Even before your system boots, you should decide what level of security you want to implement. To begin with, don't connect your machine to the network until you have decided what to do.
Security is a vast subject that goes beyond the scope of this HOWTO; two good starting points are the Linux Security Administrator's Guide at http://www.seifried.org/lasg and the Linux Security Guide at http://nic.com/~dave/Security. You should consider at least the following steps: using shadow passwords (Shadow Password HOWTO), restricting network access to the machine (Section Restricting Network Access), using the Secure Shell ( http://www.cs.hut.fi/ssh/) or the Secure Remote Password ( http://srp.stanford.edu/srp/). Good luck.
To keep your installation in shape, it's essential that you know exactly what happened to your machine, which packages you installed that day, what you removed or modified, and so on. So, the first thing you'll do before you tamper with your machine is start a ``logbook''. Therein you'll take note of every move you make as root; in my own logbook I also keep a section where I list all modified system files, additional .rpms, and .tar.gz I installed. Optimally, backtracking your moves you should be able to re-obtain a pristine installation.
Make a backup copy of the system files you touch. Better still, use RCS; you'll be able to backtrack all changes. Never work as root without logging your moves!
If you missed this step during installation or have changed your keyboard, you'll have to:
it.map selects the Italian keyboard;
KEYTABLE="it";
/sbin/kbdrate -s -r 16 -d 500 # or whatever you like
To load the key table, issue /etc/rc.d/init.d/keytable start. Other special keys will be considered in the following sections.
To enable NumLock on by default, add these lines to /etc/rc.d/rc.sysinit:
for tty in /dev/tty[1-9]*; do
setleds -D +num < $tty
done
Make a couple of boot floppies for your newly installed system. Your distribution may include a command for creating such a floppy; if not, these commands will do:
#~ dd if=/boot/vmlinuz-2.0.36-0.7 of=/dev/fd0 # use your kernel image
#~ rdev /dev/fd0 /dev/hda2 # your Linux partition
Also, have at least a couple of rescue disks ready. There's a wide choice of rescue disks at ftp://metalab.unc.edu/pub/Linux/system/recovery; if you don't know which one to choose, I suggest you try out Tomsbtrt.
IMHO, the first thing to do next is build a kernel that best suits your
system. It's very simple to do but, in any case, refer to the README
file in /usr/src/linux/ or the Kernel HOWTO. Hints:
SVGATextMode (see Section
SVGATextMode) is
probably the best solution. Anyway, the Big Cursor kernel patch is on
http://www.linuxhq.com/patch/20-p0239.html;
modprobe indicating
that some modules can't be located, that means that your
/etc/conf.modules needs mending. For instance, if you don't use
the ipx and appletalk modules, add these lines:
alias net-pf-4 off
alias net-pf-5 off
On some systems, sendmail hangs the machine for a couple of minutes
at boot time. There are two cases: 1) the machine is not directly connected
to the Internet, 2) the machine is connected, and has a permanent IP
address.
Quick fix for the first case: make sure your /etc/hosts contains a line that reads
127.0.0.1 localhost
For the second case: the lock is caused by /etc/hosts containing a line like
127.0.0.1 localhost your_host_name
which you will split this way:
127.0.0.1 localhost
w.x.y.z your_host_name
See also Section Hostname.
Your (E)IDE hard disk's performance can be greatly enhanced by
carefully using hdparm(8). If your Linux distribution
doesn't include it, you'll find on
ftp://metalab.unc.edu/pub/Linux/system/hardware; look for a
file called hdparm-X.Y.tar.gz.
Since many details depend on your hard disk and HD controller, I can't give you a general recipe. You risk to toast your filesystem, so read the man page carefully before using some of the options. At its simplest, you could add the following line to /etc/rc.d/rc.sysinit:
/sbin/hdparm -c1 /dev/hda # first IDE drive assumed
which enables (E)IDE 32-bit I/O support. As for the `-m' option,
this is what hdparm author Mark Lord emailed me:
(...) if your system uses components from the past couple of years [< 1997], it will be fine. Older than that, there *may* be a problem (unlikely). The really buggy chips were the CMD0646 and RZ1000 chips, used *extensively* on 486 and (early) 586 motherboards about 2-3 years ago.
For recent machines, these settings should work fine:
/sbin/hdparm -c1 -A1 -m16 -d1 /dev/hda
To use the parallel port version of the Zip drive you can use the default
driver that comes with recent (2.x.x) kernels. During kernel configuration,
make sure that SCSI support and SCSI disk support are enabled. Remember,
there can be conflicts between the printer and the Zip drive on the same
parallel port, so you will want to use kernel modules. There's an
alternative ppa driver at
http://www.torque.net/~campbell.
Zip disks are sold preformatted on partition /dev/sda4. To enable the Zip, append this to /etc/rc.d/rc.sysinit:
# Enable the Zip drive
/sbin/modprobe ppa
Zip disks can be mounted via /etc/fstab as shown below, or via Mtools adding this line to your /etc/mtools.conf:
drive z: file="/dev/sda4" exclusive
besides, the command mzip allows you to eject, query the status,
write and password protect Zip disks; man mzip for details.
