This is a small HowTo page written by Ole Martin. If you have any questions, corrections, or contributions send a mail to . And sorry for the bad English!

Introduction

I purchased a Whitebox CL50 (www.whitebox.no), or Compal CL50 which is its factory name, in the autumn of 2003. On the laptop I run Linux (Fedora) together with Windows XP through dual boot. While configuring and running Fedora on this machine I have collected some information that I hope can be useful for others who own a Compal CL50.


Hardware

Installing Fedora (dual boot with Windows XP)

With an empty hard drive, I recommend installing Windows XP first and then Fedora; this will prevent a troublesome boot sector. If Windows is already installed on the hard drive, Fedora will automatically locate this installation and add Windows to the grub boot loader. The hard disk's partition table entries are as follows (it is wise to set them up before or during the installation, e.g. using fdisk, Partition Magic or similar):

/dev/hda1 10 GB NTFS # For Windows XP and other pirate SW :-)
/dev/hda2 35 GB FAT32 # Shared partition between Windows and Linux (documents, mail, mp3s etc.)
/dev/hda3 1 GB SWAP # Linux swap space
/dev/hda4 8 GB EXT3 # Linux system
/dev/hda5 6 GB EXT3 # Linux home

The installation of Fedora, currently Fedora Core 4, from a CD or DVD image is straightforward. Anaconda, the graphical installer, is so easy that even your grandmother could do a fine install. Remember to select the correct partition table entries for SWAP (hda3), / (hda4), and /home (hda5). The LCD screen I use is the generic 1400x1050 LCD screen; I have not found out what the exact name is for the screen that is installed on the Compal CL50. The generic driver does however work fine.


Configuring Fedora

Starting up through grub, Fedora should boot on the first try. When logged in, using GNOME in my case, fire up a terminal and become root. If a GNOME error message appeared on first boot and you had to click "log in anyway", enter your preferred name for your PC in "/etc/hosts".

su - # makes you root!
vi /etc/hosts # edits the hosts file

Sudo

First, I like to add my user to the sudoers file, making it possible to run various programs as root without using "su -" all the time. Run the command "visudo", and add the line "user ALL=(ALL) ALL" at the end ("user" being your username).


Framebuffer

The next useful thing to do is to use a higher resolution in the virtual terminal. The Fedora kernel has framebuffer support enabled, so I just open /etc/grub.conf and add vga=791 (1024x768x16) to the kernel line:

kernel /boot/vmlinuz-2.6.12-1.1398_FC4 ro root=LABEL=/ rhgb quiet vga=791

fstab

Now, it can be a good idea to mount the shared FAT32 partition. This is done by adding the line:

/dev/hda2   /mnt/windisk   vfat  rw,owner,umask=000,uid=500,gid=500   0 0

to /etc/fstab. Here 500 represents the user identification number of my user on the system (figure it out with the "id" command). Then create the directory "windisk" by running "sudo mkdir /mnt/windisk". Finally run "mount /mnt/windisk" and you have easy access to the FAT32 partition.


ACPI

The power saving features of the Pentium M, i.e. CPU throttling, work out of the box in the later Fedora Core releases. For your own control you can add the CPU frequency scaling monitor applet in GNOME, which shows the current CPU frequency and even lets you lock the CPU frequency if you need to save power. Other ACPI features like hibernating etc. have not been explored since I don't use them.


yum

The easiest way to install and update software in Fedora is to use yum. Adding some additional repositories to the /etc/yum.conf file is recommended. I use the Dag Wieers yum repository and the livna yum repositories for additional packages on my system. Add the following to /etc/yum.conf:

[dag]
name=Dag APT Repository
baseurl=http://dag.freshrpms.net/fedora/$releasever/en/$basearch/dag/
        http://dag.atrpms.net/fedora/$releasever/en/$basearch/dag/
        http://ftp.heanet.ie/pub/freshrpms/pub/dag/fedora/$releasever/en/$basearch/dag/
enabled=0
gpgcheck=1

[livna-stable]
name=Livna for Fedora Core $releasever - $basearch - Base
baseurl=http://rpm.livna.org/fedora/$releasever/$basearch/RPMS.lvn/
enabled=0
gpgcheck=1

[livna-testing]
name=Livna for Fedora Core $releasever - $basearch - Testing
baseurl=http://rpm.livna.org/fedora/$releasever/$basearch/RPMS.lvn-testing
enabled=0
gpgcheck=1

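With gpgcheck=1 set, yum checks each package's signature against the keys in the RPM database, which guards against malicious packages to some extent. For that to work you should add the public GPG keys for each yum repository: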

sudo rpm --import /usr/share/doc/fedora-release-3/RPM-GPG-KEY*
sudo rpm --import http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
sudo rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
sudo rpm --import http://rpm.livna.org/RPM-LIVNA-GPG-KEY

Then a "yum update" is in order to update the system to the bleeding edge of Linux distributions (Fedora!):

sudo yum update

To get mp3 support you can run:

sudo yum --enablerepo=livna-stable install gstreamer-plugins-mp3

Rhythmbox and the genius Amarok mp3 players use this plugin to play mp3s. To play videos I use mplayer:

sudo yum --enablerepo=livna-stable install mplayer

Java

Go to http://java.sun.com/ and download the latest JRE (the file is named "jre-"version-number"-linux-i586-rpm.bin"). Then open a terminal, locate the downloaded file, and install it:

sudo sh jre-"version-number"-linux-i586-rpm.bin
#...answer some licence things..
sudo rpm -ivh jre-"version-number"-linux-i586.rpm
sudo ln -s /usr/java/jre"version-number"/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/libjavaplugin_oji.so # this makes java work in firefox

Flash

If you need it you can get an RPM at http://sluglug.ucsc.edu/macromedia/site_ucsc.html. Download, and install with "rpm -ivh packagename.rpm".


Video card

There are now ATI driver RPMs available through livna.org that are designed especially for Fedora. Install them with yum:

sudo yum --enablerepo=livna-stable install ati-fglrx kernel-module-fglrx-$(uname -r)

That installs the ATI driver for your current kernel, and it should become active the next time you reboot your machine. If you update your kernel, you have to install the newest ATI driver also (usually this module is available in RPM by livna a few days after the new kernel is released by Fedora).


Wireless card

The wireless card I have on my laptop is a Z-com XG (v0.1) card (I think..). "lspci" reports this hardware information:

02:02.0 Network controller: Intersil Corporation Intersil ISL3890 [Prism GT/Prism Duette] (rev 01)
Subsystem: Unknown device 17cf:0014
Flags: bus master, medium devsel, latency 128, IRQ 11
Memory at d0000000 (32-bit, non-prefetchable) [size=8K]
Capabilities: [dc] Power Management version 1

The NIC works fine with the prism54 driver, which is enabled in the FC4 kernel. However, you must have the firmware for this card to be able to run it properly. The firmware comes with the Windows drivers. To get it, I booted into Windows, then used the device manager and found the location of the Windows drivers (c:\windows\system32\drivers\wlandcb.sys). In that directory, together with the .sys file, you will find a .arm file (wlandcb.arm) which is the firmware file you need in Linux. In Linux, copy and rename this file as follows:

sudo cp wlandcb.arm /lib/firmware/isl3890
sudo cp wlandcb.arm /usr/lib/hotplug/firmware/isl3890 # this line may not be necessary in FC4

Then the wireless card should work just fine! Start system-config-network and set up the card, or use iwconfig in the terminal. WEP protection works with the prism54 drivers, but WPA does not work with this driver (correct me if I am wrong). I have tried to use ndiswrapper with Windows drivers to be able to use the wpa_supplicant software, but without success. The thing that seems to be stopping this from working is that the card requires the firmware file to function. I am not sure if such firmware-dependent NICs can be used at all with ndiswrapper, so for now I have to use prism54 without WPA support. Anyone out there who knows how to use ndiswrapper or even WPA with the ISL3890 NIC, please send me a recipe!


Bluetooth

Todo!


Security

Here I have some scribblings about how to keep the laptop system secure from outside threats. In the current configuration, the Windows XP installation is of course the most vulnerable; however, using some heavy anti-virus/personal firewall and running Windows Update regularly should keep most threats out. I am a bit extra interested in information security (my line of work!), so I like to share some tricks I have collected to keep the Fedora install secure and have some control over what is happening on the system. I am online through various Internet connections, and there is not always a perimeter defense in front of the computer, so I like to add some extra protection on the portable computer.


Physical Security

To protect the computer from theft to some degree, I use a Kensington cable lock when I have to leave the laptop unattended. Recommended! I also set a BIOS password on the computer. Helps a bit against physical access, but not much!


SELinux

Fedora comes with a state of the art security feature that is worth mentioning: SELinux. Security-Enhanced Linux (SELinux) is, simply put, an implementation of flexible mandatory access control in Fedora. I have SELinux enabled, and use the targeted policy. This policy applies access restrictions to specific services, but not all services (the strict policy will place a policy on all processes). More and more services are put under this targeted policy by Fedora. The policy can be configured through "system-config-securitylevel". Much is happening in the SELinux project and new policies will be available in the future.


Keep updated

In Fedora, too, the most important thing is to keep updated. The easiest way is to run "yum update" regularly, e.g. using crontab or doing it manually when you feel you have the right bandwidth available.


Partitions

Separating the hard drive partitions is recommended to make recovery easier after a crash or serious security incident. I only separate /home from /, and feel that is enough for my case. However, many recommend separating /, /boot, /usr, /tmp, /home and /var. On a server this may be more important.


Services

Keeping the number of running network services to the absolutely necessary ones is important in any environment. Disabling other services is also smart, to improve boot time etc. On my laptop I have the following services enabled:

acpid # "laptop" daemon (power, cpu-control, etc.)
anacron # runs cron jobs that should have been run during power off
apmd # battery checker
ati-fglrx # native ATI driver daemon
auditd # linux auditing daemon
cpuspeed # pentium m support
crond # linux cron jobs
cups # printing
firestarter/iptables # the firewall
gpm # support for mouse in text-based programs
haldaemon # hardware abstraction layer daemon
lmsensors # motherboard monitoring
mDNSresponder # network configuration
messagebus # reporting system events
netfs # needed for samba support
network # the NICs
nifd # NIC monitoring
pcmcia # to support PCMCIA cards
smb # for accessing/providing windows shares
snmpd # for using some sysadmin tools (not a necessity)
sshd # ssh access
syslog # system logging
vmware # if you use this

Change the service setup with:

sudo /usr/sbin/serviceconf

Processes and services

You can manage processes by some nice "native" Linux commands:

system-config-services
chkconfig
service
pstree
ps aux
top

Users and accounts

If you have multiple users on the system (you should have at least two! i.e. you and root), use strong passwords (test them with John the Ripper, "sudo yum install john") for each user and use root as seldom as possible (use sudo if you need to run something as root). Read /etc/passwd regularly to look for irregularities, e.g. duplicate users (UIDs), and also keep the /etc/sudoers file correct. Useful commands to check users are: "w" (who is logged in), "last" (who has logged in recently), "lastb" (who failed to log in recently).
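
One way to automate the /etc/passwd check described above, as an added example that is not part of the original HowTo. Besides duplicate UIDs it goes a little further and also flags extra UID 0 accounts, empty password fields and duplicate login names; the function names, the output labels and the sample accounts are made up for this illustration.

```sh
#!/bin/sh
# audit_passwd [FILE]: report irregularities in a passwd-format file
# (default /etc/passwd). Output labels are made up for this example.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                     # skip comments, blank lines
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        {
            seen[$1]++                              # login names
            n[$3]++                                 # accounts per UID
            who[$3] = (who[$3] == "" ? $1 : who[$3] "," $1)
            if ($3 == 0 && $1 != "root") printf "UID0 %s\n", $1
            if ($2 == "")                printf "EMPTYPW %s\n", $1
        }
        END {
            for (u in n)    if (n[u] > 1)    printf "DUPUID %s %s\n", u, who[u]
            for (l in seen) if (seen[l] > 1) printf "DUPNAME %s\n", l
        }
    ' "${1:-/etc/passwd}" | sort
}

# Constructed sample data (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ole:x:500:500:Ole:/home/ole:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest::501:501:Guest:/home/guest:/bin/bash
backup2:x:500:500:clone of ole:/home/backup2:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp"      # prints one finding per line for the sample
rm -f "$tmp"
```

Run without an argument it reads /etc/passwd; empty output means none of these irregularities were found.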


File access

A nice trick is to use find to keep control over files that have "loose" file permissions:

# locate world-writable files (skips /proc, sticky directories such as /tmp, and symlinks)
# -perm /mode is the current spelling of the older -perm +mode
sudo find / -path /proc -prune -o -perm /o=w ! \( -type d -perm /o=t \) ! -type l -print
# locate SUID and SGID files
sudo find / -xdev -type f -perm /ug=s
#locate device special files
sudo find / \( -type b -o -type c \) -ls
sudo find /dev -type f ! -name MAKEDEV

Traffic analysis

If you wonder what kind of network traffic is aimed at you or is sent from you, "tcpdump" and "ethereal" can be useful. I have not yet been able to get airsnort, for wireless sniffing, to work with the built-in wireless card.


Secure communication

Using OpenSSH is useful when communicating, e.g. with "sftp", "ssh" or "scp". When using SSH it is recommended that you do not use the less secure SSH-1 protocol, and it is also smart to disable root login. Disabling password authentication is also smart, if you bother handling ssh keys. I have my keys securely stored on a USB dongle. This and other things can be altered by editing "/etc/ssh/sshd_config".
Another useful secure communication channel is TLS/SSL. Here stunnel can be worth looking into.
For secure mail exchange I use GPG (open source version of the famous Zimmermann signature/encryption tool PGP). If you use Thunderbird for mail there is an easy to use GUI plugin that can handle GPG keys, signatures, and encryption called enigmail. Just find the plugin for your current Thunderbird version and install it through Thunderbird.
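
A small check for the three sshd_config settings mentioned above (SSH-1 off, no root login, no password authentication), as an added example that is not part of the original HowTo. The function names and sample files are made up here; it assumes the whitespace-separated "Keyword value" form, and it reports an unset keyword as well because the built-in default depends on the OpenSSH version.

```sh
#!/bin/sh
# sshd_value KEYWORD FILE: first value set for KEYWORD in the global section.
# sshd keeps the first value it reads; keywords are case-insensitive.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }           # conditional blocks start here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit
        }
    ' "$2"
}

# check_sshd_config FILE: print the keywords that differ from the advice
# above (or are unset) and return non-zero if there are any.
check_sshd_config() {
    findings=""
    [ "$(sshd_value Protocol "$1")" = "2" ] || findings="$findings Protocol"
    [ "$(sshd_value PermitRootLogin "$1")" = "no" ] ||
        findings="$findings PermitRootLogin"
    [ "$(sshd_value PasswordAuthentication "$1")" = "no" ] ||
        findings="$findings PasswordAuthentication"
    echo "${findings# }"
    [ -z "$findings" ]
}

# Constructed samples (not a real host's configuration).
sample_weak() {
    cat <<'EOF'
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
EOF
}
sample_hardened() {
    cat <<'EOF'
protocol 2
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

tmp=$(mktemp)
sample_weak > "$tmp";     check_sshd_config "$tmp" || echo "-> needs attention"
sample_hardened > "$tmp"; check_sshd_config "$tmp" && echo "-> ok"
rm -f "$tmp"
```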

Nice everyday programs

Here I list some programs available in Linux that I have found very useful in everyday operation of my Linux laptop. It is a mixture of GNOME and KDE applications. I run all of them successfully in my GNOME desktop environment, with of course all the KDE dependent packages installed by yum. (It would be fine if GNOME and KDE could cooperate more; then I think Linux as a desktop system would be superior on the PC market.)

Links

Todo!


© 2004 Ole Martin
