a. Fixed all testsuite failures.
[dnicholson] - Updated to OpenSSL-0.9.8a. Added patch to Cyrus-SASL for compatibility with this version of OpenSSL.
[randy] - Updated to GCC-4.0.3.
[randy] - Updated to GMP-4.2.
[bdubbs] - Updated to vsftpd-2.0.4.
April 26th, 2006
[bdubbs] - Updated libexecdir location in emacs.
[randy] - Added clarification about NSS/NSPR libraries to the Evolution and Evolution Data Server instructions.
[bdubbs] - Updated to iso-codes-0.51.
[bdubbs] - Updated ntp configuration to use pool servers.
[bdubbs] - Updated to dhcp-3.0.3.
[bdubbs] - Updated to WvStreams-4.2.2.
[randy] - Updated to Balsa-2.3.12.
April 25th, 2006
[dnicholson] - Fixes for Cyrus SASL-2.1.21. Added patch to allow OpenLDAP => 2.3, converted GCC-4 patch to a sed, and added a sed command to put saslauthd man page in the correct location. Noted method to address LDAPDB plugin circular dependency in the User Notes.
[bdubbs] - Dropped NCPFS from the book due to lack of testing ability. Placed contents in the User Notes.
[randy] - Updated to GMime-2.2.1.
[bdubbs] - Added errata page to preface.
[dnicholson] - Updated to Thunderbird-1.5.0.2.
[randy] - Updated to libESMTP-1.0.4.
[randy] - Added a sed command to the PDL instructions to fix a build issue caused by ExtUtils::MakeMaker-6.30 which was introduced in Perl-5.8.8.
[bdubbs] - Fixed configuration instructions in GPM. Thanks to Chris Staub.
[bdubbs] - Updated to fcron-3.0.1.
[bdubbs] - Added a note about adding FORTRAN 77 to the gcc-3 instructions.
[randy] - Added a short note about the GCC-3.4.6 Fortran installation instructions on the BLFS Wiki to the GCC-4.0.x instructions.
[randy] - Modifications to the PDL instructions: added an FTP download location, rewrite of the introductory text to include a discussion about a proper version of Fortran, updated some of the dependency package download URLs and changed the links to a Fortran compiler to the one on the BLFS Wiki.
[andy] - Updated to OpenSP-1.5.2.
April 24th, 2006
[randy] - Updated the introductory text of the GCC-3 instructions to better explain its use, and to add a link to the Wiki pointing to a Fortran specific installation.
[bdubbs] - Updated to qpopper-4.0.9. Added standalone instructions and a configuration file. Added an initialization script to the bootscripts and bootscripts Makefile.
April 23rd, 2006
[bdubbs] - Updated to dhcpcd-2.0.5.
[dj] - Updated to OpenOffice-2.0.2.
[bdubbs] - Added a note to Apache that the apache user's home directory of /dev/null may fail for some add-ons.
[bdubbs] - Updated to fetchmail-6.3.4.
April 22nd, 2006
[bdubbs] - Updated Additional X Window System Configuration section.
[randy] - Updated to ExtUtils-F77-1.15.
[randy] - Modified the method of using cpan in the Perl Modules instructions, thanks to William Zhou for the suggestion.
[bdubbs] - Updated to iptables-1.3.5.
[dnicholson] - Fixes for TIN. Moved some run-time dependencies to the Configuration section. Installed documentation files. Added command to install default configuration files.
April 21st, 2006
[dnicholson] - Updated to Firefox-1.5.0.2.
[randy] - Updated to Filter-1.32.
[randy] - Updated to Net::DNS-0.57.
[randy] - Updated to Digest::SHA1-2.11.
[randy] - Updated to Net::IP-1.24.
[bdubbs] - Updated to bind-9.3.2. Updated bind-utils also.
[andy] - Added Audacious-1.0.0.
[andy] - Updated to Fluxbox 0.9.15.1.
April 20th, 2006
[bdubbs] - Updated to hdparm-6.6.
[bdubbs] - Updated udftools to compile with gcc4. Also deleted the kernel patch from the package because it is in linux 2.6.16 and later.
[dnicholson] - Added TIN version 1.8.1 to the book. Removed slrn. Thanks to Alexander Patrakov. Closes tickets #1845 and #1847.
[dnicholson] - Updated to Python-2.4.3.
[bdubbs] - Updated to glib-2.10.2.
April 19th, 2006
[tushar] - Corrected vim option description.
[bdubbs] - Updated to iso-codes-0.50.
[bdubbs] - Updated proftpd instructions.
[randy] - Updated to Socket6-0.19.
[randy] - Updated to Finance::QuoteHist-1.07.
[randy] - Updated to HTML::TableExtract-2.07.
[randy] - Added new Perl module; Text::CSV_PP-1.01.
[randy] - Updated to Finance::Quote-1.11.
[randy] - Updated to libwww-perl-5.805 (also renamed the package from LWP).
[randy] - Updated to libxml2-2.6.23.
[bdubbs] - Updated to nmap-4.01.
[dnicholson] - Changed X Window System to required dependency for Imlib-1.9.15. Fixes ticket #1792.
[randy] - Updated to Test::Prereq-1.030.
[randy] - Updated to Module::CoreList-2.04.
[randy] - Updated to GnuCash-1.8.12.
April 18th, 2006
[randy] - Downgraded to Guile-1.6.7 and G-Wrap-1.3.4 and modified the SLIB instructions to work with the downgraded packages. These changes are to support GnuCash which will not work with the more recent versions.
[manuel] - Removed creation of xsl-stylesheets-current symlink.
[bdubbs] - Updated to wireless_tools.28.
April 17th, 2006
[bdubbs] - Changed vim to match LFS instructions regarding UTF-8 locales.
[bdubbs] - Updated to kde-3.5.2.
April 15th, 2006
[bdubbs] - Updated to koffice-1.5.0.
[randy] - Updated the SLIB patch to a -2 version.
[randy] - Removed some optional dependencies (Gtk-1 and guile-gtk) from the G-Wrap instructions.
[dj] - Wrapped the lnx_agp.c sed in a testcase to make the change, only if required in Xorg-6.9 and Xorg-7.0 instructions.
[dj] - Added install command to create the /usr/share/fonts directory to Xorg-6.9, Xorg-7.0, and XFree86 instructions.
April 14th, 2006
[dnicholson] - Added sed to Xorg-6.9.0 to fix security vulnerability in ticket #1876. Changed sed to include linux/types.h to be the same as that in Xorg-7.0.0.
[randy] - Updated all the wiki links to point to the existing package wiki page if one existed.
[dnicholson] - Added information about the Nano development version which supplies UTF-8 support to Locale Related Issues. Added a caution on the Nano page.
[dnicholson] - Added pkg-config as a required dependency for MesaLib. Fixes ticket #1904.
[randy] - Readded the links in the Perl Modules instructions to the MD5sums of all the Perl Module source tarballs.
[randy] - Moved GConf-1 from an optional to a required dependency in the GNOME-VFS-1 and GtkHTML-1 instructions.
[randy] - Added new package Graphviz-2.8.
[bdubbs] - Added openssl as a required dependency of tripwire.
[andy] - Updated to Gnumeric-1.6.3 and Goffice-0.2.1.
April 13th, 2006
[randy] - Added the Io programming language to Chapter 12 - "Other Programming Tools".
April 12th, 2006
[randy] - Updates to the Enscript instructions: added a patch to fix security vulnerabilities, added commands to build alternate formats of the documentation, fixed the wiki link to point to the already existing wiki page.
[bdubbs] - Updated to tripwire-2.4.0.1.
[randy] - Updated to Whois-4.7.13.
April 11th, 2006
[dnicholson] - Added gcc4 patch for nfs-utils-1.0.7.
[bdubbs] - Updated bootscripts version to 20060411.
April 10th, 2006
[randy] - Added the 'User Notes' wiki link to each package page.
[randy] - Changed all instances of .[so,a] to .{so,a} (brackets changed to braces).
[randy] - Changed all [some_text] instances to <some_text> (square brackets changed to angle brackets).
April 9th, 2006
[randy] - Changed all the references to X Window System links to a common entity displayed as 'X Window System'.
[randy] - Updated to Doxygen-1.4.6.
April 8th, 2006
[randy] - Updated to GnuPG-1.4.3.
[dj] - Moved to gzipped bsh tarball in OpenOffice-2.0.0 instructions.
[randy] - Updated to librsvg-2.14.3.
[randy] - Updated to libgsf-1.14.0.
April 7th, 2006
[randy] - Updated to hicolor-icon-theme-0.9.
[randy] - Updated to shared-mime-info-0.17.
[randy] - Updated to libcroco-0.6.1.
April 6th, 2006
[randy] - Added a parameter to the Subversion build commands to disable the use of Berkeley DB; also added commands to fix the improper permissions on the installed documentation.
[dnicholson] - Fixed typo in Xorg-7 font installation. Fixed typos in X Window System Components fonts section.
[randy] - Updated to Poppler-0.4.5.
April 5th, 2006
[randy] - Updated to Qt-3.3.6.
[dj] - Added sed to correct glibc header problem in xorg-server.
[bdubbs] - Added Wireless Tools.
April 4th, 2006
[randy] - Updated to Subversion-1.3.1.
[randy] - Updated Xpdf-3.01 to patch-level 2.
April 2nd, 2006
[randy] - Updated to libusb-0.1.12.
[randy] - Updated to G-Wrap-1.9.6.
[randy] - Updated to SLIB-3a3.
[randy] - Updated to Guile-1.8.0.
[randy] - Updated to Ruby-1.8.4.
[randy] - Updated the HTTP download link in the PPP instructions.
[randy] - Commented out the link to the 'non-root dial-out HOWTO' from the WvDial instructions as it is no longer available.
[randy] - Updated to Samba-3.0.22.
March 31st, 2006
[randy] - Changed the name of the Nail package to its new name of 'Heirloom mailx' and updated to the 12.0 version.
[randy] - Updated to Sendmail-8.13.6.
[randy] - Updated to Linux-PAM-0.99.3.0.
[randy] - Updated to Shadow-4.0.15 (now current with the LFS version).
[randy] - Updated to PHP-5.1.2.
[randy] - Updated to cURL-7.15.3.
[randy] - Updated to Stunnel-4.15.
March 30th, 2006
[randy] - Updated to Libidn-0.6.3.
[randy] - Updated to GTK-Doc-1.5.
[randy] - Added XML::Parser as a required dependency and intltool as an optional dependency of ScrollKeeper.
[randy] - Added LWP as an optional dependency of XML::Parser.
March 29th, 2006
[randy] - Updated to OpenLDAP-2.3.20 (stable-20060227).
[dnicholson] - Fixed typo and added font size setting to Xterm configuration.
[dnicholson] - Updated to OpenSSH-4.3p2.
[randy] - Updated to PostgreSQL-8.1.3.
March 28th, 2006
[randy] - Updated to Heimdal-0.7.2.
[dnicholson] - Changed --with-luit to --enable-luit in Xterm. Added information about configuring in Xterm.
[dnicholson] - Added --without-add-fonts back into Fontconfig with a different note describing its use. Added more information about configuring Fontconfig and a link to the user's manual.
[dnicholson] - Reworked the fonts section of X Window System Components. Added detailed description of both font services and more links to available fonts. Thanks to Alexander Patrakov, Andrew Benton, Bruce Dubbs and Ken Moffat for their contributions.
[dnicholson] - Added commands to make only TrueType fonts available to Fontconfig in Xorg-6.9.0, Xorg-7.0.0 and XFree86-4.5.0. Fixed name of luit patch in Xorg-6.9.0.
[randy] - Updated to Firefox-1.5.0.1.
[dj] - Fixed xorg-server download link.
[dj] - Removed unneeded -lglut from Mesa Demos linker flags.
March 27th, 2006
[randy] - Updated to Gtk+-2.8.16.
[randy] - Updated to Pango-1.12.0.
[randy] - Updated to ATK-1.11.3.
[randy] - Updated to GLib-2.10.1.
[randy] - Updated to cairo-1.0.4.
March 26th, 2006
[dnicholson] - Changed note for Bc test suite. Removed one unnecessary test. Thanks to Bruce Dubbs.
[dnicholson] - Updated to LibTIFF-3.8.2. Noted optional dependency of MesaLib for the GLUT library.
[randy] - Updated to Whois-4.7.12.
[randy] - Applied a patch sent in by Chris Staub to suppress some unneeded screen output by the update-pciids command.
[randy] - Updated to Tcl-8.4.12 and Tk-8.4.12.
March 25th, 2006
[dj] - Updated individual X.org packages (wget files updated) and corrected two instructions where $XORG_CONFIG should be used.
[dnicholson] - Removed patches in Bc and replaced with equivalent seds. Fixed segmentation faults with bc -l. Fixes #1846. Added commands for test suite. Removed libedit dependency as it conflicts with Readline and causes problems.
March 24th, 2006
[randy] - Updated to Expat-2.0.0.
[randy] - Updated to S-Lang-2.0.6.
[randy] - Updated to PCRE-6.6.
[andy] - Updated Fluxbox to 0.9.15.
March 23rd, 2006
[randy] - Added a note to the CrackLib instructions advising to reinstall Shadow if you need strong password support without installing Linux-PAM.
[randy] - Modified the Shadow instructions to reflect that it needs to be reinstalled (and provided the modified commands) if CrackLib is installed without Linux-PAM.
[randy] - Updated to CrackLib-2.8.9.
March 22nd, 2006
[archaic] - Updated the Coreutils entity in the Net-Tools page.
March 21st, 2006
[randy] - Updated Perl version entity to 5.8.8 to match current LFS SVN.
March 19th, 2006
[randy] - Changed the Expect dependency in the DejaGnu instructions to a run-time-only dependency.
March 18th, 2006
[dnicholson] - Updated compressdoc script to use Man-DB.
March 16th, 2006
[randy] - Added new package K3b.
[randy] - Created two XInclude files to replace instances of identical text in several KDE packages.
March 15th, 2006
[dnicholson] - Added sed to libexif commands to fix Ticket #1785.
[dj] - Added --mandir switch to dhcpcd instructions.
March 14th, 2006
[bdubbs] - Clarified jdk download instructions and made minor updates to the install of the binary version.
March 13th, 2006
[dj] - Removed font path comments and defines from Xorg and XFree86 host.def files.
[dj] - Fixed typos, clarified library installation, added pkg-config note, and added return notes for data packages and luit to Xorg-7 instructions.
March 9th, 2006
[bdubbs] - Updated to gnupg-1.4.2.2 to fix security problem.
March 7th, 2006
[dj] - Updated to dhcpcd-2.0.2.
March 6th, 2006
[dnicholson] - Moved libgtkhtml to General Libraries since it is not a GNOME library. Change prefix to /usr.
[dj] - Removed /usr/share/fonts symlink in Xorg-7 instructions.
March 5th, 2006
[dj] - Updated to xorg-6.9.0.
March 4th, 2006
[dj] - Updated JDK to account for Xorg-7.0.0.
March 3rd, 2006
[dj] - Updated Xorg-7 and Mesa to use alternate module path.
[dj] - Separated user and root commands in Xorg-7.0.0.
March 2nd, 2006
[dnicholson] - Updated to Mutt-1.5.11. Added note about use of development release.
[dj] - Added command explanations and corrected prefix for xterm, libdrm, and Mesa.
[dj] - Added Xorg-7.0 and corrected links in xterm and Mesa pages.
[dj] - Added Xorg-7 to all X dependency references.
March 1st, 2006
[dnicholson] - Update to XFS-2.7.11. Expanded library installation commands.
[randy] - Final cleanup to the GNOME add-on packages after the 2.12.2 update.
February 27th, 2006
[randy] - Added a patch to fix librsvg if NSS/NSPR is installed.
[dnicholson] - Added note that tinker-term.sh is irrelevant with Ncurses-5.5+ and shouldn't be installed in that situation.
[bdubbs] - Added seamonkey-1.0 and deleted mozilla.
February 25th, 2006
[dj] - Added libdrm, Mesa, and xterm packages.
February 23rd, 2006
[bdubbs] - Removed duplicate installation of lndir in xorg and xfree86.
February 21st, 2006
[bdubbs] - Simplified unzip instructions.
February 13th, 2006
[randy] - Updated to Gnome System Monitor-2.12.2.
February 12th, 2006
[randy] - Updated to GConf Editor-2.12.1.
[archaic] - Updated to Postfix-2.2.8.
[randy] - Text updates and corrections provided by a patch sent in by Chris Staub.
[randy] - Replaced the commands to modify the *ns*.pc pkgconfig files with commands to create symlinks to the actual NSS/NSPR .pc files in the Firefox, Mozilla and Thunderbird instructions as suggested by Dan Nicholson.
[randy] - Abbreviated the commands used to install the NSS libraries in the NSS instructions as suggested by Tushar Teredesai.
[randy] - Updated to Galeon-2.0.0.
February 10th, 2006
[randy] - Added new package dvd+rw-tools-6.1.
February 9th, 2006
[randy] - Updated to Transcode-1.0.2.
[randy] - Minor corrections and updates to the Avifile instructions.
February 8th, 2006
[randy] - Updated to Totem-1.2.1.
[randy] - Updated to Gnumeric-1.6.2.
February 7th, 2006
[randy] - Updated to GOffice-0.2.0.
[randy] - Updated to Evolution-2.4.2.1.
February 6th, 2006
[randy] - Updated to GtkHTML-3.8.2.
[randy] - Updated Gnopernicus to fit the GNOME-2.12.2 version changes.
February 5th, 2006
[randy] - Updated to GNOME Magnifier-0.12.3.
[randy] - Updated to libgail-gnome-1.1.3.
[randy] - Modified the instructions for linking to installed plugins and removed the commands to create /usr/lib/mozilla compatibility links from the Mozilla instructions.
[randy] - Updated the following GNOME Add-on package instructions to fit the 2.12.2 version changes: GDM, Java Access Bridge, GNOME Speech.
February 4th, 2006
[randy] - Updated the following GNOME Add-on package instructions to fit the 2.12.2 version changes: Epiphany, gnome-volume-manager, GNOME Games, Sound Juicer.
February 3rd, 2006
[randy] - Updated the following GNOME Add-on package instructions to fit the 2.12.2 version changes: libgnomecups, libgnomeprint, libgnomeprintui, libgtkhtml, Evolution Data Server, system-tools-backends, EOG, gucharmap, File Roller, Gnome Utilities, Nautilus CD Burner.
[randy] - Updated the GNOME Core packages to the 2.12.2 version. Modified the /opt installation path to /opt/gnome-2.12.2, the configuration directory to /etc/gnome/2.12.2 and the libexecdir settings to a subdirectory of $GNOME_PREFIX/lib. The GNOME add-on packages version entities also now reflect the 2.12.2 version, though the actual package instructions have not been updated.
[randy] - Added a new page in the GNOME Core section for the shared-mime-info package as it is not a direct dependency of any GNOME Core package any longer.
[randy] - Updated Evolution Data Server dependencies to reflect the NSS package and modified the libexecdir setting.
[randy] - Updated to Metacity-2.12.2.
[randy] - Updated to libwnck-2.12.2.
[randy] - Updated to libsoup-2.2.7.
February 2nd, 2006
[randy] - Updated to XScreenSaver-4.23.
February 1st, 2006
[randy] - Updated to LZO-2.02.
[randy] - Updated to Cdrdao-1.2.1.
[bdubbs] - Updated vim to version 6.4.
January 31st, 2006
[randy] - Removed the piping of 'yes' commands from the installation of the packages containing Sun license agreements (JDK binary, FOP and FreeTTS) and instead provided a note to reference the text about automating builds.
January 30th, 2006
[randy] - Renamed the 'unpacking' page in Chapter 2 to 'building-notes' as this more accurately reflects the page and added a new section 'Automated Building Procedures' to the 'building-notes' page.
January 29th, 2006
[randy] - Added instructions to build the Akode package, added a patch to fix a build issue with libtunepimp, and adjusted the dependencies in the Kdemultimedia instructions.
[randy] - Updated all the links to files located on the Anduin server to use entities.
[andy] - Updated glib2 to 2.8.6.
January 28th, 2006
[randy] - Updated numerous items in the GStreamer Plug-ins instructions.
[andy] - Updated GConf to 2.12.1.
[andy] - Updated gtk+2 to 2.8.11.
January 27th, 2006
[bdubbs] - Added section on the BLFS Wiki.
[bdubbs] - Removed section on package management because it has been incorporated into LFS.
[randy] - Modified the instruction to apply the patch in the kdegraphics instructions as the patch has changed, thanks to Miguel Bazdresch for the report.
[randy] - Added a note to the GStreamer instructions about Valgrind breaking the build.
[andy] - Updated libxklavier to 2.1.
January 25th, 2006
[randy] - Added Python to the ISO Codes dependencies. Thanks to Jay McHugh for sending in the report.
[randy] - Updated to Mozilla-1.7.12, changed the build method to use 'client.mk' and '.mozconfig', added instructions to use system-installed NSS/NSPR libraries and added additional configuration information.
[randy] - Changed the default to render SVG graphics in the Firefox instructions.
January 23rd, 2006
[randy] - Updated to Thunderbird-1.5, changed the build method to use 'client.mk' and '.mozconfig', added instructions to use system-installed NSS/NSPR libraries and added additional configuration information.
[randy] - Added information about using system-installed versions of the NSS/NSPR libraries and added additional configuration information to the Firefox instructions.
[randy] - Added new package Network Security Services, NSS-3.11.
January 22nd, 2006
[randy] - Adjusted some dependencies using a patch sent in by Chris Staub.
January 21st, 2006
[bdubbs] - Added the post-3.4.3-kdelibs-kjs.diff security vulnerability patch to the kdelibs instructions.
January 18th, 2006
[randy] - Modified the sed command in the Firefox instructions so that it can be run multiple times, also modified the instructions for creating symlinks to the system-wide mozilla plugin directory.
[randy] - Added a dependency and updated text to the Xine Libraries instructions.
[randy] - Updated to ImageMagick-6.2.5-5.
January 17th, 2006
[tushar] - Modify unzip compilation to enable unzip to unzip files up to 4 GB.
[bdubbs] - Added patch for sudo to clear selected environment variables. Submitted by archaic.
[randy] - Updated to the HTML::TableExtract-2.06 Perl Module and added new modules HTML::Element::Extended and HTML::Tree as dependencies; also more reorganization and singling out of the Perl Modules.
[tushar] - Change lynx installation target to install-full.
[tushar] - Removed obsolete note for zipcloak.
[randy] - Added three new Perl Modules as dependencies of the Digest::SHA module: Devel::Symdump, Pod::Coverage and Test::Pod::Coverage.
January 16th, 2006
[randy] - Updated to the Digest::SHA-5.32 Perl Module and numerous text and dependency corrections/additions in the Perl Modules instructions.
[randy] - Singled out the Text::Diff module in the Perl Modules instructions.
[randy] - Updated to the Module::Signature-0.51 Perl Module and singled it out in the instructions.
[randy] - Added optional dependencies to the Archive::Zip and HTML::Tagset Perl Modules instructions.
[randy] - Updated to the ExtUtils::CBuilder-0.15 and ExtUtils::ParseXS-2.15 Perl Modules.
[randy] - Updated to the YAML-0.50 Perl Module and provided a note in the Module::Build instructions about using an older version of YAML.
[randy] - Updated to the Module::Info-0.30 Perl Module and added new optional dependencies.
January 15th, 2006
[randy] - Replaced the Test::Builder::Tester Perl Module with the Test::Simple-0.62 module.
[randy] - Updated to the Test::Pod-1.22 Perl Module.
[randy] - Updated to the HTML::Tagset-3.10, HTML::Parser-3.48 and Pod::Simple-3.03 Perl Modules.
[randy] - Singled out the Compress::Zlib module in the Perl Modules instructions and updated to the 1.41 version.
January 14th, 2006
[randy] - Added a note to run the test suite and added documentation installation commands to the GnuPG instructions.
January 12th, 2006
[randy] - Updates to the FFmpeg instructions: added a patch and dependency URLs to fix the AMR support and added additional documentation installation commands.
January 11th, 2006
[randy] - Updates to MPlayer: added an x264 patch, added new dependencies, updated the version of the Skins file.
[andy] - Updated to abiword-2.4.2.
January 10th, 2006
[randy] - Fixed broken commands in the XviD instructions.
[randy] - Corrections to the CVS instructions: fixed broken download URLs and corrected documentation installation commands.
January 9th, 2006
[randy] - Updated the MPlayer instructions with the new URL for the LIVE555 Streaming Media web site.
January 8th, 2006
[randy] - Updated to Ethereal-0.10.14.
[randy] - Updated to libmusicbrainz-2.1.2.
[randy] - Minor updates to the Kdegraphics instructions: added new dependencies, added a note about creating the API documentation, added a note about the OCR support, updated the installed programs, libraries and directories list.
January 7th, 2006
[randy] - Removed the Berkeley DB dependency from packages utilizing it as BDB is now built in LFS.
[randy] - Updated to Berkeley DB-4.4.16, added a patch to the Python instructions to support the new BDB, updated the Heimdal instructions to account for the changed library file names.
[randy] - Updated to GIMP-2.2.10.
[andy] - Updated to xvidcore-1.1.0.
January 6th, 2006
[randy] - Updated SANE back ends to 1.0.17 and front ends to 1.0.14.
[randy] - Modified the command to run the libcroco test suite.
January 5th, 2006
[randy] - Updated to Poppler-0.4.3.
[randy] - Updated to giflib-4.1.4.
[randy] - Updated to libexif-0.6.13.
[randy] - Added the CAN-2005-3193 security vulnerability patch to the kdegraphics instructions.
January 4th, 2006
[randy] - Minor additions to the kdebase instructions: added optional dependencies, added a configuration section which includes information about run-time packages, and added installed programs, libraries and directories.
[igor] - Updated to Xpdf-3.01pl1.
January 2nd, 2006
[randy] - Added significant updates to the HAL instructions: updated the dependencies, modified the command that changes the storage device policy, added text and a visual chart to explain the requirements of the hal-device-manager program, added commands to allow for locale specific needs in the storage device policy, and some general text cleanup.
[randy] - Updated the D-BUS instructions to include text that identifies the needs of the HAL package.
December 31st, 2005
[randy] - Added a sed command to the D-Bus instructions to change a 'jar' command to 'fastjar' due to the changes in GCC-4.0.x.
December 30th, 2005
[randy] - Added some optional dependencies to the Kdelibs instructions.
[randy] - Added new package Libidn-0.6.0.
[andy] - Added new package Gaim-1.5.0.
December 29th, 2005
[randy] - Removed libogg and added NAS to the optional dependencies of aRts.
[randy] - Added a caution note to the MC instructions about the UTF-8 related issues.
[randy] - Added a caution note to the UnZip instructions about the locale related issues.
[randy] - Added new section 'Locale Related Issues' to Chapter 2, 'Important Information', thanks to Alexander Patrakov for contributing the text for this page. The page is very incomplete and many more packages with locale related issues will be added.
December 28th, 2005
[randy] - Added new package GOffice-0.1.2.
December 27th, 2005
[randy] - Updated to libgsf-1.13.3.
[randy] - Removed the unneeded 'make' command from the hicolor-icon-theme instructions.
[randy] - Minor cleanup to libgnomeprint dependencies and removed an unneeded switch from the configure command.
[randy] - Minor cleanup to libgnomecups dependencies.
[randy] - Updated to ISO Codes-0.49.
December 26th, 2005
[randy] - Updated to Doxygen-1.4.5.
[randy] - Minor changes to the Qt instructions: fixed HTTP download URL, added test suite notes, modified the configure command to include switches for the recommended dependencies and added appropriate notes about the recommended dependencies.
[randy] - Updated to little cms-1.15.
[randy] - Updated to Sendmail-8.13.5.
[dj] - Added colorls patch to tcsh instructions.
[dj] - Corrected additional recommended and optional dependencies in OpenOffice instructions.
[andy] - Update xine-lib to 1.1.1.
December 25th, 2005
[randy] - Updated to LibMPEG3-1.6.
December 24th, 2005
[randy] - Fixed a syntax error in the configure scripts and simplified the existing sed commands in the Tcl and Tk instructions.
[randy] - Added pkg-config and ALSA Library as required dependencies of the ALSA Plugins package, thanks to Joe Ciccone for pointing out the omission.
[randy] - Fixed GTK+-2 documentation installation commands, thanks to Nico R. for pointing out the breakage.
[randy] - Updated to Firefox-1.5, modified the method used to build it and added a command to fix an anonymous enum in an interface header file.
[dj] - Added GTK+-2 to OpenOffice required dependencies and removed FreeType and OpenLDAP (OpenLDAP is currently broken).
December 23rd, 2005
[andy] - Updated librsvg to 2.12.7.
[andy] - Updated Gnome doc utils to 0.4.4.
December 22nd, 2005
[andy] - Updated XFce to 4.2.3.2.
December 21st, 2005
[archaic] - Removed the obsolete sed in sudo and added a note to use visudo to edit the sudoers file.
December 20th, 2005
[randy] - Commented out the Python and Perl bindings build notes from the Subversion instructions as there is a build failure using current versions of SWIG and (B)LFS packages.
[randy] - Added documentation installation commands to the Guile instructions.
December 19th, 2005
[randy] - Modified the sed command in the OpenSSH instructions to better allow for repeated builds.
[bdubbs] - Updated to nmap-3.95.
[bdubbs] - Added sed to Bind to prevent invalid warnings in the log.
[randy] - Updated to Samba-3.0.20b.
[andy] - Updated to Gnumeric-1.6.1.
December 18th, 2005
[randy] - Updated to ESP Ghostscript-8.15.1.
[bdubbs] - Changed configure instruction in gimp to use recommended dependencies. Added note that the switches to configure need to be changed if the recommended dependencies are not installed.
[bdubbs] - Updated to whois-4.7.10.
[bdubbs] - Updated to KDE-3.5 and kdevelop 3.3.0.
December 17th, 2005
[randy] - Updated to PHP-5.1.1.
December 16th, 2005
[randy] - Updated to Stunnel-4.14.
[randy] - Updated to Ruby-1.8.3.
December 15th, 2005
[randy] - Updated to Aspell-0.60.4.
[randy] - Added a sed command to the FOP instructions which fixes an obsolete tail command in the JAI binary.
[randy] - Updated to Gamin-0.1.7.
[bdubbs] - Removed section on newsserver.
[randy] - Updated to Apache HTTP Server-2.2.0.
December 14th, 2005
[randy] - Updated to OpenLDAP-2.3.11.
[randy] - Updated to PostgreSQL-8.1.1.
December 13th, 2005
[bdubbs] - Update description of LiveCD.
[randy] - Updated to MySQL-5.0.16.
[bdubbs] - Update koffice to version 1.4.2.
[bdubbs] - Removed libungif.
[randy] - Updated to GTK+-2.8.9.
[andy] - Updated to Abiword-2.4.1.
December 11th, 2005
[randy] - Updated to Pango-1.10.2.
[randy] - Updated to GLib-2.8.4.
December 10th, 2005
[randy] - Updated to Heimdal-0.7.1.
December 9th, 2005
[randy] - Fixed command typos in the Gnome Menus and Gnome Volume Manager instructions.
[andy] - Updated Fluxbox to version 0.9.14.
[andy] - Added details of how to create a fluxbox.desktop file to the Fluxbox page.
December 8th, 2005
[bdubbs] - Updated to curl-7.15.1.
December 7th, 2005
[bdubbs] - Added sed to remove incomplete tests from test program in popt.
[bdubbs] - Removed reference to non-existent esound.ps from EsounD-0.2.36.
[bdubbs] - Removed --with-history option from libxml2. Added a caution that the make check command can hang forever under certain conditions with the option.
[bdubbs] - Added Andy Benton to the list of BLFS editors.
[randy] - Added GTK-Doc as a dependency of libxml, thanks to go moko for pointing out the omission.
[randy] - Added Ghostscript as a dependency of Doxygen.
[randy] - Added GNOME Doc Utils as a dependency of Evince, thanks to David Rosal for pointing out the omission.
[randy] - Updated to libvorbis-1.1.2.
[randy] - Updated to libogg-1.1.3.
December 6th, 2005
[dj] - Completed dependencies, removed optional configure parameters and added the no_mozilla (firefox) patch for OpenOffice.
December 3rd, 2005
[randy] - Updated to GCC-4.0.2.
[bdubbs] - Updated to qt-3.3.5.
December 2nd, 2005
[dj] - Updated JDK binary version to 1.5.0_06.
December 1st, 2005
[dj] - Added several fixes to OpenOffice instructions.
November 30th, 2005
[randy] - Updated to xinetd-2.3.14.
[randy] - Added a command to create the logging directory in the GDM instructions, thanks to Vincent Fretin for pointing out the oversight.
[randy] - Updated to PCI Utilities-2.2.1.
[randy] - Updated to Sysstat-6.0.2.
November 29th, 2005
[randy] - Updated to Shadow-4.0.13.
[randy] - Updated to Linux-PAM-0.99.2.0. Note that many of the installation commands have changed.
[dj] - Updated ash patch for use with gcc-4.x.
November 27th, 2005
[randy] - Added an FTP download URL and changed the documentation installation to a versioned directory in the Fontconfig instructions.
[randy] - Added documentation installation and clarified the purpose of the sed command in the FreeType instructions.
November 26th, 2005
[randy] - Added a note to the Lynx instructions that identifies, and shows how to avoid, a security vulnerability.
[randy] - Updated to S-Lang-2.0.5.
[randy] - Updated the text in the Net-tools instructions to reflect the updated version of Coreutils.
November 25th, 2005
[randy] - Updated to OpenSSL-0.9.7i.
[randy] - Updated to pkg-config-0.20.
November 24th, 2005
[randy] - Updated to CrackLib-2.8.6 and modified the installation commands to work with the newer version.
November 23rd, 2005
[bdubbs] - Added sed to sudo to correct a security issue (Archaic). Also added --enable-shell-sets-home switch (Gerard).
November 22nd, 2005
[bdubbs] - Added sudo-1.6.8p12.
[randy] - Updated to HTML Tidy-051026. Also updated the docs to 051020 and changed the documentation directory to a versioned name.
[randy] - Updated to FriBidi-0.10.7.
[randy] - Added DocBook SGML DTD-3.1 as a dependency to perform the tests outlined in the DocBook DSSSL Stylesheets instructions.
[randy] - Updated to Ethereal-0.10.13.
[randy] - Added new package GC-6.5.
November 21st, 2005
[randy] - Updated the Rsync bootscript to remove the --compress parameter, thanks to Jeremy Huntwork for reporting the problem.
[randy] - Added --disable-python to the configure command in the D-BUS instructions to fix a broken build identified by Filip Bartmann.
[randy] - Added --disable-libwrap to the configure command in the Stunnel instructions to fix a broken build identified by Filip Bartmann.
[randy] - Added new package gnome-volume-manager-1.5.1 to the Utilities section of Chapter 31.
[randy] - Modified the libexecdir parameter passed to configure and tweaked the storage device policy in the HAL instructions.
November 19th, 2005
[randy] - Added notes to start a D-BUS session daemon to the D-BUS, GDM and GNOME Configuration instructions.
[dj] - Cleaned up OpenOffice instructions and added a no-pam patch.
November 18th, 2005
[randy] - Added a GCC4 patch to the libvorbis instructions, thanks to Steffen Knollman for discovering the problem and contributing the patch.
[igor] - Updated to rsync-2.6.6.
November 17th, 2005
[randy] - Added new package Sound Juicer-2.12.2 to the Utilities section of Chapter 31.
[dj] - Corrected OpenOffice patch names.
November 15th, 2005
[dj] - Updated to OpenOffice-2.0.0
November 14th, 2005
[randy] - Updated to Balsa-2.3.6.
November 13th, 2005
[randy] - Added several more entries to the 'Other Programming Tools' section. Many thanks to Miguel Bazdresch for his suggestions and other contributions.
November 12th, 2005
[dj] - Updated GCC4 patches for Mozilla projects to include xptinfo.h anonymous enum patch.
November 9th, 2005
[randy] - Updated references to source and md5sum files on the Anduin server due to the Anduin reorganization.
[randy] - Added several more programming languages to the 'Other Programming Tools' section.
November 7th, 2005
[randy] - Added several programming languages to the 'Other Programming Tools' section.
[dj] - Added Archive::Zip to the Perl Modules page.
November 5th, 2005
[dj] - Updated alsa-restore script per Alexander Patrakov's suggestions.
November 4th, 2005
[randy] - Added a patch to the libgsf instructions so that the configure script properly discovers GConf.
November 3rd, 2005
[randy] - Added new package GMime-2.1.17.
November 1st, 2005
[randy] - Added A-A-P, Mono, OProfile, OGDL and R to the 'Other Programming Tools' section.
[randy] - Added new package libmpeg2-0.4.0b.
[randy] - Updated to Transcode-1.0.1.
October 31st, 2005
[randy] - Added new package libmusicbrainz-2.1.1.
October 30th, 2005
[randy] - Added new package Totem-1.2.0.
[dj] - Updated to JDK-1.5.0_05.
October 29th, 2005
[archaic] - Updated to PCI-Utilities-2.2.0.
October 28th, 2005
[igor] - Updated to SDL-1.2.9.
[igor] - Updated to CVS-1.11.21.
October 25th, 2005
[randy] - Added new package Evince-0.4.0 and removed the GPDF package from the GNOME Add-on section.
October 23rd, 2005
[igor] - Updated to MPlayer-1.0pre7try2.
[randy] - Added new package Poppler-0.4.2.
October 21st, 2005
[randy] - Added new package GNOME Keyring Manager-2.12.0.
October 20th, 2005
[randy] - Added new package ISO Codes-0.48.
October 19th, 2005
[randy] - Added new package PyXML-0.8.4.
[randy] - Added category headers to the GNOME Add-on packages Table-of-Contents. Many thanks to Manuel Canales Esparcia for the XML wizardry to make this happen.
October 18th, 2005
[randy] - Added a patch and an additional command to enable the streaming audio method in the GNOME Speech instructions.
[randy] - Updated to GDM-2.8.0.5.
October 17th, 2005
[randy] - Updated to GOK-1.0.5.
[igor] - Updated to HTML Tidy-051013.
[randy] - Updated to Gnopernicus-0.12.0.
[randy] - Updated to GNOME Speech-0.3.8.
October 16th, 2005
[randy] - Updated to GNOME Magnifier-0.12.2; moved the creation of the xextensions.pc file from the GNOME Magnifier to the XFree86 instructions.
[igor] - Updated to PHP-5.0.5.
[randy] - Modified dependencies in the libgtkhtml instructions.
[igor] - Updated to PCRE-6.4.
[igor] - Updated to cURL-7.15.0.
October 15th, 2005
[igor] - Added the gcc4 patch for NTP.
[igor] - Updated to Fcron-3.0.0.
[igor] - Updated to Apache-2.0.55.
[igor] - Updated to Python-2.4.2.
[igor] - Updated to Berkeley DB-4.3.29.
[randy] - Updated to GGV-2.12.0.
[igor] - Updated to Firefox-1.0.7.
[randy] - Updated to AT SPI-1.6.6.
[igor] - Updated to libtiff-3.7.4.
[igor] - Updated to cairo-1.0.2.
[randy] - Updated to Zenity-2.12.1.
[randy] - Updated to GNOME-Netstatus-2.12.0.
October 14th, 2005
[igor] - Updated to libpcap-0.9.4.
[igor] - Updated to Wget-1.10.2.
[randy] - Updated to GNOME System Monitor-2.12.1.
[igor] - Updated to OpenSSL-0.9.7h.
[randy] - Updated to GConf Editor-2.12.0.
[randy] - Updated to File Roller-2.12.1.
[randy] - Updated to EOG-2.12.1.
[randy] - Updated to gedit-2.12.1.
October 13th, 2005
[igor] - Updated Vim security patch.
[randy] - Updated to GNOME Games-2.12.1.
[randy] - Updated to Epiphany-1.8.2.
[randy] - Changed Python from an optional to a recommended dependency in the GNOME Doc Utils dependencies.
October 12th, 2005
[randy] - Updated to gcalctool-5.6.31.
October 11th, 2005
[randy] - Updated to gtksourceview-1.4.2.
[randy] - Updated to bug-buddy-2.12.1.
[randy] - Updated to GnomeMeeting-1.2.2.
[randy] - Updated to GNOME Utilities-2.12.1.
[randy] - Updated to GNOME Media-2.12.0.
[randy] - Updated to Nautilus CD Burner-2.12.1.
[randy] - Updated to Evolution-2.4.1.
October 10th, 2005
[randy] - Updated to GtkHTML-3.8.1.
[randy] - Updated to system-tools-backends-1.4.0.
[randy] - Updated to libgnomeprintui-2.12.1.
[randy] - Updated to libgnomeprint-2.12.1.
[randy] - Updated to libgnomecups-0.2.2.
[randy] - Added GTK+-2 as a required dependency of libgtkhtml.
[randy] - Updated to Evolution Data Server-1.4.1.1.
[randy] - Updated core GNOME packages to the 2.12.1 release of GNOME. GNOME add-on packages are updated only to the release versions. The individual updates to the GNOME add-on packages will be accomplished individually.
October 8th, 2005
[tushar] - Replaced FAM with Gamin.
October 6th, 2005
[randy] - Updated to librsvg-2.12.4.
[dj] - Updated to JDK (source build) 1.5.0_04.
[dj] - Updated to OpenOffice 1.1.5.
October 5th, 2005
[randy] - Updated to Metacity-2.12.1.
[randy] - Updated to libwnck-2.12.1.
[randy] - Updated to GTK+-2.8.6.
[randy] - Updated to Pango-1.10.1.
[randy] - Updated to GLib-2.8.3.
[randy] - Updated to libxml2-2.6.22.
[randy] - Added the --disable-error-on-warning parameter to the GnuCash configure command as using GCC-4.0.x will generate warnings which will break the build if the parameter is not used.
[randy] - Added a patch to the Guile instructions and changed the sed command in the SLIB instructions so that the two packages work nicely together.
October 4th, 2005
[tushar] - Prevent gcc fixincludes from running to match LFS instructions.
[randy] - Added a sed command to the GtkHTML-1 instructions to fix a GCC-4.0.x build problem.
[randy] - Added a GCC-4 patch to the Soup instructions.
[randy] - Added a GCC-4 patch to the Guppi instructions.
[randy] - Added a GCC-4 patch to the GConf-1.0.9 instructions.
[randy] - Added a sed command to the Bonobo-1.4 instructions to fix a GCC-4 build problem.
October 3rd, 2005
[randy] - Added a GCC-4 patch to the GNOME Libraries-1.4 instructions.
[randy] - Clarified the dependencies in the Imlib instructions.
[randy] - Updated to AbiWord-2.2.10.
October 1st, 2005
[randy] - Added new package HAL-0.5.4.
September 26th, 2005
[randy] - Added new package D-BUS-0.50.
September 25th, 2005
[randy] - Added a patch to fix a build problem with newer versions of libgsf and added a sed command so the default is to build the Perl plugin module to the Gnumeric instructions.
September 22nd, 2005
[dj] - Updated JDK-1.5.0 gcc4 patch.
September 21st, 2005
[randy] - Updated to Samba-3.0.20.
[bdubbs] - Reverted gcc build instructions.
[randy] - Updated to EsounD-0.2.36.
[randy] - Updated to Metacity-2.12.0.
[randy] - Updated to Libwnck-2.12.0.
September 20th, 2005
[david] - Added a sed to build Cdrdao-1.2.0 with gcc-4.0.1.
[randy] - Updated to GTK+-2.8.3.
[randy] - Updated to ATK-1.10.3.
[randy] - Updated to Pango-1.10.0.
[randy] - Updated to GLib-2.8.1.
[randy] - Added a command to create an X Render pkg-config file to the XFree86 instructions. Also created notes in the Metacity and cairo instructions to ensure this file exists.
[randy] - Added new package cairo-1.0.0.
[bdubbs] - Changed gcc build instructions to use a simple make. Added a note to use make bootstrap if the base compiler is not gcc-4.0.1.
September 19th, 2005
[bdubbs] - Added a patch to build mozilla with gcc-4.0.1.
[randy] - Updated to gucharmap-1.4.4.
[randy] - Updated to GST-Plugins-0.8.11.
[richard] - Added a sed to fix the build of the test suite for cpio-2.6 when using gcc-4.0.1. Suggested by Matthew Burgess.
September 18th, 2005
[randy] - Updated to Xine User Interface-0.99.4.
[randy] - Updated to Xine Libraries-1.1.0.
[richard] - Updated to bluefish-1.0.4.
September 17th, 2005
[randy] - Added an alternate installation location for the shared library interface headers to the AFPL Ghostscript and ESP Ghostscript instructions.
[randy] - Updated to ImageMagick-6.2.4-5.
[randy] - Updated the Business::ISBN Perl module to 1.82.
[randy] - Updated the Test::Prereq Perl module to 1.028.
[randy] - Updated the Module::Signature Perl module to 0.50.
[randy] - Updated the Digest::SHA Perl module to 5.31.
[randy] - Updated the ExtUtils::ParseXS Perl module to 2.12.
[randy] - Updated the ExtUtils::CBuilder Perl module to 0.13.
[randy] - Updated the Archive::Tar Perl module to 1.26, added new Perl modules Text::Diff and Algorithm::Diff.
[randy] - Updated the Compress::Zlib Perl module to 1.38.
September 15th, 2005
[randy] - Updated to SANE-backends-1.0.16.
[randy] - Updated to the 0.9 version of the Gimp Help system, added a GCC-4 patch to the Gimp instructions.
[randy] - Updated to librsvg-2.11.1.
September 14th, 2005
[randy] - Removed redundant GTK+-2 dependency from the libgnomeprintui instructions.
[randy] - Updated to libgsf-1.12.3.
[randy] - Added documentation installation commands and corrected the note about the test suite in the libcroco instructions.
September 13th, 2005
[randy] - Added commands to the CVS instructions to create and install additional documentation.
[randy] - Updated to GStreamer-0.8.11 and adjusted the documentation files chown command to only run if the docs were built and installed.
September 12th, 2005
[tushar] - Moved creation of mad.pc to libmad section.
[randy] - Updated to VTE-0.11.15.
[randy] - Corrected the GNOME-1.4 OMF directory in the ScrollKeeper instructions.
[randy] - Updated to GCC-4.0.1.
September 11th, 2005
[randy] - Minor corrections to the XSL Stylesheets instructions, suggested by Manuel Canales Esparcia.
September 10th, 2005
[randy] - Added a note to the Tcl and Tk instructions to ensure the environment variables are properly set.
[randy] - Added a GCC-4 patch to the Xorg instructions.
[randy] - Updated to DocBook XSL Stylesheets-1.69.1.
[igor] - Updated to RP-PPPoE-3.6.
[dj] - Added a GCC-4 patch and updated 'fixed_paths' patch in JDK source build instructions.
[dj] - Added new Udev rules file for ALSA devices.
[dj] - Updated volume restore script for use with Udev versions greater than 058.
September 9th, 2005
[randy] - Added a GCC-4 patch to the libexif instructions.
[randy] - Added a GCC-4 patch to the Avifile instructions.
[randy] - Added a GCC-4 patch to the FFmpeg instructions.
[randy] - Added a GCC-4 patch to the MPlayer instructions.
[randy] - Added a GCC-4 patch to the Xvid instructions.
[randy] - Added a GCC-4 patch to the SDL instructions.
[randy] - Added a GCC-4 patch to the Firefox instructions.
[randy] - Added a GCC-4 patch to the Thunderbird instructions.
[randy] - Added a GCC-4 patch to the XMMS instructions.
[randy] - Added a GCC-4 patch to the Qt instructions.
[randy] - Added a GCC-4 patch and documentation installation commands to the NAS instructions.
[randy] - Added a GCC-4 patch to the Cyrus-SASL instructions.
[randy] - Added a GCC-4 patch to the Guile instructions.
[randy] - Replaced the Kernel_Headers patch with a GCC-4 patch in the Inetutils instructions.
[randy] - Added a GCC-4 patch to the xinetd instructions.
[randy] - Added a GCC-4 patch to the Linux-PAM instructions.
[randy] - Updated to intltool-0.34.1.
[randy] - Updated to libsoup-2.2.6.1.
September 8th, 2005
[randy] - Added a sed command to the libxklavier instructions to fix a GCC-4.x build problem.
[randy] - Updated to libxslt-1.1.15.
[randy] - Updated to libxml2-2.6.21.
September 7th, 2005
[richard] - Updated to XScreenSaver-4.22.
September 6th, 2005
[richard] - Added patch to GnuPG-1.4.2 as required by release notes.
[randy] - Updated to libIDL-0.8.6. Also added documentation installation commands to the instructions.
September 5th, 2005
[randy] - Updated to Subversion-1.2.3
September 4th, 2005
[randy] - Updated to OpenSSH-4.2p1. Also added some documentation installation commands to the instructions.
September 3rd, 2005
[randy] - Updated to HTML Tidy-050826.
[randy] - Updated to cURL-7.14.1.
September 2nd, 2005
[randy] - Added commands to the Heimdal instructions to preserve and restore some overwritten interface headers and libraries. Also listed the dependencies in a more accurate manner.
[randy] - Updated to MySQL-4.1.14.
[randy] - Fixed some broken commands in the TeX instructions.
September 1st, 2005
[randy] - Added documentation installation commands to the ALSA Libraries instructions.
August 31st, 2005
[randy] - Updated to Shadow-4.0.12.
[randy] - Updated to Wget-1.10.1.
August 30th, 2005
[bdubbs] - Updated to Mozilla-1.7.11.
[randy] - Removed obsolete dependencies from the LZO instructions.
August 29th, 2005
[bdubbs] - Updated to KDE-3.4.2. Added notes about the location of configuration files. Updated optional dependencies.
[richard] - Added definition of dependency terms to Notes on Building Software.
August 28th, 2005
[randy] - Added documentation installation commands to the Xvid instructions.
[randy] - Added documentation installation commands to the libdv instructions.
[randy] - Updated to whois-4.7.6.
[randy] - Updated to libdvdcss-1.2.9.
[randy] - Added a patch to fix the XMMS plugin and added a sed command to fix the Valgrind testing in the FLAC instructions.
August 27th, 2005
[randy] - Added a patch to fix the test suite in the id3lib instructions.
[randy] - Updated the GCC patch and provided documentation installation commands to the libmpeg3 instructions.
August 26th, 2005
[randy] - Added fixes to the Thunderbird instructions: 1) the Movemail and RSS & Blogs account setup options are now available 2) modified the Enigmail setup so that it actually works 3) fixed the profile locking problem 4) made it so that if a mailto: URL is clicked, a message compose window is opened with the To: field filled out.
August 25th, 2005
[randy] - Added a command to the Firefox instructions to fix the profile locking problem and an optional command to open a new tab in an existing browser window, both suggested by Kevin Somervill. Thanks to Dan Nicholson for the reminder about Kevin's suggestions.
August 24th, 2005
[randy] - Modified SLIB instructions to use teTeX instead of Lynx to create the text documentation.
August 22nd, 2005
[randy] - Fixed chmod commands in GDM instructions, thanks to Hugo Villeneuve for pointing it out.
[randy] - Updated to Xpdf-3.01
[randy] - Updated to SLIB-3a2
August 21st, 2005
[randy] - Modifications to XMMS instructions: remove libogg as a dependency, added commands to install documentation and added an FTP download URL.
[richard] - Updated to Leafnode-1.11.3.
August 20th, 2005
[randy] - Added a new package, unixODBC-2.2.11 to BLFS.
[randy] - Renamed the FOP patch to adhere with the naming standards.
[randy] - Updated to GnuPG-1.4.2.
[randy] - Updated to GCC-3.4.4, modified the command to create the ffitarget.h interface header in /usr/include.
August 19th, 2005
[dj] - Updated dev.d scripts and surrounding text in alsa-utils.
[randy] - Updated to Sysstat-6.0.1.
[randy] - Updated to Apache Ant-1.6.5.
[randy] - Updated to Nail-11.25.
[randy] - Updated to Subversion-1.2.1.
[bdubbs] - Updated to KOffice-1.4.1.
August 17th, 2005
[randy] - Updated to GCC-3.3.6.
[randy] - Updated to Doxygen-1.4.4.
August 16th, 2005
[bdubbs] - Added instructions for cm-super fonts to TeX.
[randy] - Added additional parameters to the configure command and added a note to run the test suite to the Gimp-Print instructions.
[dj] - Updated cups bootscript installation to remove existing scripts and changed note to show that CUPS should be started after Samba.
August 15th, 2005
[randy] - Added a patch and a note about running the test suite to the CUPS instructions.
August 14th, 2005
[randy] - Updates to PHP: added new dependencies, placed the dependencies in categories, added instructions to install documentation, added instruction to update php.ini and minor textual corrections.
[randy] - Updated to GTK-Doc-1.4.
[randy] - Updated to HTML Tidy-050803.
[randy] - Updated to Shadow-4.0.11.1.
[randy] - Added a configure switch to OpenLDAP to create the executables dynamically linked to the libraries.
[randy] - Added documentation installation commands to the GTK+ (version 1) instructions.
August 13th, 2005
[larry] - Add a warning to MIT KRB5 concerning the use of login.krb5 as a substitute for login.
[randy] - Updated to OpenLDAP-2.2.6 stable version; also added dependencies and configuration explanation.
August 12th, 2005
[randy] - Added a command to the PostgreSQL instructions to fix broken ownership of installed files.
August 11th, 2005
[randy] - Updated the JDK binary version to 1.5.0_04.
[randy] - Added sharutils as an optional dependency of Berkeley DB.
[randy] - Applied a patch contributed by stirling to fix many broken download URLs.
[randy] - Added a new section "Other Programming Tools" to Chapter 12 - Programming.
August 10th, 2005
[randy] - Added style information files and documentation installation commands to the JadeTeX instructions.
August 9th, 2005
[randy] - Modified the CrackLib instructions to include an alternate source for word lists, how to incorporate additional word lists, and added additional text contributed by Alexander Patrakov.
[dj] - Added default PATH for pam_env and a note about the lack of ENV_SUPATH.
August 8th, 2005
[randy] - Modified documentation installation in the Fontconfig instructions.
[randy] - Modified the Shadow instructions so that builders will not receive configuration errors during the testing recommended by the warning note.
[randy] - Added instructions to install a patch to Ruby that fixes a security vulnerability, thanks to Ken Moffat for the suggestion.
[randy] - Added instructions to install a patch to NASM that fixes a security vulnerability, thanks to Ken Moffat for the suggestion.
[randy] - Added documentation installation commands to the expat instructions.
August 7th, 2005
[randy] - Removed building the MPFR library from the GMP instructions.
August 6th, 2005
[larry] - Added dictionary file to MIT Kerberos setup and made adjustments for PAM.
[randy] - Updated to S-Lang-2.0.4.
August 5th, 2005
[randy] - Updated to Wget-1.10.
[randy] - Updated to PCRE-6.2.
August 1st, 2005
[bdubbs] - Released Version 6.1-pre1.
The linuxfromscratch.org server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.
For more information regarding which lists are available, how to subscribe to them, archive locations, etc., visit http://www.linuxfromscratch.org/mail.html.
The BLFS Project has created a Wiki for users to comment on pages and instructions at http://wiki.linuxfromscratch.org/blfs/wiki. Comments are welcome from all users.
The following are the rules for posting:
Users must register and log in to edit a page.
Suggestions to change the book should be made by creating a new ticket, not by making comments in the Wiki.
Questions with your specific installation problems should be made by subscribing and mailing to the BLFS Support Mailing List at mailto:blfs-support@linuxfromscratch.org.
Discussions of build instructions should be made by subscribing and mailing to the BLFS Development List at mailto:blfs-dev@linuxfromscratch.org.
Inappropriate material will be removed.
If you encounter a problem while using this book, and your problem is not listed in the FAQ (http://www.linuxfromscratch.org/faq), you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.
Before asking for help, you should review the following items:
Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modprobe.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the sys.log file or run modprobe <driver> to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.
Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -G audio <user> may be all that's necessary for that user to have access to the sound system. Any question that starts out with “It works as root, but not as ...” requires a thorough review of permissions prior to asking.
BLFS liberally uses /opt/<package>. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called “Going Beyond BLFS” is available to help you check.
Apart from a brief explanation of the problem you're having, the essential things to include in your request are:
the version of the book you are using (being 6.2.0),
the package or section giving you problems,
the exact error message or symptom you are receiving,
whether you have deviated from the book or LFS at all,
if you are installing a BLFS package on a non-LFS system.
(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)
Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research was done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.
An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at http://www.catb.org/~esr/faqs/smart-questions.html. Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.
Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.
The current BLFS maintainer is Randy McMurchy. If you need to reach Randy, send an email to randy AT linuxfromscratch D0T org.
This chapter is used to explain some of the policies used throughout the book, to introduce important concepts and to explain some issues you may see with some of the included packages.
Those people who have built an LFS system may be aware of the general principles of downloading and unpacking software. We will however repeat some of that information here for those new to building their own software.
Each set of installation instructions contains a URL from which you can download the package. We do however keep a selection of patches available via HTTP. These are referenced as needed in the installation instructions.
While you can keep the source files anywhere you like, we assume that you have unpacked the package and changed into the directory created by the unpacking process (the 'build' directory). We also assume you have uncompressed any required patches and they are in the directory immediately above the 'build' directory.
We cannot emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error during configuration or compilation, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.
The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.
If a file is in .tar format and compressed, it is unpacked by running one of the following commands:
tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2
You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.
You can also use a slightly different method:
bzcat filename.tar.bz2 | tar -xv
Finally, you sometimes need to be able to unpack patches which are generally not in .tar format. The best way to do this is to copy the patch file to the parent of the 'build' directory and then run one of the following commands depending on whether the file is a .gz or .bz2 file:
gunzip -v patchname.gz
bunzip2 -v patchname.bz2
Generally, to verify that the downloaded file is genuine and complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:
md5sum -c file.md5sum
If there are any errors, they will be reported. Note that the BLFS book includes md5sums for all the source files also. To use the BLFS supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternately, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.
md5sum <name_of_downloaded_file>
For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace <command> with the command you intend to execute.
( <command> 2>&1 | tee compile.log && exit $PIPESTATUS )
2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the <command> is returned as the result and not the result of the tee command.
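Why the exit $PIPESTATUS part matters in an automated build, as an added example that is not part of the BLFS book: the same failing step is run through the book's idiom and through a bare pipe to tee, and the two exit statuses are compared. The helper names run_logged, run_logged_naive and log_status_demo are hypothetical, and the failing step is constructed.

```shell
#!/bin/sh
# Added example (not from the BLFS book). Helper names are hypothetical.

# The book's idiom wrapped in a function.
# usage: run_logged <logfile> <command> [args...]
# PIPESTATUS is a Bash array, so Bash is invoked explicitly. In a plain
# POSIX sh the variable is empty and "exit" would return tee's status.
# ${PIPESTATUS[0]} is the same value the book writes as $PIPESTATUS.
run_logged() {
    rl_log=$1
    shift
    bash -c '( "$@" 2>&1 | tee "$0" && exit "${PIPESTATUS[0]}" )' "$rl_log" "$@"
}

# The same pipeline without the status hand-off: the pipeline's exit
# status is that of tee, which succeeds even when the build step fails.
run_logged_naive() {
    rn_log=$1
    shift
    "$@" 2>&1 | tee "$rn_log"
}

# Run a constructed failing build step (exit status 3, one line on
# stdout, one on stderr) both ways and report what a calling script sees.
log_status_demo() {
    ld_dir=$(mktemp -d) || return 1
    ld_step='echo compiling; echo "error: something broke" >&2; exit 3'

    ld_book=0
    run_logged "$ld_dir/book.log" sh -c "$ld_step" >/dev/null || ld_book=$?

    ld_naive=0
    run_logged_naive "$ld_dir/naive.log" sh -c "$ld_step" >/dev/null || ld_naive=$?

    # 2>&1 sends the error message into the log as well.
    ld_logged=no
    grep -q 'something broke' "$ld_dir/book.log" && ld_logged=yes

    rm -rf "$ld_dir"
    echo "book=$ld_book naive=$ld_naive stderr_logged=$ld_logged"
}

log_status_demo
```

With the bare pipe, a script that chains steps with && or runs under set -e carries on to the install step after a failed compile, because the failure never reaches it.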
There are times when automating the building of a package can come in handy. Everyone has their own reasons for wanting to automate building, and everyone goes about it in their own way. Creating Makefiles, Bash scripts, Perl scripts or simply a list of commands used to cut and paste are just some of the methods you can use to automate building BLFS packages. Detailing how and providing examples of the many ways you can automate the building of packages is beyond the scope of this section. This section will expose you to using file redirection and the yes command to help provide ideas on how to automate your builds.
You will find times throughout your BLFS journey when you will come across a package that has a command prompting you for information. This information might be configuration details, a directory path, or a response to a license agreement. This can present a challenge to automate the building of that package. Occasionally, you will be prompted for different information in a series of questions. One method to automate this type of scenario requires putting the desired responses in a file and using redirection so that the program uses the data in the file as the answers to the questions.
Building the CUPS package is a good example of how redirecting a file as input to prompts can help you automate the build. If you run the test suite, you are asked to respond to a series of questions regarding the type of test to run and if you have any auxiliary programs the test can use. You can create a file with your responses, one response per line, and use a command similar to the one shown below to automate running the test suite:
make check < ../cups-1.1.23-testsuite_parms
This effectively makes the test suite use the responses in the file as the input to the questions. Occasionally you may end up doing a bit of trial and error determining the exact format of your input file for some things, but once figured out and documented you can use this to automate building the package.
Sometimes you will only need to provide one response, or provide the same response to many prompts. For these instances, the yes command works really well. The yes command can be used to provide a response (the same one) to one or more instances of questions. It can be used to simulate pressing just the Enter key, entering the Y key or entering a string of text. Perhaps the easiest way to show its use is in an example.
First, create a short Bash script by entering the following commands:
cat > blfs-yes-test1 << "EOF"
#!/bin/bash

echo -n -e "\n\nPlease type something (or nothing) and press Enter ---> "

read A_STRING

if test "$A_STRING" = ""; then A_STRING="Just the Enter key was pressed"
else A_STRING="You entered '$A_STRING'"
fi

echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test1
Now run the script by issuing ./blfs-yes-test1 from the command line. It will wait for a response, which can be anything (or nothing) followed by the Enter key. After entering something, the result will be echoed to the screen. Now use the yes command to automate the entering of a response:
yes | ./blfs-yes-test1
Notice that piping yes by itself to the script results in y being passed to the script. Now try it with a string of text:
yes 'This is some text' | ./blfs-yes-test1
The exact string was used as the response to the script. Finally, try it using an empty (null) string:
yes '' | ./blfs-yes-test1
Notice this results in passing just the press of the Enter key to the script. This is useful for times when the default answer to the prompt is sufficient. This syntax is used in the Net-tools instructions to accept all the defaults to the many prompts during the configuration step. You may now remove the test script, if desired.
Automating the building of some packages, especially those that require you to read a license agreement one page at a time, requires using a method that avoids having to press a key to display each page. Redirecting the output to a file can be used in these instances to assist with the automation. The previous section on this page touched on creating log files of the build output. The redirection method shown there used the tee command to redirect output to a file while also displaying the output to the screen. Here, the output will only be sent to a file.
Again, the easiest way to demonstrate the technique is to show an example. First, issue the command:
ls -l /usr/bin | more
Of course, you'll be required to view the output one page at a time because the more filter was used. Now try the same command, but this time redirect the output to a file. The special file /dev/null can be used instead of the filename shown, but you will have no log file to examine:
ls -l /usr/bin | more > redirect_test.log 2>&1
Notice that this time the command immediately returned to the shell prompt without having to page through the output. You may now remove the log file.
The last example will use the yes command in combination with output redirection to bypass having to page through the output and then provide a y to a prompt. This technique could be used in instances when otherwise you would have to page through the output of a file (such as a license agreement) and then answer the question of “do you accept the above?”. For this example, another short Bash script is required:
cat > blfs-yes-test2 << "EOF"
#!/bin/bash
ls -l /usr/bin | more
echo -n -e "\n\nDid you enjoy reading this? (y,n) "
read A_STRING
if test "$A_STRING" = "y"; then
    A_STRING="You entered the 'y' key"
else
    A_STRING="You did NOT enter the 'y' key"
fi
echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test2
This script can be used to simulate a program that requires you to read a license agreement, then respond appropriately to accept the agreement before the program will install anything. First, run the script without any automation techniques by issuing ./blfs-yes-test2.
Now issue the following command which uses two automation techniques, making it suitable for use in an automated build script:
yes | ./blfs-yes-test2 > blfs-yes-test2.log 2>&1
If desired, issue tail blfs-yes-test2.log to see the end of the paged output, and confirmation that y was passed through to the script. Once satisfied that it works as it should, you may remove the script and log file.
Finally, keep in mind that there are many ways to automate and/or script the build commands. There is not a single “correct” way to do it. Your imagination is the only limit.
For each package described, BLFS lists the known dependencies. These are listed under several headings, whose meaning is as follows:
Required means that the target package cannot be correctly built without the dependency having first been installed.
Recommended means that BLFS strongly suggests this package is installed first for a clean and trouble-free build, that won't have issues either during the build process, or at run-time.
Optional means that this package might be installed for added functionality. Often BLFS will describe the dependency to explain the added functionality that will result.
Should I install XXX in /usr or /usr/local?
This is a question without an obvious answer for an LFS based system.
In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.
With Linux distributions like Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.
LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.
On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.
On a network of several computers all running an identical LFS system, /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.
Even on a single computer, /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.
Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.
Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?
There is nothing stopping you, and many sites do make their own trees. However, it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file an installer is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.
What is the BLFS position on this?
All of the BLFS instructions install programs in /usr with optional instructions to install into /opt for some specific packages.
As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that meet one of the following criteria:
Fixes a compilation problem.
Fixes a security problem.
Fixes broken functionality.
In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.
The BLFS Bootscripts package contains the init scripts that are used throughout the book. It is assumed that you will be using the BLFS Bootscripts package in conjunction with a compatible LFS-Bootscripts package. Refer to ../../../../lfs/view/6.2/chapter07/bootscripts.html for more information on the LFS-Bootscripts package.
Package Information
The BLFS Bootscripts package will be used throughout the BLFS book for startup scripts. Unlike LFS, each init script has a separate install target in the BLFS Bootscripts package. It is recommended you keep the package source directory around until completion of your BLFS system. When a script is requested from BLFS Bootscripts, simply change to the directory and as the root user, execute the given make install-<init-script> command. This command installs the init script to its proper location (along with any auxiliary configuration scripts) and also creates the appropriate symlinks to start and stop the service at the appropriate run-level.
It is advisable to peruse each bootscript before installation to ascertain that it satisfies your needs. Also verify that the start and stop symlinks it creates match your preferences.
This page contains information about locale related problems and issues. In the following paragraphs you'll find a generic overview of things that can come up when configuring your system for various locales. Many (but not all) existing locale related problems can be classified and fall under one of the headings below. The severity ratings below use the following criteria:
Critical: The program doesn't perform its main function. The fix would be very intrusive, it's better to search for a replacement.
High: Part of the functionality that the program provides is not usable. If that functionality is required, it's better to search for a replacement.
Low: The program works in all typical use cases, but lacks some functionality normally provided by its equivalents.
If there is a known workaround for a specific package, it will appear on that package's page. For the most recent information about locale related issues for individual packages, check the User Notes in the BLFS Wiki.
Severity: Critical
Some programs require the user to specify the character encoding for their input or output data and present only a limited choice of encodings. This is the case for the -X option in a2ps-4.13b and Enscript-1.6.4, the -input-charset option in unpatched Cdrtools-2.01, and the character sets offered for display in the menu of Links-2.1pre23. If the required encoding is not in the list, the program usually becomes completely unusable. For non-interactive programs, it may be possible to work around this by converting the document to a supported input character set before submitting to the program.
A solution to this type of problem is to implement the necessary support for the missing encoding as a patch to the original program (as done for Cdrtools-2.01 in this book), or to find a replacement.
Severity: High for non-text documents, low for text documents
Some programs, nano-2.0.1 or JOE-3.5 for example, assume that documents are always in the encoding implied by the current locale. While this assumption may be valid for the user-created documents, it is not safe for external ones. When this assumption fails, non-ASCII characters are displayed incorrectly, and the document may become unreadable.
If the external document is entirely text based, it can be converted to the current locale encoding using the iconv program.
For documents that are not text-based, this is not possible. In fact, the assumption made in the program may be completely invalid for documents where the Microsoft Windows operating system has set de facto standards. An example of this problem is ID3v1 tags in MP3 files (see the BLFS Wiki ID3v1Coding page for more details). For these cases, the only solution is to find a replacement program that doesn't have the issue (e.g., one that will allow you to specify the assumed document encoding).
Among BLFS packages, this problem applies to nano-2.0.1, JOE-3.5, and all media players except audacious-1.0.0.
Another problem in this category is when someone cannot read the documents you've sent them because their operating system is set up to handle character encodings differently. This can happen often when the other person is using Microsoft Windows, which only provides one character encoding for a given country. For example, this causes problems with UTF-8 encoded TeX documents created in Linux. On Windows, most applications will assume that these documents have been created using the default Windows 8-bit encoding. See the teTeX Wiki page for more details.
In extreme cases, Windows encoding compatibility issues may be solved only by running Windows programs under Wine.
Severity: Critical
The POSIX standard mandates that the filename encoding is the encoding implied by the current LC_CTYPE locale category. This information is well-hidden on the page which specifies the behavior of Tar and Cpio programs. Some programs get it wrong by default (or simply don't have enough information to get it right). The result is that they create filenames which are not subsequently shown correctly by ls, or they refuse to accept filenames that ls shows properly. For the GLib-2.10.3 library, the problem can be corrected by setting the G_FILENAME_ENCODING environment variable to the special "@locale" value. Glib2 based programs that don't respect that environment variable are buggy.
Zip-2.32, UnZip-5.52, and Nautilus CD Burner-2.14.3 have this problem because they hard-code the expected filename encoding. UnZip contains a hard-coded conversion table between the CP850 (DOS) and ISO-8859-1 (UNIX) encodings and uses this table when extracting archives created under DOS or Microsoft Windows. However, this assumption only works for those in the US and not for anyone using a UTF-8 locale. Non-ASCII characters will be mangled in the extracted filenames.
On the other hand, Nautilus CD Burner checks names of files added to its window for UTF-8 validity. This is wrong for users of non-UTF-8 locales. Also, Nautilus CD Burner unconditionally calls mkisofs with the -input-charset UTF-8 parameter, which is only correct in UTF-8 locales.
The general rule for avoiding this class of problems is to avoid installing broken programs. If this is impossible, the convmv command-line tool can be used to fix filenames created by these broken programs, or intentionally mangle the existing filenames to meet the broken expectations of such programs.
In other cases, a similar problem is caused by importing filenames from a system using a different locale with a tool that is not locale-aware (e.g., NFS Utilities-1.0.10 or OpenSSH-4.5p1). In order to avoid mangling non-ASCII characters when transferring files to a system with a different locale, any of the following methods can be used:
Transfer anyway, fix the damage with convmv.
On the sending side, create a tar archive with the --format=posix switch passed to tar (this will be the default in a future version of tar).
Mail the files as attachments. Mail clients specify the encoding of attached filenames.
Write the files to a removable disk formatted with a FAT or FAT32 filesystem.
Transfer the files using Samba.
Transfer the files via FTP using an RFC2640-aware server (this currently means only wu-ftpd, which has a bad security history) and client (e.g., lftp).
The last four methods work because the filenames are automatically converted from the sender's locale to UNICODE and stored or sent in this form. They are then transparently converted from UNICODE to the recipient's locale encoding.
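Before reaching for convmv, it helps to know which names are actually affected. The following is an added example (not part of the BLFS book) that lists every path whose final component is not a valid byte sequence in a given encoding, using an iconv round trip; the function name invalid_names and its arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the BLFS book.
#
# invalid_names DIR [ENCODING]
#   Print every path under DIR whose last component is not a valid byte
#   sequence in ENCODING (default UTF-8). Returns 1 if any were found,
#   0 if none, 2 if DIR is not a directory.
invalid_names() {
    dir=$1
    enc=${2:-UTF-8}

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    bad=$(
        find "$dir" -exec sh -c '
            enc=$1
            shift
            for path in "$@"; do
                name=${path##*/}
                printf "%s" "$name" |
                    iconv -f "$enc" -t "$enc" >/dev/null 2>&1 ||
                    printf "%s\n" "$path"
            done
        ' sh "$enc" {} + | LC_ALL=C sort
    )

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

In a UTF-8 locale, the paths it prints are the ones ls will not show correctly and are the candidates for renaming with convmv.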
Severity: High or critical
Many programs were written in an older era where multibyte locales were not common. Such programs assume that the C "char" data type, which is one byte, can be used to store single characters. Further, they assume that any sequence of characters is a valid string and that every character occupies a single character cell. Such assumptions completely break in UTF-8 locales. The visible manifestation is that the program truncates strings prematurely (i.e., at 80 bytes instead of 80 characters). Terminal-based programs don't place the cursor correctly on the screen, don't react to the "Backspace" key by erasing one character, and leave junk characters around when updating the screen, usually turning the screen into a complete mess.
Fixing this kind of problem is a tedious task from a programmer's point of view, like all other cases of retrofitting new concepts into an old flawed design. In this case, one has to redesign all data structures to accommodate the fact that a complete character may span a variable number of "char"s (or switch to wchar_t and convert as needed). Also, for every call to "strlen" and similar functions, one has to find out whether a number of bytes, a number of characters, or the width of the string was really meant. Sometimes it is faster to write a program with the same functionality from scratch.
Among BLFS packages, this problem applies to Ed-0.2, xine User Interface-0.99.4 and all shells.
Severity: Low
LFS expects that manual pages are in the language-specific (usually 8-bit) encoding, as specified on the LFS Man DB page. However, some packages install translated manual pages in UTF-8 encoding (e.g., Shadow, already dealt with), or manual pages in languages not in the table. Not all BLFS packages have been audited for conformance with the requirements put in LFS (the large majority have been checked, and fixes placed in the book for packages known to install non-conforming manual pages). If you find a manual page installed by any of the BLFS packages that is obviously in the wrong encoding, please remove or convert it as needed, and report this to the BLFS team as a bug.
You can easily check your system for any non-conforming manual pages by copying the following short shell script to some accessible location,
#!/bin/sh
# Begin checkman.sh
# Usage: find /usr/share/man -type f | xargs checkman.sh
for a in "$@"
do
    # echo "Checking $a..."
    # Pure-ASCII manual page (possibly except comments) is OK
    grep -v '.\\"' "$a" | iconv -f US-ASCII -t US-ASCII >/dev/null 2>&1 && continue
    # Non-UTF-8 manual page is OK
    iconv -f UTF-8 -t UTF-8 "$a" >/dev/null 2>&1 || continue
    # If we got here, we found UTF-8 manual page, bad.
    echo "UTF-8 manual page: $a" >&2
done
# End checkman.sh
and then issuing the following command (modify the command below if the checkman.sh script is not in your PATH environment variable):
find /usr/share/man -type f | xargs checkman.sh
Note that if you have manual pages installed in any location other than /usr/share/man (e.g., /usr/local/share/man), you must modify the above command to include this additional location.
The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.
When you want to install a package to a location other than /, or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.
Expand the PATH to include $PREFIX/bin.
Expand the PATH for root to include $PREFIX/sbin.
Add $PREFIX/lib to /etc/ld.so.conf or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out http://xahlee.org/UnixResource_dir/_/ldpath.html. If you modify /etc/ld.so.conf, remember to update /etc/ld.so.cache by executing ldconfig as the root user.
Add $PREFIX/man to /etc/man_db.conf or expand MANPATH.
Add $PREFIX/info to INFOPATH.
Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH. Some packages are now installing .pc files in $PREFIX/share/pkgconfig, so you may have to include this directory also.
Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.
If you are in search of a package that is not in the book, the following are different ways you can search for the desired package.
If you know the name of the package, then search FreshMeat for it at http://freshmeat.net/. Also search Google at http://google.com/. Sometimes a search for the rpm at http://rpmfind.net/ or the deb at http://www.debian.org/distrib/packages#search_packages can also lead to a link to the package.
If you know the name of the executable, but not the package that the executable belongs to, first try a Google search with the name of the executable. If the results are overwhelming, try searching for the given executable in the Debian repository at http://www.debian.org/distrib/packages#search_contents.
Some general hints on handling new packages:
Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.
Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.
If you are having a problem compiling the package, try searching the LFS archives at http://search.linuxfromscratch.org/ for the error or if that fails, try searching Google. If everything else fails, try the blfs-support mailing-list.
If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz that are available at http://downloads.linuxfromscratch.org/deb2targz.tar.bz2 and http://downloads.linuxfromscratch.org/rpm2targz.tar.bz2 to convert the archives into a simple tar.gz format.
The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.
Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.
The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Then the system is configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.
The remaining topics, Customizing your Logon with /etc/issue, The /etc/shells File, Random number generation, Compressing man and info pages, autofs-4.1.4, and Configuring for Network Filesystems are then addressed, in that order. They don't have much interaction with the other topics in this chapter.
This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevent it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.
In a modern system, there are many devices that can be used as a rescue device: floppy, cdrom, usb drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, we usually thought of a rescue device as a floppy disk. Today, many systems do not even have a floppy drive.
Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.
The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at http://www.toms.net/rb/. This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.
There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Mandrake, and SuSE. One very popular option is Knoppix.
Also, the LFS Community has developed its own LiveCD available at http://www.linuxfromscratch.org/livecd/. This LiveCD, in addition to having boot and rescue capabilities, is capable of building an entire LFS/BLFS system. A copy of this CD-ROM is available with the printed version of the Linux From Scratch book. If you download the ISO image, use cdrecord to copy the image to a CD-ROM.
A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/CreatingaCustomBootDevice
Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.
The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.
The useradd program uses a collection of default values kept in /etc/default/useradd, if it exists. If this file does not exist, then it uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.
To change these values to something new, create a base /etc/default/useradd file as the root user with the same values as the output of /usr/sbin/useradd -D. Here is a sample:
# Begin /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=
SKEL=/etc/skel
# End /etc/default/useradd
The only thing missing from the file is a default shell. Add that by running the following command as the root user:
/usr/sbin/useradd -D -s/bin/bash
This will set the SHELL= line to SHELL=/bin/bash.
useradd has many parameters that can be set in the /etc/default/useradd file. For more information see man useradd.
To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.
The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".
You can also put other files in /etc/skel and different permissions may be needed for them.
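The permission rules above can be checked mechanically. The following is an added example (not part of the BLFS book); the function names skel_findings and audit_skel, the finding labels, and the default owner of root are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the BLFS book.

# skel_findings DIR OWNER
#   Print one line per problem found in the skeleton directory.
skel_findings() {
    # The directory itself must not be writable by group or other.
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/DIR_WRITABLE /'

    # Every entry should belong to the administrator account.
    find "$1" ! -user "$2" -print |
        sed 's/^/WRONG_OWNER /'

    # Regular files: no read or write bit for group or other.
    find "$1" -type f \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print |
        sed 's/^/LOOSE_FILE /'
}

# audit_skel DIR [OWNER]
#   OWNER is a user name or numeric uid and defaults to root.
#   Returns 0 if clean, 1 if there are findings, 2 if DIR is missing.
audit_skel() {
    skel=$1
    owner=${2:-root}

    if [ ! -d "$skel" ]; then
        echo "NOT_A_DIRECTORY $skel"
        return 2
    fi

    report=$(skel_findings "$skel" "$owner")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run it as audit_skel /etc/skel. A LOOSE_FILE line for one of the startup files from this part of the book is cleared with chmod go-rw on that file; other files you have deliberately placed there with different permissions will also be listed and can be reviewed case by case.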
Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.
The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.
You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just send the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.
When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):
useradd -m <newuser>
Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.
Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 100. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.
Additionally, the Linux Standard Base recommends that system uid and gid values should be below 100.
Below is a table of suggested uid/gid values used in BLFS beyond those defined in a base LFS installation. These can be changed as desired, but provide a suggested set of consistent values.
Table 3.1. UID/GID Suggested Values
| Name | uid | gid |
|---|---|---|
| bin | 1 | |
| lp | 9 | |
| messagebus | 18 | 18 |
| haldaemon | 19 | 19 |
| named | 20 | 20 |
| gdm | 21 | 21 |
| fcron | 22 | 22 |
| apache | 25 | 25 |
| smmsp | 26 | 26 |
| exim | 31 | 31 |
| postfix | 32 | 32 |
| postdrop | 33 | |
| sendmail | 34 | |
| 34 | ||
| vmailman | 35 | 35 |
| news | 36 | 36 |
| mysql | 40 | 40 |
| postgres | 41 | 41 |
| ftp | 45 | 45 |
| proftpd | 46 | 46 |
| vsftpd | 47 | 47 |
| rsyncd | 48 | 48 |
| sshd | 50 | 50 |
| stunnel | 51 | 51 |
| svn | 56 | 56 |
| svntest | 57 | |
| games | 60 | 60 |
| anonymous | 98 | |
| nobody | 99 | |
| nogroup | 99 |
One value that is missing is 65534. This value is customarily assigned to the user nobody and group nogroup and is unnecessary. The issue is explained in more detail in the first note in the NFS Utilities Installation section.
Although most devices needed by packages in BLFS and beyond are set up properly by udev using the default rules installed by LFS in /etc/udev/rules.d, there are cases where the rules must be modified or augmented.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/aboutdevices
If there are multiple sound cards in a system, the "default" sound card becomes random. The method to establish sound card order depends on whether the drivers are modules or not. If the sound card drivers are compiled into the kernel, control is via kernel command line parameters in /boot/grub/menu.lst. For example, if a system has both an FM801 card and a SoundBlaster PCI card, the following can be appended to the command line:
snd-fm801.index=0 snd-ens1371.index=1
If the sound card drivers are built as modules, the order can be established in the /etc/modprobe.conf file with:
options snd-fm801 index=0
options snd-ens1371 index=1
Fine-tuning of device attributes such as group name and permissions is possible by creating extra udev rules, matching on something like this (on one line). The vendor and product can be found by searching the /sys/devices directory entries or using udevinfo after the device has been attached. See the documentation in the current udev directory of /usr/share/doc for details.
SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8",
SYSFS{idProduct}=="4002", GROUP:="scanner", MODE:="0640"
Some older applications, such as VMware, need the following deprecated entry in the /etc/fstab file. This is not normally needed.
usbfs /proc/bus/usb usbfs devgid=14,devmode=0660 0 0
In some cases, it makes sense to disable udev completely and create static devices. Servers are one example of this situation. Does a server need the capability of handling dynamic devices? Only the system administrator can answer that question, but in many cases the answer will be no.
If dynamic devices are not desired, then static devices must be created on the system. In the default configuration, the /etc/rc.d/rcsysinit.d/S10udev boot script mounts a tmpfs partition over the /dev directory. This problem can be overcome by mounting the root partition temporarily:
If the instructions below are not followed carefully, your system could become unbootable.
mount --bind / /mnt
cp -a /dev/* /mnt/dev
rm /etc/rc.d/rcsysinit.d/{S10udev,S45udev_retry}
umount /mnt
At this point, the system will use static devices upon the next reboot. Create any desired additional devices using mknod.
If you want to restore the dynamic devices, recreate the /etc/rc.d/rcsysinit.d/{S10udev,S45udev_retry} symbolic links and reboot again. Static devices do not need to be removed (console and null are always needed) because they are covered by the tmpfs partition. Disk usage for devices is negligible (about 20–30 bytes per entry.)
The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.
An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile upon startup.
An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$/bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.
A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.
The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.
Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.
For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.
Most of the instructions below are used to create files located in the /etc directory structure, which requires you to execute the commands as the root user. If you elect to create the files in users' home directories instead, you should run the commands as an unprivileged user.
Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.
For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.
cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# modifications by Dagmar d'Surreal <rivyqntzne@pbzpnfg.arg>
# System wide environment variables and startup programs.
# System wide aliases and functions should go in /etc/bashrc. Personal
# environment variables and startup programs should go into
# ~/.bash_profile. Personal aliases and functions should go into
# ~/.bashrc.
# Functions to help us manage paths. Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
local IFS=':'
local NEWPATH
local DIR
local PATHVARIABLE=${2:-PATH}
for DIR in ${!PATHVARIABLE} ; do
if [ "$DIR" != "$1" ] ; then
NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
fi
done
export $PATHVARIABLE="$NEWPATH"
}
pathprepend () {
pathremove $1 $2
local PATHVARIABLE=${2:-PATH}
export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}
pathappend () {
pathremove $1 $2
local PATHVARIABLE=${2:-PATH}
export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}
# Set the initial path
export PATH=/bin:/usr/bin
if [ $EUID -eq 0 ] ; then
pathappend /sbin:/usr/sbin
unset HISTFILE
fi
# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"
#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '
for script in /etc/profile.d/*.sh ; do
if [ -r $script ] ; then
. $script
fi
done
# Now to clean up
unset pathremove pathprepend pathappend
# End /etc/profile
EOF
Now create the /etc/profile.d directory, where the individual initialization scripts are placed:
install --directory --mode=0755 --owner=root --group=root /etc/profile.d
This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.
cat > /etc/profile.d/dircolors.sh << "EOF"
# Setup for /bin/ls to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
eval $(dircolors -b /etc/dircolors)
if [ -f "$HOME/.dircolors" ] ; then
eval $(dircolors -b $HOME/.dircolors)
fi
fi
alias ls='ls --color=auto'
EOF
This script adds several useful paths to the PATH and PKG_CONFIG_PATH environment variables. If you want, you can uncomment the last section to put a dot at the end of your path. This will allow executables in the current working directory to be executed without specifying a ./; however, you are warned that this is generally considered a security hazard.
cat > /etc/profile.d/extrapaths.sh << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
pathprepend /usr/local/bin
fi
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
pathprepend /usr/local/sbin
fi
for directory in $(find /opt/*/lib/pkgconfig -type d 2>/dev/null); do
pathappend $directory PKG_CONFIG_PATH
done
for directory in $(find /opt/*/bin -type d 2>/dev/null); do
pathappend $directory
done
if [ -d ~/bin ]; then
pathprepend ~/bin
fi
#if [ $EUID -gt 99 ]; then
# pathappend .
#fi
EOF
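The hazard comes from any PATH entry that resolves relative to wherever the user happens to be: a literal dot, an empty entry (a leading, trailing or doubled colon), or any other relative name. The check below is an added example, not part of the BLFS scripts; audit_path and its reason labels are hypothetical names, and it goes slightly beyond the dot case by also flagging world-writable directories.

```shell
#!/bin/sh
# Added example; audit_path is a hypothetical helper, not a BLFS script.

# audit_path PATHSTRING
#   Prints one "reason:entry" line for each entry that lets an untrusted
#   location supply commands. Returns 1 if anything was flagged, else 0.
audit_path() (
    findings=0
    flag() {
        printf '%s:%s\n' "$1" "$2"
        findings=1
    }

    # Split on ':' only, with globbing off. The appended ':' keeps a
    # trailing empty entry (as in "/bin:") from being dropped by field
    # splitting.
    list="$1:"
    set -f
    IFS=:
    set -- $list

    for entry in "$@"; do
        case $entry in
            '')
                # An empty entry is searched as the current directory.
                flag empty-entry "" ;;
            .)
                flag dot-entry "$entry" ;;
            /*)
                # Absolute path: flag it if any user may create files
                # there. Only the entry itself is checked, not its parents.
                if [ -d "$entry" ]; then
                    perms=$(ls -ldL "$entry" | cut -c1-10)
                    case $perms in
                        ????????w?) flag world-writable "$entry" ;;
                    esac
                fi ;;
            *)
                # Any other relative name also depends on the current
                # directory.
                flag relative-entry "$entry" ;;
        esac
    done

    # Exit status of the function: 0 when nothing was flagged.
    [ "$findings" -eq 0 ]
)

# Constructed sample: the PATH an ordinary user would end up with once the
# commented-out "pathappend ." section of extrapaths.sh is enabled.
audit_path "/usr/local/bin:/bin:/usr/bin:." || true
```

Run it against "$PATH" for each account of interest; a clean path prints nothing and returns 0.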
This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.
cat > /etc/profile.d/readline.sh << "EOF"
# Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
INPUTRC=/etc/inputrc
fi
export INPUTRC
EOF
Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.
cat > /etc/profile.d/umask.sh << "EOF"
# By default we want the umask to get set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 022
fi
EOF
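To see what the two umask values mean for newly created files, the following added example (not part of the BLFS scripts) applies the same decision to a few constructed accounts and shows the resulting permissions. The helper names pick_umask and modes_under and the sample accounts are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; pick_umask and modes_under are hypothetical helpers.

# pick_umask USER GROUP UID
#   The decision umask.sh makes, with its three inputs passed as arguments
#   instead of being read from id(1) and $EUID.
pick_umask() {
    if [ "$1" = "$2" ] && [ "$3" -gt 99 ]; then
        echo 002    # user private group, non-system account
    else
        echo 022    # system account, or a group shared with other users
    fi
}

# modes_under MASK
#   Create a file and a directory under MASK in a scratch directory and
#   print their permission strings as "<file> <dir>".
modes_under() (
    scratch=$(mktemp -d) || exit 1
    umask "$1"
    : > "$scratch/file"
    mkdir "$scratch/dir"
    file_mode=$(ls -ld "$scratch/file" | cut -c1-10)
    dir_mode=$(ls -ld "$scratch/dir" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$file_mode" "$dir_mode"
)

# Constructed accounts (user:primary group:uid), one per case.
for account in root:root:0 daemon:daemon:6 alice:alice:1000 bob:users:1001
do
    user=${account%%:*}
    rest=${account#*:}
    group=${rest%%:*}
    uid=${rest#*:}
    mask=$(pick_umask "$user" "$group" "$uid")
    printf '%-7s %-7s %5s  umask %s  %s\n' \
        "$user" "$group" "$uid" "$mask" "$(modes_under "$mask")"
done
```

Only alice, whose primary group is private to her, gets group-writable files; bob shares the users group with others, so group write stays off.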
If X is installed, the PATH and PKG_CONFIG_PATH variables are also updated.
cat > /etc/profile.d/X.sh << "EOF"
if [ -x /usr/X11R6/bin/X ]; then
pathappend /usr/X11R6/bin
fi
if [ -d /usr/X11R6/lib/pkgconfig ] ; then
pathappend /usr/X11R6/lib/pkgconfig PKG_CONFIG_PATH
fi
EOF
This script shows an example of a different way of setting the prompt. The normal variable, PS1, is supplemented by PROMPT_COMMAND. If set, the value of PROMPT_COMMAND is executed as a command prior to issuing each primary prompt. The sequence \e is an ESC character. \a is a BEL character. For a reference on xterm escape sequences, see http://rtfm.etla.org/xterm/ctlseq.html.
cat > /etc/profile.d/extra-prompt.sh << "EOF"
PROMPT_COMMAND='echo -ne "\e[1m${USER}@${HOSTNAME} : ${PWD}\e[0m\a"'
export PROMPT_COMMAND
EOF
The escape sequences above are BOLD, NORMAL, and BEL.
This script sets an environment variable necessary for native language support. A full discussion on determining this variable can be found on the LFS Bash Shell Startup Files page.
cat > /etc/profile.d/i18n.sh << "EOF"
# Set up i18n variables
export LANG=<ll>_<CC>.<charmap><@modifiers>
EOF
Here is a base /etc/bashrc. Comments in the file should explain everything you need.
cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>
# Make sure that the terminal is set up properly for each shell
if [ -f /etc/profile.d/tinker-term.sh ]; then
  source /etc/profile.d/tinker-term.sh
fi
# System wide aliases and functions.
# System wide environment variables and startup programs should go into
# /etc/profile. Personal environment variables and startup programs
# should go into ~/.bash_profile. Personal aliases and functions should
# go into ~/.bashrc
# Provides a colored /bin/ls command. Used in conjunction with code in
# /etc/profile.
alias ls='ls --color=auto'
# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]
#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '
# End /etc/bashrc
EOF
Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.
cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# updated by Bruce Dubbs <bdubbs@linuxfromscratch.org>
# Personal environment variables and startup programs.
# Personal aliases and functions should go in ~/.bashrc. System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.
append () {
# First remove the directory
local IFS=':'
local NEWPATH
for DIR in $PATH; do
if [ "$DIR" != "$1" ]; then
NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
fi
done
# Then append the directory (no leading ':' if PATH was empty, since an
# empty entry means the current directory)
export PATH=${NEWPATH:+$NEWPATH:}$1
}
if [ -f "$HOME/.bashrc" ] ; then
source $HOME/.bashrc
fi
if [ -d "$HOME/bin" ] ; then
append $HOME/bin
fi
unset append
# End ~/.bash_profile
EOF
Here is a base ~/.bashrc. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.
cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# Personal aliases and functions.
# Personal environment variables and startup programs should go in
# ~/.bash_profile. System wide environment variables and startup
# programs are in /etc/profile. System wide aliases and functions are
# in /etc/bashrc.
if [ -f "/etc/bashrc" ] ; then
  source /etc/bashrc
fi
# End ~/.bashrc
EOF
This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.
cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <jameswrobertson@earthlink.net>
# Personal items to perform on logout.
# End ~/.bash_logout
EOF
If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above also can be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and assure the permissions, owner, and group are correct on the files created and/or copied.
dircolors -p > /etc/dircolors
If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.
Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at http://www.caliban.org/bash/index.shtml.
The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!
The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads /etc/vimrc and ~/.vimrc (i.e., the global vimrc and the user-specific one). Note that this is only true if you compiled vim using LFS-3.1 onwards. Prior to this, the global vimrc was /usr/share/vim/vimrc.
Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.
" Begin .vimrc
set columns=80
set wrapmargin=8
set ruler
" End .vimrc
Note that the comment tags are " instead of the more usual # or //. This is correct; the syntax for vimrc is slightly unusual.
Below you'll find a quick explanation of what each of the options in this example file means:
set columns=80: This simply sets the number of columns used on the screen.
set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.
set ruler: This makes vim show the current row and column at the bottom right of the screen.
More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.
When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.
The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file issue.net which can be used when logging on remotely. ssh however, will only use it if you set the option in the configuration file and will not interpret the escape sequences shown below.
One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.
Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC [ 2 J erases the screen. For more information on terminal escape sequences see http://rtfm.etla.org/xterm/ctlseq.html.
The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.
The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).
b Insert the baudrate of the current line.
d Insert the current date.
s Insert the system name, the name of the operating system.
l Insert the name of the current tty line.
m Insert the architecture identifier of the machine, e.g., i686.
n Insert the nodename of the machine, also known as the hostname.
o Insert the domainname of the machine.
r Insert the release number of the kernel, e.g., 2.6.11.12.
t Insert the current time.
u Insert the number of current users logged in.
U Insert the string "1 user" or "<n> users" where <n> is the
number of current users logged in.
v Insert the version of the OS, e.g., the build-date etc.
The shells file contains a list of login shells on the system. Applications use this file to determine whether a shell is valid. For each shell a single line should be present, consisting of the shell's path, relative to the root of the directory structure (/).
For example, this file is consulted by chsh to determine whether an unprivileged user may change the login shell for her own account. If the command name is not listed, the user will be denied the change.
The file is also required by applications such as GDM, which does not populate the face browser if it can't find /etc/shells, and by FTP daemons, which traditionally disallow access to users with shells not included in this file.
cat > /etc/shells << "EOF"
# Begin /etc/shells
/bin/sh
/bin/bash
# End /etc/shells
EOF
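Because chsh, GDM and FTP daemons all key off this list, it is worth checking which accounts would be turned away and whether every listed shell really exists. The following is an added example, not part of BLFS; the helper names are hypothetical and the passwd and shells contents are constructed samples written to a scratch directory.

```shell
#!/bin/sh
# Added example; these helper names are hypothetical, not BLFS scripts.

# listed_shells FILE
#   Print the shell paths in an /etc/shells-style file, dropping blank
#   lines and '#' comments such as the Begin/End markers.
listed_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# shell_is_listed FILE SHELL
#   Succeed only if SHELL matches a listed path exactly.
shell_is_listed() {
    listed_shells "$1" | grep -Fqx -- "$2"
}

# unlisted_accounts PASSWD SHELLS
#   Print "user:shell" for every passwd entry whose login shell is not
#   listed. These are the accounts chsh or an FTP daemon would refuse.
unlisted_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac
        # An empty seventh field means /bin/sh.
        [ -n "$shell" ] || shell=/bin/sh
        shell_is_listed "$2" "$shell" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# broken_entries SHELLS
#   Print listed entries that are not absolute paths or that do not name
#   an executable file on this system.
broken_entries() {
    listed_shells "$1" | while IFS= read -r sh; do
        case $sh in
            /*) [ -x "$sh" ] && [ ! -d "$sh" ] ||
                    printf 'not-executable:%s\n' "$sh" ;;
            *)  printf 'not-absolute:%s\n' "$sh" ;;
        esac
    done
}

# Constructed sample data; point the functions at /etc/passwd and
# /etc/shells to check a real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shells" << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF
cat > "$demo_dir/passwd" << "EOF"
root:x:0:0:root:/root:/bin/bash
ftp:x:45:45:FTP account:/srv/ftp:/bin/false
alice:x:1000:1000::/home/alice:/bin/zsh
EOF
unlisted_accounts "$demo_dir/passwd" "$demo_dir/shells"
broken_entries "$demo_dir/shells"
rm -rf "$demo_dir"
```

An account reported by unlisted_accounts is not necessarily a mistake: giving a service account an unlisted shell such as /bin/false is a common way to keep it out of FTP and chsh.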
The Linux kernel supplies a random number generator which is accessed through /dev/random and /dev/urandom. Programs that utilize the random and urandom devices, such as OpenSSH, will benefit from these instructions.
When a Linux system starts up without much operator interaction, the entropy pool (data used to compute a random number) may be in a fairly predictable state. This creates the real possibility that the number generated at startup may always be the same. In order to counteract this effect, you should carry the entropy pool information across your shut-downs and start-ups.
Install the /etc/rc.d/init.d/random init script included with the blfs-bootscripts-20060910 package.
make install-random
Man and info reader programs can transparently process files compressed with gzip or bzip2, a feature you can use to free some disk space while keeping your documentation available. However, things are not that simple; man directories tend to contain links—hard and symbolic—which defeat simple ideas like recursively calling gzip on them. A better way to go is to use the script below. If you would prefer to download the file instead of creating it by typing or cut-and-pasting, you can find it at http://anduin.linuxfromscratch.org/files/BLFS/compressdoc (the file should be installed in the /usr/sbin directory).
cat > /usr/sbin/compressdoc << "EOF"
#!/bin/bash
# VERSION: 20060311.0028
#
# Compress (with bzip2 or gzip) all man pages in a hierarchy and
# update symlinks - By Marc Heerdink <marc @ koelkast.net>
#
# Modified to be able to gzip or bzip2 files as an option and to deal
# with all symlinks properly by Mark Hymers <markh @ linuxfromscratch.org>
#
# Modified 20030930 by Yann E. Morin <yann.morin.1998 @ anciens.enib.fr>
# to accept compression/decompression, to correctly handle hard-links,
# to allow for changing hard-links into soft- ones, to specify the
# compression level, to parse the man.conf for all occurrences of MANPATH,
# to allow for a backup, to allow to keep the newest version of a page.
#
# Modified 20040330 by Tushar Teredesai to replace $0 by the name of the
# script.
# (Note: It is assumed that the script is in the user's PATH)
#
# Modified 20050112 by Randy McMurchy to shorten line lengths and
# correct grammar errors.
#
# Modified 20060128 by Alexander E. Patrakov for compatibility with Man-DB.
#
# Modified 20060311 by Archaic to use Man-DB manpath utility which is a
# replacement for man --path from Man.
#
# TODO:
# - choose a default compress method to be based on the available
# tool : gzip or bzip2;
# - offer an option to automagically choose the best compression
# method on a per page basis (eg. check which of
# gzip/bzip2/whatever is the most effective, page per page);
# - when a MANPATH env var exists, use this instead of /etc/man_db.conf
# (useful for users to (de)compress their man pages);
# - offer an option to restore a previous backup;
# - add other compression engines (compress, zip, etc?). Needed?
# Funny enough, this function prints some help.
function help ()
{
if [ -n "$1" ]; then
echo "Unknown option : $1"
fi
( echo "Usage: $MY_NAME <comp_method> [options] [dirs]" && \
cat << EOT
Where comp_method is one of :
--gzip, --gz, -g
--bzip2, --bz2, -b
Compress using gzip or bzip2.
--decompress, -d
Decompress the man pages.
--backup Specify a .tar backup shall be done for all directories.
In case a backup already exists, it is saved as .tar.old
prior to making the new backup. If a .tar.old backup
exists, it is removed prior to saving the backup.
In backup mode, no other action is performed.
And where options are :
-1 to -9, --fast, --best
The compression level, as accepted by gzip and bzip2.
When not specified, uses the default compression level
for the given method (-6 for gzip, and -9 for bzip2).
Not used when in backup or decompress modes.
--force, -F Force (re-)compression, even if the previous one was
the same method. Useful when changing the compression
ratio. By default, a page will not be re-compressed if
it ends with the same suffix as the method adds
(.bz2 for bzip2, .gz for gzip).
--soft, -S Change hard-links into soft-links. Use with _caution_
as the first encountered file will be used as a
reference. Not used when in backup mode.
--hard, -H Change soft-links into hard-links. Not used when in
backup mode.
--conf=dir, --conf dir
Specify the location of man_db.conf. Defaults to /etc.
--verbose, -v Verbose mode, print the name of the directory being
processed. Double the flag to turn it even more verbose,
and to print the name of the file being processed.
--fake, -f Fakes it. Print the actual parameters compressdoc will use.
dirs A list of space-separated _absolute_ pathnames to the
man directories. When empty, and only then, use manpath
to parse ${MAN_CONF}/man_db.conf for all valid occurrences
of MANDATORY_MANPATH.
Note about compression:
There has been a discussion on blfs-support about compression ratios of
both gzip and bzip2 on man pages, taking into account the hosting fs,
the architecture, etc... On the overall, the conclusion was that gzip
was much more efficient on 'small' files, and bzip2 on 'big' files,
small and big being very dependent on the content of the files.
See the original post from Mickael A. Peters, titled
"Bootable Utility CD", dated 20030409.1816(+0200), and subsequent posts:
http://linuxfromscratch.org/pipermail/blfs-support/2003-April/038817.html
On my system (x86, ext3), man pages were 35564KB before compression.
gzip -9 compressed them down to 20372KB (57.28%), bzip2 -9 got down to
19812KB (55.71%). That is a 1.57% gain in space. YMMV.
What was not taken into consideration was the decompression speed. But
does it make sense to? You gain fast access with uncompressed man
pages, or you gain space at the expense of a slight overhead in time.
Well, my P4-2.5GHz does not even let me notice this... :-)
EOT
) | less
}
# This function checks that the man page is unique amongst bzip2'd,
# gzip'd and uncompressed versions.
# $1 the directory in which the file resides
# $2 the file name for the man page
# Returns 0 (true) if the file is the latest and must be taken care of,
# and 1 (false) if the file is not the latest (and has therefore been
# deleted).
function check_unique ()
{
# NB. When there are hard-links to this file, these are
# _not_ deleted. In fact, if there are hard-links, they
# all have the same date/time, thus making them ready
# for deletion later on.
# Build the list of all man pages with the same name
DIR=$1
BASENAME=`basename "${2}" .bz2`
BASENAME=`basename "${BASENAME}" .gz`
GZ_FILE="$BASENAME".gz
BZ_FILE="$BASENAME".bz2
# Look for, and keep, the most recent one
LATEST=`(cd "$DIR"; ls -1rt "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}" \
2>/dev/null | tail -n 1)`
for i in "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}"; do
[ "$LATEST" != "$i" ] && rm -f "$DIR"/"$i"
done
# In case the specified file was the latest, return 0
[ "$LATEST" = "$2" ] && return 0
# If the file was not the latest, return 1
return 1
}
# Name of the script
MY_NAME=`basename $0`
# OK, parse the command-line for arguments, and initialize to some
# sensible state, that is: don't change links state, parse
# /etc/man_db.conf, be most silent, search man_db.conf in /etc, and don't
# force (re-)compression.
COMP_METHOD=
COMP_SUF=
COMP_LVL=
FORCE_OPT=
LN_OPT=
MAN_DIR=
VERBOSE_LVL=0
BACKUP=no
FAKE=no
MAN_CONF=/etc
while [ -n "$1" ]; do
case $1 in
--gzip|--gz|-g)
COMP_SUF=.gz
COMP_METHOD=$1
shift
;;
--bzip2|--bz2|-b)
COMP_SUF=.bz2
COMP_METHOD=$1
shift
;;
--decompress|-d)
COMP_SUF=
COMP_LVL=
COMP_METHOD=$1
shift
;;
-[1-9]|--fast|--best)
COMP_LVL=$1
shift
;;
--force|-F)
FORCE_OPT=-F
shift
;;
--soft|-S)
LN_OPT=-S
shift
;;
--hard|-H)
LN_OPT=-H
shift
;;
--conf=*)
MAN_CONF=`echo $1 | cut -d '=' -f2-`
shift
;;
--conf)
MAN_CONF="$2"
shift 2
;;
--verbose|-v)
let VERBOSE_LVL++
shift
;;
--backup)
BACKUP=yes
shift
;;
--fake|-f)
FAKE=yes
shift
;;
--help|-h)
help
exit 0
;;
/*)
MAN_DIR="${MAN_DIR} ${1}"
shift
;;
-*)
help $1
exit 1
;;
*)
echo "\"$1\" is not an absolute path name"
exit 1
;;
esac
done
# Redirections
case $VERBOSE_LVL in
0)
# 0, be silent
DEST_FD0=/dev/null
DEST_FD1=/dev/null
VERBOSE_OPT=
;;
1)
# 1, be a bit verbose
DEST_FD0=/dev/stdout
DEST_FD1=/dev/null
VERBOSE_OPT=-v
;;
*)
# 2 and above, be most verbose
DEST_FD0=/dev/stdout
DEST_FD1=/dev/stdout
VERBOSE_OPT="-v -v"
;;
esac
# Note: on my machine, 'man --path' gives /usr/share/man twice, once
# with a trailing '/', once without.
if [ -z "$MAN_DIR" ]; then
MAN_DIR=`manpath -C "$MAN_CONF"/man_db.conf \
| sed 's/:/\\n/g' \
| while read foo; do dirname "$foo"/.; done \
| sort -u \
| while read bar; do echo -n "$bar "; done`
fi
# If no MANDATORY_MANPATH in ${MAN_CONF}/man_db.conf, abort as well
if [ -z "$MAN_DIR" ]; then
echo "No directory specified, and no directory found with \`manpath'"
exit 1
fi
# Fake?
if [ "$FAKE" != "no" ]; then
echo "Actual parameters used:"
echo -n "Compression.......: "
case $COMP_METHOD in
--bzip2|--bz2|-b) echo -n "bzip2";;
--gzip|--gz|-g) echo -n "gzip";;
--decompress|-d) echo -n "decompressing";;
*) echo -n "unknown";;
esac
echo " ($COMP_METHOD)"
echo "Compression level.: $COMP_LVL"
echo "Compression suffix: $COMP_SUF"
echo -n "Force compression.: "
[ "foo$FORCE_OPT" = "foo-F" ] && echo "yes" || echo "no"
echo "man_db.conf is....: ${MAN_CONF}/man_db.conf"
echo -n "Hard-links........: "
[ "foo$LN_OPT" = "foo-S" ] &&
echo "convert to soft-links" || echo "leave as is"
echo -n "Soft-links........: "
[ "foo$LN_OPT" = "foo-H" ] &&
echo "convert to hard-links" || echo "leave as is"
echo "Backup............: $BACKUP"
echo "Faking (yes!).....: $FAKE"
echo "Directories.......: $MAN_DIR"
echo "Verbosity level...: $VERBOSE_LVL"
exit 0
fi
# If no method was specified, print help
if [ -z "${COMP_METHOD}" -a "${BACKUP}" = "no" ]; then
help
exit 1
fi
# In backup mode, do the backup solely
if [ "$BACKUP" = "yes" ]; then
for DIR in $MAN_DIR; do
cd "${DIR}/.."
DIR_NAME=`basename "${DIR}"`
echo "Backing up $DIR..." > $DEST_FD0
[ -f "${DIR_NAME}.tar.old" ] && rm -f "${DIR_NAME}.tar.old"
[ -f "${DIR_NAME}.tar" ] &&
mv "${DIR_NAME}.tar" "${DIR_NAME}.tar.old"
tar -cvf "${DIR_NAME}.tar" "${DIR_NAME}" > $DEST_FD1
done
exit 0
fi
# I know MAN_DIR has only absolute path names
# I need to take into account the localized man, so I'm going recursive
for DIR in $MAN_DIR; do
MEM_DIR=`pwd`
cd "$DIR"
for FILE in *; do
# Fixes the case where the directory is empty
if [ "foo$FILE" = "foo*" ]; then continue; fi
# Fixes the case when hard-links see their compression scheme change
# (from not compressed to compressed, or from bz2 to gz, or from gz
# to bz2)
# Also fixes the case when multiple version of the page are present,
# which are either compressed or not.
if [ ! -L "$FILE" -a ! -e "$FILE" ]; then continue; fi
# Do not compress whatis files
if [ "$FILE" = "whatis" ]; then continue; fi
if [ -d "$FILE" ]; then
cd "${MEM_DIR}" # Go back to where we ran "$0",
# in case "$0"=="./compressdoc" ...
# We are going recursive to that directory
echo "-> Entering ${DIR}/${FILE}..." > $DEST_FD0
# I need not pass --conf, as I specify the directory to work on
# But I need exit in case of error
"$MY_NAME" ${COMP_METHOD} ${COMP_LVL} ${LN_OPT} ${VERBOSE_OPT} \
${FORCE_OPT} "${DIR}/${FILE}" || exit 1
echo "<- Leaving ${DIR}/${FILE}." > $DEST_FD1
cd "$DIR" # Needed for the next iteration of the loop
else # !dir
if ! check_unique "$DIR" "$FILE"; then continue; fi
# Check if the file is already compressed with the specified method
BASE_FILE=`basename "$FILE" .gz`
BASE_FILE=`basename "$BASE_FILE" .bz2`
if [ "${FILE}" = "${BASE_FILE}${COMP_SUF}" \
-a "foo${FORCE_OPT}" = "foo" ]; then continue; fi
# If we have a symlink
if [ -h "$FILE" ]; then
case "$FILE" in
*.bz2)
EXT=bz2 ;;
*.gz)
EXT=gz ;;
*)
EXT=none ;;
esac
if [ ! "$EXT" = "none" ]; then
LINK=`ls -l "$FILE" | cut -d ">" -f2 \
| tr -d " " | sed s/\.$EXT$//`
NEWNAME=`echo "$FILE" | sed s/\.$EXT$//`
mv "$FILE" "$NEWNAME"
FILE="$NEWNAME"
else
LINK=`ls -l "$FILE" | cut -d ">" -f2 | tr -d " "`
fi
if [ "$LN_OPT" = "-H" ]; then
# Change this soft-link into a hard- one
rm -f "$FILE" && ln "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
chmod --reference "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
else
# Keep this soft-link a soft- one.
rm -f "$FILE" && ln -s "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
fi
echo "Relinked $FILE" > $DEST_FD1
# else if we have a plain file
elif [ -f "$FILE" ]; then
# Take care of hard-links: build the list of files hard-linked
# to the one we are {de,}compressing.
# NB. This is not optimum as the file will eventually be
# compressed as many times as it has hard-links. But for now,
# that's the safe way.
inode=`ls -li "$FILE" | awk '{print $1}'`
HLINKS=`find . \! -name "$FILE" -inum $inode`
if [ -n "$HLINKS" ]; then
# We have hard-links! Remove them now.
for i in $HLINKS; do rm -f "$i"; done
fi
# Now take care of the file that has no hard-link
# We do decompress first to re-compress with the selected
# compression ratio later on...
case "$FILE" in
*.bz2)
bunzip2 "$FILE"
FILE=`basename "$FILE" .bz2`
;;
*.gz)
gunzip "$FILE"
FILE=`basename "$FILE" .gz`
;;
esac
# Compress the file with the given compression ratio, if needed
case $COMP_SUF in
*bz2)
bzip2 ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
echo "Compressed $FILE" > $DEST_FD1
;;
*gz)
gzip ${COMP_LVL} "$FILE" && chmod 644 "${FILE}${COMP_SUF}"
echo "Compressed $FILE" > $DEST_FD1
;;
*)
echo "Uncompressed $FILE" > $DEST_FD1
;;
esac
# If the file had hard-links, recreate those (either hard or soft)
if [ -n "$HLINKS" ]; then
for i in $HLINKS; do
NEWFILE=`echo "$i" | sed s/\.gz$// | sed s/\.bz2$//`
if [ "$LN_OPT" = "-S" ]; then
# Make this hard-link a soft- one
ln -s "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
else
# Keep the hard-link a hard- one
ln "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
fi
# Really work only for hard-links. Harmless for soft-links
chmod 644 "${NEWFILE}$COMP_SUF"
done
fi
else
# There is a problem when we get neither a symlink nor a plain
# file. Obviously, we shall never ever come here... :-(
echo -n "Whaooo... \"${DIR}/${FILE}\" is neither a symlink "
echo "nor a plain file. Please check:"
ls -l "${DIR}/${FILE}"
exit 1
fi
fi
done # for FILE
done # for DIR
EOF
As root, make compressdoc executable for all users:
chmod -v 755 /usr/sbin/compressdoc
Now, as root, you can issue the command compressdoc --bz2 to compress all your system man pages. You can also run compressdoc --help to get comprehensive help about what the script is able to do.
Don't forget that a few programs, like the X Window System and XEmacs also install their documentation in non-standard places (such as /usr/X11R6/man, etc.). Be sure to add these locations to the file /etc/man_db.conf, as MANDATORY_MANPATH </path> lines.
Example:
...
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/X11R6/man
MANDATORY_MANPATH /usr/local/man
MANDATORY_MANPATH /opt/qt/doc/man
...
Generally, package installation systems do not compress man/info pages, which means you will need to run the script again if you want to keep the size of your documentation as small as possible. Also, note that running the script after upgrading a package is safe; when you have several versions of a page (for example, one compressed and one uncompressed), the most recent one is kept and the others are deleted.
The autofs package contains userspace tools that work with the kernel to mount and un-mount removable file systems. This is useful for allowing users to mount floppies, cdroms and other removable storage devices without requiring the system administrator to mount the devices. This may not be ideal for all installations, so be aware of the risks before implementing this feature.
Download (HTTP): http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4.tar.bz2
Download (FTP): ftp://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.4.tar.bz2
Download MD5 sum: 7e3949114c00665b4636f0c318179657
Download size: 168 KB
Estimated disk space required: 2.3 MB
Estimated build time: less than 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/autofs
Verify that kernel support has been compiled in or built as modules in the following areas:
File systems ⇒
Kernel automounter version 4 support Y or M
Network File Systems ⇒
NFS file system support Y or M (optional)
SMB file system support Y or M (optional)
Recompile and install the new kernel, if necessary.
Install autofs by running the following commands:
patch -Np1 -i ../autofs-4.1.4-consolidated-1.patch &&
./configure --prefix=/ --mandir=/usr/share/man &&
make
Now, as the root user:
make install && rm /etc/rc.d/init.d/autofs
patch -Np1 -i ../autofs-4.1.4-consolidated-1.patch: This patch is a consolidation of nine small patches available at http://ftp.kernel.org/pub/linux/daemons/autofs/v4/. The patches can be applied individually if desired.
rm /etc/rc.d/init.d/autofs: This command removes the installed script which only works on specific distributions.
The installation process creates auto.master, auto.misc and auto.net. You will replace the auto.master with the following commands:
mv /etc/auto.master /etc/auto.master.bak &&
cat > /etc/auto.master << "EOF"
# Begin /etc/auto.master
/media /etc/auto.misc
# End /etc/auto.master
EOF
This file mounts a new media directory over the one created by LFS and will therefore hide any mounts made by the fstab file into that directory.
While this package could be used to mount NFS shares and SMB shares, that feature is not configured in these instructions. NFS shares are covered on the next page.
The auto.misc file must be configured to match your working hardware. The installed configuration file should mount your cdrom if /dev/cdrom is active; otherwise, edit it to match your device setup. Examples for floppies are available in the file and are easily activated. Documentation for this file is available using the man 5 autofs command.
Install the /etc/rc.d/init.d/autofs mount script and /etc/sysconfig/autofs.conf support file included with the blfs-bootscripts-20060910 package.
make install-autofs
The time-out variable is set in /etc/sysconfig/autofs.conf. The installed file sets a default of 60 seconds of inactivity before unmounting the device. A much shorter time may be necessary to protect buffered writes to a floppy if users tend to remove the media before the timeout expires.
While LFS is capable of mounting network file systems such as NFS, these are not mounted by the mountfs init script. Network file systems must be mounted after the networking is activated and unmounted before the network goes down. The netfs bootscript was written to handle both boot-time mounting of network filesystems, if the entry in /etc/fstab contains the _netdev option, and unmounting of all network filesystems before the network is brought down.
As the root user, install the /etc/rc.d/init.d/netfs bootscript included with the blfs-bootscripts-20060910 package.
make install-netfs
Security takes many forms in a computing environment. This chapter gives examples of three different types of security: access, prevention and detection.
Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. The Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries can be installed and shared among the many applications requiring them. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.
Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically its ability to verify signed packages, which detects modifications made to a tarball after the packager created it.
Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator), then regenerates those "signatures" and compares them to find files that have been changed.
The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH, email applications and web browsers (for accessing HTTPS sites).
Download (HTTP): http://www.openssl.org/source/openssl-0.9.8d.tar.gz
Download (FTP): ftp://ftp.openssl.org/source/openssl-0.9.8d.tar.gz
Download MD5 sum: 8ed1853538e1d05a1f5ada61ebf8bffa
Download size: 3.2 MB
Estimated disk space required: 38.1 MB
Estimated build time: 1.1 SBU (additional 0.6 SBU to run the test suite)
bc-1.06 (recommended if you run the test suite during the build)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSL
To avoid a lot of warnings caused by using a deprecated compilation option, run:
sed -i -e 's/mcpu/march/' config
Install OpenSSL by running the following commands:
patch -Np1 -i ../openssl-0.9.8d-fix_manpages-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man
To test the results, issue: make test.
Now, as the root user:
make MANDIR=/usr/share/man install &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-0.9.8d &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
/usr/share/doc/openssl-0.9.8d
no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.
make MANDIR=/usr/share/man; make MANDIR=/usr/share/man install: These commands install OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man.
cp -v -r certs /etc/ssl: The certificates must be copied manually as the default installation skips this step.
Most people who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers won't need to worry about configuring OpenSSL. Configuring OpenSSL is an advanced topic and so those who do would normally be expected to either know how to do it or to be able to find out how to do it.
The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.
Download (HTTP): http://downloads.sourceforge.net/cracklib/cracklib-2.8.9.tar.gz
Download MD5 sum: 9a8c9eb26b48787c84024ac779f64bb2
Download size: 575 KB
Estimated disk space required: 29.2 MB (without Python bindings)
Estimated build time: 0.1 SBU
Recommended word list for English-speaking countries (size: 4.4 MB; md5sum: d18e670e5df560a8745e1b4dede8f84f): http://downloads.sourceforge.net/cracklib/cracklib-words.gz
Required patch to create a library used with the Heimdal Kerberos 5 package: http://www.linuxfromscratch.org/patches/blfs/6.2.0/cracklib-2.8.9-heimdal-1.patch
There are additional word lists available for download, e.g., from http://www.cotse.com/tools/wordlists.htm. CrackLib can utilize as many, or as few, word lists as you choose to install.
Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.
The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.
Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of “word-based keystroke combinations” that make bad passwords.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cracklib
If desired, apply the Heimdal patch (note that with this patch the original library is not affected; this patch only creates an additional library used by the Heimdal password-checking routines):
patch -Np1 -i ../cracklib-2.8.9-heimdal-1.patch
Install CrackLib by running the following commands:
./configure --prefix=/usr \
--with-default-dict=/lib/cracklib/pw_dict &&
make
Now, as the root user:
make install &&
mv -v /usr/lib/libcrack.so.2* /lib &&
ln -v -sf ../../lib/libcrack.so.2.8.0 /usr/lib/libcrack.so
Issue the following commands as the root user to install the recommended word list and create the CrackLib dictionary. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict and adding them to the create-cracklib-dict command.
install -v -m644 -D ../cracklib-words.gz \
/usr/share/dict/cracklib-words.gz &&
gunzip -v /usr/share/dict/cracklib-words.gz &&
ln -v -s cracklib-words /usr/share/dict/words &&
echo $(hostname) >>/usr/share/dict/cracklib-extra-words &&
install -v -m755 -d /lib/cracklib &&
create-cracklib-dict /usr/share/dict/cracklib-words \
/usr/share/dict/cracklib-extra-words
If desired, check the proper operation of the library as an unprivileged user using the tests included with the package:
make test
If you are installing CrackLib after your LFS system has been completed and you have the Shadow package installed, you must reinstall Shadow-4.0.15 if you wish to provide strong password support on your system. If you are now going to install the Linux-PAM-0.99.4.0 package, you may disregard this note as Shadow will be reinstalled after the Linux-PAM installation.
--with-default-dict=/lib/cracklib/pw_dict: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.
mv -v /usr/lib/libcrack.so.2* /lib and ln -v -sf ../../lib/libcrack.so.2.8.0 ...: These two commands move the libcrack.so.2.8.0 library and associated symlink from /usr/lib to /lib, then recreate the /usr/lib/libcrack.so symlink pointing to the relocated file.
install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.
ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words as historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.
echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site-specific list which includes easy-to-guess passwords such as company or department names, users' names, product names, computer names, domain names, etc.
create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.
The Linux-PAM package contains Pluggable Authentication Modules. This is useful to enable the local system administrator to choose how applications authenticate users.
Download (HTTP): http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.99.4.0.tar.bz2
Download (FTP): ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.99.4.0.tar.bz2
Download MD5 sum: 267ea71253615342261f9fc486d06647
Download size: 783 KB
Estimated disk space required: 19.8 MB
Estimated build time: 0.5 SBU
Optional documentation: http://www.kernel.org/pub/linux/libs/pam/pre/doc/Linux-PAM-0.99.4.0-docs.tar.bz2
CrackLib-2.8.9, Prelude, and sgmltools-lite
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/linux-pam
If you downloaded the documentation, unpack the tarball into the doc directory of the source tree:
tar -xf ../Linux-PAM-0.99.4.0-docs.tar.bz2 -C doc
Install Linux-PAM by running the following commands:
./configure --libdir=/usr/lib \
--sbindir=/lib/security \
--enable-securedir=/lib/security \
--enable-docdir=/usr/share/doc/Linux-PAM-0.99.4.0 \
--enable-read-both-confs &&
make
The test suite will not provide meaningful results until the package has been installed and configured. If, after installing the package and creating a minimum configuration as shown below in the 'other' example, you wish to run the tests, issue make check.
Don't delete the Linux-PAM source tree until after you reinstall the Shadow package. The reinstallation of the Shadow package includes much more stringent security for the PAM configuration, and you can run the Linux-PAM test suite after completing the Shadow instructions to test the new setup. All the tests should pass.
Now, as the root user:
make install &&
chmod -v 4755 /lib/security/unix_chkpwd &&
mv -v /lib/security/pam_tally /sbin &&
mv -v /usr/lib/libpam*.so.0* /lib &&
ln -v -sf ../../lib/libpam.so.0.81.3 /usr/lib/libpam.so &&
ln -v -sf ../../lib/libpamc.so.0.81.0 /usr/lib/libpamc.so &&
ln -v -sf ../../lib/libpam_misc.so.0.81.2 /usr/lib/libpam_misc.so
If you downloaded the documentation, install it using the following command:
for DOCTYPE in html pdf ps txts
do
cp -v -R doc/$DOCTYPE /usr/share/doc/Linux-PAM-0.99.4.0
done
--libdir=/usr/lib: This parameter results in the libraries being installed in /usr/lib.
--sbindir=/lib/security: This parameter results in two executables, one which is not intended to be run from the command line, being installed in the same directory as the PAM modules. One of the executables is later moved to the /sbin directory.
--enable-securedir=/lib/security: This parameter results in the PAM modules being installed in /lib/security.
--enable-docdir=...: This parameter results in the documentation being installed in a versioned directory name.
--enable-read-both-confs: This parameter allows the local administrator to choose which configuration file setup to use.
chmod -v 4755 /lib/security/unix_chkpwd: The unix_chkpwd password-helper program must be setuid so that non-root processes can access the shadow-password file.
mv -v /lib/security/pam_tally /sbin: The pam_tally program is designed to be run by the system administrator, possibly in single-user mode, so it is moved to the appropriate directory.
mv -v /usr/lib/libpam*.so.0* /lib: This command moves the dynamic libraries to /lib as they may be required in single user mode.
ln -v -sf ...: These commands recreate the .so symlinks as the libraries they pointed to were moved to /lib.
Configuration information is placed in /etc/pam.d/ or /etc/pam.conf depending on system administrator preference. Below are example files of each type:
# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
# Begin /etc/pam.conf
other auth required pam_unix.so nullok
other account required pam_unix.so
other session required pam_unix.so
other password required pam_unix.so nullok
# End /etc/pam.conf
The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.
Refer to http://www.kernel.org/pub/linux/libs/pam/modules.html for a list of various modules available.
You should now reinstall the Shadow-4.0.15 package.
Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.
Download (HTTP): http://ftp.pld.org.pl/software/shadow/old/shadow-4.0.15.tar.bz2
Download (FTP): ftp://ftp.pld.org.pl/software/shadow/old/shadow-4.0.15.tar.bz2
Download MD5 sum: a0452fa989f8ba45023cc5a08136568e
Download size: 1.2 MB
Estimated disk space required: 15.5 MB
Estimated build time: 0.3 SBU
Linux-PAM-0.99.4.0 and/or CrackLib-2.8.9
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/shadow
The installation shown below is for a situation where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation. If you are reinstalling Shadow to provide strong password support via the CrackLib library and you have not installed Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below.
Reinstall Shadow by running the following commands:
./configure --libdir=/lib \
--enable-shared \
--without-selinux &&
sed -i 's/groups$(EXEEXT) //' src/Makefile &&
find man -name Makefile -exec sed -i '/groups/d' {} \; &&
sed -i -e 's/ ko//' \
-e 's/ zh_CN zh_TW//' \
man/Makefile &&
for i in de es fi fr id it pt_BR; do
convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done &&
for i in cs hu pl; do
convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done &&
convert-mans UTF-8 EUC-JP man/ja/*.? &&
convert-mans UTF-8 KOI8-R man/ru/*.? &&
convert-mans UTF-8 ISO-8859-9 man/tr/*.? &&
make
This package does not come with a test suite.
Now, as the root user:
make install &&
mv -v /usr/bin/passwd /bin &&
mv -v /lib/libshadow.*a /usr/lib &&
rm -v /lib/libshadow.so &&
ln -v -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
--without-selinux: Support for selinux is enabled by default, but selinux is not built in a base LFS system. The configure script will fail if this option is not used.
sed -i 's/groups$(EXEEXT) //' src/Makefile: This command is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.
find man -name Makefile -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.
sed -i -e '...' -e '...' man/Makefile: This command disables the installation of Chinese and Korean manual pages, since Man-DB cannot format them properly.
convert-mans ...: These commands are used to convert some of the man pages so that Man-DB will display them in the expected encodings.
mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition.
mv -v ...; rm -v ...; ln -v ...: These commands are used to move the libshadow library to the root partition to support the moving of the passwd program earlier.
The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.
Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-0.99.4.0 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following links:
The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:
install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
PORTTIME_CHECKS_ENAB CONSOLE \
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
CONSOLE_GROUPS ENVIRON_FILE \
ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
PASS_CHANGE_TRIES PASS_ALWAYS_WARN
do
sed -i "s/^$FUNCTION/# &/" /etc/login.defs
done
As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.
As the root user, create the /etc/pam.d directory with the following command:
install -v -d -m755 /etc/pam.d
While still the root user, add the following Linux-PAM configuration files to the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) with the following commands:
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
dcredit=3 ocredit=3 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
password required pam_unix.so md5 shadow
# End /etc/pam.d/login
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password required pam_cracklib.so retry=3 difok=8 minlen=5 \
dcredit=3 ocredit=3 \
ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd
password required pam_unix.so md5 shadow
# End /etc/pam.d/passwd
EOF
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session optional pam_mail.so dir=/var/mail standard
session required pam_env.so
session required pam_unix.so
# End /etc/pam.d/su
EOF
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/chage
EOF
for PROGRAM in chpasswd newusers groupadd groupdel \
groupmod useradd userdel usermod
do
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done
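The pam_cracklib line in the login and passwd files above combines minlen=5 with positive credit values. The following added example (not part of the BLFS book) models the credit arithmetic as pam_cracklib(8) describes it for non-negative credits; the function names are this example's own, and CrackLib's dictionary test and the difok comparison are not modelled.

```shell
#!/bin/sh
# Added example, not part of the BLFS book. It models only the length and
# credit arithmetic that pam_cracklib(8) documents for non-negative credit
# values: each character of a class earns one credit, up to that class's
# limit, and length plus credits must reach minlen. ASCII input is assumed.

# Settings copied from the pam_cracklib line in the files on this page.
MINLEN=5 DCREDIT=3 OCREDIT=3 UCREDIT=2 LCREDIT=2

# count_class STRING SET: number of characters of STRING that fall in SET
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# cap VALUE LIMIT: the smaller of the two numbers
cap() {
    if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

# effective_length PASSWORD: length plus the credits earned
effective_length() (
    pw=$1
    len=${#pw}
    d=$(count_class "$pw" '0-9')
    u=$(count_class "$pw" 'A-Z')
    l=$(count_class "$pw" 'a-z')
    o=$((len - d - u - l))            # everything else counts as "other"
    d=$(cap "$d" "$DCREDIT"); u=$(cap "$u" "$UCREDIT")
    l=$(cap "$l" "$LCREDIT"); o=$(cap "$o" "$OCREDIT")
    echo $((len + d + u + l + o))
)

# passes_minlen PASSWORD: exit 0 if the effective length reaches MINLEN
passes_minlen() {
    [ "$(effective_length "$1")" -ge "$MINLEN" ]
}

# shortest_lowercase: fewest lowercase-only characters that reach MINLEN
shortest_lowercase() (
    n=1
    while [ $((n + $(cap "$n" "$LCREDIT"))) -lt "$MINLEN" ]; do
        n=$((n + 1))
    done
    echo "$n"
)

# Constructed sample inputs
for pw in ab abc 'Ab1!'; do
    if passes_minlen "$pw"; then verdict=accepted; else verdict=rejected; fi
    echo "$pw: effective length $(effective_length "$pw"), $verdict by the length check"
done
echo "shortest all-lowercase candidate: $(shortest_lowercase) characters"
```

Under this model a three-letter lowercase string already satisfies minlen=5; raising minlen or setting the credit values to 0 makes minlen a literal character count.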
At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow replacing --with-libpam with --without-libpam in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.
Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
# End /etc/pam.d/other
EOF
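One way to confirm that the fallback file really is closed, as an added example that is not part of the BLFS book: the script below reads a file in /etc/pam.d format and lists the module types that are not shut off by pam_deny.so. The function names and the temporary file names are this example's own; the two sample files reproduce the initial and the restrictive other files shown on this page.

```shell
#!/bin/sh
# Added example, not part of the BLFS book. Reads a file in /etc/pam.d format
# (type, control, module) and reports which module types a program with no
# configuration of its own could still use through the "other" fallback.

# open_types FILE: print each of auth/account/session/password that is not
# closed by a "required" or "requisite" pam_deny.so line, or that also lists
# a module other than pam_deny.so / pam_warn.so.
open_types() (
    for type in auth account session password; do
        awk -v t="$type" '
            $1 ~ /^#/ || NF < 3 { next }        # comments and short lines
            $1 != t             { next }        # a different module type
            { m = $3; sub(/.*\//, "", m) }      # drop any directory prefix
            m == "pam_deny.so" && ($2 == "required" || $2 == "requisite") {
                deny = 1; next
            }
            m != "pam_warn.so"  { lax = 1 }     # some module that can succeed
            END { if (deny && !lax) exit 0; exit 1 }
        ' "$1" || echo "$type"
    done
)

# write_samples DIR: write the two "other" files from this page into DIR
write_samples() {
    cat > "$1/other.initial" << "EOF"
# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
EOF
    cat > "$1/other.restrictive" << "EOF"
# Begin /etc/pam.d/other
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
# End /etc/pam.d/other
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in other.initial other.restrictive; do
    echo "$f: open types: $(open_types "$dir/$f" | tr '\n' ' ')"
done
rm -r "$dir"
```

On an installed system, open_types /etc/pam.d/other should print nothing once the restrictive file is in place.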
If you preserved the source tree from the Linux-PAM package (or you feel like unpacking that tarball, then running configure and make), now would be a good time to run the test suite from this package. This test suite will use the configuration you just finished during the tests. All the tests should pass.
Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:
if [ -f /etc/login.access ]; then
mv -v /etc/login.access /etc/login.access.NOUSE
fi
Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:
if [ -f /etc/limits ]; then
mv -v /etc/limits /etc/limits.NOUSE
fi
During previous configuration, several items were removed from /etc/login.defs. Some of these items are now controlled by the pam_env.so module and the /etc/security/pam_env.conf configuration file. In particular, the default path has been changed. To recover your default path, execute the following commands:
ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
awk '{ print $2 }' | sed 's/PATH=//'` &&
echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
' OVERRIDE=${PATH}' \
>> /etc/security/pam_env.conf &&
unset ENV_PATH
ENV_SUPATH is no longer supported. You must create a valid /root/.bashrc file to provide a modified path for the super-user.
A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/6.2/chapter06/shadow.html#contents-shadow.
The next part of this chapter deals with firewalls. The principal firewall tool for Linux, as of the 2.4 kernel series, is iptables. It replaces ipchains from the 2.2 series and ipfwadm from the 2.0 series. You will need to install iptables if you intend to use any form of a firewall.
Download (HTTP): http://www.netfilter.org/projects/iptables/files/iptables-1.3.6.tar.bz2
Download (FTP): ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.6.tar.bz2
Download MD5 sum: 077e886a9c90a11bb47f3d7a4fc4a689
Download size: 185 KB
Estimated disk space required: 5.5 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables
A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is iptables. To use it, the appropriate kernel configuration parameters are found in Networking ⇒ Networking Options ⇒ Network Packet Filtering ⇒ Core Netfilter Configuration (and) IP: Netfilter Configuration.
The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile iptables and that the BLFS team has not tested using the raw kernel headers.
For some non-x86 architectures, the raw kernel headers may be required. In that case, modify the KERNEL_DIR= parameter to point at the Linux source code.
Install iptables by running the following commands:
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin KERNEL_DIR=/usr
This package does not come with a test suite.
Now, as the root user:
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin KERNEL_DIR=/usr install
PREFIX=/usr LIBDIR=/lib BINDIR=/sbin: Compiles and installs iptables libraries into /lib, binaries into /sbin and the remainder into the /usr hierarchy instead of /usr/local. Firewalls are generally activated during the boot process and /usr may not be mounted at that time.
KERNEL_DIR=/usr: This parameter is used to point at the sanitized kernel headers in /usr and not use the raw kernel headers in /usr/src/linux.
Introductory instructions for configuring your firewall are presented in the next section: Firewalling
To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-20060910 package.
make install-iptables
Before you read this part of the chapter, you should have already installed iptables as described in the previous section.
The general purpose of a firewall is to protect a computer or a network against malicious access.
In a perfect world, every daemon or service on every machine is perfectly configured and immune to flaws such as buffer overflows or other problems regarding its security. Furthermore, you trust every user accessing your services. In this world, you do not need to have a firewall.
In the real world, however, daemons may be misconfigured and exploits against essential services are freely available. You may wish to choose which services are accessible by certain machines or you may wish to limit which machines or applications are allowed external access. Alternatively, you may simply not trust some of your applications or users. You are probably connected to the Internet. In this world, a firewall is essential.
Don't assume, however, that having a firewall makes careful configuration redundant, or that it makes any negligent misconfiguration harmless. It doesn't prevent anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system properly configured and up to date. A firewall is not a cure-all, but should be an essential part of your overall security strategy.
The word firewall can have several different meanings.
This is a hardware device or software program commercially sold (or offered via freeware) by companies such as Symantec which claims that it secures a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.
This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.
This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but offering non-firewall services such as a web-cache or mail. This may be used for home networks, but is not to be considered as secure as a firewall only machine because the combination of server and router/firewall on one machine raises the complexity of the setup.
This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IPs and a physically separated structure, is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.
This introduction on how to set up a firewall is not a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The scripts quoted here are simply intended to give examples of how a firewall works. They are not intended to fit into any particular configuration and may not provide complete protection from an attack.
Customization of these scripts for your specific situation will be necessary for an optimal configuration, but you should make a serious study of the iptables documentation and creating firewalls in general before hacking away. Have a look at the list of links for further reading at the end of this section for more details. There you will find a list of URLs that contain quite comprehensive information about building your own firewall.
The firewall configuration script installed in the iptables section differs from the standard configuration script. It only has two of the standard targets: start and status. The other targets are clear and lock. For instance if you issue:
/etc/rc.d/init.d/iptables start
the firewall will be restarted just as it is upon system startup. The status target will present a list of all currently implemented rules. The clear target turns off all firewall rules and the lock target will block all packets in and out of the computer with the exception of the loopback interface.
The main startup firewall is located in the file /etc/rc.d/rc.iptables. The sections below provide three different approaches that can be used for a system.
You should always run your firewall rules from a script. This ensures consistency and a record of what was done. It also allows retention of comments that are essential for understanding the rules long after they were written.
A Personal Firewall is designed to let you access all the services offered on the Internet, but keep your box secure and your data private.
Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 2.6 kernels.
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh
# Begin $rc_base/rc.iptables
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables
This script is quite simple: it drops all traffic coming into your computer that wasn't initiated from your computer. As long as you are simply surfing the Internet, you are unlikely to exceed its limits.
If you frequently encounter delays when accessing FTP servers, take a look at BusyBox example number 4.
Even if you have daemons or services running on your system, these will be inaccessible everywhere but from your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at BusyBox.
A true Firewall has two interfaces, one connected to an intranet, in this example eth0, and one connected to the Internet, here ppp0. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that make a daemon on your system crash, or even worse, that implement a worm via a buffer-overflow).
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh
# Begin $rc_base/rc.iptables
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod 700 /etc/rc.d/rc.iptables
With this script your intranet should be reasonably secure against external attacks. No one should be able to set up a new connection to any internal service and, if it's masqueraded, your intranet is invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running that a cracker could attack.
If the interface you're connecting to the Internet doesn't connect via PPP, you will need to change <ppp+> to the name of the interface (e.g., eth1) which you are using.
This scenario isn't too different from the Masquerading Router, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.
Outlining a true concept of how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references at the end of this section for more information.
Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Masquerading Router for some more details.
If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.
iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT
If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans that would like to "call home", and a bit of redundancy in case you've (mis-)configured a service so that it broadcasts its existence to the world.
To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.
Have a Look at the Following Examples:
Squid is caching the web:
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
    -j ACCEPT
Your caching name server (e.g., named) does its lookups via UDP:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
You want to be able to ping your computer to ensure it's still alive:
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
If you are frequently accessing FTP servers or enjoy chatting, you might notice certain delays because some implementations of these daemons have the feature of querying an identd on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.
To avoid these delays you could reject the requests with a 'tcp-reset':
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans):
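# -I inserts at the top of the chain, so the DROP rule is added first;
# the LOG rule inserted after it ends up ahead of it and is evaluated first.
iptables -I INPUT -p tcp -m state --state INVALID -j DROP
iptables -I INPUT -p tcp -m state --state INVALID \
    -j LOG --log-prefix "FIREWALL:INVALID"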
Anything coming from the outside should not have a private address; packets that do are a common attack called IP-spoofing:
iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
There are other addresses that you may also want to drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link Local Networks), and 192.0.2.0/24 (IANA defined test network).
If your firewall is a DHCP client, you need to allow those packets:
iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
    -d 255.255.255.255 --dport 68 -j ACCEPT
To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.
Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:
iptables -A INPUT -j REJECT
These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.
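The text above suggests finding the ports you need by looking for failed accesses in the log. The following is an added example, not part of the BLFS scripts: it tallies entries written by the FIREWALL:* LOG rules by chain, interface, protocol and destination port. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally packets logged by the "FIREWALL:*" LOG rules so you can
# see what is being blocked before deciding which ports to open.

# Constructed sample of kernel log lines (documentation addresses only).
sample_log() {
cat <<'EOF'
Feb 14 10:01:02 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 SYN URGP=0
Feb 14 10:01:09 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=49 ID=2 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=5840 SYN URGP=0
Feb 14 10:02:30 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=55 ID=3 DF PROTO=TCP SPT=33810 DPT=113 WINDOW=5840 SYN URGP=0
Feb 14 10:03:11 gw kernel: FIREWALL:FORWARDIN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.20 LEN=48 TTL=113 ID=4 PROTO=TCP SPT=4201 DPT=445 WINDOW=16384 SYN URGP=0
Feb 14 10:04:00 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.53 LEN=71 TTL=64 ID=5 PROTO=UDP SPT=32768 DPT=53 LEN=51
Feb 14 10:04:45 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TTL=52 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Feb 14 10:05:00 gw sshd[412]: Server listening on 0.0.0.0 port 22.
EOF
}

# summarise_fw_log [FILE...]: read log lines from the files (or stdin) and
# print "COUNT CHAIN INTERFACE PROTO DPORT", most frequent first.
summarise_fw_log() {
    awk '
    {
        p = index($0, "FIREWALL:")
        if (p == 0) next                      # not written by our LOG rules
        rest = substr($0, p + 9)
        # The kernel prints "IN=" directly after the prefix, so a prefix
        # without a trailing space (FIREWALL:FORWARD, FIREWALL:INVALID) is
        # fused with it. Match the chain name instead of splitting on space.
        if (!match(rest, /^(INPUT|FORWARD|OUTPUT|INVALID)/)) next
        chain = substr(rest, 1, RLENGTH)
        n = split(substr(rest, RLENGTH + 1), f, " ")
        ifin = ifout = proto = dport = itype = ""
        for (i = 1; i <= n; i++) {
            eq = index(f[i], "=")
            if (eq == 0) continue             # flags such as DF or SYN
            k = substr(f[i], 1, eq - 1)
            v = substr(f[i], eq + 1)
            # First occurrence wins, so fields quoted from an embedded
            # packet (ICMP errors) do not replace the outer header values.
            if      (k == "IN"    && ifin  == "") ifin  = v
            else if (k == "OUT"   && ifout == "") ifout = v
            else if (k == "PROTO" && proto == "") proto = v
            else if (k == "DPT"   && dport == "") dport = v
            else if (k == "TYPE"  && itype == "") itype = v
        }
        iface = (ifin != "") ? ifin : ifout   # OUTPUT packets have no IN=
        if (iface == "") iface = "-"
        if (proto == "") proto = "-"
        if (proto == "ICMP") dport = "type" itype
        else if (dport == "") dport = "-"
        count[chain " " iface " " proto " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Run "sh thisfile --demo" to see the summary for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_log | summarise_fw_log
fi
```

To use it on real data, source the file and pass your kernel log file to summarise_fw_log.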
Finally, there is one fact you must not forget: The effort spent attacking a system corresponds to the value the cracker expects to gain from it. If you are responsible for valuable information, you need to spend the time to protect it properly.
www.netfilter.org - Homepage of the netfilter/iptables project
Netfilter related FAQ
Netfilter related HOWTO's
en.tldp.org/LDP/nag2/x-087-2-firewall.html
en.tldp.org/HOWTO/Security-HOWTO.html
en.tldp.org/HOWTO/Firewall-HOWTO.html
www.ibm.com/developerworks/security/library/s-fire.html
www.ibm.com/developerworks/security/library/s-fire2.html
www.linuxsecurity.com/docs/
www.little-idiot.de/firewall (German & outdated, but very comprehensive)
www.linuxgazette.com/issue65/stumpel.html
linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html
staff.washington.edu/dittrich/misc/ddos
www.e-infomax.com/ipmasq
www.circlemud.org/~jelson/writings/security/index.htm
www.securityfocus.com
www.cert.org - tech_tips
security.ittoolbox.com
www.linux-firewall-tools.com/linux/
logi.cc/linux/athome-firewall.php3
www.insecure.org/reading.html
www.robertgraham.com/pubs/firewall-seen.html
The GnuPG package contains a public/private key encryptor. This is becoming useful for signing files or emails as proof of identity and preventing tampering with the contents of the file or email.
Download (HTTP): http://public.ftp.planetmirror.com/pub/gnupg/gnupg-1.4.3.tar.bz2
Download (FTP): ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.3.tar.bz2
Download MD5 sum: d237d8fe1c4afa379f56dbda0e0b40e4
Download size: 3.1 MB
Estimated disk space required: 38.1 MB
Estimated build time: 0.5 SBU
OpenSSL-0.9.8d, OpenLDAP-2.3.27, libusb-0.1.12, cURL-7.15.3, an MTA, DocBook-utils-0.6.14, and docbook-to-man
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnupg
Install GnuPG by running the following commands:
./configure --prefix=/usr --libexecdir=/usr/lib &&
make
If you have teTeX-3.0 installed and you wish to create documentation in alternate formats, issue the following commands:
make -C doc pdf ps html &&
makeinfo --plaintext -o doc/gpg.txt doc/gpg.texi &&
makeinfo --plaintext -o doc/gpgv.txt doc/gpgv.texi
To test the results, issue: make check.
Now, as the root user:
make install &&
chmod -v 4755 /usr/bin/gpg &&
install -v -m755 -d /usr/share/doc/gnupg-1.4.3 &&
mv -v /usr/share/gnupg/{FAQ,faq.html} /usr/share/doc/gnupg-1.4.3 &&
install -v -m644 \
doc/{highlights-1.4.txt,OpenPGP,samplekeys.asc,DETAILS,*.texi} \
/usr/share/doc/gnupg-1.4.3
If you created alternate formats of the documentation, install it using the following command as the root user:
cp -v -R doc/gpg{,v}.{dvi,html,pdf,ps,txt} /usr/share/doc/gnupg-1.4.3
--libexecdir=/usr/lib: This command creates a gnupg directory in /usr/lib instead of /usr/libexec.
chmod -v 4755 /usr/bin/gpg: gpg is installed setuid root to avoid swapping out sensitive data.
The Tripwire package contains programs used to verify the integrity of the files on a given system.
Download (HTTP): http://downloads.sourceforge.net/tripwire/tripwire-2.4.0.1-src.tar.bz2?download
Download MD5 sum: b371f79ac23cacc9ad40b1da76b4a0c4
Download size: 1.2 MB
Estimated disk space required: 37 MB
Estimated build time: 1.6 SBU
An MTA
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tripwire
Compile Tripwire by running the following commands:
ln -s contrib install &&
patch -Np1 -i ../tripwire-2.4.0.1-gcc4_build_fixes-1.patch &&
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg &&
./configure --prefix=/usr --sysconfdir=/etc/tripwire &&
make
The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install/install.cfg to use an SMTP server instead. Otherwise the install will fail.
Now, as the root user:
make install &&
cp -v policy/*.txt /usr/share/doc/tripwire
ln -s contrib install: This command creates a symbolic link in the build directory needed for installation.
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire.
make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key which are stored in /etc/tripwire/.
cp -v policy/*.txt /usr/share/doc/tripwire: This command installs the documentation.
Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default Red Hat installation and will need to be updated for your system.
Policy files should be tailored to each individual distribution and/or installation. Some custom policy files can be found below:
http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt
Checks integrity of all files
http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt
Custom policy file for Base LFS 3.0 system
http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt
Custom policy file for SuSE 7.2 system
Download the custom policy file you'd like to try, copy it into /etc/tripwire/, and use it instead of twpol.txt. It is, however, recommended that you make your own policy file. Get ideas from the examples above and read /usr/share/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for beginners as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.
After your policy file has been transferred to /etc/tripwire/ you may begin the configuration steps (perform as the root user):
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twpol.txt &&
tripwire --init
To use Tripwire after creating a policy file to run a report, use the following command:
tripwire --check > /etc/tripwire/report.txt
View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.
Please note that after you run an integrity check, you must examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with linux- and ends in .twr. This encrypted file was created during the last report creation and is needed to update the Tripwire database of your system. Then, as the root user, type in the following command making the appropriate substitutions for <?>:
tripwire --update --twrfile \
/var/lib/tripwire/report/linux-<???????>-<??????>.twr
You will be placed into vim with a copy of the report in front of you. If all the changes were good, then just type :x and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :x.
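For scheduled runs, the following added example (not part of the BLFS instructions) wraps the check and update steps described above: it runs the check, interprets the exit status, and picks out the newest linux-*.twr report to review. The function names are hypothetical, and the exit status meanings are those documented in tripwire(8); confirm them against the man page of your installed version.

```shell
#!/bin/sh
# Added example: helpers for a scheduled Tripwire run (hypothetical names).

REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}

# describe_check_status STATUS: translate the exit status of
# "tripwire --check" into words. Per tripwire(8) the status is a bitwise OR
# of 1 (added), 2 (removed), 4 (modified) and 8 (error during the check).
describe_check_status() {
    tw_bits=$1
    tw_words=
    if [ $((tw_bits & 1)) -ne 0 ]; then tw_words="$tw_words added"; fi
    if [ $((tw_bits & 2)) -ne 0 ]; then tw_words="$tw_words removed"; fi
    if [ $((tw_bits & 4)) -ne 0 ]; then tw_words="$tw_words modified"; fi
    if [ $((tw_bits & 8)) -ne 0 ]; then tw_words="$tw_words error"; fi
    if [ -z "$tw_words" ]; then tw_words=" clean"; fi
    printf '%s\n' "${tw_words# }"
}

# newest_report [DIR]: print the newest linux-*.twr file (by modification
# time) in DIR; return 1 if there is none.
newest_report() {
    tw_dir=${1:-$REPORT_DIR}
    tw_newest=
    for tw_f in "$tw_dir"/linux-*.twr; do
        [ -f "$tw_f" ] || continue      # unmatched glob or not a regular file
        if [ -z "$tw_newest" ] || [ "$tw_f" -nt "$tw_newest" ]; then
            tw_newest=$tw_f
        fi
    done
    if [ -z "$tw_newest" ]; then
        echo "no linux-*.twr report found in $tw_dir" >&2
        return 1
    fi
    printf '%s\n' "$tw_newest"
}

# run_scheduled_check: silent when nothing changed, otherwise say what
# changed and which report to review. The database update itself stays a
# manual step because each change has to be examined.
run_scheduled_check() {
    tw_status=0
    tripwire --check > /etc/tripwire/report.txt 2>&1 || tw_status=$?
    if [ "$tw_status" -eq 0 ]; then return 0; fi
    if [ "$tw_status" -gt 15 ]; then
        echo "tripwire could not be run (exit status $tw_status)" >&2
        return "$tw_status"
    fi
    echo "Tripwire reports: $(describe_check_status "$tw_status")"
    if tw_report=$(newest_report); then
        echo "Review with: tripwire --update --twrfile $tw_report"
    fi
    return "$tw_status"
}

# Run "sh thisfile --run" from cron as root; cron mails any output.
if [ "${1:-}" = "--run" ]; then
    run_scheduled_check
fi
```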
A good summary of tripwire operations can be found at http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html.
Heimdal is a free implementation of Kerberos 5 that aims to be compatible with MIT krb5 and is backward compatible with krb4. Kerberos is a network authentication protocol. Basically it preserves the integrity of passwords in any untrusted network (like the Internet). Kerberized applications work hand-in-hand with sites that support Kerberos to ensure that passwords cannot be stolen or compromised. A Kerberos installation will make changes to the authentication mechanisms on your network and will overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper and Shadow packages.
Download (HTTP): http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-0.7.2.tar.gz
Download (FTP): ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2.tar.gz
Download MD5 sum: c937580d6f8b11bf7f0e540530e1dc18
Download size: 4.5 MB
Estimated disk space required: 96.9 MB
Estimated build time: 2.5 SBU
Required Patch: ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2-setuid-patch.txt
Required Patch: http://www.linuxfromscratch.org/patches/blfs/6.2.0/heimdal-0.7.2-fhs_compliance-1.patch
Required patch for CrackLib support: http://www.linuxfromscratch.org/patches/blfs/6.2.0/heimdal-0.7.2-cracklib-1.patch
Berkeley DB-4.4.20 is recommended (installed in LFS) or GDBM-1.8.3
Linux-PAM-0.99.4.0, OpenLDAP-2.3.27, X Window System, CrackLib-2.8.9 (compiled with the heimdal patch), and krb4
Some sort of time synchronization facility on your system (like NTP-4.2.0a) is required since Kerberos won't authenticate if the time differential between a kerberized client and the KDC server is more than 5 minutes.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/heimdal
Ensure you really need a Kerberos installation before you decide to install this package. Failure to install and configure the package in accordance with the instructions below can alter your system so that users cannot log in.
If you wish the Heimdal package to link against the CrackLib library to provide enforcement of strong passwords (requires CrackLib-2.8.9 installed with the heimdal patch), you must apply a patch:
patch -Np1 -i ../heimdal-0.7.2-cracklib-1.patch
Install Heimdal by running the following commands:
patch -Np1 -i ../heimdal-0.7.2-setuid-patch.txt &&
patch -Np1 -i ../heimdal-0.7.2-fhs_compliance-1.patch &&
./configure --prefix=/usr \
--sysconfdir=/etc/heimdal \
--libexecdir=/usr/sbin \
--datadir=/var/lib/heimdal \
--localstatedir=/var/lib/heimdal \
--enable-shared \
--with-readline=/usr &&
make
If you wish to create HTML documentation, issue the following command:
make -C doc heimdal.html
If you wish to create a text-based version of the documentation, issue the following commands:
cd doc &&
makeinfo --plaintext -o heimdal.txt heimdal.texi &&
cd ..
To test the results, issue: make check.
Now, as the root user:
mv -v /usr/include/fnmatch.h /usr/include/fnmatch.h.glibc &&
mv -v /usr/include/glob.h /usr/include/glob.h.glibc &&
mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.e2fsprogs &&
mv -v /usr/lib/libss.a /usr/lib/libss.a.e2fsprogs &&
mv -v /usr/lib/libss.so /usr/lib/libss.so.e2fsprogs &&
make install &&
mv -v /usr/include/fnmatch.h /usr/include/fnmatch.h.heimdal &&
mv -v /usr/include/fnmatch.h.glibc /usr/include/fnmatch.h &&
mv -v /usr/include/glob.h /usr/include/glob.h.heimdal &&
mv -v /usr/include/glob.h.glibc /usr/include/glob.h &&
install -v -m755 -d /usr/share/doc/heimdal-0.7.2/standardisation &&
install -v -m644 doc/{init-creds,layman.asc} \
/usr/share/doc/heimdal-0.7.2 &&
install -v -m644 doc/standardisation/* \
/usr/share/doc/heimdal-0.7.2/standardisation &&
mv -v /bin/login /bin/login.shadow &&
mv -v /bin/su /bin/su.shadow &&
mv -v /usr/bin/{login,su} /bin &&
ln -v -sf ../../bin/login /usr/bin &&
mv -v /usr/lib/lib{otp,kafs,krb5,asn1,roken,crypto}.so.* \
/usr/lib/libdb-4.4.so /lib &&
ln -v -sf ../../lib/libdb-4.4.so /usr/lib/libdb.so &&
ln -v -sf ../../lib/libdb-4.4.so /usr/lib/libdb-4.so &&
for SYMLINK in otp.so.0.1.3 kafs.so.0.4.1 krb5.so.17.4.0 \
asn1.so.6.1.0 roken.so.16.1.0 crypto.so.0.9.8
do
ln -v -sf ../../lib/lib$SYMLINK \
/usr/lib/lib`echo $SYMLINK | cut -d. -f1`.so
done
ldconfig
If you built the HTML or text-based documentation, install it using the following commands as the root user:
install -v -m755 -d /usr/share/doc/heimdal-0.7.2/html &&
install -v -m644 doc/heimdal.html/* \
/usr/share/doc/heimdal-0.7.2/html &&
install -v -m644 doc/heimdal.txt /usr/share/doc/heimdal-0.7.2
mv -v /usr/include/... and mv -v /usr/lib/libss.*: The Heimdal installation will overwrite two interface headers from the Glibc package and an interface header, static library and library symbolic link from the E2fsprogs package. These commands move the original files out of the way before the installation, and then restore the original Glibc headers after the installation. The two Heimdal headers are renamed and preserved on the system. Testing has shown that the system is stable using the Heimdal version of the libss library and interface header.
--libexecdir=/usr/sbin: This switch puts the daemon programs into /usr/sbin.
If you want to preserve all your existing Inetutils package daemons, install the Heimdal daemons into /usr/sbin/heimdal (or wherever you want). Since these programs will be called from (x)inetd or rc scripts, it really doesn't matter where they are installed, as long as they are correctly specified in the /etc/(x)inetd.conf file and rc scripts. If you choose something other than /usr/sbin, you may want to move some of the user programs (such as kadmin) to /usr/sbin manually so they'll be in the privileged user's default PATH.
mv ... .shadow; mv ... /bin; ln -v -sf ../../bin...: The login and su programs installed by Heimdal belong in the /bin directory. The login program is symlinked because Heimdal is expecting to find it in /usr/bin. The old executables are preserved before the move so that they can be restored if you experience problems logging into the system after the Heimdal package is installed and configured.
mv ... /lib; ln -v -sf ../../lib/lib... /usr/lib...: The login and su programs installed by Heimdal link against Heimdal libraries as well as libraries provided by the OpenSSL and Berkeley DB packages. These libraries are moved to /lib to be FHS compliant and also in case /usr is located on a separate partition which may not always be mounted.
All the configuration steps shown below must be accomplished by the root user unless otherwise noted.
Create the Kerberos configuration file with the following commands:
install -v -m755 -d /etc/heimdal &&
cat > /etc/heimdal/krb5.conf << "EOF"
# Begin /etc/heimdal/krb5.conf
[libdefaults]
default_realm = <EXAMPLE.COM>
encrypt = true
[realms]
<EXAMPLE.COM> = {
kdc = <hostname.example.com>
admin_server = <hostname.example.com>
kpasswd_server = <hostname.example.com>
}
[domain_realm]
.<example.com> = <EXAMPLE.COM>
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb.log
# End /etc/heimdal/krb5.conf
EOF
chmod -v 644 /etc/heimdal/krb5.conf
You will need to substitute your domain and proper hostname for the occurrences of the <hostname> and <EXAMPLE.COM> names.
default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT krb5 recommend it.
encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.
The [realms] parameters tell the client programs where to look for the KDC authentication services.
The [domain_realm] section maps a domain to a realm.
Store the master password in a key file using the following commands:
install -v -m755 -d /var/lib/heimdal &&
kstash
Create the KDC database:
kadmin -l
The commands below will prompt you for information about the principals. Choose the defaults for now unless you know what you are doing and need to specify different values. You can go in later and change the defaults, should you feel the need. You may use the up and down arrow keys to use the history feature of kadmin in a similar manner as the bash history feature.
At the kadmin> prompt, issue the following statement:
init <EXAMPLE.COM>
The database must now be populated with at least one principal (user). For now, just use your regular login name or root. You may create as few, or as many principals as you wish using the following statement:
add <loginname>
The KDC server and any machine running kerberized server daemons must have a host key installed:
add --random-key host/<hostname.example.com>
After choosing the defaults when prompted, you will have to export the data to a keytab file:
ext host/<hostname.example.com>
This should have created two files in /etc/heimdal: krb5.keytab (Kerberos 5) and srvtab (Kerberos 4). Both files should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.
Eventually, you'll want to add server daemon principals to the database and extract them to the keytab file. You do this in the same way you created the host principals. Below is an example:
add --random-key ftp/<hostname.example.com>
(choose the defaults)
ext ftp/<hostname.example.com>
Exit the kadmin program (use quit or exit) and return to the shell prompt. Start the KDC daemon manually, just to test out the installation:
/usr/sbin/kdc &
Attempt to get a TGT (ticket granting ticket) with the following command:
kinit <loginname>
You will be prompted for the password you created. After you get your ticket, you should list it with the following command:
klist
Information about the ticket should be displayed on the screen.
To test the functionality of the keytab file, issue the following command:
ktutil list
This should dump a list of the host principals, along with the encryption methods used to access the principals.
At this point, if everything has been successful so far, you can feel fairly confident in the installation, setup and configuration of your new Heimdal Kerberos 5 installation.
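The keytab files created above must stay at mode 600 and be readable by root only. The following added example (not part of the BLFS instructions) checks that; the function names are hypothetical and it assumes GNU stat from Coreutils.

```shell
#!/bin/sh
# Added example: verify that keytab files are private to their owner.
# Assumes GNU stat (coreutils) for the -c format option.

# check_keytab FILE [UID]: return 0 only if FILE is a regular file (not a
# symlink), has mode 600 and is owned by UID (default 0, i.e. root).
check_keytab() {
    kt_file=$1
    kt_uid=${2:-0}
    if [ -L "$kt_file" ] || [ ! -f "$kt_file" ]; then
        echo "FAIL $kt_file: missing or not a regular file" >&2
        return 1
    fi
    kt_mode=$(stat -c %a "$kt_file")
    kt_owner=$(stat -c %u "$kt_file")
    if [ "$kt_mode" != 600 ]; then
        echo "FAIL $kt_file: mode $kt_mode, expected 600" >&2
        return 1
    fi
    if [ "$kt_owner" != "$kt_uid" ]; then
        echo "FAIL $kt_file: owner uid $kt_owner, expected $kt_uid" >&2
        return 1
    fi
    echo "OK   $kt_file"
}

# audit_keytabs FILE...: check every file and fail if any check fails.
# The expected owner comes from KEYTAB_OWNER_UID (default 0).
audit_keytabs() {
    kt_bad=0
    for kt in "$@"; do
        check_keytab "$kt" "${KEYTAB_OWNER_UID:-0}" || kt_bad=1
    done
    return "$kt_bad"
}

# Run "sh thisfile --run" as root to audit the two files named in the text.
if [ "${1:-}" = "--run" ]; then
    audit_keytabs /etc/heimdal/krb5.keytab /etc/heimdal/srvtab
fi
```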
Install the /etc/rc.d/init.d/heimdal init script included in the blfs-bootscripts-20060910 package:
make install-heimdal
To use the kerberized client programs (telnet, ftp, rsh, rxterm, rxtelnet, rcp, xnlock), you first must get a TGT. Use the kinit program to get the ticket. After you've acquired the ticket, you can use the kerberized programs to connect to any kerberized server on the network. You will not be prompted for authentication until your ticket expires (default is one day), unless you specify a different user as a command line argument to the program.
The kerberized programs will connect to non-kerberized daemons, warning you that authentication is not encrypted.
In order to use the Heimdal X programs, you'll need to add a service port entry to the /etc/services file for the kxd server. There is no 'standardized port number' for the 'kx' service in the IANA database, so you'll have to pick an unused port number. Add an entry to the services file similar to the entry below (substitute your chosen port number for <49150>):
kx <49150>/tcp # Heimdal kerberos X
kx <49150>/udp # Heimdal kerberos X
For additional information consult the Heimdal hint on which the above instructions are based.
MIT Kerberos V5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos allowing single logins and encrypted communication over internal networks or the Internet.
Download (HTTP): http://web.mit.edu/kerberos/www/dist/krb5/1.6/krb5-1.6-signed.tar
Download MD5 sum: a365e39ff7d39639556c2797a0e1c3f4
Download size: 12.0 MB
Estimated disk space required: 124 MB
Estimated build time: 1.4 SBU
Linux-PAM-0.99.4.0 (for xdm based logins), OpenLDAP-2.3.27, and DejaGnu-1.4.4 (required to run the test suite)
Some sort of time synchronization facility on your system (like NTP-4.2.0a) is required since Kerberos won't authenticate if there is a time difference between a kerberized client and the KDC server.
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/mitkrb
MIT Kerberos V5 is distributed in a TAR file containing a compressed TAR package and a detached PGP ASC file. You'll need to unpack the distribution tar file, then unpack the compressed tar file before starting the build.
After unpacking the distribution tarball and if you have GnuPG-1.4.3 installed, you can authenticate the package with the following command:
gpg --verify krb5-1.6.tar.gz.asc
Build MIT Kerberos V5 by running the following commands:
cd src &&
./configure CPPFLAGS="-I/usr/include/et -I/usr/include/ss" \
--prefix=/usr \
--sysconfdir=/etc/krb5 \
--localstatedir=/var/lib \
--with-system-et \
--with-system-ss \
--enable-dns-for-realm \
--mandir=/usr/share/man &&
make
The regression test suite is designed to be run after the installation has been completed.
Now, as the root user:
make install &&
mv -v /usr/bin/ksu /bin &&
chmod -v 755 /bin/ksu &&
mv -v /usr/lib/libkrb5.so.3* /lib &&
mv -v /usr/lib/libk5crypto.so.3* /lib &&
mv -v /usr/lib/libkrb5support.so.0* /lib &&
ln -v -sf ../../lib/libkrb5.so.3.3 /usr/lib/libkrb5.so &&
ln -v -sf ../../lib/libk5crypto.so.3.1 /usr/lib/libk5crypto.so &&
ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &&
install -m644 -v ../doc/*.info* /usr/share/info &&
for INFOFILE in 425 5-admin 5-install 5-user; do
install-info --info-dir=/usr/share/info \
/usr/share/info/krb$INFOFILE.info
rm ../doc/krb$INFOFILE.info*
done &&
install -m755 -v -d /usr/share/doc/krb5-1.6 &&
cp -Rv ../doc/* /usr/share/doc/krb5-1.6
login.krb5 does not support Shadow passwords. As a result, when the Kerberos server is unavailable, the default fall through to /etc/passwd will not work because the passwords have been moved to /etc/shadow during the LFS build process. Entering the following commands without moving the passwords back to /etc/passwd could prevent any logins.
After considering (and understanding) the above warning, the following commands can be entered as the root user to replace the existing login program with the Kerberized version (after preserving the original) and move the support libraries to a location available when the /usr filesystem is not mounted:
mv -v /bin/login /bin/login.shadow &&
install -m755 -v /usr/sbin/login.krb5 /bin/login &&
mv -v /usr/lib/libdes425.so.3* /lib &&
mv -v /usr/lib/libkrb4.so.2* /lib &&
ln -v -sf ../../lib/libdes425.so.3.0 /usr/lib/libdes425.so &&
ln -v -sf ../../lib/libkrb4.so.2.0 /usr/lib/libkrb4.so &&
ldconfig
To test the installation, you must have DejaGnu-1.4.4 installed and issue: make check. The RPC layer tests will require a portmap daemon (see portmap-5beta) running and configured to listen on the regular network interface (not localhost). See the “Testing the Build” section of the krb5-install.html file in the ../doc directory for complete information on running the regression tests.
--enable-dns-for-realm: This parameter allows realms to be resolved using the DNS server.
--with-system-et: This parameter causes the build to use the system-installed versions of the error-table support software.
--with-system-ss: This parameter causes the build to use the system-installed versions of the subsystem command-line interface software.
--localstatedir=/var/lib: This parameter is used so that the Kerberos variable run-time data is located in /var/lib instead of /usr/var.
mv -v /usr/bin/ksu /bin: Moves the ksu program to the /bin directory so that it is available when the /usr filesystem is not mounted.
mv -v ... /lib && ln -v -sf ...: These libraries are moved to /lib so they are available when the /usr filesystem is not mounted.
You should consider installing some sort of password checking dictionary so that you can configure the installation to only accept strong passwords. A suitable dictionary to use is shown in the CrackLib-2.8.9 instructions. Note that only one file can be used, but you can concatenate many files into one. The configuration file shown below assumes you have installed a dictionary to /usr/share/dict/words.
Create the Kerberos configuration file with the following commands issued by the root user:
install -v -m755 -d /etc/krb5 &&
cat > /etc/krb5/krb5.conf << "EOF"
# Begin /etc/krb5/krb5.conf
[libdefaults]
default_realm = <LFS.ORG>
encrypt = true
[realms]
<LFS.ORG> = {
kdc = <belgarath.lfs.org>
admin_server = <belgarath.lfs.org>
dict_file = /usr/share/dict/words
}
[domain_realm]
.<lfs.org> = <LFS.ORG>
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
default = SYSLOG[[:SYS]]
# End /etc/krb5/krb5.conf
EOF
You will need to substitute your domain and proper hostname for the occurrences of the <belgarath> and <lfs.org> names.
default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT recommend it.
encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.
The [realms] parameters tell the client programs where to look for the KDC authentication services.
The [domain_realm] section maps a domain to a realm.
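The relationships described above (a default realm, a [realms] block that names its KDC and admin server, and [domain_realm] mappings that point at a known realm) can be checked mechanically before the KDC database is created. The following is an added example, not part of the BLFS instructions; the function names are hypothetical and EXAMPLE.ORG and kdc.example.org are constructed placeholder values.

```shell
#!/bin/sh
# check_krb5_conf [FILE]: print one finding per line for a krb5.conf read
# from FILE (or stdin). Exit status 0 means there were no findings.
check_krb5_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function finding(msg) { print msg; bad++ }

    { line = trim($0) }
    line == "" || line ~ /^[#;]/ { next }        # blank lines and comments
    line ~ /^\[.*\]$/ {                          # [section] header
        section = substr(line, 2, length(line) - 2); realm = ""; next
    }
    line == "}" { realm = ""; next }             # end of a realm block
    {
        eq = index(line, "=")
        if (eq == 0) next
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        if (section == "libdefaults" && key == "default_realm") dflt = val
        else if (section == "realms" && val == "{") { realm = key; known[realm] = 1 }
        else if (section == "realms" && realm != "") have[realm, key] = 1
        else if (section == "domain_realm") maps[key] = val
    }
    END {
        if (dflt == "") {
            finding("no default_realm in [libdefaults]")
        } else {
            if (dflt != toupper(dflt))
                finding("default_realm " dflt " is not upper case (recommended)")
            if (!(dflt in known))
                finding("default_realm " dflt " has no block in [realms]")
        }
        for (r in known) {
            if (!((r, "kdc") in have)) finding("realm " r " has no kdc")
            if (!((r, "admin_server") in have)) finding("realm " r " has no admin_server")
        }
        for (d in maps)
            if (!(maps[d] in known))
                finding("domain " d " maps to unknown realm " maps[d])
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample in the layout shown above; the realm and host names
# are placeholders, not values from the page.
sample_krb5_conf() {
    cat <<'EOF'
# Begin /etc/krb5/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.ORG
    encrypt = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
        dict_file = /usr/share/dict/words
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
# End /etc/krb5/krb5.conf
EOF
}

sample_krb5_conf | check_krb5_conf && echo "krb5.conf: no findings"
```

Realm names are compared case-sensitively, so a [domain_realm] entry that differs from its [realms] block only in case is reported as unknown.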
Create the KDC database:
kdb5_util create -r <LFS.ORG> -s
Now you should populate the database with principals (users). For now, just use your regular login name or root.
kadmin.local
kadmin: add_policy dict-only
kadmin: addprinc -policy dict-only <loginname>
The KDC server and any machine running kerberized server daemons must have a host key installed:
kadmin: addprinc -randkey host/<belgarath.lfs.org>
After choosing the defaults when prompted, you will have to export the data to a keytab file:
kadmin: ktadd host/<belgarath.lfs.org>
This should have created a file in /etc/krb5 named krb5.keytab (Kerberos 5). This file should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.
Eventually, you'll want to add server daemon principals to the database and extract them to the keytab file. You do this in the same way you created the host principals. Below is an example:
kadmin: addprinc -randkey ftp/<belgarath.lfs.org>
kadmin: ktadd ftp/<belgarath.lfs.org>
Exit the kadmin program (use quit or exit) and return back to the shell prompt. Start the KDC daemon manually, just to test out the installation:
/usr/sbin/krb5kdc &
Attempt to get a ticket with the following command:
kinit <loginname>
You will be prompted for the password you created. After you get your ticket, you can list it with the following command:
klist
Information about the ticket should be displayed on the screen.
To test the functionality of the keytab file, issue the following command:
ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l
This should dump a list of the host principal, along with the encryption methods used to access the principal.
At this point, if everything has been successful so far, you can feel fairly confident in the installation and configuration of the package.
Install the /etc/rc.d/init.d/kerberos init script included in the blfs-bootscripts-20060910 package.
make install-kerberos
To use the kerberized client programs (telnet, ftp, rsh, rcp, rlogin), you first must get an authentication ticket. Use the kinit program to get the ticket. After you've acquired the ticket, you can use the kerberized programs to connect to any kerberized server on the network. You will not be prompted for authentication until your ticket expires (default is one day), unless you specify a different user as a command line argument to the program.
The kerberized programs will connect to non-kerberized daemons, warning you that authentication is not encrypted.
Using kerberized server programs (telnetd, kpropd, klogind and kshd) requires two additional configuration steps. First the /etc/services file must be updated to include eklogin and krb5_prop. Second, the inetd.conf or xinetd.conf must be modified for each server that will be activated, usually replacing the server from Inetutils-1.4.2.
For additional information consult Documentation for krb-1.6 on which the above instructions are based.
The Cyrus SASL package contains a Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.
Download (HTTP): http://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
Download (FTP): ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
Download MD5 sum: dde02db234dea892bee298390890502e
Download size: 1.6 MB
Estimated disk space required: 16 MB
Estimated build time: 0.3 SBU
Linux-PAM-0.99.4.0, OpenLDAP-2.3.27, Heimdal-0.7.2 or MIT Kerberos V5-1.6, JDK-1.5.0_10, MySQL-5.0.21, PostgreSQL-8.1.3, GDBM-1.8.3, krb4, SQLite, and Dmalloc
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cyrus-sasl
Install Cyrus SASL by running the following commands:
patch -Np1 -i ../cyrus-sasl-2.1.21-openldap23-1.patch &&
patch -Np1 -i ../cyrus-sasl-2.1.21-openssl98-1.patch &&
sed -i '/sasl_global/s/^static //' lib/client.c &&
sed -i 's/cat8/man8/' saslauthd/Makefile.in &&
./configure --prefix=/usr --sysconfdir=/etc \
--with-dbpath=/var/lib/sasl/sasldb2 \
--with-saslauthd=/var/run &&
make
This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, it is recommended to test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt.
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/cyrus-sasl-2.1.21 &&
install -v -m644 doc/{*.{html,txt,fig},ONEWS,TODO} \
saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.21 &&
install -v -m700 -d /var/lib/sasl
sed ... lib/client.c: This command fixes an issue when compiling Cyrus SASL with GCC-4.
sed 's/cat8/man8/' ...: This command puts the saslauthd man page in a more standard location.
--with-dbpath=/var/lib/sasl/sasldb2: This parameter forces the saslauthd database to be created in /var/lib/sasl instead of /etc.
--with-saslauthd=/var/run: This parameter forces saslauthd to use the FHS compliant directory /var/run for variable run-time data.
--with-ldap: This parameter enables use with OpenLDAP.
--enable-ldapdb: This parameter enables the LDAPDB authentication backend. There is a circular dependency with this parameter. See http://wiki.linuxfromscratch.org/blfs/wiki/cyrus-sasl for a solution to this problem.
install -v -m644 ...: These commands install documentation which is not installed by the make install command.
install -v -m700 -d /var/lib/sasl: This directory must exist when starting saslauthd. If you're not going to be running the daemon, you may omit the creation of this directory.
/etc/saslauthd.conf (for saslauthd LDAP configuration) and /usr/lib/sasl2/Appname.conf (where "Appname" is the application defined name of the application)
See file:///usr/share/doc/cyrus-sasl-2.1.21/sysadmin.html for information on what to include in the application configuration files. See file:///usr/share/doc/cyrus-sasl-2.1.21/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.
If you need to run the saslauthd daemon at system startup, install the /etc/rc.d/init.d/cyrus-sasl init script included in the blfs-bootscripts-20060910 package.
make install-cyrus-sasl
You'll need to modify the init script and replace the <authmech> parameter to the -a switch with your desired authentication mechanism.
The Stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. Stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.
Download (HTTP): http://www.stunnel.org/download/stunnel/src/stunnel-4.15.tar.gz
Download (FTP): ftp://stunnel.mirt.net/stunnel/stunnel-4.15.tar.gz
Download MD5 sum: 2c00153ad099a5f9c5609e8d1dbbe470
Download size: 497 KB
Estimated disk space required: 4.2 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel
The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user, group and chroot home directory structure using the following commands as the root user:
groupadd -g 51 stunnel &&
useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
-g stunnel -s /bin/false -u 51 stunnel &&
install -v -m 1770 -o stunnel -g stunnel -d /var/lib/stunnel/run
A signed SSL Certificate and a Private Key are necessary to run the stunnel daemon. If you own, or have already created, a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access); otherwise you will be prompted to create one during the installation process. The .pem file must be formatted as shown below:
-----BEGIN RSA PRIVATE KEY-----
<many encrypted lines of unencrypted key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----
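A pre-flight check of an existing stunnel.pem against the two requirements above (owner-only access, and an unencrypted key block followed by a certificate block), given here as an added example that is not part of the BLFS instructions. The function names, return codes and placeholder file bodies are constructed for illustration.

```shell
#!/bin/sh
# check_stunnel_pem FILE [UID]
#   0  layout and permissions match what the instructions require
#   1  PEM blocks missing or out of order, or the key is passphrase-protected
#   2  file not found
#   3  wrong owner, or group/other permission bits are set
check_stunnel_pem() {
    pem=$1
    want_uid=${2:-0}                 # "only root" means uid 0 unless overridden
    [ -f "$pem" ] || { echo "$pem: not found" >&2; return 2; }

    # ls -ldnL prints e.g. "-rw------- 1 0 0 ..."; characters 5-10 of the
    # mode string are the group/other bits and field 3 is the numeric owner.
    meta=$(ls -ldnL "$pem" | awk '{ print substr($1, 5, 6), $3 }')
    if [ "$meta" != "------ $want_uid" ]; then
        echo "$pem: must be owned by uid $want_uid with no group/other access" >&2
        return 3
    fi

    # Walk the file as a small state machine: key block first, then certificate.
    awk '
        BEGIN { state = 0; bad = 0 }
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^-----BEGIN RSA PRIVATE KEY-----$/ { if (state != 0) bad = 1; state = 1; next }
        /^Proc-Type: 4,ENCRYPTED/           { bad = 1 }   # header of a passphrase-protected key
        /^-----END RSA PRIVATE KEY-----$/   { if (state != 1) bad = 1; state = 2; next }
        /^-----BEGIN CERTIFICATE-----$/     { if (state != 2) bad = 1; state = 3; next }
        /^-----END CERTIFICATE-----$/       { if (state != 3) bad = 1; state = 4; next }
        END { exit (bad || state != 4) }
    ' "$pem" || {
        echo "$pem: expected an unencrypted RSA key block, then a certificate block" >&2
        return 1
    }
    return 0
}

# Constructed skeleton in the layout shown above; the bodies are placeholders,
# not key material. The subshell keeps the tightened umask local.
write_sample_pem() {
    (umask 077; printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$1")
}

demo_dir=$(mktemp -d)
write_sample_pem "$demo_dir/stunnel.pem"
check_stunnel_pem "$demo_dir/stunnel.pem" "$(id -u)" && echo "stunnel.pem: OK"
rm -rf "$demo_dir"
```

On the installed system the second argument is omitted so that ownership by uid 0 is enforced: check_stunnel_pem /etc/stunnel/stunnel.pem.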
Install Stunnel by running the following commands:
sed -i -e 's|nogroup|stunnel|' \
-e 's|$(prefix)/var/lib|$(localstatedir)|' \
tools/Makefile.in &&
sed -i 's|doc/stunnel|&-$(VERSION)|' {,doc/,tools/}Makefile.in &&
./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/lib --disable-libwrap &&
make
This package does not come with a test suite.
Now, as the root user:
make install
sed -i -e '...' -e '...' tools/Makefile.in: This sed command modifies the group and directory used for the chroot jail to conform with the parameters created earlier.
sed -i '...' {,doc/,tools/}Makefile.in: This sed command modifies the location of the installed docs to a versioned directory.
--sysconfdir=/etc: This parameter forces the configuration directory to /etc instead of /usr/etc.
--localstatedir=/var/lib: This parameter sets the installation to use /var/lib/stunnel instead of creating and using /usr/var/stunnel.
--disable-libwrap: This parameter is required if you don't have tcpwrappers installed. Remove the parameter if tcpwrappers is installed.
make install: This command installs the package and, if you did not copy an stunnel.pem file to the /etc/stunnel directory, prompts you for the necessary information to create one. Ensure you reply to the
Common Name (FQDN of your server) [localhost]:
prompt with the name or IP address you will be using to access the service(s).
Create a basic /etc/stunnel/stunnel.conf configuration file using the following commands:
cat >/etc/stunnel/stunnel.conf << "EOF" &&
# File: /etc/stunnel/stunnel.conf
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
EOF
chmod -v 644 /etc/stunnel/stunnel.conf
Next, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:
[<service>]
accept = <hostname:portnumber>
connect = <hostname:portnumber>
If you use Stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.
For a full explanation of the commands and syntax used in the configuration file, run man stunnel. To see a BLFS example of an actual setup of an stunnel encrypted service, read the section called “Configuring SWAT” in the Samba instructions.
To automatically start the stunnel daemon when the system is rebooted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-20060910 package.
make install-stunnel
The sudo package allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.
Download (HTTP): http://www.courtesan.com/sudo/dist/sudo-1.6.8p12.tar.gz
Download MD5 sum: b29893c06192df6230dd5f340f3badf5
Download size: 576 KB
Estimated disk space required: 3.6 MB
Estimated build time: less than 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/sudo
Install sudo by running the following commands:
patch -Np1 -i ../sudo-1.6.8p12-envvar_fix-1.patch &&
./configure --prefix=/usr --libexecdir=/usr/lib \
--enable-noargs-shell --with-ignore-dot --with-all-insults \
--enable-shell-sets-home &&
make
Now, as the root user:
make install
--enable-noargs-shell: This switch allows sudo to run a shell if invoked with no arguments.
--with-ignore-dot: This switch causes sudo to ignore '.' in the PATH.
--with-all-insults: This switch includes all the sudo insult sets.
--enable-shell-sets-home: This switch sets HOME to the target user in shell mode.
There are many options to sudo's configure command. Check the configure --help output for a complete list.
The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.
One example usage is to allow the system administrator to execute any program without typing a password each time root privileges are needed. This can be configured as:
# User alias specification
User_Alias ADMIN = YourLoginId
# Allow people in group ADMIN to run all commands without a password
ADMIN ALL = NOPASSWD: ALL
For details, see man sudoers.
The Sudo developers highly recommend using the visudo program to edit the sudoers file. This will provide basic sanity checking like syntax parsing and file permission to avoid some possible mistakes that could lead to a vulnerable configuration.
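visudo checks syntax and file permissions, but not what a rule grants. The following added example (not part of the BLFS instructions or of sudo) lists every user or group that a sudoers file allows to run ALL commands without a password, expanding User_Alias names such as ADMIN above. The function names and the sample users are hypothetical, and the reader handles only a simplified subset of the sudoers grammar, as noted in its header.

```shell
#!/bin/sh
# list_nopasswd_all [FILE]: print, one per line, every user or group that a
# sudoers file (FILE or stdin) allows to run ALL commands without a password.
# Simplified reader: one rule per line, a single-token host list, and no
# line continuations, included files, numeric-uid users or Cmnd_Alias expansion.
list_nopasswd_all() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

    { sub(/#.*/, "") }                               # strip comments
    $1 == "User_Alias" {                             # User_Alias NAME = a, b
        eq = index($0, "=")
        name = substr($0, 1, eq - 1)
        sub(/^[ \t]*User_Alias[ \t]+/, "", name)
        members = substr($0, eq + 1)
        gsub(/[ \t]/, "", members)
        alias[trim(name)] = members
        next
    }
    $1 ~ /^(Defaults|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = trim(substr($0, 1, eq - 1))
        sub(/[ \t]+[^ \t]+$/, "", who)               # drop the host list
        gsub(/[ \t]/, "", who)
        cmds = substr($0, eq + 1)
        gsub(/\([^)]*\)/, "", cmds)                  # drop (runas) lists
        n = split(cmds, cmd, ",")
        nopw = 0
        for (i = 1; i <= n; i++) {
            item = trim(cmd[i])
            # A tag stays in force for the rest of the list until reversed.
            while (match(item, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(item, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) nopw = 1
                else if (tag ~ /^PASSWD:/) nopw = 0
                item = substr(item, RLENGTH + 1)
            }
            if (item == "ALL" && nopw) { hits[++k] = who; break }
        }
    }
    END {                                            # aliases may be defined after use
        for (i = 1; i <= k; i++) {
            n = split(hits[i], u, ",")
            for (j = 1; j <= n; j++) {
                if (u[j] in alias) {
                    m = split(alias[u[j]], a, ",")
                    for (x = 1; x <= m; x++) print a[x]
                } else print u[j]
            }
        }
    }' "${1:--}" | sort -u
}

# Constructed sample: the ADMIN rule is the one from the text above, with two
# hypothetical members; the remaining rules exercise the tag handling.
sample_sudoers() {
    cat <<'EOF'
# User alias specification
User_Alias ADMIN = alice, bob
Defaults passwd_tries=3
# Allow people in group ADMIN to run all commands without a password
ADMIN ALL = NOPASSWD: ALL
carol ALL = (root) NOPASSWD: /sbin/reboot
dave  ALL = NOPASSWD: /bin/ls, ALL
erin  ALL = NOPASSWD: /bin/ls, PASSWD: ALL
%wheel ALL = (ALL) ALL
EOF
}

sample_sudoers | list_nopasswd_all    # prints alice, bob and dave, one per line
```

dave is reported because a NOPASSWD: tag carries over to the commands that follow it in the same list, while erin's explicit PASSWD: reverses it before ALL.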
The Network Security Services (NSS) package is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This is useful for implementing SSL and S/MIME or other Internet security standards into an application.
The NSS package requires the Netscape Portable Runtime (NSPR) libraries as a prerequisite for building. The NSS package tarball contains the code necessary to build the NSPR libraries. These libraries are built and installed using the instructions below. Essentially, the NSS package is now a combined NSS/NSPR installation.
Download (HTTP): http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_3_RTM/src/nss-3.11.3-with-nspr-4.6.3.tar.gz
Download (FTP): ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_3_RTM/src/nss-3.11.3-with-nspr-4.6.3.tar.gz
Download MD5 sum: e50f0e1ccb964ed02c22eec02e4d30d2
Download size: 4.9 MB
Estimated disk space required: 65.2 MB
Estimated build time: 0.8 SBU (additional 0.9 SBU to run the test suite)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/nss
Install NSS by running the following commands:
bash
export WORKINGDIR=$PWD &&
export BUILD_OPT=1 &&
patch -Np1 -i ../nss-3.11.3-with-nspr-4.6.3-fedora_fixes-1.patch &&
cd mozilla/security/nss &&
make nss_build_all &&
cd ../.. &&
export NSS_LINUXDIR=$(basename `ls -d $WORKINGDIR/mozilla/dist/Linux*`)
To test the results, you'll need to set the domain name of your system in the DOMSUF environment variable. Most of the tests will fail if you don't provide the correct domain name. A self-generated log file will be parsed at the end of the test to display how many tests passed. It should return 800. To run the tests, ensure you change the export DOMSUF command below to an appropriate value, e.g., mydomain.com and issue the following commands:
bash
export DOMSUF=<validdomain.name> &&
export PATH=$PATH:$WORKINGDIR/mozilla/dist/$NSS_LINUXDIR/bin &&
export TEST_RESULTSDIR=$WORKINGDIR/mozilla/tests_results/security &&
cd security/nss/tests &&
sed -i 's/gmake/make/' common/init.sh &&
./all.sh &&
grep Passed $TEST_RESULTSDIR/$(hostname).1/results.html | wc -l &&
exit
If you switch to the root user using a method that does not inherit the environment from the unprivileged user, ensure that root's NSS_LINUXDIR environment variable is set correctly before proceeding with the installation commands.
Now, as the root user:
install -v -m755 nsprpub/$NSS_LINUXDIR/config/nspr-config \
security/nss/cmd/config/nss-config \
/usr/bin &&
install -v -m755 -d /usr/lib/pkgconfig &&
install -v -m644 nsprpub/lib/pkgconfig/nspr.pc \
security/nss/lib/pkgconfig/nss.pc \
/usr/lib/pkgconfig &&
cd dist &&
install -v -m755 $NSS_LINUXDIR/lib/*.so /usr/lib &&
install -v -m644 $NSS_LINUXDIR/lib/{*.chk,libcrmf.a} /usr/lib &&
install -v -m755 -d /usr/include/{nss,nspr} &&
install -v -m644 {public,private}/nss/* /usr/include/nss &&
cp -v -RL $NSS_LINUXDIR/include/* /usr/include/nspr &&
chmod -v 644 /usr/include/nspr/prvrsion.h
Now as the unprivileged user, exit the bash shell started at the beginning of the installation to restore the environment to the original state.
exit
bash: Shells are started as many environment variables are created during the installation process. Exiting the shells serves the purpose of restoring the environment and returning back to the original directory when the installation is complete.
export WORKINGDIR=$PWD: This variable is set because many of the commands are dependent on knowing the full path of certain directories. WORKINGDIR establishes a known path so that all others can be determined relative to this.
export BUILD_OPT=1: This variable is set so that the build is performed with no debugging symbols built into the binaries and that the default compiler optimizations are used.
export NSS_LINUXDIR=...: This variable is set so that the exact name of the architecture specific directories where the binaries are stored in the source tree can be determined.
make nss_build_all: This command builds the NSPR and NSS libraries and creates a dist directory which houses all the programs, libraries and interface headers. None of the programs created by this process are installed onto the system using the default instructions. If you need any of these programs installed, you can find them in the mozilla/dist/bin directory of the source tree.
export PATH=...: This command sets the PATH environment variable to include the executables in the source tree as some of them are required to run the test suite.
sed -i 's/gmake/make/' common/init.sh: This command changes the command used to compile some test programs.
| nspr-config | is used to determine the NSPR installation settings of the installed NSPR libraries. |
| nss-config | is used to determine the NSS library settings of the installed NSS libraries. |
The libnspr4.so, libplc4.so and libplds4.so libraries make up the Netscape Portable Runtime (NSPR) libraries. These libraries provide a platform-neutral API for system level and libc like functions. The API is used in the Mozilla client, many of the Netscape/AOL/iPlanet offerings and other software applications.
The libcrmf.a, libfreebl.so, libnss3.so, libnssckbi.so, libsmime3.so, libsoftokn3.so and libnssl3.so libraries make up the NSS libraries.
Journaling file systems reduce the time needed to recover a file system that was not unmounted properly. While this can be extremely important in reducing downtime for servers, it has also become popular for desktop environments. This chapter contains two other journaling file systems you can use instead of the default LFS third extended file system.
The ReiserFS package contains various utilities for use with the Reiser file system.
Download (HTTP): http://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-3.6.19.tar.gz
Download (FTP): ftp://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-3.6.19.tar.gz
Download MD5 sum: b42cf15f6651c3ceff5cb84996c0d539
Download size: 400 KB
Estimated disk space required: 7.9 MB
Estimated build time: 0.16 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/reiser
Install ReiserFS by running the following commands:
./configure --prefix=/usr --sbindir=/sbin &&
make
This package does not come with a test suite.
Now, as the root user:
make install &&
ln -sf reiserfsck /sbin/fsck.reiserfs &&
ln -sf mkreiserfs /sbin/mkfs.reiserfs
--prefix=/usr: This ensures that the manual pages are installed in the correct location while still installing the programs in /sbin as they should be.
--sbindir=/sbin: This ensures that the ReiserFS utilities are installed in /sbin as they should be.
The XFS package contains administration and debugging tools for the XFS file system.
Download (HTTP): http://mirrors.sunsite.dk/xfs/download/cmd_tars/xfsprogs_2.8.18-1.tar.gz
Download (FTP): ftp://oss.sgi.com/projects/xfs/download/cmd_tars/xfsprogs_2.8.18-1.tar.gz
Download MD5 sum: 6ce9e198cc79ebec6f6fb1f34ffa7709
Download size: 956 KB
Estimated disk space required: 17.9 MB
Estimated build time: 0.57 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/xfs
Install XFS by running the following commands:
sed -i '/autoconf/d' Makefile &&
make DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \
LOCAL_CONFIGURE_OPTIONS="--enable-readline=yes"
This package does not come with a test suite.
Now, as the root user:
make install &&
make install-dev &&
install -v -m755 -D libhandle/libhandle.la /usr/lib/libhandle.la &&
chmod -v 755 /lib/libhandle.so* &&
rm -f /lib/libhandle.{a,la,so} &&
ln -svf ../../lib/libhandle.so.1 /usr/lib/libhandle.so
sed -i '/autoconf/d' Makefile: This command disables running autoconf because it is unnecessary.
make DEBUG=-DNDEBUG: The XFS build will fail using the default -DDEBUG flags.
INSTALL_USER=root INSTALL_GROUP=root: This sets the owner and group of the installed files.
LOCAL_CONFIGURE_OPTIONS="...": This passes extra configuration options to the configure script. The example --enable-readline=yes parameter enables linking the XFS programs with the libreadline.so library, in order to allow editing interactive commands.
OPTIMIZER="...": Adding this parameter to the end of the make command overrides the default optimization settings.
make install-dev: This command installs static XFS libraries, their headers and the corresponding documentation. Currently, DMAPI and xfsdump are the only packages that use the installed libraries.
install -v ... and the three following commands fix the installation of libhandle libraries.