ArchWiki - Gamepad, revision 788807 (2023-09-30T20:44:48Z), taken from the user contributions feed for Harvie (https://wiki.archlinux.org/index.php?title=Gamepad&diff=788807). Edit summary: "Both PS4 and PS5 controllers need userspace hid for bluetooth to work"
<hr />
<div>[[Category:Input devices]]<br />
[[Category:Gaming]]<br />
[[ja:ゲームパッド]]<br />
Many gamepads work out of the box nowadays, but there are still many potential problems and sources of error, since gamepad support varies a lot between applications.<br />
<br />
{{Expansion|Need info about differences between API, how to switch between them.|section=Joystick API vibration support}}<br />
<br />
Linux has two different input systems for gamepads – the original Joystick interface and the newer evdev-based interface.<br />
<br />
{{ic|1=/dev/input/jsX}} maps to the Joystick API interface and {{ic|/dev/input/event*}} maps to the evdev ones (this also includes other input devices such as mice and keyboards). Symbolic links to those devices are also available in {{ic|/dev/input/by-id/}} and {{ic|/dev/input/by-path/}} where the legacy Joystick API has names ending with {{ic|-joystick}} while the evdev have names ending with {{ic|-event-joystick}}.<br />
<br />
Most new games will default to the evdev interface as it gives more detailed information about the buttons and axes available and also adds support for force feedback.<br />
<br />
While SDL1 defaults to the evdev interface, you can force it to use the old Joystick API by setting the environment variable {{ic|1=SDL_JOYSTICK_DEVICE=/dev/input/js0}}. This helps with some games, such as X3. SDL2 supports only the evdev interface.<br />
<br />
== Installation ==<br />
<br />
Unless you are using a very old joystick that uses a [[Wikipedia:Game port|gameport]] or a proprietary USB protocol, you will only need the generic USB Human Interface Device (HID) modules.<br />
<br />
For an extensive overview of all joystick-related modules in Linux, you need the Linux kernel sources, specifically the Documentation section; the official kernel packages do not ship it. If you have the kernel sources downloaded, have a look at {{ic|Documentation/input/joydev/}}. You can browse the kernel source tree at [https://kernel.org/ kernel.org] by clicking the "browse" (cgit, the git frontend) link for the kernel you are using, then clicking the "tree" link near the top. Alternatively, see the [https://docs.kernel.org/input/joydev/joystick.html documentation from the latest kernel].<br />
<br />
Some joysticks need specific modules, such as the Microsoft Sidewinder controllers ({{ic|sidewinder}}), or the Logitech digital controllers ({{ic|adi}}). Many older joysticks will work with the simple {{ic|analog}} module. If your joystick is plugging in to a gameport provided by your soundcard, you will need your soundcard drivers loaded — however, some cards, like the Soundblaster Live, have a specific gameport driver ({{ic|emu10k1-gp}}). Older ISA soundcards may need the {{ic|ns558}} module, which is a standard gameport module.<br />
<br />
As you can see, there are many different modules related to getting your joystick working in Linux, so not everything is covered here. See the documentation mentioned above for details.<br />
<br />
=== Loading the modules for analogue devices ===<br />
<br />
You need to load a module for your gameport ({{ic|ns558}}, {{ic|emu10k1-gp}}, {{ic|cs461x}}, etc...), a module for your joystick ({{ic|analog}}, {{ic|sidewinder}}, {{ic|adi}}, etc...), and finally the kernel joystick device driver ({{ic|joydev}}). You can [[load the module at boot]], or simply [[modprobe]] it. The {{ic|gameport}} module should load automatically, as this is a dependency of the other modules.<br />
<br />
=== USB gamepads ===<br />
<br />
You need to get USB working, then load your gamepad driver, which is {{ic|usbhid}}, as well as {{ic|joydev}}. If you use a USB mouse or keyboard, {{ic|usbhid}} is already loaded and you only have to load the {{ic|joydev}} module.<br />
<br />
{{Note|If your Xbox 360 gamepad is connected with the Play&Charge USB cable it will show up in {{ic|lsusb}} but it will not show up as an input device in {{ic|/dev/input/js*}}, see [[#Xbox 360 controller]].}}<br />
<br />
== Configuration ==<br />
<br />
=== Testing ===<br />
<br />
Once the modules are loaded, you should find a new device {{ic|/dev/input/js0}} and a file ending with {{ic|-event-joystick}} in the {{ic|/dev/input/by-id}} directory. You can simply {{ic|cat}} those devices to see if the joystick works: move the stick around and press all the buttons; the raw binary event records are printed as garbage characters whenever you move the sticks or press buttons.<br />
<br />
If you get a permission error, see [[#Device permissions]].<br />
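The garbage that {{ic|cat}} prints is the kernel's fixed-size event records. The following decoder is an added example (not part of the original page or of any kernel tool) that unpacks both formats described above: {{ic|struct js_event}} from {{ic|linux/joystick.h}} for {{ic|/dev/input/jsX}} and {{ic|struct input_event}} from {{ic|linux/input.h}} for {{ic|/dev/input/eventX}}. The sample byte strings are constructed, and the 24-byte {{ic|input_event}} layout assumes a 64-bit kernel (two 8-byte time fields).<br />

```python
"""Decode raw Joystick-API (/dev/input/jsX) and evdev (/dev/input/eventX) records.

Added example, not code from the wiki page. Struct layouts are the kernel's:
struct js_event (linux/joystick.h) and struct input_event (linux/input.h,
64-bit layout). The sample byte strings below are constructed, and are what
`cat` would print as unreadable characters.
"""
import struct
from dataclasses import dataclass

# struct js_event { __u32 time; __s16 value; __u8 type; __u8 number; }  -> 8 bytes
JS_EVENT_FMT = "<IhBB"
JS_EVENT_BUTTON = 0x01
JS_EVENT_AXIS = 0x02
JS_EVENT_INIT = 0x80   # OR'ed into type for the synthetic initial-state events

# struct input_event { struct timeval time; __u16 type; __u16 code; __s32 value; }
# On 64-bit Linux timeval is two 8-byte fields, giving a 24-byte record.
INPUT_EVENT_FMT = "<qqHHi"
EV_SYN, EV_KEY, EV_ABS = 0x00, 0x01, 0x03
BTN_SOUTH, ABS_X, ABS_Y = 0x130, 0x00, 0x01


@dataclass
class JsEvent:
    time_ms: int
    value: int
    type: int
    number: int

    @property
    def is_init(self) -> bool:
        return bool(self.type & JS_EVENT_INIT)

    @property
    def kind(self) -> str:
        return "axis" if self.type & JS_EVENT_AXIS else "button"


@dataclass
class InputEvent:
    sec: int
    usec: int
    type: int
    code: int
    value: int


def parse_js_stream(data: bytes) -> list:
    """Split a byte stream read from /dev/input/jsX into 8-byte records."""
    size = struct.calcsize(JS_EVENT_FMT)
    if len(data) % size:
        raise ValueError(f"truncated js_event stream: {len(data)} bytes")
    return [JsEvent(*struct.unpack_from(JS_EVENT_FMT, data, off))
            for off in range(0, len(data), size)]


def parse_evdev_stream(data: bytes) -> list:
    """Split a byte stream read from /dev/input/eventX into 24-byte records."""
    size = struct.calcsize(INPUT_EVENT_FMT)
    if len(data) % size:
        raise ValueError(f"truncated input_event stream: {len(data)} bytes")
    return [InputEvent(*struct.unpack_from(INPUT_EVENT_FMT, data, off))
            for off in range(0, len(data), size)]


def js_axis_to_unit(value: int) -> float:
    """Joystick API axes are already normalised to -32767..32767."""
    return max(-1.0, min(1.0, value / 32767.0))


# Constructed sample: an init event, a stick pushed fully up, then a button press.
SAMPLE_JS = b"".join([
    struct.pack(JS_EVENT_FMT, 1000, 0, JS_EVENT_AXIS | JS_EVENT_INIT, 0),
    struct.pack(JS_EVENT_FMT, 1016, -32767, JS_EVENT_AXIS, 1),
    struct.pack(JS_EVENT_FMT, 1032, 1, JS_EVENT_BUTTON, 0),
])
# Constructed sample: the same actions as evdev sees them, with SYN_REPORT separators.
SAMPLE_EVDEV = b"".join([
    struct.pack(INPUT_EVENT_FMT, 1700000000, 0, EV_ABS, ABS_Y, 0),
    struct.pack(INPUT_EVENT_FMT, 1700000000, 0, EV_SYN, 0, 0),
    struct.pack(INPUT_EVENT_FMT, 1700000000, 16000, EV_KEY, BTN_SOUTH, 1),
    struct.pack(INPUT_EVENT_FMT, 1700000000, 16000, EV_SYN, 0, 0),
])


def summarise_js(data: bytes = SAMPLE_JS) -> list:
    return [f"{'init ' if e.is_init else ''}{e.kind} {e.number} = {e.value}"
            for e in parse_js_stream(data)]


def summarise_evdev(data: bytes = SAMPLE_EVDEV) -> list:
    names = {EV_SYN: "SYN", EV_KEY: "KEY", EV_ABS: "ABS"}
    return [f"{names.get(e.type, hex(e.type))} code={e.code:#x} value={e.value}"
            for e in parse_evdev_stream(data) if e.type != EV_SYN]


if __name__ == "__main__":
    import sys
    # Usage: python decode.py /dev/input/js0   (or /dev/input/eventN) to decode live input.
    # Without an argument the constructed samples are decoded instead.
    if len(sys.argv) < 2:
        print(summarise_js(), summarise_evdev())
    else:
        fmt = JS_EVENT_FMT if "/js" in sys.argv[1] else INPUT_EVENT_FMT
        with open(sys.argv[1], "rb", buffering=0) as dev:
            while True:
                print(struct.unpack(fmt, dev.read(struct.calcsize(fmt))))
```

Run it against {{ic|/dev/input/js0}} and {{ic|/dev/input/event*}} in turn to see the same stick movement arrive as a single 8-byte axis record on the Joystick API and as an {{ic|EV_ABS}} record followed by {{ic|EV_SYN}} on evdev.<br />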
<br />
Both interfaces are also supported in [[Wine]] and reported as separate devices. You can test them (including vibration feedback) with {{ic|wine control joy.cpl}}.<br />
<br />
==== Joystick API ====<br />
<br />
There are a lot of applications that can test this old API; {{ic|jstest}} from the {{pkg|joyutils}} package is the simplest one. If the output is unreadable because the printed line is too long, you can also use graphical tools. KDE Plasma has a built-in one in ''System Settings > Input Devices > Game Controller''. {{AUR|jstest-gtk-git}} is an alternative.<br />
<br />
Using {{ic|jstest}} is simple: run {{ic|jstest /dev/input/js0}} and it prints a line with the state of all axes (normalised to {{ic|{-32767,32767}<nowiki/>}}) and buttons.<br />
<br />
After you start {{ic|jstest-gtk}}, it shows a list of the available joysticks; select one and press ''Properties''.<br />
<br />
==== evdev API ====<br />
<br />
The newer evdev API can be tested with the SDL2 joystick test application, with {{ic|evtest}} from {{Pkg|evtest}}, or with {{ic|evtest-qt}} from {{AUR|evtest-qt-git}}. For SDL2, install {{AUR|sdl2-jstest-git}} and run {{ic|sdl2-jstest --test 0}}; use {{ic|sdl2-jstest --list}} to get the IDs of other controllers if you have several connected.<br />
<br />
To test force feedback on the device, use {{ic|fftest}} from {{Pkg|linuxconsole}}:<br />
<br />
$ fftest /dev/input/by-id/usb-*event-joystick<br />
<br />
==== HTML5 Gamepad API ====<br />
<br />
Go to https://gamepad-tester.com/. Currently, testing vibration and producing a visual of the gamepad is supported in [[Chromium]] but not in [[Firefox]]. Additionally, as of version 107.0.5304.121-1, Chromium can read Joystick API devices but not evdev ones.<br />
<br />
=== Setting up deadzones and calibration ===<br />
<br />
{{Expansion|Describe calibration instructions for evdev|section=Unclear instructions on how to calibrate}}<br />
<br />
If you want to set up the deadzones of your analog input (or remove them completely), you have to do it separately for Xorg (for mouse and keyboard emulation), the Joystick API and the evdev API.<br />
<br />
==== Wine deadzones ====<br />
<br />
Add the following registry entry and set it to a string from {{ic|0}} to {{ic|10000}} (it affects all axes):<br />
<br />
HKEY_CURRENT_USER\Software\Wine\DirectInput\DefaultDeadZone<br />
<br />
Source: [https://wiki.winehq.org/UsefulRegistryKeys UsefulRegistryKeys]<br />
<br />
==== Xorg deadzones ====<br />
<br />
Add a line like the following to {{ic|/etc/X11/xorg.conf.d/51-joystick.conf}} (create it if it does not exist):<br />
<br />
{{hc|1=/etc/X11/xorg.conf.d/51-joystick.conf|2=<br />
Section "InputClass"<br />
Option "MapAxis1" "deadzone=1000"<br />
EndSection<br />
}}<br />
<br />
{{ic|1000}} is the default value, but you can set anything between {{ic|0}} and {{ic|30000}}. To find the axis number, see [[#Testing]].<br />
If you already have an option for a specific axis, append {{ic|1=deadzone=value}} to the end of that option's parameter, separated by a space.<br />
<br />
==== Joystick API deadzones and calibration ====<br />
<br />
The easiest way is using ''jstest-gtk'' from {{AUR|jstest-gtk-git}}. Select the joystick you want to edit, click the ''Properties'' button. On this new window, click the ''Calibration'' button ('''do not''' click ''Start Calibration'' after that). You can then set the {{ic|CenterMin}} and {{ic|CenterMax}} values, which control the center deadzone, and {{ic|RangeMin}} and {{ic|RangeMax}}, which control the end of throw deadzones. Note that the calibration settings are applied when the application opens the device, so you need to restart your game or test application to see updated calibration settings.<br />
<br />
After you set the deadzones, you can also create a [[udev]] rule to make the changes permanent:<br />
<br />
First, grab the vendor id of your joystick (replace {{ic|''X''}} with your joystick's number, it is usually {{ic|0}}):<br />
<br />
$ udevadm info -q property --property ID_VENDOR_ID --value /dev/input/js''X''<br />
<br />
Also grab the model id:<br />
<br />
$ udevadm info -q property --property ID_MODEL_ID --value /dev/input/js''X''<br />
<br />
If the commands above give empty output, it may be because your controller is connected via Bluetooth, which makes these attributes visible only on the parent device(s). To work around this, look for other unique attributes by running:<br />
<br />
$ udevadm info -a /dev/input/js''X''<br />
<br />
This will list all available attributes from your device (and parent devices). So, for example, if the parent device of your joystick has the attribute {{ic|1=ATTRS{uniq}=="a0:b1:c2:d3:e4:f5"}}, or maybe both {{ic|1=ATTRS{idVendor}=="054c"}} and {{ic|1=ATTRS{idProduct}=="09cc"}}, then you can use these instead of {{ic|ENV{ID_VENDOR_ID} }} and {{ic|ENV{ID_MODEL_ID} }} in the ''udev'' rule below.<br />
<br />
You can also have both rules at the same time; just separate them with a new line.<br />
<br />
Now use ''jscal'' to dump the calibration settings you just set for your joystick:<br />
<br />
$ jscal -p /dev/input/js''X''<br />
<br />
Now, modify this ''udev'' rule with the values you got:<br />
<br />
{{hc|1=/etc/udev/rules.d/85-jscal-custom-calibration.rules|2=<br />
ACTION=="add", KERNEL=="js[0-9]*", ENV{ID_VENDOR_ID}=="054c", ENV{ID_MODEL_ID}=="09cc", RUN+="/usr/bin/jscal -s 1,1,1,1 /dev/input/js%n"<br />
}}<br />
<br />
This rule automatically runs {{ic|/usr/bin/jscal -s 1,1,1,1 /dev/input/js%n}} whenever a joystick with vendor id {{ic|054c}} and model id {{ic|09cc}} is connected (replace {{ic|1,1,1,1}} with the values ''jscal -p'' printed). The {{ic|/dev/input/js%n}} part is required to select the correct joystick, so '''do not''' remove it. Note that udev executes {{ic|RUN+=}} commands as root for any device that presents these IDs, so keep the command to the absolute path of ''jscal'' and the calibration values only.<br />
<br />
Finally, [[Udev#Loading new rules|load]] this new ''udev'' rule.<br />
<br />
==== evdev API deadzones and calibration ====<br />
<br />
The ''evdev-joystick'' tool from the {{pkg|linuxconsole}} package can be used to view and change deadzones and calibration for {{ic|evdev}} API devices.<br />
<br />
To view your device configuration:<br />
$ evdev-joystick --showcal /dev/input/by-id/usb-*-event-joystick<br />
<br />
To change the deadzone for a particular axis, use a command like:<br />
$ evdev-joystick --evdev /dev/input/by-id/usb-*-event-joystick --axis 0 --deadzone 0<br />
<br />
To set the same deadzone for all axes at once, omit the {{ic|--axis 0}} option.<br />
<br />
The setting is lost when the device is unplugged, so use a udev rules file to apply it automatically when the controller is connected.<br />
<br />
Note that inside the kernel, the value is called {{ic|flatness}} and is set using the {{ic|EVIOCSABS}} {{ic|ioctl}}.<br />
<br />
The default configuration will look similar to this:<br />
<br />
{{hc|$ evdev-joystick --showcal /dev/input/by-id/usb-Madcatz_Saitek_Pro_Flight_X-55_Rhino_Stick_G0000090-event-joystick|2= Supported Absolute axes:<br />
Absolute axis 0x00 (0) (X Axis) (min: 0, max: 65535, flatness: 4095 (=6.25%), fuzz: 255)<br />
Absolute axis 0x01 (1) (Y Axis) (min: 0, max: 65535, flatness: 4095 (=6.25%), fuzz: 255)<br />
Absolute axis 0x05 (5) (Z Rate Axis) (min: 0, max: 4095, flatness: 255 (=6.23%), fuzz: 15)<br />
Absolute axis 0x10 (16) (Hat zero, x axis) (min: -1, max: 1, flatness: 0 (=0.00%), fuzz: 0)<br />
Absolute axis 0x11 (17) (Hat zero, y axis) (min: -1, max: 1, flatness: 0 (=0.00%), fuzz: 0)<br />
}}<br />
<br />
While a more reasonable setting would be achieved with something like this (repeat for other axes):<br />
<br />
{{hc|$ evdev-joystick --evdev /dev/input/by-id/usb-Madcatz_Saitek_Pro_Flight_X-55_Rhino_Stick_G0000090-event-joystick --axis 0 --deadzone 512|2= Event device file: /dev/input/by-id/usb-Madcatz_Saitek_Pro_Flight_X-55_Rhino_Stick_G0000090-event-joystick<br />
Axis index to deal with: 0<br />
New dead zone value: 512<br />
Trying to set axis 0 deadzone to: 512<br />
Absolute axis 0x00 (0) (X Axis) Setting deadzone value to : 512<br />
(min: 0, max: 65535, flatness: 512 (=0.78%), fuzz: 255)<br />
}}<br />
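The ''evdev-joystick'' calls above are thin wrappers around two ioctls: {{ic|EVIOCGABS}} reads a {{ic|struct input_absinfo}} for one axis and {{ic|EVIOCSABS}} writes it back with a new {{ic|flat}} value. The following is an added example (not ''evdev-joystick'' or kernel code) that does the same thing directly from Python, and reproduces the percentages the tool prints; the ioctl numbers are computed for the asm-generic layout used on x86-64 and aarch64 (an assumption, other architectures may encode them differently).<br />

```python
"""Read and set an evdev axis deadzone ("flatness") with EVIOCGABS/EVIOCSABS.

Added example, not evdev-joystick's own code. The ioctl request numbers are
built with the asm-generic _IOC() layout (x86-64, aarch64); this is an
assumption for other architectures. The percentage helper matches the
"flatness: 4095 (=6.25%)" style output of evdev-joystick --showcal.
"""
import fcntl
import struct

# struct input_absinfo { __s32 value, minimum, maximum, fuzz, flat, resolution; }
ABSINFO_FMT = "iiiiii"
ABSINFO_SIZE = struct.calcsize(ABSINFO_FMT)   # 24 bytes
ABSINFO_KEYS = ("value", "minimum", "maximum", "fuzz", "flat", "resolution")

_IOC_WRITE, _IOC_READ = 1, 2
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30


def _ioc(direction: int, ioc_type: str, nr: int, size: int) -> int:
    """asm-generic _IOC(): build an ioctl request number."""
    return ((direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT)
            | (ord(ioc_type) << _IOC_TYPESHIFT) | (nr << _IOC_NRSHIFT))


def eviocgabs(abs_code: int) -> int:
    """EVIOCGABS(abs) = _IOR('E', 0x40 + abs, struct input_absinfo)."""
    return _ioc(_IOC_READ, "E", 0x40 + abs_code, ABSINFO_SIZE)


def eviocsabs(abs_code: int) -> int:
    """EVIOCSABS(abs) = _IOW('E', 0xc0 + abs, struct input_absinfo)."""
    return _ioc(_IOC_WRITE, "E", 0xC0 + abs_code, ABSINFO_SIZE)


def flat_percent(minimum: int, maximum: int, flat: int) -> float:
    """Deadzone as a percentage of the axis range, rounded as the tool prints it."""
    span = maximum - minimum
    return round(100.0 * flat / span, 2) if span else 0.0


def read_absinfo(fd: int, abs_code: int) -> dict:
    """Fetch the current calibration of one axis from an open evdev fd."""
    buf = bytearray(ABSINFO_SIZE)
    fcntl.ioctl(fd, eviocgabs(abs_code), buf)
    return dict(zip(ABSINFO_KEYS, struct.unpack(ABSINFO_FMT, buf)))


def set_deadzone(fd: int, abs_code: int, flat: int) -> dict:
    """Set flatness for one axis; the change lasts until the device is re-plugged."""
    info = read_absinfo(fd, abs_code)
    if not 0 <= flat <= info["maximum"] - info["minimum"]:
        raise ValueError("deadzone outside axis range")
    info["flat"] = flat
    # dict order matches ABSINFO_FMT, so the values pack back in struct order.
    fcntl.ioctl(fd, eviocsabs(abs_code), struct.pack(ABSINFO_FMT, *info.values()))
    return read_absinfo(fd, abs_code)


if __name__ == "__main__":
    import os
    import sys
    # Usage: sudo python deadzone.py /dev/input/by-id/usb-*-event-joystick [axis] [flat]
    fd = os.open(sys.argv[1], os.O_RDONLY)
    axis = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    info = set_deadzone(fd, axis, int(sys.argv[3])) if len(sys.argv) > 3 else read_absinfo(fd, axis)
    print(f"axis {axis}: {info} flatness={flat_percent(info['minimum'], info['maximum'], info['flat'])}%")
```

Writing {{ic|EVIOCSABS}} needs write permission on the event node, which is why the tool is normally run as root or from a udev rule; reading with {{ic|EVIOCGABS}} works with the usual {{ic|input}} group access.<br />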
<br />
==== Virtual xboxdrv gamepad deadzones and calibration ====<br />
<br />
It is possible to use ''xboxdrv'' to present your gamepad as a virtual Xbox 360 gamepad while handling axis calibration and deadzones.<br />
<br />
Imagine that you tested your gamepad with ''evtest-qt'' and found that your left stick cannot reach the maximum value when you push it all the way up. The side effect is that in some games (for example, HITMAN 2) the character cannot run.<br />
<br />
Run ''xboxdrv'' and determine what the problematic axis is called; in this case it is {{ic|Y1}}. Now push the stick all the way up several times and note the lowest maximum you saw. Imagine it is {{ic|29426}}. To be on the safe side, take a value somewhat lower than that, like {{ic|29000}}. Run the command:<br />
# xboxdrv --detach-kernel-driver --calibration Y1=-32767:128:29000<br />
This translates the values of your real gamepad's {{ic|Y1}} axis from {{ic|128}} (center) to {{ic|29000}} (the highest reliably readable value) onto the ideal range of the virtual gamepad.<br />
<br />
A nice thing about ''xboxdrv'' is that it exports the resulting device through both the old Joystick API and the new evdev API, so it should be compatible with basically any application. You can now see in ''jstest'' that axis {{ic|1}} (the vertical axis of the left stick) is read from {{ic|0}} to {{ic|-32767}}, and in ''evtest-qt'' that you can reach the maximum value. And your character in the game can run.<br />
<br />
===== Configuring curves and responsiveness =====<br />
<br />
If your game needs only a limited number of buttons or has good support for multiple controllers, you may get good results using ''xboxdrv'' to change the response curves of the joystick.<br />
<br />
Below are example setups for Saitek X-55 HOTAS:<br />
<br />
$ xboxdrv --evdev /dev/input/by-id/usb-Madcatz_Saitek_Pro_Flight_X-55_Rhino_Throttle_G0000021-event-joystick \<br />
--evdev-no-grab --evdev-absmap 'ABS_#40=x1,ABS_#41=y1,ABS_X=x2,ABS_Y=y2' --device-name 'Hat and throttle' \<br />
--ui-axismap 'x2^cal:-32000:0:32000=,y2^cal:-32000:0:32000=' --silent<br />
<br />
This maps the {{ic|EV_ABS}} events with ids 40 and 41 (run ''xboxdrv'' with {{ic|--evdev-debug}} to see the registered events), which are the normally inaccessible "mouse pointer" on the throttle, to the first gamepad stick, and the throttles to the second stick. It also clamps the upper and lower ranges, as they do not always register fully.<br />
<br />
A bit more interesting is the setup for the stick:<br />
<br />
$ xboxdrv --evdev /dev/input/by-id/usb-Madcatz_Saitek_Pro_Flight_X-55_Rhino_Stick_G0000090-event-joystick \<br />
--evdev-no-grab --evdev-absmap 'ABS_X=x1' --evdev-absmap 'ABS_Y=y1' --device-name 'Joystick' \<br />
--ui-axismap 'x1^cal:-32537:-455:32561=,x1^dead:-900:700:1=,x1^resp:-32768:-21845:-2000:0:2000:21485:32767=' \<br />
--ui-axismap 'y1^cal:-32539:-177:32532=,y1^dead:-700:2500:1=,y1^resp:-32768:-21845:-2000:0:2000:21485:32767=' \<br />
--evdev-absmap 'ABS_RZ=x2' --ui-axismap 'x2^cal:-32000:-100:32000=,x2^dead:-1500:1000:1=,x2^resp:-32768:-21845:-2000:0:2000:21485:32767=' \<br />
--silent<br />
<br />
This maps the three joystick axes to gamepad axes and sets the calibration (min value, centre value, max value), the dead zones (negative side, positive side, flag to turn on smoothing) and finally a response curve that is flatter in the middle.<br />
<br />
You can also modify the responsiveness by setting the {{ic|sen}} (sensitivity) parameter. A value of {{ic|0}} gives linear sensitivity, {{ic|-1}} gives a very insensitive axis and {{ic|1}} a very sensitive one; intermediate values make it less or more sensitive. Internally ''xboxdrv'' uses a quadratic formula to calculate the resulting value, so this setting gives a smoother result than the {{ic|resp}} curve shown above.<br />
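To sanity-check the numbers in a {{ic|--calibration}} or {{ic|--ui-axismap}} line before creating the virtual pad, it helps to run a few raw samples through the filters by hand. The following is an added example, an illustrative reimplementation of the {{ic|cal}}, {{ic|dead}} and {{ic|resp}} filters used in the two subsections above, and not ''xboxdrv'' code. It assumes that {{ic|cal}} maps min/center/max linearly onto -32768/0/32767, that {{ic|dead}} with the smoothing flag rescales the remaining travel so the output has no jump, and that {{ic|resp}} places its samples at evenly spaced input positions and interpolates linearly between them; ''xboxdrv'' may round differently.<br />

```python
"""Axis post-processing in the style of xboxdrv's cal/dead/resp filters.

Added example, not xboxdrv's own code. Assumptions (see lead-in): linear
calibration around the centre, smoothed dead zone rescaling, and a
piecewise-linear response curve through evenly spaced samples.
"""
AXIS_MIN, AXIS_MAX = -32768, 32767


def clamp(v: int, lo: int = AXIS_MIN, hi: int = AXIS_MAX) -> int:
    return max(lo, min(hi, v))


def cal(value: int, minimum: int, center: int, maximum: int) -> int:
    """Map the real [minimum, center, maximum] range onto the ideal axis."""
    if value <= center:
        span = center - minimum
        out = AXIS_MIN * (center - value) / span if span else 0
    else:
        span = maximum - center
        out = AXIS_MAX * (value - center) / span if span else 0
    return clamp(int(round(out)))


def dead(value: int, neg: int, pos: int, smooth: bool = True) -> int:
    """Zero everything between neg and pos; with smooth, rescale the rest."""
    if neg <= value <= pos:
        return 0
    if not smooth:
        return value
    if value < neg:
        return clamp(int(round(AXIS_MIN * (neg - value) / (neg - AXIS_MIN))))
    return clamp(int(round(AXIS_MAX * (value - pos) / (AXIS_MAX - pos))))


def resp(value: int, samples: list) -> int:
    """Piecewise-linear response curve through evenly spaced sample points."""
    n = len(samples) - 1
    pos = (value - AXIS_MIN) / (AXIS_MAX - AXIS_MIN) * n   # 0.0 .. n
    i = min(int(pos), n - 1)
    frac = pos - i
    return clamp(int(round(samples[i] + (samples[i + 1] - samples[i]) * frac)))


# The page's stick X axis: x1^cal:-32537:-455:32561, x1^dead:-900:700:1,
# x1^resp:-32768:-21845:-2000:0:2000:21485:32767
STICK_X_CAL = (-32537, -455, 32561)
STICK_X_DEAD = (-900, 700)
STICK_X_RESP = [-32768, -21845, -2000, 0, 2000, 21485, 32767]


def stick_x(raw: int) -> int:
    """Run one raw sample through the three filters in command-line order."""
    v = cal(raw, *STICK_X_CAL)
    v = dead(v, *STICK_X_DEAD)
    return resp(v, STICK_X_RESP)


# The page's --calibration Y1=-32767:128:29000 case: 29000 must reach full scale.
def y1_fixed(raw: int) -> int:
    return cal(raw, -32767, 128, 29000)


if __name__ == "__main__":
    for raw in (-32767, 128, 29000, 29426):
        print(f"Y1 raw {raw:>6} -> {y1_fixed(raw):>6}")
    for raw in (-32537, -455, 200, 16000, 32561):
        print(f"X1 raw {raw:>6} -> {stick_x(raw):>6}")
```

The {{ic|-10923}} input in the test below is exactly the third sample position of a seven-point {{ic|resp}} curve, which is where the flattened middle of the page's curve ({{ic|-2000}} instead of the linear {{ic|-10923}}) shows up.<br />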
<br />
=== Disable joystick from controlling mouse ===<br />
<br />
If you want to play games with your gamepad, you might want to stop the joystick from controlling the mouse cursor. To do this, edit {{ic|/etc/X11/xorg.conf.d/51-joystick.conf}} (create it if it does not exist) so that it looks like this:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/51-joystick.conf |<br />
Section "InputClass"<br />
Identifier "joystick catchall"<br />
MatchIsJoystick "on"<br />
MatchDevicePath "/dev/input/event*"<br />
Driver "joystick"<br />
'''Option "StartKeysEnabled" "False"'''<br />
'''Option "StartMouseEnabled" "False"'''<br />
EndSection}}<br />
<br />
=== Using gamepad to send keystrokes ===<br />
<br />
Several programs exist to map gamepad buttons to keyboard keys, including:<br />
<br />
* {{AUR|qjoypad}}<br />
* {{AUR|antimicrox}}<br />
* {{AUR|sc-controller}}<br />
* {{Pkg|steam}} - see [[Steam#Steam Input]]<br />
<br />
All work well without the need for additional X.org configuration.<br />
<br />
==== Xorg configuration example ====<br />
<br />
This is a good solution for systems where restarting Xorg is a rare event, because it is a static configuration loaded only on X startup. The example runs on a [[Kodi]] media PC controlled with a Logitech Cordless RumblePad 2. Because of a problem with the d-pad (a.k.a. "hat") being recognized as another axis, [[Joy2key]] was used as a workaround. Since {{Pkg|kodi}} version 11.0 and {{AUR|joy2key}} 1.6.3-1 this setup no longer worked, so the following was created to let Xorg handle joystick events.<br />
<br />
First, [[install]] the {{AUR|xf86-input-joystick}} package. Then, create an X configuration file: <br />
<br />
{{hc|/etc/X11/xorg.conf.d/51-joystick.conf|2=<br />
Section "InputClass"<br />
Identifier "Joystick hat mapping"<br />
Option "StartKeysEnabled" "True"<br />
#MatchIsJoystick "on"<br />
Option "MapAxis5" "keylow=113 keyhigh=114"<br />
Option "MapAxis6" "keylow=111 keyhigh=116"<br />
EndSection<br />
}}<br />
<br />
{{Note|The {{ic|MatchIsJoystick "on"}} line does not seem to be required for the setup to work, but you may want to uncomment it.}}<br />
<br />
=== Remapping of gamepad buttons and more ===<br />
<br />
With some programs you can configure your gamepad further, including the following potential features:<br />
<br />
* Remapping buttons and axes.<br />
** Assigning mapping profiles to different games.<br />
* Emulating a different type of gamepad. As noted in [[#Mimic Xbox 360 controller]], software can often behave better when seemingly given an Xbox 360 Controller, as this is a very common controller that many games have been tested with.<br />
* Additional functionality such as Macros, On-Screen-Displays etc.<br />
<br />
List of software:<br />
<br />
* {{App|SC Controller|Open-source software supporting button remapping and Xbox 360 Controller emulation.|https://github.com/Ryochan7/sc-controller|{{AUR|sc-controller}}}}<br />
* {{App|[[Steam]]|Proprietary storefront whose client supports rebinding gamepad inputs via [https://partner.steamgames.com/doc/features/steam_controller Steam Input]. When enabled, Steam exposes a Steam Controller to games that opt into the Steam Input API, as well as an emulated Xbox 360 Controller to games using traditional gamepad APIs. See [[Steam#Steam Input]] for further details.|https://store.steampowered.com/about/|{{Pkg|steam}}}}<br />
* {{App|[[xboxdrv]]|Xbox 360 controller driver which supports emulating the controller from a different input controller. Even if you don't have or need (in the sense of [[#Mimic Xbox 360 controller]]) a 360 controller, this is still flexible option for performing remapping.|https://xboxdrv.gitlab.io/|{{AUR|xboxdrv}}}}<br />
<br />
==== Remapping of gamepad on SDL2 applications ====<br />
<br />
Gamepads can be remapped for SDL2 applications using the {{ic|SDL_GAMECONTROLLERCONFIG}} environment variable. Each line contains the gamepad's GUID, a name, the button/axis mappings and a platform. The controller's GUID can be retrieved by installing {{AUR|sdl2-jstest-git}} and running {{ic|sdl2-jstest --list}}.<br />
<br />
For example, to map Microsoft Xbox 360 controllers with different GUIDs:<br />
<br />
{{hc|~/.bashrc|2=export SDL_GAMECONTROLLERCONFIG="<br />
030000005e0400008e02000001000000,Microsoft Xbox 360,a:b0,b:b1,back:b6,dpdown:h0.1,dpleft:h0.2,dpright:h0.8,dpup:h0.4,leftshoulder:b4,leftstick:b9,lefttrigger:a2,leftx:a0,lefty:a1,rightshoulder:b5,rightstick:b10,righttrigger:a5,rightx:a3,righty:a4,start:b7,x:b2,y:b3,platform:Linux,<br />
030000005e0400008e02000004010000,Microsoft Xbox 360,a:b0,b:b1,back:b6,dpdown:h0.4,dpleft:h0.8,dpright:h0.2,dpup:h0.1,guide:b8,leftshoulder:b4,leftstick:b9,lefttrigger:a2,leftx:a0,lefty:a1,rightshoulder:b5,rightstick:b10,righttrigger:a5,rightx:a3,righty:a4,start:b7,x:b2,y:b3,platform:Linux,<br />
"}}<br />
<br />
Some applications read mapping information from a {{ic|gamecontrollerdb.txt}} file instead. It can be edited graphically with {{AUR|controllermap}}. An up-to-date database is maintained at [https://github.com/gabomdq/SDL_GameControllerDB].<br />
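A mapping line is easy to get subtly wrong (a duplicated output, a malformed hat spec, a GUID copied from the wrong controller), and SDL silently ignores lines it cannot parse. The following is an added example (not SDL code) that checks a mapping line of the form shown above and decodes the GUID: on Linux, SDL2 builds the 16-byte GUID from the device's evdev {{ic|input_id}} as little-endian 16-bit fields {{ic|bustype, crc, vendor, 0, product, 0, version, 0}}, which is why both Xbox 360 lines above start with {{ic|0300...5e04...8e02}} (USB, vendor 045e, product 028e) and differ only in the version field. The layout is the classic one; newer SDL versions may use the trailing bytes for extra data, which this example does not interpret.<br />

```python
"""Validate SDL2 game-controller mapping lines and decode the Linux GUID.

Added example, not SDL's own code. Format: GUID,name,out:in,...,platform:Linux,
where `in` is bN (button), aN (axis, optionally +aN/-aN for one half and a
trailing ~ for inverted) or hN.M (hat N with bitmask M). GUID layout is the
classic SDL2 Linux one; the trailing bytes are treated as padding (assumption).
"""
import re
import struct

BUS_NAMES = {0x03: "USB", 0x05: "Bluetooth", 0x06: "Virtual"}   # BUS_* from linux/input.h
INPUT_SPEC_RE = re.compile(r"^([+-]?a\d+~?|b\d+|h\d+\.\d+)$")


def decode_guid(guid: str) -> dict:
    """Unpack the 32-hex-digit GUID into bus type, vendor, product and version."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", guid):
        raise ValueError(f"GUID must be 32 hex digits: {guid!r}")
    bus, crc, vendor, _, product, _, version, _ = struct.unpack("<8H", bytes.fromhex(guid))
    return {"bus": BUS_NAMES.get(bus, hex(bus)), "crc": crc,
            "vendor": vendor, "product": product, "version": version}


def parse_mapping(line: str) -> dict:
    """Parse one mapping line, rejecting malformed or duplicated bindings."""
    parts = [p for p in line.strip().split(",") if p != ""]   # tolerate the trailing comma
    if len(parts) < 3:
        raise ValueError("mapping needs a GUID, a name and at least one binding")
    guid, name, *bindings = parts
    fields, platform = {}, None
    for binding in bindings:
        key, sep, value = binding.partition(":")
        if not sep:
            raise ValueError(f"binding without ':' : {binding!r}")
        if key == "platform":
            platform = value
            continue
        if not INPUT_SPEC_RE.match(value):
            raise ValueError(f"bad input spec for {key}: {value!r}")
        if key in fields:
            raise ValueError(f"duplicate output {key}")
        fields[key] = value
    return {"guid": guid, "id": decode_guid(guid), "name": name,
            "fields": fields, "platform": platform}


def duplicate_inputs(mapping: dict) -> list:
    """Inputs bound to more than one output, usually a copy-paste mistake."""
    seen = {}
    for out, inp in mapping["fields"].items():
        seen.setdefault(inp, []).append(out)
    return sorted(inp for inp, outs in seen.items() if len(outs) > 1)


# Constructed sample: the first of the page's two Xbox 360 lines.
SAMPLE = ("030000005e0400008e02000001000000,Microsoft Xbox 360,a:b0,b:b1,back:b6,"
          "dpdown:h0.1,dpleft:h0.2,dpright:h0.8,dpup:h0.4,leftshoulder:b4,leftstick:b9,"
          "lefttrigger:a2,leftx:a0,lefty:a1,rightshoulder:b5,rightstick:b10,"
          "righttrigger:a5,rightx:a3,righty:a4,start:b7,x:b2,y:b3,platform:Linux,")


def check_lines(text: str) -> list:
    """Validate every non-empty line of an SDL_GAMECONTROLLERCONFIG value."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            m = parse_mapping(line)
            dup = duplicate_inputs(m)
            ident = m["id"]
            report.append(f"line {n}: {m['name']} {ident['bus']} "
                          f"{ident['vendor']:04x}:{ident['product']:04x}"
                          + (f" WARNING shared inputs {dup}" if dup else " ok"))
        except ValueError as exc:
            report.append(f"line {n}: ERROR {exc}")
    return report


if __name__ == "__main__":
    import os
    print("\n".join(check_lines(os.environ.get("SDL_GAMECONTROLLERCONFIG", SAMPLE))))
```

Run it with {{ic|SDL_GAMECONTROLLERCONFIG}} exported from the shell profile above to confirm that each line parses and that the vendor and product ids match the device shown by {{ic|sdl2-jstest --list}}.<br />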
<br />
== Specific devices ==<br />
<br />
While most gamepads, especially USB-based ones, should just work, some require alternative drivers (or give better results with them). If it does not work the first time, do not give up, and read the following sections thoroughly!<br />
<br />
=== Dance pads ===<br />
<br />
Most dance pads should work. However, some pads, especially console pads used via an adapter, tend to report the directional buttons as an axis, which prevents hitting left+right or up+down simultaneously. For devices handled by {{ic|xpad}} this can be fixed with a module option:<br />
<br />
# modprobe -r xpad<br />
# modprobe xpad dpad_to_buttons=1<br />
<br />
If that did not work, you can try {{AUR|axisfix-git}} or patching the {{ic|joydev}} kernel module (https://github.com/adiel-mittmann/dancepad).<br />
<br />
=== Logitech Thunderpad Digital ===<br />
<br />
Logitech Thunderpad Digital will not show all the buttons if you use the {{ic|analog}} module. Use the device specific {{ic|adi}} module for this controller.<br />
<br />
=== Nintendo Gamecube Controller ===<br />
<br />
Dolphin Emulator has a [https://wiki.dolphin-emu.org/index.php?title=How_to_use_the_Official_GameCube_Controller_Adapter_for_Wii_U_in_Dolphin page on their wiki] that explains how to use the official Nintendo USB adapter with a Gamecube controller. This configuration also works with the Mayflash Controller Adapter if the switch is set to "Wii U".<br />
<br />
=== Nintendo Switch Pro Controller and Joy-Cons ===<br />
<br />
==== Using the kernel Nintendo HID driver ====<br />
<br />
The hid-nintendo kernel HID driver was mainlined in kernel 5.16. If you are using an earlier kernel, you will need to install the [[DKMS]] module named {{AUR|hid-nintendo-dkms}}. The driver provides support for rumble, battery level, and control of the player and home LEDs. It supports the Nintendo Switch Pro Controller over both USB and Bluetooth in addition to the Joy-Cons.<br />
<br />
An alternate DKMS module named {{AUR|hid-nintendo-nso-dkms}} patches in support for the Switch Online NES and SNES controllers.<br />
<br />
===== Using joycond userspace daemon =====<br />
<br />
The hid-nintendo kernel driver does not combine two Joy-Cons into one virtual input device; that functionality has been left to userspace. {{AUR|joycond-git}} is a userspace daemon that combines two kernel Joy-Con evdev devices into one virtual input device using uinput, so an application can use two Joy-Cons as if they were a single controller. When the daemon is active, Switch controllers are placed in a pseudo pairing mode and their LEDs start flashing. Holding the triggers pairs controllers and makes them usable; to pair two Joy-Cons together, press one trigger on each Joy-Con.<br />
<br />
===== Mimic Xbox 360 controller =====<br />
<br />
Some games and emulators are hardcoded to work with an Xbox 360 controller, and will not work with other controllers. To get around this, you need to create a virtual Xbox 360 controller that emulates the expected interface, but is bound to your controller's inputs. This can be done with [[Steam#Steam Input|Steam Input]] or [[#Mimic Xbox 360 controller with other controllers|xboxdrv]].<br />
<br />
==== Use positional layout on SDL2 applications ====<br />
<br />
By default, SDL2 maps buttons on Nintendo controllers according to the gamepad's label instead of the button's position. This is enabled by the [https://github.com/libsdl-org/SDL/blob/b886f4c6c97f3d37d65f65afdb6bd68148fd4de6/include/SDL_hints.h#L508 SDL_HINT_GAMECONTROLLER_USE_BUTTON_LABELS] setting, which defaults to {{ic|1}} for controllers known to use the Nintendo button layout,[https://github.com/libsdl-org/SDL/blob/7c05ea0a0ef075527fd745215d5d8a77f667bc21/src/joystick/SDL_gamecontrollerdb.h] and {{ic|0}} for other controllers.[https://github.com/libsdl-org/SDL/blob/ec58a817ef66efc23d7d6e964844317673b23ead/src/joystick/SDL_gamecontroller.c#L1575-L1582] This behavior can be overridden for all controllers by setting the {{ic|SDL_HINT_GAMECONTROLLER_USE_BUTTON_LABELS}} [[environment variable]]. For example, if Nintendo's conception of A/B and X/Y is undesirable, set {{ic|1=SDL_HINT_GAMECONTROLLER_USE_BUTTON_LABELS=0}}.<br />
<br />
=== iPEGA-9017s and other Bluetooth gamepads ===<br />
<br />
If you want to use one of the widely available Bluetooth gamepads designed mostly for Android and iOS devices, such as the iPEGA-9017s, you need {{AUR|xboxdrv}}, {{Pkg|bluez}}, {{Pkg|bluez-plugins}} and {{Pkg|bluez-utils}}. Connect it in gamepad mode (if there are different modes, choose the gamepad one). Technically it is then ready to be used, but in most cases games will not recognize it and you would have to map it individually for every application. The best way to simplify this and make it work with all applications is to mimic a Microsoft X360 controller with {{AUR|xboxdrv}}.<br />
Once connected, you can create a udev rule to give it a persistent name, which comes in handy when setting it up.<br />
<br />
{{hc|/etc/udev/rules.d/99-btjoy.rules|2=<br />
#Create a symlink to appropriate /dev/input/eventX at /dev/btjoy<br />
ACTION=="add", SUBSYSTEM=="input", ATTRS{name}=="Bluetooth Gamepad", ATTRS{uniq}=="00:17:02:01:ae:2a", SYMLINK+="btjoy"<br />
}}<br />
<br />
Replace "Bluetooth Gamepad" with your device name and "00:17:02:01:ae:2a" with your device's address.<br />
<br />
Next, create a configuration for {{AUR|xboxdrv}} somewhere, for example:<br />
<br />
{{hc|~/.config/xboxdrv/ipega.conf|2=<br />
#iPEGA PG-9017S Config <br />
<br />
[xboxdrv]<br />
evdev-debug = true<br />
evdev-grab = true<br />
rumble = false<br />
mimic-xpad = true<br />
<br />
[evdev-absmap]<br />
ABS_HAT0X = dpad_x<br />
ABS_HAT0Y = dpad_y<br />
<br />
ABS_X = X1<br />
ABS_Y = Y1<br />
<br />
ABS_Z = X2<br />
ABS_RZ = Y2<br />
<br />
[axismap]<br />
-Y1 = Y1<br />
-Y2 = Y2<br />
<br />
[evdev-keymap]<br />
BTN_EAST=a<br />
BTN_C=b<br />
BTN_NORTH=y<br />
BTN_SOUTH=x<br />
BTN_TR2=start<br />
BTN_TL2=back<br />
BTN_Z=rt<br />
BTN_WEST=lt<br />
<br />
BTN_MODE = guide<br />
}}<br />
<br />
Refer to {{man|1|xboxdrv|url=https://xboxdrv.gitlab.io/xboxdrv.html}} to see all the options.<br />
<br />
Now that you have the configuration and your device is connected, you can start {{AUR|xboxdrv}} like so (the configuration path is relative to the current directory, so run this from your home directory or give the full path):<br />
<br />
# xboxdrv --evdev /dev/btjoy --config .config/xboxdrv/ipega.conf<br />
<br />
Your games will now work with the Bluetooth gamepad as long as ''xboxdrv'' is running.<br />
<br />
==== iPEGA-9068 and 9087 ====<br />
<br />
For these models, use the same procedure as above, but with this config:<br />
<br />
{{hc|~/.config/xboxdrv/ipega.conf|2=<br />
#iPEGA PG-9068 and PG-9087 Config <br />
<br />
[xboxdrv]<br />
evdev-debug = true<br />
evdev-grab = true<br />
rumble = false<br />
mimic-xpad = true<br />
<br />
[evdev-absmap]<br />
ABS_HAT0X = dpad_x<br />
ABS_HAT0Y = dpad_y<br />
<br />
ABS_X = X1<br />
ABS_Y = Y1<br />
<br />
ABS_Z = X2<br />
ABS_RZ = Y2<br />
<br />
[axismap]<br />
-Y1 = Y1<br />
-Y2 = Y2<br />
<br />
[evdev-keymap]<br />
BTN_A=a<br />
BTN_B=b<br />
BTN_Y=y<br />
BTN_X=x<br />
BTN_TR=rb<br />
BTN_TL=lb<br />
BTN_TR2=rt<br />
BTN_TL2=lt<br />
BTN_THUMBL=tl<br />
BTN_THUMBR=tr<br />
BTN_START=start<br />
BTN_SELECT=back<br />
<br />
BTN_MODE = guide<br />
}}<br />
<br />
==== Defender X7 ====<br />
<br />
For this model, use the same procedure as above, but with this config:<br />
<br />
{{hc|~/.config/xboxdrv/defender.conf|2=<br />
#Defender x7 xboxdrv config<br />
<br />
[xboxdrv]<br />
evdev-debug = true<br />
evdev-grab = true<br />
rumble = false<br />
mimic-xpad = true<br />
<br />
[evdev-absmap]<br />
ABS_HAT0X = dpad_x<br />
ABS_HAT0Y = dpad_y<br />
<br />
ABS_X = X1<br />
ABS_Y = Y1<br />
<br />
ABS_Z = X2<br />
ABS_RZ = Y2<br />
<br />
[axismap]<br />
-Y1 = Y1<br />
-Y2 = Y2<br />
<br />
[evdev-keymap]<br />
BTN_EAST=b<br />
BTN_NORTH=x<br />
BTN_SOUTH=a<br />
BTN_WEST=y<br />
BTN_TR2=rt<br />
BTN_TL2=lt<br />
BTN_TR=rb<br />
BTN_TL=lb<br />
BTN_THUMBL=tl<br />
BTN_THUMBR=tr<br />
BTN_START=start<br />
BTN_SELECT=back<br />
<br />
BTN_MODE = guide<br />
}}<br />
<br />
Now that you have the configuration and your device is connected, you can start {{AUR|xboxdrv}} like so (again, run it from your home directory or give the full path to the configuration file):<br />
<br />
# xboxdrv --evdev /dev/btjoy --config .config/xboxdrv/defender.conf<br />
<br />
=== Stadia Controller ===<br />
<br />
The Stadia controller can also be mapped with xboxdrv:<br />
<br />
{{hc<br />
|~/.config/xboxdrv/stadia.conf|2=<br />
# Stadia xboxdrv config<br />
<br />
[xboxdrv]<br />
mimic-xpad=true<br />
silent=true<br />
<br />
[evdev-absmap]<br />
ABS_X=x1<br />
ABS_Y=y1<br />
ABS_Z=x2<br />
ABS_RZ=y2<br />
ABS_GAS=rt<br />
ABS_BRAKE=lt<br />
ABS_HAT0X=dpad_x<br />
ABS_HAT0Y=dpad_y<br />
<br />
[axismap]<br />
-y1=y1<br />
-y2=y2<br />
<br />
[evdev-keymap]<br />
BTN_SOUTH=A<br />
BTN_EAST=B<br />
BTN_NORTH=X<br />
BTN_WEST=Y<br />
<br />
BTN_START=start<br />
BTN_SELECT=back<br />
BTN_MODE=guide<br />
<br />
BTN_THUMBL=tl<br />
BTN_THUMBR=tr<br />
BTN_TR=rb<br />
BTN_TL=lb<br />
}}<br />
<br />
=== Steam Controller ===<br />
<br />
{{Note|Kernel 4.18 [https://lore.kernel.org/lkml/20180416122703.22306-1-rodrigorivascosta@gmail.com/ provides a kernel driver] for wired/wireless use of the steam controller as a controller input device without [[Steam]].}}<br />
<br />
The [[Steam]] client recognizes the controller and provides keyboard/mouse/gamepad emulation while Steam is running. The in-game Steam overlay needs to be enabled and working for gamepad emulation to work. If the controller does not work immediately after installing and running Steam, you may need to run {{ic|udevadm trigger}} with root privileges or unplug and replug the dongle. If all else fails, try restarting the computer with the dongle plugged in.<br />
<br />
If you are using the controller connected via Bluetooth LE, make sure the user is part of the {{ic|input}} group.<br />
<br />
If you cannot get the Steam Controller to work, see [[#Steam Controller not pairing]].<br />
<br />
Alternatively you can install {{AUR|python-steamcontroller-git}} to have controller and mouse emulation without Steam, or {{AUR|sc-controller}} for a versatile graphical configuration tool similar to what is provided by the Steam client.<br />
<br />
{{Note|If you do not use the [[Steam runtime]], you might actually need to disable the overlay for the controller to work in certain games (Rocket Wars, Rocket League, Binding of Isaac, etc.). Right click on a game in your library, select "Properties", and uncheck "Enable Steam Overlay".}}<br />
<br />
==== Wine ====<br />
<br />
{{AUR|python-steamcontroller-git}} can also be used to make the Steam Controller work for games running under Wine. You need to find and download the application {{ic|xbox360cemu.v.3.0}} (e.g. from [https://github.com/jacobmischka/ds4-in-wine/tree/master/xbox360cemu.v.3.0 here]). Then copy the files {{ic|dinput8.dll}}, {{ic|xbox360cemu.ini}}, {{ic|xinput1_3.dll}} and {{ic|xinput_9_1_0.dll}} to the directory that contains your game executable. Edit {{ic|xbox360cemu.ini}} and only change the following values under {{ic|[PAD1]}} to remap the Steam Controller correctly to an Xbox controller.<br />
<br />
{{hc|xbox360cemu.ini|2= Right Analog X=4<br />
Right Analog Y=-5<br />
A=1<br />
B=2<br />
X=3<br />
Y=4<br />
Back=7<br />
Start=8<br />
Left Thumb=10<br />
Right Thumb=11<br />
Left Trigger=a3<br />
Right Trigger=a6}}<br />
<br />
Now start python-steamcontroller in Xbox360 mode ({{ic|sc-xbox.py start}}). You might also want to copy {{ic|XInputTest.exe}} from {{ic|xbox360cemu.v.3.0}} to the same directory and run it with Wine in order to test if the mappings work correctly. However neither mouse nor keyboard emulation work with this method.<br />
<br />
Alternatively you can use {{AUR|sc-controller}} for a similar graphical setup as Steam's own configurator. As of writing, it is a bit buggy here and there but offers an easy click and go way of configuring the controller.<br />
<br />
=== Xbox 360 controller ===<br />
<br />
Both the wired and wireless (with the ''Xbox 360 Wireless Receiver for Windows'') controllers are supported by the {{ic|xpad}} kernel module and should work without additional packages. Note that using a wireless Xbox360 controller with the Play&Charge USB cable will not work. The cable is for recharging only and does not transmit any input data over the wire.<br />
<br />
It has been reported that the default xpad driver has some issues with a few newer wired and wireless controllers, such as:<br />
* incorrect button mapping. ([https://github.com/ValveSoftware/steam-for-linux/issues/95#issuecomment-14009081 discussion in Steam bugtracker])<br />
* not-working sync. ([https://bbs.archlinux.org/viewtopic.php?id=156028 discussion in Arch Forum])<br />
* all four LEDs keep blinking, but controller works. TLP's USB autosuspend is one sure cause of this issue with wireless controllers. See below for fix.<br />
<br />
If you use the [[TLP]] power management tool, you may experience connection issues with your Microsoft wireless adapter (e.g. the indicator LED goes out a few seconds after the adapter has been connected and controller connection attempts fail, or all four LEDs keep blinking but the controller works). This is due to TLP's USB autosuspend functionality; the solution is to add the Microsoft wireless adapter's device ID to the TLP deny list (to find the device ID, run {{ic|tlp-stat -u}}; for the original MS wireless dongle just add {{ic|1=USB_DENYLIST="045e:0719"}} to {{ic|/etc/tlp.conf}}). See [https://linrunner.de/en/tlp/docs/tlp-configuration.html#usb TLP configuration] for more details.<br />
<br />
If you experience such issues, you can use [[#xboxdrv]] instead of the default {{ic|xpad}} driver.<br />
<br />
If you wish to use the controller for controlling the mouse, or mapping buttons to keys, etc. you should use the {{AUR|xf86-input-joystick}} package (configuration help can be found using {{man|4|joystick|url=https://manpages.debian.org/latest/xserver-xorg-input-joystick/joystick.4.en.html}}). If the mouse locks itself in a corner, it might help changing the {{ic|MatchDevicePath}} in {{ic|/etc/X11/xorg.conf.d/50-joystick.conf}} from {{ic|/dev/input/event*}} to {{ic|/dev/input/js*}}.<br />
<br />
In order to connect via Bluetooth using KDE, add the following [[kernel parameter]] {{ic|1=bluetooth.disable_ertm=1}}.<br />
<br />
If you experience problems with the rumble feature not working in games, it may be necessary to set the environment variable {{ic|1=SDL_JOYSTICK_HIDAPI=0}}<br />
<br />
==== xboxdrv ====<br />
<br />
[https://gitlab.com/xboxdrv/xboxdrv xboxdrv] is an alternative to {{ic|xpad}} which provides more functionality and might work better with certain controllers. It works in userspace and can be launched as a system service.<br />
<br />
Install it with the {{AUR|xboxdrv}} package. Then [[start]]/[[enable]] {{ic|xboxdrv.service}}.<br />
<br />
If you have issues with the controller being recognized but not working in Steam games, or working but with incorrect mappings, it may be required to modify your configuration as follows:<br />
{{hc<br />
|/etc/default/xboxdrv|2=<br />
[xboxdrv]<br />
silent = true<br />
device-name = "Xbox 360 Wireless Receiver"<br />
mimic-xpad = true<br />
deadzone = 4000<br />
<br />
[xboxdrv-daemon]<br />
dbus = disabled<br />
}}<br />
<br />
Then [[restart]] {{ic|xboxdrv.service}}.<br />
<br />
===== Multiple controllers =====<br />
<br />
xboxdrv supports a multitude of controllers, but they need to be set up in {{ic|/etc/default/xboxdrv}}. For each extra controller, add a {{ic|1=next-controller = true}} line. For example, when using 4 controllers, add it 3 times:<br />
<br />
{{bc|1=<br />
[xboxdrv]<br />
silent = true<br />
next-controller = true<br />
next-controller = true<br />
next-controller = true<br />
[xboxdrv-daemon]<br />
dbus = disabled<br />
}}<br />
<br />
Then [[restart]] {{ic|xboxdrv.service}}.<br />
<br />
===== Mimic Xbox 360 controller with other controllers =====<br />
<br />
xboxdrv can be used to make any controller register as an Xbox 360 controller with the {{ic|--mimic-xpad}} switch. This may be desirable for games that support Xbox 360 controllers out of the box, but have trouble detecting or working with other gamepads.<br />
<br />
First, you need to find out what each button and axis on the controller is called. You can use {{Pkg|evtest}} for this. Run {{ic|evtest}} and select the device event ID number ({{ic|/dev/input/event*}}) that corresponds to your controller. Press the buttons on the controller and move the axes to read the names of each button and axis.<br />
<br />
Here is an example of the output:<br />
{{bc|<nowiki><br />
Event: time 1380985017.964843, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90003<br />
Event: time 1380985017.964843, type 1 (EV_KEY), code 290 (BTN_THUMB2), value 1<br />
Event: time 1380985017.964843, -------------- SYN_REPORT ------------<br />
Event: time 1380985018.076843, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90003<br />
Event: time 1380985018.076843, type 1 (EV_KEY), code 290 (BTN_THUMB2), value 0<br />
Event: time 1380985018.076843, -------------- SYN_REPORT ------------<br />
Event: time 1380985018.460841, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90002<br />
Event: time 1380985018.460841, type 1 (EV_KEY), code 289 (BTN_THUMB), value 1<br />
Event: time 1380985018.460841, -------------- SYN_REPORT ------------<br />
Event: time 1380985018.572835, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90002<br />
Event: time 1380985018.572835, type 1 (EV_KEY), code 289 (BTN_THUMB), value 0<br />
Event: time 1380985018.572835, -------------- SYN_REPORT ------------<br />
Event: time 1380985019.980824, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90006<br />
Event: time 1380985019.980824, type 1 (EV_KEY), code 293 (BTN_PINKIE), value 1<br />
Event: time 1380985019.980824, -------------- SYN_REPORT ------------<br />
Event: time 1380985020.092835, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90006<br />
Event: time 1380985020.092835, type 1 (EV_KEY), code 293 (BTN_PINKIE), value 0<br />
Event: time 1380985020.092835, -------------- SYN_REPORT ------------<br />
Event: time 1380985023.596806, type 3 (EV_ABS), code 3 (ABS_RX), value 18<br />
Event: time 1380985023.596806, -------------- SYN_REPORT ------------<br />
Event: time 1380985023.612811, type 3 (EV_ABS), code 3 (ABS_RX), value 0<br />
Event: time 1380985023.612811, -------------- SYN_REPORT ------------<br />
Event: time 1380985023.708768, type 3 (EV_ABS), code 3 (ABS_RX), value 14<br />
Event: time 1380985023.708768, -------------- SYN_REPORT ------------<br />
Event: time 1380985023.724772, type 3 (EV_ABS), code 3 (ABS_RX), value 128<br />
Event: time 1380985023.724772, -------------- SYN_REPORT ------------<br />
</nowiki>}}<br />
<br />
In this case, {{ic|BTN_THUMB}}, {{ic|BTN_THUMB2}} and {{ic|BTN_PINKIE}} are buttons and {{ic|ABS_RX}} is the X axis of the right analogue stick.<br />
You can now mimic an Xbox 360 controller with the following command:<br />
<br />
$ xboxdrv --evdev /dev/input/event* --evdev-absmap ABS_RX=X2 --evdev-keymap BTN_THUMB2=a,BTN_THUMB=b,BTN_PINKIE=rt --mimic-xpad<br />
<br />
The above example is incomplete. It only maps one axis and 3 buttons for demonstration purposes. Use {{ic|xboxdrv --help-button}} to see the names of the Xbox controller buttons and axes and bind them accordingly by expanding the command above. Axes mappings should go after {{ic|--evdev-absmap}} and button mappings follow {{ic|--evdev-keymap}} (comma separated list; no spaces).<br />
<br />
By default, xboxdrv outputs all events to the terminal. You can use this to test that the mappings are correct. Append the {{ic|--silent}} option to keep it quiet.<br />
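As an added example (not part of this page or of xboxdrv itself), the following Python script automates the step described above: it parses evtest output, collects the {{ic|EV_KEY}} and {{ic|EV_ABS}} names it saw, and assembles the {{ic|--evdev-absmap}}/{{ic|--evdev-keymap}} arguments from a mapping you supply. It goes beyond the single-axis example above by producing the complete command and by reporting every name seen on the controller that the mapping leaves out, so an incomplete mapping is visible instead of silently dropped. The sample evtest lines are constructed to resemble the output above, the device path {{ic|/dev/input/event0}} is a placeholder, and the xboxdrv target names ({{ic|a}}, {{ic|b}}, {{ic|rt}}, {{ic|x2}}) are the ones used in the command above.<br />

```python
"""Turn evtest output into xboxdrv --evdev-keymap/--evdev-absmap arguments."""
import re
import shlex

# Matches the "type N (EV_xxx), code N (NAME), value N" part of an evtest line.
EVENT_RE = re.compile(
    r"type (?P<type>\d+) \((?P<tname>EV_\w+)\), "
    r"code (?P<code>\d+) \((?P<cname>\w+)\), value (?P<value>-?\d+)"
)

# Constructed sample modelled on the evtest output above (not captured from a real device).
SAMPLE_EVTEST = """\
Event: time 1380985017.964843, type 4 (EV_MSC), code 4 (MSC_SCAN), value 90003
Event: time 1380985017.964843, type 1 (EV_KEY), code 290 (BTN_THUMB2), value 1
Event: time 1380985017.964843, -------------- SYN_REPORT ------------
Event: time 1380985018.076843, type 1 (EV_KEY), code 290 (BTN_THUMB2), value 0
Event: time 1380985018.460841, type 1 (EV_KEY), code 289 (BTN_THUMB), value 1
Event: time 1380985019.980824, type 1 (EV_KEY), code 293 (BTN_PINKIE), value 1
Event: time 1380985023.596806, type 3 (EV_ABS), code 3 (ABS_RX), value 18
Event: time 1380985023.724772, type 3 (EV_ABS), code 3 (ABS_RX), value 128
"""


def parse_evtest(text):
    """Collect the evdev names evtest reported.

    Returns (buttons, axes): dicts of evdev name -> numeric code, in the order
    first seen. EV_MSC scan codes and SYN_REPORT lines carry no mapping
    information and are skipped.
    """
    buttons, axes = {}, {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m is None:
            continue
        kind = m.group("tname")
        if kind == "EV_KEY":
            buttons.setdefault(m.group("cname"), int(m.group("code")))
        elif kind == "EV_ABS":
            axes.setdefault(m.group("cname"), int(m.group("code")))
    return buttons, axes


def build_xboxdrv_args(buttons, axes, keymap, absmap):
    """Build the mapping arguments for xboxdrv.

    keymap/absmap map evdev names (as seen in evtest) to xboxdrv button/axis
    names from `xboxdrv --help-button`. Only names actually observed are
    emitted; observed names without a mapping are returned separately.
    """
    args, unmapped = [], []
    abs_pairs = []
    for name in axes:
        if name in absmap:
            abs_pairs.append(f"{name}={absmap[name]}")
        else:
            unmapped.append(name)
    key_pairs = []
    for name in buttons:
        if name in keymap:
            key_pairs.append(f"{name}={keymap[name]}")
        else:
            unmapped.append(name)
    if abs_pairs:
        args += ["--evdev-absmap", ",".join(abs_pairs)]  # comma separated, no spaces
    if key_pairs:
        args += ["--evdev-keymap", ",".join(key_pairs)]
    return args, unmapped


def xboxdrv_command(device, buttons, axes, keymap, absmap):
    """Return (shell command line, unmapped names) for a --mimic-xpad invocation."""
    args, unmapped = build_xboxdrv_args(buttons, axes, keymap, absmap)
    cmd = ["xboxdrv", "--evdev", device] + args + ["--mimic-xpad"]
    return shlex.join(cmd), unmapped


if __name__ == "__main__":
    buttons, axes = parse_evtest(SAMPLE_EVTEST)
    # /dev/input/event0 is a placeholder; pick the event node evtest showed you
    cmd, unmapped = xboxdrv_command(
        "/dev/input/event0", buttons, axes,
        keymap={"BTN_THUMB2": "a", "BTN_THUMB": "b"},
        absmap={"ABS_RX": "x2"},
    )
    print(cmd)
    print("still unmapped:", unmapped)
```

Run it against a real capture by piping {{ic|evtest}} output into a file and passing the file's contents to {{ic|parse_evtest}}; the {{ic|unmapped}} list tells you which evdev names still need an entry before the mapping is complete.<br />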
<br />
==== Using generic/clone controllers ====<br />
<br />
Some clone gamepads might require a specific initialization sequence in order to work ([https://superuser.com/a/1380235 Super User answer]). For that, install {{Pkg|python-pyusb}} and run the following Python script as the root user:<br />
<br />
{{bc|1=<br />
#!/usr/bin/env python3<br />
# Requires pyusb (Arch package python-pyusb), which provides the usb.core module<br />
<br />
import usb.core<br />
<br />
# Look the controller up by the USB vendor/product ID it presents<br />
# (045e:028e is the ID of the Xbox 360 controller)<br />
dev = usb.core.find(idVendor=0x045e, idProduct=0x028e)<br />
<br />
if dev is None:<br />
    raise ValueError('Device not found')<br />
else:<br />
    # Vendor-specific control read (bmRequestType 0xc1: device-to-host, vendor, interface;<br />
    # bRequest 0x01, wValue 0x0100, wIndex 0x00, 0x14 bytes) that initializes the pad<br />
    dev.ctrl_transfer(0xc1, 0x01, 0x0100, 0x00, 0x14)<br />
}}<br />
<br />
=== Xbox Wireless Controller / Xbox One Wireless Controller ===<br />
<br />
==== Connect Xbox Wireless Controller with USB cable ====<br />
<br />
This is supported by the kernel and works without any additional packages.<br />
<br />
==== Connect Xbox Wireless Controller with Bluetooth ====<br />
<br />
===== Update controller firmware via Windows 10 =====<br />
<br />
The firmware of the Xbox Wireless Controller used to cause loops of connecting/disconnecting with Bluez. The best workaround is to plug the controller (via a USB cord) to a Windows 10 computer, download the [https://apps.microsoft.com/store/detail/xbox-accessories/9NBLGGH30XJ3?hl=en-us&gl=us Xbox Accessories] application through the Microsoft Store, and update the firmware of the controller.<br />
<br />
===== xpadneo =====<br />
<br />
A relatively new driver that supports the Xbox One S and Xbox Series X|S controllers via Bluetooth is [https://github.com/atar-axis/xpadneo/ xpadneo]. In addition to these two models, it also has basic support for the Xbox Elite Series 2 Wireless controller. In exchange for fully supporting just two controllers so far, it reads out the correct battery level, supports rumble (even the motors in the trigger buttons, L2/R2), corrects the (sometimes wrong) button mapping and more.<br />
<br />
Installation is done using DKMS: {{AUR|xpadneo-dkms-git}}.<br />
<br />
{{Note|Pairing a new Xbox One S controller for the first time may prove difficult, from not pairing at all to entering a connect/disconnect loop. These problems are described [https://github.com/atar-axis/xpadneo/issues/295 there]. The best way to reliably pair the controller is to first pair it in Windows 10. However, this needs be done using the same Bluetooth adapter. A solution is to install a free copy of Windows 10 Evaluation on a Virtual machine (using [[QEMU]] or [[VirtualBox]], taking care of the Bluetooth adapter passthrough requirements, ''e.g.'' as an USB device) using Arch Linux as your host, and pair in Windows 10 first, then do the same again under your Arch Linux system. Then pairing will succeed and there will be no need of further Windows 10 use.}}<br />
<br />
==== Connect Xbox Wireless Controller with Microsoft Xbox Wireless Adapter ====<br />
<br />
===== xone =====<br />
<br />
[https://github.com/medusalix/xone xone] is a Linux kernel driver for Xbox One and Xbox Series X|S accessories. It serves as a modern replacement for xpad and supersedes xow. It currently works over USB or with the wireless dongle, and is still in active development.<br />
<br />
Install {{AUR|xone-dkms-git}} and, if using the wireless dongle, {{AUR|xone-dongle-firmware}}. To retain the functionality of Xbox and Xbox 360 controllers install {{AUR|xpad-noone-dkms}}{{Broken package link|package not found}}. Reboot your system.<br />
<br />
{{Note|The headers corresponding to your kernel are required; see [[DKMS#Installation]].}}<br />
<br />
If the controller performs poorly (low polling rate) after being paired, you will need to [https://support.xbox.com/en-US/help/hardware-network/controller/update-xbox-wireless-controller update the controller's firmware] in Windows using the "Xbox Accessories" app from the Microsoft Store. Theoretically this should be possible with USB passthrough to a Windows virtual machine, but you may need to dual boot to an actual (baremetal) Windows installation for the Xbox Accessories application to see the controller and do the firmware update.<br />
<br />
Also, if you dual boot Windows, pairing the controller & adapter in Windows may cause the pairing to be lost in Linux. You will need to re-pair the controller & dongle when you reboot into Linux. This also happens in the other direction — when the controller & dongle are paired in Linux, they will need to be re-paired the next time you want to use them in Windows.<br />
<br />
===== xow =====<br />
<br />
[https://github.com/medusalix/xow xow] is a project that allows connection with a wireless dongle. It is currently in very early stages of development. It can be installed via {{AUR|xow-git}}{{Broken package link|package not found}}<br />
<br />
[[#xone|xone]] (made by the same developer) supersedes xow; using xone instead of xow is "highly recommended."<br />
<br />
=== Logitech Dual Action ===<br />
<br />
The Logitech Dual Action gamepad has a very similar mapping to the PS2 pad, but some buttons and triggers need to be swapped to mimic the Xbox controller.<br />
<br />
# xboxdrv --evdev /dev/input/event* \<br />
--evdev-absmap ABS_X=x1,ABS_Y=y1,ABS_RZ=x2,ABS_Z=y2,ABS_HAT0X=dpad_x,ABS_HAT0Y=dpad_y \<br />
--axismap -Y1=Y1,-Y2=Y2 \<br />
--evdev-keymap BTN_TRIGGER=x,BTN_TOP=y,BTN_THUMB=a,BTN_THUMB2=b,BTN_BASE3=back,BTN_BASE4=start,BTN_BASE=lt,BTN_BASE2=rt,BTN_TOP2=lb,BTN_PINKIE=rb,BTN_BASE5=tl,BTN_BASE6=tr \<br />
--mimic-xpad --silent<br />
<br />
=== PlayStation 2 controller via USB adapter ===<br />
<br />
To fix the button mapping of PS2 dual adapters and mimic the Xbox controller you can run the following command:<br />
<br />
# xboxdrv --evdev /dev/input/event* \<br />
--evdev-absmap ABS_X=x1,ABS_Y=y1,ABS_RZ=x2,ABS_Z=y2,ABS_HAT0X=dpad_x,ABS_HAT0Y=dpad_y \<br />
--axismap -Y1=Y1,-Y2=Y2 \<br />
--evdev-keymap BTN_TOP=x,BTN_TRIGGER=y,BTN_THUMB2=a,BTN_THUMB=b,BTN_BASE3=back,BTN_BASE4=start,BTN_BASE=lb,BTN_BASE2=rb,BTN_TOP2=lt,BTN_PINKIE=rt,BTN_BASE5=tl,BTN_BASE6=tr \<br />
--mimic-xpad --silent<br />
<br />
=== PlayStation 3 controller ===<br />
<br />
==== Pairing via USB ====<br />
<br />
If you own a PS3 controller and can connect with USB, plug it to your computer and press the PS button. The controller will power up and one of the four LEDs should light up indicating the controller's number.<br />
<br />
==== Pairing via Bluetooth ====<br />
<br />
Install {{Pkg|bluez}}, {{Pkg|bluez-utils}} and {{Pkg|bluez-plugins}}. Make sure Bluetooth is working by following the first five steps of [[Bluetooth#Pairing]] and leave the bluetoothctl command running, then turn on the controller by pressing the middle 'PS' button (all 4 LEDs should be blinking quickly, ~4 Hz) and connect it to your computer using USB. Lastly, type yes in the bluetoothctl prompt when asked '{{ic|Authorize service 00001124-0000-1000-8000-00805f9b34fb (yes/no)}}'.<br />
<br />
Alternative instructions:<br />
To connect your PS3 controller to your computer using Bluetooth, you first need to install {{Pkg|bluez}} and {{Pkg|bluez-plugins}} then connect your controller via USB. A pop-up should appear asking for pairing. Click on Trust & Authorize. You can now unplug your controller and press the PS button. The controller will connect and a LED will remain solid. You can now use it to play games. Connecting using the USB cable is only needed after the controller has been connected to another system.<br />
<br />
{{Tip|There are many complicated instructions on the internet on setting up a PS3 controller that require many steps such as compiling and installing qtsixa or sixpair and setting up the controller manually, or patching bluez with some specific patches. None of this is necessary on a modern Linux kernel and after installing bluez-plugins.}}<br />
<br />
=== PlayStation 3/4 controller ===<br />
<br />
The DualShock 3, DualShock 4 and Sixaxis controllers work out of the box when plugged in via USB (the PS button will need to be pushed to begin). They can also be used wirelessly via Bluetooth.<br />
<br />
Steam properly recognizes it as a PS3 pad and Big Picture can be launched with the PS button. Big Picture and some games may act as if it was a 360 controller. Gamepad control over mouse is on by default. You may want to turn it off before playing games, see [[#Joystick moving mouse]].<br />
<br />
==== Pairing via Bluetooth ====<br />
<br />
Install the {{Pkg|bluez}}, {{Pkg|bluez-plugins}}, and {{Pkg|bluez-utils}} packages, which include the ''sixaxis'' plugin. Then [[start]] the [[bluetooth]] service and ensure Bluetooth is powered on. If using ''bluetoothctl'', start it in a terminal and then plug the controller in via USB. You should be prompted to trust the controller in bluetoothctl. A graphical Bluetooth front-end may program your PC's Bluetooth address into the controller automatically. Hit the PlayStation button and check that the controller works while plugged in.<br />
<br />
You can now disconnect your controller. The next time you hit the PlayStation button it will connect without asking anything else.<br />
<br />
Alternatively, on a PS4 controller you can hold the share button and the PlayStation button simultaneously (for a few seconds) to put the gamepad in pairing mode, and pair as you would normally.<br />
<br />
GNOME's Settings also provides a graphical interface to pair sixaxis controllers when connected by wire.<br />
<br />
Remember to disconnect the controller when you are done as the controller will stay on when connected and drain the battery.<br />
<br />
{{Note|If the controller does not connect, make sure the bluetooth interface is turned on and the controllers have been trusted. (See [[Bluetooth]])}}<br />
<br />
==== Using generic/clone controllers ====<br />
<br />
Using generic/clone DualShock controllers is possible, however there is an issue that may require installing a patched package: the default Bluetooth protocol stack does not detect some of the clone controllers. The {{AUR|bluez-ps3}} package is a version patched to be able to detect them.<br />
{{AUR|bluez-plugins-ps3}} is another package that only patches bluez-plugins and may work for some controllers.<br />
<br />
=== PlayStation 4 controller ===<br />
<br />
==== Pairing via USB ====<br />
<br />
Connect your controller via USB and press the {{ic|PS}} button.<br />
<br />
==== Pairing via Bluetooth ====<br />
<br />
If you want to use bluetooth mode, hold down the {{ic|PS}} button and {{ic|Share}} button together. The white LED of the controller should blink very quickly, and the wireless controller can be paired with your bluetooth manager (bluez, gnome-bluetooth).<br />
<br />
Bluetooth connection of Dualsense requires enabling userspace HID support, otherwise Dualsense refuses Bluetooth connection after pairing. If userspace HID is not already enabled, this can be done by editing or creating the file {{ic|/etc/bluetooth/input.conf}} with the line {{ic|UserspaceHID{{=}}true}} and [[restart]]ing {{ic|bluetooth.service}}.<br />
<br />
==== Disable touchpad acting as mouse ====<br />
<br />
This fixes conflicts with games that actually use the touchpad as part of the gamepad, such as Rise of the Tomb Raider. This will work with both DualShock4 and DualSense controllers.<br />
<br />
===== libinput =====<br />
<br />
If using [[libinput]] with [[Xorg]], or if using [[Wayland]], then you can follow [[Libinput#Using environment variable]] to disable the touchpad device.<br />
<br />
Note that, since the touchpad is just one part of the controller, selecting the input device by vendor and product IDs will not suffice. Instead, consider selecting the device by name, e.g. {{ic|1=ATTRS{name}=="Wireless Controller Touchpad"}}. For a full set of attributes you can use, consult {{ic|udevadm info --attribute-walk --name{{=}}''device_path''}}, where {{ic|''device_path''}} is the path to the device, such as {{ic|/dev/input/event''n''}} or {{ic|/dev/input/by-id/''identifier''}}.<br />
<br />
===== Xorg configuration snippet =====<br />
<br />
If using Xorg, you can follow [[Xorg#Persistently disable input source]] with {{ic|MatchProduct "Wireless Controller Touchpad"}} to disable the DualShock4/DualSense touchpad. See {{ic|xinput list}} for detected product names.<br />
<br />
=== Playstation 5 (Dualsense) controller ===<br />
<br />
Bluetooth connection of Dualsense requires enabling userspace HID support, otherwise Dualsense refuses Bluetooth connection after pairing. If userspace HID is not already enabled, this can be done by editing or creating the file {{ic|/etc/bluetooth/input.conf}} with the line {{ic|UserspaceHID{{=}}true}} and [[restart]]ing {{ic|bluetooth.service}}.<br />
<br />
==== Configuration ====<br />
<br />
Button mapping (thanks to [https://github.com/yoyossef/ds360 yoyossef]):<br />
<br />
# xboxdrv \<br />
--evdev /dev/input/by-id/usb-Sony_Interactive_Entertainment_DualSense_Wireless_Controller-if03-event-joystick \<br />
--evdev-absmap ABS_HAT0X=dpad_x,ABS_HAT0Y=dpad_y,ABS_X=X1,ABS_Y=Y1,ABS_RX=X2,ABS_RY=Y2,ABS_Z=LT,ABS_RZ=RT \<br />
--evdev-keymap BTN_SOUTH=A,BTN_EAST=B,BTN_NORTH=Y,BTN_WEST=X,BTN_START=start,BTN_MODE=guide,BTN_SELECT=back \<br />
--evdev-keymap BTN_TL=LB,BTN_TR=RB,BTN_TL2=LT,BTN_TR2=RT,BTN_THUMBL=TL,BTN_THUMBR=TR \<br />
--axismap -y1=y1,-y2=y2 \<br />
--mimic-xpad \<br />
--silent<br />
<br />
Some applications, for example Steam inside GeForce NOW inside a web browser, may be confused by the original joystick events, which shadow the newly created event source.<br />
Simply deleting {{ic|/dev/input/js0}} works around this.<br />
<br />
The PlayStation and mode buttons still do not work, however.<br />
<br />
==== dualsensectl ====<br />
<br />
[https://github.com/nowrep/dualsensectl dualsensectl] is a tool that can toggle the lightbar and microphone (and its LED), monitor the battery status, and power off the controller. To use it, [[install]] {{AUR|dualsensectl-git}}.<br />
<br />
== Tips and Tricks ==<br />
<br />
=== Gamepad over network ===<br />
<br />
If you want to use your gamepad with another computer over a network, you can use [[USB/IP]] or {{AUR|netstick-git}} to do this.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Device permissions ===<br />
<br />
Gamepad devices are affected by [[Udev#Allowing regular users to use devices|udev rules]]: unless they grant access to the device, it simply will not be readable by users. This section helps you check whether your system already has a configuration file handling this.<br />
<br />
Any gamepad device, regardless of whether it is over USB or Bluetooth, is handled by the [https://docs.kernel.org/input/input_uapi.html "input" subsystem of the kernel], corresponding with {{ic|/dev/input}}. It's also common for udev rules to target the [https://docs.kernel.org/hid/hidraw.html "hidraw" kernel module]. Combining these, we can understand udev's handling of these devices by inspecting the configuration shipped by packages:<br />
<br />
$ grep --extended-regexp 'SUBSYSTEM=="input"|KERNEL=="hidraw' --recursive /usr/lib/udev/rules.d<br />
<br />
Some examples of applications which ship noteworthy rules:<br />
<br />
* [[systemd]]'s default rules set the group of all {{ic|input}} devices to {{ic|input}}, and the mode of joystick devices to {{ic|664}} [https://github.com/systemd/systemd/blob/edfb4a474e5cbef6578a70aae7f08a0f435c6c6a/rules.d/50-udev-default.rules.in#L33].<br />
* [[Steam]] ships udev rules allowing access to a variety of controllers. See [https://steamcommunity.com/app/353370/discussions/2/1735465524711324558/ this Steam discussion] for further info about the contents of the rules.<br />
* [[Dolphin emulator]] ships udev rules allowing access to controllers it supports.<br />
<br />
If your system does not already happen to have a udev rule for the device you want to use, you can either write one yourself or install the {{AUR|game-devices-udev}} package and restart your computer.<br />
<br />
{{Note|It is possible to add a user to the {{ic|input}} group in order to give them access to all devices. However, this is not recommended [https://github.com/systemd/systemd/issues/4288].}}<br />
<br />
=== Joystick moving mouse ===<br />
<br />
Sometimes a USB gamepad can be recognized as a HID mouse (only in X; it is still installed as {{ic|/dev/input/js0}} as well). A known symptom is the cursor being moved by the joystick, or escaping to an edge of the screen right after plugging in. If your application can detect the gamepad by itself, you can remove the {{AUR|xf86-input-joystick}} package.<br />
<br />
A more gentle solution is described in [[#Disable joystick from controlling mouse]].<br />
<br />
=== Gamepad is not working in FNA/SDL based games ===<br />
<br />
If you are using a generic non-widely used gamepad you may encounter issues getting the gamepad recognized in games based on SDL. Since [https://github.com/flibitijibibo/FNA/commit/e55742cfe7e38b778a21ed8a12cb2f2081490d8d 14 May 2015], FNA supports dropping a {{ic|gamecontrollerdb.txt}} into the executable folder of the game, for example the [https://github.com/gabomdq/SDL_GameControllerDB SDL_GameControllerDB].<br />
<br />
As an alternative, for older versions of FNA or for SDL, you can generate a mapping yourself by downloading the SDL source code via https://libsdl.org/, navigating to {{ic|/test/}}, compiling the {{ic|controllermap.c}} program (alternatively install {{AUR|controllermap}}) and running the test. After completing the controllermap test, a mapping string starting with the controller's GUID is generated that you can put in the {{ic|SDL_GAMECONTROLLERCONFIG}} environment variable, which is then picked up by SDL/FNA games. For example:<br />
<br />
$ export SDL_GAMECONTROLLERCONFIG="030000008f0e00000300000010010000,GreenAsia Inc. USB Joystick ,platform:Linux,x:b3,a:b2,b:b1,y:b0,back:b8,start:b9,dpleft:h0.8,dpdown:h0.0,dpdown:h0.4,dpright:h0.0,dpright:h0.2,dpup:h0.0,dpup:h0.1,leftshoulder:h0.0,leftshoulder:b6,lefttrigger:b4,rightshoulder:b7,righttrigger:b5,leftstick:b10,rightstick:b11,leftx:a0,lefty:a1,rightx:a3,righty:a2,"<br />
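To see what such a mapping string contains before exporting it, here is an added Python example (not part of this page or of SDL) that parses one mapping line into its GUID, name, platform and field bindings, validates each binding against the {{ic|b''N''}}/{{ic|a''N''}}/{{ic|h''N''.''M''}} syntax, reports fields bound more than once, and lists which of SDL2's standard game controller fields the mapping leaves unbound. The sample string is constructed from the example above (shortened) and the standard field names are SDL2's; the duplicate {{ic|dpdown}} entry in the sample is kept on purpose so the check has something to report.<br />

```python
"""Parse and sanity-check an SDL game controller mapping string."""
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# b<n> button, a<n> axis (optional half-axis sign prefix or ~ inversion suffix), h<n>.<mask> hat
BINDING_RE = re.compile(r"^[+-]?(?:b\d+|a\d+~?|h\d+\.\d+)$")

# Field names SDL2 defines for a game controller; a mapping may leave some unbound.
STANDARD_FIELDS = (
    "a", "b", "x", "y", "back", "guide", "start",
    "leftstick", "rightstick", "leftshoulder", "rightshoulder",
    "dpup", "dpdown", "dpleft", "dpright",
    "leftx", "lefty", "rightx", "righty", "lefttrigger", "righttrigger",
)

# Constructed sample modelled on the mapping string above (shortened; not a real controllermap result)
SAMPLE_MAPPING = (
    "030000008f0e00000300000010010000,GreenAsia Inc. USB Joystick ,platform:Linux,"
    "x:b3,a:b2,b:b1,y:b0,back:b8,start:b9,dpleft:h0.8,dpdown:h0.0,dpdown:h0.4,"
    "lefttrigger:b4,righttrigger:b5,leftx:a0,lefty:a1,rightx:a3,righty:a2,"
)


def parse_mapping(mapping):
    """Return {'guid', 'name', 'platform', 'bindings', 'problems'} for one mapping line.

    A malformed GUID raises; malformed or duplicated fields are listed in
    'problems' rather than silently accepted.
    """
    parts = mapping.split(",")
    if parts and parts[-1] == "":
        parts.pop()  # mapping strings end with a trailing comma
    if len(parts) < 2:
        raise ValueError("mapping needs at least a GUID and a name")
    guid, name, *fields = parts
    if not GUID_RE.match(guid):
        raise ValueError(f"GUID must be 32 hex digits, got {guid!r}")
    platform = None
    bindings = {}
    problems = []
    for field in fields:
        key, sep, value = field.partition(":")
        if not sep or not key:
            problems.append(f"malformed field {field!r}")
            continue
        if key == "platform":
            platform = value
            continue
        if not BINDING_RE.match(value):
            problems.append(f"{key}: unrecognised binding {value!r}")
            continue
        if key in bindings:
            problems.append(f"{key}: bound twice ({bindings[key]} then {value})")
        bindings[key] = value
    return {"guid": guid.lower(), "name": name.strip(), "platform": platform,
            "bindings": bindings, "problems": problems}


def missing_standard_fields(parsed):
    """Standard SDL fields the mapping leaves unbound, in STANDARD_FIELDS order."""
    return [f for f in STANDARD_FIELDS if f not in parsed["bindings"]]


if __name__ == "__main__":
    parsed = parse_mapping(SAMPLE_MAPPING)
    print("controller:", parsed["name"], parsed["guid"])
    print("problems:", parsed["problems"])
    print("unbound:", missing_standard_fields(parsed))
```

Feed it the exact string you intend to export; an empty {{ic|problems}} list and a short {{ic|unbound}} list are what you want to see before handing the mapping to a game.<br />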
<br />
=== Gamepad is not recognized by all programs ===<br />
<br />
Some software, Steam for example, will only recognize the first gamepad it encounters. Due to a bug in the driver for Microsoft wireless peripheral devices this can in fact be the Bluetooth dongle. If you find you have a {{ic|/dev/input/js*}} and {{ic|/dev/input/event*}} belonging to your keyboard's Bluetooth transceiver, you can automatically get rid of them by creating the following udev rules:<br />
<br />
{{hc|/etc/udev/rules.d/99-btcleanup.rules|2=<br />
ACTION=="add", KERNEL=="js[0-9]*", SUBSYSTEM=="input", KERNELS=="...", ATTRS{bInterfaceSubClass}=="00", ATTRS{bInterfaceProtocol}=="00", ATTRS{bInterfaceNumber}=="02", RUN+="/usr/bin/rm /dev/input/js%n"<br />
ACTION=="add", KERNEL=="event*", SUBSYSTEM=="input", KERNELS=="...", ATTRS{bInterfaceSubClass}=="00", ATTRS{bInterfaceProtocol}=="00", ATTRS{bInterfaceNumber}=="02", RUN+="/usr/bin/rm /dev/input/event%n"<br />
}}<br />
<br />
Correct the {{ic|1=KERNELS=="..."}} to match your device. The correct value can be found by running<br />
<br />
# udevadm info -an /dev/input/js0<br />
<br />
Assuming the device in question is {{ic|/dev/input/js0}}. After you placed the rule reload the rules with<br />
<br />
# udevadm control --reload<br />
<br />
Then replug the device that is causing you trouble. The joystick and event devices should be gone, although their numbers will still be reserved; the files are out of the way.<br />
<br />
=== Vibration does not work in certain Windows games ===<br />
<br />
Some Windows games look for an Xbox 360 controller in particular, causing vibration to not work even with otherwise functional XInput gamepads. One example of such game is [https://www.pcgamingwiki.com/wiki/Inside Inside].<br />
<br />
As a work-around for these games:<br />
<br />
* [[Kernel modules#Manual module handling|Unload]] the {{ic|xpad}} kernel module.<br />
* Launch {{ic|xboxdrv}}, mimicking an Xbox 360 gamepad and with vibration support:<br />
<br />
# xboxdrv --mimic-xpad --force-feedback<br />
<br />
=== Steam Controller ===<br />
<br />
==== Steam Controller not pairing ====<br />
<br />
There are some unknown cases where the packaged udev rule for the Steam controller does not work ({{bug|47330}}). The most reliable workaround is to make the controller world readable. Copy the rule {{ic|/usr/lib/udev/rules.d/70-steam-controller.rules}} to {{ic|/etc/udev/rules.d}} with a later priority and change anything that says {{ic|1=MODE="0660"}} to {{ic|1=MODE="066'''6'''"}}, e.g.<br />
<br />
{{hc|/etc/udev/rules.d/99-steam-controller-perms.rules|2=<br />
...<br />
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"<br />
...<br />
}}<br />
<br />
You may have to reboot in order for the change to take effect.<br />
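Both [[#Device permissions]] and this workaround come down to what the installed udev rules grant on {{ic|input}}, {{ic|hidraw}} and {{ic|usb}} device nodes. The script below is an added example (not part of this page, of systemd or of any package) that does in Python what the grep in [[#Device permissions]] does by hand: it tokenizes udev rule lines (including {{ic|ATTRS{...}}} keys and quoted values containing commas), and for every rule that touches those subsystems reports whether it makes the node world-writable, world-readable, seat-accessible via {{ic|1=TAG+="uaccess"}}, or readable by a group. The sample rules are constructed to resemble the ones discussed on this page, with the vendor ID {{ic|1234}} chosen as a placeholder; {{ic|load_rules_dirs}} reads the real {{ic|/usr/lib/udev/rules.d}} and {{ic|/etc/udev/rules.d}} when you want to audit your own system, which is worth doing after adding a {{ic|1=MODE="0666"}} rule, since that mode lets every local user read and write the device.<br />

```python
"""Audit udev rules for grants of access to input/hidraw/usb device nodes."""
import glob
import os
import re

# One KEY op "value" token of a udev rule; keys may carry an attribute in braces,
# e.g. ATTRS{idVendor}. Quoted values may contain commas and escaped quotes.
TOKEN_RE = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?'
)

# Constructed sample rules modelled on the ones discussed above; not copied from any package.
SAMPLE_RULES = {
    "50-udev-default.rules": (
        'SUBSYSTEM=="input", GROUP="input", MODE="0660"\n'
        'SUBSYSTEM=="input", KERNEL=="js[0-9]*", MODE="0664"\n'
    ),
    "70-example-uaccess.rules": (
        '# vendor id 1234 is a placeholder constructed for this example\n'
        'KERNEL=="hidraw*", ATTRS{idVendor}=="1234", TAG+="uaccess"\n'
    ),
    "99-steam-controller-perms.rules": (
        'SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"\n'
    ),
}


def parse_rule(line):
    """Split one rule line into (matches, assigns, appends) dicts; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    matches, assigns, appends = {}, {}, {}
    pos = 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if m is None:
            raise ValueError(f"cannot parse udev token at column {pos}: {line[pos:]!r}")
        key, op, value = m.groups()
        if op == "==":
            matches[key] = value
        elif op in ("=", ":="):
            assigns[key] = value
        elif op == "+=":
            appends.setdefault(key, []).append(value)
        # "!=" and "-=" never widen access, so this audit ignores them
        pos = m.end()
    return matches, assigns, appends


def classify(matches, assigns, appends, subsystems=("input", "hidraw", "usb")):
    """Describe how far a rule widens access to a device node, or None if it does not apply."""
    if matches.get("SUBSYSTEM") not in subsystems and not matches.get("KERNEL", "").startswith("hidraw"):
        return None
    mode = assigns.get("MODE")
    if mode is not None:
        bits = int(mode, 8)
        if bits & 0o002:
            return f"world-writable (MODE={mode})"
        if bits & 0o004:
            return f"world-readable (MODE={mode})"
    if "uaccess" in appends.get("TAG", []):
        return "uaccess (any user logged in at the seat)"
    if "GROUP" in assigns:
        return f"group {assigns['GROUP']}" + (f" (MODE={mode})" if mode else "")
    return None


def audit_rules(files):
    """files: {name: text}. Returns [(name, lineno, verdict)] for every rule that widens access."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            parsed = parse_rule(line)
            if parsed is None:
                continue
            verdict = classify(*parsed)
            if verdict:
                findings.append((name, lineno, verdict))
    return findings


def load_rules_dirs(dirs=("/usr/lib/udev/rules.d", "/etc/udev/rules.d")):
    """Read every *.rules file from the given directories, as the grep above does."""
    files = {}
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.rules"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    return files


if __name__ == "__main__":
    for name, lineno, verdict in audit_rules(SAMPLE_RULES):
        print(f"{name}:{lineno}: {verdict}")
```

Replace {{ic|SAMPLE_RULES}} with {{ic|load_rules_dirs()}} to audit the live system; rules that only run a program ({{ic|RUN+=}}) or set environment keys are parsed but not reported, because they do not change who may open the node.<br />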
<br />
==== Steam Controller makes a game crash or is not recognized ====<br />
<br />
If your Steam Controller is working well in Steam Big Picture mode, but not recognized by a game or the game starts crashing when you plug in the controller, this may be because of the native driver that has been added to the Linux kernel 4.18. Try to unload it, restart Steam and replug the controller.<br />
<br />
The module name of the driver is {{ic|hid_steam}}, so to unload it you may perform:<br />
<br />
# rmmod hid_steam<br />
<br />
=== Xbox One Wireless Gamepad detected but no inputs recognized ===<br />
<br />
This can occur when using a third party Xbox One controller with the {{ic|xpad}} or [[#xboxdrv]] drivers. Try switching to [[#xpadneo]].<br />
<br />
=== Playstation 4 controllers ===<br />
<br />
==== Controller not recognized when using Bluetooth ====<br />
<br />
[[Install]] the {{AUR|ds4drv}} package and run it with the hidraw ({{ic|ds4drv --hidraw}}) backend parameter.<br />
<br />
==== Button mapping ====<br />
<br />
To fix the button mapping of PS4 controller you can use the following command with xboxdrv (or try with the [https://github.com/chrippa/ds4drv ds4drv] program, {{AUR|ds4drv}}):<br />
<br />
# xboxdrv \<br />
--evdev /dev/input/by-id/usb-Sony_Computer_Entertainment_Wireless_Controller-event-joystick \<br />
--evdev-absmap ABS_X=x1,ABS_Y=y1 \<br />
--evdev-absmap ABS_Z=x2,ABS_RZ=y2 \<br />
--evdev-absmap ABS_HAT0X=dpad_x,ABS_HAT0Y=dpad_y \<br />
--evdev-keymap BTN_A=x,BTN_B=a \<br />
--evdev-keymap BTN_C=b,BTN_X=y \<br />
--evdev-keymap BTN_Y=lb,BTN_Z=rb \<br />
--evdev-keymap BTN_TL=lt,BTN_TR=rt \<br />
--evdev-keymap BTN_SELECT=tl,BTN_START=tr \<br />
--evdev-keymap BTN_TL2=back,BTN_TR2=start \<br />
--evdev-keymap BTN_MODE=guide \<br />
--axismap -y1=y1,-y2=y2 \<br />
--mimic-xpad \<br />
--silent<br />
<br />
==== Motion controls taking over joypad controls and/or causing unintended input with joypad controls ====<br />
<br />
{{Style|Could likely use the same solution as [[Gamepad#Disable touchpad acting as mouse]], which is already refactored into other pages where appropriate.}}<br />
<br />
With certain cloud gaming applications such as Parsec and Shadow, the Dualshock 4 V1 and V2 motion controls can conflict with the joypad controls resulting in the joypad not working, and with certain input sensitive games, especially racing games, the motion controls can cause unintentional drift during joypad control gameplay.<br />
<br />
This can be worked around by disabling the motion controls and the touchpad by adding the following udev rules:<br />
<br />
{{hc|1=/etc/udev/rules.d/51-disable-DS3-and-DS4-motion-controls.rules|2=<br />
SUBSYSTEM=="input", ATTRS{name}=="*Controller Motion Sensors", RUN+="/bin/rm %E{DEVNAME}", ENV{ID_INPUT_JOYSTICK}=""<br />
SUBSYSTEM=="input", ATTRS{name}=="*Controller Touchpad", RUN+="/bin/rm %E{DEVNAME}", ENV{ID_INPUT_JOYSTICK}=""<br />
}}<br />
<br />
Then [[udev#Loading new rules|reload the rules]] or reboot: these rules should work in both USB and Bluetooth mode.</div>Harviehttps://wiki.archlinux.org/index.php?title=Talk:F2FS&diff=787468Talk:F2FS2023-09-11T16:01:39Z<p>Harvie: added signature</p>
<hr />
<div>== Adding warning about F2FS potentially being unsafe? ==<br />
<br />
I know F2FS is probably a less popular choice than [[Btrfs]] (and other systems) for an Arch install, but given that btrfs justifiably has warnings listed on its page about its stability, especially in certain circumstances, and I had my filesystem become corrupted beyond repair on btrfs before, I think F2FS should be mentioned to have its issues. I recently started fiddling with F2FS on my Arch install, and I had it not only corrupt the file system, but also become impossible to mount with a ''can't find valid checkpoint'' error, dropping me to an emergency shell in initramfs. This happens when I uncleanly shut down the system while the rootfs was mounted, and it seems that fsck.f2fs corrupted it even further on the subsequent boot (and both -a and -f options aren't helping either). Luckily, I didn't lose any valuable data, but it seems that others were not so lucky with this filesystem, having the same error and losing their data [https://forum.voidlinux.eu/t/f2fs-data-recovery-help/4087], especially when using encryption [https://sourceforge.net/p/linux-f2fs/mailman/message/35928135/][https://superuser.com/questions/1225447/f2fs-lost-data-wont-mount-and-fsck-doesnt-work]. With that in mind, wouldn't it be good to note that in the wiki, possibly with a visible warning at the beginning? Not sure if the issue wouldn't be there with the 4.15 kernel, but I certainly wouldn't consider the file system 100% safe for regular use, especially in comparison to btrfs, which is still hinted as such. [[User:Faalagorn|Faalagorn]] [[User talk:Faalagorn|☎]]/[[Special:Contributions/Faalagorn|✓]] 13:47, 30 January 2018 (UTC)<br />
: I would have appreciated if someone told me that {{ic|btrfs}} is not suitable for partitions sized less than 100GB because of how metadata and snapshots are handled. [[User:Tallero|Tallero]] ([[User talk:Tallero|talk]]) 19:18, 5 November 2018 (UTC)<br />
:: We probably should move btrfs discussion elsewhere, but the upstream [https://btrfs.wiki.kernel.org/index.php/FAQ#if_your_device_is_small btrfs wiki] indicates btrfs is fine below 16GiB with specific options and above 16GiB with the default options. Chunks are allocated 1GB at a time, so I'm not sure why < 100GB would be a problem. [[User:Bobpaul|Bobpaul]] ([[User talk:Bobpaul|talk]]) 17:46, 6 November 2018 (UTC)<br />
::: If you have no space left, balancing won't start and basically you won't know in advance how much disk space you have to free to make it work again; on Ubuntu, apt takes btrfs snapshots on major upgrades without size checking (because yay, snapshots), so it is really easy to fill the disk; this is the case with many other btrfs snapshot utilities. The last time I encountered similar problems, the ArchWiki page about btrfs was not complete enough to let me solve the task in less than two or three hours. I cannot provide an actual reproduction of the bug because I learned from my mistakes and never used btrfs on small partitions again.<br />
::: Sincerely, I cannot advise anyone to use a file system that after ten years still does not display the correct free space amount in {{ic|df}}. Anyway, I posted about this same problem yesterday in the btrfs discussion page. It is so common that "solutions" are present in its FAQ, too. [[User:Tallero|Tallero]] ([[User talk:Tallero|talk]]) 23:41, 6 November 2018 (UTC)<br />
:::: (I moved your reply to stay in the thread.) That's a fair complaint, but is a problem with lack of freespace, not partition size. ZFS, btrfs, and several other file systems struggle when the partition surpasses a certain level of full, even on several TB arrays. These file systems have their place, but that place is usually "kept below 50% utilization." I do disagree with SuSe and Ubuntu choosing this file system as default for desktop users, but it's a great fit for my home server. [[User:Bobpaul|Bobpaul]] ([[User talk:Bobpaul|talk]]) 01:10, 7 November 2018 (UTC)<br />
: If there are citable issues (known bugs, known configurations that can be problematic, etc.) then I think it's reasonable to add a warning. If it's simply that you personally had a problem, then that's not very useful; it's hard for someone to look at an individual's anecdote and know whether it was a filesystem problem or an external issue like a hardware failure. That said, it looks like you have citations for some known issue(s), so go ahead and write up a warning if you feel it's justified. Don't be afraid to edit wikis; that's why they're here. [[User:Bobpaul|Bobpaul]] ([[User talk:Bobpaul|talk]]) 18:02, 6 November 2018 (UTC)<br />
::I think a big problem with F2FS is the general lack of citable ''anything''. It's my impression that F2FS is primarily used in some Android smartphones, and most of the knowledge and experience with actually using F2FS is kept inside Samsung and Google. I've had a ton of weird problems with F2FS, and I've been entirely unable to find relevant information. [[User:Rosvall|Rosvall]] ([[User talk:Rosvall|talk]]) 08:37, 16 September 2022 (UTC)<br />
: I do have issues with F2FS very frequently, especially when an unclean shutdown happened, especially if using compression. This is a very easy-to-reproduce bug. Just create an Arch install with an F2FS root, install a bunch of things, force shutdown your computer (or VM), and restart. If it doesn't fail then, it'll fail afterwards. [[User:Aviallon|Aviallon]] ([[User talk:Aviallon|talk]]) 07:22, 24 September 2020 (UTC)<br />
<br />
== Power loss claims ==<br />
<br />
Page says following: "F2FS has a weak fsck that can lead to data loss in case of a sudden power loss"<br />
<br />
I had some of the described issues with f2fs-tools 0.15, but it seems to be better with 0.16. I haven't checked the changelog of f2fs-tools, but the situation might be a bit better now. --[[User:Harvie|Harvie]] ([[User talk:Harvie|talk]]) 16:01, 11 September 2023 (UTC)<br />
<br />
== USB-flash keys & memory-cards... ==<br />
<br />
One could get the impression that F2FS is not suitable for USB flash drives and other flash memory cards, as it is stated on this page that F2FS is only suitable for FTL-based flash drives and that this only includes SCSI/SATA/PCIe/NVMe drives.<br />
Is this really true? That it's not suitable for USB flash drives?<br />
Some claim it's exactly on these "stupid" flash drives that F2FS is strongest.<br />
This should be made clearer on the page.<br />
<br />
{{Unsigned|2023-03-05T14:51:37|MrCalvin}}</div>Harviehttps://wiki.archlinux.org/index.php?title=Talk:F2FS&diff=787467Talk:F2FS2023-09-11T16:01:13Z<p>Harvie: F2FS fsck might be better now</p>
<hr />
<div>== Adding warning about F2FS potentially being unsafe? ==<br />
<br />
I know F2FS is probably a less popular choice than [[Btrfs]] (and other systems) for an Arch install, but given that btrfs justifiably has warnings listed on its page about its stability, especially in certain circumstances, and I had my filesystem become corrupted beyond repair on btrfs before, I think F2FS should be mentioned to have its issues. I recently started fiddling with F2FS on my Arch install, and I had it not only corrupt the file system, but also become impossible to mount with a ''can't find valid checkpoint'' error, dropping me to an emergency shell in initramfs. This happens when I uncleanly shut down the system while the rootfs was mounted, and it seems that fsck.f2fs corrupted it even further on the subsequent boot (and both -a and -f options aren't helping either). Luckily, I didn't lose any valuable data, but it seems that others were not so lucky with this filesystem, having the same error and losing their data [https://forum.voidlinux.eu/t/f2fs-data-recovery-help/4087], especially when using encryption [https://sourceforge.net/p/linux-f2fs/mailman/message/35928135/][https://superuser.com/questions/1225447/f2fs-lost-data-wont-mount-and-fsck-doesnt-work]. With that in mind, wouldn't it be good to note that in the wiki, possibly with a visible warning at the beginning? Not sure if the issue wouldn't be there with the 4.15 kernel, but I certainly wouldn't consider the file system 100% safe for regular use, especially in comparison to btrfs, which is still hinted as such. [[User:Faalagorn|Faalagorn]] [[User talk:Faalagorn|☎]]/[[Special:Contributions/Faalagorn|✓]] 13:47, 30 January 2018 (UTC)<br />
: I would have appreciated if someone told me that {{ic|btrfs}} is not suitable for partitions sized less than 100GB because of how metadata and snapshots are handled. [[User:Tallero|Tallero]] ([[User talk:Tallero|talk]]) 19:18, 5 November 2018 (UTC)<br />
:: We probably should move btrfs discussion elsewhere, but the upstream [https://btrfs.wiki.kernel.org/index.php/FAQ#if_your_device_is_small btrfs wiki] indicates btrfs is fine below 16GiB with specific options and above 16GiB with the default options. Chunks are allocated 1GB at a time, so I'm not sure why < 100GB would be a problem. [[User:Bobpaul|Bobpaul]] ([[User talk:Bobpaul|talk]]) 17:46, 6 November 2018 (UTC)<br />
::: If you have no space left, balancing won't start and basically you won't know in advance how much disk space you have to free to make it work again; on Ubuntu, apt takes btrfs snapshots on major upgrades without size checking (because yay, snapshots), so it is really easy to fill the disk; this is the case with many other btrfs snapshot utilities. The last time I encountered similar problems, the ArchWiki page about btrfs was not complete enough to let me solve the task in less than two or three hours. I cannot provide an actual reproduction of the bug because I learned from my mistakes and never used btrfs on small partitions again.<br />
::: Sincerely, I cannot advise anyone to use a file system that after ten years still does not display the correct free space amount in {{ic|df}}. Anyway, I posted about this same problem yesterday in the btrfs discussion page. It is so common that "solutions" are present in its FAQ, too. [[User:Tallero|Tallero]] ([[User talk:Tallero|talk]]) 23:41, 6 November 2018 (UTC)<br />
:::: (I moved your reply to stay in the thread.) That's a fair complaint, but is a problem with lack of freespace, not partition size. ZFS, btrfs, and several other file systems struggle when the partition surpasses a certain level of full, even on several TB arrays. These file systems have their place, but that place is usually "kept below 50% utilization." I do disagree with SuSe and Ubuntu choosing this file system as default for desktop users, but it's a great fit for my home server. [[User:Bobpaul|Bobpaul]] ([[User talk:Bobpaul|talk]]) 01:10, 7 November 2018 (UTC)<br />
: If there are citable issues (known bugs, known configurations that can be problematic, etc.) then I think it's reasonable to add a warning. If it's simply that you personally had a problem, then that's not very useful; it's hard for someone to look at an individual's anecdote and know whether it was a filesystem problem or an external issue like a hardware failure. That said, it looks like you have citations for some known issue(s), so go ahead and write up a warning if you feel it's justified. Don't be afraid to edit wikis; that's why they're here. [[User:Bobpaul|Bobpaul]] ([[User talk:Bobpaul|talk]]) 18:02, 6 November 2018 (UTC)<br />
::I think a big problem with F2FS is the general lack of citable ''anything''. It's my impression that F2FS is primarily used in some Android smartphones, and most of the knowledge and experience with actually using F2FS is kept inside Samsung and Google. I've had a ton of weird problems with F2FS, and I've been entirely unable to find relevant information. [[User:Rosvall|Rosvall]] ([[User talk:Rosvall|talk]]) 08:37, 16 September 2022 (UTC)<br />
: I do have issues with F2FS very frequently, especially when an unclean shutdown happened, especially if using compression. This is a very easy-to-reproduce bug. Just create an Arch install with an F2FS root, install a bunch of things, force shutdown your computer (or VM), and restart. If it doesn't fail then, it'll fail afterwards. [[User:Aviallon|Aviallon]] ([[User talk:Aviallon|talk]]) 07:22, 24 September 2020 (UTC)<br />
<br />
== Power loss claims ==<br />
<br />
Page says following: "F2FS has a weak fsck that can lead to data loss in case of a sudden power loss"<br />
<br />
I had some of the described issues with f2fs-tools 0.15, but it seems to be better with 0.16. I haven't checked the changelog of f2fs-tools, but the situation might be a bit better now.<br />
<br />
== USB-flash keys & memory-cards... ==<br />
<br />
One could get the impression that F2FS is not suitable for USB flash drives and other flash memory cards, as it is stated on this page that F2FS is only suitable for FTL-based flash drives and that this only includes SCSI/SATA/PCIe/NVMe drives.<br />
Is this really true? That it's not suitable for USB flash drives?<br />
Some claim it's exactly on these "stupid" flash drives that F2FS is strongest.<br />
This should be made clearer on the page.<br />
<br />
{{Unsigned|2023-03-05T14:51:37|MrCalvin}}</div>Harviehttps://wiki.archlinux.org/index.php?title=Syncthing&diff=700763Syncthing2021-11-04T16:13:23Z<p>Harvie: Syncthing FUSE</p>
<hr />
<div>[[Category:Synchronization]]<br />
[[Category:Peer-to-peer]]<br />
[[ja:Syncthing]]<br />
{{Related articles start}}<br />
{{Related|Resilio Sync}}<br />
{{Related|Synchronization and backup programs}}<br />
{{Related articles end}}<br />
<br />
[https://syncthing.net Syncthing] is an open-source file synchronization client/server application,<br />
written in [[Go]], implementing its own, equally free [https://docs.syncthing.net/specs/bep-v1.html Block Exchange Protocol].<br />
All transit communications between syncthing nodes are encrypted using [[Wikipedia: Transport_Layer_Security|TLS]], and all nodes are uniquely identified with cryptographic certificates.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|syncthing}} package.<br />
<br />
Syncthing provides a [[#Web-GUI]] for control and monitoring. [https://docs.syncthing.net/users/contrib.html#gui-wrappers GUI wrappers] like [[#Syncthing-GTK]] and [[#Syncthing Tray]] (provided in separate packages) also exist.<br />
<br />
== Running Syncthing ==<br />
<br />
=== Starting Syncthing ===<br />
<br />
Run the {{ic|syncthing}} binary manually from a terminal. The multiple optional parameters are described in {{man|1|syncthing}}.<br />
{{Note|You can run multiple copies of syncthing, but only one instance per user as syncthing locks the database to it. Check logs for errors related to locked database.}}<br />
<br />
=== Autostarting Syncthing ===<br />
<br />
Syncthing can either be installed as a [[systemd|systemd system-wide]] service or as a [[systemd/User|systemd user]] service to run automatically at startup.<br />
<br />
==== System service ====<br />
<br />
Running Syncthing as a system service ensures that it is running at startup even if the user has no active session; it is intended to be used on a server.<br />
[[Enable]] and [[start]] the {{ic|syncthing@''myusername''.service}} where ''myusername'' is the actual name of the Syncthing user.<br />
<br />
{{Note|If a service account was created explicitly for syncthing (e.g. via {{ic|useradd -r}}) then ensure that the user has a valid home directory otherwise the service will immediately fail. Syncthing attempts to put configuration files into $HOME/.config/syncthing}}<br />
<br />
==== User service ====<br />
<br />
Running Syncthing as a ''systemd user'' service ensures that Syncthing only starts after the user has logged into the system (e.g., via the graphical login screen, or ssh). Thus, the user service is intended to be used on a (multiuser) desktop computer. To use the user service, [[start/enable]] the user unit {{ic|syncthing.service}} (i.e. with the {{ic|--user}} flag).<br />
<br />
{{Tip|It is also possible to run the systemd-user service at boot (i.e. without logging in) using [[Systemd/User#Automatic start-up of systemd user instances]].}}<br />
<br />
=== Syncthing-GTK ===<br />
<br />
{{AUR|syncthing-gtk}} provides a [[GTK]] graphical user interface, desktop notifications and integration with the file managers [[Nautilus]], [[Nemo]] and Caja.<br />
Syncthing can be launched by Syncthing-GTK: use the interface settings to run syncthing-gtk at startup, and to state whether to launch the syncthing daemon.<br />
<br />
{{Note|When launching the syncthing daemon using both systemd and syncthing-gtk, it might happen that two syncthing instances run concurrently leading to high CPU consumption: one launched by syncthing-gtk, and the other (slightly later) by systemd. To solve this, either avoid launching syncthing using systemd, or configure syncthing-gtk to wait for the syncthing daemon.}}<br />
<br />
=== Web-GUI ===<br />
<br />
Syncthing provides a web interface accessible by default on http://localhost:8384.<br />
{{Tip|To access the GUI remotely, see the [https://docs.syncthing.net/users/faq.html#how-do-i-access-the-web-gui-from-another-computer FAQ].}}<br />
<br />
=== Syncthing Tray ===<br />
<br />
{{aur|syncthingtray}} complements the Web-GUI by providing a Qt-based system tray icon and desktop notifications. There exists a desktop environment neutral version and a plasmoid for [[Plasma]] 5. It also provides integration with systemd and the [[Dolphin]] file manager.<br />
<br />
The package also comes with the syncthingctl utility, which allows interacting with Syncthing from the command line.<br />
<br />
== Configuration ==<br />
<br />
After installation, Syncthing already has a proper start-up configuration. New servers and/or folders can be added by visiting the web interface. For detailed instructions on how to set up a simple network, read [https://docs.syncthing.net/intro/getting-started.html Syncthing's getting started]. <br />
<br />
After a successful first start, a default repository at {{ic|~/Sync}} is created. You can see this in the web admin interface. On the right is the list of nodes you have added. On the left is the list of repositories, which are folders you can choose to share with other nodes.<br />
<br />
To add another node, click "Add Node" underneath the list of nodes. You will be prompted for their Node ID (which can be found on the other machine by clicking {{ic|Edit > Show ID}}) as well as a short name and the address.<br />
If you specify "dynamic" for the address, the syncthing announce server will be used to automatically exchange addresses between nodes. If you want to know more about Node IDs, including the cryptographic implications, you can read the appropriate [https://docs.syncthing.net/dev/device-ids.html Syncthing documentation page].<br />
<br />
After saving the configuration, the syncthing server restarts automatically. Next, you can either change the configuration of the default node (click its name and then {{ic|Edit}}), or create a new one to share data with. Simply tick the node you wish to share the data with, and they will have permission to access it.<br />
<br />
=== Local network setup ===<br />
<br />
In the typical case where several machines share a LAN (''Local Area Network'') behind a NAT (''Network Address Translation'') router, it is advised for a versatile configuration to:<br />
<br />
* Activate both local and global discovery on each node. This will allow discovery in all situations, including if some of the nodes are mobile devices like laptops or Android phones, and leave the LAN and connect to the internet from the outside. This way they will still be found with global discovery.<br />
<br />
* Use a different [https://docs.syncthing.net/users/config.html#listen-addresses listen address port] for each machine, like {{ic|tcp://:22010}}, {{ic|tcp://:22011}}, {{ic|tcp://:22012}} and so forth. This will differentiate the nodes on the global discovery servers and avoid the ''"Connected to myself - should not happen"'' message on the other local devices whenever they leave the LAN.<br />
<br />
* If running multiple instances for different users on the same machine, set a different port for each user's ''localAnnouncePort'' (IPv4 broadcasts) so as to avoid Syncthing complaints, and choose the same ''localAnnounceMCAddr'' (IPv6 multicasts) so as to find other devices on the LAN without global discovery (see [https://docs.syncthing.net/users/config.html#options-element Options Element]).<br />
<br />
* If two instances on the same machine should find each other without global discovery, add {{ic|tcp://127.0.0.1:xxxxx}} as device's second ''address'', e.g., {{ic|tcp://127.0.0.1:22001}} and {{ic|tcp://127.0.0.1:22002}} (see [https://docs.syncthing.net/users/config.html#device-element Device Element]).<br />
<br />
* Enable if possible [[Wikipedia:universal plug and play|UPnP]] port forwarding or manually forward each port to the right machine on the LAN. When a new node is discovered, Syncthing tries to use its configured listening port, ''22000'' by default. If this port happens to be closed, it will seek another port locally: whenever ''NAT traversal'' is enabled in Syncthing, it will attempt to use UPnP to map a random external port to the internal listening port chosen, for example ''22000''. If UPnP is not supported or if this is not desirable, each port should be manually forwarded to the right machine on the LAN. Eventually, if no open port can be found on both sides, [https://docs.syncthing.net/users/relaying.html relaying] will be used.<br />
<br />
=== Using inotify ===<br />
<br />
[[Wikipedia:inotify|inotify]] ''(inode notify)'' is a Linux kernel subsystem that acts to extend filesystems to notice changes to the filesystem, and report those changes to applications. Syncthing supports inotify and the functionality can be enabled in the configuration menu for individual folders.<br />
<br />
== Participate in the infrastructure ==<br />
<br />
One can participate in the [https://docs.syncthing.net/dev/infrastructure.html Syncthing infrastructure] by running a global discovery server or a relay server.<br />
<br />
=== Running a relay ===<br />
<br />
Syncthing has the ability to connect two devices via a [https://docs.syncthing.net/users/relaying.html relay] when it is not possible to establish a direct connection between them. Relayed connections are end-to-end encrypted in the usual manner, so the relay has no insight into the connection other than the knowledge of the IP addresses and device IDs.<br />
<br />
Anyone can run a [https://docs.syncthing.net/users/strelaysrv.html relay server] and it will automatically join the [https://relays.syncthing.net/ Syncthing relay pool] and be available to all Syncthing's users. To run your own relay, [[install]] {{Pkg|syncthing-relaysrv}} and [[systemd#Using units|Start/Enable]] {{ic|syncthing-relaysrv.service}}. Rate limiting and other options can be configured via the command line. These options can be set in the {{ic|ExecStart}} directive of the service [[drop-in file]] as follows:<br />
<br />
{{hc|/etc/systemd/system/syncthing-relaysrv.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/syncthing-relaysrv -global-rate 500000 -provided-by ''relayprovidername''}}<br />
<br />
{{Note|The relay listens by default to port ''22067'' for data and ''22070'' for service status (used for public statistics), they should therefore be open for TCP connections. The default ports can be respectively overridden with the {{ic|-listen}} and {{ic|-status-srv}} options if necessary. }}<br />
<br />
{{Tip|The traffic statistics of a particular relay are accessible by default on port 22070, e.g. http://example.com:22070/status}}<br />
<br />
=== Running a discovery server ===<br />
<br />
[https://docs.syncthing.net/specs/globaldisco-v3.html Global discovery] is used by Syncthing to find peers on the internet.<br />
Any device announces itself at startup to the discovery server which stores the device ID, IP address, port and current time. <br />
Then, on request for a given device ID, it returns the stored information in JSON format.<br />
<br />
As an example, the request {{ic|<nowiki>https://discovery.syncthing.net/?device=ITZRNXE-YNROGBZ-HXTH5P7-VK5NYE5-QHRQGE2-7JQ6VNJ-KZUEDIU-5PPR5AM</nowiki>}} returns {{ic|{"seen":"2020-02-29T14:56:08.34589801Z","addresses":["quic://212.121.228.172:22000","tcp://212.121.228.172:22000"]} }}.<br />
<br />
A list of public [https://docs.syncthing.net/dev/infrastructure.html#global-discovery-servers global discovery servers] is provided. In addition, anyone can run a [https://docs.syncthing.net/users/stdiscosrv.html discovery server]; to run your own, [[install]] the {{aur|syncthing-discosrv}} package.<br />
<br />
The discovery server requires certificates to run, which should ideally be placed in {{ic|/var/discosrv}}. The user/group {{ic|syncthing}} needs permissions to be able to read the certificate files. You need to edit the systemd unit file to correctly point to the certificates (and to undertake any other configuration change you may want, see [https://docs.syncthing.net/users/stdiscosrv.html#configuring list]).<br />
<br />
{{hc|/usr/lib/systemd/system/syncthing-discosrv.service|2=<br />
[Unit]<br />
Description=Syncthing discovery server<br />
After=network.target<br />
<br />
[Service]<br />
User=syncthing<br />
Group=syncthing<br />
ExecStart=/usr/bin/syncthing-discosrv -db-dsn /var/discosrv/discosrv.db -cert /var/discosrv/cert.pem -key /var/discosrv/key.pem<br />
Restart=on-failure<br />
SuccessExitStatus=2<br />
<br />
PrivateDevices=true<br />
ProtectSystem=full<br />
ProtectHome=true<br />
NoNewPrivileges=true<br />
<br />
[Install]<br />
WantedBy=multi-user.target}}<br />
<br />
To point the client to your discovery server, change the {{ic|Global Discovery Servers}} variable under Settings to {{ic|<nowiki>https://yourserver:8443/</nowiki>}} (default port) or whatever port you have configured instead. The variable takes a comma-separated list of discovery servers, so it is possible to include multiple ones, including the default one. <br />
<br />
If you are using self-signed certificates, the client refuses to connect unless you append the discovery server ID to its domain. The ID is printed to stdout upon launching the discovery server. Amend the ''Global Discovery Servers'' entry to add the ID: {{ic|<nowiki>https://yourserver.com:8443/?id=AAAAAAA-BBBBBBB-CCCCCCC-DDDDDDD-EEEEEEE-FFFFFFF-GGGGGGG-HHHHHHH</nowiki>}}.<br />
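The {{ic|?id=}} suffix works as certificate pinning: a device ID is derived from the TLS certificate (SHA-256 over the DER-encoded certificate, base32 without padding, four 13-character groups each followed by a Luhn mod-32 check character, written as eight 7-character groups), so a client given the ID will only accept a discovery server presenting a certificate that hashes to it. The following Python is an added example, not Syncthing's own code: it derives an ID from certificate bytes, validates an ID's check characters before you paste it into the ''Global Discovery Servers'' field, builds the pinned URL, and parses a discovery reply. The certificate bytes in the test are a constructed placeholder, not a real certificate; {{ic|yourserver.com:8443}} and the device ID in the example above are taken from this page.<br />

```python
# Added example (not Syncthing's own code): derive and validate Syncthing
# device IDs and use one to pin a discovery server's self-signed certificate.
#
# A device ID is SHA-256 over the DER-encoded TLS certificate, base32-encoded
# without padding (52 characters), split into four 13-character groups that
# each get a Luhn mod-32 check character (56 characters), written as eight
# 7-character groups joined by hyphens.  Because the ID commits to the
# certificate, "?id=<device ID>" on the discovery URL pins that certificate.
import base64
import hashlib
import hmac
import json

LUHN_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn32_check_char(payload):
    """Luhn mod-32 check character as Syncthing computes it (weights 1,2,1,2,...)."""
    n = len(LUHN_BASE32)
    factor, total = 1, 0
    for ch in payload:
        addend = factor * LUHN_BASE32.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return LUHN_BASE32[(n - total % n) % n]


def device_id_from_cert_der(cert_der):
    """Compute the 63-character device ID for a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    raw = base64.b32encode(digest).decode("ascii").rstrip("=")   # 52 chars
    checked = "".join(raw[i:i + 13] + luhn32_check_char(raw[i:i + 13])
                      for i in range(0, 52, 13))                   # 56 chars
    return "-".join(checked[i:i + 7] for i in range(0, 56, 7))


def normalize_device_id(device_id):
    """Strip separators, upper-case, and undo the common 0/1/8 typos for O/I/B."""
    compact = device_id.replace("-", "").replace(" ", "").upper()
    return compact.replace("0", "O").replace("1", "I").replace("8", "B")


def is_valid_device_id(device_id):
    """True if the ID has the right shape and every group's check character matches."""
    compact = normalize_device_id(device_id)
    if len(compact) != 56 or any(c not in LUHN_BASE32 for c in compact):
        return False
    return all(luhn32_check_char(compact[i:i + 13]) == compact[i + 13]
               for i in range(0, 56, 14))


def certificate_matches_id(cert_der, pinned_id):
    """Pin check: does the presented certificate hash to the ID we were told to trust?"""
    if not is_valid_device_id(pinned_id):
        return False
    expected = normalize_device_id(pinned_id)
    actual = normalize_device_id(device_id_from_cert_der(cert_der))
    return hmac.compare_digest(expected, actual)


def pinned_discovery_url(base_url, device_id):
    """Build the 'Global Discovery Servers' entry for a self-signed discovery server."""
    if not is_valid_device_id(device_id):
        raise ValueError("refusing to pin a malformed device ID: %r" % device_id)
    return base_url.rstrip("/") + "/?id=" + device_id


def parse_discovery_response(body):
    """Return the transport addresses from a discovery lookup's JSON reply."""
    data = json.loads(body)
    return [a for a in data.get("addresses", [])
            if a.startswith(("tcp://", "quic://", "relay://"))]


if __name__ == "__main__":
    # Device ID quoted on this page; the certificate bytes below are a
    # constructed placeholder, not a real DER certificate.
    page_id = "ITZRNXE-YNROGBZ-HXTH5P7-VK5NYE5-QHRQGE2-7JQ6VNJ-KZUEDIU-5PPR5AM"
    print("page ID valid:", is_valid_device_id(page_id))
    print(pinned_discovery_url("https://yourserver.com:8443/", page_id))
    print(device_id_from_cert_der(b"constructed-certificate-bytes"))
```

A typo in a pasted ID (or a tampered one) fails the check-character test before any connection is attempted, and {{ic|certificate_matches_id}} is the comparison a client performs once the server presents its certificate; the constant-time compare is a habit, not a requirement, since the ID is public.<br />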
<br />
== Tips and tricks ==<br />
<br />
=== Stop journal spam ===<br />
<br />
Syncthing can be quite noisy even while it is not doing anything. The service ExecStart can be overridden to filter output directly without an extra script (adjust "grep" as needed):<br />
{{hc|/etc/systemd/system/syncthing@.service.d/nospam.conf|<nowiki><br />
[Service]<br />
ExecStart=<br />
ExecStart=/bin/bash -c 'set -o pipefail; /usr/bin/syncthing -no-browser -no-restart -logflags=0 | grep -v "INFO: "'</nowiki>}}<br />
<br />
=== Run in VirtualBox ===<br />
<br />
It is possible to have Syncthing connect both locally and globally within a [[VirtualBox]] virtual machine (''VM'') while keeping its network adapter in the [https://www.virtualbox.org/manual/ch06.html#network_nat standard NAT] mode (as opposed to [https://www.virtualbox.org/manual/ch06.html#network_bridged bridged networking] attached to the host computer's adapter). <br />
<br />
To enable this mode, Syncthing should listen to a port in the VM different from the listening port already used by the host.<br />
For example, if the default 22000 port is used by the host, one could use 22001 in the VM.<br />
The listening port in the VM can be changed through Syncthing's [https://docs.syncthing.net/users/config.html#listen-addresses Sync Protocol Listen Addresses] to {{ic|tcp://:22001}} in the GUI ''Settings''.<br />
<br />
The 22001/TCP port of the host must be forwarded to the guest in this configuration. This can be done with the following command:<br />
$ VBoxManage modifyvm ''myvmname'' --natpf1 "syncthing,tcp,,22001,,22001"<br />
In this setup, relaying should not be necessary: local devices can connect to the VM on port 22001 while global devices are accessible as long as they have themselves an open port.<br />
<br />
{{Note|Local discovery in this setup is limited because the discovery listening port 21027 is already used by the host. The guest is therefore not able to build a table of local announcements, though it can still broadcast to the local network via the VM NAT and announce itself. The steps described above allow running a functioning server in the default NAT configuration, but bridged networking is recommended for an optimal setup.}}<br />
<br />
=== Running through a proxy ===<br />
<br />
Syncthing can be run through a proxy to enable use behind a corporate firewall or tunneling via SSH. According to the [https://docs.syncthing.net/users/proxying.html using proxies] documentation it is necessary to set the {{ic|all_proxy}} environment variable, and it must indicate a ''socks5'' proxy type.<br />
<br />
* If the service is run from a script or from the command line, you must set the variables beforehand as follows:<br />
<br />
export all_proxy="socks5://''proxy_address'':''proxy_port''"<br />
export no_proxy="127.0.0.1"<br />
<br />
* If it is run as a service, you must define the variables in the service configuration as follows:<br />
<br />
{{hc|/etc/systemd/system/syncthing@''myusername''.service.d/override.conf|2=<br />
[Service]<br />
Environment="all_proxy=socks5://''proxy_address'':''proxy_port''"<br />
Environment="no_proxy=127.0.0.1"}}<br />
<br />
You must then reload the systemd daemon configuration:<br />
<br />
# systemctl daemon-reload<br />
<br />
and [[restart]] the {{ic|syncthing@''myusername''.service}}.<br />
<br />
This file can be edited using systemd facility {{ic|systemctl edit --full syncthing@''myusername''.service}} according to the [[systemd#Editing provided units]] section.<br />
<br />
=== Syncthing FUSE ===<br />
<br />
[https://github.com/burkemw3/syncthingfuse SyncthingFUSE] is a FUSE driver that mounts a Syncthing share without actually syncing it to local storage.<br />
<br />
When you open a file, the contents are served from a local cache, if possible. If the contents are not in the cache, then SyncthingFUSE asks peers for the contents and adds them to the cache. The local cache will not grow larger than a fixed size, though. If no peers are currently available for the file, then opening the file will fail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Database issue ===<br />
<br />
One may encounter database issues at some stage. To force a rescan of the files and a rebuild of the database, use the following command:<br />
<br />
$ syncthing -reset-database<br />
<br />
=== read-only file system error on /etc although run as root ===<br />
<br />
If Syncthing reports a read-only file system even though the user it runs as (e.g. root writing to {{ic|/etc}}) has write permission, check the template unit's definition:<br />
<br />
$ systemctl cat syncthing@.service<br />
<br />
Within the {{ic|[Service]}} section there is a ''Hardening'' block, and below it a {{ic|ProtectSystem}} directive which is set to {{ic|full}} by default. With {{ic|full}} the service runs in a mount namespace in which {{ic|/usr}}, {{ic|/boot}} and {{ic|/etc}} are read-only regardless of Unix permissions, which is why even root gets the error. See {{man|5|systemd.exec|SANDBOXING}} for more information on this directive.<br />
<br />
Create a [[drop-in file]] to override the value to something that suits your needs. If you are trying to sync a sub-folder of {{ic|/etc}}, {{ic|1=ProtectSystem='''true'''}} (which leaves {{ic|/etc}} writable but keeps {{ic|/usr}} and {{ic|/boot}} read-only) should do the trick. A narrower alternative that keeps {{ic|1=ProtectSystem=full}} is to list only that sub-folder in {{ic|1=ReadWritePaths=}}, so the rest of {{ic|/etc}} stays read-only for the service.<br />
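The following POSIX shell script is an added example, not code from this page or from the Syncthing project. It writes one drop-in for {{ic|syncthing@''myusername''.service}} that combines the proxy environment from [[#Running through a proxy]] with the fix for this section, keeping {{ic|1=ProtectSystem=full}} and exempting a single directory through {{ic|1=ReadWritePaths=}} rather than loosening the whole sandbox. The proxy {{ic|10.0.0.1:1080}}, the directory {{ic|/etc/syncthing-shared}} and the optional target-directory argument are placeholders assumed for the example.<br />

```sh
#!/bin/sh
# Added example; not code from the Arch wiki page or from Syncthing.
# Writes ONE drop-in for syncthing@USER.service that
#   (a) sends Syncthing's outbound traffic through a SOCKS5 proxy, and
#   (b) keeps the template's ProtectSystem=full sandbox but exempts a single
#       directory via ReadWritePaths=, instead of loosening it to ProtectSystem=true.
# Placeholders assumed for this example: proxy 10.0.0.1:1080 and the shared
# directory /etc/syncthing-shared. Nothing here is a Syncthing default.
set -eu

# write_dropin USER PROXY_HOST PROXY_PORT RW_PATH [SYSTEMD_DIR]
# Prints the path of the drop-in it wrote. SYSTEMD_DIR defaults to
# /etc/systemd/system; pass a scratch directory to inspect the result first.
write_dropin() {
    user=$1 host=$2 port=$3 rwpath=$4
    base=${5:-/etc/systemd/system}
    dir="$base/syncthing@$user.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Service]
# Proxy settings read by Syncthing (https://docs.syncthing.net/users/proxying.html)
Environment="all_proxy=socks5://$host:$port"
Environment="no_proxy=127.0.0.1"
# Keep the sandbox: /usr, /boot and /etc stay read-only inside the unit ...
ProtectSystem=full
# ... except this one directory, which the service may write to.
ReadWritePaths=$rwpath
EOF
    printf '%s\n' "$dir/override.conf"
}

# dropin_is_weak FILE -> succeeds (exit 0) if FILE loosened the sandbox to
# ProtectSystem=true/yes; use it to audit drop-ins written by hand.
dropin_is_weak() {
    grep -Eq '^ProtectSystem=(true|yes)$' "$1"
}

# Real installation: ./syncthing-dropin.sh --apply USER (as root, on a systemd host).
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    f=$(write_dropin "$2" 10.0.0.1 1080 /etc/syncthing-shared)
    systemctl daemon-reload
    systemctl restart "syncthing@$2.service"
    echo "installed $f"
fi
```

Run it with a scratch directory as the fifth argument of {{ic|write_dropin}} to inspect the generated file, then as root with {{ic|--apply ''myusername''}} to install it; {{ic|dropin_is_weak}} can be pointed at an existing drop-in to spot one that fell back to {{ic|1=ProtectSystem=true}}.<br />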
<br />
=== Others ===<br />
<br />
See [https://docs.syncthing.net/dev/debugging.html Debugging Syncthing].</div>
Harvie https://wiki.archlinux.org/index.php?title=Intel_graphics&diff=424463 Intel graphics 2016-03-07T01:00:46Z<p>Harvie: new example</p>
<hr />
<div>[[Category:Graphics]]<br />
[[Category:X server]]<br />
[[cs:Intel graphics]]<br />
[[de:Intel]]<br />
[[es:Intel graphics]]<br />
[[fr:Intel]]<br />
[[hu:Intel graphics]]<br />
[[it:Intel graphics]]<br />
[[ja:Intel Graphics]]<br />
[[pl:Intel graphics]]<br />
[[ru:Intel graphics]]<br />
[[zh-cn:Intel graphics]]<br />
[[zh-tw:Intel graphics]]<br />
{{Related articles start}}<br />
{{Related|Intel GMA3600}}<br />
{{Related|Poulsbo}}<br />
{{Related|Xorg}}<br />
{{Related|Kernel mode setting}}<br />
{{Related|Xrandr}}<br />
{{Related|Hybrid graphics}}<br />
{{Related articles end}}<br />
<br />
Since Intel provides and supports open source drivers, Intel graphics are now essentially plug-and-play.<br />
<br />
For a comprehensive list of Intel GPU models and corresponding chipsets and CPUs, see [[Wikipedia:Comparison of Intel graphics processing units|this comparison on Wikipedia]].<br />
<br />
{{Note|PowerVR-based graphics ([[GMA 500]] and [[Intel GMA3600|GMA 3600]] series) are not supported by open source drivers.}}<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|xf86-video-intel}} package. It provides the DDX driver for 2D acceleration and it pulls in {{Pkg|mesa}} as a dependency, providing the DRI driver for 3D acceleration.<br />
<br />
To enable OpenGL support, also install {{Pkg|mesa-libgl}}. If you are on x86_64 and need 32-bit support, also install {{Pkg|lib32-mesa-libgl}} from the [[multilib]] repository.<br />
<br />
Follow [[VA-API]] and [[VDPAU]] for hardware-accelerated video processing; on older GPUs, this is provided instead by the [[XvMC]] driver, which is included with the DDX driver.<br />
<br />
== Configuration ==<br />
<br />
There is no need for any configuration to run [[Xorg]].<br />
<br />
{{Note|The latest generation of integrated GPUs (Skylake/HD 530 for instance) may require additional configuration, see [[#Skylake Support]]}}<br />
<br />
However, to take advantage of some driver options, you will need to create a Xorg configuration file similar to the one below:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-intel.conf|<br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
#Option "DRI" "3"<br />
#Option "TearFree" "true"<br />
#Option "AccelMethod" "uxa" #old stable<br />
Option "AccelMethod" "sna" #new default<br />
#Option "AccelMethod" "glamor" #experimental<br />
EndSection<br />
}}<br />
<br />
Additional options are added by the user on new lines below {{ic|Driver}}.<br />
<br />
{{Note|<br />
*You may need to indicate {{ic|AccelMethod}} when creating a configuration file, even just to set it to the default method (currently {{ic|"sna"}}); otherwise, X may crash.<br />
*You might need to add more device sections than the one listed above. This will be indicated where necessary.}} <br />
<br />
For the full list of options, see the [[man page]] for {{ic|intel}}.<br />
<br />
== Loading ==<br />
<br />
The Intel kernel module should load fine automatically on system boot.<br />
<br />
If it does not happen, then:<br />
<br />
* Make sure you do '''not''' have {{ic|nomodeset}} or {{ic|1=vga=}} as a [[kernel parameter]], since Intel requires kernel mode-setting.<br />
* Also, check that you have not disabled Intel by using any modprobe blacklisting within {{ic|/etc/modprobe.d/}} or {{ic|/usr/lib/modprobe.d/}}.<br />
<br />
=== Enable early KMS ===<br />
<br />
{{Tip|If you have problems with the resolution, you can check whether [[Kernel mode setting#Forcing modes and EDID|enforcing the mode]] helps.}}<br />
<br />
[[Kernel mode setting]] (KMS) is supported by Intel chipsets that use the i915 DRM driver and is mandatory and enabled by default. <br />
<br />
KMS is typically initialized after the [[Arch boot process#initramfs|initramfs stage]]. It is possible, however, to enable KMS during the initramfs stage. To do this, add the {{ic|i915}} module to the {{ic|MODULES}} line in {{ic|/etc/mkinitcpio.conf}}:<br />
<br />
MODULES="... i915 ..."<br />
<br />
{{Tip|<br />
Users might need to add {{Ic|intel_agp}} before {{Ic|i915}} to suppress the ACPI errors. The order matters because the modules are activated in sequence. This might be required for resuming from hibernation to work with changed display configuration!}}<br />
<br />
If you are using a custom [[Wikipedia:Extended display identification data|EDID]] file, you should embed it into initramfs as well:<br />
<br />
{{hc|/etc/mkinitcpio.conf|<br />
2=FILES="/lib/firmware/edid/your_edid.bin"}}<br />
<br />
Now, regenerate the initramfs:<br />
<br />
# mkinitcpio -p linux<br />
<br />
The change takes effect at the next reboot.<br />
<br />
== Module-based Powersaving Options ==<br />
<br />
The {{ic|i915}} kernel module allows for configuration via [[Kernel modules#Setting module options|module options]]. Some of the module options impact power saving.<br />
<br />
A list of all options along with short descriptions and default values can be generated with the following command:<br />
<br />
$ modinfo -p i915<br />
<br />
To check the values currently in effect, run ({{ic|systool}} is provided by {{Pkg|sysfsutils}}; the same values are readable as files under {{ic|/sys/module/i915/parameters/}}):<br />
<br />
# systool -m i915 -av<br />
<br />
You will note that the {{ic|i915.powersave}} option which "enable[s] powersavings, fbc, downclocking, etc." is enabled by default, resulting in per-chip powersaving defaults. It is however possible to configure more aggressive powersaving by using [[Kernel modules#Setting module options|module options]].<br />
<br />
{{Warning|1=Diverting from the defaults will mark the kernel as [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc9740cebc3ab7c65f3c5f6ce0caf3e4969013ca tainted] from Linux 3.18 onwards. This basically implies using other options than the per-chip defaults is considered experimental and not supported by the developers. }}<br />
<br />
The following set of options should be generally safe to enable:<br />
<br />
{{hc|/etc/modprobe.d/i915.conf|<nowiki><br />
options i915 enable_rc6=1 enable_fbc=1 lvds_downclock=1 semaphores=1<br />
</nowiki>}}<br />
<br />
You can experiment with higher values for {{ic|enable_rc6}}, but your GPU may not support them or the activation of the other options [https://wiki.archlinux.org/index.php?title=Talk:Intel_Graphics&oldid=327547#Kernel_Module_options].<br />
<br />
Framebuffer compression, for example, may be unreliable or unavailable on Intel GPU generations before Sandy Bridge (generation 6). This results in messages logged to the system journal similar to this one:<br />
kernel: drm: not enough stolen space for compressed buffer, disabling.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Enable Glamor Acceleration Method ===<br />
<br />
[https://wiki.freedesktop.org/www/Software/Glamor/ Glamor] is Intel's experimental OpenGL 2D acceleration method and is not documented in the manpages. To use it, add the following line to your [[#Configuration|configuration file]]:<br />
Option "AccelMethod" "glamor"<br />
<br />
{{Note|This acceleration method is experimental and may not be stable for your system.}}<br />
<br />
=== Direct Rendering Infrastructure 3 (DRI3) ===<br />
<br />
By default Direct Rendering Infrastructure 2 (DRI2) is used. To enable the next generation of DRI, [[Wikipedia:Direct_Rendering_Infrastructure#DRI3|DRI3]], which contains several improvements, add the following line to your [[#Configuration|configuration file]]:<br />
Option "DRI" "3"<br />
<br />
To verify that DRI3 is enabled you can check the [[Xorg]] log files after restarting.<br />
<br />
=== Tear-free video ===<br />
<br />
The SNA acceleration method causes tearing for some people. To fix this, enable the {{ic|"TearFree"}} option in the driver by adding the following line to your [[#Configuration|configuration file]]:<br />
Option "TearFree" "true"<br />
<br />
See the [https://bugs.freedesktop.org/show_bug.cgi?id=37686 original bug report] for more info.<br />
<br />
{{Note|<br />
* This option may not work when {{ic|SwapbuffersWait}} is {{ic|false}}.<br />
* This option is problematic for applications that are very picky about vsync timing, like [[Wikipedia:Super Meat Boy|Super Meat Boy]].<br />
* This option does not work with UXA acceleration method, only with SNA.<br />
}}<br />
<br />
=== Disable Vertical Synchronization (VSYNC) ===<br />
The intel-driver uses [http://www.intel.com/support/graphics/sb/CS-004527.htm Triple Buffering] for vertical synchronization, this allows for full performance and avoids tearing. To turn vertical synchronization off (e.g. for benchmarking) use this {{ic|.drirc}} in your home directory:<br />
<br />
{{hc|~/.drirc|<br />
<device screen&#61;"0" driver&#61;"dri2"><br />
<application name&#61;"Default"><br />
<option name&#61;"vblank_mode" value&#61;"0"/><br />
</application><br />
</device>}}<br />
<br />
{{Warning|Do not use {{Pkg|driconf}} to create this file, it is buggy and will set the wrong driver.}}<br />
<br />
=== Setting scaling mode ===<br />
<br />
This can be useful for some full screen applications:<br />
<br />
$ xrandr --output LVDS1 --set PANEL_FITTING param<br />
<br />
where {{ic|param}} can be:<br />
<br />
* {{ic|center}}: resolution will be kept exactly as defined, no scaling will be made,<br />
* {{ic|full}}: scale the resolution so it uses the entire screen or<br />
* {{ic|full_aspect}}: scale the resolution to the maximum possible but keep the aspect ratio.<br />
<br />
If it does not work, try:<br />
<br />
$ xrandr --output LVDS1 --set "scaling mode" param<br />
<br />
where {{ic|param}} is one of {{ic|"Full"}}, {{ic|"Center"}} or {{ic|"Full aspect"}}.<br />
<br />
=== KMS Issue: console is limited to small area ===<br />
<br />
One of the low-resolution video ports may be enabled on boot, which makes the console use only a small area of the screen. To fix it, disable the port explicitly by adding {{ic|1=video=SVIDEO-1:d}} to the [[kernel parameters]] in your bootloader.<br />
<br />
If that does not work, try disabling TV1 or VGA1 instead of SVIDEO-1.<br />
<br />
=== H.264 decoding on GMA 4500 ===<br />
<br />
The {{Pkg|libva-intel-driver}} package provides MPEG-2 decoding only for GMA 4500 series GPUs. H.264 decoding support is maintained in a separate g45-h264 branch, which can be used by installing the {{AUR|libva-intel-driver-g45-h264}} package. Note however that this support is experimental and its development has been abandoned. Using VA-API with this driver on a GMA 4500 series GPU will offload the CPU but may not give playback as smooth as non-accelerated playback. Tests using mplayer showed that using vaapi to play back an H.264 encoded 1080p video halved the CPU load (compared to the XV overlay) but resulted in very choppy playback, while 720p worked reasonably well [https://bbs.archlinux.org/viewtopic.php?id=150550]. This is echoed by other experiences [http://www.emmolution.org/?p=192&cpage=1#comment-12292].<br />
<br />
=== Setting brightness and gamma ===<br />
<br />
See [[Backlight]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== SNA issues ===<br />
From {{ic|man 4 intel}}:<br />
:''There are a couple of backends available for accelerating the DDX. "UXA" (Unified Acceleration Architecture) is the mature backend that was introduced to support the GEM driver model. It is in the process of being superseded by "SNA" (Sandybridge's New Acceleration). Until that process is complete, the ability to choose which backend to use remains for backwards compatibility.''<br />
<br />
''SNA'' is the default acceleration method in {{Pkg|xf86-video-intel}}. If you experience issues with ''SNA'' (e.g. pixelated graphics, corrupt text, etc.), try using ''UXA'' instead by adding the following line to your [[#Configuration|configuration file]]:<br />
Option "AccelMethod" "uxa"<br />
<br />
=== Blank screen during boot, when "Loading modules" ===<br />
<br />
If using "late start" KMS and the screen goes blank when "Loading modules", it may help to add {{ic|i915}} and {{ic|intel_agp}} to the initramfs. See [[Kernel mode setting#Early KMS start]] section.<br />
<br />
Alternatively, appending the following [[kernel parameter]] seems to work as well:<br />
<br />
video=SVIDEO-1:d<br />
<br />
If you need to output to VGA then try this:<br />
<br />
video=VGA-1:1280x800<br />
<br />
=== X freeze/crash with intel driver ===<br />
<br />
Some issues with X crashing, the GPU hanging or X freezing can be fixed by disabling hardware acceleration with the {{ic|NoAccel}} option - add the following line to your [[#Configuration|configuration file]]:<br />
Option "NoAccel" "True"<br />
<br />
Alternatively, try to disable the 3D acceleration only with the {{ic|DRI}} option:<br />
Option "DRI" "False"<br />
<br />
If you experience crashes and have<br />
<br />
Option "TearFree" "true"<br />
Option "AccelMethod" "sna"<br />
<br />
in your configuration file, in most cases these can be fixed by adding<br />
<br />
i915.semaphores=1<br />
<br />
to your boot parameters.<br />
<br />
If you are using kernel 4.0.x or above on the Bay Trail architecture and frequently encounter complete system freezes (especially when watching video or using graphics intensively), try adding the following kernel option as a workaround until [https://bugzilla.kernel.org/show_bug.cgi?id=109051 this bug] is fixed permanently.<br />
<br />
intel_idle.max_cstate=1<br />
<br />
=== Adding undetected resolutions ===<br />
<br />
This issue is covered on the [[Xrandr#Adding undetected resolutions|Xrandr page]].<br />
<br />
=== Weathered colors (color range problem) ===<br />
<br />
{{Note|This problem is related to the [http://lists.freedesktop.org/archives/dri-devel/2013-January/033576.html changes] in the kernel 3.9. This problem still remains in kernel 4.1.}}<br />
Kernel 3.9 introduced a new default "Automatic" mode for the "Broadcast RGB" property of the Intel driver. It is almost equivalent to "Limited 16:235" (instead of the old default "Full") whenever an HDMI/DP output is in a [http://raspberrypi.stackexchange.com/questions/7332/what-is-the-difference-between-cea-and-dmt CEA mode]. If a monitor does not support a limited-range signal, the result is washed-out ("weathered") colors.<br />
<br />
{{Note|Some monitors/TVs support both color range. In that case an option often known as ''Black Level'' may need to be adjusted to make them handle the signal correctly.}}<br />
<br />
One can force the mode, e.g. {{ic|xrandr --output <HDMI> --set "Broadcast RGB" "Full"}} (replace {{ic|<HDMI>}} with the appropriate output; verify its name by running {{ic|xrandr}}). To apply it before the graphical session starts, add the command to your {{ic|.xprofile}} and make the file executable.<br />
<br />
{{Note|Some TVs can handle signal in limited range only. Setting Broadcast RGB to "Full" will cause color clipping. You may need to set it to "Limited 16:235" manually to avoid the clipping.}}<br />
<br />
There are other related problems which can be fixed by editing GPU registers; more information can be found in [http://lists.freedesktop.org/archives/intel-gfx/2012-April/016217.html] and [http://github.com/OpenELEC/OpenELEC.tv/commit/09109e9259eb051f34f771929b6a02635806404c].<br />
<br />
Unfortunately, the Intel driver does not support setting the color range through an {{ic|xorg.conf.d}} configuration file.<br />
<br />
A [https://bugzilla.kernel.org/show_bug.cgi?id=94921 bug report] is filed and a patch can be found in the attachment.<br />
<br />
=== Backlight is not adjustable===<br />
<br />
If after resuming from suspend, the hotkeys for changing the screen brightness do not take effect, check your configuration against the [[Backlight]] article.<br />
<br />
If the problem persists, try one of the following [[kernel parameters]]:<br />
<br />
acpi_osi=Linux<br />
acpi_osi="!Windows 2012"<br />
acpi_osi=<br />
<br />
=== Disabling frame buffer compression ===<br />
<br />
Enabling frame buffer compression on pre-Sandy Bridge CPUs results in endless error messages:<br />
<br />
$ dmesg |tail <br />
[ 2360.475430] [drm] not enough stolen space for compressed buffer (need 4325376 bytes), disabling<br />
[ 2360.475437] [drm] hint: you may be able to increase stolen memory size in the BIOS to avoid this<br />
<br />
The solution is to disable frame buffer compression which will slightly increase power consumption. In order to disable it add {{ic|i915.enable_fbc&#61;0}} to the kernel line parameters. More information on the results of disabled compression can be found [http://zinc.canonical.com/~cking/power-benchmarking/background-colour-and-framebuffer-compression/results.txt here].<br />
<br />
=== Corruption/Unresponsiveness in Chromium and Firefox ===<br />
<br />
If you experience corruption or unresponsiveness in Chromium and/or Firefox [[#SNA issues|set the AccelMethod to "uxa"]].<br />
<br />
=== Kernel crashing w/kernels 4.0+ on Broadwell/Core-M chips ===<br />
<br />
A few seconds after X/Wayland loads the machine will freeze and journalctl will log a kernel crash referencing the Intel graphics as below:<br />
<br />
Jun 16 17:54:03 hostname kernel: BUG: unable to handle kernel NULL pointer dereference at (null)<br />
Jun 16 17:54:03 hostname kernel: IP: [< (null)>] (null)<br />
...<br />
Jun 16 17:54:03 hostname kernel: CPU: 0 PID: 733 Comm: gnome-shell Tainted: G U O 4.0.5-1-ARCH #1<br />
...<br />
Jun 16 17:54:03 hostname kernel: Call Trace:<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa055cc27>] ? i915_gem_object_sync+0xe7/0x190 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa0579634>] intel_execlists_submission+0x294/0x4c0 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa05539fc>] i915_gem_do_execbuffer.isra.12+0xabc/0x1230 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa055d349>] ? i915_gem_object_set_to_cpu_domain+0xa9/0x1f0 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811ba2ae>] ? __kmalloc+0x2e/0x2a0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa0555471>] i915_gem_execbuffer2+0x141/0x2b0 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa042fcab>] drm_ioctl+0x1db/0x640 [drm]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa0555330>] ? i915_gem_execbuffer+0x450/0x450 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff8122339b>] ? eventfd_ctx_read+0x16b/0x200<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811ebc36>] do_vfs_ioctl+0x2c6/0x4d0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811f6452>] ? __fget+0x72/0xb0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811ebec1>] SyS_ioctl+0x81/0xa0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff8157a589>] system_call_fastpath+0x12/0x17<br />
Jun 16 17:54:03 hostname kernel: Code: Bad RIP value.<br />
Jun 16 17:54:03 hostname kernel: RIP [< (null)>] (null)<br />
<br />
This can be fixed by disabling execlist support which was changed to default on with kernel 4.0. Add the following kernel parameter:<br />
i915.enable_execlists=0<br />
<br />
This is known to be broken to at least kernel 4.0.5.<br />
<br />
===Skylake Support===<br />
<br />
For Linux kernels older than 4.3.x, {{ic|i915.preliminary_hw_support&#61;1}} must be added to your boot parameters for the driver to work on the Intel Skylake (6th gen.) GPUs. On a fully updated system running kernel 4.3.x or later, this step is unnecessary.<br />
<br />
On Skylake the i915 DRM driver is known to cause various GPU hangs, crashes and even full system freezes. It might be necessary to disable hardware acceleration to work around these issues. One solution is to use the following Xorg configuration.<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-intel.conf|<br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
Option "DRI" "false"<br />
EndSection<br />
}}<br />
<br />
Otherwise, specific applications such as Chromium and Firefox browsers can be instructed to disable hardware rendering directly.<br />
<br />
Another option that seems to work for some users is to add the {{ic|1=i915.enable_rc6=0}} kernel boot parameter, which will cause the CPU/GPU to remain in high-power modes, but seems to resolve most cases of GPU hangs and system freezes.<br />
<br />
== See also ==<br />
<br />
* https://01.org/linuxgraphics/documentation (includes a list of supported hardware)</div>
Harvie https://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_X201&diff=372698 Lenovo ThinkPad X201 2015-05-05T18:11:32Z<p>Harvie: Prevent LID switch from waking up</p>
<hr />
<div>[[Category:Lenovo]]<br />
[[pl:Lenovo ThinkPad X201]]<br />
The X201 is a subnotebook produced by Lenovo, built around dual-core Intel Core i-series CPUs (four threads with Hyper-Threading). See [http://www.thinkwiki.org/wiki/Category:X201 Thinkwiki] for more information.<br />
<br />
Arch installs and runs flawlessly. Some specials features need tweaks, though.<br />
<br />
== Graphics ==<br />
<br />
Xorg should automatically load the intel driver without any configuration. Have a look at [[Intel]] if something is wrong.<br />
<br />
As of the first quarter of 2013 there is an issue related to Mesa 9.0, described on the freedesktop bug tracker ([https://bugs.freedesktop.org/show_bug.cgi?id=59593 #59593]),<br />
that makes the integrated Intel Ironlake Mobile GPU crash; it only resolves after a reboot.<br />
<br />
== Hibernation ==<br />
<br />
See [[Suspend and hibernate]].<br />
<br />
=== Prevent LID switch from waking up ===<br />
<br />
{{hc|/etc/tmpfiles.d/disable-lid-wakeup.conf|2=w /proc/acpi/wakeup - - - - LID}}<br />
Writing a device name to {{ic|/proc/acpi/wakeup}} toggles that device rather than disabling it, so after boot verify in {{ic|/proc/acpi/wakeup}} that the LID line reads {{ic|*disabled}}; if something else already disabled it, this line will switch it back on.<br />
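The following shell helpers are an added example and not part of this page: because a write to {{ic|/proc/acpi/wakeup}} toggles the device, they read the current state first and only write when LID is still enabled, so they can be run repeatedly. The {{ic|SAMPLE_WAKEUP}} text is a constructed copy of the file's layout for offline testing, and the {{ic|--apply}} flag is an assumption of the example.<br />

```sh
#!/bin/sh
# Added example; not from the Arch wiki page. Writing a device name to
# /proc/acpi/wakeup TOGGLES that device, so the tmpfiles.d line above would
# re-enable LID wake-up if something else had already disabled it. These helpers
# read the current state first and write only when the device is still enabled.
# SAMPLE_WAKEUP is a constructed copy of the file's format, for testing offline.
set -eu

SAMPLE_WAKEUP='Device  S-state   Status   Sysfs node
LID       S4    *enabled   platform:PNP0C0D:00
SLPB      S4    *enabled   platform:PNP0C0E:00
EHC1      S4    *disabled  pci:0000:00:1d.0'

# wakeup_state DEVICE [FILE] -> prints "enabled", "disabled" or "absent".
# FILE defaults to /proc/acpi/wakeup.
wakeup_state() {
    awk -v dev="$1" '
        $1 == dev { sub(/^\*/, "", $3); print $3; found = 1; exit }
        END       { if (!found) print "absent" }
    ' "${2:-/proc/acpi/wakeup}"
}

# disable_wakeup DEVICE [FILE] -> toggles DEVICE off only if it is enabled and
# prints "toggled", "unchanged" or "absent" (the last with a non-zero status),
# so running it twice is safe.
disable_wakeup() {
    file=${2:-/proc/acpi/wakeup}
    case "$(wakeup_state "$1" "$file")" in
        enabled)  printf '%s\n' "$1" > "$file"; echo "toggled" ;;
        disabled) echo "unchanged" ;;
        *)        echo "absent"; return 1 ;;
    esac
}

# Run as root with --apply to disable LID wake-up on the live system.
if [ "${1:-}" = "--apply" ]; then
    disable_wakeup LID
fi
```

A tmpfiles.d entry cannot express this check, so if idempotence matters run the script from a oneshot service or a boot hook instead of the {{ic|w}} line.<br />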
<br />
== Fbsplash ==<br />
<br />
To make [[fbsplash]] work, i915 has to be added to the modules array in mkinitcpio.conf:<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=MODULES="i915"}}<br />
<br />
== Power Saving ==<br />
<br />
=== Fan control ===<br />
<br />
There are some discussions concerning overheating-related shutdowns when running under full load (video encoding, etc) ([http://forums.lenovo.com/t5/X-Series-ThinkPad-Laptops/x201-random-shutdown/td-p/227471] [https://bugs.launchpad.net/ubuntu/+source/linux/+bug/751689]).<br />
<br />
[[Thinkpad Fan Control]] contains instructions to install tpfand as a custom replacement for the hardware (BIOS) fan control.<br />
<br />
{{Warning|Wrong settings may damage your machine! Use with caution!}}<br />
<br />
Start {{ic|tpfan-admin}} and adjust the settings (by clicking on the sensor's graph). You should split the graph (via context menu) and set the fan to '''full-speed''' when the sensor reaches, say, 65 °C. You may also edit the config file directly.<br />
<br />
=== TLP ===<br />
<br />
You may install [[TLP]] instead of [[Laptop Mode Tools]] to automate power saving operations.<br />
<br />
=== Frequency Scaling ===<br />
<br />
One can use {{Pkg|cpupower}} to control frequency scaling; see [[Cpufrequtils]] for more information.<br />
<br />
=== Undervolting ===<br />
<br />
Undervolting is not possible with the intel core iX cpu.<br />
<br />
=== Bootloader kernel options ===<br />
<br />
Add these kernel options to your bootloader's config file to make use of power saving mechanisms which are turned off by default because of reported instabilities. For me, they do a great job on my X201.<br />
<br />
{{Warning|These options can cause instability on your system! Try them and remove them if you are experiencing problems.}}<br />
<br />
==== grub2 ====<br />
{{hc|/etc/default/grub|2=GRUB_CMDLINE_LINUX_DEFAULT="[...] i915.enable_rc6=1 i915.enable_fbc=1"}}<br />
Module parameters on the kernel command line must be prefixed with the module name, so a bare {{ic|1=i915_enable_rc6=1}} has no effect. On older kernels these two parameters were named {{ic|1=i915.i915_enable_rc6=1}} and {{ic|1=i915.i915_enable_fbc=1}}; check {{ic|modinfo -p i915}} for the names your kernel uses.<br />
Update grub.cfg afterwards: {{ic|grub-mkconfig -o /boot/grub/grub.cfg}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== No speaker output ===<br />
<br />
Try pressing the '''mute button''' (beside the Escape key). See [http://www.stderr.nl/Blog/Hardware/Thinkpad/WeirdMuteButtonBehaviour.html this article] for details.<br />
<br />
=== Backlight keys not working ===<br />
<br />
Try booting with the following kernel parameter:<br />
<br />
{{bc|1=video.use_native_backlight=0}}</div>
Harvie https://wiki.archlinux.org/index.php?title=EncFS&diff=371666 EncFS 2015-04-28T14:28:39Z<p>Harvie: /etc/pam.d/system-login</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:File systems]]<br />
[[ja:EncFS]]<br />
{{Related articles start}}<br />
{{Related|Disk encryption}}<br />
{{Related articles end}}<br />
'''EncFS''' is a userspace stackable cryptographic file-system similar to [[eCryptfs]], and aims to secure data with the minimum hassle. It uses [[wikipedia:Filesystem_in_Userspace|FUSE]] to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as [[TrueCrypt]] and [[dm-crypt]].<br />
<br />
EncFS is definitely the simplest software if you want to try disk encryption on Linux.<br />
<br />
This has a number of advantages and disadvantages compared to these systems. Firstly, it does not require root privileges: any user can create a repository of encrypted files. Secondly, there is no need to create a container file and a file system inside it; it works on an existing file system without modifications.<br />
<br />
This does create a few disadvantages, though: because the encrypted files are not hidden inside a single container, someone who obtains access to the backing directory can still see the directory structure, the number of files, their sizes and when they were modified. They cannot see the contents or the plaintext file names, however.<br />
<br />
This particular method of securing data is obviously not perfect, but there are situations in which it is useful.<br />
<br />
For more details on how EncFS compares to other disk encryption solution, see [[Disk encryption#Comparison table]].<br />
<br />
== Comparison to eCryptFS ==<br />
<br />
[[System_Encryption_with_eCryptfs|eCryptFS]] is implemented in kernel space and is therefore a little harder to configure: you have to remember the various encryption options (cipher, key type, etc.). With EncFS this is not the case, because it stores the encryption metadata in a per-directory configuration file ({{ic|.encfs6.xml}}), so you do not have to remember anything except the passphrase.<br />
<br />
The performance of both depends on the type of disk activity. While eCryptFS can perform faster in some cases because there is less overhead by context switching (between kernel and userspace), EncFS has advantages in other cases because the encryption metadata is centralized and not stored in the individual files' headers. For more information [https://github.com/vgough/encfs/blob/master/PERFORMANCE.md benchmark examples] are provided by the EncFS project.<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] the {{Pkg|encfs}} package from the [[official repositories]].<br />
<br />
{{Warning|A security [https://defuse.ca/audits/encfs.htm review] (February 2014) of ''encfs'' found a number of security issues in the then-current stable release 1.7.4. Its conclusion is that EncFS is probably safe only as long as the adversary obtains a single copy of the ciphertext and nothing more: an adversary who can see two or more snapshots of the encrypted directory (for example through backups or cloud synchronisation) or who can tamper with the ciphertext is not defended against. Please consider the report and the references in it for updated information before using the release.}}<br />
<br />
== Usage ==<br />
<br />
To create a secured repository, type:<br />
$ encfs ~/.''name'' ~/''name''<br />
Note that absolute paths must be used ({{ic|~}} is fine because the shell expands it). You are then asked whether to use the standard configuration, the expert configuration or the paranoid preset. The standard configuration is a fairly secure default; expert mode lets you choose the cipher, key size, block size and filename encoding yourself; the paranoid preset turns on the stricter options (including per-block MAC headers) without asking. After entering a passphrase, the encrypted file system is created and mounted. The encrypted files are stored, in this example, in {{ic|~/.''name''}}, and their decrypted versions appear in {{ic|~/''name''}}. The encryption parameters are saved in {{ic|~/.''name''/.encfs6.xml}}; keep a backup of this file, because without it the passphrase alone cannot recover the data.<br />
<br />
To unmount the file-system, type:<br />
$ fusermount -u ~/''name''<br />
<br />
To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.<br />
<br />
== User friendly mounting ==<br />
<br />
=== Mount using Gnome Encfs Manager ===<br />
<br />
The [http://libertyzero.com/GEncfsM/ Gnome Encfs Manager] is an easy to use manager and mounter for encfs stashes featuring per-stash configuration, Gnome Keyring support, a tray menu inspired by Cryptkeeper but using the AppIndicator API and lots of unique features. <br />
<br />
The author has created a [[Unofficial_user_repositories#gnome-encfs-manager|repository]] that tends to be slightly more up to date than the AUR package {{AUR|gnome-encfs-manager}}. Please see [[pacman]] on how to install any of the packages.<br />
<br />
=== Mount using gnome-encfs ===<br />
<br />
gnome-encfs integrates EncFS folders into the GNOME desktop by storing their passwords in the keyring and optionally mounting them at login using GNOME's autostart mechanism. See https://bitbucket.org/obensonne/gnome-encfs/.<br />
This method has the advantage that mounting can be automated and the password does not have to be the same as your user password.<br />
<br />
=== Mount using CryptKeeper trayicon ===<br />
<br />
Quite simple app, just install {{AUR|cryptkeeper}} from AUR and add it to your X session.<br />
<br />
=== Mount at login using pam_encfs ===<br />
<br />
Install {{AUR|pam_encfs}}. See also:<br />
* http://pam-encfs.googlecode.com/svn/trunk/README<br />
* http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf<br />
* https://wiki.edubuntu.org/EncryptedHomeFolder<br />
* http://code.google.com/p/pam-encfs/<br />
<br />
==== Single password ====<br />
<br />
{{Warning|If you use the same password for login and EncFS (e.g. via {{ic|try_first_pass}} or {{ic|use_first_pass}}, so that EncFS is mounted during login), the hash of that password in {{ic|/etc/shadow}} becomes a single point of failure: anyone who obtains the shadow file can crack the hash offline and thereby also obtain your EncFS passphrase. Use [[SHA password hashes]] (preferably SHA-512 with a large number of rounds) and, most importantly, a '''strong password'''.}}<br />
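As an added example that is not part of this page or of pam_encfs, the following POSIX shell helpers report the hash algorithm and round count of {{ic|/etc/shadow}} entries, so you can confirm that the login password pam_encfs reuses is protected by a SHA-512 hash with a high round count rather than a weak scheme. The {{ic|SAMPLE_*}} entries are constructed with dummy hash material, and the threshold of 100000 rounds used below is an arbitrary choice for illustration.<br />

```sh
#!/bin/sh
# Added example; not code from the Arch wiki page or from EncFS/pam_encfs.
# When pam_encfs reuses the login password as the EncFS passphrase, the only
# thing standing between a stolen /etc/shadow and your encrypted files is the
# strength of that hash. These helpers report the algorithm and round count of
# a shadow entry so you can check it. The SAMPLE_* lines below are constructed
# for this example (dummy salts and hashes, not real credentials).
set -eu

# shadow_hash_info LINE -> prints "ALGO ROUNDS" for one /etc/shadow line, e.g.
# "sha512 500000"; ROUNDS is "-" when the scheme does not carry a plain rounds=
# field, and the result is "locked" when there is no crackable hash at all.
shadow_hash_info() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        ''|'!'*|'*'*)  echo "locked" ;;                    # no password / account locked
        '$6$rounds='*) echo "sha512 $(printf '%s' "$pw" | cut -d'$' -f3 | sed 's/^rounds=//')" ;;
        '$6$'*)        echo "sha512 5000" ;;               # glibc default when rounds= is absent
        '$5$rounds='*) echo "sha256 $(printf '%s' "$pw" | cut -d'$' -f3 | sed 's/^rounds=//')" ;;
        '$5$'*)        echo "sha256 5000" ;;
        '$y$'*)        echo "yescrypt -" ;;                # cost is encoded in the salt, not as rounds=
        '$1$'*)        echo "md5 -" ;;                     # md5crypt: fixed 1000 iterations, weak
        *)             echo "unknown -" ;;
    esac
}

# shadow_hash_ok LINE MIN_ROUNDS -> exit 0 if the entry is locked, yescrypt, or
# sha512 with at least MIN_ROUNDS rounds; exit 1 otherwise (sha256, md5, unknown).
shadow_hash_ok() {
    info=$(shadow_hash_info "$1")
    algo=${info%% *}
    rounds=${info#* }
    case "$algo" in
        locked|yescrypt) return 0 ;;
        sha512) if [ "$rounds" -ge "$2" ]; then return 0; else return 1; fi ;;
        *) return 1 ;;
    esac
}

# Constructed sample entries (dummy hash material).
SAMPLE_WEAK='alice:$6$abcdefgh$DUMMYHASHDUMMYHASHDUMMYHASH:19000:0:99999:7:::'
SAMPLE_STRONG='bob:$6$rounds=500000$abcdefgh$DUMMYHASHDUMMYHASHDUMMYHASH:19000:0:99999:7:::'
SAMPLE_MD5='carol:$1$abcdefgh$DUMMYHASH:19000:0:99999:7:::'

# Audit a real file:  sudo sh shadow-check.sh /etc/shadow
if [ $# -eq 1 ] && [ -r "$1" ]; then
    while IFS= read -r line; do
        printf '%-12s %s\n' "${line%%:*}" "$(shadow_hash_info "$line")"
    done < "$1"
fi
```

Run it as root with {{ic|/etc/shadow}} as the argument to list every account, or call {{ic|shadow_hash_ok ''line'' 100000}} from another script to enforce a minimum. An {{ic|$1$}} (md5crypt) entry or a {{ic|$6$}} entry without {{ic|1=rounds=}} means the password should be reset after the hashing settings have been raised as described in [[SHA password hashes]], since existing hashes are only upgraded when the password is next changed.<br />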
<br />
==== /etc/pam.d/ ====<br />
<br />
Note that when you are using ''try_first_pass'' parameter to ''pam_unix.so'' then you will have to set EncFS to use same password as you are using to login (or vice-versa) and you will be entering just single password. Without this parameter you will need to enter two passwords.<br />
<br />
===== setup pam_encfs for all login methods =====<br />
<br />
Add the pam_encfs line to {{ic|/etc/pam.d/system-login}} as follows:<br />
<br />
{{bc|<nowiki><br />
#%PAM-1.0<br />
<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
auth required pam_shells.so<br />
auth requisite pam_nologin.so<br />
auth include system-auth<br />
auth sufficient pam_encfs.so #### THIS LINE ####<br />
<br />
account required pam_access.so<br />
account required pam_nologin.so<br />
account include system-auth<br />
<br />
password include system-auth<br />
<br />
session optional pam_loginuid.so<br />
session include system-auth<br />
session optional pam_motd.so motd=/etc/motd<br />
session optional pam_mail.so dir=/var/spool/mail standard quiet<br />
-session optional pam_systemd.so<br />
session required pam_env.so<br />
</nowiki>}}<br />
<br />
===== login =====<br />
<br />
This section explains how to make EncFS automount when you log in on a virtual terminal.<br />
{{Note|If you only want to use it through GDM, you may pass this and go right to the [[#gdm|GDM section]] below.}}<br />
<br />
Edit the file {{ic|/etc/pam.d/login}}:<br />
<br />
{{bc|<nowiki><br />
#%PAM-1.0<br />
<br />
auth required pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so nullok try_first_pass<br />
#auth required pam_unix.so nullok<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
# use this to lockout accounts for 10 minutes after 3 failed attempts<br />
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog<br />
account required pam_access.so<br />
account required pam_time.so<br />
account required pam_unix.so<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so md5 shadow use_authtok<br />
session required pam_unix.so<br />
session required pam_env.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session optional pam_loginuid.so<br />
-session optional pam_ck_connector.so nox11<br />
#Automatic unmount (optional):<br />
#session required pam_encfs.so<br />
</nowiki>}}<br />
{{Warning|Automatic unmount is performed even when another session is still active, e.g. logging out on a virtual console can unmount an EncFS directory mounted by a GDM session that is still running.}}<br />
<br />
===== gdm =====<br />
<br />
This section explains how to make encfs automount when you are logging in by GDM.<br />
{{Note|For debug purposes you may try automount on virtual console login first. [[#login|This article has a section about automount on virtual console login]].}}<br />
<br />
Edit the file {{ic|/etc/pam.d/gdm-password}}.<br />
<br />
Insert (do not overwrite) the following into the bottom of gdm-password:<br />
<br />
{{bc|<nowiki><br />
#%PAM-1.0<br />
auth requisite pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so try_first_pass<br />
auth optional pam_gnome_keyring.so<br />
account required pam_unix.so<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
session optional pam_gnome_keyring.so auto_start<br />
password required pam_unix.so<br />
session required pam_encfs.so<br />
</nowiki>}}<br />
<br />
Save and exit.<br />
<br />
===== Configuration =====<br />
<br />
Edit {{ic|/etc/security/pam_encfs.conf}} :<br />
<br />
Recommended: comment out the line<br />
<br />
encfs_default --idle=1<br />
<br />
This flag will unmount your encrypted folder after 1 minute of inactivity. If you are automounting this on login, you probably would like to keep this mounted for as long as you are logged in.<br />
<br />
At the bottom, comment any existing demo entries and add:<br />
{{bc|<br />
#USERNAME SOURCE TARGET PATH ENCFS Options FUSE Options<br />
foo /home/foo/EncryptedFolder /home/foo/DecryptedFolder -v allow_other<br />
}}<br />
<br />
Next, edit {{ic|/etc/fuse.conf}}:<br />
Uncomment:<br />
user_allow_other<br />
<br />
To test your configuration, open a new virtual terminal (e.g. {{ic|Ctrl+Alt+F4}}) and log in. You should see PAM successfully mount your EncFS folder.<br />
<br />
=== Mount when USB drive with EncFS folders is inserted using fsniper ===<br />
<br />
A simple method to automount EncFS directories (asking for the password) when a USB drive with one or more EncFS folders in its root is inserted. We will use {{AUR|fsniper}} (a filesystem watching daemon using inotify) and {{Pkg|git}} (for the askpass binary).<br />
<br />
See more at https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in the [[#How to|How to]]).<br />
<br />
==== How to ====<br />
<br />
'''1.''' You need working USB automounting for this, as provided by Thunar or Nautilus.<br /><br />
'''2.''' Create an encrypted folder on your drive, e.g. {{ic|encfs /media/USB/somename /media/USB/somename.plain}} (and then unmount everything).<br /><br />
'''3.''' Create a {{ic|~/.config/fsniper/config}} file:<br />
{{bc|<nowiki><br />
watch {<br />
/etc/ {<br />
mtab {<br />
# %% is replaced with the filename of the new file<br />
handler = encfs-automount.sh %%;<br />
}<br />
}<br />
}<br />
</nowiki>}}<br />
'''4.''' Install the helper script:<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
# ~/.config/fsniper/scripts/encfs-automount.sh<br />
# Quick & dirty script for automounting EncFS USB drives<br />
# TODO:<br />
# - Unmounting!!!<br />
#<br />
ASKPASS="/usr/lib/git-core/git-gui--askpass"<br />
<br />
# Simple PID lock so that several mtab changes in a row do not start several instances<br />
lock=/tmp/fsniper_encfs.lock<br />
lpid=$(cat "$lock" 2>/dev/null) &&<br />
ps "$lpid" | grep "$lpid" >/dev/null && {<br />
    echo "Another instance of fsniper_encfs is running"<br />
    exit<br />
}<br />
echo $$ > "$lock"   # $$ works in /bin/sh; $BASHPID is only set by bash<br />
sleep 2             # give the automounter time to finish mounting the drive<br />
<br />
echo<br />
echo ==== EncFS automount script for fsniper ====<br />
<br />
# Mount points of everything currently mounted<br />
list_mounts() {<br />
    cut -d ' ' -f 2 /proc/mounts<br />
}<br />
<br />
list_mounts | while read -r mount; do<br />
    config="$mount"'/*/.encfs*'<br />
    echo Looking for "$config"<br />
    config="$(echo $config)"   # let the shell expand the glob (one EncFS folder per drive)<br />
    [ -r "$config" ] && {<br />
        cyphertext="$(dirname "$config")"<br />
        plaintext="$cyphertext".plain<br />
        echo Found config: "$config"<br />
        echo Trying to mount: "$cyphertext to $plaintext"<br />
        list_mounts | grep -qx -- "$plaintext" && {<br />
            echo Already mounted: "$plaintext"<br />
        } || {<br />
            echo Will mount "$cyphertext to $plaintext"<br />
            # Ask for the password with a GUI prompt and feed it to encfs on stdin<br />
            "$ASKPASS" "EncFS $cyphertext to $plaintext" | encfs --stdinpass "$cyphertext" "$plaintext"<br />
        }<br />
    }<br />
done<br />
echo<br />
<br />
rm "$lock" 2>/dev/null<br />
</nowiki>}}<br />
'''5.''' Make sure that {{ic|/usr/lib/git-core/git-gui--askpass}} works for you (that is why you need the git package, but you can adjust the helper script).<br /><br />
'''6.''' Try {{ic|fsniper --log-to-stdout}} in a terminal (the askpass dialog should appear when a USB drive is inserted).<br /><br />
'''7.''' Add {{ic|fsniper --daemon}} to your session.<br /><br />
'''8.''' Do not forget to unmount EncFS before removing the drive.<br />
<br />
=== Mount using KDE KWallet ===<br />
This can be done with the kdeencfs script: http://jaxartes.net/files/kdeencfs<br /><br />
More information about the usage of that script is here: http://jaxartes.net/linux/kdeencfs.html<br /><br />
You have to [[pacman|install]] the {{Pkg|kdebase-kdialog}} package from the [[official repositories]] to use it.<br />
<br />
== Encrypted backup ==<br />
<br />
{{Warning|If you follow the examples below to separate the encryption options file from the data, you of course need to ensure you have a separate plaintext backup of the options file as well. If your disk crashes and you have not backed it up in plaintext, the encrypted backup alone is useless, because the file contains cryptographic metadata needed to decrypt it. The good news is that the file is static: you do not need to back it up repeatedly unless you change the password.}}<br />
<br />
=== Backup encrypted directory ===<br />
<br />
An encrypted directory may be backed up and restored to another location like it is. This is possible, because the configuration file for the encryption options/metadata is actually stored in the directory itself in plaintext in the hidden {{ic|.encfs6.xml}} file. This poses no direct problem, because the password is not in it. <br />
<br />
However, if you - for example - store the backup on a remote location (e.g. in the cloud) or a portable device, you might feel uncomfortable about it. In this case it is also no problem to manually move the file out of the directory before creating the backup. You can even move it permanently and still mount and access the files, if you pass its location to ''encfs'' via the {{ic|ENCFS6_CONFIG}} environment variable. For the [[#Usage]] example above (note that the file name starts with a dot): <br />
$ mv ~/.name/.encfs6.xml ~/<br />
$ ENCFS6_CONFIG=~/.encfs6.xml encfs ~/.name /name<br />
<br />
=== Backup plaintext directory ===<br />
<br />
The following example assumes you want to create an encrypted backup of an existing plaintext directory {{ic|~/mythesis}} which contains the file {{ic|thesis.txt}}. <br />
<br />
First, we create the encrypted backup of the existing plaintext directory: <br />
<br />
$ encfs --reverse ~/mythesis /tmp/thesisbackup <br />
<br />
Note the directory order is reversed to normal usage in this case. Using the {{ic|--reverse}} option has two effects: Firstly, the configuration file is now stored in the plaintext directory and {{ic|/tmp/thesisbackup}} only contains it in encrypted form. Secondly, the files in {{ic|/tmp/thesisbackup}} are not persistent. They will vanish once it is unmounted (no, this is not due to usage of the {{ic|/tmp}} mountpoint). <br />
<br />
For the second reason, now is the time to copy the encrypted files to the desired backup location, ''before'' unmounting the temporary ''encfs'' directory again: <br />
$ cp -R /tmp/thesisbackup/* /mnt/usbstick/<br />
$ fusermount -u /tmp/thesisbackup <br />
and done. <br />
<br />
To restore (or view) the backup, we need access to the encryption options in plaintext, which are passed to ''encfs'' via the environment variable {{ic|ENCFS6_CONFIG}} (we use a different directory in order not to mess up the existing {{ic|~/mythesis}}; the encrypted files were copied to {{ic|/mnt/usbstick/}} above): <br />
<br />
$ ENCFS6_CONFIG=~/mythesis/.encfs6.xml encfs /mnt/usbstick ~/restoremythesis <br />
<br />
If you now list the restore location, it will contain two files: <br />
<br />
$ ls -la ~/restoremythesis<br />
... <br />
-rw-r--r-- 1 student student 1078 3. Jan 12:33 .encfs6.xml<br />
-rw-r--r-- 1 student student 42 3. Jan 12:33 thesis.txt<br />
...<br />
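The reverse-mode backup, the separate copy of the options file and the {{ic|ENCFS6_CONFIG}} restore described above, combined into one script as an added example (not from the article or the EncFS project). It assumes encfs and fusermount are installed and FUSE is usable by the calling user, that the password is read from a file you pass as the third argument, and that the first run may initialise the config non-interactively with {{ic|--standard}}; the function names and the exclusion of {{ic|.encfs6.xml}} from the comparison are the example's own choices.<br />

```shell
#!/bin/sh
# Added example, not from the article or the EncFS project: automate the
# --reverse backup procedure described above and verify the result.
# Assumptions: encfs and fusermount are installed and FUSE is usable by this
# user; the password is read from a file (keep it mode 0600) passed as the
# third argument; the first run initialises the config non-interactively with
# --standard, after which .encfs6.xml lives in the plaintext directory.

# encfs_backup PLAIN DEST PASSFILE
#   Mount PLAIN in reverse mode on a temporary mount point, copy the encrypted
#   view to DEST and unmount again (the reverse view vanishes on unmount).
encfs_backup() {
    plain=$1 dest=$2 passfile=$3
    mnt=$(mktemp -d) || return 1
    mkdir -p "$dest" || { rmdir "$mnt"; return 1; }
    if ! encfs --standard --stdinpass --reverse "$plain" "$mnt" < "$passfile"; then
        rmdir "$mnt"; return 1
    fi
    cp -R "$mnt"/. "$dest"/; rc=$?
    fusermount -u "$mnt"; rmdir "$mnt"
    return $rc
}

# encfs_verify_backup PLAIN DEST PASSFILE
#   Open DEST using the plaintext config kept in PLAIN (ENCFS6_CONFIG) and
#   compare the decrypted view with PLAIN; returns 0 when they match.
encfs_verify_backup() {
    plain=$1 dest=$2 passfile=$3
    mnt=$(mktemp -d) || return 1
    if ! ENCFS6_CONFIG="$plain/.encfs6.xml" encfs --stdinpass "$dest" "$mnt" < "$passfile"; then
        rmdir "$mnt"; return 1
    fi
    diff -r -x .encfs6.xml "$plain" "$mnt" >/dev/null; rc=$?
    fusermount -u "$mnt"; rmdir "$mnt"
    return $rc
}

# encfs_save_config PLAIN COPY
#   The warning above: the backup is useless without the options file, so keep
#   a separate plaintext copy of it (it only changes when the password does).
encfs_save_config() {
    cp "$1/.encfs6.xml" "$2"
}

# Usage: encfs-backup.sh PLAIN DEST PASSFILE CONFIG_COPY
if [ "$#" -eq 4 ]; then
    encfs_backup "$1" "$2" "$3" && encfs_save_config "$1" "$4" && encfs_verify_backup "$1" "$2" "$3"
fi
```

The verification step is the part worth keeping even if you script the rest differently: it proves that the copied ciphertext plus the separately stored options file are enough to get the data back, which is exactly the case the warning above is about.<br />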
<br />
== See also ==<br />
<br />
* [https://vgough.github.io/encfs/ EncFS] - project homepage <br />
* [https://defuse.ca/audits/encfs.htm Security audit] of EncFS by Taylor Hornby (January 14, 2014).</div>
Harvie
https://wiki.archlinux.org/index.php?title=NetworkManager&diff=241829 NetworkManager 2012-12-27T01:02:56Z
<p>Harvie: /* Full AP */</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:NetworkManager]]<br />
[[de:Networkmanager]]<br />
[[es:NetworkManager]]<br />
[[fr:NetworkManager]]<br />
[[it:NetworkManager]]<br />
[[pt:NetworkManager]]<br />
[[ru:NetworkManager]]<br />
[[tr:NetworkManager]]<br />
[[zh-CN:NetworkManager]]<br />
{{Article summary start}}<br />
{{Article summary text|Covers installation and configuration of NetworkManager &ndash; a set of co-operative tools that make networking simple and straightforward.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Networking overview}}}}<br />
{{Article summary end}}<br />
<br />
[http://projects.gnome.org/NetworkManager/ NetworkManager] is a program that provides detection and configuration for systems to automatically connect to a network. NetworkManager's functionality can be useful for both wireless and wired networks. For wireless networks, NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network. NetworkManager-aware applications can switch between online and offline mode. NetworkManager also prefers wired connections over wireless ones, and has support for modem connections and certain types of VPN. NetworkManager was originally developed by Red Hat and is now hosted by the [[GNOME]] project.<br />
<br />
== Base install ==<br />
<br />
NetworkManager can be installed with the package {{Pkg|networkmanager}}, available in the [[official repositories]].<br />
<br />
=== VPN support ===<br />
<br />
NetworkManager VPN support is based on a plug-in system. If you need VPN support via NetworkManager, install one of the following packages from the [[official repositories]]:<br />
<br />
networkmanager-openvpn<br />
networkmanager-pptp<br />
networkmanager-vpnc<br />
<br />
== Graphical front-ends ==<br />
<br />
To configure and have easy access to NetworkManager most people will want to install an applet. This GUI front-end usually resides in the system tray (or notification area) and allows network selection and configuration of NetworkManager. Various applets exist for different types of desktops.<br />
<br />
=== GNOME ===<br />
<br />
GNOME's {{Pkg|network-manager-applet}} (formerly gnome-network-manager) is lightweight enough and works across all environments.<br />
<br />
If you want to store authentication details (Wireless/DSL) and enable global connection settings, i.e. "available to all users", install and configure [[GNOME Keyring]].<br />
<br />
=== KDE4 ===<br />
<br />
The KNetworkManager front-end has been made available since KDE 4.4 as a Plasma widget available in the official repositories:<br />
{{Pkg|kdeplasma-applets-networkmanagement}}.<br />
<br />
The GNOME counterpart works just as nicely, or even better (has more features and detects more hardware).<br />
<br />
{{Note|If you are changing from another network managing tool like [[Wicd]], do not forget to set the default 'Network Management Backend' in <br />
System Settings -> Hardware -> Information Sources}}<br />
<br />
If you have both the Plasma widget and {{ic|nm-applet}} installed and do not want to start {{ic|nm-applet}} when using KDE, add the following line to {{ic|/etc/xdg/autostart/nm-applet.desktop}}:<br />
NotShowIn=KDE<br />
<br />
=== XFCE ===<br />
{{Pkg|network-manager-applet}} will work fine in XFCE, but in order to see notifications, ''including error messages'', {{ic|nm-applet}} needs an implementation of the Freedesktop desktop notifications specification (see the [http://www.galago-project.org/specs/notification/0.9/index.html Galago Project]) to display them. To enable notifications install {{Pkg|xfce4-notifyd}}, a package that provides an implementation of the specification.<br />
<br />
Without such a notification daemon, {{ic|nm-applet}} outputs the following errors to stdout/stderr:<br />
<br />
(nm-applet:24209): libnotify-WARNING **: Failed to connect to proxy<br />
<br />
** (nm-applet:24209): WARNING **: get_all_cb: couldn't retrieve<br />
system settings properties: (25) Launch helper exited with unknown<br />
return code 1.<br />
<br />
** (nm-applet:24209): WARNING **: fetch_connections_done: error<br />
fetching connections: (25) Launch helper exited with unknown return<br />
code 1.<br />
<br />
** (nm-applet:24209): WARNING **: Failed to register as an agent:<br />
(25) Launch helper exited with unknown return code 1<br />
<br />
{{ic|nm-applet}} will still work fine, though, but without notifications.<br />
<br />
=== Openbox ===<br />
<br />
To function properly in Openbox, the GNOME applet requires the {{Pkg|xfce4-notifyd}} notification daemon for the same reason as in XFCE and the {{Pkg|gnome-icon-theme}} package to be able to display the applet in the systray.<br />
<br />
If you want to store authentication details (Wireless/DSL) install and configure [[gnome-keyring]].<br />
<br />
{{Note|If the ''networkmanager'' daemon is in {{ic|rc.conf}}, the following settings are obsolete or the applet will be started twice.}}<br />
<br />
To have Openbox's autostart start {{ic|nm-applet}} properly, you may need to delete the file {{ic|/etc/xdg/autostart/nm-applet.desktop}} (You may need to delete this file again after every update to {{Pkg|network-manager-applet}}).<br />
<br />
Then in {{ic|autostart}}, start {{ic|nm-applet}} with this line:<br />
<br />
(sleep 3 && /usr/bin/nm-applet --sm-disable) &<br />
<br />
If you experience errors connecting, make sure you have your [[D-Bus]] user session started.<br />
<br />
=== Other desktops and window managers ===<br />
<br />
In all other scenarios it is recommended to use the GNOME applet. You will also need to be sure that the {{Pkg|gnome-icon-theme}} package is installed to be able to display the applet.<br />
<br />
To store connection secrets install and configure [[gnome-keyring]].<br />
<br />
In order to run {{ic|nm-applet}} without a systray, you can use {{Pkg|trayer}} or {{Pkg|stalonetray}}. For example, you can add a script like this one in your path:<br />
{{hc|nmgui|<nowiki><br />
#!/bin/sh<br />
nm-applet > /dev/null 2>/dev/null &<br />
stalonetray > /dev/null 2>/dev/null<br />
killall nm-applet<br />
</nowiki>}}<br />
<br />
When you close the stalonetray window, it closes {{ic|nm-applet}} too, so no extra memory is used once you are done with network settings.<br />
<br />
=== Command line ===<br />
<br />
The {{Pkg|networkmanager}} package contains [http://manpages.ubuntu.com/manpages/maverick/man1/nmcli.1.html nmcli] since version 0.8.1.<br />
<br />
== Configuration ==<br />
<br />
NetworkManager will require some additional steps to be able to run properly.<br />
<br />
Verify that your {{ic|/etc/hosts}} is correct before continuing. If you previously tried to connect before doing this step, NetworkManager may have altered it. An example hostname line in {{ic|/etc/hosts}}:<br />
<br />
{{bc|<br />
#<ip-address> <hostname.domain.org> <hostname> <br />
127.0.0.1 localhost.localdomain localhost dell-latitude<br />
}}<br />
<br />
=== Disable current network setup ===<br />
<br />
You will want to disable your current network setup to be able to properly test NetworkManager:<br />
'''1.''' If using the Arch Linux network scripts, [[Daemon|stop]] the network daemon.<br />
'''2.''' Bring down your NICs (Network Interface Controllers, i.e. network cards). For example (using the {{Pkg|iproute2}} package):<br />
<br />
ip link set down eth0<br />
ip link set down wlan0<br />
<br />
'''3.''' Edit {{ic|/etc/rc.conf}} where DHCP or a static IP address are defined and comment them out:<br />
{{Note|The following settings are obsolete in the most recent rc.conf.}}<br />
{{bc|<nowiki><br />
#eth0="dhcp"<br />
#wlan0="dhcp"<br />
INTERFACES=(!eth0 !wlan0)<br />
</nowiki>}}<br />
<br />
'''4.''' Finally, edit {{ic|/etc/rc.conf}} to '''remove''' the default ''network'' daemon or any other network management daemons you may be using.<br />
<br />
=== Enable NetworkManager ===<br />
<br />
How you enable NetworkManager depends on how your system is configured. New installations now use [[systemd]] by default.<br />
<br />
Once the NetworkManager daemon is started, it will automatically connect to any available "system connections" that have already been configured. Any "user connections" or unconfigured connections will need {{ic|nmcli}} or an applet to configure and connect.<br />
<br />
==== Enable NetworkManager with systemd ==== <br />
<br />
You can enable NetworkManager at startup with the following command:<br />
<br />
{{bc|# systemctl enable NetworkManager}}<br />
<br />
You can start the NetworkManager daemon immediately with the following command:<br />
<br />
{{bc|# systemctl start NetworkManager}}<br />
<br />
{{Note|If you have services which fail if they are started before the network is up, you have to use {{ic|NetworkManager-wait-online.service}} instead. This is however hardly ever necessary since most network daemons start up fine, even if the network has not been configured yet.}}<br />
<br />
==== Enable NetworkManager with legacy initscripts ====<br />
<br />
To enable NetworkManager at startup, edit the ''DAEMONS'' line in {{ic|/etc/rc.conf}} by '''adding''' the ''networkmanager'' daemon, after the dbus daemon:<br />
<br />
DAEMONS=( ...'''dbus networkmanager'''... )<br />
<br />
Be sure that the package {{Pkg|dbus}} is installed as NetworkManager will require it. To start other services (daemons) that require a network connection see the next section on how to set them up.<br />
<br />
You can start the NetworkManager daemon immediately with the following commands:<br />
<br />
{{bc|# rc.d start dbus}}<br />
{{bc|# rc.d start networkmanager}}<br />
<br />
{{Note|Initscripts are deprecated: https://www.archlinux.org/news/end-of-initscripts-support/}}<br />
<br />
=== Set up PolicyKit permissions ===<br />
<br />
See [[General Troubleshooting#Session permissions]] for setting up a working session.<br />
<br />
With a working session, you have several options for granting the necessary privileges to NetworkManager:<br />
<br />
''Option 1.'' Run a [[PolicyKit]] authentication agent when you log in, such as {{ic|/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1}} (part of {{Pkg|polkit-gnome}}). You will be prompted for your password whenever you add or remove a network connection.<br />
<br />
''Option 2.'' Add yourself to the {{ic|wheel}} group. You will not have to enter your password, but your user account may be granted other permissions as well, such as the ability to use [[sudo]] without entering the root password.<br />
<br />
''Option 3.'' Add yourself to the {{ic|network}} group and create the following file:<br />
{{hc|/etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules|<nowiki><br />
polkit.addRule(function(action, subject) {<br />
if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {<br />
return polkit.Result.YES;<br />
}<br />
});</nowiki>}}<br />
All users in the {{ic|network}} group will be able to add and remove networks without a password. This will not work under systemd if you do not have an active session with [[Systemd#Using_systemd-logind|systemd-logind]].<br />
<br />
=== Network services with NetworkManager dispatcher===<br />
<br />
There are quite a few network services that you will not want running until NetworkManager brings up an interface. Good examples are [[OpenNTPD]] and network filesystem mounts of various types (e.g. '''netfs'''). NetworkManager has the ability to start these services when you connect to a network and stop them when you disconnect.<br />
<br />
To use this feature, add scripts to the {{ic|/etc/NetworkManager/dispatcher.d}} directory. These scripts need to be executable. For security, it is good practice to make them owned by '''root:root''' and writable only by the owner.<br />
<br />
The scripts are run in alphabetical order at connection time and in reverse alphabetical order at disconnect time. They receive two arguments: the name of the interface (e.g. ''eth0'') and the status (''up'' or ''down''). To control the order in which they run, it is common to prefix the script name with digits (e.g. {{ic|10_portmap}} or {{ic|30_netfs}}), which ensures that the portmapper is up before NFS mounts are attempted.<br />
<br />
{{Warning|For security reasons, disable write access for group and other, e.g. use mode 755. Otherwise nm-dispatcher refuses to execute the script, logging "nm-dispatcher.action: Script could not be executed: writable by group or other, or set-UID." to {{ic|/var/log/messages.log}}.}}<br />
{{Warning|If you connect to foreign or public networks, be aware of what services you are starting and what servers you expect them to connect to. Starting the wrong services while connected to a public network can open a security hole.}}<br />
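A pre-deployment check for the rules just stated, as an added example that is not part of NetworkManager: it re-implements the permission test behind the "writable by group or other, or set-UID" refusal (executable, not group/other-writable, no set-UID bit, root ownership as a warning) and prints the order in which the scripts in a directory are called for ''up'' and ''down''. It assumes a GNU or busybox {{ic|stat}} with the {{ic|-c}} format; the function names are the example's own.<br />

```shell
#!/bin/sh
# Added example, not part of NetworkManager: audit dispatcher scripts before
# installing them in /etc/NetworkManager/dispatcher.d. Re-implements the rules
# stated above (executable, not writable by group or other, not set-UID,
# preferably owned by root) and shows the call order for "up" and "down".
# Assumes GNU/busybox stat (the -c format).

# dispatcher_check_perms FILE -> 0 when nm-dispatcher would accept FILE,
# 1 otherwise (the reason is written to stderr).
dispatcher_check_perms() {
    file=$1
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    sym=$(stat -c '%A' "$file")          # e.g. -rwxr-xr-x or -rwsr-xr-x
    owner_x=$(printf '%s' "$sym" | cut -c4)
    group_w=$(printf '%s' "$sym" | cut -c6)
    other_w=$(printf '%s' "$sym" | cut -c9)
    rc=0
    if [ "$group_w" = w ] || [ "$other_w" = w ]; then
        echo "$file: writable by group or other" >&2; rc=1
    fi
    case $owner_x in
        s|S) echo "$file: set-UID bit set" >&2; rc=1 ;;
        x)   ;;
        *)   echo "$file: not executable by owner" >&2; rc=1 ;;
    esac
    # root ownership is recommended above but not part of the refusal: warn only
    [ "$(stat -c '%u' "$file")" = 0 ] || echo "$file: warning: not owned by root" >&2
    return $rc
}

# dispatcher_run_order DIR STATUS -> prints the script names in the order they
# are called: alphabetical for "up", reverse alphabetical for "down".
dispatcher_run_order() {
    dir=$1
    opt=
    [ "$2" = down ] && opt=-r
    for f in "$dir"/*; do
        [ -f "$f" ] && basename "$f"
    done | LC_ALL=C sort $opt
}

# Usage: sh dispatcher-audit.sh /etc/NetworkManager/dispatcher.d/*
for f in "$@"; do
    dispatcher_check_perms "$f"
done
```

Run it over the directory before relying on a script: a file that passes here will not be silently skipped with the log message quoted in the warning, and the order listing makes it obvious whether a {{ic|10_}} prefix really puts one script ahead of a {{ic|30_}} one on ''up'' and behind it on ''down''.<br />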
<br />
==== Start OpenNTPD ====<br />
<br />
The following example starts the OpenNTPD daemon when an interface is brought up. Save the file as {{ic|/etc/NetworkManager/dispatcher.d/20_openntpd}} and make it executable.<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
<br />
INTERFACE=$1   # The interface which is brought up or down<br />
STATUS=$2      # The new state of the interface<br />
<br />
case "$STATUS" in<br />
    'up') # $INTERFACE is up<br />
        exec rc.d start openntpd<br />
        ;;<br />
    'down') # $INTERFACE is down<br />
        # Stop the daemon only if no interface is still connected<br />
        # (quoting keeps the test valid when nm-tool prints nothing)<br />
        if [ "$(nm-tool | grep State | cut -f2 -d' ')" != "connected" ]; then<br />
            exec rc.d stop openntpd<br />
        fi<br />
        ;;<br />
esac<br />
</nowiki>}}<br />
<br />
==== Mount remote folder with sshfs ====<br />
<br />
As the script is run in a very restrictive environment, you have to export {{ic|SSH_AUTH_SOCK}} in order to connect to your SSH agent. There are different ways to accomplish this, see [https://bbs.archlinux.org/viewtopic.php?pid=1042030#p1042030 this link] for more information. The example below works with [[gnome-keyring]], and will ask you for the password if not unlocked already. In case NetworkManager connects automatically on login, it is likely gnome-keyring has not yet started and the export will fail (hence the sleep). The {{ic|UUID}} to match can be found in {{ic|/etc/NetworkManager/system-connections/}}). <br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
USER=<your sshfs user><br />
# Only act for the one connection whose UUID matches<br />
if [ "$CONNECTION_UUID" = "<connection UUID>" ]; then<br />
    case "$2" in<br />
        up)<br />
            #sleep 10<br />
            # gnome-keyring's SSH agent socket lives in /tmp/keyring-*/ssh<br />
            export SSH_AUTH_SOCK=$(find /tmp/keyring-*/ -type s -user "$USER" -group users -name ssh)<br />
            su "$USER" -c "/usr/bin/sshfs user@host:/remote/folder /local/folder/"<br />
            ;;<br />
        down)<br />
            fusermount -u /local/folder<br />
            ;;<br />
    esac<br />
fi<br />
</nowiki>}}<br />
<br />
==== Use dispatcher to connect to a VPN after a network-connection is established ====<br />
<br />
In this example we want to connect automatically to a previously defined VPN connection after connecting to a specific WiFi network. First thing to do is to create the dispatcher script that defines what to do after we are connected to the network. <br />
<br />
:1. Create the dispatcher script:<br />
{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki><br />
#!/bin/sh<br />
VPN_NAME="<name of VPN connection defined in NetworkManager>"<br />
ESSID="<wifi network ESSID (not connection name)>"<br />
# "vpn-down" is included so that the VPN is re-established after a VPN interruption<br />
if [ "$2" = "up" -o "$2" = "vpn-down" ]; then<br />
    if [ "$(iwgetid | grep ':"'"$ESSID"'"')" ]; then # check for ESSID match<br />
        nmcli con up id "$VPN_NAME" # quotes needed for VPN connection names with spaces<br />
    fi<br />
elif [ "$2" = "down" ]; then # disconnect VPN prior to disconnecting from the network<br />
    if [ "$(iwgetid | grep ':"'"$ESSID"'"')" ]; then # check for ESSID match and that VPN is actually connected<br />
        # grep -c prints a count, so compare it numerically (a bare [ 0 ] would always be true)<br />
        if [ "$(nmcli con status id "$VPN_NAME" | grep -c activated)" -gt 0 ]; then<br />
            nmcli con down id "$VPN_NAME"<br />
        fi<br />
    fi<br />
fi<br />
</nowiki>}}<br />
Remember to make it executable with {{ic|chmod +x}} and to make the VPN connection available to all users. <br />
<br />
Trying to connect using this setup will fail and NetworkManager will complain about 'no valid VPN secrets', because of [http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html the way VPN secrets are stored] which brings us to step 2:<br />
<br />
:2. Edit your VPN connection configuration file to make NetworkManager store the secrets by itself rather than inside a keyring [https://bugzilla.redhat.com/show_bug.cgi?id=710552 that will be inaccessible for root]: open up {{ic|/etc/NetworkManager/system-connections/<name of your VPN connection>}} and change the {{ic|password-flags}} and {{ic|secret-flags}} from {{ic|1}} to {{ic|0}}.<br />
<br />
{{Note|It may now be necessary to re-open the NetworkManager connection editor and re-enter the VPN passwords/secrets.}}<br />
<br />
==== Use /etc/rc.conf to control services started by networkmanager ====<br />
<br />
Some Arch users may dislike having two places where the launching of daemons is configured. Using this method, network services started by NetworkManager are controlled from {{ic|rc.conf}} by the use of a {{ic|NET_DAEMONS}} array, in the same fashion as the typical {{ic|DAEMONS}} array.<br />
<br />
# Install {{AUR|networkmanager-dispatcher-net_daemons}} from the [[AUR]].<br />
# Ensure ''dbus'' and ''networkmanager'' are both in the {{ic|DAEMONS}} line in {{ic|rc.conf}}.<br />
# Add a {{ic|NET_DAEMONS}} line to rc.conf which includes all services you do not want started until after the network connection is established.<br />
<br />
Example {{ic|DAEMONS}} and {{ic|NET_DAEMONS}} in {{ic|rc.conf}} are shown below:<br />
<br />
{{bc|<nowiki><br />
# DAEMONS<br />
# -------<br />
#<br />
DAEMONS=(syslog-ng crond dbus networkmanager)<br />
NET_DAEMONS=(iptables nscd sshd samba avahi-daemon avahi-dnsconfd openntpd)<br />
</nowiki>}}<br />
<br />
=== Proxy settings ===<br />
<br />
NetworkManager does not directly handle proxy settings, but if you are using GNOME you can use [http://marin.jb.free.fr/proxydriver/ proxydriver], which sets the proxy settings using NetworkManager's information. The package {{AUR|proxydriver}} is available in the [[AUR]].<br />
<br />
In order for proxydriver to be able to change the proxy settings, you would need to execute this command, as part of the GNOME startup process (System -> Preferences -> Startup Applications):<br />
<br />
xhost +si:localuser:your_username<br />
<br />
See: [[Proxy settings]]<br />
<br />
== Testing ==<br />
<br />
NetworkManager applets are designed to load upon login so no further configuration should be necessary for most users. If you have already disabled your previous network settings and disconnected from your network, you can now test if NetworkManager will work. The first step is to [[Daemon|start]] the ''networkmanager'' daemon.<br />
<br />
Some applets provide a {{ic|.desktop}} file so that the NetworkManager applet can be loaded through the application menu. If not, you will either have to discover the command to use or log out and log in again to start the applet. Once the applet is started, it will likely begin polling network connections for auto-configuration with a DHCP server.<br />
<br />
To start the GNOME applet in non-xdg-compliant window managers like [[Awesome]]:<br />
<br />
nm-applet --sm-disable &<br />
<br />
For static IPs you will have to configure NetworkManager to understand them. The process usually involves right-clicking the applet and selecting something like 'Edit Connections'.<br />
<br />
== Troubleshooting ==<br />
<br />
Some fixes to common problems.<br />
<br />
=== No traffic via PPTP tunnel ===<br />
<br />
The PPTP connection logs in successfully and the ppp0 interface shows the correct VPN IP, but you cannot even ping the remote IP. This is due to a lack of MPPE (Microsoft Point-to-Point Encryption) support in the stock Arch pppd. Try the stock Arch {{Pkg|ppp}} first, as it may work as intended.<br />
<br />
To solve the problem it should be sufficient to install {{AUR|ppp-mppe}} from the [[AUR]].<br />
<br />
=== Network management disabled ===<br />
<br />
Sometimes NetworkManager shuts down but its pid (state) file is not removed, and you get a 'Network management disabled' message. If this happens, you will have to remove it manually:<br />
<br />
# rm /var/lib/NetworkManager/NetworkManager.state<br />
<br />
If this happens upon reboot, you can add an action to your {{ic|/etc/rc.local}} to have it removed upon bootup:<br />
<br />
{{bc|<nowiki>nmpid=/var/lib/NetworkManager/NetworkManager.state<br />
[ -f $nmpid ] && rm $nmpid</nowiki>}}<br />
<br />
=== NetworkManager prevents DHCPCD from using resolv.conf.head and resolv.conf.tail ===<br />
<br />
Sometimes it is problematic to add static items to {{ic|resolv.conf}} when it is constantly rewritten by NetworkManager and {{ic|dhcpcd}}. A simple solution is using the following script:<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
# <br />
# /etc/NetworkManager/dispatcher.d/99-resolv.conf-head_and_tail<br />
# Include /etc/resolv.conf.head and /etc/resolv.conf.tail to /etc/resolv.conf<br />
#<br />
# scripts in the /etc/NetworkManager/dispatcher.d/ directory<br />
# are called alphabetically and are passed two parameters:<br />
# $1 is the interface name, and $2 is “up” or “down” as the<br />
# case may be.<br />
<br />
resolvconf='/etc/resolv.conf';<br />
cat "$resolvconf"{.head,,.tail} 2>/dev/null > "$resolvconf".tmp<br />
mv -f "$resolvconf".tmp "$resolvconf"<br />
</nowiki>}}<br />
<br />
This script is also available in the [https://aur.archlinux.org/packages/networkmanager-dispatch-resolv AUR] for convenience.<br />
<br />
=== Preserving changes to resolv.conf ===<br />
<br />
NetworkManager will attempt to write DNS information from DHCP into {{ic|/etc/resolv.conf}}, overwriting the existing contents. To prevent this, you can set the immutable bit on the file:<br />
# chattr +i /etc/resolv.conf<br />
<br />
To modify the file in the future, first remove the immutable bit:<br />
# chattr -i /etc/resolv.conf<br />
<br />
=== DHCP problems ===<br />
<br />
If you have problems with getting an IP via DHCP, try to add the following to your {{ic|/etc/dhclient.conf}}:<br />
interface "eth0" {<br />
send dhcp-client-identifier 01:aa:bb:cc:dd:ee:ff;<br />
}<br />
Where {{ic|aa:bb:cc:dd:ee:ff}} is the MAC address of this NIC. The MAC address can be found using the {{ic|ip link show eth0}} command from the {{Pkg|iproute2}} package.<br />
<br />
For some (non-compliant) routers, you will not be able to connect properly unless you comment out the line<br />
require dhcp_server_identifier<br />
in {{ic|/etc/dhcpcd.conf}} (note that this file is distinct from {{ic|dhcpd.conf}}). This should not cause issues unless you have multiple DHCP servers on your network (not typical); see [http://technet.microsoft.com/en-us/library/cc977442.aspx this page] for more information.<br />
<br />
=== Hostname problems ===<br />
<br />
Add the following line to {{ic|/etc/NetworkManager/NetworkManager.conf}}:<br />
dhcp=dhcpcd<br />
then restart NetworkManager:<br />
# systemctl restart NetworkManager<br />
Source: https://bbs.archlinux.org/viewtopic.php?id=152376<br />
<br />
=== Missing default route ===<br />
<br />
On at least one KDE4 system, no default route was created when establishing wireless connections with NetworkManager. Changing the route settings of the wireless connection to remove the default selection "Use only for resources on this connection" solved the issue.<br />
<br />
=== 3G modem not detected ===<br />
<br />
If NetworkManager (from v0.7.999) does not detect your 3G modem, but you can still connect using [[wvdial]], try installing {{Pkg|modemmanager}} and restart the NetworkManager daemon with {{ic|rc.d restart networkmanager}}. It may also be necessary to replug or restart your modem. This utility provides support for hardware not in NetworkManager's default database.<br />
<br />
=== Switching off WLAN on laptops ===<br />
<br />
Sometimes NetworkManager will not work when you disable your WiFi adapter with a switch on your laptop and try to enable it again afterwards. This is often a problem with {{ic|rfkill}}. Install {{Pkg|rfkill}} from the [[official repositories]] and use <br />
<br />
$ watch -n1 rfkill list all<br />
<br />
to check if the driver notifies {{ic|rfkill}} about the wireless adapter's status.<br />
If one identifier stays blocked after you switch on the adapter you could try to manually unblock it with (where X is the number of the identifier provided by the above output):<br />
<br />
# rfkill unblock X<br />
<br />
=== Static IP settings revert to DHCP ===<br />
<br />
Due to an unresolved bug, when changing default connections to static IP, {{ic|nm-applet}} may not properly store the configuration change, and will revert to automatic DHCP.<br />
<br />
To work around this issue you have to edit the default connection (e.g. "Auto eth0") in {{ic|nm-applet}}, change the connection name (e.g. "my eth0"), uncheck the "Available to all users" checkbox, change your static IP settings as desired, and click '''Apply'''. This will save a new connection with the given name.<br />
<br />
Next, you will want to make the default connection not connect automatically. To do so, run<br />
<br />
$ sudo nm-connection-editor # you must use sudo, not su<br />
<br />
In the connection editor, edit the default connection (e.g. "Auto eth0") and uncheck "Connect automatically". Click '''Apply''' and close the connection editor.<br />
<br />
=== Cannot edit connections as normal user ===<br />
<br />
See [[#Set_up_PolicyKit_permissions]].<br />
<br />
=== Forget hidden wireless network ===<br />
<br />
Since hidden networks are not displayed in the selection list of the Wireless view, they cannot be forgotten (removed) with the GUI. You can delete one with the following command:<br />
<br />
# rm /etc/NetworkManager/system-connections/[SSID]<br />
$ sudo rm /etc/NetworkManager/system-connections/[SSID] # sudo equivalent<br />
<br />
This works for any other connection.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Sharing internet connection over wifi ===<br />
<br />
You can share your internet connection (e.g. 3G or wired) with a few clicks using NetworkManager. You will need a supported wifi card (cards based on Atheros AR9xx, or at least AR5xx, are probably the best choice).<br />
<br />
==== Ad-hoc ====<br />
<br />
* Install {{Pkg|dnsmasq}}: {{ic|pacman -S dnsmasq}}<br />
* A custom dnsmasq.conf may interfere with NetworkManager (not sure about this, but I think so)<br />
* Click on nm-applet -> Create new wireless network<br />
* Follow the wizard (if using WEP, be sure to use a 5 or 13 character long password; other lengths will fail)<br />
* Settings will remain stored for the next time you need them<br />
<br />
==== Real AP ====<br />
<br />
Infrastructure mode (which is needed by Android phones, as they intentionally do not support ad-hoc) is not currently supported by NetworkManager, but is in active development.<br />
<br />
See: http://fedoraproject.org/wiki/Features/RealHotspot<br />
<br />
=== Checking if networking is up inside a cron job or script ===<br />
<br />
Some cron jobs require networking to be up to succeed. You may wish to avoid running these jobs when the network is down. To accomplish this, add an '''if''' test for networking that queries NetworkManager's {{ic|nm-tool}} and checks the state of networking. The test shown here succeeds if any interface is up, and fails if they are all down. This is convenient for laptops that might be hardwired, might be on wireless, or might be off the network. <br />
if [ "$(nm-tool|grep State|cut -f2 -d' ')" = "connected" ]; then<br />
: # Whatever you want to do if the network is online (':' is a no-op placeholder; a branch must not be empty)<br />
else<br />
: # Whatever you want to do if the network is offline - note, this and the else above are optional<br />
fi<br />
<br />
This is useful for a {{ic|cron.hourly}} script that runs {{ic|fpupdate}} for the F-Prot virus scanner signature update, as an example. Another way it might be useful, with a little modification, is to differentiate between networks using various parts of the output from {{ic|nm-tool}}; for example, since the active wireless network is denoted with an asterisk, you could grep for the network name and then grep for a literal asterisk.<br />
<br />
=== Automatically unlock keyring after login ===<br />
<br />
==== GNOME ====<br />
<br />
# Right click on the {{ic|nm-applet}} icon in your panel and select Edit Connections and open the Wireless tab<br />
# Select the connection you want to work with and click the Edit button<br />
# Check the boxes “Connect Automatically” and “Available to all users”<br />
Log out and log back in to complete.<br />
<br />
{{Note|The following method is dated and known not to work on at least one machine!}}<br />
* In {{ic|/etc/pam.d/gdm}} (or your corresponding daemon in {{ic|/etc/pam.d}}), add these lines at the end of the "auth" and "session" blocks if they do not exist already: <br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
<br />
* In {{ic|/etc/pam.d/passwd}}, use this line for the 'password' block:<br />
password optional pam_gnome_keyring.so<br />
<br />
:Next time you log in, you should be asked if you want the password to be unlocked automatically on login.<br />
<br />
==== KDE ====<br />
{{Note|See http://live.gnome.org/GnomeKeyring/Pam for reference, and if you are using KDE with KDM, you can use {{AUR|pam-keyring-tool}} from the [[AUR]].}}<br />
<br />
Put a script like the following in {{ic|~/.kde4/Autostart}}:<br />
#!/bin/sh<br />
echo PASSWORD | /usr/bin/pam-keyring-tool --unlock --keyring=default -s<br />
Similar should work with Openbox, LXDE, etc.<br />
<br />
==== SLiM login manager ====<br />
<br />
*In {{ic|/etc/pam.d/slim}}, add these lines at the end of the "auth" and "session" blocks if they do not exist already: <br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
<br />
*In {{ic|/etc/pam.d/passwd}}, use this line for the 'password' block:<br />
password optional pam_gnome_keyring.so<br />
<br />
*In {{ic|~/.xinitrc}}, add this at the very top, before launching your window manager and other applications:<br />
# test for an existing bus daemon, just to be safe<br />
if test -z "$DBUS_SESSION_BUS_ADDRESS" ; then<br />
# if not found, launch a new one<br />
eval `dbus-launch --sh-syntax --exit-with-session`<br />
echo "D-Bus per-session daemon address is: $DBUS_SESSION_BUS_ADDRESS"<br />
fi<br />
<br />
:Next time you log in, you should be asked if you want the password to be unlocked automatically on login.<br />
<br />
=== Ignore specific devices ===<br />
<br />
Sometimes it may be desired that NetworkManager ignores specific devices and does not try to configure addresses and routes for them.<br />
<br />
:1. You can quickly and easily ignore devices by MAC by using the following in {{ic|/etc/NetworkManager/NetworkManager.conf}} :<br />
[keyfile]<br />
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4<br />
:After you have put this in, [[Daemon|restart]] NetworkManager, and you should be able to configure interfaces without NetworkManager altering what you have set.<br />
<br />
:2. If that is not appropriate, you could ignore by HAL.<br />
::* First you have to find out the Hal UDI (e.g. with {{ic|lshal}}):<br />
...<br />
info.product = 'Networking Interface' (string)<br />
info.subsystem = 'net' (string)<br />
info.udi = '/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55' (string)<br />
linux.hotplug_type = 2 (0x2) (int)<br />
linux.subsystem = 'net' (string)<br />
...<br />
<br />
::* Add the udi to {{ic|/etc/NetworkManager/nm-system-settings.conf}}:<br />
[keyfile]<br />
unmanaged-devices=/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55<br />
<br />
:Multiple devices can be specified, delimited by semicolons:<br />
<br />
[keyfile]<br />
unmanaged-devices=/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55;/org/freedesktop/Hal/devices/net_00_2c_6d_e2_08_af<br />
<br />
:You do not need to restart NetworkManager for the changes to take effect.<br />
<br />
:3. Devices could also be ignored at boot time by using following script (change {{ic|NetworkManager.conf}} with {{ic|nm-system-settings.conf}} if using a version of NetworkManager smaller than 0.8.1):<br />
#!/bin/sh<br />
# author: tim noise <darknoise@drkns.net><br />
COUNT=0<br />
TARGET_FILE="/etc/NetworkManager/NetworkManager.conf"<br />
for i in `lshal | grep -A6 'Networking Interface' | awk -F "'" '/info.udi = / {print $2}'`; do<br />
if [ $COUNT = 0 ]; then<br />
COUNT=$((COUNT+1)) # arithmetic increment; $COUNT+1 would assign the string "0+1"<br />
printf "unmanaged-devices=%s" "$i" >> "$TARGET_FILE" # no newline, so further UDIs stay on this line<br />
else<br />
printf ";%s" "$i" >> "$TARGET_FILE"<br />
fi<br />
done<br />
printf "\n" >> "$TARGET_FILE"<br />
<br />
:It can be adapted to ignore WiFi devices, etc., for example when running on a non-persistent filesystem.<br />
<br />
=== Connect faster ===<br />
<br />
==== Disabling IPv6 ====<br />
<br />
Slow connection or reconnection to the network may be due to superfluous IPv6 queries in NetworkManager. If there is no IPv6 support on the local network, connecting to a network may take longer than normal while NetworkManager tries to establish an IPv6 connection that eventually times out. The solution is to disable IPv6 within NetworkManager which will make network connection faster. This has to be done once for every network you connect to.<br />
<br />
* Right-click on the network status icon.<br />
* Click on "Edit Connections".<br />
* Go to the "Wired" or "Wireless" tab, as appropriate.<br />
* Select the name of the network.<br />
* Click on "Edit".<br />
* Go to the "IPv6 Settings" tab.<br />
* In the "Method" dropdown, choose "Ignore/Disabled".<br />
* Click on "Save".<br />
<br />
==== Speed up DHCP by disabling ARP probing in DHCPCD ====<br />
<br />
{{ic|dhcpcd}} contains an implementation of a recommendation of the DHCP standard ([http://www.ietf.org/rfc/rfc2131.txt RFC2131] section 2.2) to check via ARP if the assigned IP address is really not taken. This seems mostly useless in home networks, so you can save about 5 seconds on every connect by adding the following line to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noarp<br />
<br />
This is equivalent to passing {{ic|--noarp}} to {{ic|dhcpcd}}, and disables the described ARP probing, speeding up connections to networks with DHCP.<br />
<br />
==== Use OpenDNS servers ====<br />
<br />
Create {{ic|/etc/resolv.conf.opendns}} with the nameservers:<br />
<br />
nameserver 208.67.222.222<br />
nameserver 208.67.220.220<br />
<br />
And have the dispatcher replace the discovered DHCP servers with the OpenDNS ones:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/dns-servers-opendns|<nowiki><br />
#!/bin/bash<br />
# Use OpenDNS servers over DHCP discovered servers<br />
<br />
cp -f /etc/resolv.conf.opendns /etc/resolv.conf</nowiki>}}<br />
<br />
Make the script executable:<br />
<br />
# chmod +x /etc/NetworkManager/dispatcher.d/dns-servers-opendns</div>Harviehttps://wiki.archlinux.org/index.php?title=NetworkManager&diff=241415NetworkManager2012-12-23T19:27:45Z<p>Harvie: Ad-hoc tethering</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:NetworkManager]]<br />
[[de:Networkmanager]]<br />
[[es:NetworkManager]]<br />
[[fr:NetworkManager]]<br />
[[it:NetworkManager]]<br />
[[pt:NetworkManager]]<br />
[[ru:NetworkManager]]<br />
[[tr:NetworkManager]]<br />
[[zh-CN:NetworkManager]]<br />
{{Article summary start}}<br />
{{Article summary text|Covers installation and configuration of NetworkManager &ndash; a set of co-operative tools that make networking simple and straightforward.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Networking overview}}}}<br />
{{Article summary end}}<br />
<br />
[http://projects.gnome.org/NetworkManager/ NetworkManager] is a program that provides detection and configuration for systems to automatically connect to a network. NetworkManager's functionality can be useful for both wireless and wired networks. For wireless networks, NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network. NetworkManager-aware applications can switch between online and offline mode. NetworkManager also prefers wired connections over wireless ones, and has support for modem connections and certain types of VPN. NetworkManager was originally developed by Red Hat and is now hosted by the [[GNOME]] project.<br />
<br />
== Base install ==<br />
<br />
NetworkManager can be installed with the package {{Pkg|networkmanager}}, available in the [[official repositories]].<br />
<br />
=== VPN support ===<br />
<br />
NetworkManager VPN support is based on a plug-in system. If you need VPN support via NetworkManager, install one of the following packages from the [[official repositories]]:<br />
<br />
networkmanager-openvpn<br />
networkmanager-pptp<br />
networkmanager-vpnc<br />
<br />
== Graphical front-ends ==<br />
<br />
To configure and have easy access to NetworkManager most people will want to install an applet. This GUI front-end usually resides in the system tray (or notification area) and allows network selection and configuration of NetworkManager. Various applets exist for different types of desktops.<br />
<br />
=== GNOME ===<br />
<br />
GNOME's {{Pkg|network-manager-applet}} (formerly gnome-network-manager) is lightweight enough and works across all environments.<br />
<br />
If you want to store authentication details (Wireless/DSL) and enable global connection settings, i.e. "available to all users", install and configure [[GNOME Keyring]].<br />
<br />
=== KDE4 ===<br />
<br />
The KNetworkManager front-end has been made available since KDE 4.4 as a Plasma widget available in the official repositories:<br />
{{Pkg|kdeplasma-applets-networkmanagement}}.<br />
<br />
The GNOME counterpart works just as nicely, or even better (has more features and detects more hardware).<br />
<br />
{{Note|If you are changing from another network managing tool like [[Wicd]], do not forget to set the default 'Network Management Backend' in <br />
System Settings -> Hardware -> Information Sources}}<br />
<br />
If you have both the Plasma widget and {{ic|nm-applet}} installed and do not want to start {{ic|nm-applet}} when using KDE, add the following line to {{ic|/etc/xdg/autostart/nm-applet.desktop}}:<br />
NotShowIn=KDE<br />
<br />
=== XFCE ===<br />
{{Pkg|network-manager-applet}} will work fine in XFCE, but in order to see notifications, ''including error messages'', {{ic|nm-applet}} needs an implementation of the Freedesktop desktop notifications specification (see the [http://www.galago-project.org/specs/notification/0.9/index.html Galago Project]) to display them. To enable notifications install {{Pkg|xfce4-notifyd}}, a package that provides an implementation of the specification.<br />
<br />
Without such a notification daemon, {{ic|nm-applet}} outputs the following errors to stdout/stderr:<br />
<br />
(nm-applet:24209): libnotify-WARNING **: Failed to connect to proxy<br />
<br />
** (nm-applet:24209): WARNING **: get_all_cb: couldn't retrieve<br />
system settings properties: (25) Launch helper exited with unknown<br />
return code 1.<br />
<br />
** (nm-applet:24209): WARNING **: fetch_connections_done: error<br />
fetching connections: (25) Launch helper exited with unknown return<br />
code 1.<br />
<br />
** (nm-applet:24209): WARNING **: Failed to register as an agent:<br />
(25) Launch helper exited with unknown return code 1<br />
<br />
{{ic|nm-applet}} will still work fine, but without notifications.<br />
<br />
=== Openbox ===<br />
<br />
To function properly in Openbox, the GNOME applet requires the {{Pkg|xfce4-notifyd}} notification daemon for the same reason as in XFCE and the {{Pkg|gnome-icon-theme}} package to be able to display the applet in the systray.<br />
<br />
If you want to store authentication details (Wireless/DSL) install and configure [[gnome-keyring]].<br />
<br />
{{Note|If the ''networkmanager'' daemon is in {{ic|rc.conf}}, the following settings are obsolete or the applet will be started twice.}}<br />
<br />
To have Openbox's autostart start {{ic|nm-applet}} properly, you may need to delete the file {{ic|/etc/xdg/autostart/nm-applet.desktop}} (You may need to delete this file again after every update to {{Pkg|network-manager-applet}}).<br />
<br />
Then in {{ic|autostart}}, start {{ic|nm-applet}} with this line:<br />
<br />
(sleep 3 && /usr/bin/nm-applet --sm-disable) &<br />
<br />
If you experience errors connecting, make sure you have your [[D-Bus]] user session started.<br />
<br />
=== Other desktops and window managers ===<br />
<br />
In all other scenarios it is recommended to use the GNOME applet. You will also need to be sure that the {{Pkg|gnome-icon-theme}} package is installed to be able to display the applet.<br />
<br />
To store connection secrets install and configure [[gnome-keyring]].<br />
<br />
In order to run {{ic|nm-applet}} without a systray, you can use {{Pkg|trayer}} or {{Pkg|stalonetray}}. For example, you can add a script like this one in your path:<br />
{{hc|nmgui|<nowiki><br />
#!/bin/sh<br />
nm-applet > /dev/null 2>/dev/null &<br />
stalonetray > /dev/null 2>/dev/null<br />
killall nm-applet<br />
</nowiki>}}<br />
<br />
When you close the stalonetray window, it closes {{ic|nm-applet}} too, so no extra memory is used once you are done with network settings.<br />
<br />
=== Command line ===<br />
<br />
The {{Pkg|networkmanager}} package contains [http://manpages.ubuntu.com/manpages/maverick/man1/nmcli.1.html nmcli] since version 0.8.1.<br />
<br />
== Configuration ==<br />
<br />
NetworkManager will require some additional steps to be able to run properly.<br />
<br />
Verify that your {{ic|/etc/hosts}} is correct before continuing. If you previously tried to connect before doing this step, NetworkManager may have altered it. An example hostname line in {{ic|/etc/hosts}}:<br />
<br />
{{bc|<br />
#<ip-address> <hostname.domain.org> <hostname> <br />
127.0.0.1 localhost.localdomain localhost dell-latitude<br />
}}<br />
<br />
=== Disable current network setup ===<br />
<br />
You will want to disable your current network setup to be able to properly test NetworkManager:<br />
# If using the Arch Linux network scripts, [[Daemon|stop]] the network daemon.<br />
# Bring down your NICs (Network Interface Controllers, i.e. network cards). For example (using the {{Pkg|iproute2}} package):<br />
<br />
ip link set down eth0<br />
ip link set down wlan0<br />
<br />
# Edit {{ic|/etc/rc.conf}} where DHCP or a static IP address are defined by commenting them out:<br />
{{Note|Following settings are obsolete in the most recent rc.conf.}}<br />
{{bc|<nowiki><br />
#eth0="dhcp" <br />
#wlan0="dhcp" <br />
INTERFACES=(!eth0 !wlan0)<br />
</nowiki>}}<br />
<br />
# Finally, edit {{ic|/etc/rc.conf}} to '''remove''' the default ''network'' daemon or any other network management daemons you may be using.<br />
<br />
=== Enable NetworkManager ===<br />
<br />
How you enable NetworkManager depends on how your system is configured. New installations now use [[systemd]] by default.<br />
<br />
Once the NetworkManager daemon is started, it will automatically connect to any available "system connections" that have already been configured. Any "user connections" or unconfigured connections will need {{ic|nmcli}} or an applet to configure and connect.<br />
<br />
==== Enable NetworkManager with systemd ==== <br />
<br />
You can enable NetworkManager at startup with the following command:<br />
<br />
{{bc|# systemctl enable NetworkManager}}<br />
<br />
You can start the NetworkManager daemon immediately with the following command:<br />
<br />
{{bc|# systemctl start NetworkManager}}<br />
<br />
{{Note|If you have services which fail if they are started before the network is up, you have to use {{ic|NetworkManager-wait-online.service}} instead. This is however hardly ever necessary since most network daemons start up fine, even if the network has not been configured yet.}}<br />
<br />
==== Enable NetworkManager with legacy initscripts ====<br />
<br />
To enable NetworkManager at startup, edit the ''DAEMONS'' line in {{ic|/etc/rc.conf}} by '''adding''' the ''networkmanager'' daemon, after the dbus daemon:<br />
<br />
DAEMONS=( ...'''dbus networkmanager'''... )<br />
<br />
Be sure that the package {{Pkg|dbus}} is installed as NetworkManager will require it. To start other services (daemons) that require a network connection see the next section on how to set them up.<br />
<br />
You can start the NetworkManager daemon immediately with the following commands:<br />
<br />
{{bc|# rc.d start dbus}}<br />
{{bc|# rc.d start networkmanager}}<br />
<br />
{{Note|Initscripts are deprecated: https://www.archlinux.org/news/end-of-initscripts-support/}}<br />
<br />
=== Set up PolicyKit permissions ===<br />
<br />
See [[General Troubleshooting#Session permissions]] for setting up a working session.<br />
<br />
With a working session, you have several options for granting the necessary privileges to NetworkManager:<br />
<br />
''Option 1.'' Run a [[PolicyKit]] authentication agent when you log in, such as {{ic|/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1}} (part of {{Pkg|polkit-gnome}}). You will be prompted for your password whenever you add or remove a network connection.<br />
<br />
''Option 2.'' Add yourself to the {{ic|wheel}} group. You will not have to enter your password, but your user account may be granted other permissions as well, such as the ability to use [[sudo]] without entering the root password.<br />
<br />
''Option 3.'' Add yourself to the {{ic|network}} group and create the following file:<br />
{{hc|/etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules|<nowiki><br />
polkit.addRule(function(action, subject) {<br />
if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {<br />
return polkit.Result.YES;<br />
}<br />
});</nowiki>}}<br />
All users in the {{ic|network}} group will be able to add and remove networks without a password. This will not work under systemd if you do not have an active session with [[Systemd#Using_systemd-logind|systemd-logind]].<br />
<br />
=== Network services with NetworkManager dispatcher===<br />
<br />
There are quite a few network services that you will not want running until NetworkManager brings up an interface. Good examples are [[OpenNTPD]] and network filesystem mounts of various types (e.g. '''netfs'''). NetworkManager has the ability to start these services when you connect to a network and stop them when you disconnect.<br />
<br />
To use this feature, scripts can be added to the {{ic|/etc/NetworkManager/dispatcher.d}} directory. These scripts need to be executable. For security, it is good practice to make them owned by '''root:root''' and writable only by the owner.<br />
<br />
The scripts will be run in alphabetical order at connection time, and in reverse alphabetical order at disconnect time. They receive two arguments: the name of the interface (e.g. ''eth0'') and the status (''up'' or ''down''). To control the order in which they run, it is common to prefix the script name with a number (e.g. {{ic|10_portmap}} and {{ic|30_netfs}}, which ensures that the portmapper is up before NFS mounts are attempted).<br />
<br />
{{Warning|For security reasons, you should disable write access for group and other, for example by using mode 755.<br />
Otherwise NetworkManager can refuse to execute the script, with the error message "nm-dispatcher.action: Script could not be executed: writable by group or other, or set-UID." in {{ic|/var/log/messages.log}} }}<br />
{{Warning|if you connect to foreign or public networks, be aware of what services you are starting and what servers you expect to be available for them to connect to. You could make a security hole by starting the wrong services while connected to a public network.}}<br />
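A check for the ownership and permission rules above, added here as an example and not part of the wiki page: it audits every file in a dispatcher directory and reports which ones nm-dispatcher would reject. It assumes GNU coreutils {{ic|stat}}; the expected owner uid is a parameter (default 0, root) only so the constructed fixture can be audited without root.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: audit a NetworkManager
# dispatcher.d directory against the rules stated above. nm-dispatcher
# refuses scripts that are writable by group or other, or set-UID; the
# page also wants them executable and owned by root.
#
# audit_dispatcher_dir DIR [EXPECTED_UID]
#   Prints "OK name" or "REJECT name: reason[; reason]" for each file and
#   returns 0 only if every file passes. EXPECTED_UID defaults to 0 (root)
#   and is a parameter only so the check can be exercised unprivileged.
#   Assumes GNU coreutils stat (-c '%u' and '%a').
audit_dispatcher_dir() {
    dir=$1
    want_uid=${2:-0}
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        uid=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")        # octal, e.g. 755 or 4755
        other=${mode#"${mode%?}"}        # last digit: permissions for other
        rest=${mode%?}
        group=${rest#"${rest%?}"}        # second-to-last digit: group
        reasons=""
        [ "$uid" = "$want_uid" ] || reasons="$reasons; not owned by uid $want_uid"
        [ -x "$f" ] || reasons="$reasons; not executable"
        if [ -u "$f" ]; then reasons="$reasons; set-UID"; fi
        # the write bit (2) is set in the octal digits 2, 3, 6 and 7
        case $group in 2|3|6|7) reasons="$reasons; writable by group" ;; esac
        case $other in 2|3|6|7) reasons="$reasons; writable by other" ;; esac
        if [ -z "$reasons" ]; then
            echo "OK $name"
        else
            echo "REJECT $name:${reasons#;}"
            status=1
        fi
    done
    return $status
}

# Builds a throw-away directory of constructed sample scripts (one good,
# three that nm-dispatcher would reject) and prints its path.
make_fixture() {
    d=$(mktemp -d)
    for n in 10_good 20_group_writable 30_other_writable 40_not_executable; do
        printf '#!/bin/sh\n# constructed sample dispatcher script\n' > "$d/$n"
    done
    chmod 755 "$d/10_good"
    chmod 775 "$d/20_group_writable"
    chmod 757 "$d/30_other_writable"
    chmod 644 "$d/40_not_executable"
    echo "$d"
}

# Stand-alone use:
#   sh audit.sh audit   -> audit /etc/NetworkManager/dispatcher.d (run as root)
#   sh audit.sh demo    -> run the audit over the constructed fixture
case "${1:-}" in
    audit) audit_dispatcher_dir "${2:-/etc/NetworkManager/dispatcher.d}" ;;
    demo)  d=$(make_fixture); audit_dispatcher_dir "$d" "$(id -u)"; rm -rf "$d" ;;
esac
```

Any REJECT line names a script that nm-dispatcher will skip, which is the symptom described in the warning above.<br />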
<br />
==== Start OpenNTPD ====<br />
<br />
The following example starts the OpenNTPD daemon when an interface is brought up. Save the file as {{ic|/etc/NetworkManager/dispatcher.d/20_openntpd}} and make it executable.<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
<br />
INTERFACE=$1 # The interface which is brought up or down<br />
STATUS=$2 # The new state of the interface<br />
<br />
case "$STATUS" in<br />
'up') # $INTERFACE is up<br />
exec rc.d start openntpd<br />
;;<br />
'down') # $INTERFACE is down<br />
# Check for active interface and down if no one active<br />
if [ "$(nm-tool|grep State|cut -f2 -d' ')" != "connected" ]; then<br />
exec rc.d stop openntpd<br />
fi<br />
;;<br />
esac<br />
</nowiki>}}<br />
<br />
==== Mount remote folder with sshfs ====<br />
<br />
As the script is run in a very restrictive environment, you have to export {{ic|SSH_AUTH_SOCK}} in order to connect to your SSH agent. There are different ways to accomplish this; see [https://bbs.archlinux.org/viewtopic.php?pid=1042030#p1042030 this link] for more information. The example below works with [[gnome-keyring]], and will ask you for the password if it is not unlocked already. In case NetworkManager connects automatically on login, it is likely gnome-keyring has not yet started and the export will fail (hence the sleep). The {{ic|UUID}} to match can be found in {{ic|/etc/NetworkManager/system-connections/}}.<br />
<br />
#!/bin/bash<br />
USER=<your sshfs user><br />
if [ "$CONNECTION_UUID" = "<connection UUID>" ]; then<br />
case "$2" in<br />
<br />
up)<br />
#sleep 10<br />
export SSH_AUTH_SOCK=$(find /tmp/keyring-*/ -type s -user "$USER" -group users -name ssh)<br />
su "$USER" -c "/usr/bin/sshfs user@host:/remote/folder /local/folder/"<br />
;;<br />
<br />
down)<br />
fusermount -u /local/folder<br />
;;<br />
esac<br />
fi<br />
<br />
==== Use dispatcher to connect to a VPN after a network-connection is established ====<br />
<br />
In this example we want to connect automatically to a previously defined VPN connection after connecting to a specific WiFi network. The first thing to do is to create the dispatcher script that defines what to do after we are connected to the network.<br />
<br />
:1. Create the dispatcher script:<br />
{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki><br />
#!/bin/sh<br />
VPN_NAME=<name of VPN connection defined in NetworkManager><br />
ESSID=<wifi network ESSID (not connection name)><br />
if [ "$2" = "up" -o "$2" = "vpn-down" ]; then # -o "$2" = "vpn-down" makes VPN reconnect after VPN connection interrupt<br />
if [ "$(iwgetid | grep ':"'$ESSID'"')" ]; then # check for ESSID match<br />
nmcli con up id "$VPN_NAME"; # quotes needed for VPN connection names with spaces<br />
fi<br />
elif [ "$2" = "down" ]; then # disconnect VPN prior to disconnecting from the network<br />
if [ "$(iwgetid | grep ':"'$ESSID'"')" ]; then # check for ESSID match and that VPN is actually connected<br />
if nmcli con status id "$VPN_NAME" | grep -q activated; then # grep -q: a "grep -c" count of 0 would still test true inside [ ]<br />
nmcli con down id "$VPN_NAME";<br />
fi<br />
fi<br />
fi<br />
</nowiki>}}<br />
Remember to make it executable with {{ic|chmod +x}} and to make the VPN connection available to all users. <br />
<br />
Trying to connect using this setup will fail and NetworkManager will complain about 'no valid VPN secrets', because of [http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html the way VPN secrets are stored] which brings us to step 2:<br />
<br />
:2. Edit your VPN connection configuration file to make NetworkManager store the secrets by itself rather than inside a keyring [https://bugzilla.redhat.com/show_bug.cgi?id=710552 that will be inaccessible for root]: open up {{ic|/etc/NetworkManager/system-connections/<name of your VPN connection>}} and change the {{ic|password-flags}} and {{ic|secret-flags}} from {{ic|1}} to {{ic|0}}.<br />
<br />
{{Note|It may now be necessary to re-open the NetworkManager connection editor and re-enter the VPN passwords/secrets.}}<br />
<br />
==== Use /etc/rc.conf to control services started by networkmanager ====<br />
<br />
Some Arch users may dislike having two places where the launching of daemons is configured. Using this method, network services started by NetworkManager are controlled from {{ic|rc.conf}} by the use of a {{ic|NET_DAEMONS}} array in the same fashion as the typical {{ic|DAEMONS}} array.<br />
<br />
# Install {{AUR|networkmanager-dispatcher-net_daemons}} from the [[AUR]].<br />
# Ensure ''dbus'' and ''networkmanager'' are both in the {{ic|DAEMONS}} line in {{ic|rc.conf}}.<br />
# Add a {{ic|NET_DAEMONS}} line to rc.conf which includes all services you do not want started until after the network connection is established.<br />
<br />
Example {{ic|DAEMONS}} and {{ic|NET_DAEMONS}} in {{ic|rc.conf}} are shown below:<br />
<br />
{{bc|<nowiki><br />
# DAEMONS<br />
# -------<br />
#<br />
DAEMONS=(syslog-ng crond dbus networkmanager)<br />
NET_DAEMONS=(iptables nscd sshd samba avahi-daemon avahi-dnsconfd openntpd)<br />
</nowiki>}}<br />
<br />
=== Proxy settings ===<br />
<br />
NetworkManager does not directly handle proxy settings, but if you are using GNOME, you could use [http://marin.jb.free.fr/proxydriver/ proxydriver], which handles proxy settings using NetworkManager's information. You can find the package for {{AUR|proxydriver}} in the [[AUR]].<br />
<br />
In order for proxydriver to be able to change the proxy settings, you would need to execute this command, as part of the GNOME startup process (System -> Preferences -> Startup Applications):<br />
<br />
xhost +si:localuser:your_username<br />
<br />
See: [[Proxy settings]]<br />
<br />
== Testing ==<br />
<br />
NetworkManager applets are designed to load upon login so no further configuration should be necessary for most users. If you have already disabled your previous network settings and disconnected from your network, you can now test if NetworkManager will work. The first step is to [[Daemon|start]] the ''networkmanager'' daemon.<br />
<br />
Some applets will provide you with a {{ic|.desktop}} file so that the NetworkManager applet can be loaded through the application menu. If it does not, you will either have to discover the command to use or log out and log in again to start the applet. Once the applet is started, it will likely begin polling network connections for auto-configuration with a DHCP server.<br />
<br />
To start the GNOME applet in non-xdg-compliant window managers like [[Awesome]]:<br />
<br />
nm-applet --sm-disable &<br />
<br />
For static IPs you will have to configure NetworkManager to understand them. The process usually involves right-clicking the applet and selecting something like 'Edit Connections'.<br />
<br />
== Troubleshooting ==<br />
<br />
Some fixes to common problems.<br />
<br />
=== No traffic via PPTP tunnel ===<br />
<br />
The PPTP connection logs in successfully and you see a ppp0 interface with the correct VPN IP, but you cannot even ping the remote IP. This is due to the lack of MPPE (Microsoft Point-to-Point Encryption) support in the stock Arch pppd. It is recommended to first try with the stock Arch {{Pkg|ppp}} as it may work as intended.<br />
<br />
To solve the problem it should be sufficient to install {{AUR|ppp-mppe}} from the [[AUR]].<br />
<br />
=== Network management disabled ===<br />
<br />
Sometimes NetworkManager shuts down but the pid (state) file does not get removed, and you will get a 'Network management disabled' message. If this happens, you will have to remove it manually:<br />
<br />
# rm /var/lib/NetworkManager/NetworkManager.state<br />
<br />
If this happens upon reboot, you can add an action to your {{ic|/etc/rc.local}} to have it removed upon bootup:<br />
<br />
{{bc|<nowiki>nmpid=/var/lib/NetworkManager/NetworkManager.state<br />
[ -f $nmpid ] && rm $nmpid</nowiki>}}<br />
<br />
=== NetworkManager prevents DHCPCD from using resolv.conf.head and resolv.conf.tail ===<br />
<br />
Sometimes it is problematic to add static items to {{ic|resolv.conf}} when it is constantly rewritten by NetworkManager and {{ic|dhcpcd}}. A simple solution is using the following script:<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
# <br />
# /etc/NetworkManager/dispatcher.d/99-resolv.conf-head_and_tail<br />
# Include /etc/resolv.conf.head and /etc/resolv.conf.tail to /etc/resolv.conf<br />
#<br />
# scripts in the /etc/NetworkManager/dispatcher.d/ directory<br />
# are called alphabetically and are passed two parameters:<br />
# $1 is the interface name, and $2 is “up” or “down” as the<br />
# case may be.<br />
<br />
resolvconf='/etc/resolv.conf';<br />
cat "$resolvconf"{.head,,.tail} 2>/dev/null > "$resolvconf".tmp<br />
mv -f "$resolvconf".tmp "$resolvconf"<br />
</nowiki>}}<br />
<br />
This script is also available in the [https://aur.archlinux.org/packages/networkmanager-dispatch-resolv AUR] for convenience.<br />
<br />
=== Preserving changes to resolv.conf ===<br />
<br />
NetworkManager will attempt to write DNS information from DHCP into {{ic|/etc/resolv.conf}}, overwriting the existing contents. To prevent this, you can set the immutable bit on the file:<br />
# chattr +i /etc/resolv.conf<br />
<br />
To modify the file in the future, first remove the immutable bit:<br />
# chattr -i /etc/resolv.conf<br />
<br />
=== DHCP problems ===<br />
<br />
If you have problems with getting an IP via DHCP, try to add the following to your {{ic|/etc/dhclient.conf}}:<br />
interface "eth0" {<br />
send dhcp-client-identifier 01:aa:bb:cc:dd:ee:ff;<br />
}<br />
Where {{ic|aa:bb:cc:dd:ee:ff}} is the MAC address of this NIC. The MAC address can be found using the {{ic|ip link show eth0}} command from the {{Pkg|iproute2}} package.<br />
<br />
For some (non-compliant) routers, you will not be able to connect properly unless you comment out the line<br />
require dhcp_server_identifier<br />
in {{ic|/etc/dhcpcd.conf}} (note that this file is distinct from {{ic|dhcpd.conf}}). This should not cause issues unless you have multiple DHCP servers on your network (not typical); see [http://technet.microsoft.com/en-us/library/cc977442.aspx this page] for more information.<br />
<br />
=== Hostname problems ===<br />
<br />
Add the following line to {{ic|/etc/NetworkManager/NetworkManager.conf}}:<br />
dhcp=dhcpcd<br />
then restart NetworkManager:<br />
# systemctl restart NetworkManager<br />
Source: [https://bbs.archlinux.org/viewtopic.php?id=152376 Arch Linux forum thread]<br />
<br />
=== Missing default route ===<br />
<br />
On at least one KDE4 system, no default route was created when establishing wireless connections with NetworkManager. Changing the route settings of the wireless connection to remove the default selection "Use only for resources on this connection" solved the issue.<br />
<br />
=== 3G modem not detected ===<br />
<br />
If NetworkManager (from v0.7.999) does not detect your 3G modem, but you can still connect using [[wvdial]], try installing <br />
{{Pkg|modemmanager}} and restarting the NetworkManager daemon with {{ic|rc.d restart networkmanager}}. It may also be necessary to replug or restart your modem. This utility provides support for hardware not in NetworkManager's default database.<br />
<br />
=== Switching off WLAN on laptops ===<br />
<br />
Sometimes NetworkManager will not work when you disable your WiFi adapter with a switch on your laptop and try to enable it again afterwards. This is often a problem with {{ic|rfkill}}. Install {{Pkg|rfkill}} from the [[official repositories]] and use <br />
<br />
$ watch -n1 rfkill list all<br />
<br />
to check if the driver notifies {{ic|rfkill}} about the wireless adapter's status.<br />
If one identifier stays blocked after you switch on the adapter you could try to manually unblock it with (where X is the number of the identifier provided by the above output):<br />
<br />
# rfkill event unblock X<br />
<br />
=== Static IP settings revert to DHCP ===<br />
<br />
Due to an unresolved bug, when changing default connections to static IP, {{ic|nm-applet}} may not properly store the configuration change, and will revert to automatic DHCP.<br />
<br />
To work around this issue you have to edit the default connection (e.g. "Auto eth0") in {{ic|nm-applet}}, change the connection name (e.g. "my eth0"), uncheck the "Available to all users" checkbox, change your static IP settings as desired, and click '''Apply'''. This will save a new connection with the given name.<br />
<br />
Next, you will want to make the default connection not connect automatically. To do so, run<br />
<br />
$ sudo nm-connection-editor # you must use sudo, not su<br />
<br />
In the connection editor, edit the default connection (e.g. "Auto eth0") and uncheck "Connect automatically". Click '''Apply''' and close the connection editor.<br />
<br />
=== Cannot edit connections as normal user ===<br />
<br />
See [[#Set_up_PolicyKit_permissions]].<br />
<br />
=== Forget hidden wireless network ===<br />
<br />
Since hidden networks are not displayed in the selection list of the Wireless view, they cannot be forgotten (removed) with the GUI. You can delete one with the following command:<br />
<br />
# rm /etc/NetworkManager/system-connections/[SSID]<br />
$ sudo rm /etc/NetworkManager/system-connections/[SSID] # sudo equivalent<br />
<br />
This works for any other connection.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Sharing internet connection over wifi ===<br />
<br />
You can share your internet connection (e.g. 3G or wired) with a few clicks using NetworkManager. You will need a supported Wi-Fi card (cards based on Atheros AR9xx, or at least AR5xx, are probably the best choice).<br />
<br />
==== Ad-hoc ====<br />
<br />
* pacman -S dnsmasq<br />
* custom dnsmasq.conf may interfere with nm (not sure about this, but I think so)<br />
* Click on nm-applet -> Create new wireless network<br />
* Follow the wizard (if using WEP be sure to use a 5 or 13 character long password, different lengths will fail)<br />
* Settings will remain stored for next time you'll need it<br />
<br />
==== Full AP ====<br />
<br />
Infrastructure mode (which is needed by Android phones, as they intentionally do not support ad-hoc) is not currently supported by NetworkManager, but it is in active development...<br />
<br />
=== Checking if networking is up inside a cron job or script ===<br />
<br />
Some cron jobs require networking to be up to succeed. You may wish to avoid running these jobs when the network is down. To accomplish this, add an '''if''' test for networking that queries NetworkManager's {{ic|nm-tool}} and checks the state of networking. The test shown here succeeds if any interface is up, and fails if they are all down. This is convenient for laptops that might be hardwired, might be on wireless, or might be off the network. <br />
if [ "$(nm-tool | grep State | head -n 1 | cut -f2 -d' ')" = "connected" ]; then # quoted, and only the first State line, so an empty or multi-line result cannot break the test<br />
#Whatever you want to do if the network is online<br />
else<br />
#Whatever you want to do if the network is offline - note, this and the else above are optional<br />
fi<br />
<br />
This is useful for a {{ic|cron.hourly}} script that runs {{ic|fpupdate}} for the F-Prot virus scanner signature update, as an example. Another way it might be useful, with a little modification, is to differentiate between networks using various parts of the output from {{ic|nm-tool}}; for example, since the active wireless network is denoted with an asterisk, you could grep for the network name and then grep for a literal asterisk.<br />
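The same checks written as functions that parse {{ic|nm-tool}}-style output, including the asterisk trick for the active wireless network. This is an added example, not code from the wiki; the sample output is constructed to resemble nm-tool's and the function names are assumptions.<br />

```shell
#!/bin/bash
# Added example (not from the wiki page): parse nm-tool style output
# robustly. NM_TOOL_SAMPLE_* are constructed to resemble nm-tool output;
# the function names are assumptions.

# Global state from nm-tool output on stdin. Only the unindented "State:"
# line counts; the indented per-device "  State:" lines (which a plain
# `grep State` also matches) are skipped.
nm_global_state() {
    awk '/^State:/ { print $2; exit }'
}

# Succeeds when the global state is "connected"; fails on anything else,
# including empty input (nm-tool missing or NetworkManager not running).
network_is_up() {
    [ "$(nm_global_state)" = "connected" ]
}

# Name of the active wireless network: nm-tool marks the current AP with a
# leading asterisk, e.g. "    *HomeNet:   Infra, ...". Prints nothing when
# no AP is marked.
active_wifi_name() {
    awk '/^[[:space:]]*\*/ { sub(/^[[:space:]]*\*/, ""); sub(/:.*$/, ""); print; exit }'
}

# Constructed sample output (not captured from a real machine).
NM_TOOL_SAMPLE_CONNECTED='NetworkManager Tool

State: connected (global)

- Device: wlan0  [HomeNet] -----------------------------------------------------
  Type:              802.11 WiFi
  Driver:            ath9k
  State:             connected
  Default:           yes

  Wireless Access Points (* = current AP)
    OtherNet:        Infra, 00:11:22:33:44:66, Freq 2437 MHz, Rate 54 Mb/s, Strength 40 WPA2
    *HomeNet:        Infra, 00:11:22:33:44:55, Freq 2412 MHz, Rate 54 Mb/s, Strength 80 WPA2
'

NM_TOOL_SAMPLE_DOWN='NetworkManager Tool

State: disconnected

- Device: wlan0 ----------------------------------------------------------------
  Type:              802.11 WiFi
  State:             disconnected
'

# In a cron script the real tool replaces the sample, e.g.:
#   nm-tool | network_is_up && /usr/bin/fpupdate
```

Feeding the functions through a pipe keeps them usable both with the live tool and with captured output, which is convenient when debugging why a cron job thinks the network is down.<br />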
<br />
=== Automatically unlock keyring after login ===<br />
<br />
==== GNOME ====<br />
<br />
# Right click on the {{ic|nm-applet}} icon in your panel and select Edit Connections and open the Wireless tab<br />
# Select the connection you want to work with and click the Edit button<br />
# Check the boxes “Connect Automatically” and “Available to all users”<br />
Log out and log back in to complete.<br />
<br />
{{Note|The following method is dated and known not to work on at least one machine!}}<br />
* In {{ic|/etc/pam.d/gdm}} (or your corresponding daemon in {{ic|/etc/pam.d}}), add these lines at the end of the "auth" and "session" blocks if they do not exist already: <br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
<br />
* In {{ic|/etc/pam.d/passwd}}, use this line for the 'password' block:<br />
password optional pam_gnome_keyring.so<br />
<br />
:Next time you log in, you should be asked if you want the password to be unlocked automatically on login.<br />
<br />
==== KDE ====<br />
{{Note|See http://live.gnome.org/GnomeKeyring/Pam for reference, and if you are using KDE with KDM, you can use {{AUR|pam-keyring-tool}} from the [[AUR]].}}<br />
<br />
Put a script like the following in {{ic|~/.kde4/Autostart}}:<br />
#!/bin/sh<br />
echo PASSWORD | /usr/bin/pam-keyring-tool --unlock --keyring=default -s<br />
Something similar should work with Openbox, LXDE, etc.<br />
<br />
==== SLiM login manager ====<br />
<br />
*In {{ic|/etc/pam.d/slim}}, add these lines at the end of the "auth" and "session" blocks if they do not exist already: <br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
<br />
*In {{ic|/etc/pam.d/passwd}}, use this line for the 'password' block:<br />
password optional pam_gnome_keyring.so<br />
<br />
*In {{ic|~/.xinitrc}}, add this at the very top, before launching your window manager and other applications:<br />
# test for an existing bus daemon, just to be safe<br />
if test -z "$DBUS_SESSION_BUS_ADDRESS" ; then<br />
# if not found, launch a new one<br />
eval `dbus-launch --sh-syntax --exit-with-session`<br />
echo "D-Bus per-session daemon address is: $DBUS_SESSION_BUS_ADDRESS"<br />
fi<br />
<br />
:Next time you log in, you should be asked if you want the password to be unlocked automatically on login.<br />
<br />
=== Ignore specific devices ===<br />
<br />
Sometimes it may be desired that NetworkManager ignores specific devices and does not try to configure addresses and routes for them.<br />
<br />
:1. You can quickly and easily ignore devices by MAC by using the following in {{ic|/etc/NetworkManager/NetworkManager.conf}} :<br />
[keyfile]<br />
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4<br />
:After you have put this in, [[Daemon|restart]] NetworkManager, and you should be able to configure interfaces without NetworkManager altering what you have set.<br />
<br />
:2. If that is not appropriate, you could ignore by HAL.<br />
::* First you have to find out the Hal UDI (e.g. with {{ic|lshal}}):<br />
...<br />
info.product = 'Networking Interface' (string)<br />
info.subsystem = 'net' (string)<br />
info.udi = '/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55' (string)<br />
linux.hotplug_type = 2 (0x2) (int)<br />
linux.subsystem = 'net' (string)<br />
...<br />
<br />
::* Add the udi to {{ic|/etc/NetworkManager/nm-system-settings.conf}}:<br />
[keyfile]<br />
unmanaged-devices=/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55<br />
<br />
:Multiple devices can be specified, delimited by semicolons:<br />
<br />
[keyfile]<br />
unmanaged-devices=/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55;/org/freedesktop/Hal/devices/net_00_2c_6d_e2_08_af<br />
<br />
:You do not need to restart NetworkManager for the changes to take effect.<br />
<br />
:3. Devices can also be ignored at boot time by using the following script (replace {{ic|NetworkManager.conf}} with {{ic|nm-system-settings.conf}} if using a version of NetworkManager older than 0.8.1):<br />
#!/bin/sh<br />
# author: tim noise <darknoise@drkns.net><br />
# Appends one unmanaged-devices= line listing every HAL network UDI found by lshal.<br />
COUNT=0<br />
TARGET_FILE="/etc/NetworkManager/NetworkManager.conf"<br />
for i in `lshal | grep -A6 'Networking Interface' | awk -F "'" '/info.udi = / {print $2}'`; do<br />
if [ $COUNT = 0 ]; then<br />
COUNT=$((COUNT+1)) # arithmetic, not the string "0+1"<br />
echo "unmanaged-devices=$i" >> "$TARGET_FILE"<br />
else<br />
echo -n ";$i" >> "$TARGET_FILE"<br />
fi<br />
done<br />
printf "\n" >> "$TARGET_FILE"<br />
<br />
:It can be changed to ignore WiFi devices, etc. being used on a non-persistent filesystem.<br />
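The three variants above all end up editing the same {{ic|unmanaged-devices}} key. The functions below build that value from MAC entries and HAL UDIs and write it into the {{ic|[keyfile]}} section without duplicating the key (the boot-time script appends a new line on every boot). This is an added example, not code from the wiki; the function names are assumptions.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): build the unmanaged-devices= value
# and write it into the [keyfile] section of NetworkManager.conf without
# duplicating the key. Function names are assumptions.

# Join device identifiers with ";" (the separator NetworkManager expects).
# Accepts mac:xx:xx:xx:xx:xx:xx entries and HAL UDIs; anything else is an error.
build_unmanaged_value() {
    _out=""
    for _id in "$@"; do
        case $_id in
            mac:??:??:??:??:??:??|/org/freedesktop/Hal/devices/*) ;;
            *) echo "build_unmanaged_value: unrecognised identifier '$_id'" >&2; return 1 ;;
        esac
        if [ -z "$_out" ]; then _out=$_id; else _out="$_out;$_id"; fi
    done
    printf '%s' "$_out"
}

# Write $2 as the unmanaged-devices= value in the [keyfile] section of $1,
# replacing any existing unmanaged-devices= lines there and appending the
# section when the file lacks one. The file is rewritten via a temp copy.
set_unmanaged_devices() {
    _file=$1 _value=$2 _tmp="$1.tmp.$$"
    if [ -f "$_file" ] && grep -q '^\[keyfile\]' "$_file"; then
        awk -v val="$_value" '
            /^\[keyfile\]/ { print; print "unmanaged-devices=" val; in_kf = 1; next }
            /^\[/          { in_kf = 0 }
            in_kf && /^unmanaged-devices=/ { next }   # drop the old line(s)
            { print }
        ' "$_file" > "$_tmp"
    else
        {
            if [ -f "$_file" ]; then cat "$_file"; fi
            printf '[keyfile]\nunmanaged-devices=%s\n' "$_value"
        } > "$_tmp"
    fi
    mv -f "$_tmp" "$_file"
}

# Print the current unmanaged-devices= value from the [keyfile] section
# of $1 (nothing if unset or if the file does not exist).
get_unmanaged_devices() {
    [ -f "$1" ] || return 0
    awk '
        /^\[keyfile\]/ { in_kf = 1; next }
        /^\[/          { in_kf = 0 }
        in_kf && /^unmanaged-devices=/ { print substr($0, index($0, "=") + 1); exit }
    ' "$1"
}
```

Usage would be {{ic|set_unmanaged_devices /etc/NetworkManager/NetworkManager.conf "$(build_unmanaged_value mac:00:22:68:1c:59:b1)"}} as root, after which {{ic|get_unmanaged_devices}} shows what NetworkManager will read back; other sections of the file are passed through untouched.<br />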
<br />
=== Connect faster ===<br />
<br />
==== Disabling IPv6 ====<br />
<br />
Slow connection or reconnection to the network may be due to superfluous IPv6 queries in NetworkManager. If there is no IPv6 support on the local network, connecting to a network may take longer than normal while NetworkManager tries to establish an IPv6 connection that eventually times out. The solution is to disable IPv6 within NetworkManager which will make network connection faster. This has to be done once for every network you connect to.<br />
<br />
* Right-click on the network status icon.<br />
* Click on "Edit Connections".<br />
* Go to the "Wired" or "Wireless" tab, as appropriate.<br />
* Select the name of the network.<br />
* Click on "Edit".<br />
* Go to the "IPv6 Settings" tab.<br />
* In the "Method" dropdown, choose "Ignore/Disabled".<br />
* Click on "Save".<br />
<br />
==== Speed up DHCP by disabling ARP probing in DHCPCD ====<br />
<br />
{{ic|dhcpcd}} implements a recommendation of the DHCP standard ([http://www.ietf.org/rfc/rfc2131.txt RFC2131] section 2.2) to check via ARP whether the assigned IP address is really free. This is mostly unnecessary in home networks, so you can save about 5 seconds on every connect by adding the following line to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noarp<br />
<br />
This is equivalent to passing {{ic|--noarp}} to {{ic|dhcpcd}}, and disables the described ARP probing, speeding up connections to networks with DHCP.<br />
<br />
==== Use OpenDNS servers ====<br />
<br />
Create {{ic|/etc/resolv.conf.opendns}} with the nameservers:<br />
<br />
nameserver 208.67.222.222<br />
nameserver 208.67.220.220<br />
<br />
And have the dispatcher replace the discovered DHCP servers with the OpenDNS ones:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/dns-servers-opendns|<nowiki><br />
#!/bin/bash<br />
# Use OpenDNS servers over DHCP discovered servers<br />
<br />
cp -f /etc/resolv.conf.opendns /etc/resolv.conf</nowiki>}}<br />
<br />
Make the script executable:<br />
<br />
# chmod +x /etc/NetworkManager/dispatcher.d/dns-servers-opendns</div>Harviehttps://wiki.archlinux.org/index.php?title=MSI_Wind_U100&diff=180398MSI Wind U1002012-01-26T15:23:49Z<p>Harvie: /* Networking */</p>
<hr />
<div>{{i18n|MSI Wind U100}}<br />
[[Category:MSI (English)]] <br />
This article pertains to the MSI Wind U100 netbook/sub-notebook.<br />
<br />
==Hardware==<br />
* CPU: Intel Atom N270 1.6Ghz<br />
* RAM: 1024 Mb, DDR2 667Mhz (optional)<br />
* HDD: WD 80Gb SATA (optional)<br />
* VGA: Intel 945 GMA, 64 MB DDR<br />
* LCD: 1024x600, 10.2" widescreen<br />
* WLAN: Realtek RTL8187SE, 802.11 a/b/g<br />
* LAN: Realtek RTL8101/02<br />
* CAM: 1.3 Mpix<br />
* BAT: LI-ON 3 cell 2200 mAh, 2 hours (optional)<br />
* Bluetooth, card reader, 3x USB 2.0<br />
* Touchpad: Synaptics or Sentelic<br />
<br />
===lspci===<br />
00:00.0 Host bridge: Intel Corporation Mobile 945GME Express Memory Controller Hub (rev 03) <br />
00:02.0 VGA compatible controller: Intel Corporation Mobile 945GME Express Integrated Graphics Controller (rev 03)<br />
00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)<br />
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)<br />
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 02)<br />
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 02)<br />
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 (rev 02)<br />
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 (rev 02)<br />
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 (rev 02)<br />
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 (rev 02)<br />
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 02)<br />
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)<br />
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)<br />
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) SATA IDE Controller (rev 02)<br />
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101E/RTL8102E PCI Express Fast Ethernet controller (rev 02)<br />
02:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8187SE Wireless LAN Controller (rev 22)<br />
<br />
Some have other wireless cards:<br />
02:00.0 Network controller: Atheros Communications Inc. AR928X Wireless Network Adapter (PCI-Express) (rev 01)<br />
<br />
==Installing==<br />
There are several possible ways to install Arch onto an MSI Wind U100. The most usual methods are booting from a USB stick/memory card, or from an external CD/DVD drive. Refer to the Beginners' Guide [[Beginners' Guide#CD installer|CD installer]] part for instructions on obtaining an ISO image and burning it to a CD, or consult the [[Beginners' Guide#USB stick|USB stick]] section for indications on writing the image to a USB device.<br />
<br />
Regardless of choice, finish by hooking up the external device (CD drive or USB stick) to the notebook. Hold the F11 key while booting in order to get to the boot device menu, then proceed by selecting the appropriate device and install as normal.<br />
<br />
==CPU==<br />
===cpufreq===<br />
You should use the '''acpi-cpufreq''' driver, which will allow you to slow down your CPU to 800MHz. The p4-clockmod driver will work too, but it is not intended to be used with governors like ondemand: it is too slow to react to be suitable for automatic scaling based on CPU usage, so the kernel will refuse to use such governors with it. It should be used only for manual underclocking via hotkeys or ACPI events such as AC disconnection (it can, however, underclock the CPU down to 200MHz). You will probably also want to use the '''cpufreq-ondemand''' governor.<br />
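A small script that applies this rule through sysfs: it reads which cpufreq driver is loaded, checks that the kernel offers ondemand, and only then selects it (falling back to a manual governor for p4-clockmod). This is an added example, not code from the wiki; {{Ic|SYSFS_ROOT}} is a hypothetical override so the functions can be exercised against a constructed directory tree, and the function names are assumptions.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): pick the ondemand governor only when
# the loaded cpufreq driver supports it. SYSFS_ROOT is a hypothetical override
# so the functions can be exercised against a constructed directory tree.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}

cpu0_dir() { printf '%s' "$SYSFS_ROOT/devices/system/cpu/cpu0/cpufreq"; }

# Print the loaded driver name (acpi-cpufreq, p4-clockmod, ...), nothing if none.
cpufreq_driver() { cat "$(cpu0_dir)/scaling_driver" 2>/dev/null; }

# Succeed if governor $1 is listed in scaling_available_governors.
governor_available() {
    for g in $(cat "$(cpu0_dir)/scaling_available_governors" 2>/dev/null); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Print the governor that fits the loaded driver:
#   acpi-cpufreq -> ondemand (if the kernel offers it, else performance)
#   p4-clockmod  -> userspace (the kernel refuses load-based governors here)
recommended_governor() {
    case $(cpufreq_driver) in
        acpi-cpufreq) if governor_available ondemand; then echo ondemand; else echo performance; fi ;;
        p4-clockmod)  echo userspace ;;
        "")           echo "no cpufreq driver loaded (try: modprobe acpi-cpufreq)" >&2; return 1 ;;
        *)            echo performance ;;
    esac
}

# Write the recommended governor to every CPU's scaling_governor and print it.
apply_governor() {
    gov=$(recommended_governor) || return 1
    for d in "$SYSFS_ROOT"/devices/system/cpu/cpu[0-9]*/cpufreq; do
        if [ -w "$d/scaling_governor" ]; then
            printf '%s\n' "$gov" > "$d/scaling_governor"
        fi
    done
    printf '%s' "$gov"
}
```

Run as root (the sysfs files are root-writable); with the real {{Ic|/sys}} it does what {{Ic|cpufreq-set -g ondemand}} would, but refuses to pick a load-based governor when the loaded driver cannot support one.<br />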
===overclock===<br />
It is possible to overclock the MSI Wind using an upgraded BIOS. The overclock (turbo mode) can be activated with Fn+F10, however, this overclock is not reported in /proc/cpuinfo or by cpufreq-info.<br />
<br />
==Multimedia==<br />
===Audio===<br />
Audio is supported through ALSA with virtually no configuration. Following the [[ALSA]] article should cover all that is needed.<br />
<br />
===Video===<br />
The on-board graphics uses the Intel driver. To install with [[pacman]]:<br />
# pacman -S xf86-video-intel<br />
<br />
Aside from that, there are no out-of-the-ordinary configuration steps. Consult [[Xorg]] and [[Intel]] for more information.<br />
<br />
===Webcam===<br />
First, do not forget to activate the webcam with the hotkey Fn+F6. If it's still not working, then try loading the module. The webcam should be supported through the {{Ic|uvcvideo}} module by default, if not: <br />
# modprobe uvcvideo<br />
<br />
To load the webcam driver automatically, adding uvcvideo to the {{Ic|MODULES}} array in {{filename|/etc/[[rc.conf]]}} may be needed:<br />
MODULES=(uvcvideo)<br />
<br />
The webcam uses a resolution of 640x480. As a warning, recording video with higher resolutions may result in a lower framerate.<br />
<br />
==Networking==<br />
===Wireless===<br />
<br />
Determine which card the particular u100 version has by running {{Ic|lspci}}. These are the possibilities:<br />
*Realtek 8187se B/G<br />
*Ralink RT2860 B/G/N<br />
*Atheros AR928X B/G/N<br />
<br />
The {{Ic|lspci}} output should mention the company name.<br />
<br />
====Realtek====<br />
Since kernel 2.6.29 there's a working driver included in the staging line. The module is {{Ic|rtl8187se}} and should get loaded without intervention. This network adapter is known to be buggy, so it's unlikely that this driver will show significant progress over its current state. Using [[ndiswrapper]] in place of the in-kernel module is recommended because of this situation.<br />
<br />
====Ralink====<br />
The RT2860 now works out of the box with rt2x00pci drivers.<br />
<br />
====Atheros====<br />
AR5001 (rev 02) works out of the box with the ath5k or MadWifi drivers.<br />
<br />
===BlueTooth===<br />
Some versions of the MSI Wind have an internal USB Bluetooth module. It should be autodetected (using the btusb, bluetooth and rfkill modules). However, there is a bug (probably in the kernel) that prevents people from toggling Bluetooth with Fn+F11 if it was not active during boot (toggling Wi-Fi with Fn+F11 keeps working). If you happen to reboot your Linux with BT deactivated, you will probably need to use Windows or some distribution without this bug (BackTrack 4 was reported to work) to activate it again. There is hope this will be fixed in the future. (Please let us know if you find any solution for this issue.)<br />
<br />
===Touchpad===<br />
<br />
====Sentelic====<br />
The Sentelic Finger Sensing Pad driver (version 1.0.0) is included in kernel 2.26.32 and above; however, it may be difficult to get the configuration utility (fspc) to work correctly. It is possible to configure the pad manually by adding the following lines to your {{Ic|/etc/rc.local}}:<br />
# Disable tap-to-click:<br />
echo -n c>>/sys/devices/platform/i8042/serio1/flags<br />
<br />
# Disable vertical tap scrolling:<br />
echo -e \0>>/sys/devices/platform/i8042/serio1/vscroll<br />
<br />
# Disable horizontal tap scrolling:<br />
echo -e \0>>/sys/devices/platform/i8042/serio1/hscroll<br />
<br />
===LAN===<br />
The Ethernet adapter functions thanks to the {{Ic|r8169}} module present in kernels 2.26.31 and newer.<br />
<br />
==Memory stick reader==<br />
The multi-card reader appears to work automatically.<br />
<br />
==Power management==<br />
pm-utils usually works without issues. However, some users have reported that it may require adding the [[Pm-utils#Resume Hook|resume hook]] and removing the [[Pm-utils#Blank screen issue|autodetect hook]] before working correctly.<br />
<br />
==Resources==<br />
* [[MSI Wind U120]] - Arch Linux wiki on the MSI Wind U120<br />
* [http://www.msimobile.com/ MSI Notebook Official Website] - BIOS upgrades can be found here<br />
* [http://www.insanelywind.com/forum/ InsanelyWind] - Community website dedicated to MSI Wind netbooks, includes forums and a wiki</div>Harviehttps://wiki.archlinux.org/index.php?title=MSI_Wind_U100&diff=180394MSI Wind U1002012-01-26T15:15:38Z<p>Harvie: cpufreq howto</p>
<hr />
<div>{{i18n|MSI Wind U100}}<br />
[[Category:MSI (English)]] <br />
This article pertains to the MSI Wind U100 netbook/sub-notebook.<br />
<br />
==Hardware==<br />
* CPU: Intel Atom N270 1.6Ghz<br />
* RAM: 1024 Mb, DDR2 667Mhz (optional)<br />
* HDD: WD 80Gb SATA (optional)<br />
* VGA: Intel 945 GMA, 64 MB DDR<br />
* LCD: 1024x600, 10.2" widescreen<br />
* WLAN: Realtek RTL8187SE , 802.11 a/b/g<br />
* LAN: Realtek RTL8101/02<br />
* CAM: 1.3 Mpix<br />
* BAT: LI-ON 3 cell 2200 mAh, 2 hours (optional)<br />
* Bluetooth, card reader, 3x USB 2.0<br />
* Touchpad: Synaptics or Sentelic<br />
<br />
===lspci===<br />
00:00.0 Host bridge: Intel Corporation Mobile 945GME Express Memory Controller Hub (rev 03) <br />
00:02.0 VGA compatible controller: Intel Corporation Mobile 945GME Express Integrated Graphics Controller (rev 03)<br />
00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)<br />
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)<br />
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 02)<br />
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 02)<br />
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 (rev 02)<br />
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 (rev 02)<br />
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 (rev 02)<br />
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 (rev 02)<br />
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 02)<br />
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)<br />
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)<br />
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) SATA IDE Controller (rev 02)<br />
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101E/RTL8102E PCI Express Fast Ethernet controller (rev 02)<br />
02:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8187SE Wireless LAN Controller (rev 22)<br />
<br />
Some have other wireless cards:<br />
02:00.0 Network controller: Atheros Communications Inc. AR928X Wireless Network Adapter (PCI-Express) (rev 01)<br />
<br />
==Installing==<br />
There are several possible ways to install Arch onto a MSI Wind U100. The most usual methods are booting from a USB stick/memory card, or from an external CD/DVD drive. Refer to the Beginners' Guide [[Beginners' Guide#CD installer|CD installer]] part for instructions on obtaining an ISO image and burning to a CD, or consult the [[Beginners' Guide#USB stick|USB stick]] section for indications on writing the image to a USB device.<br />
<br />
Regardless of choice, finish by hooking up the external device (CD drive or USB stick) to the notebook. Hold the F11 key while booting in order to get to the boot device menu, then proceed by selecting the appropriate device and install as normal.<br />
<br />
==CPU==<br />
===cpufreq===<br />
you should use '''acpi-cpufreq''' driver which will allow you to slow down your CPU to 800MHz (p4-clockmod driver will work too, but it's not intended to be used with governors like ondemand, it should be used just for manual underclocking usig hotkeys or ACPI events like AC-disconnection because it's too slow to react fast enough to be suitable for use with automatic scaling based on CPU usage and therefore kernel will refuse to use such governors. however you can underclock cpu down to 200MHz using this driver). Probably you will also want to use '''cpufreq-ondemand''' governor.<br />
===overclock===<br />
It is possible to overclock the MSI Wind using an upgraded BIOS. The overclock (turbo mode) can be activated with Fn+F10, however, this overclock is not reported in /proc/cpuinfo or by cpufreq-info.<br />
<br />
==Multimedia==<br />
===Audio===<br />
Audio is supported through ALSA with virtually no configuration. Following the [[ALSA]] article should cover all that is needed.<br />
<br />
===Video===<br />
The on-board graphics uses the Intel driver. To install with [[pacman]]:<br />
# pacman -S xf86-video-intel<br />
<br />
Aside from that, there are no out-of-the-ordinary configuration steps. Consult [[Xorg]] and [[Intel]] for more information.<br />
<br />
===Webcam===<br />
First, do not forget to activate the webcam with the hotkey Fn+F6. If it's still not working, then try loading the module. The webcam should be supported through the {{Ic|uvcvideo}} module by default, if not: <br />
# modprobe uvcvideo<br />
<br />
To load the webcam driver automatically, adding uvcvideo to the {{Ic|MODULES}} array in {{filename|/etc/[[rc.conf]]}} may be needed:<br />
MODULES=(uvcvideo)<br />
<br />
The webcam uses a resolution of 640x480. As a warning, recording video with higher resolutions may result in a lower framerate.<br />
<br />
==Networking==<br />
===Wireless===<br />
<br />
Determine which card the particular u100 version has by running {{Ic|lspci}}. These are the possibilities:<br />
*Realtek 8187se B/G<br />
*Ralink RT2860 B/G/N<br />
*Atheros AR928X B/G/N<br />
<br />
The {{Ic|lspci}} output should mention the company name.<br />
<br />
====Realtek====<br />
Since kernel 2.6.29 there's a working driver included in the staging line. The module is {{Ic|rtl8187se}} and should get loaded without intervention. This network adapter is known to be buggy, so it's unlikely that this driver will show significant progress over its current state. Using [[ndiswrapper]] in place of the in-kernel module is recommended because of this situation.<br />
<br />
====Ralink====<br />
The RT2860 now works out of the box with rt2x00pci drivers.<br />
<br />
====Atheros====<br />
AR5001 (rev 02) works out of the box with the ath5k or madwifi drivers.<br />
<br />
===Touchpad===<br />
<br />
====Sentelic====<br />
The Sentelic Finger Sensing Pad driver (version 1.0.0) is included in kernel 2.26.32 and above; however, it may be difficult to get the configuration utility (fspc) to work correctly. It is possible to configure the pad manually by adding the following lines to your {{filename|/etc/rc.local}}:<br />
 # Disable tap-to-click:<br />
 echo -n c >> /sys/devices/platform/i8042/serio1/flags<br />
 <br />
 # Disable vertical tap scrolling:<br />
 echo 0 >> /sys/devices/platform/i8042/serio1/vscroll<br />
 <br />
 # Disable horizontal tap scrolling:<br />
 echo 0 >> /sys/devices/platform/i8042/serio1/hscroll<br />
<br />
===LAN===<br />
The Ethernet adapter functions thanks to the {{Ic|r8169}} module present in kernels 2.26.31 and newer.<br />
<br />
==Memory stick reader==<br />
The multi-card reader appears to work automatically.<br />
<br />
==Power management==<br />
pm-utils usually works without issues. However, some users have reported that it may require adding the [[Pm-utils#Resume Hook|resume hook]] and removing the [[Pm-utils#Blank screen issue|autodetect hook]] before working correctly.<br />
<br />
==Resources==<br />
* [[MSI Wind U120]] - Arch Linux wiki on the MSI Wind U120<br />
* [http://www.msimobile.com/ MSI Notebook Official Website] - BIOS upgrades can be found here<br />
* [http://www.insanelywind.com/forum/ InsanelyWind] - Community website dedicated to MSI Wind netbooks, includes forums and a wiki</div>Harviehttps://wiki.archlinux.org/index.php?title=Unofficial_user_repositories&diff=179308Unofficial user repositories2012-01-20T19:05:00Z<p>Harvie: /* Signed */ fixed typo</p>
<hr />
<div>[[Category: Package management (English)]]<br />
{{i18n|Unofficial User Repositories}}<br />
==Why unofficial user repositories==<br />
Since the AUR only allows users to upload PKGBUILDs and other package-build-related files, but does not provide a means for distributing binary packages, a user may want to create a binary repository of their packages elsewhere.<br />
<br />
==The future of Unofficial repos==<br />
I'd like to see more work of this type. Sometimes there are certain projects that don't mesh well with other things, such as the community repo. The 'kdemod' project is a good example. If you want to contribute with your own builds, you can check the page [[Custom local repository]].<br />
<br />
In the future, well-thought-out user repositories may be ideal for lots of supplementary things. Forming a "web of trust" is important in cases like this, so we may begin keeping a list of "recommended" repositories somewhere, in order to make it seem more official and trustworthy.<br />
<br />
[[User:Phrakture|Phrakture]] 12:50, 18 May 2007 (EDT)<br />
<br />
==List of PUR (unofficial user repositories)==<br />
===Any===<br />
"Any" repos are architecture-independent, i.e. they can be used on both i686 and x86_64 systems.<br />
<pre><br />
[herecura-stable-any]<br />
# Just some stuff; a few java apps, wallpapers, small scripts, xbmc-skin<br />
Server = http://repo.herecura.be/herecura-stable/any<br />
<br />
[herecura-testing-any]<br />
# Some any testing stuff, xbmc-svn skin<br />
Server = http://repo.herecura.be/herecura-testing/any<br />
<br />
[xyne-any]<br />
# The home of Xyne's contributions.<br />
# More info including a package list can be found at http://xyne.archlinux.ca/repos<br />
Server = http://xyne.archlinux.ca/repos/xyne-any/<br />
<br />
[arch-fonts]<br />
# Prebuilt packages for font packages found in AUR<br />
# This should be faster than building from source<br />
# as many have download speed of 10KB/s. If you find<br />
# missing font, email to <gmail.com: jesse.jaara><br />
Server = http://huulivoide.pp.fi/Arch/arch-fonts<br />
</pre><br />
<br />
===Both i686 and x86_64===<br />
====Signed====<br />
<pre><br />
[allanbrokeit]<br />
# http://allanmcrae.com/2011/06/the-allanbrokeit-repo-that-might-really-break-your-system/<br />
SigLevel = PackageOptional<br />
Server = http://allanmcrae.com/$repo/$arch<br />
<br />
[heftig]<br />
# Includes linux-zen and aurora (firefox development build - works alongside firefox in extra.)<br />
# https://bbs.archlinux.org/viewtopic.php?id=117157<br />
SigLevel = PackageOptional<br />
Server = http://pkgbuild.com/~heftig/repo/$arch<br />
</pre><br />
<br />
====Unsigned====<br />
<!--Not exactly the same as 'any' repositories; this section should probably be separate.--><br />
Repositories with both i686 and x86_64 versions. The $arch variable will be set automatically by pacman.<br />
<pre><br />
[adslgr]<br />
# The Hellenic (Greek) archlinux unofficial repository with many interesting packages.<br />
Server = http://archlinuxgr.tiven.org/archlinux/$arch<br />
<br />
[archlinuxfr]<br />
# The French Arch Linux communities packages.<br />
Server = http://repo.archlinux.fr/$arch<br />
<br />
[archaudio-production]<br />
# verified PKGBUILDs AND tested packages<br />
Server = http://repos.archaudio.org/$repo/$arch<br />
<br />
[archaudio-preview]<br />
# unverified PKGBUILDs AND/OR untested packages<br />
Server = http://repos.archaudio.org/$repo/$arch<br />
<br />
[archaudio-nightly]<br />
# verified devel PKGBUILDs<br />
Server = http://repos.archaudio.org/$repo/$arch<br />
<br />
[archaudio-experimental]<br />
# unverified devel PKGBUILDs<br />
Server = http://repos.archaudio.org/$repo/$arch<br />
<br />
[archstuff]<br />
# AUR's most voted and many bin32-* and lib32-* packages.<br />
Server = http://archstuff.vs169092.vserver.de/$arch<br />
<br />
[arsch]<br />
# From users of orgizm.net<br />
Server = http://arsch.orgizm.net/$arch<br />
<br />
[burg]<br />
# Burg bootloader repo<br />
# More info : http://archydeb.wordpress.com/<br />
Server = http://dl.dropbox.com/u/11529444/repos/archlinux/burg/$arch<br />
<br />
[catalyst]<br />
# ATI Catalyst proprietary drivers.<br />
Server = http://catalyst.apocalypsus.net/repo/catalyst/$arch<br />
<br />
[haskell]<br />
# ArchHaskell repository<br />
Server = http://www.kiwilight.com/$repo/$arch<br />
<br />
[repo-ck]<br />
# ARCH kernel and modules with Brain Fuck Scheduler and all the goodies in the ck1 patch set<br />
# See the linux-ck wiki page for more<br />
Server = http://repo-ck.com/$arch<br />
<br />
[kittyserve]<br />
# Contains kittykatt's packages and packages from friends of kittykatt, as well as most mint-related packages<br />
Server = http://repo.kattz.tk/$arch<br />
<br />
[kxstudio-free]<br />
# KXStudio Free<br />
Server = http://kxstudio.sf.net/repo/arch/$arch<br />
<br />
[kxstudio-non-free]<br />
# KXStudio Non-Free<br />
Server = http://kxstudio.sf.net/repo/arch/$arch <br />
<br />
[mate]<br />
# Contains official mate desktop packages (gnome2 fork)<br />
Server = http://matsusoft.com.ar/repository/archlinux/mate/$arch<br />
Server = ftp://tridex.net/mate/$arch<br />
<br />
[radeon]<br />
# ATI Radeon X.Org drivers, bleeding edge 'git' builds.<br />
Server = http://spiralinear.org/perry3d/$arch<br />
<br />
[sergej-repo]<br />
# ion3 and some other stuff.<br />
# http://code.google.com/p/archlinux-stuff/source/browse/trunk<br />
Server = http://repo.p5n.pp.ru/sergej-repo/$arch/<br />
<br />
[suckless]<br />
# suckless.org packages<br />
Server = http://dl.suckless.org/arch/$arch<br />
<br />
[herecura-stable]<br />
# Additional apps not found in community.<br />
Server = http://herecura.be/repo/herecura-stable/$arch<br />
<br />
[herecura-testing]<br />
# Additional apps for testing build against stable Arch.<br />
Server = http://herecura.be/repo/herecura-testing/$arch<br />
</pre><br />
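Added example, not code from the wiki page or from pacman itself: a small Python audit that parses pacman.conf stanzas like the ones listed above, resolves each repository's effective SigLevel under the inheritance rules of pacman.conf(5), and flags the weak cases, in particular that {{Ic|PackageOptional}} still accepts a package that carries no signature at all. The sample stanzas and the starting SigLevel used when the file sets no global one are constructed assumptions, labelled as such in the code.<br />

```python
"""Audit the SigLevel of unofficial pacman repositories in a pacman.conf."""
import re
from dataclasses import dataclass, field, replace

LEVELS = ("Never", "Optional", "Required")
TRUSTS = ("TrustedOnly", "TrustAll")
REPO_KEYS = {"Server", "SigLevel", "Include", "Usage"}  # directives valid in a repo stanza


@dataclass
class SigLevel:
    """Effective verification settings.  Assumption: with no global SigLevel in the
    file this script starts from "Optional TrustedOnly"; confirm in pacman.conf(5)."""
    package: str = "Optional"
    database: str = "Optional"
    package_trust: str = "TrustedOnly"
    database_trust: str = "TrustedOnly"

    def apply(self, tokens):
        """Copy with one SigLevel line applied, per pacman.conf(5): Never/Optional/
        Required set the level, TrustedOnly/TrustAll the key trust, a Package or
        Database prefix restricts a token, and unmentioned parts are inherited."""
        new = replace(self)
        for tok in tokens:
            scopes = ("package", "database")
            for prefix in ("Package", "Database"):
                if tok.startswith(prefix):
                    scopes, tok = (prefix.lower(),), tok[len(prefix):]
            attr = "" if tok in LEVELS else "_trust" if tok in TRUSTS else None
            if attr is None:
                raise ValueError(f"unknown SigLevel token {tok!r}")
            for scope in scopes:
                setattr(new, scope + attr, tok)
        return new


@dataclass
class Repo:
    name: str
    servers: list = field(default_factory=list)
    siglevel_tokens: list = field(default_factory=list)
    malformed: list = field(default_factory=list)  # lines pacman would reject


def parse_pacman_conf(text):
    """Return (global SigLevel tokens, [Repo, ...]) from pacman.conf text."""
    global_tokens, repos, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # pacman allows whole-line comments only
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = None if header.group(1) == "options" else Repo(header.group(1))
            if current is not None:
                repos.append(current)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "SigLevel":
            (global_tokens if current is None else current.siglevel_tokens).extend(value.split())
        elif current is not None and key == "Server":
            current.servers.append(value)
        elif current is not None and key not in REPO_KEYS:
            current.malformed.append(line)
    return global_tokens, repos


def audit(text):
    """Classify each repository by its effective package level and list findings."""
    global_tokens, repos = parse_pacman_conf(text)
    base = SigLevel().apply(global_tokens)
    report = {}
    for repo in repos:
        eff = base.apply(repo.siglevel_tokens)
        findings = [f"malformed line: {line}" for line in repo.malformed]
        if not repo.servers:
            findings.append("no Server line; pacman cannot use this repository")
        if eff.package == "Never":
            findings.append("package signatures are never checked")
        elif eff.package == "Optional":
            findings.append("an unsigned package is accepted; signatures are checked only when present")
        if eff.database != "Required":
            findings.append(f"database level is {eff.database}; repository metadata is not authenticated")
        if eff.package != "Required" and any(s.startswith(("http://", "ftp://")) for s in repo.servers):
            findings.append("plaintext transport without mandatory package signatures")
        label = {"Required": "enforced", "Optional": "optional", "Never": "unverified"}[eff.package]
        report[repo.name] = {"classification": label, "effective": eff, "findings": findings}
    return report


# Constructed sample built from stanzas in the listing above plus an [options]
# section; the [aur] stanza reproduces a bare URL line written without "Server =".
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[allanbrokeit]
SigLevel = PackageOptional
Server = http://allanmcrae.com/$repo/$arch

[suckless]
Server = http://dl.suckless.org/arch/$arch

[aur]
http://dl.dropbox.com/u/10527821/repo/i686/
"""
```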
<br />
===i686 only===<br />
<pre><br />
[andrwe]<br />
# For a list of packages see: http://andrwe.org/doku.php/linux/repository<br />
Server = http://repo.andrwe.org/i686<br />
<br />
[arch-graphics]<br />
# Repository aimed to provide applications mainly for 3D graphics.<br />
# For more info, look at http://arch-graphics.kx.cz/<br />
Server = http://arch-graphics.kx.cz/repo/i686<br />
<br />
[cgr-i686]<br />
# Packages for some ChicoGeek's PKGBUILDs.<br />
Server = http://cgr.i686.googlepages.com/<br />
<br />
[chaox-stable]<br />
# Pentesting packages and custom kernel patched for WIFI injection.<br />
Server = http://repo.chaox.net/stable<br />
<br />
[compiz-fusion]<br />
# compiz-fusion-git<br />
# Updated to June 2008.<br />
Server = http://compiz.dreamz-box.de/i686<br />
<br />
[esclinux]<br />
# Mostly games, interactive fiction and abc notation stuff already on AUR.<br />
Server = http://download.tuxfamily.org/esclinuxcd/ressources/repo/i686/<br />
<br />
[fukawi]<br />
# Some Nagios Stuff; molly-guard; celtx and various networking tools.<br />
Server = http://repo.fukawi2.nl/i686/<br />
Server = ftp://repo.fukawi2.nl/i686/<br />
<br />
[jose1711]<br />
# Most of the packages I maintain in AUR (games, tools)<br />
Server = http://arch.l33t.in/i686/<br />
<br />
[kde4-eyecandy-32]<br />
# Useful and beautiful plasmoids and themes for KDE4.<br />
Server = http://archlinuxgr.tiven.org/kde4-eyecandy/i686<br />
<br />
[kpiche]<br />
# Stable OpenSync packages.<br />
Server = http://kpiche.archlinux.ca/repo<br />
<br />
[rfad]<br />
# Repository made by haxit | Contact at: requiem [at] archlinux.us for package suggestions!<br />
Server = http://web.ncf.ca/ey723/archlinux/repo/<br />
<br />
[xdemon-repo]<br />
# madwimax, kismet-svn and aircrack-svn, etc...<br />
Server = http://repo.x-demon.org/archlinux/os/i686<br />
<br />
[studioidefix]<br />
# Precompiled boxee packages.<br />
Server = http://studioidefix.googlecode.com/hg/repo/i686<br />
<br />
[mingw32]<br />
# Libs & tools for crosscompiling for Win32, mainly taken from AUR.<br />
# Contact: Alexander 'hatred' Drozdov <adrozdoff [at] gmail (dot) com> (Russian-speaking guys can write in Russian :-)<br />
Server = http://hatred.homelinux.net/archlinux/mingw32/os/i686<br />
<br />
[ayatana]<br />
# GNOME apps: emerillon, glabels, gnome-subtitles, gnome-web-photo, nautilus-sound-converter, ocrfeeder, pdfmod, planner, rygel, transmageddon…<br />
# Mapping apps: bt747, foxtrotgps, gpsprune, marble, merkaartor, navit…<br />
# Other apps with Ayatana support: audio-recorder, cloudsn, deja-dup, gnome-activity-journal, gtg, gwibber, onboard, sbackup, synapse, uget…<br />
# Other apps: backintime, covergloobus, desktopnova, gdesklets, gloobus-preview, keepnote, kompozer, nautilus-terminal, pinta, xnoise…<br />
# Packages from Ubuntu: humanity-icon-theme, ubuntu-light-themes, ubuntuone-client, ubuntu-sounds, notify-osd, indicator-applet…<br />
# More info: http://ayatana.info/<br />
Server = http://repo.ayatana.info/<br />
<br />
[sylar_repo]<br />
# My built packages.<br />
# Additional info and package list: see http://dl.dropbox.com/u/8192972/arch_repo/arch_repo.html<br />
Server = http://dl.dropbox.com/u/8192972/arch_repo/repo<br />
<br />
[kernel26-pae]<br />
# PAE-enabled 32-bit kernel 2.6.39<br />
Server = http://kernel26-pae.archlinux.ca/<br />
<br />
[linux-pae]<br />
# PAE-enabled 32-bit kernel 3.0<br />
Server = http://pae.archlinux.ca/<br />
<br />
[aur]<br />
# most common packages in aur<br />
# readme: http://dl.dropbox.com/u/10527821/repo/i686/readme.txt<br />
# packages: http://dl.dropbox.com/u/10527821/repo/i686/pkglst.txt<br />
Server = http://dl.dropbox.com/u/10527821/repo/i686/<br />
<br />
</pre><br />
<br />
===x86_64 only===<br />
<pre><br />
[andrwe]<br />
# For a list of packages see: http://andrwe.dyndns.org/doku.php/blog/repository<br />
Server = http://repo.andrwe.org/x86_64<br />
<br />
[archstudio]<br />
# ArchAudio Packages <br />
# Optimized for Intel Core {i3,i5,i7} CPU <br />
# Package Details: http://dl.dropbox.com/u/5977716/archstudio.html<br />
Server = http://dl.dropbox.com/u/5977716/x86_64<br />
<br />
[compiz-fusion]<br />
# compiz-fusion-git<br />
Server = http://compiz.dreamz-box.de/x86_64<br />
<br />
[kde4-eyecandy-64]<br />
# Useful and beautiful plasmoids and themes for KDE4.<br />
Server = http://archlinuxgr.tiven.org/kde4-eyecandy/x86_64<br />
<br />
[nightly]<br />
# Nightly builds of some packages from the AUR.<br />
# Repo-Tracker: http://bugs.arch-nightly.net<br />
Server = http://arch-nightly.net/repo/x86_64<br />
<br />
[zen]<br />
# Various and zengeist' AUR packages.<br />
Server = http://zloduch.cz/archlinux/x86_64<br />
<br />
[seiichiro]<br />
# VDR and some plugins, mms, foo2zjs-drivers<br />
Server = http://repo.seiichiro0185.org/x86_64<br />
<br />
[studioidefix]<br />
# Precompiled boxee packages.<br />
Server = http://studioidefix.googlecode.com/hg/repo/x86_64<br />
<br />
[pyropeter]<br />
# My AUR packages: https://aur.archlinux.org/packages.php?SeB=m&K=pyropeter<br />
Server = http://keks.selfip.org/arch/pyropeter<br />
</pre><br />
<br />
==Add your own repository to this list==<br />
If you have your own repository, please add it to this list, so that all other users know where to find your packages.</div>Harviehttps://wiki.archlinux.org/index.php?title=Unofficial_user_repositories&diff=179307Unofficial user repositories2012-01-20T19:04:03Z<p>Harvie: allan moved to signed</p>
<hr />
<div>[[Category: Package management (English)]]<br />
If you have your own repository, please add it to this list, so that all other users know where to find your packages.</div>Harviehttps://wiki.archlinux.org/index.php?title=Unofficial_user_repositories&diff=179306Unofficial user repositories2012-01-20T18:42:23Z<p>Harvie: We should distinguish between signed and unsigned repos. This is an example.</p>
<hr />
<div>[[Category: Package management (English)]]<br />
===i686 only===<br />
<pre><br />
[andrwe]<br />
# For a list of packages see: http://andrwe.org/doku.php/linux/repository<br />
Server = http://repo.andrwe.org/i686<br />
<br />
[arch-graphics]<br />
# Repository aimed to provide applications mainly for 3D graphics.<br />
# For more info, look at http://arch-graphics.kx.cz/<br />
Server = http://arch-graphics.kx.cz/repo/i686<br />
<br />
[cgr-i686]<br />
# Packages for some ChicoGeek's PKGBUILDs.<br />
Server = http://cgr.i686.googlepages.com/<br />
<br />
[chaox-stable]<br />
# Pentesting packages and custom kernel patched for WIFI injection.<br />
Server = http://repo.chaox.net/stable<br />
<br />
[compiz-fusion]<br />
# compiz-fusion-git<br />
# Updated to June 2008.<br />
Server = http://compiz.dreamz-box.de/i686<br />
<br />
[esclinux]<br />
# Mostly games, interactive fiction and abc notation stuffs already on AUR.<br />
Server = http://download.tuxfamily.org/esclinuxcd/ressources/repo/i686/<br />
<br />
[fukawi]<br />
# Some Nagios Stuff; molly-guard; celtx and various networking tools.<br />
Server = http://repo.fukawi2.nl/i686/<br />
Server = ftp://repo.fukawi2.nl/i686/<br />
<br />
[jose1711]<br />
# Most of the packages I maintain in AUR (games, tools)<br />
Server = http://arch.l33t.in/i686/<br />
<br />
[kde4-eyecandy-32]<br />
# Useful and beautiful plasmoids and themes for KDE4.<br />
Server = http://archlinuxgr.tiven.org/kde4-eyecandy/i686<br />
<br />
[kpiche]<br />
# Stable OpenSync packages.<br />
Server = http://kpiche.archlinux.ca/repo<br />
<br />
[rfad]<br />
# Repository made by haxit | Contact at: requiem [at] archlinux.us for package suggestions!<br />
Server = http://web.ncf.ca/ey723/archlinux/repo/<br />
<br />
[xdemon-repo]<br />
# madwimax, kismet-svn and aircrack-svn, etc...<br />
Server = http://repo.x-demon.org/archlinux/os/i686<br />
<br />
[studioidefix]<br />
# Precompiled boxee packages.<br />
Server = http://studioidefix.googlecode.com/hg/repo/i686<br />
<br />
[mingw32]<br />
# Libs & tools for crosscompiling for Win32, mainly taken from AUR.<br />
# Contact: Alexander 'hatred' Drozdov <adrozdoff [at] gmail (dot) com> (Russian-speaking guys can write in Russian :-)<br />
Server = http://hatred.homelinux.net/archlinux/mingw32/os/i686<br />
<br />
[ayatana]<br />
# GNOME apps: emerillon, glabels, gnome-subtitles, gnome-web-photo, nautilus-sound-converter, ocrfeeder, pdfmod, planner, rygel, transmageddon…<br />
# Mapping apps: bt747, foxtrotgps, gpsprune, marble, merkaartor, navit…<br />
# Other apps with Ayatana support: audio-recorder, cloudsn, deja-dup, gnome-activity-journal, gtg, gwibber, onboard, sbackup, synapse, uget…<br />
# Other apps: backintime, covergloobus, desktopnova, gdesklets, gloobus-preview, keepnote, kompozer, nautilus-terminal, pinta, xnoise…<br />
# Packages from Ubuntu: humanity-icon-theme, ubuntu-light-themes, ubuntuone-client, ubuntu-sounds, notify-osd, indicator-applet…<br />
# More info: http://ayatana.info/<br />
Server = http://repo.ayatana.info/<br />
<br />
[sylar_repo]<br />
# My built packages.<br />
# Additional info and package list: see http://dl.dropbox.com/u/8192972/arch_repo/arch_repo.html<br />
Server = http://dl.dropbox.com/u/8192972/arch_repo/repo<br />
<br />
[kernel26-pae]<br />
# PAE-enabled 32-bit kernel 2.6.39<br />
Server = http://kernel26-pae.archlinux.ca/<br />
<br />
[linux-pae]<br />
# PAE-enabled 32-bit kernel 3.0<br />
Server = http://pae.archlinux.ca/<br />
<br />
[aur]<br />
# most common packages in aur<br />
# readme: http://dl.dropbox.com/u/10527821/repo/i686/readme.txt<br />
# packages: http://dl.dropbox.com/u/10527821/repo/i686/pkglst.txt<br />
Server = http://dl.dropbox.com/u/10527821/repo/i686/<br />
<br />
</pre><br />
<br />
===x86_64 only===<br />
<pre><br />
[andrwe]<br />
# For a list of packages see: http://andrwe.dyndns.org/doku.php/blog/repository<br />
Server = http://repo.andrwe.org/x86_64<br />
<br />
[archstudio]<br />
# ArchAudio Packages <br />
# Optimized for Intel Core {i3,i5,i7} CPU <br />
# Package Details: http://dl.dropbox.com/u/5977716/archstudio.html<br />
Server = http://dl.dropbox.com/u/5977716/x86_64<br />
<br />
[compiz-fusion]<br />
# compiz-fusion-git<br />
Server = http://compiz.dreamz-box.de/x86_64<br />
<br />
[kde4-eyecandy-64]<br />
# Useful and beautiful plasmoids and themes for KDE4.<br />
Server = http://archlinuxgr.tiven.org/kde4-eyecandy/x86_64<br />
<br />
[nightly]<br />
# Nightly builds of some packages from the AUR.<br />
# Repo-Tracker: http://bugs.arch-nightly.net<br />
Server = http://arch-nightly.net/repo/x86_64<br />
<br />
[zen]<br />
# Various packages and zengeist's AUR packages.<br />
Server = http://zloduch.cz/archlinux/x86_64<br />
<br />
[seiichiro]<br />
# VDR and some plugins, mms, foo2zjs-drivers<br />
Server = http://repo.seiichiro0185.org/x86_64<br />
<br />
[studioidefix]<br />
# Precompiled boxee packages.<br />
Server = http://studioidefix.googlecode.com/hg/repo/x86_64<br />
<br />
[pyropeter]<br />
# My AUR packages: https://aur.archlinux.org/packages.php?SeB=m&K=pyropeter<br />
Server = http://keks.selfip.org/arch/pyropeter<br />
</pre><br />
<br />
==Add your own repository to this list==<br />
If you have your own repository, please add it to this list, so that all other users know where to find your packages.</div>Harviehttps://wiki.archlinux.org/index.php?title=EncFS&diff=144736EncFS2011-06-10T05:57:48Z<p>Harvie: Categories</p>
<hr />
<div>{{i18n|EncFS}}<br />
[[Category:Security (English)]]<br />
[[Category:File systems (English)]]<br />
[[Category:HOWTOs (English)]]<br />
<br />
'''EncFS''' is a userspace stackable cryptographic file-system similar to [[System_Encryption_with_eCryptfs|eCryptFS]], and aims to secure data with the minimum hassle. It uses [[FUSE]] to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as [[TrueCrypt]] and [[System_Encryption_with_LUKS|dm-crypt]].<br />
<br />
EncFS is definitely the simplest software if you want to try disk encryption on Linux.<br />
<br />
This has a number of advantages and disadvantages compared to these systems. Firstly, it does not require any root privileges to implement; any user can create a repository of encrypted files. Secondly, one does not need to create a single file and create a file-system within that; it works on an existing file-system without modifications.<br />
<br />
This does create a few disadvantages, though; because the encrypted files are not stored in their own file, someone who obtains access to the system can still see the underlying directory structure, the number of files, their sizes and when they were modified. They cannot see the contents, however.<br />
<br />
This particular method of securing data is obviously not perfect, but there are situations in which it is useful.<br />
<br />
===Comparison to eCryptFS===<br />
[[System_Encryption_with_eCryptfs|eCryptFS]] is implemented in kernelspace and is therefore a little harder to configure: you have to remember the various encryption options you used (cipher, key type, etc.). In EncFS this is not the case, because EncFS stores this information in its own config file, so you don't have to remember anything (except the passphrase :-). On the other hand, the eCryptFS authors claim that it is faster, because there is no overhead caused by context switching between kernel and userspace.<br />
<br />
==Installation==<br />
Install the {{package Official|encfs}} package using [[pacman]]:<br />
# pacman -S encfs<br />
<br />
==Usage==<br />
To create a secured repository, type:<br />
$ encfs ~/.DIRNAME ~/DIRNAME<br />
This will be followed by a prompt about whether you want to go with the default (paranoid options) or expert configuration. The latter allows specifying algorithms and other options. The former is a fairly secure default setup. After entering a key for the encryption, the encoded file-system will be created and mounted. The encoded files are stored, in this example, at {{filename|~/.DIRNAME}}, and their unencrypted versions in '''{{filename|~/DIRNAME}}'''.<br />
<br />
To unmount the file-system, type:<br />
$ fusermount -u ~/DIRNAME<br />
<br />
To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.<br />
<br />
<br />
==User friendly mounting==<br />
<br />
===Mount using CryptKeeper trayicon===<br />
A quite simple app: just install it from the AUR and add it to your X session:<br />
* http://aur.archlinux.org/packages.php?ID=12743<br />
<br />
===Mount at login using pam_encfs===<br />
A PAM module:<br />
* http://aur.archlinux.org/packages.php?ID=2759<br />
* http://pam-encfs.googlecode.com/svn/trunk/README<br />
* http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf<br />
* https://wiki.edubuntu.org/EncryptedHomeFolder<br />
* http://code.google.com/p/pam-encfs/<br />
<br />
====Single password====<br />
Note that if you use the same password for login and for EncFS (e.g. via try_first_pass or use_first_pass, so that EncFS is mounted during your login), then you should use [[SHA password hashes]] (preferably SHA512 with a large number of rounds) and, most importantly, a SECURE PASSWORD, because the hash of your password is probably stored in unencrypted form in /etc/shadow and can be cracked in order to obtain your EncFS password (since it is the same as your regular unix login password).<br />
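The following is an added example and is not part of the wiki page or of pam_encfs: a POSIX sh checker that parses shadow(5) entries and reports whether an account's login hash is SHA512 with an explicit, high rounds= value, which is the precondition the note above sets before reusing the login password for EncFS. Its function names and the 65536-round threshold are the example's own choices, the shadow lines it ships with are constructed placeholders rather than real hashes, and it assumes glibc's SHA-crypt default of 5000 rounds for entries that carry no rounds= prefix.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or pam_encfs): check the hash
# format of shadow(5) entries before reusing the login password for EncFS.
# All shadow lines embedded below are CONSTRUCTED samples, not real hashes.

# shadow_hash_info LINE  ->  prints "ALGO ROUNDS"
# ALGO:   sha512 | sha256 | md5 | des | locked | empty | unknown
# ROUNDS: explicit rounds= value, or 5000 (glibc's SHA-crypt default,
#         an assumption of this example) when the field omits it;
#         0 where rounds do not apply.
shadow_hash_info() {
    hash=$(printf '%s\n' "$1" | cut -s -d: -f2)
    dollar='$'
    algo=unknown
    rounds=0
    case "$hash" in
        '') algo=empty ;;
        '!'*|'*'*) algo=locked ;;
        "${dollar}6${dollar}"*) algo=sha512; rounds=5000 ;;
        "${dollar}5${dollar}"*) algo=sha256; rounds=5000 ;;
        "${dollar}1${dollar}"*) algo=md5 ;;
        "${dollar}"*) algo=unknown ;;
        *) algo=des ;;
    esac
    # Explicit rounds= prefix, e.g. $6$rounds=65536$salt$hash
    case "$hash" in
        "${dollar}6${dollar}rounds="*|"${dollar}5${dollar}rounds="*)
            rounds=${hash#*rounds=}
            rounds=${rounds%%"$dollar"*}
            ;;
    esac
    echo "$algo $rounds"
}

# shadow_hash_ok LINE MIN_ROUNDS  ->  succeeds only for sha512 with >= MIN_ROUNDS
shadow_hash_ok() {
    info=$(shadow_hash_info "$1")
    algo=${info% *}
    rounds=${info#* }
    [ "$algo" = sha512 ] && [ "$rounds" -ge "$2" ]
}

# check_shadow_file FILE MIN_ROUNDS  ->  one verdict line per account that has
# a password set; returns 1 if any of them fails the check.
check_shadow_file() {
    status=0
    while IFS= read -r line; do
        user=${line%%:*}
        info=$(shadow_hash_info "$line")
        case "$info" in
            locked*|empty*) continue ;;   # no password to crack here
        esac
        if shadow_hash_ok "$line" "$2"; then
            echo "OK   $user: $info"
        else
            echo "WEAK $user: $info"
            status=1
        fi
    done < "$1"
    return $status
}

# Constructed sample entries (hash bodies are placeholders, not real digests)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
alice:$6$rounds=65536$c0nstructedSalt$placeholderHashBodyNotRealAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:15500:0:99999:7:::
bob:$6$c0nstructedSalt$placeholderHashBodyNotRealBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:15500:0:99999:7:::
carol:$1$c0nstrct$placeholderMd5BodyXXXXXXXX:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
EOF

# Usage: ./shadow-check.sh                   (scans the constructed sample)
#        sudo ./shadow-check.sh /etc/shadow 65536
if check_shadow_file "${1:-$SAMPLE_SHADOW}" "${2:-65536}"; then
    echo "all password hashes pass"
else
    echo "some accounts need a stronger hash before sharing the password with EncFS"
fi
rm -f "$SAMPLE_SHADOW"
```

Run it as root against the real file. The stored hash only changes when a password is (re)set, so after configuring SHA512 with more rounds for pam_unix as described in [[SHA password hashes]], run passwd for the account and check again.<br />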
<br />
====/etc/pam.d/====<br />
Note that when you use the '''try_first_pass''' parameter to '''pam_unix.so''', you have to set EncFS to use the same password you use to log in (or vice versa), and you will enter just a single password. Without this parameter you will need to enter two passwords.<br />
=====login=====<br />
I am personally not using pam_encfs in login, but only in GDM, because I don't expect the VC to be user friendly. Anyway, you will probably need to debug the configuration for login first and then migrate it to gdm, because it's faster and easier to debug on the console.<br />
<pre><br />
#%PAM-1.0<br />
<br />
auth required pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so nullok try_first_pass<br />
#auth required pam_unix.so nullok<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
# use this to lockout accounts for 10 minutes after 3 failed attempts<br />
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog<br />
account required pam_access.so<br />
account required pam_time.so<br />
account required pam_unix.so<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so md5 shadow use_authtok<br />
session required pam_unix.so<br />
session required pam_env.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session optional pam_loginuid.so<br />
-session optional pam_ck_connector.so nox11<br />
#Automatic unmount (optional):<br />
#session required pam_encfs.so<br />
</pre><br />
Note that the automatic unmount will happen even when there is another session, e.g. logging out on a VC can unmount an encfs that was mounted by a GDM session which is still active (that's why I don't use pam_encfs on the console).<br />
=====gdm=====<br />
<pre><br />
#%PAM-1.0<br />
auth requisite pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so try_first_pass<br />
auth optional pam_gnome_keyring.so<br />
account required pam_unix.so<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
session optional pam_gnome_keyring.so auto_start<br />
password required pam_unix.so<br />
session required pam_encfs.so<br />
</pre><br />
<br />
===Mount at Gnome startup using gnome-encfs===<br />
* http://aur.archlinux.org/packages.php?ID=37097<br />
<br />
===Mount when USB drive with EncFS folders is inserted using fsniper===<br />
A simple method to automount encfs (asking for the password) when a USB drive with one or more EncFS folders in its root is inserted. We'll use fsniper (a filesystem-watching daemon based on inotify) and git (for its askpass binary).<br />
<br />
* http://aur.archlinux.org/packages.php?ID=16677<br />
* https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in following HOWTO)<br />
<br />
====HOWTO====<br />
# (you need USB automount working for this, like Thunar or Nautilus provide)<br />
# make an encrypted folder on your drive, e.g.: '''encfs /media/USB/somename /media/USB/somename.plain''' (and then unmount everything)<br />
# install fsniper and git from the AUR<br />
# configure fsniper:<br />
<pre><br />
# ~/.config/fsniper/config<br />
# You can get fsniper at http://code.l3ib.org/?p=fsniper.git<br />
<br />
watch {<br />
    /etc/ {<br />
        mtab {<br />
            # %% is replaced with the filename of the new file<br />
            handler = encfs-automount.sh %%;<br />
        }<br />
    }<br />
}<br />
</pre><br />
# install helper script:<br />
<pre><br />
#!/bin/sh<br />
# ~/.config/fsniper/scripts/encfs-automount.sh<br />
# Quick & dirty script for automounting EncFS USB drives<br />
# TODO:<br />
# - Unmounting!!!<br />
#<br />
ASKPASS="/usr/lib/git-core/git-gui--askpass"<br />
<br />
# Single-instance lock: fsniper fires on every mtab change, so bail out if a previous run is still alive<br />
lock=/tmp/fsniper_encfs.lock<br />
lpid=$(cat "$lock" 2>/dev/null) &&<br />
ps "$lpid" | grep "$lpid" >/dev/null && {<br />
    echo "Another instance of fsniper_encfs is running"<br />
    exit<br />
}<br />
# $$ works in plain /bin/sh; $BASHPID is bash-only and expands to nothing under dash<br />
echo $$ > "$lock"<br />
sleep 2<br />
<br />
echo<br />
echo ==== EncFS automount script for fsniper ====<br />
<br />
# The second column of /proc/mounts is the mount point<br />
list_mounts() {<br />
    cut -d ' ' -f 2 /proc/mounts<br />
}<br />
<br />
list_mounts | while read mount; do<br />
    # An EncFS folder is recognised by its .encfs* config file one level below the mount point<br />
    config="$mount"'/*/.encfs*'<br />
    echo Looking for "$config"<br />
    config="$(echo $config)"   # unquoted on purpose: this expands the glob<br />
    [ -r "$config" ] && {<br />
        cyphertext="$(dirname "$config")"<br />
        plaintext="$cyphertext".plain<br />
        echo Found config: "$config"<br />
        echo Trying to mount: "$cyphertext to $plaintext"<br />
        if list_mounts | grep -Fx "$plaintext" >/dev/null; then<br />
            echo Already mounted: "$plaintext"<br />
        else<br />
            echo WOOHOO Will mount "$cyphertext to $plaintext"<br />
            "$ASKPASS" "EncFS $cyphertext to $plaintext" | encfs --stdinpass "$cyphertext" "$plaintext"<br />
        fi<br />
    }<br />
done<br />
echo<br />
<br />
rm "$lock" 2>/dev/null<br />
</pre><br />
# Make sure that /usr/lib/git-core/git-gui--askpass works for you (that's why you need the git package, but you can adjust the helper script)<br />
# try '''fsniper --log-to-stdout''' in a terminal (askpass should appear when the USB drive is inserted)<br />
# add '''fsniper --daemon''' to your session<br />
# don't forget to unmount encfs before removing the drive</div>Harviehttps://wiki.archlinux.org/index.php?title=EncFS&diff=144735EncFS2011-06-10T05:25:40Z<p>Harvie: /* Mount at login using pam_encfs */ Single password</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:HOWTOs (English)]]<br />
'''EncFS''' is a userspace stackable cryptographic file-system similar to [[System_Encryption_with_eCryptfs|eCryptFS]], and aims to secure data with the minimum hassle. It uses [[FUSE]] to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as [[TrueCrypt]] and [[System_Encryption_with_LUKS|dm-crypt]].<br />
<br />
EncFS is definitely the simplest software if you want to try disk encryption on Linux.<br />
<br />
This has a number of advantages and disadvantages compared to these systems. Firstly, it does not require any root privileges to implement; any user can create a repository of encrypted files. Secondly, one does not need to create a single file and create a file-system within that; it works on an existing file-system without modifications.<br />
<br />
This does create a few disadvantages, though; because the encrypted files are not stored in their own file, someone who obtains access to the system can still see the underlying directory structure, the number of files, their sizes and when they were modified. They cannot see the contents, however.<br />
<br />
This particular method of securing data is obviously not perfect, but there are situations in which it is useful.<br />
<br />
===Comparison to eCryptFS===<br />
[[System_Encryption_with_eCryptfs|eCryptFS]] is implemented in kernelspace and is therefore a little harder to configure: you have to remember the various encryption options you used (cipher, key type, etc.). In EncFS this is not the case, because EncFS stores this information in its own config file, so you don't have to remember anything (except the passphrase :-). On the other hand, the eCryptFS authors claim that it is faster, because there is no overhead caused by context switching between kernel and userspace.<br />
<br />
==Installation==<br />
Install the {{package Official|encfs}} package using [[pacman]]:<br />
# pacman -S encfs<br />
<br />
==Usage==<br />
To create a secured repository, type:<br />
$ encfs ~/.DIRNAME ~/DIRNAME<br />
This will be followed by a prompt about whether you want to go with the default (paranoid options) or expert configuration. The latter allows specifying algorithms and other options. The former is a fairly secure default setup. After entering a key for the encryption, the encoded file-system will be created and mounted. The encoded files are stored, in this example, at {{filename|~/.DIRNAME}}, and their unencrypted versions in '''{{filename|~/DIRNAME}}'''.<br />
<br />
To unmount the file-system, type:<br />
$ fusermount -u ~/DIRNAME<br />
<br />
To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.<br />
<br />
<br />
==User friendly mounting==<br />
<br />
===Mount using CryptKeeper trayicon===<br />
A quite simple app: just install it from the AUR and add it to your X session:<br />
* http://aur.archlinux.org/packages.php?ID=12743<br />
<br />
===Mount at login using pam_encfs===<br />
A PAM module:<br />
* http://aur.archlinux.org/packages.php?ID=2759<br />
* http://pam-encfs.googlecode.com/svn/trunk/README<br />
* http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf<br />
* https://wiki.edubuntu.org/EncryptedHomeFolder<br />
* http://code.google.com/p/pam-encfs/<br />
<br />
====Single password====<br />
Note that if you use the same password for login and for EncFS (e.g. via try_first_pass or use_first_pass, so that EncFS is mounted during your login), then you should use [[SHA password hashes]] (preferably SHA512 with a large number of rounds) and, most importantly, a SECURE PASSWORD, because the hash of your password is probably stored in unencrypted form in /etc/shadow and can be cracked in order to obtain your EncFS password (since it is the same as your regular unix login password).<br />
<br />
====/etc/pam.d/====<br />
Note that when you use the '''try_first_pass''' parameter to '''pam_unix.so''', you have to set EncFS to use the same password you use to log in (or vice versa), and you will enter just a single password. Without this parameter you will need to enter two passwords.<br />
=====login=====<br />
I am personally not using pam_encfs in login, but only in GDM, because I don't expect the VC to be user friendly. Anyway, you will probably need to debug the configuration for login first and then migrate it to gdm, because it's faster and easier to debug on the console.<br />
<pre><br />
#%PAM-1.0<br />
<br />
auth required pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so nullok try_first_pass<br />
#auth required pam_unix.so nullok<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
# use this to lockout accounts for 10 minutes after 3 failed attempts<br />
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog<br />
account required pam_access.so<br />
account required pam_time.so<br />
account required pam_unix.so<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so md5 shadow use_authtok<br />
session required pam_unix.so<br />
session required pam_env.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session optional pam_loginuid.so<br />
-session optional pam_ck_connector.so nox11<br />
#Automatic unmount (optional):<br />
#session required pam_encfs.so<br />
</pre><br />
Note that the automatic unmount will happen even when there is another session, e.g. logging out on a VC can unmount an encfs that was mounted by a GDM session which is still active (that's why I don't use pam_encfs on the console).<br />
=====gdm=====<br />
<pre><br />
#%PAM-1.0<br />
auth requisite pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so try_first_pass<br />
auth optional pam_gnome_keyring.so<br />
account required pam_unix.so<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
session optional pam_gnome_keyring.so auto_start<br />
password required pam_unix.so<br />
session required pam_encfs.so<br />
</pre><br />
<br />
===Mount at Gnome startup using gnome-encfs===<br />
* http://aur.archlinux.org/packages.php?ID=37097<br />
<br />
===Mount when USB drive with EncFS folders is inserted using fsniper===<br />
A simple method to automount encfs (asking for the password) when a USB drive with one or more EncFS folders in its root is inserted. We'll use fsniper (a filesystem-watching daemon based on inotify) and git (for its askpass binary).<br />
<br />
* http://aur.archlinux.org/packages.php?ID=16677<br />
* https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in following HOWTO)<br />
<br />
====HOWTO====<br />
# (you need USB automount working for this, like Thunar or Nautilus provide)<br />
# make an encrypted folder on your drive, e.g.: '''encfs /media/USB/somename /media/USB/somename.plain''' (and then unmount everything)<br />
# install fsniper and git from the AUR<br />
# configure fsniper:<br />
<pre><br />
# ~/.config/fsniper/config<br />
# You can get fsniper at http://code.l3ib.org/?p=fsniper.git<br />
<br />
watch {<br />
    /etc/ {<br />
        mtab {<br />
            # %% is replaced with the filename of the new file<br />
            handler = encfs-automount.sh %%;<br />
        }<br />
    }<br />
}<br />
</pre><br />
# install helper script:<br />
<pre><br />
#!/bin/sh<br />
# ~/.config/fsniper/scripts/encfs-automount.sh<br />
# Quick & dirty script for automounting EncFS USB drives<br />
# TODO:<br />
# - Unmounting!!!<br />
#<br />
ASKPASS="/usr/lib/git-core/git-gui--askpass"<br />
<br />
# Single-instance lock: fsniper fires on every mtab change, so bail out if a previous run is still alive<br />
lock=/tmp/fsniper_encfs.lock<br />
lpid=$(cat "$lock" 2>/dev/null) &&<br />
ps "$lpid" | grep "$lpid" >/dev/null && {<br />
    echo "Another instance of fsniper_encfs is running"<br />
    exit<br />
}<br />
# $$ works in plain /bin/sh; $BASHPID is bash-only and expands to nothing under dash<br />
echo $$ > "$lock"<br />
sleep 2<br />
<br />
echo<br />
echo ==== EncFS automount script for fsniper ====<br />
<br />
# The second column of /proc/mounts is the mount point<br />
list_mounts() {<br />
    cut -d ' ' -f 2 /proc/mounts<br />
}<br />
<br />
list_mounts | while read mount; do<br />
    # An EncFS folder is recognised by its .encfs* config file one level below the mount point<br />
    config="$mount"'/*/.encfs*'<br />
    echo Looking for "$config"<br />
    config="$(echo $config)"   # unquoted on purpose: this expands the glob<br />
    [ -r "$config" ] && {<br />
        cyphertext="$(dirname "$config")"<br />
        plaintext="$cyphertext".plain<br />
        echo Found config: "$config"<br />
        echo Trying to mount: "$cyphertext to $plaintext"<br />
        if list_mounts | grep -Fx "$plaintext" >/dev/null; then<br />
            echo Already mounted: "$plaintext"<br />
        else<br />
            echo WOOHOO Will mount "$cyphertext to $plaintext"<br />
            "$ASKPASS" "EncFS $cyphertext to $plaintext" | encfs --stdinpass "$cyphertext" "$plaintext"<br />
        fi<br />
    }<br />
done<br />
echo<br />
<br />
rm "$lock" 2>/dev/null<br />
</pre><br />
# Make sure that /usr/lib/git-core/git-gui--askpass works for you (that's why you need the git package, but you can adjust the helper script)<br />
# try '''fsniper --log-to-stdout''' in a terminal (askpass should appear when the USB drive is inserted)<br />
# add '''fsniper --daemon''' to your session<br />
# don't forget to unmount encfs before removing the drive</div>Harviehttps://wiki.archlinux.org/index.php?title=EncFS&diff=143336EncFS2011-06-01T01:46:27Z<p>Harvie: intro</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:HOWTOs (English)]]<br />
'''EncFS''' is a userspace stackable cryptographic file-system similar to [[System_Encryption_with_eCryptfs|eCryptFS]], and aims to secure data with the minimum hassle. It uses [[FUSE]] to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as [[TrueCrypt]] and [[System_Encryption_with_LUKS|dm-crypt]].<br />
<br />
EncFS is definitely the simplest software if you want to try disk encryption on Linux.<br />
<br />
This has a number of advantages and disadvantages compared to these systems. Firstly, it does not require any root privileges to implement; any user can create a repository of encrypted files. Secondly, one does not need to create a single file and create a file-system within that; it works on an existing file-system without modifications.<br />
<br />
This does create a few disadvantages, though; because the encrypted files are not stored in their own file, someone who obtains access to the system can still see the underlying directory structure, the number of files, their sizes and when they were modified. They cannot see the contents, however.<br />
<br />
This particular method of securing data is obviously not perfect, but there are situations in which it is useful.<br />
<br />
===Comparison to eCryptFS===<br />
[[System_Encryption_with_eCryptfs|eCryptFS]] is implemented in kernelspace and is therefore a little harder to configure: you have to remember the various encryption options you used (cipher, key type, etc.). In EncFS this is not the case, because EncFS stores this information in its own config file, so you don't have to remember anything (except the passphrase :-). On the other hand, the eCryptFS authors claim that it is faster, because there is no overhead caused by context switching between kernel and userspace.<br />
<br />
==Installation==<br />
Install the {{package Official|encfs}} package using [[pacman]]:<br />
# pacman -S encfs<br />
<br />
==Usage==<br />
To create a secured repository, type:<br />
$ encfs ~/.DIRNAME ~/DIRNAME<br />
This will be followed by a prompt about whether you want to go with the default (paranoid options) or expert configuration. The latter allows specifying algorithms and other options. The former is a fairly secure default setup. After entering a key for the encryption, the encoded file-system will be created and mounted. The encoded files are stored, in this example, at {{filename|~/.DIRNAME}}, and their unencrypted versions in '''{{filename|~/DIRNAME}}'''.<br />
<br />
To unmount the file-system, type:<br />
$ fusermount -u ~/DIRNAME<br />
<br />
To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.<br />
<br />
<br />
==User friendly mounting==<br />
<br />
===Mount using CryptKeeper trayicon===<br />
A quite simple app: just install it from the AUR and add it to your X session:<br />
* http://aur.archlinux.org/packages.php?ID=12743<br />
<br />
===Mount at login using pam_encfs===<br />
A PAM module:<br />
* http://aur.archlinux.org/packages.php?ID=2759<br />
* http://pam-encfs.googlecode.com/svn/trunk/README<br />
* http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf<br />
* https://wiki.edubuntu.org/EncryptedHomeFolder<br />
* http://code.google.com/p/pam-encfs/<br />
<br />
====/etc/pam.d/====<br />
Note that when you use the '''use_first_pass''' parameter to '''pam_unix.so''', you have to set EncFS to use the same password you use to log in (or vice versa), and you will enter just a single password. Without this parameter you will need to enter two passwords.<br />
=====login=====<br />
I am personally not using pam_encfs in login, but only in GDM, because I don't expect the VC to be user friendly. Anyway, you will probably need to debug the configuration for login first and then migrate it to gdm, because it's faster and easier to debug on the console.<br />
<pre><br />
#%PAM-1.0<br />
<br />
auth required pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so nullok use_first_pass<br />
#auth required pam_unix.so nullok<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
# use this to lockout accounts for 10 minutes after 3 failed attempts<br />
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog<br />
account required pam_access.so<br />
account required pam_time.so<br />
account required pam_unix.so<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so md5 shadow use_authtok<br />
session required pam_unix.so<br />
session required pam_env.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session optional pam_loginuid.so<br />
-session optional pam_ck_connector.so nox11<br />
#Automatic unmount (optional):<br />
#session required pam_encfs.so<br />
</pre><br />
Note that the automatic unmount will happen even when there is another session, e.g. logging out on a VC can unmount an encfs that was mounted by a GDM session which is still active (that's why I don't use pam_encfs on the console).<br />
=====gdm=====<br />
<pre><br />
#%PAM-1.0<br />
auth requisite pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so use_first_pass<br />
auth optional pam_gnome_keyring.so<br />
account required pam_unix.so<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
session optional pam_gnome_keyring.so auto_start<br />
password required pam_unix.so<br />
session required pam_encfs.so<br />
</pre><br />
<br />
===Mount at Gnome startup using gnome-encfs===<br />
* http://aur.archlinux.org/packages.php?ID=37097<br />
<br />
===Mount when USB drive with EncFS folders is inserted using fsniper===<br />
A simple method to automount encfs (asking for the password) when a USB drive with one or more EncFS folders in its root is inserted. We'll use fsniper (a filesystem-watching daemon based on inotify) and git (for its askpass binary).<br />
<br />
* http://aur.archlinux.org/packages.php?ID=16677<br />
* https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in following HOWTO)<br />
<br />
====HOWTO====<br />
# (you need USB automount working for this, like Thunar or Nautilus provide)<br />
# make an encrypted folder on your drive, e.g.: '''encfs /media/USB/somename /media/USB/somename.plain''' (and then unmount everything)<br />
# install fsniper and git from the AUR<br />
# configure fsniper:<br />
<pre><br />
# ~/.config/fsniper/config<br />
# You can get fsniper at http://code.l3ib.org/?p=fsniper.git<br />
<br />
watch {<br />
    /etc/ {<br />
        mtab {<br />
            # %% is replaced with the filename of the new file<br />
            handler = encfs-automount.sh %%;<br />
        }<br />
    }<br />
}<br />
</pre><br />
# install helper script:<br />
<pre><br />
#!/bin/sh<br />
# ~/.config/fsniper/scripts/encfs-automount.sh<br />
# Quick & dirty script for automounting EncFS USB drives<br />
# TODO:<br />
# - Unmounting!!!<br />
#<br />
ASKPASS="/usr/lib/git-core/git-gui--askpass"<br />
<br />
# Single-instance lock: fsniper fires on every mtab change, so bail out if a previous run is still alive<br />
lock=/tmp/fsniper_encfs.lock<br />
lpid=$(cat "$lock" 2>/dev/null) &&<br />
ps "$lpid" | grep "$lpid" >/dev/null && {<br />
    echo "Another instance of fsniper_encfs is running"<br />
    exit<br />
}<br />
# $$ works in plain /bin/sh; $BASHPID is bash-only and expands to nothing under dash<br />
echo $$ > "$lock"<br />
sleep 2<br />
<br />
echo<br />
echo ==== EncFS automount script for fsniper ====<br />
<br />
# The second column of /proc/mounts is the mount point<br />
list_mounts() {<br />
    cut -d ' ' -f 2 /proc/mounts<br />
}<br />
<br />
list_mounts | while read mount; do<br />
    # An EncFS folder is recognised by its .encfs* config file one level below the mount point<br />
    config="$mount"'/*/.encfs*'<br />
    echo Looking for "$config"<br />
    config="$(echo $config)"   # unquoted on purpose: this expands the glob<br />
    [ -r "$config" ] && {<br />
        cyphertext="$(dirname "$config")"<br />
        plaintext="$cyphertext".plain<br />
        echo Found config: "$config"<br />
        echo Trying to mount: "$cyphertext to $plaintext"<br />
        if list_mounts | grep -Fx "$plaintext" >/dev/null; then<br />
            echo Already mounted: "$plaintext"<br />
        else<br />
            echo WOOHOO Will mount "$cyphertext to $plaintext"<br />
            "$ASKPASS" "EncFS $cyphertext to $plaintext" | encfs --stdinpass "$cyphertext" "$plaintext"<br />
        fi<br />
    }<br />
done<br />
echo<br />
<br />
rm "$lock" 2>/dev/null<br />
</pre><br />
# Make sure that /usr/lib/git-core/git-gui--askpass works for you (that's why you need the git package, but you can adjust the helper script)<br />
# try '''fsniper --log-to-stdout''' in a terminal (askpass should appear when the USB drive is inserted)<br />
# add '''fsniper --daemon''' to your session<br />
# don't forget to unmount encfs before removing the drive</div>Harviehttps://wiki.archlinux.org/index.php?title=EncFS&diff=143332EncFS2011-06-01T01:36:22Z<p>Harvie: User friendly mounting</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:HOWTOs (English)]]<br />
'''EncFS''' is a userspace cryptographic file-system that aims to secure data with minimum hassle. It uses [[FUSE]] to mount an encrypted directory onto another directory specified by the user. It does not use a loopback system like some other comparable systems such as [[TrueCrypt]] and [[dm-crypt]].<br />
<br />
This has a number of advantages and disadvantages compared to these systems. Firstly, it does not require any root privileges; any user can create a repository of encrypted files. Secondly, one does not need to create a single container file and create a file-system within it; EncFS works on an existing file-system without modifications.<br />
<br />
This does create a few disadvantages, though: because the encrypted files are not stored inside a single container file, someone who obtains access to the system can still see the underlying directory structure, the number of files, their sizes and when they were modified. They cannot see the contents, however.<br />
<br />
This particular method of securing data is obviously not perfect, but there are situations in which it is useful.<br />
<br />
==Installation==<br />
Install the {{package Official|encfs}} package using [[pacman]]:<br />
# pacman -S encfs<br />
<br />
==Usage==<br />
To create a secured repository, type:<br />
$ encfs ~/.DIRNAME ~/DIRNAME<br />
This will be followed by a prompt about whether you want to go with the default (paranoid options) or expert configuration. The latter allows specifying algorithms and other options. The former is a fairly secure default setup. After entering a key for the encryption, the encoded file-system will be created and mounted. The encoded files are stored, in this example, at {{filename|~/.DIRNAME}}, and their unencrypted versions in '''{{filename|~/DIRNAME}}'''.<br />
<br />
To unmount the file-system, type:<br />
$ fusermount -u ~/DIRNAME<br />
<br />
To remount the file-system, issue the first command, and enter the key used to encode it. Once this has been entered, the file-system will be mounted again.<br />
<br />
<br />
==User friendly mounting==<br />
<br />
===Mount using CryptKeeper trayicon===<br />
A quite simple app: install it from the AUR and add it to your X session:<br />
* http://aur.archlinux.org/packages.php?ID=12743<br />
<br />
===Mount at login using pam_encfs===<br />
A PAM module:<br />
* http://aur.archlinux.org/packages.php?ID=2759<br />
* http://pam-encfs.googlecode.com/svn/trunk/README<br />
* http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf<br />
* https://wiki.edubuntu.org/EncryptedHomeFolder<br />
* http://code.google.com/p/pam-encfs/<br />
<br />
====/etc/pam.d/====<br />
Note that when you are using the '''use_first_pass''' parameter for '''pam_unix.so''', you have to set EncFS to use the same password as you use to log in (or vice versa), and you will then enter just a single password. Without this parameter you will need to enter two passwords.<br />
=====login=====<br />
I am personally not using pam_encfs in login, but only in GDM, because I don't expect the VC to be user friendly. Anyway, you will probably need to debug the configuration for login and then migrate it to gdm, because it's faster and easier to debug on the console.<br />
<pre><br />
#%PAM-1.0<br />
<br />
auth required pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so nullok use_first_pass<br />
#auth required pam_unix.so nullok<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
# use this to lockout accounts for 10 minutes after 3 failed attempts<br />
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog<br />
account required pam_access.so<br />
account required pam_time.so<br />
account required pam_unix.so<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so md5 shadow use_authtok<br />
session required pam_unix.so<br />
session required pam_env.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session optional pam_loginuid.so<br />
-session optional pam_ck_connector.so nox11<br />
#Automatic unmount (optional):<br />
#session required pam_encfs.so<br />
</pre><br />
Note that the automatic unmount will run even when there is another session, e.g. a logout on a VC can unmount an EncFS mounted by a GDM session that is still active (that's why I don't use pam_encfs on the console).<br />
=====gdm=====<br />
<pre><br />
#%PAM-1.0<br />
auth requisite pam_nologin.so<br />
auth required pam_env.so<br />
auth sufficient pam_encfs.so<br />
auth required pam_unix.so use_first_pass<br />
auth optional pam_gnome_keyring.so<br />
account required pam_unix.so<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
session optional pam_gnome_keyring.so auto_start<br />
password required pam_unix.so<br />
session required pam_encfs.so<br />
</pre><br />
<br />
===Mount at Gnome startup using gnome-encfs===<br />
* http://aur.archlinux.org/packages.php?ID=37097<br />
<br />
===Mount when USB drive with EncFS folders is inserted using fsniper===<br />
A simple method to automount (prompting for the password) EncFS when a USB drive with one or more EncFS folders in its root is inserted. We'll use fsniper (a filesystem watching daemon based on inotify) and git (for its askpass binary).<br />
<br />
* http://aur.archlinux.org/packages.php?ID=16677<br />
* https://github.com/Harvie/Programs/tree/master/bash/encfs/automount (latest version of files used in following HOWTO)<br />
<br />
====HOWTO====<br />
# (you need USB automounting working for this, as thunar or nautilus provide)<br />
# make an encrypted folder on your drive, e.g.: '''encfs /media/USB/somename /media/USB/somename.plain''' (and then unmount everything)<br />
# install fsniper and git from the AUR<br />
# configure fsniper:<br />
<pre><br />
# ~/.config/fsniper/config<br />
# You can get fsniper at http://code.l3ib.org/?p=fsniper.git<br />
<br />
watch {<br />
/etc/ {<br />
mtab {<br />
# %% is replaced with the filename of the new file<br />
handler = encfs-automount.sh %%;<br />
}<br />
}<br />
}<br />
</pre><br />
# install helper script:<br />
<pre><br />
#!/bin/bash<br />
# bash rather than sh: the lock handling below relies on $BASHPID<br />
# ~/.config/fsniper/scripts/encfs-automount.sh<br />
# Quick & dirty script for automounting EncFS USB drives<br />
# TODO:<br />
# - Unmounting!!!<br />
#<br />
ASKPASS="/usr/lib/git-core/git-gui--askpass"<br />
<br />
lock=/tmp/fsniper_encfs.lock<br />
lpid=$(cat "$lock" 2>/dev/null) &&<br />
ps "$lpid" | grep "$lpid" >/dev/null && {<br />
echo "Another instance of fsniper_encfs is running"<br />
exit;<br />
}<br />
echo $BASHPID > "$lock";<br />
sleep 2;<br />
<br />
echo<br />
echo ==== EncFS automount script for fsniper ====<br />
<br />
list_mounts() {<br />
cat /proc/mounts | cut -d ' ' -f 2<br />
}<br />
<br />
list_mounts | while read mount; do<br />
config="$mount"'/*/.encfs*';<br />
echo Looking for "$config"<br />
config="$(echo $config)"<br />
[ -r "$config" ] && {<br />
cyphertext="$(dirname "$config")";<br />
plaintext="$cyphertext".plain<br />
echo Found config: "$config";<br />
echo Trying to mount: "$cyphertext to $plaintext";<br />
list_mounts | grep "$plaintext" >/dev/null && {<br />
echo Already mounted: "$plaintext"<br />
} || {<br />
echo WOOHOO Will mount "$cyphertext to $plaintext"<br />
"$ASKPASS" "EncFS $cyphertext to $plaintext" | encfs --stdinpass "$cyphertext" "$plaintext"<br />
}<br />
}<br />
done<br />
echo<br />
<br />
rm "$lock" 2>/dev/null<br />
</pre><br />
# Make sure that /usr/lib/git-core/git-gui--askpass works for you (that is why the git package is needed; you can adjust the helper script to use a different askpass program)<br />
# try '''fsniper --log-to-stdout''' in a terminal (the askpass dialog should appear when a USB drive is inserted)<br />
# add '''fsniper --daemon''' to your session<br />
# don't forget to unmount EncFS before removing the drive</div>Harviehttps://wiki.archlinux.org/index.php?title=Security&diff=143277Security2011-05-31T06:35:30Z<p>Harvie: TMOUT fix, noexec workaround = insecure, encryption</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:File systems (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
{{expansion}}<br />
<br />
Instructions on how to harden and secure an Arch Linux system.<br />
<br />
==Concepts==<br />
*It ''is'' possible to tighten the security so much as to make your system unusable. The trick is to secure it without overdoing it.<br />
*There are many other things that can be done to heighten the security, but the biggest threat is, and will always be, the user himself. When you think security, you have to think layers. When one layer is breached, another should stop the attack. But you can never make the system 100% secure unless you unplug the machine from all networks, lock it in a safe and never use it!<br />
*Be a little paranoid. It helps. And be suspicious. If anything sounds too good to be true, it probably is!<br />
*[[Wikipedia:Principle of least privilege|Principle of least privilege]]<br />
<br />
==Physical security==<br />
{{Note|You can ignore this section if you just want to secure your computer against remote threats.}}<br />
Physical access to a computer is basically root access, but you can make sure that an attacker cannot get in without removing your hard drive (also see [[#Disk encryption]]) or resetting your BIOS settings (both of which involve opening the computer). <br />
<br />
===Locking down BIOS===<br />
<br />
Adding a password to the BIOS prevents someone from booting from removable media, which is basically the same as having root access to your computer. You should make sure your drive is first in the boot order (and disable the other drives from being bootable if you can).<br />
<br />
===Bootloader password===<br />
<br />
It’s highly important to protect your bootloader. There’s a magic kernel parameter called '''init=/bin/sh'''. This makes any user/login restrictions totally useless.<br />
<br />
Good (strong) passwords can be obtained with ease, through the use of the apg package, or Automated Password Generator. <br />
<br />
====grub====<br />
*[[Grub#Password protection]]<br />
<br />
====grub2====<br />
<!-- this should use a hash like the grub instructions, also, this should be on the grub2 page --><br />
<br />
The best way is to set a password for changing boot parameters. Add the following to ''/boot/grub/grub.cfg'' (assuming the login is “master” and the password “retsam”):<br />
<br />
<pre>set superusers master<br />
password master retsam</pre><br />
<br />
Don’t forget to set 600 permissions on grub.cfg!<br />
<br />
===Disable CTRL-ALT-DEL===<br />
To ensure that no one just walks up to your computer and presses CTRL-ALT-DEL to restart your machine, you can disable the capture of CTRL-ALT-DEL in the file ''/etc/inittab''.<br />
I could see this being used in a production environment, where the operator needs to use the keyboard but the computer itself is locked away.<br />
<br />
Open the file ''/etc/inittab'' and find the line<br />
<br />
ca::ctrlaltdel:/sbin/shutdown -t3 -r now<br />
<br />
comment out the line by inserting a leading #.<br />
This change will not take effect until you restart or issue the command<br />
<br />
# /sbin/init -q<br />
<br />
Of course if someone has physical access to your machine he could just press the power button to shutdown the machine!<br />
<br />
=== Automatic logout on VCs (and SSH) ===<br />
If you are using bash, you can set TMOUT so that a shell you forgot to close on a VC (where xscreensaver is not protecting you) logs out automatically.<br />
<br />
Here is an example script that can be placed in, e.g., /etc/profile.d/shell-timeout.sh:<br />
<br />
TMOUT="$(( 60*10 ))";<br />
[ -z "$DISPLAY" ] && export TMOUT;<br />
case $( /usr/bin/tty ) in<br />
/dev/tty[0-9]*) export TMOUT;;<br />
esac<br />
<br />
If you really want EVERY bash prompt (even within X) to time out, then you can use just:<br />
<br />
export TMOUT="$(( 60*10 ))";<br />
<br />
Note that this will not work if some command is running in the bash shell (e.g. an ssh session or another shell without TMOUT support). But if you use the VC mostly for restarting a frozen GDM/Xorg as root, then this is very useful.<br />
<br />
==Partitions==<br />
<br />
Any directories writable by a regular user should be mounted separately from / to avoid hardlink vulnerabilities and Denial of Service attacks (quotas don't stop a user from causing a DoS if there are world-writable directories).<br />
<br />
Absolute minimum partition layout for a secure system:<br />
*'''/'''<br />
*'''/var:''' /var/spool/mail, /var/lock and /var/tmp are world writable, also, logging can be used by an attacker to fill the partition<br />
*'''/tmp:''' world writable<br />
*'''/home:''' writable by regular users<br />
<br />
{{Note|/tmp can be mounted as tmpfs, so you don't need to create a partition for it.}}<br />
<br />
===Mount options===<br />
Following the principle of least privilege, partitions should be mounted with the most restrictive mount options possible (without losing functionality).<br />
<br />
====Relevant mount options====<br />
<br />
*'''nodev:''' Do not interpret character or block special devices on the file system.<br />
*'''nosuid:''' Do not allow set-user-identifier or set-group-identifier bits to take effect.<br />
*'''noexec:''' Do not allow direct execution of any binaries on the mounted filesystem.<br />
<br />
====Potential usage====<br />
<br />
{{Note|Data partitions should always be mounted with nodev,nosuid,noexec.}}<br />
<br />
{|<br />
| align="center" style="background:#f0f0f0;"|'''Partition'''<br />
| align="center" style="background:#f0f0f0;"|'''nodev'''<br />
| align="center" style="background:#f0f0f0;"|'''nosuid'''<br />
| align="center" style="background:#f0f0f0;"|'''noexec'''<br />
|-<br />
| /var||yes||yes||yes<br />
|- style="background:#e4e4e4"<br />
| /home||yes||yes||yes, if you don't code or use wine<br />
|-<br />
| /dev/shm||yes||yes||yes<br />
|- style="background:#e4e4e4"<br />
| /tmp||yes||yes||maybe, breaks compiling packages and various other things<br />
|-<br />
| /boot||yes||yes||yes<br />
|-<br />
|}<br />
<br />
====Workaround for noexec====<br />
<br />
If you indeed need to run a program from a data partition, a workaround could be to use a script that remounts the partition with the option exec, performs the desired task, and then remounts the partition with the option noexec again.<br />
<br />
See the following example:<br />
<br />
#!/bin/bash<br />
mount -o remount,exec /tmp<br />
/tmp/someprogram<br />
mount -o remount,noexec /tmp<br />
<br />
Note that this is not very secure (it is really just a race condition): anyone can run your wrapper in a loop and, in another loop, run<br />
killall -SIGSTOP /tmp/someprogram<br />
which lets them execute anything from that partition while it is remounted exec. Even if they cannot launch the wrapper (or kill the program), they can still use an infinite loop to catch the moment when you are using the wrapper and launch the executable they want.<br />
<br />
==Filesystem permissions==<br />
The default filesystem permissions allow read access to almost everything and changing the permissions can hide valuable information from an attacker who gains access to a non-root account such as the http or nobody users.<br />
<br />
For example:<br />
<br />
# chmod 700 /boot /etc/{iptables,arptables}<br />
<br />
==Disk encryption==<br />
You should know that encryption is the only way to protect your data against people who have physical access to your hardware. But once you mount an encrypted volume, you have to be sure that you are the only person with physical or root access to the machine (nothing in the system is safe against root).<br />
<br />
* [[System_Encryption_with_LUKS]]<br />
* [[EncFS]]<br />
* [[System_Encryption_with_eCryptfs]]<br />
<br />
==User setup==<br />
After installation make a normal user for daily use. Don’t use the root user for daily use!<br />
Pick a secure password. I trust you know not to use a dictionary word or something like your dogs name.<br />
A password should be at least eight characters long, contain a mix of upper and lower case letters, and include at least one number and/or one special character.<br />
<br />
If you, like me, have a good memory for passwords then you can use a program like '''pwgen''' to create a bunch of passwords and print them on the screen. Then just pick one to use.<br />
Alternately you can make a password using the first characters from every word in a sentence.<br />
Take for instance “the girl is walking down the rainy street” could be translated to “t6!WdtR5”. This approach could make it easier to remember a password.<br />
<br />
==Restricting su==<br />
See [[su#Security]] for details.<br />
<br />
==No root login at the console==<br />
Changing the configuration to disallow root from logging in from the console makes it harder for an intruder to gain access to the system. The intruder would have to guess both a user name that exists on the system and that user's password. When root is allowed to log in via the console, an intruder only needs to guess a password.<br />
Blocking root login at the console is done by changing the file /etc/securetty and commenting out the tty lines.<br />
All you have to do is change<br />
<br />
<pre>tty1</pre><br />
<br />
to<br />
<br />
<pre>#tty1</pre><br />
<br />
Repeat for any tty you wish to block.<br />
To check the effect of this change, start by commenting out only one line. Then go to that particular console and try to log in as root. You will be greeted by the message “Login incorrect”.<br />
Now that we’re sure it works, go back and comment out the rest of the tty lines.<br />
<br />
==Lockout user after three failed login attempts==<br />
To further heighten the security it is possible to lockout a user after a specified number of failed login attempts. The user account can either be locked until the root user unlocks it, or automatically be unlocked after a set time.<br />
To lockout a user for ten minutes after three failed login attempts you have to change the file /etc/pam.d/login. Find the line that reads<br />
<br />
<pre>#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog</pre><br />
<br />
and remove the leading #. Then find the line that reads<br />
<br />
<pre>auth required pam_tally.so onerr=succeed file=/var/log/faillog</pre><br />
<br />
and insert a leading # on the line. If you don’t do this, then every failed login attempt will be counted twice. That’s all there is to it. If you feel adventurous, make three failed login attempts. Then you can see for yourself what happens.<br />
To unlock a user manually use the following command as root<br />
<br />
<pre>[root@localhost] pam_tally --user USERNAME --reset</pre><br />
<br />
If you want to permanently lockout a user after 3 failed login attempts, then just remove the unlock_time part of the line. Then the user can not login until root unlocks the account.<br />
<br />
==Use sudo for system commands==<br />
To make a user run some system commands as root it is advisable to use sudo to give that user the needed authority. It wouldn’t be good to hand out the root password to just anyone.<br />
Even if you are the only user on the system, using sudo is a good idea to keep from using a root console too much. Sometimes you just forget to logout again!<br />
<br />
Setting up sudo is quite easy. Just use the visudo command to bring up the configuration file in the editor.<br />
The file already includes some examples you can use. I will show you one command that I always add to my sudoers file.<br />
I want to be able to mount samba shares from my server on my workstation with a regular user, so I add the following using visudo<br />
<br />
<pre>%users ALL=/sbin/mount.cifs,/sbin/umount.cifs</pre><br />
<br />
This allows all users who are members of the group users to run the commands ''/sbin/mount.cifs'' and ''/sbin/umount.cifs'' from any machine (ALL).<br />
If you’re not comfortable with using the vi style editor, you can use the following to use nano instead.<br />
<br />
<s><pre>[root@localhost] EDITOR=nano visudo</pre></s><br />
<br />
The above is not correct security wise. See following paragraph for explanation.<br />
<br />
By default, visudo doesn’t honour the EDITOR environment variable. Honouring it is also regarded as a severe security risk, since anything can be used as EDITOR (hello, rootkits!). The best practice is to add the following line to ''/etc/sudoers'' (remember to put the full path to your favourite editor):<br />
<br />
<pre>Defaults editor=/usr/bin/nano</pre><br />
<br />
Don’t forget to use only visudo for this!<br />
<br />
Please be careful not to enable the line that gives the user power over all commands! Only few commands should be made available to run as root via sudo.<br />
<br />
==Password hashes==<br />
Consider switching from MD5 hashes to [[SHA password hashes]] to make it near impossible for someone to reverse the hashes into your plaintext passwords.<br />
<br />
==Access control==<br />
*[[AppArmor]] (pathname)<br />
*[[SELinux]] (labels)<br />
*[[Tomoyo]] (pathname)<br />
*[[grsecurity]]<br />
<br />
==Firewall==<br />
*See [[Simple stateful firewall]] for a guide on setting up a netfilter (iptables) firewall.<br />
*See [[Firewalls]] for other ways of setting up netfilter.<br />
*See [[iptables]] for general info.<br />
<br />
==TCP/IP stack hardening==<br />
<br />
[[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]]<br />
<br />
==Kernel hardening==<br />
[[grsecurity]]<br />
<br />
==Authenticating Updates==<br />
Until package signing is added to Arch Linux, use of [http://igurublog.wordpress.com/downloads/script-paccheck/ paccheck] ([http://aur.archlinux.org/packages.php?ID=46763 AUR], [https://bbs.archlinux.org/viewtopic.php?id=113917 Forum]) is recommended to help authenticate packages downloaded from mirrors.<br />
<br />
==Resources==<br />
* Securing and Hardening Red Hat Linux Production Systems <br />http://www.puschitz.com/SecuringLinux.shtml<br />
* Securing Linux, Part 1: Introduction <br />http://www.ibm.com/developerworks/linux/library/l-seclnx1.html<br />
* Securing and Optimizing Linux <br />http://www.faqs.org/docs/securing/index.html<br />
* UNIX and Linux Security Checklist v3.0 <br />http://www.auscert.org.au/5816</div>Harviehttps://wiki.archlinux.org/index.php?title=Security&diff=143275Security2011-05-31T06:19:04Z<p>Harvie: bash TMOUT</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:File systems (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
{{expansion}}<br />
<br />
Instructions on how to harden and secure an Arch Linux system.<br />
<br />
==Concepts==<br />
*It ''is'' possible to tighten the security so much as to make your system unusable. The trick is to secure it without overdoing it.<br />
*There are many other things that can be done to heighten the security, but the biggest threat is, and will always be, the user himself. When you think security, you have to think layers. When one layer is breached, another should stop the attack. But you can never make the system 100% secure unless you unplug the machine from all networks, lock it in a safe and never use it!<br />
*Be a little paranoid. It helps. And be suspicious. If anything sounds too good to be true, it probably is!<br />
*[[Wikipedia:Principle of least privilege|Principle of least privilege]]<br />
<br />
==Physical security==<br />
{{Note|You can ignore this section if you just want to secure your computer against remote threats.}}<br />
Physical access to a computer is basically root access, but you can make sure that an attacker cannot get in without removing your hard drive (also see [[#Encryption]]) or resetting your BIOS settings (both of which involve opening the computer). <br />
<br />
===Locking down BIOS===<br />
<br />
Adding a password to the BIOS prevents someone from booting from removable media, which is basically the same as having root access to your computer. You should make sure your drive is first in the boot order (and disable the other drives from being bootable if you can).<br />
<br />
===Bootloader password===<br />
<br />
It’s highly important to protect your bootloader. There’s a magic kernel parameter called '''init=/bin/sh'''. This makes any user/login restrictions totally useless.<br />
<br />
Good (strong) passwords can be obtained with ease, through the use of the apg package, or Automated Password Generator. <br />
<br />
====grub====<br />
*[[Grub#Password protection]]<br />
<br />
====grub2====<br />
<!-- this should use a hash like the grub instructions, also, this should be on the grub2 page --><br />
<br />
The best way is to set a password for changing boot parameters. Add the following to ''/boot/grub/grub.cfg'' (assuming the login is “master” and the password “retsam”):<br />
<br />
<pre>set superusers master<br />
password master retsam</pre><br />
<br />
Don’t forget to set 600 permissions on grub.cfg!<br />
<br />
===Disable CTRL-ALT-DEL===<br />
To ensure that no one just walks up to your computer and presses CTRL-ALT-DEL to restart your machine, you can disable the capture of CTRL-ALT-DEL in the file ''/etc/inittab''.<br />
I could see this being used in a production environment, where the operator needs to use the keyboard but the computer itself is locked away.<br />
<br />
Open the file ''/etc/inittab'' and find the line<br />
<br />
ca::ctrlaltdel:/sbin/shutdown -t3 -r now<br />
<br />
comment out the line by inserting a leading #.<br />
This change will not take effect until you restart or issue the command<br />
<br />
# /sbin/init -q<br />
<br />
Of course if someone has physical access to your machine he could just press the power button to shutdown the machine!<br />
<br />
=== Automatic logout on VCs (and SSH) ===<br />
If you are using bash, you can set TMOUT so that a shell you forgot to close on a VC (where xscreensaver is not protecting you) logs out automatically.<br />
<br />
Here is an example script that can be placed in, e.g., /etc/profile.d/login-timeout.sh:<br />
<br />
TMOUT="$(( 60*10 ))";<br />
[ -z "$DISPLAY" ] && export TMOUT;<br />
case $( /usr/bin/tty ) in<br />
/dev/tty[0-9]*) export TMOUT;;<br />
esac<br />
<br />
If you really want EVERY bash prompt (even within X) to time out, then you can use just:<br />
<br />
export TMOUT="$(( 60*10 ))";<br />
<br />
Note that this will not work if some command is running in the bash shell (e.g. an ssh session or another shell without TMOUT support). But if you use the VC mostly for restarting a frozen GDM/Xorg as root, then this is very useful.<br />
<br />
==Partitions==<br />
<br />
Any directories writable by a regular user should be mounted separately from / to avoid hardlink vulnerabilities and Denial of Service attacks (quotas don't stop a user from causing a DoS if there are world-writable directories).<br />
<br />
Absolute minimum partition layout for a secure system:<br />
*'''/'''<br />
*'''/var:''' /var/spool/mail, /var/lock and /var/tmp are world writable, also, logging can be used by an attacker to fill the partition<br />
*'''/tmp:''' world writable<br />
*'''/home:''' writable by regular users<br />
<br />
{{Note|/tmp can be mounted as tmpfs, so you don't need to create a partition for it.}}<br />
<br />
===Mount options===<br />
Following the principle of least privilege, partitions should be mounted with the most restrictive mount options possible (without losing functionality).<br />
<br />
====Relevant mount options====<br />
<br />
*'''nodev:''' Do not interpret character or block special devices on the file system.<br />
*'''nosuid:''' Do not allow set-user-identifier or set-group-identifier bits to take effect.<br />
*'''noexec:''' Do not allow direct execution of any binaries on the mounted filesystem.<br />
<br />
====Potential usage====<br />
<br />
{{Note|Data partitions should always be mounted with nodev,nosuid,noexec.}}<br />
<br />
{|<br />
| align="center" style="background:#f0f0f0;"|'''Partition'''<br />
| align="center" style="background:#f0f0f0;"|'''nodev'''<br />
| align="center" style="background:#f0f0f0;"|'''nosuid'''<br />
| align="center" style="background:#f0f0f0;"|'''noexec'''<br />
|-<br />
| /var||yes||yes||yes<br />
|- style="background:#e4e4e4"<br />
| /home||yes||yes||yes, if you don't code or use wine<br />
|-<br />
| /dev/shm||yes||yes||yes<br />
|- style="background:#e4e4e4"<br />
| /tmp||yes||yes||maybe, breaks compiling packages and various other things<br />
|-<br />
| /boot||yes||yes||yes<br />
|-<br />
|}<br />
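An added audit helper, written for this page and not part of the ArchWiki article, that checks a /proc/mounts listing against the nodev/nosuid/noexec expectations in the table above (and in the same table in the newer revision of this page earlier in the feed). The POLICY, the constructed SAMPLE_MOUNTS listing and the function names are assumptions of this example; noexec on /home and /tmp is treated as optional because the table marks it conditional.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: audit a /proc/mounts listing against the
# nodev/nosuid/noexec table. Runs with any POSIX sh plus awk.

# Policy derived from the table: mountpoint, then the options that must be present.
# noexec on /home and /tmp is conditional in the table, so it is not required here.
POLICY='/var nodev nosuid noexec
/home nodev nosuid
/dev/shm nodev nosuid noexec
/tmp nodev nosuid
/boot nodev nosuid noexec'

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# /var is deliberately missing noexec so the audit has something to report.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 rw,nodev,nosuid,noexec 0 0
/dev/sda3 /var ext4 rw,nodev,nosuid 0 0
/dev/sda4 /home ext4 rw,nodev,nosuid 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated option list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts MOUNTS MOUNTPOINT: print the option field of the last entry for
# MOUNTPOINT (the last entry is the one currently visible, e.g. after a remount),
# or nothing when MOUNTPOINT is not a separate mount.
mount_opts() {
    printf '%s\n' "$1" | awk -v m="$2" '$2 == m { o = $4 } END { print o }'
}

# audit_mounts MOUNTS: MOUNTS is the text of /proc/mounts (or a constructed copy).
# Prints one finding per line: "<mountpoint> not mounted separately" when a policy
# mountpoint is not its own mount (it then inherits the options of /), or
# "<mountpoint> missing <opt>" for each required option that is absent.
# Returns the number of findings, so 0 means the listing satisfies the table.
audit_mounts() {
    findings=0
    while read -r mnt required; do
        [ -n "$mnt" ] || continue
        opts=$(mount_opts "$1" "$mnt")
        if [ -z "$opts" ]; then
            printf '%s not mounted separately\n' "$mnt"
            findings=$((findings + 1))
            continue
        fi
        for opt in $required; do
            if ! has_opt "$opts" "$opt"; then
                printf '%s missing %s\n' "$mnt" "$opt"
                findings=$((findings + 1))
            fi
        done
    done <<EOF
$POLICY
EOF
    return "$findings"
}

# Demonstration on the constructed sample; prints "/var missing noexec" and "findings: 1".
audit_mounts "$SAMPLE_MOUNTS"
echo "findings: $?"
```

To audit a live system instead of the sample, call `audit_mounts "$(cat /proc/mounts)"`; a non-zero return value is the count of deviations from the table.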
<br />
====Workaround for noexec====<br />
<br />
If you indeed need to run a program from a data partition, a workaround could be to use a script that remounts the partition with the option exec, performs the desired task, and then remounts the partition with the option noexec again.<br />
<br />
See the following example:<br />
<br />
<pre>#!/bin/bash<br />
mount -o remount,exec /tmp<br />
/tmp/someprogram<br />
mount -o remount,noexec /tmp</pre><br />
<br />
==Filesystem permissions==<br />
The default filesystem permissions allow read access to almost everything and changing the permissions can hide valuable information from an attacker who gains access to a non-root account such as the http or nobody users.<br />
<br />
For example:<br />
<br />
# chmod 700 /boot /etc/{iptables,arptables}<br />
<br />
==User setup==<br />
After installation make a normal user for daily use. Don’t use the root user for daily use!<br />
Pick a secure password. I trust you know not to use a dictionary word or something like your dogs name.<br />
A password should be at least eight characters long, contain a mix of upper and lower case letters, and include at least one number and/or one special character.<br />
<br />
If you, like me, have a good memory for passwords then you can use a program like '''pwgen''' to create a bunch of passwords and print them on the screen. Then just pick one to use.<br />
Alternately you can make a password using the first characters from every word in a sentence.<br />
Take for instance “the girl is walking down the rainy street” could be translated to “t6!WdtR5”. This approach could make it easier to remember a password.<br />
<br />
==Restricting su==<br />
See [[su#Security]] for details.<br />
<br />
==No root login at the console==<br />
Changing the configuration to disallow root from logging in from the console makes it harder for an intruder to gain access to the system. The intruder would have to guess both a user name that exists on the system and that user's password. When root is allowed to log in via the console, an intruder only needs to guess a password.<br />
Blocking root login at the console is done by changing the file /etc/securetty and commenting out the tty lines.<br />
All you have to do is change<br />
<br />
<pre>tty1</pre><br />
<br />
to<br />
<br />
<pre>#tty1</pre><br />
<br />
Repeat for any tty you wish to block.<br />
To check the effect of this change, start by commenting out only one line. Then go to that particular console and try to log in as root. You will be greeted by the message “Login incorrect”.<br />
Now that we’re sure it works, go back and comment out the rest of the tty lines.<br />
<br />
==Lockout user after three failed login attempts==<br />
To further heighten the security it is possible to lockout a user after a specified number of failed login attempts. The user account can either be locked until the root user unlocks it, or automatically be unlocked after a set time.<br />
To lockout a user for ten minutes after three failed login attempts you have to change the file /etc/pam.d/login. Find the line that reads<br />
<br />
<pre>#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog</pre><br />
<br />
and remove the leading #. Then find the line that reads<br />
<br />
<pre>auth required pam_tally.so onerr=succeed file=/var/log/faillog</pre><br />
<br />
and insert a leading # on that line. If you do not do this, every failed login attempt will be counted twice. That is all there is to it. If you feel adventurous, make three failed login attempts and see for yourself what happens.<br />
To unlock a user manually, run the following command as root:<br />
<br />
<pre>[root@localhost] pam_tally --user username --reset</pre><br />
<br />
If you want to permanently lock out a user after three failed login attempts, just remove the unlock_time part of the line. Then the user cannot log in until root unlocks the account.<br />
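<br />
The following is an added example (it is not part of the wiki page): a small POSIX shell script that reads a PAM service file such as /etc/pam.d/login and reports whether the pam_tally lockout is configured as described above, whether it is still at the shipped default (no deny= threshold), or whether both pam_tally lines are active so that every failure is counted twice. The sample file contents it writes for testing are constructed here; the function and file names are this example's own.<br />

```sh
#!/bin/sh
# Added example, not taken from the wiki page: check a PAM service file for
# the pam_tally mistake described above (two active pam_tally lines, so every
# failure is counted twice) and report the configured deny= threshold.
# All sample file contents are constructed for this example.

# Regex for an active (uncommented) "auth ... pam_tally.so" line.
ACTIVE_TALLY='^[[:space:]]*auth[[:space:]]+.*pam_tally\.so'

# Print how many active pam_tally auth lines the file $1 contains.
pam_tally_active_lines() {
    if [ -r "$1" ]; then
        grep -c -E "$ACTIVE_TALLY" "$1" || true   # grep -c exits 1 when the count is 0
    else
        echo 0
    fi
}

# Print the deny= value of the first active pam_tally line, or nothing.
pam_tally_deny() {
    [ -r "$1" ] || return 0
    grep -E "$ACTIVE_TALLY" "$1" | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify the file: "double" (failures counted twice), "none" (no lockout
# threshold active) or "ok" (exactly one active line carrying deny=).
pam_tally_status() {
    n=$(pam_tally_active_lines "$1")
    d=$(pam_tally_deny "$1")
    if [ "$n" -ge 2 ]; then
        echo double
    elif [ -z "$d" ]; then
        echo none
    else
        echo ok
    fi
}

# Write a constructed sample file ($1) in one of three states ($2):
#   shipped - the layout the text starts from (deny line commented out)
#   fixed   - deny line enabled, plain line commented out (the intended result)
#   double  - both lines active (the mistake the text warns about)
write_sample_login() {
    deny='auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog'
    plain='auth required pam_tally.so onerr=succeed file=/var/log/faillog'
    case "$2" in
        shipped) printf '%s\n' "#$deny" "$plain" ;;
        fixed)   printf '%s\n' "$deny" "#$plain" ;;
        double)  printf '%s\n' "$deny" "$plain" ;;
    esac > "$1"
    printf '%s\n' 'auth required pam_unix.so' >> "$1"
}

# Usage: sh pam_tally_check.sh /etc/pam.d/login
if [ "$#" -eq 1 ]; then
    printf '%s: %s (deny=%s)\n' "$1" "$(pam_tally_status "$1")" "$(pam_tally_deny "$1")"
fi
```

Run it against the real file after editing; a result of "double" means the second pam_tally line was not commented out, and "none" means the deny= line is still disabled.<br />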
<br />
==Use sudo for system commands==<br />
To let a user run some system commands as root, it is advisable to use sudo to give that user just the needed authority. It would not be good to hand out the root password to just anyone.<br />
Even if you are the only user on the system, using sudo is a good idea to keep from using a root console too much. Sometimes you just forget to log out again!<br />
<br />
Setting up sudo is quite easy. Just use the visudo command to open the configuration file in the editor.<br />
The file already includes some examples you can use. I will show you one entry that I always add to my sudoers file.<br />
I want to be able to mount Samba shares from my server on my workstation as a regular user, so I add the following using visudo:<br />
<br />
<pre>%users ALL=/sbin/mount.cifs,/sbin/umount.cifs</pre><br />
<br />
This allows all users who are members of the group users to run the commands ''/sbin/mount.cifs'' and ''/sbin/umount.cifs'' from any host (ALL).<br />
If you are not comfortable with the vi-style editor, you could try the following to use nano instead:<br />
<br />
<s><pre>[root@localhost] EDITOR=nano visudo</pre></s><br />
<br />
The above is not correct security-wise. See the following paragraph for an explanation.<br />
<br />
By default, visudo does not honour the EDITOR environment variable. Honouring it is also regarded as a severe security risk, since anything can be supplied as EDITOR (hello, rootkits!). The best practice is to add the following line to ''/etc/sudoers'' (remember to give the full path to your favourite editor):<br />
<br />
<pre>Defaults editor=/usr/bin/nano</pre><br />
<br />
Don’t forget to use only visudo for this!<br />
<br />
Please be careful not to enable the line that gives the user power over all commands! Only a few commands should be made available to run as root via sudo.<br />
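<br />
As an added example (not part of the wiki page, and not sudo's own tooling), the script below scans a sudoers file for the two things this section warns about: user specifications whose command list contains ALL, and entries that waive the password with NOPASSWD. It also reports the Defaults editor= setting so you can confirm it points at a full path. The sudoers text used in its test is constructed; the function names are this example's own.<br />

```sh
#!/bin/sh
# Added example, not taken from the wiki page: scan a sudoers file for user
# specifications that grant every command (ALL) or waive the password
# (NOPASSWD), so the advice above ("only a few commands via sudo") can be
# checked mechanically, and report the "Defaults editor=" setting.
# The sudoers text used for testing is constructed.

# Drop comments and blank lines. Note: '#include'/'#includedir' directives
# and '#uid' user specs are dropped too, so included files need a separate scan.
sudoers_rules() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print user specifications whose command list contains ALL. The root entry
# is skipped: root already has every power, so its line is not a finding.
sudoers_all_grants() {
    sudoers_rules "$1" | awk '
        /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        /^root[ \t]/ { next }
        {
            cmd = $0
            sub(/^[^=]*=[ \t]*/, "", cmd)           # strip "user host="
            sub(/^\([^)]*\)[ \t]*/, "", cmd)        # strip "(runas)"
            while (cmd ~ /^[A-Z]+:[ \t]*/)          # strip tags such as NOPASSWD:
                sub(/^[A-Z]+:[ \t]*/, "", cmd)
            n = split(cmd, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                if (part[i] == "ALL") { print; break }
            }
        }'
}

# Print user specifications carrying the NOPASSWD tag.
sudoers_nopasswd() {
    sudoers_rules "$1" | grep 'NOPASSWD:' || true
}

# Print the editor configured with "Defaults editor=", or nothing if unset.
sudoers_editor() {
    sudoers_rules "$1" | sed -n 's/^Defaults[[:space:]]*editor[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Count the lines printed by a scanner (prints 0 for empty input).
count_lines() {
    awk 'END { print NR }'
}

# Usage: sh sudoers_check.sh /etc/sudoers
if [ "$#" -eq 1 ]; then
    echo "editor: $(sudoers_editor "$1")"
    echo "entries granting ALL commands:"; sudoers_all_grants "$1"
    echo "entries with NOPASSWD:"; sudoers_nopasswd "$1"
fi
```

This only reads the file, so it is safe to run on /etc/sudoers as root at any time; syntax checking is still visudo's job (visudo -c -f FILE), and the scan reports findings for review rather than editing anything.<br />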
<br />
==Password hashes==<br />
Consider switching from MD5 hashes to [[SHA password hashes]] to make it near impossible for someone to reverse the hashes into your plaintext passwords.<br />
<br />
==Access control==<br />
*[[AppArmor]] (pathname)<br />
*[[SELinux]] (labels)<br />
*[[Tomoyo]] (pathname)<br />
*[[grsecurity]]<br />
<br />
==Firewall==<br />
*See [[Simple stateful firewall]] for a guide on setting up a netfilter (iptables) firewall.<br />
*See [[Firewalls]] for other ways of setting up netfilter.<br />
*See [[iptables]] for general info.<br />
<br />
==TCP/IP stack hardening==<br />
<br />
[[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]]<br />
<br />
==Kernel hardening==<br />
[[grsecurity]]<br />
<br />
==Authenticating Updates==<br />
Until package signing is added to Arch Linux, use of [http://igurublog.wordpress.com/downloads/script-paccheck/ paccheck] ([http://aur.archlinux.org/packages.php?ID=46763 AUR], [https://bbs.archlinux.org/viewtopic.php?id=113917 Forum]) is recommended to help authenticate packages downloaded from mirrors.<br />
<br />
==Resources==<br />
* Securing and Hardening Red Hat Linux Production Systems <br />http://www.puschitz.com/SecuringLinux.shtml<br />
* Securing Linux, Part 1: Introduction <br />http://www.ibm.com/developerworks/linux/library/l-seclnx1.html<br />
* Securing and Optimizing Linux <br />http://www.faqs.org/docs/securing/index.html<br />
* UNIX and Linux Security Checklist v3.0 <br />http://www.auscert.org.au/5816</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120653AppArmor2010-11-05T02:40:52Z<p>Harvie: /* Mounts (/etc/fstab securityfs) */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are still untested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
=== aur/apparmor package ===<br />
Many features have already been added:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But the following features are still missing (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* chase missing dependencies<br />
* test everything<br />
* make list of files that should go to backup=() arrays in packages...<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
** make some package with profiles for all [core] packages enabled by default without need for any further user configuration<br />
** etc...<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We do not have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
* KNOW-HOW<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://help.ubuntu.com/community/AppArmor<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/maverick/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/maverick/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the Arch Linux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
However, the integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches that can be applied on top of the 2.6.36 kernel to reintroduce these interfaces, but they do not currently build against the Arch Linux kernel.<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
To test or enforce AppArmor profiles, AppArmor must be enabled at boot time. To do this, add apparmor=1 security=apparmor to the kernel boot parameters in /boot/grub/menu.lst, so that the entry for the Arch Linux kernel looks something like this:<br />
<br />
# (0) Arch Linux<br />
title Arch Linux [/boot/vmlinuz26]<br />
root (hd0,1)<br />
kernel /boot/vmlinuz26 root=/dev/sdaX resume=/dev/sdaY ro '''apparmor=1 security=apparmor'''<br />
initrd /boot/kernel26.img<br />
<br />
Once you are happy with all your profiles, you may wish to force users to boot with AppArmor enabled. To do this, add a password entry to the start of /boot/grub/menu.lst. This prevents users from editing any boot entries or using the GRUB shell (which permits read access to any file on the system, such as /etc/shadow) before booting. You can also password-protect any insecure entries in /boot/grub/menu.lst that you do not want unauthorized users to boot by adding the lock command (or another password) immediately below the title line for that entry. See [[Grub#Password_protection]] or [http://www.gnu.org/software/grub/manual/legacy/Security.html#Security Security in the Grub Manual] for more details. If you are going to the trouble of securing GRUB, do not forget to secure your BIOS settings as well, or users will be able to boot from their own CDs and USB sticks and gain root access to the machine.<br />
<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can check whether AppArmor is really enabled with this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
See https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces for the kernel interfaces. Add the following line to /etc/fstab so that securityfs is mounted at boot:<br />
none /sys/kernel/security securityfs defaults 0 0<br />
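<br />
The two prerequisites set up above (AppArmor enabled in the running kernel, checked via /sys/module/apparmor/parameters/enabled, and securityfs mounted on /sys/kernel/security) can be verified together before any profile is loaded. The script below is an added example, not part of the wiki page or of the AppArmor project; its function names are its own, and both checks take an optional file argument so they can be exercised on constructed input instead of the live kernel interfaces.<br />

```sh
#!/bin/sh
# Added example, not from the wiki page: report whether AppArmor is enabled in
# the running kernel and whether securityfs is mounted, the two prerequisites
# the sections above set up. Each function takes an optional path so it can be
# tested on constructed files; without arguments it reads the live interfaces.

# Print one of: enabled, disabled, not-in-kernel, unknown.
apparmor_state() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    if [ ! -e "$f" ]; then
        echo not-in-kernel          # as the text says: no such file = module not in kernel
        return 0
    fi
    case "$(cat "$f")" in
        Y) echo enabled ;;
        N) echo disabled ;;
        *) echo unknown ;;          # unexpected content: do not treat as enabled
    esac
}

# Return 0 if a securityfs mount on /sys/kernel/security is listed in the
# mount table (default /proc/mounts; same field layout as the fstab line above).
securityfs_mounted() {
    m="${1:-/proc/mounts}"
    [ -r "$m" ] && awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
                        END { exit !found }' "$m"
}

# Combine both checks into a one-line status; return 0 only when a profile
# loader could proceed.
apparmor_ready() {
    st=$(apparmor_state "$1")
    if securityfs_mounted "$2"; then fs=mounted; else fs="not mounted"; fi
    if [ "$st" = enabled ] && [ "$fs" = mounted ]; then
        echo "ready: AppArmor enabled and securityfs mounted"
        return 0
    fi
    echo "not ready: apparmor=$st, securityfs $fs"
    return 1
}

# Usage: sh apparmor_ready.sh --live    (checks the running system)
if [ "$1" = --live ]; then
    apparmor_ready
fi
```

Run with --live on the booted system; "not ready" with apparmor=disabled means the apparmor=1 security=apparmor parameters did not take effect, while "securityfs not mounted" points at the fstab line above.<br />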
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup:<br />
http://aur.pastebin.com/beQ4BjGX<br />
Slackware's rc.d file might be a better starting point than Ubuntu's init.d version:<br />
http://sprunge.us/IbeJ<br />
<br />
==== For developers ====<br />
<br />
From /lib/apparmor/rc.apparmor.functions:<br />
<br />
# NOTE: rc.apparmor initscripts that source this file need to implement<br />
# the following set of functions:<br />
# aa_action<br />
# aa_log_action_start<br />
# aa_log_action_end<br />
# aa_log_success_msg<br />
# aa_log_warning_msg<br />
# aa_log_failure_msg<br />
# aa_log_skipped_msg<br />
# aa_log_daemon_msg<br />
# aa_log_end_msg<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1.<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it into D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120652AppArmor2010-11-05T02:40:16Z<p>Harvie: /* Init scripts */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are still untested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
=== aur/apparmor package ===<br />
Many features have already been added:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But the following features are still missing (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* chase missing dependencies<br />
* test everything<br />
* make list of files that should go to backup=() arrays in packages...<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
** make some package with profiles for all [core] packages enabled by default without need for any further user configuration<br />
** etc...<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We do not have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
* KNOW-HOW<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://help.ubuntu.com/community/AppArmor<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/maverick/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/maverick/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the Arch Linux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
However, the integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches that can be applied on top of the 2.6.36 kernel to reintroduce these interfaces, but they do not currently build against the Arch Linux kernel.<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
To test or enforce AppArmor profiles, AppArmor must be enabled at boot time. To do this, add apparmor=1 security=apparmor to the kernel boot parameters in /boot/grub/menu.lst, so that the entry for the Arch Linux kernel looks something like this:<br />
<br />
# (0) Arch Linux<br />
title Arch Linux [/boot/vmlinuz26]<br />
root (hd0,1)<br />
kernel /boot/vmlinuz26 root=/dev/sdaX resume=/dev/sdaY ro '''apparmor=1 security=apparmor'''<br />
initrd /boot/kernel26.img<br />
<br />
Once you are happy with all your profiles, you may wish to force users to boot with AppArmor enabled. To do this, add a password entry to the start of /boot/grub/menu.lst. This prevents users from editing any boot entries or using the GRUB shell (which permits read access to any file on the system, such as /etc/shadow) before booting. You can also password-protect any insecure entries in /boot/grub/menu.lst that you do not want unauthorized users to boot by adding the lock command (or another password) immediately below the title line for that entry. See [[Grub#Password_protection]] or [http://www.gnu.org/software/grub/manual/legacy/Security.html#Security Security in the Grub Manual] for more details. If you are going to the trouble of securing GRUB, do not forget to secure your BIOS settings as well, or users will be able to boot from their own CDs and USB sticks and gain root access to the machine.<br />
<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can check whether AppArmor is really enabled with this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
See https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces for the kernel interfaces. Add the following line to /etc/fstab so that securityfs is mounted at boot:<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup:<br />
http://aur.pastebin.com/beQ4BjGX<br />
Slackware's rc.d file might be a better starting point than Ubuntu's init.d version:<br />
http://sprunge.us/IbeJ<br />
<br />
==== For developers ====<br />
<br />
From /lib/apparmor/rc.apparmor.functions:<br />
<br />
# NOTE: rc.apparmor initscripts that source this file need to implement<br />
# the following set of functions:<br />
# aa_action<br />
# aa_log_action_start<br />
# aa_log_action_end<br />
# aa_log_success_msg<br />
# aa_log_warning_msg<br />
# aa_log_failure_msg<br />
# aa_log_skipped_msg<br />
# aa_log_daemon_msg<br />
# aa_log_end_msg<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1.<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it into D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120651AppArmor2010-11-05T01:52:09Z<p>Harvie: TODO update</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are still untested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
=== aur/apparmor package ===<br />
Many features have already been added:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But the following features are still missing (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* chase missing dependencies<br />
* test everything<br />
* make list of files that should go to backup=() arrays in packages...<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
** make some package with profiles for all [core] packages enabled by default without need for any further user configuration<br />
** etc...<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We do not have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
* KNOW-HOW<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://help.ubuntu.com/community/AppArmor<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/maverick/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/maverick/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the Arch Linux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
However, the integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches that can be applied on top of the 2.6.36 kernel to reintroduce these interfaces, but they do not currently build against the Arch Linux kernel.<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
To test or enforce AppArmor profiles, AppArmor must be enabled at boot time. To do this, add apparmor=1 security=apparmor to the kernel boot parameters in /boot/grub/menu.lst, so that the entry for the Arch Linux kernel looks something like this:<br />
<br />
# (0) Arch Linux<br />
title Arch Linux [/boot/vmlinuz26]<br />
root (hd0,1)<br />
kernel /boot/vmlinuz26 root=/dev/sdaX resume=/dev/sdaY ro '''apparmor=1 security=apparmor'''<br />
initrd /boot/kernel26.img<br />
<br />
Once you are happy with all your profiles, you may wish to force users to boot with AppArmor enabled. To do this, add a password entry to the start of /boot/grub/menu.lst. This prevents users from editing any boot entries or using the GRUB shell (which permits read access to any file on the system, such as /etc/shadow) before booting. You can also password-protect any insecure entries in /boot/grub/menu.lst that you do not want unauthorized users to boot by adding the lock command (or another password) immediately below the title line for that entry. See [[Grub#Password_protection]] or [http://www.gnu.org/software/grub/manual/legacy/Security.html#Security Security in the Grub Manual] for more details. If you are going to the trouble of securing GRUB, do not forget to secure your BIOS settings as well, or users will be able to boot from their own CDs and USB sticks and gain root access to the machine.<br />
<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can check whether AppArmor is really enabled with this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
See https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces for the kernel interfaces. Add the following line to /etc/fstab so that securityfs is mounted at boot:<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup:<br />
http://aur.pastebin.com/beQ4BjGX<br />
Slackware's rc.d file might be a better starting point than Ubuntu's init.d version:<br />
http://sprunge.us/IbeJ<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1.<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it into D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120310AppArmor2010-10-30T16:54:39Z<p>Harvie: /* When compared to Ubuntu */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out-of-the-box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But we still miss the following features (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* chase missing dependencies<br />
* test everything<br />
* make list of files that should go to backup=() arrays in packages...<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
* Split-package (Can't do this in AUR. Right now it's all-in-one package.)<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We don't have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
* KNOW-HOW<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://help.ubuntu.com/community/AppArmor<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
However, integration of AppArmor into the 2.6.36 kernel is not quite complete. It is missing network mediation and some of the interfaces for introspection. See [https://apparmor.wiki.kernel.org/index.php/Apparmor/upstream_release_notes here] for details. There are compatibility patches that can be applied on top of the 2.6.36 kernel to reintroduce these interfaces, but they do not currently build against the Arch Linux kernel.<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor in the kernel and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup. A draft:<br />
http://aur.pastebin.com/beQ4BjGX<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or a similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120280AppArmor2010-10-30T03:14:16Z<p>Harvie: /* Links */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out-of-the-box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But we still miss the following features (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* chase missing dependencies<br />
* test everything<br />
* make list of files that should go to backup=() arrays in packages...<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
* Split-package (Can't do this in AUR. Right now it's all-in-one package.)<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We don't have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://help.ubuntu.com/community/AppArmor<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor in the kernel and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup. A draft:<br />
http://aur.pastebin.com/beQ4BjGX<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or a similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120278AppArmor2010-10-30T03:09:10Z<p>Harvie: /* Implementation Status */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out-of-the-box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But we still miss the following features (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* chase missing dependencies<br />
* test everything<br />
* make list of files that should go to backup=() arrays in packages...<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
* Split-package (Can't do this in AUR. Right now it's all-in-one package.)<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We don't have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor in the kernel and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup. A draft:<br />
http://aur.pastebin.com/beQ4BjGX<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or a similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120276AppArmor2010-10-30T03:02:01Z<p>Harvie: init script draft</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out-of-the-box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But we still miss the following features (TODO):<br />
* init (rc.d) scripts! http://aur.pastebin.com/beQ4BjGX<br />
* test for missing dependencies<br />
* changehat modules for PAM(!), Apache and Tomcat (btw those are dependent on libapparmor)<br />
* out-of-box-experience know-how<br />
* Split-package (Can't do this in AUR. Right now it's all-in-one package.)<br />
* apparmor gnome applet (can't build, deprecated...)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We don't have:<br />
* /etc/init.d/apparmor http://aur.pastebin.com/beQ4BjGX<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor in the kernel and '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After a reboot you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup. A draft:<br />
http://aur.pastebin.com/beQ4BjGX<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or a similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120273AppArmor2010-10-30T02:08:21Z<p>Harvie: /* Links */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But the following features are still missing (TODO):<br />
* init (rc.d) scripts!<br />
* changehat modules for PAM (!), Apache and Tomcat (these depend on libapparmor)<br />
* out-of-the-box-experience know-how<br />
* split package (cannot be done in the AUR; right now it is an all-in-one package)<br />
* AppArmor GNOME applet (cannot build; deprecated)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We do not have:<br />
* /etc/init.d/apparmor<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* https://apparmor.wiki.kernel.org/index.php/Distro_CentOS<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel which enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot and '''it will not affect the system''' at all until you enable it, load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After rebooting you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup.<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications which either access the Internet or listen for IP connections (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120269AppArmor2010-10-30T01:26:47Z<p>Harvie: /* aur/apparmor package */</p>
<hr />
<div>{{stub}}[[Category:Security (English)]][[Category:Kernel (English)]][[Category:Networking (English)]][[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But the following features are still missing (TODO):<br />
* init (rc.d) scripts!<br />
* changehat modules for PAM (!), Apache and Tomcat (these depend on libapparmor)<br />
* out-of-the-box-experience know-how<br />
* split package (cannot be done in the AUR; right now it is an all-in-one package)<br />
* AppArmor GNOME applet (cannot build; deprecated)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We do not have:<br />
* /etc/init.d/apparmor<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel which enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot and '''it will not affect the system''' at all until you enable it, load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After rebooting you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup.<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications which either access the Internet or listen for IP connections (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120268AppArmor2010-10-30T01:25:10Z<p>Harvie: /* Implementation Status */</p>
<hr />
<div>{{stub}}[[Category:Security (English)]][[Category:Kernel (English)]][[Category:Networking (English)]][[Category:HOWTOs (English)]]<br />
[[Wikipedia:AppArmor|AppArmor]] is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the [[AUR]], but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
=== aur/apparmor package ===<br />
The package adds a lot of features:<br />
* apparmor-parser<br />
* libapparmor<br />
* apparmor-utils<br />
* apparmor-profiles<br />
* apparmor-notify<br />
* apparmor-lib<br />
* apparmor-perl<br />
* apparmor-python<br />
* apparmor-ruby<br />
* apparmor-dbus<br />
* apparmor-profile-editor<br />
<br />
But the following features are still missing:<br />
* init (rc.d) scripts!<br />
* changehat modules for PAM (!), Apache and Tomcat (these depend on libapparmor)<br />
* out-of-the-box-experience know-how<br />
* AppArmor GNOME applet (cannot build; deprecated)<br />
<br />
==== When compared to Ubuntu ====<br />
We have almost everything that is in the following Ubuntu packages:<br />
* apparmor<br />
* apparmor-profiles<br />
* apparmor-utils<br />
* apparmor-notify<br />
* apparmor-docs<br />
* libapparmor1<br />
* libapparmor-dev<br />
* libapparmor-perl<br />
<br />
We do not have:<br />
* /etc/init.d/apparmor<br />
* packages: libapache2-mod-apparmor libpam-apparmor<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel which enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot and '''it will not affect the system''' at all until you enable it, load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After rebooting you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup.<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from [[AUR]].<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications which either access the Internet or listen for IP connections (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120257AppArmor2010-10-29T22:25:54Z<p>Harvie: /* Links */</p>
<hr />
<div>{{stub}}[[Category:Security (English)]][[Category:Kernel (English)]][[Category:Networking (English)]][[Category:HOWTOs (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the AUR, but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* http://ubuntuforums.org/showthread.php?t=1008906 (Very good tutorial on HOWTO make profiles and configure AppArmor)<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel which enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot and '''it will not affect the system''' at all until you enable it, load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After rebooting you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup.<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from AUR.<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications which either access the Internet or listen for IP connections (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120256AppArmor2010-10-29T20:46:22Z<p>Harvie: See also SELinux</p>
<hr />
<div>{{stub}}[[Category:Security (English)]][[Category:Kernel (English)]][[Category:Networking (English)]][[Category:HOWTOs (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system, implemented upon LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the AUR, but the user-space tools are not yet tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]; has AppArmor support)<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the configuration of the Arch Linux kernel which enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot and '''it will not affect the system''' at all until you enable it, load profiles and set them to enforce mode with the userspace tools. So you do not have to be afraid to enable AA for testing purposes, as long as you are not yet enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After rebooting you can test whether AppArmor is really enabled by running this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you will not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future we will implement /etc/rc.d/ scripts that enable AppArmor and load profiles during startup.<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install userspace tools from AUR.<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications which either access the Internet or listen for IP connections (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot spawn shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[SELinux]]<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=SELinux&diff=120255SELinux2010-10-29T20:46:07Z<p>Harvie: See Also</p>
<hr />
<div>[[Category:Security (English)]][[Category:Kernel (English)]][[Category:Networking (English)]][[Category:HOWTOs (English)]]<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD. Its architecture strives to streamline the volume of software charged with security policy enforcement, which is closely aligned with the Trusted Computer System Evaluation Criteria (TCSEC, referred to as Orange Book) requirement for trusted computing base (TCB) minimization (applicable to evaluation classes B3 and A1) but is quite unrelated to the least privilege requirement (B2, B3, A1) as is often claimed. The germinal concepts underlying SELinux can be traced to several earlier projects by the U.S. National Security Agency (NSA). [1]<br />
<br />
Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some common Linux programs will also need to be patched and compiled with SELinux support.<br />
<br />
==Prerequisites==<br />
<br />
Only the ext2, ext3, ext4, JFS and XFS filesystems are supported for use with SELinux.<br />
<br />
{{Note| This is probably not needed anymore:}}<br />
<br />
XFS users should use 512-byte inodes (the default is 256). SELinux uses extended attributes to store security labels on files. XFS stores these in the inode; if the inode is too small, an extra block has to be allocated, which wastes a lot of space and incurs performance penalties.<br />
<br />
# mkfs.xfs -i size=512 /dev/sda1 (for example)<br />
<br />
==Installing needed packages==<br />
<br />
You should install at least ''kernel26-selinux'', ''selinux-pam'', ''selinux-usr-policycoreutils'' and ''selinux-refpolicy-src'' from the [[AUR]]. Installing all SELinux connected packages is recommended.<br />
<br />
When installing from [[AUR]], you can use an [[AUR helper]] or download tarballs from AUR manually and build with makepkg. Especially when installing for the first time, take extreme caution when replacing the pam and coreutils packages, as they are vital to your system. Having the Arch Linux liveCD or liveUSB ready to use is strongly encouraged.<br />
<br />
{{Warning| Do '''not''' remove pam via sudo: PAM is what takes care of authentication, and sudo stops working once it is removed. Instead, first ''su'' to root and then run ''pacman -Rd pam'' followed by ''pacman -U selinux-pam''. Running ''pacman -Rd coreutils'' and ''pacman -U selinux-coreutils'' may also cause you trouble, so the safest way is probably to install the selinux packages from a liveCD chroot into your system.}}<br />
<br />
{{Warning| Do '''not''' install the ''selinux-sysvinit'' package until everything is set up, as you may end up with an unbootable system. Alternatively, do not reboot until you have everything set up.}}<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group. Group ''selinux-system-utilities'' is used for modified packages from [core] repository. Group ''selinux-userspace'' contains packages from SELinux Userspace project. Security policies belong to ''selinux-policies'' group. Other packages are in ''selinux-extras'' group.<br />
<br />
====SELinux aware system utils====<br />
<br />
;{{Package AUR|kernel26-selinux}}<br />
:SELinux-enabled kernel (replaces ''selinux-kernel26''). Compiling custom modules such as VirtualBox works.<br />
<br />
;{{Package AUR|selinux-coreutils}}<br />
:Modified coreutils package compiled with SELinux support enabled.<br />
<br />
;{{Package AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The current flex has a bug that causes the checkmodule command to fail.<br />
<br />
;{{Package AUR|selinux-pam}}<br />
:PAM package with pam_selinux.so.<br />
<br />
;{{Package AUR|selinux-sysvinit}}<br />
:Sysvinit which loads the policy at startup. Be careful: it fails if the SELinux policy cannot be loaded!<br />
<br />
;{{Package AUR|selinux-util-linux-ng}}<br />
:Modified util-linux-ng package compiled with SELinux support enabled.<br />
<br />
;{{Package AUR|selinux-udev}}<br />
:Modified udev package compiled with SELinux support enabled for labeling of files in /dev to work correctly.<br />
<br />
;{{Package AUR|selinux-findutils}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible.<br />
<br />
;{{Package AUR|selinux-sudo}}<br />
:Modified sudo package compiled with SELinux support which sets security context correctly.<br />
<br />
;{{Package AUR|selinux-procps}}<br />
:Procps package with SELinux patch based on some Fedora patches.<br />
<br />
;{{Package AUR|selinux-psmisc}}<br />
:Psmisc package compiled with SELinux support; adds e.g. -Z option to killall.<br />
<br />
;{{Package AUR|selinux-shadow}}<br />
:Shadow package compiled with SELinux support; contains modified /etc/pam.d/login file to set correct security context for user after login.<br />
<br />
;{{Package AUR|selinux-cronie}}<br />
:Fedora fork of Vixie cron with SELinux enabled.<br />
<br />
;{{Package AUR|selinux-logrotate}}<br />
:Logrotate package compiled with SELinux support.<br />
<br />
;{{Package AUR|selinux-openssh}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions.<br />
<br />
====SELinux userspace====<br />
;{{Package AUR|selinux-usr-checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{Package AUR|selinux-usr-libselinux}}<br />
:Library for security-aware applications. The Python bindings needed for ''semanage'' and ''setools'' are now included.<br />
<br />
;{{Package AUR|selinux-usr-libsemanage}}<br />
:Library for policy management. The Python bindings needed for ''semanage'' and ''setools'' are now included.<br />
<br />
;{{Package AUR|selinux-usr-libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{Package AUR|selinux-usr-policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{Package AUR|selinux-usr-sepolgen}}<br />
:A python library for parsing and modifying policy source.<br />
<br />
====SELinux policy====<br />
<br />
;{{Package AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
====Other SELinux tools====<br />
<br />
;{{Package AUR|selinux-setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
==Configuration==<br />
<br />
After the installation of needed packages, you have to set up a few things so that SELinux can be used.<br />
<br />
===Changing boot loader configuration===<br />
<br />
You have to manually change GRUB's /boot/grub/menu.lst so that the custom kernel is booted, e.g.:<br />
<br />
# (1) Arch Linux<br />
title Arch Linux (SELinux)<br />
root (hd0,4)<br />
kernel /boot/vmlinuz26-selinux root=/dev/sda5 ro vga=775<br />
initrd /boot/kernel26-selinux.img<br />
<br />
===Mounting selinuxfs===<br />
<br />
Add the following to /etc/fstab:<br />
<br />
none /selinux selinuxfs noauto 0 0<br />
<br />
Don't forget to create the mountpoint:<br />
<br />
mkdir /selinux<br />
<br />
===Main SELinux configuration file===<br />
The main SELinux configuration file (/etc/selinux/config) is part of the {{Package AUR|selinux-refpolicy}} package, currently in the AUR. Its default contents are as follows:<br />
<br />
# This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# permissive - SELinux prints warnings <br />
# instead of enforcing.<br />
# disabled - No SELinux policy is loaded.<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Default policy for Arch Linux is:<br />
# refpolicy<br />
SELINUXTYPE=refpolicy<br />
<br />
{{Note|<nowiki>Option SELINUX=permissive is suitable only for testing. It gives no security. When everything is set up and working, you should change it to SELINUX=enforcing. Option SELINUXTYPE=refpolicy specifies the name of used policy. Change it if you choose another name for your policy. If you plan to compile policy from source, you have to create the file yourself.</nowiki>}}<br />
<br />
===Set up PAM===<br />
<br />
A correctly set-up PAM is important to get a proper security context after login. If you installed {{Package AUR|selinux-shadow}} from the AUR, the following lines should be in ''/etc/pam.d/login'':<br />
<br />
# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close<br />
# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open<br />
<br />
If not, add them to the file. The same applies to logging in via SSH, in ''/etc/pam.d/sshd'', which is part of the {{Package AUR|selinux-openssh}} package.<br />
<br />
If you want to use SELinux with a GUI, add the above-mentioned lines to other files such as ''/etc/pam.d/kde'' or ''/etc/pam.d/kde-np'', depending on your login manager.<br />
<br />
{{Note|Running SELinux with GUI applications in Arch Linux is not well supported at the moment.}}<br />
<br />
==Reference policy==<br />
<br />
There are currently two possible ways of installing reference policy: From a precompiled package ({{Package AUR|selinux-refpolicy}}) or from a source package ({{Package AUR|selinux-refpolicy-src}}).<br />
<br />
{{Note| It is possible to have both the source and the binary package installed. If you plan to build from source in that case, you should probably change the name of the policy in build.conf to avoid overwriting the selinux-refpolicy package's files.}}<br />
<br />
===Installing a precompiled refpolicy===<br />
<br />
Install {{Package AUR|selinux-refpolicy}} from the AUR. This is a modular, otherwise vanilla refpolicy. This package includes the policy headers (so you can compile your own modules), the policy documentation and an install script which loads the policy for you and relabels your filesystem (which will likely take some time). It does not include the sources, though.<br />
<br />
This package also includes the main SELinux configuration file (/etc/selinux/config) defaulting to refpolicy and permissive SELinux enforcement for testing purposes.<br />
<br />
You should verify that the policy was loaded correctly, that is, that the file /etc/selinux/refpolicy/policy/policy.24 has a non-zero size. If so, and if you have installed {{Package AUR|selinux-sysvinit}} and the other needed packages, you are ready to reboot and make sure that everything works.<br />
<br />
If the policy was not loaded correctly, you can load it as root with the following command, run inside the /usr/share/selinux/refpolicy directory:<br />
<br />
/bin/ls *.pp | /bin/grep -Ev "base.pp|enableaudit.pp" | /usr/bin/xargs /usr/sbin/semodule -s refpolicy -b base.pp -i<br />
<br />
To manually relabel your filesystem, run as root:<br />
<br />
/sbin/restorecon -r /<br />
<br />
===Installing refpolicy from a source package===<br />
<br />
Install {{Package AUR|selinux-refpolicy-src}} from AUR. Edit the file /etc/selinux/refpolicy/src/policy/build.conf to your liking. <br />
<br />
{{Note|The build configuration file build.conf is overwritten on every selinux-refpolicy-src package upgrade, so back up your configuration.}}<br />
<br />
To build, install and load the policy from source, do the following. (For other possibilities consult the README file located in /etc/selinux/refpolicy/src/policy/.)<br />
<br />
cd /etc/selinux/refpolicy/src/policy<br />
make bare<br />
make conf <br />
make load<br />
<br />
Copy or link the compiled binary policy to /etc/policy.bin so that sysvinit can find it, then install selinux-sysvinit:<br />
<br />
ln -s /etc/selinux/refpolicy/policy/policy.21 /etc/policy.bin<br />
<br />
At this point the files do not have any context yet, so you should relabel the whole filesystem, which will take a while:<br />
<br />
make relabel<br />
<br />
Create the main SELinux configuration file (/etc/selinux/config) according to the example in the related section above.<br />
<br />
Now you are ready to reboot and make sure that everything works.<br />
<br />
==Post-installation steps==<br />
<br />
You can check that SELinux is working with ''sestatus''. You should get something like:<br />
<br />
SELinux status: enabled<br />
SELinuxfs mount: /selinux<br />
Current mode: permissive<br />
Mode from config file: enforcing<br />
Policy version: 24<br />
Policy from config file: refpolicy<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
touch /etc/rc.d/restorecond<br />
chmod ugo+x /etc/rc.d/restorecond<br />
<br />
This script should contain:<br />
<br />
#!/bin/sh<br />
restorecond<br />
<br />
{{Note|Don't forget to add restorecond into your daemons array in /etc/rc.conf}}<br />
<br />
To switch to enforcing mode without reboot, you can use:<br />
<br />
echo 1 >/selinux/enforce<br />
<br />
{{Note|<nowiki>If setting SELINUX=enforcing in /etc/selinux/config does not work for you, create /etc/rc.d/selinux-enforce containing the preceding command, similarly to the restorecond daemon.</nowiki>}}<br />
<br />
<br />
<br />
==Useful tools==<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
*'''restorecon''': Restores the context of a file or directory (or recursively with -R) based on the policy's file context rules<br />
*'''rlpkg''': Relabels any files belonging to a given Gentoo package to their proper security context (if they have one)<br />
*'''chcon''': Changes the context of a specific file<br />
*'''audit2allow''': Reads log messages from the AVC log and tells you which rules would fix the denial. Do not just add these rules without looking at them, though: they cannot detect errors elsewhere (i.e. the application running in the wrong context in the first place), and sometimes things generate denial messages yet keep working, in which case it is better to add a dontaudit rule to simply ignore the access attempts.<br />
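As an added example (not code from the wiki page), the following Python script applies the audit2allow caveat above: it merges AVC denials into candidate allow rules, but separately flags denials whose source domain is a generic one such as initrc_t, where an allow rule would only paper over a process running in the wrong context. The AVC log lines are constructed samples and the GENERIC_DOMAINS set is an assumption for this example.<br />

```python
"""Triage SELinux AVC denials before feeding them to audit2allow (added example)."""
import re
from collections import defaultdict

# Constructed sample audit records: two httpd denials on a home directory
# file, one denial from a daemon that is (wrongly) running in initrc_t, and
# one SYSCALL record that the parser must ignore.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1288382767.101:201): avc:  denied  { read } for  pid=1832 comm="httpd" name="index.html" dev=sda5 ino=40311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1288382767.102:202): avc:  denied  { getattr } for  pid=1832 comm="httpd" path="/home/alice/public_html/index.html" dev=sda5 ino=40311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1288382790.555:203): avc:  denied  { write } for  pid=2210 comm="restorecond" name="restorecond.log" dev=sda5 ino=51234 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1288382767.101:201): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the permission set, source/target contexts and object class of a
# kernel AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption for this example: a confined service should never be running
# in one of these domains; a denial from them usually means the daemon was
# started without the proper domain transition, so the right fix is to
# correct the context (restorecon, the init script), not to add an allow rule.
GENERIC_DOMAINS = {"initrc_t", "unconfined_t", "kernel_t"}


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Yield one dict per AVC denial in the log; non-AVC records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        }


def suggest_rules(log_text):
    """Merge denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for d in parse_avc(log_text):
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def suspicious_denials(log_text):
    """Return sorted (source, target, class) triples whose source is a generic domain."""
    return sorted({
        (d["source"], d["target"], d["tclass"])
        for d in parse_avc(log_text)
        if d["source"] in GENERIC_DOMAINS
    })


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AVC_LOG):
        print(rule)
    for src, tgt, cls in suspicious_denials(SAMPLE_AVC_LOG):
        print(f"# review before allowing: {src} -> {tgt}:{cls} (process likely in the wrong domain)")
```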
<br />
==References==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
<br />
== See also ==<br />
* [[AppArmor]] (similar to SELinux, much easier to configure, but not as complex)<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120171AppArmor2010-10-28T15:09:09Z<p>Harvie: Kernel interfaces</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the AUR, but the user-space tools have not yet been tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces<br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the Arch Linux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor and '''it will not affect the system''' at all until you actually load profiles and set them to enforce mode with the userspace tools. So you need not be afraid of enabling AA for testing purposes, as long as you are not enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
After reboot you can test if apparmor is really enabled using this command as root:<br />
# cat /sys/module/apparmor/parameters/enabled <br />
Y<br />
(Y=enabled, N=disabled, no such file = module not in kernel)<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
<br />
== System Configuration ==<br />
=== Mounts (/etc/fstab securityfs) ===<br />
See https://apparmor.wiki.kernel.org/index.php/Kernel_interfaces. Add the following to /etc/fstab:<br />
securityfs /sys/kernel/security securityfs defaults 0 0<br />
<br />
=== Init scripts ===<br />
In the future, /etc/rc.d/ scripts that enable AppArmor and load profiles during startup will be implemented.<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install the userspace tools from the AUR.<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently somewhat more difficult to configure properly. Another framework, [[Tomoyo]], exists, but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen on IP sockets (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores and so on.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120169AppArmor2010-10-28T15:00:56Z<p>Harvie: /* Implementation Status */</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel and in the AUR, but the user-space tools have not yet been tested:<br />
* http://aur.archlinux.org/packages.php?ID=42279<br />
* https://bugs.archlinux.org/task/21406<br />
<br />
It will take some time to make everything work out of the box.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the Arch Linux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor and '''it will not affect the system''' at all until you actually load profiles and set them to enforce mode with the userspace tools. So you need not be afraid of enabling AA for testing purposes, as long as you are not enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install the userspace tools from the AUR.<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently somewhat more difficult to configure properly. Another framework, [[Tomoyo]], exists, but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen on IP sockets (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores and so on.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120168AppArmor2010-10-28T14:59:30Z<p>Harvie: /* UserSpace Tools */</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel, but the user-space tools have not yet been tested:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially the AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
Here is the Arch Linux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor and '''it will not affect the system''' at all until you actually load profiles and set them to enforce mode with the userspace tools. So you need not be afraid of enabling AA for testing purposes, as long as you are not enforcing AA profiles from init scripts (on each startup).<br />
<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== UserSpace Tools ==<br />
=== Users ===<br />
You can currently install the userspace tools from the AUR.<br />
<br />
=== Maintainers ===<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently somewhat more difficult to configure properly. Another framework, [[Tomoyo]], exists, but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
With it you can very easily create profiles for applications that either access the Internet or listen on IP sockets (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Take a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers: think SSH keys, password stores and so on.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120167AppArmor2010-10-28T14:58:14Z<p>Harvie: /* AppArmor Packages */</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel, but the user-space tools have not been tested yet:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially the AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
* aur/[http://aur.archlinux.org/packages.php?ID=42279 apparmor]<br />
<br />
== Kernel Configuration ==<br />
This is the Arch Linux kernel configuration that enables AppArmor (for information only, you do not need to change it). CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 is the reason AppArmor stays off unless it is switched on from the kernel command line:<br />
 CONFIG_SECURITY_APPARMOR=y<br />
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot: '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So there is no need to be afraid of enabling AA for testing purposes until you start enforcing AA profiles from the init scripts (on each startup).<br />
<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
== UserSpace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g.: kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers; think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, you run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox may only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
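The syslog messages mentioned above, as an added example that is not part of this wiki page: a small Python script that triages AppArmor audit lines from the syslog, keeping only DENIED events (enforce mode), skipping complain-mode ALLOWED and profile-load STATUS lines, and flagging denials that touched sensitive paths such as SSH keys. It assumes the kernel's key="value" AppArmor audit line format; the sample log lines and the sensitive-path list are constructed for the example.<br />

```python
"""Triage AppArmor policy-violation messages from the syslog.

Added example, not part of the Arch wiki page.  It assumes the kernel's
AppArmor audit line format (key="value" pairs following apparmor="..."),
and the sample lines below are constructed, not captured from a real host.
"""
import re
from collections import Counter

# key="quoted value" or key=bare_value, as the kernel audit messages print them
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Paths whose exposure matters most if a confined program is hijacked
# (assumption: tune this list for your own hosts).
SENSITIVE_MARKERS = ("/.ssh/", "/.gnupg/", "/etc/shadow", "/.password-store/")


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None when
    the line is not an AppArmor message at all (e.g. an sshd line)."""
    start = line.find("apparmor=")
    if start < 0:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line[start:]):
        fields[key] = quoted if quoted != "" else bare
    return fields


def is_sensitive(path):
    return any(marker in path for marker in SENSITIVE_MARKERS)


def denied_events(lines):
    """Yield parsed DENIED events only: ALLOWED lines (complain mode) and
    STATUS lines (profile loads) are informational, not violations."""
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            yield ev


def summarize(lines):
    """Count denials per (profile, operation) and list the sensitive paths a
    confined program tried to reach.  Returns (counter, sensitive_hits)."""
    counter = Counter()
    sensitive_hits = []
    for ev in denied_events(lines):
        counter[(ev.get("profile", "?"), ev.get("operation", "?"))] += 1
        name = ev.get("name", "")
        if is_sensitive(name):
            sensitive_hits.append((ev.get("profile", "?"), name, ev.get("denied_mask", "")))
    return counter, sensitive_hits


# Constructed sample syslog lines (not from a real machine): a profile load,
# two denials for a Firefox profile, a complain-mode ALLOWED line for tcpdump
# and one unrelated sshd line.
SAMPLE_LOG = """\
Oct 28 14:30:51 arch kernel: [ 101.0] type=1400 audit(1288276251.123:40): apparmor="STATUS" operation="profile_load" name="/usr/lib/firefox/firefox" pid=900 comm="apparmor_parser"
Oct 28 14:31:02 arch kernel: [ 112.0] type=1400 audit(1288276262.001:41): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.ssh/id_rsa" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Oct 28 14:31:03 arch kernel: [ 113.0] type=1400 audit(1288276263.002:42): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox" name="/bin/sh" pid=1235 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Oct 28 14:31:04 arch kernel: [ 114.0] type=1400 audit(1288276264.003:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/hosts" pid=1300 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 28 14:31:05 arch sshd[1400]: Accepted publickey for user from 10.0.0.5 port 50000 ssh2
""".splitlines()


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    for (profile, op), n in sorted(counts.items()):
        print(f"{n:3d}  {profile}  {op}")
    for profile, path, mask in hits:
        print(f"sensitive: {profile} was denied {mask!r} on {path}")
```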
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120166AppArmor2010-10-28T14:30:51Z<p>Harvie: /* Enable */</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel, but the user-space tools have not been tested yet:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially the AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
This is the Arch Linux kernel configuration that enables AppArmor (for information only, you do not need to change it). CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 is the reason AppArmor stays off unless it is switched on from the kernel command line:<br />
 CONFIG_SECURITY_APPARMOR=y<br />
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot: '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So there is no need to be afraid of enabling AA for testing purposes until you start enforcing AA profiles from the init scripts (on each startup).<br />
<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=1 security=apparmor'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
== UserSpace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g.: kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers; think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, you run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox may only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=DNSSEC&diff=120164DNSSEC2010-10-28T14:14:35Z<p>Harvie: /* See Also */ page moved</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]][[Category:Cryptography (English)]]<br />
<br />
<br />
== Facts ==<br />
* http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions<br />
* http://www.dnssec.net/<br />
** http://www.dnssec.net/practical-documents<br />
** http://www.dnssec.net/rfc<br />
* https://www.iana.org/dnssec/<br />
* https://www.dnssec-tools.org/<br />
* http://linux.die.net/man/1/sshfp<br />
* http://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux<br />
<br />
<br />
<br />
== DNSSEC Packages ==<br />
* '''dnssec-root-zone-trust-anchors''' http://aur.archlinux.org/packages.php?ID=39315<br />
** essential package; contains the root-zone trust anchor keys (the "keys to the Internet") from [https://www.iana.org/dnssec/ IANA], stored in /usr/share/dnssec-trust-anchors/<br />
** VERY important!<br />
* '''ldns''' http://aur.archlinux.org/packages.php?ID=18996<br />
** DNS(SEC) library '''libldns'''<br />
** drill tool (like dig with DNSSEC support)<br />
*** can be used for basic DNSSEC validation, e.g.:<br />
**** Should succeed ''(return 0)'':<br />
***** '''drill -TD nic.cz''' ''#valid DNSSEC key''<br />
***** '''drill -TD google.com''' ''#unsigned domain''<br />
**** Should fail ''(simulating fraudulent DNS records)'':<br />
***** '''drill -TD rhybar.cz'''<br />
***** '''drill -TD badsign-a.test.dnssec-tools.org'''<br />
**** to use the root-zone trust anchor, add the option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''<br />
* '''dnssec-tools''' http://aur.archlinux.org/packages.php?ID=39294 ''(the package is very experimental and volatile right now)''<br />
** '''Currently SEGFAULTs on successfully validated domains''' on Arch Linux... watch the bug tracker: https://www.dnssec-tools.org/trac/search?q=archlinux<br />
** https://www.dnssec-tools.org/<br />
** another good library, '''libval''', which can add DNSSEC support to lots of programs<br />
*** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications<br />
** some tools: https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components<br />
*** https://www.dnssec-tools.org/wiki/index.php/Applications<br />
** '''libval-shim''': an LD_PRELOAD library that enables DNSSEC for lots of DNSSEC-unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html<br />
** [[PERL]] API<br />
* '''openssh-dnssec''' http://aur.archlinux.org/packages.php?ID=39296<br />
** see below on this page<br />
* '''sshfp''' http://aur.archlinux.org/packages.php?ID=29185<br />
** Generates DNS SSHFP-type records from SSH public keys, taken from a known_hosts file or by scanning the host's sshd daemon.<br />
** not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC<br />
<br />
== Howto enable DNSSEC in specific software ==<br />
<br />
If you want full DNSSEC support, every single application needs to use DNSSEC validation. This can be done in several ways:<br />
* patches<br />
** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications<br />
** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Application_Development<br />
* plugins, extensions, wrappers<br />
* universal LD_PRELOAD wrapper<br />
** overriding calls to: gethostbyname(3), gethostbyaddr(3), getnameinfo(3), getaddrinfo(3), res_query(3)<br />
** libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html<br />
* DNS proxy<br />
<br />
<br />
=== [[OpenSSH]] (fixes the only weak point in the SSH design) ===<br />
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh<br />
** http://www.dnssec-tools.org/readme/README.ssh<br />
* openssh-dnssec wrapper http://aur.archlinux.org/packages.php?ID=39296<br />
** DNSSEC (ldns) wrapper for OpenSSH client.<br />
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).<br />
** usage: '''alias ssh=ssh-dnssec'''<br />
<br />
=== [[Firefox]] (secure browsing - enhancement of HTTPS) ===<br />
* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/<br />
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html<br />
** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin<br />
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox<br />
<br />
=== [[Chromium]]/<s>[[Google Chrome]]</s> (secure browsing - enhancement of HTTPS) ===<br />
* Vote for [http://code.google.com/p/chromium/issues/detail?id=50874 #50874]<br />
** No patches yet...<br />
** [http://chromium.googlecode.com/issues/attachment?aid=-8803347052009476090&name=chromium-drill-dnssec-validator.zip&token=6e3489c4e5c62bfaae02516be442d7da DNSSEC Drill extension] (EXPERIMENTAL!)<br />
*** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin<br />
<br />
=== [[Bind]] (serving signed DNS zones) ===<br />
* http://www.dnssec.net/practical-documents<br />
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''<br />
** http://www.bind9.net/manuals<br />
** http://www.bind9.net/BIND-FAQ<br />
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/<br />
<br />
=== [[Postfix]] (fight spam and frauds) ===<br />
* dnssec-tools + patch<br />
=== [[jabberd]] (fight spam and frauds) ===<br />
* dnssec-tools + patch<br />
=== [[Thunderbird]] (secure logins) ===<br />
* dnssec-tools + patch<br />
=== [[lftp]] (secure downloads and logins) ===<br />
* dnssec-tools + patch<br />
=== [[wget]] (secure downloads) ===<br />
* dnssec-tools + patch<br />
=== [[proftpd]] ===<br />
* dnssec-tools + patch<br />
=== [[Sendmail]] (fight spam and frauds) ===<br />
* dnssec-tools + patch<br />
=== [[LibSPF]] ===<br />
* dnssec-tools + patch<br />
=== [[ncftp]] (secure downloads and logins) ===<br />
* dnssec-tools + patch<br />
=== [[libpurple]] ([[pidgin]] + [[finch]] -> secure messaging) ===<br />
* no patches yet<br />
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]<br />
<br />
<br />
== DNSSEC Hardware ==<br />
You can check whether your router/modem/AP/etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (a Python and GTK+ based app). Using this tool you can also upload the gathered data to a server, so other users and manufacturers can be informed about the compatibility of their devices and eventually fix the firmware (they will probably be urged to do so). Before running the tester, please make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of the performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.<br />
<br />
== See Also ==<br />
* [[AppArmor]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=120163Apparmor2010-10-28T14:13:54Z<p>Harvie: moved to AppArmor</p>
<hr />
<div>#REDIRECT [[AppArmor]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120162AppArmor2010-10-28T14:13:22Z<p>Harvie: moved from Apparmor</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel, but the user-space tools have not been tested yet:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially the AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
This is the Arch Linux kernel configuration that enables AppArmor (for information only, you do not need to change it). CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 is the reason AppArmor stays off unless it is switched on from the kernel command line:<br />
 CONFIG_SECURITY_APPARMOR=y<br />
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot: '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So there is no need to be afraid of enabling AA for testing purposes until you start enforcing AA profiles from the init scripts (on each startup).<br />
<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
== UserSpace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g.: kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers; think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, you run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox may only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=AppArmor&diff=120161AppArmor2010-10-28T14:04:37Z<p>Harvie: redirect</p>
<hr />
<div>#REDIRECT [[Apparmor]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=120160Apparmor2010-10-28T14:02:40Z<p>Harvie: /* Links */</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel, but the user-space tools have not been tested yet:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially the AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* https://wiki.ubuntu.com/ApparmorProfileMigration<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
This is the Arch Linux kernel configuration that enables AppArmor (for information only, you do not need to change it). CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 is the reason AppArmor stays off unless it is switched on from the kernel command line:<br />
 CONFIG_SECURITY_APPARMOR=y<br />
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot: '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So there is no need to be afraid of enabling AA for testing purposes until you start enforcing AA profiles from the init scripts (on each startup).<br />
<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
== UserSpace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g.: kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little more difficult to configure properly. There is another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers; think SSH keys, password stores, etc.<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, you run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
For both of these applications, AppArmor profiles exist. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox may only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=120159Apparmor2010-10-28T13:38:20Z<p>Harvie: /* Enable */ no risks</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the Arch Linux kernel, but the user-space tools have not been tested yet:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially the AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
This is the Arch Linux kernel configuration that enables AppArmor (for information only, you do not need to change it). CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 is the reason AppArmor stays off unless it is switched on from the kernel command line:<br />
 CONFIG_SECURITY_APPARMOR=y<br />
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
Note that you can safely enable AppArmor at boot: '''it will not affect the system''' at all until you load profiles and set them to enforce mode with the userspace tools. So there is no need to be afraid of enabling AA for testing purposes until you start enforcing AA profiles from the init scripts (on each startup).<br />
<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in Arch Linux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
 # (0) Arch Linux<br />
 menuentry "Arch Linux" {<br />
 set root=(hd0,1)<br />
 linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
 initrd /kernel26.img<br />
 }<br />
<br />
== UserSpace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g.: kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little bit more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
AppArmor profiles exist for both of these applications. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
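As an added illustration of the kind of profile described above (this is example content written for this page, not a profile from the ArchWiki article or from the AppArmor project; the Firefox binary path, the profile file name and the directory names are assumptions to check against your own installation):<br />

```apparmor
# Added example profile, not from the ArchWiki page or the AppArmor project.
# Paths below are assumptions: /usr/lib/firefox/firefox is the assumed binary,
# and the file would be installed as /etc/apparmor.d/usr.lib.firefox.firefox.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>

  # Outbound network access is the whole point of a browser; allow it.
  network inet stream,
  network inet6 stream,

  # The browser's own binaries and libraries: read and memory-map only.
  /usr/lib/firefox/** mr,

  # Wildcards for system-wide resources the browser needs, read-only.
  /usr/lib/** mr,
  /usr/share/** r,
  /etc/fonts/** r,

  # Under $HOME, only the user's own profile directory and downloads.
  # "owner" restricts the rule to files owned by the user running Firefox.
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Explicitly deny, and log, attempts to read key material or spawn a shell.
  # Deny rules win over allow rules, and "audit" makes each hit show up in
  # the syslog even though a denial would be logged anyway.
  audit deny @{HOME}/.ssh/** rwkl,
  audit deny @{HOME}/.gnupg/** rwkl,
  audit deny /bin/** x,
  audit deny /usr/bin/** x,
}
```

Load it with '''apparmor_parser -r /etc/apparmor.d/usr.lib.firefox.firefox''' (the file name follows the usual convention of replacing the slashes in the binary path with dots). A profile this tight deliberately breaks anything it does not list, so the practical workflow is to start in complain mode ('''aa-complain'''), exercise the application, and let '''aa-logprof''' turn the logged denials into rules before switching to enforce mode. The '''audit deny''' lines then double as a detection signal: a browser that suddenly tries to read ~/.ssh or execute something under /usr/bin is exactly the post-exploitation behaviour the paragraph above warns about.<br />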
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=120158Apparmor2010-10-28T13:34:22Z<p>Harvie: /* Links */</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the ArchLinux kernel, but the user-space tools are still untested:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* Official pages<br />
** kernel: https://apparmor.wiki.kernel.org/<br />
** userspace: https://launchpad.net/apparmor<br />
<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
Here is the ArchLinux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in ArchLinux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== Userspace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little bit more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
AppArmor profiles exist for both of these applications. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=120157Apparmor2010-10-28T13:30:07Z<p>Harvie: compatibility of versions</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the ArchLinux kernel, but the user-space tools are still untested:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
Here is the ArchLinux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in ArchLinux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== Userspace Tools ==<br />
You need userspace tools that are compatible with your kernel version. The compatibility list can be found here: https://apparmor.wiki.kernel.org/index.php/AppArmor_versions<br />
e.g. kernel 2.6.36 is compatible with AppArmor 2.5.1<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little bit more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
AppArmor profiles exist for both of these applications. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=120156Apparmor2010-10-28T12:22:56Z<p>Harvie: AppArmor in [testing]</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently available in the ArchLinux kernel, but the user-space tools are still untested:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
* kernel26 2.6.36 (currently in [testing]) has AppArmor support<br />
<br />
== Kernel Configuration ==<br />
Here is the ArchLinux kernel configuration that enables AppArmor (just FYI, you do not need to touch it):<br />
CONFIG_SECURITY_APPARMOR=y<br />
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0<br />
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set<br />
<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in ArchLinux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little bit more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
AppArmor profiles exist for both of these applications. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=119919Apparmor2010-10-24T23:42:55Z<p>Harvie: grub2 configuration</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently not available on ArchLinux, but we are working on it:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://en.wikipedia.org/wiki/Linux_Security_Modules<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
<br />
== AppArmor Packages ==<br />
n/a<br />
<br />
== GRUB Configuration ==<br />
=== GRUB1 ===<br />
=== GRUB2 ===<br />
<br />
==== Enable ====<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''security=apparmor'''<br />
initrd /kernel26.img<br />
}<br />
<br />
==== Disable ====<br />
AppArmor is disabled by default in ArchLinux, so you do not need to disable it explicitly unless you build your own kernel with AppArmor enabled by default.<br />
# (0) Arch Linux<br />
menuentry "Arch Linux" {<br />
set root=(hd0,1)<br />
linux /vmlinuz26 root=/dev/sda1 ro '''apparmor=0 security=""'''<br />
initrd /kernel26.img<br />
}<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little bit more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
AppArmor profiles exist for both of these applications. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harviehttps://wiki.archlinux.org/index.php?title=DNSSEC&diff=119907DNSSEC2010-10-24T20:42:52Z<p>Harvie: see also</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]][[Category:Cryptography (English)]]<br />
<br />
<br />
== Facts ==<br />
* http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions<br />
* http://www.dnssec.net/<br />
** http://www.dnssec.net/practical-documents<br />
** http://www.dnssec.net/rfc<br />
* https://www.iana.org/dnssec/<br />
* https://www.dnssec-tools.org/<br />
* http://linux.die.net/man/1/sshfp<br />
* http://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux<br />
<br />
<br />
<br />
== DNSSEC Packages ==<br />
* '''dnssec-root-zone-trust-anchors''' http://aur.archlinux.org/packages.php?ID=39315<br />
** essential package; contains the root zone trust anchor keys from [https://www.iana.org/dnssec/ IANA], stored in /usr/share/dnssec-trust-anchors/<br />
** VERY important!<br />
* '''ldns''' http://aur.archlinux.org/packages.php?ID=18996<br />
** DNS(SEC) library '''libldns'''<br />
** drill tool (like dig with DNSSEC support)<br />
*** can be used for basic DNSSEC validation, e.g.:<br />
**** Should succeed ''(return 0)'':<br />
***** '''drill -TD nic.cz''' ''# valid DNSSEC key''<br />
***** '''drill -TD google.com''' ''# unsigned domain''<br />
**** Should fail ''(simulating fraudulent DNS records)'':<br />
***** '''drill -TD rhybar.cz'''<br />
***** '''drill -TD badsign-a.test.dnssec-tools.org'''<br />
**** to use the root-zone trust anchor, add the option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''<br />
* '''dnssec-tools''' http://aur.archlinux.org/packages.php?ID=39294 ''(package is very experimental and volatile right now)''<br />
** '''Currently SEGFAULTs on successfully validated domains''' on ArchLinux... watch the bug tracker: https://www.dnssec-tools.org/trac/search?q=archlinux<br />
** https://www.dnssec-tools.org/<br />
** another good library '''libval''' which can add DNSSEC support to lots of programs<br />
*** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications<br />
** some tools https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components<br />
*** https://www.dnssec-tools.org/wiki/index.php/Applications<br />
** '''libval-shim''' LD_PRELOAD library to enable DNSSEC for lots of DNSSEC unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html<br />
** [[PERL]] API<br />
* '''openssh-dnssec''' http://aur.archlinux.org/packages.php?ID=39296<br />
** see lower on this page<br />
* '''sshfp''' http://aur.archlinux.org/packages.php?ID=29185<br />
** Generates DNS SSHFP-type records from SSH public keys taken from a known_hosts file or from scanning the host's sshd daemon.<br />
** not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC<br />
<br />
== Howto enable DNSSEC in specific software ==<br />
<br />
If you want full DNSSEC support, every single application needs to use DNSSEC validation. This can be done in several ways:<br />
* patches<br />
** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications<br />
** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Application_Development<br />
* plugins, extensions, wrappers<br />
* universal LD_PRELOAD wrapper<br />
** overriding calls to: gethostbyname(3), gethostbyaddr(3), getnameinfo(3), getaddrinfo(3), res_query(3)<br />
** libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html<br />
* DNS proxy<br />
<br />
<br />
=== [[OpenSSH]] (fixes the only weak point in the SSH design) ===<br />
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh<br />
** http://www.dnssec-tools.org/readme/README.ssh<br />
* openssh-dnssec wrapper http://aur.archlinux.org/packages.php?ID=39296<br />
** DNSSEC (ldns) wrapper for OpenSSH client.<br />
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).<br />
** usage: '''alias ssh=ssh-dnssec'''<br />
<br />
=== [[Firefox]] (secure browsing: an enhancement of HTTPS) ===<br />
* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/<br />
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html<br />
** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin<br />
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox<br />
<br />
=== [[Chromium]]/<s>[[Google Chrome]]</s> (secure browsing: an enhancement of HTTPS) ===<br />
* Vote for [http://code.google.com/p/chromium/issues/detail?id=50874 #50874]<br />
** No patches yet...<br />
** [http://chromium.googlecode.com/issues/attachment?aid=-8803347052009476090&name=chromium-drill-dnssec-validator.zip&token=6e3489c4e5c62bfaae02516be442d7da DNSSEC Drill extension] (EXPERIMENTAL!)<br />
*** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin<br />
<br />
=== [[Bind]] (serving signed DNS zones) ===<br />
* http://www.dnssec.net/practical-documents<br />
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''<br />
** http://www.bind9.net/manuals<br />
** http://www.bind9.net/BIND-FAQ<br />
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/<br />
<br />
=== [[Postfix]] (fight spam and frauds) ===<br />
* dnssec-tools + patch<br />
=== [[jabberd]] (fight spam and frauds) ===<br />
* dnssec-tools + patch<br />
=== [[Thunderbird]] (secure logins) ===<br />
* dnssec-tools + patch<br />
=== [[lftp]] (secure downloads and logins) ===<br />
* dnssec-tools + patch<br />
=== [[wget]] (secure downloads) ===<br />
* dnssec-tools + patch<br />
=== [[proftpd]] ===<br />
* dnssec-tools + patch<br />
=== [[Sendmail]] (fight spam and frauds) ===<br />
* dnssec-tools + patch<br />
=== [[LibSPF]] ===<br />
* dnssec-tools + patch<br />
=== [[ncftp]] (secure downloads and logins) ===<br />
* dnssec-tools + patch<br />
=== [[libpurple]] ([[pidgin]] + [[finch]] -> secure messaging) ===<br />
* no patches yet<br />
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]<br />
<br />
<br />
== DNSSEC Hardware ==<br />
You can check whether your router/modem/AP/etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (a Python & GTK+ based app). The tool can also upload the gathered data to a server, so that other users and manufacturers can be informed about the compatibility of their devices and eventually fix the firmware (they will probably be urged to do so). Before running the tester, please make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.<br />
<br />
== See Also ==<br />
* [[Apparmor]]</div>Harviehttps://wiki.archlinux.org/index.php?title=Apparmor&diff=119906Apparmor2010-10-24T20:41:46Z<p>Harvie: fixed categories</p>
<hr />
<div>{{stub}}[[Category:Networking (English)]][[Category:Security (English)]]<br />
AppArmor is a MAC (Mandatory Access Control) system implemented on top of LSM (Linux Security Modules).<br />
<br />
== Implementation Status ==<br />
AppArmor is currently not available on ArchLinux, but we are working on it:<br />
https://bugs.archlinux.org/task/21406<br />
<br />
You can help us by adding packages (especially AA userspace tools) to the AUR.<br />
<br />
== Links ==<br />
* https://bugs.archlinux.org/task/21406<br />
* http://stuff.mit.edu/afs/sipb/contrib/linux/Documentation/apparmor.txt <br />
* http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html<br />
* http://manpages.ubuntu.com/manpages/hardy/man8/apparmor_parser.8.html<br />
* http://bodhizazen.net/aa-profiles/<br />
* http://ubuntuforums.org/showthread.php?t=1008906<br />
* http://kernel.org/pub/linux/security/apparmor/apparmor-2.6.36-patches.tgz<br />
* https://apparmor.wiki.kernel.org/index.php/Gittutorial<br />
<br />
== AppArmor Packages ==<br />
n/a<br />
<br />
== More Info ==<br />
Ubuntu, SUSE and a number of other Linux distributions use it. Red Hat uses SELinux, which is apparently a little bit more difficult to configure properly. There exists another framework called [[Tomoyo]], but it is not currently integrated with any distribution.<br />
<br />
It supplements, rather than replaces, the standard POSIX access control system.<br />
<br />
What you can do with it is very easily create profiles for applications which either access the Internet or listen via IP (e.g. servers).<br />
<br />
One may specify at quite a fine-grained level what applications may or may not do.<br />
<br />
Taking a common example: Firefox is frequently the victim of zero-day exploits. If you were to browse to a website that ran a buffer overflow or similar attack against your browser, all data accessible to Firefox would then belong to the attackers (think SSH keys, password stores, etc.).<br />
<br />
Likewise, Wireshark (tcpdump) has had decoder modules with buffer overflows before. Imagine the scenario: you suspect a server has been compromised, run a packet capture on the network, and then your own machine is compromised (tcpdump must run as root).<br />
<br />
AppArmor profiles exist for both of these applications. The configuration is stored in easy-to-read text files in /etc/apparmor.d/<application name>.<br />
<br />
You can lock down your applications using wildcards, specifying for example that Firefox can only read the ~/Downloads folder and its own profile directory, that it cannot create shell processes, etc.<br />
<br />
Every breach of policy triggers a message in the syslog; many distributions also integrate it with D-Bus so that you get real-time violation warnings popping up on your desktop.<br />
<br />
== See also ==<br />
* [[DNSSEC]]</div>Harvie