Sunday, April 02, 2006

Fun SuSE 10 Advanced Desktop Hacks

I've been attempting to use Linux exclusively for my personal desktop for about a year now, and it has gone surprisingly well (when I don't go without sleep and accidentally reformat my entire freakin' drive, that is). I've learned a few nifty hacks along the way that have made my life inside of KDE that much sweeter. Such as:

You can allow Linux to use WINS for native hostname resolution (like what Windows machines would do if you have a directory server) by installing samba-winbind and hacking /etc/nsswitch.conf to have the following line:
hosts: files lwres dns wins

and then restarting nscd. Since your WINS server is responding to your computer from a broadcast message you may have to open UDP ports 1100 to 1200 on your firewall config; responses are sent back to those ports with NetBIOS.

EDIT: Ports 1100 to 1200 are conservative - in actuality NetBIOS sends back on a somewhat random (but seemingly incremental) UDP port between 1000 and 4000. That means you actually have to open ports 1000 to 4000 for UDP wholesale - which of course major league sucks for security. However, it appears even Windows Firewall has to do this - talking to the local security expert I found that Windows Firewall briefly opens up this port range during NetBIOS queries. Ugly design? Hell yeah.

You can automatically mount/unmount remote directories and file shares upon login, using pam_mount. This adds functionality kinda like Windows' "mapped drive," except it uses Linux' central authentication mechanism and your mounted drive can be absolutely anything you want (NFS, Samba, a local file system, etc). First, change /etc/pam.d/xdm to have
auth optional pam_mount.so use_first_pass
session optional pam_mount.so

Next, modify /etc/security/pam_mount.conf to add your mount point. For example, I want to have users' individual shares on my file server automatically map to their Documents directory in KDE. To do that, all I need to add to my pam_mount.conf is:
volume * smb fileserverhostname & ~/Documents uid=&,gid=users - -

Things are then automatically mounted/unmounted as they log in to and log out of KDE.

I like to allow passwordless logins for two accounts. Both of them have very restrictive access, and both are basically set up in kiosk mode. Since the accounts themselves are pretty locked down, I don't need to worry about someone walking up and using the account. That's pretty much what they were designed for.

SuSE by default, however, has a special "local" configuration in SuSE 10 that you can't override using their admin tools in order to skip local password authentication in KDE's login manager. To do so, you need to edit /etc/opt/kde3/share/config/kdm/kdmrc and remove the sections [X-:0-Core] and [X-:0-Greeter]. You can then use KDE's Control Center to administer the login manager and allow passwordless logins.

For some reason that completely fails me, SuSE doesn't allow users to share devices by default. This means if you use KDE's "Switch User" functionality the second person logged on won't be able to connect to your sound device.

To remedy this, modify /etc/logindevperm. You'll see the octal mask for file/device permissions in the second column, along with a list of devices in the third. By default everything is allowed to run only with single user permissions, but for things like sound we want to open it up for everyone. Change the file to have 0666 permissions on devices you want to open up, such as:
:0 0666 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
:0 0666 /dev/sequencer:/dev/sequencer2:/dev/music
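
One way to review the file after this change, as an added example that is not part of the original post: a small Python parser for the three-column logindevperm layout described above that lists every device node whose mode grants access to all users, so you can confirm only the sound devices were opened up. The 0600 and 0660 sample lines and the function names are constructed for illustration.

```python
import stat

# Constructed sample in the layout the post describes:
# console, octal mode, colon-separated device list.
SAMPLE = """\
# console  mode  devices
:0 0600 /dev/fd0:/dev/fd1
:0 0666 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
:0 0666 /dev/sequencer:/dev/sequencer2:/dev/music
:0 0660 /dev/video0
"""


def parse_logindevperm(text):
    """Yield (console, mode, [devices]) for each non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(fields)}")
        console, mode, devices = fields
        # int(..., 8) raises ValueError on a non-octal mode column
        yield console, int(mode, 8), [d for d in devices.split(":") if d]


def world_accessible(text):
    """Return {device: 'r' | 'w' | 'rw'} for entries that grant access to 'other'."""
    findings = {}
    for _console, mode, devices in parse_logindevperm(text):
        bits = ""
        if mode & stat.S_IROTH:
            bits += "r"
        if mode & stat.S_IWOTH:
            bits += "w"
        if bits:
            for dev in devices:
                findings[dev] = bits
    return findings


if __name__ == "__main__":
    # To audit the live file instead, pass open("/etc/logindevperm").read()
    for dev, bits in sorted(world_accessible(SAMPLE).items()):
        print(f"{dev}: other={bits}")
```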
