FreeBSD as a Host for Windows XP using VirtualBox

Posted in FreeBSD Tutorials on December 1st, 2009 by admin

Although I mostly use FreeBSD to perform many tasks, it can also be useful to have access to Windows binaries. Multiple choices are available: emulation, dual booting and virtualization. I personally dislike wine since it is not capable of running every binary, and even the ones it can emulate sometimes need hard tweaking to get them to work correctly. Dual booting is not an option for me because I want to be able to run FreeBSD and Windows binaries simultaneously. For those reasons I prefer to use VirtualBox to get a full Windows operating system. It may seem like a waste of resources, but by now virtualization is easily supported by most modern computers.
I already see people ready to burn me with remarks like “Don’t be stupid, there is an open source solution for what you need!”. That’s mostly true, but there are many reasons to want to use a particular piece of closed source software, including compatibility issues or company restrictions to some software, and this debate is not the point of this post. :P

As usual we start with the compilation of the port. Don’t forget to activate the “Enable Guest Additions” option on the config screen; we will use this later:

# cd /usr/ports/emulators/virtualbox && make config-recursive install clean

To be able to use VirtualBox, we need to configure a few things on our system, starting with loading a kernel module:

# kldload vboxdrv

That is enough if you want to use VirtualBox once, but I assume you want to use it regularly, so get the module loaded at boot by adding this line to /boot/loader.conf:

vboxdrv_load="YES"

VirtualBox will also need to have the proc filesystem mounted.
Edit /etc/fstab:

proc /proc procfs rw 0 0

and mount this new entry:

# mount /proc

Last step is to add yourself and the users you want to be able to use VirtualBox to the vboxusers group:

# pw groupmod vboxusers -m lioks

We are now ready to use VirtualBox:

% VirtualBox

Now create a new virtual machine, specifying the type of the OS you are about to install (i.e. Windows XP).
Set the memory size you want it to have, and create a new virtual hard drive.
I chose “Dynamically expanding storage” as my hard drive type; it allows the virtual drive to expand on the real hard drive as you need more space in your virtual machine. The maximum size you set for the disk will be used by the guest OS to determine the virtual size of this disk.

You should by now have a new machine available on the side menu of VirtualBox, right-click on it and go to the settings menu. In the CDROM/DVDROM option you can attach to this machine a cd/dvd drive or an iso file.
I’ll skip the Windows installation steps since there is almost no human intervention needed :P

Once your fresh Windows XP is up and running in your box, click on the Devices menu and select Install Guest Additions.
Follow the instructions (Windows-style :p) and reboot your virtual machine.
These additions will provide you with video drivers which allow you to have a real resolution, full-screen mode, the possibility to integrate windows from your guest OS in your host OS and a smooth focus switching.

You can also set up access to directories in your host OS using the Devices->Shared Folders menu; they will appear in your guest Windows XP as network folders.

That’s it, now you should not have any problem installing and using software like Office or Visual Studio. I did not have to configure anything to get the network to work properly; it was working just fine the first time I launched my new virtual machine :)

You can even launch your virtual machine without using the VirtualBox interface:

% VBoxManage startvm "vm name here"

I had a bunch of screenshots for this tutorial but I can’t manage to find where I put them, so I hope you will find what you need without visual support ;)
(I will upload them if I ever find them again…)
See you.


Installing Firefox plugins in FreeBSD (and yes, even flash and java are working)

Posted in FreeBSD Tutorials on November 5th, 2009 by admin

I often hear from people who don’t use FreeBSD that it’s an operating system only dedicated to server/production purposes.
In a way, yes, FreeBSD is not as user-friendly as popular Linux distributions and it’s sometimes hard to get what you want working the way you want, but I don’t think that people who use FreeBSD would be satisfied with an apt-get everything_you_need-any-version ;)
Computers are now expected to browse the web correctly, allowing you to watch YouTube videos, play Flash games and be flooded by plugin-based ads.
Of course, FreeBSD can!

You must have Mozilla Firefox installed:

# cd /usr/ports/www/firefox35 && make config-recursive install clean

Since some of the plugins use Linux emulation, we have to install it and get it running:

# cd /usr/ports/emulators/linux_base-f10/ && make config-recursive install clean

If you don’t have the linux kernel module loaded, linux_base-f10 won’t build:

# kldload linux

You also have to get it loaded every time you start your computer by adding this line to /etc/rc.conf:

linux_enable="YES"

Since we will need it later, let’s mount the linux proc filesystem at boot time.
Add this line to /etc/fstab:

linproc /usr/compat/linux/proc linprocfs rw 0 0

A reboot is not needed to mount the Linux proc filesystem:

# mount /usr/compat/linux/proc

Second step is to install nspluginwrapper, a tool that helps you link plugins to your current browser (i.e. firefox):

# cd /usr/ports/www/nspluginwrapper && make config-recursive install clean

OK, let’s start with Flash Player 9. I have also tested Flash 10 and it was working for me, but I prefer Flash 9 for some retro-compatibility issues.
First we have to install it from the ports:

# cd /usr/ports/www/linux-flashplugin9 && make install clean

I have Mplayer already installed with a large bunch of options activated (I’ll maybe cover it in a future post), that’s why I want to install the mplayer plugin.
Although most of the videos on Internet are in flv (flash) format, there are still some exotic format videos and mplayer will play them:

# cd /usr/ports/www/mplayer-plugin && make config-recursive install clean

If you don’t want to be asked to download each time you open a link to a pdf, the Linux version of Adobe Reader supports a plugin which allows embedded viewing of pdf files in Firefox.
For some reason I was unable to get acroread9 working with Firefox, so let’s install acroread8:

# cd /usr/ports/print/acroread8 && make install clean

librsvg is an open source SVG rendering library which (probably) gives Firefox better handling of SVG graphics, but I cover this plugin’s installation only because I like to read the funny description in about:plugins ;)

# cd /usr/ports/graphics/librsvg2 && make config-recursive install clean

The Java plugin can also be useful, but compilation of this port is long and painful.

# cd /usr/ports/java/jdk16 && make config-recursive install clean

As you can see, the FreeBSD ports system neither fetches nor builds this port!
Due to license restrictions, you will have to manually fetch almost every needed file, and even create an account on the Sun website to be able to get them all. :P
Here is the list of the files I had to download manually and move to /usr/ports/distfiles/:

http://www.java.net/download/jdk6/6u3/promoted/b05/jdk-6u3-fcs-src-b05-jrl-24_sep_2007.jar
http://www.java.net/download/jdk6/6u3/promoted/b05/jdk-6u3-fcs-bin-b05-jrl-24_sep_2007.jar
http://www.java.net/download/jdk6/6u3/promoted/b05/jdk-6u3-fcs-mozilla_headers-b05-unix-24_sep_2007.jar
http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd7-i386-1.6.0_07-b02.tar.bz2

from http://java.sun.com/javase/downloads/index.jsp:

tzupdater-1_3_18-2009k.zip

from http://www.eyesbeyond.com/freebsddom/java/jdk16.html:

bsd-jdk16-patches-4.tar.bz2

nspluginwrapper will now link all the plugins it finds with your user’s specific Firefox plugin folder, so you have to run it as each user you want to be able to access the new plugins:

% nspluginwrapper -v -a -i
% nspluginwrapper -i /usr/local/Adobe/Reader8/ENU/Adobe/Reader8/Browser/intellinux/nppdf.so

The second line is needed because nspluginwrapper didn’t find the Adobe Reader plugin.

Unfortunately, nspluginwrapper was unable to link the Java plugin so I created a symlink:

% ln -s /usr/local/jdk1.6.0/jre/plugin/i386/ns7/libjavaplugin_oji.so ~/.mozilla/plugins/

(Re-)start firefox3 and you should be able to list all those plugins by entering about:plugins in the navigation bar.

Oh, I almost forgot it, but I encountered a strange problem using libflashplayer.so: Flash wasn’t working properly (no sound on some machines and no Flash at all on some others), and by checking the needed dependencies with Linux ldd I noticed that the Flash library is unable to find libssl.so.5.
Checking in /usr/compat/linux/lib/, libssl.so.0.9.8g is present though, and symlinking it as libssl.so.5 just doesn’t work. :P
In desperation I copied it:

# cp /usr/compat/linux/lib/libssl.so.0.9.8g /usr/compat/linux/lib/libssl.so.5

And it works! Another mystery of Linux compatibility, I guess… ;)

Enjoy!


Mounting usb drives / iso images in FreeBSD without root privileges

Posted in FreeBSD Tutorials on November 2nd, 2009 by admin

Mounting USB devices is a common task and many systems take care of it without the user’s intervention.
Under FreeBSD you can use hald (Hardware Abstraction Layer daemon), which uses D-Bus objects for each device and mounts your USB devices automatically, but you can also do it directly with the mount command.

Connect your device and take a look at the last 10 lines of the system message buffer:

% dmesg | tail -n 10

You should see something like this:

da0 at umass-sim0 bus 0 target 0 lun 0
da0: <JetFlash TS8GJFV10 8.07> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 7799MB (15974398 512 byte sectors: 255H 63S/T 994C)

The name of the device node and the label may vary, but we can see here that a USB device named JetFlash TS8GJFV10 8.07 is connected to my machine and referenced as da0.
The next step is to mount the first partition (slice) of the device on your filesystem (i.e. on a directory):

# mount -t msdosfs /dev/da0s1 /mnt

The -t option specifies the type of the filesystem to mount: for a FAT flash drive use msdosfs, for an NTFS hard drive specify ntfs, and so on. For more information about exotic filesystems, take a look at the mount(8) manpage.
The data on your drive can now be accessed in your filesystem through /mnt.

Reverting the process is quite easy:

# umount /mnt

Mounting iso files can be a bit more tricky: you have to create a virtual device attached to an iso image and mount it using the mount command:

# mdconfig -a -t vnode -f ~/file.iso -u 1
# mount -t cd9660 /dev/md1 /mnt

The first line creates a device node linked to ~/file.iso in /dev named md1.
The second line is a classic mount command specifying a cd9660 filesystem, the filesystem used by cdrom/dvdrom drives.

When you have finished using your iso file, you can unmount the device, but don’t forget to destroy the virtual device:

# umount /mnt
# mdconfig -d -u 1

OK, now you can mount USB drives or iso images, but you have to perform the mount operation as root using su or sudo.
It can be useful to create a group of users able to mount USB and virtual devices:

# pw groupadd mounters

You can now add the users you want to be able to mount to this group:

# pw groupmod mounters -m lioks

Edit /etc/devfs.rules to add these new device rules:

[localrules=10]
add path 'da*' mode 0660 group mounters
add path 'md*' mode 0660 group mounters

… and rc.conf to add this ruleset:

devfs_system_ruleset="localrules"

The last thing to do is to tune your kernel to allow any user to use the mount command:

# sysctl vfs.usermount=1

To have this done each time you start your system, add the following line to /etc/sysctl.conf:

vfs.usermount=1

Done! The next time you log in as a user who is a member of the mounters group, you should be able to use USB devices (and iso images) without any root privileges.
Don’t forget to make sure you have read/write permissions on the target directory :P
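
The devfs rules above select device nodes with shell-style globs. The following added example (not part of the original post) lists which nodes the two rules would re-permission; the node names passed in are constructed, with da0 standing for a SCSI/SAS system disk and da1 for the USB stick.

```sh
#!/bin/sh
# Added example: list which device nodes the `add path` rules of a devfs
# ruleset would re-permission.
# Assumes the rule shape used on this page:
#   add path 'GLOB' mode MODE group GROUP

# devfs_matches RULES_FILE NODE...  -> prints "node mode group" per match
devfs_matches() {
    rules_path=$1; shift
    for node in "$@"; do
        while read -r verb kind pattern k1 mode k2 group; do
            # Skip the [ruleset] header and anything not in the assumed shape.
            [ "$verb $kind $k1 $k2" = "add path mode group" ] || continue
            pattern=${pattern#\'}; pattern=${pattern%\'}   # drop the quotes
            case $node in
                $pattern) echo "$node $mode $group" ;;     # glob match
            esac
        done < "$rules_path"
    done
}

# Constructed sample: the ruleset from this page, written to a temp file.
ruleset_file=$(mktemp)
trap 'rm -f "$ruleset_file"' EXIT
cat > "$ruleset_file" <<'EOF'
[localrules=10]
add path 'da*' mode 0660 group mounters
add path 'md*' mode 0660 group mounters
EOF

# Made-up node list: ad0/cd0 are untouched, every da* and md* node matches.
devfs_matches "$ruleset_file" ad0 da0 da0s1a da1 da1s1 md1 cd0
```

Because da* matches every da(4) node, a system disk that attaches as da0 becomes readable and writable by the whole mounters group, so compare the output with the disks actually present on the machine.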


Enabling and securing sshd in FreeBSD

Posted in FreeBSD Tutorials on November 2nd, 2009 by admin

sshd is the Secure Shell Daemon and allows a user to gain a remote shell on a remote machine.
Unlike telnet, it allows one to exchange data in a secure way over the internet or a private network.
Although it’s often configured for simple password authentication, it can also be set up for a stronger security mechanism by using RSA/DSA keypairs.

First you need to generate your client’s personal keypair using ssh-keygen:

% ssh-keygen

After asking you for a passphrase for these keys, ssh-keygen places them by default in ~/.ssh/:
- ~/.ssh/id_rsa.pub is your public key and can be used by anyone to encrypt data
- ~/.ssh/id_rsa is your private key and is needed to decrypt data encrypted with the public key

Now we can configure sshd on the machine you want to gain remote access.
All these modifications must be made on /etc/ssh/sshd_config:

PasswordAuthentication no

This should be set to no, since we want RSA key + passphrase authentication.


PermitEmptyPasswords no

If you want to use password authentication instead of public keys, for obvious reasons, you REALLY should set this to no…


ChallengeResponseAuthentication no

This will disable FreeBSD built-in PAM authentication (but not password-based authentication).


PermitRootLogin no

It’s really a bad habit to log in as root on a machine, especially over ssh, because you want to be able to log/audit users’ activity.
A better way is to give some people the privileges they need using groups or login classes and/or sudo.


Protocol 2

You must restrict connections to SSHv2 because SSHv1 is now considered obsolete due to MITM vulnerabilities.


X11Forwarding no

Since I don’t need to forward X11 traffic, I like to disable it because it can make the client vulnerable to X11 attacks.
If this is a concern to you, more information can be found in the sshd_config(5) and ssh_config(5) manpages.


AllowUsers ...
AllowGroups ...
DenyUsers ...
DenyGroups ...

Last but not least, these powerful options allow you to manually specify who can log in or not by user/group names.
If you plan to accept very few ssh connections, I strongly recommend that you use these options. Additional security is always welcome…
These options are processed in this order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

Now simply copy the public keys (id_rsa.pub, remember?) of your clients into the authorized_keys file; by default it should be ~/.ssh/authorized_keys, ~ being the home directory of the user they want to log in as.
Then add the following line to /etc/rc.conf to enable sshd at startup and reboot your host machine:

sshd_enable="YES"

Your clients can now remotely get a shell on your machine, but they must possess the private key associated with the public key in authorized_keys and the passphrase. Needless to say, it’s way more secure than simple password authentication.
One more thing about rsa/dsa keys: only give them if you are sure of the identity of the receiver and please, by a more secure way than mail ;-)
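
To check that a host's /etc/ssh/sshd_config really carries the settings listed above, here is an added example (not part of the original post) that audits a config file against that list. The sample file is constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: audit an sshd_config file against the tutorial's settings.

# Print the global value of keyword $2 in file $1 (nothing if unset).
# Keywords are case-insensitive, keyword and value may be separated by
# whitespace or '=', and the first value read for a keyword wins. Lines
# after a Match line only apply conditionally, so parsing stops there.
sshd_value() {
    awk -F '[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        $0 == "" || /^#/ { next }               # skip blank lines, comments
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print one FINDING line per keyword that is unset or differs from the
# tutorial's value. Returns 0 when the file matches the list, 1 otherwise.
audit_sshd_config() {
    findings=0
    for want in "PasswordAuthentication no" "PermitEmptyPasswords no" \
                "ChallengeResponseAuthentication no" "PermitRootLogin no" \
                "Protocol 2" "X11Forwarding no"; do
        key=${want% *}; expected=${want#* }
        actual=$(sshd_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FINDING: $key is '${actual:-unset}', expected '$expected'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample, not a real host's configuration.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
Protocol 2
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding=no
ChallengeResponseAuthentication no
Match User backup
    PermitEmptyPasswords no
EOF

audit_sshd_config "$sample" || echo "settings differ from the tutorial's list"
```

On the sample, the later "PasswordAuthentication yes" is ignored because the first value wins, while PermitRootLogin and the Match-only PermitEmptyPasswords are reported. On a live host, sshd -T prints the effective configuration and can be compared against the same list.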


How to have X at startup on FreeBSD using xdm

Posted in FreeBSD Tutorials on November 2nd, 2009 by admin

This may be obvious for most Un*x users but this is a question I’m asked so frequently…

If you don’t have Xorg already installed, it may be a good idea to start by installing it:

# cd /usr/ports/x11/xorg && make config-recursive install clean

The FreeBSD ports system will take care of building and installing the needed dependencies. Using the config-recursive target asks the ports system to bring up all the dependencies’ config menus before starting any compilation.
This should work smoothly, but sometimes there is still a config menu that config-recursive did not find, so don’t be surprised if one pops up in the middle of the dependencies’ compilation.

Once X is built and installed, let’s try to auto-generate an xorg.conf file and start X with this brand new conf:

# Xorg -configure
# Xorg -config /root/xorg.conf.new

If you can see that the X server is running, then move this working xorg.conf to its default location and give startx a try:

# mkdir -p /etc/X11/
# cp /root/xorg.conf.new /etc/X11/xorg.conf
# startx

You should now see twm, a very basic window manager. For some reason, on my machine my mouse and keyboard were disabled and I had to add this to my xorg.conf to get them running properly:

Section "ServerFlags"
Option "AllowEmptyInput" "false"
EndSection

I personally dislike twm and I want to use fluxbox as my window manager:

# cd /usr/ports/x11-wm/fluxbox && make install clean
# echo "exec startfluxbox" > ~/.xinitrc

startx looks in the user’s home folder for this .xinitrc to know which window manager you want to use.
Using startx, you should be now in the fluxbox window manager (good bye twm).

Your X server is up and running a nice window manager, but you want more !
I’m a lazy guy and typing startx& ; exit after each boot is too much for me, so let’s install xdm:

# cd /usr/ports/x11/xdm/ && make install clean

Just like startx, xdm looks for a file in the user’s home directory, named .xsession, to know which window manager you want launched after authentication:

# echo "exec startfluxbox" > ~/.xsession

This will add fluxbox for the root user; don’t forget to create one in each user’s home directory specifying the WM that user wants to use.

The last step is to activate the preconfigured tty in /etc/ttys.
In this file you should see a line like this one:

ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Simply change it to look like this:

ttyv8 "/usr/local/bin/xdm -nodaemon" xterm on secure

And that’s it, reboot your computer and you should see a nice (?) X window prompting you for your login & password and launching your favorite window manager once authenticated.