The Mtools home page is at
http://linux.wauug.org/pub/knaff/mtools.
Devices in /dev (or better, links to the actual device drivers) may
be missing. Check what devices your mouse, modem, and CD--ROM drive
correspond to, then do what follows:
~# cd /dev
/dev# ln -s ttyS0 mouse; ln -s ttyS1 modem; ln -s hdb cdrom; ln -s sda4 zip
In most notebooks the mouse device is /dev/psaux: take this into account when configuring X11.
If you want, do chmod 666 to these devices to make them fully
accessible by every user.
All I own is an old Sound Blaster 16; even if you've got something different, you may take what follows as guidelines.
I compiled the sound card support as a module (sb.o).
Then I put this in /etc/conf.modules:
options sb io=0x220 irq=5 dma=1 dma16=5 mpu_io=0x330
alias sound sb
To enable the sound, make sure that modprobe sound is invoked in
/etc/rc.d/rc.sysinit. Alternatively, get the tool
sndconfig from the RedHat site.
If you wish to customise the login messages, check whether your /etc/rc.d/rc.local overwrites /etc/issue and /etc/motd. (RedHat does.) If so, get on with your editor.
If you'd like a colourised login message, you may adapt your
rc.local inserting lines like these:
# put a real escape character instead of ^[. To do this:
# emacs: ^Q ESC vi: ^V ESC joe: ` 0 2 7 jed: ` ESC
ESC="^[" # a real escape character
BLUE="$ESC[44;37m"
NORMAL="$ESC[40;37m"
CLEAR="$ESC[H$ESC[J"
> /etc/issue
echo "$CLEAR" >> /etc/issue
echo "$BLUE Welcome to MyServer (192.168.1.1) " >> /etc/issue
echo "$NORMAL " >> /etc/issue
echo "" >> /etc/issue
Issuing the command hostname new_host_name may not be enough. To
avoid the dreaded sendmail lock, follow these steps (only valid
for a stand--alone machine):
new_host_name.localdomain);
127.0.0.1 localhost new_host_name.locadomain
gpm mouse services are useful to perform cut and paste in tty mode, and
to use the mouse in some applications. For Red Hat, check that you have a
file called /etc/sysconfig/mouse and that it reads:
MOUSETYPE="Microsoft"
XEMU3=yes
Moreover, you must have a file /etc/rc.d/init.d/gpm, where you'll put additional command line parameters. Mine reads:
...
daemon gpm -t $MOUSETYPE -d 2 -a 5 -B 132 # two-button mouse
...
Obviously, make sure this configuration is right for your mouse type. In
most notebooks, MOUSETYPE is ``PS/2''.
For Caldera, all you have to do is append this line to /etc/rc.d/rc.boot:
/usr/bin/gpm
On S.u.S.E., gpm options go in /etc/rc.config; on
Debian, you'll edit /etc/gpm.conf.
If you like to use menus in console with Ctrl-button, then configure
gpm-root. Edit the default menu in /etc/gpm-root.conf,
then launch gpm-root from /etc/rc.d/rc.local.
It's handy to have mount points for the floppy, other devices and NFS-exported directories. For example, you can do the following:
~# cd /mnt
/mnt# mkdir floppy; mkdir cdrom; mkdir win; mkdir zip; mkdir server
This creates mount points for a DOS/Win floppy, an ext2 floppy, the CD--ROM, the Windows partition, the parallel port Zip drive, and a NFS directory.
Now edit the file /etc/fstab and add the following entries:
/dev/fd0 /mnt/floppy auto user,noauto 0 1
/dev/cdrom /mnt/cdrom iso9660 ro,user,noauto 0 1
/dev/zip /mnt/zip vfat user,noauto,exec 0 1
/dev/hda1 /mnt/win vfat user,noauto 0 1
server:/export /mnt/server nfs defaults
Obviously, you must use the correct device in the first field. Recent
kernels support fat32 partitions natively; for older ones, there's a kernel
patch at
http://bmrc.berkeley.edu/people/chaffee/fat32.html.
man mount for further information.
Note the ``auto'' filesystem type in the first line; it allows you to mount
both ext2 and vfat (DOS/Windows) floppies. You may find mtools more
convenient.
Many users run both Linux and DOS/Windows on their PC, and want to choose at boot time which os to use; this should be done at install time, but in case, do what follows. Let's suppose that /dev/hda1 contains DOS/Windows and that /dev/hda2 contains Linux.
~# fdisk
Using /dev/hda as default device!
Command (m for help):a
Partition number (1-4): 2
Command (m for help):w
~#
This makes the Linux partition bootable. Then write this basic /etc/lilo.conf file:
boot = /dev/hda2
compact # may conflict with "linear"
delay = 100 # 10 seconds
linear # gets rid of the "1024 cylinder" problem
# message = /boot/bootmesg.txt # write your own, if you will
root = current
image = /boot/vmlinuz # boot linux by default as this entry comes first
label = linux
read-only
# append="mem=128M" # to see more memory than 64M
other = /dev/hda1
table = /dev/hda
label = dos
Now issue /sbin/lilo and you're done. Being lilo a
crucial part of your installation, you're strongly advised to read its
documentation anyway.
