https://wiki.archlinux.org/api.php?action=feedcontributions&user=Eldog&feedformat=atomArchWiki - User contributions [en]2024-03-29T15:17:17ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Security&diff=757850Security2022-11-23T12:51:22Z<p>Eldog: Options ordering matters for `faillock` - reset must be after --user $USERNAME</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:File systems]]<br />
[[Category:Networking]]<br />
[[de:Sicherheit]]<br />
[[es:Security]]<br />
[[fa:امنیت]]<br />
[[ja:セキュリティ]]<br />
[[pt:Security]]<br />
[[ru:Security]]<br />
[[zh-hans:Security]]<br />
{{Related articles start}}<br />
{{Related|Arch Security Team}}<br />
{{Related|General recommendations}}<br />
{{Related|PAM}}<br />
{{Related|Capabilities}}<br />
{{Related|List of Applications/Security}}<br />
{{Related|Arch package guidelines/Security}}<br />
{{Related articles end}}<br />
This article contains recommendations and best practices for [[Wikipedia:Hardening (computing)|hardening]] an Arch Linux system.<br />
<br />
== Concepts ==<br />
<br />
* It ''is'' possible to tighten security to the point where the system is unusable. Security and convenience must be balanced. The trick is to create a secure ''and'' useful system.<br />
* The biggest threat is, and will always be, the user.<br />
* The [[Wikipedia:Principle of least privilege|principle of least privilege]]: Each part of a system should only be able to access what is strictly required, and nothing more.<br />
* Defense in depth: Security works better in independent layers. When one layer is breached, another should stop the attack.<br />
* Be a little paranoid. And be suspicious. If anything sounds too good to be true, it probably is!<br />
* You can never make a system 100% secure unless you unplug the machine from all networks, turn it off, lock it in a safe, smother it in concrete and never use it.<br />
* Prepare for failure. Create a plan ahead of time to follow when your security is broken.<br />
<br />
== Passwords ==<br />
<br />
Passwords are key to a secure Linux system. They secure your [[Users and groups|user accounts]], [[Data-at-rest encryption|encrypted filesystems]], and [[SSH keys|SSH]]/[[GPG]] keys. They are the main way a computer chooses to trust the person using it, so a big part of security is just about picking secure passwords and protecting them.<br />
<br />
=== Choosing secure passwords ===<br />
<br />
Passwords must be complex enough to not be easily guessed from e.g. personal information, or [[Wikipedia:Password cracking|cracked]] using methods like social engineering or brute-force attacks. The tenets of strong passwords are based on ''length'' and ''randomness''. In cryptography the quality of a password is referred to as its [[Wikipedia:Entropic security|entropic security]]. <br />
<br />
Insecure passwords include those containing:<br />
<br />
* Personally identifiable information (e.g., your dog's name, date of birth, area code, favorite video game)<br />
* Simple character substitutions on words (e.g., {{ic|k1araj0hns0n}}), as modern dictionary attacks can easily work with these<br />
* Root "words" or common strings followed or preceded by added numbers, symbols, or characters (e.g., {{ic|DG091101%}})<br />
* Common phrases or short strings of dictionary words (e.g. {{ic|photocopyhauntbranchexpose}}) including with character substitution (e.g. {{ic|Ph0toc0pyh4uN7br@nch3xp*se}}) <br />
* Any of the [[wikipedia:List_of_the_most_common_passwords|most common passwords]]<br />
<br />
The best choice for a password is something long (the longer, the better) and generated from a random source. It is important to use a long password. [https://www.theregister.com/2019/02/14/password_length Weak hash algorithms allow an 8-character password hash to be compromised in just a few hours.]<br />
<br />
Tools like {{Pkg|pwgen}} or {{AUR|apg}} can generate random passwords. However, these passwords can be difficult to memorize. One memorization technique (for ones typed often) is to generate a long password and memorize a minimally secure number of characters, temporarily writing down the full generated string. Over time, increase the number of characters typed - until the password is ingrained in muscle memory and need not be remembered. This technique is more difficult, but can provide confidence that a password will not turn up in wordlists or "intelligent" brute force attacks that combine words and substitute characters.<br />
<br />
Apart from password management, {{Pkg|keepassxc}} offers password/passphrase generation. It is possible to customize the generation in a GUI. Dictionary based passphrases are also supported.<br />
<br />
One technique for memorizing a password is to use a mnemonic phrase, where each word in the phrase reminds you of the next character in the password.<br />
Take for instance “the girl is walking down the rainy street” could be translated to {{ic|t6!WdtR5}} or, less simply, {{ic|t&6!RrlW@dtR,57}}.<br />
This approach could make it easier to remember a password, but note that the various letters have very different probabilities of being found at the start of words ([[Wikipedia:Letter frequency#Relative frequencies of the first letters of a word in the English language|Wikipedia:Letter frequency]]). <br />
<br />
Another effective technique can be to write randomly generated passwords down and store them in a ''safe'' place, such as in a wallet, purse or document safe. Most people do a generally good job of protecting their physical valuables from attack, and it is easier for most people to understand physical security best practices compared to digital security practices.<br />
<br />
It is also very effective to combine the mnemonic and random technique by saving long randomly generated passwords with a [[password manager]], which will be in turn accessed with a memorable "master password" that must be used only for that purpose. The master password must be memorized and never saved. This requires the password manager to be installed on a system to easily access the password (which could be seen as an inconvenience or a security feature, depending on the situation). Some password managers also have smartphone apps which can be used to display passwords for manual entry on systems without that password manager installed. Note that a password manager introduces a single point of failure if you ever forget the master password.<br />
<br />
It can be effective to use a memorable long series of unrelated words as a password. The theory is that if a sufficiently long phrase is used, the gained entropy from the password's length can counter the lost entropy from the use of dictionary words. This [https://xkcd.com/936/ xkcd comic] demonstrates the entropy tradeoff of this method, taking into account the limited set of possible words for each word in the passphrase. If the set of words you choose from is large (multiple thousand words) and you choose 5-7 or even more random words from it, this method provides great entropy, even assuming the attacker knows the set of possible words chosen from and the number of words chosen. See e.g. [https://www.rempe.us/diceware/ Diceware] for more.<br />
<br />
See [https://www.iusmentis.com/security/passphrasefaq/ The passphrase FAQ] or [[Wikipedia:Password strength]] for some additional background.<br />
<br />
=== Maintaining passwords ===<br />
<br />
Once you pick a strong password, be sure to keep it safe. Watch out for [[Wikipedia:Keylogger|keyloggers]] (software and hardware), screen loggers, [[Wikipedia:Social engineering (security)|social engineering]], [[Wikipedia:Shoulder surfing (computer security)|shoulder surfing]], and avoid reusing passwords so insecure servers cannot leak more information than necessary. [[List of applications/Security#Password managers|Password managers]] can help manage large numbers of complex passwords: if you are copy-pasting the stored passwords from the manager to the applications that need them, make sure to clear the copy buffer every time, and ensure they are not saved in any kind of log (e.g. do not paste them in plain terminal commands, which would store them in files like {{ic|.bash_history}}). Note that password managers that are implemented as browser extensions may be vulnerable to [https://www.spookjs.com side channel attacks]. These can be mitigated by using password managers that run as separate applications.<br />
<br />
As a rule, do not pick insecure passwords just because secure ones are harder to remember. Passwords are a balancing act. It is better to have an encrypted database of secure passwords, guarded behind a key and one strong master password, than it is to have many similar weak passwords. Writing passwords down is perhaps equally effective [https://www.schneier.com/blog/archives/2005/06/write_down_your.html], avoiding potential vulnerabilities in software solutions while requiring physical security.<br />
<br />
Another aspect of the strength of the passphrase is that it must not be easily recoverable from other places.<br />
<br />
If you use the same passphrase for disk encryption as you use for your login password (useful e.g. to auto-mount the encrypted partition or folder on login), make sure that {{ic|/etc/shadow}} ends up on an encrypted partition or/and uses a strong key derivation function (i.e. yescrypt/bcrypt/argon2 or sha512 with PBKDF2, but not md5 or low iterations in PBKDF2) for the stored password hash (see [[SHA password hashes]] for more information).<br />
<br />
If you are backing up your password database, make sure that each copy is not stored behind any other passphrase which in turn is stored in it, e.g. an encrypted drive or an authenticated remote storage service, or you will not be able to access it in case of need; a useful trick is to protect the drives or accounts where the database is backed up using a simple cryptographic hash of the master password. Maintain a list of all the backup locations: if one day you fear that the master passphrase has been compromised you will have to change it immediately on all the database backups and the locations protected with keys derived from the master password.<br />
<br />
Version-controlling the database in a secure way can be very complicated: if you choose to do it, you must have a way to update the master password of all the database versions. It may not always be immediately clear when the master password is leaked: to reduce the risk of somebody else discovering your password before you realize that it leaked, you may choose to change it on a periodical basis. If you fear that you have lost control over a copy of the database, you will need to change all the passwords contained in it within the time that it may take to brute-force the master password, according to its entropy.<br />
<br />
=== Password hashes ===<br />
<br />
{{Expansion|Mention [[Wikipedia:Key derivation function|key derivation functions]], in particular argon2, bcrypt, scrypt and PBKDF2, how to use them, advantages and disadvantages, especially regarding custom-hardware-based brute-force attacks.|section=Removal of incorrect warning}}<br />
<br />
By default, Arch stores the hashed user passwords in the root-only-readable {{ic|/etc/shadow}} file, separated from the other user parameters stored in the world-readable {{ic|/etc/passwd}} file, see [[Users and groups#User database]]. See also [[#Restricting root]].<br />
<br />
Passwords are set with the '''passwd''' command, which [[Wikipedia:Key stretching|stretches]] them with the [[Wikipedia:Crypt (C)|crypt]] function and then saves them in {{ic|/etc/shadow}}. See also [[SHA password hashes]]. The passwords are also [[Wikipedia:Salt (cryptography)|salted]] in order to defend them against [[Wikipedia:Rainbow table|rainbow table]] attacks.<br />
<br />
See also [https://www.slashroot.in/how-are-passwords-stored-linux-understanding-hashing-shadow-utils How are passwords stored in Linux (Understanding hashing with shadow utils)].<br />
<br />
=== Enforcing strong passwords with pam_pwquality ===<br />
<br />
''pam_pwquality'' provides protection against [[Wikipedia:Dictionary attack|Dictionary attacks]] and helps configure a password policy that can be enforced throughout the system. It is based on ''pam_cracklib'', so it is backwards compatible with its options.<br />
<br />
[[Install]] the {{Pkg|libpwquality}} package.<br />
<br />
{{Warning|The ''root'' account is not affected by this policy by default.}}<br />
<br />
{{Note|<br />
* You can use the ''root'' account to set a password for a user that bypasses the desired/configured policy. This is useful when setting temporary passwords.<br />
* Current security guidelines around passwords, e.g. from NIST, but also from others, do not recommend enforcing special characters, since they often only lead to predictable alterations.<br />
}}<br />
<br />
If for example you want to enforce this policy:<br />
<br />
* prompt 2 times for password in case of an error (retry option)<br />
* 10 characters minimum length (minlen option)<br />
* at least 6 characters should be different from old password when entering a new one (difok option)<br />
* at least 1 digit (dcredit option)<br />
* at least 1 uppercase (ucredit option)<br />
* at least 1 lowercase (lcredit option)<br />
* at least 1 other character (ocredit option)<br />
* cannot contain the words "myservice" and "mydomain"<br />
* enforce the policy for root<br />
<br />
Edit the {{ic|/etc/pam.d/passwd}} file to read as:<br />
<br />
{{bc|1=<br />
#%PAM-1.0<br />
password required pam_pwquality.so retry=2 minlen=10 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 [badwords=myservice mydomain] enforce_for_root<br />
password required pam_unix.so use_authtok sha512 shadow<br />
}}<br />
<br />
The {{ic|password required pam_unix.so use_authtok}} instructs the ''pam_unix'' module to not prompt for a password but rather to use the one provided by ''pam_pwquality''.<br />
<br />
You can refer to the {{man|8|pam_pwquality}} and {{man|8|pam_unix}} man pages for more information.<br />
<br />
== CPU ==<br />
<br />
=== Microcode ===<br />
<br />
See [[microcode]] for information on how to install important security updates for your CPU's microcode.<br />
<br />
=== Hardware vulnerabilities ===<br />
<br />
Some CPUs contain hardware vulnerabilities. See the [https://docs.kernel.org/admin-guide/hw-vuln/ kernel documentation on hardware vulnerabilities] for a list of these vulnerabilities, as well as mitigation selection guides to help customize the kernel to mitigate these vulnerabilities for specific usage scenarios.<br />
<br />
To check if you are affected by a known vulnerability, run the following:<br />
<br />
$ grep -r . /sys/devices/system/cpu/vulnerabilities/<br />
<br />
In most cases, updating the kernel and microcode will mitigate vulnerabilities.<br />
<br />
==== Simultaneous multithreading (hyper-threading) ====<br />
<br />
[[Wikipedia:Simultaneous multithreading|Simultaneous multithreading]] (SMT), also called hyper-threading on Intel CPUs, is a hardware feature that may be a source of [https://docs.kernel.org/admin-guide/hw-vuln/l1tf.html L1 Terminal Fault] and [https://docs.kernel.org/admin-guide/hw-vuln/mds.html Microarchitectural Data Sampling] vulnerabilities. The Linux kernel and microcode updates contain mitigations for known vulnerabilities, but [https://docs.kernel.org/admin-guide/hw-vuln/l1tf.html#virtualization-with-untrusted-guests disabling SMT may still be required on certain CPUs if untrusted virtualization guests are present].<br />
<br />
SMT can often be disabled in your system's firmware. Consult your motherboard or system documentation for more information. You can also disable SMT in the kernel by adding the following [[kernel parameters]]:<br />
<br />
l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force<br />
<br />
== Memory ==<br />
<br />
=== Hardened malloc ===<br />
<br />
[https://github.com/GrapheneOS/hardened_malloc hardened_malloc] ({{AUR|hardened_malloc}}, {{AUR|hardened-malloc-git}}) is a hardened replacement for [[Wikipedia:GNU C Library|glibc]]'s malloc(). The project was originally developed for integration into Android's [[Wikipedia:Bionic (software)|Bionic]] and [[Wikipedia:musl|musl]] by Daniel Micay, of [[Wikipedia:GrapheneOS|GrapheneOS]], but he has also built in support for standard Linux distributions on the x86_64 architecture.<br />
<br />
While hardened_malloc is not yet integrated into glibc (assistance and pull requests welcome) it can be used easily with LD_PRELOAD. In testing so far, it only causes issues with a handful of applications if enabled globally in {{ic|/etc/ld.so.preload}}. Since hardened_malloc has a performance cost, you may want to decide which implementation to use on a case-by-case basis based on attack surface and performance needs.<br />
<br />
To try it out in a standalone manner, use the hardened-malloc-preload wrapper script, or manually start an application with the proper preload value:<br />
<br />
LD_PRELOAD="/usr/lib/libhardened_malloc.so" /usr/bin/firefox<br />
<br />
Proper usage with [[Firejail]] can be found on its wiki page, and some configurable build options for hardened_malloc can be found on the github repo.<br />
<br />
== Storage ==<br />
<br />
=== Data-at-rest encryption ===<br />
<br />
[[Data-at-rest encryption]], preferably full-disk encryption with a [[#Passwords|strong passphrase]], is the only way to guard data against physical recovery. This provides complete security when the computer is turned off or the disks in question are unmounted.<br />
<br />
Once the computer is powered on and the drive is mounted, however, its data becomes just as vulnerable as an unencrypted drive. It is therefore best practice to unmount data partitions as soon as they are no longer needed.<br />
<br />
Certain programs, like [[dm-crypt]], allow the user to encrypt a loop file as a virtual volume. This is a reasonable alternative to full-disk encryption when only certain parts of the system need be secure.<br />
<br />
You may also [[Trusted Platform Module#Data-at-rest encryption with LUKS|encrypt a drive with the key stored in a TPM]], although it has had [https://tpm.fail vulnerabilites in the past] and the key can be extracted by a [https://pulsesecurity.co.nz/articles/TPM-sniffing bus sniffing attack].<br />
<br />
==== File encryption ====<br />
<br />
{{Merge|Data-at-rest encryption|File encryption is still a type of encryption at rest (as opposed to in use or transit).}}<br />
<br />
While data-at-rest encryption is useful at protecting data on physical media, it can not be used to protect data on a remote system that you can not control (such as on cloud storages). In that case, file encryption will be useful.<br />
<br />
These are some methods to encrypt files:<br />
* Some [[Archiving and compression|archiving and compressing]] tools also provide encryption. Some examples are {{Pkg|p7zip}} ({{ic|-p}} flag), {{Pkg|zip}} ({{ic|-e}} flag).<br />
* [[GnuPG]] can be used to [[GnuPG#Encrypt and decrypt|encrypt files]].<br />
* {{Pkg|age}} is a simple and easy to use file encryption tool. It also supports multiple recipients and encryption using SSH keys, which is useful for secure file sharing.<br />
<br />
=== File systems ===<br />
<br />
The kernel now prevents security issues related to hardlinks and symlinks if the {{ic|fs.protected_hardlinks}} and {{ic|fs.protected_symlinks}} sysctl switches are enabled, so there is no longer a major security benefit from separating out world-writable directories.<br />
<br />
File systems containing world-writable directories can still be kept separate as a coarse way of limiting the damage from disk space exhaustion. However, filling {{ic|/var}} or {{ic|/tmp}} is enough to take down services. More flexible mechanisms for dealing with this concern exist (like [[Disk quota|quotas]]), and some [[file systems]] include related features themselves (Btrfs has quotas on subvolumes).<br />
<br />
==== Mount options ====<br />
<br />
Following the principle of least privilege, file systems should be mounted with the most restrictive mount options possible (without losing functionality).<br />
<br />
Relevant mount options are:<br />
<br />
* {{ic|nodev}}: Do not interpret character or block special devices on the file system.<br />
* {{ic|nosuid}}: Do not allow set-user-identifier or set-group-identifier bits to take effect.<br />
* {{ic|noexec}}: Do not allow direct execution of any binaries on the mounted file system.<br />
** Setting {{ic|noexec}} on {{ic|/home}} disallows executable scripts and breaks [[Wine]]*, [[Steam]], PyCharm, [[.NET]], etc.<br />
** Some packages (building {{Pkg|nvidia-dkms}} for example) may require {{ic|exec}} on {{ic|/var}}.<br />
<br />
{{Note|Wine does not need the {{ic|exec}} flag for opening Windows executables. It is only needed when Wine itself is installed in {{ic|/home}}.}}<br />
<br />
File systems used for data should always be mounted with {{ic|nodev}}, {{ic|nosuid}} and {{ic|noexec}}.<br />
<br />
Potential file system mounts to consider:<br />
<br />
* {{ic|/var}}<br />
* {{ic|/home}}<br />
* {{ic|/dev/shm}}<br />
* {{ic|/tmp}}<br />
* {{ic|/boot}}<br />
<br />
=== File access permissions ===<br />
<br />
The default [[file permissions]] allow read access to almost everything and changing the permissions can hide valuable information from an attacker who gains access to a non-root account such as the {{ic|http}} or {{ic|nobody}} users. You can use [[chmod]] to take away all permissions from the group and others:<br />
<br />
# chmod go-7 ''path_to_hide''<br />
<br />
{{Warning|Do not apply this broadly. Try this for one config at a time, ensuring that it is worth hiding, and that it will not break program functionality. You may need to remove the {{ic|g}} from the command (or re-add the permission with {{ic|chmod g+r ''path''}} if already ran) if the group is relied on.}}<br />
