Running with Ubuntu GNU/Linux


1 Introduction

Ubuntu is often believed to be bloated and slow, and users are recommended to install other distributions like Arch Linux if they want to have a 'lean' system. This belief is mistaken. Ubuntu can provide a very good mix of leanness and convenience.

This page is a beginner's guide on how to install and set up such a system. It's based on my own preferences and notes.

I used 14.4 for testing to write this, but everything should work with versions 12.4 and later. If it changes then I will update it.

2 Install

2.1 Picking the right installer

Ubuntu media come in two forms: desktop and server. The desktop installer doesn't offer many options. We'll be getting the server image from:

I recommend getting the latest release. The system can be upgraded to a new release fairly easily.

2.2 Before Proceeding

As always, back up important data and find some room for a new install. If you have any kind of special setup not covered here (such as UEFI or PPPoE), you should either read about it carefully before installation or have another Internet-capable device nearby.

2.3 Boot options

Once you've booted the install media, you will have access to additional options through the function keys F1-F6.

Some to consider are:

  • Expert mode: Enabling this gives more options in the installer. You shouldn't need most of the options, but one that's interesting is that you can choose to have a separate /home partition, or separate /home, /usr, /var, and /tmp partitions. Having separate partitions can sometimes be useful. On the other hand, it's annoying if you run out of space on one of them.
  • Install a minimal system: Enabling this will install a slightly smaller system (1.1G normally, 1G with 'minimal').
  • Free software only: If you enable this, the installer won't add the multiverse and restricted software repositories.

Select 'Install Ubuntu Server' and press Enter to boot into the installer.

2.4 Some installation options

The installer will ask you some simple questions.

After setting up a user, it will ask you if you want to encrypt the users' home directories. The method used seems rather inconvenient. I recommend saying no here.

When partitioning disks, the installer will ask you what partitioning method to use. I strongly recommend picking encrypted LVM. This will encrypt all partitions except /boot.

The weakest part of the encryption will be your passphrase. Read carefully and pick a good one.

The installer will ask you if you want automatic security updates. This is a good idea and it's easy to toggle it later if you change your mind.

Next is the software selection. Leave everything unchecked unless you actually want it.

The system will install and then reboot.

3 Post-install

3.1 Using tmux

Log in as the user you created. Tmux is very useful for managing terminals. It's already installed; all you need to do is, well… run 'tmux'.

If you've never used it before, Control-b ? (usually written as: C-b ?) will bring up the keybindings.

3.2 Firewall

It's not a bad idea to immediately enable the firewall:

sudo ufw enable
sudo ufw default deny outgoing
sudo ufw allow out 80/tcp
sudo ufw allow out 443/tcp
sudo ufw allow out to <DNS SERVER IP HERE> port 53

This will drop all incoming connections, and all outgoing connections except HTTP, HTTPS and DNS queries to your resolver. You should add rules here only as required.

If your DNS server was set automatically through DHCP or PPPoE, you can find it with:

cat /etc/resolv.conf
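
If resolv.conf lists more than one nameserver (or an IPv6 one), it is easy to open the port-53 hole for only the first. The following added script (my example, not part of the original guide) reads a resolv.conf-style file and prints the matching ufw command for every resolver; the resolv.conf content in it is a constructed sample, and nothing is applied to the firewall.

```shell
#!/bin/sh
# Added example (not from the guide): generate the "allow out ... port 53"
# rule for every resolver listed in a resolv.conf-style file, so the DNS
# exception in a default-deny-outgoing policy covers exactly the servers
# in use. The commands are printed, not applied; the sample file is constructed.

# Nameserver addresses from file $1, one per line; comments and other
# directives (search, options) are ignored.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# One ufw command per resolver, in the same form the guide uses.
dns_rules() {
    list_nameservers "$1" | while read -r ns; do
        printf 'sudo ufw allow out to %s port 53\n' "$ns"
    done
}

# Constructed stand-in for /etc/resolv.conf.
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# Constructed sample; a real file is usually written by DHCP or resolvconf
search example.lan
nameserver 192.0.2.53
nameserver 2001:db8::53
options timeout:2
EOF

dns_rules "$SAMPLE_RESOLV"
# prints:
#   sudo ufw allow out to 192.0.2.53 port 53
#   sudo ufw allow out to 2001:db8::53 port 53
```

Run it against the real file with `dns_rules /etc/resolv.conf` and paste the output. If the file lists a loopback address such as 127.0.1.1, a local forwarder is in front of the real resolvers and the outbound rule has to name those upstream servers instead.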

3.3 Setting apt defaults

Open /etc/apt/apt.conf for editing:

sudo apt-get install zile
sudo zile /etc/apt/apt.conf

and add

APT::Install-Recommends "0";
APT::Install-Suggests "0";

This will make apt-get not consider recommended and suggested packages as dependencies. It will still print what it recommends installing every time you install a package through apt-get, so you'll need to consider what you actually need.

3.4 Updating

The packages that came on the install media are probably outdated. It's important to update to the latest versions:

sudo apt-get update
sudo apt-get dist-upgrade

It's not a bad idea to reboot after this.

3.5 World un-readable

By default, anyone can read files that users create. This is for compatibility with services like HTTP servers, but if you're not using those it's possible to slightly increase security by making your files accessible only to you.

First, make sure only you have access to your home directory:

chmod -R go-rwx ~

Then open ~/.bashrc and put

umask 077

at the end. This makes it so newly created files can't be accessed by other users.
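
To see exactly what the two steps above change, here is an added example (mine, not from the guide) that creates files under the default umask and under 077 in a scratch directory, then applies the same recursive chmod and checks that nothing is left accessible to group or other. It assumes GNU stat and find, which is what Ubuntu ships.

```shell
#!/bin/sh
# Added example (not from the guide): watch what "umask 077" and
# "chmod -R go-rwx" do to permission bits, inside a scratch directory.
# Uses GNU stat/find (the Ubuntu defaults). Everything here is constructed.

# Octal permission bits of a path, e.g. 644.
mode_of() {
    stat -c '%a' "$1"
}

# Create one file and one directory under umask $2 inside directory $1 and
# print "<file mode> <dir mode>". The subshell keeps the umask change local.
create_under_umask() {
    (
        umask "$2"
        : > "$1/file"        # created with 0666 & ~umask
        mkdir "$1/dir"       # created with 0777 & ~umask
        printf '%s %s\n' "$(mode_of "$1/file")" "$(mode_of "$1/dir")"
    )
}

# List every entry under $1 that grants any bit to group or other; empty
# output means the tree is private to its owner.
group_or_other_accessible() {
    find "$1" -perm /077
}

# What the guide's "chmod -R go-rwx ~" does, applied to an arbitrary tree.
lock_down_tree() {
    chmod -R go-rwx "$1"
}

SCRATCH=$(mktemp -d)
mkdir "$SCRATCH/default" "$SCRATCH/strict"

# Ubuntu's default umask is 022: new files are world-readable.
create_under_umask "$SCRATCH/default" 022    # 644 755
# With umask 077 nobody else gets anything; no chmod is needed afterwards.
create_under_umask "$SCRATCH/strict" 077     # 600 700

# Files that already exist still need the one-off chmod from the guide.
echo "before: $(group_or_other_accessible "$SCRATCH/default" | wc -l | tr -d ' ') accessible entries"
lock_down_tree "$SCRATCH/default"
echo "after:  $(group_or_other_accessible "$SCRATCH/default" | wc -l | tr -d ' ') accessible entries"
```

The `find ~ -perm /077` check is worth keeping around: run it after the chmod and again a few weeks later, since anything unpacked by an archiver that preserves permissions, or created before the umask line was in ~/.bashrc, will show up there.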

3.6 Tracking /etc

It's a good idea to keep track of what happens in /etc. etckeeper is a wrapper around version control systems that does this:

sudo apt-get install etckeeper git

etckeeper defaults to the Bazaar VCS (bzr), but I chose git because it's what I know best. We need to uncomment the git line by removing the # in front of

VCS="git"

in /etc/etckeeper/etckeeper.conf

and also comment out the other one with

#VCS="bzr"

Had you installed bzr, it would have initialized etckeeper automatically, but with other VCSes you have to do it yourself:

sudo etckeeper init

etckeeper will auto-add and commit everything in /etc every time you add or remove packages through apt-get. Let's try it out by installing a fancy git tool!

sudo apt-get install tig

Now you can run

cd /etc && sudo tig

to browse the changes in /etc.

3.7 X.Org

It's time to install X.Org:

sudo apt-get install xserver-xorg xinit i3 rxvt-unicode

Open ~/.xinitrc and add

exec i3

Now start it:

xinit -- -nolisten tcp

Setting up X was painful for a long time. Every time I do this and it just works I feel like I'm living in the future.

This should start up X.Org with the i3 window manager. After you accept the default settings you should have a blank screen.

Press WinKey-Enter twice (usually written as: M-Return, M for meta) to open two terminals. Then press M-S-Down (S = shift, Down = the down arrow) to rearrange the terminal layout.

If you haven't used i3 before, read the man page for more keybindings and then experiment. It's a very useful window manager.

The status bar just displays which workspace we're on, which isn't very useful and wastes space. Let's comment it out at the end of ~/.i3/config:

#bar {
#        status_command i3status
#}

Since we're there let's also add another keybinding:

bindsym $mod+b border toggle

Now if you reload i3 by pressing M-S-r the statusbar should disappear.

Pressing M-b will toggle the decorations for the focused window, which is useful for saving screen space.

3.8 ranger & ncdu

While using bash and coreutils is fine, at some point you'll probably want a more specialized interface for managing files. One such interface is ranger.

ncdu is an ncurses interface to du, the disk usage utility. It makes it very easy to see what's eating up disk space.

sudo apt-get install ranger ncdu

In ranger, press ? to bring up the help and man page.

3.9 Firefox

Let's install Firefox:

sudo apt-get install firefox

The firefox package comes with an AppArmor profile, so let's take care of that before starting Firefox for the first time.

3.10 AppArmor

Normally, an application running under a user id is able to do anything that user can do. AppArmor is a Linux kernel security module that additionally restricts individual programs. An AppArmor profile for a program lists all the files and capabilities the program is allowed to use; anything not on the list is denied and logged. For example, it's possible to restrict a PDF reader so it can only read files with the .pdf extension, and deny write and network access altogether (for some reason this is an exercise left to the reader, however). AppArmor implements so-called Mandatory Access Control (MAC). It's not the most sophisticated MAC framework, but it is probably the most convenient to use.

Ubuntu comes with AppArmor enabled; all we need to do is install the extra profiles and switch them to enforce mode:

sudo apt-get install apparmor-profiles apparmor-utils
cd /etc/apparmor.d/
sudo find . -maxdepth 1 -type f -exec aa-enforce '{}' \;

You can check that the profiles are enforced by running:

aa-status
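
The PDF-reader restriction described above (read .pdf files only, no writes, no network) is easy to write down once you know the profile syntax. The following is an added example of mine, not a profile shipped with Ubuntu or the zathura package: a shell function writes such a profile for zathura (the PDF viewer recommended further down), and two small checks confirm what it attaches to and that no rule grants write access. The binary path /usr/bin/zathura and the plugin directory /usr/lib/zathura are assumptions; confirm them with `which zathura` and `dpkg -L zathura` before installing the file.

```shell
#!/bin/sh
# Added example, not an Ubuntu-shipped profile: the PDF-reader restriction
# the text describes (read *.pdf only, no writes, no network), written as an
# AppArmor profile for zathura. Binary and plugin paths are assumptions.

# Write the profile to the path given as $1.
write_pdf_reader_profile() {
    cat > "$1" <<'EOF'
# Hypothetical profile for /usr/bin/zathura (added example)
#include <tunables/global>

/usr/bin/zathura {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # No network access at all. Deny rules win over allow rules, and "deny"
  # also keeps the attempt out of the log.
  deny network,

  # The binary and its rendering plugins (plugin path assumed).
  /usr/bin/zathura mr,
  /usr/lib/zathura/*.so mr,

  # Documents: only the user's own files ending in .pdf, read-only.
  owner @{HOME}/**.pdf r,

  # Its own configuration, read-only. Nothing under HOME is writable, so
  # zathura cannot save history either; that is the point of the exercise.
  owner @{HOME}/.config/zathura/** r,
}
EOF
}

# Name of the program a profile file attaches to (the line ending in "{").
profile_attachment() {
    awk '/^\/.* \{$/ { print $1 }' "$1"
}

# Number of path rules that grant write ("w") permission; a read-only
# profile must report zero.
write_rules() {
    grep -cE '^[[:space:]]*(owner[[:space:]]+)?[/@][^#]* [a-z]*w[a-z]*,' "$1" || true
}

PROFILE=$(mktemp)
write_pdf_reader_profile "$PROFILE"
echo "profile attaches to: $(profile_attachment "$PROFILE")"
echo "rules granting write: $(write_rules "$PROFILE")"

# To try it on a real system (all commands come from apparmor-utils):
#   sudo cp "$PROFILE" /etc/apparmor.d/usr.bin.zathura
#   sudo aa-complain /etc/apparmor.d/usr.bin.zathura   # log denials, don't block yet
#   ... open a few PDFs with zathura, then review what it actually needed:
#   sudo aa-logprof
#   sudo aa-enforce /etc/apparmor.d/usr.bin.zathura
```

Start in complain mode rather than enforce mode: the abstractions above cover libraries, fonts and the X socket, but a real binary usually wants a few more paths (locale data, shared-mime-info, its plugin directory), and aa-logprof shows exactly which ones were hit without the viewer failing silently in the meantime.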

3.11 More Firefox

Now that we've enabled the AppArmor profile for Firefox, it's time to start and configure it.

Press M-2 to switch to the second workspace, press M-d to bring up dmenu, type in firefox and press enter to run it.

Open the preferences and press M-w to switch to a tabbed layout.

Type in about:blank as your home page.

We can take some simple precautions to help avoid being tracked by corporations and agencies on the web:

On the Privacy tab, select 'Use custom settings for history', then set 'Accept third-party cookies' to 'Never' and 'Keep until' to 'I close Firefox'. Check 'Clear history when Firefox closes', click Settings and check all the options except 'Saved Passwords'. Uncheck the two 'Remember…' options above.

While we're here, go to Advanced > Data Choices and uncheck the health and crash reporters.

One of the best things about firefox is how many addons there are for it. Here are some I recommend

These are only the most basic tweaks. Firefox is a beast.

3.12 Youtube sans flash

YouTube is entertaining and sometimes even useful. Browser plugins, on the other hand, are a terrible idea, and HTML5 doesn't always work. Fortunately there's a way around these problems:

sudo apt-get install mplayer youtube-dl

We can now download and play videos:

youtube-dl -f 18 http://www.youtube.com/watch?v=UdfY25gDjK8
mplayer Richard\ Stallman\ signs\ my\ laptop\ and\ removes\ Windows\ 8\ license-UdfY25gDjK8.mp4

It used to be possible to play videos directly without saving them by using youtube-dl -g, but Google now returns HTTPS URLs and mplayer only understands HTTP.

Despite the name, youtube-dl supports quite a few video sites.

3.13 GTK2 appearance

The default look of GTK is not the best. The easiest way to change it is to install and run lxappearance.

sudo apt-get install lxappearance gtk2-engines
lxappearance

3.14 apt-file

It's often useful to know which package a file came from. apt-file is a tool for searching for files in packages.

sudo apt-get install apt-file
sudo apt-file update

As a test we can look for packages that come with AppArmor profiles:

apt-file search '/etc/apparmor.d'

3.15 Other software

Some recommendations:

  • lyx: a WYSIWYG editor that exports to LaTeX (and so to PDF and DVI). For writing everything from letters to books. Especially useful for anything science-y.
  • emacs: an editor that's also a web browser, video editor, spreadsheet, IRC and mail client,…
  • gimp: raster graphics editor
  • audacity: audio editor
  • ffmpeg: very capable command-line video/audio editor
  • irssi: IRC client
  • zathura: PDF viewer
  • djview4: DJVU viewer
  • mutt: IMAP/SMTP email client
  • feh: minimal image viewer
  • rtorrent: minimal torrent client

4 grsecurity

4.1 Why and how

grsecurity is a patch for the Linux kernel that provides many additional security features, including its own MAC framework. It is not part of the mainline kernel (at the moment), so it has to be installed manually.

Is it necessary? Good question. But building a kernel is fun and you should do it at least once.

4.2 Building the Linux kernel

We'll need some tools:

sudo apt-get install build-essential libncurses5-dev gcc-4.8-plugin-dev
mkdir ~/src
cd ~/src

Go to

https://www.kernel.org/

and download the latest kernel source. Grab the matching grsecurity patch and gradm from

https://grsecurity.net/download.php

Download the key and signatures, and let's verify the downloads:

gpg --import spender-gpg-key.asc
gpg --verify grsecurity*.patch.sig grsecurity*.patch
gpg --verify gradm*.tar.gz.sig gradm*.tar.gz

and the Linux kernel source too (keyservers live on port 11371):

sudo ufw allow out 11371/tcp
gpg --recv-keys 6092693E
xz -cd linux-*.tar.xz | gpg --verify linux-*.tar.sign -

gpg will complain that the keys aren't trusted; deciding whether to trust a key is a tricky affair in its own right.

tar xf linux-*.tar.xz
cd linux*
patch -p1 < ../grsecurity*.patch
make menuconfig

At this point you will get a menu system with many options, and you should look over them carefully. Since we've patched in grsecurity, you should enable it under Security Options, or it's all for naught. Prominent options you may want to disable are the various hotplugging features and IA32 emulation.
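
Forgetting to switch grsecurity on is only discovered after a long build, so it is worth checking the generated .config before running make. The script below is an added example of mine (not part of the guide or of grsecurity): it checks a .config for the options the paragraph above calls out. CONFIG_GRKERNSEC and CONFIG_IA32_EMULATION are real Kconfig symbols; the two .config fragments in the script are constructed samples, a good one and a bad one.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a kernel .config after
# "make menuconfig" and before spending an hour on "make deb-pkg".
# CONFIG_GRKERNSEC / CONFIG_IA32_EMULATION are real Kconfig symbols; the
# sample .config fragments below are constructed.

# Return 0 if option $2 is built in ("=y") in config file $1.
kconfig_is_y() {
    grep -q "^$2=y$" "$1"
}

# Return 0 if option $2 is off: absent, "# ... is not set", or not =y/=m.
kconfig_is_off() {
    ! grep -q "^$2=[ym]$" "$1"
}

# Check the options the text calls out: grsecurity must be on, IA32
# emulation should be off. Prints one line per finding and returns the
# number of problems, so 0 means "go ahead and build".
check_config() {
    cfg=$1
    problems=0
    for opt in CONFIG_GRKERNSEC; do
        if kconfig_is_y "$cfg" "$opt"; then
            echo "ok:   $opt=y"
        else
            echo "FAIL: $opt not enabled (the grsecurity patch is doing nothing)"
            problems=$((problems + 1))
        fi
    done
    for opt in CONFIG_IA32_EMULATION; do
        if kconfig_is_off "$cfg" "$opt"; then
            echo "ok:   $opt is off"
        else
            echo "WARN: $opt is still enabled"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed samples; on a real tree run: check_config ~/src/linux-*/.config
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# constructed .config fragment: grsecurity on, 32-bit emulation off
CONFIG_GRKERNSEC=y
# CONFIG_IA32_EMULATION is not set
EOF
cat > "$BAD_CFG" <<'EOF'
# constructed .config fragment: patch applied but never switched on
# CONFIG_GRKERNSEC is not set
CONFIG_IA32_EMULATION=y
EOF

check_config "$GOOD_CFG"
check_config "$BAD_CFG" || echo "fix the $? problem(s) above and re-run make menuconfig"
```

Extend the two `for opt in ...` lists with whatever else you decided on in menuconfig (the hotplug options you turned off, for instance) and the script becomes a record of your choices that survives the next `make menuconfig` on a fresh source tree.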

Once you're done, it's time to build the kernel:

make deb-pkg

If you have more than one core, you can parallelize the build process with -jN, e.g.:

make -j8 deb-pkg

Once it's done, you'll have fresh kernel packages in the parent directory. Install them with

sudo dpkg -i ../linux-*.deb

Reboot and select the new kernel in the boot loader menu.

4.3 It doesn't work

Your system didn't boot, or perhaps the keyboard isn't responding, or your sound card isn't detected. That's OK. It might take a couple of iterations to get everything working the first time. Try again.

Author: Denis Volk

Created: 2014-05-01 Thu 15:48

Emacs 24.3.1 (Org mode 8.2.4)
