This is my tech tips file


mkisofs, cdrecord, isoinfo, mount .iso

how to create an iso file from files and/or directories

mkisofs -R -r -v -o filename.iso filepath
-R means Rock Ridge (for Unix), or use -J for Joliet (Windows)
-r leaves permissions wide open for -R so the disc is actually readable
filepath/ will not appear in the iso file

how to "burn" an iso onto CDR

First use cdrecord -scanbus to determine the settings for the dev= argument... You can also try cdrecord dev=help

cdrecord -v speed=8 dev=0,4,0  -data  cd_image.iso
              		  |       |              -|-
                 or4     or1          .iso filename

how to list the contents of an iso file

isoinfo -f -R -i isofile.iso

how to mount an ISO image in Linux

mount -t iso9660 isofile.iso /tmp/iso -o loop

Mutt settings for using IMAP folders, setting From: address

# put these in .muttrc
# This ensures your return address has the right hostname
set hostname=""
#1.Tell mutt to use your IMAP INBOX as your $spoolfile:
set spoolfile={}INBOX
#2.Set your $folder to your IMAP root:
set folder={}imap
set imap_user=username
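# imap_pass is stored in plain text: keep .muttrc readable only by you (chmod 600),
# or leave it unset and mutt will prompt for the password
set imap_pass=whatever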
# This will prompt to save read messages into a dated folder e.g. 2002-10
set mbox=+`/bin/date +%Y-%m`
# for more info see

"sent" vs. "sent items"

mutt uses sent (by default?)
outlook (express) uses sent items

Apache, ServerName, VirtualHost, ServerAlias

Only use ONE ServerName in a given VirtualHost container.
Use ServerAlias if there is more than one name for the server

CDDB freedb lookup - here are the settings I use for kscd cddbp 888 - http 80 /~cddb/cddb.cgi

FreeBSD log_in_vain, ipalias, periodic, pkg_add, pkg_version

log connections to closed ports, watch for port scanning and stuff

sysctl -w net.inet.tcp.log_in_vain=1
sysctl -w net.inet.udp.log_in_vain=1
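
Once log_in_vain is on, the kernel messages can be summarised per source to spot a scan. This is an added example, not part of the original tips; it assumes the kernel's "Connection attempt to TCP|UDP dst:port from src:port" message format, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise log_in_vain entries per source address.
# Assumes the kernel message format
#   "Connection attempt to TCP|UDP dst:port from src:port [flags:0x..]"

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Oct 12 03:14:07 host1 /kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:40112 flags:0x02
Oct 12 03:14:07 host1 /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40113 flags:0x02
Oct 12 03:14:08 host1 /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40114 flags:0x02
Oct 12 03:14:08 host1 /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40115 flags:0x02
Oct 12 03:14:09 host1 /kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:53211
Oct 12 03:20:41 host1 sshd[7147]: Accepted publickey for alice from 203.0.113.9 port 50022
Oct 12 03:31:02 host1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.9:50301 flags:0x02
Oct 12 03:31:05 host1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.9:50302 flags:0x02
EOF
}

# scan_report THRESHOLD < logfile
# Prints "<source> <distinct closed ports> <attempts>" for every source that
# touched at least THRESHOLD distinct closed ports (default 3).
scan_report() {
    awk -v min="${1:-3}" '
    /Connection attempt to (TCP|UDP) / {
        # locate "attempt to", then: proto, dst ip:port, "from", src ip:port
        for (i = 1; i <= NF; i++) if ($i == "attempt" && $(i+1) == "to") break
        proto = $(i+2); dst = $(i+3); src = $(i+5)
        sub(/.*:/, "", dst)          # keep only the destination port
        sub(/:[0-9]+$/, "", src)     # drop the source port
        hits[src]++
        key = src SUBSEP proto "/" dst
        if (!(key in seen)) { seen[key] = 1; ports[src]++ }
    }
    END {
        for (s in ports) if (ports[s] >= min) print s, ports[s], hits[s]
    }' | sort
}

# Demo on the constructed sample; on a real host: scan_report 10 < /var/log/messages
sample_log | scan_report 3
```

A source that retries one port many times (the second address in the sample) stays below the threshold, because the count is of distinct ports rather than attempts.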

how to add an ip alias address on FreeBSD

host1# ifconfig fxp0 alias netmask 0xffffffff 
or netmask 
#use netmask of if on same network as existing ip/device

how to remove an alias address on FreeBSD

host1# ifconfig fxp0 -alias

periodic scripts- control with /etc/periodic.conf to suppress email output...use logging instead

cp /etc/defaults/periodic.conf /etc/periodic.conf
then change daily_output="root" to daily_output="/var/log/daily.log" and so on.

But on older systems (3.4 etc) there is no mention of periodic.conf, so just tweak the /etc/crontab like so...

# 2>&1 goes after the >> redirection so that stderr is logged too instead of being mailed by cron
59      1       *       *       *       root    periodic daily >>/var/log/daily.log 2>&1
30      3       *       *       6       root    periodic weekly >>/var/log/weekly.log 2>&1
30      5       1       *       *       root    periodic monthly >>/var/log/monthly.log 2>&1
Some systems have |sendmail root in the /etc/crontab AND recognize /etc/periodic.conf, in which case you should modify /etc/crontab and remove the | sendmail root string.

Tell pkg_add to use passive mode for ftp transfers (applies to fetch also)


Use pkg_version to grok the installed ports that are eligible for upgrade

pkg_version -c -v
This will show the commands you can use to upgrade all the ports. It isn't perfect (it doesn't take into account any dependencies) but it has worked for me a number of times. I usually just capture the output into a file and step through each port one-by-one. Be sure to cvsup ports-all before embarking!

Using pw(8) for user administration

Use the pw(8) utility to remove users instead of rmuser. pw userdel username will only remove the user from /etc/passwd, /etc/master.passwd and /etc/group
pw -r userdel username will also remove the user's home directory

expire a user account using pw(8) on freebsd

pw usermod -n username -e 10-10-2001

unexpire a user account using pw(8) on freebsd

pw usermod -n username -e ''

Quickly show what services are enabled via inetd

grep -v '^#' /etc/inetd.conf

ports / packages / versions / hurrah!

pkg_version -v -c # commands to upgrade each installed port/package
pkg_version -v # show the status of installed ports/packages

Printing tips

printing ascii multiple pages per sheet (2 in this example)

a2ps -E hostmap-209
or saved to a postscript file
a2ps -E hostmap-209

printing postscript multiple pages per sheet

mpage -2 -Plp   #2 pages per sheet
mpage -4 ...
to do the same directly from netscape, enter this for the "print command"
mpage -2 -Plp
also -O and -E complement each other for two-sided book-style printouts
 eg fold&staple booklets

cups - (printer administration)

Browse to http://localhost:631/

To set a default printer (must be done on the command line)
lpoptions -d printername
then send SIGHUP to the cupsd process id

General Linux tips

if a mount hangs

turn on portmap & nfslock

ipchains on linux

if you have the firewall at high security then NFS mounts won't work. here's how I fixed on redhat 7.1
-A input -s (ipaddress of NFS server) -d 0/0 -j ACCEPT

portmap is NOT needed for nfs mounts (client-side) only for nfs exports (server-side)
nfslock is NOT needed for client-side nfs mounting, but I could be wrong
exception - mutt would not work without nfslock running (rpc.statd)

CORRECTION 6/27/2002
portmap should be running for client-side or mount could hang
portmap & nfslock should be running for server-side

Here is the rule I used in /etc/sysconfig/ipchains that worked (put before any REJECT lines)
-A input -s (ipaddress of NFS server) -d 0/0 -j ACCEPT

monitor active connections on a server

# csh/tcsh loop: print the number of established connections once a second
while ( 1 )
  netstat -na | grep ESTA | wc -l
  sleep 1
end
or use systat -netstat

expire a user account on redhat (or see FreeBSD method above)

/usr/sbin/usermod -e 2001-10-01 username (or some date in the past)

unexpire a user account on redhat (or see FreeBSD method above)

/usr/sbin/usermod -e '' username

OpenSSH tips


fatal: buffer_get: trying to get more bytes than in buffer

This happens when you paste the public-key into authorized_keys2 and the single line becomes multiple lines. Use vi to join the lines or just paste from a better-equipped xterm. You can also scp .ssh/ target:.ssh/authorized_keys2 if no other keys are present in the target file.

dns and dig tips

bind-9 does not include named-xfer, but you can do the same thing with dig

dig @ axfr
or use
dig <zone> axfr +multiline

Using +multiline will ensure the zone's SOA record is more readable, by placing each value on a separate line (as most humans do).

find what version of bind is running on a host

dig version.bind chaos txt

if you see this type of message in the log

sshd[7147]: warning: /etc/hosts.allow, line 28: host name/address mismatch: !=
it means that
doesn't return the same ip returned by
dig -x
in other words, there is a forward/reverse resolution mismatch.
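
The forward/reverse comparison behind that warning can be run by hand for any IPv4 address. This is an added example, not part of the original tips; the names fcrdns, sample_dig and the DIG variable are hypothetical, and the two hosts in sample_dig are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS check for an IPv4 address.
# DIG names the lookup command; it defaults to the real dig.
DIG=${DIG:-dig}

# Constructed stand-in for dig with two made-up hosts (one consistent, one
# with a forward/reverse mismatch). Select it with DIG=sample_dig.
sample_dig() {
    case "$*" in
        "+short -x 192.0.2.10")        echo "mail.example.com." ;;
        "+short mail.example.com. A")  echo "192.0.2.10" ;;
        "+short -x 192.0.2.20")        echo "www.example.com." ;;
        "+short www.example.com. A")   echo "192.0.2.99" ;;
    esac
}

# fcrdns IP
# Prints "ok NAME", "mismatch NAME..." or "no-ptr"; returns 0 only for ok.
fcrdns() {
    ip=$1
    names=$($DIG +short -x "$ip")                  # reverse: IP -> PTR name(s)
    if [ -z "$names" ]; then
        echo "no-ptr"
        return 2
    fi
    for name in $names; do
        for addr in $($DIG +short "$name" A); do   # forward: name -> A records
            if [ "$addr" = "$ip" ]; then
                echo "ok $name"
                return 0
            fi
        done
    done
    echo "mismatch" $names                         # no PTR name maps back to IP
    return 1
}

# Run against the real resolver when given an address: ./fcrdns.sh 192.0.2.10
if [ $# -gt 0 ]; then
    fcrdns "$1"
fi
```

A "mismatch" result is the condition TCP wrappers reports; the fix is in DNS (make the PTR name resolve back to the same address), not in hosts.allow.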

openssl tips

how to view a certificate details

you can see the details of the received certificate via the command:

$ openssl x509 -noout -text -in server.crt

how to renew a private-CA-signed cert that is/will expire

My example is using ssl-ca.0-1 YMMV

The only thing about ssl-ca.0-1 that sucks is that when you run it, it DELETES your config file after you're done.
In any case, the process of renewing a self-signed certificate once it has expired is as follows:

  1. Revoke the existing (expired) certificate
  2. Sign the (existing) CSR to create a new certificate
To do this I created and

# cp
# cp
# patch < server-patch
# patch < user-patch
Here is the patchfile for, save as server-patch:
---  Sun Apr 23 01:29:24 2000
+++  Tue Aug 12 08:18:32 2003
@@ -19,6 +19,8 @@
        exit 1
 # Sign it with our CA key #
 #   make sure environment exists
@@ -65,6 +67,11 @@
 extendedKeyUsage       = serverAuth,clientAuth,msSGC,nsSGC
 basicConstraints       = critical,CA:false
+# Revoke existing cert
+echo "CA revoking: $CERT.crt:"
+openssl ca -config ca.config -revoke $CERT.crt
+mv $CERT.crt $CERT.crt.revoked
 #  sign the certificate
 echo "CA signing: $CERT.csr -> $CERT.crt:"
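Review bot: the exit status of the added `openssl ca -config ca.config -revoke $CERT.crt` line is never checked, so if revocation fails (for example a wrong CA pass phrase) the `mv` on the next line still renames the certificate and the script carries on to the signing step. Suggest `openssl ca -config ca.config -revoke "$CERT.crt" || exit 1` before the `mv`, with `$CERT.crt` quoted in both added commands.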
and here is the patchfile for, save as user-patch:
---   2004-01-08 07:30:45.000000000 -0800
+++  2004-01-08 07:38:29.000000000 -0800
@@ -62,6 +62,11 @@
 extendedKeyUsage       = emailProtection,clientAuth
+# Revoke the old (expired/expiring) certificate
+echo "CA revoking: $CERT.crt:"
+openssl ca -config ca.config -revoke $CERT.crt
+mv $CERT.crt $CERT.crt.revoked
 #  sign the certificate
 echo "CA signing: $CERT.csr -> $CERT.crt:"
 openssl ca -config ca.config -out $CERT.crt -infiles $CERT.csr
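Review bot: nothing in the added block publishes the revocation; `openssl ca ... -revoke` followed directly by the signing step only marks the old certificate in the CA database. For the "expiring" case named in the new comment the old certificate is still within its validity period, so clients keep accepting it unless a CRL is generated and distributed afterwards. Suggest adding an `openssl ca -config ca.config -gencrl -out <crl file>` step after the revoke (the output file name is a placeholder), or a comment stating that CRLs are deliberately not used.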

note that this script ( must be run with both the csr and crt in the current working directory.

Here is a real-life example...

$ ./

CA revoking:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Revoking Certificate 02.
Data Base Updated
CA signing: ->
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Washington'
localityName          :PRINTABLE:'Seattle'
organizationName      :PRINTABLE:'Mark Foster'
organizationalUnitName:PRINTABLE:'Secure Mail Server'
commonName            :PRINTABLE:''
emailAddress          :IA5STRING:''
Certificate is to be certified until Aug 11 15:27:33 2004 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: <-> CA cert OK
Now, because this is a server certificate I intend to use to encrypt IMAP sessions using SSL, I need to have it in the right place, in /usr/local/ssl/certs/imapssld.pem (I am using UW-IMAP on FreeBSD)

cat > /usr/local/ssl/certs/imapssld.pem

mysql Tips

show access perms in mysql

mysql> show grants for root@localhost;
| grants for root@localhost                                           |
| grant all privileges on *.* to 'root'@'localhost' with grant option |
1 row in set (0.00 sec)

RedHat Linux Tips

If you see this:
rpmdb: Suspiciously high nelem of 4294967294 on page 0
error: db4 error(-30979) from db->verify: DB_VERIFY_BAD: Database verification failed
Do this:
rpm --rebuilddb -v

Gentoo Tips

locale errors if you see something like this...
(process:8319): Gdk-WARNING **: locale not supported by C library

(process:8319): Gtk-WARNING **: Locale not supported by C library.
        Using the fallback 'C' locale.
or this
~ mdf@gentoo1>perl -v
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

This is perl, v5.8.0 built for i686-linux
then the solution is to set your LC_ALL environment variable
~ mdf@gentoo1>setenv LC_ALL C
on a gentoo-1.4rc1 system, add this line into /etc/env.d/00basic for permanency.

Keychain errors

/usr/bin/keychain: line 1: mkdtemp:: command not found
This happens when disk is full, check df -h and clean up.

Core Dumps

Sooner or later you'll get some program core dumping on you. A common error message seen in this case is Segmentation fault (core dumped)

If you want to get an idea of what happened (YMMV) try some of the following things. Let's assume the core dump is named core

>file core
core: ELF 32-bit LSB core file of 'mail' (signal 11), Intel 80386, version 1

This is from a Linux system. It is a little helpful: we know what type of signal caused the core dump. man signal(3) for more about that.

>file /inetd.core
/inetd.core: ELF 32-bit LSB core file Intel 80386, version 1 (FreeBSD), FreeBSD-style, from 'inetd'

This is from a FreeBSD system obviously. Notice that it doesn't say anything about the signal.

>strings core | less
Cannot give -f and people to send to.
Mail version %s.  Type ? for help.
detract asked to insert commas
From %s %s
Can't reopen image
Expanding alias to depth larger than %d
No names to unpack

Sometimes you can find a string that will give a clue about what happened. My impression is that this is usually near the end of the output.

>gdb executable_name core_file

I've done this and it worked great! It told me the specific line number that had a problem. Apparently this only works if the program was compiled with debugging symbols, and surely it must not have been stripped [see strip(1)].

Here's a specific example. It didn't do quite as well as what happened above, but is nonetheless useful...

>gdb /usr/sbin/inetd /inetd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...(no debugging symbols found)...

warning: exec file is newer than core file.
Core was generated by `inetd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/ debugging symbols found)...done.
Reading symbols from /usr/lib/ debugging symbols found)...done.
Reading symbols from /usr/lib/ debugging symbols found)...done.
Reading symbols from /usr/lib/ debugging symbols found)...done.
Reading symbols from /usr/libexec/ debugging symbols found)...done.
#0  0x804ad66 in getsockname ()

Notice that last line? I believe that means "narrow your bug search to the routine name getsockname()."


# wildcard mx etc, add
search .
# to the /etc/resolv.conf file

regexp masks
4th quarter 2001
3rd quarter 2000	2nd		1st
20000[789]*		20000[456]	20000[123]

Sendmail is now called local-host-names

generate rpm from tar
Up to date RPMs for various distributions can be found at helixcode.
Up to date packages can also be generated from the source by running
"rpm -ta dia-*.tar.gz"

# ls listings
ls -hAl # show human readable output size of all  files except . and ..

looking for -lz?
~ mdf@smokey>rpm -q --whatprovides /usr/lib/

# clear mac (ARP) entries on a Cisco Catalyst 2900/3500 switch
clear mac-address-table 

#cleanup 0 zero byte files 
find . -size 0 -delete

#move file hierarchies using tar
tar -cf - -C srcdir . | tar xpf - -C destdir
# or using cp on freebsd
cp -pvr srcdir destdir
# or cp on redhat (v is optional verbose)
cp -av srcdir destdir/

# create a tarball from files using find (-T - reads the file list from stdin)
find . -name 'ccode*' -print | tar --create --verbose --file=/tmp/ccode.tar -T -

# Stronghold wouldn't work with a new certificate. Then I found this on the web
Why do I receive a "no shared cipher" or "no common encryption algorithm" error?
   The "no shared cipher" or "no common encryption algorithm" error message occurs when a new certificate has been
   installed, but it hasn't been read properly when the server is started. To fix this, please stop the server with the
   "stop-server" script, wait a minute for all the Stronghold httpd processes to die, then restart it with the "start-server" script.

if galeon won't start, complaining of gconf problems, try 
rm ~/.gconfd/lock/*

screenshot: import -window root -crop 1240x1024+40+0 -quality 90 corner1.png
import -window root -crop 1240x1024+40+0 -colors 256 -quality 75 corner1-75.jpg
 this grabs a screenshot of a remote X user's desktop
import -window root -display damondesk1.jpg

insert a revision tag from rcs into a document (checked-into same)
put $Id: tips,v 1.9 2003/04/24 14:06:48 mdf Exp $ into the document
or here's the perl syntax to extract just the version number (1.20)
my @a = split(/\s/, '$Revision: 1.9 $'); #this will change w/ rcs tag
$version = $a[1]; undef(@a);
see the rcsintro page for more info.

transparent gif
Use GIMP and create a layer that is 'transparent'. On the other layer (where the image is)
select the shape(s) and copy to clipboard. Change to the transparent layer and paste.
Delete the old (other) layer. Go to Image-Flatten Image, then immediately Save-As GIF.

killall not working, try this command
ps axf | grep program | awk '{ print $1 }' | xargs kill -9

if you are a hostmaster (contact) for domain names, use mutt as your mailer
since it allows you to set the from address easily. Evolution will also.

rcs: how can i show the revision number inside the file?
type (dollar-sign)Id:(dollar-sign) somewhere inside a comment in the file, and it will be expanded to show revision information every time the file is checked out.

rsync error:
building file list ... pop_dir /some/file/folder/path : Permission denied
I got this error after NOT using su - rsyncuser, but had done su rsyncuser
instead. Must be something to do with the environment.
Solution: su - rsyncuser

outlook - setting it to mark a message as read, immediately...
Tools...Options...Other...Preview Pane

© 2003-2004 Mark Foster

If I was helpful, please let me know!

$Id: tips.html,v 1.2 2005/11/12 16:35:13 mdf Exp $