<br />
Some paths to consider are:<br />
<br />
* {{ic|/boot}}: The [[Partitioning#/boot|boot directory]], which includes the [[vmlinuz]] and [[initramfs]] images.<br />
* {{ic|/etc/nftables.conf}}: The [[nftables]] configuration, applicable to {{Pkg|nftables}} and {{Pkg|iptables-nft}}.<br />
* {{ic|/etc/iptables}}: The legacy [[iptables]] configuration, applicable to {{Pkg|iptables}}.<br />
<br />
The default [[umask]] {{ic|0022}} can be changed to improve security for newly created files. The [https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm NSA RHEL5 Security Guide] suggests a umask of {{ic|0077}} for maximum security, which makes new files not readable by users other than the owner. To change this, see [[Umask#Set the mask value]].<br />
<br />
=== Backups ===<br />
<br />
{{Merge|System backup|There is a dedicated page for system backups.}}<br />
<br />
Regularly create backups of important data. Regularly test the integrity of the backups. Regularly test that the backups can be restored.<br />
<br />
Make sure that at least one copy of the data is stored offline, i.e. not connected to the system under threat in any way. [[Wikipedia:Ransomware|Ransomware]] and other destructive attacks may also attack any connected backup systems.<br />
<br />
=== SSD "frozen" status ===<br />
<br />
See [[Solid state drive#Setting the SSD state to "frozen" after waking up from sleep]].<br />
<br />
== User setup ==<br />
<br />
=== Do not use the root account for daily use ===<br />
<br />
Following the principle of least privilege, do not use the root user for daily use. Create a non-privileged user account for each person using the system. Use [[sudo]] as necessary for temporary privileged access.<br />
<br />
=== Enforce a delay after a failed login attempt ===<br />
<br />
Add the following line to {{ic|/etc/pam.d/system-login}} to add a delay of at least 4 seconds between failed login attempts:<br />
<br />
{{hc|/etc/pam.d/system-login|2=<br />
auth optional pam_faildelay.so delay=4000000<br />
}}<br />
<br />
{{ic|4000000}} is the time in microseconds to delay.<br />
<br />
=== Lock out user after three failed login attempts ===<br />
<br />
As of {{Pkg|pambase}} 20200721.1-2, {{ic|pam_faillock.so}} is enabled by default to lock out users for 10 minutes after 3 failed login attempts in a 15 minute period (see {{Bug|67644}}). The lockout only applies to password authentication (e.g. login and ''sudo''), public key authentication over SSH is still accepted. To prevent complete denial-of-service, this lockout is disabled for the root user.<br />
<br />
To unlock a user, do:<br />
<br />
$ faillock --user ''username'' --reset<br />
<br />
By default, the lock mechanism is a file per-user located at {{ic|/run/faillock/}}. Deleting or emptying the file unlocks that user—the directory is owned by root, but the file is owned by the user, so the {{ic|faillock}} command only empties the file, therefore does not require root.<br />
<br />
The module {{ic|pam_faillock.so}} can be configured with the file {{ic|1=/etc/security/faillock.conf}}. The lockout parameters:<br />
<br />
* {{ic|unlock_time}} — the lockout time (in seconds, default 10 minutes).<br />
* {{ic|fail_interval}} — the time in which failed logins can cause a lockout (in seconds, default 15 minutes).<br />
* {{ic|deny}} — the number of failed logins before lockout (default 3).<br />
<br />
{{Tip|The primary purpose for the lockout is to slow down brute-force attacks so that they become infeasible. Hence, if lockouts due to mistyping of passwords become too frequent, relaxing the number of attempts may be preferred to reducing the lockout time.}}<br />
<br />
{{Note|{{ic|1=deny = 0}} will disable the lockout mechanism entirely.}}<br />
<br />
By default, all user locks are lost after reboot. If your attacker can reboot the machine, it is more secure if locks persist. To make locks persist, change the {{ic|dir}} parameter in {{ic|1=/etc/security/faillock.conf}} to {{ic|/var/lib/faillock}}.<br />
<br />
No restart is required for changes to take effect. See {{man|5|faillock.conf}} for further configuration options, such as enabling lockout for the root account, disabling for centralized login (e.g. LDAP), etc.<br />
<br />
=== Limit amount of processes ===<br />
<br />
On systems with many, or untrusted users, it is important to limit the number of processes each can run at once, therefore preventing [[Wikipedia:Fork bomb|fork bombs]] and other denial of service attacks. {{ic|/etc/security/limits.conf}} determines how many processes each user, or group can have open, and is empty (except for useful comments) by default. Adding the following lines to this file will limit all users to 100 active processes, unless they use the {{ic|prlimit}} command to explicitly raise their maximum to 200 for that session. These values can be changed according to the appropriate number of processes a user should have running, or the hardware of the box you are administrating. <br />
<br />
* soft nproc 100<br />
* hard nproc 200<br />
<br />
The current number of threads for each user can be found with {{ic|ps --no-headers -Leo user {{!}} sort {{!}} uniq --count}}. This may help with determining appropriate values for the limits.<br />
<br />
=== Use Wayland ===<br />
<br />
Prefer using [[Wayland]] over [[Xorg]]. Xorg's design predates modern security practices and is [https://security.stackexchange.com/questions/4641/why-are-people-saying-that-the-x-window-system-is-not-secure/4646#4646 considered insecure] by many. For example, Xorg applications may record keystrokes while inactive.<br />
<br />
If you must run Xorg, it is recommended to [[Xorg#Rootless Xorg|avoid running it as root]]. Within Wayland, the XWayland compatibility layer will automatically use rootless Xorg.<br />
<br />
== Restricting root ==<br />
<br />
The root user is, by definition, the most powerful user on a system. It is also difficult to audit the root user account. It is therefore important to restrict usage of the root user account as much as possible. There are a number of ways to keep the power of the root user while limiting its ability to cause harm.<br />
<br />
=== Use sudo instead of su ===<br />
<br />
{{Merge|sudo|There is a dedicated article.}}<br />
<br />
Using [[sudo]] for privileged access is preferable to [[su]] for a number of reasons.<br />
<br />
* It keeps a log of which normal privilege user has run each privileged command.<br />
* The root user password need not be given out to each user who requires root access.<br />
* {{ic|sudo}} prevents users from accidentally running commands as ''root'' that do not need root access, because a full root terminal is not created. This aligns with the [[Wikipedia:Principle of least privilege|principle of least privilege]].<br />
* Individual programs may be enabled per user, instead of offering complete root access just to run one command. For example, to give the user ''alice'' access to a particular program:<br />
<br />
# visudo<br />
<br />
{{hc|/etc/sudoers|2=<br />
alice ALL = NOPASSWD: /path/to/program<br />
}}<br />
<br />
Or, individual commands can be allowed for all users. To mount Samba shares from a server as a regular user:<br />
<br />
%users ALL=/sbin/mount.cifs,/sbin/umount.cifs<br />
<br />
This allows all users who are members of the group users to run the commands {{ic|/sbin/mount.cifs}} and {{ic|/sbin/umount.cifs}} from any machine (ALL).<br />
<br />
{{Tip|To use restricted version of {{ic|nano}} instead of {{ic|vi}} with {{ic|visudo}},<br />
<br />
{{hc|/etc/sudoers|2=<br />
Defaults editor=/usr/bin/rnano<br />
}}<br />
<br />
Exporting {{ic|1=EDITOR=nano visudo}} is regarded as a severe security risk since everything can be used as an {{ic|EDITOR}}.<br />
}}<br />
<br />
==== Editing files using sudo ====<br />
<br />
See [[Sudo#Editing files]]. Alternatively, you can use an editor like {{ic|rvim}} or {{ic|rnano}} which has restricted capabilities in order to be safe to run as root.<br />
<br />
=== Restricting root login ===<br />
<br />
Once [[sudo]] is properly configured, full root access can be heavily restricted or denied without losing much usability. To disable root, but still allowing to use [[sudo]], you can use {{ic|passwd --lock root}}.<br />
<br />
==== Allow only certain users ====<br />
<br />
The [[PAM]] {{ic|pam_wheel.so}} lets you allow only users in the group {{ic|wheel}} to login using [[su]]. See [[su#su and wheel]].<br />
<br />
==== Denying SSH login ====<br />
<br />
Even if you do not wish to deny root login for local users, it is always good practice to [[OpenSSH#Deny|deny root login via SSH]]. The purpose of this is to add an additional layer of security before a user can completely compromise your system remotely.<br />
<br />
==== Specify acceptable login combinations with access.conf ====<br />
<br />
When someone attempts to log in with [[PAM]], {{ic|/etc/security/access.conf}} is checked for the first combination that matches their login properties. Their attempt then fails or succeeds based on the rule for that combination. <br />
<br />
+:root:LOCAL<br />
-:root:ALL<br />
<br />
Rules can be set for specific groups and users. In this example, the user archie is allowed to login locally, as are all users in the wheel and adm groups. All other logins are rejected:<br />
<br />
+:archie:LOCAL<br />
+:(wheel):LOCAL<br />
+:(adm):LOCAL<br />
-:ALL:ALL<br />
<br />
Read more at {{man|5|access.conf}}<br />
<br />
== Mandatory access control ==<br />
<br />
[[Wikipedia:Mandatory Access Control|Mandatory access control]] (MAC) is a type of security policy that differs significantly from the [[Wikipedia:Discretionary Access Control|discretionary access control]] (DAC) used by default in Arch and most Linux distributions. MAC essentially means that every action a program could perform that affects the system in any way is checked against a security ruleset. This ruleset, in contrast to DAC methods, cannot be modified by users. Using virtually any mandatory access control system will significantly improve the security of your computer, although there are differences in how it can be implemented.<br />
<br />
=== Pathname MAC ===<br />
<br />
Pathname-based access control is a simple form of access control that offers permissions based on the path of a given file. The downside to this style of access control is that permissions are not carried with files if they are moved about the system. On the positive side, pathname-based MAC can be implemented on a much wider range of filesystems, unlike labels-based alternatives.<br />
<br />
* [[AppArmor]] is a [[Wikipedia:Canonical (company)|Canonical]]-maintained MAC implementation seen as an "easier" alternative to SELinux.<br />
* [[TOMOYO]] is another simple, easy-to-use system offering mandatory access control. It is designed to be both simple in usage and in implementation, requiring very few dependencies.<br />
<br />
=== Labels MAC ===<br />
<br />
Labels-based access control means the extended attributes of a file are used to govern its security permissions. While this system is arguably more flexible in its security offerings than pathname-based MAC, it only works on filesystems that support these extended attributes.<br />
<br />
* [[SELinux]], based on a [[Wikipedia:NSA|NSA]] project to improve Linux security, implements MAC completely separate from system users and roles. It offers an extremely robust multi-level MAC policy implementation that can easily maintain control of a system that grows and changes past its original configuration.<br />
<br />
=== Access Control Lists ===<br />
<br />
[[Access Control Lists]] (ACLs) are an alternative to attaching rules directly to the filesystem in some way. ACLs implement access control by checking program actions against a list of permitted behavior.<br />
<br />
== Kernel hardening ==<br />
<br />
=== Kernel self-protection / exploit mitigation ===<br />
<br />
The {{pkg|linux-hardened}} package uses a [https://github.com/anthraxx/linux-hardened basic kernel hardening patch set] and more security-focused compile-time configuration options than the {{pkg|linux}} package. A custom build can be made to choose a different compromise between security and performance than the security-leaning defaults.<br />
<br />
However, it should be noted that several packages will not work when using this kernel. For example:<br />
<br />
* {{AUR|skypeforlinux-preview-bin}}<br />
* {{AUR|skypeforlinux-stable-bin}}<br />
* {{pkg|throttled}}<br />
<br />
If you use an out-of-tree driver such as [[NVIDIA]], you may need to switch to its [[DKMS]] package.<br />
<br />
==== Userspace ASLR comparison ====<br />
<br />
The {{pkg|linux-hardened}} package provides an improved implementation of Address Space Layout Randomization for userspace processes. The {{pkg|paxtest}} command can be used to obtain an estimate of the provided entropy:<br />
<br />
===== 64-bit processes =====<br />
<br />
{{hc|linux-hardened 5.4.21.a-1-hardened|<br />
Anonymous mapping randomization test : 32 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 40 quality bits (guessed)<br />
Heap randomization test (PIE) : 40 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : 32 quality bits (guessed)<br />
Main executable randomization (PIE) : 32 quality bits (guessed)<br />
Shared library randomization test : 32 quality bits (guessed)<br />
VDSO randomization test : 32 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 40 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 40 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 44 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 44 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 34 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 34 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 32 bits (guessed)<br />
Randomization under memory exhaustion @0 : 32 bits (guessed)<br />
}}<br />
<br />
{{hc|linux 5.5.5-arch1-1|<br />
Anonymous mapping randomization test : 28 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 28 quality bits (guessed)<br />
Heap randomization test (PIE) : 28 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : 28 quality bits (guessed)<br />
Main executable randomization (PIE) : 28 quality bits (guessed)<br />
Shared library randomization test : 28 quality bits (guessed)<br />
VDSO randomization test : 20 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 30 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 30 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 22 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 22 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 28 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 28 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 29 bits (guessed)<br />
Randomization under memory exhaustion @0 : 29 bits (guessed)<br />
}}<br />
<br />
{{hc|linux-lts 4.19.101-1-lts|<br />
Anonymous mapping randomization test : 28 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 28 quality bits (guessed)<br />
Heap randomization test (PIE) : 28 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : 28 quality bits (guessed)<br />
Main executable randomization (PIE) : 28 quality bits (guessed)<br />
Shared library randomization test : 28 quality bits (guessed)<br />
VDSO randomization test : 19 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 30 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 30 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 22 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 22 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 28 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 28 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 28 bits (guessed)<br />
Randomization under memory exhaustion @0 : 28 bits (guessed)<br />
}}<br />
<br />
===== 32-bit processes (on an x86_64 kernel) =====<br />
<br />
{{hc|linux-hardened|<br />
Anonymous mapping randomization test : 16 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 22 quality bits (guessed)<br />
Heap randomization test (PIE) : 27 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : No randomization<br />
Main executable randomization (PIE) : 18 quality bits (guessed)<br />
Shared library randomization test : 16 quality bits (guessed)<br />
VDSO randomization test : 16 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 24 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 24 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 28 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 28 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 18 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 16 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: 18 bits (guessed)<br />
Randomization under memory exhaustion @0 : 18 bits (guessed)<br />
}}<br />
<br />
{{hc|linux|<br />
Anonymous mapping randomization test : 8 quality bits (guessed)<br />
Heap randomization test (ET_EXEC) : 13 quality bits (guessed)<br />
Heap randomization test (PIE) : 13 quality bits (guessed)<br />
Main executable randomization (ET_EXEC) : No randomization<br />
Main executable randomization (PIE) : 8 quality bits (guessed)<br />
Shared library randomization test : 8 quality bits (guessed)<br />
VDSO randomization test : 8 quality bits (guessed)<br />
Stack randomization test (SEGMEXEC) : 19 quality bits (guessed)<br />
Stack randomization test (PAGEEXEC) : 19 quality bits (guessed)<br />
Arg/env randomization test (SEGMEXEC) : 11 quality bits (guessed)<br />
Arg/env randomization test (PAGEEXEC) : 11 quality bits (guessed)<br />
Offset to library randomisation (ET_EXEC): 8 quality bits (guessed)<br />
Offset to library randomisation (ET_DYN) : 13 quality bits (guessed)<br />
Randomization under memory exhaustion @~0: No randomization<br />
Randomization under memory exhaustion @0 : No randomization<br />
}}<br />
<br />
=== Restricting access to kernel pointers in the proc filesystem ===<br />
<br />
Setting {{ic|kernel.kptr_restrict}} to 1 will hide kernel symbol addresses in {{ic|/proc/kallsyms}} from regular users without {{ic|CAP_SYSLOG}}, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. This will not help that much on a pre-compiled Arch Linux kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but if you are compiling your own kernel, this can help mitigating local root exploits. This will break some {{Pkg|perf}} commands when used by non-root users (but many {{Pkg|perf}} features require root access anyway). See {{Bug|34323}} for more information.<br />
<br />
Setting {{ic|kernel.kptr_restrict}} to 2 will hide kernel symbol addresses in {{ic|/proc/kallsyms}} regardless of privileges.<br />
<br />
{{hc|/etc/sysctl.d/51-kptr-restrict.conf|2=<br />
kernel.kptr_restrict = 1<br />
}}<br />
<br />
{{Note|{{pkg|linux-hardened}} sets {{ic|1=kptr_restrict=2}} by default rather than {{ic|0}}.}}<br />
<br />
=== BPF hardening ===<br />
<br />
BPF is a system used to load and execute bytecode within the kernel dynamically during runtime. It is used in a number of Linux kernel subsystems such as networking (e.g. XDP, tc), tracing (e.g. kprobes, uprobes, tracepoints) and security (e.g. seccomp). It is also useful for advanced network security, performance profiling and dynamic tracing.<br />
<br />
BPF was originally an acronym of [[Wikipedia:Berkeley Packet Filter|Berkeley Packet Filter]] since the original classic BPF was used for packet capture tools for BSD. This eventually evolved into Extended BPF (eBPF), which was shortly afterwards renamed to just BPF (not an acronym). BPF should not be confused with packet filtering tools like iptables or netfilter, although BPF can be used to implement packet filtering tools.<br />
<br />
BPF code may be either interpreted or compiled using a [[Wikipedia:Just-in-time compilation|Just-In-Time (JIT) compiler]]. The Arch kernel is built with {{ic|CONFIG_BPF_JIT_ALWAYS_ON}} which disables the BPF interpreter and forces all BPF to use JIT compilation. This makes it harder for an attacker to use BPF to escalate attacks that exploit SPECTRE-style vulnerabilities. See [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290af86629b25ffd1ed6232c4e9107da031705cb the kernel patch which introduced CONFIG_BPF_JIT_ALWAYS_ON] for more details.<br />
<br />
The kernel includes a hardening feature for JIT-compiled BPF which can mitigate some types of JIT spraying attacks at the cost of performance and the ability to trace and debug many BPF programs. It may be enabled by setting {{ic|net.core.bpf_jit_harden}} to {{ic|1}} (to enable hardening of unprivileged code) or {{ic|2}} (to enable hardening of all code).<br />
<br />
See the {{ic|net.core.bpf_*}} settings in the [https://docs.kernel.org/admin-guide/sysctl/net.html kernel documentation] for more details.<br />
<br />
{{Tip|<br />
* {{Pkg|linux-hardened}} sets {{ic|1=net.core.bpf_jit_harden=2}} by default rather than {{ic|0}}.<br />
* By default, BPF programs can be run even by unprivileged users. To change that behaviour set {{ic|1=kernel.unprivileged_bpf_disabled=1}}[https://access.redhat.com/security/cve/cve-2021-33624].<br />
}}<br />
<br />
=== ptrace scope ===<br />
<br />
The {{man|2|ptrace}} syscall provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. {{ic|ptrace}} is commonly used by debugging tools including ''gdb'', ''strace'', ''perf'', ''reptyr'' and other debuggers. However, it also provides a means by which a malicious process can read data from and take control of other processes.<br />
<br />
