Sudo on Fedora 15

Sudo allows users to run commands as root while logging the command and its arguments.

In short, sudo first authenticates a user using their own password, then checks /etc/sudoers to see what sudo permissions (if any) the user has, then executes and logs the command if the user is allowed.

This is the preferred way to run commands as root for a few reasons:

  1. You do not need to give out the root password to users.
  2. You can limit which commands a user can run as root.
  3. All sudo commands are logged.

To use sudo on Fedora 15, first make sure the package is installed:

bash$ rpm -q sudo
sudo-1.7.4p5-4.fc15.x86_64

If it is not installed, su to root and install the package.

bash$ su -
root# yum install sudo

Next, edit the sudo configuration file by using the visudo command. Visudo locks the /etc/sudoers file against simultaneous edits, provides sanity checks, and checks for configuration errors. Avoid directly editing the /etc/sudoers file.

root# visudo

You will see that there are a variety of options, but let’s look at this line which is enabled on Fedora 15 by default:

%wheel	ALL=(ALL)	ALL

This means that all users in the wheel group can run all commands as root on all systems that this sudoers file lives on. The sudoers file is designed so that you can have a single configuration live on various hosts and allow or disallow users by hostname.

Since this line is enabled in sudoers, quit visudo by exiting the editor and check what groups your username belongs to. In this example, my username is victor.

root# groups victor
victor : victor

In order to give the user full access to root using sudo, add the user to the wheel group.

root# usermod -a -G wheel victor
root# groups victor
victor : victor wheel

Next, log out of the root shell.

root# logout

Now, as your user, you can use sudo to run commands as root. The first time you run sudo, some warnings and advice will be printed to the screen.

bash$ sudo /usr/bin/test

Type in your password (not the root password), and you will successfully run /usr/bin/test as root. If the default configuration is kept, sudo will not prompt the user for a password again until 5 minutes after their last sudo command.

By default (on Fedora 15), sudo logs its usage into /var/log/secure by configuration of /etc/sudoers and /etc/rsyslog.conf. Normally, you need root permissions to read /var/log/secure, but now that you have sudo access, you can read the file. Read the sudo logs with something like this:

bash$ sudo grep sudo /var/log/secure
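
A plain grep also returns PAM messages and leaves you to pick out refusals by eye. The script below is an added example, not part of the original post: it parses sudo entries in the syslog format used by /var/log/secure and reports who ran what, as which user, and which attempts were refused. The log lines are constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize sudo entries from syslog-format lines such as
# those in /var/log/secure. Function names are hypothetical.

# Constructed sample data (not taken from a real system).
sample_log() {
cat <<'EOF'
Oct  2 20:31:07 fedora sudo:   victor : TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/usr/bin/test
Oct  2 20:33:41 fedora sudo:   victor : TTY=pts/0 ; PWD=/home/victor ; USER=root ; COMMAND=/bin/grep sudo /var/log/secure
Oct  2 20:40:12 fedora sudo:    alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct  2 20:41:50 fedora sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=0 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=bob
Oct  2 20:41:55 fedora sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/service sshd restart
Oct  2 20:42:00 fedora sshd[1234]: Accepted password for victor from 192.0.2.10 port 50000 ssh2
EOF
}

# Read log lines on stdin; print "STATUS<TAB>user<TAB>run-as<TAB>command".
sudo_summary() {
    awk '
    $5 !~ /^sudo(\[[0-9]+\])?:$/ { next }      # only lines tagged by sudo
    {
        c = index($0, "COMMAND=")
        if (c == 0) next                        # PAM messages carry no command
        cmd = substr($0, c + 8)                 # keep arguments, even with ";"
        s = index($0, $5) + length($5)
        head = substr($0, s, c - s)             # "user : FIELD ; FIELD ; "
        sub(/^[ \t]+/, "", head)
        u = index(head, " : ")
        if (u == 0) next
        user = substr(head, 1, u - 1)
        n = split(substr(head, u + 3), part, / ; /)
        status = "ALLOWED"; runas = "?"
        for (i = 1; i <= n; i++) {
            if (part[i] ~ /^USER=/)
                runas = substr(part[i], 6)
            else if (part[i] != "" && part[i] !~ /^[A-Z]+=/)
                status = "DENIED(" part[i] ")"  # free text = refusal reason
        }
        printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }'
}

# Demo on the constructed sample. On a real system:
#   sudo grep sudo /var/log/secure | sudo_summary
sample_log | sudo_summary
```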

Finally, see /etc/sudoers and the SUDOERS(5) man page for syntax on how to configure access rights for users based on group, command and hostname.

bash$ less /etc/sudoers
bash$ man sudoers

Airprint on Fedora 15

It is possible to AirPrint from your iPhone or iPad to your network attached (or USB) printer using Fedora 15 and CUPS. No additional software on your iPhone is needed; you just need to make sure Avahi, CUPS and your firewall are configured properly.

First, make sure you have Avahi and CUPS installed. These are part of the default installation, so you should have some version of them installed.

bash$ rpm -q cups avahi
cups-1.4.8-2.fc15.x86_64
avahi-0.6.30-3.fc15.x86_64

Additionally, if you are running Gnome3 and find that System Settings -> Printers lacks some configuration options, use the Fedora system-config-printer tool from the command line to configure your printers. The Gnome3 interface under System Settings -> Printers will see the configurations you make with system-config-printer.

If you don’t have the packages you need installed, use YUM to install them:

bash$ sudo yum install cups avahi system-config-printer

If you had to install the packages, make sure that CUPS and Avahi are started and enabled to start on boot. Otherwise, skip this step.

bash$ for SERVICE in cups avahi-daemon; do
> /sbin/chkconfig $SERVICE on
> /sbin/service $SERVICE start
> done

First, you will need your printer to be installed and configured on the Fedora 15 system. Do this with System Settings -> Printers or system-config-printer. If your printer is already installed and working, skip this step.

bash$ sudo system-config-printer

Once your printer is installed and working, note its name in CUPS. For instance, my printer is called Epson.

bash$ lpstat -p
printer Epson is idle.  enabled since Sun 02 Oct 2011 08:20:54 PM EDT
                	Ready to print.

Next, you will need to configure your printer with Avahi (a system which facilitates service discovery on your local network). Do this by editing a new service file under /etc/avahi/services. In this example, I name the file printer.service, but any name will work.

bash$ sudo vim /etc/avahi/services/printer.service

Now, insert this XML into the file making sure to change ‘Epson’ to your printer name as listed in lpstat -p. Feel free to also change the options for your printer in the various <txt-record> entries.

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
      <name>Epson</name>
      <service>
            <type>_ipp._tcp</type>
            <subtype>_universal._sub._ipp._tcp</subtype>
            <port>631</port>
            <txt-record>txtver=1</txt-record>
            <txt-record>qtotal=1</txt-record>
            <txt-record>rp=printers/Epson</txt-record>
            <txt-record>ty=Epson</txt-record>
            <txt-record>adminurl=http://printers.00:631/printers/Epson</txt-record>
            <txt-record>note=Epson</txt-record>
            <txt-record>priority=0</txt-record>
            <txt-record>product=virtual Printer</txt-record>
            <txt-record>printer-state=3</txt-record>
            <txt-record>printer-type=0x801046</txt-record>
            <txt-record>Transparent=T</txt-record>
            <txt-record>Binary=T</txt-record>
            <txt-record>Fax=F</txt-record>
            <txt-record>Color=T</txt-record>
            <txt-record>Duplex=T</txt-record>
            <txt-record>Staple=F</txt-record>
            <txt-record>Copies=T</txt-record>
            <txt-record>Collate=F</txt-record>
            <txt-record>Punch=F</txt-record>
            <txt-record>Bind=F</txt-record>
            <txt-record>Sort=F</txt-record>
            <txt-record>Scan=F</txt-record>
            <txt-record>pdl=application/octet-stream,application/pdf,application/postscript,image/jpeg,image/png,image/urf</txt-record>
            <txt-record>URF=W8,SRGB24,CP1,RS600</txt-record>
      </service>
</service-group>

Using Perl LWP::UserAgent to View Server Headers

Unless configured to do otherwise, most HTTP and FTP servers will supply you with identifying information in the form of a server header. Using Perl’s LWP::UserAgent, you can connect to a server and display the header information.

First, you’ll need LWP::UserAgent. You can install this using Perl’s CPAN repositories:

sudo perl -MCPAN -e 'install LWP::UserAgent'

After LWP::UserAgent is installed, you can use Perl to connect to the server and download the information. Here is an example script which takes one argument and displays the information:

#!/usr/bin/env perl
 
use warnings;           # keep us warned
use strict;             # keep us honest
use LWP::UserAgent;     # for web requests
 
my $url;                # init url var
my $serverheader;       # init server header var
 
# require one argument
if ($#ARGV != 0) {
 
    printf("Usage: %s <url>\n", $0);
    exit(1);
 
} else { $url = $ARGV[0]; }
 
# build connection properties
my $ua = LWP::UserAgent->new();
$ua->timeout(10);
$ua->agent('Mozilla/5.0');
 
# connect and get
my $response = $ua->get($url);
 
# if we can connect...
if ($response->is_success) {
 
    # grab server header
    $serverheader = $response->server;
 
    # if server header exists...
    if (defined($serverheader)) {
 
        # print server header
        printf("%s\n", $response->server);
 
    # else, print a message
    } else { printf("No server header available.\n"); }
 
# else, print connection status
} else { printf("%s\n", $response->status_line); }
 
exit(0);

Assuming that the code is saved as getinfo.pl and executable (chmod +x), you can use it to fetch interesting information from various HTTP and FTP servers.

bash$ ./getinfo.pl http://www.apache.org
Apache/2.3.15-dev (Unix) mod_ssl/2.3.15-dev OpenSSL/1.0.0c

bash$ ./getinfo.pl ftp://apache.mirrors.pair.com
apache.mirrors.pair.com NcFTPd Server (licensed copy)

Of course, some sites do not send a Server header (but most do).

bash$ ./getinfo.pl http://www.facebook.com
No server header available.

Finally, the code will show you if there is an error:

bash$ ./getinfo.pl http://badurl
500 Can't connect to badurl:80 (Bad hostname 'badurl')

Read & Remove EXIF Data From the Command Line

Most digital cameras will insert metadata into images. This metadata is stored using the exchangeable image file format (EXIF) and can contain camera specifications, exposure settings, thumbnails, GPS coordinates and more. This article outlines some Linux command line tools you can use for reading, editing and removing EXIF metadata from images.

Reading and Editing EXIF Metadata with ExifTool

ExifTool is a powerful Perl program that can be used to read and edit EXIF metadata in images. To install ExifTool as /usr/bin/exiftool on Fedora, install the perl-Image-ExifTool package:

su -c 'yum install perl-Image-ExifTool'

Alternatively, you can use CPAN to install ExifTool in /usr/local/bin/exiftool.

su -c "perl -MCPAN -e'install Image::ExifTool'"

After installation, you will have the exiftool command available in /usr/bin or /usr/local/bin. To view the EXIF metadata in an image, just pass the image as an argument to exiftool.

exiftool dsc_0790.jpg

Here is a snippet of the output from the above command:

ExifTool Version Number         : 7.60
File Name                       : dsc_0790.jpg
Directory                       : .
File Size                       : 4.4 MB
File Modification Date/Time     : 2008:07:16 09:45:20-07:00
File Type                       : JPEG
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Make                            : NIKON CORPORATION
Camera Model Name               : NIKON D200
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Bibble 4.10a
Modify Date                     : 2007:06:23 22:00:14
Exposure Time                   : 1/40
F Number                        : 2.0
Exposure Program                : Aperture-priority AE
ISO                             : 100
.
.
.

ExifTool has many options for editing and removing EXIF metadata in images. To see the available options, use the --help switch or read the ExifTool documentation.

exiftool --help

Reading EXIF Metadata with Jhead

Jhead is a command line tool for displaying EXIF data embedded in JPEG images. On Fedora, use Yum to install Jhead:

su -c 'yum install jhead'

Now, use /usr/bin/jhead to read EXIF metadata:

jhead dsc_0790.jpg

Here is an example of the output produced by the jhead command:

File name    : dsc_0790.jpg
File size    : 4654488 bytes
File date    : 2008:07:16 09:45:20
Camera make  : NIKON CORPORATION
Camera model : NIKON D200
Date/Time    : 2007:06:23 22:00:14
Resolution   : 3880 x 2608
Flash used   : No
Focal length : 50.0mm  (35mm equivalent: 75mm)
Exposure time: 0.025 s  (1/40)
Aperture     : f/2.0
ISO equiv.   : 100
Exposure bias: 1.00
Whitebalance : Auto
Exposure     : aperture priority (semi-auto)
GPS Latitude : ? ?
GPS Longitude: ? ?
======= IPTC data: =======
(C)Flag       : 0
DateCreated   : 20070623
Time Created  : 220014
Record vers.  : 4

Removing EXIF Metadata with ImageMagick

If you need to strip the EXIF metadata from images, use ImageMagick’s mogrify command. To install ImageMagick on Fedora, use Yum:

su -c 'yum install ImageMagick'

After ImageMagick is installed, you will have /usr/bin/mogrify available. The mogrify command can be used to strip Exif data from images.

mogrify -strip imagename.jpg

If you need to process a large number of files, use find and xargs:

find ./folder_of_images -name '*.jpg' -print0 | xargs -0 mogrify -strip

How to Connect to a VNC Server Using SSH

Need to connect to a VNC server behind a firewall that only allows SSH traffic? With SSH access to the VNC server, you can tunnel the VNC traffic through an SSH connection. This will encrypt your VNC traffic through an SSH tunnel.

To begin, SSH to the VNC server and forward the local client’s 5904 TCP port to the VNC server’s port 5901.

client$ ssh -L 5904:localhost:5901 user@vncserver.mydomain.com

Next, in a new window, direct vncviewer to your localhost 5904 port and the traffic will be forwarded to your VNC server’s port 5901.

client$ vncviewer localhost:5904

If you get any errors, be sure that your client’s firewall is not blocking localhost’s port 5904.

client$ su -c "iptables -L"

An Explanation of .bashrc and .bash_profile

Both ~/.bashrc and ~/.bash_profile are scripts that might be executed when bash is invoked. The ~/.bashrc file gets executed when you run bash using an interactive shell that is not a login shell. The ~/.bash_profile only gets executed during a login shell. What does this all mean? The paragraphs below explain interactive shells, login shells, .bashrc, .bash_profile and other bash scripts that are executed during login.

Login Shells (.bash_profile)

A login shell is a bash shell that is started with - or --login. The following are examples that will invoke a login shell.

sudo su -
bash --login
ssh user@host

When BASH is invoked as a login shell, the following files are executed in the displayed order.

/etc/profile
~/.bash_profile
~/.bash_login
~/.profile

Although ~/.bashrc is not listed here, most default ~/.bash_profile scripts run ~/.bashrc.

Purely Interactive Shells (.bashrc)

Interactive shells are those not invoked with -c and whose standard input and output are connected to a terminal. Interactive shells do not need to be login shells. Here are some examples that will invoke an interactive shell that is not a login shell.

sudo su
bash
ssh user@host /path/to/command

In this case of an interactive but non-login shell, only ~/.bashrc is executed. In most cases, the default ~/.bashrc script executes the system’s /etc/bashrc.

Be warned that you should never echo output to the screen in a ~/.bashrc file. Otherwise, commands like ‘ssh user@host /path/to/command’ will echo output unrelated to the command called.

Non-interactive shells

Non-interactive shells do not automatically execute any scripts like ~/.bashrc or ~/.bash_profile. Here are some examples of non-interactive shells.

su user -c /path/to/command
bash -c /path/to/command

Fedora 10 Rar and Unrar

By default, Rar is not available in Fedora 10. If all you need to do is extract files from a Rar archive, unrar from RPM Fusion’s YUM repositories will work. If you need to create Rar archives, then you will have to download and install the complete Rar package from DAG. The instructions below show you how.

Only Need to Extract Files?

First, install RPM Fusion’s free and nonfree YUM repositories. For detailed information about installing RPM Fusion, see: http://rpmfusion.org/Configuration

su -c "rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm"
su -c "rpm -Uvh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm"

Next, install the unrar packages from RPMFusion’s nonfree repository.

su -c "yum install unrar"

Done! You now have unrar in /usr/bin/unrar. This binary can only extract files from Rar archives. Use this command to see all available options:

/usr/bin/unrar -?

Need to Create Rar Archives?

First, download the source RPM from DAG: http://dag.wieers.com/rpm/packages/rar

wget -c http://dag.wieers.com/rpm/packages/rar/rar-3.5.1-1.rf.src.rpm

Now, install the source RPM. This will create a $HOME/rpmbuild tree. Please note that you do not need to be root.

rpm -iv  rar-3.5.1-1.rf.src.rpm

Next, build a binary package in $HOME/rpmbuild. Again, no need to be root.

rpmbuild -bb ~/rpmbuild/SPECS/rar.spec

Finally, install the built RPM as root:

su -c "rpm -Uvh $HOME/rpmbuild/RPMS/$(arch)/rar-3.5.1-1.rf.$(arch).rpm"

Done! You now have rar in /usr/bin/rar. This binary can build and extract Rar files. Use this command to see all available options:

/usr/bin/rar -?

Passwordless SSH

Passwordless SSH can be accomplished using SSH’s public key authentication. To configure passwordless SSH, follow the directions below. Warning: passwordless SSH will make your systems less secure. If you are comfortable with that, the directions below will walk you through server and client configurations. Then, I’ll show you how to debug SSH if you encounter problems.

SSHD Server Configuration

First, you must ensure that your SSHD server allows for passwordless authentication using public keys. If you do not have root access to the server, do not worry. By default, public key authentication over protocol 2 is enabled. Skip this step. If you have any problems, contact your System Administrator.

If you have root privileges, edit your system’s /etc/ssh/sshd_config and apply the following settings. I suggest you disable protocol 1 RSA key based authentication and leave all other settings alone for now. Visit the man page SSHD_CONFIG(5) for details.

# Disable protocol 1 RSA key based authentication
RSAAuthentication no
# Protocol 2 public key based authentication
PubkeyAuthentication yes
# Authorized public keys file
AuthorizedKeysFile .ssh/authorized_keys

If you make any changes, save them and restart your SSH server.

service sshd restart

SSH Client Configuration

Now that the server is configured, log into your client system and examine /etc/ssh/ssh_config. This is the SSH client configuration file and you do not need to edit it.

less /etc/ssh/ssh_config

By default, public key authentication over protocol 2 is enabled for clients. You only need to make sure that it is not disabled. If it is, create an ~/.ssh/config to override the /etc/ssh/ssh_config options.

cp -a /etc/ssh/ssh_config ~/.ssh/config

Then edit it and add this to the “Host *” block:

PubkeyAuthentication yes

Create Client Key

With the client in order, you need to create a public and private key pair. The following command will build an RSA key pair. Hit Enter for all questions asked. This will create an RSA key pair in ~/.ssh/. The private key is called id_rsa and the public key is id_rsa.pub.

ssh-keygen -t rsa

Use Key for Authentication

Now that you have a public and private key pair, put the public key on the server you wish to log into without a password. You will need to put the public key inside the server’s /home/user/.ssh/authorized_keys file. This file can contain multiple keys, so you generally do not want to just copy over it. Note that the authorized_keys2 file was deprecated in OpenSSH 3.0 (2001).

cat ~/.ssh/id_rsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

Alternatively, modern releases of SSH have a command to help you copy keys.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

Test and Debug SSH

Now, test.

ssh username@server date

If you get prompted for a password, check the server’s system logs for clues. You can also enable debugging in /etc/ssh/sshd_config with the following directive.

LogLevel DEBUG

Other options are INFO, VERBOSE, DEBUG2 and DEBUG3. See the man page SSHD_CONFIG(5) for details. For the client, the same option can be placed inside a Host block in /etc/ssh/ssh_config. See SSH_CONFIG(5) for client debugging details.

man 5 sshd_config
man 5 ssh_config
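
A frequent reason for the password prompt described above is file permissions: with StrictModes enabled (the sshd_config default), sshd ignores authorized_keys when the home directory, ~/.ssh or the key file is writable by group or others. The check below is an added example, not part of the original post; the function names are hypothetical and the demo runs against a constructed temporary directory.

```shell
#!/bin/sh
# Added example: find and fix permissions that make sshd (StrictModes yes)
# ignore ~/.ssh/authorized_keys. Function names are hypothetical.

# Succeeds if the path is writable by group or others.
loose_perms() {
    # Mode string looks like drwxr-xr-x; characters 6 and 9 are the
    # group and other write bits.
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Check HOME, HOME/.ssh and HOME/.ssh/authorized_keys.
# Prints one line per problem; returns the number of problems found.
check_key_perms() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            bad=$((bad + 1))
        elif loose_perms "$p"; then
            echo "LOOSE   $p ($(ls -ld -- "$p" | cut -c1-10))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Apply the conventional modes: no group/other write on the home
# directory, 700 on .ssh, 600 on authorized_keys.
fix_key_perms() {
    chmod go-w "$1" &&
    chmod 700 "$1/.ssh" &&
    chmod 600 "$1/.ssh/authorized_keys"
}

# Demo on a constructed directory tree. On a real account, run on the
# server as the target user:  check_key_perms "$HOME"
demo() {
    d=$(mktemp -d) || return 0
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 775 "$d/.ssh"
    chmod 664 "$d/.ssh/authorized_keys"
    check_key_perms "$d"                    # reports the two loose paths
    fix_key_perms "$d"
    check_key_perms "$d" && echo "OK after fix"
    rm -rf "$d"
}
demo
```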

Installing Compiz on Fedora 10

The Compiz window manager is available on Fedora 10. Since Compiz uses 3D graphics acceleration via Fedora’s OpenGL libraries, you will need a decent graphics card (and its drivers) installed on your Fedora system. For more information on Compiz see: http://www.freedesktop.org/wiki/Software/Compiz

Gnome Compiz Install

If you are using Gnome, run:

su -c "yum install compiz-gnome"

Then, run the following and click on “Enable Desktop Effects”

/usr/bin/desktop-effects

KDE Compiz Install

KDE users should run:

su -c "yum install compiz-kde"

Then, run the following command, select “Compiz” and click “OK”

/usr/bin/kde-desktop-effects.sh

Fedora 10 MP3 Support

Fedora 10 does not come with built-in MP3 support. To get MP3 support with Fedora, you can use RPM Fusion’s YUM repositories to download MP3 enabled RPMs.

Enable RPM Fusion

First, install RPM Fusion’s free and nonfree YUM repositories. For detailed information about installing RPM Fusion, see: http://rpmfusion.org/Configuration


su -c "rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm"
su -c "rpm -Uvh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm"

Install GStreamer

Next, run this command to get the gstreamer plugins.


su -c "yum install gstreamer gstreamer-plugins-bad gstreamer-plugins-ugly"

Install Applications and Libraries

For Amarok with MP3 support, install these packages:


su -c "yum install amarok phonon-backend-gstreamer"

For MPlayer with MP3 support, install these RPMs:


su -c "yum install mplayer gnome-mplayer gnome-mplayer-common mencoder"

For XMMS with MP3 support, install the following:


su -c "yum install xmms xmms-mp3"

For xine with MP3 support, install these RPMs:


su -c "yum install xine xine-lib-extras-nonfree"

To create MP3s with LAME, install lame and lame-mp3x.


su -c "yum install lame lame-mp3x"

Run this command to install everything:


su -c "yum install xmms xine mplayer amarok xmms-mp3 gstreamer phonon-backend-gstreamer gstreamer-plugins-bad gstreamer-plugins-ugly xine-lib-extras-nonfree mplayer gnome-mplayer-common mencoder gnome-mplayer lame lame-mp3x"