May
30
Today I needed to set up a couple of virtual machines for a client and realized that I had removed my installation of VMware Server. Off I went to the VMware download page and what did I find? A day-old release of VMware Server 1.0.6! I figured you’d all appreciate an updated blog post on how to install VMware Server 1.0.6 on Ubuntu 8.04, so here we are. (This is much simpler than the previous post, How To Install VMware Server 1.0.5 on Ubuntu 8.04.)
Downloading the Requirements
The first step, of course, is to download VMware Server 1.0.6. You’ll want to download the .tar.gz version. This command can be used for a direct download:
wget -c http://download3.vmware.com/software/vmserver/VMware-server-1.0.6-91891.tar.gz
The second step is to install some development tools that we’ll need to get things running. Use the following command or click the package names to install the requirements:
sudo aptitude install build-essential linux-kernel-devel linux-headers-generic xinetd
You will also need to generate a serial number to run VMware Server. Visit this link to register and generate the number of codes you might want. Remember to print the codes or write them down because in my experience they are not emailed to you.
OK, at this point we should have all of the requirements, now we can get to work…
Installation and Configuration
Let’s unpack the VMware archive that we downloaded and run the VMware installer.
tar xf VMware-server-1.0.6-*.tar.gz
cd vmware-server-distrib
sudo ./vmware-install.pl
The Last Step
If you attempt to run vmware at this point you might notice that it spits out some nasty errors and complains at you. There is one more thing we need to set up.
Basically VMware is missing and complaining about some cairo libraries and gcc. So, the simple fix for this is to point to them by using a symbolic link:
sudo ln -sf /usr/lib/gcc/i486-linux-gnu/4.2.3/libgcc_s.so /usr/lib/vmware/lib/libgcc_s.so.1/libgcc_s.so.1
sudo ln -sf /usr/lib/libpng12.so.0 /usr/lib/vmware/lib/libpng12.so.0/libpng12.so.0
At this point you should be able to launch vmware and enjoy some virtualization goodness. Enjoy!
May
17
I was just setting up Evolution again and went through the steps of setting up my personal account and my Ubuntu account. I’ve heard some people run into problems doing this considering the Ubuntu account, on the incoming side, is bound to your default address in Launchpad, but you still need to send mail out. Here is how I did it.
note: as you’ve likely noticed I don’t do a lot of screen shots on this blog primarily because I can’t ever get the formatting to look the way I’d like. As you see below some of the text is not properly displaying under each picture, but tries to display to the right. I’ve been fighting it for hours. I finally decided to just post as-is. If you have any suggestions on WP formatting with graphics let me know.
Creating an Outbound-Only Account in Evolution
- To create a secondary account to be used for sending mail (one that does not require receiving), we’ll need to open the Preferences Window, which is found in Edit > Preferences.
- Click “Add”, which will open the Account Assistant for creating new email account settings. Click “Forward” on the first introductory window.
- Fill out the Identity information, i.e., Full Name and your outbound email address. In this case I am using my ubuntu.com address. Click “Forward”.
- On the “Receiving Email” step we will set the Server Type to “None”, and click “Forward”.
- On the “Sending Email” step we will populate your SMTP settings. In my case I am using my gmail account as the outbound SMTP server. Click “Forward”.
- On the “Account Management” step we will give this account a unique name. In this case “Ubuntu”.
- Click “Forward” and then “Apply” and you should be finished.

You can then repeat these steps for the total number of accounts that you need send-access with while the reply-to still goes elsewhere. I’ve been using this setup for my Ubuntu account for a few years now and it’s simple enough, and quick to set up.
The steps are slightly different if you’re using Thunderbird. Maybe I can get that installed here soon and walk through those steps as well. Enjoy.
May
13
I’m sure many of you have heard by this point that there is a reported vulnerability in OpenSSL and OpenSSH. The basis of this is that the keys generated when you use these tools (i.e., installing openssh-server, etc.) are generated in a weak manner and can be prone to simple brute-force attacks.
If you’ve never installed openssh-server, used openssh-clients or generated an X.509 certificate you should be safe. If you have done any of the above keep reading for validation and fix instructions. It can’t hurt to run the validation script in either case, just to be safe.
Security patches have been deployed to the Ubuntu archives so the first step is to, of course, apply any security patches available.
Am I Affected?
The first item at hand is verifying whether or not you have been affected by the vulnerability. As mentioned above there are some common tasks that would qualify, but let’s test your machine to make sure.
Download the script linked below and run it using the example syntax below:
dowkd.pl.gz (Download this file and unzip)
dowkd.pl PGP signature (Optionally verify the signature of the script)
Cut-n-Paste command-line example of downloading and running the test:
wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
gunzip dowkd.pl.gz
chmod u+x dowkd.pl
./dowkd.pl user
./dowkd.pl host <hostname>
If you see output similar to:
/home/username/.ssh/id_dsa.pub:1: weak key
…then you have been affected by the vulnerability. If you do not see “weak key” reported then you are OK.
How Do I Fix My Machine?
To update your machine and patch the vulnerability the first thing you want to do is check for and apply any system updates available. The main Ubuntu archives have been updated with the fixes. If you are using an alternate mirror the fix may not have propagated yet, so you may not see it available for another few hours.
Apply any updates:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
You should see an update for openssl and openssh packages (along with anything else available).
After these new packages have been applied you’ll want to regenerate any keys that you’ve generated (i.e., openssh keys, CA cert, etc.).
UPDATE: The latest package release will automagically re-create any server-side ssh keys for you and notify you of the reason. Also, there is a new utility built into the latest release that will check keys for you. After your updates are applied try the tool:
ssh-vulnkey
To generate a new openssh key for your user: (This is only required if './dowkd.pl user' reports weak)
ssh-keygen -t dsa -b 1024
To generate a new openssh key for your server: (This is only required if './dowkd.pl host <hostname>' reports weak)
sudo rm /etc/ssh/ssh_host_{dsa,rsa}_key*
sudo dpkg-reconfigure -plow openssh-server
You should now run the validation script again and make sure it does not report any errors. If you still see reported warnings such as:
/home/username/.ssh/authorized_hosts:1: weak key
…this means that you have authorized_host keys saved that are still affected. Open the .ssh/authorized_hosts file with a text editor and delete the affected line (:1: means line 1, etc).
Continue to run the ./dowkd.pl script until no weaknesses are reported.
These steps should be run on any system that you manage to ensure they are sufficiently patched.
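The cleanup step above, as an added example (not part of the original post or of dowkd.pl): it reads saved dowkd.pl output and removes every flagged line from each file in a single pass, so the line numbers in the report stay valid, and keeps a .bak copy of each file. The function names, the sample key entries and the sample report are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of dowkd.pl. Reads saved dowkd.pl output and deletes
# the lines it flags as "<file>:<line>: weak key". Prints how many were removed.
strip_weak_keys() {
    report=$1
    removed=0
    findings=$(mktemp) || return 1
    files=$(mktemp) || return 1
    # Keep only findings, rewritten as "<line> <file>"; other output is ignored.
    sed -n 's/^\(.*\):\([0-9][0-9]*\): weak key$/\2 \1/p' "$report" > "$findings"
    sed 's/^[0-9]* //' "$findings" | sort -u > "$files"
    while IFS= read -r file; do
        [ -f "$file" ] || continue
        # Put all of this file's flagged line numbers into one sed script
        # ("1d;3d;") so every deletion uses the numbering from the report.
        script=$(awk -v f="$file" \
            '{ n = $1; sub(/^[0-9]+ /, "") } $0 == f { printf "%sd;", n }' "$findings")
        cp -p "$file" "$file.bak"            # keep the original for review
        sed "$script" "$file.bak" > "$file"  # rewrite in place, same permissions
        before=$(wc -l < "$file.bak")
        after=$(wc -l < "$file")
        removed=$((removed + before - after))
    done < "$files"
    rm -f "$findings" "$files"
    echo "$removed"
}

# Constructed sample: a key file with four placeholder entries and a report
# that flags lines 1 and 3 (not real keys, not real dowkd.pl output).
make_sample() {
    printf '%s\n' \
        'ssh-rsa AAAA-constructed-1 old-laptop' \
        'ssh-rsa AAAA-constructed-2 workstation' \
        'ssh-dss AAAA-constructed-3 old-server' \
        'ssh-rsa AAAA-constructed-4 backup-host' > "$1/keys"
    printf '%s\n' \
        "$1/keys:1: weak key" \
        "$1/keys:3: weak key" \
        "a line that is not a finding" > "$1/report.txt"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "removed: $(strip_weak_keys "$demo_dir/report.txt")"
cat "$demo_dir/keys"
rm -rf "$demo_dir"
```

Generate a fresh report before running it a second time: once lines have been deleted, the numbers in an old report no longer point at the same entries.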
May
10
I was looking at some of the most popular posts on my blog, as reported by my awstats installation, and I noticed that one of the most popular is a post outlining common keyboard shortcuts for Compiz-Fusion on Ubuntu 7.10. Apparently everybody loves their eye-candy!
I thought, now that Ubuntu 8.04 “Hardy” is released, I’d update the basic configuration suggestions and hopefully help a few more of you get your bling-on.
The Compiz-Check Script
Recently I saw a post over at Forlong’s Blog releasing a script that will check your hardware in regards to Compiz support. From the article:
Compiz-Check is a script to test if Compiz is able to run on your system/setup and if not, it will tell you the reason why.
If you’ve had issues with Compiz support in the past I’d suggest running this script and paying attention to the reasons it gives when Compiz appears to be unsupported. In some cases it is simply a matter of poor hardware. In other cases it’s only a matter of software changes, and the output may help you get things going.
To download and run the script:
wget http://blogage.de/files/3729/download -O compiz-check
chmod +x compiz-check
./compiz-check
If everything comes out as “OK” you should be able to activate Compiz as seen in the Compiz configuration instructions.
Driver Support With Envy
Another very useful tool I’ve found is the Envy tool, which will install required non-free driver support for nvidia or ATI cards for you. I’ll admit that I’ve only used this occasionally, considering I have intel graphics cards on my main laptops, but in the situations where I have needed it things have worked great.
If you are using Ubuntu 8.04 “Hardy” you can try the newer EnvyNG, which is available in the universe repository. How to install EnvyNG on Ubuntu 8.04.
If you are still using a previous version of Ubuntu you can try the legacy version of Envy, instructions here.
Are there any other common tips that I’ve missed? If you know of any other great resources for Compiz support tests, nvidia or ATI driver installation, or basic Compiz tweaks please comment and share with the rest of us.
May
9
A Root Shell On Ubuntu : The Right Way
Just the other day we were having a discussion on using the root shell in Ubuntu. Now, remember, the root user account is disabled with no assigned password on a default Ubuntu system, so administrative tasks need to be done using the sudo command. For nearly all of the administration you would need, sudo will be adequate. There are occasionally those fringe cases where you might require a root shell. Below I have a few alternatives and then, if you must, the correct way of opening a root shell.
For more information please see the RootSudo page on the Ubuntu Community Wiki.
Alternatives To A Root Shell
One of the most common reasons that a user might need a root shell is due to output redirection not working as expected while using sudo. This can be bypassed fairly easily. Let me outline an example:
sudo echo "foo" > /root/somefile
The above example will not work because the redirection is performed by your own unprivileged shell, not by sudo: only the echo command runs with sudo privileges, and the normal user does not have access to write to the root user’s home directory.
An alternative that will work would look something like this:
echo "foo" | sudo tee /root/somefile
This will echo the output on the console but the tee command ('man tee' for more information) will also take that output and write it to the file as expected. Also note that 'tee -a' will work in the same fashion as >>, appending the data to the current file vs overwriting.
The Proper Way To A Root Shell
If you still need a root shell (perhaps you’ve come across a different scenario? perhaps you’re just lazy? perhaps you’re coming from another distribution?) let me outline the proper way to gain a root shell.
DISCLAIMER: This should be avoided if at all possible. It is not suggested to run a root shell on an Ubuntu system. Use at your own risk. See examples above, etc.
sudo -i
The command sudo -i is the equivalent to the 'su -' command. This will properly change to the root user, switch to the root user’s home directory, use his (her?) environment values, etc.
sudo -s
The command sudo -s is the equivalent to the 'su' command. This will change to the root user but will not properly use his (her?) environment values, etc.
The WRONG Way To A Root Shell
Please DO NOT use the following methods to gain root access:
sudo bash, sudo sh, sudo su -, sudo su, sudo -i -u root
If you currently do use these methods this post was written for you!
UPDATE: Based on the feedback in the comments for this post I’ll try to expand the reasoning on *why* the right way is the preferred way.
First of all we need to understand some background information. When a user creates a session there are a number of environment values that are set. To have a look at some of these try this command:
env
This will output a number of details about the current working environment. These environment values may be different for different users. Some of the values are generated by way of the .bashrc file (assuming a bash shell, of course), the .bash_profile, etc. Take a look at the .bashrc in your user’s home directory and compare it with the .bashrc in root’s home directory.
diff -u ~/.bashrc /root/.bashrc
You should see some differences, and this is just from one of the multiple files that are read during a proper login.
When creating a root shell by using 'sudo bash' you are not incorporating the root environment properly. You are creating a shell with root privileges but the env output is still that of your user. Each user, whether unprivileged or root, should have unique environment settings to truly be that user. This will be the case for 'sudo bash', 'sudo su' and 'sudo sh'.
May
4
Why ufw Does Not Need A GUI
I’ve been hearing more and more requests recently (at OpenWeek -chat and in blog comments) for a GUI on top of ufw. I wanted to take a second and outline more clearly what ufw is, which will likely stop these requests. I think it’s just a simple matter of not truly understanding what ufw does which leads to these. Bottom line, there are already a number of GUI firewall applications, so adding one for ufw would be basically pointless. (Before you argue that point, keep reading.)
What is ufw?
ufw, or “uncomplicated firewall”, is simply a management tool for creating kernel-level firewall rules which is done via the netfilter kernel module and iptables userspace tool. iptables has been around for quite a long time, is very, very robust and very widely used. It is installed by default on any Ubuntu system, but no “rules” have historically been applied to it. (Technically, every Linux system has a firewall utility built into the kernel, but if no rules are applied to that filter nothing is actually being specifically allowed or denied.)
The reason ufw was developed (I sat in on the sprint at UDS for this) is that we wanted to create a server-level firewalling utility that was a little bit more “for human beings”. While iptables is already installed and available for use, the syntax can be complicated. For example, let’s say you wanted to block all connections from the IP address 10.100.0.5:
iptables: sudo iptables -A INPUT -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5
Another slightly more complicated example could be written for blocking specific ports and protocols:
iptables: sudo iptables -A INPUT -p tcp --dport 22 -s 10.100.0.5 -j REJECT
ufw: sudo ufw deny from 10.100.0.5 to any port 22
ufw is creating the iptables / netfilter rule “under the hood”, but allowing us to create the rules in a simpler way. Both of the commands above basically do the same thing, ufw simply “uncomplicates” the process.
For those that are looking for a GUI on top of ufw, remember that you already have tools such as Firestarter or lokkit, etc. Those are graphical tools which create and manage iptables / netfilter rules “under the hood”. ufw is simply a command-line tool to manage iptables / netfilter rules “under the hood”.
The existing GUI tools (Firestarter) and ufw both use iptables underneath, so adding a GUI to ufw would basically be re-creating Firestarter, which is not really needed. ufw is simply a less complicated way to create firewall (iptables) “rules” on the command line.
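What “under the hood” means in practice, as an added illustration (not ufw’s own code and not from the original post): a shell function that turns a small subset of ufw syntax into iptables commands in the style of the examples above. The function name, the supported subset and the expansion of a port rule without a protocol into one tcp and one udp rule are assumptions of this example; deny maps to REJECT as in the post’s examples.

```sh
#!/bin/sh
# Added illustration, not ufw's own code: translate a small subset of ufw
# syntax into iptables commands in the style of the examples above.
ufw_to_iptables() {
    set -f; set -- $1; set +f            # split the rule into words, no globbing
    [ $# -gt 0 ] || return 1
    case $1 in
        deny)  target=REJECT ;;          # mapping used in the post's examples
        allow) target=ACCEPT ;;
        *) echo "unsupported action: $1" >&2; return 1 ;;
    esac
    shift
    src='' port='' proto=''
    while [ $# -ge 2 ]; do
        case $1 in
            from)  src=$2 ;;
            to)    [ "$2" = any ] || { echo "only 'to any' is handled" >&2; return 1; } ;;
            port)  port=$2 ;;
            proto) proto=$2 ;;
            *) echo "unexpected word: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    [ $# -eq 0 ] || { echo "dangling word: $1" >&2; return 1; }
    # Validate every value before it is placed into a command line.
    case $src in ''|*[!0-9./]*) echo "bad source address" >&2; return 1 ;; esac
    case $port in *[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    case $proto in ''|tcp|udp) ;; *) echo "bad protocol" >&2; return 1 ;; esac
    if [ -z "$port" ]; then
        echo "iptables -A INPUT${proto:+ -p $proto} -s $src -j $target"
    else
        # iptables accepts --dport only together with -p, so a port rule
        # without a protocol becomes one rule for tcp and one for udp.
        for p in ${proto:-tcp udp}; do
            echo "iptables -A INPUT -p $p --dport $port -s $src -j $target"
        done
    fi
}

ufw_to_iptables "deny from 10.100.0.5"
ufw_to_iptables "deny from 10.100.0.5 to any port 22"
```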
May
3
UPDATE: This tutorial has been updated for VMware Server 1.0.6. See the updated instructions here, at How To Install VMware Server 1.0.6 on Ubuntu 8.04.
Now that most of the modern world has upgraded to Ubuntu 8.04 I’ve begun to see comments regarding VMware Server no longer working. You may have used my previous article, Installing VMware Server on Ubuntu 7.10, which has worked great. Now that 8.04 “Hardy” is installed things have become a bit more complicated unfortunately.
The problem is that VMware has not updated their latest versions to make use of the latest kernel, GCC or gnome libraries. So, we’ve got two options.
- Wait for a new VMware release and hope they patch everything.
- Follow the rest of this tutorial and get your hands dirty on the terminal. We can make it work, but we have to hammer it into submission.
So, I’ll assume because you’re still reading that you’ve opted for the hammer into submission option. Let’s get started.
Downloading the Requirements
The first step, of course, is to download VMware Server 1.0.5. You’ll have to agree to the EULA (actually twice. Once before download and once during installation. Remember, VMware is free-as-in-beer but not free-as-in-speech.)
The second step is to install some development tools that we’ll need to get things running. Use the following command or click the package names to install the requirements:
sudo aptitude install build-essential linux-kernel-devel linux-headers-generic xinetd
The third step is to download one more tool to help in the manual build process for VMware Server 1.0.5. What we need is a script which will help in the custom config hosted at Google Code. Download the vmware-any-any-update-116.tgz.
You will also need to generate a serial number to run VMware Server. Visit this link to register and generate the number of codes you might want. Remember to print the codes or write them down because in my experience they are not emailed to you.
OK, at this point we should have all of the requirements, now we can get to work…
Installation and Configuration
Let’s unpack the VMware archive that we downloaded and run the VMware installer. NOTE: After some basic configuration it will ask you to run vmware-config.pl. DO NOT RUN vmware-config.pl, WE ARE NOT READY YET.
tar xf VMware-server-1.0.5-*.tar.gz
cd vmware-server-distrib
sudo ./vmware-install.pl
When it asks you to run vmware-config.pl you want to answer “no” and this is where the vmware-any-any-update-116.tgz patch comes in.
cd ..
tar xf vmware-any-any-update-116.tgz
cd vmware-any-any-update116
sudo ./runme.pl
After this runs it will ask you again if you want to run vmware-config.pl. At this point select “yes”.
The Last Step
If you attempt to run vmware at this point you might notice that it spits out some nasty errors and complains at you. There is one more thing we need to set up. (Hey, VMware, if you’re reading this will you please incorporate these fixes into your official download already!)
Basically VMware is missing and complaining about some cairo libraries and gcc. So, the simple fix for this is to point to them by using a symbolic link:
sudo ln -sf /usr/lib/gcc/i486-linux-gnu/4.2.3/libgcc_s.so /usr/lib/vmware/lib/libgcc_s.so.1/libgcc_s.so.1
sudo ln -sf /usr/lib/libpng12.so.0 /usr/lib/vmware/lib/libpng12.so.0/libpng12.so.0
At this point you should be able to launch vmware and enjoy some virtualization goodness. Please stay tuned for virtualization updates regarding virtualbox and the new KVM!
sources: I want to throw a big thanks to my buddy Igor for helping figure out these tweaks. Check out his blog, with these and other instructions, here.
UPDATE: based on some of the comments below I’ve added the “-f” to the symbolic link options.
May
1
I wanted to throw out a quick thank-you to all those that attended my OpenWeek Presentation today. I think things went really well and had some great questions and suggestions from those in attendance. If you missed the presentation and would like to catch up on the logs you can find them here.
It also appears that we’ve formed a loose new team/group, dedicated to advancement of Ubuntu support on the EeePC. If you’d like to participate please drop me a note (see my contact page) or drop by the #ubuntu-eeepc irc channel for discussion. Our goal is to have 100% support out-of-the-box by Ubuntu 8.10 “Intrepid”. Think we can do it?