Arch enables the [https://docs.kernel.org/admin-guide/LSM/Yama.html Yama LSM] by default, which provides a {{ic|kernel.yama.ptrace_scope}} [[kernel parameter]]. This parameter is set to {{ic|1}} (restricted) by default which prevents tracers from performing a {{ic|ptrace}} call on traces outside of a restricted scope unless the tracer is privileged or has the {{ic|CAP_SYS_PTRACE}} [[Capabilities|capability]]. This is a significant improvement in security compared to the classic permissions. Without this module, there is no separation between processes running as the same user (in the absence of additional security layers such as {{man|7|pid_namespaces}}).<br />
<br />
{{Note|By default, you can still use tools which require {{ic|ptrace}} by running them as privileged processes, e.g. using [[sudo]].}}<br />
<br />
If you do not need to use debugging tools, consider setting {{ic|kernel.yama.ptrace_scope}} to {{ic|2}} (admin-only) or {{ic|3}} (no {{ic|ptrace}} possible) to harden the system.<br />
<br />
=== hidepid ===<br />
<br />
{{Expansion|1=[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fb5ce62c5920b6e0a8a061f2fe80e0403281e10 Linux 5.8 implemented private instances] and new values for {{ic|1=hidepid=}}.}}<br />
<br />
{{Warning|<br />
* This may cause issues for certain applications like an application running in a sandbox and [[Xorg]] (see workaround).<br />
* This causes issues with [[D-Bus]], [[Polkit]], [[PulseAudio]] and [[bluetooth]] when using {{Pkg|systemd}} > 237.64-1.<br />
}}<br />
<br />
The kernel has the ability to hide other users' processes, normally accessible via {{ic|/proc}}, from unprivileged users by mounting the {{ic|proc}} filesystem with the {{ic|1=hidepid=}} and {{ic|1=gid=}} options documented in https://docs.kernel.org/filesystems/proc.html. <br />
<br />
This greatly complicates an intruder's task of gathering information about running processes, whether some daemon runs with elevated privileges, whether other user runs some sensitive program, whether other users run any program at all, makes it impossible to learn whether any user runs a specific program (given the program does not reveal itself by its behaviour), and, as an additional bonus, poorly written programs passing sensitive information via program arguments are now protected against local eavesdroppers.<br />
<br />
The {{ic|proc}} [[Users and groups#System groups|group]], provided by the {{Pkg|filesystem}} package, acts as a whitelist of users authorized to learn other users' process information. If users or services need access to {{ic|/proc/<pid>}} directories beyond their own, [[Users and groups#Group management|add them to the group]].<br />
<br />
For example, to hide process information from other users except those in the {{ic|proc}} group:<br />
<br />
{{hc|/etc/fstab|2=<br />
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0<br />
}}<br />
<br />
For user sessions to work correctly, an exception needs to be added for ''systemd-logind'':<br />
<br />
{{hc|/etc/systemd/system/systemd-logind.service.d/hidepid.conf|2=<br />
[Service]<br />
SupplementaryGroups=proc<br />
}}<br />
<br />
=== Restricting module loading ===<br />
<br />
The default Arch kernel has {{ic|CONFIG_MODULE_SIG_ALL}} enabled which signs all kernel modules build as part of the {{Pkg|linux}} package. This allows the kernel to restrict modules to be only loaded when they are signed with a valid key, in practical terms this means that all out of tree modules compiled locally or provides by packages such as {{Pkg|virtualbox-host-modules-arch}} cannot be loaded. Kernel module loading can be restricted by setting the [[kernel parameter]] {{ic|1=module.sig_enforce=1}}. More information can be found at the [https://docs.kernel.org/admin-guide/module-signing.html kernel documentation].<br />
<br />
=== Disable kexec ===<br />
<br />
Kexec allows replacing the current running kernel.<br />
<br />
{{hc|/etc/sysctl.d/51-kexec-restrict.conf|2=<br />
kernel.kexec_load_disabled = 1<br />
}}<br />
<br />
{{Tip|kexec is disabled by default in {{pkg|linux-hardened}}.}}<br />
<br />
=== Kernel lockdown mode ===<br />
<br />
Since Linux 5.4 the kernel [https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aefcf2f4b58155d27340ba5f9ddbe9513da8286d has gained] an optional [https://mjg59.dreamwidth.org/55105.html lockdown feature], intended to strengthen the boundary between UID 0 (root) and the kernel. When enabled some applications may cease to work who rely on low-level access to either hardware or the kernel.<br />
<br />
To use lockdown, its LSM must be initialized and a lockdown mode must be set.<br />
<br />
All [[Kernel#Officially supported kernels|officially supported kernels]] initialize the LSM, but none of them enforce any lockdown mode. <br />
<br />
{{Tip|Enabled LSMs can be verified by running {{ic|cat /sys/kernel/security/lsm}}.}}<br />
<br />
Lockdown has two modes of operation:<br />
<br />
* {{ic|integrity}}: kernel features that allow userland to modify the running kernel are disabled (kexec, bpf).<br />
* {{ic|confidentiality}}: kernel features that allow userland to extract confidential information from the kernel are also disabled.<br />
<br />
To enable kernel lockdown at runtime, run:<br />
<br />
# echo ''mode'' > /sys/kernel/security/lockdown<br />
<br />
To enable kernel lockdown on boot, use the [[kernel parameter]] {{ic|1=lockdown=''mode''}}.<br />
<br />
{{Note|<br />
* Kernel lockdown cannot be disabled at runtime.<br />
* Kernel lockdown disables [[hibernation]].<br />
}}<br />
<br />
See also {{man|7|kernel_lockdown}}.<br />
<br />
=== Linux Kernel Runtime Guard (LKRG) ===<br />
<br />
[https://www.openwall.com/lkrg/ LKRG] ({{AUR|lkrg-dkms}}) is a kernel module which performs integrity checking of the kernel and detection of exploit attempts.<br />
<br />
== Sandboxing applications ==<br />
<br />
See also [[Wikipedia:Sandbox (computer security)]].<br />
<br />
{{Note|The user namespace configuration item {{ic|CONFIG_USER_NS}} is currently enabled in {{Pkg|linux}} (4.14.5 or later), {{Pkg|linux-lts}} (4.14.15 or later), {{Pkg|linux-zen}} (4.14.4-2 or later) and {{Pkg|linux-hardened}}. Lack of it may prevent certain sandboxing features from being made available to applications.}}<br />
<br />
{{Warning|Unprivileged user namespace usage ({{ic|CONFIG_USER_NS_UNPRIVILEGED}}) is enabled by default in {{Pkg|linux}} (5.1.8 or later), {{Pkg|linux-lts}} (4.19.55-2 or later) and {{Pkg|linux-zen}} (5.1.14.zen1-2 or later) unless the {{ic|kernel.unprivileged_userns_clone}} [[sysctl]] is set to {{ic|0}}. Since this greatly increases the attack surface for local privilege escalation, it is advised to disable this manually, or use the {{Pkg|linux-hardened}} kernel. For more information see {{Bug|36969}}.}}<br />
<br />
=== Firejail ===<br />
<br />
[[Firejail]] is an easy to use and simple tool for sandboxing applications and servers alike. Firejail is suggested for browsers and internet facing applications, as well as any servers you may be running.<br />
<br />
=== bubblewrap ===<br />
<br />
[[bubblewrap]] is a sandbox application developed from [[Wikipedia:Flatpak|Flatpak]] with an even smaller resource footprint than Firejail. While it lacks certain features such as file path whitelisting, bubblewrap does offer bind mounts as well as the creation of user/IPC/PID/network/cgroup namespaces and can support both simple and complex sandboxes.<br />
<br />
=== chroots ===<br />
<br />
Manual [[chroot]] jails can also be constructed.<br />
<br />
=== Linux containers ===<br />
<br />
[[Linux Containers]] are another good option when you need more separation than the other options (short of KVM and VirtualBox) provide. LXC is run on top of the existing kernel in a pseudo-chroot with their own virtual hardware.<br />
<br />
=== Other virtualization options ===<br />
<br />
Using full virtualization options such as [[VirtualBox]], [[KVM]], [[Xen]] or [https://www.qubes-os.org/ Qubes OS] (based on Xen) can also improve isolation and security in the event you plan on running risky applications or browsing dangerous websites.<br />
<br />
== Network and firewalls ==<br />
<br />
=== Firewalls ===<br />
<br />
While the stock Arch kernel is capable of using [[Wikipedia:Netfilter|Netfilter]]'s [[iptables]] and [[nftables]], they are not enabled by default. It is highly recommended to set up some form of firewall to protect the services running on the system. Many resources (including ArchWiki) do not state explicitly which services are worth protecting, so enabling a firewall is a good precaution.<br />
<br />
* See [[iptables]] and [[nftables]] for general information.<br />
* See [[Simple stateful firewall]] for a guide on setting up an iptables firewall.<br />
* See [[:Category:Firewalls]] for other ways of setting up netfilter.<br />
* See [[Ipset]] for blocking lists of ip addresses, such as those from Bluetack.<br />
* {{AUR|Opensnitch}} is a configurable inbound and outbound firewall with support for configurable rules by application, port, host, etc.<br />
<br />
==== Open ports ====<br />
<br />
{{Style|"Open ports" is not a good title since it disregards interfaces and addresses that the application may be bound to. From the firewalls' point of view, ports may be "open" even if no application listens on them at the moment.}}<br />
<br />
Some services listen for inbound traffic on open network ports. It is important to only bind these services to the addresses and interfaces that are strictly necessary. It may be possible for a remote attacker to [https://samy.pl/slipstream/ exploit flawed network protocols to access exposed services]. This can even happen with [https://nvd.nist.gov/vuln/detail/CVE-2019-13450 processes bound to localhost].<br />
<br />
In general, if a service only needs to be accessible to the local system, bind to a Unix domain socket ({{man|7|unix}}) or a loopback address such as {{ic|localhost}} instead of a non-loopback address like {{ic|0.0.0.0/0}}.<br />
<br />
If a service needs to be accessible to other systems via the network, control the access with strict [[firewall]] rules and configure authentication, authorization and encryption whenever possible.<br />
<br />
You can list all current open ports with {{ic|ss -l}}. To show all '''l'''istening '''p'''rocesses and their '''n'''umeric '''t'''cp and '''u'''dp port numbers:<br />
<br />
# ss -lpntu<br />
<br />
See {{man|8|ss}} for more options.<br />
<br />
=== Kernel parameters ===<br />
<br />
Kernel parameters which affect networking can be set using [[Sysctl]]. For how to do this, see [[Sysctl#TCP/IP stack hardening]].<br />
<br />
=== SSH ===<br />
<br />
To mitigate [[Wikipedia:Brute-force attack|brute-force attacks]] it is recommended to enforce key-based authentication. For OpenSSH, see [[OpenSSH#Force public key authentication]]. Alternatively [[Fail2ban]] or [[Sshguard]] offer lesser forms of protection by monitoring logs and writing [[firewall]] rules but open up the potential for a denial of service, since an attacker can [[wikipedia:Spoofing_attack#Spoofing_and_TCP/IP|spoof]] packets as if they came from the administrator after identifying their address. Spoofing IP has lines of defense, such as by [[sysctl#Reverse path filtering|reverse path filtering]] and [[sysctl#Disable ICMP redirects|disabling ICMP redirects]].<br />
<br />
You may want to harden authentication even more by using two-factor authentication. [[Google Authenticator]] provides a two-step authentication procedure using one-time passcodes (OTP).<br />
<br />
Denying root login is also a good practice, both for tracing intrusions and adding an additional layer of security before root access. For OpenSSH, see [[OpenSSH#Deny]].<br />
<br />
Mozilla publishes an [https://infosec.mozilla.org/guidelines/openssh.html OpenSSH configuration guide] which configures more verbose audit logging and restricts ciphers.<br />
<br />
=== DNS ===<br />
<br />
The default domain name resolution (DNS) configuration is highly compatible but has security weaknesses. See [[Domain name resolution#Privacy and security|DNS privacy and security]] for more information.<br />
<br />
=== Proxies ===<br />
<br />
Proxies are commonly used as an extra layer between applications and the network, sanitizing data from untrusted sources. The attack surface of a small proxy running with lower privileges is significantly smaller than a complex application running with the end user privileges.<br />
<br />
For example the DNS resolver is implemented in {{Pkg|glibc}}, that is linked with the application (that may be running as root), so a bug in the DNS resolver might lead to a remote code execution. This can be prevented by installing a DNS caching server, such as [[dnsmasq]], which acts as a proxy. [https://googleonlinesecurity.blogspot.it/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html]<br />
<br />
=== Managing TLS certificates ===<br />
<br />
See [[TLS#Trust management]].<br />
<br />
== Physical security ==<br />
<br />
Physical access to a computer is root access given enough time and resources. However, a high ''practical'' level of security can be obtained by putting up enough barriers.<br />
<br />
An attacker can gain full control of your computer on the next boot by simply attaching a malicious IEEE 1394 (FireWire), Thunderbolt or PCI Express device as they are given full memory access by default.[https://web.archive.org/web/20210312083421/http://breaknenter.org/2014/09/inception-metasploit-integration/] For Thunderbolt, you can restrict the direct memory access completely or to known devices, see [[Thunderbolt#User device authorization]]. For Firewire and PCI Express, here is little you can do from preventing this, or modification of the hardware itself - such as flashing malicious firmware onto a drive. However, the vast majority of attackers will not be this knowledgeable and determined.<br />
<br />
[[#Data-at-rest encryption]] will prevent access to your data if the computer is stolen, but malicious firmware can be installed to obtain this data upon your next log in by a resourceful attacker.<br />
<br />
=== Locking down BIOS ===<br />
<br />
Adding a password to the BIOS prevents someone from booting into removable media, which is basically the same as having root access to your computer. You should make sure your drive is first in the boot order and disable the other drives from being bootable if you can.<br />
<br />
=== Boot loaders ===<br />
<br />
It is highly important to protect your [[boot loader]]. An unprotected boot loader can bypass any login restrictions, e.g. by setting the {{ic|1=init=/bin/sh}} [[kernel parameter]] to boot directly to a shell.<br />
<br />
==== Syslinux ====<br />
<br />
Syslinux supports [[Syslinux#Security|password-protecting your bootloader]]. It allows you to set either a per-menu-item password or a global bootloader password.<br />
<br />
==== GRUB ====<br />
<br />
[[GRUB]] supports bootloader passwords as well. See [[GRUB/Tips and tricks#Password protection of GRUB menu]] for details. It also has support for [[GRUB#Encrypted /boot|encrypted /boot]], which only leaves some parts of the bootloader code unencrypted. GRUB's configuration, [[kernel]] and [[initramfs]] are encrypted.<br />
<br />
=== Secure Boot ===<br />
<br />
[[Secure Boot]] is a feature of [[UEFI]] that allows authentication of the files your computer boots. This helps preventing some [[Wikipedia:Evil maid attack|evil maid attacks]] such as replacing files inside the boot partition. Normally computers come with keys that are enrolled by vendors (OEM). However these can be removed and allow the computer to enter ''Setup Mode'' which allows the user to enroll and manage their own keys.<br />
<br />
The secure boot page guides you through how to set secure boot up by [[Unified Extensible Firmware Interface/Secure Boot#Using your own keys|using your own keys]].<br />
<br />
=== Trusted Platform Module (TPM) ===<br />
<br />
[[Trusted Platform Module|TPMs]] are hardware microprocessors which have cryptographic keys embedded. This forms the fundamental root of trust of most modern computers and allows end-to-end verification of the boot chain. They can be used as internal smartcards, attest the firmware running on the computer and allow users to insert secrets into a tamper-proof and brute-force resistant store.<br />
<br />
=== Boot partition on removable flash drive ===<br />
<br />
One popular idea is to place the boot partition on a flash drive in order to render the system unbootable without it. Proponents of this idea often use [[#Data-at-rest encryption|full-disk encryption]] alongside, and some also use [[Dm-crypt/Specialties#Encrypted system using a detached LUKS header|detached encryption headers]] placed on the boot partition.<br />
<br />
This method can also be merged with [[Dm-crypt/Specialties#Encrypted /boot and a detached LUKS header on USB|encrypting /boot]].<br />
<br />
=== Automatic logout ===<br />
<br />
If you are using [[Bash]] or [[Zsh]], you can set {{ic|TMOUT}} for an automatic logout from shells after a timeout.<br />
<br />
For example, the following will automatically log out from virtual consoles (but not terminal emulators in X11):<br />
<br />
{{hc|/etc/profile.d/shell-timeout.sh|<nowiki><br />
TMOUT="$(( 60*10 ))";<br />
[ -z "$DISPLAY" ] && export TMOUT;<br />
case $( /usr/bin/tty ) in<br />
/dev/tty[0-9]*) export TMOUT;;<br />
esac<br />
</nowiki>}}<br />
<br />
If you really want EVERY Bash/Zsh prompt (even within X) to timeout, use:<br />
<br />
$ export TMOUT="$(( 60*10 ))";<br />
<br />
Note that this will not work if there is some command running in the shell (eg.: an SSH session or other shell without {{ic|TMOUT}} support). But if you are using VC mostly for restarting frozen GDM/Xorg as root, then this is very useful.<br />
<br />
=== Protect against rogue USB devices ===<br />
<br />
Install [[USBGuard]], which is a software framework that helps to protect your computer against rogue USB devices (a.k.a. [https://opensource.srlabs.de/projects/badusb BadUSB], [https://github.com/samyk/poisontap PoisonTap] or [https://lanturtle.com/ LanTurtle]) by implementing basic whitelisting and blacklisting capabilities based on device attributes.<br />
<br />
=== Volatile data collection ===<br />
<br />
A computer that is powered on may be vulnerable to [https://fedvte.usalearning.gov/courses/CSI/course/videos/pdf/CSI_D01_S05_T01_STEP.pdf volatile data collection]{{Dead link|2022|09|23|status=403}}. It is a best practice to turn a computer completely off at times it is not necessary for it to be on, or if the computer's physical security is temporarily compromised (e.g. when passing through a security checkpoint).<br />
<br />
== Packages ==<br />
<br />
=== Authentication ===<br />
<br />
[https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html#overview Attacks on package managers] are possible without proper use of package signing, and can affect even package managers with [https://www2.cs.arizona.edu/stork/packagemanagersecurity/faq.html proper signature systems]. Arch uses package signing by default and relies on a web of trust from 5 trusted master keys. See [[Pacman-key]] for details.<br />
<br />
=== Upgrades ===<br />
<br />
It is important to regularly [[System maintenance#Upgrading the system|upgrade the system]].<br />
<br />
=== Follow vulnerability alerts ===<br />
<br />
Subscribe to the Common Vulnerabilities and Exposure (CVE) Security Alert updates, made available by National Vulnerability Database, and found on the [https://nvd.nist.gov/download.cfm NVD Download webpage]. The [https://security.archlinux.org/ Arch Linux Security Tracker] serves as a particularly useful resource in that it combines Arch Linux Security Advisory (ASA), Arch Linux Vulnerability Group (AVG) and CVE data sets in tabular format. The tool {{Pkg|arch-audit}} can be used to check for vulnerabilities affecting the running system. A graphical system tray, {{Pkg|arch-audit-gtk}}, can also be used. See also [[Arch Security Team]].<br />
<br />
You should also consider subscribing to the release notifications for software you use, especially if you install software through means other than the main repositories or AUR. Some software have mailing lists you can subscribe to for security notifications. Source code hosting sites often offer RSS feeds for new releases.<br />
<br />
=== Rebuilding packages ===<br />
<br />
Packages can be rebuilt and stripped of undesired functions and features as a means to reduce attack surface. For example, {{Pkg|bzip2}} can be rebuilt without {{ic|bzip2recover}} in an attempt to circumvent [https://security.archlinux.org/CVE-2016-3189 CVE-2016-3189]. Custom hardening flags can also be applied either manually or via a wrapper.<br />
<br />
{{Merge|Arch package guidelines/Security|Security related build flags have their own article.}}<br />
<br />
{{Accuracy|Copy-pasted from a 3 years old blog post. The compiler flags are specific to [[GCC]], some are hardly security related (e.g. {{ic|-O2}}, {{ic|-g}}, {{ic|-Wall}}).}}<br />
<br />
{| class="wikitable"<br />
! Flag !! Purpose<br />
|-<br />
| -D_FORTIFY_SOURCE=2 || Run-time buffer overflow detection <br />
|-<br />
| -D_GLIBCXX_ASSERTIONS || Run-time bounds checking for C++ strings and containers <br />
|-<br />
| -fasynchronous-unwind-tables || Increased reliability of backtraces <br />
|-<br />
| -fexceptions || Enable table-based thread cancellation <br />
|-<br />
| -fpie -Wl,-pie || Full ASLR for executables <br />
|-<br />
| -fpic -shared || No text relocations for shared libraries <br />
|-<br />
| -fplugin=annobin || Generate data for hardening quality control <br />
|-<br />
| -fstack-clash-protection || Increased reliability of stack overflow detection <br />
|-<br />
| -fstack-protector or -fstack-protector-all || Stack smashing protector <br />
|-<br />
| -fstack-protector-strong || Likewise <br />
|-<br />
| -g || Generate debugging information <br />
|-<br />
| -grecord-gcc-switches || Store compiler flags in debugging information <br />
|-<br />
| -mcet -fcf-protection || Control flow integrity protection <br />
