Even before your system boots, you should decide what level of security you want to implement. To begin with, don't connect your machine to the network until you have decided what to do.
Security is a vast subject that goes beyond the scope of this HOWTO; two good starting points are the Linux Security Administrator's Guide (http://www.securityportal.com/lasg) and the Linux Security Guide (http://nic.com/~dave/SecurityAdminGuide/index.html). You should consider at least the following steps: using shadow passwords (Shadow Password HOWTO), restricting network access to the machine (Section 3.4), using the Secure Shell (http://www.openssh.org) or the Secure Remote Password (http://srp.stanford.edu/srp/). Good luck.
To keep your installation in shape, it's essential that you know exactly what happened to your machine, which packages you installed that day, what you removed or modified, and so on. So, the first thing you'll do before you tamper with your machine is start a ``logbook''. Therein you'll take note of every move you make as root; in my own logbook I also keep a section where I list all modified system files, additional .rpms, and .tar.gz I installed. Ideally, by backtracking your moves you should be able to get back to a fresh installation.
Make a backup copy of the system files you touch. Better still, use RCS; you'll be able to backtrack all changes. Never work as root without logging your moves!
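One way to keep such a logbook from the shell, as an added example that is not part of the original HOWTO. It uses plain copies and cksum rather than RCS; the logbook path and the function names sum_of, snapshot, record and drifted are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: a root logbook that also records checksums of edited files.
# LOGBOOK location and the function names are assumptions of this sketch.
LOGBOOK=${LOGBOOK:-/root/logbook.txt}

# Checksum of a file; empty output if it cannot be read.
sum_of() { { cksum < "$1"; } 2>/dev/null | awk '{ print $1 }'; }

# snapshot FILE: run BEFORE the first edit; keeps one pristine copy.
snapshot() {
    [ -f "$1" ] || { echo "snapshot: $1: not a regular file" >&2; return 1; }
    # Never overwrite an existing .orig, so the pristine version survives.
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig"
}

# record FILE NOTE...: run AFTER an edit; appends date, file, checksum, note.
record() {
    f=$1; shift
    [ -f "$f" ] || { echo "record: $f: not a regular file" >&2; return 1; }
    printf '%s\t%s\t%s\t%s\n' \
        "$(date '+%Y-%m-%d %H:%M')" "$f" "$(sum_of "$f")" "$*" >> "$LOGBOOK"
}

# drifted: list logged files whose contents no longer match their latest
# logbook entry, i.e. changes made as root without writing them down.
drifted() {
    awk -F '\t' '{ last[$2] = $3 } END { for (f in last) print last[f], f }' \
        "$LOGBOOK" |
    while read -r want f; do
        [ "$(sum_of "$f")" = "$want" ] || printf '%s\n' "$f"
    done
}
```

Run snapshot before the first edit of a file, record after every edit, and drifted whenever you want to know which logged files were changed without a matching entry.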
If you missed this step during installation or have changed your keyboard, you'll have to:
look for a suitable key table starting from /usr/lib/kbd/keymaps/i386; for example, qwerty/it-latin1.kmap.gz supports the Italian keyboard;
edit the file /etc/sysconfig/keyboard so that it reads: KEYTABLE="it-latin1";
to set up the keyboard repeat rate and delay time, add this line to /etc/rc.d/rc.sysinit:
    /sbin/kbdrate -s -r 16 -d 500    # or whatever you like
To load the key table, issue
    /etc/rc.d/init.d/keytable start
Other special keys will be dealt with in the following sections. To turn NumLock on by default, add these lines to /etc/rc.d/rc.sysinit:
    for tty in /dev/tty[1-9]*; do
      setleds -D +num < $tty
    done
Normally, the Linux console cannot distinguish between, say, Arrow and Shift-arrow, but some applications (namely, the editor Section 4.5.3) do. Normally, these key bindings are only available in xterm. The following key map, which you can choose to load at boot time, is very handy:
    # Load this key map with: loadkeys shift.map
    # Shift + Up
    shift keycode 103 = F100
    string F100 = "\033[a"
    # Shift + Left
    shift keycode 106 = F101
    string F101 = "\033[c"
    # Shift + Right
    shift keycode 105 = F102
    string F102 = "\033[d"
    # Shift + Down
    shift keycode 108 = F103
    string F103 = "\033[b"
    # Ctrl + Ins
    control keycode 110 = F104
    string F104 = "\033[2^"
    # Shift + Ins
    shift keycode 110 = F105
    string F105 = "\033[2$"
    # Shift + PgUp
    shift keycode 104 = F106
    string F106 = "\033[5$"
    # Shift + PgDn
    shift keycode 109 = F107
    string F107 = "\033[6$"
    # Shift + Home
    shift keycode 102 = F108
    string F108 = "\033[1$"
    # Shift + End
    shift keycode 107 = F109
    string F109 = "\033[4$"
    # Shift + Del
    shift keycode 111 = F110
    string F110 = "\033[3$"
    # Ctrl + Del
    control keycode 111 = F111
    string F111 = "\033[3^"
Make a couple of boot floppies for your newly installed system. Your distribution may include a command for creating such a floppy (say, mkbootdisk or something like that); if not, these commands will do:
    #~ dd if=/boot/vmlinuz-2.0.36-0.7 of=/dev/fd0   # use your kernel image
    #~ rdev /dev/fd0 /dev/hda2                      # your Linux root partition
Also, have at least a couple of rescue disks ready. There's a wide choice of rescue disks at ftp://metalab.unc.edu/pub/Linux/system/recovery; if you don't know which one to choose, I suggest you try out Tomsbtrt, whose home page is http://www.toms.net/rb. It's very complete, but some utilities seem missing at first; for example, ftp is not there but you get nc (netcat) instead. Please read its documentation.
Why stick to white on black in Linux console? With the setterm command you can choose nicer combinations:
    setterm -background blue -foreground red -bold on -store
Type setterm alone for a list of arguments.
IMHO, the first thing to do next is build a kernel that best suits your system. It's very simple to do but, in any case, refer to the README file in /usr/src/linux/ or the Kernel HOWTO. Hints:
consider carefully your needs. Choosing a kernel configuration, applying the patches, and compiling it once and for all is more productive than reconfiguring and recompiling each month; this is especially true if your Linux box is a server. Don't forget to include support for all the hardware you might likely add in the future (e.g. SCSI, Zip, network cards, etc); using modules is usually the best choice;
notebook users: if you plan to use a PCMCIA modem/fax, remember to compile serial support in the kernel. Don't compile it as a module, as this would need more complex configuration;
remember to compile everything you need; i.e., don't forget the pcmcia modules, or the ALSA sound drivers;
to save time the next time you reconfigure and recompile the kernel, it's a good idea to save your configuration to a file and keep it in a safe place. If you upgrade the kernel and use ``make oldconfig'', your old config file will be reused and you will be asked only about the features it doesn't cover, resulting in a new, upgraded config file.
Your (E)IDE hard disk's performance can be greatly enhanced by carefully using hdparm(8). If your Linux distribution doesn't include it, you'll find it at ftp://metalab.unc.edu/pub/Linux/system/hardware; look for a file called hdparm-X.Y.tar.gz.
Since many details depend on your hard disk and HD controller, I can't give you a general recipe. You risk toasting your filesystem, so read the man page carefully before using some of the options. At its simplest, you could add the following line to /etc/rc.d/rc.sysinit:
    /sbin/hdparm -c1 /dev/hda    # first IDE drive assumed
which enables (E)IDE 32-bit I/O support. As for the `-m' option, this is what hdparm author Mark Lord emailed me:
" (...) if your system uses components from the past couple of years [< 1997], it will be fine. Older than that, there *may* be a problem (unlikely). The really buggy chips were the CMD0646 and RZ1000 chips, used *extensively* on 486 and (early) 586 motherboards about 2-3 years ago. "
For recent machines, these settings should work fine:
    /sbin/hdparm -c1 -A1 -m16 -d1 /dev/hda
Stock kernels include the driver for both old (ppa) and new (imm) Zip drives. If you recompile the kernel, make sure that SCSI support and SCSI disk support are enabled. Remember, there can be conflicts between the printer and the Zip drive on the same parallel port, so you had better use kernel modules.
Zip disks are sold preformatted on partition /dev/sda4. To enable the Zip, append this to /etc/rc.d/rc.sysinit:
    # Enable the Zip drive
    /sbin/modprobe ppa    # imm for recent models
Zip disks can be mounted via /etc/fstab as shown below, or via Mtools adding this line to your /etc/mtools.conf:
    drive z: file="/dev/sda4" exclusive
Besides, the command mzip allows you to eject, query the status, write and password protect Zip disks; man mzip for details. The Mtools home page is at http://linux.wauug.org/pub/knaff/mtools.
Devices in /dev (or better, links to the actual device drivers) may be missing. Check what devices your mouse, modem, and CD-ROM drive correspond to, then do what follows:
    ~# cd /dev
    /dev# ln -s ttyS0 mouse; ln -s ttyS1 modem; ln -s hdb cdrom; ln -s sda4 zip
In most notebooks the mouse device is /dev/psaux: take this into account when configuring X11. If you wish, do chmod 666 to these devices to make them fully accessible by every user.
My desktop PC is fitted with an old Sound Blaster 16; even if you've got something different, you may take what follows as guidelines.
I compiled the sound card support as a module (sb.o). Then I put this in /etc/conf.modules:
    options sb io=0x220 irq=5 dma=1 dma16=5 mpu_io=0x330
    alias sound sb
To enable the sound, make sure that modprobe sound is invoked in /etc/rc.d/rc.sysinit. Alternatively, get the tool sndconfig from the RedHat site.
Besides the standard kernel sound drivers, the ALSA drivers (http://www.alsa-project.org) are an excellent choice. Strangely, though, the sound channels are muted by default. You'll want to use aumix and this /etc/aumixrc to set the volume to 100%:
    vol:100:100:P
    synth:100:100:P
    pcm:100:100:P
    line:100:100:P
    mic:100:100:R
    cd:100:100:P
If you wish to customise the login messages, check whether your /etc/rc.d/rc.local overwrites /etc/issue and /etc/motd. (RedHat does.) If so, get on with your editor.
If you'd like a colourised login message, you may adapt your rc.local inserting lines like these:
    # put a real escape character instead of ^[. To do this:
    # emacs: ^Q ESC   vi: ^V ESC   joe: ` 0 2 7   jed: ` ESC
    ESC="^["    # a real escape character
    BLUE="$ESC[44;37m"
    NORMAL="$ESC[40;37m"
    CLEAR="$ESC[H$ESC[J"
    > /etc/issue
    echo "$CLEAR" >> /etc/issue
    echo "$BLUE Welcome to MyServer (192.168.1.1) " >> /etc/issue
    echo "$NORMAL " >> /etc/issue
    echo "" >> /etc/issue
Issuing the command hostname new_host_name may not be enough. To avoid the dreaded sendmail lock, follow these steps (only valid for a stand-alone machine):
edit /etc/sysconfig/network and change the hostname therein (e.g. new_host_name.your_domain);
edit /etc/HOSTNAME appropriately;
append the new hostname in the line in /etc/hosts:
    127.0.0.1    localhost new_host_name.your_domain
gpm mouse services are useful to perform cut and paste in tty mode, and to use the mouse in some applications. Make sure that you have a file called /etc/sysconfig/mouse and that it reads:
    MOUSETYPE="Microsoft"
    XEMU3=yes
Moreover, you must have a file /etc/rc.d/init.d/gpm, where you'll put additional command line parameters. Mine reads:
    ...
    daemon gpm -t $MOUSETYPE -d 2 -a 5 -B 132    # two-button mouse
    ...
Obviously, make sure this configuration is right for your mouse type. In most notebooks, MOUSETYPE is ``PS/2''.
If you like to use menus in console with Ctrl-button, then configure gpm-root. Edit the default menu in /etc/gpm-root.conf, then launch gpm-root from /etc/rc.d/rc.local.
It's handy to have mount points for the floppy, other devices and NFS-exported directories. For example, you can do the following:
    ~# cd /mnt; mkdir floppy cdrom win zip server
This creates mount points for a DOS/Win floppy, the CD-ROM, the Windows partition, the parallel port Zip drive, and an NFS directory.
Now edit the file /etc/fstab and add the following entries:
    /dev/fd0        /mnt/floppy  auto     user,noauto       0 1
    /dev/cdrom      /mnt/cdrom   iso9660  ro,user,noauto    0 1
    /dev/zip        /mnt/zip     vfat     user,noauto,exec  0 1
    /dev/hda1       /mnt/win     vfat     user,noauto       0 1
    server:/export  /mnt/server  nfs      defaults
Obviously, you must use the correct device in the first field.
Note the `auto' filesystem type in the first line; it allows you to mount both ext2 and vfat (DOS/Windows) floppies, but you need a recent version of mount. You may find mtools more convenient.
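An added example, not part of the original HOWTO, that audits the entries above: per mount(8), `user' implies noexec, nosuid and nodev unless a later option on the same line overrides it, so the `exec' on the Zip line is what lets any user run programs from that disk. The function names audit_fstab and sample_fstab are made up for this sketch.

```shell
#!/bin/sh
# Added example: which user-mountable fstab entries still allow exec/suid/dev?
# Per mount(8), "user"/"users" imply noexec,nosuid,nodev and "owner"/"group"
# imply nosuid,nodev, unless a LATER option on the same line overrides them.

# audit_fstab: reads fstab lines on stdin, prints "<mount point> <flags>"
# for every entry an ordinary user may mount; "none" means fully restricted.
audit_fstab() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }            # comments, blanks, short lines
    {
        ex = 1; su = 1; dv = 1; usr = 0     # mount defaults: all permitted
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {          # options take effect left to right
            if (o[i] == "user" || o[i] == "users")       { usr = 1; ex = su = dv = 0 }
            else if (o[i] == "owner" || o[i] == "group") { usr = 1; su = dv = 0 }
            else if (o[i] == "defaults") { usr = 0; ex = su = dv = 1 }
            else if (o[i] == "nouser")   usr = 0
            else if (o[i] == "exec")     ex = 1
            else if (o[i] == "noexec")   ex = 0
            else if (o[i] == "suid")     su = 1
            else if (o[i] == "nosuid")   su = 0
            else if (o[i] == "dev")      dv = 1
            else if (o[i] == "nodev")    dv = 0
        }
        if (!usr) next                      # root-only mounts are out of scope
        f = ""
        if (ex) f = f " exec"
        if (su) f = f " suid"
        if (dv) f = f " dev"
        print $2, (f == "" ? "none" : substr(f, 2))
    }'
}

# The entries from this section, reproduced as sample input.
sample_fstab() {
    cat <<'EOF'
/dev/fd0        /mnt/floppy  auto     user,noauto       0 1
/dev/cdrom      /mnt/cdrom   iso9660  ro,user,noauto    0 1
/dev/zip        /mnt/zip     vfat     user,noauto,exec  0 1
/dev/hda1       /mnt/win     vfat     user,noauto       0 1
server:/export  /mnt/server  nfs      defaults
EOF
}

sample_fstab | audit_fstab
```

To check a live system, run audit_fstab < /etc/fstab; the NFS line is not listed because only root can mount it.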
If you don't like the mounting/unmounting thing, consider using autofs(5). You tell the autofs daemon what to automount and where starting with a file, /etc/auto.master. Its structure is simple:
    /misc    /etc/auto.misc
    /mnt     /etc/auto.mnt
In this example you tell autofs to automount media in /misc and /mnt, while the mountpoints are specified in /etc/auto.misc and /etc/auto.mnt. An example of /etc/auto.misc:
    # an NFS export
    server    -ro                   my.buddy.net:/pub/export
    # removable media
    cdrom     -fstype=iso9660,ro    :/dev/hdb
    floppy    -fstype=auto          :/dev/fd0
Start the automounter. From now on, whenever you try to access the nonexistent mount point /misc/cdrom, it will be created and the CD-ROM will be mounted.
Many users run both Linux and DOS/Windows on their PC, and want to choose at boot time which OS to use; this should be done at install time, but if it wasn't, do what follows. Let's suppose that /dev/hda1 contains DOS/Windows and that /dev/hda2 contains Linux.
    ~# fdisk
    Using /dev/hda as default device!
    Command (m for help):a
    Partition number (1-4): 2
    Command (m for help):w
    ~#
This makes the Linux partition bootable. Then write this basic /etc/lilo.conf file:
    boot = /dev/hda2
    compact        # may conflict with "linear"
    delay = 100    # 10 seconds
    linear         # gets rid of the "1024 cylinder" problem
    #lba32         # alternative
    message = /boot/bootmesg.txt    # write your own, if you will
    root = current
    image = /boot/vmlinuz    # boot linux by default as this entry comes first
      label = linux
      read-only
    # append="mem=128M"      # to see more memory than 64M
    other = /dev/hda1
      table = /dev/hda
      label = win
Now issue /sbin/lilo and you're done. Since lilo is a crucial part of your installation, you're strongly advised to read its documentation anyway.
To boot Linux from DOS/Windows without resetting, put LOADLIN.EXE in a directory (in the DOS partition!) included in the DOS path; then copy your kernel to, say, C:\TEMP\VMLINUZ. The following simple .BAT file will boot Linux:
    rem linux.bat
    smartdrv /C
    loadlin c:\temp\vmlinuz root=/dev/hda2 ro
If you use Windows 9x, set the properties of this .BAT so that it starts in MS-DOS mode.
Making a backup copy of your MBR before installing Linux is a safe move. Prepare a Windows rescue floppy, and make sure it includes FDISK.EXE. To restore the MBR, all you have to do is
    A:\> fdisk /mbr
All distributions I know have a configuration tool for setting up the printer (printtool, yast, or magicfilter); if you don't have it, this is a basic manual configuration.
Let's suppose you have a non-PostScript (non ``Windows-only'' too!) printer you want to use to print raw text (e.g., C source files) and PostScript files via Ghostscript, which is assumed to be already installed.
Setting up the printer involves a few steps:
find out which one the parallel print device is: try
    ~# echo "hello, world" > /dev/lp0
    ~# echo "hello, world" > /dev/lp1
make two spool directories:
    ~# cd /var/spool/lpd
    /var/spool/lpd/# mkdir raw; mkdir postscript
if your printer exhibits the ``staircase effect'' (most inkjets do), you'll need a filter. Try to print two lines with
    ~# echo "first line" > /dev/lp1 ; echo "second line" > /dev/lp1
    first line
              second line
    #!/bin/sh
    # This filter eliminates the "staircase effect"
    awk '{print $0, "\r"}'
make a filter for PostScript emulation. Write the following filter as /var/spool/lpd/postscript/filter:
    #!/bin/sh
    DEVICE=djet500
    RESOLUTION=300x300
    PAPERSIZE=a4
    SENDEOF=

    nenscript -TUS -ZB -p- |
    if [ "$DEVICE" = "PostScript" ]; then
      cat -
    else
      gs -q -sDEVICE=$DEVICE \
         -r$RESOLUTION \
         -sPAPERSIZE=$PAPERSIZE \
         -dNOPAUSE \
         -dSAFER \
         -sOutputFile=- -
    fi

    if [ "$SENDEOF" != "" ]; then
      printf "\004"
    fi
finally, add the following entries in /etc/printcap:
    # /etc/printcap
    lp|ps|PS|PostScript|djps:\
            :sd=/var/spool/lpd/postscript:\
            :mx#0:\
            :lp=/dev/lp1:\
            :if=/var/spool/lpd/postscript/filter:\
            :sh:
    raw:\
            :sd=/var/spool/lpd/raw:\
            :mx#0:\
            :lp=/dev/lp1:\
            :if=/var/spool/lpd/raw/filter:\
            :sh:
For more complex or exotic printing configurations, the Printing-HOWTO awaits you.
If you use printtool, be aware that the GSDEVICE chosen by Printtool will work, but not necessarily at its best for your printer. You may consider fiddling a bit with the file postscript.cfg; for instance, I changed GSDEVICE from cdj500 to djet500 and now my prints come out much quicker.
This utility, available on ftp://tsx-11.mit.edu/pub/linux/sources/sbin, is useful for changing the console screen resolution, font, and cursor shape. Users whose language includes accented characters will be able to use them in console applications, while notebook users may change the cursor shape to make it more visible.
Edit /etc/TextConfig or /etc/TextMode, starting with the default VGA definition. Europeans should be happy with this ``LoadFont'' section:
    Option "LoadFont"
    FontProg "/usr/bin/setfont"
    FontPath "/usr/lib/kbd/consolefonts"
    FontSelect "lat1u-16.psf" 8x16 9x16 8x15 9x15
    FontSelect "lat1u-14.psf" 8x14 9x14 8x13 9x13
    FontSelect "lat1u-12.psf" 8x12 9x12 8x11 9x11
    FontSelect "lat1u-08.psf" 8x8 9x8 8x7 9x7
Once you're done, try your configuration with a command like SVGATextMode "80x34x9", and if everything appears to be working fine, remove the warnings from /etc/TextMode and include this line in /etc/rc.d/rc.sysinit:
    # SVGATextMode
    /usr/sbin/SVGATextMode "80x34x9"
Please note that the block cursor only works with some modes; on my notebook, "80x30x9".