To boot Linux from DOS/Windows without resetting, put LOADLIN.EXE in a
directory (in the DOS partition!) included in the DOS path; then copy your
kernel to, say, C:\TEMP\VMLINUZ. The following simple
.BAT file will boot Linux:
rem linux.bat
smartdrv /C
loadlin c:\temp\vmlinuz root=/dev/hda2 ro
If you use Windows 9x, set the properties of this .BAT so as it
starts in MS--DOS mode.
Making a backup copy of your MBR before installing Linux is a safe move.
Use restorrb (included in the FIPS package) before
installation, or a Linux rescue floppy to issue this command:
rescue:~# dd if=/dev/hda of=MBR bs=512 count=1
then make at least two copies of the file MBR on floppies. Should
disaster strike, you'll be able to restore your old MBR by issuing:
rescue:~# dd if=/mnt/MBR of=/dev/hda bs=446 count=1
assuming that a floppy containing MBR is mounted under
/mnt. Alternatively, use a DOS rescue floppy to issue
FDISK /MBR.
You will want to be able to read mail messages written in HTML or containing exotic file formats. Make sure you have two files: /etc/mime.types and /etc/mailcap. The first one lists file types and related extensions, like:
application/postscript ps eps
image/jpeg jpe jpeg jpg
text/html html
while the second one tells the mail client how to display that file type.
You may receive mail from people who use Microsoft Outlook, whose messages are in multi--part MIME format. These two lines, put in etc/mailcap, should let you read those messages:
text/plain; less %s; needsterminal
text/html; lynx -force_html %s; needsterminal
All distributions I know have a configuration tool for setting up the
printer (printtool, yast, or magicfilter); if you
don't have it, this is a basic manual configuration.
Let's suppose you have a non--PostScript (non ``Windows-only'' too!) printer you want to use to print raw text (e.g., C source files) and PostScript files via Ghostscript, which is assumed to be already installed.
Setting up the printer involves a few steps:
~# echo "hello, world" > /dev/lp0
~# echo "hello, world" > /dev/lp1
~# cd /var/spool/lpd
/var/spool/lpd/# mkdir raw; mkdir postscript
~# echo "first line" > /dev/lp1 ; echo "second line" > /dev/lp1
first line
second line
#!/bin/sh
# This filter eliminates the "staircase effect"
awk '{print $0, "\r"}'
chmod 755 /var/spool/lpd/raw/filter.
#!/bin/sh
DEVICE=djet500
RESOLUTION=300x300
PAPERSIZE=a4
SENDEOF=
nenscript -TUS -ZB -p- |
if [ "$DEVICE" = "PostScript" ]; then
cat -
else
gs -q -sDEVICE=$DEVICE \
-r$RESOLUTION \
-sPAPERSIZE=$PAPERSIZE \
-dNOPAUSE \
-dSAFER \
-sOutputFile=- -
fi
if [ "$SENDEOF" != "" ]; then
printf "\004"
fi
# /etc/printcap
lp|ps|PS|PostScript|djps:\
:sd=/var/spool/lpd/postscript:\
:mx#0:\
:lp=/dev/lp1:\
:if=/var/spool/lpd/postscript/filter:\
:sh:
raw:\
:sd=/var/spool/lpd/raw:\
:mx#0:\
:lp=/dev/lp1:\
:if=/var/spool/lpd/raw/filter:\
:sh:
For more complex or exotic printing configurations, the Printing-HOWTO awaits you.
If you use printtool, be aware that the GSDEVICE chosen by Printtool
will work, but not necessarily at its best for your printer. You may
consider fiddling a bit with the file postscript.cfg; for instance,
I changed GSDEVICE from cdj500 to djet500 and now my
prints come out much quicker.
This utility, available on ftp://tsx-11.mit.edu/pub/linux/sources/sbin, is useful for changing the console screen resolution, font, and cursor shape. Users whose language include accented characters will be able to use them in console applications, while notebook users may change the cursor shape to make it more visible.
Edit /etc/TextConfig or /etc/TextMode, starting with the default VGA definition. Europeans should be happy with this ``LoadFont'' section:
Option "LoadFont"
FontProg "/usr/bin/setfont"
FontPath "/usr/lib/kbd/consolefonts"
FontSelect "lat1u-16.psf" 8x16 9x16 8x15 9x15
FontSelect "lat1u-14.psf" 8x14 9x14 8x13 9x13
FontSelect "lat1u-12.psf" 8x12 9x12 8x11 9x11
FontSelect "lat1u-08.psf" 8x8 9x8 8x7 9x7
Once you're done, try your configuration with a command like
SVGATextMode "80x34x9", and if everything appears to be working
fine, remove the warnings from
/etc/TextMode and include this line in
etc/rc.d/rc.sysinit:
# SVGATextMode
/usr/sbin/SVGATextMode "80x34x9"
Please note that the block cursor only works with some modes; on my notebook, "80x32x9".