|-<br />
| -O2 || Recommended optimizations <br />
|-<br />
| -pipe || Avoid temporary files, speeding up builds <br />
|-<br />
| -Wall || Recommended compiler warnings <br />
|-<br />
| -Werror=format-security || Reject potentially unsafe format string arguments <br />
|-<br />
| -Werror=implicit-function-declaration || Reject missing function prototypes <br />
|-<br />
| -Wl,-z,defs || Detect and reject underlinking <br />
|-<br />
| -Wl,-z,now || Disable lazy binding <br />
|-<br />
| -Wl,-z,relro || Read-only segments after relocation <br />
|}<br />
<br />
* [https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ Flags and info source]<br />
<br />
== See also ==<br />
<br />
* [https://security.archlinux.org/ Arch Linux Security Tracker]<br />
* [https://wiki.centos.org/HowTos/OS_Protection CentOS Wiki: OS Protection]<br />
* [https://developer.ibm.com/technologies/linux/articles/l-harden-desktop/ Hardening the Linux desktop]<br />
* [https://web.archive.org/web/20190701140035/https://www.ibm.com/developerworks/linux/tutorials/l-harden-server/index.html Hardening the Linux server]<br />
* [https://github.com/lfit/itpol/blob/master/linux-workstation-security.md Linux Foundation: Linux workstation security checklist]<br />
* [https://www.privacyguides.org/ privacyguides.org Privacy Resources]<br />
* [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/ Red Hat Enterprise Linux 7 Security Guide]<br />
* [https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html Securing Debian Manual]<br />
* [https://web.archive.org/web/20140220055801/http://crunchbang.org:80/forums/viewtopic.php?id=24722 The paranoid #! Security Guide]</div>Eldoghttps://wiki.archlinux.org/index.php?title=Very_Secure_FTP_Daemon&diff=519962Very Secure FTP Daemon2018-05-02T12:09:22Z<p>Eldog: Add failure to list directory with more than a few files use case for seccomp_sandbox=NO option</p>
<hr />
<div>[[Category:FTP servers]]<br />
[[cs:Very Secure FTP Daemon]]<br />
[[es:Very Secure FTP Daemon]]<br />
[[it:Very Secure FTP Daemon]]<br />
[[ja:Very Secure FTP Daemon]]<br />
[[ru:Very Secure FTP Daemon]]<br />
[[zh-hans:Very Secure FTP Daemon]]<br />
[https://security.appspot.com/vsftpd.html vsftpd] (''Very Secure FTP Daemon'') is a lightweight, stable and secure FTP server for UNIX-like systems.<br />
<br />
== Installation ==<br />
<br />
[[Install]] {{pkg|vsftpd}} and [[start/enable]] the {{ic|vsftpd.service}} daemon.<br />
<br />
To use [[Wikipedia:xinetd|xinetd]] for monitoring and controlling vsftpd connections, see [[#Using xinetd]].<br />
<br />
== Configuration ==<br />
Most of the settings in vsftpd are done by editing the file {{ic|/etc/vsftpd.conf}}. The file itself is well-documented, so this section only highlights some important changes you may want to modify. For all available options and documentation, see the {{man|5|vsftpd.conf}} man page. Files are served by default from {{ic|/srv/ftp}}.<br />
<br />
Enable connections {{ic|/etc/hosts.allow}}:<br />
# Allow all connections<br />
vsftpd: ALL<br />
# IP address range<br />
vsftpd: 10.0.0.0/255.255.255.0<br />
<br />
=== Enabling uploading ===<br />
The {{Ic|WRITE_ENABLE}} flag must be set to YES in {{ic|/etc/vsftpd.conf}} in order to allow changes to the filesystem, such as uploading:<br />
write_enable=YES<br />
<br />
=== Local user login ===<br />
One must set the line {{ic|local_enable}} in {{ic|/etc/vsftpd.conf}} to {{ic|YES}} in order to allow users in {{ic|/etc/passwd}} to login:<br />
local_enable=YES<br />
<br />
=== Anonymous login ===<br />
These lines controls whether anonymous users can login. By default, anonymous logins are enabled for download only from {{ic|/srv/ftp}}:<br />
{{hc|1=/etc/vsftpd.conf|2=<br />
...<br />
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).<br />
anonymous_enable=YES<br />
...<br />
# Uncomment this to allow the anonymous FTP user to upload files. This only<br />
# has an effect if the above global write enable is activated. Also, you will<br />
# obviously need to create a directory writable by the FTP user.<br />
#anon_upload_enable=YES<br />
#<br />
# Uncomment this if you want the anonymous FTP user to be able to create<br />
# new directories.<br />
#anon_mkdir_write_enable=YES<br />
...<br />
}}<br />
You may also add e.g. the following options (see {{man|5|vsftpd.conf}} for more):<br />
{{hc|1=/etc/vsftpd.conf|2=<br />
# No password is required for an anonymous login <br />
no_anon_password=YES<br />
<br />
# Maximum transfer rate for an anonymous client in Bytes/second <br />
anon_max_rate=30000<br />
<br />
# Directory to be used for an anonymous login <br />
anon_root=/example/directory/<br />
}}<br />
<br />
=== Chroot jail ===<br />
A chroot environment that prevents the user from leaving its home directory can be set up. To enable this, add the following lines to {{ic|/etc/vsftpd.conf}}:<br />
chroot_list_enable=YES<br />
chroot_list_file=/etc/vsftpd.chroot_list<br />
The {{Ic|chroot_list_file}} variable specifies the file which contains users that are jailed.<br />
<br />
For a more restricted environment, specify the line:<br />
chroot_local_user=YES<br />
This will make local users jailed by default. In this case, the file specified by {{Ic|chroot_list_file}} lists users that are '''not''' in a chroot jail.<br />
<br />
=== Limiting user login ===<br />
It's possible to prevent users from logging into the FTP server by adding two lines to {{ic|/etc/vsftpd.conf}}:<br />
userlist_enable=YES<br />
userlist_file=/etc/vsftpd.user_list<br />
{{Ic|userlist_file}} now specifies the file which lists users that are not able to login.<br />
<br />
If you only want to allow certain users to login, add the line:<br />
userlist_deny=NO<br />
The file specified by {{Ic|userlist_file}} will now contain users that are able to login.<br />
<br />
=== Limiting connections ===<br />
The data transfer rate, i.e. number of clients and connections per IP for local users can be limited by adding the information in {{ic|/etc/vsftpd.conf}}:<br />
local_max_rate=1000000 # Maximum data transfer rate in bytes per second<br />
max_clients=50 # Maximum number of clients that may be connected<br />
max_per_ip=2 # Maximum connections per IP<br />
<br />
=== Using xinetd ===<br />
<br />
Xinetd provides enhanced capabilities for monitoring and controlling connections. It is not necessary though for a basic good working vsftpd-server.<br />
<br />
Installation of vsftpd will add a necessary service file, {{ic|/etc/xinetd.d/vsftpd}}. By default services are disabled. Enable the ftp service:<br />
<pre><br />
service ftp<br />
{<br />
socket_type = stream<br />
wait = no<br />
user = root<br />
server = /usr/bin/vsftpd<br />
log_on_success += HOST DURATION<br />
log_on_failure += HOST<br />
disable = no<br />
}<br />
</pre><br />
<br />
If you have set the vsftpd daemon to run in standalone mode make the following change in {{ic|/etc/vsftpd.conf}}:<br />
listen=NO<br />
Otherwise connection will fail:<br />
500 OOPS: could not bind listening IPv4 socket<br />
<br />
Instead of starting the vsftpd daemon start and [[enable]] {{ic|xinetd.service}}.<br />
<br />
=== Using SSL/TLS to secure FTP ===<br />
<br />
First, you need a ''X.509 SSL/TLS'' certificate to use TLS. If you do not have one, you can easily generate a self-signed certificate as follows: <br />
# cd /etc/ssl/certs<br />
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem<br />
# chmod 600 vsftpd.pem<br />
You will be asked questions about your company, etc. As your certificate is not a trusted one, it does not really matter what is filled in, it will just be used for encryption. To use a trusted certificate, you can get one from a certificate authority like [[Let's Encrypt]]. <br />
<br />
Then, edit the configuration file:<br />
{{hc|/etc/vsftpd.conf|2=<br />
ssl_enable=YES<br />
<br />
# if you accept anonymous connections, you may want to enable this setting<br />
#allow_anon_ssl=NO<br />
<br />
# by default all non anonymous logins and forced to use SSL to send and receive password and data, set to NO to allow non secure connections<br />
force_local_logins_ssl=NO<br />
force_local_data_ssl=NO<br />
<br />
# TLS v1 protocol connections are preferred and this mode is enabled by default while SSL v2 and v3 are disabled<br />
# the settings below are the default ones and do not need to be changed unless you specifically need SSL<br />
#ssl_tlsv1=YES<br />
#ssl_sslv2=NO<br />
#ssl_sslv3=NO<br />
<br />
# provide the path of your certificate and of your private key<br />
# note that both can be contained in the same file or in different files<br />
rsa_cert_file=/etc/ssl/certs/vsftpd.pem<br />
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem<br />
<br />
# this setting is set to YES by default and requires all data connections exhibit session reuse which proves they know the secret of the control channel.<br />
# this is more secure but is not supported by many FTP clients, set to NO for better compatibility<br />
require_ssl_reuse=NO<br />
}}<br />
<br />
=== Resolve hostname in passive mode ===<br />
To override the IP address vsftpd advertises in passive mode by the hostname of your server and have it DNS resolved at startup, add the following two lines in {{ic|/etc/vsftpd.conf}}:<br />
pasv_addr_resolve=YES<br />
pasv_address=''yourdomain.org''<br />
<br />
{{Note|<br />
* For dynamic DNS, it is '''not''' necessary to periodically update ''pasv_address'' and restart the server as it can sometimes be read.<br />
* You may not be able to connect in passive mode via LAN anymore, in this case try the active mode instead from the LAN clients.<br />
}}<br />
<br />
=== Port configurations ===<br />
It may be necessary to adjust the default FTP listening port and the passive mode data ports:<br />
* For FTP servers exposed to the web, to reduce the likelihood of the server being attacked, the listening port can be changed to something other than the standard port 21. <br />
* To limit the passive mode ports to open ports, a range can be provided.<br />
The ports can be defined in the configuration file as illustrated below:<br />
{{hc|/etc/vsftpd.conf|2=<br />
listen_port=2211<br />
<br />
pasv_min_port=5000<br />
pasv_max_port=5003<br />
}}<br />
<br />
=== Configuring iptables ===<br />
Often the server running the FTP daemon is protected by an [[iptables]] firewall. To allow access to the FTP server the corresponding port needs to be opened using something like<br />
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT<br />
This article won't provide any instruction on how to set up iptables but here is an example: [[Simple stateful firewall]].<br />
<br />
There are some kernel modules needed for proper FTP connection handling by iptables that should be referenced here. Among those especially ''nf_conntrack_ftp''. It is needed as FTP uses the given ''listen_port'' (21 by default) for commands only; all the data transfer is done over different ports. These ports are chosen by the FTP daemon at random and for each session (also depending on whether active or passive mode is used). To tell iptables that packets on ports should be accepted, ''nf_conntrack_ftp'' is required. To load it automatically on boot create a new file in {{ic|/etc/modules-load.d}} e.g.:<br />
# echo nf_conntrack_ftp > /etc/modules-load.d/nf_conntrack_ftp.conf<br />
<br />
If the kernel >= 4.7 you either need to set ''net.netfilter.nf_conntrack_helper=1'' via ''sysctl'' e.g. <br />
# echo net.netfilter.nf_conntrack_helper=1 > /etc/sysctl.d/70-conntrack.conf<br />
or use<br />
# iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp<br />
<br />
== Tips and tricks ==<br />
=== PAM with virtual users ===<br />
Since [[PAM]] no longer provides {{ic|pam_userdb.so}} another easy method is to use {{AUR|libpam_pwdfile}}. For environments with many users another option could be {{AUR|pam_mysql}}{{Broken package link|{{aur-mirror|pam_mysql}}}}. This section is however limited to explain how to configure a chroot environment and authentication by {{ic|pam_pwdfile.so}}.<br />
<br />
In this example we create the directory {{ic|vsftpd}}:<br />
# mkdir /etc/vsftpd<br />
<br />
One option to create and store user names and passwords is to use the Apache generator htpasswd:<br />
# htpasswd -c /etc/vsftpd/.passwd<br />
A problem with the above command is that vsftpd might not be able to read the generated MD5 hashed password. If running the same command with the -d switch, crypt() encryption, password become readable by vsftpd, but the downside of this is less security and a password limited to 8 characters. Openssl could be used to produce a MD5 based BSD password with algorithm 1:<br />
# openssl passwd -1<br />
<br />
Whatever solution the produced {{ic|/etc/vsftpd/.passwd}} should look like this:<br />
username1:hashed_password1<br />
username2:hashed_password2<br />
...<br />
<br />
Next you need to create a PAM service using {{ic|pam_pwdfile.so}} and the generated {{ic|/etc/vsftpd/.passwd}} file. In this example we create a PAM policy for ''vsftpd'' with the following content:<br />
{{hc|/etc/pam.d/vsftpd|auth required pam_pwdfile.so pwdfile /etc/vsftpd/.passwd<br />
account required pam_permit.so}}<br />
<br />
Now it is time to create a home for the virtual users. In the example {{ic|/srv/ftp}} is decided to host data for virtual users, which also reflects the default directory structure of Arch. First create the general user virtual and make {{ic|/srv/ftp}} its home:<br />
# useradd -d /srv/ftp virtual<br />
Make virtual the owner:<br />
# chown virtual:virtual /srv/ftp<br />
<br />
A basic {{ic|/etc/vsftpd.conf}} with no private folders configured, which will default to the home folder of the virtual user:<br />
# pointing to the correct PAM service file<br />
pam_service_name=vsftpd<br />
write_enable=YES<br />
hide_ids=YES<br />
listen=YES<br />
connect_from_port_20=YES<br />
anonymous_enable=NO<br />
local_enable=YES<br />
dirmessage_enable=YES<br />
xferlog_enable=YES<br />
chroot_local_user=YES<br />
guest_enable=YES<br />
guest_username=virtual<br />
virtual_use_local_privs=YES<br />
<br />
Some parameters might not be necessary for your own setup. If you want the chroot environment to be writable you will need to add the following to the configuration file:<br />
allow_writeable_chroot=YES<br />
Otherwise vsftpd because of default security settings will complain if it detects that chroot is writable.<br />
<br />
[[Start]] {{ic|vsftpd.service}}.<br />
<br />
You should now be able to login from a ftp-client with any of the users and passwords stored in {{ic|/etc/vsftpd/.passwd}}.<br />
<br />
==== Adding private folders for the virtual users ====<br />
First create directories for users:<br />
# mkdir /srv/ftp/user1<br />
# mkdir /srv/ftp/user2<br />
# chown virtual:virtual /srv/ftp/user?/<br />
<br />
Then, add the following lines to {{ic|/etc/vsftpd.conf}}:<br />
local_root=/srv/ftp/$USER<br />
user_sub_token=$USER<br />
<br />
== Troubleshooting ==<br />
<br />
=== vsftpd: no connection (Error 500) with recent kernels (3.5 and newer) and .service ===<br />
If you encounter failures when listing directories with more than a few files add this to your /etc/vsftpd.conf<br />
seccomp_sandbox=NO<br />
<br />
=== vsftpd: refusing to run with writable root inside chroot() ===<br />
As of vsftpd 2.3.5, the chroot directory that users are locked to must not be writable. This is in order to prevent a security vulnerabilty.<br />
<br />
The safe way to allow upload is to keep chroot enabled, and configure your FTP directories.<br />
<br />
local_root=/srv/ftp/user<br />
<br />
# mkdir -p /srv/ftp/user/upload<br />
#<br />
# chmod 550 /srv/ftp/user<br />
# chmod 750 /srv/ftp/user/upload<br />
<br />
If you must:<br />
<br />
You can put this into your {{ic|/etc/vsftpd.conf}} to workaround this security enhancement (since vsftpd 3.0.0; from [http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/ Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()]):<br />
allow_writeable_chroot=YES<br />
or alternative:<br />
<br />
Install {{AUR|vsftpd-ext}}{{Broken package link|{{aur-mirror|vsftpd-ext}}}} and set in the conf file allow_writable_root=YES<br />
<br />
=== FileZilla Client: GnuTLS error -8 -15 -110 when connecting via SSL ===<br />
vsftpd tries to display plain-text error messages in the SSL session. In order to debug this, temporarily disable encryption and you will see the correct error message.[http://ramblings.linkerror.com/?p=45] [https://serverfault.com/questions/772494/vsftpd-list-causes-gnutls-error-15]<br />
<br />
=== vsftpd.service fails to run on boot ===<br />
If you have enabled {{ic|vsftpd.service}} and it fails to run on boot, make sure it is set to load after {{ic|network.target}} in the service file:<br />
<br />
{{hc|/usr/lib/systemd/system/vsftpd.service|2=<br />
[Unit]<br />
Description=vsftpd daemon<br />
After=network.target}}<br />
<br />
=== ipv6 only fails with: 500 OOPS: run two copies of vsftpd for IPv4 and IPv6 ===<br />
you most likely have commented out the line<br />
<br />
# When "listen" directive is enabled, vsftpd runs in standalone mode and<br />
# listens on IPv4 sockets. This directive cannot be used in conjunction<br />
# with the listen_ipv6 directive.<br />
#listen=YES<br />
#<br />
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6<br />
# sockets, you must run two copies of vsftpd with two configuration files.<br />
# Make sure, that one of the listen options is commented !!<br />
listen_ipv6=YES<br />
<br />
instead of setting<br />
<br />
# When "listen" directive is enabled, vsftpd runs in standalone mode and<br />
# listens on IPv4 sockets. This directive cannot be used in conjunction<br />
# with the listen_ipv6 directive.<br />
listen=NO<br />
<br />
=== vsftpd connections fail on a machine using nis with: yp_bind_client_create_v2: RPC: Unable to send ===<br />
as mentioned on the vsftpd faq page, "...built-in sandboxing uses network isolation on Linux. This<br />
may be interfering with any module that needs to use the network to perform operations or lookups"<br />
<br />
add this undocumented line to your {{ic|/etc/vsftpd.conf}}<br />
isolate_network=NO<br />
<br />
== See also ==<br />
* [http://vsftpd.beasts.org/ vsftpd official homepage]<br />
* [http://vsftpd.beasts.org/vsftpd_conf.html vsftpd.conf man page]<br />
* [https://security.appspot.com/vsftpd/FAQ.txt vsftpd FAQ]</div>Eldoghttps://wiki.archlinux.org/index.php?title=Chromium&diff=468096Chromium2017-02-10T23:18:01Z<p>Eldog: When switching back from using Nvidia Optimus I couldn't get WebGL to work, deleting the Local State from my profile did the trick.</p>
<hr />
<div>[[Category:Web browser]]<br />
[[de:Chromium]]<br />
[[es:Chromium]]<br />
[[fr:chromium]]<br />
[[it:Chromium]]<br />
[[ja:Chromium]]<br />
[[ru:Chromium]]<br />
[[zh-hans:Chromium]]<br />
{{Related articles start}}<br />
{{Related|Chromium/Tips and tricks}}<br />
{{Related|Browser plugins}}<br />
{{Related|Firefox}}<br />
{{Related|Opera}}<br />
{{Related articles end}}<br />
<br />
[[Wikipedia:Chromium (web browser)|Chromium]] is an open-source graphical web browser from "The Chromium Project", based on the [[Wikipedia:Blink (web engine)|Blink]] rendering engine.<br />
<br />
== Installation ==<br />
<br />
The open-source project, '''Chromium''', can be [[install]]ed with the {{Pkg|chromium}} package. <br />
<br />
Other alternatives include:<br />
<br />
* {{App|Chromium Beta Channel|the beta version|https://googlechromereleases.blogspot.com/|{{AUR?|chromium-beta}}}}<br />
* {{App|Chromium Dev Channel|the development version|https://googlechromereleases.blogspot.com/|{{AUR|chromium-dev}}}}<br />
* {{App|Chromium snapshot builds|the untested nightly version|https://build.chromium.org/|{{AUR|chromium-snapshot-bin}}}}<br />
* {{App|Chromium with [[VA-API]] support|with a patch to enable VA-API|https://www.chromium.org/|{{AUR|chromium-vaapi}}}}<br />
<br />
The derived browser, '''Google Chrome''', bundled with Widevine [[Wikipedia:Encrypted Media Extensions|EME]] (for e.g. Netflix), can be [[install]]ed with the {{AUR|google-chrome}} package.<br />
<br />
Other alternatives include:<br />
<br />
* {{App|Google Chrome Beta Channel|the beta version|https://www.google.com/chrome|{{AUR|google-chrome-beta}}}}<br />
* {{App|Google Chrome Dev Channel|the development version|https://www.google.com/chrome|{{AUR|google-chrome-dev}}}}<br />
<br />
{{Note|Google Chrome dropped 32 bits support, and only supports 64 bits installation}}<br />
<br />
See these [https://chromium.googlesource.com/chromium/src/+/master/docs/chromium_browser_vs_google_chrome.md two] [http://news.softpedia.com/news/Google-Chrome-vs-Chromium-Understanding-Stable-Beta-Dev-Releases-and-Version-No-140060.shtml articles] for an explanation of the differences between Stable/Beta/Dev, as well as Chromium vs. Chrome and an explanation of the version numbering.<br />
<br />
On top of the different Chromium build channels, a number of forks exist with more or less special features; see [[List of applications#Blink-based]].<br />
<br />
== Configuration ==<br />
<br />
=== Default applications ===<br />
<br />
To set Chromium as the default browser and to change which applications Chromium launches when opening downloaded files, see [[default applications]].<br />
<br />
=== Flash Player plugin ===<br />
<br />
{{Note|Chromium no longer supports the Netscape plugin API (NPAPI), so {{pkg|flashplugin}} from the repositories cannot be used.}}<br />
<br />
''Pepper Flash'' is the Flash Player plugin, using the new Pepper plugin API. To install it for Chromium, [[install]] it the {{AUR|pepper-flash}} package.<br />
<br />
Make sure the plugin is enabled in {{ic|chrome://plugins}} and restart Chromium via its menu.<br />
<br />
=== Widevine Content Decryption Module plugin ===<br />
