Filesystem capabilities are supposed to be an improvement over simply running something as the root user. The idea is that you identify the specific special powers a program needs and then give it the ability to do only those special powers. Unfortunately, capabilities have become very complicated, with some individual capabilities being used to grant so many special powers that they might as well just be the root user after all.
In particular, kernel developers who create new powers don't always know of which capability that power should be a part, so any given capability can end up providing either too much or too little power to the program.
Michael Kerrisk recently began an effort to document some basic guidelines to help developers figure out which capability would best house any particular new power. For example, “Don't choose CAP_SYS_ADMIN if you can possibly avoid it!” Apparently CAP_SYS_ADMIN has become a huge dumping ground for powers of all sorts, falling prey to the might-as-well-be-root syndrome.
Unfortunately, Casey Schaufler pointed out some POSIX history that led to poor decisions being made early on, regarding how to organize filesystem capabilities. For example:
Everyone involved was looking to use capabilities to meet B2 least privilege requirements in NSA security evaluations. Because those evaluations were of security policy, by far the easiest thing to do was to create a single capability for all the things that didn't show up in the security policy and declare that the people doing the evaluation didn't have to look over there.
Ultimately, my guess is that filesystem capabilities will have to be replaced by some kind of non-POSIX solution that's better thought out, but what that might look like remains an open question.
The fbdev drivers have been on the chopping block for quite a while now, as the DRM framework has been trying to replace them for years. But whenever anyone tries to get rid of those last straggling fbdev drivers, Geert Uytterhoeven or someone else always asks the same question: “Can DRM be used to create extremely simple display drivers?” And, the answer is always “Yes, absolutely! Not right now, but soon!” At which point Geert or someone else vetoes the expurgation, and the process begins again some months later.
But, this time it turned out, as Daniel Vetter noted, DRM has indeed advanced to the point of being able to produce those simple drivers right now. The community had heard the objections, and the community had answered. It took a little while, this time, for that to become clear, partly because Geert had gone through the rejection ritual so many times in the past that it had become an ingrained habit.
But once the truth finally became clear, Geert withdrew his objections, and now it looks as though the last few remaining fbdev drivers soon will be history—or at least, the remaining obstacles are no longer absolute deal-breakers.
This has been a long time coming, and the DRM folks have had to endure a lot of frustration in the process, so there was much ringing of bells when the path was cleared at last.
One thing that's no fun is when the CPU itself contains security holes. It's a real pain to discover that certain opcodes leak crucial information, because it essentially means that those opcodes never should be used. They're just wasted transistors, taking up space on the chip.
Paolo Bonzini recently wanted to disable several CPU instructions for KVM, such as the SGDT and SIDT opcodes, which he said could leak kernel addresses into userspace. Once leaked, those addresses could be used to defeat certain security measures, such as address layout randomization.
So, that's happening. Meanwhile, folks like Liang Z Li have offered to help lock down those issues.
Everyone wants to support USB type C, the new USB connector that works right side up and upside down. And, Heikki Krogerus of Intel recently posted some patches to support this. There was quite a bit of discussion and review of the patch, and enough problems arose that Greg Kroah-Hartman took a deeper look at the code. The patch turned out to have so many deep structural problems that Greg insisted that Heikki take the code back to Intel and have the engineers there give it a thorough going-over before Greg even would agree to look at it again.
So, that was harsh. Nobody likes to hear that their code is so bad that the upstream maintainer won't even look at future versions unless the downstream maintainers stage some sort of intervention. But, that's what happened.
Ultimately, USB type C support will be coming sooner rather than later. There's a lot of motivation to support it, given its popularity in the real world. I would imagine that the Intel engineers already are much closer to a proper patch.
It feels weird to mention a Microsoft product in Linux Journal. But to be honest, there are some cool things coming out of the Microsoft Garage (www.microsoft.com/garage). One of those things is “Next Lock Screen”, which is an Android app that brings interactive tools to the lock screen.
This concept isn't revolutionary, but with Next Lock Screen, it's done very well. It's possible to launch apps, interact with messages and get customized notifications all without unlocking your phone. Do you prefer to have your calendar events on your lock screen? Done. Want to control your music? Done. Again, nothing here is really new; it's just integrated and customizable in a way that takes a bunch of good ideas and repackages them into a slick lock screen. You also can get the Bing wallpaper on your lock screen, which is pretty cool, because honestly, the Bing photo of the day is almost always incredible.
If you're not afraid to try an app developed by Microsoft, I urge you to check out Next Lock Screen. It makes a locked phone far more useful! (I should add that enabling interaction on your lock screen does make it far less secure, so be careful as to which features you enable.) Check it out at the Google Play Store.
I love reading. Sadly, the 24 hours I get per day seems to be inadequate for the tasks I need to accomplish. That might change as my teenagers turn into college kids and then begin to start families of their own. For now, however, between drama class and basketball practice, it seems like it takes about 30 hours to accomplish a 24-hour day. Needless to say, I don't read as many books as I'd like.
Normally I take advantage of commute time to listen to audiobooks. That actually works quite well, and I'm able to read 30–40 books a year. Most of those books are fiction, but still, I'm grateful for audiobooks. Not long ago, I discovered a different sort of audiobook. I honestly have mixed feelings about the concept, but imagine if Cliff Notes and Audiobooks had a baby. That baby might be called “Blinkist”.
Blinkist is a company that condenses books into very short summaries. They are available via text (for Kindle and the like), but for me, the professionally narrated audio versions are really what work best. Rather than reading an audiobook over the course of a week, I can “read” a book on the way to the grocery store. I'm shocked to admit, the summaries of entire books are surprisingly useful. For many books, the summary from Blinkist is enough. For some, the “blinks” make me want to read the entire book. That means although it's not a 100% replacement for reading, it adds value (and knowledge) to my life.
There is a three-day free trial that allows you to read as many books as you like. I urge you to give it a try. After the three days, you can either default to the free account, which allows you to listen (or read) one pre-chosen free book a day, or opt for a paid subscription. For text-only “blinks”, it's $50/year. For unlimited text and audio “blinks”, it's $80/year. Thankfully, three days is enough time to figure out if it's something you find worth buying.
Thanks to its cool way of fitting more information into our over-busy lives and its handy mobile app for “blinking” on the go, Blinkist gets the Editors' Choice award this month. If nothing else, check out the free trial at www.blinkist.com. You can read a surprising number of books in three free days!
With Linux, it's fairly easy to find the large files on your system by doing something like this:
du -ahx / | sort -rh | head -20
Unfortunately, Windows users don't usually have equivalent tools. That's where something like WinDirStat comes into play. It's a file browser that uses incredible GUI elements to show you the files on your system with file size shown as rectangles. Big files are shown as big rectangles, and their file types are specified by color. It's a great visual way to sort your filesystem and get rid of (or at least find) extremely large files.
If you use Windows on a regular basis, but seem to have a shrinking hard drive, I urge you to download WinDirStat to get real-time statistics on your filesystem. It's open source and, of course, free to download at https://windirstat.net.
Let's dig back into some chemistry software to see what kind of work you can do on your Linux machine. Specifically, let's look at Jmol, a Java application that is available as both a desktop application and a web-based applet (jmol.sourceforge.net).
You can use Jmol to help analyze the results you get from other software packages that actually calculate the chemical effects you are researching. It can read in dozens of different file formats, and you can use it to visualize everything from small molecules to huge macromolecules, like proteins. You also can visualize crystals and orbitals. You even can visualize animated events, such as chemical reactions and molecular vibrations.
Most Linux distributions should have Jmol available within their package management repositories. For example, you can install it on Debian-based distributions with this command:
sudo apt-get install jmol
If you want to use the latest and greatest version, download it from the main project website. The download comes as a simple zip file containing everything you need to run Jmol. You also will need to install a Java virtual machine in order to run Jmol.
If you installed Jmol from the package manager, you probably will have a script available that will make running Jmol easier. If you install it from the binary zip file, you will need to run it manually by calling Java and using the JAR file as a command-line option.
When you first start Jmol, you'll see a blank screen, ready for input. Across the top is a series of icons allowing for easy access to the key functions available within Jmol. If you already have data files to analyze, you can use them. Otherwise, you may need some sample files in order to play with the functionality available.
The binary distribution doesn't include any sample files in order to save on download bandwidth; however, several sample data files are available from the main website. You can get the entire set by downloading a snapshot of the source files. In the examples for the rest of this article, I'm using several of the sample data files available from the source snapshot download.
The simplest example is just to load a data file and see what it looks like. Figure 2 shows what you get when you load the sample file Jmol-datafiles/gaussian/phenylnitrine.g94.out.
The data display is an interactive one. Using your mouse, you can click and drag the molecule to rotate it around to see all of the details.
The Display menu item provides a number of options to play with the molecule. The Atom menu item allows you to change how much of the van der Waals force field to show. The Bond menu item shows how thick to make the bonds between atoms. With these two options, you can tailor the display so that the appropriate amount of detail is shown. The Label menu item allows you to add either symbols, names or atomic numbers to the atoms within the molecule.
Near the bottom of the Display menu, there is a check box for whether hydrogen atoms are displayed within the display of the molecule.
While I'm talking about how to affect the display of the molecule, I should mention that the View menu item provides a number of presets on how to line up the molecule. So, with a single click, you can view the molecule along any of its axes.
Jmol also can display animations of events, along with static images. The animations subdirectory contains several examples that you can play with. When you load it up, you start with a static image of the molecule as before.
Within the icon bar at the top of the window, there are a series of buttons at the far right-hand side that allow you to step through the frames of the animation frame by frame. If you want to see the full animation, there's a set of options under the Tools→Animate menu item. Here, you can go through the animation once, or you can put it on a loop.
You can even use a mode called Palindrome that goes forward through the animation and then backward. That way, you need to calculate only one half of the motion, yet you still are able to visualize the entire range of the motion.
Several more analysis tools are available. Clicking the Tools→Spectra→JSpecView menu item pops up a new window. Under the File menu item, you'll find options to add extra files, or do H1 or C13 simulations. You can select Tools→Measurements to measure the distance between atoms within your molecule, and you can set the units used for those measurements with the Tools→Distance Units menu item. You actually can edit the molecule after it is loaded too.
If you click the icon button with the hover-over description “Open the model kit”, you'll get a small set of drop-down items on the top left side of the display window. It allows you to delete atoms, move bonds around or even change the atom species at specific locations.
If you have some type of analysis that you need to repeat several times, Jmol supports the addition of macros. Macros are just simple text files that contain a set of Jmol instructions. If you save them in the ~/.jmol/macros directory, Jmol will pick them up and provide them within the Macros menu item.
The language for the macros is the same one used for Jmol's scripting capabilities. This scripting language is based on that of RasMol, with some minor changes. There is a full language reference available at chemapps.stolaf.edu/jmol/docs.
You also can use scripts interactively by clicking the File→Script Editor menu item. This pops up a new window where you can write your script, check its syntax and then run it within Jmol. This provides a huge amount of power, allowing you to get the exact type of analysis you need.
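As an added illustration (not a script from the article or the Jmol project), here is a Jmol script that reproduces, in one repeatable file, the display, label, measurement, orientation and export steps described above for the Figure 2 sample file. It assumes the sample file path is reachable from Jmol's working directory, that atoms 1 and 2 are a bonded pair worth measuring, and that it is run from the Script Editor or with the script command; the output filenames are placeholders.

```jmol
# Added example script, not from the article. Assumes the sample file below
# exists relative to Jmol's working directory and that atoms 1 and 2 are bonded.
# Run it from File->Script Editor, or with:  script "phenyl_report.spt"

# 1. Load the same Gaussian output shown in Figure 2 of the article.
load "Jmol-datafiles/gaussian/phenylnitrine.g94.out"

# 2. Display settings (what the Display->Atom and Display->Bond items do):
#    bond radius in angstroms, van der Waals radius as a percentage,
#    standard CPK element colouring.
select all
wireframe 0.15
spacefill 25%
color cpk

# 3. Label heavy atoms with their element symbol (%e) and hide hydrogens,
#    like the hydrogen check box near the bottom of the Display menu.
select not hydrogen
label %e
select hydrogen
hide selected

# 4. Measurement: report the distance between atoms 1 and 2 in angstroms
#    (Tools->Measurements and Tools->Distance Units in the GUI).
set measurementUnits angstroms
measure (atomno=1) (atomno=2)

# 5. Orient the view along the x axis (like the View menu presets) and enlarge.
reset
rotate x 90
zoom 120

# 6. Export a static image and save the state so the analysis can be resumed
#    later (File->Export->Export Image and File->Export->Write State).
write IMAGE 800 600 PNG "phenylnitrine_view.png"
write STATE "phenylnitrine_session.spt"
```

Saving the file under ~/.jmol/macros makes the same sequence available from the Macros menu, so an identical analysis can be rerun on every new data file.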
Once you've done your analysis, several output options are available. The File→Export menu item gives you four options. You can select Export Image to save a static image in one of several image file formats.
Because Jmol also operates as a Java applet, you can select Export to Web Page to generate a web page that you then can use within your own website to share your research results.
If you want a higher-resolution image of a molecule, you can select Render in POV-Ray to use the POV-Ray external program to render a high-quality 3D image.
The last export option is Write State, which saves the current workspace so that you can reload it later and continue your analysis. There also is an extra output option under Tools→Gaussian that pops up another window. Here you can set several options for a Gaussian input file that you can then use to run further simulations of your molecule.
With these tools, you easily can share your research results with others and build on the work you are doing.
I recently wrote about my “perfect tea”-steeping device. It's nothing more than a plastic mug-shaped device that has a sieve built in for straining tea leaves after the steeping process is complete. I use it every day. Really. And compared to the tech pieces I normally write in Linux Journal, that little UpFront blurb garnered me quite a few emails asking for details. It also got me a few messages explaining that brewing tea in a plastic cup was an unforgivable sin. One email, however, did make me think. I was asked about my Breville One Touch Tea Maker.
For Christmas (or a birthday?) a few years back, my incredible wife bought me a $250 tea maker. The One Touch treats making tea a bit like making coffee. You put the tea leaves into a basket, and the brewing process is automatic. The cool part is that it makes the water the perfect temperature and steeps the leaves for the exact right time depending on the type of tea you're making. And you know what? It makes the best tea I've ever had. Seriously. It makes tea noticeably better than any other method I've used. And yet, I rarely use it. Why?
It turns out that although the One Touch isn't exactly difficult to clean, it does take some effort. That's frustrating. The real gotcha, however, is that I don't drink the entire pot of tea quickly enough, and even though the One Touch keeps tea hot for an hour, I find myself heating cold tea in the microwave. It is possible to make a smaller batch of tea, but if you're going to go through the hassle of brewing a pot of tea, why wouldn't you make a full pot? So most of the time I use my One Touch pot to heat water, and then brew tea in the plastic steeper. It's crazy.
My Breville One Touch has been instrumental in my thinking when it comes to tech purchases, and I wish I'd learned its lesson sooner. My PlayStation 4 Pro? I actually find the PS3 is just as fun and a fraction of the price. My rackmount Xeon ESXi server? The few Raspberry Pi servers I have are actually more useful and flexible. Heck, even my fancy new F-150 pickup isn't half as fun as my 43-year-old Volkswagen Beetle.
So what did my $250 tea maker teach me? Marketing and popularity aren't what make things great. It's a lesson I should have learned years ago, because Linux is free, and yet it's the operating system that brings me the most joy!
There is only one success—to be able to spend your life in your own way.
When a thought is too weak to be expressed simply, it should be rejected.
—Marquis de Vauvenargues
Do something. If it doesn't work, do something else. No idea is too crazy.
The most profound statements are often said in silence.
The most potent muse of all is our own inner child.