Linux-Misc Digest #697, Volume #21 Mon, 6 Sep 99 03:13:08 EDT
Contents:
Here is a HOWTO I wrote on loopback encrypted filesystems for linux. ("Ryan T. Rhea")
Re: Marx vs. Nozick (Maciej Stachowiak)
Re: Amiga, QNX, Linux and Revolution (Guy Macon)
Re: Amiga, QNX, Linux and Revolution (Jerry Leslie)
How to address email without domain name? (Bo Berglund)
Re: Amiga, QNX, Linux and Revolution (Guy Macon)
Re: Amiga, QNX, Linux and Revolution ("Robert M. Cosby")
Re: sysinfo load information (Tim Moore)
----------------------------------------------------------------------------
From: "Ryan T. Rhea" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.unix
Subject: Here is a HOWTO I wrote on loopback encrypted filesystems for linux.
Date: Mon, 06 Sep 1999 06:04:26 +0000
I have seen a lot of posts requesting information on encrypted
filesystems for linux. I wrote this HOWTO in response. This
documentation details a method for secure storage of encrypted data in a
file. The file can be mounted as a filesystem and it will transparently
encrypt all the data within. I originally wanted this to be posted on
the Linux Documentation Project's web site but I have been unable to get
any response. As a result I decided to post this to a couple of
newsgroups and hope people will find it on deja.com. The HOWTO is
attached as a generic ASCII text file.
Sincerely,
Ryan T. Rhea
[EMAIL PROTECTED]
Attachment: loopback_encrypted_filesystem_howto.txt (text/plain)
Linux Encrypted File-systems Mini-HOWTO
Copyright Ryan T. Rhea, 1999
[EMAIL PROTECTED]
This document explains how to setup and then use a filesystem
that, when mounted by a user, dynamically and transparently
encrypts its contents. The filesystem is stored in a regular
file, which can be hidden or named non-conspicuously such that it
would most likely be overlooked. This allows for a high level of
secure storage of data.
Knowledge of kernel compilation, kernel source code, and a lot of
patience are required.
NOTE: This process will only work with the `2.2.x' series
kernels, and as a minimum you will have to patch to at least
`2.2.9' before continuing. I have only tried this with the
`2.2.9' kernel and the `2.2.10' international crypto patch.
Also, I used a streamlined (small, fast) kernel that doesn't use
any modules - you can use the encryption as a module with a
modularized kernel, but you're on your own. The instructions here
should provide enough info to get you started. There are further
instructions on applying patches in the `details' section later
in this document.
Kernel source can be found at:
ftp://ftp.kerneli.org
There is a HOWTO on the process of recompiling kernels at:
http://metalab.unc.edu/LDP/HOWTO
This document may be reproduced and distributed in whole or in
part, without fee, subject to the following conditions:
- The copyright notice above and this permission notice must be
preserved complete on all complete or partial copies.
- Any translation or derived work must be approved by the author
in writing before distribution.
- If you distribute this work in part, instructions for obtaining
the complete version of this manual must be included, and a means
for obtaining a complete version provided.
- All source code in this document is placed under the GNU
General Public License, available via anonymous FTP from:
ftp://prep.ai.mit.edu/pub/gnu/COPYING
Overview
The process uses the device `/dev/loop*' (where * can be 0-7 on
most installations) to mount a loopback filesystem. The same
process can be used without encryption to store a linux
filesystem on a non-linux partition. There is a HOWTO on this at
the LDP site mentioned previously.
Different types of encryption can be used, including XOR, DES,
twofish, blowfish, cast128, serpent, mars, rc6, dfc, and idea.
The program `losetup' (loopback setup) is what associates your
encrypted file with a filesystem and its cipher type. As far as
I can tell, XOR and DES are directly built in to losetup's
functionality. The other ciphers are added at the kernel level.
You can only have one of these ciphers work at a time. This
seems strange to me, but kernels built with more than one cipher
enabled do not work with `losetup'. This document uses the
serpent algorithm because it is strong yet remarkably fast, and
it's freely distributable under the GPL. According to its
documentation, serpent uses a 128-bit block cipher designed by
Ross Anderson, Eli Biham and Lars Knudsen. It provides users
with the highest practical level of assurance that no shortcut
attacks will be found. The documentation on serpent as well as
the source code can be found at:
http://www.cl.cam.ac.uk/~rja14/serpent.html
Summary
There are many steps involved in the process. I will provide
details for these steps in the next section. I thought it would
be nice to provide a summary first to provide reference (if you
are experienced with unix/linux you probably don't need the
details anyway). Here they are summarized as follows:
1) Download the `patch-int-2.2.10.4' international kernel patch
from:
ftp://ftp.kerneli.org/pub/kerneli/v2.2/
2) Patch the kernel
3) Run `config' (or `menuconfig' or `xconfig') to configure
your `MakeFile' for the new kernel. The options to enable
encryption are scattered. First of all, before you will see
any other options you must enable `Prompt for development
and/or incomplete code/drivers' under `Code Maturity level
options'. Under `Crypto options' enable `crypto ciphers'
and `serpent'. Once again, this document assumes you are
using serpent, but try whatever you want. DES is known to
have serious bugs with 2.2.10.4 - it may not work at all.
Regardless of which cipher you want, make sure you ONLY
ENABLE ONE CIPHER! There are several important options to
select under `Block Devices'. These include `Loopback
device support', `Use relative block numbers as basis for
transfer functions (RECOMMENDED)', and `General encryption
support'. DO NOT select `cast 128' or `twofish' encryption
here. Also note that you don't need any of the crypto
options under the various network categories. I will not go
any further into configuration of the kernel; it is out of
the scope of this document and can be found at the LDP site.
4) Compile the new kernel.
5) Edit `/etc/lilo.conf' to add the new kernel image. Run
`lilo -v' to add the kernel to the boot loader.
6) Download the source for the `util-linux-2.2.9v' package
from:
ftp://ftp.kernel.org/pub/linux/utils/util-linux/
7) Extract the `util-linux' source.
8) Apply the corresponding patch found in your
`/usr/src/linux/Documentation/crypto/' directory.
9) CAREFULLY read the `INSTALL' file! This package contains
the sources for many system dependent files (important
tools such as `login', `passwd', and `init'). If you don't
carefully edit the MCONFIG file before compiling these
sources, have a boot disk and/or shotgun ready because your
system will be quite confused. Basically you want to set
almost all of the `HAVE_*' fields equal to yes so that the
important authentication tools are not compiled and written
over. The tools you do want rebuilt are `mount' and
`losetup' to accommodate the new encryption schemes. I
suggest that you refer to the details section below for this
step.
10) Compile the `util-linux' source.
11) Reboot the machine with the new kernel.
12) Edit `/etc/fstab', adding an entry for your mount point as
follows:
`/dev/loop0 /mnt/crypt ext2 user,noauto,rw,loop 0 0'
13) Create the directory that will hold your filesystem, as in
`/mnt/crypt' above.
14) Do a `chmod a+rw /dev/loop*'.
15) As the user, create your encrypted file as follows:
run `dd if=/dev/zero of=/etc/cryptfile bs=1k count=1000'
16) Run losetup as follows:
`losetup -e serpent /dev/loop0 /etc/cryptfile'
You only have one chance to enter the password, be careful.
17) Make your ext2 filesystem as follows:
`mkfs -t ext2 /dev/loop0 100000'
18) Now you can mount the encrypted filesystem with:
`mount -t ext2 /dev/loop0 /mnt/crypt'
19) When you're done, you want to unmount and protect your
filesystem as follows:
`umount /dev/loop0'
`losetup -d /dev/loop0'
Details
Kernel Patches:
You can upgrade from `2.2.x' releases by patching. Each patch
that is released for `2.2.x' contains bugfixes. New features
will be added to the Linux `2.3.x' development kernel. To
install by patching, get all the newer patch files and do the
following:
`cd /usr/src'
`gzip -cd patchXX.gz | patch -p0'
Repeat xx for all versions bigger than the version of your
current source tree, IN ORDER.
The default directory for the kernel source is `/usr/src/linux'.
If your source is installed somewhere else, I would suggest using
a symbolic link from /usr/src/linux.
Editing `MCONFIG' for the `util-linux' package compilation:
The following are excerpts from the `MCONFIG' file I used to
compile the `util-linux' package. Note that this is fairly
specific for my setup, which is loosely based on RedHat 5.2. The
point is to make sure you don't overwrite any important system
tools such as login, getty, or passwd. Anyway, here are the
important lines as follows:
CPU=$(shell uname -m | sed s/I.86/intel/)
LOCALEDIR=/usr/share/locale
HAVE_PAM=no
HAVE_SHADOW=yes
HAVE_PASSWD=yes
REQUIRE_PASSWORD=yes
ONLY_LISTED_SHELLS=yes
HAVE_SYSVINIT=yes
HAVE_SYSVINIT_UTILS=yes
HAVE_GETTY=yes
USE_TTY_GROUP=yes
HAVE_RESET=yes
HAVE_SLN=yes
CC=gcc
Editing `/etc/fstab':
Note that you could use any of the eight loopback devices, from
`/dev/loop0' to `/dev/loop7'. Also, use whatever mount point you
want instead of `/mnt/crypt'. I use a folder in my home
directory - which happens to have 700 permissions - preventing
other users from viewing the mount point. In any case, you will
have to create the directory for the mount point.
Suggestions:
Use an inconspicuous directory for the mount point. I would
suggest creating a folder with 700 permissions inside your home
folder. The same goes for the file that holds the data. I use a
filename like `sysfile' or `config.data' inside the
`/etc' folder. This will usually get overlooked.
I created very simple Perl scripts to mount and unmount the
filesystem with one command. Write these, make them executable
(chmod u+x), and store them somewhere in your path.
#!/usr/bin/perl -w
#
# simple utility to setup loopback encryption filesystem
# Copyright 1999 by Ryan T. Rhea
use strict;
# losetup prompts for the password on the terminal; only its output is captured
my $cmd1 = `losetup -e serpent /dev/loop0 /etc/cryptfile`;
die "losetup failed\n" if $?;
# the mount point is listed in /etc/fstab with the `user' option
my $cmd2 = `mount /mnt/crypt`;
print $cmd1;
print $cmd2;
Name the above script `loop', and then you can be on your way
with one command (`loop') and a password.
#!/usr/bin/perl -w
#
# simple utility to deactivate loopback encryption filesystem
# Copyright 1999 by Ryan T. Rhea
use strict;
# same mount point as in /etc/fstab and the `loop' script
my $cmd1 = `umount /mnt/crypt`;
die "umount failed\n" if $?;
# detach the loop device so the cipher key is no longer held
my $cmd2 = `losetup -d /dev/loop0`;
print $cmd1;
print $cmd2;
Name the second one `unloop', and then typing `unloop' will
quickly deactivate your filesystem.
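As an added example that is not part of Ryan Rhea's HOWTO (his own `loop' and `unloop' scripts are above), the following shell script collects steps 12 and 15-19 of the Summary and the patch-ordering note of the Details section into checked functions. It assumes a kernel and util-linux built as the HOWTO describes (one cipher, serpent), an /etc/fstab line as in step 12 so that a plain `mount $MNT' works for an unprivileged user, and kernel patches named like `patch-2.2.N.gz'; the default paths `$HOME/.config.data' and `$HOME/.crypt' are constructed for the example. The check a practitioner wants is in cryptfs_mount: a mistyped passphrase shows up as an unmountable device, so the wrongly keyed loop device is detached instead of left behind.

```shell
#!/bin/sh
# Added example, not Ryan Rhea's code: a wrapper for the HOWTO's steps 12 and
# 15-19 plus the Details section's patch ordering. Assumes the patched kernel
# and util-linux of the HOWTO and an /etc/fstab entry as produced by fstab_line.
# Defaults below are constructed for this example; override via the environment.

LOOPDEV=${LOOPDEV:-/dev/loop0}
CRYPTFILE=${CRYPTFILE:-$HOME/.config.data}   # inconspicuous name, per the HOWTO
MNT=${MNT:-$HOME/.crypt}                     # mount point, kept at mode 700
CIPHER=${CIPHER:-serpent}
SIZE_KB=${SIZE_KB:-1000}

# 0 if $1 is one of the eight loop devices the HOWTO mentions.
valid_loopdev() {
    case "$1" in
        /dev/loop[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if $1 is a directory that only its owner can enter (mode 700).
private_dir() {
    [ -d "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null) || mode=$(stat -f %Lp "$1")
    [ "$mode" = 700 ]
}

# The /etc/fstab entry from step 12, generated for the chosen device/mount point.
fstab_line() {
    printf '%s %s ext2 user,noauto,rw,loop 0 0\n' "$1" "$2"
}

# Details section: print patch-2.2.N.gz names in ascending order of N, which is
# the order `gzip -cd patchXX.gz | patch -p0' must be run in (assumed naming).
order_patches() {
    printf '%s\n' "$@" | sort -t. -k3,3n
}

# Steps 15-17: create the container (mode 600), key the loop device, make the
# filesystem, then detach so that cryptfs_mount immediately re-tests the passphrase.
cryptfs_create() {
    valid_loopdev "$LOOPDEV" || { echo "bad loop device $LOOPDEV" >&2; return 1; }
    [ -e "$CRYPTFILE" ] && { echo "$CRYPTFILE exists, refusing to overwrite" >&2; return 1; }
    ( umask 077 && dd if=/dev/zero of="$CRYPTFILE" bs=1k count="$SIZE_KB" ) || return 1
    losetup -e "$CIPHER" "$LOOPDEV" "$CRYPTFILE" || return 1
    mkfs -t ext2 "$LOOPDEV" || { losetup -d "$LOOPDEV"; return 1; }
    losetup -d "$LOOPDEV"
}

# Step 18 (the HOWTO's `loop' script): key the device and mount it. If the
# mount fails the passphrase was probably mistyped, so detach rather than
# leave a wrongly keyed loop device around.
cryptfs_mount() {
    mkdir -p "$MNT" && chmod 700 "$MNT"
    private_dir "$MNT" || { echo "$MNT is not mode 700" >&2; return 1; }
    losetup -e "$CIPHER" "$LOOPDEV" "$CRYPTFILE" || return 1
    mount "$MNT" || { echo "mount failed (wrong passphrase?)" >&2; losetup -d "$LOOPDEV"; return 1; }
}

# Step 19 (the HOWTO's `unloop' script): unmount, then detach so the key is gone.
cryptfs_umount() {
    umount "$MNT" || return 1
    losetup -d "$LOOPDEV"
}

case "${1:-}" in
    create|mount|umount) "cryptfs_$1" ;;
    fstab) fstab_line "$LOOPDEV" "$MNT" ;;
esac
```

Usage is `cryptfs.sh create' once, then `cryptfs.sh mount' and `cryptfs.sh umount' per session; `cryptfs.sh fstab' prints the line to paste into /etc/fstab. The mode-700 check and the 600 container mirror the HOWTO's Suggestions section rather than relying on an unusual filename alone.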
------------------------------
From: Maciej Stachowiak <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.advocacy,comp.os.linux.advocacy,gnu.misc.discuss
Subject: Re: Marx vs. Nozick
Date: 06 Sep 1999 02:15:09 -0400
[EMAIL PROTECTED] (Richard Kulisz) writes:
> In article <[EMAIL PROTECTED]>,
> Maciej Stachowiak <[EMAIL PROTECTED]> wrote:
> >[EMAIL PROTECTED] (Richard Kulisz) writes:
> >Hmmmm... GNU/Linux is competition for Microsoft Windows (as well as
> >for proprietary Unixen, *BSD, MacOS, etc). Does that mean it is
> >inherently destructive?
>
> GNU/Linux is /in conflict/ with MS Crudware and though many people
> would be happy to blow up Redmond with a tactical nuclear warhead,
> I don't believe this is motivated by a desire for Linux to "win"
> but a sincere wish to exterminate a plague on modern civilization.
>
> Self-preservation (greed) is sufficient reason to want to eliminate
> slavery, you don't need to invoke "competition" with slavers.
> Again, to prove that competition is occurring, you must show that
> net, overall, destruction occurs or explain why it can't.
So basically what you are saying is that competition is inherently
destructive because you have defined competition as an interaction
that is inherently destructive. That's bullshit. You can't argue
anything from that, because that is not what most people mean when
they say "competition". For example, the vast majority of people would
say that GNU/Linux and Microsoft Windows are in competition. Just as
they would say that Ford and General Motors are in competition. You
can't just substitute your circular definition in the latter case but
not the former.
> >> An employer tells you when you can piss, when you can eat, where you
> >> have to sit, and what you have to do for a third of your day. Sure as
> >> bloody hell sounds like a dictator to me!
> >
> >Dude, I think you need to get a new job. Your boss sounds like a real
> >asshole.
>
> :-) Thankfully, I'm not subject to that horror yet, but taking a look
> at disgruntled.com is enough to turn my stomach.
My point was that not all employers are such assholes. For example,
mine isn't. I have a strict policy of not working anywhere that wants
me to pee in a cup or work a specific set of hours or any shit like
that. Under this policy I am making enough money that in a few years I
will be able to live solely off of equity and not labor, i.e. become a
capitalist. Whoops! I forgot! Social mobility is impossible! There's
no way someone whose parents were once on welfare could rise to join
the capitalist class.
- Maciej
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: comp.os.qnx,comp.sys.amiga.misc
Subject: Re: Amiga, QNX, Linux and Revolution
Date: 05 Sep 1999 23:20:57 PDT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Terrance
Richard Boyes) wrote:
>
>Paul E. Bell <[EMAIL PROTECTED]> wrote:
>> "Jeffrey C. Dege" wrote:
>>>
>[snip]
>
>>> You still have the option of compiling drivers into the kernel, and
>>> there are one or two oddball drivers that can only be linked that
>>> way, but the great majority of drivers can be dynamically loaded.
>
>> Ok, but can they be dynamically unloaded, when no longer needed?
>
>Yes, the modules "handler" handles that.
Hey, NT needs a full reboot if you change the IP address of the
default gateway! And Linux, Amiga, AND QNX all *refuse* to add this
*vital* feature! Try to top THAT kind of robust design!
--
BTW, look at www.sun.com; they just bought out the makers of StarOffice
and it's now a free download. Runs on Linux, Windows, Solaris
Intel, Solaris SPARC, and OS/2.
------------------------------
From: [EMAIL PROTECTED] (Jerry Leslie)
Crossposted-To: comp.os.qnx,comp.sys.amiga.misc,comp.realtime
Subject: Re: Amiga, QNX, Linux and Revolution
Date: 6 Sep 1999 05:28:54 GMT
Casper ([EMAIL PROTECTED]) wrote:
: Unless something has recently changed, I don't recall ever reading
: that NASA uses Linux in any form.
The following were found via Altavista:
o http://aol11.wff.nasa.gov/rtlinux/
Real-time Linux at NASA
o http://accl.lerc.nasa.gov/highperf/index.html
Glenn ACCL High Performance Computing
o http://cesdis1.gsfc.nasa.gov/linux/
Linux at CESDIS
o http://beowulf.gsfc.nasa.gov/
Beowulf Project at CESDIS
--Jerry Leslie (my opinions are strictly my own)
------------------------------
From: [EMAIL PROTECTED] (Bo Berglund)
Crossposted-To: comp.os.linux.questions
Subject: How to address email without domain name?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 06 Sep 1999 06:23:42 GMT
My question is simply this:
How is the mail address supposed to be written for a user on a system
which does not have a registered domain name?
I have a Linux system on a fixed address on the Internet but I have
failed sending email to users on that system using this formula:
[EMAIL PROTECTED]
What happens is that the mail is returned by my ISP with a comment
that the name resolution failed, it could not find a domain named
"123.123.123.123"
My reckoning is that the name resolution is only necessary to
translate domain names into IP addresses for further processing and in
my case the IP number is supplied directly. But what is the correct
syntax?
TIA
Bo Berglund
Software developer in Sweden
[EMAIL PROTECTED]
PGP: My public key is available at the following locations:
ldap://certserver.pgp.com
http://pgpkeys.mit.edu:11371
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: comp.os.qnx,comp.sys.amiga.misc
Subject: Re: Amiga, QNX, Linux and Revolution
Date: 05 Sep 1999 23:25:41 PDT
In article <7qv5dj$rqf$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Jason Le Vaillant) wrote:
>jiff jiff jiff jiff jiff jiff jiff jiff!
I saw that video. There is such a thing as *too* much peanut butter...
>lih-nucks lih-nucks lih-nucks, lih-nucks!
Yup. That's the soundtrack for the "jiff jiff jiff jiff jiff jiff jiff jiff!"
video all right. Sure beats the DVD sequel, "spam spam spam spam spam spam
spam spam spam spam spam spam spam spam spam!".
------------------------------
From: "Robert M. Cosby" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.qnx,comp.sys.amiga.misc
Subject: Re: Amiga, QNX, Linux and Revolution
Date: Sun, 05 Sep 1999 23:10:00 -0700
Keith Blakemore-Noble wrote:
>
> On or around 05 Sep 1999 16:46:10 PDT, Guy Macon wrote something about
> "Re: Amiga, QNX, Linux and Revolution"...
> > In article <7qu9oh$gqk$[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] (Joe Cosby) wrote:
> > >>
> > >>>>It's Gif, not jif!!
> > >>>>
> > >>>>(Unless, of course, one chooses to pronounce "graphic" [the
> > >>>>>>>>word in "gif"] as "jraphic", perhaps? :) ).
> > >>>
> > >>> The creators of the gif format insist it's `jif'
> > >>
> > >> One must assume that they pronounce jpeg as "gpej" then? ;-)
> >
> > Well if they pronounce Graphic Interchange Format as "jif", then
> > pronouncing Joint Photographic Experts Group as "gpeg" seems to make
> > just as much sense.
>
> That would be, presumably, the "goint photojraphic experts jroup", yes?
>
> ;-)
>
> "jif" indeed! Pah!!!!!
> --
> http://www.BuiltWithAmiga.org Member of Team *AMIGA* and ICOA
I have a strong suspicion that .gif being pronounced "jif" was just a
popular assumption on the pronunciation that established itself before
anyone thought to get official about it.
Jif, schmiff, it's all peanut butter to me... 8^)
Coz
------------------------------
Date: Mon, 06 Sep 1999 00:09:24 -0700
From: Tim Moore <[EMAIL PROTECTED]>
Subject: Re: sysinfo load information
Boyana Norris wrote:
>
> Can somebody shed some light on the load information returned by the sysinfo
> function (I'm using RedHat 5.2)? The 1, 5, and 15-minute load averages are
> returned as unsigned long ints. What are the units of measurement? There is
Average number of processes ready to run during the last 1, 5 and 15
minutes.
--
timothymoore "Everything is permitted. Nothing is forbidden."
bigfoot WS Burroughs.
com
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.misc) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Misc Digest
******************************