<br />
Widevine is Google's Encrypted Media Extensions (EME) Content Decryption Module (CDM). It is used to watch premium video content such as Netflix. It comes bundled with Chrome.<br />
<br />
To install the Widevine CDM for Chromium, install the {{AUR|chromium-widevine}} package.<br />
<br />
Make sure the plugin is enabled in {{ic|chrome://plugins}}.<br />
<br />
=== PDF viewer plugin ===<br />
<br />
Chromium and Google Chrome are bundled with the ''Chromium PDF Viewer'' plugin, so installing a third-party plugin is not required.<br />
<br />
If you prefer another implementation, disable the ''Chromium PDF Viewer'' plugin in {{ic|chrome://plugins}}, and install one of the following alternatives:<br />
<br />
==== PDF.js ====<br />
<br />
See the main article: [[Browser plugins#PDF.js]]<br />
<br />
=== Certificates ===<br />
<br />
Chromium uses [[Network Security Services|NSS]] for certificate management. Certificates can be managed in {{ic|Settings}} → {{ic|Show advanced settings...}} → {{ic|Manage Certificates...}}.<br />
<br />
== Tips and tricks ==<br />
<br />
See the main article: [[Chromium/Tips and tricks]].<br />
<br />
<br />
== Troubleshooting ==<br />
<br />
=== Constant freezes under KDE ===<br />
<br />
[[Uninstall]] {{pkg|libcanberra-pulse}}. See: [https://bbs.archlinux.org/viewtopic.php?pid=1228558 BBS#1228558].<br />
<br />
=== Fonts ===<br />
<br />
{{Note|Chromium does not fully integrate with fontconfig/GTK/Pango/X/etc. due to its sandbox. For more information, see the [https://dev.chromium.org/developers/linux-technical-faq Linux Technical FAQ].}}<br />
<br />
==== Font rendering issues in PDF plugin ====<br />
<br />
To fix the font rendering in some PDFs one has to install the {{Pkg|ttf-liberation}} package, otherwise the substituted font causes text to run into other text. This was [https://code.google.com/p/chromium/issues/detail?id=369991 reported on the chromium bug tracker] by an Arch user.<br />
<br />
=== Force 3D acceleration ===<br />
<br />
{{Warning|Disabling the rendering blacklist may cause unstable behaviour, including crashes of the host. See the bug reports in {{ic|chrome://gpu}}.}}<br />
<br />
First follow [[Hardware video acceleration]]. Then, to force 3D rendering, ''enable'' the flags: "Override software rendering list", "GPU rasterization", "Zero-copy rasterizer" in {{ic|chrome://flags}}. Check if it is working in {{ic|chrome://gpu}}. This may also alleviate tearing issues with the [[radeon]] driver.<br />
<br />
If "Native GpuMemoryBuffers" under {{ic|chrome://gpu}} mentions software rendering, you additionally need to pass the {{ic|--enable-native-gpu-memory-buffers}} flag, or some optimizations (like the zero-copy rasterizer) won't do anything. This flag isn't available under {{ic|chrome://flags}} - it must be passed in either the chromium-flags.conf file (as noted in [[Chromium/Tips_and_tricks#Making_flags_persistent]]) or directly on the command line.<br />
<br />
=== WebGL ===<br />
{{Warning|[[Catalyst]] does not support the {{ic|GL_ARB_robustness}} extension. When using this driver, it is possible that a malicious site could use WebGL to perform a DoS attack on your graphic card.}}<br />
<br />
There is the possibility that your graphics card has been blacklisted by Chromium. See [[#Force 3D acceleration]].<br />
<br />
If you are using Chromium with [[Bumblebee]], WebGL might crash due to GPU sandboxing. In this case, you can disable GPU sandboxing with {{ic|optirun chromium --disable-gpu-sandbox}}.<br />
<br />
Visit {{ic|chrome://gpu/}} for debugging information about WebGL support.<br />
<br />
Chromium can save incorrect data about your GPU in your user profile (e.g. if you use switch between an Nvidia card using Optimus and Intel, it will show the Nvidia card in {{ic|chrome://gpu}} even when you're not using it or primusrun/optirun). Running using a different user directory, e.g, {{ic|1=chromium --user-data-dir=$(mktemp -d)}} may solve this issue. For a persistent solution you can reset the GPU information by deleting {{ic|~/.config/chromium/Local\ State}}.<br />
<br />
=== Distorted GUI ===<br />
<br />
Chromium's graphical interface may look unsightly, distorted and zoomed in on high-DPI displays. To disable any attempts to scale display according to device DPI, use {{ic|1=--force-device-scale-factor=1}}.<br />
<br />
=== Disable keyring password prompt ===<br />
<br />
{{Accuracy|1=Is this a reference to a chrome 53 bug? [https://bbs.archlinux.org/viewtopic.php?id=216736] If so, it's fixed in 53.0.2785.101-1}}<br />
<br />
See [[GNOME/Keyring#Passwords are not remembered]]. You may also need to edit the Chromium command line to append {{ic|1=--password-store=gnome}}.<br />
<br />
== See also ==<br />
<br />
* [https://www.chromium.org/ Chromium homepage]<br />
* [https://googlechromereleases.blogspot.com Google Chrome release notes]<br />
* [https://chrome.google.com/webstore/category/home Chrome web store]<br />
* [[Wikipedia:Chromium (web browser)#Differences from Google Chrome|Differences between Chromium and Google Chrome]]<br />
* [http://peter.sh/experiments/chromium-command-line-switches/ List of Chromium command-line switches]</div>Eldoghttps://wiki.archlinux.org/index.php?title=Samba&diff=266734Samba2013-07-17T10:12:14Z<p>Eldog: /* smbnetfs */</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:Samba]]<br />
[[de:Samba]]<br />
[[da:Samba]]<br />
[[es:Samba]]<br />
[[fr:Samba]]<br />
[[it:Samba]]<br />
[[ru:Samba]]<br />
[[sr:Samba]]<br />
[[tr:Samba]]<br />
[[zh-CN:Samba]]<br />
[[zh-TW:Samba]]<br />
[[ja:Samba]]<br />
{{Article summary start|Summary}}<br />
{{Article summary text|Installing, configuring and troubleshooting Samba}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|NFS}}<br />
{{Article summary wiki|Samba Domain Controller}}<br />
{{Article summary end}}<br />
'''Samba''' is a re-implementation of the SMB/CIFS networking protocol, it facilitates file and printer sharing among Linux and Windows systems as an alternative to [[NFS]]. Some users say that Samba is easily configured and that operation is very straight-forward. However, many new users run into problems with its complexity and non-intuitive mechanism. It is strongly suggested that the user stick close to the following directions.<br />
<br />
==Required packages==<br />
===Server===<br />
To share files with Samba, install {{Pkg|samba}}, from the [[Official Repositories]].<br />
<br />
===Client===<br />
Only {{Pkg|smbclient}} is required to access files from a Samba/SMB/CIFS server. It is also available from the Official Repositories.<br />
<br />
==Server configuration==<br />
The {{ic|/etc/samba/smb.conf}} file must be created before starting the service. Once that is set up, users may opt for using an advanced configuration interface like SWAT.<br />
<br />
As root, copy the default Samba configuration file to {{ic|/etc/samba/smb.conf}}:<br />
{{bc|# cp /etc/samba/smb.conf.default /etc/samba/smb.conf}}<br />
<br />
===Creating a share===<br />
Edit {{ic|/etc/samba/smb.conf}}, scroll down to the '''Share Definitions''' section. The default configuration automatically creates a share for each user's home directory. It also creates a share for printers by default.<br />
<br />
There are a number of commented sample configurations included. More information about available options for shared resources can be found in {{ic|man smb.conf}}. [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html Here] is the on-line version.<br />
<br />
=== Creating user share path ===<br />
This marks the named objects for automatic export to the environment of subsequently executed commands:<br />
{{bc|<nowiki># export USERSHARES_DIR="/var/lib/samba/usershares"<br />
# export USERSHARES_GROUP="sambashare"</nowiki>}}<br />
This creates the usershares directory in var/lib/samba:<br />
{{bc|<nowiki># mkdir -p ${USERSHARES_DIR}</nowiki>}}<br />
This makes the group sambashare:<br />
{{bc|<nowiki># groupadd ${USERSHARES_GROUP}</nowiki>}}<br />
This changes the owner of the directory and group you just created to root:<br />
{{bc|<nowiki># chown root:${USERSHARES_GROUP} ${USERSHARES_DIR}</nowiki>}}<br />
This changes the permissions of the usershares directory so that users in the group sambashare can read, write and execute files:<br />
{{bc|<nowiki># chmod 01770 ${USERSHARES_DIR}</nowiki>}}<br />
Set the following variable in {{ic|smb.conf}} configuration file: <br />
{{hc|/etc/samba/smb.conf|2=...<br />
[global]<br />
usershare path = /var/lib/samba/usershares<br />
usershare max shares = 100<br />
usershare allow guests = yes<br />
usershare owner only = False<br />
...<br />
}}<br />
Save the file and then add your user to the group sambashares replacing "your_username" with the name of your user:<br />
{{bc|# usermod -a -G ${USERSHARES_GROUP} your_username}}<br />
<br />
Restart Samba<br />
<br />
Log out and log back in. You should now be able to configure your samba share using GUI. For example, in [[Thunar]] you can right click on any directory and share it on the network.<br />
When the error {{ic|You are not the owner of the folder}} appears, simply try to reboot the system.<br />
<br />
===Adding a user===<br />
To log into a Samba share, a samba user is needed. The user '''must''' already have a [[Users and Groups|Linux user account]] with the same name on the server, otherwise running the next command will fail:<br />
# pdbedit -a -u <user><br />
<br />
{{Note|As of version 3.4.0, smbpasswd is no longer used by default. Existing smbpasswd databases can be [[Samba/Troubleshooting#Changes_in_Samba_version_3.4.0|converted to the new format]]}}<br />
<br />
=== Web-based configuration (SWAT)===<br />
'''SWAT''' (Samba Web Administration Tool) is a facility that is part of the Samba suite. Whether or not to use this tool remains a matter of personal preference. It does allow for quick configuration and has context-sensitive help for each {{ic|smb.conf}} parameter. SWAT also provides an interface for monitoring of current state of connection(s), and allows network-wide MS Windows network password management.<br />
<br />
{{Warning|Before using SWAT, be warned that SWAT will completely replace {{ic|/etc/samba/smb.conf}} with a fully optimized file that has been stripped of all comments, and only non-default settings will be written to the file.}}<br />
<br />
To use SWAT, two [[systemd]] unit files come with the samba package that allow for socket activation. The SWAT service will be called automatically should a user call on the configured socket. In this case, a TCP connection on a specific port.<br />
<br />
First, review the socket configuration:<br />
{{hc|/usr/lib/systemd/system/swat.socket|<nowiki><br />
[Unit]<br />
Description=SWAT Samba Web Admin Tool<br />
<br />
[Socket]<br />
ListenStream=127.0.0.1:901<br />
Accept=true<br />
<br />
[Install]<br />
WantedBy=sockets.target<br />
</nowiki>}}<br />
<br />
{{Note|By default SWAT will only be available from the localhost, the system the SWAT service is installed on. If SWAT should be available for external connections, copy the unit to {{ic|<nowiki>/etc/systemd/system/swat.socket</nowiki>}}, and replace 127.0.0.1 with your system's LAN ip. i.e. {{ic|<nowiki>192.168.1.80:901</nowiki>}}.}}<br />
<br />
When satisfied with the configuration, start the socket:<br />
# systemctl start swat.socket<br />
<br />
Or, should you want to enable SWAT during boot, enable:<br />
# systemctl enable swat.socket<br />
<br />
The web interface can now be accessed on port 901 by default:<br />
{{ic|http://localhost:901/}}<br />
<br />
{{Note|An all-encompasing [[Webmin]] tool is also available, and the SWAT module can be loaded there.}}<br />
<br />
=== Starting the service ===<br />
Start/enable Samba via the [http://www.samba.org/samba/docs/man/manpages-3/smbd.8.html smbd] and [http://www.samba.org/samba/docs/man/manpages-3/nmbd.8.html nmbd] at boot:<br />
systemctl enable smbd.service<br />
systemctl enable nmbd.service<br />
<br />
Run them right now as well (otherwise you'd have to reboot):<br />
systemctl start smbd.service<br />
systemctl start nmbd.service<br />
<br />
On Windows side, be sure to change smb.conf to the Windows Workgroup. (Windows default: WORKGROUP)<br />
<br />
Be sure that your machine is not named Localhost, since it will resolve on Windows to 127.0.0.1.<br />
<br />
==Client configuration==<br />
Shared resources from other computers on the LAN may be accessed and mounted locally by GUI or CLI methods. The graphical manner is limited since most lightweight Desktop Environments do not have a native way to facilitate accessing these shared resources.<br />
<br />
There are two parts to share access. First is the underlying file system mechanism, and second is the interface which allows the user to select to mount shared resources. Some environments have the first part built into them.<br />
<br />
===Manual mounting===<br />
Install {{pkg|smbclient}} from the [[Official Repositories]].<br />
<br />
To list public shares on a server:<br />
{{bc|$ smbclient -L <hostname> -U%}}<br />
<br />
Create a mount point for the share:<br />
{{bc|# mkdir /mnt/MOUNTPOINT}}<br />
<br />
Mount the share using the {{ic|mount.cifs}} type. Not all the options listed below are needed or desirable (ie. {{ic|password}}).<br />
{{bc|# <nowiki>mount -t cifs //SERVER/SHARENAME /mnt/MOUNTPOINT -o user=USERNAME,password=PASSWORD,workgroup=WORKGROUP,ip=SERVERIP</nowiki>}}<br />
{{ic|'''SERVER'''}}<br />
:The Windows system name.<br />
{{ic|'''SHARENAME'''}}<br />
:The shared directory.<br />
{{ic|'''MOUNTPOINT'''}}<br />
:The local directory where the share will be mounted.<br />
{{ic|'''-o <nowiki>[options]</nowiki>'''}}<br />
:See {{ic|man mount.cifs}} for more information:<br />
{{Note|Abstain from using a trailing '''/'''. {{ic|//SERVER/SHARENAME'''/'''}} will not work.}}<br />
====Add Share to /etc/fstab====<br />
The simplest way to add an fstab entry is something like this:<br />
{{hc|/etc/fstab|<nowiki><br />
//SERVER/SHARENAME /mnt/MOUNTPOINT cifs username=USER,password=PASSWORD,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
However, storing passwords in a world readable file is not recommended! A safer method would be to use a credentials file. As an example, create a file and {{ic|chmod 600 <filename>}} so only the owning user can read and write to it. It should contain the following information:<br />
{{hc|/path/to/credentials/sambacreds|<nowiki><br />
username=USERNAME<br />
password=PASSWORD</nowiki>}}<br />
and the line in your fstab should look something like this:<br />
{{hc|/etc/fstab|<nowiki><br />
//SERVER/SHARENAME /mnt/MOUNTPOINT cifs username=USER,credentials=/path/to/credentials/sambacreds,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
If using '''systemd''' (modern installations), one can utilize the '''comment=systemd.automount''' option, which speeds up service boot by a few seconds. Also, one can map current user and group to make life a bit easier, utilizing '''uid''' and '''gid''' options ('''warning:''' using the uid and gid options may cause input ouput errors in programs that try to fetch data from network drives):<br />
{{hc|/etc/fstab|<nowiki>//SERVER/SHARENAME /mnt/MOUNTPOINT cifs credentials=/path/to/smbcredentials,comment=systemd.automount,uid=USERNAME,gid=USERGROUP 0 0</nowiki>}}<br />
<br />
====User mounting====<br />
{{hc|/etc/fstab|<nowiki>//SERVER/SHARENAME /mnt/MOUNTPOINT cifs users,credentials=/path/to/smbcredentials,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
{{note|Note: The option is user'''s''' (plural). For other filesystem types handled by mount, this option is usually ''user''; sans the "'''s'''".}}<br />
<br />
This will allow users to mount it as long as the mount point resides in a directory controllable by the user; i.e. the user's home. For users to be allowed to mount and unmount the Samba shares with mount points that they do not own, use [[Samba#smbnetfs|smbnetfs]], or grant privileges using [[sudo]].<br />
<br />
===Automatic Mounting===<br />
There are several ways to easily browse shared resources:<br />
====smbnetfs====<br />
Install {{pkg|smbnetfs}}, from the [[Official Repositories]].<br />
<br />
Add the following line to {{ic|/etc/fuse.conf}}:<br />
{{bc|user_allow_other}}<br />
and load the {{ic|fuse}} [[kernel module]]:<br />
{{bc|# modprobe fuse}}<br />
<br />
If a username and a password are required to access some of the shared folders, edit /etc/smbnetfs/.smb/smbnetfs.conf and uncomment the line starting with "auth":<br />
<br />
{{hc|/etc/smbnetfs/.smb/smbnetfs.conf|<br />
auth "hostname" "username" "password"<br />
}}<br />
<br />
Make sure to {{ic|chmod 600 /etc/smbnetfs/.smb/smbnetfs.conf}}, and any include files for smbnetfs to work correctly.<br />
<br />
To mount the network<br />
smbnetfs <MOUNT_POINT><br />
<br />
To browse the network<br />
smbtree<br />
<br />
===== Daemon =====<br />
Start and enable the '''smbnetfs''' [[daemon]].<br />
systemctl start smbnetfs.service<br />
<br />
To enable on boot.<br />
# Will be mounted on /mnt/smbnet/<br />
systemctl enable smbnetfs.service<br />
<br />
====fusesmb====<br />
{{Note|1=Because {{ic|smbclient 3.2.X}} is malfunctioning with {{ic|fusesmb}}, revert to using older versions if necessary. See the [https://bbs.archlinux.org/viewtopic.php?id=58434 relevant forum topic] for details.}}<br />
<br />
# Install {{AUR|fusesmb}}, available in the [[Arch User Repository]].<br />
# Create a mount point: {{ic|# mkdir /mnt/fusesmb}}<br />
# Load {{ic|fuse}} [[kernel module]].<br />
# Mount the shares: {{bc|# fusesmb -o allow_other /mnt/fusesmb}}<br />
<br />
====autofs====<br />
See [[Autofs]] for information on the kernel-based automounter for Linux.<br />
<br />
===File Manager Configuration===<br />
====Nautilus====<br />
In order to access samba shares through Nautilus, install the {{pkg|gvfs-smb}} package, available in the [[Official Repositories]].<br />
<br />
Press {{keypress|Ctrl+L}} and enter {{ic|smb://servername/share}} in the location bar to access your share.<br />
<br />
The mounted share is likely to be present at {{ic|/run/user/<your UID>/gvfs}} in the filesystem.<br />
<br />
====Thunar and pcmanfm====<br />
For access using Thunar or pcmanfm, install {{pkg|gvfs-smb}}, available in the Official Repositories. <br />
<br />
Go to {{ic|smb://servername/share}}, to access your share.<br />
<br />
====KDE====<br />
KDE, has the ability to browse Samba shares built in. Therefore do not need any additional packages. However, for a GUI in the KDE System Settings, install the {{pkg|kdenetwork-filesharing}} package from the [[Official Repositories]]<br />
<br />
====Other Graphical Environments====<br />
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.<br />
<br />
* {{pkg|pyneighborhood}} is available in the [[Official Repositories]].<br />
* LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the [[AUR]]. As they are not officially (or even unofficially supported), they may be obsolete and may not work at all.<br />
<br />
==See also==<br />
* [[{{FULLPAGENAME}}/Tips and tricks|Tips and tricks]] - A dedicated page for alternate configurations and suggestions.<br />
* [[{{FULLPAGENAME}}/Troubleshooting|Troubleshooting]] - A dedicated page for solving common (or not so common) issues.<br />
* [http://www.samba.org/samba/docs/SambaIntro.html Samba: An Introduction]<br />
* [http://www.samba.org/ Official Samba site]</div>Eldoghttps://wiki.archlinux.org/index.php?title=Samba&diff=266733Samba2013-07-17T10:10:21Z<p>Eldog: /* smbnetfs */ Instruction for mounting using smbnetfs</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:Samba]]<br />
[[de:Samba]]<br />
[[da:Samba]]<br />
[[es:Samba]]<br />
[[fr:Samba]]<br />
[[it:Samba]]<br />
[[ru:Samba]]<br />
[[sr:Samba]]<br />
[[tr:Samba]]<br />
[[zh-CN:Samba]]<br />
[[zh-TW:Samba]]<br />
[[ja:Samba]]<br />
{{Article summary start|Summary}}<br />
{{Article summary text|Installing, configuring and troubleshooting Samba}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|NFS}}<br />
{{Article summary wiki|Samba Domain Controller}}<br />
{{Article summary end}}<br />
'''Samba''' is a re-implementation of the SMB/CIFS networking protocol, it facilitates file and printer sharing among Linux and Windows systems as an alternative to [[NFS]]. Some users say that Samba is easily configured and that operation is very straight-forward. However, many new users run into problems with its complexity and non-intuitive mechanism. It is strongly suggested that the user stick close to the following directions.<br />
<br />
==Required packages==<br />
===Server===<br />
To share files with Samba, install {{Pkg|samba}}, from the [[Official Repositories]].<br />
<br />
===Client===<br />
Only {{Pkg|smbclient}} is required to access files from a Samba/SMB/CIFS server. It is also available from the Official Repositories.<br />
<br />
==Server configuration==<br />
The {{ic|/etc/samba/smb.conf}} file must be created before starting the service. Once that is set up, users may opt for using an advanced configuration interface like SWAT.<br />
<br />
As root, copy the default Samba configuration file to {{ic|/etc/samba/smb.conf}}:<br />
{{bc|# cp /etc/samba/smb.conf.default /etc/samba/smb.conf}}<br />
<br />
===Creating a share===<br />
Edit {{ic|/etc/samba/smb.conf}}, scroll down to the '''Share Definitions''' section. The default configuration automatically creates a share for each user's home directory. It also creates a share for printers by default.<br />
<br />
There are a number of commented sample configurations included. More information about available options for shared resources can be found in {{ic|man smb.conf}}. [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html Here] is the on-line version.<br />
<br />
=== Creating user share path ===<br />
