Monday, August 11, 2008

The War Against Tedium In The GUI

(Reproduced from The Furtive Penguin)

Extend Your Context Menu With Nautilus-Actions

In a recent post I extolled the virtues of the command line. Today I want to suggest a tip for avoiding GUI tedium. I know that many people argue that the 'average user' is comforted by uniformity in the appearance of the desktop apps that he/she uses. We are all supposed to prefer using ONE app for the same task on a recurring basis. Personally I crave both variety and easy access to it.


Nautilus is a redoubtable file browser and I have nothing but admiration for it. Occasionally though I may want to use 'Thunar' or 'Endeavour' or marvel at the concentric ring analysis of my current file usage that 'Filelight' provides. On these occasions its nice to have simple context menu access to the appropriate app. Thanks to the wonder of 'Nautilus-Actions' this is easy to arrange.


In order to duplicate this setup you will need four packages:- thunar, filelight, endeavour2 and nautilus-actions. If you are using Ubuntu they can all be downloaded via synaptic or apt-get.


Once the nautilus-actions package has been installed you will find an icon in System --> Preferences called Nautilus Actions Configuration. Click on it and click 'Add". If you want to add the programs listed above to your right context menu simply ensure that the three configuration panels in the 'Add a New Action' panel look like the screenshots below.






Repeat three times, once for each package, and if all goes well ( difficult to see why it wouldn't ) your context menu should look something like this :-




Now you can browse folders and subfolders with four different filebrowsers simultaneously and all from the comfort of your context menu. An exercise in futility? Perhaps, but it all helps in the war against monotony on the desktop. Of course there are many other ways in which the nautilus-actions package can be used to customize the desktop, many of them no doubt, much more useful than the above.


In conclusion it should be pointed out that filelight isn't really a filebrowser, more of a sophisticated and aesthetically pleasing disk usage analyzer. But since it will let you drill down into directories and open many types of file it almost does the job. Here's a screenshot for anyone who may not be familiar with it:-





Protect Your Files and Folders with Chattr and Lcap

(Reproduced from The Furtive Penguin)

A recurring theme in the endless series of "Is Linux Ready for the Desktop?" articles is the proposition that using the Bash shell is too complex for the average user. The underlying assumption being that the "average user" is only capable of clicking buttons in a GUI and will be confused beyond all hope of recall if he/she has to type a couple of syllables in a terminal. I believe that this is every bit as false as it is insulting. Heres the truth:-

The bash shell is:-

1. Easy

2. Fun

The specific purpose of this article is to introduce the chattr command and the LCAP utility. Both of these tools are easy to master and of considerable use to any linux user who wishes to protect vital files or folders. Let's suppose that your computer and user account are shared. Perhaps you allow the kids to use it from time to time to play godawful online flash-based games. The day will inevitably come when they decide to explore the contents of your home folder and just as inevitably they will want to experiment with the right-click context menu. How can you prevent an orgy of "accidental" file deletion and protect your vital work or finance-related folders?

Most distro's come with chattr installed by default. Lcap will need to be installed independently, though if you use Ubuntu it is available in the repositories. Simply fire up synaptic and search for "lcap". If you are using another distro packages are available from the following sources.

packetstorm

caspian.dotconf.net

Now we will set the immutable bit on the files that we wish to protect. Files or folders with the immutable bit set cannot be moved, deleted, renamed or appended to. They are immutable and consequently safe from the ravages of the juvenile hordes. So, how does it work? Open a terminal. Firstly you will need to su to root on most linux distro's. On Ubuntu, of course you would use the sudo command and issue your admin password when requested. Heres the full command:-

chattr +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr +i /some/file/or/folder

This command effectively sets the immutable bit on your selected file or folder. If you want to make a folder and all its contents immutable, do this:-

chattr -R +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr -R +i /some/file/or/folder

To remove the immutable bit you simply issue the following command:-

chattr -i /some/file/or folder OR ( on Ubuntu )

sudo chattr -i /some/file/or/folder

What could be simpler?

