apt-get is a command-line package handling utility while aptitude is a high-level interface to the package manager. There isn’t much difference between the two except aptitude will remove unused package dependencies automatically whereas with apt-get you have to do it manually. Neither removes dependencies as that would cause problems. Dependencies are packages that are depended on by other packages. You don’t want to remove them.
To remove unused packages with apt-get use
sudo apt-get autoremove
With aptitude there is nothing to do as it’s automatic.
Tags: apt-get, aptitude, Debian, Ubuntu
Posted by Hans-Henry Jakobsen
I’m running Debian Etch because I prefer the stable Debian package tree. This is all great but the software is a little outdated compared to other distributions like Ubuntu. That is where backports come in. Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever it is possible) on a stable Debian distribution. They recommend you to pick out single backports which fits your needs, and not to use all backports available here.
Using backports is simple
deb http://www.backports.org/debian etch-backports main contrib non-free
apt-get update
You might get a error message
Reading package lists... Done W: GPG error: http://www.backports.org etch-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8E8B2116BA136C W: You may want to run apt-get update to correct these problems
This message comes on Debian Etch because you haven’t imported the backports keyring. It’s easily fixed by running the command
apt-get install debian-backports-keyring
apt-get -t etch-backports install nmap
It is important to remember that if you forget to tell apt-get that nmap is installed from backports and run another apt-get install nmap it will remove my backports package.
A simple solution to this is to use pinning
Edit /etc/apt/preferences, the file has to be created if you haven’t used pinning before
Package: nmap Pin: release a=etch-backports Pin-Priority: 999
Now the system “remembers” that nmap is installed from the backports repository and you don’t have to worry about it anymore, nice.
Source: http://www.backports.org/
Tags: apt-get, backports, Debian, Etch
Posted by Hans-Henry Jakobsen
sudo apt-get install totem-xine libxine1-ffmpeg libdvdread3
sudo /usr/share/doc/libdvdread3/install-css.sh
After you have done the above excercise, insert a DVD into your drive. Totem will open and the movie will be played.
Posted by Hans-Henry Jakobsen
Many simple exploits that are used against machines, (via vulnerable PHP applications or local users, etc), rely upon being able to execute commands in /tmp. If this is a seperate partition or file system you can gain some protection by marking it non-executable. The common problem with this is that apt-get fails to work with such a setup.
When you mount a partition there are many flags that can be used, two interesting ones are:
noexec nosetuid
(A full list can be read as part of man mount).
The two flags are explained fully in the man page for mount, but briefly:
Mounting filesystems with these flags set raises the bar a little, but it doesn’t stop files from being executed. The Linux linker and loader will permit binaries to be run:
# Make /tmp non-executable root@earth:~# mount -o remount,noexec /tmp # Copy an executable into it root@earth:~# cp /bin/ls /tmp root@earth:~# chmod 755 /tmp/ls # Test it - the execution should fail. root@earth:~# /tmp/ls bash: /tmp/ls: Permission denied # But .. what's this? It still runs? root@earth:~# /lib/ld-linux.so.2 /tmp/ls Mail public_html # cleanup root@earth:~# rm /tmp/ls root@earth:~# mount -o remount,exec /tmp
With that in mind you might wonder what the point is? Well it foils any simplistic attack that relies upon putting a script in /tmp and running it. If they’ve got shell access they can probably figure it out, but an automated tool would be foiled – for the moment.
To make your system have a non-executable /tmp partition you must edit the way that it is mounted in the file /etc/fstab. Find the line that contains /tmp and change the defaults to read nosuid,noexec instead.
For example this is my updated /etc/fstab file:
/dev/sda3 /tmp ext3 noexec,nosuid 0 2
This will take effect the next time you mount the filesystem, you can do this now with:
mount -o remount /tmp
Very if it by running:
root@earth:/tmp# mount |grep /tmp /dev/sda3 on /tmp type ext3 (rw,noexec,nosuid)
The output line should contain the two words ‘noexec,nosuid’ in it. If this is in place then you’re covered.
The only problem now is that when apt-get upgrades your system it will sometimes place scripts inside the temp directory which will now not be executable.
The fix for this is to temporarily make the temporary directory executable before running apt-get and then remove the execution bits afterwards. This would be a troublesome thing to remember doing ourselves – but thankfully we can set it up to be automatic.
Add the following to the file /etc/apt/apt.conf:
DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";}; DPkg::Post-Invoke {"mount -o remount /tmp";};
In Debian Etch (4.0) the file is named /etc/apt/apt.conf.d/70debconf
This contains two lines, one running before any packing installation and one afterwards. They merely execute the commands required to add and remove the execute permissions on the /tmp
Source: http://www.debian-administration.org/articles/57
Tags: apt-get, Debian, fstab, mount, Ubuntu
Posted by Hans-Henry Jakobsen
This post describes how to install MaxMind Geo::IP perl module on Debian Etch.
You need the GeoIP C library (that includes also the free GeoLite Country database). This is fortunately available in the Debian repositories.
apt-get install libgeoip1 libgeoip-dev
To install the GeoIP perl module, we need to download the perl module locally from MaxMind or from CPAN. Uncompress the file and compile.
perl Makefile.PL make make test make install
Tags: apt-get, Debian, geoip, perl
Posted by Hans-Henry Jakobsen