This marks the named objects for automatic export to the environment of subsequently executed commands:<br />
{{bc|<nowiki># export USERSHARES_DIR="/var/lib/samba/usershares"<br />
# export USERSHARES_GROUP="sambashare"</nowiki>}}<br />
This creates the usershares directory in var/lib/samba:<br />
{{bc|<nowiki># mkdir -p ${USERSHARES_DIR}</nowiki>}}<br />
This makes the group sambashare:<br />
{{bc|<nowiki># groupadd ${USERSHARES_GROUP}</nowiki>}}<br />
This changes the owner of the directory and group you just created to root:<br />
{{bc|<nowiki># chown root:${USERSHARES_GROUP} ${USERSHARES_DIR}</nowiki>}}<br />
This changes the permissions of the usershares directory so that users in the group sambashare can read, write and execute files:<br />
{{bc|<nowiki># chmod 01770 ${USERSHARES_DIR}</nowiki>}}<br />
Set the following variable in {{ic|smb.conf}} configuration file: <br />
{{hc|/etc/samba/smb.conf|2=...<br />
[global]<br />
usershare path = /var/lib/samba/usershares<br />
usershare max shares = 100<br />
usershare allow guests = yes<br />
usershare owner only = False<br />
...<br />
}}<br />
Save the file and then add your user to the group sambashares replacing "your_username" with the name of your user:<br />
{{bc|# usermod -a -G ${USERSHARES_GROUP} your_username}}<br />
<br />
Restart Samba<br />
<br />
Log out and log back in. You should now be able to configure your samba share using GUI. For example, in [[Thunar]] you can right click on any directory and share it on the network.<br />
When the error {{ic|You are not the owner of the folder}} appears, simply try to reboot the system.<br />
<br />
===Adding a user===<br />
To log into a Samba share, a samba user is needed. The user '''must''' already have a [[Users and Groups|Linux user account]] with the same name on the server, otherwise running the next command will fail:<br />
# pdbedit -a -u <user><br />
<br />
{{Note|As of version 3.4.0, smbpasswd is no longer used by default. Existing smbpasswd databases can be [[Samba/Troubleshooting#Changes_in_Samba_version_3.4.0|converted to the new format]]}}<br />
<br />
=== Web-based configuration (SWAT)===<br />
'''SWAT''' (Samba Web Administration Tool) is a facility that is part of the Samba suite. Whether or not to use this tool remains a matter of personal preference. It does allow for quick configuration and has context-sensitive help for each {{ic|smb.conf}} parameter. SWAT also provides an interface for monitoring of current state of connection(s), and allows network-wide MS Windows network password management.<br />
<br />
{{Warning|Before using SWAT, be warned that SWAT will completely replace {{ic|/etc/samba/smb.conf}} with a fully optimized file that has been stripped of all comments, and only non-default settings will be written to the file.}}<br />
<br />
To use SWAT, two [[systemd]] unit files come with the samba package that allow for socket activation. The SWAT service will be called automatically should a user call on the configured socket. In this case, a TCP connection on a specific port.<br />
<br />
First, review the socket configuration:<br />
{{hc|/usr/lib/systemd/system/swat.socket|<nowiki><br />
[Unit]<br />
Description=SWAT Samba Web Admin Tool<br />
<br />
[Socket]<br />
ListenStream=127.0.0.1:901<br />
Accept=true<br />
<br />
[Install]<br />
WantedBy=sockets.target<br />
</nowiki>}}<br />
<br />
{{Note|By default SWAT will only be available from the localhost, the system the SWAT service is installed on. If SWAT should be available for external connections, copy the unit to {{ic|<nowiki>/etc/systemd/system/swat.socket</nowiki>}}, and replace 127.0.0.1 with your system's LAN ip. i.e. {{ic|<nowiki>192.168.1.80:901</nowiki>}}.}}<br />
<br />
When satisfied with the configuration, start the socket:<br />
# systemctl start swat.socket<br />
<br />
Or, should you want to enable SWAT during boot, enable:<br />
# systemctl enable swat.socket<br />
<br />
The web interface can now be accessed on port 901 by default:<br />
{{ic|http://localhost:901/}}<br />
<br />
{{Note|An all-encompasing [[Webmin]] tool is also available, and the SWAT module can be loaded there.}}<br />
<br />
=== Starting the service ===<br />
Start/enable Samba via the [http://www.samba.org/samba/docs/man/manpages-3/smbd.8.html smbd] and [http://www.samba.org/samba/docs/man/manpages-3/nmbd.8.html nmbd] at boot:<br />
systemctl enable smbd.service<br />
systemctl enable nmbd.service<br />
<br />
Run them right now as well (otherwise you'd have to reboot):<br />
systemctl start smbd.service<br />
systemctl start nmbd.service<br />
<br />
On Windows side, be sure to change smb.conf to the Windows Workgroup. (Windows default: WORKGROUP)<br />
<br />
Be sure that your machine is not named Localhost, since it will resolve on Windows to 127.0.0.1.<br />
<br />
==Client configuration==<br />
Shared resources from other computers on the LAN may be accessed and mounted locally by GUI or CLI methods. The graphical manner is limited since most lightweight Desktop Environments do not have a native way to facilitate accessing these shared resources.<br />
<br />
There are two parts to share access. First is the underlying file system mechanism, and second is the interface which allows the user to select to mount shared resources. Some environments have the first part built into them.<br />
<br />
===Manual mounting===<br />
Install {{pkg|smbclient}} from the [[Official Repositories]].<br />
<br />
To list public shares on a server:<br />
{{bc|$ smbclient -L <hostname> -U%}}<br />
<br />
Create a mount point for the share:<br />
{{bc|# mkdir /mnt/MOUNTPOINT}}<br />
<br />
Mount the share using the {{ic|mount.cifs}} type. Not all the options listed below are needed or desirable (ie. {{ic|password}}).<br />
{{bc|# <nowiki>mount -t cifs //SERVER/SHARENAME /mnt/MOUNTPOINT -o user=USERNAME,password=PASSWORD,workgroup=WORKGROUP,ip=SERVERIP</nowiki>}}<br />
{{ic|'''SERVER'''}}<br />
:The Windows system name.<br />
{{ic|'''SHARENAME'''}}<br />
:The shared directory.<br />
{{ic|'''MOUNTPOINT'''}}<br />
:The local directory where the share will be mounted.<br />
{{ic|'''-o <nowiki>[options]</nowiki>'''}}<br />
:See {{ic|man mount.cifs}} for more information:<br />
{{Note|Abstain from using a trailing '''/'''. {{ic|//SERVER/SHARENAME'''/'''}} will not work.}}<br />
====Add Share to /etc/fstab====<br />
The simplest way to add an fstab entry is something like this:<br />
{{hc|/etc/fstab|<nowiki><br />
//SERVER/SHARENAME /mnt/MOUNTPOINT cifs username=USER,password=PASSWORD,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
However, storing passwords in a world readable file is not recommended! A safer method would be to use a credentials file. As an example, create a file and {{ic|chmod 600 <filename>}} so only the owning user can read and write to it. It should contain the following information:<br />
{{hc|/path/to/credentials/sambacreds|<nowiki><br />
username=USERNAME<br />
password=PASSWORD</nowiki>}}<br />
and the line in your fstab should look something like this:<br />
{{hc|/etc/fstab|<nowiki><br />
//SERVER/SHARENAME /mnt/MOUNTPOINT cifs username=USER,credentials=/path/to/credentials/sambacreds,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
If using '''systemd''' (modern installations), one can utilize the '''comment=systemd.automount''' option, which speeds up service boot by a few seconds. Also, one can map current user and group to make life a bit easier, utilizing '''uid''' and '''gid''' options ('''warning:''' using the uid and gid options may cause input ouput errors in programs that try to fetch data from network drives):<br />
{{hc|/etc/fstab|<nowiki>//SERVER/SHARENAME /mnt/MOUNTPOINT cifs credentials=/path/to/smbcredentials,comment=systemd.automount,uid=USERNAME,gid=USERGROUP 0 0</nowiki>}}<br />
<br />
====User mounting====<br />
{{hc|/etc/fstab|<nowiki>//SERVER/SHARENAME /mnt/MOUNTPOINT cifs users,credentials=/path/to/smbcredentials,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
{{note|Note: The option is user'''s''' (plural). For other filesystem types handled by mount, this option is usually ''user''; sans the "'''s'''".}}<br />
<br />
This will allow users to mount it as long as the mount point resides in a directory controllable by the user; i.e. the user's home. For users to be allowed to mount and unmount the Samba shares with mount points that they do not own, use [[Samba#smbnetfs|smbnetfs]], or grant privileges using [[sudo]].<br />
<br />
===Automatic Mounting===<br />
There are several ways to easily browse shared resources:<br />
====smbnetfs====<br />
Install {{pkg|smbnetfs}}, from the [[Official Repositories]].<br />
<br />
Add the following line to {{ic|/etc/fuse.conf}}:<br />
{{bc|user_allow_other}}<br />
and load the {{ic|fuse}} [[kernel module]]:<br />
{{bc|# modprobe fuse}}<br />
<br />
If a username and a password are required to access some of the shared folders, edit /etc/smbnetfs/.smb/smbnetfs.conf and uncomment the line starting with "auth":<br />
<br />
{{hc|/etc/smbnetfs/.smb/smbnetfs.conf|<br />
auth "hostname" "username" "password"<br />
}}<br />
<br />
Make sure to {{ic|chmod 600 /etc/smbnetfs/.smb/smbnetfs.conf}}, and any include files for smbnetfs to work correctly.<br />
<br />
To mount the network<br />
smbnetfs <MOUNT_POINT><br />
<br />
===== Daemon =====<br />
Start and enable the '''smbnetfs''' [[daemon]].<br />
systemctl start smbnetfs.service<br />
<br />
To enable on boot.<br />
# Will be mounted on /mnt/smbnet/<br />
systemctl enable smbnetfs.service<br />
<br />
====fusesmb====<br />
{{Note|1=Because {{ic|smbclient 3.2.X}} is malfunctioning with {{ic|fusesmb}}, revert to using older versions if necessary. See the [https://bbs.archlinux.org/viewtopic.php?id=58434 relevant forum topic] for details.}}<br />
<br />
# Install {{AUR|fusesmb}}, available in the [[Arch User Repository]].<br />
# Create a mount point: {{ic|# mkdir /mnt/fusesmb}}<br />
# Load {{ic|fuse}} [[kernel module]].<br />
# Mount the shares: {{bc|# fusesmb -o allow_other /mnt/fusesmb}}<br />
<br />
====autofs====<br />
See [[Autofs]] for information on the kernel-based automounter for Linux.<br />
<br />
===File Manager Configuration===<br />
====Nautilus====<br />
In order to access samba shares through Nautilus, install the {{pkg|gvfs-smb}} package, available in the [[Official Repositories]].<br />
<br />
Press {{keypress|Ctrl+L}} and enter {{ic|smb://servername/share}} in the location bar to access your share.<br />
<br />
The mounted share is likely to be present at {{ic|/run/user/<your UID>/gvfs}} in the filesystem.<br />
<br />
====Thunar and pcmanfm====<br />
For access using Thunar or pcmanfm, install {{pkg|gvfs-smb}}, available in the Official Repositories. <br />
<br />
Go to {{ic|smb://servername/share}}, to access your share.<br />
<br />
====KDE====<br />
KDE, has the ability to browse Samba shares built in. Therefore do not need any additional packages. However, for a GUI in the KDE System Settings, install the {{pkg|kdenetwork-filesharing}} package from the [[Official Repositories]]<br />
<br />
====Other Graphical Environments====<br />
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.<br />
<br />
* {{pkg|pyneighborhood}} is available in the [[Official Repositories]].<br />
* LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the [[AUR]]. As they are not officially (or even unofficially supported), they may be obsolete and may not work at all.<br />
<br />
==See also==<br />
* [[{{FULLPAGENAME}}/Tips and tricks|Tips and tricks]] - A dedicated page for alternate configurations and suggestions.<br />
* [[{{FULLPAGENAME}}/Troubleshooting|Troubleshooting]] - A dedicated page for solving common (or not so common) issues.<br />
* [http://www.samba.org/samba/docs/SambaIntro.html Samba: An Introduction]<br />
* [http://www.samba.org/ Official Samba site]</div>Eldoghttps://wiki.archlinux.org/index.php?title=Samba&diff=266730Samba2013-07-17T10:08:45Z<p>Eldog: /* smbnetfs */ Added command to start smbnetfs service</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:Samba]]<br />
[[de:Samba]]<br />
[[da:Samba]]<br />
[[es:Samba]]<br />
[[fr:Samba]]<br />
[[it:Samba]]<br />
[[ru:Samba]]<br />
[[sr:Samba]]<br />
[[tr:Samba]]<br />
[[zh-CN:Samba]]<br />
[[zh-TW:Samba]]<br />
[[ja:Samba]]<br />
{{Article summary start|Summary}}<br />
{{Article summary text|Installing, configuring and troubleshooting Samba}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|NFS}}<br />
{{Article summary wiki|Samba Domain Controller}}<br />
{{Article summary end}}<br />
'''Samba''' is a re-implementation of the SMB/CIFS networking protocol, it facilitates file and printer sharing among Linux and Windows systems as an alternative to [[NFS]]. Some users say that Samba is easily configured and that operation is very straight-forward. However, many new users run into problems with its complexity and non-intuitive mechanism. It is strongly suggested that the user stick close to the following directions.<br />
<br />
==Required packages==<br />
===Server===<br />
To share files with Samba, install {{Pkg|samba}}, from the [[Official Repositories]].<br />
<br />
===Client===<br />
Only {{Pkg|smbclient}} is required to access files from a Samba/SMB/CIFS server. It is also available from the Official Repositories.<br />
<br />
==Server configuration==<br />
The {{ic|/etc/samba/smb.conf}} file must be created before starting the service. Once that is set up, users may opt for using an advanced configuration interface like SWAT.<br />
<br />
As root, copy the default Samba configuration file to {{ic|/etc/samba/smb.conf}}:<br />
{{bc|# cp /etc/samba/smb.conf.default /etc/samba/smb.conf}}<br />
<br />
===Creating a share===<br />
Edit {{ic|/etc/samba/smb.conf}}, scroll down to the '''Share Definitions''' section. The default configuration automatically creates a share for each user's home directory. It also creates a share for printers by default.<br />
<br />
There are a number of commented sample configurations included. More information about available options for shared resources can be found in {{ic|man smb.conf}}. [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html Here] is the on-line version.<br />
<br />
=== Creating user share path ===<br />
This marks the named objects for automatic export to the environment of subsequently executed commands:<br />
{{bc|<nowiki># export USERSHARES_DIR="/var/lib/samba/usershares"<br />
# export USERSHARES_GROUP="sambashare"</nowiki>}}<br />
This creates the usershares directory in var/lib/samba:<br />
{{bc|<nowiki># mkdir -p ${USERSHARES_DIR}</nowiki>}}<br />
This makes the group sambashare:<br />
{{bc|<nowiki># groupadd ${USERSHARES_GROUP}</nowiki>}}<br />
This changes the owner of the directory and group you just created to root:<br />
{{bc|<nowiki># chown root:${USERSHARES_GROUP} ${USERSHARES_DIR}</nowiki>}}<br />
This changes the permissions of the usershares directory so that users in the group sambashare can read, write and execute files:<br />
{{bc|<nowiki># chmod 01770 ${USERSHARES_DIR}</nowiki>}}<br />
Set the following variable in {{ic|smb.conf}} configuration file: <br />
{{hc|/etc/samba/smb.conf|2=...<br />
[global]<br />
usershare path = /var/lib/samba/usershares<br />
usershare max shares = 100<br />
usershare allow guests = yes<br />
usershare owner only = False<br />
...<br />
}}<br />
Save the file and then add your user to the group sambashares replacing "your_username" with the name of your user:<br />
{{bc|# usermod -a -G ${USERSHARES_GROUP} your_username}}<br />
<br />
Restart Samba<br />
<br />
Log out and log back in. You should now be able to configure your samba share using GUI. For example, in [[Thunar]] you can right click on any directory and share it on the network.<br />
When the error {{ic|You are not the owner of the folder}} appears, simply try to reboot the system.<br />
<br />
===Adding a user===<br />
To log into a Samba share, a samba user is needed. The user '''must''' already have a [[Users and Groups|Linux user account]] with the same name on the server, otherwise running the next command will fail:<br />
# pdbedit -a -u <user><br />
<br />
{{Note|As of version 3.4.0, smbpasswd is no longer used by default. Existing smbpasswd databases can be [[Samba/Troubleshooting#Changes_in_Samba_version_3.4.0|converted to the new format]]}}<br />
<br />
=== Web-based configuration (SWAT)===<br />
'''SWAT''' (Samba Web Administration Tool) is a facility that is part of the Samba suite. Whether or not to use this tool remains a matter of personal preference. It does allow for quick configuration and has context-sensitive help for each {{ic|smb.conf}} parameter. SWAT also provides an interface for monitoring of current state of connection(s), and allows network-wide MS Windows network password management.<br />
<br />
{{Warning|Before using SWAT, be warned that SWAT will completely replace {{ic|/etc/samba/smb.conf}} with a fully optimized file that has been stripped of all comments, and only non-default settings will be written to the file.}}<br />
<br />
To use SWAT, two [[systemd]] unit files come with the samba package that allow for socket activation. The SWAT service will be called automatically should a user call on the configured socket. In this case, a TCP connection on a specific port.<br />
<br />
First, review the socket configuration:<br />
{{hc|/usr/lib/systemd/system/swat.socket|<nowiki><br />
[Unit]<br />
Description=SWAT Samba Web Admin Tool<br />
<br />
[Socket]<br />
ListenStream=127.0.0.1:901<br />
Accept=true<br />
<br />
[Install]<br />
WantedBy=sockets.target<br />
</nowiki>}}<br />
<br />
{{Note|By default SWAT will only be available from the localhost, the system the SWAT service is installed on. If SWAT should be available for external connections, copy the unit to {{ic|<nowiki>/etc/systemd/system/swat.socket</nowiki>}}, and replace 127.0.0.1 with your system's LAN ip. i.e. {{ic|<nowiki>192.168.1.80:901</nowiki>}}.}}<br />
<br />
When satisfied with the configuration, start the socket:<br />
# systemctl start swat.socket<br />
<br />
Or, should you want to enable SWAT during boot, enable:<br />
# systemctl enable swat.socket<br />
<br />
The web interface can now be accessed on port 901 by default:<br />
{{ic|http://localhost:901/}}<br />
<br />
{{Note|An all-encompasing [[Webmin]] tool is also available, and the SWAT module can be loaded there.}}<br />
<br />
=== Starting the service ===<br />
Start/enable Samba via the [http://www.samba.org/samba/docs/man/manpages-3/smbd.8.html smbd] and [http://www.samba.org/samba/docs/man/manpages-3/nmbd.8.html nmbd] at boot:<br />
systemctl enable smbd.service<br />
systemctl enable nmbd.service<br />
<br />
Run them right now as well (otherwise you'd have to reboot):<br />
systemctl start smbd.service<br />
systemctl start nmbd.service<br />
<br />
On Windows side, be sure to change smb.conf to the Windows Workgroup. (Windows default: WORKGROUP)<br />
<br />
Be sure that your machine is not named Localhost, since it will resolve on Windows to 127.0.0.1.<br />
<br />
==Client configuration==<br />
Shared resources from other computers on the LAN may be accessed and mounted locally by GUI or CLI methods. The graphical manner is limited since most lightweight Desktop Environments do not have a native way to facilitate accessing these shared resources.<br />
<br />
There are two parts to share access. First is the underlying file system mechanism, and second is the interface which allows the user to select to mount shared resources. Some environments have the first part built into them.<br />
<br />
===Manual mounting===<br />
Install {{pkg|smbclient}} from the [[Official Repositories]].<br />
<br />
To list public shares on a server:<br />
{{bc|$ smbclient -L <hostname> -U%}}<br />
<br />
Create a mount point for the share:<br />
{{bc|# mkdir /mnt/MOUNTPOINT}}<br />
<br />
Mount the share using the {{ic|mount.cifs}} type. Not all the options listed below are needed or desirable (ie. {{ic|password}}).<br />
{{bc|# <nowiki>mount -t cifs //SERVER/SHARENAME /mnt/MOUNTPOINT -o user=USERNAME,password=PASSWORD,workgroup=WORKGROUP,ip=SERVERIP</nowiki>}}<br />
{{ic|'''SERVER'''}}<br />
:The Windows system name.<br />
{{ic|'''SHARENAME'''}}<br />
:The shared directory.<br />
{{ic|'''MOUNTPOINT'''}}<br />
:The local directory where the share will be mounted.<br />
{{ic|'''-o <nowiki>[options]</nowiki>'''}}<br />
:See {{ic|man mount.cifs}} for more information:<br />
{{Note|Abstain from using a trailing '''/'''. {{ic|//SERVER/SHARENAME'''/'''}} will not work.}}<br />
====Add Share to /etc/fstab====<br />
The simplest way to add an fstab entry is something like this:<br />
{{hc|/etc/fstab|<nowiki><br />
//SERVER/SHARENAME /mnt/MOUNTPOINT cifs username=USER,password=PASSWORD,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
However, storing passwords in a world readable file is not recommended! A safer method would be to use a credentials file. As an example, create a file and {{ic|chmod 600 <filename>}} so only the owning user can read and write to it. It should contain the following information:<br />
{{hc|/path/to/credentials/sambacreds|<nowiki><br />
username=USERNAME<br />
password=PASSWORD</nowiki>}}<br />
and the line in your fstab should look something like this:<br />
{{hc|/etc/fstab|<nowiki><br />
//SERVER/SHARENAME /mnt/MOUNTPOINT cifs username=USER,credentials=/path/to/credentials/sambacreds,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
If using '''systemd''' (modern installations), one can utilize the '''comment=systemd.automount''' option, which speeds up service boot by a few seconds. Also, one can map current user and group to make life a bit easier, utilizing '''uid''' and '''gid''' options ('''warning:''' using the uid and gid options may cause input ouput errors in programs that try to fetch data from network drives):<br />