If on the other hand you seek protection from a slightly more sophisticated threat, perhaps from someone with whom you share a computer who also knows your administrative password, you might resort to using lcap. Lcap removes from the superuser the capability to set or unset the immutable bit ( amongst other things ). If you summon lcap with no arguments you will be presented with a list of capabilities, we are primarily interested in CAP_LINUX_IMMUTABLE. To remove root's ability to set or unset this bit, do the following:-

lcap CAP_LINUX_IMMUTABLE

Below are some shots of the terminal before and after issuing this command. You will plainly see that the asterisk after CAP_LINUX_IMMUTABLE is missing from the second shot denoting that this capability has been successfully removed from the superuser. But dont worry this is not irreversible! It can only be reversed however, by rebooting the system.

Before

After


OK so this is not foolproof but it does provide a fair degree of protection and should be sufficient to safeguard against any but the most determined and knowledgeable vandals. Anyone seeking further information about chattr or lcap should consult the appropriate man pages or the links provided on this article's linkslist page. Hope someone finds this helpful.



Share And Protect

(Reproduced from The Furtive Penguin)


Access Controls With ACL and Eiciel

Traditionally Unix-based systems have dealt with the issue of sharing access to files and folders by tweaking group permissions. As the numbers of new Linux adopters grows in the wake of the Dell and Walmart initiatives perhaps it is time to publicize a more intuitive ( and GUI based ) option. Linux is designed from the ground up to be a multi-user system and family machines are likely to have more than one user account if only to keep the kids from 'accidentally' deleting important files. But what if you want to share certain resources amongst all users on a system? The easiest solution is to create a 'shared' folder in the /home directory and manage access using ACL's.

To do this you need to issue the following command as root:-

mkdir /home/shared

or sudo mkdir /home/shared ( if you are using Ubuntu )

If you are reasonably confident that no adverse security consequences will result you can make this folder world-writable thus:-

chmod 666 /home/shared

or sudo chmod 666 /home/shared ( Ubuntu )

If you want some other user ( besides root ) to own this folder, lets say 'userone', you would do the following:-

chown userone /home/shared

or sudo chown userone /home/shared ( Ubuntu )

Now in order to give you fine-grained control over the contents of this folder and generally make the whole thing work as intended we need to install two packages and tweak one configuration file. The packages in question are 'acl' and 'eiciel', On an Ubuntu system these can be installed with the following commands ( or via Synaptic if you prefer to use the GUI ):-

apt-get install acl

apt-get install eiciel

The 'acl' package gives you access to two commands, 'getfacl' and 'setfacl' which allow you to view and set access control lists at the command line. The 'eiciel' package adds a new tab to the 'properties' view in Nautilus which essentially does the same thing in the GUI. See screenshot below:-

Access Control List Tab in the Nautilus Properties Dailog Box

As you can see this panel allows me, the owner, ( userone ) to grant usertwo read, write or execute permissions on a per file basis. Consequently you can add files to your shared folder with confidence. Each file can have its own individualized user profile and no one need have more permissions than they need or can be trusted with. At the same time everything in the folder can be made readable by all users on the system.

In order to make this work there is one more essential step. You need to edit a system file called /etc/fstab.( BE CAREFUL! Back it up first in case of disaster. ) You will need to open an editor and insert 'acl' in the appropriate place. See 'before' and 'after' example below:-

BEFORE

/dev/hda1 /boot ext3 defaults 0 2 #size=100

/dev/hda2 none swap sw 0 0 #size=250

/dev/hda3 / ext3 defaults,errors=remount-ro 0 1 #size=remaining

/dev/fd0 /floppy auto defaults,user,noauto 0 0

/dev/cdrom /cdrom iso9660 defaults,ro,user,noauto 0 0

proc /proc proc defaults 0 0

AFTER

/dev/hda1 /boot ext3 defaults 0 2 #size=100

/dev/hda2 none swap sw 0 0 #size=250

/dev/hda3 / ext3 defaults,errors=remount-ro,acl 0 1 #size=remaining

/dev/fd0 /floppy auto defaults,user,noauto 0 0

/dev/cdrom cdrom iso9660 defaults,ro,user,noauto 0 0

proc /proc proc defaults 0 0

Insert 'acl' in the line that refers to the partition you want to use access control lists on and reboot. When your machine restarts you will be able to use eiciel in the GUI ( or 'getfacl' and 'setfacl' from the command line ) to set up acl's.

And thats all there is to it! I hope someone finds this helpful.