{{hc|/etc/fstab|<nowiki>//SERVER/SHARENAME /mnt/MOUNTPOINT cifs credentials=/path/to/smbcredentials,comment=systemd.automount,uid=USERNAME,gid=USERGROUP 0 0</nowiki>}}<br />
<br />
====User mounting====<br />
{{hc|/etc/fstab|<nowiki>//SERVER/SHARENAME /mnt/MOUNTPOINT cifs users,credentials=/path/to/smbcredentials,workgroup=WORKGROUP,ip=SERVERIP 0 0</nowiki>}}<br />
{{note|Note: The option is user'''s''' (plural). For other filesystem types handled by mount, this option is usually ''user''; sans the "'''s'''".}}<br />
<br />
This will allow users to mount it as long as the mount point resides in a directory controllable by the user; i.e. the user's home. For users to be allowed to mount and unmount the Samba shares with mount points that they do not own, use [[Samba#smbnetfs|smbnetfs]], or grant privileges using [[sudo]].<br />
<br />
===Automatic Mounting===<br />
There are several ways to easily browse shared resources:<br />
====smbnetfs====<br />
Install {{pkg|smbnetfs}}, from the [[Official Repositories]].<br />
<br />
Add the following line to {{ic|/etc/fuse.conf}}:<br />
{{bc|user_allow_other}}<br />
and load the {{ic|fuse}} [[kernel module]]:<br />
{{bc|# modprobe fuse}}<br />
<br />
If a username and a password are required to access some of the shared folders, edit /etc/smbnetfs/.smb/smbnetfs.conf and uncomment the line starting with "auth":<br />
<br />
{{hc|/etc/smbnetfs/.smb/smbnetfs.conf|<br />
auth "hostname" "username" "password"<br />
}}<br />
<br />
Make sure to {{ic|chmod 600 /etc/smbnetfs/.smb/smbnetfs.conf}}, and any include files for smbnetfs to work correctly.<br />
<br />
===== Daemon =====<br />
Start and enable the '''smbnetfs''' [[daemon]].<br />
systemctl start smbnetfs.service<br />
<br />
To enable on boot.<br />
# Will be mounted on /mnt/smbnet/<br />
systemctl enable smbnetfs.service<br />
<br />
====fusesmb====<br />
{{Note|1=Because {{ic|smbclient 3.2.X}} is malfunctioning with {{ic|fusesmb}}, revert to using older versions if necessary. See the [https://bbs.archlinux.org/viewtopic.php?id=58434 relevant forum topic] for details.}}<br />
<br />
# Install {{AUR|fusesmb}}, available in the [[Arch User Repository]].<br />
# Create a mount point: {{ic|# mkdir /mnt/fusesmb}}<br />
# Load {{ic|fuse}} [[kernel module]].<br />
# Mount the shares: {{bc|# fusesmb -o allow_other /mnt/fusesmb}}<br />
<br />
====autofs====<br />
See [[Autofs]] for information on the kernel-based automounter for Linux.<br />
<br />
===File Manager Configuration===<br />
====Nautilus====<br />
In order to access samba shares through Nautilus, install the {{pkg|gvfs-smb}} package, available in the [[Official Repositories]].<br />
<br />
Press {{keypress|Ctrl+L}} and enter {{ic|smb://servername/share}} in the location bar to access your share.<br />
<br />
The mounted share is likely to be present at {{ic|/run/user/<your UID>/gvfs}} in the filesystem.<br />
<br />
====Thunar and pcmanfm====<br />
For access using Thunar or pcmanfm, install {{pkg|gvfs-smb}}, available in the Official Repositories. <br />
<br />
Go to {{ic|smb://servername/share}}, to access your share.<br />
<br />
====KDE====<br />
KDE, has the ability to browse Samba shares built in. Therefore do not need any additional packages. However, for a GUI in the KDE System Settings, install the {{pkg|kdenetwork-filesharing}} package from the [[Official Repositories]]<br />
<br />
====Other Graphical Environments====<br />
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.<br />
<br />
* {{pkg|pyneighborhood}} is available in the [[Official Repositories]].<br />
* LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the [[AUR]]. As they are not officially (or even unofficially supported), they may be obsolete and may not work at all.<br />
<br />
==See also==<br />
* [[{{FULLPAGENAME}}/Tips and tricks|Tips and tricks]] - A dedicated page for alternate configurations and suggestions.<br />
* [[{{FULLPAGENAME}}/Troubleshooting|Troubleshooting]] - A dedicated page for solving common (or not so common) issues.<br />
* [http://www.samba.org/samba/docs/SambaIntro.html Samba: An Introduction]<br />
* [http://www.samba.org/ Official Samba site]</div>Eldoghttps://wiki.archlinux.org/index.php?title=Dropbox&diff=257031Dropbox2013-05-14T08:05:16Z<p>Eldog: /* Filesystem monitoring problem */</p>
<hr />
<div>[[Category:Internet Applications]]<br />
[[de:Dropbox]]<br />
[[it:Dropbox]]<br />
[[zh-TW:Dropbox]]<br />
[[ru:Dropbox]]<br />
[https://www.dropbox.com Dropbox] is a file sharing system that recently introduced a GNU/Linux client. Use it to transparently sync files across computers and architectures. Simply drop files into your {{ic|~/Dropbox}} folder, and they will automatically sync to your centralized repository.<br />
<br />
==Installation==<br />
<br />
{{AUR|dropbox}} can be installed from the [[Arch User Repository|AUR]]. Alternatively, {{AUR|dropbox-experimental}} is also available.<br />
<br />
# After installing the package, you can start Dropbox from your application menu or run {{ic|dropboxd}} from the command-line. The client icon will appear in the system tray.<br />
# A pop-up will notify you that Dropbox is running from an unsupported location. Click on Don't ask again since you know that you have installed it from AUR rather than from the official homepage.<br />
# Eventually a pop-up will ask you to log in to your Dropbox account or create a new account. Enter your credentials.<br />
# After some time you will see a "Welcome to Dropbox" pop-up, which will give you the opportunity to view a short tour of Dropbox.<br />
# Press the "Finish and go to My Dropbox".<br />
<br />
For [[KDE]] users, no further steps are required (it is enough to install the above {{AUR|dropbox}} package from the AUR), as KDE saves running applications when logging out and restarts them automatically. Similarly for [[Xfce]] users, dropbox will be restarted automatically next time you login since the {{ic|dropbox.desktop}} file be placed in {{ic|~/.config/autostart}}.<br />
<br />
===Optional packages===<br />
<br />
*For a command-line interface, install {{AUR|dropbox-cli}} from the [[Arch User Repository|AUR]].<br />
*For integration with Nautilus, install {{AUR|nautilus-dropbox}} from the AUR. The Nautilus plugin will start Dropbox automatically.<br />
*For integration with Nemo, install {{AUR|nemo-dropbox-git}} from the AUR.<br />
*For integration with [[Thunar]], install {{AUR|thunar-dropbox}} from the AUR.<br />
*For [[KDE]] users, there is a KDE client available: {{AUR|kfilebox}} from the AUR.<br />
<br />
===Automatically Starting Dropbox===<br />
<br />
Dropbox can be automatically started by adding {{Ic|dropboxd}} to {{ic|~/.xinitrc}} (or {{ic|~/.config/openbox/autostart}}, depending on your setup). Alternatively, you can [[#Run as daemon with systemd|start it as a daemon]].<br />
<br />
== Alternative to install: use the web interface ==<br />
<br />
If all you need is basic access to the files in your Dropbox, you can use the web interface at https://www.dropbox.com/ to upload and download files to your Dropbox. This can be a viable alternative to running a Dropbox daemon and mirroring all the files on your own machine.<br />
<br />
==Run as daemon with systemd==<br />
<br />
Recent versions of Dropbox come with a systemd service file. By default running Dropbox as a daemon does not give you an icon in the system tray, but syncs your files and folders in the background. If you want to have tray support, then you have to copy the service file to {{ic|/etc/systemd/system/dropbox@.service}} and add the environment variable.<br />
<br />
# echo ".include /usr/lib/systemd/system/dropbox@.service<br />
[Service]<br />
Environment=DISPLAY=:0" > /etc/systemd/system/dropbox@.service<br />
<br />
Finally, to enable the daemon for your user, so that it will start at login:<br />
# systemctl enable dropbox@<user><br />
Note that you have to manually start Dropbox the first time after installation, so that it runs through the login and setup screen. Further, you need to uncheck the option '''Start Dropbox on system startup''' in order to prevent Dropbox from being started twice. The daemon can then be used subsequently.<br />
<br />
===Run as a daemon with systemd user===<br />
<br />
If you have followed the [[systemd/User]] wiki page, you probably want to start dropbox only when you log in or launch your WM/DE. The solution in that case is to create a service in your home directory instead of using the sysadmin account:<br />
<br />
{{hc|$HOME/.config/systemd/user/dropbox@.service|<nowiki><br />
[Unit]<br />
Description=Dropbox as a systemd service<br />
After=xorg.target<br />
<br />
[Service]<br />
ExecStart=/home/your_user/.dropbox-dist/dropbox<br />
ExecReload=/bin/kill -HUP $MAINPID<br />
Environment=DISPLAY=%i<br />
<br />
[Install]<br />
WantedBy=mystuff.target<br />
</nowiki>}}<br />
<br />
They you can start/enable it with:<br />
<br />
systemctl --user {start|enable} dropbox@:0.service<br />
<br />
That way you can easily start it in your main display (likely :0) or in another one, without having to hard code it.<br />
<br />
{{Note|After a lot of trial and error I found that using {{ic|/usr/bin/dropboxd}} didn't start the service and it didn't show any error either (even when running it directly from the terminal worked fine). I believe it has to do that starting it that way systemd doesn't know which user is actually running the daemon.}}<br />
<br />
==Without Nautilus (Another Way)==<br />
<br />
Another way to use Dropbox without Nautilus but with another file manager like Thunar or Pcmanfm is described below:<br />
<br />
1. Create a fake Nautilus script that will launch Thunar:<br />
$ sudo touch /usr/bin/nautilus && sudo chmod +x /usr/bin/nautilus && sudo nano /usr/bin/nautilus<br />
<br />
2. Insert this text into the file, then save and exit:<br />
#!/bin/bash<br />
exec thunar $2<br />
exit 0<br />
<br />
3. Launch Dropbox<br />
$ dropboxd<br />
<br />
4. Click on the Dropbox tray icon to open your Dropbox folder in Thunar.<br />
<br />
{{Note|In this way there is no need to create a Dropbox daemon in {{ic|/etc/rc.d/}} and to start it at boot via {{ic|/etc/rc.conf}} or to make it start via your session manager: just leave the "Start Dropbox on system startup" option flagged in the Preferences window.}}<br />
<br />
{{Note|If you already have Nautilus installed but do not want to use it, don't modify the existing file under {{ic|/usr/bin}}, just change the {{ic|/usr/bin}} for {{ic|/opt/dropbox}} in the step 2 above, like this: {{Ic|$ sudo touch /opt/dropbox/nautilus && sudo chmod +x /opt/dropbox/nautilus && sudo nano /opt/dropbox/nautilus}}. Dropbox will look in this path first!}}<br />
<br />
==Securing Your Dropbox==<br />
<br />
If you want to store sensitive data in your Dropbox, you should encrypt it before. Syncing to Dropbox is encrypted, but all files are (for the time being) stored on the server unencrypted just as you put them in your Dropbox.<br />
<br />
* Dropbox works with [[TrueCrypt]], and after you initially uploaded the TrueCrypt volume to Dropbox, performance is quite okay, because Dropbox has a working binary diff.<br />
<br />
* Another possibility is to use [[EncFS]], which has the advantage that all files are encrypted separately, i.e. you do not have to determine in advance the size of the content you want to encrypt and your encrypted directory grows and shrinks while you add/delete/modify files in it. You can also mount an encrypted volume at startup using the {{ic|-S}} option of {{Ic|encfs}} to avoid having to input the passphrase, but note that your encrypted files are not secure from someone who has direct access to your computer.<br />
<br />
===Setup EncFS With Dropbox===<br />
Follow the Wiki instructions to install [[EncFS]].<br />
<br />
Assuming you have set your Dropbox directory as ~/Dropbox:<br />
<br />
Create a folder. Files you want synced to Dropbox will go in here.<br />
$ mkdir ~/Private<br />
<br />
Run the following and enter a password when asked:<br />
$ encfs ~/Dropbox/Encrypted ~/Private<br />
<br />
Your secure folder is ready for use; creating any file inside ~/Private will automatically encrypt it into ~/Dropbox/Encrypted, which will then be synced to your cloud storage.<br />
<br />
To mount your EncFS folder on every boot, follow the instructions in the EncFS wiki here:<br />
https://wiki.archlinux.org/index.php/EncFS#User_friendly_mounting<br />
<br />
==Multiple Dropbox Instances==<br />
<br />
If you need to separate or distinguish your data, personal and work usage for example, you can subscribe to Dropbox with different email addresses and have multiple directories synced to different instances.<br />
<br />
The basic principle and general how-to are described in the [http://www.dropboxwiki.com/Multiple_Instances_On_Unix Dropbox Wiki].<br />
<br />
{{Note|When dealing with multiple instances you have to select the Dropbox destination folder, which the Dropbox installer asks in the last step; usage examples may be {{ic|/home/dropbox-personal}}, {{ic|/home/dropbox-work}}, and so on.}}<br />
<br />
For convenience, here is a script that I use to accomplish the task: just add a dir in the "dropboxes" list to have another instance of Dropbox, referring to the dir, loaded at script startup.<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash <br />
<br />
#******************************* <br />
# Multiple dropbox instances <br />
#******************************* <br />
<br />
dropboxes=(.dropbox-personal .dropbox-work) <br />
<br />
for dropbox in ${dropboxes[@]} <br />
do <br />
if ! [ -d $HOME/$dropbox ];then <br />
mkdir $HOME/$dropbox <br />
fi <br />
HOME=$HOME/$dropbox/ /usr/bin/dropbox start -i <br />
done <br />
</nowiki>}}<br />
<br />
==Dropbox on Laptops==<br />
<br />
Dropbox itself is pretty good at dealing with connectivity problems. If you have a laptop and roam between different network environments, Dropbox will have problems reconnecting if you do not restart it. The easiest way to solve this with [[netcfg]] is to use POST_UP and PRE_DOWN.<br />
<br />
In every network profile you use (or in the [[Netcfg#Per-interface_configuration]]), add the appropriate commands:<br />
{{bc|<nowiki><br />
POST_UP="any other code; su -c 'DISPLAY=:0 /usr/bin/dropboxd &' your_user"<br />
PRE_DOWN="any other code; killall dropbox"<br />
</nowiki>}}<br />
For [[netctl]], use ExecUpPost and ExecDownPre respectively. Add '|| true' to your command to make sure [[netctl]] will bring up your profile, although Dropbox fails to start.<br />
{{bc|<nowiki><br />
ExecUpPost="any other code; su -c 'DISPLAY=:0 /usr/bin/dropboxd &' your_user || true"<br />
ExecDownPre="any other code; killall dropbox"<br />
</nowiki>}}<br />
Obviously, your_user has to be edited and 'any other code;' can be omitted if you do not have any. The above will make sure that Dropbox is running only if there is a network profile active.<br />
<br />
If you have connectivity problem with [[NetworkManager]], [https://bbs.archlinux.org/viewtopic.php?pid=790905, this thread] on forum should be useful.<br />
<br />
==Known Issues==<br />
===Dropbox keeps saying Downloading files===<br />
But in fact now files are synced with your box. This problem is likely to appear when your Dropbox folder is located on a NTFS partition whose mount path contains spaces. See more in the [[https://bbs.archlinux.org/viewtopic.php?id=153368 forums]]. To resolve the problem pay attention to your entry in {{ic|/etc/fstab}}. Avoid spaces in the mount path and set write permissions:<br />
<br />
UUID=01CD2ABB65E17DE0 /run/media/username/Windows ntfs-3g uid=username,gid=users 0 0<br />
<br />
===Change the Dropbox location from the installation wizard===<br />
Some users experience the problem during setting-up Dropbox that they cannot select a Dropbox folder other than {{ic|/home/username/Dropbox}}. In this case when the window for changing the path is shown , hit CTRL+L, enter the location (e.g. /mnt/data/Dropbox) and click on the 'Choose' or 'Open' button.<br />
<br />
===Context menu entries in file manager do not work===<br />
Several file managers such as Thunar, Nautilus or its fork Nemo come with extensions that provide context menu entries for files and folders inside your Dropbox. Most of them will result in a browser action such as opening the file or folder in dropbox.com or sharing the link. If you experience these entries to not working, then you are likely to have not set the {{ic|$BROWSER}} variable which Dropbox requires. You can check that by <br />
<br />
echo $BROWSER<br />
<br />
To set your {{ic|$BROWSER}} variable open {{ic|~/.profile}} and replace {{ic|chromium}} with your default browser:<br />
<br />
if [ -n "$DISPLAY" ]; then<br />
BROWSER=chromium<br />
fi<br />
<br />
===Connecting...===<br />
{{Note|It seems that this issue has been fixed in later versions of dropbox (sometime before 1.6.0-2). It might be reasonable to test before installing one of the following scripts}}<br />
It may happen that Dropbox cannot connect successfully because it was loaded before an Internet connection was established. To solve the problem the content of the file {{ic|/opt/dropbox/dropboxd}} needs to be replaced with the following: <br />
<br />
<br />
#!/bin/sh<br />
<br />
# Copyright 2008 Evenflow, Inc., 2010 Dropbox<br />
#<br />
# Environment script for the dropbox executable.<br />
<br />
start_dropbox() {<br />
PAR=$(dirname $(readlink -f $0))<br />
OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH<br />
LD_LIBRARY_PATH=$PAR:$LD_LIBRARY_PATH <br />
<br />
TMP1=`ps ax|grep dropbox|grep -v grep`<br />
if [ -n "$TMP1" ]; then<br />
kill -9 $(pidof dropbox) >/dev/null 2>&1<br />
fi<br />
exec $PAR/dropbox $@ &<br />
}<br />
<br />
do_dropbox() {<br />
start_dropbox >/dev/null 2>&1<br />
while [ 1 ]; do<br />
sleep 5<br />
ERROR="$(net_test)"<br />
if [ -n "$ERROR" ]; then<br />
LAST_ERROR=1<br />
else<br />
if [ -n "$LAST_ERROR" ]; then<br />
# Connection seems to be up but last cycle was down<br />
LAST_ERROR=""<br />
start_dropbox >/dev/null 2>&1<br />
fi<br />
fi<br />
done<br />
<br />
}<br />
<br />
net_test() {<br />
TMP1="$(ip addr |grep "inet " |grep -v "127.0.0.1")"<br />
[ -z "$TMP1" ] && echo "error"<br />
}<br />
<br />
do_dropbox<br />
<br />
Following is an alternative script that will check for an actual Internet connection by using {{pkg|curl}} to check if any entry in a list of hosts and IP addresses is available.<br />
If none of the specified hosts are available, the script will wait and try again (albeit not forever).<br />
The way the script increments the waiting time is quite messy, but the logic goes like this:<br />
<br />
Start with a wait time of 5 seconds.<br />
<br />
Multiply by 1.5.<br />
<br />
Do this as long as the wait time is less than 1500 seconds (25 minutes), and the check_net()<br />
function returns non-zero values (failure).<br />
<br />
#!/bin/bash<br />
<br />
# Copyright 2008 Evenflow, Inc., 2010 Dropbox<br />
#<br />
# Environment script for the dropbox executable.<br />
<br />
WAIT_TIME=5 #initial time to wait between checking the internet connection<br />
#HOSTS="www.google.com www.wikipedia.org 8.8.8.8 208.67.222.222"<br />
HOSTS="www.google.com www.wikipedia.org "<br />
<br />
PAR=$(dirname $(readlink -f $0))<br />
OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH<br />
LD_LIBRARY_PATH=$PAR${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH<br />
<br />
#non-zero exit code iff none of the hosts could be reached<br />
check_net() {<br />
local ret=1<br />
for i in $HOSTS; do<br />
#ping -w2 -c2 $i > /dev/null 2>&1 && ret=0 && break<br />
curl -o /dev/null $i > /dev/null 2>&1 && ret=0 && break<br />
done<br />
echo $ret<br />
}<br />
<br />
#if dropbox is running; kill it. Then start dropbox<br />
start_dropbox() {<br />
local tmp=`ps ax|grep -E "[0-9] $PAR/dropbox"|grep -v grep`<br />
if [ -n "$tmp" ]; then<br />
kill -9 $(pidof dropbox) > /dev/null 2>&1<br />
fi<br />
exec $PAR/dropbox $@ > /dev/null 2>&1 &<br />
}<br />
<br />
#loop over: start dropbox iff check_net returns 0<br />
#loop (and with it, the entire script) terminates when dropbox has been restarted,<br />
#+ or the waiting time has exeeded 1500 seconds (it grows 50% with each iteration of the loop)<br />
attempt_startup() {<br />
while [ $WAIT_TIME -lt 1500 ] ; do<br />
if [ $(check_net) -eq 0 ]; then<br />
start_dropbox<br />
exit<br />
fi<br />
sleep $WAIT_TIME<br />
#WAIT_TIME=$(($WAIT_TIME+$WAIT_TIME/2))<br />
let "WAIT_TIME += WAIT_TIME/2"<br />
done<br />
}<br />
<br />
start_dropbox<br />
attempt_startup &<br />
<br />
{{Tip|When you update Dropbox via your preferred AUR helper, the file will (usually) be reverted to the default one. You can prevent this with {{ic|chattr +i /opt/dropbox/dropboxd}} which will make the file immutable. To reverse this action simply use {{ic|chattr -i /opt/dropbox/dropboxd}}. }}<br />
<br />
===Dropbox does not start - "This is usually because of a permission error"===<br />
<br />
====Check permissions====<br />
Make sure that you own Dropbox's directories before running the application. This includes<br />
*{{ic|~/.dropbox}} - Dropbox's configuration directory<br />
*{{ic|~/Dropbox}} - Dropbox's download directory (default)<br />
You can ensure this by changing their owner with {{ic|chown -R}}.<br />
<br />
This error could also be caused by {{ic|/var}} being full.<br />
<br />
====Re-linking your account====<br />
[https://www.dropbox.com/help/72 Dropbox's FAQ] suggests that this error may be caused by misconfiguration and is fixed by (re)moving the current configuration folder<br />
# mv ~/.dropbox ~/.dropbox.old<br />
and restarting Dropbox.<br />
<br />
====Errors caused by running out of space====<br />
A common error that might happen is that there is no more available space on your {{ic|/tmp}} and {{ic|/var}} partitions. If this happens, Dropbox will crash on startup with the following error in its log:<br />
{{bc|<br />
Exception: Not a valid FileCache file<br />
}}<br />
A detailed story of such an occurrence can be found in the [https://bbs.archlinux.org/viewtopic.php?pid=973458 forums]. Make sure there is enough space available before launching Dropbox.<br />
<br />
====Locale caused errors====<br />
Try starting {{Ic|dropboxd}} with this code:<br />
<br />
LANG=$LOCALE<br />
dropboxd<br />
<br />
(You can also use a different value for LANG; it must be in the format "en_US.UTF-8")<br />
This helps when running from a Bash script or Bash shell where {{ic|/etc/rc.d/functions}} has been loaded<br />
<br />
====Filesystem monitoring problem====<br />
If you have a lot of files to sync in your Dropbox folder, you might get the following error:<br />
<br />
Unable to monitor filesystem<br />
Please run: echo 100000 | sudo tee /proc/sys/fs/inotify/max_user_watches and restart Dropbox to correct the problem.<br />
<br />
This can be fixed easily by adding<br />
<br />
fs.inotify.max_user_watches = 100000<br />
<br />
to {{ic|/etc/sysctl.conf}} and then reload the kernel parameters<br />
<br />
# sysctl -p<br />
<br />
===Proxy Settings===<br />
The easiest way to set Dropbox's proxy settings is by defining them manually in the Proxies tab of the Preferences window. Alternatively, you can also set it to 'Auto-detect' and then export your proxy server to the http_proxy env variable prior to starting Dropbox (HTTP_PROXY is also usable)<br />
env http_proxy=http://your.proxy.here:port /usr/bin/dropboxd<br />
or<br />
export http_proxy=http://your.proxy.here:port<br />
/usr/bin/dropboxd<br />
<br />
Take note, Dropbox will only use proxy settings of the form http://your.proxy.here:port, not your.proxy.here:port as some other applications do.<br />
<br />
==Alternatives==<br />
*[[Ubuntu One]] - {{Pkg|ubuntuone-client}}<br />
*[https://spideroak.com/ Spider Oak] - {{AUR|spideroak}}<br />
*[http://kdropbox.deuteros.es/ KFileBox] - {{AUR|kfilebox}}<br />
*[https://www.wuala.com/ Wuala] - {{AUR|wuala}}</div>Eldoghttps://wiki.archlinux.org/index.php?title=Dropbox&diff=257030Dropbox2013-05-14T08:04:39Z<p>Eldog: </p>
<hr />
<div>[[Category:Internet Applications]]<br />
[[de:Dropbox]]<br />
[[it:Dropbox]]<br />
[[zh-TW:Dropbox]]<br />
[[ru:Dropbox]]<br />
[https://www.dropbox.com Dropbox] is a file sharing system that recently introduced a GNU/Linux client. Use it to transparently sync files across computers and architectures. Simply drop files into your {{ic|~/Dropbox}} folder, and they will automatically sync to your centralized repository.<br />
<br />
==Installation==<br />
<br />
{{AUR|dropbox}} can be installed from the [[Arch User Repository|AUR]]. Alternatively, {{AUR|dropbox-experimental}} is also available.<br />
<br />
# After installing the package, you can start Dropbox from your application menu or run {{ic|dropboxd}} from the command-line. The client icon will appear in the system tray.<br />
# A pop-up will notify you that Dropbox is running from an unsupported location. Click on Don't ask again since you know that you have installed it from AUR rather than from the official homepage.<br />
# Eventually a pop-up will ask you to log in to your Dropbox account or create a new account. Enter your credentials.<br />
# After some time you will see a "Welcome to Dropbox" pop-up, which will give you the opportunity to view a short tour of Dropbox.<br />
# Press the "Finish and go to My Dropbox".<br />
<br />
For [[KDE]] users, no further steps are required (it is enough to install the above {{AUR|dropbox}} package from the AUR), as KDE saves running applications when logging out and restarts them automatically. Similarly for [[Xfce]] users, dropbox will be restarted automatically next time you login since the {{ic|dropbox.desktop}} file be placed in {{ic|~/.config/autostart}}.<br />
<br />
===Optional packages===<br />
<br />
*For a command-line interface, install {{AUR|dropbox-cli}} from the [[Arch User Repository|AUR]].<br />
*For integration with Nautilus, install {{AUR|nautilus-dropbox}} from the AUR. The Nautilus plugin will start Dropbox automatically.<br />
*For integration with Nemo, install {{AUR|nemo-dropbox-git}} from the AUR.<br />
*For integration with [[Thunar]], install {{AUR|thunar-dropbox}} from the AUR.<br />
*For [[KDE]] users, there is a KDE client available: {{AUR|kfilebox}} from the AUR.<br />
<br />
===Automatically Starting Dropbox===<br />
<br />
Dropbox can be automatically started by adding {{Ic|dropboxd}} to {{ic|~/.xinitrc}} (or {{ic|~/.config/openbox/autostart}}, depending on your setup). Alternatively, you can [[#Run as daemon with systemd|start it as a daemon]].<br />
<br />
== Alternative to install: use the web interface ==<br />
<br />
If all you need is basic access to the files in your Dropbox, you can use the web interface at https://www.dropbox.com/ to upload and download files to your Dropbox. This can be a viable alternative to running a Dropbox daemon and mirroring all the files on your own machine.<br />
<br />
==Run as daemon with systemd==<br />
<br />
Recent versions of Dropbox come with a systemd service file. By default running Dropbox as a daemon does not give you an icon in the system tray, but syncs your files and folders in the background. If you want to have tray support, then you have to copy the service file to {{ic|/etc/systemd/system/dropbox@.service}} and add the environment variable.<br />
<br />
# echo ".include /usr/lib/systemd/system/dropbox@.service<br />
[Service]<br />
Environment=DISPLAY=:0" > /etc/systemd/system/dropbox@.service<br />
<br />
Finally, to enable the daemon for your user, so that it will start at login:<br />
# systemctl enable dropbox@<user><br />
Note that you have to manually start Dropbox the first time after installation, so that it runs through the login and setup screen. Further, you need to uncheck the option '''Start Dropbox on system startup''' in order to prevent Dropbox from being started twice. The daemon can then be used subsequently.<br />
<br />
===Run as a daemon with systemd user===<br />
<br />
If you have followed the [[systemd/User]] wiki page, you probably want to start dropbox only when you log in or launch your WM/DE. The solution in that case is to create a service in your home directory instead of using the sysadmin account:<br />
<br />
{{hc|$HOME/.config/systemd/user/dropbox@.service|<nowiki><br />
[Unit]<br />
Description=Dropbox as a systemd service<br />
After=xorg.target<br />
<br />
[Service]<br />
ExecStart=/home/your_user/.dropbox-dist/dropbox<br />
ExecReload=/bin/kill -HUP $MAINPID<br />
Environment=DISPLAY=%i<br />
<br />
[Install]<br />
WantedBy=mystuff.target<br />
</nowiki>}}<br />
<br />
They you can start/enable it with:<br />
<br />
systemctl --user {start|enable} dropbox@:0.service<br />
<br />
That way you can easily start it in your main display (likely :0) or in another one, without having to hard code it.<br />
<br />
{{Note|After a lot of trial and error I found that using {{ic|/usr/bin/dropboxd}} didn't start the service and it didn't show any error either (even when running it directly from the terminal worked fine). I believe it has to do that starting it that way systemd doesn't know which user is actually running the daemon.}}<br />
<br />
==Without Nautilus (Another Way)==<br />
<br />
Another way to use Dropbox without Nautilus but with another file manager like Thunar or Pcmanfm is described below:<br />
<br />
1. Create a fake Nautilus script that will launch Thunar:<br />
$ sudo touch /usr/bin/nautilus && sudo chmod +x /usr/bin/nautilus && sudo nano /usr/bin/nautilus<br />
<br />
2. Insert this text into the file, then save and exit:<br />
#!/bin/bash<br />
exec thunar $2<br />
exit 0<br />
<br />
3. Launch Dropbox<br />
$ dropboxd<br />
<br />
4. Click on the Dropbox tray icon to open your Dropbox folder in Thunar.<br />
<br />
{{Note|In this way there is no need to create a Dropbox daemon in {{ic|/etc/rc.d/}} and to start it at boot via {{ic|/etc/rc.conf}} or to make it start via your session manager: just leave the "Start Dropbox on system startup" option flagged in the Preferences window.}}<br />
<br />
{{Note|If you already have Nautilus installed but do not want to use it, don't modify the existing file under {{ic|/usr/bin}}, just change the {{ic|/usr/bin}} for {{ic|/opt/dropbox}} in the step 2 above, like this: {{Ic|$ sudo touch /opt/dropbox/nautilus && sudo chmod +x /opt/dropbox/nautilus && sudo nano /opt/dropbox/nautilus}}. Dropbox will look in this path first!}}<br />
<br />
==Securing Your Dropbox==<br />
<br />
If you want to store sensitive data in your Dropbox, you should encrypt it before. Syncing to Dropbox is encrypted, but all files are (for the time being) stored on the server unencrypted just as you put them in your Dropbox.<br />
<br />
* Dropbox works with [[TrueCrypt]], and after you initially uploaded the TrueCrypt volume to Dropbox, performance is quite okay, because Dropbox has a working binary diff.<br />
<br />
* Another possibility is to use [[EncFS]], which has the advantage that all files are encrypted separately, i.e. you do not have to determine in advance the size of the content you want to encrypt and your encrypted directory grows and shrinks while you add/delete/modify files in it. You can also mount an encrypted volume at startup using the {{ic|-S}} option of {{Ic|encfs}} to avoid having to input the passphrase, but note that your encrypted files are not secure from someone who has direct access to your computer.<br />
<br />
===Setup EncFS With Dropbox===<br />
Follow the Wiki instructions to install [[EncFS]].<br />
<br />
Assuming you have set your Dropbox directory as ~/Dropbox:<br />
<br />
Create a folder. Files you want synced to Dropbox will go in here.<br />
$ mkdir ~/Private<br />
<br />
Run the following and enter a password when asked:<br />
$ encfs ~/Dropbox/Encrypted ~/Private<br />
<br />
Your secure folder is ready for use; creating any file inside ~/Private will automatically encrypt it into ~/Dropbox/Encrypted, which will then be synced to your cloud storage.<br />
<br />
To mount your EncFS folder on every boot, follow the instructions in the EncFS wiki here:<br />
https://wiki.archlinux.org/index.php/EncFS#User_friendly_mounting<br />
<br />
==Multiple Dropbox Instances==<br />
<br />
If you need to separate or distinguish your data, personal and work usage for example, you can subscribe to Dropbox with different email addresses and have multiple directories synced to different instances.<br />
<br />
The basic principle and general how-to are described in the [http://www.dropboxwiki.com/Multiple_Instances_On_Unix Dropbox Wiki].<br />
<br />
{{Note|When dealing with multiple instances you have to select the Dropbox destination folder, which the Dropbox installer asks in the last step; usage examples may be {{ic|/home/dropbox-personal}}, {{ic|/home/dropbox-work}}, and so on.}}<br />
<br />
For convenience, here is a script that I use to accomplish the task: just add a dir in the "dropboxes" list to have another instance of Dropbox, referring to the dir, loaded at script startup.<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash <br />
<br />
#******************************* <br />
# Multiple dropbox instances <br />
#******************************* <br />
<br />
dropboxes=(.dropbox-personal .dropbox-work) <br />
<br />
for dropbox in ${dropboxes[@]} <br />
do <br />
if ! [ -d $HOME/$dropbox ];then <br />
mkdir $HOME/$dropbox <br />
fi <br />
HOME=$HOME/$dropbox/ /usr/bin/dropbox start -i <br />
done <br />
</nowiki>}}<br />
<br />
==Dropbox on Laptops==<br />
<br />
Dropbox itself is pretty good at dealing with connectivity problems. If you have a laptop and roam between different network environments, Dropbox will have problems reconnecting if you do not restart it. The easiest way to solve this with [[netcfg]] is to use POST_UP and PRE_DOWN.<br />
<br />
In every network profile you use (or in the [[Netcfg#Per-interface_configuration]]), add the appropriate commands:<br />
{{bc|<nowiki><br />
POST_UP="any other code; su -c 'DISPLAY=:0 /usr/bin/dropboxd &' your_user"<br />
PRE_DOWN="any other code; killall dropbox"<br />
</nowiki>}}<br />
For [[netctl]], use ExecUpPost and ExecDownPre respectively. Add '|| true' to your command to make sure [[netctl]] will bring up your profile, although Dropbox fails to start.<br />
{{bc|<nowiki><br />
ExecUpPost="any other code; su -c 'DISPLAY=:0 /usr/bin/dropboxd &' your_user || true"<br />
ExecDownPre="any other code; killall dropbox"<br />
</nowiki>}}<br />
Obviously, your_user has to be edited and 'any other code;' can be omitted if you do not have any. The above will make sure that Dropbox is running only if there is a network profile active.<br />
<br />
If you have connectivity problem with [[NetworkManager]], [https://bbs.archlinux.org/viewtopic.php?pid=790905, this thread] on forum should be useful.<br />
<br />
==Known Issues==<br />
===Dropbox keeps saying Downloading files===<br />
But in fact now files are synced with your box. This problem is likely to appear when your Dropbox folder is located on a NTFS partition whose mount path contains spaces. See more in the [[https://bbs.archlinux.org/viewtopic.php?id=153368 forums]]. To resolve the problem pay attention to your entry in {{ic|/etc/fstab}}. Avoid spaces in the mount path and set write permissions:<br />
<br />
UUID=01CD2ABB65E17DE0 /run/media/username/Windows ntfs-3g uid=username,gid=users 0 0<br />
<br />
===Change the Dropbox location from the installation wizard===<br />
Some users experience the problem during setting-up Dropbox that they cannot select a Dropbox folder other than {{ic|/home/username/Dropbox}}. In this case when the window for changing the path is shown , hit CTRL+L, enter the location (e.g. /mnt/data/Dropbox) and click on the 'Choose' or 'Open' button.<br />
<br />
===Context menu entries in file manager do not work===<br />
Several file managers such as Thunar, Nautilus or its fork Nemo come with extensions that provide context menu entries for files and folders inside your Dropbox. Most of them will result in a browser action such as opening the file or folder in dropbox.com or sharing the link. If you experience these entries to not working, then you are likely to have not set the {{ic|$BROWSER}} variable which Dropbox requires. You can check that by <br />
<br />
echo $BROWSER<br />
<br />
To set your {{ic|$BROWSER}} variable open {{ic|~/.profile}} and replace {{ic|chromium}} with your default browser:<br />
<br />
if [ -n "$DISPLAY" ]; then<br />
BROWSER=chromium<br />
fi<br />
<br />
===Connecting...===<br />
{{Note|It seems that this issue has been fixed in later versions of dropbox (sometime before 1.6.0-2). It might be reasonable to test before installing one of the following scripts}}<br />
It may happen that Dropbox cannot connect successfully because it was loaded before an Internet connection was established. To solve the problem the content of the file {{ic|/opt/dropbox/dropboxd}} needs to be replaced with the following: <br />
<br />
<br />
#!/bin/sh<br />
<br />
# Copyright 2008 Evenflow, Inc., 2010 Dropbox<br />
#<br />
# Environment script for the dropbox executable.<br />
<br />
start_dropbox() {<br />
PAR=$(dirname $(readlink -f $0))<br />
OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH<br />
LD_LIBRARY_PATH=$PAR:$LD_LIBRARY_PATH <br />
<br />
TMP1=`ps ax|grep dropbox|grep -v grep`<br />
if [ -n "$TMP1" ]; then<br />
kill -9 $(pidof dropbox) >/dev/null 2>&1<br />
fi<br />
exec $PAR/dropbox $@ &<br />
}<br />
<br />
do_dropbox() {<br />
start_dropbox >/dev/null 2>&1<br />
while [ 1 ]; do<br />
sleep 5<br />
ERROR="$(net_test)"<br />
if [ -n "$ERROR" ]; then<br />
LAST_ERROR=1<br />
else<br />
if [ -n "$LAST_ERROR" ]; then<br />
# Connection seems to be up but last cycle was down<br />
LAST_ERROR=""<br />
start_dropbox >/dev/null 2>&1<br />
fi<br />
fi<br />
done<br />
<br />
}<br />
<br />
net_test() {<br />
TMP1="$(ip addr |grep "inet " |grep -v "127.0.0.1")"<br />
[ -z "$TMP1" ] && echo "error"<br />
}<br />
<br />
do_dropbox<br />
<br />
Following is an alternative script that will check for an actual Internet connection by using {{pkg|curl}} to check if any entry in a list of hosts and IP addresses is available.<br />
If none of the specified hosts are available, the script will wait and try again (albeit not forever).<br />
The way the script increments the waiting time is quite messy, but the logic goes like this:<br />
<br />
Start with a wait time of 5 seconds.<br />
<br />
Multiply by 1.5.<br />
<br />
Do this as long as the wait time is less than 1500 seconds (25 minutes), and the check_net()<br />
function returns non-zero values (failure).<br />
<br />
#!/bin/bash<br />
<br />
# Copyright 2008 Evenflow, Inc., 2010 Dropbox<br />
#<br />
# Environment script for the dropbox executable.<br />
<br />
WAIT_TIME=5 #initial time to wait between checking the internet connection<br />
#HOSTS="www.google.com www.wikipedia.org 8.8.8.8 208.67.222.222"<br />
HOSTS="www.google.com www.wikipedia.org "<br />
<br />
PAR=$(dirname $(readlink -f $0))<br />
OLD_LD_LIBRARY_PATH=$LD_LIBRARY_PATH<br />
LD_LIBRARY_PATH=$PAR${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH<br />
<br />
#non-zero exit code iff none of the hosts could be reached<br />
check_net() {<br />
local ret=1<br />
for i in $HOSTS; do<br />
#ping -w2 -c2 $i > /dev/null 2>&1 && ret=0 && break<br />
curl -o /dev/null $i > /dev/null 2>&1 && ret=0 && break<br />
done<br />
echo $ret<br />
}<br />
<br />
#if dropbox is running; kill it. Then start dropbox<br />
start_dropbox() {<br />
local tmp=`ps ax|grep -E "[0-9] $PAR/dropbox"|grep -v grep`<br />
if [ -n "$tmp" ]; then<br />
kill -9 $(pidof dropbox) > /dev/null 2>&1<br />
fi<br />
exec $PAR/dropbox $@ > /dev/null 2>&1 &<br />
}<br />
<br />
#loop over: start dropbox iff check_net returns 0<br />
#loop (and with it, the entire script) terminates when dropbox has been restarted,<br />
#+ or the waiting time has exeeded 1500 seconds (it grows 50% with each iteration of the loop)<br />
attempt_startup() {<br />
while [ $WAIT_TIME -lt 1500 ] ; do<br />
if [ $(check_net) -eq 0 ]; then<br />
start_dropbox<br />
exit<br />
fi<br />
sleep $WAIT_TIME<br />
#WAIT_TIME=$(($WAIT_TIME+$WAIT_TIME/2))<br />
let "WAIT_TIME += WAIT_TIME/2"<br />
done<br />
}<br />
<br />
start_dropbox<br />
attempt_startup &<br />
<br />
{{Tip|When you update Dropbox via your preferred AUR helper, the file will (usually) be reverted to the default one. You can prevent this with {{ic|chattr +i /opt/dropbox/dropboxd}} which will make the file immutable. To reverse this action simply use {{ic|chattr -i /opt/dropbox/dropboxd}}. }}<br />
<br />
===Dropbox does not start - "This is usually because of a permission error"===<br />
<br />
====Check permissions====<br />
Make sure that you own Dropbox's directories before running the application. This includes<br />
*{{ic|~/.dropbox}} - Dropbox's configuration directory<br />
*{{ic|~/Dropbox}} - Dropbox's download directory (default)<br />
You can ensure this by changing their owner with {{ic|chown -R}}.<br />
<br />
This error could also be caused by {{ic|/var}} being full.<br />
<br />
====Re-linking your account====<br />
[https://www.dropbox.com/help/72 Dropbox's FAQ] suggests that this error may be caused by misconfiguration and is fixed by (re)moving the current configuration folder<br />
# mv ~/.dropbox ~/.dropbox.old<br />
and restarting Dropbox.<br />
<br />
====Errors caused by running out of space====<br />
A common error that might happen is that there is no more available space on your {{ic|/tmp}} and {{ic|/var}} partitions. If this happens, Dropbox will crash on startup with the following error in its log:<br />
{{bc|<br />
Exception: Not a valid FileCache file<br />
}}<br />
A detailed story of such an occurrence can be found in the [https://bbs.archlinux.org/viewtopic.php?pid=973458 forums]. Make sure there is enough space available before launching Dropbox.<br />
<br />
====Locale caused errors====<br />
Try starting {{Ic|dropboxd}} with this code:<br />
<br />
LANG=$LOCALE<br />
dropboxd<br />
<br />
(You can also use a different value for LANG; it must be in the format "en_US.UTF-8")<br />
This helps when running from a Bash script or Bash shell where {{ic|/etc/rc.d/functions}} has been loaded<br />
<br />
====Filesystem monitoring problem====<br />
If you have a lot of files to sync in your Dropbox folder, you might get the following error:<br />
<br />
Unable to monitor filesystem<br />
Please run: echo 100000 | sudo tee /proc/sys/fs/inotify/max_user_watches and restart Dropbox to correct the problem.<br />
<br />
This can be fixed easily by adding<br />
<br />
fs.inotify.max_user_watches = 100000<br />
<br />
to {{ic|/etc/sysctl.conf}} and then reload the kernel parameters with <br />
<br />
# sysctl -p<br />
<br />
===Proxy Settings===<br />
The easiest way to set Dropbox's proxy settings is by defining them manually in the Proxies tab of the Preferences window. Alternatively, you can also set it to 'Auto-detect' and then export your proxy server to the http_proxy env variable prior to starting Dropbox (HTTP_PROXY is also usable)<br />
env http_proxy=http://your.proxy.here:port /usr/bin/dropboxd<br />
or<br />
export http_proxy=http://your.proxy.here:port<br />
/usr/bin/dropboxd<br />
<br />
Take note, Dropbox will only use proxy settings of the form http://your.proxy.here:port, not your.proxy.here:port as some other applications do.<br />
<br />
==Alternatives==<br />
*[[Ubuntu One]] - {{Pkg|ubuntuone-client}}<br />
*[https://spideroak.com/ Spider Oak] - {{AUR|spideroak}}<br />
*[http://kdropbox.deuteros.es/ KFileBox] - {{AUR|kfilebox}}<br />
*[https://www.wuala.com/ Wuala] - {{AUR|wuala}}</div>Eldog